% = % = % = % = % = % = % = % = = % P h r a c k X V I I % = = % = % = % = % = % = % = % = % Phrack Seventeen 07 April 1988 File 1 of 12 : Phrack XVII Introduction It's been a long time, but we're back. After two successful releases under the new editorship, Taran King told us that with his vacation from school, he'd be able to put Phrack Seventeen together. His plans soon changed, and Seventeen was now our responsibility again. Procrastination set in, and some difficulty was encountered in compiling the files, but we finally did it and here it is. There's a lot of good material in this issue, and we're lucky enough to have PWN contributions from several sources, making it a true group effort. Since The Mad Chemist and Sir Francis Drake, as well as myself, are moving on to other things, the editorship of Phrack Inc. may be changing with the release of Phrack Eighteen. Regardless of what direction the publication takes, I know that I will have no part in the creation of the next issue, so I'd like to mention at this time that my involvement with the magazine, first as a contributor and later as a contributing editor, has been fun. Phrack will go on, I'm sure, for another seventeen issues at least, and will continue to be a primary monument to the vitality of the hacker culture. -- Shooting Shark Contributing Editor Phrack XVII Table of Contents ----------------------------- # Title Author Size ---- ----- ------ ---- 17.1 Phrack XVII Introduction Shooting Shark 3K 17.2 Dun & Bradstreet Report on AT&T Elric of Imrryr 24K 17.3 D&B Report on Pacific Telesis Elric of Imrryr 26K 17.4 Nitrogen-Trioxide Explosive Signal Substain 7K 17.5 How to Hack Cyber Systems Grey Sorcerer 23K 17.6 How to Hack HP2000's Grey Sorcerer 3K 17.7 Accessing Government Computers The Sorceress 9K 17.8 Dial-Back Modem Security Elric of Imrryr 11K 17.9 Data Tapping Made Easy Elric of Imrryr 4K 17.10 PWN17.1 Bust Update Sir Francis Drake 3K 17.11 PWN17.2 "Illegal" Hacker Crackdown The $muggler 5K 17.12 PWN17.3 Cracker are Cheating Bell The Sorceress 8K % = % = % = % = % = % = % = % = = % P h r a c k X V I I % = = % = % = % = % = % = % = % = % Phrack Seventeen 07 April 1988 File 2 of 12 : Dun & Bradstreet Report on AT&T AT&T Credit File, taken from Dun & Bradstreet by Elric of Imrryr DUN'S FINANCIAL RECORDS COPYRIGHT (C) 1987 DUN & BRADSTREET CREDIT SERVICE Name & Address: AMERICAN TELEPHONE AND TELEGRAPH Trade-Style Name: 550 Madison Ave AT & T NEW YORK, NY 10022 Telephone: 212-605-5300 DUNS Number: 00-698-0080 Line of Business: TELECOMMUNICATIONS SVCS TELE Primary SIC Code: 4811 Secondary SIC Codes: 4821 3661 3357 3573 5999 Year Started: 1885 (12/31/86) COMBINATION FISCAL Employees Total: 317,000 Sales: 34,087,000,000 Employees Here: 1,800 Net Worth: 14,462,000,000 This is a PUBLIC company 12/31/86 COMBINATION FISCAL (Figures are in THOUSANDS) FINANCIALS % COMPANY INDST COMPANY CHANGE % NORM % Cash. . . . . . . . . . . . . 2,602,000 17.5 6.7 9.0 Accounts Receivable . . . . . 7,820,000 (13.1) 20.1 5.7 Notes Receivable. . . . . . . ---- ---- ---- 0.2 Inventory . . . . . . . . . . 3,519,000 (26.1) 9.1 1.3 Other Current Assets. . . . . 1,631,000 72.0 4.2 5.8 Total Current Assets. . . . . 15,572,000 (8.0) 40.0 22.0 Fixed Assets. . . . . . . . . 21,078,000 (4.7) 54.2 35.6 Other Non-current Assets. . . 2,233,000 55.9 5.7 42.4 Total Assets. . . . . . . . . 38,883,000 (3.9) 100.0 100.0 Accounts Payable. . . . . . . 4,625,000 (6.4) 11.9 4.2 Bank Loans. . . . . . . . . . ---- ---- ---- 0.2 Notes Payable . . . . . . . . ---- ---- ---- 1.0 Other Current Liabilities . . 6,592,000 0.8 17.0 6.2 Total Current Liabilities . . 11,217,000 (2.4) 28.8 11.6 Other Long Term Liab. . . . . 13,204,000 38.2 34.0 46.8 Deferred Credits. . . . . . . ---- ---- ---- 6.4 Net Worth . . . . . . . . . . 14,462,000 (1.2) 37.2 35.2 Total Liabilities & Worth. . 38,883,000 (3.9) 100.0 100.0 Net Sales . . . . . . . . . . 34,087,000 (2.4) 100.0 100.0 Gross Profit. . . . . . . . . 15,838,000 ---- 46.5 40.1 Net Profit After Tax. . . . . 139,000 (91.1) 0.4 15.3 Dividends/Withdrawals . . . . 1,371,000 (0.9) 4.0 7.7 Working Capital . . . . . . . 4,355,000 (19.8) ---- ---- RATIOS % ---INDUSTRY QUARTILES--- COMPANY CHANGE UPPER MEDIAN LOWER (SOLVENCY) Quick Ratio . . . . . . . . . 0.9 (10.0) 2.9 1.2 0.6 Current Ratio . . . . . . . . 1.4 (6.7) 4.9 2.2 1.0 Curr Liab to Net Worth (%). . 77.6 (1.1) 13.2 26.4 38.1 Curr Liab to Inventory (%). . 318.8 32.1 244.8 475.8 675.0 Total Liab to Net Worth (%) . 168.9 (4.3) 127.4 180.2 297.2 Fix Assets to Net Worth (%) . 145.7 (3.6) 144.9 215.0 263.0 (EFFICIENCY) Coll Period (days). . . . . . 83.7 (11.1) 31.9 46.7 61.6 Sales to Inventory. . . . . . 9.7 32.9 56.2 33.8 20.0 Assets to Sales (%) . . . . . 114.1 (1.6) 210.5 266.1 373.4 Sales to Net Working Cap. . . 7.8 21.9 6.3 2.3 1.1 Acct Pay to Sales (%) . . . . 13.6 (4.2) 4.9 8.7 13.8 (PROFITABILITY) Return on Sales (%) . . . . . 0.4 (91.1) 20.1 14.6 11.3 Return on Assets (%). . . . . 0.4 (89.5) 7.2 5.7 3.7 Return on Net Worth (%) . . . 1.0 (90.6) 19.0 15.9 12.8 Industry norms based on 469 firms, with assets over $5 million. 12/31/85 COMBINATION FISCAL (Figures are in THOUSANDS) FINANCIALS % COMPANY INDST COMPANY CHANGE % NORM % Cash. . . . . . . . . . . . . 2,213,700 3.4 5.5 7.5 Accounts Receivable . . . . . 8,996,100 (4.0) 22.2 5.6 Notes Receivable. . . . . . . ---- ---- ---- 0.4 Inventory . . . . . . . . . . 4,759,300 (0.6) 11.8 1.2 Other Current Assets. . . . . 948,500 (8.2) 2.3 5.1 Total Current Assets. . . . . 16,917,600 (2.4) 41.8 19.8 Fixed Assets. . . . . . . . . 22,112,900 5.2 54.7 39.2 Other Non-current Assets. . . 1,432,000 (3.2) 3.5 41.0 Total Assets. . . . . . . . . 40,462,500 1.6 100.0 100.0 Accounts Payable. . . . . . . 4,942,800 (11.4) 12.2 4.9 Bank Loans. . . . . . . . . . ---- ---- ---- 0.3 Notes Payable . . . . . . . . 2,100 ---- ---- 0.8 Other Current Liabilities . . 6,542,600 15.5 16.2 5.9 Total Current Liabilities . . 11,487,500 2.2 28.4 11.9 Other Long Term Liab. . . . . 9,553,200 2.7 23.6 46.8 Deferred Credits. . . . . . . 4,788,500 18.9 11.8 6.8 Net Worth . . . . . . . . . . 14,633,300 (4.1) 36.2 34.5 Total Liabilities & Worth. . 40,462,500 1.6 100.0 100.0 Net Sales . . . . . . . . . . 34,909,500 5.2 100.0 100.0 Gross Profit. . . . . . . . . ---- ---- ---- 33.7 Net Profit After Tax. . . . . 1,556,800 13.6 4.5 14.0 Dividends/Withdrawals . . . . 1,382,900 3.7 4.0 13.0 Working Capital . . . . . . . 5,430,100 (10.8) ---- ---- RATIOS % ---INDUSTRY QUARTILES--- COMPANY CHANGE UPPER MEDIAN LOWER (SOLVENCY) Quick Ratio . . . . . . . . . 1.0 ---- 2.5 1.1 0.6 Current Ratio . . . . . . . . 1.5 ---- 3.8 1.9 0.9 Curr Liab to Net Worth (%). . 78.5 6.5 15.8 29.4 43.9 Curr Liab to Inventory (%). . 241.4 2.8 285.7 485.5 790.6 Total Liab to Net Worth (%) . 176.5 9.6 134.4 190.1 320.9 Fix Assets to Net Worth (%) . 151.1 9.7 148.4 219.0 289.5 (EFFICIENCY) Coll Period (days). . . . . . 94.1 (8.7) 31.5 47.2 63.8 Sales to Inventory. . . . . . 7.3 5.8 52.3 31.4 18.0 Assets to Sales (%) . . . . . 115.9 (3.4) 217.1 277.8 356.8 Sales to Net Working Cap. . . 6.4 16.4 6.0 2.7 1.6 Acct Pay to Sales (%) . . . . 14.2 (15.5) 6.1 10.4 15.7 (PROFITABILITY) Return on Sales (%) . . . . . 4.5 9.8 19.0 13.6 9.5 Return on Assets (%). . . . . 3.8 11.8 6.9 5.3 3.4 Return on Net Worth (%) . . . 10.6 17.8 19.7 15.8 12.7 Industry norms based on 605 firms, with assets over $5 million. 12/31/84 COMBINATION FISCAL (Figures are in THOUSANDS) FINANCIALS COMPANY INDST COMPANY % NORM % Cash. . . . . . . . . . . . . 2,139,900 5.4 6.6 Accounts Receivable . . . . . 9,370,800 23.5 6.3 Notes Receivable. . . . . . . ---- ---- 0.4 Inventory . . . . . . . . . . 4,789,200 12.0 1.2 Other Current Assets. . . . . 1,033,100 2.6 4.1 Total Current Assets. . . . . 17,333,000 43.5 18.6 Fixed Assets. . . . . . . . . 21,015,000 52.8 45.0 Other Non-current Assets. . . 1,478,600 3.7 36.4 Total Assets. . . . . . . . . 39,826,600 100.0 100.0 Accounts Payable. . . . . . . 5,580,300 14.0 5.2 Bank Loans. . . . . . . . . . ---- ---- 0.2 Notes Payable . . . . . . . . ---- ---- 1.0 Other Current Liabilities . . 5,663,300 14.2 5.5 Total Current Liabilities . . 11,243,600 28.2 11.9 Other Long Term Liab. . . . . 9,300,200 23.4 47.8 Deferred Credits. . . . . . . 4,026,000 10.1 6.5 Net Worth . . . . . . . . . . 15,256,800 38.3 33.8 Total Liabilities & Worth. . 39,826,600 100.0 100.0 Net Sales . . . . . . . . . . 33,187,500 100.0 100.0 Gross Profit. . . . . . . . . 16,436,200 49.5 28.1 Net Profit After Tax. . . . . 1,369,900 4.1 14.1 Dividends/Withdrawals . . . . 1,333,800 4.0 7.3 Working Capital . . . . . . . 6,089,400 ---- ---- RATIOS ---INDUSTRY QUARTILES--- COMPANY UPPER MEDIAN LOWER (SOLVENCY) Quick Ratio . . . . . . . . . 1.0 2.3 1.0 0.6 Current Ratio . . . . . . . . 1.5 3.4 1.6 0.9 Curr Liab to Net Worth (%). . 73.7 17.7 30.6 43.5 Curr Liab to Inventory (%). . 234.8 312.5 491.6 754.3 Total Liab to Net Worth (%) . 161.0 139.2 193.7 314.9 Fix Assets to Net Worth (%) . 137.7 161.5 228.9 295.3 (EFFICIENCY) Coll Period (days). . . . . . 103.1 34.3 51.6 67.8 Sales to Inventory. . . . . . 6.9 52.1 32.6 20.1 Assets to Sales (%) . . . . . 120.0 216.7 268.2 353.0 Sales to Net Working Cap. . . 5.5 7.2 3.1 1.7 Acct Pay to Sales (%) . . . . 16.8 6.2 10.9 15.4 (PROFITABILITY) Return on Sales (%) . . . . . 4.1 18.5 13.1 9.8 Return on Assets (%). . . . . 3.4 7.0 5.3 3.3 Return on Net Worth (%) . . . 9.0 19.7 15.7 12.6 Industry norms based on 504 firms, with assets over $5 million. END OF DOCUMENT Name & Address: AMERICAN TELEPHONE AND Trade-Style Name: 550 Madison Ave At & T NEW YORK, NY 10022 Telephone: 212-605-5300 DUNS Number: 00-698-0080 Line of Business: TELECOMMUNICATIONS SVCS TELE Primary SIC Code: 4811 Secondary SIC Codes: 4821 3661 3357 3573 5999 Year Started: 1885 (12/31/86) COMBINATION FISCAL Employees Total: 317,000 Sales: 34,087,000,000 Employees Here: 1,800 Net Worth: 14,462,000,000 This is a PUBLIC company HISTORY 04/20/87 JAMES E. OLSON, CHB-CEO+ ROBERT E. ALLEN, PRES-COO+ RANDALL L TOBIAS, V CHM+ CHARLES MARSHALL, V CHM+ MORRIS TANENBAUM, V CHM+ S. LAWRENCE PRENDERGAST, V PRES- TREAS C. PERRY COLWELL, V PRES- CONTROLLER DIRECTOR(S): The officers identified by (+) and Howard H. Baker Jr, James H. Evans, Peter F. Haas, Philip M. Hawley, Edward G. Jefferson, Belton K. Johnson, Juanita M. Kreps, Donald S. Perkins, Henry B. Schacht, Michael I. Sovern, Donald F. McHenry, Rawleigh Warner Jr, Joseph D. Williams and Thomas H. Wyman. Incorporated New York Mar 3 1885. Authorized capital consists of 1,200,000,000 shares common stock $1 par value and 100,000,000 shares preferred stock $1 par value. Outstanding Capital Stock at Feb 28 1987: 1,071,904,000 common shares and at Dec 31 1986 preferred stock outstanding consisted of redeemable preferred shares composed of 8,500,000 shares of $3.64 preferred stated value $50; 8,800,000 shares of $3.74 preferred, stated value $50 and 25,500 shares of $77.50 preferred, stated value $1,000. Business started 1885. The company's common stock is listed on the New York, Boston, Midwest, Philadelphia and Pacific Coast Stock Exchanges under the symbol "ATT". At Dec 31 1986 there were 2,782,102 common shareholders. At Jan 1 1986 officers and directors as a group owned less than 1% of the outstanding common stock with the remainder owned by the public. OLSON, born 1925. 1950 Univ of North Dakota, BSC. Also attended Univ of Pennsylvania. 1943-1946 United States Army Air Force. 1960-1970 Northwestern Bell Telephone Co, V Pres-Gen Mgr. 1970-1974 Indiana Bell Telephone Co, Pres. 1974-1977 Illinois Bell Telephone Co, Pres. 1977 to date AT&T, 1979 V Chb-Dir; Jun 1985 President, 1986 CHM. MARSHALL, born 1929, married. 1951 Univ of Illinois, BS; also attended Bradley Univ; 1953-present AT&T; 1980 Asst Treas, 1976 Vice Pres-Treas; 1985 Exec Vice President, 1986 V-CHM. TANENBAUM, born 1928 married. 1949 Johns Hopkins Univ, BA chemistry. 1950 Princeton Univ, MA chemistry. 1952 PhD in physical chemistry. 1952 to date AT&T, various positions, 1985 Ex Vice Pres, 1986 V-CHM. PRENDERGAST, born 1941 married. 1963 Brown Univ, BA. 1969 New York Univ, MBA. 1963-1973 Western Electric Company; 1973 to date AT&T, 1980 Asst Treas, 1984 V Pres-Treas. COLWELL, born 1927. Attended AT&T Institute of Technology. 1945-1947 U S Army. Employed by AT&T and its subsidiaries since 1948 in various positions. 1984 Vice Pres & Contr, AT&T Technologies Inc (subsidiary); 1985-present V Pres-Contr. ALLEN born 1935 married. 1957 Wabash College BA. Has held a vareity of executive position with former Bell Operating subsidiaries and AT&T subsidiaries. Appointed to current position in 1986. TOBIAS born 1943. 