---[  Phrack Magazine   Volume 7, Issue 51 September 01, 1997, article 02 of 17

-------------------------[  P H R A C K     51     L O O P B A C K

--------[  Phrack Staff

0x1>-------------------------------------------------------------------------

Issue 50 proves that Phrack _is_ back, and better than ever. Congratulations to you and the rest of the Phrack staff for putting together what I think is by far the most informative issue to date. The quality of the articles and code (YES! Lots of code!) reflects the hard work and commitment that obviously went into this issue. I could go on, but I'm all out of lip balm. Thank you!

_pip_

    [ Thank you. We aim to please. ]

0x2>-------------------------------------------------------------------------

{ ...Bugtraq Phrack 50 announcement deleted... }

So What? Who cares? Get this crap off of the mailing list. Phrack is as much trash as 2600 or any other little idiot magazine.

    [ Thank you. We aim to please. ]

0x3>-------------------------------------------------------------------------

Juggernaut is way cool, man. Minor bug: you don't unset IFF_PROMISC on exit, so it's not terribly stealthy, but it's no big deal to fix. Anyway. Cool.

.techs.

    [ Although Juggernaut is *not* meant to be a 'covert' program you are completely right about that. I should unset promiscuous mode when the program exits. In fact, in version 1.2 (patchfile available in this issue) I include this very thing. ]

0x4>-------------------------------------------------------------------------

Hi! I've got the p50.tgz and well, played a little with Juggernaut. It's really cool but:

1) It doesn't compile so clean. You've forgotten to #include before

2) The spy connection part is not quite cool because you sniff and dump all the stuff that is coming from the dest. port and dest. host ... So if U try 2 spy say:

   193.226.34.223 [4000]   193.226.62.1 [23]

U spy in fact all the stuff that is coming from 193.226.62.1 [23] for ALL the conn. made to 193.226.62.1 on the 23 (telnet) port.
This will cause a cool mess on the screen. I've tried 2 restrict the spying by introducing a new cond. iphp->daddr==target->saddr in net.c ... it broke the spy routine. Maybe U'll fix somehow that thing..

All my best regards,
Sandu Mihai

    [ includes . The compilation of the program should go smoothly on any linux 2.0.x based system. Version 1.2 also fixes the TCP circuit isolation problem you allude to... ]

0x5>-------------------------------------------------------------------------

Thanks! This is a very impressive tool! Brilliant work!

Thank you,
--Craig

    [ Thank you. ]

0x6>-------------------------------------------------------------------------

I'm just writing this to say thanx for putting out such a kickass publication. Down here in 514 it's fuckin dead, you mention hacking and half the people don't have a clue what Unix is. It's fuckin pathetic, but I'm glad to say that your mag has helped a lot and I look forward to future issues, you guys really do make a difference in the hacking community. Thanx.

Snake Eyes

    [ Amen to that. ]

0x7>-------------------------------------------------------------------------

Hi! =8)

Why don't you (at Phrack) compile an updated Pro-Phile on known H/P Groups like the one in issue #6? So we - the readers - can know something more about the ACTUAL scene (but perhaps it's not worth it - ppl's sick of all that 3l33t d00dz ;)

I really appreciated that dox & srcs on spoofing, D.O.S., etc. HIGH technical quality, sources, articles, news.... and it's free! :P Ahh that's life! ;)

However, great job with the latest Phrack issues. To quote a friend of mine (talking of Phrack Magazine)...

> It's improved a lot with Deamon9 in command....

K, that's all. **PHRACK RULEZ!** (I had to say that :) Oh... and sorry for my english!

Cya....
-Axl-

    [ Not a bad idea. Perhaps someone would like to do an article on the existing groups out there for P52?
]

0x8>-------------------------------------------------------------------------

I would like to know what you suggest to get me headed in the right direction regarding the compromise of computers on the internet. Any information that you would be able to spare would be most appreciated.

atomicpunk.

    [ It's *all* about compromise. It's something you have to do. Be fair to them. Listen to them. Don't shut them out of your life. They are wonderful creatures... It's a give and take thing and sometimes, yes, you *have* to compromise -- that's part of having a mature relationship. ]

0x9>-------------------------------------------------------------------------

I recently locked into my car so I called a friend to come help me. When the slim jim was no help he decided to try another less known method. We simply took a stiff metal coat hanger and straightened it out and made a small loop in it. Then we took a small speaker wire about 3 feet long and tied a loop into one end so it would slide to make the loop smaller or larger. Then you take the wire and run it in through the loop in the hanger and pry the top edge of the car door open and slide both looped ends through, holding onto the unlooped ends. Then you use the hanger to position the loop in the speaker wire around the door lock. Once you have the loop in position you hold the hanger steady and gradually pull the loop tight around the lock. Once the loop is tight you just pull up on the hanger. This works on most all vehicles with top door locks and with a little prep. and practice can be done in under 2 mins. Also it's less conspicuous and easier to get than a slim jim, and they are cheap so no one cares to toss them out after breaking into an entire lot of cars. Hope you found this phile worthwhile.

