WHA Rf;.QLL Y IJI.Q "Hac(.cing can get you in a who(e (0+ �ore +rout>(e than you +hink and if a co�p(ete(y creepy +hing +0 do." - lXlJ wet> page ai�ed a+ kidf +0 difcourage hacking (www.u5doj.!Jov/k.jd5pa!Je/do ..do nt/reck.(e55.ht�)

s'rll If If 2600(lSSN 0749-3851) is published Editor-In-Chief quarterly by 2600 Enterprises Inc. Emmanuel Goldstein 7 Strong's Lane, Setauket, NY 11733. Second class postage permit paid at lavoUI and Design shapeSHIFTER Setauket, New York.

Cover Design snc. The Chopping Block Inc. POSTMASTER: Send address changes to OfficeManager P.O. Box 752, Middle Island. NY Tamprut 2600, 11953-0752. Wrilers:Bernie S .. Billst. Blue Whale. Copyright (c) 1999 2600 Enterprises. Inc. Noam Chomski. Eric Corlev. Dr. Delam. Yearly subscription: U.S. and Canada - Derneval. Nathan Dortman. John Drake. $18 individual, $50 corporate (U.S. funds). Paul Estev. Mr. French. Thomas Icom. Joe630. Kingpin. Mm. Kevin Mitnick. The Overseas - $26 individual. $65 corporate. Prophet. David Ruderman. Seraf. Silent Back issues available for 1984-1998 at $20 Switchman. Scott Skinner. Mr. Upsetter per year. $25 per year overseas. Individual issues available from 1988 on Webmaslers:Kerrv. Macki at $5 each. S6.25 each overseas. Nelwork Ooeralions:CSS.lzaac

Broadcasl Coordinalors: Juintz. ADDRESS ALL Shihlock. AbsoluteO. silicon. cnote. Anakin SUBSCRIPTION CORRESPONDENCE TO: IRC Admins:autojack. ross 2600 Subscription Dept., P.O. Box 752. Insoiralional Music: Joe Strummer. Middle Island. NY 11953-0752 Svd Barrett. real earlv Flovd. Ron Geesin ([email protected]). ShoUI OUIS: Hippies From Hell. etov. claudus. The Stony Brook Press. 112. FOR LETTERS AND ARTICLE www.indvmedia.org.Studio X. and everyone who stood UP in Seallle SUBMISSIONS, WRITE TO: RIP: Krvstalia 2600 Editorial Dept., P.O. Box 99, Middle Island, NY 11953-0099 Good luck: Nahali ([email protected], [email protected]). 2600 Office Line: 516-751-2600 2600 FAX Line: 516-474-2677 Viulencer Vandalsr Victims

As the 90's fade into history, it's not down the USIA for eight days. This is how likely the unhealthy trends of our society long it took them to lnstall decent security, will do the same anytime soon. In many something they had never bothered to do In ways we've become practically enslaved to the first p1ace:He didn't take away their se­ the corporate agenda, to the great detriment curity - fhey never had it to begin with. But of the individual. this fact wasn't seen as relevant In any of the The signs have been around for a while. stories that ran. And what about the act of You've seen them repeatedly in these pages. taking a oung person away from his People interested in technology who ask100 friends an family for more than a year and many: questions or probe too aeeply or thor­ forcing himJ to live with potentially danger­ ougnly are seen as a threat because they ous cnminals? Well... that's justice. might adversely affect profits or embarrass In both cases that which is most precious those in authonty. The net has steadily been to our society - the individual- was made to transforming from a place where freedom of suffer because their actions and form of ex­ speech is paramounf to one where it all re­ pression caused humiliation of some greater volves around the needs of business. power. We've seen this before in the hacker Now there's nothing wrong with com­ world with Bernie S. and Kevin Mitnick mprce, people making a profit, or even peo­ (who is at last scheduled for release on Janu­ ple wHo just don't care about the thIngs ary 21, 2000). Peor.le who go to forbidden others value. After all, there's room for all places, utter. forbiad�n speech, or are just types in the world as well as on the net. But seen as an Inconvemence are stepped on, that's not how it's panning out. Increasingly, abused, even tortured. the needs of the individual are bein� saCrI­ Why: punish such relatively harmless in­ ficed for the needs of big business. "Corpo­ dividuals, whether they be hackers or rate mentalitv is replacIng our sense of demonstrators, with such passionate individual liberty. And ifs pointing us vengeance? Could it be that their very exis­ down a very dark road. tence constitutes a real threat that the au­ Consider things that have happened in thorities have no idea how to handle? the very recent past. In Seattle, the disparities between what A teenage hacker from Washington State happened and what was reported were al­ pleaded guilty to hacking several prominent mos1 comical - vandalism of commercial government web sites, including the White property being reported as violence whereas House and the United States Tnformation viofence agaInst individuals was mostly Agency. Despite there being no damage glossed over, with the exception of certain caused to any: of the sites (apart from embar­ foreign and alternative media. What kind of rassment ana having the index.html file re­ a sOCiety are we turning into when commer­ named), the government felt that 15 months cial losses are more important than the hu­ in prison ana a $40,000 fine was appropri­ man injuries? How couId the good people of ate. Rej?orts say: he could have gotten 15 years Time/Warner (CNN) have missed this? Or and a $"250,000 fine. Microsoft and General Electric (MSNBC)? Later that same month coincidentally in Or even Disney !ABC)? Why would SUCh the same state, police fired tear gas and shot bastions of journalism Ignore the real story:? rubber bullets at a crowd of peaceful Were they maybe more concerned with demonstrators who were protesting the whether the WTO would continue to look World Trade Organization's meeting in Seat­ out for them and their interests? tle. Many said it was the worst civIl unrest We ma indeed have developed a horri­ since Vietnam. bly cynicar outlook on society. fi's hard not At first glance, you might not think these to when things like this are so often toler­ stories have very much to do with one an­ ated. But the flipside is that our view of the other. But when you analyze them a little individual has only strengthened. If there's more closely, it's not difficult to see that they one thing we've learned from recent events, are both symptoms of the same disease. it's that people aren't as brain dead as we Much of the un\Jfovoked brutality in­ were led to Believe. People do care, they are flicted by the Seattle Police went unre­ paying attention, and tHey see the ominous ported, despite the abundance of sound and fanes of the future. Few persons seem to r.icture images. But every major network trust the government anymore, big business dutifully ran a story about the "violent anar­ is increaSIngly seen as a threat to our free­ chists" who started all the trouble. In the dom, and individual troublemakers are fill­ end, whenever the word "violence" was ing our expanding prison system. mentioned, one thought only of those peo­ It's nof very difficult to see how we got ple. to this sorry state. All of the mergers and Zyklon caused no damage to any of the consolidation of power have carried a heavy systems he got into. Yet tfie mass media and inevitable price. The real question IS painted him as someone dangerous. He re­ how do we regaIn control of our destinies? named a file. But all reports say that he shut 'smU'."'S.1,1.'tI,'*}1 Winter 1999-1900 Page S files on the 0.62 boot disk. Follow the in­ structions for unzipping and making the The fOllo�Tn��Ws described boot disk and the data disk. If you can't for the purposes of education. I'm aware get this far, you have no business doing this procedure could be and has been this in the first place. used to circumvent the security of any When this is done, copy ntfs.o to the Windows NT machine which the user has boot disk, edit the Modules file, add the physical access to. I do not condone the line "ntfs" to it (no quotes), and save the use of this information for illegal pur­ file. At this point it is best if you boot the poses, nor am I responsible for anything disk a few times, first to test it and sec­ stupid anyone does with this information. ond to get familiar with what will happen NTFS support in Linux is still Beta, read­ and how Trinux will respond to com­ ing and copying from the drive is safe, mands given it. This way there are no but copying to the drive is an "at your sunrises. own risk" deal. WHAtl'JERt Now take the two floppies to the ma­ �One of the many misconceptions about Windows NT is that it's a secure chine you want to access. Boot the first operatin9 system and that by formatting disk. When it asks if you have a data disk, a disk with NTFS and properly setting put in the second disk and type "y" then permissions, nobody can access the in­ hit return. It will then ask you again. Type formation on that disk without permission "n" and hit return. to do so. When it is finished booting, you will There are two problems with this the­ have a "Trinux 0.61" prompt. Type "ins­ ory. First, it is wrong. Second, all it really mod ntfs.o" - this loads the NTFS support. does is make crash recovery more diffi­ cult. I will describe a method for circum­ Type "mount -t ntfs /dev/hda1 /mnt" - venting NTFS security: using a Linux this will mount the first partition on the first boot disk. This can be useful in many hard drive. This assumes the first partition ways. From the system administrator's on the first hard drive is an NTFS parti­ view, this is an excellent way to get ac­ tion. If not, the following table will give you cess to important files on a system that an idea of how to mount the proper drive. has crashed before formatting the hard These are for IDE drives: drive and reinstalling NT. From the /dev/hda1 hacker's view, it gives access to the sys­ tem files. He would not normally have ac­ /dev/hda2 second partition on the first cess to the registry, user profiles, PST drive Files, etc. /dev/hdb1 first partition on the second In order to accomplish this you will hard drive need some knowledge of Linux. It is pos­ /dev/hdb2 second partition on the sec­ sible to do this with a DOS bootable ond hard drive floppy, but the only NTFS drivers avail­ You get the idea. Now you should able are read only and therefore useless have access to the drive. You can now put to me. In all fairness, Linux has this vul­ nerability as well. a third floppy in the drive and type "mount The first thing you need is a copy of -t msdos /dev/fdO /floppy". This gives you the latest version of Trinux. This is a access to the floppy so you have some­ Linux mini distribution designed for net­ place to save files to. Alternately, if you work administration and it has many use­ are really clever you could get the proper ful features. Its best feature though is its modules for zip drive support which con­ ability to boot from a floppy on virtually nects to the LPT port (scsLo and ppa.o), any machine which has more than 8 MB which would give you more flexibility in of RAM. Get two blank floppy disks, go to copying files. www.trinux.org. and download the follow­ I would like to give creative credit to ing files: boot.gz, classic.gz, ntfs.o, and eM, who challenged me to find a way to rawrite.exe. The current version as of this access an NTFS system from a floppy writing is 0.62, however use version 0.61 disk. as there is not enough room for extra

Page 6 2600 Magazine by Kurruppt2k printers, you get the idea. Meaning each worksta­ For quite some time, hackinghas meant knowing a tion in its network exists as an entity in itself(vs. decent amount about UNIX, or, foryou old-school dumb tenninals logging into a huge UNIX ma­ hackers, VMS, TSO, or whatever. Maybe you chine), and ifit needs something froma server,you would have to know a tad about Netware,but that have to connect to it via NetBIOS. In Windows was as far into the PC world as you cared to delve. Networking, this meansmapping a logical network Well, it's 2000 now, andMicrosoft is getting its drive toa particular share. foot into the World Wide Web, meaning the per­ MicrosoftNetworking centage of NT machines on thenet is increasing. A Shares. The heart of Windows networks. A share is lot. Now, many of you UNIX-only hackers refuse just like a volumein Netware - a directory setup to to even glance in the direction of a Windows box, be accessed fromauthorized persons/workstations but NT is only going to get bigger as time goes on, inside the network/internetwork. Shares can either not tomention Windows 2000(active directory... use share-level security, or user-level security. ooh!). And what ifthe web page you want to de­ Share level security means that the resource is pro­ face happens to be sitting on an NT Server?Yo u're tected by a single password, and anyone knowing just going to have to suck it in and leam to break that password canaccess the share. User level se­ into NT machines too. curityis more UNIXish, in that your pennissions to My least favorite thing about Windows is its poor a particular share depend on who you are logged in socket capabilities. This means less open ports as. Now, this entire article refersto breaking into when you scan, which means less daemons to play NT over the Internet, so logging in isn't feasible with, which means less points-of:entry. And if you (though it is possible, see the "Elite Tactics" be­ searchthe exploit archivesfor NT stuff,you won't low). Ifport 139 is open though(which it almost findmuch besides DoS sploits and stuffthat needs always is on an NT Server,and oflen times is on tobe executed locally on the NT LAN. All ofa NT Workstation and Windows 9.x), you can use sudden your oceanof UNIX hacking techniques is Client for MicrosoftNetworks to connect to it. about 10 percent applicable in the NT world. First make sure you have the client installed - go to For starters,NT is an NOS, meaning a client/server Control Panel, then Network(you should also have environment. If you telnet to a UN IX machine and NetBIOS, NetBEUI, and TCP/IP installed).You execute a command, yourrequest is processed on will use the Net commandto do this. Once you thatmachine, using its resources. If you connect to find your targetNT machine and see an open port a Windows box and issue a command, the process 139, your firststep is to findout ifthereare any is launched ontoyour computer, using your re­ open shares. To findout, type this at a command sources, and if it's a command that reports system prompt: infonnation, it gives you info on your own com­ C:\net view \\Iip addressl puter. How do you execute commandsto be run on Ifyou get an error message, it probably means that yourtarget Windows machine'? Suddenly theseNT the computer you attempted to connect to had no machinesseem untouchable. Not true. open shares(or possibly that you don't have Win­ How to hack anNT box all depends on what ex­ dows Networking set up correctly on your ma­ actly yourgoal is. WithUNIX, you're usually chine, so check!). If shares exist, you will see a list looking to get a root shell. As I'm sure you know, of them, including theshare name, share type you can't have a "shell" on a remote NT box. NT (disk, printer, etc.), and any comments the sysad­ is set up to share resources - files, applications, min wanted tomention. For more NetBlOS infor-

Wi nter 1999-1900 Page 7 mation on thismachine, use the"nbtstaf' com­ Gold will dothe samething. mand If you see no openshares, there is stilla pos­ NAT (NetworkAuditing Tool) is a greatprogram sibilityof hidden shares. Common hidden share by themakers of Legion. It willattempt to connect names include: to any open share you specifY, attackingwith pass­ * (samba) words you provide in a wordlist. It alsolooks for *SMB (samba) hidden shares. *SMBSERVER (samba) LOphtCrackis anNT password cracker. Getting ADMIN$(remote administration - can you say NT passwords can be tricky - see the "Password "root shell"?) Cracking" section. To connect to any share, visible or hidden, you And fina11y, AGENT SMITIL This programwill again use theNet command,in thefollowing fash­ essentially brute force the hell out of yourtarget, ion: and log all responses to a file of your choice. Of­ C:\net use i: \\Iip address)\[share name) tentimesthis will be youronly way to break To check for hidden shares,just try to connect to throughpassword protection on your share. thenames given above, or any others you can think All fourof these programare available at The Cy­ of. If it exists, you'll connect Once you receive the berUnderground (www.users.uswest.net/�kur­ "The command was completed su=ssfully"mes­ ruppt2k). sage, you are connected to theNT machine. Logi­ Password Cracking caldrive I: (or whateverdrive letter you assigned) All the hashes reside in the SAM (SecurityAc­ now becomes thatshare - you've mapped a net­ count Manager) hive of theregistry. To get the workdrive to it. This is similarto mountingremote hive, you have a few options. If you're nmning filesystemsin UNIX.So to see what you've con­ Windows NTyourself, you caninsta11 LOphtCrack nected to, changeto drive I: and issue a "dir".You andattempt a Remote RegistryDump. If the ma­ can now use anyDOS commands to explore the chine you're targeting allows for registry sharing, share. The share, however, may bepassword pro­ you will have theentire SAM hive imported into tected.You may be prompted for a passwordright LOpht. Most ofien, though, thisdoesn't work. You afterissuing Net a Use, or after connecting when could always do a core dump, convert the autop­ trying to browse the filesystern. Typical hacker sied datainto ASCII, and pick outthe hashes. But methods canbe used to defeat this. If; however, thatcan betime consuming and messy (not to you get a message that you donot have privileges mention you'd have to upload softwareto perform to thatresource (or "access denied"),this means a core dump). So you may have to resort to going thatthe share is user-level, and since you can't re­ afterthe SAM hive stored on thehard disk of the ally log on, you won't be able to access the share. machine (or anyother Domain Controller on the Once in, you will have either"read" pennissions, network).The fileyou arelooking for is "sam._". meaning you can look at or execute (launch into The problem is thatNT hides this file from users your RAM) a file, or "read/write," meaning you andessentially disables it frombeing accessed canedit any file as well. To check, makea file and while NTis nmning. To get it, you'll have to boot delete it. Createa directory anddeltree it. thecomputer to an alternate OS (Linux,DOS, etc.) Utilities and get it thatway. Anotherproblem is thatthe Here I will outline a few useful tools you should hive is on an NTFS partition. DOS, of course, uses have when planning to breakinto anNT box. FAT, andLinux uses EXT2,so you'll need a pr0- Legionis a Wmdows sharescanner - it will auto­ gramto access the alien partition (such as NTFS­ mate doing NetView commands on an entire sub­ ooS).lnstalling another OS onto the remote net (or multiple subnets). Launchit, sit back, and machine will most likely be tough, as will forcing it watch as it combs networks for open shares. If you to reboot,though programs exist thatwill doit. If prefer doing everything from UNIX,WmHack nothingelse, tryDoSing it to force it into reboot-

Page 8 2600 Magazine ing. So before you devise a vile planto put DOS DOS EDIT toedit thedefault.htrn or index.htrnl 6.22 anddosreboot.exe onto your target,and file. Otherwise,you canalways use HTTPto up­ changethe boot.ini, look aroundfor backup copies load your file. Netscape andInternet Explorer both of sam._. It's not unheardof to findan old copy in have clients to upload htrnlfiles via HITP- just something like "C:\winnt\pdc\repair". use theuser names andpasswords youcracked. Also, if you prefer to crack passwords with UNIX, Networksniffers canalso be put into place. LOpht­ you'll have to convert the hive to a UNIX passwd Crack comes with 5MB Packet Capture, a decent file (cut and paste thehashes). sniffer. Searchthe net for otherNT, Ethernet, or To­ FfP ken Ring sniffers. The point here is that if there is Theclosest thing a hacker cando to telnetting in to even one Wmdows 9.x machine on the network, it anNT machine is connecting via FTP. The prob­ sends cieartext(ASCII) passwordswhen authenti­ lem is thatjust because anaccount exists on the cating, so a snifferwill always catch them. machine doesn't meanthat it's allowed FTP ac­ There are also a huge varietyof exploits for NT. cess. So get the password hashes, crackthem, and The trickis weeding throughthe DoS sploits and tryto FTPinto them all. the local ones. One remoteexploit, If thesysadmin thinkshe's smart, he'll renamethe iishack.eseliishack.asm (www.eeye.com) theoreti­

Administrator(root) account. Either way, if you cally will upload any file(in your case, a trojan) crack thepassword, you'll have FTP access with right throughlIS's HTTPdaemon. lIS ships with administrativeprivileges. You cannow defuce web most NT SelVerpackages, and comes withone of pages, get more passwords for othercomputers on the earlierseIVice packs. Even if the machine in thenetwo rk, upload trojans,etc. Here's a trick: question isn't a web selVer, it probablyhas lIS in­ copy theEvent Viewer programto a shareddirec­ stalled. One popularweb SeIVerfor NTis WebSite tory,then Net View to it. You now have access to Pro, which has a vulnerabilityin its packaged COl all logs on thatmachine. executables. Specifically, uploader.exe allows you Elite Tactics to upload filesto the computer - withoutpass­ Okay, let's pretendyou have FTPaccess. The prob­ words. lem is, you can't executeprograms or do anything Now, when I said that you can'tlog on to anNT else that'sany fun. The answer - a troj an.Oet one SelVerover the Internet, thatwas partiallywrong. thatallows you complete filesystem access, allows The only way to log intoan NTnetwork is to be a for screenshots of your targetcomputer, and lets member of the domain. So you'll have to make you open andkill active windows (NetBus does all your computer a member. How? Hack thePOC of this). But how do you run thetro janonce you (PrimaryDomain Controller)or a BDC (Backup upload it? You have a few options. Put it in theau­ Domain Controller).Now, chances are if you've toexec.bat or autoexec.nt file, and force it into re­ gotten farenough "in" to make yourself a member booting (possibly witha DoS attack), or just wait of thedomain, you probablyhave all the permis­ until someone reboots it. Anotherploy, if thema­ sions you could ever want. If not, launchthe pro­ chine is a web server: upload the trojaninto a COl gram called User Manager for Domains andadd directory (cgi-win, cgi-dos, cgi-shl, etc.),then re­ yourself, with your IP address. quest thetro janwith a browser. If you statethe path In Summary correctly, theweb service will spawn (launch)the Allin all, NT is a very differentenvironment than troj anfor you. Now just connect withyour client, UNIXor VMS. It also demandsvery different andyou have complete controlof thecomputer. skills andtechniques to hack. Doing so is just as re­ Here'sanother scenario. Let's say you want to hack wardingas breaking into a SPARC station,and will their web page. You have a few passwords,but the provide you withall kinds of new anduseful infor­ FTP service has been disabled. Well, if theweb mation. Thisis, after all, why we do what we do. pages reside in a share(unlikely) you canuse MS-

Winter 1999-1900 Page 9 by Seuss prone to normal RF leakage.) Next, mea­ The most prevalent information on tele­ sure the capacitance of the line, dividing phone counter-surveillance has been float­ the value by .83 (the average mutual capac­ ing around for at least 15 years. Short the itance for a mile of phone line). This is pair at the demark and measure resistance. roughly the length of your line. Write it Open the pair at the demark and measure down, you'll need it later. Remember that the resistance. Abnormally high or low re­ .83 is an average value, which can range sistances indicate a phone tap. Forrest from .76 to .90 depending on line condi­ Ranger wrote about it in text files, M.L. tions. To get a more accurate measurement Shannon and Paul Brookes included it in you can fine tune your figure by comparing their books, and an untold number of phone capacitance measurements on a section of phreaks have employed this technique. De­ plant cable of a known length, or use a spite its popularity, the technique has its TDR. shortcomings: it fails to detect devices in­ Disconnect all the phones from the line stalled in the outside plant, split pairs are you want to test. Go to your demark and undetected, and transmitters built into the disconnect your pair on the customer ac­ phone are not tested for. cess side. Short the pair and measure the re­ What you'll need: sistance of the line from the farthest jack I) Access to a local DATU. with the meter set to its lowest scale. Re­ 2) A multimeter with high impedance verse the polarity of the meter and measure scales (several meters that measure into the again. If either resistance is more than a giga-ohm range are available) and a capac­ few ohms, it would suggest a series device itance meter. wired into the line somewhere on your 3) An induction probe. property. Now return to your demark, open 4) A frequency counter or near field de­ the pair, and cover the ends in electrical tector. tape. Measure the resistance of the pair 5) Something that makes continuous with the meter set to its highest scale. A less noise, like a tape player. than infinite resistance would suggest a de­ 6) Ancillary tools (screwdrivers, a can vice wired in parallel to your line. wrench, etc.). Testing in the outside plant should be First, call the phone company to ask conducted from the telco side of the de­ about your line's readiness for ISDN or mark point in order to avoid measurement DSL. High-speed services demand a line error from the station protector circuit. Call with no loading coils and a minimum that DATU and short the pair, then measure amount (less than 2500 ft.) of bridged taps. the resistance of the line. Compare the Either will cause inaccurate measurements. value you got for your line's length with the Begin by taking the phone offhook and figures below: turning on your tape player (to tum on Note: 5ESS switches incorporate a "test voice activated transmitters). Now give bus" that will add about 500 ohms to the your phone a pass with your near field de­ shorted pair. tector or frequency counter. Transmitters in These figures will vary with tempera­ the phone will hopefully be picked up at ture, splices, wet sections, and a host of this point. (Note: some speakerphones are other reasons. Large deviations could (but

Page 10 2600 Magazine don't necessarily) suggest something wired demark point. If you hear the tape player in series with the line. This measurement through the probe, your phone's hook­ may be supplemented by either a resistance switch has been compromised. to ground measurement of both sides of the Checking for splits on your linc requires pair and a capacitance balance test or a an induction probe and access to a plant voltage measurement. A resistive imbal­ wiring cabinet. Add a tone to either lead of ance of more than 10 ohms or a noticeable your pair with th e DATU. Probe all the drop in off-hook voltage calls for further conductors in the binder pair, listening for inspection. the trace tone. If you hear the tone on more To test for parallel devices in the outside than two leads (the ones connected to the plant, open the line with the DATU and re- line you're checking) your line has been

Wire Gauge Loaded Pair Unloaded Pair split. This can be either a bad splicing job, or someone intentionally hooking a pair up 26ga 8t33 8333 to your line. If any of the above tests suggests that 24g.. 52.89 51.89 there is something on your line, remember that there are plenty of innocent reasons a

22ga 33.72 3239 test could turn up positive, so a detailed physical search is in order. Disassembling 199a 17.43 16.10 the phone in question and comparing the innards to a schematic would be a wise idea peat the parallel test as described above. at this point. Take the covers off your Testing for telephone hook-switch compro­ phone jacks, dig around in your demark mises requires an induction probe. Recon­ point, peek inside wiring cabinets if you nect your pair at the demark and plug aU can, and so on. There are some places that your phones back in. Turn your tape player are likely out of your reach, but keep in back on and put it near your phone. Now mind that they're likely out of reach to probe all the lines coming through your many wiretappers as well.

