Letters: PUBLIC ADDRESS
Further Questions
Dear 2600:
I have a few articles ready for submission. Would like to send them to you, but first could you please point me in the direction you would like to see? Have a few ready about how to hire pen-testers, how to conduct safe pen-tests, exploit development (basic stack overflow, basic malware analysis), behavioral analysis, and a few more. Is there anything in particular you would like to publish about?
Yuval Nativ
We want you to write about what you know and tie it into the hacker perspective as best you can. We don't want to steer you into a specific topic or theme since you may have a great deal to say on something we know little about. The best articles come from the passion you feel about the subject matter, not from an assignment by us or anyone else. We look forward to seeing what you have to say.
Dear 2600:
The below mentioned things I used to do regarding penetration testing and currently working with the penetration testing (article writing and book publishing) firms from the U.K., Poland, and Russia. Let me know if I can submit an article and work along with you guys.
RP
In the interests of time and space, we left out your extended resume, which was pretty impressive, but completely unnecessary. We're not about titles and achievements, but rather ideas and theories written by curious and adventurous types who aren't afraid to try new things and risk getting into a little trouble in the process of learning and sharing information. That's what we define as the hacker perspective. So please send us an article (articles@2600.com) and tell us what you've been up to and what sorts of havoc you might be able to wreak, given the opportunity. You can be nine or 90, as long as you can write and have something interesting to say.
Dear 2600:
I'm going to be purchasing a lifetime subscription in the coming weeks and had a small (and fairly trivial) question.
I've been reading your magazine since the mid-1990s, and have always purchased it from a store. For subscriptions, do you ship the issues in an envelope or is it loose? I ask because I live in the frozen wastelands of Canada, and loose magazines from other publications tend to get torn up by the time they reach me.
I'm definitely getting the lifetime hook-up, so your response won't alter my decision. I'm just curious about what I can look forward to, that's all.
Thanks for your time.
Daniel
We thank you for your support. Lifetime subs help us pay the bills. Your issues will arrive in plain brown envelopes. For those who are really concerned about such things, our name doesn't appear in the return address.
Dear 2600:
I have been published a substantial amount and I have just completed an interview with an individual that by anyone's definition is a cyber spy. I thought of your magazine as a good place for such a piece.
As background, I was working on a piece about a cyber attack and this just sort of evolved out of that. My guess is that it would be about 1000 words.
So, are you interested? If so, when would you need the piece by?
Kevin
As our auto-responder should have told you, articles are continually processed, so deadlines aren't really an issue. Please just send us what you have and we'll hopefully find a place for it in a future issue.
Dear 2600:
If I digitally subscribe to 2600 through Google Play, would I be able to participate in the many perks that regular dead-tree version subscribers have?
A curious person
If by perks you mean being able to submit a free Marketplace ad, yes, this is now possible if you send us some sort of proof of purchase in place of the subscriber label coding. The perk of being able to smell the ink or fan yourself with our pages just isn't available to digital subscribers, sorry.
Article Feedback
Dear 2600:
In 30:4, the article titled "Black and White: The Growing Schism Between Hackers and the Law" is a great example of our universities, lawmakers, and law enforcement not working together to explain how to properly report a vulnerability to an affected organization. I think it is high time we all start contacting our politicians to encourage them to begin writing better laws and enacting better policies to allow white hats to report problems they find to site owners. When I say white hat, I literally mean someone following the letter of the law. Going into a network, especially areas that require authentication, and snooping around without written consent from the owner and without doing damage, is equivalent to breaking the Computer Fraud and Abuse Act of 1986 (CFAA). The CFAA should be your ultimate guide to determine what you are wearing - enough said.
Not to knock the original writer, but it seems he must not have known or tried to use a WHOIS lookup to find the contact information of the site owner. He should have also tried to contact one of the InfraGard members listed on the site, assuming they had their email addresses posted. The reason for the feds' overreaction is that InfraGard is a forum between federal, state, and local governments, along with critical infrastructure organizations, to discuss critical security issues. Posting a vulnerability all over the place was not the brightest idea, but it was noble for the writer to try to get their attention. I hope this incident does not cost him his future job prospects.
I would suggest that we all try to use some discretion in bringing to attention critical security issues that were accidentally discovered, by using anonymous forms of communication to report the problem to site owners. That means using whois.sc, looking for the webmaster's email address (which the author did try), and using Google to try to look up the owner's contact information. It is vital that you document all of the time and work you did (e.g. right-clicking and looking at the source code of the site). This is your get out of jail free card. It proves what actions you performed and when. Assuming the site owner has logging enabled, the logs should clear you from any wrongdoing - this assuming you didn't go into any protected areas on purpose or try anything to exploit the vulnerability. Overall, you need to treat this with due diligence. If you can't find the site owner, then contact the hosting company as a last resort. If that does not work, then just let the site owner find out the hard way. I am sorry to say that, but if you covered all your bases, then the onus is on the owner and you should pride yourself on doing a good job.
Never cease trying to do good - it will be rewarded one day. I understand the author's frustration and belief that no good deed goes unpunished, but I believe in the end the good will always outweigh the bad. Keep trying and never give up helping those around you.
The Professor
And don't forget to send us the details whether or not you were successful in getting any attention. It's what we're here for.
Dear 2600:
I enjoyed "Telecom Informer," as always, in 30:4. In the article, TProphet bemoaned the lack of responsible schools of thought for American businesses. I'm writing to mention that there is now a new breed of business school, where "sustainability" is the key theme. Bainbridge Graduate Institute, near one of TP's prior haunts, Seattle, is one of the earliest. Presidio College has a sustainable MBA, too. One of the binding notions is 3BL, or Triple Bottom Line, which emphasizes "people, planet, and prophet."
Estragon
Seems like a natural fit with a slogan like that. The spelling is a little off, though.
Dear 2600:
I was just reading Clutching Jester's "Hacker Perspective" column in the Spring 2014 issue and the "encrypted" message at the end of the article is "Happy hacking, everyone!"
It is shifted two characters to the right in relation to the typical American keyboard. I'm sure you have figured it out already, but I just thought I would send a message to spoil the secret!
Wolf Bronski
Random Thoughts
Dear 2600:
When thinking of privacy statements such as those found on the bottom of websites or pertaining to other services used, consumers believe this means their information will be kept from prying eyes. The complete opposite is true when it comes to privacy statements that individuals agree to. Instead, these statements give many loopholes for any type of organization to give out personal information on consumers. Privacy statements give the organizations providing a particular service terms that only benefit them, not the consumer, clients, etc. Privacy statements are legal contracts that have loopholes to benefit only the service provider, not the individual users, unfortunately. My advice to all consumers like myself is to read those terms carefully.
Bill Miller
This is good advice, but we also need to know what exactly to do when these terms fall short of our expectations. Many of them contain pages and pages of legalese and it's almost impossible for any but the most dedicated to wade through all of that. We believe that helping to spread the word on which of these agreements actually offer a raw deal to the consumer is a very valuable service. Often, the resulting bad publicity results in a quick change to the policy in question.
Dear 2600:
With the rise of password cracking tools using dictionary, brute-force, and algorithmic methods, why haven't system administrators and programmers universally adopted a simple method of thwarting such attempts?
These attempts rely on the fast computing power of both the target system and the attacking machine or network. Password crack attempt speed is currently measured in millions or billions of attempts per second. Why not simply set up the target systems to require a delay of, for example, one second per password attempt on each username? I admit to not being a developer, so I don't know if it's easy or possible for a system to lock out each particular username for one second after each failed attempt at that username. Many systems will lock you out after a specified number of failed attempts, so my proposal seems reasonable. Developing and implementing this ability would essentially end password cracking by slowing the cracking tools down to glacial speed. Authorized automated systems which contain the correct password and human users would not be inconvenienced at all.
Food for thought...
Sol
The extremely fast password attempt speed you refer to applies to offline attempts, where a list of encrypted passwords has been obtained and the cracking is done at whatever speed is available through the hardware and program being used. Actual attempts using a login prompt do indeed slow down on some systems, such as Linux, in almost exactly the way you propose. The real trick is to keep the actual password file secure, as there is no way to control the speed with which someone attempts to crack it once it's in their hands.
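The per-username delay proposed in the letter above, as an added example that is not part of the letter or the magazine's reply: a login service that refuses further attempts on a username for one second after each failure, driven by a fake clock so the effect on a fast guesser and a paced one can be compared. The names `ThrottledLogin`, `FakeClock`, and `run_guesses`, the PBKDF2 storage, and the guess list are assumptions made for the example; the throttle only governs attempts made through the service, not attempts against a copied password file.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000  # work factor picked for this example only


class FakeClock:
    """Manually advanced clock so the demo needs no real waiting."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class ThrottledLogin:
    """Refuses attempts on a username for `delay` seconds after a failure."""

    def __init__(self, clock, delay=1.0):
        self._clock = clock
        self._delay = delay
        self._users = {}          # username -> (salt, password hash)
        self._blocked_until = {}  # username -> time the next try is allowed
        self._dummy_salt = os.urandom(16)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def attempt(self, username, password):
        now = self._clock()
        # Drop expired entries so attacker-chosen usernames cannot grow
        # the table without bound.
        self._blocked_until = {
            u: t for u, t in self._blocked_until.items() if t > now
        }
        if username in self._blocked_until:
            return "throttled"  # rejected without looking at the password
        # Unknown usernames are hashed against a dummy salt and throttled
        # like real ones, so the response does not reveal which accounts exist.
        salt, stored = self._users.get(username, (self._dummy_salt, None))
        candidate = self._hash(password, salt)
        if stored is not None and hmac.compare_digest(candidate, stored):
            return "ok"
        self._blocked_until[username] = now + self._delay
        return "failed"


def run_guesses(service, clock, username, guesses, seconds_between):
    """Submit guesses at a fixed pace and count each outcome."""
    outcome = {"ok": 0, "failed": 0, "throttled": 0}
    for guess in guesses:
        outcome[service.attempt(username, guess)] += 1
        clock.advance(seconds_between)
    return outcome


# Constructed sample input: five wrong guesses followed by the right one.
GUESSES = ["123456", "password", "letmein", "qwerty", "dragon", "correct horse"]


def demo(seconds_between):
    """Fresh service and clock per run; returns (outcome counts, elapsed seconds)."""
    clock = FakeClock()
    service = ThrottledLogin(clock, delay=1.0)
    service.add_user("alice", "correct horse")
    outcome = run_guesses(service, clock, "alice", GUESSES, seconds_between)
    return outcome, clock.now


if __name__ == "__main__":
    # A guesser firing every millisecond gets one guess evaluated; the rest,
    # including the correct password, land inside the one-second window.
    print("1 ms pace:", demo(0.001))
    # A guesser pacing itself to the delay is evaluated every time, but is
    # held to one guess per second per username.
    print("1 s pace: ", demo(1.0))
```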
Dear 2600:
So instead of a rally in D.C., how about one at Ft. Meade, Maryland? It is public domain... think about that... why can we not see what is inside the software? I am very interested to see this magical coding that eludes all perimeter security. Furthermore, I would argue that it is in the public interest to see the source code to this software that they call PRISM. We all know that it takes a lot of processing speed to convert binary to assembly language, so in that there is the real possibility of a physical or metaphysical layer such as EMP, or electromagnetic impulse. The utilization of this bandwidth is the most efficient way to collect metadata since the invention of transistors and is one of the most untapped resources, being that it is a physical reaction on the atmosphere that is being collected. These new devices that are visible in the magnetic spectrum are the hole in the window or the reason you keep being robbed.
There are a number of factors, now. Going backwards from metaphysical, we get into physical or actually visible in the known measurable range. We have a large amount of data being hexadecimally rearranged into variables that seem inconsistent or rearranged and then that data is stored. Without an outer shield/condom for computers, the infrastructure will always be vulnerable to an outer perimeter attack on information. SIGINT is nothing new. It is a shame that this technology is not available to consumers; to detect and reuse such an energy source is vital to power consumption capabilities in the sense that it allows more power to be stored in one AA battery. Theoretically, you could turn one AA battery into the largest supercomputer in the world if enough resources were applied to it.
J Thompson
That's one battery we could really use.
Communications
Dear 2600:
I'm writing a book about what society can learn from the work, motivations, and methods of hackers. And I'm hoping you'll consider allowing me to include you. Obviously, your work across 2600 and HOPE makes your perspectives essential and I'd love to talk to you about it in person.
My working premise is that the rest of us (i.e., not hackers) have a lot to learn from the way hackers (white hats) go about things. I'm exploring how we might become better in life, business, art, etc. if we can adopt some hacker traits ourselves. And I'm wondering whether a world of driven, questioning hackers might be able to solve some of the world's problems, and how we do that.
Dave
We get a lot of letters like this and it's simply not possible to give each of them individual attention, let alone do in person things. That's why we encourage people to attend (and start) our meetings, as these are the places where all sorts of conversations are possible with people who really do get it. Sure, they may not be official representatives of the magazine, but that really isn't important in describing what hackers are all about, relating some of the history, etc. People who come to the meetings are usually quite well versed in what we're all about and they deserve the opportunity to give their perspective. We're also able to provide feedback at our conferences and through our weekly radio program, in case you really want something specific from us.
Finally, we're not big fans of the whole white hat/black hat thing as such designations are meaningless and ultimately harmful. People, especially hackers, cannot be categorized in such a simplistic manner, unless it's to sell a product or scare someone into buying or doing something you want. You will find generally good people doing evil things and vice versa. That's the nature of humanity and it's no different with hackers. We're just a bit more interesting.
Dear 2600:
I have been inspecting some of our cable equipment and I haven't read up on the magazines in a long time. However, my dad's phone hasn't worked right since 2009 and it's our business phone also. I went out to inspect some of the cable stuff... I found four red tags on the cable lines, one blue tag, and one white tag. None of our services have worked properly and a lot of times we don't even get our phone calls. What are the technical codes of these tags?
Robert
To the best of our knowledge, those tags simply indicate the last time that particular piece of equipment was looked at or serviced. It would be very helpful to know what was written on them, if anything. For your dad's business phone to not have worked properly for the past five years is inexcusable. We're not sure what kinds of problems you've been having, but it's been our experience that when dealing with the phone and/or cable companies, aggressive hounding is sometimes the only way to get something done. Obviously, it helps to be specific and direct with them. The problems you're having need to be documented and, if nothing is fixed after all of that, your next stop should be your region's Public Service Commission or equivalent.
Dear 2600:
Have you heard about the proposed new rules on net neutrality the FCC just announced? They plan to allow a "fast lane" at higher pricing. What do you think about this? It was just announced today, April 23rd.
Jerry listening on WBAI
The net neutrality issue is moving too fast for us to be able to say definitively where it stands at the time we make it to newsstands and subscribers. Suffice to say, it's in dire shape at the moment, due to the recent actions by the FCC. If that is allowed to go unchallenged, it will change a great deal about the way we get access to the Internet. We believe individuals won't benefit from this and that large corporations and parties interested in control of traffic will be the ones who gain. But the battle is not lost. This recent turn of events only serves to demonstrate how quickly things can change and how we should never let our guard down. We suggest keeping updated online, particularly through sites such as eff.org, so more negative changes don't go through without our being witness to them.
Information
Dear 2600:
For those who missed their chance at phone phreaking in the 1980s and 1990s, the Phone Losers of America have developed a Telephone Network Interface which is connected to seven answering machines. This interface allows people an opportunity to hack into the connected machines, thereby experiencing some of the thrill enjoyed by enthusiasts back in the glory days of phreaking. The list of answering machines currently includes an ITT 9910, AT&T 1722, GE 29875GEI-B, Vtech 9152, AT&T 1738, GE 2-98768, and a Panasonic KX-TCI743W. Hacking answering machines is easier nowadays thanks to the advent of Google to locate their respective instruction manuals, but some can prove to be more challenging. In addition to the answering machines, the network also offers a conference room that nobody is ever on and a "choose-your-own-adventure" game that can be played over the phone. The system also recognizes AUTOVON military tones to access extra "features." This isn't the first network to be developed in hopes of capturing the nostalgia of old-school phreaking. Project MF exists to give younger phreaks a taste of what Blue Boxing was like and it appears that HackThisSite.org is working on a similar project. If anybody wants to give old-school phreaking a try, you can find information at ProjectMF.org and PhoneLosers.org/TNI. The Phone Losers of America TNI can be reached at: 206-424-8422
Tyler Frisbee
This is truly some amazing stuff and we're thrilled that the history is being preserved in this manner. We had all kinds of fun with answering machines over the years and had even more fun watching others try to hack ours. Incidentally, we printed an article on brute-forcing PIN code keypads in our Spring issue which contained a list of the shortest possible sequence for entering anything up to a four-digit code, which would pretty much cover any answering machine of the era.
Dear 2600:
I read that some of your readers had lost the back issues (and probably some other items as well) when their credit card expired from Amazon.
Myself being a veteran of the IT industry with a long period of my career spent doing backups (and restores) for a living, and generally being cautious about trusting Big Corporations with my stuff, I "solved" this very problem a while back.
I use an application called Calibre (calibre-ebook.com). With that you will be able to manage your Kindle (and other e-book readers) and synchronize the content to and from your device and computer, a.k.a. backup!
Keep up the good work!
//j
We've heard very good things about this application and hope our readers use this to protect the content they've purchased. With luck, we'll be able to help make this the norm, so that nobody loses back issues of any publication.
Dear 2600:
I enjoy reading your articles and love the variety included in each edition. Thank you 2600, and thank you to all contributors.
I know you've already mentioned Grace Hopper in the past, but I think she's worth reintroducing on a regular basis. Newcomers will benefit by learning about someone who greatly influenced our current understanding of technology and leadership - and old hacks occasionally need a reminder of such things. Grace is not with us anymore, but she was incredibly influential when she was; her ideas are still relevant and applied to this day. You can learn more at en.wikiquote.org/wiki/Grace_Hopper.
Oliver
Dear 2600:
I was rummaging around the insides of my XP PC and learned that Microsoft decided on an interesting name for the OS's final build number.
I'm pretty sure someone must have sent this to you already, but just in case... screen grab attached.
Chris
We didn't even have to look. Build 2600, right? We've gotten so many emails on this over the years, we've completely lost count. What's most surprising about it all is that it's lasted so long.
Meetings
Dear 2600:
The New York City 2600 meeting was an important thing in getting me to where I am in the world today. However, over the past ten years or so, I haven't attended any. I was thinking about attending the next meeting and giving a hacking presentation, something relatively low-key (I remember how the Citigroup people were). I was wondering if I should just show up, develop a quorum, and make it happen, or if there is someone specific I should speak with who "runs" the meeting. If it goes well, maybe I'll make it a regular thing.
Brad
If you attended the meetings in the past, you should remember that they are extremely informal and that "presentations" aren't really given. Some meetings are able to incorporate such things, but to the best of our knowledge, New York didn't really do this. Also, there is no one person who "runs" the meetings in any location. It's a group effort and there's no rank to pull. We hope you show up and get reacquainted with attendees.
Dear 2600:
I am here at the Krystal Hamburger in Titusville, Florida, the stated meeting location for 2600 readers in this part of East Central Florida. Once again, I feel like The Maytag Repairman as I sit with the empty boxes that once held my Krystal hamburgers, and I wander back to the counter to refill my small Coke every once in a while. The free refills and free Wi-Fi are what made the location my venue of choice since the StoneFire Art Gallery closed down.
Please consider asking meeting hosts to list their Foursquare short code for inclusion in their meeting listing. This way, people looking for the meeting can find a standardized format (Google Maps) for finding the meeting venue. Example:
Titusville: Krystal Hamburger, 2914 S Washington Ave (US-1). 4sq.com/bpM6DY
The use of the Foursquare short code allows a user to not only find our venue, but use the directions section of the site as well without the host having to deal with geocoding the place. Meeting hosts just look for their venue on foursquare.com, and the short code is available on the page.
Richard Cheshire, Phreak & Hacker
Again, as we don't actually have hosts for the meetings, it's tough to say who would take on the responsibility for doing this and making sure it was accurate. While this can be convenient, we don't think people aren't showing up because they can't find one of our venues, especially when an address is given. If there still isn't anyone else showing up after the promotion this meeting has received through the magazine and website, not to mention this letter, we'll have to conclude that it's just not a viable location.
Dear 2600:
I am disappointed at the turnout of the meetings, especially since it is already official on the web site. Is there anyone that you know in Minnesota who would like to take over and will show up every month? Thank you.
Scott
We urge you not to give up so quickly. It can take many months to get responses and attendance and we know it can be frustrating to not see results right away. If you continue to get the word out, we believe people will respond. Getting a website going can definitely help, as can social media. If there is a problem with the location for potential attendees, you will likely hear about it there.
Dear 2600:
I have a friend who was looking for the local 2600 meeting. He said he checked out Barnes & Noble downtown and was unable to locate it at the typical time and that the website for the local chapter seems to have dissolved/disbanded. I would like to start a new 2600 local meeting in Maryland. I can create a website with times and information about topics. Is this acceptable? Supposing I set up the details and get it running, what is necessary for my group to be listed as a meeting in the official list? Is there a code of ethics for local meetings that I could found the group on to attempt to keep it professional and out of legal trouble? Let me know any information you can provide. Thank you.
David
All of the info you're looking for can be found in our guidelines section on our meetings page (www.2600.com/meetings). We do suggest keeping the meeting in the same place if you're planning on reviving an existing meeting, as you don't want people going to different locations based on old listings or memories. Meetings should only be moved if there's a problem with the venue, such as it going out of business or being extremely hard to find or inconvenient to get to. Read on for someone else with a similar objective.
Dear 2600:
I'm going to give a shot at reviving the Maryland 2600 meetings. If you're interested, meet us at the Barnes & Noble in the harbor. You can be anonymous and avoid the LinkedIn-esque environment that has largely taken over the local hacker scene. Don't worry about expensive meals and alcohol, or offending a potential employer, because there will be neither.
zenlunatic
Sounds like there's some history here which may be worth exploring as a lesson to the rest of us. Please share these experiences if you can. We wish you luck getting things going again.
Dear 2600:
I would like to know how I can be a part of your next meeting?
Stacy
We have the easiest meetings in the world to be a part of. Just show up and you become part of them. If you don't have one nearby, you can start them and become a part of them that way. Our meeting guidelines are at www.2600.com/meetings/guidelines.html. It's really that simple.
Dear 2600:
What can I do about an incorrect 2600 meeting location in the Dallas area? I am aware that there is both a "Dallas 2600 meeting" and a "North Dallas 2600" meeting, but I only see the listing for "Dallas (Plano)."
What can I do?
Mike
You did the right thing coming to us. And you weren't the only one. Read on.
Dear 2600:
It has recently come to my attention that the Dallas 2600 meeting has been removed from your 2600.com/meetings/mtg.html page. The Dallas meeting has been at the same location for over six years.
We have had meeting information up at tx2600.org and tx2600.info for several years and run an active mailing list on tx2600.info.
Please correct your information. I'm also available in the irc.2600.net #tx2600 channel if you have any questions.
Will (NameBrand)
The situation has been rectified. This mix-up happened when we received an update for a meeting that seemed to be representing Dallas and, having not seen any recent reports from the old Dallas location, we assumed it was the same one that had moved. We've renamed the new one as Plano and restored Dallas to its rightful place. We're happy as always to see people paying attention.
Dear 2600:
Hi I am looking to participate in meetings with Hax0rs
LONDON STYLE PLS
DANKE
Will (NameBrand)
We don't really know what this means, but if you're asking where the London meetings are, they're listed in the back of the issue and on the website. The location is the same as always. We will phone ahead so the London regulars know what's coming.
Dear 2600:
Well, that was fun! I put on a clean shirt, my best jeans, even clean socks and underwear and headed out to my very first 2600 meeting at the Lakeshore Mall in Sebring, Florida. I arrived at the appointed place at 5:15 pm for the 6:00 meeting. I stayed till 6:30. Not a soul showed up. There were a few possibilities... folks who looked like they might be the types interested in a 2600 meeting. I walked up to each and asked, "Are you here for a meeting?" One dude gave me the deer-in-the-headlights look before saying, "No." The others just shook their heads, afraid to make eye contact with me. I might give it another try next month, in which case I'll report back on my adventure.
Frankly, I was rather surprised to see Sebring in the meetings listing. We are a fairly rural county in central Florida where there are more orange trees than people. In fact, I think there are probably more cattle in our county than people. I'm curious: when was the last time you received confirmation of a meeting actually taking place in Sebring?
I've enjoyed reading your magazine every quarter for the past two years or so. Keep up the good work.
Seymour
Technically, your showing up made it somewhat official, but clearly a meeting with only one person isn't much of a meeting at all. We haven't seen another update in a year or two, so if you can confirm that nobody else is showing up to subsequent meetings, we'll have to pull it from the listings. This kind of thing happens as people move out of the area or wind up doing other things. It's always possible for others to pick it up again, but it's pointless to list meetings that aren't happening. Our typeface in the issue really can't get any tinier, so deleting a few entries isn't necessarily a bad thing.
Dear 2600:
As required by the 2600 meeting guidelines, I would like to inform 2600 that I am transitioning the duties of coordinator and primary contact for the XXX 2600 group in ZZZ to YYY. If you have any questions please contact YYY.
Thank you!
Name Deleted
ex-XXX 2600 coordinator (Aug 2006 - Apr 2014)
We deleted your name and all identifying info because we didn't want to bring undue attention to your meeting through our response. We don't know where you got the idea that you had to have a coordinator, let alone that we had to be updated on who that was. It's fine to have someone who takes on responsibility, but it's important to not let that turn into any sort of authority, as that's not what the meetings are all about. Everyone at the meeting should be considered equal and as much a part of things as anyone else, regardless of how much or how little they actually contribute. Our only stipulation is that attendees follow our guidelines in order to remain a welcome part of the gatherings. And we thank you for your service.
Dear 2600:
I'm curious about how up to date the list of meetings is. I live in Seattle and was wanting to attend meetings, but didn't see any groups or mailing lists about it, and was wondering how active the Seattle group is. Thanks in advance!
Seymour
We update the meeting list for every issue and you can see the most recent date on the top of the meeting pages on our website. We know that the Seattle meeting is pretty active.
Dear 2600:
I, with some friends, am attempting to start a 2600 chapter operating out of Wilmington, North Carolina. We have held one "meeting," though it was mostly just us hanging out. I put up a page at portcityhackers.org to try attracting some attention, and was hoping that y'all would list us with your aggregate list of sites/meetings for some extra exposure since our bookstores don't sell 2600.
P.S. I love the product that y'all put together.
Jared
You're off to a good start, and hopefully this letter will help more people find out about your meetings. If we keep getting updates sent to meetings@2600.com, we will add you to our official listing. Good luck!
Letters on Letters
Dear 2600:
Reading Issue 30:4 prompts me to write this letter. The first thing I do when I get my 2600 Magazine is read the letters section. Perhaps I was in a bad mood or something but some items in the "Critical Observations" section really annoyed me. Reading the first two letters, I am reminded that some people don't understand the spirit of hacking and what 2600 is trying to preserve. Common topics of letter submissions include: complaints of political motivations of 2600, outright asking for someone to "do" something for them, implications of 2600 being hypocritical, and general misunderstanding of what 2600 wants to preserve. This might kinda seem like a rant and I may be talking in abstract terms, so I apologize in advance.
I'll start with my thoughts on the spirit of hacking. I believe the spirit of hacking includes thinking outside of the box. This means doing things that others don't do, finding ways of having things work differently than intended, making things work for how you need them to be instead of how they are, thinking of things that others have not thought of, and making things better than they are. Going further, the spirit of hacking is sharing this information with friends (and everyone else), recognizing that everyone has something to contribute (even if they have less or more technical knowledge), and holding onto the freedom to do all of the above. To some extent, this knowledge can be (and has been) used to help maintain personal freedoms that other people may want to take away.
Moving onto the political aspect, I would say that pretty much anything can be said to be (or twisted to be) a political topic. Isn't politics pretty much a difference of opinions as to what the freedoms and restrictions of the citizens of a country should be? Sure, it is a struggle for power for those involved, but to what end? It's to get power to enable the freedoms and restrictions that they want to have in place. Sure, I would say that makes the spirit of hacking as political (and non-political) as any other topic. That is not necessarily a bad thing. Instead of immediately discounting someone's view because it is "political," it should be responded to with reason and consideration.
My second item refers to requests for people to do things for them. It's hardly worth talking about since no one takes these people seriously (and why should they?), but I can say that I never really cared for people who don't at least try to do things themselves. Perhaps these people have tried and failed - no one really knows. The spirit of hacking is perpetuated by people who walk up to a task and start tinkering with it. Maybe they are tinkering for fun or they have a real need to do something. Everyone needs help sometimes, but I think it is often better to try to make the effort yourself (unless it is not feasible to do so).
The third item was the hypocrisy of 2600. I don't really see it, myself. Keeping in mind that there is not only one person working and contributing to the magazine, I don't really know how you can expect to never see conflicting opinions/statements. Also, knowing that there are different people contributing, would you really want to not see conflicting opinions? The answer should be no. Imagine that you are in a meeting and you are designing some new [whatever]. The first person makes a statement as to what you should do and the other dozen people say "sounds good to me." That's not good at all. This idea kinda moves me into my last topic.
My final thought was about what 2600 is trying to preserve. The following items are what I have inferred from reading 2600 for about ten years now. They seem to try to preserve the integrity of the hacker spirit (through the changing times) as well as the integrity of their publication. They want a sharing of knowledge, opinions, and new finds. They want people with different experiences and conflicting beliefs to work together to better things. Unproductive and ineffectual things are not desired, and sometimes mocked ("Hey, can you hack my ex-girlfriend's email account, bro?"). As one might expect, they want to maintain the integrity of their publication. This is why they require articles that are not published elsewhere.
To close my letter, I am not trying to persuade you to change your opinions. I am trying to help make people realize that their letters might be able to contain more rational thoughts which, in turn, may offer more effective deliberation on the topics that are discussed in this magazine.
Shocked998
We have to admit that it wouldn't be nearly as much fun if those people who wanted us to do things for them didn't write in. Regarding the political angle, we agree that so many things in everyday life are political in nature. By avoiding that reality, we basically give up any say in the outcome, a contribution that could be considerable given the intelligence level of this community. We've seen that avoidance lessen over the years and the organizational abilities amongst hackers have improved substantially. That is a very good thing. How else will we not become victims of bad laws and oppression in the future? And how else will we be able to help share information, reveal leaks, and protect individuals from prying eyes? Politics, combined with our curiosity, mischief, and sense of justice have brought us to a very interesting place.
Dear 2600:
I'm a bit late reading 2600 this time around, and the "Horror Story from Hell" in 30:4 really intrigued me. I study malware in my spare time, and have never heard of anything so completely devastating as the thing described by Morgan.
If I'm not too late, could you please pass off my email to Morgan? I'd like to try to help combat this malware. If everything in the letter is accurate, this discovery might be more important than the discovery of Stuxnet, and with many worse implications.
If Morgan isn't interested in my help, then I wish him/her luck, and would love to hear how everything turns out in the form of an article. This is definitely article worthy.
Thanks for the great magazine.
Hunter
We're not in the habit of passing messages between readers, but if the original writer expresses an interest, we will convey your info.
Dear 2600:
I have read your website since the mid-1990s (after I started programming) and the magazine since the 2000s. Since then, it has been my favorite science/philosophy magazine (meaning also the philosophical/sociopolitical/etc. focus of many editorials and some articles). Though I would have never expected to (with social attitudes about curiosity/hacking when I was growing up), I turned several people on to the magazine - both a hacker who inspired me, and those who do not consider themselves hackers, but liked the editorials, articles, and letters I advised they read. I found a local 2600 group, which exceeded my expectations, then I submitted my first article to you, and have ideas for others.
Though 2600 possibly always criticized large, inefficient, and corrupt organizations (government or private), after my first few years of reading 2600, when so-called "free speech zones" became common at political events (after some being invitation-only), and various computer technology steadily became more integral to people's lives, it seems there has always been more to criticize... with companies creating more "walled garden" and insecure technology, and always more insidious stuff, such as Apple making a technology to sell to police to disable people's Apple devices in a specific area when the police want. Though various major restrictive net laws (often renamed and attempted again) did not always pass because of outcry, the U.S. and other governments did not hesitate to just start censoring whatever parts of the net they felt like (supposedly criminal sites) and punishing sites' owners even just for doing hyperlinks to average web homepages, blogs, posts, etc. It was good to see others from the whole political spectrum involved in outcry, part of which was begun by the late and great Aaron Swartz, who started the Demand Progress organization and "hacking politics." Since then, not only does Demand Progress report CISPA is back, but EFF reports that secret TPP negotiations (by politicians and who knows who else) are continuing, which would have many unjust effects, including a net more heavily controlled by governments and large companies, with an interest mostly in their "rights" and few/none of common citizens/netizens' rights. Good news on a smaller amount of legislation due to outcry is Congress' consideration of the USA Freedom Act to scale back NSA monitoring... but some hackers think if that passes, it would just be circumvented, as governments already circumvent laws when they can.
Some would argue it is not enough to "hack politics" in specific cases, but that political norms/processes must be hacked - at least to make politics more egalitarian and meritocratic (not special interest-controlled) and to restore freedom, civil/human rights, etc., to how they were intended for free societies. It is good to contact your representatives if they will listen, but it is important to spread the word to as many people as you can, like Aaron Swartz and the people he inspired to rally did, or like Mahatma Gandhi and Martin Luther King. History shows freedom erodes unless people take a stand sufficiently.
The larger good news this year was the growth of hacker conventions (of various focus), hackathons (including in mainstream companies), and the increased condoning of hacking, with even the U.S. president proclaiming a National Day of Civic Hacking - hacking is becoming more socially acceptable! It remains to be seen if this is just about what large organizations can get from hackers, or if organizations are starting to like hacker culture/ideals.
I continue to enjoy reading 2600 for technical aspects that interest me, and even for finding out about some hacker-related social issues that may not be widely known at the time. Thanks again for decades of 2600 and keep up the good work!
Happy Hacking.
darwin
The Digests
Dear 2600:
First of all, thanks for the great mag, and thanks for making it available via Nook/Kindle. Any plans to make more of the annual digests available as DRM-free EPUBs? I would much prefer to buy them directly from you guys in that format rather than going through Barnes & Noble. I bought Volume 29, but it appears to be the only one available in that format.
Thanks!
J
We do indeed plan on continuing with the release of more volumes. In fact, we're going ahead with a plan suggested by a reader in our last issue to hopefully speed up the process significantly. Look for the details in one of our house ads. In addition, Volume 30 should already be available at the time of this printing. As for the EPUB format, we'd like to continue with this. Surprisingly, not very many readers chose this format, apparently opting instead for PDFs.
Dear 2600:
On page 41 of issue 31:1, sol mentions an idea regarding lifetime subscriptions for the yearly digests.
You mention that it is a great idea, but would most likely be applicable to the PDF version, as you do not have access to the Kindle customer data.
How is this a problem?
While Amazon would most likely not have a system to offer a lifetime subscription to a magazine, surely 2600 could come up with a system to disperse Kindle (and even Nook and EPUB files) to those who have such a subscription, perhaps with a website the subscribers have access to and a mailing list so that the lifetimers can be updated when new issues are available.
As for the editing and creation of these annual digests, I have done a lot of work in the field of converting physical books to digital books... even ones where I had to manually copy down the words from the source.
Let me know.
Variable Rush
We intend to look into every possible way of doing this, but the main problem with formats like Kindle is that we need to do a crazy amount of proofing to make sure the OCR scans are completely accurate. Much of this requires knowledge of what was in the original articles, and the entire process takes substantially longer than formatting pages into PDF form. The plan here is to get at least part of this done quickly, and the idea presented is the best one so far. It also will help us ascertain the interest level, so we can figure out just how much time is worthwhile to devote to future development of the archives.
Critique
Dear 2600:
I have been an on and off reader of 2600 for some time. It depends on if I can find the magazine in the store. As I have gotten older, I have noticed that the magazine has not. Today I logged on to your website for the first time and realized why. It seems so juvenile.
Lock picking: How many times has this been covered in 2600 the magazine?
Phone Phreaking: Did we not cover that back when we actually had land lines?
Why have you not moved onto something more glamorous like:
1.) "How to disassemble an iPhone."
2.) "How to root an iPhone."
3.) "How to remove the glass from an Android phone."
4.) "Lock penetration of the HID electronic locking systems."
5.) "How and why Bitcoin works."
6.) "How to hack a CISCO router."
Just some thoughts as I sit here at 5:30 in the morning.
Chris
Well, hopefully by the time the sun came up, you came to the realization that we have, in fact, covered a number of those stories over the years. There's nothing stopping us from covering even more of them if people write the articles and submit them. But your main problem seems to be in what we've actually spent time on in our issues. First off, we're not sure how you reached these conclusions when you "logged on" to our website, as you won't find articles from the magazine there. You seem to be under the impression that we've printed a lot of lockpicking articles when we're constantly hearing about how we don't print enough. (Again, this reflects the number of submissions on the topic that we get.) As for phone phreaking or anything else you consider outdated, there is a lot to be said about history and how systems of the past and present tie together. Again, we haven't printed that much recently on phone phreaking and would like to have more, both focusing on present day technology and the systems of the past. This is how we learn about features, possibilities of new developments, and weaknesses. Not to mention it's a hell of a lot of fun. So we'd like to advise you to lighten up a bit and see if there's anything you actually like in a current issue. Maybe there isn't. But we like to think that we still encompass the spirit of hacking in our pages and reflect what some of the more creative voices in our community are saying.
Dear 2600:
Your code repository on 2600.com is woefully out of date. The last update is from 25:3. Is this because you now expect people to buy digital versions of the magazine if they want the code?
This forced me to type in blerbl's very nice "wordlistgenerator.py" from 31:1. I could find no explanation for this code, as it does not go with either of the articles around it, or, really with the "Automated Target Acquisition" article on page 58 where blerbl is mentioned. O.K., it sort of goes with that article, but not directly.
For readers who might be wondering, wordlistgenerator.py is a nice little text scraper. Point it at one or more "targets" (websites, files), pick a regex wordlist rule from the menu, and collect some interesting strings. Thanks, blerbl!
Sh0kwave
We're sorry about not updating our code repository in such a while. We're definitely going to get on top of that. As for the code you saw in the last issue, that was meant to be used in conjunction with our article on "Robbing the Rich Using Bitcoin," which immediately preceded the code.
Experiences
Dear 2600:
I have been experiencing something very usual for the last two weeks. I have been hearing things in my head asking me for a website that I own. I registered this domain on Christmas Day and since then I have been working on developing it. I read that it is possible to make people hear things through V2K, virtual telepathy, using a microwave auditory effect. Have you ever discussed this on Off The Hook or Off The Wall? Has anything pertaining to this been published in 2600 Magazine? I'm not sure who to turn to regarding this matter. I'm a big fan of 2600 and your radio shows. I was hoping you could give me some information about this or possibly discuss this on one of your future radio shows. Someone is abusing this technology and trying to extort me. Thank you for your time.
David
We've had obnoxious registrars hound us for renewals long before the expiration date, we've been bothered by annoying people who insist on trying to buy our domains from us, but we haven't encountered anything quite as intrusive as this. The "V2K" technology you allude to is a popular topic on the Net and it's alleged that it's defined by the military as such: "Voice to skull device is a non-lethal weapon which includes (1) a neuro-electromagnetic device that uses microwave transmission of sound into the skull of persons or animals by way of pulse-modulated microwave radiation; and (2) a silent sound device which can transmit sound into the skull of persons or animals ... the sound modulation may be voice or audio subliminal messages." We should point out that none of this is verified, but we're certain the military would love to get their hands on this kind of technology if it were at all possible. However, whenever hearing voices inside one's head, it's always good to be open to the possibility that something else is going on, hard as that may be to accept.
Dear 2600:
I should really thank Anonymous for writing what could have been my own letter back in 31:1, since I have recently re-entered the world of IT employment after years of manual labor. The difference being, I actually enjoyed being away from IT the past four years! After graduating from a tech school (one that I loved, I might add, as their focus was on actual learning, not money), I was thrust into the world of corporate IT bullshit. A world of stress, tension, and all around ugliness. Money was the bottom line, which meant working 16-hour days without added compensation, and occasionally getting death threats. To get away from all of that, to actually have a job doing "grunt work," was a treat. I could enjoy computers again, since I was only playing around with them in my free time, and not struggling to make them work to keep from being yelled at. Hell, I'll be honest, I worked on a boat all those years! I was breaking ice, shoveling snow, and taking green water up to my knees on the bow... and I loved it. I thought I would never again return to the horrors of IT.
Yet, as Anonymous pointed out, there's always the issue of money. I couldn't survive on ten bucks an hour, no matter how much I loved my job. But I was lucky. An IT job opened up at a school and I was fortunate enough to land the position. Now I work at a place that encourages learning, a place that understands the true definition of "hacker," a place that prides itself on technology. So, finally, at 33, I'm a married man who gets to play with computers all day and teach kids about technology, and to watch as their eyes light up when they take a computer apart and put it back together. No, I'll never get rich working there, but you really can love something and make it your career. How's that for a happy ending?
To reiterate what Anonymous said, thanks to 2600 for keeping the hacker spirit alive, and I'll see you at HOPE X.
Screamer Chaotix
You raise some excellent points regarding employment. We find that the people who really excel at things have had a variety of experiences, often seemingly unrelated to each other, but all of which form a part of their overall story. This is an extension of the experimentation we are always encouraging within the hacker world. It's often necessary to experiment in life itself in order to figure out a direction. It can be risky and scary, but if you maintain a healthy dialogue with yourself, you can benefit greatly from this approach.
Dear 2600:
Re: "Relax, We Bought Security," Wananapaoa Uncle wrote an amazing article on SMB (small-medium business) security. I walked out of my last job for exactly these written reasons. Third-party security contractors have no idea how daily business operations and production up-time work. The contractors get the security audits because the company can point to them if there is a security breach, while not being personally responsible.
In my case, a security audit was being done by the same company that installed previous systems. One of my roles was managing and properly configuring these systems, which typically deployed with default passwords and configurations. Yes, these same folks were the "security professionals" running the audit. Said company's name has a dictionary definition of "spread throughout." I let a sad chuckle out reading that and applying it to their business model.
Pic0o
Dear 2600:
This is getting really old. I'm not normally one to complain about how retail shops display their wares, but this is the third time I've done so in 2600... about the exact same issue. After my last such letter was published, the local Barnes & Noble store (#2832) actually corrected how 2600 was displayed and it could be seen easily without needing to search behind other magazines for it. It seemed like a logical way to display a magazine, although I'm not a professional magazine rack manager. Once again however, it's back to the normal "keep it hidden" method. I recommend 2600 to everyone I know, and recently a friend actually went to purchase it but could not find it (even though they had numerous copies - if you weren't already aware of where it generally gets stashed, then you could be searching for awhile).
This is getting old, and I'm tired of complaining about it. You often talk about having to pay for lost or stolen issues. I'm curious how many are reported as losses that are actually just scattered throughout the display shelves that even the employees can't seem to find. I always fix them, but they always seem to lose their way again. Perhaps the 20 plus brands of men's magazines with hot women in bikinis on the covers are causing them to wander.
Do you have any recommendations that might help with this? I would really like for people to be able to find 2600 when I suggest it. Not everyone is comfortable asking for employee help to find a hacking publication.
Thanks for all the great brain candy.
Pic0o
This is a difficult problem to solve, since it really only takes one person with a grudge to create this situation. In many cases, we can't even be sure it's someone working for the store in question. We have many enemies and powerful ones at that. So it's not too unreasonable to assume they would stoop to the level of actually hiding our issues to keep people from seeing them. We need people like you to counter this. Every time it happens, it needs to be brought to the attention of management. If they're the ones doing it (which doesn't make a lot of sense for them), they will want to stop being questioned constantly and will likely cease the practice. If it's somebody from outside who's doing this, perhaps the store will manage to catch them in the act. The important thing is to get it on their radar. Silencing people/publications is never the way to make a point and that needs to be made crystal clear.
Dear 2600:
Here's the story of how I inadvertently got my cell phone into eavesdropping mode:
On my way to the airport, I left my cell phone on the airport shuttle bus. The next morning, not being able to find my phone, I dialed it in order to locate it by hearing the ringtone.
Instead, I did not hear my phone ring, I heard someone talking! It was like when you pick up your phone at the exact same time someone is dialing you. But the other person was in the middle of a conversation, and I could only hear one side of it. She was talking about intersections and addresses, and stuff like that. Totally confusing to me. After listening for a few minutes, trying to figure out what was going on, I hung up and redialed.
This time, the shuttle operator answered normally, and informed me that I had left my phone in the shuttle. I made arrangements to pick it up when I returned.
That's when I realized that I had been eavesdropping on her phone call to her dispatcher from my cell phone that had been somehow switched to transmit mode. I don't know if it was my newly-purchased prepaid cell phone that did it, or what.
Here's the part that I found so interesting: the quality of the transmission while my cell phone was in eavesdropping mode was outstanding. Normally, cell phones break up, the sound quality is poor, you almost have to yell sometimes. This was like I was in the car with her. Perfect transmission, like a professional sound stage.
Just thought I would let people know that your cell phones make Very Good eavesdroppers.
Margaret
New Stuff
Dear 2600:
I'm contacting you from a local start up called notrace.im. We have been working on this product for a while now. We just launched not too long ago. We were wondering how to get an article published with you guys. What we launched is a private messaging app. We were called the Snapchat of texts but better because you don't need an app in order to receive text messages. Some of our features include self destructing messages, ability to send messages to email or most U.S. phones, ability to unsend messages, ability to send anonymous messages, and the security of knowing nothing is stored on your device but a dead link. Please give us a look and let us know what we can do. We are at website notrace.im and available as an app on Android and at the Google Play store.
nico
It's more likely that someone will review your service and write an article about that from a hacker perspective. You're welcome to send us an article describing what it is you do, but it's probable we'd prefer to print something written from the view of someone not affiliated with the company. But please send us something anyway, and if it's interesting and doesn't read like a PR piece, we'll certainly consider it.
Dear 2600:
Hello, I'd like to let you know about Privacy Eraser Free, a freeware tool to keep privacy on a computer well protected and secure. The software allows cleaning up browsing history, wiping disk data down to unrecoverable state, and removing traces left by applications.
Typical computers usually have a lot of hidden doorways a cyber-trespasser can use to access personal or protected information. Privacy Eraser Free helps maintaining the security of a PC by regapping those breaches. In particular, the app permanently deletes visited URLs, browsing history, saved authorization data, Windows run history, search history, open/save history, recent documents, and more. It offers secure file deletion and disk wiping mechanisms to ensure deleted files remain deleted. Moreover, it helps cleaning leftovers of many popular applications that often stay in the system and keep cluttering it even after the app itself is removed.
With the flexible, highly customizable, and open plug-in architecture of the tool, users can even customize their own exclusive Privacy Eraser! Scheduling capabilities and the built-in performance booster help users to speed up Internet surfing and browsing and boost their PC's performance and stability.
I hope this information could be a good topic for a post or article that will be of interest for your readers.
Let me know what you think! If you have any questions or need additional information, please let me know.
Julia Wunder
Cybertron Software
O.K., we know this was a blatant product pitch, but thought it was interesting enough to share. The features sound noble enough, but are you sure you want to call your product "Privacy Eraser?" That sort of makes it sound like it's privacy you're getting rid of, rather than the opposite. Just our humble opinion.
Dear 2600:
My name is Nick Grey, and I am a professional social media manager.
I have something to offer that might interest you.
I have a suggestion for your Twitter channel twitter.com/2600 I can add to you Twitter channel, with more than 2000 followers.
The high rating of your Twitter channel helps increase the credibility of the services which you offer.
The cost of the service is only $60. I work without pre-payment; payment is carried out after all the work is done. You pay only once and all Followers are added permanently. No Twitter password is required. No harm to your channel. Please let me know if you are interested.
If this does not interest you, I'm sorry to have bothered you! To unsubscribe click here.
Have a good day!
Nick Grey
Rather than clicking there we decided to paste here and share this absurd pitch with the world. Does anyone actually fall for this nonsense? Are there really people and organizations so desperate to have followers that they will pay to collect fake ones? We know we should never be surprised by these things, but for future civilizations who stumble upon old copies of our magazine and use it to judge our society, let this be the defining point of just how stupid some of us actually were.
Dear 2600:
We noticed that the HOPE X domain name on the cover of the latest 2600 was similar to a domain name we own. You have 62 X's, we have 63 X's.
We just wanted to let you know that if anyone types in 63 X's, they will be taken to this web page: xxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxx.
Unfortunately, HOPE X falls on the same days as QuakeCon, so we won't be able to attend it - maybe next time. Members of our local hackerspace (Makers Local 256) should be there, though.
Anyway, just wanted to inform you about this redirect. We don't know if it was needed or not, but we wanted to help out if it was. (We also have 63 C's (.cc), so hence the site name.)
Charlotte M. Ellett & Jesse
c63industries.com
This is the coolest thing ever and we're thrilled that you put in the redirect for HOPE X. We're also pretty amazed that you took the time to count the number of X's on the cover and that we happened to be just one X shy of your site. This has really been a fun year for domains.