"Men are only as good as

their technical development I I allows them to be." I I - George- Orwell ------7 - g-7-4 Editor-In-Chief . Emmanuel Goldstein

Layout and Design ShapeShifter

Cover Design Dabu Ch'wald

Office Manager Tampruf

Writers: Bernie S., Billsf, Bland Inquisitor, Eric Corley, Dalai, Dragorn, John Drake, Paul Estev, Mr. French, Javaman, Joe630, Kingpin, Lucky225, Kevin Mitnick, The Prophet, David Ruderman, Screamer Chaotix, Seraf, Silent Switchman, StankDawg, Mr. Upsetter

Webmasters: Juintz, Kerry

Network Operations: css, mlc

Broadcast Coordinators: Juintz, Pete, daRonin, Digital Mercenary, Kobold, w3rd, Gehenna, Brilldon, lee, Logix, Pytey, Mighty Industries, DJ Riz, Dave

IRC Admins: daRonin, Digital Mercenary, Shardy, The Electronic Delinquent

Inspirational Music: Manu Chao, Phil Ochs, Combustible Edison, Sparks, Philip Glass, 386DX

Shout Outs: Woz, kdm, Jello, Dan Morgan, Visual Goodness, Lazlow, Cheshire, Adrian --- \ Shockers When this issue is released, our fifth press via thc Intcrnct. ;~itthori(y li!:~tr(*\ conference will have been held in New York everywhcre will start to clamp down on what City. We named it, fittingly, The Fifth HOPE. can he said and how. When digital technol- For those unfamiliar, HOPE is an acronym ogy allows perfect copies of audio and vit1r.o for Hackers On Planet Earth. This also marks to be created and shared, the status quo is jlo the tenth anniversary of the first HOPE con- ing to be threatened and panic will enwc.. ference in 1994, the first time ever that hack- When computers and databases become ers gathered in such large numbers in the more and more integrated, our private infor- United States. And of course, we're also in mation will be shared by more and more en- the midst of our 20th anniversary here at tities. And it will become increasingly 2600, founded somewhat ironically in 1984. difficult to remain anonymous as we move We see a certain symmetry in all of these events and anniversaries. But more impor- closer to a society that demands accountabil- tantly, we see symmetry in the goals and ity for one's every move, purchase, and ideals expressed every day in the hacker transgression. community as they relate to those of the hu- Every one of these issues is of great con- man race in the 21st century. The things we cern to the vast majority of people in our pre- see as important, the technology we find our- sent society. Suddenly the technology that selves playing with and designing, the limits made us curious - and got many of us labeled we constantly test and push, and the free- as weird for taking such an abnormal interest doms we instinctively stand up for - these are in it - is changing the very nature of the all being mirrored in the "real" world on a world. And to those people who didn't take daily basis. an interest before, a lot of these sudden Most of us never intended for things to changes and all-encompassing issues are ex- become so serious, much like we never in- tremely disconcerting. They are to us as well, tended for this publication to be of interest to although anyone paying attention would more than a very narrow portion of the popu- know that the changes were anything but lace. To this day, hackers are born out of the sudden. They are part of a pattern, one which curiosity that relatively few people feel to- is continuing and one which will only grow wards technology and they move forward worse in time, so long as people remain ig- through the determination of wanting to fig- norant and convinced that they lack both the ure something out or make it work better. intellect and ability to do anything about it. That's really all it is and all it has ever been. As we well know, that is one of the great- No pressing desire to change the world, no compelling~needto be the focal point of the est weapons any agent of oppression can media, and certainly no wish to be fashion- possess: the ability to convince people that able. Events, however, have an odd way of they can't make a difference and that certain changing one's focus and altering the path. things are inevitable. We're here to tell you Anyone who could have predicted the ex- that anyone can make a difference and noth- plosion of technology in the past 20 years ing is a certainty. With that in mind, now is could have also predicted the social conse- as good a time as any to take a look at the de- quences and conundrums that came along velopments going on around us and decide if with it. Obviously when everyone gains the that is really the direction we want to be ability to operate the equivalent of a printing heading in. / \ Why does this responsibility fall upon the ing, there's a whole other aspect that the en- hacker community in particular? Two rea- tire world is watching. If our privacy is at sons. We understand how a lot of the tech- risk, our safety is in danger, or our rights are nology used to implement these changes gradually being extinguished, odds are the really works. Which means we know the abuse of technology plays some part in this. weaknesses and the potential abuses from Ironically, hackers are frequently viewed in both outside and within. And we also have a the mainstream as the ones who abuse high history of standing up to authority - whether tech. But even those subscribing to this no- it's the authority that tells us not to ask ques- tion can see the logic of paying attention to tions or the authority that locks us away in what hackers uncover. To ignore this is to prison for using technology in a way that walk blindly into unknown territory. wasn't quite authorized. So we find ourselves in a very different The hacker spirit has proven very difficult world than when we started in 1984 or even to crush over the years. Even if one voice is when we held the first HOPE conference a silenced for revealing information, another decade ago. We've become far more depen- will soon take its place. No matter what the dent on technology for nearly every aspect of restrictions or penalties surrounding a partic- our lives and technology is being used intru- ular bit of technology, you can bet that hack- sively on a steadily increasing basis. If we ers somewhere are figuring out ways to have the expertise to uncover information on defeat it in the public arena. It's just that now how it all works, then we also have the oblig- there are a great many more people paying ation to our fellow citizens to make it all attention to the results. public. Twenty years from now, the world Hacking has never been as relevant and as will be a very different place. We have the important as it is today. While many of us are ability to educate others and influence the still kids playing with toys and experiment- changes that transpire along the way. At Long Last The Wait Is Over!

'L~umner 2004 page 5~~ T 5curnware, Spyware, Aawaaa.

A ,-

by shinohara -MIOfferCompanion, Trickier, GAIN. GMT.exe, [email protected] CMESys.exe, and a quite a few others. Forget about cookies. They're child's play GatorIGAIN is marketed as a software prod- compared to the sheer nastiness of Gator or to uct that will automatically fill in passwords the insolence of Newton Knows Best. The and other form-elements on web pages, but its more I studied them, the angrier I got. I sim- main purpose is to load an advertising spy- ply had to write an article about them to warn ware module called OfferCompanion which people. displays pop-up ads when visiting some web- What is Spyware and Adware? sites. Once installed, Gator's software never Let's first get our definitions straight. stops running and it monitors pretty much There are a lot of different names floating everything a user does. The program is freely around. Spyware is seemingly useful software distributed by http://www.gainpulbishing installed on your PC that will observe your ,.corn but it can be found in a slew of file- actions, gather data on your surfing habits and sharing applications, including the "most- what you are interested in, compile that data, downloaded software" on the Internet - the and send it back to the main server. In this new KaZaA version that just came out a few sense, it's similar to a Trqjan horse. Adware days ago and which I investigated while writ- mainly receives ads in the form of images ing this article. In fact, you cannot even install (simple gifs, animated gifs) or other multime- and use KaZaA without agreeing to also in- dia type files. Adware can also include com- stall Gain. Talk about asshole$! ponents which will spy on users' actions. Gator are so insolent that they justify what Those components which are installed on the they do as "right." From a CNET news.com PC without a user's permission can be called article in 2001: "We pet lots of angry calls; sneakware. Spamware is essentially the same maybe even an attorney calls up because as adware - serving unwanted ads. A lot of they're angry," said Gator's Eagle. "We ex- people (myself included) have begun calling plain it's the consumers' right because we're all of these types simply scumware. invited onto the desktop. We're not changing Gator their content; we're popping up on the con- There are many scumwares on the market sumers' desktop. Don't they advertise on TV that we can examine. In fact, if we try to look showing competitor comparisons? The only at all of them, we will spent literally days do- difference is that we're more effective. The ing so. That is why I have narrowed the list to next call we get is usually from the VP of the most notorious ones and the ones you are sales, saying, 'We would like to work with most likely to meet. GatorIGAIN is one of you."' them. How Do You Get Infected With It? Gator is one of the nastiest pieces of spy- In Gator's case, it can come into your PC ware around.. Gator's parent company in three ways: either pre-bundled in a file- changed their name to Claria Corporation sharing program such as KaZaa, iMesh and a (http:Nwww.claria.com) in an attempt to dis- few others, in some alleged "freeware" such associate themselves from Gator. But they as AudioGalaxy, Go!zilla, and WeatherBug, still stink just as bad. It is carried by almost all or the so-called drive-by-installation, using P2P file-share apps as well as free ISP's like Internet Explorer's ActiveX controls where a Netzero. In fact, I can't seem to be able to get website attempts to download and install soft- rid of it. Every time I turn around, there is a ware (executable code) from a banner or a fresh install of Gator on my system. Worse, pop-up ad on the user's PC. This is by far the Gator software is composed of several sepa- sneakiest way, since most average users don't l rate modules, incarnations, and names: Gator, have a clue about Secure Zone settings and [often choose Yes when confronted with a dia- GatorlGAIN Modules log, thinking the browser is simply installing Gator (iegator.dll and others) is the main a needed plug-in for a website they're view- software, which auto completes web forms ing. Depending on the browser's security set- (which is completely unnecessary for many tings, the software will either download users these days, since IE and Mozilla have silently and without any user action, or pre- had automatic form completion, password sent an install dialog. saving, etc. built in for some time). Gator is also now available for download OfferCompanion is the advertising spy- in separate freeware applications called eWal- ware module. It is responsible for spying on let and Precision TimeIDate Manager, but no- your web browsing habits, downloading and body in their right mind would even use displaying pop-up ads, and transmitting per- those. When installed, Gator begins to slowly sonal information to Gator. download and install other modules. Trickler (fsg.exe, fsg-ag.exe, fsg*.exe) is What Does It Do? an "install stub," a small program that is in- Gator has two main purposes: to deliver stalled with the application you really wanted. ads to the user based on the profile it builds (Gator almost always appears on your system and to collect information on the user's habits, due to installing other software and not the in- including (but not limited to) every page vis- staller available from Gator's website.) When ited, the length of time the user spent at each installed, Trickler inserts a Run key in your site, what the user is interested in, what ads (if Registry so that it is silently and automati- any) the user clicks on, any special searches cally loaded every time you start your com- the user does, any keywords entered, and any puter. Trickler runs hidden and very slowly files downloaded. It saves all of that info in a downloads the rest of Gator/OfferCompanion file on your computer which identifies your onto your system. It is suggested that this PC through its IP address. "trickling" activity is intended to slip under The newest Gator trick is to hijack a pop- the user's radar, the steady, low usage of band- up ad from another company when users visit width going unnoticed. While often named a competitor's website. This practice (which I fsg.exe, Trickler can go under other similar find rather amusing, I must admit) is known names, such as fsg-ag.exe (installed with Au- as "being Gatored." It is accomplished by dioGalaxy) or another name containing "fsg" selling common "keywords" to companies or "trickler". such as search engines. One e-tailer that's GAIN (GMT .exe , CMESys.exe, been bitten is 1-800-Flowers.com. When cer- GAIN-TRICKLER-* . EXE, other files) is short for tain web surfers visit the site to browse for Gator Advertising Information Network and bouquets, a pop-up ad appears for $10 off at is the newest incarnation of the Gator chief rival ftd.com. The same sort of thing spyware we all know and love. happens at americanairlines.com, where a Each .exe file installs itself into a different Delta Airlines promotion is waiting in the directory. GAIN for example can be found in wings. Ads like these find their way onto C: \Program Flles\Gator\ and the registry browser windows through "plug-ins" that key HKEY-LOCAL-MACHINE-- I Software- -1 MlcrO come bundled with certain software down- ,soft--] Windows--]Current version-] Run. loads. GMT is in c : \Program Files\CommonFiles Keyword advertising consists mostly of -\GMT\ and in the C:\Windows\Start selling trademark owners the rights to their ,Menu\Programs\StartUp\. own names - on a search engine, for example. CMiie can be found inside c:\~rograrn But the reverse is true in many new applica- ,Files\Common Files\. tion services such as Gator. And because the Removing GAINlGator applications are downloaded with the con- This is a somewhat long and annoying sumer's consent, the companies say they are process, so let's get right to it. I must warn standing on firm legal ground, despite numer- you it involves tweaking Window's registry, ous complaints from marketing executives. so if you don't feel comfortable doing that, After compiling the data it receives, Gator seek professional attention. There are several sells to other advertisers, who can then pur- places you need to clean up, depending on chase the opportunity to display pop-up ads at how the software was installed. I will go over certain moments, such as when specific words each step by step. appear on the screen or specific words are AddIRemove Program Applet. The best typed into search engines. way is to begin by first uninstalling it through

Page 71 $he AddIRemove function in the Control puter, go to C:\, go inside Windows, and look Panel, since simply manually removing it for the Start Menu folder. See if any of the exe may result in some of the components being files listed above are in there. Remove them if left on your PC. To accomplish this, go to you find any. This will have the added benefit Start--]Settings, open the Control Panel, start of making your computer boot and run faster. up AddIRemove applet, and hunt for either Note that using the program associated with a GM, Gain, GATOR, or any of the above particular ad-trojan may reinstall these refer- listed modules. ences, and even the ad-tro~anitself. PKZip is Windows' Registry. Click on START, go to notorious for this. (For this reason, it is im- RUN, and type "regedit". Click "OK to start portant that you zap the aqsociated adware the registry editor. There are several keys you program as well, or at least make sure nobody need to check here. First, using the directory runs it.) tree, browse to the key: HKEY-LOU-MACHINE- MSCONFIG. Under Windows 98 and --ISOFTWARE--]Microsoft--] Windows--] higher, there is a program called MSCONFIG -Currentversion- -]Run. If YOU got either that allows you to view and enableldisable CMESys and the GMT in the right pane, StartUp applications. This can be used (usu- delete them both by using the right mouse ally) to turn off auto-loading spyware compo- key. Now you need to exit the registry editor nents. (To run MSCONFIG if you have it, and restart your computer. click on Start ] Run, and type msconfig in the Here are the other keys you should check: Run box.) As you can see, msconfig is a Sys- HKEY-LOCAL-MACHINE- -I Sof tware- -1 tem Configuration Utility and it's got several -Microsoft--]Windows--]Current version-- options you can modify. Let's now go over -]Run-, each one, briefly discussing what they are and HKEY-LOCAL-MACHINE- -1 Software - -1 *Microsoft --I Windows- -1 Current version-- what can be changed inside them. The Gen- -] RunOnce, eral option specifies what system files your HKEY-LOCAL-MACHINE- -1 Software- -1 PC reads and executes while booting up. This bMicrosoft - -1 Windows- -1 Current version-- option is useful in case of an emergency dur- I RunOnceEx, HKEY-LOCAL-MACHINE- -1 Software- -1 ing Safe Mode boot up. Normally, most au- -Microsoft--]Windows--]Current version-- toexec.bat and config.sys files are empty -] Runservices today, but they used to play a big role in the and HKEY-LOCAL_MACHINE- -1 Software- -1 olden DOS days (Windows 95 and Windows -Microsof t - -1 Windows- -1 Current version- - 98). If you know DOS (and DOS is still ex- -1 RunServicesOnce. tremely useful in many ways, even if Mi- Another three registry keys are: HKEY-CLASSES-ROOT\CLSID\(~~FFB~CO-0~~1-crosoft makes it exceedingly difficult for you ~ll~5-~9~5-00500413153~~ to even run DOS programs on NT based sys- HKEY-LOCAL-MACHINE\SOFTWARE\G~~O~.CO~ tems such as Windows 2000 and XP), you can HKEY-LOCAL-MACHINE \SOFTWARE\ Ga torTest peek inside those files and remove any lines Using the directory tree browse to those you don't want or don't think you need. A keys and delete them. good idea is instead of removing the lines to Program Files directoryfoldel: Next, you just place a REM in front of them. will need to locate and remove both the CEII Systern.ini and Win.ini are more Windows and GMT directory folders on your com- configuration files, telling it how to boot up. I puter. They are both located in the Program suggest you don't mess with them unless you Files directory. To get there, start from My really know what you are doing. Computer, go to Program Files, locate Com- The Startup Option is another more ad- mon Files, and peek inside. If you see CEII vanced way to tell Windows what software to andlor GMT, simply click on them with the run when it boots up. Personally, I like to keep right mouse button and choose Delete. mine as clean and tidy and program-free as If Gator was installed by Precision Time possible. I have seen some people's comput- & Date Manager, locate and delete the ers that had at least 30 lines inside Startup, all "WebPT" or "WebDM" inside the "Program from various software packages installed that Files" folder if it exists. did nothing for the user except take memory. I StartUp directoryfolder. The next place to had to argue with a client several days ago, check will be your StartUp folder. The trying to convince him that in fact Microsoft's StartUp folder loads the software listed in Office does not need to be inside Startup and there every time you start up or reboot the that, yes, he still would have been able to use computer. To go there, start up from My Com- Office any time he wanted to. Talk about ig- age6 Gorance not being bliss! Newton made me see red in several ways,\ How does yours look? Can you justify such as adding an extra search bar into Inter- why all of the programs listed in there have to net Explorer and not even asking me if I begin at boot up time? Do you know what would allow it to do so. each program is and what its function is? Removing Newton Knows Best Don't you think you should? This is somewhat difficult, since it places a Newton Knows Best key inside the registry and installs itself in This is another very annoying spyware or several places. Run a search via Start--]Find scumware or whatever you wanna call it that and uninstall. Don't just remove Newton. Hit gets installed in a variety of ways, including the same places I outlined above in removing with several file sharing programs. One of GAINIGator. them is Grokster. I read about Grokster, one SaveNow (When UShop) of the most infested of the P2P services, so I This gets installed by Bearshare among decided to see if it was really as bad as the others. Put quickly, it is an advertising toolbar writer claimed. I'm sorry to report it was that monitors what sites you visit and pops up worse. sponsored "deals" when visiting those sites. When Grokster ran for the first time, a sep- Fighting Back arate program popped up, asking me what my There are several software packages that country and zip code was. It was called New- will help you to manually look for Gator and ton Knows Best. Since I didn't remember al- many other scumwares on your system. Ad- lowing it to install, instead of just removing it aware from Lavasoft (http:Nwww.lavasoft- I decided to observe what it was and what it usa.com/) is a good one that has both a would do. So far I am not very happy with it freeware and paid shareware version. It can at all. It added an extra bar to my Internet Ex- help you remove remnants of programs in- plorer that I had trouble removing. When I stalled surreptitiously on your machines. launched Netscape, Newton jumped up and Ad-aware is easy to use. Start it up and stared too. It even booted the self-updated click on Scan Now. From there, you will be Newton exe. I was aghast. Yet another of the giving the following options: Perform smart many shameless companies who surrepti- system scan, Use custom scanning options, tiously install software on my PC without and Select driveslfolder to scan. asking me first, then begin to monitor my Performing the smart system scan is good. surfing habits. Click on Next and let it run. I did a quick search on Newton Knows Once Ad-aware is done, you will be given Best, but couldn't find much. Newton bills it- a list of suspicious registry keys, registry val- self as a personal search companion. It claims ues, and possible scumware exe files and fold- it will help us get the most out of the Internet. ers. Click on Next. Here is what they say at http://www.newfree- You will be given the file name, what type ware.com/intemet/7 111: "We designed New- it is (registry key or exe), what it is, where it is tonKnows based on user functionality and in your system, and comments that will even benefit. As you surf the web, Newton sits dis- tell you what website was responsible for the cretely in the background, waiting to fetch scumware. If you hover over each with your relevant content for you. As soon as he digs mouse button, a yellow pop up screen will ap; some up, the Newton suggestion window pear with more info. You have two options slides up and presents his top finds. For exam- here: either quarantine the offending files or ple, "My Auction Items" fetches eBay auc- outright delete them by choosing Next. tions for your favorite items. Newton further As a precaution, I again must warn you enhances your browsing experience by deliv- some of your nice "free" programs won't be ering related content links directly into his able to work if you kill their spywares, so be- toolbar. Newton quickly connects you to your fore you push Next you must find what is favorite shopping, music, travel sites and needed by you and what you can live without. more. With its built-in auto-update feature Some suggestions on how to find and our continuing commitment to quality, scumwares: Newton will continue to evolve, and so too 1. Begin using a process observer that will will your surfing prowess. Plus, with the abil- show all the software currently running on ity to request your favorite new feature, New- your system at all times. I can easily find and tonKnows is destined to become your monitor any of these programs using the great ultimate Internet search companion." and free Process Explorer from /http://www.sysinternals.corn/ntw2k/free Forget about ZoneAlarm. That's not gootl -ware/procexp.shtml. Using it, I discovered enough and it doesn't do much. I tested it sev-? that GAINIGator-whatever you wanna call it era1 times, trying to figure out why so many writes to the following files: people liked it. I think the main reason is be- c:!windows!cookies!, cause it is free. c:!windows!history!history.ie5!, 3. Run a weekly check on all the places I c:!windows!temporary internet mentioned: Windows' Startup folder, Reg- files ! content. ie5 ! istry's Run, msconfig. Keep them clean. There C:\WIND~W~\C~~KIE~\INDEX.DAT, are so many scumwares confronting the aver- C:\WINDOWS\HISTORY\HISTORY.IE5\ age computer users today, it's easy to become WINDEX. DAT overwhelmed! Worse, new ones are coming C:\WINDOWS\TEMPOR-l\CONTENT.IE5\ out daily! Keep up with them by reading site.; WINDEX. DAT, such as http://www.cexx.org, or search for C:\WINDOWS\TEMPOR-l\CONTENT.IE5\, more info on your own. 0C:-WINDOWS-Cookies-index.dat, 4. Practice some self control and stop C:-WINDOWS-History-History.IE5- downloading and installing all the new hot -index. dat , P2P apps your buddies told you about. C:-WINDOWS-Temporary Internet This is just a small introduction into the Files-Content.IE5-index.dat world of scumwares. I would like to hear 2. Set up and configure a good firewall. from other people about their own experi- Make sure you monitor all the incoming and ences with other scumwares so we can all outgoing connections your computer makes. learn.

