==Phrack Inc.== Volume Two, Issue 24, File 11 of 13 PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN P h r a c k W o r l d N e w s PWN PWN ~~~~~~~~~~~ ~~~~~~~~~ ~~~~~~~ PWN PWN Issue XXIV/Part 1 PWN PWN PWN PWN February 25, 1989 PWN PWN PWN PWN Created, Written, and Edited PWN PWN by Knight Lightning PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN Time And Time Again ~~~~~~~~~~~~~~~~~~~ Greetings to everyone! This issue of Phrack Inc. marks the completion of the plan I had conceived a little more than one year ago -- "The Phoenix Project." No, not the bulletin board run by The Mentor (although the name of the board came from this plan), my scheme to rebuild the hacking community from its remaining ashes of the "Crisis of 1987." My plan had several parts that needed to come together. - Announce the plan and pour lots of hype into it to spur great enthusiasm. - Hold SummerCon '88 in St. Louis, Missouri to get today's hackers to meet. - Regain control of Phrack Inc. and put it back on its feet. - Release the Vicious Circle Trilogy to expose and defeat our security problems. - Bring today's hackers into the next Millennium with The Future Transcendent Saga (which helps to unite yesterday's hackers with the present). And now... Announcing The 3rd Annual... SummerCon '89 ~~~~~~~~~~~~~ Saint Louis, Missouri July 23-25, 1989 The date is a tentative one, but I would imagine that it will not change. For more information please contact Taran King or Knight Lightning. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - On the lighter side, this issue of Phrack World News contains articles dealing with Shadow Hawk, The Disk Jockey, Compaq, the FBI "Super" Database, the Australian-American Hackers Ring, Computer Emergency Response Team, StarLink, The Xenix Project, The Lost City of Atlantis, The Beehive BBS, and much more. So read it and enjoy. For any questions, comments, submissions of articles, or whatever, I can be reached at C483307@UMCVMB.MISSOURI.EDU or C483307@UMCVMB.BITNET or whatever bulletin board you can find me on. :Knight Lightning _______________________________________________________________________________ Explosives Expertise Found In Computer January 5, 1989 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ by Matt Neufeld (The Washington Times) One of the four Bethesda youths killed in an explosion in the garage at the home of the Brazilian Embassy's attache last weekend had access to a local computer system's how-to listing of bombs and explosives, according to a system member. "He was highly involved with computers," said the computer operator of the 18-year-old Dov Fischman, one of the teens killed by the explosion. "Dov used to go over to my friend's house," where they discussed various types of software and computer systems, he said. Located within an elaborate computer system of about 200 private bulletin boards is a board titled "The Lost City of Atlantis" that contains files under the following names: "Pipe Bombs," Gas Tank Bombs," "Make Smoke Bombs," "Soda Bombs," "Explosive Info," "Kitchen Improvised Plastic Explosives," and "Plastic Explosives," according to system files reviewed yesterday by the Washington Times. Details on committing mischief and various illegal activities fill the files of Atlantis and other boards in the system. The Atlantis board is listed under the heading, "The Rules of Anarchy." The files on Atlantis, which is run locally, but could be accessed by computer owners nationwide, include information and correspondence on how to buy various chemicals and and explosives used to make bombs. Other files have explanations on how to use these materials to fashion the bombs. "Some or all of you reading this may have caught word from the grapevine that I sell laboratory materials and/or chemicals," begins one message from a system worker who operates under the pseudonym "The Pyromaniac." "I can get for you almost any substance you would want or need," the message says later. "Always remember that I am flexible; Your parents need not know about the chemicals." Mr. Fischman and the other teens have been described by friends and relatives as highly intelligent, hard-working honor students. They were killed about 3:15 a.m. Saturday in an explosion at the home of attache Vera Machado in the 6200 block of Verne Street. A Montgomery County Police investigation determined the cause was accidental and caused by the youths "experimenting with some type of explosive." Nitrates, peroxides and carbonates were found at Mr. Fischman's home, along with literature on "resources for chemicals and appliances and recipes utilized for explosive devices," said fire marshal's spokesman Mike Hall. "The exact nature of resources and recipes has not been disclosed by the investigative section, as the investigation is going on." "I have no knowledge that any computer system information was used," but that possibility will be investigated, Mr. Hall said. Mr. Fischman's father, Joel, yesterday said his son and the other three youths were involved with computers. But he said he was not aware of any connection between computers and the explosion. He referred further questions to the police. The local computer system operator said most users are 15 to 19 years old. The operator, however, said it is common for users