C'ya
The Stony Pony

    [ Aspiring young car thieves among us thank you; however if you lock yourself in the car again, you might try unlocking the door manually.
]

0xa>-------------------------------------------------------------------------

HOW YOU KNOW YOU'RE A TRY HARD HACKER
-------------------------------------
By [Xtreme]

I just wrote this to tell all you try hard hackers something.

1) You go to other hacker pages on the web.
2) You think loading a program that waz made by a hacker is hacking.
3) The only thing you do is get the latest passwd file from your ISP.
4) You go to channels like #hack and ask for passwd files.
5) You don't know where to get warez.
6) You always telnet to hosts and type login: root password: root and stuff like that.
7) You brag about how you are a hacker.
8) You don't know C.
9) You're a girl.
10) You don't know what a shell is.
11) You don't know what Linux, FreeBSD and all those other UNIXes are.
12) You don't have a UNIX OS.
13) You think when using IRC war scripts, you're hacking.
14) Asking how to hack other people's computers.
15) You try cracking a shadowed passwd file.
16) You don't know if a passwd file is shadowed or not.
17) You ask what a T1 is.
18) You ask how to email bomb and you think email bombing is a form of hacking.
19) You're learning BASIC language.
20) You think you can get into hacking straight away.
21) You don't know how to set up an eggdrop bot.
22) You think .mil sites stand for a country.

    [ That is without a doubt, the dumbest thing I have ever read in my life. Not only do I award you no points, but we are all now dumber having read that. May God have mercy on your soul. ]

0xb>-------------------------------------------------------------------------

What command do I use to make your denial of service package work?

    [ You hit yourself in the head with a hammer. ]

0xc>-------------------------------------------------------------------------

I was scanning the 413 xxx 99XX range and I found some #'s. I have no idea what they do. I was wondering if you could help me out. Maybe call them and see what you find or something.
(413) xxx-99xx
(413) xxx-99xx
(413) xxx-99xx   These are all fax #s, I think
(413) xxx-99xx
(413) xxx-99xx   goes beep beep beep
(413) xxx-99xx   goes beeeep
(413) xxx-99xx   auto forward I think
(413) xxx-99xx   goes beeep beeep

    [ I tried calling these but I got no answer. Maybe the 'X' on my phone is case sensitive? ]

0xd>-------------------------------------------------------------------------

Sir,

I would like to know how I could get root permission from a simple user. I have read that this can be accomplished by setuid programs, and I have read an article describing the way this can be done in Phrack Magazine. Still I couldn't gain root access. I would be very interested in finding ways of doing this on Irix 5.2 or Solaris 2.5. If you know anything about this, please send me an e-mail. If you know any resources on the Web that detail the use of setuid programs in order to get root access, please tell me.

    [ P49-14 ]

0xe>-------------------------------------------------------------------------

>AND FOR THE LOVE OF GOD, SOMEONE NOTIFY MITCH KABAY...!<

Mich, not Mitch. "Mich" is short for "Michel."

M. E. Kabay, PhD, CISSP (Kirkland, QC)
Director of Education
National Computer Security Association (Carlisle, PA)
http://www.ncsa.com

    [ No, Mike is short for Michael. ]

0xf>-------------------------------------------------------------------------

Your zine is the best. Please send it to Psycho [email protected]

The Psychotic Monk

PS: Aohell rulez

    [ You are an idiot. ]

0x10>------------------------------------------------------------------------

Hi, Phrack people!

Great job on issue 50! Nice magazine. Article 'bout TTY hijacking is really superb. I have just one question to you. Are there any holes on the target system in this situation? There's a server, running FreeBSD 2.1.5, with shadowed passwords. I've got a dial-up account on that machine as a simple user. What bugs can I use for having root privileges?

Best wishes from Ukraine!!
OmegA

    [ find / -perm -4000 -print ]

0x11>------------------------------------------------------------------------

hello... long-time reader, first-time writer:

I know that all "submissions" are to be encrypted... and I should be encrypting anyways, but I'll make it quick ... besides, this isn't really a "submission..."