by Chris Johnson idences concerning contats or promotions First off, a small introduction for those of the radio stations might be holding. Now you who don't know the evil that is here's the even more interesting part. CMM is ClearChannel. Clearchannel operates a bit exempt from the Do Not Call list. That's over 1,200 stations as of the writing of this right?ClearChannel is using a loophole in the article. They also own 37 television stations law to force its fecal matter into your home. and operate over 200 venues nationwide. Now, keep in mind, all dialing is done from They are in 248 of the top 250 radio markets, either Norwood, Ohio or Fort Wright, Ken- controlling 60 percent of all rock program- tucky. If they say they are calling locally, ming. They also do outdoor advertising and they are full of crap. CMM hires only the best own the tours of musicians like Janet Jack- people for its delicate research. They recruit son, Aerosmith, Pearl Jam, Madonna, and the vast majority of their individuals from N'Sync. temporary agencies. CMM holds three train- Now we add a small division of ing classes a week at two days per class to ClearChannel based out of Cincinnati called train new agents if that gives you any idea on Critical Mass Media into the mix. Critical the turnover rate. They also pay these idiots Mass Media is the research arm of $8.50 an hour. If you're broke, it can be a lu- Clearchannel's radio business. CMM does crative opportunity for money. audience research, music research, and also Data from all calls is entered into a com- conducts telemarketing to businesses and res- puter system referred to as CAT1 or the Com- age0 J \ /puter Aided Telephone Interviewer. It's pow- likely pull it from airplay. ered by SCO Openserver Unix in a dumb ter- You're probably saying "Why is that so minal style environment. CfMC SURVENT horrible, Chris?" Well, the reason it is horri- is the main program used by the agent to con- ble is because of the method in which they duct interviews. The agent has very limited contact you. On the day the project is due, access to the operating system. Most supervi- they will not dial any number less than two sory tasks including stopping and starting times in one day and sometimes even more. workstations is done by a section operator, I've seen one campaign where they redialed referred to at CMM as a "captain" operator. all the previously dialed numbers eight times Agents are monitored in several different in one day! They also will call your house ways including roaming or spot monitors every time they get a new project in from that done with cordless phones and by computer radio station. Also, the other downside with as well where a supervisor watches what they this is if you say that you are not interested, input into the system and what they are say- then they simply note your file for a callback ing to the respondent. Any PBX phone in the in a week. That's right, even if you tell them call center can monitor an agent's station. where to go, they will still keep calling! Now lets move on to how to identify a call However, they'll just wait a week, maybe. from CMM. The easiest way is to watch for The only easy way to get off their list is to tell the number 513-858-2250 and the name them that if they call again that you are going HAMILTON, OH on Caller ID. to sue them. There are several different types of calls Next we shall move on to the Perceptual. that CMM will place. First off let's discuss What this is is a full investigation of your ra- the "Audience" call. The rep will call your dio listening habits. CMM will call and iden- home and say "Hello, this is [insert name tify themselves as "[insert city name here] here] from [insert major city name here] Ra- Radio Ratings Center." They first will ask a dio Research." This is what CMM does to bunch of qualifying questions. If you qualify probe for radio listening habits. Now keep in for this survey, be prepared to spend no less mind that during this call they will ask you a than 30 minutes on the phone with these bunch of different qitestions such as name, folks. If you want to get out of it, however, race, and other additional questions that the just tell them if they call back you're going to station wants asked. sue the pants off of them. The agent is re- Then there is the "Screener" call. This is quired to code your call so that the system au- much like the audience call except if you pick tomatically places you on their do not call the station they're screening for, they'll ask list. you an extra question: "Can you be reached at Last but not least, let's get to the Nest. this number all year round?" and usually lasts Nest marketing is used by most ClearChannel around 30-45 seconds. stations.. Nest takes a few different forms. Let's say you got asked that question and I'm not going to describe them all here, but if you receive yet another call from them. How- you really want to know all the different ever, this time they're asking for you person- forms this can take, go pay a visit to ally and they identify themselves as "[insert http:Nwww.criticalmassmedia.com. Today city name here] Radio Ratings Center." If you we're going to cover the Nest "telemarketing" agree to take the call, they will ask you some call. Now as far as I can tell, this is where similar questions to the screener call above. CMM definitely abuses the loophole. Due to If you the right station completing the the fact that they are not selling anything, ClearChannel trifecta, the rep will say "Now they are exempt from the law. Your phone let me explain to you how this works" and will ring with the same number used by all of proceed to read some responses and defini- these other studies and a voice at the other tions. You'll get to listen to around 40 song end of the line will identify himherself as hooks and be asked your opinion on each "Chris Johnson," "Alex," "Chris," "Pat," or a song. This is how stations figure out their few other cleverly disguised androgynous playlist for the upcoming week. If a song names. They will talk as if they are calling (let's use Milkshake by Kelis as an example) from the station itself and will want to add triggers 50 people to say that they have never you to a contest or encourage you to listen at (liked this song, then the station will most certain times. I will give you a hint. The

Page 33' 7 6mes they tell you to listen are key times for call. So it's a good sporting possibility that the Arbitron diary keepers. There is elec- you don't really have that person's name. tronic monitoring equipment that can allow a Also, if they give you the number to the "cor- station to make an educated guess as to how porate office," 513-858-2250, it's only a many listeners are actually listening to the VMS! There are no humans there. Ask if you station. The more listeners at those specific should call 5 13-631-4266 instead. That's the times, the more of a ratings share they can real corporate office. get, the more advertisers they can get, the All of the above studies cost the stations more money they can make. thousands of dollars to complete. One esti- Let's talk about what happens if you de- mate that I heard was that a Perceptual was mand a supervisor. One of the call center around $1500 per complete (they generally managers or supervisors will come to the do no less than 300-400 completes on this agent's terminal and pick up the phone. They type of project), a music call is around $500 will give their name and ask how they can to $700 per complete (generally around 100 help. Most of the time these names are fake. people complete these), and an audience call There is one manager in the call center that is around $250 to $400 a complete (there are generates a unique name for every supervisor always around 420 completes).

by L. Gallion hold large printouts together) This article assumes you are familiar with 7) A good pair of steel scissors lockpicking and lockpicking tools. If you are 8) A plastic cable tie (used to secure cables completely new to the subject, I suggest you and wires together) Google for the MITGuide lo Lockpicking and 9) A round-head brass fastener read it before continuing. Using just these items and a little imagina- To pick a lock, you need two things: a tion, we can create several different lockpick- pick and a tension wrench. The pick is used ing tools. to press on or rake across the pins inside a Let's get started with the most limited of lock while the tension wrench applies a turn- our resources, the paper clips. Professional ing force to the lock's cylinder. The trouble is picks and wrenches are often made from it isn't always practical (or even legal, de- hardened, flat spring steel, while paper clips pending on local ordinances) to carry profes- are round. soft. and bendable. This means sional lockpicking tools. Fortunately most that paper clip picks are only useful against homes and offices come stocked with all of locks with weak pin springs and paper clip the materials necessary to make your own ba- wrenches only work with easily turned cylin- sic tools. ders. For example, here are some items I To make a paper clip pick, straighten out rounded up in just a few minutes: one end of the paper clip (leave the other end 1) Fingernail clippers (the kind with a built- curled as a handle) and then bend the very in nail file and a little hole at one end) end of the straight section into a small, sharp 2) A couple of bobby pins "hill" sticking up (this is the classic half dia- 3) An old credit card (or any plastic card of mond pick shape). The easiest way to do this similar thickness) is to clamp (don't press too hard) about a 4) A couple of small paper clips quarter inch of the paper clip in the jaws of 5) A large safety pin the fingernail clippers and use the clippers to 6) A "Prong Fastener" (Acco #70022, used to bend the paper clip. Do this again about one ZbOO flagazine/ I.eighth of an inch in from the end to finish poke yourself). Next, insert the pin through forming the hill shape. The end of the paper the hole at the rear of the fingernail clippers. clip should look roughly like this: The pin should just barely be sticking out of A the far side of the hole. Then, by rotating the While too soft to work as an actual pin entire clippers up or down, you can pinch and pick, a paper clip can be used to rake simple bend the portion of the pin sticking through locks, like the disk tumblers you will find in the hole. Stop bending once the pin has a most Steelcase and Hon filing cabinets, desks nice, gentle curve of about 45 degrees. Fi- and overhead bins. nally, open the safety pin up a little wider so To make a paper clip tension wrench, un- it stays in a permanent "L" shape. fold the paper clip as before (leaving one Being strong and made of flexible steel, curled end as a handle) and then bend about a your new-and-improved safety pin can be half inch of the straightened portion back used as a hook pick on a variety locks. I have onto itself. You will want to make the actual successfully used it to pick five disk tum- bend as small as possible, so use a hard object blers, four pin padlocks, and six pin dead- to press on the bend and "close" it as much as bolts. you can (the scissor handles work well here). Next let's tackle another strong performer, Finally, bend the "handle" so the paper clip the bobby pin. Bobby pins can be made into a now has an "L" shape. good hook pick or a small tension wrench The bend at the end of the paper clip will very quickly. First, remove the little plastic usually fit into the bottom of the keyhole of tips that come on most bobby pins and spread most medium sized locks. However, a paper it apart so it forms an "L" shape. Next, insert clip tension wrench is very weak and I have the straight leg (not the wavy one) of the only used it successfully on smooth working bobby pin through the hole in the fingernail deadbolts. clippers so that about a quarter inch sticks out Now let's move on to a much better tool: on the other side. The tricky part of the bobby the safety pin pick. Steven Hampton, author pin pick is that we want to put a bend along of Secrets of Lockpicking, says he got started the thin edge (not the flat sides). To do this, using just a safety pin pick and a bent screw- tightly pinch the flat sides of the bobby pin driver as a tension wrench. Now you too can about a half inch back from the fingernail make just such n pick in seconds. First, care- clipper's hole. Then move the fingernail clip- fully open up the safety pin and use the clip- per up or down to carefully bend the bobby per's nail file to dull the point (so you won't pin. If it starts to twist, stop and carefully /straighten the twist out and then continue Our final group of impromptu lock pick-' bending again. Stop bending the hobby pin ing tools is a set of rakes. Rakes are pulled when you have about a 45-degree angle. You back and forth and up and down against the have the proper shape when you lay your pins of a lock in the hopes of opening it. metal "L" down flat on a table and the end of While raking won't have much of an effect one of the legs sticks up. The bobby pin ten- against most high security locks, it works sion wrench is a lot simpler. Just open up the very well against desks, filing cabinets, and bobby pin and spread it apart until it perma- cheap padlocks. nently forms an "L" shape. Although a great Our rakes will be made out of the round- tension wrench, the width of the bobby pin is head brass fastener, prong fastener, and the often too small to be used on a lot of locks. If cable tie. Start by straightening out one of the the bobby pin wrench is too small, try using thin metal legs on the brass and prong fasten- the nail file of your fingernail clippers. Just ers. Then use your scissors to carefully cut a extend the nail file out to a 90-degree angle. series of "V" shaped notches or smooth The nail file tip will fit into the keyhole of "hills" at the end of each object (just on one some medium sized locks and the body of the side). Make certain the end is either pointed clippers acts as the handle. or sloped so that it can enter the keyway eas- Credit card picks are easy to make but are ily. You may also need to trim down the flat only strong enough for one or two picking bottom portion of the rake to get it to fit into sessions. First, cut the credit card into about the lock. half inch strips. Next, use a straightened pa- Of these three rakes, I have gotten the best per clip to measure the depth of the lock results with the cable tie. It's tough, flexible (push it in until you hit the back wall). Using nylon construction allows it to move this depth, trim down one end of the credit smoothly in and out of most locks. However, card strip so it is small enough to enter the don't think that any of these makeshift tools top of the keyway. As you trim the end of the are going to easily crack that high-security card down, shape the tip in either a half dia- Medeco in your office. Advanced lockpick- mond or half round pick style (see the MIT ing takes a combination of skill, practice, Guide if you are not familiar with these luck, and the proper tools. But the next time shapes). Don't forget, credit card plastic is you lock your boss's big presentation in a fil- relatively soft, so try to use your fingers to ing cabinet and lose the key, don't panic! Just support the thin shaft as you move it around use your lockpicking ability and a few office within the lock. supplies. 4 Lost 4r I I by Acidus consist of several ~nu$lleticpiu-ticles heltl to a [email protected] PVC card with a glue, and the orientation of www.yak.net/acidus these particles (and their magnetic fields) is Just like Sun Microsystems, people have how the data is stored. Magstripes can con- been forecasting the death of magstripes for tain several tracks of information, each .I 10 years. Yet they are still the most common inches wide. These tracks are defined by sev- form of physical authentication in the world. eral standards; we are most interested in Their widespread deployment makes compo- Track 2. This is the most widely used track, nents for them cheap, and home brewed ap- having been standardized by the American plications limitless. While there is a great Bankers Association. This track contains up wealth of knowledge on the Internet about to 40 characters from a 16 character set. magstripes, most of this is over six years old, So how is the magnetic representation un- mostly for very specific microcontrollers, or derstood by computers? Well, the reader con- has out of date source code with no tains a head which outputs an analog signal comments. Straight answers about how of the magnetic fluxes on the card. A special- magstripes work and how to interface to a ized chip, called an F2F decoder, converts modem PC simply don't exist. I plan to these signals into digital outputs. Interfacing correct that. directly to the analog signals would be in- Brief History sane, and F2F chips are critical for easy inter- Count Zero wrote the definitive work on facing. Each F2F chip needs five volts (5V) magstripes in November of 1992 for Phrack and a ground (GND) as inputs, and for output 37, entitled "Card-0-Ramai Magnetic Stripe has a Card Present (CP) line, as well as one to Technology and Beyond" . While an excel- three pairs of Clock (CLK) and Data (DATA) lent work, discussing the physical character- lines, one pair for each track the reader sup- istics of magstripes as well as how the data is ports. These F2F chips decode the magstripe encoded on them, it contains no information data of each track as Bit Stream, using the about interfacing to magstripe readers. While CLK and DATA line. When the CLK line several people ha~epublished works on read- goes high, DATA line is the value of that bit ers and copiers , the definitive guide on in- (low=O, high=l). The CP line goes high when terfacing readers to computers was written by the reader detects that a card is being swiped Patrick Gueulle in June of 1998 entitled "In- through it. We will not use the CP line in our terfacing a TTL Magcard Reader to the PC implementation. Game port" . This work is extremely short, Our Approach , with no explanation of its Pascal source code. Using an F2F chip, we can read the bit 1 It has been over six years since someone stream of the data on the card. From the ABA wrote something of substance about standard, we know how those bits represent magstripe interfacing. The uncommented numbers and characters (shown in Figure 3). source code that you can find out there is so We simply need a way for a computer to read horribly dated that it will not run on any mod- in the bit stream and write some software to ern Windows OS (2K, XP). This article will convert it to the characters defined in the explain in detail interfacing a magstripe to a ABA standard. The good news is readers with

