dMP dMP dMMMMb dMP .-------------------------------------------------. dMP dMP dMP.dMP dMP | United Phone Losers | dMP dMP dMMMMP" dMP `-------------------------------------------------' dMP.aMP dMP dMP [ issue UPL027 | released 3/15/02 | low-carb meal ] VMMMP" dMP dMMMMMP [ http://www.phonelosers.net ] .-------------------------------------------------------------------------. | introduction | `-------------------------------------------------------------------------' UPL is growing up. She's much more mature in her later years, and I sense she's just going to continue to grow and develop, complete with menstrual cycles and huge breasts. So here. Your latest UPL fix, like so much crack up an addict's inflamed nostril. It'll only be enough for a night or so, then y'all will be back begging for more. So get ready to sell your body this next time around, because your following highs won't come free; I demand compensation, baby - and I fuck to cum! So take this poison, you ungrateful fucks. Stick the fucking spike into your skin, and let your brain drip to the carpet floor. Can you feel it? There's a vast fucking world out there for you! Imbibe it, imbibe it and take all that you can, until all your left with is a shadow of your former fucking self and memories of what it used to feel like to be *YOU*. From me, with love. --- linear .-------------------------------------------------------------------------. | | | straight from the dark dungeons of the internet | | -------------CONTENTS------------ | | | | ARTICLES | | Rob T Firefly's Guide to Hacker Cinema..................Rob T. Firefly | | Exploiting weak password schemes with gdb.....................Phractal | | Team Activism FAQ...............................................linear | | Hacking the IconLock Desktop Lockout Software...................Diesel | | This Is The Tale of Divestiture The Death of a Network.......^CircuiT^ | | Cell Phone Spam - (A Wireless "Fuck You")........................Axion | | Telco Tracking Phreakers.......................Matt Coin & Tyler Cairo | | AIM has gone mad............................................Nep Tunium | | | | ULTIMATE FACT81 PACKAGE | | Free Local Calls................................................fact81 | | Explore Kmart (Follow Up).......................................fact81 | | Hack Quick-Scribe...............................................fact81 | | Retail Transaction System Hacks.................................fact81 | | Making Voice and Data Compatible................................fact81 | | | | PHRESH WAREZ | | Random Phone Number Generator.................................Gzaector | | | | Announcements | | Disclaimer | | | | -=* MORE ACTION PACKED ARTICLES IN UPL TONEAGE! *=- | | Be Sure to Check Out http://www.phonelosers.net/issues/toneage27.txt | | For More Old-School UPL Leetness! | | | `-------------------------------------------------------------------------' "It's important for us to explain to our nation that life is important. It's not only life of babies, but it's life of children living in, you know, the dark dungeons of the Internet." George W. Bush, Arlington Heights, IL, October 24, 2000 .-------------------------------------------------------------------------. | Rob T Firefly's Guide to Hacker Cinema | | Written By RTF Email: r_t_f@phonelosers.net | `-------------------------------------------------------------------------' Hi everyone! It's been a while. How are things? Here I present to you my comprehensive guide to Hacker Cinema. By comprehensive, I mean absolutely complete information as far as the top of my head is concerned. I'm writing this in bits and pieces at work and on an offline computer, so I'm not doing any sneaky IMDBing or anything. Any errors are my own, and shame on me as a movie addict for them. Please note that I'm using the term "Hacker" in the general sense, encompassing hackers, phreaks, crackers, yackers, schmackers, and whatever other labels us geeks come up with for ourselves. I'll do more of these as more hacker flicks come out. Enjoy! WARGAMES Here it was, the movie that started it all. Not that it started preople hacking in general, it just clued the general public in on what was going on and thusly (I like that word) inspired loads of people to join in. I remember seeing this in the theaters, old bastard that I am. Wargames was about a normal geek (Matthew "Simba" Broderick) armed with what amounted at the time to about ten grand worth of computer equipment which was probably less powerful than the Game Boy I had in junior high. He decides to try hacking out a software company's computers for an early crack at the hot new upcoming games, since alt.binaries.warez wouldn't be invented for another decade or so. Instead, his wardialer (he uses a wardialer! Zowie!) picks up WOPR, a top secret artificial intelligence at NORAD which is in control of American nuclear missiles. Like all room-sized superdupercomputers of the era, WOPR was extremely stupid. It mistakes Ferris Bueller for its creator, and takes his request for games as an order to take over NORAD's systems and start up nuclear war against Russia. This was much more dangerous than today's technology, which would take Matt's request and immediately offer him a free trial on AOL and lots of pornography. Eventually, Broderick is busted by the Army, escapes from the army, collects his girlfriend (Ally Sheedy, the scary girl from "The Breakfast Club") and hunts down the real creator Professor Falken, a recluse who was played by some Englishman whose name escapes me. (Hey, if he was a British genius, why was he making stupid evil supercomputers for us Americans? Shouldn't he have been working for MI6?) He then brings English Guy and Breakfast Girl back to the army, where they are of absolutely no help. So the kid stops the computer blowing up Russia by - wait for it - telling it to go play with itself. Overall, it's a very good film. It's not really about hacking in itself, it just uses a hacker main character. It's a flick about how nobody should get in nuclear war, because it is bad and would hurt innocent kids. I would agree with this, more or less. Five out of five floppies. Bonus points if you were raised in the 80s and had nuke drills in grade school. [;] [;] [;] [;] [;] TRON Tron was fun, made by Disney in an age where that name didn't always mean hideous distortion of a popular work of fiction and/or historical event. It made hideously heavy use of computer-generated effects before people outside of Atari knew what the hell they were. For that alone it's a notable geek flick. Tron follows the goings-on in the computer world, which is a funky blacklit place where computer programs exist as human-like beings covered in circuit patterns (and sometimes, bizarrely, togas.) They do their thing, worshipping the mysterious "users" (i.e. normal humans like you and I, and maybe that other guy) in the real world. One of these users, Flynn (Jeff "Starman" Bridges) runs afoul of the evil computer program who overlords the computer world, and is changed by the big badass evil polygonal face into a program and sucked into the computer world. While there, he helps a bunch of rebellious programs (led by a program called "Tron," hence the title) overthrow evil face guy and save the real world somehow in the process. He then gets beamed back into reality, and probably ends up getting the girl or something. The computer world is a quite fascinating creation for its time, since it was pretty much all CG or CG-enhanced visuals made by tons of 1980s computers that would probably lose a shouting match with a modern calculator-watch. All polygons and smooth surfaces. The light-cycle game scene is a classic. Flashback: I remember going to the Ice Capades (Kids: ask your parents. Or better yet: don't) with my family, and seeing a whole black-lit Tron-inspired ice show. I think I fell asleep, I usually did during those things. Anyway, back to the flick. There are some throwaway references that hackers will get a kick out of, like Jeff Bridges using a cool hacker-y gizmo to get past a ridiculously huge security door. And it reinforced the secret belief about video games I had when I was around five or six, where the little blob of pixels on the screen you controlled was a living being who really did die a horrid death when you lost. I always felt so bad for Pac-man when I killed him. And look at me now, torturing Sims to death for pleasure. Three out of five floppies, bonus points for graphics geeks. [;] [;] [;] THE LAST STARFIGHTER Again, not really a hacker movie, but of interest to hackers because all the fx were done digitally long before people did such things. Nowadays, it's like watching demos on the old Playstation games you got sick of in 1997. But it did feature the late Robert Preston as a jolly old alien, and he's one of my favorite classic actors. So sue me. I saw this three or four times in the theaters, if memory serves. Short but sweet - a normal teen beats his favorite arcade game, only to find that it was made by aliens to test prospective fighters for their interstellar war. He's whisked away to fight for the aliens, and an android takes his place so Earth doesn't miss him. He meets up with his new partner, an alien with a very rudely shaped head. They save everyone, and our guy gets his girlfriend to go back into space with him at the end. I can't persuade my girlfriend to ever let me use my own TV remote, and he gets his gal to go to outer freaking space with him without a second thought. Bastard. Two out of five floppies. [;] [;] MAX HEADROOM - 20 MINUTES INTO THE FUTURE Whether it be