[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]


..[ Phrack Magazine ]..
.:: Line Noise ::.

Issues: [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ 12 ] [ 13 ] [ 14 ] [ 15 ] [ 16 ] [ 17 ] [ 18 ] [ 19 ] [ 20 ] [ 21 ] [ 22 ] [ 23 ] [ 24 ] [ 25 ] [ 26 ] [ 27 ] [ 28 ] [ 29 ] [ 30 ] [ 31 ] [ 32 ] [ 33 ] [ 34 ] [ 35 ] [ 36 ] [ 37 ] [ 38 ] [ 39 ] [ 40 ] [ 41 ] [ 42 ] [ 43 ] [ 44 ] [ 45 ] [ 46 ] [ 47 ] [ 48 ] [ 49 ] [ 50 ] [ 51 ] [ 52 ] [ 53 ] [ 54 ] [ 55 ] [ 56 ] [ 57 ] [ 58 ] [ 59 ] [ 60 ] [ 61 ] [ 62 ] [ 63 ] [ 64 ] [ 65 ] [ 66 ] [ 67 ] [ 68 ]
Current issue : #49 | Release date : 1996-08-11 | Editor : daemon9
IntroductionPhrack Staff
Phrack loopbackPhrack Staff
Line NoisePhrack Staff
Phrack Prophile on MudgePhrack Staff
Introduction to Telephony and PBX systemscavalier
Project Loki: ICMP TunnelingAlhambra & daemon9
Project Hades: TCP weaknessesdaemon9
Introduction to CGI and CGI vulnerabilitiesG. Gilliss
Content-Blind CancelbotDr. Dimitri Vulis
A Steganography Improvement Proposalcjm1
South Western Bell Lineman Work CodesIcon
Introduction to the FedLine software systemParmaster
Telephone Company Customer Applicationsvoyager
Smashing The Stack For Fun And ProfitAleph1
TCP port Stealth ScanningUriel
Phrack World Newsdisorder
Title : Line Noise
Author : Phrack Staff
                        .oO Phrack Magazine Oo.

              	     Volume Seven, Issue Forty-Nine
			
			      File 3 of 16

                           //   //  /\   //   ====
                          //   //  //\\ //   ====
                         ==== //  //  \\/   ====

                     /\   //  // \\    //  /===   ====
                    //\\ //  //   //  //   \=\   ====
                   //  \\/    \\ //  //   ===/  ====

------------------------------------------------------------------------------

     CUERVOCON 96 CUERVOCON 96 CUERVOCON 96 CUERVOCON 96 CUERVOCON 96

                  Tengo que hable con mi abogado.

     ----------------------------------------------------------------

What : A computer/telephony/security conference. (show this part to your 
       boss.)

Where: Fort Brown Hotel, Brownsville Texas. 

When : 28 & 29 December, 1996

Who  : The usual gang of cretins.

Why  : It's winter, and it is 12 degrees outside.  The dumpsters are frozen
       shut, and there are icicles on the payphones.  Brownsville is at the
       Southern-most tip of Texas, right up against...Mexico.  Yes, Mexico,
       land of cheap cerveza, four-dollar strippers, and liberal drinking
       laws.  Mexico, where you too can own your very own Federal law
       enforcement official for a fistful of pesos.

     ----------------------------------------------------------------
                              
                              Speakers

Anybody wishing to speak at CuervoCon should send 
e-mail to the address at the bottom of this announcement.
Currently the list includes:
u4ea (by teleconfrence)
Major
ReDragon
Caffiend (about her Breasts)
daemon9 (about his Breasts)

     ----------------------------------------------------------------

                               Events

"How Much Can You Drink?"
"Fool The Lamer"
"Hack The Stripper"
"Hack The Web Server"
"sk00l"
"Ouija Board Hacking"

...as well as a variety of Technical Presentations.


     ----------------------------------------------------------------


                         General Information


The Fort Brown Hotel will have available to us, 125 rooms at the holiday in @ 
$55 a room, and $75 rooms at the ramada @ $45 each.  The Fort Brown was 
previously an actual fort when it was closed down by Uncle Sam.  It became one
large hotel until it was recently purchased and split into the Holiday Inn and
the Ramada.  The Fort Brown was chosen because it is across the street from 
the bridge to Mexico.  You can call the Fort Brown Ramada at: 

	210-541-2921

You can call the Fort Brown Holiday Inn at:

	210-546-2201

Call for reservations, make sure to tell them your with CuervoCon.

Friday and Saturday the con will be in the 'Calvary' room.  While Sunday we 
have the 'Fortress Room' where all the big speakers will be.  Friday and 
Saturday we will have a few speakers and activities.  Friday Night mainly, 
so we can have people arrive on time.  We hope to have the con room open 24 
hours a day.

Brownsville is right on the Mexican border, adjacent to the Mexican town
Matamoris.  The Gulf of Mexico is 25 miles away.  Brownsville has a population
just over 100,000.  The police force includes 175 officers, and a wide variety
of federal law enforcement agencies have a strong presence there as well.
The climate is semi-tropical, and the RBOC is SouthWestern Bell.

Matamoris is the other half of brownsville.  Home of over 1/2 a million 
people, it is known since the early 1900's as a pit of sin.  The federale's 
are not to be fucked with and it is serviced by TelMex.  It is known for its 
bars, strip clubs and mexican food.  Matamoros also has an airport incase 
you live in Mexico and care to go, via aeromexico.

Directions:
In Texas Driving - Go anyway you can to get to US 77 South. Take 77 South 
till it ends in Brownsville. From there you will turn right on International.
Proceed all the way down international, right before the bridge, turn left.
The Fort Brown will be on the left.

For those flying in - We are going to try to have a shuttle going. Also just
tell the cab driver, Fort Brown.

The Con Registration Fee, aka the pay it when you walk in our we will beat you
up, is only 10$ and an additional 5$ for the 'I paid for eliteness sticker' 
which will let you into the special events, such as hack the stripper.

     ----------------------------------------------------------------

                       Celebrity Endorsements



Here's what last years participants had to say about CuervoCon:

"I attended the CuervoCon 95.  I found many people there who, fearing a
 sunburn, wanted to buy my t-shirts!" -ErikB

"I tried to attend, but was thwarted by "No Admittance to The Public" 
 sign.  I feel as though I missed the event of the year." - The Public

"mmmm...look at all the little Mexican boys..." -Netta Gilboa

"Wow!  CuervoCon 95 was more fun that spilling my guts to the feds!" - 
 Panther Modern

"CuervoCon is our favorite annual event.  We know we can give 
 security a day of rest, because you people are all too drunk to
 give us any trouble..." - AT&T

"No moleste, por favor." - TeleMex

Don't miss it!

     ----------------------------------------------------------------


Have you ever hacked a machine in your hometown from a foreign
country?

Have you ever had to convert dollars into pesos to get your bribe right?

Have you ever spent time in a foreign prison, where your "rights as an 
American" just don't apply?

Have you ever been taken down for soemthing that wasn't even illegal 
half an hour ago?

YOU WILL!  And the con that will bring it to you?

CUERVOCON 96

     ----------------------------------------------------------------

     CUERVOCON 96 CUERVOCON 96 CUERVOCON 96 CUERVOCON 96 CUERVOCON 96 
                            brought to you by
     - S.o.B. - TNo - PLA - Phrack - The Guild - F.U.C.K. - SotMESC - 


                          Contact Information

info@cuervocon.org

www.cuervocon.org - Look here for updates.

