Copy Link
Add to Bookmark
Report
k-1ine_45
1234567891011121314151617181920212223242526272829303132333435363738394041424344#
#K-1INE#45#SCREAM#in#your#PANTS#45#SCREAM#in#your#PANTS#45#SCREAM#in#your#PANTS#
##DWfjEEDEW;######;;######KEEDEFKW#################E;;# EE#f fEEDjfD;;##DEDD###W
#Dfffff;fffjfft,;,;;fffGjDfEK########KEDDEDDLfDEEDE###Gt;,;,,;;f;fLfffi;;tfGfi:#
##K#KDEDfffjffffffLffftffEDGK#W##Et, . . :,LE##Di. ;;GLfGt; .,;f#
#####ED;ffffffjt;;;;ti;:;,####f; ';##DE#Dt; :fEW#KEDLD
#f,;;,;t,;;it;,;ftfffftt###Wt :tL#W ;tfEfff;; f
#GEfGEifffjt;,;,t,t;tfG##Kt, ;;;; ,;i:i;f;; ':KEEft; ;;fffjffD
###D;;;;;,;;ffjffGDDED##j ;jLt; . :,tG: ;##f;tGGG,tfDDj,fE
#: fjfWfGfi;:,:;:;tDK##; ;; D##Wi ;iLGD###
#Kffi;;;ffffffjjtf##KK; :;;: t#W#############
#EDELffffLfLGEfiffK#D, itt DK####WG###KjfK
#EfttffGDLDGED#EK#### t :DDDLfjt: ,,: . ;f jW;###fjG###D##
#DffffffffjfjfLLLf#ED :jft: ::;,;jEf jG: f#i###Wtj###E;#
#####D#WE###KEK#####j f tW, :; ;# KD i###WtK##: #
##;jWEfftW#WWj,fW#W#f t EL # fE ;K##WDK# t#
##jiK##DDftG##Wfj###j t# :f#EEWGi: t :fEt. :# G#j f###ff# L#
#GK#Efjf###WK#KK###iW: DG ::; :t; t :i Li: :;L: f# W# ,###ff#Dt#
# :LE###KfK; f#G#f ;D:i tL ft f . :, ;f .D::G tGt t###ff##:j
# tK#f, .L, f## tG ;Kf;,;;tLi ; , :. .;f :i W t f###fj##if
# :K#j. E. W#. :ftt t jGELjj, tED D###;###fE
#ED#j iL D#E . K :i j#: ###LD###t#
####j ,D .W#. t: tifK: LG,f; f# f####KD#Lf#
####G ,D ,jW#WG ti: : .;: ;f .:#t ;#####WW#tf#
####K tEEDEfGK##; f; ,;: :DGi :j#f :W#########j#
#####: t##Gf;..:iL#t t :EWW# :fK: tK#Ki fK#####WKL#DK#
#####j j#####ELi:,fW#f Gf D#;LDf LGD; GE##D: ;K#######f;t#D##
###E#W ijDDGKEW####WWfj;f#j: E, t#G Kfj f;j: KG#L: t#####f####G###E#
####W#KDt,. :W###WW##fEfD#; :E L# :fLt Ei: :WDt. f#####iG########i#
####DD: ;#########fW#W f; ## G #t fE; j#f f####K;D##K;D####;#
###W, .,G##########f#: fD :#, GG #D D#t tG#####,i###:G#####f#
###t : j#############W ## fDG,LD .G; t#G L######t,W##it###### #
###. tKW##############;j#t :tDWDt Wf ;W#, f######K W###:####DW# #
###. ;LWEi:t#############G fj: ;G i###f ######KWGW##Lf###L ## #
###t.. ;#t .fEDEL,:::tD##L :; t####f ######j;####:G###: #G #
#EDWt,. j#K: iL: i##E, :tD#####t #######L####:G###,:# #
#jE##EKj. ,WW; .G; i##WLtt;;,;fD########j f#;K########GW###LfK f#
########L: :W#t D, E#,:fffjfGKEK#######f j#: tG####W##E###,Df K#
#########D. .G#D. .E D#i ft i########f ;##G ;E########f#tG##
##########W: .;K#j LiifK#j if G#########j .###D :iW####### j##
###########E .jKWkkkkkKK####D#f. :j:D##########f t####i ;G#####Kf##
E###########L :DKW#########t;f::,;iK##########,f f####G :fW######
#############; :K##########K; ,tD######W######:L . tW#####Kt .:tW###
#############D f##W###################K######K; ; L########t;; ,D#
#############j .i#########L############EG#######KtiL###E######L;ti f#
W############f :EW######### G#####L#####;E#############E#########D;ft f#
#############KL;iK###W#######ft###########t##########################Wfft f#
#################WKWW########f;#######################################DjLGjt j#
#############DDKKW########K##DG##############;####################K#####KKGGitW#
#######W#####WW###########f##################f#####WW#######################WGW#
################################WWWWWWWWWWWWWWW#################################
##################WEDGLfjii,;::.:.;.::.;:.:.;.:::::;iitjfGDEKW##################
##########WEDfj;,::..:. . . .. ..::. :;tfLDK###########
#####KGji.::.. . . . .:..,tfD######
####D::. . .. .. .. .. .. . ,iW####
###D: . ..::::,ittjjfjjffjfjjjjtt;;::... .. .i####
##K;. .:,fGEW#WWEED;CYB0RG/ASM;EEEKW#WEGf,.. . ..t###
##i. :;E#ji' ':tE#D, .:D##
#;,. :. ;LE#G' 't##KGj;:..: . . : :::G#
#ELfi,;,,,,;itfDKKDf;#W ;#K;tfDKWEDGLLfLLLfLDEW#
#tjfGDEEEEEEDLjt::.:,## ;#E:,.:::;iijjjjttjitiL#
#,. :.. ....: . .t#E W#i. . .... . ::L#
#i: .. :iWW, ;WWi:. .:D#
iE;: . ... : :tG#K; :G#Efi:,....:.:..:;D#'
'K#EGfjjjjjjfLGE#WDi :tDW#WEDDDDDDDEW#E'
':ijLGGGGGGLft;:" ':;ttttttt;t;:'
SCREAM in your PANTS
K-1ine 45 Fall 2oo4
^
^ < RANDoM WoRDS >
^
^ Pre-Introduction . . . . . . . . . . . . . . . . . . . CYB0RG/ASM
^ Introduction . . . . . . . . . . . . . . . The Clone
^ Contact Information . . . . . . . . . . . . . . . . . . The Clone
^ Link of the Quarter . . . . . . . . . . . . . CYB0RG/ASM
^ K-1ine Mirrors . . . . . . . . . . . . . . . . . . . . . The Clone
^
> DoCUMENtS <
^
^ Hacking the Actiontec GT701(-wg) . . . . . . . . . omin0us and sub
^ Windows Logic Bombs . . . . . . . . . . . . Aftermath
^ Single Access Serving System . . . . . . . . . . . . Majestic 1/12
^ Wetware hacking: Sound and Smell . . . . . . . Cybur Netiks
^ More Phun with the Audiovox 8900 . . . . . . . . . . . . . . TeK-g
^ Cracking Encrypted Intelligence . . . . . . . . . aestetix
^ Another Scam From the Dirty Pigs in Edmonton . . . . . . MsOgynis
^ Exploiting Telus POTS/Payphone Lines in Calgary . Falcon Kirtaran
^ Hacking Mircom Technologies Telephone Access Systems . . The Clone
^
< CoNCLUS:oN >
^
^ Credits . . . . . . . . . . . . . . . . . The Clone
^ Shouts . . . . . . . . . . . . . . . . . . . . . . . . . The Clone
^
^
K-1ine 45 SCREAM in your PANTS Fall 2oo4
^
^
Pre-Introduction By CYB0RG/ASM October 31st, Two Thousand Four
---------------------------------------------------------------------
1893. Norwegian painter, Edvard Munch, paints "The Scream". Munch's
work often included the symbolic portrayal of themes such as misery,
sickness, and death.
---------------------------------------------------------------------
a century goes by wherein some misery, sickness, and death happens...
then...
---------------------------------------------------------------------
February 12th, 1994. The National Gallery's "Scream" painting is
stolen. (Munch had made four versions of the painting.) Three months
later the painting was recovered.
---------------------------------------------------------------------
1996. "Scream," directed by Wes Craven, hits theatres. The plot
features a psychopathic serial killer stalking a group of teens...
just like in the movies! Ha ha ha.. art imitating life imitating art.
I get it. But then life starts imitating the art imitating life
imitating art and things get really interesting if not just a little
confusing. Oh yeah, and the killer wears a mask inspired by Edvard
Munch's now infamous painting.
---------------------------------------------------------------------
1997. Three male teenagers who had repeatedly watched Scream murder
two girls in Salem, Massachusetts.
---------------------------------------------------------------------
1997. "Scream 2" hits theatres. In this sequel to the 1996 film, the
number of suspects only goes down as the body count slowly goes up!
Ha ha ha.. I get it! Just like in real life!
---------------------------------------------------------------------
1999. Patrick was 14 when he put on a "Scream" mask and broke into a
former teachers house near Hood Canal. Yelling "Die, bitch, die," he
repeatedly stabbed and beat her while her baby slept in another room.
---------------------------------------------------------------------
1999. Thirty-four violent films, including Scream, found in the rooms
of two male college students at Hadlow, Kent, who stabbed a friend to
death, dismembered his body, and then burnt the leftovers.
---------------------------------------------------------------------
1999. Two schoolboys who brutally stabbed a friend and left him for
dead after watching Scream are convicted of attempted murder at Hull.
---------------------------------------------------------------------
1999. With the help of two cousins, a teenager stabbed his mother to
death after watching Scream in Lynwood, California.
---------------------------------------------------------------------
2000. "Scream 3" hits theatres. Because inspiring a monumental string
of barbarous copycat murders really requires a trilogy! Ya dig?
---------------------------------------------------------------------
2000. Three men, one in a "Scream" mask, scaled a balcony and broke
into an apartment in the England Run complex off U.S. 17. One victim
was bound with duct tape. Matthew W. Glenn, 18, resisted his
attackers and was shot in the back.
---------------------------------------------------------------------
2000. A woman and two men, wearing Scream masks, robbed a store in
Lowell, Massachusetts, and shot a man dead.
---------------------------------------------------------------------
2000. Five young men wore Scream masks when they gang raped a 21-
year-old woman in a town near Paris.
---------------------------------------------------------------------
A few weeks later at Lebetain, eastern France, the police arrested a
boy of 15 when his parents were found dead after being repeatedly
stabbed while they slept. In his confession the boy said he had
hallucinations after watching "Scream" and heard voices telling him
to kill his parents.
---------------------------------------------------------------------
November 29th, 2000. An 18-year-old man robbed a convenience store
wearing a "Scream" mask -- and his 17-year-old wife drove the getaway
car. Jessica Powell told police they took the money so they could go
to the movies.
---------------------------------------------------------------------
2001. A 24-year-old Belgian in the town of Gerpinnes with no criminal
record and no history of psychiatric problems dressed himself in a
long black tunic, donned a Scream mask, and stabbed a 15-year-old
schoolgirl 30 times with two enormous kitchen knives.
---------------------------------------------------------------------
2002. Man accused of shooting two men dead in a bar in Pennsylvania
wore a Scream mask.
---------------------------------------------------------------------
March 2002. After two teenage girls at Saint-Vit, eastern France,
tortured a classmate in an abandoned house, the local public
prosecutor said they had admitted watching the film just beforehand.
He claimed that the girls, aged 15 and 13, had been influenced by the
film and carried a knife which "strongly recalled the weapon used in
the horror film."
---------------------------------------------------------------------
April 2nd, 2002. Kevin Skaggs was at the counter of the Oregon Quick
Cash Payday Advance when a man wearing a Scream mask walked in. The
robber indicated that he had a gun and wanted money. Skaggs pulled
his own gun and shot Jeffrey Gordon Duncan in the chest. The
assailant fled and was found dead a few blocks away. "If there is one
good thing that comes out of this," Skaggs said, "it's that people
will know that we are not going to put up with this sort of thing."
---------------------------------------------------------------------
May 2002. A 17-year-old french boy stabs a 15-year-old girl 17 times
after watching "Scream". He had tried unsuccessfully to attack two
other schoolgirls before inviting his final victim to go for a walk
around a football field near their homes.
---------------------------------------------------------------------
October 2002. A masked gunman robbed a North Toledo McDonalds and
fled with an undisclosed amount of money. Wearing a mask from the
movie Scream and using a voice changer to disguise his voice, the
robber approached the counter and pulled out a gun.
---------------------------------------------------------------------
November 3rd, 2002. A group of about 15 men, all believed to be Asian
and in their early 20's, went on a stabbing rampage in England and
knifed 4 random people. The main offender was wearing a Scream-style
Halloween mask.