BUY.. 2600 ONLINE! Yes.. it s true. You can finally buy 2600 and 2600 accessories without having to waste valuable energy getting out of your chair or licking a stamp! Best of all.. you can get a lifetime subscription and pay for it over the course of your entire lifetime.. all through the magic of credit cards. We will also be offering online registration for H2K to avoid waiting on line once you get there! No more writing checks or pacing the halls for weeks waiting for your stuff to arrive - online orders usually ship in one week. Check in often for new items and special offers. www.2600. CODl I

Winter 1999-1900 Page 11 DATUs - The Tool of the New A e Phreak

byMMX switch to the remotely located pair gain tenninal. The Most of this article is adapted/condensed from the enclosure is installed inside the cabinet housing the pair administnrtion manual. But be honest with yourself be­ gainequipment. One DATU-RTand one PGA II,work­ fore criticizing me for"stealing" this article. When was ing together in the same switch, may serve a maximum the last timeyou called Hanis andSE'd it out of them? of 212 separate MAU locations. The RT system pro­ Huh? Didn't think so bitch. vide� the technidans the ability to perfonn a series of The Harris Direct Access Test Unit Remote Termi­ line preparation functions to subscriber lines. These nal extends the field technician's testing capabilities of functions are established and maintained by authorized subscriber lines through the non-metallic environment personnel. of a pair gain system. Typical pair gain systems include Now, onto my partof the article. SLC-96, SLC-Selies 5, etc. The systemhas threemajor I won't be speaking about administratormode for components: the Direct Access Test Unit (DATU), the threereasons: Pair Gain Applique II (PGA II), and the remotely lo­ I) If you acddentally screw something up, the cated Metallic Access Unit (MAUl. DAJU probably won't work. 2) You don't own any DATU thatyou're using (nor DirectAcc essTest Unit ­ do you have pennission),and therefore you're commit­ Remote Tenninal ting a crime by accessing one. The DATU-RT is a printed circuit card that pro­ 3) I think thatif I talkabout things like changing the vick�s microprocessor control of line preparation func­ NTT Busy Test, you will do something naughty. Very tions, voice prompted menus, and status reports to the naughty. technician. It allows technicians to access and perfonn However, I will consider releasing an article on specific loop conditioning and tone generating func­ DATUAdministrator functionsin thefuture. tions on any working subscriber line toprepare the line To access the DATU, dialthe telephone numberas­ for use with field test equipment. The cardis installed in signed to it. Upon connection, you will hear a 440hz the Metallic Facility Tenninal (MFl) bay and con­ "dial tone" indicating that the DAJU hasanswered and nected to theCentral Office switcb. is ready for password entry. Dial thc password of the DATU, which is defaulted for techniciansat 1111. If the PairGain AppJique n first digit of the pa�sword is not entered within seven ThePGA IIis a printed circuitcard extend� that the secondsafter the DATU answers,it willrelease theline. DATU-RT capabilities into the pair gain environment Upon entering a successful password another DATU and serves as the interlace between the DAJU-RT and dial tone is heard, prompting you to dial the seven digit the switch's Pair Gain Test Controller (PGTC). It deter­ subscTiberline number (in other words, the number you mines the status of the PGTC and it� metallic DC test want to test). Occasionally,something will be wrong at pair, provides carrier channel signaling and tmnsmis­ the CO, the DATU will say "Error, badno-test trunk" sion test result�, and controls theDATU-RT's access to and a pulsating440hz tone will beheard. If you ever get the MAD. The card is installed in the MFTframe and this, than you probably are accessing a DATU either at connected tothe switch. a CO where someone is a�leep at their desk or in a re­

mote office. I have yet to get this error at a heavily MetallicAcc essUnit manned CO. You also won't be able to run test� if you The MAU provides the standard DATU-RT line get this message. conditioning functions as directedby the DATU-RT. It After the DATU prompts you to dialthe subscTiber eliminates the need for metallic bypass pairs from the line number, a few things can happen. If you dialed a

Page 12 2600 Magazine number not selVedby thatDATU, you will get themes­ 2 - Audio Monitor. Providesa way tD verifYthat the sage: "INVALID PREFIX" and another DATU dial busy test was correct. Traffic on the line is audible but tDne. Upon dialing a correctnumber, ifthe line is idle, unintelligible. Audio Monitor is autDmatically disabled the DPUU accesses the line and you will hear "Con­ at regular inteIVais tD insurethe that DATU-Rf is able nectedtD ddd-dddd. OK. AudioMonitor." You can then tD detect DTMF tDnes in the event an exceptionally select a line conditioning function anytime after the strongaudio signal is presentThis occurs atregular six­ voice messagebegins, including theten seconds of au­ second inteIVais and is of approximately two seconds dio monitor before themenu is presented. If the line is duration. busy, the DPUU will say "Connected tD ddd-dddd. 3 - Short to Ground The "ShorttD Ground" func­ Busy line.Audio MonitDr."The busy line will then be tion is used tD connect the 'TIp, Ring, or both leads tD monitoredfor 10 seconds. Itshould be saidat this point Groundpotential. Ifonly a single lead(TIp or Ring) is that all audio traffic is unintelligible. After theten sec­ selected,the opposite lead is untenninated. ondsof audiomonitor, the DPUUwill send two 614hz 4 - High Level To ne. This function places 577hz 1Dnes in rapidsuccession tD indicatethe end of the mon­ high-level(+22 dBm) intenuptedtDne bursts on the'TIp itorperiod. Featuresthat would bedisruptive tD acall in lead, Ring lead, or both. Ifa single leadis selected, the progress are not available if the DPUU-Rf detects a opposite lead is grounded. This function is typically busy line condition. These functions include "High­ usedfor thepurpose of conductor orpair identification. level Tone," ''Open Subscriber Line," and ''Short Sub­ 5 - Low Level To ne. This function places 577hz scriber Line." low-level (-12 dBm) intenuptedtDne bursts on boththe There are theories about confusing the DPUU by 'TIpand Ring leads. Becausethe tDne signal is longitudi­ changing its busy testin administratormode. Theoreti­ nal,use of thisfunction does not disrupttraffic on a busy cally,if you change thebusy teston theNTI, you could, line. Tone bursts can be heard only on a telephone in­ say, open your ex-girlfiiend 's line while she was on the strumentconnected between'TIp or Ring and Ground. Thisfunction is typicallyused for the purpose of con­ or pair identification on a busy sub­ line. 6 - Open Subscriberline. The "Open function removes BatteIy

u potentialsfium the subs criber 's and Ring leads.

SIl�,scriherLine"function provides anelec­

short across the subscriber 's 'TIp and leads. * - Hold Functions (Keep Te st After ULSconnect). The ''Hold Tesf ' feature pro­ a means by which a line condition as­ serted by the DPUU-Rf is maintained fora specified Functions of theDATU time inteIVai after disconnecting fium the DATU-Rf. Anyway, after learning the status of the line, the The durationthe of Hold Test inteIVaiis enteredthrough functions are presented in a menu fonnat. MainMenu the telephone keypad and is specifiedin minutes. Any functions are announcedas follows: inteIVai bemay entered, however, the DATU -Rf will Most of these functions actually aren'tas exciting not maintain a line condition longer than the Access as theysound, if you'reon crack A quick descriptionof 'TImeout inteIVai. The programmed function is auto­ each ofthe functions: matically canceled by the DPUU-Rf when the speci­ l-Announce Main Menu. fiedtime inteIVai or, if of a shorterduration, the Access

Winter 1999-1900 Page 13 Timeoutinterval has elapsed. (At thispoint, it should be DATU.interesting An predicament.The DATUis pre­ noted that upon setting up a DATU, the administrator paredas alwaysto handleyour problem. By dialing"*" determines the Access Timeout Interval, which is basi­ before the subscriberline number,the DATU will wait cally a timer to say "good-bye" once you've lounged until you hang up, and then test the line. Pretty simple, too long on theDATU. By default, theAccess Timeout eh? Oh yes, and for those who wonder why thereis no is 10 minutes. Also, after hitting *, the DATU will "audiomonitor" duringsingle line access: afteryou se­ prompt you with either "DIAL NUMBER OF MIN­ lect the test func1ion, the DATU will ask you for the UTES" or "DIAL 2 DIGI TS FOR NUMBER OF "numberof minutes." The testing doesn't startuntil one MINUTES."With respect to single digit entries, '1)" is minuteafter you hang up. interpreted a� 10 minutes. Also, afteryou use thisfunc­ Sadly, the actual Administrator's Guide went into tion, the DATU will expect you to be finished and will great detail on the use of each feature of the DATU say"PLEASE HANG UP") morethan three times by theend of it. Stupid corporate

# - NewSubscriber Line. This functionrelea= the product�. currently-held subscriber line so that anothersubscriber line may beaccessed. Conditioning of Carrier Before moving on, there is one other function that System Lines is worthmentioning. Note: Unless you have a fairly basic grdSp of the

9 - Peml£lnent Signal Releal·e. The"Pennanent way pair gain systems operate, I would suggest skip­ Signal Relea-;e" functioncauses the removal of Battery ping thissection. ,md Ground potentials fum a pennanent signal line After dialing the subscriber line number, if the line served by a step-by-step switch. This function is typi­ is on a pair gain system, the DATU announces, "AC­ cally used to cleara busy condition resultingfum a line CESSING" and repcat� the subscriber telephone num­ fault so that nonnal line tests may be performed.After ber entered. The DATU armounces the state of the pressing "9" on the keypad, the DATU responds with subscribc'r lineINTI with one of the following voice "PERMANENT SIGNAL RFLEASE." After execut­ messages: ing the required sequence of operations, theDATU tests "PAIR GAIN LINE, PROCESSING" - if the line the subscriberline to detennine whether the busy condi­ is idle and is a pair gain line.

tion has been cleared. The result of this test is then an­ "BUSY LINE"- if theline is busy. nounced as either "OK" if the line is idle or "BUSY If the selectedline is busy, theDATU cannot deter­ LINE" if the line is busy. This function is not available mine whcther theline is served by a carrier system. It is, unless specifically enabled by theDATU administrdlor. therefore,not possible forthe DATU to activatethe Pair Unless enabled, any attempt to use this functionresult� Gain Test Controller (PGTC) and metallically cormect in the message "ERROR - PERMANENT SIGNAL the DC Bypass pair at the RT to the subscriber line. RELEASE DISABLED." Pennanent Signal Relea-;e Without this metallic connection, the DATU carmot will functiononly on a line thatthe DATU has identified condition the line. In this case, only the"Audio Moni­ as busy. An attempt to use this function on an idle line tor" and "Low-Level Tone" functions are available to results in the message "ERROR - IDLE LINE." the user. Because it� signal is longitudinal, the Low­ Level Tone function is generally not effective when SingleLine Access used on a busy carrier system line. If the line is idle, the You may be saying at thispoint, "Gee,MMX, how DATU attempt� to activatethe PairGain Test Controller do you find themeasure of the interior anglesof a regu- (PGTC). The PGTC, in tum, tests the canier ch,mnel lar [Xllygon'?"If you'resaying this,you probablyarc on and communicates the result� to the DATU. These op-- a large number of prescription drugs. Moving right emtions require additional time and may resultin a de- along... If you should findyourself"testing" the line that lay of up to 30 seconds. After successfully completing you'recalling theDATU with, you will realizethat you these steps, theRT system identifies the carriercharmel can't test that line, since you're using it to call the a� follows:

Page 14 2600 Magazine "S INGLE-PARTY LINE" - ifa single-party chan­ AlphanumericPair Gain nel nnit is detected. System IDEntry "MULTI-PARTYLINE" - if a multi-party channel This section describes the method by which alpha­ unit is detected. betical letters may be entered using a standard 12-key "COIN LINE"- if a coin channel unit is detected. DTMFkeypad. Ifthe DATU is unable to activate the PGTC or the lL Enter any leading numbers that are part of the PGTC enconnters a problem in testing thecarri er chan­ Pair GainSystem IDin the normal manner. nel, the DATU issues one of the following voice mes­ h. Enter '**'. Thiskey sequence places the RT sys­ sages: temin a special mode in which alpha and certain other "BYPASS PAIR BUSY OR PGTC FAILURE" - non-numeric characters may be entered as a series of the DC Bypass pair is in use, all PGTC test cireuits are two-digit key codes. busy or the PGTC cannot complete camer system con­ c. The firstkey depression simply identifies the key nections. on which the desired character is stamped or printed.

"PAIR GAIN SYSTEM ALARM" - the camer Press the key on which the character appears. For ex­ systemserving the selected line is in a major alarmcon­ ample, if chardCter is "A", "B", or "C", press thc "2" dition. key. "CHANNEL NOT AVAILABLE" - channel test d The second key depression identifies a single results wereno t provided by the PGTC. character from the group (typically three letters) se­ "BAD CHANNEL" - channel test� failed - possi­ lected with the first keystroke. The chardCter is identi­ ble bad channel unit. fied by its position on the key. To sclcet the first, press

Aftera failure in carrier channel tests or in activat­ "I". If the desired letter is the second of the three, press ing the PGTC, theDATU remains in Menu ItemSelec­ "2". Press "3" if the desired letter is the third of the tionmode so that the centrJ.i officepersonnel may more group. easily determine the problem. If one of the above error e. Repeal steps c and d for each alpha character in messages is heard, however, the DATU is probably not the Pair Gain System ID. When the last character has connectedto the line to be tested. Therefore, line condi­ been entered, enter "**,, just as previously done in step tioning commands will be accepted and confirmed by b. This restores the "numeric entry" mode.Special two­ the DATU but the condition may not necessarily exist key sequences are assigned to the letters "Q" , "Z", and on the line anytime after one of the above error mes­ certain punctuation chardcters. Table I below outlines sages is heard. these. f Enter any trailing numbers that arepart of the Pair RemoteTenninal (RT) Acc ess GainSystem ID. Afterthe DATUhas successfully accessed the sub­ g. Any combination of letters and numbers may be scriber line and acquiredchannel testresults, the DATU entered in this manner. Repeat the appropriate steps as will say "PLEASE ENTER PAIR GAINSYSTEM necessary. ID.DIAL ST AR WEND." Enter Pair GJinSystemlD h Enter a single star (*) to complete the Pair Gain using telephone keypad. To condition line from Central System IDentry. Officeusing the bypass pair, enter "0*". Use the follow­ i. Aller the Pair GainSystem ID has beensuccess­ ing section (Alphanumeric p.J.irGain System IDEntry) fully entered, the DATU will say "PLEASE ENTER if Pair GainSystem ID includes alphabetic or punctua­ PAIR NUMBER. DIAL STAR TO END." Enterthe tion characters. If selected, the bypa�s pair must be in pairnumber for the subscriber'sline using the telephone place between the host element of the DATU at the keypad. CentralOffice and the RT. j. The DATU providesverification of the Pair Gain SystemID entry witha voice message. If a validID was entered, theDATU annonnces "ACCESS" followed by the IDpreviously entered. If the Pair Gain System IDis

Winter 1999-1900 Page 15 not valid or ifthe bypass pairwas selected, the DATU announces "USE BYPASSPAIR." Physical Dimensions Length: 8.0 inches Width: 7.5 inches Height: 2.0 inches Weight: 1.7 pounds Electrical Battery InputRequire­ ment (measured withrespect toCO ground) * -46to - 54 volt� DC * 600 rnAmaximum * 2 volt� peak-to-peak noise maximumfrom CO A� LineInterface (Ground Start) SomeWords About 1. TIpGJUi Ring Parameters in OjJHookMode MaleVoiced DATUs * Meet�FCC Part 68 requirement� At this point, T should mention at least something * Resistance is 120 - 280 ohmsat 20to 80 rnA aboutthose DATUs withan incredibly sexy malevoice. * Minimumcurrent DC requiredis 20 rnA Theseare an extremenuity at the date of writing.Tn fact, * Typical AC impedance, at I kH7, is 640ohms in a list of over 200DATUs that I have, T only know of 2. TIp GJUiRing Parameters in On-HookMode one that still works. Upon speaking to the man at Hams * Meet�FCC Part 68 requirement� who actuallydeveloped the DATU, he said,"It's so old, * Minimumring detect level is 65 volt� AC rnls you could blow dust offit" However, since it is still in * Unintcffilptedpre-trip ring durationis 300ms use, T will soon be writingsome words aboutit Please * Ringerequivalence L� 0.5B note that if you find a DATU-T in use, T would love to 3. SecondaryDial To ne get a recordingof the administratormenu for it * Secondary dial tone is provided upon ring trip, LastRemarks (for thise) issu pa�swordentry, and new subscriber line To begin my ending, I would like to say to anyone selection who thinks "Hey, cool, I'll DATU an AOL access num­ * Dial tone is silenced when a digit is dialed or berand make it busy," is not only lame and stupid, but when the DATU-RT timesout alsofac tually wrong. The NITcan't access hunt lines, * Dialtone level is -16dBm +/-3 dBm and you may inadvertently set offan audible alann at * Dial tone frequency is 440 Hz +/-8 Hz your CO by doing so. Oh yes, and the "LOSLEEVE" * Hannonic distortionis less than 10% LED of the DATU will go on when you try. In the fu­ 4. DTMFDial Decoding: ture, I will go into the wild and crnzy world of the test * Each incoming dual-tone signal is translated into interfacefor non standanl offices. Following that, well, one of the 12 characterset� shown in Table 2

I'll see what I can dig up foryou. Perhaps something * Frequency deviations of up to +/-2.5% are ac­ about (dareT say) ... Administratormode? cepted and all deviations greater than +/-3.5% are re­ jected

Physicaland Electrical * DTMFtones greater50 than ms are accepted Specifications * Tnterdigit timing is greater than 40 ms and less

(directlycopied from administration manual) than sevenseconds are accepted

* Signalstrength per frequency of -20 to 0 dBm are

Page 16 2600 Magazine accepted 4. Low-level 7hne Test 5. Vo ice Message Output * Ty pical signal strength, mea�ured tip-ta-ground * Averagevoice level is -13 dBm or ring-ta-ground: * Voice frequency rangeis 200to 3,000Hz * At the CO is -12 dBm +/-3 dBm No 'lestInterlace 1hmk * At 18,000cable feet fromthe CO is -19 dBm 1. TqJ and Ring Parameters in 1dle Mode 5. High level To ne Te st (Differential) * Resistance is greaterthan 20M ohms * Tip-to-ring signal strengthis +22 dBm +/-3 dBm 2. Ttp andRing Parameters inActive Mode * Tip-ta-groundor ring-ta-ground signal strengthis * Resistanceis 100 to 180 ohms at 20 - 90 rnA + 17 dBm+/-3 dBm. * Maxllnumcurrent DC is 90 rnA Acronyms That You AreToo Stupid To Know * TypicalAC impedance, at I kHz, is 660ohms DATU - DirectA=�s Test Unit

3. MF OutputParameters HILARY- Gue�s! * Each outgoing dual-tone sinusoidal signal is PGA- PairGain Applique translated from one of the 12 character set� shown in PGTC - PairTest Gain Controller Table 2 Rf - RemoteTerminal * Frequencydeviation is le�s than+/-2%

* Signalstrength per frequency is -5 to - 15 dBm * Digitduration is 70 m� * lnterdigitalpause is 70 ms 4. DialPuL�e Addressing Parameters * Percentbreak is 60% * Repetitionrate is 10 pulses persecond

* lntcrdigitaltime is 1,000ms 5. Sleeve CurrentParameters * Low current mode is 7 to lO rnAinto 120ohm sleeve * Highcurre nt mode is 50 to 70 rnAinto 120ohm sleeve * Maximumextemal sleeve loopresistance is 700 ohms 'lestFuncti on Parameters 1. Open test isgreater tlum 20M oluns 2. TqJ and ring shortedis less tlum 2 oluns 3. To ne Te st * Frequency is 577 Hz * Frequency erroris less than+/-3%

Wi nter 1999-1900 Page 17 STAPLES

by Maverick(212) W.II, IS IIOU might liu.ss,I used to work lor Stlpl.s, Th. Ollic. Sup.rstore. Use� to, Siapies sellsPr cuslom-builloteva Proleva com­ that Is, until thell llred me over somethmg pUlers. These are displalledand sold Ihrough which was, .ven lor them, ridiculous. So, a sland-alon. sllSlemal on•• nd ol lhe com­ here 1 1m, spilling milgu ts about the technol­ puter Will. The "kloskw slmplllallows cus­ ogll used In their stores. lomers 10 look al SP.cs, sel.cl various sllstempackages and options, and prlnl oul a prlc. quole. This sllslem runs Windows NT, The stores usePhon a standardes Meridian and Is SUSC.Pllbl. IO Ih. nllsdos irick. [BoOI­ phone sllstemwith six lines: the first three Ing Irom a IIOPPIIand running Ihe shlreware outgoing local and the list three specill program nUsdos Illows read-onlll access 10 lines. Thes. special lines are onlllgood for Ihe hard driv .) COPllingIhe Sim lIIe and run­ calls and calls to other stor.s and can­ • 800 ning Il lhrough lOphlCrack reveals Ilv. dif­ not be used lor regular local and/or long dlS­ I.r.nl us.rs and passwords. The tanc. calls. Administralor password Is al l.aSI som.whal To dial another store, either hit one 01 the secure - I lull IWO weeks running lOphlCrack r.gular line buttons and dill the regular didn't reveal II. The olher 109 ins/passwords phon. number, or, Irom anll01 the lines, dial are: the store's number. Each store has two 100 -Ihls accounl ls disabled. numbers, one lor voice and the other lor "Bue"" 100 -Ihls accounl ls used lax. The voice lines are alwallS 1-100-444- "I:U" lIm.'";RIIR. lor regular cuslomer browsing. nXI where lin is the 4-digit store number, -Ihis one aulO­ Pldded with Inillil zero's, il ne.ded. The lax "u,".,.";"ST'PUS1234 " maticallll ioads new I.atur.s/prlclng Irom a lin.s are alwalls As lar as I 1-100-555-nn. diskett know, these numbers are onlllgood when •. 100 -Ihis allows IIOU10 calling Irom Inside a store. "mi, ";"ST'PUS1234" change Ihe currenl pricing and make an up­ Sometimes, the outgoing lines r.qulr. a dale diskette which can b. load.d on Ihe password. ThiS is not too common, but Is eas- same or olher machine using account "uP­ 1111clrc umv.nted. BII punching fEATURE·· lrom dal.". anll phon., IIOUcan acc.ss the phon. SIlS­ t.m's configuration menus. It does ask lor a login and password bUl lhe delaults are In­ COMPaQ 13> iO variablll266 344 [WCONFIGwl. The onlllphone Staples also sells Compaq Bulll-To-Order line In Ihe slores Ihal will work In a power com pUlers. These are viewed and ord.r.d outage Is Ihe one Ihe lax machine al lhe COPII from a Compaq compuler, which is usuallll cenl.r is plugged Inlo. placed rlghl nex1 10 Ihe Proleva. Unlike Ihe The phones also lealure, in Ihe lower Proteva, however, Ihe Compaq "kiosk" has a righl corner, a wpag." button. wMall 1 have pow.r-up BIOS password and Is nelworked lIouratt. nlion, Siapl.s shopp.rs.... " inlo Siapies' corporal. WAN. This Is neces­ sarlibecause Ihe kiosk is onlllus.d as a vlew.r lor Compaq's web sile where Ihe �ie.e.on COMPuter specs, option IiSIS, and ord.rlng lorms realill Loclted n.1l 1O th. selecllon oI l11pewriter and are. The site is available at printer ribbons In everll Siapl.s slor. I.S an old www.compaq.com/relall. login and pass­ 386 com puler Ihal is conslanllllrunnlDg a words ar. "STAPun", where xxn Is Ihe 4- program which is supposed 10 assisl c�s­ digit slore code, padded wilh initial D's as lomers in finding Ihe proper ribbon. ThiS needed. There Is verll llllie securltllon Ihls slandalone sllslemhas no securitllwhalSo­ compuler. Slmplllpressing Ctrl-AII-Del, and ev.r. Simplll pr.sslng the spacebar 10 kiCk . "End Task"-Ing Ihe kiosk sonware [reallllMI­ oll ihe screen saver and hilling Ctrl-Br.ak IS crosoll inlern.t EIPlorer run lull-screen .nough 10 drop IIOU10 a DOS prompl. [Rebool­ wilhoUI the loolbars, etc.) drops IIOUdlr .clIlI ing and breaking oul ol lhe aUloelec.bal ls 10 Wln95. A new browser can be fired up and also trlvlalillpossible.) Unfortunalelll, once whooosh, IIOUcan surf lhe nel. Or IIOUcan go IIOUare al a DOS prom PI, Iher. Is reallllnolh­ into N.lwork Neighborhood and look around Ing much 10 dO, as ail ihe ribbon-finder Illes a lillie. What .Ise is on Ihe local n.lworkil are In a speclal lormal. One Ihlng Ihal is pos­ Read on.... sibl. Is changing Ihe screen saver Image. II'S localed al c:\rlbnlndr\scrnsvr2.pcl, and is a slandlrd 640x480 pCl llle. '.IrsO,uice. ago, all .ach COMPuters Siapies slore had In

