The More Things Change ...

Power Trip
Building Your Own Networks
Pirates of the Internet
Telecom Informer
Darknets
Scanning the Skies
Essential Security Tools
Decoding Experts-Exchange.com
An Introduction to Beige Boxing
Hacking the SanDisk U3
Exploring AT&T's Wireless Account Security
Hacker Perspective: Rop Gonggrij p
(More) Fun with Novell
PayPal Hurts
Facebook Applications Revealed
Letters
Hacking Windows Media DRM
The Noo World
Forensics Fear
Transmissions
Cracked Security at the Clarion Hotel
Building Your Own Safe, Secure SMTP Proxy
Zero-Knowledge Intrusion
Booting Many Compressed Environments on a Laptop
Avoid Web Filtering with SSH Tunneling
Marketplace
Meetings
9
11
13
15
16
18
20
21
22
24
26
29
30
32
34
48
49
51
52
54
55
57
58
61
62
66

As we move towards our 25th year learn as much as we can from.
of publishing, we find that so much has So what has managed to stay the same
changed in the world we write about. Yet
over the years? A number of things actually,
somehow, a surprising amount of things are
some good and some bad.
almost exactly the same.
For one, the spirit of inquisitiveness
Let's look at where technology has taken
that drives much of what the hacker world
us. Obviously, nothing has stood still in the
consists of is very much alive and in rela-
hardware and software universe. In 1984,
tively the same state it's been in for so long.
ten megabytes of storage was still more than If anything were to sum up what every single
what most people had access to. Those few
one of our articles has had in common over
who even had their own computers would,
all these years, it's that desire to find out
more often than not, wind up shuffling five
just a little bit more, to modify the param-
and a quarter inch floppies before they
eters in a unique way, to be the first to figure
would invest in an expensive piece of hard-
out how to achieve a completely different
ware like a hard disk. And speed was a mere
result. Whether we're talking about getting
fraction of a fraction of what it is today. If
around a barrier put in place to prevent you
you could communicate at 300 baud, it was
from accessing a distant phone number or
considered lightning fast to most people. Of
a restricted computer system, or cracking
course, there were those who were always
the security of some bit of software so that
pushing to go faster and get more. It was this
you can modify it to perform functions never
incessant need for expansion and improve-
dreamed of by its inventors, or revealing
ment that got us where we are today.
some corporate secrets about how things
Perhaps not as dramatic in scale but
really work in the world of networks and
certainly as wrenching in feeling has been
security - it's all about finding out something
the change to our society and the world
and sharing it with anyone interested enough
around us. In the current day, we are secu-
to listen and learn. These are the very foun-
rity-obsessed without having gotten any
dations upon which 2600 was founded and
better at being secure. We seem to have
those values are as strong today as they were
lost any semblance of the trust that once
back in our early days. In many ways they
guided us as human beings. Instead, we live
have actually strengthened. The Internet
in a state of perpetual alertness, suspicion,
is an interesting example of this. While its
and fear. Some would say that this is reality
predecessor, the ARPANET of the 60s and
and that this state of mind is the only way
70s, was developed under the authority of
to survive in a hostile world. We would say
the military, what has evolved since then is a
that it's a sad reality and one that needs to
veritable bastion of free speech and em pow-
be analyzed and hopefully altered. Were
erment of individuals. Of course, it's not all
we to have started publishing in 2008 rather
so idealistic. Not everyone cares and there's
than in 1984, we likely would have been
a constant struggle with those who want
quickly branded as potential terrorists before
the net to be nothing more than a shopping
ever being able to establish a foothold in
mall and those who seek to control every
our culture that enabled us to be seen as a
aspect of it. But who can deny that literally
revealing and even necessary voice.
any point of view can be found somewhere
Today we continue to exist in no small
on today's net? And a surprising amount
part because we have existed for nearly
of people will defend that concept regard-
a quarter century. It is that history which
less of their own personal opinions. Almost
strengthens us and one we should all try and
without fail, if someone is told that they may
Pa
g
e 4 2600 Ma
g
azine
not put forth a certain viewpoint or spread
information on a particular subject, then
the community of the net will respond and
make sure the information is spread more
than it ever would have been had there not
been an attempt made to squash it in the
first place. Nobody has yet been able to put
the top back on the bottle and prevent this
kind of a reaction since never before in the
history of humanity has such a tool been so
widely accessible. There obviously is still
long way to go and a good many battles to
fight in order to keep free speech alive on
the net. But this is at least encouraging and
indicative of how hacker values have easily
meshed with more mainstream ones.
But something else which hasn't
changed over the years is the malignment of
hackers and what we stand for. The irony is
that most people understand perfectly well
what we're all about when presented with
the facts. The mainstream media, however,
never has and probably never will. It's
simply not in their interests to portray us as
anything but the kind of threat that will help
them sell newspapers and get high ratings.
Fear sells - that is the unfortunate truth.
And fear of the unknown sells even better
because so I ittle evidence is needed to start
the ball rolling.
In the media, as in politics, enemies
are needed in order to set forth an agenda.
From the beginning, hackers have fit the
qualifications to be that enemy. They know
too much, insist on questioning the rules,
and won't stop talking and communicating
with themselves and others. These types
of people have always been a problem in
controlled environments like dictatorships
and public schools. It's not too difficult to
see why they're viewed with such hostility
by people who want to hold onto whatever
power they happen to have. A true indi
vidual is no friend to autocrats.
If you read a newspaper or watch virtu
ally any newscast, you won't have to wait
too long for a story to appear with details
on how the private records of thousands (or
sometimes millions) of people have been
compromised while in the care of some
huge entity. We could be talking about a
phone company, credit card provider, bank,
university, or government. And the informa
tion that was lost might include anything
from people's names, addresses, unlisted
phone numbers, Social Security and/or
credit card numbers, a list of purchases,
health records, you name it: data that
was entrusted to the company, agency, or
bureaucracy for safekeeping which has
been compromised because someone did
something foolish, like somehow post confi
dential hospital files to a public web page, or
copy customer information to a laptop which
was subsequently lost or stolen. Yet in virtu
ally every instance of such a profound gap in
common sense, you will find that hackers are
the ones getting blamed. It makes no difer
ence that hackers had nothing to do with
letting the information out in the first place.
The media and the authorities see them as
the people who will do virtually anything to
get private data of individuals and make their
lives miserable.
This misdirection of blame serves two
purposes - as it always has. The first is to
absolve those really responsible of any
true blame or prosecution. The second is to
create an enemy who can be blamed when
ever anything goes wrong. Of course, the
irony is that if hackers were the ones running
and designing these systems, the sensitive
data would actually be protected far better
than it is now. There simply is no excuse
for allowing people's private information
to be copied onto insecure machines with
no encryption or other safeguards. The fact
that it keeps happening tells us that dealing
with this isn't very high on the priority list.
Perhaps if those organizations that don't
have sufficient security practices were held
accountable rather than being allowed to
blame invisible demons, we might actually
move forward in this arena. But one must ask
what would be in it for them? The answer is
not a whole lot.
These battles and conflicts will no doubt
continue regardless of what direction our
society takes us. While we have indeed been
frustrated with the seeming lack of prog
ress on so many levels, we can't help but
be fascinated with where we will wind up
next - both in the technological and political
spectrum. The combination of the two may
very well seal our future for quite a long time
to come.
The one thing that will keep us going
(and that has made it so worthwhile for all
of these years) is the spirit of curiosity that
our readers and writers continue to proudly
exhibit. It's a very simple trait, and perhaps
one that's an unerasable ingredient of our
humanity. It will survive no matter how our
technology advances, regardless of any law
or decree put forth to stifle it, and in spite
of misperceptions and overall c1uelessness.
If we keep asking questions and thinking
outside the box, there will always be some
thing good to look forward to.
Winter 2007-2008
Pg
e 5
POWER
by OSIN
TRIP
send the a l ert to, and so on. You shou l d a l so
thi n k about such th i ngs as the pl acement of the
I t i s common i n 2600 for wri ters to preface camera. Set i t far enough away from the area
whatever topi c they may be di scuss i ng wi t h a you ' re mon i tori ng so that the camera has enough
di s cl ai mer such as " I by no means condone or t i me to record a few seconds and send an emai l
encourage i l l egal acti vi ty." That ends wi th th i s before i t gets unpl ugged. You mi ght even want
art i cl e. S i nce i t i s now i mposs i bl e i n Ameri ca to consi der h i di ng i t or di sgu i s i ng i t as another
to tel l who i s a cri mi na l and who i s not, or to object. The poi nt i s that you can ' t have a secret
tel l what is a cr i me and what is not, I whol e- warrantl ess search i f there' s vi deo of someone i n
heartedl y condone the practi ce of the act i ons you r res i dence. And knowi ng about i t i s hal f the
I ' m about to l ay out by any and a l l cri mi nal s batt l e. Remember t hat they don ' t have t o ki ck
readi ng t hi s art i cl e. But not t o worry: shou l d down your door or pi ck t he l ock. Many of these
any of you cr i mi nal s out there run afoul of the gangs have h uge amou nts of techni cal resources,
greatest cr i me syndi cate s i nce the Gambi nos, so they can make t hei r own keys to get i nto you r
you c a n al ways use the "Scooter" L i bby l ame- pl ace.
ass defense, assumi ng you ' re a r i ch, wh i te, non- But l et ' s not stop there; evi l doers a l ways
vi ol ent, fi rst t i me offender. col l ude wi t h other cr i mi nal el ements of soci ety
One of the most used weapons of today' s to get what they want. Anyone desperate
organ i zed cr i me syndi cate is the secret warrant- enough to do a secret warrant l ess search i s
l ess search. That means they can enter your probabl y wi s e enough t o case out t he vi ct i m
res i dence wh i l e you ' re away and ei ther sei ze before such a search i s actual l y conducted.
computer equ i pment or bug the pl ace. Surel y And, dur i ng the course of such an i nvesti ga-
such evi l does n' t exi st i n the Land of the Free t i on, they mi ght di scover that you have wi rel ess
and Home of the Brave! And, how i roni c: I cameras t hroughout you r resi dence. How mi ght
began wr i t i ng t hi s art i cl e on the 4th of J u l y. But, they react? Wel l , barr i ng a fu l l -scal e search and
yes, t hi ngs ar e tak i ng pl ace t hat I ' m pretty s ure sei zure, whi ch wou l d make secrecy moot, they
the forefathers of the USA di dn't i ntend. So, l et ' s mi ght col l ude wi t h a wel l - known cri mi na l enter-
take a bi te out of cr i me! pr i se t hat shakes down ci t i zens on a month l y
Our fi rst weapon agai nst evi l -doers i s wi re- bas i s : the power company. Keep i n mi nd that the
l ess technol ogy, speci fi cal l y an I nternet-capabl e power company wi l l al ways do what i t takes to
wi rel ess camera and a wi rel ess access poi nt pl ease i ts regul atory master. So, wi t h no power,
(WAP) . I won ' t go i nto the securi ty consi der- our wi rel ess camera and set up is usel ess, ri ght?
ati ons of wi rel ess cameras and access poi nts; I ' l l Not s o fast. Consi der our second weapon agai nst
onl y say that it is i n your best i nterest to change secret warrant l ess searches: the UPS.
t he defa u l t l ogi n password. There are many more When the UPS fi rst came out, i t was noth i ng
securi ty i ssues perta i n i ng to t hi s technol ogy, more t han a gl or i fi ed surge protector. The fi rst
but they are beyond the scope of th i s arti cl e. I ones cou l d power a desktop computer and
strongl y suggest t hat you educate yoursel f about moni tor for about 1 5 mi nutes, rea l l y onl y
these i ssues l es t you gi ve cri mi nal s access to usefu l to gi ve the user t i me to gracefu l l y shut
spy on you . No, what we' re more i nterested i n down the computer. About a year ago, though,
at t hi s stage are the capabi l i t i es of the wi rel ess I came across the newer versi ons. They had a
cameras on the market now. Di fferent cameras USB port whi ch a l l owed them to be moni tored
have di fferent capabi l i t i es, but i f you were to wi t h propr i etary software on a l aptop. They al so
sel ect one, I wou l d say it shou l d have at l east boasted far greater power capaci ty than ol der
two capabi l i t i es: the abi l i ty to be mon i tored over model s di d. The one I bought cou l d power a
the I nternet wi t h a browser and the abi l i ty to desktop and fl at screen mon i tor for near l y 90
send emai l a l erts or attach ments. mi nutes . But, because I haven't used my desktop
You shou l d cons ul t your parti cul ar camera ' s i n years and I di dn ' t want a good UPS go to
docu mentati on for i nformat i on on how to set it waste, I wondered how l ong t hi s UPS wou l d
up. I can't real l y gi ve speci fi cs s i nce di fferent power my wi rel ess camera, broadband modem,
manufactu rers' cameras vary wi del y, but i n most and WAP. The power requ i rements for a l l three
cases you can set the ema i l noti fi cat i on, whether added up to 1 1 0 Watts wh i l e the UPS boasted
to send an mpeg attachment, the n umber of an abi l i ty of 450 Watts. On top of bei ng a surge
seconds to record, whi ch ema i l addresses to protector, the UPS al so contai ned a vol tage
P
g
e 6 2600 Ma
g
azine
regu l ator so I had some confi dence that us i ng i t
outsi de i ts i ntended desi gn parameters wou l dn' t
fry my wi rel ess set up. I gave i t a go. Us i ng my
l aptop t o moni tor t he UPS I found that after an
hour of run n i ng al l t hree devi ces off the UPS, the
battery' s charge had fal l en to around 92 percent.
Not bad. Now, theoret i ca l l y, i f the power usage
is l i near, then that mi ght r un the set up for more
than 1 0 hours, but i n a rea l - wor l d scenar i o,
more power is goi ng to be uti l i zed as my wi re
l ess components become more act i ve or have to
send out data over my broadband connect i on. I
never tested how l ong it cou l d power the set up
s i nce you can decrease the l i fe of t he recharge
abl e 1 2 vol t battery if you go bel ow 80% charge,
so l et' s assume for argument' s sake that my UPS
wi l l power the fu l l requ i rements of my wi re
l ess setup for 7 hours. That ' s sti l l a l ong t i me for
mi screants to have to wai t to start t hei r search.
But power outages are common i n t he
Un i ted States. I t ' s not u n us ual for one t o occur,
and there are usua l l y no s i ni ster forces beh i nd
them, s o how do you know i f t he power outage
at you r res i dence i s a normal one? For that
matter, how wou l d you know that one occurred?
I t ' s true that my UPS starts beepi ng when the
power goes out, and s i nce my wi rel ess camera
al so has a mi crophone, I ' d be abl e to hear it i f
I l ogged i n t o see what ' s goi ng on. But I ' d have
to know that an outage has occurred to con nect
i n the fi rst pl ace. The poi nt i s that you may not
know if the outage is just a normal bl ackout, but
there are ways of knowi ng that an outage has
occurred. The probl em i s one of noti fi cat i on.
And i n th i s next part, I 'm goi ng t o use a program
t hat ' s been used on computers for several years
to track battery energy consumpti on ( our th i rd
weapon) : Advanced Power Management ( APM) .
APM i s normal l y used on l aptops to mon i tor
the battery and do some noti fi cat i ons when the
battery l evel approaches cri ti cal l evel s. The good
t hi ng about APM i s that i t wi l l tel l you when
the power goes out or the power adapter i s
unpl ugged from the wal l socket. I t goes wi thout
sayi ng that APM wi l l treat a power outage the
same way i t wou l d treat unpl uggi ng the power
adapter from the wal l and run n i ng on battery
power. For t hi s exampl e, I ' l l be us i ng OpenBSD.
On OpenBSD 3 . 9, my vers i on of APM wi l l gi ve
human readabl e stati sti cs on the status of the
power. On a l aptop, the command to execute i s
apm -'. You may need t o start the apm daemon
fi rst, whi ch i s merel y ampd. When you r un the
apm -' command i t wi l l output three l i nes
s i mi l ar to these:
Battery state : high, 1 0 0% remaining ,
1 5 1 minutes l i fe est imate
Ale adapter s tate : connected
Performance state : uninitialized ( 2 0 0MHz)
But when the AC adapter is unpl ugged or
there i s a power outage the second l i ne i n the
second l i ne had changed. Before we proceed,
though, I want to ret ur n to the wi rel ess camera.
Anyone who has one of these cameras and
has us ed the mot i on detecti on ema i l attach
ment opt i on wi l l tel l you that i t ' s someti mes
too sens i ti ve to l i ght changes and not sens i ti ve
enough to moti on u n l ess you have t he sensi
ti vi ty set t o h i gh. The fa l se pos i ti ves the camera
sends out can be annoyi ng. Wou l dn ' t it be n i ce
i f the camera ' s mot i on detecti on opt i on cou l d
be turned on onl y i f the power goes out? I found
t hat i t i s poss i bl e, assumi ng your camera a l l ows
i t. Most of these cameras are run n i ng a s i mpl e
web server t o whi ch you can l og i n and make
changes to the sett i ngs and opt i ons. My camera,
for i nstance, uses the GET method when you
cl i ck the Appl y button to t ur n mot i on detecti on
and ema i l i ng on. The enti re cal l I need t o use
shows up i n the browser URL l ocat i on bar. So
now that I know what the fu l l UR L i s to do t hi s
manua l l y, I can i ncorporate t hat knowl edge i n
my cr on scri pt so t hat when a power outage i s
detected i t wi l l automati cal l y t ur n on t he mot i on/
emai l opt i on us i ng wget. Here is a Per l scr i pt that
wou l d perform t hi s feat ( the wget l i ne has been
truncated s i nce the real cal l i s very, very l ong) :
#l/usr/bin/perl
@apm=/usr/bin/apm - v;
foreach $line ( @apm) {
if ( ( index $line, tlnot
"connected
tI
)
_
1 ) {
#if the apm .lock file does not exi st
i f {! ( - e 'apm.lock') )
# We only want this command to run
"once which i s why we have a lock file
'wget powert rip.html
--ht tp- user=admin -http
"passwd=yourpas sword http;//cameraip/
-adm/file. cgi ?audio_ enable=enabled&mo
-t=enabled&emai l =you@youri sp.comll . ;
$lock=-/
-bin/touch apm.lock';
}
} else {
#The power i s back on. Remove the lock
-file but do not turn off monitoring
i f ( ( index
-$l ine, "connectedlr )
_
1 ) {
$exec='/bin/rm J apm.lock';
}
As I sai d, t he http ca l l has been sever l y
truncated. The actual ca l l i s much l onger. Each
camera i s di fferent, t hough, so you may actual l y
have t o s ni ff your traffi c to l earn t h e actual cal l
to your camera ' s webserver to t ur n o n mot i on
detect i on. Note that the var i abl e that actual l y
t ur ns on moni tori ng i s "mot" for my camera. To
t ur n off mon i tor i ng, you wou l d j ust change your
cal l l i ne and set mot t o "di sabl ed", but I advi se
you to l eave mon i tor i ng turned on after a power
outage event.
output from apm changes to t hi s :
There i s an ol d sayi ng t hat cri mi nal s al ways
A/e adapter state , not connected
ret ur n to the scene of t he cr i me. I don ' t know
So, i t ' s that part i cul ar l i ne that we are most
i f that ' s al ways true, but our cr i mi nal s are very
i nterested i n . After pl uggi ng the l aptop i nto a
anal - retenti ve and won ' t gi ve up eas i l y. So they
wa l l socket, we cou l d wri te a scr i pt that wou l d
may cal l i n some favors from another syndi cate
r un in cron every mi n ute and test whether that
whi ch has a l ong h i story of col l us i on: your I SP.
Winter 2007-2008
P
g
e 7
I ' m not s ure if it is feasi bl e for t he I SP to di scon
nect j ust one DSL or cabl e modem, but I can
i magi ne they wou l d have some way to bl ock any
traffi c comi ng from your modem temporar i l y.
That means that even wi t h backup power, your
ema i l a l ert a nd attachment wi l l not get t hrough.
What t o do then?
Al though my camera has a propr i etary
progra m to save i mages to a fl ash dri ve or hard
di s k, i t ' s not eas i l y scri ptabl e i n a Un i x- l i ke envi
ronment. To combat t hi s poss i bl e attack, then, we
must resort to an ent i r el y di fferent set up. I nstead
of us i ng a WAP wi rel ess camera, and modem,
we wi l l use a di gi ta l camera, an ol d 8x8 Wi nTV
card, and a program cal l ed Moti on. The OS
used i s some var i at i on of Li nux; i n the parti cu l ar
case when I fi rst bui l t t hi s set up, I used RedHat.
Moti on uses the vi de041 i nux i nterface, so any TV
card or di gi ta l camera set up that supports vi deo-
41 i nux mi ght work. I t's hard to tel l wi t h some
hardware, but t hat's why I never throw a ny hard
ware away i f i t sti l l works. Anyway, t he setup
goes l i ke t hi s: you hook t he vi deo-out of the
camera i nto the vi deo- i n of t he TV card wh i ch
i s si tt i ng i n a PCI s l ot of your desktop computer.
You ' ve downl oaded Mot i on from Sou rceForge.
net and have it i nstal l ed. Here' s an excerpt from
my mot i on. conf fi l e:
f ramerate 10
input
norm
auto brightness yes
thre
s
hold 1000
noise level 16
night
-
compensate yes
light
s
witch yes
daemon
on
quiet yes
execute /usr/share/alert. sh
target dir /home/pics
f fmpeg
-
cap.new no
f fmpeg
-
timelaps on
thread
-
threadl.conf
Some t hi ngs may have changed i n the l ater
rel eases of Mot i on, so you shou l d read the
documentat i on. I won ' t go i nto great deta i l
other to say that t hreshol d control s how sens i
ti vel y Moti on wi l l react t o movement, execute
means that a n a l ert scri pt is r un once mot i on i s
detected, and targecdi r i s where t he j peg i mages
of the detected mot i on are stored. Ri ght before I
l og out of my mach i ne and l eave my res i dence,
I have a shel l scri pt whi ch del ays the startup of
Mot i on and r uns as a background process:
echo "Sleeping for 60 seconds."
sleep 60
echo "Starting motion detector
_ _ _
II
motion
That gi ves me t i me to get out the door before
Mot i on starts detect i ng. There are tons of other
opt i ons t hat Mot i on has, such as strea mi ng
mpegs, but t hey a re beyond the scope of th i s
art i cl e. Retur ni ng t o our probl em of cri mi nal s
secret l y goi ng t hrough our res i dence, we have
to assume that i f your I SP is bl ocki ng outgoi ng
traffi c from your modem, t hen the mi screants
wi l l sti l l have physi ca l access to your system
run n i ng Mot i on. That ' s a probl em. I f they can
reboot your system us i ng some sort of rescue
CD, then they mi ght be abl e to mount your hard
dr i ves, sea rch for any j pegs and del ete t hem.
What to do?
A wh i l e back, I wrote an arti cl e for 2 600 on
l oopback encrypt i on on fl ash dri ves. You can
now read i t at http,
//
uk.geocities.com
/
"os
i
n1941. But I th i n k you get t he i dea. Us i ng
the l oopback devi ce, you can create an encrypted
f i l esystem to wr i te the i mages. Wi thout knowi ng
where t o l ook, any state-supported cri mi nal s
wi l l not spend that much t i me l ooki ng for your
i mages. And reboot i ng t he mach i ne wi th a L i nux
rescue CD won ' t hel p t hem unl ess they know
t he password to mount the encrypted fi l e system.
Al so, there are other open source programs, such
as TrueCrypt, out there t hat l et you do t he same
th i ng as the l oopback encrypted fi l esystem but
on-t he-fl y. I h i ghl y suggest you take the t i me to
acqua i nt yoursel f wi t h the var i ous opt i ons you
have avai l abl e to you .
I t i s u n l i kel y t hat t h e current state of affa i rs
wi l l ever l ead to the repea l of secret warrantl ess
searches. Once cri mi nal s get a certai n amount
of power, they never ever want to rel i nqui s h
control and, short of an i nsurgency, i t ' s very hard
to break t hei r grasp on our l i ves . But, armed wi t h
t he r i ght tool s, we can make i t harder for t hem
t o pai nt us as terrori sts wh i l e t hey themsel ves
excuse t hei r own for s i mi l ar conduct. And, s i nce
equa l protect i on and treatment u nder the l aw
is now a l i e i n t he Un i ted States, it is up to us
t o start fi ght i ng back. I hope th i s art i cl e spawns
more arti cl es on l evel i ng the pl ayi ng fi el d for
t hose of us who don ' t have powerfu l fri ends.
SA VE HOTEL PENN
The home of the HOPE conferences is in danger of being tom down
and replaced with a huge offce complex. Help us fght to preserve the
historic Hotel Pennsylvania, a vital part of New York City since 1919.
Join the discussion at talk.hope.net.
Keep updated at www.savethehotel.org.
Pa
g
e 8
2600 Ma
g
azine
00hY0l

by LSnd|u
As developments like data retention and
censorship become prevalent, it might be wise
to build new networks, networks that belong
to the users. Back in the BBS days, people
operated their own networks like FidoNet
over the easily available but unfree telephone
network. Today, the Internet is the new unfree
network, plagued by companies who want to
extort more and more money out of the users.
So, it might be a good idea to build your own
moderately-sized networks. Even if this won't
solve any important problems in the world, it
will still be fun.
In this article, I would like to compress all
the information needed to do so. This article is
are a number of technologies for this, but we'll
focus on OpenVPN because it is available for
most platforms and easy to set up, at least in
shared key mode. First you need to create a
key:
openvpn --genkey - -secret some
"fil e . key
This stores the shared key in the file some
file.key. Obviously, you could use any file
name for this. This key has to be copied to
both ends of the tunnel. OpenVPN then needs
a configuration file which tells it what to do.
Here's an annotated example. First, the server's
configuration file:
port 1117 #Be sure to have this UDP
"port open to be accessed
. from the client
dey tun
a bit Linux-centric, but the ideas should be easy
# internal server Adr. client address
to convert to just about any operating system.
ifconfig 172.24.13.ll 172.24.13 .12
Well what's the obvious thing you need
# name of your keyfile
f d h I f
secret somefle. key
irst? Connections. To ay we ave a ot L
# periodically send some packets to keep
possibilities, from IP over carrier pigeon to fast
M the connection alive though routers
fiber optic connections. The most practical of keepalive 10 120
these are probably WLAN and VPN-Tunnels.
comp-Izo # compress the data.
The other thing needed
is routing. So we need
And the client's:
a routing protocol which is simple to use and
remote nameorip. of your . server. org # This
available to anybody.
is the IP or -domain name of your server
Let's start with the connections. Obviously
port ll17 # The same as on your server
h I h
dey tun
t e simp est connection is just an Et ernet
# internal client adr. server address
cable. Configure the nodes just as usual, and
ifconfig 172.24.13.12 172.24.13.ll
there you go. For larger distances, it might be
# name of your keyile
wise to use WLAN evices in ad-hoc mode.
secret somefile. key
This is probably best explained by an example.
# periodically send some packets to keep
Let's assume our wireless device is named
. the connection alive though routers
I f d d
keepalive 10 120
w anD. You can in out its name an settings
comp-Izo # compress the data.
with the iwconfig command. Setting up t
i
e
As you can see, there are two differences
device can be a bit tricky. You will need the
between the server's and the client's configu-
following commands:
ration files: the client's file has an additional
iwconfig wlanO essid "NetworkName"
remote line, and the ifconfig lines have the
-channel 6 mode ad-hoc commit
ifconfig wlanO 10 .lll. 4.5 netmask
IP addresses in reverse order. Again, please
. 255.255.255.0 choose the internal addresses randomly, to
The first line sets the wireless device's avoid collisions. Be sure to always use private
channel and network. The second command addresses.
assigns the IP address 10.111.4.5 and netmask To start openvpn, just type openvpn
255.255.255.0 to the device. The other wireless .- -config your config fil e . conf. Start
devices on the network would have to be in the openvpn first on your server, then on your
1 O.lll.4.x range, with x between 1 and 254. client. Most distributions already have init files
On some cards you will have to first execute to start openvpn automatically on boot-up.
an i f config wlanO up command to turn on These often only support one tunnel. If that is
the device. Please choose the IP addresses as enough for you, you can try to use that.
randomly as possible to avoid collisions. If you Now, you need to set up the routing. For
notice that an IP address or range is already this we will use OLSR as provided by olsrd.
taken, use another address. This is now probably the most popular daemon
VPN Tunnels are a bit harder to set up. There for wireless meshed networks. I prefer the 0.5
Winter 2007-2008

P
g
e 9
series as it is considerably more stable than the
0.4 one.
To make it work, you might need to change
a few settings in the configuration file,
olsrd.conf:
UseHysteresis no
LinkQualityLevel 2
In the interface section of the file you need
to uncomment the line
Ip4Broadcast 255.255.255.255
and adapt the Interface line to inclu
.
de all
your network interfaces. In my case that IS:
Interface !
l
tunOrl rrtunl1! t'
tun2
,1
"
lI
tun3
1
1
"tun4" "tunS" "tun6"
. . .
tun
?1I IItun8" lIethO"
Now you can simply start olsrd by typing
olsrd d 2 on the console. After a short while,
the links' status messages should appear. Once
you seem to be connected to your peers, you
can type route n to get a list of all the
routes. Typically, you should get a line for every
node in the network.
What if you have computers which cannot
run olsrd, for example because they are routers
or pri nters?
For those computers, you can use the host
network announcement (H NA) feature. This
feature tells the other nodes in the network that
your node can reach computers that are not
nodes.
In the Hna4 section of olsrd . conf, you
will find an example of this. You will also
have to tell the devices that they can reach the
OLSR-managed network via your node. One
easy way to do this is to set the devices' default
gateway to your computer.
So what could be accomplished with this?
Of co

rse, you could start by connecting your

computer to your friends' computers and even
to strangers'. Additionally, you could set up a
wireless interface. With this, you will be able
to offer network access to all members of
the network, without having to offer Internet
access. If nearby nodes also have wireless
devices, they can also form a connection and
build a network. Wireless networks were the
original application for olsrd.

n
.
Berlin, there
is such a wireless network consisting of several
hundred nodes.
In the dormitory I live in, we have some
wireless nodes. Roaming works rather well.
You can walk throughout the building and keep
your IP address despite being in a different
point of the network topology.
.
As described, this network does not Include
internet access. If you want to provide it, you
have several possibilities. The simplest and
most elegant is to set up NAT on your node
and use a HNA entry to 0.0.0. 0 0.0.0.0 in your
olsrd . conf . Nodes to which your node is
the closest internet gateway will automatically
use your connection. There can be sever

1
internet gateways; however, be aware that If
network topology changes cause you to change
your gateway, then stateful protocols like TCP
might break.
Another way is to use proxies. For example,
I run an anonymity proxy on one of my nodes.
This works fairly well if you only want to do
web-browsing, as you must manually select
your gateway in your web browser.
A good compromise might be to create
another VPN tunnel to the internet. This would
potentially allow you to have unlimited internet
access.
To further obscure the network topology and
therefore the position of servers of the network,
it might be desirable to install those serv

rs on
virtual machines. You could then Just migrate
the server from one location to another.
I already operate a small network consisting
of 3 permanent nodes plus some extra nod

s
fading in and out. If you want to connect to I

,
I am willing to give a tunnel to anyone who IS
willing to give some tunnels to others.
Automation
In order to save you from having to do a
lot of monotonous work, I have written a few
scripts.
The script search
_
ip . sh first gets a
random address from the private address range.
If we did not check, there would be a rather
high chance of collision

. Th

s is a tra
.
dition

1
birthday paradox. Keep In mind

hat, In addi
tion to this high chance, there |5 also pro

ability of not recognizing that an IP address |5

already taken.
When an apparently free I P address is found,
the script wri te
_
configurat ion_fil es . sh
is executed. This script creates a server and a
client configuration file as well a
.
s the shar

d
key file and neatly packs them Into two
.
Zip
files one for the server and one for the client.
Ple
;
se edit the settings at the top of this file to
suit them to your needs.
getkeys . cgi is a "key dispenser". It gives
out a different key file for every request. If you
have a very fast computer with a fast
.
conn

c
tion to the internet, you could use the first SCript
to create a few hundred configuration files and
use the cgi-script to get them to your peers.
Be sure to not leave your key files world
readable. Not only could they be read by
just about anybody on your system, but also
OpenVPN will refuse to start.
So, let the fun begin.
References:
olsrd: http://www.olsr.org
Birthday Paradox: http://en.wikipedia.org
-lwikilBirthday -paradox
Large olsrd WLAN-mesh in Berlin (in
German): http://www.olsrexperiment.de/
The scripts mentione
d
in this
article can be downloa
d
e
d
from
the 2600 Co
d
e Repository at
http://www.2600.com!co
d
e/
Pa
g
e 10 2600 Ma
g
azine
||8l08Pl00
|1l0|10l
U UCk dCl
UCkClm Cum
Yo ho ho and a bott l e of caffei nated beverages !
We hear about them on the news: evi l nerds
that make those poor mu l ti -bi l l i on dol l ar record
compani es and movi e studi os l ose money. But
who are pi rates real l y? I ' m sure that many peopl e
who read th i s magazi ne ar e pi rates too, whether
you di stri bute i ntel l ectual property or you s i mpl y
down l oad MP3s . Whether you do or not, t hi s
arti cl e wi l l be i nsi ghtfu l .
I wrote t hi s arti cl e because of an arti cl e on
pi racy from the Summer 2004 i ssue of 2600
that I remember, not because it i nspi red me but
because i t was so bad. I was al so i nspi red by how
uni nformed or j ust pl ai n i gnorant the guys who
wri te for news shows are. Hopefu l l y, my arti cl e wi l l
shed l i ght on somethi ng that few peopl e, not even
other hackers, know much about. In t hi s arti cl e, I
wi l l go i nto detai l about how pi racy works. I know
that a l ot of you guys wi l l know most of the terms
but I wi l l defi ne them anyways for the newbi es.
uS C
Thi s i s probabl y the si mpl est as wel l as the
most wi despread form of pi racy; i t i s al so the one
you are probabl y most fami l i ar wi th. The pi rate
extracts songs from a CD, wh i ch is cal l ed r i ppi ng
them. Thi s can be done ei t her from the offi ci al CD
on the day of i ts rel ease or i n advance i f the pi rate
works for the record company. Then, the songs
are converted to the MP3 audi o format, most
common l y at a bi trate of 1 2 8 ki l obi ts per second,
wh i ch makes fi l es of rel ati vel y l ow qual i ty. Fi nal ly,
these new fi l es are put in the "Shared Fol der" of
the user ' s peer-to-peer ( P2 P) program. That ' s it; the
P2 P program automati cal l y shares the fi l es wi th
anyone who requests them, so the user does n' t
have t o worry about anythi ng. Each person who
downl oads a fi l e al so begi ns shari ng i t, so even
more peopl e can downl oad the fi l e and at faster
speeds.
You may have heard on the news about peopl e
gett i ng sued by the RI AA, wh i ch i s an organi zati on
representi ng the four l argest Ameri can record
compani es, and some of you mi ght be worri ed
about bei ng sued, but here' s my advi ce: don ' t
worry; they don ' t have shi t on you. That' s ri ght:
the way these guys "catch" you is by searchi ng
for a sel ected MP3 fi l e of one of t he art i sts they
represent and then sendi ng out l etters to the
househol ds usi ng all of the I P addresses that
show up. The same I P i s usua l l y shared by several
di fferent househol ds even you don ' t factor i n Wi Fi
and t he fact that they can' t prove who was usi ng
the computer. ( A robber cou l d' ve broken i n to
use your hi gh speed connecti on because he has
di al up, downloaded musi c, and saved i t to thei r
i Pod. ) I f you ' re sti l l worri ed, however, download
a program cal l ed Peer Guardi an. I t ' s free and i t
bl ocks anti -P2 P compani es' and government
organi zati ons' I Ps from connect i ng to you. Wi thout
goi ng on a rant, I ' d just l i ke to poi nt out that the
record compani es have actual l y made more
money si nce P2 P became bi g: record sal es may
be down, but i nternet sal es are way up. Al so, they
barel y pay the musi ci ans anyth i ng; i f i t was n' t for
ASCAP and BMI gi vi ng the art i sts performance fees
for radi o pl ay, covers, and the l i ke, most mus i ci ans
seri ousl y woul d be dyi ng of hunger.
uVCS
I f you l i ve i n Asi a or a l arge ci ty wi th a
predomi nantl y Asi an area (a "Chi natown") i n i t,
then you' ve probabl y seen peopl e sel l i ng pi rated
movi es. Where do they get them from? Most
pi rated DVD sal esmen down l oad the movi es
from Torrent si tes l i ke Torrentspy and Mi ni nova.
Th i s is very easy to do, but the sa l esmen make
money off the chumps who don ' t know how to
do it by sel l i ng the movi es for anywhere from $ 1
to $ 5 each. The movi es are usua l l y i n VCD format,
whi ch i s l i ke nVD but l ower qual ity, whi ch can fit
on a CD-R, and whi ch can be pl ayed on any DVD
pl ayer. But where those torrents come from i s a
more i nterest i ng story.
Usual l y the movi e is captured by someone
si tti ng i n the movi e theater wi th a camera. Th i s
was once done very poorl y, but now i t ' s usual l y
done wi th a tri pod and an empty theater. These are
cal l ed "Cam" rel eases and usual l y come out the
day of the movi e' s rel ease, but they are al so are
usual l y of bad qual i ty. There i s al so another method
called "Telesync" whi ch i s basi ca l l y the same as
Cam, except the audi o comes t hrough some di rect
i nput such as a headphone j ack, rather than the
camera's mi crophone. They are al so usual ly better
qual i ty than thei r Cam counterparts. I f a movi e i s
very popul ar, especi al l y among the t he whi te male
1 4-30 demographi c that most often downl oads
these fi l es, then someti mes a DVD Screener wi l l
be rel eased one or two weeks l ater. These fi l es,
someti mes j ust cal l ed "Screeners", are DVD ri ps
made from a DVDs of the movi e that are gi ven
out onl y to certai n peopl e i n the fi l m i ndustry
but wh i ch then get l eaked. Regardl ess of how
the movi e was captured, the rel ease group then
converts the movi e to an Xvi D fi l e, whi ch i s a h i gh
quali ty vi deo format, better than DVD, but wh i ch
can most l y only be watched on computers and
some DVD pl ayers, or al ternatel
y
to VCD format
as BI N/CUE di sc i mage fi l es whi ch can be burnt to
CD. The fi l es are then di stri buted as a torrent.
A torrent i s a fi l e contai ni ng i nformati on about
whi ch fi l es to downl oad from wh i ch Bi tTorrent
Winter 2007-2008
Pa
g
e 11
tracker. It bas i cal ly works the same way as P2 P
programs, but i nstead of usi ng Ares or Li mewi re to
search, you use a websi te. The torrent fi l es are found
on torrent webs i tes wh i ch ei ther have thei r own
tracker, l i ke . Torrentspy does, or search mu l t i pl e
trackers, l i ke I sohunt does. These are publ i c torrent
si tes; there are al so pri vate torrent s i tes wh i ch you
can joi n by i nvi tat i on onl y. On pri vate trackers, t he
qual i ty of the fi l e you downl oad i s usual l y better
and the download usual ly goes faster, you al so
have to mai ntai n a certai n rati o of how much data
you downlmd to how much you upl md, and you
al so have a l ower select i on of f i l es, un l ess i t ' s an
enormous si te such as Oi nk.
bulw|C, LmCS, ndLlC|
Thi s i s the form of pi racy most of you are unfa
mi li ar wi th because i t is the most compl icated.
Don ' t get me wrong: i t' s not compl i cated; i t j ust
seems that way to the average person. Software
is usual l y di stri buted as a tri al vers i on of the soh
ware and a crack. A crack is often a modi fi ed mai n
executabl e of t he program whi ch bypasses the
l i cens i ng system, though someti mes al l you need a
ser i al number or l i cense key. Games usual l y come
as the fu l l game ri pped from the offi ci al CDs wi th
the copy protecti on cracked, pl us a ser i al number
or a program that generates ser i al numbers. Some
ti mes you ' l l al so get a NoCD program, wh i ch
i s t he same as a crack but i nstead of bypassi ng
the l i censi ng system, i t bypasses the system that
checks whether the game CD is i nserted or not.
However, i f the game came as CD- ROM di sc
i mage fi l es, then you can use a Vi rtual CD program
l i ke Daemon Tool s to emulate an actual CD dri ve
i nstead.
Cracks, key generators, NoCDs, and the l i ke
are made by peopl e known as crackers. The
crackers use debuggers l i ke Ol l yDbg and I DA Pro
to di sassembl e t he ori gi nal program' s assembl y
code. They then modi fy t hi s code wi th a hex edi tor
such as Hi ew or Fl exHex. Commerci al software
programs often try to prevent t hi s by usi ng software
protect i on systems such as Armadi l l o, ASProtect,
or Wi nLi cense, but most crackers can get around
these protecti on systems anyways. There are si tes
out there that have databases of cracks and seri al s,
but today these si tes are so fi l l ed wi th adware and
mal ware they' re not even worth vi si t i ng un l ess
you real l y know what you ' re doi ng.
Back i n the day, warez used to actual l y be
upl oaded to one' s own FTP or HTTP server or to
a hacked server. Now, however, al most everyone
upl oads to a si te cal l ed Rapi dshare or to one of
i ts many cl ones l i ke Megaupl oad. These si tes
were cool at f i rst but they have wai t ti mes of up
t o a mi nute before you downl oad can t he f i l e you
want. Th i s can be bypassed, but a l ot of the ti me
i t ' s unsuccessfu l . Al so, because the si tes usual l y
l i mi t upl oaded fi l es t o 1 00 MB each, warez down
l oads are usual l y i n 1 00 MF RAR parts. RAR fi l es
are compressed arch ives s i mi l ar to ZI P fi l es. The
down l oad si tes, however, have created somethi ng
cal led premi um accounts, where you pay mont hl y
for an account t hat can downl oad an unl i mi ted
amount of fi l es wi thout wai t ti mes and wi th pri ori
t i zed speeds. These premi um accounts are often
used al most l i ke a currency on warez forums.
Warez forums are i nternet forums where warez
down l oads are posted. Most of these downl oads,
however, are taken from DDL si tes, whi ch I ' l l tal k
about l ater. Warez forums have secti ons for chat
t i ng j ust l i ke other forums; they al so have "VI P"
secti ons, whi ch you gai n access to by havi ng a
certai n amou nt of posts or, more common l y, by
donat i ng to the si te. These VI P secti ons suppos
edl y contai n rare, hi gh-qual i ty f i l es, but most of
thp t i me these secti ons are di sappoi nt i ng and not
worth your money or post i ng t i me.
Warez forums used to have very good poten
ti al, but now everyone uses DDL si tes or torrent
si tes. Thi s is because al l the big Warez forums
are currentl y owned by morons. One exampl e
i s a forum ca l l ed WTal k: i t started as a very good
forum, not because of the admi n but because of
the powerfu I and smart peopl e he knew. After a
compl i cated seri es of events, the admi ni strator
banned the peopl e who were the most i ntegral
to hi s forum, and sl owl y everyone el se who was
i mportant to the commun i ty started to l eave or get
banned. After a wh i l e, the on l y peopl e l eft were
so ch i l di sh and stupi d ( "noobs") that they cou l d
rel ate t o the admi n. Si nce everyone wi th doubl e
di gi t I Qs has l eft, the on l y peopl e l eft to gi ve the
admi ni strator advi ce are the ones as stupi d as or
stupi der than hi m. They suck up to hi m, so al l hi s
hai r-brai ned i deas have resu l ted i n even lower
qual ity members and even in more noobs; t hi s i s
a process I cal l " Reverse Natural Sel ecti on". On
top of al l , he has al so secretl y kept a l og of hi s
members ' passwords, wh i ch are supposed t o be
encrypted, and he' s used hi s members ' donati ons
for the si te to buy new MacBooks, i Pods, and
so on. Thi s stupi dity and corrupti on i s common
among many warez forum admi ns, though not
usual l y to t hi s degree.
Sorry for my l i ttl e rant. Anyways, back on
topi c: DDL si tes are websi tes where the l i nks to
downl oads are submi tted and then di spl ayed as
thousand-page l i sts of software ti tl es. They al so, of
course, have a search bar. The bi ggest DDL si tes
are Katz and PhazeDDL. The si tes that submi t thei r
l i nks are ei ther actual websi tes or warez forums,
but, ei ther way, they both use Rapi dshare most of
the ti me. Al so, i f you search for a fi l e on a DDL
si te, most resu l ts you get wi l l be redundant: the
same Rapi dshare l i nk over and over, j ust wi th
di fferent peopl e gett i ng ad revenue or members.
LunC uS un
Warez has come a l ong way from the "Don ' t
copy that f l oppy" era, to the ri se and fal l of Napster
and Kazaa, to Torrents, and to peopl e sel l i ng some
th i ng that is supposed to be free. Who knows what
the future hol ds? Maybe one day you ' l l be abl e to
down l oad physi cal objects, but what I know for
certai n is that, ri ght now, warez is at a h i gh poi nt
for quanti ty and l ow poi nt for qual i ty. I t wi l l take
someth i ng bi g to fi x i t. I hope you enjoyed my
arti cl e and l earned someth i ng from i t. I hope to
wri te for 2600 agai n.
About me: I have been an active member in
the warez community for several years now and
sometimes I contribute to the Wikipedia article
on warez. I have my own warez forum. It's small
but with it, I'm trying to battle the flaws of other
warez forums I mentioned earlier in the article.
You can visit it at http : / /www . kronikfil ez.
.com!.
Pa
g
e 12 2600 Ma
g
azine
Hello, and greetings from the upon the 911 infrastructure in your
Central Office! It's hard to believe area. In most cases, this will be
that it's already winter, but the some form of Enhanced 911 (E911),
Cascades are covered in snow and the current standard (most recently
ski racks are on almost every car. updated in 2004). At the network
This is a time of year when a lot of level, E911 consists of a voice circuit
emergencies happen, and the tele- (over which you communicate with
phone system plays - now more the call answerer) and a data circuit.
than ever - a vital part in emer- The data circuit (which is private,
gency response. runs a proprietary protocol, and
These days, 911 is the virtually isn't connected to the Internet) is a
universal way throughout the u.s. redundant dedicated connection to
and Canada to summon the police, an Automatic Location Identification
fire department, or an ambulance (ALI) database.
(sometimes all three at once). There Basic 911 provides only a voice
is an extremely detailed and rigorous connection to the PSAp with no
set of standards around how 911 other identifying data. While call
systems and facilities are designed takers have the ability to trace calls,
and constructed, and the standard- it requires a call to the local phone
setting organization is the National company which can take up to
Emergency Number Association ten minutes. The limitations of this
(NENA). system are evident when 911 calls
When you dial 911, the telephone are received from people who are
switch invokes an SS7 route that has disoriented or experiencing medical
been specially configured for this emergencies and may be unable
purpose. In most cases, your call will to answer many questions or even
e routed over a dedicated trunk to provide the location from which
a dedicated 911 switch (although in they are calling.
some areas this is a shared tandem In an effort to solve this problem,
switch - not the recommended the E911 standard was developed.
configuration but it's better than E911-capable PSAPs use Automatic
nothing). The 911 switch looks at Number Identification (ANI) data to
your inbound ANI and, based on identify callers. Based on this data,
that, routes you to the appropriate your phone number will display
Public Safety Answering Point on the call answerer's console. The
(PSAP) via a dedicated trunk. At this E911 system will also query the ALI
point - only a couple of seconds database based on your ANI data. In
after you placed the call - the call most cases, this database is main
answerer will inquire "911, what's tained by Intrado, Incorporated (a
your emergency?" private company) and contains CNA
The information available to the (Customer Name/Address) data for
911 call answerer is dependent nearly everyone in the United States
Winter 2007-2008
Pa
g
e 13
with a phone - even including
unlisted numbers (I bet telemarketers
would love to get their hands on this).
Newer revisions of E911 include the
ability to provide CPS location data
for wireless phones, and this data is
also obtained via the ALI database.
However, these capabi I ities are fai rly
new and not yet widely deployed.
While the 911 system is incred
ibly useful and has saved many lives
since it was originally deployed in
1968 (in Haleyville, Alabama and
Nome, Alaska of all the random
places), it wasn't originally designed
to work with newer telecommunica
tions services such as VolP, wireless
phones, and CLECs (Competitive
Local Exchange Carriers). These have
exploded since the Telecommunica
tions Act of 1996 largely deregulated
telephone service, creati ng both
challenges and security vulnerabili
ties in the 911 system.
VolP services in particular have
illustrated practical vulnerability in
the E911 system. Recently, a group
of highly unethical phreaks (one
of whom was known
J
ears ago as
"Magnate") was a rreste for engagi ng
in an activity called "SWATting." This
exploited a little known and multi
tiered loophole in the E911 system.
In case you haven't heard what
"SWATting" is, it involves spoofing
someone else's ANI when calling a
911 "backdoor" number. Every PSAP
in the 911 system has a "backdoor"
number by design. These are used by
operators to connect you to emer
gency services if you dial "0" instead
of "911" for help. They can also be
announced as the emergency contact
number via the Emergency Alert
System (of "This Is A Test" fame) in the
event of a failure in the 911 switch or
trunks (this actually happened a few
years ago in Seattle). The unethical
caller can then describe a violent
kidnapping or other situation likely
to provoke a SWAT team dispatch
by the 911 call taker, who has no
idea that the apparent caller is actu
ally the victim of a cruel (and very
dangerous) hoax.
Back in the good old days of
Ma Bell, nobody could touch the
SS7 network except for loyal card
carrying CWA union technicians.
These days, any idiot with an Asterisk
box and a sleazy VolP provider
based in Romania effectively has
full SS7 control and the ability to
impersonate any ANI they damn
well please. This is because with
certain VolP providers, any TNI data
that you configure in your VolP PBX
is accepted as gospel by the VolP
carrier, and is sent to the PSTN as
both CLIO and ANI data. Congress
is worried about spoofing Caller 10,
but that's small potatoes in my mind
- most of the shenanigans around
spoofed CLIO data are harmless
pranks. ANI spoofing, on the other
hand -especially when mixed with
911 -is the real problem. If anything
damn well ought to be more illegal
than it already is, it's this!
And that's the end of my curmud
geoning here from the Central Office,
at least for this ski season. Stay in
bounds, stop in place if you experi
ence a whiteout, and always keep
your mobile phone charged to call
the ski patrol!
Links
http://www.nen a.org
National Emergency Number Asso
ciation, the standard-setter for 911
systems.
http://www.qwest.com/
-wholesale/pcat/911.html
- Qwest 911 interconnection and
product oferings for filthy CLECs.
This site contains links to many
excellent diagrams of Basic 911 and
E911 call routing topologies, which
incompetent CLEC technicians could
never understand.
Pa
g
e 14 2600 Ma
g
azine
Uy W L
w CPuSm . Cum
1C bCg nn ngulC nd
I n the begi n n i ng, t here was the I nternet.
Everyone happi l y connected to i t, and swapped
i nformati on freel y, wi t hout concern for pri vacy or
safety. But soon, t hi s began to change. The fasci st
regi me began to pass l egi sl at i on, shackl i ng once
free i nformati on, and spyi ng on the once-free
peopl e. The I i ghtnets were shut down by l aw
enforcement or l egal acti on. Even the decentral
i zed networks, such as Bi tTorrent trackers, fear i ng
attack, began t o become secl us i ve and pri vate.
1C1CCnu ugy
Th i s new wave of total i tar i ani sm ca l l s for the
next generati on of fi l e shari ng technol ogi es, dark
nets. Thus far, there have been, rough l y speaki ng,
t hree generati ons of fi l e shar i ng technol ogi es,
each wi th a fundamental fl aw l eadi ng to i ts
demi se. The fi rst generati on was the centra l i zed
and semi -central i zed l i ghtnets, such as Napster
and even the Wor l d Wi de Web. However, due
t o t hei r centra l i zed nature, t hey were shut down
by cr i mi nal charges or l egal acti on of some ki nd.
The second generati on consi sted of decentral
i zed networks, such as gnutel l a and Bi tTorrent.
Al though the decentra l i zed networks are a great
i mprovement over the central i zed networks of
yesteryear, t hey, l i ke t hei r ancestors, are fl awed.
Decentral i zati on was created to combat the l egal
attacks whi ch destroyed networks l i ke Napster.
However, many t hi ngs were overl ooked in t hei r
deSi gn, namel y anonymi ty and encrypt i on. I n
t he wake of I SP moni tor i ng and RI AA l aws ui ts,
decentral i zat i on i s not enough. I ndi vi dual s are
bei ng targeted, i n order to spread fear.
1C KCSSlnCC
The th i rd generati on of fi l e shar i ng software
is the most i mportant: darknets . A darknet is a
pri vate encrypted vi rt ual network for a sma l l
group of peopl e. The goal of a darknet i s a smal l ,
compl etel y encrypted network, compl etel y i nvi s
i bl e to anyone who does n' t know about i t. Not
even your I SP can tel l what fi l es are bei ng moved
t hrough the heavi l y encrypted darknet.
ulVl unSu| L|knCl
There are several advantages to darknets.
I n a sma l l network, wi t h onl y trusted users, I P
farmi ng techni ques used by t he RI AA and s i mi l ar
organi zati ons ar e usel ess. Darknets ar e heavi l y
encrypted, s o they are i mmune t o I SP mon i tor i ng
tool s. Darknets can be "br i dged" by users who
bel ong t o mu l t i pl e darknets (see Sma l l Wor l d
Theory) . Becuase darknets are sma l l networks set
up by groups who know each other, key di st r i bu
t i on becomes a non- i ssue.
Darknets fi x the vul nerabi l i ti es suffered by
thei r predecessors, but not wi thout expense.
Darknets have one weakness: peopl e. The secu
ri ty of a darknet i s based on trust of t hose usi ng
i t. Before you i nvi te someone i nto your group,
ask yoursel f i f you real l y t rust that person. Al so,
set stri ct r ul es regardi ng members i nvi t i ng new
peopl e i nto your darknet . One l apse of j udgment
cou l d compromi se the securi ty of your darknet.
Wi th a ti ght- kni t group of peopl e you trust, and
weapons-grade encrypt i on, darknets are the
safest, most robust fi l e shar i ng ava i l i bl e.
bu d ng L|knCl
There are a n umber of ways to bui l d a darknet.
Unfort unatel y, there i s n' t much software avai l
abl e t o do i t . Freenet ( freenetproj ect . org)
and WASTE ( waste . sourceforge . net) can
bot h be used t o create dark nets . However, both
of these create decentral i zed darknets. Th i s may
seem l i ke a good t h i ng, and i n many si tuati ons i t
i s. Before deci di ng on a decentra l i zed network,
take i nto account the s i ze of your network, and
how often peopl e keep thei r computers runni ng.
Make sure there i s a root node whi ch wi l l al ways
be on, preferabl y wi t h a stati c I P.
The second opt i on is a centra l i zed network.
Un l i ke l arge central i zed networks, darknets are
not onl y sma l l and pri vate but al so di sposabl e.
A l arger darknet can be composed of sma l l er
networks, wi t h connecti ons made t hrough
shared members, preferabl y connect i ng t hrough
some sort of proxy i n order to protect the i den
ti ti es of the users. A central i zed darknet cou l d
be constructed i n a n umber of ways, s uch as an
encrypted NFS dr i ve and a secure connecti on l i ke
an ssh tunnel ; an encrypted FTP servi ce where
each user is gi ven an account whi ch can wri te
to the servi ce; speci al i zed software whi ch uses a
hub to cache data (I am wri ti ng such software); or
a di rectory, such as a torrent tracker, where a I I the
fi l es are encrypted.
Peace.
Winter 2007-2008