the original British TV Movie, or the American TV series it spawned, Max is thought-provoking fun for any 80s-based hacker. Basically, it's an unclear point in the future where the world is controlled by TV networks, who live and die by the ratings. Edison Carter, an ace reporter for one of these networks (Matt "Angry Neighbor in 'Honey I Shrunk the Kids'" Frewer) investigating the cause of some mysterious deaths of TV viewers finds out that compressed ads on his own network are to blame. (The ads are so compressed that watching them overloads your nervous system and explodes you. Neat, huh?) Since Carter's seen too much, the evil network employees, consisting of a board member and Bryce, the network's adolescent genius hacker, foil his daring escape by knocking him off his motorbike in the company parking garage with a remotely controlled barrier sign (which reads "Max. Headroom 2.3 meters" on it. Get it? Hmm?) and beaning him unconscious. While he's out cold, they scan Carter's mind into their computer in an effort to see just how much of the evil scheme he knows. The scanned mind is unstable, though, and morphs into the zany Max Headroom personality (played by Frewer in prosthetic makeup, with Amiga-generated CG polygonal backgorunds.) Max is from then on an independent personality zipping from screen to screen over the network, eventually situating himself into the network's live broadcasts. So, they ship Carter off for dead, but he's not, and he makes a triumphant return, the bad guy loses, etc. and Carter meets his new computer-generated alter-ego who is now a ratings goldmine. In the British movie, Bryce the hacker was decidedly evil, working totally in cahoots with the main bad guy, while in the American version they made him transform into more of a good guy for the purposes of a series. The series was cancelled after just one season when the TV executives realized that they were putting out a show telling everyone how amoral they were. Four floppies out of five, three floppies if you're getting as sick of all the fashionable 80s nostalgia as I am. [;] [;] [;] [;] SNEAKERS Ah yes, here's a treat. It's about a merry band of hooligans, made up of old-school hacker Robert Redford, conspiracy nut Dan Aykroyd (who really is,) ex-fed Sydney Poitier, some blind hacker genius guy played by some actor, and some damn kid played by River Phoenix (in his final role before he took enough drugs to successfully explode his head.) This group hires themselves out to banks and things in order to test their security measures just as a group of highly-trained hacker criminals would. The film opens with an insanely elaborate bank-robbing scheme, culminating in the Horse Whisperer bringing a suitcase stuffed with cash back in to the bank's board of directors to show them how easy it was. Later, these merry men are contacted by the government to steal a new universal code-breaker from the mathmagician who invented it. After doing so, they find out that they didn't even do the job for the feds, and the plot gets into a huge and fascinating web of intriguing intrigue. The main villain, and Redford's old hacking partner, is played by Ben Kingsley, who in this film is not nearly as nice as Ghandi, but much smarter than the schmuck he played in "Species." The hacking aspects of the movie are done reasonably realistically, and the plot will interest about anyone following the course of information technology. The blind guy is fun, and the ending is simply to die for. A must-rent, at least. Four out of five floppies... wait, we're into the 90s now. Make that four out of five CDs. (o) (o) (o) (o) HACKERS Mwahaha! Didn't think I'd leave this one out, did you? Here's the story of a bunch of hackers in New York City, Johnny Lee Miller, Matthew Lillard, Renoly Santiago, Laurence Mason, Jesse Bradford, and Angelina Jolie (in her first movie, and first breast shot.) One of these hackers happens upon a mineral corporation's computer system, and sees something he shouldn't. This provides an opportunity for an evil hacker working as the company's sysop (Fisher Stevens, who is still best known as Ben the Indian guy from "Short Circuit," playing half his age) to set his embezzlement schemes in motion, and pin all wrongdoing on the innocent hackers. The good hackers end up staging a huge hacking battle against the bad guy, and the "Hackers of the World Unite" (instant catchphrase) in the cause of justice. This flick took a lot of flack from actual hackers when it came out for a few reasons. Sure, the movie's hacking itself was extremely fictionalized and stylized, where your screen zooms through funky 3D corridors of text and numbers while you hack. Sure, it got a lot of facts wrong, or at least stretched them a bit. But what seemed to irk the underground most was the fact that it was bound to repeat the negative effects of Wargames, in that by dragging things back into the mainstream, the scene would suddenly be flooded with newbies who want to be just like the movie hackers. And that did happen, to an extent. But as in the previous decade, the wannabe level soon faded back to normal background noise as unprepared folks realized just how much work it would take to be the real thing. The only permanent effects of that flick are a slightly raised annoying poser level in the hacker scene (which is not important to real hackers, and generally only bothers other competition-fearing posers these days) and an illustrious career for Angelina Jolie's breasts. Fun Fact: Fisher Stevens' real name is - wait for it - Steven Fisher. Funny Fact: When this flick came out, movies having their own official websites was still in its infancy. MGM had a funny idea to *fake* a hack on their own official site for the flick, and it can still be seen at http://www.mgmua.com/hackers/inventory/hacked/ Funner Fact: Hackers was filmed in New York City's then newly constructed Stuyvesant High School. A "gifted" school, quite a few real hackers I know in the area attend Stuyvesant. Three out of five CDs. (o) (o) (o) THE NET Okay, it had to happen. Back when the Internet was still much more of a mystery to the general public than it is today, people were much more likely to swallow this rancid mcnugget of a movie. At least it had Sandra Bullock, fresh off "Speed." The gist... Sandy is a hacker who stumbles onto a huge secret conspiracy by.. erm.. clicking a hyperlink. A Greek letter "Pi" hyperlink. Now, if I ran a big evil conspiracy's website, I'd maybe keep my url secret, or maybe use a password system of some sort, so only my fellow evildoers could get on the site. I just might decide *against* submitting my site to Link Exchange. So anyway, since only a genius hacker like Sandra Bollocks could think to - I'll say it again - *click a hyperlink,* the evil conspiracy knobs see fit to go into every official database, replacing her information with that of a wanted criminal. Also, they kill off her pal Dennis Miller, who deserved better than being in this movie anyway. (His next flick, "Bordello of Blood," was a step up.) Soooo... Miss Congeniality goes and gets a virus, and sticks it in a random computer somewhere, and takes down the conspiracy. With a virus. Which just goes to show, if you're an evil overlord, back up your data. Even utterly inept evil people like these should be able to figure out Zip disks, or CDRWs. Fun Fact: This movie actually scared my mom into calling me one night and forcing me to explain to her why it was all a great big crock of margarine. I had developed a cheezy celebrity crush on Sandra after seeing "Speed," but this movie helped get me out of that, so for that alone I'll give it one CD. (o) INDEPENDENCE DAY Everyone saw this when it came out for the sake of watching the White House, the Twin Towers, and other landmark buildings go BOOM. That'll probably never be as hilarious as it once was. Anyway, it was your standard alien invasion flick, with a bit of a silly hacker twist. One of the main characters is a hacker, played by Jeff "The Fly" Goldblum. He ends up defeating the aliens by hooking up with a pilot (Will Smith) to fly a stolen alien ship back to the mothership, and using his, erm, Powerbook to, uhm, upload a virus to, er, the aliens' computers. It's a damn good thing the aliens were running MacOS, or that'd never have worked. Three CDs, bonus points if you saw it on the big screen. (o) (o) (o) PIRATES OF SILICON VALLEY This made-for-cable movie become something of a cult hit amongst geeks, so much so that it was quickly made available on vid, which is sort of a rarity for tv movies. It's based on the true events of the home computer explosion of the 80s, and should be a required history lesson for anyone in the field. The exploits of Steve Jobs (Noah Wyle,) Steve Wozniak (Joey Slotnick,) and the humble blue-box-fueled beginnings of Apple Computers are faithfully portrayed, and Anthony "Weird Science" Michael-Hall actually does a decent Bill Gates. The character of Woz is the narrator as the early computer companies fight it out like Dear Abby and Ann Landers. Rent this, or catch it on cable, and learn about your roots. Four CDs, minus a few if you're Captain Crunch and are peeved by the guy who played you. (o) (o) (o) (o) THE MATRIX Okay, eveyone in the damn world has seen this movie a zillion times, so I'll make this quick. An average hacker (Keanu "Whoa" Reeves) finds out from a mythical super hacker he had been searching for that the world is a huge illusion, controlled by a computer intelligence to appease us while it holds all our real bodies in pods and feeds off our brain waves. What is real? Etc, etc. It's