Congrats on reaching the 50th issue mark, and congrats on an excellent ish! I just have a quick question. I would like to reprint the for issue #50 on my web page, with a hypertext link to the Official Phrack Homepage (http://www.fc.net/phrack/ - correct?). I think it brings up some important points, and since it's copyrighted, and you aren't losers, I'd ask you (it's not like a simple copyright has stopped anyone before)!

thanks,
lenny

    [ A simple copyright may not stop people, but the simple restitution remanded by courts might. However, go ahead and put a hypertext link. The official webpage will be at phrack.com/net/org, SOON. ]

0x12>------------------------------------------------------------------------

In Volume Four, Issue Forty-One, File 3 of 13, Supernigger was featured in your Phrack Pro-Phile. Whatever happened to him? Did he "grow up and get a real job" or is he still lurking around?

- Styx

    [ Both. ]

0x13>------------------------------------------------------------------------

People @ Phrack:

In Phrack #50 in the file 'Linenoize' Khelbin wrote an article about remote BBS hacking, namely using Renegade's default 'PKUNZIP -do' command to overwrite the userbase with your own ... For some strange reason, while Renegade is booted, and if it runs PKUNZIP -do the procedure will NOT work... but the procedure DOES work when Renegade is down at the DOS prompt..? Does Renegade extract files into memory or something while testing for integrity? -8) .. I tried this out on 10-04, 5-11 and even 04-whatever-the-fuck-that-version-was and it didn't work..
I think Khelbin needs help for his chronic crack addiction since I can't find any way possible to get his article to work..

op: Taos BBS ~~~ Telegard v3.02

    [ We dunno. Anyone else have an answer? ]

0x14>------------------------------------------------------------------------

Regarding Xarthon's submission about Linux IP_MASQ in Phrack 50...

The masquerading code is not designed for security. Hardwiring RFC1918 addresses into the IP_MASQ code is not a clever idea for two reasons:

1) It diminishes the usefulness of the code. I have used masquerading to keep things running when my company changed internet providers. I masqueraded our old _valid_ IP range. Other people may come up with other valid uses, like providing redundancy through two ISPs.

2) The masquerading code is part of the Linux packet filter, which can certainly be configured to prevent spoofing, and quite a bit more. If the static packet filter and the masquerading code are used together they can provide as much security as a 'dynamic' filtering firewall like Firewall-1 in many cases.

A very short 'HOW-TO':

1) Put spoofing filters on all interfaces. Only allow incoming packets to the external interface if the destination address is that of the external interface (that's the address the masquerading code inserts as the source address of outgoing packets).

2) Insert rule(s) in the forwarding filter to masquerade your outgoing packets. You do not need to route incoming replies to masqueraded packets, that happens auto-magically. Deny everything else (and _log_).

3) Make sure the gateway does not run anything that leaves you vulnerable. Don't run NFS, the portmapper etc. Update sendmail, bind to the latest versions if you run them.

4) Disable telnet, and use 'ssh' for maintenance. If you must support incoming telnet connections through the firewall install the TIS firewall toolkit, and use one-time passwords.

5) Run 'COPS', 'Tripwire'.
6) Read a good book about Internet security, and make sure you understand all the issues involved before you configure _any_ firewall, even one with a GUI and a drool-proof manual.

I hope this is useful to some people.

Ge' Weijers
(speaking for myself only)

0x15>------------------------------------------------------------------------

You write in P49-06:

... The only sure way to destroy this channel is to deny ALL ICMP_ECHO traffic into your network.

No. It suffices to clear the content of the packets when passing the firewall.

ralf

    [ True enough. However, by doing this you remove the RTT info from the ICMP echos which will break some implementations which rely on it. ]

0x16>------------------------------------------------------------------------

Hi, I'm a Wannabe, maybe you would call me an idiot. Where do you guys hang out, IRC? Which channel, #supreme? Which server? Know any good trix for me how to learn more about hacking? Please answer my letter, I know that you get lots of letters, but please!!

    [ EFNet, #phrack ]

0x17>------------------------------------------------------------------------

You can't really say that IRC is for losers cuz in Phrack 50 I saw an article with some text taken from IRC, and you were logged in.

    [ We are losers. Ergo, yes we can. ]

Which good hack books, UNIX books or things like that do you recommend?

Thank You For An Answer!!

    [ Anything Addison Wesley or ORA. Also, many of the PTR/PH books. ]

0x18>------------------------------------------------------------------------

I am writing to inquire about the fate of Pirate Magazine and how I might contact its creators. It seems to have been out of circulation since 1990 and I was hoping to look at possibly organizing some kind of initiative to revive this excellent publication. I thought first to turn to Phrack magazine. Thanx for your time.