of the system to peruse the files while their parents have no knowledge of the contents. The boards and files are legal, and the bomb information is primarily confined to "private" bulletin boards created by persons known as "system operators." However, anyone with a home computer, a telephone and a modem can hook up to the bulletin boards if they gain approval of the individual operators, the operator said. "I think this should be allowed, but not just for any kids," said the operator, who is an adult. He said it's "really the parents' fault" for not supervising their children's computer access. Another board in the system, "Warp Speed," also provides information on explosives. That board was shut down sometime between December 30, 1988 and January 1, 1989 the operator said. That board is "host" to "Damage, Inc.," which is a "group of people who concentrate on explosives, things to screw people up, damage," he said. In the "Beehive" board the following message appears from "Mister Fusion:" "low cost explosives are no problem. make them yourself. what do you want rdx? detonators, low explosives? high explosives? i can tell you what to do for some, but I would reccomend (sic) cia black books 1-3." Other boards and files in the system include information on computer hacking, constructing a device to jam police radar detectors, picking locks, and "phreaking," which is computer jargon for using computers to make free telephone calls. Some of these files are: "Making LSD," "Listing of common household chemicals," "Info on Barbiturates," "Make a mini-flame thrower," How to make a land mine," "How to Hot Wire a car," "Home Defense: part II, guns or friends," "How to have fun with someone else's car," "Fun! with Random Senseless Violence," "Picking up little girls," and "How to break into a house." "A lot of the information is wrong, in the phreaker world, regarding ways to defeat the telephone company," said the operator, who has been involved with computers for at least six years. "But the bomb information is pretty much accurate." In the two page, "High Explosives" file, there are detailed explanations on how to use the chemicals cacodyal, tetryl and mercury fulminate. "This stuff is awesome," begins the section on cacodyal. "It is possesses flammability when exposed to air. Plus it will release a cloud of thick white smoke. The smoke just happens to be arsenic." The file does offer this warning at the end: "Don't attempt to make these things unless you are experienced in handling chemicals. They can be very dangerous if not handled properly." The "Kitchen Improvised Plastic Explosives" file, which instructs users on "how to make plastique from bleach" and is credited to a Tim Lewis, warns that the chemicals are dangerous." _______________________________________________________________________________ Computer Emergency Response Team (CERT) January 23, 1989 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Excerpted from UNIX Today WASHINGTON -- The federal government's newly formed Computer Emergency Response Team (CERT) is hoping to sign up 100 technical experts to aid in its battle against computer viruses. CERT, formed last month by the Department of Defense's Advanced Research Project Agency (DARPA), expects to sign volunteers from federal, military, and civilian agencies to act as advisors to users facing possible network invasion. DARPA hopes to sign people from the National Institute of Science and Technology, the National Security Agency, the Software Engineering Institute, and other government-funded university laboratories, and even the FBI. The standing team of UNIX security experts will replace an ad hoc group pulled together by the Pentagon last November to deal with the infection of UNIX systems allegedly brought on by Robert Morris Jr., a government spokesman said. CERT's charter will also include an outreach program to help educate users about what they can do the prevent security lapses, according to Susan Duncal, a spokeswoman for CERT. The group is expected to produce a "security audit" checklist to which users can refer when assessing their network vulnerability. The group is also expected to focus on repairing security lapses that exist in current UNIX software. To contact CERT, call the Software Engineering Institute at Carnegie-Mellon University in Pittsburgh at (412) 268-7090; or use the Arpanet mailbox address cert@sei.cmu.edu. _______________________________________________________________________________ The Xenix Project aka The Phoenix Project Phase II January 1989 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ There are some big changes in store for everyone's favorite bulletin board. As of January 25, 1989, The Mentor became the proud owner of the complete SCO Xenix system, complete with the development kit and text utilities (a $1200 investment, but worth it). He has arranged for a UUCP mail and USENET newsfeed, and is working on getting bulletin board software up and running on it. So what does this mean to you? As I have been illustrating throughout The Future Transcendent Saga and a few other files/places, the future lies in the wide area networks. So now for the first time ever, The Mentor is offering the hackers a cheap, *LEGAL* way to access the gigabytes of information available through