I computer, how to control it, and present eas- built in F2F chips are easy to find and pretty ily ported source code that people can use. cheap. They can be purchased from Digikey, Magstripe Basics Jameco, etc. under the name TTL readers. See the Phrack article for much more You don't want to buy the expensive readers \ information about this subject. Magstripes that connect directly to a serial or parallel $ort, as these readers will require special ing an LED to make sure the 5V and GND' software to read from them. going to your reader are really active. We are going to adapt an approach shown What we have done is soldered the reader in the Gueulle article and interface through the game port. This has several advantages. The game port provides 5V and GND to run GND i% the reader without an external power supply; it has four easy to read inputs, game ports are usually free whereas serial and parallel ports are not, and even legacy free PCs without parallel ports, serial ports, or ISA slots still have game ports. Parts Getting a TTL reader is pretty easy. Digikey has a large section on them. Simply search for "mag card." Other online stores Figure I. Wiring the Magstripe cany them as well. You want the simplest and cheapest one you can get. We are only in- outputs to the input pins on the game port that terested in Track 2 readers. We don't care correspond to joystick buttons. We can now about cabling since we will make our own access the bit stream from the F2F chip as if and we don't want motorized readers. We we are checking the status of joystick but- want the readers where you manually swipe tons! We read from the game port by reading the card (these are a lot cheaper). I am a big from VO port 0x201. If we wired the reader fan of the Omron V3A family of readers, to a game port as shown in Figure 1, when we specifically the V3A-4, since it offers exactly read from VO port 0x201, we will receive a what we need. Expect to spend around $15 to byte whose format is described in Figure 2. $20. In addition, you will need a DB15 male connector to plug into the game port. Make sure you don't buy a DB15 HD for VGA con- nections. Jameco part #I5034 is what you want. You'll also need soldering tools, some wire, a hot glue gun, and some electrical tape. Notice that the inputs are inverted. Thus I used a few feet of speaker wire to connect for each corresponding bit, 0 means a 1 from the reader to the game port, so the reader the card and a 1 means a 0 from the card. could sit in front of the computer. How do we read a byte from port 0x201? It How to Interface varies from language to language, but is nor- Make sure you can get the data sheet for mally of the form "inputByte = INP (ad- your TTL reader and that it supports Track 2. dress)." We then use "AND 16" to extract the Check the manufacturer's site. Using the DATA bit from the fifth bit of the read byte. pinout from the data sheet, solder wires to the This gives us the bit stream. 5V, GND, DATA, and CLK pins, making Bit Stream Explained sure you are using the CLWDATA pair for The bit stream of a Track 2 magstripe card Track 2 if your reader supports multiple looks like this: tracks. The contacts you have to solder to [leading zeros. . .I [start] [Data. . .I could be quite small; after soldering the [endl [LRCI [trailing zeros. . .I wires, I covered the contacts on the reader The data on the card is a 16 character set, with hot glue to make sure they wouldn't represented by five bits, four for the charac- shift, break, or short each other out. Take ter, one as odd parity. The character set for your time and solder carefully. Track 2 is shown in Figure 3. Next, solder the ends of the 5V, GND, We are only interested in 0-9 and the start, DATA, and CLK to the DB15 connector as stop, and field characters. They show us shown in Figure 1. where in the bit stream we have valid data, A word of warning: not all the grounds on and how that data is divided into fields. The a game port will really be grounds. Check us- number of leading zeros and trailing zeros --Data its-- way. If you have several programs running\ b@bl bZ b3 b4 Char Purpose and your computer is off doing something fl else and misses a bit, the data will be wrong. 6 6 B I 1 P1 Data 1BBQe 1 ' How time critical it is can vary with language BlBOB 2 - and hardware. On a Pentium 150, the PASI;; llB81 3 ' CAL code from Luis Padilla Visdornine ee1oe 4 - 1B1.31 5 ' compiled and worked fine in DOS, but an im- el181 6 plementation in Qbasic, even compiled, 111BB 7 ' failed. The 3.4+ GHz machines of today 69BlB B " lee11 9 ' should have no problem. a 1 I 11 : Control Lastly, a note on V0 port access. If you 1 1 0 1 0 ; Start Sentinel want to use my VB code and are using 0 e 11 1 r: ControL 1 9 1 1 8 - Field Separator Win2K or Xfi you will need to grab the In- 0 11 1 B r Control pout32 from . This is a DLL that allows you 1 1 1 1 1 7 End Sentinel to directly access VO ports under 2K and XP, Iiquro 3. Trsok 2 8r+ which don't allow direct access like Win 9x vary, and are there to sync the clock inside and ME do. the F2F chip. The trailing zeros are there so Source Code Explained you can run your mag card backwards VB is used because it's easy to understand through a reader. Please note the F2F chip and port, and I don't want the language to in- doesn't look for the start or stop characters, or terfere with the explanation. The code is lim- anything like that. It simply reads the fluxes ited in that it will only deal with cards slid in and outputs the CLK and DATA lines. Our the proper direction. It is heavily commented, program must scan the stream and find the so here is a quick overview. We read the start character. Once you find it, you know DATA from the card just as described above, where the five bit boundaries are for each using a set of time critical loops. The array is character and can read the data on the card. sized to 240 since we will never have more We are interested in all data from the start than 240 bits on Track 2. We don't need to use character to the stop character. The LRC is a the CP line because the CLK line will not go checksum used to make sure the data on the high until a card is in the track. After the first card is correct. The source code doesn't check stage, our array contains entire bytes from the LRC. Rarely is it necessary and for the 0x201 when we only care about the Data bit. most part any problems you have will be with The next stage uses "AND 16" to mask off the timing loop, as described in the next sec- the DATA from the fifth bit. The array now tion. has only 1's and Os, the raw bit stream. Next Problems we scan the array looking for 11010. This Remember all those advantages for inter- marks the start of the data. Once found, we facing to a game port? There is one big then read five bits at a time, looking for the downside. The game port doesn't generate an end character 1111 1. When we find it, we interrupt when a joystick is moved or a but- read through the bit stream from the start ton is pressed. This means in our software we character to the stop character at five bit in- have to use lots of loops when reading the bit tervals (since each character in the stream is stream so we can trap the changes of the CLK five bits), and decode the characters using the line. To read a single data bit from the DATA line, we have to do the following: chart in Figure 3. We append these decoded Step I: Loop, checking for when the CLK characters to a string until we have read all goes high (and thus bit 5 goes low). the data between the start and stop. Step 2: Save the value of the DATA line (bit 5). Here is a sample of the decoded bit stream Step 3: Loop, waiting for the CLK to go low of a Visa: Account Number: 4313 0123 4567 8901 (and thus bit 5 to go high). Expires : 5/06 Step 4: If we still have more bits to read, go Output : to Step 1. ;4313012345678901=0506101xxxxxxxxxxxxx? This is a time critical loop. The program The 101 after the expiration data is com- has to catch each and every bit in real time mon to all Visa cards. See references below , since the bits are not saved or cached in any for many more examples of card formats. Improvements wallet. You'll be amazed at the stuff you find\ The code given here is very basic, so peo- encoded on them. I've found SSNs, PIN ple can understand what's going on. More ad; numbers, birth dates, and more. vanced code and applications are available . There is no group, there is only code. One of the first improvements would be al- References lowing the card to be swiped in both direc- Copies of most of the info from these tions. You capture the bit stream the same links can be found at www.yak.net/acidus. way. You then look for the start character, 111 c~~~-o-R~~~: ti^ stripe ~~~h- then find the end character, and nology and Beyond, Count Zero, http://www. then the LRC. You then calculate the LRC to *phrack.org/p~ack/37~7-06- The Defini- make sure the data is correct. If any of those tive guide on magstripes: formats, encoding, steps fail, simply try again going backwards and reading. through the stream. Interrupt driven program- f21 Magnetic Stripe readerlwriter, Luis ming be a We didn't use the Padilla Visdomine, http://www.gae.ucm.es/ CP line, because our polling method doesn't --padilla/extraworWstripe.html -An excel- need it, and the game port doesn't have it. Us- lent web page, Luis builds a mag reader and ing the CP line and the CLK line, you could writer from scratch. Lots of examples of card wire something to say the strobe line on a parallel port and trigger an interrupt so the fo-ats3 rather advanced. computer doesn't have to keep polling until a Interface a TTL Magcard Read to the card is really there. PC Games Port, Patrick Gueulle http:// Closing and Thanks -www.blackmarket-press.net/info/plastic/ "If I have seen farther than others, it is 'magstri~e/card-tech/3I~~.~d~-A very only because I have stood on the shoulders of Paper On PC interfacing with giants." Those giants, most notably Count ~0%. Zero, made this article possible. Thanks to all Logix 4 U Homepage, www.logix4u. the hackers who learned so much and docu- *cjb.net - Contains the inpout32.dll needed mented their discoveries. Please take this to directly access VO ports using INP and code and improve on it as much as you like. 07; on Win2k and XP machines. Just remember to give credit as I have: hack- Most Significant Bit Homepage, ers have been working on magstripes for Acidus, www.yak.net/acidus - My home- nearly 15 years. Swipe all the cards in your page, lots of info on a variety of subjects.

Public Function Swipecard0 As String

Dim cardout As String 'Will hold the final string of Card Characters Dim cardRaw(1 To 240) As Byte 'array to hold samples each bit on the magcard.

...... GATHER RAW BIT STREAM 'Reads the DATA bits from the card by trapping the CLK signal

1 For k = 1 TO 240 DoEvents 'VB specfic statement, lets you yield so programs doesn't 'hog CPU. On slow/high-loaded machines this could be removed 'to make sure time critical loop happens I e = Inp(&H2Ol) 'Read in byte Loop Until (e And 32) = 0 'wait until CLK goes high 'since the CLK is high, DATA is valid, so save cardRaw(k) = e

'wait for CLK to go low again DO e = Inp(&HZOl) Loop Until (e And 32) = 32 Next ,------...... CONVERT ARRAY TO BITSTREAM 'Since the array cardRaw has the CLK bits, DATA bits, and other junk 'we AND the DATA bit out, and set that entry in the array to the value 'of the DATA bit. All entries in cardRAW will be 0 or 1 after this

ZbOO Magazine ' cardRaw(k) = (cardRaw(k1 And 16) If cardRaw(k) = 0 Then cardRaw(k) = 1 If cardRaw(k) = 16 Then cardRaw(k1 = 0 Next

,______------~======...... LOCATE START AND END OF BITSTREAM 'Since cards can have any number of leading and trailing zeros, we need 'to find where start character ";" is. Then we will know where the 5 bit boundries fall to define the characters. We also look for the End character "?"

j = 0 'start at index 0 of the array 'Loop until we find "11010" which is the start character DO j=j+l Loop Until (cardRaw(j ) = 1 And cardRaw(j + 1) = 1 And cardRaw(j + 2) = 0 And cardRaw(j + 3) = 1 And cardRaw(j + 4) = 0)

starts = j 'save its location

'Now loop through, jumping 5 bits at a time (ie 1 character at a time) 'until we find '11111" which is the end chacter DO j=j+S Loop Until (cardRaw(j) = 1 And cardRaw(j + 1) = 1 And cardRaw(j + 2) = 1 And card~aw(j+ 3) = 1 And cardRaw(j + 4) = 1)

ends = j 'save its location

!______------==~==...... DECODE BITSTREAM TO OUTPUT STRING 'We walk through the array at 1 character at a time (5 bits at a time) 'from the start character to the end character (this ay we avoid the leading and trailing zeros, as well as the LRC checksum) 'We examine those 5 bits and append the appropriate character to the end of the 'string

cardout = "" 'empty the string

F~~ j = starts TO ends Step 5 'for(j=starts;jc=ends;j+=5)

If (cardRaw(j) = 1) And (cardRaw(j + 1) = 1) And (cardRaw(j + 2) = 0) And (cardRaw(j + 3) = 1) And b (cardRaw(j + 4) = 0) Then cardout = cardout + " ; " If (cardRaw(j) = 1) And (cardRaw(j + 1) = 0) And (cardRaw(j + 2) = 1) And (cardRaw(j + 3) = 1) And W(cardRaw(j + 4) = 0) Then cardout = cardout + "=" If (cardRaw(j) = 1) And (cardRaw(j + 1) = 1) And (cardRaw(j + 2) = 1) And (cardRaw(j + 3) = 1) And Z(cardRaw(j + 4) = 1) Then cardout = cardout + "?" If (cardRaw(j) = 0) And (cardRaw(j + 1) = 1) And (cardRaw(j + 2) = 0) And (cardRaw(j + 3) = 1) And b(cardRaw(j + 4) = 1) Then cardout = cardout + " :" If (cardRaw(j) = 0) And (cardRaw(j + 1) = 0) And (cardRaw(j + 2) = 1) And (cardRaw(j + 3) = 1) And b(cardRaw(j + 4) = 1) Then cardout = cardout + "c" If (cardRaw(j) = 0) And (cardRaw(j + 1) = 1) And (cardRaw(j + 2) = 1) And (cardRaw(j + 3) = 1) And W(cardRaw(j + 4) = 0) Then cardout = cardout + ">" If (cardRaw(j) = 0) And (cardRaw(j + 1) = 0) And (cardRaw(j + 2) = 0) And (cardRaw(j + 3) = 0) And Z(cardRaw(j + 4) = 1) Then cardout = cardout + "0" If (cardRaw(j) = 1) And (cardRaw(j + 1) = 0) And lcardRaw(j + 2) = 0) And (cardRaw(j + 3) = 0) And Z(cardRaw(j + 4) = 0) Then cardout = cardout + "1" If (cardRaw(j) = 0) And (cardRaw(j + 1) = 1) And (cardRaw(j + 2) = 0) And (card~aw(j+ 3) = 0) And b(cardRaw(j + 4) = 0) Then cardout = cardout + "2" If (cardRaw(j) = 1) And (cardRaw(j + 1) = 1) And (cardRaw(j + 2) = 0) And (cardRaw(j + 3) = 0) And W(cardRaw(j + 4) = 1) Then cardout = cardout + "3" If (cardRaw(j) = 0) And (cardRaw(j + 1) = 0) And (cardRaw(j + 2) = 1) And (cardRaw(j + 3) = 0) And b (cardRaw(j + 4) = 0) Then cardout = cardout + "4" If (cardRaw(j) = 1) And (cardRaw(j + 1) = 0) And (cardRaw(j + 2) = 1) And (cardRaw(j + 3) = 0) And b(cardRaw(j + 4) = 1) Then cardout = cardout + "5" If (cardRaw(j) = 0) And (cardRaw(j + 1) = 1) And (cardRaw(j + 2) = 1) And (cardRaw(j + 3) = 0) And b (cardRaw(j + 4) = 1) Then cardout = cardout + "6" If (cardRaw(j) = 1) And (cardRaw(j + 1) = 1) And (cardRawlj + 2) = 1) And (card~aw(j+ 3) - 0) And W(cardRaw(j + 4) - 0) Then cardout = cardout + "7" If (cardRaw(j) = 0) And (cardRaw(j + 1) = 0) And (cardRaw(j + 2) = 0) And (cardRaw(j + 3) = 1) And *(cardRaw(j + 4) = 0) Then cardout = cardout + '18'3 If (cardRaw(j) = 1) And (cardRaw(j + 1) = 0) And (cardRaw(j + 2) = 0) And (card~aw(j+ 3) = 1) And b (cardRaw(j + 4) = 1) Then cardout = cardout + '"9"

Next

'Return the string Swipecard = cardout End Function

LSummer 2004 page 39l & Listening Via Linux \ 1 by Solthae are beginning to come to you (your own per- Greetings. I bring you some simple C sonal server, making your own hon- code that, when compiled, sets UP a simple eypot to stick on the telnet port, perhaps server on your system listening On a port of begin work on a mud, a joke of the day echo your request. But first ... server, etc.). did I code this and send it Since that's basically the whole Without getting too longwinded, I simply wanted to provide an appetizer to the world I'll leave you here. I have faith in your intelli- of ~i~~~ network programming rve been gence and also didn't want to bore you with getting into over the last year or so. The texts attempting to explain what the various I've read and the uroiects I've worked on have strange calls are doing (socket(2), listen(21, kept me reading ;nd*continuing them (not al- bind(2), etc.). Instead I left you with a pro- ways common). I'm hoping to turn on new gram that doesn't support something as vital people interested and help out those already as multiple clients (see fork(2)). I also hard interested who'~enot Yet had any neat code coded the families used, the specified ser- play with. I 'gured that the best way I vices, and other goodies (such as broadcast- could do that was by providing the most basic ing and general UDP which are not of code that would also be useful and enter- taining. The result: my simple 1istener.c. Be- "hardcoded" but "notcoded"). These are for sides I love to see code in 2600. you to learn on your own and come highly what does listener do? Listener listens on recommended as interesting subjects to take whatever machine it is executed on (provided UP study (especially as just a hobby). This, I "&" to run in background), waiting and lis- hope, will send you out of your dark room or tening (that's three) for connections to the (unfortunately) deeper into the Internet to specified port. For example: find out socket programming information. solthae@rnars$> ./listener 2600 & then Besides, it takes time to explain the whole solthae@rnars$z telnet localhost 2600 concept (that's what books are for) as well as will connect you to the listener program. the specifics. So just read the comments and What happens afterwards is up to you. How the verbose variable names to follow along. is that up to me? YOUmodify listener to do Either way 1 hope you enjoy the code (ques- something than what I provided edit- tions, comments, bitches, complaints to dear ing the code at the bottom of the for loop 2600, I'11 address them there). (line 72). You'll see: Primary sources (not just the net): while ffgetslbuf, sizeof buf,rStreaml ) { . . . This continues to receive requests (for tel- TCP/IP Sockets in C by Donah00 & Calvert net, requests are whatever was typed before Linux Socket pressing enter) and storing them in the "char Warren U! Gay buf[lM.At that point you can process them at Shout outs: The 2600tucson crew, Ashley, will. Hopefully at this point the opportunities Noam Chomsky, Robitussin, Modest Mouse. // ...... // 1istener.c // by solthae // Simple server code that allows for remote connections. Can have various uses (honeypot, // listener, mud server, etc). I've hardcoded it to run on localhost with no specific service // being run, in hopes that those wishing to mod it for multiple clients, specific services, etc. // will follow up and learn more on their own. / / // Usage: // listener 2600 & // this will leave a process running as seen with ps', listening for connections on port 2600. // ...... #include , #include cstdlib.hs // error0 reports an error then exits program void error(const char 'err) { perror (err); exit (1); l int main(int argc, char **argv) { int z,x; struct sockaddr-in serverAddress; // AF-INET family (like Momma's family) struct sockaddr-in clientAddress; // AF-INET family unsigned short portNumber; // Port Number for server FILE *??Stream = NULL; // Read Stream . FILE 'wstream = NULL; // Write Stream int s; // Socket int c; // Client Socket char buf [40961 ; // 1/0 Buffer socklen-t addrlen; // for accept(2) when using g++ compiler // Check for correct argument usage if (argc != 2) { fprintf (stderr,"Usage: %s \nP',argv[Ol ; exit(1); ) // Assign supplied argument as Port Number portNumber = atoi (argv[ll ) ;

// Create a TCP/IP socket to use: if ( (S = socket (PF-INET,SOCK-STREAM, 0) == -1) error ("socket(2) " ) ; // Fill in local address structure (that'd be our server address) memset(&serverAddress, 0, sizeof(serverAddress)); // Clear out structure senrerAddress.sin-family = AF-INET; // Internet address family serverAddress.sin-addr.s-addr = htonl(1NADDR-ANY); // Any incomming interface serverAddress.singort = htons(p0rtNumber); // Local Port to use // Bind to the server address: if((= = bind(s,(struct sockaddr +)&serverAddress,sizeof(serverAddress))) == -1) error ("bind(2 ) ") ;

// Make it a listening socket: if ((2 = listen(s,lO)) == -1) error("listen(2)"); // The server loop: for(;;) { // Wait for a connection: addrlen = sizeof(c1ientAddr-ess); if ( (c = accept (s,(struct sockaddr *) &clientAddress,&addrlen) ) == -1) error ("accept(2) " ) ;

// Thr read stream is where the clients requests are going // to becomming in through (don't mix them up) // create read stream: if (1 (rstream = fdopen(c,"rV))){ close (c); continue ; I // The write stream is where you are going to print your // messages (like requests) to the client (don't mix them up1 // create write stream if (! (wstream = fdopen(dup(c),"wv))) { fclose (rStream); continue; I // Set both streams to line buffered mode: setlinebuf(rStream); setlinebuf (wstream);

