This publication is dedicated to all of those before us who built the foundation for the hackers of the world to express themselves openly and without prejudice. While we attempt to continue in our quest to obtain knowledge and understanding, we invite you, the reader, to join in and share any thoughts you may have regarding the magazine, hacking, life, work and anything else that you feel is important enough to be shared. We're not going to knock anyone down for asking questions or ridicule the steadfast elitist folks who believe that knowledge should not be shared. We believe knowledge should in fact be shared with one another, no matter how trivial the information may appear to be. After all, knowledge is power.

Think back to the way it was, when hackers stuck together and had a good time. An amusing time when hackers shared their stories of exploration and ultimate conquest. A wondrous time when hackers were considered the good guys and looked up to by those not fortunate enough to understand the technology around them. A simple time when a hacker's harmless efforts gained a new understanding of technology issues and the praise from their peers and superiors alike. That time can still be NOW. Hackers of the world unite and exercise your freedom to disseminate information!




Assistant Editors
Alexander Tolstoy, Dave S.

Office Help
Pixel Pixie, Jess, Lexus, Dark Paladin, DoctorWHO, MomoPi, Mr. Asshole

Artwork
Derek Chatwood (AKA Searcher), Kate O., Parallax, MasonWolf

Distribution
Greg, Boiler, Syntax, David B.

Photography
CHS, Dark Paladin, Daniel Spisak

Forum Admin
Ustler_

Writers
ML Shannon, Ustler, Unicoder, Dr. Fibes, Jeremy Martin, The Goldfinger, Dual Parallel, MobbyG, Cactus Jack, Israel Torres, Grandpa Hackman, Electra-Solve




ISSN 1082-2216
Copyright 1983-2005 by Syntel Vista, Inc.

All opinions and views expressed in Blacklisted! 411 Magazine are those of the writers of the articles, and do
not necessarily reflect the views or opinions of any Syntel Vista, Inc. staff members or its editors.

All rights reserved. No part of this material may be reproduced, stored in a retrieval system, or transmitted
in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior
written permission of Syntel Vista, Inc.
Blacklisted! 411 Magazine
P.O. Box 2506
Cypress CA , 90630
9035768ABBAJBVJB-0024
DBBL 01,07,32,41,52

PRINTED IN THE UNITED STATES OF AMERICA
Blacklisted! 411 s
Doc Salvage, ECSC, oleBuzzard, Dark Tangent, DEFCON, Freaky, Blackwave, Irvine Underground, Consumertronics, Wizguru, Greyhawk, Spratt_, The Underground Mac, Bobeeve, German, Big Dog, Skippy, Avatar, Neuromancer, Doc Jones, Line Tech, Alaric, Short Circuit, Mingle, The Goldfinger, E-Gofi, Group 42, SWAT, Trash-OOX, Double-O-Jake, Ender Wiggin, TechnoHeap, GI Electronics, Lucky225
....and a few ANONYMOUS people




Inside this issue

4 - Introduction
5 - Letter from the editor
6 - Letters and Comments
16 - The Art of Casual WiFi Hacking
21 - Cheating on Browser-based Games
30 - Free Broadband
33 - How would I hack thee?
38 - The Hacker Chronicles Part V
40 - Review Corner
42 - Humanoid Companions
46 - Auditor: Debian WiFi Hacking
52 - Internet Insecurity
56 - Remote Encrypted Data Access
59 - Aminet: The Makeover
61 - Hacking the Mirra M-250
69 - Cloaking and You
71 - Hardcore Wardriving...
73 - Defcon 13 Recap
79 - The Black Market
82 - Monthly Meetings


Additional Information


How to Contact us:

Blacklisted! 411 Magazine
P.O. Box 2506
Cypress, CA 90630

Subscriptions:
$20 U.S., $24 Canada, $35 Foreign
Check or Money Order (U.S. Funds only)

Articles:
Blacklisted! 411 Articles
P.O. Box 2506, Cypress, CA 90630
(Include name & address; we PAY for articles)

Letters:
Blacklisted! 411 Letters
P.O. Box 2506, Cypress, CA 90630

Distribution and Sales:
Blacklisted! 411 Distribution
P.O. Box 2506, Cypress, CA 90630
Email: sales@blacklisted411.net

Advertising:
Blacklisted! 411 Advertising
P.O. Box 2506, Cypress, CA 90630
Email: advertising@blacklisted411.net

World Wide Web:
Website: http://www.blacklisted411.net
Store: http://store.blacklisted411.net
Forums: http://www.bl411forums.com

Blacklisted! 411 introduction for those of you who are new.....

Who we are... and were...

The question often arises on the subject of, "How did it all start?" in reference to our magazine and its history. In response to this popular question, here is a quick history lesson of Blacklisted! 411 magazine, including names, dates and little known facts which have, thus far, been hidden away for years.

Blacklisted 411 magazine dates back to October 1983 with a group of friends from a Southern California high school that shared a common interest. They were all deeply interested in their Atari, Apple and Commodore computers, electronics, sciences, arcade games, etc. They built projects, hacked into various things, made their own programs, came up with grand ideas and tried to make them into some sort of reality. The group started a monthly hackers "disk magazine" (an early form of what is now known as an e-zine) called "Blacklisted 411, the hackers monthly". This may sound strange today but circulating information on disk was the best way to get it out (at the time) without all the cool toys we take for granted today. There was no internet to utilize and nobody had printers which could print anything other than plain text (and didn't even do that well). With a disk based system, text files, primitive graphics/pictures, and utilities were fairly easy to distribute and it could be copied by anyone who had a compatible computer. At the peak, at least 150 disk copies of the disk magazine were sent into the world, though there is no way to know how many were copied by others.

Eventually modems caught on and the magazine was distributed through crude BBS systems. Using the power of a Commodore 64, a Blacklisted! 411 info site, which anyone could log into without handle or password, was created and operated. It was a completely open message center. Using X-modem or Punter file transfer protocols, one could download the latest Blacklisted! 411 files or read/leave "messages" which later became known as a "message base" and has evolved into what are now commonly known as "newsgroup postings" or "forum postings". There was only one message center, no email capability & only 1 phone line. Primitive, indeed. Effective, however.

Around 1984, the purchase of a 9 pin dot matrix printer that could print basic graphics was entered into the mix. Printing out copies of the Blacklisted 411 monthly and copying them at the media center at the high school became the new "experiment". The media center staff graciously allowed the production of these copies free of charge which was very cool at the time. The copies were passed out at the local "copy meets" (an interesting phenomenon of past times: hordes of computer users would meet at a predetermined location and set up their computers with the sole purpose of copying software and exchanging this software with each other). Piles of the magazine were left anywhere and everywhere people could see them. One popular location was next to the Atari Gauntlet and Gauntlet II arcade games strategically located at 7-11's all over the place. It's been a longtime myth that people photocopied those original copies and then those were photocopied, etc. There's no telling just how many generations of early printouts of Blacklisted! 411 monthly made it out there.

Years went by and Blacklisted! 411 evolved. The short life-span of the printouts was both a great success and a miserable failure. No matter where they were left, they were taken, and taken quickly! The feedback was awesome in that people wanted more. The interest was very high, but the inability to meet this growing demand was completely overlooked. The plug was officially pulled on the printout experiment and distribution through diskettes remained the norm. It was really the easiest way to go at the time. The Blacklisted! 411 info site grew into a 2-line system. This was a big deal in 1985. By that time, information was almost exclusively passed around by modem (unofficially on paper) and disks were still being released at this time.

June of 1987 marked the end of Blacklisted! 411, the hackers monthly. The last disk based magazine (#46) was distributed that month. Since all of us original crew were finally out of high school and onto college, work and the bigger/better things in life, nobody had the time or inclination to put any effort into the disk based magazine anymore. The once thriving Blacklisted! 411 group broke up and people went their separate ways. Naturally, it was assumed that this was the end and Blacklisted! 411 would never be resurrected in any form.

In the summer of 1993, one member (and the original editor-in-chief), Zachary Blackstone, felt it was time to revive the Blacklisted! 411 concept, but this time do it as a print magazine. It was extremely difficult to get started because the group was no more and he was alone. He was the only one of the original group members remaining that had an interest in bringing the hacker group and magazine alive again. With some money, the will to make it happen, top of the line (at the time) computer gear and page layout software, Blacklisted! 411 was reborn. Blacklisted! 411 Volume 1, Issue 1 was released in January 1994. Blacklisted! 411 was finally BACK. The issues were released regularly and distribution was small. Regardless, the related user meets were packed! The interest in the magazine was great. After a year, it was decided to try a quarterly format in an effort to increase distribution. During that year Zachary managed to get in contact with many of the old group members, most of whom are active staff members even today.

In 1999, what was to be the last issue of Blacklisted! 411 (Volume 5, Issue 4) was published. It was unknown at the time, but many pitfalls would ultimately cause the demise of the magazine. Officially, it was dead as a doornail. After 4 years of regrouping and planning, Blacklisted! 411 magazine was resurrected yet again.

To date, Blacklisted! 411 is one of the oldest groups of hackers still remaining and releasing gathered and compiled information within the hacker community and the mainstream community as well. Hanging onto the very same hacker mentality and code of ethics from the 80's, Blacklisted! 411 stands apart from the rest. Their ideal is that hackers are not thieves; they're curious people who are the makers and shakers of the technology sector. They're not elitist hackers by any means and believe that no question is ever a "stupid" question. Old school hackers and newbie hackers alike, Blacklisted! 411 caters to you.

What about now...

Community
Over the last year and a half, a lot has been happening. We have become more active in the Hacker Community. As we are based in the Los Angeles area, we have built relationships with the local Hacker groups such as LA2600, SD2600, twentythreedotorg, Irvine Underground and more. We have been attending and sponsoring Hacker Conventions and Conferences such as the Layer One Convention and the ever popular Defcon. You can find us attending these conventions regularly. We usually have a booth at these events where we sell subscriptions, current and back issues of the magazine, and other swag. We also provide several "convention only" promotions so look for us there.

Magazine Development
A major effort is being made to increase our exposure to the Hacking and Information Security Community. Our distribution goal for the magazine was to break 100K copies distributed each quarter sometime in 2004 and we surpassed our goal within our timeframe. Based on orders from distributors and sell through, nobody comes even close to touching us in the hacking arena. We have been seeking and hiring freelance writers, photographers, and editors to increase the quality and scope of the magazine. Additionally, we have people who are actively trying to promote the magazine both inside and outside of our close community.

Merchandising / SWAG
We now have a whole series of Blacklisted! 411 themed swag and merchandise. This currently includes stickers and apparel, but will soon include posters, a new DVD and whatever else our creative minds can come up with. Input, help, and direct submissions for this will be accepted and appreciated.

Charities
Blacklisted! 411 is run by real people who care about other things aside from hacking. No, really. In the spirit of helping people and organizations outside of our community, Blacklisted! 411 Magazine has officially donated to the local chapter of the Ronald McDonald House charity. After all, children are our future. Blacklisted! 411 Magazine wholeheartedly supports the Ronald McDonald House mission and their programs. Additionally, we've donated heavily to the Westminster Parish Festival, specifically with the intent to help support their youth programs and special classes for the mentally and physically handicapped.

If you have questions, comments, articles, ideas, flames, general "screw you guys" messages or wish to offer support in some way, please contact us immediately and let's see what we can do. Thanks for your support, hackers!

4    Volume 7 Issue 4 - Fall 2005    Blacklisted!411

Letter from Zachary Blackstone, editor-in-chief.....

Welcome to the newest edition of Blacklisted! 411 magazine, the official hackers magazine. A lot has been going on since the Summer issue first appeared at Defcon 13 this year. We were finally able to come up with SWAG to give away (and sell to some small degree). The shirts seem to have been a hit, while the hats were received with mild attention. The sixteen various bumper sticker designs were also a hit; we've actually seen them on cars throughout the SoCal area from time to time. That's pretty cool to see them in use.

Ok, I've got a lot of ground to cover and only one page to cram it into, so let's get started.

I'm going to mention a little bit about Defcon this year. Overall, we believe the event was an incredible success, both for the staff and owners of the event itself, but also for the visitors and our booth. Everyone had a great time and walked away knowing there's simply no better hacker convention on the planet! No doubt, if you visited our booth, you met our "booth babes" who were handing out free copies of the Summer issue. They were a new addition to our booth operation and we think they did a great job this year. Thanks girls! Everyone seemed pleased to receive free copies of the Summer issue, too. It's a small gesture we make to the community each year at the conventions we attend. It's not much, but it's the thought that counts, right? We also held a small raffle and gave away free swag, subscriptions and even a few 20GB Apple iPods. When it's all said and done, we had an awesome time at Defcon this year. So, with that said, count on seeing us there next year!

Something new that I'm really excited about is the fact that our magazine has gone from a 60 page format to an 84 page format, bringing this little zine to the top position as far as page count goes. That's right, we just added 24 more pages of content per issue! We've been getting so much support from the community lately, we decided it was time to add a few more pages, filled with hacking content. You'd think that we'd have to pass the extra cost onto our readers, but that's not true. The price of the magazine has NOT been increased because of this change. We sincerely hope that you enjoy the additional page count and the added content.

Big news on the hacker radar is our website. Yes, many of you are already aware of this, but we recently upgraded our website. When I say "upgraded" it doesn't even begin to tell the story. The old look was getting tired and didn't really appeal to anyone, including myself. So, in a combined effort, we made sweeping changes to the website, including the addition of new content in the form of articles and reviews, and massive expansion of already existing material. We even added new sections, complete with cover scans (from volume 1 all the way through volume 7), table of contents, sample articles and a little text about what was going on at the time of publication for each issue. There's some really interesting stuff to read and look at.

The new look is simply stunning, considering the rundown look of the site beforehand. If you have not seen it yet, you really must visit our website and check it out right away. In case you forgot, the URL of our website is www.blacklisted411.net

Something new which is sweeping the hacker community is our new monthly "online edition" of Blacklisted 411 which we've called "Blacklisted 411.NET". Introduced in the middle of October, it's already taken off to an incredible start. It's a little something we cooked up to try and give back to the community. Many people have asked if the online edition would be an electronic version of the print magazine. The answer to this question is a resounding NO. The online edition is completely separate from the print version and contains articles and other material which is entirely different from the print version of our magazine. The only thing similar is the name. Anyhow, since the recent news of Phrack going out of business, we decided to try and pick up some of the slack and offer a FREE online hacker magazine. We're not trying to replace them, just give the hacker community something they don't have to pay for. Available as a PDF, we'll pump out a new issue each month, so visit our website often and make sure to grab your copy. Remember, it's absolutely FREE and you're welcome to copy it, upload it, mirror it, P2P it, archive it, print it, pass it around to your friends, etc. All we ask is that you give us credit and a link (www.blacklisted411.net) if you use any of the material for any purpose.

Well, that about sums up all the new stuff going on right now. Naturally, we're always on the lookout for new talent in the form of writers, artists, photographers and anyone else who can add to the value of our magazine. Among other things, one of the main reasons that we're set apart from other hacker magazines is that we actually PAY our writers, artists and content providers. Information may want to be free, but in reality, GOOD information usually has to be paid for.

Additionally, we're looking for active individuals who will POST in our forums. Having an active and fun forum area takes the effort of many people. We've provided the "arena"; now it's time you kick yourself in the rear end and get posting.

We're a magazine, produced by hackers and made for hackers. We believe in being a team player and welcome everyone to voice their opinions. Hack the System!

- Editor
Notes of interest:

- T-shirts, baseball caps and bumper stickers are now available on our online store.
- Deadline on all articles, letters, artwork and ads for Volume 8, Issue 1 is January 13th, 2006.
- ALL classified ads are now FREE and are limited to space constraints per issue. First come, first served.
- We're a PAYING MARKET for articles we use! We pay $25-$450 depending on size, quality & use of photos.



Letters and comments from our readers.....

Hi Zach, I am a new subber and am looking forward to getting Blacklisted 411 in the mail. The little paragraph that is on the first page of the mag is what really got me to subscribe. The forum seems to be a little slow. I'm not a computer hacker and don't really know anything about them. I am still in the physical world and cyberspace is a bit hard for me to grasp so I get along better with stuff I can touch and rewire and modify with a soldering iron. I love electronic gadgets and instruments. I hope I can find common ground with a few of the hackers here and maybe even learn something. I wish I could be as fortunate to be in an area where people are actually willing to come to gather at a place of regularity. I am in the middle of nowhere and you just cannot get people out here to get together for anything. We have tried to start a ham radio club several times and no dice! Of course my niche is any kind of radio and I love metal detecting. So thank you for having the wireless listing on the forum. It sounds like you have a fun group there at Blacklisted 411 and always savor the experience of camaraderie because it is getting harder to find good friends. So Zach thank you for the mag and taking me on board. Take it easy and CU later Zach. Nice meeting you.

Wirechief

Hey Wirechief. Welcome aboard! Glad to have you around. I can completely understand where you're coming from. My background was in electronics before I ever touched a computer; my first computer was an Altair that I built myself in the 70's. Having built my first computer at a component level, I was easily sucked into computers, making the jump from electronics to computers quite simple for me. Anyhow, in the spirit of "old school hacking" I intend to make available some small electronic projects related to hacking in some way. If all goes as planned, we'll even be able to provide circuit boards and part kits, just like the old electronic magazines used to do. I think that might go over well with people like yourself who want to get hands-on time with their soldering iron and other tools. Keep watching, we're bound to get some of these projects in an upcoming issue of Blacklisted. Maybe even this issue.

So, the point is that if you have a love for electronics, you've already got common ground with most hackers right off the

To Any Personnel at 2600 Magazine or Blacklisted 411 Magazine who might be able to Help:

I've been trying. I've been trying really hard, but it just never seems to work. I don't know whether it's just pure bad luck, my own inherent stupidity, or any combination thereof that might be the deciding factor, but for some reason, the shit just doesn't work.

I'd like to call myself a hacker. I really would, but the closest thing I've ever come to "hacking" was vandalizing one computer back in my first High School programming class... and that wasn't even that difficult. It's been five years since then, and I don't think that I've gotten very far in my endeavors. It may be that I don't have enough time to commit to the art itself, or that, perhaps, I'm simply not able to hack, but I want to. You have no idea how badly I want to, either. Badly enough to spend hours up every night sifting through bullshit website after bullshit website, trying to find the one bit of information I needed, the one text file I overlooked that may hold the key between gaining access to systems, and my unfortunate and woeful lack thereof.

I turned to my friends who claimed to be hackers. All I found there was senseless bullshit wrapped in a tasty Gothic shell. I tried searching the internet for programs that might have been what I was looking for, only to cast them aside after being called a "script kiddie." Elitist hackers in their far-superior mentality...why can't they see that I'm not some wannabe, but that I truly Want To Be? Why can't they remember that, at some point, at least one of them was just like me, searching for answers down the alleys of Digital Infinity.

I have no clue where to begin. I'm on a 56K modem, running AOL. For the moment, this is the best I can do. Realistically speaking, there is no hope for me, is there? There's no hope for the kid who's stuck at home with the AOL-Head family, and can't break through because he's not the financial decision maker.

My assets are: a brain, drive, and a lust to know what I can and can't do with this computer. Is there any way I can learn to hack with what I have?
bat. Let me tell you, fhe staff over here at Blacklisted! 411
love their electronic gadgets to no end. We always have                                                                     Ash
some new toy to play with. You 're in good company.
                                                                  Hello Ash, First, let's define the word "hacker' so we're on
As for the forums, unfortunately Ihey are a little slow. It lakes the same page. According to www.wikipedia.arg, an excerpt
the effort of many 10keep Ihe forums ective, even in Ihe face of what we typically believe to be a hacker is:
of apparent inactiVity. It's something we intend to "work on"
as time goes on. Keep postingin the meantime.                     "hacker is extended to mean a person who makes things
                                                                  work beyond perceived limits through their own technical
                                                                  skill, such as a hardware hacker"
I've only just come across your magazine and I'm wondering
if there is any place in the UK that may sell your magazine, In other words, a hacker is a skilled user of technology,
we have nothing like this here. Thanks                            capable of modifying said technology to conform to their own
                                                                  needs.       Given this definition, breaking into systems,
                                                          Iceman vandalizing computers and wreaking havoc in any way isn't
                                                                  what we're about. If you can swallow this ideal, you're off to
Hi Iceman. Blacklisted! 411 magaZine is available throughout a good start.
the United States, Canada, Mexico, Ireland, Japan, Israel,
Hong Kong and various other destinations across the globe. Most of the hackers over here started wah much less than
Particularly in the U.K., our title used to be available at Tower you have at your disposal right now.          We had 8-bit
Records in your area, but they pulled out of the area recentfy computers, no hard drives (some of us didn't even have
during a "rearrangement" of their company. To date, I'm not floppy drives!), no internet, our modems ran at 300 baud (or
certain that our magazine is available at any location within even 110 baud for some of the extreme old schoolers).. So,
the U.K. We don't have a complete listing of our avaifability you've got it good compared to where we started. With this
at this time, so I can't give you 100% accuracy on exact in mind, here are my suggestions on how 10 learn to be a
locations where our magazine is or isn't being sold at the hacker.
lime, but it appears from an initial look that we do not have
any distribution into the U.K. for the time being. I could be 1.          First and foremost, READ untif you eyes feel like
mistaken, however. I will research this further and see if we             they're going to pop out of your head. ... then read
can correct this serious gap within our distribution chain.               some more. Research every aspect of technology-
                                                                          computers, electronics, gadgets, etc. Don't limit your
6                                           Volume 7 Issue 4 - Fall 2005                                        Blacklisted! 411
reading to the internet, although it's an excellent resource. In addition to this, you should pick up a few subject-related magazines (Blacklisted, 2600, Binary Revolution,

2. Learn to program multiple computer languages. I would recommend BASIC, C++, PASCAL and PERL for starters. Heck, why not even start with some simple HTML. I know it sounds like a hefty workload, but once you get the hang of one, the rest should fall in line rather quickly. It's important that you understand computer languages on some level before you understand how to manipulate them.

3. Ask a lot of very specific questions. Stay away from generic "how can I be a hacker" questions; rather, ask pointed questions about a specific topic. I.e.: I need a piece of code for a programming project that will do THIS. You're more likely to get a sincere response if you appear that you really want to learn instead of having all the answers handed to you. You see, in the hacker community, it's important that each of us has the desire and capacity to learn and teach ourselves. It's part of the gameplan, so to speak. Being self-taught is the hacker way. I believe black hat, white hat and gray hat would all agree on this point.

4. In addition to #3 above, if you do have a specific question, first look it up on Google before you pose your questions among the hacker community. Many times you will find that the answer to your question has already been asked - and answered - many times over, and a simple search will reveal this to be true. Many "newbies" have been scorned for failing to perform this rather easy task before asking their question. Be forewarned, hackers tend to be impatient when asked something that's already been answered. I believe it's just one of those bad traits certain groups exhibit. Naturally, you will, from time to time, find more patient hackers who will hold your hand through the tough parts. Many hackers, sadly, do forget that they too started knowing little to nothing and had to put up with the same attitudes new hackers still have to deal with today. It comes from dealing with many wannabes, as you put it, who want it all but don't want to put any effort into learning.

5. Interact with other hackers. Find a local hacker meeting or attend DefCon, LayerOne, Toorcon, InterzOne conventions. DefCon is by far the leader in hacker conventions and the best party in town. Not only will you walk away learning something new, but you'll have an awesome time partying it up with other hackers. Additionally, you may want to try attending a local Linux or Unix user group meeting.

6. Visit hacker websites. I would personally recommend I-hacked.com. They're a hardware hacking website and I'm a big believer in hardware hacking - that's where all the fun is and the easy path for hackers to make something of themselves in the real world. Hardware hacking eventually leads to designing gadgets and doing honest hacker work. Hackaday.com is another cool hardware hacking website. Check 'em out when you have a chance.

7. Read hardware hacking books. I know I harp on reading, but it's really the best way to learn, aside from hands-on work. I would recommend these books for starters: Hardware Hacking: Have Fun While Voiding Your Warranty, Hardware Hacking Projects for Geeks, Home Hacking Projects for Geeks, Game Console Hacking, Wireless Hacking, etc. All of these are interesting reads.

8. Build your own computer. People always balk at this comment. It's NOT impossible to build your own machine. If you're broke or cannot afford the parts, go to a local computer scrapyard or local computer repair center and ask them for some leftovers. I didn't say build a new top of the line Pentium 4, 5GHz system. Try your hand at putting together an older 486 system (and, yes, you CAN get the parts for free - I see the ads in the local recycler all the time, "please come and take this crap away!!").

9. Post in hacker forums. Again, if you have questions, be SPECIFIC and pointed. No generalized questions. Hackers don't want to spoon feed you all the answers; they want to see that you're genuinely interested and trying to learn on your own. Binary Revolution has a really good forum. We have a forum, too.

So, that's about it. Give all these steps a try and see where you go. There's no magic pill that will turn you into a hacker overnight. It takes time, patience and a lot of aggravation. Just stick with it and, eventually, you'll get onboard. Good luck.


In regards to the info Lint requested in Volume 6 Issue 4: I used to work for the company that manufactured the BART cards, along with cards and tickets from transportation systems all over the world. Unless they have changed in the last five years or so, the BART cards are Low Coercivity, 300 Oersted. The 0.25 inch magnetic stripe is applied directly to the card, extruded from a slurry of magnetic "ink" that we manufactured ourselves. Our job in production was to apply the stripe in the correct position and to the specified electrical properties, which we tested by writing a signal to samples and reading back the return on a digital scope. There were many other parameters to deal with, making for a hair-pulling experience. These contract jobs are offered by a sealed bidding process, so what's made by one company today may be made by another next time around. The manufacturers of the equipment the tickets are used in design and quote the specifications of the product and it is up to the supplier to deliver cards that meet or exceed the specs. Hope this helps.

                                                     Dark Purpose

Hey Dark Purpose. Thanks for the input.


Ok, so I was sitting in Computer class... I know what you're thinking: he hacked into his school's computer. But really I was just bypassing my school's restrictions on the Internet using Firefox.

1. First thing you want to do is find out the kind of stuff your school is blocking on the net.

2. Go out and buy a USB key (128MB+).

3. Download and install Firefox to your USB key.

4. Download and install plug-ins (Flash player).

5. Rename Firefox to Internet Explorer on your USB.

6. Test and run Firefox to see if it works. Don't save any settings.

7. Take your USB to school/work, put it in the USB slot on a computer at your school/work and run Firefox. Now you're going to want to transfer all your stuff from Internet Explorer when it asks; then it asks if you want to make Firefox your default browser, click NO.

8. See if any sites load and work (they should work and you should be able to play games and download stuff).

Now that you did those steps, or I hope you did, or if you don't understand some of the steps, I'll tell you what is going on in each step.

In step 1 you want to gather all the info you can about your school computers and how the network is set up and what it blocks and what runs. Try downloading things and running things. In step 2 you need the USB so you can install Firefox (in step 3); most USB keys at 128MB are around $19.99. In step 3 you will download and install Firefox to the USB so you can run it on the computer. The reason it's on a USB and you're installing it at your house is because most schools or
work areas block downloading and installing things. In step 4 you want to get all your plug-ins for Firefox so you can play your games or download your emulators :). In step 5 you want to rename Firefox because most schools keep a log of every program you open. Most only show the name of the program you're running and not an icon and details, so if you rename Firefox they think you're on Internet Explorer. In step 6 you want to test and run Firefox at your house (run it from your USB only) so you can see if it's all working and running fine. In step 7 you finally get to take it to school or work and put it in the USB slot and run Firefox (now AKA Internet Explorer), and when you run Firefox it will ask if you want to transfer all your info from Internet Explorer to Firefox; you want to click YES, because this transfers the proxy info for Firefox to connect to the network and run. If you have to manually set the connection settings, go to Tools > Options > Connection Settings and enter the info in. It also may ask if you want to make Firefox your default browser, click NO. In step 8 you get to use Firefox for all your internet needs: music, games, forums.

You can try to install Firefox to your computer at school, but try to hide it and also rename it. If not, just use the USB option or put it on a CD and run it that way. But the easy way to hide it, I think, is on a USB key.

The main reason I wrote this tutorial is because at my school I had to use this because they turned off ActiveX and that stopped me from being able to play games (needed Flash/ActiveX), use online proxy sites such as www.cbrowse.com and www.whopy.com because the fields for entering the address were in JavaScript (needed ActiveX), and I had to use those to check out the www.2600.com site for updates since it was a blocked site titled "hacking" :(. So I hope this helps other people with the same problems. Once I used Firefox I could get on www.addictinggames.com and play games and visit proxy sites so I could bypass the school filter and visit my most favorite sites!

                                                     Mixfever

Interesting work-around. Keep in mind that the schools install those internet restrictions for a reason and bypassing these restrictions may be asking for trouble - it depends on the school and how aggressive their rules are. We applaud the effort, but don't condone applying these work-arounds on the property of others. It's just a recipe for disaster.


Hi guys, great try. The Summer edition is almost worthless to me as I can't read the small type and I got tired of trying to use a magnifying glass. I even copied the pages using "enlarge" to try and read it. If you are going to have a larger print version out for Winter, I'll subscribe.

                                                     Dave

Hello Dave. This is a growing complaint that we receive about 2 or 3 times a year. Over the years, I have dismissed this complaint since it's only so few. However, I've recently taken this complaint to heart, not because of my own inability to read the magazine (in fact, I can read the text perfectly, but I have 20/20 without the use of any corrective apparatus) but rather the mounting complaints over the last couple of years coupled with our aging readers. Anyhow, me being a hacker and wanting to get to the bottom of the problem at hand, I went out and asked people what specifically generated problems with people reading the magazine. Upon further investigation, I was able to ascertain what the problem really was. Apparently, some of our readers have trouble reading Times New Roman at 6 point, but the Arial at 6 point is perfectly legible. So, because of this specific information, I have upped the Times New Roman a notch to 7 point from here on out. Hopefully, this will alleviate the problem. Only time will tell. I will watch for additional complaints. So, there ya have it, Dave. And it didn't even have to wait until the Winter issue (this is the FALL issue). How's that for quick response time? Hope the jump in font size helps out.


I am investigating a scam operation and need to find someone who can:

1. Get an unlisted AT&T cell phone number
2. Get a SBC Global DSL e-mail address password
3. Construct an attachment that will install a file on an OS 10.2 Mac when the file is received and opened as e-mail

Please contact me and I will verify who I am and the reason for this.

                                                     Bill

Bill, every time I read a question like this, I can't help but feel like someone's trying to pull the wool over my eyes, so to speak. Personally, I don't care what your reasons are for wanting to know how to do these things; the fact remains that doing these things is illegal, with the exception of item #1 above. You can go to any number of sources, whom I refuse to disclose to you, and find this information LEGALLY. Item #2 - this is asking for trouble. Computer trespassing comes to mind. An icky thing to do... and get caught doing. Item #3. This one pisses me off. I hate SPAM, I hate virii (viruses), I hate worms, and I hate trojan horses. This is the kind of stuff that gets people in a HEAP of trouble and I don't feel sorry for them. Not one bit.

I can appreciate wanting to shut down a scam operation, but I absolutely do not condone breaking the law to accomplish the task. It's bad for your own personal freedom and it's bad for the hacker name. Every time someone does this crap, hackers get blamed for it. I for one won't help the media in their efforts to discredit the hacker community.


I have been a fan for a while and was looking to subscribe, but then I noticed that your magazine has seemingly disappeared from the local book shops since the Winter 2004 edition. I also noticed that the website hasn't made mention of a newer edition since then either, and it appears that you guys have abandoned the website as well. I have only seen updates and posts from readers and nothing from the staff since last year.

WTF?! Are you guys going to publish this magazine or are you going to go the way of Phrack and so many other great hacker mags and just disappear? Don't let 2600 be the only remaining 'real' hacker mag out there. Let the readers know what we can do to help you out (other than subscribe - seeing we may not see another magazine). I'll keep buying them off the shelf and telling people about it as long as YOU'll keep putting them on the shelf to begin with.

I hope you're still out there somewhere to get this message.

                                                     Shard66

Hey Shard66. You and I have had some words back and forth in the forums and I know the record has been set straight as far as you're concerned. I thought I would go ahead and include this comment in the latest edition, just to clear the air for everyone to read. In a nutshell, two problems occurred over the time-span that the Winter 2004/2005 and Spring 2005 issues were to be released. The first problem was a lack of redundancy with our printer services, which ultimately caused the Winter 2004/2005 issue to go unpublished. I know it's a shame, but we sucked it up and took the punches as they came in and still got the next issue out on time. Which brings us to the Spring 2005 issue. We printed up 150,000 copies and were ready to release the issue as planned. However, one of our long-time distributors (Desert Moon Periodicals) went out of business, taking with them crucial distribution into a couple of high profile chains. We scattered to try and fix the problem, but in the end, our Spring issue missed some important distribution into two chain stores, which didn't make us look any better. Anyhow, by the Summer issue, we had shifted our distribution to another company and the problem was resolved. Shard66, I
know you already verified distribution into your area, which is good news. Sadly, the length of time it takes from the day we ship to the day the issue appears on the shelves is completely outside of our control. Each issue for the next two years, we're planning to release a week earlier than the full three months between issues. By the time 8 issues pass, we'll be back on track, getting our issues out well BEFORE each new season starts. It's a simple, yet effective plan.

So, to sum up, we're still in biz and everything is fine. Our Spring 2005 and Summer 2005 issues both saw heavy distribution, even with the distribution company problem for the Spring 2005 issue. We were steady at 150,000 copies for the Spring and Summer issues. With the issue you are now holding in your hands, we're at an astounding 200,000 copies! I think it's safe to say that we're in fact the #1 distributed HACKER magazine on the planet. Not an easy thing to accomplish, either. Yay for us.

As for our website, please note the massive changes we've made recently. Go check it out if you haven't already done so. As far as helping out, as always, we can use articles, artwork and photographs. That's pretty standard. Some people have already stepped up to the plate and put forth their support. Thanks guys!


Hello, I got a free issue of BL411 at DefCon and enjoyed reading it on the plane ride home (although it is about 6 point font - maybe we could bring that up to 10 point, huh?)... I went ahead and signed up for a subscription. I can't wait to see the DVD some day.

BTW, my wife and I especially enjoyed the heartwarming article by the chick who married the hacker. Pretty funny - and true.


Hello. Is there a number or something of that nature that would help identify your magazine to the person that does the purchasing for the stores?

                                                     Brian

Hello Brian, yes, tell them the ISSN of the magazine you're looking for is 1082-2216. Further, you can use the BIPAD, which is 40535, or the full barcode, which is 5064440535. What store are you dealing with? We may be able to help from this end.


What I would like to see would be a very thorough tutorial about the DC Capture the Flag competition. Exactly how does it work, what toolz/skillz do you need, how do the referees score & monitor everything, who are some of the top playerz, how do you get involved with a group that does this, do the playerz practice together all the time or just get together at DC, etc. It looks like a lot of fun, but everyone's working so hard, you hate to bother them trying to get some answers.

Thanks and keep up the good work.

                                                     JeremyCEC

Hello JeremyCEC. Thank you for your comments. We try to provide an interesting media for our readers, so I'm always happy to hear when someone enjoys what we offer. I'll forward your comments to Zero Hack about her article.

Anyhow, about the font size. We get about 2-3 complaints per year on this topic. We've fiddled with the font size from time to time, but the very "small" size tends to lend itself to getting more information crammed into each issue. You'll be happy to know that we have upped the font size ever so slightly with the Times New Roman (by one point), so we'll see if that helps at all.

The DVD. We're so close to having this done. You'll be able to get this online as well as from any number of major retailers. We're very excited about this project over here.

DC Capture the Flag. I'll see if I can get someone over here to write something on this topic.

Thank you again for your time and comments. If you have any other comments, feel free to contact me anytime.


Hey, I remembered an ad in one of your 2000 or 2001 issues for an electronics surplus store in California. I can't remember the name... maybe you can help me out? I can remember the place having a website. Heh, that probably doesn't help much. Lemme know if you can remember.

                                                     Fennicirrus

Hey, first off, we weren't publishing in 2000-2001, so your dates must be off. We've talked about many surplus stores in CA as well as placed ads for them. Since we're west coast, most of the places we deal with are local to us, so it's difficult to narrow down what you're looking for. Can you be more specific?


I have three questions that maybe you or one of your readers could explain.

Question 1: How do I modify my Nextel (Motorola) phone? Does the model of phone change how one would go about modifying the phone or trying to access a forgotten password?

Question 2: How would someone who wanted to gain access to the continuously broadcast satellite television without having to "pay" for it? Also, how would one go about amplifying the signal to distribute the signal to other rooms so that there is no longer a need for the in-room equipment?

For that matter, how could someone get around a cable box for the home that is required for "HBO" and other "pay" channels?

Question 3: My third question is with a laptop with WI-FI capabilities. How would someone go about building a directional antenna for better reception? More importantly, is there a way to "boost" the output of the send/receive signal to improve the WI-FI signal?

                                                     BL411

For question 1, go to www.motomodders.com - they have all the latest Motorola phone hacks and mods.

Question 2. Sorry, but we're not in the business of stealing satellite or cable programming. That's outside of our arena. Although, to amplify the signal to all of your rooms throughout the house, you could use a distribution amp from the output of your receiver and hardwire all the rooms to the amp.

Question 3. Directional wi-fi antennas are available all over the net. If you want to BUILD your own, check out the review article on our website, www.blacklisted411.net, which describes a site dedicated to building your own directional antenna. Can you boost the output? Sure you can. Visit www.omni-wifi.com or www.wifiantenna.com. Both of these sites have interesting gear available. For the boosters, be prepared to spend some money. If you want to go on the cheap for a signal booster, a company by the name of Hawking makes the model HSB2 hi-gain WiFi signal booster. It runs about $50-ish. I have not reviewed one of these yet, but I've heard mixed reports about its usefulness. The manufacturer claims a maximum distance boost of up to 600%. That's worth a gander.
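Going back to the Firefox-on-a-USB-key work-around in Mixfever's letter earlier in this column: step 5 (renaming the browser to "Internet Explorer") only defeats logging that records the process name. The check below is an added example, not code from the magazine or from Mixfever, showing what a school or workplace admin could run over a launch log instead: it matches the logged image name against the file's SHA-256 and its launch path, so a renamed firefox.exe on a USB key stands out. The tab-separated log format, the "known good" digests, the install directory and the removable drive letters are all constructed assumptions for the example.

```python
"""
Added example (not from Blacklisted! 411 or from Mixfever): flag a portable
browser that has been renamed to look like Internet Explorer.  A log that
records only the process name is fooled by step 5 of the letter; a log that
also records the executable's hash and path is not.  Every value below
(log format, digests, paths, drive letters) is constructed for the example.
"""
import hashlib
from dataclasses import dataclass

# Hypothetical allowlist: digests of the iexplore.exe builds actually
# deployed.  Constructed values, not real Internet Explorer hashes.
GENUINE_IE = hashlib.sha256(b"constructed: genuine iexplore.exe build").hexdigest()
KNOWN_IMAGE_HASHES = {"iexplore.exe": {GENUINE_IE}}

# Where the genuine binary lives (assumed Windows XP layout); a claimed
# iexplore.exe anywhere else is a renamed file.
IE_INSTALL_DIR = "c:\\program files\\internet explorer\\"
REMOVABLE_DRIVES = {"E:", "F:", "G:"}   # assumed removable-media letters


@dataclass
class Finding:
    ts: str
    user: str
    image: str
    path: str
    reason: str


def parse_line(line):
    """Constructed tab-separated format: ts, user, image name, full path, sha256."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None
    ts, user, image, path, digest = parts
    return {"ts": ts, "user": user, "image": image, "path": path, "sha256": digest}


def check_launch(rec):
    """Return the reasons a launch looks suspicious (empty list means clean)."""
    reasons = []
    image = rec["image"].lower()
    path = rec["path"].lower()
    drive = path[:2].upper()
    known = KNOWN_IMAGE_HASHES.get(image)
    # 1. The name claims to be a binary we deployed, but the hash is not one of ours.
    if known is not None and rec["sha256"] not in known:
        reasons.append(f"{image} has an unknown hash; renamed binary?")
    # 2. The name says Internet Explorer but the file is not in the install directory.
    if image == "iexplore.exe" and not path.startswith(IE_INSTALL_DIR):
        reasons.append(f"{image} launched outside {IE_INSTALL_DIR}")
    # 3. Anything executed straight off removable media is worth a look.
    if drive in REMOVABLE_DRIVES:
        reasons.append(f"executable launched from removable drive {drive}")
    return reasons


def scan(lines):
    """Run check_launch over every parseable log line and collect the findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for reason in check_launch(rec):
            findings.append(Finding(rec["ts"], rec["user"], rec["image"], rec["path"], reason))
    return findings


# Constructed sample log: a genuine IE launch, Firefox renamed to iexplore.exe
# on a USB key (the letter's step 5), and an honestly named Firefox on that key.
RENAMED_FIREFOX = hashlib.sha256(b"constructed: firefox.exe renamed").hexdigest()
SAMPLE_LOG = [
    "\t".join(["2005-10-03 08:14:02", "jdoe", "iexplore.exe",
               r"C:\Program Files\Internet Explorer\iexplore.exe", GENUINE_IE]),
    "\t".join(["2005-10-03 08:21:45", "jdoe", "iexplore.exe",
               r"E:\Internet Explorer\iexplore.exe", RENAMED_FIREFOX]),
    "\t".join(["2005-10-03 08:30:07", "jdoe", "firefox.exe",
               r"E:\firefox\firefox.exe", RENAMED_FIREFOX]),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.user} {f.image} ({f.path}): {f.reason}")
```

Run as a script it prints four findings: three for the renamed copy (unknown hash, wrong directory, removable drive) and one for the honestly named Firefox on the same key; the genuine launch produces none. The point is the combination: a hash allowlist alone misses a browser that was never renamed, and a path rule alone misses a renamed binary dropped into the expected directory.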
Well mates, the only way to find your magazine is to come in US, is bloody difficult to find here in Italy! I'm lucky, I used to travel often for working reasons, so... voila, just caught the Summer issue. You guys do a great job, tks indeed!

M@rkus

You're absolutely right. We don't have any distribution into Italy. At least, not that I am aware of. We'd like to change that. If you have a listing of specialty stores that carry interesting publications from the U.S., forward the information and I'll see if we can't get our magazine available in your location.

A friend and I will be starting a monthly meeting in my area (40 miles east of Pittsburgh, PA). We would like to associate the meeting with Blacklisted 411, especially your group's ethos of 'information should be free' and 'knowledge should always be shared, even with noobies'.

The purpose of these meetings will be to gather in one place people in the area with similar interests and give them an opportunity to talk, share ideas, discuss projects, and maybe even teach / learn something. We will be putting up flyers and creating a website over the course of the next month hopefully with the first meeting taking place in about 4 weeks.

I think I remember (haven't read my first issue of Blacklisted since Defcon some weeks ago) mention in your mag about emailing you and you could provide guidelines of sorts for holding such meetings. I was also hoping that it might be possible to purchase additional copies of your magazine, perhaps 50 copies (at a discount?), to distribute and help stir up interest.

Also if you have any flyers (PDF, JPG, whatever) that could be modified and used it'd be great!

Jpbarto

Hello and welcome aboard. I'm glad to see more and more people interested in starting up their own meetings. We'd be happy to help in any way we can. We don't have any pre-made flyers since we don't host meetings ourselves, but I'm sure you're more than capable of producing your own flyers. Anyhow, if you need copies of our magazine, contact me via email. Last but not least, send over the specifics on your meeting - where it's to be held, what day of the month, etc. I'd be glad to add it to our meet listing in the back of the magazine. Good luck!!

Hi, I'm Rudy and i just started reading your magazine and I love it. I'm also just starting to learn how to hack. I think it's just amazing what hackers do for people. The thing is that I don't exactly know how to do it and i was wondering if you could e-mail me with some advice on how to manipulate codes and to blow security. The whole reason I started to hack is because my parents keep on putting passwords on my computer and I can't get through the code. So help a guy out and a new hacker to the hacker society :).

Rudy

Hello Rudy and welcome aboard. First off, we don't email responses to questions like these - we print them in the magazine. Second of all, we don't show people how to hack, that's something you will have to learn on your own. We can help you along the way, however. Hacking isn't about blowing security, well not exactly. It's about exploring the possibilities that exist in and around technology. I just answered someone else about becoming a hacker. The same applies to you. Good luck.

Dear 411 and Roman H, Awesome mag, you guys have outdone yourselves once again. I grew up in the Atari and Commodore 64 age. I fondly remember sitting in front of the C-64 with a copy of Compute entering lines of basic.

Roman H, MAME is awesome, you can get all the information you need about it from a few websites.

Do a Google search for the group alt.games.mame where you'll get all the updated news and frequently asked questions.

http://groups-beta.google.com/group/alt.games.mame - here you can get additional files to make it run better.

http://www.classicgaming.com/mame32qa/ - I recommend mame32, it's easy to install and one single download. Finding the roms is different, you'll get a few of those here:

http://www.tombstones.org.uk/~ankman/

When I'm not on the computer hacking or playing MAME then I'm on my brand new Atari Flashback 2 which is based on the 2600 system with 40 built in games. I have an awesome time playing it and get the manuals for the games from www.atariage.com. Yeah this sounds like a commercial or advertisement.

I am looking for an emulator for the C-64, I'm looking for an air traffic controller game and my wife continually asks me to find "TOOTH INVADERS" for her. Any help here?

Thanks again for an awesome mag, keep up the great work.

Superman

Hey Superman. Good to hear from you. Thanks for the update to Roman's question. I loved the Commodore 64. In fact, when I first made the Blacklisted 411 hacker monthly in 1983, it was on a Commodore 64 and released on C=64 diskettes. Boy, the memories. Anyhow, Air Traffic Controller by Hewson as well as Tooth Invaders by Commodore are both available all over the net as a ROM image (for use with emulators). If you want the actual software on floppy disk, or in the case of Tooth Invaders, on cartridge, you might want to try Ebay. As much as I despise Ebay, I have to admit that they make it pretty easy for people to find obscure items that otherwise would be nearly impossible to locate....naturally, for a premium, with some exceptions of course.

Hi, I picked up a copy of your mag about a month ago at Cinefile Video (Vol. 6, Issue 4, "Hacking with a proxy server"). It caught my eye because one of my roommates is into animatronics, and I'm experimenting with Unix by putting NetBSD on my old Powermac 8500. I saw in the Black Market section that you're looking for an artist. I happen to work as a graphic designer, and I do illustration as well. You can find a PDF of my portfolio at  (you'll have to excuse the website, though. Web is not my specialty.)

It's not really finished yet, but perhaps you'd find it interesting. I don't always have a lot of time in between working and looking for work, but I thought I'd offer my services in case you ever would want to take advantage of them. Anyway, keep up the good work!

Erik

Hey Erik, thanks for the heads up. We're always interested in new graphics work. When you have a chance, can you send your sample work to us? Thanks for your support.

Hello Blacklisted crew. I am very impressed with your magazine. I like your attitude and the wealth of information you present to the readers. I specifically enjoyed the Serious Salvage series by TechnoHeap. I was wondering if you were planning on doing any updates to his salvage articles anytime soon? I buy up each issue, hoping you're going to include
more information on this subject. I'd like to thank you for the information because I was able to actually generate an income from his suggestions. That alone makes you guys worth the read! I've been watching all of these salvage places since I read your first issue that included the Serious Salvage series. I'd like to update you that Ball Electronics and ACP have both gone out of business. Ok, well thanks for the awesome magazine. Keep up the great work guys!

Salvage Hound

Hey Salvage Hound. TechnoHeap has been working away at a new article for awhile now, complete with photographs and additional information on where to find the good stuff. You are correct. Not only has Ball Electronics gone under after dwindling patronage over the years, but the ACP retail store front has in fact gone toe-up. However, you'll be happy to know that ACP Components (across the street in a completely unmarked warehouse) is still in business. Yay. Also on the MIA list is: Marvac in Clairmont, Marvac in Pasadena and a couple of other smaller retailers. The surplus market, regardless of these closings, is alive and well. You just have to know where to look. TechnoHeap will reveal all in an upcoming issue. Stay tuned. I've forwarded your concerns to him.

Dear Blacklisted. I recently visited this website called "the flash mind reader" at http://trunks.secondfoundation.org/files/psychic.swf and it has completely baffled me as to how it works. Can you take a look and explain it to me? I know it's not really reading my mind, but it sure is a trip to see it correctly show me my symbol each time. Thanks guys, I love what you're doing over there!!

Charlie K.

Hey Charlie. This is a simple math trick. You're supposed to use digits 00 through 99. Given this and the equation they offer up, there are only 10 possible answers. Two digit numbers 00 through 09 will produce an answer of 0, numbers 10 through 19 will produce an answer of 9, numbers 20 through 29 will produce an answer of 18, numbers 30 through 39 will produce an answer of 27 and so on...40 to 49 is 36, 50 to 59 is 45, 60 to 69 is 54, 70 to 79 is 63, 80 to 89 is 72 and 90 to 99 is 81. As you can see, only 10 possible answers. The site knows that every time you do an equation (correctly), one of your answers must be from the above list. If you look at the site, each of the answers above (0, 9, 18, 27, 36, 45, 54, 63, 72, 81) has the exact same symbol associated with it. You click the crystal ball and that very symbol will show itself. Pretty neat, huh?

I have a question that maybe one of your readers or you could answer. The question is I have a friend who has a Phone from Nextel and the phone has GPS capabilities but the company wants a monthly charge to access it. Is there a way around that? Another question I have is that the same person wants to change their phone number on the phone but she bought it from someone else and the other person has forgotten the password. How can she find out the password?

Reader

Hello. As far as bypassing a paid service, I can't help you with that at all. If you want to get into the phone, I would need to know the model number. Without that information, I'm at a loss and cannot advise you. However, you may want to try out www.motomodders.com - they have a tremendous amount of information on Motorola phones. I believe you might be able to find someone who can help you out.

Hey guys. I've been reading your magazine since volume 6, issue 4. All I can say is WOW!! I really am impressed with the operation you've got going on and your willingness to help just about anyone at any level of experience. I have a question for you. It's not really hacking related, but more on classic tech. You seem to have a firm grasp on where to find things, so I thought it couldn't hurt to ask you. I've been working on some old Atari Star Wars boards (arcade game) and I've run into a situation where I need some spare POKEY chips (you know, the C012294B sound chip). I found a stash of boards at an operator's location but the boards were stripped clean of the socketed chips. I was able to locate everything (including the EPROMs and speech chip) but I've been unable to locate that darned pokey chip part number anywhere. I know this is a lame question, but I really need this part so I can revive at least one of these machines. I heard that you can find them in old cartridges of some type. Is this true? Which ones? Ok, well thanks for your help. If there is anything I can do to help out your cause, let me know.

Jasper

Hey Jasper. Listen, this is an easy question to answer. If you want the pokey, best place is to visit Best Electronics at www.best-electronics-ca.com. Last time I checked, they were going for $5 each. Not too bad, really. As for finding them in cartridges, yes this is true. You can find them in two Atari 7800 cartridges: Ballblazer and Commando. Note, they are NOT socketed and you will be required to desolder them from the circuit board. In my opinion, I would just pay the $5 and avoid the hassle of having to desolder (and possibly damage) a 40 pin chip. Good luck. Those Star Wars boardsets take 4 Pokeys each. That can add up real fast!

In the online article "Finding and Using Anonymous Proxies" by Hevnsnt, I had some trouble using the Charon application that he described. I am having trouble with finding a valid "Proxy Judge" in the "Connect Options" box. It always sez "Bad Proxy Judge Detected" when I enter a proxy there. I believe that this is why I cannot find anonymous proxies using Charon. Can you help me with this?

Brainwaste

Greetings Zach. I know you guys are deep into component level design and repair. I've been trying my hand at component level repair and have one huge hurdle I've yet to discover an easy way to get around. Desoldering. Yes, desoldering chips from circuit boards without destroying the board. I've tried solder suckers. I've tried desoldering wick. I've tried heat guns. I always find a new way to destroy the circuit board in the process of trying to remove chips. HELP!

Destiny X

Hello Destiny. I was just having this very conversation with a staff member a few weeks ago. Here's what I recommended to him at the time. Get yourself a professional desoldering station. I personally recommend the Hakko line-up. www.hakko.com I would go for the model 701 (http://www.hakko.com/english/products/hakko_701.html) or an older 700 if you can find one. They're really great little machines. Note, stay AWAY from the model 808. Using the 700/701 is pretty simple as long as you know how to go about it. First, flow some new solder onto the pins of the chip you want to remove. Then, use the desoldering part of the hakko unit. Place the tip on the pad, heat it up until the solder melts, move it around a little to make sure the solder has melted in the hole, then squeeze the trigger. SUCK... solder all gone. Do that for every pin and the chip should come up with little trouble and no damage to the board. I've done it thousands of times without ever losing a board (or a chip for that matter). I did a quick look and found a new model 700 on ebay for $100 buy it now. Not a bad deal at all considering this unit runs about $900 new. Oh, be sure to change out the filters OFTEN. They get clogged up, usually after you shut the machine down and it cools off. I usually change them out just before I start the unit up each time. Good luck.

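The editor's explanation of the "flash mind reader" (in the reply to Charlie K. above), checked in code. This is an added example, not from the magazine; it assumes the site's equation is the usual one for this trick (take a two-digit number and subtract the sum of its digits), and the symbol chart it builds is a constructed stand-in for the site's own.

```python
from random import Random

# Constructed stand-in for the symbols on the site's chart.
SYMBOLS = ["star", "moon", "sun", "key", "heart", "skull", "bolt", "leaf"]


def mind_reader_answer(n):
    """Apply the trick's equation to a two-digit number 00..99.

    Assumed equation (the letter does not spell it out): take the number
    and subtract the sum of its two digits.
    """
    if not 0 <= n <= 99:
        raise ValueError("pick a two-digit number, 00 through 99")
    tens, ones = divmod(n, 10)
    return n - (tens + ones)


def possible_answers():
    """Every result the equation can produce across 00..99, sorted.

    Algebraically 10*t + o - (t + o) = 9*t, so only ten values
    (0, 9, ..., 81) can ever come out, which is the editor's point.
    """
    return sorted({mind_reader_answer(n) for n in range(100)})


def build_symbol_chart(seed=2005):
    """Constructed stand-in for the site's chart of 100 symbols.

    Most entries are random, but every reachable answer is given the
    same symbol; that shared symbol is what the crystal ball "predicts".
    """
    rng = Random(seed)
    chart = {k: rng.choice(SYMBOLS) for k in range(100)}
    predicted = rng.choice(SYMBOLS)
    for k in possible_answers():
        chart[k] = predicted
    return chart


def crystal_ball(chart):
    """What the ball shows: the one symbol shared by all possible answers."""
    shown = {chart[k] for k in possible_answers()}
    if len(shown) != 1:
        raise ValueError("chart does not map every reachable answer to one symbol")
    return shown.pop()


def trick_always_works(chart):
    """True if, for every starting number, the chart's symbol at the
    player's answer is exactly the symbol the ball shows."""
    ball = crystal_ball(chart)
    return all(chart[mind_reader_answer(n)] == ball for n in range(100))


if __name__ == "__main__":
    chart = build_symbol_chart()
    print("possible answers:", possible_answers())
    print("the ball always shows:", crystal_ball(chart))
    print("works for all 100 numbers:", trick_always_works(chart))
```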
I am trying to access some data on a disk.. I'm having a hell of a time with this. Is there any way you can help me?

Greevil

Well, we'd like to help you, but we have no idea what you want help with, exactly. What do you want to access, precisely? Do you need to get some data off of a dead hard drive? Do you want to remove some data off of a floppy which is from a different platform than your own? Do you want to "rip" some code from a game on disk? What? We're waiting to get a more detailed idea of what you want help with. Data on a disk....I can assume you mean a 3.5" disk on the PC platform. But, then again, I could be wrong. I really need more information on the subject before I can advise you.

I am having one hell of a time over here! SCE has turned off my power and I'm pissed off. They want this HUGE deposit before they will turn the power back on. What are my options here? Can I just file a dispute and get my power back on? I'm sure you can give me some insight. I've been without power for nearly a week and a half now. HELP!

Powerless

We hope you have your power back on by the time you read this! Answering your question, unfortunately there are not many options available to you. As you know, SCE and other utility companies are nothing short of monopolies. So, let's see here.. I'm assuming you failed to pay which is the initial cause for your un-plugged status. Now they want a deposit plus any monies owed. Typical.

Ok, here's the deal.. If you dispute them, call up the Public Utilities Commission and complain. They will require you to give them the money in question and then they will decide who is right and who is wrong. Unfortunately, we must inform you that the PUC is in the back pockets of ALL the utility companies. Yeah, PUC, we know they own you! Don't try to lie your way out of it! So, in essence, you just waste your time and SCE gets the money anyway. I've never once witnessed any individual or company win against a utility when the PUC is involved. Never!

Anyway, if you don't want to bother with them, you can just pay SCE.. It's not lost money. They will hold the deposit for a length of one year and then, if there are NO late payments within that year, they will credit your account with the deposit amount, plus any interest made within that year (the interest is supposed to be whatever the prime rate is at the time - which amounts to nothing, really). According to their rules, if you ARE late any time within that year, they reserve the right to hold on to that deposit for up to 5 years. That's what they say, but in reality, they just start the 12 month clock over again.

If you disconnect service at any time and you are paid up at the time, they will refund your deposit. The deposit isn't such a bad thing unless it's outrageous and you just cannot afford it. If that is the case, you might want to try calling Home Energy Assistance. They may be able to help you. Their number is (800)433-4327. Who knows, you might be eligible.

Your last option is theft, which we do not encourage, but it is a thought which crosses many minds. Theft of power has a hefty penalty and it's dangerous. However, it's very easy to do - and - get away with, believe it or not. You can slow meters down, tap power off of a neighbor, etc..

My suggestion is to pucker up and pay SCE. I know it's not what you wanted to hear, but we're not about stealing services. SCE workers can be really nice if you show interest in paying them. In fact, if you ask nicely, they may reduce the "deposit" amount or push the deposit back to a further date, let you make installments on it, etc. Under NO circumstances will they ignore the deposit. They're going to make you pay it, no matter what excuse you may have. It's a simple but sad truth.

In the movie "War Games," Matthew Broderick is able to trick a telephone into giving him a free call with a soda can pull tab & trick an electronic lock into opening with a tape recorder. Are these plausible? Can you explain them? Devoted reader in Cambridge, MA. P.S. Please use larger text in future issues. P.P.S. What's a COCOT?

Unknown

Ok, here we go.. By the way, we really do love this movie.. it's one of our favorites over here.. All of the details of the stuff they do within that movie may not be entirely correct, but when you overlook those minor (HUGE) details, it's a fun movie to watch. Anyhow, on to your questions. It is entirely possible to "fool" a payphone into giving you a free phone call - in essence, making the phone believe you inserted money when, in fact, you did not do so. The method Matthew used to achieve this has never successfully been attempted by anyone over here, though we have heard over and over again by many that it did in fact work at some point in time, supposedly still working about the time the movie came out.

The next question: Matthew tricked an electronic lock into opening with a tape recorder. Now, again, this is entirely possible given the information we had at the time of watching the movie. You can clearly "hear" in the movie that the keypresses did, in fact, create a DTMF tone with each push. A recording of these tones would most likely be readily acceptable into the input of the electronic switch. However, it was a very crude, CRUDE example and there was no isolation used, etc.. Anyhow, I doubt very much that NORAD would be using such crappy security locks on their detention (looked more like a medical unit) cells. Every single electronic lock that we've worked with never EVER used DTMF tones to operate the switching action. However, we do know there exist switching devices that DO use DTMF tones (over the phone lines or over Amateur radio auto patches) to operate. Given the type of switch used in the movie (a DTMF operated switch) it was possible to trick it as done in the movie....however, unlikely that the real world uses such locks in locations such as the one in the movie.

Explanation: In the movie, the switch used DTMF (Dual Tone, Multi Frequency) tones (such as the tones made when you push keys on your telephone)... these tones, in turn, operate the switch....the switch is "listening" for those tones.. when it hears the proper sequence, it opens up. Now, simply recording these tones would suffice in fooling the switch. Record the tones and then play them back... it'll be nearly the same as keying in the tones by hand.... that's it. Try this... next time you make a call, figure out a way to RECORD the tones you're dialing. When done, play the tones into the mouthpiece at a later time.. If you recorded them with any clarity and play them back with little distortion and high enough audio level, the call should be placed as if you just dialed it by hand. Pretty neat! haha.. This is how people used to (and still do, actually) place redbox phone calls. They record the coin insertion tones and then play them back into the mouthpiece of a payphone somewhere. Although many phone companies have caught onto this and it no longer works as the mouthpiece is shut OFF until a coin is inserted, at which time you CAN use the recorded tones... Fun! Doesn't always work, as there's always someone doing something new to stop call fraud. Ok, as for larger text in the future? We'll work on it.. We have to cram a LOT of stuff on these pages, larger text would seriously cut into the content quantity.. We'll see about it, though.

A COCOT is a Customer Owned Coin Operated Telephone.... it's a payphone that you or I or anyone can purchase, pop onto a phone line and make money with it.. These phones can be found all over the states...and they are not operated by the phone companies... They are privately owned and operated... That's about it. Happy hacking!

I just wanted to compliment you for running a great magazine. I thought that your answers to the guy who was still using a Commodore 64 home computer were right on the nose and it was nice of you to refer to the machine as you did. I get sick of people talking down on the Commodore 64 all the time. As you know, it was (and still is) a great little machine and does a lot for such a small (and OLD) piece of work. I was wondering if you could print a little more on the Amiga line of computers because I recently purchased a used Amiga 2000 and I would like to know more about it, how I can use it, what software I should use with it, etc. Thanks for a great mag!

Hawkeye

Hey Hawkeye, we've been trying to include articles on the Amiga as often as possible. We still get a few requests for them from time to time and then we pump out a new article. Most of them have been done by Mobby G. as of late. He's the only Amiga writer we have around. Anyhow, we will, in future issues, be dealing more with the hardware hacks and such and how you can use it in a manner which follows with the basic idea behind the magazine (hacking) more or less. Thanks for your interest in the growth of the magazine, Hawkeye..

I have an old Commodore 64 that I still use and I was wondering if there is anything I can use with it to learn a little more about hacking, phreaking and such. I am new to all of this, so please try to keep it simple like you usually do. By the way, I really do like your magazine. You guys are doing a great job!

PolarSwirl

You're in luck. A lot of us started out on Commodore 64's so we know of many things you can do with it. The only thing I will talk about this time around will be a program called "Phone Man" (I believe that's what it was called - it's been a LONG time). Anyhow, this cool little program has all sorts of stuff that's cool to play with.. It has a redbox tone generator, a green box tone generator, silver box, blue box, etc. Plus, it's a terminal software as well. Believe it or not, recording those little red box tones and playing them back into a payphone is what got a LOT of kids started in the wonderful world of hacking. Phone Man is a very OLD program and I do not know what the last release version of it was, but it will always remain in my mind that I had a good time playing with it and a lot of little hacks you can make to do just about anything you can dream up. Locate that program, play with it for awhile and then get back to us. Have fun and hope you CAN locate the program.

This is the first time I've seen your magazine. I saw it in my local Borders, right where a competitor's magazine (no names) used to be. I am happy to have found your magazine - it's pretty cool and has much better topics. Question: I am interested in submitting some articles for reprint. Would you be interested? Please withhold my name/location as I am sure some people may be offended with my association with you and I don't feel like dealing with them thinking I've left them in the dust for your magazine. It's a bunch of b.s., apparently! Anyhow, be sure to answer me and I'll get you some cool articles.

(name withheld)

Cool. Yes, we're always interested in article submissions... Contact us through our website ASAP and let us take a look at what you've got. We can withhold your name/location, etc... BUT, if you're a writer for who I think you are.... you shouldn't CARE what they think.. If you still want to submit anything, try to include some type of name or alias that people will know. Our readers like to know whose articles they're reading. The more known you are, the better off your articles will be received. At least, that's how I see it. I suppose I could be completely off-base. Well, thanks for your support.

Just wanted to drop you a note and say how much I liked your mag. I had never heard of it until i was in my local Borders looking for the latest  and there weren't any and they seem to have stopped carrying them. Instead in its exact place I see your magazine. So I see it say "the official hackers magazine" and take all 3 copies that they had in the store for my friends. I am an ex-hacker from back in the day when they got more than stealing cable accomplished and went to taco bell. Now all the so-called hackers do is smoke crack and talk a lot. Anyways, I am also about to start a store dedicated to hackers and hacking types of materials. It's called legal to me and have been selling console copiers under the name for a couple of years now. We will be a cross between a spy-shop and a computer store doing upgrades, software sales, cd-rom burning, selling all kinds of underground publications, and most every kind of semi-legal hacking paraphernalia that I can get my hands on. So if you could, can you send me info on advertising as well. Until now I didn't know there were any other magazines to contribute to. Anyways, thanx for a great mag and lots of luck in the future.

DoD

Hey, glad you like the magazine and we're happy you found it. Ah, how many times we've heard the same story... I found it at Borders...next to, behind, in front of, etc... hahaha. So, did your friends enjoy the copies you picked up for them? Glad to see someone from the old school hacker crowd is still around. When you start up your store, let us know. I'd like to check it out myself sometime. Check out our website (we just redesigned it) for your media kit information. Everything is available online now. Anyhow, I'm glad you hooked up with us. Yes, there ARE other hackers magazines available. Thanks for the comments. Be sure to contact us soon. We have a lot to talk about. Laters and take it easy.

Blacklisted! 411                              Volume 7 Issue 4 - Fall 2005                                                      13
With the massive influx of WWW users and AOLers, many of you may have noticed the surge in new 'EliTE' haxors. I've got nothing wrong with this. I welcome new users into the scene when I can, and I hope they do well. Traditionally, they tend to be nice at first, till I ask them one question. From that point on, I am somewhat considered the enemy.

They get offended. Now, I am no old school hacker, but I am an old school user. I have had friends excel in the ANSI art field. I have had friends get busted for phreaking, hacking, carding, you name it. I just merely watched it all. But in the height of my AG, I noticed something. We were living in a golden age. Boards ALL ran without PGRs, UL/DL ratios, no file points, etc.

This subculture used to be about the free trade of information. It used to be about helping one another. I don't know what happened to that. Somewhere between _WarGames_ and _Sneakers_ something went wrong. The people that make up this mystic world of ours have gotten greedy. They all seek power, instead of companionship. You must know what I am talking about... Users aren't as nice anymore. The perpetual newbie is treated like shit by the users who think they have been in the scene a long time.

There shouldn't be a place for braggarts in our world. We visit a place where skin color and other material things don't matter. But the influx of users are making it matter. Like I said, I am no power user, and don't ever aspire to be, but this world of ours, this 'scene' is dying. I plead to you all not to let that happen... Make it about information, not who can get the most '0 days' first. Thanks 411, and you rule.

MetalHead

Times change - and the people change with it. We remember the "good old days" as well. We're in agreement that the whole scene has degraded over the years. People have become careless, rude and greedy. Once upon a time, one could call their local system and grab all the info they wanted, ask all the questions they wanted and someone would help. A little time passed and the people in the "know" started hoarding all the information for themselves and held onto it very tightly. If you had a question to ask, you were considered a "lamer". This such behavior has been getting worse through the years. Now, it's come to a point where there are people who KNOW and the people who do NOT know.. not many people in between.

We're right there in the middle, guys. Helping people along. Bringing them into the know. If you don't like it, that's too bad. We're here to bust the information lock-up wide open so everyone will know what's going on. We're going to stay to the true hacker ways and SHARE our information.

Ok, that's enough of that for awhile.. Thanks for bringing some topics into light. We all know it, but nobody wants to admit it. Thanks for being honest. We could use a little more of that. Ironic, isn't it? Hackers. Honesty. Doesn't seem like those two words should be anywhere near each other these days, considering that the media has been dragging the hacker name through the mud for many years.

Hey Blacklisted. I've heard about this Real ID thing (national ID card?) and I was wondering what your take was on the subject. You seem to have an unnatural ability to see right through the BS and give us the real scoop on any given subject. So, can you give me a heads up on the situation before this new concept becomes a reality.

SamB.

Hello Sam. Real ID. It's an up and coming "plan" (recently passed under the Real ID Act) to replace our drivers license with a new ID card which is supposed to be conformed to a standard that each and every State in the union can read electronically, more or less. The idea is to have a federally approved ID card in place for people who want to: travel on an airplane, open a bank account, collect social security payments or utilize any number of other governmental services...and, of course, this would supposedly make it more difficult for terrorists to do their evil bidding.

Well, I have a problem with a national ID only on a personal privacy issue, but on the surface, the ID sounds OK at this point. Overall, I have no issue with the stated intent, in fact it would be a good thing for all of us, particularly if you travel. Here's where it gets a little too hairy for my liking.

The Department of Homeland Security has been given the sole power to setup the standards for these ID cards. So far, we're pretty sure that the following information will be included on the card in electronic format: name, birth date, gender, ID number, a digital photograph and your address. The problem begins when we start adding retinal scan, fingerprints AND make it RFID compatible. It's possible that, eventually, the Department of Homeland Security may require this ID to be used to do your shopping at the local grocery store, the flower shop or who knows what else. The problem is that nobody knows and the Department of Homeland Security has sweeping power to do whatever the hell they feel like doing, with little to no opposition from any entity. The scariest part of this is the addition of RFID to the cards. I for one will refuse to use one of these up until the very end. The folks at defcon this year proved that RFID could be read from a distance of what, 69 feet was it? Could you imagine how tragic this would be for people? Have you ever heard of identity theft? It would get worse with these new ID's armed with RFID, not better! That's a fact, people.

So, all we can do is wait and see what the final details of this so-called "real" ID will amount to. I for one will be watching very closely on this subject. It's a real issue and everyone should be worried.

I've been following your magazine for a few issues and have decided to write in once and for all. I was at one of the surplus stores that TechnoHeap recently suggested and I found a phone that had ABCD buttons. I was wondering what the A, B, C and D touch tone keys are used for? I have never seen them on anything else nor have I seen any mention of their use anywhere. Why are they not found on phones?

GradyV.

Hi there, Grady... Ok, here's an answer straight out of the Hacker FAQ concerning the ABCD touch tones: These are extensions to the standard touch-tones (0-9, *, #) which originated with the U.S. military's Autovon phone network. The original names of these keys were FO (Flash Override), F (Flash), I (Immediate), and P (Priority). The various priority levels established calls with varying degrees of immediacy, terminating other conversations on the network if necessary. FO was the greatest priority, normally reserved for the President or very high ranking officials. P had a lesser priority, but still took precedence over calls that were placed without any priority established. Today, the tones are commonly referred to as the A, B, C and D tones respectively; each of these tones use 1633 Hz as their high tone. These are found mainly used in special applications such as amateur radio repeaters for their signaling and control. Modems and touch tone circuits tend to include the A, B, C and D tones as well. These tones have not been used for general public service, and it would take years before these tones could be used in such things as customer information lines; such services would have to be compatible with the existing 12-button touch tone sets in any case.

An interesting note: most modems will recreate these touch tones... instead of numbers, use ABCD... see if it works on your modem.. Kind of useful for your touch tone projects if you're worried about people using their phones to trigger your devices. Think about it. It's called security through obscurity.

I love the magazine. I'm not particularly adept but I'm still curious. I study various technologies from time to time but I tend to get impatient with textbooks and want to know how the electronic and mechanical things I live with actually work. Your magazine is great for that, although it's often over my head. This gives me some direction, though.

A local electronics store here in Gainesville has recently changed hands and the new owner has been cleaning it out. It used to look like a chiphead's basement. You could find everything from new IC's to old 60's computer tape drives there, mostly in pieces. I used to go there just to poke around. Anyway, the new owner doesn't want the old stuff around anymore and has been taking out the parts that he thinks he can sell and tossing the rest. He told me that he had dumped five tons of stuff in the previous three months. I have been making nightly forays into his dumpster since then and have now got the garage too full to park the car in it.

Generally I strip stuff off of circuit boards and put things together on a solderless bread board. I often can't completely identify the components but when I can I tinker with them. It's a cheap supply of parts and I don't cry when I cook something. My question primarily is, how do I identify what the components are? The ones with numbers I can sometimes find data on in a replacement catalog or the ARRL handbook, but not very often. Sometimes the shape of a part gives it away. Often, though, I have no idea of what some part is.

A poke around in the construction roll off where a supermarket is under renovation scored me four of the LED matrix type of electronic signs, and I would love to get them working. They bear the name Litek and three of the four are model ISA4008. The other one is model SAT4008. They're four feet, four inches long and have LED matrices on both sides. They have four wire power cords, two wires each for ground and two for +9 volts. They each also have a four wire phone cord jack. The circuit boards inside bear the name Litek Microsystems, inc.

My guess is that you work out your design on a computer and upload it to the sign, probably through some kind of proprietary bus slot card. It would be cool if I could program them through a modem though. Anyway, they have little batteries on the boards so I think they must have enough memory to hold the message and that you could use the same computer to program a number of them. I would be appreciative of any help you could give me.

Keep the cool magazine coming.

tofm

Awesome! You're interested in electronics. You sound like the rest of us over here. I really hate to hear about people dumping so much junk like that. I would suggest taking as much of it as you can. If you're a real hardware hacker type, you can find a use for just about every little part you can find.

Stripping parts off of boards is a great way to save money and allow one to become "fearless" when they prototype stuff because, like you said, who cares if you fry something, right? Back in the 80's, I used to do the same thing... I'd have piles and piles of circuit boards set aside just to strip for parts. There's one big drawback (besides it being so time consuming - which doesn't really seem to matter for the real hacker type... or really bored type) anyhow, the drawback is that you're not really too sure if the part you stripped off of a circuit board is good or not. It really sucks when you work so hard to get a circuit designed and then prototyped... and then you get stuck into a debug mode for the next 6 hours only to find out an electrolytic capacitor and two transistors were bad the whole time. Damnit! Now, I won't keep used parts for very long unless I can definitely determine if they're good or not.

Want to identify parts? This is going to sound kind of lame, but get your hands on electronic catalogs. Particularly older catalogs from the 80's - ACP put out a great catalog with tons of pictures and descriptions. So did Jameco. Their older catalogs are the best! Now, don't gasp everyone. Get your hands on a Radio Shack catalog for starters. It has pictures and descriptions of parts. It's a good start. Next, get some catalogs from places like:

JDR Microdevices
1850 South 10th Street
San Jose, CA 95112
(800)538-5005

Mouser Electronics
11433 Woodside Avenue
Santee, CA 92071
(800)992-9943

MECI
340 E. First Street
Dayton, OH 45402
(800)344-4465
http://www.meci.com

Marlin P. Jones & Assoc. Inc.
P.O. Box 12685
Lake Park, FL 33403-0685
(800)652-6733

All Electronics
905 S. Vermont Avenue
Los Angeles, CA 90006
(213)380-8000
(800)826-5432
http://www.allcorp.com

Digikey
701 Brooks Ave. South
Thief River Falls, MN 56701-0677
(800)344-4539
http://www.digikey.com

Contact these people and get their catalogs. It will help you out quite a bit. We have no info on your electronic signs.. Perhaps one of our readers will be able to send information you can use.

Cool zine you guys have. Quickly, I need a rundown of the DTMF tones over here in the UK so I can mess around.. Can you also include the redbox tones, if they exist? Thanks Bunches

ZerO Kay

We don't get many requests for this info, but we have it on hand. So, no problema, dude! Here's the DTMF tones. You should be able to figure out the chart below:

          1209Hz   1336Hz   1477Hz   1633Hz
697Hz        1        2        3        A
770Hz        4        5        6        B
852Hz        7        8        9        C
941Hz        *        0        #        D

Now for the redbox tones. The 1000Hz tone listed below is NOT a DTMF, it's a single tone. (Strange, huh?) Anyhow, supposedly, for this to work, you need an operator to connect your call. We're not sure of the effectiveness of this, but here's the info to chomp on. If anyone out there has any specific information regarding this, please forward it to us. Anyhow, here's your redbox tone:

10p   Length 200 milliseconds. Freq: 1000Hz.
20p   Two times the above.
50p   Length 350 milliseconds. Freq: 1000Hz.
1ukp  Two times the above.
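As an added example (not from the magazine), here is a small Python DTMF decoder built on the 4x4 chart above, covering the 1633 Hz column of A-D tones that the Grady reply describes. It uses the Goertzel algorithm, which the letters do not mention, and assumes an 8000 Hz sample rate.

```python
"""Decode DTMF keys, including the A-D column, from the 4x4 frequency chart.

Added example, not code from the magazine. A key is synthesized as the sum
of its row (low) tone and column (high) tone from the chart, then decoded
with the Goertzel algorithm, which measures signal energy at exactly the
eight DTMF frequencies. The 8000 Hz sample rate is an assumption.
"""
import math

SAMPLE_RATE = 8000  # assumed telephone-quality sample rate
LOW_TONES = (697, 770, 852, 941)        # row tones
HIGH_TONES = (1209, 1336, 1477, 1633)   # column tones; 1633 Hz is the A-D column
KEYPAD = (("1", "2", "3", "A"),
          ("4", "5", "6", "B"),
          ("7", "8", "9", "C"),
          ("*", "0", "#", "D"))


def synthesize(key, duration_ms=100):
    """Return float samples of the two-tone pair that represents `key`."""
    for row_index, row in enumerate(KEYPAD):
        if key in row:
            low = LOW_TONES[row_index]
            high = HIGH_TONES[row.index(key)]
            break
    else:
        raise ValueError(f"not a DTMF key: {key!r}")
    count = SAMPLE_RATE * duration_ms // 1000
    return [0.5 * math.sin(2 * math.pi * low * i / SAMPLE_RATE)
            + 0.5 * math.sin(2 * math.pi * high * i / SAMPLE_RATE)
            for i in range(count)]


def goertzel(samples, freq):
    """Energy of `samples` at `freq`: one DFT bin without computing the rest."""
    coeff = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def decode(samples, min_ratio=4.0):
    """Return the key whose row and column tones dominate, or None.

    `min_ratio` is a constructed threshold: the strongest tone in each
    group must carry at least `min_ratio` times the energy of the
    runner-up, otherwise the block is rejected as noise or a lone tone.
    """
    def strongest(freqs):
        ranked = sorted(((goertzel(samples, f), f) for f in freqs), reverse=True)
        (best_energy, best_freq), (second_energy, _) = ranked[0], ranked[1]
        if best_energy > min_ratio * max(second_energy, 1e-9):
            return best_freq
        return None

    low, high = strongest(LOW_TONES), strongest(HIGH_TONES)
    if low is None or high is None:
        return None
    return KEYPAD[LOW_TONES.index(low)][HIGH_TONES.index(high)]


def round_trip(keys):
    """Synthesize each key in `keys` and decode it back; '?' marks a failure."""
    return "".join(decode(synthesize(k)) or "?" for k in keys)


if __name__ == "__main__":
    print(round_trip("1633AD#*0"))  # 1633AD#*0
```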

The Art of Casual WiFi Hacking
BY JEREMY MARTIN

It is a cloudy Friday night and I am listening to another episode of 2600's "Off the Hook" radio when the interruption of the phone catches my attention. I had been expecting the call from my colleague, because I needed help with some new proof-of-concept ideas for a penetration test I have the following week. During the conversation, we eagerly decided to head out for the night to Wardrive in the area. Wardriving is always a good excuse to test new programs and ideas. We position both laptops for optimal WiFi signal, easy access to the GPS devices, and secure them for the least amount of movement while driving. Right before we leave, we make sure the power converter is turned on, and the systems are plugged in. To cover all our bases, one laptop runs Windows XP Pro, NetStumbler, and Cain & Abel while the second system has Suse 9.2 Linux with Kismet, Airsnort, Aircrack, and Void11. Using two devices with such different environments improves success while surveying WiFi in an area or "footprinting" them.

Wardriving
Also referred to as "Geek's catch and release fishing", is the act of driving around and scanning for open WiFi hotspots. This is considered a sport in many circles and is growing in popularity across the globe.

Warwalking
Is similar to wardriving, but on foot. There are many PDA devices that will allow you to install wireless and network auditing tools.

Here is where the fun begins. After driving for a few miles, we enter a well lit street in the business section of town, and hear the ping of live access points every few seconds. Even though we have been doing this for years, we are both amazed at the percentage of companies that employ WiFi that do not implement any sort of encryption. This allows us to park and let Kismet do what it does best... passively listen to network traffic running over the 802.11 signal. We are able to map several subnets and gather other interesting information being broadcast to the public. At the end of the night, we were able to gather over 127 WiFi hotspots after only driving seventeen miles round trip. With this type of information gathered, playtime for hackers begins.

Wardriving is done for many reasons. Some do it for a social activity with friends. Others Wardrive as a community service to increase awareness, as a business model to secure for profit, or even to cause the dreaded criminal acts of spreading viruses, hacking, or committing fraud.
The Gear

Windows system:
    •  Acer Aspire 1520 laptop
    •  RiklenGPS
    •  FM Modulator
    •  Windows XP Pro
    •  NetStumbler
    •  Cain & Abel
    •  MS Streets & Trips

Linux system:
    •  Acer Travelmate
    •  Microsoft MN-520
    •  Suse Linux 9.2
    •  Kismet
    •  AirSnort
    •  Void11

Wardriving does not take a long list of special tools and equipment. Above is a list of equipment I use and have found to work; it is not a requirements list. Almost any WiFi enabled Windows machine can scan for hotspots right out of the box by installing either Cain or NetStumbler. Linux is another story. Since the Linux environment allows for more direct access to the hardware, there are more items to consider. These include Linux compatibility, correct drivers, and knowledge of iwconfig or a similar configuration utility for using the card in promiscuous mode. Many "Live Linux" distributions take care of most of the work for you if the WiFi card has compatible chipsets. The most common and well known WiFi chipset for Linux use is the PRISM 2. The Orinoco Gold card became very popular because of its ease of use and ability to work with most Linux environments out of the box. You can use most Windows based cards in a Linux environment by using an NDIS driver, but they will not work for scanning purposes because of the inability to access the hardware directly.
The problem you may come across is that most Windows based scanning utilities use a method of scanning called "active scanning" because of the limited access to the hardware. When scanning for WiFi using an active scanning method, your device sends out a request on every channel and logs all replies. The traffic produced can be immense and is also noisy. Anyone set up to listen for incoming connections will instantly know you are scanning because of this.

NetStumbler is an active Windows based scanner that produces the information you need for mapping WiFi hotspots including SSID, encryption, and GPS coordinates. Since the program constantly screams out "ARE THERE ANY ACCESS POINTS OUT THERE", the responses are more abundant. One of the issues you may come across is that the traffic is so chatty that other devices scanning may get spammed by fake access points. NetStumbler is not self contained and it uses Windows drivers to access the WiFi card, causing the Wireless Zero Configuration to shut down when run. Wireless Zero Configuration in WinXP allows the operating system to find available WiFi networks. This is a problem for connecting to an access point while Wardriving. The easiest way to resolve this is to save the NetStumbler data, close the program, and refresh the available networks.
Cain & Abel is one of the best FREE all-around auditing programs out there for the Windows platform. It sports ARP poisoning, password crackers, a VoIP logger, and has a WiFi scanner built in. This application does not have the same downfall as NetStumbler because it uses a third-party driver called WinPcap (used for most low level network programs like the sniffer Ethereal). Cain & Abel doesn't seem to detect the volume of access points as NetStumbler does, so the choice is mainly a preference one.
Kismet is popular because it uses "passive scanning" methods and does not interfere with network traffic or WiFi signals. When using a passive scanner, data is logged only when an access point transmits. It is almost impossible to detect while giving you even more information than the previously mentioned counterparts. If enough traffic is generated or active traffic passes through, you can grab the IP address range of the access point without having to log in. Knowing the access point's IP address can come in handy if the network does not use DHCP. If you use a second computer running Cain to ARP poison the access point, Kismet can gather a lot more than just the SSID.
If you do not want to install a Linux distribution on your system, you can download a live Linux distribution with all of the required tools already installed on a CD. Live Linux distributions allow even a system with Windows installed to boot into a Linux environment that is not installed on the hard drive. Most Live Linux distributions do not mount the hard drive and leave little to no trace evidence that they were ever used in an attack. These distributions can also be used to gather information from a target system without compromising the evidence.
Last but not least, you need a means of transportation of some sort. I like to use a vehicle because I'm too lazy to carry around a "desktop replacement" laptop and have not invested money into a good PDA yet. It's much more efficient to sit, relax, and Wardrive. I drive a good old American gas guzzling SUV to seat all of the people comfortably. One of the most important items you can purchase besides the computer equipment would have to be the power converter. I use three 700 watt AC converters because there are always 1-6 people needing power whenever I go out. I also have a spare battery because I tend to drain more power than most people.
Now that you have chosen your gear, you can start to Wardrive. One of the most common questions people ask when they are new to the scene is "what should I expect?" When you drive, most areas will usually have a concentration of noticeable signals in business districts and residential areas. I know it doesn't take a genius to deduce these obvious facts, but there are different reasons why the hotspots are available.
Small to medium sized businesses are more likely to have unsecured wireless access points than large companies, publicly traded businesses, financial institutions, or health organizations. The latter are covered under many regulations in most countries and are required to encrypt wireless communications if they are allowed to use them at all. Many small to medium sized businesses either do not have the budget to hire competent IT staff or do not feel that the security is important and do not bother to lock down straying signals. Yet there is another reason this sector may have open WiFi. They want it... Some people feel adding open internet access adds another level of service and quality of life to their environment. These companies welcome your patronage.
Residential WiFi is the most common signal you will pick up. Some open access points are open to develop ad hoc Metropolitan Area Networks for file sharing, underground internet media, and to help make society. SeattleWireless.net is a prime example of a portion of the community working together to bring WiFi to a larger crowd. This Seattle based group even produced several online videos to help increase awareness. Not all residential service is open to sharing though. Many ISPs have service agreements that make sharing the Internet access against the rules, subjecting the owner to fines and/or cancellation of service. If the resident does not give you the proverbial "ok" to use the Internet or network connection, you may be breaking many laws including theft of service, unauthorized access to a computer network, criminal trespass, or even federal anti-wiretapping laws.
Now that you have the data, what do you do with it? This section will discuss using a program on the Microsoft Windows platform with NetStumbler data to survey an area. Below, figure 1 shows a sample of data that may resemble the data you will also find. Keep in mind that the percentage of encrypted vs. non-encrypted networks will vary from location to location. In the area where these tests have been conducted, 65.78% of the networks have no encryption scheme implemented. The scary part is that the business districts had a higher percentage of vulnerable systems than residential areas. Another very important thing to look at is the list of SSID names... Many of them are using the default name. Broadband routers with the default name will probably still have the default passwords on them as well, and are far more interesting targets than a hidden SSID. Now, back to work...




[Figure 1: screenshot of the NetStumbler list view, one row per access point, with columns for MAC address, SSID, channel, speed (11 or 54 Mbps), vendor (Linksys, D-Link, Gemtek, Proxim, one marked "Fake"), type (AP) and encryption. SSIDs visible include linksys, default, NETGEAR, Gateway, WLAN, wireless, Railway District, Home and C&S AirPort; only the Railway District row shows WEP.]

Figure 1 (NetStumbler data gathered during an area scan)

The native NetStumbler file (NS1) can be uploaded to most of the online WiFi public depositories, such as wifimaps.com
and wigle.net, for the rest of the community to view. For example, Wigle.net quotes the types supported:
             NetStumbler: native (.ns1), text, wiscan, summary
             DStumbler: text output
             Kismet: CSV (.csv), XML (.xml), GPS (.gps), CWGD output
             MacStumbler: plist XML, wiscan format
             Pocket Warrior: text output
However, if you want to import it into many of the commercial map programs like Microsoft's Streets & Trips or
MapPoint, you will need to convert the data into a more universally read file such as a CSV formatted file. This is easily
done by opening NetStumbler, left clicking on File, then on Export, and then on Summary. Save the file with a ".CSV"
extension and then close NetStumbler. Converting data in general is not that difficult; you just need to be aware of the
end format. The exported file is most of the way done, but just needs to go through a little clean up before importing
it into another program. As illustrated in figures 2 and 3, by opening the file in a basic text editor, you can see how
clean the file already is. You will just need to remove a couple of lines. If you have programming skills, you can
automate the process in very little time.




[Figure 2: NetStumbler wi-scan summary export opened in a text editor. The proprietary header lines read "Network Stumbler Version 0.4.0", "wi-scan summary with extensions", the column headings Latitude, Longitude, ( SSID ), Type, ( BSSID ), and "$DateGMT: 2004-11-14"; the data rows that follow list networks such as The Pines, default, linksys and 101 with their BSSIDs.]

                    Figure 2 (NetStumbler data export containing proprietary header information)




18                                           Volume 7 Issue 4 - Fall 2005                                             Blacklisted! 411
[Figure 3: the same export with the header lines removed; only the data rows remain (SSIDs The Pines, default, linksys, 101, GPCSTORE and a second linksys).]

                    Figure 3 (NetStumbler data export after header information has been cleaned)
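The clean-up shown in figures 2 and 3 (drop the header lines, keep the columns a mapping program needs) is the kind of thing the author says is quick to script. The Python below is an added example and is not code from the magazine or from NetStumbler; it assumes the wi-scan summary layout visible in Figure 2: lines starting with "#" are header or comment lines, and each data row is tab-separated with latitude, longitude, ( SSID ), type and ( BSSID ) as its first five columns. The sample export, its coordinates and its BSSIDs are constructed.

```python
"""Convert a NetStumbler wi-scan summary export into a plain CSV file.

Added example, not from the magazine or NetStumbler. Assumed layout (as in
Figure 2): '#' header/comment lines, then tab-separated rows whose first five
columns are latitude, longitude, ( SSID ), type, ( BSSID ). Only those five
columns are kept; everything else NetStumbler appends is ignored.
"""
import csv
import io
import re

# Constructed sample export: coordinates and BSSIDs are made up.
SAMPLE_EXPORT = """\
# $Creator: Network Stumbler Version 0.4.0
# $Format: wi-scan summary with extensions
# Latitude\tLongitude\t( SSID )\tType\t( BSSID )\tTime (GMT)\t[ SNR Sig Noise ]
# $DateGMT: 2004-11-14
N 33.3704867\tW 114.1819300\t( The Pines )\tBSS\t( 00:0c:41:15:aa:01 )\t18:21:45 (GMT)\t[ 20 45 25 ]
N 33.3708667\tW 114.1812150\t(  )\tBSS\t( 00:90:4b:36:42:20 )\t18:21:50 (GMT)\t[ 12 37 25 ]
N 33.3692183\tW 114.2100967\t( default )\tBSS\t( 00:40:05:24:bb:02 )\t18:22:01 (GMT)\t[ 9 34 25 ]
N 33.3692417\tW 114.2095217\t( linksys )\tBSS\t( 00:06:25:55:cc:03 )\t18:22:04 (GMT)\t[ 15 40 25 ]
"""

FIELDS = ["latitude", "longitude", "ssid", "type", "bssid"]
_PAREN = re.compile(r"^\(\s*(.*?)\s*\)$")


def _unwrap(value):
    """Strip the '( ... )' wrapper NetStumbler puts around SSID and BSSID."""
    m = _PAREN.match(value.strip())
    return m.group(1) if m else value.strip()


def _coord(value):
    """'N 33.37' -> 33.37 and 'W 114.18' -> -114.18 (south and west are negative)."""
    hemisphere, number = value.split()
    sign = -1.0 if hemisphere.upper() in ("S", "W") else 1.0
    return sign * float(number)


def parse_wiscan(text):
    """Return one dict per data row; header and malformed lines are dropped."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # proprietary header / comment line
        cols = line.split("\t")
        if len(cols) < 5:
            continue  # not a complete data row
        rows.append({
            "latitude": _coord(cols[0]),
            "longitude": _coord(cols[1]),
            "ssid": _unwrap(cols[2]),
            "type": cols[3].strip(),
            "bssid": _unwrap(cols[4]).lower(),
        })
    return rows


def to_csv(text):
    """Render the parsed rows as CSV text with a header line."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(parse_wiscan(text))
    return buf.getvalue()


if __name__ == "__main__":
    # Typical use: python this_script.py < export.txt > export.csv
    print(to_csv(SAMPLE_EXPORT), end="")
```

An empty SSID (the second row) is kept as an empty cell rather than dropped, because a hidden or blank SSID is still a real network at a real position; and the coordinates are converted to signed decimal degrees, which is what mapping programs read directly.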

Now that you have used Cain, NetStumbler, or Kismet to gather the information, you can start your quest to crack the
WEP. The important portion of the data that you will need to start with is the target's SSID, MAC address, and
channel.

Gathering the information

With the needed information, criminals will now start to attack the WEP, or install a Warcracker (a small computer
designed to automate the information gathering and cracking process) that can be either accessed remotely or picked up at
a later time. Information Security professionals will sometimes install these devices during penetration tests or
espionage simulations to sniff traffic and archive it for future analysis.

To stay legal while practicing "proof-of-concept", it is a good idea to create a lab environment with several WiFi
access points as targets and several systems with WiFi cards to increase the amount of "interesting" traffic.
Interesting traffic contains the key negotiation packets and will allow you to gather enough information by sniffing to
crack the WEP key in a short period of time. This traffic can be generated by running programs like Aireplay and
Void11. This will generate the required WEP initialization vectors for the cracking to take place. Airodump is easy
to use and helps with this process.

For this example, the target WiFi Access Point has the SSID of WLAN, MAC address of XX:XX:XX:XX:XX:XX,
and the channel of 9. We will use Airodump to capture the weak IV packets and start the passive packet capture to
the file named keygen. The command should look like this from a root level command line shell:

root@home[~]# airodump wlan0 keygen XX:XX:XX:XX:XX:XX

This will save all of the interesting packets in a file called keygen.txt that we will use shortly. However, unless you
have a lot of time on your hands, you may want to speed up the process a little. Void11 is a common tool that
deauthenticates the wireless clients. This works great in a lab environment, but will set off triggers in a business
setting and is a symptom of a possible attack on your system. During a Kismet scan, we have found a client system
with the MAC address of YY:YY:YY:YY:YY:YY. This is important because we are going to target that MAC
address along with the Wireless Access Point to help generate the information we need. Using Void11, the command
should look like this from a root level command line shell:




root@home[~]# void11_penetration -D -s YY:YY:YY:YY:YY:YY -B XX:XX:XX:XX:XX:XX wlan0

To shorten the time it takes even more, many people use Void11 in conjunction with Aireplay. This program
captures valid traffic, replays it and sends it to the Access Point to generate more of the right traffic.

root@home[~]# aireplay -i wlan0 -b XX:XX:XX:XX:XX:XX -m 68 -n 68 -d YY:YY:YY:YY:YY:YY

The entire time the programs Void11 and Aireplay are running, Airodump is capturing packets that will be used in the
cryptanalysis process. With multiple systems generating the traffic, a sniffer can record data faster and increase the
rate at which the key can be uncovered. Airodump can be used to save the traffic to a file, and Aircrack can then take that file
to attack the key. The whole trick is to force the WiFi device to generate the right traffic.

 Cracking the WEP
Now we have a file ready to be sent to the butcher. This is where Aircrack comes in. It will use the Airodump data
and start the cracking process to generate the correct key. To break 128 bit WEP, the file will need to have 200,000 to
700,000 unique IV packets. Assuming that we have a good enough file, we attack the file to get the key. Using
Aircrack, the command should look like this from the root level command line shell:

root@home[~]# aircrack -f 2 -m XX:XX:XX:XX:XX:XX -n 128 -q 3 keygen.cap
When the key has been discovered, you should see "KEY FOUND!". At this point, the Wireless Access Point has
been compromised and can be accessed. You have now cracked WiFi encryption!
A similar method was used at an ISSA meeting in Los Angeles, where a local team of FBI special agents cracked a 128 bit
WEP key in three minutes using commonly found tools available off the Internet. This demonstration was done to
prove that even WEP 128 is a vulnerable encryption and should no longer be used when securing WiFi hotspots.
Keep in mind, the more computers generating interesting packets, the faster you can break the WEP.
In this article, we have discussed the entire process of cracking WEP encryption from the initial search during
Wardriving or Warwalking. It is important to become familiar with scanning tools like Cain, Kismet, NetStumbler,
and MiniStumbler to help survey the area. The other tools that have been covered should give you the ability to crack
your own WEP key and may now give you the extra push you need to convince those with WiFi to move to the next level
of security, WPA. WPA or WPA2 encryption is the new commercial standard and is more difficult to break.
       Disclaimer: Do not connect to Wireless networks that you do not have authorization to use. Many businesses
       are more than happy to share their WiFi signal with you if you are a regular customer. On the other side of the
       coin, private parties such as home users are usually not as friendly when they see someone parked outside their
       house in the middle of the night and may call the police. Depending on the laws and regulations in your area,
       this may be considered illegal. Just remember, Wardriving is the catch and release for geeks. Be safe, be smart,
       and happy Wardriving.

 Resources:

Windows WiFi
              •      http://www.NetStumbler.com (NetStumbler & MiniStumbler)
              •      http://www.oxid.it (Cain & Abel)

Linux WiFi (Some of these applications have a port to Windows)
             •    http://freshmeat.net/projects/aircrack (Aircrack, Aireplay, Airodump)
             •    http://sourceforge.net/projects/airpwn (Airpwn)
             •    http://sourceforge.net/projects/airsnort (Airsnort)
             •    http://www.kismetwireless.net/ (Kismet)
             •    http://wepcrack.sourceforge.net/ (WEPCrack)

WiFi Hotspot online maps
            •      http://www.wifimaps.com/
            •      http://wigle.net/

Other good resources
             •     http://www.cwnp.com (Planet3 Wireless)
             •     http://www.infosecwriters.com
             •     http://www.oissg.org (Open Information Systems Security Group)
             •     http://www.revision3.com (Home of several hack/computer ezines)
             •     http://www.seattlewireless.net (Seattle Wireless)
             •     http://www.tomsnetworking.com/Sections-article111-page1.php (FBI Cracks WEP)



                                           UnicOder presents
                                 Cheating on Browser-Based Games
                                        A true hacking story
                                     unicoder@blacklisted411.net




Preface

Anyone that has ever played browser-based games has probably seen the high score lists with the people at the top
with unrealistic scores. You may have wondered: "How did these people manage to get such high scores?" If you
were smart enough, you would come to the conclusion that these people didn't play the game for hours just to get a
high score, but rather they cheated. But how can one cheat on one of these games? And what can developers of
browser-based games do to prevent cheating? This and more will be covered in my article. Prepare for a thrilling true
hacking story featuring me - UnicOder - and watch me putting myself on top of a high score list by using some dirty
tricks. ;-)

How everything started ...

It all started around a month ago, when I was waiting on some of my colleagues at my university's campus. Since they
were late, I used the spare time to think about what my next article for Blacklisted!411 would be. Unfortunately I
didn't come up with any mind-blowing ideas, so I grabbed my cell phone and started to play Tetris to kill time. I don't
remember how long I played, but suddenly I had the idea to write about cheating on browser-based games. I realised
that for many years I had wondered how some people managed to cheat on browser-based games, but had never
actually tried it myself.

A few weeks later, my vacation started, and I finally had time for some hacking activities. On a rainy day I found
myself searching for a website containing JavaScript games on it (I chose JavaScript games for my little
"experiment", because most of them suffer from weaker security than the widespread Flash-based games).
I finally found a website with a bunch of JavaScript games on it (Tetris, Snake, Pacman, Minesweeper, ...) that
seemed worth a hack. I will refer to the website as
www.cooljsgames.com from now on (the original name was changed to protect the page from abuse).

As any ethical hacker would do, I told the operators of the website before attempting to hack the high scores list.
Fortunately, they graciously allowed me to perform the hack and later allowed me to publish this article (thanks guys,
you are awesome!). This is where my hacking adventure could ultimately start...

Exploring the games on www.cooljsgames.com

Before attempting to do any hacking, I decided to explore www.cooljsgames.com first. I found several nice games and
decided to play a few of them. After I finished playing, I decided I would hack the high score list of the Tetris game
(primarily because I had the idea for this article while playing Tetris ;-) ).

Let's have a look at the Tetris game and how the score submission process works:

First of all you play as long as you can. I guess I don't have to explain the rules of Tetris, as anybody knows this
game. When you lose, a "Submit your Score" button appears (Fig 1).




                                                      Figure 1


When you click on this "Submit your Score" button, a page showing your score is loaded (Fig 2), but the score is not
yet entered into the high score list. Before this is done, you have to enter at least a username and a password (which
you can choose freely - you don't have to register) and click on another "Submit" button (Fig 2).




[Figure 2: the score page with the username and password fields and the second "Submit" button.]

                                                              Figure 2

If your computer doesn't drop the connection at this point, a page telling you that your high score was successfully
entered shows up (Fig 3).




[Figure 3: the confirmation page reporting that the high score was entered.]

                                                              Figure 3

Last but not least you can click on "See Hall of Fame" or try another round of Tetris by clicking on the "Back to the
Game" option. When you click on "See Hall of Fame" a page showing the high scores is loaded (Fig 4).


[Figure 4: the "Hall of Fame" page listing the high scores.]

                                                         Figure 4

As you can see in Fig 4 my score was terrible. But this didn't matter since it only gave me more motivation to hack
my way to the top.

The first hacking attempt - Modification of the JavaScript Code at runtime...

Now that I knew enough about how the game and the process of the score submission worked, I started my first
hacking attempt - the modification of the game's JavaScript code. There was one thing I realised outright: The easiest
way to place a fake high score into the high score list is to inject the score before it is submitted to the server.

As I mentioned before, the simplest way to boost your high score is the modification of the JavaScript code that is
executed in your browser. To carry out this evil plan I decided to try a new extension for the Mozilla Firefox browser
called Platypus [1]. This allowed me to edit the website (and therefore the embedded JavaScript source code as well)
directly in my browser. My intention was to use Platypus to change some lines of the Tetris game's JavaScript code (at
runtime and directly in the browser's window) to produce higher scores that could be submitted to www.cooljsgames.com
later on.
As it turned out, this was not the best plan since Platypus seemed to have problems with the website's massive amount
of JavaScript code. Applying the "Modify Target HTML" function in Platypus always resulted in an incomplete
presentation of the source code (Fig 5). I tried everything but I could not force Platypus to display (and let me edit) the
whole code of the JavaScript Tetris game.




[Figure 5: the Platypus "Modify Target HTML" view showing only part of the game's source code.]

                                                         Figure 5

I really don't know exactly why Platypus had this problem - maybe it was because I used a Beta Version (Version
0.51) that is far away from being stable - but I finally rejected Platypus and decided to change the JavaScript source in
a good old manner with a simple text editor.

The second attempt - Modification of the JavaScript Code with a simple text editor...

First of all I downloaded play.htm (this contains the JavaScript source of the Tetris game) from www.cooljsgames.com
to my local hard disk and opened the file in my favourite text editor, Programmers Notepad [2]. Reading through
the code of the JavaScript I found the code passage that dealt with the initialisation of the Tetris game (Fig 6).




[Figure 6: the initialisation section of the Tetris game's JavaScript source, opened in Programmers Notepad.]

And there it was: UnicOder, aka leethacker, on top of the Tetris high score list! Thanks to cheating. (Fig 15)



[Figure 15: the Highscores page with UnicOder (leethacker) in first place.]

                                                         Figure 15

 Conclusions

As you can see, there is no magic behind cheating on a browser-based game, especially when the security of the game
is weak like the site I hacked: All I needed for this hack was perseverance, a computer with internet access, Mozilla
Firefox and some nice browser extensions. But I don't just want to tell you how to cheat on browser-based games, but
also how to properly secure them...

3 methods to circumvent cheating:

              URL referrer protection (very basic protection)
              Encryption of the scores sent to the online server (mediocre protection, depends on the encryption
              algorithm and on whether it is client or server based)
              Additional use of strong session keys (best protection, impedes the replay attack)

The combined use of all three methods mentioned above makes cheating nearly impossible (I do not want to say
impossible, because anything can be hacked). All the developers have to do to prevent cheating is to implement these
things into their games. I know, things like encryption or session keys are not easy to implement, but hey - there is no
better way to make browser-based games more secure. And what is more important than security?

If you have any further questions regarding this article or if you just want to give me a shout, send an email to
unicoder@blacklisted411.net, post in the Blacklisted!411 forums (http://www.blacklisted411.net/forums/) or submit a
comment to the printed magazine.

 And never forget: Hacking is not a game, hacking is survival training . ;-)

 Links

[1] Platypus - http://platypus.mozdev.org/
[2] Programmers Notepad - http://www.pnotepad.org/
[3] Hypertext Transfer Protocol HTTP/1.1 - http://www.ietf.org/rfc/rfc2616.txt
[4] Web Developer Extension - http://chrispederick.com/work/firefox/webdeveloper/
[5] LiveHTTPHeaders - http://livehttpheaders.mozdev.org/

 Shouts

 Ustler and the administrators of the hacked website


                          FREE BROADBAND
                                                    By Dr. Fibes
You're saying "What's that?" Yes, I'm not kidding. No tricks or gimmicks, no salesman will come to your door. I'm
going to show you EXACTLY how to get FREE broadband. You're not going to steal it, that's bad karma dude.
You're going to use your brain to get it, like any good white hat hacker.

Actually, you're still going to pay for broadband. But you're going to consolidate some other bills into your
broadband payment, the net result being your broadband is going to be paid for from this rearrangement. Or at least
very close. Perhaps it would be more accurate to say "Broadband for the price of cheap dialup." I think I can safely
say that.

Let's do an abridged recap of two-way communication history, certainly not comprehensive.

Once upon a time, personal interaction was the only method of two-way communication possible. If you needed to
communicate with someone, you stood face to face with them and spoke to one another. Oh, you could send a proxy
messenger in your place, but really, it's about the same thing.

Then that writing thing came along and after a while, many people learned how to do it. Then came the postal service.
You could write your thoughts down on some medium and send it to someone far away. After quite a while, you
might get a response back from them. It was low-tech to the max, but much better than what was in existence before
that time. It got faster and faster with advances in transportation, but there was always a lag in the conversation.

Then the telephone was invented. Amazing. Now you could talk to someone miles away, simply by speaking into
this little Bakelite funny looking thing. It sure beat yelling. They could hear you (somewhat) and speak back. You
could understand almost everything they said. It helped to revolutionize the world. It was a good thing.

Then along came personal computers. Heck, you could send an email and your contact on the other end would get it
almost instantly. Sure beat the snail mail. The "lag" could now be reduced to minutes, even seconds. Even with
1200 baud modems. "Verily" we all said, "this is good." And it was and it is.

But people prefer talking. It's faster for most of them, easier, and the conveyance of information is also superior for
most people. You may have noticed that many folks in this world can't spell or write in a very coherent fashion, but
most can communicate at least on some level by speaking. And if they are really poor at communicating, at least with
voice communication and the inherent instant feedback that occurs with it, sub-standard communication can often be
corrected in real time.

We still have Ma Bell, at least a facsimile of it. The price for traditional phone service is somewhat reasonable,
although those in the know are aware that it's way overpriced. But not so much so that most people in, say, the U.S.
and Europe can't cope with it.

But now there's a new kid in town.

Have you heard of VOIP? Of course you have. It's the buzz. VOIP is coming. Soon, almost everyone will dump
their landlines and use VOIP instead. That's the popular consensus, but is it true? I think so. There are pros and cons to
just about everything in life, and VOIP is no exception. Let's take a detailed look at VOIP and weigh those factors. And
let's try to do it without getting too bogged down in the technical aspects of the subject, but rather from the viewpoint
of human beings with human goals and obstacles, seeking ever more effective tools to achieve those goals and
overcome the obstacles.

I believe that the main thing holding VOIP back is resistance to change. We've had the familiar phone company
system longer than anyone reading this has been alive. We're very familiar with its pros and cons and it does the job.
"Better the devil you know..."

Remember dialpad.com? It was one of a handful of companies bringing us this type of technology early on. It was
somewhat lame. But it did give a good vision of what was to come. The audio was garbled beyond comprehension at
times. You really needed a specialized "operator" type headset (earphones & mike) to use it; otherwise you'd have
feedback problems. Both you and your contact on the other end had to have a computer and the Dialpad program
installed on them. But it worked OK a good percentage of the time.

When the old Dialpad was in existence, I had many friends in a town about 30 miles away from me. The phone
company wanted to charge me $.15/minute to talk to them. This could run into some dough after a month or so of
chatting. My friends & I were ecstatic about Dialpad, even with its many shortcomings, because now we paid $0.00/

minute to talk. At the end of the month, we owed ZERO. We'd often talk for hours, why hang up? It was free.
Dialpad is now owned by Yahoo. No surprise there, many, many companies are positioning themselves to take
advantage of the huge VOIP wave about to wash over the world. That's the real question we should all be asking
ourselves: "Whose service do I utilize?"

 Vonage is the Verizon offshoot. This is for the sheeple. For those who are afraid of trusting their two-way existence
 to anything new, Verizon has the answer. At an outrageous price that totally negates one of the most important
 advantages to VOIP. Those devils...

Redundancy is also an important issue. Any good engineer will design in some degree of redundancy if at all
possible. For an often quoted example, the shuttle has 3 computers that "vote" on every decision. Another example:
all cars since the 1960's, perhaps even before, have separate hydraulic systems for the front and rear brakes. If one
fails, you still have at least some braking power in the other. Communications can be vitally important; if we
desperately need to communicate, we want to be sure that we can.

Let's go back to our once upon a time scenario. Not that long ago, the ONLY method of two-way communication
was the telephone. Now most of us have: email, landline phone, cell phone, chat services, etc. Even the lowly phone
booth counts unless you live in the woods. That's a lot of redundancy.

Just how much redundancy do you need? As near as 15-20 years ago, most folks had only the telephone and the phone
booth. OK, that's two methods of two-way communication. Now let's add in today's cell phones and the various
internet services. That's four methods in the modern world (counting the myriad of internet services as only one
system). How many backup systems do you really need?

 IMHO, the cell phone is a viable backup service. Excluding the phone, phone booth and cell phone, all of the
 communications I have mentioned utilize the internet in some fashion. Perhaps then some are concerned with the
 question "What if my ISP goes down?"

Well, how about this. Let's say you live somewhere and a big disaster occurs, maybe a huge hurricane. Hey, that just
happened. Did Ma Bell's communications system survive? Nope. Pretty much nothing did. So what did those poor
souls gain from the redundancy of the phone company?
 Yeah, your ISP may go down. The phone company may shut down. The cell relay satellites may get fried in the blink
 of an eye. That's why we have redundancy.

What I am speaking of is this: with your ISP, cell phone and the same old lowly phone booth, you already have
multiple options, more than you had 15-20 years ago. Do you need another one? Some may answer "Yes." Then
plunk down your $30+ per month and you shall have it.

For those that feel three options are reasonable, call Ma Bell and tell them to take a hike. You just saved $30+ per
month. What's that broadband cost? Huh, about $30-35 per month. Now we have come full circle to the point of this
article.

In a case like Katrina, about the only things that would have kept you communicating with the outside world would
have been a battery-powered ham transceiver and a good antenna. And then only if you had been able to keep it from
getting soaked. In most of the stories you read, those poor people said it happened so fast all they had time to do was
head for the attic. It's not likely anyone would have had time to grab the transceiver from the garage, much less the
antenna. OK, maybe a two-meter handheld could be handy.

The point is: how many of you landline phone fans have a ham transceiver in the garage? If you're truly serious about
having as many options as possible come hell or tsunami, shouldn't you get one of those too? It just doesn't add up.

Now VOIP isn't free, at least convenient VOIP. So you've got me, you may not get off quite free. But darn close. If
you take an HONEST look at your phone usage you're likely to find you can get what you need in a VOIP service for
less than half of what your Verizon or other traditional phone service charges monthly. With no change whatsoever in
your usage habits. Isn't that a good deal?

Incidentally, if you paid attention to the news, the people interested in pushing WIMAX were down there in New
Orleans before any other communications industry, providing WIMAX VOIP to the survivors. Ma Bell was nowhere
in sight. How's that for a testimonial?

Many are probably dragging their feet about VOIP due to equipment cost. While VOIP offers vastly superior audio
quality in comparison to standard phone lines, unless you replace your phones with VOIP enabled phones, you won't
notice much improvement, although even if you don't you'll probably notice some. Last I checked VOIP phones
were pretty pricey. For you shoestring people (like me) using your current phones is a good option. Yeah, it won't
sound like an audiophile stereo system, but it'll be at least as good as what you're used to and much cheaper.

Then the only equipment you'll need (because you're already going to get a router for your broadband, right?) is a
VOIP to RJ-11 adapter. I just checked on Ebay, they're going for between $15-99, with shipping. In most cases,
you'll just DISCONNECT YOUR EXISTING WIRES TO THE PHONE COMPANY, plug the adapter into one of
your existing phone jacks, hook an Ethernet cable into your router and then start calling people. No heavy duty phone
wiring exercises. The same wires that already exist in your abode will suffice.

IMPORTANT NOTE: Follow the manufacturer's directions, not mine. This general description is not meant to be an
instruction manual on installing a VOIP adapter. You assume all risk even if these instructions are wrong, etc. etc.
Specifically, you'll blow your new adapter if you don't disconnect the service lines from the phone company before
doing anything else.

 The available plans by providers vary greatly in this infant industry. And what suits me may not be right for you, so
 I'll leave that for you to do on your own.

The services offered vary greatly as well. Some have 911 & 411 service, others don't. Most that don't say they'll
offer that in the future. But most providers offer things like call forwarding, caller ID with name, call waiting,
distinctive ring, voicemail and others STANDARD. Add those up on your traditional service.

Some allow you to transfer your existing number over, others don't. At least one utilizes your computer bandwidth to
conduct their business in exchange for a low monthly rate; the majority of them don't. Most allow you to use your
laptop as a cell phone in Wi-Fi hot spots. It goes on & on, you'll just have to decide which factors are important to
you.

Be sure to snoop around to see what actual customers of that provider have to say about their service. I haven't seen
too many negative comments, but better to find out before you plunk down your bucks.

A few, like Vonage, require that you use THEIR adapter. Check out these details with a potential vendor before
getting that whiz-bang adapter on Ebay.

You may have noticed that I haven't spoken a great deal about the technical aspects of VOIP. That's because it's
really not necessary to go into that to get a grasp of the possibilities here. It's what you're already used to with phone
service. Sign up, plug it in and start talking.

After Katrina, Rita came rolling in from the Gulf to hit Houston. Many Houston residents, with Katrina's awesome
horror still fresh in their minds, hopped in their vehicles and headed north. The traffic jams were tremendous. Fuel
ran out at the gas stations along the way. It was yet another nightmare.

Yet if these folks had thought about it for a few minutes before they left, they would have realized that this would be
the case. Why not head to the west or east to a road less traveled? They had plenty of time, they could have even
made it to high and dry Arizona before Rita made landfall.

Follow your heart, not the herd. They'll follow along shortly in this case. If you're on dialup, trade it in for
broadband now for the same price or less. If you're on broadband already, start saving now.

And my apologies to the people of Houston, hindsight is 20/20. After Katrina, who'd be criticized for not running like
crazy in the opposite direction? The analogy was for the purpose of illustration only.




HOW WOULD I HACK THEE?
Social Engineering and the Basic Hack
By M L Shannon


As we all know, there are many sources of information, some of which are not so easily accessible. So when
someone has good reason to obtain this information, but is prevented from doing so, then what might be called
extraordinary measures are called for.

(Insert theme from Mission Impossible here)

This could mean physically entering the facility, the place where the files are stored, which might require resorting to
something as ham-fisted as breaking down a door (which, as you are aware if you have ever done it, makes a great deal
of noise, often sufficient to wake up the midnight shift IT people) or, with a bit more finesse (like the geeks in the
contest at DEFCON 13), lockpicking.

But sometimes, Oh Joy! it is possible to hack one's way into the repository, or even better, depending on particulars,
find someone else to do the job.

Now, in such a Black Bag operation, a good way to begin is to make a plan, calculate the odds. The chances of
success compared to a free ride in a foul smelling van full of nasty criminals all wearing designer stainless steel
bracelets by Smith and Wesson. Not to mention the loss of your laptop.

Case the Joint
Over the years that I have been involved in electronic surveillance and countermeasures, it has become second nature
to wonder, when I enter a room, how someone would go about installing listening devices. How and where. I learned
to think that way, a mindset that is necessary when working a TSCM sweep.

Now, one criteria (TSCM techs use that word sometimes, just as the old timers still say 'clandestine') is the possibility
of an inside job.

Devise a plan. Check the perimeter, and if possible get inside and have a look. Take stock of the tools available for the
mission and . Devising a plan and all that fix

In my earliest experiences searching for monitoring devices, there were few personal computers and most businesses
didn't even have them. But the TSCM technician today has to deal with computer systems as they are present in most
homes and virtually all businesses.

So, along with opening all of the books on the shelves and removing plastic plates from wall plugs and switches,
peeking underneath desks and tables, it has become necessary to test clients' systems for vulnerabilities. Such as
machines that do not require a username and password to access them, passwords that are easily guessed or written on
a Post-It and stuck on the back of the monitor or in an unlocked desk drawer, and worse, terminals left online, the user
not having logged out. On one sweep, at a large corporation that you have probably heard of, I found a
number of them.

In the wireless world, we now look for Access Points that don't use at least WEP and are sitting in front of a window,
and of course "rogue" wireless Access Points installed by a competitor's spy or unhappy employee about to quit.

But I had always approached this from a countermeasures perspective; on the defensive, wondering how someone else
might attack a system, and how I might discover what they had done, rather than how I would go about it. They are
much the same, but not entirely.

That was until something happened to change the way I looked at one system in particular, and to wonder how it might
be possible to hack my way into it. For a reason that I believed was justified. Should you have read my first book,
Don't Bug Me from Paladin Press, you might recall where I stated that while spying on someone without them
knowing about it is legally wrong, it is not necessarily morally wrong.

In that book, I tell the story of a beautiful young girl who was being stalked and terrorized by her ex-husband and no
one could do anything to help her. Until, that is, an electronic technician bugged the guy's bedroom and got the goods
on him. Confronted with the evidence - tape recordings - he never bothered her again.

Sometimes spying is justified, even if it is unlawful.

     Many years later something happened, a problem, and though it was later resolved, at the time it caused me to start
     thinking about how I might take care of it myself. I had what I believed to be a morally justified reason to access
     information, as I will describe in this short article.

     I was waiting in the examining room at a local clinic. The doctor comes in, a puzzled expression on his face. Now that
     alone was enough to freak me out and when he sits down and says he "has something to discuss with me", my pulse
     rate goes into triple digits.

     He wants to know about a problem I supposedly had relating to one of the other physicians there, which was a
     mystery to me - I had gotten along fine with everyone there. At least as far as I knew. Then he asked if I had been
     examined for (a serious disease) recently, that there was a note in my file about it.

     I am starting to wonder if he has the right me and he verifies this, so I want to know what the hell is going on. But he
     won't tell me anything. Covering up a mistake? I wonder.

     After the exam I ask if they can fax me a copy of the blood test result and am told no. No way. I will have to make an
     appointment (which takes several weeks) or come to the urgent care clinic which means sitting in the lobby for several
     hours and taking up staff time that could be used for someone really sick.

     This clinic is part of the City and County Health Department network. It links the many satellite clinics, hospitals and
     other facilities and stores information on the patients that visit them. So, what if I wanted to look at my own records,
     to find out what the hell they didn't want to tell me. Or maybe even someone else's file?

     And, again, while the information was soon made available to me (and there were no physical problems requiring
     treatment) still I wondered, how might I go about getting into the system?

     Social Engineering 101
     Now, this particular facility was open to patients on a sliding-scale basis, a place for low income people as well as
     starving writers, and at the time I qualified as I had no steady income. It was also for the homeless, and so, the
     'average' patient might be assumed, by the health care workers, to not have much in the way of computer skills.

     At least that's the impression I got when I started probing for answers. Playing dumb, of course, which is an important
     factor in social engineering.

     In many, if not most situations, give the person you are quizzing the idea that they know much more than you do and
     you'll get more answers than if you come on with a lot of arrogance. Although sometimes you need to come on a bit
     heavy as you will read later on.

     I scheduled a visit, having had a minor foot injury and complaining of back pain, which was real and probably the
     result of sitting in front of this damned monitor so many hours a day. I get there, get signed in, the usual temperature
     and blood pressure check and "Do you use drugs? Yes. What kind? Heineken. Is that all? Yes."

     After waiting a couple hours, trying to read a book on the Linux operating system that is mostly g(r)eek to me, I am
     led to an examining room. The nurse comes to ask the requisite 'where does it hurt' questions.

     While I am explaining that my foot hurts (it really did since I dropped a power supply on it) and that I have upper
     back pain (I don't mention computers) I stare at the terminal sitting on a shelf and work in a few innocuous questions.
     Like whether or not 'that computer' had Donkey Kong and if they could send that "Internet Email I have heard
     about". She didn't know if it was connected to the Internet but yes, they could send mail to others on the "circuit". The
     Donkey Kong question was ignored but I suspect it served to make me seem ignorant as well as harmless.

     "Hey, wow, that's neat - you can call up the computer when you are at home to check up on patients and stuff, eh?" I
     was referring to RAS but again, of course I didn't use the term.

     She didn't know for sure but said she assumed that The Doctors would, like for emergencies, be able to. So, it appears
     that the network does have RAS.

     I let it go at that.

     The nurse leaves and again, I wait for the doctor. I am tempted to try punching a few keys but decide to wait and try to
     get more information. I do look at the back of the terminal. Two USB ports. Cables are power, monitor, mouse,
     keyboard and a CAT-5. But no RJ-11 phone cable.

     The Doctor comes in, asks me questions. I explain about the injury and some other symptoms and that I think I have
     plantar fasciitis. He looks at me with a quizzical expression and I tell him that a friend I was visiting looked on the
     Internet after I mentioned my foot problem, and he found this place that told all about it.


     So I asked, maybe you can find that place on this (I point) computer?

     He doesn't know.

     Doc leaves telling me nurse will be back with my prescription in a little while.

     I still resist temptation; I don't touch the terminal, but I am thinking. Plotting. Mentally hacking.

     Making Plans
     Now, how am I gonna get into this system?

     I want to be prepared, so I consider all my options.

     If the terminal is active, and runs off a Windows server, I could maybe plug in a thumb drive and if it uses Plug and
     Play, the drive will automatically be assigned a logical drive letter. But if it is a Unix system, I am out of luck as I
     don't know Unix well enough to get the thing mounted, which would probably require root or su. In any case, this has
     to be done fast to avoid having to explain what I was up to. And keep in mind that we live in post-9/11 America.
     Such an attempted hack could very well mean getting busted. Handcuffs. Jail, even.

     I could install a key logger in the keyboard cable, then power down the terminal so that the next person to use it would
     have to reboot it and enter the info I want - user ID and password.

     I would need to be able to get back into the same examining room to retrieve it, but this is no big deal. I wait two days,
     go in, have a seat in the waiting area across from that exam room, and wait till it is vacant. I go in and if anyone asks
     what I am doing there, I say I lost a ring last time and was looking for it. They buy it and ask me to leave. But it took
     only ten seconds to retrieve the keylogger.

     When I get home, I see what is on it. With a little luck, a user name and password. Maybe links to other networks I
     can make a note of for future reference. Whatever.

     The Internet?
     I already knew they have Email on their net. And the doctor who gave me his card has his Email address on it. David
     Barnyard MD. daveb@healthiernet.org.

     So, their network can be accessed through the Internet. At least their mail server. Time to dig around. I fire up
     NetDemon (from www.netdemon.net), an excellent suite of IP tools.

     First, I check the IP. Enter healthiernet.org and I get the IP which is 204.XX.XXX.X. To make sure it is up and
     running, I ping it and get

         reply from [204.XX.XXX.X]    172 ms
         reply from [204.XX.XXX.X]    188 ms
         reply from [204.XX.XXX.X]    187 ms
         reply from [204.XX.XXX.X]    188 ms
         reply from [204.XX.XXX.X]    172 ms
         ping statistics for 204.XX.XXX.X
         5 packets transmitted, 5 received
         round-trip time (ms) min 172, avg 181, max 188

     I could run traceroute but it isn't necessary as I know the network is here in the city where I am. But I do want to see
     if Dr. Barnyard's Email address is valid, so again I use NetDemon. It is a valid address.
     Then, I do a Whois on healthiernet.org.

         OrgName:     City & County of West Woogieboogie
         OrgID:       xxxxxxx
         Address:     XXX Networks, Department of xxxxxxxxx, 1234 Kowabunga Street, 3rd Floor
         City:        West Woogieboogie
         StateProv:   CA
         PostalCode:  94103
         Country:     US

         TechHandle:  BH267-ARIN
         TechName:    Jones, Bob
         TechPhone:   +1-415-255-xxxx
         TechEmail:   bjonez@healthiernet.org

Now I know where they are located, and I have a contact name. Maybe Mr. Jones will be useful if I approach him the
right way.

Next, I type the IP into Firefox and check out their web site. Much useful information here - names of people I might
get answers from. And I examine the source. Hmmm. I see the webmaster's name and Email and that it was built
using Front Page. I make a mental note of that.

Wireless?
So far I haven't seen any wireless equipment anywhere in the clinic, and my little keychain WiFi detector called The
Seeker hasn't indicated the presence of 802.11 but that doesn't mean there isn't any.

The clinic is in the same building with several government offices, so maybe there is an AP somewhere inside one of
the private clinic areas that connects to one of these offices. For whatever reason. And some of the clinic terminals
might be on a segment that feeds through the router and into an AP.

So next, I might try camping out on the street across from the clinic.

To avoid drawing suspicion, I go to Goodwill and get a used messenger bag and a clipboard and take one of my
radios. Like mail delivery persons, messengers are 'invisible'; no one pays any attention to them.

With a Zaurus running Kismet I will capture anything within range, and of course it will look like I am a bored
delivery person waiting for the next pickup and playing with something like a Game Boy. ("Messengers are computer
illiterate. Everyone knows..." Comment heard in an elevator.)

Another lesson in Social Engineering. Don't attract attention. Look as if you belong where you are.

Port Scanning
I have their Net Range from whois, so I could look for open ports, but this would be only if all else fails. Even with
budget cuts and staff shortages, they still have IT people to keep such an important net up and running. There's too
much of a chance of getting nailed (door kicked in, Homeland Security people with machine guns, etc.) unless I can
work without being traced.

So, at least for now, scanning is out.

The Old Geek in the Maintenance Man's Coveralls Trick

Here is where another version of social engineering is appropriate.

Having made a few queries to the doctors and nurses, I had come to the conclusion that they are generally as computer
illiterate as they think their patients are.

And being as busy as they are, they don't have a lot of time to deal with things other than their patients.

The Operation
I have decided on the keystroke logger. I install and retrieve it as described, and I have lucked out. I have the login
info for three different staff members including one doctor. The same one that gave me his card a while back.

There is an Internet Cafe down the street from my apartment that I can connect to for free. The owners don't know
this - the people who go there don't either. They pay six bucks an hour for access to the desktop machines.

Another possibility is to use dial-up from someone else's phone line if one is available.

In either case I would use my DEC 'sterile' notebook computer. The hard drive has been formatted and wiped and
reformatted, has never been online, and no software is used that could be traced back to me.

Overkill? Why take chances?

And, of course, I don't want to alert anyone that I am trying to get into their net.

So, at this point I have login info, passwords, but no access. If I were left alone in one of the examining rooms long
enough, then maybe I could find the data I want but this is improbable, what with so many staff people in and out,
and who would definitely want to know what the hell I was doing messing with one of their computers.

"Uh, I thought the nurse said you do have Donkey Kong."

Not the best of plans.


     But remember that the network does have RAS. So what I need is a phone number.

     I call the number I have for their network facility on 1234 Kowabunga Street and, in my best German accent, request
     to be connected to "the person in charge".

     "This is Dr. Sergut Braunschweiger with the XX General Hospital's visiting benign hyperparapatuitary hematology
     analysis group. You are aware that we would be here, are you not?"

     Now this is where arrogance can be useful in Social Engineering. You are a physician to begin with, and you hit the
     poor IT guy with something - bullshit medical terminology that he probably wouldn't understand even if it was real,
     and in any case, that sounds important. So, you have him on the defensive.

     "Look, I was given a wrong number to connect to the database for hematology patients' records that are part of our
     study and I need to get some case file numbers for my presentation. I was told to use 255-xxxx."

     Since you, as the doctor, have the right prefix, the IT guy is more likely to give you the rest of the number. Once you
     have that, use a Terminal Emulator and connect. Use the login ID from the keystroke logger and you are into the
     network.

     Conclusion
     So how did I finally get the files I wanted?

     Not by hacking into the network. I used yet another variation of social engineering.

     Hospitals are, to repeat myself, very busy places with doctors and nurses, orderlies and security guards, confused
     patients and concerned visitors running around.

     Again, looking like you belong where you are is imperative. Next is knowing the language, the terminology, and of
     course knowing where the information is located.

     Next, what are you likely to see lying around in a large hospital?

     Uniforms. Whites, greens... and here and there, the unquestioned badge of authenticity, the stethoscope.

     I have 'the patient's' (my own) ID card and so the required numbers.

     So I take the elevator to the third floor. Medical Records.

     "Patient Shannon is in ER on a gunshot wound C and B claiming has B neg and I need his most recent blood workup
     stat."

     A few minutes later, I have my own file. And a small digital camera.

     Hacking is only part of the process of obtaining 'forbidden' information. Social Engineering will often produce results
     where super-geeks might fail. And that, getting the information, is what it is all about.

     Oh, I left the stethoscope behind; I didn't steal it.



  The Hacker Chronicles
       An accounting of the life and events of a real honest to goodness old school hacker.


                                                   PART V
  ** A series of articles written exclusively for Blacklisted! 411 **
                                                    By Cactus Jack

Inspired by the recent re-discovery of Blacklisted! 411 magazine and at the request of my wife, I've agreed to write a quasi-
autobiography of some of the goings on in my life that relate to hacking, from as far back as I
can recall. Amazingly enough, I recall everything from the time I was a few months old up until right now, thirty some odd
years later. Very few people have a memory like mine, but those who do should use their gift to teach, instruct and entertain
others. If anything, simply detailing experiences and providing a lesson in history would be more than adequate in helping the
cause. With this in mind, I intend to detail as much of my life as possible, noting the many hacker related experiences I've
had. I hope you enjoy the read.

Welcome to the fifth installment of my ongoing article.

The Post-College Years
To bring you up to speed in the story, I had just finished college, had a bank account full of money and decided to take a long
break from work. I was completely out of the loop for two years, in fact. As far as I was concerned, it was a long needed
(and deserved) vacation to say the least. Sure, I was still interested in technology and continued to upgrade my machines as
time passed, but I didn't really explore hacking during that time. I just focused on buying up pre-made gadgets and didn't
bother dissecting them or constructing anything new.

Anyhow, after just over two years of practicing being a lazy bum, I snapped out of it and dove right back into life, head first.
Hacking was my first priority. The year was 1992. The first thing on my agenda was to get out there and buy up some
electronics surplus to bulk up my own hacking supplies. First stop was Barry's (ECSC). As Zachary Blackstone has
suggested since the first issue of his disk based hacker magazine in 1983 (yes, I was an avid reader of his disk magazine
back in the day), Barry Gatt was extremely easy to deal with and it was nearly impossible to leave his store without buying a
truckload at a time. I bought so much good stuff on that single trip: RAM, EPROMs, programmers, test gear, wire, blank
copper-clad circuit boards and a couple of payphones. Next stop were a couple of lesser known salvage yards that
happened to cater toward electronic/computer scrap.

By the time I had finished stocking up, I was prepped and ready to dive right into hacking again. I started by focusing on my
old Amiga. Years earlier, I had helped design the platform for a multi-serial card that later evolved into the Comports 8-port
high speed serial board. With that in mind, I decided to try my hand at designing a new 32-port card capable of running all
high speed modems. Within two months, I had a prototype board running. I handed the prototype over to Zach at Blacklisted!
411 Magazine and they used it for their online BBS up until the day they pulled the plug. I eventually sold the design and
prototype #2 to DKB but they never did anything with it to my knowledge. You see, the Amiga was kind of on the way out at
the time, so a lot of companies stopped dumping money into the production of new hardware for it. Too bad, it was a nice
machine. Regardless of this, I kept working on Amiga hardware and sold one-offs as much as possible.

After playing with the Amiga for awhile and listening to music on it, I tried my hand at programming a SID player (remember
the old SID songs?). Anyhow, it was successful and I then had to dig up my old Commodore 64 diskettes to try and get my
massive collection of SID songs. Ok, found the disks, but had no way to move them from the C=64 disks to my Amiga.
Hmm. So I had to design a conversion process of some sort. Eventually, it turned into a cable/interface/software package
that allowed me to connect a 1541 (or 1571) disk drive to my Amiga. Ok, problem solved. I enjoyed my SID songs to no
end.

In fact, I enjoyed them so much, I decided to hack the (6581) SID chip some more. I had done it awhile back and then left the C=64
"scene"... I had to gut 5 or 6 C=64s to get the SID chips I needed to start designing something. Let me tell you something
about this chip. Not only does it have an amazing sound, it's also VERY easy to work with. The signal to noise ratio isn't that
great, but the unique sound it produces has probably introduced more people to hacking than anything else. The end result
of my 6581 hacking netted me a working stand-alone SID keyboard and a working SID MIDI box. I still have my SID MIDI
box to this day (2005) and use it from time to time. As for the keyboard, it was sold to someone in the Netherlands in 1994.
Never saw it again. I know, so sad.

Oh yeah, during this whole time, I forgot to mention where I was working. I picked up a part time job with a local custom
circuit fabrication plant (actually, it's a pretty well known firm). Whenever a customer would come in needing a special
something or other, I'd pick up a job to design it for them. It was extremely good pay and the part time status allowed me the
freedom to work on my own projects on the side. I used their facilities to manufacture my own stuff and they had no problem
with it, which was one of the best perks of working there. I could fab a circuit board in minutes on their equipment.

Eventually, all this designing led me to arcade games. I used to be so into arcade games back in the 80's, I couldn't help
but notice when the games started popping up in surplus circles and, eventually, in the auctions. Back then (1993-1995), you
    could pick up rare classics (Atari Quantum, Williams Inferno) for $100 or so. Naturally, me being the pack rat that I am, I
    gobbled up dozens of games and stored them at my place. I immediately began diagnosing dead games and quickly
    discovered that they were rather easy to work on. I also noted the number of "custom" chips a lot of these games required.
    The first game I tackled was an Atari Star Wars cockpit version. The board was dead, the monitor was dead, the machine
    itself was in EXCELLENT condition. The monitor took me 15 minutes to repair by replacing all the transistors on the chassis.
    Did the trick and it fired up immediately. I had a spare board, so I was able to test it. However, I still wanted to work on the
    original, because it was upgraded to an Empire Strikes Back.

    The first thing I noticed was the ESB daughter card and the small custom chip attached to it. Luckily, the part was still
    available through a couple of sources at the time, so I grabbed up a few of them. Next thing I noticed was a custom chip with
    the part number 137179-001 (I still remember it!!). I was able to buy up a small lot of 50 of these from a local repair shop. They
    had no idea what they were, but they had a bunch. I got the entire lot for $10. What a steal! Anyhow, I was able to repair
    the board with little time invested. It turned out to be a bad EPROM on the CPU board. I had an extensive collection of
    programming equipment on hand, so it was an easy fix. Anyhow, this game repair was the one that got me into arcade
    games with both feet. I realized that these custom chips would run out at some point and people would need them. Perfect
    situation for me since I loved reverse engineering.

    I started picking up side repair work from a dozen different repair shops around the area - yeah, there were a lot of them still
    around back then. I had a reputation for being able to repair the "tough" ones and the multi-board setups. I have to admit, I
    was fast, accurate and inexpensive, which is why I was able to pick up so much extra work!

    Several things I contributed to the "community" during my days of hacking arcade games:

    1.     I provided alternatives to custom chips for Atari, Williams and Bally/Midway boards. Specifically, I was able to produce
           a discrete component version of the 137179-001 chip that Atari used on several of their boards. If you look around,
          you can find the plans for this floating around the net even today. I also provided alternatives to the customs on the
          Pac Man/Ms. Pac Man boards. I see that many people have duplicated this effort over the years. That's cool to see
          that there are still some active hardware hackers among us. I also produced an alternative to the custom chip used on
          the Empire Strikes Back upgrade, allowing anyone to make the upgrade themselves.

    2.    I compiled a log of known good EPROM and PROM checksums for hundreds of games, mostly keeping to Atari,
          Williams and Bally/Midway. What was great about this log was that I included checksums for what has become some
          of the rarest of the rare games ever produced. When I got started, there wasn't much demand for these, so it was
          difficult to tell what was "rare" and what wasn't. If I had known, I probably would have kept a few games. I released
          this log to so many people over the years, I know it's out there on the net now. I have not done a search for it, but I
          know that work was put to good use by a lot of people so its proliferation into the net is all but guaranteed.

    3.    I started a GAME-to-JAMMA standard. Personally, I hated JAMMA games more or less, but it sure made it easy to
          work on games based on a single test rig capable of plugging any game into. Eventually, I started making conversion
          harnesses to allow easy hook up into my JAMMA rig. Until then, I had a special rig for each game I worked on. I even
          produced a small portable JAMMA test rig that could be dragged on location to work on games outside the shop. I
          built 25 of these for a local repair shop as part of an exclusive deal. I just saw one of these sell on eBay a few months
          ago. It went for $800-ish. Not bad!

    4.     I created a repair log for each game I worked on. Most of these logs ended up being about an inch thick with paper. I
           included notes, checksums, symptoms, diagnosis, parts alternatives, etc. I had planned on taking these logs and
           turning them into repair books, but I never got around to it. I did release notes as people required them, helping
           people fix their own games. However, I still retain the entirety of my repair logs and intend to send them off to a
           publisher eventually. I figure since most of these games are now classics, people can really benefit from my vast
           knowledge of the repair of these machines.
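
    Items 2 and 4 above both come down to the same check: dump the EPROM, compute its checksum, and compare it against
    a known-good log before blaming the chip. The script below is an added example written for this edit, not Cactus Jack's
    log, his log format or his tooling. The game name, the ROM label and the ROM images are all constructed here so that it
    runs offline. It also shows the caveat a repair tech (or anyone verifying firmware) should keep in mind: the 16-bit
    additive sum that most EPROM programmers display cannot see two bytes swapped, while CRC-32 detects any error
    confined to a 32-bit window and SHA-256 pins down the exact image contents.

```python
"""Check dumped EPROM/PROM images against a known-good checksum log.

Added example for this article, not Cactus Jack's log or tooling. The log
format, the game and ROM-label names, and the ROM images are all
constructed for illustration.
"""
import hashlib
import zlib


def sum16(data: bytes) -> int:
    """16-bit additive checksum (byte sum mod 2**16), the figure most
    EPROM programmers display after a read."""
    return sum(data) & 0xFFFF


def crc32(data: bytes) -> int:
    """CRC-32 (IEEE), the checksum used by MAME-style ROM sets."""
    return zlib.crc32(data) & 0xFFFFFFFF


def sha256hex(data: bytes) -> str:
    """Cryptographic digest: any change to the image changes this value."""
    return hashlib.sha256(data).hexdigest()


def log_entry(game: str, label: str, data: bytes) -> str:
    """One whitespace-separated log line: game label size sum16 crc32 sha256."""
    return (f"{game} {label} {len(data)} {sum16(data):04X} "
            f"{crc32(data):08X} {sha256hex(data)}")


def parse_log(text: str) -> dict:
    """Parse log lines into {(game, label): expected values}; '#' starts a comment."""
    log = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        game, label, size, s16, crc, sha = line.split()
        log[(game, label)] = {"size": int(size), "sum16": int(s16, 16),
                              "crc32": int(crc, 16), "sha256": sha}
    return log


def verify_dump(log: dict, game: str, label: str, data: bytes) -> list:
    """Return mismatch descriptions for a dumped image; an empty list means
    the dump matches the known-good entry on every field."""
    key = (game, label)
    if key not in log:
        return [f"no known-good entry for {game} {label}"]
    want = log[key]
    got = {"size": len(data), "sum16": sum16(data),
           "crc32": crc32(data), "sha256": sha256hex(data)}
    return [f"{field}: expected {want[field]!r}, got {got[field]!r}"
            for field in ("size", "sum16", "crc32", "sha256")
            if want[field] != got[field]]


# Constructed 4 KiB "known good" image, the size of a 2732 EPROM.
REFERENCE = bytes((i * 37 + 11) & 0xFF for i in range(4096))

# Constructed fault 1: one stuck bit, the typical failing EPROM cell.
_stuck = bytearray(REFERENCE)
_stuck[0x123] ^= 0x08
STUCK_BIT = bytes(_stuck)

# Constructed fault 2: two adjacent bytes transposed (e.g. a mis-wired
# address line on the reader). Invisible to an additive checksum.
_swapped = bytearray(REFERENCE)
_swapped[0x200], _swapped[0x201] = _swapped[0x201], _swapped[0x200]
SWAPPED = bytes(_swapped)

# Constructed known-good log, as it would be written from a working board.
KNOWN_GOOD_LOG = ("# game label size sum16 crc32 sha256\n"
                  + log_entry("examplegame", "2A", REFERENCE) + "\n")


def demo() -> dict:
    """Verify the three images; returns {name: list of mismatches}."""
    log = parse_log(KNOWN_GOOD_LOG)
    return {name: verify_dump(log, "examplegame", "2A", img)
            for name, img in (("reference", REFERENCE),
                              ("stuck_bit", STUCK_BIT),
                              ("swapped", SWAPPED))}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else "; ".join(problems))
```

    Run it directly to print the three verdicts. In practice the log lines come from reads of boards that are known to
    work, and the suspect board's dump goes through verify_dump. A match on sum16 alone is not proof of a good image;
    the swapped-bytes case passes it and fails the other two.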

    Needless to say, I enjoyed the arcade hacking to no end. I finally got out of it because I had done so much and it seemed
    that the few arcade companies I worked for were starting to do so badly (as far as income) that it wasn't worth it anymore. All
    but two of those companies have since gone out of business, making it even more desirable to get back into the arcade
    repairs again. Who knows, maybe I will someday.

    My experience working on arcade games landed me my next job. I started doing contract work, designing devices for a large
    company still in business today. (By the way, I'm purposely leaving out names so I don't piss off any of my past or present
    employers.) They, in turn, sell these designs to their clients who manufacture the devices and put them on the market. Many
    of the little electronic gadgets you guys play with today, I've probably played some role in its design somewhere along the
    way. I've done everything from telecommunications and satellite to radio controlled and home A/V equipment.

    I started out as a curious kid, interested in what made things tick. Now, I'm helping to make the things that tick. How's that
    for full circle? Hopefully, there are some out there who pick these things apart and will eventually take my place as a
    designer of technology. I'm getting to the point where I'm thinking about early retirement, so all you hardware hackers out
    there, be advised, there are cool jobs waiting for you in the technology sector. My job may be up for grabs sometime soon.
    I'd like to see a fellow hacker get the job.

    Now I'm going to go on a small rant. Who are these people who keep saying hackers are bad? The media and law
    enforcement. Those are the two main offenders. I'm a hacker. I'm a GOOD hacker. I create and build new technology. I'm
    the one responsible for making those very tools and gadgets the media and law enforcement utilize to do their jobs. Talk
    about ungrateful! Why don't you guys smarten up a little bit and take out your aggression on real criminals. I can't
    understand when being curious became synonymous with being a criminal. It aggravates me to no end when I read the
    headlines. It saddens me that the once proud name of "hacker" has been trashed over and over again by these two entities,
    to the point that the general public now thinks hackers are bad people. However, I have noticed a trend lately, following the Matrix
    movies, that people generally think that hackers are "cool" and mysterious. I suppose I can live with that label. Hey, it's
    better than the alternative, right? Anyhow, with this said, I conclude my series. I sincerely hope that some of you found my
    stories to be of some interest. As the Blacklisted Crew says, HACK THE SYSTEM!
      I-Hacked
      Classification: Website (hardware hacker)
      Cost: $0
      URL: http://www.i-hacked.com

      I think this might be a first for me - writing a review of a website. I usually stick to hardware/software/videos, etc. Try to
      follow along with me. Anyhow, there's this hardware hacker website by the name of I-hacked (www.i-hacked.com) run by
      Heavnsnt. I've been on the site many times, looking around at their constant flow of articles since I'm big into hardware
      hacking. I really like what they're doing and I can't help but notice the great material and the HIGH traffic the site gets.
      Not bad. Not bad at all. One of my favorite articles is "Dirty MIRT" (Mobile InfraRed Transmitter) - it's a how-to on
      constructing a device that will force a traffic signal to give you a green light, just like the fire trucks and ambulances get.
      Anyhow, as much as I like it, I would never recommend building one of these or using one. Why? It's a federal crime!
      There's an article on hacking coke machines, google hacking, Firefox browser hacking, etc. Yeah, so there are tons of
      articles and they're updated very often. As I'm writing this review, a couple of new articles just popped up. Nice. You have
      to visit this site. It's worth your time.

     Make Magazine
     Classification: Magazine (mainstream)
     Cost: $34.95/yr U.S. $39.95/yr CAN $49.95/yr FOREIGN
     URL: http://www.makezine.com

      Published and backed by O'Reilly Media, Inc, Make Magazine is a very cool hardware hacker magazine. It's much more
      than a magazine, though. It's so fricken THICK and full of information, it's more like a book. In fact, they call it a "MOOK"
      which I thought was somewhat amusing. Produced quarterly, the cost of this magazine rings in at around $10 a copy. The
      magazine is a lot like the old electronics magazines (with all the DIY projects) mixed with a little hacking. It's a true hardware
      hacking magazine. It's very mainstream, too, which is good for everyone. They have an opportunity to shine a good light on
      the hacker community. If you like WIRED, this one is SO much better. I had my first three issues sitting on my desk for
      almost two months before I finally had the chance to crack them open and soak it in. I have to say that I'm very impressed
      with the quality and the amount of information. It really blew me away. I'm so incredibly happy to see something like this
      finally being produced because it's backed so well, it will probably stay around for the long haul. As a hacker, I feel that the
      more information sources available, the better off we all are. Keep in mind that because this is a mainstream product, you
      might get a little of that mainstream feel to it (ie: shoving ads down your throat). Personally, I totally dig this magazine. I still
      think it's worth the money and definitely worth a look. To date, I've received four issues (every issue they've produced to
      date) and have been delighted with each issue. If you have not checked them out, please do so right away. I think you'll be
      pleasantly surprised by this find.



                  For the most realistic, mind blowing kidnapping
                           adventures anywhere period!
        Get kidnapped by our sexy Elite All Girls Team, or get
       your ass kicked by the hardcore and sinister Henchman!
                            It's your choice, but you only live once!




If you think back to all the sci-fi movies and TV shows you almost always see robots or humanoid bots running
around and interacting with humans. Star Wars had droids like C3PO and R2D2 and a host of other robots for various
applications. Star Trek had Data, a humanoid android. The movie I, Robot with Will Smith was another great example
of humanoid companions. They were extremely "real" looking and capable of interaction. Check out their cool site
too. During my research for this article, I came across another article in an unrelated genre that actually believed the
site was real! Obviously they had never seen the movie, or they would have known the NS-5 isn't quite possible yet. The
site makes use of flash and I could see it fooling someone. (I didn't say who)

The fact that humanoid robots are always present indicates that they have become an accepted presence in society.
The introduction of humanoid robots will impact our lives probably more than any other previous invention, including
the car, the personal computer, and even the internet. They'll change society, our relationships and even redefine the
family. It seems far off, but it's coming.

As far as robots go, the first applications are likely to be from the military. In the United States, the overwhelming
majority of financial support for robotics R&D comes from the Department of Defense. This isn't really a surprise
since we're always looking for bigger and better ways to kill people and blow stuff up.

Robots have been used in industry for some time, just look at the auto industry. Eventually, when consumer models
crop up, we'll probably see a variety of task oriented models that will help us with household chores, light
conversation and of course, recreation. This is where it will get very interesting. Sex robots will probably be in high
demand. If they look real, and "feel" real, then you know they are gonna be a hit. More on that later...

For starters, imagine a domestic robot, acting as your butler or "household manager", that could communicate with and
control all the other robotic appliances and equipment in your home as well as do tasks such as taking out the garbage,
retrieving your jacket from the upstairs bedroom, cooking dinner, and caring for your elderly live-in parent. How much
time would that save you in a week?

The technology already exists and it can be done. In Japan, numerous high tech companies are developing companion
robots and robots for many applications. A household robot would probably help reduce stress, and increase the
quality of life. Once they work out the bugs, they can only improve. Humanoid development is in its infancy, and
that's what we are witnessing now. The majority of humanoid development is occurring in Japan where half of its
registered engineers are centered on robot intelligence and related fields.

Robots and Ethics
"The next great consumer technology will arrive in the form of personal robots," says Ron Arkin, a Regents professor
in the College of Computing and director of the Mobile Robot Lab.

"The innovations will be accompanied by a host of ethical concerns about human-robot interaction." adds Arkin, who
co-teaches a course on robots and society with Charles Isbell, an assistant professor in the College of Computing.

"The introduction of robots to the general public may be sluggish at first, but it is inevitable," says Arkin, reflecting a
consensus among roboticists worldwide. Among the tasks frequently mentioned as suitable for personal or domestic
robots are housecleaning, cooking, helping care for elderly or disabled people, tutoring and secretarial tasks.

As robots become more animated and sophisticated, Arkin says, they may even be designed as humanoid companions,
teaching humans how to dance, for example. Dance? No word on whether he meant vertically or horizontally although
I will be covering robot intimacy more closely later.

Much of his lab's work aims to identify and combine the elements of reflexive behaviors with cognitive functioning to
create autonomous, decision-making robots. The process is aided by techniques that help a robot "learn" from its
interaction with the environment.

Human-robot interaction and military applications are some of the issues addressed in Arkin's robots and society class.

"What are we doing in terms of military applications? Is this appropriate use? Should robots be able to employ lethal
force?" Arkin asks rhetorically. "At some point, do we trust the machines more than we trust ourselves? The
Terminator movies seem to suggest we cannot trust the machines. I'm talking worst case scenario of course."


"My concern right now is not to formulate doctrine, but rather to formulate a consciousness among roboticists and
robotic scientists that these questions need to be asked," he says. "Georgia Tech, through this course development, has
provided me a wonderful forum to share those questions with my undergraduates."

Lots of really smart guys seem to agree that a few decades from now, give or take a few years, a C3PO lookin' droid
is gonna be playing cards with your grandma, watching your kids, or delivering mail in your office.

"I have felt for years that the first 'killer application' of personal robots will be companionship, especially for the
elderly," said Roger Brockett, a professor of computer science and engineering at Harvard University in Cambridge,
Massachusetts. "Robots are potentially much smarter than dogs and they will not require the same level of upkeep."

Brockett, who founded the Harvard Robotics Laboratory in 1983, is one of several scientists who believe robots will
some day be a part of everyday life.

Joel Burdick, a mechanical engineer and director of the Robotics Group at the California Institute of Technology in
Pasadena, envisions personal robots as something akin to a very sophisticated handheld computer.

"They may remind people of their schedules as they leave the house, keep an eye on children while dinner is prepared,
deliver mail in an office, dispense drugs at a hospital, all kinds of tasks that free up people, trying to make people's
lives easier," he said.

Manuela Veloso, a computer scientist at Carnegie Mellon University in Pittsburgh, Pennsylvania, looks forward to a
future where robots are as much accepted into daily life as the family dog or a newborn child.

"I'm interested in something that just co-exists with us rather than filling any holes, in the same way that when a
human is born we do not need it, but it becomes a part of our lives," she said.

State of Robotics
Although a robot the likes of C-3PO is still a futuristic fantasy, the concept of human-like robots is currently very
popular in Japan, said Burdick. "Japanese society is becoming very elderly and they think they will need more robots
in the home to help out elderly people."

Honda Motor Co. of Japan is currently promoting what it calls the most advanced humanoid. Named ASIMO
(Advanced Step in Innovative Mobility), the robot can interpret the postures and gestures of humans and move
independently in response.

The company says in a statement that ASIMO can "greet approaching people, follow them, move in the direction they
indicate, and even recognize their faces and address them by name." The robot can also access information via the
Internet and use it to answer people's questions (in Japanese) about the news and weather. The last press release
indicated there have been new developments in the ASIMO robot, and it is capable of running now! Check out their
website and watch a clip of that lil' sucker go!

http://world.honda.com/ASIMO/
http://www.honda.co.jp/ASIMO/

There are robots on the consumer market such as the Roomba Intelligent FloorVac from iRobot, which can vacuum
your crib without you lifting a finger. The robot is a commercial venture of computer scientists and engineers
affiliated with the Massachusetts Institute of Technology's Artificial Intelligence Lab in Cambridge.

Robot Sexuality
With all this innovation and research & development, I think it's a safe bet that, at least eventually, humanoid
companions will become as common as cars and computers.

As robots get more sophisticated and more "real" looking, it's inevitable that human nature will prevail and attempt to
create sex robots. Sex-bots, or whatever you want to call them, will likely become a separate, if not popular, industry
within the humanoid companion genre. Enter the Masturbatrix.....

Almost every single sci-fi movie we've seen has alluded to, in one way or another, virtual or robotic sex.

Not necessarily displaying or advocating it, but alluding to it... they just never got into detail with sexuality in movies
and shows like Star Wars, Star Trek, or I, Robot.

Sex dolls are nothing new. What is relatively new are the innovations in them. Ultimately, the people that build and
design these dolls are doing so with the concept of them being fully functional and interactive at some point, thus, a
humanoid companion. A perfect example of very realistic looking sex dolls are the RealDoll. These hit the scene
years ago and even Howard Stern "tried one out". He gave it a double fisted, enthusiastic two thumbs up. He said, and
I quote, "Best sex I ever had! I swear to God! This RealDoll feels better than a real woman! She's fantastic! I love her!
This RealDoll is for real, I swear! Better than a woman! My wife isn't as good as that! May God take away all my
ratings if I'm lying! I'll take a lie detector test! I swear on the life of my children! I did it and it was fulfilling! I did it
and I'm proud of it! It was great! It was the best sex I ever had! Thank you RealDoll.com! It was fabulous! I could fall
in love with that thing!" - Howard Stern

After checking out their site, it's amazing how real they look. And at a whopping base price of $6,499.00 they're not
playing around. They have a few competitors as well. http://www.superbabe2000.com/frame1.html These don't look
quite as good, but they are less expensive. A recent headline, taken from Ananova, read....

Robot Sex Dolls
A German inventor claims to have created the world's most sophisticated robot sex doll .

The sex androids developed by aircraft mechanic Michael Harriman from Nuremberg have 'hearts' that beat harder
during sex.

They also breathe harder and have internal heaters to raise the body temperature - but their feet stay cold "just like in
real life", according to Harriman.

He said: "They are almost impossible to distinguish from the real thing, but I am still developing improvements and I
will only be happy when what I have is better than the real thing."

The dolls sold under the Andy brand name are on offer for £4,000 each for the basic model, with extra charges for
adaptations like extra large breasts.

Underneath the silicon skin, developed for use in medical surgery , is an electronic heart that beats faster during sex.

The model can also be made to move by remote control, wigglin g her hips under the bedclothes and making other
suggestive movements - all at the touch of a button .

Harriman said his design was an improvement on the popular 'real dolls' sold in the USA.

The promise of high tech sex has come in various forms.

In Star Trek, they have the holo-deck, but they never really show you what it's really capable of, or how far you can go
with it. These are questions that not only space nerds want answered, but just about everyone would want to know if
they thought these things were actually available.

Wanting to know myself, purely for academic purposes (cough), I discovered a few "devices" in the area of
Teledildonics. Lol. Yes, I know. I get a kick out of that every time I hear it.

Teledildonics: dictionary.com definition is -
Sex in a computer simulated virtual reality, especially computer-mediated sexual interaction between the VR presences
of two humans.

This practice is not yet possible except in the rather limited form of erotic conversation on MUDs (multi user
dimensions) and the like. The term, however, is widely recognised in the VR community as a "ha ha only
serious" projection of things to come. "When we can sustain a multi-sensory surround good enough for teledildonics,
*then* we'll know we're getting somewhere."

Meanwhile, the best they have been able to come up with (to my knowledge) is the 'Virtual Sex Machine'. This
system is, for lack of a better word, uh.... um, let's do this... here are some excerpts taken from their site.

The Virtual Sex Machine consists of a small black box, some connectors and a device which looks like a penis
pump. It hooks up to any standard 25 pin parallel (printer) port on your PC.

The available library of CDs contain sexually explicit material (porno!) or you can download special files. The
machine comes with all the necessary cables and power supplies to install and operate your machine. No other
equipment should be necessary.

And it's made in America! MAC users, you're outta luck! Not compatible. Doh!
How do you operate it?

(excerpt)
This seems to be confusing to some people. We did not include manual controls for the device for one very specific
reason. The purpose of the machine is to re-create a sexual experience. The concept behind the Virtual Sex Machine is
 that you the viewer get to experience the action on the screen, as it happens, how it happens. It is portrayed as an
 actual sexual experience. Part of the attraction for the experience is the fact that you don't know what is going to
 happen next. You are also given pleasure without effort. You are not really in control of the situation, but are
 experiencing the fun without the effort. We are working on a version of the software that has override controls tucked
 away for those that need to have control over the experience. Stay tuned to our site for updates on this.

 I can try to explain it to you all day; your best bet is to just check out the site and see for yourself.

 http://www.vrinnovations.com/

They seemed to have gotten a lot of publicity from 1999 to 2003, and most of the feedback I saw was mixed. Seems
like they got everyone really aroused, but then sort of didn't seal the deal or just failed to deliver. I've never tried it,
so I can't give you a personal recommendation, but if anyone out there has one, or has tried it, email me and let me
know.

After all is said and done, the promise of VR sex just isn't up to speed yet. And we still can't come home to our own
personal humanoid companion that looks like Jenna Jameson, but until we can, brave men and uh, mostly men, will
continue their quest to bring us closer to humanoid companions for all their many uses, and we salute them! Pz
the Goldfinger goldfinger@blacklisted411.net




ANNOUNCEMENT
BLACKLISTED! 411 WEBSITE
HAS BEEN REDESIGNED!!

That's right! Blacklisted! 411 Magazine would like to inform everyone that our website has undergone an
extensive upgrade. We've added a comprehensive selection of online material and several all-new sections
to visit. If you haven't been there in awhile, go check it out ASAP!

In addition, we've launched a new online hacker magazine by the name of "Blacklisted 411.NET" which
contains completely separate articles and complements our print version. It's free, so go download your copy
today!

So, don't forget to visit our newly redesigned website:

WWW.BLACKLISTED411.NET




Auditor: Debian WiFi Hacking
An article for those interested in wireless networking, but new to Linux.

By M L Shannon



Disclaimer
This article is for information purposes only; to learn about wireless hacking and security. Be aware that while
intercepting signals only, such as in Wardriving, is apparently legal, extracting text, graphics, and passwords is not.
Also, it is unlawful to use someone else's AP for Internet access without their permission.

Intro
Wireless computing is the "in" thing. Businesses large and small are moving to wireless because it is easier and
cheaper to set up. It eliminates the need for CAT-5 cables and the expense of stringing them through the facility. The
same applies to home networks; thanks to WiFi one can inexpensively install a DSL router and Access Point and take
a portable out in the back yard or wherever, and connect. Wireless cafés are opening by the hundreds for people who
find them conveniently near their job, or a place to relax and get cheap or free broadband access.

Many such businesses are unaware that their connection to the Internet is far from secure, as are most individuals. The
results of many wardriving exercises reveal that well under half of the APs detected use WEP encryption, which, at
best, gives most people a false sense of security. WEP can be defeated.

I learned from my years in surveillance and countermeasures that the only way to be secure from electronic
eavesdropping is to know how it works. The same is true of wireless networking.

This, the first in what may be a series of articles, is about maintenance, testing and hacking using the Debian Linux
Auditor suite of applications.

For this first article we will go over only a few, the most important applications, which are those that

1. Detect WiFi APs and Ad Hoc mode cards
2. Intercept text packets
3. Spoof, or change the MAC of a wireless card.

Auditor is a powerful and sophisticated suite of programs, applications that you download as a single file and burn to
CD as an image. You can run Auditor from the bootable Linux CD, or you can install it on your HD as dual boot and
still have your existing OS, whether Windows or BSD.

Why Auditor compared to Win Apps?
First of all, Auditor is free (although donations are accepted) and then there aren't, that I know of, any complete
Windows 'suites' like Auditor. Auditor also contains text and hex editors, screen capture, graphics programs, Firefox
for WWW and lots more. All on a single disk.

So, you can run the Auditor suite with your present OS intact, remove the CD and reboot and your computer is just as
it was before you ran Auditor.

And also, not everyone can justify the expense of a dedicated portable just for Auditor.

There are indeed some excellent wireless applications for Windows, and two that, far as I have been able to find, have
no Linux counterparts.

The first of these is CommView for WiFi. This is a great program, with which you can search for APs, and once
found, view both text and graphics. (Is that your neighbor across the street, the sweet little blue haired lady,
downloading hard core porn?) CommView is versatile and powerful and has the most comprehensive set of filters
(called 'rules') I know of. You can filter packets in (see on screen) or out (block) by MAC, SSID, text string, port,
data, control and management packets.

I had the pleasure of meeting the author while I was in New Zealand.

The second is Iris, with which you can see what is on the monitor of the AP you are monitoring in real time. I have
played with the demo, and it appears to be one helluva program. It goes for about US$1200.00.



So, for real time viewing of the target, these two Win apps might be the better choice, but for serious detection and
analysis, and hacking, Auditor is the answer.

System Requirements
While I don't see this listed on the Auditor site, I would suggest at least:

Pentium II notebook/laptop, at 500 MHz or faster
128 MB RAM.
CD burner, such as Nero.

Wireless card that can run in Radio Monitor Mode and an antenna. Before you buy, be aware that most PCMCIA
cards do not have a connection (jack) for an external antenna, so it is a good idea to check before you buy. Determine
what kind of jack, MMCX for example, and then obtain an antenna with the right cable.

Auditor will, of course, run on a desktop but some of the applications in Auditor may not like PCI cards or WiFi cards
on an ISA Adapter, and anyway, once running you will likely want to do some field testing. A shopping cart with a
couple car batteries provides plenty of space, and it is easy enough to mount a hi-gain antenna but this is rather
conspicuous; it may well draw unwanted attention.

Many WiFi cards are supported and driver installation is not required as Auditor loads them automatically.

I have tried Auditor with a Linksys WPC-55AG dual band and Senao NL-2511CD Plus Ext2, and both work
automatically. The old classic Orinoco Gold also works but the newer Proxim 8420-WD does not. For that matter, the
Proxim doesn't work on much of anything in Windows, so is not recommended. Perhaps later Proxim models work; see
the Auditor FAQ at

http://new.remote-exploit.org/index.php/FAQ_main

The Senao has external antenna connections (2) as does Proxim, some SMC cards, and the classic Orinoco Gold, but
again, most do not.

So without an antenna, unless you are within a short distance of an AP, from a few dozen meters to maybe across the
street, you may not see much signal strength. But radio waves work in mysterious ways, so you never know.

Radio Monitor Mode
In this mode, also known as raw monitoring mode, the WiFi card will receive only; it will not transmit. It is strongly
recommended that it be used to prevent anyone from being able to detect you while you are detecting them, and it
prevents accidentally associating with (connecting to) an AP you are monitoring. Instructions on how this is done are at
http://new.remote-exploit.org/index.php/FAQ_main.

To find out what chipset a given card uses, go here:
http://www.linux-wlan.org/docs/wlan_adapters.html.gz

Back up everything!
Even though you are not likely to damage any files using Auditor, it is still a good idea to make backups of all
important files. Just in case.

Downloading and Installing
Auditor, which is more than 600 Mb in size, is downloaded as an ISO file from any of several sources, listed here:
http://new.remote-exploit.org/index.php/Auditor_main
http://new.remote-exploit.org/index.php/Auditor_mirrors

It takes a couple hours depending on your download speed. If you are using dial-up, or for whatever reason don't want
to download something that large, you can send email to mmo@remote-exploit.org to see if someone will snail mail you
a copy of the latest version.

If it downloads successfully, you can go ahead and burn it, but you also have the option of checking the MD5, which is a
hash algorithm used to verify the integrity of the file. I skipped this and just fired it up, and... it wouldn't run. Oh, it tried, I got
the boot screen, but then a long series of error messages, including media error, buffer I/O error and on and on.
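Verifying the image before burning, as an added example (not code from the article or the Auditor project): the block streams the ISO through `hashlib` so a 600+ MB file never sits in memory, parses a checksum line in the format `md5sum` prints, and compares digests in constant time. MD5 is enough to catch the corrupted download described above, but it is no longer collision resistant, so when a mirror also publishes a SHA-256 sum use that; the `algo` parameter takes either. The file name and bytes in the demo are constructed placeholders.

```python
"""Verify a downloaded ISO image against its published checksum.

Added example, not code from the article or the Auditor project.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # hash a 600+ MB image one megabyte at a time


def checksum_bytes(data, algo="md5"):
    """Hex digest of an in-memory buffer (handy for small self-tests)."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def checksum_file(path, algo="md5"):
    """Stream the file through the hash so RAM use stays constant."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_line(line):
    """Parse '<hexdigest>  <filename>' as written by md5sum / sha256sum.

    Returns (digest, filename); a leading '*' on the name (binary-mode
    marker) is dropped.
    """
    digest, _, name = line.strip().partition(" ")
    return digest.lower(), name.strip().lstrip("*")


def digests_match(actual_hex, expected_hex):
    """Constant-time comparison; both sides normalised to lowercase."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.strip().lower())


def verify_file(path, expected_hex, algo="md5"):
    """True only if the file's digest equals the published one: safe to burn."""
    return digests_match(checksum_file(path, algo), expected_hex)


def verify_bytes(data, expected_hex, algo="md5"):
    """Same check for an in-memory buffer."""
    return digests_match(checksum_bytes(data, algo), expected_hex)


if __name__ == "__main__":
    # Constructed demo: write a small 'image', publish its digest, check it,
    # then corrupt one byte and check again (the case the author ran into).
    with tempfile.TemporaryDirectory() as tmp:
        iso = os.path.join(tmp, "auditor-demo.iso")       # placeholder name
        with open(iso, "wb") as fh:
            fh.write(os.urandom(3 * CHUNK_SIZE + 17))
        published = f"{checksum_file(iso, 'sha256')}  auditor-demo.iso"
        digest, name = parse_checksum_line(published)
        print(name, "ok" if verify_file(iso, digest, "sha256") else "CORRUPT")
        with open(iso, "r+b") as fh:
            fh.seek(CHUNK_SIZE + 5)
            original = fh.read(1)
            fh.seek(CHUNK_SIZE + 5)
            fh.write(bytes([original[0] ^ 0x01]))         # flip one bit
        print(name, "ok" if verify_file(iso, digest, "sha256") else "CORRUPT")
```

Run it as a script to see the good and corrupted cases; in practice the published line comes from the mirror's checksum file and the path is the downloaded ISO.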

Being a newbie to Linux, I had to look them up, but the explanations still didn't tell me what was wrong.

Finally it dawned on me that I had read somewhere on the Auditor site that I should burn the CD at a slow speed, 8x or
even 4x.

I did this and Auditor was up and running.


Burning
Once you have downloaded the file, you need to burn it to a CD as an image file. This is not the same as an ordinary
data file. If necessary, read the help files for the program you are using.

With Nero, you want Disk Image or Saved Project. Other applications, look for burn as an image.

Now this may be important: If you burn the CD at the fastest speed your drive is capable of, the CD might not work. I
found this out the hard way by not reading the help files. Burn it at 8x or even 4x.

Starting Auditor
First, you may need to change your BIOS settings so the machine will boot from CD.

Once the ISO has been burned as an image, pop the disk into the drive and reboot.

Problems Running Auditor
Even if the disk boots, it might not install in RAM. It may appear to be trying but will display a long list of errors
such as Fatal Exception in Interrupt, Segmentation Fault, Not Synching, Unable to Mount Root and ending in the fatal
Kernel Panic.

Also, the CD may run a few times and then just quit completely. This happened the first time I tried Auditor, and even
after learning about the slow burn, the same thing happened.

I suspected it was because of this crappy computer, a Compaq Presario 2700, (You don't want one) but I heard the
same story from a few others.

Install Auditor on the hard drive
Auditor has this option, to HD install. Open the KDE menu, and under All Applications, System, at the top is Auditor
HD Installer.

There is an advantage of doing this: If you have a computer that does not have both the CD and floppy drives, there is
nowhere to save the files you build from scanning (Auditor is running a RAM disk) unless you install an external hard
drive. Fine for at home, but inconvenient for field work as they require external power. Now if the drive is not
partitioned for dual boot, you are running Windows and want to keep it, the alternative is:

Dual Boot
Some people can dual boot with no problems at all. Someone at a recent 2600 meeting had a machine that was triple
boot; Win 2000, Red Hat and Free BSD as I recall! Others find it difficult, especially those new to Linux. My first
attempt was somewhat tricky but fortunately I bought the Red Hat Pro box version and by reading the manuals I got
through it OK.

But: there is a better way:

Partition Magic.
I bought PM years ago for whatever reason, but had never used it; didn't trust it. Didn't want to take a chance on
losing or screwing up files. But I have since purchased a Western Digital external 80 Gb drive (I can't say enough
good things about WD; have bought their drives since Conner merged with Seagate or whatever it was that they did)
and have never had a problem. So I backed up everything on the Compaq and fired it up.

With PM installation was flawless, I followed the default settings and only a few times did I have to look up anything.
As with any flavor of Linux, you will need to set a root account and one or more user accounts.

NOTE: While it may be possible to change settings to prevent this, some of the wireless apps run only from root. Fine
as long as you don't fire up Xchat and get kicked off an IRC server for logging on as root :)

It took about an hour on the Compaq 30 Gb drive, and when I rebooted, up came Grub and the dual boot option
screen. Auditor is the default and comes up automatically unless you choose Windows.

The opening screen takes a couple minutes to load, then there is a toolbar at the bottom of the screen with several
icons. The installation includes text editors, Firefox for WWW and many other applications.

Using Kismet
The first of the applications in this article is Kismet, of which there are two versions. The first is the original Kismet,
the other is Gkismet, a GUI for Kismet.



Open KDE. To get to the applications, scroll up to Auditor, then Wireless, then Scanner/Analyzer. There are two
selections: Kismet Tools and Wellenreiter. Kismet is the main tool with which to get started. Later, after you are
intercepting Access Points, you can try Wellenreiter, spoof your MAC and see what's in the packets using Ethereal.

When you click on Kismet, you will be asked to choose a Data Directory. For now, you can use most anything, such
as the tmp directory under your user name. Next click Yes to confirm the location, then OK on the next prompt,
Desired Fileprefix.

Now, Kismet starts running. Click the up arrow to run full screen if desired.

Unless you are in an isolated area, there will be at least a few listings. On the left is the name of the network; the SSID
or Station Set IDentifier. The rest of the columns contain details of the APs or AdHocs you are receiving. Click 'h'
for the Help screen which explains what most of it means.

Kismet starts in autofit sort mode, so you won't be able to expand the listings. To change it, you need to use the
command line from Konsole. More on this is in the help files and Forums listed at the end of this article under Getting
Help.

Using Gkismet
Start it the same way: Auditor, Wireless, Scanner/Analyzer. When the screen loads, you should see the same listings
as with Kismet but this version is a little easier to use. On the left are two icons.

The icon with a little triangle shaped flag, a pennant, is an Access Point.

The icon of a little computer is a Probe Request; a signal being sent out from a WiFi card, looking for an Access
Point to connect to. (If in RMM no signal is sent; the card is silent and undetectable.) Also known as Ad-Hoc mode,
where one computer associates directly with another and not through an Access Point.

Click on the + for any listing and it expands to display detailed info on the signal. Most of it isn't important yet; this is
about getting started, so can be disregarded for now. The main things are the SSID, signal strength, and WEP.
Click on View and you can sort by signal strength or number of data (not control) packets.

Once you see packets being captured, you can open either Packet Dump or Screen Dump and see what is being
intercepted.

Using Ethereal
OK, you now are able to use Kismet and have presumably found a few APs or AdHoc cards, and you want to know
what kind of information is being transmitted. The KDE menu path is Auditor/Analyzer/Network/Ethereal.

Double click to start it, then on the top menu bar, select Capture, Interfaces. Pick one of the devices (you will see the
difference when you have tried both) and click on Prepare.

If you want Ethereal to display the packets it logs in real time (rather than storing them in a file), check
Update list of packets in real time and then Capture.

A window will open on the right showing numbers of captured packets and you will see them on the main screen.
As long as you have found at least one signal in Kismet, you should see packets.




Troubleshooting
Auditor is up and running and I have started Kismet, but I don't see anything on the screen.

Either you are in an ice cave in Antarctica or a rural area without an external antenna. Try visiting a wireless café.

I see lots of signals, they are all Access Points, but when I run Ethereal, all I see are like garbage packets, meaningless
digits and characters.

What you are seeing are management and control packets, and no one is using the AP at the time, or packets from a
WEP encrypted Access Point.
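What those "garbage" packets are, as an added example (not code from the article, Kismet or Ethereal): every 802.11 frame starts with a two-byte Frame Control field that says whether it is management, control or data and whether the Protected Frame bit is set, and a beacon's capability field says whether the AP advertises privacy (Kismet's WEP column). The classifier below decodes those fields over a hand-constructed four-frame capture, so a newcomer can tell an idle or encrypted AP from one carrying readable traffic. The BSSID and SSID are placeholders.

```python
"""Classify captured 802.11 frames the way Kismet and Ethereal present them.

Added example, not code from the article, Kismet or Ethereal. The sample
frames at the bottom are constructed by hand; no real devices.
"""
import struct
from collections import Counter

FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}
MGMT_SUBTYPES = {0: "association-request", 1: "association-response",
                 4: "probe-request", 5: "probe-response", 8: "beacon",
                 10: "disassociation", 11: "authentication", 12: "deauthentication"}
CTRL_SUBTYPES = {11: "rts", 12: "cts", 13: "ack"}
PROTECTED_FLAG = 0x40   # "Protected Frame" bit in the second Frame Control byte
CAP_PRIVACY = 0x0010    # Privacy bit in the beacon capability field
MAC_HEADER_LEN = 24     # FC(2) duration(2) addr1/2/3(18) seq(2) for non-QoS frames


def parse_beacon_body(body):
    """Beacon body: timestamp(8) interval(2) capability(2), then tagged IEs."""
    _timestamp, _interval, capability = struct.unpack_from("<QHH", body, 0)
    ssid, pos = "", 12
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        if tag == 0:                                   # IE 0 carries the SSID
            ssid = body[pos + 2:pos + 2 + length].decode("utf-8", "replace")
        pos += 2 + length
    return {"ssid": ssid, "privacy": bool(capability & CAP_PRIVACY)}


def classify(frame):
    """Decode Frame Control; for beacons also pull out SSID and privacy bit."""
    if len(frame) < 2:
        raise ValueError("truncated frame")
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    info = {"type": FRAME_TYPES[ftype], "subtype": subtype,
            "protected": bool(fc1 & PROTECTED_FLAG)}
    if ftype == 0:
        info["subtype"] = MGMT_SUBTYPES.get(subtype, f"mgmt-{subtype}")
        if subtype == 8 and len(frame) >= MAC_HEADER_LEN + 12:
            info.update(parse_beacon_body(frame[MAC_HEADER_LEN:]))
    elif ftype == 1:
        info["subtype"] = CTRL_SUBTYPES.get(subtype, f"ctrl-{subtype}")
    return info


def summarize(frames):
    """Tally a capture; encrypted data frames are counted separately."""
    tally = Counter()
    for frame in frames:
        info = classify(frame)
        if info["type"] == "data" and info["protected"]:
            tally["data (encrypted)"] += 1
        else:
            tally[info["type"]] += 1
    return tally


# --- constructed sample capture (placeholder addresses) ---------------------
AP_MAC = bytes.fromhex("001122334455")   # placeholder BSSID
BROADCAST = b"\xff" * 6
SEQ_CTRL = b"\x00\x00"


def mac_header(fc0, fc1, addr1, addr2, addr3):
    """24-byte MAC header with a zero duration and sequence control."""
    return bytes([fc0, fc1]) + b"\x00\x00" + addr1 + addr2 + addr3 + SEQ_CTRL


SAMPLE_CAPTURE = [
    # beacon from an AP advertising privacy (capability 0x0411: ESS|Privacy|ShortSlot)
    mac_header(0x80, 0x00, BROADCAST, AP_MAC, AP_MAC)
    + struct.pack("<QHH", 0, 100, 0x0411) + bytes([0, 4]) + b"HOME",
    # ACK: control frame, only FC, duration and the receiver address
    bytes([0xD4, 0x00]) + b"\x00\x00" + AP_MAC,
    # data frame with the Protected bit set (WEP/WPA payload, unreadable)
    mac_header(0x08, 0x42, AP_MAC, AP_MAC, AP_MAC) + b"\x00" * 8,
    # cleartext data frame (the kind whose payload Ethereal can dissect)
    mac_header(0x08, 0x02, AP_MAC, AP_MAC, AP_MAC) + b"\xaa\xaa\x03",
]

if __name__ == "__main__":
    for frame in SAMPLE_CAPTURE:
        print(classify(frame))
    print(summarize(SAMPLE_CAPTURE))
```

A capture from an AP nobody is using tallies as management and control only; one from a WEP or WPA network adds "data (encrypted)" entries, which is exactly the "meaningless digits" the question describes.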



Understanding signal strength
The strength of a WiFi signal you intercept may be measured in different ways with different applications.
Technically, it is measured in decibels, dB, but different applications use different methods. So, what numbers you see
with one program don't necessarily relate to another. What counts is if the signal is strong enough that you can
intercept and read the packets. So, it is not necessary to spend time learning this.

Where to Get Help
http://new.remote-exploit.org/index.php/FAQ_main
http://new.remote-exploit.org/index.php/Tutorials

Sources, PC Cards
Most computer stores sell wireless cards. Very few of them sell cards that have an external antenna connection. And if
you search most online sources and read the specs on the cards that they do have, you aren't likely to see if they do
have an antenna connection.

Seattle Wireless, http://www.seattlewireless.net/ has lots of good information.

Two of the best cards are the Senao and the SMC 2835W. Both are compatible with Linux and Unix: FreeBSD for
example.

Finding the SMC (with the antenna connection) is problematic; you'll find it where you find it or order online.

Surf & Sip sells the Senao, with two antenna jacks, for about $90.
http://www.surfandsip.com/location.htm

The old Orinoco Gold card is good for monitoring, but has less sensitivity than the SMC or Senao, both of which have
a much higher power output when used for your own network. Or whatever else.

The Proxim 8420-WD, which does have an antenna connection, does not work with Auditor, or hardly anything else.

Sources, Antenna Cables
This can be difficult, as there are many types of connectors, so again, find out what you need for connecting an
external antenna when you obtain the card. Probably the best source for pigtails and extension cables is www.therfc.com
in Maryland. They have been in business for many years and their products are excellent. They are the only place
I will buy from.




"I Can't find your magazine in my local bookstore"
Sound familiar?
Are you having trouble finding our Magazine?

Since we've been out of print for a few years, most of the retail book stores and newsstands are not carrying our title.....yet.
After a few issues hit the streets, more and more stores will carry our magazine. It's all a matter of time. We know it can be
next to impossible to find Blacklisted! 411 in your local neighborhood bookstore at a time like this. There are a few ways you
can get our magazine. Subscribing is the best way to get the magazine...NOW. This can be done through regular
mail or by visiting our website. It's somewhat easy to obtain our magazine if you really want it.

If you're in a place that doesn't carry our magazine and you'd like to see it there in the future, do one of the following:

1. If you're not sure if the store you're in carries our magazine, ASK THEM! They might be sold out or they may have hidden
the magazine in a special section or behind other magazines. Those pesky anti-hacker type drones might be hiding them.
2. If they do not carry our magazine, tell the store manager that you would like to see this magazine in their store in the
future. Our ISSN is 1082-2216. Give them this number and tell them they should call their magazine distributor(s) to obtain
the title. Make sure you let them know how disappointed you'd be if they didn't stock them or "forgot" to at least call and TRY
to get them in stock.
3. If that fails, you can give us their address and phone number and possibly a contact name. We will have the chance to
call them and convince them into carrying our wonderful magazine.
4. Subscribe if you don't want to bother with any of the previous methods.
5. Take a look in Tower Records/Magazines, Barnes & Nobles, Borders or Bookstar. They usually have them in stock.
6. Borrow a copy from a friend - make sure to return it when you're done.

Blacklisted! 411 Magazine
P.O. Box 2506
Cypress, CA 90630


BLACKLISTED! 411 MAGAZINE
PRESENTS

HACK THE SYSTEM!
(the DVD)

Our latest project is in the works, and will be coming soon to a DVD store near you!

We're putting together a brand new DVD about hackers, the hacker community, technology and
all related issues. The DVD is arranged as a documentary with a mix of "reality TV" thrown in
to capture the interest of a wide audience - old school & newbie hackers, teens, college students
and professionals alike. Packed with interviews from the Blacklisted! 411 staff, contributors,
real life hackers (both white hat and black hat), celebrities, industry leaders, law enforcement
and local government, this won't be your average hacker video. It's the ideal of the Blacklisted!
411 team to bring to the table an informed look at hacking, the reality, the pitfalls and
associated amusement. We're serious, but we'd like to keep it fun, too.

You asked for it, so here it is!

**Meet many of the Blacklisted! 411 staff**
Meet our own Editor in chief, Zachary Blackstone! You'll also finally be able to meet the
infamous, octopus wearing, Extreme Kidnapping's very own Goldfinger! You'll also meet
Ghetto Mafia of our "street crew" and many other staff and crew members!

**Live tutorials and how-to's**
See how a red box is really made and what it does. Watch wardriving in action. Caller ID
spoofing, social engineering, and how to find goodies at a salvage yard. Just a few of the "must
see" things which will be available on this DVD.

**Fascinating interviews of law enforcement officials, hackers in the news, and software moguls**
You'll enjoy what other members of the hacker community have to say. Some from behind bars,
some previously behind bars, some rich dudes that got their start from hacking, and some
hackers we met on the street. Not to mention you'll love to hear what law enforcement officials
really think about hackers.

**Hilarious comedic skits**
Who wants to watch a DVD with boring all talk, talk, talking? You'll see skits that rival any of
the popular reality jackass skits out there! Hear some hysterical phone pranks, and many more
skits and pranks that will leave you either speechless or rolling on the floor laughing!

**Clips of the most outrageous "for hackers only" beach party**
See the ad in this issue for more info on the Blacklisted! 411 end of summer beach party. Be
sure to be there, you might see yourself on the DVD!

If you'd like to learn more about the DVD, or if you would like to contribute to it, please check out the website at:

WWW.HACKTHESYSTEMDVD.COM

If you've been reading the mainstream tech news you may have noticed that cracker attacks and the like have been
increasing dramatically as of the last year or so. It appears that many of those that once took delight in learning the
vulnerabilities of the net just for the sake of knowledge have now crossed over to "the Dark Side", using their abilities
for less noble purposes, such as gleaning money. Your money.

If you're like many of us, you may have a false sense of security. After all, in spite of the dire warnings we've all
read about for years, many of us haven't really experienced any problems of note.

That doesn't mean that these security risks are not that big of a deal. It just means we've all been lucky.

As these "black hats" become more proficient, the danger ramps up to each and every one of us. It's currently
increasing at a rate such as we have not experienced before.

It' s not all gloom and doom though. We have options that are new and very difficult to circumvent. That will be the
primary focus of this article. There is much information about this subject on the web. It is my goal to present this
information to you here in one place, to save you many nights of reading arcane pages that will put you to sleep.

Probably the most basic and easily used tool in regards to the security of your machine is a firewall. Almost everyone
is somewhat familiar with firewalls. These are available in both software and hardware varieties.

From the viewpoint of security, the hardware firewall probably has a slight edge. It's easy to comprehend that a
malicious TCP packet from evilone.com can do you absolutely no harm if it doesn't even make it to your machine.
It's like the bouncer at your party, no undesirables can even get past the front door. Assuming of course, that it's
properly configured and well designed.

But practically speaking from a home consumer point of view, a software firewall will work just about as well. A
dedicated hardware firewall starts at about $350 and the sky's the limit. There are decent software firewalls available
for free. The Windows XP SP2 firewall is pretty good, except that it only works on incoming packets. This means if
you were to get something like a Trojan in your email, it could compromise you by relaying sensitive information
outgoing to who knows where. It's unlikely that you would ever know.

Although I have not personally used it, ZoneAlarm gets pretty high marks from the security gurus on the net. And the
personal home version is free. There are at least 2 or 3 other free firewalls that are commonly recommended. Not all
are created equal, so I recommend you continue reading this article, I will be discussing what you want to look for in a
firewall.

Getting back to software firewalls, another advantage is that they can be updated at any time. So as new methods of
exploitation become known, the software author can implement countermeasures and make them available for
download in a timely manner. This can be more difficult or even impossible with hardware firewalls.

The biggest downside to software firewalls is that they utilize your system resources, and that means stealing some of
your machine's time, which really means YOUR time. Hardware firewalls operate independently, so this is not an
issue.

Most routers also come with a hardware firewall. These can be the best solution of all for the home user. The newer
ones are often very comprehensive and inexpensive. I personally prefer this method for my home use, primarily
because most of them contain at least a NAT firewall. And another layer of firewall as well.

Routers that have a NAT (Network Address Translation) firewall are very desirable because they essentially hide your
machine(s) from external sources. The only externally visible information available from you is the IP address of the
router itself. This is NOT your machine's IP address. It is impossible for anyone to see your IP through a NAT
firewall. The router assigns these to your machines, usually something like 192.168.0.100 through 192.168.6.199,
each new machine gets the next number in line. An address of this value is never assigned to a machine coupled
directly to the net. You could have 25 machines on that router, all they can see is the one IP address of the router.
However, you should be aware that Java is happy to give out your private IP address and the only way to stop it is to
disable scripting. The NAT firewall can prevent your IP address from being seen externally, but it can't keep you
from freely giving it away.

You should also be aware that by the use of a technique called fingerprinting, some information can still be leaked
through. Carefully formed TCP packets can be sent that cause the operating system name and version of your
machine(s) to be disclosed. It's very likely that in the future your greedy ISP will do exactly that to reveal how many
machines are on the other side of the router. They like to limit the number to a few machines, so that they can
artificially charge you for more machines, when their real concern should be your bandwidth usage. Sigh.

There are methods to spoof this information. You can find them by searching for "fingerprinting spoof". Knowing
the operating system is very valuable to a bad guy trying to do you harm. He needs to know what operating system
you're using in order to decide which method of attack to use. In a future article we'll explore those methods.

As stated previously, there is often another firewall layer on these routers. These primarily take the form of Packet
Filtering or Stateful Packet Inspection. This same information applies to software firewalls.

If at all possible, you want to get a Stateful Packet Inspection firewall, also known as Dynamic Packet Filtering.
Packet Filtering, also known as Static Packet Filtering simply examines a packet's header information .

The more robust Stateful Packet Inspection examines not only the header information, but also what's going on up
through the application layer. It tracks each connection and all of its interfaces through the firewall, making sure that
it is valid. In this manner, it can determine more than just source and destination information. It does this by
monitoring the state of the connection and keeping track of it in a table. This allows it to filter packets not only
according to the rules that you have defined, but also based upon prior packets that have passed through it.
Additionally, RPC (such as Frontpage Server Extensions) and UDP (such as Domain Name Resolution from your
DNS server) applications can work seamlessly with it, because it creates virtual session information for them. No other
firewalls can do this.
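To make the difference concrete, here is an added example (not from the article) that models both kinds of filter in Python on a few constructed packets: a static filter that judges each header on its own, and a stateful one that keeps the connection table described above. The addresses and ports are made up; the third packet is an unsolicited "reply" to a port nobody on the LAN opened, which is exactly the case the state table catches.

```python
"""Toy model of the static vs. stateful distinction drawn above.

Added example, not from the article. Packets are constructed values, and both
filters protect the same LAN host (192.168.1.5). The static filter judges each
header on its own; the stateful filter keeps a table of connections the LAN
side opened and admits inbound packets only when they belong to one of them.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    inbound: bool = False  # True when arriving from the Internet side


class StaticFilter:
    """Header-only rule set (the article's 'Packet Filtering')."""

    def allow(self, p: Packet) -> bool:
        if not p.inbound:
            return True  # everything the LAN sends out is allowed
        # Classic static "established" rule: inbound traffic is admitted if it
        # carries the ACK bit, i.e. looks like a reply. The filter has no
        # memory, so a packet that merely *looks* like a reply gets through.
        return p.ack


class StatefulFilter:
    """Connection-table rule set (the article's 'Stateful Packet Inspection')."""

    def __init__(self) -> None:
        # (lan_ip, lan_port, remote_ip, remote_port) -> connection state
        self.table: Dict[Tuple[str, int, str, int], str] = {}

    def allow(self, p: Packet) -> bool:
        if not p.inbound:
            if p.syn and not p.ack:  # LAN host opening a new connection
                self.table[(p.src, p.sport, p.dst, p.dport)] = "SYN_SENT"
            return True
        # Look the inbound packet up under the connection it would answer.
        key = (p.dst, p.dport, p.src, p.sport)
        state = self.table.get(key)
        if state is None:
            return False  # unsolicited: dropped, and nothing is sent back
        if state == "SYN_SENT" and p.syn and p.ack:
            self.table[key] = "ESTABLISHED"
        return True


def demo() -> Dict[str, List[bool]]:
    """One outbound handshake plus one crafted 'reply' through each filter.

    Returns {"static": [...], "stateful": [...]} with one verdict per packet.
    """
    lan, web, stranger = "192.168.1.5", "203.0.113.80", "198.51.100.9"
    packets = [
        Packet(lan, 40000, web, 80, syn=True),                          # LAN opens TCP/80
        Packet(web, 80, lan, 40000, syn=True, ack=True, inbound=True),  # genuine SYN/ACK reply
        Packet(stranger, 51515, lan, 135, ack=True, inbound=True),      # ACK to a port nobody opened
    ]
    verdicts: Dict[str, List[bool]] = {}
    for name, fw in (("static", StaticFilter()), ("stateful", StatefulFilter())):
        verdicts[name] = [fw.allow(p) for p in packets]
    return verdicts


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} {result}")
```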

Now most of these routers come with pretty wide open specs to limit the amount of customer support they have to
provide. This is understandable; after all, why should they have to teach you all about firewalls? So in order to use
them effectively, you must go to the router configuration screen, almost always a unique address in your browser that
communicates directly with the router itself.

Some of the things you'll want to be sure to lock down:

(Note: Not all firewalls have all of the options listed here; you'll have to determine what's appropriate for yours.)

Respond to the ICMP (ping), DON'T. Many crackers use software that is the modern-day equivalent of wardialers to
seek out vulnerable machines. They ping hundreds of thousands of addresses per hour looking for addresses that have
a machine on them. Don't be seen.

Denial of Service firewall - DO. The reasons are obvious.

Remote Administration - DON'T. Do you really need to remotely access your firewall? This is almost never needed
and provides a security hole. You can administer the router from any of the local computers.

Allow Trusted Stations Only, DO. Unless you intentionally have pedestrian computers (a friend's laptop for example)
visiting your router, limit access to only those computers that you know of. If you have the same friend over all the
time with his laptop, you can just put him on the trusted list. MAC addresses can be spoofed, but this provides yet
another layer of protection. And that's all you've got, layers.

Broadcast SSID, DON'T. Hey, you know what it is, don't you? Why tell the world? Give them yet one more hurdle
to overcome.

Use WPA, DO. Don't use the WEP encryption, it's a joke. While WPA can be cracked too, it's tougher, requiring
the acquisition of hundreds of thousands of packets. Layers. And while we're on the subject, use a keyphrase that is
20 characters or more in length and includes numbers and letters. The more random the better, "mary had a little
lamb3" is not what we're looking for. Don't help them to crack your key.

Block access control for any port you're not using. Which ones are these? That depends on what software you use.
One thing's for sure, it'll be almost all of them. Some of the most commonly used TCP ports are:

Port 80 for web browsing
Port 443 for secure web browsing
Port 21 for ftp
Port 25 and 110 for email
Port 119 for nntp (usenet)
Port 5190 for AIM
Port 53 and 113 for DNS service
Port 23 for Telnet
Port 1863 for MSN messenger
Port 5190 for ICQ

Not a comprehensive list by any means, but it'll give you an idea. Note also that non-standard ports can be used for
any of these functions, for example, you may access an ftp server on many ports, not just port 21, depending on the
server. So just do your best, and check your various programs to see if they still function correctly. If not, find out
what ports they are using and open those.

Most good firewalls will also stealth the ports. This means that they won't respond if someone tries to send a request
to them. Why is this important? Because even if a port is CLOSED, it will respond to a request packet and you can
be compromised through it with a TCP stack exploit.

OK, so now you've set up your firewall, and everything appears to be working correctly. How do you know if you're
secure?

First of all, you're not. You've just made it a lot tougher. But let's check and just see how secure you are.

There are many web-based firewall checks, some are better than others. One of my favorites is
http://www.auditmypc.com. They often surprise me, just when I think I've got it all buttoned up. They have one page I find very
informative also: http://www.auditmypc.com/security-patch.asp

Some of the things you find there may surprise you.

But there are many others, so just go to Google and look for "firewall test" to try others.

You do use Firefox, don't you? If not, I highly recommend it over the bloated insecure pig that Microsoft puts out.
Hevnsnt has a great article on the blacklisted411.net website about using Firefox.

I also suggest downloading a copy of NMAP, you can get it from http://www.insecure.org/nmap. It's common for
folks to use that wonderful program to look for ways to exploit you, why not beat them at their own game? Just look
in your router administration screen for the IP address of the router (the true external IP), and run NMAP to check that
IP, it's that easy. Be sure and spend a little time at insecure.org learning how to use NMAP, it has a lot of options.

After all is said and done, you still cannot be completely secure. So the best thing to do is to shut down your machine
when you're not using it. There's plenty of folks out there that just leave their machine on 24/7, they're just asking
for it. If your machine's not on it's not a security risk. The days of leaving personal computers on all the time are
over. Back in the day it was said that it was "better for the computer" or "better for the hard drive" to just never shut
it off. I really don't know if that was true or if we just convinced ourselves of it because we didn't want to wait for
that startup on those slow 4 meg. machines. But now it's a moot point, because modern hard drives and motherboards
definitely do better when allowed to cool down now and then. Just ask an old desert rat like me. It gets hot in the
Mojave. If you leave it on all the time out here, you'll be buying a new machine quite often.

Think this is all a bunch of "the sky is falling" malarkey? Go on over to auditmypc and let them show you your
internal IP address right through your shiny new firewall.

Still not convinced? Here's a copy of the access control log for my firewall this morning as I finished this article,
about 2½ hours worth. I also had one attempted denial of service attack not shown.

Good Luck.

Do It Ourselves

By dual_parallel

You've seen them. Articles about "setting up such-and-such server on your home cable" and "getting this-and-that access
using your home DSL." Those are fine for your power user who knows more than a CompUSA employee and less than a
LUG attendee. This article takes the basic concept of the do-it-at-home article to the next level, for such an aware
community needs proportionate security and mobility.

Security and mobility are exactly what this project provides. For example, imagine yourself at the local cafe: good coffee,
relaxing atmosphere and free Wi-Fi. It's the perfect spot to kick it and get some work done at the same time. You're banging
away on your article and slap yourself in the forehead. You forgot your research data at home!

Oh wait. No worries. You can grab the files you need wherever there's net access. But every noob with Ethereal is going to
get your passwords and data. No worries again. You have easy-to-use encrypted access to hundreds of gigs of file storage.
Ah. Good mocha.

Prerequisites

To executively summarize, we'll build an NFS server, build an SSH server, mount the exported file space, and set up gFTP for
file access. It is assumed that the reader has broadband access and a hardware firewall, or router. Note that home
broadband upload speed is the bottleneck in this system. Red Hat Enterprise Linux (RHEL) and nano are used throughout.

The reader is responsible for keeping an up-to-date box. Enterprise Linux uses up2date, and apt-get is another of many
options. The reader is also responsible for creating backups if a configuration goes south.

              # cp config.file config.file.bak

Build the NFS Server
Network File System (NFS), created by Sun Microsystems, allows network shares to be used as if they were local. NFSv3 is
insecure exposed to the Internet, hence this configuration. We'll export drive space from a dedicated file server to the SSH
login server, which faces the Internet. On to the build.

Be resourceful and find an older computer and a large hard drive. Combine the two. Partition the drive to include a separate
partition to export - that is, to share across your network. Here is an example partitioning scheme for a 120GB hard drive:

              /dev/hda1     /boot                        100 MB
              /dev/hda2     /                            13000 MB
              /dev/hda3     swap                         768 MB (2x 384 MB RAM)
              /dev/hda4     EXTENDED PARTITION
              /dev/hda5     /export                      100000 MB

This scheme gives an /export partition of 100 GB, which is more than enough space for this application. Now install GNU/
Linux with the minimum of components. X is optional. NFS and RPC are necessary, which RHEL installs by default. Users
won't be needed on this system, as it's solely a file server and only root is necessary for administration. Enable portmap and
nfsd for your run level using system-config-services. Also, shut down any and all unneeded services, such as pcmcia, sendmail,
etc.

Create a data directory in the /export partition, make it world-writeable, and set the sticky bit.

              # mkdir /export/data
              # chmod 1777 /export/data

Edit /etc/exports and add the following line, entering the appropriate host name or IP address. Note that there is no space
between the host and the parenthesised options: in /etc/exports a space there would apply the options to every host and leave
SSH_HOST with only the defaults.

              /export/data SSH_HOST(rw,async)

Restart portmap and nfsd.

              # service portmap restart
              # service nfs restart

Set up tcpwrappers - /etc/hosts.deny and /etc/hosts.allow - to only allow NFS connections from the login host.

              # nano /etc/hosts.deny
              ALL: ALL

This denies all access from all hosts. Now poke holes with hosts.allow.

              # nano /etc/hosts.allow
              portmap  : SSH_HOST : ALLOW
              lockd    : SSH_HOST : ALLOW
              mountd   : SSH_HOST : ALLOW
              statd    : SSH_HOST : ALLOW

This provides a relatively secure file server. Security is ultimately defined by a properly configured SSH server.

Build the SSH Server
This is the login machine that faces the Internet. Given a NAT router, it only shows the Internet one port, 22. Configure your
router as such. Once the router is configured, configure a firewall to only allow SSH connections. In RHEL 4, configure the
firewall with:

              # system-config-securitylevel

Also configure tcpwrappers for the login host with two simple lines in hosts.deny and hosts.allow respectively. We'll cover
additional customization of hosts.allow later.

              # nano /etc/hosts.deny
              ALL: ALL

              # nano /etc/hosts.allow
              sshd : ALL : ALLOW

Now harden SSH by editing /etc/ssh/sshd_config. Uncomment and edit the following lines.

              # nano /etc/ssh/sshd_config
              Port 22
              Protocol 2
              ListenAddress 0.0.0.0
              SyslogFacility AUTHPRIV
              PermitRootLogin no
              StrictModes yes
              PasswordAuthentication yes
              PermitEmptyPasswords no
              ChallengeResponseAuthentication no
              UsePAM yes
              X11Forwarding no
              PrintMotd yes
              PrintLastLog no
              Compression yes
              PidFile /var/run/sshd.pid
              ShowPatchLevel no
              Subsystem       sftp    /usr/libexec/openssh/sftp-server

PrintMotd should only be uncommented if you are going to use a message as such:

              ************************************************************************
                                     Proprietary System
                     Authorized access ONLY. Users subject to monitoring.
                                  ALL other use prohibited.
              ************************************************************************

Force sshd to reread the new configuration and we're ready to mount the exported space.

              # kill -s 1 `cat /var/run/sshd.pid`
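Before sending that HUP, it is worth checking that the hardening actually took effect. Here is an added example (not the article's code) in Python that parses an sshd_config the way sshd does and reports any of the directives above that are missing or weaker than intended; it matters because sshd uses the first value of a repeated directive, so a hardened line pasted below an earlier, weaker one changes nothing. The sample config is constructed.

```python
"""Audit an sshd_config against the hardening lines used above.

Added example, not the article's code. It mirrors two rules of sshd's own
parser that matter for an audit: keywords are case-insensitive, and when a
directive appears more than once the FIRST value wins, so a hardened line
added below an earlier weaker one changes nothing.
"""
import re
from typing import Dict, List

# Directive -> value the article sets. Keys lower-cased for lookup.
EXPECTED: Dict[str, str] = {
    "protocol": "2",
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "challengeresponseauthentication": "no",
    "x11forwarding": "no",
    "strictmodes": "yes",
}

# "Keyword value" or "Keyword=value"; a '#' at line start is a comment.
_DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective keyword -> value map (first occurrence wins)."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        key = (m.group(1) if m else line).lower()
        value = m.group(2).strip() if m else ""
        effective.setdefault(key, value)  # later duplicates are ignored
    return effective


def audit(text: str) -> List[str]:
    """List directives that are unset or set to a weaker value than expected."""
    effective = parse_sshd_config(text)
    findings: List[str] = []
    for key, want in EXPECTED.items():
        got = effective.get(key)
        if got is None:
            findings.append(f"{key}: not set, compiled-in default applies")
        elif got.lower() != want:
            findings.append(f"{key}: effective value is '{got}', expected '{want}'")
    return findings


# Constructed sample: PermitRootLogin is hardened on a later line only, and
# X11Forwarding is missing altogether.
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
#PermitRootLogin no
StrictModes yes
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
PermitRootLogin no
Subsystem       sftp    /usr/libexec/openssh/sftp-server
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD_CONFIG):
        print(finding)
```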

Mount Export
A few simple operations are performed on the login server: we'll create a mount point, edit fstab and, finally, mount.

The exported partition needs a mount point for it to, well, mount. We'll call the new directory, or mount point, /data.

              # mkdir /data

Now make an addition to /etc/fstab for it to automatically mount /data.

              # nano /etc/fstab
              NFS_HOST:/export/data   /data   nfs   hard,intr,rsize=8192,wsize=8192   0 0

Manually mount /data with:

              # mount -a

Configure gFTP

Many SFTP clients are available for Linux. gFTP just happens to be particularly robust and user-friendly. It's also more than
likely included in any distro you choose. Modern versions of gFTP support SFTP right out of the box.

Enter your external IP address or hostname in the Host box, and your user name and password in their respective boxes.
Choose SSH2 from the drop down list on the right hand side. Click the two-computer button on the left hand side to securely
connect to your server. Navigate to /data in the right pane. Click Bookmarks->Add bookmark in gFTP's menu bar. Enter a
descriptive name and select Remember password if convenience is valuable.

Test and Enjoy

Shut down gFTP and start a packet sniffer. Connect to your server and transfer some files, capturing the entire process.
After a few transfers, sort your capture by IP address and see if you can see anything that resembles English. I'll spoil it: you
won't.
Without using it, you can't imagine how convenient it is to be able to back up and retrieve files, securely, at the drop of a hat.

Maintenance

This setup is pretty low maintenance. You could probably just let it run as long as you keep packages up to date. If you're
curious or paranoid, you can watch your logs and really see what's going on on the net. Here's a Perl script that mails SSH-
pertinent entries from /var/log/messages. Run it at 23:59 each night as a cron job.




Now when you get lots of failed login attempts from faraway lands, and you will, add the offending domains or IP ranges to
/etc/hosts.allow.

              sshd : ALL EXCEPT 123. .cn .pl : ALLOW

Nothing against China or Poland, those just block all hosts that resolve to those TLDs. It also blocks every IP from
123.0.0.0/8.
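As an added example, not the article's Perl script, here is the same maintenance idea in Python: pull the sshd entries out of syslog-format lines, count failed logins per source address, and build a hosts.allow line of the ALL EXCEPT form for sources over a threshold, optionally widened to a "123."-style /8 pattern like the one above. The log lines, host name and PIDs are constructed.

```python
"""Summarise sshd entries from /var/log/messages-style lines.

Added example, not the article's Perl script. Input lines are constructed in
the syslog format 2005-era OpenSSH writes ("Failed password for ... from
<ip> port <n> ssh2"); the parser relies only on the "sshd[pid]:" tag and the
"from <ip>" field, so it works on a real messages file as well.
"""
import re
from collections import Counter
from typing import Iterable, Iterator, List, Optional, Tuple

_SSHD_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)
_FROM_IP = re.compile(r"\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")


def sshd_entries(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (timestamp, message) for every line logged by sshd."""
    for line in lines:
        m = _SSHD_LINE.match(line)
        if m:
            yield m.group("ts"), m.group("msg")


def failed_logins(lines: Iterable[str]) -> Counter:
    """Count 'Failed password' attempts per source IP address."""
    counts: Counter = Counter()
    for _, msg in sshd_entries(lines):
        if msg.startswith("Failed password"):
            m = _FROM_IP.search(msg)
            if m:
                counts[m.group("ip")] += 1
    return counts


def hosts_allow_line(counts: Counter, threshold: int = 5,
                     aggregate_to_slash8: bool = False) -> Optional[str]:
    """Build an 'sshd : ALL EXCEPT ... : ALLOW' line for noisy sources.

    With aggregate_to_slash8 a source 123.4.5.6 becomes the tcpwrappers
    prefix pattern '123.' (all of 123.0.0.0/8, as in the article). That is
    blunt: every legitimate host in the /8 is locked out too. Address
    patterns are preferred over '.cn'-style suffixes, which only match when
    the client's reverse DNS resolves.
    """
    patterns: List[str] = []
    for ip, n in counts.most_common():  # highest counts first
        if n < threshold:
            break
        pat = ip.split(".")[0] + "." if aggregate_to_slash8 else ip
        if pat not in patterns:
            patterns.append(pat)
    if not patterns:
        return None
    return "sshd : ALL EXCEPT " + " ".join(patterns) + " : ALLOW"


# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Oct 20 10:03:40 login sshd[2231]: Failed password for root from 203.0.113.7 port 48385 ssh2
Oct 20 10:03:42 login sshd[2231]: Failed password for root from 203.0.113.7 port 48385 ssh2
Oct 20 10:03:44 login sshd[2231]: Failed password for root from 203.0.113.7 port 48385 ssh2
Oct 20 10:03:46 login sshd[2231]: Failed password for root from 203.0.113.7 port 48385 ssh2
Oct 20 10:03:48 login sshd[2231]: Failed password for root from 203.0.113.7 port 48385 ssh2
Oct 20 10:06:33 login sshd[2240]: Invalid user admin from 198.51.100.22
Oct 20 10:06:35 login sshd[2240]: Failed password for invalid user admin from 198.51.100.22 port 57352 ssh2
Oct 20 10:07:35 login crond[1201]: (root) CMD (run-parts /etc/cron.hourly)
Oct 20 10:11:45 login sshd[2255]: Accepted password for dual from 192.0.2.10 port 35584 ssh2
"""

if __name__ == "__main__":
    counts = failed_logins(SAMPLE_LOG.splitlines())
    for ip, n in counts.most_common():
        print(f"{n:5d}  {ip}")
    print(hosts_allow_line(counts) or "no source over threshold")
```

Point the script at a real file with `failed_logins(open("/var/log/messages"))` and mail the output from cron the way the article suggests.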

To Close

Again, the utility and security of this setup is most appreciated when it's used, and you'll use it a lot. To inject some personal
experience, I wrote this article all over the city, writing at a whim, always with a backup.
Remote access can be made even more secure with a key pair and ssh-agent. If your use outgrows your bandwidth, many
ISPs have upgraded plans or even business grade service. Who knows what you can do then.
What you will know is that you have secure access to your data. That capability is a valuable advantage in this ever more
technologically dependent world.


dual is a noob who wants everyone to use encryption, to reduce their ecological footprint , and to spread the
antimemes of blackspotting, simplification, and self-sufficiency.



Aminet: The Makeover
This is one even the guys from Queer Eye would love.

By MobbyG
With all the ups and downs the Amiga community has faced in its turbulent history, Aminet has been there through the good
and the bad of the whole ordeal. Aminet is one of the biggest repositories of Amiga software in the world. With over 5,000
programs and 9 full mirrors, and countless CD releases, it's easily one of the best and biggest resources for your Amiga.
Urban Muller, the man behind the start up of this website couldn't be reached for an interview. So hopefully I can give you a
pretty full picture of what Aminet has to offer you by way of Amiga software.
First of all, it is always a good idea to use the mirror closest to you. Most of us know the reason why we should, but for those
few who don't, here's why: it can be a little faster and takes some of the load off the main server. I personally used the main
server since it was so close, but on those rare occasions it was kind of bogged down or having a problem, I used the one in
Germany. Germany seems to be the second fastest from what I can see. But here is a list of the full mirrors:

              USA           us.aminet.net
              Germany       de.aminet.net
              UK            uk.aminet.net
              Italy         it.aminet.net
              Sweden        se.aminet.net
              Norway        no.aminet.net
              Czech Rep.    cz.aminet.net
              USA           us2.aminet.net

For the complete list, head on over to http://us.aminet.net/info/www/mirrors.html. That will have the above list as well as the
partial mirrors. Updates are usually done fairly quickly when new files are uploaded, but if you don't see something on a
mirror that is on the main server, just be patient.
On the main page of Aminet, at http://www.aminet.net you'll be greeted by the last 14 days worth of uploads. In recent times,
the page wasn't updated as much due to the Amiga languishing in corporate hell. Plus the interface was pretty much bare
bones. Now it has gotten a makeover thanks to the renewed efforts of Aminet's maintainers. Aminet now stores files for not
only the 68K versions of the OS, but for the PPC (OS4, MorphOS, WarpUp, PowerUP), as well as the i386 based Amithlon and
AROS.

There was still some software for the 68K Amiga being written by the community, before the changes, but at only a trickle.
Now with the release of OS 3.5/3.9 and OS4, the page is getting updated very frequently. And if you're a music fan, you can
always find new mods on Aminet as well.
Aminet is divided into categories to help make finding what you want easier. 15 categories with assorted sub categories
allows you to navigate to a specific subject of software you are looking for and allows you to browse what's available. A listing
would look something like below...

              14Bit_CDPlayer.lha   disk/cdrom   92K   1997-12-24   Ver1.1 CDPlayer for Toshiba, 14bit output - (readme)
First up is the name of the program. Most of the files for the 68K Amiga are still in LHA format, and LHA is available in a self
executable binary on Aminet. You can also find LHA for the x86 platforms as well. WinZip allows you to see the contents of
an LHA file, but I have yet to manage to get it to extract the files without the actual LHA program being installed. Yet WinRAR
seems to have this all built in. Also the x86 version of LHA hasn't been updated in some time. I would suggest going with
WinRAR as it has a GUI and seems pretty solid when it comes to LHA files.
After the name you'll see the directory and sub directory where you found the file. This is if you used the search feature of the
site, which we'll cover in a bit, and want to know where the file is located if you decide to come back at a later time.
The next one is of course the file size, followed by the date it was uploaded. Most of the older files have disappeared over the
years. I know this from searching for doors and other files for my BBS. But if you have any of the Aminet CDs available to
you, these files are not lost forever. You can regularly find them on eBay as well as some of the Amiga retailers online. And
since the software on them is mostly shareware, demos and freeware, making a copy of your buddy's is probably ok as well.
But I would suggest researching this as I didn't have time to for this article.
Now something new has been added, and that is a graphic that shows which platform the program is for. The classic rainbow
check mark is the logo for the classic 68K Amiga platform that runs the Motorola 68K cpus (But we knew that already right?).
For the new OS4 you would see the red and white checkered Boing Ball, MorphOS would be a blue butterfly, and WarpUp
and PowerUp PPC would be their respective logos in icon form, as well as for the AROS and Amithlon systems. Then you
have a brief description of the program. This is clickable to give you the longer version.


                                      Ver1.1 CDPlayer for Toshiba, 14bit output
                                      powerp xxxxxx-xxxxxx.xx-muenchen.de (Christian Buchner)
                                      disk/cdrom
                                      68k-amigaos
                                      http://main.aminet.net/disk/cdrom/14Bit_CDPlayer.lha - View contents
                                      http://main.aminet.net/disk/cdrom/14Bit_CDPlayer.readme






A CD-DA player for Toshiba CDRoms that replays via the Amiga audio channels
Version 1.1


This is an update to V1.0 that has passed through Aminet recently.

* The GUI can now be opened on public screens and when started from a shell.
* Fixed enforcer hits in calibration program.
* Fixed a small bug in sound driver. Sound driver somewhat enhanced.

Features:

* CLI, Workbench and DeliTracker interface
* Previously unseen 14 bit quality.
* Does not disturb and is not disturbed by multitasking (HIGHPRI flag)
* Acceptable (not very high) CPU usage with DMA controllers

* FULL SOURCE CODE INCLUDED!

The CDPlayer is built upon a 14bit experimental CyberSound low level driver. I am having
great plans for a new sound subsystem replacing audio.device and sound.datatypes. Drivers
for toccata, maestro planned. Concept texts included! Suggestions welcome.

Some of the info not shown here, that is new, is that authors now have the option of uploading a screenshot of the program
which will be included on the readme page. Also, some authors like to include the file list for the archive they've uploaded.
Other info which is not shown is the distribution of the file. If the author decided he/she didn't want it released on any of the
Aminet CDs, they could fill in an optional field in the readme that would let Aminet know what he wanted. The readme is a
required file for all Aminet archives, as any file without a readme is suspect to being a commercial program and will probably
be deleted from Aminet. Also, some other fields that could show up are "Requires", which would tell you about other archives
that the upload needs to work, with a full path if on Aminet. Also memory and chipset requirements could go here. "Replaces"
lets the author specify files that are superseded by this upload. And version numbers as well.

Now if you're in a saucy mood like I am sometimes, and like to just do some searches for keywords or are not sure where to look
for what you want, the search feature on Aminet is pretty nice and has a few options for you to use to help narrow down what
you want.

The search flags are pretty simple. But instead of using the "*" as a wildcard, you would use "%" to match a phrase or
keyword. To match a single character, you would use "_". Literals can be escaped with a backslash "\". So as the example on
Aminet shows, a search for "lha%" would return all files that have LHA in the name and before the dot.
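An added Python example (not Aminet's own search code) that applies the "%", "_" and backslash rules above to the hard/hack file names quoted later in this article; case-insensitive matching is an assumption.

```python
import re

# Constructed sample: file names taken from the hard/hack listing in this
# article, plus one decoy ("14BitXCDPlayer.lha") to show why escaping matters.
SAMPLE_NAMES = [
    "14Bit_CDPlayer.lha",
    "14BitXCDPlayer.lha",
    "2000slot.lha",
    "2megagnus50d4.lha",
    "2MegAgnus50d5.lha",
    "2Megram.lha",
    "3to1mix.lha",
    "4IDE.lha",
]


def aminet_pattern_to_regex(pattern):
    """Translate the Aminet search syntax into an anchored regex:
    '%' matches any run of characters, '_' matches exactly one character,
    and a backslash makes the following character literal."""
    parts = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            parts.append(re.escape(pattern[i + 1]))  # escaped literal
            i += 2
            continue
        if c == "%":
            parts.append(".*")
        elif c == "_":
            parts.append(".")
        else:
            parts.append(re.escape(c))  # everything else is literal (incl. '.')
        i += 1
    # Case-insensitive matching is an assumption about Aminet's behaviour.
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def aminet_search(pattern, names):
    """Return the names (in input order) that the pattern matches in full."""
    rx = aminet_pattern_to_regex(pattern)
    return [n for n in names if rx.match(n)]


if __name__ == "__main__":
    # '_' is a wildcard, so the unescaped form also picks up the decoy;
    # escaping it with a backslash narrows the hit to the real archive.
    print(aminet_search("%agnus%", SAMPLE_NAMES))
    print(aminet_search("14Bit_CDPlayer.lha", SAMPLE_NAMES))
    print(aminet_search(r"14Bit\_CDPlayer.lha", SAMPLE_NAMES))
```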


One feature of Aminet that I miss that was stopped some time ago was the distribution CDs. Since a lot of their downloads
now are from broadband users, they decided to stop. Plus at the time, the amount of incoming software was at a low point,
and it didn't make much sense to continue it. But now with the resurgence of uploads, perhaps they will start things up again.
But there is a wealth of software on Aminet for your classic Amiga. Hardware hacks being some of the more interesting ones.
Just doing a quick look in the hard/hack section you find some very good ones.

2000slot.lha         5K  1992-03-11  Use A500/A1000 expansion as A2000 slot
20romA1000.lha       2K  1996-01-27  Kick20 in A1000 freak's hack
2HDsOn1200.lha       2K  1996-08-20  How to get 2HD's on a 1200 or 1HD and a CD Rom
2megagnus50d4.lha  182K  1993-12-04  Build a 2 meg Agnus board for 500/2000
2MegAgnus50d5.lha  183K  1995-10-23  Build (or buy) a low-price 2 meg Agnus board for 500/2000
2Megram.lha         11K  1997-02-22  2Meg Ram mod for A500
3to1mix.lha        147K  2000-08-28  3 Devices to 1 Mixer
4IDE.lha            14K  1998-01-30  Connect 4 IDE drives to your A1200/4000

So if building hardware is your thing, that is just a sample of what is there. If you code and still have your Amiga, Aminet is
still accepting programs. So why not upload that little app you have sitting there? Or if you have something to make it easier
to move files between the Amiga and PC file systems, upload it. I encourage you to go visit Aminet if you haven't done so in a
while. I think you'll be impressed with its update and the new software that is now coming out for the Amiga. I would also
encourage you, if you do code, to dig out any old programs you have for your Amiga and upload them, or better yet, update
them and re-release them. Hell, maybe now could be the time to release the source code for that little RPG you wrote. Even
if you don't code for the Amiga platform, you could always release the source code and have the Amiga Community do the
porting.

Well, that's going to wrap it up for this one. In my next one, I'll tell you how to get an Amiga up and running on your x86
based machine using the free WinUAE.

'nuff said ...




Hacking the Mirra M-250
By Ustler

Introduction


For some time I've noticed the Mirra M-250 server in stores, magazines, and online advertising. Searching through the web, I
was only able to glean basic information about how the server worked. Was it a custom application like the Linksys NSLU-2
or the Linksys EFG-250? What are the hardware specs? Could it be hacked? Was it Linux or Windows based? Did it really
perform 128-bit encryption like the website claims? These questions and more are what I'll be exploring in this article.

Scope of the Article

First off, I want to define the scope of the article (What I'll cover and what I won't cover). Most importantly, this article will
cover the basic specifications of the M-250 server along with some information and observations about software, and
possible hacks. For legal purposes, I have to remain very vague on some of the contents on the Mirra hard drive (Specifically
anything with their strict legal header attached).

Purchasing the Mirra
By far, one of my favorite forms of hacking is hardware hacking. For over a year, I've wanted to hack a Mirra server, but
never really had the money or time to do so. After much debate, I finally decided to purchase it off eBay for around 300$
(Product was an open box return. MSRP 499$+). It seemed like a good deal since I was getting a 250 GB hard drive (If all
else fails, pull the hard drive out).

After waiting a week, which seemed more like months, my Mirra finally arrived. I quickly opened it up and started to mess
with it. Since it was open box, it didn't come with any software or manuals, which would normally be fine, but the Mirra client
software required a hardware specific CD-key. So for my first hack, I had to do a little social engineering. At first, I decided to
play it straight, so I called the company up, and asked them for the CD-key. After explaining where I purchased it from, and
why the CD-key was missing, the customer service rep put me on hold and disappeared for 30 minutes. Eventually, he came
back and said "Well sir, we are sorry, but we don't support anything purchased off eBay." So I said, "Well what should I do to
get the CD-Key, the item is brand new, but for some reason, the person that returned it didn't return the CD-Key." And then
he made the fatal mistake of saying "I honestly don't know." First off, this really pissed me off. A company should support
ANY product that is sold through ANY retailer, and they shouldn't be allowed to discriminate. Furthermore a customer service
representative should never admit that he doesn't know an answer. It makes the company look weak and unprofessional.

At this point I was stuck with a useless Mirra server, but I wasn't going to let this stop me. I quickly set up a free email
address and created a plausible explanation as to why I didn't have the CD-key (Email was chosen because after calling back 3-
4 times, I came to the conclusion that the person who I spoke to before was the only person operating the phones). Without
going into much detail, I explained that I had purchased the Mirra server a long time ago (6 months), and took out the CD and
manuals to read them over. When I finally had time to set it up, I couldn't find the manuals and CD, and went on to explain
that I must have misplaced or lost them. I also emphasized that I had spent a lot of my valuable time looking for the
documentation and CD, but was unable to pinpoint their location. After sending this off with the serial code (Which was on the
bottom of the Mirra), I waited for around 24 hours before getting a response. And guess what, they gave me the CD-Key
(Now how hard was that!).

Hardware

Since I had waited for the CD-key for almost 24 hrs, I decided to take a peek inside the Mirra before doing anything else. At
first glance, you'll notice that the Mirra sports almost all the inputs and outputs of a normal PC (Serial, Printer, USB, Ethernet,
Sound, VGA). The only things missing are the mouse and keyboard ports.




                                                          [Image: outside views of the Mirra]

Next, I proceeded to open the thing and scope out the insides. I was able to glean some info from extremetech.com such as
"1GHz VIA Centaur CPU (fan-cooled), 128MB of DDR266".




                                                    [Image: Mini-ITX board, fig 1]

Just to note, the IDE connectors and front side USB connectors were removed to allow you to get a better look at the
motherboard. Also, there is a hard drive just below the PCI slot on the bottom. As you can see, we have all the makings of a
normal PC. We have 2 IDE ports, 2 memory slots, a fanless VIA CPU, a PCI slot, and some other stuff. The motherboard is
actually an Epia-ESP5000 and the PDF containing all the info can be found on this website (http://www.viavpsd.com/product/
epia_mini_itx_spec.jsp?motherboardId=21).

My next goal was to find out the prices for all the components (400-500 USD for the Mirra? How much was Seagate making
off these devices?) I went ahead and grabbed all the part numbers off the components and did a quick search on the net for
the prices.

                                     Part Number      Cost          Note
                                     K-1010           45            http://www.casetek.com.tw/mini/ck-1010-1b.htm
                                     (unreadable)     35.99         No longer sold. It was replaced with a newer model.
                                     (unreadable)     98            http://store.ituner.com/ituner/viae 50ed53f.html
                                     (unreadable)     EST. 14.00+
                                     (unreadable)     50+           Retail is 108, comes with 50$ rebate.
Now that I had a feel of what I was dealing with, I decided to plug in a monitor and USB keyboard. After hitting the power
button, I was presented with a huge Mirra splash logo. Not too long after, the OS started to boot. And guess what, it was
LINUX. To be exact, it was Debian Linux 3.0. After the initial boot process, I was presented with a bunch of ReiserFS journal
messages (Hmm, guess they're using ReiserFS.) Finally, after 1-2 minutes of loading, I was presented with the login prompt.
I quickly grabbed my USB keyboard and attempted to try a few obvious passwords such as Mirra/Mirra, Mirra/arriM, etc.
But for some reason the USB keyboard did not work. Certainly they were preventing any kind of USB device from working
(I would have to guess that they disabled it in the BIOS). Now, according to the manual for the ESP-5000, there is supposed
to be a mouse and keyboard port, but unfortunately I didn't notice any during my initial inspection of the peripheral. After
taking a quick look inside the box, I noticed that they were indeed there, but for some odd reason, they had covered them
up (Security through obscurity!). So I proceeded to peel off the sticker (Shown Below)




After finding a standard keyboard (non-USB), I went ahead and plugged myself in and began password guessing. Much to my
dismay, I was unable to gain any headway in my attempt to crack the password. At this point I had two choices: Remove the
hard drive, or find some way to boot off a CD-ROM, which leads me to my next section of the article.

Getting the Mirra to Boot

The BIOS on the Mini-ITX board is set up to boot from the Primary Master and any attempt to boot from other devices is
futile. Attempting to enter the BIOS gives us the standard annoying password prompt. Now the obvious route of attack would
be to reset the BIOS (Jumper or removing the battery), but in this case this didn't accomplish anything. After trying both
methods, I concluded that the BIOS was a custom OEM build and the password was probably either invalid (Meaning there
was no actual password, just a loop for the password prompt) or it was hard coded into the BIOS image. At this point, I really
didn't care about recovering the BIOS password; I just wanted to reset the BIOS to the factory defaults. I was able to get the
Mirra to boot off another hard drive that contained Linux by swapping the IDE cables (Primary Master), which gave me the
idea on how to flash the BIOS. To accomplish my goal of gaining access to the BIOS, Linux wouldn't be the best operating
system since most BIOS flashing programs are DOS based. To flash the BIOS, I was going to need either a DOS or
Windows operating system from which I could run the flash program. To do this, I went ahead and downloaded the
open source alternative to DOS, FreeDOS (http://www.freedos.org/). FreeDOS is very similar to DOS, but it's free, and comes
with a lot more features. To make the Mirra boot into FreeDOS, I wasn't going to be able to use the Live CD, so I pulled the
Linux hard drive that I had used earlier and hooked it up to another computer I had. After booting into FreeDOS (Via the CD),
I went ahead and followed the prompts and installed it to the appropriate hard drive. When the installation had finished, I
restarted and booted into Windows XP (Which was on the Primary Drive). After Windows finished loading, I went ahead and
downloaded the BIOS image and flashing utility and proceeded to save them to the FreeDOS FAT partition.
http://www.viavpsd.com/product/1/0/epia0207.BIN
http://www.viavpsd.com/product/5/0/awfl823b.exe

Next I removed the hard drive and reattached it to the Mirra, making sure to set it as Primary Master. The first attempt to boot
into FreeDOS worked, and I was able to flash the BIOS. But for some odd reason, the BIOS still prompted me for a
password, so I decided to try the "BIOS reset" jumper again. After waiting a minute or so with the jumper set to reset, I
returned it to the default setting, and started to boot the system again. After entering the BIOS, I was relieved to see that the
password prompt had indeed been removed. (DO NOT BOOT INTO MIRRA AFTER YOU HAVE FLASHED YOUR BIOS.
KEEP READING)

 Mirra OS




                                                          [Image: Hacking in Progress]

As I mentioned before, the Mirra server is no more than a Debian 3.0 Linux server that's modified to act as a backup server.
Of course, it is entirely possible to add features to Mirra without losing any functionality. Samba, SFTP, and maybe even a
firewall are entirely possible while still being able to use Mirra itself. To do the following modifications, you are going to need
to have done the modifications to the BIOS (If you're booting off of a CD) or the other option is to add a separate hard drive
with Linux preinstalled on it (Primary Master), and set the Mirra hard drive to Secondary Master.




To explore the Mirra hard drive, I'll be using Fedora Core 4.

First let's look at the layout of the Mirra hard drive:

[Screenshot: fdisk partition listing of the Mirra hard drive; unreadable in this scan, summarised in the text below]
First thing we notice is that there are 3 primary partitions (hda1, hda2, hda3) and an extended partition (hda4). Within hda4,
we have 5 reiserfs partitions and one swap partition. The next task is to create folders to which I can mount the partitions.
This is pretty simple, just do
mkdir /mnt/hda1

And increment the number at the end till you're at 10 (Excluding hda8 and hda4, which do not need to be mounted). Now
we're ready to mount our partitions (Shown in the picture below)




       [root@localhost /]# mount /dev/hda1 /mnt/hda1
       [root@localhost /]# mount /dev/hda2 /mnt/hda2
       [root@localhost /]# mount /dev/hda3 /mnt/hda3
       [root@localhost /]# mount /dev/hda5 /mnt/hda5
       [root@localhost /]# mount /dev/hda6 /mnt/hda6
       [root@localhost /]# mount /dev/hda7 /mnt/hda7
       [root@localhost /]# mount /dev/hda9 /mnt/hda9
       [root@localhost /]# mount /dev/hda10 /mnt/hda10
       [root@localhost /]# df
       Filesystem           1K-blocks      Used Available Use% Mounted on
       /dev/hdd2             20315844  10128916   9138288  53% /
       /dev/hdd1              1019208     14868    951732   2% /boot
       /dev/shm                155892         0    155892   0% /dev/shm
       /dev/hda1               530088    295504    234584  56% /mnt/hda1
       /dev/hda2               530088     32840    497248   7% /mnt/hda2
       /dev/hda3               393518    147752    245764  38% /mnt/hda3
       /dev/hda5               265008     32860    232148  13% /mnt/hda5
       /dev/hda6               393518     96716    296800  25% /mnt/hda6
       /dev/hda7               265008     32840    232168  13% /mnt/hda7
       /dev/hda9               530088     32840    497248   7% /mnt/hda9
       /dev/hda10           241015808     34028 240981780   1% /mnt/hda10
       [root@localhost /]#


                                                        Mount Points Breakdown
                                    Partition                           Mount Point
                                    /dev/hda1                           /
                                    /dev/hda2                           /altroot
                                    /dev/hda3                           /var
                                    /dev/hda5                           /ispiri
                                    /dev/hda6                           /update
                                    /dev/hda7                           /tmp
                                    /dev/hda9                           /slop
                                    /dev/hda10                          /data

Since we have the partitions mounted, we can now explore the contents of the partitions. The first partition we are going to
look at is hda1, which is the root partition. Inside hda1, we see the usual allotment of Linux folders, but take note of the
following folders since they appear to be out of the ordinary. These folders are altroot, data, ispiri, and slop. My first
impression about the folder "altroot" was that it was used to chroot, but this is not what it's used for. Altroot is the mount point for
hda2 and is used for updates. Essentially, in the case of an update (Major), the Mirra server would download the files and
extract them to altroot. Then it would set lilo to boot from hda2 instead of hda1, hence swapping the partitions (This may not
be entirely true; after I figured out that it was not using altroot as a chroot directory, I decided to stop investigating it.)

Probably the most important part of hda1 is the /etc/ folder that contains the rc.d files for booting. These are the files that we
will need to modify to ensure that we are able to boot from the Mirra hard drive without messing up our BIOS image. In
particular, you need to find the file "S18ispiri-bioscheck" (Please note this is a symbolic link to /root/init.d/ispiri-bioscheck)
find /mnt/hda1 -name S18ispiri-bioscheck

In my case, I just moved the file into /etc to prevent it from running. The file itself is pretty simple. It creates a SHA1 hash of
the nvram, and if it doesn't match the one contained in the file itself, it will restore the nvram from "/ispiri/nvram/slurpee/
lastnvram". Most of the customization scripts are contained in /root/init.d. One very important thing that you might want to
note about the boot process is that the lilo.conf contained in /etc is not used. If you look at /root/init.d/ispiri-setup you will see
that lilo.conf is removed and a symbolic link is placed to /root/lilo/lilo.conf. This same file also contains the script to migrate
from hda1 to hda2 during an upgrade, just in case you want to look for yourself.
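The check the article attributes to S18ispiri-bioscheck, rebuilt as an added Python example (not the Mirra script itself); the file names, the 1 KiB stand-in nvram image and the hash-carried-in-the-script layout are assumptions drawn from the description above.

```python
import hashlib
import os
import shutil
import tempfile


def sha1_of_file(path):
    """SHA-1 hex digest of a file, streamed so a large image is fine."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def bios_check(nvram_path, expected_sha1, last_good_path):
    """Compare the current nvram image against the digest baked into the
    script; on mismatch, restore it from the saved copy (the behaviour the
    article describes). Returns (matched, restored)."""
    if sha1_of_file(nvram_path) == expected_sha1:
        return True, False
    shutil.copyfile(last_good_path, nvram_path)
    return False, True


def demo():
    """Run the check twice on constructed data in a temp dir:
    once untouched, once after a simulated BIOS-setting change."""
    workdir = tempfile.mkdtemp()
    nvram = os.path.join(workdir, "nvram")          # hypothetical path
    last_good = os.path.join(workdir, "lastnvram")  # hypothetical backup copy
    good_image = bytes(range(256)) * 4              # constructed 1 KiB CMOS stand-in
    for p in (nvram, last_good):
        with open(p, "wb") as f:
            f.write(good_image)
    expected = sha1_of_file(last_good)              # digest the script would carry

    first = bios_check(nvram, expected, last_good)  # untouched -> (True, False)

    tampered = bytearray(good_image)
    tampered[0] ^= 0xFF                             # flip one byte: a changed setting
    with open(nvram, "wb") as f:
        f.write(bytes(tampered))
    second = bios_check(nvram, expected, last_good) # mismatch -> (False, True)
    restored_ok = sha1_of_file(nvram) == expected   # image is back to the known copy

    shutil.rmtree(workdir)
    return {"first": first, "second": second, "restored_ok": restored_ok}


if __name__ == "__main__":
    print(demo())
```

Because the expected digest lives inside the script, the check catches stray or accidental changes to the CMOS settings but not someone who can edit the script or, as above, simply keep it from running. That is why the file had to be moved aside before booting with the reflashed BIOS.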
Now that we looked at hda1 and hda2, we can move onto hda3. This partition is your typical /var so there really isn't much to
notice. The only thing worth noting is the "ispiri" folder that contains some files in a subdirectory called slurpee. Taking a look
inside of the file client.db, you will notice that it's formatted in XML. Most notably the value , which makes me
wonder if they are implementing some sort of PKI system running on their servers.
Surprisingly, hda5 is an exact copy of /var/ispiri/. This is probably for backup purposes, although I could be wrong. On the
other hand, hda6 offers us a complete backup of the Mirra OS. I don't know if this is particular to servers that were
upgraded, or if it's common to all Mirra servers. It would make sense to keep a complete backup just in case the system
became corrupt or problems started to arise. Within hda6, which is mounted as /update, we have two folders, osload and
precious (Must be a Lord of the Rings fan). The folder precious has one file named license.xml. This file appears to contain
some interesting information. As the extension implies, the file is in XML format and contains only three values: licensekey,
securitykey, licensekeystate. The LicenseKey value, as its name implies, contains the license key used to activate the
software. The Security key on the other hand is probably associated with Mirra.com servers. The last value is used to verify
the state of the license. For example, in my XML file, the value is set to $VERIFIED, which probably points to another value
set by one of the startup scripts.
Now that we briefly examined the license.xml file, we move onto the osload folder. This folder contains the root files in gunzip
and cpio format. The file control.xml has the names of the files to extract along with the SHA1 hashes. The extraction process
is pretty straightforward, so we won't cover exactly how to extract or manipulate these files; if you need assistance with this,
contact me and I'll get back to you.
The hda7 and hda8 partitions are standard on most Linux systems (/tmp and swap) so we won't discuss their purpose. Last
but not least, hda10. This is the actual data partition that Mirra stores the backup files on. As shown in the previous table,
the mount point is /data. The Mirra program itself doesn't actually access /data directly, but through a symbolic link
contained in /ispiri/slurpee/. It is entirely possible to mount an external drive and repoint the data partition, but this would
require editing the startup files (Which reconfigure the symbolic links during startup)




    Give Me Root




                                      [Image: Hacking in Progress with the CD-ROM and secondary hard drive]

    All right, enough with looking at the layout, let's start working on gaining root access. After attempting multiple different
    methods, I came up with an easy solution for changing the root password. To do this, we need to change the default runlevel
    to one. Next we are going to need to mount the hda1 partition and modify /etc/inittab. Now, any Linux guru would probably
    wonder why we wouldn't attempt to replace the lilo bootloader, and then append the runlevel. The answer is actually simple:
    unless we modify the inittab file, we won't be able to log into the box without a password.

    Normally single user mode would not require a password, but in this case, we have an additional line added to our inittab

    ~~:S:wait:/sbin/sulogin

    This entry is used to require a password for runlevel 1. To defeat this security measure, simply comment it out with a #. After
    commenting that line out, head up to the line just below "# The Default runlevel.". Here we can specify the default runlevel.
    Normally this would look like "id:3:initdefault:", but we need to change this to "id:1:initdefault:". After rebooting, you should be
    given a shell with root access. Now it's time to change the root password. This is rather simple, just type in "passwd" and
    change your password, simple as that. If you are running the client software you'll notice that the connection to the server
    isn't present. To get the server to work with the client software we need to change to runlevel 2. Before we do this, there are
    two important files we need to remove. These are /etc/nologin and /etc/nologin.boot. These files prevent logins from the
    console and are re-added through a startup script every time you boot. After removing them, we can enter "telinit 2". After
    this, we have to wait 1-2 minutes for it to switch runlevels. After it's done, you should be able to type in the username "root"
    and the password that you entered earlier. Great, now we have console access, what about SSH? Well, SSH access has a
    few tricks we need to employ to get it to work. Normally in runlevel 2, the script S19-ispiri-sshdebug would run. In the startup
    script, it checks for a variable that defines whether or not the server is set in debug mode. If it's not in debug mode, a file is
    created in /etc/ssh/ called "sshd_not_to_be_run". If this file exists, SSHD won't run. Simply remove this file also. Now we go
    back to /etc/rc2.d/ and run "./S20ssh start". And it's as simple as that.




                                                          [Image: PuTTY connected to Mirra]

    Server and Client

    We haven't talked much about the server/client part, so we will briefly talk about it in this section. As you may have noticed,
    Mirra runs on Linux and the client is based on Windows .NET (Weird Combination). The actual server part is built in Java and
    runs on Jetty, the 100% Java server. Since I don't program in Java, I'm not even going to try to figure out how it runs, and I'll
    leave that up to the Java nuts. What I do know is the server is vulnerable to a denial of service attack (Determined by
    scanning with Nessus) [http://secunia.com/advisories/11166/]. Other than that, nothing else appears to be remotely
    exploitable. Now I wanted to take a quick look at the way the server and the client communicate. According to the site, the
    server uses 128-bit SSL encryption, but the keyword that made me suspicious was "internet". Now anyone with any
    background in networking knows that there is a big difference between the internet and a LAN. What I wanted to know was
    whether or not information being transferred between the Mirra client and server was encrypted. For the client to work, it has to
    be on the same network as the server, so I had to assume that the connection was not being tunneled through a proxy of any
sort. Running ethereal produced some very interesting results. The authentication key appears to be generated from Mirra.
com and is sent to the server by the client in clear text. On another note, the client sends all the information in friendly and
unencrypted XML. Now, being of the curious nature, I've done a little war driving around Doctors' Offices (One of the Primary
Clients for the Mirra Server) and have noticed that most of them either don't encrypt their wireless LAN, or simply use WEP.
Since the Mirra sends information unencrypted over the LAN, and only encrypts data when it's being accessed via Mirra.
com, it's entirely possible to either sniff the traffic (If the client part is wireless based) or attempt a man in the middle attack.
Just in case you're not familiar with a Man-in-the-Middle, I'll give a quick example. First off, our network layout is below. To
employ this hack, we use a technique called ARP Poison Routing (APR). This technique relies on the fact that the ARP
protocol does not use any form of authentication and is stateless. Essentially what we are doing is re-routing the traffic from
the client through our computer before it reaches the Mirra server. Normally this could be solved with a layer of encryption
(Such as SSL), but unfortunately this feature is not implemented. I know there are a variety of ways to protect against a man-
in-the-middle attack, but SSL seems like a quick and easy solution for Mirra when deploying a server in an unknown
environment.

[Network diagram: Mirra Server and Client on the LAN behind a Wireless AP, with the Hacker's machine inserted between them]
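One way a defender on this kind of LAN can notice the APR technique described above, as an added Python example that is not part of the original article; the ARP reply lines, addresses and timestamps are constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed sample: ARP replies as a passive sniffer on the LAN might log them.
# 192.168.1.10 stands in for the Mirra server and 192.168.1.20 for the client;
# the de:ad:be:ef:00:01 station starts answering for both at 10:00:32.
SAMPLE_ARP_REPLIES = """\
10:00:01 reply 192.168.1.10 is-at 00:11:22:33:44:55
10:00:02 reply 192.168.1.20 is-at 00:aa:bb:cc:dd:ee
10:00:31 reply 192.168.1.10 is-at 00:11:22:33:44:55
10:00:32 reply 192.168.1.10 is-at de:ad:be:ef:00:01
10:00:33 reply 192.168.1.20 is-at de:ad:be:ef:00:01
"""

LINE_RE = re.compile(
    r"^(\S+) reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})$"
)


def parse_replies(text):
    """Return (timestamp, ip, mac) tuples; lines that do not parse are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2), m.group(3).lower()))
    return out


def detect_arp_anomalies(replies):
    """Flag the two fingerprints of ARP poisoning: an IP whose MAC changes,
    and a single MAC that claims several IPs (posing as both endpoints).
    Returns alerts in the order they are raised."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append((ts, "mac-change", ip, prev, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append((ts, "mac-claims-multiple-ips", mac,
                           tuple(sorted(mac_to_ips[mac]))))
    return alerts


def analyze_sample():
    """Run the detector over the constructed log."""
    return detect_arp_anomalies(parse_replies(SAMPLE_ARP_REPLIES))


if __name__ == "__main__":
    # Mitigation side: static ARP entries on the two hosts, or encrypting the
    # client/server channel, take the value out of rewriting the ARP cache.
    for alert in analyze_sample():
        print(alert)
```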

As we mentioned before, the authentication appears to be some sort of public-key system, which rules out a straightforward
replay attack. What you may be able to do instead is a connection hijacking/spoofing attack. In this attack, we would first
monitor the communication using a sniffer (possibly after ARP poisoning, depending on the topology); once we have enough
information about the authenticated session (addresses, ports, TCP sequence numbers), we hit the client with a DoS or similar
attack to knock it offline (in a wireless environment, we would force the client to disassociate with forged deauthentication
frames). While the client is down, we take over its address and continue the already-authenticated session, impersonating the
client (with appropriate IP and MAC spoofing, of course); the point is that we never need to replay the public-key handshake,
only the connection it protected.
Another weakness that I've identified is the fact that the Mirra sends out "sleep" packets at a set interval. These packets are
in XML format, and because they arrive at a consistent rate with the same layout every time, they hand an attacker known
plaintext for whatever encryption the LAN uses. If the wireless LAN is protected with a weak cipher such as WEP, we collect
these packets (they are easy to pick out: look for frames of the same size recurring at the same interval over a period of
time). XORing the predictable XML body against the captured ciphertext yields the RC4 keystream for that frame's IV, which
decrypts any other frame sent under the same 24-bit IV, and the same known plaintext feeds the statistical attacks on weak
IVs that recover the WEP key itself. The only form of randomness in these packets is the time and date, and even that can
be guessed from when the frame was captured.
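A model of the known-plaintext problem just described, as an added example that is not from the article and not Mirra code: a WEP-style RC4 link, the "sleep" packet picked out of a constructed capture by its fixed size and interval, the keystream recovered by XORing the ciphertext with the guessed XML body, and a second frame sent under a reused IV decrypted with it. The key, IV, packet bodies and capture timestamps are all constructed for the demo; real WEP's CRC-32 ICV and the statistical key-recovery attacks are left out.

```python
# Added example (not from the article, not Mirra code): the known-plaintext
# weakness on a WEP-style link. WEP encrypts each frame with RC4 keyed by
# (24-bit IV || shared key); the IV travels in the clear and repeats quickly.
# All keys, IVs, packet bodies and capture timestamps here are constructed.


def rc4(key: bytes, length: int) -> bytes:
    """Keystream of plain RC4, the cipher WEP uses."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # output generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Per-frame key is IV || shared key. The CRC-32 ICV real WEP appends
    is omitted; it does not change the attack."""
    return xor(plaintext, rc4(iv + shared_key, len(plaintext)))


# Constructed sniffer output: (seconds since start, frame size). The 33-byte
# frames every ~60 s play the role of the Mirra "sleep" packets.
SAMPLE_CAPTURE = [(0.0, 33), (12.4, 1460), (60.1, 33), (61.0, 90),
                  (119.9, 33), (150.2, 1460), (180.0, 33), (200.5, 90)]


def find_periodic(capture, tolerance=0.5):
    """Group frames by size and return (size, interval) for the size that
    recurs at a near-constant spacing, or None. This is how the heartbeat
    is picked out of traffic whose contents are encrypted."""
    by_size = {}
    for ts, size in capture:
        by_size.setdefault(size, []).append(ts)
    best = None
    for size, stamps in by_size.items():
        stamps.sort()
        if len(stamps) < 3:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if all(abs(g - mean) <= tolerance for g in gaps):
            if best is None or len(stamps) > best[2]:
                best = (size, round(mean, 1), len(stamps))
    return None if best is None else best[:2]


def demo() -> bytes:
    shared_key = b"13byteWEPkey!"            # victim's key; attacker never learns it
    iv = b"\x3a\x07\xc1"                      # sent in the clear; reused below
    sleep_pkt = b'<sleep ts="2005-10-14T21:00:05"/>'     # 33 bytes, fixed layout
    secret = b'<file name="taxes2005.xls"/>'             # another frame, same IV

    c_sleep = wep_encrypt(shared_key, iv, sleep_pkt)
    c_secret = wep_encrypt(shared_key, iv, secret)

    # Attacker side: the layout is known and the timestamp is guessed from the
    # capture clock, so the whole plaintext is known.
    guess = b'<sleep ts="2005-10-14T21:00:05"/>'
    keystream_for_iv = xor(c_sleep, guess)    # 33 bytes of keystream for this IV
    return xor(c_secret, keystream_for_iv[:len(c_secret)])


if __name__ == "__main__":
    print(find_periodic(SAMPLE_CAPTURE))      # (33, 60.0)
    print(demo())                             # b'<file name="taxes2005.xls"/>'
```

The demo never learns the WEP key; IV reuse alone is enough, which is why a fixed-format heartbeat on a WEP network is a real leak, and why the fix is WPA2 on the LAN plus end-to-end encryption in the Mirra protocol rather than a longer WEP key.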
Expanding the Possibilities
In my opinion, I would rather just run Linux off the hardware than use the Mirra-modified version of Debian Linux.
Although most of you hopefully feel the same, some of you might want to keep using Mirra.com and still be able to access the
box via SSH, FTP or SFTP. Well, fortunately for you, I do have some suggestions. I do have to warn you that certain upgrades
(such as Perl) will break the Jetty server (this can be fixed by moving libraries around, or by downgrading). Also, if memory
serves me right, the Mirra already had apt-get installed on it. The only problem was that the directory structure apt expects
was missing. So after re-creating the directory structure and adding the proper sources, I was able to successfully run
"apt-get update" and then "apt-get install nmap" or "apt-get install gcc". I would highly advise against running "apt-get upgrade"
because it will break the Jetty server (Perl upgrade); if you must upgrade other packages, hold the Perl packages at their
installed version first (an apt pin in /etc/apt/preferences does this). On a further note, you may have to play with a few things
to get it to work. We won't discuss this




Blacklisted! 411                             Volume 7 Issue 4 - Fall 2005                                                        67
since this is only an introductory article on the Mirra server and I have space and time constraints. I can say that I've
successfully installed vsftpd, openvpn, nmap, nessus, and a few other tools.

 Vast Room for Improvements

Seagate has a great idea, but really needs to improve the security of their product. Of course they won't be able to "totally"
secure the backup server, but the current security of transfers between client and server is weak. Also, I would like to see
them implement encryption when storing information. Now you may wonder, wouldn't that be expensive and require a faster
platform? Well, fortunately with VIA's new PadLock technology, this is entirely possible. VIA PadLock is, to my understanding,
a hardware-based encryption engine built into the processor that accelerates AES. Check it out
(http://www.via.com.tw/en/initiatives/padlock/hardware.jsp). We can clearly see from the comparison on the website that the
PadLock technology reduces encryption time significantly while using less CPU. Also, a Trusted Platform Module for storing
passwords and encryption keys, along with a way to securely back up the keys, would be appreciated (without a key backup,
a dead board means a dead backup). Of course I understand that these security features could raise the price of the product,
so I would suggest the ability for a purchaser to customize the appliance, or upgrade it. For example, you could buy the server
at Best Buy, and then pay 100 dollars to upgrade it to a high-security model which would require some sort of hardware
addition.

 Closing Thoughts

While Seagate and Ispiri have done a relatively good job of bringing a backup server to the market, much is to be desired
when it comes to security and pricing. Not only, in my opinion, is the product overpriced, but it lacks the features that would
allow it to crush the competition. Of course the "Remote Access" feature is desirable, but it makes us dependent upon
Mirra.com and Seagate for their services. If Seagate ever decided to close the website down, we would no longer have remote
or local access to the backup server. While this probably won't happen anytime soon, I fear that it may be discontinued down
the road due to lack of sales. As for pricing, I feel that Mirra is extremely overpriced. The price difference between the M-250
and the M-160 is over $100. That's 100 USD for 90 GB of extra space. That may seem reasonable to some, but you have to
consider that the actual hard drive's MSRP is approximately $50 after the mail-in rebate. Furthermore, the price difference
between the M-400 and M-250 is 300 dollars ($799 and $499). Considering that I could simply purchase a second hard drive
and mount it in the spare 5.25" slot (thus giving me 500 GB), I doubt the price is driven by the cost of hardware. In
conclusion, I feel the Mirra is appropriate for small businesses lacking technical expertise, but for the rest of us, don't waste
your money. Might as well go buy the hardware yourself, and install Fedora.




CLOAKING AND YOU
                                                By Grandpa Hackman


It sounds so mysterious. Cloaking. Like something with ominous gray overtones.

Why is it done? How is it done? What is the future of cloaking?

This article will attempt to answer those questions.

I won't be able to include the actual instruction booklet to tell you how to cloak, but I can tell you what it's about, and how to
find out more. Also, this article describes website cloaking, not the kind often used by hackers to hide themselves on boxes
they have rooted. To fully understand what it's all about, an explanation of search engine optimization is in order.

Priorities. That's what it's about. Money. If you're a website owner, you have many options available to you to advertise
your site. Advertising your site is essential. After all, you may have the finest mousetrap on the planet, but if nobody knows
about it, you're not going to catch any mice.

There are not as many options as in "the good ole days", but there are still a lot of methods to advertise. There are "surf
engines" like ts25 (one of the best for the buck), double-opt-in safelists, pay-per-click, etc. If you're hyping a website, you
probably use all of these options and then some.

But it's hard to beat the "targeted traffic" you get for free from a search engine. Or should I say, "You can't beat the targeted
traffic you get for free from a search engine." This is because your potential customer came to you actually looking for your
product. He's 80% sold before he gets to your page. He needs and wants this widget and actually went to the trouble to
search for it.

And not only is this a very special customer likely to buy, buy, buy, but it didn't cost you a dime. Most other methods have
some cost involved and on top of that, the customers are not "targeted"; they just happen to be interested in the subject line
of your email, or your pretty webpage struck their fancy as it flashed across their screen, etc. They still don't know that they
want or need your product, they're just temporarily mesmerized. Now it's your job to "sell" them your product, much tougher
than just supplying what they're already looking for.

OK, so now we've discussed why you would want to be listed on the search engines. What is involved in getting listed?

Well, with most of them, not a whole lot. Yahoo wants $299/yr. to "think" about listing you, with no guarantee you'll get listed;
what a deal. Fortunately, there are ways to "trick" Yahoo into listing you without paying that outrageous graft.

But most of the rest will find you with their spiders. Now, this can take months. Most site owners are a little more anxious
than that. Again, there are ways to speed up this process, for free even. Well, it involves effort on your part, but at least no
capital outlay.

And then there is the issue of ranking. It really doesn't mean much if you get listed on a search engine and you're back on
page 68. Nobody is going to see you, NOBODY.

So not only is it important to get listed, but it is mandatory that you get a good ranking. Otherwise, your goal of making
money is not going to be realized.

Google states on their information pages that: "Google doesn't accept payment for inclusion (known as "paid inclusion") of
sites in our index, nor for improving the rank of sites in our results."

This appears to be the case. Google claims that their ranking system is based upon "a complex algorithm" designed to
prevent fraud and designed to give ALL the opportunity for a good listing, regardless of financial clout. All well and good.
Then they go on and tell you: "It's also possible that we're not able to crawl your site due to technical reasons. A few of the
most common ones are listed below:

      Your pages were unavailable when we tried to crawl them.
      Your pages are dynamicaily generated .
      You employ doorway pages.
      Your pages use frames."

And that's the problem. Except for the 1st instance, you may very well be employing one of those methods and have trouble
getting listed. And you probably have very good reasons to write a dynamically generated page, for example. These tend to
be infinitely more work to produce and for all your labor, you are rewarded with a page that Google won't list.

Which brings us full circle to cloaking. Cloaking is a method which allows you to serve one set of pages to the search engines
and another set to humans, or other divisions according to data sent by the requestor. Here's how it works:

When you (or the search engine) request a page, an HTTP request header is sent. Here's an example of the information in
this header (the request line names the page, and the Host header names the site):

GET /index.htm HTTP/1.1
Host: www.yoursite.com
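The branching a cloaking script makes on that request, together with the check a reviewer or search engine can run to catch it, as an added example that is not the author's code or any cloaking product's. The crawler User-Agent markers, the crawler IP range and the two page bodies are constructed stand-ins (real engines publish their own ranges); the "fetch" in the check is the local function rather than a network request.

```python
# Added example (not from the article): the decision a cloaking script makes
# from the request's User-Agent and source address, and the check a reviewer
# or search engine can run to catch it. Crawler names, the IP range and the
# page bodies are constructed stand-ins for the demo.
import ipaddress

CRAWLER_UA_MARKERS = ("googlebot", "slurp", "msnbot")        # assumed list
CRAWLER_NETS = [ipaddress.ip_network("66.249.64.0/19")]        # assumed range

PAGE_FOR_HUMANS = "<html><body><script>flashyMenu()</script><img src='widget.jpg'></body></html>"
PAGE_FOR_SPIDERS = "<html><body><h1>Widgets</h1><p>Widgets, cheap widgets, buy widgets.</p></body></html>"


def parse_request(raw: bytes) -> dict:
    """Minimal parser for the request head the article starts to show:
    request line plus headers, up to the blank line. Header names are
    lower-cased because HTTP header names are case-insensitive."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "path": parts[1], "headers": headers}


def is_crawler(headers: dict, remote_ip: str, require_ip_match: bool = False) -> bool:
    """UA-only cloaking is trivially fooled (anyone can send a bot UA), so
    serious cloakers also key on the source address; require_ip_match=True
    models that stricter rule."""
    ua = headers.get("user-agent", "").lower()
    ua_says_bot = any(m in ua for m in CRAWLER_UA_MARKERS)
    addr = ipaddress.ip_address(remote_ip)
    ip_says_bot = any(addr in net for net in CRAWLER_NETS)
    if require_ip_match:
        return ua_says_bot and ip_says_bot
    return ua_says_bot or ip_says_bot


def cloaked_response(raw_request: bytes, remote_ip: str) -> str:
    """What the cloaking server sends back for one request."""
    req = parse_request(raw_request)
    if is_crawler(req["headers"], remote_ip):
        return PAGE_FOR_SPIDERS
    return PAGE_FOR_HUMANS


def cloaking_check(path: str, host: str, remote_ip_as_seen: str) -> bool:
    """Fetch the same URL as a browser and as a spider; different bodies mean
    the site serves by requester, i.e. it cloaks. Here the fetch is the local
    cloaked_response(); against a live site you would make two real requests."""
    def request(ua: str) -> bytes:
        return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: {ua}\r\n\r\n").encode()
    as_browser = cloaked_response(request("Mozilla/5.0"), remote_ip_as_seen)
    as_spider = cloaked_response(request("Googlebot/2.1"), remote_ip_as_seen)
    return as_browser != as_spider


if __name__ == "__main__":
    print("cloaks:", cloaking_check("/index.htm", "www.yoursite.com", "203.0.113.5"))
```

The check only works from an address the cloaker does not recognise as a crawler when the script keys on User-Agent alone; once the script demands a crawler IP as well (`require_ip_match=True`), a tester on an ordinary connection sees the human page both times and the cloaking is invisible, which is exactly why search engines verify from their own address space and why the same trick is used to hide malicious pages from security scanners.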

trial offer, and if you use the code NTQOHeOOu527E you'll get a $5 discount.

is a printed hacking magazine put out by the DDP that covers hacking, phreaking, and other assorted topics from the
computer underground. For more information on the magazine, forums, HackRadio, HackTV, or any of our other numerous
projects, come to www.binrev.com and join the revolution. "THE REVOLUTION WILL BE DIGITIZED."

BLACKLISTED MEETINGS will begin in Greece as the new year arrives. They will be held every 3rd Saturday of the month and
they will begin at 7pm. Meeting point will be the centre of Athens at the metro station Panepistimio by the fountains. Also
check the webpage www.blacklisted411.gr.

NEW HACKING WEBSITE: Hackit.org has hacking guides, forums, tools and more. Much more. Check it out!

Marketplace classified advertising is currently FREE to anyone. It's a first come, first served offer, limited only by space
constraints within each issue. If you'd like an ad placed within Blacklisted! 411, you should send it in as soon as possible.
We accept both commercial as well as personal ads. We may decide not to publish any ads which are inappropriate or have
no connection with the hacker community.
CONTACT US AT: www.blacklisted411.net




MEETINGS

Interested in meeting up with some of the Blacklisted! 411 readers? We will list all hacker meeting information that is
provided to us. We will list "Blacklisted! 411" only meetings as well as "Independent" meetings open to all.

California
(949 Area Code) - Irvine
iHop - By Airport (Upstairs Room), 18542 MacArthur, Irvine, CA 92714 - Meeting is not Blacklisted! 411 specific. The
meeting date may change from month to month. For specifics, check here: www.irvineunderground.org
Hosted by: Freaky

New Mexico
(505 Area Code) - Albuquerque
Winrock Mall - Louisiana at I-40, food court, east side doors under the security camera dome.
First Friday of the month, 5:30pm - 9:00pm
Hosted by: Mr. Menning

Wyoming
(307 Area Code) - Rock Springs/Green River
White Mountain Mall - Sage Creek Bagels. The last Friday of every month from 6:30pm until 9:30pm.
Hosted by: Phreaky

Florida
(407 Area Code) - Orlando
The computer room in the Grand Reserve Apts. at Maitland Park
Last Friday of the month, 12:00pm - 1:30pm
Hosted by: Whisper

Texas
(713 Area Code) - Houston
In front of Rockfish on Westheimer/Kirkwood. Last Sunday of every month, 7:00pm till close.
Hosted by: MuertoChongo

Colorado
(719 Area Code) - Colorado Springs
DC719 - Hack the Rockies. Meetings held on the 3rd Sat. of every month. 8pm-11pm @ Xtreme Online, 3924 Palmer
Park BLVD
Hosted by: DC719 POC: h3adrush

(303 Area Code) - Centennial
We meet the first Friday and third of every month at 5:00pm at the Borders cafe on Parker in Arapahoe Crossings.
Hosted by: Ringo

Georgia
(678/770/404 Area Codes) - Duluth
Meetings are the first and third Tuesday of every month, in the cafe of Frys Electronics. They start at 6:30 until we get
kicked out, and then continue elsewhere. Visit our site at www.HackDuluth.org and sign up on the forums to receive
emails about the group.
Hosted by: P(7)NYB(7)Y

(678/770/404 Area Codes) - Snellville
Borders at 1929 Scenic Highway, first Saturday of every month. 8:00PM
Hosted by: iamsam (comingtoleave@gmail.com)

Mexico
(666 Area Code) - Tijuana, B.C.
Cafe Internet, Calle 12, Felix M. Gomez #644, Col. Libertad. In back room by payphone. First Friday of the month,
5:00pm to 8:00pm
Hosted by: Tom

YOUR MEETING HERE
Start up your own meeting! Contact us right away!




                    " 1I1.Ji(;n]~Isrl'I~J) ;l l l" rl\Nl'S YOIJll
                                                     l\lrl'1\rOnIl
Are you an artist? Do you like Blacklisted! 411? Do you hate Blacklisted! 411? Well, if you're looking for
work, it doesn't matter if you like us or not, does it? If you'd like to show off some of your talent, why not
send us some samples on PAPER or send us a disk with your sample artwork. We'd be happy to show off
your work, give you a free subscription or make some other arrangement if you'd like. If you're interested,
take a look through the magazine and make note of the existing artwork. Think about it and try to come up
with something completely original which coincides with the general theme of the magazine. A few ideas
to consider: Pirates, Skull & Crossbones, Einstein, Computers, Electronics, Phones, Cable TV, Satellite
TV, Radio, etc.

Here's who you send your artwork to:
Blacklisted! 411 ARTWORK
P.O. Box 2506, Cypress, CA 90630

We WANT to hear from you....don't delay - just send us what you have. We prefer
freehand artwork on PAPER, but will accept in high resolution (if at all possible) computer
graphics formats: TIF, TGA, JPG, GIF, PSD, PCX and most other popular image formats.