a good hacker movie for a few reasons. The hackers are the good guys again. The movie jives with the common hacker paranoia that something sinister is going on behind everything (granted, that's not just a hacker thing, it's garden-variety paranoia.) The CG and bullet-time effects are now the stuff of legend, copied by pretty much everything that came afterward. And it is a rare thing indeed when an intelligent, thought provoking movie actually does well with the average American moviegoer. I guess we have the Hong Kong-esque shooting and fighting scenes to thank for that. Four out of five CDs. And if *anyone* catches you with these... (o) (o) (o) (o) FREEDOM DOWNTIME This is an indy documentary by the crew behind 2600 magazine, covering Hackerdom in general and the Kevin Mitnick and Bernie S fiascos in particular. I caught the premeire at the H2K hacker con in New York City a couple of Summers ago, and I was suitably impressed. It's definitely by hackers and for hackers, and anyone who isn't into the scene will probably not know what to make of it, but just may come away from it with something to think about. And there is a fun scene where Emmanuel and the 2600 crew come across a vehicle sporting one of their "Free Kevin" stickers, and proceed to tear-ass after the poor sucker in multiple cars in a cellphone-concerted effort around some winding streets, ostensibly to thank the drivier for his or her support, but I think they just terrorized the poor sympathizer for a while before he or she finally shook them off. Fun! It's currently doing the college and film festival circuit, with plans to release on VHS and DVD soon. Check http://freedomdowntime.com for showings near you. Fun Fact: My good pals Gonzo and Nitephreak are in it for a second each in some NYC 2600 meeting shots. You're jealous! Four out of five CDs, bonus points for the close followers of 2600 magazine, Kevin Mitnick, and their various legal battles. (o) (o) (o) (o) ENEMY OF THE STATE I like Will Smith. And I'm not ashamed to say so. I just have so much more respect for him as an actor when he isn't doing an accompanying cheezy rap song to go with the movie. I liked watching "Men In Black" fine, but my heart sunk upon hearing the Fresh Prince gabber on about the "uh, uh, yeah, uh" Men In Black over the credits. Thankfully, he's the main character in this one, and there's no rap song. Prince plays some normal guy who somehow stumbles upon the dreaded "something he shouldn't have seen" so common to these movies when he comes into posession of a video depicting some important guy being murdered. Blah blah conspiracy blah, and he enlists the help of a reclusive hacker (Gene Hackman, in unconvincing nerd glasses from Spencer Gifts) So Lex Luthor and the Fresh Prince join forces to ousmart the conspiracy guys, and blah blah yackety schmackety. I seem to remember liking the hacking and conspiracy aspects, but I find that I don't really remember crap about the story, so I guess it wasn't that memorable. Oh well. Two slightly scratched CDs. (o) (o) ANTITRUST "Antitrust" is about a genius programmer kid who gets tapped by a big software company (a thinly disguised Microsoft substitute) for a gazillion dollar job with a big project called Synapse. The job means he has to abandon some hacker friends who are playing with code of their own, but he goes anyway. He meets the CEO, a thinly disguised Bill Gates type (Tim "Shawshank Redemption Guy" Robbins) and another hacker type (this funny looking guy with blond hair and a brown Amish beard who was recently in a lame show called "Dead Last") who becomes his new pal. He's the star programmer for a while, until he sees some new code for the project given him by Bill Gates Guy, and recognizes it as the work of his hacker friend, who died mysteriously. So it turns out that Alternate Universe Gates is killing independent hackers and stealing their work for his company. Also, the hero's girlfriend turns out to be working for the Man, and tries to kill him with sesame seeds. Erm... he's allergic to them. So, he hacks his way out, gets Bizarro Gates caught, and his remaining hacker friends help him post the whole "Synapse" project on the web, open-source. Speaking of which, this movie gets brownie points for using terms like "Open Source." Whee! Lots of little things like this will make hacker viewers chuckle. Fun Fact: I walked past Tim Robbins in the NYC Aids Walk one year. Three Open-source CDs out of five. (o) (o) (o) SWORDFISH The most recent induction into the hacker cinema category. Swordfish stars Hugh "Wolverine" Jackman, Halle Berry's breasts, John "Barbarino" Travolta, and a caterpillar. More on the caterpillar later. Huey Jacky plays a reformed hacker who is recruited by Halle Berry's breasts to help shadowy underworld figure L. Ron Travolta crack a bank's systems so he can implant a worm that will somehow help him rob it. Travolta has a stripey goatee in this film, which is played by a live caterpillar. This is obvious because from scene to scene, it will curl one way, then the other. Sometimes, it isn't even there! Presumably the caterpillar was injured during these scenes, and no double was avaiable. I have named this phenomenon the "Travoltapillar" and I refer to it as often as I can in everyday conversation. So anyway, now Hugh Janus is getting lots of money for his cheesy Hollywood hacking, playing on a computer which is obviously a leftover prop from "The Matrix" with its multiple useless screens and his graphical assembling of worm programs in 3d virtual reality. He then finds out that Halle Berry's breasts are really a pair of undercover cops, which themselves are really undercover bad guys. Double agents, indeed! Then it gets confusing as hell, Huey screws up the bank thing, but it's not screwed up, and Travolta ends up looking like he did when he played President Clinton a few movies ago. And Halle Berry's breasts die, but don't die. Or something. All in all, it's not really worth the price of the rental, or the price of a caterpillar for that matter. But there was a funny scene involving Hugh Hackman running from a fed, and there are references to a mysterious hacker named Torvalds. That's an homage to Linus Torvalds the Linux poobah, not Willy Torvalds who works at Red Lobster. Two CDs, in honor of Halle's contribution to the film. (o) (o) Agree? Disagree? Email me or post on the UPL board and let me know! -- RTF r_t_f@phonelosers.net [note from linear: for more HACKER MOVIES info, check out http://www.phonelosers.org/hacker_movies.html where you can find a listing and some reviews of other HACKER MOVIES] .-------------------------------------------------------------------------. | Exploiting weak password schemes with gdb | | Written By Phractal Email: phractal@phonelosers.net | `-------------------------------------------------------------------------' //precondition: //This article is working with a FreeBSD environment for this article, //so the asm gdb stuff may be a bit different if running on linux or any //other non-BSD unix. phractal assumes general C and GDB knowledge of //reader, but I'm not that good at it, so feel free to mail me my //mistakes or to skool me more in the ways of ASM Well, I know that one can do the same tasks which this blurb discusses with a common hex editor, but in an effort to look leet, as well as learn about memory and stuff, I present a way to do it with gdb. Well, some of you may be asking what it is that I am going to school you on. I am talking about very weak means of password protecting programs, and how to use gdb to reverse engineer them and get the password. I don't know of any programs that this would be of great use to, but hey, its a concept ;) let's start with some k0de: /////////////////// pass.c ////////////////// ---KUT------------ #include #include #include main() { char pass[20]; printf("enter password \n"); gets(pass); if(strcmp(pass,"boob")) { printf("access denied \n"); exit(0); } else { printf("access granted \n"); } return 0; } ------END KUT-------------- ok, now go ahead and compile this party $ gcc -o pass pass.c Now test it out to make sure it werkz $./pass enter password boob access granted $ ok, cool that worked, let's try a wrong password $./pass enter password zzzz access denied $ Alright, everything is in order, OR SO IT MAY SEEM!! Let's whip out good ol' gdb. $ gdb pass GNU gdb 4.18 Copyright 1998 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-unknown-freebsd"...(no debugging symbols found)... (gdb) disass main Dump of assembler code for function main: 0x804854c