Page 18 2600 Magazine Ihe wa, Of compulers was an AS400 lermlnal. This ran over a 9600 leased line 10 Ihe cor­ Securi�Most Staples stores Personnel have a securlt, porate headquarters and was used for Inven­ guard at Ihe fronl door. He lit's usuall, a he) lor, control, prlnllng price signs, entering Is the one who aslls'ou 10 leave ,our bag damages, and man, other taslls.About two with him when 'ou enter the store. He's basl­ ,ears ago, Staples Installed Frame Rela, T1S call, powerless 10 do an,lhlng, Ihough. II to all Its stores and upgraded to Ihree actual pushed hard enough, and baclledb, a slore computers In each slore. The Sales Man­ manager, he can refuse 'ou entr, 10 Ihe slore ager's office received a computer, as did Ihe if 'ou refuse to leave ,our bags with him. BUI General Manager's. The third was set UP as a mosl of the lime, he'll let 'ou In wllh a "I'll training compuler for emplo,ee use, usuall, have to checll,our bag when 'ou leave." Of In Ihe larger of Ihe IWO offices. These were course, 'ou don'l have to let him, and he generall, 266 10 333Mhz Penllums wllh ei­ can't malle'ou. Iher 32 or 64 megs of memor,. All ran Win NT 4.O SP3. The compuler in the Sales Manager's of­ SecurStaples pollc,i-ty Is that Proc a managered canures onl, fice was usuall, lIept running a terminal pro­ SlOP a suspected shoplifter al the door If that gram that simulated the AS400 terminal that manager has lIeptthe suspect In sight at all had been removed. The General Manager's times from the moment the, lallesomelhlng compuler was used for mailing emplo,ee and hide It 10 Ihe momenl lhe, tr, 10 walllOUI schedules and lIeeplng tracllOf emplo,ee Ihe door. This Is ver, difficult, II nOl lmpossl­ punches al the IImeclocli. It was also used ble, especlall, If the manager Is following ever, Sunda, do emplo,ees' pa,roll. The 10 Ihe suspecl -Ihe manager has 10 run pasl the training compuler was loaded with various suspecl lo get 10 Ihe door flrsl ln order 10 certification and educational software and SlOP him, bUI can'l talle his e,es off him. This lIepttracll of which emplo,ees had passed rule Is often Ignored, however, as managers which "courses" al "Slaples U: All three sometimes lallethe word of lhe securlt, compulers had browsers and could surf Sla­ guard, or even Ihe associ ales as 10 what has pies Intranet and the Internet. happened. Man, limes, nothing Is done 10 the Using ntfsdos and lophtcracllon these suspect. as Ihere Is no proof and Inadequate machines revealed Ihe following accounts: surveillance. Jlllmlul,Ir.'DI: "BIBSllufWII. 9" - Thought Siapies has a special code word 10 Indl­ the,'d malleIt more secure using a period. cale a securlt, problem. This code Is "Fred Heh heh. Klein," who used 10 be Ihe head of loss Pre­ SUB" : - Disabled. vention for Siapies man, ,ears ago. B, slm­ lu" .1I111:"Iu"allll' " - Used, obvlousl" pi, paging "Fred Klein 10 aisle 4," an, for maintenance and Installallon. assoclale can Indlcale Ihat Ihere Is a suspi­ Sla"/esSBllllcB:",cIIlIBSse/,,aIS" - Yes, cious person In Ihal aisle. All olher assocl­ Ihe login bacllwards. ales are supposed 10 drop whal lhe, are JlssDclal,:"SEU "- What we were sup­ doing and converge on Ihat location en posed do. 10 masse In, baslcall" an attempt 10 scare Ihe IIauall,eCJI.E" What the managers - suspecl lnlo leaving. didn't. Sales:"SPlS"- Our stoclls,mbol. u'BlIII:"'JlSSWBRD"- Yes, Ihls account CertainSecuri-ty Staples slores, De usuall,vices Ihose with aCluall, exlsls. Someone must have tallen Ihe highesl losses, have gotten a securit, Ihe instructions a little too lIterall, when s,stem Installed. It consists of a sel of aslled10 I,pe In Ihelr userld and password. "gales" sel on ellher side of Ihe entrance and exll doors, and rolls of stlcllerswhich \he C::aun are placed on hlgh-tlcllel ltems. The sllcllers With Ihe arrival of Ihe office computers, Inlerrupt Ihe weallmag nellc field PUI oul b, Siapies stores also received a remote termi­ the gates which causes the gates to beep. nal hoolledUP Inlo Ihe s,stem. This "gun" This can obvlousl, be defealed easll, b, re­ has a smali lcd screen, an alphanumeric lIe,­ moving Ihe sllcllersfrom Ihe merchandise. Some slores also have cameras, usuall, pad and a scanning laser. Almosl an, func­ aimed at the main entrance, and posslbl, lion 'ou can do from Ihe AS400 lermlnal ls one In Ihe mone, room. available from the gun, lnCludlng price Well, thai'S enough for now. When I dig up checlls,sign printing, and Invenlor, func­ some more informallon, I'll be sure to write lions. anolher article. Unlll ihen - happ, haclilngi www.2600. com

Winter 1999-1900 Page 19 I Own Your Car! us fit the description of an executive type. by Slatan I work the night shift for a major auto We were obvious computer geeks, as our company near the motor city in Michigan. coworkers would say. So we thought of a One night all the bosses went home early plan. We gathered a bunch of door parts, a and left us there alone. We had learned ear­ frame here, a sealing strip there, got some lier that day (on the news) that a bunch of calculators, sketch pads, pencils, and a few us were being laid off and the rest were be­ compasses left over from the manual days. ing transferred or strong-armed into quit­ We picked up some heavy blueprints to tmg. The executives didn't even have the back up our story and typed up a fake work decency to tell us first, or in person. We order. Our pass cards would let us in most had to hear it on TV. So needless to say, no of the way but when we got to the glass one was in a good mood. wall, we were stuck. Sliding my card Where I work there is no getting out. If through, it just beeped. I thought about you quit you have to take 30 days (unem­ spraying some salt water in the reader, like ployment) before you can work at another what people did in the old days with Coke related facility. The software we use is machines, but that would have been de­ only used by other related facilities. Still structive and nonproductive. Instead, so­ they wouldn't release us from our con­ cial engineering would be our key. tracts. Most of us had put in years of ser­ A voice spoke from the intercom. "Can vice and worked overtime to get projects I help you?" out to match deadlines set by executives I replied, "The reader won't read my who had no idea of the work involved. card." Even forsaking our families at times, and The voice came back, "You're not in for what? To be walked on and thrown out the computer for this area." like yesterday's newspapers, to perfect a "I have a job that requires my un­ vehicle that we will never be able to af­ escorted access to this area". ford? No perks at this job, poor pay, no "I'll be right down," the voice shot employee discount, no job security, and the back. night shift makes getting anything done We showed him our ID badges that impossible. Basically, they own us. proved we worked there and he asked what After learning of our imminent doom, we were doing. We explained that we everyone was sitting around wondering needed to get in the restricted area to do what would become of us. Three of us - some last minute changes to the seals in who were as close to model employees as one of the vehicles before this year's auto you could get - did our jobs and didn't show, which was only a few weeks away. screw around while other people slacked Unconvinced, the guard wouldn't let us off and played solitary. We never took ad­ through. We unrolled the blue prints and vantage of our jobs. That is, until that one showed him where the trouble was. Being night. the senior he was, he couldn't read the I was the first who mentioned a blueprints or make heads or tails of it. scheme, half jokingly and half seriously. "There is an airflow problem throughout "We should go down into that restricted the door system, which at high speeds area and try to get in." The other two guys causes wind deviation thus amplifying agreed we really didn't have anything to cabin noise and increasing internal pres­ lose. So we decided to go for it. We knew sure." We threw in some more technical BS what was in there because you could see and buzz words and finally he was con­ all the experimental cars from the solid vinced after we showed him the phony glass walls. The sliding doors were about work order. He slipped his passkey through 10 feet high and 1 5 feet wide. The only the door and opened it for us. He watched problem was that they were locked by an us for about a half hour until he got a buzz executive level passkey card. We knew from another part of the building and had they wouldn't let us walk right in - none of to go. We told him this will take us most of

Page 20 2600 Magazine the night and we could let oursel ves out. I ights on. The ride was smooth, and steer­ There were push-buttons on this side. Now ing was tight and effortless even at speeds the fun would begin. over 150. The car also has GPS installed in Most of you won't see the vehicle we case you get lost or you lock your keys in were about to play with until 2002. It's a it - or if the car is stolen. If you get in an prototype and there were six of them there. accident and the airbag goes off, it autodi­ In the trunk was a fuel cell, holding about als the headquarters and patches you into a 50 gallons of racing fuel. The tires of the 24 hour receptionist who can listen in on car were kicked out and set out about 6" in your cabin and talk directly to you using the rear, and mostly to the corners of the cellular towers. This system and features car. It was super charged, none of that are commonly referred to as telemetry, an­ cheap turbo charge crap. Under the hood other new buzzword that will be popping was, well you wouldn't believe me if I told up later this year. The home base of this is you. Needless to say this wasn't the fuel networked and the receptionist can watch economizing car that everyone thinks your car's movement on her screen. She we're all working on to save the environ­ can patch her screen to other receptionists ment. This car was pure evil. Oh, did I too. Other features of this system allow mention that we are one of the most presti­ you to navigate and even be told histories gious car companies, that we are the defin­ of the towns that you're driving through. ition of luxury and class? Most older fo lks No per-minute fees, just one yearly fee. want one of our cars when they retire . So Had I not been having so much fu n I would this car will be a shock when it's released. have thought to get the dial-in number to And it will be released. the automated computer. We drooled enough. Now it was time to It was nearing our lunch time so I hit test out our made-up theory. There are al­ the blue button which connected the car to ways keys in these vehicles and full tanks the 24 hour lady. She gave us her name and of gas. No emblems on the car so no one asked how she could help us. I said we will know what it is if they see it. Heck, at needed the location of a 24 hour restaurant. 2 am who would be out on the roads any­ She gave us a few of them and then told way? We fired her up and two of us went me to turn right at the next exit and guided out, leaving one behind to open the door so me there no problem. All without even ask­ we could get back in. I took the second ing my name, or where I was calling from. spin at the wheel and, oh my gosh, talk I later learned this service will cost about about power and speed. I had never driven $400 a year but that is unlimited service a super charger before. There was no wait­ calling. Data travels at a slow analog speed ing for the turbo to kick in. You hit the gas of 2400 bps. This should change soon as and it was pure power. The tires would more digital towers are put up along the squeal as long as you held the gas down. expressways. Then all vehicles will use At 80 mph it seemed like we were crawling spread-spectrum. and every time I tapped the peddle the tires The lady said she was getting a reading would squeal. At 95 mph they would of engine compartment heat and suggested squeal ! I think I got whiplash that day. At a I ensure the radiator was ful l, even though red light a Corvette pulled up next to us, a it appeared full to her. It might have been new sleek one. He gunned his engine and due to my driving over 100 mph for so when the light changed I nOOfed the gas. long before I called her. "I'll check it out," Bad mistake - the car just sat there spin­ I told her. Just think what other people ning its wheels like we were on ice. OK, could do if this fell into the wrong hands. I'm a computer geek, not a drag racer. I This service makes the Pentium III ID fea­ came off the entrance ramp to 1-75 at 75 ture look like small potatoes. mph. I was looking for a certain switch Hacking in the future will soon find its that I had heard existed. I flipped off the way into the automobile. This car itself is headlights and hit the switch. Night Vision. one large computer; there are microchips A camera is mounted in the hood in the in every part of the car, each controlling symbol. It displays the image on the win­ components, mirrors, windows, seats, door dow and you can see through fog and rain. locks, power brakes, etc. Viruses will be It makes everything white and is very cool. easily inserted into the car's onboard sys­ I like it because I can drive with no head- tem via the CD player which will soon be a

Wi nter 1999-1900 Page 21 direct link to the car's CPU. A hacker means. A high price would have to be paid could make the horn honk every time the to the companies that own the rights to the brake pedal is pressed. Just think what a specific radio spectrum which would be re­ program like Back Orifice could do on one quired by this system. They figure they of these cars. will pass the cost to the consumer and have I see it like this: A voice announces to them pay for the service like we do now the irritated driver: "What's wrong - you for the Internet. (Mental note, invest in don't like Rob Zombie?" "No! " yells back AT &T stock.) With all the talk of what the executive driver. "Fine, turn it off. Oh they want to do, no one is talking about that's right, you can't. I own your car!!! " what they're going to do to make it secure. Most of the top automakers are secretly They are relying on digital spread spec­ making it their goal to turn their luxury trum to be their firewall saying that will cars into a virtual onboard LAN. And it protect them from their signals being inter­ was highly evident in the car I was driving. cepted. In my opinion this is very near­ Behind closed doors, execs discuss their sighted, yet typical. What they don't future plans. They want their vehicles to be realize is that sometimes the demon comes able to access the Internet. It would have from within. to be wireless and they know what that I've seen the future, and it is sweet.

- We lcome to irc.2600 .net - Message of the Day

2600 STYLE - IRC -

- We all know IRe is an anarchic way of communicating, to say the least .

- Thi s is all fine and good , except that it some times makes

- communicating a bit difficul t. A bunch of us have put our heads

- together and come up with some thing that should please everyone - the

- 2600 IRC Network . Tha t 's right , a new network that 's completely

- independent of EFNet, undernet, dalnet, whatever . Simp ly change your

- server to irc.2600 .net and you 're in !

- As thi s is our own server, we can do wha tever we damn well please on

- it and you have more of a chance of implementing features that you

- want as wel l. Al the momenL, we allow usernames of up to 32 charac ters

- instead of the current limit of 9. We 're working on implementing

- secure connections for our users so the monitoring agencies can go

- back to real crime once again . And , at long last, 2600 readers will be

- able to contact people in their areas by simp ly entering a channel

that identifies their state or country . For example, #ks2600 is the

- 2600 channel for Kansas , #2600de is the 2600 channel for Germany .

- (States come before the 2600, countries come after . A full list of the

- two-letter codes is available on our seyver .) And , as always #2600

- will exist as the general 2600 channel, open to everyone at all times .

- You can create your own channels and run them as you see fit , in the

- tradition of IRe .

- We look forward to seeing this network grow and flourish. Help spread

- the word - irc.2600 .net - a network for hackers , run by hackers .

Page 22 2600 Magazine Te lco-Ba bb le One mega-binder is equivalent to 25 super-binders. And last, one ultra­ binder has 25 mega-binders or 39,625 pairs of colored wires. This is equiva­ lent to one ultra-fiber optic cable. n't too hard now... was it? t to that for tele­ are more than rs, re are ribbons in- ate each individual cept, binder. hat is interesting about it is into the subject and that the color code applies to it - col­ . t on it. ors respe to the color code sep- ed with respect t the w that no confusion nic Di wh confu- air C di d bo was wr nd the !pum(J�!1\lLt.,o r under- mation in their quest for knowle e in the v cable the Information Age. What was ex­ sequences with respect to the color plained was the color code. The color code. Practice using the terminology code is the foundation to understand­ with a telco person who works out in ing the wires that are used for our the field and that person will be im­ telephone connections. When you see pressed. As for understanding the var­ a telephone cable, it will be a dull sil­ ious networking protocols, packet­ ver/greyish color and will have a vari­ switching, TCP/IP, to name a few, ety of different colors of wires. When they rarely understand it (not to casti­ you strip the wire, it is copper. And of gate their intelligence). This is from course, copper is a conductor of elec­ my social engineering with others in tricity. the field. In contrast, the tel cos pro­ All of the wires have different vide us with services that are vital to specified colors with respect to the the connections to the communica­ color code. Understanding the se­ tions terminals so that we can have quence will help you understand how our Internet and telephone connec­ to connect it to a 66 block, for exam­ tions. ple. Encountering other types of cable As a techo-dweeb dilettante, the with the wires inside will show the telco realm was different compared to various colors of the wires. It will be the computer/electronics realm; two in a different sequence, but the con­ completely different entities. I rarely cept applies as it does to all other use the color code, but it's good to telephony cable. Now that there is share the knowledge with others not clarity to the purpose for the wire, I'll familiar with it. When the two are in­ expand on the different types of termi­ tegrated there is an appreciation for nology pertaining to how the cable is the cabling, terminals, and connec­ defined. tions making it possible for communi­ For the standard telephony cable, cation lines to be in existence. Yet, inside there are 25 pairs of color­ it's fascinating to ponder how a cop­ coded wires. The definition for the 2 5 per wire with plastic wrapped around pairs of wires is called a binder. From it in various colors is vital to the com­ the definition of a binder, we can ex­ munications that we are using today pand our telco jargon. One super­ and for tomorrow. binder has 2 5 binders with 625 pairs.

Winter 1999-1900 Page 23 An Intro to Paging Networks and POCSAG/FLEX interception code on that frequency will beep and re­ by Black Axe ceive the data. Second, it means that one Pagers are very, very common nowa­ can monitor pagers that are not based in days, Coverage is widespread and cheap, their area. Based on the example of Dave's and the technology is accepted by most. pager, he might have bought it in New Ever wonder, though, what happens on York City. He also could live there. How­ these paging networks? Ever wonder what ever, because the data is transmitted all kind of traffic comes across those pager over the coverage area, monitoring systems frequencies? Ever listen to your scanner on in Boston, Washington DC, and Philadel­ a pager frequency in frustration, hearing phia could all intercept his pages in real the data stream across that you just can't time. Many paging customers are unaware interpret? Want to tap your radio, get a de­ of their paging coverage areas and usually coding program, and see what you've been do not denote the NPA (area code) from missing? which the page is being received. This can Before I begin, let's cover just exactly cause problems for the monitoring individ­ how those precious few digits make it from ual, who must always remember that seven the caller's keypad to the display of the digit pages shown on the decoder display pager in question, Or perhaps your moni­ are not necessarily for their own NPA. tor.... Let's entertain a hypothetical situation The Pager Decoding Setup in which I would like to speak with my Maybe you knew this, maybe you did­ friend, Dave. First, I pick up my phone and n't. ... Paging networks aren't encrypted. dial Dave's pager number (555-1 234). I They all transmit data in the clear, gener­ hear the message "type in your phone num­ ally in one of two formats. The older for­ ber and hit the pound sign." So I comply, mat is POCSAG; which stands for Post enter 555-4321# and then hang up. Office Code Standards Advisory Group. Here's where the fun starts. This is all POCSAG is easily identified by two sepa­ dependent on the coverage area of the rate tones and then a burst of data. POC­ pager. The paging company receives the SAG is fairly easy to decode. FLEX, on the page when I enter it, and looks up the cap­ other hand, is a bit more difficult, but not code of the pager it is to be sent to. A cap­ impossible. FLEX signals have only a sin­ code is somewhat akin to an ESN on a gle tone preceding the data burst. Here's cell phone; it identifies each specific pager how to take those annoying signals out of on a given frequency. The paging company your scanner and onto your monitor. You will then send the data up to a satellite will need: (usually), where it is rebroadcast to all I. A scanner or other receiver with a towers that serve that particular paging discriminator output. A discriminator out­ network . (Remember last year, when put is a direct connection to the output of everyone's pagers stopped working for a the discriminator chip on your scanner. fe w days? It was just such a satellite that This is accomplished by soldering a single went out of orbit.) The paging towers then wire to the output pin of the NFM discrim­ transmit the page in all locations that inator chip to the inner conductor of a jack Dave's pager is serviceable in. In this case, installed on the scanner. RCA jacks are let's say that Dave's pager has a coverage commonly used for convenience. A list of area that consists of a chunk of the East scanners and their discriminator chips can Coast, going from Boston down to Wash­ be found at ington DC, and out to Philadelphia. The http://www.comtronics.net/scandata. tx t. page intended for him is transmitted all For obvious reasons, the larger and more throughout that region. Since a pager is a spacious a scanner is internally, the easier one-way device, the network has no idea as the modification is to perform. to where the pager is, what it's doing, etc. 2. A computer is required to actually in­ so it just transmits each page all over the terpret and display the pages. Most pager coverage area, every time. decoding software runs under Win95. This "So?" you may say, "What's that do for includes all software which uses the sound me?" We ll, it means two different things. card to decode signals. If you have a data First, pagers can be cloned with no fear of slicer, there are a few programs which will detection because the network just sends run under DOS. out the pages, and any pager with that cap- 3. You will need a Soundblaster com-

Page 24 2600 Magazine patible sound card. This will let you snag proceeded to look up everyone who had POCSAG traffic. Or you can build a data copies posted on the We b and told them slicer and decode FLEX traffic too. Or you that if they didn't take those specific pro­ can be lazy and buy one from Texas 2-Way grams off of the Web, it was court time. for about $80 or so. The Soundblaster The threatened webmasters removed the method will obviously tie up your com­ offending copies, fearing a lawsuit from puter while decoding pages. Using the Motorola. After this, our good friends from slicer will let you run decoders on an old the United States Secret Service arrested DOS box and will let you use your better Bill Cheek and Keith Knipschild for mess­ computer for more important stuff. ing around with decoding hardware and 4. Antennas. cabling, etc .... You will software - the SS appeared to want to make need an RCA cable (preferably shielded) to data slicers illegal. Of course, these arrests take the discriminator output either into were ridiculous, but nobody wanted to get the sound card or into the slicer. If using a busted .... so the vast majority of resources slicer, you will also need the cable to con­ on American websites disappeared. Check­ nect your slicer to your computer. As far as ing around English or German sites may antennas go, pager signals are very strong, yield some interesting results. so you won't need much of an antenna. A Now you're ready. Fire up the software. rubber ducky with a right angle adapter, at­ Get that receiver on a nice, hot frequency. tached right to the back of the radio, will Look at all of the pages streaming across be more than enough. The signals are so the network . Give it a few hours ... getting damned strong that you might even be able bored yet? Ye s? Okay... now that you have to get away with a paper clip shoved into a functional decoding setup, let's make use the antenna jack. Think of what kind of an of it. Know someone's pager that you want antenna your pager has; this should give to monitor? Here's how to snag them .. you a good idea of what the requirements First you need the frequency; it's usually are in the antenna department. inscribed on the back of the pager. Also, Connect your scanner's discriminator you can try to determine what paging com­ output to either your data slicer or your pany they usc, and then social engineer the sound card. If using a sound card, be sure freq out of the company. www.percon­ to use the line in connection. If using a corp.com also has a search function where data slicer, connect that to the correct port you can locate all of the paging transmit­ on your computer. Tune yourself a nice, ters (and fregs) in your area, listed hy who strong (they're all strong, really) paging owns em. Not bad. So you have the fre­ signal. quency... now what? We ll, wait until you Where are they? We ll, the vast majority have to actually talk to this person. Get of numeric pagers are crystalled between your setup cranking on the frequency that 929 and 932mHz. Try there. Or if you want this person's pager is using. Now, page to try decoding some alphanumeric pagers, him. Pay close attention to the data coming try the VHF range around 158mHz. There across the network... see your phone num­ is also some activity in the 460-470mHz ber there? See the capcodc that your phone range. number is addressed to? That's it. Some Now what about software. you say? hetter decoding programs have provisions That is where things start to get somewhat to log every single page to a certain cap­ difficult. Motorola developed most paging code to a logfile ... this is a good thing. Get protocols in use and holds licenses to a data slicer, set everything up on a dedi­ them. Any software that decodes POCSAG cated 486, and have fu n gathering data. or FLEX is a violation of Motorola's intel­ For updates to this article visit the lectual property rights. So one day, the Phone Punx Network (http://fly.to/ppn). people at Motorola decided that they didn't Mail can he sent to the Phone Punx want that software floating around. They address and it will find its way to me. DO YOU HAVE A SECRET?

!Is It something so sensitive you can t risk us back­ Lracing your fingerprints fH.)m the envelope you mail us? We understand. That's why our fax machine is always ready to talk to

Winter 1999-1900 Page 2S STIITlll1 NEWS

We've decided 10 lurn back Ihe hands of time and embark on a shreWd markeling plov. ERectiVe immedlatelv, our subscription price Will r// reven 10 whal h was nearlY len vears ago - amere $18!

Why are we doing thisil Have we complelelY 10SI our mindsilWe will not dignify that with a >-==-- response. Bul we will say Ihal we are looking 10 gel more subscribers �__:::::::-- and, since Ihe vasl majorilv of '"""'-- people buy 2600 In Ihe stores, this

- seems as good a way as any. Plus ifll ��_ _ shut up Ihose people who complain F_:r'�� '"""� thai subscribing is more eXlensive than boving II al lhe stands. Thars no longer Ihe case. Now, in addition to not having 10 fight in the aisles for the latest issue and being able to place free markelPlace ads, vou will also save money over the newssland price. Just like Time and Newsweek.