P
g
e 1 5
:co--

7 :{;
Uy LulbumU
The pur sui t of knowl edge and u nderstandi ng
of t he way t hi ngs works does n' t need t o be
l i mi ted t o computers and tel ephones. We are
bei ng bombarded on a constant basi s by mi cro
waves from mobi l e phone towers, radi o transmi t
ters, tel evi si on broadcast towers, and even from
satel l i tes thousands of mi l es above the eartb ' s
equator. These satel l i tes are t he focus of t hi s
art i cl e.
Us i ng a system that onl y costs about $300,
you can expl ore the exci t i ng worl d of satel l i te
TV broadcasts from the comfort of your own
couch (and the roof of your house from ti me to
ti me) . Sports backhaul s, news feeds, syndi ca
ti on upl i nks, forei gn programmi ng, unbi ased
news, government propaganda, weather reports,
i nternet access, total l y free (free as i n beer and as
i n speech) programmi ng, and most i mportant l y,
a greater understandi ng of how the broadcast
worl d works are a l ready bei ng bl asted towards
you every mi n ute of every day so why not have
some fun !
1C L |kC bC l
Tel evi si on satel l i tes are a l l l i ned up al ong the
equator of the Earth . When seen from the Earth ' s
su rface, they form an arc across the southern sky
known as the Cl arke Bel t, after sci ence fi cti on
pi oneer Arthur c Cl arke. The arc contai ns over
80 satel l i tes that usual l y have a name i denti fyi ng
t hem and a number t hat corresponds wi t h the
l ongi tude meri di an they are on. For exampl e, the
mai n Di sh Network satel l i te i s known as Echo
star 6/8 and i t s i ts i n a geosynchronous orbi t over
t he 1 1 0 degrees West l ongi tude l i ne. I t i s often
referred to as 1 1 Ow ( read one-ten-west) .
b|udCSl bndS
There are three commonl y used broadcast
bands used for satel l i te tel evi si on di st r i but i on.
The Ku-band i s the most common method of
satel l i te broadcast i ng i n the cou ntry. I t i s uSld
by both major di rect-to-homp satpl l i te servi ces
( Di recTV and Di s h Network) as wpl l as by i nde
pendent satel l i te bandwi dth provi ders. Ka-band
i s a newer technol ogy that has been used for
years to di st r i bute satel l i te i nternlt access and
satpl l i t p radi o but whi ch has recentl y started
maki ng i nroads to vi deo di str i but i on. F i nal l y,
there is cl assi c Cband, wh i ch the maj or nptworks
use for di str i but i ng thei r channel feeds to other
satel l i te provi ders and cabl e compan i es. C-band
requi res very l arge di shes, the smi i l est of wh i ch
are nearl y ( feet across. Ku- and Ka-band si gnal s
ca n be pul l ed i n wi th much smal l er di shes,
approxi matel y 30 i nches across, wh i ch are eas i l y
mounted on a roof or wal l .
VdCu blnd|dS
Much of thl avai l abl e vi deo up there i s now
di gi ta l . Over the past ten years, most anal og
vi deo has di sapppared on the Ku-band, but you
can sti l l fi nd a bi t avai l abl e on Cband. I n the
case of vi deo di st r i but i on, di gi tal does not al ways
mean better. A good standard defi ni t i on feed
on Cband wi l l al most al ways be bettpr t han a
di gi ta l feed of the samp channel bpcause it is the
master feed. By thp t i me i t rpaches your cabl e
or di rect-to-home satel l i te system, i t has been
encoded di gi ta l l y, compressed, and bi t-starved
to the poi nt of l ooki ng l i ke a pi xel ated mess.
Anal og, however, i s a h uge bandwi dt h hog, and
prone t o i ntprfprence, so al ong the way, th i ngs
progressed more to provi di ng di gi tal feeds . An
anal og channel takes the same space as up to 2 0
di gi ta l channel s, a n d when satel l i te provi ders can
provi de more bandwi dth for channel di st r i but i on,
they get more money fr om channel producers.
Anal og programs are j ust regul ar NTSC fppds i n
Nort h Amer i ca, a n d can be pi cked up by cheap
ana l og recei vers .
I n the di gi tal real m, the poss i bi l i t i es of what
you can fi nd expand greatl y. So do t he di ffi cu l
ti es i n i n i t i al l y fi ndi ng t hp s i gnal and t he expense
i n gett i ng proper equ i pment. Thp mai n di gi tal
standard used for satel l i te TV i n North Ameri ca i s
ca l l ed DVB-S. Most of the wor l d uses DVB var i
ants for t hei r di gi tal tel evi si on di st r i but i on, such
as DVB- S for satel l i te, DVB- T for terrestri al , and
DVB- C f or cabl e. I n Nort h Ameri ca we use ATSC
for di gi tal terrestri al , and QAM for di gi tal cabl e.
gu mCnl
The bare mi ni mum set up you woul d need to
get started is a satel l i te di s h, a TV, and a satel
l i te recpi ver. Thp di sh is usual l y a parabol i c di s h
t hat si ts on a mast, wi th an ar m shoot i ng out from
the bottom wh i ch hol ds the eye poi nt i ng back
at tbe di s h. Th i s eye i s cal l ed a L NB ( Low Noi se
Bl ock) . There are a few types of L NBs ava i l abl e.
A Di recTV/[i s h Network di s h contai ns a ci rcu l ar
LNB. Ci rcul ar refers t o the shape of t he mi cro
waves bei ng beamed towards i t. Ci rcul ar LNBs
pi ck up spi ral shaped blams. These are beamed
out at very h i gh power, so the di s b i tsel f does n ' t
need t o be very bi g t o pu l l i n t h e si gna l . Unfortu
natel y, these LNBs aren ' t su i ted to pi cki ng up the
real l y cool stuff out there, and the di shes they are
attached to are a bi t too smal l , usua l l y between
1 R and 20 i nches.
For the enol stuff, you wi l l need a l i near L NB.
Pa
g
e 1 6
2600 Ma
g
azine
The term l i near, l i ke ci rcul ar, refers to the type of
beam it takes i n. Li near beams are l ess powerfu l
and more prone to weather i nterference, so they
requi re l arger di shes. A certai n type of l i near
L NB that can atta i n frequenci es sl i ght l y l ower
than a regu l ar l i near L NB i s cal l ed a u n i versa l
L NB. The di sadvantage to un i versa l L NBs i s
t hat not al l swi tches are compat i bl e wi th t hem.
There are pl enty of newer swi tches, however,
that work perfectl y, and if you have a s i ngl e di s h
system, t hen you most l i kel y won' t need swi tches
anyway.
I f you have more t han one L NB t hat you want
to connect to your recei ver, then you wi l l need
to obtai n a swi tch. The best swi tches to use are
cal l ed DI SEqC swi tches. ( I have no i dea how to
pronounce th i s out l oud. I say ' di z-e-q-c, ' but I
am probabl y wrong. ) You can hook four L NBs
i nto the swi tch, and then j ust r un a si ngl e cabl e
down t o the recei ver.
The L NB I prefer is cal l ed the I nvacom
QPH-03 1 and you can pi ck i t up for about $80 at
any of a n umber of shops on the i nternet. I t can
pi ck up both ci rcul ar and uni versa l beams and
has two outputs for each. An LNB thi s fancy i s not
necessary, however; a cheap $ 1 5 uni versa l L NB
wou l d be fi ne for a begi nner j ust gett i ng started.
The di s h is an i mportant consi derat i on. A
s mal l 1 8- i nch di s h won ' t real l y do for us, because
there are onl y a few channel s avai l abl e to us
l egi ti matel y wi t hout subscri bi ng t o or decrypt i ng
an encrypted si gna l . (Th i s i s poss i bl e, but not t he
focus of t hi s art i cl e. ) I deal l y, t he best di s h t o get
started wi th wou l d be 30 i nches or l arger. I opted
for a Fortec FC90P 90cm ( 36") di s h. The di s h wi l l
come wi th a mast that you can mount o n your
roof or on a wal l , t he refl ecti ng di s h, and the
L NB arm, but you wi l l have to suppl y the L NB
yoursel f. Thi s di s h wi l l set you back about $ 1 00,
i ncl udi ng s hi ppi ng.
The recei ver i s where stuff gets rea l l y fun, at
l east for me. I personal l y have two recei vers. The
fi rst i s a di gi tal DVB recei ver, and then I l oop out
from i t to an ol d anal og recei ver. For di gi tal , you
have many choi ces, and unfortunatel y the market
is a bi t saturated ri ght now, because these di gi tal
recei vers can al so be used for not-so- I egi ti mate
purposes. If you onl y want to be l egi t, I recom
mend the Pnsat 2 5 00A recei ver. Though i t i s
now di scont i nued, there are tons of them avai l
abl e on eBay for about $50- $70. I t has a very
rel i abl e bl i nd-scan feature, whi ch i s essent i al for
fi ndi ng wi l d feeds.
I f you are l ooki ng for anal og, you may have
a much harder t i me fi ndi ng a recei ver, because
they are ol d and rare. I recent l y found an ana l og
satel l i te recei ver from the ' 80s wi th whi ch you
can j ust di al up the enti re map of frequenci es, for
onl y $32 s hi pped. I di dn' t have a C-band set up
so there was n' t ver y much t o fi nd, but the t hi ngs
I di d fi nd were pretty i nterest i ng: some soccer,
col l ege basketbal l , an outdoor i ce hockey game
pl ayed on a pond, and an FBI tra i n i ng vi deo. Any
anal og satel l i te recei ver from the Uni den Supra
l i ne is h i gh l y recommended.
F i nal l y, the l ast pi ece of equi pment you real l y
won ' t want t o l i ve wi t hout i s a di s h motor. Th i s
motor wi l l t i l t and pan your di s h automati cal l y,
so you don ' t have to go up on the roof every ti me
you want to l ook at a di fferent satel l i te. A motor
can be found on l i ne for about $1 00. You put your
di s h on t he motor, put t he motor on t he mast, and
poi nt the ent i re assembl y t o the satel l i te cl osest to
true south from your current posi t i on. Once you
peak your si gnal there, you can use a feat ure of
the Pnsat ca l l ed USALS that wi l l automati cal l y
track t he other satel l i tes across t he Cl arke Bel t
based on that i n i t i al true south pos i t i on i ng. I t ' s
amazi ng t o see i t i n act i on. My motor of choi ce
i s the Stab HH90.
LCl' SbCnlCbkCS
Here i s where the magi c happens. You ' ve
got your system a l l set up, your di s h i s poi nted
to true south, you ' ve got your USALS a l l set
up, and you ' ve got your remote in hand. The
fun in t hi s is fi gur i ng i t out, so th i s won ' t be a
how-to. To poi nt you i n the ri ght di recti on of
satel l i te posi t i ons, I recommend http : / /www .
-lyngsat . com, a l i sti ng of satel l i tes around the
wor l d and the channel s t hat t hey contai n. Usi ng
your recei ver, you wi l l tel l your di s h t o poi nt at
a speci fi c satel l i te based on i ts posi t i on ( such as
97 degrees West) and bl i nd-scan i t. " B l i nd-scan"
wi l l fi nd al l channel s on the satel l i te, i ncl udi ng
fu l l -t i me channel s, data feeds, radi o channel s,
and wi l dfeeds . Wi l dfeeds are on-the-spot news
reports that are bei ng sent back to the network,
whi ch i ncl ude t i mes when the reporter i s "off t he
ai r" wh i l e t hei r hai r i s bei ng fi xed, t hey practi ce
thei r l i nes, or have candi d conversat i ons wi th the
camera crew. You may al so fi nd tra i n i ng vi deos
that are broadcast to government agenci es and
school s around the country. I f you ' re a sports
fan, you ' l l l ove the sports wi l dfeeds, wh i ch are
di rect from the stadi u m broadcasts before they go
back to the network. You ' l l somet i mes fi nd these
wi thout graph i cs, commerci al s, and, more rarel y,
even wi thout the an noyi ng commentators !
News feeds show up a l ot on SBS6 ( 74w) ,
NASA TV i s avai l abl e on 1 1 9w wi t h a ci rcul ar
L NB, and PBS has some network feeds on AMC3
( 87w) . As i de from wi l dfeeds, among the other
programmi ng ava i l abl e on these satel l i tes (espe
ci al l y 97w) i s a t on of forei gn programmi ng. You
can get an i nternat i onal perspecti ve on news, h i t
Bol l ywood movi es, sports that aren ' t normal l y
ai red i n th i s regi on, a n d j ust a h uge dose of i nter
nat i onal cul t ure. The real fun is expl or i ng, so I ' l l
l eave you to i t !
LunC uS un
There are tons of t h i ngs wai t i ng for you to
fi nd them up there. Fi ndi ng somethi ng strange
and i nterest i ng gi ves me an awesome feel i ng,
and I feel better knowi ng that I ' ve expl ored the
system enough to ga i n a greater u nderstandi ng
of the satel l i te wor l d as a whol e. For more i nfor
mati on on the topi c, check out these great l i nks:
Lyngsat Satel l i te I ndex: http : / /www .
-lyngsat . com
Satel l i teguys FTNMPEG Forum:
htt
p
: / /www . sate l l iteguys . us / free
-al r - fta - di s cuss ion/
Shout outs: sxtxixtxcxh, traJ/sb, my lovely wife
Hypher and JemsTV who helped me out with
this article.
Winter 2007-2008
P
g
e 1 7
Over the course of my career i n network
secur i ty, I have come across a l ot of securi ty
tool s, most of whi ch may a l ready be fami l i ar to
peopl e readi ng t h i s art i cl e. Some of you may be
a l ot more adept wi th them t han I am. Wi th t hi s
art i cl e, I am hopi ng t o l ay groundwork for these
tool s whi ch peopl e can then bui l d upon. For
each tool , I wi l l present where to fi nd i t, what it
does, how and when to use i t, and other t i dbi ts of
i nformati on wh i ch may come in handy.
Name: n map
Where: http : / / inseeure . org/nmap/
What: n map ( Network Mapper) is probabl y one
of the most recogn i zabl e names of programs
when i t comes t o network secur i ty. Support i ng
both I Pv4 and ( some) I Pv6, n map has become a
stapl e for anyone worki ng i n network secur i ty. I t
i s most commonl y known for i t s port scanni ng
abi l i ti es and its abi l i ty to customi ze t he scans.
When: nmap comes i n very handy f or a number
of purposes. Vu l nerabi l i ty assessments, penetra
ti on tests, test i ng fi rewa l l r ul es, test i ng ( H/N) l DS
functi ona l i ty, and network audi ts are the mai n
ones wh i ch come t o mi nd off t he top of my head,
a l though I ' m s ure many of you out there have
used nmap for other purposes as wel l .
How: nmap can b e used s i mpl y a s a basi c
port scanner (nmap - sT $target) . Th i s
wi l l perform a fu l l TCP connect scan on most
common ports. Or, i t can be used for somet hi ng
more compl ex: nmap - sN Jl - P O
-- pO - 6 5 5 3 5 ' $target wi l l perform a
NULL ( - sN, no fl ags set) TCP scan, very s l owl y
( -T1 ) , wi t h no I CMP check ( - PO) on al l 65, 5 3 6
ports, wh i l e attempti ng t o guess t h e target ' s
operati ng system based on t he resu l ts. Us i ng
nmap t o test your ( H/N) I DS si gnat ures and the
al ert i ng wh i ch goes al ong wi t h them i s a task
wh i ch wi l l al l evi ate a l ot of headaches when
sett i ng up your I DS to test functi onal i ty. Usi ng
nmap from outsi de your network and attacki ng
your fi rewal l and any stati ca l l y NATed hosts wi l l
hel p you audi t your current fi rewal l pol i cy and
set up. Us i ng some of the advanced opti ons and
scan types wi t h n map wi l l hel p you h i de your
hosts from fi ngerpr i nt i ng attacks.
Name: amap
Esserl t. i

3. 1
uses si gnatures to test appl i cat i on sett i ngs agai nst
a speci fi c port. I f you have ever set up a server,
you know that most servi ces can be re- mapped
to run on a di fferent port. For i nstance, edi t i ng
Apache' s " Li sten Port" di recti ve wi l l al l ow you t o
change wh i ch port your webserver i s on. I f you
change t hi s to TCPI22, some scanners may report
i t as the SSH servi ce. Us i ng amap agai nst t hi s wi l l
tri gger the HTTP si gnature and l et you know what
i s real l y run n i ng on the port. amap supports both
I Pv4 and I Pv6 for test i ng and i s very accurate
wi th i ts resul ts.
When: amap can be used dur i ng VAs, RAs,
Pen Tests and system setups or as a troubl e
shoot i ng tool .
How: Us i ng amap wi t h t he -bqv opt i ons i s a
good start. Th i s wi l l perform banner grabbi ng
and attempt to match agai nst t he si gnature to l et
you know what i s r unni ng on the port you have
con nected to. As a real - l i fe exampl e ( san i t i zed) , I
had a customer who had rebooted t hei r fi rewa l l
a n d i ncomi ngTCP port 2 5 was n' t worki ng. When
I tel neted to the port, I got an odd banner so I ran
amap agai nst i t. Thi s is what I got:
[ root@alice ~ | # amap - bqv
- 9 9 9 . 8 8 8 . 7 7 7 . 666 2 5
Us ing trigger file /usr/ local /etc/
- appdef s . trig . . . loaded 30 triggers
Using response file /usr/local/ etc/
. appdef s . resp . . . loaded 346 responses
Us ing trigger file /usr/local / etc/
M appdef s . rpc . . . loaded 4 50 triggers
amap vS . 2 ( www . thc . org/ thc - amap) started
at 2007 - 06- 2 4 16 , 17 , 3 4 - MAPPING mode
Total amount of tasks to perform
in plain connect mode : 2 3
Wait ing for timeout o n 2 3 connections
Protocol on 9 9 9 . 8 8 8 . 7 7 7 . 666 , 2 5 / t cp ( by
t rigger http) matches smtp- pix -
banner : 2 2 0
* * * *
2
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * * * * * * * * * * *
0
* * * *
0
* * * *
0
* * * * * * * * * * * * * * *
2
* * * * * *
200
* * * * * * * * * * * *
0
*
00
amap vS . 2 fini shed at 2007 - 06- 2 4 16 : 1 7 : 3 4
Not i ci ng that that the banner matches "smtp
pi x, " I was abl e to make the modi fi cat i ons to
the fi rewal l not to proxy i ncomi ng mai l . I re- ran
amap after and got th i s:
Protocol on 9 9 9 . 8 8 8 . 7 7 7 . 666 : 2 S / tcp
( by trigger http ) matches smtp -
banner : 2 2 0 rai l . soredorain . blah Microsoft
ESMTP MAI L Service , Vers ion 6 . 0 . 3 7 90 . 1830
ready at Sun , 2 4 Jun 2007 162 209 - 0400
Where: http : / /www . the . org/the - amap/
Name: hpi ng
What: amap (Appl i cati on Mapper) is a tool whi ch
Where: http : / /www . hping . org
Pa
g
e 1 8 2600 Ma azine
Vhat: Us i ng I he hasi cs of I raceroule, Icptracer
oute uses TO' i nstead 01 the usua l UDP/I CMP
combi mti on of tradi l i ond l traceroute. Some
fi rewa l l s bl ock normal Iraceroute I raffi c hUI wi l l
a l l ow TCP Iraffi c C go t hrough. By us i ng tcptra
ceroute, you can see the path you ' re taki ng on
the port you eXIcl 10 usc.
Vhen: I f you ' re troubl eshoot i ng ;md need to fi nd
the pat h a certa i n packet wi l l t ake on a mu l t i
homed system or a l arge network wi th a l ot of
dynami c routi ng, but the i ntermedi ary rout i ng
devi ces don ' t al l ow regu l ar traceroute, use
tcptraceroute i nstead.
How: Runni ng tcptraceroute $host
-Sport wi l l trace the route usi ng TCP SYN
packets t o the $host on the speci fi ed TCP $port. I t
wi l l fi rst set the TTL t o 1 whi ch i s expected t o di e
at t he fi rst hop and recei ve an error message from
the rout i ng devi ce that the TTL has expi red. The
program records that I P address as the fi rst hop.
I t wi l l then i ncrement the TTL t o 2 so the packet
wi l l make i t past the fi rst hop but not the second.
Th i s process repeats unti l ei t her the maxi mum
TTL, wh i ch defau l ts t o 30, has been reached or
t he port i s reached, ei ther open or cl osed. I f you
don ' t expect the path to be too l ong, Iry us i ng
tcptraceroute - n q 1 - m J L $target
-Sport. The " -n" opti on, usefu l at any ti me, tel l s
tcptraceroute not t o perform doma i n l ookups and
t o gi ve you the I P addresses onl y. Th i s makes the
resul ts qu i cker as the program does n' t spend
ti me l ooki ng up hostnames. Us i ng "-q 1 " tel l s the
program to onl y query the hops once i nstead of
the defaul t three ti mes. Agai n, thi s i s al so usefu l
for al most every t i me. The l ast opti on, "-m 1 5 ",
speci fi es the maxi mu m n umber of hops to use.
The defaul t i s 3 0 and i t can go as h i gh as 2 5 5 . Be
warned: i f you ' re stuck i n an asymmetri c rout i ng
scenari o or are caught i n a dynami c rout i ng l oop,
you may cause some congesti on and headaches
for the admi ns.
Name: grass. pl
Vhere: http : / /www . 2 6 0 0 . com/ code / 2 2 2 /
-grass . pl
Vhat: grass is a Perl program I created (yes, t hi s
paragraph i s a bi t of sel f-promoti on) t o hel p test
stateful fi rewa l l software and connect i ons tabl es
of the fi rewal l s. It supports both I Pv4 and I Pv6
and acts as a TCP "door-j am" to create a 3 -way
handshake. When you ' re ready to cl ose the
the fi rewa l l appeared to change a SYN packet
i nlo d ACK packet. Further troubl eshoot i ng
found t hat the devi ce downstream was a wi re
l ess router wh i ch (for some reason) cou l d onl y
handl e 2 5 connect i ons at a t i me. When connec
ti on 2( came i n, i l woul d us e I he s ame source
port as connect i on 1 t hrough the wi rel ess rouler
and, when i t h i t the fi rewa l l , the fi rewa l l woul d
" hel p" t he packet by changi ng I he fl ags. I created
grass to ai d i n troubl eshoot i ng statefu l fi rewa l l s
O stated connecti ons over TO)
Name: nelcal ( nc)
Vhere: http : / /www . vulnwatch . org/
netcat/
Vhat: I t ' s probabl y easi er t o say what nPlcat
i sn ' t. Netcat ( nc) i s hyped as the "Swi ss Army
Kni fe" of networki ng tool s and i t l i ves up to that
hype. You can use nc for someth i ng as s i mpl e as
creati ng a TCP con necti on or you can be more
advanced by creat i ng 0 server-cl i ent sel up 10
compress and transfer fi l es between two hosl s.
You can have nc l i sten i ng on a server and r un a
program when you connect to i t. The poss i bi l i ti es
are al most endl ess.
How: As much as I want to ta l k a l ot about nc,
I thi n k I shou l d keep i t short as thi s a rt i cl e cou l d
become a book. nc can be used on i t ' s own or
you can put i t i n your scri pts. You can set i t up to
be a server or even j ust a l i sten i ng socket on your
TCP stack. I have taken the fol l owi ng exampl e
from t he nc README fi l e wh i ch i l l ustrates a good
use for nc:
A typical example of something " rsh " is often
llsen for: on one sine,
nc - 1 -p 1234 I uncompres s - c I tar xvfp
and then on the other si de
tar cfp - / some/dir I compress -c I nc
-- w 3 othermachine 1234
will transfer the contents of a nirec/ory fom
one machine to another, without having to worry
about . rhosts files, user accounts, or inetn config
urations at either end.
As you can see, us i ng nc in addi t i on to what
you normal l y do can make l i fe a l ot eas i er. You
can bui l d a basi c automated fi l e transfer program
between two mach i nes wi th a l i ttl e knowl edge
of scri pti ng, some nc and a cron j ob. Netcat
is worth s i tti ng down wi th a pot of coffee and
pl ayi ng around wi th .
connecti on, a IC wi l l send the cl os i ng 3-way
Name: i ke-scan
handshake and cl ose the connecti on .
Vhere: http : / / www . nta - monitor . c om/
Vhen: I f you have ever worked on a statefu l
-tool s / ike - scan/
fi rewa l l at the l ow l evel , you know that they hol d
Vhat: i ke-scan has a name whi ch i s a bi t
con necti on i nformati on usua l l y cal l ed a state
mi s l eadi ng as i t does n' t rel y on I SAKMP on l y;
tabl e or connect i ons tabl e. I f the con nect i on
i t does I PSec scanni ng as wel l . I f you are
tabl e gets fu l l , dependi ng on the fi rewa l l software
performi ng a VA, SA or PenTest agai nst a VPN-
you ' re usi ng, connecti ons may get dropped. Or,
capabl e machi ne, i ke-scan is a must.
i f you try to open a con necti on on an a l ready
How: Us i ng i ke-scan may requi re a bi t of readi ng
establ i shed source port, you may have wei rd
on t hei r wi ki si te to gl ean a good amount of
effects. grass gi ves you the abi l i ty to choose
usage i nformati on. By i tsel f, i ke-scan wi l l go
both the desti nati on and the source port for your
and attempt t o ga i n as much i nformati on about
traffi c.
the VPN target as i t can: I s i t us i ng Aggressi ve
How: I was worki ng on a customer i ssue where
Mode? What encrypti on and has hi ng methods
Winter 2007-2008

Pa
g
e 1 9
are supported? What sort of authenti cati on i s
bei ng done? These ar e j ust a few quest i ons whi ch
i ke-scan wi l l attempt t o answer for you . I n addi
t i on t o performi ng basi c enumerati on, i ke-scan
can be used t o negoti ate ful l VPN connecti vi ty,
though t hi s may not be for everyone to try. I have
found that i ke-scan is very hel pfu l when troubl e
shoot i ng VPN connecti ons, especi al l y when you
don' t control the remote end. Some VPN error
messages from speci fi c vendors can be rather
crypti c (No Val i d SA - Ye ol de gener i c Check
poi nt Error Message) and i ke-scan hel ps gi ve
you good i nformati on i n determi n i ng where the
probl em may l i e. Us i ng i ke-scan i n your VA, SA
and PenTest work i s al so very hel pfu l .
There are a lot more securi ty tool s out there
wh i ch I haven' t menti oned, i ncl udi ng among
Uy lUul
Cunky uVC|3Pgm . Cum
At work t hi s week, I was tryi ng to resol ve
a part i cu l ar l y pern i ci ous bug, so I Googl ed
for the error message and came u p wi t h t hi s :
http : / / www . expert s - exchange . com/
-Programming/Mi sc/ Q 2 0 9 1 4 3 9 7 . html
Experts-exchange - h mm, that' s awfu l l y
cl ose t o ExpertSexChange. com, a nother of my
favor i te webs i tes! E r, not rea l l y.
L i ke many s uch si tes, they wou l d l i ke you r
money before s howi ng you t he sol ut i ons to
the quest i ons posted. B ut u n l i ke other si tes,
Experts- Exchange actu a l l y does s how you t he
sol ut i ons, j u st i n a grayed-out box t hat ' s hard
to read.
When I ' ve come across t hi s s i te i n t he past,
I j ust vi ewed the HTML source, and there
you cou l d read t he answers i n pl a i n text, t hus
savi ng you t hei r $20 year l y fee. B ut t hi s t i me,
t he answers l ooked l i ke t hi s:
"Vg' f abg nf hahfhny nf I bh znxr vg
fbhaq . . .
Not terr i bl y hel pfu l , but I guessed t hat they
were us i ng a s i mpl e s ubsti tuti on al gor i t hm
to encrypt t he text. I qu i ckl y fi red up a text
edi tor, copi ed the encrypted text to a fi l e cal l ed
expert s - exchange . txt, and wrote t hi s
Perl scr i pt:
open ( IN , ' expert s - exchange . txt ' ) ;
my $text

j oin t ' ' , < IN ;