: push %ebp 0x804854d : mov %esp,%ebp 0x804854f : sub $0x28,%esp 0x8048552 : add $0xfffffff4,%esp 0x8048555 : push $0x80485fb 0x804855a : call 0x80483f0 <<<-------------\ 0x804855f : add $0x10,%esp | 0x8048562 : add $0xfffffff4,%esp | 0x8048565 : lea 0xffffffec(%ebp),%eax | 0x8048568 : push %eax | 0x8048569 : call 0x8048400 <<<----------------|--\ 0x804856e : add $0x10,%esp | | 0x8048571 : add $0xfffffff8,%esp | | 0x8048574 : push $0x804860d | | 0x8048579 : lea 0xffffffec(%ebp),%eax | | 0x804857c : push %eax | | 0x804857d : call 0x8048410 <<<-------------|--|----\ 0x8048582 : add $0x10,%esp | | | 0x8048585 : mov %eax,%eax | | | 0x8048587 : test %eax,%eax | | | 0x8048589 : je 0x80485ac | | | 0x804858b : add $0xfffffff4,%esp | | | 0x804858e : push $0x8048612 | | | 0x8048593 : call 0x80483f0 | | | 0x8048598 : add $0x10,%esp | | | 0x804859b : add $0xfffffff4,%esp | | | 0x804859e : push $0x0 | | | 0x80485a0 : call 0x8048430 | | | 0x80485a5 : add $0x10,%esp | | | 0x80485a8 : jmp 0x80485bc | | | 0x80485aa : mov %esi,%esi | | | 0x80485ac : add $0xfffffff4,%esp | | | 0x80485af : push $0x8048622 | | | 0x80485b4 : call 0x80483f0 | | | 0x80485b9 : add $0x10,%esp | | | 0x80485bc : xor %eax,%eax | | | 0x80485be : jmp 0x80485c0 | | | 0x80485c0 : leave | | | 0x80485c1 : ret | | | 0x80485c2 : nop | | | 0x80485c3 : nop | | | __ | | | Woah, that's alot of information, it probably would have been \ | | | a lot less if my programming didn't suck so much. Let's examine \ | | | the program, first from personal experience. What was the first | | | | thing that we saw it do? Of course,it asked us for the password |--/ | | to enter. Let's assume that at memory address 0x80455a, the call | | | to the function is when that occurs in the program. / | | PS. We know that when it is, but we're acting like we haven't__/ | | seen the C source, pretend, use your imagination! | | __ | | Ok, we enter in a string of text that will be analyzed to see if \ | | indeed it IS the password set by the program to unlock itself and \ | | display 'access granted'. OK, now what could be accepting the |---/ | string into memory? let's scroll up and look at the gdb ASM dump / | once again. hey, there is a call to the function. That __/ | look's like its it, let's assume so. | __ | Now gets() hasn't analyzed the string, it has merely taken it in from\ | the user and placed it into a variable in memory. So, ONCE AGAIN, we \ | turn to the ASM dump and look some more. Hey, not that much farther | | down, we seethe function! That's definetly gotta be it, after |----/ all, it compares strings. What are we comparing? Well, it would be a / good guess to assume that we are comparing something to the password__/ to see if the password is correct or not. if we use gdb again (gdb) x/4bc 0x08044860d we get the output 0x804860d <_fini+25>: 98 'b' 111 'o' 111 'o' 98 'b' recocgonize that? there's boob! the password! .-------------------------------------------------------------------------. | UPL Team Activism Frequently Asked Questions | | Written By linear Email: linear@phonelosers.net | `-------------------------------------------------------------------------' Yes, I know we already posted this on the site, but I thought I'd include it here, just for good measure. Expect the UPL Team Activism Official Website (tm) SOMEDAY. - - - - - - - - - - - - - o What is UPL Team Activism? o This all sure sounds a lot like cDc Hactivismo... o Doesn't UPL ever do anything original? o What are the goals of UPL Team Activism? o Huh? o What if I don't agree with the goals of UPL Team Activism? Does that mean I can no longer read UPL or be a part of the scene? o Does the presence of UPL Team Activism mean that the UPL zine will be flooded with political crap? o Isn't this all a little extreme? o Can I join UPL Team Activism? o So if I'm in UPL Team Actvism, I'm part of the UPL group, right? What is UPL Team Activism? - - - - - - - - - - - - - - UPL Team Activism is a group of politically-conscious, socially aware individuals created to coexist with the UPL technology-abuse scene. With the growing fact that hacking is a political act in and of itself, it has become necessary to bring about awareness and promote social justice. This all sure sounds a lot like cDc Hactivismo... - - - - - - - - - - - - - - - - - - - - - - - - - It does, doesn't it? Although it is eerily similar to Hactivismo, we assure you that at the time of Team Actvism's inception, cDc was not in mind. It was not until the following day that we realized we had sub-consciously stolen yet another group's idea. Oops. Doesn't UPL ever do anything original? - - - - - - - - - - - - - - - - - - - - No. Creativity is unnecessary and therefore counter-productive to the goals of Team Activism. What are the goals of UPL Team Activism? - - - - - - - - - - - - - - - - - - - - - As we've stated, our main goal is to spread awareness regarding social justice and civil rights issues, and in this way come up with alternative means to those of the status-quo, and more humane solutions. Through awareness, compassion, direct action, peace, tolerance, and unity, we will be able to liberate ourselves and others. Huh? - - - It means we're fucking up THE SYSTEM, d00dz!!!!!11!!!!!~!1!!!1! Disrupting the heirarchial status-quo to create true peace and freedom (no, not corporate freedom - such as the freedom to choose between Coke and Pepsi) through non-violent means. What if I don't agree with the goals of UPL Team Activism? Does that mean I can no longer read UPL or be a part of the scene? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - If you don't agree, fine. We'll think you're a bit naive and you'll lose a lot of Team Actvism's respect, but you're free to participate in the scene and have dumb little arguments with us. However, we find it difficult to imagine how someone can participate within a counter-culture suc as the computer underground without seeing how it relates to everything else. Especially now with those big corporations trying to silence both political actvists and computer advocates (through such means as the RIAA imposing lawsuits against file-sharing, MPAA sucessfully limiting free speech even further, or legislation like the DMCA and similar documents - all this is politics, folks). So, like it or not, if you're involved in the computer underground, you're (perhaps unwillingly) fighting with us. Boy, it sure does suck for you fascist right-wing conservatives to be on our side, doesn't it? Does the presence of UPL Team Activism mean that the UPL zine will be flooded with political crap? - - - - - - - - - - - - - - - - - - - - - - - - - No. Although there will be a lot more political info within UPL, we'll still have just as much of our normal slop in there to balance out the universe. Isn't this all a little extreme? - - - - - - - - - - - - - - - - - Not if you care at all about who gets to control (or in their case, exploit) your life and the lives of the rest of the world. Can I join UPL Team Activism? - - - - - - - - - - - - - - - Yes, in fact you can! If you're a conscious-minded individual who cares about social-justice and making a change, it is possible for you to join. You don't even need to agree with all of our views (however, a good majority is necessary, otherwise what's the purpose of joining?). Just get in contact with linear and after he gets to know you and has a good idea of your views we'll all (not just linear) determine your involvement within Team Activism. So if I'm in UPL Team Actvism, I'm part of the UPL group, right? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - NO! No one is in UPL! There are several staff members, but UPL is not a group. We will not alter our staff list at anyone's suggestion, for any reason. Team Activism is group independent from the UPL zine and website, but acts under the umbrella of the UPL collective. The zine and Team Activism are not the same thing! We hope this document has answered all your questions. However, any further inqueries you might have can be addressed to activism@phonelosers.net --- linear .-------------------------------------------------------------------------. | Hacking the IconLock Desktop Lockout Software | | Written By Diesel Email: jd610224@yahoo.com | `-------------------------------------------------------------------------' IconLock is a security program that runs in Windows and can do things like preventing you from rearranging the icons on the Winduhs desktop,changing the wallpaper,deleting icons,changing filenames,etc. My high school uses IconLock on all the computerz in the library. When you right-click on an icon,the DELETE,ARRANGE ICONS,and various other menu items are unavailable. If you right-click on an empty area of the desktop, at the bottom of the popup menu there is a thing that says IconLock on it. This is how you know your skewl is using IconCock and not some other (but probably just as cheap) lockout program. Now for the good part: IconLock is so fucking easy to defeat! All you (the 31337 hacker) needs to do is get to the program folder. On our computers, it's in the Program Files folder,in a sub-folder titled IconLock. Once you're in the folder, hold down the shift key, and click on EVERYTHING in the folder,or go to Edit>Select All. Now right-click and select DELETE. Most of the files in there should go to the recycle bin,however some won't. Instead you will get a message, something like "Cannot delete specified file. File is in use" Now for the technical shit- depending on which files you were able to delete,the program may or may not still work. However, if the *.bin file is gone, you are almost guaranteed that the program will not operate next time you reboot. Whether or not this file is gone,reboot the computer now. Ok,good you have rebooted the computer. When the desktop comes back up, right-click on an empty space, see if IconLock is still in the little pop-up menu. If it isn't, keep reading. If it is, see the end of this file for what you should do. Go back to the IconLock folder right-click it,and select Delete from the menu. If you still get a message or two saying certain files can't be deleted,then just move the IconLock folder into another folder (Norton AntiVirus,etc). Reboot again. When Windows comes back,find the IconLock folder again, and again try to delete it. It should delete this time.If it doesn't, then don't worry about it,unless the IconLock program is still active. If it's still active, go find another computer to 0wn. The methods described above worked on every computer I have tried it on, except one. WHAT TO DO IF IT DOESN'T GO AWAY!!: First, mutter "fuck you IconCock". Ok,now that you feel better (or not), create a system disk with a 3.5" floppy. Now reboot the computer. When it says Starting Windows 95 or 98,or whatever version you're running (come on, schools are too cheap to upgrade to ME!!),hit F8. This brings up the startup menu. Choose Step-By-Step Confirmation, and hit enter. When it asks for the command interpreter, give it the path to the command interpreter stored on your system disk. Say yes to all of the questions,except the ones that say shit like, C:\IconLock.exe (Enter=y/Esc=No). Once you have done this, go find the computer's DOS prompt. My school disabled the DOS prompt on all the library computers but not on the computers in communications tech. But the comm.tech computers don't have IconLock either. But there's other fun things you can do from the DOS prompt, like format C:\. But anyhow, once you get to the DOS prompt, type in the following: C:\WINDOWS\COMMAND\EDIT.COM C:\WINDOWS\WIN.INI and hit Enter. Once the Edit program opens, scroll down the list and delete anything that looks like it has anything to do with IconLock. That is ANYTHING. Goto File>Exit, click yes when it asks you if you want to save changes. Reboot the computer. Go to the IconLock folder,right-click it, and choose Delete from the menu. YOU MUST IMMEDIATELY EMPTY THE RECYCLE BIN BEFORE YOU LEAVE. Remember- A good hacker leaves no e-trails. Peace, Diesel .