...... \nu) ; printf ("Put a telnet message here for fun\ne'); ...... \n"); // --.-...... -.-.------NoTE TO READERS ...... // This is the main workhorse of the code. This takes requests from // the client through the read stream rstream. You then can process these // 'requests' (i.e.. sent text, etc.) as a 'char buf [I ' (i.e, string) // Below: process 1 echo's sent command, process 2 prints stringlen, // and the last one goes through buf on by one printing the chars. // Enjoy making creative ways to process buf from different clients1 // ...... // Process client's requests: while (fgets(buf, sizeof buf, rstream)) { printf ("\necho: %s",buf); //---- Process 1 printf ("\nsize: %d",strlen(buf)) ; //---- Process 2 for(x=O;xcstrlen(buf);x++) //---- Process 3 printf ("\n%c",buf[XI);

// Close client's connection fclose (wStream); shutdown(fileno(rStream), SHUT-RDWR) ; fclose (rstream); 1 // If control gets here there's a major problem with time/space return 0;

by SARain down somewhere or saving it to a tile (you Do you still have one of those old keyboard- could encrypt the file with an easier to remem- connecting Cue Cats from Digital Conver- ber password) just in case your Cue Cat or bar gence? Well, if you do then you can use it to code ever gets lost or damaged. In order to use create a very hard to crack password for most it, all you have to do is open up the program or programs or services and it won't even take you service that you have set to use this password ten seconds to enter it in. All you need to do is and, with the blinking cursor in the dialog box, connect your Cue Cat to your computer and scan your bar code. You will see it enter the open up gedit, notepad, or some other typing string and then it will automatically hit enter. program. Now look around your house - or Just a few precautions when using your Cue computer desk if you're lazy - and find a bar Cat for passwords. 1) Your Cue Cat has a code that you can always have available (I used unique serial number included in the string it my student ID bar code). Scan the card with displays so you can only use that particular Cue your Cue Cat and a string of numbers and letters Cat to enter the password. 2) Your passwords should appear in your typing program. Do this are only as strong as their weakest link. If you several times to make sure you get the same leave your bar code laying around, other people string most of the time. Now copy the string that could use it. appears the most and paste it into the new pass- Overall I have found it to be very handy for word prompt for whatever you want to use it password entry and often faster than entering a for. I would recommend writing this string shorter password on the keyboard. The Global Date Format

by Richard Cheshire the clock in the control center that usually [email protected] showed MET (Mission Elapsed Time, or the There are many ways of writing the date. time since the spacecraft lifted off the I got my "epiphany" back in the 1970's. It launch pad) was showing the current date was during the period between the end of the and time. Apollo program, and the beginning of the It was only one of those short four second space shuttle era in 1981. I was watching a "establishment shots" that a film director documentary about NASA and noticed that will use to establish where a scene is taking \ /place. As they panned across the room, I for Mars, the asteroids and beyond. I'm not a couldn't help but notice that the clock was "one worlder," I'm a multi-worlder! showing the year, month, day, hour, minute, Markus Kuhn has moved his page to and second in that order! "Wow!" I thought http://www.cl.cam.ac.uk/-mgk25/iso- to myself. "That makes sense!" I've been writing the date in that format ever since. Of time.htm1 at Cambridge University in Eng- course I stiIl wrote it wrong for many years, land. Besides quoting the standard itself, it not knowing any better. also points out some interesting things about You see, the beauty of writing the date in this date format. For one thing, it is already the format 1975.02.05 meant that there was in use by more than three quarters of the no ambiguity as to whether I meant the Sec- world's population. China has more than ond of May or the Fifth of February. You half of that population, and China (usually simply read it from highest to lowest (year followed by month followed by day). And considered a backward nation) is already us- the real charmer was the fact that this format ing the format. is computer sortable! In the American con- You can do it, too! vention of writing the date 02/05/75, files If you're a programmer, you instinctively named with the year would have the files recognize that the format of YYMMDD (or from February's of different years sorted all YYYYMMDD if you want to avoid "The mixed together, while 75.02.05 would al- Century Problem") lends itself to sorting, ways sort ahead of 76.02.03. When I found the World Wide Web in and the beauty of the concept makes you 1996, I had to change my habit of 20 years. want to use it in everyday life as weIl. But Like most people, I rebel against change and the rest of America hasn't recognized this I didn't like it when I found out. But it seems format yet. Over the years that I've used the that this format is an international standard - format, I've noticed that people look at it I had just been using the wrong character as funny. That's simply because not many peo- a separator. But instead of "dots" I had to change to "dashes" as in 75-02-05. ple use it. Back in the 70's I'd stop in the public li- And when bureaucrats hand me a form brary and read Aviation Week magazine (the where they've already filled in the date and "magazine of record" for the aerospace in- tell me "sign there," I sign my name and dustry), just because I've always been a bit then put the date next to it in my format. If of a space cadet (which is why I now live in they ask (and they usually don't), I explain Florida where I can watch NASA launch it's the international format that I always use rockets to Mars and send men and metal into Earth orbit). I noticed that the Europeans and, should it become necessary, I will be used the decimal point in their phone num- able to quickly prove it's my signature if my bers and it looked like an elegant way of de- date format is used. With all the "identity noting the fact that my date format was theft" issues going on around now, this is "different" from the way most people did making more sense to people. things. Now you, dear reader, are just one per- Shortly after I found the web, I found son. You may be thinking, "What I do as just Markus Kuhn's web page at a university in Germany. His web page on ISO-8601 Inter- one person can't be that significant." But it national Date And Time Format changed my can be! If we each print out a copy of the life and brought me a sense of self-vindica- Standard, and show it to the people in the tion. This was the way the world did things. Front Office where we work, we can help Now I've been accused of being one of those America join the rest of the world in one, "one world" creeps who thinks there should seemingly small, insignificant area. Maybe be a single world government. Absolutely not. But as a science fiction fan who thinks you can help show that the hackers of the Star Trek is pretty neat, I think the world world want to foster global cooperation, and needs to pull together into a joint space pro- that those bullies of the world who write \ gram to reach the moon as a stepping stone viruses are not who the hackers really are. Page 23 1 by Eoban and the med~aservers and onboard computer\ [email protected] are just Intel PCs. Have a look at their whitc I First, a little background: All the munici- paper at: http:llwww.transitv.com/network3 pal buses in Milwaukee have LCD video dis- ~/wht~papr/3000-CDI-002-003.pdfcirca plays in them showing where one is in the July 200 1. city. It also shows weather, news, sports, ads, But this document, while intriguing. and so on. yielded little information as to when the So one day while wardriving, a few buses actually updated their video files. All friends and I discovered a rather interesting we could get was that they were updated characteristic of all (as far as we can tell) mu- "overnight." According to MCTS's own nicipal buses in the city of Milwaukee. When schedules, the buses parked from around 230 a bus drove by, an AP with an SSID of am to 4:30 am. The transfer would almost "route-mi" appeared on our stumbler, slowly certainly have to be during this time period. increasing in signal strength and then, as the So that's when we'd have to grab their pack- bus passed us, decreasing and disappearing in ets. And even then, we might have to get in- a few more seconds. We reached the conclu- side a building somewhere. sion that it was the bus itself and we sped af- But we haven't cracked jack shit yet, so ter it. After a few more seconds, we realized I'm left to speculate. For now, all I can say is it was an ad-hoc connection and ran standard that it is plainly idiotic to not cloak the SSID 128-bit WEP. of something like this. There is absolutely no We didn't have a sniffer ready to go that reason why anyone else would need to know day so we drove around and found another about "route-mi" but there it is in the open bus. Same thing. We figured we could crack it anyway. I credit them for running WEP, of pretty easily as long as the bus actually used course, but it still is only WEP. It is only a wi-fi for sending something - there had to be matter of time before it's compromised, and encrypted traffic being transmitted. Trying to because the software itself appears to be rela- crack WEP with an LLC packet every minute tively well-documented, it's simply a matter or two ain't gonna work so well. We also fig- of changing your chipset's MAC address and ured that all the buses (to simplify things a SSID to impersonate the other end of the ad- bit) would all run the same key. Even if the hoc connection and upload your own video buses only used the wi-fi points for telemetry file. synching while parked at the central station, For now, let me say that I don't plan to do we could just sit across the street from the this. But I can't speak for anyone else who station and log packets that way. has knowledge of the Transit TV network's That night, a little googling uncovered a presence in their local bus system. Computerworld online article that men- If you live in Milwaukee, Birmingham, tioned, albeit briefly, that ITEC Entertain- Orlando, Sydney, or anywhere else that has a ment had wi-fi networks for video on buses in similar system, I'd like to hear about your ex- Milwaukee, Birmingham, and Orlando. periences with the buses. It's my understand- There was also a recent Australian spinoff of ing it may be implemented on trains as well. ITEC that was running trials in Sydney. So All in all, as this kind of technology becomes the wi-fi network did transmit something in- more widespread, it's important for advertis- teresting. But then things became a little ing firms, city governments, and the design- more confusing when we discovered a com- ers of the system itself to recognize the panylsystem called Transit TV potential for abuse. Run a network like ITEC (http:Nwww.transitv.com). It turns out Transit Transit TV and you're simply asking for it. TV is a subsidiary of ITEC, and their web site Many thanks to AK-RAGE for the laptop has absolutely no problem with giving away and ultimate 200rnW wardriving card and all the technical details behind their systems' Brian for lending us the ultimate wardriving operation. All their wi-fi equipment is Cisco, machine, his Toyota Matrix. I Omni Locks and