We're also lowering Ihe price of our back issues. Whh even issue we Slockpile, we lose more space so we'd reallv like to get rid of the damn things. You can now gel back issues for $20 per year or $5 per issue from 1988 on. Overseas Ihose numbers are $25 and $6.25 respectivelY. Name: AmI. Enclosed: __ _

Address: Apl. #: ______

CiIV: State: Zip: ______

IndIVidual Subscriptions [Nonh America)

o 1 Year - $18 0 2 Years - $33 0 3 Years - $46 Overseas Subscriptions

o 1 Year, lndividual - $26 lifetime Subscription [anvwhere) 0$260 Back Issues $20 per vear [$25 Overseas)' 1984-1998 Indicate vear[s): _-----,��--=-_-=------,�,-­ PhOIOCOPI Ihis page. lill it OUI. and send il IO: 2600 Subscriplions. PO Box 152. Middle Island. NY 11953

Page 26 2600 Magazine • tant concern. Reporters need to get theIr "'Aby JimC� Nieken rff� 14�PTA . work in on time, and that can sometimes Much has been said lately about JOur- mean sacrificing accuracy for haste. nalists and the their outright No one wants to print an untruthful disregard for n Mitnick story, but the fact is that the less time and others, criticized you spend researching, the less quahty foray into rs. Few information you will get. That informa­ would deny , . influe?ce of tion also needs to be analyzed if it is to journalists, no one slil,lilmsto hke be conveyed correctly, which also takes them. They tend't ackers and time. most other "un de subcultures in Looming deadlines are not the only a negative light, a .fe can't get your side . f Qu won't talk, Years ago, when I was just getting � and newspapers may b� , ot�ed to pnnt into the newspaper business, a gnzzled i t only what they have h,ilrd from other old editor took me aside and explained sources. Those may by y?ur , �nds and what I was really supposed to be doing .f � fa mily, but they coulda��o ��cl lhe police there. "My job," he said, "is fi lling up and other government age�oles, or the newspapers. Your job is meeting dead- . guy whose life was ruin d+because he lines." His point was that whde Journahs­ i� missed the season premIere of Ally tic integrity was all well and good, McBeal when you took out the electric newspapers couldn't print blank pages. company. Deadlines are not just a part of the job; they are often the single most impor-

Winter 1999-1900 Page 27 up a piece of writing like you wouldn't The Interview as Seduction and believe. If you're not careful they could Betrayal even end up right in the headline. If it In college, a journalism professor once takes three minutes of set up and hypo­ told me that there arc only two kinds of thetical situations and philosophical justi­ people in the world, those who are inter­ fi cations before you can say something viewed often and who know how to be in­ like, "".so I guess if looked at it that way terviewed - and those who aren't and we should probably just blow up the don't. As a reporter ;l;iget most of my in­ phone company building," you can be as­ formation via the inf�,rv iewing process, sured they will not print the philosophical but no other newsgath!,ring technique has justifications and skip right into your ad­ a greater potentfa( fgt �istorting informa­ mission of a terrorist plot. tion. Unlike a &<;hool district budget, or As an interviewee, you can help in a the winner .01'an election, or somcthing number of ways. First, don't say anything equally quantifial;!ie. c�hv ersations are that needs a lot of background or buildup. more subject to int!,,rpretation than most We work with sound bites, and you people realize. Yo�r ideas must survive should never say anything you don't want the transfer into your own w�.ds, into my printed unless you make it clear that it's head or into my notes, into .new words in off the record. All reporters will respect the fi nal story, past the;mercurial tempers your wishes to not have a quote printed, of various editors, and fi naIty back into but always pay attention to what you are the heads of a hundred thousand t�aders. saying. Don't say anything too socio­ It'snot at all uncommon fOf peoplc to pathic. Go slowly. We can only write so complain that they were misquoted or fa st, and it allows you to choose your misrepresented when they see their WOf!-jS words more precisely. If you're ever sus­ in print. I hear it all the time. picious, ask the reporter to read your The distortion extends beyond merely words back to you. Make sure you like getting the exact wording of a quote what it says, because they may come back wrong. Words arc usually taken totally .�P haunt you and this is the only chance out of context, poorly extrapolated from you are going to get to change them. sloppy notes, or even shamelessly fabri­ Al$p , always realize that you never have cated. It's very uncommon for a reporter .to answer any question asked by a re­ to totally fa ke quotes (we tend to be porter. We 're not cops, and we can't force pretty anal when it comes to what's inside you to do anything. On the other hand, quote marks), but danger lies in how most journalists have large expense ac­ quotes are set up. It all depends on how counts and. brihes are an extremely com­ your comments are explained and what mon industry practice. You might suggest context they are placed in. that you sit dowifover dinner to talk. Be You could say something like: "I don't sure to order a dessert. really like people who break into other Jounlalists May Be Stupid, But people's computers just to mess with Our Re rs Are Even Stupider .�,,� stuff. I mean, the idiots usually deserve My handYi;.. � ierl;lsoftWord grammar what they get for leaving stuff wide open, checker tells me that this document is but it's really mean and no one should written at or around ��e 10th grade read­ take advantage of people like that." ing level. This means that if you can read But a week later this might be printed this paper without mOV;!Tlg your lips, you in the local paper: "".One hacker said are capable of reading at at least that that he fe els no sympathy for people level. Most magazines and nearly all whose computers are attacked or vandal­ newspapers are written at or around the ized. 'The idiots usually deserve what 6th grade level. This is not because this is they get for leaving their stuff wide all the average American can handle. open,' he said casually." Rather, it keeps Joe Public fr om choking The quote was reproduced accurately, on his coffee at 7:30 AM as he slams into but the context was totally reversed. Be­ words like "axiological." Put simply - ware of this. Reporters lovc juicy, cal­ newspapers are mass mediums. They arc lous, or controversial quotes. They spice consumed by the general public, and are

Page 28 2600 Magazine written so people don't have to know any­ would expect the Associated Press, CNN, thing about the subject being reported. ABC, and the average local paper to at Newspapers are expected to provide least get the basic information correct. I only general information and basic facts. would bet some amount of money that You might succeed in explaining the intri­ CBS, NBC, MSNBC, Fox News, and most cacies of exploiting a CGI loophole and larger city papers retain at least a passing stealing root access on a server to a re­ resemblance of reality. As for most Inter­ porter, but the writer still needs to ex­ net news clearinghouses, any local televi­ plain that to 500,OOO"oon-technical sion news station, or the likes of MTV - people. Most jou are fa irly good at their efforts are more akin to self-serving assimilating in£' ut they are propaganda than journalism. I wouldn't still not likelft al details cor- trust MTV to report anything accurately, rect. Even 'i f th stand it for let alone something as delicate as what it some reason", s likely t£t get twisted in means to be a hacker. h the translation,. '; {i,�:I:,., jill Every news-gathering company has a There is little YO-lt, different perspective on sensationalism gard, other than to tr,lI �iir:jng your versus responsibility. It's probably in language. Assume tJf'�,'�p�ter has no your best interest to evaluate how much clue when it comes to techno.(lJ'gy, and no you trust the particular organization be­ intention of printing au.ything t4i �east bit fo re you consent to a story about or in­ technical anyway...... ' .. ' " volving you. If you don't already trust . ' . most or all of what they tell you, don't Journ alism is a Bu�iness: expect that you and your story will fare A Lesson in any better. One thing you can do to help is to constantly mention how much you Economic Theory distrust the media and how they've let News reporting organizations are nahl you down considerably in the past. Bring public service. They are a business' like it to the fo refront of the reporter's mind any other, and they must remain prof­ accuracy is more important to you itable if they want to continue printing 01' 'th at what is provocative. Make him or broadcasting. In order to do this, they th;an her·,think that they will be betraying you must run interesting stories about inter­ misrepresent you in any way. It esting events. If that means slanting an �f,t�)! usuall helps a lot. issue or exaggerating a point, it can eas­ y ily be justified, Most of my journalism Conf.l�Qsion: Reporters are classes in college centered on giving oth­ erwise mundane stories enough "sizzle" 'eople, To o to make them interesting. But there is a If YQu ever fi nd yourself the subject of duality at work: "sizzle" versus "respon­ a news story, be aware that the end prod­ sibili ty." Most reporters have no desire to uct will ptoba"!�,not show you the same print a fa lse story, but most reporters way you sil6eiyl'll1rself. Complicated de­ have no desire to print a boring story ei­ tails tena fo be simplified, and that can ther. Often the two sides are at least par­ mean a signifie:lI!ilf'change for something tially in conflict . But it could be worse as technical as computer hacking. than that, depending on the particular Like I said, no reporter and no news­ ethics of thc organization doing the news paper wants to prinl an ilntruthful story. gathering. It's not likely that they will totally fa bri­ The journalistic reputation of the net­ cate fa cts, but they carrbe tnen out of work or newspaper doing the story is typ­ context and reworked to create a more in­ ically a good barometer of how concerned teresting story. Reporters often go into a they are about responsible reporting. I story with preconceived ideas, aild it can would trust PBS or Th e New Yo rk Ti mes be difficult to change them. Just act nat­ with just about anything, although they ural, be truthful, and explain things as make errors like anyone else. I would clearly as you can. If the reporter is any trust the Boston Globe or thc Wa shington good, you may actually like what you Post to get most of the story right. I read in the paper or see on TV a few days later.

Wi nter 1999-1900 Page 29 EOPLE WHO CAN'T EEP QUIET

knowledge is truly power. I don't belong to any groups, I Inequities don't seek approval from "peers" or posers. I learn for Dear 2600: the sake of learning. About Kevin Mitnick, I think that I was recently listening to the 8/ 1 7/99 Off the Hook the real crime he committed is not that which he was and reading the latest copy of Popular Science. While charged with (or even what he was not charged with). looking through the ads in the back of PopSci I came What he pled to was rather small potatoes. Social engi­ upon the part in the show where you discussed the fact neering doesn't deserve four and a half years in prison. that DirectTV sued Dan Morgan for having inhmnation Hut I know what the government thinks does deserve it: on how their technology works as well as ads for tech­ Mitnick's forbidden knowledge. Simply put, Mitnick nology that bypasses their enclyption and I noticed knows too much for the rulers' comfort. As I said before, something. PopSci, a reputable and widely distributed when knowledge is forbidden it is power. I dusted offmy magazine, runs ads for cable descramblcrs. These, as I copy of The Fugitive Game a few days ago, and right on recall, are illegal in most areas and have virtually the the back cover Mitnick says: "They're saying that I'm same function as the encryption bypassing technology John Dillinger, that I'm tenible, that it's shocking that I advertised in Satellite Wa tch News. Upon further investi­ could get this awesome power.. .. People who use com­ gation I found that Popular Mechanics (PopSci's sister puters are very trusting, very easy to manipulate. I know magazine) also runs these aus. What the he11 is the deal the computer systems of the world are not as safe as they with this? Not to mention that the whole case violated the think." First Amendment and is complete and utter bullshit. That is Kevin's real crime: exposing the fault lines Ackbar in the power ofthe ruling class. Therefore, we should say As this HY1S (j "civil" case, it was relatively easyfor that he is proudly I!uiltyas charged, and that the govern­ a /arf.!,(! cOIfJoralioll like General Motors (you do know ment's Orwellian psychological torture experiment on that General Motors mt'llS DirecTV, don ', you ?) to shut Mitnick is just a symptom of how fragile their hold is on dmvn a puny puhlisher like ",)'alel/ite Wa tch News. " In those who have the knowledge. Free Kevin for the sake this case, the ji:Jc{ that SWN daredto print articles detail­ of Kevin, but also to show that the Power can be fought ing how nss signals could he decoded was enough to in� successfully. Kevin Mitnick and Bernie S. have already cur GM :v wrath. Even wilh the First Amendment and shown us that it is truly We the People, and not They the man.','lo.val suhscrihers Oil OIU< " side, it can (?lien he im­ Rulers, who have the power - when we have the knowl­ possihle to sutl,ive the filiRation that a corporale giant edge. And Ihal, not social recognition or publicity, is the clin muster. By the �vay, \

Page 30 2600 Magazine saying that helshe didn't want to damage their karma (or by all means please do. However, I and many more like get caught), Not only did this person not take anything, me, feel it is far more beneficial to beat society at its own but helshe left the door open to the truck so the driver vain and superficial game. would come back and sec that someone had been in it. Major Motoko This way the driver would learna lesson and not keep the This works fine if you 're Raing "undercover" for a door unlocked again, Now there are some people who specificproject. But fTumy people expand this to include believe that that is the right and moral thing to do, J'm their school, work, and family life, all f;" the sake of' not necessarily patronizing these people but here is my making things easiet: Only problem there is that the more side. you play that game the more you need to. When your de­ This anonymous person said, "My hacking philoso­ signer jeans turn inLo mortRa!?esyou find it much harder phy has usually been one of education." This is my phi­ to turn on the idealism when you fe e/ like it. !l You don 't losophy as well. If I steal equipment out of a cable or sell out your valuesfrom the start, you 'lI.find it a lot eas­ Bell truck, I could educate myself by examining it, or ier to hold onto them in different situations. }hu might maybe even use it for some phreaking phun. If I were to also be surprised how much you can Ket away with while steal any handbooks out of these trucks, then I definitely being "weird, " would be educating myself. There may be valuable infor­ mation in these books that I could not find anywhere Difference of Op inion

else. By doing this I don't believe that "A life of crime is Dear 2600: my goal." Yet a life full of knowledge and excitement is. I read the infonnativc article in the CNN Internet I think this is important to talk about because steal­ section (cnn.comffECHIspecials/hackers/qandas). I be­ ing for the sake of knowledge is a subject that hackers lieve it was your editor who responded to the questions and phreaks on any level can disagree upon. by CNN. I really do appreciate your honesty and candid TeckX3 response. I am a person who believes that the govern­ BRONX ment and the corporations have been misleading us for Yo u raise an interesting point. We strongly helieve decades. There is much evidence that this is true. I do not ' that obtaining knowledge l!lhmvsomethin;; w()rk�; isn [ II believe that everything I read or see 011 a web site is ac­ bad thing. But (f you then use that knowledge in a de­ curate. On the contrary, being a thinking person, I take structive way, that is where you 've gone wrong. As fo r everything that I hear or read wilh a grain of salt. Being a how the knowledge is obtained, that too can make a hig thinking person, I feel I should respond to your response. d(fferellce. rryou shoot and kill a technician because you Pirst off, I believe your logic is quite Hawed. Pagers, cell want to read one qf his numuals, the knowledge isn 'f so phones, and computers are primarily communication de­ much the issue as is hmv you obtained it. Same thinK with vices. They arc not toys. According to your mentality it is breaking into a van to steal something. Yo u're actual!.v okay to steal something if others leave it out in the open. physically breaking into something and }'OU're depriving Your philosophy leaves much room for the justification someone (�rsomething that is their,\" (stealing). Th at\'far of breaking and enlering, and copying web pages that dU/erent from copying it or trichng the company into don't belong to you. One could perceive your actions ,md sending you a copy. In desperate limes, sfealinK can he the actions of all of your group as the selfish behavior of the only way to survive. We just don 'f helieve it:\· quite at individuals who have very little respect for the privacy of that point yet. other individuals. In response to your opinion that hack­

Dear 2600: ers should not be prosecuted and put in prison it's not This is in response to oolong's letter in 16:2. I must surprising considering that most criminals do not under­ say I am in complete agreement. Sadly, in this day and stand why they are in jail. We as a society cannot let our age most everyone judges a book hy its cover. Therefore, private belongings and documenls be subject to the crim­ to further advance our causes, I think it is vitally impor­ inal class. As long as your organization believes it has the tant to remain ever so "underground" even if that means right to steal from others (just hecause you can) and take (shiver) conformity on the outside. After being involved advantage of new technology to the detriment of your with computers for quite a few years now and also in­ fe llow brothers and siste", I will never support hackers volved with the general pUhlic, I have t'lUnd itis far eas­ or their belief systems. It is interesting that you feel you ier to get what you want and get away with it if people are doing this country a great service by being the first to feel you are like them. If wearing Tommy Hilfiger and break in and rearrange legitimate web sites, believing Calvin Klein keeps people from being suspicious and that if your organization did not do it first, that interna­ even judgmental, then by all means have at it. Neverthe­ tional terrorists would get around to it. But that is not the less, keep doing whatever you want in your own time. way it hnppened, is it? Unfortunately, your organization Then again. if you feel it is necessary to spike your hair has become the terrorists you say you so adamantly op­ three feetover your head, dye it purple, and pierce every pose. loose piece of skin you possihly can (J am being Ferr Jeffrey Seelman stereotypical here and sport eight piercings myself) then Milwaukee

Winter 1999-1900 Page 31 Theres nothing like a letter that starts off really nice But the matter, save his probation, will soon be behind and then plummets into name-calling and fo olish sim­ him, so we can at least celebrate that. I look forward to plicity. Now let:, try and stay civil. We do not condone listening to Kevin alongside Bernie S. on Off The Hook theft. However, your definition of th�ft is so incredibly sometime in the future, and I look forward to replacing broad as to include things like copying web pages! Yo u the "Free Kevin" bumper sticker on my car with a need to realize what theft really is - taking something "Kevin is Free" sticker. A good job all around. away that isn 't yours to take. Simple enough ? When you EchoMirage take something, its not thereanymore. Copying afile is­ We hope you 'remaking the stickers this time round. n't the same as taking it. Now you can argue that this Dear 2600: doesn't make it right and maybe that:, true. But it doesn't Over the summer I was a counselor at a national make it equivalent to whatever crime you want to punish computer camp (Ogelthorpe University in Atlanta) people fo r. As fo r your little rant on our inability to re­ where I taught 16/32 bit Intel x86 assembly, c, c++, and spect privacy, perhaps you should look at who is invad­ Pascal to around 250 kids. During the two weeks that I ing yours. How much junk mail you getfrom hackers? do taught and had fun (it was a blast surprisingly), I would How many times have we entered your name into a data­ sit down daily with a group of my students during breaks base and shared it with several thousand of our friends ? and explain to them the whole Mitnick affair, what hap­ How many times have we left your private info lying pened, what went wrong, etc. I've never seen so many around jo r anyone to stumble across ? Hackers have little kids filled with such enthusiasm on a politicaIJethi­ learned these things through exploring and refusing to cal issue such as this. It was awesome the reactions that believe everything they 're told. Hackers encourage the were raised from our discussions. Now there are some use of encryption in order to further protect one :\. pri­ 250+ kids ranging from 8- 13 or so running around in At­ vacy. Ta ke good look at who opposes strongencryption {l lanta with an insanely enthusiastic Free Kevin mentality and direct your anger that way. We 're sorry you don't about them, which can only help the situation. I think think '!f'pagers, cell plumes, and computers as toys but that we (as in those who back Mitnick and want to fight we always will and it:,from that enthusiasm tlull we will the hell he's going through) should try and educate the design applications that you would never dream of That upcoming generation on the whole affair whenever the is entirely your loss. YtJU may think it:\, appropriate to im­ opportunity arises. I think a lot of times people just try prison people who don buy info your values and occa­ '[ and target an older generation because they can do some­ siO/wllyembarrass poweiful entities. We don 't. thing about it right now, rather than the generation who Dear 2600: in five or six years will have the power to make a differ­ First thing's First i know since im on aol i'm a ence. We have to think of the future, not just the present. "lamer" or Whatever you wanna call me but im also on skaboy mIRC ...but the Reason im writing this letter is because i Good points. And in case anyone in Atlanta was wanna FuCK up AOL and i found some Stupid String to w(}nderinK what all the noise was, now you know. make "guides" "host's" "rangers" and "ints" if 2600 Dear 2600: put's this in a Mag the Strings might be dead Cause they The lesson taught by the U.S. government prosecu­ change them monthly but since im SuCH a HaCKeR if tion of Kevin Mitnick should clearly show that all hack­ you need them or need the new one's if there Dead Email ers should unite for the common purpose of bringing me @aol.com use Subject "aolsucks" or something Gay down the U.S. government through the disruption of its like that well here are the String and go OSW the FUCK computer systems. There is already a replacement gov­ outtia some Guides =1 Gudie String=NME Host=ISV ernment ready. It's manifesto can be observed at: Ranger=OlA int=WPL www.angelfire.com/onldonemperor/index.html. Thank KeeP it ReaL in tha 9d9 and PHrEAK the Fuck out­ you. tia some PHoNeZ fer me Don L, Da "Sleep" We ll now that the replacement government is ready, YtJU watched the MTV.'pedal, didn't you ? Anyway, you what are we waiting for? reallyneed to lu)()k up with the writer of the letter befiJre yours. There s rUJ end to what the two of you could teach Dear 2600: each other. I just wanted to let you know that while I was at school one day, we had a guest speaker from the FBI. He Mitnick was a Special Agent from the Kansas City Branch. When

Dear 2600: I asked him about his thoughts on Kevin, he didn't say Congratulations to Kevin Mitnick, the 2600 team, much. This got all my other classmates wondering who and everybody who played a part in spreading the word. Kevin was, and he still wouldn't talk about it. It's like the Justice still evaded Kevin, he was by no means treated agents are told not to talk about him. He did say that he fairly, and the remaining aspects of his sentencing are thought that Kevin deserved the time that he got, and that still unacceptable given his time in jail without bail/trial. was about it. CherryPie

Page 32 2600 Magazine It took a lot of guts to speak up like that. The things smudged, we 'll repeat the gistof it here. It's not so much some kids aredoing in school today area real inspira­ the actual guilt or innocence but the fa ct that when you tion to us. see the autharities distort the trath and abuse the system as we have seen with the Mitnick case and others, it be­ Dear 2600: I found your article "Slow Motion" very interesting. comes much easier to take other such claims seriously whereas thase wha never question the authorities would I had not previously seen any articles that detailed the re­ cent history of Kevin Mitnick. I found the money issues never consider this/or a second. It seems quite apparent to be quit enlightening and almost laughable. I wonder that there are more than a fe w improprieties in the pros­ how many others suffer similar fates, yet remain anony­ ecution of the Mumia case - the wide assortment of peo­ mous. ple aroundthe world calling fo r a new trial is something BADJRM that should be taken seriously. And, fo r the record, Shi­ To o many, we 'resure. We will try to keep updated on momura is Japanese. as many as possible. Dear 2600:

Dear 2600: I happened to be in the parking lot of the Navy Hos­ How in the world do you actually think the Mitnick pital in Beaufort, SC today and saw a car with a "Free case is unfair when there are so many more unfair cases Kevin" bumper sticker on it. I've been following the in this world? Kevin, sorry to say buddy, but you are the story since I first read it in 2600 and explained it all to my least of anyone's concerns. There are people right now wife. We are both glad that it is winding down but are on death row. And you are sitting here in a little jail cell still angered over the treatment of him. I was just amazed getting money from big time nerds who think you are that your outreach is so far, that bumper stickers tum up their shrine. How can you tell me that you think five in the craziest places. years is bad compared to someone who is right now on Also, in the 16:2 2600, ethan wrote about a secret in death row for life and every week you arc getting a letter Excel 97. There is also one for Excel 95 for those of you saying this is the last week of your life. Well Kevin, sorry who haven't upgraded yet. Go to line 95 and select it. Hit buddy, we do not care that much about five years of your the tab key once. Then click Help, then About. Now hold bad life. That fiveyears would be like heaven compared down SHIFT-ALT-CTL and click on Tech Support. to one week on death row. So why are you guys promot­ There you are. Now you can explore all around and ing it so it won't happen again? Stop trying to raise check it out. If you go to the wall to the left of where you money for this one guy. We are not playing favorites over start and move up against it, then type EXCELKFA, the here. Let's get some money to all of the people in jail, not wall will disappear, and you can continue up the path. If just one dark who got busted for computer fraud or what­ you make it outside, let us know what's out there. I keep ever he got charged with. I subscribed to 2600 for years fal ling offthe damn ledge. and years. Then finally the whole book is a Kevin Mit­ Suicidal nick book I'm paying for. Do us a favor. Just drop it. Stupidity matt The only thing more annoying than people who don't Dear 2600: careare people wha pretend they do. We doubt you really I was glancing through some of amazon.com's more give a shit about anyone who 's suffering so just drop the interesting books when I noticed a link at the bottom of fa cade. the review inviting the author to submit his comments. Curious, I followed it, wondering what kind of verifica­ Dear 2600: tion system they'd have to keep ne'er-do-wells from im­ I was recently reading a letter written by Brother In­ personating some poor writer. As it turns out, they ask ferior in issue 16:3 about bow the Mitnick case and the you once, politely, if you are indeed the author, after Mumia Abu Jamal case are so closely related. Let's think which you're pretty much free to post whatever you about the facts for a moment. Mumia is in prison because want. I've currently "authored" several books and I still he murdered a cop (whether out of cold blood or self de­ cannot believe security could be this lax. I stuck mainly fense.) Mitnick trespassed on computer systems and with obscure technical and conspiracy books, but I don't caused $4000 of damage (who did it affect, that Chinese see anything stopping your readers from penning such dude, and now he's a millionaire). How can we even masterpieces as The Iliad or The Collected \I-hrks of think that these two cases are at all related? Mitnick did Shakespeare. Note: Ali I had to do was find a book with­ something that really hurt no one and Mumia did some­ out an author review and go to it. As long as you stay thing that affects the fam ily of the cop, the police force, within the rather loose submission guidelines, Amazon and probably a lot of other people. You do Mitnick a dis­ will post the most bizarre author comments. But try not service trying to relate the two people. So stick to your to rag on a writer too much. These guys have to make a skate mags, and don't buy 2600 any more. living too. Expect your comments to be posted in 5-7 Darth_tampon days. In case our re,\ponse to that letter somehow was kippIe