-------------------------------------------------------------------------. | This Is The Tale of Divestiture The Death of a Network | | Written By ^CircuiT^ | `-------------------------------------------------------------------------' Under the terms of divestiture, AT&T gave up ownership of the BOCs, The 22 BOCs were spun off into seven regional holding companies: US WEST, Bell Atlantic, Bell South, Southwestern Bell, Pacific Telesis, NYNEX, and Ameritech. US WEST was the Regional Bell Operating Company (RBOC) which served Oregon, Washington and 12 other western states. It is now named Qwest. The breakup of the Bell System was expected to create as many problem as it would solve. Some of the expected problems were asset transfer, subsidy issues, access to competing long distance companies, and customer confusion. 1.Asset Transfer Most of the nationwide telephone network had been built based on one entity operating it. now that local service and long distance were to be separated, shared facilities needed to be separated, ownership identified, and if necessary, transferred. Items such as commonly-owned buildings, transmission facilities, switches, trucks, test equipment and the like had to be dealt with. Employees had to be reassigned to new organizations. Provisioning systems that allowed for the installation of services involving local and long distance had to be recreated or modified. 2.Subsidy Issues Historically the telephone industry used profits generateed from toll services to subsidize the costs of the local service. In acompetitive long-distance market, local-service providing companies (the RBOCs) would no longer have access to this subsidy money. 3.Access to competing long distance companies The Bell System had been developed and designed for a single long distance supplier. Under the goals of divertiture, many long distance companies would need access to customers. The RBOCs switches were equipped to allow just one long distance company (AT&T) to be accessed by dialing 1+ or 0+. How would AT&T's competitor's customers get to their carrier? 4.Customer Confusion Telephone subscribers had long enjoyed a single point of responsibility for telephone service. Now, there would be several suppliers of services. Although many industry players perdicted that divestiture would result in the near destruction of telephone service in the United States, the post-divestiture period, while radically different from the pre-divestiture one, was a time when the industry experienced tremendous growth. Here is a summary of what actually happened after divestiture. BOCs provided most local telephone service, yellow pages, and some operator services. Toll subdidies that were used to keep the cost of local service low continued, but in a different way. Early in the divestiture discussions, the parties realized that some long distance revenues must continue to keep the local rates reasonable. Part of the divestiture plan included the establishment of areas within which the BOCs could still carry toll calls (and hence improve their revenue stream). The plan was to create the creation of special geographical areas called LATAs. Historically, revenues from long distance service have been used to subsidize local service, thereby allowing local service (considered a social necessity) to be priced below cost at a level affordable by most people. Since this pricing anomaly existed prior to divestiture (by governmental design), it appeared that local rates would no longer be utilizing artificially high toll rates to subsidize local service. A number of steps were taken to keep local rates under control; among them was the establishment of Local Access and Transport Areas (LATAs). LATAs are geographical area within which the Bell Operating Companies were permitted to carry traffic. The BOCs were prohibited from carrying traffic between LATAs; this traffic had to be carried by Interexchange Carriers (IXCs), such as AT&T, Sprint, and MCI. LATAs were set up to defin the areas within which the BOCs would have a temporary monopoly (differed by state) on long distance, the revenues from which would cushion the blow of the loss of revenues from interLATA long distance (now the exclusive province of IXCs). LATAs were generally set up along the lines of the Federal Government's Standard Metropolitan Statistical Areas (SMSAs), which define those areas within which "common economic interest" exists. .-------------------------------------------------------------------------. | Cell Phone Spam - (A Wireless "Fuck You") | | Written By Axion Email: axionrising@hotmail.com | `-------------------------------------------------------------------------' **************************************************** **************************************************** ** Legal Stuff: Umm, don't listen to me, m'kay? ** ** I'm one of those silly people your priest ** ** warned you about who believes in freedom of ** ** information. I break the law sometimes, and ** ** that means I'm gonna go to hell. But you don't ** ** have to! This text file is for "informational ** ** purposes ONLY", and I can't be held responsible** ** for your actions. Okay? Breaking the law is ** ** bad, so don't break the law. Please pray for ** ** my evil sinning soul. *sips coffee* ** **************************************************** **************************************************** Ahh, spam... We've all grown to love this stuff more and more over the years. What? You hate spam?!?! ...Well, I do too. Everyone does. That's the whole point of this article. Here, I'll teach you one method of using spam to your advantage, which will no doubt cause your enemies to ph33r j00r mad §killz. Since the beginning of time (well, the world wide web, at least), spam has been probably one of the most loathed aspects of connectivity. I'm not just referring to "spam" in the advertising sense of the word, but in the "unwanted e-mail" tense. Man, do we ever hate going to our precious in-box and having to click all those little boxes every day, trying to keep up with all that shit e-mail we get. I swear to god, you sign up to have your website hosted at just one "free" server, and all of a sudden you're on 50 mailing lists. Of course, if you wanted to get revenge on someone, you could just get spammy on their ass & sign them up for tons of such spam. But so far, this has served no purpose. Sure, it's annoying having to manually delete 15 or 20 e-mails at a time, but it's no big deal. Likewise, anybody with half a brain (not actually too many people) would probably have some type of spam filter enabled on their account. (A popular option with large e-mail providers like Hotmail and Yahoo.) So you see, signing up an enemy for spam has never posed any real threat, and never caused any real damage... Until now. A few months ago, I decided to finally jump on the bandwagon and buy a shiny new GSM phone. (No, you can't have the number.) It was a brand new Mitsubishi G310, which although not the greatest shiniest new phone on the market, was capable of recieving text messages. (whoopie...) My provider was Fido, as I chose to remain anonymous and have a contract-free pre-paid mobile. ("Get to the freakin' point, Axion!") Well, when I signed up, I could also recieve brief e-mail messages on the phone. The address format on a Fido account in Canada is as follows: XXXYYY****@fido.ca The "XXX" is the area code, the "YYY" is the prefix, and "****" the suffix. Duh. Through Fido's shitty website, you can create an alias for this address for customization & anonymity purposes. (i.e. "magnumPIdork@fido.ca") Both addresses will work interchangeably. On a Fido handset, you are charged 10 cents for every e-mail or text message you recieve or send. (Here's where the fun starts.) All of a sudden, we can look at spam in an entirely new way! Rather than the simple annoyance it used to be, we can turn spam into an evil account-draining weapon!!! Simply go to a website where you can sign the victim up for multiple e-mails, and enter the address. *click!* There goes ten cents. *click!