by Toby any Office/Access pasword recovery tool on toby @richards.net it. I used Accentsoft'\ tool (http.//www.prt-4 Omni Locks and the impact of stupid cor- rwordrecoverytools.coin/en/office.shtml~ porate politics on security could easily each because it was the first one I Found wi:!i ,I have its own article. I am using each subject fully functional demo verslon. At th~rpant as the example for the other. But as you read, we can look at the file with Access, or we can be sure to consider the implications of each rename it back to an .ODF file and run Facil- on its own merit. ity Manager on it. Omni Locks Stupid Politics Omni Locks (http://www.omnilock.com/) You would think that it is self-evident that are a popular brand of combination lock for keeping the ODF database file secure is key. securing doors. You'll commonly find these But political power struggles and petty per- on the doors to server rooms and, in some sonal agendas can cloud people's judgment. companies, you may find them on all perime- In one organization, the Omni Locks are ter doors. In particular, the Omni Lock 2000 managed by the support (building mainte- model can be programmed with employee nance) department. It is very important to name and combination pairs, which allows these support folks that they retain the only the lock to keep logs of who uses the door. control over the Omni Locks. Thev don't This model is identified by the model name want anyone, including IT, to have any con- found on the underside of the lock. The flow trol or maintenance access to the locks. They generally goes like this: The Omni Lock soft- have specifically told the IT department to ware, called "Facility Manager," is the inter- stay out of Omni Lock business. So IT was face to a database file. The Facility Manager never told where the Omni Lock files were. loads itself onto a PDA (the PDA needs to be IT never poked around to figure it out, either, IRDA capable for this to be useful). The PDA then synchronizes with the Facility Manager because that would be disobeying the V.P. database. Now, point your IRDA capable who told them to butt out. PDA at an Omni Lock to synchronize users, But it was inevitable that the IT depart- combinations, and logs. ment would one day hire someone curious. You can't just go reprogramming any And so the new network administrator looked Omni Lock 2000 just because you got your for the Omni Lock files. He found them in hands on a copy of Facility Manager and a \\~ERVER\DEP~TMENT~\SUPPORT\~MNI PDA with IRDA. When you run Facility ,LOCK\. That's kind of an obvious place, but Manager for the first time, you create a new it gets worse. Who do you suppose has read "facility." A facility seems to be the combina- access to these files? All users! tion of the database and its unique identifier. If support had put the best interests of the Unless you have a brand new Omni Lock company ahead of their own political agen- 2000, then you cannot synchronize with your das, this would have been avoided. But why lock unless the PDA and lock have the same should we trust the network administrator facility. (who has access to everything anyway)? But that hardly makes the system secure. Conclusion The database file, which is called "New Fa- The worst security risk remains the human cility.ODFUby default, is actually a password factor. And is worse than just social engineer- protected Microsoft Access database. Re- ing. Stupid politics can compromise network name the file with a .MDB extension and run and even physical security. by b-bstf Second are the older, p2p veterans who use [email protected] other p2p networks (Gnutella, BitTorrent, I've written this article after reading a few EMule) and programs as well as KaZaA. In ad- letters which show that some readers seem to dition to using p2p for music, they may also know little about piracy on the Internet. I don't download games, programs, movies, etc. know everything about piracy on the net, but I IRC Kiddies would go so far as to say that I know a fair bit Not far up from the KaZaA Kiddies we about it. have the people who go to IRC for their warez First off, piracy isn't just a few guys who fix. These folks can be more knowledgeable work at cinemas and software stores taking the about computers and the Internet but tend to be odd film or game home and sharing it on their just as irritating as the KaZaA Kiddies. Warez home FTP servers or KaZaA. Channels are often run by people who have ac- Piracy on the Internet, or "the warez scene" cess to a fair amount of pirated material (more (as those into it like to call it) is surprisingly about them later). There are generally two organized. Pirated softwarelgameslmoviesl types of these Warez Channels: &anything are called "warez" and will referred Fserve Chans. These can often be run by to as that from now on. the same KaZaA or IRC kiddies. They don't re- The Piracy "Food Chain" ally have a reason to run them; they just like to TOP feel important. They mainly use the mIRC Warez/Release Groups - People who release client's File Server function and some "133 the warez to the warez community. Often skript" to share their warez direct from their linked with Site Traders. hard drives. Site Traders - People who trade the releases XDCC Chans. These are usually run by from the above groups on fast servers. people into FXP Boards or Sitetrading. They FXP Boards - Skript Kiddies who have access to fast, new warez. They "employ" scan/hack/fill vulnerable computers with people to "hack" into computers with fast In- warez. ternet connections and install XDCC Clients IRC Kiddies - Users of IRC (Internet Relay (usually iroffer - www.iroffer.org) which are Chat) who download from "XDCC Bots" or used to share out pirated goods. From what I've "Fserves." seen, the people running these channels must KaZaA Kiddies - Users of KaZaA and other primarily do it because they like to have power p2p (peer to peer) programs. over a lot of people (being a chan op), but also Bottom they will often be given free shell accounts to We'll start at the bottom. run BNCs, Eggdrops, etc. by shell companies KaZaA Kiddies in exchange for an advert in the topic of the At the bottom of the piracy food chain we channel. have the KaZaA Kiddies. There appear to be IRC Kiddies can be found on EFnet two groups of these KaZaA Kiddies. First, the (irc.efnet.net) or Rizon (irc.rizon.net). Other 13 year old kids with broadband downloading servers and channels can be found through the odd mp3 here and there because they can't www.packetnews.org. afford outrageously overpriced CDs from FXP Boards stores. Harmless kids, costing no one any real FXP is the File exchange Protocol. It isn't money, pursuing their musical interest. Also, an actual protocol, just a method of transfer these are the people being labeled "pirates." making use of a vulnerability in FTP. It allows These are the ones "Killing the Music Indus- the transfer of files between two FTP servers. try." These are the ones who are being sued by Rather than client to server, the transfer be- the RIAA for thousands of dollars. Sigh. comes server to server. FXP usually allows \ faster transfer speeds although it is generally The Filler. Now if the "pubstro" is fast not enabled on commercial servers as it is also enough and has enough hard drive space, it's a vulnerability known as the "FTP Bounce the Filler's job to get to work filling it with the Attack." latest warez (the Filler usually has another The Boards. FXP Boards usually run Vbul- source for his warez such as Site Trading). letin (forum software www.vbulletin.org) and Once he's done FXPing his warez, the Filler its members consist of Scanners, Hackers, and goes back to the board and posts "leech logins" Fillers. There are also usually a few odd mem- (read only logins) for one and all to use. What bers such as Graphics People or Administra- a great community! tors but they don't do much. FXP Boards are mostly full of Script Kid- The Scanner The Scanner's job is to scan IP dies and people with too much time on their ranges where fast Internet connections are hands. They like to think the FBI are after them known to lie (usually university, etc.) for com- and get very paranoid, but in reality no one re- ally gives a damn what they're up to except the puters with remote-root vulnerabilities. We're unlucky sysops who get all their bandwidth talking brute forcing MS SQL and Netbios eaten up because they forgot to patch a three- passwords, scanning for servers with the IIS year-old vulnerability. The true "nOOb" FXP Unicode bug (yes that three-year-old one). Oh Boards can be found on wondernet (irc.won- yes, FXP Boards are where the lowest of the dernet.nu) so, if you like, go sign up on one low Script Kiddies lurk. The Scanner will of- and see what it's all about. Tip: Pretend to be ten use already "hacked" computers for his female. This will almost guarantee you a place scanning (known as scanstro's), using "remote on a board. Say you can scanhack dcom, net- scan" programs such as SQLHF, XScan, Fs- bios, sql, apache, and have a lOmbit .eu Ohour can, and HScan along with a nice program to source. hide them (hiderun.exe) from the user of the Site Trading computer. Once the Scanner has gotten his re- Next on the list, and pretty much at the top sults, he'll run off to his FXP Board and post it. or near the top (as far as I've seen) are the Site This is where the "Hacker" comes into play. Traders. These are generally just people with The "HackertYScript Kiddie/dot-slash Kid- too much time on their hands who have possi- die. Now I think it's fairly obvious what the bly worked their way up through FXP Boards. "Hackers" do. (They actually call themselves Site Trading is basically the trading of pirated hackers!) Yes, they break into computers! material between sites. Their OS of choice (for breaking into) is usu- The Sites. These sites have very fast Inter- ally Windows. There are many easy to exploit net connections (10mbit is considered the min- vulnerabilities and *nix scares these people. imum, IOOmbit good, and anything higher The Hacker's job is to run his application and pretty damn good) and huge hard disk drives "root" the scanned server. The program he uses (200GB would probably be the minimum). (of course) depends upon the vulnerability the These sites are often hosted at schools, univer- Scanner has scanned for. For example, if it's sities, people's work, and in Sweden (IOmbit Netbios Password he will often either use lines are damn cheap in .se). These sites are re- psexec (www.sysinterna1s.com) or DameWare ferred to as being "legit." This means that the NT Utilities. There are various other vulnera- owner of the computer knows that they are there and being run. Fast connections mean a bilities and programs used too many to list - lot to some people. If you have access to a here. Once he has "rooted" the computer (this lOOmbit line (and are willing to run a warez usually means getting a remote shell with ad- server there), there are people who would quite min rights), he will use a technique known as happily pay for and have a computer shipped "the tftp method" or "the echo method" (tftp -i to you just for hosting a site that they will IP get file.exe) to upload and install an FTPD make absolutely no profit from (you can meet (this is almost always Sew-U) on his target. (In them on EFnet). Unfortunately, this is where the case of the IRC Kiddies this would also be credit card fraud can come into Site Trading. iroffer.) Once the FTPD is installed and work- This is frowned upon by pretty much everyone ing he'll post the "admin" logins to the FTP (there is already enough paranoia and risk in server on his FXP Board. Depending on the Site Trading) but some people do use stolen speed of the compromised computer's (or credit card information to buy hard drives and "pubstro"/"stro") Internet connection and the such. To be fair, Site Traders aren't a bad bunch hard drive space, it will be "taken" either by a - the majority don't even believe in making any Filler or a Scanner. money out of it and insist that they are just do- eggdrop bot with various scripts installed. The Internet to see that film, or that it's becausc (11 bot will make an announcement on an IRC you that thousands of people are now playin,, channel whenever a directory is made or up- that leaked Halflife 2 alpha and there are new. load completed. It will also give race informa- articles everywhere about this "anonymo~~k., tion. leaker" - it feels good, in a geeky kind of way. , The People. There are basically two ranks A lot of these people (not all, not all) may haw in sitetrading: "SiteOps" and "Racers." rather uneventful lives and to know that, al- i SiteOps, as you will have guessed, are the though at school, college, or work they're con- administrators. There are usually between two sidered a loser, they can go home at night ant1 and five SiteOps. One is often the supplier of be looked upon as some kind of god within the site, another the person who found the sup- their group of online friends would feel good. plier and guided them through the installation I do not believe that profit is a factor. Thesc of the FTPD. The others will be friends and groups insist that they don't do this sort of people involved in the warez scene. One or thing for money, and I believe them. more of the SiteOps will be the "nuker." It is Here's a quote from a DEViANCE .nfo file: his job to "nuke" any releases that are old or We do this just for FUN. We are against an!, fake (more about releases shortly). profit or commercialisation of piracy. We do Racers are the folks who will "race" re- not spread any release, others do that. In fact. leases between sites. Usually they will have we BUY all our own games with our own hard access to a number of sites and will FXP re- earned and worked for efforts. Which is from leases as soon as they're released. FXPing a re- our own real life non-scene jobs. As we love lease will gain credits. The ratio is usually 1:3, game originals. Nothing beats a quality origi- so FXPing lOOMB will get them 300MB cred- nal. "If you like this game, BUY it. We did!" its on the site, allowing them to FXP 300mb of A quote from a Team Razor .nfo file: SUP- data from that site, which will gain them PORT THE COMPANIES THAT PRODUCE 900mb where they FXP that, etc., etc. "Rac- QUALITY SOFTWARE! IF YOU ENJOYED ing" of releases occurs when two or more rac- THIS PRODUCT, BUY IT! SOFTWARE AU- ers are uploading the same file. The "race" is to THORS DESERVE SUPPORT!! upload the most of the release at the fastest Releases speed. Racing happens shortly after a release A release is a piece of pirated material is ... released. packaged and released by a warez group. The Warez/Release Groups1"grps" format of the release varies, but in the case of These are the ones basically supplying games or programs the release is usually in everyone with the warez. These are the ones bidcue, compressed with RAR, and split into the MPAA and RIAA don't seem to be too wor- 15,000,000 byte files. The naming of the re- ried about, or at least aren't making a big pub- lease will usually be something along the lines lic fuss about. However, these groups are of "New.Game.3-ReLEASEGROUP". known to the FBI and they know that the FBI The types of releases vary. In games there and whatever other authorities are watching are mainly either CD Images (binlcue format) them and collecting evidence. They know that or Rips. Movies are either DivXIXvids (usu- one day these authorities will strike as they ally 600-800mb files) or SVCDNCDs (two or have done in the past. A lot of these people are three bidcue files). There are many different just hoping that they won't be caught when it types of movie releases. A great list of these happens. As a result of this, anyone "high up" can be found at www.vcdquality.com. Releases is extremely paranoid. Most users will use will almost always be accompanied by a .nfo multiple BNCs (BouNCer, an IRC proxy) be- file. This will provide information about the re- fore even going near an IRC network. A lot of lease and the group. large groups will own their own IRC Networks Additional Info and SSL is used at every opportunity (FTP, The following information is not from first IRC, etc.). It's hard to understand why these hand experience, like the past information has people actually do it when there is such a risk. been. This has been obtained from text files,, \ \ 6,ld to me by people, and assumed. It will be on anonymous accounts. So instead of break- ~nostlyaccurate, but there may well be errors. ing into a computer, the warez kiddies would The main members of any release group just upload their warez and give the IP address :Ire: to their friends. This was very popular but died The Supplier This is the guy working at the out for obvious reasons. local cinema or games store, the guy with the Tagging. Once found a Pub would be digital camera happy to sneak it into the cin- "tagged" (a folder with the name ema, etc. Generally these people have to have "tagged.by.lamepubkiddieWor something simi- access to new material, usually before anyone lar would be made). The idea was that if a Pub else gets to it. Often they will also have to have was already "tagged" other Pubbers would a fairly decent upload speed. leave it alone. This apparently worked for a The Cracker (only in gamedapps groups) while, with people respecting other people's This will vary between groups. For example, a tags and leaving the Pubs alone. But it cer- VCD/SVCD group would not require a tainly hasn't worked for a very long time. cracker. But the cracker plays an important Dir Locking. This was used in Pubbing to role. He will have to crack the game's protec- stop people other than your warez group find- tion that stops the game from being played ing and downloading your warez (and slowing without the official CD. This guy usually has a the server down). You would hide it, using di- fair bit of programming experience and can be rectory names such as "coml" and "." These quite smart. directory names would also be hard to delete or Site Supplier Similar to Site Trading, how- even open, so it could take some time before ever warez groups are often more picky about the warez were found by the server admin. the sites they choose. The minimum speed is Raping. The act of Raping an FTP server is usually 1OOMBit and often groups will only when someone downloads pretty much every- accept sites that are being supplied by the ac- thing they can from it at a very fast speed. It's tual System OpsIAdmins themselves. frowned upon. Courier This guy's role is basically Site Leeching. Downloading a lot without up- Trading. He has to distribute the group's re- loading. lease to other sites. PubStealing/Rehacking. Back "in the day" Terms you may have heard and their mean- this would have been refemng to as uploading ings: to an already tagged Pub. Now it means replac- PRE/PREfd. When a release is released an- ing someone else's Serv-U with yours. Pub- nouncements will be made across many IRC Stealing is frowned upon and people will often channels called "PRE Chans." This is called be banned from W Boards if they are found the "PRE Time" and is the official time of re- to be doing it. lease. PRE Time is used mainly in site trading. Securing. The act of Securing a pubstro O*. This is a reference to how new the re- lease is. would involve deleting key files such as Osec. This is a dream - nOOb IRC Chans of- ftp.exe, tftp.exe, cmd.exe, etc. or changing the ten use this term but they are lying. username/password. Securing methods depend Ohour Means the release was PRE'd under upon the vulnerability. an hour ago. Some warez related links: Oday. Means the release was PRE'd under www.nforce.nl - a site that archives .nfos and an hour ago. releases. This site is frowned upon by people And so on.... in "the scene." Nuked. If a release is Nuked, the uploader www.isonews.com - a site seized by the federal of the release will lose credits on the site he is government. Nuked on. A release is Nuked when it is break- www.vcdquality.com - for movies specifically. ing site rules (like eight hours of PRE or ear- www.fxp.nl - fxp stuff. lier). www.jtpfxp.net - rather large archive of Pubstro/Stro. This is a computer that has fxplscript kiddie tutorials. been compromised and has an FTPD running www.packetnews.org - XDCC search engine. on it. It will be used to share warez, mainly to www.downhillbattle.org - not related, but fuck the FXP Community. the RIAA! ScanStro. Similar to the above, but is used If I've mentioned a program and not given a to scan for other vulnerable computers. link it's because it can be easily found through Pub/Pubbing. Pubs are dead. These are Google. from the old days when many university and That's all. I hope this has given someone a , business FTP servers had write access enabled better view of piracy. Page 27' Dear 2600: My cat is obsessed with rubber bands. hair elastic,\. Dear 2600: and generally anything circular that she can hook in hcr ' I am assuming you have seen this site before - but in little mouth and run off with. Today she attempted 10 case you haven't 1 thought you would like to add it to your scoop up the red circle in the "no photoslno videos" pic bookmarks: http:llwww.payphone-directory.org/. It ture on the cover of 20:4. seems funny that all the phones don't seem to accept any Keep up the good work. Even my cat is interested ill incoming calls anymore. I wish my phone didn't accept 2600, it seems. incoming calls either. Si1lyCatOwnc.r %ggs Animals, toddlers, and aliens continue to make lrp The online payphone directory is one of our favorite some of our most loyal readers. sites on the net. It:s well worth contributing to this valu- able service. Unfortunately so many phones can no Dear 2600: longer be called due to the greed of the phone companies I expected an April Fool's prank, somewhat in thc who believe a payphone shouldn't be used unless it's con- same vein as last year's where the government "comman- stantly generating income for them. But it2 still pretty deered" your site, but this year I was pleasantly surprisctl cool to know where payphones can be,found and what lo- with the old-school games, such as Tetris and Pac-man. cation correspond.r to which number. This info obviously that you had on the site. Excellent job. already exists but for some reason the phone companies mg48s keep it secret. Ifyou're referring to our site somehow being patch<,(/ Dear 2600: into an Atari 2600 on April I, letk just say the investi~n- I don't know how known this is but I just found it and tion is continuing. would like to share it with my fellow Hackers in School. If you go to http:Nwww.proxify.com you can enter a url Dear 2600: such as http://www.2600.com and go there anonymously, Having recently found myself working a retail job a1 also bypassing the Cyber Patrol or whatever the school a major computer retailer, I've noticed some promisin; uses. There are more websites like proxify, such as trends. While I wouldn't say the average customer is any http:Nwww.anonymizer.com. more technically inclined than you would probably ex- Scott pect, they seem to understand very well the rights that are It's preny well known but it's always nice to learn of being taken from them. For example, as soon as 321 Stu- more. You can be sure that those people who don't want dios' DVD X Copy was pulled from the shelf, I found my- you going to our site will also be keeping track of these self constantly explaining what the DMCA is, how it is methods of bypassing their restrictions so they can $nd entirely too broad, and even some of the more technical ways of blocking access to them as well. Meanwhile, aspects of how the program operated. While it's fairly here's another. likely my explanation of encryption, DeCSS, rippers, and the likes went over at least a few heads, without exception Dear 2600: people were genuinely concerned about their rights. This letter is regarding the letter by thesuave1 in 21: 1. Along with visiting the EFF's website, I recommended I am a 12th grader at Gateway High School in Aurora, every person I talked to go out and pick up at least one CO. My school also has similar software installed. This copy of 2600. I've had more than a few people come back can be easily avoided by using an anonymous web ser- into the store thanking me for opening their eyes. So in vice such as The Cloak (http:Nwww.the-cloak.com). You turn, thanks for opening their eyes 2600. can easily find such services for free just by searching Redukt Google for anonymous web browsing. X snipax This corresponds with many accounts we hear a.r ~aell as those we see for ourselves. People just aren't as unin- Gratitude formed as those in power would like them to be. And even 1 those who are uninformed often just haven't had the is- Dear 2600: sues explained to them in an engaging way. When people, I've been published in peer-reviewed journals over- realize the power they possess, they become a real threat seas. I've had editorials published in The New York Rmes. to those who have been manipulating them. Fosterinz I've written instructional material that has gone out to that realization is a worthy pursuit. every English-speaking country for companies at the top of the Fortune 500. Still, there is something especially Dear 2600: satisfying about writing an article for a magazine of such I currently attend a high school in Greenville, South infamy, especially considering that it has worldwide dis- Carolina. Just today I went out to the local bookstore and tribution. picked up my first and only issue of 2600 - 20:4. I was The Piano Guy reading through the letters and I think it's really awesome It:? that special feeling that comes with knowing that that you guys let everyone read people's opinions on edu- you've just sealed yourfate. cation and technology. I have found myself gettiny: \

c.omputer world. Hackers (using the term an IPaddress, the proxy did nothing. 0;er the lightly) do not stick up for each other when span of a month, the school switched proxies th~ngstake a turn for the worse. about three or four times. They -finally During my junior year in high school, the stumped us with BESS. So far the only who01 network security was a joke. The method around it is to use Babelfish to trans- who01 admin's goal was to block student ac- late websites back to English (although now ccss from the C:\ drive, prevent us from ob- they block AltaVista as well). Also, some- ruining DOS access, restrict us to our times it misses websites that have a www2 username folders, and block us from inappro- clone of itself. The most outrageous thing priate web sites. I'm sure that the school was when www.google.com was blocked, but faced security issues before but they did after enough complaints it was once again nothing to make it more difficult for us. cleared as an appropriate site. Being a typical student, I wanted access At the time I was also enrolled in a com- heyond what the web proxy would offer me. puter science class, a CISCO networking When class got dull I took refuge in a quick class, and an A+ tech class. Each of those

game of Slime Soccer or Jet Slalom. As these classes had use of the command -.prompt. Do- sites became more popular and the proxy ing labs where one needs to ping a machine started picking them off one by one, alternate or run tracert across a network is impossible

