==Phrack Inc.== Volume Four, Issue Forty-One, File 2 of 13 [-=:< Phrack Loopback >:=-] By Dispater & Mind Mage Phrack Loopback is a forum for you, the reader, to ask questions, air problems, and talk about what ever topic you would like to discuss. This is also the place Phrack Staff will make suggestions to you by reviewing various items of note; books, magazines, software, catalogs, hardware, etc. In this issue: Comments on Phrack 40 : Rop Gonggrijp Fine Art of Telephony (re: Phrack 40) : Inhuman Question & Comment (BT Tymnet/AS400) : Otto Synch BT Tymnet article in Phrack 40 : Anonymous Phrack fraud? : Doctor Pizz Remarks & Warning! : Synaps/Clone1/Feyd One Ron Hults (re: Phrack 38 Loopback) : Ken Martin Hacking In Czecho-Slovakia : Stalker Phrack 40 is Sexist! : Ground Zero Phrack 40 is Sexist!? (PC Phrack) : Shit Kickin' Jim Misunderstood Hackers Get No Respect : The Cruiser Hackers Should Land In Jail, Not In Press : Alan Falk Anonymous Usenet Posting? : Anonymous Anonymous Mail Poster : Sir Hackalot Phrack On The Move : Andy Panda-Bear Computer Underground Publications Index : Amadeus Pirates v. AT&T: Posters : Legacy Irreverent Ultrix 4.2 Bug : Krynn PumpCon Hosed : Phil "The Outlander" 2600 Meeting Disrupted by Law Enforcement : Emmanuel Goldstein Two New Hardcovers : Alan J. Rothman _______________________________________________________________________________ Letters to the Editors ~~~~~~~~~~~~~~~~~~~~~~ From: rop@hacktic.nl (Rop Gonggrijp) (Editor of Hack-Tic Magazine) Date: August 14, 1992 Subject: Comments on Phrack 40 My compliments! You've put out one of the best issues to date. If you keep this up I'll have to get jealous! Rop Gonggrijp (rop@hacktic.nl) Dangerous and capable of making fax: +31 20 6900968 considerable trouble. ---------- From: Inhuman (Sysop of Pentavia BBS) Date: August 18, 1992 Subject: Fine Art of Telephony I just wanted to let you guys know that the article titled "The Fine Art of Telephony" was one of the best articles I've seen in Phrack in a long time. I hope to see more information on switching and general telephony in the future. Thanks, Inhuman ---------- Date: October 22, 1992 From: Otto Synch Subject: Question & Comment Hello, Reading your (huge) Phrack issue #40, and noticing that you were accepting comments and questions, I decided to post mine. First of all, please forgive the English. I'm French and can't help it :-) My comment: When I saw in the index that this issue was dealing with BT Tymnet, I felt very happy because I was looking for such information. And when I read it, I felt really disappointed. Toucan Jones could have reduced his whole article with the following lines: -> Find any Tymnet number. -> Dial and wait for the "Please log-in:" prompt. -> Log as user "help", no password required. -> Capture everything you want, it's free public information. I must say I was a bit surprised to find this kind of article in a high-quality magazine such as yours... My question: I'm currently trying to find out everything about a neat AS/400 I've "found," but I never saw any "hack report" on it. Do you know if there are any available? OK - Let's see if you answer. We feel somewhat lonely here in the Old Continent...but Phrack is here to keep the challenge up! Regards, > Otto Sync < ---------- From: Anonymous Date: August 19, 1992 Subject: BT Tymnet article in Phrack 40 Dear Phrack Staff, The BT Tymnet article in the 40th issue of Phrack was totally lame. I hate it when people enter Telenet or Tymnet's information facility and just buffer all the sh*t that's in there. Then they have the audacity to slap their name on the data as if they had made a major network discovery. That's so f*ck*ng lame! Phrack should make a policy not to accept such lame sh*t for their fine magazine. Is Phrack *that* desperate for articles? Crap like commercial dial- up lists is about as lame as posting a few random pages from the front of the white pages. The information is quickly outdated and easily available at any time to anyone. You don't hack this sh*t. Regards, Anonymous (anonymous because I don't want to hear any lame flames) [Editor's Response: We agree that buffering some dialup list is not hacking, however, in this specific case, a decision was made that not everyone had ready access to the information or even knew of its existence. Furthermore and more relevant to why the article appeared in Phrack, an article on Tymnet was appropriate when considering the recent events with the MOD case in New York. In the future, you may ask that your letter be printed anonymously, but don't send us anonymous mail.] ---------- From: Doctor Pizz Date: October 12, 1992 Subject: Phrack fraud? I recently received an ad from someone who was selling the full set of Phrack back issues for $100.00. I do believe that this is a violation of your rights to Phrack, as he is obviously selling your work for profit! The address I received to order these disks was: R.E. Jones 21067 Jones-Mill Long Beach, MS 39560 It seems he is also selling the set of NIA files for $50, a set of "Hacking Programs" for $40, LOD Tech Journals for $25, and lots of viruses. It sounds like some sort of copyright violation, or fraud, as he is selling public domain stuff for personal profit. At least you should be aware of this. Anyway, I look forward to receiving future volumes of Phrack! Keep up the good work. Good luck in stopping this guy! Thank you, --Doctor Pizz-- [Editor's Note: We look forward to hearing what our Phrack readers think about people selling hardcopies of Phrack for their own personal profit.] ---------- From: Synaps a/k/a Clone1 a/k/a Feyd Date: September 2, 1992 Subject: Remarks & Warning! Hi, I've been a regular reader of Phrack for two years now and I approve fully the way you continue Phrack. It's really a wonderful magazine and if I can help its development in France, I'll do as much as I can! Anyway, this is not really the goal of my letter and excuse me for my English, which isn't very good. My