---------------------------------------------------------------------
November 23rd, 2002. 24-year-old Jeffrey Ivan Vample of Norristown,
PA, raped, strangled, and robbed 67 year old Alice Hufnagle-Llauman.
She was found half naked and bound with duct tape in her bedroom. A
bloody "Scream" mask, and a calender with the notation on November
23rd reading "My Love, What a Day," were recovered.
---------------------------------------------------------------------
July 31st, 2003. 51-year-old West Roxbury man, James Hayes, decided
to break off his hockey stick, attach a 5-inch knife, grab a Scream
mask, a cloak, and some electrical cord, and drive to his ex-wife's
house after learning she was sleeping with a woman. Once there, he
burst into the bedroom wearing the Scream mask and repeatedly stabbed
his ex-wifes lesbian lover with his makeshift "man-spear".
---------------------------------------------------------------------
October 31st, 2003. A crazed psychotherapist wore a Scream mask and
"ghost" cloak to kill a stranger on Halloween. Heather Stephenson-
Snell, president of an all-women chapter of the Hell's Angels, set
out to murder her love rival Diane Lomax and frame her ex-lover
(former porn video stripper Adrian Sinclair) for the murder. But when
neighbour Bob Wilkie, 43, intervened she shot him dead with a sawn-
off shotgun instead.
---------------------------------------------------------------------
February 2004. At around 5am a man attired in black robe and a Scream
mask, climbed through a dormitory window in Leeds. The burglar locked
himself in the bedroom and held the student at hammer point. He then
demanded mobile phone, credit cards, and relevant pin numbers. The
burglar threatened to return soon and kill the student if he had
given the wrong number. The burglar left, locking the student inside
his room. After much frantic banging on ceilings and floors, the
student succeeded in waking his flatmates who had to bust the door
open and release the poor captive.
---------------------------------------------------------------------
April 10th, 2004. A Hamilton liquor store was held up by an armed man
wearing a green "Scream" mask. He got away on a blue mountain bike
carrying several bottles of spirits.
---------------------------------------------------------------------
August 22nd, 2004. Armed, masked thieves burst into an open Oslo
museum in broad daylight and snatched the Edvard Munch masterpiece
"The Scream". Estimated value of the painting is between $77 million
and $97 million Canadian. The painting has yet to be recovered.
---------------------------------------------------------------------
September 2004. 61-year-old Richard Anthony Carbone shot and killed a
young friend, Daniel Ray Elzie, 19, who had been staying at his
apartment in Rolling Hills in East Bremerton. Carbone heard a noise
at the back of his apartment and was confronted by Elzie wearing a
"scream mask" and carrying what appeared to be a bloody sword.
Carbone shot Elzie in the stomach, continued to drink for a couple of
hours, then called his son to tell him what had happened. By the time
his son arrived, Elzie had bled to death.
---------------------------------------------------------------------
September 29th, 2004, for reasons known only to her, Britney Spears
put on a Scream-style mask for a visit to the local burger joint.
Spears, accompanied by reputed spouse Kevin Federline, little sister
Jamie Lynn, and mom-chauffeur Lynn, finished the evening by lobbing
milkshakes at paparazzi.
---------------------------------------------------------------------
Tonight, in your community, knife wielding maniacs are donning their
Scream masks and hunting for victims just like you. Disembowelements,
vicious sexual assaults, grisly tortures, senseless shootings, stolen
priceless artworks, blatant abuses of frosty chocolate confections...
you'd better prepare yourself to...
___________________ __________ ___________ _____ ___ ___
/ ______/\ ___ \\______ \\_ _____/ / _ \ / \/ \
\______ \ / \ \/ | _/ | __)_ / /_\ \ / \
/ \\ \____| | \ | \/ | \/ \ / \
Cyb______ / \______ /|____|_ //_______ /\____|__ /\_____||___ /
\/ \/ \/ \/ In \/ your pants \/!
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
Introduction:
Greetings Boils and Ghouls...
Welcome to the Fall Issue of K-1ine Magazine; #45. We have an
incredible issue for you this quarter; because it not only contains
some of the latest hacker and phreaker information, but because it's
also a special Halloween edition!
The K-1ine staff were pretty worried this wouldn't be able to compete
with the absolutely mind-blowing Summer issue, but I think we at least
came pretty close.
Don't forget; the next time you write something original and thought
provoking that relates to the hack/phreak scene, think about sending
it our way. We may just publish it. Then again we might not. Take a
risk and shoot it over to us.
Now is the moment you've all been waiting for; K-1ine goodness in its
most natural and most pure form. Hold onto your bags of candies, and
change of underwear kiddies because you are about to leap into hacker
greatness...
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
Contact Information;
|*> Comments/Questions/Submissions: theclone@hackcanada.com
|*> Check out my site: (Nettwerked) http://www.nettwerked.net
|*> Check out the Web-forum: http://board.nettwerked.net/
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
Link of the Quarter:
Oddity Cinema - http://www.odditycinema.com/
Tired of hollywood regurgitating the same old crap? Well you should be
you brain-dead zombie. Quit being such a victim and try thinking for
yourself for a change. You know there is more to movies than what you
find on the highly censored and intellectually sanitized shelves of
your local Blobbuster Video.
Oddity Cinema offers the most brain-fucking demented selection of video
on the planet. Whatever your twisted desire they can probably feed it.
And if you don't have any twisted desires then there is no time like
the present to discover some latent ones... like:
Vomit churning gore & violence? Of course!
Softcore Nazi porno? Only the finest.
Cannibalism? Taste the other other white meat.
A little token bestiality? oh yeah.
Necrophelia? The only date you're likely to get.
Snuff? Mm hmm.
Hardcore anal sex with zombies? Probably!
And not only do they have an online store, they also have a physical
store right here in Deadmonton on Whyte Avenue, conveniently located
under the daycare.
Many of these movies are banned in most countries. You might want to
take advantage of this little pocket of availability while you still
can. So grab a bag of Orville Reddenblubber's Ultimate Theatre-Style
Blubber-Lovers Popcorn (patent pending) and take in some gawd-awful
bloody sex and violence in an effort to desensitize yourself to the
horrors of the coming revolution as we push forward in accelerating
the decline of our already doomed society.
[ submitted by: CYB0RG/ASM ]
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
K-1ine Magazine Mirrors:
WIRETAPPED
"Wiretapped.net is an archive of open source software, informational
textfiles and radio/conference broadcasts covering the areas of
network and information security, network operations, host integrity,
cryptography and privacy, among others. We believe we are now the
largest archive of this type of software and information, hosting in
excess of 20 gigabytes of information mirrored from around the world."
Now mirrored in two places, one in Belgium and another in Sydney.
http://www.mirrors.wiretapped.net/security/info/textfiles/k1ine/
HACK CANADA
"Hack Canada is the source for Canadian hacking, phreaking, freedom,
privacy, and related information."
http://www.hackcanada.com/canadian/zines/k_1ine/index.html
SECURITY-CORE
"Security-Core mirrors K-1ine.. and that's about it so far."
http://security-core.com/modules.php?op=modload&
name=Downloads&file=index&req=viewdownload&cid=5
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
Hacking the Actiontec GT701(-wg)
Or, a primer on building your own hacked (custom) firmware
by omin0us and sub
Note: We've also gone ahead and mirrored the source code downloads. As soon as
I get around to reading the licenses I may post the raw firmware images. If you
have any further questions you may contact me.
Introduction
This paper is our attempt to deobfuscate the Actiontec GT701 wireless gateway.
There are a couple of other websites out there with the same goal in mind,
however, our intent was to provide accurate information based off of various
sources including both official and un-official documentation, kernel source,
configuration files, and just plain hacking.
Hardware
The hardware making up this unit revolves around the ar7wrd, the ar7wrd is one
of Texas Instruments' "system on a chip" solution for DSL routers. The hardware
of the GT701 (or any other AR7-based device for that matter,) consists of a
power supply, the 160Mhz MIPS 4KEc V4.8 processor, 16Mb of SDRAM, and 4Mb of
FLASH. For your input/output, there's the RJ-11 for your DSL, your ethernet
device (TI Avalanche CPMAC) jack, a USB port, and an ACX-11x based (chip #
TNETW130) wireless setup as well as 6 status LEDs. On the board, there are also
two separate sets of 5 pins each. These are mostly believed to be serial (JTAG
is also possible) due to Texas Instruments displaying a serial/UART interface
on the AR7 diagrams, several pins being attached to the board, and due to the
following ADAM2 variables:
modetty0 38400,n,8,1,hw
modetty1 38400,n,8,1,hw
bootserport tty0
ADAM2
To be perfectly honest, we're still not entirely too sure what ADAM2 really is.
We know that it's stored on block 2 of the MTD device. We also know that it
appears to be some sort of system for storing environment variables in flash
used during both boot-time and run-time, as well as a boot-loader of some sort.
We also know that it's responsible for storing the MAC addresses, as found in
our mtd dump:
Error: environment variable "maca" not set.
Setting default mac address : 00:e0:a0:a6:66:70
The following is a dump of /proc/ticfg/env, which is the /proc interface to
ADAM2.
# cat /proc/ticfg/env
memsize 0x01000000
flashsize 0x00400000
modetty0 38400,n,8,1,hw
modetty1 38400,n,8,1,hw
bootserport tty0
cpufrequency 150000000
sysfrequency 125000000
bootloaderVersion 0.22.02
ProductID GT701-WG
HWRevision 2A
SerialNumber none
AEIBootVersion 0.2i
my_ipaddress 192.168.0.1
prompt Adam2_AR7DB
firstfreeaddress 0x9401d328
req_fullrate_freq 125000000
maca 00:20:E0:1D:95:F4
mtd2 0x90000000,0x90010000
mtd1 0x90010000,0x900d0000
mtd0 0x900d0000,0x903e0000
mtd3 0x903f0000,0x90400000
macb 00:20:E0:1D:95:F5
macc 00:20:E0:1D:95:F6
usb_board_mac 00:20:E0:1D:95:F8
usb_rndis_mac 00:20:E0:1D:95:F9
mac_ap 00:20:E0:1D:95:F7
autoload 1
mtd4 0x903e0000,0x903f0000
usb_pid 0x6010
usb_vid 0x1668
man Actiontec Electronics, Inc.
prod Actiontec USB/Ethernet Home DSL Modem
When you hold down the Reset button during boot, an FTP server is spawned on
the default port (TCP/21) typically allowing you to flash new firmware, as well
as set and unset different ADAM2 environment variables.
The following is a list of commands that the ADAM2 FTP server supports.
REBOOT UNSETENV SETENV GETENV
MEDIA RETR TYPE STOR
P@SW PASV SYST PASS
USER PORT QUIT ABOR
When Actiontec's recovery app is run, it also sends a UDP packet to port 5035,
and then initiates a connection to the FTP port. The following is the output
of a sniffed connection of a typical firmware upgrade.
UDP broadcast port 5035: (16 bytes)
0x00 0x00 0x16 0x02 0x01 0x00 0x00 0x00
0xc0 0xa8 0x00 0x01 0x00 0x00 0x00 0x00
UDP response from modem to port 5035: (16 bytes)
0x00 0x00 0x16 0x02 0x02 0x00 0x00 0x00
0x01 0x00 0xa8 0xc0 0x00 0x00 0x00 0x00
220 ADAM2 FTP Server ready.
USER adam2
331 Password required for adam2.
PASS adam2
230 User adam2 successfully logged in.
TYPE I
200 Type set to I.
MEDIA FLSH
200 Media set to FLSH.
PORT 192,168,0,102,130,11
200 Port command successful.
STOR nsp.ar7wrd.squashfs.img mtd0
150 Opening BINARY mode data connection for file transfer.
226 Transfer complete.
TYPE I
200 Type set to I.
MEDIA FLSH
200 Media set to FLSH.
PORT 192,168,0,102,130,12
200 Port command successful.
STOR ram_zimage_pad.ar7wrd.nsp.squashfs.bin mtd1
150 Opening BINARY mode data connection for file transfer.
226 Transfer complete.
TYPE I
200 Type set to I.
MEDIA FLSH
200 Media set to FLSH.
PORT 192,168,0,102,130,13
200 Port command successful.
STOR config.xml mtd3
150 Opening BINARY mode data connection for file transfer.
226 Transfer complete.
REBOOT
221-Thank you for using the FTP service on ADAM2.
221 Goodbye.
QUIT
The Actiontec GT701's MTD blocks are set up as follows:
mtd0 3,136K Root (SquashFS - compressed filesystem)
mtd1 768K Kernel
mtd2 64K ADAM2
mtd3 64K config.xml
mtd4 64K unkown/unused
We're not too sure what else it is capable of, but there are some hints of it
being able to boot off the network (DHCP,) and/or booting specified images.