\Summer ZOO4 Page 451 \ /when Altiris is blocking you. After a few thing which to this point amuses me is that days of watching the teacher do the labs for the admin of this network created a master lo- us on the overhead, a few of us realized that gin script for himself. This script would auto- Altiris only blocked the command prompt matically "net use" to every directory on the from the start menu. A quick glance at a Win- district server. This still did not do much. At dows 2000 install showed that the com- this point we had access to every student mand.com file is in the C:\WINNT\ folder, but were still restricted to the single -SYSTEM32\ folder. The best thing was that teacher's files. Altiris did not prevent us from making short- It was by pure accident that I struck gold. cuts. So a quick link to the command.com file A class of mine went to one of the computer gave us the prompt we dreamed of. labs to type up some essays. I picked a com- At this point the wanna-be hacker inside a puter and powered it on, but was welcomed couple of us woke up. We began to have a bit by a blue screen that claimed the boot volume of a game going. See what you can learn to be corrupt. Needless to say the computer about the network. I must admit that it was wouldn't work. Being too lazy to shift a com- fun and even exhilarating. A week later we puter over I tried to see if I could get to the already had access to the C:\ drive and com- command prompt and run anything to fix the mand prompt access. We learned that while problem. I was unsuccessful, but once the Altiris would prevent us from entering local class left the room for lunch I found myself URLs by hand, it had no issue with links. So alone with the machine. Actually, I was des- a simple hyperlink to file:///C:\ would give us perate for results so I began looking closely the drive. From there we could run com- at the boot prompts. "Press F2 for diagnostic" mand.com, telnet, or anything else that we was one of them and it seemed appropriate at wanted. the time. I hit F2 and was greeted by a Boot- Until this point it was nothing special. A works logo. The available options were all little bit of clicking and some short HTML. grayed out so I couldn't do anything, but Eventually an accomplice of ours learned a when I quit I found myself face to face with teacher's paqsword. None of us womed about the command line. It was time to explore. using it because we still didn't have grade- DIR showed a file called startnet.bat. book passwords, nor did any of us desire They couldn't have made this simpler. This them. Teachers have it a little bit easier then file called all the necessary programs to con- students. At the time, teachers had full access nect me to the local network. Better yet, no to student folders. Also, they had no restric- login needed. Once I realized that I could see tions of the command prompt and could even other computers, I checked to see if I could execute regedit. Nevertheless, the key was access my personal folder. I could. Using when we saw a small login script executing "net use," I mapped the teacher directory and in the background. We took a screen shot and found I could access any folder I wanted to, found the location where the file was being anywhere in the entire school district server. I run from. It was this file that made me aware also quickly learned that every machine was, of the array of "net" commands. "Net use," by default, sharing $C. This meant that re- for example, will map a network shared di- motely I could access the C drive of every rectory to a drive letter. That's how the computer. At this point I should have re- servers automatically displayed the O:\ drive ported this hole to the admins and saved my- for students and the drive for teachers. self the trouble, but curiosity got the best of Also, I learned about the "net view" com- me. This was too good to be true. There was mand, which displayed all the computers on almost no way to trace who was at the com- the local workgroup. When I ran this com- puter. There was no usemame, no password. mand, the results were astonishing. Every The only evidence would be IP information machine in the entire school district was visi- and MAC address, but since hundreds of stu- ble from any node. Using the teacher ac- dents sit in that lab during the day, it would count, I could "net use" to the folder of any be hard to trace it back to me. student that belonged to the school district. Another check at the network computer Be it a middle school kid or the prom queen made me laugh a little more. TROY-PROXY of the rival high school. While this was was the name of the machine which housed , "cool" at the time, it was of no use to us. The the friendly BESS guard dog. A simple DEL Ctatement would get rid of it all. Fortunately, We cracked some jokes and in the end the; rione of us had malicious intent. At this point, decided that since I personally did not cause the network was at our disposal, and even any damage that they would talk to the prin- though there was nothing we wanted from all cipal and get me off the hook. "According to those folders, it was sure nice to know that us, you're not in any trouble." Great words to [hey were available to us. It was like being re- hear at such a moment, but unfortunately leased from a prison. Also, up to this point no they were empty. They did speak to the prin- one had any idea what was going on. None of cipal, but she claimed that some action still the admins even bothered to check up on the had to be taken. All four of us were sus- red flags that were probably showing up on pended indefinitely and we had to schedule a their systems. Nevertheless, the fun had to hearing. We all got our sentences on Friday, end at some point. but I was fortunate to get a hearing the up- A certain student who went by the alias coming Monday. The meeting was pointless eCKO decided to play some more games. He though since my statement meant nothing to learned how to remotely shut down ma- the principal who seemed only concerned chines, as well as eject CD-ROMs. Person- about us gaining access to teacher e-mails, ally, I was a little intrigued but he decided not which we did not do. Either way, two of us to share this information. Anyway, his fun got a week's vacation, the kid who originally backfired on him. During one of his classes got the password was out for an extra day, he began to eject his teacher's CD-ROM from while eCKO was out for two weeks and lost his computer. The sad thing is that he admit- all of his computer classes. Also, he didn't re- ted to it personally. He claims to have thought ceive a very warm welcome when he re- the teacher to be "cool" and not rat him out. turned. Wrong! Within a day his username was Someone once said "If you tell anyone blocked. This posed problems for him since about your acts, you've already made your he needed to get to his student folder to get first mistake." Probably the best advice one wme files. He got the bright idea that since could offer. Trust no one. While you think he knew a teacher's password that he would your friends will not rat you out, just wait un- \imply use that to get his files. Needless to til they sit in the hot seat. Also, as far as uy, his computer was being watched. The moment he logged in with the teacher user- school "exploration" is concerned, keep away name, his computer froze as the Altiris "eye" from it. While most admins will not concern watched his screen. He knew he was busted. themselves too much, the repercussions It took about two days for him to turn could be serious. While suspension is not himself in. He admitted to using the teacher very bad, especially since the absence is ex- password and claimed that I had given it to empt, worse things could happen. In eCKO's him. I quickly got a pass to get down to the case, he lost his computer classes. But if any- office and was interviewed, prison style. As I one suspects tampering with the gradebooks, \at there I heard a few other familiar names your own grade could quickly become void. ~cttingcalled down, and saw a few familiar Imagine trying to send a transcript with a l'aces pass into a nearby "conference office." note that says your grades are invalid. We It was clear that everyone who was in on this don't like the massage "invalid" on our com- was ratted out. I did the only thing I could pilers, let alone our high school transcripts. I ;ind tried to save my ass. There was no deny- was fortunate this time, but it took me a few ing the fact that I used the teacher's account weeks before I got back on track with all the and accessed data that was not mine to ac- schoolwork I missed. Also, as expected, my cess, but no harm was done. I figured that as grades dropped a little in all my classes. I long as I told the technicians how to fix their have decided since to leave the school com- problems that things would be all right. puters to be used for their intended purpose. Into the second hour of the meeting, two As for the admins, they ghetto patched some computer techs walked into the room and de- of the loopholes and conipletely ignored oth- cided that they wanted to talk. I told them ers. "Sources" claim that the DOS access no about all their security issues as well as the longer works and simply displays an empty major Bootworks flaw. I can honestly say that directory. BESS is still at large, but we still they were decent people, one of them at least. have our shortcuts. L"..., ,004 Page 47/ (continued from page 39 hope you can help me out because I am extremely A) Steals computer services ate. B) Steals a company's products through a computer- based ordering system "Desperate"doesn't begin to cover it. Whatever your C)Illegally copies and sells copyrighted software problems, and we certainly won't try to minimize them, D) Attempts to gain unauthorized access to a computer they are nothing compared to the world of hurt you'll en- system ter if you do stupid things like offer complete strangers Obviously, I wouldn't be writing if I thought a correct money to help you do illegal things. But even if you answer was among their selection, but there is not. Yet an- weren't a complete stranger we would tell you the same other unfortunate example of the misrepresentation of our thing. Andjust where did you get this distorted view of the community. hacker world where this is the kind of thing we do? Yeah, sephail we know - the mass media. Itk still no excuse. There You're not going to tell us which one was their right should be something in your genetic code that alerts you answer? Actually, it seems odd that someone with no un- to the fact that you're doing something extremely stupid derstanding of hackers wouldn't assume we're guilty of and wrong. all of these. Equally odd that someone who did under- So we're cleas the offer was in Canadian dol1ar.s and stand hackers wouldn't have an alternative an.we,: Are nor American, right? you sure there wasn't an "all of the above" and/or a 'hone of the above" choice included as well? Dear 2600: From Verizon's public website under "Local Phone Dear 2600: Service," "Online HelpFAQs," "Voice Mail." you will After reading all the letters about insecure systems in find instructions for "Getting Started with Home Voice the previous issue, 1 wanted to write to you and share the Mail." Step number three says: "Dial your starter pass- wonde@l experience that I had in setting up my voice word, which is your seven-digit home telephone num- mail at school this past year. I go to Rensselaer Polytech- ber." nic Institute (www.rpi.edu) and everyone who works So basically all you have to do is find someone who there is stupid beyond belief for a number of reasons. One has new service or someone who has not changed the of those reasons is the handling of the voice mail system. password and you can own their voice mail. Theoreti- In order to initialize your voice mail you have to pick up cally, you could take Verizon White Pages from last quar- any phone on campus, dial the voice mail number (6006). ter, compare it with this quarter's and find all the new then dial your phone number (for instance, 4002). then in- customers. Then you could just punch in numbers from put the default password (1224561, then use the menus to the Verizon White Pages until you have a hit. enter a real password. set your greeting, etc. The problem Just to further test their security on this I called cus- with this system, as I'm sure you've already guessed, is tomer support (and not from my home phone) and that anyone can set up anyone> voice mail. When I first claimed that my voice mail was locked out. They changed set mine up I accidentally dialed the wrong number and the password for me. All they asked for was my name, ad- set my own password and greeting to my neighbor's dress, and home phone. No account number, no Social phone. I could easily have gotten to school a day early Security number, no "amount of last bill," mother's and set every voice mail on campus to profanity or some- maiden name, or any other verification qoestions. thing equally juvenile and damaging. The point of this is, Thanks Verizon! many large organizations like schools and corporations The Great Belzoni seem to go instantly stupid when issues of security come up. The fact that voice mail exists is apparently good Dear 2600: enough for them. Any concerns about security or imper- This is an update to the "coupon trick" article printed sonation are just ignored. in 20:2. I was so intrigued by the article that 1 immedi- ManiacDan ately began making up some coupons for a test run at a lo- Even 20 year.7 ago this would have been considered cal department store chain called Fred Meyer. I knew they absurdly dumb. But we're impressed that they deviated had recently installed self-checkouts and was eager to see from the 123456 default password string. We smell a Dar- if the trick worked. Well, it did work but I found myself win Award. wanting more. In the original article the author discov- ered that a 30 cent coupon had the numbers 3030 in the Dear 2600: barcode and that by changing them to 7575 the coupon ' Hi my name is Ashmit. I guess you already know that was instantly a 75 cent coupon. The problem is that his lol. Anyways, I got your e-mail from the www.2600.com basic method is limited to a cents amount, or a maximum website. The reason I am e-mailing you is because I was of 99 cents. I wanted to make up coupons worth dollar hoping you could help me out with a little something. I amounts. After clipping every coupon out of the Sunday need to know whether you can gain access into a web ads I compared all of the $1 coupons and all of the $2 server and its databases. If you can then we are set. Basi- coupons and so forth. Well, it was very easy to figure out cally here is the deal in a nutshell. I need someone with that all of the $1 coupons had the exact same code as each the abilities to get into my school server and change a few other and all of the $2 coupons had the exact same code things. I have saved up $3500 over the past year for this as each other and so forth. I searched for the coupon with and am willing to pay it in cash, as I am from the Win- the highest value and ended up with a $7 coupon for Crest nipeg area. You do not have to worry about getting caught whitening strips. I merely wrote down the two digit code 1 because I am sure as long as you erase your traces, there used to represent $7 and applied that code to a coupon I 1 I is no way of either one of us being caught, guaranteed. I had for a box of Tide laundry detergent. I printed up the 1 8 Zb00 Magazine1 !.oupon and used it on an $8 box of Tide and sure enough "Town Hall" meeting. First is the fact that this meeting II subtracted $7 and gave me a grand total of $I. Happy was held at a private school. Why couldn't this meeting be \hopping and enjoy! held in Seattle's Town Hall? If the security of the city's Clint public buildings can't be trusted, then isn't that an impor- Let's once again make it clear what the difference is tant topic for discussion? This issue wasn't raised by hetween hacking and stealing. Discovering the vulnera- either the Seattle Times or the Post-lntelli~ences hility, figuring out the system, and testing it are examples Second, I walked into Campion Hall two days ago of hacking. But you seem to have ~~aultedover to the and picked up an eight page stack of paper lying on a desk rtealing community which really doesn't involve much in titled "Seattle Town Hall Attendees." Several copies of the way of skill and simply turns you into a dishonest per- the document were laying on the desk and had various son. And don't t~>to use the "unfair prices" logic as the names checked off, none of which were labeled as confi- people (most likely in the store) who have to cover the dif- dential, restricted, or sensitive information. Further, the ference are probably a lot more innocent than you. We copy I put in my backpack was next to a stack of only ask that you do us one favor. When you get caught brochures. I was being watched by several police officers and prosecuted, don't go telling the authorities that you and a few men in suits who I assumed to be DHS em- hacked the system. All you did was mess amund with one ployees. None of them attempted to stop me from taking part of it in a very crude manner. this list. On later review, the list is a four column table which may have been derived from the web sign-up form. Dear 2600: There are columns for First and Last Name, Occupation, We need more magazines like yours with an other- and Title. The list is sorted by last name and some of the wise unseen view on today's media community. I'm writ- fields are blank. Some of the names are in italics and they ing because I have a problem and wish to complain (not appear to he people of some import, which leads me to bout you but to you). Maybe I can get a few suggestions speculate that they would be ushered through without be- :IS well. I'm 18 and live in a residential program for "trou- ing closely questioned or searched (although I wasn't bled youths" in Massachusetts. I rarely have access to a there in time to witness the ingression). Close examina- computer with Internet capabilities and when I do it's for tion of the document reveals that Tom Ridge is not on the ;I very short period only. My main hobby is computer list. Neither is Steve Ballmer, who was in attendance ac- work and hacking. But my lack of access to a computer cording to various news sources. This gives me the im- drives me crazy. At home on the weekends my one refuge pression of a separate class of VIPs who were not was my broadband connection through (blech!) AOL no required to register and be screened by the DHS. I do not less. Now even that's been taken away and my camp time intend to publish this list of names; my point in taking a I\ more limited. School computer usage is limited in itself copy was merely to illustrate the inattention to detail and IO researching colleges on a Mac. disregard for personal privacy in the Department of I was so excited when last year the program said we'd Homeland Security. However, for purposes of verifica- cct a laptop and Internet access. I found out that our pal tion I will share this excerpt from an attendee named John Mr. Gates had fallen asleep counting his money again and who wrote in the "Occupation" field: "Please don't draft our Internet Explorer was corrupt. When I went into the me." Network Neighborhood, surprisingly to me, the installer If this is an indication of the level of privacy that the 111rMSIE was in the same folder as a directory of private Department of Homeland Security intends to provide, I 1i:ltient information - unlocked! do not support it. I notified our computer guy who handed off the info Lee Collcton III someone else who interrogated me as to my "hacking" into patient files! I had stumbled onto a directory, not Dear 2600: trpened it, and notified the admin at once that sensitive pa- This is in response to an anonymous letter in 20:4 ficnt data was unlocked. Now the admin (who's a hit of a about Department of Homeland Security regional offices l~nkererhimself) didn't have the brass to own up to his (disguising themselves as other government offices). illistake and he let me take the heat. As far as I know, DHS doesn't have many regional of- It's funny that a year Inter that same guy has given me fices and, of all government agencies, the only agency 111conly admin account to our new computer (no Internet that disguises itself as another government entity within ($1' course). this country is the CIA (it seems that CIA domestic of- Hell, I can't even pet a subscription to your mag be- fices are commonly disguised as the Secret Service). ~,:lusemy dad works with enti-terroriqm and isn't sure DHS, I believe, does not employ anyone directly outside what people would think if 2600 came to our house! of Washington. Instead, what people like to think of as C: igahy te-GRynd3R "DHS agents" are really officers of its component agen- You would think someonr involvetl with anti-terror- cies, i.e., CIA, DIA, FBI, NSA, etc. rrrn wouldn't be so eosilv scared of ~~liatpeople might Prospero rlrink of a magazine. 111 any ewnt, you have your share of prranoid, ignorant people around you who clearly are Redirecting ,rli.aicl of losing even a little control. We wish you luck. Dear 2600: Ifomeland Security I have a lot of respect for everything you have done to ensure that cyberspace remains the last enclave of free I)ear 2600: speech. I have a lot of respect for your continued fight There are two points that stand out dramatically in the with those that would like to own, control, and sell the In- I:~ceof the recent local Department of Homeland Security ternet. But you are dead wrong on the fuckgeneralmo-

Page UY' &.corn issue. I believe that no one has the right to point but my problem was when the prompt asked for the PIN\ his own DNS entry into someone else's website. Why? to be the last four digits of my Social Security number. I Let's imagine that you have a family website with your called the Tracfone people to see why. I got the line I was wife's and kids' pictures and someone registers fuckmate- expecting, telling me I had nothing to worry about, this rial.com which then points right to your website. Would has nothing to do with the government. and it's only for you like that? Would you like that fuckmaterial.com site customer service purposes. Yeah, like if Big Brother is advertised on all the available search engines? Would you your customer service rep? If the number is only for cus- like the resulting e-mail directed to your family? I do not tomer service reasons, why ask for the Social Security think so. A hyperlink from a website pointing to another numbers in the first place? website is a different story, but advertising a website that Just a little heads-up for everyone. purposely points to someone else's material, copyrighted Michael J. Ferris or not, does not seem right nor fair to me at all. Did you try simply not giving it to them? If they don't But that's me. already have it, there shouldn't even be an issue. But if Steve Duch they already have this information, the time to ol2ject What you suggest runs counter to the very,founda- would have been back when it was originally given to tions of the net andjies in the face offlee speech. No, it'.? them. Unless there's a credit check involved, you can get not very nice and yes, some people may get offended. But away with giving them a fake number: (Obviously, you it's far more qfensive to us to be told that we are not al- don't want to lose track qf the number you've given them lowed to make a statement or to be told that we cannot or things could get very complicated) From theirpoint of redirect to a site without permission. And your fictitious view, this is a better default password than 1234 since it's family scenario is easily dealt with by simply denying any almost always unique for different customers but still connections thar originate with the offending site. easy to rememher: But if they're suggesting that everyone use the last four digits of their Social Securi? number as Observations their normal PIN, that'k a very had idea,for obvious rea- sons. Dear 2600: Dear 2600: I just watched the documentary called Freedom Downtime and was blown away that the government of Stephen recently noted (21: I) that US soldiers are "to be in the mindset of being deployed at all times, be it at the United States was able to break its own laws and not home or abroad" and that reminded me of something be brought to justice. You've probably heard this over and from Aldous Huxley's Brave New World Revisited, end of over again for the last five years plus, but it's new to me, the first chapter: and I just wanted to let you know there are still eyes being "But liberty as we all know, cannot ,flourish in a opened. country thar is permanerztly on a war footing, or even a Mugulord near war footing. Permanent crisis justifies permanent Thanks for the feedback. Be sure to check ortt the control of everything and everybody by the agencies of DVD,for even more eye opening material. the central government. " Dear 2600: Given current polling data, this war on a noun (terror) I have a Nokia 3390 with T-Mobile as provider. When seems to me to be an awfully effective way of justifying I put my phone in silent mode and vibrate alert is off, if permanent control without the messiness that was the someone calls me from a land line I can hear them talking Florida recount of 2000. 1 wonder if Congress and the before I an.vwer the call through the earpiece on the States will repeal the 22nd Amendment so Bush can run phone! I discovered this recently when I had my phone for a third time in 2008. Or will they save everyone the set to silent mode and vibrate alert off. I heard my friend's trouble and just make George first king of the new United voice saying "pick up the phone, pick up the phone!" and Kingdom OF America? my phone was displaying "incoming call" before I even Michael hit the send key to answer. The sound is not as loud as it is Let'.? not get ahead of orrrselves. 2004 isn't over yet. in a normal conversation, but still this is very interesting. Dear 2600: If someone calls me from a cell phone this does not seem I just came across this article with the following to work, only from a land line phone. I am not sure how quote from John Kerry: "Have you had a beer with me this happens but consider it deserving of more research. yet? I like to have fun as much as the next person, and go Pablo out and hack around and have a good time." It made me We've gone nuf.7 trying to test this out. although not wonder if Kerry is a hacker in disguise. Maybe being a on your specific model. So,far no luck. But it'.? not thefirst Massachusetts senator (home of MIT) did him some time we've heard of similar occurrences. No doubt our good. readers will have more to say on this. autocode That was actually a coded message. We demanded Dear 2600: that he use the word "hack" in a public statement as a I am a Tracfone user and have been for some time gesture of good will toward.^ the disenfrancliiserl hacker now. Overall I have been pleased with the service I have electorate. Bush has yet to respond to our demands. But been getting. However, as I was trying to add minutes re- we probably shoztlrln't be telling you this. cently, I noticed something sinister. I went through the usual automated menu nonsense, but when I got to the Dear 2600: part where I was prompted to add my minutes, I was In response to ieMpleH's letter in 21 :1, "Using a pub- asked to make up a PIN. This has never happened before lic form on a website [to broadcast vulgarity] hardly L Lems like 'hacking' to me" either. It was just a lame, ju- lege admins know this sensitive info is available to any venile prank that screwed up a free and potentially useful psycho with an Internet connection. \crvice. This sort of behavior is, by ieMpIeHts own defin- Second, I have recently discovered Live Unix CDs. tio on, not hacking, and not even security-related (as there They are full distributions of Unix that boot and run the was no security to defeat), and therefore out of the scope entire operating system off of the CD. The benefit (which and below the quality level (in my opinion) of this maga- I am still exploring) is that you can pop in the CD on a /ine. I would ask ieMpleH and others to focus their time, computer that requires usemame/pw login (i.e., campus talents, and energy on more productive works. computers) and reboot, set the BlOS to boot from CD, Bryan run Unix off the CD, and have complete use of the com- Isn't this exactly what the writer already said? Why i.s puter! When you are done, just reboot because everything it necessary to lecture someone who already agrees with was done in memory and there's no trace you were there! yu? Just don't forget to grab your CD before you leave. Check out Knoppix, PCLinuxOS, SLAX, or PHLAK which Dear 2600: have extra goodies. I have just read most of what happened at Pentagon Keep up the tight for our freedoms. It is from reading Mall with the Secret Service. In Arlington this is nothing new. I have lived here for all my life and have been ar- your great publication that I became active with EFF. cycoanalytikal rested for erroneous behavior like "Obstruction of Jus- tice" wile trying to walk away from an Arlington County Dear 2600: police officer who was harassing me in a movie line at I found Spua7's letter in 20:3 about the FBI's presen- Ballston Common Mall (also in Arlington). tations in Phoenix interesting since I also saw a similar The clandestine actions of watching young tech presentation several months ago (set up by my employer). savvy adults and teens by the FBI, the Secret Service, and I disagree, however, with Spua7's assessment that the pre- mall police is really a waste of time and money. If they sentation lacked "actual real knowledge" or that it was all want to know what is going on at our plrhlic meetings about a repressed fear of lack of control. In fact, I would then let's invite them to sit down and listen with us. We argue quite the opposite - for what is truly going on here have nothing to hide and we are definitely not terrorists. is a total hijacking of the hacker ethic by the authority Furthermore, what in the heck were you guys doing that formerly sought to suppress it. While I found it rather with contraband in your pockets at a meeting? A meeting amusing (on the surface) that the FBI focused heavily on that you know is not favored by the government? Come 2600, the most chilling aspect of the whole thing was the on guy$ and girls, this is not good. We have to give them overall message to my employer: when it comes to cyber- no open reason to want to search us. Next time, please he crime, the FBI can't help you. more careful of what is in your pockets. We don't want The FBI agent doing the presentation made the point someone to find a dub bag and have everyone get charged that security starts on every desktop. 2600 has been say- with dealing pot, do we? Like I said, let's invitc a memher ing this for years, has it not? Now it seems your message of the Secret Service or the FBI (tech savvy only) to sit in has finally gotten through to the FBI. According to this on one or two meetings so they can see that we are merely ~r~tellectualswho enjoy solving prohlems and finding presentation, the FBI's strategy to fight cybercrime is problems to solve. something called "information sharing." They have set up DRAHZ a network of organizations intended to work together, Our meetings are alwavs open to tlrp prrhlic (rnd that sharing knowledge of security flaws and weaknesses. The ittc1ude.s people who are part of lo,^. etr~rcemenr.We whole idea revolves around prevention and enabling cor- rlon't spec;ficnlly in~litepeople,froni crtir. o~:catti:otion.As porations and those "at risk" to take their fate into their li~rtkr ,fenrs of the meeting atteri(lr~(~shark it1 1992, we own hands - to arm themselves with knowledge. And yet, certainly cnn't,forrltpeoplc ~,howr>rr wr~rried ahotrr how hasn't that been the point of 2600 from the beginning? r.fjrtoin things ir>rrlrlhc tr.scrl ognittst fltt~m.II'.~ ctctrtal1.v a Simon Shadow IY,~rare thir1.q h>,/illr/pcr~l7/(,II.II~I It,nr, ol~.solutel~no,fear Dear 2600: when ,facing sru.11 n /r~rttti~l(rl~lr~tul~~cr:vrrt:v, doubly so I would like to address two letters that appeared in n,hen you inject con(.(,nrr,rlprtrr,rrfs itrfo tlrc, eqrtatinn. 20:4. One reader was bothered by the use of the color Dear 2600: black being associated with evil or bad. He also stated First, I found a VolP progr;ltn called Skype. Excellent that white people commit most of the crimes. The facts \ound quality for frcc long tli.;t;~ncecnlls. After doing a support him only if he's talking about white collar crime. qearch (specifying ngc1st.x). I fount1 n few people online Perhaps in fairness he'll work to change the phrase "white who were using thcir rcnl names as usernames, first and collar" as part of his crusade as well. Another reader wor- Inst! So I started chatting to one girl and mentioned I was ries about the government knowing they subscribe to in college. She respontlctl. "My brothers are in college" 2600. If you think the feds find you interesting, how and when I asked where, she told me. So I googled the about subscribing to the Washington Report On Middle \chool name, found the college's site, ran a search for her East Affairs (pro-Palestinian) or Small Arms Review (ma- last name (which wasn't a common name), and found chine guns and silencers). Visitors to Barnes and Noble both brothers with info they probably didn't know was really need to check out the complete library. Well, I have public: name, phone number, major, academic year, home to go now. I think I see the Homeland Security Prize Pa- (iddress! So I asked her if she lived at that address and of trol van pulling up out front. Mayhe I'll be in their next course she flipped out. The lesson here: Don't ever use commercial! , your full name as a usemame and be sure to let the col- Greg Gowen