* Another ten cents. Whoop-dee-doo. Well, here's how we can make things more interresting: Go to and you'll see many wonderful discussion groups you can join. Click the first 30 of them, then go to the bottom of the page to fill in the test subject's email address. In case you were'nt following, that's (the area code & phone number)@fido.ca The reason you only click the first 30 is that debian.org have a "security" feature where you can only sign up for 30 groups at a time. (Remember this whilst getting j00r spam on. Most such pages have similar rules.) Big deal. You just cost someone $3.00. That was easy enough, right? In about two minutes, their phone will be beeping like crazy, and their account will be debitted 3 bucks. Now go to ...There you go: another $1.20 Or maybe , if your victim happens to love Ultimate Frisbee. (Who does'nt?) Well, you get the point. 1 unwanted e-mail sent to the handset = 10 cents wasted. This should also work with Rogers, Telus, ect, so long as the provider supports e-mail. The only downfall of this lame "exploit" (if you can even call it that): you need to know the person's telephone number. But on the plus side, they'll be beeping like crazy, and you're wasting their money. So there. I found a use for spam. Final Notes: I'm sure there are probably a few discussion groups out there that don't have the forethought to send out confirmation e-mails, so obviously subscribing the victim to one of these would instantly flood their phone with an unstoppable onslaught of annoying, expensive spam. If anyone finds such a discussion group, please let me know so I can compile a list. This file was created to educate, not to destroy. When I realised how succeptible most mobiles are to such an attack, I felt it neccessary to get the word out. I'm simply warning all of you not to hand out your wireless e-mail address. http://axion.0catch.com - Axion 02/14/02 - .-------------------------------------------------------------------------. | Telco Tracking Phreakers | | Written By Matt Coin & Tyler Cairo Email: coinncairo@kevinsnet.com | `-------------------------------------------------------------------------' While scouting out COCOTS to make teleconferences from, and payphones to redbox, as well as dialing random numbers, we were also playing around with a deactivated cell phone to make random collect calls, we noticed the battery of the cell phone was 2/3 dead. 5 payphones and 2 teleconferences later, we kept seeing unmarked white vans going to places where we used payphones. Various trucks were parked at centers where we had had some fun, but had no drivers in them. We also kept seeing a red truck with lights and several antennas on top drive by whenever the cell phone went on. We had also been been seen behind an Eckard Drug Store by a Closed-Circuit Seecurity Camera. In one of the shopping centers, we found a payphone with out a payphone. It was simply the holder that a payphone would held in, and telephone cable. We pulled the cable out a little to see the wires, and to see if we could hook our phone up to it, when a lady in the barber shop next door, came out and asked us why we yanked the cord out of the phone, when there really was no phone there. We simply told her that the wire was hanging loose, and we were looking at it. We had also gone into our local 7-11 to ask who the manager on duty was, and the phone number there. The clerk, however, denied us all information. It was then that we realized that these trucks were following us. They had stopped at every place we had used a payphone. I turned on my cellphone once again, and the red truck ran by. That's when the cell phone battery completely died. We rode back to one of the first shopping centers we called out from, and they appeared in the parking lot there, too. That's about when we jumped on our bikes and started to head home. When we finally got on the the last street leading up to our house, we noticed that there was an unmarked white van there too. However, the driver didn't see us, and we managed to get home. It was the weirdest thing ever. The 2 most illegal things we did were to get a 95 cent refund and J-Walk... .-------------------------------------------------------------------------. | AIM has gone mad... | | Written By Nep Tunium | `-------------------------------------------------------------------------' Well, the other day I had signed on to the AIM servers via Trillian, which is a Windoze multi-client. You can connect to AIM, ICQ, IRC, MSN, and Y! at the same time in one client. I've always liked this service... but I recieved an IM the other day that said this: AOL Instant Messenger: You have been disconnected from the AOL Instant Messenger Service (SM) for accessing the AOL network using unauthorized software. You can download a FREE, fully featured, and authorized client here (the URL for their download place). Naturally, I thought it was some jerk who registered that SN and de0cided to punt Trillian users... but every time I log back on, that happens. So wait... I have to download THEIR goddamn client or else I can't use a free service? What about the Gaim, Kaim, Kinkatta, or other Linux/BSD/BeOS/SunOS/whatever client users? Can they not use the free service because they don't have their own special AOL authorized client? Now, luckily, since this computer is running Winblows, I can still log on... but I think it's an outrage that we can't use a free service from a different client than their crummy one. Therefore, I will no longer be using the AOL instant messenger service if this continues. It's not that big a deal to reconnect to it, as this only happens after a minute or two. But I'm going to start as many protests against AOL as possible for trying to do this. I think that if you too belive that this is horrible for everyone except Mac/Windows users using their client, it would be a good idea to stand up against this, until the free service is granted to all. .-------------------------------------------------------------------------. | Free Local Calls | | Written By fact81 Email: fact81@onebox.com | `-------------------------------------------------------------------------' This article is for the new phreak, elucidating upon simple ways to get free local calls - if your mom lets you out of the house. Nothing written here is new, nor is credit taken from those whom have phreaked before. This article will not go into boxing. This article will teach you to be aware and to use what exists around you (until you make your boxes). First way to get a call? Ask. Wherever you go, there's bound to be a phone and someone willing to let a phreak use it. The remaining methods eliminate interaction with humans. The first target is Target. Just dial 9 on any red courtesy phone to get an outside line. Next, head to the employment application phones at front of the store. Sit down, unplug the power from the back of the phone, and plug it back in. You'll get the administration menu and can dial (locally) at will. Don't forget to go to "Call Log" and delete your calls. Toys R Us has a similar employment application phone (Phillips Screen Phone) with the following Main Menu items: 1. Quick Dial 2. Phone List 3. Group List 4. Call Log 5. Phone Settings 6. Consumer Agent’s Network 8. Decision Point Menu The Toys R Us phone is stuffed in a plastic cabinet, making it a bitch to unplug and plug in the power. Kinko’s, your 24-hour office, is already loads of fun. But, they also have two or three courtesy phones sitting on desks by the computers. The automotive industry is kind to phreaks. Jiffy Lube and other oil change places usually have a courtesy phone in their unattended lobby. Auto dealerships are phreak heaven. Not only are there courtesy phones in the service lobby, there's a phone on every table in the sales area. So, any phreak can get free calls at will. And these free calls should spawn other ideas about the phones all around you - extensions, voice mail, paging systems, and inter-store calling - just to name a few. .-------------------------------------------------------------------------. | Explore Kmart (Follow Up) | | Written By fact81 Email: fact81@onebox.com | `-------------------------------------------------------------------------' Kmart is almost as ubiquitous as Wal-Mart, and very bastion of BlueLight is filled with technology to play with. This article explores that technology. At the Customer Service counter sits one of two public computers running BlueLight.com, Kmart’s online shopping application. These computers (the other residing in Electronics) run NT, have LCD monitors, a keyboard, and an enclosed trackball where the right mouse button is trapped under plastic. The BlueLight.com application starts automatically, so logging off or shutting down just brings the application right back up. Ctrl+Shift+Esc for 10 or 15 seconds will open infinite Task Managers and crash the machine, but that's not what we want. We want info and access. BlueLight.com (v 1.0.55) is an e-commerce application that features products and a shopping cart, running on publicly available NT computers in undoubtedly every Kmart across the nation. The application is a browser, accessing the Internet to transmit selections from the local Kmart to Kmart.com’s servers. To learn about the server, press Ctrl+Alt+Delete and Logoff. The machine will cycle quickly, bringing up the BlueLight app. Hit F1 for help. NT won't be able to find the help file, so quickly hit Enter to find the file yourself. An Open dialog box will open and reside in the background, causing not the BlueLight home page to appear, but the following: Via: 1.1 USKIHSVPBLPRX5 Date: Sun, 26 Aug 2001 02:09:03 GMT Server: Apache/1.3.14 (Unix) Etag: "1a17-103-3b5de6ca" Kmart runs Apache 1.3.14 as their web server. Now, find a link on the BlueLight page that begets