..>> yeah everybody's equal, just don't measure it. ` ``` ` ' , ,o8'` '8o,o8 8o,o8'` '8o,o8 8o,o8'` '8o,o8'` '8o8'` '8o. , $$$: `"""' $$$$$: `"""' ,$$$$$: $$$$$: $$$: ` ` `` ```""""^%ggggg. ```""""""^%ggggg.,g#7$$$$: $$$$$: $$$: ` .g#7. $$$$$: .g#7#g. $$$$$' `"""' Ϳ `"$: $$$: -- , ,,,` ,, $$$: $$$$$: $$$$$: $$$$$: .g#7#g. ͻ ` $$$: -- ` $$$: $$$$$: $$$$$: $$$$$: $$$$$: ڻ->>$$$: $$$: $$$$$: "'' `""' ``": ͼȼ ,: $$' `"' $$$: $$$$$: l systemfailureleven? l: ,g#$: $l nOnameascii $$$: $$$$$: ,,. ,g#g, .,,֫: $$$$$: $$, ,,, `"` `$$$$: $$$$$: $$$$$: $$$$$: `$$: $$$: $$$ ' anarchist l$$$: $$$$$: $$$$$: $$$$$:nmmmm l$: $$$: $$$ .,. ,$$$$: $$$$$: $$$$$: $$$$$: ,g$$: $$$: $$$ ' : : ::: $$$:: :$$$$$::: $$$$$: ::$$$$$: : $$$$$:: :$$$$$: ::$$$::: $$$ :: :: $$$: .gggaa $$$$$: $$$$$: _.,ya*- _ . `"' '' $$$ ' '' `*f_ $$$$$: `''_-` ` `` ` `` ' ` ` `` $$$$$: $$$$:: : haveweallgonesoinsane? ` ' 7"' , ' .----------------------------------------------------------------------------. | System Failure: Issue #11 | `----------------------------------------------------------------------------' Greetings once again. As most of you have probably noticed, our domain is back once again (it's about damn time), and several areas have been redesigned and changed around a bit. We're currently making our DefCon plans, and we'll have a lot of cool stuff to offer there. Much thanks goes out to Anarchist (once again) for the opening ascii, Zhixel for this issue's ansi, and all the people who contributed articles. --Logic Box [4/24/98] .----------------------------------------------------------------------------. | http://www.sysfail.org/ | | [sysfail@syfail.org] | `----------------------------------------------------------------------------' .----------------------------------------------------------------------------. | CONTENTS | | SysInfoTrade by SysFail Staff | | Portable Hacking by Saint skullY the Dazed | | Nortel's Millennium Payphone by Err418 | | Basic UNIX Stealth Techniques by DrekHead | | Spee vs. Raymond, Part II by Spanish Prince | | The Inner Workings of GTE by Gwonk | | English Hacker Gets Busted by Pinguino | | SUID 101 by Skrike | | Stop the Spam! Part II by Saint skullY the Dazed | | Interview With Spanish Prince by Pinguino | | Yet Another (Extremely Late) DefCon 5 Review by BarKode | `----------------------------------------------------------------------------' <-------+ | SysInfoTrade +----------------> staff@sysfail.org -- DefCon this year is going to be awesome; Pinguino and Jason Dube (Scattered Comics) are building the ultimate backdrop/table design for both DefCon and ComiCon. Also, the Scavenger Hunt is being planned out, and the Frequency Hunt as well. Buy or borrow a scanner and bring it to DefCon so you can participate. -- The Celeron chip, a Pentium II-based 266MHz chip, is now available from Intel, but currently only in volumes of 1,000 at $155 each (i.e. for full pre-built systems). -- http://members.tripod.com/~Drusus/tech.html/: Check that out! A road map of compiled information that shows a hazy guideline of Intel's 5 year plan. -- 2600 is still publishing, with late issues but still alive. Barnes and Noble ran a memo to all their managers telling them to not put 2600 on the shelves and to pull issues, because an article ran that explained the technical aspects of the Barnes and Noble computer system. -- Netscape's search engine contracts with Yahoo, Excite, AOL, Lycos, and Infoseek are expiring next week. President Jim Barksdale is renegotiating the contracts so that Netscape can become more of a retailer than a wholesaler of services. -- The European Union (EU) got pretty pissed at the US when they tried to redo the domain structure. They gently reminded the US government that they didn't own the Internet. The argument was over InterNIC, a US company under government contract, administrating the top level domains. The Internet Society set up a company called CORE, housed in Geneva, to run twenty-three other domains. Negotiations between CORE and the US stopped the functionality of CORE, who also believes that it should not make profits from administrating the database. -- Are you a webmaster? You can make money by putting a specific link on your site to Mile High Comics. It's not a scam, it's easy money. Make 10% off back issue comics ordered by people originating from your site. E-mail pinguino@leper.org for more info. -- System Failure now has its own FEFnet IRC server, irc.sysfail.org. Come check it out. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Portable Hacking by Saint skullY the Dazed (skully@sysfail.org) =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- So you want to be able to hack from anywhere. Been looking at palmtops, but just can't decide? Well, let's cut through the bullshit. While the new CE machines look good, they are really lacking. First, they're slow. Second, they require special software. While for many this isn't a problem, you want to be able to do anything you want. Enter the Hewlett Packard LX series. HP has a great line of palmtops that run DOS. Yes, DOS, not some watered-down version of winbloze or propietary OS. What does this mean? There are hundreds of programs for it. Oldschool games, wardialers, you name it. The processor is equivalent to a 286, with a monochrome CGA LCD screen. It does a full 80x25 console and has 20 built-in programs. It does anything you could want a portable to do. I use mine for both school and work. The built-in word processer has a great feature for outlines and notes. Let me demonstrate. I. These are my notes. A. By simply hitting the promote and demote keys 1. I can write notes like this 2. with headers and everything. B. The promote and demote are F7 and F8 II. Which is a really nice feature. A. And you can even keep typing and typing and typing so you can have multiple lines with no formatting It also has a built-in macro program that is very powerful. I set mine up with HTML codes, so I can code on this faster then I can with any editor. The built-in terminal will do ANSI/vt100 (minus the colors) and download with xmodem, ymodem or zmodem. It can connect either a PCMCIA type 2 modem or an external modem using the built-in 9-pin serial port. The standard LX comes with either 1MB or 2MB of RAM. This is split between the 640K memory and storage space, which is configurable on how much each gets. If you need more storage, you can get a flash