1964 Indiana University with a BS in Marketing. Has held a variety of management and executive positions with former Bell Operating subsidiaries and AT&T subsidiaries. Elected to current position in 1986. OTHER OFFICERS: James R. Billingsley, Sr V Pres Federal Regulation; Michael Brunner, Ex V Pres Federal Systems; Harold Burlingame, Sr V Pres Public Relations and Employee Information; Vittorio Cassoni, Sr V Pres Data Systems Division; Richard Holbrook, Sr V Pres Business Sales; Robert Kavner, Sr V Pres & CFO; Gerald Lowrie, Sr V Pres Public Affairs; John Nemecek, Ex V Pres Components & Electronic Systems; John O'Neill, Ex V Pres National Systems Products; Alfred Partoll, Sr V Pres External Affairs; John Segall, Sr V Pres Corporate Strategy & Development; Alexander Stack, Sr V Pres Communications Systems; Paul Villiere, Ex V Pres Network Systems Marketing and Customer Operations; John Zegler, Sr V Pres and General Counsel; and Lydell Christensen, Corp V Pres and Secretary. DIRECTORS: MCHENRY, research professor, Georgetown University. BAKER JR, partner, Vinson & Elkins and Baker, Worthington, Crossley, Stansberry & Woolf, attorneys. EVANS, former Chairman, Union Pacific Corporation. HAAS, Chairman, Levi Strauss & Company. HAWLEY, Chairman, Carter Hawley Hale Stores Inc. JEFFERSON, former Chairman, E.I. du Pont de Nemours and Company. JOHNSON, private investor and owner of The Chaparrosa Ranch. KREPS, former United States Secretary of Commerce. PERKINS, former Chairman, Jewel Companies Inc. SCHACHT, Chairman, Cummins Engine Company Inc. SOVERN, President, Columbia University. WARNER JR, former Chairman, Mobil Corporation. WILLIAMS, Chairman, Warner Lambert Company. WYMAN, former Chairman, CBS Inc. As a result of an antitrust action entered against American Telephone and Telegraph Company (AT&T) by the Department of Justice, AT&T agreed in Jan 1982 to break up its holdings. In Aug 1982, the U. S. District Court-District of Columbia, entered a consent decree requiring AT&T to divest itself of portions of its operations. The operations affected consisted of exchange telecommunications, exchange access functions, printed directory services and cellular radio telecommunications services. AT&T retained ownership of AT&T Communications Inc, AT&T Technologies Inc, Bell Telephone Laboratories Incorporated, AT&T Information Systems Inc, AT&T International Inc and those portions of the 22 Bell System Telephone Company subsidiaries which manufactured new customer premises equipment. The consent decree, with modifications, was agreed to by AT&T and the U. S. Department of Justice and approved by the U. S. Supreme Court in Feb 1983. In Dec 1982, AT&T filed a plan of reorganization, outlining the means of compliance with the divestiture order. The plan was approved by the court in Aug 1983 The divestiture completed on Jan 1 1984, was accomplished by the reorganization of the 22 principal AT&T Bell System Telephone Company subsidiaries under 7 new regional holding companies. Each AT&T common shareowner of record as of Dec 10 1983 received 1 share of common stock in each of the newly formed corporations for every 10 common shares of AT&T. AT&T common shareowners retained their AT&T stock ownership. The company has an ownership interest in certain ventures to include: (1) Owns 22% of the voting stock of Ing C. Olivetti & C., S.p.A. of Milan, Italy with which the company develops and markets office automation products in Europe. (2) Owns 50% of a joint venture with the N. V. Philips Company of the Netherlands organized to manufacture and market switching and transmission systems in Europe and elsewhere. (3) Owns 44% of a joint venture with the Goldstar Group of the Republic of Korea which manufactures switching products and distributes the company's 3B Family of Computers in Korea. The company also maintain stock interests in other concerns. In addition to joint venture activities described above, intercompany relations have also included occasional advances from subject. OPERATION 04/20/87 Through subsidiaries, provides intrastate, interstate and international long distance telecommunications and information transport services, a broad range of voice and data services including, Domestic and Long Distance Service, Wide Area Telecommunications Services (WATS), 800 Service, 900 Dial It Services and a series of low, medium and high speed digital voice and data services known as Accunet Digital Services. Also manufactures telephone communications equipment and apparatus, communications wire and cable, computers for use in communications systems, as well as for general purposes, retails and leases telephone communications equipment and provides research and development in information and telecommunications technology. The company is subject to the jurisdiction of the Federal Communications Commission with respect to interstate and international rates, lines, services and other matters. Terms: Net 30, cash and contract providing for progress payments with final payment upon completion. The company's AT&T Communications Inc subsidiary provides interstate and intrastate long distance communications services for 80 million residential customers and 7 million businesses. Sells to a wide variety of businesses, government agencies, individuals and others. Nonseasonal. EMPLOYEES: 317,000 including officers. 1,800 employed here. FACILITIES: Owns premises in multi story steel building in good condition. Premises neat. LOCATION: Central business section on main street. BRANCHES: The company's subsidiaries operate 19 major manufacturing plants located throughout the United States containing a total 26.2 million square feet of space of which 1.49 million square feet were in leased premises. There are 7 regional centers and 24 distribution centers. In addition, there are numerous domestic and foreign branch offices. SUBSIDIARIES: The company had numerous subsidiaries as of Dec 31 1986. Subsidiaries perform the various services and other functions described above. Its unconsolidated finance subsidiary, AT&T Credit Corporation, provides financing to customers through leasing and installment sales programs and purchases from AT&T's subsidiaries the rights to receivables under long-term service agreements. Intercompany relations consists of parent making occasional advances to subsidiaries and service transactions settled on a convenience basis. A list of principal subsidiaries as of Dec 31 1986 is on file at the Millburn, NJ office of Dun & Bradstreet. 08-27(9Z0 /61) 00703 001 678 NH Chemical Bank, 277 Park Ave; Marine Midland Bank, 140 Broadway; Chase Manhattan Bank, 1 Chase Manhattan Plaza 12/31/86 COMBINATION FISCAL (Figures are in THOUSANDS) FINANCIALS % COMPANY INDST COMPANY CHANGE % NORM % Total Current Assets. . . . . 15,572,000 (8.0) 40.0 22.0 Fixed Assets. . . . . . . . . 21,078,000 (4.7) 54.2 35.6 Other Non-current Assets. . . 2,233,000 55.9 5.7 42.4 Total Assets. . . . . . . . . 38,883,000 (3.9) 100.0 100.0 Total Current Liabilities . . 11,217,000 (2.4) 28.8 11.6 Other Long Term Liab. . . . . 13,204,000 38.2 34.0 46.8 Net Worth . . . . . . . . . . 14,462,000 (1.2) 37.2 35.2 Total Liabilities & Worth. . 38,883,000 (3.9) 100.0 100.0 Net Sales . . . . . . . . . . 34,087,000 (2.4) 100.0 100.0 Gross Profit. . . . . . . . . 15,838,000 ---- 46.5 40.1 RATIOS % ---INDUSTRY QUARTILES--- COMPANY CHANGE UPPER MEDIAN LOWER Quick Ratio . . . . . . . . . 0.9 (10.0) 2.9 1.2 0.6 Current Ratio . . . . . . . . 1.4 (6.7) 4.9 2.2 1.0 Total Liab to Net Worth (%) . 168.9 (4.3) 127.4 180.2 297.2 Sales to Inventory. . . . . . 9.7 32.9 56.2 33.8 20.0 Return on Sales (%) . . . . . 0.4 (91.1) 20.1 14.6 11.3 Return on Assets (%). . . . . 0.4 (89.5) 7.2 5.7 3.7 Return on Net Worth (%) . . . 1.0 (90.6) 19.0 15.9 12.8 Industry norms based on 469 firms, with assets over $5 million. End_of_File. % = % = % = % = % = % = % = % = = % P h r a c k X V I I % = = % = % = % = % = % = % = % = % Phrack Seventeen 07 April 1988 File 3 of 12 : Dun & Bradstreet Report on Pacific Telesis Pacific Telesis Credit File, taken from Dun & Bradstreet by Elric of Imrryr Name & Address: PACIFIC TELESIS GROUP (INC) 140 New Montgomery St SAN FRANCISCO, CA 94105 Telephone: 415-882-8000 DUNS Number: 10-346-0846 Line of Business: TELECOMMUNICATION SERVICES Primary SIC Code: 4811 Secondary SIC Codes: 2741 5063 5732 6159 Year Started: 1906 (12/31/86) COMBINATION FISCAL Employees Total: 74,937 Sales: 8,977,300,000 Employees Here: 2,000 Net Worth: 7,753,300,000 This is a PUBLIC company 12/31/86 COMBINATION FISCAL (Figures are in THOUSANDS) FINANCIALS % COMPANY INDST COMPANY CHANGE % NORM % Cash. . . . . . . . . . . . . 200,600 671.5 1.0 9.0 Accounts Receivable . . . . . 1,390,700 (3.8) 6.8 5.7 Notes Receivable. . . . . . . ---- ---- ---- 0.2 Inventory . . . . . . . . . . 116,300 (4.4) 0.6 1.3 Other Current Assets. . . . . 448,700 18.6 2.2 5.8 Total Current Assets. . . . . 2,156,300 9.3 10.6 22.0 Fixed Assets. . . . . . . . . 17,244,900 1.6 84.9 35.6 Other Non-current Assets. . . 919,300 53.8 4.5 42.4 Total Assets. . . . . . . . . 20,320,500 4.0 100.0 100.0 Accounts Payable. . . . . . . 1,760,300 74.1 8.7 4.2 Bank Loans. . . . . . . . . . 21,800 847.8 0.1 0.2 Notes Payable . . . . . . . . ---- ---- ---- 1.0 Other Current Liabilities . . 623,000 (35.8) 3.1 6.2 Total Current Liabilities . . 2,405,100 21.3 11.8 11.6 Other Long Term Liab. . . . . 5,564,600 (7.6) 27.4 46.8 Deferred Credits. . . . . . . 4,597,500 9.0 22.6 6.4 Net Worth . . . . . . . . . . 7,753,300 6.0 38.2 35.2 Total Liabilities & Worth. . 20,320,500 4.0 100.0 100.0 Net Sales . . . . . . . . . . 8,977,300 5.6 100.0 100.0 Gross Profit. . . . . . . . . ---- ---- ---- 40.1 Net Profit After Tax. . . . . 1,079,400 16.2 12.0 15.3 Dividends/Withdrawals . . . . 654,100 10.0 7.3 7.7 Working Capital . . . . . . . 248,800 (999.9) ---- ---- RATIOS % ---INDUSTRY QUARTILES--- COMPANY CHANGE UPPER MEDIAN LOWER (SOLVENCY) Quick Ratio . . . . . . . . . 0.7 ---- 2.9 1.2 0.6 Current Ratio . . . . . . . . 0.9 (10.0) 4.9 2.2 1.0 Curr Liab to Net Worth (%). . 31.0 14.4 13.2 26.4 38.1 Curr Liab to Inventory (%). . 999.9 26.9 244.8 475.8 675.0 Total Liab to Net Worth (%) . 162.1 (2.9) 127.4 180.2 297.2 Fix Assets to Net Worth (%) . 222.4 (4.1) 144.9 215.0 263.0 (EFFICIENCY) Coll Period (days). . . . . . 56.5 (9.0) 31.9 46.7 61.6 Sales to Inventory. . . . . . 77.2 10.6 56.2 33.8 20.0 Assets to Sales (%) . . . . . 226.4 (1.5) 210.5 266.1 373.4 Sales to Net Working Cap. . . ---- ---- 6.3 2.3 1.1 Acct Pay to Sales (%) . . . . 19.6 64.7 4.9 8.7 13.8 (PROFITABILITY) Return on Sales (%) . . . . . 12.0 10.1 20.1 14.6 11.3 Return on Assets (%). . . . . 5.3 10.4 7.2 5.7 3.7 Return on Net Worth (%) . . . 13.9 9.4 19.0 15.9 12.8 Industry norms based on 469 firms, with assets over $5 million. 12/31/85 COMBINATION FISCAL (Figures are in THOUSANDS) FINANCIALS % COMPANY INDST COMPANY CHANGE % NORM % Cash. . . . . . . . . . . . . 26,000 550.0 0.1 7.5 Accounts Receivable . . . . . 1,446,200 20.6 7.4 5.6 Notes Receivable. . . . . . . ---- ---- ---- 0.4 Inventory . . . . . . . . . . 121,700 ---- 0.6 1.2 Other Current Assets. . . . . 378,300 (8.3) 1.9 5.1 Total Current Assets. . . . . 1,972,200 22.1 10.1 19.8 Fixed Assets. . . . . . . . . 16,968,400 6.1 86.8 39.2 Other Non-current Assets. . . 597,700 29.4 3.1 41.0 Total Assets. . . . . . . . . 19,538,300 8.1 100.0 100.0 Accounts Payable. . . . . . . 1,011,100 14.6 5.2 4.9 Bank Loans. . . . . . . . . . 2,300 ---- ---- 0.3 Notes Payable . . . . . . . . ---- ---- ---- 0.8 Other Current Liabilities . . 969,900 18.6 5.0 5.9 Total Current Liabilities . . 1,983,300 (1.0) 10.2 11.9 Other Long Term Liab. . . . . 6,021,700 0.8 30.8 46.8 Deferred Credits. . . . . . . 4,216,300 16.6 21.6 6.8 Net Worth . . . . . . . . . . 7,317,000 12.9 37.4 34.5 Total Liabilities & Worth. . 19,538,300 8.1 100.0 100.0 Net Sales . . . . . . . . . . 8,498,600 8.6 100.0 100.0 Gross Profit. . . . . . . . . ---- ---- ---- 33.7 Net Profit After Tax. . . . . 929,100 12.1 10.9 14.0 Dividends/Withdrawals . . . . 594,400 11.9 7.0 13.0 Working Capital . . . . . . . 11,100 ---- ---- ---- RATIOS % ---INDUSTRY QUARTILES--- COMPANY CHANGE UPPER MEDIAN LOWER (SOLVENCY) Quick Ratio . . . . . . . . . 0.7 16.7 2.5 1.1 0.6 Current Ratio . . . . . . . . 1.0 25.0 3.8 1.9 0.9 Curr Liab to Net Worth (%). . 27.1 (12.3) 15.8 29.4 43.9 Curr Liab to Inventory (%). . 999.9 ---- 285.7 485.5 790.6 Total Liab to Net Worth (%) . 167.0 (6.7) 134.4 190.1 320.9 Fix Assets to Net Worth (%) . 231.9 (6.0) 148.4 219.0 289.5 (EFFICIENCY) Coll Period (days). . . . . . 62.1 11.1 31.5 47.2 63.8 Sales to Inventory. . . . . . 69.8 ---- 52.3 31.4 18.0 Assets to Sales (%) . . . . . 229.9 (0.5) 217.1 277.8 356.8 Sales to Net Working Cap. . . ---- ---- 6.0 2.7 1.6 Acct Pay to Sales (%) . . . . 11.9 5.3 6.1 10.4 15.7 (PROFITABILITY) Return on Sales (%) . . . . . 10.9 2.8 19.0 13.6 9.5 Return on Assets (%). . . . . 4.8 4.3 6.9 5.3 3.4 Return on Net Worth (%) . . . 12.7 (0.8) 19.7 15.8 12.7 Industry norms based on 605 firms, with assets over $5 million. 12/31/84 COMBINATION FISCAL (Figures are in THOUSANDS) FINANCIALS COMPANY INDST COMPANY % NORM % Cash. . . . . . . . . . . . . 4,000 ---- 6.6 Accounts Receivable . . . . . 1,198,800 6.6 6.3 Notes Receivable. . . . . . . ---- ---- 0.4 Inventory . . . . . . . . . . ---- ---- 1.2 Other Current Assets. . . . . 412,400 2.3 4.1 Total Current Assets. . . . . 1,615,200 8.9 18.6 Fixed Assets. . . . . . . . . 15,999,500 88.5 45.0 Other Non-current Assets. . . 461,800 2.6 36.4 Total Assets. . . . . . . . . 18,076,500 100.0 100.0 Accounts Payable. . . . . . . 882,100 4.9 5.2 Bank Loans. . . . . . . . . . ---- ---- 0.2 Notes Payable . . . . . . . . 304,000 1.7 1.0 Other Current Liabilities . . 817,600 4.5 5.5 Total Current Liabilities . . 2,003,700 11.1 11.9 Other Long Term Liab. . . . . 5,973,500 33.0 47.8 Deferred Credits. . . . . . . 3,617,000 20.0 6.5 Net Worth . . . . . . . . . . 6,482,300 35.9 33.8 Total Liabilities & Worth. . 18,076,500 100.0 100.0 Net Sales . . . . . . . . . . 7,824,300 100.0 100.0 Gross Profit. . . . . . . . . ---- ---- 28.1 Net Profit After Tax. . . . . 828,500 10.6 14.1 Dividends/Withdrawals . . . . 531,200 6.8 7.3 Working Capital . . . . . . . 388,500 ---- ---- RATIOS ---INDUSTRY QUARTILES--- COMPANY UPPER MEDIAN LOWER (SOLVENCY) Quick Ratio . . . . . . . . . 0.6 2.3 1.0 0.6 Current Ratio . . . . . . . . 0.8 3.4 1.6 0.9 Curr Liab to Net Worth (%). . 30.9 17.7 30.6 43.5 Curr Liab to Inventory (%). . ---- 312.5 491.6 754.3 Total Liab to Net Worth (%) . 178.9 139.2 193.7 314.9 Fix Assets to Net Worth (%) . 246.8 161.5 228.9 295.3 (EFFICIENCY) Coll Period (days). . . . . . 55.9 34.3 51.6 67.8 Sales to Inventory. . . . . . ---- 52.1 32.6 20.1 Assets to Sales (%) . . . . . 231.0 216.7 268.2 353.0 Sales to Net Working Cap. . . ---- 7.2 3.1 1.7 Acct Pay to Sales (%) . . . . 11.3 6.2 10.9 15.4 (PROFITABILITY) Return on Sales (%) . . . . . 10.6 18.5 13.1 9.8 Return on Assets (%). . . . . 4.6 7.0 5.3 3.3 Return on Net Worth (%) . . . 