Joong Gun

    [ Anyone have any information?
]

0x19>------------------------------------------------------------------------

Hello, I just got Phrack 50 and loved it.... It is the first one I've got. I was wondering if you guys know about any other newsletters or magazines that are sent to your e-mail address or you can get off the web on a regular basis, like Phrack.

thanX

    [ Other magazines come and go on a pretty regular basis. Phrack is eternal. Phrack is all you need. ]

0x1a>------------------------------------------------------------------------

Please help me. If I can't join your club, please let me learn from you. I am interested in both program hacking and remote access. Thanks.

quattro

    [ You join our club if you can find our secret clubhouse. ]

0x1b>------------------------------------------------------------------------

hi. This is from a guy you probably will never hear of again, and definitely have never heard of already. I wanna ask you a question. At my school, people write crap on their backpacks with whiteout. I have never done this for 2 reasons:

1) I don't wanna be grouped with the poseur metalheads, etc. who write "Pantera" and "666" and "Satan" etc. but cannot name a song of theirs, and/or go to church....

2) I don't wanna be grouped with the wannabe hackers who write stuff like anarchy symbols, "Aohell", "Kaboom" and the such, because that's just plain lame. You have to feel sorry for people who think they are elite because they can mailbomb somebody.

Another reason I have never written anything is I haven't found anything worth advertising. Now I have, I wanna write "The guild" or something to that extent, maybe "r00t" or something. I have not done this for I do not want to piss you off (indirectly something may get to you about it. It could happen, remember the 6 degrees of separation? hehehe). If this is ok with you, lemme know please. ([email protected]) Also, if you're wondering why I'm mailing this to you alone, it is because you are a fucking badass. heh. Well, lemme know whenever ok?
thanks. (I know I have an absence of punctuation, I'm in a hurry and I have homework)

    [ You have our permission to write r00t on your backpack. ]

0x1c>------------------------------------------------------------------------

Yes I want to learn how to hack and need to learn fast. Js444 told me you can help. Will repay BIG. Thanks

    [ How big? ]

0x1d>------------------------------------------------------------------------

I sent this from your home page... is it X-UIDL? I dunno, it's 4 AM anyway. Um oh, keep in mind that ur response (if made) to this may be dumped to #hack, printed in the next Citadel knockoff or whatever. I was just like thinking oh, I was thinking "I don't have an Irix sniffer!"... actually my thoughts don't have quotes around them, it was more like ~o- all the Irix sniffers I have suck -o~ and then there's like Irix 4, 5, 6. Bah. And like sniffit sucks and anyway. And then I mentioned this and people were making fun of me, but I don't care. I only care lately when people are like, "Oh that's what you make? I'm 17, have a criminal record and make three times that!". Anyway, people are like, "No, no nirva is elite" so I thought, aha, I'll ask nirva what a good Irix sniffer is. Oh, like now that people are laughing at that I have to keep this quest like secret. I even think some Irixes don't have compile, like Solaris. Christ, some Solarises have jack shit. Anyway.

1) Why don't u log on #hack, or are you tres elite #!guild or beyond elite #www or #root #Twilight_Zone and more importantly

2) Irix sniffer - captures passwords, actually compiles. I hate coding. I am a lazy American. And like, getting legit root access on an Irix... bah, Irix sniffer!

Bye-bye hackers

oh PostScript

3) Are you a cyberpunk? If I ran Phrack I wouldn't like Mr. Tishler have "Are hackers in general geeks?" as the question _everyone_ gets, I think, Are you a cyberpunk? Would be it

    [ 1.
We do hang out on as many public channels as we can stand for at least a little bit of time each issue. But really why do you care if an editor of Phrack is there when people are shouting about their penis size and how many drugs they are on? If you want to talk about something, we are always available by e-mail and will usually talk to you by private msgs if we aren't busy doing something else at the moment.

      2. Anyone want to write us a really cool one?

      3. Who are we to change tradition? ]

0x1e>------------------------------------------------------------------------

Hello,

I wanna ask you something about the following problem. I'm really stuck (the 1st time ;-)) ! Is it possible to pass a firewall and access one of the domains behind it ?? I'm afraid that the sysadmins did their job fine :( I've got everything that I need but that damn wall.... I'll give you some info that I've obtained so far:

- IP-address of the firewall,
- All the domains + IP addresses behind this wall,
- The login-account of the superuser,
- All the open UNIX ports behind the wall,
- The company has no WWW-site but they do have an Intranet.

Portscanning gives me this: 21~=ftp, 23~=telnet, 25~=smtp-mail 220 x.x.x.x SMTP/smap Ready. This is at IP x.x.x.2 but I found out that also x.x.x.1 belongs to the same company with 3 other ports... 7~=echo, 9~=discard-sink null 79~=finger.

Is the only way to go by D.O.S. attack the firewall and then spoof the firewall's IP address ? But how to start ?? Would u be so kind to help me ??

TIA, theGIZMO

    [ fragmentation. ]

0x1f>------------------------------------------------------------------------

Ok, this might sound dumb, but, I think it would be cool to have this as a slogan.

