Domain: phrack.org
Stories and comments across the archive that link to phrack.org.
Comments · 149
-
Re:It deserves scrutiny overrated
Actually, Windows's DNS client was shown to be very insecure in the last Phrack release and probably various other places, so you don't even need to be in the middle to attack. Nevertheless, as you say, I don't expect Windows or any other OS to work fine without its DNS client. To disable the DNS client service, Microsoft would have to make it an on-demand library, per application, as it is on Linux. But they'll lose most of the DNS cache feature.
-
Education
Why not learn how to do it yourself? http://www.phrack.org/show.php?p=47&a=19
-
Re:Big brother-in-law, the insurance salesman
GPS is a low power signal. Wouldn't need to spoof it, just block it.
There is a do-it-yourself GPS jammer, published in Phrack.
-
Re:None (related to this)
hmm, interesting you say that. I personally like this little magazine called phrack, it can be quite informative sometimes. But you are right
;Login: is a good mag.
-
sneeze?
Haha. I wonder if this whole thing has ANYTHING to do with this?
http://www.phrack.org/unoffical/p62/p62-0x0d.txt -
Re:Heap overflow?
I'm familiar with stack overflows.
Maybe you are thinking about stack based buffer overflows. Stack based buffer overflows are often easy to exploit, and I think more than 50% of the worms on the internet use such exploits. It just means that you can overflow a buffer, which is allocated on the stack. When such an overflow happens, the return address is usually just a few bytes away, so you can change the return address to point into the buffer you just filled with code.
A stack overflow OTOH rarely happens, unless you trigger an infinite recursion in the code. Normally a stack overflow will just result in a DoS attack, because the OS will kill any process that overflows its stack. There should always be an unmapped page between the stack and any other mapping, such that overflows can be catched. (Could you overflow a kernel stack it would be an entirely different matter)
A heap overflow just means you overflow a buffer allocated from the heap. Any return address is far away, so they are not as trivial to exploit. But you can corrupt memory management data structures, which you might be able to use to have the memory management system return allocations overlapping with other important areas, which you might then be able to get overwritten. It can get very complicated. Take a look on Vudo - An object superstitiously believed to embody magical powers (Smashing The Heap For Fun And Profit) -
Re:Just exactly how does this happen.
This is x86 specific since I'm talking about the stack frame and specific registers, etc. but can be "ported" to other architectures with similar ideas
foo.c
#include <string.h>
int main(int argc, char *argv[])
{
    char buf[5];          /* room for 4 characters plus the NUL */
    strcpy(buf, argv[1]); /* no bounds check: a longer argv[1] runs past buf into the saved frame */
    return 0;
}
> make foo && ./foo AAAAAAAAAAAAAAAAAAAAAAAAAA
This is an example of a trivial buffer overflow. These types of attacks happen due to the nature of the stack. All local variables are stored on the stack - along with the saved ebp AND the return address. strcpy doesn't do any sort of bounds checking on the buffers it is copying between. In this case, buf is filled with the first 5 A's, but then the other n-5 A's must go somewhere else as well. What will happen is that eventually the saved value of ebp will be corrupted and become 0x65656565 ("AAAA") and the RETURN ADDRESS (this is the location that will be jumped to upon exiting the function) will be corrupted and become 0x65656565 ("AAAA"). If the malicious user is crafty enough in the creation of the exploit string he will specify an actual address somewhere relatively close to the current buffer and to jump to. Since that memory will have been copied by the call to strcpy, after completing this function, the program will jump to the attackers code and happily execute it. Thus allowing arbitrary code to be executed.
For a more detailed explanation of how these things work check out "Smashing the Stack for Fun and Profit" in phrack #49. Actually, reading old phracks is a good way to get an idea about lots of different issues in security :)
You can also check out these slides from an introductory systems course at Carnegie Mellon University. (OK, its a shameless plug of sorts since I'm TAing it, but they actually are pretty good slides. :-P) -
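The two comments above (the stack/heap explanation and the foo.c walkthrough) describe the same thing: bytes copied past a small stack buffer land on the saved ebp and then the return address. The following is an added example, not code from either comment, that models that frame layout in a plain byte array (so it is well-defined C rather than a real stack smash) and puts the unbounded strcpy-style copy beside a bounds-checked copy; the frame layout, the saved-ebp and return-address values, and the 26-A argument are constructed for the demonstration, and 'A' is byte 0x41, so the overwritten fields read back as 0x41414141.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the frame the comment describes: a 5-byte buffer,
 * then the saved ebp (4 bytes), then the return address (4 bytes), all in
 * one byte array. Hypothetical layout, not what a real compiler emits. */
#define BUF_LEN   5
#define EBP_OFF   BUF_LEN
#define RET_OFF   (BUF_LEN + 4)
#define FRAME_LEN (BUF_LEN + 8)

struct frame {
    unsigned char bytes[FRAME_LEN];
};

static void put_u32(unsigned char *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i)); /* little-endian, as on x86 */
}

static uint32_t get_u32(const unsigned char *p) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v |= (uint32_t)p[i] << (8 * i);
    return v;
}

void frame_init(struct frame *f, uint32_t saved_ebp, uint32_t ret) {
    memset(f->bytes, 0, FRAME_LEN);
    put_u32(f->bytes + EBP_OFF, saved_ebp);
    put_u32(f->bytes + RET_OFF, ret);
}

uint32_t frame_saved_ebp(const struct frame *f) { return get_u32(f->bytes + EBP_OFF); }
uint32_t frame_ret(const struct frame *f)       { return get_u32(f->bytes + RET_OFF); }

/* The strcpy pattern from foo.c: copy up to and including the NUL with no
 * bounds check, so bytes beyond buf land on saved ebp and the return
 * address. The model clips at the frame edge; real strcpy keeps going. */
void copy_unbounded(struct frame *f, const char *src) {
    size_t n = strlen(src) + 1;
    if (n > FRAME_LEN) n = FRAME_LEN;
    memcpy(f->bytes, src, n);
}

/* Hardened pattern: check the length against the buffer first and reject
 * anything that does not fit together with its NUL, so the copy can never
 * reach saved ebp or the return address. */
bool copy_bounded(struct frame *f, const char *src) {
    size_t n = strlen(src);
    if (n >= BUF_LEN) return false; /* would overrun: refuse the input */
    memcpy(f->bytes, src, n + 1);
    return true;
}

/* Fresh frame, unbounded copy of arg, then report the return-address slot. */
uint32_t ret_after_unbounded(const char *arg) {
    struct frame f;
    frame_init(&f, 0xbffff6c8u, 0x080483e4u); /* constructed sample values */
    copy_unbounded(&f, arg);
    return frame_ret(&f);
}

/* Fresh frame, bounded copy of arg; true only if the input was accepted. */
bool bounded_accepts(const char *arg) {
    struct frame f;
    frame_init(&f, 0xbffff6c8u, 0x080483e4u);
    return copy_bounded(&f, arg);
}

int main(void) {
    const char *arg = "AAAAAAAAAAAAAAAAAAAAAAAAAA"; /* constructed: 26 A's, like the comment's run */
    printf("unbounded copy: ret=0x%08x\n", ret_after_unbounded(arg));
    printf("bounded copy accepted: %d\n", bounded_accepts(arg));
    return 0;
}
```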
Re:Just exactly how does this happen.
Try "Smashing the Stack for Fun and Profit", Phrack 49, Art. 14. It's a nice introductory tutorial to the common class of buffer overruns.
-
Re:True Story
I felt a similar attitude when I was looking into Centre for Computer Security Research at University of Wollongong. Back then instead of actually studying, I was porting Route's Trusted Path Execution patch for Linux (and I think OpenBSD) across to FreeBSD and learning how to program with the openssl libraries.
I ended up dropping out of university and moving into the computer security industry full time, and haven't looked back since. Off and on, I've had to write some code for a work-related project, but not that often (usually use commercial security solutions).
I suspect some of these security guys who have been around a long time, whether they know it or not - develop an ivory tower complex. Nobody knows how to do anything better than they can, because they've seen it all - or you have to prove yourself by being an honours student or something.
Bah! I say... I'm making more money than you smelly students anyway!
;-) -
My God
[...] Real leet0 ninja teams would have to sneak around (hide logs) via thief or hitman to avoid the security (IDS's) to locate the files they were looking for. If they set off a laser tripwire (Snortbox) the Counter-Terrorists (Secret Service) would be notified and they'd start spawning in on the maps a la "The Matrix". It'd be a huge gunfight, file fragments would be flying everywhere, and people would be dropping off-line left and right while plugged into their Nebuchadnezzar-like chairs.
It seems that "The Neuromancer" is closer to actualization than I ever imagined.
My God, you are clearly brainwashed after watching to many "hacker" movies. I might suggest reading Phrack to see how it really works. It would be great if life was like a violent video game, but it unfortunately is not. I can assure you that both sides of network security is just sitting in a dark room staring in a terminal window, writing text and reading text. There is no blood, there are no explosions, we are not muscular machos and hot chicks don't give a damn what we do. Welcome to the real world.
-
Re:An Idea which I had for a long time.
Randomization is no solution, There are adaptive attacks out there.
-
Re:AMD needs better marketing
I'd be interested to know how a return-into-libc exploit works.
Google around, or read about it in Phrack. It's pretty advanced stuff, way too big to post here on slashdot. The article I linked to deals with PaX, which basically does the same as marking stack pages read-only. Similar techniques work on SPARC hardware too.
-
Re:Ahem...
Also, nergal published an interesting paper in Phrack #58 about return-into-libc exploits.
-
Re:Smells
Image files cannot run commands!!!!
-
Re:Text of advisory
The technical reasons of why overwriting a buffer is bad, are beyond the scope of this post. Just know that it is one of the worst things that can happen ;)
The technical reasons of why overwriting a buffer is bad are described here
-
Re:I realize I'm forfeiting my geek status by aski
I recommend reading Smashing the stack for fun and profit.
It's very informative. -
Re:Can You Say GPS jammer?
While faking the GPS signal might be a bit of a long shot for terrorists, jamming it definitely is not. Since this system is unlikely to steer a plane "away" toward the ground, one would have to keep the plane bouncing into the virtual WTC protection walls until it runs out of fuel to crash it using the "herding from the ground" trick. Not an easy job, but it would work with every plane in the range of the jammer...
However when a suicide pilot places a simple home made (or Russian store bought) jammer near the antenna of the GPS system, the GPS system should lose sight of all the satellites. I guess in such an event airplane GPS units would stop reporting their position and the flight computers would have to rely on other positioning sensors like gyros, accelerometers, compass, altimeters and radio beacons. Weren't these the primary ones anyway? Now if this system watches only GPS (unlike normal flight computer systems) then it can't function with GPS disabled (let's hope it is programmed to realize this). If it's just a patch to normal flight computer software then it will still have the beacon directions, compass and other non-GPS sensors. It seems unlikely these would still be able to pinpoint a place as "small" as the WTC. Of course the radio beacons used in aviation might be jammed just as well, leaving the plane with pretty much a compass and its speed; after an ocean trip, no one could tell where the WTC was without looking outside at the skyline.
-
Re:What happens to the planes when GPS is dis-able
Hmm, there was a circuit for a GPS jammer posted to Phrack:
http://www.phrack.org/phrack/60/p60-0x0d.txt
I suspect this would foil the proposed system as the system would have no choice but to disable itself once the system didn't know where it was.
Cheers... Clark -
Re:you're missing a lot
Most of the time I don't really care what something is, (If it is an integer it doesn't matter if it is a long, int, short, byte, or long long, all the math operators work, and I can mix and match)
Although not caring leads to integer overflow security exploits. -
Re:Please explain
These results contain a link to the beth.com file, but I can't download it because someone decided to be political and block US netblocks from his website. Oh well.
Smashing the Stack for Fun and Profit.
-
Re:"Frack"
Moderately known fact:
("Moderately" because I wouldn't say it's widely known, but it's not little known either. And hey, it's probably offtopic, but who cares, it's interesting...)
The hacker 'zine Phrack was named after this.
Mechanik -
Re:Modular patch
Why use LKM? Why not the (very impressive) method the suckit-rootkit used?
-
suckit ...
This reminds me of a shit we had back in April at the place where I work. We got a couple of production servers r00ted with suckit, with the only possible attack vector being apache/php (only port 80 was open in the firewall), which were the latest versions back then. The only way to stop it was to recompile a kernel without module support and some minor patches to deny writes to /dev/kmem in any possible way ... therefore killing the method suckit uses to load itself. See point 6 here and here.
There were quite a lot of similar reports from the folks all around at that time ... My big hairy conspiracy theory would be in the line of a super zonda type of organization hiring some of the most skilled crackers and r00ting the boxen all around ... for spamming, ddosing or whatever ... welcome to the Wild Wild Net. -
Sounds like...
something from phrack: Traffic lights
-
been there, done that
This is so Phrack #60! Come on, people... get with the times!!!
Phrack's way is far more entertaining, anyways.
-
Re:Check out the css Zen Garden...
Mod parent up... this is a beautiful website that demonstrates the power and beauty of CSS. They encourage readers to contribute stylesheets for their website, and have a truly mind-opening gallery of CSS.
The first thing I did when I found zen garden was make a CSS that looks like the old phrack website. Ugly yet beautiful in its own carcinogenic green terminal way :)
I think the whole point of CSS is that you don't need to be a graphic designer to make a good website. You can use div tags to organize your content, and get an artist to help with a slick stylesheet and GIF^H^H^HPNGs later if you want.
r4lv3k -
GPS jammer
I guess it's time to build your own GPS jammer.
Overview
A low cost device to temporarily disable the reception of the civilian course acquisition (C/A) code used for the standard positioning service (SPS)[1] on the Global Positioning System (GPS/NAVSTAR) L1 frequency of 1575.42 MHz. This is accomplished by transmitting a narrowband Gaussian noise signal, with a deviation of +/- 1.023 MHz, on the L1 GPS frequency itself. This technique is a little more complicated than a simple continuous wave (CW) jammer, but tends to be more effective (i.e. harder to filter) against spread spectrum based radio receivers.
... -
The possible uses of GPS
"Imagine," he says, "the end of property crime. Everything that has any value and could be stolen -- a car, a laptop, a piece of construction equipment" (not to mention every ship, plane, truck trailer, and toddler) -- "everything like that will know its location and be able to report it. We can go even further: You tell your laptop that it should only find itself at your office or your home. And if it finds itself in a car trunk, it wakes up, notices that it's in the wrong place, calls your cell phone, and says, 'Hi, this is your laptop. I'm at this location on this map you see. Is that okay?'"
That instantly made me think of the Phrack article on the Low Cost and Portable GPS Jammer. Never know when that baby's going to come in handy. -
GPS Jammer
What would keep people from building the relatively cheap and easy GPS Jammer described in Phrack? Seems like throwing one of the jammers in your trunk would take care of the GPS ever working correctly.
-
Re:Linux
And many people have pointed out that while the majority of exploits have been directed at Windows machines, there are a lot more Windows users than anything else.
Oh c'mon. This is one horse that's been flogged on /. a million times already. Most attacks aren't directed at desktop users (though those are the ones that get the most publicity) but at servers. And that's one market which MS certainly doesn't dominate. Why are there still far more attacks directed at MS products? Do you really think the frequency and severity of exploits of (say) IIS and apache are comparable? (Note that apache has more than twice the market share as IIS.) If you're claiming that most attackers are on windows machines, that's not true either. If you have the technical sophistication to author buffer overflow exploits, it's pretty likely that you've played with linux at some point. Go read phrack, for instance, and see for yourself.
The reason OSS is more secure is that (if it needs any repeating):
- Since everyone can look at the source the good guys are far likelier to find any given bug before the bad guys and a patch is usually out before there's an exploit
- The Unix design is simply a lot cleaner and security conscious, period.
-
I hate to break this to you..
But jamming a nanovolt signal isn't exactly rocket science.
The principles behind GPS are well understood, as are the interactions of radio signals in the ionosphere. So I don't think it will take very long at all. Bah.
-
Fix the compiler, not the language
there's a piece in the latest phrack about doing just that; building loop checks into the compiler.
i personally don't want to have to learn another language. its not that i'm against it, but that doing so is actually a performance hit, ex. if (x + y + z) is not valid in java, is has to be converted ((x+y+z)> 0) to boolean, not just cast. being forced to learn all the little rules that are required to compile in some new language takes time, and its not always clear that there are advantages.
certainly its possible to educate programmers about proper, secure methodologies, but then it becomes a question of habit; if you don't force yourself to do it everytime, you're going to forget in that one critical instance.
why not code that knowledge into the tool that builds the program?
-
Re:Big Brother
If you look at, or already use, Big Brother then *please* make sure you read the article on it in issue #60 of Phrack as well. Owing to the way the software is implemented, the thing can be a goldmine of information for hackers and it is *essential* that your BB box is properly secured.
That said, it does appear to be a capable, fully-featured package and I'd guess that as long as you take the proper precautions you should be OK. I can't comment on the stability though; the security concerns I had were enough to cause me to move along to the next product on my list.
-
Quick Question ...
A while back, somebody in Phrack EZine wrote about how to mask GPS receivers with about $50 worth of equipment.
Given that, what would it take to mask RFID tags?
Since the frequency of the "standard" is already known, could one create a true transmitter that would overload (and possibly burn out) the tranceiver unit?
Or, would it be possible to create a transmitter that would just transmit and mask all other signals given to it by true RFID tags?
-
phrack
Looks like people better start working on this article in the latest issue of Phrack. It has the details of how to build a GPS jammer. When will people in power start to realise technology is a double-edged sword and raising the bar constantly like this just pisses people off?
-
Nostalgia...
After looking at Phrack #1 from 1985 I decided that I just have to run
for i in `seq -w 1 60 | tac`; do wget http://www.phrack.org/archives/phrack$i.tar.gz; done
and spend this day on reading Phrack issues backwards. It's going to be a hellova nostalgic New Year for me... :_) -
From the Hacker Hall Of Fame, a tale from the past
From the Great Hacker Hall Of Fame, I bring you this, so that you will remember where it all started (Written by The Mentor for Phrack magazine in 1986). NEVER FORGET WHO YOU ARE!!
--->
\/\The Conscience of a Hacker/\/ by +++The Mentor+++
Written on January 8, 1986
Another one got caught today, it's all over the papers. "Teenager Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"... Damn kids. They're all alike.
But did you, in your three-piece psychology and 1950's technobrain,
ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him?
I am a hacker, enter my world...Mine is a world that begins with school... I'm smarter than most of the other kids, this crap they teach us bores me...
Damn underachiever. They're all alike.
I'm in junior high or high school. I've listened to teachers explain
for the fifteenth time how to reduce a fraction. I understand it. "No, Ms. Smith, I didn't show my work. I did it in my head..."
Damn kid. Probably copied it. They're all alike.
I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it's because I screwed it up. Not because it doesn't like me...
Or feels threatened by me...Or thinks I'm a smart ass...Or doesn't like teaching and shouldn't be here...
Damn kid. All he does is play games. They're all alike.
And then it happened... a door opened to a world... rushing through
the phone line like heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found.
"This is it... this is where I belong..." I know everyone here... even if I've never met them, never talked to them, may never hear from them again... I know you all...
Damn kid. Tying up the phone line again. They're all alike...
You bet your ass we're all alike... we've been spoon-fed baby food at school when we hungered for steak... the bits of meat that you did let slip through were pre-chewed and tasteless. We've been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert.
This is our world now... the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying
for what could be dirt-cheap if it wasn't run by profiteering gluttons, and you call us criminals. We explore... and you call us criminals. We seek
after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals.
Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
I am a hacker, and this is my manifesto. You may stop this individual,
but you can't stop us all... after all, we're all alike.
+++The Mentor+++
---> -
Inferno Security was examined in 2600 Winter 2001
Here is the pretty much identical article published in Phrack for easy online reading.
It's a good read and shows that while Inferno implements encryption and other security measures, it is not very secure. The author of the article has written a login utility and password cracker for Inferno, however his site seems to be down, or temporarily empty I guess, at the moment. It doesn't really cover plan9, just a mention. -
Re:Google Attack Engine
Phrack Volume 57 article 0x0a was all about this.
This was released back in August. I can see the marketing now:
Phrack - it only comes out once a year, but it's still ahead of the times
:)
Apparently the next issue is to be released in time for Christmas. Read it now and you'll have read the 'sploit headlines for the next year.
-
Re:how would you exploit this, though?
This sort of thing was alluded to in Phrack #57, Phile #8 (on the now-infamous "this doesn't seem to be exploitable" Sudo exploit)...
here.
Definitely not your average script kiddie's reading material (it includes an indepth breakdown of malloc() and its ilk), but worth a read if you're interested. -
Re:Aleph1 and Levy?
Many people know the handle "Aleph1" because he wrote the famous article Smashing The Stack For Fun And Profit under that nickname. That article explains very well how to exploit buffer overflows.
-
Boy do I remember...
Boy do I remember those days. It was all about TRS-80's, Apple II's, Atari 400 + 800's and Commodore 64's. For most of us, it was also about hacking MCI, Sprint, and other phone codes so you could call all the good BBS's around the country without running up a huge phone bill.
In those days, most people had 300 baud modems, and maybe 1200 baud if you were rich!! Most of us started out innocently, calling local boards, usually spread by word-of-mouth. at "Computer Interest Groups." Then after getting into it, most of the more serious "hacker-types" would prove themselves worthy and get into the hack-and-phreak secret sections that many boards had. It was all about sharing hard-won info on telecommunications, etc...
This is the route I followed. I was on Shadowland, Metal Shop, Metal Shop Private, etc.. I actually helped start Phrack magazine. I often spoke with Craig (Knight Lightning) on the phone and online, and remember all the arguments about freedom of speech, and how it would be perfectly OK to make an online magazine compiling the best articles and textfiles found online. I wrote the TMC Primer for Phrack #10. (I went by Cap'n Crax then as well). I also cracked the protection on many games for the Apple II, Atari 800, and Commodore 64, maybe you've played some and seen my name. Those were the days.
Of course, a few years later came "Operation Sundevil" and the arrest of many hackers in the scene. Most everyone probably know the case of Craig and the infamous E911 document, and the later dropping of the case after it was found that the document was available from Bell itself for like $13.99. But it sure cost him in legal fees. Myself, I never got in any trouble whatsoever, and now the statute of limitations is up, so I don't mind telling all about it. I think I'll have to mail this guy doing the documentary, I remember a lot, and have much more to tell than the little I've shared here!! -
Re:Wow, what math...
The whole AT&T farce you mentioned did happen.
The guy(s) who "stole" the AT&T documents (E911 Document) was none other than Erik Bloodaxe and his fellow Legion of Doom members. Bloodaxe up until a couple years ago was also editor of Phrack magazine.
The whole imbroglio surrounding the E911 document is mentioned in Bruce Sterling's book: The Hacker Crackdown: Law and disorder on the electronic frontier. Bruce Sterling placed this huge book on Project Gutenberg free for anyone to download. It is a good book and has a lot of info on the history of hacking, (pre script-kiddie days) as well as Operation Sundevil which was responsible for the confiscation of the computer systems of Steve Jackson Games, (GURPS RPGs) mainly because they had a BBS, and had Cyberpunk role playing game information on their boxes.
-
Re:I got community service
They knew my friend and I had been using them heavily, so we were blamed for their failure.
This whole story sounds like someone is trying to be exonerated in the court of public opinion, good thinking, you stupid little criminal.
If in fact you had exposed the evil principals charade, by uncovering the secret logs (what a crock!) why did your parents stand by and let you take the 120 hours of community service? Your parents seemed sufficiently outraged. Bullshit!
You know what you ought to do? Send a letter to 2600 magazine detailing just why it is that we should feel sorry for you, or better yet, send it to Phrack magazine. I'm sure there'll be a shoulder you can cry on there, girly-boy.
We took shit for years from teachers
Cry me a fucking river. If you weren't stupid, and hadn't got caught, you wouldn't have had to take shit from nobody. But I guess that's to be expected from a Mac luser. -
A job interview with the NSA