Voice mail system coming up soon.

     ----------------------------------------------------------------


                                ----<>----


*** The truth behind the Adult Verification Services 

	     ('porno' will set you free)

*** By your passively skeptical author, t3.

*** 10.30.96


        Let's speak for a minute about 'porno'.  'Porno' has saturated the 
Net to a level in which it's difficult *not* to see it, regardless if 
you're looking for it.  It can be found on the largest web site and the 
smallest ftp site.  It can be found on Usenet, it can be found with any 
one of numerous search engines.  Let's not delude ourselves, porno is 
*everywhere* and anyone with the motor skills to click a mouse can have access 
to it.

About a year ago a concept came along called 'Adult Verification'.  This first
started out by people writing crude cgi scripts that would query every person
as to their age.  'Are you 18' it would say, and even a sexually aware 9-year
old would know to say 'yay' to this.

Soon thereafter, someone topped this 4-line piece of code by writing a login 
interface, most likely it was incorporated into Netscape or some other, less
worthy browser.  This program made use of the actual browser to authenticate   
users.  Of course one needed a login and password, of which had to be manually
added after ample proof of age was received.  If one merely wanted to 
cover one's ass, this would not be a logical solution.

This all occurred during which the CDA (Communications Decency Act) had 
actually existed.  On June 7, 1995, the CDA was passed through the Senate 
to the President, signed, and made a law:

(1) in the heading by striking `Broadcasting obscene
              language' and inserting `Utterance of indecent or profane
              language by radio communication; transmission to minor of
              indecent material from remote computer facility, electronic
              communications service, or electronic bulletin board service';

et al...Now it was illegal to transmit 'indecent material' on the 
Internet.  If this were to actually be adhered to, the Net would shrink 
so drastically that the current topology would last ten years before 
needing an upgrade.

Is was soon apparent that this act was not going to fly.  Groups like the 
EFF and the ACLU suddenly became extremely busy.  Companies such as Apple 
and Microsoft challenged the constitutionality of such a law and took 
this directly to court.  It was also apparent that the transmission of 
'indecent material' would not disappear, but merely go further underground.

Indeed, this is exactly what happened.  Soon thereafter Adult Verification
services began popping up.  AVS (Adult Verification Services), Adultcheck,
Adultpass, and a slew of others came up with an idea.

The idea was to verify a person's adult status by acquiring one's credit 
card number.  This would, ahem, without a doubt, prove that the individual
was 18.  Why?  Because you had to be 18 to have a credit card of course!
Someone obviously didn't take into consideration the five or so million 
pre-adults that would make it their goal to surpass such shotty 
authentication.

It began by the government stating that a credit card is a legal means of 
verifying one's age, this allowing those distributing 'porno'graphic 
materials to continue distributing to those 18 and over.  The initial 
means that the 'providers of porn' used to do this was to basically 
verify the format of the card and not actually run a check on it.  As 
most of us all know, there have been plenty of "Credit Card Generators" 
produced in the last five years, quite capable of fooling these shotty 
authentication systems.

As this authentication was obviously lacking in the "authentication" 
part, the next step was to actually validate the cards.  This began and 
ended nearly as quickly, for finding a credit card (for example, in 
mommy's purse), junior could peruse porn until his dick grew red and chafed.

On June 12, 1996 it was was determined that the CDA indeed violated one's 
constitutional rights and was striken down as a law.  More on this at 
<http://www.eff.org/pub/Legal/Cases/EFF_ACLU_v_DoJ/>.

But it didn't seem to phase the Authentication services.  

The Authentication Services currently verify age by obtaining a credit 
card, verifying it, and actually charging a fee for the service.  About 
$9.95 for two years which entitles you to an abundance of graphic, ad, 
and airbrush-laden web pages and images.  This most likely sufficiently 
scared off the less determined of minors because now they'd be engaging in 
credit card fraud.  

It's truly odd that after it has been deemed legal to distribute said 
porn, that all of these services still insist that it's illegal to do 
so.  Let us realize that Usenet barely flinched when the CDA was in 
effect, and still offered gigs upon (glorious) gigs of nude bodies to 
oggle at.

After taking a good look at this whole bizarre operation, I have made a 
few conclusions of my own.  

Charging $9.95 for two years of access to 'porno'graphy seems a little too 
good to be true.  One must realize that there is a charge to the billing 
company for each credit card transaction made.  I'd be surprised if it 
wasn't half of this ten bucks.  These authentication companies also pay 
"handsomely" the purveyors of porn.  In order for such a service to 
function, obviously there needs to be an agreement with the distributor and the 
authenticator.

Now, one that distributes 'porno'graphy on the Net will certainly not feel 
the need to do these Verification Services any favors.  The majority of 
people that do run these explicit sites are certainly not interested in 
supporting censorship of their material (probably 90% money-making).  The 
AVS's knew this and offered a stipend to those using their services.

The AVS's currently work by paying the site that contains 'indecent 
material' a certain amount each time that site gets another person to 
sign up with their service.  This works by the AVS sending html that is 
put on a verification page.  If one finds this page important enough, 
they may be convinced to sign up with the service that allows you to 
access it.  

The stipend is generally around $4.00, and as high as $7.50.  There are 
many AVS's, and the majority of the said 'sites' use more than one, 
sometimes all of them for verification.  If a particular site uses one 
AVS exclusively, the AVS will pay on the highest end of their scale for new 
recruits.

If we get into some simple math, we may find some contradictions 
regarding this.  The initial fee to those interested in accessing porn is 
$9.95.  Out of these we can safely say that more than $3.00 goes to 
simply checking the validity of the card and billing it.  This leaves the 
AVS with $6.95.

Now, on the receiving end we have a very minimum of $4.00 going towards 
each new person that signs up.  It's probably safe to say that over 90% 
of new customers to these AVS's sign-up through 'porno'graphic pages and 
not directly from the site itself.

So $9.95 ends up being $6.95 after expenses, and then the service sends 
another $4.00 to the person that gave them the account.  This leaves the 
AVS with a maximum of $2.95 total.

The costs running an AVS are surely not exorbant, but are certainly not 
cheap.  I have yet to find an AVS running off of anything less than at T1 
(1.544mbit) speeds.  This translates to an extreme minimum of 1k/month.  
If you include employees, office space, and incidentals, running any such 
service couldn't cost less than 5k a month at the very least.  This would 
mean to break even one would have to bring in:

5000/2.95

1694 new customers a month, simply to break even!  That's a lot 
considering the membership lasts for two years.  And this is in the 
*best-case* scenario.  I would be hard-pressed to believe that one such 
service could steadily rely on such a base of new clients every month 
indefinitely!

I have theorized that these services are in fact not self-run moneymaking 
ventures, but are actually being funded by a higher authority.  It's 
quite feasible to believe that the government, having been challenged and 
beat, have actually allocated funds to protecting the minors of the Net 
from obscenity.  It's *certainly* not far-fetched, especially with Al 
Gore (think, Tipper) in an improperly high position.

The government could allocate a comparitively paltry sum of one million a 
year towards funding (even creating) companies that act merely to pay 
people to be complacent.  What if the government merely let relatively 
computer proficient professionals bid on forming these AVS's?  What if?

Well, unless i'm overlooking something, I can't see too much illogic to 
my theory.