close IN ;
$text " t r { vvGgFf } { I iTtSs } ;
print $ text ;
others h unt, a sessi on hi j acker; thc-hydra, a pass
word audi tor; and thc- i pv6, an I Pv6 attack tool ki t .
Al l of these, and others I haven' t touched upon,
cou l d be put together t o have a book wri tten
about them. I j ust wanted to draw some attenti on
to the ones whi ch I use on a regu l ar basi s and fi nd
most hel pfu l i n my day-to-day securi ty work. I n
other words, i f I di dn ' t menti on $your_favori te_
program i n t hi s art i cl e, I ' m not tryi ng to s l i ght
you, the tool ' s authors, or i ts i mportance. I hope
you fi nd th i s art i cl e usefu l and begi n to expl ore
the uses of these and other programs. Once you
become accustomed to how they work, you wi l l
fi nd yoursel f usi ng them i n a l l sorts of scenar i os
i n whi ch you may not have thought of usi ng them
but i n whi ch they wi l l hel p you out i mmensel y.
I ' m us i ng the " tr" ( trans l i terat i on) operator
to change each V i n t he text i nto a n I, and so
on . I j ust guessed that t he stri ng " Vg' f" was
s upposed to be t he word " I t ' s . "
The res ul t l ooked promi s i ng, so I
j u st kept maki ng guesses. Ul t i matel y my
decodi ng l ooked somethi ng l i ke t hi s:
$text t r{ AaBbCcEeFfGgHhliJj LlM
-mNn O o P P Q q R r S s T t UuVvWWYY z z }
{ NnOoPpRrSsTtUuVvWWyyz zAaBbccDdE
-eFfGgHhl iJj LlMm} ;
Wi th everyth i ng i n a l phabeti cal order l i ke
that, i t ' s pretty easy to see t hat the text was j u st
rot 1 3 -encoded. So, t hi s s i mpl i fi ed Per l scr i pt
took care of decodi n g t he whol e t hi ng:
open ( IN , ' expert s - exchange . txt ' ) ;
my $text j oin ( " , < IN ;
close IN ;
$text " t r{ A- Z } { N- ZA- M} ;
$text t r { a- z } { n- za- m} ;
print $text ;
Now, i n my case, t he decoded text di dn' t
get me any fu rther toward sol vi ng my or i gi nal
probl em t han t he encoded text, but i t was a fun
d i vers i on. You r mi l eage may vary.
Editorial Note: As of press time, we have
been notified that Experts-Exchange has
recently changed its website so that the
ROT- 1 3 decoding algorithm described
here will no longer work. We hope that
our readers will nonetheless find the article
instructive.
Pge 20
2600 Ma azine
Connect ing . . .
An I nt roduct i on
Be ige Boxing
to
by | k u SCn
I ' m goi ng to take a few moments to take
tb i ngs back to the basi cs: I ' m goi ng to teach you
bei ge boxi ng. Bei ge boxes go back to the or i gi ns
of hacki ng, when accessi ng other peopl e' s phone
l i nes hel ped you remai n undetected. US i ng
h i j acked phone I i nes hel ped conceal cri mes that
were commi tted t hrough modem connect i ons.
Bei ge boxi ng i s a sci ence; empl oyi ng i t i n
practi cal si t uat i ons i s an art. Bei ge bOXi ng wi l l
permi t you to connect a phone, l aptop, o r Pal m
Pi l ot to a tel ephone l andl l ne. Whether you are
l earn i ng by tappi ng i nto your own phone l i ne, or
someone el se' s, there are onl y a coupl e of baS I C
parts and tool s you wi l l need t o get started. Once
you ' ve l earned to bei ge box, you can l earn more
about more advanced topi cs i ncl udi ng DTMF
tones, red boxi ng, soci al engi neeri ng, wardi a l i ng,
and wi retappi ng.
So, l et ' s start wi th somethi ng basi c. As I go
t hrough the fol l owi ng exampl es, I expect that you
are al ready fami l i ar wi t h the fol l owi ng th i ngs:
.
you
know what a phone i s, you know how to di al a
phone number, you know what a modul ar phone
j ack i s. I f you ' re usi ng a modem, I al so expect
that you know how to di al wi th that modem and
how t o do whatever el se you want t o over t he
phone l i ne once connected.
Al so, it hel ps to have common sense when
doi ng anythi ng cl andesti ne. I f you pl an to do
anythi ng i l l egal , or anythi ng that you th i nk mi ght
be i l l egal , check you r l ocal l aws and t r y not t o
break them. Bei ge box i ng offenses, I n the eyes
of the l aw, usual l y i nvol ve trespassi ng, theft of
servi ces . Connect i ng to the i nternet by bei ge
boxi ng may be cons i dered a federal offense,
s i nce the i l l egal phone con nect i on wi l l more
than l i kel y cross state l i nes.
you wi l l nCed a phone, and you won' t be doi ng
anyth i ng t o i t.
So choose an appropri ate phone. Obvi ousl y,
the phone you wi l l be us i ng to Bei ge Box wi l l
need portabi l i ty! I f you can ' t use i t wi th one hand
or l ess, don ' t bother wi th i t. A decent hands-free
tel ephone is i dea l .
Fi rst, cu t the phone cord a s cl ose t o on e of
the ends as poss i bl e, so you have a phone cord
wi th a modul ar jack at onl y one end. Next, you
wi l l want to spl i ce the same end of the cord that
was j ust cut. Th i s wi l l expose the two ( someti mes
four) col or-coated wi res i ns i de the cord. We wi l l
onl y b e dea l i ng wi th the red and green wi res, so
i f you al so have yel l ow and bl ack wi res, you can
carefu l l y cut them off.
The obj ect here is that you want to connect
your two a l l i gator cl i ps to the two separate wi res
i nsi de of the phone cord. I wou l d say you wi l l
on l y need to expose the l ast two i nches or s o .f
the outer pl ast i c cover. Th i s wi l l l eave you wi th
two wi res, one rd, and one green, sti cki ng out
two i nches from the end of the cord. Then, str i p a
I i ttl e of the pl asti c j acket off the red and the green
wi res, so you have enough bare wi re to connect
the cl i ps.
Fi nal l y, attach the a l l i gator cl i ps, one to each
stri pped wi re. Now, i t does n' t actual l y l ook l i ke
a box, but you can pl ug i t i nto your one-pi ece
phone. Construct i on is now fi n i shed, and you
have j ust made a bei ge box.
I ' m sure you ' re now wonderi ng what you can
do wi th the box you ' ve j ust bu i l t. To test it out,
l ook for your home phone l i ne' s j u ncti on box. Thi s
i s where your phone l i ne comes i nto t he house
and where i t i s wi red to your home' s tel ephone
wi res. I t wi l l typi cal l y be found on the outsi de of
the house but may be i n a garage or poss i bl y by
your house' s fusebox. I have seen j unct i on boxes
l ocated i n many pl aces, from apartment bui l di ng
1C uSl b m C LCVCCYuu MVC
l aundry rooms to hotel ut i l i ty cl osets, but I ' m s ure
VC| dC. 1C bC gC bux your search wi l l qui ckl y succeed.
A "bei ge box, " or a homemade " l i neman' s Once you have found your j unct i on box, open
handset," i s a s i mpl e tel ephone cord modi fi cat i on. i t up. I f i t has a l ock on i t , use your j udgment
I t i s cal l ed a bei ge box because the fi rst versi on and your common sense. I f you keep readi ng, I ' l l
ever made supposedl y used a bei ge phone. I ' m assume you ' ve got i t open. These are customer
s ure you can l earn more about thi s i f you l ook for boxes, so the person who pays for the phone wi l l
a descri pti on on the Hacker ' s Lexi con. own t he equi pment.
.
Constructi on is s i mpl e. You ' l l need a few What we are ai mi ng for is a br i dge-type
parts: one modul ar phone cord, wh i ch wi l l be con nect i on, a l l owi ng your phone to access the
muti l ated; two sol der-type or screw-type a l l l - l and l i ne. So, you wi l l want to connect your a l l i -
gator cl i ps, preferabl y i ns ul ated; a sol deri n
p
i ron gator cl i ps . I f you ' re smart, you won ' t reach your
or screwdr i ver (accordi ngl y) ; and someth i ng to hand i nto the j uncti on box and fi ddl e around,
cut and spl i ce the phone cord, typi ca l l y a wi re as there i s el ectri cal current fl owi ng through the
cutter wh i ch wi l l doubl e as a wi re spl i cer. Fi nal l y, wi res. It wi l l typi ca l l y be onl y 20 vol ts of di rect
Winter 2007-2008
Pa
g
e 21
current, but if the phone happens to r i ng, you ' l l
get a n i ce "wake- up ca l l , " a s r i ngi ng vol tage i s
around 1 00 vol ts of al ternat i ng current.
Respect i ng the el ectr i ci ty i nsi de of the box
and observi ng reasonabl e safety measures, attach
the a l l i gator cl i ps accordi ngl y: red t o red, green
to green. You may not i ce that green, red, bl ack,
and yel l ow wi res are connected to your four
termi nal s . You wi l l be attach i ng your a l l i gator
cl i ps to the red- and green-wi red termi nal s .
Hopefu l l y your j uncti on box i s wi red t hi s
s i mpl y. I f t hi s i s not t he case, remember t he r ul e:
ri ght red r i ng, l eft green t i p. Or, mor e s i mpl y: r i ght
red. Some boxes are wi red th i s way i nstead of
us i ng col ored wi res. So attach your red wi re wi th
the ri ght termi nal (wh i ch i s usual l y a screw) and
your green wi re to the l eft termi nal ( al so a screw) .
Correct l y attached, wi th a phone pl ugged i n, you
shou l d get a di al tone. Th i s means success.
You can connect your bei ge box to any phone
l i ne whi ch you can access . You can expand t hi s
t o network j uncti on boxes, whi ch ar e the ugl y
green boxes l ocated i n res i denti a l areas, and to
buri ed phone cabl e l i nes i f you can match the
correct wi res together. You may be sur pr i sed to
see how many phone l i nes are grouped together
i n one l ocat i on.
Now what you do wi th i t i s up t o your i magi na
t i on, and i s onl y l i mi ted by the l aws of el ectr i ci ty.
An FM transmi tter can be attached to a phone
l i ne. So can audi o i nput and output connectors
and a mu l ti tude of other devi ces and appl i ca
ti ons. Bei ge box i ng s i mpl y taps i nto a phone l i ne.
After that, there' s not much of a l i mi t.
A note to those who are u nfami l i ar wi th
UC|CC|Cu (k duUuy)
ll//www. duUuy.Cum/
technol ogi cal tamperi ng: th i s devi ce i s not
meant to harass the AT&T operator, enemi es, or
ex-gi rl fri ends. I t i s not meant as a tool to sta l k
someone or t o l i sten t o pr ivate phone ca l l s. I t
i s not i ntended t o do any damage, physi cal or
emoti onal . I t i s a tool for l earn i ng about the phys
i cal aspects of and poss i bi l i ti es of th i s technol ogy.
L uSS|y u1C|mS
Dual -Tone Multi-Frequency (DTMF) Tones:
The tones emi tted by a touch-tone tel ephone or
a devi ce modi fi ed to emi t such tones. As wel l
a s di al i ng phone numbers, they are al so used
to control tel ephone equ i pment, i ncl udi ng el ec
troni c swi tchi ng equi pment and payphones.
Red Box: A modi fi ed DTMF tone di al er that
generates the tones whi ch tel l a payphone that a
quarter, di me, or ni ckel has been deposi ted. Si nce
i ts di scovery, the poss i bi l i ty of red boxi ng has
been wi del y el i mi nated by tel ephone company
countermeasures.
Social Engineering: Acqui ri ng i nformati on
through mani pu l ati ve soci al i nteract i on.
Wardialing: The act of di al i ng phone numbers
i n a sequence to search for tel ephone numbers
wi th i nterest i ng properti es or for phone l i nes
connected to modems.
Wiretapping: Recordi ng or transmi tt i ng the
conversati on taki ng pl ace over a phone l i ne,
i n order to l i sten to conversati ons and gather
i nformat i on.
Lineman' s Handset: A devi ce used by tel e
phone company repai rmen to connect to a
phone I i ne for test i ng purposes. A professi onal
and feature-en hanced versi on of the bei ge box.
my knowl edge, thi s wi l l permanentl y remove the
U3 wi th no way of rei nsta l l i ng i t at a l ater date.
Doi ng th i s wi l l make the rest of t hi s arti cl e i rrel
evant. Pl ease note: i n no way am I resfonsi bl e for
you breaki ng your drive as a resul t 0 the proce
dures bel ow.
When I fi rst i nstal l ed my new fl ash dri ve, a
sandi sk Cruzer Mi cro 2GB, I found the appl i cati on
that was autol oaded, Launchpad, to be a bi t cl unky
and cumbersome. Of course, I was usi ng an ol der
machi ne at work whi ch was at end of l i fe cycl e a
bSC nu|mlun
year pri or. The graphi cal features were ni ce, and
There are some basi c t hi ngs you shou l d know
the concept was fantasti c; to me, it seemed to be
about the U3 Smart Dri ve. The U3 comes pre-part i -
an attempt at a portabl e operati ng system i n that
ti oned; most of the devi ce i s a FAT parti ti on wi th a
you coul d transport al l of your appli cati ons, whi ch
h i dden SYSTEM fi l e. SYSTEM i s where al l of your
woul d remai n on the dri ve. Even so, the removal of
programs are stored. The l ast four to si x megabytes
the addi ti onal dri ve became necessary, as my posi -
or so are al l ocated t o an 1 50-9960 parti ti on that
ti on requi red hoppi ng from machi ne to machi ne.
emul ates a CD- ROM dri ve. Wi thi n the CD-ROM
Wai ti ng for the dri ve to i nstal l each time meant
parti ti on, there is an autorun. i nf whi ch ki cks off the
wasti ng ti me.
i nstal l ati on of the Launchpad. The Launchpad i s the
Whi l e th i s arti cl e i s not a tutori al about U3
mai n program for management of the appl i cati ons
removal , you can go to http : / /www . u3 . com/ i nstal l ed on the dri ve, as wel l as for fi l e manage
"uninstal l l to remove the U3 i f you want. To
ment and data encrypti on. The U3 runs on ( al most)
P
g
e 22
2600 Ma
g
azine
any PC run n i ng Wi ndows 200 SP4+, XP OVi sta.
Some of the U3 ' s features are portabi l i ty and
t he fact that you don ' t need admi n r i ghts t o i nsta l l
new software. Some of the negati ve aspects are the
need for two separate dri ve l etters, trace fi l es that
are somet i mes l eft on the host PC after i mproper
removal , and the wai t ti me needed for the i n i t i al
i nsta l l ati on of the U3 ( i n s ome cases, up t o
mi n utes from personal experi ence) .
The CD-ROM part i t i on on the San Di s k Mi cro
cannot be wr i tten to l i ke a nor mal CD. There is some
amount of reverse engi neer i ng i nvol ved; however,
if you can r un Magi cl SO, by the end of th i s short
art i cl e, you s houl d be abl e t o re-wr i te you r U3. I
began l ooki ng for ways to remove the dr i ve and
found var i ous other tool s that I cou l d use.
1uu S PCCdCd
Fi rst, you wi l l need to downl oad LPl n
stal l er. exe. LPl nsta l i er i s requi red t o wri te to
the CD- ROM part i t i on. You can downl oad
t hi s from http : / /www . sandi sk . com/
"Retail /Defaul t . aspx?CatID=1 4 1 1 0r you
can vi si t my si te at http : / /www . dohboy . net.
Second, you wi l l need t o wr i te an I SO that the L Pl n
sta l l er wi l l us e t o ' bur n' t o t he U3 ' s CD- ROM. You
can do t hi s wi th the hel p of Magi ci SO (http : / /
. www . magiciso . com/) . Even if you do not
have the ful l versi on, the tri a l versi on a l l ows you to
create an i mage s mal l er than 400MB. That ' s i t.
KC-Wf l nglC L3
Some have tri ed t o rewr i te t he U3 by craft i l y
us i ng L i nux; some have attempted th i s us i ng some
fancy host fi l e modi fi cati on to mi mi c San Di s k' s
web server, but al l you rea l l y have t o do i s save the
i mage you have created as " cruzer- autorun .
"i so" i n the same di rectory as the LPl nsta l i er. Once
the LPl nsta l i er i s run, i t wi l l grab the "cruzer
"autorun . i so" and u s e i t, s i nce i t bel i eves th i s
fi l e has a l ready been downl oaded. I f t he fi l e i s not
i n that l ocati on and t here i s an i nternet connecti on
ava i l abl e, LPl nsta l i er wi l l go to the SanDi s k webs i te
and downl oad the most up to date vers i on of the
Launchpad. You can see what Launchpad tri es to
connect to us i ng ethereal . There is a l i mi tati on to
the s i ze of the i mage: 6. 2MB. I have tri ed l arger but
onl y got errors.
Remember, the i mage must be named cruzer
"autorun . iso and e i n t he s ame di rectory as
LPl nsta l i er. LPl nsta l i er wi l l wr i te t he . i so f i l e t o t he
fl ash dr i ve' s CD- ROM part i t i on. I probabl y don ' t
have t o menti on i t , but make s ure the U3 i s actual l y
pl ugged i nto the computer before r unni ng LPl n
stal ler. I n my l i ne of work, I am used to worki ng
wi t h t he l owest common denomi n ator.
[AutoRun]
1 S
autor un . i nf
open " program . exe "
i con . \dohboy . i co, O
Save the above i nformati on, repl aci ng program.
GXG wi th any gl oba l l y-executabl e appl i cati on on t he
host machi ne or any appl i cati on on the U3 parti
ti on. For i nstance, i f you have an appl i cati on on
the U3 cal l ed haxor. exe i n the root di rectory of the
CD- ROM parti ti on, you woul d reference i t us i ng
= \haxor . exe. Autorun . i nf must be i n the i mage' s
root di rectory, j ust l i ke wi t h any autor un f i l e.
Vi sual Basi c Scr i pt, t hough i t i s s l ower and
ugl i er, i s my code of choi ce. These fi l es are easy
to create and can be l aunched as l ong as wscr i pt
or cscri pt is on the host mach i ne. If they are not,
ei ther can al so be wri tten to your part i t i on; you are
onl y l os i ng 1 1 2 KB by doi ng so.
m CmCnllunS
Thus far, I have wr i tten var i ous scri pts and appl i
cat i ons for t h e U3 wh i ch make my j ob easi er and my
l i fe more fun . One such scr i pt wi l l a l l ow me t o track
my U3 i f i t i s l ost or stol en. Th i s was done us i ng the
get Info . vbs scr i pt ava i l abl e i n the 2 600 code
repos i tory or on my webs i te at http : / /www .
"dohbay . net . Th i s scr i pt wi l l send me an emai l
wi t h the l ogi n, doma i n, l ocal I P address, publ i c I P
address, regi stered owner, a n d other i nfor mat i on of
anyone us i ng the l ost or stol en U3 . Thi s i s onl y i f
t he user i s currentl y connected t o t he i nternet and
has no l i mi tat i on on t hei r abi l i ty t o connect t o my
SMTP server. I pl an on devel opi ng a free servi ce
that wou l d a l l ow a user t o t r ack thei r U3 i n the
event that i t was l ost or stol en vi a my websi te. I t i s
a work i n progress.
I t mi ght a l so be poss i bl e to wr i te scr i pts t hat
woul d a l l ow you to pol l the system for i nfor ma
t i on and wr i te i t t o a fi l e l ocated on the FAT part i
t i on. How i s t hat pos s i bl e i f the dr i ve l etter coul d
be di fferent from machi ne t o mach i ne? Make the
scr i pt search for a fi l e from a l l poss i bl e dr i ves and
append i nformati on when found. Var i ous other
scr i pts l i ke thi s can be found on my si te as wel l .
Another i mpl ementat i on of mi ne was a
keyl ogger. I used C++ to create an i nvi s i bl e appl i
cati on cal l ed squ i d. exe ( I mi ght post t hi s on my
websi te) that l ogged keys. The way i t worked was to
l oad upon l aunch and l og keys. Once the t humb
dr i ve was pl ugged back i nto the mach i ne, s qui d
woul d know that the dr i ve was pl ugged i n aga i n,
and wou l d search for a speci fi c f i l e i n the root of
the FAT part i t i on. After the fi l e was wri tten, squ i d
wou l d exi t wi t h garbage cl eanup. No f i l es on the
host computer wou l d be created.
For fun, rewr i te the autorun . inf to open a
shutdown sequence. (for exampl e: "shutdown ~ 1
. - t 0 0 ")
LunC uS un
Whi l e some of these i mpl ementat i ons are fa i r l y
tame, there are potent i al l y far more dangerous
scr i pts and programs that can be wr i tten. My squ i d
was a fai r l y s l ow appl i cati on s i nce I onl y wrote i t
t o test what I coul d do. Whi l e i t performed as I had
pl anned, i t cou l d have been opti mi zed to be qui te
a bi t faster and r un wi thout us i ng as many system
resources.
Whi l e t hi s arti cl e focused mai nl y on the San Di s k
because of i t s vul nerabi l i ty wi t h LPl nsta l l er, there
i s a poss i bi l i ty t he parti t i on on any U3 coul d be
rewr i tten. Mor e i nformati on on hardware, such as the
HDK, mi ght be obtai ned by ema i l i ng l i cens ing@
"u3 . argo Have fun wi th your U3 and try not to
get in troubl e us i ng i t.
The scripts mentioned in this
article can be downloaded from
the 2600 Code Repository at
http: //www. 2600. com!code/
Winter 2007-2008
P
g
e 23
1 I
u.
Uy SlCV
I ' m wri ti ng thi s art i cl e to i nform the readers
about the potent i a l i nsecur i ti es of t hei r wi re
l ess phone servi ce. I used to work for Ci ngul ar,
so most of t hi s i nformati on wi l l appl y di rect l y
t o t hei r servi ce. That ' s not t o say t hat t hi ngs are
any di fferent wi th other provi ders, but I have no
speci fi c i nter nal experi ence wi t h t hem. I ' d al so
l i ke to remi nd the readers that t hi s i nformati on
s houl d be used as a gui de to further secure access
to your own wi rel ess phone servi ce account and
not t o breach t he secur i ty of others.
Ci ngul ar has changed i ts name to AT&T s i nce
I or i gi nal l y started wr i t i ng t hi s art i cl e. That ' s the
onl y t hi ng that has changed, so t hi s does not
make t hi s art i cl e usel ess and does not mean that
your account i s any more secure.
Wi rel ess carri ers store a scary amount
of personal i nformat i on about each of t hei r
customers. Even scar i er, every support repre
sentati ve has access to t h i s i nformati on s i mpl y
by pl uggi ng i n any bi t of i dent i fy i ng i nformati on
about you or your account . Among other opt i ons,
thi s can be your name, date of bi rt h, soci a l secu
r i ty number, address, home phone n u mber, or
cel l phone number. J ust about a nyth i ng speci fi
cal l y rel at i ng to you can be used to pu l l up even
morc i nfor mat i on about you. Even worse, much
or a l l of t h i s i nformat i on can be used by anyone
that cal l s i nto the support department to change
i nformati on on your accou nt, add servi ces, or
remove servi ces. That l i st goes on and on too.
By defaul t when you cal l i nto AT&T customer
care and reach an operator, genera l l y after hours
of hol di ng, you ' re asked to confi r m your wi re
l ess number. Thi s genera l l y comes up automati
ca l l y on the screen, whi ch i s cal l ed t he "screen
pop" i nter nal l y. Al ong wi t h that i s the fi rst screen
that the representati ve must cl i ck t hrough after
they' ve confi rmed your access to the accou nt.
They' re supposed to cl i ck wh i ch of the secu
r i ty meas ures was used to veri fy your i denti ty.
Representati ves are tol d to ask for t he l ast four
di gi ts of t he soci al secur i ty number, t hough wi t h
enough compl ai n i ng you can genera l l y get them
to gi ve you access to the accou nt by provi di ng
the b i l l i ng address on f i l e. Great!
After the representati ve has cl i cked t hrough,
confi r mi ng t hat your i dent i ty has been veri fi ed,
a l og entry i s pl aced on t he account s howi ng
whi ch representati ve accessed t he account and
when. Th i s can be eas i l y bypassed by cl i cki ng
t he "cancel " button l ocated on t he screen pop
wi ndow, or by accessi ng t he i nter nal database,
Tel egence, di rect l y and not t hrough the i n i t i al
veri fi cati on system, t he name of whi ch escapes
me. Many representati ves do t hi s i f they're
l azy. Tel egence i s where a l l of the goodness i s .
The search featu re a l l ows the agent t o pul l up
accou nts us i ng any of t he i dent i fy i ng i nforma
t i on ment i oned above. You can genera l l y pi ck
out a l azy representati ve as one t hat asks you
t o confi rm your phone n umber i f you entered i t
when cal l i ng i n or i f you pressed 1 t o confi rm
the ca l l er 1 0.
A qu i ck note about notes ( hal ) : even t hough
representati ves may make notes on accou nts
and even t hough the system sti l l makes notes
automati ca l l y for j ust about every act i on taken,
they don't rea l l y mean anyth i ng good for you.
Genera l l y notes are a pl ace where representa
ti ves expl ai n to other representati ves t hat may
fi el d your cal l l ater whether or not they s houl d
bel i eve what you say or go out of t hei r way to
hel p you . Di d you get a ngry wi t h a previ ous
representati ve or sound frustrated? Yeah, t hat ' l l
probabl y fol l ow you for t he l i fe of your accou nt.
The l i fe of an AT&T representati ve i s not a fun
one and each day rea l l y drags al ong. You hear
the same t hi ng nearl y every cal l and get yel l ed
at nearl y every cal l . The onl y way for representa
ti ves to get back at you wi t hout gett i ng fi red i s to
make your notes sound l i ke you were as u nco
operati ve as poss i bl e. And they wi l l .
I n addi t i on t o i nformati on stored el ectroni
cal l y, AT&T cal l centers al ways have pages
and notepads fi l l ed wi th i dent i fy i ng i nforma
t i on l ayi ng around. Representat i ves are tra i ned
to wr i te down speci fi c i nformati on gathered
when on a cal l , i n order to prevent havi ng to
ask a customer aga i n . Thi s i ncl udes credi t card
numbers used for payments over t he phone.
Thankfu l l y, securi ty at t he cal l centers t hem
sel ves i s fai r l y good (seri ous l y) , but vi s i tors ar e
a l l owed t o be escorted t hr oughout the bu i l di ng
by any empl oyee. Techn i cal l y, guests are not
a l l owed i n the work area, but t hi s ru l e i s l argel y
i gnored. Badges must be di s pl ayed at al l t i mes
and I ' ve actua l l y had secur i ty questi on me when
mi ne had si mpl y fl i pped around. Kudos for that.
Unfortunatel y, k i ndness i s what breaks t h i s down.
I t ' s qui te easy to gai n access to a cal l center i tsel f
s i mpl y by enteri ng dur i ng t he morni ng rush,
when everyone el se shows up for work. Despi te
the extensi ve vi deo-based tra i n i ng advi s i ng that
empl oyees are to watch out for "ta i l i ng" t hrough
t he entrance, i t ' s human nat ure to hol d t he door
open for you r fel l ow representati ve as they come
P
g
e 24 2600 Ma
g
azine
to the door after you . Everyone does th i s . Th i s,
coupl ed wi t h sensi ti ve customer i nformati on
ava i l abl e on j ust about every desk, l eads to the
potent i al for di saster.
Let ' s assume physi cal access, though, i s
hard t o get, but t he fact that you r i nformati on
i s ava i l abl e to a l l representati ves opens a new
door for a nyone to get or change th i s i nforma
ti on. A n umber of news art i cl es have recentl y
been publ i shed whi ch show how easy i t i s to
buy i nformati on about a nyone' s soci al secur i ty
n umber or address. Th i s wou l d a l l ow the defeat
of both secu ri ty measures in pl ace by AT&T. Even
i f you don ' t have th i s i nformati on or don ' t want
to pay for i t, l osi ng you r phone i s a great start to
gi vi ng up control of your phone servi ce.
Many peopl e don ' t th i n k t o cal l i n and have
thei r phone s uspended i mmedi atel y, so there' s
a great chance that di al i ng 611 (for customer
servi ce) on a found phone wi l l be about the most
effort needed to gai n access to an account. The
automated phone prompt speaks back the phone
n umber ( wri te th i s down) t hat ' s cal l i ng, savi ng
you from havi ng to cal l yoursel f to f i nd the phone
n umber and pl aci ng your phone n umber on that
customer ' s cal l l og. Th i s answers quest i on #1 by
the representati ve, "What ' s the wi rel ess n umber
you ' re cal l i ng i n reference to? " Rarel y, some
representati ves wi l l ask for the fu l l name of the
person that' s cal l i ng. I t' s for l oggi ng purposes
onl y and gets entered i nto the notes of the wi re
l ess n umber ' s accou nt; access i s not restri cted on
a per- name basi s. I f th i s happens, you can gener
a l l y gi ve any name you ' d l i ke and sti l l proceed
t hrough the ver i fi cati on process. Next, you ' l l go
t hrough the authenti cati on process descr i bed
above. Remember t hat knowi ng the vi ct i m' s
address i s us ua l l y enough t o get t hrough. Once
veri fi ed, the account is yours. You ' re free to add
or remove servi ces, change contact i nforma
t i on, change wi rel ess numbers, request that cal l
records b e mai l ed to an address, o r anythi ng el se
you l i ke. Everyth i ng can be done over the phone
once you ' re "veri fi ed" .
You mi ght be wonder i ng exact l y how you ' d
get someone' s address, especi al l y i f you j ust
found a phone l yi ng around. That part is actu
a l l y s urpr i s i ngl y easy. Headi ng i nto an i ndepen
dent AT&T deal er wi th the phone number for the
account i s enough . Remember to ca l l 611 and
l i sten for t he phone n umber t o be repeated, s o
you don ' t have t o have t o cal l any of your phones
and have the n umber l ogged i nto thei r ca l l l og.
I f you di d cal l your own number, the l ogs wou l d
be kept not j ust on t h e phone, bu t al so on the
computers used by AT&T to mon i tor mi nutes,
usage, and on the l i st mai l ed to customers each
month as part of thei r bi l l .
You c a n genera l l y di st i ngui s h a deal er from
a corporate store by the actua l name of the
company run n i ng the store l i sted on or around
the Ci ngul ar/AT& T l ogo on t he door or wi ndow.
Otherwi se, you can al ways ask a representa
t i ve as they' re supposed to truthfu l l y answer the
questi on.
Deal ers are genera l l y u nderpai d representa-
t i ves for a t hi rd-party company wi th no rel at i on
t o AT&T other t han t hei r resel l er status. They
usual l y care about nothi ng more t han gett i ng you
to upgrade you r text message package or addi ng
i nternet access as they make a l arge chunk of
commi ssi on off of "extras. " Wi th that comes a
l ack of care for the secur i ty of accounts. I guess
that they assume that j ust knowi ng the phone
n umber on an account and that the servi ce i s
fr om AT&T i s a uthenti cati on enough for t hem
and that th i s i nformati on al one shou l d provi de
access t o the account. Next, as ki ng t o veri fy t he
b i l l i ng address on fi l e for the account shou l d
be enough t o get them t o tel l you . Wr i t i ng t hi s
down wou l d be a bad i dea, s o try t o remember
i t. I ' m s ure you cou l d al so get them to gi ve you
the soci al securi ty n umber by stati ng you tri ed
to cal l and the numbers you gave were deni ed,
so they tol d you to come i n to a store and have
i t changed.
Then a l l you need to do is ca l l customer care
agai n, address i n brai n, and you ' ve successfu l l y
penetrated t h e deep defenses of AT&T.
A ( semi -) great way to prevent a l l of t hi s
from happeni ng i s t o pl ace a password on the
account. Th i s password supersedes any other
form of authenti cati on at l east, i t' s supposed to.
Provi ded the representati ve over the phone rea l
i zes that there i s a password on t he account, the
account can not be accessed wi thout knowi ng
t hi s password. Unfort unatel y t he onl y way a
representati ve knows t hat a password is on a n
account i s by t h e sma l l , unbol ded red text that
appears as one of the authenti cati on methods
l i sted when you fi rst cal l i n. Unfortunatel y, the
system does n' t requ i re that th i s method be used,
and representati ves are more i n touch wi th t hei r
rout i ne and are to preoccupi ed wi t h the need to
handl e as many ca l l s as poss i bl e in one day ( ca l l
stats matter, you know) even t o noti ce i t most
of the t i me. Pssworded accounts are commonl y
accessed wi thout the password over the phone
due t o the i nattenti ve representati ve on the l i ne.
Scary! I t' s the onl y access control that you can
pl ace on your account, though.
Even i f you do a l l that you can t o protect your
account, you can ' t compensate for poor corpo
rate teach i ng. Encouragi ng representati ves to
wri te down personal i nformati on for customers
they deal wi th is bad pract i ce. I ' d much rather
have to repeat my i nformati on t han have i t l yi ng
around on someone' s desk for the pryi ng eye or
u nwanted vi si tor to see. The contracted cl ea n i ng
crews that come i n n i ghtl y probabl y don ' t
care about you r pr i vacy ei ther, and fu l l credi t
card numbers wi th names and addresses are
readi l y ava i l abl e for t hei r vi ewi ng as they cl ean,
u nwatched, each n i ght.
I hope that thi s art i cl e has proved usefu l to
everyone wi th a cel l phone. They' re not qu i te
as secure and pr i vate as everyone i magi nes and
expects t hem t o be. Wi t h better tra i n i ng, better
pay, and stri cter h i ri ng standards, AT&T cou l d
pretty eas i l y change th i s around and greatl y
i ncrease the protecti on they provi de for thei r
customers ' personal i nformat i on.
Winter 2007-2008

P
ge 25
^y UO3I |CCCOI COO|OOI3I | OO | 3IC Hack- Tc C3|3 l CO-
v| I| v|3I | IUC3O3IO UC3 |3CkC| Ab/||, v| | C 3I| | | | 3 OOC O I|C
3I3|ICG | O ^3|C| O Z O, 3IC| l | 3|_C| l b|3 | O 1|C CI|C| | 3OG3.
vCOII OvOIC O| I |C | OC3| COu OC| | l _uC33 l UCC3UC 3|I O I|C
O /U3IC|G3U. /I I|C O| | | O_ |3CkC| COUUu O | Iy 3OUCI | UC
3I3I | OO, l |3GIO u3C 3 U|3OG OCv Gu| | O_ I|C C3| | y ! b3 v| | | C
C| CCI|OO| CvOI | O_U3C| | OCI|3I I|C | 3y| O_ v| I| Uy 3I|C|3 3
C| I v33 |COI| O_ |OU 3 COU3Oy U3uG 3COu3I| C UOGCU, 3| I |Ou_|
C3 | CG bGu . l O 3CI, /U3IC|G3U 3|u3U| y l v33 |3Ck| O_ UCO|C -
|3G COOI|3CICG I|C COI| |C C| CC- vCO l v33 3O| GC| | O_ |^ I|3O3-
I | OO 33 3 I u| OkCy 3C|v| CC. bGuv33 U| IIC|3 IO_CI|C| v| I| 3 | | COG 3I
CvCO I|3 | O | O_ I|C O| | -vO|kC|3 . 3_C ! Z . buI 3IC| |C3G| O_ bICvCO
1| | 3 ' vOI| O_ U3C| | OC' v33 | O |Cvy` 3 UOOk Hackers, Heroes of
3CI 3 COUuIC| v| I| 3 IOuC| the Computer Revolution, l kOCv
3C|CCO |u O O | O_ V| OGOv3. 1O v|3I l v33 3OG I|3I l v33 IO UC
U3kC U3IIC|3 vO|3C, | O3 | GC C3C|
[
3|I O 3 _| OU3| COUUu O | Iy, CvCO
COUuIC| v33 3 ||Kb v| |C| C33 | l COu | G OO| y kOCv 3 Cv OI|C|
UOGCU I|3I 3COI I|C C| CCI | OO |3CkC|3 3|OuOG UC. l U3_| OC Uy
|C3u | I3 IO bGu, v| | C| | O I u| O IO| G |C| | Cv|CO l vCOIIO |3Uu|_O|
I|C C| Iy. l |3G OOI UCCO U| | OG IO I|C ! bb ||3O3 |OUUuO| C3I| OO
I |C|OU| CU3O C| CCI|OO| CvOI | O_ |OO_|C33 I O | OG 3 Cv |uOG|CG
UCO|C, UuI OOv l v33 |3v| O_ Uy OI|C| |3CkC|3. /IC| I|3I l v33
3CC |uUUCG | O | I. /OG | I | u |I. |OOkCG, 3OG Uy ! b l v33 OOC
|C| |33 l 3|Ou | G Qu| Ck| y O I|CO|_3O| ZC|3O I|C| |3I | u|O-
| OI|OGuCC Uy3C| . ^y O3UC | 3 C3O |3CkC| CvCOI. I|C |3| 3CI| C
KO |OO_|| 3OG l ` U 3 |uIC| |3CkC| |3|Iy. |OO_ 3OG O|U3I| vC
O3I| OO3| fl O | | vC3 | O /U3IC|G3U, yC3|3 O C| O|3I| OO, U3y|CU,
1|C CI|C| | 3OG3. bOUC O yOu 3OG U| 3C| | C O| | OvCG, Gu| | O_
v| | | kOOv UC 33 l |3vC UCCO v| | C|, 3UOOU3OyOI|C| I| | O_3,
UCOI | OOCG | O I| | 3 U3_3Z| OC 33 vC Ou OG 3O 3 |3|CG U3Oy OCv
vC| | 33 UCCO 3 |C_u | 3| _uC3I OO 3OG | OIC|C3I | O_ v3y3 O U3k| O_
Of The Hook O| 3| UO3I 33 | OO_ |CC |OOC C3 | 3 . /OG v|CO vC
33 I|C 3 |Ov |33 C| 3ICG. l U OOC OI Ou| |3OG3 OO I|C kCy3 IO
O I|C U3| O O|_3O| ZC|3 O| I|O3C IHC OuC| C3| UuOkC|3 I|3I C| 3ICG
|uIC| |3CkC| CvCOI3 | | kC |3| 3CI| C u OGC| OC3I| 3OUC3 uUv3y 3I3I| OO3
|3CkC| |3|Iy, |3Ck| O_ 3I I |C | O/U3IC|G3U, vC|OUI | yO|_3-
|OG O I|C |O | vC|3C, |/| Z ! , O | ZCG IOu |3 I|C|C O| 3| | Ou | | | COG3
CIC. bCIvCCO ! b 3OG ! 3 l 3OGI|C| || | COG3. buI CvCO UC| | OG
uU| | 3 |CG Hack- Tc, 3 U3_3Z| OC I|C _|C3IC3I U| 3C| | C v33 I|C
OOI u O | | kC 2600 CCCI I|3I | I UOI| v3I | OOIOCGuC3IC, IO3|3|CO
v33 v| | IICO | O |uIC| . |u| | O_ I|C I|C U| OG3 O C| | Ov |3CkC|3 3OG
Pge 26 2600 Ma azine
OI|C Ou | 3I | OO 3I | 3|_C. |3G, UuI I|C v33I U3 O| | Iy v33
Ab/| |, I|C l OIC| OCI |Ov| GC|, u3 | O_ 3O O| GC| 3y3ICU U3GC Uy 3
v33 UuC| UO|C 3 O| | I | C3| 3I3IC- COU3Oy C3| | CG CG3. V| | | C l
UCOI I|3O 3OyI| | O_ C| 3C. 1|C 3IuG| CG I|C | C_3 | |Cu | |CUCOI3O|
l OIC|OCI U3Ck I|CO vOu | G OCvC| C| CCI|OO| C vOI| O_, l UCC3UC CvCO
U3kC 3Oy UOOCy. v3y IOO G| | - UO|C COOv| OCC I|3I 3 | | O I|C3C
Cu | I 3OG |C3ky O| I|C _COC|3| U3C| | OC3 ' I|3I vC|C 3| | | O 3CI
Ou| 3I | OO . l | CI Ab/| | | O 1 997 COUuIC|3) OCCGCG IO _O | vC
3OG 3I3|ICG 3 COUuIC| 3CCu- vC|CIO |3vCI|3O33|COI3OGvC| | -
| | Iy COO3 u| I3OCy, 3OG I|CO 3IC| | 3U| C C| CCI| OO3 . 1|C |C_u | 3I| OO3
I|3I 3 COU3Oy I|3I Uu| | G3 vO| CC I|C3ICG I|C3C 3y3ICU3 33 | I|Cy
COC|yI | O_ UOU| | C |OOC3. bu I l vC|C | OGCCG UC|C U3C| | OC3.
kCI _O| O_ IO |3CkC| CvCOI3 3OG 1|Cy vO| | | CG 3UOuI I|C 3UOu OI3
CO-O|_3O| Z| O_ Ou| OvO CvCOI O |uU| G| Iy 3OG v| U|3I| OO I|Cy
CvC|y Ou | yC3|3 . COu | G v| I |3I3OG 3OG I|Cy U3GC
|33I O|v3|G IO 2006 3OG 3 u|C OOUOGy vOu | G _CI 3 |OCkCG
I|C | OC3| C| CCI| OO3 . l v33 3O_|y |OU IOuC| | O_ OOC. |OUuIC|
UCC3u3C l C| I Uy C| CCI| OO |3G 3CCu|| Iy v33 O` I CvCO UCOI| OOCG.
UCCO 3IO| CO. 1|C|Cv33 OO v3y IO buI I|C U| __C3I |OU| CU v33 O` I
OU3C|vC 3 COu OI, OOC u3I |3G IO I|C | 3CkO3CCu| | Iy, |I v33 I|C | 3Ck
UC| | CvCI|3II| | 3 v| |C| C33-CQu | CG O I|3O3j3|COCy. VC _OI IO_CI|C|
U| 3Ck-UOV| OGOv3 U3C| | OCv33 3 3U3 | | _|Ou O || kC- U| OGCG
COu OI| O_ |OOC3I | y. l k|Cv 3 | | II | C CO| C 3OG 3I3|ICG | 3O O | O_ 3
U| I IOO UuC|3UOuII|C | | 3k3 333O- C3U3| _O.
C| 3ICG v| I | COUuIC| ICC|OO| O_y 1|C|C |3G UCCO |Cv| Ou3
I O _O 3| OO_ v| I| I|3I. l v33 O` I 3IICUI3 I O |3| 3C I |C QuC3-
I|C OO| y O|C v|O v33 3O_|. ^y I| OO O I|u3IvO|I| | OC33 | O |C| 3-
| O|_I | UC|| C|G b3||y C3UC OUC I | OO IO vOI| O_ U3C| | OC3, UuI I|C
|OU I|3I ^3|C| 2006 C| CCI| OO ^| | | 3I|y O I|C l OIC| | O| v33 u3CG
v| I| I|C C3CI 33UC 3IO|y I|3I l IO 3| |I | |_ I|C OOOC|I3 O
|3G COUC |OUC v| I| . I|y| O_ IO C| CCI|O|| CvOI | |_33 ICC| |O|OUC
|C33O| v| I| O| | -vO|kC|3 v|O |uGG| IC3. || vC| I|3I |3| O Ou|
C| C3| | yC| I I|3IO|| yI |CUCG| C3 | | y _|Ou CO|3 | 3ICG O || -ICC|- Ov| O
3|3|O| G vOu | G G| 3I | u3I 3uC| 3 3CkC|3, I| | 3 v33 3O 3|O3C
vOOGC|u | 3 | | |y UO. V|C| vC I|3I v33 |` I _O| |_ IO vO| k I| | 3
UCI | 3IC| I|3I G3y, vC vOvCG IO I | UC. |u| | |_ I|C OCI yC3| 3|G 3
OOI O|| y_CI U3G UuIIO GO 3OUC- |3| vC U3|3_CGIO_CII|C3IIC|-
I| | O_ 3UOuI | I . I | OO O I |C UCG| 3. VC C| 3| UCG
buI I|3I v33 |` I _O| |_ IO UC 3 | | I|3I I|C CG3 U3C|| |C3 vC|C
I|3I C33y. UyI|CI| UC/U3IC|G3U COUuIC|3 3|G OOI GCG| C3ICG
|3G _OIIC| C| CCI|O|| C vOI| |_, |3|Gv3|C '33 I|C U3|u3CIu|C|
| I v33 j|CIIy | 3IC | | I|C _3UC. C| 3| UCG) 3|G I|3I I |CyCOu | G u3I
/U3IC|G3U, v| I| 3 Ou3I| OO 33 C33 | | UCI3u_|I IO | 3y C|C33
O 3|O| U3IC| y 750, 000, v33 O| | | C 3UOuI C| CCI| O| |C3 u | I3 . 1|C
I|C 33I C| Iy | O 1|C CI|C| | 3OG3 C|3O| 3C| | | O_ I|C3CCOUuIC|3 | O
, v| I|3 Ou| 3I | OOO3|Ou|G1 6. 5 I|C CI|C| | 3|G3 v|OIC vO|GC|u |
U| | | | OO) IO _CI C| CCI|OO| C vOI| |_. | O|_ |3|I3 O| || 3 vCU3 | IC, 3|G | |
bOUC C| I| C3 vC|C |C|I| |_ I|C |C3CI | O| IO Ou| C| 3| U |C 33| G |C
33UC3y3ICUI|3I/U3IC|G3U |Ov G| G |OI UC| | CvC || 3 U3C| | |C3
Winter 2007-2008 P
g
e 27
COu | G| 3y C|CSS.
bO WC C3uSCG 3 I|uC UCG| 3
|C|Zy W|C| WC _OI |O| G O 3
CG3 vOI| |_ COUuIC| 3|G
U3GC | I | 3y C|CSS. ,VC 3| SO
U3GC| I | | C 3UOuIC| CCI| O||CSu | IS. )
1|C|C W3S 3 GCU3IC | | || | | 3UC|I,
Gu| | |_ W|| C| I|C |CSO|S | U| C
U| | | SIC| |OU| SCG IO 3O| |I IWO
COUU| IICCS. 1|3I |CI C| CCI| O|,
3| | |IC| |3I | O|3| C| CCI | O| OUSC|-
v3I | O| U| SS | O| SIuG| CG I|C |OU-
| CUS W| I| C| CCI|O| | C vOI | |_ | |
I|C COu |I|y W|| C| u|I| | I |C| |3G
3| W3yS UCC| I|CC3U| CCOu |I|y
O| u |COOI|OvC|S | 3| C-VOI| |_. l |
I|C| | |CO|I, I|Cy 3Gv| SCG I|3I
I|CSC ICS O vOI| |_ COUuIC|S
` ` S|Ou | G UC |3SCG OuI 3 | G I|C
IWO COUU| IICCS 3| SO W|OIC vC|y
|3|S| |CO|IS 3UOuI |OW I|CSC
U3C| | |CS C3UC 3UOuI3|G |OW
I|Cy S|Ou | G |OI UC uSCG | | I|C
uIu |C. / | OI UO|C |3C|CG. VC
I||C3IC|CG IO I3kC I|C _OvC| |-
UC|I IO COu|I O| SCvC|3 OCC3-
S | O|S, 3|G WC CvC| WO| 3 C3SC
| | W| | C|I|C CG33|Ov3| W3S
| u | | | | CG. buI Uy I|C| I|C U| | | SI|y
|3G 3| |C3Gy GCC| GCG IO I||OW | |
I|C IOWC| , |CI|3CI | |_ I |C | C_| S-
| 3I | O| I|3I 3| | OWC C| CCI|O|| C
vOI| |_. 1|C |CI C| CCI| O|S | | 1|C
CI|C| | 3OGS W| | | UC |C| G uS | O_
C|C| | S 3|G3C|, W| | C| | S |C3 | | y
Qu | IC l| S | |CC OvC| |C|C WC vC
O| | y _OI O|C |3CC C| C| CCI| O|,
SO COu |I| O_ Uy |3|G | S | ` I 3 | | I|3I
|3|G) .
l|C O I |C I |||_S I|3I SI|uCk
UC 3UOuI I| | S C3U3| _| W3SI|3I
| | O|GC| IO W| |, WC vC |CCGCG
3 | UOSI CvC|y |3CkC| Sk| | | | U3_| |-
3U| C. l U3_| |C3 | | I|CSIuyOuC3|
| C3| | |OU I| | S U3_3Z| |C, O| |OU
_O| |_ IO , O| |C| | |_ O|_3|| ZC) 3
3CkC| CO|vC|I| O|. ||OU

