FREQUENCY :  inside the hacker mind
FREQ25	          OCTOBER 2002
COVER – http://www.bobandchad.com/hackermind/images/freq25ab.gif

===========================

1.	“The Changing Times”
2.	Practical Examples of Social Engineering
3.	Hackers – A Declining State?
4.	VNC – The Good, The Bad, and The Ugly
5.	The Death of the Internet
6.	Review – “The Art of Deception”
7.	Random Stuff From the Net
8.	Crosstalk
9.	Closing Arguments
10.	Crew

===========================

“Only the educated are free.”
Epictetus (50 AD - 138 AD), Discourses


1.  “The Changing Times”

	You hit a certain age, and suddenly you hate hackers and all
they stand for…isn’t that the way it is?  Not in all cases, I assure
you.  Although in recent times I’ve found myself bombarded by people
who want to know if this odd phenomenon is happening to me, am I
cutting back the output of Hackermind due to a sudden hatred of
hackers?  
	Get real.  I’ve been into this stuff for almost twelve years
now, the idea of suddenly going against everything I’ve spoken out
about is absurd if you ask me.  I think I’ve laid out rather clearly
why Hackermind isn’t airing, so I won’t bother repeating myself. 
Nonetheless, I am at a point in my life where I have a ton of things
to think about…certifications, job hunting, finding a nice place to
live and starting a life for myself.  You’ll get there too someday,
and you’ll have the same things to think about.  
	It’s not easy, which is why I’m glad I have this ezine to
tell you all about it.  Saying it all on the air would have been
better, but I think this is almost just as good.  Long time listeners
may recall my frequent stories regarding college, dealing with
incompetence, switching schools, and so on.  Or perhaps you remember
Dash’s experiences with the law, or our encounters with
“hacker-hating” online.  Whatever the case may be, we always tried to
give people a heads up about what to expect in life.  Some of you
might have loathed the personal stories, but we know from feedback
that many of you were thankful.  That’s exactly what I’m doing now,
letting you see firsthand what it’s like to make one of the biggest
transitions of your life…and how you can still hold on to that hacker
ethic.
	You do feel a bit more grown up, more mature, but for the
most part you still think the same way you always have.  I say “for
the most part” because opinions on certain issues do change, but
that’s only natural.  It’s when you do a complete 180 that you have
to worry, like going from hacker supporter to FBI informant.  To me,
the things I’ve always condoned are still perfectly all right.  After
all, how can I go against what I used to believe, when I always
condemned invading home PC’s or destroying other people’s property? 
I was always about exploration and creation, so no, I won’t suddenly
agree with the MPAA.  Fuck ‘em.  And to even things out, fuck the
RIAA too.
	Personally, I’m looking forward to getting an interesting job
in computers where I can spread the hacker spirit, and so far I’ve
been met with open arms.  The school I’m attending is (are you ready
for this?) completely hacker friendly.  I’ve had instructors who have
encouraged me to get curious with the machines, to try things out,
and tell others what I find.  Probably because they themselves were
hackers.  Alright, so if people can maintain that hacker spirit when
entering the job field, why do so many others repent their former
hacker ways?  Getting busted is usually a big factor, many hackers
see how foolish it is to hack into a phone switch if it means going
to prison for a year.  Others find different, perhaps more social,
hobbies and find their old ways to be “childish” or “foolish.”
	These are only possibilities, and I’d like to assure you that
just because you find other things to be interested in does not mean
that hacker mind goes away.  The best advice I can offer is to
remember who you are, don’t let that fancy Porsche or $100,000 a year
paycheck cloud your mind too much.  If you stay true, and don’t buy
into the corporate bullshit that’s out there, you can be an active
participant in the business world while still maintaining your hacker
beliefs.  Not everyone will, but imagine if more people did.  Picture
a successful CEO thanking 2600 for pointing out a vulnerability…sound
impossible?  It’s not, not if you stay true.
	The best advice is to incorporate the hacker inside you into
the life you choose.  It would probably be a much more hacker
friendly world if you did.  Remember, times change, but the hacker
spirit lives on.
	And now, before we all fall asleep, welcome to Freq25.  -screamer

=================================================================

2.  ***  Practical Examples of Social Engineering  ***  By: dual_parallel (www.oldskoolphreak.com)

Humans.  These creatures are involved in every system that hackers
encounter.  Guess what - humans are the most vulnerable component and
a fruitful target for information gathering.  Surreptitiously gaining
what you desire is called social engineering (SE).  Surreptitiously,
here, does not mean without the target's knowledge.  It means the
target does not have knowledge of your motives or who you really are.
This is not to say social engineering always occurs face-to-face.
Social engineering can be used through the telephone, electronic
mail, physical mail, or through another person.
	This article will demonstrate (and hopefully inspire) the use
of social engineering, not through fictional scripts, but through
real world examples experienced or witnessed.

Retail Paging Systems
---------------------
Wal-Mart store phones have clearly marked buttons for the paging
system.  Wal-Mart is the exception, not the rule.  So how do you get
on the paging system to have a little fun when you're bored out of
your mind shopping with your girlfriend?  Social engineering, my
whipped friend.  Find a phone and dial an extension, preferably the
store op.  The key here is to become a harried employee, saying
something similar to..."This is Bill in shoes.  What's the paging
extension?"  More often than not, you'll get the extension without
another word.  Now, get some by saying something sweet over the
intercom.

Airport White Courtesy Phones
-----------------------------
Imagine you've already been strip searched and you're waiting for
your delayed flight.  Naturally, you gravitate to a phone.  Is it
white?  Then you've got a free call right in front of you.  Just pick
up to get the op.  "This is Bill at Southwest, Gate A5.  We're
swamped and our phones are tied.  Can I get an outside line?"  If the
phone does not have DTMF, or the op wants to dial the call for you,
do not call a number related to you.

Hotels
------
Hotels hold such promise.  Some hotels have voice mail for each room,
guests receiving a PIN when they check in.  Hotels also have "guest"
phones; phones outside of rooms that connect only to rooms or the
front desk.  Pick up a guest phone, make like a friendly guest and
say, "I forgot my PIN.  Could I get it again?  Room XXX."  Knowing the
registered name of the target room helps, for the Hotel and
Restaurant Management Degree Program graduate may ask for it.

Do not follow through with the next social engineering example.  Or,
like the author, try it on a friend.  Go to the front desk and tell
the attendant that you've locked your key (card) in the Laundromat,
in your room, lost it, etc.  Do not try this with
the attendant that checked you in.  And again, do not enter someone's
room without permission.

Calling Technical Support
-------------------------
So you've found a new-fangled computerized phone and you want to
learn more about it.  Do the same thing you do when you have trouble
with your AOL - call tech support.  First, do a little planning
(after getting the tech support number off of the phone or the web). 
Get some info on the phone, like phone number, model number, other
identifying numbers, etc.  Also, know the name of the facility in
which the phone is located.  Now that you've got some ammo, you're
ready to make the call.  Posing as an employee of the facility, call
tech support and make up a problem for the phone you've identified. 
Act a little dumb and be apologetic, acting like you don't want to
waste their time.  All the while, pumping them for information -
"I hate to bug you for this, but <insert problem here>."  <You'll get
some info from tech support here.>  <Build on what you've learned and
curiously ask another
question.>  And so on until you reach the point where you can feel
that it's time to end the call.  Occasionally acting amazed at their
knowledge may be helpful.

Calling AS Technical Support
----------------------------
The most famous examples of social engineering are the SE panels at
HOPE.  H2K2 saw Emmanuel change some poor soul's dinner reservations
and obtain customer credit information from a randomly chosen
Starbucks.  He called the Starbucks as tech support.

When you've determined what you want and where you want it from
(don't call MIT as tech support, by the way), make up a "report" of a
problem.  More than likely, there will be a problem, or the person
you call will have a question.  Questions are gold!  Even if you have
no idea what the target is talking about, you can of course fake it
and use that question as leverage to gain more information.

	Practice these easy-to-do examples of social engineering and
then extend the skills you gain to larger projects.  And no, Dade, do
not be funny when social engineering - that'll get you nowhere.  Most
importantly, do not use your SE skills for evil.  Have some fun, gain
the "forbidden" knowledge, and use your skills wisely.
==========================================================================


3.  ***  Hackers – A Declining State?  ***  By: Zero Tolerance

	First it was all about programming, making the most elegant
code you could, so that a program could come to life and do something
amazing.  That was a time where hackers were creators, artists, and
yes even magicians.  Then it was about exploration, using blue boxes
to route calls all over the world and really bringing the hacker
spirit to the people.  Eventually this changed, and hackers became
more interested in playing with systems they wouldn’t normally have
access to, and all of this could now be done from home.  Getting in
wasn’t really as important as using the machine once you were in
there.  These hackers loved to program, so they got access to
machines that would actually allow them to get some good cpu time.
	But what do we have today?  Everywhere I turn I see hackers
who are so obsessed with spotting vulnerabilities and exploiting them
that it becomes a type of addiction, how many computers can you
penetrate in a given week, or month, or year?  The concept of USING
the machines is gone, replaced with the mere thrill of “getting in.” 
This might raise a lot of hostility, but think about it, has the
state of “hackerdom” somehow declined to being nothing more than a
script kiddy free for all?  Have we let ourselves become so obsessed
with going where we’re not supposed to that the actual fun of
creating with computers has been all but forgotten?
	Now I know that there are still programmers out there, but
what are they doing?  Writing exploits!  They’re cracking security
for fun.  Sure they’re doing it an incredibly ingenious way, but why
aren’t more hackers actually creating things?  It’s rare you hear
about a hacker creating a program to help the average joe learn about
computers more easily, or a group working on an easier to use version
of Linux.  They do exist, but my point is their numbers are so small
as to be negligible.  And yet, the hunt for holes and vulnerabilities
goes on.
	Forgetting about script kiddies for a moment, how many times
have you yourself examined source code trying to find that one flaw,
that one strcpy() or undersized buffer, that will allow you to get
root with a little effort.  OK, I see about three hundred thousand
hands, now put them down.  How many of you have gathered up a group
of friends and started writing some software that will actually DO
something other than exploit a flaw?   How many of you have started
making operating systems that are easy to use, but that don’t forget
the spirit of open source?  Needless to say, the number of hands
really isn’t that many.
	A valid argument against this logic is that the good stuff is
already there.  Linux is already a fantastic operating system (if
people would give it a chance instead of buying every damn micro$oft
product that comes out), or GNU is coming out with a ton of free
software as we speak.  Fair enough, then let me ask this…how many of
you are currently working on making Linux better?  Or improving other
open source programs?  You can do that you know, that’s what open
source is all about ;).  Head over to mozilla.org and give modifying
their source a try, if you make a good enough improvement they might
even add it to the official product.  
	But how many people will?  How many people will actually try
creating something with a computer, instead of putting down everyone
else’s faulty software?  I don’t mean to suggest that improving
security by solidifying code isn’t important, but it sure would be
nice to see more people get a bit more creative.  If more people
stopped spending all their time bitching about crappy software and
actually tried writing some of their own, they might get a better
understanding of why it’s no easy task, not to mention get a better
understanding of what it truly means to “hack.”
	To conclude, I should stress that I never meant to compare
programmers searching for vulnerabilities to script kiddies who
exploit them.  I’m afraid some people may read this article and come
away with that impression, so let me assure you, that’s not the
message I wanted to convey.  However I do stand by my statement that
hackers as a whole seem to be declining these days.  You might
disagree, but I think it’s high time we stopped trying to prove how
easily something can be exploited (either through programming
wizardry or script kiddy attacks) and started showing the world what
we can actually do with our talents.  The hacker spirit will live on,
only in its more original sense.  Maybe then people will start
accepting hackers, and won’t mind so much when they do find a
vulnerability.  Oh well, just a thought.
==========================================================================


4.  ***  VNC – The Good, The Bad, and The Ugly  ***  By: Screamer Chaotix

	VNC, or “Virtual Network Computing” was created by AT&T
Laboratories Cambridge as a way of giving users remote control over
another machine.  Unlike telnet or other such remote control
applications, VNC allows a user to see the desktop and actively
interact with it.  Like other programs however, VNC has its
advantages and disadvantages, and that’s what I’d like to go over
today.  I won’t bother covering the history of the application,
that’s already been done at http://www.uk.research.att.com/vnc/.
	
Installation
	To begin, a user downloads either the Windows package or UNIX
package, depending on what type of machine they will be running the
server on.  The package includes both the “VNC Viewer” and “VNC
Server”, which should be pretty self-explanatory.  Users install the
server on the machine they’d like to have remote control over, and
adjust various settings (such as allowing or disallowing keyboard use
on the remote machine by a connected client, setting a password,
etc).  Once tailored to the users liking, the user can install the
same package on a remote machine and run the viewer.  From here, it’s
a simple matter of entering in an IP address and then typing the
password.  Once logged in, the user can control the remote machine in
real time.  Any actions done on the machine will remain that way, and
can be seen by anyone else currently on that computer.  Whatever
control the original installer of the program had is the same control
the remote user has, and therein lies one problem…but I’ll get to
that in a bit.
 
The Good
	VNC can be a great tool for people wanting to use their
machines from far away without having to bother with shell accounts
or the like, but other uses have been found as well.  One use I’ve
found for it allows friends and family to view a private website I’ve
set up on my home LAN.  Like the great power they are, Optimum Online
(our “friendly” cable provider here in Connecticut) won’t allow you
to set up a web server on their network.  You could get around this
by changing the port, but too much traffic will most likely be
noticed, and why risk losing my access when there’s another
workaround?  By installing the VNC server on a separate, Win98
machine, people were able to VNC in and use a browser to visit the
otherwise inaccessible site.  True, this is not the most efficient
way of doing things, but there are other, more “hackerish” uses.
	Playing on a home network is great, but it’s even more fun
when you have a few friends login and join you.  Shell accounts are
good, but logging into Windows machines leaves a bit to be desired. 
Through the use of VNC, people can connect to one machine, and simply
use Network Neighborhood or a dos window to browse through the other
machines and have all sorts of fun.  Once, me and a friend were both
logged into a Win98 machine (check the properties of the VNC Viewer
to be sure you allow simultaneous connections) and actually found
ourselves fighting over the mouse pointer!  Using a mere notepad
file, we had an amusing time chatting with one another while
simultaneously playing with the box.  The possibilities are
limitless.
	One thing I hear people yelling right now is, is it OS
dependent?  The answer is, no.  Linux users (running X of course) can
open up the viewer, enter in the IP of a Win machine, login, and
bingo!  Windows as seen through the eyes of Linux.  Some cry
blasphemy, I say it’s pretty darn cool.
 
The Bad
	I suppose this section is only “bad” depending on how you
look at it, but VNC does pose an often overlooked security risk. 
Running on port 5800, it’s often all too easy to set nmap to scan for
open ports all night long.  Once found, one need only connect to each
IP and try some common passwords (and considering these are probably
personal PC’s, the passwords are most likely a trivial joke).  The
only real security is that the VNC Viewer will close if an incorrect
password is given, but there’s a way to give an attacker a better
chance of getting in.  By merely opening a browser and heading to
http://12.34.56.78:5800, you’ll receive a java login prompt.  Some
machines have different settings, but I’ve
found most allow 5 login attempts via this method.  Typical passwords
may include “password,” “admin”, “administrator”, “12345” or “asdf”. 
You may also want to try the computer name, which is so generously
shown in the title bar of the browser window.  Once in, the user’s
desktop is at your control.  Unlike one of those sad little Trojans,
you will actually have access to everything, all of which appears in
a real time GUI window.  
	With no username required, VNC looks to be the backdoor of
the new millennium.
 
The Ugly
	VNC, aside from posing a security risk, has its drawbacks. 
For one, regardless of your connection speed it’s extremely laggy. 
While it does provide a great way to use your home PC from a remote
location, a lot of patience is required.  If anything, I’d recommend
it for making routine checks on a machine you keep running.  If your VNC
password is secure enough, you should find this to be a reliable way
of monitoring your machine remotely.  
	Aside from performance, the fact that anyone who logs in gets
complete control of the machine can be quite disconcerting.  For one
thing, they can shutdown the machine.  A person on the road will most
likely have a hard time turning the machine back on without a little
help.  That’s not the worst thing that could happen though, imagine
my horror as I watched my friend open up regedit.  I’ll leave the
other possibilities up to you.
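
A defender-side check for the exposure described under The Bad and the password advice under The Ugly, added here as an example and not part of the original article: it flags VNC listeners bound to non-loopback addresses in `netstat -an` output and tests a candidate password against the guesses the article lists. The sample netstat text and function names are constructed for illustration; the 5900 RFB port range and the 8-character limit of classic VNC authentication come from outside the article.

```python
import re

# The article names port 5800 (Java viewer over HTTP).  By the usual VNC
# convention, display N uses 5800+N for HTTP and 5900+N for the RFB session.
HTTP_BASE, RFB_BASE, MAX_DISPLAY = 5800, 5900, 9

# Guesses the article lists as typical for personal PCs.
COMMON_PASSWORDS = {"password", "admin", "administrator", "12345", "asdf"}

# Classic VNC authentication only uses the first 8 characters of a password.
VNC_PW_LEN = 8

ENDPOINT = re.compile(r"^(.*):(\d+)$")

# Constructed sample of `netstat -an` output, not captured from a real host.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135        0.0.0.0:0         LISTENING
  TCP    0.0.0.0:5800       0.0.0.0:0         LISTENING
  TCP    0.0.0.0:5900       0.0.0.0:0         LISTENING
  TCP    127.0.0.1:5901     0.0.0.0:0         LISTENING
  TCP    192.168.1.20:5800  203.0.113.9:4312  ESTABLISHED
  TCP    192.168.1.20:139   0.0.0.0:0         LISTENING
"""


def vnc_role(port):
    """Return (role, display) if the port is in a VNC range, else None."""
    for base, role in ((HTTP_BASE, "http-viewer"), (RFB_BASE, "rfb")):
        if base <= port <= base + MAX_DISPLAY:
            return role, port - base
    return None


def is_loopback(address):
    return address.startswith("127.") or address.strip("[]") == "::1"


def find_exposed_listeners(netstat_text):
    """List (address, port, role, display) for VNC listeners reachable
    from other machines.  Accepts Windows and Linux netstat layouts."""
    exposed = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields or not fields[0].lower().startswith("tcp"):
            continue
        if not {"LISTEN", "LISTENING"} & set(fields):
            continue  # established sessions are not listeners
        # The first addr:port token on the line is the local endpoint.
        local = next((m for m in map(ENDPOINT.match, fields) if m), None)
        if local is None:
            continue
        address, port = local.group(1), int(local.group(2))
        role = vnc_role(port)
        if role and not is_loopback(address):
            exposed.append((address, port) + role)
    return exposed


def password_findings(password, computer_name=""):
    """Return a list of weaknesses for a candidate VNC password.

    Comparison is done on the first 8 characters, case-folded, so that
    'Administrator1' is recognised as the guessable 'administ'.
    """
    effective = password[:VNC_PW_LEN].lower()
    if not effective:
        return ["empty"]
    findings = []
    if len(password) > VNC_PW_LEN:
        findings.append("truncated-to-8")
    if len(effective) < VNC_PW_LEN:
        findings.append("short")
    if effective in {p[:VNC_PW_LEN] for p in COMMON_PASSWORDS}:
        findings.append("common")
    # The article notes the computer name is shown in the browser title bar.
    if computer_name and effective == computer_name[:VNC_PW_LEN].lower():
        findings.append("computer-name")
    return findings


if __name__ == "__main__":
    for addr, port, role, display in find_exposed_listeners(SAMPLE_NETSTAT):
        print(f"exposed {role} listener on {addr}:{port} (display {display})")
    for candidate in ("Administrator1", "homepc", "t7#Kq9!x"):
        print(candidate, "->", password_findings(candidate, "HOMEPC") or "ok")
```

Run it against the output of `netstat -an` on the machine hosting the VNC server; a listener that only needs to be reached through a tunnel should show up bound to loopback and produce no finding.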
 
Conclusion
	This article should not be considered a complete guide to
Virtual Network Computing, but rather an introduction to some of its
pros and cons.  For a better understanding, I encourage you to
download it (it’s freeware) and play around for yourself.  And if
you’re the nosy type, go ahead and scan the net for port 5800, you’ll
probably be shocked by how many keep this program running on a daily
basis.  That’s it for now, but I encourage others to share what
they’ve found with this interesting program.

==========================================================================

5.  ***  The Death of the Internet  ***  By:  Jeff Chester
(originally posted on tompaine.com)

 
Jeff Chester is executive director of the Center for Digital
Democracy.

The Internet’s promise as a new medium -- where text, audio, video
and data can be freely exchanged -- is under attack by the
corporations that control the public’s access to the 'Net, as they
see opportunities to monitor and charge for the content people seek
and send. The industry’s vision is the online equivalent of seizing
the taxpayer-owned airways, as radio and television conglomerates did
over the course of the 20th century. 
To achieve this, the cable industry, which sells Internet access to
most Americans, is pursuing multiple strategies to closely monitor
and tightly control subscribers and their use of the net. One element
can be seen in industry lobbying for new use-based pricing schemes,
which has been widely reported in trade press. Related to this is the
industry’s new public relations campaign, which seeks to introduce a
new "menace" into the pricing debate and boost their case,
the so-called "bandwidth hog." 
But beyond political and press circles is another equally important
development: new technologies being developed and embraced that can,
in practice, transform today's open Internet into a new
industry-regulated system that will prevent or discourage people from
using the net for file-sharing, internet radio and video, and
peer-to-peer communications. These are not merely the most popular
cutting-edge applications used by young people; they also are the
tools for fundamental new ways of conducting business and politics. 
These goals and objectives are visible to anyone who cares to look at
the arcane world of telecommunications policy and planning, either in
the industry trade press or government documents. The bottom line is
the industry wants to kill the Internet as we know it. 
Take a minute and wade through this bit of arcana -- and ponder its
implications. 
"The IP Service Control System from Ellacoya Networks gives the
Broadband Operator ‘Total Service Control’ to closely monitor and
tightly control its subscribers, network and offerings." So
reads the Web site of Ellacoya.com, a relatively new firm, describing
the business-to-business service that it is selling to large Internet
service providers. 
Ellacoya is backed by Wall Street investment powerhouse, Goldman
Sachs, which sees a major opportunity to turn around the red
ink-plagued broadband sector. Continuing, the website explains,
"Establishing Total Service control enables operators to better
manage traffic on the network, [and] easily introduce a range of
tiered and usage based service plans... Talkative applications,
especially peer-to-peer programs like KaZaA and Morpheus, tend to
fill all of the available bandwidth... The IP Service Control System
allows operators to identify, limit and report on these aggressive
applications." 
The fundamental character of the Internet today is that it lacks
precisely these kinds of tolls, barriers and gatekeepers. But
technology like Ellacoya’s hardware and software is not just an
enticing idea; it’s more of a silver bullet for beleaguered telecom
executives. It’s being tested in industry trials and points to the
kind of Internet the industry would like to develop over the next few
years. The way telecom corporations get from today’s open-access
Internet to their version of the future starts by changing how people
pay for the net. 

Industry's New Business Plan
Most people now pay a flat fee for online access. But the big media
companies offering Internet service -- Comcast, ATT, AOL -- would like
to change that, and already have in a few test locations. 
The broadband industry’s plans to institute tiered pricing have been
widely reported in its trade press. There are numerous articles about
replacing today’s open 'Net environment with industry-self-described
versions of "walled gardens" or "Internet Lite."
(See "Cable Operators Seek to Corral Bandwidth Hogs", Cable
Datacom News, 10/01/02) The central feature of these proposals is
much like telephone companies; there’s a price plan for everyone. 
To make the case to regulators that such pricing is fair and overdue,
cable operators have begun a PR effort, spinning that a small percent
of users account for a disproportionately large amount of bandwidth
used on broadband networks. They’ve created and embraced the
pejorative term, "bandwidth hog," to describe those -- such
as music-obsessed college students -- who find robust uses for
high-speed connections. Already major news sources, such as the BBC,
and technology journalists are using the term in their reports. 
To deal with this "problem," the companies are considering
a variety of approaches to ensure they remain in full control of
their bandwidth -- unless consumers can afford to pay the hefty
access fees. Under a typical plan, a user would be allotted a limited
amount of bandwidth per month, and would be charged extra fees for
going over this amount. This approach isn’t very different from the
software industry, where the free versions of an application are
intended to frustrate and prompt people to buy the ‘better’ version. 
Bandwidth caps have already been implemented in Canada by major
Internet service provider Sympatico, Inc., and observers have been
quick to note that the limit -- 5 GB per month -- would effectively
restrict regular use of emerging applications such as Internet radio,
streaming media and video-on-demand. 
Consider this excerpt from an article about Sympatico’s bandwidth
caps in the May 6 edition of Toronto Globe and Mail by reporter Jack
Kapica. 
A classic conflict has arisen over streaming media, especially of
radio. In a recent letter to globetechnology.com, Andrew Cole,
manager of media relations for Bell Sympatico, defended the 5GB bit
cap, saying that "In my experience, Internet radio stations
usually transmit at approximately 20 Kbps. This equates to 1.2MB per
minute, or 72MB per hour. At this rate, a HSE customer could enjoy 70
hours of Internet Radio per month and remain within the bandwidth
usage plan." 
But a 20-Kbps stream is considered poor quality by many people who
tune into Internet-based radio stations for such things as classical
music concerts. For these people, audio quality streamed at 20 Kbps
has been described as "pathetic at best, somewhat akin to AM
radio" by Tony Petrilli of Level Platforms Inc. of Ottawa. 
"Decent audio quality starts at 56 Kbps to 64 Kbps, and really
gets acceptable only around 100 Kbps," he said. This alone,
continued Mr. Petrilli, "will blow the cap, let alone any other
form of surfing, such as looking at movie trailers or even reading
Web-based news. Heaven forbid that someone listens to 90 minutes a
day of quality Internet radio. That way we'd blow the cap in 20 days."

When you consider the fact that the largest American
telecommunications firms are often part of the same mega-corporation
with music, video or movie-producing entertainment divisions -- such
as AOL-Time Warner -- you can see how an industry-regulated Internet
would handily end music and movie industry worries about Napster-like
file swapping by people who don’t want to pay industry-monopolized
retail prices for content. 
Thus, the strategic and technically feasible solutions embodied by
companies such as Ellacoya are obviously why Goldman-Sachs was keen to
invest in the firm -- as it offers the actual means to monetize the
net and turn around the revenue-poor broadband sector. 
According to Ellacoya’s technical datasheet, operators can create
"up to 51,000 unique policies that can be combined to generate
limitless numbers of subscriber policies." Such rules, they
explain, can either permit, deny, priority queues, address lock, rate
limit or redirect access. The same technology also poses new concerns
over privacy, since Ellacoya's technology "collects usage
statistics for subscribers and applications, capturing service
events, session details, and byte counts.... Operators can 'stamp'
the subscribers identity on all records." 

The Industry Spin
The cable industry will argue that such ubiquitous control systems
and restrictive pricing structures are necessary to resolve bandwidth
backups. But the fact is, this cannot be the case, because cable
systems are constructed to avoid bandwidth shortages. But don't take
my word for it. 
Mike LaJoie, vice president for advanced technology at AOL-Time
Warner told MultiChannel News, "The way that the HFC (hybrid
fiber coaxial) architecture works, we never run out of
bandwidth," LaJoie said. "We can always split or do other
things that will give us the bandwidth that we want, so it really
ends up being a desire to provide the best and highest experience for
our customers." (See "HD on VOD Searches for
Resolution", Multichannel News, 09/30/02) What these statements
make clear is that the cable industry's goal for broadband is to
monetize bandwidth. By charging a toll for every bit, the industry
can simultaneously extract great profits from the new applications
that it allows on its networks, as well as restrict access to those
that it finds problematic, i.e. those that compete with its own
content offerings. In short, the industry finally sees a way to make
money online. 
Of course, these calculations are utterly self-serving, ignoring the
fact that the net was developed with tax dollars and has been an
incubator for an array of innovations that extend far beyond creating
new profit centers for big media companies. The envisioned control
structures will inhibit robust Internet use by early broadband
adopters, and discourage development of new high-speed applications
such as Internet-based telephone and video-on-demand, thus slowing
overall broadband growth. 
Worse, this business model will erect high economic and technical
barriers to entry for non-commercial and public interest uses of the
high-speed Internet, threatening civic discourse, artistic expression
and non-profit communications. In moving to implement this highly
centralized vision for broadband, the cable industry does not simply
ignore the democratic and competitive history of the Internet -- it
is actively hostile to it. 
Consumption-based pricing and other restrictive access controls
contradict the spirit of openness and innovation that built the
Internet in the first place, and will do irreparable harm to its
future as a medium for small business initiatives, non-commercial
users and democratic discourse. New threats to privacy are also
clear, given the intrusive nature of the technology to closely
monitor all online use. If you think spam is bad now... 

And Where Is The FCC?
This new threat to online communications is a direct consequence of
recent Federal Communications Commission policies by Chairman Michael
Powell that permit cable companies to operate their broadband
platforms in a "discriminatory, non-open access" manner.
This legalese means the FCC, the historic guardian of the public
interest in the communications field, has abdicated its founding
charge: to serve the public interest before private interests. 
In sum, the Internet as we now know it -- and its revolutionary
promise -- may soon pass into the history books. In the absence of
public policy safeguards, the emerging pricing and control structures
will fundamentally change the kinds of information -- and the way it’s
delivered -- on the Internet. The ramifications extend far beyond the
quarterly reports and shareholder earnings for the nation’s
telecommunications corporations. 
The consequences are cultural and will affect the pace and character
of progress in the early 21st century. If the communications
companies impose tolls, roadblocks and dead ends on the information
‘superhighway,’ they will be robbing public trust resources in much
the same way 19th century mining companies pilfered public lands and
20th century radio and television networks privatized the public’s
airwaves.
====================================================================


6.  ***  Review – “The Art of Deception”  ***  By: Screamer Chaotix

	“The Art of Deception” by Kevin D. Mitnick (note the D.,
perhaps to separate himself from his former hacker activities and be
taken more seriously) is a look at the art of social engineering. 
While fairly pricey for most, coming in at about 27.50 unless you
find a sale or get it online, the majority of the book is well worth
your dollar.  Not everything is perfect, but overall it does what it
sets out to do…which might not be exactly what a lot of people had in
mind.
	To explain, the book is definitely aimed at those looking to
stop social engineering.  Through the use of “Mitnick Messages”
scattered throughout, Kevin offers advice on how to prevent people
from invading your private property by way of social engineering.  At
first I was a bit thrown by this, I would have preferred just a
general look at the actual “art” of conning someone, but in the end I
decided to shut up and just enjoy the book for what it was.
	“What it is” is a little hard to explain.  Beginning with a
foreword from Steve Wozniak, and an even more interesting
introduction from Kevin, the majority of the book deals with specific
instances of social engineering.  Acting out line for line how a
call, or an in person visit, may go, the book takes us into the minds
of both the “mark” and the social engineer.  This is where it really
gets interesting.  We’re able to see many of the tricks used by
Kevin, er.. allegedly used, and can actually witness people falling
for these manipulations.  It’s a great opportunity to get inside the
human psyche and see exactly why we fall for certain things.  Plus,
it makes for damn entertaining reading.
	The end of the book is dedicated to helping people stop
social engineering by giving instructions on what companies can do to
protect themselves, but the odds are if you’re reading this ezine you
probably have little need for that.  If anything, it gives some good
tips on how to protect yourself in your daily life…and it comes from
a master of manipulation.
	While Kevin does devote much time to helping companies
prevent this, rest assured he takes time to explain to people exactly
what he feels a true hacker is.  He admits he broke the law, but
still asserts he is not a malicious hacker. He clearly states that a
hacker is someone who figures things out and does not damage the
computers they visit (read his preface for an exact explanation). 
Hacking, however, is not the book’s primary concern.  Those of you
looking for technical explanations regarding computers and other
electronics would be better off purchasing “Hacking Exposed” or
something similar, this book is clearly about the human element.
	This may deter some readers, I myself would love to see Kevin
create a book about computers and give the same explanations about
hacking that he gives regarding social engineering, but whether he
ever does is up to the laws that be.  All in all, I see no reason why
anyone should not buy this book.  It both informs you about, and
alerts you to, all that can be done through social engineering.  And
any book with a detailed explanation of how to walk off with eight
million dollars without a gun or computer in the first chapter is
well worth its cover price if you ask me.  He’ll definitely give you
something to think about, and keep you entertained throughout.
	A personal congratulations to Kevin Mitnick for an excellent
first book, I look forward to seeing more of his work.  -screamer

7.  ***  Random Stuff From the Net  ***

[musicunited.org]
Registrant:
RECORDING INDUSTRY ASSOC. OF AMERICA INC (NAGCNJPUSD)
   1330 Connecticut Ave., NW #300
   WASHINGTON, DC 20036
   US

   Domain Name: MUSICUNITED.ORG

   Administrative Contact:
      McCaffrey, Howard  (IXPMOSZSRI)		info@musicunited.org


      1330 Connecticut Ave., NW #300
      Washington, DC  20036
      US
      202.775.0101 202.775.7253
   Technical Contact:
      DIGEX INC.  (DH3795-ORG)		QIP@DIGEX.COM

      DIGEX INC.
      One Digex Plaza
      Beltsville, MD 20705
      US
      240-264-2000 fax: - -

   Record expires on 18-Sep-2005.
   Record created on 18-Sep-2002.
   Database last updated on 25-Oct-2002 15:35:39 EDT.

Domain servers in listed order:

   MIA01.DIGEX.COM              216.255.129.249
   MIA02.DIGEX.COM              216.255.130.249

MUSICUNITED.ORG (AKA CHICAGOLANDSPEEDWAY.COM)
MICROSOFT – IIS/5.0
WINDOWS 2000

$ telnet www.musicunited.org 80
Trying 164.109.25.159...
Connected to www.musicunited.org.
Escape character is '^]'.
head

HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Fri, 25 Oct 2002 21:10:09 GMT
Content-Type: text/html
Content-Length: 87

<html><head><title>Error</title></head><body>The
 parameter is incorrect. </body></html>Connection closed
by foreign host.

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\


[http://www.geocities.com/Heartland/Farm/9753/poem_files/computers1.htm]


“Cheap Spell-Checker”

Eye halve a spelling chequer
It came with my pea sea
It plainly marques four my revue 
Miss steaks eye kin knot sea.
Eye strike a key and type a word 
And weight four it two say 
Weather eye am wrong oar write 
It shows me strait a weigh.
As soon as a mist ache is maid
It nose bee fore two long
And eye can put the error rite
Its rare lea ever wrong.
Eye have run this poem threw it 
I am shore your pleased two no 
Its letter perfect awl the weigh 
My chequer tolled me sew.
-Sauce unknown


“If Dr. Seuss were a Technical Writer”

Here's an easy game to play. 
Here's an easy thing to say.

If a packet hits a pocket on a socket on a port, 
And the bus is interrupted as a very last resort. 
And the address of the memory makes your floppy disk abort, 
Then the socket packet pocket has an error to report! 

If your cursor finds a menu item followed by a dash, 
And the doubleclicking icon puts your window in the trash, 
And your data is corrupted 'cause the index doesn't hash. 
Then your situation's hopeless and your system's gonna crash! 

You can't say this? 
What a shame, sir! 
We'll find you 
another game, sir!

If the label on the cable on the table at your house 
Says the network is connected to the button on the mouse, 
But your packets want to tunnel on another protocol, 
That's repeatedly rejected by the printer down the hall, 
And your screen is all distorted by the side affects of Gauss, 
So your icons in the windows are so wavy as a souse, 
Then you may as well reboot and go out with a bang, 
'Cause as sure as I'm a poet, the sucker's gonna hang!

When the copy of your floppy's getting sloppy on the disk, 
And the microcode instructions cause unnecessary RISC. 
Then you have to flash your memory and you'll want to RAM your ROM. 
Quickly turn off the computer and be sure to tell your mom! 

===================================================================

8.  ***  Crosstalk  ***


>Frequency,

	In response to your crosstalk reply in Freq24, regarding
Linux in a Microsoft world, I’d like to point out something I see far
too often.  You had said that Linux might be better if the world
wasn’t dominated by Microsoft products, but like so many others, you
forgot one key fact.  Microsoft does not force the world to use its
products, therefore, please don’t blame Linux shortcomings on them. 
You use their operating systems for ease of use, as does most of the
world, so any argument you have against them should at least
acknowledge that fact.  [nerve_ending]

REPLY>  It’s ironic you say that Microsoft doesn’t force people to
use their products while they’re in the middle of an antitrust
scandal.  They’re accused of being a monopoly, and a monopoly, as I’m
sure you’re aware, is a corporation that gets so large it completely
dominates the market and prevents competition.  If this wasn’t so,
perhaps more people could find out about Linux and realize what a
great system it is (I refuse to call it an “alternative” to Windows),
and that could lead to even greater advancements on the open source
front.  However, we do acknowledge that Windows is easy to use.  But
what about all the times it crashes?  What about all the errors we
receive?  To be honest, every time we made a show we worried about
the operating system simply freezing up on us, and on several
occasions, it did.  Shouldn’t we acknowledge that as well?  Windows
has become synonymous with operating system, much like Kleenex with
tissue.  It comes preinstalled on virtually every machine you buy, so
yes, of course most people will be using it one way or another.  But
that doesn’t mean we have to support it wholeheartedly.

>Frequency,

	I’m surprised you allowed an article about cracking into porn
sites to be published in your otherwise distinguished ezine.  Despite
cracksalot’s arguments, I don’t understand what that has to do with
hacking.  I can remember screamer arguing a long time ago about how
he didn’t like anarchy and stuff like that, and yet you’ll print an
article about this?  In the future, you should strive to give hackers
a positive image before the eyes of the world.  You used to do that,
and I don’t want to see the quality of your ezine go down the tubes
because of this.  [lionel]

REPLY>  We knew we’d receive letters regarding “Cracking 101” by
Sir Cracksalot in issue 24.  First off, who are we to silence someone
who writes an article to inform others?  There was no personal
information about individuals given out, and it wasn’t a tool for
crime disguised as an article.  It did deal with computers, and
making them do something interesting, whether we agree with what
could be done or not is irrelevant.  As for “anarchy” material, I had
made that statement not about information, but about relevance. 
Hackers, and I stress in my opinion, are people who play with
technology to make it do incredible things.  No information about how
something could be made or done is “bad” information, but is it
necessarily relevant?  That was my whole argument, as I didn’t see
“how to break the human wrist” or drive by shootings as things that
were, or should be, associated with hacking.  The information itself
should not be condemned, but I do think there are more appropriate
places for it besides a hacker board.

>Frequency,

	Back in Freq21, Leland D. Peng wrote an article titled “Don’t
Support This Site.”  As a webmaster myself, I’m very discouraged to
see someone talking shit about people who ask for donations or use
banner ads.  Usually if you want quality, you have to pay.  I respect
his opinion, but banners and donations help to keep some very
important voices on the net.  Not all of us have as much money as
micro$oft, stop putting down those you claim to support.  [Jagged
Edge]

REPLY>  [To clarify, that article appeared in Freq22]  At the time
of this writing Leland isn’t available to comment, but through
discussion I’ve seen we think very similarly.  His arguments stem from
anger towards those that try to make a buck off of what they do,
without any genuinely necessary reason to make that money.  To use
the Hackermind shirts we created a while back as an example, we put
those up on cafepress.com at the minimum price.  Why?  Because we
didn’t have to pay anything in the first place, so why force a price
hike on our listeners just so we could get a profit?  As for a site’s
survival, I’m sure Leland will agree that no one here wants to
silence those voices that are helping the community, but the bottom
line is that there are cheaper ways for everything.  Using your
imagination will take you a long way, and save your visitors a lot of
headaches too.

>Frequency,

	When people write articles for 2600 they get a shirt, why not
give people some incentive to write for your ezine?  I know I’d write
a lot more if I knew I’d get something outta the deal, but it’s just
an idea.  [Cricket]

REPLY>  We have considered doing what Phrack does; sending each
issue to the people who submitted articles that were published a week
or more before everyone else gets it.  We haven’t yet started doing
this, but in all likelihood we will soon.  It’s the least we can do
for those that take the time to contribute.  As for shirts or other
goodies, the point of writing articles is to say whatever’s on your
mind, not for a reward.

>Frequency,

	I’m confused about hacking laws in the United States…are
there differing degrees of severity when hacking?  Does the legal
system distinguish between casual snooping and actual destruction? 
And if so, what other kinds of factors come into play? [anonymous]

REPLY>  We’re not lawyers, so we’re probably not the best source
to turn to for legal advice.  These days it almost seems like you’re
at the mercy of the court, your punishment is based on how paranoid
the judge is or how horrific the prosecutor’s imagination can be. 
For the most part, intent is hard to prove and doesn’t seem to come
into question.  For example, nowadays getting into a hospital’s
computer could be construed as attempted murder.  Ironically the
punishment is probably more severe because you used a computer…go
figure.  It really is a shame how the majority of the world looks at
computer hacking these days though.  Today, even if you simply view
someone’s directory structure in a web browser you may very well be
facing some serious consequences.  To those anti-hacker types, that’s
exactly how it should be.  They’ll never understand the technology,
so it’s better to use guerrilla tactics instead of looking like
fools.
=======================================================================


9.  ***  Closing Arguments  ***

	In case you didn’t notice, our cover this month was inspired
by musicunited.org, a website owned by the RIAA, although they don’t
want to admit that on the actual site.  I won’t bother explaining
what they’re all about, I’m sure you all have browsers capable of
viewing their pretty graphics and text, but just so you don’t miss
it, here’s a link to learn what artists think about downloaders
http://www.musicunited.org/3_artists.html and for more propaganda,
visit http://www.musicunited.org/4_shouldntdoit.html.
	It makes me a little angry to see artists who already make
millions (if not billions) demanding that you put every hard earned
cent into their pocket.  Forget about whether getting someone else’s
work for free is right or wrong for a moment, it’s something that
anyone can do these days!  It’s as simple as breathing, and is done
on a worldwide scale.  Do the artists, and especially the RIAA,
honestly believe they can stop people from trading files once and for
all?  And lastly, to the artists…if music doesn’t pay anymore, maybe
you should get a real job and leave the music to the people who truly
love making it.  If all you want is the most “compensation” possible,
you probably don’t give a shit about what you make.  I send out this
ezine for free, you don’t see me demanding people pay 13 dollars an
issue.  Why?  I do it because I love it, and a lot of other people
seem to enjoy it.  I’ll make money some other way, threatening
readers to pay up is NOT the way to do it.
	And with that said, everyone needs to send me 20 bucks right
now…haha, just kidding.  I just hope everyone realizes I don’t hate
all popular musicians or filmmakers.  In fact, while watching the
horror film “Jason X” on DVD (yes, I admitted I downloaded that movie
before it was released because the studio delayed it so much…well
there you go, now I’ve paid my debt) I heard the lead writer and
director joking about how their film was such a popular bootleg
online.  They themselves knew the studio fucked up by waiting so long
to bring it out, and seemed pleased that people got to see it one way
or another.  In fact, the writer was actually SELLING the bootleg! 
He was so pissed at the studio that he began selling his own
copies…now that’s how it should be done.  Put more power in the hands
of the creators, and less in the white haired CEOs at New Line
Cinema.  I only wish I knew about it, I would have been proud to send
in my cash…if only to give 100% profit to the creators.
	Aside from my horror movie fixation, there’ve been some other
things going on in the world.  Recently the internet experienced one
of the largest DDoS attacks ever.  The attack targeted the 13 root
servers that make up the main backbone of the internet, although not
enough were actually affected badly enough to cause slowdown. 
Naturally, CNN reported on the hackers that nearly shut down the
internet.  Their security professional (obviously a pro, he had
spiked hair) said it wasn’t a sophisticated attack, but alas, hackers
were the culprits.  You know, a guy sent a virus to his friend in
Illinois…that damn hacker.
	And to close the 25th issue, a message to all present and
future writers.  If you would like to receive personal feedback,
please include your address, along with the handle you submit, at the
top of your article.  We won’t print your address unless it’s
included in the body of your email, nor will it be given to anyone
who asks.  As usual, send any and all submissions to
articles@hackermind.net, or screamer@hackermind.net will work just as
well.  Now, with that said, farewell and adieu.
-screamer
=================================================================

10.  ***  Crew  ***

Editor in Chief – Screamer Chaotix
Webmaster – Dash Interrupt
Network Administrator – Leland D. Peng
NT Specialist – Unreal
Radio Specialist – w1nt3rmut3

Writers – dual_parallel, Zero Tolerance, Jeff Chester

Shout Outs – Todd Farmer, Jim Isaac, Kevin D. Mitnick, Sparky (go
home), Langley, www.artbell.com

SEND ARTICLES TO – articles@hackermind.net


W W W . H A C K E R M I N D . N E T

January 2003