Page 51' by MobiusRenoire right-click. The listing wi!l scro .xtensively The following is a presentation of a very if it's a decently-sir&! webt~c,so you useful network utility. Some call it the Swiss should redirect output from netcat to an Army knife of network utilities. With it you ASCII file. Now you have a copy of the web- can connect to a port on a server, listen on a page's source. Big deal, right? It gets a little port on your local machine, set up a backdoor more interesting. on a machine, or port scan someone's box.. The typical request is formatted "GET / The uses of these and other features will be HTTPlI.0". The slash is, of course, the root made clear shortly. Standard disclaimer: This directory wherever you connected, where the article is knowledge and is therefore inher- index page will be returned if you didn't spec- ently neither good nor evil; only what you do ify otherwise. You can change this using ei- with it decides that. I cannot and will not be ther absolute or relative URLs with usually held responsible. That said, let's move on. the same results. Absolute references will The first thing that I did with Netcat was typically work with the most accuracy. This to connect to a server. The typical command is the typical request that your browser sends line options I use are "nc -v -v when it connects to a web server but without :", where is the num- b...5s /her of characters submitted by the form. This mails you currently have as well as thei; is important, because you're going to copy sizes. Use "retr " to get the this information in a text editor in order to email. have some fun with it. SMTP (port 25) is similar, and for You can alter the information that it was brevity's sake, it's up to you to discover syn- going to post, as long as you change the con- tax. I will tell you that to send e-mail to a do- tent-length field above to reflect your changes. You can delete some of the other main outside of your business or school, you fields as well, but depending on where it's go- will probably have to login using an encryp- ing to be posted, you may need to keep those tion method of sorts. You can make your fields the same as when you received the POP3 client connect to localhost and let net- form. cat listen on port 25 to get the login syntax if After editing the form-submittal to your you must (this is also a good way to spoof the taste, start up netcat again, but this time use it From: address in an e-mail). to connect to the server from where you got Netcat can do numerous more things. The your form data. This time, instead of doing a things that I have listed can help you if you GET request, you replace GET with POST. need to check on what data one of your forms The full command will basically be "POST http://www.google.corn/search HTTP/l .OM or is sending, allowing you into your e-mail ac- something similar. This does the same thing count when the webclient or your POP3 as pressing the button on the original website, client is not working, and getting the source but this time you get to decide what gets sent. to pesky websites. Think your network's You can either retype the form data that you safe? You can also port scan it with Netcat to just got or put the POST command at the top ensure yourself that unnecessary ports are of the text file you created and use >out.txt to blocked. On the flip side, Netcat can be used use the file for input. Make sure there are a to port scan computers andlor networks to couple of lines after the POST command or it find vulnerabilities and it can be set up to be a won't send. nasty backdoor into a computer using the An important note: there is usually a refer- rer field in the HTTP header that should prob- right command-line switches (see documen- ably not get changed. If whatever you're tation). Now, this backdoor can either hurt or submitting to a script that checks the referrer help you. There are many PERL scripts in- and requires that the referrer he :I certain page cluded with some versions that will allow the (so people can't post from their own web- computer running Netcat to act as a proxy or sites), then it needs to be what it was when even an IRC server. Or... you could run Net- you got it. cat so that you can log in to your or someone That's not a big deal of course, but it is a else's computer and have cmd.exe run as vital exploration of the protocol that defines soon as you connect. how a server sends wehpages and a browser In sum, get to know Netcat as well as requests and scnds data. It is definitely rec- many of the other great utilities out there. ommended that you rci~tlLIP on some of the syntax of HTTP protocol. as well as POP3 Learn the protocols and intricacies that allow and SMTP, which wc'll he looking at shortly. the Internet to run and never quit asking Netcat is great for exploration, but it can questions. also serve practical uses such as checking Additional Information your POP3 (port 110) e-mail. If you go to a Netcat was originally written by *Hobbit* college like mine where connecting to your e- for *nix and was ported over to NT by Weld mail account requires no encryption, then Pond. More information can be found in var- you can simply connect to their POP3 server ious places on the web, as well as the readme and, with the right syntax, login. Typical lo- file included in most zip files. Use this pow- gin looks like this: login erful tool to learn and to educate others. pass For more information on HTTP, POP3 To check for e-mail, supply the word "list" and SMTP, read RFCs 1521, 1225, and 822 on a new line. It will return the number of e- respectively.

Page 531 The Lantronix SCS lb20: ~n ~n~ublicized~oId Mi

by JK out of the box, don't just plug Ir Inlo llie nct- This article is a simple no-nonsense run- work and be glad it works. Configure ~t (type down of the defaults and specifications of the "setup")! If properly configured however, the Lantronix SCS 1620. It is used all over the SCS 1620 offers excellent security and incred- place, inchding one of the nation's biggest ible functionality. chains of banks, as well as in several universi- If you happen to be inside one of these ties. It is surprisingly common to come across boxes for whatever reason, here is a list of systems that have been put on a network (espe- commands to try out (the obvious ones have no cially headless ones) and not configured at all. explanation, just google it!). Hopefully administrators who use these de- adduser vices will realize that with the publicly avail- alias able information below, their network could be cat penetrated easily, and subsequently computers clear that hold important financial information could deluser be compromised. No one wants to see their direct - direct mode on (for device bank account emptied as a result of negligent communication) administration. dtedce - configure device port type The SCS 1620 from Lantronix is a very editbrk - edit user "send break" sequence cool device. It has 16 RS-232 serial ports on editdev - edit device settings the back so you can control devices (primarily edltesc - edit escape sequence computers) with ease. Beyond that, it is a pizza edituser - edit user settings box shaped RedHat Linux box with a 128 mb exit - deselect a port memory card, a two row LCD on the front, an help - show help optional modem module for dialup access, a info - show system information 101100 ethemet port to put it on the network, a less terminal interface direct COMM access, and a listdev - list device names PCU8 port to connect to the Lantronix PCU8 listen - listen on a port power manager. listusers The default banner is simply "SCS 1620". logout The default communication parameters for man the terminal and device ports are as follows: passwd 9600 baud, 8 data bits, 1 stop parity, No parity, powerof f XontXoff flow control, port type of DCE. The reboot modem port's default parameters for the mo- SAVE - save programming changes select - select a port dem port are the same, except with a baud rate scp - secure copy of 38400 and RTSICTS flow control. The setup - use to initially configure power manager port (PCU8) has the same de- the SCS 1620 faults as the terminal and device ports, except sftp

the port type is DTE. The device and PCU8 ssh--- ports can be configured for baud rates of 2400- ssh keygen 11 5.2k baud, and as DTE or DCE. telnet By default, the only user that can log in is timeout - set timeout timers "sysadmin" (default password "PASS"). Once version - show version info inside, you can change various settings or go install-modem into what they call root mode (simply a shell) Remember, there is nothing wrong with ex- by typing bash. From there you can SU and the ploration. Don't abuse your situation and give default password is "root". As sysadmin or us hackers a bad name, but don't be afraid to root, you can write per1 scripts. look around some computer systems. So admins, when you take the SCS 1620 Shout Outs: DS, SW JCH, HJ, AP, LB, etc. i

I Happenings through the front door. Be secure. Learn the secrets and weakness oito- day's Locks. Ifyou want to get where you are not supposed to be, this book could be your answer. Explore the empowering world of lock pick- BRrmEY SPEARS CAN'T CODE DEMOS INUTAH... so we have to ask for your ing. Send twenty bucks to Standard Publications, PO Box 2226HQ. help! Don't Let us down, at the front-running American Demoparty: Pil- Champaign, IL 61825 or visit us at www.standardpublications.com/ grimage 2004. Come and compete with other programmers for prizes and accolades in beautiful Salt Lake City Utah. If coding isn't your thing. bdirect/2600.html for your 2600 reader price discount. come for the visual fireworks and the hard-driving bass. Held over the CABLETV DESCRAMBLERS. New. (2) Each $74 + $5.00 shipping, money or- weekend of September 17-18. Check out the facts, the stats, the rules, derjcash only. Works on analog or analogjdigital cable systems. Premium , and the fools at http://pilgrimage.scene.org/. Now in our second year: channels and possibly PW depending on system. Complete with llOvac oops, we did it again! power supply. Purchaser assumes sole responsibilityfor notifying cable operator of use of descrambler. Requires a cable TV converter (i.e., Radio For Sale Shack) to be used with the unit. Cable connects to the converter, then the descrambler, then the output goes to TV set tuned to channel 3. CD FREEDOM OOWNTIMEON DVD! Years in the making but we hope it was 9621 Olive, Box 28992-TS, Olivettet Sur. Missouri 63132. Email: worth the wait. A double DVD set that includes the two hour documen- [email protected]. tary, an in-depth interview with Kevin Mitnick, and nearly three hours of HOW TO BEANONYMDUSON THEINTERNET Easy to follow lessons on extra scenes, Lost footage, and miscellaneous stuff. Plus captioning for achieving Internet anonymity, privacy, and security. The book's 20 chap- 20 (that's right, 20) languages. commentary track, and a lot ofthings ters cover 1) simple proxy use for WWW: 2) how to send and receive e you'lljust have to find for yourself! The entire two disc set can be had by mail anonymously: 3) use SOCKS proxies for IRC, ICO, NNTP, SMTP, HTTP; sending $30 to Freedom Downtime DVD, PO Box 752, Middle Island, NY 4) web based proxies - JAP, Multiproxy. Crowds: 5) do-it-yourself proxies 11953 USA or by ordering from our online store at - AnalogX, Wingates: 6) read and post in newsgroups (Usenet) in com- http://store.2600.com. (VHS copies of the film still available for $15.) plete privacy; 7) for pay proxies. Learn how to hunt for, find, and utilize HACKER T-SHIRTS AND !TICKERS at JinxGear.com. Stop running around alltypes of proxies, clean up your browsers, clean up your whole Win- naked! We've got new swagalicious t-shirts, stickers, and miscellaneous dows OS. This professionally written but non-technicaljargon filled book contraband coming out monthly including your classic hacker/geek de- is geared towards the beginner to advanced readers and the average In- signs, hot-short panties, dog shirts, and a whole mess of kickass stickers. ternet user. The book Lessons are on a CD in easy to read HTMLinterface We also have LAN party Listings, hacker conference Listings, message fo- format with numerous illustrations throughout. Send $20 (I'll pay S/H) rums, a photo gallery, and monthly contests. Hell, don't even buy. just to Plamen Petkov, 1390 E Vegas Valley Dr. #40, Las Vegas, NV 89109. sign on the ma~linglist and have a chance to win free stuff. Or follow the Money orders, personal checks, cash accepted. easy instructions to get a free sticker. Get it all at www.JinxGear.com! THEIBM-PC UNDERGROUND ON DVD. Topping off at a fu114.2 gigabytes, HACKER LOGO T-SHIRTS AND !TICKERS. Show your affiliation with the ACiD presents the first DVD-ROM compilation for the IBM-PC underground hacker community. Get t-shirts and stickers emblazoned with the Hacker scene entitled "Dark Domain." Inside is an expansive trove of files dating Logo at HackerLogo.com. Our Hacker Logo t-shirts are high quality Hanes as far back as 1987 up to the close of 2003; from artpacks to loaders and I Beefy-Ts that willvisibly associate you as a member of the hacker culture. cracktros to magazines, plus all the necessary programs for browsing Our stickers are black print on sturdy white vinyl, and work well on note- them. If you ever wanted to see a lost JED ANSImation display at 2400 books, laptops, bumpers, lockers, etc. to identify you as a member of the baud, here's your chance. For order details and more information please hacker community. Find them at HackerLogo.com. consult http://w.darkdomain.org/. PHRAINE. Technology information without the noise. A new electronic AFFORDABLE AND RELIABLE UNUX HOSIING. Kaleton Internet provides quarterly written with first generation hacker curiosity, ethics, and tech- affordable web hosting based on Linux servers. Our hosting plans start nical ability in mind. Order vour copy online for a minimal price @ from only $4.95 per month. This includes support for Python, Perl, PHP, http:l/pearlyfreepress.madosn~.com/pnraine. I MySQL, and more. Privacy is guaranteed and you can pay by E-Gold, pay- THE PREPARATORY MANUAL OF NARCOTICS. A~rnorJared B. Leoaaro pal, or credit card. http://www.kaleton.com shows us how to prepare and handle numerous controlled substances of DRIVER'S UCENSE BAR-BOOK and "fake" ID templates. Includes photos, an intoxicating nature. Written in plain English, this manualis simple templates, and information on all security features of every single Ameri- enough for the common man to comprehend yet advanced enough to can and Canadian drivers' licenses. Including information on making hold the attention of even the most accomplished chemist. All of our ti- "fake" ID'S on PVC cards, laminating, making holograms, magnetic tles are perfect bound and printed on acid-free, high quality paper that is stripes, software, and more to make your very own License! Send $25 25% recycled, 10% of which is post consumer content. Visa. Mastercard, cash in US funds or an international money order in US funds made out American Express, Discover, JCB, and old fashioned checks and money to R.J. Orr and mailed to Driver's Bar Book, PO Box 2306. Station Main, orders are welcomed. Due to much fraud, we no Longer accept eChecks. Winnipeg, Manitoba, R3C 4A6, Canada. Order now and get FREE laminates No orders by telephone, please. Customer setvice and product informa- with every order! We ship worldwide free! tion: 800-681-8995 or 614-275-6490. We ship worldwide - and we now ONLINE RETAILER OF COMPUTER PRODUClS is also a 2600 subscriber! offer FREE shipping to hell! PHONE HOME. Tiny, sub-miniature, 7/10 ounce, programmable/repro- 60.000 different computer products from components to complete sys- grammable touch-tone, multi-frequency (DTMF) dialer which can store up tems, laptops, PDAs, cables, RAM, and media all available online at to 15 touch-tone digits. Unit is held against the telephone receiver's mi- http://www.digitaleverything.ca. Worldwide shipping is no problem. Just crophone for dialing. Press "HOME" to automatically dial the stored digits mention you are a subscriber and I'LL give you better prices too. Contact which can then be heard through the ultra miniature speaker. Ideal for Dave at [email protected] for more info. E.T.'s, children, Alzheimer victims, lost dogs/chimps, significant others, WIRELESS SECURTIY PERSPECTIVES. Monthly, commercial-grade informa- hackers, and computer wizards. Give one to a boyjgirl friend or to that tion on wireless security. Learn how to protect your cellular, PCS, 3G. potential "someone" you meet at a party, the supermarket, school, or the Bluetooth, or WiFi system from 2600 readers. Subscriptions start at $350 mall; with your pre-programmed telephone number, he/she willalways per year. Check us out at http://cnp-wireless.com/wsp.html. be able to call you! Also, idealif you don't want to "disclose" your tele- REAL WORLD HACUNG: Interested in rooftops, steam tunnels, and the phone number but want someone to be able to call you locally or long Like? For a copy of Infiltration, the zine about going places you're not distance by telephone. Key ring/clip. Limited quantity available. Money supposed to go, send $3 cash to PO Box 13, Station E, Toronto, ON M6H order only. $24.95 + $3.00 S/H. Mail order to: PHONE HOME. Nimrod Di- 4E1, Canada. vision, 331 N. New Ballas Road, Box 410802, CRC. Missouri 63141. TAPflPLThe original phreaking and hacking zines! All original back is- LEARN LOCK PICKTNG It's EASY with our book. Our 2nd edition adds lots sues on CD-ROM. Only $5 including postage! Write for a free catalog of more interesting material and illustrations. Learn what they don't want the best underground CD-ROMs! Whirlwind, Box 8619, Victoria BC. V8W you to know. Any security system can be beaten, many times right 352, Canada. I helo Warned Announcements