12.8 19.7 15.7 12.6 Industry norms based on 504 firms, with assets over $5 million. END OF DOCUMENT Name & Address: PACIFIC TELESIS GROUP (INC) 140 New Montgomery St SAN FRANCISCO, CA 94105 Telephone: 415-882-8000 DUNS Number: 10-346-0846 Line of Business: TELECOMMUNICATION SERVICES Primary SIC Code: 4811 Secondary SIC Codes: 2741 5063 5732 6159 Year Started: 1906 (12/31/86) COMBINATION FISCAL Employees Total: 74,937 Sales: 8,977,300,000 Employees Here: 2,000 Net Worth: 7,753,300,000 This is a PUBLIC company HISTORY 09/01/87 DONALD E GUINN, CHB PRES+ THEODORE J SAENGER, V CHB GROUP PRES+ SAM L GINN, V CHB+ JOHN E HULSE, V CHB CFO+ ROBERT V R DALENBERG, EX V PRES BENTON W DIAL, EX V PRES-HUM GEN COUNSEL SEC RESOURCES ARTHUR C LATNO JR, EX V PRES THOMAS G CROSS, V PRES TREAS FRANK V SPILLER, V PRES COMPTROLLER DIRECTOR(S): The officers identified by (+) and Norman Barker Jr, William P Clark, Willaim K Coblentz, Myron Du Bain, Herman E Gallegos James R Harvey, Ivan J Houston, Leslie L Luttgens, E L Mc Neely, S Donley Ritchey, Willaim French Smith & Mary S Metz. Incorporated Nevada Oct 26 1983. Authorized capital consists of 505,000,000 shares common stock, $.10 par value. OUTSTANDING CAPITAL STOCK: Consists of following at Dec 31 1986: 215,274,878 common shares at a stated value of $21.5 million plus additional paid in capital of $5,068.5 million. The stock is publicly traded on the New York, Pacific and Midwest Stock Exchanges. There were 1,170,161 common shareholders at Feb 1 1987. Officers and directors as a group hold less than 1% of stock. No other entity owned more than 5% of the common stock outstanding. The authorized capital stock was increased to $1,100,000,000 shares in 1987 by Charter Amendment. In addition, the company declared a two-for-one stock split in the form of a 100% stock dividend effective Mar 25 1987. BACKGROUND: This business was founded in 1906 as a California Corporation. The Pacific Telephone & Telegraph Company formed Dec 31 1906. Majority of the stock was held by American Telephone & Telegraph Co (A T & T), New York, NY, prior to divestiture. DIVESTITURE: Pursuant to a court oder of the U S District Court for the Distirict of Columbia, A T & T divested itself of the exchange, telecommunications, exchange access and printing directory advertising portions of its 22 wholly-owned subsidiary operating telephone companies, including the Pacific Telephone & Telegraph Company. A T & T retains ownership of the former A T & T long lines interstate organization, as well as those portions of the subsidiaries that provide interchange services and customer premises equipment. To accomplish the divestiture, this regional holding company was formed, which took over the applicable operations and assets of the Pacific Telephone & Telegraph Company and its subsidiary, Bell Telephone Company of Nevada. Stock in the subject was distributed to the shareholders of A T & T, who also retained their existing A T & T Stock. The divestiture was accomplished on Jan 1 1984. RECENT EVENTS:During Jun 1986, the company completed the acquisition of Communications Industries Inc, Dallas, TX. In Dec 1986, the company's wholly-owned subsidiary Pac Tel Cellular Inc of Michigan signed an agreement to purhcase five cellular telephone properties for $316 million plus certain contingent payments. These five systems operate under the name of Cellular One. This acquaition is subject to regulatory and court approval and final legal review. ------------------------OFFICERS------------------------. GUINN born 1932 married. 1954 received BSCE from Oregon State University. 1954-60 with The Pacific Telephone & Telegraph Company, San Francisco, CA. 1960-64 with Pacific Northwest Bell Telephone Co, Seattle, WA, as vice president. 1964-70 with A T & T. 1970-76 with Pacific Northwest Bell. 1976-80 with A T & T as vice president-network service. 1980 chairman and chief executive officer of The Pacific Telephone & Telegraph Company. 1984 with Pacific Telesis Group as chairman, president and chief executive officer. SAENGER born 1928 married. 1951 received BS from the University of California. 1946-47 in the U S Army. 1951-52 secretary and manager for the Oakland Junior Chamber of Commerce. 1950-70 held various positions with The Pacific Telephone & Telegraph Company. 1970-71 traffic operations director for Network Administration in New York, A T & T. 1971 with The Pacific Telephone & Telegraph Company. 1974 vice president. 1977 president. 1984 with Pacific Telesis Group as vice chairman and president, Pacific Bell. GINN born 1937 married. 1959 graduated from Auburn University. 1969 received MS from Stanford University. 1959-60 in the U S Army Signal Corps as captain. 1960 joined A T & T Long Lines. 1977 vice president-staff for A T & T Long Lines. 1978 joined The Pacific Telephone & Telegraph Company as executive vice president-network. 1983 vice chairman. 1984 with Pacific Telesis Group as vice chairman and group president, PacTel Companies. HULSE born 1933 married. 1955 received BS from the University of South Dakota. 1956-58 in the U S Army. 1958 joined Northwestern Bell Telephone Co. 1980 joined The Pacific Telephone & Telegraph Company as executive vice president and chief financial officer. 1983 vice chairman. 1984 with Pacific Telesis Group as vice chairman and chief financial officer. LATNO born 1929 married. Received BS degree from the University of Santa Clara. 1952 with Pacific Telephone & Telegraph Co. 1972 vice president-regulatory. 1975 executive vice president-external affairs. 1984 with Pacific Telesis Group as executive vice president-external affairs. DALENBERG born 1930 married. Graduated from the University of Chicago Law School and Graduate School of Business. 1956 admitted to practice at the Illinois Bar and in 1973 the California Bar. 1957-67 private law practice in Chicago, IL. 1967-72 general attorney for Illinois Bell. 1972-75 general attorney for The Pacific Telephone & Telegraph Company. 1975 associate general counsel. 1976 vice president and secretary-general counsel. 1984 with Pacific Telesis Group as executive vice president and general counsel-secretary. CROSS. Vice President and Treasurer and also Vice President of Pacific Bell. DIAL born 1929 married. 1951 received BA from Whittier College. 1961 received MS from California State University. 1951-53 in the U S Army. 1954 with The Pacific Telephone & Telegraph Company. 1973 vice president-regional staff and operations service for Southern California. 1976 vice president-customer operations in Los Angeles, CA. 1977 vice president-corporate planning. 1980 vice president-human resources. 1984 with Pacific Telesis Group as executive vice president-human resources. SPILLER born 1931 married. 1953 received BS from the University of California, San Francisco. 1954-56 in the U S Army as a second lieutenant. 1953 with The Pacific Telephone & Telegraph Company. 1977 assistant comptroller. 1981 assistant vice president-finance management. 1981 vice president and comptroller. 1984 with Pacific Telesis Group as vice president and comptroller. ---------------------OTHER DIRECTORS---------------------. BARKER. Retired chairman of First Interstate Bank Ltd. CLARK. Of counsel to the law firm of Rogers & Wells. COBLENTZ. Senior Partner in Coblentz, Cahen, Mc Cabe & Breyer, Attorneys, San Francisco, CA. DU BAIN. Chairman of SRI International. GALLEGOS. Management consultant. HARVEY. Chairman, and chief executive officer of Transamerica Corporation, San Francisco, CA. HOUSTON. Chairman and chief executive officer of Golden State Mutual Life Insurance Co. LUTTGENS. Is a community leader. MC NEELY. Chairman and chief executive officer of Oak Industries, Inc, San Diego, CA. RITCHEY. Retired Chairman of Lucky Stores Inc. SMITH. Partner in Gibson, Dunn & Crutcher, Attorneys. METZ. President of Mills College. OPERATION 09/01/87 Pacific Telesis Group is a regional holding company whose operations are conducted by subsidiaries. The company's two major subsidiaries, Pacific Bell and Nevada Bell, provide a wide variety of communications services in California and Nevada, including local exchange and toll service, network access and directory advertising, and provided over 90% of total 1986 revenues. Other subsidiaries, as noted below, are engaged in directory publishing, cellular mobile communications and services, wholesaling of telecommunications products, integrated systems and other services, retails communications equipment and supplies, financing services for products of affiliated customers, real estate development, and consulting. Specific percentages of these operations are not available but in the aggregate represent approximately 10%. Terms are net 30 days. Has over 11,000,000 accounts. Sells to the general public and commercial concerns. Territory :Worldwide. EMPLOYEES: 74,937 including officers. 2,000 employed here. Employees are on a consolidated basis as of Dec 31 1986. FACILITIES: Owns over 500,000 sq. ft. in 20 story concrete and steel building in good condition. Premises neat. LOCATION: Central business section on side street. BRANCHES: The subject maintains minor additional administrative offices in San Francisco, CA, but most operating branches are conducted by the operating subsidiaries, primarily Pacific Bell and Nevada Bell in their respective states. SUBSIDIARIES: Subsidiaries: The Company has the following principal operating subsidiaries, all wholly-owned either directly or indirectly. The telephone subsidiaries account for over 90% of the operating results. (1) Pacific Bell (Inc) San Francisco CA. Formed 1906 as a California corporation. Acquired in 1984 as part of the divestiture of AT&T. It is the company's largest subsidiary . It provides telecommunicaton services within its service area in California. (2) Nevada Bell (Inc) Reno NV. Incorporated in 1913. acquired from Pacific Bell in 1984 by the divestiture of its stock. Provides telecommunications, services in Nevada. (3) Pac Tel Cellular Inc, TX. Renamed subsidiary formerly known as Comminications Industries Inc. Acquired in 1986. Operates as a marketer of cellular and paging services. This subsidiary, in turn, has several primary subsidiaries as follows:. (a) Gen Com Incorporated. Provides personal paging services. (b) Multicom Incorporated. Markets paging services. (4) Pac Tel Personal Communications. Formed to eventually hold all of the company's cellular and paging operations. It is the parent of the following:. (c) Pac Tel Cellular supports the company's cellular activities. (d) Pac Tel Mobile Services-formed to rent and sell cellular CPE and paging equipment and resell cellular services, is now largely inactive. (5) Pac Tel Corporation, San Francisco CA began operations in Jan 1986 as a direct holding company subsidiary. It owns the stock of the following companies:. (e) Pac Tel Communications Companies-operates two primary divisions, Pac Tel Info Systems and Pac Tel Spectrum Services. (f) Pac Tel Finance-provides lease financing services. (g) Pac Tel Properties-engages in real estate transactions holding real estate valued at approximately $140 million at Dec 31 1986. (h) Pac Tel Publishing -inactive at present. (i) Pacific Telesis International-manages and operates telecommunicatin businesses in Great Britain, Japan, South Korea, Spain and Thailand. (6) Pac Tel Capital Resources, San Francisco, CA -provides funding through the sale of debt securities. INTERCOMPANY RELATIONS: Includes common management, intercompany services, inventory and equipment transactions, loans and advances. In addition, the debt of Pac Tel Capital Resources is backed by a support agreement from the parent with the debt unconditionally guaranteed for repayment without recourse to the stock or assets of the telephone subsidiaries or any interest therein. 08-27(1Z2 /27) 29709 052678678 H ANALYST: Dan Quinn 12/31/86 COMBINATION FISCAL (Figures are in THOUSANDS) FINANCIALS % COMPANY INDST COMPANY CHANGE % NORM % Total Current Assets. . . . . 2,156,300 9.3 10.6 22.0 Fixed Assets. . . . . . . . . 17,244,900 1.6 84.9 35.6 Other Non-current Assets. . . 919,300 53.8 4.5 42.4 Total Assets. . . . . . . . . 20,320,500 4.0 100.0 100.0 Total Current Liabilities . . 2,405,100 21.3 11.8 11.6 Other Long Term Liab. . . . . 5,564,600 (7.6) 27.4 46.8 Net Worth . . . . . . . . . . 7,753,300 6.0 38.2 35.2 Total Liabilities & Worth. . 20,320,500 4.0 100.0 100.0 Net Sales . . . . . . . . . . 8,977,300 5.6 100.0 100.0 Gross Profit. . . . . . . . . ---- ---- ---- 40.1 RATIOS % ---INDUSTRY QUARTILES--- COMPANY CHANGE UPPER MEDIAN LOWER Quick Ratio . . . . . . . . . 0.7 ---- 2.9 1.2 0.6 Current Ratio . . . . . . . . 0.9 (10.0) 4.9 2.2 1.0 Total Liab to Net Worth (%) . 162.1 (2.9) 127.4 180.2 297.2 Sales to Inventory. . . . . . 77.2 10.6 56.2 33.8 20.0 Return on Sales (%) . . . . . 12.0 10.1 20.1 14.6 11.3 Return on Assets (%). . . . . 5.3 10.4 7.2 5.7 3.7 Return on Net Worth (%) . . . 13.9 9.4 19.0 15.9 12.8 Industry norms based on 469 firms, with assets over $5 million. % = % = % = % = % = % = % = % = = % P h r a c k X V I I % = = % = % = % = % = % = % = % = % Phrack Seventeen 07 April 1988 File 4 of 12 : Nitrogen-Trioxide Explosives ------------------------------------------------------------------------------ Working notes on Nitrogen Tri-Iodide (NI-3) By: Signal Sustain INTRODUCTION This particular explosive is a real loser. It is incredibly unstable, dangerous to make, dangerous to work with, and you can't do much with it, either. A string of Black Cats is worth far more. At least you can blow up anthills with those. NI-3 is basically a compound you can make easily by mixing up iodine crystals and ammonia. The resulting precipitate is very powerful and very unstable. It is semi stable when wet (nothing you want to trust) and absolutely unstable when dry. When dry, anything will set it off, such as vibration, wind, sun, a fly landing on it. It has to be one of the most unstable explosives you can deal with. But it's easy to make. Anyone can walk into a chem supply house, and get a bottle of iodine, and and a supermarket, and get clear ammonia. Mix them and you're there. (See below for more on this) So, some of you are going to try it, so I might as well pass on some tips from hard experience. (I learned it was a loser by trying it). Use Small Batches First, make one very small batch first. Once you learn how powerful this stuff is, you'll see why. If you're mixing iodine crystals (that's right, crystals, iodine is a metal, a halogen, and its solid form is crystals; the junk they sell as "iodine" in the grocery store is about 3% iodine in a bunch of solvents, and doesn't work for this application), you want maybe 1/4 teaspoonful MAX, even less maybe. 