remarks are about the way you distribute Phrack. Sometimes, I don't receive it fully. I know this is not your fault and I understand that (this net sometimes has some problems!). But I think you could provide a mail server like NETSERV where we could get back issues by mail and just by MAIL (no FTP). Some people (a lot in France) don't have any access to international FTP and there are no FTP sites in France which have ANY issues of Phrack. I did use some LISTSERV mailers with the send/get facility. Could you install it on your LISTSERV? My warning is about a "group" (I should say a pseudo-group) founded by Jean Bernard Condat and called CCCF. In fact, the JBC have spread his name through the net to a lot of people in the Underground. As the Underground place in France is weak (the D.S.T, anti-hacker staff is very active here and very efficient), people tend to trust JBC. He seems (I said SEEMS) to have a good knowledge in computing, looks kind, and has a lot of resources. The only problem is that he makes some "sting" (as you called it some years ago) operation and uses the information he spied to track hackers. He organized a game last year which was "le prix du chaos" (the amount of chaos) where he asked hackers to prove their capabilities. It was not the real goal of this challenge. He used all the materials hackers send him to harass some people and now he "plays" with the normal police and the secret police (DST) and installs like a trade between himself and them. It's really scary for the hacking scene in France because a lot of people trust him (even the television which has no basis to prove if he is really a hacker as he claims to be or if he is a hacker-tracker as he IS!). Journalists take him as a serious source for he says he leads a group of computer enthusiasts. But we discovered that his group doesn't exist. There is nobody in his group except his brother and some other weird people (2 or 3) whereas he says there is 73 people in his club/group. You should spread this warning to everybody in the underground because we must show that "stings" are not only for USA! I know he already has a database with a lot of information like addresses and other stuff like that about hackers and then he "plays" with those hackers. Be very careful with this guy. Too many trust him. Now it's time to be "objective" about him and his group! Thanks a lot and goodbye. Synaps a/k/a Clone1 a/k/a Feyd ---------- From: Ken Martin <70712.760@compuserve.com> Date: November 17, 1992 Subject: One Ron Hults...(Phrack 38 Loopback) Dear Phrack Staff: This letter is concerning the letter in the Phrack Loopback column (#38, April 20, 1992) written by one Ron Hults. It suggests that all children should be disallowed access to a computer with a modem. The news release to which it is attached attempts to put an idea in the reader's mind that everything out there (on bulletin boards) is bad. Anyone who can read messages from "satanic cultists, pedophile, and rapists" can also read a typical disclaimer found on most bulletin boards which have adult material and communication areas available to their users, and should be able to tell the SysOp of a BBS how old he/she is. A child who is intelligent enough to operate a computer and modem should also be able to decide what is appropriate for him/her to read, and should have the sense enough to avoid areas of the BBS that could lead to trouble, and not to give their address and home phone number to the Charles Manson idols. (It is a fact that all adolescents have thoughts about sex; nothing can change that. The operator of a BBS also has the moral responsibility to keep little kids out of the XXX-Rated GIF downloading area.) One problem with that is BBSes run by the underground type (hack/phreak, these usually consist of people from 15-30 years of age). The operators of these let practically anyone into their system, from my experiences. These types of BBSes often have credit card numbers, telephone calling card numbers, access codes to credit reporting services, etc., usually along with text-file documents about mischievous topics. Mr. Hults makes no mention of these in his letter and press release. It is my belief that these types of systems are the real problem. The kids are fascinated that, all of a sudden, they know how to make explosives and can get lots of anything for free. I believe that the parents of children should have the sense enough to watch what they are doing. If they don't like the kind of information that they're getting or the kind of messages that they're sending to other users, then that is the time to restrict access to the modem. I am fifteen years old, and I can say that I have gotten into more than my share of trouble with the law as a result of information that I have obtained from BBSes and public communications services like CompuServe. The computer is a tool, and it always will be. Whether it is put to good use or not depends on its user. I have put my computer/modem to use in positive applications more than destructive ones. I would like Mr. Hults to think about his little idea of banning children from modem use, and to think about the impact it would have on their education. Many schools use computers/modems in their science and English curriculums for research purposes. Banning children from telecommunications is like taking away connection to the outside world and all forms of publication whatsoever when one takes a look around a large information service like CompuServe or GEnie, and sees all of the information that a service like this is capable of providing to this nation. Thanks, Ken Martin (70712.760@compuserve.com) a.k.a. Scorpion, The Omega Concern, Dr. Scott ---------- From: Stalker Date: October 14, 1992 Subject: Hacking In Czecho-Slovakia Hi there! I'm student from Czecho-Slovakia (for some stupid person who doesn't know, it's in middle Europe). Call me Stalker (if there is other guy with this name, call me what you want). If you think that