a 404. Follow a link on the error page to get a gray page that shows the following: MS Proxy Server v2.0 Proxy Server: uskihsvpblprxl.kih.kmart.com When someone gets more access on BlueLight computers, let everyone know. On to the phones. Kmart uses a Nortel Norstar phone system, with phones hanging on columns throughout the store. Therefore, all customers are more than welcome to access these feature-rich phones (see Table 1). Table 1: Norstar Features Background Music Feature 8 6 Call Forward Feature 4 Call Pickup Feature 7 5 Conference/Transfer Feature 3 Do Not Disturb Feature 8 5 Exclusive Hold Feature Hold Last Number Redial Feature 5 Link Feature 7 1 Message - Reply Feature 6 5 Message - Send Feature 1 Page Feature 6 0 Program External Autodial Feature * 1 Program Feature Autodial Feature *3 Program Internal Autodial Feature *2 Ring Again Feature 2 Speed Dial Feature 0 Transfer (if equipped) Feature 7 0 Voice Call Feature 6 6 Voice Call Deny Feature 8 8 Cancel Features Feature + # + code Extensions are not the same at every store, but this list (see Table 2) should be useful. Table 2: Kmart Extensions 200 Garage 366 Layaway 211 Auto 377 Manager 222 Camera 388 Mens & Boys 233 Cash Cage 399 Personnel 244 Check Out 1 400 Pharmacy 1 255 Check Out 2 411 Pharmacy 2 266 Dressing Room 414 Pharmacy 3 277 Eatery/Deli 422 Processing 288 Footwear 433 Receiving 299 Garden Ins 444 HBA/Reader 300 Garden Out 455 Security 311 Office 466 Service Desk 1 322 Electronics 477 Service Desk 2 333 Housewares 488 Sporting 344 Jewelry 499 Toys 355 Ladies 500 605 Area The POS system at Kmart is IBM centric with Symbol peripherals. Kmart uses IBM 4683 POS terminals with NCR countertop UPC scanners and Checkmate MICR scanners. The pin pads used are Checkmate model CM 2120's, OS 1.07, version 2.1. Gain access to the pin pad by pressing the four small buttons by the LCD screen, and the two bottom-most buttons, green Enter and red Cancel, simultaneously. You'll get a password prompt, where I've yet to guess the correct code. An incorrect password gets CM2100 Starting O.S... On the way to the back of the store (towards Layaway), you’ll notice a Symbol Spectrum 4 network controller adapter (NCA) high up on a column. The NCA connects the 4683 POS computers, the Symbol hand-held terminals, and the IBM 4680 server in the back. The Spectrum 4 allows price-update downloads, remote administration of the 4683 terminals, and storewide communication with the hand-helds. Once in Layaway, you'll find payphones and two computers, both Symbol LS 7000 II's with bar code guns plugged into Symbol Link LL320's. The first menu on the LS 7000 II’s is the Layaway Application Menu, with the following choices: 1. Layaway 2. Store Functions 3. Layaway Reporting 4. End of Day Basically, the only time to use the Layaway computers is when Layaway is closed. Unfortunately, the End of Day functions have been performed, and a new day has to be initiated to access any other functions. On a side note, by the pharmacy sits a Health Monitor Center. It's a Vita-Stat computer that measures blood pressure and heart rate. Three buttons adorn the fake wood-veneered, sit-down cabinet - Start, Erase, and Stop. I'd love to see a hack for this, like artificially high readings. As one can see, Kmart holds a lot of promise; further access on the BlueLight computers, exploring the POS system, spoofing heart conditions. All in the name of fun. 1-800-866-0086 - Kmart locator 1-800-GO-KMART - Kmart Mastercard .-------------------------------------------------------------------------. | Hack Quick-Scribe | | Written By fact81 Email: fact81@onebox.com | `-------------------------------------------------------------------------' At your local Sears Watch Service, you might find a touch screen terminal running the Quick-Scribe application by Axxess Technologies (axxesstech.com/qs/default.htm). It’s a consumer-operated terminal that engraves personalized messages on gifts. This article will show you how to access the administrative functions of Quick-Scribe. Start by grabbing the screen with both hands, thumbs at each top corner. Now press the top corners simultaneously, quickly, and repeatedly. You will get a white screen with four, 0-9 numeric keypads. Each keypad represents one digit of a four-digit pass code. With 10^4 possibilities, start with the obvious. "1234" didn’t work, but "1111" did. A successful pass code brings up a white screen titled "PRIVELEDGED ACTIVITIES." The following commands are displayed: View Log Files (Details) View Log Files (Summary) Engraver Utilities Change Stock Change Peripheral Configuration (future) Modify Site Specific Data (future) Run Diagnostics (future) Complete Problem Report (future) Capture Data Merchant Summary Report Restart Application Merchant Summary Report, as an example of the type of data you’ll find, can show you how many of what type of item were sold in a user selected time frame. Data can then be stored to disk or displayed on screen. The last command will get the NT desktop, but only briefly. Quick- Scribe is a daemon and runs in the foreground. I’m guessing that if your fast you can start another app before Quick-Scribe takes over. Axxess Technologies has another line of customer-operated engraving machines called Quick-Tag. These machines are targeted at the pet owner market, and are found in every Petsmart. I’ve yet to have success on a Quick-Tag machine, probably because they don’t run on Microsoft. .-------------------------------------------------------------------------. | Retail Transaction System Hacks | | Written By fact81 Email: fact81@onebox.com | `-------------------------------------------------------------------------' The goal of this article is to impart knowledge upon the reader about point-of-sale (POS) and retail transaction systems. This knowledge is meant to be obscured, but easily gained by those who look for it. Here is the basic play-by-play of a modern cashless retail transaction, with hardware in parentheses. 1. Cashier scans UPC (barcode scanner) 2. Price appears on cash register, which totals purchase (POS) 3. Cashier inputs DEBIT as payment (POS) 4. Customer swipes card, enters pin, accepts purchase total (pin pad) 5. Funds are verified, purchased completed (server) After considering a trasaction and data required, it seems that there are five areas of interaction during the completion of a retail transaction: 1. Magstripe reader to pin pad 2. Internal, or embedded, system in the pin pad 3. Interaction between the pin pad and POS (cash register) 4. Data traffic between POS and local database (server) 5. Data traffic between local database and national database Only methods for gaining the second level of access are presented here, although a non-technological method to gain transaction information history of a company will be given - along with a real-world example. The first piece of POS hardware considered is the VeriFone PINpad 1000 (vnibankcard.com/products/verfone-pinpad1000.htm). The PINpad utilizes derived unique key per transaction (DUKPT) or Master/Session key management. This hack deals with the Master/Session management technique. A Master key resides in the pad and a session key is generated for each transaction, ensuring accuracy. To access the Master key, press the four corner buttons simultaneously - 1, 3, CLEAR, and ENTER. "WHICH MKEY?" appears. Enter any number and "ENTER OLD MKEY" appears. The next step in PINpad exploration would contain social engineering the number of digits in the Mkey or the Mkey itself, either from the establishment or a VeriFone vendor. Brute force would be difficult without knowing how many digits comprised an Mkey. The next piece of POS hardware is the pin pad at every register of Wal-Mart and Walgreen's. Access the not-to-be-seen screens by pressing the top left arrow button and bottom right ENTER button simultaneously. You'll get CM2001I 256k V1.40 SM V5.4 and then Enter password... A wrong pass code begets Validating app... then EFT prog: 0028 EFT parm: 0032 Program Release WALUSA1 1.42 Kmart and some grocery stores use different pin pads. They use the Checkmate CM2120, manufactured by IVI Checkmate (ckmate.com). The Checkmate pin pads can be accessed by pressing the four, small buttons by the LCD screen and the Cancel and Enter buttons at the bottom simultaneously. "Enter password..." will appear. The obvious passwords didn't work, spawning an "Incorrect password" message and then data similar to the Wal-Mart pads. Store number with preceding and/or following digits did not work either. Social skills and keen observation are essential when discovering new technologies and their related security. While examining pin pads, notice the stickers and tags adorning the box, possibly on every side. Some may have 800 numbers and another number labeled "Client" or "Partner." The 800 number is the number to the merchant's bank who supplied the card payment hardware, and the Client number is the only form of authentication needed to listen to financial information of a particular store. As promised, a working example, from the bottom of a Hypercom PinPadS8: 1-800-622-0842 Client #: 325202008992 Up to four months of automated transaction data can be gained. If desired, one could talk to a customer service representative. Subject matter experts have stated that POS systems are untested in the form of sophisticated attacks. These examples are far from sophisticated, yet effective. Should they not be disclosed? Understanding can only bring about better security. .