Here are some ADAM2 commands, though we haven't actually been able to test
these yet:
fixenv Defragment for Env. space
unsetenv Unsets the Env. variable <var>
setenv Sets Env. variable <var> with a value <val>
printenv Displays Env. Variables
erase Erase Flash except Adam2 Kernel and Env space
setmfreq Configures/dumps the system and cpu frequencies
memop Memory Optimization
info Displays board information
h/help Displays the commands supported
There are others, but some of the command names didn't show up, only the
descriptions, and we don't have a console hooked up to see them for ourselves
yet.
Software
The Actiontec GT701 runs off of Linux kernel 2.4.17 patched for MIPS, ATM,
SquashFS, and pre-empt (not enabled.) The kernel is provided by MontaVista
and is believed to be the MontaVista Carrier Grade Linux kernel version 2.1.
Linux version 2.4.17_mvl21-malta-mips_fp_le (mspeng@localhost.localdomain)
(gcc version 2.95.3 20010315 (release/MontaVista)) #24 Fri Jul 16 13:22:25 PDT
2004
Along with the kernel, the GT701 also runs on top of Busybox 0.61.pre with
uClibc libraries (version 0.9.19.) The root filesystem uses SquashFS 1.x,
which is a compressed, read-only filesystem stored on the MTD block. One
should note that SquashFS 2.x is not backwards-compatible with 1.x. A ramdisk
is mounted at /var and any files that require write access or either stored
there, or symlinked to that tree.
In order to retrieve and edit the file system one would first have to download
SquashFS and compile it into their kernel, as well as build the user-land tools.
Once this is complete your first step would be to either extract nsp.ar7wrd.
squashfs.img from the recovery tool, or do something similar to the following
(while running a tftp server):
# dd if=/dev/mtdblock/0 of=/var/mtd0
6272+0 records in
6272+0 records out
# tftp -p -l /var/mtd0 -p mtd0.img <your ip>
This will give you a mountable SquashFS image wherever you you placed your
tftp root. In order to to write to it though, you will need to copy a mounted
SquashFS directory to a non-SquashFS directory as follows:
# mkdir temp fs
# mount -o loop -t squashfs mtd0.img temp/
# cp -R temp/ fs/
And you now have a write-able directory to edit/delete or whatever else may
please you. Re-creating the image is just as easy:
# mksquashfs target.old/ target.img -noappend -check_data
Creating little endian filesystem on target.img, block size 32768.
Little endian filesystem, data block size 32768, compressed data, compressed
metadata Filesystem size 1897.99 Kbytes (1.85 Mbytes)
33.35% of uncompressed filesystem size (5691.04 Kbytes)
--- Output cut ---
There are two things to keep in mind while building filesystem images. The
first is that the GT701 can only STORE 3,136K (compressed) on the FLASH chip.
You should at this point, also realize that the filesystem is decompressed and
stored in RAM when mounted, and you only have 16Mb RAM to begin with, so either
way, it's a tight fit.
Actiontec uses a set of utilities to manage your configuration files. They
manage the XML file stored on mtd3 as well as handle your web-based
configuration changes. There is also supposed to be a CLI client for it,
however, I haven't quite figured out how that works yet. These utilities can
usually be identified by having "cm_" as a prefix, although the CGI program
for the web-based configuration is called "webcm," and of course, we can't
forget libcm.so. The XML file contains all of your configuration, including IP
addresses, authentication, networking settings, and probably just about
everything else. You can extract a current version of the file the same way we
demonstrated dumping the filesystem above, but by replacing mtd0 with mtd3.
You will also need to strip all of the excess garbage at the end of the file.
I should also note that that mtd3 is monitored regularly for corruption, and
if mtd3 happens to become corrupted, it will repopulate the block with
/etc/config.xml.
The list of configuration programs is as follows:
cm_pc Started at boot, stdout is /dev/tts/0,starts cm_logic
and cm_monitor
cm_logic Monitors and re-populates mtd3
cm_monitor ? ... Not exactly sure.
cm_cli Used to perform the actual updating of the config files.
webcm Handles web-based configuration changes, sends them off
to cm_cli
Webcm is used in conjunction with thttpd to provide a small, yet working,
web-based interface to allow you to make changes to your gateway's
configuration.
As far as networking is concerned, the GT701 used pppd with a PPPoA plugin for
your connection to your ISP. For telnet and DHCP, the gateway uses utelnetd
and udhcpd, respectively. The Actiontec GT701 also supports UPNP through the
use of upnpd on interfaces ppp0 and br0. br0 consists of the USB device, the
Ethernet device, and the wireless device.
The wireless drivers are not compiled into the kernel or as a kernel module,
rather, they are handled by a userland driver called user_drv. On the original
firmware, the user_drv_cli utility provided a very capable command line
interface that allowed you to change many settings pertaining to the wireless
network device. Some of these settings included what Regulatory domain you
were in, for instane, one could take their access point out of the FCC domain,
and place it under the French domain, or better yet, a custom domain, and
change power levels, as well as usable channels. In the newer firmware, it
seems this software has been crippled, and will not allow you to access the
CLI.
Conclusion
The Actiontec GT701-wg is a powerful embedded Linux device running on a MIPS
platform based off of Texas Instruments' AR7 "one-chip" solution. It is
relatively easy to hack the GT701. The firmware images are squashFS 1.x images
and the base Linux system is run on BusyBox with the uClibc libraries. If one
were to setup a cross-compile environment and use the squashFS tools they
could generate new firmware images with great ease.
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
<port9> I just spent the last 45 mins watching some dude work a hand-loom
while speaking in a language I don't understand.
<port9> There is no hope for me.
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
. * * .
* *
* *
* *
* *
* *
* *
* *
* *
* *
, Windows Logic Bombs. ,
* *
* *
* *
* *
* *
* *
* *
* *
* *
* *
* *
* *
* *
* *
* *
* *
* *
* *
_______________*____________________________________________*___________________
Ka - fucking - boom
__________________________________________
/ / / / / / / /|
/_____/_____/_____/_____/_____/_____/_____/ |
| | __|_____|_____|_____|__ | | |
| ___ | | ___________________ | | ___ | |
|| |--| | 12:00:00 | |--|| | |
||___ | |=| Logic Set to blow |=| ||___ | |
| |--| | At Memory Address | |--| | |
|| | | |=| 4556 x 1337 |=| || | | |
||__| |--| | DEVICE IS ARMED! | |--||__| | |
| | | | |___________________| | | | | |
| | |--|_______________________|--| | | /
|_____|_____|_____|_____|_____|_____|_____|/
DISCLAMER: Note that some of the techniques in this file have not been tested
on all operating systems. If you mess up your (or some one elses) operating
system(s) please do not blame me because I won't take responsibility. The
following techniques have only been tested on windows XP Pro. Use at your own
risk!!!
NOTE TO THE WISE: This file is aimed at audiences with some batch experience
and some knowledge of the windows operating system(s). If youre into smashing
kernel stacks and creating operating systems with ASM then this file is
probably too basic for you. This text file is meant to show how easily it is
to create a triggering effect in the Windows operating system and most anti-
virus programs won't be able to pick it out. This is a very simple guide aimed
towards beginners and anyone who wants to learn a quirk or two on the Windows
OSes.
"I don't know how world war three will be fought, but I do know that world war
four will be fought with sticks and stones." - Albert Einstein
Who knows what kind of terrible and terrifying weapons that will be created. Al
is most likely thinking of the dangerous kind. The kind I am about to tell you
about can be dangerous, but can also have a lot of really useful purposes and
applications to it as well. In the virus world they are called logic bombs.
What is a logic bomb? A logic bomb is an event that is triggered to happen when
another event that the user does happens. I think that a time bomb is a type of
logic bomb, and we will be touching on the subject of time bombs in this text
as well.
Thompsons A+ guide to software defines a logic bomb as "Dormant code added to
software that is triggered by a predetermined time or event."
I think that is as clear as it's going to get on the definition.
In windows it is extremely easy to make a program execute on a predetermined
time or event. This guide will teach you how to make some code execute on a
predetermined event (but if your smart you will probably figure out how to do
the time part by yourself).
First off, lets start at the windows root. Usually windows will be installed
on C:\. in \windows OR \winnt we will find folders and some files that are
essential for windows to run. These are the files we are going to use to make
the logic bomb do what we want it to do.
Windows XP, 98, and ME use c:\windows for essential windows programs and 2000
and NT use c:\winnt for those programs.
NOTE: The following techniques have been tried and tested in windows XP pro.
There is no guarantee that the following methods will work in any other version
of windows.
Try this. Go into c:\windows\system32. \system32 is where lots of command line
programs are stored, and is also a place where the command prompt will call on
if you ask it to run a program (such as ping or tracert). This is the place
where we will do our mucking around in.
If your using windows XP, then delete cmd.exe. Notice that after 5 seconds or
so, cmd.exe re-appears! Try this with other exe files in the system32 folder
and the \windows folder. Note that I'm not sure what all files will re-appear,
but I am positive that lots of them will. Most of the exe files seam to, but
don't count on files that you have placed there yourself, or picture or movie
files to re-appear!
Ok, what does this have to do with logic bombs?
Ok, I am about to tell you how to make a logic bomb. Don't worry if you don't
understand it at first. I will explain it after.
1) Go into c:\windows\system32\ and create a batch file (If you dont know how
to create a batch file learn how to do that first). Name the batch file
"batchfile.bat"
2) In the batch file type this in the following order:
start c:\windows\system32\calc.exe
start c:\windows\system32\cmd32.exe
Then close and save the batch file.
3) Create another batch file wherever you want and name it whatever you want. You
will only be using this new batch file once. In the batch file type this:
rename c:\windows\system32\cmd.exe c:\windows\system32\cmd32.exe
rename c:\windows\system32\batchfile.bat c:\windows\system32\cmd.exe
Then execute the second batch file. After you executed it you have made the
logic bomb. Delete the second batch file that you made.
What does this logic bomb do? I'll tell you.
In step number one, we create the actual bomb. The bomb is the batch file, but
it wont work yet. In step two you enter the data of the bomb. The line start
c:\windows\system32\calc.exe starts calculator. The second line, start
c:\windows\system32\cmd32.exe starts the program cmd32.exe. But wait! There
is no such file named cmd32.exe! Thats because we havent created it yet.
In step three, we make a second batch file which renames cmd.exe to cmd32.exe
in the first line. In the second line of the batch file, we rename the original
batch file we made to cmd.exe.
What does that mean? That means whenever you start cmd from now on you will be
starting up a batch file first, then you will start up cmd32 (the REAL command
prompt) and calc.exe.
I put calc.exe into the batch file to demonstrate that when you try to call
cmd.exe you have the ability to start two programs at once using this
technique. Calc.exe can be replaced with ANY program that is on the computer.
Thats the gist of making a logic bomb! Simple!
The reason you need to use a batch file is if you try to rename cmd.exe (the
real one) and try to make a batch file named cmd.bat you will find that the
real cmd.exe comes back very quickly and you will only have a few seconds to
create the new batch file name. Once created, the real cmd.exe will not be
written back to its original name if the batch file is already in place.
So from now on, whenever a user goes to start -> run and types "cmd" they will
get both the cmd.exe and calc.exe.
This is an extremely basic logic bomb. If you have looked in the system32
folder you may have noticed that there are a crap load of files in there! Even
experienced windows system administrators dont know what all of these programs
do. A few changed file names would be hard for anyone to notice, especially if
nothing has seamed to change.
If you want to add some time properties you can add an "if" statement in your
batch file. This would look something like this:
if %date% == Fri 13/01/06 (
ping localhost)
or something similar.
Ok, lets do another example. This time, we are going to use a very common
windows application. Notepad! Every time notepad opens, MrMalware.exe will
open with it. Here is the example:
Create the triggering batch file by making a batch file with these two lines
in it:
rename c:\windows\system32\notepad.exe c:\windows\system32\notepad32.exe
rename c:\windows\system32\batchfile.bat c:\windows\system32\notepad.bat
then close the file. Now make another batch file that will be the logic bomb
itself. Make sure this file is in c:\windows\system32\ call it batchfile.bat
start c:\windows\system32\notepad32.exe
if %date% == Fri 13/01/06 (
start MrMalware.exe)
Then execute and delete the first batch file. Now whenever notepad is called,
notepad won't start up first, but notepad.bat will start up and it will call
the real notepad program. The real notepad program is now called
"notepad32.exe" because we re-named it. So that will start up. Then
notepad.bat checks the date. If the date is Friday the 13th on January 2006,
then it will start MrMalware.exe whatever that does. Simple, isn't it?
I think that if you start to integrate time with the logic that you should
use some high level programming language to do so because batch has its
limitations. Anything more advanced than starting one program with any other
program that you can call from start -> run you may want to consider not using
batch. A program that has been compiled can have an extension of exe, which
would make it harder to spot and detect.