1/4 TSP of this stuff is one hellacious bang; it rattled the windows for a block around when it went off in my back yard. So go with 1/4 TSP, if I can talk you into it. The reason is the instability of this compound. If you mix up two teaspoonfuls and it goes off in your hand, kiss your hand goodbye right down to the wrist. A bucketful would probably level any house you'll find. But 1/4 teaspoon, you might keep your fingers. Since I know you're not going to mix this stuff up with remote tools, keep the quantities small. This stuff is so unstable it's best to hedge your bets. Note: When holding NI3, try to hold with remote tools -- forceps? But if you have to pick it up, fold your thumb next to your first finger, and grip around with your fingers only. Do not grip the flask the conventional way, fingers on one side, thumb of the other. This way, if it goes, you may still have an opposing thumb, which is enough to get by with. The compound is far more stable when wet, but not certain-stable. That's why companies that make explosives won't use it; even a small chance of it blowing up is too dangerous. (They still lose dynamite plants every now and then, too, which is why they're fully automated). But when this stuff gets dry, look out. Heinlein says "A harsh look will set it off", and he isn't kidding. Wind, vibration, a breath across it, anything will trigger it off. (By the way, Heinlein's process, from SF book "Farnham's Freehold", doesn't work, either -- you can't use iodine liquid for this. You must use iodine crystals.) Don't Store It What's so wickedly dangerous is if you try to store the stuff. Say you put it in a cup. After a day, a crust forms around the rim of the liquid, and it dries out. You pick up the cup, kabang!, the crust goes off, and the liquid goes up from the shock. Your fingers sail into your neighbor's lawn. If you make this, take extreme pains to keep it all wet. At least stopper the testtube, so it can't evaporate. Making It Still want to make it? Okay. Get some iodine crystals at a chem supply store. If they ask, say you need to purify water for a camping trip, and they'll lecture you on better alternatives (halazone) but you can still get it. Or, tell them you've been elected to play Mr. Wizard, and be honest -- you'll probably get it too. Possession is not illegal. Get as little as possible. You need little and it's useless once you've tried it once. Aim for 1/4 teaspoonful. Second, get some CLEAR, NON SUDSY ammonia at the store, like for cleaning purposes (BUT NO SUDS! They screw things up, it doesn't make the NI-3). Third, pour ammonia in a bowl. Peeew! Nice smell. Fourth, add 1/4 TSP or less of iodine crystals. Note these crystals, which looks like instant coffee, will attack other metals, so look out for your tableware. Use plastic everything (Bowl, spoon) if you can. These crystals will also leave long-standing iodine stains on hands, and that's damned incriminating if there was just an NI-3 explosion and they're looking for who did it. Rubber gloves, please, dispose after use. Now the crystals will sort of spread out. Stir a little if need be. Be damned careful not to leave solution on the spoon that might dry. It'll go off if you do, believe me. (Experience). Let them spread out and fizzz. They will. Then after an hour or so there will be left some reddish-brown glop in the bottom of the clear ammonia. It's sticky like mud, hard to handle.. That's the NI-3. It is safe right now, as it is wet. (DO NOT LET A RIM FORM ON THE AMMONIA LIQUID!) Using It Now let's use up this junk right away and DON'T try to store it. Go put it outside someplace safe. In my high school, someone once sprinkled tiny, tiny bits (like individual crystals) in a hallway. Works good, it's like setting off a cap under someone's shoe after the stuff dries. You need far less than 1/4 TSP for this, too. Spread it out in the sun, let it dry. DO NOT DISTURB. If you hear a sudden CRACK!, why, it means the wind just blew enough to set it off, or maybe it just went off by itself. It does that too. It must be thoroughly dry to reach max instability where a harsh look sets it off. Of course the top crystals dry first, so heads up. Any sharp impact will set it off, wet or dry. While you're waiting for it to dry, go BURN the plastic cup and spoon you made it with. You'll hear small snapping noises as you do; this is the solution drying and going off in the flames. After two hours or so, toss rocks at the NI3 from a long ways away, and you'll see it go off. Purplish fumes follow each explosion. It's a sharp CRACK, you can't miss it. Anyway. Like I say, most people make this because the ingredients are so easily available. They make it, say what the hell do I do now?, and sprinkle tiny crystals in the hallway. Bang bang bang. And they never make it again, because you only get one set of fingers per hand, and most people want to keep them. Or they put it in door locks (while still in the "sludge" form), and wait for it to try. Next person who sticks a key in there has a big surprise. (This is also why most high school chem teachers lock up the iodine crystals.) Getting Rid Of It If you wash the NI-3 crystals down your kitchen sink, then you have to only wait for them to dry out and go off. They'll stick to the pipe (halogen property, there). I heard a set of pipes pop and crackle for days after this was done. I'd recommend going and throwing the mess into a vacant lots or something, and trying to set it off so no one else does accidentally. If you do this, good luck, and you've been warned. -- Signal Sustain ------------------------------------------------------------------------------ % = % = % = % = % = % = % = % = = % P h r a c k X V I I % = = % = % = % = % = % = % = % = % Phrack Seventeen 07 April 1988 File 5 of 12 : How to Hack Cyber Systems How To Hack A CDC Cyber By: ** Grey Sorcerer Index: 1. General Hacking Tips 2. Fun with the card punch 3. Getting a new user number the easy way 4. Hacking with Telex and the CDC's batch design 5. Grabbing a copy of the whole System 6. Staying Rolled In with BREAK 7. Macro Library 8. RJE Status Checks 9. The Worm 10. The Checkpoint/Restart Method to a Better Validation I'm going to go ahead and skip all the stuff that's in your CDC reference manuals.. what's a local file and all that. If you're at the point of being ready to hack the system, you know all that; if not, you'll have to get up to speed on it before a lot of this will make sense. Seems to me too many "how to hack" files are just short rewrites of the user manuals (which you should get for any serious penetration attempt anyway, or you'll miss lots of possibilities), without any tips on ways to hack the system. General hacking tips: Don't get caught. Use remote dialups if possible and never never use any user number you could be associated with. Also never re-use a user number. Remember your typical Cyber site has a zillion user numbers, and they can't watch every one. Hide in numbers. And anytime things get "hot", lay off for awhile. Magtapes are great. They hold about 60 Meg, a pile of data, and can hold even more with the new drives. You can hide a lot of stuff here offline, like dumps of the system, etc., to peruse. Buy a few top quality ones.. I like Black Watch tapes my site sells to me the most, and put some innocuous crap on the first few records.. data or a class program or whatever, then get to the good stuff. That way you'll pass a cursory check. Remember a usual site has THOUSANDS of tapes and cannot possibly be scanning every one; they haven't time. One thing about the Cybers -- they keep this audit trail called a "port log" on all PPU and CPU accesses. Normally, it's not looked at. But just remember that *everything* you do is being recorded if someone has the brains and the determination (which ultimately is from you) to look for it. So don't do something stupid like doing real work on your user number, log off, log right onto another, and dump the system. They WILL know. Leave No Tracks. Also remember the first rule of bragging: Your Friends Turn You In. And the second rule: If everyone learns the trick to increasing priority, you'll all be back on the same level again, won't you? And if you show just two friends, count on this: they'll both show two friends, who will show four... So enjoy the joke yourself and keep it that way. Fun With The Card Punch Yes, incredibly, CDC sites still use punch cards. This is well in keeping with CDC's overall approach to life ("It's the 1960's"). The first thing to do is empty the card punch's punchbin of all the little punchlets, and throw them in someone's hair some rowdy night. I guarantee the little suckers will stay in their hair for six months, they are impossible to get out. Static or something makes them cling like lice. Showers don't even work. The next thing to do is watch how your local installation handles punch card decks. Generally it works like this. The operators love punchcard jobs because they can give them ultra-low priority, and make the poor saps who use them wait while the ops run their poster-maker or Star Trek job at high priority. So usually you feed in your punchcard deck, go to the printout room, and a year later, out comes your printout. Also, a lot of people generally get their decks fed in at once at the card reader. If you can, punch a card that's completely spaghetti -- all holes punched. This has also been known to crash the cardreader PPU and down the system. Ha, ha. It is also almost certain to jam the reader. If you want to watch an operator on his back trying to pick pieces of card out of the reader with tweezers, here's your chance. Next, the structure of a card deck job gives lots of possibilities for fun. Generally it looks like this: JOB card: the job name (first 4 characters) User Card: Some user number and password -- varies with site EOR card: 7-8-9 are punched Your Batch job (typically, Compile This Fortran Program). You know, FTN. LGO. (means, run the Compiled Program) EOR card: 7-8-9 are punched The Fortran program source code EOR card: 7-8-9 are punched The Data for your Fortran program EOF card: 6-7-8-9 are punched. This indicates: (end of deck) This is extremely typical for your beginning Fortran class. In a usual mainframe site, the punchdecks accumulate in a bin at the operator desk. Then, whenever he gets to it, the card reader operator takes about fifty punchdecks, gathers them all together end to end, and runs them through. Then he puts them back in the bin and goes back to his Penthouse. GETTING A NEW USER NUMBER THE EASY WAY Try this for laughs: make your Batch job into: JOB card: the job name (first 4 characters) User Card: Some user number and password -- varies with site EOR card: 7-8-9 are punched COPYEI INPUT,filename: This copies everything following the EOR mark to the filename in this account. EOR Card: 7-8-9 are punched. Then DO NOT put an EOF card at the end of your job. Big surprise for the job following yours: his entire punch deck, with, of course, his user number and password, will be copied to your account. This is because the last card in YOUR deck is the end-of-record, which indicates the program's data is coming next, and that's the next person's punch deck, all the way up to -his- EOF card. The COPYEI will make sure to skip those pesky record marks, too. I think you can imagine the rest, it ain't hard. Hacking With Telex When CDC added timeshare to the punch-card batch-job designed Cyber machines, they made two types of access to the system: Batch and Telex. Batch is a punch-card deck, typically, and is run whenever the operator feels like it. Inside the system, it is given ultra low priority and is squeezed in whenever. It's a "batch" of things to do, with a start and end. Telex is another matter. It's the timeshare system, and supports up to, oh, 60 terminals. Depends on the system; the more RAM, the more swapping area (if you're lucky enough to have that), the more terminals can be supported before the whole system becomes slug-like. Telex is handled as a weird "batch" file where the system doesn't know how much it'll have to do, or where it'll end, but executes commands as you type them in. A real kludge. Because the people running on a CRT expect some sort of response, they're given higher priority. This leads to "Telex thrashing" on heavily loaded CDC systems; only the Telex users get anywhere, and they sit and fight over the machine's resources. The poor dorks with the punch card decks never get into the machine, because all the Telex users are getting the priority and the CPU. (So DON'T use punch cards.) Another good tip: if you are REQUIRED to use punch cards, then go type in your program on a CRT, and drop it to the automatic punch. Sure saves trying to correct those typos on cards.. When you're running under Telex, you're part of one of several "jobs" inside the system. Generally there's "TELEX," something to run the line printer, something to run the card reader, the mag tape drivers (named "MAGNET") and maybe a few others floating around. There's limited space inside a Cyber.. would you believe 128K 60-bit words?.. so there's a limited number of jobs that can fit. CDC put all their effort into "job scheduling" to make the best of what they had. You can issue a status command to see all jobs running; it's educational. Anyway, the CDC machines were originally designed to run card jobs with lots of magtape access. You know, like IRS stuff. So they never thought a job could "interrupt," like pressing BREAK on a CRT, because card jobs can't. This gives great possibilities. Like: Grabbing a Copy Of The System For instance. Go into BATCH mode from Telex, and do a Fortran compile. While in that, press BREAK. You'll get a "Continue?" verification prompt. Say no, you'd like to stop. Now go list your local files. Whups, there's a new BIG one there. In fact, it's a copy of the ENTIRE system you're running on -- PPU code, CPU code, ALL compilers, the whole shebang! Go examine this local file; you'll see the whole bloody works there, mate, ready to play with. Of course, you're set up to drop this to tape or disk at your leisure, right? This works because the people at CDC never thought that a Fortran compile could be interrupted, because they always thought it would be running off cards. So they left the System local to the job until the compile was done. Interrupt the compile, it stays local. Warning: When you do ANYTHING a copy of your current batch process shows up on the operator console. Typically the operators are reading Penthouse and don't care, and anyway the display flickers by so fast it's hard to see. But if you copy the whole system, it takes awhile, and they get a blow-by-blow description of what's being copied. ("Hey, why is this %^&$^ on terminal 29 copying the PPU code?") I got nailed once this way; I played dumb and they let me go. ("I thought it was a data file from my program"). Staying "Rolled In" When the people at CDC designed the job scheduler, they made several "queues." "Queues" are lines. There's: 1. Input Queue. Your job hasn't even gotten in yet. It is standing outside, on disk, waiting. 