Wi nter 1999-1900 Page 33 Yo u're absolutely right ahout the shoddy verification wrong ...." Basically, nullification (which by itself might on Amazon. lV(> were a hit skeptical at/irs!so we decided not he a bad thing), "regardless of legal instructions in­ to try it on one (?four fa vorite titles. Within days, "How volved with controversial issues, products, or services." 7h Become a Pokemon Master" had our rather cryptic Mildly interesting, to be sure. The plot thickens. Of remarks attached to its Amazon entry, no doubt con/us­ the six prejudices jurors would not be able to overcome - inf.?and inspiring kids all around the �v{)rld. We 're curi­ as you might expect, white supremacists, gun manufac­ ous what other odd remarks will pop up between now turers, tobacco companies, breast-·implant manufactur­ and the da,v Amazon wakes up. ers, and HMOs were on this list --- "(1 computer hacker" placed second, a mere 12 percent behind the white su­ Dear 2600: premacist and five percent above gun manufacturers, I was watching C-SPAN on Sept. 20th at about 8 same with tobacco, and eight percent above both breast­ pm, and Matt Drudge and Mike Kinsley (of slate.com) implanters and HMOs. were being interviewed by the show's usual guest, Brian You're so right ahout the insanity of this country to­ Lamb. After his usual political conspiracy rantings, wards inquiry. Kevin might be a hard luck story readers Drudge launched into an attack on hackers, calling them can connect with on an abstract level, but these kinds of wimps. He tried to get Mike Kinsley to join in, but he'd surveys should wake the hacker community up to the have none of it. Drudge claims that it's "hackers" who fact that the public is now gunning for you. messed up his viIe web site dedicated to scandal, yellow c. edward kelso 'journalism," libel, innuendo, and sensationalism. He FISTICUFFS zine also gloated that he railed against hackers on a radio Dear 2600: show (I'm not sure if he was a guest or if he now has his I work [or a financial services company here in the own show). He also all but called them cowards. UK. Recently I was part of an evaluation effort on a I'm not shocked that an amoral nitwit like Dmdge product called Session Wall. This is a straight scanning would liken "hacker" to a person who acts in an illegal program that can filter by content type and either block, fashion. Nor am I shocked that he'd lump them all to­ log, or warn an admin of sites. The categories are as you gether. What does shock me is that he was stupid enough would expect: Sex, Terrorism, and so on. One category to challenge "hackers" to hack his site again. which caught my eye was "Criminal or Subversive Con­ Jack O'Lantern tent". The IT guy said that the settings for the blocked Think how bad we 'd all tl'eli/he said he liked us. sites were as the product came out of the box. The only Dear 2600: two sites listed as Subversive or Criminal were Recently. I was perusing my Octoher 5, 1999 edition www.2600.com and www.kevinmitniek.com. of the Orlando Sentinel, the local paper for most of us in Thought you'd like to know. the Central Florida area. On page A- II, in the Op-Ed Arcoddath section, Leonard Pitts of the Tribune Media Services had Scotland an article about how Viacom chief Sumner Redstone said OK, we ·re convinced. N{)b{){�v likes us. the news media was being insensitive to Chinese and Dear 2600: Cuban leaders. Mr. Pitts was very sarcastic with all of There's a simple bug in the proxy software we this and then made a general apology to "all the nation's have running here at work and r d guess that it's avail­ .<.;windlers, drunken drivers, hackers, car-jackers, robbers, able in most proxy software. We're running a program rapists, stalkers, murderers, and molesters." He then goes called Cyher Patrol that can restrict access to web sites on to say "Hey, just because they're the scum of the earth that are deemed inappropriate but it only matches a list doesn't mean they don't have feelings." Now guess of www.*.* strings and not IP addresses_ which gtoup of people he mentioned that pissed me off Any idiot can figure out that resolving the IP ad­ the most. At the end of the article, the Sentinel says that dress and manually entering it in your web browser "readers can contact Leonard Pitts via e-mail at elp­ will still get you to the page (simply ping sex.com, get [email protected] or by calling him toll-free at 1-800-457- the IP address, and you're on your way). A bug this 388 1." I encourage everyone with the time to contact large shouldn't be allowed in something that claims him and explain in a mature and intelligent manner that "Cyber Patrol is the Internet filtering software rated the hackers do not belong in the same category as rapists and best by educators, industry and leading magazines" murderers. If you can't explain your position to him (www.cyberpatrol.com). without being a moron, don't e-mail or call him. Annbis Dr. Bagpipes Handy Stuff To Know Dear 2600: In the November 8, 1999 Rusiness We ek, page 6, I Dear 26()0: noticed an anecdote entitled 'The List: Justice American If you go to www.mapquest.com and get a map by Style." Part of the blurb reads: "Half of all Americans searching by area code and prefix, the star should be the say that they would act on their own heliefs of right and location of the CO t()f the exchange. Seems to work in

Page 34 2600 Magazine most of the cases. It's very cool ! Yet I got banned from my computer lab and sentenced to J. Arthur Ballarat a month of ISS (in school suspension). I slowly fen be­ Los Angeles, CA hind because of the school's apparent apathy about my We fo und this to be amazingly accuratein just about further education (you see, they don't let you out of ISS everyexchange we entered. What a great way to findthe until you are completely caught up with your work and location of your central offi ce! you've completed your term). I flunked the grade be­ Dear 2600: cause of that. After a rough start in the next year of high school I dropped out. I think that the whole Mirnick case Yo, ever heard of www.freei.net? There's a thing I has put quite a paranoid spell over many people. Seems discovered in it where you can surf without the damn as though the media dropped the topic when the tables ads. Here's how: After you download the software and were turned. The governmenthas made quite an example sign-up and shit, just open up the program as usual, then and 1984 is just around the corner. wait until it loads completely. When you see "Freei Net­ hightechno works" on the taskbar, right click it and select "Close". When it says "Disconnecting from Freei. It may take a Dear 2600: few minutes" or something like that, press Ctrl+AIt+Del Why are people so afraid of hackers? People in my and select "Goodbye from Freei" and press "End Task". school are afraid I'll do something to their credit or When the "End Task" prompt shows up, press "End something, and I never even threatened any of them. I'm Task", and voila! 11,e Internet connection stays and the starting to wish I did. ads go away. Valen I'm only eleven years old, by the way .... Understandable but you must resist the dark side. mad kow diseez And already figuring out how to defe at commercial­ My steries ization of the net. Dear 2600: In the lot beside my aparlt11ent complex there is a The High Cost of Learning BellSouth building. I've never seen anyone go through Dear 2600: the front door or corne out of it, but I have seen a few I found out how screwed up this world is over the people driving out of the barbed-wire gates in the course of two to three weeks. I minimized this window evening. The building has no windows, flood lights on that comes up on boot up. The librarian went over to the all sides, and the front door (which is glass) opens into a computer and freaked out and rebooted it. Later in the very small, empty room with another door. The second day when I went back to the library, she pulled me aside door is significantly heavier (wood or metal) with one of and asked me why I messed up the computers. I was like those swipe-card security boxes. There is no office or what the hell. She threatened to give me two days of in­ secretary, and I'm not sure why they even have a front school suspension if I didn't tell her what I did to mess door. What is this place? I imagined it was some sort of the computers up. Also, my friend asked about Kevin substation thing but why does it look like a maximum se­ Mitnick and if they had any books about him. The librar­ curity prison? What is so important inside that they have ian freaked again and made him walk through the little razor barbs around? Are they just really paranoid about scanner thing two times and empty his pockets to make vandalism? sure he didn't steal anything. The world has all the wrong drdoom ideas about us. I think it is stupid to think that we all have This sounds like a central offi ce where calls for the malicious intentions. What do you think about this? area are switched. It could also be a toll station used fo r gpf muting long distance. Since that is the heart of the phone Stupidity breeds in schools. system, the security is understandable. Many central of fices these days require little in the way of human pres­ Dear 2600: ence which would explain why people are seldom I would like to add another incident to the ever around. }(JU can use the method another reader submit­ growing "guilt by association" section. I was also caught ted above fo r trackingdown your central offi ce to see if in school reading your zine when I got sent to the office that :\. what it is. If it isn 't, keep asking questions until for a lecture and apparently marked as a computer ruf­ someone tells you. Yo u have everyright to know. fian. First I was accused of stealing a Macintosh camera, which they later discovered was the doing of someone Dear 2600: else. Then I was accused of "hacking" on a teacher's In the main library of my city, I saw that they computer, when it didn't even have a modem. Afterthat I changed the old Windows NT computers to computers was told that I had "made an alias hard drive" on one of from Sun Microsystems running Solaris. The interface their Macs which was complete crap. I don't even know sucks ass and the keys are misplaced. I found out that if what the hell that is, if it's even an actual tcnn or even you press alt-o and type anything you want, you'll get a possible. I have no experience with Macs whatsoever. gray screen that says: "Whatchew talkin' 'bout, Willis?"

Wi nter 1999-1900 Page 35 I wonder what is that? Retail Tips Jack Dear 2600: From what we 're told, this has something to do with I am sure you have all seen the credit card boxes in the financial difficulties "Different Strokes " star Gary most stores. They have an LED message bar at the top, a Coleman has gotten into. Since he gets a royalty every numeric keypad, and a place to swipe the card. I have time that line is used, his financial standing will soon be seen them almost everyWhere, including Blockbuster, restored. Yo ur library will receive a bill every time you Wal-Mart, and Ingles. They are out on the checkout do that with the help of the secretlocator chip that comes counter for all the patrons to use. The heart of these ma­ with all upgrades. chines is a simple modem setup. Hmmm, modem. The HotmaifHijinx modem calls the store's system, wherever it may be, each Dear 2600: time a credit card is used. In 16:2 Letters, ZeROLogiKz wrote about hidden Here's the kicker. The setup program for each mo­ text located at the top of Hotmail's website. His assump­ dem is accessed through the credit card boxes ! I found tion was that Microsoft was "withholding" information this out by accident one day while messing with the box from viewers. That's not the case at all. What Microsoft in Blockbuster. Aftertrying different key combinations, I was doing was attempting to improve their search engine was prompted with the setup options on the little green listings, by stooping to the level of a sparnmer. LED screen! I reset the modem, and the system hung. Hiding text in web pages is fairly common practice, The idiots working there were like "What the fuck hap­ and it's done by matching the text color to the back­ pened?" As it turned out, they apologized for a "power ground color. The hidden text will usually have some­ surge" (heh) and gave us our rentals for free! thing to do with the topic of the page itself and So I know what you are thinking, "That's great, but oftentimes, it'll be nothing more than large groups of how do I do it?" Well, the answer is simple. Every one of similar words. The idea is to pad the page's content with these machines is made by the same company, and there­ extra instances of key words, in hopes of being listed fore there is a default key sequence that will enter setup higher in search results. Case in point, at Hotmail, the on most any machine. By default, no password is re­ hidden text talked about "Free Email (Electronic Mail) quested, however I have encountered machines with on the Internet." password protection (in Wal-Mart). To enter setup you You 'll findthe same phenomenon at most porn sites must press the upper right and lower leftkeys simultane­ - visit any porn site and do a Select All. Chances are ously, then the lower right and upper leftkeys simultane­ you'll find a huge string of hidden words, e.g. "ass tits ously. This should get you into setup on 90 percent of all sex fuck" etc. The site's webmaster has placed these boxes. If you findthat the box is password protected, of­ words on the page, hoping that his site will be listed first ten it is the store number which is on all receipts. I have when someone heads to Altavista and searches for some­ rarely encountered protected ones. Apparently, most thing nasty. stores think that all the protection they need is an obvious Of course, what most webmasters obviously don't key sequence. Typical. realize is that these search-engine-spamming tactics Once you are in, there are plenty of options, such as don't work. Search engines, for the most part, aren't run changing the number to dial, resetting the modem, set­ by idiots; and the folks who operate the major search en­ ting the baud rate, and even better stuff. I am not telling gines are always installing new filters to combat spam. you this, though, so that you can steal credit card num­ For example, most search engines now check for the bers; this is to simply give you more knowledge. If you presence of a BGCOLOR tag in every page, and will ig­ steal credit card numbers, you are reflecting poorly on and noreany text that's set to the background color. Some en­ yourself the hacker community, so don't. Have fun gines take this a step further and ignore text that's with this, and keep information free. anywhere near the background; e.g. #F3F3F3 text on a WillyL. AKA Ve rba #FFFFFF background would be ignored. Most search This is an excellent example of what the hacker com­ engines also filter out words which recur too often, large munity standsfo r. In the eyes of the ignorant, there is no groups of words with no punctuation, etc. other use for this information except to commit a crime. You'd think that Microsoft of all companies would There is nobody at our offi ce who upon reading this did­ know that hidden text is the most outdated (and useless) n't immediately head over to the 24 hour supermarketto trick in the book. Regardless, I guess what surprises me try this out. It'swhat you do with the knowledge that de­ most is that Microsoft would even want to spam the termines what kind of person you are. There are those search engines like some shady porn site. As if there's a who would already condemn you fo r telling us and cer­ person on the planet who doesn't already know what tainly they would condemn usfor telling the world. Play­ Hotmail is - or where to findit. ing around with such a system may get you into trouble Shaun but its little more than curiosity and experimentation. Memphis, TN both healthy things. Now, if you rig the thing to call a number and approve yourfa ke creditca rd, you become a

Page 36 2600 Magazine thief as soon as you start stealing. That defines where we Dear 2600: draw the line: at the actual commission of a crime. Not In response to a letter from charr in 16:2, the newer the spreading of information, not the theorizing, not even version (3.0) of AIM will not let you hex the advert.oem the experimentation. Va ndalism and theftare easily de­ file and get away with it. I tried hexing it as usual. Then I finedyet our critics want to muddy the waters by extend­ saved it. When I brought up AIM and signed on, I no­ ing their definitions to encompass speech and simple ticed nothing had changed. I got hack into the Hex editor mischi�f. All this will accomplish is to create a whole and found that the original file was restored. I don't know new population of so-called criminals. Unfortunately if AOL reads 2600, but somehow they figured it out and this seems to be a growing trend. found a way to ditch it. If anyone knows how to get Dear 2600: around this, please let us know. Anyway, since reading that article, I've been hexing all my programs that have Recently I was in Borders Books and I really wanted to get this Linux book with a three disc set but it cost 70 ads in them including Juno and Go!Zilla. Sirblime bucks. I only had 30 on me. It just so happened that there was an older edition of that book that was only 29.99. I Dear 2600: swapped the price tags. When I went to the trontcounter, Another Bell Atlantic update. Their recently up­ the lady didn't even think twice when she asked for 30 graded voice mail has a special feature. Try dialing 7 or bucks. I started to get really curious about this. I came 9. This used to be used for moving back or forward back the next day and found another expensive book but through a message. Now when you press 7 or 9 you can this time switched the price tag with a book on a com­ hear parts of other people's messages. Messages that are pletely different subject. I went to the checkout and the tram someone else's voice mail entirely! Another inno­ lady said it was the wrong tag and she had to look up the vation brought to you from Bell Atlantic. real price. A few days later I was at CompUSA and they Loggia had two versions of visual c++; professional, which was We strongly .\'uspecf this was a temporary problem $450, and learning, which was $80. I switched those tags and that it was only in your area :\' s)'stem and not in and it worked. every system, at least not at the same time. However, it�, SenorPuto yel another reason why getting voice mail thnmgh the Good one. Now try this. YtJU can avoid the hassle "l phone company is a pret�v dumbmove. paying entirely by simply running out the door while Dear 2600: holding the item you wish to take. Thismay result in loud To check your long distance carrier (inter-LATA), noises, shouting people, and sirens of various sorts. We you use, as always 1-700-555-4141. The new number to sugXesf experimenting as much as possible and keeping check your intra-LATA carrier is 700-4 141 (just the a log of' what different stores do. And if' by some bizarre seven digits). twist of fa te you wind up in a courtroom, slww the judge dannyh this letter. They need to laugh too. YtIU can actually enter any jilUrdigits after the 700 Dear 2600: fo r this new number. In addition, you can sometimes get Coupla add-ons to finn's letter about ATMs and some rather interesting results - in some areas we 've OS/2 in 16:3. OS/2 is very widely used in banks, Na­ heard an IDfrom NYNEX, a company that hasn't existed tionsBank and Bank of Boston being two of the biggest. since 1997. In addition to banks, POS systems use OS/2, as he/she Dear 2600: stated in his letter about Kinkos. Take a look next time A letter from CorLan published in 16:2 told of a lit­ you are at Ruby Tuesday or a bar with a touch screen sys­ tle string which will make a pop-up ad pop right back tem, eight out of ten times it'll be an OS/2 driven system. down again afterwards. Well, there's an easy way to keep creatnre the darn thing from popping up at all. The HTML (no­ script) tag does what it says - it turns offscripts until the Up dates tag is undone ({/noscript)). We ll, since the pop-up ads Dear 2600: are popped up by java scripts. a well placed {noscript} This is in response to "the ninth name is NOD's" let­ tag will keep the script tram ever happening. For those ter about the secret in www.whatisthematrix.com. There who use Tripod, the script is automatically placed in the are other names that you can type in too. I just viewed the {head}, so putting a {noscript} before the head (and a source and it came up with these: geof, skroce, darrow, {/noscript) after, if you use scripts later on in the page) wrong number, guns, morpheus, trinity, deja vu, steak, will do the trick. Incidentally, no ad will pop up if you agentbullettime, crash, lobby, mirror mirror, neo bullet simply do not use a {head} tag at all, but that's usually time, SENTINEL, NEBUCHADNEZZAR, SEN­ not practical .. If you also use scripts in your {head}, it T1NELLLARGE800x600, and site credits. shouldn't be too hard to figure out where exactly the kAoS script goes, and place your {noscript} and your scripts strategically. (I think you can put a {noscript} after the

Winter 1999-1900 Page 37 {/title}, and then put your scripts, but I'm not sure.) For dows and Macintosh systems. Once they leave you can those of you unfortunate enough to be using Geocities, I plug it into your Linux box, call up tech support, tell believe the script is put at the very end of the page, so just them your new mac address, and you're good to go. But slip in a {noscript} at the end. Personally, I prefer to use if you have a problem you're out of luck, because they the many free web space providers that are actually free, don't support Linux, and also the box has to be locked up with no ad requirements or anything. from hacker activity. They do random scans for open Sir Reginald ports and potentally illegal activity. And lastly, the priut All Dear 2600: and file shariug thing is not valid. modems have the ports for that blocked out and the only way to get them I am writing in response to the article in your last is­ removed is to ask for them to be removed. sue about hacking the gated community TVIphone entry ScOOter box. Whoever wrote this ought to be shot for giving such little info. I looked all over my apartment building'S box Dear 2600: for the manufacturer, but it wasn't displayed. Luckily, In "Iuternet Radio," theJestre recommends portscan­ the box broke soon after that and a repair technician was niug the Real Audio server to get the port it's running on. dispatched. When he arrived, I went right up and asked lt would be a hell of a lot easier to just connect to the him who manufactured the box. He also let me have a server, netstat -a, then pick out the connection you're peek inside. He said it was the Sentex Systems, Infinity looking for. The single connection would look a heckuva "L" Series. You can download information about these lot less suspicious than an entire portscan on a 2000 port machines at www.sentexsystems.com. I found that it is range. (By the way, I've found many servers on port rather simple to dial into these boxes if you set up your 7070.) terminal properly. You must use TVI 910 emulation. No, emdeo all you Win 95 losers, you can't use HyperTerminai. Get Dear 2600: a real term prog. Set data bits and parity to 81NII, I just wanted to add a little bit of info to AllOut99's XONIXOFF, and the manual also says full-duplex modchiplGame Enhancer letter. First, there are a few dif­ (FOX) but I didn't need to set that in mine. The baud rate ferent versions of modchip, and if you're duped into buy­ is tricky so you may need to reconnect at different speeds ing an older one, you'll find most newer games don't starting from 14000 and working your way down until work. The latest version uses the Stealth program, which you get it right. The particular box I was dialing into is only detected by the newest Japanese games and a gave up the handshake without any further configuration, very few cruddy American releases. So the stealth mod­ but the troubleshooter's manual I downloaded from the chip is perfectly viable right now. I own one. The Japan­ website states that some units are configured to require a ese version of FF8 detects the stealth modchip, but "." folJowed by a six digit access code before the hand­ Square (good guys, them) removed it for the American shake starts. Fortunately, the factory default is 000000. release. My guess is they realized they'd be locking out a The backdoor code for pre- 1994 models is 736839. good portion of their audience. There is no logging mechanism for dial-in, so a late­ If some game you want to play detects a modchip, night brute force broken over several nights should work you can either use a game enhancer code that fo ols the also. This same code can be used from the keypad to en­ modchip detection used in the game, or apply a simple ter ''program mode". Just type "***" and then the six patch to the ISO image you're copying. These can be digit code. Once inside, there's not much to do. You can found all over the web, and are mainly for PA LINTSC make the door open at certain times if you want or conversions. A note about using game enhancers exclu­ change the clock time. Although it is pretty cool that in­ sively instead of modchips, though: I've read that you stead of my last name, my friends have to scroll down to cannot use them to play multi-disc games. A second note: SATAN when they come over. modchip burners can be made for less than $20 and the Wisbing he was back in New York software is freely available. I recommend going this Dear 2600: route if you're in for a challenge. If not, I bought my Regarding the article on Infiltrating MediaOne, if I modchip from www.psxtune.com and am completely may correct a few points .... The biggest error is the pass­ satisfied. word thing: MediaOne's default password is never On the complete opposite end of the spectrum now, ''password'' and if the tech that set this up set it to that, I'm enlisted in the Air Force, and they do use TEMPEST he 's a moron and probably doesn't work there anymore. in buildings and computer systems that deal with classi­ In my experience it's always been HSD then a random fied information. However, we aren't told anything about number, and I think they've changed it since then. Also, it other than the fact that it exists. I don't work around you can call tech support and change your password that anything classified (heh, or so I'm led to believe), so way, not just through the web page. There also seems to snooping around probably wouldn't do any good. But I be this strange idea that MediaOne doesn't like people certainly wiIJ write if something interesting ever pops up. running Linux. They actually don't care what you run, Ell but the techs are only trained to do installations on Win-

Page 38 2600 Magazine for us. Please have a section honoring the U.S. Navy Dear 2600: Seals. Thank you. Black Knight I must have had a slip of the fingers in my letter to We 'll devote a whole issue to them ifyou tell us how you. The phone test number in Long Beach, CA is 117 in hell we reminded you of them. (not 1170 like I wrote). Dial it, wait a moment, and a voice will come on the line saying something like "Proc­ Dear 2600: ter Test..." and then give you a verbal menu of all the I don't kuow if you are in a position to answer this tests you can do by pressing the numbers (it's a long list). but I thought I would give it a try. I am completely fed up SAR with rude people and their cell phones. Especially people Dear 2600: who can't resist answering and talking on them in movie theaters, restaurants, etc. An inability to drive and talk at Hey, remember that trick for Hotmail where you the same time is also high on my list. I was hoping to find could get into someoue's account if they were logged in? plans for a box that would automatically disconnect cell Hotmail fixed it immediately but there is another way. phones or cause so much static that the owners could not However, it is hard to implement. You need netbus or use them. Given my limited understanding of how cell some other remote admin tool where you can get a phones work I expect the easiest option would be to cre­ screen dump. When you are logged into Hotmail, you ate a great deal of static by transmitting noise across the will notice in the location box a bunch of gibberish. If correct frequency range. Making them call back and you can get a screen dump while your victim is logged in adding up connect charges several times before they give to their account, and you type the gibberish into your lo­ up would be very satisfying. Even better would be the cation box, you can get into their account as long as they ability to make it ring again and again until they turn it are logged in! hiddenlOl off but I'm fairly sure that is not possible. Otherwise known as jumping throughhoops. Russ Dear 2600: Dear 2600: I just picked up your Fall '99 issue a couple of days In response to your 16: 1 article "Hacking a Sony ago. Great stuff. I always get excited when I peruse Playstation" and the letter from mattin 16:2, I would like through your mag and find code, especially socket code. to follow up. First, if you look on the bottom of your I'm a beginner socket programmer, and any articles that PSX, in the top right cornerof the label, you will findthe have code in them really help me out (the socket pro­ model series. The Playstation has evolved throughout the gramming articles in 15:3 and 16:1 got me started). If I years - from changing the position of the laser, changing could just ask one thing of people who submit source the writing on the button etc. - but in essence it is still the code for their articles, it's to please, please, add com­ same (although the 1000 series is supposed to be slightly ments to your code. You may be able to understand it, but faster). I myself am the proud owner of a 1002 model. others may not. Thanks again, and keep up the good However, onto the point. The late 7000's and the 9000's work! have, as matt said, a steel case over where the mod chip sureshot would go, but all the models (even my 1(02) have a par­ allel port, where I stick my "GameBooster." This lets me Ripoff play imports, copies, and GameBoy carts. Very useful. I got mine for 315 pounds (yes, England). Another method Dear2600: to playing imports and backups is the disc swap. Press On this month's telephone statement (Bell Atlantic) I Open, and find the button at the back that detects the noticed there was a $5 charge for switching long-dis­ cover is shut, then stick in a pencil, blu-tak it to the top, tance carriers. The switch was from MCI WoridCom, ad­ and voila. Now stick in a regular game, wait for the dress in Denver, to WoridCom Inc., with an address in piracy screen, then rip it out and stick in a copy/import. San Antonio. As we kuow, these companies are now the This is risky though; you have to rip out the game while same company. it is spinning, and I will take no responsibility if you I called to complain, received a credit and apologies, screw up. On a side note, if you own a 1000 and the laser of course. But I wonder how many MCI WoridCom cus­ has packed in, or you notice decreased performance, turn tomers will be billed for a nonexistent switch to World­ the Playstation upside down. May sound crazy, but it Com and pay, not noticing the problem. works. Larry caS Observations Suggestions Dear 2600: I'm not sure if you've gotten letters like this before, Dear 2600: but I thought this might be of interest. I've noticed a little As I was reading your magazine the other day I re­ membered the U.S. Navy Seals and everything they do continued on 48