This logic bomb can be used for good and evil. If youre an administrator, you
can use it to start a log of how many times a user is using a specific program,
or you can use it to execute malware.
A more elegant way of writing this program would be writing it in VB. If you
wrote it in VB, or any other non-script language, you have more control over
the logic of the mechanisms of the bomb and what, why, how and when it
executes, but this is the simplest and quickest way to do it. You could also
make a vbs (vb script) file, but I have not played with this either. These
are just ideas for you to use.
There are many potential uses for this. One use I have not yet tried is getting
administration privileges. You could create a logic bomb that starts when
notepad starts that creates a user and puts him in the administrators group.
You could do this from booting from a floppy disk and creating the logic bomb.
A malicious user could put a program somewhere on the hard disk and set it to
'explode' on a certain event and be long gone by the time it actually occurs.
You could also use the AT command in dos to do the same thing, or use the task
scheduler, but that's a lot easier to detect. Another thing about this method
is that it is not like a virus that is running in the background waiting for
a specific keystroke (those can be detected in process viewers most of the
time). This just waits for a program to be called.
What is a solution to network administrators? There is a program called LAN
Guard File Integrity Checker. It checks on a specified date and time what files
have been changed. The same people who made the LAN Guard network-auditing tool
make it. It will email you the changes some one made to the computer, but there
are always ways around this. You could, for example, find out when it is
scheduled to send the e-mail and shut down the program at that time and send
fake emails or even shut down the service all together. Or even if your logic
bomb works with an executable instead of a batch file, an administrator might
see the changes made, but when they see that some obscure file has been deleted
and replaced (with one that they dont know is malware etc) and another file
has been renamed and they see the system works exactly like it did before the
changes were made, they might not put two and two together. And remember, the
only way an administrator could find out is *after* the implementation of the
bomb.
If you are using an XP pro machine a solution is to use the Windows system
file checker. This program checks to see if all of the system files are the
originals. To start this program go to the command prompt and type
SFC /scannow but this program too could be deleted or corrupted.
Notepad is excellent to use for this type of re-naming logic bomb because it
is used a lot. It is used to edit html, ini files, batch files and text files
(duh) to name a few. Other programs to use for this technique are: ping,
tracert, cmd.exe, calc.exe, dir and any other file in c:\windows, c:\winnt,
c:\windows\system32 or any other place where your computer looks for command
line executables. You may also want to note that the logic bomb will run
whenever the batch file-logic bomb is executed and this may cause problems of
its own, but thats for you to experiment with.
Usually discovery of such small hacks such as this are inevitable to the
experienced system administrator, but as you can see, often discovery can
theoretically be delayed and sometimes may not be discovered at all. As you
have seen, making a logic bomb that will go off when a local windows program
is executed is as easy as:
1) Making the logic bomb with batch or other programming language
2) Doing a Rename with another batch file, and
3) Deleting the evidence.
Even Tron can (maybe) do it!
Hopefully this guide has shown you the basics of event-triggered events and
you will find your own new ways of triggering events when other events occur.
Questions? Comments? Death threats? Mail aftermath.thegreat@gmail.com
This file is not copywrited and is not intellectual property (intellectual
property is stupid).
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
--> tron (~user@ip68-1-50-252.pn.at.cox.net) has joined #hackcanada
<urinetrouble> oh. it's tron.
<urinetrouble> can you shoot lasers out of your eyes?
<tron> get a real handle kid
<urinetrouble> haha
<jedkiwi> lol
<fr0st> lol
<urinetrouble> your's is based off some fucking disney flick, you silly goose
<tron> off an elite movie
<urinetrouble> disney.
<tron> hey disney rules! i especially like aladdin because it reminds me that
someday i will be able to travel the world on a flying carpet.
<tron> :`( I'm a lonely old man
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
( SASS ) Single Access Serving System ( /SASS )
Written and Investigated by Majestic 1/12
Prepared for: http://www.datutoday.tk
Submitted to: http://www.phreaksandgeeks.com
( Special thanX to " greyarea ", for finding and posting this number and Pass,
allowing me access to the systems and functions of this Sass Unit! ThanX to
" Lineside " For his Hz scales from his artie, also posted in the Sass Section
of http://www.datutoday.tk )
Sass Unit Dialup Number: ( 602 ) 277 9994
Npa = (602) Pheonix Arizona
xxx = (277) Quest Communications
One or Two rings to Dialtone enter "****", you will be prompted to enter Tech
ID, Enter in "****", a dialtone will proceed until you are prompted to enter
the Ten digit subscriber line number... Type # and you will get the list of
options as follows:
Dial 5 for Dtmf Keypad Test
Dial 6 for Caller ID
Dial 71 for Ringback
Dial 72 for Call waiting Ringback
Dial 81 for Single tone: choose between 03 (304 Hz) and
32 (3204 Hz)
Dial 82 for Low coil tone Sweep
Dial 83 for Three tone slope (400 Hz,1004 Hz, 2804 Hz)
Dial 85 for Quiet termination
Dial 86 for Milliwatt tone
Dial 87 for 30 Tone sweep: choose start and end tone between
03 (304 Hz) to 32 (3204 Hz). For a full tone
sweep you enter *
Dial 88 for Number identification sweep: 1200 HZ - 2200 HZ
(for caller id)
Dial 89 for Data sweep (900 Hz - 2800 Hz)
Dial 80 for 10 tone slope (304 Hz - 3204 Hz)
Dial # for New Subscriber Line
Dialed 5 - DTMF Keypad Test, Whatever key pressed, machanical Voice told you
the Numerical Number.
Dialed 6 - When I tried #6 I was told Restricted .. I then unlocked my line
with *82 and tried again. This time it spit out my number then repeated it.
Upon dialing into a Sass Unit your ANI may be being logged, but wen you test
the Caller ID option # 6 if your line is blocked with a permenant caller ID
Block it will either readback as "Private" or "Restricted".
Dialed 71 - <*>Ringback Please enter 10 digit ringback number. I was told by
persons living in the above stated NPA that the ringback feature does work,
but is NPA restricted. This Function as I was told by Greyarea and decoder
would only work with a Sass Unit that was on the Switch in the NPA ( 602 )
So when I find one that is in or around this area, I will indeed be recording
the full audio and submitting that to: http://www.phreaksandgeeks.com as well!
Dialed 72 - <*>Call Waiting Ringback Please enter 10 digit ringback number. I
was told by persons living in the above stated NPA that the ringback feature
does work, but is NPA restricted.
Dialed 81 - Single tone Enter 2 digits, ( only ones that worked so far that I
saw were the ones stated above " 03 " ( 304 Hz ) and " 32 " ( 3204 Hz).
Anything else gives an error message.
Dialed 82 - Low Coil Tone Sweep - When to Milliwatt then to other Test Tones...
Higher tones as the Sweep Progressed lasted 12 seconds!
Dialed 83 - Three Tone Slope - Lower Level Tone to a Milliwatt, then to a
higher pitched tone As stated above ... In Order (400 Hz,1004 Hz, 2804 Hz)
Dialed 85 - Quiet termination Just as it said " Quiet " No noise at all!
Dialed 86 - Milliwatt Tone - Instant Milliwatt for 10 seconds
Dialed 87 - 30 Tone Sweep Press * to start full Sweep, or enter the same two
digits as described in Promt 81.
Dialed 88 - Caller ID Tone Sweep Multi Tone Sweep from Low to high end range.
Number identification sweep: (1200 HZ - 2200 HZ)
Dialed 89 - Data Tone Sweep, Tone Sweep from low to high end range.
(900 Hz - 2800 Hz)
Dialed 80 - Ten Tone Slope, (304 Hz - 3204 Hz)
<*> options ( 71 & 72 ) have me wondering, if maybe you have to enter in the
actual Ringback line number and is just a subscriber line number. I tried
entering my number and never got a call back from the Sass Unit, or any other
unit for that matter. I have tried this a few dozen times, and got the same
response out of the Sass Unit. option 71 - " Ringback - Dial 10 Digit Ringback
number, Entered in a Real NPA and XXX, made up last four and was prompted with
" Please hangup for test ring. "
I have yet to connect to a subscriber line number, as it tells me it is unable
to connect. I have tried to connect to the numbers 602 277 9990 - 9999 as I
thought maybe I had to use the same NPA and XXX as the Sass Unit. I was still
not able to connect. Perhaps this system is like the Direct Access Test Unit
systems,( DATU ) and require an admin code to setup certain features. I again
hungup and redialed the Sass number and attempted to access an admin mode by
using the same codes as a Datu. No response other then the 4 digit default
logon code. I will continue to explore this system, and get to know it better.
Perhaps I will learn more about admin feature, and such... I hope this .txt
phile helps you understand the Sass a little better. Please feel free to
email me @ datu_warrior@phreaker.net with more information and or questions
on the Sass Unit. Please visit my Direct Access Test Unit site
@ http://www.datutoday.tk for all your 1337 Remote Accessing needs...
Added as of April 29 2004 ...
Dialed the access number:
602 277 9994
Entered in the login **** and the Admin code of ******* and got The prompt:
" Dial 10 digit subscriber line number! " I tried to press # for the feature
list, but was then again prompted for the 10 digit subscriber line number! It
wasn't until I entered a number in the 602 277 XXXX that I heard "ok" ...
" Intercept " ... " Accessing " ... " Connected to 602 277 XXXX, Pair Gain
Line ... ok Audio Monitor " 5 - 10 second delay until a double beep then
the standard Datu fuction list was prompted.
2 = Audio Monitor
33 = Short Tip and Ring to Ground
37 = Short Ring to ground (Tip Open)
38 = Short Tip to ground (Ring Open)
44 = High Level Tone on Tip and Ring
47 = High Level Tone On Ring (Tip Grounded)
48 = High Level Tone on Tip (Ring Grounded)
5 = Low Level Tone
6 = Open Line
7 = Short Line (Tip to Ring Short)
9 = Permanent Signal Release
# = New Subscriber Line
## = Force Disconnect
* = Connect preparation function after disconnect
(system programmable from 1 to 99 minutes
enter number of minutes); enter number of
minutes after "*"
It is my conclusion that if a regular login of **** and a regular Tech ID of
**** is entered, you will receive the standard test mode of the Sass Unit...
Mainly Test Tones, and ANI confir mation for the Tech to use when either
installing a new subscriber line, or testing a circuit at the CO. When the
access number is dialed and the login of **** and Tech ID of ******* is entered
you will receive the admin features, which then allows the use of the Datu
( Direct Access Test Unit ) features, as listed in the Harris Dracon Datu
Manuals which can be found on the Harris Dracon Website or on my own site of:
http://www.datutoday.tk!
Shouts to:
decoder, Ic0n, Natas, White Sword, Brisk Attivo, Royal, Twinkee the Kid,
greyarea, Rijil V, Eta, Rios, The Clone, And everyone that has helped in
my pursuit of Remote Access Information.
L8er....
Majestic 1/12
( The Collective )
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
<jimmiejaz> I can't stand re-heated coffee *shudders*
<jimmiejaz> That's one of the reasons I broke up with my EX, she'd make
coffee in the microwave.
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
Wetware hacking: Sound and Smell
Cybur Netiks (cybur_netiks@Phreaker.net)
http://www.hackdaplanet.150m.com
Disclaimer: I take no responsibility to any damage either physical or
otherwise that may occur. This kind of treatment may be harmful to some
individuals. Make sure you are in top form physically and mentally if
you decide to try this, which I still advise against.
I based this on a trial beginning with sound (music) to stimulate memories
/ emotions and later moved on to smell.
-sound-
I simulated anger. I looked through my collection of old mp3's that I no
longer listen to. Unfortunately, these were numbered and I cannot tell
you what song I was using, but that doesn't really matter. I picked out
a song that wasn't calm but that didn't currently inspire anger either,
a kind of high-energy techno music I used. Then to recreate the
appropriate conditions, I set the mp3 on repeat and recalled in as much
detail as possible, times that I was extremely angry. Bringing back
these memories gave me an energy rush simular to anger, but not as
impacting. I repeated this at small intervals at least once every two
days. I don't know how long I did this for, I think about two months,
but I soon found I would immediately get the rush of energy associated
with anger when I started the music, even before I began to simulate the
conditions. For quite awhile afterwards, the simulated emotions
triggered from this song were strong and unfaltering (I don't know about
now, those old MP3's are gone) so it appeared to be a success. I never
did try it with another emotion, unfortunately. I chose anger because it
seemed to be the easiest to simulate.
