Hackers' Intelligence
Of all the features of hacking that mystify outsiders, the first
is how the hackers get the phone numbers that give access to the
computer systems, and the passwords that open the data. Of all the
ways in which hacking is portrayed in films, books and tv, the most
misleading is the concentration on the image of the solitary genius
bashing away at a keyboard trying to 'break in'.
It is now time to reveal one of the dirty secrets of hacking:
there are really two sorts of hacker. For this purpose I will call
them the trivial and the dedicated. Anyone can become a trivial
hacker: you acquire, from someone else, a phone number and a password
to a system; you dial up, wait for the whistle, tap out the password,
browse around for a few minutes and log off. You've had some fun,
perhaps, but you haven't really done anything except follow a
well-marked path. Most unauthorised computer invasions are actually
of this sort.
The dedicated hacker, by contrast, makes his or her own
discoveries, or builds on those of other pioneers. The motto of
dedicated hackers is modified directly from a celebrated split
infinitive: to boldly pass where no man has hacked before.
Successful hacking depends on good research. The materials of
research are all around: as well as direct hacker-oriented material
of the sort found on bulletin board systems and heard in quiet
corners during refreshment breaks at computer clubs, huge quantities
of useful literature are published daily by the marketing departments
of computer companies and given away to all comers: sheaves of
stationery and lorry loads of internal documentation containing
important clues are left around to be picked up. It is up to the
hacker to recognise this treasure for what it is, and to assemble it
in a form in which it can be used.
Anyone who has ever done any intelligence work, not necessarily
for a government, but for a company, or who has worked as an
investigative journalist, will tell you that easily 90% of the
information you want is freely available and that the difficult part
is recognising and analysing it. Of the remaining 10%, well over
half can usually be inferred from the material you already have,
because, given a desired objective, there are usually only a limited
number of sensible solutions.
You can go further: it is often possible to test your inferences and,
having done that, develop further hypotheses. So the dedicated
hacker, far from spending all the time staring at a VDU and 'trying
things' on the keyboard, is often to be found wandering around
exhibitions, attending demonstrations, picking up literature, talking
on the phone (voice-mode!) and scavenging in refuse bins.
But for both the trivial operator and the dedicated hacker who wishes
to consult with his colleagues, the bulletin board movement has been
the single greatest source of intelligence.
Bulletin Boards
Since 1980, when good software enabling solitary micro-computers
to offer a welcome to all callers first became widely available, the
bulletin board movement has grown by leaps and bounds. If you haven't
logged on to at least one already, now is the time to try. At the
very least it will test out your computer, modem and software--and
your skills in handling them. Current phone numbers, together with
system hours and comms protocol requirements, are regularly published
in computer mags; once you have got into one, you will usually find
current details of most of the others.
Somewhere on most boards you will find a series of Special
Interest Group (SIG) sections and among these, often, will be a
Hacker's Club. Entrance to each SIG will be at the discretion of the
Sysop, the Bulletin Board owner. Since the BBS software allows the
Sysop to conceal from users the list of possible SIGs, it may not be
immediately obvious whether a Hacker's section exists on a particular
board. Often the Sysop will be anxious to form a view of a new
entrant before admitting him or her to a 'sensitive' area. It has
even been known for bulletin boards to carry two hacker sections:
one, admission to which can be fairly easily obtained; and a second,
the very existence of which is a tightly-controlled secret, where
mutually trusting initiates swap information.
The first timer, reading through a hacker's bulletin board, will
find that it seems to consist of a series of discursive conversations
between friends. Occasionally, someone may write up a summary for
more universal consumption. You will see questions being posed. If
you feel you can contribute, do so, because the whole idea is that a
BBS is an information exchange. It is considered crass to appear on a
board and simply ask 'Got any good numbers?'; if you do, you will not
get any answers. Any questions you ask should be highly specific,
show that you have already done some ground-work, and make clear that
any results derived from the help you receive will be reported back
to the board.
Confidential notes to individuals, not for general consumption,
can be sent using the E-Mail option on the bulletin board, but
remember, nothing is hidden from the Sysop.
A flavour of the type of material that can be seen on bulletin
boards appears from this slightly doctored excerpt (I have removed
some of the menu sequences in which the system asks what you want to
do next and have deleted the identities of individuals):
Msg#: 3538 *Modem Spot*
01/30/84 12:34:54 (Read 39 Times)
From: xxxxxxxxxx
To: ALL
Subj: BBC/MAPLIN MODEMS
RE THE CONNECTIONS ON THE BBC/MAPLIN MODEM SETUP. THE CTS PIN IS USED TO
HANDSHAKE WITH THE RTS PIN E.G. ONE UNIT SENDS RTS (READY TO SEND) AND
SECOND UNIT REPLIES CTS (CLEAR TO SEND). USUALLY DONE BY TAKING PIN HIGH. IF
YOU STRAP IT HIGH I WOULD SUGGEST VIA A 4K7 RESISTOR TO THE VCC/+VE RAIL (5V).
IN THE EVENT OF A BUFFER OVERFLOW THESE RTS/CTS PINS ARE TAKEN LOW AND THIS
STOPS THE DATA TRANSFER. ON A 25WAY D TYPE CONNECTOR
TX DATA IS PIN 2
RX DATA IS PIN 3
RTS IS PIN 4
CTS IS PIN 5
GROUND IS PIN 7
ALL THE BEST -- ANY COMMTO XXXXXXXXX
(DATA COMMS ENGINEER)
Msg#: 3570 *Modem Spot*
01/31/84 23:43:08 (Read 31 Times)
From: XXXXXXXXXX
To: XXXXXXXXXXX
Subj: REPLY TO MSG# 3538 (BBC/MAPLIN MODEMS)
ON THE BBC COMPUTER IT IS EASIER TO CONNECT THE RTS (READY TO SEND) PIN TO THE
CTS (CLEAR TO SEND) PIN. THIS OVERCOMES THE PROBLEM OF HANDSHAKING.
SINCE THE MAPLIN MODEM DOES NOT HAVE HANDSHAKING. I HAVE PUT MY RTS CTS JUMPER
INSIDE THE MODEM. MY CABLES ARE THEN STANDARD AND CAN BE USED WITH HANDSHAKERS.
REGARDS
Msg#: 3662 *HACKER'S CLUB*
02/04/84 23:37:11 (Read 41 Times)
From: XXXXXXXXXX
To: ALL
Subj: PUBLIC DATA NET
Does anyone know what the Public Data Net is? I appear to have access to it, &
I daren't ask what it is!
Also, can anyone tell me more about the Primenet systems... Again I seem to
have the means,but no info. For instance, I have a relative who logs on to
another Prime. Both of our systems are on Primenet, is there any way we can
communicate?
More info to those who want it...
top?
Msg has replies, read now(Y/N)? y
Reply has been deleted
top?
Msg#: 3739 *HACKER'S CLUB*
02/06/84 22:39:06 (Read 15 Times)
From: xxxxxxxxxx
To: xxxxxxxxxx
Subj: REPLY TO MSG# 3716 (PRIMENET COMMS)
Ahh, but what is the significance of the Address-does it mean a PSS number, or
something like that? Meanwhile, I'll get on-line (via voice-link on the phone!)
to my cousin, and see what he has on it....
Msg#: 3766 *HACKER'S CLUB*
02/07/84 13:37:54 (Read 13 Times)
From: xxxxxxxxxxx
To: xxxxxxxxxxx
Subj: REPLY TO MSG# 3751 (PUBLIC DATA NET)
Primenet is a local network. I know of one in Poole, and BTGold use
one between their systems too. It is only an internal network, I
suggest using PSS to communicate between different primes. Cheers.
top?
Msg#: 3799 *BBC*
02/07/84 22:09:05 (Read 4 Times)
From: xxxxxxxxxxx
To: xxxxxxxxxxx
Subj: REPLY TO MSG# 3751 (RGB VIDEO)
The normal video output BNC can be made to produce colour video by
making a link near to the bnc socket on the pcb. details are in the
advanced user guide under the chapter on what the various links do.
If you require more I will try to help, as I have done this mod and
it works fine
Msg#: 935 *EREWHON*
09/25/83 01:23:00 (Read 90 Times)
From: xxxxxxxxxx
To: ALL
Subj: US PHONE FREAKING
USA Phone Freaking is done with a 2 out of 5 Code. The tones must be
with 30Hz, and have less than 1% Distortion.
Master Tone Frequency = 2600 Hz.
>1 = 700 & 900 Hz
>2 = 700 & 1100 Hz
>3 = 900 & 1100 Hz
>4 = 700 & 1300 Hz
>5 = 900 & 1300 Hz
>6 = 1100 & 1300 Hz
>7 = 700 & 1500 Hz
>8 = 900 & 1500 Hz
>9 = 1100 & 1500 Hz
>0 = 1300 & 1500 Hz
>Start Key Signal = 1100 & 1700 Hz
>End Key Signal = 1300 & 1700 Hz
> Military Priority Keys 11=700 & 1700 ; 12=900 & 1700 - I don't
recommend using these. ( The method of use will be explained in a
separate note. DO NOT DISCLOSE WHERE YOU GOT THESE FREQUENCIES TO
ANYONE!
Msg#: 936 *EREWHON*
09/20/83 01:34:43 (Read 89 Times)
From: xxxxxxxxxxxx
To: ALL
Subj: UK PHONE FREAKING
The UK System also uses a 2 out of 5 tone pattern.
The Master Frequency is 2280 Hz
>1 = 1380 & 1500 Hz
>2 = 1380 & 1620 Hz
>3 = 1500 & 1620 Hz
>4 = 1380 & 1740 Hz
>5 = 1500 & 1740 Hz
>6 = 1620 & 1740 Hz
>7 = 1380 & 1860 Hz
>8 = 1500 & 1860 Hz
>9 = 1620 & 1860 Hz
>0 = 1740 & 1860 Hz
>Start Key = 1740 & 1980 ; End Keying = 1860 & 1980 Hz
>Unused I think 11 = 1380 & 1980 ; 12 = 1500 & 1980 Hz
This is from the CCITT White Book Vol. 6 and is known as SSMF No. 3
to some B.T. Personnel.
The 2280 Hz tone is being filtered out at many exchanges so you may
need quite high level for it to work.
Msg#: 951 *EREWHON*
09/21/83 17:44:28 (Read 79 Times)
From: xxxxxxxxxx
To: PHONE FREAK's
Subj: NEED YOU ASK ?
In two other messages you will find the frequencies listed for the
Internal phone system controls. This note is intended to explain how
the system could be operated. The central feature to realise is that
( especially in the (USA) the routing information in a call is not in
the Dialled Code. The normal sequence of a call is that the Area Code
is received while the Subscriber No. is stored for a short period.
The Local Exchange reads the area code and selects the best route at
that time for the call. The call together with a new "INTERNAL"
dialling code is then sent on to the next exchange together with the
subscriber number. This is repeated from area to area and group to
group. The system this way provides many routes and corrects itself
for failures.
The Technique. Make a Long Distance call to a number which does not
answer. Send down the Master Tone. (2600 or 22080 Hz) This will
clear the line back, but leave you in the system. You may now send
the "Start key Pulse" followed by the Routing Code and the Subscriber
No. Finish with the "End keying Pulse". The system sees you as being
a distant exchange requesting a route for a call.
Meanwhile back at the home base. Your local exchange will be logging
you in as still ringing on the first call. There are further problems
in this in both the USA and the UK as the techniques are understood
and disapproved of by those in authority. You may need to have a
fairly strong signal into the system to get past filters present on
the line. Warning newer exchanges may link these filters to alarms.
Try from a phone box or a Public Place and see what happens or who
comes.
Example:- To call from within USA to Uk:
> Ring Toll Free 800 Number
> Send 2600 Hz Key Pulse
> When line goes dead you are in trunk level
> Start Pulse 182 End Pulse = White Plains N.Y. Gateway continued in
next message
Msg#: 952 *EREWHON*
09/21/83 18:03:12 (Read 73 Times)
From: xxxxxxxxxx
To: PHONE FREAKS
Subj: HOW TO DO IT PT 2
> Start Pulse 044 = United Kingdom
> 1 = London ( Note no leading O please )
> 730 1234 = Harrods Department Store.
Any info on internal address codes would be appreciated from any
callers.
Msg#: 1028 *EREWHON*
09/25/83 23:02:35 (Read 94 Times)
From: xxxxxxxxxxxx
To: ALL
Subj: FREEFONE PART I
The following info comes from a leaflet entitled 'FREEFONE':
"British Telecom's recent record profits and continuing appalling
service have prompted the circulation of this information. It
comprises a method of making telephone calls free of charge."
Circuit Diagram:
O---o------- -------o----O
: ! ! :
: ! ! :
L o-------- --------o P
I ! ! H
N ! ! O
E o-- ------ ----o N
: ! ! E
I ! ! :
N o------- -------o :
: :
: :
: :
O---------------------------O
S1 = XXX
C1 = XXX
D1 = XXX
D2 = XXX
R1 = XXX
Continued...
MSG#: 1029 *EREWHON*
09/25/83 23:19:17 (Read 87 Times)
From: xxxxxxxxxxx
To: ALL
Subj: FREEFONE PART 2
Circuit Operation:
The circuit inhibits the charging for incoming calls only. When a
phone is answered, there is normally approx. 100mA DC loop current
but only 8mA or so is necessary to polarise the mic in the handset.
Drawing only this small amount is sufficient to fool BT's ancient
"Electric Meccano".
It's extremely simple. When ringing, the polarity of the line
reverses so D1 effectively answers the call when the handset is
lifted. When the call is established, the line polarity reverts and
R1 limits the loop current while D2 is a LED to indicate the circuit
is in operation. C1 ensures speech is unaffected. S1 returns the
telephone to normal.
Local calls of unlimited length can be made free of charge. Long
distance calls using this circuit are prone to automatic
disconnection this varies from area to area but you will get at least
3 minutes before the line is closed down. Further experimentation
should bear fruit in this respect.
With the phone on the hook this circuit is completely undetectable.
The switch should be closed if a call is received from an operator,
for example, or to make an outgoing call. It has proved extremely
useful, particularly for friends phoning from pay phones with jammed
coin slots.
*Please DO NOT tell ANYONE where you found this information*
Msg#: 1194 *EREWHON*
10/07/83 04:50:34 (Read 81 Times)
From: xxxxxxxxxxxx
To: ALL
Subj: FREE TEST NUMBERS
Free Test Numbers
Here are some no's that have been found to work:
Dial 174
you replace handset the phone rings.
Dial 175
test...', then when you hang-up the phone rings. Pick it up and you
either get dial tone which indicates OK or you will get a recording
i.e 'poor insulation B line' telling you what's wrong. If you get
dial tone you can immediately dial 1305 to do a further test which
might say 'faulty dial pulses'. Other numbers to try are 182, 184 or
185. I have discovered my exchange (Pontybodkin) gives a test ring
for 1267. These numbers all depend on your local exchange so it pays
to experiment, try numbers starting with 1 as these are all local
functions. Then when you discover something of interest let me know
on this SIG.
Msg#: 2241 *EREWHON*
12/04/83 20:48:49 (Read 65 Times)
From: SYSOP
To: SERIOUS FREAKS
Subj: USA INFO
There is a company (?) in the USA called Loopmaniacs Unlimited,
PO Box 1197, Port Townsend. WA, 98368, who publish a line of books on
telephone hacking. Some have circuits even. Write to M. Hoy there.
One of their publications is "Steal This Book" at $5.95 plus about $4
post. It's worth stealing, but don't show it to the customs!
Msg#: 3266 *EREWHON*
01/22/84 06:25:01 (Read 53 Times)
From: xxxxxxxxxx
To: ALL
Subj: UNIVERSITY COMPUTERS
As already described getting onto the UCL PAD allows various calls.
Via this network you can access many many university/research
computers. To get a full list use CALL 40 then HELP, select GUIDE.
Typing '32' at the VIEW prompt will start listing the addresses. Most
of these can be used at the pad by 'CALL addr' where addr is the
address. For passwords you try DEMO HELP etc. If you find anything
interesting report it here.
HINT: To avoid the PAD hanging up at the end of each call use the
LOGON command - use anything for name and pwd. This seems to do the
trick.
Another number: Tel: (0235) 834531. This is another data
exchange. This one's a bit harder to wake up. You must send a 'break
level' to start. This can be done using software but with a maplin
just momentarily pull out the RS232 com. Then send RETURNs. To get a
list of 'classes' you could use say Manchesters HELP:- CALL 1020300,
user:DEMO pwd:DEMO en when you're on HELP PACX.
Msg#: 3687 *HACKER'S CLUB*
02/05/84 14:41:43 (Read 416 Times)
From: xxxxxxxxxxxx
To: ALL
Subj: HACKERS NUMBERS
The following are some of the numbers collected in the Hackers SIG:
Commodore BBS (Finland) 358 61 116223
Gateway test 01 600 1261
PRESTEST (1200/75) 01 583 9412
Some useful PRESTEL nodes - 640..Res.D (Martlesham's experiments in
Dynamic Prestel DRCS, CEPT standards, Picture Prestel, 601
(Mailbox,Telemessaging, Telex Link - and maybe Telecom Gold), 651
(Scratchpad -always changing). Occasionally parts of 650 (IP News)
are not properly CUGed off. 190 sometimes is interesting as well.
These boards all specialised in lonely hearts services !
The boards with an asterisk all use BELL Tones
*Fairbanks, AK, 907-479-0315
*Burbank, CA, 213-840-8252
*Burbank, CA, 213-842-9452
*Clovis, CA, 209-298-1328
*Glendale, CA, 213-242-1882
*La Palma, CA, 714-220-0239
*Hollywood, CA, 213-764-8000
*San Francisco CA, 415-467-2588
*Santa Monica CA, 213-390-3239
*Sherman Oaks CA, 213-990-6830
*Tarzana, CA, 213-345-1047
*Crystal Rivers FL,904-795-8850
*Atlanta, GA, 912-233-0863
*Hammond, IN, 219-845-4200
*Cleveland, OH, 216-932-9845
*Lynnefield, MA, 617-334-6369
*Omaha, NE, 402-571-8942
*Freehold, NJ, 201-462-0435
*New York, NY, 212-541-5975
*Cary, NC, 919-362-0676
*Newport News,VA 804-838-3973
*Vancouver, WA, 200-250-6624
Marseilles, France 33-91-91-0060
Both USA nos. prefix (0101)
a) Daily X-rated Joke Service 516-922-9463
b) Auto-Biographies of young ladies who normally work in
unpublishable magazines on 212-976-2727.
c)Dial a wank 0101,212,976,2626; 0101,212,976,2727
Msg#: 3688 *HACKER'S CLUB*
02/05/84 14:44:51 (Read 393 Times)
From: xxxxxxxxxxx
To: ALL
Subj: HACKERS NUMBERS CONT...
Hertford PDP 11/70 Hackers BBS:
Call 0707-263577 with 110 baud selected.
type: SET SPEED 300'CR'
After hitting CR switch to 300 baud.
Then type: HELLO 124,4'CR'
!Password: HAE4
When logged on type: COMMAND HACKER
Use: BYE to log out
*********
EUCLID 388-2333
TYPE A COUPLE OF
ONCE LOGGED ON TO PAD TYPE CALL 40
TRY A FEW DIFFERENT CALLS THIS WILL LET U LOG ON TO A WHOLE
NETWORK SYSTEM ALL OVER EUROPE!
YOU CAN ALSO USE 01-278-4355.
********
unknown 300 Baud 01-854 2411
01-854 2499
******
Honeywell:From London dial the 75, else 0753(SLOUGH)
75 74199 75 76930
Type- TSS
User id: D01003
password: Unknown (up to 10 chars long)
Type: EXPL GAMES LIST to list games
To run a game type: FRN GAMES(NAME) E for a Fortran game.
Replace FRN with BRN for BASIC games.
******
Central London Poly 01 637 7732/3/4/5
******
PSS (300) 0753 6141
******
Comshare (300) 01 351 2311
******
'Money Box' 01 828 9090
******
Imperial College 01 581 1366
01 581 1444
*******
These are most of the interesting numbers that have come up over the
last bit. If I have omitted any, please leave them in a message.
Cheers, xxxxx.
Msg#: 5156 *HACKER'S CLUB*
04/15/84 08:01:11 (Read 221 Times)
From: xxxxxxxxxx
To: ALL
Subj: FINANCIAL DATABASES
You can get into Datastream on dial-up at 300/300 on 251 6180 - no I
don't have any passwords....you can get into Inter Company
Comparisons (ICC) company database of 60,000 companies via their
1200/75 viewdata front-end processor on 253 8788. Type ***# when
asked for your company code to see a demo...
Msg#: 5195 *HACKER'S CLUB*
04/17/84 02:28:10 (Read 229 Times)
From: xxxxxxxxxx
To: ALL
Subj: PSS TELEX
THIS IS PROBABLY OLD HAT BY NOW BUT IF YOU USE PSS THEN A92348******
WHERE **=UK TELEX NO. USE CTRL/P CLR TO GET OUT AFTER MESSAGE. YOU
WILL BE CHARGED FOR USE I GUESS
Msg#: 7468 *EREWHON*
06/29/84 23:30:24 (Read 27 Times)
From: xxxxxxxxxx
To: PHREAKS
Subj: NEW(OLD..) INFO
TODAY I WAS LUCKY ENOUGH TO DISCOVER A PREVIOUSLY UNKNOWN CACHE OF
AMERICAN MAGAZINE KNOWN AS TAP. ALTHOUGH THEYRE RATHER OUT OF DATE
(1974-1981) OR SO THEY ARE PRETTY FUNNY AND HAVE A FEW INTERESTING
BITS OF INFORMATION, ESPECIALLY IF U WANT TO SEE THE CIRCUIT DIAGRAMS
OF UNTOLD AMOUNTS OF BLUE/RED/BLACK/??? BOXES THERE ARE EVEN A FEW
SECTIONS ON THE UK (BUT AS I SAID ITS COMPLETELY OUT OF DATE). IN THE
FUTURE I WILL POST SOME OF THE GOOD STUFF FROM TAP ON THIS BOARD
(WHEN AND IF I CAN GET ON THIS BLOODY SYSTEM''). ALSO I MANAGED TO
FIND A HUGE BOOK PUBLISHED BY AT&T ON DISTANCE DIALING (DATED 1975).
DUNNO, IF ANYBODY'S INTERESTED THEN LEAVE A NOTE REQUESTING ANY INFO
YOU'RE ARE CHEERS PS ANYBODY KNOW DEPRAVO THE RAT?? DOES HE STILL
LIVE?
Msg#: 7852 *HACKER'S CLUB*
08/17/84 00:39:05 (Read 93 Times)
From: xxxxxxxxxx
To: ALL USERS
Subj: NKABBS
NKABBS IS NOW ONLINE. FOR ATARI & OTHER MICRO USERS. OPERATING ON 300
BAUD VIA RINGBACK SYSTEM. TIMES 2130HRS-2400HRS DAILY. TEL :0795
842324. SYSTEM UP THESE TIMES ONLY UNTIL RESPONSE GROWS. ALL USERS
ARE WELCOME TO ON. EVENTUALLY WE WILL BE SERVING BBC,COMMODORE VIC
20/64 OWNERS.+NEWS ETC.
Msg#: 8154 *EREWHON*
08/02/84 21:46:11 (Read 13 Times)
From: ANON
To: ALL
Subj: REPLY TO MSG# :1150 (PHREAK BOARDS)
PHREAK BOARD NUMBERS
ACROSS THE U.S.
IF YOU KNOW OF A BOARD THAT IS NOT LISTED HERE, PLEASE LET ME KNOW
ABOUT IT.
If anybody is mad enough to actually dial up one (or more) of these
BBs please log everything so that others may benefit from your
efforts. IE- we only have to register once, and we find out if this
board suits our interest. Good luck and have fun! Cheers,
Msg#: 8163 *HACKER'S CLUB*
08/30/84 18:55:27 (Read 78 Times)
From: XXXXXXXXXX
To: ALL
Subj: XXXXXX
NBBS East is a relatively new bulletin board running from 10pm to
1230am on 0692 630610. There are now special facilities for BBC users
with colour, graphics etc. If you call it then please try to leave
some messages as more messages mean more callers, which in turn means
more messages. Thanks a lot, Jon
Msg#: 8601 *HACKER'S CLUB*
09/17/84 10:52:43 (Read 57 Times)
From: xxxxxxxxxx
To: xxxxxxxxx
Subj: REPLY TO Msg# 8563 (HONEYWELL)
The thing is I still (sort of) work for XXX so I don't think they
would be too pleased if I gave out numbers or anything else, and I
would rather keep my job. Surely you don't mean MFI furniture ??
Msg#: 8683 *HACKER'S CLUB*
09/19/84 19:54:05 (Read 63 Times)
From: xxxxxxxxx
To: ALL
Subj: DATA NODE
To those who have difficulty finding interesting numbers, try the UCL
Data Node on 01-388 2333 (300 baud). When you get the Which Service?
prompt, type PAD and a couple of CRs. Then, when the PAD> prompt
appears type CALL XOOXOOX, where X is any number or range of numbers.
Indeed you can try several formats and numbers until you find
something interesting. The Merlin Cern computer is 9002003. And it's
difficult to trace you through a data exchange! If anyone finds any
interesting numbers, let me know on this board, or Prestel mailbox
012495225.
Msg has replies, read now(Y/N)? Y
Msg#: 9457 *HACKER'S CLUB*
10/11/84 01:52:56 (Read 15 Times)
From: xxxxxxxxxxx
To: xxxxxxxxxxx
Subj: REPLY TO MSG# 8683 (DATA NODE)
IF YOU WANT TO KNOW MORE ABOUT THIS xxxxx PHONE PHONE xxxx xxxxxx
ON 000 0000
Msg#: 8785 *HACKER'S CLUB*
09/21/84 20:28:59 (Read 40 Times)
From: xxxxxxxxxxxxxx
Subj: NEW Number
NEW Computer ON LINE TRY RINGING 960 7868 SORRY THAT'S 01 (IN LONDON) IN FRONT.
good LUCK!
Please note that none of these hints, rumours, phone numbers and
passwords are likely to work by the time you are reading this...
However, in the case of the US credit agency TRW, described in the
previous chapter, valid phone numbers and passwords appear to have
sat openly on a number of bulletin boards for up to a year before the
agency realised it. Some university mainframes have hacker's boards
hidden on them as well.
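The TRW case turns on nobody at the agency reading the boards where its numbers sat. As an added example (not from the original book), this Python script parses messages in the header layout of the excerpt above and reports posts that mention a watch-listed dial-up number, whether login material sits beside it, and how long it has been exposed. The sample messages, the numbers, the watch list and the names `Message`, `Finding` and `audit` are constructed for illustration, and dates are assumed to be MM/DD/YY as in the excerpt.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional

# Header layout copied from the excerpt: "Msg#: 3687 *HACKER'S CLUB*",
# then "02/05/84 14:41:43 (Read 416 Times)", then From:/To:/Subj: lines.
HEADER = re.compile(r"^Msg#?:\s*(\d+)\s+\*(.+)\*\s*$", re.I)
STAMP = re.compile(r"^(\d\d/\d\d/\d\d) \d\d:\d\d:\d\d \(Read (\d+) Times\)")
FIELD = re.compile(r"^(From|To|Subj):\s*(.*)$", re.I)
# Login material posted next to a number, e.g. "password: ..." or "pwd:...".
CRED = re.compile(r"\b(password|pwd|user ?id)\s*:\s*\S+", re.I)
# Digit runs broken up by spaces, hyphens or brackets, e.g. "01-555 0100".
PHONE = re.compile(r"\(?\d[\d ()\-]{5,}\d")

@dataclass
class Message:
    number: int
    board: str
    posted: Optional[date] = None
    reads: int = 0
    subject: str = ""
    body: str = ""

@dataclass
class Finding:
    number: int
    board: str
    numbers: List[str]            # watch-listed numbers seen, digits only
    credentials: bool             # login material posted in the same message
    reads: int                    # the board's own "Read N Times" counter
    days_exposed: Optional[int]   # audit date minus posting date

def digits(text: str) -> str:
    return re.sub(r"\D", "", text)

def parse_messages(text: str) -> List[Message]:
    messages, current, in_header = [], None, False
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            current = Message(int(head.group(1)), head.group(2).strip())
            messages.append(current)
            in_header = True
            continue
        if current is None:
            continue                      # menu chatter before the first message
        if in_header:
            stamp = STAMP.match(line)
            if stamp:
                current.posted = datetime.strptime(stamp.group(1), "%m/%d/%y").date()
                current.reads = int(stamp.group(2))
                continue
            fld = FIELD.match(line)
            if fld:
                if fld.group(1).lower() == "subj":
                    current.subject = fld.group(2)
                continue
            in_header = False             # first non-header line starts the body
        current.body += line + "\n"
    return messages

def audit(text: str, watchlist, audit_date: date) -> List[Finding]:
    watched = {digits(n) for n in watchlist}
    findings = []
    for msg in parse_messages(text):
        seen = set()
        for candidate in PHONE.findall(msg.body):
            d = digits(candidate)
            for w in watched:
                # Posters often drop the area code, so match on the tail too.
                if d.endswith(w) or (len(d) >= 6 and w.endswith(d)):
                    seen.add(w)
        if not seen:
            continue
        exposed = (audit_date - msg.posted).days if msg.posted else None
        findings.append(Finding(msg.number, msg.board, sorted(seen),
                                bool(CRED.search(msg.body)), msg.reads, exposed))
    # Most-read posts first: they have reached the most callers.
    return sorted(findings, key=lambda f: f.reads, reverse=True)

# Constructed sample capture; every number and login below is a placeholder.
SAMPLE = """\
Msg#: 4101 *HACKER'S CLUB*
03/02/84 21:15:40 (Read 212 Times)
From: xxxxxxxxxx
To: ALL
Subj: NEW NUMBER
Try the payroll bureau on 01-555 0100 at 300 baud.
User id: EXAMPLE1
password: EXAMPLE2
Msg#: 4102 *BBC*
03/03/84 09:02:11 (Read 14 Times)
From: xxxxxxxxxx
To: ALL
Subj: RGB LEADS
Anyone selling a 6 pin DIN lead? Ring (0555) 010203 evenings.
Msg#: 4107 *HACKER'S CLUB*
03/09/84 23:48:05 (Read 97 Times)
From: xxxxxxxxxx
To: ALL
Subj: REPLY TO MSG# 4101 (NEW NUMBER)
The second line is 555 0101, no luck with logins so far.
"""
WATCHLIST = {"01 555 0100", "01 555 0101"}   # the organisation's own lines

if __name__ == "__main__":
    for f in audit(SAMPLE, WATCHLIST, date(1985, 3, 2)):
        print(f)
```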
It is probably bad taste to mention it, but of course people try
to hack bulletin boards as well. An early version of one of the most
popular packages could be hacked simply by sending two semi-colons
(;;) when asked for your name. The system allowed you to become the
Sysop, even though you were sitting at a different computer; you
could access the user file, complete with all passwords, validate or
devalidate whomever you liked, destroy mail, write general notices,
and create whole new areas...
Research Sources
The computer industry has found it necessary to spend vast sums on
marketing its products and whilst some of that effort is devoted to
'image' and 'concept' type advertising--to making senior management
comfortable with the idea of the XXX Corporation's hardware because
it has 'heard' of it--much more is in the form of detailed product
information.
This information surfaces in glossies, in conference papers, and
in magazine journalism. Most professional computer magazines are
given away on subscription to 'qualified' readers; mostly the
publisher wants to know if the reader is in a position to influence a
key buying decision--or is looking for a job.
I have never had any difficulty in being regarded as qualified:
certainly no one ever called round to my address to check up the size
of my mainframe installation or the number of employees. If in doubt,
you can always call yourself a consultant. Registration is usually a
matter of filling in a post-paid card. My experience is that, once
you are on a few subscription lists, more magazines, unasked for,
tend to arrive every week or month--together with invitations to
expensive conferences in far-off climes. Do not be put off by the
notion that free magazines must be garbage. In the computer industry,
as in the medical world, this is absolutely not the case. Essential
regular reading for hackers are Computing, Computer Weekly, Software,
Datalink, Communicate, Communications Management, Datamation,
Mini-Micro Systems, and Telecommunications.
The articles and news items often contain information of use to
hackers: who is installing what, where; what sort of facilities are
being offered; what new products are appearing and what features they
have. Sometimes you will find surveys of sub-sets of the computer
industry. Leafing through the magazine pile that has accumulated
while this chapter was being written, I have marked for special
attention a feature on Basys Newsfury, an electronic newsroom package
used, among others, by ITN's Channel Four News; several articles on
new on-line hosts; an explanation of new enhanced Reuters services; a
comparison of various private viewdata software packages and who is
using them; some puffs for new Value Added Networks (VANs); several
pieces on computer security; news of credit agencies selling
on-line and via viewdata; and a series on Defence Data Networks.
In most magazines, however, this is not all: each advertisement is
coded with a number which you have to circle on a tear-out post-paid
'bingo card': each one you mark will bring wads of useful
information: be careful, however, to give just enough information
about yourself to ensure that postal packets arrive and not
sufficient to give the 'I was just passing in the neighbourhood and
thought I would call in to see if I could help' sales rep a 'lead' he
thinks he can exploit.
Exhibitions are another excellent source of information: there are
the ubiquitous 'product information' sheets, but also the actual
machines and software to look at and maybe play with; perhaps you can
even get a full scale demonstration and interject a few questions.
The real bonus of exhibitions, of course, is that the security sense
of salespersons, exhausted by performing on a stand for several days
and by the almost compulsory off-hours entertainment of top clients
or attempted seduction of the hired-in 'glamour', is rather low.
Passwords are often written down on paper and consulted in your full
view. All you need is a quick eye and a reasonable memory.
At both exhibitions and conferences it is a good idea to be a
freelance journalist. Most computer mags have relatively small
full-time staff and rely on freelancers, so you won't be thought odd.
And you'll have your questions answered without anyone asking 'And
how soon do you think you'll be making a decision?' Sometimes the lack
of security at exhibitions and demonstrations defies belief. When ICL
launched its joint venture product with Sinclair, the One-Per-Desk
communicating executive workstations, it embarked on a modest
road-show to give hands-on experience to prospective purchasers. The
demonstration models had been pre-loaded with phone numbers...of
senior ICL directors, of the ICL mainframe at its headquarters in
Putney and various other remote services....
Beyond these open sources of information are a few murkier ones.
The most important aid in tackling a 'difficult' operating system or
applications program is the proper documentation: this can be
obtained in a variety of ways. Sometimes a salesman may let you look
at a manual while you 'help' him find the bit of information he can't
remember from his sales training. Perhaps an employee can provide a
'spare', or run you a photocopy. In some cases, you may even find the
manual stored electronically on the system; in which case, print it
out. Another desirable document is an organisation's internal phone
book...it may give you the numbers for the computer ports, but
failing that, you will be able to see the range of numbers in use
and, if you are using an auto-dial modem coupled with a
search-and-try program, you will be able to define the search
parameters more carefully. A phone book will also reveal the names of
computer managers and system engineers; perhaps they use fairly
obvious passwords.
It never ceases to astonish me what organisations leave in refuse
piles without first giving them a session with the paper shredder.
I keep my cuttings carefully stored away in a second-hand filing
cabinet; items that apply to more than one interest area are
duplicated in the photocopier.
Inference
But hackers' research doesn't rely simply on collecting vast
quantities of paper against a possible use. If you decide to target
a particular computer or network, it is surprising what can be
found out with just a little effort. Does the organisation that owns
the system publish any information about it, in a handbook, annual
report, house magazine? When were the hardware and software installed?
Did any of the professional weekly computer mags write it up? What do
you know about the hardware, what sorts of operating systems would
you expect to see, who supplied the software, do you know anyone with
experience of similar systems, and so on.
By way of illustration, I will describe certain inferences it is
reasonable to make about the principal installation used by Britain's
Security Service, MI5. At the end, you will draw two conclusions:
first that someone seriously interested in illicitly extracting
information from the computer would find the traditional techniques
of espionage--suborning of MI5 employees by bribery, blackmail or
appeal to ideology--infinitely easier than pure hacking; and second,
that remarkable detail can be accumulated about machines and
systems, the very existence of which is supposed to be a secret--and
by using purely open sources and reasonable guess-work.
The MI5 databanks and associated networks have long been the
subject of interest to civil libertarians. Few people would deny
absolutely the need for an internal security service of some sort,
nor deny that service the benefit of the latest technology. But,
civil libertarians ask, who are the legitimate targets of MI5's
activities? If they are 'subversives', how do you define them? By
looking at the type of computer power MI5 and its associates possess,
it is possible to see if perhaps they are casting too wide a net for
anyone's good. If, as has been suggested, the main installation can
hold and access 20 million records, each containing 150 words, and
Britain's total population, including children, is 56 million, then
perhaps an awful lot of individuals are being marked as 'potential
subversives'.
It was to test these ideas out that two journalists, not
themselves out-and-out hackers, researched the evidence upon which
hackers have later built. The two writers were Duncan Campbell of the
New Statesman and Steve Connor, first of Computing and more recently
on the New Scientist. The inferences work this way: the only
computer manufacturer likely to be entrusted to supply so sensitive a
customer would be British and the single candidate would be ICL. You
must therefore look at their product range and decide which items
would be suitable for a really large, secure, real-time database
management job. In the late 1970s, the obvious path was the 2900
series, possibly doubled up and with substantive rapid-access disc
stores of the type EDS200.
Checking through back issues of trade papers it is possible to see
that just such a configuration, in fact a dual 2980 with a 2960 as
back-up and 20 gigabytes of disc store, was ordered for classified
database work by the Ministry of Defence. ICL, on questioning by
the journalists, confirmed that they had sold 3 such large systems,
two abroad and one for a UK government department. Campbell and
Connor were able to establish the site of the computer, in Mount Row,
London W1, and, in later stories, gave more detail, this time
obtained by a careful study of advertisements placed by two
recruitment agencies over several years. The main computer, for
example, has several minis attached to it, and at least 200
terminals. The journalists later went on to investigate details of
the networks--connections between National Insurance, Department of
Health, police and vehicle driving license systems.
In fact, at a technical level, and still keeping to open sources,
you can build up even more detailed speculations about the MI5 main
computer.
ICL's communication protocols, C01, C02, C03, are published items;
you can get terminal emulators to work on a PC, and both the company
and its employees have published accounts of their approaches to
database management systems, which, incidentally, integrate software
and hardware functions to an unusually high degree, giving speed but
also a great deal of security at fundamental operating system level.
Researching MI5 is an extreme example of what is possible; there
are few computer installations of which it is in the least difficult
to assemble an almost complete picture.