Winter 1999-1900 Page 39 HOW TO [REATE NEW URBAN LEGENDS his five year old son a big bear hug. He by Jim Johnstone heard a terrible cracking and the boy Urban legends are fantastic stories was rushed to Vancouver Public Gen­ people tell each other. They hear the eral Hospital. The x-rays revealed that story from a friend, who heard it from the boy had fractured three lower lum­ someone else, and so on. The result is bar. (A broken back.) Not only did the the same as playing that kid's game of chiropractor instructor not accept his telephone; the stories evolve, often be­ new promotion. the next day he tear­ coming funnier, scarier, or sicker. They fully announced to the class that he also take on local characteristics, some­ was resigning immediately. times naming local streets or cities or Analysis: Any story where a kid dies even names of people. And, of course, or is hurt gets passed around by anx­ they become impossible to verify. ious parents. This story works because The growth of the Internet has pro­ it's ironic. it's a chiropractor of all peo­ vided an ideal medium for the transfer ple who broke his kid's back. He goes of urban legends. They can now be e­ from being on top of the world to re­ mailed to people around the world signing in disgrace, all in one day. The quickly and easily. story also plays on people's fears about Common Characteristics of cracking backs. Every story needs a Urban Legends hook that makes people pass it around. Many urban legends contain similar Moral: Don't hug people too hard, characteristics. Usually they have a especially if you are a chiropractor who moral to tell. "Don't do this" or "Watch just got a promotion. out for this." Many e-mailed legends co­ The Miracle Diet erce people into sending them onwards, My aunt's friend worked with a often by using guilt or appealing to a woman who was always trying these sense of ethics. Some legends are down­ crash diets. One day she came across a right gruesome. They tap into our sub­ small classified ad for a revolutionary conscious fears causing us to exclaim, "I pill that guaranteed rapid weight loss. knew it!" Other urban legends contain She paid and was sent the pills in the subtle and overt humor. (Like the story mail about a week later. To her delight of the woman who found a stray dog in she started losing weight. Slowly at first New York City. She took it in to her then fa ster and faster. She went from home, fed it, washed it, bought it a flea 200 pounds to 125. Unfortunately, by collar, and took it to the vet. The vet the third month, she was feeling more examined it and told the woman she and more nauseous. One day her doctor had actually caught an oversized wharf took some x-rays of her intestines and ra t.) found a three-foot tapeworm growing Three New Urban Stories inside her! The diet company had sent The Excited Chiropractor her a pill infested with tapeworm eggs. This happened to my friend's chiro­ She was given anthelmintics, a drug practor instructor at a college in Van­ that kills worms, and put on a diet high couver, BC. He said that one day during in iron salts. The salt caused her to gain class the president of the college all her weight back, and she ballooned walked in and announced that the pro­ again to 215 pounds. fessor had been promoted to head of Analysis: Have you ever imagined the department. Everybody clapped what it would be like to have a three­ and congratulated the beaming man. foot worm attached to your insides, Later that night when he went home slurping up all the food you just di­ and announced his good fortune to his gested? You probably have. I just took family he was so excited that he gave

Page 40 2600 Magazine this fe ar and escalated it. To add some credibility to an otherwise unbelievable humor, I made the woman gain all the story. Again, I used humor and irony as weight back ii as punishment for her the catch. The big thing going for this being so goddamn stupid. tale is that it panders to society's fe ars Moral: Don't try miracle pills or of technology. crash diets. Also notice how I used the Moral: The Internet is evil. word anthelmintics. Using jargon makes Creating your Own Legend your story more believable. (I also used Watch out. Some people will be up- jargon in the chiropractor story with set at you for creating yet another un­ lumbar.) true legend that circulates through Man Dies Proving Internet is society. There is a mass movement on Safe for Children the Internet of people dedicated to de­ AP - Jesse Solomon, 55, died yester­ bunking urban legends (see Barb day after a bomb that he was building Mikkelson's website - www.snopes.com exploded in his arms near Flagstaff, Ari­ and the Computer Virus Myth's page - zona. Solomon was apparently proving kumite.com/myths). They think we to a friend that the Internet did not waste our time passing on useless sto­ provide dangerous information about ries or hoaxes - it's also annoying log­ how to construct bombs, Molotov cock­ ging on to your e-mail account to 50 tails, and poisonous substances. messages, half of them silly stories that Jason Riggs, Solomon's friend, said have been forwarded to hundreds of the two had been arguing the week be­ people before you. Then again, almost fore about the dangers of the Internet. everybody enjoys a good tale. "I told him that children could find Generally folklorists don't think it's stuff that could do a lot of damage. I possible for people to make up an ur­ said the net should be more regulated." ban legend. Jan Harold Brunvand, au­ According to Riggs, Solomon disagreed. thor of several popular books on urban "I downloaded a text file about how to legends, believes that true legends de­ use household chemicals to make a velop from people changing details of a bomb right in your kitchen," said Riggs. story until the story develops its own When he showed Solomon the informa­ oral tradition. Scholars call this process tion, Solomon denied that the recipe communal re-creation. But if your story would work. "He called it a hoax and an is clever enough, it might get e-mailed urban legend and said that he would to hundreds of different people and de­ prove it to me." velop its own tradition. The next day Riggs was phoned by Okay, so how do we do it? Just think Flagstaff police and asked to identify of a good story. Make it funny,disgust­ the body of his friend. Constable ing, not too unbelievable, and perhaps Samantha Heathers said that an ambu­ add a moral. Say that it happened to lance was called to Solomon's residence your friend's mother's dentist. Keep it after neighbors complained of an explo­ local, use street names if possible. I sion. Police found remnants of a strongly suggest that you don '/ make it makeshift bomb and evacuated two cute and cuddly. There is nothing more nearby apartment buildings. Solomon annoying then reading about some was taken to Hotel Dieu Hospital but women who met the man of her dreams was pronounced dead on arrival. and blah blah blah. Keep it vicious and "He was trying to prove to his friend sadistic - for entertainment purposes! that the instructions for making the Feel free to use the ones I just made up bomb were bogus," said Heathers. "Peo­ or change them to your liking. Once ple should be very cautious about what they're out there, you can forget about they receive on the Internet," she copyright or anything like that. They added. The police are still investigating are in the public domain. Just remem­ the incident. ber that by creating urban stories Analysis: You will notice right away (they're not legends yet!), you're not that I made this story sound like a news exactly making the world a better place report. Don't be afraid to try different to live. styles. In this case, a news report adds

.------Wi nter 1999-1900 Page 41 U.S. DEPARTMENTOF JUSTICE STAMPS, NEGOTlABLE INSTRUMENT, OR Federal Bureau of Prisons OTHER ITEMS RETURNED TO SENDER

TO: (Sender -- See Relurn Address) FROM: (Illstituuou) 17� PD ifJ 'Z. rvl lCU Ie" /tJ1«'d , jJ 'f /IQCJ3

INMATE'S NAME REGISTER NUMBER: DATE-

Material Returned

You enclosed with your correspondence stamps The below material cannot be _ or stamped items that cannot be given to the inspected without damage. inmate. Electronic Musical You enclosed with your correspondence an Greeting Card incorrectly prepared negotiable instrument. Padded Card (Negotiable instruments require the inmate's _ __

committed name and register number.) Double Faced _ Polaroid Photos You enclosed unauthorized material: _J Other - specify below Body Hair

Plant Shavings

xually Explicit Personal Photos __ ;e Other - specify below _ /

The correspondence or letter bas, however, been provided to the inmate with a copy of this notice.

Specific Material Returned (y)�I'o.Z iV\ '!" In-tvof rvl,w(p -�i-t fV,r01f£t \, CJJdt.

(Printe

DISTRIBUTION· Original - Addressee (with material) Yellow - Inmate Pink - Mail Room File Goldenrod - Central File BP-326(58) USP LVN JANUARY 1991

While we managed to suppress the urge to send body hair and plant shavings, we just couldn't resist sending two inches "of inter­ net, web-site material printed in code." That happened to be Kevin's e-mail that we've been sending him for years which has helped to keep him sane all this time. To these people, anything they don't understand could be considered a "code" which pretty much includes it all. Hackingby Bob IMploreragain, makes[th Ford seeme rather stuparid as] Since I only have my own vehicle I well. can't be sure if this will work on Now What earlier/later Explorers or any ofFord's Now that you have the code you get to other vehicles with keyless entry systems. decide what to do with it. You could change Entry the code on the door, but that's useless be­ Given that the Explorer in question has cause you can still use the permanent code. a keypad entry system let's begin. The num­ Nevertheless, here is how to go about bers on the keypad will range from I to 0 adding your own personal code (useful for grouped in pairs of two. For instance: {1-2} flauntingyour power over a friend). {3-4} {5-6} {7-8}{9-O}. These keypads Enter the permanent code. Within five come preset with a five digit permanent seconds press the {1-2} button. Within five code, which you can change if you so seconds of that, enter the new code. To please. Unfortunately the permanent code erase a personal code, repeat steps 1 and 2 still stays in memory. I've learned that you but skip step 3 (wait six seconds). can hit any amount of numbers beforehand The car's alarm system (if equipped) as long as you get the code in the right or­ can be armed fr om the keypad by pressing der. So you can pretty much punch random {7-8} {9-O} and disarmed by simply enter­ numbers without stopping fo r any length of ing the code. The Autolock fe ature (if you time and not set off alarms, and still be al­ or your friend is cheap) can also be disabled lowed entry if you get the code in the right and re-enabled using the keypad. Just enter order. Also, hitting the {3-4} button after the permanent code (not the user set code) the code has been entered and the driver's and within fiveseconds hold the {7-8} but­ side door unlocked (it does this automati­ ton and then within fivemore seconds press cally when the code is punched in) will un­ and release the {3-4} button. (No, you can't lock all the doors. Turning the key twice let go of the {7-8} button - you just have to within four seconds in any of the car's stand there and look stupid.) locks also has this effect. Just for Fun Getting the Code Even without the entry code you can Ford is very stupid if the fo llowing is still lock all the doors on the car by holding true. The nature ofthe last three digits of in the {7-8} and {9-O} buttons at the same my entry code, "911," made me think that time. You can also set your fr iend's seat (if Ford may actually preset their numbers to equipped) to all the way fo rward (if they have this as the last three digits so that it are tall) or all the way back (if they are will be easy to remember. Ifthis is so then short). First, turn the car on. Then move the "XX911," where "XX" is any two number seat to the desired position. Press the set combination, would be the fo rmat to use in button, the light will come on. While the hacking the code. This will greatly reduce light is on, press control 1. the hacking time. If this is not the case then And while you're phucking with your the fact that you can just keep pressing but­ friend's car, make sure you slap a "Free tons randomly until it unlocks, instead of Kevin" bumper sticker on the back too. having to wait five seconds before trying Have fun!

Wi nter 1999-1900 Page 43 Net NannyNo nsense

within the fi les is encrypted, so you can't just open it up by Raz and change the password. But, if you open up the two Net Nanny is one of those many Internet "surveil­ fi les in a comparison program, you can see where in the lance" programs for Windows that is designed to allow fi le the difference is, thus what part of the fi le the pass­ parents to monitor and restrict their children's compu�er word is kept in. Once you know where it is, you can open usage, and children are pretty much the only people who up the original Wnn3b.dex in a hex editor, go to that part, will be restricted with this. This program is so shoddily and replace it with the same part of one of the other files. made I don't ow where to start. So I'll just walk you You now have a copy of Wnn3b.dex with the original set­ tings, but a different password. Just move it back to the Net Nanny folder and you're on your way. It would proh­ ased to watch web browsers, and ably be best to also keep a copy of the original file, so you can replace it if your parents or whoever administers it has to get into it. An easier, and probably the best way, to get into Net Nanny would be to move Wnn3b.dex somewhere, start Net Nanny, and make a new password. Now you have two Wnn3b.dex files: one for your use, and one for the person who thinks they 're in control. You could just switch them whenever you want to use it, and then change it back when you're done. I say this is the best way because now If the default installati you can control it to your liking, but still easily change it Nanny will be in C:\NetNanny back when needed. on the desktop and in the Start By far the easiest way to take control of Net Nanny Nanny, then it will prompt you for is to just reinstall it. If you don't have the disks your par­ wrong and it goes into the log. In the ents used to install it, you can just go to www.net­ installed, you will find six programs (0 nanny.com and download their 30-day evaluation. to administer, one to remove the program, Reinstalling Net Nanny resets everything back to the ers), help fi1es, readmes, dlls, and then som original, so it's just like when your parents first installed by Net Nanny to run. After a little experi it� time stamps, I fo und that Wnn3b.dex is the impor­ Surveillance Programs in tant fi le. It contains all the lists of words or sites to look for, user names, their passwords, and the administra General not intend this article to be solely about Net password. Vh oh, I accidentally deleted it. Will Ne . It is by far the worst of these types of programs I Nanny now crash my computer, or lock me out of the sys­ yet. I really just wanted to give people an idea tem? Of course not. Net Nanny is user-friendly. Just run orked, and perhaps other programs out there it and instead of asking for a password it will tell you way. Here are some things that will work there is none, and ask you if you would like to set a new programs, simply because they rely on one. Sure you would. s instead of the program's faults. That will work for getting into Net Nanny to admin­ see how gullible your parents are is ister. If you just want to browse the web without being ing program in a hex editor and restricted or logged, just do the old Ctrl-Alt-Del and " to "ON", "Enabled" to "Dis­ close the program named Wnldr32. Also, by simply mov­ hen they open up the program ing or deleting Wnn3b.dex from the Net Nanny folder, it on) they might try to turn stops Net Nanny from blocking or logging any Internet e actually disabling it for connections, be it web sites or irc channels or whatever. your autoexec.bat file This all could be fine for some people - just delete to print on the screen t the file or dose the program and you're done. But others serious error, and failure to of you out there may want to be a little more discreet lead to hard drive failure ing along those about your computer usage, or actually change the Net lines). Finally, the oldest tricks times the best. A Nanny settings. First, I suggest copying Wnn3.log to an­ key logger hidden in the background will tell you the other folder. This is the log fi le, and keeps track of password the next time someone tries to get into the pro­ everything relating to the Net Nanny program with time gram. stamps. Now, there are a few ways to get into the Net If you do find that whatever program your system is Nanny program. The hardest way is to move the fi le running has a main fi le where it keeps all its information, Wnn3b.dex somewhere, then start Net Nanny. Then make and if you get into the program and change the settings a password and exit. Move the new Wnn3b.dex and do it andlor password, you should copy it somewhere safe and all over again, but this time with a different password of set your system to copy it to the program's fo lder at the same length. Now you have two Wnn3b.dex files of startup. This will insure that your settings will always be the same size, each with a different password. Everything there, untouched. Good luck !

Page 44 2600 Magazine Why Redboxing Doesn't Work

by The pendent on any tones you cannot To understand red box local calls - unless you route them t�rough long distance carrier. doesn't work, it is , rn rV'. rl·<:> nt ? stand why it did Some�lmes this is possible; try dialing (and still ooes i a carneraccess code before your lo­ cal call. As an interesting sidenote understand the ' phones and toll collectincj"s,,'s te�rhs residential phones don'tl1ave a There ground start mechanism, which can create very amusing results if their line class IS inadvertently changed to

are a little less (503) call Gan­ Seat­ ree rates of

phones this type. oper- ations in southern Florida are an excellent example of this. The pri­ mary difference between a "standard" payphone and a COCOT-Wpe pay­ phone is that with a "standard" phone, toll collection and verification IS based in the central office. With COCOT-type phone t is handled the teleptione itself. .,.!I his is a distinction, which ;..,ro.,..;... ·. o later. There is

Winter 1999-1900 Page 45 Page 46 2600 Magazine The Sprint Integrated On-demand Netwurk [ION)

cities were chosen as the initial cit by Prototype Zero y networks was because of the existIng [email protected] conditions resident in each of them, Recently I happened upon a lot of including broadband MANs (Metro­ information on Sprint's new ION politan Area Network) and strong technology. I deCIded to share this customer bases. Sprint claims its info willl my community. ION ION lines can carry as many calls as stands for Integrated On-demand Sprint, AT&T, and MCI currently Network. The oasic idea of ION is to carry put together. Mmhmm .... provide customers with unlimited Here's how it works: The nation­ numbers of phone lines, etc. The sys­ wide Sprint Fiber-optic network is tem works by dynamically allocatIng connected to service nodes which in bandwidth to tne places it is needed. turn connect to the MANs. The fiber­ You can pick up another extension in optic network is connected to the In­ your home and link in to a conversa­ ternet and other data networks. The tion already going on, or make an­ MANs connect homes and small and other call as if you had two ph�me large businesses all over the city. lines, or more. No problems wIth Every residence / business would paying for extra lines for :rour mo­ have a central hub which connects aem, fax, etc. You pay Spnnt them to the MAN. A diagram pro­ monthly by how much bandwidth vided by Sprint shows a home hav­ you consumed. That could get ing a fax machine, a computer, an� a pricey. Not to mention you could be pnone line connected to a hub whIch constantly connected to the Internet has a direct line to the MAN. The as if through a Tl. general layout of the network is a Sprint nas teamed up with Bell­ star topology, with the fiber-optic core and Cisco, and are planning to network at the center. sell their equipment through Radio The Future Shack, who already carries a wide We can only wait to find out the variety of Sprint products. Bellcore is future of this emerging technology. I providing the central software will write another article on the pos­ framework for ION's network, in ad­ sible hackability of ION when the dition to providin� consultant ser­ technology becomes more common­ vices to ensure rehability of the new place (especially when I get to use network. Cisco will provide critical It). The idea of an extremely Wide hardware for the system, both in the Area Network sounds very interest­ CO and the home / business. They ing (hmm, how 'bout that Network will also provide the ability of voice Neighborhood?), and if the network over Asynchronous Transfer Mode becomes a commonplace technology, (ATM) and the ability to connect to it's our job to find out all about it. It other carriers' legacy circuit­ would seem slightly scary to have switched networks. Several compa­ your phone / fax / modem all hooked nies have committed to using ION, Into the same line and controlled by including Coastal States Manage­ the telco. Would you have a choice of ment, Ernst & Young LLP, Halfmark, ISPs? What are tne possibilities for Silicon Graphics, and Tandy. (Hey, wiretapping? Or packet sniffing? remember oack in the 80's when Mc­ We'll see soon. Donalds volunteered to test ISDN?) The city-wide networks were de­ My thanks to Ve geta125 fo r getting ployed (to the best of my knowl­ me a lot of info on ION, Bioweapo.n, . edge) last fall in:Chicago, Atlanta, Cheshire, and Crunchman fo r revlewmg Dallas, Houston, Kansas City, Den­ the article. ver, and New York. The reason these

"""""'--" ., .,�------

Wi nter 1999-1900 Page 47 glitch in the code. You should be back at the main screen. continue rom 39 electronic "push 7) Enter the following string: *3001 #1 2345# screen" teller machines at CitiBank. If you go to a vacant 8) A nice hidden menu will appear with lots of things machine and look down at the screen, you will see a to look at. We are really interested in the "Security" item prompt to put in your card. Start pushing at random so select it. places on the screen. You will notice that they all make 9) What you are looking at is the current security the same low beeping noise. However, if you push in the code for the phone. You can change it or merely memo­ upper right corner of the screen, you will hear a slightly rize it once and for all. higher pitched beep. Once you've heard the sound, re­ 10) Tum the phone offand then back on again. peat the pushing twice. Then get away. A new screen will II) When prompted, incorrectly enter the lock code pop up asking for the user to put in a CitiBank card. Even five times. if someone tries to do this, nothing will work. Instead, 12) When the prompt for the security code comes the machine will freezeand make more beeps. Scares the up, enter the security code. shit out of any unsuspecting person. Luckily though, af­ 13) The phone is now unlocked and ready for full ter about 30 seconds of the "freeze," everything will re­ usc. turn to normal. Just a fun little thing I like to do at If none of this worked then you are either doing CitiBank. something wrong, have a different (better)version of the errorshutoff software, or are simply using a different phone. I hope We published this a fe w years back actually. It:, not Nokia, Sprint, or whoever is responsible plans to offera a glitch but a fe ature fo r the visually impaired. It works software upgrade that removes this back door. Locking quite well too. But you need to enter numbers in a your phone is pretty much meaningless so be careful out slightly different manner. It'sfun to figure out so we won 't there. As a side note, this should also work with the 6188 spill the beans here. When you successfully complete a although I havc not tried it. transaction, you get victory music. Defeat music fo llows Dumah all fa ilures as well as all timeouts. Many an afternoon Dear 2600: can be spent repeatedly putting a row of ATM's into this Just recently, I was exploring the plethora of chan­ nwde and hearing the defeat music sequentially going nels on Cox Basic Cable in South Orange County, CA down the line in the midst of confusedbankers. and I stumbled upon something rather interesting. On Dear 2600: channel 117, there was some sort of active line-graph I don't know if this is common knowledge but here monitor on. No sound, no nothing. Just this moving line goes anyway. I recently got a Nokia 6185 and was mov­ graph. It looked like some sort of computerized seismo­ ing about the web looking for interesting infonnation on graph program. I turned on the same channel several my new phone. I found a review which makes reference hours later, and it looked like the same pattern. Probably to a string that would get you into the field test mode of looped. The same oscillated lines over and over. But the phone. I tried it out and let me tell you it offers a every day, the loop changes. I'd like to leam about the whole lot more than a toggle for the field test mode. Here computer that puts this through the broadcasting net­ is where the fun starts. The 6185 has two different codes work. What organization would be broadcasting such a you can setup, a lock code and a security code. The lock thing? Why? Why would it be just a looped pattern of code is used to lock your phone, meaning that a locked wavy lines') Would you have any idea what this is? phone will prompt you for the code if you try to make a Snot Guome call, get into the address book, etc. The security code is We 've noticed a similar channel but only when a TV used to give you access to various user system settings. is hooked up without a cable box. Might be a good idea Try this with your own Nokia 6185: to tape this channel and see when the change occurs. I) Make sure "Phone Lock" is on by going to Might also be a good idea to call the cable company and MenU/Settings/Security settings/Access codeslPhone demand to know why there s an alien �pacecraft on one lock and selecting on. of their channels. Something tells us our cable technician 2) Turn your phone off. readers will be writing us about this one so just stay 3) Turn your phone back on. It should say "Phone tuned. locked" at the bottom of the display above "Menu" and Dear 2600: "Names". I've had my Qualcomm (QCP-2700) phone for over 4) Selecting "Menu" will triggerthe prompt for the two years. Twice I've had the software upgraded and lock code. now have BH3.1 .09, PRL 231 installed. Millions of 5) Say you forgot your lock code and you continue these units are in circulation (under different names), and to get it wrong when prompted. After the five incorrect I would like to share what I know, in hopes that someone attempts you will be prompted for your security code. will write with additional information. You forgot that too? Never fear ! If you turn the phone on, press 111111 (six times), 6) Key "Back" from the prompt for the security then push the select key. You will go into a diagnostics