"Blah, blah, blah, and along with your subscription, you'll receive a LIFETIME WARRANTY ON YOUR BRAIN!! That is, if for any reason your brain can't figure out a problem you're having hacking, just e-mail us with your question and we'll be glad to help you out.
Note: Please PGP encrypt all questions regarding hacking questions. Thank you."

Do you like it? Note that blah, blah, blah is whatever you would like it to be. Such as, "You can subscribe to Phrack Magazine by sending e-mail to [email protected] requesting you be put on the list, and along with your subscription......"

Ok, that's it.... write back if you like it.... or if you don't. Here is my PGP public key. Oh yeah... you might have gotten mail from [email protected]. That is me. So direct replies to those messages to this new address... Thank you.

    [ You're right. It does sound dumb. ]

0x20>------------------------------------------------------------------------

Hey, sorry to bother you but I just got Redhat Linux 4.1 in the mail. I think it's great besides the fact that I hear that it lacks security. How do I get PGP up in it? Is it easy to install? Thanks.

Killer Bee

    [ Yes, very easy to install. Read the documentation. It's different for different platforms. ]

0x21>------------------------------------------------------------------------

Hello

My name is Joseph and I am interested in any information you may have about the early days of hacking and the current hacking underground.. also I understand you are a member of the guild ?? What is this?

Joseph --> [email protected]

    [ The guild is like what r00t was before r00t got all famous and became greatly feared and admired. Oh. And we spend most of our time counting our millions and having sex with models. ]

0x22>------------------------------------------------------------------------

Hi there,

Do you know where I can find the Rosetta stone for interpreting the output of Solaris lockd & statd in debug mode? I can't find any public information about it, even on Sun sites. Sun Microsystems refuses to let their lab publish anything about interpretation of system call outputs. Are they afraid that they will be losing support contracts if this information gets out?
The man page does not include arguments to run in debug mode, and what's the point of providing the tools w/o the means to interpret the result? Teach a man how to fish ..... you know.

Thanks.
Christine

    [ Someone want to write an article on it? ]

0x23>------------------------------------------------------------------------

In regards to the article on Ethernet spoofing:

As an aside note for the highly paranoid: ethernet spoofing

Note: some of this is theorized, and might not be 100% accurate - if you get the gist of it, you should be able to figure out if it works for you.

It is possible to spoof ethernet hardware addresses as well. Some cards will allow you to do this easily, but you need to have card programming docs (check the Linux kernel source for your card driver-!!). Others won't let you do it at all, and require a ROM change, or worse it might be solid state logic on the card - EVIL. 'Course you might be able to get around solid state stuff by recoding the ROM, but I wouldn't recommend it unless you don't have the $70 to buy a new card, and have a month or two to spend in the basement.

... rest of stuff(tm) deleted ...

Interestingly enough, most of the Sun SPARCstations I've seen allow you to enter in any MAC address that you want using ifconfig(1M). I "know someone" who picked up a SPARC IPC for $50 (Can $$) and upon discovering that the battery that powers the IDPROM was deceased, we needed to fake a MAC address to get it to talk to someone. Sun's default is 0:0:0:0:0:0 but the 3Com card's MAC (from a different network) worked quite nicely.

Interesting concept the author has though, I'll f*ck around with the idea when I'm supposedly doing work =)

    [ MAC address spoofing techniques are well known about, especially under Sparcs. However, do some research, write some code and an article and submit it... ]

0x24>------------------------------------------------------------------------

I love your e-zine, it is the coolest thing I've read.

    [ Thank you.
It's the coolest thing we've written. ]

Please could you tell me any ways to violate the security of a "MacAdmin" based system on the Apple Macintosh.

    [ What's a Macintosh? ]

Mark "Vombat" Brown

May phrack and Fiona live forever!

    [ ...and may Phrack and Fiona do a joint project some time soon... ]

0x25>------------------------------------------------------------------------

Hey, I sent this to you because yer handle is shorter. Anyways, great job on issue 50, always a pleasure to read it, and in article 12, by Sideshow Bob, I was wondering about the "tail" command. I don't seem to have this nifty util, and was wondering if perchance, you knew where I could get a copy.

Also: the Skytel article sorta looked like an advertisement to me. Nothing against that, it's still pretty interesting to learn of Skytel's history, and of the nifty things out there, but I was wondering if it sounded like a detailed ad to anyone else.

But if you could help me out with the tail command, I'd be so grateful.

Joel Thomas

    [ Standard GNU utility. Try your local unix box. ]

0x26>------------------------------------------------------------------------

| G'day mate,
| I am a computer user in Camplong, Timor. I have limited internet access, as
| it is a long distance phone call from home. I have downloaded your issues
| 46-50 and haven't read through them all yet, but what I see looks good.
| What I need from you is a UUENCODER program so I can extract the included
| files.