GOOD COMMUNICATORS NEEDED to promote revolutionary sender-pays DFFTHE HOOK is the *eekly one hour hacker radio show presented rpam elimination infrastructure. E-mail [email protected] with Wednerdav niahts- at 200 om '3 on WBAI 99.5 FM in New York CIN. YOJ "2600 marketplace" inyour message. Lifetime residual earnings can also tune in over the net at ww.2600.com/offthehook or on-short- potential. wavein North and South America at 7415 khz. Archives of all shows dat- CREDIT REWRT HELP NEEDED. Need some assistance removing negative ing back to 1988 can be found at the 2600 site, now in mp3 format! items off credit reports. Will pay. All agencies. Please respond to Shows from 1988-2003 are now available in DVD-R format for $30! Send [email protected]. check or money order to 2600, PO Box 752. Middle Island, NY 11953 USA HIRING PROFESSIONALINTERNET CONSULTANTS with job references only or order throuah our online store at htto://store.2600.com.. ., Your feed- back on the program is always welcome at [email protected]. for the following: website security, performance tuning, and markefing CHRISTIAN HACKERS' ASSOCIATION: Check out the webpage for online magazine. Please send your bio and resume to: http://www.christianhacker.org for details. We exist to promote a com- [email protected] you can work from home, but should livein munityfor Christian hackers to discuss and impact the realm where faith (or around) NYC, as you will need to attend a meeting or two. and technology intersect for the purpose of seeing lives changed by God's grace through faith in Jesus. Wanted HACKERSHOMEPAGE.COM. Your source for keyboard logqers, gambling - ~ deuice5, maqnprlr srnpe reaoer/writers, venaing machlne defeaters, IFYDU DON'T WANT SOMETHING TO BETRUE, does that make it propa- satel Ire TV ea..ioment. locroicks, etc... (4071 650-2830. qanda? Whpn wp'rr children and we don't want to listen. we put our VMYTHS.COM AUDIO RANTS are available kee bf charge to computer talk hand\ over our rarr. As we qrow up, we create new ways to ignore things shows. These short and often hilarious MP3s dispel the hysteria that we rlnn't want to h~ar.We make excuses. We Look the other way. We label surrounds computer security. One former White House computer security thinqs "propaqanda" or "scare tactics." But it doesn't work. It doesn't advisor hates these rants (and we don't make this claim lightly). Check make the truth go away. Government and corporate MIND CONTROL PRO- out Vmyths.corn/news.dm for details. GRAMS are used to intimidate, torture, and murder people globally. It HACKERMIND: Dedicated to bringing you the opinions of those in the may not be what you want to hear. But that doesn't make it any less true. hacker world, and home of the enne Frequency. Visit Pleasevisit and support John Gregory Lambros by distributing this ad to www.hackrrmind.net for details. free classified advertising sites and newsgroups globally. DO YOU WANT ANOTHER PRINTED MAGAZINE that complements 2600 with w.brazilboycott.org THANK YOU! even more hacking information? Binary Revolutionis a magazine from HAVE KNOWLEDGE OF SECUWPl BREACHES at your bank? Heard rumors of the Digital Dawg Pound about hacking and technology. Specifically, we cracked customer databases? Know there are unaddressed vulnerabilities look at underground topics of technology including: Hacking, Phreaking, In a retailer's credit card network, but its management doesn't know or Security, Urban Exploration, Digital Rights, and more. For more informa- care? We want your tips. We are a business newsletter focusing on secu- tion, or to order your printed copy online, visit us at rity issues in the financial industry: ITsecurity, privacy, regulatory com- http://www.binrev.com/ where you will also find instructions on mail pliance, identity-theft and fraud, money-laundering. Wherever criminal orders. Welcome to the revolution! activity meets banks, we are there. You can remain anonymous. (Note: we will not print rumors circulated by one person or group without ohta~ning Personals supporting evidence or corroboration from other parties.) Contact PRISON mLLSUCKS! Also known as Alphabits, busted for hacking a few [email protected] or call 212-564-8972, ext. 302. banks, stuck in this hell for another two years. I'm going nuts without BWING BOOKS AND MORE. Man interested in books related to hacking. any mental stimulation. Iwelcome letters from anyone and will reply to security, phreakinq, programming, and more. Willinq to purchase reason- all! Help me out, put pen to paper. Jeremy Cushing #551130, Centinela able books/offers. Ido search Google! No rip-offs please. Contact me at State Prison, P.O. Box 911. Imperial, CA 92251-0911. [email protected]. RESOURCE MAN recommends for your hacking delight to write: Loompan- FREE SOFWARE DISTRIBUTION. Ihave a website (www.eloder.com, come ics Unlimited, P.O. Box 1197, Port Townsend, WA 98368: check it out!) that has a fair amount of traffic. Mostly for debian and www.loompanics.com for books on hacking. Ask for their catalog. As for redhat cds. Iam Looking for hackers who have made their own interesting me, I am currently learning QBasic. Please send me hardcopy of any programs and wish to share. Ifyou have some really interesting apps, I graphical, animated, or game programs. Thank you. Daniel Sigsworth can give you (for free!) a page or a sub domain. Iam Looking to assist #1062882, P.O. Box 20000, Wallace Unit, Colorado City, TX 79512-2000. the open source movement and the hacker community. You can email me IAM A 22 YEAR OLD KNOWLEDGE SEEKER that has been incarcerated for at [email protected]. Please place "download"in the subject heading. the past 2 years and have 2 years to go until my release. Iam looking for All interesting ideas welcome. Eric Loder. anyone who has the time to teach or print tutorials for me to learn from. NEED DIAL UP HACKING INFO (steps involved, current dial ups, etc.) Also Iam interested in any field such as phreaking, cracking, programming Looking for places on the Internet where Ican get unlisted phone OpenBSD, or anything else to keep my mind on the right track while Ido numbers for free. Please contact me at [email protected]. my segregation time. Ialso would enjoy some penpals ifanyone has time. Iwill answer ALL letters promptly. If interested please write me at: Joshua Steelsmith #113667, WVCF-IDOC, P.O. Box 1111, Carlisle, IN 47838. WHY PAY HUNDREDS OF DOLLARS FOR SSL CERIS? CAcert.org, a nonprofit, STORMBRINGER'S 411: My Habeas Corpus (2255) was just denied so I'm in community-based Certificate Authority offers the same 128-bit digital for the 262 month long haul. Am trying to get back in contact with the certificate-based security for exactly $0.00. Compare that with the prices D.C. crew, Roadie, Joe630, Alby, Protozoa, Dphie, Professor, Dr. Freeze, of industry leaders like Thawte and Verisiqn! Support the next open Mudge, VaxBuster, Panzer, and whoever else wants to write. P.T. Barnum, source revolution and come download X.509 certificates (both personal Ilost your 411. Wireless, ham, data over radio is my bag. Write: William certs for e-mail encryption AND server-side certs for SSL) for free at K. Smith, 44684.083. FCI Cumberland Unit A-1, PO Box 1000, Cumberland, MD 21501 (web: www.stormbringer.tv). www.cacert.org. No tricks, no hidden agenda ...we're here to serve the Internet community. (Of course, feel free to click on our "donate" Link if ONLY SUBSCRIBERS CAN ADVERlISE IN 26W! Don't even think about try- you want to help!) Just as you'd never consider paying $35 for domain ing to take out an ad unless you subscribe! All ads are free and there is registration again, soon you'll laugh at the prices closed-source, no amount of money we will accept for a non-subscriber ad. We hope commerna. prondprs arp rnarglng today as WPI \*ww.cacert.org . that's clear. Of course, we reserve the right to pass judgment on your ad INTELLIGENT HACKERS UHM SHELL Reverse.het is owned and operated and not print it if it's amazingly stupid or has nothing at all to do with by Intelligent Hackers. We believe every user has the right to online se- the hacker world. We make no guarantee as to the honesty, righteous- curity and privacy. Intoday's hostile anti-hacker atmosphere, intelligent ness, sanity, etc. of the people advertising here. Contact them at your hackers require the need for a secure place to work, without Big Brother peril. All submissions are for ONE ISSUE ONLY! Ifyou want to run your ad looking over their shoulder. Hosted at Equinox Chicago. Juniper filtered more than once you must resubmit it each time. Don't expect us to run DoS protection with multiple FreeBSD servers @ P4 2.4 ghz with com- more than one ad for you in a rinqle issue either. Include your address plete online "privacy." Compile your favorite security tools, use ssh, stun- label or a photocopy so we know ynu're a suh5criber. Send your ad to nel, irc, nmap, etc. Affordable pricing from $lO/month, with a 14 day 2600 Marketplace, PO Box 99. Mirldl~Irland. NY 11953. Deadline for money back guarantee. http://ww.reverse.net/ Autumn issue: 9/1/04. FPANCE m'mict of Columbia New York Avignon: Bottom of Rue de la Re- Arlingtow"Pentagon City Mallin the NmYork: C~hgroupCenter. ~n the pubiique in front of the fountain with food court. 6 pm. lobby. near the payphones. 153 E53rd AUmcpxU the flowen. 7 pm. flo* - ' St., between Lanngton & 3rd AdeWe: At the payphones near the Grenoble: Eve, campus ofjt. Martin Ft Lauderdale: Broward Mallin the No& Carolina Academy Clnerna oil Pulteney St. 8 pm d'Here5. foad court. 6 pm. Charlath: South Park Mall foad caurt Bnsbane: Hungry Jacks on the Ween Paris: Place de la Republique, nearthe Gainesvile: In the back dthe IJnlver- Greensboro: Bear Rock Cafe Fnendly St Mali (RHS, apposlte Info 800th) 7 (empty) fountain. 6 pm. slty of Florida's Re& Union Food court. Shopp~ngCenter 6 pm r ,. Rennes: In front of the store "Blue 6 pm. Ralelqh Crahtree Vallev Mall food Canbem: KC'SVirtual Reality Cafe, 11 Box" close to the place of the Republic. Orlando: Fashion Square Mall Food co.~~f.-, I of the VrDonalo<. East RW, Civic. 7 pm. 7 om. Court between Hovan Gourmet and 7Hlmmgton: lnoepenornce Mall fooo I Melbourne: Melbourne Central Shop- GREECE Manchu Wok. 6 pm. C0"lt ping Centre at the Swanston Street en- Atfrens: Outside the bookstore Pa- Georgia Ohio trance near the pubLic phones. paswtiriou on the corner of Patision Atlank Lenox Mall food court. 7 pm. Akron: Arabica on W. Market Street, in- Perth: The Merchant Tea and Coffee and Stournari. 7 pm. Hawaii tersection of Hawkins. W. Market, and House, 183 Murray St. 6 pm. IREIAND Honolulu: Coffee Talk Cafe. 3601 Wa- Exchange. Svdnw The Crvstal Palace. front ialae Ave. Payphone: (808) 732-9184. .. 2 Dublin: At the phone booths on Wick- Cleveland: University Circle Arabica, bdr nlrtro. opposite tne b~srtanon low Street beside Tower Records. 7 pm. 6 pm. ll300 Juniper Rd. Upstairs, turn right, area on George Strrer a1 Cenrra Sta- IlALY Idaho second room on Left. tion. 6 pm. Milan: Piazza Loreto in front of McDon- Boise: BSU Student Union Building, Columbus: Convention Center (down- AUSlRU alds. upstairs from the main entrance. Ulr town), south (hotel) half, carpeted I Cafe HaCstelle on Jakomini- JAPAN Pavohones: (2081 342-9700. 9701. payphone area, near restrooms, north plah. ~dhtello:~d~~eg; Market. 604 South TohLinux Cafe in Akihabara district. of food court. 7 pm. BRAZIL 8th Street. 6 pm. Dayton: Atthe Marions behind the Belo Horimnte: Pelego's Bar at As- Illinois NEW ZEALAND Dayton Mall. sufeng, near the payphone. 6 pm. Chimgo: Union Station in the Great Auckland: London Bar, upstairs, OMahoma CANADA Wellesley St., Auckland Central. 530 Hall near the payphones. Albertl Indiana Oklahoma C% The Magic Lampin the pm. Lakes~deShopping Center near the cor- Calgary: Eau Claire Market food court Christchurch: Java Cafe. corner of High Evansville: Barnes and Noble cafe at by the bland yellow wall (formerly the 624 S Green River Rd. ner of N. May Ave. and NW 73rd St. St. and Manchester St. 6 pm. Tub: Woodland Hills Mall food court. "milk wall"). Wellington: Load Cafe in Cuba Mall. 6 R Wayne: Glenbrook Mall food court British Columbia in front of Sbarro's. 6 pm. Oregon vm. Portland: Backspace Cafe, 115 NW 5th Nanaimo: Tim Horton's at Comox & NORWAY Indianapolis: Borders Books on the Wallace. corner of Meridian and Washington. Ave. 6 pm. Oslo: Oslo SentralTrain Station. 7 pm. Pennsylvania Vancower: Pacific Centre Food Fair, Tmmsoe: The upper floor at Blaa Rock Soutfr Bend (Mishawaka): Barnes and one level down from street level by Noble cafe, 4601 Grape Rd. A~~.Panera Bread on Route 145 Cafe. 6 pm. (Whitehall). 6 pm. payphones. 4 pm to 9 pm. Trondheim: Rick's Cafe in Nordregate. 6 Iowa Victoria: Eaton Center food court by Ams: Santa Fe Espresso. 116 Welch Philadelphia: 30th Street Station. A&W. pm. AVP under Stairwell 7 sign. SCMLAND Kansas Pittsburah: W~lliamPitt Union buildina Manitoba Glasgow: Central Station, payphones Winnipeg: Garden City Shopping Cen- Kansas City (Overland Park): Oak Park on the Univerr~tyof Pittsburgh campus next to Platform 1. 7 pm. ter, Center Food Court adjacent to the Mail food court. by the B~gelowBoulevard entrance. SLOVAKIA Louisiana South Carolina A & W restaurant. Bratish at POIUSC~ty Center in the New Brunswick Baton Rouge: In the LSU Union Build- Charleston: Northwoods Mallin the food court (opposite slde of the esca- Moncton: Ground Zero Networks Inter- ing, between the Tiger Pause & McDon- hall between Sears and Chik-Fil-A. lators). 8 om. net Cafe, 720 Main St. 7 pm. ald's, next to the payphones. South Dakota ~rerk~it;: Kelt Pub. 6 pm. Ontario New Orleans: La Fee Verte. 620 Conti Sioux Fak Empire Mall, by Burger SOUTH AFRICA Bsrrie: William's Coffee Pub, 505 Bryne Street. 6 pm. King. Johannsburq (Sandton Citv): Sandton Drive. 7 pm. Maine Tennessee food court. 630 pm. -. Guelph: William's Coffee Pub. 429 Edin- Portland: Maine Mali by the bench at Knonille: Borders Books Cafe across SWEDEN bourgh Road. 7 pm. the food court door. from Westown Mall. Gothenburg: Outs~deVaniij. 6 pm. Hamilton: McMaster University Student Malyland Memphis: Cafe inside Bookrtar - 3402 Stockholm: Outside Lava. Center, Room 318, 750 pm. Baltimore: Barnes & Noble cafe at the Poplar Ave. at H~qhland.6 pm. SWmERLAND Ottawa: Agora Bookstore and Internet Inner Harbor. Nashville: J-J's Market. 1912 Broadway. Cafe. 145 Besserer Street. 6:30 pm. Lausanne: Infront of the MacDo beside MassachuKttr the train station. Texas Toronto: Food Bar. 199 College Street. Boston: Prudential Center Plaza, ter- Austin: Dobie Mall food court. (luebec UNITED SATES race food court at the tabler near the Alabama Dallas: Mama's Pizza. Campbell& Pre- Montnal: Bell Amphitheatre, 1000 windows. sto~~.7 pm. Gauchebere Street. Auburn: The stuoerlt omge ~pstairsin Marlbomugh: Solomon Park Mall food tne Foy Unlon 0.1 ulng. 7 pm. Houston: Ninfa's Express in front of CHINA court. Nordrtrom's in the Galleria Mall. Hunkville: MaOlson Sq.are Mall ~ntne Hang Kong: Pacific Coffee in Festival Northampton: Javanet Cafe across from San Antonio: North Star Mall food Walk, Kowloon Tong. food court near McDonald's. 7 pm. Polask, Park. Tuseloosa: McFarland Mall food court court. QECH REPUBLIC Michigan Utah Rague: Legenda pub 6 pm near the front entrance. Ann Arbor: The Galleria on South Uni- Arimna Salt Lakecity: ZCMI Mallin The Park DENMARK versity. Food Court. Aarhus: Inthe far corner of the DSB Phoenix Borders, 2nd Floor Cafe Area. Minnesota 2402 E. Camelback Road. Vermont cafe in the railway station. Bloomington: Mall of America, north Burlington: Borders Books at Church Copenhagen: Ved Cafe Blasen. Tucson: Borders in the Park Mall. 7 pm. side food court. across from Buroer St. and Cherry St. an the second floor Sonderborg: Cafe Druen. 230 pm. California King & the bank of payphones thBt I of the cafe. Em Lor Angels: Union Station. corner of don't take incoming calls. Virginia Porthid: Atthe foot ofthe Obelisk (El Macy & Alameda. Inside main entrance Missouri Arlington: (see District of Columbia) Missailah). by bank of phones. Payphoner: (213) Kansas City (Independence) Barnes & I Virginia Beach: Lynnhaven Mall on ENGLAND 972-9519.9520; 625-9923, 9924; 613- Noble, 19120 East 39th St. Lynnhaven Parkway. 6 pm. Exeter: At the payphones, Bedford 9704. 9746. St. Louis: Galleria, Highway 40 & Square. 7 pm. Orange County (Lake hmt) Diedrich Brentwood, elevated section, food Washington Hampshire: Outside the Guildhall, Coffee, 22621 Lake Forest Drive. court area, by the theaters. Sesttle: Washington State Convention Portsmouth. Sacramento (Citrus Heightr): Barnes & Springfield: Borders Books and Music Center. 6 pm. Hull: The Old Gray Mare Pub, opposite Noble, 6111 Sunnre BLvd. 7 pm. coffeeihao. 3300 South Glenstone Ave. Wisconsin Hut University. 7 pm. San Diego: Regents Pizza, 4150 Re- one block'south of Battlefield Mall. Madison: Union South (227 N. Randall London: Trocadero Shopping Center gents Park Row #170. 530 pm. Ave.) on the Lower Level in the Copper 1 (near Picadilly Circus). Lowest level. 7 San Francisco: 4 Embarcadero Plaza Nebraska Hearth Lounge. Milwaukee: The Node. 1504 E. North P"'. (,"side). Payphones: (415) 398-9803, Omaha: Crossroads Mall Food Court Manchcster: The Green Room on Whit- 9804,9805. 9806. 7 pm. Ave. worth Street. 7 pm. San Jose (Campbell): Orchard Valley Nevada Nolwich: Main foyer of the Norwich Coffee Shop/Net Cafe on the corner of Las Vegas: Palms Casino food court. All meetings take place on the first Fri- "Forum" Library. 5:30 pm. S Central Ave. and E Campbell Ave. 8 pm. dav ofthe month. Unless otherwise I Reading: Afro Bar. Merchants Place, off Santa Barbara: Cafe Siena on State New Mexico nareo. they start ar 5 pm loca tlmr Fnar St. 6 pm. Street. Albuquerque: Winrock Mall food court, To rrarr a meennq n your ot), eave a nNLAN0 Colorado near payphones on the lower level be- m~ssrlqe8 onone wroer ac 1631) HelsinM: Fenniakortteli food court Boulder: Wing Zone food court, 13th tween the fountain & arcade. Pay- 751-2600 o; send email to meet- ' (Vuorikatu 14). and College. 6 pm. phones: (505) 883-9985.9976, 9841. [email protected]. Ethbpie. Not very many payphones to be found &IL&. Fdin Sigiriya, &is booth holds in this country but here'b one of them in Addis the mounting from e previous tenant. IAbb.

&I EtepLnta Island in Mwnbati, some Sri Lanlu. TBe shape of this pbode ia the city af cr~isr,painters splaahed tkis phase but not kdyis rather weid to say the llertst. enough to dampen its brilliant yellow spirit.

ur website and see our vast array of payphone ,,, ,,, ...dt we've compiled! http:Nwww.2600.com L.. .".A!; .:. ~ . -. .: :- All ofthe\? ~pno~o\ ere ILIL~I~in Sotia. Herr \\c Ant1 \\ hel~a phollc 0111) tahr\ card\. Ille! appeal- \ee a moclern oralife C~III lid card phune. lo \impl) CLITtlic ~UIIOII~li;~lt otf.

Herr'\ a blue card pho~ie\hliicli \\,a\ right next The old \tyle payphoni. \\ it11 funk! \~~rrtruntli~~g. to thr oranfe phone ~~bo\,e.Sucll spectac~~lnr Drah. let inr~-ie~~inf. J~spla!\ of COIOI- ;ire \ il-tll;~ll) LIIIIIC;II-Jof lirre in