C|C|3 |
Sk| | | S SuC| 3 S GC3 | | |_ W| I| I|C
UCG| 3O| W| | I| |_|CSS |C| C3SCSIO
SOC| 3| C|_| |CC|| |_,_CII| |_|O| GO
I|CSySICU | | O|GC|IO CC| | UC|I
W| I| | I) , | OCk| Ck| |_ , S|OW| |_
I|3I I |C UCC|3|| C3| | OCkS WC|C
UO_uS 3S I|C S3UC O|C |u|O kCy
W3S uSCG 3 | | OvC| I|C COu |I|y) ,
|CvC|SC C|_| |CC|| |_ , UOG| y| |_
I|C| | 68000 COGC W| I|OuI 3CCCSS
IO SOu|CC), 3|G SySICU 3GU| | | S-
I|3I | O| ,WCUS| IC) .
|3v| |_ uU | | S|CG 3 |3CkC|
U3_3Z| |C 3|G GO|C I|C l b|, l
W3S |O SI|3|_C| IO CO|| | CI. /I
Ab/||WC |3G|3G SC|| OuS| SSuCS
W| I | I|C | |3UOuS C|u|C| O
bC| C|IO| O_y 3S WC| | 3S W| I| I|C
|C|U3| _OvC| |UC|I. /| SO, I|C
| |IC| |3I| O|3| CO|I3CIS l _OI |OU
_|OW| |_u| | I|C|3CkC|COUUu-
| | Iy 3| G O. I |C |3Ck W3S vC|y
UuC| 3 |uIC|- |C| U3| |O CCI,
3|G WC |C SI| | | WO| k| |_ IO_CI|C|
I| _|I| y IO 3| SO _CI | | G O I|CSC
S3UC U3C| | |CS | | |C|U3|y. /I
CC|I3| | UOUC|IS l |3G I|C u| |y
CC | | |_ I|3I SOUC|OW I| | S W3SI|C
|O CCII|3I l |3G UCC| | | I|3| | | |_
O| 3| | I|CSCyC3|S .
bO l _uCSS W|3I | ` U S3y| |_ | S
I|3I | yOu 3|C 3 |3CkC|, | yOu`|C
_O| |_ IO |3CkC| CO|vC|I| O|S, |
yOu | | kC | _u || |_SIuOuIO| | yOu
3|C Uu | | G| |_ yOu | OW| |O CCIS. . . .
|| C3SC |C3 | | ZC I|3I, OSS | U| y Uy
3CC| GC|I, yOu U3y 3| SO OSSCSS
SOUC I|u | y OWC|u | Sk| | | S I|3I
C3| |C| U| | |_ 3UOuI O| | I| C3|
C|3|_C, 3|G I|3I I|CSC S k| | | S W| | |
UCCOUC UO|C 3|G UO|C | UO|-
I3|I 3S ICC||O| O_y UCCOUCS 3
U| __C| 3|I O CvC| UO|C O| | I | C3|
GCU3ICS. bO | yOu GO|` I | | kC I |C
|CWS, _O OuI 3|G U3kC SOUC O
yOu | OW| !
Pge 28 2600 Ma azine
Uy L|un C 3
C|un C 3Pgm . Cum
I . ve recei ved a l ot of e-mai l s from peopl e i n
reference t o my art i cl e i n 2 3 : 4, a n d I fi gured I ' d
wr i te up t hi s addendum t o i t address i ng a l ot of
the common i ssues and di scussi ng some further
expl oi ts . The most common i ssue I was asked
about i s the "software confl i ct" wi t h Norton
Ant i Vi r us. When you put the pwdump fi l es on
a fl ash dr i ve or e-mai l them to yoursel f, Norton
eats up the fi l es a l most i mmedi atel y. I f you can
access msconfi g and regedi t, t hen you can j ust
t ur n off the auto- protect and S i t ' s no l onger an
i ssue; however, Norton does have s ome defense
agai nst t hi s, and most users are l ocked out of
those ut i l i ti es. An even s i mpl er and more obvi ous
sol ut i on i s t o j ust u n i nsta l l Norton al together.
Most i nsti t ut i ons use Norton AV Corporate
Edi t i on, whi ch you cannot u n i nsta l l i t wi t hout
a password. Fort unatel y, i ncompetent admi ns
such as mi ne don ' t change the defaul t password
whi ch i s "symantec" . Another i ssue commonl y
encountered was l ack of access t o the command
prompt. The eas i est way t o get t her e i s to open
up I E and put C : \Windows \ System3 2 \ i n the
address bar. Then, CMD i s ri ght there. However,
if t hi s is not a n opti on, you can a l ways put the
pwdu mp2 executabl e and . dl l on a fl ash dr i ve
and wr i te a s i mpl e l i ttl e r unme. bat batch f i l e
wi t h the fol l owi ng code:
pwdump2 ` output . txt
Th i s wi l l capture the hashes output by
pwdump to a text fi l e cal l ed outputtxt, so you
can j ust open up your fl ash dr i ve, doubl e-c l i ck
your batch fi l e, and not even have to worry about
gett i ng manual command prompt access.
Over the past several months, I ' ve al so
furthered t he depth of my expl oi ts and expl ored
them to the greater of thei r potenti a l . The
PsTool s s ui te, previ ousl y owned by sys i nter
nal s and recent l y bought out by Mi cro$oft, has
some great tool s . For exampl e, psshutdown and
psexec are awesome l i ttl e programs that you
can use to remotel y s hutdown machi nes and
execute programs. You can have great fun wi t h
t hi s dur i ng presentati ons. Here' s a qui ck anec
dote for you : t here was t hi s new teacher that
everyone hated because he di dn' t know any of
the materi al he was s upposed to be teach i ng
and acted as more of a pol i ce offi cer i n the
c l ass rather t han a teacher. He wou l d constant l y
ki ck ki ds out or gi ve t hem detent i ons for r i di cu
l ous t hi ngs l i ke checki ng the weather or t hei r
e-mai l ; one ki d even got hi s computer pr i vi l eges
suspended because he was caught down l oadi ng
Fi refox. Forgi ve the ki d for not want i ng to use
I nternet Expl orer 6, the browser that makes any
securi ty profess i onal quake wi t h fear. Anyway,
one day t hi s teacher, wi t h hi s supervi sor present,
was maki ng a presentat i on to the cl ass when,
suddenl y, two dozen pop-ups of t ubgi r l . com
came onto the screen. Much l aughter (of the
students) ensued. To thi s day, our i s "network
manager" baffl ed by t hi s . I t was a l l done t hrough
the wonders of psexec, whi ch wi l l remotel y
execute a program on a target machi ne. I f neces
sary, i t wi l l a l so copy a program to the remote
machi ne and then execute i t; however, I have not
been abl e to get t hi s feat ure worki ng correct l y.
The other ut i l ity, psshutdown, wi l l remotel y l og
off, restart, or s hutdown a target machi ne; you
can al so provi de a l i st of mach i nes i n a separate
fi l e. You can downl oad a l l of the Pstool s and read
the gui de on the syntax of t hei r use at http : / /
-www . mi c r o s o f t . com/ t e chne t / s ys i n t e r
-nal s / ut i l i t i es /pstool s . mspx. Once aga i n,
you can make some nasty automated batch fi l es
wi t h t hi s. Here' s a good exampl e wi t h what I l i ke
to cal l the "SuperShutdown" . Make a batch fi l e
wi t h t he fol l owi ng code:
psshutdown \ \
*
-u username -p
- password -k L -n 0 -t 9 : 0 0 ` 0
Thi s wi l l effecti vel y s hutdown every machi ne
i n the same Wi ndows doma i n as you at 9: 00 a. m.
The t i me i s i n speci fi ed 24- hour format. You ' l l
al so need to use an admi ni strator ' s username
and password, whi ch you conven i ent l y got wi t h
pwdump2 and j ohn i f you r ead my l ast art i cl e,
for t hi s to work. The other parameters are - k to
shut down the machi ne, - f to force any appl i ca
t i ons r unni ng on the mach i ne to cl ose, - n 10
to speci fy t he t i meout connect i ng to remote
machi nes because pss hutdown won ' t work on
Wi ndows 98, and ' 0 to di sabl e the di al og that
appears when t he machi ne i s bei ng shutdown.
Make s ure you don ' t forget t he - ' 0; otherwi se,
a di a l og wi l l di s pl ay on thei r mach i ne that you
from your machi ne are run n i ng the shutdown !
As al ways, u s e you r head when pl ayi ng
around wi t h t hi s stuff. You can pl ay s ome great
pranks wi th psshutdown and psexec, but pay
careful attent i on to t he var i ous swi tches and
parameters they have; forgett i ng or mi s us i ng one
i s a n easy way t o get yoursel f caught . Speak i ng
of gett i ng caught, if you are captured by enemy
sysadmi ns, any knowl edge of you r exi stence wi l l
be di savowed.
Winter 2007-2008 P
g
e 29
Uy Sl|gun
Thi s art i cl e i s about how PayPal transacti on rever
sal s can cost reci pi ents a l ot of dough. I ' m wri ti ng
from the perspecti ve of a hacker who sees how the
shortcomi ngs of the PayPal system coul d bp used to
take money out of the pocket of someone el se.
The techni ques descr i bed i n thi s arti cl e coul d
be used agai nst anyone wi th a PayPal account, i n
amounts from a few penn i es t o thousands of dol l ars.
Wi th a mass protest agai nst, say, a di sfavored pol i t
I cal candi date, company, or i ndi vi dual , many peopl e
wor ki ng together cou l d rapi dl y cause troubl e-
i ncl udi ng pl enty of money l ost-for t hei r target.
My bi ggest concern is the "Donate Now' " button
l i nki ng to PayPal that we sec on the websi tes of so
many char i t i es and open source software devel op
ment projects. I was i nspi red to wri te th i s art i cl e
when I recei ved a chargeback, and l ater a transac
ti on reversal , from PaYPd l . I run a char i ty that oper
ates open source project, and receive donati ons
vi a PayPal . Cett i ng donati ons vi a PayPal i s qui te ni ce,
and i t ' s a maj or way we sustai n our project.
The basi c si tuati on i s that on PayPal i t costs a
"" ' p, ent extra money when a transact i on i s di sputed
by the sender. Wh i l e th i s i s n' t that di fferent from the
way banks and credi t card compan i es operate, many
I ndi Vi dual s and sma l l ch'ri ti es use PayPal because
they C,l n' t afford the i nfrastructure, don ' t have the
vol ume, or haven ' t got the ri ght type of corporate
structurr' to accept credi t cards di rectl y. I n other
words, th i s techn i que can be more hurtful wi t h
PayPal agai nst sma l l chari ti es or s i mi l ar organi zati ons
than agai nst brr cks-and-mortar stores.
For money that was pai d and recei ved by PayPal
(from one PayPal user to another), PayPal handl es
di sputes I nternal l y. So, i f funds were sent to you from
sompone el se' s PayPal account, and the transacti on i s
di sputed, PayPal has a process to eval uate the cl ai m.
You can f i nd thei r resol uti on process onl i ne, wi th l ots
of detai l s. I t is very much geared towards the sel l i ng
of goods.
Here' s the rundown of an actual di sputed
transact i on I recei ved recentl y. Someone made a $2
donati on to my organi zati on, then fi l ed a di spute.
.
For a $2 . 00 purchase or donati on sent vi a PayPal
Wi th a PayPal account, $0. 38 was charged as a fee
to accept the payment, then $0. 38 was charged to
reverse the transact i on.
PayPal wal ked away wi t h 3 8 cents ( 1 9% of the
or i gi nal transact i on) , and my PyPal account was
38 cents l i ghter as a resul t of the transacti on. The
$ 1 . 72 netted ori gi nal l y from the $2 . 00 donati on was
removed, but then a further 38 cents were removed.
PayPI al so accepts payments vi a credi t card. I f
a credi t card transacti on i s di sputed, the credi t card
company i nteracts wi th PayPa l . PayPI i nteracts wi th
the PyPa l account hol der.
I f the transact i on i s reversed ( i n t hi s case, i t ' s
Pa
g
e 30
cal l ed a chargeback), a chargeback fee
may be charged if the credi t card company charges
PayPal . That I S, PayPal passes the fee on to the account
hol der. I n what became an actual chargeback, I
recei ved a donati on of $ 1 00 whi ch was di sputed
about 1 0 weeks l ater and subsequentl y reversed.
.
For a $ 1 00 purchase or donati on sent vi a PayPI
Wi t h a credi t card, $3. 20 i s charged as a fee t o accept
the payment, then $3. 20 was charged to reverse the
payment, then $ 1 0 was charged as a chargeback fee
PayPal wal ked away wi th $ 1 3 . 2 0 ( 1 3. 2% of the
ori gi nal transacti on) , and th i s ti me my PayPal account
was $ 1 3 . 2 0 l i ghter as a resul t of the chargeback. The
$ 1 00 donati on vi a credi t card cost l ots more than the
$2 donati on vi a PyPal account i f there i s a di spute
and cha rgeback.
.
PayPal charges fees as a percentage of the trans
acti on. Normal l y, thi s i s 30 cents per transact i on,
pl us 2 . 9' of the transact i on. There are vari ati ons i n
di fferent countri es, for di fferent currenci es a n d for
di fferent types of transact i ons.
'
Doi ng the math, if ten peopl e worked together
to each make a $ 1 00 donat i on, then made a cl ai m
agai nst me, I woul d be out $ 1 32, rather t han recei vi ng
$968. Bel ow, I ' l l gi ve some i deas about how such
mass act i on coul d h"ppen wi th rel ati ve i mpun ity.
To sum up, the chargeback ( i nvol vi ng someone
who made a donati on to my organi zati on vi a PayPal )
had these costs. Fi rst, the amount of the ori gi nal
donat i on was removed from my account. Second,
PayPal col l ected thei r usual fee (descri bed bel ow)
on the transacti on amount-even though they had
al rpady removed i t off the top from the donati on
amount. Thi rd, there was a chargeback fee of $1 0
from the c",di t card company.
In my research, I found that PayPal l i sts di fferent
chargeback fees for di fferent countri es (they' re al l
about $ 1 0-20 US) . Some banks l i st thei r credi t card
chargeback fees, wh i ch are comparabl e and some
ti mes even hi gher.
.
How can you work around l osi ng money t hrough
di sputed PayPI payments I f you ' re actual l y sel l i ng
I tems vi a PayPal , fol l ow the terms of thei r Sel l er
Protecti on Pol i cy. Read the fi ne pri nt: protecti on
stops for many purchases at $250.
Protecti on does not extend t o anythi ng other
than goods. PayPI ' s sel l er protecti on pl an states
that "Onl y physi cal goods arc covered by the Sel l er
Protecti on Pol i cy. I ntangi bl e goods, such as servi ces
or i tems del i vered el ectroni cal l y ( e. g. , software,
MP3s, eBooks), are not covered. " In other words
there is no sel l er protecti on pl an for accept i ng don
:
ti ons, taki ng payment for work performed, or other
non-tangi bl es.
There don ' t seem to be dol l ar l i mi ts for sel l er
protecti on, and I have made and recei ved payments
of up to $ 1 0, 000. But for buyer protecti on, transac
ti ons are onl y covered up to $2000 u nder certai n
ci rcumstances, $250 otherwi se.
Dur i ng the t i me of a di spute (whi ch can take
2600 Ma
g
azine
weeks or months, but is more typi cal l y j ust a few
days), th" payment amount is frozln.
P"yPal has a pol i cy that they do not reverse P"yPal
transacti ons un l ess they arl taki ng money irom the
sel l er. I n other words, i t' s not l i ke US banks' FDI C
i nsurance. I magi ne that someollP scams you for
$ 1 000 from your PayPa l account, then wi thdrcws the
money irom thei r Pay!l account, l eavi ng i t empty
.
PayPal wi l l not gi ve you your $ 1 000 back un l ess the
other account has that money. Thi s opens up , whol e
l ot of poss i bi l i ti es, but i t ' s basi Gl l l y al l j ust fraud: take
the money and r un. There are many stori es about
t hi s happeni ng on eBay (whi ch owns PayPal ) . From
readi ng PayPa l ' s pol i ci es, i t sounds l i ke i t doesn ' t
matter whether thei r "buyer protecti on pl an" appl i es
or not.
Compare t hi s to credi t card protecti on, where
you wi I I get your money back regardl ess of whether
the credi t card company got thei r money back, or
whether any goods i nvol ved were returned. Your
mi l eage may vary, and t hi ngs mi ght be di iferent
outsi de of the US. My few experi ences wi th credi t
card fraud were that the credi t card compani es j ust
di dn' t care: they woul d hol d a transacti on dur i ng
" i nvesti gati on" and do essenti al l y nothi ng. At the
end, i f the merchant fi ghts, the customer l oses. But
i f the customer wi ns, the credi t card company wi l l
retu r n the money.
On the two occasi ons where my credi t card
was stol en (once physi cal l y, once el ectroni cal l y) , I
provi ded proof (a pol i ce report #) and the charges
were reversed. The l egi ti mate stores that were stol en
from ( wi th my credi t card) was not gi ven t hei r money
for the transacti ons, and di d not get thei r goods back.
One of them was assessed a chargebdck fee by the
credi t card company, i ndi cati ng that the PyPal tech
n i que descri bed here can be effecti ve wi th credi t
cards, too.
By th, way, i f t hi s hasn ' t convi nced you to never
use your debi t card for these types of purchases, you
need to read your debi t card agreement. Most banks
oHer very I i ttl e protecti on for debi t card transacti ons,
even i f the debi t card hol ds a maj or credi t card sea l .
Let ' s work through some expl oi ts. Fi rst, i magi ne
a hypotheti cal candi date runni ng for nati onal oifi ce.
The candi date accepts Pay Pal as a method of dona
ti on on hi s or her Web si te. I f ten peopl e each make
donati ons of $ 1 000 to the candi date, usi ng thei r
credi t card, t he candi date wi l l have $ 1 0000 mi nus
PayPal fees of $293 .
If those ten peopl e then cal l thei r ten di fferent
credi t card compani es, sayi ng the charge was unau
thori zed ( "my teenager borrowed my card," " I thi nk
the Starbucks store I go t o every day mi ght have
copi ed my card number," etc. ) , the candi date wi l l
l ose the $ 1 0000, pl us another $293, pl u s another
$ 1 00. Ten peopl e together cost the candi date about
$393 from hi s or her own account.
Woul d the credi t card compani es catch on?
Probabl y not, for two reasons: the excuses gi ven are
not bi g enough to warrant seri ous i nvest i gati on, and
there i s not a l ot of shar i ng and report i ng of credi t
card fraud. Wi l l PyPa l catch on that the ten peopl e
are wor ki ng together? Maybe, but what i f they al l had
a common excuse ( "we a l l go to that Starbucks") ?
Second, l et ' s l ook at a l arger scal e wi th smal l er
donati ons. What i f a fraudster has hundreds or thou
sands of stol en credi t card numbers, and a vendetta
agai nst a parti cul ar open source software project ' s
chari ty? Assumi ng t he cr i mi nal had pl enty of t i me on
hi s or her hands ( si nce i t ' s i ntenti onal l y hard t o auto
mate payments and account creati on on PyPal ), she
coul d run a few transacti ons of l ess than $ 1 0 per day
to the targeted chari ty. Then, let the l egi ti mate credi t
cdrd hol dlr di spute the transacti on.
At $ 1 0 per chargeback pl us f((s, any donati on of
under about $ 1 1 is a net l oss for the targeted chari ty
of the chargeback fee, i n addi ti on to the cost of th,'
reversed transact i on.
Fi nal l y, l et ' s t hi nk of an even l arger-scal e scam.
How dhout . n urban l egend sent vi a tons of spaml
Message one: "Th i s ch'l ri ty i s doi ng wonderfu l work,
but i s about to have i ts chari tabl e organi zati on status
reversed by the I RS. I n order to meef the I RS requi re
ments [ i nsert va l i d hyper l i nk here
l
, they need to
recei ve severa l hundred sma l l donati ons ( $2 to $ 1 0) .
By donati ng wi t h your PayPal account or credi t card,
the chari ty wi l l be abl e to provi de cl par proof to the
I RS that the chari ty i s l egi ti mate. "
Li nk to the real organi zati on and i ts "'a I PayPal
l i nk. Wai t for peopl e to donate. Assume a very sma l l
( l ess than . 1 %) response on the spam but a I ;Hge
campai gn of mi l l i ons of spams. There are cl ear l y a l ot
of i di ots who respond to spam, and you onl y need a
smal l proport i on.
Then, a week or two l ater send spam message
#2, "You mi ght have heard recentl y about a char i ty
that made a pl ea to mai ntai n i ts status wi th the I RS.
I f you donated any money be i nformed that you are
a vi cti m of fraud. The ch,r i ty' s I RS status is not up for
renewal , and there is no effort to remove its 501 (c)
(3) status under I RS regul ,ti ons [ i nsert another val i d
hyper l i nk herp] . I f you donated wi th PayPal , protest
your donati on and reverse i t, fol l ow t hi s l i nk [ l i nk
t o PayPal di spute center] . I f you donated wi th your
credi t card, be sure t o fi l e a di spute cl ai m wi t h your
bank. "
Woul d your sparn carpai gn br i ng i n more money
to the target than was reversed l ater? Agai n, l et ' s do
some math. Assume 200 donati ons are made wi th
an average of $5 each, and SO(X) of donati ons are
made vi a PayPal accounts, wi th the others arc made
us i ng PayPal wi th a credi t card. The net ga i n i s 200
x $5, mi nus 45 cents per transati on for PayPa l ' s fees:
$91 1 .
I f 1 00 out of 200 donors ii l e a successfu l cl ai m
wi t h PayPal or thei r credi t card company, and hal f
used thei r credi t card, $500 woul d be removld
from the chari ty via PayPa l . Chargeback fees woul d
net a further $500 ( $1 0 each for 50 credi t cards) .
Further PayPa l fees of $48. 50 woul d be assessed
as the $500 were removed. Total removed i s
500+500+4B. 50= 1 04B. 50. The chari ty woul d get to
keep the proceeds from Ih" 1 OO donors who di dn' t
protest, about $455. 50 ( hal f of $91 1 ) . Net l oss t o the
chari ty i s 455. 50 - 548. 50 or $93 . 1 O-pl us l ots of
aggravati on.
PayPI does have a l ot of protecti ons i n pl ace,
but far fewer when no goods are bei ng sol d, and far
fewer at l arger dol l ar amounts. J ust a few reversed
transacti ons can make a chari ty or other reci pi ent
have bad day. I n thi s art i cl e, I have l ai d out some
of the basi cs, and al so worked through some hypo
theti cal scenari os where a l arger number of reversed
transacti ons can be trul y damagi ng.
Lots of peopl e have worked on anonymous
payment systems, non-repudi ati on of payments, and
escrow systems for del i veri ng goods. For exampl es,
read some arti cl es on e-gol d. PayPal does not i mpl e
ment the hard parts of such a system, whi ch requi re
a trusted i ntermedi ary ( not one who profi ts from
every type of transacti on, i ncl udi ng i l l egi t i mate ones,
as PyPal does), and strong cryptographi c methods
of ensur i ng i denti ty whi l e mai ntai ni ng anonymi ty.
PayPI is ubi qui tous, but has fl aws. Let the buyer, and
the sel l er, beware.
Winter 2007-2008

Pa
g
e 3 1
Uy SldC||
SldC||.dCVPgm .Cum
OxOO: nl|uduClun
Surel y most of you are fami l i ar wi th Face
book, one of the most popul ar soci al networ ki ng
si tes on the I nternet. Many fai thfu l user s once
prai sed i ts s i mpl i ci ty and i t s el egance. Then,
one fata l day i n l ate May, Facebook u nvei l ed
its devel opment pl atform, u n l eash i n
g
a fl ood
of t hi rd-party appl i cat i on add-ons to the masses
regi stered on Facebook. Thousands of eager
users mi ndl essl y added these feat ure enhance
ments. Many of Facebook' s most fai thfu l users
began to get agi tated wi t h a l l the traffi c comi n
g
from t hei r fri ends, who were start i ng vi rt ual food
t i on that al l ows you to set your current state of
fi ghts, and i n some cases even began vi rt ual l y
.
d d d I f d A f
bi t i ng fri ends ( creepy) . Al ong wi t
h
the shear
mi n an I SP ay I t to your nen s. neat eature
i ncl udes the abi l i ty to store the h i story of your
annoyance of these appl i cat i ons, a new questi on
past mood sett i ngs and changes.
of securi ty was i ntro
d
uced.
Th i s appl i cati on seems s i mpl e enough. Where
Now that you have a l l of t hese neat gadgets
coul d there poss i bl y be a secur i ty l apse? I am gl ad
at your di sposal , what el se are you a
f
l owi ng
you asked.
onto your page? Facebook' s appl i cat i on hel p
Fi rst of al l , when you vi ew someone' s mood
page states that " . . . appl i cat i ons bui l t by t hi rd
hi story, the appl i cati on does not ensure that you
parti es do not affect the pri vacy of your i nforma-
are a fri end of the person whose hi story you are
t i on i n any way. Your account i nformati on is sti l l vi ewi ng. Okay, bi g dea l : someone can see the
secure and we ensure that no t hi rd parti es store h i story of my past moods. I cou l dn' t care l ess!
or col l ect any of your i nformat i on. " Wel l , anyone cou l d eas i l y automate t he task of
As Facebook stated, you r stored i nforma- grabbi ng everyone' s current mood. Subsequentl y,
t i on is safe, but how is the authenti cati on on the
ti s could be used i n conj u ncti on wi th other data
appl i cat i ons themsel ves? Th i s i s l eft compl etel y
for fut ure phi s hi ng or soci al engi neeri ng attacks.
up to the pl ugi n devel opers. As we wi l l see
For i nstance, peopl e that are currentl y depressed
short l y, man
y
devel opers di d not take secur i ty
or confused may tend to be more prone to fal l i ng
very ser i ousl y as t hey devel oped and rel eased
for someth i ng stupi d.
these appl i cat i ons.
To see someone' s moods h i story, si mpl y substi -
Due to t he overwhel mi ng n umber of appl i ca-
tute the target ' s Facebook i d where t he Xs are:
t i ons, we are onl y goi ng to take a l ook at three
ht t p : I I app s . f ac ebook . coml emot ing I
sampl e Facebook appl i cat i ons. These appl i ca-
-? page=his tory&uid=xxxxxxxxx
t i ons shou l d gi ve you an i dea about some of
Thank you for hangi ng wi t h me t hi s far. Hope-
the pri vacy and secur i ty i ssues that come wi t h
ful l y th i s exampl e moti vated the hamster t o start
dd b k I
run n i ng i n your head. If you are fol l owi ng my
a i ng Face app i cat i ons.
t hought pattern, the next l ogi cal step wou l d be to
OxOl : |CUug
try to set your mood and see what happens. When
Before we begi n, I h i ghl y suggest that you
you cl i ck the i con to set your mood, a URL l i ke
downl oad the Fi refox pl ufi n cal
r
ed F i rebug. I t
the fol l owi ng i s used to update your status:
http : / /neo . hotornot . com/ facebook/
i s an amazi ng tool that a ows you to devel op
"emot ing/ set mood? emo id=xx&fb s ig in
and debug webs i tes. More i mportant l y to us, i t
"i f rame=l &fb-sig t ime::1 1 8 3 8 6 8 333 . 4734&fb
a l l ows you to al ter the c l i ent- si de code before . s ig_user=xxxxxxxxx&fb_s i9...rofl e_ -
submi tt i ng a for m. I n order t o j ump t o a pl ace
"update t ime= 1 1 8 3 8 4 5 2 3 7 &fb sig sess ion k
i n the co
d
e, r i ght cl i ck on the desi red secti on of
"ey= l j aoduf 9 8 2 3 0 9audsoi fuiaj 3 4Iaj idj dd&
the pare and c l i ck " I nspect E l ement . " There are
"fb sig expires=O &fb sig api key=ao302au9 0
"ua098 320 9 8 0 9 8 0 9 8 3 2 098 1 3&fb -
severa ways of al ter i ng t he pages gi ven bel ow,
"sig added= l &fb sig= 3 1 j a l j ds
but t hi s seems to be more effi c i ent t han manual l y "ioajl j 1 3 2 2 3 2 0 9ao 9 3 2a4abe
edi t i ng the GET var i abl es i n the gi ven URLs. Yes, you guessed i t. Moods does not authen-
ti cate to ensure that you are sett i ng your current
xZ. u0dS mood. Si mpl y change the fb s i g_user var i -
The fi rst appl i cati on we wi l l l ook at i s s i mpl y
abl e t o another person' s 1 0, and you can update
cal l ed "Moods". Moods i s a very si mpl e appl i ca-
how they are feel i ng. Do not tel l me how I feel !
Pa
g
e 32
2600 Ma
g
azine
x3. |CC LS
Facebook came out wi th a feature that al l ows
you to gi ve vi rt ual gi fts to your fri ends. Maybe
you want to send a pi ct ure of a rose, a pi ct ure
of a hamburger, or a pi ct ure of handcuffs to your
fri end. That i s a l l fi ne and dandy, but then Face
book deci ded to charge you $1 per gi ft. Most of us
are too cheap to actual l y pay $ 1 t o send a stupi d
pi ct ure t o someone on the I nternet. Enter the Free
Gi fts appl i cati on.
Free Gi fts i s j ust as the name woul d suggest. I t
i s an add-on that al l ows you to send and recei ve
free gi fts to and from your fri ends. The fl aw i n t hi s
appl i cati on i s eeri l y s i mi l ar t o t he one found I n
Moods. You can vi ew the gi fts recei ved by anyone
(fri end or not) , s i mpl y by al teri ng the i d number
sent to the Facebook appl i cat i on: http : / / apps .
-facebook . com f reegi f t s / ? toxxxxxxx
Agai n, si mpl y change the id, and you can vi ew
that person' s recei ved gi fts. You may have guessed
i t by now, but you can al so send a free gi ft to any
person that uses the Free Gi fts appl i cati on, fri end
or not.
You probabl y noti ced whi l e l ooki ng at some
random rerson' s recei ved gi fts, that there is a
"Send a Gi ft" button on the top left porti on of the
page. Sendi ng thi s person a gi ft i s not qu i te as eas
y
as si mpl y cl i cki ng the button, but it mi ght as wel l
be. After you have cl i cked t o send a gi ft, sel ect the
gi ft to send. Now, you have to choose a recI pi ent.
Sel ect from " Fri ends Wi th Free C ifts" . You mi ght
noti ce that i f a person' s not a fri end, then you
can ' t send them a gi ft. Now i s when Fi rebug starts
to s hi ne. Ri ght cl i ck on the dror down menu of
fri ends and i nspect the el ement. You wi l l see a l i st
entry l i ke the fol l owi ng.
<opt ion
value " xxxxxxxxx" >MyFri end< / opt ion>
Si mpl y al ter t he val ues t o refl ect t he person
t hat you want to send the gi ft to. You can send
the gi ft anonymousl y, or you can j ust be a creepy
stal ker and send the gi ft from your own profi l e. So
far we have been abl e to vi ew or change anyone' s
mood, and we have been abl e t o send gi fts to
anyone wi th the Free Ci fts arpl i cati on. What
comes next?
x+. buC|W
When you setup your Facebook account, they
gi ve you a vi rt ual "wa l l " where fri ends can post
publ i c comments to your profi l e. Th i s l S ki nd of
cool , but there are some l i mi tati ons. You cannot
post an i mage or a vi deo to a fri end' s wal l .
Wel l , the i nventors of Super Wal l have come to
the rescue. Thi s appl i cati on al l ows s i m
p
l e text
messages, pi ct ure messages, and even l i nks to
web vi deos served up by Googl e or Youtube.
My ori gi nal test i n
g
wi th Super Wal l i ncl uded
tryi ng to l i n k to an off-si te i mage, i n an attempt
to track profi l e vi ews. Facebook counters thr s by
cach i ng every i mage used in th i rd party arpl i ca
t i ons. Therefore, al l requests t o i mages ar e effec
ti vel y handl ed l ocal l y by Facebook' s web servers .
Thi s hei rs reduce the server l oad on any th i rd
rarty webs i tes .
Si nce my fi rst attemrt was shot down, I
deci ded to l ook i nto other asrects of Super Wal l .
For my second test, I posted a si mrl e text message
to my own Super Wal l . Awesome, everyth i n
g
i s
worki ng. Fi nal ly, I took a l ook at what was gOi ng
on behi nd t he scenes.
Fi rebug came to the rescue agai n as I i nspected
the Post button for the Super Wal l appl i cati on.
I nterest i ng:
< input typeo:lI hiddenl ! value= l 1 xxxxxxxxxll
-name= l I fb sig proii l el1 / >
< input type= " hidden"
"value= " 1 1 8 3 8 3 2 3 i 6 . 0 0 8 2 "
-name= " fb sig t ime " / >
< input type= !l hiddenll value = " xxxxxxxxxl l
-name= l I fb sig usern / >
< input type= r1 hidden" value= " 1 1 8 3 8 3 5 2 8 7
1
1
-name=
ll
fb_s igyrofi le _update_t ime
ll
/ >
< input type= " hidden" value= 1 I 1 3 4
"0 9 8 3 5 0 9 8 3 2 0 9 8 1 0 9 2 8 4 0 9 8 3 2 0 9 5 8 2 0 3
-" name= " fb_s i9_sessi on_key" / >
< input type= l1 hiddenl l value= " Q "
-name=
ll
fb si g expires " / >
< input type= " hidden" value= " 2 2 3 4 1 3 4 4 1 5 0 9 8 3 2
"1 0 9 8 1 0 3 9 8 5 9 0 8 3 2 3 5 "
-name= " fb s i g api_keyll / >
< input type= " hidden" value= " l "
-name= l I fb sig added" / >
< input type= " hiddenl1 valueo:1 1 2 3 9 1 9 2 1 8 2 1 4
-9 1 2 9 3 1 0 4 9 3 8 1 0 9 8 3 1 4 8 9 3 11 name= f b _s i g" / >
< input type= l1 hiddenl i value = II XXXXXXXXX"
-name= I
I
owner id
l l
/ >
The fb sIg user fi el d is the Facehook
user i d of tne per
s
on rost i ng the comment, and
owner id i s the Facebook user i d of the Super
Wal l ' s owner. When wri ti ng to your own Super
Wal l , both of these fi el ds wi l l be equal to your
Facebook user i d.
Unl i ke t he previ ous appl i cati ons, Super
Wal l ensures that you are on te person ' s fri end
l i st before you can post to hi s or her Surer
Wal l . However, i f you change the va l ue of
fb s ig user to a fri end' s i d, the resul t wi l l be a
wan postfrom your fri end. You have now spoofed
a comment from one of
J
our fri ends onto your
own wal l . Wow, t hi s coul get ugl y.
After further tweaki ng, I was al so abl e to
post on a fr i end' s Super Wal l as someone el se,
si mpl y by al ter i n
g
.
both the .wner id and
fb sig profi le fi el ds accordi ngl y. Tne person
you are posti ng as does have to be a fri end of the
wal l ' s owner i n order for thi s to work.
Phi shers cou l d eas i l y abuse Super Wa l l by
spoofi ng messages to peopl e by assumi ng a
fri end' s i denti ty. The phl sher cou l d then post
mal i ci ous l i n ks, and the vi ct i m woul d l i kel y not
even th i nk twi ce about goi ng to the given address.
Spammers cou l d al so automate post i ng messages
from fr i ends to reopl e' s wal l s. One way devel
opers cou l d hel p defend agai nst t hi s attack i s by
addi ng a pi ct ure box confi rmati on tool that wou l d
be presented before posti ng the messages t o t he
wal l s.
xb. LunC uS unS
We j ust fi n i shed up with a qui ck l ook i nto
some of the secur i ty concerns wi th Facebook' s
new t hi rd-rart
y
appl i cati ons. There are hundreds
of avai l abl e add-ons, and l ooki ng at t he securi ty
on a l l of them is someth i ng I wi l f l eave up to the
readers. These securi ty l apses cou l d eas i l y l ead
to spam or phl s hl ng attacks on you and your
fri ends. Thanks to the new appl i cati ons, it is now
poss i bl e to rose as someone el se, wi thout ever
cracki ng a password. Pl ease t hi nk twi ce before
addi ng another appl i cati on to your Facebook
rrofi l e. Embrace s i mpl i ci ty.
Shout-outs: ver
y
one at Bin Rev, venom, n
y
On,
Dan, Todd, Michelle, Anna, and all my college
friends.
Winter 207-2008 Pa
g
e 33
Mischief
Dear 2600:
Here i s somet hi ng extra to add to my art i cl e
i n 24: 3 ( "How t o Cheat Goog4 1 1 " ) . One real l y
cool and easy th i ng t o do i s t o regi ster a busi ness
i n some faraway pl ace wi t h a name l i ke "Tenni s "
or " Gol f" O someth i ng s i mpl e l i ke t hat . Then what
you do i s ca l l up Goog41 1 and tel l t hem the ci ty/
state of where you added that bus i ness. But when
i t asks for a busi ness name or category, j ust yel l
anythi ng i nto the phone. Make s ure i t doesn ' t
regi ster what you s ai d. I t shou l d s ay " I ' m sorry,
try aga i n" or somet hi ng s i mi l ar. So yel l somet hi ng
i ncoherent i nto i t aga i n. Thi s t i me i t wi l l s ay " I f
you ' d l i ke t o type i n t he busi ness name or category
us i ng the keypad, pl ease press 1 . " So you press 1 .
Then you use your keypad to type out your busi
ness name - "Tenni s , " " Gol f, " or whatever, and, i f
Googl e pi cks i t up, i t l ooks f or a busi ness named
that. Si nce you put your busi ness i n an obscure
ci ty/state wi t h a name so generi c as " Gol f, " it wi l l
probabl y pi c k your busi ness. Th i s i s on e of t h e best
ways that I ' ve found to make s ure that Googl e
wi l l pi ck your busi ness. Caus e i t al ways t hi nks
you ' re typi ng a busi ness name. Very s urefi re way
of gett i ng Googl e on your si de.
Good l uck, and happy Googl e hacki ng.
PhreakerD7@gmail.com
Dear 2600:
I was stuck i n Schi phol a i rport ( Amsterdam) a
coupl e of weeks ago and had a chance to screw
around wi t h a web termi nal near my gate. I di dn' t
rea l l y need t o get on t he web enough t o j ust i fy t he
t wo euros for 1 5 mi nutes or whatever i t was, so I
fi gured I ' d try to score some for free. Here' s what
I came up wi t h. So s i mpl e you cou l d fol l ow even
after a tri p to t he smart shop:
1 . Press Wi ndows-u ( opens accessi bi l i ty op-
t i ons) .
2. Cl i ck " Hel p" button.
3. Ri ght cl i ck t he t i t l e bar.
4. Sel ect "J ump to URL" .
5. E nter a va l i d URL ( must i ncl ude protocol ) .
6. E nj oy your free I nternet.
7. Even better, browse a websi te that opens l i n ks
i n a new browser. Cl i ck one of t hose l i n ks
and you have your very own I E wi ndow.
8. Have fun . I di dn' t have much ti me, but I di d
get a chance t o pl ay around wi t h t h e I nternet
sett i ngs ( new home page! ) . I ' m s ure you can
get away wi t h much more.
mthed
Binding Woes
Dear 2600:
I wou l d l i ke to voi ce my compl ai nt about the new
bi ndi ng you are usi ng. I recei ved the l ast i ssue of your
magazi ne i n t he mai l and read i t from front t o ten
pages before the l ast. Around page 55 I di scovered
that the pages where bei ng torn from the bi ndi ng. I
don ' t mean to say that they were comi ng ungl ued,
they were actual l y r i ppi ng a mi l l i meter or two away
from the gl ue.
Pl ease f i nd another bi ndi ng sol ut i on or stop
putt i ng the words so cl ose to the mi ddl e.
XeNoS
Words cannot express how upset we've been
at the problems with the past issue. Apparently the
inside paper was too thin while the cover had the
proper thickness. We've made a bunch of changes
and expect to get this one right. Let' hope the page
you're reading these words on does our magazine
justice.
Dear 2600:
I have al ways enj oyed readi ng your magazi ne. I
have even resubscri bed recentl y because of the recent
cl osure of my favori te l ocal magazi ne store. The new
bi ndi ng absol utel y sucks. I can't even open the damn
t hi ng wi thout i t becomi ng i mposs i bl e t o read t he
words near the bi ndi ng. The pages are even start i ng to
fal l out on the l atest i ssue. Rai se the pri ce and go back
to the ol d bi ndi ng.
Andy
If the problems don't go away we will have to look
at other possibilities. At this point it appears these an
noyances were caused by using the wrong type of
paper and miscommunication as to what the proper
margins should be. If the letters are too close to the
margin or if the paper is all screwed up again as you're
reading this, there' a good chance someone is being
harshly interrogated on the matter at this very mo
ment. We apologize to everyone for the Autumn issue
which we consider to be below our standards. We've
made a lot of changes and we hope to see results with
this new issue. Thanks for sticking with us.
Discoveries
Dear 2600:
So I th i n k I ' ve sol ved the puzzl e from the Summer
i ssue. " The Th i nker" i s th i n k i ng about how much he
hates the DMCA. I am si tti ng here th i n ki ng about how
much I j ust l earned about the data matri x format!
I started by tryi ng to reverse engi neer the enti re
t hi ng by hand. I was at "work" so I used the tool s at
P
g
e 34 2600 Ma
g
azine
hand: a text edi tor and PHP. I created four arrays of
data wi t h a 1 in each pi ece of the gr i d that was bl ack
and a 0 for each pi ece that was whi te. ( What can I
say - I was at work and bored. Besi des, doi ng the data
entry remi nded me of stor i es I ' d heard of peopl e hand
codi ng Commodore games by typi ng i n the byte code
out of magazi nes! ) I then started tryi ng to see some
patterns i n the numbers based on the deci mal va l ue
of t he bi nary val ue of each row. I qui ckl y di scovered
there were some n umbers vaguel y cl ose but noth i ng
t hat matched. I t hen t ri ed maki ng a composi te of the
arrays. Th i s yi el ded four or fi ve pi eces of "the matri x"
that were empty but noth i ng meani ngfu l . I pri nted i t
out and took i t home. I rea l i zed that the l eft, bottom,
top, and ri ght bars seemed to be u n i form for each
sector. I noti ced thi s wh i l e enteri ng i t manua l l y as
wel l . I fi gured these must be " regi strati on" bars or
whatnot for some type of scanner. I a l so fl i rted wi t h
the i dea that maybe the deci mal va l ues cou l d repre
sent words i n a base 1 8 notati on or somet hi ng s i mi l ar.
I s l ept on i t .
The next morni ng at wor k I went t o wash my
hands i n the bathroom and was checki ng i f the soap
was vegan or not (ser i ousl y) and noti ced a pattern that
l ooked very fami l i ar to what I had been star i ng at a l l
ni ght. I knew I h a d seen someth i ng s i mi l ar before. I
spent the next coupl e of hours researchi ng al ternati ve
barcode methods and fi nal l y stumbl ed upon the data
matr i x. I spent a wh i l e readi ng about decodi ng a l go
r i t hms whi ch compensated for poor i mage qual ity,
etc. Th i s was n' t an i ssue for me as I manual l y i nputted
them and then had a fu ncti on whi ch generated the
i mage, not wi t h GD, but wi t h a tabl e wi t h di vs set
to 8x8 wi t h a background col or of bl ack. I made a
screen shot and cropped it down, then I found an
on l i ne uti l i ty whi ch can encode and decode data
matri x i mages. No j oy. It j ust returned a bl ank str i ng!
I t hough for a moment maybe the dat a mat r i x di d
represent noth i ng and i t was supposed t o be some sort
of Zen koan l i ke "form is voi d, voi d is for m" type dea l
haha. I doubl e-checked that I hadn' t entered any i nfo
wrong and as far as I coul d tel l I hadn' t . An hour l ater
I read someth i ng about needi ng a " qui et zone" around
the i mage for any of the al gori t hms to work. I added
a wh i te border around the i mage and tri ed i t aga i n .
Bam! I f i nal l y got an output that meant someth i ng!
The output trans l ated t o 09-f9- 1 1 -02-9d-74-e3-
Sb-d8-41 -S6-cS-63-S6-88-cO.
That j oyous number! That number whi ch brought
Di gg to i ts knees a few weeks earl i er. How cou l d i t not
be burned i nto my mi nd forever? So yeah, I hope that
suffi ces as an expl anat i on as to how I fi gured i t out,
etc. And I guess my fi nal answer is that the th i n ker i s
th i n k i ng " Fuck the DMCA. " Never gi ve up, never gi ve
i n, never l et the enemy wi n.
shaunxcore
It is indeed heartening to see how much time and
efort people spend in solving these things. We're sor
ry that you didn't actually win this time but we trust
you had fun on the journey.
Dear 2600:
I t may amuse you to know that "2 600" i s the post
code ( zi p code for you Ameri cans) of Capi t al Hi l l ,
where the Austra l i an Prl i ament is si tuated.
Dear 2600:
Here' s an i nterest i ng t i dbi t for your readers.
Boston' s transi t fares are col l ected us i ng a system of
magstri pe paper t i ckets or RFI D pl asti c cards. I was
havi ng troubl e wi th a paper t i cket and I ' m pretty s ure I
got doubl e-charged for a t r i p. So I ta l ked to one of the
transi t workers at a stati on to ask what he cou l d do.
He brought me to one of the t i cket machi nes and
di d someth i ng to get to a screen that asked for hi s PI N.
Then, as I watched, he started enter i ng h i s PI N ri ght i n
front of me. I started t o l ook away out of courtesy but,
to my shock, he actua l l y sai d the numbers out l oud as
he entered them!
Enteri ng h i s PI N got h i m i nto an admi n i strati ve
mode that, among other t hi ngs, a l l owed h i m to get
deta i l ed i nformati on on when fares were deducted
from my card. Sure enough, we cou l d see the doubl e
charge . . . not that he was actua l l y abl e to do anyt hi ng
about i t . How annoyi ng.
For the cur i ous out t her e ( and who i sn ' t?) , the PI N
was 1 32 1 0. I ' m not sure what he had to do to get to t he
PI N entry screen, but I ' m afrai d i t mi ght have i nvol ved
tappi ng hi s speci al admi n i strati ve RF I D card. I wasn ' t
payi ng attent i on, though, so i t mi ght on I y be a matter
of tappi ng a speci al button. Certa i nl y i t wou l dn' t be
hard to pretend to be i n a si t uat i on l i ke mi ne i n order
to watch a transi t empl oyee more cl osel y wh i l e they
access the men u . I t ' s i nterest i ng that t hei r secur i ty
is so l ax. Of course, that ' s not an excuse to use t hi s
i nformati on t o get free fares.
Lex
People who speak their PINs out loud almost haw
to be admired for completely moving in the opposite
direction as the rest of us, who are forever trying to
become more secure and protecting our private infor
mation (and that of others) . We wonder how many
other PIN talkers are out there.
Dear 2600:
Th i s is a very s i mpl e hack, but onl y works i f you
al ready have a resi dent l ogi n to t hi s system. I STA
North Ameri ca i s a t hi rd-party uti l i ty bi l l i ng company
that bi l l s resi dents for uti l i t i es on behal f of apartment
bui l di ngs. Si mpl y go to www. i stabi l l s. com. l ogi n,
or si gn up f or a l ogi n usi ng the account nu mber on
your month l y bi l l . Once l ogged i n, cl i ck on " Hi story
Prior to ( whatever date) . " This wi l l take you to the ol d
access page, whi ch can a l so be accessed di rect l y at
http://accountsj ax. vi terrausa. com. You can al so l ogi n
here wi t h your account number and PI N, or si gn up
for access wi t h your account nu mber and other i nfor
mat i on. Once l ogged i n, cl i ck on " Di spl ay account
h i story. " You can then proceed to di spl ay the account
h i story for any resi dent account si mpl y by changi ng
the " LOC" and " ROUTE" va l ues i n the URL. The
si te does not use cooki es to keep track of users, nor
does i t use SSL. The ROUTE val ue i s the property I D,
and the LOC va l ue is the resi dent I D. You can a l so
cl i ck " Change password" or the other opt i ons from
the mai n account page and rel oad the pages us i ng
di fferent ROUTE and LOC va l ues t o change other
users ' passwords and so fort h. These pages were obvi
ousl y l ast used i n 2 006, but si nce they' re sti l l up, they
pose a secur i ty and pri vacy ri sk that was brought to
t hi s company' s attent i on over a year ago and whi ch
Chri s they refused to act upon.
So technically every time t hey convene it:, a ZOUU a a
meeting. In addition to this flagrant violation of privacy,
Winter 2007-2008

Pa
g
e 35
new users are told that their "User Name is the
Service Code printed on your utility bill" while their
password is simply their five digit zip code! After
getting this easily obtainable information from some
unsuspecting person, there' no end to the havoc that
could be caused.
Dear 2600:
I ' m current l y at a hal fway house i n Okl ahoma.
I fi gured out a t r i ck wi t h the phones here and now
everyone ca l l s l ong di stance for free. But what I 'd
l i ke to know is what ki nd of system are these phones
based on that woul d al l ow us a l l to make free ca l l s ?
Here's what we do: we pi ck up t he handset and di al
1 8, count t o t hree sl owl y or wa i t for a t i ny cl i ck from
i nsi de the phone ( I have to count because I ' m hard
of hear i ng) , then press 00 and qui ckl y press one or
two numbers ei ght t i mes. (I l i ke pressi ng 7 and 8 back
and forth . . . makes a cute j i ngl e. ) An operator wi l l say
"than k you" and i f you di d i t ri ght i t wi l l say "thank
you" aga i n and gi ve you a di al tone. You can t hen ca l l
wherever except for i nternati ona I for some reason. I
can cal l Canada though . Somet i mes it makes a l oud
whi stl i ng feedback noi se and somet i mes i t gi ves you
a di al tone but the keys don't work. Coul d you cl ar i fy
what 's occur r i ng for t hi s to happen ?
I l ove your mag and sti l l get it even though I ' m
i ncarcerated.
Noah
hard to say exactly what 's happening but
there:, surely some sort of a drop down to a dial
tone at some point which might be the tiny click you
hear. Or it could be' the dial tone you get after the
"thank you" which is bypassing the normal restriction.
Then again, dialing lO could be connecting you to
a distant line somewhere. The important thing is that
you're continuing t o use your mi nd and figure things
out whil' incarcerated which is always a good thing
to do. Thes' days getting around dialing restrictions
is less about the cost and more about just bypassing
whatever controls are being placed on you. In a world
wh,'re you can have unlimited long distance for next
to nothing, th,'se kinds of controls shouldn 't f'ven be
around much longer. li t least not for reasons of cost.
Theories
t i me machi ne that can travel both forwards and back
wards i n ti me. I state that because ti me i s a constant.
I t i s al ways movi ng forward. Chronol ogi cal events i n
h i story easi l y veri fy t hi s. Now that I have cl eared u p
those l i tt l e mi sconcept i ons, I woul d l i ke to move o n to
the bi gger pi cture. To make t i me travel poss i bl e we are
goi ng to need a vessel that can carry us. Thi s woul d
l ook no di fferent t han your average space shutt l e
wi t h mi nor al terat i ons. For exampl e the engi nes may
be di fferent and the gas chambers l arger t o hol d the
amount of fuel that i s goi ng to be needed to make
thi s a real i ty. Now wi t h our shutt l e bui l t, we need to
di scuss how i t i s goi ng to be used. Assumi ng that the
shutt l e was bu i l t to execute our pl an, we are goi ng to
need to travel away from the Eart h at a speed faster
t han the Earth i s travel i ng. Ti me on Eart h i s onl y rel a
t i ve to the speed the Earth i s travel i ng. We manage
our t i me due to the spi n n i ng. By travel i ng th i s speed
( ass umi ng that there i s enough fuel to propel us that
fast and for the amount of t i me) , we are abl e to create
a di fference i n our t i me and Eart h ' s t i me. Ti me now
havi ng a di fferent factor for us, we can i magi ne that
the Eart h i s agi ng more t han we are at a faster rate. I t
i s as i f we are sl owi ng down t i me due to our speed.
Wi thout preci se cal cul at i ons we are not abl e to deter
mi ne the amount of t i me we woul d be exceedi ng
dur i ng our travel i n space. Upon return i ng t o the
Earth, assumi ng that the theory i s correct about t i me
bei ng di fferent for movi ng obj ects and the speed they
are travel i ng, we can i nfer that the ti me we have aged
wou l d be l ess than what the Eart h has aged. I t may not
be the founta i n of youth, but i t i s a step up. Remember
that thi s i s onl y a t heory. There are k i nks and i deas that
are subj ect to change. Thank you for your t i me.
J esse
It's good to hear that scientists are exploring the
possibility of time travel without the use of a Oe
Lorean as they are rather expensive and dificult to get
a hold of. We also are indebted to you for confirming
that time travel is indeed a one way street. This easily
explains why we have not met any time travelers since
they would have to come from the past where it hasn't
been invented yet. We look forward to future reports
from the laboratory.
Dear 2600:
I j ust acti vated "my favs" on my cel l phone and
the di fference I noti ced was when you add a n umber
Dear 2600:
to "my favs" i t adds a + i n front of the phone number.
I am wr i t i ng about possi bl y gett i ng an art i cl e
So i f I am not mi staken i f you hol d the O for a coupl e
posted. I bel i eve t hat t hi s woul d make a worthy art i cl e
of seconds, the d comes on the screen. Then you di al
for i t s controvers i al nature and i t s unendi ng cur i osi ty.
the n umber you want and send and t hi s shoul d make
I have al ways found the i dea of t i me travel pl aus i bl e. I t
a cal l wi t hout any extra mi nutes as i t wi l l be a "my
has al ways been on the back burner i n my mi nd tryi ng
favs" cal l . So i n other words i s no mi n utes charge
to fi gure out how and why. So I am aski ng that you gi ve
or d is a pl us .
a moment of your t i me t o read a story/theory about
Ken
t i me travel . I th i n k i t wou l d be worthy of readers' t i me
The plus sign has nothing at all to do with billing
as wel l . After the publ i s hi ng of H. G. Wel l s' book The
the call. On GSM phones, the plus sign can denote
Ti me Mach i ne, sci ence has embraced a new study.
the heginning of the phone number. It can be gotten
Throughout t i me they have become more and more
in various ways, by hitting the asterisk button twice,
aware that t hi s mi ght not be so farfetched. Sci ent i sts
holding the zero, and through other methods. I t'
are bel i evi ng that they are gett i ng cl oser to u n l ocki ng
usually followed by a country code and then t he rest
the mystery and maki ng it possi bl e to i ndeed t i me
of the number. In t he States and Canada we have it
travel . Many theori es have been presented over the
easy since the country code i s l and our dialing " /

years and I wou l d l i ke to share mi ne wi t h you now.