USENET. Mail can be sent through BITNET, MILNET, ARPANET, and INTERNET gateways to users all over the world. In short, connectivity has arrived and the future grows ever closer. The first thing that The Mentor wants to do is get a second hard disk drive. There is no way the Xenix Project can run right now without it. His 40 meg has a 20 meg Xenix partition, 17 megs of which is occupied by the /root/ file system. The MS-DOS partition has 12 megs of the board, plus all the programs he needs to exist (Pagemaker, Word, Microsoft C, Brief, etc). A *MINIMUM* of a 60 meg drive will be needed to support the newsfeed (USENET generated 50 megs of traffic in the last 2 weeks). A 100+ meg drive would be better. Once a hard disk is obtained, the system will go online as a single-line UNIX machine. Hopefully, enough money will be generated to add a second phone line and modem quickly. At this point the system will begin to take off. The Mentor's eventual goal (inside 6 months) is to have 4-6 300-2400 baud lines available for dialin on a hunt group, plus a 19.2Kbaud line for getting the USENET feed. The estimated startup cost for a 5-line system is: 110 meg hard disk........................ $1000 4 2400 baud modems (I've got 1 already).. $ 525 Installation of 4 phone lines............ $ 450 MultiPort Serial Card.................... $ 300 SCO Xenix Software....................... $1200 ~~~~~ $3475 Financing is a problem. The Mentor has already sunk the $1200 into the Xenix package (plus his original purchase of the computer system), leaving him $2200 away from the best hacker system in the world. There are two ways that he hopes on getting the money for the rest of the system. A) Donations - Many users have already indicated that they will send in anywhere from $10 to $100. Surprisingly enough, the security people on The Phoenix Project have been extremely generous. There *is* an incentive to donate, as will be shown below. B) Monthly fees - There will be a $5-$12.50 charge per month to use the UNIX side of the system, but the Phoenix Project BBS will remain free! Here is how it works: Level 1 - BBS Only. Anyone who wishes to use only The Phoenix Project will call and log in to account name 'bbs.' They will be forced into the BBS software, at which point they will log in as usual. As far as they're concerned, this is just a change of software with the addition of the front end password 'bbs.' Level 2 - Individual Mail & News account. For $5 a month, a user will get their own private account with full access to UUCP mail and USENET news. They will be able to send mail all over the world and to read and post to the hundreds of USENET newsgroups. Legally, for a change! Level 3 - Individual Mail, News, Games, and Chat. The user will have all the privileges of a Level 2 person, be able to access games such as Rogue, Chase, and Greed, plus will have access to the multi-user chat system similar to the one running on Altos in West Germany, allowing real-time conferencing between hackers here in the states without having to have an NUI to get to Datex-P. This will cost $10 per month. Level 4 - Full Bourne Shell access. This will allow access to the full system, including the C compiler, text utilities, and will include access to the online laser printer for printing term papers, important documents, or anything else (mailing will incur a small fee.) Level 4 access will be restricted to people technically sophisticated enough to know how to use and how not to use UNIX compilers. The entire Xenix Development System and Text Processing Utilities are installed, including online manual pages. I will aid people in debugging and testing code whenever needed. Charge is $12.50 per month. C) Why Donate? - Simple. You get a price break. Here are the charter membership categories: Contributing: $20 You receive 6 months of Level 2 access, a $10 savings over the monthly fees. Supporting: $45 You receive either 1 year of Level 2 access or 6 months of Level 3 access. Sustaining: $75 You receive 1 year of Level 3 access, or life time level 2 access. Lifetime: $100 You receive lifetime Level 4 access. Contributions in amounts less than $20 will be directly applied toward Level 2 access (e.g. A $10 donation will give you 2 months Level 2 access). Hardware contributions will definitely be accepted in return for access. Contact me and we'll cut a deal. Information Provided by The Mentor - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - A Few Notes From The Mentor ~~~~~~~~~~~~~~~~~~~~~~~~~~~ People -- I am not trying to make a profit off of this. If I could afford the hardware I'd buy it. The Phoenix Project has been committed to bringing you the best in hack/phreak information available, and will continue to do so FREE. I stress, even after the switch is made, The Phoenix Project BBS will be available under a un-pass-worded login that anyone can log into and use. It's only if you want to enter the world of networks in a *LEGAL* manner that I need to get money . The system will expand as interest in it expands. If I never get enough paid users to add more than one line, it will remain a one-line system. I think enough people will see the advantages of UUCP and USENET to be willing to shell out the cost of a 6-pack of good beer to get access. As a side note to UNIX hacks out there, this