2. Executing Queue. Your job is currently memory resident and is being executed, although other jobs currently in memory are competing for the machine as well. At least you're in memory. 3. Timed/Event Rollout Queue: Your job is waiting for something, usually a magtape. Can also be waiting for a given time. Yes, this means you can put a delayed effect job into the system. Ha, ha. You are on disk at this point. 4. Rollout Queue: Your job is waiting its turn to execute. You're out on disk right now doing nothing. Anyway, let's say you've got a big Pascal compile. First, ALWAYS RUN FROM TELEX (means, off a CRT). Never use cards. If you use cards you're automatically going to be low man on the priority schedule, because the CPU doesn't *have* to get back to you soon. Who of us has time to waste? Okay, do the compile. Then do a STATUS on your job from another machine. Typically you'll be left inside the CPU (EXECUTE) for 10 seconds, where you'll share the actual CPU with about 10-16 other jobs. Then you'll be rolled-out (ROLLOUT), at which time you're phucked; you have to wait for your priority to climb back up before it'll execute some more of your job. This can take several minutes on a deeply loaded system. (All jobs have a given priority level, which usually increments every 10 sec or so, until they start executing). Okay, do this. Press BREAK, then at the "Continue?" prompt, say yes. What happened? Telex had to "roll your job in" to process the BREAK! So you get another free 10 seconds of CPU -- which can get a lot done. If you sit and hit BREAK - Y every 10 sec or so during a really big job, you will just fly through it. Of course, everyone else will be sitting and staring at their screen, doing nothing, because you've got the computer. If you're at a school with a Cyber, this is how to get your homework done at high speed. Macro Library If you have a typical CDC site, they won't give you access to the "Macro library." This is a set of CPU calls to do various things -- open files, do directory commands, and whatnot. They will be too terrified of "some hacker." Reality: The dimbulbs in power don't want to give up ANY of their power to ANYONE. You can't really do that much more with the Macro library, which gives assembly language access to the computer, than you can with batch commands.. except what you do leaves lots less tracks. They REALLY have to dig to find out what your program did if you use Macro calls.. they have to go to PPU port logs, which is needle in a haystack sort of stuff, vs. batch file logs, which are real obvious. Worry not. Find someone at Arizona State or Minnesota U. that's cool, and get them to send you a tape of the libraries. You'll get all the code you can stand to look at. By the way they have a great poster tape... just copy the posters to the line printer. Takes a long time to print them but it's worth it. (They have all the classic ones.. man on the moon, various playmates, Spock, etc. Some are 7 frames wide!). With the Macro library, you can do many cool things. The best is a demon scanner. All CDC user numbers have controlled access for other users to individual files -- either private, (no access to anyone else), semiprivate (others can read it but a record is made), or public (anyone can diddle your files, no record). What you want is a program (fairly easy to do in Fortran) that counts through user numbers, doing directory commands. If it finds anything, it checks for non semi-private (so no records are made), then copies it to you. You'll find the damnedest stuff, I guarantee it. Try to watch some system type signing in and get the digits of his user number, then scan variations beginning with that user #. For instance, if he's a SYS1234, then scan all user #'s beginning with SYS (sysaaaa to sys9999). Since it's all inside the Fortran program, the only record, other than hard-to-examine PPU logs, is a "Run Fortran Program" ("LGO.") on the batch dayfile. If you're not giving the overworked system people reason to suspect that commonplace, every-day student Fortran compile is anything out of the ordinary, they will never bother to check -- the amount of data in PPU logs is OVERWHELMING. But you can get great stuff. There's a whole cool library of Fortran-callable routines to do damned near anything a batch command could do in the Minnesota library. Time to get some Minnesota friends -- like on UseNet. They're real cooperative about sending out tapes, etc. Generally you'll find old files that some System Type made public one day (so a buddy could copy them) then forgot about. I picked off all sorts of stuff like this. What's great is I just claimed my Fortran programs were hanging into infinite loops -- this explained the multi-second CPU execution times. Since there wasn't any readily available record of what I was up to, they believed it. Besides, how many idiot users really DO hang into loops? Lots. Hide in numbers. I got Chess 4.2 this way -- a championship Chess program -- and lots of other stuff. The whole games library, for instance, which was blocked from access to mere users but not to sysfolk. Again, they *can* track this down if you make yourself obnoxious (it's going to be pretty obvious what you're doing if there's a CAT: SYSAAAA CAT: SYSAAAB CAT: SYSAAAC .. etc. on your PPU port log) so do this on someone else's user number. RJE Status Checks Lots of stupid CDC installations.. well, that doesn't narrow the field much.. have Remote Job Entry stations. Generally at universities they let some poor student run these at low pay. What's funny is these RJE's can do a status on the jobs in the system, and the system screeches to a halt while the status is performed. It gets top priority. So, if you want to incite a little rebellion, just sit at your RJE and do status requests over and over. The system will be even slower than usual. The Worm Warning: This is pretty drastic. It goes past mere self-defense in getting enough priority to get your homework done, or a little harmless exploration inside your system, to trying to drop the whole shebang. It works, too. You can submit batch jobs to the system, just as if you'd run them through the punchcard reader, using the SUBMIT command. You set up a data file, then do SUBMIT datafile. It runs separate from you. Now, let's say we set up a datafile named WORM. It's a batch file. It looks like this: JOB USER,blah (whatever -- a user number you want crucified) GET,WORM; get a copy of WORM SUBMIT,WORM.; send it to system SUBMIT,WORM.; send it to system SUBMIT,WORM.; send it to system SUBMIT,WORM.; send it to system SUBMIT,WORM.; send it to system SUBMIT,WORM.; send it to system SUBMIT,WORM.; send it to system SUBMIT,WORM.; send it to system SUBMIT,WORM.; send it to system SUBMIT,WORM.; send it to system SUBMIT,WORM.; send it to system SUBMIT,WORM.; send it to system SUBMIT,WORM.; send it to system SUBMIT,WORM.; send it to system SUBMIT,WORM.; send it to system SUBMIT,WORM.; send it to system (16 times) (end of file) Now, you SUBMIT WORM. What happens? Worm makes 16 copies of itself and submits those. Those in turn make 16 copies of themselves (now we're up to 256) and submit those. Next pass is 4096. Then 65536. Then... Now, if you're really good, you'll put on your "job card" a request for high priority. How? Tell the system you need very little memory and very little CPU time (which is true, Submit takes almost nothing at all). The scheduler "squeezes" in little jobs between all the big ones everyone loves to run, and gives ultra-priority to really tiny jobs. What happens is the system submits itself to death. Sooner or later the input queue overflows .. there's only so much space .. and the system falls apart. This is a particularly gruesome thing to do to a system, because if the guy at the console (count on it) tries the usual startup, there will still be copies of WORM in the input queue. First one of those gets loose, the system drops again. With any luck the system will go up and down for several hours before someone with several connected brain cells arrives at the operator console and coldstarts the system. If you've got a whole room full of computer twits, all with their hair tied behind them with a rubber band into a ponytail, busily running their Pascal and "C" compiles, you're in for a good time. One second they will all be printing -- the printers will be going weep-weep across the paper. Next second, after you run, they will stop. And they will stay stopped. If you've done it right they can't get even get a status. Ha, ha. The faster the CPU, the faster it will run itself into the ground. CDC claims there is a limit on the number of jobs a user number can have in the system. As usual they blew it and this limit doesn't exist. Anyway, it's the input queue overflow that kills things, and you can get to the input queue without the # of jobs validation check. Bear in mind that *anything* in that batch file is going to get repeated ten zillion times at the operator console as the little jobs fly by by the thousands. So be sure to include some charming messages, like: job,blah user,blah * eat me! get,worm submit,worm .. etc. There will now be thousands of little "eat me!"'s scrolling across the console as fast as the console PPU can print them. Generally at this point the operator will have his blood pressure really spraying out his ears. Rest assured they will move heaven and earth to find you. This includes past dayfiles, user logs, etc. So be clean. Remember, "Revenge is a dish best served cold." If you're mad at them, and they know it, wait a year or so, until they are scratching their heads, wondering who hates them this much. Also: make sure you don't take down a really important job someone else is doing, okay? Like, no medical databases, and so forth. Now, for a really deft touch, submit a timed/event job. This "blocks" the job for awhile, until a given time is reached. Then, when you're far, far away, with a great alibi, the job restarts, the system falls apart, and you're clear. If you do the timed/event rollout with a Fortran program macro call, it won't even show up on the log. (Remember that the System Folk will eventually realize, in their little minds, what you've done. It may take them a year or two though). CHECKPOINT / RESTART I've saved the best for last. CDC's programmers supplied two utilities, called CheckPoint and Restart, primarily because their computers kept crashing before they would finish anything. What Checkpoint does is make a COMPLETE copy of what you're doing - all local files, all of memory, etc. -- into a file, usually on a magtape. Then Restart "restarts" from that point. So, when you're running a 12 hour computer job, you sprinkle checkpoints throughout, and if the CDC drops, you can restart from your last CKP. It's like a tape backup of a hard disk. This way, you only lose the work done on your data between the last checkpoint and now, rather than the whole 12 hours. Look, this is real important on jobs that take days -- check out your local IRS for details.. Now what's damned funny is if you look closely at the file Checkpoint generates, you will find a copy of your user validations, which tell everything about you to the system, along with the user files, memory, etc. You'll have to do a little digging in hex to find the numbers, but they'll match up nicely with the display you of your user validations from that batch command. Now, let's say you CKP,that makes the CKP file. Then run a little FORTRAN program to edit the validations that are inside that CKP-generated file. Then you RESTART from it. Congratulations. You're a self made man. You can do whatever you want to do - set your priority level to top, grab the line printer as your personal printer, kick other jobs off the system (it's more subtle to set their priority to zilch so they never execute), etc. etc. You're the operator. This is really the time to be a CDC whiz and know all sorts of dark, devious things to do. I'd have a list of user numbers handy that have files you'd like made public access, so you can go in and superzap them (then peruse them later from other signons), and so forth. There's some gotchas in here.. for instance, CKP must be run as part of a batch file out of Telex. But you can work around them now that you know the people at CDC made RESTART alter your user validations. It makes sense in a way. If you're trying to restart a job you need the same priority, memory, and access you had when trying to run it before. Conclusion There you have it, the secrets of hacking the Cyber. They've come out of several years at a college with one CDC machine, which I will identify as being somewhere East. They worked when I left; while CDC may have patched some of them, I doubt it. They're not real fast on updates to their operating system. ** Grey Sorcerer % = % = % = % = % = % = % = % = = % P h r a c k X V I I % = = % = % = % = % = % = % = % = % Phrack Seventeen 07 April 1988 File 6 of 12 : How to Hack HP2000's How to Hack an HP 2000 By: ** Grey Sorcerer Okay, so you've read the HP-2000 basic guides, and know your way around. I will not repeat all that. There's two or three things I've found that allow you through HP 2000 security. 