card that will hold up to 80MB. Programs have been written with the palmtop in mind. If you need portable e-mail, you can use the Datacomm application to connect to a shell and use elm (or pine, ugh), or you can get a PPP stack or SLIP/CSLIP driver (such as Netterm or WWW/LX) and connect to any provider that supports PPP or SLIP. I can touch-type on mine, using a modified home row (3 fingers instead of 4), and most people, even with larger fingers, have found that you can type on this (unlike many CE machines). And what about battery life? Well, today I replaced my alkaline batteries for the first time since getting my new 100LX a month ago. Even with a PCMCIA modem, I can still get 20-30 minutes of use on fresh batteries (PCMCIA modems draw a lot of power). You can also put NiCad batteries in, and whenever you plug in your 100LX it will charge the batteries. All in all, the 95/100/200LX is the best series of palmtops I have used to date. From being able to type on it, to running any of the thousands of DOS apps avalible, to the size (able to fit in the pocket of my jeans easily), it is by far the best of both worlds. Small and powerful. How many palmtops can you say that about today? Sadly, HP has decided to discontinue production of their DOS-based palmtops because of the Microsoft powerhouse pushing WinCE, so starting with the 300LX, they went to CE. You can still find them for sale in the newsgroups (comp.sys.palmtops) or on any of the auction houses such as ebay, onsale, and haggle. If you're wondering why this is formatted funny [Editor's Note: not anymore it's not, neener neener], it's because I wrote it on my palmtop at a larger resolution. At any rate, I need to get going; the bus is almost at my stop and I need to go call those UK BBS's from Office Max, who ripped me off a while ago. Good thing I have a PCMCIA modem and alligator clips, huh? =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Nortel's Millennium Payphone by Err418 (err418@technologist.com) =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Hi! I'm Err418, and I'm from the 418 area code in Canada (Quebec). I'm the president of a French H/P/C zine in Canada, which you can read at http://totalcontrol.home.ml.org/ (if you speak French, that is). Now, let's talk about the Millennium payphone. This digital payphone is a pain in the ass for Canadian phreakers because a lot (90%) of the payphones in Canada are Millennium, and they're impossible to redbox from because they are independant from the telco's ACT tone system; they use a different line for checking calling card and credit card numbers, and have their own rates. These digitals payphones are made by Northern Telecom (http://www.nt.com/). Here is the technical description for the Millennium: Height : 533 mm Width : 194 mm Depth : 155 mm Wieght : 19,5 kg (42 lb) Temperature Humidity In Service : -40 to 60 C 95% maximum (at 40 C) Not in Service : -50 to 70 C 95% maximum (at 40 C) There's also a card reader that can read calling cards and credit cards (Visa, MasterCard). The one that I have at home (American Magnetic model 170-TDA) has a flat cable wire with 14 pins that is, in a Millennium, connected to a controlling device. I don't have a controlling device at home, and I'm trying to get the schematic of the reader. If you've got it, please e-mail a copy. Another important part of the Millennium payphone is the LCD screen (2x20). I don't know how the Telco controls ALL the LCD displays of all the Millenniums in this area (I think 2600 had an article on it, I'm not sure). Wouldn't it be nice if you could alter the LCD displays? "Sorry, Bell Canada Sucks" "Do you want free sex ? Call 1-800-288-2880, then press 0" "Our customers are bad motherfucking stupid. We own them." Also, the Millenniums have a lot of programming features. The default password to access them is CRA-SERV (type it when the phone is hung up). I don't know how to enter commands, but I'm trying to get a Millennium Programming Manual from Nortel. For some reason, they don't seem to want to sell me one. Finally, Nortel's digital payphones have an internal 1200 baud modem to interface with it on a standard telephone line. The problem is that I don't have any numbers to test it with. If you get some, try the Payphone Manager that Cathode Ray is distributing at http://members.xoom.com/ray_dios_haque/ This is what I know about the Millennium payphone. I hope it helps you, or teaches you something useful. See ya next time! =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Basic UNIX Stealth Techniques by DrekHead (drekhead@arena.cwnet.com) =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- This text details basic stealth techniques to use on a UNIX machine in order to avoid detection. Hopefully this will help sysadmins find unauthorized users and help lame script kiddies be less lame. I. Basic Log Files ------------------ 90% of the paths to the files that log activities will be defined in /etc/syslog.conf. Be sure to check this out in order to find out where they are so that you can examine them and alter them. *NEVER* remove the entire log file; nothing tips off an admin faster then when his 12 meg log file is suddenly truncated to zero. In order to find if anything pertaining to you is in the log file, you can "grep" or "tail" it. Now, when editing this file, you can either "vi" it or use grep to remove all the lines for you. An example of this: say you logged in from "haxor.net" and there are multiple "Failed .... from asdfasd.haxor.net". you could either use vi and delete them by hand, or you could: grep -v haxor.net syslog > syslog.new then cp syslog.new syslog There! you have just removed all references from syslog of your source. Moral of the story: only remove information from log files that pertain to you. II. UTMP/WTMP Files ------------------- UTMP and WTMP files are the database files that store information about logins. The utmp file holds information about everyone who is currently logged in; when someone logs out, their entry is no longer in the utmp file. The wtmp entry is a log of everyone who has been on the system and how long they were on for. To further help you understand, "who" reads from the utmp file, and "last" reads from the wtmp file. This is almost always the first place an admin will look when he thinks something is up. *NEVER* remove the utmp/wtmp files; not only can you break certain