    [ Standard GNU shell tool. Any Unix host will have it. Do a websearch to get it for Windows. ]

| I am also confused on how to extract the .c files from the text
| files(philes?).

    [ As it says in the header file: gcc -o extract extract.c then `extract filename` ]

| I am not a C programmer, but my dad is.

    [ That's nice. ]

|
| I need PGP.
| Although my side of the internet is safe, no one reading others'
| letters (the sysop is too dumb or something to even think about that), I want
| my mail to get where it is going in one piece, unread. Where can I find a
| free copy of PGP?

    [ Do a websearch. ]

0x27>------------------------------------------------------------------------

.. crack me up. Excellent social porno in your reader's letters section. Keep on commenting. Might start screaming soon.

Um, the guy from Slovakia might want to get hold of Bill Squire for information on smartcard programmers; as I seem to recall, he likes messing with these electronic devices.

Another thing; I thought DC was now just sticking to his viola? According to all the news he only started hacking because someone vandalized it? Wonder if I should have used the same thing in my case: "I plead not guilty, Magistrate sir, but the University's good-for-nothing courses drove me to it." Whatever it takes, I guess.. Yum.

-me.

0x28>------------------------------------------------------------------------

This is a response to p48-02 in which one "Mr. Sandman" proceeded to spew out eleven paragraphs of blatant misinformation. Rather than lumbering through a point-by-point rebuttal to his letter, I will quickly summarize what was wrong with it, and then state a few facts to clarify some things.

KoV never touched Skidmore. This is something that anyone who was in the group will attest to. And not just to follow the old "admit nothing, deny everything" plan. In reality, we NEVER touched it. In retrospect, I find it very odd that someone from New York would claim to know so much about the inner workings of a decidedly regional [Connecticut] hacker collective. While we weren't exactly xenophobic, we certainly didn't go out of our way to divulge information about ourselves to anyone outside the group (or the state, for that matter). This would explain why Mr.
Sandman's letter was riddled with insufferably laughable lies that were obviously the product of a jealous and dejected outsider.

One thing that needs to be put to rest is that we were certainly not "a bunch of egotistical and immature criminals" as Mr. Sandman would have you believe. The primary focus of KoV's efforts was not to "break into universities" or "make ourselves look bigger and more important than we were." We existed, first and foremost, to unify what was, at that time, a greatly divided scene. Squabbling and infighting among those few real hackers who were still around was leading to a critical breakdown at the fundamental level. Something had to be done, and fast. In an effort to bring together a group of like-minded individuals (not only from the hacker perspective but also in terms of anarcho-libertarian philosophy and ideology), I started KoV with an intentionally humorous name behind the acronym. It was an almost immediate success, and over time I certainly accomplished all that I'd set out to do, and then some.

The current state of the "Connecticut hacker scene" (for lack of better terminology) is much different than it was in the summer of 1994. People are working together, cooperating, and the incessant "civil wars" which plagued us back then are all but nonexistent today. I think I'd be well within my rights to credit KoV with helping to assure that those problems are now but a memory. It really bothers me when anonymous instigators like Mr. Sandman attempt to dishonor all the work that we did to get this far, without even really having a clue as to what we were (and are) all about. Perhaps he and his ilk could benefit from such groups as KoV. Because no matter how I feel about him and his actions...

"The more we fight among ourselves, the less of a threat we are to the system."

- Valgamon
Sat Jun 07 15:49:25 EDT 1997

0x29>------------------------------------------------------------------------

What up.
Yo, I'm a hack/phreak from back in the day (1984). My 1st BBS was on an Atari with a floppy drive and 64k! Nowadays, I do rap music and acting, live in Los Angeles (I'm from western NY), and run 900#s and adult websites.

Check this out, I need two thangs:

#1: FTP space for adult pix (not really important, since my host gives me unlimited space, but I have no anonymous ftp capabilities)
#2: Windows NT or unix

Can you help??

Have broom (music software) will travel (trade)

    [ We will trade you unix for a rap song about Phrack and a movie role for route. ]

0x2a>------------------------------------------------------------------------

This is in reference to the first part of your "PGP Attack FAQ," which addresses the length of time necessary to brute force IDEA. Perhaps I'm overly paranoid (naw...) or just a perfectionist, but I would like to point out two things about this:

1) Somewhat of an error in your math?
2) "As far as present technology is concerned."

"As we all know the keyspace of IDEA is 128-bits. In base 10 notation that is: 340,282,366,920,938,463,463,374,607,431,768,211,456. To recover a particular key, one must, on average, search half the keyspace. That is 127 bits: 170,141,183,460,469,231,731,687,303,715,884,105,728. If you had 1,000,000,000 machines that could try 1,000,000,000 keys/sec, it would still take all these machines longer than the universe as we know it has existed and then some, to find the key. IDEA, as far as present technology is concerned, is not vulnerable to brute-force attack, pure and simple."