in front of most numbers as part of our long distance
Fi rst off, I wou l d l i ke to el i mi nate the i dea of us i ng
format achieves the same effect as dialing from over-
a De Lorean car (as i n Back to the Future) to t i me
seas on a mobile phone. The plus sign also won't inter-
travel . I wou l d al so l i ke to el i mi nate the i dea of a
fere with normal domestic dialing so it's transparent.
Pa
g
e 36 2600 Ma
g
azine
Dear 2600:
I ' m not a hacker per se but need to bri ng forth
a I i tt l e i nformati on and start a seri ous d i scussi on for
our future. Over the decades, bi oni c i mpl ants have
become more popul ar. El ectron i cs have found t hei r
way i nto our eyes, bra i ns, l i mbs, and our hearts. I n
such a pi oneeri ng fi el d of research, secur i ty and safety
from a hacker ' s poi nt of vi ew wi l l take a back seat.
Let' s take a l ook at how current technol ogy i s expl oi t
abl e and ul t i matel y l i fe threateni ng.
Pcemakers have been i mpl anted s i nce the l ate
50s. They have an onboard computer ca l l ed the
generator. When the generator senses an abnormal i ty
i n the heart rhyt hm it tri ggers a l ead to contract the
muscl e. Back then these " rate-responsi ve" devi ces
were set to tri gger at preset numbers. An exampl e is i f
t he heart rate drops bel ow 70 pmb t he devi ce starts to
pace. The generator reads body movement and breath
to determi ne what the pace shoul d be. The th i nk i ng i s,
the more you move and breath, the more your heart
pumps.
New pacemakers are a l i tt l e more fl exi bl e. They
have a magneti c swi tch cal l ed a reed. A sma l l magnet
produci ng more t han 90 gauss can cl ose t hi s swi tch.
Th i s puts the devi ce i nto programmi ng mode. Coi nci
denta l l y, once cl osed t he devi ce spts t o a defaul t pace.
To my knowl edge a person' s heart rate drops prett y
l ow dur i ng s l eep. I t wou l d be a shame i f a magnet got
cl ose to the l eft col l ar bone. The l ast t hi ng you nppd
i s a pacemaker doi ng 45 bpm wh i l e your own heart
i s tryi ng to do 3 8 . Arrhyt hmi a sounds pa i nfu l eVl'n
to a hea l thy hpart. You ' l l wa nt to stay away from arc
wel di ng, cel l phones, l arge motors, MRl s, etc. , etc.
Another avenue for attack i s the actual program
mi ng of the devi ce. A si mpl e web search can l ead
you to the handhel d programmi ng equ i pment. You
can a l so get a mon i tor trans mi tter from eBay. These
trans mi tter devi ces are pl aced near or connected to
the pacema ker ' s generator. They convert and trans mi t
i nformati on vi a tel ephone t o a phys i ci an t hat reads
devi ce/pati ent stati st i cs. My knowl edge stops there.
My poi nt i s t hi s . The pacemaker i s a s i mpl e devi n'
t hat one can use to cause great damage. I ' m not
ta l k i ng about hacki ng a door here; t hi s i s a l i fe. As
i mpl ants become more adva nced and common in our
heal t h and pl easure, I hope pati ent safety outsi de t he
medi cal procedure i s consi dpred.
ki X
Responses
Dear 2600:
Th i s l etter i s i n responsp to the aspi r i ng correct i ons
department offi cer regardi ng J ack McCl el l an, the sel f
procl ai med but not l ega l l y convi ct ed sex offender.
McCl el l an has previ ousl y stated in i ntervi ews he
created the websi te www.stegl . org (Seatt l e-Tacoma
Everett Gi rl Love) as a way to i n form parents about
t hei r l ack of attpnt i on to the safety of t hei r chi l dren
wh i l e out i n publ i c. Dependi ng on who you bpl i eve,
McCl el l an st at ed he removed the webs i te because
of the fl ack he was gett i ng but others say it was the
servi ce provi der whi ch removed the si te.
Shortl y afterwards he moved to Cal i fori a where
he started a s i mi l a r webs i te cal l ed Los Angel es Gi rl
Thi s is where t hi ngs cou l d get t r i cky.
I n most courts, for a restra i n i ng order to sti ck,
the pet i t i oner ( person obta i n i ng order, i n thi s case
attorneys wi th daughters) needs to convi nce the
court the respondent (person the order i s agai nst)
poses an i mmedi ate threat to the pet i t i oner. How
can McCl el l an be consi dered a threat when he takes
hi s photos wh i l e out i n publ i c us i ng equi pment you
can buy at any store? I s thi s where we start arresti ng
peopl e and convi ct i ng them on t he mere fact they
mi ght commi t a cr i me?
Or i s i t a si t uat i on i n whi ch McCl el l an has
commi tted a cr i me, despi te hi s cr i es of i nnocence,
and j ust hasn ' t been caught?
Ta l k to any l aw enforcement offi cer, correct i ons
offi cer, probat i on offi cer, or attorney and fi nd out how
many attempts i t may take for a cr i me to actua l l y sti ck
t o a cri mi n a l ' s record. Your chosen career path i s a
thankl ess but nobl e path . St i ck wi t h it because i n the
end the cri mi na l s do get t hei r j usti ce. And no vi gi
l antes are requi red. Good l uck.
Squeel i ng Sheep
There are real dangers in taking shortcuts to justice
and that 's what tl1< ahove case demonstrates, whether
int('ntionally or nol. While this guy may now be on
ev('rybod(, radar, any sort of a prosecution wit hout
u dearcut violation of a la w would do {df l1l O/` haHn
I han good ultimat ely. This sorl of thing is mirrored ill all
sorls of other cas('s where people who are prel pnding
to be u cerlain age are prosecuted for pot el t il criml's
against someOf1{ ' elS( ' who\ also prel e/ ) ( /ing t o be a
certain a
g
e but is actuully a law (' nforn: ' / nent ag( nt .
And while t here may bp a '' pern`nt chance that a
crime would have h"en commit/ ed had the second
person actually heen a minor, I he inconvenienl facl
here is that there was no r( 'al victim - actual or pol en
t ial. Many are willing to ovrlook t his lilt/e prohl" ", in
the intNests of saft y am/ peace of mind but i:, a 51 1'1'
in dislurbing direction. One day w(' could dct ually
we prosecut ions for such I hings in the "Second Liti , "
world, among ot her places, where t h" people arpn 'l
r<' al bul crimes against Ihem would be.
Dear 2600:
I have bepn an avi d reader of your magazi ne for
qu i te some t i me. Most i nter('st i ng to me is the opi n
i ons secti on. Readi ng the 5ugg{st i ons, comments, and
questi ons al ways bri ngs a s mi l e. I n t hi s past i s s ue t he
very l ast opi ni on posted i s a qu(st i on aski ng " What
OS do you prefer: Wi ndows, L i nux, or Mac? " The
.||l response i s " We don ' t di scuss rel i gi on here. "
I must tel l you t hat t hi s comment had |C l aughi ng
hysteri ca l l y. I found t hat l i keness t o be so absurd and
yet the mor p I th i n k about i t the more i t becomes
appropri ate. Why i s i t that we must defi ne oursel ves
by what as we use? Let us not di vi de oursel ves i nto
smal l fract i ons of u communi ty but exi st equa l l y wi t h
al l who are Pl ectroni c pnthusi asts. Hackprs are fi rst
and foremost for the freedom of i deas and i nforma
t i on everywhere. Hats off t o your ent i re team for the
excel l ent work you do i n t aki ng part i n the freedoms
we can a l l enj oy.
3v. mi ke
Thai sentimenl sounds suspiciously ()pbian.
Love. Cal i for ni a stepped up to the pl ate and i ssued a
Dear 2600:
temporary restra i n i ng order requi r i ng McCl el l an stay
To daCo/ombian:
30 feet away from any chi l d.
After a l l i s sai d and done, you ' re st i l l fetchi ng i mages
Winter 2007-2008
Pa
g
e 37
from www. 2 600. com for di s pl ay on your browser and
that domai n wou l d sti l l be showi ng up i n any l og fi l es
that you r networ k admi n keeps. You ' re no better off
t han if you ' d j ust bookmarked it unl ess your admi n
a l so enj oys poki ng around i n your browser sett i ngs.
I f 2 600' s mai n web page rea l l y i s too s l ow to l oad
over di al up, I suggest you subscri be to the RSS feed at
http: //www. 2 600. com/rss . xml and watch i t for publ i
cati on noti ces ( and other i nterest i ng news ! ) . At l ess
than 8kb as of today, even a s l ow modem shou l d
be abl e t o down l oad i t i n a coupl e of seconds.
To M in the opinions section:
I l i ve i n a sma l l town. I am a sysadmi n and my
wi fe i s a doctor, so we' re both on cal l pretty much
2 4/7. We l i ke doi ng the same t hi ngs you and your
f r i ends do, i ncl udi ng goi ng to movi es. Our cel l
phones are al ways on vi brate i n t heaters and other
qui et publ i c pl aces and nei ther my wi fe nor I have
ever once answered them wi t hout fi rst steppi ng
out i nto a hal l way or l obby. I f cel l phone j ammers
become common, we wou l d never be abl e to enj oy
an eveni ng out agai n; bei ng reachabl e i n case of a
work emergency i s more i mportant t han the new Res i
dent Evi I movi e.
I know that some i mpol i te j erks don' t care i f they
ru i n i t for the rest of us, but don' t take i t out on the
maj ori ty of us that act respons i bl y. Remember, you
don ' t hear a l l the peopl e i n a t heater who have thei r
phone r i ngers off or on vi brate. You j ust hear the
i di ots.
i <3puppi es
In some places, theaters and restaurants them
selves are the ones that operate cell phone jammers.
I n addition, there are lots of places that just don 't get
a signal inside their establishments. The need to be
reachable all the time is a relatively flew one for the
majority of p(ople dnd we're obviously still experi
(ncing some growing pains.
Dear 2600:
Th i s l etter i s i n response to 01 Wal ker ' s l etter i n
2 4: 2 . Fi rst of a l l , I am a computer techni ci an i n a publ i c
school di stri ct. I have t o say I was qui te upset when I
read your l etter. I t's not that computer techn i ci ans arc
i ncompetent. They arc understaffed, u nderpa i d, and
control l ed by i ncompetent superi ntendents.
Our budget for equ i pment i s cut by 50 percent
or more each year. Software i s the same. We rccentl y
were approvld for two more addi t i onal empl oyees
but because of personal grudges we arc not permi tted
to start i ntervi ews yet. We arc constant l y h i ndered by
our admi n i strati ve staff as to how and when we are
a l l owed to do our j obs. Now t hi s bei ng sai d, there are
four of us in our department: three tEchni ci ans and
our systems admi n . We support s i x bui l di ngs and arc
current l y bui l di ng another brand new s hi ny bui l di ng.
We support a 50-50 mi x of PC ( Wi ndows XP) and
Mac ( 1 0. 4. 1 0) cl i ents wi t h an 85 percent Wi ndows
Server ( 2000, 2003) base. We have one techni ci an,
moi , who i s cert i fi ed i n both Mac and Wi ndows.
( Guess who supports the MACs for the whol e di stri ct
a l ong wi t h doi ng a l l warranty work?) Our teachers a l l
have di stri ct i ssued l aptops a n d have no c l u e how to
use t hem.
Teachers are extremel y i l l i terate ( unwi l l i ng to l earn
al so) when i t comes to computers and the admi n i stra-
i t i s amazi ng they can get dressed i n the morni ng) .
Ni nety percent of our t i ckets are for probl ems that
i nvol ve stupi di ty. Was i t pl ugged i n ? Di d your battery
have a fu l l charge? Was i t the ri ght password? Di d you
spel l your l ogi n name r i ght? Were you pl ugged i nto
our network or were you wi rel ess?
You want to know why th i ngs aren ' t perfect? I t's
not because your techi es don't know how to do i t .
They don't have the t i me or staff i ng t o make i t so. We
were recentl y accused of " abusi ng the t i me cl ock"
when we put i n a combi ned 1 50 hours of OT j u st
to get the di stri ct ready for the start of school . Your
techi es al s o most l i kel y don't care. Don't get me
wr ong. A school di stri ct i s a great j u mpi ng off poi nt
to a career but asi de from benefi ts the pay sucks. Try
l i vi ng on 30k a year when you are mar r i ed, have ki ds,
and have a mortgage. The onl y peopl e i n a school
di stri ct who get what they want are teachers. Unl ess
you have a contract ( or a uni on for that matter), you
wi l l be screwed i n a school di stri ct.
On a si de note, we are a l l open mi nded i ndi vi d
ual s i n my department and 2 600. com i s not bl ocked
i n our di stri ct. We l i sten to a l l students who are
wi l l i ng to tel l us if we are doi ng someth i ng wrong or
i f they found someth i ng they coul d get i nto that they
shou l dn 't have. We don't puni s h cur i os i ty.
Keep up the great work. Love the mag!
theforensicsguy
Dear 2600:
In response to Gu i tarma n i ax ' s comment in 24: 2
regardi ng t he " Redboxi ng i n the New Age" art i cl e, I
can say i t ' s a rel ati vel y common phreak practi ce to
refer to a tel ephone company by one of thei r ol der
names when gi vi ng an expl anat i on . I n t hi s case, I
th i n k i t ' s bei ng used to refer to the former SBC areas
of AT&T terri tory. As some of the readers may know,
Bel i South exi ted out of the payphone busi ness i n earl y
2001 . I f the author had s i mpl y referred to former SBC
terri tory as AT&T th i s coul d easi l y confuse someone
who i s n' t too fami l i ar wi th the tel ephone system i n
Bel i South terri tory. Th i s i s n' t someth i ng t hat ' s nati ve
to Bel l System terri tory, ei t her. I ' l l try to not go i nto
too much detai l , but l et ' s take Embarq, a tel ephone
comp;my that serves some of the more r ura l reaches
of many states i n the U. S. as an exampl e. I n Vi rgi n i a,
before they Wlr e known as Embarq, or even Spri nt, t he
company that served the area was known as Centra l
Tel ephone of Vi rgi ni a. Exc l us i vel y i n t hi s area, test
numbers such as an Automated Number Announce
ment Ci rcui t, a machi ne that reads back the n umber
you ' re ca l l i ng from, as wel l as other fun t hi ngs, are
l ocated i n the 1 1 x range, x bei ng one through zero.
Addi t i onal l y, the code 959 and any l ast four di gi ts i n
a l l of t h i s area wi l l take you ou t of the offi ce you ' re
di a l i ng from and wi l l reach a n umber on the nearest
offi ce to you that processes l ong di stance cal l s owned
by Spri nt. I n nearby Carol i na Tel ephone terri tory, a l so
owned by Embarq, both the codes 1 1 x and 959 don' t
(xi st. Referr i ng t o tel ephone compan i es by thei r ol der
namps | j ust P;"y anrl uni qu! ways of maki ng ri mr
who you ' re ta l ki ng about ( besi des, I th i n k "Centra l
Tel ephone" sounds a lot better t han " Embarq, " don' t
you? ) .
ThoughtPhreaker
tors have the mi nds of cavemen. ( How these peopl e Dear 2600:
can hol d doctorates and be t hi s stupi d i s beyond me; " Less code and phone stuff. " Ser i ousl y? C' mon,
Pa
g
e 38
2600 Ma
g
azine
t hi s i s n' t the " Qui l t i ng Quarterl y. " I have to say over
the years there have been many art i cl es featur i ng
code t hat was wr i tten i n a l anguage I was not fami l i ar
wi t h, but t o better u nderstand t he art i cl e I wou l d l earn
at l east enough to hel p me appreci ate the fi ner poi nts
of the code. I t has defi n i tel y expanded my hor i zons.
cOld_phuzl 0n
In our recent survey we received a lot of comments
on both sides of this issue. At this stage it makes more
sense for us to gravitate towards less code in the actual
printed magazine with supplemental code available
on our website. This allows for the pages here to
be devoted to theories and explanations plus it also
keeps people from having to retype or scan all of the
code which can really be a pain in the ass.
Dear 2600:
You have probabl y al ready recei ved tons of
responses to the art i cl e t i t l ed "Hacki ng 2600 Maga
z i ne Authors" by Agent Smi th ( 24: 3) . I can onl y
i magi ne t hat many peopl e feel t he s ame as I do about
thi s art i cl e but I s i mpl y cou l dn' t stay s i l ent on t hi s
i ssue. Agent Smi t h shou l d be very proud of h i msel f for
out i ng a coworker and probabl y gett i ng h i m fi red if not
in seri ous troubl e for wr i t i ng about company system
vul nerabi l i t i es. Whi l e I share Mr. Smi t h' s senti ments
about l oyal ty, as i t i s no doubt an admi rabl e qual i ty,
what he fai l s to real i ze i s that l oyal ty, l i ke respect, i s
earned and not gi ven bl i ndl y. One mi ght argue that a l l
empl oyees shou l d be l oyal t o t h e company for whi ch
they work. After al l , t hey are empl oyed of t hei r own
free wi l l and can l eave i f they aren ' t happy wi t h t hei r
j ob. That ' s al l good and fi ne but the t r ut h i s there are
hundreds of reasons someone wou l d hol d onto a j ob
they don ' t l i ke, not l east of al l fear of starvi ng to death,
fear of change and the u nknown, and fear of l eavi ng
one' s comfort zone. These aren ' t tri vi al matters for
most peopl e. I too work for a very l arge company
wi t h offi ces around the worl d whose name i s very
recogn i zabl e and I can speak from some experi ence
on t hi s subj ect. Large compan i es have a tendency
to have a corporate cu l t ure that i s not conduci ve to
shar i ng i nformat i on. Many compani es don' t even
real i ze that they are doi ng t hi s and somet i mes they do
i t on purpose. The cu l t ure that you work i n wi l l deter
mi ne how l oyal , happy, dedi cated, and hard worki ng
t he company' s empl oyees are. I t i s al most as i f t he
bi gger t he company, t he worse t he cul t ure i s for the
empl oyees. Many bosses do not even rea l i ze that they
i s not happy wi t h hi s j ob because he has t r i ed to
poi nt out vul nerabi l i t i es to hi s boss or coworkers and
recei ved a col d or i ndi fferent response? I s i t possi bl e
t hat t hi s person i s not happy wi t h h i s j ob because the
cu l t ure does not encourage i ntel l i gent thought and
puts i n pl ace an envi ronment whi ch di scourages free
t hi nki ng and i ngenu i ty? I wou l d say it is very l i kel y the
case s i nce most l arge compan i es want to do t hi ngs
the way they' ve al ways been done. They don ' t want to
change, whether it is out of fear of the unknown, ego,
or s i mpl y l azi ness.
The quest i on I woul d ask i s why an obvi ousl y
i ntel l i gent person i s not l oyal to hi s company. You may
say you don ' t gi ve a hoot but i f you care about your
company so much you shoul d care about t hi s . I t i s
l i kel y that he i s not t he onl y empl oyee i n thi s si t uat i on
and i f that i s the case you wi l l see more and more
art i cl es i n 2600 spott i ng hol es i n your company' s
i nfrastruct ure and systems. Whi ch begs the quest i on,
why then, i f you care so much about your company
and are so l oyal to i t di d you not report the art i cl e
i mmedi atel y t o management and l et t hem know that
they have a maj or i ssue? Hmmm . . . l ooks l i ke someone
needs to t hi n k about what l oyal ty means wh i l e they
poi nt the fi nger at other staff members.
Logopol i s
Dear 2600:
I read the art i cl e on " Cheat i ng" Goog41 1 i n 24: 3.
One of t he aut hor's predi ct i ons i s that Googl e wi l l
eventua l l y pul l t he free connect i ng part, reason bei ng
" abuse" by peopl e us i ng i t to connect t o a var i ety of
phone numbers that aren ' t Yel l ow Pge type busi
nesses such as payphones, ANAC, or l oops. Far from
i t! In today's day and age, I ' d even wager that a good
number of wea l t hi er 2600 readers mi ght be wi l l i ng
t o pi ck up t he cost of provi di ng n umerous i n-country
phone cal l s, especi al l y gi ven the popul ari ty of u n l i m
i ted cal l i ng pl ans these days, j ust to grab onto a l i st
of a l l the cool est or most popul ar and i nterest i ng
phone numbers among 2600 readers i n t he country.
Li kewi se, I ' m sure Googl e uses the i nformati on the
same way, to categor i ze how popul ar bus i nesses are,
and any sort of i nterference wi t h that data col l ecti on
acti vi ty woul d reduce the val ue of the project far more
t han the non-ma l i ci ous pl ayfu l ness suggested i n the
arti cl e.
Zaphraud
create and perpetuate an envi ronment that encourages Dear 2600:
the behavi or that the subj ect of your rant (the2 6000ne) J ust read your edi tori al regardi ng the feedback
exhi bi ted by publ i s hi ng a seemi ngl y anonymous l etter you had been recei vi ng on the subj ect of pol i t i cs i n
i n 2 600. I ' m sure Agent Smi t h i s t hi nki ng, " Frankl y I your magazi ne. There are as many reasons to oppose
don ' t gi ve a s hi t s i nce I ' m perfectl y happy at my j ob pol i t i cal content as there are reasons t o consume i t,
and I ' m treated wi t h respect" but th i s may not be t he even i f onl y i n order to " keep your fri ends cl ose, and
case for someone who works i n another department, keep your enemi es cl oser. " Peri cl es sai d "J ust because
i n another branch, or even i n the same department you do not take an i nterest i n pol i t i cs, does not mean
as yoursel f. Di fferent un i ts of the busi ness may be pol i t i cs won ' t take an i nterest i n you . "
r un di fferentl y and may not have t he s ame wonderfu l L i ke i t or not, that wor l d of pol i t i cs i s what ul t i -
envi ronment you, you rsel f, ar e subj ect to. matel y deci des whi ch, i f any, of our day-to-day act i ons
I can speak from experi ence when I say that I makes us cr i mi na l s, or what types of act i ons can be
have seen bosses wi t h i n my organ i zat i on try to hus h used agai nst us as ci t i zens. Those t hi ngs shoul d be of
workers who expose vul nerabi l i ti es or s i mpl y try to great i nterest to us a l l because they certa i nl y affect us
i mprove horr i bl e processes that h i nder product i vi ty a l l . I n my opi ni on, anyone turn i ng a bl i nd eye toward
and cause stress to the empl oyees carryi ng out these that has no room to compl a i n when they don' t l i ke the
absurd pol i ci es. I n fact, many busi ness processes resul t. I am not unreasonabl y concerned about 2600
are cou nteri nt u i t i ve and j ust pl ai n stupi d. I t sounds l osi ng focus due to any pol i ti cal content, and i n fact
r i di cu l ous but it is true. Is it possi bl e that the2 6000ne I wel come i t from a source u n l i kel y to perpetuate the
Winter 2007-2008

Pa
g
e 39
mai nstream medi a' s i gnorant bi as.
Thanks guys, keep up the good work.
Dvnt
Dear 2600:
I ' d l i ke to respond to the "Target: For Credi t Card
Fraud" from 24: 3 wi th a bi t of skept i ci s m. Fi rst, I
cannot see how he has done " more good t han har m"
by exposi ng t hi s i nfo about hacki ng i nto Target ' s
i nter nal networ k by not doi ng anyth i ng for "over
a month" and then wr i t i ng an art i cl e about how he
i l l ega l l y pl ayed around i n i t wh i l e he worked there
and not show any evi dence of report i ng t hi s secur i ty
fl aw to any Target aut hor i ty. I am not tryi ng to bash on
2O|| for publ i s hi ng i t, but rea l l y, shou l d these ki nd of
arti cl es get publ i shed?
I mean thi s guy i s wri ti ng an ar t i cl e to a hacker
mag a month after bei ng an empl oyee of t hat company
report i ng a fl aw i n t hei r network and pretendi ng to
be c bad-css, rema i n i ng anonymous, ,ia poi nt i ng
out how t hi s i nform,lt i on i s onl y f or advi ce to t he
company t o change t hei r secur i ty system.
t i di d not menti on what pos i t i on he hel d, but
we can assume he di d not have an aut hor i t y posi
t i on si nce he menti oned t hat he pl ayed around on
t he i n tern,) 1 nctvvor k from ft'gi sl ers lo corputprs i n
t h e empl oyment ki osks a l ong wi t h man,1gf'rS i and
bdckroom cOl nput ers, t herdor e i mpl yi ng he was a
ground workpr wi t hout an offi ce ( t herefore not part
of the tech group) and t h" t he di d not do hi s j ob, but
rdt her pl ayed a round wi t h peopi t" s i nfon"" t i on l i ke a
l i l t l e ki d wr i t i ng :H ndt eur l\` bdt ch fi l es t o ret r i eve
t hi s i nfo.
A bi g concept t hat s l i pp('c my mi nd when I fi rst
s ki rrn('d t hrough t hi s :} lt i ci t' is t hat , i f I hi s ki d knows
a l l of t hi s " t pchi e" knowl edge, why i n the heck W,S hp
wor ki ng , 1 1 Tl rg"t i n I lw fi rst pl ,) ce! ( lbvi ousl y t il l S k i d
i s pl t h( ' r (' x<l gg('rdt i ng or l yi ng dbout t he " break- i n" he
aCl u,l l l y empl oyed on t he rtwork. ili <cour:lgi ngl y,
t hi s ki d di d not I dst l ong enough t o expl oi t , t he whol ,.
( ' nt i re n('(wor k. Oh gol l yl Wh,l t d sh,l nw' H(' cou l dn' t
sl pd l mort ' cc('di t card i nfo or d t l east fc(' 1 l i ke he
Wd S Sl ("l l i ng sorn(' vd l udbl e i nform,l t i on t hat anyone
C,l n get ,Kcess t o. COllle on, regi st ers? I n no W1'' are
t hey i nvol ved (' nough i n t he nll work t o even h,lVe
empl oyee i nfo. I ' v(' workl'd wi t h rcgi 3ters in s i mi l a r
st ores. You have no ,HT(,SS t o ,l tlyth i ng except d bi g
, a i , Ul ,ll or t or relards.
I n s ummary, t hi s ki d i s ( ' i t ll lr ('xdggl'rdt i ng on wh,l
Ill' found or he is f l dt out l yi ng. I ' ve kdrncd n('v{'r 10
I r ust a source u n l (' ss ot hl' rs Cdn b,l( k i t up and t hi s i s
a goon f'xampl t., of i t .
Ki d, I suggest you SlOp chi l d' s pl dY ,lI ld std rt doi ng
Wh,l t t hey pay you t or ,1I d I PI t he red l t cchi es worry
,1 iJout secur i l y 1 J r('.l ( I ll' s.
I t j ust s i ckens mp how dn
Y
OIW er n wr i tc .1 IS
dr t i cl e < uch dS t hi s ,1 I ld get i t publ i shed. I n no way i s
t hi s : rrt i cl c' hel pfu l 1 0 t he re,l ders, t he m,lg, or T,l Igll
(or t hat mat t er. [ )() n ' l vva i t a Ill ont h t o wr i t e a VdgU('
lr t i cl e on c 1( ol1l pany\ poor spcur i t y un l ess you report
t he r! aw t o Ih" comp,1 I1 Y li rst l I f you don ' t, then you
d|' i ndepd doi ng mOIl h,l I m t h,l Il good, and shoul dn' t
i ncl udp t he BS " hout " pl (' as(' do nlt use t hi s i nfo lor
mdl i ci ous pu rposes . " Pcopl e l i ke I hi s m,l k" a bad
naille for hack(' IS.
edge? There are people everywhere who know things
that may he a lot more than what ' needed for their
jobs. And regardless of whether or not this writer
should have reportpd the information to his local
supervisor before revealing it to the world, what :
important i s that t he information wasn 't kept secret.
We've sppn plpnty of examplps of how reporting
something to your hoss or teacher or even to someone
you have no connection to can backfire and wind up
causing you all sorts of problems. 1 a microcosm of
the hackpr getting hlamed for the vulnerahility which
hp didn't create hut merely exposed. lnd in this
particular case, there are likely many other companies
making the same mistake who will read this and learn
something about what they're doing wrong - hefore
it\ too late. So while you may only see the evil that
can conlP fror disc/osing such information, there is
always a benefit to discussing thpse mistakes.
Incidentally, the system at Target may have been
changed since this article was printed. In facI, we
rpcpivpd Ihis letter from the author of the piece after
we had already put the articie inl o Ihe issue:
"I appreciate that you are going to publish my
arl ie/p, hUI I helieve that hy the time it is printed, the
informalion will no longer he ,lccurate. It has come
to my attention that Ihe riea(lIine ( I'C/ compli
ance is very c/o. (http: //wwIVpcicollplianceguide.
org/) . If Targel is ilIowing the standards SC forth by
PC compliance, Ihen Iheir security setup would have
changed. I have no way to wrify any changes have
taken placl, hut I can only assume they have lighl
('fle(! up their security I am rec/ufsting that you do
1101 puhlish the artidf. I rion ' l wanl l o propagate fa/w
infonndl io(J du(i put the reputation of your mag<1 7ine
, ) 1 risk. "
Ideas
Dear Zb.
ThE' number of wi rel ess cOnl ltct i ons i n my ' hood
i s gett i ng t o the poi nt where someonpl s connpci on
over l ,' ps sonwone "I se' s. Wi th t hat i n mi nd I dpci ded
t o make a pol i t i cal stat(,I1(' nt wi t h my wi rekss rout er
na ille' by ch,lIl gi ng it trol11 L i nksys to I l l at ll l i l l .l ry ( your
st ,l 1 lnl l ' nt h(' ' ) . Theil Illy daught er suggpsted I change
i t l o MoV('You rTrd i l er so ry nei ghbor wou l d St|` it and
move hi s I ra i l er frorn r i ght i n front of my house. But
Wll1 t i f I cou l d CJIllllll l i c,l te wi t h nei ghbors us i ng j ust
ry serv('r n,l lll e and t he free I ransll i lier i t caile wi t h!
[ cou l d ch<lg(' my server name to c1|' you there" and
wa i t unt i l c1 nei ghbor ( i . e. , I",b) ch: mgps thei r server
ndnw t o " Yes, #OOX4.l ", the dal' bei ng some code
word or ,l ilY t hi ng you l i k(' . Wi t h a s i mpl e progr,' ll,
I cou l d ch,l Ilgp t he nd nl(' of ry tr,l Il srn i t ter ,md you
( ou l d moni t or changes 1 0 nare wi t h d h(wk'r and
d,l l p fi el d. u(h dS " SCrv -O1 0 1 1 0 1 0 I O I I 1 0(" and you
cou l d responcwi l h "Serv2 -()()O I I I OOl O l 0 1 1 01 00 1 1 " .
Wi t h a sequence nu rber and dal a fi pl d, pl us maybe
SOIl' in band cont rol bi lS, you coul d t rans ri t a l l over.
Th{, onl v dr;vh;l Ck i s most tl hcrnet/I ) connect i on
softwa re

neeDS t o repst abl i s h t he secure connect i on
wi t h ,1 password ('wry t i me I he mnl e chd ngt's. But
I hi s cou l d 1 ) usefu l i n an Cmergency.
FobG
F33dyOO Dear Zb.
no you {('<Illy hc/;cv(' t hdl there cUC HO intelligent 1 1
m l ong t i me reader and rpcent subscri ber
f)(:()f/t' vvorkill! <I t I<lrgel lho hev(' h[('rhie " knovvl-
( fi n<l l l y overcame t hdt " bei ng on d l i st" p'Hanoi a,
Pa
g
e 40 2600 Ma
g
azine
what can I say) . Al though I don ' t al ways agree wi t h or
hi ghl y va l ue every s i ngl e art i cl e, overal l I real l y l ove
what you guys are doi ng. I al so take great pl easure i n
remi n i sci ng "the good o l d days" whi l e perusi ng some
of the ear l i er i ssues. Some art i cl es I even consi der
" requi red readi ng" and merci l essl y harangue fri ends,
fami l y, and empl oyees i nto readi ng t hem. I t i s t hi s l ast
concept that I wi s h to pursue further.
It woul d be amazi ngl y cool ( and more t han a
l i ttl e usefu l ) to be abl e to search your on l i ne i ndex,
fi nd an art i cl e( s) or l etter( s) of i nterest, and then cl i ck
t o go di rect l y to the fu l l text of the content i n ques
t i on. Even cool er i f I cou l d provi de such access to
my empl oyees. Oh, I know that whol e i dea sort of
di rect l y threatens a l l you hol d dear and sacred ( i . e. ,
your pr i mary source of revenue) - but I ' m not aski ng
f or free di gi ta l content. I a l ready have the i ssues,
I j ust want to be abl e to peruse them (and have my
empl oyees do so) - wi thout t humb-pri nt i ng them a l l
up ( hel l o, 2 3 : 4) .
So, what do you t hi nk? I ' d l i ke to make on l i ne
perusal of your magazi ne an empl oyee benefi t for my
company, and I don ' t mi nd payi ng for the pri vi l ege.
Make i t an onl i ne servi ce and I ' l l pay for subscri p
ti ons, or l i cense i t and I ' l l host i t mysel f. Any chance
i n hel l t hi s i dea goes anywhere?
thotpoizn
While it all sounds nifty, actually implementing
such a thing requires a great deal of work and a lot
of coordination. By no means is it impossible but we
have yet to hear a plan that we're capable of imple
menting and that wouldn't put us out of business.
Dear Zb.
Have you guys ever thought about maybe pr i nt i ng
a reference book of the best pri nted and u npr i nted
art i cl es ? Maybe c l assi fy them i nto pert i nent secti ons
accordi ng t o codi ng, hardware, and usefu l programs.
I f i nd mysel f r i fl i ng t hr ough ol d copi es of you r mag for
art i cl es that I have read when I run i nto a si tuati on and
know t hat I read an art i cl e t hat has someth i ng rel evant
to the si tuati on. I wou l d l ove to add a ZOUU reference
styl e book to my desk at the publ i c school I support
and it woul d be great to i ndex a l l of that usefu l i nfo!
Matthew
This is something we're actively pursuing and
expect t o have more news about soon.
Problems
t i mes a day and cal l between 3 pm and 1 1 pm.
Beachedwhale
Let's not be so quick to assume that the Secret
Service doesn 't like to prank call people. But you
mention that this caller managed to block Caller 10
which right there puts them at a level of sophistica
tion beyond that of the Secret Service. 50 what you're
dealing with is an entity who is calling you over and
over again without identifying themselves. Back i n
the old days, this sort of thing happened all the time.
Today it' so much easier to identify incoming calls
even when they're blocked. There' no more running
to the central office while trying to keep the caller on
the line and taking ZU minutes to figure out what part
of the country the call is coming from. These days it' s
all logged somewhere. If the Caller 10 is blocked then
you (the called party) simply aren 't able to see that
information. But your phone company can. Those
are the people who can help you put a stop to this.
There are other more tricky ways such as forwarding
your line to a service that reads the ANI data rather
than the Caller 10 data. A few years ago a company
named Z-Tel inadvertently provided this service to
their customers when forwarding calls to another line.
Someone could call your landline with t heir Caller 10
data blocked, the Z- Tel service would ring your line
and after a certain number of rings would forward the
call to a second number that you had designated as
part of a "follow-me " service, and the caller' actual
number would appear as the incoming number on
the second phone regardless of blocking status. This
little feature was discovered and "fixed. " But there are
undoubtedly other ways of doing this and we're sure
our readers will send in suggestions. For now, simply
don 't pick up blocked calls and r{'(urn the phone calls
of anyone you know who calls you with their number
blocked. When the people behind this stop get ting
anything other than your voicemail, they will grow
bored and move on to something else like physically
attacking you. And then you'll know who they are.
Dear Zb.
Al though t hi s l etter has noth i ng to do wi t h
phreaki ng or tech n i cal hacki ng, i t enta i l s an i nter
est i ng si t uat i on about soci al l y "hacki ng" the educa
ti onal system:
The hi gh school whi ch I attend uses the Prenti ce
Ha l l bi ol ogy cur r i cul um for thei r bi ol ogy courses
offered through the I nternat i onal Bacca l aureate
program. I t turns out that t hi s is the exact same
cur r i cu l um that l used i n mi ddl e school t hrough a
Dear Zb.
"gi fted and ta l ented" progra m i n seventh grade. Upon
Thanks for the great publ i cat i on. I l ove i t. I have
l ear n i ng t hi s I was i ncredi bl y di sappoi nted. After
been readi ng s i nce I have been 1 2 and rea l l y enj oy
a l l , I wou l d not be l earn i ng anyth i ng new in one of
it. I have had some probl ems l atel y that I th i n k you
my favori te subj ects for an ent i re semester ! Then it
great geeks can fi gure out or give some advi ce about.
dawned on me: bes i des j ust havi ng remembered a l l of
Here i s my probl em. I have been recei vi ng a bunch of
the i nformati on wi t h i n the textbook, I sti l l had a copy
cal l s from the "Secret Servi ce" l atel y and i t i s gett i ng
of every si ngl e test and assi gnment for t hat textbook.
rea l l y ol d. I h i ghl y doubt that the Secret Servi ce l i kes
These are the standard tests devi sed by Prenti ce Ha l l
prank ca l l i ng peopl e, and I wou l d l i ke t o know who
Publ i s hi ng, mi nd you. I n the I B program and i n my
i s beh i nd the probl em. I t i s a pri vate nu mber whi ch i s
h i gh school , i t i s consi dered academi c di shonesty or
the troubl e. And I can' t bl ock a l l pri vate ca l l s because
"cheat i ng" i f one somehow has a copy of a test pri or
some of my fri ends have bl ocked Cal l er I D by defau l t.
to the admi ni strat i on of that test, hence the sol uti on to
So how shou l d I go about stoppi ng the cal l s and/or
my probl em. I f I tel l the bi ol ogy teacher and/or the I B
fi gure out who i s ca l l i ng me? I fi gure they are j ust
admi ni strator that I have these and submi t copi es to
from some other more i mmature 1 4-year-ol d not too
them to prove i t, they may bump me up a semester
di fferent from mysel f. I am gett i ng the cal l s on my cel l
to mater i al I haven ' t l earned yet ! I cou l d say that i t
phone whi ch i s the worst part. They ca l l about si x
wou l dn' t feel ri ght on my consci ence to cheat i n t hi s
Winter 2007-2008 Pa
g
e 41
man ner, that I fear penal t i es, etc. The obvi ous pi tfa l [ s
t o t h i s approach a r e that they cou l d j ust gi ve me a[ ter
nate, and u ndoubtedl y easi er, tests, or they cou l d
us e tests di fferent from t he standard. There i s al so the
poss i bi l i ty that they wou l d j ust not care or that they
woul d confi scate the tests. (I wi l l make copi es whi ch
I won ' t t ur n i n. ) I have been l ucky so far, compared to
many hackers, as to the qual ity of my educati on, and
I am worri ed somewhat t hat my l uck may r un out and
the teache" wi l l resort to l udi crous measures out of
l azi ness. I f th,y state t hat I cou l dn' t have remembered
a [ [ of that, then they wou l d be condemn i ng t hei r own
teachi ng methods. How do they expect us to recal [
i t i n rea [ l i fe, then ? Pl us, there i s sti l [ the fact that I
wi l [ be bored, havi ng [ earned a [ [ of t hi s previ ousl y.
Thus, it is a fa i rl y pos i t i ve si t uat i on for me ei ther way
- they ei t her move me up i n the curri cul um or I get an
easy A, t he l atter bei ng t he l ess desi rabl e of the two
outcomes. The true col ors of the H program and of
my hi gh school , whi ch i s h i ghl y touted for a publ i c
school , sha l l be reveal ed regardl ess. Need[ ess t o say,
it wi l l be i nteresti ng to see what comes of t hi s. The
t hi ngs one has to do to [ earn . .
The Phi losopher
Dear 2600:
I have a story for you but i t ' s not about hacki ng.
My wi fe and I were vi si t i ng fami l y and stayi ng at an
unnamed motel . Th i s motel was one of those rea l l y
cheap ones where you go for affa i rs and stuff. Anyway,
t hi s hotel advert i sed Free Wi rel ess I nternet, whi ch i s
one of t he reasons I chose i t . I was browsi ng arou nd
the I nternet usi ng t hei r network when I got cur i ous.
[ wondered what type of router t hey wer e us i ng and
how secure i t was. So [ opened up the command
prompt, got the I P address, and typed i t i nto the U RL
bar. A fa mi l i ar screen popped up. I t was the same one
from my wi rel ess network at home. So I knew they
were us i ng a L i n ksys router. Then came the admi n
name a n d password prompt. I thought I ' d gi ve i t a
shot and use the defaul t whi ch i s no admi n name and
the password i s " adml n" . I mean, no motel , hotel , or
any other pl ace wou l d be dumb enough to [ eave i t
dS the defaul t sett i ngs but [ fi gured i t wou l dn' t hurt
to try. Lo and behol d | was granted access and the
d[ [ too fclli [ i ar, to me anyways, confi gurati on page
popped up. I t was so edsy to get i n I was stun ned. I
l ooked up i n the uppcr ri ght hand corner of the screen
and noti ced they were usi ng the same router I used at
home. At t hi s poi nt I cou l d have changed whatever I
wanted but I di dn ' t . I di dn' t bother tel [ i ng the guy at
t he front desk beca use he wou l d have bl own me off
and he probabl y wou l d have ca[ l ed the cops and sai d
I was hacki ng i nto t hei r network. I thought I wou l d
share t hi s story wi t h you t o show how some peopl e
sti [ 1 don' t car e about t hei r network secur i ty.
Togeta
Dear 2600:
I don ' t know why, but the l ast two t i mes I ' ve
purchased 2600 at my [ ocal Borders, they have been
unabl e to scan the UPC and get i t to r i ng up. They
wi l l key i t i n manua [ l y as a generi c peri odi cal , whi ch
as far as I know means you guys don ' t get any sort of
credi t or anyth i ng for i t. J ust a heads up.
Rami e
Borders doesn't have this policy but Barnes and
Noble does, where issues that they lose track of get
charged to us. Thanks to you and the many others
who arc keeping us updated.
Dear 2600:
I work at a col l ege i n New J ersey. To put t hi ngs i nto
perspecti ve: The peopl e who r un t hi s pl ace th i n k that
technol ogy means more computers i n the cl assroom
We recent l y swi tched from a Novel [ server ( wh i ch
was seven years ol d) to a Wi ndows Acti ve Di rectory
server ( wh i ch i s new). So the guys from the I T depart
ment i nsta l l ed WAD on my mach i ne. I asked the I T
guy, "Do I keep the same passwordl" Hi s repl y was,
" No, here' s your new password. " He then tol d me
that my username was " j smi t h" and my password was
" j s1 2 34" . " 1 234" i s my phone extensi on on campus.
How secure i s my ( or anyone el se' s) password and
fi l es i f everyone knows how t o get i n! Lucki l y I was
abl e to have my I T guy change my password so no
one knows what i t i s.
Si nce everyone' s password i s not protected, can I
l og i n as the col [ ege presi dent? What about the hEW)
of the I T department? Fac i l i t i es? Fi nance? I haven' t
t ri ed i t, but I ' m very tempted t o.
hypo
What 's even more amazing is t hat you apparently
don 't have the ability to control your own password.
Civing out a default lS lairly standard and not neces
sarily insecure if W, followed up immediately by a
password change. This apparent missing second step
at your institution is indeed a major problem.
Dear 2600:
Pl ease stop a [ 1 subscri pt i ons addrfssed to the
fac i l i ty l i sted above. Th i s i s a state hospi ta l for ci vi l l y
commi tted sexua l l y psychopath i c personal i ti es and
sexua l l y dangerous persons. I t i s i nappropri ate for
them to recei ve t hi s subscri pt i on. Your publ i cati on
j eopardi zes the secur i ty of our faci l i ty and pl aces a
r i sk to pati ents, staff, and the publ i c.
Office of Special I nvestigations
We've been arcused of d lot of things but jeop
ardizing the security of a civilly com milled sexually
psychopathic personality is a first. We're also not sure
how such a person reading our maga7ine puts the
public at risk but we'll ce to your judgment on that.
However, as the person (s) who subscribed to us at
this institution paid us for it, we must notify them and
issue refunds for t he unreceivec issues. Hopefully tha t
won 't CaU5p OCgrief
Questions
This i s primarily because most peop/p aren 't
network admins. Odds are the guy at the front desk
has no skill or interest in this department at all and his
solution to the problem would be to just unplug the
thing. While large chains can afford to hire I T guys
and ensure that routers don 't get installed with default
passwords, the smaller places might wind up not
Dear 2600:
o(ering the service at all if it becomes too problem-
Are you i nterested in an arti cl e about spoofi ng
atic. That : why education on a very basic level i s so
f i ngerpri nt bi ometri c sensors! I ' ve j ust done a bunch
important. Something like this should he as intuitive
of work on fdke fi ngerpr i nts and I cou l d wr i te a pretty
as locking a door.
n i ce how to ( actual l y addressi ng the pract i cal i ssues
Pa
g
e 42 2600 Ma
g
azine
and what the best methods are, u n l i ke most of the
academi c worl d) . I ' ve al so got some stuff on Al bert
Wehde, who seems to have been t he fi rst guy to forge
pr i nts, way back in 1 92 7 when he was in federa l
pri son for gunrunni ng.
I ' m aski ng i nstead of submi tt i ng because I haven' t
read ZOUUfor a wh i l e and I don't know i f you want to
cover t hi s stuff or even i f you ' ve covered it recentl y.
If you ' re i nterested, what sort of word count do you
usua l l y want?
M
Anything involving spoofing, bypassing security,
or just plain mischief is most certainly something we'd
be interested in hearing more about. As for word
count, just shoot for long enough to tell your story as
thoroughly as possible without becoming boring.
Dear 2600:
After gett i ng a hang up on my phone showi ng
a number of 2 1 4-000, I started Googl i ng and found
out t hat maybe 2 1 4-000 has somet hi ng t o do wi t h
ca l l s comi ng across from Mexi co vi a Texas. I then
stumbl ed across some post i ngs about thi s number:
2 1 4-586-0999. When I di al i t a synthesi zed voi ce
cal l ed out my phone n umber then sai d " Pl ease wa i t
wh i l e I connect your cal l . " I t hen get some i nterest i ng
new-agey techno mus i c t hat j ust goes on and on.
Anyone know what these numbers actua l l y are?
Doda
This number is indeed interesting. While we
couldn't get it to read out the phone number, the
endless musical hold is apparently unavoidable.
Judging from the many comments about the number
on the Internet, it seems to show up on various calls
from other countries all over the world. There is wide
speculation that this is some sort of a VolP service
where the phone number is being manipulated. We'll
keep our readers updated if we get any more info.
Dear 2600:
Not sure i f t hi s is poss i bl e, but cou l d you get me
i n contact wi th the wr i ter of an art i cl e i n the current
i ssue? The reason for my i nterest i s that I was i ntri gued
by t hei r anal ysi s of the network and I work as an engi
neer for a competi ng company. So I am i nterested i n
what we can do to secure our product.
Davi d
If a writer wants to be contacted, he/she will add
an email address to their byline. Otherwise we have
to assume they don 't wish to receive correspondence.
And we simply cannot serve as a go-between for a
whole variety of reasons.
Dear 2600:
I recei ved t hi s ema i l as the date i ndi cates and I
was wonder i ng if t hi s can be traced to the sender or
an or i gi n? I shoul d have wri tten sooner about t hi s.
I was readi ng the art i cl e " Hacki ng ZOUU Magazi ne
Authors" i n 24: 3 and i t got me t o th i nk i ng about t hi s
threateni ng ema i l I recei ved back i n Apri l of t hi s year.
I have treated t hi s as a prank most l y except I di d have
a short connecti on wi th the F BI when I was asked to
do some radi o mon i tori ng after I tuned in a strange
radi o transmi ssi on in CW I i ntercepted off of the 30
meter ham band.
I buy ZOUU off of the mag r ack at Hasti ngs regu-
----- Original Message -----
Sent: Monday, April / O, ZUUz / Z.DO PM
Subject: Comply with us or you die
Do you want to live? Comply with us, even as you
reading this mail, you are being watched. Your internet
and telephone are tapped by us. This is a serious case.
After, reading this mail, don ' t try anything stupid.
Don ' t involve police, interpol, or FBI.
I am a strong member of islamic shite and an
assasian by profession. I am from Afghanistan. I was
paid by someone to assasinate you and your family
by bomb blast last weekend. We have carefully moni
tored your family for one month now and we have
your family profile and personal data.
You are supposed to be a dead person by now,
but we want to give you chance to live if you comply
with us by doing what we will ask you to do. Your
family cannot run or hide from us because we have
network almost all over the world. Remember , we
are watching now and if you involve police, you will
die! ! !
May Allah be blessed.
John
In a way this sort of thing was inevitable. The
old style spam of simply trying to con people out of
their money may well evolve into outright threats and
intimidation tactics to extort people. We find the letter
extremely humorous but you undoubtedly don 't. Our
unprofessional opinion tells us that the level of absur
dity contained within indicates that this thing isn 't for
real. The fact that they mention the FBI and that you
already have been involved with the FBI leads us to
suspect this is someone who knows this about you.
And if somehow this information went out over one
of the ham bands, then that is almost certainly what
i s happening. There are al l sorts of ways of figuring
out where the mail came from based on full headers
(which weren't forwarded to us), the appearance of
the email address in public posts, and other clues. But
it' s also possible to mask all of this information with a
tiny degree of competence. Then you must look for
other clues within the hody of the message, t he liming
of its delivery, etc. And if after all of this you find t hat
it' keeping you up at night, by all means contact
someone in authority who's capable of understanding
what 's going on. Threats of violence should never he
tolerated.
Dear 2600:
I ' ve been enj oyi ng ZOUU for some t i me now and
wou l d l i ke t o have your voi ce arou nd for a l ot l onger.
To that end I ' ve often wondered whi ch method of
buyi ng the magazi ne is most benefi ci al to you guys.
For exampl e, do you need sal es from my l ocal book
store to i ncrease ci rcul at i on through di st r i butors and
make i t worth gi vi ng you shel f space? Or do you
prefer the extra money you get from subscri pt i ons?
Does the di scount for mu l t i -year subscri pti ons rea l l y
outwei gh t h e cost of renewal noti ces? I t seems l i ke
l i feti me subscri pti ons gi ve you cash up front, but do
you then regret it when subscri bers I i ve forever?
I n short, ass umi ng mi nor pri ce di fferences and
paranoi a about subscr i bi ng aren ' t a concern t o me,
what way of buyi ng the magazi ne does the most to
keep ZOUU vi abl e in the l ong run ?
RB i n S F
l ar l y a n d appreci ate t h e work a l l of you do. S o t hanks The only real answer t o this is t o recommend that
for readi ng t hi s and be carefu l out there! you do whatever is most convenient for you and that
Winter 2007-2008