Another consideration of these services is that even at their current 
state, they are extremely easy to overcome.  So easy, in fact, that their 
existence will hardly offer much resistance to a horny teenager.  Remember, 
people will do anything to get 'porno'graphy.

Such holes in these systems are that the verified member of such an AVS 
connects to a sexually explicit site, is bounced backed to the AVS for 
authentication, and is then bounced back again to the page (url) that 
contains the "naughty stuff".  This page can be simply bookmarked and 
distributed to anyone and their Mom.

Why?  All the services I've come across (the largest ones) do not 
authenticate the target url, they target the initial "warning" page and 
contain information to pass the user on to the naughty stuff.  Thus if 
one single person can obtain the target url, he can bypass all future 
authentication and can as well pass the url on through various channels, 
quite easily ending up in the hands of a minor.

As well, if stupidity was a metaphor for AVS's, most of the target url's 
have filenames such as "warning.html" or "granted.html".  Any 
half-respectable search engine (such as AltaVista) is capable of snarfing 
out such information.  Doubly-so because these services will obviously 
want to advertise their existence.

The only method that seems to partially protect minors from 'porno'graphy 
is the method of installing client-based software such as SurfWatch that 
try to censor 'porno'graphy.  This, as well, relies on a willing company or 
individual to operate.  This works quite archaically by imbedding META 
tags in html source. For example:

<META name="description" content="Validate Age Verification 
Service"><meta name="keywords" content="sex erotica nude porn penthouse 
pornography erotic porno adult playboy dating marriage love date age 
validate validation protect children kids money commercial wealth nudes 
pics jpg gif">

This particular tag would be placed in the receiving html of a 
co-operative service or individual.  The client-based software would 
search for such tags and censor the content accordingly.  From my 
understanding, those using AVS's are not required to embed these tags in 
their "warning" page html.  If they do not, which I would imagine many 
probably wouldn't, then suddenly these client-based censorship tools are 
rendered useless.

So in conclusion, I would give a big thumbs-down for this whole pathetic 
means of controlling freedom.  The Internet was meant to be a place to 
free exchange of information.  Today a minor is just as able to find 
explicit material on the Net as he/she is able to dig through Mom and 
Dad's dresser for copies of Hustler.  A minor is just as capable of 
watching R or X-rated movies, stealing a magazine from a store, or even 
buying one.  

It's time to stop using half-assed and crippled ways of protecting kids 
from obscenity on the Net.  If you're a parent and you don't want your 
child to view such 'porno'graphy, then why not do what you're supposed to 
do and discipline the kid.

Lazy fuckers.


t3
.end



                                ----<>----


T.A.C.D Presents...
Hacking ID Machines 
By PiLL

Table Of Contents

I.   What is an ID Machine & who uses them?
II.  Hardware and software of the ID machines
III. Common security of ID Machines
IV.  What to do once you get in
V.   Closing
VI.  Greets


Part One: What is an ID machine and who uses them?

First we will start with the basics. An IDM or ID Machine is exactly
what the name entails.  It is a computer that government and large
companies use to make security badges and ID cards for employees and
visitors. All of the IDM's are DOS based so security, to say the least,
sucks. There are four models of IDM's. The one we will be covering the
most is the latest and greatest: the ID 4000. Also in the family of
IDM's are the 3000, 2000+, and 2000. I have heard of an ID 1000 but I
have yet to see or play with one, so if you find one, tell me. The 2000
is DOS 3.3 so I can imagine that an ID 1000 is even a bigger waste of
time. IDM's are manufactured by a branch of Polaroid entitled Polaroid
Electronic Imaging. If you want more information on IDM's call (800)343-5000
and they will send you some general specs.  I will let you know right
off the start that these machines sell for as much as $75,000.00 but the
average price is around $40,000.00. So getting caught crashing one is
NOT a good idea.
 
You are probably wondering what companies use ID machines.  Here is a
brief list. All of the Colorado and Alaska DMV's, The IRS, The FBI, The
U.S. Mint, The Federal Reserve, almost any military branch, Hewlett
Packard, Polaroid, Westinghouse (I wouldn't recommend fucking with them:
for more information on Westinghouse check out the movie Unauthorized Access
available from CDC's home page), and all of the major prisons in the
United States. By now you should be getting ideas of the potential fun
you can have. Not that I would ever use what I know for anything illegal
;)

Part Two: Hardware and Software

I will cover each machine in order but you will probably notice that the
ID4000 will get by far more attention then any other.

Hardware and Software for the 2000+ and 2000 is kind of like teaching
someone about the Apple ][ and how to use Logo so I will try not to bore
you to much with them. The 2000 series are unique to the others because
they are one full unit. The hardware is basically a really cheesy
oversized case with a 9 monochrome monitor, a 3 monitor for viewing the
victim of the hideous picture it takes, a 286 Wyse computer with 1meg of
RAM (really hauls ass), a data compression board, image processing board
(*Paris* Board), a signature scanner, a color film recorder or CFR, a
WORM Drive, a modem, and most of the time a network card so the data can
be stored on a mainframe. The Software of the 2000 series is a really
neat database program running under DOS 3.3. If you have never heard of
or used EDLIN, I would not recommend playing with a 2000. The only major
differences between an ID2000 and an ID2000+ is that the computer on the
2000+ is a HP Vectra 386 with 4megs and a SCSI Interface. That's all you
really need to know you probably won't ever encounter one unless you go
trashing a lot.

The ID3000 is also an HP 386/20 but uses DOS 5.0 and a Matrox Digital
Processing board instead of the old Paris board of the 2000 series.

This came about when your state ID actually started to remotely resemble
you in 1992. Also in the 3000 years their were more peripherals
available such as the latest CFR at the time (I think it was the 5000),
PVC printers, and bar code label printers.  The software is basically
DOS 5.0 but this time they use a database shell much like DOSSHELL as
the interface with the machine. The 3000 uses SYTOS for data storage and
transfer and it is best to dial in using a program called Carbon Copy.

The 4000 is the best even though it's not that great. It was is the
first IDM in the Polaroid line that let the customer customize the
machine to their needs.  This is the machine that you see when you go to
the DMV, at least in Denver.  It consists of a JVC camera, a Matrox
processing board, a data compression board, an Adaptec 1505 SCSI card, a
14.4 modem, a network card, and can have any of the following added to
it: a PVC printer (in case you didn't know that's what they use on
credit cards), a magnetic stripe encoder, a bar code printer, a thermal
printer, a CFR (usually the HR6000 like at the DMV), a Ci500 scanner,
and signature pad, a finger print pad (interesting note if you have a
black light and one of the new Colorado Driver licenses hold it under a
black light and look what appears under your picture, you should see
your finger print), and a laminator. Now some of you are thinking what
about the holograms? Those are actually in the lamination, not on the
badge itself. To obtain lamination walk into the DMV and look to the
right or left of the machine if you see a little brown box that's what
you need, but please remember to leave some for the rest of us that
might be next in line. Or you can go to Eagle hardware and buy a bolt
cutter for the dumpster but that's a different text file.

The 4000 runs DOS 6.0 and Windows 3.1. The actual software for the 4000
is a terrible Visual Basic shell that reminds me of the first time I ran
that program AoHell. The only difference is that AoHell did what it was
suppose to, the 4000 software is a headache of GPF's , Environment
Errors, and Vbrun errors. A nice feature that the 4000 has that the
other IDM's don't, is the ability to create and design your own badge.
You can even do it remotely ! ! =) . Unfortunately the program Polaroid
developed for this makes paintbrush look good. But on a bright note you
can import Images.