-------------------------------------------------------------------------. | Making Voice and Data Compatible | | Written By fact81 Email: fact81@onebox.com | `-------------------------------------------------------------------------' This is a transcription of a CXR Telcom paper, straight from a Qwest dumpster. It teaches the basics of modulation and explains where many numbers in networking come from. I've corrected errors and added a couple of comments. Digital computer data consists of 1's and 0's, already compatible with T1 digital format. Voice signals are complex analog waveforms that must be digitized to be compatible with T1. The analog signal must be sampled often enough to be recreated at the distant end, producing what sounds like the original conversation. The analog wave is sampled at twice the highest frequency on the line. The human voice produces understandable information in the range of 300 to 3300Hz. The phone company allocates 4000Hz (4kHz) per analog line, enough to filter crosstalk. Therefore, 4000 cycle changes per second (4kHz) x 2 (twice the highest frequency) = 8000 samples per second. For the human voice to be accurately represented a sufficient number of bits must be used to create a digital word; 8 bits offers a sufficient number of different points. Pulse Code Modulation (PCM) --------------------------- PCM is a sampling process that compresses a conversation into a 64kb/s standard Digital Signal Level 0 (DS0). There are 2 steps: 1. The incoming analog signal is sampled at 8000 times a second and converted to pulses using Pulse Amplitude Modulation (PAM). [The amplitude of the pulses conveys the information.] 2. Each pulse is assigned an 8-bit binary value (1 or 0). 64kb/s, DS0 rate is reached by multiplying the number of samplings per second by the number of bits per sample. 8000 samples/second x 8 bits/sample = 64 kb/s Once digitized, voice and data can be combined. Time Division Multiplexing (TDM) divides the T1 into 24 64kb/s time slots. An identical number of DS0 signals representing data and voice is assigned to each slot. Each group of 24 time slots is called a T1 Frame. Each slot contains 8 bits (7 bits and a least significant bit for signaling). 8 bits x 24 = 192 bits. An additional bit is added for framing, for a total of 193 bits. One Frame = 24 8-bit words (192kb/s) plus one framing bit (8kb/s) DS0's are sampled at 8000 times/second. 8000 times 193 bits equals 1.544Mb/s, a Digital Signal Level 1 (DS1). [So, a T1 frame is sent every 0.000125 seconds, or 125 microseconds.] AMI Format ---------- In Alternate Mark Inversion (AMI), the binary mark "1" is represented by a square wave. "0" is represented by a straight line. Each pulse alternates between positive and negative. This Bipolar format allows the signal to travel farther on a copper pair and offers some built in error detection. When consecutive pulses with the same polarity are detected, a Bipolar Violation is created (BPV). All DS1 signals must meet certain ones density (marks density) standards. At least one pulse must be transmitted within any 8-bit sequence (12.5%). Since long strings of 0's can affect timing, standards require that in every 24 bits of information, there must be at least three pulses and no more than 15 consecutive 0's. A technique called pulse stuffing was used to overcome these conventions where every 8th bit was stuffed with a 1. This limited data rates to 56kbps (7 bit word [not 8] x 8000samples per second per DS0). B8ZS ---- Bipolar with 8-zero substitution (B8ZS) breaks up long strings of 0's. The CSU [Channel Service Unit - Think of a CSU as a "modem" between and a LAN and a WAN.] reads the 8 bit format, recognizes when a string of 8 zeros will cause problems and strips off the 8 bit byte and substitutes a fictitious byte. When receiving equipment receives the DS1 signal, it recognizes the B8ZS pulses and replaces them with 0's. Superframe Framing ------------------ A Superframe is made up of 12 individual frames. The 193rd framing bit of each frame forms a 12-bit word to control frame and signal management. To share the signaling bits in 12 frames, in a Superframe, D-4 framing uses Robbed Bit Signaling where the least significant (8th) bit of the DS0's in the 6th and 12th frames are used for signaling (on-hook, off-hook states). ESF Framing ----------- The Extended Superframe contains 24 193-bit frames. Three-fourths of the control bits are used for evaluating circuit performance. Six control bits are used for a Cyclic Redundancy Check (CRC). Twelve bits are used as a data link for communication between transmission and reception. Six bits are used to manage signaling and framing. A CRC-6 is a 6-bit word that detects bit errors. This 6-bit word is a calculation sent by the transmitter and compared with the same calculation at the receiver. A 4kbps overhead is set-aside for Facility Data Link (a synchronous communications channel). A set of standard message formats is defined for communicating across the data link. Some of the maintenance messages include performance data reports, specific error events, historical information and error counts. .-------------------------------------------------------------------------. | Random Phone Number Generator | | Written By Gzaector Email: gzaector@hotmail.com | `-------------------------------------------------------------------------' #!/usr/bin/perl # #Random Phone Number Generator #By Gzaector - gzaector@hotmail.com #PLA WV http://www.spudweb.com # #I wrote this because as you can see I have no life #You can improve on my "awsome" PERL skills, but please at least give me a little credit # #Dont forget to save this with a .pl extension # #This should work on all *nix boxes with PERL, although it has only been tested on linux # #Be sure the change the perl path to suit you machine, and dont forget the prefixes and NPA also. # #To use - perl rng.pl ######################################################################### #Edit these to go along with your NPA and prefixes around your local calling area $npa = "304"; $prefix1 = "233"; $prefix2 = "232"; $prefix3 = "845"; $prefix4 = "843"; ######################################################################### #Random number generators $rpfx = int(rand 4) + 1; $rn = int(rand 10000); ########################################################################## #Number construction if ($rpfx == 1) { $pfx = $prefix1; } if ($rpfx == 2) { $pfx = $prefix2; } if ($rpfx == 3) { $pfx = $prefix3; } if ($rpfx == 4) { $pfx = $prefix4; } if ($rn >= 1000) { $num = "$npa - $pfx - $rn"; &show; } if ($rn <= 999) { if ($rn <= 99) { if ($rn <= 9) { $num = "$npa - $pfx - 000$rn"; &show; } $num = "$npa - $pfx - 00$rn"; &show; } $num = "$npa - $pfx - 0$rn"; &show; } ######################################################################### #Show the shit sub show { print "********** Random phone number generated! ********** \n"; print " $num \n"; print " *http://www.phonelosers.org* \n"; print " *http://www.phonelosers.net* \n"; print " *http://www.spudweb.com* \n"; exit; } ######################################################################### .-------------------------------------------------------------------------. | announcements | `-------------------------------------------------------------------------' from linear: o Many people have been asking about the UPL/PLA TELEPHONE DIRECTOR0Y, and when the hell the next edition is coming out. Well, to tell you the truth, I'm still unsure. BUT: RBCP and I have been toying with the idea of changing the Director0y's format into a more INTERACTIVE media, and we might possibly be finished with this in upcoming months. Stay tuned! o The TEAM ACTVISM website is still not up, but eventually I plan to start work on it. I am envisioning a portal-esque news service focusing on UPL Team Activism concerns. o Speaking of TEAM ACTIVISM, I don't remember all the people who emailed me asking me to let them be a part of it. So, when I release the website, you all should email me AGAIN, because I'm an idiot. o United Phone Losers is mentioned in YET ANOTHER book (the last time we were mentioned was in STEAL THIS COMPUTER BOOK II). This time we're back in _The Complete Hacker's Handbook : Everything You Need to Know About Hacking in the Age of the Web_ by Dr. X! For more info, check out: o BBS Documentary mentions UPL and our theory of "k-rad" (along with our invented "f-rad" alternative) in their research section. from Phractal: o UPL is looking for more lamers to make us confs. o Shout out to TEAM PHREAK from Rob T Firefly: o I would like to proudly announce that his genetic lagacy is now fulfilled in the form of premature male pattern baldness! from Harry Tuttle: o The information about Peek-a-Booty being released for beta testers that was previously posted on the UPL site, despite what Cult of the Dead Cow said in their Peek-a-Booty MP3, was false. However, Peek-a-Booty should be released some time in the not TOO distant future. For more info on Peek-a-Booty, check out the following: o "Shout outs" to my "homies." .-------------------------------------------------------------------------. | disclaimer | `-------------------------------------------------------------------------' Winners don't do drugs. .-------------------------------------------------------------------------. | | | THE UPL ARISTOCRACY (FEAR!) | | | | linear Phractal | | Head of State, Editor Toneage Editor, Arrogance | | linear@phonelosers.net phractal@phonelosers.net | | | | Rob T Firefly Harry Tuttle | | Token Elder, Interim Editor Team Activism Co-Founder | | r_t_f@phonelosers.net tuttle@phonelosers.net | | | `-------------------------------------------------------------------------' EOF