Page 48 2600 Magazine mode. The screen displays 1) Version 2) Programming 3) school network') I suppose they referenced me in a data­ Field Debug. base and I was the only one with my name in their list, In order to go into Programming or Field Debug, but it's not an uncommon name. you have to enter a password. I have discovered the de­ Paranoia? I don't know. fault password for the Field Debug screen is 040793 (or Dissolution X 040PWD). This won't work to get into Programming We do. mode. Dear 2600: Once in DEBUG mode, there are more options. I) As I was listening to the October 1988 edition of Off Toggle QNC (?), 2) Screen (Changes screen display into The Hook, I realized that while I am only IS, I really do Hex values), 3) Test Calls. feel like I am part of something specia\. When I think Test calls is what I am curious about. Oncein DE­ about computers, I think about them as "a gateway" to BUG mode, I have options to make the following types another world. I think of them as marvels. I can sit there of call: Old8kMarkov, New8kMarkov, New13kMarkov, for hours pondering over the internal workings of a 13k Loopback, 8k Loopback with an option below that Commodore 64, or a Vic 20, an 8086 laptop, 186, 286, says Start Call. Does anyone know what a Markov type 386, and so forth and so on. I've noticed today in fhe call or Loopback type call is? "computer" world, there are many people, young, old, Every time I ask someone at Sprint (my PCS new, who don't understand, but alasb believe they do. provider) or the people at Qualcomm, I get told to stay They think that "hacking" is composed of loading up out of diagnostics mode or I might have to bring in my their AOL, or any ISP connection for that matter, and fir­ phone for reprogramming. Why do I have passwords on ing away a nuker, eggdropper, or some other exploit. my own phone anyway? Isn't it my phone? Am I paying They don't understand that a hacker is not always some­ a license fee or do I not own my own phone? one who is malicious, or someone who only goes to de­ Shawn stroy, or ruin someone's day. They don't know that a real, An interesting phenomena takes place with some true hacker is someone who wishes to understand how phones (we 've noticed it on Samsungs) when in that something works ... who wants to dive into the depths of mode. On one of the test calls, the phone will redial the how this functions, how part A talks to part B, or how the last number it tried without telling you on the screen. computer can interpret input from us, in our human lan­ That phone will ring and the person who picks up will guage, convert and understand it in its own language, hear a scrambled signal that sounds like R2D2. No kid­ whether it be strict Assembly, Binary, Hex, C, C++, Java, ding. Astor the Screen setting, you will also see things in visual basic, Pascal, Fortran, Perl, Cobol, and so forth. there like signal strength and transmitter ident�liers. I am only in the IOfh grade, but already I know that I Dear 2600: do not want to go into this world as one of the people I'm not your standard paranoid guy, but what's hap­ who don't know A from B, B tram Q, 17 from 35, and pened to me seems incredibly... odd. 00 11 0 from 4e6. I am not exactly sure why I felt the need I recently got to college and noticed that I was be­ to write to you, but 1 needed to vent my voice. I want to hind a set of firewalls. Wegot laptops that were set up to dive into the depths of science, computers, how they use proxies via an autoconfiguration script for Netscape. work, how they will work. How the phones work. I don't Before I had setup proxies for Outlook on my computer I want to destroy, I don't want to break, I only want to had wanted to check e-mail to pop3 accounts that are learn. I fhink that is what is wrong with society today. outside the firewalls. In order to do so without knowl­ The American media has shown hackers as people who edge of the proxy servers I decided to use Netscape and sit in fheir room all night, doing nothing but squinting at sign up for a yahoo account (you can check pop3 ac­ their monitors, trying to mess up someone's computer. counts with it). What happened next was what seems so Graphix odd. Sofew people retain this sense of wonder that really While signing up for a Yahoo account, they re­ is an essential part of appreciating technology. If you quested that I fill out a form that includes a special ques­ ever reach the point where you can talk to someone on tion that is used forretrieving a forgotten password. They the phone or over the net and not realize how incredible automatically suggest a question, and an answer. This the whole process is, you 've lost something really impor­ question and answer hit very close to home. tant. The suggested question was: "What is your favorite Dear 2600: pet's name'!" and the suggested answer was: '"'B.l." In 16:2, Elite wrote "What the hell is the background I happen to have a dog named B.1. This is an incred­ of issue 16:1 supposed to be?" Your response was "Re­ ibly odd name, nearly one of a kind and thus I conclude flection. Surprise. Terror. For the future." That line is that it could not be just a coincidence. from a Babylon 5 episode in which Kosh said those What is Yahoo doing with personal information words to Talia Winters. I just thought that was a perfect about me? How did they know it was me if it was my response on your part. I also want to say fhat this Free firsttime using this computer and the firsttime I used my Kevin crusade you have started is the most inspiring

Winter 1999-1900 Page 49 thing I have read about in a long time. They asked if I had anything to do with it and 1 replied Websurfer that I thought it would be an informative article on the misleading media controlling our youth. They told me As that is one TV show that has been a great inspi­ ration to us, we 're glad someone picked up the refe r­ that it was a pro-terrorist act and against school policy. ence. Now ifonly someone would pick up "Crusade. " Then they found three copies of 2600 in my shoulder bag. They said that it was unjustified reading material Questions and they proceeded to confiscate it. Unjustified? What Dear 2600: the hell was that supposed to mean? Did they think what I would like a little more info on the irc.2600.net they were doing was justified? Anyway, I told them that server. Isn't there a number that my modem must dial to it was research for my computer class because we were access the server? And do you have any pointers how to learningabout servers, and then they banned me from us­ switch servers back and forth. This is verynecessary be­ ing a computer on campus. cause I have to share the computer with other "family" I went to my detentions and was doing fine for a who would absolutely freakif they knew where my in­ week until my fourth period English class. I read a poem terests lay (needless to say, I use Magic Encrypted Fold­ about social anarchy to the class, once again eaming my­ ers to keep my personal files personal). I am trying to self two Saturday detentions, which I refused to go to. stay inconspicuous and am very interested in using the Principal's office again. This time they called my parents hacker server when I am actually online. and told them I was guilty of insubordination. After I ex­ Val plained the situation to them, they thought it was the stu­ Yo u must already be connected to the net befo re you pidest thing they had ever heard of. My mother called the can use the ire server. It works exactly the same as any principal screaming things meant to be written in aster­ other irc server anywhere in the world. All you have to isks. do is replace or add our server name in whatever pro­ Monday morning, as I walked into my geometry gram you access irefro m. Simply connectingto it is not class five minutes late, everyone turned around and going to get you in trouble sinceit's ratherindistinguish­ stared at me. What the hell was going on? I later found able from any other irc server. out that my teacher told the class not to listen to my "preaching" and to ignore my pamphlets. Dear 2600: Well, now 1 am at another school (I was suspended I have a question. I have two separate lines for my for bringing my laptop to school so I left, again). I hope home, and on my computer line sometimes it will say that the Constitution is one day burned since there is no "the computer you are dialing isn't responding" so I plug meaning to it anymore when you can't post that a TV the phone line into my phone and there are two women show wrongfullyportrayed hackers in the world. talking on my line and they can hear me. 1 was wonder­ Oh, by the way, after 1 left someone changed every ing what is going on? computer screen background and screen saver to say InfiDel "Free Eddie." It:, a stab in the dark but we 'dguess that your phone Skanarchist line really belongs to someone else. Either that or their (Eddie) phone line belongs to you. No matter how you look at it, the same phone line is showing up in two places. The Dear 2600: phone companies do this all the time. I want to offera bit of constructive criticism regard­ ing your recent deception at the hands of MTV. Your first mistake was ever trusting the media establishment (or in MTV MTV's case, something pretending to be part of the me­ Dear 2600: dia establishment) and anyone who thinks that she can I live among the MTV race, or so 1 like to call them. do investigative journalism while wearing camouflage Most of us reading this magazine know the type: Hurley pants. I am sure you have realized this by now, so let's wearing, trend loving, brown nosing,. spoiled popular move on. The question is: How do we overcome the is­ kids. Most schools probably have 25 percent of these sue of generating publicity for important issues (i.e., kids, give or take a couple. Well, my school was around Kevin Mitnick) while still retaining control of the mes­ 90 percent. The remaining 10 percent are considered low sage? From my experience, you have two options: Hold life scum. As I read the article on the 2600 site something over their heads to ensure compliance (i.e., (www.2600.comlnewslI9991l019.html) about MTV's refuse to sign releases until you see the finalcut) or con­ ''True Life: I am a Hacker," I realized that everyone at trol the means of production. You would have been better my school now thinks that they can all die at the stroke of served by the latter; making your own documentary and some keys. then offering it to MTV and anyone else who would be 1 decided to post the article around school to inform interested, airing it yourselves via the web or cable ac­ everyone what a crock of shit it was. Bad idea. It landed cess, and offering it to network news as a clip for those me in the principal's officewith two Saturday detentions. 15 second news stories that they love so much. I must ad-

Page SO 2600 Magazine mit I am surprised the hacker community would allow various cases of 2600 never showing up on the shelf: someone else to do their talking for them. i_ball Memorandum There arc already people doing their own produc­ TO: All Stores tion.\'. But it isn 'f wise to isnlate ourselves completely FROM: To m To lworthy fromthe media since they will then he assured qf doing a Date: October 27, 1997 badjob every time. Had we not tried to help them, the ex­ Suhject: Community Standards act same story would have come out except we wouldn 'f The protests, letters, and phone calls regarding the have realized how much they didn 't care ahout the truth. works of lock Sturgis, David Hamilton, and Sally Mann It was an unfortunate but necessary lesson. continue around the country. A fe w pockets (�lextreme activity exist in some markets, while other markets have Dear 2600: experienced no activity at all. All stores have responded My liiends told me that there was a show on MTV quickly and professionally resulting in fe w confronta­ about hacking a few weeks ago and started talking all of tions or emergencies. this shit. It was so funny to see that my uninformed Over the years we have experienced similar activity friends thought they could be hackers. They threw these with boob' such as "Satanic Ve rses ", "The Anarchist:\, stupid facts at me and my amusement turned to anger. I Cookbook", and "American Psycho ". Being purveyors realized that the bullsbit that MTV was producing was of the written word and trustees of the First Amendment setting the hacker community back very far. It was hard is not without its complexities. Though all of our cus­ enough to explain anything about hacking to my friends tomers welcome and appreciate our broad assortments, in the tirst place, but now it's almost impossible because many of them also ask that ttiC apply discretion in our as­ they don't believe MTV could actually lie. So this really sortments rexarding individual "community standards " sucks. in each of our markets. techx3 Keep in mind that we will not categorically remove Dear 2600: any book from the shelves, nor will we violate any laws I would like to say that MTV did the hacker commu­ up to and including the books we sell. l{ any court oflaw nity a great injustice. They really took advantage by us­ determines any of our books to be in violation of Fed­ ing young hackers to do the whole documentary and eral, State, or Local legislation, we will remove them exploiting their big egos. I really was disappointed about fro m our shelves. In the absence qf such a .finding we are the viewing time of the LOpht which seemed to be the entitled, under the First Amendment, to offerlorsale any most interesting part but it only lasted less than a minute. book requested by our customers. Also I'd like to know if 2600 will ever have an on­ The selection and display of books fo r sale within line shop to subscribe and purchase T-shirts and 2600 our stores is a little more complicated. Many of our com­ merchandise. Will you guys ever expand your merchan­ munities have specific laws regarding the availability dise to include a 2600 coffee mug which would be cool and display of some of the hooks we sell. In some com­ for my desk at work? munities, the laws are specific enouxh to state by name UnclePhester9600 that "Playboy " and "Penthouse " must he securedfrum Ifwe get a design that doesn 't make us fe el like id­ open sale and not available to minors. In the fa ce of the iots, we ' d probably give it a shot. As .lor the online store, variables, ifyou helieve that any book we send you is not as it happens we just started one on our web site which appropriate to the laws and standards (�lyour commu­ means you can order subscriptions, back issues,. shirt.'!, nity, you are encouraged to place it in a secure location etc. without having to waste time and postage mailing and in some instances remove itfrom the shelves af your letters. And things generally arrive much fa ster this way store. Wc� will still ordf'r any hook in print requested by too. our customers and, as always, hooks containinx sensitive material will not he sold to anyone under the age of 18. Barnes & Noble Memo Found? Certainly, il there are books in your store that you believe Dear 2600: to be beyond the tolerances qlyour community, be sure I hate to admit it, but I took a job jockeying the and communicate your actions to your district manager. espresso machine at the Barnes & Noble location in Thank you again .If" allyour support and outstand­ North Richland Hills, Texas. I discovered that I make a ing judgment in the handling of this issue. Should you great cup of coffee, but I never expected to discover this: have any questions, please contact your district man­ a cute little memo posted on a bulletin board in the back. ager, regional director, or myself After scanning over it and picking my jaw up off the You guys getting this? Any slack-jawed yokel work­ floor, I snagged it off the board and stuffed it in my ing at B&N (and believe me, there are plenty of them) pocket. can decide to implement hislher own Hawed moral judg­ I think that this memo might explain many of the ment and take 2600 off the shelf and put it behind the seemingly random instances of readers under the age of counter so no one under 18 can purchase it. For that mat­ 18 being told they cannot purchase 2600, and the other ter, this inbred moron could go stick the whole stack of

Winter 1999-1900 Page 51 mags in the back, to be stripped and sent back to the dis­ 1 almost broke out into a laugh when I thought the tributor because this undereducated, $6,50 an hour hospital's system had been breached. Then I finished mouth-breather might think that the material is too sensi­ reading the message: tive for hislher community. Not to mention the bad name "THIS IS A SECURITY EXERCISE FOR THE they give to innocent materials such as 2600 by grouping HOSPITAL." them with the likes of pedophilic photography, racial Oh well, it was fun. A few moments later, another e­ bigotry, and other such truly disturbing publications. If I mail arrived saying, "When in ThreatCon Bravo, look owned a company the size of B&N, I most assuredly for any suspicious characters and report them to secu­ would not allow the lowest employees on the corporale rity." Considering I was looking kind of suspicious (little ladder to make any decisions for my company, much less dude, black baggie pants, antigovernmentshirt on ... what decisions that could potentially enrage my customers. a day to choose to wear that!), I bolted for the door. Good Pretty retarded way to run a book store, if you ask me. to know the .mil is scared. Love your zine. Mangaburn Slack Packet We 've contacted Barnes and Noble concerning whether or not this memo actually was circulated. (f it Stories of the Past was, it could certainly explain some things, not only fo r Dear 2600: us but];)t· awhole host of other publications. We 'll wait Enjoy your magazine! Thought I'd reminisce a little. to hear what they have to say an the matter. We like to I learnedto program FORTRAN IV an punch cards back think that the vast majority o{stores have people like the in 1980 at a junior college. When I got to a University, I following writer in positions af power. got an account (wow), and was able to program through a Dear 2600: remote terminal. I was an engineering student and spent A customer called our store, the Barnes & Noble in many hours into the early mornings programming and Muskegon, Michigan tonight and told us that someone looking through areas I could get into. The only hack I had written a letter about our store in your magazine. We ever did was when a slowwitted student used one of the read it and wanted to reply. We have sold your magazine engineering terminals and left it without logging off. I in our store since it opened three and a half years ago. It happened upon it. I wrote a batch filethat executed upon seems that most times we sell out of your magazine. I'm startup the next time he logged on. The batch file exe­ not sure who that guy talked to, but obviously it was cuted a program that told him to remember to log offbe­ someone who didn't have a clue. We just wanted to let fore leaving the terminal. A few days later I found another you know. Thanks ! terminal that someone had not logged off of. When I Dawn Bates checked the account number I found out it was the sarne Bookseller at B&N account as the last one I found' I wrote another batch file Muskegon, Michigan that ran at login. It was a bit more scathing. Essentially it said, "Close your account, dumb-shit." I laughed to my­ Fun Stuff self and forgot about it. Not two days later I found the Dear 2600: same damn account open again! So this time I wrote a Found something quite interesting, amusing, and, batch file that looked exactly like the login screen and well, all around funny today. While going to an eye ap­ asked for his account number and password. This second pointment today at the local military hospital (I am a mil­ login was my hack. It sent the password to a dummy ac­ itary brat, yay), I heard on the PA that "we are now in count 1 had. (I knew that the sysop could track me down if ThreatCon Bravo." For those of you who don't know I used my own account. I had six spare accounts, some I what ThreatCon is, it's Threat Condition ... the base 1 was had inherited from students who had graduated and never on has been at ThreatCon Alpha since the Gulf episode. told the computer manager they had left. Things were a The higher in the alphabet, the worse conditions are. lot less strict back then.) Anyway, the account owner did­ Anyway, ThreatCon Bravo is supposed to be pretty not n't even suspect a problem even though he had to enter good. This kind of spooked me a bit, when I remembered his password twice (big clue that something is wrong). As that this week was some sort of "prepare for the worst" soon as the password got sent to me, I had the batch file week. Making my way over to the exit, I heard this about change the password and log off. I passed the account three more times. It got me thinking. I changed direction number and password around the engineering department and headed to my father's office. Before I could even and we used the account to poke into where we were not open his e-mail folder, I heard "d-d-d-ling", like the old supposed to. We were kind enough to leave the files in­ Windows startup sound (scary, I am a Un*x guy). This tact. It only lasted a few days before the sysop changed was his auto-email-notify. I opened the message and the password again and I lost my play account. I played here's what I got: more pranks on other engineering students and anyone "WE ARE RAGE (REBELS AGAINST GOVERN­ who happened to leave a terminal open without logging MENT ENTITIES). WE OWN YOUR SYSTEM. WE off. But I never stole another account. Anyway, keep up ARE BREATHING DOWN YOUR NECKS. YOU the good work and remember to have fun, but do no ARE OURS." harm. Brien

Page 52 2600 Magazine by P!!yLay above can present the Outlook interface paylay666(tyyahoo.com through a web browser so users can access Microsoft Exchange Server is one of the their mail. Challenge/Response authentication most popular and widely deployed groupware is the default, but it requires IE. Most admin­ and messaging servers around. It's also very istrators step the authentication down to clear­ easy to install and configure, so a lot of know­ text so N etscape users can access their mail. nothing jackasses are becoming Exchange ad­ This is a common mistake a lot of admins ministrators overnight. Typically, these mail make, sacrificing security for usability. The servers are not very secure and often miscon­ default path to Exchange's OWA is ".". A lot figured. Whetheryou are a hacker or an Ex­ of companies allow anonymous access to change administrator, there is one golden rule public fo lders. If you poke around long of security: NT is only as secure as the infra­ enough, a lot of information can be gained structure; Exchange is only as secure as NT. from reading public fo lders. A side note: Both rely on an informed and competent sys­ OWA uses LDAP to do queries on the Global tem administrator. Address List. If you can access OWA from the The purpose of this article is to introduce Internet, chances are they have anonymous the curious to Microsoft Exchange, how it LDAP enabled. With a LDAP-enabled mail works, and its vulnerabilities. I am not going reader, you are browsing their corporate email to teach you how to hack into NT; volumes Itst m no time. In most Exchange sites, email could be written on it's exploits. address = NT username. 'Nutfsaid. 3. POP3. Exchange allows POP3 clients Understanding Exchange Server to connect to the mail server. If an administra­ Microsoft Exchange Server is a (!:roup­ ware and messaging tool, built for medIUm to tor enables this, they usually enable clear-text authentication. I have noticed most admins large corporations. A lot of smaller companies also use It because of the ease of installation would rather just enable clear-text than hassle and native support for Outlook mail reader. with upgrading mail clients. Like all Microsoft products, it uses propri­ 4. lMA P4. See POP3. Same authentica­ etary protocols and mail transfer methods. tion. But it also supports most major standards of Now that I have laid out various protocols, mail transfer and the like. "Out of the box" it's obvious there are various ways to connect Exchange supports many protocols, including to Exchange from the Internet. Microsoft has these: XAOO, X.500, LDAP, SMTP, POP3, had their share of security problems with Ex­ and IMAP4. The XAOO and X.500 connectors change, which were subsequently fixedby an can be quite fun,but that is a whole other arti­ Exchange Service pack or hot fix.I have been cle. Internally, it supports connectivity to working with Exchange for years now, and I other mail systems, such as MS Mail, Notes have not once been to a site that had the latest CC:Mail, Groupwise, and SNADS. For Inter� service pack or hot fix. So, the firststep in un­ net connectivity, it has a built in SMTP server. derstandmg Exchange's vulnerability is un­ derstanding what build you are working with. Connection and Authentication Two ways to get this info; look at the mail Exchan�e Server supports four ways to headers: connect to It: [snip] with SMTP (Microsoft Exchange I. Exchange Client. "Exchange" client is a Internet Mail Service Version 5.5.2232.9) MAPI program that can natively connect to an or telnet into Exchange on port 25: Exchange server. For a long time it was only [snip] 220 mail.paylay.com ESMTP the Exchange Client which shipped with early Server (Microsoft Exchange Internet Mail versions of Exchange and MicrosoftOutlook Service 5.5.2232.9) ready 97/98/2000. These clients use NT Authentica­ Build Exchange Version tion, meaning you have to have an NT ac­ count on the server/domain with appropriate 4.0.837 Exchange 4.0 Exchange 4.0 SPI permissions in order to connect. Recently, HP 4.0.838 4.0.993 Exchange 4.0 SP2 announced that OpenMail for HP-UX and (also referred to Linux supports Exchange server connectivity. haven't seen it so I can't tell you how it as Exchange 4.0a) I 4.0.994 Exchange 4.0 SP3 works, but the Linux version sounds like Exchange 4.0 SP4 something fun to hack around with. 4.0.995 Starting with Exchange version 5.0.1457 Exchange 5.0 2. HTTP 5.0. 1458 Exchange 5.0 SPI 5.0, Exchange has a feature called Outlook 5.5.1960 Exchange 5.5 Web Access. A server equipped with IIS3/4, Exchange 5.5 SPI Active Server Pages, and Exchange 5.0 and 5.5.2232 5.5.2448 Exchange 5.5 SP2

Winter 1999-1900 Page S3 Exploits Click on Organization \Site\Configu­ Obviously, if you come across a server ration\Server and bring up the properties for that is using a very early build, chances are the current server, then click on Permissions. they haven't bothered to install any NT or liS There is a box titled "Windows NT Accounts service packs. This is a sad fact I find com­ With Inherited Permissions". Scrolling pletely laughable. Give me my Palm and Palm through the permissions list, there is a set of modem and 10 minutes on an Exchange build permissions called "Service Account Admin". 2232 on NT SP3 and lIS out of the box, and I A smart NT administrator would have a dedi­ will be perusing payroll, tax, or bribe intiJr­ cated account that is never used to log in with, mation or just looking at some jerk's corpo­ and this account would have a very, very rate sales contacts or whatever. If you are strong password. Why, you ask? Because an interested, do a little homework on general account with this set of permissions is GOD. NT and, more specifically, lIS exploits and A Service Account Admin can do anything; you will find a lot of useful information. read anyone's mail, contacts, calendar, jour­ Some common, open holes in an Exchange nal, tasks, and public fo lders. You can send Server: mail as them, receive mail, set incoming mail I. A lot of dumb-ass VP's want to check rules, fo rward mail, filter mail to another their e-mail from their Palm and cell phone mailbox, anything. You can set up a filter and from a desert island using their own ISP. Be­ rule on the CFO's Inbox that will copy all cause a lot of admins are dumb, lazy, or scared mail with the words "Confidential" or "Fi­ of their boss, they have allowed anonymous nances" in the body, and have it automatically access into the SMTP portion of Exchange. delete out of Sent Items so he never knows. Check this first. With Service Account access, the possibilities 2. Exchange's SMTP connector has a fe a­ are endless. ture that disables mail relaying. A lot of com­ Now, your next question is: which is the panies have this fe ature turned off because Exchange Service Account in the user list? they probably don't understand what mail re­ Good question - a jack-hole administrator laying is. Heh, they probably think it's a good would make it the default NT account - "Ad­ thing. So check into this next. ministrator" or he thinks he is gonna fo ol the 3. If the build is 5.5.2448 or below and hackers and name it "QzG6fWI" . I usually they have mail relaying disabled, there's still a call mine "Joe Rodriguez" with the username way around it. If the e-mail is sent using "j oer". Something obviously not a service ac­ what's called "Encapsulated SMTP", a way count. Another good place to start is if you for Exchange to send mail to another Ex­ have access to the NT user list and the Ex­ change Server via SMTP, you can relay mail change Global Address List, start cross-refer­ because it allows relaying if the mail appears encing names. Some admins may have to be coming from another Exchange server. created a Service Account mailbox, but hid­ Microsofthas a hot-fixfor it, but most compa­ den it from the address list. So, figure out nies run NT Service Pack Nothing, so chcck what NT accounts don't have mailboxes. You this out. may be looking at some kind of service admin 4. Exchange uses NT authentication for account, Exchange or otherwise. Of course if mailboxes, so exploits used for NT passwords you have weaseled yourself into some kind of can be applied to Exchange. Hack the Admin­ admin access in the NT domain, but you don't istrator password and you just hacked the Ad­ have access to the Exchange server, see what ministrator mailbox. services are running on Exchange. With some 5. Any mail standard Exchange uses crafty NT Resource Kit tools and some NET (IMAP4, POP3, SMTP, etc.) is, well, stan­ commands, you will be able to bring up prop­ dard. So the general rules when dealing with erties for services. With the "Start Up" prop­ these protocols also apply to Exchange. erties for any Exchange service, who has D nder the Hood "Log On As" permissions? You have just dis­ Exchange has what's called a Service Ac­ covered one Exchange Service Account user­ count. This is the NT account that Exchange name. It may not be the only one, but it is a uses to sendlreceive mail, stop and start ser­ start. vices, and perform other Exchange-related This is a good basic introduction to Ex­ duties. This account should be the most secure change. It is just as much a hacking tutorial as account on your mail server. So, let's findout it is a how-to guide for Exchange admins on what the Service Account user name is: how a network ought not to be designed.