computers, networks, hacking and other interesting things are not in Eastern Europe, you're WRONG. I won't talk about politicians. They really make me (and other men from computers) sick! I'll tell you what is interesting here right now. Our university campus is based on two main systems, VMS and ULTRIX. There's VAX 6000, VAX 4000, MicroVAX, VAXStation and some oldtimer machines which run under VMS. As for hacking, there's nothing interesting. You can't do some tricks with /etc/passwd, there's no main bug in utilities and commands. But, as I know, VMS doesn't crypt the packets across the network so you can take some PC and Netwatch (or any other useful software ) and try to see what is interesting on the cable. You can grab anything that you want (usernames, passwords, etc.). Generally, students hate VMS and love UNIX-like systems. Other machines are based on ULTRIX. We have DECstations (some 3100, some 5000) and one SM 52-12 which is something on VAX-11 :-(. It is a really slow machine, but it has Internet access! There's many users so you can relatively easily run Crack (excellent program) since passwd is not shadowed. Another useful thing is tftp (see some other Crack issues). There was a machine with enabled tftp, but after one incident, it was disabled. I would like to tell you more about this incident but sysadmins are still suspecting (they probably read my mail). Maybe after some months in other articles. Now I can tell you that I'm not a real UNIX-GURU-HACKER, but the sysadmins thought that I was. Someone (man or girl, who knows) has hacked one (or two) machines on our campus. Administrators thought that I was this mysterious hacker but I am not! He/she is much better than I and my friends. Today no one knows who the hacker is. The administrator had talked to him/her and after some weeks, gave him/her an account. He/she probably had root privileges for some time and maybe has these today. He/she uses a modem to connect. His/her login name is nemo (Jules Verne is a popular hero). I will try to send mail to him/her about Phrack and maybe he/she will write interesting articles about himself. And some tips. Phrack is very interesting, but there's other interesting official files on cert.org (192.88.209.9) available via anonymous FTP. This is the Computer Emergency Response Team (CERT) FTP server. You can find interesting information here about bugs in actual software, but you will see only which command or utility has the bug, not how to exploit it. If you are smart enough, there's nothing to say. If you are not, you must read Phrack! :-) Bye, Stalker ---------- From: Ground Zero Date: August 25, 1992 Subject: Phrack 40 is Sexist! Hi, just a quick comment about Phrack's account of SummerCon: I don't think your readers need to know or are really interested in hearing about the fact that Doc Holiday was busy trying to pick up girls or that there were some unbalanced teeny-boppers there offering themselves to some of the SummerCon participants. Also, as a woman I don't care for your characterizations of females in that file. I'm not trying to nitpick or be politically correct (I hate PC), I'm just writing because I felt strongly enough about it. Ciao. Ground Zero (Editor of Activist Times, Inc./ATI) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - From: Shit Kickin' Jim Date: September 11, 1992 Subject: Phrack 40 is Sexist!? (PC Phrack) Listen here woman. I don't know whut yer big fat butt thinks Phrack wuz tryin' to insinuate. Lemme tell yew a thang er two. First of all, Phrack ain't run by some little pip-squeek faggot ass pansies. Ah mean wut are you sum kinda hOmOsexual? Here's what ah mean. NOW here iz a real story 'bout me and one a my bestest friends: 4x4 Phreaker. See 4x4 Phreaker come down to Texas fur a little hackin adventure. Even though he lives up there in Yankee-land, 4x4 Phreaker iz a pretty good ol' boy. Whuddya think real manly hackers do when they get together? Go stop by Radio Shack and buy shrink wrap? HELL NO! We fuckin' went to Caligula XXI. Fur yew ol' boys that ain't from 'round here er yer a fauygut out there that might be readin this, Caligula XXI specializes in enertainmunt fer gennelmen. Now, me and 4x4 Phreaker didn't go to hawk at some fat nasty sluts like you might see at your typical Ho-Ho Con. We went with the purpose in mind of seein a real movie star. Yup Christy Canyon was in the house that night. 4x4 Phreaker and me sat down at a table near the front. At that point I decided that I'd start trollin for babes. Yep that's right I whipped out an American Express Corporate Gold card. And I'll be damned if it weren't 3 minutes later me and 4x4 Phreaker had us 2 new found friends for the evening. So anywayz, yew can see we treated these two fine ladies real nice and they returned the favor. We even took em to Waffle House the next mornin'. So I dunno where yew git off by callin us sexist. Yer just some Yankee snob big city high horse woman who expects to be a takin care of. God bless George Bush and his mistress Jennifer whutz her name. :Shit Kickin' Jim (Madder than a bramer bull fightin a mess of wet hornets) _______________________________________________________________________________ Misunderstood Hackers Get No Respect August 10, 1992 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ by The Cruiser (ComputerWorld)(Page 24)(Letters to the Editor) I just read the replies to Chris Goggans' "Hackers aren't the real enemy" [ComputerWorld, June 29], and I thought I'd address a few of the points brought up. I'm a hacker -- which means that I'm every system administrator's nightmare. Hardly. Many hackers are politically aware activists. Besides being fueled by an obsession for mastering technology (I call it a blatant disregard for such), true hackers live and obey a strict moral code. All this talk about the differences between voyeurism and crime: Please, let's stop comparing information access to breaking into someone's house. The government can seize computers