programs like some UNIX/OS's login programs, but this is a huge tip off to admins. It is true that without these files, there is significantly less information about your source, but there are other ways of getting around this. There are programs out there like zap.c and zap2.c that will remove the utmp/wtmp entries; however, these programs fucking suck and do a shitty job of removing entries that can be tracked down if someone knows what they are doing. I will soon be releasing a high quality, interactive utmp/wtmp utility that does this in a way that is almost impossible to detect. In the meantime, I would however recommend using zap or zap2, as they are better then just deleting the whole file. If you have mad "dd" skillz you can dd the entries in and out of those files but you have to know the exact size of the utmp struct for the OS you're operating on. III. History Files ------------------ FOR CHIRST FUCKING SAKE, DON'T LEAVE THESE AROUND!!! I recommend doing a "rm $HOME/.sh_history" followed by a "mkdir $HOME/.sh_history". The path to the machine's shell history may be different, so check your HISTFILE env variable. Also be sure to "unset HISTFILESIZE", as command history is sometimes just as bad. IV. .rhosts files and hosts.equiv --------------------------------- Don't leave these around everywhere. Use your head. V. /etc/passwd -------------- Don't fucking add accounts, bonehead. Take the passwd file if it is not shadowed, but don't mod it. VI. /etc/inetd.conf ------------------- Don't add "/bin/sh" to inetd.conf without hiding it a little bit; if you want to add a shell to inetd, create something that looks like it should be on the system. The "/bin/sh" line sticks out like you wouldn't believe. VII. Root Shells ---------------- If you're going to have a root shell, stealth its name well, and don't keep it in the user's home directory, as that will stick out in a find. If you're going to hide a root shell, put it where the legit suid binaries go. VIII. Web Page -------------- Modifying this is usually not something I would recommend doing when trying to stay hidden. IX. Ethernet Sniffers --------------------- When you use these, keep in mind that the ethernet driver you are binding to is going to be set to Promiscious mode, which will be noticed by any admin that is worth his salt. X. Common Sense --------------- Use common sense. What would you look for if you thought your machine was compromised? Use your imagination; the more arcane and creative a backdoor is, the harder it will be to find. Closing ------- Once again, don't be an idiot; if you're going to hack, hack smart, and be a gentleman. If you're an admin, this should keep you on your toes. Best of luck to you folks. E-mail all comments to drekhead@arena.cwnet.com. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Spee vs. Raymond, Part II by Spanish Prince (spee@sysfail.org) =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Hi and stuff or something or other. Time to update you as to what's gone on with my case against my school district for wrongly suspending/threatening to expell me for voicing my thoughts on band in general and Raymond Walczuk and give general info about the out-of-court settlement. OK. After we filed our lawsuit (my dad and I), the lawyers and the school district had already decided that they were going to settle, as they did not need to go to a trial and have this whole thing turn into a media circus, which we agreed with. It took about 3 weeks to get all the details of the settlement ironed out.... The suspension will be removed from my record, with no mention of it ever coming up in any file that will go to a college, etc. Also, the school has written a letter to my dad and I apologizing to us for them supending me and trying to censor my free speech and my right to air my thoughts. The letter apologizing was 2 pages long and explained that they were sorry for what they did. That $550,000 that I was suing for wasn't even going to happen. Had this case gone to trial, I had been advised by my attorneys that we'd be lucky to get any money, and that the jury could just elect to give us legal fees. That $550,000 was just a number that was to be bargained down from. The amount of money that I received from the school district is $30,000. You may think, "WTF Spee, why didn't you just sue for the 500k?" Well, first of all, the school was already putting up the flag saying that they wanted to settle and end this. I wanted this as well. Another thing is that if we had gone to trial, the school would've told the press that they had already tried to settle with me for 30k, and that I was just in this for the money. The whole purpose of this thing was _not_ for the money, it was for free speech and against the powers that the public school systems in America have today; money was irrelevant, and I feel that the main issue in this case was proven, that the school system cannot censor what students say on the internet and wherever else outside of school grounds, not money. Now, I know what you're all asking..."Spee, SHOW ME THE MONEY!" Now now...I plan on putting most of it into some sort of stock/mutual fund in order to save up for college (bleh) and all that jazz. The part that doesn't go into the fund goes into the Spee Hardware Fund (TM). =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- The Inner Workings of GTE by Gwonk (gwonk@diversion.com) =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- GTE serves a lot of areas all over the U.S. They are usually found in rural areas, which means they are either behind, or they have a lot of things that most urban places don't have. For example, the DMS-1, which is basically a switching system that fits in a brown box the size of a small closet. These are often found outside of very small rural communities on back roads. GTE areas that are a little old use a "DMS-1 Urban Model" to serve small communities and "suburbs". These brown boxes usually hum like a swarm of bees, and are usually found next to fiber optic bridges' "white metal box" for expansive purposes. The DMS-1 isn't very fun to play with, but it has about 20 marine batteries in the bottom of it, and lots of blinking lights. Usually, there is a little booklet or card inside of it that tells you what all of the pretty lights mean. Any of you that know GTE a little bit might have seen these little "U-locks" with a triangle