1. When you log in, a file called HELLO on the user number Z999 is run. A lot of time this file is used to deny you access. Want in? Well, it's just a BASIC program, and an be BREAKed.. but, usually the first thing they do in that program is turn Breaks (interrupts) off by the BRK(0) function. However, if you log in like this: HELLO-D345,PASS (return) (break) With the break nearly instantly after the return, a lot of time, you'll abort the HELLO program, and be home free. 2. If you can create a "bad file", which takes some doing, then anytime you try to CSAVE this file (compile and save), the system will quickly fade into a hard crash. 3. How to make a bad file and other goodies: The most deadly hole in security in the HP2000 is the "two terminal" method. You've got to understand buffers to see how it works. When you OPEN a file, or ASSIGN it (same thing), you get 256 bytes of the file -- the first 256. When you need anymore, you get 256 more. They are brought in off the disk in discrete chunks. They are stored in "buffers." So. Save a bunch of junk to disk -- programs, data, whatever. Then once your user number is full, delete all of it. The effect is to leave the raw jumbled data on disk. Pick a time when the system is REAL busy, then: 1. Have terminal #1 running a program that looks for a file to exist (with the ASSIGN) statement as quickly as it can loop. If it finds the file there, it goes to the very end of the file, and starts reading backwards, record by record, looking for data. If it finds data, it lets you know, and stops at an input prompt. It is now running. 2. Have terminal #2 create a really huge data file (OPEN-FILE, 3000) or however it goes. What happens is terminal #2's command starts zeroing all the sectors of the file, starting at file start. But it only gets so far before someone else needs the processor, and kicks #2 out. The zeroing stops for a sec. Terminal #1 gets in, finds the file there, and reads to the end. What's there? Old trash on disk. (Which can be mighty damned interesting by the way -- did you know HP uses a discrete mark to indicate end-of-buffer? You've just maybe got yourself a buffer that is as deep as system memory, and if you're clever, you can peek or poke anywhere in memory. If so, keep it, it is pure gold). But. Back to the action. 3. Terminal #2 completes the OPEN. He now deletes the file. This leaves Terminal #1 with a buffer full of data waiting to be dumped back to disk at that file's old disk location. 4. Terminal #2 now saves a load of program files, as many as are required to fill up the area that was taken up by the deleted big file. 5. You let Terminal #1 past the input prompt, and it writes its buffer to disk. This promptly overlays some program just stored there. Result: "bad program." HPs are designed with a syntax checker and store programs in token; a "bad program" is one that the tokens are screwed up in. Since HP assumes that if a program is THERE, it passed the syntax check, it must be okay... it's in for big problems. For a quick thrill, just CSAVE it.. system tries to semi-compile bad code, and drops. Really, the classier thing to do with this is to use the "bottomless buffer" to look through your system and change what you don't like.. maybe the password to A000? Write some HP code, look around memory, have a good time. It can be done. ** Grey Sorcerer % = % = % = % = % = % = % = % = = % P h r a c k X V I I % = = % = % = % = % = % = % = % = % Phrack Seventeen 07 April 1988 File 7 of 12 : Accessing Government Computers +++++++++++++++++++++++++++++++++++++++ + ACCESSING GOVERNMENT COMPUTERS + + (LEGALLY!) + +-------------------------------------+ + Written by The Sorceress + + (The Far Side 415/471-1138) + +++++++++++++++++++++++++++++++++++++++ Comment: I came across this article in Computer Shopper (Sept. 1987) and it talked about citizens access government computers since we do pay for them with our taxpayers monies. Since then, I have had friends and gone on a few myself and the databases are full of information for accessing. One thing, you usually have to call the sysop for access and give him your real name, address and the like. They call you back and verify your existence. Just a word of warning; crashing a BBS is a crime, so I wouldn't fool with these since they are government based. ----------------------------------------------------------------------------- National Bureau of Standards - Microcomputers Electronic Information Exchange. Sysops: Ted Landberg & Lisa Carnahan Voice: 301-975-3359 Data: 301-948-5717 300/1200/2400 This BBS is operated by the Institute for Computer Sciences and Technology which is one of four technical organizations within the National Bureau of Standards. This board also contains information on the acquisition, management, security, and use of micro computers. ----------------------------------------------------------------------------- Census Bureau - Census Microcomputer and Office Technology Center, Room 1065 FB-3 Washington, D.C. (Suitland, MD) Sysop: Nevins Frankel Voice: 301-763-4494 Data: 301-763-4576 300/1200 The purpose of this BBS is to allow users to access the following: Census Microcomputer and office technology information center bulletins and catalogues, software and hardware evaluations, Hardware and software inventories, Census computer club library, Public Domain software, etc. ----------------------------------------------------------------------------- Census Bureau - Census Microcomputer and Office Technology Center, Personnel Division, Washington DC. Voice: 301-763-4494 Data: 301-763-4574 300/1200/2400 The purpose of this board is to display Census Bureau vacancies from entry level to senior management. ----------------------------------------------------------------------------- Department of Commerce - Office of the Under Secretary for Economic Affairs, Office of Business Analysis, Economic Bulletin Board. Sysop: Ken Rogers Voice: 202-377-0433 Data: 202-377-3870 300/1200 This is another well run BBS with in-depth news about the Department of Commerce Economic Affairs Agencies including current press releases and report summaries. ----------------------------------------------------------------------------- COE BBS - Manpower and Force Management Division, Headquarters, U.S. Army Corps of Engineers, 20 Massachusetts Ave. NW, Washington, DC. Sysop: Rich Courney Voice: 202-272-1646 Data: 202-272-1514 300/1200/2400 The files database was one of the largest they ever seen. Directory 70 has programs for designing masonry and retaining walls using Lotus's Symphony. ----------------------------------------------------------------------------- General Services Administration - Information Resources Service Center. Data: 202-535-8054 300 bps Data: 202-535-7661 1200 bps GSA's Information Resources Service Center provides information on contracts, schedules, policies, and programs. One of the areas that is interesting was the weekly supplement to the consolidated list of debarred, suspended and ineligible contractors. ----------------------------------------------------------------------------- Budget and Finance Board of the Office of Immigration Naturalization Service. DO NOT CALL THIS BBS DURING WORKING HOURS. Sysop: Mike Arnold Data: 202-787-3460 300/1200/2400 The system is devoted to the exchange of information related to budget and financial management in the federal government. It is a 'working' system for the Immigration and Naturalization Service personnel. ----------------------------------------------------------------------------- Naval Aviation News Computer Information (NANei) - Supported by: Naval Aviation News Magazine, Bldg. 159E, Navy Yard Annex, Washington, DC 20374. Sysop: Commander Howard Wheeler Voice: 202-475-4407 Data: 202-475-1973 300/1200 Available from 5 pm to 8 am. weekdays 5pm Friday to 8 am Monday This is a large BBS with lots of Navy related information and programs. NANci is for those interested in stories, facts, and historical information related to Naval Aviation. ----------------------------------------------------------------------------- Federal National Mortgage Association - Sysop: Ken Goosens Data: 202-537-7475 202-537-7945 300/1200 This BBS is in transition. Ken Gossens will be running a new BBS at 703-979-6360. The BBS maybe become a closed board under the new sysop. This BBS has/had one of largest collections of files for downloading. ----------------------------------------------------------------------------- The World Bank, Information, Technology and Facilities Department, Office System Division, Washington DC. Sysop: Ashok Daswani Voice: 202-473-2237 Data: 202-676-0920 300/1200 Basically a software exchange BBS, but has other information about the use of microcomputers and software supported by World Bank. IBM product announcements also kept up to date. ----------------------------------------------------------------------------- National Oceanic Atmospheric Administration (NOAA), National Meteorological Center. * You must obtain a password from the SYSOP to log on to this BBS. Sysop: Vernon Patterson Voice: 301-763-8071 Data: 301-899-0825 300 bps 301-899-0830 1200 bps This is one of the most useful databases available on-line. With it you can access meteorological data collected form 6000 locations throughout the world. It can also display crude, but useful graphic maps of the US illustration temperatures, precipitation and forecasts. ----------------------------------------------------------------------------- National Weather Service, US Dept. of Commerce, East Coast Marine Users BBS * You must obtain a p/w from the SYSOP to logon this BBS. Sysop: Ross Laporte Voice: 301-899-3296 Data: 301-454-8700 300bps Use this BBS to obtain info about marine weather and nautical info about coastal waterways including topical storm advisories. ----------------------------------------------------------------------------- NARDAC, Navy Regional Data Automation Center, Norfolk, VA. 23511-6497 Sysop: Jerry Dew Voice: 804-445-4298 Data: 804-445-1627 300 & 1200 bps A basic Utilitarian system developed to support the informational needs of NARDAC. The Dept. of Defense mag., CHIPS is available in the files section of this BBS. There are also Navy and IBM related articles to read. ----------------------------------------------------------------------------- Veterans Administration, Info Technology Bulletin Board. Data: 202-376-2184 300/1200 bps The content of this BBS ranges from job opening listings to information computer security. ----------------------------------------------------------------------------- Dept. of Energy, Office of Civilian Radioactive Waste Management, Infolink. Sysop: Bruce Birnbaum Voice: 202-586-9707 Data: 202-586-9359 300/1200 bps This BBS has press leases, fact sheets, backgrounders, congressional questions, answers, speeches & testimony, from the Office of Civilian Radioactive Waste Management. ----------------------------------------------------------------------------- I skipped listing a few of the BBSes in this article if the chances were slim to get on or if the BBS got a bad review. Most of the ones listed seemed to have lot of informative files for downloading and viewing pleasure. This article carried a very strong word of warning about tampering/crashing these since they are run by the govt. and a volunteer Sysop. Since you can get on these legally why not use it? The Sorceress % = % = % = % = % = % = % = % = = % P h r a c k X V I I % = = % = % = % = % = % = % = % = % Phrack Seventeen 07 April 1988 File 8 of 12 : Dialback Modem Security In article <906@hoptoad.uucp> gnu@hoptoad.UUCP writes: >Here are the two messages I have archived on the subject... >[I believe the definitive article in that discussion was by Lauren Weinstein, >vortex!lauren; perhaps he has a copy. What follows is the original article that started the discussion. I do not know whether it qualifies as the "definitive article" as I think I remember Lauren and I both posted further comments. - Dave ** ARTICLE FOLLOWS ** ------------------------------------------------------------------------------ An increasingly popular technique for protecting dial-in ports from the ravages of hackers and other more sinister system penetrators is dial back operation wherein a legitimate user initiates a call to the system he desires to connect with, types in his user ID and perhaps a password, disconnects and waits for the system to call him back at a prearranged number. It is assumed that a penetrator will not be able to specify the dial back number (which is carefully protected), and so even if he is able to guess a user-name/password pair he cannot penetrate the system because he cannot do anything meaningful except type in a user-name and password when he is connected to the system. If he has a correct pair it is assumed the worst that could happen is a spurious call to some legitimate user which will do no harm and might even result in a security investigation. Many installations depend on dial-back operation of modems for their principle protection against penetration via their dial up ports on the incorrect presumption that there is no way a penetrator could get connected to the modem on the call back call unless he was able to tap directly into the line being