-smell-
I noticed one day when I was in a store and someone was wearing the
exact brand of perfume that my mom uses (the lady was wearing way too
much perfume, i wasn't even that close to her) and immediately I was
flooded with memories of my mom. Interesting, I thought, maybe someone
could use this to recall anything. It wasn't until when I started this
article (this incident was awhile ago) that I actually tried to make
another memory stimulated by smell. I decided to see if I could remember
my bed and be rejuvinated every time I smelled a certain scent. I picked
out one rather strong-smelling scent of the axe deoderant bodyspray. I
sprayed it over myself just before I went to sleep every night for about
a month. I won't go into detail (after all, all I was doing is spraying
deoderant and going to sleep) but I probably should have sprayed it
every time I woke up, because instead of rejuvinating me, all it did was
remind me of how tired I was when I went to sleep and made me tired
immediately! Oh well, this just shows how something as simple as your
perfume can trigger memories or emotions.
I don't know how well this will work for other people, and I don't
suggest trying it. It may be emotionally stressful for some people.
Wetwear Hacking References:
'Brain-Wave Machine'
(CYB0RG/ASM, Hack Canada)
http://www.hackcanada.com/homegrown/wetware/brainwave/index.html
'Electronic Mind Control - remotely altering our lives'
(The Clone, Hack Canada / Nettwerked)
http://www.hackcanada.com/homegrown/wetware/misc/emc.txt
'Telepresence Bi-Autoerotic Intercourse'
(CYB0RG/ASM, Hack Canada)
http://www.hackcanada.com/homegrown/wetware/phuckme/index.html
--
Smell and Memory References:
'SMELL AND MEMORY'
(Shigeyuki Ito, Serendip)
http://serendip.brynmawr.edu/bb/neuro/neuro00/web2/Ito.html
'Improving Memory'
(Paula Tchirkow, MSW, LSW, ACSW)
http://www.seniormag.com/headlines/memory-help.htm
.eof
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
<tek> i'm turning emo.
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
MORE PHUN WITH THE AUDIOVOX 8900 By TeK-g (Sept. 2004)
This time around we will explore the filesystem of the Audiovox 8900 (AKA LG
VX6000) using Bitpim and the USB data cable. We will examine the Telus 8900
compared to other 8900's to gain a better understanding of Telus' frugality.
*********************************************************************
*********** PLEASE READ THE FOLLOWING BEFORE CONTINUING.*************
*********************************************************************
From: http://bitpim.sourceforge.net/testhelp/
Audiovox CDM8900
THIS PHONE IS NOT SUPPORTED
The internal software in this phone is far too fragile and shoddy.
There is a very real risk of locking up the phone so badly it won't
reboot and has to be replaced through trivial operations.
Consequently this phone is not supported by BitPim and you should
not use it with BitPim even if
it appears to work. You should not
report any issues with this phone and we will not respond to
support requests other than by pointing to this page.
**********************************************************************
To paraphrase: this COULD seriously SCREW UP your phone. You have been
warned.
NEEDED:
Bitpim: http://bitpim.sourceforge.net
Datacable: http://ebay.com
SETUP:
1) Install the 8900 on your respective OS using the driver disc accompanying
your cable. Make sure phone is turned on and everything is connected
correctly.
2) Download and install bitpim.
FIRST STEPS:
Once you have bitpim up and running, you will need to configure the phone so
as to facilitate communication. This is accomplished by (under win2k3) EDIT
--> SETTINGS. Once here you will need to modify the PHONE TYPE field to
VX6000. Next go to BROWSE and select CURITEL PACKET SERVICE. The phone is
now correctly configured and ready for some data transfer.
Next we will need to view a copy of the filesystem. For this we select the
FILESYSTEM tab and right click on REFRESH. This will give us the filesystem,
all readable in HEX.
FURTHER EXAMINATION:
/ch/ <-- call history, readbale plain text.
/nvm/$SYS.INVAR2 <-- ESN stored here. Note this phone was second hand,
subsequently this is likely different on 1 owner phones.
/nvm/nvm_0002 <--- at address 0000070 we see the security code for the
phone, again plaintext,
Below, you should see 2 six digit text numbesr, first set of 6 digits is
your SPC
code the next set of 6 digit should be Telus One time subsidy lock code. The
SPC code can be used to access the ##TELUS menu referred to in article one.
Shouts to Steve DM for this tidbit!
/nvm/nvm_0005 <--- at address 00000f0 we see the phone's email address
phone#@microbrowser.telusmobility.com **
/ams <-- this looks to be the java dir. Some .jar files here.
/photo <-- here is all the photos. You can download them, a nice workaround
if you are a victim of the story below.
/preload/images <-- all the preloaded images for MMS
/preload/ringer <-- all the preloaded ringers for MMS
That basically does it for the filesystem, only other thing to try is adding
a wallpaper and attempting to upload. Unfortuneately we get exception.
Looking closer this is an error relating the BREW, the program on the phone
designed to handle this sort of thing (so you dont need to use MMS/WAP).
Looking where BREW is supposed to be on the phone, we see the directory is
there /br, but no files. THANKS TELUS. Uploading images manually has had
negative results for me. Even when I overwrite the old files, every time I
go to open them, the phone freezes. A hypothesis for this is enclosed below.
** The 8900 is a very buggy phone. The phone is unstable at best and
inoperable at worst, a combination of poor hardware and modified firmware
(THANKS AGAIN TELUS) contribute to making this phone pretty unstable. An
example: Activating a second hand 8900. The activation processes fine,
however your WAP and MMS will not work. The reason? A memory allocation flaw
in the filesystem disables this. It also has a tendancy to rename incoming
calls (you see the last call's name on the current call's incoming number on
call display). It also affects the numbers of pictures and occaisonally
causes the phone to lock up all together. This memory allocation error is
most likely the cause of the uploaded images crashing the device. The
solution? Telus has a firmware upgrade for the phone for all second hand
users. At last check my Telus dealer had just received it but were unsure of
how to use it without permanently damaging my phone so they told me to come
back.
if you mess up your phone while trying to make your own ring tone for the
phone and send it to it via your computer, don't fret. Delete the directory
file, and it will recreate it after a power cycle. Problem, if you had other
ring tones, you lose them. Possible solution: back up your files first!!
(THANKS STEVE DM!)
So that is it this time around. If you have anything to contribute, you can
email me @ fawkyou420@hotmail.com. A BIG SHOUT TO STEVE DM FOR SOME OF THE
INFO. YOUR HELP IS APPRECIATED AND PROVES YOU DONT HAVE TO BE A UNBERCODER
TO HAVE A LITTLE PHUN AT THE EXPENSE OF TELUS. BWAHAHA.
-TeK-g
FURTHER READING ON THE 8900:
http://www.phonescoop.com/phones/p_forum.php?p=241
http://www.cellphonehacks.com/viewforum.php?f=21
http://cellphoneforums.net/forumdisplay.php?s=d62ebc60bdf2cc9e03038c55cd542c97&forumid=85
http://www.howardforums.com/archive/forum/166-1.html
http://bitpim.sourceforge.net/testhelp/
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
<port9> Is doing well on math assignments supposed to cause guilt^
<theclone> port9, no masturbating with a math text book is
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
Never Whistle While You're Pissing
An in-depth guide to "Cracking Encrypted Intelligence"
PhreakNIC 8 in Nashville, TN on 23 October 2004
aestetix (aestetix@aestetix.net)
http://www.mw2600.org
Introduction
Humans are predictable. There's no questioning this statement: anyone with a
minimal amount of exposure to other humans will attest to this. Telemarketers
have scripts that not only give people information they know will catch their
attention, but already have rebuttals to a wide spectrum of questions that
might be asked. Anyone who's ever worked in sales will comment on a pattern
that emerges on several levels, rush periods varying both in the hours of the
day and the seasons of the year.
For as long as history and human interactions have been recorded, but more
specifically in the last 150 years as technology ballooned with the Industrial
Revolution, these patterns have been noted and incorporated into a plethora of
designs. The study of these patterns coincide almost directly with the desire
to understand how the world works and attempts to answer "the mysteries of
life".
In studying patterns, three main concepts arise: what are these patterns; can
they be replicated or destroyed, once recognized; and once controlled, can they
be used to manipulate the environment? The first question can be restated in
terms of philosophy, political and economical study, and is seen in the most
basic mathematics. The second commonly arises in cryptology (the art of encip-
hering and deciphering encoded messages) and artificial intelligence (AI). The
final idea emerges in neuro-linguistic programming and social engineering tech-
niques.
The title of this talk is meant to be a pun on words: "encrypted intelligence"
refers both to understanding how the human psyche works and subsequently
replicating it in AI, methods which have been used in cryptologic study, and
using the knowledge we've gathered from both spectra to enhance social engin-
eering skills, "crack" the patterns that emerge, and take advantage of our new
insight.
The simple answer is that they actually have a great deal in common, depending
on your view of what AI is supposed to be. By briefly studying cryptologic
history, we can draw several direct links to AI, both in theory and practice.
However, there are many misconceptions about both fields which must be
dispelled before delving further into either spectrum.
Inherent with AI is the classic argument of exactly what constitutes "thought".
A longstanding debate within the AI community (and philosophic community in
general) precludes the question of whether AI can actually exist; the approach
that has been most successful in the last 40 years is to mimic patterns that
simulate intelligence to the point that we lend enough credence to a machine
to cross a specific threshold. In his book Computer Power and Human Reason,
Eliza creator Joseph Weizenbaum goes into detail on this psychology, noting
that people at times became so trustworthy of his psychologist program that
they would actually ask him to leave the room so they could "talk" with the
machine in private.
The great myth of cryptology, especially when considering modern cryptology,
is that security only comes from having the latest, greatest, most up to date
cipher algorithms. Although proper implementation of these would theoretically
make your information more secure, people forget that the true nature of crypt-
ography lies in the key. What's more, computers aside, the most pattern-obfus-
cating system in the world is utterly useless if you forget the key. From my
experience, I've found that the best cryptologists concentrate less on a complex
system and more on trying to understand the people they are hiding information
from and constructing a system that will evade their knowledge. Cryptology is
all about understanding your opposition.
What is Cryptology?
Cryptology is nothing new. The art of creating hidden messages and analysis
thereof has existed since humans started recording information. In many arenas
codes are unintentionally created: for example, the creators of the Greek Linea
B cipher were simply recording information, and it has become a cipher because
their language was lost to history, only revealing itself to people attempting
a linguistic brute force. Anyone who has learned a foreign language is familiar
with slowly analysing a paragraph and watching the meaning unravel as they
identify word relationships.
Cryptology traces its roots back to multiple cultures. Credit for the first
major works written on the subject goes to the Arabs, including Abu an-Nabati
for his "Kitab shauq al-mustaham fi ma'rifat rumuz al-aqlam" ("Book of the
Frenzied Devotee's Desire to Learn About the Riddles of Ancient Scripts")
where he introduces several cipher alphabets. The epitome of Arab cryptologic
knowledge was completed in 1412 by Shihab al-Qalqashandi, who surveyed basic
substitution techniques.
The most primitive and best introductory cipher is the "substitution" cipher,
which involves substituting a familiar symbol with a foreign symbol. Common
examples of this include numeric substitution (A=1, B=2, C=3, etc) and rotation
substitution such as the Caesar cipher, where the cipher text (CT) is the plain
text (PT) rotated three times (A=C, B=D, C=E, etc). There are more complex forms
created to add noise to the cipher, such as multiple letter substitution (A=BCD,
B=FGE, C=DNF) or multiple number substitution (A=234, B=483, C=438). Replacing
one symbol with multiple symbols adds an additional barrier to cryptanalysis.
As was soon discovered, every language has a letter frequency order which arises
with enough writing. English, the current universal language of the world, has
an order beginning with "ETAOIN", where "E" tends to occur 13% of the time, "T"
11%, "A" and "O" 9%, and so on. These percentages will vary slightly with every
text, but the deviation is not significant.
If we were to run a letter frequency analysis on the previous paragraph, the
result would be as follows: E (37 times or 13.6%), T (25 or 9.2%), N (23 or
8.5%), I (22 or 8.1%), A (19 or 7%), and so on. We also must consider that
that was an extremely small paragraph; results become far more tangible when
analyzing an essay or an entire book. This pattern is conspicuous within all
works written in English, and although it varies with other languages, the
principal is still the same.
Another example of patterns emerging through obfuscation comes from the poly-
alphabetic (multiple alphabets) cipher. Originally introduced by Giovanni
Battista Porta as the cipher disk, this cipher was later refined into a
tableau (table) by Blaise de Vigenere and subsequently termed the "Vigenere
Cipher". Here, rather than having a single symbol substitution for each
character, we have an entire alphabet that rotates.
If we look at a cipher disk, we can see two rows of letters: the inner and
outer alphabets. For a simple Caesar cipher, we rotate the inner alphabet
so that the "c" matches the "a" on the outer alphabet, and can translate
the entire CT. With a Vigenere cipher, the inner alphabet is rotated for
-every letter- of the ciphertext. This additional rotation gave the poly-
alphabetic cipher exponential security over the substitution cipher, and
adopted the name "Le Chiffre Indechiffrable" (the undecipherable cipher)
for centuries until it was finally cracked by Charles Babbage, the same
man who created the Difference Engine and who's apprentice, Ada Lovelace,
founded what we know today as computer science.
