The More Things Change... (page 4)
Power Trip (page 6)
Building Your Own Networks (page 9)
Pirates of the Internet (page 11)
Telecom Informer (page 13)
Darknets (page 15)
Scanning the Skies (page 16)
Essential Security Tools (page 18)
Decoding Experts-Exchange.com (page 20)
An Introduction to Beige Boxing (page 21)
Hacking the SanDisk U3 (page 22)
Exploring AT&T's Wireless Account Security (page 24)
Hacker Perspective: Rop Gonggrijp (page 26)
(More) Fun with Novell (page 29)
PayPal Hurts (page 30)
Facebook Applications Revealed (page 32)
Letters (page 34)
Hacking Windows Media DRM (page 48)
The Noo World (page 49)
Forensics Fear (page 51)
Transmissions (page 52)
Cracked Security at the Clarion Hotel (page 54)
Building Your Own Safe, Secure SMTP Proxy (page 55)
Zero-Knowledge Intrusion (page 57)
Booting Many Compressed Environments on a Laptop (page 58)
Avoid Web Filtering with SSH Tunneling (page 61)
Marketplace (page 62)
Meetings (page 66)
As we move towards our 25th year of publishing, we find that so much has changed in the world we write about. Yet somehow, a surprising amount of things are almost exactly the same.

Let's look at where technology has taken us. Obviously, nothing has stood still in the hardware and software universe. In 1984, ten megabytes of storage was still more than what most people had access to. Those few who even had their own computers would, more often than not, wind up shuffling five and a quarter inch floppies before they would invest in an expensive piece of hardware like a hard disk. And speed was a mere fraction of a fraction of what it is today. If you could communicate at 300 baud, it was considered lightning fast to most people. Of course, there were those who were always pushing to go faster and get more. It was this incessant need for expansion and improvement that got us where we are today.

Perhaps not as dramatic in scale but certainly as wrenching in feeling has been the change to our society and the world around us. In the current day, we are security-obsessed without having gotten any better at being secure. We seem to have lost any semblance of the trust that once guided us as human beings. Instead, we live in a state of perpetual alertness, suspicion, and fear. Some would say that this is reality and that this state of mind is the only way to survive in a hostile world. We would say that it's a sad reality and one that needs to be analyzed and hopefully altered. Were we to have started publishing in 2008 rather than in 1984, we likely would have been quickly branded as potential terrorists before ever being able to establish a foothold in our culture that enabled us to be seen as a revealing and even necessary voice.

Today we continue to exist in no small part because we have existed for nearly a quarter century. It is that history which strengthens us and one we should all try and learn as much as we can from.

So what has managed to stay the same over the years? A number of things actually, some good and some bad.

For one, the spirit of inquisitiveness that drives much of what the hacker world consists of is very much alive and in relatively the same state it's been in for so long. If anything were to sum up what every single one of our articles has had in common over all these years, it's that desire to find out just a little bit more, to modify the parameters in a unique way, to be the first to figure out how to achieve a completely different result. Whether we're talking about getting around a barrier put in place to prevent you from accessing a distant phone number or a restricted computer system, or cracking the security of some bit of software so that you can modify it to perform functions never dreamed of by its inventors, or revealing some corporate secrets about how things really work in the world of networks and security - it's all about finding out something and sharing it with anyone interested enough to listen and learn. These are the very foundations upon which 2600 was founded and those values are as strong today as they were back in our early days. In many ways they have actually strengthened. The Internet is an interesting example of this. While its predecessor, the ARPANET of the 60s and 70s, was developed under the authority of the military, what has evolved since then is a veritable bastion of free speech and empowerment of individuals. Of course, it's not all so idealistic. Not everyone cares and there's a constant struggle with those who want the net to be nothing more than a shopping mall and those who seek to control every aspect of it. But who can deny that literally any point of view can be found somewhere on today's net? And a surprising amount of people will defend that concept regardless of their own personal opinions. Almost without fail, if someone is told that they may not put forth a certain viewpoint or spread information on a particular subject, then the community of the net will respond and make sure the information is spread more than it ever would have been had there not been an attempt made to squash it in the first place. Nobody has yet been able to put the top back on the bottle and prevent this kind of a reaction since never before in the history of humanity has such a tool been so widely accessible. There obviously is still a long way to go and a good many battles to fight in order to keep free speech alive on the net. But this is at least encouraging and indicative of how hacker values have easily meshed with more mainstream ones.

Page 4 -------------------- 2600 Magazine
But something else which hasn't changed over the years is the malignment of hackers and what we stand for. The irony is that most people understand perfectly well what we're all about when presented with the facts. The mainstream media, however, never has and probably never will. It's simply not in their interests to portray us as anything but the kind of threat that will help them sell newspapers and get high ratings. Fear sells - that is the unfortunate truth. And fear of the unknown sells even better because so little evidence is needed to start the ball rolling.

In the media, as in politics, enemies are needed in order to set forth an agenda. From the beginning, hackers have fit the qualifications to be that enemy. They know too much, insist on questioning the rules, and won't stop talking and communicating with themselves and others. These types of people have always been a problem in controlled environments like dictatorships and public schools. It's not too difficult to see why they're viewed with such hostility by people who want to hold onto whatever power they happen to have. A true individual is no friend to autocrats.

If you read a newspaper or watch virtually any newscast, you won't have to wait too long for a story to appear with details on how the private records of thousands (or sometimes millions) of people have been compromised while in the care of some huge entity. We could be talking about a phone company, credit card provider, bank, university, or government. And the information that was lost might include anything from people's names, addresses, unlisted phone numbers, Social Security and/or credit card numbers, a list of purchases, health records, you name it: data that was entrusted to the company, agency, or bureaucracy for safekeeping which has been compromised because someone did something foolish, like somehow post confidential hospital files to a public web page, or copy customer information to a laptop which was subsequently lost or stolen. Yet in virtually every instance of such a profound gap in common sense, you will find that hackers are the ones getting blamed. It makes no difference that hackers had nothing to do with letting the information out in the first place. The media and the authorities see them as the people who will do virtually anything to get private data of individuals and make their lives miserable.

This misdirection of blame serves two purposes - as it always has. The first is to absolve those really responsible of any true blame or prosecution. The second is to create an enemy who can be blamed whenever anything goes wrong. Of course, the irony is that if hackers were the ones running and designing these systems, the sensitive data would actually be protected far better than it is now. There simply is no excuse for allowing people's private information to be copied onto insecure machines with no encryption or other safeguards. The fact that it keeps happening tells us that dealing with this isn't very high on the priority list. Perhaps if those organizations that don't have sufficient security practices were held accountable rather than being allowed to blame invisible demons, we might actually move forward in this arena. But one must ask what would be in it for them? The answer is not a whole lot.

These battles and conflicts will no doubt continue regardless of what direction our society takes us. While we have indeed been frustrated with the seeming lack of progress on so many levels, we can't help but be fascinated with where we will wind up next - both in the technological and political spectrum. The combination of the two may very well seal our future for quite a long time to come.

The one thing that will keep us going (and that has made it so worthwhile for all of these years) is the spirit of curiosity that our readers and writers continue to proudly exhibit. It's a very simple trait, and perhaps one that's an unerasable ingredient of our humanity. It will survive no matter how our technology advances, regardless of any law or decree put forth to stifle it, and in spite of misperceptions and overall cluelessness. If we keep asking questions and thinking outside the box, there will always be something good to look forward to.
Winter 2007-2008 ------------------ Page 5
Power Trip
by OSIN
It is common in 2600 for writers to preface whatever topic they may be discussing with a disclaimer such as "I by no means condone or encourage illegal activity." That ends with this article. Since it is now impossible in America to tell who is a criminal and who is not, or to tell what is a crime and what is not, I wholeheartedly condone the practice of the actions I'm about to lay out by any and all criminals reading this article. But not to worry: should any of you criminals out there run afoul of the greatest crime syndicate since the Gambinos, you can always use the "Scooter" Libby lame-ass defense, assuming you're a rich, white, non-violent, first time offender.

One of the most used weapons of today's organized crime syndicate is the secret warrantless search. That means they can enter your residence while you're away and either seize computer equipment or bug the place. Surely such evil doesn't exist in the Land of the Free and Home of the Brave! And, how ironic: I began writing this article on the 4th of July. But, yes, things are taking place that I'm pretty sure the forefathers of the USA didn't intend. So, let's take a bite out of crime!

Our first weapon against evil-doers is wireless technology, specifically an Internet-capable wireless camera and a wireless access point (WAP). I won't go into the security considerations of wireless cameras and access points; I'll only say that it is in your best interest to change the default login password. There are many more security issues pertaining to this technology, but they are beyond the scope of this article. I strongly suggest that you educate yourself about these issues lest you give criminals access to spy on you. No, what we're more interested in at this stage are the capabilities of the wireless cameras on the market now. Different cameras have different capabilities, but if you were to select one, I would say it should have at least two capabilities: the ability to be monitored over the Internet with a browser and the ability to send email alerts or attachments.

You should consult your particular camera's documentation for information on how to set it up. I can't really give specifics since different manufacturers' cameras vary widely, but in most cases you can set the email notification, whether to send an mpeg attachment, the number of seconds to record, which email addresses to send the alert to, and so on. You should also think about such things as the placement of the camera. Set it far enough away from the area you're monitoring so that the camera has enough time to record a few seconds and send an email before it gets unplugged. You might even want to consider hiding it or disguising it as another object. The point is that you can't have a secret warrantless search if there's video of someone in your residence. And knowing about it is half the battle. Remember that they don't have to kick down your door or pick the lock. Many of these gangs have huge amounts of technical resources, so they can make their own keys to get into your place.

But let's not stop there; evildoers always collude with other criminal elements of society to get what they want. Anyone desperate enough to do a secret warrantless search is probably wise enough to case out the victim before such a search is actually conducted. And, during the course of such an investigation, they might discover that you have wireless cameras throughout your residence. How might they react? Well, barring a full-scale search and seizure, which would make secrecy moot, they might collude with a well-known criminal enterprise that shakes down citizens on a monthly basis: the power company. Keep in mind that the power company will always do what it takes to please its regulatory master. So, with no power, our wireless camera and setup is useless, right? Not so fast. Consider our second weapon against secret warrantless searches: the UPS.

When the UPS first came out, it was nothing more than a glorified surge protector. The first ones could power a desktop computer and monitor for about 15 minutes, really only useful to give the user time to gracefully shut down the computer. About a year ago, though, I came across the newer versions. They had a USB port which allowed them to be monitored with proprietary software on a laptop. They also boasted far greater power capacity than older models did. The one I bought could power a desktop and flat screen monitor for nearly 90 minutes. But, because I haven't used my desktop in years and I didn't want a good UPS to go to waste, I wondered how long this UPS would power my wireless camera, broadband modem, and WAP. The power requirements for all three added up to 110 Watts while the UPS boasted an ability of 450 Watts. On top of being a surge protector, the UPS also contained a voltage
regulator so I had some confidence that using it outside its intended design parameters wouldn't fry my wireless setup. I gave it a go. Using my laptop to monitor the UPS I found that after an hour of running all three devices off the UPS, the battery's charge had fallen to around 92 percent. Not bad. Now, theoretically, if the power usage is linear, then that might run the setup for more than 10 hours, but in a real-world scenario, more power is going to be utilized as my wireless components become more active or have to send out data over my broadband connection. I never tested how long it could power the setup since you can decrease the life of the rechargeable 12 volt battery if you go below 80% charge, so let's assume for argument's sake that my UPS will power the full requirements of my wireless setup for 7 hours. That's still a long time for miscreants to have to wait to start their search.

But power outages are common in the United States. It's not unusual for one to occur, and there are usually no sinister forces behind them, so how do you know if the power outage at your residence is a normal one? For that matter, how would you know that one occurred? It's true that my UPS starts beeping when the power goes out, and since my wireless camera also has a microphone, I'd be able to hear it if I logged in to see what's going on. But I'd have to know that an outage has occurred to connect in the first place. The point is that you may not know if the outage is just a normal blackout, but there are ways of knowing that an outage has occurred. The problem is one of notification. And in this next part, I'm going to use a program that's been used on computers for several years to track battery energy consumption (our third weapon): Advanced Power Management (APM).

APM is normally used on laptops to monitor the battery and do some notifications when the battery level approaches critical levels. The good thing about APM is that it will tell you when the power goes out or the power adapter is unplugged from the wall socket. It goes without saying that APM will treat a power outage the same way it would treat unplugging the power adapter from the wall and running on battery power. For this example, I'll be using OpenBSD. On OpenBSD 3.9, my version of APM will give human readable statistics on the status of the power. On a laptop, the command to execute is apm -v. You may need to start the apm daemon first, which is merely apmd. When you run the apm -v command it will output three lines similar to these:

Battery state: high, 100% remaining, 151 minutes life estimate
A/C adapter state: connected
Performance state: uninitialized (200MHz)

But when the AC adapter is unplugged or there is a power outage the second line in the output from apm changes to this:

A/C adapter state: not connected

So, it's that particular line that we are most interested in. After plugging the laptop into a wall socket, we could write a script that would run in cron every minute and test whether that second line had changed. Before we proceed, though, I want to return to the wireless camera. Anyone who has one of these cameras and has used the motion detection email attachment option will tell you that it's sometimes too sensitive to light changes and not sensitive enough to motion unless you have the sensitivity set to high. The false positives the camera sends out can be annoying. Wouldn't it be nice if the camera's motion detection option could be turned on only if the power goes out? I found that it is possible, assuming your camera allows it. Most of these cameras are running a simple web server to which you can log in and make changes to the settings and options. My camera, for instance, uses the GET method when you click the Apply button to turn motion detection and emailing on. The entire call I need to use shows up in the browser URL location bar. So now that I know what the full URL is to do this manually, I can incorporate that knowledge in my cron script so that when a power outage is detected it will automatically turn on the motion/email option using wget. Here is a Perl script that would perform this feat (the wget line has been truncated since the real call is very, very long):

#!/usr/bin/perl
# Run from cron every minute: read the apm status lines and look at
# the A/C adapter line only.
@apm = `/usr/bin/apm -v`;
foreach $line (@apm) {
    if ((index $line, "not connected") > -1) {
        # if the apm.lock file does not exist
        if (!(-e 'apm.lock')) {
            # We only want this command to run
            # once, which is why we have a lock file
            `wget -O powertrip.html --http-user=admin --http-passwd=yourpassword "http://camera_ip/adm/file.cgi?audio_enable=enabled&mot=enabled&email=you@yourisp.com"`;
            $lock = `/bin/touch apm.lock`;
        }
    } else {
        # The power is back on. Remove the lock
        # file but do not turn off monitoring
        if ((index $line, "connected") > -1) {
            $exec = `/bin/rm -f apm.lock`;
        }
    }
}

As I said, the http call has been severely truncated. The actual call is much longer. Each camera is different, though, so you may actually have to sniff your traffic to learn the actual call to your camera's webserver to turn on motion detection. Note that the variable that actually turns on monitoring is "mot" for my camera. To turn off monitoring, you would just change your call line and set mot to "disabled", but I advise you to leave monitoring turned on after a power outage event.

There is an old saying that criminals always return to the scene of the crime. I don't know if that's always true, but our criminals are very anal-retentive and won't give up easily. So they may call in some favors from another syndicate which has a long history of collusion: your ISP.
I'm not sure if it is feasible for the ISP to disconnect just one DSL or cable modem, but I can imagine they would have some way to block any traffic coming from your modem temporarily. That means that even with backup power, your email alert and attachment will not get through. What to do then?
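The outage watchdog from the APM section above, as an added shell version that is not the article's Perl script: it parses the A/C line of apm -v, arms the camera exactly once per outage using a lock file, and only creates the lock when the request to the camera succeeded, so a failed wget is retried by the next cron run. The camera URL, credentials, lock path and apm command are placeholders for your own setup.

```shell
#!/bin/sh
# Power-loss watchdog: poll the A/C line of `apm -v` from cron and, on the
# first "not connected" reading, turn the camera's motion/e-mail mode on
# exactly once. A lock file marks that the outage has been acted on; when
# mains returns the lock is cleared but monitoring is left on, as advised.
# Added example, not the article's script. LOCK, CAMERA_URL, ADMIN_USER,
# ADMIN_PASS and APM_CMD are placeholders.

LOCK="${LOCK:-/var/run/powertrip.lock}"
CAMERA_URL="${CAMERA_URL:-http://camera_ip/adm/file.cgi?mot=enabled&email=you@yourisp.com}"
ADMIN_USER="${ADMIN_USER:-admin}"
ADMIN_PASS="${ADMIN_PASS:-yourpassword}"
APM_CMD="${APM_CMD:-/usr/bin/apm -v}"
ENABLE_HOOK="${ENABLE_HOOK:-enable_camera}"

# ac_state: read `apm -v` output on stdin and print the value of the
# "A/C adapter state:" line ("connected" / "not connected"), or "unknown"
# if that line is missing. Matching only this line keeps the battery and
# performance lines from ever producing a false hit.
ac_state() {
    awk '
        /^A\/C adapter state:/ {
            sub(/^A\/C adapter state:[ \t]*/, "")
            sub(/[ \t\r]*$/, "")
            print; found = 1; exit
        }
        END { if (!found) print "unknown" }
    '
}

# enable_camera: the one-shot action, the same GET request the article
# issues with wget. Credentials on a command line show up in `ps`; putting
# http_user / http_password in ~/.wgetrc keeps them off it.
enable_camera() {
    wget -q -O /dev/null --http-user="$ADMIN_USER" \
        --http-passwd="$ADMIN_PASS" "$CAMERA_URL"
}

# handle_state STATE: act on one reading and print what was done, so the
# transition logic can be exercised without a UPS or a camera.
#   armed    first reading of an outage: hook ran, lock created
#   already  outage continues, lock present: nothing to do
#   cleared  mains back: lock removed, camera left in monitoring mode
#   idle     mains on, no lock
handle_state() {
    case "$1" in
        "not connected")
            if [ -e "$LOCK" ]; then
                echo already
            else
                "$ENABLE_HOOK" || return 1   # no lock if the request failed
                : > "$LOCK"
                echo armed
            fi ;;
        connected)
            if [ -e "$LOCK" ]; then rm -f "$LOCK"; echo cleared; else echo idle; fi ;;
        *)
            echo unknown; return 1 ;;
    esac
}

# Cron entry:  * * * * * /usr/local/bin/powertrip.sh --check
if [ "${1:-}" = "--check" ]; then
    handle_state "$($APM_CMD | ac_state)"
fi
```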
Although my camera has a proprietary program to save images to a flash drive or hard disk, it's not easily scriptable in a Unix-like environment. To combat this possible attack, then, we must resort to an entirely different setup. Instead of using a WAP, wireless camera, and modem, we will use a digital camera, an old 8x8 WinTV card, and a program called Motion. The OS used is some variation of Linux; in the particular case when I first built this setup, I used RedHat. Motion uses the video4linux interface, so any TV card or digital camera setup that supports video4linux might work. It's hard to tell with some hardware, but that's why I never throw any hardware away if it still works. Anyway, the setup goes like this: you hook the video-out of the camera into the video-in of the TV card which is sitting in a PCI slot of your desktop computer. You've downloaded Motion from SourceForge.net and have it installed. Here's an excerpt from my motion.conf file:

framerate 10
input
norm
auto_brightness yes
threshold 1000
noise_level 16
night_compensate yes
lightswitch yes
daemon on
quiet yes
execute /usr/share/alert.sh
target_dir /home/pics
ffmpeg_cap_new no
ffmpeg_timelapse on
thread thread1.conf

Some things may have changed in the later releases of Motion, so you should read the documentation. I won't go into great detail other than to say that threshold controls how sensitively Motion will react to movement, execute means that an alert script is run once motion is detected, and target_dir is where the jpeg images of the detected motion are stored. Right before I log out of my machine and leave my residence, I have a shell script which delays the startup of Motion and runs as a background process:

#!/bin/sh
echo "Sleeping for 60 seconds."
sleep 60
echo "Starting motion detector..."
motion

That gives me time to get out the door before Motion starts detecting. There are tons of other options that Motion has, such as streaming mpegs, but they are beyond the scope of this article. Returning to our problem of criminals secretly going through our residence, we have to assume that if your ISP is blocking outgoing traffic from your modem, then the miscreants will still have physical access to your system running Motion. That's a problem. If they can reboot your system using some sort of rescue CD, then they might be able to mount your hard drives, search for any jpegs and delete them. What to do?

A while back, I wrote an article for 2600 on loopback encryption on flash drives. You can now read it at http://uk.geocities.com/osin1941. But I think you get the idea. Using the loopback device, you can create an encrypted filesystem to write the images. Without knowing where to look, any state-supported criminals will not spend that much time looking for your images. And rebooting the machine with a Linux rescue CD won't help them unless they know the password to mount the encrypted file system. Also, there are other open source programs, such as TrueCrypt, out there that let you do the same thing as the loopback encrypted filesystem but on-the-fly. I highly suggest you take the time to acquaint yourself with the various options you have available to you.

It is unlikely that the current state of affairs will ever lead to the repeal of secret warrantless searches. Once criminals get a certain amount of power, they never ever want to relinquish control and, short of an insurgency, it's very hard to break their grasp on our lives. But, armed with the right tools, we can make it harder for them to paint us as terrorists while they themselves excuse their own for similar conduct. And, since equal protection and treatment under the law is now a lie in the United States, it is up to us to start fighting back. I hope this article spawns more articles on leveling the playing field for those of us who don't have powerful friends.
SAVE HOTEL PENN

The home of the HOPE conferences is in danger of being torn down and replaced with a huge office complex. Help us fight to preserve the historic Hotel Pennsylvania, a vital part of New York City since 1919. Join the discussion at talk.hope.net. Keep updated at www.savethehotel.org.
Building Your Own Networks
by Casandro
As developments like data retention and censorship become prevalent, it might be wise to build new networks, networks that belong to the users. Back in the BBS days, people operated their own networks like FidoNet over the easily available but unfree telephone network. Today, the Internet is the new unfree network, plagued by companies who want to extort more and more money out of the users. So, it might be a good idea to build your own moderately-sized networks. Even if this won't solve any important problems in the world, it will still be fun.

In this article, I would like to compress all the information needed to do so. This article is a bit Linux-centric, but the ideas should be easy to convert to just about any operating system.

Well, what's the obvious thing you need first? Connections. Today we have a lot of possibilities, from IP over carrier pigeon to fast fiber optic connections. The most practical of these are probably WLAN and VPN tunnels. The other thing needed is routing. So we need a routing protocol which is simple to use and available to anybody.

Let's start with the connections. Obviously the simplest connection is just an Ethernet cable. Configure the nodes just as usual, and there you go. For larger distances, it might be wise to use WLAN devices in ad-hoc mode. This is probably best explained by an example. Let's assume our wireless device is named wlan0. You can find out its name and settings with the iwconfig command. Setting up the device can be a bit tricky. You will need the following commands:

iwconfig wlan0 essid "NetworkName" channel 6 mode ad-hoc commit
ifconfig wlan0 10.111.4.5 netmask 255.255.255.0

The first line sets the wireless device's channel and network. The second command assigns the IP address 10.111.4.5 and netmask 255.255.255.0 to the device. The other wireless devices on the network would have to be in the 10.111.4.x range, with x between 1 and 254. On some cards you will have to first execute an ifconfig wlan0 up command to turn on the device. Please choose the IP addresses as randomly as possible to avoid collisions. If you notice that an IP address or range is already taken, use another address.

VPN tunnels are a bit harder to set up. There are a number of technologies for this, but we'll focus on OpenVPN because it is available for most platforms and easy to set up, at least in shared key mode. First you need to create a key:

openvpn --genkey --secret somefile.key

This stores the shared key in the file somefile.key. Obviously, you could use any file name for this. This key has to be copied to both ends of the tunnel. OpenVPN then needs a configuration file which tells it what to do. Here's an annotated example. First, the server's configuration file:

port 1117 # Be sure to have this UDP port open to be accessed from the client
dev tun
# internal server addr. client address
ifconfig 172.24.13.11 172.24.13.12
# name of your keyfile
secret somefile.key
# periodically send some packets to keep the connection alive through routers
keepalive 10 120
comp-lzo # compress the data.

And the client's:

remote nameorip.ofyour.server.org # This is the IP or domain name of your server
port 1117 # The same as on your server
dev tun
# internal client addr. server address
ifconfig 172.24.13.12 172.24.13.11
# name of your keyfile
secret somefile.key
# periodically send some packets to keep the connection alive through routers
keepalive 10 120
comp-lzo # compress the data.

As you can see, there are two differences between the server's and the client's configuration files: the client's file has an additional remote line, and the ifconfig lines have the IP addresses in reverse order. Again, please choose the internal addresses randomly, to avoid collisions. Be sure to always use private addresses.

To start openvpn, just type openvpn --config yourconfigfile.conf. Start openvpn first on your server, then on your client. Most distributions already have init files to start openvpn automatically on boot-up. These often only support one tunnel. If that is enough for you, you can try to use that.

Now, you need to set up the routing. For this we will use OLSR as provided by olsrd. This is now probably the most popular daemon for wireless meshed networks. I prefer the 0.5
series as it is considerably more stable than the
0.4 one.
To make it work, you might need to change
a few settings in the configuration file,
olsrd.conf:
UseHysteresis no
LinkQualityLevel 2
In the interface section of the file you need
to uncomment the line
Ip4Broadcast 255.255.255.255
and adapt the Interface line to inclu
.
de all
your network interfaces. In my case that IS:
Interface !ltunOrl rrtunl1! t'tun2,1
",lItun311 "tun4" "tunS" "tun6"
..,. ..tun?1I IItun8" lIethO"
Now you can simply start olsrd by typing
olsrd �d 2 on the console. After a short while,
the links' status messages should appear. Once
you seem to be connected to your peers, you
can type route �n to get a list of all the
routes. Typically, you should get a line for every
node in the network.
What if you have computers which cannot
run olsrd, for example because they are routers
or printers?
For those computers, you can use the host
network announcement (HNA) feature. This
feature tells the other nodes in the network that
your node can reach computers that are not
nodes.
In the Hna4 section of olsrd . conf, you
will find an example of this. You will also
have to tell the devices that they can reach the
OLSR-managed network via your node. One
easy way to do this is to set the devices' default
gateway to your computer.
So what could be accomplished with this?
Of co�rse, you could start by connecting your
computer to your friends' computers and even
to strangers'. Additionally, you could set up a
wireless interface. With this, you will be able
to offer network access to all members of
the network, without having to offer Internet
access. If nearby nodes also have wireless
devices, they can also form a connection and
build a network. Wireless networks were the
original application for olsrd. �n
.
Berlin, there
is such a wireless network consisting of several
hundred nodes.
In the dormitory I live in, we have some
wireless nodes. Roaming works rather well.
You can walk throughout the building and keep
your IP address despite being in a different
point of the network topology.
As described, this network does not include internet access. If you want to provide it, you have several possibilities. The simplest and most elegant is to set up NAT on your node and use a HNA entry to 0.0.0.0 0.0.0.0 in your olsrd.conf. Nodes to which your node is the closest internet gateway will automatically use your connection. There can be several internet gateways; however, be aware that if network topology changes cause you to change your gateway, then stateful protocols like TCP might break.
Another way is to use proxies. For example, I run an anonymity proxy on one of my nodes. This works fairly well if you only want to do web-browsing, as you must manually select your gateway in your web browser.
A good compromise might be to create another VPN tunnel to the internet. This would potentially allow you to have unlimited internet access.
To further obscure the network topology and therefore the position of servers of the network, it might be desirable to install those servers on virtual machines. You could then just migrate the server from one location to another.
I already operate a small network consisting of 3 permanent nodes plus some extra nodes fading in and out. If you want to connect to it, I am willing to give a tunnel to anyone who is willing to give some tunnels to others.
Automation
In order to save you from having to do a
lot of monotonous work, I have written a few
scripts.
The script search_ip.sh first gets a random address from the private address range and checks whether it is already taken. If we did not check, there would be a rather high chance of collisions. This is a traditional birthday paradox. Keep in mind that, in addition to this high chance, there is also a probability of not recognizing that an IP address is already taken.
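As an added illustration (not one of the article's scripts), here is a Python sketch of the two points above: the birthday-paradox collision probability when every node picks a random address, and a picker that rejects addresses already visible in the routing table but cannot see nodes that are currently unreachable. The 10.0.0.0/8 range, the in_use set and the function names are assumptions; the article does not say which private range its script uses.

```python
from __future__ import annotations

import ipaddress
import random

# Assumption: the picker draws from 10.0.0.0/8. The article only says "the
# private address range" without naming which one its script uses.
PRIVATE_NET = ipaddress.ip_network("10.0.0.0/8")


def collision_probability(nodes: int, space: int = PRIVATE_NET.num_addresses) -> float:
    """Birthday-paradox figure: probability that at least two of `nodes`
    independently chosen random addresses out of `space` coincide.

    Computed exactly as 1 - prod_{i=0}^{nodes-1} (space - i) / space, the
    chance that every pick avoids all earlier picks, rather than with the
    usual exp(-n^2 / 2N) approximation.
    """
    if nodes < 2:
        return 0.0
    p_all_distinct = 1.0
    for i in range(nodes):
        p_all_distinct *= (space - i) / space
    return 1.0 - p_all_distinct


def nodes_for_collision_probability(target: float,
                                    space: int = PRIVATE_NET.num_addresses) -> int:
    """Smallest number of nodes whose random picks collide with probability
    at least `target`. Runs the same product as collision_probability()
    incrementally, so the two functions agree exactly."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must lie strictly between 0 and 1")
    p_all_distinct = 1.0
    nodes = 0
    while 1.0 - p_all_distinct < target:
        p_all_distinct *= (space - nodes) / space
        nodes += 1
    return nodes


def pick_free_address(in_use: set[str],
                      net: str | ipaddress.IPv4Network = PRIVATE_NET,
                      rng: random.Random | None = None,
                      attempts: int = 100) -> str | None:
    """Draw random host addresses inside `net` until one is not in `in_use`,
    or give up after `attempts` draws and return None.

    `in_use` stands for the addresses this node can currently see (in the
    article's setup, what `route -n` lists once olsrd has converged). A node
    that is switched off or not yet reachable is absent from that view, which
    is the residual risk the article points out: the check only knows about
    addresses the routing table already contains.
    """
    net = ipaddress.ip_network(str(net))
    rng = rng or random.Random()
    first = int(net.network_address) + 1      # skip the network address
    last = int(net.broadcast_address) - 1     # skip the broadcast address
    for _ in range(attempts):
        candidate = str(ipaddress.IPv4Address(rng.randint(first, last)))
        if candidate not in in_use:
            return candidate
    return None


if __name__ == "__main__":
    n = 5000  # constructed size: a mesh of a few thousand tunnel nodes
    print(f"{n} nodes picking at random in {PRIVATE_NET}: "
          f"P(collision) = {collision_probability(n):.3f}")
    print("nodes needed for a 50% collision chance:",
          nodes_for_collision_probability(0.5))
    visible = {"10.0.0.1", "10.0.0.2"}  # constructed: what route -n shows now
    print("candidate address:", pick_free_address(visible, rng=random.Random(1)))
```

With roughly 4800 nodes drawing from a /8 the odds of at least one duplicate already pass 50%, which is why the script's check is not optional.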
When an apparently free IP address is found, the script write_configuration_files.sh is executed. This script creates a server and a client configuration file as well as the shared key file and neatly packs them into two zip files, one for the server and one for the client. Please edit the settings at the top of this file to suit them to your needs.
getkeys.cgi is a "key dispenser". It gives out a different key file for every request. If you have a very fast computer with a fast connection to the internet, you could use the first script to create a few hundred configuration files and use the cgi-script to get them to your peers.
Be sure to not leave your key files world readable. Not only could they be read by just about anybody on your system, but also OpenVPN will refuse to start.
So, let the fun begin.
References:
• olsrd: http://www.olsr.org
• Birthday Paradox: http://en.wikipedia.org/wiki/Birthday_paradox
• Large olsrd WLAN-mesh in Berlin (in German): http://www.olsrexperiment.de/
The scripts mentioned in this article can be downloaded from the 2600 Code Repository at http://www.2600.com/code/
Page 10 ------------------- 2600 Magazine
Pirates of the Internet
by black death
blackdeathx@gmail.com
Yo ho ho and a bottle of caffeinated beverages!
We hear about them on the news: evil nerds that make those poor multi-billion dollar record companies and movie studios lose money. But who are pirates really? I'm sure that many people who read this magazine are pirates too, whether you distribute intellectual property or you simply download MP3s. Whether you do or not, this article will be insightful.
I wrote this article because of an article on piracy from the Summer 2004 issue of 2600 that I remember, not because it inspired me but because it was so bad. I was also inspired by how uninformed or just plain ignorant the guys who write for news shows are. Hopefully, my article will shed light on something that few people, not even other hackers, know much about. In this article, I will go into detail about how piracy works. I know that a lot of you guys will know most of the terms but I will define them anyway for the newbies.
Music
This is probably the simplest as well as the most widespread form of piracy; it is also the one you are probably most familiar with. The pirate extracts songs from a CD, which is called ripping them. This can be done either from the official CD on the day of its release or in advance if the pirate works for the record company. Then, the songs are converted to the MP3 audio format, most commonly at a bitrate of 128 kilobits per second, which makes files of relatively low quality. Finally, these new files are put in the "Shared Folder" of the user's peer-to-peer (P2P) program. That's it; the P2P program automatically shares the files with anyone who requests them, so the user doesn't have to worry about anything. Each person who downloads a file also begins sharing it, so even more people can download the file and at faster speeds.
You may have heard on the news about people getting sued by the RIAA, which is an organization representing the four largest American record companies, and some of you might be worried about being sued, but here's my advice: don't worry; they don't have shit on you. That's right: the way these guys "catch" you is by searching for a selected MP3 file of one of the artists they represent and then sending out letters to the households using all of the IP addresses that show up. The same IP is usually shared by several different households even if you don't factor in WiFi and the fact that they can't prove who was using the computer. (A robber could've broken in to use your high speed connection because he has dial up, downloaded music, and saved it to his iPod.) If you're still worried, however, download a program called Peer Guardian. It's free and it blocks anti-P2P companies' and government organizations' IPs from connecting to you. Without going on a rant, I'd just like to point out that the record companies have actually made more money since P2P became big: record sales may be down, but internet sales are way up. Also, they barely pay the musicians anything; if it wasn't for ASCAP and BMI giving the artists performance fees for radio play, covers, and the like, most musicians seriously would be dying of hunger.
Movies
If you live in Asia or a large city with a predominantly Asian area (a "Chinatown") in it, then you've probably seen people selling pirated movies. Where do they get them from? Most pirated DVD salesmen download the movies from torrent sites like Torrentspy and Mininova. This is very easy to do, but the salesmen make money off the chumps who don't know how to do it by selling the movies for anywhere from $1 to $5 each. The movies are usually in VCD format, which is like DVD but lower quality, which can fit on a CD-R, and which can be played on any DVD player. But where those torrents come from is a more interesting story.
Usually the movie is captured by someone sitting in the movie theater with a camera. This was once done very poorly, but now it's usually done with a tripod and an empty theater. These are called "Cam" releases and usually come out the day of the movie's release, but they are also usually of bad quality. There is also another method called "Telesync" which is basically the same as Cam, except the audio comes through some direct input such as a headphone jack, rather than the camera's microphone. They are also usually better quality than their Cam counterparts. If a movie is very popular, especially among the white male 14-30 demographic that most often downloads these files, then sometimes a DVD Screener will be released one or two weeks later. These files, sometimes just called "Screeners", are DVD rips made from DVDs of the movie that are given out only to certain people in the film industry but which then get leaked. Regardless of how the movie was captured, the release group then converts the movie to an XviD file, which is a high quality video format, better than DVD, but which can mostly only be watched on computers and some DVD players, or alternately to VCD format as BIN/CUE disc image files which can be burnt to CD. The files are then distributed as a torrent.
A torrent is a file containing information about which files to download from which BitTorrent
tracker. It basically works the same way as P2P programs, but instead of using Ares or Limewire to search, you use a website. The torrent files are found on torrent websites which either have their own tracker, like Torrentspy does, or search multiple trackers, like Isohunt does. These are public torrent sites; there are also private torrent sites which you can join by invitation only. On private trackers, the quality of the file you download is usually better and the download usually goes faster, but you also have to maintain a certain ratio of how much data you download to how much you upload, and you also have a lower selection of files, unless it's an enormous site such as Oink.
Software, Games, and Other
This is the form of piracy most of you are unfamiliar with because it is the most complicated. Don't get me wrong: it's not complicated; it just seems that way to the average person. Software is usually distributed as a trial version of the software and a crack. A crack is often a modified main executable of the program which bypasses the licensing system, though sometimes all you need is a serial number or license key. Games usually come as the full game ripped from the official CDs with the copy protection cracked, plus a serial number or a program that generates serial numbers. Sometimes you'll also get a NoCD program, which is the same as a crack but instead of bypassing the licensing system, it bypasses the system that checks whether the game CD is inserted or not. However, if the game came as CD-ROM disc image files, then you can use a virtual CD program like Daemon Tools to emulate an actual CD drive instead.
Cracks, key generators, NoCDs, and the like are made by people known as crackers. The crackers use debuggers like OllyDbg and IDA Pro to disassemble the original program's assembly code. They then modify this code with a hex editor such as Hiew or FlexHex. Commercial software programs often try to prevent this by using software protection systems such as Armadillo, ASProtect, or WinLicense, but most crackers can get around these protection systems anyway. There are sites out there that have databases of cracks and serials, but today these sites are so filled with adware and malware they're not even worth visiting unless you really know what you're doing.
Back in the day, warez used to actually be uploaded to one's own FTP or HTTP server or to a hacked server. Now, however, almost everyone uploads to a site called Rapidshare or to one of its many clones like Megaupload. These sites were cool at first but they have wait times of up to a minute before you can download the file you want. This can be bypassed, but a lot of the time it's unsuccessful. Also, because the sites usually limit uploaded files to 100 MB each, warez downloads are usually in 100 MB RAR parts. RAR files are compressed archives similar to ZIP files. The download sites, however, have created something called premium accounts, where you pay monthly for an account that can download an unlimited amount of files without wait times and with prioritized speeds. These premium accounts are often used almost like a currency on warez forums.
Warez forums are internet forums where warez downloads are posted. Most of these downloads, however, are taken from DDL sites, which I'll talk about later. Warez forums have sections for chatting just like other forums; they also have "VIP" sections, which you gain access to by having a certain amount of posts or, more commonly, by donating to the site. These VIP sections supposedly contain rare, high-quality files, but most of the time these sections are disappointing and not worth your money or posting time.
Warez forums used to have very good potential, but now everyone uses DDL sites or torrent sites. This is because all the big warez forums are currently owned by morons. One example is a forum called WTalk: it started as a very good forum, not because of the admin but because of the powerful and smart people he knew. After a complicated series of events, the administrator banned the people who were the most integral to his forum, and slowly everyone else who was important to the community started to leave or get banned. After a while, the only people left were so childish and stupid ("noobs") that they could relate to the admin. Since everyone with double-digit IQs has left, the only people left to give the administrator advice are the ones as stupid as or stupider than him. They suck up to him, so all his harebrained ideas have resulted in even lower-quality members and even more noobs; this is a process I call "Reverse Natural Selection". On top of all this, he has also secretly kept a log of his members' passwords, which are supposed to be encrypted, and he's used his members' donations for the site to buy new MacBooks, iPods, and so on. This stupidity and corruption is common among many warez forum admins, though not usually to this degree.
Sorry for my little rant. Anyway, back on topic: DDL sites are websites where the links to downloads are submitted and then displayed as thousand-page lists of software titles. They also, of course, have a search bar. The biggest DDL sites are Katz and PhazeDDL. The sites that submit their links are either actual websites or warez forums, but, either way, they both use Rapidshare most of the time. Also, if you search for a file on a DDL site, most results you get will be redundant: the same Rapidshare link over and over, just with different people getting ad revenue or members.
Conclusion
Warez has come a long way from the "Don't copy that floppy" era, to the rise and fall of Napster and Kazaa, to torrents, and to people selling something that is supposed to be free. Who knows what the future holds? Maybe one day you'll be able to download physical objects, but what I know for certain is that, right now, warez is at a high point for quantity and a low point for quality. It will take something big to fix it. I hope you enjoyed my article and learned something from it. I hope to write for 2600 again.
About me: I have been an active member in the warez community for several years now and sometimes I contribute to the Wikipedia article on warez. I have my own warez forum. It's small but with it, I'm trying to battle the flaws of other warez forums I mentioned earlier in the article. You can visit it at http://www.kronikfilez.com/.
Hello, and greetings from the Central Office! It's hard to believe that it's already winter, but the Cascades are covered in snow and ski racks are on almost every car. This is a time of year when a lot of emergencies happen, and the telephone system plays - now more than ever - a vital part in emergency response.
These days, 911 is the virtually universal way throughout the U.S. and Canada to summon the police, fire department, or an ambulance (sometimes all three at once). There is an extremely detailed and rigorous set of standards around how 911 systems and facilities are designed and constructed, and the standard-setting organization is the National Emergency Number Association (NENA).
When you dial 911, the telephone switch invokes an SS7 route that has been specially configured for this purpose. In most cases, your call will be routed over a dedicated trunk to a dedicated 911 switch (although in some areas this is a shared tandem switch - not the recommended configuration but it's better than nothing). The 911 switch looks at your inbound ANI and, based on that, routes you to the appropriate Public Safety Answering Point (PSAP) via a dedicated trunk. At this point - only a couple of seconds after you placed the call - the call answerer will inquire "911, what's your emergency?"
The information available to the 911 call answerer is dependent upon the 911 infrastructure in your area. In most cases, this will be some form of Enhanced 911 (E911), the current standard (most recently updated in 2004). At the network level, E911 consists of a voice circuit (over which you communicate with the call answerer) and a data circuit. The data circuit (which is private, runs a proprietary protocol, and isn't connected to the Internet) is a redundant dedicated connection to an Automatic Location Identification (ALI) database.
Basic 911 provides only a voice connection to the PSAP, with no other identifying data. While call takers have the ability to trace calls, it requires a call to the local phone company which can take up to ten minutes. The limitations of this system are evident when 911 calls are received from people who are disoriented or experiencing medical emergencies and may be unable to answer many questions or even provide the location from which they are calling.
In an effort to solve this problem, the E911 standard was developed. E911-capable PSAPs use Automatic Number Identification (ANI) data to identify callers. Based on this data, your phone number will display on the call answerer's console. The E911 system will also query the ALI database based on your ANI data. In most cases, this database is maintained by Intrado, Incorporated (a private company) and contains CNA (Customer Name/Address) data for nearly everyone in the United States
with a phone - even including unlisted numbers (I bet telemarketers would love to get their hands on this). Newer revisions of E911 include the ability to provide GPS location data for wireless phones, and this data is also obtained via the ALI database. However, these capabilities are fairly new and not yet widely deployed.
While the 911 system is incredibly useful and has saved many lives since it was originally deployed in 1968 (in Haleyville, Alabama and Nome, Alaska of all the random places), it wasn't originally designed to work with newer telecommunications services such as VoIP, wireless phones, and CLECs (Competitive Local Exchange Carriers). These have exploded since the Telecommunications Act of 1996 largely deregulated telephone service, creating both challenges and security vulnerabilities in the 911 system.
VoIP services in particular have illustrated practical vulnerability in the E911 system. Recently, a group of highly unethical phreaks (one of whom was known years ago as "Magnate") was arrested for engaging in an activity called "SWATting." This exploited a little known and multi-tiered loophole in the E911 system. In case you haven't heard what "SWATting" is, it involves spoofing someone else's ANI when calling a 911 "backdoor" number. Every PSAP in the 911 system has a "backdoor" number by design. These are used by operators to connect you to emergency services if you dial "0" instead of "911" for help. They can also be announced as the emergency contact number via the Emergency Alert System (of "This Is A Test" fame) in the event of a failure in the 911 switch or trunks (this actually happened a few years ago in Seattle). The unethical caller can then describe a violent kidnapping or other situation likely to provoke a SWAT team dispatch by the 911 call taker, who has no idea that the apparent caller is actually the victim of a cruel (and very dangerous) hoax.
Back in the good old days of Ma Bell, nobody could touch the SS7 network except for loyal card carrying CWA union technicians. These days, any idiot with an Asterisk box and a sleazy VoIP provider based in Romania effectively has full SS7 control and the ability to impersonate any ANI they damn well please. This is because with certain VoIP providers, any ANI data that you configure in your VoIP PBX is accepted as gospel by the VoIP carrier, and is sent to the PSTN as both CLID and ANI data. Congress is worried about spoofing Caller ID, but that's small potatoes in my mind - most of the shenanigans around spoofed CLID data are harmless pranks. ANI spoofing, on the other hand - especially when mixed with 911 - is the real problem. If anything damn well ought to be more illegal than it already is, it's this!
And that's the end of my curmudgeoning here from the Central Office, at least for this ski season. Stay in bounds, stop in place if you experience a whiteout, and always keep your mobile phone charged to call the ski patrol!
Links
http://www.nena.org - National Emergency Number Association, the standard-setter for 911 systems.
http://www.qwest.com/wholesale/pcat/911.html - Qwest 911 interconnection and product offerings for filthy CLECs. This site contains links to many excellent diagrams of Basic 911 and E911 call routing topologies, which incompetent CLEC technicians could never understand.
by WillPC
willpc@hushmail.com
The Beginning of the End
In the beginning, there was the Internet. Everyone happily connected to it, and swapped information freely, without concern for privacy or safety. But soon, this began to change. The fascist regime began to pass legislation, shackling once-free information, and spying on the once-free people. The lightnets were shut down by law enforcement or legal action. Even the decentralized networks, such as BitTorrent trackers, fearing attack, began to become seclusive and private.
The Technology
This new wave of totalitarianism calls for the next generation of file sharing technologies, darknets. Thus far, there have been, roughly speaking, three generations of file sharing technologies, each with a fundamental flaw leading to its demise. The first generation was the centralized and semi-centralized lightnets, such as Napster and even the World Wide Web. However, due to their centralized nature, they were shut down by criminal charges or legal action of some kind. The second generation consisted of decentralized networks, such as gnutella and BitTorrent. Although the decentralized networks are a great improvement over the centralized networks of yesteryear, they, like their ancestors, are flawed. Decentralization was created to combat the legal attacks which destroyed networks like Napster. However, many things were overlooked in their design, namely anonymity and encryption. In the wake of ISP monitoring and RIAA lawsuits, decentralization is not enough. Individuals are being targeted, in order to spread fear.
The Resistance
The third generation of file sharing software is the most important: darknets. A darknet is a private encrypted virtual network for a small group of people. The goal of a darknet is a small, completely encrypted network, completely invisible to anyone who doesn't know about it. Not even your ISP can tell what files are being moved through the heavily encrypted darknet.
Motivations for a Darknet
There are several advantages to darknets. In a small network, with only trusted users, IP farming techniques used by the RIAA and similar organizations are useless. Darknets are heavily encrypted, so they are immune to ISP monitoring tools. Darknets can be "bridged" by users who belong to multiple darknets (see Small World Theory). Because darknets are small networks set up by groups who know each other, key distribution becomes a non-issue.
Darknets fix the vulnerabilities suffered by their predecessors, but not without expense. Darknets have one weakness: people. The security of a darknet is based on trust of those using it. Before you invite someone into your group, ask yourself if you really trust that person. Also, set strict rules regarding members inviting new people into your darknet. One lapse of judgment could compromise the security of your darknet. With a tight-knit group of people you trust, and weapons-grade encryption, darknets are the safest, most robust file sharing available.
Building a Darknet
There are a number of ways to build a darknet. Unfortunately, there isn't much software available to do it. Freenet (freenetproject.org) and WASTE (waste.sourceforge.net) can both be used to create darknets. However, both of these create decentralized darknets. This may seem like a good thing, and in many situations it is. Before deciding on a decentralized network, take into account the size of your network, and how often people keep their computers running. Make sure there is a root node which will always be on, preferably with a static IP.
The second option is a centralized network. Unlike large centralized networks, darknets are not only small and private but also disposable. A larger darknet can be composed of smaller networks, with connections made through shared members, preferably connecting through some sort of proxy in order to protect the identities of the users. A centralized darknet could be constructed in a number of ways, such as an encrypted NFS drive and a secure connection like an ssh tunnel; an encrypted FTP service where each user is given an account which can write to the service; specialized software which uses a hub to cache data (I am writing such software); or a directory, such as a torrent tracker, where all the files are encrypted.
Peace.
Winter 2007-2008 ----------------- Page 15
Scanning the Skies
by GutBomb
The pursuit of knowledge and understanding of the way things work doesn't need to be limited to computers and telephones. We are being bombarded on a constant basis by microwaves from mobile phone towers, radio transmitters, television broadcast towers, and even from satellites thousands of miles above the earth's equator. These satellites are the focus of this article.
Using a system that only costs about $300, you can explore the exciting world of satellite TV broadcasts from the comfort of your own couch (and the roof of your house from time to time). Sports backhauls, news feeds, syndication uplinks, foreign programming, unbiased news, government propaganda, weather reports, internet access, totally free (free as in beer and as in speech) programming, and most importantly, a greater understanding of how the broadcast world works are already being blasted towards you every minute of every day, so why not have some fun!
The Clarke Belt
Television satellites are all lined up along the equator of the Earth. When seen from the Earth's surface, they form an arc across the southern sky known as the Clarke Belt, after science fiction pioneer Arthur C. Clarke. The arc contains over 80 satellites that usually have a name identifying them and a number that corresponds with the longitude meridian they are on. For example, the main Dish Network satellite is known as Echostar 6/8 and it sits in a geosynchronous orbit over the 110 degrees West longitude line. It is often referred to as 110W (read one-ten-west).
Broadcast Bands
There are three commonly used broadcast bands used for satellite television distribution. The Ku-band is the most common method of satellite broadcasting in the country. It is used by both major direct-to-home satellite services (DirecTV and Dish Network) as well as by independent satellite bandwidth providers. Ka-band is a newer technology that has been used for years to distribute satellite internet access and satellite radio but which has recently started making inroads to video distribution. Finally, there is classic C-band, which the major networks use for distributing their channel feeds to other satellite providers and cable companies. C-band requires very large dishes, the smallest of which are nearly 6 feet across. Ku- and Ka-band signals can be pulled in with much smaller dishes, approximately 30 inches across, which are easily mounted on a roof or wall.
Video Standards
Much of the available video up there is now digital. Over the past ten years, most analog video has disappeared on the Ku-band, but you can still find a bit available on C-band. In the case of video distribution, digital does not always mean better. A good standard definition feed on C-band will almost always be better than a digital feed of the same channel because it is the master feed. By the time it reaches your cable or direct-to-home satellite system, it has been encoded digitally, compressed, and bit-starved to the point of looking like a pixelated mess. Analog, however, is a huge bandwidth hog, and prone to interference, so along the way, things progressed more to providing digital feeds. An analog channel takes the same space as up to 20 digital channels, and when satellite providers can provide more bandwidth for channel distribution, they get more money from channel producers. Analog programs are just regular NTSC feeds in North America, and can be picked up by cheap analog receivers.
In the digital realm, the possibilities of what you can find expand greatly. So do the difficulties in initially finding the signal and the expense in getting proper equipment. The main digital standard used for satellite TV in North America is called DVB-S. Most of the world uses DVB variants for their digital television distribution, such as DVB-S for satellite, DVB-T for terrestrial, and DVB-C for cable. In North America we use ATSC for digital terrestrial, and QAM for digital cable.
Equipment
The bare minimum setup you would need to get started is a satellite dish, a TV, and a satellite receiver. The dish is usually a parabolic dish that sits on a mast, with an arm shooting out from the bottom which holds the eye pointing back at the dish. This eye is called an LNB (Low Noise Block). There are a few types of LNBs available. A DirecTV/Dish Network dish contains a circular LNB. Circular refers to the shape of the microwaves being beamed towards it. Circular LNBs pick up spiral shaped beams. These are beamed out at very high power, so the dish itself doesn't need to be very big to pull in the signal. Unfortunately, these LNBs aren't suited to picking up the really cool stuff out there, and the dishes they are attached to are a bit too small, usually between 18 and 20 inches.
For the cool stuff, you will need a linear LNB.
The term linear, like circular, refers to the type of beam it takes in. Linear beams are less powerful and more prone to weather interference, so they require larger dishes. A certain type of linear LNB that can attain frequencies slightly lower than a regular linear LNB is called a universal LNB. The disadvantage to universal LNBs is that not all switches are compatible with them. There are plenty of newer switches, however, that work perfectly, and if you have a single dish system, then you most likely won't need switches anyway.

If you have more than one LNB that you want to connect to your receiver, then you will need to obtain a switch. The best switches to use are called DiSEqC switches. (I have no idea how to pronounce this out loud. I say 'diz-e-q-c,' but I am probably wrong.) You can hook four LNBs into the switch, and then just run a single cable down to the receiver.

The LNB I prefer is called the Invacom QPH-031 and you can pick it up for about $80 at any of a number of shops on the internet. It can pick up both circular and universal beams and has two outputs for each. An LNB this fancy is not necessary, however; a cheap $15 universal LNB would be fine for a beginner just getting started.

The dish is an important consideration. A small 18-inch dish won't really do for us, because there are only a few channels available to us legitimately without subscribing to or decrypting an encrypted signal. (This is possible, but not the focus of this article.) Ideally, the best dish to get started with would be 30 inches or larger. I opted for a Fortec FC90P 90cm (36") dish. The dish will come with a mast that you can mount on your roof or on a wall, the reflecting dish, and the LNB arm, but you will have to supply the LNB yourself. This dish will set you back about $100, including shipping.

The receiver is where stuff gets really fun, at least for me. I personally have two receivers. The first is a digital DVB receiver, and then I loop out from it to an old analog receiver. For digital, you have many choices, and unfortunately the market is a bit saturated right now, because these digital receivers can also be used for not-so-legitimate purposes. If you only want to be legit, I recommend the Pansat 2500A receiver. Though it is now discontinued, there are tons of them available on eBay for about $50-$70. It has a very reliable blind-scan feature, which is essential for finding wild feeds.

If you are looking for analog, you may have a much harder time finding a receiver, because they are old and rare. I recently found an analog satellite receiver from the '80s with which you can just dial up the entire map of frequencies, for only $32 shipped. I didn't have a C-band setup so there wasn't very much to find, but the things I did find were pretty interesting: some soccer, college basketball, an outdoor ice hockey game played on a pond, and an FBI training video. Any analog satellite receiver from the Uniden Supra line is highly recommended.

Finally, the last piece of equipment you really won't want to live without is a dish motor. This motor will tilt and pan your dish automatically, so you don't have to go up on the roof every time you want to look at a different satellite. A motor can be found online for about $100. You put your dish on the motor, put the motor on the mast, and point the entire assembly to the satellite closest to true south from your current position. Once you peak your signal there, you can use a feature of the Pansat called USALS that will automatically track the other satellites across the Clarke Belt based on that initial true south positioning. It's amazing to see it in action. My motor of choice is the Stab HH90.
Let's Scan the Skies

Here is where the magic happens. You've got your system all set up, your dish is pointed to true south, you've got your USALS all set up, and you've got your remote in hand. The fun in this is figuring it out, so this won't be a how-to. To point you in the right direction of satellite positions, I recommend http://www.lyngsat.com, a listing of satellites around the world and the channels that they contain. Using your receiver, you will tell your dish to point at a specific satellite based on its position (such as 97 degrees West) and blind-scan it. "Blind-scan" will find all channels on the satellite, including full-time channels, data feeds, radio channels, and wildfeeds. Wildfeeds are on-the-spot news reports that are being sent back to the network, which include times when the reporter is "off the air" while their hair is being fixed, they practice their lines, or have candid conversations with the camera crew. You may also find training videos that are broadcast to government agencies and schools around the country. If you're a sports fan, you'll love the sports wildfeeds, which are direct from the stadium broadcasts before they go back to the network. You'll sometimes find these without graphics, commercials, and, more rarely, even without the annoying commentators!

News feeds show up a lot on SBS6 (74w), NASA TV is available on 119w with a circular LNB, and PBS has some network feeds on AMC3 (87w). Aside from wildfeeds, among the other programming available on these satellites (especially 97w) is a ton of foreign programming. You can get an international perspective on news, hit Bollywood movies, sports that aren't normally aired in this region, and just a huge dose of international culture. The real fun is exploring, so I'll leave you to it!

Conclusion

There are tons of things waiting for you to find them up there. Finding something strange and interesting gives me an awesome feeling, and I feel better knowing that I've explored the system enough to gain a greater understanding of the satellite world as a whole. For more information on the topic, check out these great links:

Lyngsat Satellite Index: http://www.lyngsat.com
Satelliteguys FTA/MPEG Forum: http://www.satelliteguys.us/free-air-fta-discussion/

Shout outs: sxtxixtxcxh, traJ/sb, my lovely wife Hypher, and JemsTV who helped me out with this article.
Winter 2007-2008 ----------------- Page 17
Essential Security Tools

Over the course of my career in network security, I have come across a lot of security tools, most of which may already be familiar to people reading this article. Some of you may be a lot more adept with them than I am. With this article, I am hoping to lay groundwork for these tools which people can then build upon. For each tool, I will present where to find it, what it does, how and when to use it, and other tidbits of information which may come in handy.

Name: nmap
Where: http://insecure.org/nmap/
What: nmap (Network Mapper) is probably one of the most recognizable names of programs when it comes to network security. Supporting both IPv4 and (some) IPv6, nmap has become a staple for anyone working in network security. It is most commonly known for its port scanning abilities and its ability to customize the scans.
When: nmap comes in very handy for a number of purposes. Vulnerability assessments, penetration tests, testing firewall rules, testing (H/N)IDS functionality, and network audits are the main ones which come to mind off the top of my head, although I'm sure many of you out there have used nmap for other purposes as well.
How: nmap can be used simply as a basic port scanner (nmap -v -sT $target). This will perform a full TCP connect scan on most common ports. Or, it can be used for something more complex: nmap -v -sN -T1 -P0 -p 0-65535 -O $target will perform a NULL (-sN, no flags set) TCP scan, very slowly (-T1), with no ICMP check (-P0) on all 65,536 ports, while attempting to guess the target's operating system based on the results. Using nmap to test your (H/N)IDS signatures and the alerting which goes along with them is a task which will alleviate a lot of headaches when setting up your IDS and testing its functionality. Using nmap from outside your network against your firewall and any statically NATed hosts will help you audit your current firewall policy and setup. Using some of the advanced options and scan types with nmap will help you hide your hosts from fingerprinting attacks.

Name: amap
Where: http://www.thc.org/thc-amap/
What: amap (Application Mapper) is a tool which uses signatures to test application settings against a specific port. If you have ever set up a server, you know that most services can be re-mapped to run on a different port. For instance, editing Apache's "Listen Port" directive will allow you to change which port your webserver is on. If you change this to TCP/22, some scanners may report it as the SSH service. Using amap against this will trigger the HTTP signature and let you know what is really running on the port. amap supports both IPv4 and IPv6 for testing and is very accurate with its results.
When: amap can be used during VAs, RAs, PenTests and system setups or as a troubleshooting tool.
How: Using amap with the -bqv options is a good start. This will perform banner grabbing and attempt to match against the signature to let you know what is running on the port you have connected to. As a real-life example (sanitized), I had a customer who had rebooted their firewall and incoming TCP port 25 wasn't working. When I telneted to the port, I got an odd banner so I ran amap against it. This is what I got:

[root@alice ~]# amap -bqv 999.888.777.666 25
Using trigger file /usr/local/etc/appdefs.trig ... loaded 30 triggers
Using response file /usr/local/etc/appdefs.resp ... loaded 346 responses
Using trigger file /usr/local/etc/appdefs.rpc ... loaded 450 triggers
amap v5.2 (www.thc.org/thc-amap) started at 2007-06-24 16:17:34 - MAPPING mode
Total amount of tasks to perform in plain connect mode: 23
Waiting for timeout on 23 connections
Protocol on 999.888.777.666:25/tcp (by trigger http) matches smtp-pix - banner: 220 ****2**********************************************************0****0****0***************2******200************0*00
amap v5.2 finished at 2007-06-24 16:17:34

Noticing that the banner matches "smtp-pix," I was able to make the modifications to the firewall not to proxy incoming mail. I re-ran amap after and got this:

Protocol on 999.888.777.666:25/tcp (by trigger http) matches smtp - banner: 220 mail.somedomain.blah Microsoft ESMTP MAIL Service, Version 6.0.3790.1830 ready at Sun, 24 Jun 2007 16:22:09 -0400

Name: hping
Where: http://www.hping.org
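The banner-matching step described in the amap section above, as an added example that is not amap's code or the article author's: a small signature table (constructed here) is applied to the two port-25 banners quoted in the article, plus the Apache-on-22 case, so a port-only guess can be compared with what the service actually says. The grab_banner helper needs a live host and is the only part not exercised offline.

```python
"""Banner-based service identification in the spirit of amap -b.

Added example for this section; not amap's code and not the article author's.
amap reads what a service volunteers (or answers to a trigger) and matches it
against response signatures.  The tiny table below is constructed for this
example; the two 25/tcp banners are the ones quoted in the article.
"""
import re
import socket

# (name, pattern) in priority order: the PIX-masked SMTP greeting is more
# specific than a generic SMTP greeting, so it is tried first.
SIGNATURES = [
    # Cisco PIX "mailguard" fixup hides the real greeting behind asterisks
    ("smtp-pix", re.compile(rb"^220 [*0-9]{16,}")),
    ("smtp",     re.compile(rb"^220[ -].*\bE?SMTP\b", re.IGNORECASE)),
    ("ssh",      re.compile(rb"^SSH-\d\.\d+-")),
    ("http",     re.compile(rb"^HTTP/\d\.\d \d{3} ")),
    ("ftp",      re.compile(rb"^220[ -].*\bFTP\b", re.IGNORECASE)),
]

# What a port-number-only scanner would report (IANA defaults).
PORT_GUESS = {22: "ssh", 25: "smtp", 80: "http"}


def identify(banner: bytes) -> str:
    """Return the name of the first signature matching the banner, or 'unknown'."""
    for name, pattern in SIGNATURES:
        if pattern.match(banner):
            return name
    return "unknown"


def classify(port: int, banner: bytes) -> dict:
    """Compare the port-based guess with what the banner says.

    'mismatch' is set when the banner identifies a different service family
    (the article's Apache-on-22 case); 'proxied' when a firewall fixup is
    rewriting the greeting (the article's smtp-pix case).
    """
    observed = identify(banner)
    family = observed.split("-")[0]            # "smtp-pix" -> "smtp"
    guess = PORT_GUESS.get(port, "unknown")
    return {
        "port_guess": guess,
        "banner_id": observed,
        "mismatch": observed != "unknown" and family != guess,
        "proxied": observed.endswith("-pix"),
    }


def grab_banner(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Connect and read whatever the service says first (the -b step).
    Needs a live host, so it is not exercised by the offline samples below."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            return sock.recv(1024)
        except socket.timeout:
            return b""


# Sample banners: the article's two outputs, plus a constructed HTTP reply.
BANNER_PROXIED = (b"220 ****2" + b"*" * 60 + b"0****0****0"
                  + b"*" * 15 + b"2******200" + b"*" * 12 + b"0*00\r\n")
BANNER_DIRECT = (b"220 mail.somedomain.blah Microsoft ESMTP MAIL Service, "
                 b"Version 6.0.3790.1830 ready at Sun, 24 Jun 2007 16:22:09 -0400\r\n")
BANNER_HTTP_ON_22 = b"HTTP/1.1 400 Bad Request\r\n"  # constructed: Apache moved to 22

if __name__ == "__main__":
    for port, banner in ((25, BANNER_PROXIED), (25, BANNER_DIRECT), (22, BANNER_HTTP_ON_22)):
        print(port, classify(port, banner))
```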
Name: tcptraceroute
What: Using the basics of traceroute, tcptraceroute uses TCP instead of the usual UDP/ICMP combination of traditional traceroute. Some firewalls block normal traceroute traffic but will allow TCP traffic to go through. By using tcptraceroute, you can see the path you're taking on the port you expect to use.
When: If you're troubleshooting and need to find the path a certain packet will take on a multi-homed system or a large network with a lot of dynamic routing, but the intermediary routing devices don't allow regular traceroute, use tcptraceroute instead.
How: Running tcptraceroute $host $port will trace the route using TCP SYN packets to the $host on the specified TCP $port. It will first set the TTL to 1, which is expected to die at the first hop and receive an error message from the routing device that the TTL has expired. The program records that IP address as the first hop. It will then increment the TTL to 2 so the packet will make it past the first hop but not the second. This process repeats until either the maximum TTL, which defaults to 30, has been reached or the port is reached, either open or closed. If you don't expect the path to be too long, try using tcptraceroute -n -q 1 -m 15 $target $port. The "-n" option, useful at any time, tells tcptraceroute not to perform domain lookups and to give you the IP addresses only. This makes the results quicker as the program doesn't spend time looking up hostnames. Using "-q 1" tells the program to only query the hops once instead of the default three times. Again, this is also useful almost every time. The last option, "-m 15", specifies the maximum number of hops to use. The default is 30 and it can go as high as 255. Be warned: if you're stuck in an asymmetric routing scenario or are caught in a dynamic routing loop, you may cause some congestion and headaches for the admins.
Name: grass.pl
Where: http://www.2600.com/code/222/grass.pl
What: grass is a Perl program I created (yes, this paragraph is a bit of self-promotion) to help test stateful firewall software and the connections tables of the firewalls. It supports both IPv4 and IPv6 and acts as a TCP "door-jam" to create a 3-way handshake. When you're ready to close the connection, grass will send the closing 3-way handshake and close the connection.
When: If you have ever worked on a stateful firewall at the low level, you know that they hold connection information usually called a state table or connections table. If the connection table gets full, depending on the firewall software you're using, connections may get dropped. Or, if you try to open a connection on an already established source port, you may have weird effects. grass gives you the ability to choose both the destination and the source port for your traffic.
How: I was working on a customer issue where the firewall appeared to change a SYN packet into an ACK packet. Further troubleshooting found that the device downstream was a wireless router which (for some reason) could only handle 25 connections at a time. When connection 26 came in, it would use the same source port as connection 1 through the wireless router and, when it hit the firewall, the firewall would "help" the packet by changing the flags. I created grass to aid in troubleshooting stateful firewalls or stated connections over TCP.

Name: netcat (nc)
Where: http://www.vulnwatch.org/netcat/
What: It's probably easier to say what netcat isn't. Netcat (nc) is hyped as the "Swiss Army Knife" of networking tools and it lives up to that hype. You can use nc for something as simple as creating a TCP connection or you can be more advanced by creating a server-client setup to compress and transfer files between two hosts. You can have nc listening on a server and run a program when you connect to it. The possibilities are almost endless.
How: As much as I want to talk a lot about nc, I think I should keep it short as this article could become a book. nc can be used on its own or you can put it in your scripts. You can set it up to be a server or even just a listening socket on your TCP stack. I have taken the following example from the nc README file which illustrates a good use for nc:

A typical example of something "rsh" is often used for: on one side,
nc -l -p 1234 | uncompress -c | tar xvfp -
and then on the other side
tar cfp - /some/dir | compress -c | nc -w 3 othermachine 1234
will transfer the contents of a directory from one machine to another, without having to worry about .rhosts files, user accounts, or inetd configurations at either end.

As you can see, using nc in addition to what you normally do can make life a lot easier. You can build a basic automated file transfer program between two machines with a little knowledge of scripting, some nc and a cron job. Netcat is worth sitting down with a pot of coffee and playing around with.

Name: ike-scan
Where: http://www.nta-monitor.com/tools/ike-scan/
What: ike-scan has a name which is a bit misleading as it doesn't rely on ISAKMP only; it does IPSec scanning as well. If you are performing a VA, SA or PenTest against a VPN-capable machine, ike-scan is a must.
How: Using ike-scan may require a bit of reading on their wiki site to glean a good amount of usage information. By itself, ike-scan will go and attempt to gain as much information about the VPN target as it can: Is it using Aggressive Mode? What encryption and hashing methods are supported? What sort of authentication is being done? These are just a few questions which ike-scan will attempt to answer for you. In addition to performing basic enumeration, ike-scan can be used to negotiate full VPN connectivity, though this may not be for everyone to try. I have found that ike-scan is very helpful when troubleshooting VPN connections, especially when you don't control the remote end. Some VPN error messages from specific vendors can be rather cryptic (No Valid SA - Ye olde generic Checkpoint Error Message) and ike-scan helps give you good information in determining where the problem may lie. Using ike-scan in your VA, SA and PenTest work is also very helpful.
There are a lot more security tools out there which I haven't mentioned, including among others hunt, a session hijacker; thc-hydra, a password auditor; and thc-ipv6, an IPv6 attack toolkit. All of these, and others I haven't touched upon, could be put together to have a book written about them. I just wanted to draw some attention to the ones which I use on a regular basis and find most helpful in my day-to-day security work. In other words, if I didn't mention $your_favorite_program in this article, I'm not trying to slight you, the tool's authors, or its importance. I hope you find this article useful and begin to explore the uses of these and other programs. Once you become accustomed to how they work, you will find yourself using them in all sorts of scenarios in which you may not have thought of using them but in which they will help you out immensely.

by Phatbot
chunkylover37@gmail.com

At work this week, I was trying to resolve a particularly pernicious bug, so I Googled for the error message and came up with this: http://www.experts-exchange.com/Programming/Misc/Q20914397.html

Experts-exchange - hmm, that's awfully close to ExpertSexChange.com, another of my favorite websites! Er, not really.

Like many such sites, they would like your money before showing you the solutions to the questions posted. But unlike other sites, Experts-Exchange actually does show you the solutions, just in a grayed-out box that's hard to read.

When I've come across this site in the past, I just viewed the HTML source, and there you could read the answers in plain text, thus saving you their $20 yearly fee. But this time, the answers looked like this:

"Vg'f abg nf hahfhny nf lbh znxr vg fbhaq..."

Not terribly helpful, but I guessed that they were using a simple substitution algorithm to encrypt the text. I quickly fired up a text editor, copied the encrypted text to a file called experts-exchange.txt, and wrote this Perl script:

open(IN, 'experts-exchange.txt');
my $text = join('', <IN>);
close IN;
$text =~ tr{VvGgFf}{IiTtSs};
print $text;
I'm using the "tr" (transliteration) operator to change each V in the text into an I, and so on. I just guessed that the string "Vg'f" was supposed to be the word "It's."

The result looked promising, so I just kept making guesses. Ultimately my decoding looked something like this:

$text =~ tr{AaBbCcEeFfGgHhIiJjLlMmNnOoPpQqRrSsTtUuVvWwYyZz}{NnOoPpRrSsTtUuVvWwYyZzAaBbCcDdEeFfGgHhIiJjLlMm};

With everything in alphabetical order like that, it's pretty easy to see that the text was just rot13-encoded. So, this simplified Perl script took care of decoding the whole thing:

open(IN, 'experts-exchange.txt');
my $text = join('', <IN>);
close IN;
$text =~ tr{A-Z}{N-ZA-M};
$text =~ tr{a-z}{n-za-m};
print $text;

Now, in my case, the decoded text didn't get me any further toward solving my original problem than the encoded text, but it was a fun diversion. Your mileage may vary.
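The guess-and-check the author describes, generalised to any alphabet shift, as an added example in Python rather than the article's Perl (this is not the author's code): a crib such as "Vg'f" = "It's" pins the shift (13 here), the shift is then undone over the quoted fragment, and a word-count scorer shows the same shift wins even without the crib. The common-word list is constructed for the example.

```python
"""Recovering a shift cipher from a crib, then undoing it.

Added example in Python (the article uses Perl); not the author's code.  It
generalises the author's guess-and-check: a crib such as "Vg'f" = "It's" fixes
the alphabet shift, the shift is undone over the whole text, and a scorer
shows the same shift wins even without the crib.  The ciphertext is the
fragment quoted in the article.
"""
import string

ALPHABET = string.ascii_lowercase
# Constructed word list for scoring candidate shifts.
COMMON_WORDS = {"the", "and", "you", "that", "not", "is", "it", "as", "to", "of", "in", "a"}

CIPHERTEXT = "Vg'f abg nf hahfhny nf lbh znxr vg fbhaq."


def shift_from_crib(cipher_word: str, plain_word: str):
    """Return the single shift s with cipher = plain + s (mod 26) for every
    letter of the crib, or None when the letters disagree (then it is not a
    plain shift cipher, or the guess is wrong).  Non-letters must match as-is."""
    if len(cipher_word) != len(plain_word):
        return None
    shift = None
    for c, p in zip(cipher_word.lower(), plain_word.lower()):
        if not (c.isalpha() and p.isalpha()):
            if c != p:
                return None
            continue
        s = (ALPHABET.index(c) - ALPHABET.index(p)) % 26
        if shift is None:
            shift = s
        elif s != shift:
            return None
    return shift


def unshift(text: str, shift: int) -> str:
    """Undo a Caesar shift, keeping case and non-letters.  shift=13 is exactly
    the author's tr{A-Z}{N-ZA-M}; tr{a-z}{n-za-m}."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base - shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def decode_with_crib(ciphertext: str, cipher_word: str, plain_word: str) -> str:
    """Derive the shift from one guessed word and decode the whole text."""
    shift = shift_from_crib(cipher_word, plain_word)
    if shift is None:
        raise ValueError("crib is not consistent with a single alphabet shift")
    return unshift(ciphertext, shift)


def best_shift(ciphertext: str) -> tuple:
    """Try all 26 shifts; return (shift, score) for the one yielding the most
    common English words.  Ties keep the lowest shift."""
    best = (0, -1)
    for s in range(26):
        words = [w.strip(".,;:!?\"'").lower() for w in unshift(ciphertext, s).split()]
        score = sum(w in COMMON_WORDS for w in words)
        if score > best[1]:
            best = (s, score)
    return best


if __name__ == "__main__":
    print(shift_from_crib("Vg'f", "It's"))            # 13
    print(decode_with_crib(CIPHERTEXT, "Vg'f", "It's"))
    print(best_shift(CIPHERTEXT))                      # (13, 5)
```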
Editorial Note: As of press time, we have been notified that Experts-Exchange has recently changed its website so that the ROT-13 decoding algorithm described here will no longer work. We hope that our readers will nonetheless find the article instructive.
Connecting... An Introduction to Beige Boxing
By Erik Paulsen
I'm going to take a few moments to take things back to the basics: I'm going to teach you beige boxing. Beige boxes go back to the origins of hacking, when accessing other people's phone lines helped you remain undetected. Using hijacked phone lines helped conceal crimes that were committed through modem connections. Beige boxing is a science; employing it in practical situations is an art. Beige boxing will permit you to connect a phone, laptop, or Palm Pilot to a telephone landline. Whether you are learning by tapping into your own phone line, or someone else's, there are only a couple of basic parts and tools you will need to get started. Once you've learned to beige box, you can learn more about more advanced topics including DTMF tones, red boxing, social engineering, wardialing, and wiretapping.

So, let's start with something basic. As I go through the following examples, I expect that you are already familiar with the following things: you know what a phone is, you know how to dial a phone number, you know what a modular phone jack is. If you're using a modem, I also expect that you know how to dial with that modem and how to do whatever else you want to over the phone line once connected.

Also, it helps to have common sense when doing anything clandestine. If you plan to do anything illegal, or anything that you think might be illegal, check your local laws and try not to break them. Beige boxing offenses, in the eyes of the law, usually involve trespassing and theft of services. Connecting to the internet by beige boxing may be considered a federal offense, since the illegal phone connection will more than likely cross state lines.

The Most Simple Device You Have Ever Made: The Beige Box

A "beige box," or a homemade "lineman's handset," is a simple telephone cord modification. It is called a beige box because the first version ever made supposedly used a beige phone. I'm sure you can learn more about this if you look for a description on the Hacker's Lexicon.

Construction is simple. You'll need a few parts: one modular phone cord, which will be mutilated; two solder-type or screw-type alligator clips, preferably insulated; a soldering iron or screwdriver (accordingly); and something to cut and splice the phone cord, typically a wire cutter which will double as a wire splicer. Finally, you will need a phone, and you won't be doing anything to it.

So choose an appropriate phone. Obviously, the phone you will be using to Beige Box will need portability! If you can't use it with one hand or less, don't bother with it. A decent hands-free telephone is ideal.

First, cut the phone cord as close to one of the ends as possible, so you have a phone cord with a modular jack at only one end. Next, you will want to splice the same end of the cord that was just cut. This will expose the two (sometimes four) color-coated wires inside the cord. We will only be dealing with the red and green wires, so if you also have yellow and black wires, you can carefully cut them off.

The object here is that you want to connect your two alligator clips to the two separate wires inside of the phone cord. I would say you will only need to expose the last two inches or so of the outer plastic cover. This will leave you with two wires, one red, and one green, sticking out two inches from the end of the cord. Then, strip a little of the plastic jacket off the red and the green wires, so you have enough bare wire to connect the clips.

Finally, attach the alligator clips, one to each stripped wire. Now, it doesn't actually look like a box, but you can plug it into your one-piece phone. Construction is now finished, and you have just made a beige box.

I'm sure you're now wondering what you can do with the box you've just built. To test it out, look for your home phone line's junction box. This is where your phone line comes into the house and where it is wired to your home's telephone wires. It will typically be found on the outside of the house but may be in a garage or possibly by your house's fusebox. I have seen junction boxes located in many places, from apartment building laundry rooms to hotel utility closets, but I'm sure your search will quickly succeed.

Once you have found your junction box, open it up. If it has a lock on it, use your judgment and your common sense. If you keep reading, I'll assume you've got it open. These are customer boxes, so the person who pays for the phone will own the equipment.

What we are aiming for is a bridge-type connection, allowing your phone to access the landline. So, you will want to connect your alligator clips. If you're smart, you won't reach your hand into the junction box and fiddle around, as there is electrical current flowing through the wires. It will typically be only 20 volts of direct
current, but if the phone happens to ring, you'll get a nice "wake-up call," as ringing voltage is around 100 volts of alternating current.

Respecting the electricity inside of the box and observing reasonable safety measures, attach the alligator clips accordingly: red to red, green to green. You may notice that green, red, black, and yellow wires are connected to your four terminals. You will be attaching your alligator clips to the red- and green-wired terminals.

Hopefully your junction box is wired this simply. If this is not the case, remember the rule: right red ring, left green tip. Or, more simply: right red. Some boxes are wired this way instead of using colored wires. So attach your red wire to the right terminal (which is usually a screw) and your green wire to the left terminal (also a screw). Correctly attached, with a phone plugged in, you should get a dial tone. This means success.

You can connect your beige box to any phone line which you can access. You can expand this to network junction boxes, which are the ugly green boxes located in residential areas, and to buried phone cable lines if you can match the correct wires together. You may be surprised to see how many phone lines are grouped together in one location.

Now what you do with it is up to your imagination, and is only limited by the laws of electricity. An FM transmitter can be attached to a phone line. So can audio input and output connectors and a multitude of other devices and applications. Beige boxing simply taps into a phone line. After that, there's not much of a limit.
A note to those who are unfamiliar with technological tampering: this device is not meant to harass the AT&T operator, enemies, or ex-girlfriends. It is not meant as a tool to stalk someone or to listen to private phone calls. It is not intended to do any damage, physical or emotional. It is a tool for learning about the physical aspects of and possibilities of this technology.

Glossary of Terms

Dual-Tone Multi-Frequency (DTMF) Tones: The tones emitted by a touch-tone telephone or a device modified to emit such tones. As well as dialing phone numbers, they are also used to control telephone equipment, including electronic switching equipment and payphones.

Red Box: A modified DTMF tone dialer that generates the tones which tell a payphone that a quarter, dime, or nickel has been deposited. Since its discovery, the possibility of red boxing has been widely eliminated by telephone company countermeasures.

Social Engineering: Acquiring information through manipulative social interaction.

Wardialing: The act of dialing phone numbers in a sequence to search for telephone numbers with interesting properties or for phone lines connected to modems.

Wiretapping: Recording or transmitting the conversation taking place over a phone line, in order to listen to conversations and gather information.

Lineman's Handset: A device used by telephone company repairmen to connect to a phone line for testing purposes. A professional and feature-enhanced version of the beige box.

by Mercereau (aka dohboy)
http://www.dohboy.com/

When I first installed my new flash drive, a SanDisk Cruzer Micro 2GB, I found the application that was autoloaded, Launchpad, to be a bit clunky and cumbersome. Of course, I was using an older machine at work which was at end of life cycle a year prior. The graphical features were nice, and the concept was fantastic; to me, it seemed to be an attempt at a portable operating system in that you could transport all of your applications, which would remain on the drive. Even so, the removal of the additional drive became necessary, as my position required hopping from machine to machine. Waiting for the drive to install each time meant wasting time.

While this article is not a tutorial about U3 removal, you can go to http://www.u3.com/uninstall to remove the U3 if you want. To my knowledge, this will permanently remove the U3 with no way of reinstalling it at a later date. Doing this will make the rest of this article irrelevant. Please note: in no way am I responsible for you breaking your drive as a result of the procedures below.

Basic Information

There are some basic things you should know about the U3 Smart Drive. The U3 comes pre-partitioned; most of the device is a FAT partition with a hidden SYSTEM file. SYSTEM is where all of your programs are stored. The last four to six megabytes or so are allocated to an ISO-9660 partition that emulates a CD-ROM drive. Within the CD-ROM partition, there is an autorun.inf which kicks off the installation of the Launchpad. The Launchpad is the main program for management of the applications installed on the drive, as well as for file management and data encryption. The U3 runs on (almost) any PC running Windows 2000 SP4+, XP, or Vista.
Some of the U3's features are portability and the fact that you don't need admin rights to install new software. Some of the negative aspects are the need for two separate drive letters, trace files that are sometimes left on the host PC after improper removal, and the wait time needed for the initial installation of the U3 (in some cases, up to 3 minutes from personal experience).

The CD-ROM partition on the SanDisk Micro cannot be written to like a normal CD. There is some amount of reverse engineering involved; however, if you can run MagicISO, by the end of this short article, you should be able to re-write your U3. I began looking for ways to remove the drive and found various other tools that I could use.
Tools Needed

First, you will need to download LPInstaller.exe. LPInstaller is required to write to the CD-ROM partition. You can download this from http://www.sandisk.com/Retail/Default.aspx?CatID=1411 or you can visit my site at http://www.dohboy.net. Second, you will need to write an ISO that the LPInstaller will use to 'burn' to the U3's CD-ROM. You can do this with the help of MagicISO (http://www.magiciso.com/). Even if you do not have the full version, the trial version allows you to create an image smaller than 400MB. That's it.
Re-Writing the U3

Some have tried to rewrite the U3 by craftily using Linux; some have attempted this using some fancy host file modification to mimic SanDisk's web server, but all you really have to do is save the image you have created as "cruzer-autorun.iso" in the same directory as the LPInstaller. Once the LPInstaller is run, it will grab the "cruzer-autorun.iso" and use it, since it believes this file has already been downloaded. If the file is not in that location and there is an internet connection available, LPInstaller will go to the SanDisk website and download the most up to date version of the Launchpad. You can see what Launchpad tries to connect to using ethereal. There is a limitation to the size of the image: 6.2MB. I have tried larger but only got errors.

Remember, the image must be named cruzer-autorun.iso and be in the same directory as LPInstaller. LPInstaller will write the .iso file to the flash drive's CD-ROM partition. I probably don't have to mention it, but make sure the U3 is actually plugged into the computer before running LPInstaller. In my line of work, I am used to working with the lowest common denominator.
autorun.inf:

    [AutoRun]
    open="program.exe"
    icon=.\dohboy.ico,0
Save the above as autorun.inf, replacing program.exe with any application that is globally executable on the host machine (that is, found on its PATH) or any application on the U3 partition. For instance, if you have an application called haxor.exe in the root directory of the CD-ROM partition, you would reference it as .\haxor.exe. autorun.inf must be in the image's root directory, just like with any autorun file. The reason this works at all is that Windows sees the partition as a CD-ROM rather than a removable disk, and CD-ROM autorun is on by default on XP, so the open= entry fires the moment the stick is inserted.

Visual Basic Script, though slower and uglier, is my code of choice. These files are easy to create and can be launched as long as wscript or cscript is on the host machine. If they are not, either can also be copied to your partition; you only lose 112 KB by doing so.
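As an added example (not the article's code, and not a SanDisk tool), here is a Python script that stages the directory MagicISO will turn into cruzer-autorun.iso and checks the things that bite before you burn: autorun.inf present at the root, every .\-relative open= or icon= target actually inside the image rather than on the host, and the total content under the 6.2MB ceiling the author hit. Python is used rather than VBScript so it runs anywhere. The size limit and the names haxor.exe and dohboy.ico come from the article; the helper names and the staging layout are assumptions of this example.

```python
"""Stage the directory that becomes cruzer-autorun.iso and sanity-check it before
LPInstaller writes it.  Added example, not the article's code: the 6.2 MB ceiling is
the author's observation, not a documented limit, and the ISO itself is still built
with MagicISO (or any ISO tool) from the staged directory."""
import configparser
from pathlib import Path
from typing import Dict, List, Optional

MAX_IMAGE_BYTES = int(6.2 * 1024 * 1024)  # author's observed limit; larger images errored


def build_autorun_inf(open_target: str, icon: Optional[str] = None) -> str:
    """autorun.inf text in the form the article uses (CRLF, quoted open= value)."""
    lines = ["[AutoRun]", 'open="%s"' % open_target]
    if icon:
        lines.append("icon=%s" % icon)
    return "\r\n".join(lines) + "\r\n"


def stage_image(root: Path, payload: Dict[str, bytes], open_target: str,
                icon: Optional[str] = None) -> Path:
    """Write payload files plus autorun.inf into root (the future image root)."""
    root.mkdir(parents=True, exist_ok=True)
    for name, data in payload.items():
        (root / name).write_bytes(data)
    (root / "autorun.inf").write_text(build_autorun_inf(open_target, icon), encoding="ascii")
    return root


def image_relative(value: str) -> Optional[str]:
    """Map an open=/icon= value to a path inside the image, or None when it names a
    host program found via PATH (a bare name) or an absolute host path."""
    target = value.strip().strip('"').split(",")[0]
    if target.startswith(".\\") or target.startswith("./"):
        return target[2:]
    return None


def validate_image(root: Path) -> List[str]:
    """Return a list of problems; an empty list means the directory is ready to be
    turned into cruzer-autorun.iso."""
    inf = root / "autorun.inf"
    if not inf.is_file():
        return ["autorun.inf missing from image root"]
    problems = []
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(inf.read_text(encoding="ascii", errors="replace"))
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        problems.append("autorun.inf has no [AutoRun] section")
    else:
        entries = cp[section]
        if "open" not in entries:
            problems.append("[AutoRun] has no open= entry, so nothing would launch")
        for key in ("open", "icon"):
            if key in entries:
                rel = image_relative(entries[key])
                if rel is not None and not (root / rel).is_file():
                    problems.append("%s= points at .\\%s, which is not in the image root" % (key, rel))
    total = sum(p.stat().st_size for p in root.rglob("*") if p.is_file())
    if total > MAX_IMAGE_BYTES:
        problems.append("image content is %d bytes, over the %d byte limit" % (total, MAX_IMAGE_BYTES))
    return problems


if __name__ == "__main__":
    import sys
    issues = validate_image(Path(sys.argv[1]))
    print("ready for MagicISO" if not issues else "\n".join(issues))
```

Run it against the staged directory (python stage.py C:\u3image) before pointing MagicISO at it; a bare open="notepad.exe" passes because it is resolved on the host, while open=".\haxor.exe" is only accepted if haxor.exe really sits in the image root.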
Implementations
Thus far, I have written various scripts and applications for the U3 which make my job easier and my life more fun. One such script allows me to track my U3 if it is lost or stolen. This was done using the getInfo.vbs script available in the 2600 code repository or on my website at http://www.dohboy.net. This script sends me an email with the login, domain, local IP address, public IP address, registered owner, and other information about anyone using the lost or stolen U3. It only works if the user is currently connected to the internet and nothing on their network blocks the outbound connection to my SMTP server. I plan on developing a free service, via my website, that would allow a user to track their U3 in the event that it was lost or stolen. It is a work in progress.
It should also be possible to write scripts that poll the system for information and write it to a file on the FAT partition. How is that possible if the drive letter can differ from machine to machine? Make the script look for a marker file on every possible drive and append the information to it once found. Various other scripts like this can be found on my site as well.
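The drive-letter search just described, as an added Python example rather than the article's VBScript (getInfo.vbs is not reproduced here): it looks for an assumed marker file u3marker.txt on every candidate root, then appends a line with the same kind of host details the author's script mails to an assumed u3log.txt on the stick. The non-Windows mount-point search is there only so the code also runs on a Linux box.

```python
"""Find the U3's FAT partition by a marker file, whatever drive letter Windows gave
it, and append one record of host information there.  Added example in Python, not
the article's VBScript; the marker name u3marker.txt and log name u3log.txt are
assumptions, as is the non-Windows mount search used so it also runs elsewhere."""
import getpass
import os
import platform
import socket
from datetime import datetime, timezone
from pathlib import Path
from typing import Iterable, List, Optional

MARKER = "u3marker.txt"   # empty file placed in the FAT root when the stick is set up
LOG = "u3log.txt"         # records accumulate here, one line per insertion


def candidate_roots() -> List[Path]:
    """All roots the FAT partition might be mounted at.  Windows: A:\\ through Z:\\
    (the CD-ROM and FAT partitions can land on any letters).  Elsewhere: mount points
    under /media, /mnt and /run/media, an assumption for running on non-Windows hosts."""
    if os.name == "nt":
        return [Path("%s:\\" % c) for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ"]
    roots = []
    for base in ("/media", "/mnt", "/run/media"):
        try:
            for p in Path(base).iterdir():
                if p.is_dir():
                    roots.append(p)
                    roots.extend(q for q in p.iterdir() if q.is_dir())
        except OSError:
            continue
    return roots


def find_marker(roots: Iterable[Path], marker: str = MARKER) -> Optional[Path]:
    """First root that holds the marker file.  Drives without media, or roots we may
    not read, raise OSError on Windows and are simply skipped."""
    for root in roots:
        try:
            if (root / marker).is_file():
                return root
        except OSError:
            continue
    return None


def host_record(now: Optional[datetime] = None) -> str:
    """One tab-separated line with the fields the article's getInfo.vbs mails:
    timestamp, login, domain, hostname, local IP, OS.  Every lookup that can fail on
    an odd host degrades to 'unknown' rather than aborting."""
    now = now or datetime.now(timezone.utc)
    host = socket.gethostname()
    try:
        local_ip = socket.gethostbyname(host)
    except OSError:
        local_ip = "unknown"
    try:
        login = getpass.getuser()
    except Exception:
        login = "unknown"
    domain = os.environ.get("USERDOMAIN", "")
    return "\t".join([now.isoformat(timespec="seconds"), login, domain, host,
                      local_ip, platform.platform()])


def append_record(root: Path, record: str, log: str = LOG) -> int:
    """Append the record to the log on the FAT partition; returns the record count."""
    path = root / log
    with path.open("a", encoding="utf-8") as f:
        f.write(record + "\n")
    with path.open("r", encoding="utf-8") as f:
        return sum(1 for _ in f)


def run(roots: Optional[Iterable[Path]] = None) -> Optional[int]:
    """Locate the marked partition and log this host; None if the stick is not present."""
    root = find_marker(candidate_roots() if roots is None else roots)
    if root is None:
        return None
    return append_record(root, host_record())


if __name__ == "__main__":
    count = run()
    print("marked partition not found" if count is None else "%d record(s) stored" % count)
```

The marker file is what makes the search drive-letter independent: the script never assumes which letter the FAT side got, it only cares which root contains u3marker.txt, and it skips letters that have no media instead of crashing on them.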
Another implementation of mine was a keylogger. I used C++ to create an invisible application called squid.exe (I might post this on my website) that logged keys. The way it worked was to load upon launch and log keys. Once the thumb drive was plugged back into the machine, squid would know that the drive was plugged in again and would search for a specific file in the root of the FAT partition. After the file was written, squid would exit with garbage cleanup. No files would be created on the host computer.

For fun, rewrite the autorun.inf to open a shutdown sequence (for example: shutdown -r -t 00).
Conclusion
While some of these implementations are fairly tame, far more dangerous scripts and programs can potentially be written. My squid was a fairly slow application since I only wrote it to test what I could do. While it performed as I had planned, it could have been optimized to be quite a bit faster and to use fewer system resources.
While this article focused mainly on the SanDisk because of its vulnerability with LPInstaller, the partition on any U3 drive could possibly be rewritten. More information on the hardware, such as the HDK, might be obtained by emailing licensing@u3.com.

On the defending side, the check worth making is the NoDriveTypeAutoRun policy value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer. The XP default of 0x91 leaves CD-ROM autorun on, and even the widely recommended 0xDF only turns autorun off for removable and fixed disks and leaves CD-ROMs alone, so a U3, which enumerates as a CD-ROM drive, still launches. Only a value with bit 5 set (0xFF disables every drive type) stops it. Have fun with your U3 and try not to get in trouble using it.
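A defender's counterpart, added here and not part of the article: the only thing standing between a rewritten U3 and code execution on insert is the NoDriveTypeAutoRun policy, and its bit layout is easy to misread. The Python below decodes the mask (bit n disables autorun for drives whose GetDriveType() value is n) and reports whether a U3, which enumerates as DRIVE_CDROM, would still launch. The XP default 0x91 and the often-recommended 0xDF are documented values; the report wording and treating an unset policy as 0x91 are assumptions of this example.

```python
"""Decode the NoDriveTypeAutoRun policy and report whether a U3 stick, which shows up
as a CD-ROM drive, would still autorun.  Added example, not from the article.  Bit
positions are the GetDriveType() values Windows uses for this mask; 0x91 is the XP
default and 0xDF the usual 'disable everything but CD-ROM' hardening value."""
import os
from typing import Dict, Optional

# bit n of the mask disables autorun for drives whose GetDriveType() value is n
DRIVE_TYPES = {
    0: "DRIVE_UNKNOWN",
    1: "DRIVE_NO_ROOT_DIR",
    2: "DRIVE_REMOVABLE",
    3: "DRIVE_FIXED",
    4: "DRIVE_REMOTE",
    5: "DRIVE_CDROM",
    6: "DRIVE_RAMDISK",
    7: "RESERVED",
}
DRIVE_CDROM = 5
XP_DEFAULT = 0x91      # unknown, remote and reserved types off; CD-ROM and removable on
ALL_BUT_CDROM = 0xDF   # common hardening value; leaves bit 5 clear, so a U3 still runs
ALL_OFF = 0xFF


def autorun_blocked(mask: int, drive_type: int) -> bool:
    """True when the mask disables autorun for that drive type."""
    return bool(mask & (1 << drive_type))


def decode(mask: int) -> Dict[str, bool]:
    """Name -> blocked? for every drive type, for a readable policy dump."""
    return {name: autorun_blocked(mask, bit) for bit, name in DRIVE_TYPES.items()}


def u3_would_autorun(mask: int) -> bool:
    """The Launchpad partition enumerates as DRIVE_CDROM, so only bit 5 matters."""
    return not autorun_blocked(mask, DRIVE_CDROM)


def read_policy() -> Optional[int]:
    """Effective value on a Windows host: the machine policy key wins over the user
    key.  Returns None off Windows or when neither key sets the value."""
    if os.name != "nt":
        return None
    import winreg
    subkey = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, subkey) as key:
                value, _ = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
                if isinstance(value, bytes):          # REG_BINARY variant of the value
                    value = int.from_bytes(value, "little")
                return int(value)
        except OSError:
            continue
    return None


def report(mask: Optional[int]) -> str:
    """Human-readable verdict; an unset policy is treated as the XP default (assumption)."""
    effective = XP_DEFAULT if mask is None else mask
    verdict = "WOULD autorun" if u3_would_autorun(effective) else "would not autorun"
    blocked = ", ".join(n for n, b in decode(effective).items() if b) or "nothing"
    return "NoDriveTypeAutoRun=0x%02X: U3 %s (blocked types: %s)" % (effective, verdict, blocked)


if __name__ == "__main__":
    print(report(read_policy()))
```

The point the numbers make: 0xDF reads like "disable all" but is really "all except CD-ROM", which is exactly the type a U3 presents, so an audit that only checks for 0xDF would pass a machine that still runs the stick's autorun.inf on insert.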
The scripts mentioned in this article can be downloaded from the 2600 Code Repository at http://www.2600.com/code/
Winter 2007-2008 ----------------- Page 23
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)

More Related Content

What's hot

Stalking a City for Fun and Frivolity" Defcon Talk
Stalking a City for Fun and Frivolity" Defcon TalkStalking a City for Fun and Frivolity" Defcon Talk
Stalking a City for Fun and Frivolity" Defcon Talk
E Hacking
 

What's hot (20)

2600 v20 n4 (winter 2003)
2600 v20 n4 (winter 2003)2600 v20 n4 (winter 2003)
2600 v20 n4 (winter 2003)
 
2600 v08 n2 (summer 1991)
2600 v08 n2 (summer 1991)2600 v08 n2 (summer 1991)
2600 v08 n2 (summer 1991)
 
2600 v16 n4 (winter 1999)
2600 v16 n4 (winter 1999)2600 v16 n4 (winter 1999)
2600 v16 n4 (winter 1999)
 
2600 v01 n07 (july 1984)
2600 v01 n07 (july 1984)2600 v01 n07 (july 1984)
2600 v01 n07 (july 1984)
 
2600 v24 n3 (autumn 2007)
2600 v24 n3 (autumn 2007)2600 v24 n3 (autumn 2007)
2600 v24 n3 (autumn 2007)
 
2600 - V01 N01 (january 1984)
2600 - V01 N01 (january 1984)2600 - V01 N01 (january 1984)
2600 - V01 N01 (january 1984)
 
2600 v20 n3 (autumn 2003)
2600 v20 n3 (autumn 2003)2600 v20 n3 (autumn 2003)
2600 v20 n3 (autumn 2003)
 
2600 v15 n1 (spring 1998)
2600 v15 n1 (spring 1998)2600 v15 n1 (spring 1998)
2600 v15 n1 (spring 1998)
 
2600 v10 n3 (autumn 1993)
2600 v10 n3 (autumn 1993)2600 v10 n3 (autumn 1993)
2600 v10 n3 (autumn 1993)
 
2600 v19 n2 (summer 2002)
2600 v19 n2 (summer 2002)2600 v19 n2 (summer 2002)
2600 v19 n2 (summer 2002)
 
Stalking a City for Fun and Frivolity" Defcon Talk
Stalking a City for Fun and Frivolity" Defcon TalkStalking a City for Fun and Frivolity" Defcon Talk
Stalking a City for Fun and Frivolity" Defcon Talk
 
Cybersecurity winter is not coming…
Cybersecurity winter is not coming…Cybersecurity winter is not coming…
Cybersecurity winter is not coming…
 
Media sosial dan hoax
Media sosial dan hoaxMedia sosial dan hoax
Media sosial dan hoax
 
2600 v11 n3 (autumn 1994)
2600 v11 n3 (autumn 1994)2600 v11 n3 (autumn 1994)
2600 v11 n3 (autumn 1994)
 
The ClearScore Darkpaper: The danger of the dark web 2020
The ClearScore Darkpaper: The danger of the dark web 2020The ClearScore Darkpaper: The danger of the dark web 2020
The ClearScore Darkpaper: The danger of the dark web 2020
 
The Secret Life of Zombies 3rd Issue Infowars Magazine
The Secret Life of Zombies 3rd Issue Infowars MagazineThe Secret Life of Zombies 3rd Issue Infowars Magazine
The Secret Life of Zombies 3rd Issue Infowars Magazine
 
Mensworldhq.com what happens on the dark web
Mensworldhq.com what happens on the dark webMensworldhq.com what happens on the dark web
Mensworldhq.com what happens on the dark web
 
2600 v16 n2 (summer 1999)
2600 v16 n2 (summer 1999)2600 v16 n2 (summer 1999)
2600 v16 n2 (summer 1999)
 
2600 v21 n1 (spring 2004)
2600 v21 n1 (spring 2004)2600 v21 n1 (spring 2004)
2600 v21 n1 (spring 2004)
 
Wp below the_surface
Wp below the_surfaceWp below the_surface
Wp below the_surface
 

Similar to 2600 v24 n4 (winter 2007)

Square, Inc. is a financial services, merchant services aggregat.docx
Square, Inc. is a financial services, merchant services aggregat.docxSquare, Inc. is a financial services, merchant services aggregat.docx
Square, Inc. is a financial services, merchant services aggregat.docx
rafbolet0
 
Part 3 of 3_Fastest Growing Duolingo Courses
Part 3 of 3_Fastest Growing Duolingo CoursesPart 3 of 3_Fastest Growing Duolingo Courses
Part 3 of 3_Fastest Growing Duolingo Courses
Lisa M. Beck
 

Similar to 2600 v24 n4 (winter 2007) (20)

2600 v21 n3 (autumn 2004)
2600 v21 n3 (autumn 2004)2600 v21 n3 (autumn 2004)
2600 v21 n3 (autumn 2004)
 
The Trust Paradox
The Trust ParadoxThe Trust Paradox
The Trust Paradox
 
2600 v25 n4 (winter 2008)
2600 v25 n4 (winter 2008)2600 v25 n4 (winter 2008)
2600 v25 n4 (winter 2008)
 
2600 v21 n4 (winter 2004)
2600 v21 n4 (winter 2004)2600 v21 n4 (winter 2004)
2600 v21 n4 (winter 2004)
 
2600 v18 n4 (winter 2001)
2600 v18 n4 (winter 2001)2600 v18 n4 (winter 2001)
2600 v18 n4 (winter 2001)
 
2600 v19 n3 (autumn 2002)
2600 v19 n3 (autumn 2002)2600 v19 n3 (autumn 2002)
2600 v19 n3 (autumn 2002)
 
2600 v15 n4 (winter 1998)
2600 v15 n4 (winter 1998)2600 v15 n4 (winter 1998)
2600 v15 n4 (winter 1998)
 
Privacy reconsidered
Privacy reconsideredPrivacy reconsidered
Privacy reconsidered
 
2600 v22 n3 (autumn 2005)
2600 v22 n3 (autumn 2005)2600 v22 n3 (autumn 2005)
2600 v22 n3 (autumn 2005)
 
Privacy vs personalization: advisory for brand and comms practitioners into 2...
Privacy vs personalization: advisory for brand and comms practitioners into 2...Privacy vs personalization: advisory for brand and comms practitioners into 2...
Privacy vs personalization: advisory for brand and comms practitioners into 2...
 
2600 v22 n1 (spring 2005)
2600 v22 n1 (spring 2005)2600 v22 n1 (spring 2005)
2600 v22 n1 (spring 2005)
 
Future of data - An initial perspective - Stephan Shakespeare, CEO and Co-Fou...
Future of data - An initial perspective - Stephan Shakespeare, CEO and Co-Fou...Future of data - An initial perspective - Stephan Shakespeare, CEO and Co-Fou...
Future of data - An initial perspective - Stephan Shakespeare, CEO and Co-Fou...
 
2600 v23 n2 (summer 2006)
2600 v23 n2 (summer 2006)2600 v23 n2 (summer 2006)
2600 v23 n2 (summer 2006)
 
2600 v17 n2 (summer 2000)
2600 v17 n2 (summer 2000)2600 v17 n2 (summer 2000)
2600 v17 n2 (summer 2000)
 
Square, Inc. is a financial services, merchant services aggregat.docx
Square, Inc. is a financial services, merchant services aggregat.docxSquare, Inc. is a financial services, merchant services aggregat.docx
Square, Inc. is a financial services, merchant services aggregat.docx
 
Internet Privacy
Internet PrivacyInternet Privacy
Internet Privacy
 
2600 v13 n4 (winter 1996)
2600 v13 n4 (winter 1996)2600 v13 n4 (winter 1996)
2600 v13 n4 (winter 1996)
 
Nurses And Web
Nurses And  WebNurses And  Web
Nurses And Web
 
Letter of Intent - Open Society Fellowship
Letter of Intent - Open Society FellowshipLetter of Intent - Open Society Fellowship
Letter of Intent - Open Society Fellowship
 
Part 3 of 3_Fastest Growing Duolingo Courses
Part 3 of 3_Fastest Growing Duolingo CoursesPart 3 of 3_Fastest Growing Duolingo Courses
Part 3 of 3_Fastest Growing Duolingo Courses
 

More from Felipe Prado

More from Felipe Prado (20)

DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
 
DEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsDEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got ants
 
DEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionDEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryption
 
DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101
 
DEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentDEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a government
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareDEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationDEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
 
DEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceDEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interface
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC -  tasbot the perfectionistDEF CON 24 - Allan Cecil and DwangoAC -  tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksDEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityDEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud security
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsDEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portals
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitch
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksDEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncDEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesDEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devices
 

Recently uploaded

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 

Recently uploaded (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 

2600 v24 n4 (winter 2007)

  • 1.
  • 2.
  • 3. The More Things Change... Power Trip Building Your Own Networks Pirates of the Internet Telecom Informer Darknets Scanning the Skies Essential Security Tools Decoding Experts-Exchange.com An Introduction to Beige Boxing Hacking the SanDisk U3 Exploring AT&T's Wireless Account Security Hacker Perspective: Rop Gonggrijp (More) Fun with Novell PayPal Hurts Facebook Applications Revealed Letters Hacking Windows Media DRM The Noo World Forensics Fear Transmissions Cracked Security at the Clarion Hotel Building Your Own Safe, Secure SMTP Proxy Zero-Knowledge Intrusion Booting Many Compressed Environments on a Laptop Avoid Web Filtering with SSH Tunneling Marketplace Meetings 9 11 13 15 16 18 20 21 22 24 26 29 30 32 34 48 49 51 52 54 55 57 58 61 62 66
  • 4. • • As we move towards our 25th year learn as much as we can from. of publishing, we find that so much has So what has managed to stay the same changed in the world we write about. Yet over the years? A number of things actually, somehow, a surprising amount of things are some good and some bad. almost exactly the same. For one, the spirit of inquisitiveness Let's look at where technology has taken that drives much of what the hacker world us. Obviously, nothing has stood still in the consists of is very much alive and in rela- hardware and software universe. In 1984, tively the same state it's been in for so long. ten megabytes of storage was still more than If anything were to sum up what every single what most people had access to. Those few one of our articles has had in common over who even had their own computers would, all these years, it's that desire to find out more often than not, wind up shuffling five just a little bit more, to modify the param- and a quarter inch floppies before they eters in a unique way, to be the first to figure would invest in an expensive piece of hard- out how to achieve a completely different ware like a hard disk. And speed was a mere result. Whether we're talking about getting fraction of a fraction of what it is today. If around a barrier put in place to prevent you you could communicate at 300 baud, it was from accessing a distant phone number or considered lightning fast to most people. Of a restricted computer system, or cracking course, there were those who were always the security of some bit of software so that pushing to go faster and get more. It was this you can modify it to perform functions never incessant need for expansion and improve- dreamed of by its inventors, or revealing ment that got us where we are today. 
some corporate secrets about how things Perhaps not as dramatic in scale but really work in the world of networks and certainly as wrenching in feeling has been security - it's all about finding out something the change to our society and the world and sharing it with anyone interested enough around us. In the current day, we are secu- to listen and learn. These are the very foun- rity-obsessed without having gotten any dations upon which 2600 was founded and better at being secure. We seem to have those values are as strong today as they were lost any semblance of the trust that once back in our early days. In many ways they guided us as human beings. Instead, we live have actually strengthened. The Internet in a state of perpetual alertness, suspicion, is an interesting example of this. While its and fear. Some would say that this is reality predecessor, the ARPANET of the 60s and and that this state of mind is the only way 70s, was developed under the authority of to survive in a hostile world. We would say the military, what has evolved since then is a that it's a sad reality and one that needs to veritable bastion of free speech and empow- be analyzed and hopefully altered. Were erment of individuals. Of course, it's not all we to have started publishing in 2008 rather so idealistic. Not everyone cares and there's than in 1984, we likely would have been a constant struggle with those who want quickly branded as potential terrorists before the net to be nothing more than a shopping ever being able to establish a foothold in mall and those who seek to control every our culture that enabled us to be seen as a aspect of it. But who can deny that literally revealing and even necessary voice. any point of view can be found somewhere Today we continue to exist in no small on today's net? And a surprising amount part because we have existed for nearly of people will defend that concept regard- a quarter century. 
It is that history which less of their own personal opinions. Almost strengthens us and one we should all try and without fail, if someone is told that they may Page 4 -------------------- 2600 Magazine
  • 5. not put forth a certain viewpoint or spread information on a particular subject, then the community of the net will respond and make sure the information is spread more than it ever would have been had there not been an attempt made to squash it in the first place. Nobody has yet been able to put the top back on the bottle and prevent this kind of a reaction since never before in the history of humanity has such a tool been so widely accessible. There obviously is still a long way to go and a good many battles to fight in order to keep free speech alive on the net. But this is at least encouraging and indicative of how hacker values have easily meshed with more mainstream ones. But something else which hasn't changed over the years is the malignment of hackers and what we stand for. The irony is that most people understand perfectly well what we're all about when presented with the facts. The mainstream media, however, never has and probably never will. It's simply not in their interests to portray us as anything but the kind of threat that will help them sell newspapers and get high ratings. Fear sells - that is the unfortunate truth. And fear of the unknown sells even better because so Iittle evidence is needed to start the ball rolling. In the media, as in politics, enemies are needed in order to set forth an agenda. From the beginning, hackers have fit the qualifications to be that enemy. They know too much, insist on questioning the rules, and won't stop talking and communicating with themselves and others. These types of people have always been a problem in controlled environments like dictatorships and public schools. It's not too difficult to see why they're viewed with such hostility by people who want to hold onto whatever power they happen to have. A true indi­ vidual is no friend to autocrats. 
If you read a newspaper or watch virtu­ ally any newscast, you won't have to wait too long for a story to appear with details on how the private records of thousands (or sometimes millions) of people have been compromised while in the care of some huge entity. We could be talking about a phone company, credit card provider, bank, university, or government. And the informa­ tion that was lost might include anything from people's names, addresses, unlisted phone numbers, Social Security and/or credit card numbers, a list of purchases, health records, you name it: data that was entrusted to the company, agency, or bureaucracy for safekeeping which has been compromised because someone did something foolish, like somehow post confi­ dential hospital files to a public web page, or copy customer information to a laptop which was subsequently lost or stolen. Yet in virtu­ ally every instance of such a profound gap in common sense, you will find that hackers are the ones getting blamed. It makes no differ­ ence that hackers had nothing to do with letting the information out in the first place. The media and the authorities see them as the people who will do virtually anything to get private data of individuals and make their lives miserable. This misdirection of blame serves two purposes - as it always has. The first is to absolve those really responsible of any true blame or prosecution. The second is to create an enemy who can be blamed when­ ever anything goes wrong. Of course, the irony is that if hackers were the ones running and designing these systems, the sensitive data would actually be protected far better than it is now. There simply is no excuse for allowing people's private information to be copied onto insecure machines with no encryption or other safeguards. The fact that it keeps happening tells us that dealing with this isn't very high on the priority list. 
Perhaps if those organizations that don't have sufficient security practices were held accountable rather than being allowed to blame invisible demons, we might actually move forward in this arena. But one must ask what would be in it for them? The answer is not a whole lot. These battles and conflicts will no doubt continue regardless of what direction our society takes us. While we have indeed been frustrated with the seeming lack of prog­ ress on so many levels, we can't help but be fascinated with where we will wind up next - both in the technological and political spectrum. The combination of the two may very well seal our future for quite a long time to come. The one thing that will keep us going (and that has made it so worthwhile for all of these years) is the spirit of curiosity that our readers and writers continue to proudly exhibit. It's a very simple trait, and perhaps one that's an unerasable ingredient of our humanity. It will survive no matter how our technology advances, regardless of any law or decree put forth to stifle it, and in spite of misperceptions and overall c1uelessness. If we keep asking questions and thinking outside the box, there will always be some­ thing good to look forward to. Winter 2007-2008 ------------------ Page 5
POWER TRIP
by OSIN

It is common in 2600 for writers to preface whatever topic they may be discussing with a disclaimer such as "I by no means condone or encourage illegal activity." That ends with this article. Since it is now impossible in America to tell who is a criminal and who is not, or to tell what is a crime and what is not, I wholeheartedly condone the practice of the actions I'm about to lay out by any and all criminals reading this article. But not to worry: should any of you criminals out there run afoul of the greatest crime syndicate since the Gambinos, you can always use the "Scooter" Libby lame-ass defense, assuming you're a rich, white, non-violent, first time offender.

One of the most used weapons of today's organized crime syndicate is the secret warrantless search. That means they can enter your residence while you're away and either seize computer equipment or bug the place. Surely such evil doesn't exist in the Land of the Free and Home of the Brave! And, how ironic: I began writing this article on the 4th of July. But, yes, things are taking place that I'm pretty sure the forefathers of the USA didn't intend. So, let's take a bite out of crime!

Our first weapon against evil-doers is wireless technology, specifically an Internet-capable wireless camera and a wireless access point (WAP). I won't go into the security considerations of wireless cameras and access points; I'll only say that it is in your best interest to change the default login password. There are many more security issues pertaining to this technology, but they are beyond the scope of this article. I strongly suggest that you educate yourself about these issues lest you give criminals access to spy on you. No, what we're more interested in at this stage are the capabilities of the wireless cameras on the market now. Different cameras have different capabilities, but if you were to select one, I would say it should have at least two capabilities: the ability to be monitored over the Internet with a browser and the ability to send email alerts or attachments.

You should consult your particular camera's documentation for information on how to set it up. I can't really give specifics since different manufacturers' cameras vary widely, but in most cases you can set the email notification, whether to send an mpeg attachment, the number of seconds to record, which email addresses to send the alert to, and so on. You should also think about such things as the placement of the camera. Set it far enough away from the area you're monitoring so that the camera has enough time to record a few seconds and send an email before it gets unplugged. You might even want to consider hiding it or disguising it as another object. The point is that you can't have a secret warrantless search if there's video of someone in your residence. And knowing about it is half the battle. Remember that they don't have to kick down your door or pick the lock. Many of these gangs have huge amounts of technical resources, so they can make their own keys to get into your place.

But let's not stop there; evildoers always collude with other criminal elements of society to get what they want. Anyone desperate enough to do a secret warrantless search is probably wise enough to case out the victim before such a search is actually conducted. And, during the course of such an investigation, they might discover that you have wireless cameras throughout your residence. How might they react? Well, barring a full-scale search and seizure, which would make secrecy moot, they might collude with a well-known criminal enterprise that shakes down citizens on a monthly basis: the power company. Keep in mind that the power company will always do what it takes to please its regulatory master. So, with no power, our wireless camera and setup is useless, right? Not so fast. Consider our second weapon against secret warrantless searches: the UPS.

When the UPS first came out, it was nothing more than a glorified surge protector. The first ones could power a desktop computer and monitor for about 15 minutes, really only useful to give the user time to gracefully shut down the computer. About a year ago, though, I came across the newer versions. They had a USB port which allowed them to be monitored with proprietary software on a laptop. They also boasted far greater power capacity than older models did. The one I bought could power a desktop and flat screen monitor for nearly 90 minutes. But, because I haven't used my desktop in years and I didn't want a good UPS to go to waste, I wondered how long this UPS would power my wireless camera, broadband modem, and WAP. The power requirements for all three added up to 110 Watts while the UPS boasted an ability of 450 Watts. On top of being a surge protector, the UPS also contained a voltage

Page 6 -------------------- 2600 Magazine
regulator so I had some confidence that using it outside its intended design parameters wouldn't fry my wireless setup. I gave it a go. Using my laptop to monitor the UPS, I found that after an hour of running all three devices off the UPS, the battery's charge had fallen to around 92 percent. Not bad. Now, theoretically, if the power usage is linear, then that might run the setup for more than 10 hours, but in a real-world scenario, more power is going to be utilized as my wireless components become more active or have to send out data over my broadband connection. I never tested how long it could power the setup since you can decrease the life of the rechargeable 12 volt battery if you go below 80% charge, so let's assume for argument's sake that my UPS will power the full requirements of my wireless setup for 7 hours. That's still a long time for miscreants to have to wait to start their search.

But power outages are common in the United States. It's not unusual for one to occur, and there are usually no sinister forces behind them, so how do you know if the power outage at your residence is a normal one? For that matter, how would you know that one occurred? It's true that my UPS starts beeping when the power goes out, and since my wireless camera also has a microphone, I'd be able to hear it if I logged in to see what's going on. But I'd have to know that an outage has occurred to connect in the first place. The point is that you may not know if the outage is just a normal blackout, but there are ways of knowing that an outage has occurred. The problem is one of notification. And in this next part, I'm going to use a program that's been used on computers for several years to track battery energy consumption (our third weapon): Advanced Power Management (APM).
APM is normally used on laptops to monitor the battery and do some notifications when the battery level approaches critical levels. The good thing about APM is that it will tell you when the power goes out or the power adapter is unplugged from the wall socket. It goes without saying that APM will treat a power outage the same way it would treat unplugging the power adapter from the wall and running on battery power.

For this example, I'll be using OpenBSD. On OpenBSD 3.9, my version of APM will give human readable statistics on the status of the power. On a laptop, the command to execute is apm -v. You may need to start the apm daemon first, which is merely apmd. When you run the apm -v command it will output three lines similar to these:

    Battery state: high, 100% remaining, 151 minutes life estimate
    A/C adapter state: connected
    Performance state: uninitialized (200MHz)

But when the AC adapter is unplugged or there is a power outage, the output from apm changes to this:

    A/C adapter state: not connected

So, it's that particular line that we are most interested in. After plugging the laptop into a wall socket, we could write a script that would run in cron every minute and test whether that second line had changed.

Before we proceed, though, I want to return to the wireless camera. Anyone who has one of these cameras and has used the motion detection email attachment option will tell you that it's sometimes too sensitive to light changes and not sensitive enough to motion unless you have the sensitivity set to high. The false positives the camera sends out can be annoying. Wouldn't it be nice if the camera's motion detection option could be turned on only if the power goes out? I found that it is possible, assuming your camera allows it. Most of these cameras are running a simple web server to which you can log in and make changes to the settings and options. My camera, for instance, uses the GET method when you click the Apply button to turn motion detection and emailing on. The entire call I need to use shows up in the browser URL location bar. So now that I know what the full URL is to do this manually, I can incorporate that knowledge in my cron script so that when a power outage is detected it will automatically turn on the motion/email option using wget. Here is a Perl script that would perform this feat (the wget line has been truncated since the real call is very, very long):

    #!/usr/bin/perl
    use strict;
    use warnings;

    # The camera call has been truncated; the real query string is much longer.
    my $camera_url = 'http://camera_ip/adm/file.cgi?audio_enable=enabled&mot=enabled&email=you@yourisp.com';

    my @apm = `/usr/bin/apm -v`;
    foreach my $line (@apm) {
        next unless $line =~ /adapter state/;   # only the A/C adapter line matters
        if ($line =~ /not connected/) {
            # Power is out. We only want this command to run once, which is why we have a lock file.
            unless (-e 'apm.lock') {
                # List form of system(): no shell is involved, so the & in the URL needs no quoting.
                system('wget', '-O', 'powertrip.html', '--http-user=admin',
                       '--http-passwd=yourpassword', $camera_url);
                system('/bin/touch', 'apm.lock');
            }
        } elsif ($line =~ /connected/) {
            # The power is back on. Remove the lock file but do not turn off monitoring.
            unlink 'apm.lock' if -e 'apm.lock';
        }
    }

As I said, the http call has been severely truncated. The actual call is much longer. Each camera is different, though, so you may actually have to sniff your traffic to learn the actual call to your camera's webserver to turn on motion detection. Note that the variable that actually turns on monitoring is "mot" for my camera. To turn off monitoring, you would just change your call line and set mot to "disabled", but I advise you to leave monitoring turned on after a power outage event.

There is an old saying that criminals always return to the scene of the crime. I don't know if that's always true, but our criminals are very anal-retentive and won't give up easily. So they may call in some favors from another syndicate which has a long history of collusion: your ISP.
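The same outage check in Python, as an added example (not OSIN's Perl script): the apm -v parsing and the once-per-outage lock-file decision are separated from the side effects so they can be exercised on sample output. The two apm outputs are constructed in the three-line format shown above, arm_camera is a hypothetical callback standing in for the camera's HTTP call, and the URL in the script block is a placeholder rather than any real camera's call.

```python
import os
import re
import subprocess

# Constructed samples in the three-line format `apm -v` prints on OpenBSD
# (not captured output from the article's machine).
SAMPLE_ON_MAINS = (
    "Battery state: high, 100% remaining, 151 minutes life estimate\n"
    "A/C adapter state: connected\n"
    "Performance state: uninitialized (200MHz)\n"
)
SAMPLE_ON_BATTERY = (
    "Battery state: high, 92% remaining, 138 minutes life estimate\n"
    "A/C adapter state: not connected\n"
    "Performance state: uninitialized (200MHz)\n"
)

ADAPTER_RE = re.compile(r"^A/C adapter state:\s*(?P<state>.+?)\s*$", re.MULTILINE)
BATTERY_RE = re.compile(r"^Battery state:.*?(?P<pct>\d+)% remaining", re.MULTILINE)

# Placeholder only: the real call for your camera has to be learned from its web UI.
CAMERA_URL = "http://camera_ip/adm/file.cgi?mot=enabled"


def adapter_state(apm_output):
    """Return 'connected', 'not connected', or None if the line is absent."""
    match = ADAPTER_RE.search(apm_output)
    return match.group("state") if match else None


def battery_percent(apm_output):
    """Remaining charge as an int, or None. The article warns that the 12 V
    battery's life suffers below 80%, so this is worth logging each run."""
    match = BATTERY_RE.search(apm_output)
    return int(match.group("pct")) if match else None


def next_action(state, lock_present):
    """Decide without side effects. 'arm' = enable motion/email once and
    create the lock; 'clear' = power is back, drop the lock; 'nothing' = idle."""
    if state == "not connected":
        return "nothing" if lock_present else "arm"
    if state == "connected":
        return "clear" if lock_present else "nothing"
    return "nothing"  # unparseable output: leave the camera alone


def check_once(apm_output, lock_path, arm_camera):
    """One cron tick. `arm_camera` is whatever enables motion detection
    (hypothetical callback; in the article it is the wget GET)."""
    action = next_action(adapter_state(apm_output), os.path.exists(lock_path))
    if action == "arm":
        arm_camera()
        open(lock_path, "w").close()
    elif action == "clear":
        os.remove(lock_path)  # monitoring itself is deliberately left on
    return action


def run_apm(apm_path="/usr/bin/apm"):
    """Read the live output; only used when run as a script."""
    return subprocess.run([apm_path, "-v"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    def arm():
        subprocess.run(["wget", "-O", "powertrip.html", "--http-user=admin",
                        "--http-passwd=yourpassword", CAMERA_URL], check=False)

    out = run_apm()
    print(check_once(out, "apm.lock", arm), "battery:", battery_percent(out))
```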
I'm not sure if it is feasible for the ISP to disconnect just one DSL or cable modem, but I can imagine they would have some way to block any traffic coming from your modem temporarily. That means that even with backup power, your email alert and attachment will not get through. What to do then?

Although my camera has a proprietary program to save images to a flash drive or hard disk, it's not easily scriptable in a Unix-like environment. To combat this possible attack, then, we must resort to an entirely different setup. Instead of using a WAP, wireless camera, and modem, we will use a digital camera, an old 8x8 WinTV card, and a program called Motion. The OS used is some variation of Linux; in the particular case when I first built this setup, I used RedHat. Motion uses the video4linux interface, so any TV card or digital camera setup that supports video4linux might work. It's hard to tell with some hardware, but that's why I never throw any hardware away if it still works. Anyway, the setup goes like this: you hook the video-out of the camera into the video-in of the TV card which is sitting in a PCI slot of your desktop computer. You've downloaded Motion from SourceForge.net and have it installed. Here's an excerpt from my motion.conf file:

    framerate 10
    input norm auto
    brightness yes
    threshold 1000
    noise_level 16
    night_compensate yes
    lightswitch yes
    daemon on
    quiet yes
    execute /usr/share/alert.sh
    target_dir /home/pics
    ffmpeg_cap_new no
    ffmpeg_timelapse on
    thread thread1.conf

Some things may have changed in the later releases of Motion, so you should read the documentation. I won't go into great detail other than to say that threshold controls how sensitively Motion will react to movement, execute means that an alert script is run once motion is detected, and target_dir is where the jpeg images of the detected motion are stored.
Right before I log out of my machine and leave my residence, I have a shell script which delays the startup of Motion and runs as a background process:

    #!/bin/sh
    echo "Sleeping for 60 seconds."
    sleep 60
    echo "Starting motion detector..."
    motion

That gives me time to get out the door before Motion starts detecting. There are tons of other options that Motion has, such as streaming mpegs, but they are beyond the scope of this article.

Returning to our problem of criminals secretly going through our residence, we have to assume that if your ISP is blocking outgoing traffic from your modem, then the miscreants will still have physical access to your system running Motion. That's a problem. If they can reboot your system using some sort of rescue CD, then they might be able to mount your hard drives, search for any jpegs and delete them. What to do? A while back, I wrote an article for 2600 on loopback encryption on flash drives. You can now read it at http://uk.geocities.com/~osin1941. But I think you get the idea. Using the loopback device, you can create an encrypted filesystem to write the images. Without knowing where to look, any state-supported criminals will not spend that much time looking for your images. And rebooting the machine with a Linux rescue CD won't help them unless they know the password to mount the encrypted file system. Also, there are other open source programs, such as TrueCrypt, out there that let you do the same thing as the loopback encrypted filesystem but on-the-fly. I highly suggest you take the time to acquaint yourself with the various options you have available to you.

It is unlikely that the current state of affairs will ever lead to the repeal of secret warrantless searches. Once criminals get a certain amount of power, they never ever want to relinquish control and, short of an insurgency, it's very hard to break their grasp on our lives.
But, armed with the right tools, we can make it harder for them to paint us as terrorists while they themselves excuse their own for similar conduct. And, since equal protection and treatment under the law is now a lie in the United States, it is up to us to start fighting back. I hope this article spawns more articles on leveling the playing field for those of us who don't have powerful friends.

SAVE HOTEL PENN
The home of the HOPE conferences is in danger of being torn down and replaced with a huge office complex. Help us fight to preserve the historic Hotel Pennsylvania, a vital part of New York City since 1919. Join the discussion at talk.hope.net. Keep updated at www.savethehotel.org.
Building Your Own Networks
by Casandro

As developments like data retention and censorship become prevalent, it might be wise to build new networks, networks that belong to the users. Back in the BBS days, people operated their own networks like FidoNet over the easily available but unfree telephone network. Today, the Internet is the new unfree network, plagued by companies who want to extort more and more money out of the users. So, it might be a good idea to build your own moderately-sized networks. Even if this won't solve any important problems in the world, it will still be fun. In this article, I would like to compress all the information needed to do so. This article is a bit Linux-centric, but the ideas should be easy to convert to just about any operating system.

Well, what's the obvious thing you need first? Connections. Today we have a lot of possibilities, from IP over carrier pigeon to fast fiber optic connections. The most practical of these are probably WLAN and VPN tunnels. The other thing needed is routing. So we need a routing protocol which is simple to use and available to anybody.

Let's start with the connections. Obviously the simplest connection is just an Ethernet cable. Configure the nodes just as usual, and there you go. For larger distances, it might be wise to use WLAN devices in ad-hoc mode. This is probably best explained by an example. Let's assume our wireless device is named wlan0. You can find out its name and settings with the iwconfig command. Setting up the device can be a bit tricky. You will need the following commands:

    iwconfig wlan0 essid "NetworkName" channel 6 mode ad-hoc commit
    ifconfig wlan0 10.111.4.5 netmask 255.255.255.0

The first line sets the wireless device's channel and network. The second command assigns the IP address 10.111.4.5 and netmask 255.255.255.0 to the device. The other wireless devices on the network would have to be in the 10.111.4.x range, with x between 1 and 254. On some cards you will have to first execute an ifconfig wlan0 up command to turn on the device. Please choose the IP addresses as randomly as possible to avoid collisions. If you notice that an IP address or range is already taken, use another address.

VPN tunnels are a bit harder to set up. There are a number of technologies for this, but we'll focus on OpenVPN because it is available for most platforms and easy to set up, at least in shared key mode. First you need to create a key:

    openvpn --genkey --secret somefile.key

This stores the shared key in the file somefile.key. Obviously, you could use any file name for this. This key has to be copied to both ends of the tunnel. OpenVPN then needs a configuration file which tells it what to do. Here's an annotated example. First, the server's configuration file:

    port 1117 # Be sure to have this UDP port open to be accessed from the client
    dev tun
    # internal server adr. client address
    ifconfig 172.24.13.11 172.24.13.12
    # name of your keyfile
    secret somefile.key
    # periodically send some packets to keep the connection alive through routers
    keepalive 10 120
    comp-lzo # compress the data.

And the client's:

    remote nameorip.ofyour.server.org # This is the IP or domain name of your server
    port 1117 # The same as on your server
    dev tun
    # internal client adr. server address
    ifconfig 172.24.13.12 172.24.13.11
    # name of your keyfile
    secret somefile.key
    # periodically send some packets to keep the connection alive through routers
    keepalive 10 120
    comp-lzo # compress the data.

As you can see, there are two differences between the server's and the client's configuration files: the client's file has an additional remote line, and the ifconfig lines have the IP addresses in reverse order. Again, please choose the internal addresses randomly, to avoid collisions. Be sure to always use private addresses.

To start openvpn, just type openvpn --config your_config_file.conf. Start openvpn first on your server, then on your client. Most distributions already have init files to start openvpn automatically on boot-up. These often only support one tunnel. If that is enough for you, you can try to use that.

Now, you need to set up the routing. For this we will use OLSR as provided by olsrd. This is now probably the most popular daemon for wireless meshed networks. I prefer the 0.5
series as it is considerably more stable than the 0.4 one. To make it work, you might need to change a few settings in the configuration file, olsrd.conf:

    UseHysteresis no
    LinkQualityLevel 2

In the interface section of the file you need to uncomment the line Ip4Broadcast 255.255.255.255 and adapt the Interface line to include all your network interfaces. In my case that is:

    Interface "tun0" "tun1" "tun2" "tun3" "tun4" "tun5" "tun6" "tun7" "tun8" "eth0"

Now you can simply start olsrd by typing olsrd -d 2 on the console. After a short while, the links' status messages should appear. Once you seem to be connected to your peers, you can type route -n to get a list of all the routes. Typically, you should get a line for every node in the network.

What if you have computers which cannot run olsrd, for example because they are routers or printers? For those computers, you can use the host network announcement (HNA) feature. This feature tells the other nodes in the network that your node can reach computers that are not nodes. In the Hna4 section of olsrd.conf, you will find an example of this. You will also have to tell the devices that they can reach the OLSR-managed network via your node. One easy way to do this is to set the devices' default gateway to your computer.

So what could be accomplished with this? Of course, you could start by connecting your computer to your friends' computers and even to strangers'. Additionally, you could set up a wireless interface. With this, you will be able to offer network access to all members of the network, without having to offer Internet access. If nearby nodes also have wireless devices, they can also form a connection and build a network. Wireless networks were the original application for olsrd. In Berlin, there is such a wireless network consisting of several hundred nodes. In the dormitory I live in, we have some wireless nodes. Roaming works rather well.
You can walk throughout the building and keep your IP address despite being in a different point of the network topology.

As described, this network does not include internet access. If you want to provide it, you have several possibilities. The simplest and most elegant is to set up NAT on your node and use a HNA entry to 0.0.0.0 0.0.0.0 in your olsrd.conf. Nodes to which your node is the closest internet gateway will automatically use your connection. There can be several internet gateways; however, be aware that if network topology changes cause you to change your gateway, then stateful protocols like TCP might break. Another way is to use proxies. For example, I run an anonymity proxy on one of my nodes. This works fairly well if you only want to do web-browsing, as you must manually select your gateway in your web browser. A good compromise might be to create another VPN tunnel to the internet. This would potentially allow you to have unlimited internet access.

To further obscure the network topology and therefore the position of servers of the network, it might be desirable to install those servers on virtual machines. You could then just migrate the server from one location to another.

I already operate a small network consisting of 3 permanent nodes plus some extra nodes fading in and out. If you want to connect to it, I am willing to give a tunnel to anyone who is willing to give some tunnels to others.

Automation
In order to save you from having to do a lot of monotonous work, I have written a few scripts. The script search_ip.sh first gets a random address from the private address range. If we did not check, there would be a rather high chance of collisions. This is a traditional birthday paradox. Keep in mind that, in addition to this high chance, there is also a probability of not recognizing that an IP address is already taken. When an apparently free IP address is found, the script write_configuration_files.sh is executed.
This script creates a server and a client configuration file as well as the shared key file and neatly packs them into two zip files, one for the server and one for the client. Please edit the settings at the top of this file to suit them to your needs. getkeys.cgi is a "key dispenser". It gives out a different key file for every request. If you have a very fast computer with a fast connection to the internet, you could use the first script to create a few hundred configuration files and use the cgi-script to get them to your peers. Be sure to not leave your key files world readable. Not only could they be read by just about anybody on your system, but also OpenVPN will refuse to start. So, let the fun begin.

References:
• olsrd: http://www.olsr.org
• Birthday Paradox: http://en.wikipedia.org/wiki/Birthday_paradox
• Large olsrd WLAN-mesh in Berlin (in German): http://www.olsrexperiment.de/

The scripts mentioned in this article can be downloaded from the 2600 Code Repository at http://www.2600.com/code/
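As an added example (not Casandro's search_ip.sh or write_configuration_files.sh from the 2600 repository), here is the random-address step and the config-pair step of the automation above in Python: it parses the routes a node already knows, draws a random /24 that overlaps none of them, puts the birthday-paradox collision chance in numbers, and emits the server/client OpenVPN files from the article (same key, reversed ifconfig, extra remote line on the client). The route -n listing is constructed, and drawing /24s from 172.16.0.0/12 with .11/.12 as the tunnel endpoints is my choice.

```python
import ipaddress
import math
import random

# Constructed `route -n` listing (not from the article), as an OLSR node
# with one tunnel and one ad-hoc WLAN might print it.
SAMPLE_ROUTE_N = """Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.24.13.0     0.0.0.0         255.255.255.0   U     0      0        0 tun0
10.111.4.0      0.0.0.0         255.255.255.0   U     0      0        0 wlan0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
"""

RFC1918_POOL = ipaddress.ip_network("172.16.0.0/12")  # my choice; 10.0.0.0/8 works too


def known_networks(route_output):
    """Parse `route -n` output into the networks this node already reaches."""
    nets = []
    for line in route_output.splitlines()[2:]:  # skip the two header lines
        fields = line.split()
        if len(fields) < 3:
            continue
        dest, genmask = fields[0], fields[2]
        if dest == "0.0.0.0":  # default route, not a used range
            continue
        nets.append(ipaddress.ip_network(f"{dest}/{genmask}", strict=False))
    return nets


def random_tunnel_pair(used, rng=None, pool=RFC1918_POOL, tries=1000):
    """Pick a random /24 in `pool` that overlaps none of `used`; return the
    (server, client) addresses as .11/.12 of that subnet, as in the article."""
    rng = rng or random.Random()
    subnets = list(pool.subnets(new_prefix=24))
    for _ in range(tries):
        candidate = rng.choice(subnets)
        if any(candidate.overlaps(n) for n in used):
            continue  # apparently taken: draw again
        hosts = list(candidate.hosts())
        return str(hosts[10]), str(hosts[11])
    raise RuntimeError("no free /24 found in pool")


def collision_probability(nodes, slots=4096):
    """Birthday-paradox estimate: chance that `nodes` independent random
    choices among `slots` equally likely subnets produce at least one clash."""
    return 1.0 - math.exp(-nodes * (nodes - 1) / (2.0 * slots))


def openvpn_configs(server_ip, client_ip, server_name, port=1117, keyfile="somefile.key"):
    """Emit the shared-key server and client files from the article: identical
    except for the client's extra `remote` line and the reversed ifconfig."""
    shared_tail = [
        f"secret {keyfile}",
        "keepalive 10 120",  # keep the tunnel alive through routers
        "comp-lzo",
    ]
    server = [f"port {port}", "dev tun", f"ifconfig {server_ip} {client_ip}"] + shared_tail
    client = [f"remote {server_name}", f"port {port}", "dev tun",
              f"ifconfig {client_ip} {server_ip}"] + shared_tail
    return "\n".join(server) + "\n", "\n".join(client) + "\n"


if __name__ == "__main__":
    used = known_networks(SAMPLE_ROUTE_N)
    srv, cli = random_tunnel_pair(used, rng=random.Random(7))
    print(f"100 nodes picking /24s from {RFC1918_POOL} without checking: "
          f"{collision_probability(100):.0%} chance of at least one clash")
    server_conf, client_conf = openvpn_configs(srv, cli, "nameorip.ofyour.server.org")
    print(server_conf)
    print(client_conf)
```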
Pirates of the Internet
by black death
blackdeathx@gmail.com

Yo ho ho and a bottle of caffeinated beverages! We hear about them on the news: evil nerds that make those poor multi-billion dollar record companies and movie studios lose money. But who are pirates really? I'm sure that many people who read this magazine are pirates too, whether you distribute intellectual property or you simply download MP3s. Whether you do or not, this article will be insightful. I wrote this article because of an article on piracy from the Summer 2004 issue of 2600 that I remember, not because it inspired me but because it was so bad. I was also inspired by how uninformed or just plain ignorant the guys who write for news shows are. Hopefully, my article will shed light on something that few people, not even other hackers, know much about. In this article, I will go into detail about how piracy works. I know that a lot of you guys will know most of the terms but I will define them anyways for the newbies.

Music
This is probably the simplest as well as the most widespread form of piracy; it is also the one you are probably most familiar with. The pirate extracts songs from a CD, which is called ripping them. This can be done either from the official CD on the day of its release or in advance if the pirate works for the record company. Then, the songs are converted to the MP3 audio format, most commonly at a bitrate of 128 kilobits per second, which makes files of relatively low quality. Finally, these new files are put in the "Shared Folder" of the user's peer-to-peer (P2P) program. That's it; the P2P program automatically shares the files with anyone who requests them, so the user doesn't have to worry about anything. Each person who downloads a file also begins sharing it, so even more people can download the file and at faster speeds.
You may have heard on the news about people getting sued by the RIAA, which is an organization representing the four largest American record companies, and some of you might be worried about being sued, but here's my advice: don't worry; they don't have shit on you. That's right: the way these guys "catch" you is by searching for a selected MP3 file of one of the artists they represent and then sending out letters to the households using all of the IP addresses that show up. The same IP is usually shared by several different households even if you don't factor in WiFi and the fact that they can't prove who was using the computer. (A robber could've broken in to use your high speed connection because he has dial up, downloaded music, and saved it to their iPod.) If you're still worried, however, download a program called Peer Guardian. It's free and it blocks anti-P2P companies' and government organizations' IPs from connecting to you. Without going on a rant, I'd just like to point out that the record companies have actually made more money since P2P became big: record sales may be down, but internet sales are way up. Also, they barely pay the musicians anything; if it wasn't for ASCAP and BMI giving the artists performance fees for radio play, covers, and the like, most musicians seriously would be dying of hunger.

Movies
If you live in Asia or a large city with a predominantly Asian area (a "Chinatown") in it, then you've probably seen people selling pirated movies. Where do they get them from? Most pirated DVD salesmen download the movies from Torrent sites like Torrentspy and Mininova. This is very easy to do, but the salesmen make money off the chumps who don't know how to do it by selling the movies for anywhere from $1 to $5 each. The movies are usually in VCD format, which is like DVD but lower quality, which can fit on a CD-R, and which can be played on any DVD player.
But where those torrents come from is a more interesting story. Usually the movie is captured by someone sitting in the movie theater with a camera. This was once done very poorly, but now it's usually done with a tripod and an empty theater. These are called "Cam" releases and usually come out the day of the movie's release, but they are also usually of bad quality. There is also another method called "Telesync" which is basically the same as Cam, except the audio comes through some direct input such as a headphone jack, rather than the camera's microphone. They are also usually better quality than their Cam counterparts. If a movie is very popular, especially among the white male 14-30 demographic that most often downloads these files, then sometimes a DVD Screener will be released one or two weeks later. These files, sometimes just called "Screeners", are DVD rips made from DVDs of the movie that are given out only to certain people in the film industry but which then get leaked. Regardless of how the movie was captured, the release group then converts the movie to an XviD file, which is a high quality video format, better than DVD, but which can mostly only be watched on computers and some DVD players, or alternately to VCD format as BIN/CUE disc image files which can be burnt to CD. The files are then distributed as a torrent. A torrent is a file containing information about which files to download from which BitTorrent tracker. It basically works the same way as P2P programs, but instead of using Ares or Limewire to search, you use a website. The torrent files are found on torrent websites which either have their own tracker, like Torrentspy does, or search multiple trackers, like Isohunt does. These are public torrent sites; there are also private torrent sites which you can join by invitation only. On private trackers, the quality of the file you download is usually better and the download usually goes faster, but you also have to maintain a certain ratio of how much data you download to how much you upload, and you also have a lower selection of files, unless it's an enormous site such as Oink.

Software, Games, and Other
This is the form of piracy most of you are unfamiliar with because it is the most complicated. Don't get me wrong: it's not complicated; it just seems that way to the average person. Software is usually distributed as a trial version of the software and a crack. A crack is often a modified main executable of the program which bypasses the licensing system, though sometimes all you need is a serial number or license key. Games usually come as the full game ripped from the official CDs with the copy protection cracked, plus a serial number or a program that generates serial numbers. Sometimes you'll also get a NoCD program, which is the same as a crack but instead of bypassing the licensing system, it bypasses the system that checks whether the game CD is inserted or not. However, if the game came as CD-ROM disc image files, then you can use a Virtual CD program like Daemon Tools to emulate an actual CD drive instead. Cracks, key generators, NoCDs, and the like are made by people known as crackers. The crackers use debuggers like OllyDbg and IDA Pro to disassemble the original program's assembly code. They then modify this code with a hex editor such as Hiew or FlexHex.
Commercial software programs often try to prevent this by using software protection systems such as Armadillo, ASProtect, or WinLicense, but most crackers can get around these protection systems anyways. There are sites out there that have databases of cracks and serials, but today these sites are so filled with adware and malware they're not even worth visiting unless you really know what you're doing. Back in the day, warez used to actually be uploaded to one's own FTP or HTTP server or to a hacked server. Now, however, almost everyone uploads to a site called Rapidshare or to one of its many clones like Megaupload. These sites were cool at first but they have wait times of up to a minute before you can download the file you want. This can be bypassed, but a lot of the time it's unsuccessful. Also, because the sites usually limit uploaded files to 100 MB each, warez downloads are usually in 100 MB RAR parts. RAR files are compressed archives similar to ZIP files. The download sites, however, have created something called premium accounts, where you pay monthly for an account that can download an unlimited amount of files without wait times and with prioritized speeds. These premium accounts are often used almost like a currency on warez forums.

Warez forums are internet forums where warez downloads are posted. Most of these downloads, however, are taken from DDL sites, which I'll talk about later. Warez forums have sections for chatting just like other forums; they also have "VIP" sections, which you gain access to by having a certain amount of posts or, more commonly, by donating to the site. These VIP sections supposedly contain rare, high-quality files, but most of the time these sections are disappointing and not worth your money or posting time. Warez forums used to have very good potential, but now everyone uses DDL sites or torrent sites.
This is because all the big Warez forums are currently owned by morons. One example is a forum ca l led WTalk: it started as a very good forum, not because of the admi n but because of the powerfu I and smart people he knew. After a complicated series of events, the administrator banned the people who were the most i ntegral to his forum, and slowly everyone else who was important to the commun ity started to leave or get banned. After a wh i le, the on ly people left were so ch i ldish and stupid ("noobs") that they cou ld relate to the admin. Since everyone with double­ digit IQs has left, the on ly people left to give the administrator advice are the ones as stupid as or stupider than him. They suck up to him, so all his hair-brained ideas have resu lted i n even lower­ qual ity members and even in more noobs; this is a process I cal l "Reverse Natural Selection". On top of all, he has also secretly kept a log of his members' passwords, wh ich are supposed to be encrypted, and he's used his members' donations for the site to buy new MacBooks, i Pods, and so on. This stupidity and corruption is common among many warez forum admi ns, though not usually to this degree. Sorry for my l ittle rant. Anyways, back on topic: DDL sites are websites where the l inks to downloads are submitted and then displayed as thousand-page lists of software titles. They also, of course, have a search bar. The biggest DDL sites are Katz and PhazeDDL. The sites that submit their l inks are either actual websites or warez forums, but, either way, they both use Rapidshare most of the time. Also, if you search for a file on a DDL site, most resu lts you get wi l l be redundant: the same Rapidshare link over and over, just with different people getting ad revenue or members. Conclusion Warez has come a long way from the "Don 't copy that floppy" era, to the rise and fal l of Napster and Kazaa, to Torrents, and to people sel l i ng some­ th ing that is supposed to be free. 
Who knows what the future holds? Maybe one day you ' l l be able to down load physical objects, but what I know for certain is that, right now, warez is at a h igh poi nt for quantity and low poi nt for qual ity. It wi l l take someth ing big to fix it. I hope you enjoyed my article and learned someth ing from it. I hope to write for 2600 again. About me: I have been an active member in the warez community for several years now and sometimes I contribute to the Wikipedia article on warez. I have my own warez forum. It's small but with it, I'm trying to battle the flaws of other warez forums I mentioned earlier in the article. You can visit it at http : / /www . kronikfil ez . ...com!. Page 12 -------------------- 2600 Magazine
Hello, and greetings from the Central Office! It's hard to believe that it's already winter, but the Cascades are covered in snow and ski racks are on almost every car. This is a time of year when a lot of emergencies happen, and the telephone system plays - now more than ever - a vital part in emergency response.

These days, 911 is the virtually universal way throughout the U.S. and Canada to summon the police, fire department, or an ambulance (sometimes all three at once). There is an extremely detailed and rigorous set of standards around how 911 systems and facilities are designed and constructed, and the standard-setting organization is the National Emergency Number Association (NENA).

When you dial 911, the telephone switch invokes an SS7 route that has been specially configured for this purpose. In most cases, your call will be routed over a dedicated trunk to a dedicated 911 switch (although in some areas this is a shared tandem switch - not the recommended configuration, but it's better than nothing). The 911 switch looks at your inbound ANI and, based on that, routes you to the appropriate Public Safety Answering Point (PSAP) via a dedicated trunk. At this point - only a couple of seconds after you placed the call - the call answerer will inquire "911, what's your emergency?"

The information available to the 911 call answerer is dependent upon the 911 infrastructure in your area. In most cases, this will be some form of Enhanced 911 (E911), the current standard (most recently updated in 2004). At the network level, E911 consists of a voice circuit (over which you communicate with the call answerer) and a data circuit. The data circuit (which is private, runs a proprietary protocol, and isn't connected to the Internet) is a redundant dedicated connection to an Automatic Location Identification (ALI) database.

Basic 911 provides only a voice connection to the PSAP, with no other identifying data. While call takers have the ability to trace calls, it requires a call to the local phone company which can take up to ten minutes. The limitations of this system are evident when 911 calls are received from people who are disoriented or experiencing medical emergencies and may be unable to answer many questions or even provide the location from which they are calling.

In an effort to solve this problem, the E911 standard was developed. E911-capable PSAPs use Automatic Number Identification (ANI) data to identify callers. Based on this data, your phone number will display on the call answerer's console. The E911 system will also query the ALI database based on your ANI data. In most cases, this database is maintained by Intrado, Incorporated (a private company) and contains CNA (Customer Name/Address) data for nearly everyone in the United States with a phone - even including unlisted numbers (I bet telemarketers would love to get their hands on this). Newer revisions of E911 include the ability to provide GPS location data for wireless phones, and this data is also obtained via the ALI database. However, these capabilities are fairly new and not yet widely deployed.

Winter 2007-2008 ------------------ Page 13

While the 911 system is incredibly useful and has saved many lives since it was originally deployed in 1968 (in Haleyville, Alabama and Nome, Alaska of all the random places), it wasn't originally designed to work with newer telecommunications services such as VoIP, wireless phones, and CLECs (Competitive Local Exchange Carriers). These have exploded since the Telecommunications Act of 1996 largely deregulated telephone service, creating both challenges and security vulnerabilities in the 911 system.

VoIP services in particular have illustrated practical vulnerability in the E911 system. Recently, a group of highly unethical phreaks (one of whom was known years ago as "Magnate") was arrested for engaging in an activity called "SWATting." This exploited a little known and multi-tiered loophole in the E911 system. In case you haven't heard what "SWATting" is, it involves spoofing someone else's ANI when calling a 911 "backdoor" number. Every PSAP in the 911 system has a "backdoor" number by design. These are used by operators to connect you to emergency services if you dial "0" instead of "911" for help. They can also be announced as the emergency contact number via the Emergency Alert System (of "This Is A Test" fame) in the event of a failure in the 911 switch or trunks (this actually happened a few years ago in Seattle). The unethical caller can then describe a violent kidnapping or other situation likely to provoke a SWAT team dispatch by the 911 call taker, who has no idea that the apparent caller is actually the victim of a cruel (and very dangerous) hoax.

Back in the good old days of Ma Bell, nobody could touch the SS7 network except for loyal card-carrying CWA union technicians. These days, any idiot with an Asterisk box and a sleazy VoIP provider based in Romania effectively has full SS7 control and the ability to impersonate any ANI they damn well please. This is because with certain VoIP providers, any ANI data that you configure in your VoIP PBX is accepted as gospel by the VoIP carrier, and is sent to the PSTN as both CLID and ANI data. Congress is worried about spoofing Caller ID, but that's small potatoes in my mind - most of the shenanigans around spoofed CLID data are harmless pranks. ANI spoofing, on the other hand - especially when mixed with 911 - is the real problem. If anything damn well ought to be more illegal than it already is, it's this!

And that's the end of my curmudgeoning here from the Central Office, at least for this ski season. Stay in bounds, stop in place if you experience a whiteout, and always keep your mobile phone charged to call the ski patrol!

Links

http://www.nena.org - National Emergency Number Association, the standard-setter for 911 systems.

http://www.qwest.com/wholesale/pcat/911.html - Qwest 911 interconnection and product offerings for filthy CLECs. This site contains links to many excellent diagrams of Basic 911 and E911 call routing topologies, which incompetent CLEC technicians could never understand.
by WillPC
willpc@hushmail.com

The Beginning of the End

In the beginning, there was the Internet. Everyone happily connected to it, and swapped information freely, without concern for privacy or safety. But soon, this began to change. The fascist regime began to pass legislation, shackling once-free information, and spying on the once-free people. The lightnets were shut down by law enforcement or legal action. Even the decentralized networks, such as BitTorrent trackers, fearing attack, began to become seclusive and private.

The Technology

This new wave of totalitarianism calls for the next generation of file sharing technologies, darknets. Thus far, there have been, roughly speaking, three generations of file sharing technologies, each with a fundamental flaw leading to its demise. The first generation was the centralized and semi-centralized lightnets, such as Napster and even the World Wide Web. However, due to their centralized nature, they were shut down by criminal charges or legal action of some kind. The second generation consisted of decentralized networks, such as gnutella and BitTorrent. Although the decentralized networks are a great improvement over the centralized networks of yesteryear, they, like their ancestors, are flawed. Decentralization was created to combat the legal attacks which destroyed networks like Napster. However, many things were overlooked in their design, namely anonymity and encryption. In the wake of ISP monitoring and RIAA lawsuits, decentralization is not enough. Individuals are being targeted, in order to spread fear.

The Resistance

The third generation of file sharing software is the most important: darknets. A darknet is a private encrypted virtual network for a small group of people. The goal of a darknet is a small, completely encrypted network, completely invisible to anyone who doesn't know about it. Not even your ISP can tell what files are being moved through the heavily encrypted darknet.

Motivations for a Darknet

There are several advantages to darknets. In a small network, with only trusted users, IP farming techniques used by the RIAA and similar organizations are useless. Darknets are heavily encrypted, so they are immune to ISP monitoring tools. Darknets can be "bridged" by users who belong to multiple darknets (see Small World Theory). Because darknets are small networks set up by groups who know each other, key distribution becomes a non-issue.

Darknets fix the vulnerabilities suffered by their predecessors, but not without expense. Darknets have one weakness: people. The security of a darknet is based on trust of those using it. Before you invite someone into your group, ask yourself if you really trust that person. Also, set strict rules regarding members inviting new people into your darknet. One lapse of judgment could compromise the security of your darknet. With a tight-knit group of people you trust, and weapons-grade encryption, darknets are the safest, most robust file sharing available.

Building a Darknet

There are a number of ways to build a darknet. Unfortunately, there isn't much software available to do it. Freenet (freenetproject.org) and WASTE (waste.sourceforge.net) can both be used to create darknets. However, both of these create decentralized darknets. This may seem like a good thing, and in many situations it is. Before deciding on a decentralized network, take into account the size of your network, and how often people keep their computers running. Make sure there is a root node which will always be on, preferably with a static IP.

The second option is a centralized network. Unlike large centralized networks, darknets are not only small and private but also disposable. A larger darknet can be composed of smaller networks, with connections made through shared members, preferably connecting through some sort of proxy in order to protect the identities of the users. A centralized darknet could be constructed in a number of ways, such as an encrypted NFS drive and a secure connection like an ssh tunnel; an encrypted FTP service where each user is given an account which can write to the service; specialized software which uses a hub to cache data (I am writing such software); or a directory, such as a torrent tracker, where all the files are encrypted.

Peace.
Scanning the Skies
by GutBomb

The pursuit of knowledge and understanding of the way things work doesn't need to be limited to computers and telephones. We are being bombarded on a constant basis by microwaves from mobile phone towers, radio transmitters, television broadcast towers, and even from satellites thousands of miles above the earth's equator. These satellites are the focus of this article. Using a system that only costs about $300, you can explore the exciting world of satellite TV broadcasts from the comfort of your own couch (and the roof of your house from time to time). Sports backhauls, news feeds, syndication uplinks, foreign programming, unbiased news, government propaganda, weather reports, internet access, totally free (free as in beer and as in speech) programming, and most importantly, a greater understanding of how the broadcast world works are already being blasted towards you every minute of every day, so why not have some fun!

The Clarke Belt

Television satellites are all lined up along the equator of the Earth. When seen from the Earth's surface, they form an arc across the southern sky known as the Clarke Belt, after science fiction pioneer Arthur C. Clarke. The arc contains over 80 satellites that usually have a name identifying them and a number that corresponds with the longitude meridian they are on. For example, the main Dish Network satellite is known as Echostar 6/8 and it sits in a geosynchronous orbit over the 110 degrees West longitude line. It is often referred to as 110w (read one-ten-west).

Broadcast Bands

There are three commonly used broadcast bands used for satellite television distribution. The Ku-band is the most common method of satellite broadcasting in the country. It is used by both major direct-to-home satellite services (DirecTV and Dish Network) as well as by independent satellite bandwidth providers. Ka-band is a newer technology that has been used for years to distribute satellite internet access and satellite radio but which has recently started making inroads to video distribution. Finally, there is classic C-band, which the major networks use for distributing their channel feeds to other satellite providers and cable companies. C-band requires very large dishes, the smallest of which are nearly 6 feet across. Ku- and Ka-band signals can be pulled in with much smaller dishes, approximately 30 inches across, which are easily mounted on a roof or wall.

Video Standards

Much of the available video up there is now digital. Over the past ten years, most analog video has disappeared on the Ku-band, but you can still find a bit available on C-band. In the case of video distribution, digital does not always mean better. A good standard definition feed on C-band will almost always be better than a digital feed of the same channel because it is the master feed. By the time it reaches your cable or direct-to-home satellite system, it has been encoded digitally, compressed, and bit-starved to the point of looking like a pixelated mess. Analog, however, is a huge bandwidth hog, and prone to interference, so along the way, things progressed more to providing digital feeds. An analog channel takes the same space as up to 20 digital channels, and when satellite providers can provide more bandwidth for channel distribution, they get more money from channel producers. Analog programs are just regular NTSC feeds in North America, and can be picked up by cheap analog receivers.

In the digital realm, the possibilities of what you can find expand greatly. So do the difficulties in initially finding the signal and the expense in getting proper equipment. The main digital standard used for satellite TV in North America is called DVB-S. Most of the world uses DVB variants for their digital television distribution, such as DVB-S for satellite, DVB-T for terrestrial, and DVB-C for cable. In North America we use ATSC for digital terrestrial, and QAM for digital cable.

Equipment

The bare minimum setup you would need to get started is a satellite dish, a TV, and a satellite receiver. The dish is usually a parabolic dish that sits on a mast, with an arm shooting out from the bottom which holds the eye pointing back at the dish. This eye is called an LNB (Low Noise Block). There are a few types of LNBs available. A DirecTV/Dish Network dish contains a circular LNB. Circular refers to the shape of the microwaves being beamed towards it. Circular LNBs pick up spiral shaped beams. These are beamed out at very high power, so the dish itself doesn't need to be very big to pull in the signal. Unfortunately, these LNBs aren't suited to picking up the really cool stuff out there, and the dishes they are attached to are a bit too small, usually between 18 and 20 inches. For the cool stuff, you will need a linear LNB. The term linear, like circular, refers to the type of beam it takes in. Linear beams are less powerful and more prone to weather interference, so they require larger dishes. A certain type of linear LNB that can attain frequencies slightly lower than a regular linear LNB is called a universal LNB. The disadvantage to universal LNBs is that not all switches are compatible with them. There are plenty of newer switches, however, that work perfectly, and if you have a single dish system, then you most likely won't need switches anyway. If you have more than one LNB that you want to connect to your receiver, then you will need to obtain a switch. The best switches to use are called DiSEqC switches. (I have no idea how to pronounce this out loud. I say 'diz-e-q-c,' but I am probably wrong.) You can hook four LNBs into the switch, and then just run a single cable down to the receiver. The LNB I prefer is called the Invacom QPH-031 and you can pick it up for about $80 at any of a number of shops on the internet. It can pick up both circular and universal beams and has two outputs for each. An LNB this fancy is not necessary, however; a cheap $15 universal LNB would be fine for a beginner just getting started.

The dish is an important consideration. A small 18-inch dish won't really do for us, because there are only a few channels available to us legitimately without subscribing to or decrypting an encrypted signal. (This is possible, but not the focus of this article.) Ideally, the best dish to get started with would be 30 inches or larger. I opted for a Fortec FC90P 90cm (36") dish. The dish will come with a mast that you can mount on your roof or on a wall, the reflecting dish, and the LNB arm, but you will have to supply the LNB yourself. This dish will set you back about $100, including shipping.

The receiver is where stuff gets really fun, at least for me. I personally have two receivers. The first is a digital DVB receiver, and then I loop out from it to an old analog receiver. For digital, you have many choices, and unfortunately the market is a bit saturated right now, because these digital receivers can also be used for not-so-legitimate purposes. If you only want to be legit, I recommend the Pansat 2500A receiver. Though it is now discontinued, there are tons of them available on eBay for about $50-$70. It has a very reliable blind-scan feature, which is essential for finding wild feeds. If you are looking for analog, you may have a much harder time finding a receiver, because they are old and rare. I recently found an analog satellite receiver from the '80s with which you can just dial up the entire map of frequencies, for only $32 shipped. I didn't have a C-band setup so there wasn't very much to find, but the things I did find were pretty interesting: some soccer, college basketball, an outdoor ice hockey game played on a pond, and an FBI training video. Any analog satellite receiver from the Uniden Supra line is highly recommended.

Finally, the last piece of equipment you really won't want to live without is a dish motor. This motor will tilt and pan your dish automatically, so you don't have to go up on the roof every time you want to look at a different satellite. A motor can be found online for about $100. You put your dish on the motor, put the motor on the mast, and point the entire assembly to the satellite closest to true south from your current position. Once you peak your signal there, you can use a feature of the Pansat called USALS that will automatically track the other satellites across the Clarke Belt based on that initial true south positioning. It's amazing to see it in action. My motor of choice is the Stab HH90.

Let's Scan the Skies

Here is where the magic happens. You've got your system all set up, your dish is pointed to true south, you've got your USALS all set up, and you've got your remote in hand. The fun in this is figuring it out, so this won't be a how-to. To point you in the right direction of satellite positions, I recommend http://www.lyngsat.com, a listing of satellites around the world and the channels that they contain. Using your receiver, you will tell your dish to point at a specific satellite based on its position (such as 97 degrees West) and blind-scan it. "Blind-scan" will find all channels on the satellite, including full-time channels, data feeds, radio channels, and wildfeeds. Wildfeeds are on-the-spot news reports that are being sent back to the network, which include times when the reporter is "off the air" while their hair is being fixed, they practice their lines, or have candid conversations with the camera crew. You may also find training videos that are broadcast to government agencies and schools around the country. If you're a sports fan, you'll love the sports wildfeeds, which are direct from the stadium broadcasts before they go back to the network. You'll sometimes find these without graphics, commercials, and, more rarely, even without the annoying commentators! News feeds show up a lot on SBS6 (74w), NASA TV is available on 119w with a circular LNB, and PBS has some network feeds on AMC3 (87w). Aside from wildfeeds, among the other programming available on these satellites (especially 97w) is a ton of foreign programming. You can get an international perspective on news, hit Bollywood movies, sports that aren't normally aired in this region, and just a huge dose of international culture. The real fun is exploring, so I'll leave you to it!

Conclusion

There are tons of things waiting for you to find them up there. Finding something strange and interesting gives me an awesome feeling, and I feel better knowing that I've explored the system enough to gain a greater understanding of the satellite world as a whole. For more information on the topic, check out these great links:

Lyngsat Satellite Index: http://www.lyngsat.com
Satelliteguys FTA/MPEG Forum: http://www.satelliteguys.us/free-air-fta-discussion/

Shout outs: sxtxixtxcxh, traJ/sb, my lovely wife Hypher, and JemsTV who helped me out with this article.
Essential Security Tools

Over the course of my career in network security, I have come across a lot of security tools, most of which may already be familiar to people reading this article. Some of you may be a lot more adept with them than I am. With this article, I am hoping to lay groundwork for these tools which people can then build upon. For each tool, I will present where to find it, what it does, how and when to use it, and other tidbits of information which may come in handy.

Name: nmap
Where: http://insecure.org/nmap/
What: nmap (Network Mapper) is probably one of the most recognizable names of programs when it comes to network security. Supporting both IPv4 and (some) IPv6, nmap has become a staple for anyone working in network security. It is most commonly known for its port scanning abilities and its ability to customize the scans.
When: nmap comes in very handy for a number of purposes. Vulnerability assessments, penetration tests, testing firewall rules, testing (H/N)IDS functionality, and network audits are the main ones which come to mind off the top of my head, although I'm sure many of you out there have used nmap for other purposes as well.
How: nmap can be used simply as a basic port scanner (nmap -v -sT $target). This will perform a full TCP connect scan on most common ports. Or, it can be used for something more complex: nmap -v -sN -T1 -P0 -p 0-65535 -O $target will perform a NULL (-sN, no flags set) TCP scan, very slowly (-T1), with no ICMP check (-P0) on all 65,536 ports, while attempting to guess the target's operating system based on the results. Using nmap to test your (H/N)IDS signatures and the alerting which goes along with them is a task which will alleviate a lot of headaches when setting up your IDS to test functionality. Using nmap from outside your network and attacking your firewall and any statically NATed hosts will help you audit your current firewall policy and setup. Using some of the advanced options and scan types with nmap will help you hide your hosts from fingerprinting attacks.

Name: amap
Where: http://www.thc.org/thc-amap/
What: amap (Application Mapper) is a tool which uses signatures to test application settings against a specific port. If you have ever set up a server, you know that most services can be re-mapped to run on a different port. For instance, editing Apache's "Listen Port" directive will allow you to change which port your webserver is on. If you change this to TCP/22, some scanners may report it as the SSH service. Using amap against this will trigger the HTTP signature and let you know what is really running on the port. amap supports both IPv4 and IPv6 for testing and is very accurate with its results.
When: amap can be used during VAs, RAs, PenTests and system setups or as a troubleshooting tool.
How: Using amap with the -bqv options is a good start. This will perform banner grabbing and attempt to match against the signature to let you know what is running on the port you have connected to. As a real-life example (sanitized), I had a customer who had rebooted their firewall and incoming TCP port 25 wasn't working. When I telnetted to the port, I got an odd banner so I ran amap against it. This is what I got:

    [root@alice ~]# amap -bqv 999.888.777.666 25
    Using trigger file /usr/local/etc/appdefs.trig ... loaded 30 triggers
    Using response file /usr/local/etc/appdefs.resp ... loaded 346 responses
    Using trigger file /usr/local/etc/appdefs.rpc ... loaded 450 triggers
    amap v5.2 (www.thc.org/thc-amap) started at 2007-06-24 16:17:34 - MAPPING mode
    Total amount of tasks to perform in plain connect mode: 23
    Waiting for timeout on 23 connections
    Protocol on 999.888.777.666:25/tcp (by trigger http) matches smtp-pix - banner: 220 ****2*******************************************************0****0****0***************2******200************0*00
    amap v5.2 finished at 2007-06-24 16:17:34

Noticing that the banner matches "smtp-pix," I was able to make the modifications to the firewall not to proxy incoming mail. I re-ran amap after and got this:

    Protocol on 999.888.777.666:25/tcp (by trigger http) matches smtp - banner: 220 mail.somedomain.blah Microsoft ESMTP MAIL Service, Version 6.0.3790.1830 ready at Sun, 24 Jun 2007 16:22:09 -0400

Name: hping
Where: http://www.hping.org
Name: tcptraceroute
What: Using the basics of traceroute, tcptraceroute uses TCP instead of the usual UDP/ICMP combination of traditional traceroute. Some firewalls block normal traceroute traffic but will allow TCP traffic to go through. By using tcptraceroute, you can see the path you're taking on the port you expect to use.
When: If you're troubleshooting and need to find the path a certain packet will take on a multi-homed system or a large network with a lot of dynamic routing, but the intermediary routing devices don't allow regular traceroute, use tcptraceroute instead.
How: Running tcptraceroute $host $port will trace the route using TCP SYN packets to the $host on the specified TCP $port. It will first set the TTL to 1, which is expected to die at the first hop and receive an error message from the routing device that the TTL has expired. The program records that IP address as the first hop. It will then increment the TTL to 2 so the packet will make it past the first hop but not the second. This process repeats until either the maximum TTL, which defaults to 30, has been reached or the port is reached, either open or closed. If you don't expect the path to be too long, try using tcptraceroute -n -q 1 -m 15 $target $port. The "-n" option, useful at any time, tells tcptraceroute not to perform domain lookups and to give you the IP addresses only. This makes the results quicker as the program doesn't spend time looking up hostnames. Using "-q 1" tells the program to only query the hops once instead of the default three times. Again, this is also useful for almost every time. The last option, "-m 15", specifies the maximum number of hops to use. The default is 30 and it can go as high as 255. Be warned: if you're stuck in an asymmetric routing scenario or are caught in a dynamic routing loop, you may cause some congestion and headaches for the admins.

Name: grass.pl
Where: http://www.2600.com/code/222/grass.pl
What: grass is a Perl program I created (yes, this paragraph is a bit of self-promotion) to help test stateful firewall software and connections tables of the firewalls. It supports both IPv4 and IPv6 and acts as a TCP "door-jam" to create a 3-way handshake. When you're ready to close the connection, grass will send the closing 3-way handshake and close the connection.
When: If you have ever worked on a stateful firewall at the low level, you know that they hold connection information usually called a state table or connections table. If the connection table gets full, depending on the firewall software you're using, connections may get dropped. Or, if you try to open a connection on an already established source port, you may have weird effects. grass gives you the ability to choose both the destination and the source port for your traffic.
How: I was working on a customer issue where the firewall appeared to change a SYN packet into an ACK packet. Further troubleshooting found that the device downstream was a wireless router which (for some reason) could only handle 25 connections at a time. When connection 26 came in, it would use the same source port as connection 1 through the wireless router and, when it hit the firewall, the firewall would "help" the packet by changing the flags. I created grass to aid in troubleshooting stateful firewalls or stated connections over TCP.

Name: netcat (nc)
Where: http://www.vulnwatch.org/netcat/
What: It's probably easier to say what netcat isn't. Netcat (nc) is hyped as the "Swiss Army Knife" of networking tools and it lives up to that hype. You can use nc for something as simple as creating a TCP connection or you can be more advanced by creating a server-client setup to compress and transfer files between two hosts. You can have nc listening on a server and run a program when you connect to it. The possibilities are almost endless.
How: As much as I want to talk a lot about nc, I think I should keep it short as this article could become a book. nc can be used on its own or you can put it in your scripts. You can set it up to be a server or even just a listening socket on your TCP stack. I have taken the following example from the nc README file which illustrates a good use for nc:

A typical example of something "rsh" is often used for: on one side,

    nc -l -p 1234 | uncompress -c | tar xvfp -

and then on the other side

    tar cfp - /some/dir | compress -c | nc -w 3 othermachine 1234

will transfer the contents of a directory from one machine to another, without having to worry about .rhosts files, user accounts, or inetd configurations at either end.

As you can see, using nc in addition to what you normally do can make life a lot easier. You can build a basic automated file transfer program between two machines with a little knowledge of scripting, some nc and a cron job. Netcat is worth sitting down with a pot of coffee and playing around with.

Name: ike-scan
Where: http://www.nta-monitor.com/tools/ike-scan/
What: ike-scan has a name which is a bit misleading as it doesn't rely on ISAKMP only; it does IPSec scanning as well. If you are performing a VA, SA or PenTest against a VPN-capable machine, ike-scan is a must.
How: Using ike-scan may require a bit of reading on their wiki site to glean a good amount of usage information. By itself, ike-scan will go and attempt to gain as much information about the VPN target as it can: Is it using Aggressive Mode? What encryption and hashing methods
  • 20. are supported? What sort of authentication is bei ng done? These are just a few questions which i ke-scan will attempt to answer for you . I n addi­ tion to performi ng basic enumeration, i ke-scan can be used to negotiate ful l VPN connectivity, though this may not be for everyone to try. I have found that i ke-scan is very helpfu l when trouble­ shooting VPN connections, especially when you don't control the remote end. Some VPN error messages from specific vendors can be rather cryptic (No Val i d SA - Ye olde generic Check­ point Error Message) and i ke-scan helps give you good i nformation in determi n i ng where the problem may l ie. Using i ke-scan in your VA, SA and PenTest work is also very helpfu l . There are a lot more security tools out there wh ich I haven't mentioned, including among by Phatbot chunkylover37@gmail.com At work this week, I was trying to resolve a particu larly pern icious bug, so I Googled for the error message and came u p with this: http : / / www . expert s - exchange . c om/ -Programming/Mi s c / Q 2 0 9 1 4 3 9 7 . html Experts-exchange - h m m, that's awfu l l y close t o ExpertSexChange.com, a nother o f m y favorite websites! Er, not rea l l y. L i ke many such sites, they wou ld l i ke you r money before showing you the sol utions to the questions posted. B ut u n l i ke other sites, Experts-Exchange actu a l l y does show you the solutions, j u st in a grayed-out box that's hard to read. When I 've come across this site i n the past, I j ust viewed the HTML source, and there you cou ld read the answers i n p l a i n text, thus saving you their $20 yearly fee. B ut this ti me, the answers l ooked l i ke this: "Vg'f abg nf hahfhny nf Ibh znxr vg fbhaq. . ." Not terribly helpfu l, but I guessed that they were using a simple substitution algorithm to encrypt the text. I qu ickly fired up a text editor, copied the encrypted text to a fi l e cal l ed expert s - exchange . 
txt, and wrote this Perl scri pt: open ( IN , ' expert s - exchange . txt ' ) ; my $ t ext = j oin t ' ' , < IN» ; c l o s e IN ; $ t ext = - t r { vvGgFf } { I iTt S s } ; print $ t ext ; others h unt, a session hijacker; thc-hydra, a pass­ word auditor; and thc-ipv6, an I Pv6 attack toolkit. All of these, and others I haven't touched upon, cou l d be put together to have a book written about them. I j ust wanted to draw some attention to the ones which I use on a regu lar basis and find most helpfu l in my day-to-day security work. I n other words, if I d i d n ' t mention $your_favorite_ program i n this article, I ' m not trying to sl ight you, the too l ' s authors, or its i mportance. I hope you find th is article usefu l and begin to explore the uses of these and other programs. Once you become accustomed to how they work, you w i l l find yourself using them i n a l l sorts o f scenarios i n which you may not have thought of using them but i n which they wi l l help you out immensely. I ' m using the " t r" (transliteration) operator to change each V i n the text i nto a n I, and so o n . I j ust guessed that the stri ng "Vg'f" was supposed to be the word "It's." The result looked promisi ng, so I j u st kept making guesses. U ltimately my decodi ng looked somethi ng l i ke this: $ t ext = - t r { AaBbCcEeFfGgHh l i J j LlM - m N n O o P P Q q R r S s T t U u V v W W Y Y z z } { NnOoPpRrS sTtUuVvWWyyz zAaBbccDdE -eFfGgHhl iJj L lMm } ; With everyth ing i n a l phabetical order l i ke that, it' s pretty easy to see that the text was j u st rot1 3 -encoded. So, this simpl ified Perl script took care of decodi n g the whole thi ng: open ( IN , ' expert s - exchange . 
txt ' ) ; my $ t ext = j oin ( " , < IN » ; c l o s e IN ; $ t ext = - t r { A- Z } { N - ZA- M } ; $ t ext = - t r { a - z } { n - za - m } ; print $ t ext ; Now, i n my case, the decoded text d i d n ' t get me any fu rther toward solving my origi nal problem than the encoded text, but it was a fun d iversion. You r m i leage may vary. Editorial Note: As of press time, we have been notified that Experts-Exchange has recently changed its website so that the ROT- 1 3 decoding algorithm described here will no longer work. We hope that our readers will nonetheless find the article instructive. Page 20 ------------------- 2600 Ma azine
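The crib-and-guess approach the article walks through, as an added Python example (not the author's Perl and not anything from Experts-Exchange): it reproduces the first partial tr{} swap, turns the single guess "Vg'f" = "It's" into a shift, checks that every guessed letter pair agrees on one rotation (which is what made the author's hand-built table turn out to be ROT13), and then decodes the quoted fragment. The sample text is the answer fragment quoted above; the function names are this example's own.

```python
"""Crib-based recovery of an alphabet rotation, after the Experts-Exchange
decoding above. Added example; not the article's code."""
import string

LOWER = string.ascii_lowercase


def partial_substitute(text: str, cipher_chars: str, plain_chars: str) -> str:
    """Python equivalent of the author's first Perl tr{VvGgFf}{IiTtSs}:
    swap only the guessed letters and leave everything else untouched."""
    return text.translate(str.maketrans(cipher_chars, plain_chars))


def shift_from_crib(cipher_word: str, plain_word: str) -> int:
    """Derive the single rotation that maps cipher_word onto plain_word.

    Works on any pair of equal-length strings, so it also accepts the
    author's full tr{} tables. Raises ValueError when the letter pairs do
    not all agree on one shift, i.e. the scheme is not a plain rotation
    and a per-letter table (the author's second script) would be needed.
    """
    if len(cipher_word) != len(plain_word):
        raise ValueError("crib strings must be the same length")
    shifts = set()
    for c, p in zip(cipher_word.lower(), plain_word.lower()):
        if c.isalpha() != p.isalpha():
            raise ValueError("letter aligned with a non-letter in the crib")
        if c.isalpha():
            shifts.add((LOWER.index(c) - LOWER.index(p)) % 26)
    if len(shifts) != 1:
        raise ValueError(f"crib implies inconsistent shifts: {sorted(shifts)}")
    return shifts.pop()


def unshift(text: str, shift: int) -> str:
    """Rotate every letter back by `shift`, preserving case and leaving
    punctuation alone; with shift == 13 this is the Perl
    tr{A-Z}{N-ZA-M} / tr{a-z}{n-za-m} pair."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base - shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def decode_with_crib(ciphertext: str, cipher_word: str, plain_word: str) -> str:
    """Guess one word, derive the shift from it, decode the whole text."""
    return unshift(ciphertext, shift_from_crib(cipher_word, plain_word))


# Constructed sample input: the answer fragment quoted in the article.
SAMPLE = "Vg'f abg nf hahfhny nf lbh znxr vg fbhaq..."

# The author's hand-built table, reproduced only to check that every pair
# in it agrees on the same shift (it does: 13, hence ROT13).
AUTHOR_FROM = "AaBbCcEeFfGgHhIiJjLlMmNnOoPpQqRrSsTtUuVvWwYyZz"
AUTHOR_TO = "NnOoPpRrSsTtUuVvWwYyZzAaBbCcDdEeFfGgHhIiJjLlMm"

if __name__ == "__main__":
    print(partial_substitute(SAMPLE, "VvGgFf", "IiTtSs"))
    print("shift implied by the author's table:", shift_from_crib(AUTHOR_FROM, AUTHOR_TO))
    print(decode_with_crib(SAMPLE, "Vg'f", "It's"))
```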
Connecting... An Introduction to Beige Boxing
By Erik Paulsen

I'm going to take a few moments to take things back to the basics: I'm going to teach you beige boxing. Beige boxes go back to the origins of hacking, when accessing other people's phone lines helped you remain undetected. Using hijacked phone lines helped conceal crimes that were committed through modem connections. Beige boxing is a science; employing it in practical situations is an art. Beige boxing will permit you to connect a phone, laptop, or Palm Pilot to a telephone landline. Whether you are learning by tapping into your own phone line, or someone else's, there are only a couple of basic parts and tools you will need to get started. Once you've learned to beige box, you can learn more about more advanced topics including DTMF tones, red boxing, social engineering, wardialing, and wiretapping.

So, let's start with something basic. As I go through the following examples, I expect that you are already familiar with the following things: you know what a phone is, you know how to dial a phone number, you know what a modular phone jack is. If you're using a modem, I also expect that you know how to dial with that modem and how to do whatever else you want to over the phone line once connected. Also, it helps to have common sense when doing anything clandestine. If you plan to do anything illegal, or anything that you think might be illegal, check your local laws and try not to break them. Beige boxing offenses, in the eyes of the law, usually involve trespassing or theft of services. Connecting to the internet by beige boxing may be considered a federal offense, since the illegal phone connection will more than likely cross state lines.

The Most Simple Device You Have Ever Made: The Beige Box

A "beige box," or a homemade "lineman's handset," is a simple telephone cord modification. It is called a beige box because the first version ever made supposedly used a beige phone. I'm sure you can learn more about this if you look for a description in the Hacker's Lexicon. Construction is simple. You'll need a few parts: one modular phone cord, which will be mutilated; two solder-type or screw-type alligator clips, preferably insulated; a soldering iron or screwdriver (accordingly); and something to cut and splice the phone cord, typically a wire cutter which will double as a wire splicer. Finally, you will need a phone, and you won't be doing anything to it. So choose an appropriate phone. Obviously, the phone you will be using to beige box will need portability! If you can't use it with one hand or less, don't bother with it. A decent hands-free telephone is ideal.

First, cut the phone cord as close to one of the ends as possible, so you have a phone cord with a modular jack at only one end. Next, you will want to splice the same end of the cord that was just cut. This will expose the two (sometimes four) color-coated wires inside the cord. We will only be dealing with the red and green wires, so if you also have yellow and black wires, you can carefully cut them off. The object here is that you want to connect your two alligator clips to the two separate wires inside of the phone cord. I would say you will only need to expose the last two inches or so of the outer plastic cover. This will leave you with two wires, one red and one green, sticking out two inches from the end of the cord. Then, strip a little of the plastic jacket off the red and the green wires, so you have enough bare wire to connect the clips. Finally, attach the alligator clips, one to each stripped wire. Now, it doesn't actually look like a box, but you can plug it into your one-piece phone. Construction is now finished, and you have just made a beige box.

I'm sure you're now wondering what you can do with the box you've just built. To test it out, look for your home phone line's junction box. This is where your phone line comes into the house and where it is wired to your home's telephone wires. It will typically be found on the outside of the house but may be in a garage or possibly by your house's fusebox. I have seen junction boxes located in many places, from apartment building laundry rooms to hotel utility closets, but I'm sure your search will quickly succeed.

Once you have found your junction box, open it up. If it has a lock on it, use your judgment and your common sense. If you keep reading, I'll assume you've got it open. These are customer boxes, so the person who pays for the phone will own the equipment. What we are aiming for is a bridge-type connection, allowing your phone to access the landline. So, you will want to connect your alligator clips. If you're smart, you won't reach your hand into the junction box and fiddle around, as there is electrical current flowing through the wires. It will typically be only 20 volts of direct current, but if the phone happens to ring, you'll get a nice "wake-up call," as ringing voltage is around 100 volts of alternating current. Respecting the electricity inside of the box and observing reasonable safety measures, attach the alligator clips accordingly: red to red, green to green. You may notice that green, red, black, and yellow wires are connected to your four terminals. You will be attaching your alligator clips to the red- and green-wired terminals. Hopefully your junction box is wired this simply. If this is not the case, remember the rule: right red ring, left green tip. Or, more simply: right red. Some boxes are wired this way instead of using colored wires. So attach your red wire to the right terminal (which is usually a screw) and your green wire to the left terminal (also a screw). Correctly attached, with a phone plugged in, you should get a dial tone. This means success.

You can connect your beige box to any phone line which you can access. You can expand this to network junction boxes, which are the ugly green boxes located in residential areas, and to buried phone cable lines if you can match the correct wires together. You may be surprised to see how many phone lines are grouped together in one location. Now what you do with it is up to your imagination, and is only limited by the laws of electricity. An FM transmitter can be attached to a phone line. So can audio input and output connectors and a multitude of other devices and applications. Beige boxing simply taps into a phone line. After that, there's not much of a limit.

A note to those who are unfamiliar with technological tampering: this device is not meant to harass the AT&T operator, enemies, or ex-girlfriends. It is not meant as a tool to stalk someone or to listen to private phone calls. It is not intended to do any damage, physical or emotional. It is a tool for learning about the physical aspects of and possibilities of this technology.

Glossary of Terms
Dual-Tone Multi-Frequency (DTMF) Tones: The tones emitted by a touch-tone telephone or a device modified to emit such tones. As well as dialing phone numbers, they are also used to control telephone equipment, including electronic switching equipment and payphones.
Red Box: A modified DTMF tone dialer that generates the tones which tell a payphone that a quarter, dime, or nickel has been deposited. Since its discovery, the possibility of red boxing has been widely eliminated by telephone company countermeasures.
Social Engineering: Acquiring information through manipulative social interaction.
Wardialing: The act of dialing phone numbers in a sequence to search for telephone numbers with interesting properties or for phone lines connected to modems.
Wiretapping: Recording or transmitting the conversation taking place over a phone line, in order to listen to conversations and gather information.
Lineman's Handset: A device used by telephone company repairmen to connect to a phone line for testing purposes. A professional and feature-enhanced version of the beige box.

Hacking the SanDisk U3
by Mercereau (aka dohboy)
http://www.dohboy.com/

When I first installed my new flash drive, a SanDisk Cruzer Micro 2GB, I found the application that was autoloaded, Launchpad, to be a bit clunky and cumbersome. Of course, I was using an older machine at work which was at end of life cycle a year prior. The graphical features were nice, and the concept was fantastic; to me, it seemed to be an attempt at a portable operating system in that you could transport all of your applications, which would remain on the drive. Even so, the removal of the additional drive became necessary, as my position required hopping from machine to machine. Waiting for the drive to install each time meant wasting time.

While this article is not a tutorial about U3 removal, you can go to http://www.u3.com/uninstall to remove the U3 if you want. To my knowledge, this will permanently remove the U3 with no way of reinstalling it at a later date. Doing this will make the rest of this article irrelevant. Please note: in no way am I responsible for you breaking your drive as a result of the procedures below.

Basic Information
There are some basic things you should know about the U3 Smart Drive. The U3 comes pre-partitioned; most of the device is a FAT partition with a hidden SYSTEM file. SYSTEM is where all of your programs are stored. The last four to six megabytes or so are allocated to an ISO-9660 partition that emulates a CD-ROM drive. Within the CD-ROM partition, there is an autorun.inf which kicks off the installation of the Launchpad. The Launchpad is the main program for management of the applications installed on the drive, as well as for file management and data encryption. The U3 runs on (almost)
any PC running Windows 2000 SP4+, XP, or Vista. Some of the U3's features are portability and the fact that you don't need admin rights to install new software. Some of the negative aspects are the need for two separate drive letters, trace files that are sometimes left on the host PC after improper removal, and the wait time needed for the initial installation of the U3 (in some cases, up to 3 minutes from personal experience). The CD-ROM partition on the SanDisk Micro cannot be written to like a normal CD. There is some amount of reverse engineering involved; however, if you can run MagicISO, by the end of this short article, you should be able to re-write your U3. I began looking for ways to remove the drive and found various other tools that I could use.

Tools Needed
First, you will need to download LPInstaller.exe. LPInstaller is required to write to the CD-ROM partition. You can download this from http://www.sandisk.com/Retail/Default.aspx?CatID=1411 or you can visit my site at http://www.dohboy.net. Second, you will need to write an ISO that the LPInstaller will use to 'burn' to the U3's CD-ROM. You can do this with the help of MagicISO (http://www.magiciso.com/). Even if you do not have the full version, the trial version allows you to create an image smaller than 400MB. That's it.

Re-Writing the U3
Some have tried to rewrite the U3 by craftily using Linux; some have attempted this using some fancy hosts file modification to mimic SanDisk's web server, but all you really have to do is save the image you have created as "cruzer-autorun.iso" in the same directory as the LPInstaller. Once the LPInstaller is run, it will grab the "cruzer-autorun.iso" and use it, since it believes this file has already been downloaded.
If the file is not in that location and there is an internet connection available, LPInstaller will go to the SanDisk website and download the most up to date version of the Launchpad. You can see what Launchpad tries to connect to using Ethereal. There is a limitation to the size of the image: 6.2MB. I have tried larger but only got errors. Remember, the image must be named cruzer-autorun.iso and be in the same directory as LPInstaller. LPInstaller will write the .iso file to the flash drive's CD-ROM partition. I probably don't have to mention it, but make sure the U3 is actually plugged into the computer before running LPInstaller. In my line of work, I am used to working with the lowest common denominator.

autorun.inf

  [AutoRun]
  open="program.exe"
  icon=.\dohboy.ico,0

Save the above information, replacing program.exe with any globally-executable application on the host machine or any application on the U3 partition. For instance, if you have an application on the U3 called haxor.exe in the root directory of the CD-ROM partition, you would reference it using .\haxor.exe. Autorun.inf must be in the image's root directory, just like with any autorun file. Visual Basic Script, though it is slower and uglier, is my code of choice. These files are easy to create and can be launched as long as wscript or cscript is on the host machine. If they are not, either can also be written to your partition; you are only losing 112 KB by doing so.

Implementations
Thus far, I have written various scripts and applications for the U3 which make my job easier and my life more fun. One such script will allow me to track my U3 if it is lost or stolen. This was done using the getInfo.vbs script available in the 2600 code repository or on my website at http://www.dohboy.net.
This script will send me an email with the login, domain, local IP address, public IP address, registered owner, and other information of anyone using the lost or stolen U3. This is only if the user is currently connected to the internet and has no limitation on their ability to connect to my SMTP server. I plan on developing a free service that would allow a user to track their U3 in the event that it was lost or stolen via my website. It is a work in progress.

It might also be possible to write scripts that would allow you to poll the system for information and write it to a file located on the FAT partition. How is that possible if the drive letter could be different from machine to machine? Make the script search for a file from all possible drives and append information when found. Various other scripts like this can be found on my site as well.

Another implementation of mine was a keylogger. I used C++ to create an invisible application called squid.exe (I might post this on my website) that logged keys. The way it worked was to load upon launch and log keys. Once the thumb drive was plugged back into the machine, squid would know that the drive was plugged in again, and would search for a specific file in the root of the FAT partition. After the file was written, squid would exit with garbage clean up. No files on the host computer would be created. For fun, rewrite the autorun.inf to open a shutdown sequence (for example: "shutdown -r -t 00").

Conclusion
While some of these implementations are fairly tame, there are potentially far more dangerous scripts and programs that can be written. My squid was a fairly slow application since I only wrote it to test what I could do. While it performed as I had planned, it could have been optimized to be quite a bit faster and run without using as many system resources.
While this article focused mainly on the SanDisk because of its vulnerability with LPInstaller, there is a possibility the partition on any U3 could be rewritten. More information on hardware, such as the HDK, might be obtained by emailing licensing@u3.org. Have fun with your U3 and try not to get in trouble using it.

The scripts mentioned in this article can be downloaded from the 2600 Code Repository at http://www.2600.com/code/