in the bottom of it that keep you out of things like repeaters and fiber optic bridges. On unscrewing the triangle, the "U-lock" comes off; the easiest way to unscrew the "U-lock" is with a skinny 7/16 socket wrench (they just always come in handy, don't they?), but a pair of needlenose pliers works also. The reason that I call these things locks (when they are most obviously not) is because when playing around with one of these DMS's, some people had the brilliant idea to take out communications to who the DMS served. A day after doing this, we, er "they" made it into the local paper, and the small article said that we either "picked" the lock or took it off by force. Lock my ass. If GTE couldn't figure out how we got in, they shouldn't be working with phones. Now, GTE doesn't usually buy DMS-1's. If they don't put in a DMS-100, they would put in a DMS-10, which is slightly better than a DMS-1. Hooray for Nortel. Higher number, more expensive and better, just like an operating system. More info on the DMS-10 is found on http://www.nortel.com/, and it is basically the same as a DMS-1. 4-Tel is a system used by GTE that was created by the Teradyne Telecommunications Division, basically just to test lines. When you dial into a 4-Tel system (usually an 800 number), it will say "Hello, this is VRS 400. Enter your ID code". Usually, the ID code is the last 5 digits of the lineman's social security number. If the entry is correct, it says "Accessing user record for __________, please wait. Password?" Then you enter the password, which is usually the same thing as the ID code. Once in the system, you are at the main menu. The main menu help commands are 0: Help, 1: Line Test Menu, 2: Fault Location, 3: Special Tests, 6: Retrieve Test Results, 7: Completion Test, 8: Exit, 9: Non-Testing Utilities. Since the number of available system commands is much larger than the number of keys on a DTMF hand set, the VRS 400 uses a layered menu structure, so many of the first options bring up other menus. Commands that are available from the Main Menu are Completion Test(7), Exit(8) and Help(0). Completion test executes a line test after you repair trouble, and makes sure that the fault has been cleared. The recorded information includes: user ID code, time and date, overall results of the completion test. The rest of the options are menus, and I will handle them one menu at a time. Line Test Menu (1) ------------------ 0: Help (Available from all menus) 1: Line Test 7: New Line Number (the number of the line to be tested) 8: Hear Again (available from all menus, just repeats the options) 9: Archive (available from all menus, saves the results of the test, which gets deleted within 48 hours) *: Previous Menu (available from all menus) Fault Location Menu (2) ----------------------- 1: Short, Ground, or Cross Location (finds out what type of fault exists; this is a long process, and if you want to know more, e-mail me, but no one but a real loser should care :-)) 2: Open Location (starts all Open Location tests on the CO side of the fault, another painfully long process) 7: New Line Number *: Previous Menu Special Tests Menu (3) ---------------------- 1: Special Line Test (performs initial special line test) 2: Loop and Ground (calculates the resistance between the pair under test and ground) 3: Pull Dial Tone (don't get too excited, it only tries to force a dial tone from a switch by shorting the line. The system counts the number of times that a dial tone is successfully pulled in a specific number of seconds) 4: Pair ID (helps you identify a specific tip/ring pair by sending an audible signal--alternating low and high tones--to the line under test... you can listen to the tones with a normal handset; the Pair ID test continues until you hit * or the 30-minute timeout is reached) 7: New Line Number Non-Testing Utilities (9) ------------------------- 1: Select VRS Speech Mode (you can speed up your "work" with this) 2: Record Your Own Name (if you want to leave a message for the telco employee whose social security number you have; what you record will be his name the next time he gets in. :-) -- not a good idea) This is all fine and dandy, but it's not really anything too useful unless you are testing lines. When I first started playing around with this, I tried to test a busy number. When you try to test a busy number, you reach the "Subscriber Busy Menu". From there you can press 1 for Line Monitor, 2 for Override and Test, and 3 for Wait for Idle. Line Monitor only causes the audio state of the line to be examined (not what I was hoping for). Override and Test causes the system to attempt to force the line to an idle state (Disconnect Subscriber), and it is almost always sucessful; it also seems to block out service for as long as it takes on the line you are running tests on. Press 9 for yes, 6 for no. And that's about it. Often, 4-Tel information, passcodes, and phone numbers are found on little blue cards in GTE trucks, or if you are lucky, in the trash. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- English Hacker Gets Busted by Pinguino (pinguino@sysfail.org) =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- On April 18, 1998, a seventeen-year-old boy in England was arrested. The Abbey National Bank in England was hacked the last weekend of March, and fingers point at J.F. Apparently, there was a direct dialup to the bank, maintained by the Datalock 4000 system. The hacker claims he was very careful, and thinks that someone narked him out. J.F.: Abbey National are totally playing it down--they wrote to me, I seen their lawyers, they want it all *hush hush*... fuck that. It's coming out, I their asses, they ain't getting away without media attention. J.F. is a member of CoF (http://www.cofuk.com/). He was questioned that day for three hours. Two hours after his arrest, Extreemuk was taken in as well. The cops have Defiant's info, and he fears that he's up next for questioning. J.F.: Defiant is a dumb fuck. Ping: Hehehe. J.F.: Man, there are sooo many LIES going around about what has happened. I don't like the lies. Ping: Clear some of this up for us. J.F.: I was arrested on April 18th. They traced it back to the phone line outside my house which I beige off, due to the big mouth of a certain individual who I can't name. After searches, they didn't find anything in my house, or on my computer, so I was released