While at first it seems incredulously impossible, cracking the Vigenere
simply involved a natural derivative of frequency analysis. For a given
polyalphabetic cipher, there is a limited length that the key can be.
Borrowing an example from David Kahn, if we have the ciphertext:
KIOVIEEIGKIOVNURNVJNUVKHVMGZIA
we can see there are certain letter sequence repetitions (underlined) that
occur. With a larger ciphertext, there will obviously be many more places
of repetition, which makes our cracking technique much more reliable.
Assuming the position of the first letter, "K", is 1, and each position
thereafter 2, 3, 4, etc, we can determine the number of letters between
each repetition. For example, the second occurence of KIOV begins at 10,
which signifies a difference of nine letters.
Here's where things get fun: nine factors into 3*3, 9*1, or 1, 3, and 9.
If we do this for each repetition, we'll begin to see patterns in the
numbers involved in the factors. Let's say that 3 is the most commonly
occuring number; we can break the ciphertext up into groups of three:
KIO
VIE
EIG
KIO
VNU
RNV
JNU
VKH
VMG
ZIA
Does this look familiar yet? Try splitting up the columns and looking down.
Think for a moment. How can we apply frequency analysis to this? Each indi-
vidual -column- is a rotation with a single letter for the key, and the keys
for each column join together to form the keyword for the ciphertext! If you
run a frequency analysis on the first column, we'll discover the key is "F",
and "U" and "N" for the next two. Now apply this new key, "FUN", to the ori-
ginal ciphertext, and the secret is revealed: "TOBEORNOTTOBE..." Once again,
we've shown that no matter how obfuscated a message may be, there will always
emerge inescapable patterns which betray it.
There is -one- theoretical cipher that can never be cracked: the one time pad
cipher. This involves setting a completely random key for each letter, aboli-
shing all frequency. This is a derivative of the polyalphabetic cipher, and
the fundamental groundwork for the German Enigma code. The Enigma, originally
devised by the German Arthur Sherbius, is composed of several alphabets set
on rotors hooked into a typewriter and a lightboard. When a key is pressed,
electricity circulates through the rotors, depending on the configuration,
and the resulting ciphertext lights up on the lightboard. There are other
features, such a variable number of rotors and plugs to swap letters, but
this description is sufficient for this paper; if you're interested in more,
read Singh's The Code Book or Kahn's Codebreakers.
Although the Enigma capitalised on abolishing letter frequency (look up the
statistics: the amount of permutations possible is incomprehensible), where
there's a will, there's a way. The team at Bletchley Park in England was
determined to defeat the Nazis, and incorporated the right genii to do it,
a team headed by crypto-god Alan Turing. Turing noticed that the Axis usually
sent weather reports over the telegraph; he started making guesses as to words
they would use to describe the day's weather, and used the correlation between
rotor wheel locations and corresponding letters to unravel an incredible amount
of permutation-- these techniques were incorporated into the Turing "Bombe",
the partner of Colossus and the ancestor of modern computers. To even begin
describing all the techniques the Allies used against the Nazis would require
an entire book in itself; ironically, the mammoth Codebreakers makes little/no
mention of these operations because the British government didn't consider
declassifying them until the mid-70s, and the park wasn't officially declass-
ified until 1987. During this time, many of the original machines had been
lost or destroyed, and Hut 4 where Naval Intelligence operations occured had
been cleared and turned into a cafe-- good food though :)
Now let's look at Artificial Intelligence!
At the end of WW2, because there was no need for cryptanalysts anymore,
Turing started thinking about the machines he had created. Alongside the
automata theories of Descartes (written of in his Discourses) and the rise
of mechanism with the Industrial Revolution, viewing people as machines was
nothing new. However, Turing applied these ideas directly with a method to
determine intelligence: the Turing Test. Originally debuting in his paper
"Computing Machinery and Intelligence", the Turing test involves a person
(A) sitting at a computer recieving questions from both another person (B)
and a computer. If A is fooled into thinking the computer is human, the
computer has passed the test. There are many delimeters to this, and many
questions about the ethics and religious implications which Turing answers
at the end of his paper. The test quickly gained fame, and set the groundwork
for the next two decades of AI research.
In 1958, Marvin Minsky and John McCarthy founded the MIT AI Lab, where over
the next ten years leaps and bounds were had. Two of the most significant
projects were Eliza, the computer psychiatrist created by Joseph Weizenbaum,
and SHRDLU, created by Terry Winograd. Eliza operated on a complex understa-
nding of patterns which emerge in human language, creating realistic responses
that would convince the user that "she" was sentient. Winograd's machine was
an interpreter that could read input text and move blocks around or answer
that it could not obey its instructions and why. Where cryptology for so
long focused on analysing people patterns to destroy them, AI tried to
create systems that could mimic them realisitically enough to fool people.
To truly understand how Eliza works, we first need a good understanding of how
a language (like English) is structured. While there are nitpick exceptions,
a typical sentence is composed of a subject, verb, and direct object. There
also exist descriptory words, like adverbs and adjectives, as well as prepo-
sitions. A proper sentence clause is established with these. For example, if
we have the sentence "Timmy caught the ball", we can insert the clause "who
was running" to get "Timmy, who was running, caught the ball." At first, this
seems like a typical lesson in English, until we apply game theory.
Series exist in two basic forms: recursive transition networks and augmented
transition networks. The first is like a fractal with parameters you set at
the beginning that don't change. Each iteration feeds into another instance,
following the same algorithm. The second is more like a chess game. There
are set rules and limits, but the parameters change with every turn.
Jumping back to language, if we apply these theories to how English is
structured, we can actually view each clause as an instance, and a multi-
clausal sentence can be seen as an iterative game. The structure is the
same (you always have a subject and verb), but the parameters constantly
change (the subject may move from "Timmy" to "he"). The challenge of a
programmer is to understand how these changes work and to code his program
accordingly. In addition, we must understand how the pronouns and subjects
within clausal instances relate back to the original statement.
Sounds easy enough, huh? Amazingly enough, Weizenbaum actually managed to
create a system that could imitate conversation. The system was also prog-
rammed to pick out certain words and ask common questions relating to them.
For example, if it saw the user type the word "sad", it might respond with
"Why are you sad?"
Winograd's system, SHRDLU, was created under the same idea, but with a comp-
letely different response mechanism. Rather than forming its own sentences
and responding in text, it would interpret the user input
and move blocks accordingly. Several challenges came up: what if
someone wrote "PICK UP THE RED BLOCK" and then "PUT IT DOWN"? The
system would have to link the pronoun back to "red" and "block". If
there were more than one red block, it would need to respond by asking
which red block to move, then understand the responce and know to apply it
to the previous statement. With an ironic twitch, SHRDLU was appropriately
named after "ETAOIN SHRDLU", the first ten letters of frequency in the English
language :)
There have been many new developments in the years since, including voice and
handwriting recognition. The intricate details are far too elabourate for this
paper, but their existence capitalizes off the same idea: understanding human
patters and creating a system to mimic them.
Is Your Brain Fried Yet?
Ultimately, we can see that in human language and activity, certain inescapable
patterns exist that will emerge if put under the right eyes. Both cryptology and
artificial intelligence have, at heart, analysis of these patterns. As we saw
with the substitution, polyalphabetic, and Vigenere ciphers, a good cryptosystem
eradicates these patterns as much as possible while still leaving an opening that
only a single key is able to unlock.
While this is held in principal with the theoretical one-time pad cipher,
realistically there will always be ways to pop these keys open. More modern
algorithms tend to rely on prime numbers or insane iterations, substitution
boxes, and elliptical curve cryptography, and many people, including Singh,
feel that the advent of quantum cryptography means the death of cryptanalysis.
To respond to this claim, I recall the words of V1RU5 regarding lockpicking:
they can make the most secure electromagnetic door system possible, but if you
cut the power, it opens right up. In other words, if a system seems secure, it
just hasn't met the proper match yet.
It's much harder to make a blanket statement like that about AI. For one thing,
people can't seem to agree on what AI -is-, should be, or what determines
intelligence versus thought. Some schools throw Godel's proof into the pile,
saying that once a system reaches a certain point of complexity, it can be
considered sentient. Ray Kurzweil wrote an article with an excellent example
where a computer that was about to be disconnected emailed a plea to a lawyer,
who fought a lawsuit on the computer's behalf. Others are more skeptic. John
Searle's Chinese Room Experiment is an excellent example, where he effectively
claims that a computer will never rise above the sum of its parts. However, we
can agree that the same pattern analysis which influenced the development of
cryptology have had a monumental affect on AI progress.
Wait, Wait, Wait... What About Social Manipulation?
If you notice the speaker list, you'll see Johnny Christmas and I are giving a
joint presentation. More accurately, he's covering this because he knows his
shit much better than I do. However, I can list off a few tidbits of NLP I've
learned over the years. First, there's the shit with the eyes. It's fucked up,
it's beyond your control, it kinda shocked me when I first learned about it.
It's a really common trick used by inquisitors: when you're trying to remember
something you -know-, your eyes move to one side of your head, an when you're
trying to make up something, they move to the other side. This is one of the
reasons that good investigators start out questioning with really easy
questions.
Second, men tend to think more in numbers and words, whereas women tend to be
more visual. For example, a guy might not be able to do elementary algebra,
but he can remember 10,000 football stats with no effort. Women prefer to
upkeep appearance, both physical and home. Major newspapers like the New York
Times and Wall Street Journal target industries dominated by men, and
subsequently are filled with long textual articles, while Cosmopolitan and
(insert woman's magazine) tend to be far more visual.
Before I get flaming dog shit thrown at me, this obviously doesn't affect
everyone. I know plenty of respectable businesswomen who read major newspapers
religiously, and guys who are more into Mozart than Joe Montana (like myself).
These are just a few quick examples I could think of... if you want to know
more, ask Johnny Christmas. I've also seen listings for NLP talks at DefCon
and other cons, but I really haven't attended them. Sue me. ;)
Influenced By:
General:
Finite and Infinite Games by James P. Carse
Republic by Plato
The Underground History of American Education by John Taylor Gatto
Cryptology:
The Codebreakers by David Kahn
Crypto by Steven Levy
The Code Book by Simon Singh
Codes, Ciphers, & Other Cryptic & Clandestine Communication by Fred Wrixon
Applied Cryptography by Bruce Schneier
Cryptonomicon by Neal Stephenson
Artificial Intelligence:
Machines that Think by Pamela McCorduck
Computer Power and Human Reason by Joseph Weizenbaum
Discourse on Method by Rene Descartes
Godel, Escher, Bach by Douglas R. Hofstadter
"Computing Machinery and Intelligence" by Alan Turing
Giant Brains by Edmund Berkeley
Understanding Computers and Cognition by Terry Winograd and Fernando Flores
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
<port9> Nausea, heartburn, indigestion. Upset stomach, diarrea. Yay!
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
Another Scam From the Dirty Pigs in Edmonton
MsOgynis
2004.09.23
I got one of those forwards today. You know the ones. It's being sent to every
person in the senders address book. I hate getting these generic emails. It was
just a string of pictures. I expected the usual obscene grouping that amuses the
same type of person that enjoys morning radio shows.
I went through the pictures a couple of times to make sure what I was seeing was
real, and that it was what it said it was. The images depicted police setting up
a garbage can with a photo radar device. The pictures were of inside the garbage
can too, so I was a little suspicious. I checked out what I could online to see
if there was any corroborating evidence that such a thing was going on in my
home town.
I came across a lot of interesting information on how the government in Alberta
has tried to limit the use of these devices, and the police refusing to abide by
these legal decisions, or manipulating the law to best suit their motives.
What motives could the police possibly have outside of enforcing safe driving
habits in the populous? It has been touted in the media as a cash cow, with the
public outraged, but helpless. The police have been making unbelievable amounts
of money through this scam. In 1995, the year Edmonton police first started
implementing photo radar, the city generated $3.5 million. Last year Edmonton
police scammed $15,007,607. That's a significant increase either in speeders or
the use of these systems.
Digging through a few sites that were dedicated to the fight of photo radar in
Alberta, I found this: "In 1999, Lockheed Martin (the company that, at the time,
was taking a significant percentage of each ticket paid by Edmonton citizens)
presented Edmonton city police with an award for their efforts." Lockheed
Martin? You bet! The guys that brought you such innovations as missiles of mass
destruction and the Columbine Massacre are the same ones that developed and made
a cut of many of our speeding tickets.
The images of the garbage can were still unverified anywhere though. I fired off
an email to a guy that runs one of these "photo radar is evil" sites, with the
pictures attached. He wrote back that he had heard of something like this being
tested in Sherwood Park. And, he was right!