Briefly here is a run down of what exactly happens when you get your
picture taken on an ID4000 at the DMV. At the first desk or table the
narrow eyed, overpaid, government employee will ask you for some general
information like a birth certificate, picture ID, name, address, SSN#, what
party you prefer to vote for, and whether or not you want to donate your
organs in the event of your untimely demise. You reply by handing her
your fake birth certificate and ID that you had printed no more then an
hour ago, hoping the ink is dry. "My name is Lee Taxor I reside at
38.250.25.1 Root Ave in the Beautiful Port apartments #23 located in
Telnet, Colorado, I prefer to vote for Mickey Mouse of the Disney party,
and can't donate my organs because Satan already owns them." The
disgruntled employee then enters all your information in the correct fields
while never taking an eye off you in fear that you know more about the
machine he or she is using then they do (perhaps you shouldn't of worn
your Coed Naked Hacking T-shirt that you bought at DefCon 4). As soon as
the bureaucrat hits <ENTER> all of the information is sent to a database
located in the directory named after the computer (i.e.
c:\ID4000\ColoDMV\96DMV.MDB). Then you are directed to the blue screen
where you stare at the JVC monitor trying to look cool even though the
camera always seems to catch you when you have to blink or yawn or even
sneeze. *SNAP* the picture is taken and displayed on the monitor where
the employee can laugh at your dumb expression before printing it. If
the employee decides to print the picture it is saved as a 9 digit
number associated with your database record. The 4000 then compresses
the picture and saves it. So the next time you go in and the pull up
your record it will automatically find the associated picture and
display it on the screen. But in the mean time you grab your fake ID the
DMV just made for you and leave happy.

In a nut shell that's all there is to these machines.

Part Three:  Security

I think a better topic is lack of security.  I have yet to see any of
these machines that are remotely secure. Before we go any further the
4000 is best accessed using CloseUp the others using Carbon Copy, But
any mainstream communications program will more then likely work. You
Dial and it asks you right away for a username and password. whoa, stop,
road block right their. Unless of course you know the backdoor that
Polaroid put in their machines so they can service them. =)

ID4000
Login: CSD (case Sensitive)
Password: POLAROID (who would of guessed?)
 
ID3000
Login: CPS
Password: POLAROID (god these guys are so efficient)

ID2000+ And ID2000
Login: POLAROID  (ahh the good old days)
Password: POLAROID

Now if these do not work because they have been edited out, there are
still a few VERY simple ways of getting in to your victims system. The
first is to go with every hackers default method of social engineering.
The best way to do this is to call them up and say "Hi this is (insert
tech name here) with Polaroid Electronic Imaging! How is it going down
there at (name of company)."  The say "pretty good!" in a funny voice
thinking what great customer support. You say "How is the weather been
in (location of company)" they reply with the current weather status
feeling that they can trust you cause you are so friendly. You say "well
(name of person), we were going through our contacts one by one doing
routine upgrades and system cleaning to ensure that your database is not
going to get corrupted anytime soon and that everything is doing what it
is supposed too, if you know what I mean (name of person)." Now they
reply "oh yeah" and laugh with you not having a clue of what you are
talking about. And they then say "well everything seems to be in order."
You say "great sounds good but old *Bob* would have my head if I didn't
check that out for myself." Then you ask if the modem is plugged in and
wait for the reply. The either say yes or no then you ask them go plug
it & give you the number or just give you the number. Then they comply
cause they are just sheep in your plan. You say "Hey thanks (name) one
more thing would happen to know if user CSD:Polaroid exists or did you
guys delete it." If they deleted it ask them to put it back in, giving
you administrative access. They probably know how to and will comply. If
they need help have them do the following: Click on the combination lock
icon at the top of the screen. This will bring them to the
administrative screen and they will have the choices of Purge, Reports,
and Passwords. Have them click on passwords. Then have them enter you as
a new user with CSD as your Name and Polaroid as your Password. After
they have done that make sure they give you all the Keys. The keys are
basically access levels like on a BBS. Lets some users do certain things
while others can not. The only key you need is administrative but have
them give you the rest as well.  The other keys are Management and Luser
I think. The keys are located to the left of the user information that they
just entered. Then have them click OK and close the call politely. Ta
da!! Here is a list of Polaroid phone techs but I would not advise using
Bob or Aryia cause their big wigs and nobody ever talks to them.

Senior Techs of Polaroid                                          
Regular Techs
Bob Pentze (manager)                                              
   
Don Bacher
Aryia Bagapour (assistant)                                       
Richard          
Felix Sue                                                         
     
Rick Ward
Jordan Freeman                                                    
   
Dave Webster
 
Call 1-800-343-5000 for more Names =)



Part Four: What to Do once you get in

Now that your in you have access to all of their database records and
photos.  Upload your own and have fun with it! Everything you do is
logged so here's what you'll want to do when you're done making yourself
an official FBI agent or an employee of the federal reserve. Go to all
of the available drives which could be a lot since they are on a network
and do a search from root for all of the LOG files i.e. C:\DIR /S *.LOG
Then delete the fuckers!!!! You can also do this by FDISK or formatting.
Just kidding! But if you want to do it the right way then go to the
admin screen and purge the error and system logs.

Basically if you want the form for government badges or the FBI agents
database this is the safest way to go. These computer do not have the
ability to trace but it does not mean the phone company doesn't! ANI
sucks a fat dick so remember to divert if you decide to do this. If you
don't know how to divert I recommend you read CoTNo or Phrack and learn
a little bit about phone systems and how they work.

Moving around in the software once your past the security is very simple
so I'm not going to get into it. If you can get around a BBS then you
don't need any further help. Just remember to delete or purge the logs.

Part Five: Closing

If your looking for some mild fun like uploading the DMV a new license
or revoking your friends this is the way to do it. However if you're
looking to make fake ID's I recommend you download the badge format and
purchase or obtain a copy of IDWare by Polaroid. IDware is a lot like
the 4000 software except you only need a scanner not the whole system.
As a warning to some of the kids I know of one guy who bought a
$50,000.00 ID4000 and paid it off in a year by selling fake ID's. When
Polaroid busted him they prosecuted to the fullest and now the guy is
rotting in a cell for 25 to 50 years. Just a thought to ponder.

Peace 
PiLL

Greetz
Shouts go out to the following groups and individuals: TACD, TNO, MOD,
L0pht, CDC, UPS, Shadow, Wraith, KaoTik, Wednesday, Zydirion, Voyager,
Jazmine, swolf, Mustard, Terminal, Major, Legion, Disorder, Genesis,
Paradox, Jesta, anybody else in 303, STAR, BoxingNuN, MrHades, OuTHouse,
Romen, Tewph, Bravo, Kingpin, and everyone I forgot cause I'm sure there
are a bunch of you, sorry =P.

                                ----<>----

 The Top Ten things overheard at PumpCon '96                   

10. "You gotta problem? Ya'll gotta rowl!"
               - Keith the security guard

 9. "My brain has a slow ping response" 
               - Kingpin

 8. "Space Rogue, I've been coveting your pickle."
               - espidre

 7. "If there's space -n shit, then it's Star Trek. Unless there's that
      little Yoda guy - then it's Star Wars" 
               - Kingpin

 6. "I'm the editor of Phrack. Wanna lay down with me?"
               - A very drunk unnamed editor of Phrack

 5. "Let's go find that spic, b_, no offense"  
               - A drunk IP to b_.