on juvenile bail. They keep making me go back to talk to them. I think they can't, but my lawyer told me that I have to be careful. Ping: In England, can you be tried as an adult at 17? J.F.: Nope. I am 18 in 3 weeks, but I am very lucky that I am still classified as a juvenile. Ping: What consequences do you think you'll be facing if they charge you as guilty? J.F.: Well, first of all, they have to gather enough info to charge me, but I have been told only about 12-18 months due to the fact that I am a juvenile. Fuck that shit, it's not gonna come to that. If I were 18, it would be 5-7 years, so they keep lecturing me about how lucky I am. Ping: Afterwards, will you be restricted from using a computer? J.F.: For an extra 6 months or something daft (I think that's correct). Then I will be severely punished if anything else happens. Ping: Which, nothing will. J.F.: Correcto. J.F.: To be honest with you, I think nothing will happen. I am confident due to what my lawyer has told me. Ping: That's good.. is this going to go to press, with you appearing as the victim, and the bank looking like a bad guy? J.F.: That's what I am hoping. The bank is totally trying to cover it up. NO PRESS activity.. they want it all quiet. I want it to erupt online. Ping: Sounds good... what do you want people reading this article to do? J.F.: You see... that's where I'm not sure, because I've never been in this situation before.... Ping: They can tell their local press, send releases to AP Wire.. maybe you should talk to Spee. He's good with getting coverage over legal matters. =) J.F.: Right. The problem at this stage is that I don't want to conflict with other CoF members.. apparently they were talking with antionline.com yesterday. J.F.: Oh, and tell everyone they'll see me at DefCon, I'm coming all the way from England. :o))) =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- SUID 101 by Skrike (skrike@ida.net) =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Ok, this is for all you UNIX newbies out there. All you UNIX Gods out there might want to skip this. [NOTE: UNIX command are surrounded by quotes (i.e. the program "passwd")] First off, let's discuss some of the basics about how the UNIX system works. When a user is added in the UNIX environment, they are assigned a user identification number (UID). This helps the system identify who is running what processes, and how to handle them. The root user, who is in charge of system maintenance, is assigned the UID of 0. Anyone whose UID is 0 will have the same abilities as the root user. This concept is simple enough to understand. Normally when a program is run, it assumes the UID of the user who is running it. When a normal user is logged into a UNIX system, sometimes it is necessary for this unprivileged user to be able to accomplish tasks that require root privileges. One example of this is the "passwd" routine. When you want to change your password, you run the program "passwd". The problem with this is that the "passwd" program needs to edit the the user field in the /etc/passwd file. But no system administrator in the world is going to give a user read access to the /etc/passwd file, let alone allow them to write to it. Another example is the "mail" program. This program allows a user to stick a message into another user's mailbox, but this neeeds to be done without letting the user have write access to that user's directory. Well, this problem has a solution. In UNIX, a program may assume the UID of another user in order to accomplish tasks otherwise unnattainable for the unprivileged user. These programs assume another user's UID, called SUID (SetUID). So instead of the program using the UID of the person running it, it assumes the UID of the user who created that program. This is often confusing when new users do a "ls -l" and see this as a file permission: -rws-r-xr-x The "s" that is in the position of the owner's execute bit denotes that the program is SUID. If you saw this file permission: -rwxr-sr-x This would denote that the program is SGID (SetGID), or it is set to run as a program of a certain group (group identification). To set a file as SUID or SGID, you add an extra number at the beginning of the umask. This runs along the same lines as the standard read, write and execute. We all know that read is 4, write is 2, and execute is 1, right? Well, SUID is 4, SGID is 2, and a sticky bit is 1. For instance, if you wanted to create a file that had your UID and was able to be read and executed by everyone in the world, you would type: chmod 4755 filename Anyone who executed that program would be running it as you. This can turn into a potential security exploit in a number of different ways. For example, say you're at school in your lab, and you leave your computer for just a second. All a person would need to do to gain access to your account in the future, without knowing your password, would be to copy the shell file you use to a temp directory and change the mode on it to make it SUID as your UID, and they can log in as you anytime they want. Here's how: cp /bin/sh /home/hacker/victims-shell chmod 4755 /home/hacker/victims-shell All they would need to do is run this program, and they enter into a separate shell; any command they execute while in this shell will be run with the same UID as the victim. There are many programs that are SUID root, or SGID of a superuser group that have potential security holes. It just takes some exploring. Some things to look for: * If a program is SUID, and it allows a shell escape in it, you are still inside that program and executing commands with that UID. * If a SUID program allows you to execute commands, those commands will be executed with that user's UID. But be sure to look carefully. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Stop the Spam! Part II by Saint skullY the Dazed (skully@sysfail.org) =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- In System Failure 10, Vect0r talked a bit about stopping spam. This document takes that a step further, giving more detailed information. There are basically two easy ways to reduce spam. Either block it at the daemon level and make sure it doesn't even hit your box (useful for sysadmins), or block it before your mail reader reads it. Mail Daemons ------------ There are two major daemons in use today: sendmail and qmail. Sendmail seems to be the de facto standard, even though every single version has had some security hole or another. The current version is 8.8.8, which so far has no known holes, but I'm not gonna hold my breath. The other daemon--which is quickly gaining popularity--is qmail. I personally recommend qmail, as it has not had one security hole documented, and there is a $1000 reward for anyone who manages to document a hole in the software. Sendmail -------- If you plan on using sendmail, I'd first off recommend getting a book. "The Bat Book," by O'Riley and Associates, is a good choice (so called because it has a large bat on the front cover). You will want to pay attention to the sendmail.cf sections and really learn how to configure it. The first thing you want to do is block any outside sites from relaying mail through your server. I have no idea how this is done as, I'm a qmail whore (that's where the bat book comes in [unless someone wants to write this as a future article]). You then want to block certain sites from sending mail to you at all. The easy way to accomplish both is to set up an include file for certain files to handle which domains can relay, who can not send mail to you, etc. There are several sites with preconfigured spam-catchers. Qmail ----- Qmail is a drop-in replacement for sendmail (From the qmail README). Overall, I have found qmail to be faster, easier, and just as powerful as sendmail. Every machine I set up and am given control over gets qmail (because of co- workers, I can't put it on every machine). I have compiled it mostly on Slackware Linux boxes, and the first time I installed it on a FreeBSD machine, it ran perfectly. The configuration is not kept in a single file but in the /var/qmail/control directory. It can be as simple as just a local, rcpthosts, and a me, or so complex that there are not fewer then 15 files. Most find the ideal configuration for their machine in just 5 files or so. Let's take my FreeBSD box running qmail as an example. skully:/var/qmail/control$ ls -l total 10 -rw-r--r-- 1 root qmail 19 Apr 5 19:05 defaultdomain -rw-r--r-- 1 root qmail 73 Apr 5 19:06 locals -rw-r--r-- 1 root qmail 19 Apr 4 01:51 me -rw-r--r-- 1 root qmail 19 Apr 5 19:06 plusdomain -rw-r--r-- 1 root qmail 19 Apr 6 21:28 rcpthosts As you can see, I have 5 configuration files. Basically, to stop spam, I have set up rcpthosts to disallow anyone from sending mail through me. Within rcpthosts, I have a list of domains which are allowed to send through me. Everyone else who tries to send to an address not contained in locals will get a bounce. This completes the protection to keep people from sending spam through you. However, you may not want to get spam in your own inbox. This can again be done at the daemon level, but it's much easier to just set up a filter. In this case, we will use procmail (mentioned in Vect0r's article). Procmail -------- To use procmail, you should have access to the mail server where your mail gets sent. The first thing to setup is .forward/.qmail. Use .forward if your system uses sendmail, and .qmail if your system uses qmail. Add this line for either one: |IFS=' '&&exec /usr/local/bin/procmail -f-||exit 75 # If you use sendmail, enclose the whole line in quotes. Then you need to set up your .procmailrc. Here's a simple example: PATH=/bin:/usr/bin:/usr/local/bin MAILDIR=$HOME/Mail #you'd better make sure it exists DEFAULT=$HOME/Mail/other #completely optional LOGFILE=$HOME/from #recommended :0: * ^To:.*BUGTRAQ* bugtraq :0: * ^Subject:.*Entry*Guestbook* guestbook :0: * ^To:.you $HOME/Mailbox That will filter anything from Bugtraq (which isn't addressed to you) to its own mail folder, and all guestbook entries to the guestbook folder. Anything addressed to you goes to your mail spool (if you use sendmail, change that to /var/spool/mail/) and anything not addressed to you (which is usually spam) goes to the other folder. There is a lot more that can be done with procmail, so read the docs for more info. Conclusion ---------- Spam is relatively easy to deal with; you just need to take the time to set up your mail daemons/filters correctly. Of course, the easiest way to keep from getting spam is not to post to Usenet, be careful who you give your address to, and have a separate e-mail account for anything you sign up for (like pay-per-hit web thingies). Then again, maybe you like spam.... =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Interview With Spanish Prince by Pinguino (pinguino@sysfail.org) =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- I conducted a recent interview with our newest group member, Spanish Prince, who, as most of you know, was suspended from his school after speaking out against his music teacher Raymond Walczuk on the world wide web (http://www.raymondsucks.org/). Here it is: Ping: What's the next stage of your trial? You settled, right? Spee: Yup. It's over. Ping: Who are you suing next? Spee: Uhh no one.. if the school retaliates or if the teachers retaliate, then it'll throw out the settlement and we'll go to trial, same if Raymond tries anything. Ping: How is Raymond treating you now? Spee: He's treating me well, how I shoulda been treated before. Ping: Do you think a lot of kids will put up myteachersucks.com, and what do you think of that? Spee: I think they will, they're entitled to do whatever they want to do. Ping: What are some of the stranger publications you've been interviewed for? Spee: Star 94 in Atlanta and abcnews.com. Ping: How did the wire hear about the case? Spee: My lawyers gave it a press release when this whole thing happened. Ping: How many weeks has it been since your initial suspension? Spee: 6 weeks. Ping: What are you going to do with the money? Give it all out at DefCon? Spee: No.. that's going to the Spee Hardware Fund. Ping: Would you like reader donations to that? Spee: Yeah I accept donations. Ping: What kind of cellphone did you get? Spee: AT&T Ericson Alex100.. need e-mail on it.. speecellphone@sysfail.org. =) Ping: Did having his full info on the page actually do any harm to Raymond? Spee: Not that I know of. Ping: What's Raymond like? Spee: He's a good band director. It's not that he's a bad teacher, it's the way he treated me. Ping: Cool. Most band directors I know of are pricks. How's your newsgroup, alt.fan.sean-obrien? Spee: Not too many people carry it, but you can access it through DejaNews. Ping: What's the weirdest fan mail you've gotten? Spee: Someone fell in love with me after they saw my picture on the front page of the local paper. Ping: It was the encyclopedias, huh? Spee: Yeah, that's it. I think it was the encyclopedias. Ping: Everyone should have a set over their computer so they can pick up chicks. You should sell that pic to Encyclopedia Britannica. Spee: Yeah, I can be their spokeperson, tell them they can learn about the first amendment and stuff. Ping: Well, that's about it. Thanks Spee@#$!