                             ==Phrack Inc.==

               Volume 0x0c, Issue 0x40, Phile #0x01 of 0x11

|=-----------------------------------------------------------------------=|
|=--------------------------=[ Introduction ]=---------------------------=|
|=-----------------------------------------------------------------------=|
|=-------------------=[ By The Circle of Lost Hackers ]=-----------------=|
|=-----------------------------------------------------------------------=|


"As long as there is technology, there will be hackers. As long as there are hackers, there will be PHRACK magazine. We look forward to the next 20 years"

This is how the PHRACK63 Introduction ended, telling everybody that the Staff would change and to expect a release sometime in 2006/2007.

This is that release. This is the new staff, "The Circle of Lost Hackers".

Every new management requires a presentation and we decided to do it by Prophiling ourselves. Needless to say, we'll stay anonymous, mainly for security reasons that everyone understands.

Being anonymous doesn't mean at all being closed. The Phrack staff has always evolved, and will always evolve, depending on who really cares about being a smart-ass. The staff will always receive new people who care about writing cool articles, meeting new authors and helping them publish their work in the best conditions. The guarantee of freedom of speech will be preserved. It is the identity of our journal.

Some people were starting to say that Phrack would never be reborn. That there would never be a PHRACK64 issue. We heard that while we were working on it, we smiled and kept going. Some others were saying that the spirit was lost, that everything was lost.

No, Phrack is not dead. Neither is the spirit in it.

All the past Phrack editors have done great work, making Phrack Magazine "the most technical, most original, the most Hacker magazine in the world", written by the Underground for the Underground.
We are in debt to them; every single hacker, cracker or researcher of the Underground should feel in debt to them. For the work they did. For the spirit they contributed to spread. For the possibility of having a real Hacker magazine.

No, nothing is or was ever lost. Things change, security becomes a business, some hackers sell exploits, others post for fame, but Phrack is here, totally free, for the community. No business, no industry, no honey, baby. Only FREEDOM and KNOWLEDGE.

We know the burden of responsibility that we have and that's why we worked hard to bring you this release. It wasn't an easy challenge at all; we have lost some people during those months and met new ones. We decided to make our first issue without a "real" CFP, but just limit it to the closest people we had in the underground. A big thank you to everyone who participated. We needed to understand who really was involved and who was lacking time, spirit or motivation: giving each one a lot of work to do (writing, reviewing, extending and coding) was the best way to succeed in that.

This is not a "change of direction": next issues will have their official CFP and whatever article is (and has always been) welcome.

We know that we have a lot to learn; we're improving from our mistakes and from the problems we've been facing. As well, we know that this release is not "the perfect one", but we think that the right spirit is there and so is the endeavor. The promise to make each new release a better one is a challenge that we want to win.

No, Phrack is not dead. And it will never die.

Long live PHRACK.
- The Circle of Lost Hackers

[-]=====================================================================[-]

For this issue, we're bringing you the following:

  0x01  Introduction                                   The Circle of Lost Hackers

  0x02  Phrack Prophile of the new editors             The Circle of Lost Hackers

  0x03  Phrack World News                              The Circle of Lost Hackers

  0x04  A brief history of the Underground scene       The Circle of Lost Hackers

  0x05  Hijacking RDS TMC traffic information signal   lcars
                                                       danbia

  0x06  Attacking the Core: Kernel Exploitation Notes  twiz
                                                       sgrakkyu

  0x07  The revolution will be on YouTube              gladio

  0x08  Automated vulnerability auditing in machine    Tyler Durden
        code

  0x09  The use of set_head to defeat the wilderness   g463

  0x0a  Cryptanalysis of DPA-128                       sysk

  0x0b  Mac OS X Wars - A XNU Hope                     nemo

  0x0c  Hacking deeper in the system                   scythale

  0x0d  The art of exploitation: Autopsy of cvsxpl     Ac1dB1tch3z

  0x0e  Know your enemy: Facing the cops               Lance

  0x0f  Blind TCP/IP hijacking is still alive          Lkm

  0x10  Hacking your brain: The projection of          keptune
        consciousness

  0x11  International scenes                           Various

Scene Shoutz:

All the people who helped us during the writing of this issue, especially assad, js, mx-, krk, ceb, sysk. Thank you for your support to Phrack. The magazine deserves a good amount of work and it is not possible without a strong and devoted team of hackers, admins, and coders.

Shouts to the dudes at phneutral: again we failed to come this year but we look forward to contributing to the meeting in the future.

The circle of lost hackers is not a precise entity and people can join and quit it, but the main goal is always to give Phrack the release deserved by the underground hacking community. You can join us whenever you want to present a decent work to a wider range of people. We also need reviewers on all topics related to hardware hacking and body/mind experience.
All the retards who pretend to be blackhat on irc and did a pitiful attempt to leak Phrack on Full-Disclosure: Applause (Even the changes in the title were so subtle, a pity you did not put any rm -fr in the code, maybe you didn't know how to use uudecode?)

Enjoy the magazine!

[-]=====================================================================[-]

Nothing may be reproduced in whole or in part without the prior written permission from the editors.

Phrack Magazine is made available to the public, as often as possible, free of charge.

|=-----------=[ C O N T A C T   P H R A C K   M A G A Z I N E ]=---------=|

  Editors           : circle[at]phrack{dot}org
  Submissions       : circle[at]phrack{dot}org
  Commentary        : loopback[@]phrack{dot}org
  Phrack World News : pwn[at]phrack{dot}org

|=-----------------------------------------------------------------------=|

Submissions may be encrypted with the staff's PGP key. (Hint: Always use the PGP key from the latest issue.)

phrack:~# head -22 /usr/include/std-disclaimer.h
/*
 *  All information in Phrack Magazine is, to the best of the ability of
 *  the editors and contributors, truthful and accurate.  When possible,
 *  all facts are checked, all code is compiled.  However, we are not
 *  omniscient (hell, we don't even get paid).  It is entirely possible
 *  something contained within this publication is incorrect in some way.
 *  If this is the case, please drop us some email so that we can correct
 *  it in a future issue.
 *
 *
 *  Also, keep in mind that Phrack Magazine accepts no responsibility for
 *  the entirely stupid (or illegal) things people may do with the
 *  information contained herein.  Phrack is a compendium of knowledge,
 *  wisdom, wit, and sass.  We neither advocate, condone nor participate
 *  in any sort of illicit behavior.  But we will sit back and watch.
 *
 *
 *  Lastly, it bears mentioning that the opinions that may be expressed in
 *  the articles of Phrack Magazine are intellectual property of their
 *  authors.
 *  These opinions do not necessarily represent those of the Phrack Staff.
 */

-EOF-

                             ==Phrack Inc.==

               Volume 0x0c, Issue 0x40, Phile #0x02 of 0x11

|=-----------------------------------------------------------------------=|
|=--------------------------=[ Phrack Pro-Phile ]=-----------------------=|
|=-----------------------------------------------------------------------=|
|=-------------------=[ By The Circle of Lost Hackers ]=-----------------=|
|=-----------------------------------------------------------------------=|


Welcome to Phrack Pro-Phile. Phrack Pro-Phile is created to bring info to you, the users, about old and highly important controversial people. The first Phrack Pro-Phile was created in Phrack Issue 4 by Taran King. Since that date, a total of 43 profiles have been published. Some well-known hackers were profiled, like Taran King, The Mentor, Knight Lightning, Lex Luthor, Emmanuel Goldstein, Erik Bloodaxe, Control-C, Mudge, Aleph-One, Route, Voyager, Horizon or more recently Scut.

This prophile is probably a little different since it will introduce the new staff. Since the people composing The Circle of Lost Hackers want to stay anonymous, the Prophile will be more a "question-answer" prophile.

--------------------------------------------------------------------------

Personal
--------

Handle: The Circle of Lost Hackers
Call them: call them what you want, just be careful
Handle Origin: Dead Poets Society movie
Date of Birth: from 1977 to 1984
Age at current date: haha
Countries of origin: America, South-America and Europe

-------------------------------------------------------------------

Favorite Things
---------------

Women    : Angelina Jolie because she was a great hacker in a movie
Cars     : Like everyone, the DeLorean. The only nice car in the world.
Foods    : Italian food is without a doubt the best food. Some others prefer Chinese or Japanese once they've tasted Yakitori.
Alcohols : anything which makes you drunk
Drugs    : sex
Music    : Drum and Bass, Sublime, Orbital, Red Hot Chili Peppers, DJ Shadow, The Chemical Brothers, The Mars Volta, more generally death metal, and gothic rock. Abstract electro bands like Boards of Canada.
Movies   : Blade Runner, The Usual Suspects, Fight Club, Kill Bill, hackers (private joke)
Authors  : Gurdjieff, Rudolf Steiner, Rupert Sheldrake, Plato, Stephen Hawking, Roger Penrose, George Orwell, Noam Chomsky, Sun Tzu, Nikola Tesla, Douglas Hofstadter, Ernesto Guevara, Daniel Pennac, Gabriele Romagnoli

----------------------------------------------------------------------------

Open Interview
--------------

Q: Hello
A: Saluto amigo!

Q: Can you introduce yourselves in a few words?
A: The Circle of Lost Hackers is a group of friends overall. Two years ago when TESO decided to stop Phrack, the voice of the underground decided not to let Phrack die. People started to wonder... is Phrack really dead? In no way it is. Phrack is reborn, always, from the influence of multiple hacking crews which make this possible. But at the beginning it was not easy to create a new team; a lot of people agreed to continue Phrack but not really to write or review articles. Also, one of the most important things was to have people with the good spirit. Now we think that we have a good team and we hope to bring to the Underground scene a lot of quality papers like in old issues of Phrack, while keeping the technical touch that makes Phrack a unique hacking magazine. The Phrack staff evolves and will always evolve as new talents get interested in sharing for fun and free information.

Q: How many people compose The Circle of Lost Hackers?
A: We could tell you, but we would have to kill you, after. The only important thing is that "The Circle of Lost Hackers" is not a restricted club. More people will join us, others may leave, depending on who really believes in communication, hacking and freedom of research and information.
Q: When did you start to play with computers and to learn hacking?
A: Each one of us could answer differently. There's not a "perfect" age to start, nor is it ever too late to start. Hacking is researching. It is being so obstinate about resolving and understanding things that you spend nights over a piece of code, a vulnerability, an electronic device, an idea. Hacking is something you have inside; maybe you'll never take a computer or write code, but if you've a "hacking mind" it will reveal itself, sooner or later. To give you an idea of the first computers of some members of the team, it was a 286, a 486 SX or an Amiga 1000. Each of us started to play with computers at the end of the '80s or beginning of the '90s. The hacking life of our team started more or less around '97. Like with a lot of people, Phrack and 2600 mag were and are a great source of inspiration, as well as IRC and reading source code.

Q: This interview is quite strange, you do the questions and the answers at the same time?!?!
A: What's the problem? In Phrack issue 20 Taran King did a prophile of himself!!!

Q: Can you tell us what is your most memorable experience?
A: Each of us has a lot of memorable experiences but we don't really have a common experience where we hacked all together. So to make it easy we are going to take three of our "memorable" experiences.

1. A subtle modification of p0f which made me find documents that I wasn't supposed to find.

Some years ago, I had a period when each month I tried to focus on the security of one country. One of those countries was South Korea, where I owned a big ISP. After spending some time figuring out how I could leave the DMZ and enter the LAN, I succeeded thanks to a Cisco modification (I like default passwords). Once in the LAN and after hiding my activity (userland > kernelland), I installed a slightly modified version of p0f.
The purpose of this version was to scan automatically all the Windows boxes found on the network, mount shared folders and list all files in these folders. Nothing fantastic. But one of the computers scanned contained a lot of files about the other Korea... North Korea. And trust me, there were files that I wasn't supposed to find. I couldn't believe it. I could have played the evil guy and tried to sell these files for money, but I had (and I still have) a hacker ethic. So I simply added a text file on the desktop to warn the user of the "flaw". After that I left the network and I didn't come back. It was more than 5 years ago so don't ask me the name of the ISP, I can't remember.

2. Learning hacking by practice with some of the best hackers world-wide.

Sometimes you think you know something but it's almost always possible to find someone who proves you the opposite. Whether we talk about hacking a very big network with many thousands of accounts and knowing exactly how to handle this in minutes in the stealthiest manner, or about auditing source code and finding a vulnerability in a daemon server or Operating System used by millions of people on the planet, there is always someone to be found that outsmarts you, when you thought you were one of the best in what you are doing. I do not want to enter into detail to avoid compromising anyone's integrity, but the best experiences are those made of small groups (3, 4 ..) of hackers, working on something in common (hacking, exploits, coding, audits ..), for example in a screen session. Learning by seeing the others do. Teaching younger hackers. Sharing knowledge in a very restricted personal area. Partying in private with hackers from all around the world and getting 0day found, coded, and used in a single hacking session.

Q: Has one of you been busted in a previous life?
A: Hope not, but who knows?

Q: What do you think about the current scene?
A: We think a lot of things; probably the best answer is to read the article "A brief history of the Underground" in this issue, where we talk about the scene and the Underground.

Q: What's your opinion about old Phracks?
A: Great. Old Phracks were the first source of information when we were starving for more to learn. _The_ point of reference. But don't limit yourselves to the last 10 issues, all issues are still interesting.

Q: And about PHC?
A: Well, that's an interesting question. To be honest, PHC did not just do those bad things we were used to learning about from the web or irc; we like some of them and even know very well a few others. Also, the two attempted issues 62 and 63 of PHC had an incontestable renewal in the spirit and there was even some useful information on honeypots and protecting exploits. However, we have a problem with unjustified arrogance. If it's true the security world has a problem with white/black hats, we think that the good way to resolve the problem is not to fight everyone, especially in such a poor demonstrative way. It's not our conception of hacking. Take the first 20 issues of Phrack and try to find an unjustified arrogant word/sentence/paragraph: you won't find any. The essence of hacking is different: it's learning. Hacking to learn. You can be a blackhat and work in the IT industry, it's not incompatible. We have nothing against PHC and we think the Underground needs a group like PHC. But the Underground needs a magazine like Phrack as well. The main battle of PHC is fighting whitehats but it's not Phrack's battle. It has never been the purpose of Phrack. If we have to fight against something, it's against the society and not targeting whitehats personally (that doesn't mean that we support whitehats...). Phrack is about fighting the society by releasing information about technologies that we are not supposed to learn. And these technologies are not only Unix-related and/or software vulnerabilities.
We agree with them when they say that recent issues of Phrack probably helped the security industry too much and that there was a lack of spirit. We're doing our best to change it. But we still need technical articles. If they want to change something in the Underground, they are welcome to contribute to Phrack. Like everyone in the Underground community.

Q: Full-disclosure or non-disclosure?
A: Semi-disclosure. For us, obviously. Free exchange of techniques, ideas and code, but not ready-to-use exploits, nor ready-to-patch vulnerabilities. Keep your bugs for yourself and for your friends, do your best not to let them leak. If you're cool enough, you'll find many and you'll be able to patch your boxes. Disclosing techniques, ideas and code implementations helps the other Hackers in their work; disclosing bugs or releasing "0-day" exploits helps only the Security Industry and the script kiddies. And we don't want that. You might be an Admin, you might be thinking: "oh, but my box is not safe if I don't know about vulnerabilities". That's true, but remember that if only very skilled hackers have a bug you won't have to face a "rm -rf" of the box or a web defacement. That's the kiddies' game, not the Hackers' one. But that's our opinion. You might have a totally different one and we will respect it. You might even want to release a totally unknown bug on Phrack's pages and, if you write a good article, we'll help you in publishing it. Maybe discussing the idea, before. As we said in the introduction, the first thing we want to guarantee is freedom of speech. That's the identity of our journal.

Q: What's the best advice that you can give to the new generation of hackers?
A: First of all, enjoy hacking. Don't do it for fame or to earn more money, nor to impress girls (hint: it doesn't always work ;)) or only to be published somewhere. Hack for yourself, hack for your interest, hack to learn. Second, be careful. In everything you do, in any relationship you'll have.
Respect people and try not to disrupt their work only because you're distracted or angry. Third, have fun. Have a lot of fun. And never, never, never set up a honeypot (hi Lance!).

Q: What do you think about starting an Underground World Revolution Movement against the establishment?
A: Do it. But do it Underground. The nowadays world is too obsessed by "visibility". Act, let the others talk.

Q: What's the future of hacking?
A: The future is similar to the present and to the past. "Hacking" is the resulting mix of curiosity and research for information, fun and freedom. Things change, security evolves and so does technology, but the "hacker-mind" is always the same. There will always be hackers, that is skilled people who want to understand how things really go. To be more concrete, we think that the near future will see way more interest in hardware and embedded systems hacking: hardware chip modification to circumvent hardware-based restrictions, mobile and mobile services exploits/attacks, etc. Moreover, it seems like more people are hacking for money (or, at least, that's more "publicly" known), selling exploits or backdoors. Money is usually the source of many evils. It is indeed a good motivating factor (moreover hacking requires time and having that time paid when you don't have any other work is really helpful), but money brings with itself the business mind. People who pay hackers aren't interested in research, they are interested in business. They don't want to pay for months of research that lead to a complex and eleet technique, they want a simple php bug to break into other companies' websites and change the homepage. They want visible impact, not evolved culture. We're not for the "hacking-business" idea, you probably realized that. We're not for exploit disclosure either, unless the bug has already been known for some time and showing the exploit code would let people better understand the coding techniques involved.
And we don't want someone with a lot of money (read: governments and big companies) to be one day able to "pay" (and thus "buy") all the hackers around. But we're sure that that will never happen, thanks to the underground, thanks to people like you who read Phrack, learn, create and hack independently.

Q: Do you have some people or groups to mention?
A: There are groups and people who have made (or are making) the effective evolving of the scene. We try to tell a bit of their story in the "International Scenes" phile (starting from this issue with: Quebec, Brazil and France). Each country has its story: Italy has s0ftpj and antifork, Germany has TESO, THC and Phenoelit (thanks for your great ph-neutral party), Russia, France, Netherlands, or Belgium have ADM, Synnergy, or Devhell, USA and other countries have PHC... Each one will have its space in "International Scenes". If you're part of it, if you want to tell the "real story", just submit us a text. If you are too paranoid to submit a tfile to Phrack, it's ok. If you wish to participate in the underground information, our journal is your journal as well and we can find a solution that keeps you anonymous.

Q: Thank you for this interview, I hope readers will enjoy it!
A: No problem, you're welcome. Can I have a beer now?
--EOF--

                             ==Phrack Inc.==

               Volume 0x0c, Issue 0x40, Phile #0x03 of 0x11

|=-----------------------------------------------------------------------=|
|=-------------------------=[ Phrack World News ]=-----------------------=|
|=-----------------------------------------------------------------------=|
|=-------------------=[ By The Circle of Lost Hackers ]=-----------------=|
|=-----------------------------------------------------------------------=|


The Circle of Lost Hackers is looking for any kind of news related to security, hacking, conference reports, philosophy, psychology, surrealism, new technologies, space war, spying systems, information warfare, secret societies, ... anything interesting! It could be simple news with just a URL, a short text or a long text. Feel free to send us your news.

Again, we need your help for this section. We can't know everything, we try to do our best, but we need you ... the scene needs you... humanity needs you... even your girlfriend needs you but you should already know this... :-)

  1. Speedy Gonzales news
  2. One more outrage to the freedom of expression
  3. How we could defeat the Orwellian Narus system
  4. Feeling safer in a spying world
  5. D-Wave computing demonstrates a quantum computer

--------------------------------------------

--[ 1. Speedy Gonzales News

-Speedy News-[ There is no age to start hacking ]--
http://www.dailyecho.co.uk/news/latest/display.var.1280820.0.how_girl_6_hacked_into_mps_commons_computer.php

-Speedy News-[ Eeye hacked ? ]--
http://www.phrack.org/eeye_hacked.png

-Speedy News-[ Anarchist Cookbook ]--
The anarchist cookbook version 2006, be careful...
http://www.beyondweird.com/cookbook.html

-Speedy News-[ Is Hezbollah better than Israeli militants? ]--
http://www.fcw.com/article96532-10-19-06-Web

-Speedy News-[ How to be secure like an 31337 DoD dude ]--
https://addons.mozilla.org/en-US/firefox/addon/3182

-Speedy News-[ Hi I'm Skyper, ex-Phrack and I like Phrack's design! ]--
http://conf.vnsecurity.net/cfp2007.txt

-Speedy News-[ The most obscure company in the world ]--
http://www.vanityfair.com/politics/features/2007/03/spyagency200703?printable=true&currentPage=all
A "MUST READ" article...

-Speedy News-[ Terrorism excuse Vs freedom of information ]--
http://www.usatoday.com/news/washington/2007-03-13-archives_N.htm

-Speedy News-[ Zero Day can happen to anyone ]--
http://www.youtube.com/watch?v=L74o9RQbkUA

-Speedy News-[ NSA, contractors and the success of failure ]--
http://www.govexec.com/dailyfed/0407/040407mm.htm

-Speedy News-[ Blood, Bullets, Bombs, and Bandwidth ]--
http://rezendi.com/travels/bbbb.html

-Speedy News-[ The day when the BBC predicted the future ]--
http://www.prisonplanet.com/articles/february2007/260207building7.htm

-Spirit News-[ Just because we like these websites ]--
http://www.cryptome.org/
http://www.2600.com/


--[ 2. One more outrage to the freedom of expression

by Napoleon Bonaparte

The distribution of a book containing a copy of the Protocols of the Elders of Zion was stopped in Belgium and France by Israeli lobbyists. The authors advance that the bombing of the WTC could be related to Israel. It's not the right place to argue about this statement, but what is interesting is that 6 years after 11/09/01 we have read probably more than 100 theories about the possible authors of the WTC bombing: Al Qaeda, Saudi Arabia, Iraq (!) or even Americans themselves.
But this book advances the theory that _maybe_ there is something with Israel and its distribution is forbidden, just one month after its release. Before releasing this book, the Belgian association antisemitisme.be read it to give its opinion. The result is apparent: the book is not antisemitic. The only two things that could be antisemitic in this book are:

- the reproduction of "The Protocols of the Elders of Zion" in the annex of the book. If you take a look on Amazon, you can find more than 30 books containing The Protocols.

- the cover of the book, which shows the US and Israeli flags linked with a bundle of dollars. Actually you can find the same kind of picture on the website of the Americo-Israeli company Zionoil: http://www.zionoil.com/ . And the cover of the book was designed before the author found the same picture on Zionoil's website.

Also, something unsettling in this story is that the book was removed on the insistence of a Belgian politician: Claude Marinower. And on the website of this politician, we can see him with Moshe Katsav, who is the president of Israel and was recently accused by Attorney General Meni Mazuz of having committed rape and other crimes...

http://www.claudemarinower.be/uploads/ICJP-israelpresi.JPG

So why was the distribution of this book banned? Because the diffusion of "The Protocols of the Elders of Zion" is dangerous? Maybe but... You can find on the Internet or Amazon some books like "The Anarchist Cookbook" which is really more "dangerous" than "The Protocols of the Elders of Zion". In this book you can find some information like how to kill someone or how to make a bomb. If we had to give our children either "The Anarchist Cookbook" or "The Protocols of the Elders of Zion", I'm sure that 100% of the population would prefer to give "The Protocols of the Elders of Zion". Simply because it's not dangerous. So why? Probably because there are some truths in this book.
The revelations in this book are not only about 11/09/2001 but also about the Brabant massacres in Belgium from 1982 to 1985. The authors advance that these massacres were linked to the GLADIO/stay-behind network.

As Napoleon Bonaparte said: "History is a set of lies agreed upon". He was right...

[1] http://www.antisemitisme.be/site/event_detail.asp?language=FR&eventId=473&catId=26
[2] http://www.ejpress.org/article/14608
[3] http://www.wiesenthal.com/site/apps/nl/content2.asp?c=fwLYKnN8LzH&b=245494&ct=2439597
[4] http://www.osservatorioantisemitismo.it/scheda_evento.asp?number=1067&idmacro=2&n_macro=3&idtipo=59
[5] http://ro.novopress.info/?p=2278
[6] http://www.biblebelievers.org.au/przion1.htm


--[ 3. How we could defeat the Orwellian Narus system

by Napoleon Bonaparte

AT&T, Verizon, VeriSign, Amdocs, Cisco, BellSouth, Top Layer Networks, Narus, ... all these companies are inter-connected in our wonderful Orwellian world. And I don't even talk about companies like Raytheon or others involved in "ECHELON".

That's not new, our governments spy on us. They eavesdrop on our phone conversations, our Internet communications, they take beautiful photos of us with their imagery satellites, they can even see through walls using reconnaissance satellites (Lacrosse/Onyx?), they install cameras everywhere in our cities (how many cameras in London???), RFID tags are more and more present and with upcoming technologies like nanotechnologies, bio-informatics or smart dust systems there is really something to worry about.

With all these systems already installed, it's utopian to think that we could come back to a world without any spying system. So what can we do? Probably not a lot of things. But I would like to propose a funny idea about NARUS, the system allowing governments to eavesdrop on citizens' Internet communications.

This short article is not an introduction to Narus. I will just give you a short description of its capacities.
A longer article could be written in a next release of Phrack (any volunteer?).

So Narus is an American company founded in '97. The first work of NARUS was to analyze IP network traffic for billing purposes. In order to accomplish this they have strongly contributed to the standardization of the IPDR Streaming Protocol by releasing an API Code [1] (study this doc, it's a key to break NARUS). Nowadays, Narus is also included in what I will call the "spying business". According to its authors, it can collect data from links, routers, soft switches, IDS/IPS, databases, ..., normalize, correlate, aggregate and analyze all these data to provide a comprehensive and detailed model of users, elements, protocols, applications and network behaviors. And the most important: everything is done in real time. So all your e-mails, instant messages, video streams, P2P traffic, HTTP traffic or VOIP can be monitored. And they don't care about which transmission technology you use, optical transmission can also be monitored. This system is simply amazing and we should send our congratulations to its designers. But we should also send our fears...

If we want to block Narus, there is an obvious way: using cryptography. Nowadays, it's quite easy to send an encrypted email. You don't even have to worry about your email client, everything is transparent (once configured). The problem is that you need to give your public key to your interlocutor, which is not really "user friendly". Especially if the purpose is simply to send an email to your girlfriend. But it's still the best solution to block a system like Narus. Another way to block Narus is to use steganography, but it's more complicated to implement. In conclusion, there is no way to totally stop a system like Narus and the only good way to block it is to use cryptography.

But we, hackers, can do something against Narus. Something funny. The idea is the following: we should know where a Narus system is installed!
First step. An organization, a country or simply someone should buy a Narus system and reverse it. There are a lot of tools to reverse a system, free or commercial. Since the purpose of Narus is to analyze data, the main task is parsing data. And we know that systems parsing data are the most sensitive to bugs. So a first idea could be to fuzz it with random requests and if it doesn't work do some reversing. Once a bug is detected (and for sure, there IS at least one bug), the next step is to exploit it. Difficult task but not impossible.

The most interesting part is the next one: the shellcode. There are two possibilities: either the system where Narus is installed has an outgoing Internet connection or it doesn't. If not, the shellcode will be quite limited, the "best" idea is maybe just to destroy the system but it's not useful. What is useful is when Narus is installed on a system with an outgoing Internet connection. We don't want a shell or something like that on the system, what we want is to know where a Narus system is installed. So what our shellcode has to do is just send a ping or a special packet to a server on the Internet to say "hello, a Narus is installed at this place". We could hold a database with all the Narus systems we discover in the world.

This idea is probably not very difficult to implement. The only bad thing is that if we release the vulnerability, it won't take a long time for Narus to patch it. But after all, what else can we do? Again, as Napoleon said: "Victory belongs to the most persevering". And hackers are...

[1] http://www.ipdr.org/public/DocumentMap/SP2.2.pdf


--[ 4. Feeling safer in a spying world

    by Julius Caesar

At first, it's subtle. It just sneaks up on you. The only ones who notice are the paranoid tinfoil hat nutjobs -- the ones screaming about conspiracies and big brother. They take a coincidence here and a fact from over there and come up with 42. It's all about 42.
We need cameras at ATM machines, to catch robbers and muggers. Sometimes they even catch a shot of the Ryder truck driving by in the background. People get mugged in elevators, so we need some cameras there too. Traffic can be backed up for a while before the authorities notice, so let's have some cameras on the highway. Resolution gets better, and we can catch more child molesters and terrorists if they can record license plates and faces. Cameras at intersections catch people running red lights and speeding. We're getting safer every day. Some neighborhoods need cameras to catch the hoods shooting each other. Others need cameras to keep the sidewalks safe for shoppers. It's all about safety.

Then one day, the former head of the KGIA is in charge, or arranges for his dimwitted son to fuck up yet again as president of something. Soon, we're at war. Not with anyone in particular. Just Them. You're either with us, or you're with Them, and we're gonna git Them. Our phone calls need to be monitored, to make sure we're not one of Them. Our web browsing and shopping and banking and reading and writing and travel and credit all need to be monitored, so we can catch Them. We'll need to be searched when travelling or visiting a government building because we might have pointy metal things or guns on us. We don't want to be like Them.

It's important to be safe, but how can we tell if we're safe or not? What if we wander into a place with no cameras? How would we know? What if our web browsing isn't being monitored? How can we make sure we're safe?

Fortunately, there are ways. Cameras see through a lens, and lenses have specific shapes with unique characteristics. If we're in the viewing area of a camera, then we are perpendicular to a part of the surface of the lens, which usually has reflective properties. This allows us to know when we're safely in view of a camera. All it takes is a few organic LEDs and a power supply (like a 9V battery).
Arrange the LEDs in a circle about 35mm in diameter, and wire them appropriately for the power supply. Cut a hole in the center of the circle formed by the LEDs. Now look through the hole as you pan around the room. When you're pointing at a lens, the portion of the curved surface of the lens which is perpendicular to you will reflect the light of the LEDs directly back at you. You'll notice a small bright white pinpoint. Blink the LEDs on and off to make sure it's reflecting your LEDs, and know that you are now safer.

Worried that your Internet connection may not be properly monitored for activity that would identify you as one of Them? There are ways to confirm this too. Older equipment, such as Carnivore or DCS1000, could often be detected by traceroute, where it would show up as an odd hop on your route to the net. As recently as 2006, AT&T's efforts to keep us safe showed up with traceroute. But the forces of Them have prevailed, and our protectors were forced to stop watching our net traffic. Almost.

We can no longer feel safe when seeing that odd hop, because it doesn't show up on traceroute anymore. It will, however, show up with ping -R, which requests every machine to add its IP to the ping packet as it travels the network. First, do a traceroute to find out where your ISP connects to the rest of the net:

    [snip]
     5  68.87.129.137 (68.87.129.137)  28.902 ms  14.221 ms  13.883 ms
     6  COMCAST-IP.car1.Washington1.Level3.net (63.210.62.58)  19.833 ms  *  21.768 ms
     7  te-7-2.car1.Washington1.Level3.net (63.210.62.49)  19.781 ms  19.092 ms  17.356 ms

Hop #5 is on Comcast's network. Hop #6 is their transit provider. We want to send a ping -R to the transit provider (63.210.62.58):

    [root@phrack root]# ping -R 63.210.62.58
    PING 63.210.62.58 (63.210.62.58) from XXX.XXX.XXX.XXX : 56(124) bytes of data.
    64 bytes from 63.210.62.58: icmp_seq=0 ttl=243 time=31.235 msec
    NOP
    RR:     [snip]
            68.87.129.138
            68.86.90.90
            4.68.121.50
            4.68.127.153
            12.123.8.117

    117.8.123.12.in-addr.arpa. domain name pointer sar1-a360s3.wswdc.ip.att.net.

An AT&T hop on Level3's network? Wow, we are still safely under the watchful eye of our magnificent benevolent intelligence agencies. I feel safer already.


--[ 5. D-Wave demonstrates a quantum computer

    by aris

On February 13th, 2007, D-Wave made a public demonstration of their brand-new quantum computer, which could be a revolution in computing and in cryptography in general. The demonstration took place at Mountain View, Silicon Valley, though the quantum computer itself was left at Vancouver, remotely connected by Internet.

The quantum computer is a hybrid construction of classical computing and a quantum "accelerator" chip: the classical computer makes the ordinary operations, isolates the complicated stuff, prepares it to be processed by the quantum chip, then gives back the results. The whole mechanism is meant to be usable over networks (with RPC) to be accessible for companies that want a quantum computer but can't manage to handle it at their main office (the hardware has special requirements). [1]

The quantum chip is a 16 Qbit engine, using superconducting electronics. Previous tries to build quantum computers were made, none of them known to have more than 3 or 4 Qbits. D-Wave also claims to be able to scale that number of Qbits up to 1024 in 2008! That fact made a lot of people in the scientific area skeptical about the claims of D-Wave. The US National Aeronautics and Space Administration (commonly known as NASA) confirmed to the press that they've built the special chip for D-Wave conforming to their specifications. [2]

Now, how does the chip work? D-Wave hasn't released that many details about the internals of their chip. They have chosen superconductors because it makes it easier to exploit quantum mechanics. When atoms are very cold (approaching 0K), they transform themselves into superconducting atoms.
They have special characteristics, including the fact that their electrons get a different quantum behaviour.

Internally, the chip contains 16 Qbits arranged in a 4x4 grid, each Qbit being coupled with its four immediate neighbors and some in the diagonals. [3] The coupling of Qbits is what gives them their power: a Qbit is believed to be in two states at the same time. When coupling two Qbits, the combination of their states contains four states, and so on. The more Qbits are coupled together, the more possible states they have, and when working an algorithm on them, you manipulate all of their states at once, giving a very important performance boost. By its nature, it may even help to resolve NP-Complete problems, that is, problems that cannot be resolved by polynomial algorithms (we think of large sudoku maps, multivariate polynomial systems, factoring large integers ...). Not coupling all of their Qbits makes their chip easier to build and to scale, but their 16 Qbit computer is not equal to the theoretical 16 Qbit computers academics and governments have been trying to build for years.

The impact of this news on the world is currently minimal. Their chips currently work slower than a low-range personal computer and cost thousands of dollars, but maybe in some years it will become a real solution for solving NP problems.

The NP problem that most people involved in security know is obviously the factoring of large numbers. We even have a proof that there exists a *linear* algorithm to factorize a multiple of two large integers, it is named Shor's algorithm. It means that when we'll have the hardware to run it, factorizing a 1024 bit RSA private key will only take two times the time needed to factorize a 512 bit key. It completely destroys the security of public key cryptography as we know it now. Unfortunately, we have no information on which known quantum algorithms run on the D-Wave computer, and D-Wave made no statement about running Shor's algorithm on their beast.
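The reduction behind Shor's algorithm that the paragraph above refers to, as an added example that is not from the original article: factoring N is reduced to finding the multiplicative order r of a base a modulo N, and only that order-finding step is what the quantum hardware would do. Here the order is found by brute force, a classical stand-in that only works for tiny moduli, so the script shows the surrounding arithmetic rather than the quantum speed-up itself. The function names and the sample moduli 15 and 21 are my own choices for illustration.

```python
"""Classical half of Shor's factoring algorithm (added example, not from the article).

Shor's algorithm reduces factoring N to finding the multiplicative order r of
a base a modulo N (the smallest r > 0 with a^r = 1 mod N).  Only that
order-finding step runs on quantum hardware; everything around it is ordinary
arithmetic, shown here.  The order finder below is a brute-force stand-in that
walks a, a^2, a^3, ... until it wraps around, so the script is only practical
for tiny moduli.  Function names and sample values are constructed for
illustration.
"""
from math import gcd
from typing import Optional, Tuple
import random


def multiplicative_order(a: int, n: int) -> int:
    """Smallest r > 0 with pow(a, r, n) == 1.  Requires gcd(a, n) == 1.

    This is the step a quantum computer would replace: brute force needs up to
    n multiplications, which is exponential in the bit length of n.
    """
    if gcd(a, n) != 1:
        raise ValueError("a and n must be coprime for an order to exist")
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int, a: int) -> Optional[int]:
    """Return a nontrivial factor of n derived from base a, or None if a is unlucky."""
    if n % 2 == 0:
        return 2
    g = gcd(a, n)
    if g != 1:
        return g                  # lucky: a already shares a factor with n
    r = multiplicative_order(a, n)
    if r % 2 == 1:
        return None               # odd order: this base tells us nothing
    y = pow(a, r // 2, n)         # y is a square root of 1 modulo n
    if y == n - 1:
        return None               # trivial root (-1): try another base
    return gcd(y - 1, n)          # nontrivial root: the gcd splits n


def factor_with_retries(n: int, seed: int = 1, tries: int = 50) -> Tuple[int, int]:
    """Try random bases until one splits n; returns the two factors, smaller first."""
    rng = random.Random(seed)     # fixed seed so runs are reproducible
    for _ in range(tries):
        a = rng.randrange(2, n)
        f = shor_factor(n, a)
        if f is not None and 1 < f < n:
            return tuple(sorted((f, n // f)))
    raise RuntimeError("no base split n within the retry budget")


if __name__ == "__main__":
    # 15 = 3 * 5 is the modulus used in the first experimental runs of Shor's algorithm.
    print(factor_with_retries(15))
    print(factor_with_retries(21))
```

The loop in multiplicative_order is the whole cost of the classical version: for a 1024 bit modulus it would run for roughly 2^1024 steps, which is why the factoring step and not the gcd bookkeeping is what a quantum computer has to deliver.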
Also, no claim has been given letting us think the chip could break RSA. And for sure, NSA experts have probably already studied the situation (in case they don't already own their own quantum computer).

References:

[1] http://www.dwavesys.com/index.php?page=quantum-computing
[2] http://www.itworld.com/Tech/3494/070309nasaquantum/index.html
[3] http://arstechnica.com/articles/paedia/hardware/quantum.ars


                             ==Phrack Inc.==

               Volume 0x0c, Issue 0x40, Phile #0x04 of 0x11

|=-----------------------------------------------------------------------=|
|=-------------=[ A brief history of the Underground scene ]=------------=|
|=-----------------------------------------------------------------------=|
|=-----------------------------------------------------------------------=|
|=------------------------------=[ Duvel ]=------------------------------=|
|=-------------------------------=[ for ]=-------------------------------=|
|=-------------------=[ The Circle of Lost Hackers ]=--------------------=|
|=-----------------------------------------------------------------------=|
|=-----------------------------------------------------------------------=|


--[ Contents

  1. Introduction
  2. The security paradox
  3. Past and present Underground scene
     3.1. A lack of culture and respect for ancient hackers
     3.2. A brief history of Phrack
     3.3. The current zombie scene
  4. Are security experts better than hackers?
     4.1. The beautiful world of corporate security
     4.2. The in-depth knowledge of security conferences
  5. Phrack and the axis of counter attacks
     5.1. Old idea, good idea
     5.2. Improving your hacking skills
     5.3. The Underground yellow pages
     5.4. The axis of knowledge
          5.4.1. New Technologies
          5.4.2. Hidden and private networks
          5.4.3. Information warfare
          5.4.4. Spying System
  6. Conclusion


--[ 1. Introduction

  "It's been a long long time,
   I kept this message for you, Underground
   But it seems I was never on time
   Still I wanna get through to you, Underground..."

I am sure most of you know and love this song (Stir it Up). After all, who doesn't like a Bob Marley song?
The lyrics of this song fit very well with my feeling: I was never on time but now I'm ready to deliver you the message.

So what is this article about? I could write another technical article about an eleet technique to bypass a buffer overflow protection, how to inject my magical module in the kernel, how to reverse like an eleet or even how to make a shellcode for a not-so-famous OS. But I won't. There are some other people who can do it much better than I could. But it is the reason not to write a technical article. The purpose of this article is to launch an SOS. An SOS to the scene, to everyone, to all the hackers in the world. To make all the next releases of Phrack better than ever before. And for this I don't need a technical article. I need what I would call Spirit. Do you know what I mean by the word spirit?


--[ 2. The security paradox

There is something strange, really strange. I always compare the security world with the drug world. Take the drug world: on the one side you have all the "bad" guys: cartels, dealers, retailers, users... On the other side, you have all the "good" guys: cops, DEA, pharmaceutical groups creating medicines against drugs, the president of the USA asking for more budget to counter drugs... The main speech of all these good guys is: "we have to eradicate drugs!". Well, why not. Most of us agree. But if there were no more drugs in the world, I guess that a big part of the world economy would fall. Small dealers wouldn't have the money to buy food, pharmaceutical groups would lose a big part of their business, DEA and similar agencies wouldn't have any reason to exist. All the drug centers could be closed, banks would lose money coming from the drug market. If you take all those things into consideration, do you think that governments would want to eradicate drugs? Asking the question is probably answering it.

Now let's move on to the security world.
On the one side you have a lot of companies, conferences, open source security developers, computer crime units... On the other side you have hackers, script kiddies, phreakers... Should I explain this again or can I directly ask the question? Do you really think that security companies want to eradicate hackers?

To show you how these two worlds are similar, let's look at another example. Sometimes, you hear about the cops arresting a dealer, maybe a big dealer. Or even an entire cartel. "Yeah, look! We have arrested a big dealer! We are going to eradicate all the drugs in the world!!!". And sometimes, you see news like "CCU arrests Mafiaboy, one of the best hackers in the world". Computer crime units and the DEA need publicity - they arrest someone and say that this guy is a terrorist. That's the best way to ask for more money. But they will rarely arrest one of the best hackers in the world. Two reasons. First, they don't have the intention (and if they did, it would probably be to hire him rather than arrest him). Secondly, most of the Computer Crime Units don't have the knowledge required.

This is really a shame, nobody is honest. Our governments claim that they want to eradicate hackers and drugs, but they know that if there were no more hackers or drugs a big part of the world economy could fall. It's again exactly the same thing with wars. All our presidents claim that we need peace in the world, again most of us agree. But if there are no more wars, companies like Lockheed Martin, Raytheon, Halliburton, EADS, SAIC... will lose a huge part of their markets and so banks wouldn't have the money generated by the wars.

The paradox lies in the perpetual assumption that the threat is generated from abuses where in fact it might come from improper technological design or money driven technological improvement where the last element shadows the first.
And when someone who is dedicated enough digs into it, we have a snowball effect, thus every fish in the pond at one time or another becomes a part of it. And as you can see, this paradox is not exclusive to the security industry/underground or even the computer world, it could be considered as the gold idol paradox but we do not want to get there.

In conclusion, the security world needs a reason to justify its business. This reason is the presence of hackers or a threat (whatever hacker means), the presence of a hacker scene and in more general terms the presence of the Underground. We don't need them to exist, we exist because we like learning, learning what we are not supposed to learn. But they give us another good reason to exist. So if we are "forced" to exist, we should exist in the good way. We should be well organized with a spirit that reflects our philosophy. Unfortunately, this spirit which used to characterize us is long gone...


--[ 3. Past and Present Underground scene

The "scene", this is a beautiful word. I am currently in a country very far away from all of your countries, but it is still an industrialized country. After spending some months in this country, I found some old-school hackers. When I asked them how the scene was in their country, they always answered the same thing: "like everywhere, dying". It's a shame, really a shame. The security world is getting larger and larger and the Underground scene is dying.

I am not an old school hacker. I don't have the pretension to claim it. I would rather say that I have some old-school tricks or maybe that my mind is old-school oriented, but that's all. I started to enjoy the hacking life more or less 10 years ago. And the scene was already dying. When I started hacking, like a lot of people, I read all the past issues of Phrack. And I really enjoyed the experience. Nowadays, I'm pretty sure that new hackers don't read old Phrack articles anymore.
Because they are lazy, because they can find information elsewhere, because they think old Phracks are outdated... But reading old Phracks is not only to acquire knowledge, it's also to acquire the hacking spirit.


----[ 3.1 A lack of culture and respect for ancient hackers

How many new hackers know the hackers' history? A simple example is Securityfocus. I'm sure a lot of you consult its vulnerabilities database or some mailing list. Maybe some of you know Kevin Poulsen who worked for Securityfocus for some years and now for Wired. But how many of you know his history? How many knew that at the beginning of the 80's he was arrested for the first time for breaking into ARPANET? And that he was arrested a lot more times after that as well. Probably not a lot (what's ARPANET after all...).

It's exactly the same kind of story with the most famous hacker in the world: Kevin Mitnick. This guy really was amazing and I have total respect for what he did. I don't want to argue about his present activity, it's his choice and we have to respect it. But nowadays, when new hackers talk about Kevin Mitnick, one of the first things I hear is: "Kevin is lame. Look, we have defaced his website, we are much better than him". This is completely stupid. They have probably found a stupid web bug to deface his website and they probably found the way to exploit the vulnerability in a book like Hacking Web Exposed. And after reading this book and defacing Kevin's website, they claim that Kevin is lame and that they are the best hackers in the world... Where are we going? If these hackers could do a third of what Kevin did, they would be considered heroes in the Underground community.

Another part of the hacking culture is what some people name "The Great Hackers War" or simply "Hackers War". It happened 15 years ago between probably the two most famous (best?) hacker groups which have ever existed: The Legion of Doom and Masters of Deception.
Despite that this chapter of hacking history is amazing (google it), what I wonder is how many hackers from the new generation know that famous hackers like Erik Bloodaxe or The Mentor were part of these groups. Probably not a lot. These groups were mainly composed of skilled and talented hackers/phreakers. And they were our predecessors. You can still find their profiles in past issues of Phrack. It's still a nice read.

Let's go for another example. Who knows Craig Neidorf? Nobody? Maybe Knight Lightning sounds more familiar to you... He was the first editor in chief of Phrack with Taran King, Taran King who called him his "right hand man". With Taran King and him, we had a lot of good articles, spirit oriented. So spirit oriented that one article almost sent him to jail for disclosing a confidential document from Bell South. Fortunately, he didn't go to jail thanks to the Electronic Frontier Foundation who defended him. Craig wrote for the first time in Phrack issue 1 and for the last time in Phrack issue 40. He is simply the best contributor that Phrack has ever had, more than 100 contributions. Not interesting? This is part of the hacking culture.

More recently, in the 90's, an excellent "magazine" (it was more a collection of articles) called F.U.C.K. (Fucked Up College Kids) was made by a hacker named Jericho... Maybe some new hackers know Jericho for his work on Attrition.org (that's not sure...), but have you already taken time to check the Attrition website and consult all the good work that Jericho and friends do? Did you know that Jericho wrote excellent Phrack World News under the name Disorder 10 years ago (and trust me, his news were great)? Stop thinking that Attrition.org is only an old dead mirror of web site defacements, it's much more and it's spirit oriented.

Go ask Stephen Hawking if knowing the scientific story is not important to understand the scientific way/spirit...
Do you think that Stephen doesn't know the story of Aristotle, Galileo, Newton or Einstein?

To help wannabe hackers, I suggest that they read "The Complete History of Hacking" or "A History of Computer Hacking" which are very interesting for a first dive into hacking history and that can easily be found with your favorite search engine. Another good reading is the interview of Erik Bloodaxe in 1994 (http://www.eff.org/Net_culture/Hackers/bloodaxe-goggans_94.interview) where Erik said something really interesting about Phrack:

"I, being so ridiculously nostalgic and sentimental, didn't want to see it (phrack) just stop, even though a lot of people always complain about the content and say, "Oh, Phrack is lame and this issue didn't have enough info, or Phrack was great this month, but it really sucked last month." You know, that type of thing. Even though some people didn't always agree with it and some people had different viewpoints on it, I really thought someone needed to continue it and so I kind of volunteered for it."

It's still true...


----[ 3.2 A brief history of Phrack

Let's go for a short hacking history course and let's take a look at old Phracks where people talked about the scene and what hacking is.

Phrack 41, article 1:
---------------------

"The type of public service that I think hackers provide is not showing security holes to whomever has denied their existence, but to merely embarrass the hell out of those so-called computer security experts and other purveyors of snake oil."

This is true, completely true. This is closely related to what I said before. If there are no hackers, there are no security experts. They need us. And we need them. (We are family)

Phrack 48, article 2:
---------------------

At the end of this article, there is the last editorial of Erik Bloodaxe. This editorial is excellent, everyone should read it. I will just reproduce some parts here:

"... The hacking subculture has become a mockery of its past self.
People might argue that the community has "evolved" or "grown" somehow, but that is utter crap. The community has degenerated. It has become a media-fueled farce. The act of intellectual discovery that hacking once represented has now been replaced by one of greed, self-aggrandization and misplaced post-adolescent angst... If I were to judge the health of the community by the turnout of this conference, my prognosis would be "terminally ill."..."

And this was in 1996. If we asked Erik Bloodaxe now what he thinks about the current scene, I'm pretty sure he would say something like: "irretrievable" or "the hacking scene has reached a point of no return".

"...There were hundreds of different types of systems, hundreds of different networks, and everyone was starting from ground zero. There were no public means of access; there were no books in stores or library shelves espousing arcane command syntaxes; there were no classes available to the layperson. ..."

Have you ever heard of a "hackademy"? Nowadays, if you want to be a hacker it's really easy. Just go to a hacker school and they will teach you some of the most eleet tricks in the world. That's the new hacker way.

"Hacking is not about crime. You don't need to be a criminal to be a hacker. Hanging out with hackers doesn't make you a hacker any more than hanging out in a hospital makes you a doctor. Wearing the t-shirt doesn't increase your intelligence or social standing. Being cool doesn't mean treating everyone like shit, or pretending that you know more than everyone around you."

So what is hacking? My point of view is that hacking is a philosophy, a philosophy of life that you can apply not only to computers but to a lot of things. Hacking is learning, learning computers, networks, cryptology, telephone systems, spying systems and agencies, radio, what our governments hide... Actually all non-conventional subjects or what could also be called a third eye view of the context.

"There are a bunch of us who have reached the conclusion that the "scene" is not worth supporting; that the cons are not worth attending; that the new influx of would-be hackers is not worth mentoring. Maybe a lot of us have finally grown up."

Here's my answer to Erik 10 years later: "No Erik, you hadn't finally grown up, you were right." Erik already sent an SOS 10 years ago and nobody heard it.

Phrack 50, article 1:
---------------------

"It seems, in recent months, the mass media has finally caught onto what we have known all along, computer security _IS_ in fact important. Barely a week goes by that a new vulnerability of some sort doesn't pop up on CNN. But the one thing people still don't seem to fathom is that _WE_ are the ones that care about security the most... We aren't the ones that the corporations and governments should worry about... We are not the enemy."

No, we are not the enemy. But a lot of people claim that we are and some people even sell books with titles like "Know your enemy". It's probably one of the best ways to be hated by a lot of hackers. Don't be surprised if there are some groups like PHC appearing after that.

Phrack 55, article 1:
---------------------

Here I will show you the arrogance of the not-so-far past editor, answering some comments:

"...Yeah, yeah, Phrack is still active you may say. Well let me tell you something. Phrack is not what it used to be. The people who make Phrack are not Knight Lightning and Taran King, from those old BBS days. They are people like you and me, not very different, that took on themselves a job that it is obvious that is too big for them. Too big? hell, HUGE. Phrack is not what it used to be anymore. Just try reading, let's say, Phrack 24, and Phrack 54..."

And the editor replied (maybe Route):

"bjx of "PURSUiT" trying to justify his `old-school` ezine. bjx wrote a riveting piece on "Installing Slackware" article. Fear and respect the lower case "i"".
This is a perfect example of how the Underground scene has grown up in the last few years. We can interpret the editor's answer like "I'm writing some eleet articles and not you, so I don't have to take into consideration your point of view". But it was a really pertinent remark.

Phrack 56, article 1:
---------------------

Here is another excellent example to show you the arrogance of the Underground scene. Again, it's an answer to a comment from someone:

"...IMHO it hasn't improved. Sure, some technical aspects of the magazine have improved, but it's mostly a dry technical journal these days. The personality that used to characterize Phrack is pretty much non-existent, and the editorial style has shifted towards one of `I know more about buffer overflows than you` arrogance. Take a look at the Phrack Loopback responses during the first 10 years to the recent ones. A much higher percentage of responses are along the lines of `you're an idiot, we at Phrack Staff are much smarter than you.`..."

And the reply:

" - Trepidity apparently still bitter at not being chosen as Mrs. Phrack 2000."

IMHO, Trepidity's remark was probably the best remark for a long long time.

Let's stop this little history course. I have shown you that I'm not alone in my reflection and that there is something wrong with the current dysfunctional scene. Some people already thought this 10 years ago and I know that a lot of people are currently thinking exactly the same thing. The scene is dying and its spirit is flying away. I'm not Erik Bloodaxe, I'm not Voyager or even Taran King ... I'm just me. But I would like to do something like 15 years ago, when the word hacking was still used in the noble sense. When the spirit was still there. We all need to react together or the beast will eat what's left of the spirit.


----[ 3.3 The current zombie scene

"A dead scene whose body has been re-animated but whose spirit is lacking".

I'm not really aware of every 'group' in the world.
Some people are much more connected than me. And to be honest, I knew the scene better 5 years ago than I do now. But I will try to give you a snapshot of what the current scene is. Forgive me in advance for the groups that I will forget, it's really difficult to have an accurate snapshot. The best way to have a snapshot of the current scene is probably to use an algorithm like HITS which allows detecting a web community. But unfortunately I don't have time to implement it.

So the current scene for me is like a pyramid and it's organized like secret societies. I would like to split hacker groups into 3 categories. In order to not give stupid names to these groups I will call them layer 1 groups, layer 2 groups and layer 3 groups.

In layer 1, 5 years ago, you had some really "famous" groups which were, I think, composed of talented people. I will split this layer into two categories: front-end groups and back-end groups. Some of the groups I call front-end are: TESO, THC, w00w00, Phenoelit or Hert. Back-end groups include ADM, Synergy, ElectronicSouls or Devhell. And you also have PHC which you can include in both categories (you know guys, you have your entry in Wikipedia!). And at the top of that (but mainly at the top of PHC) you had obscure/eleet groups like AB.

In layer 2, I would like to include a lot of groups of lesser scale but which I think are trying to do good stuff. Generally, these groups have no communication with layer 1 groups. These groups are: Toxyn, Blackhat.be, Netric, Felinemenace, S0ftpj (nice mag), Nettwerked (congratulations for the skulls image guys!), Moloch, PacketWars, Eleventh Alliance, Progenic, HackCanada, Blacksecurity, Blackclowns or Aestetix. You can still split these groups into two categories, front-end and back-end. Back-end are Toxyn or Blackhat.be, others probably front-end.

Beside these groups, you have a lot of wannabe groups that I'd like to include in layer 3, composed of the new generation of hackers.
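The HITS algorithm mentioned at the start of this section, as an added example that is not code from the original article: it scores every node of a "who links to whom" graph as an authority (pointed at by good hubs) and as a hub (pointing at good authorities), and iterates the two definitions until they settle. The site names and links in SAMPLE_LINKS are constructed for illustration and say nothing about the real linking between those sites.

```python
"""HITS (hubs and authorities) over a constructed link graph.

Added example, not code from the original article.  HITS scores every node
of a directed link graph twice: as an authority (pointed at by good hubs)
and as a hub (pointing at good authorities), and iterates the two mutually
recursive definitions until they settle.  The site names and links below
are constructed for illustration and say nothing about the real linking
between those sites.
"""
from typing import Dict, Iterable, List, Tuple

# Constructed sample graph: (source, target) means "source links to target".
SAMPLE_LINKS: List[Tuple[str, str]] = [
    ("phrack", "packetstorm"), ("phrack", "2600"),
    ("2600", "cryptome"), ("2600", "packetstorm"),
    ("attrition", "packetstorm"), ("attrition", "phrack"), ("attrition", "cryptome"),
    ("blog", "packetstorm"),
]


def hits(links: Iterable[Tuple[str, str]],
         iterations: int = 50) -> Tuple[Dict[str, float], Dict[str, float]]:
    """Return (hub_scores, authority_scores), each L1-normalised to sum to 1."""
    links = list(links)
    nodes = sorted({u for u, _ in links} | {v for _, v in links})
    hub = {n: 1.0 for n in nodes}
    auth = {n: 1.0 for n in nodes}
    for _ in range(iterations):
        # Authority update: sum the hub scores of every page linking here.
        auth = {n: 0.0 for n in nodes}
        for src, dst in links:
            auth[dst] += hub[src]
        # Hub update: sum the (fresh) authority scores of every page linked to.
        hub = {n: 0.0 for n in nodes}
        for src, dst in links:
            hub[src] += auth[dst]
        # Normalise so scores stay bounded and are comparable between rounds.
        for scores in (auth, hub):
            total = sum(scores.values())
            for n in nodes:
                scores[n] /= total
    return hub, auth


def ranked(scores: Dict[str, float]) -> List[str]:
    """Node names from highest to lowest score; ties broken alphabetically."""
    return sorted(scores, key=lambda n: (-scores[n], n))


if __name__ == "__main__":
    hubs, auths = hits(SAMPLE_LINKS)
    print("authorities:", ranked(auths))
    print("hubs:       ", ranked(hubs))
```

Fed with a real crawl of link pages, the authorities are the sites a community keeps pointing at and the hubs are the pages that maintain the link lists; a node nobody links to (here "attrition" and "blog") gets authority 0 however good a hub it is, which is the separation of roles the algorithm is built on.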
Some of these groups are probably good and I'm sure that some have the good hacking spirit, but generally these groups are composed of hackers who learned hacking in a school or by reading hacker magazines that they find in a library. When you see a hacker arrested in the media, he generally comes from one of these unknown groups. 20 years ago, cops arrested hackers like Kevin Mitnick (The Condor), Nahshon Even-Chaim (Phoenix, The Realm), Mark Abene (Phiber Optik, Legion of Doom) or John Lee (Corrupt, Masters of Deception), now they arrest Mafia Boy for a DDOS...

There are also some (dead) old school groups like cDc, Lopht or rhino9, independent skilled guys like Michal Zalewski or Silvio Cesare, research groups like Lsd-pl and Darklab and obscure people like GOBBLES, N3td3v or Fluffy Bunny :-) And of course, I don't forget people who are not affiliated to any group. You can also find some central resources for hackers or phreakers like Packetstorm or Phreak.org, and magazine oriented resources like Pull the Plug or Uninformed. In this wonderful world, you can find some self proclaimed eleet mailing lists like ODD.

We can represent all these groups in a pyramid. Of course, this pyramid is not perfect. So don't blame me if you think that your group is not in the right category, it's just a try.

                        The Underground Pyramid

                                _
                               / \
                              /   \
                             /     \
                            /       \
                           /         \  <-- More eleet hackers in
                          /           \     the world. Are you in?
                         /    -(o)-    \
                        /    /     \    \
                       /                 \
                      /___________________\
                     /                     \  <-- skilled hackers
                    / AB, Fluffy Bunny, ... \     hacking mainly
                   /_________________________\    for fun
                  /     |       |        |    \
                 / PHC  | TESO  | ADM    | cDc \  <-- Generally
                / EL8   | THC   | Synergy| Lopht\     excellent skills,
               / GOBBLES| w00w00| Devhell| rhino9\    some groups have
              / ...     | ...   | ...    | ...    \   the good spirit
             /_____________________________________\
            /                 |                     \
           / Blackhat.be      | HackCanada           \  <-- good skills,
          / Toxyn             | Felinemenace          \     some are
         / ...                | Netric                 \    very
        /                     | ...                     \   original
       /_________________________________________________\
      /                                                   \
     /                   WANNABE GROUPS                    \  <-- newbies
    /_______________________________________________________\
   /                                                         \  <-- info
  / Resources: 2600, Phrack, PacketStorm, Phreak.org,         \     for
 / Uninformed, PTP, ...                                        \    all
/_______________________________________________________________\

All of these people make up the current scene. It's a big mixture between white/gray/black hats, where some people are white hat in the day and black hat at night (and vice-versa). Sometimes there is communication between them, sometimes not. I also have to say that it's generally the people from layer 1 groups who give talks at security conferences around the world...

It's really a shame that PHC is probably the best ambassador of the hacking spirit. Their initiative was great and really interesting. Moreover they are quite funny. But IMHO, they are probably a little too arrogant to be considered an old spirit group.

Actually, the bad thing is that all these people are more or less separate and everyone is fighting everyone else. You can even find some hackers hacking other hackers! Where is the scene going? Even if you are technically very good, do you have to say to everyone that you are the best one and name others as lamerz? The new hacker generation will never understand the hacking spirit with this mentality.

Moreover the majority of hackers are completely disinterested in alternate interesting subjects addressed for example in 2600 magazine or on the Cryptome website. And this is really a shame because these two media are publishing some really good information. Most hackers are only interested in pure hacking techniques like backdooring, network exploitation, client vulnerabilities... But for me hacking is closely related to other subjects like those addressed on the Cryptome website. For example the majority of hackers don't know what SIPRnet is.
There is only one reference in Phrack, but there are several articles about SIPRNet in 2600 magazine or on the Cryptome website. When I want to discuss all these interesting subjects it's really difficult to find someone in the scene. And to be honest, the only people I can find are people away from the scene. The majority of hackers composing the groups I mentioned above are not interested in these subjects (as far as I know). Old school hackers in the 80's or 90's were more interested in alternative subjects than the new generation.

In conclusion, firstly we have to get back the old school hacking spirit, and afterwards explain to the new generation of hackers what it is. It's the only way to survive. The scene is dying, but I won't say that we can't do anything. We can do something. We must do something. It's our responsibility.

--[ 4. Are security experts better than hackers?

STOP!!!!! I do not want to say that security experts are better than hackers. I don't think they are, but to be honest it's not really important. It's nonsense to ask who is better. The best guy, independent of the techniques he uses, is always the most ingenious. But there are two points that I would like to develop.

----[ 4.1 The beautiful world of corporate security

I met a really old school hacker some months ago; he told me something very pertinent and I think he was right. He told me that the technology has really changed these last years, but that the old school tricks still work. Simply because the people working for security companies don't really care about security. They care more about finding a new eleet technique to attack or defend a system and presenting it at a security conference than about using it in practice.

So Underground, we have a problem. A major problem. 15 years ago, there were a lot of people working for the security industry. At the same time, there were also a lot of people working in what I will call the Underground scene.
No-one can estimate the percentage in each camp, but I would say it was something like 60% working in security and 40% working in the Underground scene. It was still a good distribution. Nowadays, I'm not sure it's still true. A better estimate would be 80/20 oriented towards security, or maybe even worse... There are more and more people working for the security world than for the Underground scene. Look at all these "eleet" security companies like ISS, Core Security, Immunity, iDefense, eEye, @stake, NGSSoftware, Checkpoint (!), Counterpane, Sabre Security, Net-Square, Determina, SourceFire... I will stop here, otherwise Google will make some publicity for these companies. All these security companies have hired and still hire hackers, even if they say that they don't. Sometimes, they don't even know they hired a hacker. How many past Phrack writers work for these companies? My guess is a lot, really a lot. After all, you can't stop a hacker if you have never been one...

You'll tell me: "that's normal, everyone has to eat". Yeah, that's true. Everyone has to eat. I'm not talking about that. What I don't like (even if we do need these good and bad guys) is all the stuff around the security world: conferences, (false) alerts, magazines, mailing lists, pseudo security companies, pseudo security websites, pseudo security books... Can you tell me why there is so much security related stuff and not so much Underground related stuff?

----[ 4.2 The in-depth knowledge of security conferences

If you have a look at all the topics addressed at a security conference, it's amazing. Take the most famous conferences: *Blackhat, *SecWest or even Defcon (I mention only marketing conferences; there are other good conferences that are less corporate/business oriented like CCC, PH-Neutral, HOPE or WTH). Now look at the talks given by the speakers: they're really good.
When I went to a security conference 5 years ago it was so funny, I was saying to my friends: "these guys are 5 years late". It was true then, but I think it's not true anymore. They are probably still late, but not as late as they were. But the most relevant point for me is that recently there have been a lot of very interesting subjects. OK, not everything was interesting, there were some shit subjects too. What I would consider interesting subjects are those related to new technologies (VoIP, Web 2.0, RFID, BlackBerry, GPS...) or original topics like hardware hacking, BlackOps, agency relationships, SE stories, bioinfo attacks, nanotech, PsyOps...

What the Fuck ?!#@?! 10 years ago, all the original topics were released in an Underground magazine like Phrack or 2600. Not at a security conference where you have to pay more than $1000. This is not my idea of what hacking should be. Do you really need publicity like this to feel good? This is not hacking. I'm not talking here about the core but the form. When I'm coding something at home all night and in the morning it works, it's really exciting. And I don't have to say to everyone "look at what I did!". Especially not in public, where people have to pay more than $1000 to hear you.

Another incredible thing about these security conferences is what I would call the "conference circuit". Nowadays, if you are a security expert, the trend is to give the same talk at different security conferences around the world. More than 50% of all security experts are doing this. They go to America for BlackHat, Defcon and CanSecWest, then they move to Europe and they finish in Asia or Australia. They can even do BlackHat America, BlackHat Europe and BlackHat Asia! Like Roger Federer or Tiger Woods, they try to do the Grand Slam! So you can find a talk given in 2007 which is more or less the same as one from 2005. Thus it seems we now have a new profession in our wonderful security world: "conference runner"!
The last funny thing is the number of talks that I would put in the category "How to hack system XXX". For example, at the last Blackhat USA there was a talk on how to hack embedded devices, for example printers and copiers. Despite the fact that it's interesting (collecting printed documents), what I find funny is that you just have to hack a non-conventional device to be at Blackhat or Defcon. So, I will give some good advice to hackers who want to become famous: try to hack the coffee machine used by the FBI or the embedded device used by the lift of the Pentagon and everyone will see you as a hero or a terrorist (that's context based).

--[ 5. Phrack and the axis of counter-attack

Now that I have given you an overview of the security world, let's try to see how we can change it. There are two possibilities here. The first one is this: I say to you "OK, now that you really understand the problem, it's definitely time to change our mentality. This is the new mind set that we have to adopt". It's a little bit pretentious to say this, though. Nobody can solve the problem alone and pretend to bring the right solution. So I guess that the first possibility won't work. People will agree, but nobody will do anything.

The second possibility is to start with Phrack. All the people who make up The Circle of Lost Hackers agree that Phrack should come back to its past style, when the spirit was present. We really agree with the quote above which said that Phrack is mainly a dry technical journal. That's why we would like to give you some ideas that can bring Phrack back its bygone aura. Phrack doesn't belong to a group of people, Phrack belongs to everyone, everyone in the Underground scene who wants to bring something to the Underground. After all, Phrack is a magazine made by the community for the community. We would like to invite everyone to give their point of view about the current scene and the orientation that Phrack should take in the future.
We could compile a future article with all your ideas.

----[ 5.1. Old idea, good idea

If you take a look at the old Phrack, there are some recurring articles:

* Phrack LoopBack
* Line noise
* Phrack World News
* Phrack Prophiles
* International scenes

Here's something funny about Phrack World News: if you take a look at Phrack 36, it was not called "Phrack World News" but "Elite World News"... So, all these articles were and are interesting. But among these articles, we would like to resuscitate the last one: "International scenes". A first essay is made in this issue, but we would like people to send us a short description of their scene. It could be very interesting to have some descriptions of scenes that are not common, for example the Chinese scene, the Brazilian scene, the Russian scene, the African scene, the Middle East scene... But of course we are also interested in the more classic scenes like the Americas, GB, France, Germany, ... Everything is welcome, but hackers all over the world are not only hackers in Europe and the Americas, we're everywhere. And when we talk about the Underground scene, it should include all local scenes.

----[ 5.2. Improving your hacking skills

Here we would like to start a new kind of article. An article whose purpose is to give the new generation of hackers some different little tricks to hack "like an eleet". This article will be present in every new issue (at least until it's dead ... we hope not soon). The idea is to ask everyone to send us their tricks when they hack something (it could be a computer or not). The tricks should be explained in no more than 30 lines, and it could even be one line. It could be an eleet trick or something really simple but useful.
Example:

An almost invisible ssh connection
----------------------------------

In the worst case, if you have to ssh to a box, do it every time with no tty allocation:

    ssh -T user@host

If you connect to a host this way, a command like "w" will not show your connection. Better, add 'bash -i' at the end of the command to simulate a shell:

    ssh -T user@host /bin/bash -i

Another trick with ssh is to use the -o option, which allows you to specify a particular known_hosts file (by default it's ~/.ssh/known_hosts). The trick is to use -o with /dev/null:

    ssh -o UserKnownHostsFile=/dev/null -T user@host /bin/bash -i

With this trick the IP of the box you connect to won't be logged in known_hosts. Using an alias is a good idea.

Erasing a file
--------------

In case you have to erase a file on an owned computer, try to use a tool like shred, which is available on most Linux systems.

    shred -n 31337 -z -u file_to_delete

    -n 31337 : overwrite the content of the file 31337 times
    -z       : add a final overwrite with zeros to hide shredding
    -u       : truncate and remove the file after overwriting

A better idea is to make a small partition in RAM with tmpfs or a ramdisk and store all your files inside. Again, using an alias is a good idea.

The quick way to copy a file
----------------------------

If you have to copy a file to a remote host, don't bore yourself with an FTP connection or similar. Do a simple copy and paste in your X console. If the file is a binary, uuencode the file before transferring it. A more eleet way is to use the program 'screen', which allows copying a file from one screen to another:

    To start/stop : C-a H  or  C-a : log

And when it's logging, just do a cat on the file you want to transfer.

Changing your shell
-------------------

The first thing you should do when you are on an owned computer is to change the shell. Generally, systems are configured to keep a history for only one shell (say bash); if you change the shell (say ksh), you won't be logged.
This will prevent you being logged in case you forget to clean the logs. Also, don't forget 'unset HISTFILE', which is often useful.

Some of these tricks are really stupid and for sure all old school hackers know them (or don't use them because they have more eleet tricks). But they are still useful in many cases and it should be interesting to compare everyone's tricks.

----[ 5.3. The Underground yellow pages

Another interesting idea is to maintain a list of all the interesting IP ranges in the world. This article will be called "Meaningful IP ranges". We have already started to scan all the class A and B networks. What is really interesting is all the IP addresses of the agencies which are supposed to spy on us. Have a look at this site:

    http://www.milnet.com/iagency.htm

However, we don't have to focus our list on agencies, but on everything which is supposed to be the power of the world. It includes:

* All agencies of a country (China, Russia, UK, France, Israel...)
* All companies in a domain, for example all companies related to private secret services or competitive intelligence or financial clearing or private armies (DynCorp, CACI, MPRI, Vinnell, Wackenhut, ...)
* Companies close to government (SAIC, Dassault, QinetiQ, Halliburton, Bechtel...)
* Spying business companies (AT&T, Verizon, VeriSign, Amdocs, BellSouth, Top Layer Networks, Narus, Raytheon, Verint, Comverse, SS8, Pen-Link...)
* Spoken media (Al Jazeera, Al Arabiya, CNN, FOX, BBC, ABC, RTVi, ...)
* Written media or press agencies (NY/LA Times, Washington Post, Guardian, Le Monde, El Pais, Bild, The Herald, Reuters, AFP, AP, TASS, UPI...)
* All satellite maintainers (Intelsat, Eurosat, Inmarsat, Eutelsat, Astra...)
* Suspect investment firms (Carlyle, In-Q-Tel...)
* Advanced research centers (DARPA, ARDA/DTO, HAARP...)
* Secret societies, fake groups and think-tanks (The Club of Rome, The Club of Berne, Bilderberg, JASON group, Rachel foundation, CFR, ERT, UNICE, AIPAC, The Bohemian Club, Opus Dei, Chatham House, Church of Scientology...)
* Guerilla groups, rebels or simply alternative groups (FARC, ELN, ETA, KKK, NPA, IRA, Hamas, Hezbollah, Muslim Brothers...)
* Ministries (Defense, Energy, State, Justice...)
* Militaries or international police forces (US Army, US Navy, US Air Force, NATO, European armies, Interpol, Europol, CCU...)
* And last but not least: HONEYPOTS!

It's obvious that not all ranges can be obtained. Some agencies are registered under a false name in order to be more discreet (what about ENISA, the European NSA?), others use some high level systems (VPN, Tor...) on top of normal networks, or simply use communication systems other than the Internet. But we would like to keep the most complete list we can. For this we need your help. We need the help of everyone in the Underground who is ready to share knowledge. Send us your ranges. We started to scan the A and B ranges with a little script we made, but be sure that the more interesting ranges are in class C.
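Turning the "almost invisible ssh connection" trick from 5.2 around: an added example (not part of the article) of how an admin can spot such sessions. It assumes the process titles OpenSSH sets on Linux ("sshd: user@pts/N" when a tty was allocated, "sshd: user@notty" when not) and that only tty sessions get the utmp record that 'w' and 'who' print; the ps and who output it works on is constructed sample data.

```python
"""Flag sshd sessions that 'w' would not show, by cross-checking ps with who.

Added example for the 'ssh -T' trick above; it is not code from the article.
Assumed OpenSSH behaviour on Linux: the session child's process title is
"sshd: user@pts/N" with a tty and "sshd: user@notty" without one, and only
the tty case creates a utmp entry. The two samples below are constructed.
"""
import re
import subprocess

# Constructed sample of 'ps -eo pid,user,args' output (not a real capture).
SAMPLE_PS = """\
  PID USER     COMMAND
 1012 root     sshd: /usr/sbin/sshd -D [listener]
 2203 root     sshd: alice [priv]
 2211 alice    sshd: alice@pts/0
 2290 root     sshd: bob [priv]
 2298 bob      sshd: bob@notty
 2310 alice    -bash
"""

# Constructed sample of 'who' output for the same host: only alice is listed.
SAMPLE_WHO = """\
alice    pts/0        2007-05-09 09:14 (192.0.2.10)
"""

# pid, process owner, then the "sshd: user@tty" title of a session child
SESSION_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+sshd: (\S+)@(notty|pts/\d+)\s*$")


def parse_ssh_sessions(ps_output):
    """Return (pid, user, tty) for every sshd session child in ps output."""
    sessions = []
    for line in ps_output.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append((int(m.group(1)), m.group(3), m.group(4)))
    return sessions


def parse_utmp_ttys(who_output):
    """Return the set of (user, tty) pairs that utmp (who/w) knows about."""
    ttys = set()
    for line in who_output.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            ttys.add((fields[0], fields[1]))
    return ttys


def find_hidden_sessions(ps_output, who_output):
    """List sshd sessions that who/w would miss, each with the reason.

    Two cases are reported: no tty at all (the ssh -T style session), and a
    tty session whose utmp record is missing (e.g. cleaned out of the logs).
    """
    known = parse_utmp_ttys(who_output)
    hidden = []
    for pid, user, tty in parse_ssh_sessions(ps_output):
        if tty == "notty":
            hidden.append((pid, user, "no tty allocated (ssh -T style session)"))
        elif (user, tty) not in known:
            hidden.append((pid, user, f"{tty} has no utmp entry"))
    return hidden


def scan_live_host():
    """Run the same check against the local machine (Linux with OpenSSH)."""
    ps = subprocess.run(["ps", "-eo", "pid,user,args"],
                        capture_output=True, text=True, check=True).stdout
    who = subprocess.run(["who"], capture_output=True, text=True, check=True).stdout
    return find_hidden_sessions(ps, who)


if __name__ == "__main__":
    for pid, user, reason in find_hidden_sessions(SAMPLE_PS, SAMPLE_WHO):
        print(f"pid {pid} user {user}: {reason}")
```

On a live host, scan_live_host() applies the same comparison to the real ps and who output; a hit is worth correlating with sshd's auth log, which records the connection regardless of tty allocation.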
Here is a quick start of the list:
The SAIC range is definitely interesting; people interested in obscure technologies should investigate SAIC stuff in depth... But anyway, this list is rough and incomplete. We have a lot more interesting ranges, but not yet classified. It's just to show you how easy it is to obtain. If you think that the idea is funny, send us your ranges. We would be pleased to include them in our list. The idea is to offer the most complete list we can for the next Phrack release.

----[ 5.4. The axis of knowledge

I'm sure that everyone knows "the axis of evil". This sensational expression was coined some years ago by Mr. Bush to group wicked countries (but was it really invented by the "president" or by m1st3r Karl Rove??). We could use the same expression to name the evil subjects that we would like to have in Phrack. But I will leave Mr Powerful Bush his expression and find a more noble one: The Axis of Knowledge. So what is it about? Just a list of some topics that we would like to find more often in Phrack. In the past years, Phrack was mainly focused on exploitation, shellcode, kernel and reverse engineering. I'm not saying that this was not interesting, I'm saying that we need to diversify the articles of Phrack. Everyone agrees that we must know the advances in heap exploitation, but we should also know how to exploit new technologies.

------[ 5.4.1 New Technologies

To illustrate my point, we can take a quote from Phrack 62, the prophile of Scut:

Q: What suggestions do you have for Phrack?
A: For the article topics, I personally would like to see more articles on upcoming technologies to exploit, such as SOAP, web services, .NET, etc.

We think he was right. We need more articles on upcoming technologies. Hackers have to stay up to date. Low level hacking is interesting, but we also need to adapt ourselves to new technologies. It could include: RFID, Web 2.0, GPS, Galileo, GSM, UMTS, Grid Computing, Smartdust systems. Also, since the name Phrack is a combination of Phreak and Hack, having more articles related to Phreaking would be great. If you have a look at all the Phrack issues from 1 to 30, the majority of articles talked about Phreaking. And Phreaking and new technologies are closely connected.

------[ 5.4.2 Hidden and private networks

We would like to have a detailed description, or at least an introduction, of the private networks used by governments. It includes:

* Cyber Security Knowledge Transfer Network (KTN)
  http://ktn.globalwatchonline.com
* Unclassified but Sensitive Internet Protocol Router Network and The Secret IP Router Network (SIPRNet)
  http://www.disa.mil/main/prodsol/data.html
* GOVNET
  http://www.govnet.state.vt.us/
* Advanced Technology Demonstration Network
  http://www.atd.net/
* Global Information Grid (GIG)
  http://www.nsa.gov/ia/industry/gig.cfm?MenuID=10.3.2.2
* ...

There are a lot of private networks in the world and some are not documented. What we want to know is: how they are implemented, who is using them, which protocols are being used (is it ATM, SONET...?), is there a way to access them through the Internet, ... If you have any information to share on these networks, we would be very interested to hear from you.

------[ 5.4.3 Information warfare

Information warfare is probably one of the most interesting upcoming subjects of recent years. Information is present everywhere, and the one who controls the information will be the master. The USA already understands this well, China too, but some countries are still late. Especially in Europe.
Some websites are already specialized in information warfare, like IWS, the Information Warfare Site (http://www.iwar.org.uk). You can also find some schools across the world which are specialized in information warfare. We, hackers, can use our knowledge and ingenuity to do something in this domain. Let me give you two examples.

The first one is Black Hat SEO (http://www.blackhatseo.com/). This subject is really interesting because it combines a lot of subjects like development, hacking, social engineering, linguistics, artificial intelligence and even marketing. These techniques can be used in Information Warfare, and we would like the Underground to know more about this subject.

Second example: in a document entitled "Who is n3td3v?", the author (Hacker Factor) used linguistic techniques in order to identify n3td3v. After having analyzed n3td3v's texts, the author claims that n3td3v and Gobbles are probably the same person. N3td3v's answer was to say that he has an A.I. program allowing him to generate text automatically. If he wants to sound like George Bush, he simply has to find a lot of articles by him, give these texts to his A.I., and the A.I. program will build a model representing the way George Bush writes. Once the model is created, he can give a text to the A.I. and this text will be translated into "George Bush speaking". The author's answer (Hacker Factor) was to say it's not possible. Working in text-mining, I can tell you that it's possible. The majority of people working in the academic area are blind, and when you come to them with innovative techniques, they generally tell you that you are a dreamer. A simple implementation can be realized quickly with the use of a grammar (which you can even induce automatically), a thesaurus and Markov chains. Add some home made rules and you can have a small system to modify a text. An idea could be to release a tool like this (the binary, not the source).
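As an added example (not from the article, nor from the "Who is n3td3v?" analysis) of the kind of linguistic fingerprint such an attribution rests on: each text is reduced to a profile of relative word frequencies, and an unattributed text is assigned to the known writer whose profile is closest by cosine similarity. The three writing samples are constructed for this example; the attribution rule and the texts are the assumptions.

```python
"""Minimal word-frequency stylometry: which known writer does a text resemble?

Added example, not code from the article or from Hacker Factor. The profiles
are relative frequencies of lowercase word tokens (function words such as
"however" or "gonna" dominate the distance, as in real stylometry), compared
by cosine similarity. All three texts below are constructed samples.
"""
import math
import re
from collections import Counter

# Constructed writing samples: two "known" writers and one unattributed text.
AUTHOR_A = (
    "However, the results indicate that the approach is sound; therefore we "
    "proceed. Thus the hypothesis holds, although the data are limited. "
    "Therefore, further work is required; however, the method is promising."
)
AUTHOR_B = (
    "lol u gonna love this, the box got owned again. lol the admin is clueless, "
    "u know what i mean. gonna post it later, its gonna be fun lol."
)
UNKNOWN = (
    "Therefore the approach holds; however, the hypothesis is limited. "
    "Thus we proceed, although further work is required."
)

WORD_RE = re.compile(r"[a-z']+")


def profile(text):
    """Relative frequency of each word token in the text (a sparse vector)."""
    words = WORD_RE.findall(text.lower())
    counts = Counter(words)
    total = sum(counts.values())
    return {w: c / total for w, c in counts.items()}


def cosine(p, q):
    """Cosine similarity between two sparse frequency profiles, 0.0 if one is empty."""
    dot = sum(p[w] * q[w] for w in p if w in q)
    norm = math.sqrt(sum(v * v for v in p.values())) * math.sqrt(sum(v * v for v in q.values()))
    return dot / norm if norm else 0.0


def attribute(unknown, candidates):
    """Return (closest_writer, {writer: similarity}) for an unattributed text."""
    unk = profile(unknown)
    scores = {name: cosine(unk, profile(text)) for name, text in candidates.items()}
    best = max(scores, key=scores.get)
    return best, scores


if __name__ == "__main__":
    writer, scores = attribute(UNKNOWN, {"A": AUTHOR_A, "B": AUTHOR_B})
    for name, s in scores.items():
        print(f"similarity to {name}: {s:.3f}")
    print(f"closest writer: {writer}")
```

A model trained to imitate another writer, as the article describes, attacks exactly this profile; a forensic reviewer would therefore also look at features harder to imitate, such as punctuation and formatting habits.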
I already have the title for an article: "Defeating forensic: how to cover your says"!

More generally, in information warfare, interesting subjects could be:

* Innovative information retrieval techniques
* Automatic diffusion of manipulated information
* Tracking of manipulated information

Military and advanced centers like DARPA are already interested in these topics. We don't have to let governments have the monopoly on these areas. I'm sure we can do much better than governments.

------[ 5.4.4 Spying Systems

Everyone knows ECHELON; it's probably the most documented spying system in the world. Unfortunately, the majority of the information that you can find on ECHELON is about where the ECHELON bases in the world are. There is nothing about how they manipulate data. It's evident that they are using some data-mining techniques like speech recognition, text cleaning, topic classification, named entity recognition, sentiment detection and so on. For this they could use their own software, or maybe they are using some commercial software like:

* RetrievalWare from Convera: http://www.convera.com/solutions/retrievalware/Default.aspx
* Inxight's products: http://www.inxight.com/products/
* "Minority Report" like visualization systems: http://starlight.pnl.gov/
* ...

For now we are like Socrates: all we know is that we know nothing. Nothing about how they process data. But we are very interested to know. In the same vein, we would like to know more about Narus (http://www.narus.com/), which could be used as the successor of CARNIVORE, which was the FBI's tool to intercept electronic data. Which countries use Narus, where is it installed, how is Narus processing information... Actually, any system which is supposed to spy on us is interesting.

--[ 6. Conclusion

I'm reaching the end of my subject. Like with every article, some people will agree with the content and some not.
I'm probably not the best person to talk about the Underground, but I tried to sum up in this text all the interesting discussions I had over several years with a lot of people. I tried to analyze the past and present scene and to give you a snapshot as accurate as possible. I'm not entirely satisfied, there's a lot more to say. But if this article can already make you think about the current scene or the Underground in general, that means that we are on the right way. The most important thing to retain is the need to get back the Underground spirit. The world changes, people change, the security world changes, but the Underground has to keep its spirit, the spirit which characterized it in the past. I gave you some ideas about how we could do it, but there are many more ideas in 10000 heads than in one. Anyone who worries about the current scene is invited to give his opinion about how we could do it.

So let's go for the wakeup of the Underground. THE wakeup. A wakeup to show the world that the Underground is not dead. That it will never die, that it is still alive and for a long time. That's the responsibility of all hackers around the world.

==Phrack Inc.==

                Volume 0x0c, Issue 0x40, Phile #0x05 of 0x11

|=-----------------------------------------------------------------------=|
|=----------------------=[ Hijacking RDS-TMC Traffic ]=------------------=|
|=----------------------=[    Information signal    ]=------------------=|
|=-----------------------------------------------------------------------=|
|=-----------------------------------------------------------------------=|
|=-----------------=[     By Andrea "lcars" Barisani     ]=--------------=|
|=-----------------=[                                   ]=--------------=|
|=-----------------=[                                   ]=--------------=|
|=-----------------=[      Daniele "danbia" Bianco       ]=--------------=|
|=-----------------=[                                   ]=--------------=|
|=-----------------------------------------------------------------------=|

--[ Contents

1. - Introduction
2. - Motivation
3. - RDS
4.
- RDS-TMC
2. - Sniffing circuitry
4. - Simple RDS Decoder v0.1
5. - Links

--[ 1. Introduction

Modern satellite navigation systems use a recently developed standard called RDS-TMC (Radio Data System - Traffic Message Channel) for receiving traffic information over FM broadcast. The protocol allows communication of traffic events such as accidents and queues. If the information affects the current route plotted by the user, it is used for calculating and suggesting detours and alternate routes.

We are going to show how to receive and decode RDS-TMC packets using cheap homemade hardware; the goal is understanding the protocol so that eventually we may show how trivial it is to inject false information. We also include the first release of our Simple RDS Decoder (srdsd is the lazy name) which, as far as we know, is the first open source tool available which tries to fully decode RDS-TMC messages. It's not restricted to RDS-TMC, since it also performs basic decoding of RDS messages.

The second part of the article will cover transmission of RDS-TMC messages, satellite navigator hacking via TMC and its impact on social engineering attacks.

--[ 2. Motivation

RDS has primarily been used for displaying broadcasting station names on FM radios and giving alternate frequencies; there has been little value other than pure research and fun in hijacking it to display custom messages. However, with the recent introduction of RDS-TMC throughout Europe we are seeing valuable data being transmitted over FM that actively affects SatNav operations and eventually the driver's route choice. This can have very important social engineering consequences. Additionally, RDS-TMC messages can be an attack vector against SatNav parsing capabilities.
Considering the increasing importance of these systems' role in car operation (which is no longer strictly limited to route plotting) and their human interaction, they represent an interesting target, especially combined with the "cleartext" and unauthenticated nature of RDS/RDS-TMC messages. We'll explore the security aspects in Part II.

--[ 3. RDS

The Radio Data System standard is widely adopted on pretty much every modern FM radio; 99.9% of all car FM radio models feature RDS nowadays. The standard is used for transmitting data over FM broadcasts, and RDS-TMC is a subset of the types of messages it can handle. The RDS standard is described in the European Standard 50067.

The most recognizable data transmitted over RDS is the station name, which is often shown on your radio display; other information includes alternate frequencies for the station (that can be tried when the signal is lost), descriptive information about the program type, traffic announcements (most radios can be set up to interrupt CD and/or tape playing and switch to radio when a traffic announcement is detected), time and date and many more, including TMC messages.

In an FM transmission the RDS signal is transmitted on a 57k subcarrier in order to separate the data channel from the Mono and/or Stereo audio.

FM Spectrum:

        Mono        Pilot Tone     Stereo (L-R)          RDS Signal
         ^               ^         ^           ^              ^^
     ||||||||||          |     ||||||||||  ||||||||||         ||
     ||||||||||          |     ||||||||||  ||||||||||         ||
     ||||||||||          |     ||||||||||  ||||||||||         ||
     ||||||||||          |     ||||||||||  ||||||||||         ||
     ||||||||||          |     ||||||||||  ||||||||||         ||
     ------------------------------------------------------------------
                        19k   23k       38k        53k       57k   Freq (Hz)

The RDS signal is sampled against a clock frequency of 1.11875 kHz; this means that the data rate is 1187.5 bit/s (with a maximum deviation of +/- 0.125 bit/s). The wave amplitude is decoded in a binary representation, so the actual data stream will be friendly '1' and '0'. The smallest RDS "packet" is called a Block; 4 Blocks represent a Group.
Each Block has 26 bits of information, making a Group 104 bits large.

Group structure (104 bits):

    ---------------------------------------
    | Block 1 | Block 2 | Block 3 | Block 4 |
    ---------------------------------------

Block structure (26 bits):

    ---------------- ---------------------
    | Data (16 bits) | Checkword (10 bits) |
    ---------------- ---------------------

The Checkword is a 10-bit error-protection code computed over the 16 data bits of every Block, since the very nature of analog radio transmission introduces many errors in data streams. The algorithm (a cyclic code with a fixed "offset word" XORed in for each Block position, so that the Checkword also tells the receiver which Block of the Group it is looking at) is fully specified in the standard and doesn't concern us for the moment.

Here's a representation of the most basic RDS Group:

Block 1:
    ---------------------
    | PI code | Checkword |       PI code   = 16 bits
    ---------------------         Checkword = 10 bits

Block 2:
    ---------------------------------------------------
    | Group code | B0 | TP | PTY | <5 bits> | Checkword |
    ---------------------------------------------------
    Group code = 4 bits, B0 = 1 bit, TP = 1 bit, PTY = 5 bits,
    <5 bits> = Group specific, Checkword = 10 bits

Block 3:
    ------------------
    | Data | Checkword |            Data      = 16 bits
    ------------------              Checkword = 10 bits

Block 4:
    ------------------
    | Data | Checkword |            Data      = 16 bits
    ------------------              Checkword = 10 bits

The PI code is the Programme Identification code, it identifies the radio station that's transmitting the message. Every broadcaster has a unique assigned code.

The Group code identifies the type of message being transmitted, as RDS can be used for transmitting several different message formats. Written together with the B0 bit that follows it, type 0A (00000) and 0B (00001) for instance are used for tuning information, while RDS-TMC messages are transmitted in 8A (10000) groups. Depending on the Group type the remaining 5 bits of Block 2 and the Data part of Block 3 and Block 4 are used according to the relevant Group specification.

The 'B0' bit is the version code: '0' stands for RDS version A, '1' stands for RDS version B.
The TP bit stands for Traffic Programme and identifies whether the station is capable of sending traffic announcements (in combination with the TA code present in 0A, 0B, 14B, 15B type messages). It has nothing to do with RDS-TMC and refers to audio traffic announcements only.

The PTY code describes the Programme Type: for instance code 1 (converted to decimal from its binary representation) is 'News' while code 4 is 'Sport'.

--[ 4. RDS-TMC

Traffic Message Channel packets carry information about traffic events, their location and the duration of the event. A number of lookup tables are used to correlate event codes to their description and location codes to GPS coordinates; those tables are expected to be present in the SatNav memory. The RDS-TMC standard is described in International Standard (ISO) 14819-1.

All the most recent SatNav systems support RDS-TMC to some degree: some systems require purchase of an external antenna in order to correctly receive the signal, while modern ones integrated in the car cockpit use the existing FM antenna of the radio system. The interface of the SatNav allows display of the list of received messages and prompts detours upon events that affect the current route.

TMC packets are transmitted as type 8A (10000) Groups and can be divided in two categories: Single Group messages and Multi Group messages. Single Group messages have bit number 13 of Block 2 set to '1', Multi Group messages have it set to '0' (counting the 16 data bits of Block 2 from 1 starting at the most significant one, this is the second of the <5 bits> that follow PTY).
Here's a Single Group RDS-TMC message:

Block 1:
    ---------------------
    | PI code | Checkword |       PI code   = 16 bits
    ---------------------         Checkword = 10 bits

Block 2:
    -----------------------------------------------------
    | Group code | B0 | TP | PTY | T | F | DP | Checkword |
    -----------------------------------------------------
    Group code = 4 bits, B0 = 1 bit, TP = 1 bit, PTY = 5 bits,
    T = 1 bit, F = 1 bit, DP = 3 bits, Checkword = 10 bits

Block 3:
    -------------------------------------
    | D | PN | Extent | Event | Checkword |
    -------------------------------------
    D = 1 bit, PN = 1 bit, Extent = 3 bits, Event = 11 bits,
    Checkword = 10 bits

Block 4:
    ----------------------
    | Location | Checkword |      Location  = 16 bits
    ----------------------        Checkword = 10 bits

We can see the usual data which we already discussed for RDS as well as new information (the <5 bits> are now described). We already mentioned the 'F' bit: it's bit number 13 of Block 2 and it identifies the message as a Single Group (F = 1) or Multi Group (F = 0). In Multi Group messages the 'T' and 'F' bits together with the first bit of the 'DP' field (not the 'D' bit of Block 3) identify whether this is the first group (TFD = 001) or a subsequent group (TFD = 000) of the stream.

The 'DP' field stands for Duration and Persistence: it contains information about the timeframe of the traffic event so that the client can automatically flush old ones.

The 'D' bit tells the SatNav whether diversion advice needs to be prompted or not.

The 'PN' bit (Positive/Negative) indicates the direction of queue events. It's opposite to the road direction since it represents the direction of growth of a queue (or of any directional event).

The 'Extent' data shows the extension of the current event, measured in terms of nearby Location Table entries.

The 'Event' part contains the 11-bit Event code, which is looked up on the local Event Code table stored in the SatNav memory.
The 'Location' part contains the 16-bit Location code, which is looked up against the Location Table database, also stored in your SatNav memory. Some countries allow a free download of the Location Table database (like Italy[1]).

Multi Group messages are a sequence of two or more 8A groups and can contain additional information such as speed limit advice and supplementary information.

--[ 5. Sniffing circuitry

Sniffing RDS traffic basically requires three components:

    1. FM radio with MPX output
    2. RDS signal demodulator
    3. RDS protocol decoder

The first element is a FM radio receiver capable of giving us a signal that has not already been demodulated into its different components, since we need access to the RDS subcarrier (an audio-only output would do no good). This kind of "raw" signal is called MPX (Multiplex). The easiest way to get such a signal is to buy a standard PCI Video card that carries a tuner with a MPX pin that we can hook to. One of these tuners is the Philips FM1216[2] (available in different "flavours", they all do the trick), which provides pin 25 for this purpose. It's relatively easy to identify a PCI Video card that uses this tuner; we used the WinFast DV2000. An extensive database[3] is available.

Once we get the MPX signal it can be connected to a RDS signal demodulator which performs the demodulation and gives us parsable data. Our choice is the ST Microelectronics TDA7330B[4], a commercially available chip used in most radios capable of RDS demodulation. Another possibility could be the Philips SAA6579[5]: it offers the same functionality as the TDA7330, though the pinout might differ.

Finally we use a custom PIC (Peripheral Interface Controller) for preparing and sending the information generated by the TDA7330 to something that we can understand and use, like a standard serial port. The PIC takes DATA, QUAL and CLOCK from the demodulator and "creates" a stream good enough to be sent to the serial port.
Our PIC uses only two pins of the serial port (RX and RTS); it prints ASCII '0' and '1' clocked at 19200 baud with one start bit and two stop bits, no parity bit is used. As you can see the PIC makes our life easier: in order to see the raw stream we only have to connect the circuit and attach a terminal to the serial port, no particular driver is needed.

The PIC we use is a PIC 16F84. This microcontroller is cheap and easy to work with (its assembly has only 35 instructions), furthermore a programmer for setting up the chip can be easily bought or assembled. If you want to build your own programmer a good choice would be uJDM[6], one of the simplest PIC programmers available (it is a variation of the famous JDM programmer).

At last we need to convert the signals from the PIC to RS232 compatible signal levels. This is needed because the PIC and the other integrated circuits work with TTL (Transistor-Transistor Logic, 0V/+5V) levels, whereas serial port signal levels are -12V/+12V. The easiest approach for converting the signal is a Maxim RS-232 driver/receiver[7] (the MAX232 family), a specialized integrated circuit used to convert between TTL logic levels and RS-232 compatible signal levels.

Here's the signal path of the setup, from the antenna to the serial port:

    antenna ---> FM1216 tuner, pin 25 (MPX out) ---> TDA7330 MUXIN
    TDA7330 DATA, QUAL, CLOCK ---> PIC 16F84 pins 6, 7, 8 (RB0, RB1, RB2)
    PIC 16F84 pin 18 (RA1, data) ---> MAX232 ---> DB9 pin 2 (RX)
    PIC 16F84 pin 17 (RA0, RTS)  ---> MAX232 ---> DB9 pin 7 (RTS)

Here's the commented assembler code for our PIC:

;
; Copyright 2007 Andrea Barisani
;                Daniele Bianco
;
; Permission to use, copy, modify, and distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
; WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
; MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
; ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
; WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
; ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
; OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
;
; Pin diagram:
;
;                    1  _______ 18
;                x  -|.   U   |-  -> DATA out (to RS232)
;                x  -|        |-  -> RTS out (to RS232)
;                x  -|   1    |-  <- OSC1 / CLKIN
;         MCLR  ->  -|   6    |-  -> OSC2 / CLKOUT
;    Vss (gnd)  ->  -|   F    |-  <- Vdd (+5V)
;         DATA  ->  -|   8    |-  x
;         QUAL  ->  -|   4    |-  x
;        CLOCK  ->  -|        |-  x
;                x  -|________|-  x
;                    9         10
;
; Connection description:
;
; pin 4 : MCLR (it must be connected to Vdd through a resistor
;         to prevent PIC reset - 10K is a good resistor)
; pin 5 : Vss (directly connected to gnd)
;
; pin 6 : DATA input (directly connected to RDS demodulator DATA out)
; pin 7 : QUAL input (directly connected to RDS demodulator QUAL out)
; pin 8 : CLOCK input (directly connected to RDS demodulator CLOCK out)
;
; pin 14: Vdd (directly connected to +5V)
; pin 15: OSC2 / CLKOUT (connected to a 2.4576 MHz oscillator crystal* )
; pin 16: OSC1 / CLKIN (connected to a 2.4576 MHz oscillator crystal* )
;
; pin 17: RTS output (RS232 - ''RTS'' pin 7 on DB9 connector** )
; pin 18: DATA output (RS232 - ''RX'' pin 2 on DB9 connector** )
;
; pin 1,2,3,9,10,11,12,13: unused
;
; *)
; We can connect the oscillator crystal to the PIC using this simple
; circuit:
;
;               C1 (15-33 pF)
;          ____||____ ______ OSC1 / CLKIN
;         |    ||    |
;         |         ___
;   gnd --|         ===  XTAL (2.4576 MHz)
;         |         ---
;         |____||____|______ OSC2 / CLKOUT
;              ||
;               C2 (15-33 pF)
;
; **)
; We have to convert signals TTL <-> RS232 before we send/receive them
; to/from the serial port.
; Serial terminal configuration:
; 8-N-2 (8 data bits - No parity - 2 stop bits)
;

; HARDWARE CONF -----------------------

        PROCESSOR   16f84
        RADIX       DEC
        INCLUDE     "p16f84.inc"

        ERRORLEVEL  -302            ; suppress warnings for bank1

        __CONFIG    1111111110001b  ; Code Protection disabled
                                    ; Power Up Timer enabled
                                    ; WatchDog Timer disabled
                                    ; Oscillator type XT

; -------------------------------------

; DEFINE ------------------------------

#define Bank0       bcf STATUS, RP0 ; activates bank 0
#define Bank1       bsf STATUS, RP0 ; activates bank 1

#define Send_0      bcf PORTA, 1    ; send 0 to RS232 RX
#define Send_1      bsf PORTA, 1    ; send 1 to RS232 RX
#define Skip_if_C   btfss STATUS, C ; skip if C FLAG is set

#define RTS         PORTA, 0        ; RTS pin RA0
#define RX          PORTA, 1        ; RX pin RA1

#define DATA        PORTB, 0        ; DATA pin RB0
#define QUAL        PORTB, 1        ; QUAL pin RB1
#define CLOCK       PORTB, 2        ; CLOCK pin RB2

RS232_data      equ 0x0C            ; char to transmit to RS232
BIT_counter     equ 0x0D            ; n. of bits to transmit to RS232
RAW_data        equ 0x0E            ; RAW data (from RDS demodulator)
dummy_counter   equ 0x0F            ; dummy counter... used for delays

; -------------------------------------

; BEGIN PROGRAM CODE ------------------

        ORG     000h

InitPort
        Bank1                       ; select bank 1
        movlw   00000000b           ; RA0-RA4 output
        movwf   TRISA               ;
        movlw   00000111b           ; RB0-RB2 input / RB3-RB7 output
        movwf   TRISB               ;
        Bank0                       ; select bank 0
        movlw   00000010b           ; set voltage at -12V to RS232 ''RX''
        movwf   PORTA               ;

Main
        btfsc   CLOCK               ; wait for clock edge (high -> low)
        goto    Main                ;
        movfw   PORTB               ;
        andlw   00000011b           ; reads levels on PORTB and send
        movwf   RAW_data            ; data to RS232
        call    RS232_Tx            ;
        btfss   CLOCK               ; wait for clock edge (low -> high)
        goto    $-1                 ;
        goto    Main

RS232_Tx                            ; RS232 (19200 baud rate) 8-N-2
                                    ; 1 start+8 data+2 stop - No parity
        btfsc   RAW_data,1
        goto    Good_qual
        goto    Bad_qual

Good_qual                           ;
        movlw   00000001b           ;
        andwf   RAW_data,w          ; good quality signal
        iorlw   '0'                 ; sends '0' or '1' to RS232
        movwf   RS232_data          ;
        goto    Char_Tx

Bad_qual                            ;
        movlw   00000001b           ;
        andwf   RAW_data,w          ; bad quality signal
        iorlw   '*'                 ; sends '*' or '+' to RS232
        movwf   RS232_data          ;

Char_Tx
        movlw   9                   ; (8 bits to transmit)
        movwf   BIT_counter         ; BIT_counter = n. bits + 1
        call    StartBit            ; sends start bit

Send_loop
        decfsz  BIT_counter, f      ; sends all data bits contained in
        goto    Send_data_bit       ; RS232_data
        call    StopBit             ; sends 2 stop bit and returns to Main
        Send_1
        goto    Delay16

StartBit
        Send_0
        nop
        nop
        goto    Delay16

StopBit
        nop
        nop
        nop
        nop
        nop
        Send_1
        call    Delay8
        goto    Delay16

Send_0_
        Send_0
        goto    Delay16

Send_1_
        nop
        Send_1
        goto    Delay16

Send_data_bit
        rrf     RS232_data, f       ; result of rotation is saved in
        Skip_if_C                   ; C FLAG, so skip if FLAG is set
        goto    Send_zero
        call    Send_1_
        goto    Send_loop

Send_zero
        call    Send_0_
        goto    Send_loop

;
; 4 / clock = ''normal'' instruction period (1 machine cycle )
; 8 / clock = ''branch'' instruction period (2 machine cycles)
;
;   clock        normal instr.   branch instr.
;   2.4576 MHz   1.6276 us       3.2552 us
;

Delay16
        movlw   2                   ; dummy cycle,
        movwf   dummy_counter       ; used only to get correct delay
                                    ; for timing.
        decfsz  dummy_counter,f     ;
        goto    $-1                 ; Total delay: 8 machine cycles
        nop                         ; ( 1 + 1 + 1 + 2 + 2 + 1 = 8 )

Delay8
        movlw   2                   ; dummy cycle,
        movwf   dummy_counter       ; used only to get correct delay
                                    ; for timing.
        decfsz  dummy_counter,f     ;
        goto    $-1                 ; Total delay: 7 machine cycles
                                    ; ( 1 + 1 + 1 + 2 + 2 = 7 )
Delay1
        nop

        RETURN                      ; unique return point

        END                         ; END PROGRAM CODE --------------------

Using the circuit we assembled we can "sniff" RDS traffic directly on the serial port using screen, minicom or whatever terminal app you like. You should configure your terminal before attaching it to the serial port: the settings are 19200 baud, 8 data bits, 2 stop bits, no parity.

# stty -F /dev/ttyS0 19200 cs8 cstopb -parenb
speed 19200 baud; rows 0; columns 0; line = 0;
intr = ^C; quit = ^\; erase = ^?; kill = ^H; eof = ^D; eol = ; eol2 = ;
swtch = ; start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R; werase = ^W;
lnext = ^V; flush = ^O; min = 100; time = 2;
-parenb -parodd cs8 -hupcl cstopb cread clocal crtscts
-ignbrk brkint ignpar -parmrk -inpck -istrip -inlcr -igncr -icrnl -ixon -ixoff
-iuclc -ixany -imaxbel -iutf8
-opost -olcuc -ocrnl -onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
-isig -icanon iexten -echo echoe echok -echonl -noflsh -xcase -tostop -echoprt
echoctl echoke

# screen /dev/ttyS0 19200

1010100100001100000000101000*000101001+11101111011111111110000001011011100
10101001++000001100101100*110100101001000011000000111010000100101001111111
0011101100010011000100000+000000000
...

As you can see we get '0' and '1' as well as '*' and '+': this is because the circuit estimates the quality of the signal, and '*' and '+' are bad quality '0' and '1' data. We only accept good quality data and ignore the rest; if you see a relevant amount of '*' and '+' in your stream, verify the tuner settings.
In order to identify the beginning of an RDS message and find the right offset we "lock" against the PI code, which is present at the beginning of every RDS group. PI codes for every FM radio station are publicly available on the Internet, so if you know the frequency you are listening to you can look up the PI code and search for it. If you have no clue about what the PI code might be, a way to find it is seeking the most recurring 16-bit string, which is likely to be the PI code (the Checkword that follows the PI is constant for a given station too, so the whole 26-bit Block 1 repeats unchanged in every group).

Here's a single raw RDS Group with PI 5401 (hexadecimal conversion of 0101010000000001):

01010100000000011111011001000001000010100011001011000000001000010100000011001001010010010000010001101110

Let's separate the different sections:

    Block 1:  0101010000000001   PI code (5401)
              1111011001         Checkword
    Block 2:  0000               Group code (0)
              0                  B0 (version A)
              1                  TP
              00001              PTY (1 - News)
              01000              <5 bits>
              1100101100         Checkword
    Block 3:  0000001000010100   Data
              0000110010         Checkword
    Block 4:  0101001001000001   Data
              0001101110         Checkword

So we can isolate and identify RDS messages; now you can either parse them visually by reading the specs (not a very scalable way, we might say) or use a tool like our Simple RDS Decoder.

--[ 6. Simple RDS Decoder 0.1

The tool parses basic RDS messages and 0A Groups (more Group decoding will be implemented in future versions) and performs full decoding of Single Group RDS-TMC messages (Multi Group support is also planned for future releases).
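Before moving on to the tool's output, here is an added example, written for this edited version and not code from the article or from srdsd, that implements the steps above in Python: it computes the 10-bit Checkword of section 3 from the generator polynomial and the five offset words that EN 50067 specifies, uses it to lock onto Group boundaries in the sniffer's raw stream without knowing the PI in advance, narrows the "most recurring 16-bit string" candidates down to those followed by a valid Block 1 Checkword, and decodes the Block 2 header plus the Single Group 8A fields of section 4. The 0A group is the one quoted above; the 8A group is rebuilt from the fields srdsd prints for frame 76 further down, with Checkwords computed here because the page does not show them; the leading and trailing junk bits and the bad-quality copy of the 0A group are constructed.

```python
from collections import Counter

RDS_POLY = 0x1B9   # g(x) = x^10 + x^8 + x^7 + x^5 + x^4 + x^3 + 1, x^10 term implicit
OFFSETS = {"A": 0x0FC, "B": 0x198, "C": 0x168, "C'": 0x350, "D": 0x1B4}  # EN 50067 offset words


def rds_crc(data16):
    """data(x) * x^10 mod g(x) over the 16 payload bits, MSB first."""
    reg = 0
    for i in range(15, -1, -1):
        feedback = ((reg >> 9) & 1) ^ ((data16 >> i) & 1)
        reg = (reg << 1) & 0x3FF
        if feedback:
            reg ^= RDS_POLY
    return reg


def checkword(data16, offset):
    """The 10-bit Checkword sent after a payload in the given Block position."""
    return rds_crc(data16) ^ OFFSETS[offset]


def block_position(block26):
    """Name of the offset word that validates a 26-bit Block, or None (error or misaligned)."""
    data, cw = block26 >> 10, block26 & 0x3FF
    return next((n for n, w in OFFSETS.items() if rds_crc(data) ^ w == cw), None)


def clean_stream(raw):
    """Sniffer characters -> (bit list, bad-quality flags); '*' and '+' are bad 0 and 1."""
    bits, bad = [], []
    for ch in raw:
        if ch in "01*+":
            bits.append(int(ch in "1+"))
            bad.append(ch in "*+")
    return bits, bad


def bits_to_int(bits):
    return int("".join(map(str, bits)), 2) if bits else 0


def pi_candidates(raw):
    """Count 16-bit windows like 'srdsd -P', but keep only those followed by a valid
    offset-A Checkword: this rejects the bit-shifted copies of the PI Block."""
    bits, _ = clean_stream(raw)
    counts = Counter()
    for i in range(len(bits) - 25):
        data = bits_to_int(bits[i:i + 16])
        if bits_to_int(bits[i + 16:i + 26]) == checkword(data, "A"):
            counts[data] += 1
    return counts


def find_groups(raw):
    """(position, [4 payloads]) for every 104-bit span whose Checkwords validate as
    A, B, C or C', D.  Spans containing bad-quality bits are dropped, as the text advises."""
    bits, bad = clean_stream(raw)
    pos, groups = 0, []
    while pos + 104 <= len(bits):
        blocks = [bits_to_int(bits[pos + 26 * i:pos + 26 * i + 26]) for i in range(4)]
        names = [block_position(b) for b in blocks]
        if names[0] == "A" and names[1] == "B" and names[2] in ("C", "C'") and names[3] == "D":
            if not any(bad[pos:pos + 104]):
                groups.append((pos, [b >> 10 for b in blocks]))
            pos += 104              # locked: the next Group starts right after this one
        else:
            pos += 1                # not aligned yet, slide by one bit
    return groups


def decode_group(payloads):
    """Common header of any Group plus the TMC fields of an 8A Single Group message."""
    pi, b2, b3, b4 = payloads
    g = {"pi": pi, "group_type": b2 >> 12, "version": "B" if b2 & 0x800 else "A",
         "tp": (b2 >> 10) & 1, "pty": (b2 >> 5) & 0x1F, "x": b2 & 0x1F}
    if g["group_type"] == 8 and g["version"] == "A":
        t, f = (b2 >> 4) & 1, (b2 >> 3) & 1
        g.update(user_message=(t == 0), single_group=(f == 1), dp=b2 & 7)
        if f:   # Block 3 / Block 4 layout of the Single Group message
            g.update(diversion=b3 >> 15, direction="-" if b3 & 0x4000 else "+",
                     extent=(b3 >> 11) & 7, event=b3 & 0x7FF, location=b4)
    return g


def build_group(pi, b2, b3, b4):
    """A 104-bit version A Group as a '0'/'1' string with correct Checkwords."""
    return "".join(f"{d:016b}{checkword(d, o):010b}"
                   for d, o in zip((pi, b2, b3, b4), "ABCD"))


# The 0A Group quoted in the text (PI 5401), Block by Block.
GROUP_0A = ("0101010000000001" "1111011001" "0000010000101000" "1100101100"
            "0000001000010100" "0000110010" "0101001001000001" "0001101110")
# An 8A Single Group TMC message rebuilt from srdsd's frame 76 output
# (PI 5218, TP=1, PTY=9, T=0 F=1 DP=0, D=0 PN=1 Extent=3 Event=115, Location 3084).
GROUP_8A = build_group(0x5218, 0x8528, 0x5873, 0x0C0C)
# Constructed sniffer output: junk, the 0A Group, a bad-quality copy of it, the 8A Group.
SAMPLE_STREAM = "110" + GROUP_0A + "*" + GROUP_0A[1:] + GROUP_8A + "01"

if __name__ == "__main__":
    print({f"{pi:04x}": n for pi, n in pi_candidates(SAMPLE_STREAM).items()})
    for pos, payloads in find_groups(SAMPLE_STREAM):
        print(pos, decode_group(payloads))
```

Running the script lists the PI candidates (5401 twice, 5218 once) and the two decoded Groups; the bad-quality copy of the 0A Group is recognised as a Group but skipped, which is the behaviour the text asks for. Once a Group has been validated this way the receiver stays locked by jumping 104 bits ahead, so the PI lock described above becomes a consistency check rather than the only sync mechanism. The same routine also verifies the raw Group quoted above by hand: the Checkword of PI 5401 in the Block 1 position is 0x3D9, i.e. 1111011001, exactly the bits that follow it.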
Here's the basic usage:

# ./srdsd -h

Simple RDS-TMC Decoder 0.1 || http://dev.inversepath.com/rds
Copyright 2007 Andrea Barisani ||

Usage: ./srdsd.pl [-h|-H|-P|-t] [-d ] [-p ]
  -t  display only tmc packets
  -H  HTML output (outputs to /tmp/rds-*.html)
  -p  PI number
  -P  PI search
  -d  location db path
  -h  this help

Note: -d option expects a DAT Location Table code according to
      TMCF-LT-EF-MFF-v06 standard (2005/05/11)

As we mentioned the first step is finding the PI for your RDS stream; if you don't know it already you can use the '-P' option:

# ./srdsd -P rds_dump.raw | tail

0010000110000000: 4140 (2180)
1000011000000001: 4146 (8601)
0001100000000101: 4158 (1805)
1001000011000000: 4160 (90c0)
0000110000000010: 4163 (0c02)
0110000000010100: 4163 (6014)
0011000000001010: 4164 (300a)
0100100001100000: 4167 (4860)
1010010000110000: 4172 (a430)
0101001000011000: 4185 (5218)

Here 5218 looks like a reasonable candidate, being the most recurrent string. Note that the runners-up are not independent candidates: a430, 4860, 90c0 and 2180 are 5218 shifted left by one to four bits, and the others are windows straddling the PI and the constant Checkword that follows it (shifted by six to ten bits). The whole 26-bit Block 1 repeats unchanged in every group, so every window over it scores almost as high as the PI itself; what singles out the real PI is that it sits on the group boundary and the 10 bits after it form its valid Checkword. Let's try it:

# ./srdsd -p 5218 -d ~/loc_db/ rds_dump.raw

Reading TMC Location Table at ~/loc_db/:
    parsing NAMES: 13135 entries
    parsing ROADS: 1011 entries
    parsing SEGMENTS: 15 entries
    parsing POINTS: 12501 entries
    done.

Got RDS message (frame 1)
Programme Identification: 0101001000011000 (5218)
Group type code/version: 0000/0 (0A - Tuning)
Traffic Program: 1
Programme Type: 01001 (9 - Varied Speech)
Block 2: 01110
Block 3: 1111100000010110
Block 4: 0011000000110010
Decoded 0A group:
    Traffic Announcement: 0
    Music Speech switch: 0
    Decoder Identification control: 110 (Artificial Head / PS char 5,6)
    Alternative Frequencies: 11111000, 00010110 (112.3, 89.7)
    Programme Service name: 0011000000110010 (02)
    Collected PSN: 02

...
Got RDS message (frame 76)
Programme Identification: 0101001000011000 (5218)
Group type code/version: 1000/0 (8A - TMC)
Traffic Program: 1
Programme Type: 01001 (9 - Varied Speech)
Block 2: 01000
Block 3: 0101100001110011
Block 4: 0000110000001100
Decoded 8A group:
    Bit X4: 0 (User message)
    Bit X3: 1 (Single-group message)
    Duration and Persistence: 000 (no explicit duration given)
    Diversion advice: 0
    Direction: 1 (-)
    Extent: 011 (3)
    Event: 00001110011 (115 - slow traffic (with average speeds Q))
    Location: 0000110000001100 (3084)
    Decoded Location:
        Location code type: POINT
        Name ID: 11013 (Sv. Grande Raccordo Anulare)
        Road code: 266 (Roma-Ss16)
        GPS: 41.98449 N 12.49321 E
        Link: http://maps.google.com/maps?ll=41.98449,12.49321&spn=0.3,0.3&q=41.98449,12.49321

...and so on.

The 'Collected PSN' variable holds all the characters of the Programme Service name seen so far; this way we can track (just like an RDS FM radio does) the name of the station:

# ./srdsd -p 5201 rds_dump.raw | grep "Collected PSN" | head

Collected PSN: DI
Collected PSN: DIO1
Collected PSN: DIO1 Co