and equipment from suspected hackers, never to return it, without even charging a crime. I will not sit back and let Big Brother control me. The Cruiser _______________________________________________________________________________ Hackers Should Land In Jail, Not In Press October 19, 1992 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ by Alan Falk (ComputerWorld)(Page 32)(Letters to the Editor) The letters you get from avowed hackers seem to glorify the virtues of hacking. I find this very disturbing for a simple reason: It completely ignores the issue of private property. The computer systems they hack into (pun intended) and the databases they try to access, as well as the data in the databases, are private property. An analogous argument might be that breaking and entering a jewelry store and taking off with some valuables is really a way of testing the security controls at the jeweler's establishment. They're really just doing it for the excitement and challenge. Would they promote voyeurism based on the "logic" that "after all, if they didn't want me to look, they'd have pulled the drapes closer together?" The fact that there's challenge or excitement involved (or even commitment, intellect or whatever) does not change the issue. I suggest that hackers who gain entry to systems against the wishes of the systems' owners should be treated according to the laws regarding unlawful entry, theft, etc. Alan Falk Cupertino, California _______________________________________________________________________________ Anonymous Usenet Posting? ~~~~~~~~~~~~~~~~~~~~~~~~~ Date: August 19, 1992 From: Anonymous I've read in Phrack all about the different ways to send fake mail, but do any of the readers (or Mind Mage) know anything about anonymous newsgroup posting? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Anonymous Mail Poster August 4, 1992 ~~~~~~~~~~~~~~~~~~~~~ by Sir Hackalot Here is some C source to a simple "anonymous" mail poster that I wrote a LONG time ago. It's just one of many pieces of code I never gave to anyone before. You may find it useful. Basically, it will connect to the SMTP port and automate the sending. It will allow for multiple recipients on the "To:" line, and multiple "To:" lines. From: sirh@sirh.com ------ Cut here for fm.c ----- #include #include #include #include #include #include #include #include #include #include int openSock(name,port) char *name; int port; { int mysock,opt=1; struct sockaddr_in sin; struct hostent *he; he = gethostbyname(name); if (he == NULL) { printf("No host found..\n"); exit(0); } memcpy((caddr_t)&sin.sin_addr,he->h_addr_list[0],he->h_length); sin.sin_port = port; sin.sin_family = AF_INET; mysock = socket(AF_INET,SOCK_STREAM,0); opt = connect(mysock,(struct sockaddr *)&sin,sizeof(sin)); return mysock; } /* This allows us to have many people on one TO line, seperated by commas or spaces. */ process(s,d) int d; char *s; { char *tmp; char buf[120]; tmp = strtok(s," ,"); while (tmp != NULL) { sprintf(buf,"RCPT TO: %s\n",tmp); write(d,buf,strlen(buf)); tmp = strtok(NULL," ,"); } } getAndSendFrom(fd) int fd; { char from[100]; char outbound[200]; printf("You must should specify a From address now.\nFrom: "); gets(from); sprintf(outbound,"MAIL FROM: %s\n",from); write(fd,outbound,strlen(outbound)); } getAndSendTo(fd) int fd; { char addrs[100]; printf("Enter Recipients, with a blank line to end.\n"); addrs[0] = '_'; while (addrs[0] != '\0') { printf("To: "); gets(addrs); process(addrs,fd); } } getAndSendMsg(fd) int fd; { char textline[90]; char outbound[103]; sprintf(textline,"DATA\n"); write(fd,textline,strlen(textline)); printf("You may now enter your message. End with a period\n\n"); printf("[---------------------------------------------------------]\n"); textline[0] = '_'; while (textline[0] != '.') { gets(textline); sprintf(outbound,"%s\n",textline); write(fd,outbound,strlen(outbound)); } } main(argc,argv) int argc; char *argv[]; { char text[200]; int file_d; /* Get ready to connect to host. */ printf("SMTP Host: "); gets(text); /* Connect to standard SMTP port. */ file_d = openSock(text,25); if (file_d < 0) { printf("Error connecting to SMTP host.\n"); perror("smtp_connect"); exit(0); } printf("\n\n[+ Connected to SMTP host %s +]\n",text); sleep(1); getAndSendFrom(file_d); getAndSendTo(file_d); getAndSendMsg(file_d); sprintf(text,"QUIT\n"); write(file_d,text,strlen(text)); /* Here we just print out all the text we got from the SMTP Host. Since this is a simple program, we didnt need to do anything with it. */ printf("[Session Message dump]:\n"); while(read(file_d,text,78) > 0) printf("%s\n",text); close(file_d); } ----- End file fm.c _______________________________________________________________________________ From: Andy Panda-Bear Date: September 25, 1992 Subject: Phrack on the move To Whom It May Concern: I love reading your Phrack articles and find them very, very informative as well as helpful. I was wondering in you've ever or plan to put together a compendium of related articles. For instance, you could make a Phrack guide to telephony and include all telephone/telecommunications articles. Perhaps a "Phrack Guide to UNIX" or "Phrack Guide to Internet" could be produced. It could have reprints of past articles along with commentaries by individuals who care to share their knowledge. Anyway it's just something to think about. Thanks for many megabytes of useful info and keep it coming. Later, Andy Panda-Bear ---------- Computer Underground Publications Index ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ by Amadeus I just finished the new edition of the Phrack Index, now called the Computer Underground Publications Index since it now includes the issues of the Legion of Doom Tech Journals and Informatik. You can get it from ftp.uu.net as /tmp/CUPindex I have already sent it to da folks at CUD so that they may enter it into their archives. The CUP has been updated to included all the Phracks up to 40. C'ya Amadeus _______________________________________________________________________________ Pirates v. AT&T: Posters August 8, 1992 ~~~~~~~~~~~~~~~~~~~~~~~~ by Legacy Irreverent (legacy@cpu.cyberpnk1.sai.com) On May 24 1992, two lone Pirates, Legacy of CyberPunk System, and Captain Picard of Holodeck, had finally had enough of AT&T. Together, they traveled to the AT&T Maintenance Facility, just west of Goddard, Kansas, and claimed the property in the name of Pirates and Hackers everywhere. They hoisted the Jolly Roger skull and crossbones high on the AT&T flagpole, where it stayed for 2 days until it was taken down by security. This event was photographed and videotaped by EGATOBAS Productions, to preserve this landmark in history. And now you can witness the event. For a limited time we are offering a 11" x 17" full color poster of the Jolly Roger Pirate flag flying high over AT&T, with the AT&T logo in plain view, with the caption; "WE CAME, WE SAW, WE CONQUERED." These are $5.50 each and are laminated. Also available, by request is a 20" x 30" full color photograph, and a cotton T-shirt with the same full color picture on the front, for $20 each. If you are interested in purchasing any of the above items, simply send check or money order for the amount to: CyberPunk System P.O. Box 771027 Wichita, KS 67277-1072 A GIF of this is also available from CyberPunk System, 1:291/19, 23:316/0, 72:708/316, 69:2316/0. FREQ magicname PIRATE Any questions, send them to Legacy@cpu.cyberpnk1.sai.com _______________________________________________________________________________ Ultrix 4.2 Bug ~~~~~~~~~~~~~~ By Krynn A bug was discovered in Ultrix 4.2 upgrade version. It involves npasswd, and root. It is quite simple, and a patch/fix is available. Here is a description of the hole: Sys Admin's username: mradmin Any user's username : mruser Okay, mruser has forgotten his password, which isn't good. Mruser goes to mradmin and asks mradmin to change his password to newpass. Mradmin does so. Mradmin now will su to root, and npasswd mruser. He will enter mruser's new password, newpasswd. It will appear in the /etc/passwd that mruser's password is a "*" (shadowed), and that it has been changed, but it hasn't. The password changed was root's, meaning root's password is now newuser. A fix is available via anonymous ftp at: black.ox.ac.uk /src/npasswd.enhanced.shar.Z The original is there as /src/npasswd jpl.tar.Z _______________________________________________________________________________ PumpCon Hosed November 5, 1992 ~~~~~~~~~~~~~ by Phil "The Outlander" PumpCon '92 was held this past weekend at the Westchester Courtyard by Marriott, and was shut down in spades. It began like any typical hacker/phreak/cyberpunk's convention, with lots of beer, lots of shooting the bull, and lots of people from around the country, except that the guests got sloppy, stupid, noisy, and overconfident. The manager of the hotel, accompanied by three town of Greenborough police officers, entered the room at approximately 10pm on Saturday. The manager had received complaints about noise and vandalism from some of the hotel's other guests. She claims to have tried to call the room several times before physically entering, but the room's telephone line was consistently busy. The police officers noticed the multiple open (and empty) beer bottles scattered around the room and were gearing up to make some arrests for "Unlawful Possession of Alcoholic Beverages by Underage Persons" when one of the policemen spotted an Amiga, connected to a US Robotics modem, which was in turn connected to the suite's phone line. The "stolen" calling card was all the probable cause necessary to upgrade the charges to "Wire Fraud." Everyone in the suite was detained for questioning. Standard investigation procedure was followed. The entire case was handled by local authorities, including the Westchester County DA. To my knowledge, the FBI and Bell Security people were not called in (or if they were, it was after I was released). Each detainee was body-searched for diskettes, hand-written notes about credit and computer services, autodialers, and the like. The suite where PumpCon had taken place was also searched. Hardware seized includes at least two Amigas with monitors, modems, and diskettes, and one AT&T dumb terminal with modem. Each of the detainees was interviewed in turn. Just before dawn on the morning of Sunday, November 1st, the police began making the actual arrests. Four to eight people were arrested and taken to the local jail. The rest of the detainees were released with no charges or arrests filed. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - And now on a personal note to anybody who is new to the world of hacking: Many of the attendees to PumpCon '92 were just like me. I was aware of the possible consequences of an arrest, but the full enormity of the possibilities hadn't sunk in. Getting busted can really ruin your life, and I am unwilling to sacrifice my liberty and get a criminal record just for the thrill of hanging out with the "eleet." I was personally terrified out of my skull and went right off any dreams I had of being some kind of big-time cyberpunk. The law had us outgunned ten to one (literally and figuratively) and I as I write this on Monday night I still haven't stopped shaking. To anyone who hasn't considered what it would be like to get seriously busted, I want you to try and picture the scene that night, and comes the dawn, a lot of the people you were partying with just twelve hours earlier are carted away in handcuffs to face an uncertain future. The attendees of PumpCon, including myself and with few exceptions, were utter and complete fools. They thought that they could act like jerks, bust up the hotel, and phreak off the room lines without bringing down the heat like a jet of molten lava. They thought they were too smart to get caught. They thought that they were immortal. They thought wrong, and now some of them are going to pay for it. I got