@#%^& Spee: !@#$%^&* =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Yet Another (Extremely Late) DefCon 5 Review by BarKode (barkode@slackware.org) =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- In an effort to encourage people to go to DefCon 6 this summer, here's yet another DefCon 5 review. I woke up at 4:15 to a phone ring...my girlfriend wakes me up and tells me to get ready. Going to DefCon today. Well, I spend the next couple of hours packing and getting ready, I wake up Phelix at about 5:15, we've gotta leave by 6. We get to the airport, and I end up having to boot my system for airport security... Phelix and I meet up with DrekHead and Warchild. Anyway, we end up playing a serial game of Descent II on our laptops on the way to Vegas, an hour-and-fifteen-minute flight from 916 (Sacramento). Arriving a few minutes early, we depart the airport in a taxi-van and make our way to the MGM Grand Hotel, where we gotta drop off our luggage. Being only about 9:00, we can't check in for a while, so we haul over to the Aladdin, which isn't exactly as close to the MGM as the DefCon announcement file said it was. Anyway, arriving 30 minutes early for registration, we ended up waiting around for DT to show up. They started letting people in about 10:20 or so, and Drek and I were the first two people to register in, and I got the first t-shirt. Well, there were hundreds of people in the hallway of the Aladdin, so DT just started letting people in for free, and you had to register on your own accord. Then they'd kick everyone out later and make them re-enter the room. I ran into Richard Theime who said hello. Soon after they started letting people in, there were a few kids sitting around with a hub. I jumped in and we started setting up a network. There were a couple of Linux machines, and someone had an IBM laptop running AIX. Not to mention a bunch of 95 machines. Well, we started up a network. Phelix had no network card on the laptop he borrowed from me, so he went serial PPP thru DrekHead's machine. I set up a web server and a "webcam" with a QuickCam on my machine. Drek set up a nameserver using dc5.net as the domain and we started taking hostname entries. We kept track of IPs and hosts on a piece of paper, and people started jumping in. We got another hub and linked it to the existing one. Drek got the exploit archive on public FTP and I linked it from the web page. At this point we had about 8-10 laptops in our group. We got this going within about an hour. I wish I would have saved a copy of the trashed routing table we had. Our group decided to take off and go back to the room for some reason. We got the room, then lost our friend Jimmy... we spent the next hour or so paging him and wandering the MGM, looking around. Finally we found him (he called the room) and we made our way back to the conference room. Well, the network connection was still down, but we needed the hub and cables. I ended up trekking back to the hotel for it. I had to break the lock off of my luggage, and then I walked all the way back to the conference room. On the way there, I ran into some DefCon folks, a couple of guys and a cute girl. I smiled at the group, and she said, "Hi BarKode!", I stopped, turned around, and tried to guess at who she was. It was Courtnee, one of Phelix's friend's and someone I met last year. We talked briefly and I continued to the conference. Unfortunately, we didn't need it anymore, as the T1 wasn't going to go up tonight. We grabbed some food at a buffet in the Aladdin. Making our way back to the conference room, Swift and Locke were still working on getting the network up, and Las Vegas Digital Internet was not giving us the data... line protocol was down. The TCP/IP drinking game started, which wasn't as interesting as DefCon 4. Mudge tried to get it going, but the audience participation sucked. Hacker Jeopardy followed, which proved to be more interesting with the exception of the fact that half of the questions sucked. I won a 4-wire repeater card for answering a question like, "When did the UFO crash at Roswell, NM?". At some point during the game, Pete Shipley and Voyager got in a fistfight in the hallway and were arrested (or at least escorted from the conference). The game continued and ended up with a very drunk Novacain and associates with a negative score, and one team that had like 200 points. We made our way back to the hotel room (without Phelix, who stayed behind) and passed out. Saturday, I'm awaken by Prophet who stayed with us, who says it's almost 10, and we all start getting ready. Phelix is passed out on the couch, I wasn't even sure when he got there. After some commotion, we start towards the conference again. After breakfast at the buffet place, we enter the network room to find that the network is still down, but the Capture the Flag network is starting up, unofficially. I set up a web server and the QuickCam, and bam, I'm getting strobed by some machine. Well, my laptop's Linux kernel (2.0. something) is patched, but I had booted it to 95 because I didn't have QuickCam drivers for Linux. The network wasn't functioning properly anyway, so I ended up just taking it off the net until the external connection came up. I watch Mudge talk about NT security flaws and Challenge/Response for about an hour, which prompts me to consider coding a dictionary cracker for no apparent reason. Good thing I brought my hub, we end up using it to bridge the external network to the CTF net. The external network isn't up yet, but we've got the hub connected. We chilled at our network table for a couple of hours as people joined us. Over the next 3 hours or so I started writing a dictionary cracker in perl. Where is that now anyway... The T1 didn't work cause it was wired wrong. It's 6:42 already and the network still doesn't work. Well, Nightcat came by and set up his machine on the network, with Windows 95 (unpatched for the