called back. Alas, this assumption is not always true - compromises in the design of modems and the telephone network unfortunately make it all too possible for a clever penetrator to get connected to the call back call and fool the modem into thinking that it had in fact dialed the legitimate user. The problem areas are as follows: Caller control central offices Many older telephone central office switches implement caller control in which the release of the connection from a calling telephone to a called telephone is exclusively controlled by the originating telephone. This means that if the penetrator simply failed to hang up a call to a modem on such a central office after he typed the legitimate user's user-name and password, the modem would be unable to hang up the connection. Almost all modems would simply go on-hook in this situation and not notice that the connection had not been broken. If the same line was used to dial out on as the call came in on, when the modem went to dial out to call the legitimate user back the it might not notice (there is no standard way of doing so electrically) that the penetrator was still connected on the line. This means that the modem might attempt to dial and then wait for an answerback tone from the far end modem. If the penetrator was kind enough to supply the answerback tone from his modem after he heard the system modem dial, he could make a connection and penetrate the system. Of course some modems incorporate dial tone detectors and ringback detectors and in fact wait for dial tone before dialing, and ringback after dialing but fooling those with a recording of dial tone (or a dial tone generator chip) should pose little problem. Trying to call out on a ringing line Some modems are dumb enough to pick up a ringing line and attempt to make a call out on it. This fact could be used by a system penetrator to break dial back security even on joint control or called party control central offices. A penetrator would merely have to dial in on the dial-out line (which would work even if it was a separate line as long as the penetrator was able to obtain it's number), just as the modem was about to dial out. The same technique of waiting for dialing to complete and then supplying answerback tone could be used - and of course the same technique of supplying dial tone to a modem which waited for it would work here too. Calling the dial-out line would work especially well in cases where the software controlling the modem either disabled auto-answer during the period between dial-in and dial-back (and thus allowed the line to ring with no action being taken) or allowed the modem to answer the line (auto-answer enabled) and paid no attention to whether the line was already connected when it tried to dial out on it. The ring window However, even carefully written software can be fooled by the ring window problem. Many central offices actually will connect an incoming call to a line if the line goes off hook just as the call comes in without first having put the 20 hz. ringing voltage on the line to make it ring. The ring voltage in many telephone central offices is supplied asynchronously every 6 seconds to every line on which there is an incoming call that has not been answered, so if an incoming call reaches a line just an instant after the end of the ring period and the line clairvoyantly responds by going off hook it may never see any ring voltage. This means that a modem that picks up the line to dial out just as our penetrator dials in may not see any ring voltage and may therefore have no way of knowing that it is connected to an incoming call rather than the call originating circuitry of the switch. And even if the switch always rings before connecting an incoming call, most modems have a window just as they are going off hook to originate a call when they will ignore transients (such as ringing voltage) on the assumption that they originate from the going-off-hook process. [The author is aware that some central offices reverse battery (the polarity of the voltage on the line) in the answer condition to distinguish it from the originate condition, but as this is by no means universal few if any modems take advantage of the information supplied] In Summary It is thus impossible to say with any certainty that when a modem goes off hook and tries to dial out on a line which can accept incoming calls it really is connected to the switch and actually making an outgoing call. And because it is relatively easy for a system penetrator to fool the tone detecting circuitry in a modem into believing that it is seeing dial tone, ringback and so forth until he supplies answerback tone and connects and penetrates system security should not depend on this sort of dial-back. Some Recommendations Dial back using the same line used to dial in is not very secure and cannot be made completely secure with conventional modems. Use of dithered (random) time delays between dial in and dial back combined with allowing the modem to answer during the wait period (with provisions made for recognizing the fact that this wasn't the originated call - perhaps by checking to see if the modem is in originate or answer mode) will substantially reduce this window of vulnerability but nothing can completely eliminate it. Obviously if one happens to be connected to an older caller control switch, using the same line for dial in and dial out isn't secure at all. It is easy to experimentally determine this, so it ought to be possible to avoid such situations. Dial back using a separate line (or line and modem) for dialing out is much better, provided that either the dial out line is sterile (not readily traceable by a penetrator to the target system) or that it is a one way line that cannot accept incoming calls at all. Unfortunately the later technique is far superior to the former in most organizations as concealing the telephone number of dial out lines for long periods involves considerable risk. The author has not tried to order a dial out only telephone line, so he is unaware of what special charges might be made for this service or even if it is available. A final word of warning In years past it was possible to access telephone company test and verification trunks in some areas of the country by using mf tones from so called "blue boxes". These test trunks connect to special ports on telephone switches that allow a test connection to be made to a line that doesn't disconnect when the line hangs up. These test connections could be used to fool a dial out modem, even one on a dial out only line (since the telephone company needs a way to test it, they usually supply test connections to it even if the customer can't receive calls). Access to verification and test ports and trunks has been tightened (they are a kind of dial-a-wiretap so it ought to be pretty difficult) but in any as in any system there is always the danger that someone, through stupidity or ignorance if not mendacity will allow a system penetrator access to one. ** Some more recent comments ** Since posting this I have had several people suggest use of PBX lines that can dial out but not be dialed into or outward WATS lines that also cannot be dialed. Several people have also suggested use of call forwarding to forward incoming calls on the dial out line to the security office. [This may not work too well in areas served by certain ESS's which ring the number from which calls are being forwarded once anyway in case someone forgot to cancel forwarding. Forwarding is also subject to being cancelled at random times by central office software reboots] And since posting this I actually tried making some measurements of how wide the incoming call window is for the modems we use for dial in at CRDS. It appears to be at least 2-3 seconds for US Robotics Courier 2400 baud modems. I found I could defeat same-line-for-dial-out dialback quite handily in a few dozen tries no matter what tricks I played with timing and watching modem status in the dial back login software. I eventually concluded that short of reprogramming the micro in the modem to be smarter about monitoring line state, there was little I could do at the login (getty) level to provide much security for same line dialback. Since it usually took a few tries to break in, it is possible to provide some slight security improvement by sharply limiting the number of unsuccessful callbacks per user per day so that a hacker with only a couple of passwords would have to try over a significant period of time. Note that dialback on a dedicated dial-out only line is somewhat secure. David I. Emery Charles River Data Systems 617-626-1102 983 Concord St., Framingham, MA 01701. uucp: decvax!frog!die -- David I. Emery Charles River Data Systems 983 Concord St., Framingham, MA 01701 (617) 626-1102 uucp: decvax!frog!die % = % = % = % = % = % = % = % = = % P h r a c k X V I I % = = % = % = % = % = % = % = % = % Phrack Seventeen 07 April 1988 File 9 of 12 : Data-Tapping Made Easy --FEATURE ARTICLES AND REVIEWS- TAPPING COMPUTER DATA IS EASY, AND CLEARER THAN PHONE CALLS ! BY RIC BLACKMON, SYSOP OF A FED BBS Aquired by Elric of Imrryr & Lunatic Labs UnLtd Note from Elric: This file was written by the sysop of a board for computer security people (run on a CoCo), as far as I know the board no longer exists, it was being crashed by hackers too much... (hehe). --------------------- FOR SEVERAL YEARS, I ACCEPTED CERTAIN BITS OF MISINFORMATION AS TECHNICALLY ACCURATE, AND DIDN'T PROPERLY PURSUE THE MATTER. SEVERAL FOOLS GAVE ME FOOLISH INFORMATION, SUCH AS: A TAP INTERRUPTS COMPUTER DATA TRANSMISSIONS; DATA COULD BE PICKED UP AS RF EMANATIONS BUT IT WAS A MASS OF UNINTELLIGIBLE SIGNAL CAUSED BY DATA MOVING BETWEEN REGISTERS; ONE HAD TO BE IN 'SYNC' WITH ANY SENDING COMPUTER; DATA COULDN'T BE READ UNLESS YOU HAD A DIRECT MATCH IN SPEED, PARITY & BIT PATTERN; AND ONLY A COMPUTER OF THE SAME MAKE AND MODEL COULD READ THE SENDING COMPUTER. THIS IS ALL PLAIN SWILL. IT IS IN FACT, AN EASIER CHORE TO TAP A COMPUTER THAN A TELEPHONE. THE TECHNIQUE AND THE EQUIPMENT IS ALMOST THE SAME, BUT THE COMPUTER LINE WILL BE MORE ACCURATE (THE TWO COMPUTERS INVOLVED, HAVE ERROR CORRECTING PROCEDURES) AND CLEARER (DIGITAL TRANSMISSIONS HAVE MORE DISTINCT SIGNALS THAN ANALOG TRANSMISSIONS). FIRST, RECOGNIZE THAT NEARLY ALL DATA TRANSMISSIONS ARE SENT IN CLEARTEXT ASCII SIGNALS. THE LINES CARRYING OTHER BIT-GROUPS OR ENCIPHERED TEXTS ARE RARE. SECOND, THE SIGNAL APPEARS ON GREEN AND RED (WIRES) OF THE PHONE LINE ('TIP' AND 'RING'). THE DATA IS MOST LIKELY ASYNCHRONOUS SERIAL DATA MOVING AT 300 BAUD. NOW THAT 1200 BAUD IS BECOMING MORE CHIC, YOU CAN EXPECT TO FIND A GROWING USE OF THE FASTER TRANSMISSION RATE. FINALLY, YOU DON'T NEED TO WORRY ABOUT THE PROTOCOL OR EVEN THE BAUD RATE (SPEED) UNTIL AFTER A TAPED COPY OF A TRANSMISSION IS OBTAINED. IN A SIMPLE EXPERIMENT, A TAPED COPY OF A DATA TRANSMISSION WAS MADE WITH THE CHEAPEST OF TAPE RECORDERS, TAPPING THE GREEN AND RED LINES BEYOND THE MODEM. THE RECORDING WAS THEN PLAYED INTO A MODEM AS THOUGH IT WERE AN ORIGINAL TRANSMISSION. AT THAT POINT, HAD IT BEEN NECESSARY, THE PROTOCOL SETTINGS ON RECEIVING TERMINAL COULD HAVE BEEN CHANGED TO MATCH THE TAPE. NO ADJUSTMENTS WERE NECESSARY AND A NICE, CLEAR ERROR-FREE DOCUMENT WAS RECEIVED ON THE ILLICIT VIDEO SCREEN AND A NEAT HARD-COPY OF THE DOCUMENT CAME OFF THE PRINTER. THE MESSAGE WAS INDEED CAPTURED, BUT HAD IT BEEN AN INTERCEPTION INSTEAD OF A SIMPLE MONITORING, IT COULD HAVE BEEN ALTERED WITH A SIMPLE WORD PROCESSOR PROGRAM, TO SUIT ANY PURPOSE, AND PLACED BACK ON THE WIRE. WERE I TO HAVE AN INTEREST IN INFORMATION ORIGINATING FROM A PARTICULAR COMPANY, AGENCY, OR OFFICE, I THINK THAT I WOULD FIND IT FAR MORE PRODUCTIVE TO TAP A DATA TRANSMISSION THAN TO TAP A VOICE TRANSMISSION, AND EVEN MORE REWARDING THAN GETTING HARDCOPY DOCUMENTS. *SIGNIFICANT & IMPORTANT INFORMATION IS MORE CONCENTRATED IN A DATA TRANSMISSION. *SIGNIFICANT & IMPORTANT INFORMATION IS MORE EASILY LOCATED IN DATA TRANSMISSIONS THAN IN MASSES OF FILES OR PHONE CALLS. *TRANSMITTED DATA IS PRESUMED TRUE, AND WHEN ALTERATION IS DISCOVERED, IT'S READILY BLAMED ON THE EQUIPMENT. *THE LAWS CONCERNING TAPS ON UNCLASSIFIED AND NON-FINANCIAL COMPUTER DATA ARE EITHER QUITE LACKING OR ABJECTLY STUPID. THE POINT OF ALL THIS IS THAT THE PRUDENT MANAGER REALLY OUGHT TO ENCRYPT ALL DATA TRANSMISSIONS. ENCRYPTION PACKAGES ARE CHEAP (A 'DES' PROGRAM IS NOW PRICED AT $30) AND ARE EASY TO USE. ------------------------------- #### PHRACK PRESENTS ISSUE 17 #### ^*^*^*^ Phrack World News, Part 1 ^*^*^*^ **** File 10 of 12 **** - P H R A C K W O R L D N E W S - (Mainly Compiled By Sir Francis Drake) 2/1/88 BUST UPDATE =========== All the people busted by the Secret Service last July were contacted in September and asked if they "wanted to talk." No one but Solid State heard from the S.S. after this. Solid State was prosecuted and got one year probation plus some required community service. The rest: Ninja NYC, Bill >From RNOC, Oryan QUEST, etc. are still waiting to hear. Some rumors have gone around that Oryan QUEST has cooperated extensively with the feds but I have no idea about the validity of this. The following is a short interview with Oryan QUEST. Remember that QUEST has a habit of lying. PHRACK: Did you hear from the SS in September? It seems everybody else has. QUEST: No. I haven't heard from them since I was busted. Maybe they forgot me. P: What's your lawyer think of your case? Q: He says lay low. He says it's no problem because of my age. P: What do your parents think? Q: They were REALLY pissed for about a week but then they relaxed. I mean I think my parents knew I went through enough... I mean I felt like shit. P: Do you plan to keep involved in Telecom legit or otherwise? Q: Uhh, I wanna call boards... I mean I can understand why a sysop wouldn't give me an access but... I'm thinking of putting a board up, a secure board just to stay in touch ya know? Cause I had a lot of fun I mean I just don't want to get busted again. P: Any further words of wisdom? Q: No matter what anyone says I'm *ELITE*. NOOOO don't put that. P: Yes I am. Q: No I don't want people to think I'm a dick. P: Well... Q: You're a dick. - On a completely different note, Taran King who as some of you know was busted, is going to be writing a file for Phrack about what happened real soon now. MEDIA ===== The big media thing has been scare stories about computer viruses, culminating in a one page Newsweek article written by good old Sandza and friends. John Markoff of the San Francisco Examiner wrote articles on viruses, hacking voice mailboxes, and one that should come out soon about the July Busts (centering on Oryan QUEST). A small scoop: He may be leaving for the New York Times or the San Jose Mercury. Phreak media wise things have been going downhill. Besides PHRACK (which had a bad period but hopefully we're back for good) there is 2600, and Syndicate Report. Syndicate Report is dead, although their voice mail system is up. Sometimes. 