lucky. I was released, and I learned some invaluable lessons. I can't stress enough to anybody out there who is treating the state of the Hack like it's a big game: You aren't going to get your marbles back when the night is over. The stakes are real. Ask yourself if you can deal with the possibilities of ruining your life before it's even begun. Everyone must make their own decision. You are only given this one chance to bail out now; any others that come along are blessings from on high. If you do decide to live in the computer underground, I can only offer this advice: Cover your a$$. Do not act foolishly. Do not associate with fools. Remember that you are not immortal, and that ultimately there are no safety nets. Intelligence can't always save you. Do not, in your arrogance, believe that it will. My time as a cyberpunk has been short and undistinguished but it has taught me this much. I'm not saying that you should not become a hacker. If that is truly your wish, then I'm not one to stop you. I'm just warning you that when the fall comes, it can come hard, and there's nobody who can help you when you've gone far enough past the line. Phil "The Outlander" _______________________________________________________________________________ 2600 Meeting Disrupted by Law Enforcement December 12, 1992 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ by Emmanuel Goldstein (Editor of 2600 Magazine) The following is a letter I wrote to the Washington Post in response to their article about the incidents at the Pentagon City Mall on November 6, entitled, "Hackers Allege Harassment at Mall" (dated November 13, page A1). Their article failed to focus on the startling revelation of federal government involvement and the ominous implications of such an action. The article also does little to lessen the near hysteria that is pumped into the general public every time the word "hacker" is mentioned. Let us take a good look at what has been confirmed so far. A group of computer hackers gathered at a local mall as they do once a month. Similar meetings have been going on in other cities for years without incident. This gathering was not for the purposes of causing trouble and nobody has accused the hackers of doing anything wrong. Rather, the gathering was simply a place to meet and socialize. This is what people seem to do in food courts and it was the hackers' intention to do nothing more. When mall security personnel surrounded the group and demanded that they all submit to a search, it became very clear that something bizarre was happening. Those who resisted were threatened with arrest. Everyone's names were written down, everyone's bags gone through. One person attempted to write down the badge numbers of the people doing this. The list was snatched out of his hand and ripped to pieces. Another hacker attempted to catch the episode on film. He was apprehended and the film was ripped from his camera. School books, notepads, and personal property were seized. Much of it has still not been returned. The group was held for close to an hour and then told to stay out of the mall or be arrested. This kind of treatment is enough to shock most people, particularly when coupled with the overwhelming evidence and eyewitness accounts confirming no unusual or disruptive behavior on the part of the group. It is against everything that our society stands for to subject people to random searches and official intimidation, simply because of their interests, lifestyles, or the way they look. This occurrence alone would warrant condemnation of a blatant abuse of power. But the story doesn't end there. The harassment of the hackers by the mall police was only the most obvious element. Where the most attention should be focused at this point is on the United States Secret Service which, according to Al Johnson, head of mall security, "ramrodded" the whole thing. Other media sources, such as the industry newsletter Communications Daily, were told by Johnson that the Secret Service was all over the mall that day and that they had, in effect, ordered the harassment. Arlington police confirm that the Secret Service was at the mall that day. It is understood that the Secret Service, as a branch of the Treasury Department, investigates credit card fraud. Credit card fraud, in turn, can be accomplished through computer crime. Some computer hackers could conceivably use their talents to accomplish computer crime. Thus we arrive at the current Secret Service policy, which appears to treat everybody in the hacker world as if they were a proven counterfeiter. This feeling is grounded in misperceptions and an apprehension that borders on panic. Not helping the situation any is the ever-present generation gap -- most hackers are young and most government officials are not. Apart from being disturbed by the gross generalizations that comprise their policy, it seems a tremendous waste of resources to use our Secret Service to spy on public gatherings in shopping malls. It seems certain to be a violation of our rights to allow them to disrupt these meetings and intimidate the participants, albeit indirectly. Like any other governmental agency, it is expected that the Secret Service follow the rules and not violate the constitutional rights of citizens. If such actions are not publicly condemned, we will in effect be granting a license for their continuance and expansion. The incident above sounds like something from the darkest days of the Soviet Union when human rights activists were intimidated by government agents and their subordinates. True, these are technology enthusiasts, not activists. But who they are is not the issue. We cannot permit governmental abuse of any person or group simply because they may be controversial. Why do hackers evoke such controversy? Their mere presence is an inconvenience to those who want so desperately to believe the emperor is wearing clothes. Hackers have a tendency of pointing out the obvious inadequacies of the