 4. "I'm lookin for that fat fucker Wozz.  He's big, and got a green shirt,
     and glasses, and curly hair, just like you.  As a matta a fact, you
     gots similar characteristics!" 
               - A drunk IP to wozz.

 3. "He was passed out on the floor... so I pissed on him" 
               - An unknown assailant referring to IP       

 2. "It was the beginning and the end of my pimping career"
               - Kingpin referring to his escapade of getting paid
                 two dollars for sex.

 1. "French Toast Pleeeeze!"
               - Everyone 

 
                                ----<>----


       TOP 0x10 REASONS TO KICK && WAYS TO GET
         KICKED OUT OF #HACK (Revision 0.1.1)
                    By SirLance

0x0f asking for any information about any Microsoft products
0x0e talking about cars, girls, or anything unrelated to hacking
0x0d flooding with a passwd file contents
0x0c asking how to unshadow passwd
0x0b being on #hack, #warez and #hotsex at the same time
0x0a asking for ops
0x09 using a nick including words like 'zero' 'cool' 'acid' or 'burn'
0x08 asking if someone wants to trade accounts, CCs or WaR3Z
0x07 asking what r00t means
0x06 asking when the latest Phrack will be released
0x05 asking where to get or how to create a BOT
0x04 having the word BOT anywhere in your nick
0x03 having a nick like Br0KnCaPs and SpEak LiK3 Th4t all the time
0x02 asking for flash.c or nuke.c, spoof.c, ipsniff.c or CrackerJack
0x01 thinking #hack is a helpdesk and ask a question
0x00 being on from AOL, Prodigy, CompuServe, or MSN

                   -EOL-

        
                                ----<>----

                             International business
                                    by HCF


Friday, 3:00am 4.12: 
	I get the call:

	Julie:	"You break into computers right...?"
	Dover:	"Yea, what kind..."
	Julie:	"Mac, I think."
	Dover:	"Hmm... Call ``HCF'' at 213.262-XXXX"
	Julie:	"Uh, will he be awake...?"
	Dover:	"Don't worry (snicker) he'll be awake."

Friday, 4:00am 4.12
	HCF called me at 4am after he got the call from Julie:

	HCF:	"you got me into this mess, I need to barrow your car."
	Dover:	"Umm shure.  Ok..."
	HCF:	"I'll be right over..."

Friday, 12:30pm 4.12: upon returning the car:

	HCF: 	"Umm, got a parking ticket, I'll write you a check later..."

(I never got the check.)

Kathleen's comment to Julie which was passed to me (days later):

	Kath:	"Why didn't you tell me he was cute, I want him for myself!"

When I passed this on to HCF:

	HCF:	"She is *gorgeous* but not without a wet suit..."



	Here is the story that happened early one Friday morning...  The names
have been changed to protect the innocent, the guilty, and the innocent-looking
guilty....

I was reading up on a new firewall technology, the kind that locks
addresses out of select ports based on specific criterion, when the phone
rang.

"Hello?"
The voice of a women, between 18 and 30, somewhat deep like Kathleen
Turner's, said, "Uh, hello..."

There was an obvious pause.  It seemed she was surprised that I was so
awake and answered sharply on the second ring.  It was in the middle of my
working hours; 3:30 AM. There was no delay in the phone's response, no
subtle click after I picked up, and the audio quality was clear.

"Do you hack?"  she asked.

Recorder on.  Mental note: *stop* getting lazy with the recorder.

"No.  Are you on a Cell phone?" I responded
"No."
"Are you using a portable battery operated telephone?"
"No.  I was told by my friend ..."
"Are you in any way associated with local, federal or state law enforcement
agencies?"
"Oh, I get it.  No I'm not.  Julie said that you could help me."

I knew Julie through a mutual friend.

"Could you call me back in 5 minutes."
"Well, um, ok."

Throughout the whole conversation, the phones on her end were ringing off
the hook.  As soon as I hung up, Ben, the mutual friend, called.  Julie had
called him first, and he gave her my number.  I got his reassurance that
this was legit.  Ben was snickering but wouldn't divulge what it was about.
By now my curiosity was piqued.

The phone rang again, "I need someone who can break into a computer."
"Whose computer?"
"Mine."

It turns out that the woman had hostility bought out the previous owner of
this business.  The computer in question had both a mission-critical
database of some sort and a multi-level security software installed.  She
had been working under a medium permission user for some time.  The
computer crashed in such a way as to require the master password (root) in
order to boot.  The pervious owner moved out of town, could not be
contacted, and was most likely enjoying the situation thoroughly.  The
woman was unaware of any of the technical specifications or configuration
of the machine.  I was able to find out that it was a Apple Macintosh Color
Classic; a machine primarily distributed in Japan.  It would be around
10:00 AM in Tokyo.

"Why are the phones ringing so often at this time of the morning?" I asked.
"I do a lot of international business."

I was intrigued, the answer was smoothly executed without a delay or pitch
change.  I took the job.

Upon arriving, I was greeted by a young, stunningly beautiful, woman with
long, jet-black hair and stressed but clear green eyes.  I checked the room
for obvious bugs and any other surveillance.  There were calendars on the
wall, filled out with trixy and ultra-masculine sounding names like Candy
and Chuck.  The phones had died down some. The machine in question was
obviously well integrated into the environment; dust patterns, scratch
marks, worn-out mouse pad;  it had been there for some time.  There was a
PBX, around 6 to 8 voice lines, three phones, and no network, modem or
outside connectivity.

The security, which we'll call VileGuard, defeated all the "simple" methods
of by-passing.  None of the standard or available passwords, in any case or
combination, worked.  A brute-force script would be slow as second failure
shut the machine down.

I made a SCSI sector copy onto a spare drive and replaced it with the
original.  This involved tearing open the machine, pulling various parts
out, hooking up loose wires, merging several computers, and turning things
on in this state.  Trivial and routine, I did it rapidly and with both
hands operating independently.  For those who have never opened the case of
an all-in-one Mac, it involves a rather violent looking smack on both sides
of the pressure fitted case backing, appropriately called "cracking the
case."  This did not serve well to calm the nerves of the client.  After a
few moments of pallor and little chirps of horror, she excused herself from
the room.

While the SCSI copy preceded, I overheard her taking a few calls in the
other room.  What I heard was a one-sided conversation, but I could pretty
much fill in the blanks,

"Hello, Exclusive Escorts, may I help you?"
"Would you like to be visited at your home or at a hotel?"
"Well, we have Suzy, she's a 5'4" Asian lady with a very athletic body.
Very shy but willing, and very sensual, she measures 34, 24, 34."
"Big what?  Sir, you'll have to speak a little clearer."
"Oh, I see, well we have a very well endowed girl named Valerie, she's a
double D and measures 38, 24, 34.  Would that be more to your liking?"

It was not easy to keep from busting up laughing.

"He wants you to do what?  Well, charge him double."