------�

Page 54 2600 Magazine ro m Bernie S. endured, all because the Secret Ser­ Contmue Page 5 vice was mad at him? Wouldn't more ad space be sold if Zyklon were shown as an The answer has been staring us in the electronic terrorist rather than a simple juve­ face for some time. And Seattle was the first nile delinquent? It's far easier to portray opportunity to apply it on a somewhat mas­ events witn the smoke and mirrors we saw sive scale. in a recent MTV slander piece on hackers as The technology that has been developing well as so many other corporate media fias­ over the years IS unquestionably of grea1 cos. The facts only serve to complicate mat­ benefit to whoever decides to maRe use of it. ters and muddy the message. And p'eople The relatively open architecture of the Inter­ are stupid, after all. All they want is to be en­ net lends itself to a great variety of applica­ tertained and nothing stands in the way of tiems, not just for those with the most power. that more than the truth. Right? That is its magnetic allure and it's also the The tide has turned. It may take some reason everyone in authority is scared to time, but it seems obvious to us that not death of it. The net represents the true po­ ever one is buying int

Wi nter ] 999-] 900 Page 55 MAR K E T P LAC E REAL HACKER MOVIE in production. We want your in­ HA PPENINGS put about Y2K. Email: [email protected]. DoomsDay Scenario coming soon! H2K - HOPE 2000 will be taking place on July 14, 15, and TECHNICAL BOOKS AND HACKER FICTION: Open­ 16, 2000 in New York City at the HOtel Pennsylvania (the VMS manuals, C, networking, Cuckoo's Egg, etc. Send e­ site of the first HOPE Conference in 1994). '!his time we mail for complete list to: [email protected]. have two floors and enough room to do whatever we Y2K MUST HAVES: Tired of all the Y2K hype? Or do you want. Start planning now! Reserve your room at the hotel want to show you survived it with a grin? If you answered by calling (212) 736-5000 (sentimental types can dial PEnn­ yes to either you need to order your "Y2K - Just hype it" t­ sylvania 6-5000). Mention that you're with the H2K con­ shirt or your "I Survived the Y2K Bug" t-shirt. These white ference to get the discounted rate. Unlike previous HOPE with black print shirts are a must have for all hackers etc. conferences, we will be running this one around the clock to show your true feeling of Y2K. We also offer a "Ufe is a beginning on Friday morning and ending on Sunday Progress Indicator" t-shirts for all computer users who night. We expect at least two tracks of speakers as well as know what it means to spend hours and hours in front of music, films.. and a/v presentations of all sorts. Registra­ the screen. To order: Please specify which shirt(s) you tion for H2K is $40 and includes admission to all events would like and quantity. They come in L or XL for only throughout the three days. You can send your registration $16 plus $4s&H. Please send check or money order with to: H2K, PO Box 848, Middle Island, NY 11953. Make mailing address payable to: Curt Baker, PO Box 50425, checks or money orders payable to 2600. Be sure to include Sparks, NY 89435. Allow 4-6 weeks for delivery. your name, address, and, if possible, an email address. If HACK THE RADIO: Hobby Broadcasting magazine cov­ you'd like to volunteer to help at the conference, email ers DIY broadcasting of all types: AM, FM, shortwave, TV; [email protected]. If you're interested in giving a pre­ and the Internet. It includes how-to articles about equip­ sentation.. email [email protected]. We also have a mailing ment, station operation and programming, enforcement, list for ongoing discussion about the conference. Email and much more. For a sample, send $3 U.S. ($4 Canada or [email protected] and put "subscribe h2k" on the $5 international). A subscription (4 quarterly issues) is $12 first line of the mail. Continue to check www.h2k.net for in the U.S. Hobby Broadcasting, PO Box 642, Mont Alto, updates. PA l7237. PEOPLE WITH ATIITUDE. Check out the political page FOR SA LE at the Caravela Books website: communists, anarchists, PLAY MP3S IN YOUR CAR OR HOME: Mpjuke unit Klan rallies, ethnic revolt - all at: plays mp3 cd, cdr, and dvd disks. Can be mounted in car, http:/ /users.aol.com/ caravela99 - and a novel "Rage of home, or even inside a free drive bay of a Pc. It can be the Bear" by Bert Byfield about a 15-year-old blonde girl trunk mounted in a car or placed under the dash. The unit who learns the art of war and becomes a deadly Zen Com­ is self contained, pre-assembled, and it includes a wireless mando warrior - send $12 (postpaid) to: Caravela Books remote. For more information, visit: QH93, 134 Goodburlet Road, Henrietta, NY 14467. http://www.mp3carplayer.com/2600 0r e-mail THE BEST HACKERS INFORMATION ARCHIVE on 26OO®mp3carplayer.com. Sign up for our affiliate program CD-ROM has just been updated and expanded! The Hack­ and earn some cash. Resellers needed. $25 from every 2600 ers enCyclopedia '99 - 12,271 files, 650 megabytes of infor­ sale will go to the Kevin Mitnick fund . We will ship any­ mation, programs, standards, viruses, sounds, pictures, where that we can. lots of NEW 1998 and 1999 information. A hacker's dream! HITP:lIPAOLOS.COM since 19%. We offer lockpicking Find out how, why, where, and who hackers do it to and and auto entry tools, confidential trade publications, sur­ how they get away with it! Includes complete YIPL I TAP vival tools and goods, an exciting line of switchblades, back issues 1-91! Easy HTML interface and DOS browser. some priced as low as less than $25, and a complete line of US $15 including postage worldwide. Whirlwind Soft­ super-realistic Airsoft guns. Danger: do not brandish these ware, Unit 639, 185-911 Yates St., Victoria, BC Canada V8V guns in public, you may be arrested/shot. We guarantee what 4Y9. Get yours! we sell UNCONDITIONALLY for 30 days, in addition to TAP T- SHIRTS: They're back! Wear a piece of phreak his­ factory warranties, and will beat the competition's prices tory. $17 buys you the TAP logo in black on a white 100% on anything! No "spy store" or "Y2K" hype here. Visit us cotton shirl. As seen at Beyond Hope. Cheshire Catalyst­ to post messages to our discussion board, add your e-mail approved! Specify L I XL. Send payment to TPC, 75 Willett to our mailing list, or place an order with our easy-to-use SI. lE, Albany, NY 12210. catalog! We ship internationally, and only sell to qualified WIRETAPPING, cellular monitoring, electronic surveil­ customers. lance, photographs, frequencies, equipment sources. 16 COMPLETE TEL BACK ISSUE SET (devoted entirely to page pictorial of the equipment used in a real life counter­ phone phreaking) $10 ppd for hard copy or CD-ROM measures sweep. Never before published information in PDF I GIF version with lots of extra phreaking related data THE PHONE BOOK by M L Shannon, ISBN 0-87364-972-9. (voice changers and scramblers, tone boxes, bugging, etc.) 8 1/2 x 11 paperback, 263 pages. Autographed copy $43 $14 ppd. Forbidden Subjects CD-ROM (330 mb of hacking postpaid as follows: check or money order payable to files) $12 ppd. Pete Haas, PO Box 702, Kent, OH 44240- Lysias Press for $38, second check or money order for $5 0013. payable to Reba Vartanian to be forwarded to 2600 for the HACKERS WORLD. 650 MB hacking files $15, 650 MB Kevin Mitnick defense fund. Lysias Press, PO Box 192171, phreaking files $15, Anarchy Cookbook 99 $10, list of San Francisco, CA 94119-2171. Also available from Paladin warez CDs $5, Surveillance Catalog $5, Virus 99 (730 pages Press, PO Box 1407, Boulder, CO 80307 and by special or­ about computer viruses) $5. Send all orders to: 700 Palm der from Barnes and Noble. Dr. #107, Glendale, CA 91202. Make all checks out to CAP'N CRUNCH WHISTLES. Brand new, only a few left. Edgar. THE ORIGINAL WHISTLE in mint condition, never used. REAL WORLD HACKING: Interested in rooftops, stearn Join the elite few who own this treasure! Once they are tunnels, abandoned buildings, subway tunnels, and the gone, that is it - there are no more! Keychain hole for like? For a copy of Infiltration, the zine about going other keyring. Identify yourself at meetings, etc. as a 2600 mem­ places you're not supposed to go, send $2 to PO Box ber by dangling your keychain and saying nothing. Cover 66069, Town Centre PO, Pickering, aNT LlV 6P7, Canada. one hole and get exactly 2600 hz, cover the other hole and LEARN NUMBER BASE THEORY the easy way. Booklet + DOS diskette, $17 ppd, Lew E. Jeppson, 138 S 350 East, get another frequency. Use both holes to call your dog or North Salt Lake, UT 84054. dolphin. Also, ideal for telephone remote control

Page 56 2600 Magazine devices. Price includes mailing. $79.95. Not only a collec­ tor's item but a VERY USEFUL device to carry at all times. Cash or money order only. Mail to: WHISTLE, PO Box 11562-ST, Cit, Missouri 63105. SERVICES SUSPECTED OR ACCUSED OF A CYBERCRIME IN HELP WA NTED THE SAN FRANCISCO BAY AREA? You need a seman­ tic warrior committed to the liberation of information who NEED HELP WITH CREDIT REPORT. Please respond to specializes in hacker, cracker, and phreak defense. Contact B. Mandel, 433 Kingston Ave., P.O. Box 69, Brooklyn, NY Omar Figueroa, Esq., at (800) 986-5591 or (415) 986-5591, at 11225. [email protected], or at Pier 5 North, The Embar­ HELP TO FIND TROJAN HORSE PROGRAM. Under­ cadero, San Francisco, CA 94111-2030. Free personal con­ stand there is a Trojan Horse program which may be sultation for 2600 readers. All consultations are strictly added as an attachment to an e-mail (which appears in­ confidential and protected by the attorney-client privilege. nocuous when viewed or read) but which will execute and CHARGED WITH A COMPUTER CRIME in any state or record any password used by the recipient and then send federal court? Contact Dorsey Morrow, Attorney at Law, at it by e-mail to an outside recipient. Further, that if the out­ (334) 265-6602 or visit at www.dmorrow.com. Extensive side recipient doesn't receive it for any reason, the e-mail computer and legal background. Initial phone conference message with password(s) will not bounce back to the free. sender. Also, there is another Trojan Horse program which, after it installs itself in the UNIX-based ISP of the target, will mail out copies of all incoming/ outgoing to an ANNOUNCEMENTS OFF THE HOOK is the weekly one hour hacker radio outside recipient without the target being aware of it. Can show presented Tuesday nights at 8:00 pm ET on WBAI anyone help with complete information, details, and pro­ 99.5 FM in New York City. You can also tune in over the grams? [email protected] net at www.2600.com/ offthehook or on shortwave in I NEED TO OBTAIN credit report information on others North and South America at 7415 khz. Archives of all from time to time with little or no cost. Can someone help? shows dating back to 1988 be found at the 2600 site. testl [email protected] can Your feedback is welcome at [email protected]. NEED HELP FINDING AND USING WAREZ SITES. I THE FAMILY, a close-knitted anarchy social group has am looking for several specific graphic, photo, and music formed for hackers, phreakers, and computer nerds. Join production programs. Need help getting to them. Com­ with your kind in furtherance of independent ideology, fi­ pensation will be given for working full versions. E-mail nancial freedom, and prosperity. Master the possibility of [email protected] for list or details. collective thought and association with members of your NEW, COOL WEB AND PRINT MAGAZINE. It will be own mindset. For further enlightenment as to the lifestyle the TImeI Life, People, Spin for generations X, Y, and Z. of the family, break the old mold, dare to explore, contact: Looking for writers on all subjects or anything of interest. Purceh Branson, Drawer K, Dallas, PA 18612. E-mail [email protected]. Benefits include publica­ tion, free stuff, concert and event tix and passes. Photogra­ phers and artists also wanted. Join NOW! Person,,' LOOKING FOR NEW FRIENDS. Am in the Corruption TELEPHONE NUMBER HELP. Help to find list of tele­ Center of America (Corrections Corporation of America) phone numbers for each telephone company I city where a prison doing a skidbid that's taking too long. Need stimu­ testman calls to find out all telephone lines connected to a lation and information. Am WM 5'10", brown hair, brown particular address. Also where can one get unlisted tele­ eyes (for the ladies). Used to go as Admkirk on irc. Bored phone numbers without cost. The information used to be out of my mind and looking to make a connection. Steven somewhere on the Internet. [email protected] Lezak, #OO0091-A0250176, Diamondback Correctional Fa­ I AM LOOKING FOR ASSISTANCE in cracking al­ cility (CCA), P.O. Box 780, Watonga, OK 73772-0780. phanumeric password protected MS Access files. Please BOYCOTI BRAZIL is requesting your continued assis­ send all info to [email protected]. Your help will be tance in contacting PURCHASING AGENTS, state and greatly appreciated. In return, anyone needing info on municipalities, to adopt "Selective Purchasing Ordi­ WHCA (The White House Communication Agency), I will nances," prohibiting the purchasing of goods and services be happy to lend assistance with copies (or fax) of all from any person doing business with Brazil. Purchasing ground fiber(Tl through OC128) in DC metropolitan area agents for your town should be listed within your town's or other documents. web site, listed on www.city.net or www.munisource.org. PROFIT FROM YOUR TALENTS! Computer hacker Examples of "Selective Purchasing Ordinances" can be re­ wanted for confidential and lucrative assignment. Experi­ viewed within the "Free Burma Coalition" web site. enced only. No newbies please. Must leave clear message Thanking 2600 staff, subscribers, and friends for your con­ with phone number and email address plus best time to tinued help in informing the WORLD as to my torture, de­ reach you. Call Steve 212-864-0548. Message for Miles: an­ nial of due process, and forced brain control implantation swering machine erased your number! Please call again. by Brazilian Federal Police in Brasilia, Brazil during my extradition to the U.S. Snail mail appreciated from volun­ WA NTED teers. John G. Lambros, #00436-124, USP Leavenworth, PO MINIATURE PEN-MICROPHONE that is very sensitive Box WOO, Leavenworth, KS 66048-1000. Web site: and transmits at least 300 feet to an FM radio. Need the www.brazilboycott.org namel address of manufacturer(s) (and prices if available). Reply to b/o/[email protected]. ONLY SUBSCRIBERS CAN ADVERTISE IN I'M LOOKING FOR THE ORIGINAUOFFICIAL TAP 26001 MAGAZINEINEWSLETfER.Contact me if you have any Don't even bother trying to take out an ad unless you information regarding the original TAP phreaking maga­ subscribe! All ads are free and there is no amount of zine / newsletter.I suggest you provide the condition of the money we will accept for a non-subscriber ad. We hope magazine / newsletter and the price that you would want that's clear. Of course, we reserve the right to pass judg­ for it when e-mailing me at [email protected] or icq ment on your ad and not print it if it's amazingly stupid 13693228. I want the ORIGINAL copies only. or has nothing at all to do with the hacker world. All WANTED: Heathkit ID-4001 digital weather computer in submissions are for ONE ISSUE ONLY! If you want to working condition. Also wanted: microprocessors for run your ad more than once you must resubmit it each Heathkit ID-4001, ID-1890, ID-I990, and ID-2090. Advise time. Include your address label or a photocopy so we what you have, price, and condition. E-mail: know you're a subscriber. Send your ad to 2600 Market­ [email protected] place, PO Box 99, Middle Island, NY 11953. Include your address label or photocopy. Deadline for Spring issue: 2/1/00.

Winter 1999-1900 Page 57 ARGENTINA MEXICO Ittinois Ohio Buenos Aires: In the bar at San Mexico City: Zocalo Subway Chicago: Screenz, 2717 North Clark Akron: Arabica on W. Market Jose 05. Station (Line 2 of the Metro, blue St. Street, intersection of Hawkins, W. AUSTRALIA line). At the "Departamento del Indiana Market, and Exchange. Adelaide: Outside Sammy's Snacf( Distrito Federal" exit, near the Ft. Wayne: Glenbrook Mall food CLeveland: Coventry Arabica, Bar, on the corner of Grenfell & payphones & the candy shop, at court. 6 pm. Cleveland Heights, back room Pulteney StreeB� 6 pm. the beginning of the "Zocalo-Pino IndianapoLis: Circle Centre Mall in smoking section. Brisbane: Hungryjacks on the Suare.z" tunnel. the StarPortjBen & Jerry's area. Columbus: Convention Center Queen St. Mall (RHS, opposite Infp POLAND Kansas (downtown) basement, farback of Booth). 7 pm. stargant Szczednski: Art Caffe. Kansas City: Oak Park Mall food building in carpeted payphone Canberra: KC's Virtual Reality Cafe, �g blue boo�. 7 pm. court (Overland Park). 11 East RW, Civic. 6 pm. RUSSIA Kentucky Oklahoma Melbourne: Melbourne Central Moscow: Burger QUeen cafe near Louisville: Barnes & Noble at 801 Oklahoma City: Shepard Mall, at Shopping Centre at the Swanston TAR(fASU (TeLephone' Agencyof S Hurstbourne Pkwy. the benches next to Subway & Street entrance near the public Russl;;!/fetegraphAgency of Soviet Louisiana across from the payphones. phones. Union,"-also known as Nicitskie Baton Rouge: In the LSU Union Payphone numbers: (405) 942- Perth:The Merchant Tea & Coffee Vorota. Building, between the Tiger Pause 9022, 9228, 9391, 9404. (183 Murray Street). Meet outside. SCOTLAND & Swensen's Ice Cream, next to the Tulsa: Woodland Hills Mall food 6 pm. Aberdeen; Outside S1. Nicholas' payphones. Payphone numbers: court. Sydney: Hotel Sweeney's Internet Church graveyard, near OX (225) 387-9520, 9538, 9618, Oregon

Cafe (top floor), corner of Clarence Com m unicationsi'mid"'li!il'iolls treet 9722, 9733, 9735. McMinnviLle: Union Block, 403 NE and Druitt Streets. 6 pm. store. 7 pm. NewOrLeans: Lakeside Shopping 3rd St. AUSTRIA Glasgow: Central Station, Cent-erfood court by Cafe du Portland: Pioneer Place Mall (not Graz; Cafe HaltesteUe on payphones next to Platform 1. 7 Monde. Payphones: (504) 835- Pioneer Square!), food court. Jakominiplatz. pm. 8769, 8778, 8833 - good luck Pennsylvania BRAZIL SOUTH AFRICA getting aroUf:\d the carrier. PhiladeLphia: 30th Street Amtrak Belo Horizonte� Pelego's: Bar at Cape Town: At the "Mississippi Maine Station at 30th & Market, under Assufeng, near the payphone."6 Detour" . Portland: Maine Mall by the bench the "Stairwell 7" sign. Payphones: pm. Johannesburg: Sandton food at the food court door. (215) 222-9880, 9881, 9779, Rio de Janeiro: Rio Sut Shopping co urt. Maryland 9799, 9632; 387-9751. Center, Fun Club Night Club. UNITED STATES Baltimore: Bames & Noble cafe at South Dakota CANADA Alabama the Inner Harbor. Sioux FaLls: Empire Mall, by Burger Alberta Auburn: COIJITyard outside the Massachusetts Ki ng. Calgary: Eau Claire Market food co'mputer lab at the Foy Union Boston: Prudential Center P1.aza, Tennessee (Qurt (near the "milk wall"). Building. 7 pm. terrace food court.. Payphones; KnoxviLLe: Borders Books Cafe Edmonton: Sidetrack Cafe, 10333 Birmingham: Hoover Galleria food (617) 236-6582, 6583, 6584, across from Westown MalL 112 Street. 4 pm. court by the payphones nextto 6585, try to bypass the carrier. M�mphis: Cafe Apocalypse. British Columbia Wendy's.7 pm. Michigan NashviLLe: Bean Central Cafe, Vancouver: Pacific Centre Food TUscaloosa: University of Alabama, Ann Arbor: Galleria on South intersection of West End Ave. & Fair, one level down fromstreet Ferguson Center by the payphones. University. 29th Ave. S. three blocks west of level by payphones. 4 pm to 9 pm. Arizona Minnesota Vanderbilt-campus. ontario Phoenix: Peter Piper Pizza at Metro BLoomington: Mall of America, Texas Austin: Ottawa: Cafe Wim on Sussex, a Center. north side food court, across from Dobie Mall food court. block down from Rideau Street. 7 Tucson: Barnes & Noble, 5130 Eo Burger King & the bank of Dallas: Mama's (iin:a, CampbeU & pm. Broadway. payphones that don't take Preston. Toronto: Cyberlalid Internet Cafe, Arkansas incoming calls. Ft. Wo rth: North East Matl food 257 Yonge St. 7 pm. Jonesboro: Indian Mall food court Duluth: Barnes & Noble by Cubs. 7 court neat food court payph(mes, Quebec by the big windows. pm. Loop 820 @ Bedford Euless Rd, 6 MontreaL: Bell Amphitheatre, 1000 California Missouri pm. Gauchetiere Street. LosArmeles: Union Station, corner St. louiS: Galleria, Highway 40 & Houston: GalLeria 2 food court, ENGLAND of Macy& Alameda. Inside main Brentwood, elevated section, food under the stairs near the BristoL: By the phones outside the entrance,by bank of phones. court area, by the theaters. payphones. Almshouse/Galleries, Merchant Payphones: (213) 972-9519, 9520; Springfield: Barnes& Noble on San Antonio: North Star Mall food Street, Broadmead. Payphones; 625-9923, 9924. Battlefield across fromthe mall. court. +44-117-9299011, 9294437. 6:45 Sacramento: Round Table Pizza, Montana Utah pm. 127KS treet. Butte:Butte Plaza Mall on Harrison Salt lake City: ZCMI Mall in the HuLL: In the Old Grey Mare pub, SanJpjego: EspressoNet on Regents Ave. near JC Penney and GN-C. food court. opposite The University of Hull. 7 Road (Vons Shopping Malt). Nebraska Washington pm. San Francisco: 4 Embarcadero Omaha: Oak View Mall Barnes & Seattle: Washington State Leeds: Leed City train station Plaza;;-,inside). Payphones: (415) Noble. 6:30 pm. (Qnvention Center, first floor. outside John Menzies. 6 pm. 398-9il!l3, 9804. 9805, 9806. Nevada Spokane: Spokane Valley Mall food London: Trocadero Shopping San Jose: Orchard Valley J;offe e Las Vegas: Wow Superstore Cafe, court. Center (near Picadilly Circus) Shop/Net Cafe (Campbell). Sahara & Decatur. 8 pm. Wisconsin downstairs near the BT touch point District of CoLumbia Reno: Meadow Wood Malt, Palms Eau Claire: London Square Mall terminaL 7 pm. Arlington: Pentagon City Mall in food court by Sbarro. 3-9 pm. food court. Manchester: Cyberia Internet Cafe the food court. New Hampshire Madison: Union South (227 N. on Oxford Rd. next to st. Peters Florida Nashua: Pheasant Lane Mall, near RandalL Ave.) on �e tower level in Square. 6 pm. Ft. Myers: At the cafe in'-Barnes 8. the big clock in the food court. the Martin Luther King Jr. Lounge FRANCE Noble. New Mexico by till;! payphones. Payphone: (608) Paris: Place d'Italie XIII, in front of Miami: Dadeland Mall on the raised Albuquerque: Winrock Mall food 251·9909. the Grand Ecran Cinema. 6-7 pm. seating section in the food court. court, near payphooes. on the lower Milwaukee: Mayfair Mall on GREECE Orlando: Fashion Square Mall in level between the fountain & Highway 100 (","�fair Rd.) & North Athens: Outside the bookstore the food court between Hovan arcage.,,'Payphones: (505) 883- Ave. in the MaYFairCommunity Papaswtiriou on the corner of Gourmet & Panda Express. 9935, �941, 9976, 998,. Room. Payphone: (414) 302-9549. Patision and Stournari. 7 pm. Payphones: (407) 895-5238, 7373, NewVork INDIA 4648; 896-9708; 895-6044, 6055. Buffalo: Galleria MaH food COlJJt. New Delhi: Priya Cinema Complex, Pensacola: Cordova Mall, food New York: CfticCitp Center, in the near the Allen Solly Showroom. court, tables near ATM. 6:30 pm. lobby, near the 'payphones, 153 E ITALY Georgia 53rd St., between Lexington & 3rd. AU meetings take place on the Milan: Piazza Loreto in front of Atlanta: Lenox Mall food court. Rochester: Marketplace- MaU food firstf riday of the month from ap­ McDonalds. Hawaii court. 6 pm. proxim!1!tely 5 pm to 8 pm local JAPAN HonoLuLu: Web Site Story Cafe North Carolina time unless otherwise noted. To Tokyo: Ark Hills Plaza (in front of inside Fwa Hotel Waikiki, 2555 Charlotte: South Park Mall. raiSed start a meeting in your city, leave a Subway sandwiches) Roppongi (by Cartwright Rd. (Waikiki). 6 pm. area of the food court. message & phone number at (516) Suntory Hall). Idaho Raleigh: Crabtree Valley Mall. food 751-2600 or send email to meet­ Pocatello: College Market, 604 court [email protected]. South 8th Street.

Page 58 2600 Magazine