System Failure 11
..>> yeah everybody's equal, just don't measure it.
` ``` ` '
, ,o8'` '8o,o8 8o,o8'` '8o,o8 8o,o8'` '8o,o8'` '8o8'` '8o.
, $$$: `"""' $$$$$: `"""' ,$$$$$: $$$$$: $$$: ÄË×ËÄÄ Ä
` ` `` ```""""^%ggggg. ```""""""^%ggggg.,g#7$$$$: $$$$$: $$$: È×ØËÄÄ Ä Ä
` .g#7. $$$$$: .g#7#g. $$$$$' `"""' Í¿ `"ý«$: $$$: -Ä××ÌÌÍÄÄ- Ä
, ,,,` ,, $$$: $$$$$: $$$$$: $$$$$: .g#7#g. ÌÄÄÍ» ` $$$: ºØÅÊÍÄ --
` $$$: $$$$$: $$$$$: $$$$$: $$$$$: ºÄÚ»ÃÍ-Ä>Ä>$$$: ×ÅÊÄÄ Ä
$$$: $$$$$: «Óý"'' `"ý"' ``"ý«: Áͼȼ ,: $$' `"'
$$$: $$$$$: l systemfailureleven? l: ,·g#$: $l nOnameascii
$$$: $$$$$: «·,,. ,g#g, .,,Ö«: $$$$$: $$, ,,,
`"` `$$$$: $$$$$: $$$$$: $$$$$: `ýÓ$$: $$$: $$$ '
anarchist l$$$: $$$$$: $$$$$: $$$$$:nmmmm l$: $$$: $$$
.,. ,$$$$: $$$$$: $$$$$: $$$$$: ,Ög$$: $$$: $$$ '
: : ::: $$$:: :$$$$$::: $$$$$: ::$$$$$: : $$$$$:: :$$$$$: ::$$$::: $$$ :: ::
$$$: .gggaa $$$$$: $$$$$: _.,Úya*- _ . `"' '' $$$ ' ''
`À*f_ $$$$$: `''_-` ` `` ` `` ' ` `
`` $$$$$:
³$$$$:: : haveweallgonesoinsane? ` '
³7Óý"' ,
³'
.----------------------------------------------------------------------------.
| System Failure: Issue #11 |
`----------------------------------------------------------------------------'
Greetings once again. As most of you have probably noticed, our domain is back
once again (it's about damn time), and several areas have been redesigned and
changed around a bit. We're currently making our DefCon plans, and we'll have
a lot of cool stuff to offer there. Much thanks goes out to Anarchist (once
again) for the opening ascii, Zhixel for this issue's ansi, and all the people
who contributed articles.
--Logic Box [4/24/98]
.----------------------------------------------------------------------------.
| http://www.sysfail.org/ |
| [sysfail@syfail.org] |
`----------------------------------------------------------------------------'
.----------------------------------------------------------------------------.
| CONTENTS |
| SysInfoTrade by SysFail Staff |
| Portable Hacking by Saint skullY the Dazed |
| Nortel's Millennium Payphone by Err418 |
| Basic UNIX Stealth Techniques by DrekHead |
| Spee vs. Raymond, Part II by Spanish Prince |
| The Inner Workings of GTE by Gwonk |
| English Hacker Gets Busted by Pinguino |
| SUID 101 by Skrike |
| Stop the Spam! Part II by Saint skullY the Dazed |
| Interview With Spanish Prince by Pinguino |
| Yet Another (Extremely Late) DefCon 5 Review by BarKode |
`----------------------------------------------------------------------------'
<-------+
| SysInfoTrade
+----------------> staff@sysfail.org
-- DefCon this year is going to be awesome; Pinguino and Jason Dube (Scattered
Comics) are building the ultimate backdrop/table design for both DefCon and
ComiCon. Also, the Scavenger Hunt is being planned out, and the Frequency Hunt
as well. Buy or borrow a scanner and bring it to DefCon so you can
participate.
-- The Celeron chip, a Pentium II-based 266MHz chip, is now available from
Intel, but currently only in volumes of 1,000 at $155 each (i.e. for full
pre-built systems).
-- http://members.tripod.com/~Drusus/tech.html/: Check that out! A road map
of compiled information that shows a hazy guideline of Intel's 5 year plan.
-- 2600 is still publishing, with late issues but still alive. Barnes and
Noble ran a memo to all their managers telling them to not put 2600 on the
shelves and to pull issues, because an article ran that explained the
technical aspects of the Barnes and Noble computer system.
-- Netscape's search engine contracts with Yahoo, Excite, AOL, Lycos, and
Infoseek are expiring next week. President Jim Barksdale is renegotiating the
contracts so that Netscape can become more of a retailer than a wholesaler of
services.
-- The European Union (EU) got pretty pissed at the US when they tried to redo
the domain structure. They gently reminded the US government that they didn't
own the Internet. The argument was over InterNIC, a US company under
government contract, administrating the top level domains. The Internet
Society set up a company called CORE, housed in Geneva, to run twenty-three
other domains. Negotiations between CORE and the US stopped the functionality
of CORE, who also believes that it should not make profits from administrating
the database.
-- Are you a webmaster? You can make money by putting a specific link on your
site to Mile High Comics. It's not a scam, it's easy money. Make 10% off back
issue comics ordered by people originating from your site. E-mail
pinguino@leper.org for more info.
-- System Failure now has its own FEFnet IRC server, irc.sysfail.org. Come
check it out.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Portable Hacking
by Saint skullY the Dazed (skully@sysfail.org)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
So you want to be able to hack from anywhere. Been looking at palmtops, but
just can't decide? Well, let's cut through the bullshit. While the new CE
machines look good, they are really lacking. First, they're slow. Second, they
require special software. While for many this isn't a problem, you want to be
able to do anything you want. Enter the Hewlett Packard LX series.
HP has a great line of palmtops that run DOS. Yes, DOS, not some watered-down
version of winbloze or proprietary OS. What does this mean? There are hundreds
of programs for it. Oldschool games, wardialers, you name it. The processor is
equivalent to a 286, with a monochrome CGA LCD screen. It does a full 80x25
console and has 20 built-in programs. It does anything you could want a
portable to do.
I use mine for both school and work. The built-in word processor has a great
feature for outlines and notes. Let me demonstrate.
I. These are my notes.
A. By simply hitting the promote and demote keys
1. I can write notes like this
2. with headers and everything.
B. The promote and demote are F7 and F8
II. Which is a really nice feature.
A. And you can even keep typing and typing and typing so you can have
multiple lines with no formatting
It also has a built-in macro program that is very powerful. I set mine up with
HTML codes, so I can code on this faster than I can with any editor. The
built-in terminal will do ANSI/vt100 (minus the colors) and download with
xmodem, ymodem or zmodem. It can connect either a PCMCIA type 2 modem or an
external modem using the built-in 9-pin serial port.
The standard LX comes with either 1MB or 2MB of RAM. This is split between the
640K memory and storage space, which is configurable on how much each gets. If
you need more storage, you can get a flash card that will hold up to 80MB.
Programs have been written with the palmtop in mind. If you need portable
e-mail, you can use the Datacomm application to connect to a shell and use
elm (or pine, ugh), or you can get a PPP stack or SLIP/CSLIP driver (such as
Netterm or WWW/LX) and connect to any provider that supports PPP or SLIP.
I can touch-type on mine, using a modified home row (3 fingers instead of 4),
and most people, even with larger fingers, have found that you can type on
this (unlike many CE machines).
And what about battery life? Well, today I replaced my alkaline batteries for
the first time since getting my new 100LX a month ago. Even with a PCMCIA
modem, I can still get 20-30 minutes of use on fresh batteries (PCMCIA modems
draw a lot of power). You can also put NiCad batteries in, and whenever you
plug in your 100LX it will charge the batteries.
All in all, the 95/100/200LX is the best series of palmtops I have used to
date. From being able to type on it, to running any of the thousands of DOS
apps available, to the size (able to fit in the pocket of my jeans easily), it
is by far the best of both worlds. Small and powerful. How many palmtops can
you say that about today? Sadly, HP has decided to discontinue production of
their DOS-based palmtops because of the Microsoft powerhouse pushing WinCE, so
starting with the 300LX, they went to CE. You can still find them for sale in
the newsgroups (comp.sys.palmtops) or on any of the auction houses such as
ebay, onsale, and haggle.
If you're wondering why this is formatted funny [Editor's Note: not anymore
it's not, neener neener], it's because I wrote it on my palmtop at a larger
resolution. At any rate, I need to get going; the bus is almost at my stop and
I need to go call those UK BBS's from Office Max, who ripped me off a while
ago. Good thing I have a PCMCIA modem and alligator clips, huh?
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nortel's Millennium Payphone
by Err418 (err418@technologist.com)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Hi! I'm Err418, and I'm from the 418 area code in Canada (Quebec). I'm the
president of a French H/P/C zine in Canada, which you can read at
http://totalcontrol.home.ml.org/ (if you speak French, that is).
Now, let's talk about the Millennium payphone. This digital payphone is a
pain in the ass for Canadian phreakers because a lot (90%) of the payphones in
Canada are Millennium, and they're impossible to redbox from because they are
independent from the telco's ACT tone system; they use a different line for
checking calling card and credit card numbers, and have their own rates. These
digital payphones are made by Northern Telecom (http://www.nt.com/).
Here is the technical description for the Millennium:
Height : 533 mm
Width  : 194 mm
Depth  : 155 mm
Weight : 19.5 kg (42 lb)
                  Temperature      Humidity
In Service      : -40 to 60 °C     95% maximum (at 40 °C)
Not in Service  : -50 to 70 °C     95% maximum (at 40 °C)
There's also a card reader that can read calling cards and credit cards (Visa,
MasterCard). The one that I have at home (American Magnetic model 170-TDA)
has a flat cable wire with 14 pins that is, in a Millennium, connected to a
controlling device. I don't have a controlling device at home, and I'm trying
to get the schematic of the reader. If you've got it, please e-mail a copy.
Another important part of the Millennium payphone is the LCD screen (2x20). I
don't know how the Telco controls ALL the LCD displays of all the Millenniums
in this area (I think 2600 had an article on it, I'm not sure). Wouldn't it be
nice if you could alter the LCD displays?
"Sorry, Bell Canada Sucks"
"Do you want free sex ? Call 1-800-288-2880, then press 0"
"Our customers are bad motherfucking stupid. We own them."
Also, the Millenniums have a lot of programming features. The default password
to access them is CRA-SERV (type it when the phone is hung up). I don't know
how to enter commands, but I'm trying to get a Millennium Programming Manual
from Nortel. For some reason, they don't seem to want to sell me one.
Finally, Nortel's digital payphones have an internal 1200 baud modem to
interface with it on a standard telephone line. The problem is that I don't
have any numbers to test it with. If you get some, try the Payphone Manager
that Cathode Ray is distributing at http://members.xoom.com/ray_dios_haque/
This is what I know about the Millennium payphone. I hope it helps you, or
teaches you something useful. See ya next time!
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Basic UNIX Stealth Techniques
by DrekHead (drekhead@arena.cwnet.com)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This text details basic stealth techniques to use on a UNIX machine in order
to avoid detection. Hopefully this will help sysadmins find unauthorized users
and help lame script kiddies be less lame.
I. Basic Log Files
------------------
90% of the paths to the files that log activities will be defined in
/etc/syslog.conf. Be sure to check this out in order to find out where they
are so that you can examine them and alter them. *NEVER* remove the entire log
file; nothing tips off an admin faster than when his 12 meg log file is
suddenly truncated to zero. In order to find if anything pertaining to you is
in the log file, you can "grep" or "tail" it. Now, when editing this file, you
can either "vi" it or use grep to remove all the lines for you. An example of
this: say you logged in from "haxor.net" and there are multiple "Failed ....
from asdfasd.haxor.net". You could either use vi and delete them by hand, or
you could:
grep -v haxor.net syslog > syslog.new
then
cp syslog.new syslog
There! you have just removed all references from syslog of your source.
Moral of the story: only remove information from log files that pertain to
you.
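An added, defender-side example (not from the article): the grep -v / cp trick
above rewrites a file that should only ever grow. If an admin records a log's
size and SHA-256 and later re-hashes only the bytes that existed at that time,
the result distinguishes a log that merely grew from one that shrank or had old
bytes rewritten in place. The sample log lines are constructed, and the
checkpoint format and function names are this example's own.

```python
import hashlib
import os
import tempfile

CHUNK = 65536

# Constructed sample syslog lines; not from any real host.
SAMPLE_LOG = (
    b"Apr 24 01:02:03 box sshd[101]: Accepted password for alice from 10.0.0.5\n"
    b"Apr 24 01:05:11 box sshd[102]: Failed password for root from asdfasd.haxor.net\n"
    b"Apr 24 01:05:14 box sshd[102]: Failed password for root from asdfasd.haxor.net\n"
    b"Apr 24 01:09:40 box cron[150]: (root) CMD (run-parts /etc/cron.hourly)\n"
)


def _hash_prefix(path, nbytes):
    """Return (bytes_read, sha256) of the first nbytes of path; None = whole file."""
    h = hashlib.sha256()
    total = 0
    with open(path, "rb") as f:
        while nbytes is None or total < nbytes:
            want = CHUNK if nbytes is None else min(CHUNK, nbytes - total)
            chunk = f.read(want)
            if not chunk:
                break
            h.update(chunk)
            total += len(chunk)
    return total, h.hexdigest()


def checkpoint(path):
    """Record the log's current size and the hash of everything in it."""
    size, digest = _hash_prefix(path, None)
    return {"size": size, "sha256": digest}


def verify(path, cp):
    """'ok': the old bytes are intact (the log only grew); 'shrunk': the file is
    smaller than at checkpoint time (grep -v, truncation, or rotation);
    'edited': same size or larger, but the old prefix no longer hashes the same."""
    if os.path.getsize(path) < cp["size"]:
        return "shrunk"
    _, digest = _hash_prefix(path, cp["size"])
    return "ok" if digest == cp["sha256"] else "edited"


def grep_v(path, needle):
    """Emulate the article's `grep -v needle log > log.new; cp log.new log`."""
    with open(path, "rb") as f:
        kept = [line for line in f if needle not in line]
    with open(path, "wb") as f:
        f.writelines(kept)


def demo():
    """Run the three cases in a scratch directory and return their verdicts."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "syslog")
        with open(log, "wb") as f:
            f.write(SAMPLE_LOG)
        cp = checkpoint(log)
        # 1. Normal operation: syslogd appends a line, old bytes untouched.
        with open(log, "ab") as f:
            f.write(b"Apr 24 01:10:00 box sshd[160]: Accepted password for bob from 10.0.0.7\n")
        results.append(verify(log, cp))
        # 2. The grep -v trick removes the two haxor.net lines: the file shrinks.
        grep_v(log, b"haxor.net")
        results.append(verify(log, cp))
        # 3. A same-length substitution keeps the size, so only the hash catches it.
        with open(log, "wb") as f:
            f.write(SAMPLE_LOG)
        cp = checkpoint(log)
        with open(log, "wb") as f:
            f.write(SAMPLE_LOG.replace(b"haxor.net", b"legit.org"))
        results.append(verify(log, cp))
    return tuple(results)


if __name__ == "__main__":
    print(demo())
```

The checkpoint must of course live somewhere the editing party cannot reach, such as a loghost or a write-once store, or it is just one more file to fix up.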
II. UTMP/WTMP Files
-------------------
UTMP and WTMP files are the database files that store information about
logins. The utmp file holds information about everyone who is currently logged
in; when someone logs out, their entry is no longer in the utmp file. The wtmp
entry is a log of everyone who has been on the system and how long they were
on for. To further help you understand, "who" reads from the utmp file, and
"last" reads from the wtmp file. This is almost always the first place an
admin will look when he thinks something is up. *NEVER* remove the utmp/wtmp
files; not only can you break certain programs like some UNIX/OS's login
programs, but this is a huge tip off to admins. It is true that without these
files, there is significantly less information about your source, but there
are other ways of getting around this.
There are programs out there like zap.c and zap2.c that will remove the
utmp/wtmp entries; however, these programs fucking suck and do a shitty job of
removing entries that can be tracked down if someone knows what they are
doing. I will soon be releasing a high quality, interactive utmp/wtmp utility
that does this in a way that is almost impossible to detect. In the meantime,
I would however recommend using zap or zap2, as they are better than just
deleting the whole file. If you have mad "dd" skillz you can dd the entries in
and out of those files but you have to know the exact size of the utmp struct
for the OS you're operating on.
III. History Files
------------------
FOR CHRIST FUCKING SAKE, DON'T LEAVE THESE AROUND!!! I recommend doing a
"rm $HOME/.sh_history" followed by a "mkdir $HOME/.sh_history". The path to
the machine's shell history may be different, so check your HISTFILE env
variable. Also be sure to "unset HISTFILESIZE", as command history is
sometimes just as bad.
IV. .rhosts files and hosts.equiv
---------------------------------
Don't leave these around everywhere. Use your head.
V. /etc/passwd
--------------
Don't fucking add accounts, bonehead. Take the passwd file if it is not
shadowed, but don't mod it.
VI. /etc/inetd.conf
-------------------
Don't add "/bin/sh" to inetd.conf without hiding it a little bit; if you want
to add a shell to inetd, create something that looks like it should be on the
system. The "/bin/sh" line sticks out like you wouldn't believe.
VII. Root Shells
----------------
If you're going to have a root shell, stealth its name well, and don't keep it
in the user's home directory, as that will stick out in a find. If you're
going to hide a root shell, put it where the legit suid binaries go.
VIII. Web Page
--------------
Modifying this is usually not something I would recommend doing when trying to
stay hidden.
IX. Ethernet Sniffers
---------------------
When you use these, keep in mind that the ethernet driver you are binding to
is going to be set to promiscuous mode, which will be noticed by any admin
that is worth his salt.
X. Common Sense
---------------
Use common sense. What would you look for if you thought your machine was
compromised? Use your imagination; the more arcane and creative a backdoor is,
the harder it will be to find.
Closing
-------
Once again, don't be an idiot; if you're going to hack, hack smart, and be a
gentleman. If you're an admin, this should keep you on your toes. Best of
luck to you folks. E-mail all comments to drekhead@arena.cwnet.com.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Spee vs. Raymond, Part II
by Spanish Prince (spee@sysfail.org)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Hi and stuff or something or other. Time to update you as to what's gone on
with my case against my school district for wrongly suspending/threatening to
expel me for voicing my thoughts on band in general and Raymond Walczuk and
give general info about the out-of-court settlement.
OK. After we filed our lawsuit (my dad and I), the lawyers and the school
district had already decided that they were going to settle, as they did not
need to go to a trial and have this whole thing turn into a media circus,
which we agreed with. It took about 3 weeks to get all the details of the
settlement ironed out....
The suspension will be removed from my record, with no mention of it ever
coming up in any file that will go to a college, etc. Also, the school has
written a letter to my dad and me apologizing to us for suspending me and
trying to censor my free speech and my right to air my thoughts. The letter
apologizing was 2 pages long and explained that they were sorry for what they
did.
That $550,000 that I was suing for wasn't even going to happen. Had this case
gone to trial, I had been advised by my attorneys that we'd be lucky to get
any money, and that the jury could just elect to give us legal fees. That
$550,000 was just a number that was to be bargained down from.
The amount of money that I received from the school district is $30,000. You
may think, "WTF Spee, why didn't you just sue for the 500k?" Well, first of
all, the school was already putting up the flag saying that they wanted to
settle and end this. I wanted this as well. Another thing is that if we had
gone to trial, the school would've told the press that they had already tried
to settle with me for 30k, and that I was just in this for the money. The
whole purpose of this thing was _not_ for the money, it was for free speech
and against the powers that the public school systems in America have today;
money was irrelevant, and I feel that the main issue in this case was proven,
that the school system cannot censor what students say on the internet and
wherever else outside of school grounds, not money.
Now, I know what you're all asking..."Spee, SHOW ME THE MONEY!" Now now...I
plan on putting most of it into some sort of stock/mutual fund in order to
save up for college (bleh) and all that jazz. The part that doesn't go into
the fund goes into the Spee Hardware Fund (TM).
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The Inner Workings of GTE
by Gwonk (gwonk@diversion.com)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
GTE serves a lot of areas all over the U.S. They are usually found in rural
areas, which means they are either behind, or they have a lot of things that
most urban places don't have. For example, the DMS-1, which is basically a
switching system that fits in a brown box the size of a small closet. These
are often found outside of very small rural communities on back roads.
GTE areas that are a little old use a "DMS-1 Urban Model" to serve small
communities and "suburbs". These brown boxes usually hum like a swarm of bees,
and are usually found next to fiber optic bridges' "white metal box" for
expansive purposes. The DMS-1 isn't very fun to play with, but it has about 20
marine batteries in the bottom of it, and lots of blinking lights. Usually,
there is a little booklet or card inside of it that tells you what all of the
pretty lights mean. Any of you that know GTE a little bit might have seen
these little "U-locks" with a triangle in the bottom of it that keep you out
of things like repeaters and fiber optic bridges. On unscrewing the triangle,
the "U-lock" comes off; the easiest way to unscrew the "U-lock" is with a
skinny 7/16 socket wrench (they just always come in handy, don't they?), but a
pair of needlenose pliers works also.
The reason that I call these things locks (when they are most obviously not)
is because when playing around with one of these DMS's, some people had the
brilliant idea to take out communications to who the DMS served. A day after
doing this, we, er "they" made it into the local paper, and the small article
said that we either "picked" the lock or took it off by force. Lock my ass. If
GTE couldn't figure out how we got in, they shouldn't be working with phones.
Now, GTE doesn't usually buy DMS-1's. If they don't put in a DMS-100, they
would put in a DMS-10, which is slightly better than a DMS-1. Hooray for
Nortel. Higher number, more expensive and better, just like an operating
system. More info on the DMS-10 is found on http://www.nortel.com/, and it is
basically the same as a DMS-1.
4-Tel is a system used by GTE that was created by the Teradyne
Telecommunications Division, basically just to test lines. When you dial into
a 4-Tel system (usually an 800 number), it will say "Hello, this is VRS 400.
Enter your ID code". Usually, the ID code is the last 5 digits of the
lineman's social security number. If the entry is correct, it says "Accessing
user record for __________, please wait. Password?" Then you enter the
password, which is usually the same thing as the ID code. Once in the system,
you are at the main menu. The main menu help commands are 0: Help, 1: Line
Test Menu, 2: Fault Location, 3: Special Tests, 6: Retrieve Test Results, 7:
Completion Test, 8: Exit, 9: Non-Testing Utilities. Since the number of
available system commands is much larger than the number of keys on a DTMF
hand set, the VRS 400 uses a layered menu structure, so many of the first
options bring up other menus. Commands that are available from the Main Menu
are Completion Test(7), Exit(8) and Help(0). Completion test executes a line
test after you repair trouble, and makes sure that the fault has been cleared.
The recorded information includes: user ID code, time and date, overall
results of the completion test. The rest of the options are menus, and I will
handle them one menu at a time.
Line Test Menu (1)
------------------
0: Help (Available from all menus)
1: Line Test
7: New Line Number (the number of the line to be tested)
8: Hear Again (available from all menus, just repeats the options)
9: Archive (available from all menus, saves the results of the test, which
gets deleted within 48 hours)
*: Previous Menu (available from all menus)
Fault Location Menu (2)
-----------------------
1: Short, Ground, or Cross Location (finds out what type of fault exists; this
is a long process, and if you want to know more, e-mail me, but no one but
a real loser should care :-))
2: Open Location (starts all Open Location tests on the CO side of the fault,
another painfully long process)
7: New Line Number
*: Previous Menu
Special Tests Menu (3)
----------------------
1: Special Line Test (performs initial special line test)
2: Loop and Ground (calculates the resistance between the pair under test and
ground)
3: Pull Dial Tone (don't get too excited, it only tries to force a dial tone
from a switch by shorting the line. The system counts the number of times
that a dial tone is successfully pulled in a specific number of seconds)
4: Pair ID (helps you identify a specific tip/ring pair by sending an audible
signal--alternating low and high tones--to the line under test... you can
listen to the tones with a normal handset; the Pair ID test continues until
you hit * or the 30-minute timeout is reached)
7: New Line Number
Non-Testing Utilities (9)
-------------------------
1: Select VRS Speech Mode (you can speed up your "work" with this)
2: Record Your Own Name (if you want to leave a message for the telco
employee whose social security number you have; what you record will be his
name the next time he gets in. :-) -- not a good idea)
This is all fine and dandy, but it's not really anything too useful unless you
are testing lines. When I first started playing around with this, I tried to
test a busy number. When you try to test a busy number, you reach the
"Subscriber Busy Menu". From there you can press 1 for Line Monitor, 2 for
Override and Test, and 3 for Wait for Idle. Line Monitor only causes the audio
state of the line to be examined (not what I was hoping for). Override and
Test causes the system to attempt to force the line to an idle state
(Disconnect Subscriber), and it is almost always successful; it also seems to
block out service for as long as it takes on the line you are running tests
on. Press 9 for yes, 6 for no. And that's about it.
Often, 4-Tel information, passcodes, and phone numbers are found on little
blue cards in GTE trucks, or if you are lucky, in the trash.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
English Hacker Gets Busted
by Pinguino (pinguino@sysfail.org)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
On April 18, 1998, a seventeen-year-old boy in England was arrested. The Abbey
National Bank in England was hacked the last weekend of March, and fingers
point at J.F. Apparently, there was a direct dialup to the bank, maintained by
the Datalock 4000 system. The hacker claims he was very careful, and thinks
that someone narked him out.
J.F.: Abbey National are totally playing it down--they wrote to me, I seen
their lawyers, they want it all *hush hush*... fuck that. It's coming
out, I their asses, they ain't getting away without media attention.
J.F. is a member of CoF (http://www.cofuk.com/). He was questioned that day
for three hours. Two hours after his arrest, Extreemuk was taken in as well.
The cops have Defiant's info, and he fears that he's up next for questioning.
J.F.: Defiant is a dumb fuck.
Ping: Hehehe.
J.F.: Man, there are sooo many LIES going around about what has happened. I
don't like the lies.
Ping: Clear some of this up for us.
J.F.: I was arrested on April 18th. They traced it back to the phone line
outside my house which I beige off, due to the big mouth of a certain
individual who I can't name. After searches, they didn't find anything
in my house, or on my computer, so I was released on juvenile bail. They
keep making me go back to talk to them. I think they can't, but my lawyer
told me that I have to be careful.
Ping: In England, can you be tried as an adult at 17?
J.F.: Nope. I am 18 in 3 weeks, but I am very lucky that I am still classified
as a juvenile.
Ping: What consequences do you think you'll be facing if they charge you as
guilty?
J.F.: Well, first of all, they have to gather enough info to charge me, but I
have been told only about 12-18 months due to the fact that I am a
juvenile. Fuck that shit, it's not gonna come to that. If I were 18, it
would be 5-7 years, so they keep lecturing me about how lucky I am.
Ping: Afterwards, will you be restricted from using a computer?
J.F.: For an extra 6 months or something daft (I think that's correct). Then I
will be severely punished if anything else happens.
Ping: Which, nothing will.
J.F.: Correcto.
J.F.: To be honest with you, I think nothing will happen. I am confident due
to what my lawyer has told me.
Ping: That's good.. is this going to go to press, with you appearing as the
victim, and the bank looking like a bad guy?
J.F.: That's what I am hoping. The bank is totally trying to cover it up. NO
PRESS activity.. they want it all quiet. I want it to erupt online.
Ping: Sounds good... what do you want people reading this article to do?
J.F.: You see... that's where I'm not sure, because I've never been in this
situation before....
Ping: They can tell their local press, send releases to AP Wire.. maybe you
should talk to Spee. He's good with getting coverage over legal matters.
=)
J.F.: Right. The problem at this stage is that I don't want to conflict with
other CoF members.. apparently they were talking with antionline.com
yesterday.
J.F.: Oh, and tell everyone they'll see me at DefCon, I'm coming all the way
from England. :o)))
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
SUID 101
by Skrike (skrike@ida.net)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Ok, this is for all you UNIX newbies out there. All you UNIX Gods out there
might want to skip this.
[NOTE: UNIX commands are surrounded by quotes (i.e. the program "passwd")]
First off, let's discuss some of the basics about how the UNIX system works.
When a user is added in the UNIX environment, they are assigned a user
identification number (UID). This helps the system identify who is running
what processes, and how to handle them. The root user, who is in charge of
system maintenance, is assigned the UID of 0. Anyone whose UID is 0 will have
the same abilities as the root user. This concept is simple enough to
understand.
Normally when a program is run, it assumes the UID of the user who is running
it. When a normal user is logged into a UNIX system, sometimes it is necessary
for this unprivileged user to be able to accomplish tasks that require root
privileges. One example of this is the "passwd" routine. When you want to
change your password, you run the program "passwd". The problem with this is
that the "passwd" program needs to edit the user field in the /etc/passwd
file. But no system administrator in the world is going to give a user read
access to the /etc/passwd file, let alone allow them to write to it. Another
example is the "mail" program. This program allows a user to stick a message
into another user's mailbox, but this needs to be done without letting the
user have write access to that user's directory. Well, this problem has a
solution.
In UNIX, a program may assume the UID of another user in order to accomplish
tasks otherwise unattainable for the unprivileged user. These programs assume
another user's UID, called SUID (SetUID). So instead of the program using the
UID of the person running it, it assumes the UID of the user who created that
program. This is often confusing when new users do a "ls -l" and see this as
a file permission:
-rwsr-xr-x
The "s" that is in the position of the owner's execute bit denotes that the
program is SUID. If you saw this file permission:
-rwxr-sr-x
This would denote that the program is SGID (SetGID), or it is set to run as a
program of a certain group (group identification).
To set a file as SUID or SGID, you add an extra number at the beginning of the
numeric mode you give to chmod. This runs along the same lines as the standard
read, write and execute.
We all know that read is 4, write is 2, and execute is 1, right? Well, SUID is
4, SGID is 2, and a sticky bit is 1. For instance, if you wanted to create a
file that had your UID and was able to be read and executed by everyone in the
world, you would type:
chmod 4755 filename
Anyone who executed that program would be running it as you. This can turn
into a potential security exploit in a number of different ways. For example,
say you're at school in your lab, and you leave your computer for just a
second. All a person would need to do to gain access to your account in the
future, without knowing your password, would be to copy the shell file you use
to a temp directory and change the mode on it to make it SUID as your UID, and
they can log in as you anytime they want. Here's how:
cp /bin/sh /home/hacker/victims-shell
chmod 4755 /home/hacker/victims-shell
All they would need to do is run this program, and they enter into a separate
shell; any command they execute while in this shell will be run with the same
UID as the victim. There are many programs that are SUID root, or SGID of a
superuser group that have potential security holes. It just takes some
exploring. Some things to look for:
* If a program is SUID, and it allows a shell escape in it, you are still
inside that program and executing commands with that UID.
* If a SUID program allows you to execute commands, those commands will be
executed with that user's UID. But be sure to look carefully.
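An added example from the admin's side, not from the article: a small Python
scanner that turns an `ls -l` string like -rwsr-xr-x into the numeric mode
using the 4/2/1 arithmetic described above, then walks a directory tree for
SUID/SGID files sitting outside the places legit setuid binaries live, which is
exactly where the copied-shell trick leaves its footprint. EXPECTED_DIRS and the
function names are this example's own assumptions; the scratch files are
constructed.

```python
import os
import stat
import tempfile

# Assumed list of directories where legitimate SUID/SGID binaries normally live.
EXPECTED_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/libexec")


def symbolic_to_mode(perm):
    """Convert an ls -l permission string ('-rwsr-xr-x') to the numeric mode
    chmod takes (0o4755): r=4, w=2, x=1 per triplet, SUID=4, SGID=2, sticky=1
    in the leading digit. Uppercase S/T means the special bit without execute."""
    if len(perm) != 10:
        raise ValueError("expected 10 characters, e.g. -rwsr-xr-x")
    mode = 0
    for i, ch in enumerate(perm[1:]):           # column 0 is the file type
        triplet = i // 3                         # 0=owner, 1=group, 2=other
        shift = 6 - 3 * triplet
        slot = "rwx"[i % 3]
        if ch == "-":
            continue
        if ch == slot:
            mode |= (4 >> (i % 3)) << shift      # r -> 4, w -> 2, x -> 1
        elif slot == "x" and ch in "sStT":
            expected = "t" if triplet == 2 else "s"
            if ch.lower() != expected:
                raise ValueError(f"{ch!r} is not valid in column {i + 1}")
            if ch.islower():                     # lowercase: execute bit is also set
                mode |= 1 << shift
            mode |= (stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX)[triplet]
        else:
            raise ValueError(f"unexpected {ch!r} in column {i + 1}")
    return mode


def find_suid_sgid(root):
    """Walk root and return (path, permission bits, uid) for each SUID/SGID file."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)              # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, stat.S_IMODE(st.st_mode), st.st_uid))
    return hits


def suspicious(hits, expected_dirs=EXPECTED_DIRS):
    """Keep only SUID/SGID files outside the directories where they are expected."""
    return [h for h in hits
            if not any(h[0].startswith(d + os.sep) for d in expected_dirs)]


def demo():
    """Reproduce the copied-shell case in a scratch directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victims-shell")
        with open(victim, "wb") as f:
            f.write(b"#!/bin/sh\necho constructed stand-in for a copied /bin/sh\n")
        os.chmod(victim, symbolic_to_mode("-rwsr-xr-x"))   # the text's chmod 4755
        with open(os.path.join(d, "notes.txt"), "wb"):
            pass                                            # ordinary file, no hit
        flagged = suspicious(find_suid_sgid(d))
        return [(os.path.basename(p), oct(m)) for p, m, _ in flagged]


if __name__ == "__main__":
    for path, mode, uid in suspicious(find_suid_sgid(os.path.expanduser("~"))):
        print(f"{oct(mode)} uid={uid} {path}")
    print(demo())
```

Run against a home-directory tree by a non-root user the bit is still set on the file, so the scanner finds it even though the kernel would honour it only for the file's real owner.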
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Stop the Spam! Part II
by Saint skullY the Dazed (skully@sysfail.org)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
In System Failure 10, Vect0r talked a bit about stopping spam. This document
takes that a step further, giving more detailed information.
There are basically two easy ways to reduce spam. Either block it at the
daemon level and make sure it doesn't even hit your box (useful for
sysadmins), or block it before your mail reader reads it.
Mail Daemons
------------
There are two major daemons in use today: sendmail and qmail. Sendmail seems
to be the de facto standard, even though every single version has had some
security hole or another. The current version is 8.8.8, which so far has no
known holes, but I'm not gonna hold my breath. The other daemon--which is
quickly gaining popularity--is qmail. I personally recommend qmail, as it has
not had one security hole documented, and there is a $1000 reward for anyone
who manages to document a hole in the software.
Sendmail
--------
If you plan on using sendmail, I'd first off recommend getting a book. "The
Bat Book," by O'Reilly and Associates, is a good choice (so called because it
has a large bat on the front cover). You will want to pay attention to the
sendmail.cf sections and really learn how to configure it.
The first thing you want to do is block any outside sites from relaying mail
through your server. I have no idea how this is done as I'm a qmail whore
(that's where the bat book comes in [unless someone wants to write this as a
future article]). You then want to block certain sites from sending mail to
you at all. The easy way to accomplish both is to set up an include file for
certain files to handle which domains can relay, who can not send mail to you,
etc. There are several sites with preconfigured spam-catchers.
Qmail
-----
Qmail is a drop-in replacement for sendmail (From the qmail README). Overall,
I have found qmail to be faster, easier, and just as powerful as sendmail.
Every machine I set up and am given control over gets qmail (because of
co-workers, I can't put it on every machine). I have compiled it mostly on
Slackware Linux boxes, and the first time I installed it on a FreeBSD machine,
it ran perfectly. The configuration is not kept in a single file but in the
/var/qmail/control directory. It can be as simple as just a local, rcpthosts,
and a me, or so complex that there are no fewer than 15 files. Most find the
ideal configuration for their machine in just 5 files or so. Let's take my
FreeBSD box running qmail as an example.
skully:/var/qmail/control$ ls -l
total 10
-rw-r--r-- 1 root qmail 19 Apr 5 19:05 defaultdomain
-rw-r--r-- 1 root qmail 73 Apr 5 19:06 locals
-rw-r--r-- 1 root qmail 19 Apr 4 01:51 me
-rw-r--r-- 1 root qmail 19 Apr 5 19:06 plusdomain
-rw-r--r-- 1 root qmail 19 Apr 6 21:28 rcpthosts
As you can see, I have 5 configuration files. Basically, to stop spam, I have
set up rcpthosts to disallow anyone from sending mail through me. Within
rcpthosts, I have a list of domains which are allowed to send through me.
Everyone else who tries to send to an address not contained in locals will get
a bounce.
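An added check, not from the original article and not qmail's own code, that applies two rules from the qmail documentation to a control directory like the one listed above: qmail-smtpd accepts a RCPT TO domain only if rcpthosts lists it (and accepts everything if rcpthosts is missing, which makes the box an open relay), while locals is only consulted by qmail-send, so a domain in locals but not in rcpthosts gets bounced at SMTP time. The control files it builds for its demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original article or from qmail: sanity-check a
# qmail control directory against two rules from the qmail documentation.
#  - qmail-smtpd consults rcpthosts (not locals) when it sees RCPT TO: a
#    domain not listed there is rejected (unless RELAYCLIENT is set), and if
#    rcpthosts is missing every domain is accepted, i.e. an open relay.
#  - qmail-send uses locals to decide local delivery, so a domain that is in
#    locals but not in rcpthosts is bounced at SMTP time before it ever
#    reaches a local mailbox.

# Does domain $1 match a line of rcpthosts file $2? A line that starts with
# a dot matches any subdomain (".example.org" matches "mail.example.org",
# but not "example.org" itself).
rcpt_allowed() {
    domain=$1; file=$2
    while IFS= read -r entry; do
        [ -z "$entry" ] && continue
        case "$entry" in
            .*) case "$domain" in *"$entry") return 0 ;; esac ;;
            *)  [ "$domain" = "$entry" ] && return 0 ;;
        esac
    done < "$file"
    return 1
}

# Check control directory $1. Prints one line per finding and returns the
# number of findings, so 0 means the configuration is consistent.
lint_qmail_control() {
    ctl=$1; findings=0
    if [ ! -f "$ctl/rcpthosts" ]; then
        echo "OPEN RELAY: $ctl/rcpthosts is missing, any RCPT TO is accepted"
        return 1
    fi
    if [ -f "$ctl/locals" ]; then
        while IFS= read -r d; do
            [ -z "$d" ] && continue
            if ! rcpt_allowed "$d" "$ctl/rcpthosts"; then
                echo "BOUNCE: local domain '$d' is not in rcpthosts"
                findings=$((findings + 1))
            fi
        done < "$ctl/locals"
    fi
    return "$findings"
}

# Constructed demo: a control directory whose locals contains one domain
# (other.test) that rcpthosts does not cover.
make_demo_control() {
    ctl=$(mktemp -d)
    printf 'example.org\n.example.org\n' > "$ctl/rcpthosts"
    printf 'example.org\nmail.example.org\nother.test\n' > "$ctl/locals"
    echo "$ctl"
}
```

Run `lint_qmail_control /var/qmail/control` on a real box; an "OPEN RELAY" line means rcpthosts never got written, which is the mistake that lets anyone send through you.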
This completes the protection to keep people from sending spam through you.
However, you may not want to get spam in your own inbox. This can again be
done at the daemon level, but it's much easier to just set up a filter. In
this case, we will use procmail (mentioned in Vect0r's article).
Procmail
--------
To use procmail, you should have access to the mail server where your mail
gets sent. The first thing to setup is .forward/.qmail. Use .forward if your
system uses sendmail, and .qmail if your system uses qmail. Add this line for
either one:
|IFS=' '&&exec /usr/local/bin/procmail -f-||exit 75 #<YOUR LOGIN NAME HERE>
If you use sendmail, enclose the whole line in quotes. Then you need to set up
your .procmailrc. Here's a simple example:
PATH=/bin:/usr/bin:/usr/local/bin
MAILDIR=$HOME/Mail #you'd better make sure it exists
DEFAULT=$HOME/Mail/other #completely optional
LOGFILE=$HOME/from #recommended
:0:
* ^To:.*BUGTRAQ*
bugtraq
:0:
* ^Subject:.*Entry*Guestbook*
guestbook
:0:
* ^To:.you
$HOME/Mailbox
That will filter anything from Bugtraq (which isn't addressed to you) to its
own mail folder, and all guestbook entries to the guestbook folder. Anything
addressed to you goes to your mail spool (if you use sendmail, change that to
/var/spool/mail/<yourlogin>) and anything not addressed to you (which is
usually spam) goes to the other folder. There is a lot more that can be done
with procmail, so read the docs for more info.
Conclusion
----------
Spam is relatively easy to deal with; you just need to take the time to set up
your mail daemons/filters correctly. Of course, the easiest way to keep from
getting spam is not to post to Usenet, be careful who you give your address
to, and have a separate e-mail account for anything you sign up for (like
pay-per-hit web thingies). Then again, maybe you like spam....
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Interview With Spanish Prince
by Pinguino (pinguino@sysfail.org)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
I conducted a recent interview with our newest group member, Spanish Prince,
who, as most of you know, was suspended from his school after speaking out
against his music teacher Raymond Walczuk on the world wide web
(http://www.raymondsucks.org/). Here it is:
Ping: What's the next stage of your trial? You settled, right?
Spee: Yup. It's over.
Ping: Who are you suing next?
Spee: Uhh no one.. if the school retaliates or if the teachers retaliate, then
it'll throw out the settlement and we'll go to trial, same if Raymond
tries anything.
Ping: How is Raymond treating you now?
Spee: He's treating me well, how I shoulda been treated before.
Ping: Do you think a lot of kids will put up myteachersucks.com, and what do
you think of that?
Spee: I think they will, they're entitled to do whatever they want to do.
Ping: What are some of the stranger publications you've been interviewed for?
Spee: Star 94 in Atlanta and abcnews.com.
Ping: How did the wire hear about the case?
Spee: My lawyers gave it a press release when this whole thing happened.
Ping: How many weeks has it been since your initial suspension?
Spee: 6 weeks.
Ping: What are you going to do with the money? Give it all out at DefCon?
Spee: No.. that's going to the Spee Hardware Fund.
Ping: Would you like reader donations to that?
Spee: Yeah I accept donations.
Ping: What kind of cellphone did you get?
Spee: AT&T Ericsson Alex100.. need e-mail on it.. speecellphone@sysfail.org. =)
Ping: Did having his full info on the page actually do any harm to Raymond?
Spee: Not that I know of.
Ping: What's Raymond like?
Spee: He's a good band director. It's not that he's a bad teacher, it's the
way he treated me.
Ping: Cool. Most band directors I know of are pricks. How's your newsgroup,
alt.fan.sean-obrien?
Spee: Not too many people carry it, but you can access it through DejaNews.
Ping: What's the weirdest fan mail you've gotten?
Spee: Someone fell in love with me after they saw my picture on the front page
of the local paper.
Ping: It was the encyclopedias, huh?
Spee: Yeah, that's it. I think it was the encyclopedias.
Ping: Everyone should have a set over their computer so they can pick up
chicks. You should sell that pic to Encyclopedia Britannica.
Spee: Yeah, I can be their spokesperson, tell them they can learn about the
first amendment and stuff.
Ping: Well, that's about it. Thanks Spee@#$!@#%^&
Spee: !@#$%^&*
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Yet Another (Extremely Late) DefCon 5 Review
by BarKode (barkode@slackware.org)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
In an effort to encourage people to go to DefCon 6 this summer, here's yet
another DefCon 5 review.
I woke up at 4:15 to a phone ring...my girlfriend wakes me up and tells me to
get ready.
Going to DefCon today.
Well, I spend the next couple of hours packing and getting ready, I wake up
Phelix at about 5:15, we've gotta leave by 6. We get to the airport, and I end
up having to boot my system for airport security... Phelix and I meet up with
DrekHead and Warchild.
Anyway, we end up playing a serial game of Descent II on our laptops on the
way to Vegas, an hour-and-fifteen-minute flight from 916 (Sacramento).
Arriving a few minutes early, we depart the airport in a taxi-van and make our
way to the MGM Grand Hotel, where we gotta drop off our luggage. Being only
about 9:00, we can't check in for a while, so we haul over to the Aladdin,
which isn't exactly as close to the MGM as the DefCon announcement file said
it was. Anyway, arriving 30 minutes early for registration, we ended up
waiting around for DT to show up. They started letting people in about 10:20
or so, and Drek and I were the first two people to register in, and I got the
first t-shirt. Well, there were hundreds of people in the hallway of the
Aladdin, so DT just started letting people in for free, and you had to
register on your own accord. Then they'd kick everyone out later and make them
re-enter the room. I ran into Richard Thieme who said hello.
Soon after they started letting people in, there were a few kids sitting
around with a hub. I jumped in and we started setting up a network. There were
a couple of Linux machines, and someone had an IBM laptop running AIX. Not to
mention a bunch of 95 machines. Well, we started up a network.
Phelix had no network card on the laptop he borrowed from me, so he went
serial PPP thru DrekHead's machine. I set up a web server and a "webcam" with
a QuickCam on my machine. Drek set up a nameserver using dc5.net as the domain
and we started taking hostname entries. We kept track of IPs and hosts on a
piece of paper, and people started jumping in. We got another hub and linked
it to the existing one. Drek got the exploit archive on public FTP and I
linked it from the web page. At this point we had about 8-10 laptops in our
group. We got this going within about an hour. I wish I would have saved a
copy of the trashed routing table we had.
Our group decided to take off and go back to the room for some reason. We got
the room, then lost our friend Jimmy... we spent the next hour or so paging
him and wandering the MGM, looking around. Finally we found him (he called the
room) and we made our way back to the conference room.
Well, the network connection was still down, but we needed the hub and cables.
I ended up trekking back to the hotel for it. I had to break the lock off of
my luggage, and then I walked all the way back to the conference room. On the
way there, I ran into some DefCon folks, a couple of guys and a cute girl. I
smiled at the group, and she said, "Hi BarKode!", I stopped, turned around,
and tried to guess at who she was. It was Courtnee, one of Phelix's friend's
and someone I met last year. We talked briefly and I continued to the
conference.
Unfortunately, we didn't need it anymore, as the T1 wasn't going to go up
tonight. We grabbed some food at a buffet in the Aladdin. Making our way back
to the conference room, Swift and Locke were still working on getting the
network up, and Las Vegas Digital Internet was not giving us the data... line
protocol was down.
The TCP/IP drinking game started, which wasn't as interesting as DefCon 4.
Mudge tried to get it going, but the audience participation sucked. Hacker
Jeopardy followed, which proved to be more interesting with the exception of
the fact that half of the questions sucked. I won a 4-wire repeater card for
answering a question like, "When did the UFO crash at Roswell, NM?".
At some point during the game, Pete Shipley and Voyager got in a fistfight in
the hallway and were arrested (or at least escorted from the conference). The
game continued and ended up with a very drunk Novacain and associates with a
negative score, and one team that had like 200 points. We made our way back to
the hotel room (without Phelix, who stayed behind) and passed out.
Saturday, I'm awakened by Prophet who stayed with us, who says it's almost 10,
and we all start getting ready. Phelix is passed out on the couch, I wasn't
even sure when he got there. After some commotion, we start towards the
conference again. After breakfast at the buffet place, we enter the network
room to find that the network is still down, but the Capture the Flag network
is starting up, unofficially. I set up a web server and the QuickCam, and bam,
I'm getting strobed by some machine. Well, my laptop's Linux kernel
(2.0.something) is patched, but I had booted it to 95 because I didn't have
QuickCam drivers for Linux. The network wasn't functioning properly anyway, so
I ended up just taking it off the net until the external connection came up.
I watch Mudge talk about NT security flaws and Challenge/Response for about an
hour, which prompts me to consider coding a dictionary cracker for no
apparent reason. Good thing I brought my hub, we end up using it to bridge the
external network to the CTF net. The external network isn't up yet, but we've
got the hub connected.
We chilled at our network table for a couple of hours as people joined us.
Over the next 3 hours or so I started writing a dictionary cracker in perl.
Where is that now anyway...
The T1 didn't work because it was wired wrong. It's 6:42 already and the network
still doesn't work. Well, Nightcat came by and set up his machine on the
network, with Windows 95 (unpatched for the recently released Out-of-band
bug). DrekHead and I decided it would be cool to nuke his machine, which we
proceeded to do. DrekHead coded a reverse-nuking program, which would wait for
a connection on port 139 and then nuke the connecting host before they had a
chance to nuke him, which wouldn't work anyway considering he's running Linux.
Well, we have Nightcat telnet to DrekHead's machine, which in turn crashes his
box and blue screens Win95. Word. Anyway, the external network connection is
completely fucked, (including the fact that the wall jack was wired wrong).
So the T1 doesn't work period.
Two shafty characters walk up to our table inquiring whether we had any laptops
to sell, and were very interested in whether or not they were stolen, and they
weren't. Once they found out they were legit, they jammed (gee, MIB?). So
DrekHead and Warchild say, "Yo, get a shirt." I approach DT about it, who
says, "Yo yo yo, I'm out of shirts for today." We end up just setting up to
get one after the conference. Although, all three of us should get one. I
wasn't really paying too much attention to the guy because I was writing
something while I was talking to him.
We find out that some guy hopped out of Nightcat's hotel window and stole a
satellite dish from the roof, then proceeded to drag it down the hallway of
the hotel, or something along those lines. KC comes in and sits next to me
with one of those large margaritas. We talk, and he offers to go get me one.
Well, I accept, and he brings me a quart of some really good margarita. I
weigh about 135-140, and I chugged about 80% in a few minutes after having not
eaten in a while. I got kinda tipsy, and KC was wasted. KC works with Java
security, and we had a good discussion on that while we had our drinks.
DrekHead, Phelix, and Warchild return from McDonald's to find me partially
intoxicated. After about 30 minutes, I'm sobered up.
Hacker Jeopardy starts again; this time Strat and Bruce Schneier are playing.
Bruce fields a few questions on crypto, and a good deal of questions end up
getting turned to the audience. I got pissed when Wynn passed me up on the
question regarding what PERL stands for (Practical Extraction and Report
Language) and picked the guy a few rows behind me. But I ended up getting a
bunch of stuff later anyway.
I talk to DT about my pictures, and he mentions that we should put up the pix
from my digital camera on defcon.org, which was cool. We planned on logging on
once the T1 went up, which it didn't.
Teklord comes up to me and suggests we take a walk down the strip and check
out the Luxor, New York New York, etc. Phelix goes off on his own thing as
Drek, Warchild, Teklord and his fiancee (Plucky), and myself all head towards
Tek's room to drop off some stuff and pick up some radios. We then go to our
room at the MGM and drop off our laptops. We make our way towards the New
York, New York, which turns out to be kind of closing up shop. We trek thru
the Excalibur to the Luxor on these elite people-mover things. The Luxor is
closing too. Getting bored quick, we try to ride the inclinators at the Luxor,
only to be denied by rent-a-cops. Attempting to foil their scam by getting to
the stairs didn't work. We start paging people like Emmanuel Goldstein over
the PA, but then Drek picks up a phone right next to Teklord and says "Yo,
this is <whoever was paged>" The operator connects them, then Teklord says
"Where are you?" and Drek replies, "Looking at you." Well, considering the
operator doesn't always hang up right away, we decide it would be good to
expedite our exit of that particular hotel. The Excalibur has even better
paging.
Teklord takes off to his room, and we go back to the MGM. I'm rather tired at
this point, but room service is very expensive. I put my shoes back on and go
back down to this huge hotel looking for food, only to find room service
prices. This sucks, so I go back up and order room service, which is $34 for
the three of us, not including Prophet.
Waking up the next morning, I find Phelix passed out on the floor; we have about
15 minutes to check out before they bill us more. So I run down to find a 100
person line to check out. However, there is a table that says, "Express Check
Out". I fill out a form in like 45 seconds and drop it in the box. The guy
says I can keep the keys (we had about 5 to 7 keys to the room). Word. I go
back up after I've checked out and get ready to jam. We head off to breakfast
in Prophet's G-Ride, a rented Ford Escort. We end up in the ghetto at a Carl's
Jr., which takes like 20 minutes to get us food. We talk for a while, then
Prophet drops us off at the Aladdin. Well, we're talking to folks and
listening to some speeches. Lots of free stuff gets given out. I take a bunch
more pictures.
Word on the Street says that some folks from the TDYC crew got a bunch of
soapy water dumped on them on their balcony from a room above.
Se7en gives an awesome speech on "What the Feds think of us". I may have
missed it but I believe he brought up "Hackers Against Child Pornography"
which probably everybody supports enthusiastically. Se7en and DT throw out even
more free stuff, DT throwing lots of books which either land up front or stuff
hits the ceiling, and then Cyber does his speech.
Things are wrapping up at this point, and DT puts a whole TON of stuff out on
the stage for people to rummage through. The GTE door is given away, and
people start to take off. Some guy hops up on stage and says his laptop got
stolen. Even though it's a Mac, people still go look for the guy that took it.
DrekHead, myself, and about 10 other people go searching for the guy. I'm not
sure if anyone ever found it.
Prophet pulls the car around front, and we make our way to the airport, after
saying bye to KC and some other associates. We meet up with some folks in the
airport and talk for a while, then it's back to Sacramento.
And that's my review of DefCon 5, I guess. I'm not sure why anyone would care.
Anyway, have a nice day.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
That wraps up issue 11. System Failure 12--our one year anniversary
issue--will be out toward the end of May (probably the last weekend of May,
due to the fact that I'm a lazy bastard). Be sure to check out our new FEFnet
IRC server (irc.sysfail.org) as well. See you next issue!@#$
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-E-O-F-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-