With the new drive installed, and to predictable results, I fired up a hex
editor. My experience has been that full-disk encryption typically slows
the machine down to the point where the user disables it.  At around
$5C9E8, I found, "...507269 6E74204D 616E6167 65722045 72726F72...
...Print Manager Error..." in plain text.  I searched for some of the
known, lower permission, passwords.  I found a few scattered around sector
$9b4.  The hex editor I was using could not access the boot or driver
partitions, so I switched to one that could.  It's not as pretty of an
interface as the last editor, and is rather old.  Its saving grace though
is that it doesn't recognize the modern warnings of what it can and cannot
see.  There it was, VileGuard; driver level security.

"Eric is endowed with eight and has a very masculine physique."

Every male was "endowed with eight," every female had relatively identical
measurements.

I hunted fruitlessly around the low sectors for what might be the master
password.  All awhile wishing the find function of the editor would accept
regexp.  All the other passwords were intercapped on the odd character, but
that was a convention of the current owner, and not necessarily used by the
past owner.

"Oh, you want a girl that is fluent in Greek?"

It's not professional for me, and not good salesmanship for her, to have me
overheard laughing myself into anoxia.  After trying to straighten up and
gather my wits together again, I began to consider an alternate
possibility.  If I don't know the password, what happens if I make it so
that the driver doesn't either.  Return to the first-installed condition
perhaps? It was a thought.  It turned out to be a bad thought, resulting in
my haphazardly writing "xxxx" over, pretty much, random sectors of the
driver partition.

"Oh yes sir, Roxanne prefers older men.  She appreciates how very
experienced they are.  I understand sir, and I'm sure she can help you with
that."

Before I made a second copy and whipped out the RE tools, TMON and MacNosy,
I tried booting. The results were, as you'd expect, that the disk didn't
mount.  Instead, it asked me if I wanted to reinitialize the disk.  Pause.
Think... ya, why not. This was most definitely farther than I had gotten
with the secure driver installed and functional.  I canceled and fired up
one of many disk formatters I had on hand.  Though the formatter wasn't the
slickest, it had proven itself repeatedly in the past.  Its main quality
was that of writing a driver onto a disk that is in just about *any*
condition.  It's made by a French drive manufacturer.  As dangerous as this
behavior is, I'm sure it's a planned feature.  It could see the drive and
allowed me to "update" the driver.  A few seconds later, a normal
"finished" dialog.

"Yes, Stan carries a set of various toys with him.  No, I don't believe he
normally carries that, but I'm sure if you ask him nicely, he'll drop by
the hardware store on his way and pick one up."

I rebooted.  It worked.  I copied over the disk's data and reformatted.
Time to try it on the original drive (I had, of course, been working on my
copy.)  Upon startup, before anything could be accessed, "Please input the
master password..."

Puts an unusual twist on the phrase, "adverse working conditions"

- HCF

Note 1: Payment was in currency.
Note 2: If you ever think you understand the opposite sex's view on sex,
you're underestimating.


                                ----<>----


	The Beginners Guide to RF hacking

		by Ph0n-E of BLA & DOC


     Airphones suck.   I'm on yet another long plane ride to some
wacky event.  I've tried dialing into my favorite isp using this lame GTE
airphone, $15 per call no matter how long you "talk".  In big letters it
says 14.4k data rate, only after several attempts I see the very fine
print, 2400 baud throughput.  What kind of crap is that?  A 14.4 modem that
can only do 2400?  It might be the fact they use antiquated 900MHz AM
transmissions.  The ATT skyphones that are now appearing use imarsat
technology, but those are $10/minute.  Anyway they suck, and I have an
hour or so before they start showing Mission Impossible so I guess I'll
write this Phrack article Route has been bugging me about.

   There are a bunch of people who I've helped get into radio stuff, five
people bought handheld radios @ DefCon...  So I'm going to run down some
basics to help everyone get started.  As a disclaimer, I knew nothing about
RF and radios two years ago.  My background is filmmaking, RF stuff is just
for phun.

   So why the hell would you want to screw around with radio gear?  Isn't it
only for old geezers and wanna be rentacops?  Didn't CB go out with Smokey
& the Bandit?  

Some cool things you can do:

   Fast-food drive thrus can be very entertaining, usually the order taker
is on one frequency and the drivethru speaker is on another.  So you can
park down the block and tell that fat pig that she exceeds the weight
limit and McDonalds no longer serves to Fatchix.  Or when granny pulls up
to order those tasty mcnuggets, blast over her and tell the nice MCD slave
you want 30 happy meals for your trip to the orphanage.  If you're lucky
enough to have two fast food palaces close to each other you can link them
together and sit back and enjoy the confusion.

   You've always wanted a HERF gun, well your radio doubles as a small
scale version.  RF energy does strange and unpredictable things to 
electronic gear, especially computers.  The guy in front of me on the plane
was playing some lame game on his windowz laptop which was making some very 
annoying cutey noises.  He refused to wear headphones, he said "they mushed 
his hair...".  Somehow my radio accidentally keyed up directly under his
seat, there was this agonizing cutey death noise and then all kinds of cool
graphics appeared on his screen, major crash.  He's still trying to get it
to reboot.

   Of course there are the ever popular cordless phones.  The new ones work
on 900MHz, but 90% of the phones out there work in the 49MHz band.  You can
easily modify the right ham radio or just use a commercial low band radio
to annoy everyone.  Scanning phone calls is OK, but now you can talk back,
add sound effects, etc...  That hot babe down the street is talking to
her big goony boyfriend, it seems only fair that you should let her know
about his gay boyfriend.  Endless hours of torture.

   You can also just rap with your other hacker pals (especially useful 
cons). Packet radio, which allows you up to 9600 baud wireless net 
connections, its really endless in its utility.

How to get started:

   Well you're supposed to get this thing called a HAM license.  You take 
this test given by some grampa, and then you get your very own call sign.
If you're up to that, go for it.  One thing though, use a P.O. box for your
address as the feds think of HAMs as wackos, and are first on the list when
searching for terrorists.  Keep in mind that most fun radio things are 
blatantly illegal anyway, but you're use to that sort of thing, right?

   If you are familiar with scanners, newer ones can receive over a very
large range of frequencies, some range from 0 to 2.6 GHz.  You are not going
to be able to buy a radio that will transmit over that entire spectrum.  There
are military radios that are designed to sweep large frequencies ranges for
jamming, bomb detonation, etc. - but you won't find one at your local radio
shack.

A very primitive look at how the spectrum is broken down into sections:

  0 - 30MHz (HF)  Mostly HAM stuff, short-wave, CB.
 30 - 80MHz (lowband)  Police, business, cordless phones, HAM
 80 - 108MHz (FM radio)  You know, like tunes and stuff
110 - 122MHz (Aircraft band) You are clear for landing on runway 2600
136 - 174MHz (VHF)  HAM, business, police
200 - 230MHz Marine, HAM
410 - 470MHz (UHF), HAM, business
470 - 512MHz T-band, business, police
800MHz cell, trunking, business
900MHz trunking, spread spectrum devices, pagers
1GHZ+ (microwave) satellite, TV trucks, datalinks

   Something to remember, the lower the frequency the farther the radio waves
travel, and the higher the frequency the more directional the waves are.