P
g
e 43
you keep doing it. If you subscribe and forget to renew
t hen obviously that doesn't help us. And i f you keep
going to your store in hopes of finding us and either
get there too late or aren't lucky enough to have a store
that carries us in your town, then subscribing helps
both you and us. We hope people find us in book
stores and don't just bring issues over to the coffee
section and get stains on them. While it's good to see
stacks of issues in stores, if they remain there for too
long it becomes a problem. I is your civic duty to see
that the issues get sold to people who can appreciate
them. We're not asking that you drag total strangers
in off the street and demand that they buy an issue
(although we're not forbidding that action either)
nor are we suggesting that you buy all of the issues
yourself and then hand them out as gifts and swallow
the loss without complaining. What we would like is
for people to be aware when a new issue is out and
for them to alert others so that our sales do well and
we have enough to put out the next one. Our readers
have always been very loyal and, as we're 7 00 percent
reader support<,d, they are literally the only reason
we're still around. If we were advertiser supported,
the numbers could be fudged in order to keep the
advertisers paying whatever we wanted, resulting in
a publication that served no one but ourselves. That,
unfortunately, is a common practice and it's one of the
reasons we've resisted even cautious steps into that
world. So please subscribe or buy individual copies in
whatever manner is best for you. (No, we don't mind
when our lifetime subscribers live forever. ) In short,
spreading the word always helps. Bul l hanks so much
just for caring enough to ask.
Dear 2600:
I ' ve been an avi d reader of you r publ i cat i on for
severa l years now and I l ove the techni cal i nforma
t i on presented. I do have a quest i on for y' al l , however,
whi ch dea l s wi t h captur i ng streami ng vi deo as i t
appea rs on the Pc. On yout ube. com, t her e are severa l
vi deos whi ch take a whi l e to down l oad. It wou l d be
great if it were possi bl e to record the strea ms to a fi l e
on the hard dr i ve so i t coul d be watched l at er wi thout
t he cont i nued pausi ng whi ch occurs when the addi
t i ona l vi deo has to be downl oaded.
What I have tri ed a l ready i s to ri ght-cl i ck on the
page that i s pl ayi ng the stream, sel ect Vi ew Source,
and t hen save i t to a ". txt" f i l e. I then opened the .txt
fi l e in Notepad. exe and performed a search for l i nks
that ended i n the sta ndard suffi x associ ated wi t h vi deo
fi l es ( i . e. , . wmv, . swf. , .asp, etc. ) . On the rare occa
si on that I found one, I wou l d cut and paste i t i nto my
browser's "www" fi el d and cl i ck go. However, t hi s di d
not appear t o work.
I s there any other method by whi ch I coul d
capture t he streams?
CMG
Yeah, there are methods that actually work. One
you might want to try is You Tube Downloader which
can bc found at http: //youtubedownload.altervista.
org/.
Dear 2600:
Hey guys. Are you i nterested i n Pol i s h payphones?
Wel l , i f you are I cou l d take some photos. J ust tel l
me.
suN8Hcl f
Whilc this somehow feels like we're entering
into a drug deal, yes, we are interested. Hook us up.
Thanks.
Dear 2600:
Any chance of you guys doi ng an arti cl e on the
Si deki ck?
Bi omechanoi dXI I I
Only i f someone writes one. Our address is
articles@2600. com.
Dear 2600:
I j ust got done readi ng 24: 2 and found i t to be
very wel l i nformed. I tru l y enj oyed readi ng i t al though
thi s edi t i on was my fi rst and onl y i ssue. I don't have
access to a computer but I pl an to remedy that in the
near future. I n the meant i me I was wonder i ng i f you
cou l d provi de me and/or di rect me to any i nformati on
regardi ng the fol l owi ng:
1 ) E Door Tracker.
2) ATM Technol ogy ( i . e. , keypad, etc. , etc. )
3) Websi tes t hat conta i n hacker equi pment.
I n cl osi ng I thank you i n advance.
Anthony
We probably shouldn 't ask what you're up to but
all of what you seek can be found on the net just by
plugging those phrases (and others) into a search
engine. There's way too much to simply provide to
you while you don't have computer access and we're
not sure what good the websites would do you during
that time anyway. We suggest having a friend print out
a bunch of stuff from some of the results of this search.
It will keep you busy.
Dear 2600:
How does one catch someone who is back
spoofi ng the tel ephones at home and the cel l phone?
l know i t i s happen i ng but I don't know how to fi nd
out who i s doi ng i t .
Christine
We'd be more interested io hearing how you
"know" this is happening. We get letters like this all
the time where people are convinccd someone is
watching their every move or impersonating them
hut without a clear picture as to just how this conclu
sion was reached, it 's impossible to give good advice.
Spoofing Caller ID isn't very hard to do which is why
nobody should rely on that data for any sort of identity
verification. It would be a good idea to not use any
service that docs.
Dear 2600:
What's the dea l wi t h the Wi nter 2 006-2007 cover?
Why i s Bob Dyl an shaki ng hands wi t h the guy from
the "Take on Me" vi deo by A- Ha (80s band) ? What's i n
t h e s ui tcase? Why i n front of t h e Merri l l Lynch bu l l ?
W1 f3y Of R34d3r
I t represents t he joining of forces t o prevent Merrill
Lynch from moving uptown and destroying the Hotel
Pennsylvania. We just didn't know it at thc time.
Dear 2600:
Do you have any surveys whi ch show the most
popu l ar computer compan i es? Under each company
what i s the most popu l ar computer? What i s the most
popul ar as? Who has the best customer servi ce? Do
you have anyone who can wr i te a program start i ng
P
g
e 44 2600 Ma
g
azine
wi t h DE BUG? Do you have anyone who does
assembl y l anguage programmi ng on a DOSlWi ndows
OS? I f so, what books does he recommend to hel p me
l ear n t hi s l anguage?
FK
00 you ever write anything that isn't a question ?
Most of what you're asking has nothing to do with
our subject matter, is way too general, and is really
stuff that you get to learn on your own after playing
around with computers for a while. You will find
plenty of people willing to give you advice once you
get involved.
Surprised?
Dear 2600:
I j ust pi cked up you r l atest zi ne ( 24: 3) at the l ocal
Barnes and Nobl e whi ch di spl ays i t r i ght out i n front
of a l l of the other zi nes. I noti ced the whi te bl ocks
on the outsi de bi ndi ng and remembered seei ng them
on a coupl e of past i ssues. Wel l , bei ng home al one
bored I thought of putt i ng the i ssues wi t h t he whi te
bl ocks together i n a stack to see if the bl ocks wou l d fi t
together and maybe see some ki nd of message. After
severa l tri es I fi nal l y di d see someth i ng. I t l ooks l i ke the
l etters S- U- R-P-R-I -S-E and then somet hi ng that l ooks
l i ke a B or maybe an 8 and bstl y maybe a symbol of
some sor t . I see t hi s when I stack t hem: 24: 2 on top,
24: 3 i n t he> mi ddl e, ,1d 2 4: 1 on t he bott om. Pl ease
t el l me i f t hi s i s somet hi ng O am I seei ng t h i ngs? I f i t i s
somet hi ng I guess I ' l l have t o wa i t for 24: 4 t o see what
the l ast two t hi ngs are . . . . Or wi l l i ?
SJ KJ RX
Stacking issues out of order - what is this world
coming to?
Dear 2600:
I s " sur pr i sed? " the fi nal message on the spi ne of
the l ast t hree i ssues, or i s there more!
MasterChen
What do we get if w(' answer correct lyi
Dear 2600:
OK, so ever si nce I read one l etter that was sent i n
sayi ng that t h e wr i ter was on l y tryi ng to get hi s n a me i n
the magazi ne, I was i nt r i gued. B u t I a l so rea l i zed that
i f everyone di d that, then 1 ) there woul d bp cU i ssue
and 2) i t cou l d be cons i dered spammi ng Z|ll ( wh i ch
wou l d be i nterest i ng) and wou l d ra i se the a l ready
enormous l etters sect i on to a rea l l y huge si ze.
So t her e rea l l y i s a poi nt to t hi s l etter. I see t hai
there i s an i nterest i ng factor t o your new bi ndi ng of
t he magazi ne. And i n a future rpsponse to your ques
t i on: no, I am not su rpri sed. Hat e to di sappoi nt ! Keep
up the great art i cl es!
PreisT
Dear 2600:
I have not i ced your spi ne on the new Z|||
mags. I f I pl ace them i n or der of 1 , 3, 2 i t seems to say
Surpri se07. I th i n k t he l ast i ssue of t he year wi l l be t he
bottom so t he or der wi l l be 4, 1 , 3 , 2 . Does t he order of
the mags mean a nyt h i ng?
I know a l ot of the readers don' t l i ke the m,w
spi ne. But I do. Center pages and back cover do not
pop off aft er heavy use now. So i t seems to hol d up
better.
Keep up the good work. And hi dden treats.
Unknown One
Dear 2600:
"Surpri sed?" That i t was that easy? Yeah, I ki nda
am.
strangerOnfire
How about the fact that it wasn't supposed to
be completely readable for another year? Perhaps it
should be changed to "Shocked? " for our benefit.
Opportunity
Dear 2600:
Good Day!
Barri ster J ohn I be i s my name and a Sen i or Advo
cate of Ni ger i a. I have a proposal to di scuss wi t h you
concerni ng one of our Deceased customers who i s a
nat i onal of you r country. As soon as I hear from you
and once we are i n agreements. I woul d be needi ng
your assi stance i n maki ng a busi ness i nvestment i n
rea l estate, oi l & gas a n d any ot her l ucrati ve sphere of
busi ness in your country.
Owi ng to the urgency of t hi s transact i on, I wou l d
appreci ate an i mmedi at e response from you t o
confi rm the recei pt of my mai l . As soon as I get t h i s
response from you, I wi l l furn i sh you wi t h det a i l s of
the tra nsacti on and the urgency at whi ch I need | Oget
the funds t ransff
'
red out of Ni ge' r i a to you . Your ed r i i es!
response t o t hi s l etter wi l l be appreci ated.
John( SAN)
We really want t o do business wi t h you hut feel
uneasy because of the grammar and capit ali/ation
issues wCve previously written t o you about . Olle
of your colleagu('s evel l sent us a let t er t hat was
compl"te/y ill capital leiters ! We 'imply cal1 l ot ahide
t hat as it makes us 1" 11 '1uite .,mall in comparison.
Once we have t h" protocol sort ed out , we would
be most happy to supply you with all of the ill(orma
tion you need dl UI mo{"( ' i n md( 'r t hat we 1 l J , I Y help
to secure the t ra ll Sfr o( the (ul l ds (rom Nigeria. /| is
indeed di.' turhillg how much money has heen tied
up ill your country oV('r the years simply bfc |t'
t here arel l 't "l l Ough people ill the world who tll give
out their bank decount numhers alld t rdns(er cod"s.
Please count us in u concerned p, l rties who \\1 l 1/ t o
hel. Yours truly, et c.
Observations
Dear 2600:
I re,l l l y ('
nj oy your publ i cat i on. Al t hough I ' m not
a "hacker" mysel f, I feel t hat I ' m mueh more' enl i ght
ened concerni ng computers i n gt' ner,l l beca use> of
your efforts and publ i cat i on. Creat j ob. Tha nks ,l nd
keep up t he good wor k !
Now t h a t t hat ' s ou t of t h e way, here' s somet hi ng
that perhaps a good hacker coul d t ackl e. A coupl e of
years ago, my wi fe bought an HP 8250 " Photosmart"
pri nter. For the fi rst ti mp, a few days ago, I got i nto
some of the more eso! pri c areas of its con l rol pa nel ,
and wow, t here' s a lot of i nformati on t here. One of
t he t hi ngs t hat caught my eye is the "expi rat i on date"
of the i nk cart r i dges, whi ch I take to i ndi cate that you
have to buy a new one from HP - because i t won ' t use
the "expi red" one whether i t has i n k or not. A cl ever
Winter 2007-2008

Pa
g
e 45
way to keep the revenue stream up, huh?
Why does n' t someone pokp around wi t h these
t hi ngs and see what you can l earn? I f the i n k cartri dge
has a chi p that can be fl ashed, then cartri dges cou l d
l ast - wel l , essenti al l y forever !
I f you ' ve al ready wri tten about t hi s, I ' d be grateful
for a reference!
Pl umBob
We've never heard of a printer refusing to use an
i nk cartridge because of a passed expiration date. You
may get an annoying popup message and perhaps
a dire warning of a voided warranty should some
thing go wrong but Ihat 's about the extent of it. Any
company with any sense would know that this kind
of forced control over its customers will simply stir
up bitter resentment against them, not to mention all
som of ways to bypass their restrictions.
Dear 2600:
After more t han seven years of readi ng I fi nal l y
subscri bed t o t he mag . . . and i t fel t good. I al so j ust
renewed my WBAI members hi p dur i ng "Off The
Hook" and it a l so fel t good.
I n my strol l down memory l ane I pi cked up the
Wi nter 2000 i ssue of 2600 and i n the " Di rect i on"
art i cl e you say somet hi ng t hat sti l l r i ngs t r ue today,
"Thei r ( musi c i ndustry' s) l ack of foresi ght is overshad
owed onl y by t hei r nai ve i ns i stence of us i ng bul l yi ng
tact i cs t o get thei r way and hol d ont o t hat whi ch was
never t hei rs to begi n wi t h. "
After the recent $220, 000 ru l i ng agai nst a poor
woman who downl oaded (al l egedl y) a l i tt l e over
20 songs, i t ma kes me th i n k that in seven years the
RI AA sti l l th i n ks that bul l yi ng works. I t ' s too bad more
peopl e don't read, subscri be, and support your efforts
because then maybe the bul l yi ng wou l d stop.
Stay Human.
hypoboxer
Bullies only go away when people stand up to
them. It's worth the occasional hlack eye if some other
eyes get opened as a result. Oftentimes just making
others awarp of wha! going on is enough to start
changing the situation. And there\ no doubt that this
particular situation is changing.
Dear 2600:
One day after retur ni ng home from work, I was
sur pr i sed to see a package addressed to me from a
tota l stranger. Ant i ci pat i ng a puff of ant hrax, I opened
i t up to see my aut umn i ssue of 2600 al ong wi th a
letter. Apparentl y, my copy of th" magazi ne got stuck
to that of anot her subscri ber and both were del i vered
to hi s address. But i nstead of t hrowi ng i t away and
j ust forgett i ng about i t, he went total l y out of hi s way
to mai l me my i ssue. I j ust want to express a publ i c
word of t hanks.
Mi ke
Alexandria, VA
This is indeed the true spirit of 2600 reaelers and
we also thank Fd for his consideration. Now we intend
to figure out how in hell some of our envelopes are
sticking together. Thanks for letting us know
Express, no less. Gee t hanks, 2600, for k i l l i ng trees
in a vai n attempt to sel l me credi t card that I al ready
carry even.
Has 2600 sol d out? I s al l l ost ? I s t he end near?
Repent, and si n no more, oh corporate s hi l l s, and
remove my address from your hounds-of- ma i l .
DataBoy
We've done a thorough investigation into this and
we've been i n touch with you over it as well. We don' t
know how American Express got your info but we can
say that it most definitely wasn 't from us. We take this
sort of thing very seriously and go to great lengths to
make sure our subscribers retain their privacy But we
don't for one minute think that there aren't forces out
there working to somehow subvert this system which
is why it's so important to always be alert and aware of
any weirdness going on. By all means make a slightly
different name or address for your subscription, not
just for us but for everyone you give your address to,
so that you can see who' giving your information to
whom. The only possible way your address could
have heen passed along from when you placed your
order was if someone manually copied it down at the
post office or if somehow PayPal (where your order
was placed) harvested it whm you mtered your
information. If it's the latter then we undoubtedly will
he hearing more about it, not only from our readers
but from scores of others who use their service.
Dear 2600:
I ' ve been a reader of 2600 s i nce about 1 998 so
fi rst l et me say t hanks for gi vi ng me somet h i ng to l ook
forward to every t hree mont hs. I al so catch Off The
Nook and Of The Wall, a l though most l y webcasts
thlse days as sadl y I ' ve moved off Long I sl and.
Anyway, I j ust thought you mi ght get a
ki ck out of t hi s wpbsi te - i n part i cul ar, the
user agreement whi ch can be found here:
http: //www. cybprtri al l awyer. com/user-agreement
Towards thl mi ddl l you wi l l fi nd my plrsonal
favori te s ni ppet: " We also own all of t he code,
including the I I TML code, and all content. As you
may know, you can view the /-ITML code with a stan
dard hrowser We do not permit you to view such
code since we consider it to he our intellpctual prop
erty protected hy the copyright laws. You are therefore
nol aUlhorized to do so. "
I am j ust cur i ous to see your opi ni on of it, as wel l
as the opi ni on of thE l i stenprs and vi ewers. KeEp
up thE great work and rpst assured you have a l oyal
reader/l i stener for l i fe.
speedkOre
This is jusl so typical of thp corporale world and
how Ihpir littlp fantasyland becomes rpality on so
many levels. We live in a land where filmmakers have
to cover up ads in public pldces or hlot out the names
of products or logos on t-shirts because they haven't
gotten "permission " to use thp5e images. Croups of
people who sing " Nappy Rirthday" face prosecu
tion if they don 'I pay for the rights. There are even
those who believe you can he prosecuted for taking
a picture of a building without getting the permission
of the people who "own " the rights to its image. And
Dear 2600: now a website that tells you that you are not autho-
I magi ne my del i ght to l earn that a l i feti me rized t o read its contents. Since wp have now printed
subscri pti on c<"ts so l i tt l p. I m;gi np my horror when I their word, without getting specifiC permission from
bought i t and started recei vi ng advert i si ng addressed them, we can only cower in fear in antiCipation of
to my 2600-speci fi c nom de pl ume. Ameri can the action that will undoubtedly be taken against us.
Pa
g
e 46
2600 Ma
g
azine
What a screwed up planet we have become.
Dear 2600:
I was recentl y retur ni ng home from overseas on
a Lufthansa fl i ght. I t was one of those pl anes where
everyone has thei r own personal TV at t hei r seat and
you can choose what movi esrV shows t o watch and
they start on-demand. Qu i te a number of a i r l i nes have
these now for l ong- haul fl i ghts. I t' s pretty good - you
have a sel ecti on of several dozen movi es and a bunch
of other cr ap t oo. So anyway, I ' m not s ure what I di d
but I managed to "crash" the consol e so t hat i t j u st
kept resetti ng to the mai n screen no matter what I
sel ected. I cal l ed the attendant over and he had h i s
col l eague reboot t h e uni t ( somewhere ou t of si ght
from my seat).
Th i s i s when i t got i nterest i ng. On the screen, I
saw what l ooked l i ke a DOS boot screen ! Unfortu
natel y I di d not copy i t a l l down i n t i me, but i t started
l i ke so:
Windows CE Loader v2. 7
Prt F. . .
I t l oaded a fi l e cal l ed epos9. bi n o r someth i ng l i ke
that and menti oned a company cal l ed Rockwel l . I t
a l so l i sted a server I P of 1 72 . 1 8. 22 . 1 8 and a termi nal
I P of 1 72 . 1 8. 22 . 20. I t h i n k these are i nter nal l ocal
reserved I Ps l i ke the more common 1 92 . 1 68. * . I t al so
di d some TFTP transfers of the system fi l es from the
server and I ' m not s ure but I t hi nk I saw someth i ng
about X-modem( ! ) ment i oned too. Anyway, soon after
a l l t hi s i nterest i ng data, the graphi cal screen l oaded up
and I was back i nto the nor mal mode of the devi ce.
I thought i t wou l d be i nterest i ng i f anyone knew
more about how these worked to share wi t h the rest
of us. Are they j ust gl or i fi ed PocketPC MPEG pl ayers?
Cou l d any i nterest i ng effects be achi eved by "hacki ng"
these? For exampl e, upl oadi ng your own vi deos to
then show up on peopl e' s TVs? The poss i bi l i t i es are
endl ess! To see the i nfo fi rsthand, j ust act dumb and
tel l a fl i ght attendant your TV i s n' t respondi ng and ask
them t o reboot i t for you. Then have a pen and paper
ready!
Bri an the Fist
A lifetime subscription to anyone who adds
"Freedom Downtime" to their plane collection of
films. (If you wind up screwing up the navigation
system this offer is void. )
Dear 2600:
I was readi ng up on Edgar Al l en Poe on Wi ki pedi a
and read about the Poe Toaster. The descr i pt i on they
gave on the si te sounded very s i mi l ar to a scene i n
Freedom Downt i me. S o I t hi nk t hi s mystery dat i ng
back to 1 949 has fi nal l y been sol ved.
drl ecter
It sort of flies in the face of the time travel theory
presented a few pages back but we're certain there
must be some rational explanation that we're inca
pable of grasping.
Dear 2600:
Appl e has such a un i que way of worki ng the
system, especi al l y the medi a. They make t hei r prod
ucts l ook ni ce and pretty, al ong wi t h maki ng them
to work Appl e products i nto t hei r product i ons. Th i s
way, many peopl e see the product and s ay " Ooh!
That ' s hot! I have t o get one of those! " And before you
know i t, everyone i s tal ki ng about i t. Th i s concept i s
very s i mi l ar t o how t he sports car manufacturers l i ke
Ferrar i and Corvette have so many peopl e thi n k i ng
that a bi g, expensi ve sports car is the u l t i mate t hi ng
t o have. I th i n k t hat Appl e' s i Phone s houl d be more
accuratel y l abel ed as the "product hype of the year. "
Jef
Dear 2600:
Regardi ng I an 2. 0's comment i n 24: 2, pages 44
and 45, I am genera l l y i n agreement wi th h i m. As i s
my tradi t i on, I read 2 600's s ummer edi t i on l yi ng i n a
hammock i n Al gonqu i n Prk as part of my vacati on
readi ng.
The pattern that my wi fe and I fol l ow i s to take
August off and to be offl i ne for three weeks so we can
go campi ng, get outsi de, and be acti ve. I can' t stress
enough how va l uabl e t hi s "offl i ne t i me" i s and that
I can't recommend doi ng i t more. I t serves as ti me
to cl ear one's mi nd, refl ect, rel ax, and see the offl i ne
worl d.
Thanks for t he great magazi ne a l l t hese years.
Tomorrow I head back on l i ne. Today I wri te post
cards whi l e enj oyi ng the human scenery of the coffee
shop.
Boomer/NIT
You have indeed made us jealous. You might want
t o consider one of t he semiannual European hacker
camps which is a good mix between being online and
being in the wilderness. Of course if you really want to
get away from computers, it might drive you mad.
Dear 2600:
I recentl y stu mbl ed headfi rst i nto your publ i cati on
and radi o adventures. I was doi ng research on DeCSS
for a paper that I was submi tt i ng to the Free Software
Foundat i on and I came across the audi o recordi ngs
of Emmanuel 's deposi t i on. Ever s i nce then, I have not
been abl e to quel l my need to read and l i sten to as
much i nformat i on comi ng from 2600 as possi bl e. I
have been buyi ng the magazi ne and l i sten i ng to the
radi o arch i ves for al most a year now. Of course, 2600
has merel y been a j umpi ng off poi nt . There i s never an
i ssue or a radi o show that goes by that I don't hear of
somet hi ng new to research or i nvesti gate.
I have been a hacker for over 20 years. I j ust never
knew that there was t hi s cu l t ure of i ndi vi dual s that
thought and fel t the same way about technol ogy. Most
of the technol ogi sts that I have worked wi th and met
over the years have been "go wi th the grai n" sort of
peopl e. I don' t val ue goi ng wi th the crowd merel y for
the sake of goi ng wi t h the crowd. I j ust wanted to take
t hi s opport un i ty to t hank you for your great endeavors
over the years so that i ndi vi dual s such as mysel f cou l d
have an outl et and a communi ty. I have been i nspi red
to start a ZOUU meet i ng here in West Vi rgi ni a. I wi l l
send you a l l of the detai l s when th i ngs get off the
ground.
seem soph i st i cated but si mpl e to use, so i t appeal s
Matt
to the more cl uel ess i ndi vi dual s . Then Appl e cal l s i n
It always good to hear from people who have
the news medi a to annou nce t hei r product l aunches,
been affected by our world somehow and, better still,
wh i l e at the same t i me they pay TV and movi e wr i ters
have been inspired to do something of their own.
Winter 2007-2008