recently released Out-of-band bug). DrekHead and I decided it would be cool to nuke his machine, which we proceeded to do. DrekHead coded a reverse-nuking program, which would wait for a connection on port 139 and then nuke the connecting host before they had a chance to nuke him, which wouldn't work anyway considering he's running Linux. Well, we have Nightcat telnet to DrekHead's machine, which in turn crashes his box and blue screens Win95. Word. Anyway, the external network connection is completely fucked, (including the fact that the wall jack was wired wrong). So the T1 doesn't work period. Two shafty characters walk up to our table inquiring on if we had any laptops to sell, and were very interested in whether or not they were stolen, and they weren't. Once they found out they were legit, they jammed (gee, MIB?). So DrekHead and Warchild say, "Yo, get a shirt." I approach DT about it, who says, "Yo yo yo, I'm out of shirts for today." We end up just setting up to get one after the conference. Although, all three of us should get one. I wasn't really paying too much attention to the guy because I was writing something while I was talking to him. We find out that some guy hopped out of Nightcat's hotel window and stole a satellite dish from the roof, then proceeded to drag it down the hallway of the hotel, or something along those lines. KC comes in and sits next to me with one of those large margaritas. We talk, and he offers to go get me one. Well, I accept, and he brings me a quart of some really good margarita. I weigh about 135-140, and I chugged about 80% in a few minutes after having not eaten in a while. I got kinda tipsy, and KC was wasted. KC works with Java security, and we had a good discussion on that while we had our drinks. DrekHead, Phelix, and Warchild return from McDonald's to find me partially intoxicated. After about 30 minutes, I'm sobered up. Hacker Jeopardy starts again; this time Strat and Bruce Snider are playing. Bruce fields a few questions on crypto, and a good deal of questions end up getting turned to the audience. I got pissed when Wynn passed me up on the question regarding what PERL stands for (Practical Extraction and Report Language) and picked the guy a few rows behind me. But I ended up getting a bunch of stuff later anyway. I talk to DT about my pictures, and he mentions that we should put up the pix from my digital camera on defcon.org, which was cool. We planned on logging on once the T1 went up, which it didn't. Teklord comes up to me and suggests we take a walk down the strip and check out the Luxor, New York New York, etc. Phelix goes off on his own thing as Drek, Warchild, Teklord and his fiancee (Plucky), and myself all head towards Tek's room to drop off some stuff and pick up some radios. We then go to our room at the MGM and drop off our laptops. We make our way towards the New York, New York, which turns out to be kind of closing up shop. We trek thru the Excalibur to the Luxor on these elite people-mover things. The Luxor is closing too. Getting bored quick, we try to ride the inclinators at the Luxor, only to be denied by rent-a-cops. Attempting to foil their scam by getting to the stairs didn't work. We start paging people like Emmanuel Goldstein over the PA, but then Drek picks up a phone right next to Teklord and says "Yo, this is " The operator connects them, then Teklord says "Where are you?" and Drek replies, "Looking at you." Well, considering the operator doesn't always hang up right away, we decide it would be good to expidite our exit of that particular hotel. The Excalibur has even better paging. Teklord takes off to his room, and we go back to the MGM. I'm rather tired at this point, but room service is very expensive. I put my shoes back on and go back down to this huge hotel looking for food, only to find room service prices. This sucks, so I go back up and order room service, which is $34 for the three of us, not including Prophet. Waking up the next morning find Phelix passed out on the floor, we have about 15 minutes to check out before they bill us more. So I run down to find a 100 person line to check out. However, there is a table that says, "Express Check Out". I fill out a form in like 45 seconds and drop it in the box. The guy says I can keep the keys (We had about 5 to 7 keys to the room). Word. I go back up after I've checked out and get ready to jam. We head off to breakfast in Prophet's G-Ride, a rented Ford Escort. We end up in the ghetto at a Carl's Jr., which takes like 20 minutes to get us food. We talk for a while, then Prophet drops us off at the Aladdin. Well, we're talking to folks and listening to some speeches. Lots of free stuff gets given out. I take a bunch more pictures. Word on the Street says that some folks from the TDYC crew got a bunch of soapy water dumped on them on their balcony from a room above. Se7en gives an awesome speech on "What the Feds think of us". I may have missed it but I believe he brought up "Hackers Against Child Pornography" which probably everybody supports enthusiatically. Se7en and DT throw out even more free stuff, DT throwing lots of books which either land up front or stuff hits the ceiling., and then Cyber does his speech. Things are wrapping up at this point, and DT puts a whole TON of stuff out on the stage for people to rummage through. The GTE door is given away, and people start to take off. Some guy hops up on stage and says his laptop got stolen. Even though it's a Mac, people still go look for the guy that took it. DrekHead, myself, and about 10 other people go searching for the guy. I'm not sure if anyone ever found it. Prophet pulls the car around front, and we make our way to the airport, after saying bye to KC and some other associates. We meet up with some folks in the airport and talk for a while, then it's back to Sacramento. And that's my review of DefCon 5, I guess. I'm not sure why anyone would care. Anyway, have a nice day. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- That wraps up issue 11. System Failure 12--our one year anniversary issue--will be out toward the end of May (probably the last weekend of May, due to the fact that I'm a lazy bastard). Be sure to check out our new FEFnet IRC server (irc.sysfail.org) as well. See you next issue!@#$ =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-E-O-F-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-