   A good place to start is with a dual band handheld.  Acquire a Yaesu
FT-50.  This radio is pretty amazing, its very small, black and looks cool.
More importantly it can easily be moded.  You see this is a HAM radio, it's
designed to transmit on HAM bands, but by removing a resistor and solder
joint, and then doing a little keypad trick you have a radio that transmits 
all over the VHF/UHF bands.  It can transmit approximately 120-232MHz and 
315-509MHz (varies from radio to radio), and will receive from 76MHz to about
1GHz (thats 1000MHz lamer!), and yes that *includes* cell phones.  You also 
want to get the FTT-12 keypad which adds PL capabilities and other cool stuff
including audio sampling.  So you get a killer radio, scanner, and red box all
in one! Yaesu recently got some heat for this radio so they changed the eprom
on newer radios, but they can modified as well, so no worries.

   Now for some radio basics.  There are several different modulation schemes,
SSB - Single Side Band, AM - Amplitude Modulation, FM - Frequency Modulation,
etc.  The most common type above HF communications is NFM, or Narrow band 
Frequency Modulation.

There are three basic ways communication works:

Simplex - The Transmit and Receive frequencies are the same, used for short
distance communications.

Repeater - The Transmit and Receive frequencies are offset, or even on
different bands.

Trunking - A bunch of different companies or groups within a company share
multiple repeaters.  If you're listening to a frequency with a scanner and
one time its your local Police and the next it's your garbage man, the fire
dept... - that's trunking.  Similar to cell phones you get bits and pieces 
of conversations as calls are handed off among repeater sites.

   Their radios are programmed for specific "talk groups", so the police only
hear police, and not bruno calling into base about some weasel kid he found
rummaging through his dumpsters.  There are three manufacturers - Motorola,
Ericsson (GE), and EF Johnson.  EFJ uses LTR which sends sub-audible codes 
along with each transmission, the other systems use a dedicated control 
channel system similar to cell phones.  Hacking trunk systems is an entire 
article in itself, but as should be obvious, take out the control channel 
and the entire system crashes (in most cases).

   OK so you got your new radio you tune around and your find some security
goons at the movie theater down the street.  They are total losers so you
start busting on them.  You can hear them, but why they can't hear you?
The answer-- SubAudible Tones.  These are tones that are constantly
transmitted with your voice transmission - supposedly subaudible, but if
you listen closely you can hear them.  With out the tone you don't break
their squelch (they don't hear you.)  These tones are used keep nearby
users from interfering with each other and to keep bozos like you from
messing with them.  There are two types, CTCSS Continuos Tone-Codes Squelch
system (otherwise known as PL or Privacy Line by Motorola) or DCS Digital
Coded Squelch (DPL - Digital Privacy Line).  If you listened to me and got
that FT-50 you will be styling because its the only modable dual band that
does both.  So now you need to find their code, first try PL because its
more common.  There is a mode in which the radio will scan for tones for
you, but its slow and a pain.  The easiest thing to do is turn on Tone
Squelch, you will see the busy light on your radio turn on when they are
talking but you wont hear them.  Go into the PL tone select mode and tune
through the different tones while the busy light remains on, as soon as you
hear them again you have the right tone, set it and bust away!  If you
don't find a PL that works move on to DPL.  There is one other squelch
setting which uses DTMF tone bursts to open the squelch, but its rarely
used, and when it is used its mostly for paging and individuals.

   Now you find yourself at Defcon, you hear DT is being harassed by
security for taking out some slot machines with a HERF gun, so you figure
it's your hacker responsibility to fight back.  You manage to find a
security freq, you get their PL, but their signal is very weak, and only
some of them can hear your vicious jokes about their moms.  What's up?  They
are using a repeater.  A handheld radio only puts out so much power,
usually the max is about 5 watts.  That's pretty much all you want radiating
that close to your skull (think brain tumor).  So a repeater is radio that
receives the transmissions from the handhelds on freq A and then
retransmits it with a ton more watts on freq B.  So you need to program
your radio to receive on one channel and transmit on another.  Usually
repeaters follow a standard rule of 5.0MHz on UHF and .6MHz on VHF, and
they can either be positive or negative offsets.  Most radios have a
auto-repeater mode which will automatically do the offset for you or you
need to place the TX and RX freqs in the two different VCOs.  Government
organizations and people who are likely targets for hacks (Shadow Traffic
news copter live feeds) use nonstandard offsets so you will just need to
tune around.

   Some ham radios have an interesting feature called crossband repeat.
You're hanging out at Taco Bell munching your Nachos Supreme listening to the
drive thru freq on your radio.  You notice the Jack in the Box across the
street, tuning around you discover that TacoHell is on VHF (say 156.40) and
Jack in the Crack is on UHF (say 464.40).  You program the two freqs into
your radio and put it in xband repeat mode.  Now when someone places their
order at Taco they hear it at Jacks, and when they place their order at
Jacks they hear it at Taco.  When the radio receives something on 156.40 it
retransmits it on 464.40, and when it receives something on 464.40 it
retransmits it on 156.40.

"...I want Nachos, gimme Nachos..."  
"...Sorry we don't have Nachos at Jack's..." 
"...Huh? Im at Taco Bell..."  
Get it?  Unfortunately the FT-50 does not do xband repeat, that's the only 
feature it's lacking.

   Damn it, all this RF hacking is fun, but how do I make free phone calls?
Well you can, sort of.  Many commercial and amateur repeaters have a
feature called an autopatch or phonepatch.  This is a box that connects the
radio system to a phone line so that you can place and receive calls.  Keep
in mind that calls are heard by everyone who has their radio on! The
autopatch feature is usually protected by a DTMF code.  Monitor the input
freq of the repeater when someone places a call you will hear their dtmf
digits - if you're super elite you can tell what they are by just hearing
them, but us normal people who have lives put the FT-50 in DTMF decode mode
and snag the codez...  If your radio doesn't do DTMF decode, record the audio
and decode it later with your soundblaster warez.  Most of the time they
will block long-distance calls, and 911 calls.  Usually there is a way
around that, but this is not a phreaking article.  Often the repeaters are
remote configurable, the operator can change various functions in the field
by using a DTMF code.  Again, scan for that code and you too can take
control of the repeater.  What you can do varies greatly from machine to
machine, sometimes you can turn on long-distance calls, program speed-dials,
even change the freq of the repeater.

   What about cordless phones, can't I just dial out on someone's line?
Sort of.  You use to be able to take a Sony cordless phone which did
autoscanning (looked for an available channel) drive down the block with
the phone on until it locked on to your neighbors cordless and you get a
dialtone.  Now cordless phones have a subaudible security tone just like PL
tones on radios so it doesn't work anymore.  There are a bunch of tones and
they vary by phone manufacturer, so it's easier to make your free calls other
ways.