P
g
e 47
Hacki ng Wi ndows
by A lZZ9
wi t h i t . One i s cal l ed a KI D and i s basi ca l l y a
pub I ic key that i dent i fi es the fi I e. The other is the
L i ke vegetabl es bei ng t hrust i nto the face of
S I D, whi ch acts more l i ke a pri vate key. You ' l l
a n unsuspect i ng ch i l d, I was recent l y pushed mto
need both of these to pl ay the fi l e but the hard
the mi ddl e of the Di gi tal Ri ghts Management
one to get i s the S I D. I t ' s the protected pri vate
debate. I wi sh I cou l d say that I was doi ng some- key that, i f i n the wrong hands, al l ows the user to
th i ng as nobl e as recreat i ng Star Wars i n ASCI I do j ust about anyth i ng t o t h e encrypted content.
format, hacki ng Mi crosoft, or l evel i ng up my
The secret t o gett i ng t hi s key i s t o use a l i ttl e
l evel 3 6 ni ght el f drui d. No, I was doi ng noth i ng
known feature of Wi ndows Medi a Pl ayer: debug
of the sort when I got a fi rst- hand taste of DRM. I
mode. Whi l e Wi ndows Medi a Pl ayer is i n debug
was l ooki ng for naked gi r l s .
mode, other programs can access var i abl es that
My "research" started l ast month wh i l e my
are norma l l y h i dden away from pryi ng eyes. The
gi r l fri end was out of town for the t hi rd week i n
newest Wi ndows Medi a Pl ayer a s of t hi s wri ti ng
a row and I ' d grown ser i ousl y ti red of the same
i s vers i on 1 0. 00. 00. 3990, whi ch wi l l not work
drunken col l ege gi r l s maki ng out on the same
for our purposes. Mi crosoft real i zed that debug
couch wi t h same dr unken frat boys watchi ng. I t
mode was the proverbi al weak l i n k i n the DRM
seemed l i ke I ' d seen everyth i ng on the net when
chai n so they di sabl ed the use of i t when pl ayi ng
I happened t o stumbl e across a si te t hat a l l owed
a fi l e whi ch is DRM enabl ed. The l atest vers i on of
u n l i mi ted downl oads of t hei r DVDs for onl y $30
Wi ndows Medi a Pl ayer t hat I ' ve seen worki ng i s
a month . Un l i mi ted down l oads! I ' d never pai d
vers i on 9. 000. 000. 3344. I t shoul d be noted that
for porn onl i ne and hadn' t bought pri nted porn
i f you ' ve ever i nstal l ed WMPl 0 and then revert
s i nce I was 1 8, hut t hi s seemed l i ke a good deal ,
back t o WMP9, t hi s hack wi l l not work.
so I si gned up. L i ttl e di d I know, but these guys
Now, l et ' s get to i mpl ement i ng the hack.
used some ser i ous DRM.
Fi rst, I recommend sta rt i ng wi t h a fresh copy
Here' s what you shou l d know about the
of Wi ndows XP. You tH do th i s wi thout havi ng
poss i bi l i t i es of Wi ndows Medi a DRM:
a cl ean i nsta l l , but there are vari ous DL Ls that
You have to type i n your username and pass-
need to be a speci fi c vers i on for our l i ttl e scheme
word i nto Wi ndows Medi a Pl ayer every ti me that
to work proper l y. Some graphi cs and vi deo
you pl ay a vi deo.
programs wi l l overwri te these fi l es we depend
You have to be on l i ne so that Wi ndows Medi a
on, and thi s wi l l prohi bi t us from str i ppi ng the
Pl ayer can con nect wi th the l i censi ng server.
DRM. Aga i n, updati ng to WMPl 0 wi l l ru i n your
You can onl y pl ay t he vi deos i n the Wi ndows
decrypt i ng efforts .
vers i on of Wi ndows Medi a Pl ayer. Maci ntosh
So, assumi ng you ' ve got a cl ee m XP i nsta l l
a n d L i n u x are not supported.
and Wi ndows Medi a Pl ayer 9, we can conti nue.
You wi l l be unabl e t o pl ay a ny fi l es you ' ve
Fi rst, make sure that you can actua l l y pl ay the
previ ousl y downl oaded once your account i s
vi deo you ' re tryi ng t o decrypt. I f you ca n' t pl ay
del eted from the l i cens i ng server.
tbe fi l e, then you need to troubl eshoot why; our
Of course, I di dn' t l ear n of these ph i l i sti ne
tool s wi l l not work unt i l the vi deo pl ays properl y.
restri cti ons unt i l after I ' d handed over the money,
Tbere was one DRM-rel ated update I had to r un
but after I di d, the hacker i n me knew t hat there
for WMP9 to get the vi deo fi l e worki ng i n the fi rst
must be a way to un l ock these f i l es. The fol l owi ng
pl <l ce. Runni ng t he update that al l owed me to
is < gui de to decodi ng Wi ndows Medi a DRM
pl <y the vi deo di dn' t i mpai r my abi l i ty to decrypt
protected vi deo fi l es.
the fi l e l ater. You may have t o do the same.
I n order to
decrypt a Wi ndows Medi <l
DRM
The next step i n our decodi ng process i s t o
fi l e, you fi rst need to have ri ghtfu l access t o the
get the decodi ng tool s . There are two programs
fi l e i n questi on . I f you don ' t know the username
we' l l need. One i s cal l ed drmdbg, whi ch opens
and password to pl ay the fi l e, you won' t be
Wi ndows Medi a Pl ayer i n debug mode and
abl e to decrypt i t wi th the tool s here. You al so
extracts the SI D. The other program, whi ch i s
need a computer capabl e of run n i ng Wi ndows
cal l ed drm2wmv, decrypts the WMV f i l e wi th the
Medi a Pl ayer i n debug mode and copi es of two
S I D from drmdbg. There are di fferent vers i ons of
decodi ng tool s named dr m2wmv and dr mdbg to
both of these programs, and di ferent versi ons wi l l
decrypt the data .
work better i n di fferent si t uat i ons. There are two
Befor e we get i nto decrypt i ng a WMV f i l e, l et ' s
vers i ons of dr m2wmv. One i s wri tten i n J apanese
l ook at how Wi ndows Medi a DRM works. Each
and has crypt i c
error messages; the other,
WMV f i l e wi th DRM has two keys associ ated
drm2wmv_e, i s transl ated i nto Engl i s h and has
Pa
g
e 48 2600 Ma
g
azine
more sens i bl e error messages. I recommend the
Engl i s h vers i on as i t worked much better for me.
As far as drmdbg goes, there are three vers i ons
that I ' ve found: drmdbg-03 1 , drmdbg- 52 7, and
drmdbg-62 1 . They a l l extract the SI D from the
WMV fi l e, but I ' ve had the best l uck wi t h versi on
527. Normal l y, you have t o scour Wi nny, Ares, or
Gn utel l a for these fi l es, but I ' ve made an archi ve
of a l l three vers i ons of drmdbg and and both
versi ons of drm2wmv to make your l i fe eas i er.
You can fi nd the archi ve at http : / / www .
megaupl oad . com/ ? d=5014MCK2
Once you get and extract t hi s fi l e, you ' l l noti ce
a bunch of di fferent fi l es and fol ders. We' l l get to
those i n a bi t. For now, j ust r un any vers i on of
drmdbg. I t wi l l open up Wi ndows Medi a Pl ayer
and wai t. Th i s is when you shou l d open up your
protected vi deo fi l e. The pl ayer shoul d contact
the l i censi ng server as usual , but then i t shou l d
qu i t, and you shoul d see a message sayi ng that
the KI D and S I D were copi ed to the c l i pboard.
I f the fi l e does n' t pl ay or i f the fi l e j ust pl ays
norma l l y, then drmdbg i s havi ng troubl e gett i ng
the SI D. Try us i ng a di fferent versi on of drmdbg.
I f none of the vers i ons you have work, check for a
newer vers i on on l i ne, or i nsta l l VMware and get
a cl ean i nsta l l of XP to work wi t h.
Once the SI D i s copi ed t o the c l i pboard, you
need to put i t i nto a fi l e i n the drm2 fol der. The
name of the fi l e you create doesn ' t matter, but
the extensi on has to be . key. We' l l cal l the fi l e
nodrm . key i n our exampl e. So, makethenodrm .
key fi l e and paste the contents of the c l i pboard
i nto i t. A sampl e key fol l ows:
by AgentS
<DRM2WMV2 >
<KID>oxQ+ql O i WEGMTEHW9U6erQ==< !KID>
< S ID>tD6TrfMAnMgel zQleWVlGEODHGs=< / SI D>
< INFO> Z : \Movies\ PrOn\video_
"wi th drm . wmv < / INFO>
< !DRM2
W
MV2 >
When you paste the key, it wi l l a l l be on one
l ong l i ne and contai n wei rd carri age returns. I
repl aced those strange characters wi t h actual
carri age ret ur ns here but you don ' t have t o worry
about doi ng so yoursel f; the program wi l l work
fi ne wi th the badl y formatted text as i t i s. You can
al so pl ace mu l t i pl e keys i nto one fi l e; j ust pl ace
each of them on a new l i ne. Now save the fi l e.
Now i t ' s t i me t o r un t he mai n decrypt i ng tool ,
drm2wmv. Th i s part, i f you' ve made i t t hi s far, i s
t he easi est. Si mpl y r un t he drm2wmv command
on the fi l e you want t o decrypt. I n our exampl e,
t hi s wi l l l ook l i ke t hi s: drm2 wmv e Z : \Movie s \
PrOn\video with drm . wmv
You shou l d
t
en s
e
e a progress bar move
across the screen, and a new fi l e wi l l be created
cal l ed [ nodrm] - video with drm . wmv.
Noti ce that when you open th
e
new
fil
e, it won ' t
r un t hrough any of t he authenti cati on techn i ques
and the fi l e is now pl ayabl e on a Mac ! Sweet !
Th i s i sn ' t the onl y way to un l ock a DRM
protected WMV fi l e. There i s a graphi cal t ool t hat
attempts to decrypt these fi l es ( wh i ch i s i ncl uded
i n the zi p fi l e) more seaml ess l y, but i t di dn' t work
a l l of the ti me for me. Al so, there are, and al ways
wi l l be, tool s that record the raw output of the
medi a pl ayer, but s i nce we l ose a generati on, I
chose not to use t hi s method here.
Thanks! And happy down l oadi ng!
resu l ts wh i ch suggest t he us e of Nootropi cs by
heal thy peopl e.
Thi s art i cl e i s i ntended as a resou rce t o ass i st the I magi ne, i f you wi l l , a pi l l that makes you more
reader i n u nderstandi ng a topi c not heavi l y u nder- focused, hel ps you form memori es better, or l ets you
stood as of yet. Every person i s di fferent and every stay up for days at a ti me wi thout the harmfu l effects
si tuati on is di fferent. The i nformati on provi ded here produced by amphetami nes, coca i ne, caffei ne, and
i s offered as a poss i bl e answer t o many potenti a l the l i ke. The new wor l d created by l ear n i ng drugs
quest i ons. The author i s not responsi bl e i n any way and bra i n enhancements i s here. I
'
ve read about i t
for any consequence res ul t i ng from readi ng t hi s i n s ci - f i books, but man, i t
'
s gosh dar n ni fty when
ar t i cl e. sci ence fi ct i on becomes real i ty. ( Ki nda makes you
So, suppose you ' re googl i ng around cyber- feel a l l warm and fuzzy i ns i de, don ' t i t?)
space, l ett i ng you r ADD r un wi l d, l ooki ng up any There a l ready exi sts a fert i l e market for mi nd
i nteresti ng words or subj ects you may happen to enhancements. A n umber of websi tes offer these
come across. You have every subj ect from aXXo to drugs for sa l e. Some s i tes even go as far as to have
Zen Comput i ng i n a tab i n you r browser. Then, you real MDs on staff that " l egi t i mi ze" prescr i pt i ons for
come across a word that has a ni ce "cyber" sort of each sal e after fi l l i ng out a br i ef questi onnai re. I f
r i ng t o i t: "Nootropi cs". ( Ah, Boredom, t he pl aces you answer the doctor ' s questi ons correctl y, you
you take me somet i mes ! ) get the drugs, j ust l i ke i n real l i fe. Heck, you can
Nootropi cs are a new type of drug. They were even buy i n bul k. Tempti ng, but I don ' t feel l i ke
ori gi nal l y desi gned to treat such neurologi cal di sor- gett i ng ar rested wi th ki l os of prescr i pt i on drugs.
ders as Al zhei mer ' s, Pr ki nson ' s di sease, and ADD! " Possess i on wi t h i ntent to di st r i bute" does n' t sound
ADHD. However, recent studi es have produced l i ke somethi ng I feel l i ke spendi ng ti me i n j a i l for.
Winter 2007-2008 P
g
e 49
There are many nootropi c drugs on the mar ket.
After a l i ttl e research, you rea l i ze /' ust how common
they are becomi ng. The r esu ts can be very
sur pr i si ng.
Drug I nformation and Si de Effects
Depreny : A sel ecti ve MAO-B i n h i bi tor created
to treat and prevent Pr ki nson's Di sease, i t has been
found to safel y i ncrease a l ertness whi ch in t ur ns
a l l ows one to be more moti vated to accompl i s h
tasks.
Modafi ni l : The preci se mechani s m t hrough
wh i ch Modafi n i I promotes wakefu I ness i s unknown.
"Tested and proven to a l l ow one to stay awake and
a l ert for up to 48 hours i f taken correctl y" (yeah
I got a l i tt l e exci ted when I r ead t hat ) . There are
few si de effects and they tend to be mi l d. So far
there has been no i ndi cati on of poss i bl e death
due to overdose. Si mpl y taki ng the person off the
dosage wi l l ret ur n them to norma l . One si de effect
seemed to be i mpai red speech; however, upon
readi ng further, I found t hat th i s was after havi ng
been up for extended peri ods of t i me. I can i magi ne
t hat certa i n parts of the bra i n may not respond to
thi s dr ug, and I know that when I ' ve been up for
two days, my speech is a bi t s l urred too. However,
documentat i on states that motor ski l l s and l ogi c
centers remai n a l ert.
One word of cauti on: t hough not the manu
facturer does n' t l i ke t o tal k about i t, Modafi n i l has
shown to have affect the i mmune system. I can
a l most guarantee that t hi s i s because the bra i n i s
not a l l owed t o enter t he sl eep-state responsi bl e
for repai ri ng t hi s system. I ' m fai rl y certai n t hat t he
manufacturer i s aware of t hi s as t hey have rel eased
a new and i mproved model cal l ed Nuvi gi l , but
t hat ' s for another day.
Pi racetam: A cycl i c deri vati ve of GABA, i t i s
shown t o i ncrease cogni t i ve funct i on and commu
ni cat i on between the two hemi spheres of t he
bra i n . I t i s al so t hought to i ncrease the number of
chol i nergi c receptors i n the bra i n . Th i s dr ug has
been prescr i bed i n cases of Al zhei mer ' s, ADD and
hypoxi a, f or whi ch i t has been seen as a di st i nct l y
benefi ci al treatment. Mi l d headache and i ncreased
appet i te can occur, as your bra i n is us i ng more
chol i ne and more gl ucose due t o a hi gher cerebral
metabol i c rate.
Neurogenex : A combi nat i on of bra i n enhance
ment dr ugs, Neurogenex i s desi gned for l onger-term
use t han drugs l i ke Modafi n i l . Most of the drugs i n
t hi s cocktai l ki ck i n i nstantl y, but some t ake aout
two weeks before showi ng any si gns. Wi del y used
among I vy League types, thi s medi cati on has s hown
remarkabl ( r(s ul ts and few si de effects.
As wi t h most dr ugs, you shou l d not combi ne
these wi t h a l cohol or certai n medi cat i ons. And
none shoul d be taken whi l e pregnant.
I wi l l focus on Modafi n i l and Pi racetam for
thi s arti cl e due to thei r popu l ar i ty and di sti nct
character i st i cs.
Whi l e research i ng t hese dr ugs, I was most
i ntri gued by Modafi n i l because of how wel l i t
works. I t l ets you stay awake. There i s no crash after
taki ng it for a peri od. Overdos i ng to a dangerous
l evel i s di ff i cul t . I t' s out of you r system i n about 1 5
hours. There have been s i mi l ar drugs i n the past
but they' ve a l l been severel y control l ed. Due to
the si de effects and toxi ci ty, they requ i red constant
vi gi l ance. Modafi n i l , however, was des i gned so
peopl e cou l d take i t on thei r own, safel y and, as an
al ter nati ve use, an enhancement. Dr ug compani es
wou l d l ove to see t hi s product become ava i l abl e
over the counter; however, there i s a bi t of skept i
ci s m due to the somewhat recent ephedr i ne fi asco,
whi ch i n my opi ni on never shoul d have gone as
far as i t di d. Common sense woul d tel l you that the
dr ug was bad for you r cardi ac system.
When I t r i ed Modafi n i l , I found mysel f i n a
cur i ous state of wakefu l ness. Cur i ous because it was
very mi l d and fel t more l i ke rej uvenati on after my
t i r i ng day at work. Upon test i ng by pl ayi ng a vi deo
game, I found my sel f more effecti ve i n game pl ay.
I had previ ousl y had troubl e gett i ng past a certai n
l evel i n the game. An hour after taki ng Modafi n i l , I
found mysel f gett i ng past that poi nt wi t h ease. I fel t
as i f I was reta i n i ng and us i ng i nformati on better
t han before. After I hi t another poi nt i n the game
where I kept dyi ng, I deci ded i t was ti me to go read
a book. I am qu i te proud of my l i brary; however, I
f i nd mysel f r ar el y abl e t o focus enough t o be abl e
t o read. Thi s probl em di dn' t even occu r to me as I
started f l i ppi ng t hrough my hardbound edi t i on of
Gray' s Anatomy.
I deci ded to research the further capabi l i ti es of
t hi s drug and try s l eepi ng onl y 8 hours every other
day. I fi gured out a dose t i mi ng pl an and went for i t.
Thi s proved very successfu l and I made a l ot of prog
ress i n my studi es and research dur i ng about three
weeks of t hi s pract i ce. The key, I found, is proper
n utri ti on. I requi red fou r meal s a day on non-s l eep
days. But throughout the enti re ordeal I was very
vi gi l ant and abl e to car ry out my dai l y duti es eas i l y.
The onl y annoyance was a s l i ght headache now
and then; t hi s went away when suppl emented wi t h
Chol i ne. Now, I woul d never recommend tryi ng
thi s for s uch a l ong peri od, as doi ng so wi l l most
defi n i tel y wreak chaos on you r system.
I then found Pi racetam ( al so known as Noot
ropi l ) , whi ch is fai r l y eas i l y avai l abl e for a l l
accounts a n d purposes and, from what I read, very
safe wi th a mi l d non-sti mul ant effect. I found t hi s
t o be qui te accurate. After a br i ef " l oadi ng phase" I
found my l ong and short-term memory i mprovi ng.
Long-l ost memor i es came back and new acquai n
tances' names were effortl ess t o remember. There
was a di sti nct i ncrease i n refl exi ve motor functi on
and even hear i ng. I can catch t hi ngs that others
knock over i n mi d-a i r, and have no troubl e maki ng
out l yr i cs of songs on the radi o. My overa l l atti tude
has i mproved as wel l .
As wi t h Modafi n i l , I wou l d suggest i ng suppl e
ment i ng Pi racetam wi th DMAE or Centrophe
noxi ne. My opi ni on of the two i s that Pi racetam
i s much safer and creates the res ul ts I 'm l ooki ng
f or perfectl y.
I di d not wr i te t hi s art i cl e as a "how-to gui de"
by any means. I t s houl d onl y serve as a means of
i nformi ng those otherwi se i gnorant of the new age
we are enter i ng-one where hi gher I Q comes i n
pi l l form, a n d refl exes l i ke J et L i ' s are sol d a t the
pharmacy.
Thank you for readi ng. I hope I have hel ped
answer some questi ons, but I hope even more that I
have hel ped you create many new quest i ons of your
own. Keep i n mi nd that you r bra i n is a preci ous
t hi ng. Sel f medi cat i on i s dangerous, especi al l y wi th
powerfu l cerebral drugs such as these. You cou l d
poss i bl y damage yoursel f severel y. Remember,
onl y a few neurons stand between a proper l y func
t i oni ng bra i n and t urn i ng yoursel f i nto a cactus.
"Brought t o you from the makers of sharp things. "
ShOlltOllts /O Port7Alliance, GeekLoveRadio, and
The DDP Keep freedom free.
Pa
g
e 50
2600 Ma
g
azine
Uy AnunymuuS L -1uwn MCkC|
A coupl e of years ago, I started a j ob worki ng
wi th a forensi cs software company. Thei r product
i s probabl y the best software on the market by
far, but the company j ust rel eased a new product
that has made me questi on whether I want to stay
in t hi s pos i ti on . Th i s software has the potent i al
t o al l ow Bi g Brother t o search our computers,
wi thout us knowi ng i t.
Al l ow me to expl ai n: I n the ol d days i f
someone di d someth i ng wrong, we woul d go out
and bl ack bag the computer, bri ng i t to a l al1, and
use a forensi c tool t o extract data fo a warrant.
Th i s techni qup i s sti l l used today by many compa
n i es. However, technol ogy now al l ows a forensi c
exami npr t o avoi d the need t o go t o the physi ca l
l ocati on. The exami ner can use tool s to go over
the I nternet to search for and retri eve a l l the data
for the warrant. Th i s i s bei ng done a l ot more, as
i t i s much more cost-effecti ve th i s way.
Now, a forensi cs exami ner has the abi l i ty to
put a pi ece of code ( PaC) on every computer
i n a gi ven company and to extract data from
a l l suspects i n questi on at one t i me. I f you have
1 0, 000 computers and you are l ooki ng to see how
someone l eaked the Q3 data earl y, no probl em:
n i ne cl i cks of a button, and you ' re done.
Al most every Fortune 1 000 company i s ei ther
us i ng or th i nki ng about us i ng thi s tool . Try to
tel net to port 4445 of your workstati on and see i f
you connect t o anyth i ng. Thi s i s the defaul t port,
but the company can change it to anyth i ng they
want. I f you connect, then there i s noth i ng on
the computer that you can do wh i ch I can' t tel l
o r show you at a l ater t i me. The defaul t process
name i s COG tart . C7C, but th i s can be hi dden
or renamed.
Th i s software i s unreal .
Muw duCS l wu|k
Essenti a l l y, the pac runs as a root ki t on
every workstati on and server. The forens i c tool
connects to the pac wi th a CUI , secured wi th
PKI PCP authenti cat i on. The forensi c pac runs
underneath the operat i ng system, so you can
l ook i nto anyth i ng the as i s doi ng. Al so, because
it is not OS-dependent, h i dden di rectori es,
embedded code, changed fi l es or even other
the abi l i ty to see vol at i l e memory, whi ch means
t hat processes, current users, and network ports
can a l l be seen i n rea l ti me. If you are run n i ng a
troj an i n memory, then it wi l l be found. If you are
usi ng netG or bi frost, it wi l l be found.
Wl CSC Cn ldu
Beca use the POC i s u nderneath the OS, i t
has the abi l i ty to act on a l l 1 0, 000 computers
at once. I t can wi pe sectors, k i l l processes, and
cI ose ports.
There i s al so a pl ugi n for I DS systems to make
i t easi er to wepd out fa l se posi ti ves. If a server i s
bei ng hi t wi t h an attack, the I DS can tel l the tool
to go to the computer in questi on and t o col l ect
evi dence on whatever i s happeni ng.
I t can l ook at a computer, compare it to
a previ ous search, and see if anyth i ng has
changed.
Wl' S lC U gdC
I magi ne what coul d happen i f t he govern
ment put th i s pac on every new computer to
come out i n 2008. Every government agency i s
al ready us i ng t hi s software. Another i ssue wou l d
be i f someone fi gures ou t how to use the pac
on these computers. Hel l o, u n l i mi ted power !
I magi ne havi ng ful l access t o every server, work
stati on, and l aptop i n a Fortune 50 company.
Al though t hi s company has been very good
to me, I feel i t i s not ri ght that such knowl edge
and knowl edge i s power- i s gi ven to watch over
us. You are now aware of the tool s bei ng used to
see you .
Muw du Slu lC luu u| mkC l fdC|
u|lC luu lu SCC wl m du ug
Si mpl e secur i ty measures can be taken, for
exampl e:
Fu l l di s k encrypti on i s a great start, but
you r company pol i cy may prohi bi t th i s.
Look i nto the U3 encrypted dri ve.
Consi der VMware wi th encrypti on,
putt i ng / boot on USB.
I nvesti gate bootabl e CD' s wi t h encrypted
USB.
Learn new ant i -forensi cs techni ques and
tool s, s uch as Sam Spade and touch.
rootki ts wi l l be detected i nstant l y. I t al so has I hope t hi s wi l l hel p educate you.
\. Winter 2007-2008 PaJe 51
What does a guy have to do to
not get noticed around here?
a si ngl e number, i t was sti l l poss i bl e track
down someone i n t he real wor l d.
The second ghost, t hat of pr i vacy
You are no l onger a shadowy fi gu re
present, shows us what can happen when
on t he I nternet. A
dynami c I P wi l l not
compani es s hare data. Mon i tor i ng t he
i ncrease your myst i que. Your nested
brows i ng habi ts of mi l l i ons of users i s
anonymi ty rout i ng system wi l l not h i de
t r i vi al when those users vol u nteer t hei r
who you real l y are. The I nter net Santa
i nfor mat i on, l i kes, di s l i kes, and fr i ends.
Cl aus knows i f you ' ve been Googl i ng
Soci al networks have often been consi d
for naughty or ni ce, and he knows you
ered a major pr i vacy r i s k, but t he r i s ks are
haven' t been s l eepi ng at 3 am. I nternet
di rect l y t i ed to the i nformati on that the
Santa i s comi ng to you r town to make
user i s wi l l i ng to s hare. I n November 2007,
s ure you ' ve seen every poss i bl e advert i se-
Facebook partnered wi t h several compa
ment for the l atest TV show, gadget, or
n i es to s hare behavi or and purchas i ng
method for en l argi ng you r nether regi ons
data from ot her s i tes. The " Beacon" feature
for t he hol i day season, and Santa needs
l i n ks a user's Facebook i dent i ty wi th thei r
t o get pai d.
behavi or on other si tes by a l l owi ng access
There are hundreds or t housands of
to the Facebook i nfor mat i on.
bi ts of i nfor mat i on about where you
Mu l t i pl e commerci al s i tes, such as
are, what you buy, and what ads you ' ve
Overstock, Fandango, and The New Yor k
watched ( and what ones you ' ve ski pped) ,
Ti mes revi ew s i tes l i n k to t he Beacon
what books you read, what search terms
system and aggregate purchase i nforma
you l ook for, and what sort of ema i l you
t i on wi t h a user profi l e. The most publ i c
get. Each pi ece of i nfor mat i on i s of l i mi ted
outcry is due to t hi s i nfor mat i on bei ng
va l ue unt i l someone l i n ks t hem together
di s pl ayed to other user s vi ewi ng the Face
sudden l y the di sparate fragments of
book entry, but no matter how (or not) the
your behavi or become a s i ngl e record
i nformati on i s di spl ayed, the behavi or has
set reveal i ng mor e about you r habi ts and
been recorded and correl ated.
i nterests t han you mi ght th i n k ( or want) .
The bi ggest pr i vacy i nvader of modern
The fi rst ghost, that of pr i vacy past,
systems is the web browser. Browsers
takes us back to 2006 when AOL rel eased
are l arge, compl ex pi eces of code whi ch
a l arge database of anonymi zed search
handl e u nt r usted ( and frequent l y hosti l e)
dat a for publ i c research : wi th i n days,
data fr om anonymous networ k sources .
several groups had associ ated the search
Excl udi ng vul nerabi l i t i es and expl oi ts to
terms of t he users to bu i l d profi l es of users,
the browser code i tsel f, modern s i tes are
even mu l t i pl e users of t he same system,
attempt i ng t o t ur n a statel ess u naut hen
and i n some cases i t was enough to track
t i cated system i nto a statefu l , strongl y
down i ndi vi dual s t o rea l -wor l d names and
aut hent i cated system to refer to dynami c
addresses. Despi te qu i ckl y rea l i zi ng thei r
data. Brows i ng l eaves a conti nual detr i t us
er r or and removi ng t he search data, i t had
of cooki es and sess i on dat a l i n ki ng who
obvi ous l y spread too far to conta i n and i s
you were wi th where you are now. The
sti l l ava i l abl e. Let's l ook at t hi s aga i n : After
browser is a constant across changi ng I P
removi ng a l l user- i dent i fi abl e i nfor mat i on
addresses: Who you wer e t he l ast t i me i s
from t he l ogs and hashi ng users down t o
who you are now, regardl ess of how you
P1e 52 2600 Magazine
got there.
Our greatest conveni ence i s our
greatest downfa l l , as i s often t he case
wi th secur i ty. " Remember me" i s the
most i nnocuous and obvi ous of the
r i sks - ad servi ces each pl ace a tracki ng
cooki e whi ch can moni tor you r move
ment across mu l t i pl e websi tes . The most
obvi ous, but by no means the onl y one, i s
Coogl e Anal yt i cs. Coogl e ach i eved deep
penetrati on by i ncl udi ng useful , free,
and (to the average user) non-obtr usi ve
tool s . Websi te mai nta i ners i ncl ude a bi t
of j avascr i pt, and get a weal th of useful
i nfor mat i on about vi s i tors. Esti mates of
coverage are hard to fi nd, but it is perva
s i ve. The downsi de? Every s i te whi ch
contai ns an Anal yt i cs entry updates the
bread crumb tra i l , bu i l di ng a model of
who you are and where you go. Pr i vacy
networks such as Tor can protect traffi c
and or i gi n, but can ' t prevent an appl i ca
ti on on you r system happi l y updati ng the
bread cr umb tra i l .
Sure, the maj or i ty of t hese servi ces are
anonymi zed so that no di rect l y i dent i fi
abl e i nformati on i s ret urned. However,
a l ook to t he past shows that obfuscated
i nfor mat i on may not be enough to prevent
i dent i fyi ng i nfor mat i on from l eaki ng, and
t he servi ces you use may be acti vel y
worki ng aga i nst you r pr i vacy i nterests:
Provi di ng advert i s i ng data i s a l ucrat i ve
bus i ness model .
F i nal l y we come to the specter of
pr i vacy fut ure, t radi t i onal l y t he most
fri ghten i ng of the t r i o and i n th i s story
no l ess so. " So what, " you may ask, " I
don ' t care i f t hey want t o send me ads,
I bl ock popups, and what ' s wrong wi th
gett i ng ads for products I mi ght actua l l y
care about ? " Absol utel y noth i ng. B ut once
that data model i ng you r behavi or, i ncl i
nat i ons, and opi n i ons exi sts, i t i s t here
forever, s i mpl y a subpoena away from t he
next wi tch h u nt for whatever are consi d
er ed the l atest unpatri oti c acti vi ti es .
I n 2006, t he u. S. gover nment l au nched
a subpoena process for search data from
t he maj or search provi ders: Coogl e,
Yahoo, AOL, and Mi crosoft. Of the fou r,
onl y Coogl e fought t he request. Wh i l e the
request was onl y for search terms, wi th
absol utel y no user- i dent i fyi ng i nfor ma
t i on (even t he one-way hash AOL used t o
l i n k quer i es by t he same user i n t he previ
ousl y rel eased data) , i t shows t hat the
courts are aware of the avai l abi l i ty of t hi s
i nformati on.
I n J une 2 007, federal prosecutors
attempted to force Amazon to di s cl ose
customers who had purchased books
from a speci fi c sel l er. The case centered
around tax evas i on on the part of t he
sel l er, however i t served as an addi t i onal
harbi nger of attempts t o use on l i ne tracki ng
data wel l beyond the presentati on of
adverti sements, and t he j udge who r ul ed
i n favor of Amazon i n November agreed,
cal l i ng i t "troubl i ng because i t permi ts
the gover nment to peek i nto t he readi ng
habi ts of speci fi c i ndi vi dual s wi t hout thei r
pr i or knowl edge or permi ssi on . "
How do we prevent t hi s future from
happen i ng to us ? Unfortunatel y i t ' s not
goi ng to be as easy as buyi ng t he bi ggest
turkey i n the store wi ndow ( and t hat ' s
where I ' l l end t he hol i day metaphor s) .
Browsers have begun t o add pr i vacy
enhanci ng features: Fi refox can auto
mati ca l l y cl ear the cooki es, cache, and
brows i ng h i story on exi t, for exampl e.
However, these measu res won ' t hel p
agai nst tracki ng wi th i n a s i ngl e browser
sess i on, and a s i gni fi cant model of
behavi or can sti l l be bui l t . Di sabl i ng a l l
tracki ng functi onal i ty i n the browser by
turni ng off cooki es, j avascr i pt, j ava, and
f l as h wi l l prevent tracki ng by anyth i ng but
I P address and HTTP referrers, but wi l l
render many s i tes u nusabl e. Some mi ti ga
t i on can al so be found by us i ng tool s such
as Creasemonkey or Adbl ock to fi l ter the
URLs whi ch provi de the tracki ng i nforma
ti on: www. googl e-anal yt i cs. com and ss l .
googl e-anal yt i cs. com are eas i l y bl ocked,
but affect onl y tracki ng by Anal yt i cs and
not other s i tes.
There i s l i kel y no si l ver bul l et bes i des
vi gi l ance: Be voca l , hol d the servi ces
whi ch hol d your personal i nfor mat i on to
the commi tments i n thei r pr i vacy agree
ments, and avoi d dea l i ng wi t h those who
don ' t or who have poor pr i vacy pol i ci es.
Opt out of i nfor mat i on s har i ng whenever
poss i bl e, and compl ai n when i t i s n ' t made
poss i bl e.
Happy brows i ng t o al l , and t o a l l a
good ni ght .
'
Winter 2007-2008 Pa1e 53
by Gauss VanSant
I recentl y stayed at the Cl ari on Hotel i n
Al bany, whi ch offers free h i gh-speed I nternet to i ts
guests. Dur i ng my stay, I oeci oed to poke around
on hotel ' s network. I had hear o horror stori es
about hotel networks ano wanteo to see i f they
were accurate.
The hotel contai neo three di fferent wi rel ess
networks that I cou l d i dentify. The fi rst network
used the SSI D "Cl ari onl nn" . I t was unsecured
and broaocast i ng its SSI D. I connecteo to the
network and was i mmedi atel y di sappoi nteo wi th
the network speed; i f thi s was the hotel ' s "hi gh
speed I nternet," then the advert i sers deserved to
be drawn and quartered.
I ran the standard L i nksys router secur i ty test:
browse to 1 '2 . 1 68 . 1 . 1 ann enter the defaul t
passworos for the router. I f can ' t be bothereo to
l ook the defaul t up, don ' t have i t memori zed,
and happen to be l ousy at gupssi ng, try user
name: admi n, password: admi n . The connecti on
fai l eo wi thout di spl ayi ng a password prompt,
so I assumed that the router had been set up to
di sabl e wi rel ess admi ni strati ve access, but j ust to
be sure I checked my computer' s I P confi gura
ti on. Surpri se surpr i se, 1 '2 . 1 68. 1 . 1 was not my
oefaul t gateway, and as i t turned out, whatever
I hao connected to was not even us i ng a pr ivate
IP address. In retrospect, the devi ce was prob
abl y a wi rel ess modem/router combi nati on, but
after a ni ne-hour dri ve, th i s di on' t occur to me,
so I si mpl y retri ed the " Li nksys for Dummi es" test,
watched i t fa i I, and passed out.
The next morn i ng, I wandered over to the
hotel ' s publ i c computer l ab. Th i s consi steo of two
computers, one r unni ng Wi ndows XP, the other
runni ng Wi noows Vi sta. I sat oown at the XP box,
whi ch was a l ready l oggeo i n, ano di o a bi t of
i ol e web brows i ng. Onl y a bi t, though; I qu i ckl y
di scovereo that HTTPS was bei ng bl ocked,
al though strai ght HTTP worked fi ne. At fi rst, I
thought that t hi s mi ght be an overl y paranoi d fi re
wal l confi gurati on, but the nei ghbori ng Vi sta box
worked perfect l y wel l .
I l ooked arouno the i nstal l ed programs l i st,
thi nki ng I mi
g
ht fi nd some sort of chi ldproofi ng
fi l ter i nsta l l ed, but i nstead I found good reasons
for the hotel to l ock down network ports. One
t hi ng Vi sta has ri ght, and the t hi ng whi ch prob
abl y saved that box, i s that i t requi res a pass
woro to i nsta l l any si gn i fi cant software. On the
XP machi ne, I fou nd Wor l d of Warcraft, Second
Li fe, and, my oh my, Fami l y Key Logger. Wel l , that
can ' t be good, can i t?
I starteo up the keystroke l ogger and saw i t
pu l l u
p
an i con i n the Qui ck Launch bar, whi ch
i ncl uded an opti on to vi ew the keystroke l og.
Wel l , what woul d you do? I n addi ti on to some test
text I entered to see i f the program was worki ng,
I oi scovered some l engthy chat transcri pts from
a program l i sted as Mai l . ru, whi ch turned out to
be a Russi an l anguage chat cl i ent. I al so found a
username and password for a Ci t i bank Austra l i a
account, a n d some e-mai l transcri pts from the
same user. Oh, hel l .
Putt i ng asi de that moral di l emma (vacati on
i n Honol ul u, anyone?) , I l ooked around t o see
why the hotel computers seemed to get such a
fast network s
p
eed whi l e mi ne was so l ousy. As
i t turned out, the hotel ' s second wi rel ess network
was not broadcast i ng i ts SSI D, "QUALI TY",
thou
g
h it otherwi se appeared to be j ust as unse
cured as the Cl ari onl nn network. I heaoed back to
my room to l og i n.
Hi gh-speed I nternet, ri ght? No. I cou l dn' t
connect t o QUALI TY and cou l dn' t fi gure out
why, so I deci ded that the hotel had set up MAC
fi l teri ng on the router. Th i s may not seem l ogi cal
at fi rst gl ance; after al l , the hot el cl earl y hadn' t
bothered wi th any other secur i ty. But i t di d make
some sense when I di scovered a note that hotel
customers cou l d come to the front desk to pi ck up
a wi rel ess card for the hotel network.
Here' s how not to hand out a $60 pi ece of
computer equi pment: Do not ask for i denti fi ca
ti on. Do not ask the person what room he or she
i s stayi ng i n. Do not ask the person to si gn hi s
or her name. Do not wri te down any i denti fyi ng
i nformat i on about t he devi ce. I n fact, do not do
anyth i n
g
that woul d prevent anyone from wal ki ng
out of te l obby and pawni ng off hal f of your
network i nfrastructure.
So I pi cked up a caro and tri eo i t out. Now
I cou l d connect to the QUALI TY network, but
my s i gna l strength was mi serabl e: 1 'X, at best,
and none at a l l i f I moved in the wrong di rec
t i on. Si nce the Cl ari on I nn network had a much
stronger si gnal , I guessed that the card was a dud
and spoofed i t s MAC address on my own wi rel ess
devi ce. Sti l l no j oy. Eventual l y, I tri ed connect i ng
from the hotel ' s computer room, whi ch, i t turned
out, worked even wi thout the MAC spoofi ng.
Go fi gure: I ' d gi ven the hotel credi t for i mpl e
ment i ng a basi c securi ty measure when, i n fact,
they s i mpl y di dn' t have proper si gnal coverage for
thei r h i gh-speed network. I wou l d understand i f
i t were i ntended to be used by the hotel systems
onl y, but the desk person who gave me (er, l et me
borrow) the wi rel ess card speci fi cal l y tol d me to
connect to the QUALI TY network. So, i f guests
were supposed to be usi ng i t, why was n' t i t broad
cast i n
g
an SSI D?
I bel i eve I menti oned fi ndi ng three wi re
l ess networks earl i er. The thi rd was a near-exact
copy of the Cl ari on I nn network, Cl ari onl nn1 or
somet hi ng l i ke that. I ts si gnal was so weak t hat
I never bothered to pl ay wi th i t; presumabl y, i t
PJe 54
2600 Ma
g
azine
.
was coveri ng t he ot her end of the hotel . At t hi s
poi nt, I deci ded t hat the hotel nptwnrks werpn' t
worth poki ng at , shor t of l oc<lt i ng the h,ldware
,md pl uggi ng i n an Ethernet cabl e, and I was n' t
about t o do that wi t hout a spotter.
I headed back to the hotel computers and
checked i n on the XP mach i ne. By t hi s poi nt,
someone had l ogged out of the guest account,
k i l l i ng the keystroke l ogger, whi ch ra i ses the ques
ti on of what poi nt there i s in a keystroke
,
l ogger
that a fi ve-year-ol d who understands the concept
of ri ght-cl i ck cou l d di sabl e. But I di gress. I l ogged
back i nto the account and got t hi s pl easant
message for my troubl es:
"Dear Hotel
Your secur i
'
ty is awfu l . You ' re j ust l ucky I was
too l azy to break i nto your admi n account. "
I ' m paraphrasi ng, but honestl y i t wasn ' t much
more i ntel l i gent tha n that, poppi ng up i n a DOS
wi ndow on l ogi n . The amusi ng part was that
when I sat down at the computer, the admi n i s
trator account had been left l ogged i n, and pretty
much anyone wi th a fi nger cou l d have s i mpl y
cl i cked thei r way i nto i t. Presumabl y t he "1 33t
haxOr" had actual l y broken i nto t he box over the
network. Yet another reason to avoi d the box I i ke
the pl ague, but the box was turn i ng i nto an oni on
for me: tasty and l ots of l ayers, but peel i ng them
back made me want to cry.
Vi ewi ng h i dden fi l es and fol ders turned up
a Remote Desktop program i n the Documents
fol dpr; if t hi s was n' t a back door that t he scr i pt
ki ddi e had set up, t hen i t probabl y was the t hi ng
whi ch l et h i m i n to t he system. I al so turned up
<other key l oggi ng program, Perfect I<eyl ogger.
Th i s one was a bi t steal t hi er t han the other one,
i n that i t di dn' t pop i n the Al l Programs menu
waggi ng i ts ta i l and smi l i ng. I suppose I cou l d
have l ooked for some l ogs for t hi s program as
wel l , but at that poi nt the box ' s vi rus scanner
pi nged me about a new pi ece of mal ware that
was busy i nsta l l i ng i tsel f, and I fel t a strong urge
for an ant i sept i c and some sl eep.
The next morni ng was checkout ti me, and i t
was onl y wi th a great effort of wi l l t hat I di dn' t
grab pass i ng staff by t he col l ar and start screami ng
about l east pri vi l ege. Returni ng the wi rel ess card
i nvol ved no more checki ng than acqui ri ng the
th i ng had; i n fact, I sti l l have a dr i ver di sc for i t
that I real l y ought to th i nk about mai l i n
g
back.
The moral of the story? Don ' t touch a hotel
computer. If you must touch a hotel computer,
and you have the opti on, pi ck Vi sta over XP,
because a bl i nd stab at secur i ty is better than
noth i ng. And, no matter how i mportant you th i nk
i t i s, do not l og i nto anyth i ng of val ue. SSL i s no
defense agai nst a keystroke l ogger, and for a l l I
know that poor Austral i an' s bank account i s st i l l
out i n the open .

di ng Your Own
Secur
Proxy
0y S f
S fPCfCC[u nl.nCl
bei ng l ogged, any attempt to ci rcumvent these
restri cti ons must be di sgui sed as val i d network
traffi c. Si nce ssh and scp must remai n open for
Shows of power are very common i n the val i d busi ness use, I have devi sed a method
busi ness wor l d when a new executi ve takes whereby I may conti n ue to use Thu nderbi rd to
power. The reasoni ng, I have been tol d, is to send my personal ema i l from work but use ssh
make a powerfu l fi rst i mpress i on that you are the and scp to proxy the outgoi ng messages through
bi g, bad new boss. a personal shel l account. Th i s has the excel l ent
Recentl y, the CEO of the sma l l software added benefi t of encrypti ng my outgoi ng mai l ,
company I work for was repl aced. After several h i di ng it from corporate snoops.
weeks, the new CEO began to wi el d the ax. The method I use cons i sts of four parts:
At fi rst, a few fri nge benefi ts such as catered 1 . A custom SMTP server r uns on my l ocal
meet i ngs and per i odi c team gather i ngs at the mach i ne on some arbi trary port. To
l ocal pub were gone. Next came the restr i cti ons make detecti on s l i ght l y more di ffi cu l t, I
on i nternet use. I nternet traffi c is now l ogged and do not us e t he defaul t SMTP port of 2 5 .
fi l tered. AOL 1 M traffi c i s now routed through a As of t hi s wri t i ng, there are no i n-house
proxy and l ogged. And, cl osest to my heart, SMTP port scans. Management does actual l y
restri cti ons are now i n pl ace; a l l outgoi ng mai l rea l i ze that devel opers wr i t i ng network
must now be sent t hrough the company' s SMTP code often have works- i n-progress
server where, of course, i t i s l ogged. Unt i l th i s run n i ng on mul t i pl e h i gh numbered
poi nt, I had been happi l y accessi ng and sendi ng ports.
my personal e-mai l wi th Thu nderbi rd and my 2. The custom SMTP server wi l l accept
personal I MAP and SMTP servers. Webmai l messages l i ke a normal SMTP server.
servi ces such as Gmai l are out of the quest i on as The message i s then copi ed wi th scp to a
al ternati ves, as these si tes are now bl ocked and di rectory on a mach i ne on whi ch I have
HTTP requests for these si tes are now l ogged. remote shel l access.
Furthermore, s i nce a l l network traffi c i s now 3. A cron j ob runs every mi n ute to pol l
\. Winter 2007-2008
Pe 55
the message di rectory and send the
messages to thei r dest i nat i ons.
4. After each message i s sent, i t i s moved to
an arch i ve di rectory.
After I had a rough outl i ne of my approach i n
my head, I deci ded t o actual l y i mpl ement t he i dea
us i ng the Python programmi ng l anguage. I made
thi s choi ce because I have found that Python ' s
compact a n d powerful l anguage constructs often
make codi ng go faster t han it woul d wi th other
l anguages. Al so, there are many readybu i l t
APl s avai l abl e. I was certai n that I cou l d eas i l y
fi nd code whi ch wou l d handl e t he s s h and scp
as wel l as the eventual SMTP connect i on. The
onl y code I woul d have to wri te woul d be to
gl ue together ready made pi eces. In t hi s regard,
Python certai n l y met my expectat i ons. The code
whi ch I wrote i s a good exampl e of code re use
and the power of Pyt hon.
To begi n, the i nsta l l fol l owi ng nonstandard
python modul es: pyDNS ( http : / /pydns .
-source forge . net/ ) , smtps. py ( http : / I
-www . hare . demon . co . uk/ smtps . py). and
pexpect (http : / /pexpect . sourceforge .
-net I ) . Obvi ousl y, you wi l l need a shel l account
on a mach i ne somepl ace t hat has an ssh daemon
run n i ng. Al so, i t i s assumed that you have the
ssh and scp command l i ne tool s i nstal l ed on
your l ocal system and i n your path . One secur i ty
note: for the ssh and scp commands, you wi l l
ei ther need to put your password i n the scr i pt
O use ssh keys. I n the i ncl uded code, I embed
my password i n the scri pt. I f you do t hi s, you
must chmod your scr i pt to be 0700, so no other
users of your system can read your password. I
bel i eve that t hi s is j ust as good securi ty as the use
of ssh keys. I f someone got root on your system,
then they woul d be abl e to use your ssh key t o
l ogi n to your remote server j ust as eas i l y as us i ng
your password. Us e whi chever you are most
comfortabl e wi t h.
After you have i nstal l ed the prerequi s i te
modul es, the SMTP proxy consi sts of two
programs. SMTPLocalServi ce . py is to be
run l ocal l y. I run t hi s on the same machi ne I am
run n i ng Thunderbi rd on. SMTPLocal Service .
-py r uns vi a cron on the remote host.
For the sake of s i mpl i ci ty, I j ust start the scr i pt
SMTPLocal Servi ce. py from the command l i ne as
fol l ows:
python SMTPLocalServi ce . py 1 2 3 4
I n t h i s exampl e, I set t h e port t o be 1 2 34. Of
course, you may choose any port you wi sh.
SMTPRemoteService . py i s set up vi a
crontab. Here i s how i t l ooks i n my cr on fi l e
/usr/local/bin/python /home/
-sai l O r/ smtp out / SMTPRemoteService . py
Note t hat t hi s j ust r uns every mi nute of every
hour of every day. Agai n, how often t hi s r uns i s
up t o your di scret i on.
F i nal l y, you must tel l Thu nderbi rd about your
new SMTP server. Go t o t he Tool s menu and sel ect
"Accou nt Sett i ngs . . . " . From the menu on the l eft
hand si de of the wi ndow, choose "Outgoi ng
Server ( SMTP) ". Sel ect t he "Add . . . " button. Now,
s i mpl y enter the name of t he machi ne run n i ng
SMTPLocal Service . py and the port that you
have chosen. Set thi s as your defaul t SMTP server,
and now you wi l l be abl e to send outgoi ng safe,
secure outgoi ng mai l , free from pryi ng eyes !
Pl ease be aware that I make no cl ai m that t hi s
i s bul l etproof code. Astute readers wi l l noti ce
that mai l i s now bei ng sent asynchronousl y.
Fai l u res i n SMTPLocalService . py usual l y,
but not al ways, cause an error to be propagated
back to Thu nderbi r d. Fai l u res i n sendi ng the
mai l from your shel l host wi l l need to be
debugged from the server by manual l y run n i ng
SMTPRemoteService . py.
I n thi s art i cl e, I excl usi vel y use Thunderbi rd
as an exampl e, but t hi s shou l d work j ust as easi l y
wi t h a n y ema i l cl i ent ass umi ng you confi gure
the SMTP sett i ngs correct l y. These scri pts were
devel oped on Un i x; however, they wi l l eas i l y
work wi th onl y s l i ght modi fi cati on wi th Pyt hon
on Wi ndows.
Anyone wi th further quest i ons or comments
may contact me i n #2 600 on the 2 600 I RC
network, vi a I CQ 49059002 6, or at sai l Or@
creepj oi nt . net.
The scripts mentioned in this article can be
downloaded from the 2600 Code Repository
at http: //www. 2600. comicode/

Z E R O - K N O W L E D G E
I N T R U S I O N
Uy s. dgu|ny
Th i s art i cl e i s about evasi on of i ntrusi on
detecti on systems: whoever moni tors acti vi ti es
on the target network shoul d have zero knowl
edge about these acti vi ti es. Before cont i nui ng, I
must warn that unaut hori zed access to i nforma
ti on systems i s cr i me i n most countri es. The poi nt
of t hi s wri teup i s awareness of t he poss i bi l i ti es,
whi ch wi l l hel p protecti ng i nfrastructure.
Zero-knowl edge i ntrusi on i s based on two
pr i nci pl es: perform onl y passi ve reconnai ssance,
and do not ever generate traffi c that i s not gener
ated by l egi ti mate c l i ents on the network. I ntru
si on detecti on systems are based on anoma l y
detecti on. You j ust don ' t create anomal i es.
LAN - - - - Hub - - - - Vi c t im
I _ _ Agent
Why thi s i s better that j ust l ocat i ng an avai l
abl e port or di sconnect i ng t he vi ct i m system?
Because i t does n' t create anomal i es: there ar e no
new connecti ons to the port on the LAN swi tch,
and onl y temporary di sconnect i ons of exi st i ng
systems. As such, al arms probabl y won ' t be
rai sed. Of course, you need to power the i ntru
si on agent usi ng some ki nd of power source, and
h i de it-but modern offi ce bu i l di ngs seem to be
desi gned for j ust that. Audi ts of power-cons umi ng
devi ces are unheard of. Enter i ng the bu i l di ng i s
beyond t he scope of t hi s art i cl e; I refer you to
Hol l ywood movi es for i deas.
A very i mportant aspect i s remote control of
t he i ntrusi on agent. My preferred way i s to use
mobi l e data servi ces avai l abl e on commerci al
GSM and CDMA networks. Thi s i s better than
Wi - Fi because compan i es somet i mes empl oy
speci al i zed "wi rel ess" i ntrusi on detecti on
systems whi ch focus on detect i ng t he presence
of al i en Wi - Fi devi ces on premi ses. There i s al so
the abi l i ty to control the agent from pretty much
anywhere i n the wor l d. A di al - i n I P connecti on
to the agent i s one opti on. A better approach i s to
connect the agent to an i ntermedi ary server and
go t hrough that.
Start the reconnai ssance wi thout us i ng an
I P address. Make sure you don ' t assi gn an I P
address and don ' t start a DHCP c l i ent o n your
Ethernet i nterface; use " i f config ethO up"
to acti vate the i nterface. Th i s i s suffi ci ent for
run n i ng tcpdump or another traffi c sni ffer. You
have to capture traffi c for a few days and anal yze
t he resu l ts. The i nformati on you ' re l ooki ng at
i ncl udes, but i s n' t l i mi ted to, DHCP and DNS
confi gurat i on, Wi ndows i nfrastructure ( such as
names, doma i n control l ers' l ocat i ons) , messagi ng
i nfrastructure detai l s, software di str i but i on and
acti ve network mon i tor i ng tool s . Al l t raffi c of t he
vi cti m system wi l l be avai l abl e for s ni ffi ng, whi ch
hel ps great l y: on a stand- al one port, onl y broad
cast-type i n formati on wou l d be avai l abl e.
The second stage of zero-knowl edge i ntrusi on
i nvol ves I P connecti vi ty and generat i ng network
traffi c. Tbe way we connect to tbe vi cti m network
al so bel ps bere: i t a l l ows connect i ng to the I P
network even i f 802 . 1 x port securi ty or another
endpoi nt secur i ty mechan i sm i s used. The i ntru
si on agent wi l l have to have the same MAC
address for the LAN connecti on as the vi cti m host
and have netfi l ter confi gured to deny a l l i nbound
connecti ons. See 1 1 1 for further detai l s .
Cl oni ng i s a powerfu l techni que and an i mpor
tant part of zero-knowl edge i ntrusi ons. There' s
an i nterest i ng appl i cat i on for i t wh i ch a l l ows
connect i ng to secured wi rel ess networks. Let ' s
say t he target organi zat i on depl oyed a WLAN
accordi ng to Mi crosoft ' s secure WLAN depl oy
ment gui del i nes, usi ng ei ther PEAP and pass
words or EAP-TLS and certi fi cates for aut henti ca
ti on (see 1 2al and 1 2 b[ ) . El ements of t he sol ut i ons
i ncl ude dual computer/user aut hent i cat i on, a
RADI US server wi th a TLS certi fi cate, and strong
traffi c encrypti on wi th dynami c r;mdom keys.
These components are a l l very secure-unl ess
you can cl one an aut hori zed cl i ent system. Onl y
opportun i st i c i ntruders steal documents and art i
facts; those wi t h a pl an and determi nati on make
copi es. Si nce the system t hat has been cl oned i s
not stol en, al ar ms are not rai sed. Take a Wi ndows
l aptop system i mage, i nsta l l i t on another l aptop,
change the l oca l admi n i strator password, change
the AuthMode regi stry val ue ( under HKLM\ Soft
ware \ Mi c rosoft \ EAPOL \ Pa ra meters \ Cenera l \
Gl oba l \ ) to 2 , and reboot. Now the computer
wi l l authenti cate wi th i ts own credenti a l s, ei t her
password or certi fi cate, and you are connected
to the secure WLAN. That is another way of
connect i ng the i ntrusi on agent wi thout physi cal
i ntrusi on or presence.
Now, when you have I P connecti vi ty, the
rul e i s not to use any type of network connec
t i on that is not used by l egi ti mate c l i ents, as seen
i n the i nformati on col l ected dur i ng the fi rst stage
of i ntrusi on. Th i s i s very i mportant. There are
many "eth i cal hacki ng" courses, and they pretty
much a l l suggest usi ng tool s l i ke n map (see
1 31 )
for network mappi ng. Don ' t-not even wi t h the
\ Winter 2007-2008 P1e 57
paranoi d t i mi ng opt i on. The rat i onal e is s i mpl e:
i f you r un "nmap - T Pranoi d host. i nternal .
exampl e. com" then some unus ual connecti ons
wi l l be attempted. Unusual i s suspi ci ous. I ntru
si on detecti on systems may be confi gured wi th
a rul e that echo servi ce ( on ports 7/tcp and 71
udp) i s not to be used anywhere on the network.
The nmap r un wi l l tri gger the al arm wi th a
si ngl e packet. However, Net BI OS over TCP/I P i s
consi dered nor mal on most networks, so you can
sweep subnets usi ng tool s l i ke NBTScan (see 1 4] )
wi thout tri gger i ng al arms, because connecti ons
on 1 3 7/udp are "good. "
I n the end, you have a system that i s
connected to the network and knowl edge about
the normal behavi or of network c l i ents. Thi s
provi des an i deal base for an acti ve attack. The
zero- knowl edge status wi l l end at some stage.
But by l i mi t i ng the attack to the use of i nfor
mati on obtai ned usi ng soci al engi neeri ng el se
where, the wi ndow of opportu ni ty for attack can
UybCully lZgC| d
be greatl y extended wi t h speci fi c weaknesses
the network i n quest i on and zero-day expl oi ts
agai nst protocol s that exi st on the i nfrastructure.
Shouts out to the Coffee Company of Balaclava,
hello to ES, and good luck to the P&A squad.
WCU KCC|CnCCS
[ 1 1 ett i ng Around 802 . 1 x Port-based Network
Access Control Through Physi cal I nsecuri ty ( http : / /
"s l . mvps . org/docs / 8 0 2dot lx . htm)
[ 2al Secur i ng Wi rel ess LANs wi th PEAP and Pss
words (http : / /www . microsoft . com/ technet/
"s e c u r i t y/ gu i danc e / c ryp t ographye t c /
"peap ! . mspx)
[ 2b] Secur i ng Wi rel ess LANs wi th Certi fi cate
Servi ces (http : / /www . microsoft . com/ technet /
"securi ty/ prodtech/ wi ndows s e rver2 0 0 3 /
"pki wire/ sw1an . mspx)
[31 Nmap - Free Securi ty Scanner For Network
Expl orati on Securi ty Audi ts ( http : / / insecure .
"org/nmap)
[41 NBTScan. Net BI OS Name Network Scanner
( ht t p : / / www . i n e t c a t . n e t / s o f t wa r e /
"nbtscan . htm1)
state. At the same t i me that I was prepari ng for
thi s tri p, whi ch i ncluded my planni ng to take
Disclaimers: Al standard disclaimers apply my laptop for offli ne computi ng needs as my
especially ones about reading manuals before relati ve does not have net access, I reali zed
trying, backing up data and using a box without that Veri zon mi ght need me to have a Wi ndows
important info on it before trying anything in part i t i on set up for a di stant but upcomi ng f i ber
this article. Mileage may vary. conversi on. I really am not fond of Wi ndows
Thi s arti cle is about how to use a few Li nux/ and don' t use i t, but apparently Verizon has
Uni x command li nes to be able to carry several somethi ng agai nst non-proprietary OSes. I
operati ng systems in a compressed form on a really resent i t, as I would rather use that di sk
laptop wi th l i mi ted di sk space. Before getti ng
space for somethi ng useful, such as backups
i nto the "meat" of the arti cle, I wi ll explai n or mi rrors, instead of wasti ng i t wi th an as
what i nspi red me to f i gure out thi s way of I don' t use. Thi s led me to begi n toyi ng wi th
doi ng thi ngs, so the reader can see when i t the i dea of compressi ng i t somehow whi le not
mi ght be useful. After learni ng the techni ques in use. I also teach at a local computer club,
presented here, the laptop user wi ll be able to and wanted to boot i nto other di stri buti ons
do the followi ng: of Li nux and FreeBSD so I could test thi ngs

Carry a laptop set up for dual booti ng, on multi ple di stri buti ons to see if they work
but have more than two complete before gi vi ng my lectures. All thi s forced me
OSes actually stored on the laptop. to learn a way of compressi ng and "swappi ng

Be able to uncompress and acti vate a out" a whole operati ng system to "swap i n"
compressed i mage of an as i nstance and use another.
in about ten mi nutes
The techni que works, and I have person-