system will also offer a good place to explore your UNIX hacking techniques. Unlike other systems that penalize you for breaking security, I will reward people who find holes in my security. While this will mostly only apply to Level 4 people (the only ones not in a restricted shell), 3-6 months of free access will be given to people discovering security loopholes. So if you've ever wanted an unrestricted environment for learning/perfecting your UNIX, this is it! For more information, I can be reached at: The Phoenix Project: 512-441-3088 Shadowkeep II: 512-929-7002 Hacker's Den 88: 718-358-9209 Donations can be sent to: Loyd PO Box 8500-615 San Marcos, TX 78666 (make all checks payable to Loyd) +++The Mentor+++ "The Future is Forever!" _______________________________________________________________________________ Breaking Into Computers Is A Crime, Pure And Simple December 4, 1988 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ By Edward A Parrish Jr., Past President, IEEE Computer Society Originally printed in Los Angeles Times During the last few years, much has been written to publicize the feats of computer hackers. There was, for example, the popular movie War Games, about a teen-ager who, using his home computer, was able to tap into a military computer network and play games with the heart of the system. The games got of control when he chose to play "thermonuclear war." The teen-ager, who was depicted with innocent motives, eventually played a crucial role in solving the problem and averting a real nuclear exchange, in the process emerging as hero. A real-life example in early November involved a so-called computer virus (a self-replicating program spread over computer networks and other media as a prank or act of vandalism), which nearly paralyzed 6,000 military and academic computers. Unfortunately, perhaps because the effect of such "pranks" seems remote to most people, it is tempting to view the hacker as something of a folk hero - a lone individual who, armed with only his own ingenuity, is able to thwart the system. Not enough attention is paid to the real damage that such people can do. But consider the consequences of a similar "prank" perpetrated on our air-traffic control system, or a regional banking system, or a hospital information system. The incident in which an electronic intruder broke into an unclassified Pentagon computer network, altering or destroying some files, caused potentially serious damage. We do not really know the full effect of the November virus incident that brought many computers on the Cornell-Stanford network to a halt, but credible published estimates of the cost in man-hours and computer time have been in the millions of dollars. The vast majority of professional computer scientists and engineers who design, develop, and use these sophisticated networks are dismayed by this total disregard of ethical practice and forfeiture of professional integrity. Ironically, these hackers are perhaps driven by the same need to explore, to test technical limits that motivates computer professionals; they decompose problems, develop an understanding of them and then overcome them. But apparently not all hackers recognize the difference between penetrating the technical secrets of their own computer and penetrating a network of computers that belong to others. And therein lies a key distinction between a computer professional and someone who knows a lot about computers. Clearly a technical degree is no guarantee of ethical behavior. And hackers are not the only ones who abuse the power inherent in their knowledge. What, then, can we do? For one thing, we - the public at large - can raise our own consciousness; Specifically, when someone tampers with someone else's data or programs, however clever the method, we all need to recognize that such an act is at best irresponsible and very likely criminal. That the offender feels no remorse, or that the virus had unintended consequences, does not change the essential lawlessness of the act, which is in effect breaking-and-entering. And asserting that the act had a salutary outcome, since it lead to stronger safeguards, has no more validity than if the same argument were advanced in defense of any crime. If after experiencing a burglary I purchase a burglar alarm for my house, does that excuse the burglar? Of course not. Any such act should be vigorously prosecuted. On another front, professional societies such as the IEEE Computer Society can take such steps to expel, suspend, or censure as appropriate any member found guilty of such conduct. Finally, accrediting agencies, such as the Computing Sciences Accreditation Board and the Accreditation Board for Engineering and Technology, should more vigorously pursue their standards, which provide for appropriate coverage of ethical and professional conduct in university computer science and computer engineering curriculums. We are well into the information age, a time when the computer is at least as vital to our national health, safety and survival as any other single resource. The public must insist on measures for ensuring computer security to the same degree as other technologies that are critical to its health and safety. _______________________________________________________________________________