   But as I mentioned before you can screw with people, not with your FT-50
though.  Cordless phones fall very close to the 6 meter (50MHz) HAM band and
the lowband commercial radio frequencies.  There are 25 channels with the
base transmitting 43-47MHz and the handset from 48-50MHz.  What you want to
do is program a radio to receive on the base freqs and transmit on the
handset freqs.  The phones put out a few milliwatts of power (very little).
On this freq you need a fairly big antenna, handhelds just don't cut it - 
think magmount and mobile.  There are HAM radios like the Kenwood TM-742A 
which can be modified for the cordless band, however I have not found a 
radio which works really well receiving the very low power signals the 
phones are putting out.   So, I say go commercial!  The Motorola 
Radius/Maxtrac line is a good choice.  They have 32 channels and put out 
a cool 65watts so your audio comes blasting out of their phones.  Now 
the sucko part, commercial radios are not designed to be field 
programmable.  There are numerous reasons for this, mainly they just want 
Joe rentalcop to know he is on "Channel A" , not 464.500.  Some radios are 
programmed vie eproms, but modern Motorola radios are programmed via a 
computer.  You can become pals with some guy at your local radio shop and 
have him program it for you.  If you want to do it yourself you will need
a RIB (Radio Interface Box) with the appropriate cable for the radio, and
some software.  Cloned RIB boxes are sold all the time in rec.radio.swap 
and at HAM swap meets.  The software is a little more difficult, Motorola 
is very active in going after people who sell or distribute thier software
(eh, M0t?) They want you to lease it from them for a few zillion dollars.
Be cautious, but you can sometimes find mot warez on web sites, or at HAM
shows.   The RIB is the same for most radios, just different software, you
want Radius or MaxTrac LabTools.  It has built in help, so you should be 
able to figure it out.  Ok so you got your lowband radio, snag a 6 meter 
mag mount antenna, preferably with gain, and start driving around.  Put 
the radio in scan mode and you will find and endless amount of phone calls
to break into.  Get a DTMF mic for extra fun, as your scanning around listen
for people just picking up the phone to make a call.  You'll hear dialtone,
if you start dialing first since you have infinitely more power than the 
cordless handset you will overpower them and your call will go through.  
It's great listening to them explain to the 411 operator that their phone is
possessed by demons who keep dialing 411.  Another trick is to monitor the 
base frequency and listen for a weird digital ringing sound - these are tones
that make the handset ring.  Sample these with a laptop or a yakbak or
whatever and play them back on the BASE frequency (note, not the normal
handset freq) and you will make their phones ring.  Usually the sample won't
be perfect so it will ring all wacko.   Keep in mind this tone varies from
phone to phone, so what works on one phone wont work on another.

   Besides just scanning around how do you find freqs?  OptoElectronics
makes cool gizmos called near-field monitors.  They sample the RF noise
floor and when they see spikes above that they lock on to them.  So you
stick the Scout in your pocket, when someone transmits near you, the scout
reads out their frequency.  The Explorer is thier more advanced model which
will also demodulates the audio and decode PL/DPL/DTMF tones.  There are
also several companies that offer CDs of the FCC database.  You can search
by freq, company name, location, etc.  Pretty handy if your looking for a
particular freq.  Percon has cool CDs that will also do mapping.  Before
you buy anything check the scanware web site, they are now giving away
their freq databases for major areas.

  OK radioboy, you're hacking repeaters, you're causing all the cordless
phones in your neighborhood to ring at midnight, and no one can place 
orders at your local drivethrus.  Until one day, when the FCC and FBI 
bust down your door.  How do you avoid that??  OK, first of all don't 
hack from home.  Inspired people can eventually track you down.  How?
Direction Finding and RF Fingerprinting.  DF gear is basically a 
wideband antenna and a specialized receiver gizmo to measure signal 
strength and direction.  More advanced units connect into GPS units for 
precise positioning and into laptops for plotting locations and advance 
analysis functions such as multipath negations (canceling out reflected 
signals.)  RF finger printing is the idea that each individual radio has
specific characteristics based on subtle defects in the manufacture of the 
VCO and AMP sections in the radio.  You sample a waveform of the radio and
now theoretically you can tell it apart from other radios.  Doesn't really 
work though-- too many variables.  Temperature, battery voltage, age, 
weather conditions and many other factors all effect the waveform.  
Theoretically you could have a computer scanning around looking for a 
particular radio, it might work on some days. Be aware that fingerprinting
is out there, but I wouldn't worry about it *too* much.  On the other hand
DF gear in knowledgeable hands does work.  Piss off the right bunch of HAMS 
and they will be more than happy to hop in their Winnebego and drive all 
over town looking for you.  If you don't stay in the same spot or if you're 
in an area with a bunch of metal surfaces (reflections) it can be very very 
hard to find you.  Hack wisely, although the FCC has had major cutbacks 
there are certain instances in which they will take immediate action.  They 
are not going to come after you for encouraging Burger King patrons to become 
vegetarians, but if you decide to become an air-traffic controller for a day
expect every federal agency you know of (and some you don't) to come looking 
for your ass.

   My plane is landing so thats all for now,  next time - advanced RF hacking,
mobile data terminals, van eck, encryption, etc.


EOF


                                ----<>----


10.16.96

Log from RAgent

GrimReper: I work For Phrack
GrimReper: Yeah
GrimReper: I gotta submit unix text things like every month
GrimReper: I've been in Phrack for a long time
GrimReper: Phrack is in MASS
-> *grimreper* so how much does Phrack pay you?
*GrimReper** How much?
*GrimReper** Hmm......
*GrimReper** About $142
-> *grimreper* really
-> *grimreper* who paid you?
*GrimReper** w0rd
*GrimReper** CardShoot
*GrimReper** Cardsh00t
-> *grimreper* hmm, I don't see any "cardsh00t" in the credits for phrack
+48
*GrimReper** There is
-> *grimreper* you might as well stop lying before I bring in daemon9,
+he's another friend of mine
-> *grimreper* he's one of the editors of phrack
*GrimReper** Get the latest Phrack?
*GrimReper** Its gonna have my NN
*GrimReper** watch
-> *grimreper* not anymore
*GrimReper** Go Ahead
-> *grimreper* actually
*GrimReper** so?
-> *grimreper* you will be mentioned
-> *grimreper* you'll be known as the lying fuckhead you are, when this
+log goes in the next issue

        
                                ----<>----
10.24.96

Log from Aleph1

*** ggom is ~user01@pm1-6.tab.com (ggom)
*** on irc via server piglet.cc.utexas.edu ([128.83.42.61] We are now all
  piglet)
*ggom* i am assembling a "tool shed".  A "shed" for certain "expert" activity.
    Can you help?
-> *ggom* maybe... go on
*ggom* i represent certain parties that are looking for corporate information.
   this would fall under the "corporate espionage" umbrella
*ggom* this information could probably be obtained via phone phreak but access to
  corporate servers would be a plus...can you help?
-> *ggom* a) how do I know you are not a cop/fed? b) why did you come to #hack
  to ask for this? b) what type of data you after? c) what type of money are 
 you talking about?
*ggom* where else should i go to ask for this stuff????????
-> *ggom* you tell me.  How do you know about #hack?
*ggom* looked it up on the irc server...figured this was a good place to
  start...........     i am talking about 4 to 5 figures here for the information
-> *ggom* you are also talking 4 to 5 years
-> *ggom* #hack is visited regularly by undercovers and the channel is logged
-> *ggom* talking openly about such thing is not smart
*ggom* whatever...........  man, if you are GOOD, you are UNTRACEABLE.  i
  guess i am looking in the wrong place......
-> *ggom* you been watching way to many times "Hackers" and yes #hack is the
  wrong place...
*ggom* we are on a private channel.........suggest a more private setting....
-> *ggom* sorry you started off on a bad foot. If you got a million to spare
  for such information you would also have the resources to find the
  appropiate person to do the job. So you either are full off it, are a fed,
  or just plain dumb. This conversation ends here.
*ggom* later
*ggom* not talking a million.. talking 5 to 6 figures.........    you are
  right
*ggom* talk to me.......
*ggom* talk to me.......


                                ----<>----
[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]
© Copyleft 1985-2014, Phrack Magazine.