Be able to compress and deactivate ally f i eld tested i t. It only requi res si x standard
an uncompressed as i nstance in Li nux/Uni x commands: dd, cfdi sk, gzi p df,
about ten mi nutes, or, alternately, to rm, and nano or pi co. Theoreti cally, parts of
revert any changes made duri ng a thi s techni que can be used just for backi ng
usage sessi on, si mply by choosi ng not up whole systems, or a Li nux "Li ve CD"
to compress the sessi on. such as Knoppi x could be used to run the
Here is why I fi gured out thi s techni que: I commands, and thus a Wi ndows user could
recently had a tri p to vi si t a relati ve in another swi tch between di fferent versi ons of Wi ndows
Paee 58
2600 MaJazine
for whatever reason.
For the sake of brevity, I will make a few
assumptions
.
One is that the reader is tech
savvy enough to have set up the GRUB
boot loader i n the MBR and the "alternate"
OS (whatever that might be) in the partition
/ dev / hdal . I wi I I call this partition the
"swing partition," as different 05es will swing
into uncompressed activity in this disk space.
Most users will come to this article with a
Windows installation in the swing partition,
and a Linux one in the first extended partition,
which is usually / dev/hda5 . Again, after
understanding this technique, it is easily modi
fiable to suit different customized situations
.
Let's start with a look at the GRUB boot
loader in a typical dual boot situation. On
a typical installation, GRUB resides in the
computer' s MBR and uses a file called
/boot /grub/ menu . 1 st, which resides in
the Linux partition. The menu . 1 s t file is a
simple text file which presents the boot menu
to the user. This menu looks like a couple
of boot options for the Linux system, then a
separator that says "other operating systems"
and a few automatically-generated lines for
your Windows installation
.
From a Linux
command line prompt, open up the /boot /
grub/menu . 1 s t file with your favorite text
editor. You will notice that the Windows entry
has the command "chain1oader + 1 " at the
bottom. This is the first key to understanding
how to complete our project. This command
tells GRUB to go into that partition and load
whatever boot loader is in that partition,
which in this case is Windows' . Therefore,
whatever you have in that first partition will
load and run as long as it has a boot loader in
the partition with it, rather than havi ng its boot
loader in the MBR. This is why on my system I
changed the menu from "Windows whatever"
to "Chain load Partition # 1 . "
So after making any desired changes to
GRUB' s menu, the first step is to copy the
whole partition to a compressed file. The beau
tiful thing about the command line is its power:
with a pipe and two commands we can copy
that whole partition, byte for byte, including
its format ( FAT L| NTF5) to a data file on Linux.
This needs to be done as root, because only
root can access a whole unmounted partition
as a device under Linux or Unix. I first set up
a directory called /backup/ images to hold
my images of the swing partition. Here is the
command to make the image:
dd i f = / dev/hda1 I gzip > /backup/
- images /windows . hda1 . gz
Let me explain. The first part of the
command is " dd", which is the disk-to-disk
copy command. When given the parameter
" i f = / dev/hda1", it makes a byte for byte
copy of the partition, including the format,
garbage, data, and everything else, and sends
that to standard output. ( If you had used a
second parameter, " of = somefi le", you would
get an uncompressed image of the disk.) You
need to pipe this to a compression program in
order to save disk space, so pipe it right into
gz ip. gz i p makes a zip file from standard
input to standard output, so direct the output
(the
0
>
0
directs output) to a file. Later on, I ' ll
touch on how to optimize the compression
before running this command, but let ' s jump
right into how to restore a partition.
As you have probably guessed, the
command to restore the partition is pretty
much the opposite of the imaging command.
The command is
gzip - cd /backup/ images /windows .
- hda1 . gz I dd of = / dev/hda1
Here, the gzip command i s called with the
options "-cd" which tells gzip to decompress
and throw the result onto standard output. That
standard output is piped to the dd command
with the output file set to the partition to which
we want to wri te.
As we stand now, we have a nifty way of
backing up a whole partition using onl y a few
standard commands. But let ' s see how we can
extend th is to put an a I ternate system into the
swing partition.
First, swap out whatever is in the swing
partition. Then, use a disk partition editing
utility to delete the partition / dev / hdal . I like
to use cfdisk, which is a text mode graphical
partition editor, but anything that can delete
the partition will do the job. The important
thing is not to change the size of any of the
partitions, because that will cause the image
files you create with dd to be either too big or
too little. So delete the partition without modi
fying the other partitions.
This will clear the way for you to install
another system into the swing partition. All
you need to do is to put your installation CD
into the CD drive and reboot. The installer of
the new OS will then see an empty slot in the
partition table. After installing and setting up
the new OS, you use the same commands to
copy off and compress the swing partition,
and then use the restore command to bring
in whichever system you want into the swing
partition. Just make sure that when the installer
of the new system asks where you want to put
the boot loader, you don' t overwrite the MBR!
For this to work, that MBR needs to remain
untouched, so place the boot loader into the
partition with the system.
The astute reader will see that this whole
things raises an important question, which is
that the partition label will be inconsistent. For
example, let ' s say that the last install you did
Winter 2007-2008 Pa
g
e 59
was FreeBSD. Now the partition table entry is
marked as a FreeBSD partition, but when you
load a Windows partition into the swing parti
tion, you'll have a Windows format partition
with a FreeBSD type label in the partition table.
Well, the beauty of GRUB is that it ignores the
partition label, so as long as the kernel it boots
under can read that partition it will boot it. I n
my field testing, the only oddness I had was
that Windows XP would check its file system
because of what it termed an "inconsistent
flag." But the check would come back as OK
and the machine would reboot into WinXP.
Now, a word on the compression.
Remember where I said that image that dd
produces contains even the garbage on the
disk? Well, that garbage, be it old chunks of
now-deleted files or other whatnot, can cause
a hiccup. The easiest and most efficient thing
to compress, is a long string of the same char
acter, so it would be helpful to write out the
free spaces on the disk with something and
then delete it. How? We once again tur n to the
dd command. This command goes like this:
dd i f = / dev/ zero of = /mnt /hdal /
- zeros . dat bs =l O O O O O O count = l O
This command produces a file of 1 0 mega
bytes of zeros. Note that, for this command,
you must mount the swing partition because
you wa nt to create a file within the partition,
not to work on the whole partition. Here I
mount the partition to /mnt / hdal . Then, the
input file is " / dev/ zero", which is a pseu
do-device in Linux which just gives unlimited
zeros when accessed. The bs is one megabyte,
and dd is asked to do this for ten such blocks,
giving a 1 0 megabyte file of zeros. You need
to see the free space on the swing partition
and adjust this command accordingly (try "df
-h" after mounting). Then, run the command,
follow it up with a " rm Imntlhda 1 Izeroes.dat" to
remove the file. This is an easy way of zeroing
out unused areas of the disk. After doing this, I
managed to get 9 GB partitions with Windows
XP, Windows 2000, and FreeBSD compressed
down to 1 .4 GB files!
As we've seen, standard LinuxiUnix
commands totally rock with their power! Now
you can travel with several different OSes
crunched down into small files while traveling
with limited disk space. But the benefits of
learning these commands does not end there;
you can also back up a whole partition before
applying an update or installing a program.
Then, if you don't like what that update or
installation did, you can roll back to your
previous state. By keeping several of these
previous states copied up to a larger drive
such as a USB disk or another computer, you
can go back to whatever state you want. Also,
if you set up computers for others, you can set
up everything in a fixed-sized partition of, for
example, 1 0 GB. Now, you could actually roll
out and install really quickly if the hardware is
similar enough by just copying out a standard
ized 1 0 GB partition. We' ve also seen how to
quickly zero out unused space in a partition,
which can have security applications.
TECHNOLOG: F: OM A HACKE
BROADCAST FOR ALL THE
Wed nesdays, 1 900- 20
WBAI 99 . 5 FM, New Yor
WBCQ 741 5 Khz - shortwave to No
and at http : //www. 2600 . com/offthehook
Ca l l us duri ng the show at + 1 2 1 2 209 2900.
Ema i l oth@2600. com wi th you r comments .
And yes, we are i nterested i n Si mul casti ng on other stati ons or vi a satel l i te.
Contact us if you can hel p spread "Of The Hook" to more l i steners !
P e 60
2600 Ma azine
fVo;d Web
hlter;
n
w;th
55' iannel;
n
:
Uy1CSSn
lCSS nPgm . Cum
As an exper i enced Websense admi n i s
trator, I was exci ted to read Maj or L ump' s
art i cl e about ci rcumvent i ng fi l teri ng, "Avoi di ng
I nternet Fi l ter i ng, " i n t he Spr i ng 2 007 i s s ue of
2600. Unfort u natel y, I was di smayed to f i nd
out t hat that t he method he proposed was not
an act ual workaround but rat her a product of
a poor l y confi gured Websense i ntegrat i on.
The Websense i nsta l l at i on i n quest i on di d not
have a servi ce respons i bl e for fi l teri ng traffi c on
non- HTTP ports, so t he wr i ter was eas i l y abl e
to ci rcumvent i t by vi si t i ng an HTTPS i nternet
proxy. Websense and other top-t i er i nternet
f i l teri ng products r el y on i ntegrat i on wi t h
another servi ce, most common l y a fi rewa l l or
proxy servers, to forward nor mal HTTP traffi c.
The fi l ters rel y on packet s ni ffi ng to pi ck up the
sl ack and to be abl e to fi l ter not onl y HTTPS and
FTP, but a l so i nst ant message traffi c, proxi es,
streami ng medi a, peer-to-peer software, and
more. Most i nternet fi I teri ng databases conta i n
t he I P addresses of wel l - known proxy webs i tes,
so t hey can bl ock them on HTTPS as wel l as
HTTP. Wi th t hi s i n mi n d and i n an effort to stay
one step a head of my users, I deci ded to start
searchi ng for a real method of ci rcumvent i ng
i nternet fi l ter i ng.
1Cbu ul un
My search ended i n s uccess wi th a wonderfu l
method many of you ma
y
be fami l i ar wi t h: SSH
t unnel i ng. You can f i nd methods on accom
pl i s hi ngt i s a l l over t heweb, but i t was t he gui de at
http : / / www . buz z surf . com/ surf atwork/
that br oke i t down t he best for me. Bas i ca l l y,
we' l l di sgu i se your SSH t unnel as a n HTTPS
connect i on and forwdrd a l l i nternet traffi c
t hrough i t, effecti vel y bypass i ng a l l I nternet
fi l ter i ng, and fi rewa l l s i n between .
To accompl i s h t hi s, confi gure a P C a t home
as a normal SSH server, but set i t to l i sten on
por t 443, whi ch i s nor mal l y reserved for HTTPS.
Now, assu mi ng you ' ve made s ure thi s SSH server
i s access i bl e from t he I nt ernet, you connect to
your SSH server. I recommend us i ng a free DNS
servi ce s uch as Dyn DNS (www . dyndns . com)
to make it easi er to connect back to you r PC at
home. Th i s i s most eas i l y done by downl oadi ng
or bri ngi ng i n a copy of putty and at t he command
prompt ru n n i ng t he command "putty 8 0 8 0
% -ssh sShserver", repl aci ng
sshserver wi t h t he I P or address of your SSH
CIF: CU M I. E NTIO N
server. Once you ' ve successfu l l y connected
to and l ogged i nto your SSH server, you need
onl y change you r browser ' s sett i ngs to use the
SSH t unnel you ' ve created as a SOCKS proxy.
Th i s is done i n t he I E ' s Adva nced Proxy Sett i ngs
confi gurati on by sett i ng t he SOCKS address
to 1 2 7. 0. 0. 1 and t he port to BOBO. Now you r
i nternet traffi c i s encrypted and vi rt ua l l y u nde
tectabl e. Th i s can al so be used for a ny other
web appl i cat i on that supports SOCKS proxi es;
s i mpl y confi gure t hem t he same way.
KSkS
Obvi ous l y, t here are r i sks i nvol ved wi t h
test i ng t hi s at work. I f you r I nformat i on Securi t y
department i s a nyth i ng l i ke mi ne, t hen there are
a l ar ms and tri ggers set around t he network j u
.
st
wai t i ng to squeal on you the second that they
detect proxy usage. However, ass umi ng you
confi gure t hi s correct l y the fi rst t i me, t here wi I I
b e a l most n o i ndi cat i on of t hi s beca use o f t he
encrypti on i nvol ved. Websense l ogs i t as HTTPS
trafti c to an " Uncategori zed I P address. " There
are onl y two ways t hat Websense cou l d stop
you : i f HTTPS i s bl ocked or i f u ncategor i zed
webs i tes are bl ocked. Nei t her i s very l i kel y
u n l ess you ' re i n a very sma l l envi ronment, as
bot h have very l egi t i mate uses. The onl y fl ag
that was ra i sed was by my I nt r usi on Detect i on
System. I was pl easant l y s urpr i sed to f i nd out
i t di d i n fact not i ce I was usi ng SSH on a port
other t han t he defaul t of 22 and that i t t hrew a n
event marked Sus pi ci ous . Lucki l y t h e event on l y
fi res a few t i mes du r i n g t h e i n i t i al connect i on
and i s n' t detected aft er that. I n l arger envi ron
ments, i t ' s not uncommon to see SSH run n i ng
on an u n us ual port, but if you have H wry vi gi
l ant securi ty department, t hi s cou l d be noti ced.
LSCS
There are more uses to t hi s vers i on of SSf 1
t unnel i ng t han j ust ci rcumventi ng fi l teri ng; t hi s
al so work s very wel l to protect yoursel f and your
i nformat i on on u ntrusted networks such as wi re
less hot spots. Wh i l e bus i nesses ,d uni versi ti es
normal l y warn and noti fy thei r users i f they arc
bei ng moni tored, t here is no way of tel l i ng j ust
what is l u rki ng on an u ntrusted network wa i t i ng
to s ni ff your traffi c. SSH t unnel i ng can be used
for t hi ngs other t h<n i nternet forwardi ng. Wi t h a
few changes, you can use i t to protect con nec
t i ons back to your home network for ema i l or
pr i nt i ng. I f you know t he port a servi ce commu
n i cates on, you can put i t t hrough t hi s SSH
t unnel .
Winter 2007-2008 Pa
g
e 6 1
Happenings
THE LAST HOPE. The seventh Hackers On Planet Earh conference
will be held at New York City's HOtel PEnnsylvania July 1 8-20, 2008.
Visit www. hope. net for the latest news. Speakers, vendors, creative
participation welcome. Cal l (21 2) PEnnsylvania 6-5000 for the speci al
conference room rate. Discuss your plans and suggest ideas at
talk. hope. net. History awaits.
CELEBRATE COMPUTER HISTORY AT THE VINTAGE
COMPUTER FESTIVAl. The mi ssi on of the Vintage Computer
Festival i s to promote the preservation of "obsolete" computers by
offering people a chance to experience the technol ogi es, people, and
stories that embody the remarkable tale of the computer revolution.
The VCF features a speaker series, a hands-on exhibition of live,
worki ng vintage computers from al l eras of computer history, a
marketplace, a fi l m festival, and more! This year we celebrate 1 0
years of the VCF, s o thi s event wi l l b e the biggest and best ever. For
more information, visit http://www.vintage.org. The game i s afoot!
www.vintage.org/special/2007/vcfx/
For Sale
TV-B-GONE. Turn off TVs i n publ i c places! Ai rports, restaurants,
bars, anywhere there' s a TV. Now available as an open source kit, as
well as the super-popular ori gi nal keychain. The kit turns of TVs at
40 yards! 200 readers get 1 0% discount on TV-B-Gone keychains -
use Coupon Code: 2600. www.TVBGone. com
JEAH. NET suppors 200because we read too! JEAH. NET
conti nues to be #1 for fast, stable FreeBSD shel l accounts wi th
hundreds of vhost domai ns, FreeBSD and Pl esk web hosti ng, 1 00%
private and secure domai n registration, and aggressive merchant
solutions! 200readers' setup fees are always waived at JEAH. NET.
J! NX-HACKER CLOTHING/GEAR. Tired of bei ng naked? JI NX. com
has 300+ 1' s, sweatshi rts, sti ckers, and hats for those rare times
that you need to leave your house. We've got swag for everyone,
from the buddi ng nOOblet to the vintage geek. So take a five mi nute
break from surfi ng prOn and check out http://www. JI NX. com. Uber
Secret-Speci al -Mega Promo: Use "2600v24n04" and get 1 0% off
of your order.
SIZE *DOES* MATTER! The Twi n Towers may be gone forever but
a detailed image still exists of the massive 374-foot radio tower that
was perched atop One World Trade Center. Thi S hIgh qual ity glossy
color poster i s available i n two sizes (1 6"x20" and 20"x30") and
makes a spectacular gift for engineers, scientists, radio &television
buffs, or anybody who appreciates a unique, rarely seen view of
the World Trade Center. Visit www.wtc-poster. us for samples and to
order your own poster.
VENDING MACHI NE JACKPOTTERS. Go to
www.hackershomepage.com for EMP Devices, Lock Picks, Radar
Jammers &Controversial Hacking Manuals. 407-965-5500
MAKE YOUR SOFTWARE OR WEBSITE USER FRIENDLY with
Foxee, the fri endl y and interactive cartoon bl ue fox! Not everyone
who will navigate your website or software application will be an
expert hacker, and some users wi!! need a little hel p! Foxee i s a
hand-animated Microsoft Agent character that wi l l accept i nput
through voice commands, text boxes, or a mouse, and interact with
your users through text, ani mated gestures, and even di gi tal speech
to hel p guide them through your software with ease! Foxee supports
10 spoken languages and 31 written languages. She can be added
to your software through C++, VB6, al l . Net languages, VBScript,
JavaScript, and many others! Natively compatible with Mi crosoft
Internet Explorer and can work with Mozi l l a Firefox when used with
a free pl ug-i n. See a free demonstration and purchasi ng information
at www.foxee.net!
NET DETECTIVE. Whether you' re just curi ous, trying to locate or fi nd
out about people for personal or business reasons, or you' re l ooki ng
for people you' ve fal l en out of touch wi th, Net Detective makes it al l
possi bl e! Net Detective i s used worl dwi de by private investigators
and detectives, as wel l as everyday people who use it to fi nd lost
relatives, old high school and army buddies, deadbeat parents, lost
loves, people that owe them money, and just plain ol d snoopi ng
around. Visit us today at www.netdetective. org. uk.
NETWORKING AND SECURITY PRODUCTS available at
OvationTechnol ogy. com. We're a suppl i er of Network Security and
Internet Privacy products. Our online store features VPN and firewall
hardware, wireless hardware, cable and DSL modems/routers,
I P access devices, Vol P products, parental control products, and
ethernet swi tches. We pride oursel ves on provi di ng the highest level
of technical expertise and customer satisfaction. Our commitment to
you . . . No surprises! Buy with confi dence! Security and Privacy i s our
busi ness! Visit us at http://www.OvationTechnology.com/store. htm.
PHONE HOME. Ti ny, sub-mi ni ature, 7/1 0 ounce, programmable/
reprogrammable touch-tone, multi-frequency (DTMF) dialer whi ch
can store up to 15 touch-tone di gi ts. Uni t i s hel d agai nst the
telephone receiver's microphone for di al i ng. Press " HOME" to
automatically di al the stored di gits whi ch can then be heard through
the ultra mi niature speaker. Ideal for E. T ' s, children, Alzheimer
vi ctims, lost dogs/chi mps, significant others, hackers, and computer
wizards. Give one to a boy/girl friend or to that potential " someone"
you meet at a pary, the supermarket, schoo! , or the mal l ; with your
pre-programmed telephone number, he/she will always be abl e to
call you! Also, ideal if you don' t want to " di scl ose" your telephone
number but want someone to be abl e to cal l you locally or l ong
distance by tel ephone. Key ring/Cl i p. Limited quanti ty avai l abl e.
Money order only. $24.95 + $3.00 S/H. Mai l order to: PHONE HOME,
Ni mrod Di vi si on, 331 N. New Ballas Road, Box 41 0802, CRC,
Mi ssouri 631 41 .
REAL WORLD HACKI NG: Interested i n rooftops, steam tunnel s,
and the l i ke? Read the al l -new Access Al l Areas, a guidebook to the
art of urban exploration, from the author of Infiltration zi ne. Send
$20 postpai d i n the US or Canada, or $25 overseas, to PO Box 1 3,
Station E, Toronto, ON M6H 4E1 , Canada, or order onl i ne at
www.infiltration.org.
FHEEOOMOOWNIMEON DVD! Years i n the maki ng but we hope
it was worth the wait. A double DVD set that includes the two hour
documentary, an i n-depth interview with Kevin Mitni ck, and nearly
three hours of extra scenes, lost footage, and miscellaneous stuf.
Pl us capti oni ng for 20 (that' s ri ght, 20) l anguages, commentary track,
and a lot of thi ngs you' l l just have to fi nd for yourself! The entire two
disc set can be had by sendi ng $30 to Freedom Downtime DVD,
PO Box 752, Mi ddl e I sl and, NY 1 1 953 USA or by ordering from our
onl i ne store at http://store. 2600. com. (VHS copies of the film sti l l
available for $1 5. )
CAP'N CRUNCH WHISTLES. Brand new, onl y a few left. THE
ORI GI NAL WHI STLE i n mi nt condi ti on, never used. Joi n the elite few
who own this treasure! Once they are gone, that's it - there are no
more! Keychain hol e for keyring. Identify yourself at meeti ngs, etc. as
a 200 member by si mpl y dangl i ng your whi stl e and saying nothi ng.
Cover one hol e and get exactly 200hz, cover the other hole and get
another frequency. Use both holes to call your dog or dol phi n. Also,
ideal for telephone remote control devices. Pri ce i ncl udes mai l i ng.
$49. 95. Not onl y a collector' s i tem, but also a VERY USEFUL device
to carry at al l ti mes. Cash or money order only. Mai l to: WHI STLE c/o
PESI , P.O. Box 1 1 562-ST, Cl ayn, Mi ssouri 631 05.
Help Wanled
RENEGADE BLACK SHEEP TECH ENTREPRENEUR i n process
of putting flesh on the bones of an encrypted voice communications
project. Do you have experience i n the deep details of VoIP/SIP
protocols, network traffic analysis, bi l l i ng system construction, PtoP
routing, and so on? Interested i n working wi th a topend team to
bui l d a world-changing tool for regular folks around the world to use
i n thei r everyday lives? Contact me at wri nko@hushmai Lcom.
Wanled
LOOKING FOR 2 READERS who would like to offer thei r
services for hire. Want to make money working from home or on the
road, cal l (740) 544-6563 extensi on 1 0.
I AM COLLECTING the direct (non-toll-free) telephone numbers that
wi l l connect directly to the airport ai rl i ne counters of the following
ai rl i nes: American, Continental, US Air, Southwest, Delta, Northwest,
and United i n major cities so that if I am ever bounced or a flight i s
del ayed or canceled, I can reach someone di rectl y and personally
with a non 800 number who can do something i mmediately. The
airport ai rl i ne counter personnel usual l y know immediately and/or
can rebook, etc. without delay. Please emai l : us. ai rl i nes@yahoo.com.
HELP! I want to set up a voice bridge chat line for hackers but need
the software. Cal l me at (21 3) 595-8360 (Ben) or
www.UndergroundClassifieds. com.
Serices
BEEN ARRESTED FOR A COMPUTER OR TECHNOLOGY
RELATED CRIME? Have an idea, invention, or business you want to
buy, sell, protect, or market? Wi sh your attorney actually understood
you when you speak? The Law Ofice of Michael B. Green, Esq.
i s the solution to your 21 st century legal problems. Former SysOp
and member of many private BBS' s si nce 1 981 now available to
Pa
g
e 62
2600 Magazine
di rectly represent you or bridge the communi cations gap and assist
your current legal counsel . Extremely detailed knowledge regardi ng
cri mi nal and ci vi l l i abi l ity for computer and technology related actions
(1 8 U. S. C. 1 028, 1 029, 1 030, 1 031 , 1 34 1 , 1 342, 1 343, 251 1 , 251 2,
ECPA, DMCA, 1 996 Telecom Act, etc. ), domai n name di sputes,
intellectual property matters such as copyrights, trademarks, l i censes
and acqui si ti ons, as wel l as general busi ness and corporate law.
Over 1 1 years experi ence as i n-house legal counsel to a computer
consulting business as wel l as an over 20 year background i n
computer, telecommuni cati ons, and technology matters. Publ ished
law review arti cles, contributed to nati onal l y publ ished books, and
submitted briefs to the United States Supreme Court on Internet and
technology rel ated issues. Admi tted to the U.S. Supreme Court, 2nd
Ci rcui t Court of Appeals, and al l New York State courts and fami l i ar
wi th other j uri sdi cti ons as wel l . Many attorneys will take your case
wi thout any consideration of our cul ture and wi l l see you merely as
a source of fees or worse, with i l l -conceived prejudices. My office
understands our culture, i s sympathetic to your situati on, and wi l l
treat you wi th the respect and understanding you deserve. No fee
for the i nitial and confidential consultation and, if for any reason we
cannot hel p you, we wi l l even try to fi nd someone el se who can at no
charge. So you have nothi ng to lose and perhaps everything to gain
by contacting us first. Visit us at: http://www.computorney.com or
cal l 51 6-9WE-HELP (51 6-993-4357).
HAVE A PROBLEM WITH THE LAW? DOES YOUR LAWYER NOT
UNDERSTAND YOU? Have you been charged wi th a computer
related crime? I s someone threatening to sue you for somethi ng
technology related? Do you just need a lawyer that understand IT
and the hacker culture? I've publ i shed and presented at HOPE and
Defcon on the law facing technology professionals and hackers al i ke.
I ' m both a lawyer and an IT professi onal . Admi tted to practice law
i n Pennsylvania and New Jersey. Free consultation to 200readers.
http://muentzlaw.com alex@muentzlaw.com (21 5) 806-4383
PIMP YOUR WIRELESS ROUTER! http://packetprotector.org. Add
VPN, IPS, and web AV capabilities to your wireless router wi th free,
open-source firmware from PacketProtector.org
HACKER TOOLS TREASURE BOX! You get over 650 l i nks to key
resources, plus our proven tricks for rooting out the hard-to-find
tools, instantlyl Use to build your own customized hacker (AHEM,
network security) tool ki t.
http://FortressDataProtecti on. com/securitybook
ADVANCED TECHNICAL SOLUTIONS. #422 - 1 755 Robson Street,
Vancouver. B. C. Canada V6G 3B7. Ph: (604) 928-0555. Electronic
countermeasures - find out who i s secretly videotaping you or
buggi ng your car or office. "State of the Art" detection equi pment
uti l i zed.
INCARCERATED 200MEMBER NEEDS COMMUNITY HELP
to bui l d content i n free cl assi fi ed ad and "local busi ness directory"
i n 50 countries. John Lambros, the founder of Boycott Brazil. has
l aunched a FREE classified ad. want ad, and local busi ness directory
i n 50 global markets. The mission i s si mpl e: "free help to bi l l i ons of
people locating jobs, housi ng, goods and services, social activities,
a girtfriend or boyfriend, community information, and just about
anythi ng else i n over one mi l lti on neighborhoods throughout the
world - al l for FREE. HELP ME OUT! SPREAD THE WORD! Please
visit www.NoPayClassifieds.com and add some content. I t will take
al l of five or ten mi nutes. Li nks to "No Pay Classifieds" are also
greatly appreciated.
SUSPECTED OR ACCUSED OF A CYBERCRI ME I N ANY
CALIFORNIA OR FEDERAL COURT? Consult wi th a semantic
warrior committed to the liberation of information. I am an aggressive
cri mi nal defense lawyer speci al i zi ng i n the following types of cases:
cri mi nal copyright i nfri ngement, unauthorized computer access, theft
of trade secrets, identity theft, and trademark i nfri ngement. Contact
Omar Figueroa, Esq. at (41 5) 986-5591 , at
omar@stanfordal umnLorg, or at 50S Broadway, San Francisco,
CA 941 33-4507. Graduate of Yale College and Stanford Law
School , and Gerry Spence's Trial Lawyers Col l ege. Complimentary
case consultation for 200readers. Al l consultations are strictly
confidential and protected by the attorney-client privilege.
INTELLIGENT HACKERS UNIX SHELL. Reverse.Net i s owned
and operated by intelligent hackers. We believe every user has the
ri ght to onl i ne security and privacy. I n today' s hosti l e anti-hacker
atmosphere, intelligent hackers require the need for a secure place
to work, compi l e, and explore without big-brother looking over
their shoulder. Hosted at Chicago Equi ni x wi th Juni per Filtered
DoS Protection. Mul ti pl e FreeBSD servers at P4 2.4 ghz. Afordable
pricing from $5/month wi th a money back guarantee. Lifetime 2S%
discount for 200 readers. Coupon code: Save2S00.
http://www.reverse.net
ANTI-CENSORSHIP L1NUX HOSTING. Kaleton Internet provides
afordable web hosti ng, email accounts, and domain registrations
based on dual processor P4 2.4 GHz Linux servers. Our hosting
plans start from only $8.95 per month. This i ncl udes support for
Python, Perl, PHP, MySOL, and more. You can now choose between
the USA, Singapore, and other ofshore locations to avoid censorship
and guarantee free speech. We respect your privacy. Payment can
be by E-Gol d, PayPal, credit card, bank transfer, or Western Uni on.
See www.kaleton.com for details.
Announcements
OFF THE HOOK i s the weekly one hour hacker radi o show
presented Wednesday ni ghts at 7: 00 pm ET on WBAI 99. 5 FM i n
New York City. You can al so tune i n over the net at
www. 2S00. comioffthehook or on shortwave i n North and South
Ameri ca at 741 5 khz. Archives of al l shows dati ng back to 1 988 can
be found at the 200 site i n mp3 format! Shows from 1 988-2007
are now avai l abl e i n DVD- R hi gh fidel ity audi o for onl y $ 1 0 a year
or $1 50 for a l i feti me subscription. Send check or money order to
2600, PO Box 752, Mi ddl e I sl and, NY 1 1 953 USA or order through
our onl i ne store at http://store. 2600. com. Your feedback on the
program i s al ways wel come at oth@2S00. com.
THE HI GH WEI RDNESS PROJECT. We are a SubGeni us wi ki
seeki ng submi ssi ons of strange, controversial, subversive, and
above al l Sl ackful sources of informati on. We do not fol l ow a
so-cal l ed "neutral poi nt of vi ew" - please make your entri es as
biased as you want, as long as they' re interesti ng! Speci al secti ons
dedicated to information warfare, software, conspi raci es, rel i gi on
and skepti ci sm, and more. Check us out: www. modemac. com.
I NFOSEC NEWS i s a privately run, medi um traffic l i st that caters to
the di stri buti on of information security news arti cl es. These articles
come from such sources as newspapers, magazines, and onl i ne
resources. For more i nformati on, check out:
http://www. infosecnews. org.
CHRI STIAN HACKERS' ASSOCIATI ON: Check out the web page
http://www. chri sti anhacker.org for detai l s. We exist to promote a
communi ty for Chri sti an hackers to di scuss and i mpact the realm
where faith and technology intersect for the purpose of seeing lives
changed by God' s grace through faith i n Jesus.
Personals
TRYING HARD not to let the bright l i ght of my mi nd's eye grow di m.
Feed the fire by droppi ng me a l i ne and fi l l i ng my head wi th thoughts.
I ' l l reciprocate by projectile vomi ti ng my intellect strai ght to your
mai l box. Interests i ncl ude wri ti ng, anythi ng computer related, and
privacy/anonymity i ssues. Max Ri der, SBI#00383681 , DCC 1 1 81
Paddock Rd. , Smyrna, DE 1 9979.
PRISONER SEEKS FRI ENDS to hel p wi th book review l ookups
on Amazon by keywords. Com Sci major, thirsty to catch up to the
real world before my reentry. I have my own funds to buy books. I
only need reviews. I ' m MUD/MMORPG savy i n C++, Java, Python,
PHI MySQL, DirectX. Ken Roberts J60962, 450-1 -28M, PO Box 9,
Avenal, CA 93204.
ELECTRONIC WARFARE, COUNTERINTELLIGENCE, HACKI NG.
A-Space and I ntel l i pedi a are my interests. Looki ng for pen-pal s,
friends, and contacts worldwide. I buy books, magazines, and
unusual pictures. I n search of information on financial privacy, off
shore banki ng and trusts, unusual books, magazines, and pictures.
Please write. English or Spani sh OK. Experience i n telecom, 2-way
radio, packet and advanced threat infrared countermeasures
(EW). Former boy, now locked up i n one of America's prisons l i ke
thousands of other former boys who l ost thei r way. I wi l l respond to
al l who wri te. D. Coryell T-681 27 D3-247up, PO Box 8504, Coal i nga,
CA 9321 0, USA.
OFFLI NE OUTLAW I N TE needs some hel p i n devel opi ng
programmi ng ski l ls. Interested i n Perl and Javascript. Also pri vacy i n
al l areas. Library here i s inadequate. Feel free to drop those Bi l l Me
Later cards, add me to the mai l i ng l i sts, etc . . Thanks to al l those who
have helped me so much already, you know who you are. Wi l l i am
Li ndl ey 822934, CT Terrel l , 1 300 FM 655, Rosharon, TX 77583-8604
WHEN THE BULLET HITS THE BONE. Bored and lonely phone
nerd. Got some ti me left i n our nation's wonderful corrections
system. Looking for pen pals to hel p pass the time. Interests i ncl ude
(not l i mited to) telecom, computers, pol i ti cs, musi c (punk rock,
i ndustri al , etc. ), tats, urban exploration. 23, white mal e, 6' 1 " , 1 90 I bs,
bl ack hai r, green eyes, a few tats. Wi l l respond to al l . Mi chael Kerr
09496-029, FCI Bi g Spri ng, 1 900 Si ml ar Ave. , Big Spri ng, TX 79720.
A enise In 2600!
ONLY SUBSCRIBERS CAN ADVERTISE I N 2! Don' t even thi nk
about tryi ng to tEake out an ad unless you subscri be! Al l ads are free
and there i s no amount of money we wi l l accept for a non-subscriber
ad. We hope that' s clear. Of course, we reserve the ri ght to pass
judgment on your ad and not pri nt it if i t' s amazi ngl y stupi d or has
nothi ng at all to do wi th the hacker world. We make no guarantee as
to the honesty, righteousness, sanity, etc. of the people advertising
here. Contact them at your peri l . Al l submi ssi ons are for ONE
ISSUE ONLY! If you want to run your ad more than once you must
resubmit i t each ti me. Don' t expect us to run more than one ad for
you i n a single i ssue either. Include your address label/envelope or a
photocopy so we know you' re a subscriber. Send your ad to:
200Marketplace, PO Box 99, Middl e I sl and, NY 1 1 953.
Deadline for Spring issue: ZZ.
Winter 2007-2008 P
ge 63
NEW STUFF !
2 6 0 0 SWEATSHI RTS - THE SECOND EDI TI ON
We now have a completely new style of hooded sweatshirt in addition to
our standard black pullover design. These new ones are gray in color and
have a zippered front. Big red numbers proclaim "2600" for those who se
you coming and big red letters in the back spell out "HACKER" for those
who wonder who it was that just went past. (If you' re trying to hide the
fact that you' re a hacker, this may not be the sweatshirt for you.)
Avai l able i n si zes L, XL, and XXL for $35 (outside the U. S . and Canada add $1 0 for
shi ppi ng) . Send check or money order to address below or visit store.2600.com.
(Addi ti onal si zes wi l l be stocked i f enough peopl e ask for them. )
Yes, you read that right. 2600 now has ceramic cofee mugs designed with
the DMCA (Di gi tal Mi l lenni um Cofee Act) in mind. The 2600 seal appears
on the front and the various restrictions of the mug's use appear on the back.
(It is a violation of the DMCA to use this mug for tea.).
2600, PO Box 752, Middle Island, NY 1 1 953 USA
Avai l abl e wi th whi te l etteri ng on a bl ack mug or bl ack l ettering on a white mug. $ 1 5 each or 2
for $25 (outsi de the u. s . and Canada add $ 1 0 each for shi ppi ng - sorry, these thi ngs are heavy)
THE L HST HOPE
I f you mi s s thi s one , there ' s nothing l ef t to say .
J oi n us on J u l y 1 8, 1 9, a nd 20, 2008 at the Hotel Pen nsyl va n i a i n
New York Ci ty a nd see who gets the l ast word .
S peci a l room rates wi l l be ava i l a bl e at +1 21 2 P E n ns yl va n i a 6-5000
(736- 5000 for those of you wi thout l etters on you r phones) . Deta i l s
on wh o wi l l b e s pea ki ng a n d how you ca n pa rti ci pate a l ong wi th a
whol e l ot more i nfor mati on i s at www. hope. net.
The wi nner of the Autumn 2007 puzzle i s healwhans who correctly surmi sed that the PDF41 7
barcode contained a quote from Wi nston Churchi ll that was broadcast on October 1 , 1939 and
sai d "I t i s a ri ddle, wrapped i n a mystery, i nsi de an eni gma." ( He was talki ng about Russi a. )
P
g
e 64
2600 Ma
g
azine
"First they ignore you, then they laugh at you, then they fight you,
then you win. " - Mahatma Gandhi
260 (ISSN 0749-3851, USPS # 003- 1 76);
Winter 2007-2008, Volume 24 Issue 4, is
published quarterly by 2600 Enterprises Inc. ,
2 Flowerield, St. James, NY 1 1 780.
Periodical postage rates paid at
St. James, NY and additional mailing
ofces.
POSTMASTER:
Send address changes to: 2600
P. O. Box 752 Mi ddl e I sl and,
NY 1 1 953-0752.
SUBSCRI PTI ON CORRESPONDENCE:
2600 Subscri pti on Dept . , P. O. Box 752,
Mi ddl e I sl and, NY 1 1 953-0752 USA
(subs@2600. com)
YEARLY SUBSCRI PTI ONS:
U. S. and Canada - $20 i ndi vi dual ,
$50 corporate ( U. S. Funds)
Overseas - $30 i ndi vi dual , $65 corporate
Back i ssues avai l abl e for 1 984-2006 at
$20 per year, $26 per year overseas
I ndi vi dual i ssues avai l abl e from 1 988 on
at $5. 00 each, $6. 50 each overseas
LETTERS AND ARTI CLE
SUBMI SSI ONS:
2600 Edi tori al Dept . , P. O. Box 99,
Mi ddl e I sl and, NY 1 1 953-0099 USA
(l etters@2600. com, arti cl es@2600. com)
26 Ofice Li ne: +1 631 751 2600
26 Fax Li ne: +1 631 474 2677
Copyri ght 2007 -2008; 2600 Enterpri ses I nc.
Winter 2007-2008

Pa
g
e 65
ARGENTINA
Buenos Aires: I n the bar at San
Jose 05.
AUSTRALIA
Melbourne: Gafeine at ReVautt
Bar, 16 Swanston
W
al k, near
Melbourne Central Shopping
Centre. 6: 30 pm
Sydney: The Crystal Pal ace,
front barlbistro, opposite the bus
stati on area on George St at
Central Station. 6 pm
AUSTRIA
Graz: Cafe Haltestetle on
Jakomi ni pl atz.
BRAZIL
Belo Horizonte: Pel ego' s Bar at
Assufeng, near the payphone.
6 pm
CANADA
Albera
Calgary: Eau Cl ai re Market
food court by the bl and yellow
wal l . 6 pm
British Columbi a
Victori a: QV Bakery and Cafe,
1 701 Government S1.
Manitoba
Wi nni peg: SI. Vital Shoppi ng
Centre, food court by HMV.
New Brunswick
Moncton: Champlai n Mal l food
court, near KFC. 7 pm
Ontario
Barrie: Wi l l i am' s Coffee Pub, 505
Bryne Dr. 7 pm
Guel ph: Wi l l i am' s Coffee Pub,
492 Edi nbourgh Rd S. 7 pm
Ottawa: World Exchange Pl aza,
1 1 1 Albert St, second floor.
6:30 pm
Toronto: Col l ege Park Food
Court, across from the Taco Bel l .
Waterloo: Wi l l i am' s Coffee Pub,
1 70 University Ave W. 7 pm
Windsor: Uni versity of Windsor,
CAW Student Center commons
area by the large window. 7 pm
Quebec
Montreal: Bel l Amphitheatre,
1 000, rue de l a Gauchetiere.
CHI NA
Hong Kong: Pacific Coffee i n
Festival Wal k, Kowloon Tong.
7 pm
CZECH REPUBLI C
Prague: Legenda pub. 6 pm
DENMARK
Aalborg: Fast Eddi e' s pool hal l .
Aarhus: I n the far corner of the
DSB cafe i n the railway station.
Copenhagen: Cafe Bl asen.
Sonderborg: Cafe Druen.
7: 30 pm
EGYPT
Port Said: At the loot of the
Obelisk (EI Mi ssal l ah).
ENGLAND
Brighton: At the phone boxes
by the Sealife Centre (across
the road trom the Pal ace Pi er).
Payphone: ( 01 273) 606674. 7 pm
Exeler: At the pay phones,
Bedford Square. 7 pm
London: Trocadero Shoppi ng
Center (near Piccadi l l y Ci rcus),
lowest l evel . 6:30 pm
Manchester: Bulls Head Pub on
London Rd. 7: 30 pm
Norwich: Borders entrance to
Chapef fi el d Mal l . 6 pm
Readi ng: Afro Bar, Merchants
Pl ace, off Fri ar St. 6 pm
FINLAND
Helsi nki : Fenni akortteli food
court (Vuorikatu 1 4) .
FRANCE
Grenoble: Eve, campus of St.
Martin d' Heres. 6 pm
Li l l e: GrandPlace ( Place Chaes
de Gaul l e) i n front of the Furet du
Nord bookstore. 9 pm
Paris: Place de l a Republ i que,
near the (empty) fountai n. 6: 30
pm
Rennes: In front of the store
"Blue Box" close to Pl ace de l a
Republ i que. 8 pm
GREECE
Athens: Outsi de the bookstore
Papasotiriou on the corner of
Patision and Stournari . 7 pm
IRELAND
Dubl in: At the phone booths
on Wicklow t beside Tower
Records. 7 pm
ITALY
Mi l an: Pi azza Loreto in front of
McDonal ds.
JAPAN
Tokyo: Li nux Cafe i n Aki habara
di stri ct. 6 pm
NEW ZEALAND
Auckland: London Bar, upstai rs,
Wellesley St, Auckl and Central.
5:30 pm
Christchurch: Java Cafe, corner
of Hi gh St and Manchester St.
6 pm
Wel l i ngton: Load Cafe i n Cuba
Mal l . 6 pm
NORWAY
Oslo: Osl o Sentral Train Station.
7 pm
Tromsoe: The upper floor at Bl aa
Rock Cafe, Strandgata 1 4. 6 pm
Trondhel m: Ri ck' s Cafe i n
Nordregate. 6 pm
PERU
li ma: Barbi l oni a (ex Apu Bar), en
Alcanfores 455, Miraflores, at the
end of Tarata St. 8 pm
SCOTLAND
Glasgow: Central Station,
payphones next to Platform 1 .
7 pm
SOUTH AFRICA
Johannesburg (Sandlon City):
Sandton food court. 6: 30 pm
SWEDEN
Gothenburg: 2nd fl oor i n Burger
Ki ng at Avenyn. 6 pm
Stockhol m: Outside Lava.
SWITZERLAND
Lausanne: I n front of the MacDo
besi de the train stati on. 7 pm
UNITED STATES
Alabama
Auburn: The student l ounge
upstai rs i n the Fay Uni on
Bui l di ng. 7 pm
Huntsvi l l e: Stanlieo's Sub Vi l l a
on Jordan Lane.
Tuscaloosa: McFarl and Mal l food
court near the front entrance.
Arizona
Tucson: Borders i n the Park
Mal l . 7 pm
California
Irvine: Panera Bread, 3988
Barranca Parkway. 7 pm
Los Angeles: Union Station,
corner of Macy & Alameda. I nsi de
mai n entrance by bank of phones.
Payphones: ( 21 3) 972-951 9,
9520: 625-9923, 9924; 61 3-9704,
9746.
Monterey: London Bridge Pub,
Wharf #2.
Sacramento: Round Tabl e Pjzza
at 1 27 K St.
San Diego: Regents Pi zza, 41 50
Regents Park Row #1 70.
San Francisco: 4 Embarcadero
Pl aza (i nsi de). 5:30 pm
San Jose: Outsi de the cafe at
the MLK Library at 4th and E San
Fernando. 6 pm
Colorado
Boulder: Wi ng Zone food court,
1 3th and College. 6 pm
Denver: Borders Cafe, Parker
and Arapahoe.
District of Columbia
Arlinglon: Pentagon City Mal l by
the phone booths next to Panda
Express. 6 pm
Florida
Ft. Lauderdale: Broward Mal l i n
t he food court. 6 pm
Gainesvi l l e: I n the back of the
University of Fl ori da' s Reitz Uni on
food court. 6 pm
Melbourne: House of Joe Coffee
House, 1 220 W New Haven
Ave. 6 pm
Orl ando: Fashi on Square Mal l
Food Court between Hovan
Gourmet and Manchu Wok. 6 pm
Tampa: Uni versi ty Mal l i n the
back of the food court on the 2nd
floor. 6 pm
Georgia
Atlanta: Lenox Mal l food cour.
7 pm
Idaho
Boise: BSU Student Uni on
Bui l di ng, upstairs from the mai n
entrance. Payphones: (208)
342-9700, 970 1 .
Pocalel l o: Coll ege Market, 604
S 8th St.
I l l inois
Chicago: Nei ghbcrhood Boys
and Gi rls Cl ub, 2501 W Irving
Park Rd. 7 pm
Indiana
Evansvi l l e: Barnes and Nobl e
cafe at 624 S Green Ri ver Rd.
Ft. Wayne: Gl enbrook Mal t food
court in front of Sbarro's. 6 pm
Indianapol is: Mo' Joe Coffee
House, 222 W Mi chi gan St.
Soulh Bend ( Mishawaka):
Barnes and Nobl e cafe, 4601
Grape Rd.
Iowa
Ames: Memori al Uni on Bui l di ng
food court at the Iowa State
Uni versity.
Kansas
Kansas City (Overland Park):
Oak Park Mal l food court.
Wichita: Riverside Perk, 1 1 44
Bitting Ave.
Louisiana
Baton Rouge: I n the LSU Uni on
Bui l di ng, between the Ti ger
Pause & McDonal d' s. 6 pm
New Orleans: Z'otz Coffee House
uptown at 821 0 Oak st. 6 pm
Maine
Portland: Maine Mall by the
bench at the food court door.
Maryland
Baltimore: Barnes & Nobl e cafe
at the I nner Harbor.
Massachusetts
Boston: Prudenti al Center Pl aza,
terrace food court at the tabl es
near the windows. 6 pm
Marlborough: Sol omon Park Mall
food court.
Northampton: Downstairs of
Haymarket Cafe. 6:30 pm
Michigan
Ann Arbor: Starbucks i n The
Gal l eri a on S Uni versity.
Mi nnesota
Bloomington: Mall of Ameri ca,
north si de food cour, across
from Burger King & the bank
of payphones that don't take
i ncomi ng cal l s.
Mi ssouri
Kansas City (Independence):
Barnes & Nobl e, 1 9 1 20 E 39th SI.
St. Louis: Galleria Food Court.
Sprtngflel d: Borders Books and
Musi c coffeeshop, 3300 S Gl en
stone Ave, one block south of
Battlefield Mal l . 5: 30 pm
Nebraska
Omaha: Crossroads Mall Food
Court. 7 pm
Nevada
Las Vegas: reJAVAnate Coffee,
3300 E Fl ami ngo Rd (at Pecos).
7 pm
New Mexico
Al buquerque: University of New
Mexico Student Union Bui l di ng
(pl aza "I owe' l evel l ounge),
mai n campus. Payphones:
505-843-9033, 505-843-9034.
5:30 pm
New York
New York: Ci ti group Center, in
the lobby, near the payphones,
1 53 E 53rd St, between Lexington
& 3rd.
Rochester: Panera Bread, 2373
W Ri dge Rd. 7:30 pm
North Carolina
Charlotte: South Park Mal l food
court. 7 pm
Ralei gh: Royal Bean coffee shop
on Hi l lsboro St (next to the Pl ay'
makers Sports ar and across
from Mer
edfl
h (lQlig),
Wilmington: T Connection
Intemet Cafe,
2
50-1 Raci ne
Dri ve, Raci ne Commons Shop
pi ng Center.
North Dakola
Fargo: West Acres Mall food
court by the Taco John' s. 6 pm
Ohio
Ci nci nnati: The Brew House,
1 047 E McMi l l an. 7 pm
Clevel and: University Circle
Arabi ca, 1 1 300 Juni per Rd.
Upstairs, turn right, second room
on left.
Col umbus: Convention center
on street level around the corner
from the food court.
Dayton: TGI Friday'S off 725 by
the Dayton Mal l .
Oklahoma
Oklahoma City: Cafe Bel l a,
southeast corner of SW 89th St
and Penn.
Tulsa: Promenade Mal l food
court.
Oregon
Portland: Backspace Cafe, 1 1 5
N W 5th Ave. 6 pm
Pennsylvania
Al l entown: Panera Bread, 31 00
W Ti l ghman St. 6 pm
Harrisburg: Panera Bread, 4263
Union Deposit Rd. 6 pm
Phil adel phia: 30th St Station,
southeast food court near mi ni
post office.
South Carol i na
Charleston: Northwoods Mal l
i n the hal l between Sears and
Chi kFi l A.
South Dakota
Sioux Fal l s: Empire Mal l , by
Burger Ki ng.
Tennessee
Knoxvi l l e: Borders Books Cafe
across from Westown Mal l .
Memphi s: Quetzal , 664 Union
Ave. 6 pm
Nashville: Vanderbi l t University
Hill Center, Room 1 5 1 , 1 231 1 8th
Ave S. 6 pm
Texas
Austi n: Spi der House Cafe, 2908
Fruth St, front room across from
the bar. 7 pm
Houston: Ni nta's Express in front
of Nordstrom'S in the Gal l eri a
Mal l .
San Antoni o: North Star Mal l
food court. 6 pm
Utah
Sail Lake City: ZCMI Mal l i n The
Park Food Court.
Vermont
Burl i ngton: Borders Books at
Church St and Cherry St on the
second floor of the cafe.
Virgi ni a
Arl ington: (see District of
Col umbi a)
Charlottesvi l l e: Greenberry's
Coffee & Tea Company at the
Barracks Ad Shoppi ng Center.
6:30 pm
Virginia Beach: Lynnhaven Mal l
on Lynnhaven Parkway. 6 pm
Washlnglon
Seattle: Washington State
Convention Center. 2nd level ,
south si de. 6 pm
Spokane: Coffee Stati on, 931 5 N
Nevada (North Spokane). 6 pm
Wisconsin
Madison: Barri ques Coffee, 1 27
W Washington Ave.
All meetings tke place on
the firt Frday of the month_
Unless otherwise noted, they
start at bpm local time. To star
a meeting in your city send
email to meetlngs@200.com.
Pa
g
e 66
2600 Ma
g
azine