2600 has gone from a monthly magazine to a quarterly one because they were losing so much money. One dead and 2 wounded. MISCELLANEOUS ============= Taran King and Knight Lightning are having a fun time in their fraternity at University of Missouri. Their respective GPA's are 2.1 and 2.7 approximately.... Phantom Phreaker and Doom Prophet are in a (punk/metal) band... Lex Luthor is alive and writing long articles for 2600... Sir Francis Drake sold out and wrote phreak articles for Thrasher... Jester Sluggo has become vaguely active again... CONCLUSION ========== Less and less people are phreaking, the world is in sorry shape, and I'm going to bed. Hail Eris. sfd #### PHRACK PRESENTS ISSUE 17 #### ^*^*^*^ Phrack World News, Part 2 ^*^*^*^ **** File 11 of 12 **** "Illegal Hacker Crackdown" from the California Computer News - October 1987 Article by Al Simmons - CCN Editor Hackers beware! Phone security authorities, the local police, and the Secret Service have been closing down on illegal hacking - electronic thievery - that is costing the long-distance communications companies and their customers millions of dollars annually. In the U.S., the loss tally on computer fraud, of all kinds, is now running between $3 billion and $5 a year, according to government sources. "San Francisco D.A. Gets First Adult Conviction for Hacking" (After about 18 years, it's a about time!) San Francisco, District Attorney Arlo Smith recently announced the first criminal conviction in San Francisco Superior Court involving an adult computer hacker. In a report released August 31, the San Francisco District Attorney's office named defendant Steve Cseh, 25, of San Francisco as having pled guilty earlier that month to a felony of "obtaining telephone services with fraudulent intent" (phreaking) by means of a computer. Cseh was sentenced by Superior Court Judge Laurence Kay to three years probation and ordered to preform 120 hours of community service. Judge Kay reduced the offense to a misdemeanor in light of Cseh's making full restitution to U.S. Sprint - the victim phone company. At the insistence of the prosecuting attorney, however, the Court ordered Cseh to turn his computer and modem over to U.S. Sprint to help defray the phone company's costs in detecting the defendant's thefts. (That's like big money there!) A team of investigators from U.S. Sprint and Pac Tel (the gestapo) worked for weeks earlier this year to detect the hacking activity and trace it to Cseh's phone line, D.A. Arlo Smith said. The case centered around the use of a computer and its software to illegally acquire a number of their registered users to make long-distance calls. Cseh's calls were monitored for a three-week period last March. After tracing the activity to Cseh's phone line, phone company security people (gestapo stormtroopers) were able to obtain legal authority, under a federal phone communications statute, to monitor the origin and duration of the illegal calls. Subsequently, the investigators along with Inspector George Walsh of the San Francisco Police Dept. Fraud Detail obtained a search warrant of Cseh's residence. Computer equipment, a software dialing program, and notebooks filled with codes and phone numbers were among the evidence seized, according to Asst. D.A. Jerry Coleman who prosecuted the case. U.S Sprint had initially reported more than $300,000 in losses from the use of their codes during the past two years; however, the investigation efforts could only prove specific losses of a lesser amount traceable to Cseh during the three-week monitoring period. "It is probable that other computer users had access to the hacked Sprint codes throughout the country due to dissemination on illegal computer bulletin boards," added Coleman (When where BBS's made illegal Mr. Coleman?) "Sacramento Investigators Breakup Tahoe Electronic Thefts" Meanwhile, at South Shore Lake Tahoe, Secret Service and phone company investigators arrested Thomas Gould Alvord, closing down an electronic theft ring estimated to have rung up more than $2 million in unauthorized calls. A Sacramento Bee story, filed by the Bee staff writers Ted Bell and Jim Lewis, reported that Alvord, 37, was arrested September 9, on five felony counts of computer hacking of long-distance access codes to five private telephone companies. Alvord is said to have used an automatic dialer, with computer programmed dialing formulas, enabling him to find long-distance credit card numbers used by clients of private telephone companies, according to an affidavit filed in Sacramento's District Court. The affidavit, filed by William S. Granger, a special agent of the Secret Service, identified Paula Hayes, an investigator for Tel-America of Salt Lake City, as the undercover agent who finally brought an end to Alvord's South Shore Electronic Co. illegal hacking operation. Hayes worked undercover to purchase access codes from Alvord. Agent Garanger's affidavit lists U.S. Sprint losses at $340,000 but Sprint spokesman Jenay Cottrell said that figure "could grow considerably," according to the Bee report. One stock brokerage firm, is reported to have seen its monthly Pacific Bell telephone bill climb steadily from $3,000 in April to $72,000 in August. The long-distance access codes of the firm were among those traced to Alvord's telephones, according to investigators the Bee said. Alvord was reportedly hacking access codes from Sprint, Pacific Bell, and other companies and was selling them to truck drivers for $60 a month. Alvord charged companies making overseas calls and larger businesses between $120 and $300 a month for the long-distance services of his South Shore Electronics Co. >From The $muggler #### PHRACK PRESENTS ISSUE 17 #### ^*^*^*^ Phrack World News, Part 3 ^*^*^*^ **** File 12 of 12 **** +-------------------------------------------------------------------------+ -[ PHRACK XVII ]----------------------------------------------------------- "The Code Crackers are Cheating Ma Bell" Typed by the Sorceress from the San Francisco Chronicle Edited by the $muggler The Far Side..........................(415)471-1138 Underground Communications, Inc.......(415)770-0140 +-------------------------------------------------------------------------+ In California prisons, inmates use "the code" to make free telephone calls lining up everything from gun running jobs to visits from grandma. In a college dormitory in Tennessee, students use the code to open up a long-distance line on a pay phone for 12 straight hours of free calls. In a phone booth somewhere in the Midwest, a mobster uses the code to make untraceable calls that bring a shipment of narcotics from South America to the United States. The code is actually millions of different personal identification numbers assigned by the nation's telephone companies. Fraudulent use of those codes is now a nationwide epidemic that is costing America's phone companies more than $500 million each year. In the end, most of that cost is passed on to consumers, in the form of higher phone rates, analysts say. The security codes range form multidigit access codes used by customers of the many alternative long-distance companies to the "calling card" numbers assigned by America Telephone & Telegraph and the 22 local phone companies, such as Pacific Bell. Most of the loss comes form the activities of computer hackers, said Rene Dunn, speaking for U.S. Sprint, the third-largest long-distance company. These technical experts - frequently bright, if socially reclusive, teenagers - set up their computers to dial the local access telephone number of one of the alternative long-distance firms, such as MCI and U.S. Sprint. When the phone answers, a legitimate customer would normally punch in a secret personal code, usually five digits, that allows him to make his call. Hackers, however, have devised computer programs that will keep firing combinations of numbers until it hits the right combination, much like a safecracker waiting for the telltale sound of pins and tumblers meshing. Then the hacker- known in the industry as a "cracker" because he has cracked the code- has full access to that customer's phone line. The customer does not realize what has happened until a huge phone bill arrives at the end of the month. By that time, his access number and personal code have been tacked up on thousands of electronic bulletin boards throughout the country, accessible to anyone with a computer, a telephone and a modem, the device that allows the computer to communicate over telephone lines. "This is definitely a major problem," said one telephone security expert, who declined to be identified. "I've seen one account with a $98,000 monthly bill." One Berkeley man has battled the telephone cheats since last fall, when his MCI bill showed about $100 in long-distance calls he had not made. Although MCI assured him that the problem would be taken care of, the man's latest bill was 11 pages long and has $563.40 worth of long-distance calls. Those calls include: [] A two-hour call to Hyattsville, Maryland, on January 22. A woman who answered the Hyattsville phone said she had no idea who called her house. [] Repeated calls to a dormitory telephone at UCLA. The student who answered the phone there said she did not know who spent 39 minutes talking to her, or her roommate, shortly after midnight on January 23. [] Calls to dormitory rooms at Washington State University in Pullman and to the University of Colorado in Boulder. Men who answered the phones there professed ignorance of who had called them or of any stolen long-distance codes. The Berkeley customer, who asked not to be identified, said he reached his frustration limit and canceled his MCI account. The phone companies are pursing the hackers and other thieves with methods that try to keep up with a technological monster that is linked by trillions of miles of telephone lines. The companies sometimes monitor customers' phone bills. If a bill that averages about $40 or $50 a month suddenly soars to several hundred dollars with calls apparently placed from all over the country on the same day, the phone company flags the bill and tries to track the source of the calls. The FBI makes its own surveillance sweeps of electronic bulletin boards, looking for stolen code numbers. The phone companies occasionally call up these boards and post messages, warning that arrest warrants will be coming soon if the fraudulent practice does not stop. Reputable bulletin boards post their own warnings to telephone hackers, telling them to stay out. Several criminal prosecutions are already in the works, said Jocelyne Calia, the manager of toll fraud for U.S. Sprint. If the detectives do not want to talk about their methods, the underground is equally circumspect. "If they (the companies) have effective (prevention) methods, how come all this is still going on?" asked one computer expert, a veteran hacker who says he went legitimate about 10 years ago. The computer expert, who identified himself only as Dr. Strange, said he was part of the original group of electronic wizards of the early 1970s who devised the "blue boxes" complex instruments that emulate the tones of a telephone and allowed these early hackers to break into the toll-free 800 system and call all over the world free of charge. The new hacker bedeviling the phone companies are simply the result of the "technology changing to one of computers, instead of blue boxes" Dr. Strange said. As the "phone company elevates the odds... the bigger a challenge it becomes," he said. A feeling of ambivalence toward the huge and largely anonymous phone companies makes it easier for many people to rationalize their cheating. A woman in a Southwestern state who obtained an authorization code from her boyfriend said, through an intermediary, that she never really thought of telephone fraud as a "moral issue." "I don't abuse it," the woman said of her newfound telephone privilege. "I don't use it for long periods of time - I never talk for more than an hour at a time - and I don't give it out to friends." Besides, she said, the bills for calls she has been making all over the United States for the past six weeks go to a "large corporation that I was dissatisfied with. It's not as if an individual is getting the bills." There is one place, however, where the phone companies maybe have the upper hand in their constant war with the hackers and cheats. In some prisons, said an MCI spokesman, "we've found we can use peer pressure. Let's say we restrict access to the phones, or even take them out, and there were a lot of prisoners who weren't abusing the phone system. So the word gets spread to those guys about which prisoner it was that caused the telephones to get taken out. Once you get the identification (of the phone-abusing prisoner) out there, I don't think you have to worry much" the spokesman said. "There's a justice system in the prisons, too."