Somewhat of an error in your math
=================================

OK, let's examine the math. For simplicity, let's say we only had one machine that could try 1,000,000,000 keys/sec. The number of seconds it would take for this machine to search half the keyspace, and thus find the correct key would be 170,141,183,460,469,231,731,687,303,715,884,105,728 divided by 1,000,000,000.
This would yield 170,141,183,460,000,000,000,000,000,000 seconds of maximum search time before finding the key. This in turn would be 2,835,686,391,010,000,000,000,000,000 minutes = 47,261,439,850,100,000,000,000,000 hours = 1,969,226,660,420,000,000,000,000 days = 5,395,141,535,400,000,000,000 years = approximately 5.395 sextillion years. If there are 1,000,000,000 of these machines as you suggest, then the years required for a successful brute force crack would be 5,395,141,535,400,000,000,000 / 1,000,000,000 = 5,395,141.5354.

So, it comes down to: are you saying that these 1,000,000,000 machines are acting as a collective entity, or can *each* one of these machines operate on 1,000,000,000 keys/sec and thus operate together at a speed of (1,000,000,000) * (1,000,000,000) = 1,000,000,000,000,000,000 keys/sec? If the first is true, then you are correct in saying that "it would still take all these machines longer than the universe as we know it has existed and then some," as it would take app. 5.395 sextillion years (scientists estimate that universal redshift shows the universe to have existed thus far for only 15 billion years). If the second is true, then it would take far less time than the existence of the universe at app. 5.395 million years... which could be compared to twice the amount of time human beings have existed on earth, or just a fraction of the time dinosaurs were here.

[ Hrm. Take it up with Schneier. ]

"As far as present technology is concerned."
============================================

How far is present technology concerned?! The Intel/Sandia Teraflops Supercomputer can reportedly perform 1.06 trillion floating point operations per second (refer to http://www.intel.com/pressroom/archive/releases/cn121796.htm). Assuming

[ Keep in mind that factoring and brute force key searches are integer-based calculations, not floating point operations.
]

one of these "instructions" can operate on, let's say, something around a 28th power float variable, then disregarding read/write operations, the system can search at 1.06 trillion keys/sec. This yields a total search time (before a successful "hit") of 170,141,183,460,469,231,731,687,303,715,884,105,728 / 1.06 trillion = 160,510,550,434,000,000,000,000,000 seconds = 5,089,756,165,470,000,000 years, or 5.089 quintillion years... still a ridiculous amount of time even on the fastest publicised system in existence.

Now, this system, the Intel/Sandia Teraflops Supercomputer, is made up of 9,200 200 MHz Pentium Pro processors. Being that they didn't have to buy them at markup/retail and they manufacture them from scratch for their own purposes, let's say it cost $500 per chip plus some negligible RAM and labor costs (how much RAM do you need when you have a gig+ worth of onboard cache, etc.). With 9,200 chips, the system would take about $4,600,000 to build.

A practical question: if federal taxation is 28% on an annual income of $80,000, where does all the money go? Well, let's say a billion dollars per decade goes to the NSA to build whatever they want. If the 9,200 chip system cost $4,600,000, then a little algebra reveals that with one billion dollars, the NSA could purchase approximately 2 million 200 MHz Pentium Pros. If the 9,200 chip system did 1.06 trillion keys/sec, then the 2 million chip system would be capable of approximately 230,434,782,609,000 keys/sec or app. 230 trillion keys/sec. Now, say the NSA is smart enough not to buy crappy x86 chips and instead get 500 MHz DEC Alpha RISC chips. This is 300 MHz, or 3 fifths, faster than a 200 MHz Pentium Pro approximately, so 230 trillion + (230 trillion * 3/5) = 368,695,652,174,000 or 368 trillion keys/sec. The original calculation yields that the successful search time would be 170,141,183,460,469,231,731,687,303,715,884,105,728 / 368,695,652,174,000 = 461,467,832,499,000,000,000,000 seconds = 14,633,048,975,700,000 years.
Ok, great... so now we're down to 14.6 quadrillion years of search time, which means that at least now we may get REALLY lucky and hit the right key within a certain degree of insanity. But, this was only a billion dollars we gave the NSA in a decade. If we're especially paranoid, let's say the government was so concerned over nuclear terrorists sending encrypted messages that the NSA got a TRILLION dollars to build a system. That divides the whole equation by a thousand, making the search time 14,633,048,975,700 years or 14.6 trillion years... STILL ridiculous. Ok, so let's say that now we're giving the NSA a HUNDRED TRILLION DOLLARS, thus dividing the search time by 100, yielding 146,330,489,757 years, which is about ten times longer than the existence of the universe. But now, if we had 1,000,000,000 of *these* machines working concurrently, the search time would wind up being 146.330489757 years. But, if each RISC processor were replaced with a small piece of nanotechnology, each piece of this nanotech being 100 times faster than the Alpha chips, you get 1.46330489757 years.