computer systems we entrust with such a large and growing part of our lives. Many people don't want to be told how flimsily these various systems are held together and how so much personal data is readily available to so many. Because hackers manage to demonstrate how simple it is to get and manipulate this information, they are held fully responsible for the security holes themselves. But, contrary to most media perceptions, hackers have very little interest in looking at other people's personal files. Ironically, they tend to value privacy more than the rest of us because they know firsthand how vulnerable it is. Over the years, hackers have gone to the media to expose weaknesses in our credit reporting agencies, the grading system for New York City public schools, military computer systems, voice mail systems, and even commonly used push button locks that give a false sense of security. Not one of these examples resulted in significant media attention and, consequently, adequate security was either delayed or not implemented at all. Conversely, whenever the government chooses to prosecute a hacker, most media attention focuses on what the hacker "could have done" had he been malicious. This reinforces the inaccurate depiction of hackers as the major threat to our privacy and completely ignores the failure of the system itself. By coming out publicly and meeting with other hackers and non-hackers in an open atmosphere, we have dispelled many of the myths and helped foster an environment conducive to learning. But the message we received at the Pentagon City Mall tells us to hide, be secretive, and not trust anybody. Perhaps that's how the Secret Service wants hackers to behave. But we are not criminals and we refuse to act as such simply because we are perceived that way by uninformed bureaucrats. Regardless of our individual outlooks on the hacker issue, we should be outraged and extremely frightened to see the Secret Service act as they did. Whether or not we believe that hackers are decent people, we must agree that they are entitled to the same constitutional freedoms the rest of us take for granted. Any less is tantamount to a very dangerous and ill-advised precedent. Emmanuel Goldstein Editor, 2600 Magazine -- The Hacker Quarterly (516)751-2600 (NOTE: 2600 Magazine coordinates monthly hacker meetings throughout the country.) _______________________________________________________________________________ Two New Hardcovers November 24, 1992 ~~~~~~~~~~~~~~~~~~ by Alan J. Rothman (New York Law Journal)(Page 5) During the opening sequence of the classic English television series "The Prisoner," the lead character known only as Number 6 (brilliantly played by Patrick McGoohan) is abducted and taken to a secret location called "The Village." He desperately pleads with his captors "What do you want?" Their grim response is "Information." Through 17 thrilling episodes, his kidnappers staged elaborate high-tech ruses to find out why he quit work as a spy. Had this story been set in the 1990s rather than the 1960s, all The Village's proprietors would have needed was a PC and a modem. They could have assembled a composite of Number 6's movements by cross-referencing records from any of the commercial data bases containing the details of nearly everyone's daily activities. Then with a bit of ingenuity, they could have tried to steal even more information by hacking into other restricted data systems. No longer fiction, but common fact, the billowing growth in the computers and telecommunications networks everywhere is generating urgent legal issues regarding the content, usage and ownership of the data coursing through them. Dilemmas have also surfaced concerning the responsibilities of the businesses which gather, sift and repackage such information. Indeed, a critical juncture has now been reached where the basic constitutional rights of privacy and expression are colliding with the ever-expanding reach of modern technology. Two well-crafted books have recently been published which together frame the spectrum of relevant individual rights issues in these areas with uncanny symmetry. Fortunately, neither degenerates into a "computers are bad" jeremiad. Rather, they portray an appropriate balance between the virtues of computerization and disturbing cases of technological misuse for wrongful commercial and governmental ends. Presenting array of new forms of electronic encroachment on personal privacy is Jeffrey Rothfeder's alarming new book, "Privacy for Sale: How Computerization Has Made Everyone's Private Life an Open Secret" (Simon & Schuster, 224 pages, $22). He offers the chilling thesis that anyone can find out nearly anything regarding anybody and there is nowhere left to hide. He convincingly states his case in a concise and insightful exploration of the trends and abuses in the mass processing of personal data. The fascinating mechanics of how and where information about virtually every aspect of our lives is gathered and then computerized are extensively described. The most productive fonts include medical records, credit histories, mortgage applications, subscription lists, phone records, driver's licenses and insurance forms. Yet notwithstanding the legitimate commercial and regulatory reasons for providing these facts, the author carefully documents another more deeply hidden and troubling consequence of volunteering such information: It is constantly resold, combined with other sources and reused without your knowledge or permission for purposes entirely different from those you first intended. Mr. Rothfeder alleges the most perilous result of these activities is the growing and highly organized sales, integration and cross-matching of databases. Businesses and government entities now have sophisticated software to generate complex demographic profiles about individuals, populations and geographic areas. In turn, these computer-generated syntheses are increasingly used for invasive and