"Photo radar operators can snap speeders coming and going with the Can-Cam. The
Sherwood Park prototype, the only one of its kind in North America, is a
four-foot-high metal box which an operator wheels across the street to monitor
traffic travelling in the opposite direction from the photo radar vehicle. So
far, Affiliated Computer Services (ACS), which operates photo radar and red
light cameras in Strathcona County, is just using the Can-Cam on two-lane
streets because provincial legislation requires the operator to visually
identify the speeding vehicle.
Although the Can-Cam doesnt exactly stand out on a boulevard, the operators
post portable photo radar signs to alert the public to the presence of the
camera. Its in the pilot phase and the technology seems to be an effective way
to decrease speeds and make the roads safer." Portable signs that alert the
drivers there may be photo radar. The device looks like any electrical box you'd
see on the side of the street. Up close (in the picture provided) you can see
the wheels, but as a driver going by, you'd never know.
We can sit back and allow our civil liberties be eaten away one by one. Allow
the police to scan your drivers license into a database when you go to a bar.
Allow them to set up cameras to take pictures of you as you drive by. We can
become the USA. Or, fight it. This is a test site, but it will be part of the
regular system soon enough.
Sources:
Sherwood Park News - http://www.sherwoodparknews.com/story.php?id=101006
Edmonton Photo Radar - http://www.members.shaw.ca/halotic/radar/
Government of Alberta - http://www.solgen.gov.ab.ca/policing/radar.aspx?id=2512
Pictures:
http://www.smartestgirls.com/images/photoradar12.gif
http://www.smartestgirls.com/images/photoradar22.gif
http://www.smartestgirls.com/images/photoradar32.gif
http://www.smartestgirls.com/images/photoradar42.gif
http://www.smartestgirls.com/images/can_cam2.gif
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
<Blistov> i wish everyone programmed in assembler.
<Blistov> we could all be content with a screamin fast 486DX
<aestetix> Blistov, in assembly. An assembler is the tool used to assemble
the code.
<port9> haha. Assembler, assembly, ASM. Why is everything argued over when
it comes to the poor language^
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
'Exploiting Telus POTS / Payphone Lines in Calgary, AB.'
Here are some things that do strange things with other things, if that makes any
sense at all, on Telus systems in Calgary, AB (+1403):
Nortel Centurions are bright orange under those black and brown covers which are
fully removable! This is an armour plate - you can access the coin vault from
it but need a key or a lockpick to access the circuits.
777-XXXX:
777 is an area which appears to be assigned mostly to an offsite Meridian PBX
for the CBE; each room in the CBE schools has its own phone number that starts
with 777 as far as I can tell.
However, it is not all assigned to them. 777-9759 and 777-9758 both route to 911
operators. I obviously didnt want to keep scanning there, they would have
figured it out pretty quick.
211:
211 service exists from pots lines and cell phones, but not payphones
Possible exploits:
Here, I believe I may have discovered where Telus is hiding all its diagnostics.
A few things one should know:
- A busy signal is usually Telus telling us that we aren't allowed to do what we
are doing
- It can also mean you got the password wrong
- There is no law against scanning in Alberta, or (I think) any other province.
Stop confusing American state laws with Canadian ones.
Exploit A: Telus 101XXXX codes
The codes assigned to Telus used in Calgary are as follows:
0424: Payphones
0324: Not payphones
If you dial 1010324# from a POTS line, you get a dialtone. If you dial it from
a payphone, the carrier access code is wrong (like it is for every other valid
carrier).
Should you dial 1010424# instead, if you are on a POTS line you will get a busy
signal. If you are on a payphone, it will do one of a few things. It might not
let you call it or just hang up when you do (Millenniums), or tell you that you
aren't authorised to call that number. It will do the same thing if you dial
1010424-0# from a pots line.
Exploit B:
Interestingly enough, if you dial 1010424-1-403-XXX-XXXX from a POTS line,
"your local call is proceeding...". It won't.
Now, should you choose to dial 1010424-1-570-XXX-XXXX from the same phone,
it will be busy. However, if you dial 570XXXXXXX where XXXXXXX is not your
own phone number, the call cannot be completed as dialed.
511XXXXXXXXXX will also be busy. However, it has done strange things in the
past, like given recordings and routed before 10 digits after the 511.
Exploit C:
From a POTS line, dial #XXXXXX. You don't have that feature, apparently -
what feature is this? Probably tests and loops, et cetera.
-- Falcon Kirtaran
10/18/04
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
* theclone virtual-hugs(tm) pontifex
--- theclone gives channel operator status to pontifex
* pontifex virtual-hugs(tm) theclone. (Virtual-hugs(tm) 2.0 Evaluation
Version - 29 days remaining)
<Backspace> I think I have a keygen for that somewhere...
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
Hacking Mircom Technologies Telephone Access Systems
Written by: The Clone
Date: Tuesday October 19, 2004
Web-Site: http://www.nettwerked.net
E-mail: theclone@hackcanada.com
Blending Hacking, Phreaking, Lock Picking,
and Urban Exploration into one phile.
Dedicated to: Hack Canada and Nettwerked.
Representing the Canadian hack / phreak scene
for over 5 years, and to represent forevermore.
Written for: The Fall 2004 Issue of K-1ine Magazine
Table of Contents:
# Introduction / Disclaimer
# Mircom System Features
# Exploiting Mircom Systems
# Conclusion to this Document
Introduction / Disclaimer:
This document is dedicated to subverting the physical and remote security
of the Mircom Telephone Access System, supposedly "uncrackable" machines
widely used across Canada / the United States. Mircom Technologies, the
company that invented these bitches, manufactures a full range of other
security products which include fire control and communication products
dedicated to life safety in the telephone access markets.
In this document you will: learn what the Mircom Telephone Access Systems
are, learn how to administrate the systems, and learn how to use a few
"tricks" I have discovered in order to gain both building access, elevator
control, free long distance telephone calls, and to cause general mayhem
in your community.
Now this is your warning; none of the knowledge you pick up from this
article should EVER be used in practice. Unauthorized access to the
administration functions of a computer controlled system of any kind,
including building security systems is against the law. This file was
simply written as a resource for individuals who want to learn about
the unknown such as what big business and government agencies wish to
keep from the public. This file is written for people sick of ignorance.
If you do not want to use this knowledge as anything but a resource for
your criminal activities, I advise you to STOP reading. Hell, don't stop
reading... I'm not responsible for your behavior and could really care
less that you want to spend the rest of your life rotting in a prison.
Mircom System Features:
The Mircom Technology Building systems range in size, in cost, and of
course in features. Since I didn't feel it absolutely necessary to list
off every single feature of each model, I simply linked to their data
sheet PDF files. Make use of the resources linked off the images. There's
a lot to learn about the models that I could not have possibly put better
myself.
Image: http://www.nettwerked.net/01.jpg (MODEL: MUS-2000SDK)
URL: http://www.mircom.com/catsheets/tas/CAT-6518.pdf
Image: http://www.nettwerked.net/02.jpg (MODEL: MUS-2036K)
URL: http://www.mircom.com/catsheets/tas/CAT-6516.pdf
Image: http://www.nettwerked.net/03.jpg (MODEL: MUS-3140K)
URL: http://www.mircom.com/catsheets/tas/CAT-6517.pdf
Image: http://www.nettwerked.net/04.jpg (MODEL: MUS-1000SDK)
URL: http://www.mircom.com/catsheets/tas/CAT-6519.pdf
Image: http://www.nettwerked.net/05.jpg (MODEL: MUS-1360K)
URL: http://www.mircom.com/catsheets/tas/CAT-6520.pdf
Image: http://www.nettwerked.net/06.jpg (MODEL: MRK-1RK/MRK-1RKS)
URL: http://www.mircom.com/catsheets/tas/CAT-6515.pdf
Image: http://www.nettwerked.net/07.jpg (MODEL: NSL-12K/24K/36K)
URL: http://mircom.com/products/tas/nsl%20kits.htm
Image: http://www.nettwerked.net/08.jpg (MODEL: US-2000 U.S.E.)
URL: http://mircom.com/catsheets/tas/CAT-6521.pdf
Exploiting Mircom Systems:
Lets face it; every physical and remote computer controlled infrastructure
on earth, whether it be some guy's personal computer or some lonely mainframe
in a downtown office is vulnerable in one way or another. Don't be fooled by
the marketing gimmicks being thrown your way by big business conglomerates
out to make a buck on your ignorance. Every single Mircom Physical Security
System around the planet is secured by a company that happened to have leaked
it out to the wrong person. Now you're probably thinking to yourself "Yeah
right, Clone. You're pulling my leg. You can't be telling me Mircom was that
stupid!" Well they were. Now before you get too excited; I'm going to be
straight with you; I will not be publishing the passwords. Don't bother asking
me for the codes, because for all you know I don't even have them - and never
have. But don't fret, my pet, I will let you in on a few interesting secrets
anyways.
Physical Administration:
Mircom Technologies decided the best way to keep landlords and building owners
from permanently getting locked out of administrating their security systems
when they decide to forget their password, was to implement a 10 or 12 digit
override password (factory default) that could work on every model. That way
Joe Nobody has to pay Mircom a nice fat consulting fee every time he gets piss-
drunk and loses the cigarette package he wrote the administration password on.
The fucking hillbilly should have gotten the password tattooed on his ass.
For this particular article I will be using the Mircom TAS-2000 Telephone
Access System (MUS-3140K) as Physical Administration "subject matter".
Now before you jump into finger hacking this system to death, you must, and I
repeat must, *always* check for one of two things; people and cameras. People
are less of a threat, because most of the time they will figure you're just
calling someone you know in the building, and at times will even offer to let
you in the building. External cameras watching the doorway and, depending on
the model and the hardware implementation, a hidden camera (model #: CAM-1)
located inside of the Mircom telephone access system itself may be watching
your every move. If you notice a camera is possibly built into the model of
Mircom you're about to hack, walk away. Come back a few days later and wear
some kind of disguise; such as a head scarf that covers your entire face, or
better yet a balaclava for a more phearsome "I'm gonna 0wn this b1tch!" look.
As you approach the Mircom Telephone Access System you will notice a screen
(unless altered by the administrator) that says: "Mircom - Enter Dial Code"
# To enter the Administration Menu, enter the following code: 9999. Some
older models use 0000.
http://www.nettwerked.net/menu-3.jpg
PHYSICAL ADMIN I.D. MENU
# You will be prompted for the password. Enter that 10 or 12 digit pin code.
(Don't worry the password is asterisked ************ for your "security".)
http://www.nettwerked.net/menu-4.jpg
PHYSICAL ADMIN PASSWORD MENU
What you get access to when you've bypassed the administration login screen:
http://www.nettwerked.net/menu-5.jpg
(Navigation Tip: By pressing "0" on the menu, you enter the option your ">"
cursor is pointed at. To scroll through the options press "#")
You are now at the main menu. If you choose the "Add new record" option you
will then have the ability to add extensions which dial any telephone number
you want. If the building administrator did not set up a toll-block with the
telecom carrier servicing the dedicated line, you can program long distance
numbers including international and 1-900 pay telephone numbers into the
system. So let's assume you have a need to enter into that menu, you will
immediately be brought to this screen which says "Enter Dial Code [____]".
At this point, dial any extension you want to program into the system for
later use; such as 1234.
http://www.nettwerked.net/menu-18.jpg
After you have entered your extension of choice, you will be brought to a
screen that says "Enter Telephone No. [____________]".
http://www.nettwerked.net/menu-19.jpg
This is where you will obviously enter your telephone number of choice.