There ya have it... some classified nanotechnology, 100 trillion dollars, and a DAMN lot of landmass, all multiplied by 1,000,000,000, and you've brute forced IDEA in a year and a half. I won't go into the tedious calculations, but an object with the surface area of two of our moons would approximately be able to house this complex. Now, as I know you're asking about where to store all the keys... and the fact that this drive would be bigger than a solar system and so on, just have the keys generated using the same PRNG in the brute force attack... you'll just have three times the instructions (write for the generation, read to get it, write to compare it), so multiply the search time by three. The technology is possible... it's economics and territory that doesn't work.

[ Theoretically sure. But you have sorta just proved the point that it is not feasible.
]

--gKHAN

0x2b>-------------------------------------------------------------------------

The snippet in P50 in section 02 of the zine by Xarthon entitled

> Yet another Lin(s)ux bug! "IP_MASQ fails to check to make sure that a
> packet is in the non routable range." "So in conclusion, you are able to
> spoof as if you are on the inside network, from the outside."

is so incomplete I would almost call it a lie. The only way that Linux would do this is if the person setting up the IP-Masq system issued the command "ipfwadm -F -p masquerade", which, if you read the IP-Masq HOWTO, it tells you explicitly NOT to do for this very reason. My retort for Xarthon and all others who do stupid ass things like leave port 19 open and such is that Linux only sux if you do. To wit, don't be a moron, and you won't have to complain that it sucks.

Swift Griggs | UNIX Systems Admin

0x2c>-------------------------------------------------------------------------

Hi there,

I have a question regarding a certain piece of hardware that has come into my possession. Since this little piece of equipment contains no indications of its intended use, I have no idea what this thing could do. So here's a description of the little box; I hope you might be able to provide me with more information on what this device is supposed to do.

Description:

- light grey rectangular casing (13cm x 9cm x 3cm)
- front panel has one green LED, a connector labeled "SCANNER", and a little door which reveals two sets of dip switches (2 sets of 8, labeled "DIPSW1" and "DIPSW2")
- back panel has three connectors: an RJ4-like connector (only it has 6 lines instead of 4; it looks like a connector for a Memorex terminal) labeled "A", a standard IBM-PC keyboard connector labeled "B", and a small (9-pin) serial interface connector labeled "C".
- there is a sticker with a serial number, a barcode, and "Made in Taiwan" on the bottom
- the circuit board contains ICs from Sony, Philips, and Texas Instruments
- there is also one removable EPROM, made by AMD; it has a label on it which reads "V2.61 CS:EF88"

I have found that a normal keyboard plugged into connector B, while a KBD-to-RJ-jack cord is plugged into connector A, will allow the box to be placed between the keyboard and the kbd port; so my first guess would be that this is some kind of filtering device. But that doesn't explain why there is a serial connector and this "SCANNER" connector present.

So, do you know what this thing is?

-lucipher.

[ Readers? ]

0x2d>-------------------------------------------------------------------------

Hi, my friends. I am a newbie from China, and I have read some Phrack magazines. But to my surprise, I have not successfully compiled a program yet. I sent e-mail to the author, but the server tells me there is no such user. For example, phrack-49-15 describes a TCP port scan, but I cannot find ip_tcp.h; another paper tells me a way to guess passwords, and said the program only needs an ANSI compiler, but I could not succeed either. Oh, my god. I use SunOS, gcc. I need your help, thanks.

Yours,
keven zhong

[ Here at Phrack, we use TheDraw for ANSI compilers. I hope that answers your question.
]

0x2e>-------------------------------------------------------------------------

I'm just writing this to say thanks to all the hackers that represent Phrack and work hard to keep it going; you guys are truly keeping the new generation alive. If it weren't for Phrack I'd probably never have wanted to waste my time with computers; the technical info is first class and a lot better than most of the crap out there. I would suggest that maybe once in a while you guys could write some more stuff geared towards the newbies; it really is important, because most people who aren't familiar with the terms get completely lost. Down here in Montreal (514), most people think hacking is spreading virii or u/l shitty trojans; there's no talk about unix or networks. We really need some help down here; the scene is practically dead and most newbies don't have any support to help them get started. Anyways, I just want to say keep up the good work, and it's really appreciated.

--
| Return Address: [email protected] | Standard disclaimer: The views of this user are strictly his/her own.

[ Thanks, if anyone cool is in Montreal, e-mail this guy and revive your scene. ]

----[ EOF