Discovering Vulns ..... 6
The Shifty Person's Guide to Owning Tire Kingdom ..... 8
Enhancing Nortel IP Phones with Open Source Software ..... 10
Telecom Informer ..... 13
Deobfuscation ..... 15
Getting 2600 the Safe Way ..... 20
Fun at the Airport ..... 22
Hacking Xfire ..... 25
Hacker Perspective: Mitch Altman ..... 26
Valuepoint ..... 29
Internet Archaeology ..... 32
Hacking Answers by Gateway ..... 33
Letters ..... 34
VoIP Cellphones: The Call of the Future ..... 48
Pandora Hack - Get Free MP3s ..... 49
Adventures in Behavioral Linguistics ..... 50
Transmissions ..... 52
An ISP Story ..... 54
Hacking Whipple Hill with XSS ..... 55
Haunting the MS Mansion ..... 56
Reading ebooks on an iPod ..... 57
Java Reverse Engineering ..... 58
Marketplace ..... 62
Puzzle ..... 64
Meetings ..... 66
We've witnessed a great change in our culture over the last couple of decades. But many of our readers have only been around themselves for that amount of time or even less. Therefore it's important to look at what has changed so that some perspective can be gleaned out of what's been going on. And for the rest of us, it's important to remember so we can also learn and hopefully plan things out for a better future.

People used to get involved in hacking back when the world of computer and telephone technology was just beginning to open up because for many of us it was the only way in. Owning a computer was something most of us could only dream about. And the telephone network was big and omnipotent and kept out of the reach of those who wanted to shape it and experiment.

In the early days, if you wanted to play with a UNIX system, you almost had to use one that you didn't have permission to access. If you wanted to communicate on something bigger than a one or two line BBS, breaking into a system run by the government or a large corporation was a path many of us chose.

The cost of making a telephone call was almost universally prohibitive for anyone who had the desire to try and communicate with people outside their local area. Methods were devised and shared that allowed those with a bit of technical knowledge, a spirit of rebellion, and a desire to explore the ability to make calls all around the world, not just to other people like them but also to operators and technicians who could help them understand the vast system.

Today it's a completely different landscape, at least for those of us in the developed world. Hopping on the net and communicating worldwide is something practically everyone takes for granted these days. It means nothing to access a website that's coming from another part of the world whereas in the past it would have been a big deal to see even a foreign newspaper in the library. Details of our daily lives are shared planetwide through our blogs, mailing lists, mobile phones, laptops, and scores of other devices and methods. Contacting anyone anywhere at any time has never been easier or cheaper.

It would seem that everything those hackers of the not-so-distant past were setting out to achieve has been accomplished. Access is readily available to most of us, communications around the globe are cheap or free, information on operating systems and computer programs is shared rather than restricted, and concepts like open source software, free access, and open expression seem to be flourishing or, at the very least, heavily in demand.

So where do the hackers fit in today? How are they even relevant?

To answer this requires an understanding of what hacking actually is. If you're of the belief that the world of hacking comprises little more than making free phone calls and infiltrating computer systems, then the relevance factor has indeed gone way down. There is no long distance anymore; there seems to be little that is beyond reach. You no longer have to be a hacker to figure it all out. And since computers are now everywhere, all sorts of people are accessing things they're not supposed to have access to, regardless of their technical ability. Whether it's a university that leaves the personal data of 90,000 people up on a website, a certain government agency that still has its routers accessible to the entire world using default passwords, or individuals who feel compelled to post an astounding amount of personal data and private thoughts on sites like MySpace, Facebook, LiveJournal, Blogger, and so many others - infiltration and the obtaining of data that we really shouldn't be able to obtain is hardly a challenge anymore.
Page 4 -------------------- 2600 Magazine

To many that challenge has been reversed. Instead of trying to figure out ways to penetrate a system, the task now is to keep from being victimized by our collective naivete and the poor security that pervades the computers running our society. Maintaining your own privacy, avoiding the many ways of becoming a victim, and ultimately designing better systems is the next step that many of us are already taking.
While these are all positive things to be involved in, they are mostly defensive and lack the real edge of what the hackers of old were involved in. For those who have never experienced this, it's very difficult to describe. But it's a feeling of knowing that you're into something fascinating that most "normal" people could never understand and that one day might lead to something incredible. It's also something that is usually forbidden for one reason or another, often because the people in control also realize the tremendous potential and they fear the sense of empowerment that individuals might gain by understanding this.

Lots of people see the thrill in being involved with something like the hacker world because it's portrayed with a hint of insurgency and self-determination. It's romanticized in our movies, on television, and in literature. Even in mainstream stories, the hero always operates outside the rules in order to get the job done effectively, as well as to be defined as a true individual. And for the vast majority of those interested in becoming part of the hacker culture, this is all that matters: the image. That, even more than the changing technologies, is what threatens the relevancy of the hacker world. It's the epitome of a rebel without a cause.

There are all sorts of stories that have been written about victors in a war who then have no idea how to handle their triumph because they never expected to win. There are elements of that which can be applied to hackers. We no longer need to struggle to accomplish those things we wanted, mainly communications, understanding, and the sharing of information. Those all seem to be the defaults now. In that regard we have most definitely won.

But luckily the hacker mentality goes quite a bit beyond those concepts. Discovery never ends. Nor do those forces that want total control over societies and individuals, those forces which we must engage in perpetual battle with. As long as they exist - in other words, for the duration of humanity - the hacker mentality will continue to be relevant and essential.

It's difficult not to get sucked into the world of popularity, especially when what you are saying or doing happens to become trendy. We've faced this odd problem for a large part of our existence. We've watched many good ideas turn into vastly successful business models. We've seen many people become insanely rich. And we've witnessed the inevitable gap that develops between the original goals and the realities of the marketplace when "success" strikes. It's not that bigger isn't always better. The original picture, however, does tend to become obscured when it's surrounded by flashiness and mass appeal. This may be fine for promoting commercial products but it's about the worst thing that could happen to an entity with ideals.

An interesting parallel is that of government. Many years ago it was possible to be heard as an individual, even all the way to the top leadership positions. Today that is all but impossible with all of the "protection" and virtual firewalls that keep the people from their leaders. This is not a healthy progression. There is growing and then there is growing apart.

We will remain relevant as long as we keep thinking and developing as individuals. It's clear the landscape has changed and it would be foolish to not change with it. But to say the hacker world is dead because there's nothing left to hack shows a profound lack of understanding as to what hacking actually is. It's not a fashion statement or a fad. It's not a bunch of people looking to break the laws and get everything there is to get for free. It's a state of mind that keeps one in a constant state of questioning everything around them, whether it be technological in nature, a set of rules, or an entire belief system. It's about adapting and experimenting, far more than most others would ever attempt. And, perhaps most importantly, it's about sharing what you learn and what you experience, not just with fellow hackers but with the rest of the world. It's likely most of the latter will have no idea just what it is you're doing and in fact may completely misunderstand your motives. But perceptions change over time, one way or another.

We're always looking to hold onto our spirit here and to self-examine as much as possible. This is why we sent out reader surveys to all of our subscribers earlier this year. In the next issue we hope to be able to analyze the pile of opinions and suggestions we've gotten back. The enthusiasm we've seen so far is all the evidence we need to conclude that we've still got something amazing here.
Summer 2007---------------------- Page 5
by Cliff

"H3y dOODz w07 R t3h r3411y k3wl hAx 4...?" Aren't you just sick of reading this kinda thing? Guess what, the "k3wl hax" don't get designed and published by Microsoft each week. People find them. Where do exploits and vulns (system vulnerabilities) get found? They're usually bugs or misused features. But how do they get discovered? How can you discover your own, or better still, how can you reduce the risk of someone else finding vulns with your code? I'm going to talk in general terms about methodologies as opposed to any script-kiddie examples.
Exploits

Exploits are vulnerabilities that have been taken to the next level - someone has seen a weakness/vuln and then worked out how to abuse it. An exploit may allow illegal code to be run, it may just crash a system, or it may open a back door for further abuse later. Exploits are pretty much limited by the vulnerability found, but sometimes what appears a minor vulnerability can open up a chain of exploits. Some types of exploits are described below.

Reboot - make the server require a restart. This can interrupt other processes, maybe require manual starts of some tools, cause a lot of anxiety, "stability" issues, and other bad things. Very hard to track down.

Starve of Oxygen - strangle all the other apps on the box. If apps run out of system resources (typically RAM or disk), they can get panicky and start throwing errors of their own. Starving a box using one vuln/exploit may force other apps to fail, possibly revealing secrets along the way, or at least being a huge pain to clear up.

Slow to crawl - if all the starved apps above behave well, they'll just starve to death, and the server will spend every CPU cycle dealing with error messages from dying applications.

Reveal a secret - we just had the one-hundred-millionth (that's a huge number, 100,000,000 seconds is over three years!) set of customer data [...] computer systems in the U.S. Of course the real number is much higher; these 100 million were the ones that had to be confessed. Computers hold so many secrets and they're held so insecurely that secret-fishing is a massive exploit. Secrets could be personal details, or even server details, both valuable to different groups. If an app under duress will report its database filepath, for instance, other attacks can be crafted to attempt to retrieve that file (and the goodies it contains!).

Run illegal code - the server details are a very useful secret for further exploitation. Illegal code may run in-process and so widen the hole of the vulnerability by giving escalated privs.

Open a door - illegal code could be used to install a backdoor into the system, making future breaches easier.

Pwn3d! - and the box becomes a zombie, completely owned by someone other than the owner!
Failing Inelegantly

Great, you've written the killer app for whatever system/language/etc. Well done! You probably started as a proof-of-concept, then added a bit of testing onto the end, then fixed it for the tests that failed, and called it RTM. There is only one person in the world less qualified to test your code than you are and that's your mother. You are the world's worst test of your own code. You know the workflows, you know where the bodies are buried, you know which bits have to be handled gently.

Unfortunately, your users won't. Users are dumb, all of them. If they weren't dumb, they'd have written the app themselves, so assume they're dumb. If you went so far as to provide a manual/training for your app, your users will either forget it or use it as a bible. But you'll have forgotten one or two key points, so they'll improvise. They'll put a null in the cost box instead of a zero. Hell, they may even type "zero". Likely this'll cause your system to fail. How it fails is critical not just to the app, but to every other system on the machine!

Yum! Resources! - if your app fails catastrophically and fails to release resources (memory usually), you're enemy number one. Exploit: crash the app a few times and watch as other systems struggle for oxygen. One of them may do something cool, or at the very least, force a reboot.

Dog in the Manger - your app fails, but in failing pops up a modal dialogue warning of the failure before closing down. Exploit: similar to above, the program holds server resources hostage until some stupid "ok" box is ticked... on a blade in a massive server farm!

Debug Messages - your app fails, and in order to help you out, it tells you some secrets about where and how it failed. Now everyone knows what version of .NET (or whatever) you're running and, lookee here, a snippet of the app code. That could be handy later....

Error Messages - like debug messages, but less friendly. It's quite common to see databases telling you things about themselves when a web app has failed to consider a problem (e.g., MySQL, Access).

You can force inelegant failures by feeding in bad data (remember that user who typed "zero"? What if it was malicious?!). You may not know how to exploit a vuln, but somebody else might, so treat all vulns as serious.
Unexpected Input = Unexpected Output

Applications usually deal in one way or another with data. In fact, if they don't they're probably just cartoons and not worth bothering with. Data can go into or come out of some kind of datastore, usually a database package of some sort. This is cool. It means we may be able to get some secrets out in exchange for putting some weird stuff in (technical name here is SQL injection).

How do you get to enter weird stuff? Have a look at the app you're testing and start typing things into the fields you can type things into. The key here is to type in things the application isn't expecting. Good apps will validate these attacks away, poor ones won't. Inputs typically expect text, a number or sometimes even a file - don't give them exactly what they're expecting.

If they want a file (e.g., an avatar upload for a forum), try passing them an mp3, or an exe. See what happens. You should have the file rejected straight away, but if the app accepts an exe, you may find a way to execute it (on the server!) later.

If the app wants a number, what kind of number does it want? If it expects an integer, try giving it a float (or any other non-integer, such as 3.14159).

What happens if you give it a 0? Or a 0.000000000000001? Or -1? Or 999999<snip loads more 9s>99? Or "zero"?

One of these tests may upset the system if it tries to insert text into a numeric field, or tries to divide by zero. If the system is strong, it'll laugh at your efforts. But lesser apps will trip up and maybe tell you a bit about the system!

If the app expects text, then try giving it loads of text. Try giving it non-printing characters. Try giving it characters that have special uses too - my favourites are ';/&--%*?, spaces, and various combinations of them depending on what I've discovered about the app (if it has an MSSQL backend, try feeding fields with %';--). This can be fascinating if you get your entered text echoed back to you on the next page (for instance a search form), as if your entry isn't parsed and validated. You can start building database queries to discover more about the app and possibly release secret data.

Websites may be probed by messing with their query strings if they pass data in the query string (what appears in the address bar). You may want to try HTML-encoded values.

So what if you hit a web app with massive JavaScript validation? It may have similar matching validation on the server or the developer may have been lazy. Try a tool like Tamper Data (a Firefox extension) to tweak exactly what gets posted back to the server after the JavaScript has had its fun and tried to stop you!
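To make the "good app / poor app" distinction concrete, here is an added example (written for this edition, not code from the article) of a search form done both ways, plus the server-side check that the Tamper Data paragraph implies a numeric field needs. The product table, its rows and the search terms are constructed for the example; it uses Python's bundled sqlite3 module, so it runs offline.

```python
import re
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample database for this example (not from the article).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL, cost REAL)"
    )
    conn.executemany(
        "INSERT INTO products (name, price, cost) VALUES (?, ?, ?)",
        [("widget", 9.99, 4.00), ("gadget", 19.99, 7.50)],
    )
    return conn

def search_concatenated(conn: sqlite3.Connection, term: str) -> List[Tuple]:
    # The 'poor app': the search box text is pasted straight into the SQL,
    # so a quote in the input rewrites the query instead of being data.
    sql = f"SELECT name, price FROM products WHERE name = '{term}'"
    return conn.execute(sql).fetchall()

def search_parameterized(conn: sqlite3.Connection, term: str) -> List[Tuple]:
    # The 'good app': the driver binds term as a value; whatever characters
    # it contains, it can only ever be compared against the name column.
    return conn.execute(
        "SELECT name, price FROM products WHERE name = ?", (term,)
    ).fetchall()

def raw_error_text(conn: sqlite3.Connection, term: str) -> Optional[str]:
    # What the 'Error Messages' failure echoes back: the database's own
    # complaint about the mangled query (None if the query ran).
    try:
        search_concatenated(conn, term)
        return None
    except sqlite3.Error as exc:
        return str(exc)

# ASCII digits only: Python's \d would also accept other Unicode digit
# characters, which int() converts but most downstream code does not expect.
_PLAIN_INTEGER = re.compile(r"[0-9]{1,6}")

def parse_quantity(raw: str, lo: int = 1, hi: int = 10_000) -> Optional[int]:
    # Server-side validation for a numeric field, whatever the browser's
    # JavaScript did: accept only plain digits within the allowed range.
    # The article's whole list ("zero", 3.14159, -1, 0.000...1, a run of
    # 9s, and 0 itself) is rejected before it gets near the database.
    cleaned = raw.strip()
    if not _PLAIN_INTEGER.fullmatch(cleaned):
        return None
    value = int(cleaned)
    if not lo <= value <= hi:
        return None
    return value

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("concatenated:", search_concatenated(db, probe))   # every row
    print("parameterized:", search_parameterized(db, probe))  # no row
    print("leaked error:", raw_error_text(db, "'"))
    for raw in ["42", "zero", "3.14159", "-1", "0", "9" * 30]:
        print(repr(raw), "->", parse_quantity(raw))
```

The parameterized version never sees a syntax error for odd input, so there is nothing for a debug page to leak; the concatenated version both returns rows it should not and throws a database error whose text describes the query. Note that `parse_quantity` returns `None` rather than raising, so the caller decides what (generic) message the user sees.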
Can't Take the Strain

Load testing is the opposite of a DDoS attack. Proper load testing will let you know how much activity your server/app can handle before melting down using the exact same tools as you could use for a DDoS. You just watch the results more closely.

Microsoft has a great free stress/load testing application "Web Application Stress Tool" aka Homer. Find it on their website. They also have a fancier one with some of the datacenter editions of some tools, but Homer will do all you need. There are doubtless many others available too.

Start off by working out what a "sensible" workflow through your site may be, and record it. Now play that workflow back with more clients and note which pages seem to be slowest (from the results). Ramp it up a bit more, keep noting your results, and keep going. If you graph your results, you'll notice a pretty linear rise in response times until you hit an elbow in the curve where responses get dramatically slower. This is your theoretical maximum load. Of course, real world usage isn't nearly so relentless as a cluster on the same LAN hammering one app, but usage will come in peaks, and you must be able to handle those peaks, not the average (including overnight) load!

I'm sure you've found one or two pages of your app which seem to cause you the most delays. Rewrite them or split them into parts and keep the server load down. It'll probably be the page with all the big database access/writes, etc., so look at optimising those.

If testing someone else's site, make sure you have permission first. One man's load test is another man's DDoS!
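Reading the elbow off a graph by eye works, but it is easy to automate once you have the numbers the stress tool gives you. The following is an added example (not code from the article or from any load-testing tool) that finds the elbow from a table of (clients, mean response time) results and then turns the "three months of expected growth" remark into a number; the results in SAMPLE_RUN are constructed for the example.

```python
from typing import List, Optional, Tuple

# Constructed load-test results for this example: (concurrent clients,
# mean response time in ms) for one recorded workflow, read off the tool.
SAMPLE_RUN: List[Tuple[int, int]] = [
    (10, 120), (20, 140), (30, 160), (40, 180), (50, 200),
    (60, 240), (70, 420), (80, 900), (90, 2100),
]

def find_elbow(samples: List[Tuple[int, int]],
               factor: float = 4.0,
               baseline_points: int = 3) -> Optional[int]:
    """Return the client count at the elbow of the curve, or None if the
    run never left the linear region (or is too short to judge).

    While the server has headroom the marginal cost of each extra client
    (ms per client between adjacent samples) stays roughly constant. The
    elbow is the first step where that cost exceeds `factor` times the
    baseline measured over the first `baseline_points` steps; the level
    just before the jump is the theoretical maximum load."""
    if len(samples) < baseline_points + 2:
        return None
    slopes = []
    for (c0, t0), (c1, t1) in zip(samples, samples[1:]):
        if c1 <= c0:
            raise ValueError("samples must be sorted by increasing client count")
        slopes.append((t1 - t0) / (c1 - c0))
    baseline = sum(slopes[:baseline_points]) / baseline_points
    # A flat early region (baseline <= 0) means any rise at all is a jump.
    threshold = factor * baseline if baseline > 0 else 0.0
    for i in range(baseline_points, len(slopes)):
        if slopes[i] > threshold:
            return samples[i][0]
    return None

def months_of_headroom(peak_clients: int,
                       growth_per_month: float,
                       capacity: int) -> int:
    """Months until today's peak load, growing at `growth_per_month`
    (0.25 = 25% a month), reaches the measured maximum; 0 if it already
    does. Compounded step by step rather than via logarithms so the answer
    is an exact month count with no floating-point edge cases."""
    if growth_per_month <= 0:
        raise ValueError("growth_per_month must be positive")
    months = 0
    peak = float(peak_clients)
    while peak < capacity:
        peak *= 1.0 + growth_per_month
        months += 1
    return months

if __name__ == "__main__":
    limit = find_elbow(SAMPLE_RUN)
    print("elbow at", limit, "clients")
    print("months before a 30-client peak growing 25%/month hits it:",
          months_of_headroom(30, 0.25, limit))
```

Feed `months_of_headroom` your busiest hour's client count, not the daily average, since as the article says it is the peaks the server must survive. The `factor` threshold is deliberately generous (4x) so that ordinary noise in the linear region is not mistaken for the elbow; tighten it if your runs are very clean.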
Finally

When writing your app, try designing in security from the beginning. This means coding defensively, expecting your audience to be at best dumb, at worst, hostile! Validate every field you have both on the server and client, and only accept values within the most restrictive range. Expect non-alphanumeric characters and the effects they can have. Trap specific errors, all you can think of, and handle them gracefully. Always have a catchall for unspecified errors, and again, handle it gracefully. Get your code read and tested by friends/peers/colleagues (open source software has a passive testing pool of peers).

Test your app on a virtual machine of some sort (Microsoft Virtual PC or VMWare) so you can recover from errors quickly and easily without killing any other apps. Talk to your datacenter guys about the possibility of using virtual servers (again VMWare/Microsoft both have excellent offerings) to completely ringfence apps. Always make sure you disable any debug modes you have before going public with your app, and finally load test your app so you know how it will cope over time. If you know up front that you will run into loading problems in about three months with expected growth, you can plan for app tuning or hardware expansions and make sure you don't starve other apps causing them to fail. And in all that spare time you now have, why not try finding some new vulns?
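The "trap specific errors, keep a catchall, handle both gracefully" advice here, together with the "Yum! Resources!" and "Debug Messages" failures described under Failing Inelegantly, comes down to the shape of one request handler. Below is an added example (not code from the article) showing the inelegant handler beside the hardened one for a cost-per-item field fed the article's own bad inputs. `HandleLedger` is a stand-in for a connection pool, invented for the example so that a leaked handle is countable.

```python
import logging
import traceback
import uuid
from typing import Callable, Tuple

log = logging.getLogger("app")

class HandleLedger:
    """Stand-in for a pool of database handles (constructed for this
    example): counts how many a request has taken and not given back."""
    def __init__(self) -> None:
        self.open = 0
    def acquire(self) -> None:
        self.open += 1
    def release(self) -> None:
        self.open -= 1

def unit_cost(raw_qty: str, total_cents: int = 1000) -> int:
    """Core logic: cost per item. Fails on the article's user inputs:
    "zero" and "3.14159" (ValueError from int), 0 (ZeroDivisionError),
    -1 (rejected here as a ValueError), None (TypeError from int)."""
    qty = int(raw_qty)
    if qty < 0:
        raise ValueError("negative quantity")
    return total_cents // qty

def handle_debug_mode(pool: HandleLedger, raw_qty) -> Tuple[int, str]:
    # The inelegant failure: the handle is released only on the happy path,
    # and the client receives the full traceback (interpreter version, file
    # paths, a snippet of the code) to read at leisure.
    pool.acquire()
    try:
        result = unit_cost(raw_qty)
    except Exception:
        return 500, traceback.format_exc()
    pool.release()
    return 200, str(result)

def handle_hardened(pool: HandleLedger, raw_qty) -> Tuple[int, str]:
    # Specific errors get specific, non-revealing messages; the catchall
    # logs the detail server-side under a reference the user can quote;
    # finally: the handle goes back whatever happened.
    pool.acquire()
    try:
        return 200, str(unit_cost(raw_qty))
    except ValueError:
        return 400, "Quantity must be a whole number."
    except ZeroDivisionError:
        return 400, "Quantity must be greater than zero."
    except Exception:
        ref = uuid.uuid4().hex[:8]
        log.exception("unhandled error, ref=%s", ref)
        return 500, f"Something went wrong (reference {ref})."
    finally:
        pool.release()

def leaked_handles(handler: Callable, raw_qty) -> int:
    # Run one request against a fresh pool and report what it left behind.
    pool = HandleLedger()
    handler(pool, raw_qty)
    return pool.open

if __name__ == "__main__":
    for raw in ["4", "zero", "0", "-1", None]:
        print(repr(raw), "debug:", handle_debug_mode(HandleLedger(), raw)[0],
              "leaked", leaked_handles(handle_debug_mode, raw),
              "| hardened:", handle_hardened(HandleLedger(), raw),
              "leaked", leaked_handles(handle_hardened, raw))
```

The catchall branch is the one that matters most in production: it is what turns an error nobody anticipated into a bland message for the user and a full record (with a reference to match the two up) in the server log, which is exactly the split between "debug mode off for the public" and "enough detail to fix it" that the article asks for.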
by The Thermionic Overlord

With stores splattered all over the United States, chances are you've been to a Tire Kingdom at some point for an oil change, tires, or an overpriced brake job. TK sure runs a slick business, with intimate corporate micromanagement made possible by a centralized network architecture.

Imagine what you could do if you controlled Tire Kingdom's main computer systems: With manager's privileges alone, you have the ability to hire and fire employees, change pay rates, look up commercial and consumer credit card data, even commit outright theft. It's easier than you think with this article as your unofficial guide.

Getting In

The heart of Tire Kingdom is as400.tirekingdom.com, an IBM AS400 located in Juno Beach, Florida. All 600 or so stores in the U.S. connect to this system every day through standard DSL or cable connections for upgraded stores, dialup lines for older ones. If you telnet to as400.tirekingdom.com, the system will throw you a login screen at any time of day or night without complaint. What about that username and password? Pick a store number. For Store 121, log in as S121, password S121, et cetera. You can't actually do anything unless your IP address is recognized by the system (TKI) but there exist ways around this problem.

Waltz up to your local store on a Saturday when they're slammed and take a peek at the generic PCs on the counter running terminal emulation software. Each one is numbered in the pattern of S(store number)PC(PC number), as in S121PC03. On the terminal software, that same PC would have a display ID of S121DSP03. Taped to at least one of the computers at the main counter will be a list of employee numbers for everyone at the store, including managers. You have to be behind the counter to see this, however....
Getting Behind the Counter

If you'd like to play around with the system from a store location with impunity, ask to speak to the general manager and tell him you want to apply for a job. Note the name of the store manager. You'll need it later. He'll most likely steer you to one of the PCs immediately and log onto TK Intranet (intranet.tirekingdom.com, username TK(store#), password TK(store#), domain TKI). He'll sign into the Deploy hiring management console with his employee number and password and leave you to fill out an application. As soon as he's gone, fire up a command prompt and enter tracert as400.tirekingdom.com. Note the last hop on the store network and write this IP address down for future reference. It's the Cisco 2500 router underneath the counter. You'll have no web access because all DNS requests besides TK Intranet and a handful of partner companies are blocked.

If you've brought your handy flash drive with a keystroke logger program, now is the time to take advantage of it. Dump the program into an unused directory, fire it up, and don't worry for a second about an antivirus. You won't find one.

When they're not paying attention too closely, pick up their phone and call another Tire Kingdom, not one in the general area of yours. Explain to whomever picks up the phone that you've lost/spilled coffee on your yellow book with the tech support number in it, and could they pretty please give it to you, you're having trouble connecting to the AS400. Write this number down on a piece of paper along with the manager's employee number, the router's internal IP, the store's external IP if you can find it, and whatever artistic doodles you've been working on.
Day Two

Wait until Monday to return to the store as Sundays are generally dead. Make sure you get a good night's sleep since you'll have to work quickly today.

Walk in as if you own the place and tell the body at the counter that you're finishing an application. Return to the same computer and copy your keystroke log to your flash drive, making sure to wipe the original with the Wipe utility you should be carrying. Busy yourself with whatever hackerish antics you desire until the body at the desk is no longer paying close attention to you, then grab a phone and walk it around a corner for some privacy. By now you should know the manager's employee number, password, router and store IP, tech support phone number, and a static IP address associated with a public computer (not the one at your house).
A Quick Note on TK Passwords

Every TK employee has a six or seven digit employee number which they keep during their tenure at Tire Kingdom. They also have a password between six and eight digits long, as mandated by the AS400's security policy, that must be changed every 90 days. The password cannot be the same as any of the two or three previous passwords and cannot contain special characters to my knowledge. However, 99.9% of all TK passwords will be completely numeric as every counter employee including managers keys with their right hand on the numerical pad. For speed, most of them are only six characters in length and are chosen to be quick to pound out.
Tech Support is Here to Help You

Call the tech support number. Have your spiel polished, rehearsed, and ready to go. When you get someone on the line, tell them some variation of the following:

"Hi, this is (manager's name), the manager of TK(store#), and we're having a lot of problems with our Internet access. I keep getting an error when I try to connect, the AS400 keeps telling me I'm signing on from an unknown IP address, and to call you guys with this IP address: (the static IP of a computer you have access to)."

If your social engineering ruse works, prepare for pandemonium as the Tire Kingdom you're in loses all access to the AS400. Hang up the phone and walk out, and quickly get behind the IP address you gave the help desk.

Owning

By now you should have all of the information you need to spectacularly Own the AS400 as a manager. The AS400 is configured for ease of use, and finding your way around should be no problem. For real fun, log into intranet.tirekingdom.com, click Deploy, log in as your managerial self, and promote everyone as high as you possibly can. Deploy will give you access to an employee's home address, all personal information, sometimes even a picture. The AS400 has provisions for retail credit card lookup, too.... If you dig deep enough, you'll find information that no one should be able to access, maybe even yours...

Shouts to fysch and lynch, Lardlog, 3mOU, OJ Hekla, and the Democratic Congress: Please don't ruck it up.
by Ariel Saia
I thought it would be fu n to try connecti ng
one of our company's Nortel IP phones from
my home using my broadband connection
and a VPN tu n nel back to our corporate
office. So I took one of our Nortel i2 004
phones home and starting seei ng what I
cou ld do with it.
I first needed to get into the phone's setup. That was easy enough. I powered the unit up and once I saw the Nortel logo come up on the display, I hit the group of four buttons one at a time (below the LCD screen) in sequence 1-2-3-4 from left to right. In the setup I noticed our telephony department configures the phone with full DHCP with data and voice VLAN smarts in the phone. Since my goal was to use the phone in a very basic home network environment, I would need to manually configure some of these settings (more on this later). However, I did notice the S1 server (Nortel phone server) specified. So at this point it looked promising that I could have my office IP phone working at my house.
For the first step I needed to create my VPN tunnel to corporate. I had a $400 CyberGuard SG560 firewall/VPN device floating around and decided to configure it as a PPTP client and connect it to my company's PPTP VPN server. Once connected I could then ping the S1 server (Nortel phone server) from the SG560 box. Fantastic! I trekked on; I now needed to configure the phone to communicate over this link rather than being on our internal LAN. I went into the phone's setup again and selected "0" for no DHCP. I then gave the phone a static IP address (on the same subnet as the LAN on my SG560 box) of 192.168.1.10, netmask 255.255.255.0, and 192.168.1.1 as the gateway. The next option was the S1 IP (Nortel phone server) 172.16.201.11. Next was the S1 port. I selected the default port of 4100. I also opted for the defaults for S1 Action "1" and Retry Count "5" and repeated the same steps for S2. I then was asked for a "Voice VLAN." I selected "0" for no on the Voice and Data VLAN. I still had my SG560 connected to my corporate PPTP server. The phone rebooted and after about two minutes the phone connected to the S1 server and was prompting me for a Node and TN number (this is how the phone is registered to the Nortel phone system). The next day I asked one of my friends in the telephony department to provide me with a "Node" and "TN" for my phone. I returned home, plugged the numbers into the phone, and Walla!! The phone connected!
I picked up the handset and called my friend. I could then hear him pick up his handset and begin talking but he couldn't hear me from his end. After some head scratching I decided to put a packet sniffer between my SG560 box and my broadband connection. I found the Nortel phone server was trying to send packets to the phone during my phone call on port UDP/5201 and my SG560 box was of course dropping the packets. I then created a rule on the SG560 box to redirect any incoming UDP/5201 traffic to 192.168.1.10 (the IP phone). I then placed my call again and he could now hear me and I could hear him. So there I sat with an office extension in my house!
I told my friend in the telephony department about my test and of course he wanted one for his house too. However, after hearing he would need a $400 CyberGuard unit, excitement quickly turned to disappointment. I now was determined to come up with a reliable and inexpensive way to use our IP office phones in remote locations.
I had a Linksys WRT54G v4 router flashed with DD-WRT (one of the best third party firmwares) that I had been using for Wi-Fi bridging. I remembered seeing the capability of using it as a PPTP or OpenVPN client/server. So I configured the router as a PPTP client just like the SG560 unit and added the port forwarding (UDP 5201) needed by the Nortel phone system. The IP phone connected and my test calls were made successfully, again just like in the SG560 over my company's PPTP VPN server. I now wanted to test the reliability of the WRT54G. I quickly found that the PPTP connection would drop within a few hours and not reconnect without requiring a reboot of the router. This of course was not an acceptable option so I started looking into OpenVPN as an alternative to PPTP. In the meantime my friend from the telephony department found Nortel was selling a solution (Nortel Contivity) that essentially does the same thing for about $350-$450 per phone and about 10k for the backend VPN server. Ouch!
Now more than ever I wanted to build a solution on open source software. I installed my favorite Linux distribution (SuSe 10.1) on a spare server we had in our server room and began the OpenVPN setup. I tested the Linksys WRT54G (DD-WRT) with the OpenVPN client instead of PPTP. I wrote this custom startup script for DD-WRT that creates the needed certificate files and calls the OpenVPN client, also monitoring the tunnel for inactivity, and acts accordingly.
DD-WRT Startup Script
(remember not to enable OpenVPN in the DD-WRT GUI since this script calls it for you)
# Everything is written to /tmp (RAM) at boot; only this startup script lives in flash.
echo 'sleep 8' >> /tmp/vpngo.sh
mkdir /tmp/openvpn
echo "
-----BEGIN CERTIFICATE-----
***Add Your IPCop Server Cert HERE!!***
-----END CERTIFICATE-----
" > /tmp/openvpn/ca.crt
echo "
-----BEGIN CERTIFICATE-----
***ADD Your IPCop Client Cert HERE!!***
-----END CERTIFICATE-----
" > /tmp/openvpn/client.crt
echo "
-----BEGIN RSA PRIVATE KEY-----
***Add Your IPCop Private Key HERE!!***
-----END RSA PRIVATE KEY-----
" > /tmp/openvpn/client.key
echo "client
dev tun
proto udp
remote ***YOUR PUBLIC IPCOP SERVER*** 1194
resolv-retry infinite
nobind
persist-key
persist-tun
float
keepalive 10 120
tun-mtu 1400
tun-mtu-extra 32
mssfix 1300
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/client.crt
key /tmp/openvpn/client.key" > /tmp/openvpn/openvpn.conf
# Masquerade the LAN (the phone) behind the tunnel address while the tunnel is up.
echo 'iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE' > /tmp/openvpn/route-up.sh
echo 'iptables -D POSTROUTING -t nat -o tun0 -j MASQUERADE' > /tmp/openvpn/route-down.sh
# Hand the UDP range the phone system sends back through the tunnel to the phone.
echo 'iptables -t nat -I PREROUTING -i tun0 -p udp --dport 5000:5300 -j DNAT --to-destination 192.168.1.10' >> /tmp/vpngo.sh
echo 'iptables -I INPUT -p tcp --dport 443 -j logaccept' >> /tmp/vpngo.sh
echo 'iptables -I INPUT -p tcp --dport 22 -j logaccept' >> /tmp/vpngo.sh
chmod 777 /tmp/openvpn/route-up.sh
chmod 777 /tmp/openvpn/route-down.sh
echo 'result=0' >> /tmp/vpngo.sh
echo 'pingloss=0' >> /tmp/vpngo.sh
echo 'pingloss2=0' >> /tmp/vpngo.sh
echo 'rm /tmp/vpngo.sh' >> /tmp/vpngo.sh
echo 'rm /tmp/keypass' >> /tmp/vpngo.sh
# The router boots without a valid clock: force a date inside the certificates'
# validity period (adjust to your own certificates) or OpenVPN rejects them.
echo 'date 092011082007' >> /tmp/vpngo.sh
echo 'touch /tmp/keypass' >> /tmp/vpngo.sh
# Double quotes outside, single quotes inside, so the password reaches vpngo.sh as one quoted word.
echo "echo '***PKCS12 File Password***' > /tmp/keypass" >> /tmp/vpngo.sh
echo '/usr/sbin/openvpn --config /tmp/openvpn/openvpn.conf --route-up /tmp/openvpn/route-up.sh --down /tmp/openvpn/route-down.sh --askpass /tmp/keypass' >> /tmp/vpngo.sh
# vpngo2.sh is the watchdog: every 12 s check that tun0 is RUNNING (confirmed 10 s later)
# and restart openvpn until it is; then ping the S1 server, and if that fails twice while
# the public IPCop address still answers, the tunnel is up but dead, so restart openvpn.
echo 'sleep 60' >> /tmp/vpngo2.sh
echo 'while [ "x" ]' >> /tmp/vpngo2.sh
echo 'do' >> /tmp/vpngo2.sh
echo '  sleep 12' >> /tmp/vpngo2.sh
echo '  result=`ifconfig tun0 2>&1 | grep -c RUNNING`' >> /tmp/vpngo2.sh
echo '  if [ $result -eq 0 ]' >> /tmp/vpngo2.sh
echo '  then' >> /tmp/vpngo2.sh
echo '    sleep 10' >> /tmp/vpngo2.sh
echo '    result=`ifconfig tun0 2>&1 | grep -c RUNNING`' >> /tmp/vpngo2.sh
echo '    if [ $result -eq 0 ]' >> /tmp/vpngo2.sh
echo '    then' >> /tmp/vpngo2.sh
echo '      while [ $result -eq 0 ]' >> /tmp/vpngo2.sh
echo '      do' >> /tmp/vpngo2.sh
echo '        killall openvpn' >> /tmp/vpngo2.sh
echo '        /usr/sbin/openvpn --config /tmp/openvpn/openvpn.conf --route-up /tmp/openvpn/route-up.sh --down /tmp/openvpn/route-down.sh --askpass /tmp/keypass &' >> /tmp/vpngo2.sh
echo '        sleep 40' >> /tmp/vpngo2.sh
echo '        iptables -t nat -I PREROUTING -i tun0 -p udp --dport 5000:5300 -j DNAT --to-destination 192.168.1.10' >> /tmp/vpngo2.sh
echo '        iptables -I INPUT -p tcp --dport 443 -j logaccept' >> /tmp/vpngo2.sh
echo '        iptables -I INPUT -p tcp --dport 22 -j logaccept' >> /tmp/vpngo2.sh
echo '        result=`ifconfig tun0 2>&1 | grep -c RUNNING`' >> /tmp/vpngo2.sh
echo '      done' >> /tmp/vpngo2.sh
echo '      result=`ifconfig tun0 2>&1 | grep -c RUNNING`' >> /tmp/vpngo2.sh
echo '    fi' >> /tmp/vpngo2.sh
echo '  fi' >> /tmp/vpngo2.sh
echo '  sleep 11' >> /tmp/vpngo2.sh
echo '  pingloss2=`ping -c 5 172.16.201.11 | grep -c "100% packet loss"`' >> /tmp/vpngo2.sh
echo '  if [ $pingloss2 -eq 1 ]' >> /tmp/vpngo2.sh
echo '  then' >> /tmp/vpngo2.sh
echo '    sleep 10' >> /tmp/vpngo2.sh
echo '    pingloss2=`ping -c 8 172.16.201.11 | grep -c "100% packet loss"`' >> /tmp/vpngo2.sh
echo '    if [ $pingloss2 -eq 1 ]' >> /tmp/vpngo2.sh
echo '    then' >> /tmp/vpngo2.sh
echo '      pingloss3=`ping -c 8 ***YOUR PUBLIC IPCOP SERVER*** | grep -c "100% packet loss"`' >> /tmp/vpngo2.sh
echo '      if [ $pingloss3 -eq 0 ]' >> /tmp/vpngo2.sh
echo '      then' >> /tmp/vpngo2.sh
echo '        killall openvpn' >> /tmp/vpngo2.sh
echo '        sleep 1' >> /tmp/vpngo2.sh
echo '        /usr/sbin/openvpn --config /tmp/openvpn/openvpn.conf --route-up /tmp/openvpn/route-up.sh --down /tmp/openvpn/route-down.sh --askpass /tmp/keypass &' >> /tmp/vpngo2.sh
echo '        sleep 2' >> /tmp/vpngo2.sh
echo '      fi' >> /tmp/vpngo2.sh
echo '    fi' >> /tmp/vpngo2.sh
echo '  fi' >> /tmp/vpngo2.sh
echo 'done' >> /tmp/vpngo2.sh
# 700 for the scripts and 600 for the key password would be enough; only root runs them.
chmod 777 /tmp/vpngo.sh
chmod 777 /tmp/vpngo2.sh
chmod 777 /tmp/keypass
sh /tmp/vpngo.sh &
sh /tmp/vpngo2.sh
***DD-WRT Firewall Script***
iptables -t nat -I PREROUTING -i tun0 -p udp --dport 5000:5300 -j DNAT --to-destination 192.168.1.10
iptables -I INPUT -p tcp --dport 22 -j logaccept
iptables -I INPUT -p tcp --dport 443 -j logaccept
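The watchdog logic of the startup script, as an added example that is not part of the article: the same three checks (tun0 RUNNING, ping to the S1 server, ping to the public IPCop address) as a small Python program that can run on any Linux OpenVPN client, with the decision separated out so it can be tested offline. The S1 address and openvpn command line are the article's; vpn.example.invalid stands in for the public IPCop server placeholder.

```python
"""Reconnect decision of the DD-WRT watchdog, with injectable probes."""
import subprocess
import time
from typing import Callable, List

S1_SERVER = "172.16.201.11"           # Nortel S1 server address from the article
VPN_ENDPOINT = "vpn.example.invalid"   # placeholder for ***YOUR PUBLIC IPCOP SERVER***
OPENVPN_CMD = ["/usr/sbin/openvpn", "--config", "/tmp/openvpn/openvpn.conf",
               "--route-up", "/tmp/openvpn/route-up.sh",
               "--down", "/tmp/openvpn/route-down.sh",
               "--askpass", "/tmp/keypass"]


def tun_is_running(ifconfig_output: str) -> bool:
    """Same test as `ifconfig tun0 2>&1 | grep -c RUNNING` being non-zero."""
    return "RUNNING" in ifconfig_output


def ping_lost_all(ping_output: str) -> bool:
    """Same test as grep -c "100% packet loss" on ping's summary line."""
    return "100% packet loss" in ping_output


def decide(tun_running: bool, s1_lost: bool, endpoint_lost: bool) -> str:
    """The script's three checks in the order it applies them.

    Returns "restart", "up" or "wait".
    """
    if not tun_running:
        return "restart"   # tun0 gone: openvpn died or never finished the handshake
    if not s1_lost:
        return "up"        # the phone server answers through the tunnel
    if not endpoint_lost:
        return "restart"   # tunnel looks up but carries nothing, and the endpoint
                           # is reachable, so a fresh session should succeed
    return "wait"          # endpoint unreachable too: the WAN is down, restarting
                           # would only thrash


def run_probes(run: Callable[[List[str]], str]) -> str:
    """Execute the probes with `run` (command -> combined output) and decide."""
    tun = tun_is_running(run(["ifconfig", "tun0"]))
    s1 = ping_lost_all(run(["ping", "-c", "5", S1_SERVER]))
    if tun and not s1:
        return "up"
    endpoint = ping_lost_all(run(["ping", "-c", "8", VPN_ENDPOINT]))
    return decide(tun, s1, endpoint)


def shell(cmd: List[str]) -> str:
    """Real probe runner: combined stdout/stderr, non-zero exit is not an error."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def restart_openvpn() -> None:
    """Same sequence as the script: kill the old client, start a new one."""
    subprocess.run(["killall", "openvpn"], capture_output=True)
    time.sleep(1)
    subprocess.Popen(OPENVPN_CMD)


if __name__ == "__main__":
    # Like the script, confirm a failure with a second probe before acting.
    while True:
        if run_probes(shell) == "restart":
            time.sleep(10)
            if run_probes(shell) == "restart":
                restart_openvpn()
                time.sleep(40)   # let the handshake finish before probing again
        time.sleep(12)
```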
The router stayed connected and was reconnecting when necessary. This was to be the rock solid remote IP phone solution I was searching for. However I wanted others to also manage the server and to be able to set up new certificates (phone users) when necessary, and my SuSe setup via certificates would be a challenge for non-Linux admins. So I needed an easier, more user-friendly management interface. IPCop with "Zerina" would fit the bill perfectly. I installed IPCop with the OpenVPN add-on "Zerina." I was surprised at how easy it was to configure multiple OpenVPN tunnels with the built in certificate manager. As for the DD-WRT box, all I needed to have the end users do was to plug it into any DHCP enabled network with Internet access. That's it! I then convinced management to purchase 65 Linksys WRT54GLs for less than $45 each and flashed them with DD-WRT (v23sp1-vpn). However you don't necessarily need to purchase WRT54GLs. Any supported router listed on the DD-WRT site will do. We now have over 60 remote users (sales, support, etc.) that rely on their phones every day, and already have plans to more than double the number of users! I have tested this with Nortel's i2001, i2002, i2004, and i2007 IP phones. You can also use this setup to connect remote offices as well, not just Nortel IP phones!
Thanks to "BrainSlayer" for DD-WRT (www.dd-wrt.com) and the IPCop crew (www.ipcop.org)!
Greetings from the Central Office! It's hard to believe that summer is already here, but the solstice is just around the corner and the rain has already gotten a little warmer. Although I rarely see the sun from my windowless workplace, we actually get a lot of it during the summer. Here in the Pacific Northwest, the sun rises just after five in the morning, and doesn't set until after nine at night. With only three months a year of semi-decent weather, people spend a lot more time outdoors, and mobile phone usage skyrockets. Capitalism being what it is, unscrupulous mobile service providers are lurking in the shadows with an interesting new way to make a quick buck. And, like our indigenous (and revolting) banana slugs, they're leaving a trail of slime wherever they go.
The more that scams change in the telecommunications industry, the more they stay the same. During the 1980s, premium-rate "information services" such as 976, 540, and 900 numbers were introduced. Although there were a few exceptions (such as pay-per-call technical support lines), these services were mostly scams intended to bilk unsuspecting subscribers. They'd offer dial-a-joke, dial-a-moan, or other services of dubious value, adding eye-popping (and often undisclosed) charges to a subscriber's monthly bill. When you received an outrageous phone bill, Ma Bell would claim that they were just a billing agent, but then threatened to shut off your phone if you didn't pay the so-called "third party" charges. There were few (if any) regulations around disclosure of pay-per-call charges, or opportunities to opt out of them.
Eventually, both the FCC and numerous state public utility commissions intervened to stop the madness. They required Ma Bell to block "information service" pay-per-call numbers at no charge upon request, and prohibited disconnection of your line for failure to pay third-party charges (provided that you paid your local service charges on time). Additional requirements were placed on service providers, forcing them to both disclose pricing up front and allow subscribers to hang up without being charged if they didn't agree. Predictably, the market for such "information services" effectively dried up - after all, it's only profitable to run a scam if you can both fool a sucker and force them to pay without recourse.
Well, fast forward to 2007 and the same thing is happening all over again. Ever heard of Dada Mobile? Blinko? Jamster? Until recently I hadn't, but I prefer to spend my evenings in the central office performing "service monitoring" of my subscribers' private conversations. Hey, if the NSA doesn't need a warrant, I figure that I don't either. However, if you watch MTV, American Idol, or any television show with a mainstream audience, you've probably encountered an ad for a "premium-rate text" service offered via an SMS short code. In other words, vote for your favorite celebrity and get soaked on your cellular phone bill. Or, if you're creative, maybe soak someone else's cellular phone bill....
SMS short codes (referred to as Common Short Codes or CSCs) are five-digit and six-digit codes issued by the CTIA, a cellular industry lobbying group. Anyone can lease one, at costs ranging from $500 per month (for a randomly issued CSC) to $1000 per month (for a vanity CSC). This gets you the number assignment and maintenance in the CSC database (which is performed by NeuStar, a company that controls a shocking percentage of cellular network infrastructure; among other things, they also control system ID assignments). However, owners of CSCs must negotiate interconnection agreements with every wireless carrier individually. Alternatively, they can work with a service provider (such as VeriSign - another corporation with an incredible degree of influence in the wireless industry) who has existing interconnection agreements with most carriers.
Armed with a short code and an interconnection agreement, you're in business! Just fool some sucker (often a child) into sending you a text message and you can then tack absurd charges (which can recur as often as weekly) onto their phone bill with virtual impunity. Sure, there are some voluntary industry provisions and codes of conduct, which in practice are just so much horse manure. It's just like the bad old days of the 1980s. Charges are billed with scant (if any) disclosure and wireless phone companies threaten to shut their customers' phones off if the third-party charges aren't paid. The difference is the sheer audacity with which this is done and the almost complete lack of recourse. Wireless telecommunications (by design) is a virtually unregulated industry. Don't expect relief from the FCC or public utility commissions on this one. And with Congress in the pocket of lobbying groups such as the CTIA, this problem is unlikely to ever be solved.
(By the way, thanks, Erratic, for subscribing my cell phone to eight separate ring tone download and celebrity update services this morning. I can't wait to get my bill and I hope you don't mind that the USOC on your POTS line changed to 12B. Oops, my finger slipped.)
So, let's rewind to the 1980s again. In 1984, the long distance market was deregulated. Most subscribers stayed with AT&T, but upstarts MCI and Sprint quickly grabbed the Number Two and Number Three shares in the market respectively. By the late 1980s there were over a dozen long distance companies and by the early 1990s there were literally hundreds. The market became increasingly cutthroat and providers came up with all sorts of interesting ways to gain your long distance business. For example, one long distance company did business as "The Phone Company" so any (often elderly) subscriber that asked for "The Phone Company" as their long distance provider would get them - not surprisingly, at noncompetitive rates. Another company, LCI, sold its services via multilevel marketing, often alongside products like Amway and Mary Kay. Evidently, it paid off. Today LCI is Qwest, one of the few remaining Baby Bells (Qwest acquired US West in 2000). And everyone has probably heard the story of cigar-chomping Mississippi scam artist Bernie Ebbers, former CEO of WorldCom and now Inmate #56022-054 at FCI Oakdale.
With all of this competition, a practice known as "slamming" became a major problem. Long distance companies would use dubious (often bordering on unethical) methods to switch you to their long distance services. For example, AT&T mailed millions of $100 checks. These looked like rebate checks, perhaps from a legal settlement (of which there were many at the time). However, the fine print on the back indicated that your signature authorized switching your long distance service to AT&T. And for a few years, it seemed like no dinner in America would ever go uninterrupted by a sales pitch from a long distance company. Some companies didn't even bother asking for authorization. They'd just switch you to their long distance service (often billed at outrageous rates). Many consumers didn't even notice.
Eventually enough politicians were personally affected by the problem and the FCC cracked down again. Subscribers now have the right to initiate a "PIC Freeze," which requires the subscriber to contact their local phone company to change long distance carriers. Unscrupulous carriers who engage in slamming are subject to fines and even criminal penalties. And, for the most part, it doesn't matter much anymore as most subscribers use their cell phones for long distance these days. Without much fanfare, AT&T exited the residential long distance market late last year.
These days we're beginning to see a different kind of slamming - cell phones! For the past few years, you've been able to take your phone number with you when changing carriers. Unscrupulous wireless phone companies have used this to their advantage. They call, introduce themselves as something like "Your Wireless Phone Company" (that's their actual company name, just like the long distance carrier calling itself "The Phone Company"), and offer to send you a new, free phone. If you agree, they will indeed send you a free phone - along with a brand new service provider, a brand new rate plan (at unfavorable rates), and a brand new contract with a hefty early termination fee. Adding insult to injury, your previous wireless provider will also bill you an early termination fee if you were still in contract with them. And all of this is being done legally, under procedures outlined by the FCC. Speaking of the law of unintended consequences, your existing wireless provider is prohibited by law from even warning you that you might be the victim of a scam.
And on that note, an outside plant technician told me that we're headed for a few sun breaks and the clock tells me that my shift is over. It's time to get outside and enjoy the weather! Have a fun summer, watch out for phone scams, and I'll see you again in the fall. Or perhaps, if you're lucky enough to visit the spectacular Pacific Northwest, you'll even see me at a 2600 meeting!
Deobfuscation
by Kousu
kousue@gmail.com
Boilerplate: I don't officially condone any of these activities, of course. Use your own judgment.
Introduction
Compiled languages let you distribute binaries which, although all the machine code is there, are generally extremely time-consuming to disassemble. Scripting languages do not have such a luxury. They deal at a high level, and running code on their level requires using high-level constructs (unlike with compiled languages, where the output is very low level and the security is that 1) information - names, indentation, etc. - is lost in the compilation and 2) not many people have the skills to do the reverse operation).
In the scripting language world, there are a great deal of idiots and/or liars who scam even bigger idiots by promising that no one will be able to "steal" their source code.
It should send up a warning flag if you ever consider using obfuscated code, especially if it's obfuscated. In principle, this is as bad as binary blobs, which have led to, for example, rootkitability of every system using Wi-Fi. In the great tradition of paranoia of this great zine, consider that no one knows what the script is up to. Is it full of bugs?
Is it phoning home and giving confidential information like credit card numbers to the original author?
Well, luckily, with scripting languages, obfuscation is difficult to actually secure. There's no way to run a generic program on such code and result in a completely irreversible encryption, for the same reason DRM is fundamentally flawed: you have to decrypt it somewhere in order for it to run. You'd need some sort of self-generating code to do it, but even then the very thing which makes interpreted languages so flexible (the eval function/statement) that would have to be used to implement this can, with some effort, be intercepted so that eventually you find the original code. Other tricks involving the use of external libraries are unlikely because of the complexity to the user (the one who wants to obfuscate their code) and security reasons, especially in web development.
SourceCop
We're going to use as our case study SourceCop, available from http://www.sourcecop.com/ for only $30 (regular price $45!) with the nice guarantee that SourceCop'd code runs on all of Unix/Linux/BSD/Mac/Windows (which is nothing more than the list of platforms for PHP...).
So, first of all we install PHP (from http://php.net or your local package mirror if on a *nix), if not already installed, and then we get to work.
Looking at a SourceCop'd script we see:
dhcart.php          # actual obfuscated script
scopbin/
    911006.php      # support code
From our knowledge of CGI scripts (of which PHP scripts are a subset) in general, we know that the website http://example.org/path/to/script/dhcart.php will cause PHP to load and run dhcart.php. PHP, being a scripting language, just runs from the top, so we can start tracing the code immediately and looking for ways to get at the actual code:
$ less dhcart.php
<?php if (!function_exists('findsysfolder')) {function findsysfolder($fld) {$fld1=dirname($fld);$fld=$fld1.'/scopbin';clearstatcache();if (!is_dir($fld))return findsysfolder($fld1);else return $fld;}}require_once(findsysfolder(__FILE__).'/911006.php');$REXISTHECAT4FBI='FE50E574D754E76AC679F242F450F768FB5DCB77F34DE341
[...snip a lot of Hex...]
$REXISTHECAT4FBI='94CD76CD371C5A7BC70C186E779C293B9B49BACA5A781A6';
eval(y0666f0acdeed38d4cd9084ade1739498('311B3C4449F31071C0',$REXISTHEDOG4FBI));?>
So we see that it defines a function "findsysfolder" if it doesn't exist. At the end it calls a function that itself has an obfuscated name ("y0666f0acdeed38d4cd9084ade1739498") with two arguments: a string of hex (probably more obfuscation?) and a variable $REXISTHEDOG4FBI, which is defined as a big block of hex which is certainly the obfuscated code (incidentally, this program always uses the same stupid variable name), and then passes this straight into eval().
This last point is our attack vector, the weakness I spoke of. In fact, SourceCop appears to be overly simplistic (and it probably is). It only has one eval() call in the entire block, so whatever this eval does is the entirety of the function of this script, and what is passed into it, by definition of eval(), must be the plaintext code. So simply replacing eval() with a print() will give us the code! Sure, it's possible the code could be multiple-obfuscated and that this would just give us another obfuscated block of source code, but then you just repeat this process until you get to the final plaintext. And that is why obfuscation is useless and why anyone who has the gall to sell a shitty "product" that does it deserves to lose his balls.
Back to the code:
So we replace this eval with "print" and then hop to the command line:
$ cd ~/dhcart/
$ php dhcart.php
$
What? Very strangely we got no output! Perhaps it's time to check out what's in that mysterious scopbin file (incidentally this same file is used for every SourceCopping):
$ less scopbin/911006.php
<?php ini_set('include_path', dirname(__FILE__));
[...]
function g0666f0acdeed38d4cd9084ade1739498($s){return(strstr($s,'echo')==false?(strstr($s,'print')==false)?(strstr($s,'sprint')==false)?(strstr($s,'sprintf')==false)?false:exit():exit():exit():exit());}
[...]ini_set('include_path','.');?>
It seems to be more of the same, except helpfully PHP requires naming variables with $ signs so we can spot that these are mostly not obfuscated code but rather awkwardly named variables. So this here is a program. Also, PHP requires the use of {} so we can figure out what the indentation should look like. Initially when I did this I put new lines in all the right places and using the magic of find-and-replace I shortened all the names and traced through it trying to understand. But the quick fix here is simpler than that and I will cut to the chase. Near the middle we see the use of "strstr($s, 'print')" among others in a ternary hook chain, where all the final else clauses are "exit()". It's a good bet that this file is looking inside our source file for any uses of echo/print/sprint/sprintf (i.e., any attempts to do exactly what we're doing) and if so just killing the program. Simply removing this check should make it work, so long as there are no other blocks. There are multiple ways of removing it: the quick-and-dirtiest by far is to just rename what it's searching for.
Most reliably, replace all the exit() calls with some benign return value, like a false, as shown. Or even better, blank the function body, remove everything, and just put a "return false;".
$ cd ~/dhcart/
$ php dhcart.php
<?php
include "phpmailer/class.phpmailer.php";
include "whois_servers.php";
include "language.php";
if (!empty($HTTP_GET_VARS)) while (list($name, $value) = each($HTTP_GET_VARS)) $$name = $value;
if (!isset($HTTP_SESSION_VARS['numberofitems']))
$HTTP_SESSION_VARS['numberofitems']=0;
if (!isset($HTTP_SESSION_VARS['numberremoved']))
$HTTP_SESSION_VARS['numberremoved']=0;
$numdomreg=count($register);
^C
$ # hooray, we see that it works and stop it before it's finished. Now to save the results to a file.
$ php dhcart.php > dhcart.decrypted.php
Discussion
SourceCop is a particularly weak obfuscation. All it does is use a cypher function to hide the code and then make it difficult for a human to follow the decryption code by using long meaningless variable names. But the basic technique is the same for any of these systems. These systems are just downright stupid. Friends Don't Let Friends Use Obfuscators.
The method presented here - letting unknown code run on your system - is potentially dangerous. It's not implausible that an obfuscator could try to detect if it's being run wrongly somehow and cause damage of unknown magnitude. Sure, if that booby trap was ever set off incorrectly it could be very bad for the obfuscator's business, but with the level of shortsightedness blatantly displayed here it's a perfect possibility. It would be wise to set up a jail system to test these things out on. If running a *nix you can make a chroot jail to do this. Another method is to trace the code manually, try to figure out what it's up to, and then write a program implementing the decryption scheme. Let's see that now. But first, a preface.
In digging through SourceCop I feel like vomiting. It's disgusting, disgusting code and just wasting CPU cycles letting it run is nauseating.
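Ahead of the listing that follows, as an added example that is neither the article's nor SourceCop's code: the decryption routine it contains (y0666f0acdeed38d4cd9084ade1739498, the function eval() is fed) reimplemented in Python together with its inverse, so the cipher can be checked by round trip and a loader's key and payload pulled out without running any of the obfuscator's code. The key string is the one from the article's dhcart.php; the loader text here is constructed.

```python
"""SourceCop's byte cipher, ported from the routine that eval() is fed."""
import re

KEY = "311B3C4449F31071C0"   # first argument of the eval'd call in the article's dhcart.php


def sourcecop_decode(key: str, hexdata: str) -> bytes:
    """Port of y0666f0acdeed38d4cd9084ade1739498($key, $hexdata).

    The first hex byte is a seed. Each later byte c is XORed with the next key
    character (the key index cycles 1..len(key)) and the previous ciphertext
    byte is subtracted, wrapping at 255 rather than 256. PHP's hexdec('&H'.xx)
    ignores the non-hex '&H', so the seed is simply int(xx, 16).
    """
    prev = int(hexdata[0:2], 16)
    out = bytearray()
    k, klen = 0, len(key)
    for i in range(2, len(hexdata), 2):
        chunk = hexdata[i:i + 2].strip()
        c = int(chunk, 16) if chunk else 0       # hexdec('') is 0 in PHP
        k = k + 1 if k < klen else 1             # PHP's 1-based cycling key index
        v = c ^ ord(key[k - 1])
        v = 255 + v - prev if v <= prev else v - prev
        out.append(v)
        prev = c
    return bytes(out)


def sourcecop_encode(key: str, plaintext: bytes, seed: int = 0x11) -> str:
    """Inverse of sourcecop_decode. Bytes 1..255 round-trip exactly; a NUL
    byte cannot be represented (the decoder never yields 0 for it), which PHP
    source never contains anyway."""
    if b"\x00" in plaintext:
        raise ValueError("NUL bytes cannot be represented in this cipher")
    prev = seed
    out = [f"{seed:02X}"]
    k, klen = 0, len(key)
    for p in plaintext:
        k = k + 1 if k < klen else 1
        v = p + prev
        if v > 255:
            v -= 255
        c = v ^ ord(key[k - 1])
        out.append(f"{c:02X}")
        prev = c
    return "".join(out)


def extract_eval_args(loader_src: str):
    """Pull the key and the hex payload out of a SourceCop-style loader:
    eval(<name>('KEY', $VAR)) together with the $VAR='HEX'; assignment."""
    call = re.search(r"eval\(\w+\('([0-9A-Fa-f]+)',\s*\$(\w+)\)\)", loader_src)
    if not call:
        raise ValueError("no SourceCop-style eval() call found")
    key, var = call.group(1), call.group(2)
    assign = re.search(r"\$" + re.escape(var) + r"\s*=\s*'([0-9A-Fa-f]+)'\s*;", loader_src)
    if not assign:
        raise ValueError(f"no hex payload assigned to ${var}")
    return key, assign.group(1)


def recover(loader_src: str) -> bytes:
    """Static recovery: no eval(), no PHP, no chance for 911006.php to exit()."""
    key, hexdata = extract_eval_args(loader_src)
    return sourcecop_decode(key, hexdata)


# Constructed sample: a tiny script wrapped the way dhcart.php is.
SAMPLE_PLAIN = b"<?php\necho 'hidden script';\n?>"
SAMPLE_LOADER = (
    "<?php require_once('scopbin/911006.php');"
    "$REXISTHEDOG4FBI='" + sourcecop_encode(KEY, SAMPLE_PLAIN) + "';"
    "eval(y0666f0acdeed38d4cd9084ade1739498('" + KEY + "',$REXISTHEDOG4FBI));?>"
)

if __name__ == "__main__":
    print(recover(SAMPLE_LOADER).decode())
```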
Reverse Engineering
But anyway, here is the scopbin/911006.php file indented properly:
// Decoys: each ignores its first argument and hands back the second.
function A4540acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48)
{ return $Xew6e79316561733d64abdf00f8e8ae48; }
function b5434f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48)
{ return $Xew6e79316561733d64abdf00f8e8ae48; }
function c43dsd0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48)
{ return $Xew6e79316561733d64abdf00f8e8ae48; }
function Xdsf0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48)
{ return $Xew6e79316561733d64abdf00f8e8ae48; }
// The real decryption routine: XOR each hex byte with the next key character,
// then subtract the previous ciphertext byte (wrapping at 255).
function y0666f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48)
{
  $x0b43c25ccf2340e23492d4d3141479dc='';
  $x71510c08e23d2083eda280afa650b045=0;
  $x16754c94f2e48aae0d6f34280507be58=strlen($x897356954c2cd3d41b221e3f24f99bba);
  $x7a86c157ee9713c34fbd7a1ee40f0c5a=hexdec('&H'.substr($x276e79316561733d64abdf00f8e8ae48,0,2));
  for ($x1b90e1035d4d268e0d8b1377f3dc85a2=2;$x1b90e1035d4d268e0d8b1377f3dc85a2<strlen($x276e79316561733d64abdf00f8e8ae48);$x1b90e1035d4d268e0d8b1377f3dc85a2+=2)
  {
    $xe594cc261a3b25a9c99ec79da9c91ba5=hexdec(trim(substr($x276e79316561733d64abdf00f8e8ae48,$x1b90e1035d4d268e0d8b1377f3dc85a2,2)));
    $x71510c08e23d2083eda280afa650b045=(($x71510c08e23d2083eda280afa650b045<$x16754c94f2e48aae0d6f34280507be58)?$x71510c08e23d2083eda280afa650b045+1:1);
    $xab6389e47b1edcf1a5267d9cfb513ce5=$xe594cc261a3b25a9c99ec79da9c91ba5 ^ ord(substr($x897356954c2cd3d41b221e3f24f99bba,$x71510c08e23d2083eda280afa650b045-1,1));
    if ($xab6389e47b1edcf1a5267d9cfb513ce5<=$x7a86c157ee9713c34fbd7a1ee40f0c5a)
      $xab6389e47b1edcf1a5267d9cfb513ce5=255+$xab6389e47b1edcf1a5267d9cfb513ce5-$x7a86c157ee9713c34fbd7a1ee40f0c5a;
    else
      $xab6389e47b1edcf1a5267d9cfb513ce5=$xab6389e47b1edcf1a5267d9cfb513ce5-$x7a86c157ee9713c34fbd7a1ee40f0c5a;
    $x0b43c25ccf2340e23492d4d3141479dc=$x0b43c25ccf2340e23492d4d3141479dc.chr($xab6389e47b1edcf1a5267d9cfb513ce5);
    $x7a86c157ee9713c34fbd7a1ee40f0c5a=$xe594cc261a3b25a9c99ec79da9c91ba5;
  }
  return $x0b43c25ccf2340e23492d4d3141479dc;
}
// More decoys, all of the same shape: unlink a file named by a variable and return the second argument.
function f5434f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48)
{
  if (file_exists($x456e79316561733d64abdf00f8e8ae48))
    {unlink($x456e79316561733d64abdf00f8e8ae48);};
  return $Xew6e79316561733d64abdf00f8e8ae48;
}
function j43dsd0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48)
{
  if (file_exists($x456e79316561733d64abdf00f8e8ae48))
    {unlink($x456e79316561733d64abdf00f8e8ae48);};
  return $Xew6e79316561733d64abdf00f8e8ae48;
}
function lldsf0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48)
{
  if (file_exists($x456e79316561733d64abdf00f8e8ae48))
    {unlink($x456e79316561733d64abdf00f8e8ae48);};
  return $Xew6e79316561733d64abdf00f8e8ae48;
}
function tr5434f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48)
{
  if (file_exists($x456e79316561733d64abdf00f8e8ae48))
    {unlink($x456e79316561733d64abdf00f8e8ae48);};
  return $Xew6e79316561733d64abdf00f8e8ae48;
}
// Reads a whole file into one string.
function f0666f0acdeed38d4cd9084ade1739498($x)
{ return implode('', file($x)); }
// The tamper check: exit() if the loaded script text mentions echo/print/sprint/sprintf.
function g0666f0acdeed38d4cd9084ade1739498($s)
{
  return (strstr($s,'echo')==false?
            (strstr($s,'print')==false)?
              (strstr($s,'sprint')==false)?
                (strstr($s,'sprintf')==false)?
                  false:
                  exit():
                exit():
              exit():
            exit());
}
function hyr3dsd0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48)
{
  if (file_exists($x456e79316561733d64abdf00f8e8ae48))
    {unlink($x456e79316561733d64abdf00f8e8ae48);};
  return $Xew6e79316561733d64abdf00f8e8ae48;
}
function uygf0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48)
{
  if (file_exists($x456e79316561733d64abdf00f8e8ae48))
    {unlink($x456e79316561733d64abdf00f8e8ae48);};
  return $Xew6e79316561733d64abdf00f8e8ae48;
}
funct ion drfg34fOacdeed3Bd4cd90B4ade1739498 ($x897356954c2cd3d4
"lb221e3f24f99bba , $x276e79316561733d64abdfO OfBeBae48)
{
if {file exists {$x456e79316561733d64abdfO Of8eBae4B))
{ unl i;;k ($x456e79316561733d64abdfO Of8eBae48I , } ,
return $Xew6e79316561 733d64abdfO Of8eBae4B ; }
funct ion j hkgvdsdOacdeed38d4cd90B4ade1739498 ($xB97356954c2cd3d4
"lb221e3f24f99bba , $x276e79316561733d64abdfO OfBe8ae48I
{
if (file exists ($x456e79316561733d64abdfO Of8e8ae48))
{ unlink ($X456e79316561733d64abdfO OfBeBae48) i } i
return $Xew6e79316561733d64abdfO OfBeBae4B ;
}
function yrdhhdacdeed3Bd4cd9084ade1739498 ($xB97356954c2cd3d41
"b221e3f24f99bba , $x276e79316561733d64abdfO OfBe8ae481
{
if (file exists ($x456e79316561733d64abdfO Of8eBae4B } }
{ unl i;;k ($x456e79316561733d64abdfO Of8eBae4B I , } ,
return $Xew6e79316561733d64abdfO OfBe8ae4B ;
}
ini set ( ' include path ' , ' . ' } ; '? >
First, you can see a lot of isomorphic functions which are probably there to throw us off - a stupid way to try it since it's so easy to remove. This makes us suspicious.
Let's check dhcart.php for function calls (roughly approximated by searching for occurrences of "("). It turns out that only three non-built-in functions are actually called: f0666f0acdeed38d4cd9084ade1739498(), g0666f0acdeed38d4cd9084ade1739498(), and y0666f0acdeed38d4cd9084ade1739498(). The first is a simple wrapper, the second is the one that dies if it decides we're being naughty (oh la la...), the third is the one with the loop and "255+" (suggestive of some encryption scheme). Thus the only active code in 911006.php that we know of is these functions, and tracing them will reveal any other active functions, and recursively doing this will tell us which code is live and which we can dump.
f0666f0acdeed38d4cd9084ade1739498() and g0666f0acdeed38d4cd9084ade1739498() call nothing but built-in functions, so we ignore them.
y0666f0acdeed38d4cd9084ade1739498() is more complex, so with the aid of searching for "(" we discover... that it calls nothing but built-ins.
So surprise sur-fucking-prise, the entire rest of the code is claptrap. To /dev/null you go!
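The liveness check above (find what the entry page calls, follow those calls through the include, dump the rest) can be automated. The script below is an added example, not part of the article: the two PHP snippets are constructed for it, the three hashed names are the ones the article identifies, and helper_aaaa, decoy_bbbb and decoy_cccc are made-up stand-ins for the isomorphic filler functions.

```python
"""Added example (not from the article): automate the article's liveness check.

Find which user-defined functions an entry page really calls, follow those
calls transitively through the include, and report everything else as dead.
The PHP below is constructed for this example; the hashed names are the
article's, helper_aaaa and the decoy_* names are invented.
"""
import re

ENTRY_PHP = r"""<?php
include '911006.php';
$body = f0666f0acdeed38d4cd9084ade1739498('cart.txt');
g0666f0acdeed38d4cd9084ade1739498($body);
echo y0666f0acdeed38d4cd9084ade1739498('key', $body);
"""

INCLUDE_PHP = r"""<?php
function f0666f0acdeed38d4cd9084ade1739498($x) { return implode('', file($x)); }
function g0666f0acdeed38d4cd9084ade1739498($s) { return strstr($s, 'echo') == false ? false : exit(); }
function y0666f0acdeed38d4cd9084ade1739498($k, $c) { return helper_aaaa($k, $c); }
function helper_aaaa($k, $c) { return strlen($k) + hexdec(substr($c, 0, 2)); }
function decoy_bbbb($k, $c) { if (file_exists($c)) { unlink($c); } return $undefined; }
function decoy_cccc($k, $c) { return decoy_bbbb($k, $c); }
"""

DEF_RE = re.compile(r"\bfunction\s+([A-Za-z_]\w*)\s*\(")
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")   # the article's "search for ("


def function_bodies(src: str) -> dict:
    """Map each user-defined function name to its brace-delimited body."""
    bodies = {}
    for m in DEF_RE.finditer(src):
        start = src.index("{", m.end())          # first '{' after the parameter list
        depth, pos = 0, start
        while pos < len(src):                    # walk to the matching '}'
            if src[pos] == "{":
                depth += 1
            elif src[pos] == "}":
                depth -= 1
                if depth == 0:
                    break
            pos += 1
        bodies[m.group(1)] = src[start:pos + 1]
    return bodies


def calls_in(code: str, defined: set) -> set:
    """Names followed by '(' that are user-defined; built-ins are ignored."""
    return {name for name in CALL_RE.findall(code) if name in defined}


def live_functions(entry_src: str, include_src: str) -> set:
    bodies = function_bodies(include_src)
    defined = set(bodies)
    live = calls_in(entry_src, defined)          # called directly from the entry page
    todo = list(live)
    while todo:                                  # transitive closure over the call graph
        for callee in calls_in(bodies[todo.pop()], defined) - live:
            live.add(callee)
            todo.append(callee)
    return live


def dead_functions(entry_src: str, include_src: str) -> set:
    """Everything defined in the include that no live path reaches."""
    return set(function_bodies(include_src)) - live_functions(entry_src, include_src)


if __name__ == "__main__":
    print("live:", sorted(live_functions(ENTRY_PHP, INCLUDE_PHP)))
    print("dead:", sorted(dead_functions(ENTRY_PHP, INCLUDE_PHP)))
```

The brace walker does not understand strings or comments, so a `{` inside a string literal would throw it off; for a real sample, run it over code with string literals stripped first, or check its output against a grep for the function names.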
Now to make the names more readable. The functions and their arguments can be renamed (but then re-aliased if you wish so that the obfuscated code will still run) according to what they seem to be doing. To rename, we use the wondrous find-and-replace feature that your text editor should have.
Here is the code. In the interest of leaving some small amount of mystery for you to puzzle over, I'm not going to explain it.
<?php ini_set('include_path', dirname(__FILE__));
function decrypt($key, $cyphertext)
{
    $s = '';
    $i = 0;
    $keylen = strlen($key);
    // the first hex pair seeds the running "previous byte" value
    $char = hexdec('&H' . substr($cyphertext, 0, 2));
    for ($j = 2; $j < strlen($cyphertext); $j += 2)
    {
        $cypherbyte = hexdec(trim(substr($cyphertext, $j, 2)));
        $i = (($i < $keylen) ? ($i + 1) : 1);   // cycle through the key, 1-based
        $plainbyte = $cypherbyte ^ ord(substr($key, $i - 1, 1));
        if ($plainbyte <= $char)
            $plainbyte = 255 + $plainbyte - $char;
        else
            $plainbyte = $plainbyte - $char;
        $s = $s . chr($plainbyte);
        $char = $cypherbyte;   // chain on the previous cyphertext byte
    }
    return $s;
}
function y0666f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48)
{ return decrypt($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48); }
function loadFile($x)
{ return implode('', file($x)); }
function f0666f0acdeed38d4cd9084ade1739498($x)
{ return loadFile($x); }
function checkFile($s)
{
    // dies if the loaded text contains any output function; returns false otherwise
    return (strstr($s, 'echo') == false ?
        (strstr($s, 'print') == false) ?
        (strstr($s, 'sprint') == false) ?
        (strstr($s, 'sprintf') == false) ?
        false :
        exit() :
        exit() :
        exit() :
        exit());
}
function g0666f0acdeed38d4cd9084ade1739498($s)
{ return checkFile($s); }
ini_set('include_path', '.'); ?>
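For readers who want to check their reading of decrypt() against something that runs, here is an added example (not the article's code): a Python mirror of the routine above, plus its inverse derived from it and a round-trip check. The "255+" branch turns out to be a subtraction modulo 255 of the previous cyphertext byte, and because the wrap maps 0 to 255 the scheme can never produce a NUL byte, which the inverse refuses. The test vectors are constructed.

```python
"""Added example (not from the article): a clean mirror of the recovered
decrypt() routine and the inverse derived from it.

Each hex pair after the first is XORed with the cycling key, then the previous
cyphertext byte is subtracted modulo 255 (the "255+" wrap). The first pair
seeds that chain. The wrap never yields 0, so encrypt() rejects NUL bytes.
"""


def decrypt(key: bytes, cyphertext_hex: str) -> bytes:
    """Mirror of the PHP decrypt($key, $cyphertext) above."""
    prev = int(cyphertext_hex[0:2], 16)          # the PHP code's $char seed
    out = bytearray()
    for n, j in enumerate(range(2, len(cyphertext_hex), 2)):
        cipherbyte = int(cyphertext_hex[j:j + 2].strip(), 16)
        keybyte = key[n % len(key)]             # $i cycles 1..keylen, 1-based
        plainbyte = cipherbyte ^ keybyte
        if plainbyte <= prev:
            plainbyte = 255 + plainbyte - prev  # the "255+" wrap
        else:
            plainbyte = plainbyte - prev
        out.append(plainbyte)
        prev = cipherbyte                       # chain on the cyphertext byte
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes, seed: int = 0x41) -> str:
    """Inverse of decrypt(): returns the hex string decrypt() expects."""
    if 0 in plaintext:
        raise ValueError("the 255+ wrap cannot represent a zero byte")
    prev = seed
    out = [f"{seed:02x}"]
    for n, p in enumerate(plaintext):
        t = p + prev                            # undo the subtraction...
        if t > 255:
            t -= 255                            # ...modulo 255, range 1..255
        c = t ^ key[n % len(key)]
        out.append(f"{c:02x}")
        prev = c
    return "".join(out)


def roundtrip_ok(key: bytes, plaintext: bytes) -> bool:
    return decrypt(key, encrypt(key, plaintext)) == plaintext


if __name__ == "__main__":
    # constructed vector: seed 0x10, key "k", cyphertext byte 0x3a -> "A"
    print(decrypt(b"k", "103a"))
    print(roundtrip_ok(b"secret", b"Hello, 2600!"))
```

Once the routine is this small it is also clear how weak it is: with a known or guessed plaintext the key bytes fall straight out of the XOR, so treating this as "encryption" rather than obfuscation would be a mistake.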
Conclusion
Obfuscation is inefficient. Obfuscation is underhanded. Obfuscation is written by people who assume others are really stupid and intend to exploit that. It is as close to evil as ASCII can get. I wrote this guide both to raise consciousness of this particular idiocy in the world today, and to guide newbies along the path to hackerdom. I hope you found it enlightening.
Now excuse me while I flick this switch.
by daColombian
jmwco@llblazemail.com
According to my family, I am a very paranoid person. I really don't think I am paranoid; rather, I classify myself as "careful." One of the things that I tend to be careful about is purchasing the latest 2600 Magazine. While I truly believe that the 2600 staff protects the identities of their subscribers, I live in a very small town where everyone knows everyone's business and I can only imagine the uproar that the arrival of 2600 would cause.
So in order to protect the "peace," I have been relegated to going to a bookstore in another town to purchase it (with cash). The biggest problem with this method is being able to know when the new issue is released. I have to periodically stop by the aforementioned bookstore and check to see if the new issue is out. This quickly became troublesome due to the distances involved. So I had to look for another answer.
I started by checking the 2600 website every day at work (because I only have dialup at home) but even that was troublesome because the network admin is one of them "ass-backwards" folks who thinks "hacker" is a dirty word and would have made my life miserable if they found out.
What I needed was a way to view the cover image without logging any suspicious activity. So what I ended up doing was writing a small ASP page (see code below) that would grab the cover image of the latest issue from the 2600 website and display it so that I would know instantly when the new issue was out. This would allow me to know this by only going to my personal website.
Basically the page takes a given URL, searches for a given token, and then returns the associated image as a link to go to that page. As you can see from the sample code, I also get a couple of other images for my reading pleasure.
Good luck, stay safe, and keep your powder dry....
<%
Option Explicit
On Error Resume Next
Dim oHttp, sTemp, iComic, iStart, iEnd, aUrls(3), aSrch(3), aComics(3), a
Set oHttp = CreateObject("Msxml2.ServerXMLHTTP.3.0")
aUrls(0) = "http://www.2600.com/"
aSrch(0) = "images/covers"
aUrls(1) = "http://www.dilbert.com/"
aSrch(1) = "TODAY'S COMIC"
aUrls(2) = "http://www.gocomics.com/thequigmans/"
aSrch(2) = "comics/tmqui"
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Comics page</title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
</head>
<body>
<table width=590 cellspacing=5 cellpadding=5>
<tr><td class='linetop' colspan=4 align=left valign=bottom>Comics</td></tr>
<%
' loop through all of the URLs in the array
For a = 0 To UBound(aUrls) - 1
    aComics(a) = ""
    ' get the text from the given page
    sTemp = getLink(aUrls(a), oHttp)
    ' if there is text
    If Len(sTemp) > 0 Then
        ' look for the token
        iComic = InStr(UCase(sTemp), UCase(aSrch(a)))
        If iComic > 0 Then
            ' look for the image tag
            iStart = InStrRev(UCase(sTemp), "<IMG", iComic)
            If iStart > 0 Then
                ' look for the closing > of the image tag
                iEnd = InStr(iStart, sTemp, ">") + 1
                If iEnd > 0 Then
                    ' get the image tag text
                    aComics(a) = Mid(sTemp, iStart, iEnd - iStart)
                    ' replace the src with one pointing to the originating website
                    If InStr(aComics(a), "SRC=""/") > 0 Then
                        aComics(a) = Replace(aComics(a), "SRC=""/", "SRC=""" & aUrls(a))
                    ElseIf InStr(aComics(a), "SRC='") > 0 Then
                        aComics(a) = Replace(aComics(a), "SRC='", "SRC='" & aUrls(a))
                    Else
                        aComics(a) = Replace(aComics(a), "SRC=""", "SRC=""" & aUrls(a))
                    End If
                    ' write the image tag out with a hyperlink to the originating website
                    Response.Write "<tr><td align=center><a href=""" & aUrls(a) & """>" & _
                        aComics(a) & "</a></td></tr>" & vbCrLf
                End If
            End If
        End If
    End If
Next
%>
<tr><td class='linebottom' colspan=4 align=center valign=top>&nbsp;</td></tr>
</table>
</body>
</html>
<%
Function getLink(sUrl, oHttp)
    Dim RefPage
    On Error Resume Next
    getLink = ""
    ' open the url
    oHttp.Open "GET", sUrl, False
    If Err.Number = 0 Then
        ' send the request
        oHttp.Send
        If Err.Number = 0 Then
            ' get the response
            RefPage = oHttp.responseText
            ' return the response if the page is found
            If InStr(RefPage, "NOT FOUND") = 0 Then getLink = RefPage
        End If
    End If
End Function
%>
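The token-then-image lookup the ASP page performs (find the token, walk back to the nearest <IMG, cut the tag at its closing >, make the src absolute) is shown below in Python as an added example, not daColombian's code. It goes a step further than the three string replacements above by resolving the src with urllib.parse.urljoin, which handles root-relative, page-relative and single- or double-quoted values alike. The sample page is constructed; real site markup will differ.

```python
"""Added example (not from the article): the ASP page's token-to-image lookup
in Python, with relative src values resolved by urljoin instead of string
replacement. SAMPLE_PAGE is constructed for the example.
"""
import re
from urllib.parse import urljoin

SAMPLE_PAGE = """<html><body>
<p>Latest issue:</p>
<a href="/issues/latest"><img src="/images/covers/summer2007.jpg" alt="cover"></a>
<p>Masthead: <IMG SRC='logo.gif'></p>
</body></html>"""

IMG_RE = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)


def find_image_near_token(page: str, token: str, base_url: str):
    """Absolute URL of the <img> at or just before `token`, or None if absent."""
    upper = page.upper()
    pos = upper.find(token.upper())                   # case-insensitive, like UCase/InStr
    if pos < 0:
        return None
    start = upper.rfind("<IMG", 0, pos + len(token))  # nearest tag start, like InStrRev
    if start < 0:
        return None
    m = IMG_RE.match(page, start)                     # tag text up to its closing '>'
    if not m:
        return None
    sm = SRC_RE.search(m.group(0))
    if not sm:
        return None
    src = next(g for g in sm.groups() if g is not None)
    return urljoin(base_url, src)                     # "/x", "x" and "http://..." all work


def link_html(page: str, token: str, base_url: str) -> str:
    """The table row the ASP page writes: the image wrapped in a link to its site."""
    src = find_image_near_token(page, token, base_url)
    if src is None:
        return ""
    return f'<tr><td align=center><a href="{base_url}"><img src="{src}"></a></td></tr>'


if __name__ == "__main__":
    print(find_image_near_token(SAMPLE_PAGE, "images/covers", "http://www.2600.com/"))
    print(link_html(SAMPLE_PAGE, "logo", "http://www.2600.com/"))
```

One caveat carried over from the original: both versions trust whatever tag the remote page serves. If the fetched HTML is written into your own page verbatim, as the ASP version does with Response.Write, anything the remote site puts in that tag lands in your page too; emitting only the extracted src, as link_html does, keeps the output to an attribute value you built yourself.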
Fun at the Airport
by Evil Wrangler
I live in a major U.S. city which, like most major U.S. cities, has a major airport that has been infested with Transportation Safety Administration workers and idiotic, restrictive security policies designed to give the American public a false sense of safety and provide an artificial environment for inefficient and greedy airline companies to continue to do business. Many suspect that the Emperor is, in fact, naked, and recently I took it upon myself to investigate whether the vaunted airport security implemented by the gargantuan TSA is thorough or not.
What is detailed in this narrative nudges very close to breaking U.S. laws. Under no circumstances should anyone reading this replicate what is written here. This account, while factual, is for information purposes only.
Recently I was in the airport waiting for a flight that had been delayed. Wow, like that never happens. It was late at night - after 8:00 pm, and since I already had parked the car and had about an hour to kill, I decided that I would wander around and investigate the lay of the land. At the time I did this, I was dressed in jeans, sneakers, and a black t-shirt that proclaimed: "I'm not a hacker, I'm a security professional." Really - this was what I was wearing. Why this matters will become evident shortly.
So I started by examining the physical layout of the terminal building. Bottom floor for arrivals and baggage claim, main floor for tickets and check-in, and a mezzanine for offices and food. Arrivals is boring - by then all the fun's over. The main floor, with ticketing and check-in, is where the TSA does their security dance. Basically there's a section of the floor that allows passengers to pass through from the ticket counters to the side with the gates and aircraft and overpriced shopping. Passengers stand in long lines, remove their shoes, and occasionally a TSA person pulls a grandmother out of the line and gives her "the wand" which is a more thorough physical search designed to detect that yet another American's liberties are being violated.
Unfortunately for the TSA (and us, perhaps) airport architects were not aware that the U.S. would become a terrorist target and therefore when they laid out the floor plans they designed them to facilitate access, not restrict it. So TSA has to make up for their shortsightedness by physically blocking off access using those elastic rope-and-pole gizmos accompanied by a TSA goon or two. In addition, the entire terminal floor, from the entranceways down to the gates, is being monitored by CCTV. So in the event somebody somewhere does something to someone sometime, it gets recorded on videotape for later network and cable broadcast, and for the trial of course.
In my particular unnamed major city airport there are two large sections of the floor staffed with TSA goons with their conveyor belts, elastic ropes, x-ray machines, and other paraphernalia. There also are a couple of areas, blocked off with elastic ropes and manned by TSA goons, where flight crew, wheelchair passengers, etc. can proceed from one side of the terminal to the other. Basically, if you want to get to the gates, you have to walk past a TSA station. Or do you? Well, that's what I decided to find out.
For starters I went up to the mezzanine, above the terminal. Originally this floor was designed to allow people to stand and gawk at the air travelers while enjoying their lattes. It has a terrific view of the airfield, and is perfect for small children who want to practice spitting on helpless travelers. However, since the terrorists might try something more extreme than spitting, the entire mezzanine floor above the gate concourse has been glassed off, from the balcony to the ceiling, using thick (but not bulletproof) glass panels and silicone sealant.
At the end of the mezzanine walkway there is a smaller panel cut to fill the remaining space (of course the architect did not think to design a mezzanine to be a multiple of the length of the glass panels). That panel, on the end far away from TSA, only had silicone sealant bonding it to another panel - it was not bonded to the wall.
For those not familiar with silicone sealant, acetone, also known as nail polish remover, will dissolve it quite effectively. So your garden variety terrorist need only walk into the airport, take the escalator or elevator up to the next floor, walk to the end where there are no people, fasten a suction cup or other apparatus to the glass, and with a couple of minutes with some acetone and maybe a utility knife (remember, I never went through security so I can have whatever I want to do this) that glass panel is going to come loose.
What a budding terrorist would do after that is a matter of conjecture - start shooting, throw explosives, or just dump out your handy container of sarin or anthrax or whatever and wait for the fun to begin. Or else they could simply climb over the railing and drop to the floor below, or use a rope and rappel if they're going for that whole "commando terrorist" look.
But most of us aren't terrorists - a fact that appears to have been lost on the U.S. government. Why would we want to risk injury climbing over the railing and dropping ten or fifteen feet when we could just walk down the stairs? That's right, in my particular airport I observed several staircases that led directly from the mezzanine down to the gate side of the terminal main floor. Two had imposing signs mounted on the door saying "Restricted Access - Do Not Enter" and one had absolutely no sign at all. That's called "security by obscurity" and it's always a bad idea. All three stairwells were open and none of them had so much as an alarm. I personally verified these facts. Had I desired an extended stay with the federal authorities I easily could have walked down the stairs and exited onto the terminal floor on the gate side of the terminal without having gone through security. My entry would have been recorded by security cameras. Talk about meeting you at the gate!
Not inclined to do a lot of walking? Lazy or fat hackers can take the elevator. In my particular airport there are several elevators between the three floors. One elevator is built so that it lets you out on the main floor in a narrow hallway adjacent to the women's bathroom. If that's not enticing enough, you can just turn around and walk through the unlocked door to the gate side of the terminal. The sign on the door reads "Restricted Access - Do Not Enter," but there's absolutely no physical barrier preventing someone from walking through the door. If you're male, and you'd rather use the men's bathroom, you can walk past the elevator, around the TSA checkpoint which is situated between two dividing walls, and past the men's room to the other labeled and unlocked door. Again, security cameras will record your intrusion, but besides that there's absolutely no barrier to entry.
Up on the mezzanine you get a terrific view, mostly of cleavage and construction dust, but also of the security camera layout. Most of the cameras are hardwired together and routed to a hidden security outpost. However some of the cameras are - I am not making this up - connected to wireless routers plugged into electrical sockets nearby. Those familiar with the old X10 camera hack - if you're not just Google for 2600 and warspying - will realize that with a laptop and some inexpensive hardware, it is possible to override the signal of the cameras. A cute Hollywood illustration of this is available in the original Speed movie where, unfortunately, it fails to fool terrorist Dennis Hopper. But if you wanted to get through one of those doors I mentioned earlier all you'd do is record a small video clip of nothing happening on one of the cameras, and then replay that clip as a loop on the camera's frequency while you browse the bookstores and luggage shops on the gate side of the terminal.
There were other enticing finds up on the top floor, including empty offices with Simplex door locks (some with default combinations and some that would require either a few good guesses or else Google for the 2600 article by Scott Skinner and Emmanuel Goldstein) as well as a nursery and the offices of the TSA. That's right, I walked around and past the security offices several times without being observed or challenged.
Also up on the mezzanine was a closed and locked branch of a large U.S. bank that was, in spite of several cameras pointing at the front, open and accessible from the back side. Behind the teller desk there were offices with their network connected Windows workstations, unlocked, and their numerous chairs, desks, office supplies, and telephones. I literally had the opportunity to rob a bank branch at the airport. Besides a picture of me walking past the closed and locked teller windows on the security cameras, there would have been no way that I could have been linked to the crime had I taken some elementary forensic preparations. Needless to say I passed up this golden opportunity to spend several years in a state penitentiary, but the security holes remain as I write this, waiting for someone with fewer scruples (and maybe better at climbing over high walls) to take advantage of them.
Having identified these (and other) chinks in the vaunted TSA armor, it was time for me to approach the TSA workers. I rode the escalator down to the main terminal floor (still on the street side of the terminal, not having passed through security) and began to interact with the TSA workers.
At this point I'd been walking around the terminal for about an hour, unmolested, wearing my black t-shirt. I approached three TSA goons/guards and asked about the configuration of the escalators, namely the one going upstairs was not adjacent to the one going up from the floor below. The TSA person told me that they did not know but I could go ask Information. I explained that the name of the information department was a misnomer and that I would be more likely to get an answer from maintenance. They told me that they did not know where maintenance was. I thanked them and walked back upstairs to stare down on them in disgust.
I rode the escalator down from the mezzanine level and stood in front of three TSA workers wearing a hacker t-shirt, having previously walked by them several times in the past 60 minutes, and they neither noticed me nor considered me suspicious. Only in America....
Next I approached another group of TSA workers at a different checkpoint and struck up a conversation about an antique airplane mounted from the ceiling of the terminal. One of the TSA workers asked me something like "Are you here to pick up someone or are you here doing something else?" I assured them, truthfully, that I was there for the purpose of meeting an arriving passenger. That satisfied them. I soon became bored and went downstairs to the arrivals area, partly to be consistent with my story, but also to scope out the lower floor.
Arriving passengers descend from the gate area to the baggage claim area. They then proceed to the baggage carousel. To keep the riffraff out, there is an overhead rig consisting of motion sensors and flashing blue lights mounted above the base of the descending escalators. This post is manned by a TSA worker. Apparently if someone tries to walk from the baggage area to go up the down escalator, the lights flash and a recorded voice shouts "Warning warning do not proceed" or "Danger Will Robinson" or something equally urgent. Problem was, I only saw it activated when passengers came down the escalator, creating false positives which the TSA worker dutifully ignored.
In the interest of learning I approached the TSA workers (by now there were two) and asked them what they referred to this device as, what was its name? They seemed not to understand me. I tried asking the question a different way. After the third attempt the one that kind of spoke English explained to the one that obviously did not speak English that I was inquiring about the term that they used to describe their particular security device. The best answer that the two TSA ESL candidates could produce was the one that I ventured for them - sensor. Unless these two were martial arts teachers moonlighting as security goons, there was no hope that they would be able to withstand any sort of brute force attack, let alone something simple like me distracting them while someone else snuck behind them and scooted up the escalator (or stairs - there also were stairs, but lazy American passengers always seemed to use the escalator to descend to the baggage claim area).
Finally, it was time for me to pick up my arriving passenger. Their plane had arrived, so I went upstairs to the mezzanine and called their cell phone. I watched through the not-bulletproof glass that I could easily detach as their plane taxied to the gate and disgorged them, neither safe nor sound, into my city's major airport terminal.
In summary, there are two points to take away. The first is that security is an illusion and that the Emperor is, indeed, quite naked, if you simply begin looking. The second, more disturbing point, is that the government both is lying to us and is spending shitloads of tax money on nonsensical contrivances like the Transportation Safety Administration, which should be dismantled IMHO and replaced with something that actually could identify the small number of potential terrorists rather than forcing the entire population of the country to endure the misanthropic groping of an uneducated illiterate workforce. End of soapbox - happy hacking!
Hacking Xfire
by Akurei
I'm not much of a writer so please forgive. Recently I was pissed off when I found Xfire wouldn't record the time I was spending building NWN2 (Neverwinter Nights 2) modules via the toolset. But it was more than happy to record the time from the game. So I went about tweaking this and in the process found some fun things you can do.
Everything listed here is very benign and far more a mod than any real hack. Though I'm sure given the proper exploitation you could piss off Xfire quite a bit.
Upon browsing to your Xfire directory you will find a file called "xfire_games.ini." This holds all the game data/tracking info the client calls upon to track your game-play use. However the client makes no attempt to match your client ini with their server side ini unless a client update/patch changes them. This of course leaves us a big window to modify this all we want.
First let's see how to add those trackers for the NWN 1 or 2 toolsets. Developers do deserve credit, don't they?
Open xfire_games.ini with any standard text editor. It doesn't need to be anything fancy. And there's no encryption on this either, so it's plain as day to read/understand.
For Neverwinter 1 do a search for Neverwinter and you should see the following:
LongName=Neverwinter Nights
ShortName=nwn
LauncherDirKey=HKEY_LOCAL_MACHINE\SOFTWARE\BioWare\NWN\Neverwinter\Location
Below that line you would add the following:
DetectExe=nwtoolset.exe
Save and you're done. It goes without saying you shouldn't do this with Xfire running. It wouldn't cause any problems. You'd just have to restart the client for the new ini to take effect.
For Neverwinter 2, follow the same steps listed above (except keep searching past NWN1 until it says Neverwinter 2). This time you should see the following code:
DetectExe[0]=nwn2main.exe
DetectExe[1]=nwn2main_amdxp.exe
In this case you would add the following:
DetectExe[2]=nwn2toolsetlauncher.exe
Save again and you'll be set. Just remember that when the client is updated/patched the ini is not always changed. But you should check each time as it likely will have been. There are multiple workarounds for this system as well, but that's another article.
If you've been paying attention, or have even the slightest of nefarious minds, you can see how this system is very open to exploitation. Any system process could be slapped into the ini for detect, to create a false result on any game of your choice.
Hacker Perspective: Mitch Altman
I don't know how to define a hacker, but I guess I am one. And whatever hacking is, I derive great pleasure from it, and, more recently, community as well.
I grew up in my own little world as a kid. What choice did I have? Being tormented daily and beaten up frequently by other kids for being geeky, I quickly found that hanging out by myself was way better than being subjected to the cruelty of the other kids while the gym teacher (it's always the gym teacher, isn't it?) watched the scene with his arms folded, encouraging their daily tortures. Not having other kids to learn from about social norms, I looked at things and thought about things in my own way. This was painful as a kid, but it turned out to be a great asset later in life. Starting from a depressed blob of a kid, I somehow learned to love life, and hacking is a big part of how I did that. So is TV. I see life as a hack. We keep hacking away at it, making it as good as we can, and sharing it as we go along.
How can anyone be bored? Maybe boredom has to do with feeling confined, like in a hospital. Or a jail cell. Maybe it really comes down to depression. While depressed how can you be motivated to do anything? Except maybe watch TV. That's what I did, as a kid, as much as I could: after another day of anguish at the hands of my peers, I'd come home and retreat into TV. I remember thinking, while watching yet another episode of Gilligan's Island, "I don't really like this - why do I watch this every day?" But I just kept watching. Time went away. Hours each day that I wasn't doing something enjoyable, that I wasn't learning how to interact with other kids, that I wasn't being active or doing something healthy. And all the junk food I ate in front of the thing made me even fatter. And all the people on TV were beautiful, happy, and any problems they had were solved by the end of the half-hour show. They had friends, they had warm, loving parents. It was all so depressing! And the next day, back at school, I was even more of a target: I'd get beaten and tormented all the more. So, I'd come home and retreat into TV. The cycle of depression continued.
But one day, I made a choice for myself, not for someone else or what I thought others wanted of me. I chose to stop watching TV. And it sucked! I was bored. What to do? I did some of the things that I had been doing all along, but had neglected: taking apart electronics, putting them back together, ham radio, messing with phones, programming the mainframe computer late at night at the factory that let some of us cub scouts in during the wee hours when they didn't need the computer power to make chemically processed, frozen desserts for America. Though I was still depressed, I saw that there were some things I actually liked doing.
The first big system I tried to hack was me. Like many of my first hacks, it wasn't successful. I made a big mess of things. I tried to hack myself into a wonderful person for others and failed. Later I would figure out that for some systems, such as myself, it's way better to make use of strengths, as well as find good uses for what I thought were weaknesses. But back then there were some successes on other fronts. I managed to convince my parents to add a second phone line to their house. I set to hacking a switch that would connect the two phone lines together after I'd call two pizza places, or two bullies from school who didn't like each other. I soon learned that I had to unscrew the phone's microphone so that no one could hear me laugh. Wiring the basement for sound with the homemade stereos I built was important for listening to Pink Floyd's Dark Side of the Moon really loud, way high on pot (from the homemade electronic bong that I made), meditating on fixing myself so that other people might actually want me around.
That brings me to what really saved my life. Pot. I know it's not fashionable in our homeland-security-era to say that you did drugs. But it was the 70s then and everyone was smoking it, even the jocks. And after somehow getting through junior high school alive (if not emotionally scarred for life), I found another system to hack: the school district. I worked it so that I had a choice of which of two high schools to go to and, naturally, chose the one all the bullies did not go to. And this high school had an electronics
Page 26 -------------------- 2600 Magazine
2600 v24 n2 (summer 2007)
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 

2600 v24 n2 (summer 2007)

Discovering Vulns .......... 6
The Shifty Person's Guide to Owning Tire Kingdom .......... 8
Enhancing Nortel IP Phones with Open Source Software .......... 10
Telecom Informer .......... 13
Deobfuscation .......... 15
Getting 2600 the Safe Way .......... 20
Fun at the Airport .......... 22
Hacking Xfire .......... 25
Hacker Perspective: Mitch Altman .......... 26
Valuepoint .......... 29
Internet Archaeology .......... 32
Hacking Answers by Gateway .......... 33
Letters .......... 34
VoIP Cellphones: The Call of the Future .......... 48
Pandora Hack - Get Free MP3s .......... 49
Adventures in Behavioral Linguistics .......... 50
Transmissions .......... 52
An ISP Story .......... 54
Hacking Whipple Hill with XSS .......... 55
Haunting the MS Mansion .......... 56
Reading ebooks on an iPod .......... 57
Java Reverse Engineering .......... 58
Marketplace .......... 62
Puzzle .......... 64
Meetings .......... 66
We've witnessed a great change in our culture over the last couple of decades. But many of our readers have only been around themselves for that amount of time or even less. Therefore it's important to look at what has changed so that some perspective can be gleaned out of what's been going on. And for the rest of us, it's important to remember so we can also learn and hopefully plan things out for a better future.

People used to get involved in hacking back when the world of computer and telephone technology was just beginning to open up because for many of us it was the only way in. Owning a computer was something most of us could only dream about. And the telephone network was big and omnipotent and kept out of the reach of those who wanted to shape it and experiment. In the early days, if you wanted to play with a UNIX system, you almost had to use one that you didn't have permission to access. If you wanted to communicate on something bigger than a one or two line BBS, breaking into a system run by the government or a large corporation was a path many of us chose. The cost of making a telephone call was almost universally prohibitive for anyone who had the desire to try and communicate with people outside their local area. Methods were devised and shared that allowed those with a bit of technical knowledge, a spirit of rebellion, and a desire to explore the ability to make calls all around the world, not just to other people like them but also to operators and technicians who could help them understand the vast system.

Today it's a completely different landscape, at least for those of us in the developed world. Hopping on the net and communicating worldwide is something practically everyone takes for granted these days. It means nothing to access a website that's coming from another part of the world whereas in the past it would have been a big deal to see even a foreign newspaper in the library. Details of our daily lives are shared planetwide through our blogs, mailing lists, mobile phones, laptops, and scores of other devices and methods. Contacting anyone anywhere at any time has never been easier or cheaper.

It would seem that everything those hackers of the not-so-distant past were setting out to achieve has been accomplished. Access is readily available to most of us, communications around the globe are cheap or free, information on operating systems and computer programs is shared rather than restricted, and concepts like open source software, free access, and open expression seem to be flourishing or, at the very least, heavily in demand.

So where do the hackers fit in today? How are they even relevant? To answer this requires an understanding of what hacking actually is. If you're of the belief that the world of hacking comprises little more than making free phone calls and infiltrating computer systems, then the relevance factor has indeed gone way down. There is no long distance anymore; there seems to be little that is beyond reach. You no longer have to be a hacker to figure it all out. And since computers are now everywhere, all sorts of people are accessing things they're not supposed to have access to, regardless of their technical ability. Whether it's a university that leaves the personal data of 90,000 people up on a website, a certain government agency that still has its routers accessible to the entire world using default passwords, or individuals who feel compelled to post an astounding amount of personal data and private thoughts on sites like MySpace, Facebook, LiveJournal, Blogger, and so many others - infiltration and the obtaining of data that we really shouldn't be able to obtain is hardly a challenge anymore. To many that challenge has been reversed. Instead of trying to figure out ways to penetrate a system, the task now is to keep from being victimized by our collective naivete and the poor security that pervades the computers running our society. Maintaining your own privacy, avoiding the many ways of becoming a victim, and ultimately designing better systems is the next step that many of us are already taking.

Page 4 -------------------- 2600 Magazine

While these are all positive things to be involved in, they are mostly defensive and lack the real edge of what the hackers of old were involved in. For those who have never experienced this, it's very difficult to describe. But it's a feeling of knowing that you're into something fascinating that most "normal" people could never understand and that one day might lead to something incredible. It's also something that is usually forbidden for one reason or another, often because the people in control also realize the tremendous potential and they fear the sense of empowerment that individuals might gain by understanding this.

Lots of people see the thrill in being involved with something like the hacker world because it's portrayed with a hint of insurgency and self-determination. It's romanticized in our movies, on television, and in literature. Even in mainstream stories, the hero always operates outside the rules in order to get the job done effectively, as well as to be defined as a true individual. And for the vast majority of those interested in becoming part of the hacker culture, this is all that matters: the image. That, even more than the changing technologies, is what threatens the relevancy of the hacker world. It's the epitome of a rebel without a cause.

There are all sorts of stories that have been written about victors in a war who then have no idea how to handle their triumph because they never expected to win. There are elements of that which can be applied to hackers. We no longer need to struggle to accomplish those things we wanted, mainly communications, understanding, and the sharing of information. Those all seem to be the defaults now. In that regard we have most definitely won. But luckily the hacker mentality goes quite a bit beyond those concepts. Discovery never ends. Nor do those forces that want total control over societies and individuals, those forces which we must engage in perpetual battle with. As long as they exist - in other words, for the duration of humanity - the hacker mentality will continue to be relevant and essential.

It's difficult not to get sucked into the world of popularity, especially when what you are saying or doing happens to become trendy. We've faced this odd problem for a large part of our existence. We've watched many good ideas turn into vastly successful business models. We've seen many people become insanely rich. And we've witnessed the inevitable gap that develops between the original goals and the realities of the marketplace when "success" strikes. It's not that bigger isn't always better. The original picture, however, does tend to become obscured when it's surrounded by flashiness and mass appeal. This may be fine for promoting commercial products but it's about the worst thing that could happen to an entity with ideals.

An interesting parallel is that of government. Many years ago it was possible to be heard as an individual, even all the way to the top leadership positions. Today that is all but impossible with all of the "protection" and virtual firewalls that keep the people from their leaders. This is not a healthy progression. There is growing and then there is growing apart.

We will remain relevant as long as we keep thinking and developing as individuals. It's clear the landscape has changed and it would be foolish to not change with it. But to say the hacker world is dead because there's nothing left to hack shows a profound lack of understanding as to what hacking actually is. It's not a fashion statement or a fad. It's not a bunch of people looking to break the laws and get everything there is to get for free. It's a state of mind that keeps one in a constant state of questioning everything around them, whether it be technological in nature, a set of rules, or an entire belief system. It's about adapting and experimenting, far more than most others would ever attempt. And, perhaps most importantly, it's about sharing what you learn and what you experience, not just with fellow hackers but with the rest of the world. It's likely most of the latter will have no idea just what it is you're doing and in fact may completely misunderstand your motives. But perceptions change over time, one way or another.

We're always looking to hold onto our spirit here and to self-examine as much as possible. This is why we sent out reader surveys to all of our subscribers earlier this year. In the next issue we hope to be able to analyze the pile of opinions and suggestions we've gotten back. The enthusiasm we've seen so far is all the evidence we need to conclude that we've still got something amazing here.

Summer 2007 ---------------------- Page 5
Discovering Vulns
by Cliff

"H3y d00dz w07 R t3h r3411y k3wl hAx 4...?"

Aren't you just sick of reading this kinda thing? Guess what, the "k3wl hax" don't get designed and published by Microsoft each week. People find them. Where do exploits and vulns (system vulnerabilities) get found? They're usually bugs or misused features. But how do they get discovered? How can you discover your own, or better still, how can you reduce the risk of someone else finding vulns in your code? I'm going to talk in general terms about methodologies as opposed to any script-kiddie examples.

Exploits
Exploits are vulnerabilities that have been taken to the next level - someone has seen a weakness/vuln and then worked out how to abuse it. An exploit may allow illegal code to be run, it may just crash a system, or it may open a back door for further abuse later. Exploits are pretty much limited by the vulnerability found, but sometimes what appears a minor vulnerability can open up a chain of exploits. Some types of exploits are described below.

Reboot - make the server require a restart. This can interrupt other processes, maybe require manual starts of some tools, cause a lot of anxiety, "stability" issues, and other bad things. Very hard to track down.

Starve of Oxygen - strangle all the other apps on the box. If apps run out of system resources (typically RAM or disk), they can get panicky and start throwing errors of their own. Starving a box using one vuln/exploit may force other apps to fail, possibly revealing secrets along the way, or at least being a huge pain to clear up.

Slow to crawl - if all the starved apps above behave well, they'll just starve to death, and the server will spend every CPU cycle dealing with error messages from dying applications.

Reveal a secret - we just had the one-hundred-millionth (that's a huge number: 100,000,000 seconds is over three years!) customer data record leaked from computer systems in the U.S. Of course the real number is much higher; these 100 million were the ones that had to be confessed. Computers hold so many secrets and they're held so insecurely that secret-fishing is a massive exploit. Secrets could be personal details, or even server details, both valuable to different groups. If an app under duress will report its database filepath, for instance, other attacks can be crafted to attempt to retrieve that file (and the goodies it contains!).

Run illegal code - the server details are a very useful secret for further exploitation. Illegal code may run in-process and so widen the hole of the vulnerability by giving escalated privs.

Open a door - illegal code could be used to install a backdoor into the system, making future breaches easier.

Pwn3d! - and the box becomes a zombie, completely owned by someone other than the owner!

Failing Inelegantly
Great, you've written the killer app for whatever system/language/etc. Well done! You probably started with a proof-of-concept, then added a bit of testing onto the end, then fixed it for the tests that failed, and called it RTM. There is only one person in the world less qualified to test your code than you are and that's your mother. You are the world's worst tester of your own code. You know the workflows, you know where the bodies are buried, you know which bits have to be handled gently. Unfortunately, your users won't. Users are dumb, all of them. If they weren't dumb, they'd have written the app themselves, so assume they're dumb. If you went so far as to provide a manual/training for your app, your users will either forget it or use it as a bible. But you'll have forgotten one or two key points, so they'll improvise. They'll put a null in the cost box instead of a zero. Hell, they may even type "zero". Likely this'll cause your system to fail. How it fails is critical not just to the app, but to every other system on the machine!

Yum! Resources! - if your app fails catastrophically and fails to release resources (memory usually), you're enemy number one. Exploit: crash the app a few times and watch as other systems struggle for oxygen. One of them may do something cool, or at the very least, force a reboot.

Dog in the Manger - your app fails, but in failing pops up a modal dialogue warning of the failure before closing down. Exploit: similar to above, the program holds server resources hostage until some stupid "OK" box is ticked... on a blade in a massive server farm!

Debug Messages - your app fails, and in order to help you out, it tells you some secrets about where and how it failed. Now everyone knows what version of .NET (or whatever) you're running and, lookee here, a snippet of the app code. That could be handy later....

Error Messages - like debug messages, but less friendly. It's quite common to see databases telling you things about themselves when a web app has failed to consider a problem (e.g., MySQL, Access).

You can force inelegant failures by feeding in bad data (remember that user who typed "zero"? What if it was malicious?). You may not know how to exploit a vuln, but somebody else might, so treat all vulns as serious.

Unexpected Input = Unexpected Output
Applications usually deal in one way or another with data. In fact, if they don't they're probably just cartoons and not worth bothering with. Data can go into or come out of some kind of datastore, usually a database package of some sort. This is cool. It means we may be able to get some secrets out in exchange for putting some weird stuff in (the technical name here is SQL injection). How do you get to enter weird stuff?

Have a look at the app you're testing and start typing things into the fields you can type things into. The key here is to type in things the application isn't expecting. Good apps will validate these attacks away, poor ones won't. Inputs typically expect text, a number or sometimes even a file - don't give them exactly what they're expecting. If they want a file (e.g., an avatar upload for a forum), try passing them an mp3, or an exe. See what happens. You should have the file rejected straight away, but if the app accepts an exe, you may find a way to execute it (on the server!) later. If the app wants a number, what kind of number does it want? If it expects an integer, try giving it a float (or any other non-integer, such as 3.14159). What happens if you give it a 0? Or a 0.000000000000001? Or -1? Or 999999 <snip loads more 9s> 99? Or "zero"? One of these tests may upset the system if it tries to insert text into a numeric field, or tries to divide by zero. If the system is strong, it'll laugh at your efforts. But lesser apps will trip up and maybe tell you a bit about the system! If the app expects text, then try giving it loads of text. Try giving it non-printing characters. Try giving it characters that have special uses too - my favourites are ';/&--%*?, spaces, and various combinations of them depending on what I've discovered about the app (if it has an MSSQL backend, try feeding fields with %%';--). This can be fascinating if you get your entered text echoed back to you on the next page (for instance a search form): if your entry isn't parsed and validated, you can start building database queries to discover more about the app and possibly release secret data. Websites may be probed by messing with their query strings if they pass data in the query string (what appears in the address bar). You may want to try HTML-encoded values.
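The two halves of the advice above, a lookup that splices field text into SQL beside its parameterised twin, and a strict server-side validator for the numeric probes just listed ("zero", 3.14159, -1, a run of 9s), together with the "Failing Inelegantly" point about not echoing the database's own error to the user. This is an added example, not code from the article; it uses an in-memory SQLite table with constructed rows, and the `customers` schema, the `quantity` field and its range are assumptions for illustration.

```python
import logging
import re
import sqlite3

log = logging.getLogger("orders")

# Constructed sample rows standing in for the app's datastore (not real data).
SAMPLE_ROWS = [
    ("alice", "4111111111111111"),
    ("bob", "5500000000000004"),
]


def make_db():
    """Build an in-memory SQLite table; 'customers' is an assumed schema for illustration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, name):
    """The vulnerable pattern: the field's text is spliced into the SQL string,
    so a value like  x' OR '1'='1  becomes part of the WHERE clause."""
    sql = "SELECT name, card FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterised query: the value travels separately from the statement and is
    never parsed as SQL, whatever quotes or comment markers it contains."""
    return conn.execute(
        "SELECT name, card FROM customers WHERE name = ?", (name,)
    ).fetchall()


# Whole number, optional sign, at most 9 digits: the run-of-9s probe is rejected
# before int() ever sees it, and '3.14159', 'zero' or an empty field never match.
INT_RE = re.compile(r"-?\d{1,9}")


def parse_quantity(raw, lo=0, hi=10_000):
    """Strict server-side validation of a numeric field; the range is an assumption."""
    s = raw.strip()
    if not INT_RE.fullmatch(s):
        raise ValueError("quantity must be a whole number")
    n = int(s)
    if not lo <= n <= hi:
        raise ValueError(f"quantity must be between {lo} and {hi}")
    return n


def price_per_unit(total_cents, raw_qty):
    """Division guarded by the validator: lo=1 makes the divide-by-zero probe impossible."""
    return total_cents // parse_quantity(raw_qty, lo=1)


def handle_request(conn, name, raw_qty):
    """Fail gracefully: validation messages are safe to echo, but a database error is
    logged server-side and the client gets a generic reply, not the driver's message."""
    try:
        qty = parse_quantity(raw_qty)
        rows = lookup_safe(conn, name)
        return {"ok": True, "rows": len(rows), "qty": qty}
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
    except sqlite3.Error as exc:
        log.error("database failure for name=%r: %s", name, exc)
        return {"ok": False, "error": "request failed"}


def leaks_db_error(conn, name):
    """What the 'Error Messages' failure looks like: the unsafe lookup's exception
    text, which a careless handler would print straight onto the page."""
    try:
        lookup_unsafe(conn, name)
        return None
    except sqlite3.Error as exc:
        return str(exc)


if __name__ == "__main__":
    db = make_db()
    print("unsafe, injected :", lookup_unsafe(db, "x' OR '1'='1"))   # every row
    print("safe, injected   :", lookup_safe(db, "x' OR '1'='1"))     # nothing
    print("leaked error     :", leaks_db_error(db, "O'Brien"))
    print("handled          :", handle_request(db, "alice", "zero"))
```

The same checks belong on the server even when the form already has JavaScript validation, since anything the browser enforces can be edited out of the request before it is sent.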
So what if you hit a web app with massive JavaScript validation? It may have similar matching validation on the server or the developer may have been lazy. Try a tool like Tamper Data (a Firefox extension) to tweak exactly what gets posted back to the server after the JavaScript has had its fun and tried to stop you!

Can't Take the Strain
Load testing is a DDoS attack with permission. Proper load testing will let you know how much activity your server/app can handle before melting down, using the exact same tools as you could use for a DDoS. You just watch the results more closely. Microsoft has a great free stress/load testing application, "Web Application Stress Tool" aka Homer. Find it on their website. They also have a fancier one bundled with the datacenter editions of some tools, but Homer will do all you need. There are doubtless many others available too. Start off by working out what a "sensible" workflow through your site may be, and record it. Now play that workflow back with more clients and note which pages seem to be slowest (from the results). Ramp it up a bit more, keep noting your results, and keep going. If you graph your results, you'll notice a pretty linear rise in response times until you hit an elbow in the curve where responses get dramatically slower. This is your theoretical maximum load. Of course, real world usage isn't nearly so relentless as a cluster on the same LAN hammering one app, but usage will come in peaks, and you must be able to handle those peaks, not the average (including overnight) load! I'm sure you've found one or two pages of your app which seem to cause you the most delays. Rewrite them or split them into parts and keep the server load down. It'll probably be the page with all the big database access/writes, etc., so look at optimising those. If testing someone else's site, make sure you have permission first. One man's load test is another man's DDoS!

Finally
When writing your app, try designing in security from the beginning. This means coding defensively, expecting your audience to be at best dumb, at worst hostile! Validate every field you have both on the server and the client, and only accept values within the most restrictive range. Expect non-alphanumeric characters and the effects they can have. Trap specific errors, all you can think of, and handle them gracefully. Always have a catchall for unspecified errors, and again, handle it gracefully. Get your code read and tested by friends/peers/colleagues (open source software has a passive testing pool of peers). Test your app on a virtual machine of some sort (Microsoft Virtual PC or VMware) so you can recover from errors quickly and easily without killing any other apps. Talk to your datacenter guys about the possibility of using virtual servers (again, VMware and Microsoft both have excellent offerings) to completely ringfence apps. Always make sure you disable any debug modes you have before going public with your app, and finally load test your app so you know how it will cope over time.
If you know up front that you w i l l run i nto loadi ng problems in about three months with expected growth, you can plan for app tun i ng or hardware expansions and make sure you don't starve other apps causing them to fai l . And in a l l that spare time you now have, why not try fi nding some new vul ns? by The Thermionic Overlord Beach, Florida. A l l 600 or so stores in the With stores splattered a l l over the U n ited U .S. connect to th is system every day through States, chances are you've been to a Ti re standard DSL or cable connections for Ki ngdom at some point for an o i l change, upgraded stores, dialup l i nes for older ones. ti res, or an overpriced brake job. TK sure If you tel net to as400.tirekingdom.com, the runs a sl ick busi ness, with i nti mate corpo- system wi l l throw you a logi n screen at any rate micromanagement made possible by a time of day or n ight without compl a i nt. What centra l i zed network architecture. about that username and password? Pick a Imagine what you cou l d do if you store number. For Store 121, log in as S121, control led Ti re Kingdom's main computer password S121, et cetera. You can't actu a l l y systems: With manager's privileges a lone, you do anyth i ng un less your I P address is recog- have the abil ity to h i re and fi re employees, nized by the system (TKI) but there exist ways change pay rates, look up commerc i a l and around th is problem. consumer credit card data, even commit Wa ltz up to your loca l store on a Saturday outright theft. It's easier than you th i n k with when they're slammed and take a peek at the th is article as your unofficial guide. generic PCs on the cou nter ru n n i ng terminal Getting In emu lation software. Each one is numbered The heart of Ti re Ki ngdom is as400. tirek i n the pattern of S (store number) PC ( PC .. ingdom.com, an I BM AS400 located i n Juno number), as i n 5121PC03 . On the terminal Page 8 --------------------- 2600 Magazine
  • 9. software, that same PC would have a display ID of S121DSP 03. Taped to at least one of the computers at the main counter will be a list of employee numbers for everyone at the store, including managers. You have to be behind the counter to see this, however.... Getting Behind the Counter If you'd like to play around with the system from a store location with impunity, ask to speak to the general manager and tell him you want to apply for a job. Note the name of the store manager. You'll need it later. He'll most likely steer you to one of the PCs immedi­ ately and log onto TK Intranet (intraneUirek­ ingdom.com, usernameTK(store#), password TK(store#), domain TKI). He'll sign into the Deploy hiring management console with his employee number and password and leave you to fill out an application. As soon as he's gone, fire up a command prompt and enter tracert aS400.tirekingdom.com. Note the last hop on the store network and write this IP address down for future reference. It's the Cisco 2500 router underneath the counter. You'll have no web access because all DNS requests besides TK Intranet and a handful of partner companies are blocked. If you've brought your handy flash drive with a keystroke logger program, now is the time to take advantage of it. Dump the program into an unused directory, fire it up, and don't worry for a second about an anti­ virus. You won't find one. When they're not paying attention too closely, pick up their phone and call another Tire Kingdom, not one in the general area of yours. Explain to whomever picks up the phone that you've lost/spilled coffee on your yellow book with the tech support number in it, and could they pretty please give it to you, you're having trouble connecting to the AS400. Write this number down on a piece of paper illong with the manager's employee number, the router's internal I P, the store's external I P if you can find it, and whatever artistic doodles you've been working on. 
Day Two

Wait until Monday to return to the store, as Sundays are generally dead. Make sure you get a good night's sleep since you'll have to work quickly today. Walk in as if you own the place and tell the body at the counter that you're finishing an application. Return to the same computer and copy your keystroke log to your flash drive, making sure to wipe the original with the Wipe utility you should be carrying. Busy yourself with whatever hackerish antics you desire until the body at the desk is no longer paying close attention to you, then grab a phone and walk it around a corner for some privacy. By now you should know the manager's employee number, password, router and store IP, tech support phone number, and a static IP address associated with a public computer (not the one at your house).

A Quick Note on TK Passwords

Every TK employee has a six or seven digit employee number which they keep during their tenure at Tire Kingdom. They also have a password between six and eight digits long, as mandated by the AS400's security policy, that must be changed every 90 days. The password cannot be the same as any of the two or three previous passwords and cannot contain special characters, to my knowledge. However, 99.9% of all TK passwords will be completely numeric, as every counter employee, including managers, keys with their right hand on the numeric keypad. For speed, most of them are only six characters in length and are chosen to be quick to pound out.

Tech Support is Here to Help You

Call the tech support number. Have your spiel polished, rehearsed, and ready to go. When you get someone on the line, tell them some variation of the following: "Hi, this is (manager's name), the manager of TK(store#), and we're having a lot of problems with our Internet access.
I keep getting an error when I try to connect, the AS400 keeps telling me I'm signing on from an unknown IP address, and to call you guys with this IP address: (the static IP of a computer you have access to)." If your social engineering ruse works, prepare for pandemonium as the Tire Kingdom you're in loses all access to the AS400. Hang up the phone and walk out, and quickly get behind the IP address you gave the help desk.

Owning

By now you should have all of the information you need to spectacularly Own the AS400 as a manager. The AS400 is configured for ease of use, and finding your way around should be no problem. For real fun, log into intranet.tirekingdom.com, click Deploy, log in as your managerial self, and promote everyone as high as you possibly can. Deploy will give you access to an employee's home address, all personal information, sometimes even a picture. The AS400 has provisions for retail credit card lookup, too.... If you dig deep enough, you'll find information that no one should be able to access, maybe even yours...

Shouts to fysch and lynch, Lardlog, 3mOU, DJ Hekla, and the Democratic Congress: Please don't fuck it up.

Summer 2007 --------------------- Page 9
by Ariel Saia

I thought it would be fun to try connecting one of our company's Nortel IP phones from my home using my broadband connection and a VPN tunnel back to our corporate office. So I took one of our Nortel i2004 phones home and started seeing what I could do with it.

I first needed to get into the phone's setup. That was easy enough. I powered the unit up and once I saw the Nortel logo come up on the display, I hit the group of four buttons one at a time (below the LCD screen) in sequence 1-2-3-4 from left to right. In the setup I noticed our telephony department configures the phone with full DHCP with data and voice VLAN smarts in the phone. Since my goal was to use the phone in a very basic home network environment, I would need to manually configure some of these settings (more on this later). However I did notice the S1 server (Nortel phone server) specified. So at this point it looked promising that I could have my office IP phone working at my house.

For the first step I needed to create my VPN tunnel to corporate. I had a $400 CyberGuard SG560 firewall/VPN device floating around and decided to configure it as a PPTP client and connect it to my company's PPTP VPN server. Once connected I could then ping the S1 server (Nortel phone server) from the SG560 box. Fantastic! I trekked on; I now needed to configure the phone to communicate over this link rather than being on our internal LAN. I went into the phone's setup again and selected "0" for no DHCP. I then gave the phone a static IP address (on the same subnet as the LAN on my SG560 box) of 192.168.1.10, netmask 255.255.255.0, and 192.168.1.1 as the gateway. The next option was the S1 IP (Nortel phone server), 172.16.201.11. Next was the S1 port. I selected the default port of 4100. I also opted for the defaults for S1 Action "1" and Retry Count "5" and repeated the same steps for S2.
I then was asked for a "Voice VLAN." I selected "0" for no on the Voice and Data VLAN. I still had my SG560 connected to my corporate PPTP server. The phone rebooted and after about two minutes the phone connected to the S1 server and was prompting me for a Node and TN number (this is how the phone is registered to the Nortel phone system). The next day I asked one of my friends in the telephony department to provide me with a "Node" and "TN" for my phone. I returned home, plugged the numbers into the phone, and voila!! The phone connected! I picked up the handset and called my friend. I could then hear him pick up his handset and begin talking but he couldn't hear me from his end. After some head scratching I decided to put a packet sniffer between my SG560 box and my broadband connection. I found the Nortel phone server was trying to send packets to the phone during my phone call on port UDP/5201 and my SG560 box was of course dropping the packets. I then created a rule on the SG560 box to redirect any incoming UDP/5201 traffic to 192.168.1.10 (the IP phone). I then placed my call again and he could now hear me and I could hear him. So there I sat with an office extension in my house!

I told my friend in the telephony department about my test and of course he wanted one for his house too. However, after hearing he would need a $400 CyberGuard unit, excitement quickly turned to disappointment. I now was determined to come up with a reliable and inexpensive way to use our IP office phones in remote locations. I had a Linksys WRT54G v4 router flashed with DD-WRT (one of the best third party firmwares) that I had been using for Wi-Fi bridging. I remembered seeing the capability of using it as a PPTP or OpenVPN client/server. So I configured the router as a PPTP client just like the SG560 unit and added the port forwarding (UDP 5201) needed by the Nortel phone system.
The IP phone connected and my test calls were made
successfully, again just like with the SG560 over my company's PPTP VPN server. I now wanted to test the reliability of the WRT54G. I quickly found that the PPTP connection would drop within a few hours and not reconnect without requiring a reboot of the router. This of course was not an acceptable option so I started looking into OpenVPN as an alternative to PPTP. In the meantime my friend from the telephony department found Nortel was selling a solution (Nortel Contivity) that essentially does the same thing for about $350-$450 per phone and about 10k for the backend VPN server. Ouch! Now more than ever I wanted to build a solution on open source software.

I installed my favorite Linux distribution (SuSE 10.1) on a spare server we had in our server room and began the OpenVPN setup. I tested the Linksys WRT54G (DD-WRT) with the OpenVPN client instead of PPTP. I wrote this custom startup script for DD-WRT that creates the needed certificate files and calls the OpenVPN client, also monitoring the tunnel for inactivity, and acting accordingly.

DD-WRT Startup Script (remember not to enable OpenVPN in the DD-WRT GUI since this script calls it for you)

# Runs at boot from the DD-WRT startup hook. It writes the OpenVPN client
# material and two helper scripts to /tmp (RAM only) and launches them.
# The original was a long series of echo lines appending to the two
# helper scripts; it is shown here with heredocs and comments, and the
# generated scripts are unchanged except where a comment says otherwise.
# Everything between *** markers has to be filled in. Remember that DD-WRT
# keeps the startup script in NVRAM, so the client key and its passphrase
# sit there in plaintext on the router.

# vpngo.sh: wait for the WAN, set firewall rules, then start OpenVPN.
cat > /tmp/vpngo.sh <<'EOF'
sleep 8
EOF

mkdir -p /tmp/openvpn

# PEM certificates and key exported from the IPCop server.
cat > /tmp/openvpn/ca.crt <<'EOF'
-----BEGIN CERTIFICATE-----
***Add Your IPCop Server Cert HERE!!***
-----END CERTIFICATE-----
EOF
cat > /tmp/openvpn/client.crt <<'EOF'
-----BEGIN CERTIFICATE-----
***ADD Your IPCop Client Cert HERE!!***
-----END CERTIFICATE-----
EOF
cat > /tmp/openvpn/client.key <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
***Add Your IPCop Private Key HERE!!***
-----END RSA PRIVATE KEY-----
EOF

# OpenVPN client configuration. Note that nothing here verifies that the
# peer is really the server (no tls-auth, no ns-cert-type server): any
# holder of a client certificate signed by this CA can pose as the IPCop
# box to the router.
cat > /tmp/openvpn/openvpn.conf <<'EOF'
client
dev tun
proto udp
remote ***YOUR PUBLIC IPCOP SERVER*** 1194
resolv-retry infinite
nobind
persist-key
persist-tun
float
keepalive 10 120
tun-mtu 1400
tun-mtu-extra 32
mssfix 1300
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/client.crt
key /tmp/openvpn/client.key
EOF

# Masquerade LAN traffic out of the tunnel while it is up.
echo 'iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE' > /tmp/openvpn/route-up.sh
echo 'iptables -D POSTROUTING -t nat -o tun0 -j MASQUERADE' > /tmp/openvpn/route-down.sh
chmod 755 /tmp/openvpn/route-up.sh /tmp/openvpn/route-down.sh

cat >> /tmp/vpngo.sh <<'EOF'
# Hand the UDP range the Nortel server sends voice on (5201 was seen on
# the wire) from the tunnel to the phone, and allow management of the
# router over the tunnel.
iptables -t nat -I PREROUTING -i tun0 -p udp --dport 5000:5300 -j DNAT --to-destination 192.168.1.10
iptables -I INPUT -p tcp --dport 443 -j logaccept
iptables -I INPUT -p tcp --dport 22 -j logaccept
result=0
pingloss=0
pingloss2=0
# This script holds the key passphrase, so it deletes itself once read.
rm /tmp/vpngo.sh
rm -f /tmp/keypass
# The WRT54G has no battery-backed clock; without a plausible date the
# certificates are rejected as not yet valid. Set a date (MMDDhhmmYYYY)
# inside the certificates' validity period.
date 092011082007
# Passphrase for the client key, read by openvpn --askpass. The original
# made this file mode 777; 600 is enough since openvpn runs as root.
touch /tmp/keypass
chmod 600 /tmp/keypass
echo '***PKCS12 File Password***' > /tmp/keypass
/usr/sbin/openvpn --config /tmp/openvpn/openvpn.conf --route-up /tmp/openvpn/route-up.sh --down /tmp/openvpn/route-down.sh --askpass /tmp/keypass
EOF

# vpngo2.sh: watchdog. Restart openvpn if tun0 disappears, or if the
# phone server stops answering while the Internet side still does.
cat > /tmp/vpngo2.sh <<'EOF'
sleep 60
while [ "x" ]
do
  sleep 12
  result=`ifconfig tun0 2>&1 | grep -c RUNNING`
  if [ $result -eq 0 ]
  then
    sleep 10
    result=`ifconfig tun0 2>&1 | grep -c RUNNING`
    if [ $result -eq 0 ]
    then
      while [ $result -eq 0 ]
      do
        killall openvpn
        /usr/sbin/openvpn --config /tmp/openvpn/openvpn.conf --route-up /tmp/openvpn/route-up.sh --down /tmp/openvpn/route-down.sh --askpass /tmp/keypass &
        sleep 40
        iptables -t nat -I PREROUTING -i tun0 -p udp --dport 5000:5300 -j DNAT --to-destination 192.168.1.10
        iptables -I INPUT -p tcp --dport 443 -j logaccept
        iptables -I INPUT -p tcp --dport 22 -j logaccept
        result=`ifconfig tun0 2>&1 | grep -c RUNNING`
      done
      result=`ifconfig tun0 2>&1 | grep -c RUNNING`
    fi
  fi
  sleep 11
  pingloss2=`ping -c 5 172.16.201.11 | grep -c "100% packet loss"`
  if [ $pingloss2 -eq 1 ]
  then
    sleep 10
    pingloss2=`ping -c 8 172.16.201.11 | grep -c "100% packet loss"`
    if [ $pingloss2 -eq 1 ]
    then
      pingloss3=`ping -c 8 ***YOUR PUBLIC IPCOP SERVER*** | grep -c "100% packet loss"`
      if [ $pingloss3 -eq 0 ]
      then
        killall openvpn
        sleep 1
        /usr/sbin/openvpn --config /tmp/openvpn/openvpn.conf --route-up /tmp/openvpn/route-up.sh --down /tmp/openvpn/route-down.sh --askpass /tmp/keypass &
        sleep 2
      fi
    fi
  fi
done
EOF

chmod 755 /tmp/vpngo.sh /tmp/vpngo2.sh
sh /tmp/vpngo.sh &
sh /tmp/vpngo2.sh

DD-WRT Firewall Script (the same rules, reapplied whenever DD-WRT rebuilds its firewall)

iptables -t nat -I PREROUTING -i tun0 -p udp --dport 5000:5300 -j DNAT --to-destination 192.168.1.10
iptables -I INPUT -p tcp --dport 22 -j logaccept
iptables -I INPUT -p tcp --dport 443 -j logaccept

The router stayed connected and was reconnecting when necessary. This was to be the rock solid remote IP phone solution I was searching for. However I wanted others to also manage the server and to be able to set up new certificates (phone users) when necessary, and my SuSE setup via certificates would be a challenge for non-Linux admins. So I needed an easier, more user-friendly management interface. IPCop with "Zerina" would fit the bill perfectly. I installed IPCop with the OpenVPN add-on "Zerina." I was surprised at how easy it was to configure multiple OpenVPN tunnels with the built in certificate manager. As for the DD-WRT box, all I needed to have the end users do was to plug it into any DHCP enabled network with Internet access. That's it! I then convinced management to purchase 65 Linksys WRT54GLs for less than $45 each and flashed them with DD-WRT (v23sp1-vpn). However you don't necessarily need to purchase WRT54GLs. Any supported router listed on the DD-WRT site will do. We now have over 60 remote users (sales, support, etc.) that rely on their phones every day, and already have plans to more than double the number of users! I have tested this with Nortel's i2001, i2002, i2004, and i2007 IP phones. You can also use this setup to connect remote offices as well, not just Nortel IP phones!
Thanks to "BrainSlayer" for DD-WRT (www.dd-wrt.com) and the IPCop crew (www.ipcop.org)!
Greetings from the Central Office! It's hard to believe that summer is already here, but the solstice is just around the corner and the rain has already gotten a little warmer. Although I rarely see the sun from my windowless workplace, we actually get a lot of it during the summer. Here in the Pacific Northwest, the sun rises just after five in the morning, and doesn't set until after nine at night. With only three months a year of semi-decent weather, people spend a lot more time outdoors, and mobile phone usage skyrockets. Capitalism being what it is, unscrupulous mobile service providers are lurking in the shadows with an interesting new way to make a quick buck. And, like our indigenous (and revolting) banana slugs, they're leaving a trail of slime wherever they go.

The more that scams change in the telecommunications industry, the more they stay the same. During the 1980s, premium-rate "information services" such as 976, 540, and 900 numbers were introduced. Although there were a few exceptions (such as pay-per-call technical support lines), these services were mostly scams intended to bilk unsuspecting subscribers. They'd offer dial-a-joke, dial-a-moan, or other services of dubious value, adding eye-popping (and often undisclosed) charges to a subscriber's monthly bill. When you received an outrageous phone bill, Ma Bell would claim that they were just a billing agent, but then threatened to shut off your phone if you didn't pay the so-called "third party" charges. There were few (if any) regulations around disclosure of pay-per-call charges, or opportunities to opt out of them. Eventually, both the FCC and numerous state public utility commissions intervened to stop the madness.
They required Ma Bell to block "information service" pay-per-call numbers at no charge upon request, and prohibited disconnection of your line for failure to pay third-party charges (provided that you paid your local service charges on time). Additional requirements were placed on service providers, forcing them to both disclose pricing up front and allow subscribers to hang up without being charged if they didn't agree. Predictably, the market for such "information services" effectively dried up; after all, it's only profitable to run a scam if you can both fool a sucker and force them to pay without recourse.

Well, fast forward to 2007 and the same thing is happening all over again. Ever heard of Dada Mobile? Blinko? Jamster? Until recently I hadn't, but I prefer to spend my evenings in the central office performing "service monitoring" of my subscribers' private conversations. Hey, if the NSA doesn't need a warrant, I figure that I don't either. However, if you watch MTV, American Idol, or any television show with a mainstream audience, you've probably encountered an ad for a "premium-rate text" service offered via an SMS short code. In other words, vote for your favorite celebrity and get soaked on your cellular phone bill. Or, if you're creative, maybe soak someone else's cellular phone bill....

SMS short codes (referred to as Common Short Codes or CSCs) are five-digit and six-digit codes issued by the CTIA, a cellular industry lobbying group. Anyone can lease one, at costs ranging from $500 per month (for a randomly issued CSC) to $1000 per month (for a vanity CSC). This gets you the number assignment and maintenance in the CSC database (which is performed by NeuStar, a company that controls a shocking percentage of cellular network infrastructure; among other things, they also control system ID assignments).
However, owners of CSCs must negotiate interconnection agreements with every wireless carrier individually. Alternatively, they can work with a service provider (such as VeriSign, another corporation with an incredible degree of influence in the wireless industry) who has existing interconnection agreements with most carriers.

Armed with a short code and an interconnection agreement, you're in business! Just fool some sucker (often a child) into sending you a text message and you can then tack
absurd charges (which can recur as often as weekly) onto their phone bill with virtual impunity. Sure, there are some voluntary industry provisions and codes of conduct, which in practice are just so much horse manure. It's just like the bad old days of the 1980s. Charges are billed with scant (if any) disclosure and wireless phone companies threaten to shut their customers' phones off if the third-party charges aren't paid. The difference is the sheer audacity with which this is done and the almost complete lack of recourse. Wireless telecommunications (by design) is a virtually unregulated industry. Don't expect relief from the FCC or public utility commissions on this one. And with Congress in the pocket of lobbying groups such as the CTIA, this problem is unlikely to ever be solved. (By the way, thanks, Erratic, for subscribing my cell phone to eight separate ring tone download and celebrity update services this morning. I can't wait to get my bill and I hope you don't mind that the USOC on your POTS line changed to 12B. Oops, my finger slipped.)

So, let's rewind to the 1980s again. In 1984, the long distance market was deregulated. Most subscribers stayed with AT&T, but upstarts MCI and Sprint quickly grabbed the Number Two and Number Three shares in the market respectively. By the late 1980s there were over a dozen long distance companies and by the early 1990s there were literally hundreds. The market became increasingly cutthroat and providers came up with all sorts of interesting ways to gain your long distance business. For example, one long distance company did business as "The Phone Company" so any (often elderly) subscriber that asked for "The Phone Company" as their long distance provider would get them, not surprisingly, at noncompetitive rates.
Another company, LCI, sold its services via multilevel marketing, often alongside products like Amway and Mary Kay. Evidently, it paid off. Today LCI is Qwest, one of the few remaining Baby Bells (Qwest acquired US West in 2000). And everyone has probably heard the story of cigar-chomping Mississippi scam artist Bernie Ebbers, former CEO of WorldCom and now Inmate #56022-054 at FCI Oakdale.

With all of this competition, a practice known as "slamming" became a major problem. Long distance companies would use dubious (often bordering on unethical) methods to switch you to their long distance services. For example, AT&T mailed millions of $100 checks. These looked like rebate checks, perhaps from a legal settlement (of which there were many at the time). However, the fine print on the back indicated that your signature authorized switching your long distance service to AT&T. And for a few years, it seemed like no dinner in America would ever go uninterrupted by a sales pitch from a long distance company. Some companies didn't even bother asking for authorization. They'd just switch you to their long distance service (often billed at outrageous rates). Many consumers didn't even notice. Eventually enough politicians were personally affected by the problem and the FCC cracked down again. Subscribers now have the right to initiate a "PIC Freeze," which requires the subscriber to contact their local phone company to change long distance carriers. Unscrupulous carriers who engage in slamming are subject to fines and even criminal penalties. And, for the most part, it doesn't matter much anymore as most subscribers use their cell phones for long distance these days. Without much fanfare, AT&T exited the residential long distance market late last year.

These days we're beginning to see a different kind of slamming: cell phones!
For the past few years, you've been able to take your phone number with you when changing carriers. Unscrupulous wireless phone companies have used this to their advantage. They call, introduce themselves as something like "Your Wireless Phone Company" (that's their actual company name, just like the long distance carrier calling itself "The Phone Company"), and offer to send you a new, free phone. If you agree, they will indeed send you a free phone, along with a brand new service provider, a brand new rate plan (at unfavorable rates), and a brand new contract with a hefty early termination fee. Adding insult to injury, your previous wireless provider will also bill you an early termination fee if you were still in contract with them. And all of this is being done legally, under procedures outlined by the FCC. Speaking of the law of unintended consequences, your existing wireless provider is prohibited by law from even warning you that you might be the victim of a scam.

And on that note, an outside plant technician told me that we're headed for a few sun breaks and the clock tells me that my shift is over. It's time to get outside and enjoy the weather! Have a fun summer, watch out for phone scams, and I'll see you again in the fall. Or perhaps, if you're lucky enough to visit the spectacular Pacific Northwest, you'll even see me at a 2600 meeting!
Deobfuscation
by Kousu
kousue@gmail.com

Boilerplate: I don't officially condone any of these activities, of course. Use your own judgment.

Introduction

Compiled languages let you distribute binaries which, although all the machine code is there, are generally extremely time-consuming to disassemble. Scripting languages do not have such a luxury. They deal at a high level, and running code on their level requires using high-level constructs (unlike with compiled languages, where the output is very low level and the security is that 1) information - names, indentation, etc. - is lost in the compilation and 2) not many people have the skills to do the reverse operation).

In the scripting language world, there are a great deal of idiots and/or liars who scam even bigger idiots by promising that no one will be able to "steal" their source code. It should send up a warning flag if you ever consider running someone else's code that you can't read, especially if it has been deliberately obfuscated. In principle, this is as bad as binary blobs, which have led to, for example, rootkitability of every system using Wi-Fi. In the great tradition of paranoia of this great zine, consider that no one knows what the script is up to. Is it full of bugs? Is it phoning home and giving confidential information like credit card numbers to the original author?

Well, luckily, with scripting languages, obfuscation is difficult to actually secure. There's no way to run a generic program on such code and result in a completely irreversible encryption, for the same reason DRM is fundamentally flawed: you have to decrypt it somewhere in order for it to run. You'd need some sort of self-generating code to do it, but even then the very thing which makes interpreted languages so flexible (the eval function/statement) that would have to be used to implement this can, with some effort, be intercepted so that eventually you find the original code. Other tricks involving the use of external libraries are unlikely because of the complexity to the user (the one who wants to obfuscate their code) and security reasons, especially in web development.

SourceCop

We're going to use as our case study SourceCop, available from http://www.sourcecop.com/ for only $30 (regular price $45!) with the nice guarantee that SourceCop'd code runs on all of Unix/Linux/BSD/Mac/Windows (which is nothing more than the list of platforms for PHP...). So, first of all we install PHP (from http://php.net or your local package mirror if on a *nix), if not already installed, and then we get to work.

Looking at a SourceCop'd script we see:

    dhcart.php            # an actual obfuscated script
    scopbin/911006.php    # support code

From our knowledge of CGI scripts (of which PHP scripts are a subset) in general, we know that the website http://example.org/path/to/script/dhcart.php will cause PHP to load and run dhcart.php. PHP, being a scripting language, just runs from the top, so we can start tracing the code immediately and looking for ways to get at the actual code:

$ less dhcart.php
<?php if(!function_exists('findsysfolder')){function findsysfolder($fld){$fld1=dirname($fld);$fld=$fld1.'/scopbin';clearstatcache();if(!is_dir($fld))return findsysfolder($fld1);else return $fld;}}require_once(findsysfolder(__FILE__).'/911006.php');$REXISTHEDOG4FBI='FE50E574D754E76AC679F242F450F768FB5DCB77F34DE341
[...snip a lot of hex...]
$REXISTHECAT4FBI='94CD76CD371C5A7BC70C186E779C293B9B49BACA5A781A6';
eval(y0666f0acdeed38d4cd9084ade1739498('311B3C4449F31071C0',$REXISTHEDOG4FBI));?>
So we see that it defines a function "findsysfolder" if it doesn't exist. At the end it calls a function that itself has an obfuscated name ("y0666f0acdeed38d4cd9084ade1739498") with two arguments: a string of hex (probably more obfuscation?) and a variable $REXISTHEDOG4FBI, which is defined as a big block of hex which is certainly the obfuscated code (incidentally, this program always uses the same stupid variable name), and then passes this straight into eval(). This last point is our attack vector, the weakness I spoke of. In fact, SourceCop appears to be overly simplistic (and it probably is). It only has one eval() call in the entire block, so whatever this eval does is the entirety of the function of this script and what is passed into it, by definition of eval(), must be the plaintext code. So simply replacing eval() with a print() will give us the code! Sure, it's possible the code could be multiply obfuscated and that this would just give us another obfuscated block of source code, but then you just repeat this process until you get to the final plaintext. And that is why obfuscation is useless and why anyone who has the gall to sell a shitty "product" that does it deserves to lose his balls.

Back to the code: so we replace this eval with "print" and then hop to the command line:

$ cd ~/dhcart/
$ php dhcart.php
$

What? Very strangely we got no output! Perhaps it's time to check out what's in that mysterious scopbin file (incidentally, this same file is used for every SourceCopping):

$ less scopbin/911006.php
<?php ini_set('include_path', dirname(__FILE__));
[...]
function g0666f0acdeed3g0666f0acdeed38d4cd9084ade1739498($s) { return (strstr($s,'echo')==false?(strstr($s,'print')==false)?(strstr($s,'sprint')==false)?(strstr($s,'sprintf')==false)?false:exit():exit():exit():exit()); }
[...]
ini_set('include_path','.'); ?>

It seems to be more of the same, except that helpfully PHP requires naming variables with $ signs, so we can spot that these are mostly not obfuscated code but rather awkwardly named variables. So this here is a program.
Also, PHP requires the use of {} so we can figure out what the indentation should look like. Initially when I did this I put newlines in all the right places and, using the magic of find-and-replace, I shortened all the names and traced through it trying to understand. But the quick fix here is simpler than that and I will cut to the chase. Near the middle we see the use of "strstr($s,'print')" among others in a ternary hook chain, where all the final else clauses are "exit()". It's a good bet that this file is looking inside our source file for any uses of echo/print/sprint/sprintf (i.e., any attempts to do exactly what we're doing) and if so just killing the program. Simply removing this check should make it work, so long as there are no other blocks. There are multiple ways of removing it: the quick-and-dirtiest by far is to just rename what it's searching for. Most reliably, replace all the exit() calls with some benign return value, like a false, as shown. Or even better, blank the function body, remove everything, and just put a "return false;".

$ cd ~/dhcart/
$ php dhcart.php
<?php
include "phpmailer/class.phpmailer.php";
include "whois_servers.php";
include "language.php";
if (!empty($HTTP_GET_VARS)) while (list($name, $value) = each($HTTP_GET_VARS)) $$name = $value;
if (!isset($HTTP_SESSION_VARS['numberofitems'])) $HTTP_SESSION_VARS['numberofitems']=0;
if (!isset($HTTP_SESSION_VARS['numberremoved'])) $HTTP_SESSION_VARS['numberremoved']=0;
$numdomreg=count($register);
^C
$ # hooray, we see that it works, and stop it before it's finished. Now to save the results to a file.
$ php dhcart.php > dhcart.decrypted.php

(Note, incidentally, the first thing the recovered code does: it copies every GET parameter into a global variable of the same name. That is exactly the kind of behaviour a vendor's obfuscation keeps the person deploying the script from ever seeing.)

Discussion

SourceCop is a particularly weak obfuscation. All it does is use a cypher function to hide the code and then make it difficult for a human to follow the decryption code by using long meaningless variable names. But the basic technique is the same for any of these systems. These systems are just downright stupid. Friends Don't Let Friends Use Obfuscators.

The method presented here - letting unknown code run on your system - is potentially dangerous. It's not implausible that an obfuscator could try to detect if it's being run wrongly somehow and cause damage of unknown magnitude. Sure, if that booby trap was ever set off incorrectly it could be very bad for the obfuscator's business, but with the level of short-sightedness blatantly displayed here it's a perfect possibility. It would be wise to set up a jail system to test these things out on. If running a *nix you can make a chroot jail to do this.

Another method is to trace the code manually, try to figure out what it's up to, and then write a program implementing the decryption scheme. Let's see that now. But first, a preface. In digging through SourceCop I feel like vomiting. It's disgusting, disgusting code and just wasting CPU cycles letting it run is nauseating.
Reverse Engineering

But anyway, here is the scopbin/911006.php file indented properly:

<?php
function a5434f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
    return $Xew6e79316561733d64abdf00f8e8ae48;
}
function b5434f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
    return $Xew6e79316561733d64abdf00f8e8ae48;
}
function c43dsd0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
    return $Xew6e79316561733d64abdf00f8e8ae48;
}
function xdsf0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
    return $Xew6e79316561733d64abdf00f8e8ae48;
}
function y0666f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
    $x0b43c25ccf2340e23492d4d3141479dc = '';
    $x71510c08e23d2083eda280afa650b045 = 0;
    $x16754c94f2e48aae0d6f34280507be58 = strlen($x897356954c2cd3d41b221e3f24f99bba);
    $x7a86c157ee9713c34fbd7a1ee40f0c5a = hexdec('&H' . substr($x276e79316561733d64abdf00f8e8ae48, 0, 2));
    for ($x1b90e1035d4d268e0d8b1377f3dc85a2 = 2; $x1b90e1035d4d268e0d8b1377f3dc85a2 < strlen($x276e79316561733d64abdf00f8e8ae48); $x1b90e1035d4d268e0d8b1377f3dc85a2 += 2) {
        $xe594cc261a3b25a9c99ec79da9c91ba5 = hexdec(trim(substr($x276e79316561733d64abdf00f8e8ae48, $x1b90e1035d4d268e0d8b1377f3dc85a2, 2)));
        $x71510c08e23d2083eda280afa650b045 = (($x71510c08e23d2083eda280afa650b045 < $x16754c94f2e48aae0d6f34280507be58) ? $x71510c08e23d2083eda280afa650b045 + 1 : 1);
        $xab6389e47b1edcf1a5267d9cfb513ce5 = $xe594cc261a3b25a9c99ec79da9c91ba5 ^ ord(substr($x897356954c2cd3d41b221e3f24f99bba, $x71510c08e23d2083eda280afa650b045 - 1, 1));
        if ($xab6389e47b1edcf1a5267d9cfb513ce5 <= $x7a86c157ee9713c34fbd7a1ee40f0c5a)
            $xab6389e47b1edcf1a5267d9cfb513ce5 = 255 + $xab6389e47b1edcf1a5267d9cfb513ce5 - $x7a86c157ee9713c34fbd7a1ee40f0c5a;
        else
            $xab6389e47b1edcf1a5267d9cfb513ce5 = $xab6389e47b1edcf1a5267d9cfb513ce5 - $x7a86c157ee9713c34fbd7a1ee40f0c5a;
        $x0b43c25ccf2340e23492d4d3141479dc = $x0b43c25ccf2340e23492d4d3141479dc . chr($xab6389e47b1edcf1a5267d9cfb513ce5);
        $x7a86c157ee9713c34fbd7a1ee40f0c5a = $xe594cc261a3b25a9c99ec79da9c91ba5;
    }
    return $x0b43c25ccf2340e23492d4d3141479dc;
}
function f5434f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
    if (file_exists($x456e79316561733d64abdf00f8e8ae48)) { unlink($x456e79316561733d64abdf00f8e8ae48); }
    return $Xew6e79316561733d64abdf00f8e8ae48;
}
function j43dsd0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
    if (file_exists($x456e79316561733d64abdf00f8e8ae48)) { unlink($x456e79316561733d64abdf00f8e8ae48); }
    return $Xew6e79316561733d64abdf00f8e8ae48;
}

Summer 2007---------------------------------------- Page 17

function lldsf0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
    if (file_exists($x456e79316561733d64abdf00f8e8ae48)) { unlink($x456e79316561733d64abdf00f8e8ae48); }
    return $Xew6e79316561733d64abdf00f8e8ae48;
}
function tr5434f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
    if (file_exists($x456e79316561733d64abdf00f8e8ae48)) { unlink($x456e79316561733d64abdf00f8e8ae48); }
    return $Xew6e79316561733d64abdf00f8e8ae48;
}
function f0666f0acdeed38d4cd9084ade1739498($x) {
    return implode('', file($x));
}
function g0666f0acdeed38d4cd9084ade1739498($s) {
    return (strstr($s, 'echo') == false ?
        (strstr($s, 'print') == false) ?
        (strstr($s, 'sprint') == false) ?
        (strstr($s, 'sprintf') == false) ?
        false : exit() : exit() : exit() : exit());
}
function hyr3dsd0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
    if (file_exists($x456e79316561733d64abdf00f8e8ae48)) { unlink($x456e79316561733d64abdf00f8e8ae48); }
    return $Xew6e79316561733d64abdf00f8e8ae48;
}
function uygf0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
    if (file_exists($x456e79316561733d64abdf00f8e8ae48)) { unlink($x456e79316561733d64abdf00f8e8ae48); }
    return $Xew6e79316561733d64abdf00f8e8ae48;
}
function drfg34f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
    if (file_exists($x456e79316561733d64abdf00f8e8ae48)) { unlink($x456e79316561733d64abdf00f8e8ae48); }
    return $Xew6e79316561733d64abdf00f8e8ae48;
}
function jhkgvdsd0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
    if (file_exists($x456e79316561733d64abdf00f8e8ae48)) { unlink($X456e79316561733d64abdf00f8e8ae48); }
    return $Xew6e79316561733d64abdf00f8e8ae48;
}
function yrdhhdacdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
    if (file_exists($x456e79316561733d64abdf00f8e8ae48)) { unlink($x456e79316561733d64abdf00f8e8ae48); }
    return $Xew6e79316561733d64abdf00f8e8ae48;
}
ini_set('include_path', '.');
?>

First, you can see a lot of isomorphic functions which are probably there to throw us off - a stupid way to try it since it's so easy to remove. This makes us suspicious. Let's check dhcart.php for function calls (roughly approximated by searching for occurrences of "(").
It turns out that only three non built-in functions are actually called: f0666f0acdeed38d4cd9084ade1739498(), g0666f0acdeed38d4cd9084ade1739498(), and y0666f0acdeed38d4cd9084ade1739498(). The first is a simple wrapper, the second is the one that dies if it decides we're being naughty (oh la la...), the third is the one with the loop and "255+" (suggestive of some encryption scheme). Thus the only active code in 911006.php that we know of is these functions; tracing them will reveal any other active functions, and recursively doing this will tell us which code is live and which we can dump. f0666f0acdeed38d4cd9084ade1739498() and g0666f0acdeed38d4cd9084ade1739498() call nothing but built-in functions, so we ignore them. y0666f0acdeed38d4cd9084ade1739498() is more complex, so with the aid of searching for "(" we discover... that it calls nothing but built-ins. So surprise sur-fucking-prise, the entire rest of the code is claptrap. To /dev/null you go!

Now to make the names more readable. The functions and their arguments can be renamed (but then re-aliased if you wish so that the obfuscated code will still run) according to what they seem to be doing. To rename, we use the wondrous find-and-replace feature that your text editor should have. Here is the code. In the interest of leaving some small amount of mystery for you to puzzle over, I'm not going to explain it.

<?php
ini_set('include_path', dirname(__FILE__));

function decrypt($key, $cyphertext) {
    $s = '';
    $i = 0;
    $keylen = strlen($key);
    $char = hexdec('&H' . substr($cyphertext, 0, 2));
    for ($j = 2; $j < strlen($cyphertext); $j += 2) {
        $cypherbyte = hexdec(trim(substr($cyphertext, $j, 2)));
        $i = (($i < $keylen) ? ($i + 1) : 1);
        $plainbyte = $cypherbyte ^ ord(substr($key, $i - 1, 1));
        if ($plainbyte <= $char)
            $plainbyte = 255 + $plainbyte - $char;
        else
            $plainbyte = $plainbyte - $char;
        $s = $s . chr($plainbyte);
        $char = $cypherbyte;
    }
    return $s;
}

function y0666f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
    return decrypt($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48);
}

function loadFile($x) {
    return implode('', file($x));
}

function f0666f0acdeed38d4cd9084ade1739498($x) {
    return loadFile($x);
}

function checkFile($s) {
    return (strstr($s, 'echo') == false ?
        (strstr($s, 'print') == false) ?
        (strstr($s, 'sprint') == false) ?
        (strstr($s, 'sprintf') == false) ?
        false : exit() : exit() : exit() : exit());
}

function g0666f0acdeed38d4cd9084ade1739498($s) {
    return checkFile($s);
}

ini_set('include_path', '.');
?>

Conclusion

Obfuscation is inefficient. Obfuscation is underhanded. Obfuscation is written by people who assume others are really stupid and intend to exploit that. It is as close to evil as ASCII can get. I wrote this guide both to raise consciousness of this particular idiocy in the world today, and to guide newbies along the path to hackerdom. I hope you found it enlightening. Now excuse me while I flick this switch.
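Added example (not code from the article, from SourceCop, or from the dhcart package): the recovered decrypt() loop ported to Python, plus an encoder worked out by inverting that loop so the scheme can be run end to end and checked for round-trips. The key, the seed byte and the sample plaintext are constructed for the demonstration.

```python
"""SourceCop-style byte cipher, ported from the decrypt() loop recovered in the
article.  The encoder is NOT part of SourceCop; it was derived here by inverting
the loop so the scheme can be exercised in both directions."""


def sourcecop_decrypt(key: bytes, cyphertext_hex: str) -> bytes:
    """Port of the recovered PHP decrypt($key, $cyphertext).

    The first hex pair is a chaining seed ($char).  Each following pair is
    XORed with the key byte at a cycling index, then the previous *ciphertext*
    byte is subtracted, wrapping at 255 rather than 256 (the "255+" the
    article spots in the loop).  PHP's hexdec('&H' . ...) ignores the non-hex
    '&H' prefix, so plain hex parsing is equivalent.
    """
    if not key:
        raise ValueError("empty key")
    data = bytes.fromhex(cyphertext_hex.strip())
    if not data:
        raise ValueError("need at least the seed byte")
    prev = data[0]
    out = bytearray()
    for n, cypherbyte in enumerate(data[1:]):
        x = cypherbyte ^ key[n % len(key)]      # $i cycles 1..keylen, key[$i - 1]
        plainbyte = 255 + x - prev if x <= prev else x - prev
        out.append(plainbyte)
        prev = cypherbyte                        # $char = $cypherbyte
    return bytes(out)


def sourcecop_encrypt(key: bytes, plaintext: bytes, seed: int = 0x53) -> str:
    """Inverse of the loop above (constructed for this example).

    A plaintext 0x00 would need x == prev, which the decryptor maps to 0xff,
    so the scheme cannot carry NUL bytes in general.  PHP source never
    contains them, so they are rejected outright.
    """
    if not key:
        raise ValueError("empty key")
    if not 0 <= seed <= 255:
        raise ValueError("seed must be a single byte")
    if 0 in plaintext:
        raise ValueError("byte 0x00 is not representable in this scheme")
    out = bytearray([seed])
    prev = seed
    for n, plainbyte in enumerate(plaintext):
        x = plainbyte + prev
        if x > 255:                              # undo the decryptor's 255-wrap branch
            x -= 255
        cypherbyte = x ^ key[n % len(key)]
        out.append(cypherbyte)
        prev = cypherbyte
    return out.hex()


def roundtrip_ok(key: bytes, plaintext: bytes) -> bool:
    """Encode, decode, compare: the check the article's author leaves to the reader."""
    return sourcecop_decrypt(key, sourcecop_encrypt(key, plaintext)) == plaintext


if __name__ == "__main__":
    # Constructed sample values, not anything shipped with SourceCop.
    key = b"k3y"
    src = b"<?php echo 'hello'; ?>"
    blob = sourcecop_encrypt(key, src)
    print(blob)
    print(sourcecop_decrypt(key, blob))
    print(roundtrip_ok(key, bytes(range(1, 256))))
```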
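Added example (not the author's code): the live-code hunt the article does by hand, searching for "(" in the entry script and following calls into the loader recursively, written as a small Python script. The two PHP snippets it analyses are constructed miniatures with made-up short function names, not the real dhcart.php or 911006.php.

```python
"""Find which functions in a SourceCop-style loader are actually reachable from
the entry script, the way the article does by searching for "(".  Constructed
inputs; the real files have 33-character hex-ish names instead."""
import re

# Constructed miniature of the loader: many decoys, a few live functions.
LOADER_SRC = r"""<?php
function a5434f($k, $c) { return $c; }
function b5434f($k, $c) { return $c; }
function f0666f($x) { return implode('', file($x)); }
function g0666f($s) { return (strstr($s, 'echo') == false ? false : exit()); }
function y0666f($k, $c) { return helper_xor($k, $c); }
function helper_xor($k, $c) { return $c; }
function tr5434f($k, $c) { if (file_exists($c)) { unlink($c); } return $c; }
?>"""

# Constructed miniature of the entry script that includes the loader.
ENTRY_SRC = r"""<?php
include 'scopbin/loader.php';
$src = f0666f(__FILE__);
g0666f($src);
eval(y0666f('k3y', 'deadbeef'));
?>"""

FUNC_DEF = re.compile(r'\bfunction\s+([A-Za-z_]\w*)\s*\(')
CALL = re.compile(r'\b([A-Za-z_]\w*)\s*\(')   # anything followed by "(" is a call candidate


def function_bodies(src: str) -> dict:
    """Map each user-defined function name to its brace-matched body text."""
    bodies = {}
    for m in FUNC_DEF.finditer(src):
        start = src.index('{', m.end())
        depth, i = 0, start
        while i < len(src):
            if src[i] == '{':
                depth += 1
            elif src[i] == '}':
                depth -= 1
                if depth == 0:
                    break
            i += 1
        bodies[m.group(1)] = src[start:i + 1]
    return bodies


def live_functions(loader_src: str, entry_src: str):
    """Return (live, dead): names reachable from the entry script vs. decoys.

    Built-ins (strstr, exit, unlink, ...) are not defined in the loader, so
    they drop out of the intersection, exactly as in the article's walk.
    """
    defined = function_bodies(loader_src)
    live = set()
    todo = [n for n in CALL.findall(entry_src) if n in defined]
    while todo:
        name = todo.pop()
        if name in live:
            continue
        live.add(name)
        todo.extend(n for n in CALL.findall(defined[name]) if n in defined)
    return live, set(defined) - live


if __name__ == "__main__":
    live, dead = live_functions(LOADER_SRC, ENTRY_SRC)
    print("live:", sorted(live))
    print("dead (to /dev/null):", sorted(dead))
```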
by daColombian
jmwco�llblazemail.com

According to my family, I am a very paranoid person. I really don't think I am paranoid; rather, I classify myself as "careful." One of the things that I tend to be careful about is purchasing the latest 2600 Magazine. While I truly believe that the 2600 staff protects the identities of their subscribers, I live in a very small town where everyone knows everyone's business and I can only imagine the uproar that the arrival of 2600 would cause. So in order to protect the "peace," I have been relegated to going to a bookstore in another town to purchase it (with cash). The biggest problem with this method is being able to know when the new issue is released. I have to periodically stop by the aforementioned bookstore and check to see if the new issue is out. This quickly became troublesome due to the distances involved. So I had to look for another answer.

I started by checking the 2600 website every day at work (because I only have dialup at home) but even that was troublesome because the network admin is one of them "ass-backwards" folks who thinks "hacker" is a dirty word and would have made my life miserable if they found out. What I needed was a way to view the cover image without logging any suspicious activity. So what I ended up doing was writing a small ASP page (see code below) that would grab the cover image of the latest issue from the 2600 website and display it so that I would know instantly when the new issue was out. This would allow me to know this by only going to my personal website. Basically the page takes a given URL, searches for a given token, and then returns the associated image as a link to go to that page. As you can see from the sample code, I also get a couple of other images for my reading pleasure.

Good luck, stay safe, and keep your powder dry....

<%
Option Explicit
On Error Resume Next
Dim oHttp, sTemp, iComic, iStart, iEnd, aUrls(3), aSrch(3), aComics(3), a
Set oHttp = CreateObject("Msxml2.ServerXMLHTTP.3.0")
aUrls(0) = "http://www.2600.com/"
aSrch(0) = "images/covers"
aUrls(1) = "http://www.dilbert.com/"
aSrch(1) = "TODAY'S COMIC"
aUrls(2) = "http://www.gocomics.com/thequigmans/"
aSrch(2) = "comics/tmqui"
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Comics page</title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
</head>
<body>
<table width=590 cellspacing=5 cellpadding=5>
<tr><td class='linetop' colspan=4 align=left valign=bottom>Comics</td></tr>
<%
' loop through all of the URLs in the array
For a = 0 to Ubound(aUrls) - 1
    aComics(a) = ""
    ' get the text from the given page
    sTemp = getLink(aUrls(a), oHttp)
    ' if there is text
    If Len(sTemp) > 0 Then
        ' look for the token
        iComic = InStr(UCase(sTemp), UCase(aSrch(a)))
        If iComic > 0 Then
            ' look for the image tag
            iStart = InStrRev(UCase(sTemp), "<IMG", iComic)
            If iStart > 0 Then
                ' look for the closing > of the image tag
                iEnd = InStr(iStart, sTemp, ">") + 1
                If iEnd > 0 Then
                    ' get the image tag text
                    aComics(a) = Mid(sTemp, iStart, iEnd - iStart)
                    ' replace the src with one pointing to the originating website
                    If InStr(aComics(a), "SRC=""/") > 0 Then
                        aComics(a) = Replace(aComics(a), "SRC=""/", "SRC=""" & aUrls(a))
                    ElseIf InStr(aComics(a), "SRC='") > 0 Then
                        aComics(a) = Replace(aComics(a), "SRC='", "SRC='" & aUrls(a))
                    Else
                        aComics(a) = Replace(aComics(a), "SRC=""", "SRC=""" & aUrls(a))
                    End If
                    ' write the image tag out with a hyperlink to the originating website
                    Response.Write "<tr><td align=center><a href=""" & aUrls(a) & """>" & _
                        aComics(a) & "</a></td></tr>" & vbcrlf
                End If
            End If
        End If
    End If
Next
%>
<tr><td class='linebottom' colspan=4 align=center valign=top>&nbsp;</td></tr>
</table>
</body>
</html>
<%
Function getLink(sUrl, oHttp)
    Dim RefPage
    On Error Resume Next
    getLink = ""
    ' open the url
    oHttp.Open "GET", sUrl, False
    If Err.Number = 0 Then
        ' send the request
        oHttp.Send
        If Err.Number = 0 Then
            ' get the response
            RefPage = oHttp.responseText
            ' return the response if the page is found
            If InStr(RefPage, "NOT FOUND") = 0 Then getLink = RefPage
        End If
    End If
End Function
%>
Fun at the Airport
by Evil Wrangler

I live in a major U.S. city which, like most major U.S. cities, has a major airport that has been infested with Transportation Safety Administration workers and idiotic, restrictive security policies designed to give the American public a false sense of safety and provide an artificial environment for inefficient and greedy airline companies to continue to do business. Many suspect that the Emperor is, in fact, naked, and recently I took it upon myself to investigate whether the vaunted airport security implemented by the gargantuan TSA is thorough or not. What is detailed in this narrative nudges very close to breaking U.S. laws. Under no circumstances should anyone reading this replicate what is written here. This account, while factual, is for information purposes only.

Recently I was in the airport waiting for a flight that had been delayed. Wow, like that never happens. It was late at night - after 8:00 pm, and since I already had parked the car and had about an hour to kill, I decided that I would wander around and investigate the lay of the land. At the time I did this, I was dressed in jeans, sneakers, and a black t-shirt that proclaimed: "I'm not a hacker, I'm a security professional." Really - this was what I was wearing. Why this matters will become evident shortly.

So I started by examining the physical layout of the terminal building. Bottom floor for arrivals and baggage claim, main floor for tickets and check-in, and a mezzanine for offices and food. Arrivals is boring - by then all the fun's over. The main floor, with ticketing and check-in, is where the TSA does their security dance. Basically there's a section of the floor that allows passengers to pass through from the ticket counters to the side with the gates and aircraft and overpriced shopping. Passengers stand in long lines, remove their shoes, and occasionally a TSA person pulls a grandmother out of the line and gives her "the wand" which is a more thorough physical search designed to detect that yet another American's liberties are being violated. Unfortunately for the TSA (and us, perhaps) airport architects were not aware that the U.S. would become a terrorist target and therefore when they laid out the floor plans they designed them to facilitate access, not restrict it. So TSA has to make up for their shortsightedness by physically blocking off access using those elastic rope-and-pole gizmos accompanied by a TSA goon or two. In addition, the entire terminal floor, from the entranceways down to the gates, is being monitored by CCTV. So in the event somebody somewhere does something to someone sometime, it gets recorded on videotape for later network and cable broadcast, and for the trial of course.

In my particular unnamed major city airport there are two large sections of the floor staffed with TSA goons with their conveyer belts, elastic ropes, x-ray machines, and other paraphernalia. There also are a couple of areas, blocked off with elastic ropes and manned by TSA goons, where flight crew, wheelchair passengers, etc. can proceed from one side of the terminal to the other. Basically, if you want to get to the gates, you have to walk past a TSA station. Or do you? Well, that's what I decided to find out.

For starters I went up to the mezzanine, above the terminal. Originally this floor was designed to allow people to stand and gawk at the air travelers while enjoying their lattes. It has a terrific view of the airfield, and is perfect for small children who want to practice spitting on helpless travelers.
However, since the terrorists might try something more extreme than spitting, the entire mezzanine floor above the gate concourse has been glassed off, from the balcony to the ceiling, using thick (but not bulletproof) glass panels and silicone sealant. At the end of the mezzanine walkway there is a smaller panel cut to fill the remaining space (of course the architect did not think to design a mezzanine to be a multiple of the length of the glass panels). That panel, on the end far away from TSA, only had silicone sealant bonding it to another panel - it was not bonded to the wall. For those not familiar with silicone sealant, acetone, also known as nail polish remover, will dissolve it quite effectively. So your garden variety terrorist need only walk into the airport, take the escalator or elevator up to the next floor, walk to the end where there are no people, fasten a suction cup or other apparatus to the glass, and with a couple of minutes with some acetone and maybe a utility knife (remember, I never went through security so I can have whatever I want to do this) that glass panel is going to come loose. What a budding terrorist would do after that is a matter of conjecture - start shooting, throw explosives, or just dump out your handy container of sarin or anthrax or whatever and wait for the fun to begin. Or else they could simply climb over the railing and drop to the floor below, or use a rope and rappel if they're going for that whole "commando terrorist" look.

But most of us aren't terrorists - a fact that appears to have been lost on the U.S. government. Why would we want to risk injury climbing over the railing and dropping ten or fifteen feet when we could just walk down the stairs? That's right, in my particular airport I observed several staircases that led directly from the mezzanine down to the gate side of the terminal main floor. Two had imposing signs mounted on the door saying "Restricted Access - Do Not Enter" and one had absolutely no sign at all.
That's called "security by obscurity" and it's always a bad idea. All three stairwells were open and none of them had so much as an alarm. I personally verified these facts. Had I desired an extended stay with the federal authorities I easily could have walked down the stairs and exited onto the terminal floor on the gate side of the terminal without having gone through security. My entry would have been recorded by security cameras. Talk about meeting you at the gate!

Not inclined to do a lot of walking? Lazy or fat hackers can take the elevator. In my particular airport there are several elevators between the three floors. One elevator is built so that it lets you out on the main floor in a narrow hallway adjacent to the women's bathroom. If that's not enticing enough, you can just turn around and walk through the unlocked door to the gate side of the terminal. The sign on the door reads "Restricted Access - Do Not Enter," but there's absolutely no physical barrier preventing someone from walking through the door. If you're male, and you'd rather use the men's bathroom, you can walk past the elevator, around the TSA checkpoint which is situated between two dividing walls, and past the men's room to the other labeled and unlocked door. Again, security cameras will record your intrusion, but besides that there's absolutely no barrier to entry.

Up on the mezzanine you get a terrific view, mostly of cleavage and construction dust, but also of the security camera layout. Most of the cameras are hardwired together and routed to a hidden security outpost. However some of the cameras are - I am not making this up - connected to wireless routers plugged into electrical sockets nearby.
Those familiar with the old X10 camera hack - if you're not just Google for 2600 and warspying - will realize that with a laptop and some inexpensive hardware, it is possible to override the signal of the cameras. A cute Hollywood illustration of this is available in the original Speed movie where, unfortunately, it fails to fool terrorist Dennis Hopper. But if you wanted to get through one of those doors I mentioned earlier all you'd do is record a small video clip of nothing happening on one of the cameras, and then replay that clip as a loop on the camera's frequency while you browse the bookstores and luggage shops on the gate side of the terminal. There were other enticing finds up on the top floor, including empty offices with Simplex door locks (some with default combinations and some that would require either a few good guesses or else Google for the 2600 article by Scott Skinner and Emmanuel Goldstein) as well as a nursery and the offices of the TSA. That's right, I walked around and past the security offices several times without being observed or challenged. Also up on the mezzanine was a closed and locked branch of a large U.S. bank that was, in spite of several cameras pointing at the front, open and accessible from the back side. Behind the teller desk there were offices with their network connected Windows workstations, unlocked, and their numerous chairs, desks, office supplies, and telephones. I literally had the opportunity to rob a bank branch at the airport. Besides a picture of me walking past the closed and locked teller windows on the security cameras, there would have been no way that I could have been linked to the crime had I taken some elementary forensic preparations. Needless to say I passed up this golden opportunity to spend several years in a state penitentiary, but the security holes remain as I write this, waiting for someone with fewer scruples (and maybe better at climbing over high walls) to take advantage of them.

Having identified these (and other) chinks in the vaunted TSA armor, it was time for me to approach the TSA workers. I rode the escalator down to the main terminal floor (still on the street side of the terminal, not having passed through security) and began to interact with the TSA workers. At this point I'd been walking around the terminal for about an hour, unmolested, wearing my black t-shirt. I approached three TSA goons/guards and asked about the configuration of the escalators, namely the one going upstairs was not adjacent to the one going up from the floor below. The TSA person told me that they did not know but I could go ask Information. I explained that the name of the information department was a misnomer and that I would be more likely to get an answer from maintenance. They told me that they did not know where maintenance was. I thanked them and walked back upstairs to stare down on them in disgust. I rode the escalator down from the mezzanine level and stood in front of three TSA workers wearing a hacker t-shirt, having previously walked by them several times in the past 60 minutes, and they neither noticed me nor considered me suspicious. Only in America....
Next I approached another group of TSA workers at a different checkpoint and struck up a conversation about an antique airplane mounted from the ceiling of the terminal. One of the TSA workers asked me something like "Are you here to pick up someone or are you here doing something else?" I assured them, truthfully, that I was there for the purpose of meeting an arriving passenger. That satisfied them. I soon became bored and went downstairs to the arrivals area, partly to be consistent with my story, but also to scope out the lower floor. Arriving passengers descend from the gate area to the baggage claim area. They then proceed to the baggage carousel. To keep the riffraff out, there is an overhead rig consisting of motion sensors and flashing blue lights mounted above the base of the descending escalators. This post is manned by a TSA worker. Apparently if someone tries to walk from the baggage area to go up the down escalator, the lights flash and a recorded voice shouts "Warning warning do not proceed" or "Danger Will Robinson" or something equally urgent. Problem was, I only saw it activated when passengers came down the escalator, creating false positives which the TSA worker dutifully ignored. In the interest of learning I approached the TSA workers (by now there were two) and asked them what they referred to this device as, what was its name? They seemed not to understand me. I tried asking the question a different way. After the third attempt the one that kind of spoke English explained to the one that obviously did not speak English that I was inquiring about the term that they used to describe their particular security device. The best answer that the two TSA ESL candidates could produce was the one that I ventured for them - sensor.
Unless these two were martial arts teachers moonlighting as security goons, there was no hope that they would be able to withstand any sort of brute force attack, let alone something simple like me distracting them while someone else snuck behind them and scooted up the escalator (or stairs - there also were stairs, but lazy American passengers always seemed to use the escalator to descend to the baggage claim area). Finally, it was time for me to pick up my arriving passenger. Their plane had arrived, so I went upstairs to the mezzanine and called their cell phone. I watched through the not-bulletproof glass that I could easily detach as their plane taxied to the gate and disgorged them, neither safe nor sound, into my city's major airport terminal.

In summary, there are two points to take away. The first is that security is an illusion and that the Emperor is, indeed, quite naked, if you simply begin looking. The second, more disturbing point, is that the government both is lying to us and is spending shitloads of tax money on nonsensical contrivances like the Transportation Safety Administration, which should be dismantled IMHO and replaced with something that actually could identify the small number of potential terrorists rather than forcing the entire population of the country to endure the misanthropic groping of an uneducated illiterate workforce. End of soapbox - happy hacking!
Hacking Xfire
by Akurei

I'm not much of a writer so please forgive. Recently I was pissed off when I found Xfire wouldn't record the time I was spending building NWN2 (Neverwinter Nights 2) modules via the toolset. But it was more than happy to record the time from the game. So I went about tweaking this and in the process found some fun things you can do. Everything listed here is very benign and far more a mod than any real hack. Though I'm sure given the proper exploitation you could piss off Xfire quite a bit.

Upon browsing to your Xfire directory you will find a file called "xfire_games.ini." This holds all the game data/tracking info the client calls upon to track your game-play use. However, the client makes no attempt to match your client ini with their server-side ini unless a client update/patch changes them. Since the file is plaintext and the client never reconciles it with the server-side copy, the client trusts whatever DetectExe entries it finds there. This of course leaves us a big window to modify this all we want.

First let's see how to add those trackers for the NWN 1 or 2 toolsets. Developers do deserve credit, don't they? Open xfire_games.ini with any standard text editor. It doesn't need to be anything fancy. And there's no encryption on this either, so it's plain as day to read/understand.

For Neverwinter 1 do a search for Neverwinter and you should see the following:

LongName=Neverwinter Nights
ShortName=nwn
LauncherDirKey=HKEY_LOCAL_MACHINE\SOFTWARE\BioWare\NWN\Neverwinter\Location

Below that line you would add the following:

DetectExe=nwtoolset.exe

Save and you're done. It goes without saying you shouldn't do this with Xfire running. It wouldn't cause any problems; you'd just have to restart the client for the new ini to take effect.

For Neverwinter 2, follow the same steps listed above (except keep searching past NWN1 until it says Neverwinter 2). This time you should see the following:

DetectExe[0]=nwn2main.exe
DetectExe[1]=nwn2main_amdxp.exe

In this case you would add the following:

DetectExe[2]=nwn2toolsetlauncher.exe

Save again and you'll be set. Just remember that when the client is updated/patched the ini is not always changed. But you should check each time as it likely will have been. There are multiple workarounds for this system as well, but that's another article.

If you've been paying attention, or have even the slightest of nefarious minds, you can see how this system is very open to exploitation. Any system process could be slapped into the ini for detect, to create a false result on any game of your choice.
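The two edits above, and the reconciliation the article says the client never performs, as an added example in Python (not from the article and not Xfire's own code). It assumes the file is a plain key=value ini with each game under a bracketed section header; the [2]/[3] headers in the constructed excerpt are invented, while LongName, DetectExe and DetectExe[n] are the key names the article shows. add_detect_exe picks the plain key when a section has no detector yet (the NWN1 case) and the next index when it already uses indexed keys (the NWN2 case); audit_detect_exes diffs a file against the shipped baseline so that any process name slipped into it is reported instead of silently counting as game time.

```python
import re
from typing import Dict, List, Set, Tuple

Pairs = List[Tuple[str, str]]   # ordered key=value pairs of one section
Section = Tuple[str, Pairs]     # (header without brackets, pairs)
_DETECT_RE = re.compile(r"^DetectExe(?:\[(\d+)\])?$")

# Constructed excerpt in the shape the article describes. The [2]/[3] section
# headers are assumed; the key names are the ones the article shows.
SAMPLE_INI = r"""[2]
LongName=Neverwinter Nights
ShortName=nwn
LauncherDirKey=HKEY_LOCAL_MACHINE\SOFTWARE\BioWare\NWN\Neverwinter\Location
[3]
LongName=Neverwinter Nights 2
ShortName=nwn2
DetectExe[0]=nwn2main.exe
DetectExe[1]=nwn2main_amdxp.exe
"""


def parse_ini(text: str) -> List[Section]:
    """Split into ordered sections; repeated keys (DetectExe[n]) stay in order."""
    sections: List[Section] = []
    header, pairs = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            if header or pairs:
                sections.append((header, pairs))
            header, pairs = line[1:-1], []
            continue
        key, sep, value = line.partition("=")
        if sep:
            pairs.append((key.strip(), value.strip()))
    if header or pairs:
        sections.append((header, pairs))
    return sections


def dump_ini(sections: List[Section]) -> str:
    """Serialise back to text (comment lines are not preserved)."""
    lines = []
    for header, pairs in sections:
        lines.append(f"[{header}]")
        lines.extend(f"{k}={v}" for k, v in pairs)
    return "\n".join(lines) + "\n"


def detect_exes(pairs: Pairs) -> List[str]:
    """Executables a section detects, via DetectExe or DetectExe[n]."""
    return [v for k, v in pairs if _DETECT_RE.match(k)]


def next_detect_key(pairs: Pairs) -> str:
    """Key for one more executable: plain 'DetectExe' if the section has none
    (the NWN1 case), 'DetectExe[max+1]' if it uses indexed keys (the NWN2
    case). A section already using the plain form is refused rather than
    guessed at, since the article never shows the two forms mixed."""
    indices = []
    for key, _ in pairs:
        m = _DETECT_RE.match(key)
        if m is None:
            continue
        if m.group(1) is None:
            raise ValueError("section already uses plain DetectExe; edit by hand")
        indices.append(int(m.group(1)))
    return f"DetectExe[{max(indices) + 1}]" if indices else "DetectExe"


def add_detect_exe(text: str, long_name: str, exe: str) -> str:
    """Track `exe` under the game whose LongName is `long_name` (idempotent)."""
    sections = parse_ini(text)
    for _, pairs in sections:
        if ("LongName", long_name) not in pairs:
            continue
        if exe.lower() in (e.lower() for e in detect_exes(pairs)):
            return text
        pairs.append((next_detect_key(pairs), exe))
        return dump_ini(sections)
    raise KeyError(f"no section with LongName={long_name!r}")


def audit_detect_exes(baseline: str, current: str) -> Dict[str, List[str]]:
    """Executables tracked in `current` that `baseline` does not list, per game.

    This is the reconciliation the article says the client never does: with the
    shipped ini as baseline, a toolset or any unrelated process added to the
    file shows up here instead of silently counting as game time.
    """
    def by_game(text: str) -> Dict[str, Set[str]]:
        return {dict(p).get("LongName", h): {e.lower() for e in detect_exes(p)}
                for h, p in parse_ini(text)}

    base, cur = by_game(baseline), by_game(current)
    return {game: sorted(exes - base.get(game, set()))
            for game, exes in cur.items() if exes - base.get(game, set())}


if __name__ == "__main__":
    edited = add_detect_exe(SAMPLE_INI, "Neverwinter Nights", "nwtoolset.exe")
    edited = add_detect_exe(edited, "Neverwinter Nights 2", "nwn2toolsetlauncher.exe")
    # The same edit accepts any process name at all, which is the article's point.
    edited = add_detect_exe(edited, "Neverwinter Nights 2", "notepad.exe")
    print(edited)
    print("drift from shipped ini:", audit_detect_exes(SAMPLE_INI, edited))
```

Run it as-is to see both toolset entries added and the audit flag them (plus the unrelated notepad.exe) against the constructed baseline. Keeping a copy of the ini as shipped by each client update and diffing after the fact is the cheap check the article implies Xfire itself lacks.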
I don't know how to define a hacker, but I guess I am one. And whatever hacking is, I derive great pleasure from it, and, more recently, community as well.

I grew up in my own little world as a kid. What choice did I have? Being tormented daily and beaten up frequently by other kids for being geeky, I quickly found that hanging out by myself was way better than being subjected to the cruelty of the other kids while the gym teacher (it's always the gym teacher, isn't it?) watched the scene with his arms folded, encouraging their daily tortures. Not having other kids to learn from about social norms, I looked at things and thought about things in my own way. This was painful as a kid, but it turned out to be a great asset later in life. Starting from a depressed blob of a kid, I somehow learned to love life, and hacking is a big part of how I did that. So is TV. I see life as a hack. We keep hacking away at it, making it as good as we can, and sharing it as we go along.

How can anyone be bored? Maybe boredom has to do with feeling confined, like in a hospital. Or a jail cell. Maybe it really comes down to depression. While depressed how can you be motivated to do anything? Except maybe watch TV. That's what I did, as a kid, as much as I could: after another day of anguish at the hands of my peers, I'd come home and retreat into TV. I remember thinking, while watching yet another episode of Gilligan's Island, "I don't really like this - why do I watch this every day?" But I just kept watching. Time went away. Hours each day that I wasn't doing something enjoyable, that I wasn't learning how to interact with other kids, that I wasn't being active or doing something healthy. And all the junk food I ate in front of the thing made me even fatter. And all the people on TV were beautiful, happy, and any problems they had were solved by the end of the half-hour show. They had friends, they had warm, loving parents. It was all so depressing! And the next day, back at school, I was even more of a target: I'd get beaten and tormented all the more. So, I'd come home and retreat into TV. The cycle of depression continued.

But one day, I made a choice for myself, not for someone else or what I thought others wanted of me. I chose to stop watching TV. And it sucked! I was bored. What to do? I did some of the things that I had been doing all along, but had neglected: taking apart electronics, putting them back together, ham radio, messing with phones, programming the mainframe computer late at night at the factory that let some of us cub scouts in during the wee hours when they didn't need the computer power to make chemically processed, frozen desserts for America. Though I was still depressed, I saw that there were some things I actually liked doing.

The first big system I tried to hack was me. Like many of my first hacks, it wasn't successful. I made a big mess of things. I tried to hack myself into a wonderful person for others and failed. Later I would figure out that for some systems, such as myself, it's way better to make use of strengths, as well as find good uses for what I thought were weaknesses. But back then there were some successes on other fronts. I managed to convince my parents to add a second phone line to their house. I set to hacking a switch that would connect the two phone lines together after I'd call two pizza places, or two bullies from school who didn't like each other. I soon learned that I had to unscrew the phone's microphone so that no one could hear me laugh. Wiring the basement for sound with the homemade stereos I built was important for listening to Pink Floyd's Dark Side of the Moon really loud, way high on pot (from the homemade electronic bong that I made), meditating on fixing myself so that other people might actually want me around.

That brings me to what really saved my life. Pot. I know it's not fashionable in our homeland-security era to say that you did drugs. But it was the 70s then and everyone was smoking it, even the jocks. And after somehow getting through junior high school alive (if not emotionally scarred for life), I found another system to hack: the school district. I worked it so that I had a choice of which of two high schools to go to and, naturally, chose the one all the bullies did not go to. And this high school had an electronics