discriminatory purposes. Numerous examples of such misuse are cited, ranging from slightly annoying to purely horrifying. The astonishing breadth of this roster includes the sale of driver's license information with height weight specifications to clothes marketers for tall men and thin women, purchases of credit histories and workmen's compensation claims reports by prospective employers who believe this material is indicative of a job applicant's character, and the creation of "propensity files" by federal agencies to identify people who have not committed any offense but might likely be criminals. Two additional problems pervade the trafficking of intimate information. First, there is little or no federal legislation to effectively protect people from certain problems presented in the book. For example, the release of medical records thought to be "confidential" is virtually unprotected. Second, it can be extremely difficult to have false entries corrected before they have a ripple effect on your other data. Beyond the common tales of frustration at clearing up a faulty credit report, Mr. Rothfeder relates the case of a man denied any health insurance because his medical records contained an erroneous report he was HIV positive. JOURNEY IN CYBERSPACE Turning to a much more accurate account, author Bruce Sterling takes readers into the ethereal realm of "cyberspace" where computers, networks, and electronic bulletin boards systems (BBS) are linked together by phone. In his first non-fiction work, "The Hacker Crackdown: Law and Disorder on the Electronic Frontier" (Bantam, 328 pages, $23), he chronicles the U.S. government's highly visible efforts in 1990 to prosecute "hackers" it suspected of committing crimes by PC and modem. However, Mr. Sterling distinguishes this term as being more about active computer enthusiasts, most of whom have never committed any wrongdoing. The writer's other credits include some highly regarded "cyberpunk" science fiction, where computer technology is central to the plots and characters. The "crackdown" detailed by the author began with the crash of AT&T's long- distance phone system on January 15, 1990. Although it has never been proven that hackers were responsible, this event served as the final catalyst to spur federal law enforcement agencies into concerted action against a suspected underground of computer criminals. A variety of counter-operations were executed. Most notable was Operation Sundevil the following May when agents around the country seized 42 computer systems, 23,000 diskettes, and halted 25 BBS's where the government believed hackers were exchanging tips of the trade. Some of the government's resulting prosecutions through their nationwide efforts were moderately successful. However, the book's dramatic centerpiece is the trial of Craig Neidorf (a.k.a. Knight Lightning). Mr. Neidorf was a contributor to Phrack, an electronic magazine catering to hackers, available on various BBS's. In January 1989, another hacker named "Prophet" transmitted a document he pilfered from BellSouth's computers regarding the 911 emergency system to Neidorf. Together they edited the text, which Neidorf then published in Phrack. In July 1990, he was placed on trial for federal charges of entering a fraudulent scheme with Prophet to steal this document. The government alleged it was worth $79,499 and that its publication threatened emergency operations. To the prosecutor's dismay, the case was dropped when the defense proved the same material was publicly available for only $13. With insight and style, Mr. Sterling uses this and other events to cast intriguing new spins on applicable civil liberties issues. Are the constitutional guarantees of freedom of expression and assembly fully extended to BBS dialogs and gatherings? What degree of privacy can be expected for personal data on systems which may be subject to surreptitious entry? Are hackers really breaking any laws when merely exploring new systems? Is posting a message or document on a BBS considered a "publication"? Should all BBS's be monitored just because of their potential for illegal activity? What are the responsibilities of BBS operators for the contents of, and access to, their systems? The efforts of Mitchell Kapor, the co-developer of Lotus 123 and now chairman of ONtechnology, are depicted as a direct response to such issues raised by the crackdown. Mr. Kapor assembled a prominent group of fellow computer professionals to establish the Electronic Frontier Foundation (EFF), dedicated to education and lobbying for free speech and expression in electronic media. As well, EFF has provided support to Craig Neidorf and others they consider wrongly charged with computer crime. Weighty legal matters aside, the author also embellishes his story with some colorful hacker lore. These denizens of cyberspace are mostly young men in their late teens or early twenties, often fueled by junk food and propelled by macho. Perhaps their most amusing trait is the monikers they adopt -- Bloodaxe, Shadowhawk, and of course, Phiber Optik. Someone else, a non-hacker involuntary given the pseudonym "Number 6," knew his every act was continually being monitored and recorded against his will. As a manifestation of resistance to this relentless surveillance, he often bid farewell to other citizens of the Village with a sarcastic "Be seeing you." Today, the offerings of authors Rothfeder and Sterling provide a resounding "And you" as a form of rejoinder (often uttered by The Village's citizens as well), to publicize the ironic diversity threats wrought by information technology. Number 6 cleverly managed to escape his fictional captivity in The Village during the final (and mind-boggling) episode of The Prisoner. However, based on the compelling evidence presented in these two books, the protection of individual rights in the reality of today's evolving "global village" of computer networks and telecommunications may not be so neatly resolved.