The next option you have will be "Enter Elevator Code". After you enter
that code, you will be prompted to "Enter Elevator ID". To be honest with
you, I have not yet figured out what this option is for exactly, but I'm
guessing it has something to do with telling the elevator what floor to
bring you to after you've been let in by the extension you called. Or
maybe it has to do with Mircom's "Elevator Restriction Capability". This
option only matters if you have an elevator in the building, and probably
won't be much use to you anyways.
http://www.nettwerked.net/menu-20.jpg
http://www.nettwerked.net/menu-22.jpg
The next option on the table is "Edit Record". Scroll down to this menu
and access it. This menu is one of the most interesting ones because it
will give you the option of viewing what specific extension is bound to
what particular telephone number. This is a great way for you to capture
the private phone number of a certain cute tenant *wink wink* or hated
tenant you might have wanted to harass for some time. You also have the
ability with "Edit Record" to, of course, EDIT which number any extension
calls. Pissed off at someone in your building? Well the next time a loved
one comes to their door to visit, they won't be reached because you edited
the telephone number so that it calls something funny like phone sex or
your favorite pizza delivery company.
http://www.nettwerked.net/menu-23.jpg
http://www.nettwerked.net/menu-24.jpg
Your next option is "Delete Record". This is pretty self-explanatory.
http://www.nettwerked.net/menu-26.jpg
http://www.nettwerked.net/menu-27.jpg
The next option on this menu is "Main Door DTMF". This is the code that
is programmed into the Mircom system which, when triggered by a DTMF tone
will open the door. When you call an extension and the person wants to let
you in, they will (by default) press "9" on their telephone. You can piss
off everyone in the building by changing it to another number. heh heh.
http://www.nettwerked.net/menu-28.jpg
http://www.nettwerked.net/menu-29.jpg
The next option on this menu is "AUX door DTMF". "Aux" means Auxiliary and
is essentially the code for opening a secondary door in the building. If
there is no secondary door for the building, then it is typically left at
the default 9.
http://www.nettwerked.net/menu-30.jpg
Other options include:
Online Timer programming
http://www.nettwerked.net/menu-32.jpg
http://www.nettwerked.net/menu-33.jpg
Enter New Password. You can set a secondary, non-override password for entry
into the Mircom Telecom Access System. If being anonymous is your game, I
would suggest not modifying this menu if a password has already been set by
the administrator. If you change the password, chances are the administrator
is going to wonder why his password doesn't work.
http://www.nettwerked.net/menu-35.jpg
The Set Time and Date on the next menu option.
http://www.nettwerked.net/menu-36.jpg
Display the Time and Date on the next menu option.
http://www.nettwerked.net/menu-38.jpg
http://www.nettwerked.net/menu-37.jpg
You can Sort the directory by Name, by Dial Code (extension), or you can use
the Auto Sort feature.
http://www.nettwerked.net/menu-39.jpg
http://www.nettwerked.net/menu-41.jpg
You can select the language you want the Mircom Telecom Access System to
display. The options: 0=E (English), 1=F (French), 2=S (Spanish), 3=M
(Mandarin).
http://www.nettwerked.net/menu-42.jpg
Set and Enter NSL ID & SPA.
http://www.nettwerked.net/menu-43.jpg
http://www.nettwerked.net/menu-44.jpg
Set and Enter NSLB ID & SPB/SPE.
http://www.nettwerked.net/menu-45.jpg
http://www.nettwerked.net/menu-46.jpg
Set and Enter the Elevator ID and Timer.
http://www.nettwerked.net/menu-47.jpg
http://www.nettwerked.net/menu-52.jpg
Auto-Program the Mircom System.
http://www.nettwerked.net/menu-50.jpg
http://www.nettwerked.net/menu-51.jpg
Set the Mircom System to Tone or Pulse. 0=T (Tone), 1=P (Pulse). Stick
with Tone. Pulse is essentially for rural areas still using rotary
telephones.
http://www.nettwerked.net/menu-54.jpg
http://www.nettwerked.net/menu-55.jpg
Options Menu. Haven't figured out what this does yet. Maybe you can,
and then give me some insight.
http://www.nettwerked.net/menu-56.jpg
http://www.nettwerked.net/menu-57.jpg
Reset - this resets the entire Mircom Telecom Access System. This is
essentially a restart of the software. It will ask you "Are you sure?"
Press * to Cancel, and # to Accept the reset.
http://www.nettwerked.net/menu-58.jpg
http://www.nettwerked.net/menu-59.jpg
Initialize Logging. This starts logging of all keys pressed, including
extensions and keyless entry codes. If you managed to purchase a Modem
Module (model number: MDM-1000) you could "capture" this data and use
it for whatever you wanted; like market research! =)
http://www.nettwerked.net/menu-60.jpg
Luckily for you there is the next option; Init/Erase all data. This
essentially "clears" the logs.
http://www.nettwerked.net/menu-61.jpg
Exit - This exits the Mircom Menu System and thus wraps up my explanation
of the menu options.
http://www.nettwerked.net/menu-62.jpg
(For much larger, high resolution panel images please go to:
http://www.nettwerked.net/mircom-pics.zip)
Mircom Keyless Entry:
# One of the coolest features available on the various Mircom panel models
is the ability to set a keyless entry code for access to the building. Are
you into Urban Exploration? Want to gain access to a building for a little
break and enter? Hate when you lose the keys to your building and get stuck
waiting for someone to enter the building to let you in? All of these reasons
are good enough reasons to set a keyless entry code. To enter the Keyless
Entry Login Menu, enter the following code: 9998. Some older models use 0001.
If you have not managed to successfully bypass the administration menu in all
its 10 to 12 digit hard-to-hack glory, then you will not be able to set your
own keyless code. The next best thing is the ever time consuming Brute Force
Attack!
With a 4 digit keyless entry code, you have 10,000 possible combinations to
try. When you enter the login id (9998 or 0001) you will be asked for a pin
code. When you get the pin code wrong, there will be a 3-5 second delay
before you are brought back to the main menu which shows "Enter the dial
code" on the screen. Try obvious combinations first: 0000, 1234, 2004, 9999,
etc. If those don't work, work your way up; there is a high probability you
will get the correct keyless entry code before trying all 10,000 combinations
- unless of course the administrator didn't set a keyless entry code. Those
silly bastards.
Other ways to open the door for keyless entry:
I've thought of two other ways to get access without physically breaking the
door open or waiting for someone else to let you in. The first way: I noticed
that in some cases misconfigured or inactive extensions for all of the Mircom
Panel models will give you a 0+ operator. In my case Telus is the telco. If
you social engineer a 0+ TOPS/TSPS operator into transferring you to a number
(tell them your telephone keypad is jammed and it's urgent), such as a cell
phone, you could then answer that cell phone and press '9'. The DTMF "9" key
triggers the Mircom box which in turn opens the door when pressed. The other
way to gain access for keyless entry is by blasting DTMF "9" into the voice
mail message of your cell phone or landline beforehand and then when the time
is right, social engineer a 0+ operator and have them transfer you to that
telephone number. The problem with the second trick is that you might have
problems with remote-controlled voice mail systems, such as most versions
of Audix/Octel/Meridian Voice Mail System which stops recording when you hit
any DTMF key on the telephone. Old-school tape recorders which allow you to
record anything (including DTMF) will work fine enough indeed.
A successful door entry hack is shown below in this photograph:
http://www.nettwerked.net/menu-63.jpg
Conclusion to this Document:
This completes another article by yours truly. I expect this document opened
up your eyes to another aspect of hacking and phreaking you might not have
otherwise thought to research and exploit had you not sat down read this fine
piece of modern literature. In conclusion to this article, I just want to say
one thing; don't stop exploring. Don't stop your desire to explore beyond the
boundaries set forth by the powers that be. Get out, play with technology and
make it do something it wasn't intended to do. And don't ever stop sharing
that knowledge with other like-minded individuals. Hackers and phreakers need
to stick together like shit to stink! Peace.
.eof
This document is Copyright © 2004 by Nettwerked Incorporated.
All Rights Reserved.
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
<Pokeon> sooo many people poke me
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
Credits:
Without the following contributions, this 'zine issue would be fairly
delayed or not released. So thank you to the following people [none of
which, besides CYB0RG/ASM, Cybur Netiks, and Tek-g, have mastered the
apparently near-impossible task of 80-column formatting! *GLARE*]:
aestetix, Aftermath, CYB0RG/ASM, Cybur Netiks, Falcon Kirtaran,
Majestic 1/12, MsOgynis, omin0us, sub, TeK-g, and, of course,
The Clone.
Shouts:
CYB0RG/ASM, Fractal, h410G3n, The Question, Phlux, Magma, Hack Canada,
The Grasshopper Unit, port9, Nyxojaele, Ms.O, Tr00per, Flopik, jimmiejaz,
oz0n3, *Senorita Chandelier*, Prologic, Kankraka, Markcore, cyburnetiks,
coercion, H1D30U5, tek, the irc #hackcanada channel, The Nettwerked
Meeting Crew, and the entire (active) Canadian H/P scene.
.:,;itttttii;,:.
:ijLEKW############WKEGfti,.
:jEK############################KL;
.jE###################################WG;
,G#########################################Ei
:G############################################WG.
.f################################################Et
;L#################################################WK:
iW#############WWWWWW###############WWWW##########WWWWD
;W####WWWWW##WWWKKEEDDEKW#########WWKEEEEKKWWW#WW#WWWWWWf
.GWWWWWWWWWWWWKWWKGti;;tGKWWWW####WEGfLLGEEEEEKWWWWWWWWWWW;
;KWWWWWWWWWWWKEEELt;. ,jEWWWWWWKf,:.,;ifLDDDEKKKKWWWWWWWE.
jEWWWWKKKKKKKKEDGft. LWKKWWWE: .;ifGEKKKKKWWWWWWWW,
.GEKKKKKKKKKKKKELft. jKKKWKKD tLDKKKKKKWWWWWKWi
,GEKKKKKKKWKKKKLti: jWWKKKKD. .:fGEKKKKKKWWWWKWj
,GEKKWWWWWWWWEf;: jWKKKKKK; :;fLDKKKKKWWWWKKE.
;DEKWWWWWWWEf;. .DWWWWWWKL :tfLEKWWWWWWWWWf
jDKWWWWWKDj;. .LWWWWWWWWW; :ijLEKWWWWWWWWf
;EKWWKKDfi: ;EWW#####WWWE: .;jLDEKWWWWWWL.
.fWWWDfi;:. ,GWKWW#####WWWWE: :iLGEKWWWWWE:
,GWWKDj,. .jKWKKWW###WWWWWWWD. :,tGEKWWWWD.
.LWWWKDf: .jKWWKKKWWKDGfLEKKKWWEi .jDEKWWWL
iKKKWWKDi ,tEWWKKKKKKGi .iGKKKWKf. .LEKKKKW;
iKKKEKWWWEt. .iDKKKKKKKKKEf: .fEKKKKEGt: GKKKKEEG
;DKKEEEKKWWWWEDLffLLGEWWKKKKKKKKKEt .fEEKKKKKWKGji;;,:... ,fKKKKKEEE:
:LKKEEEEEKKKKKKKKWWKKKEEDDEEKKKKEj ,GEKKEEKWWWWWWWWWKKKKWWWKKKKEED,
;EEEEEEEKKKKEEEKKEEDDGGGEEEEEEEDi ,cYb. ,GGEKEEDEKWWWKKKKKKKKKKKKKEEEEL.
jDDDDEEEEEEEEEEDDGLffGEEEEEEEDDDLGGEKKKKEGfLDEDDEKEDGGDEEEKKKKKKKKKKEEDDDD;
;GDGGGGGGLLLffffjjjGEEEEEKKKWWW#WWWWWWW##WWWWWWWWKEDGLLGGGGDDDDDDDGGLLLGj
.tfffjjttiittttjLDEEEKKKKKWW####WWWWWWWWWWWWWWWWKEEDDLfffffffffjjjjjffi
:;iiiiiiiijLGDEEEEKKKKWWW###WWWKKKKKKKWWWWWWWWEEDDDLffjjttiiiittt;.
,ittjfLGDEEEEEEKKKKKWWWELji,:::::,;tLDEKWKKEEDDEDGLffjtttttti:
,fLLGDEEKKKKKEKKKKKKEj: .:tLDEKEEDEEEEDGLfffffji.
iLGDDEEKKKKKEKKKKKEf. ,fDEEDDEEEEEEGGLLLfj,
jLDEEEEKKKKKKKKEEL. :LDEEDDEEEEKEEDDGL,
.;DEEKKKKKKKKKEED; ,fEEEDEEEEEKKEEDi
LEEKKKKKEEEEEEf :GDDDDDEEEEEEDf
;EEKKEEEEEEEDD; fDDDDDDEEEEDG:
.DEEEEEEEEEEDD: ;DDDDDDDDDDLt
LEEEEEEEEEDDD: :GDDDDDDDDGt:
:GDDDDDDDDDDD. .GEDGGGGGGj
;LGDDDDDDDDD: A LEGGGGGLj.
;fLGDDDDDDE; N E T T W E R K E D ;DGGLLLj:
:tLGDDDDDEj P R O D U C T jDGLLLj.
.;fLGDDDEE: .GGGGLf:
:tLGDDEKj ..;DGGGL;
.tLGDEKG. ::.fDGGGf.
;jGEKK;. :..DDDDGj
jGEKG.. ..;EDDDGi
.jDKK:. ..;GEDEDG,
tEWG.. .. .:.GKEEEDj
LWW;. . :.iKKEEEj
iKWj.. . : LKKEEE,
:KWE. ..KKKEEf
DWW: jWKKKE,
LWWf .. .DWKKKL
jW#E: . iKWKKK;
:WWK;. GWWKKD
DWWi.. .EWKKKj
;KWf .. ,KKKKK,
LKKi ..;DEEKGt
.GDEL;,. :ifDGDEf;
.fGLGGGLLLLLLLGi'
,jffjtttjfj;'
.iLjfff"
