Happy Hacker Digest March 19-20, 1997
This is a moderated list for discussions
of *legal* hacking.
Carolyn Meinel and Ruben D. Canlas Jr.
OR to the Hackers forum: http://www.infowar.com
Digest archives are held under the "New" button at the Infowar site
Please don't send us anything you wouldn't
email to your friendly neighborhood narc, OK?
To subscribe or unsubscribe,
use the subscribe boxes on the menu bars, please.. If
you decide you just want to use the forum and not get these mailings,
our feelings won't get hurt if
you unsubscribe from this list.
H a p p y h a c k i n g !
URL 'O the Day: http://www.usps.gov/ncsc/locators/find-is.html
Where to report pyramid scheme spams
Table of Contents
o Hacker Wars Strike Again
o New Hacks: Usenet News Servers Vulnerable, New Windows Holes
o Windows Registry Stuff
o Anonymous Email Sites
o Call for Writers
o Social Engineering
o Download Shell Account Stuff
o IRCII Scripts?
o Breaking into Windows
o Telenet Tutorial
Hacker Wars Strike Again
Carolyn: If you emailed the Happy Hacker list or Carolyn Meinel on March
18 or 19 you may have received an obscene message from the Gray Areas Liberation
Front (GALF). This was accomplished by using the recently publicized inetd
exploit to gain root access to Southwest Cyberport's system. This root
access was then used to install .forward files in two of my shell accounts
on the system which redirected email to the account email@example.com. Then
there was an autoresponder at firstname.lastname@example.org which sent an obscene message
to whomever emailed me at these two accounts. At the time I was routing
all my cmeinel.com email through one of these shell accounts. For all
you who emailed me during this time, please accept my apologies for that
So what is GALF? This is a group devoted to destructive attacks on any
Internet Service Provider that serves people who they believe may be enemies
of Netta Gilboa. She is the editor of Gray Areas magazine. You can catch
her Web site at http://www.gti.net/grayarea/. Warning: this site contains
adult material regarding prostitution, pornography, illegal drugs, hacking
and phreaking. You may also read about her in the essay "Elites, Lamers,
Narcs and Whores: Exploring The Computer Underground," in the anthology
_Wired Women: Gender and New Realities In Cyberspace_, edited by Lynn Cherny
and Elizabeth Reba Weise, Seal Press 1996.
GALF has made war on the Happy Hacker list almost from day one of its
existence. Their modus operandi is to damage computer systems. Sites
they have hit in their war against Happy Hacker include New Mexico Internet
Access, Cibola Communications, The University of Texas at El Paso and,
in a heavy blitz from March 18-20, Southwest Cyberport.
On March 20 Southwest Cyberport capitulated to the attacks. The owner
advised Carolyn Meinel that it could no longer afford the financial devastation
caused by the GALF attacks. He agreed to close all my shell accounts. His
hope is that with me gone, GALF will leave Southwest Cyberport alone.
This latest continues a disturbing trend in Cyberspace. The FBI is unlikely
to get involved because their policy is to only prosecute crimes that involve
theft of money. Since GALF has a purely political agenda -- the furtherance
of whatever they believe are the aims of Netta Gilboa -- the FBI considers
this to be not worth pursuit.
What is Gilboa's role in this? She has chilled discussion of this in
the print media by threatening to sue those who publish stories about GALF.
For example, she managed to kill an article that was to have run in the
Nov. issue of Internet Underground magazine on GALF. So sue me, Netta.
I would be proud to stand up to you in court.
What is the role of escape.com in this? I don't believe they actively
collaborate with GALF. For example, GALF broke into a New Mexico Tech computer
over Christmas break and posted email to a Web site on escape.com that
they stole of a young woman student. When I complained, the sysdamin deleted
the Web site immediately. My guess is that escape.com allows GALF to use
escape.com as a base for operations simply because they cannot afford the
expense of fighting their hacking attacks.
So who are the people who operate GALF? Two individuals well-known on
this list claim to know but won't tell. Is this because they are afraid,
or is it because they sympathize -- or even my be part of GALF ? I don't
But I (Carolyn) do know that I will not be intimidated. I fought Jim
Crow laws that segregated people with darker skins from us Caucasian folks
back when this meant risking our lives. One of my friends died from a beating.
I'm not going to let some fascist GALF gang push the Happy Hacker list
off the Internet. Just watch us -- we will ALWAYS find a way to keep going.
Congratulations to all of you with the courage to maintain archives on
your Web sites. Congratulations also to our inside team of Betty G. O'Hearn,
Winn Schwartau, Webwarrior, Gerard Cochrane Jr., Ruben D. Canlas Jr., Matt
Hinze, Peter Beckman, Silicon Toad, Brett Perlas, k1neTiK, Leprekon, WarBeast,
and all of you who dare to post to this list.
Unfortunately, the latest GALF attack has led to loss of our planned
editor for the intermediate list. So we are still looking for candidates
for the job. It has no pay, and you will be subjected to incessant attacks
on you and any entity that provides you with Internet access. However,
it will definitely be a way for you to get a reputation for being either
brave or foolish or some sort of masochist. Qualifications for the job
are a strong knowledge of computer science and familiarity with hacking
-- and a mature, no flames attitude toward people who sincerely want to
Oh, no, what happened to the award-winning Infowar site, http://www.infowar.com?
Did hackers get us? Arrrggghhh!!! False alarm, it was just a hard disk
crash. It is simply not possible for some hacker accessing the system remotely
to cause a hard disk crash.
But we did have some interesting hacker wars on our IRC server. Bots,
ICMPing, you name it, it got too exciting. When Infowar gets up again,
we will be running the Hacker IRC server under new rules. Hear, ye, hear
ye, this is what our Supreme IRC Cop Betty G. O'Hearn has to say about
the new regime:
This purpose of this server is for the enjoyment of those who wish to
come here and exchange information, for help, for education, and
for exploration of issues relevant to information security, and information
Profanity and pornography will not be tolerated.
RULES RULES RULES
The operators of this server have the right to kill, ban or
kline anyone for any violation of the Rules.
No Fake Usernames
No Mass Messages
No ICMP Bombing
No Bots Unless Registered and the Bot Request Form is Submitted
No Profanity used direct in the channel
No Pornography of ANY TYPE is to be traded, or transferred
Bot Request Form
1. Owners (Registered) Infowar.Com NICK
2. Owners (Non-Anonymous) E-mail address.
3. BOT's (Registered).Infowar.Com NICK
4. Channel(s) that the BOT will reside.
5. Purpose of running the BOT.
Forward this form via email to email@example.com
Wait for response back acknowledging that the bot is registered.
Any violators will be Klined from this server without notice.
Thank you for volunteering!
IRC cops are to maintain order in the channel using common sense.
No power trips please.
Warnings will be given in private to those users who are breaking rules.
A three warning limit is suggested.
Congratulations to the new Infowar IRC cops: Brett Perlas <firstname.lastname@example.org>,
k1neTiK <email@example.com>, Leprekon <firstname.lastname@example.org>, WarBeast <email@example.com>,
and, yes, Warpy <firstname.lastname@example.org>. We will announce additional
IRC cops as they are deputized.
New Hacks: Usenet News Servers Vulnerable, New Windows Holes
T a s t y B i t s f r o m t h e
T e c h n o l o g y F r o n t
Timely news of the bellwethers in computer and communications
technology that will affect electronic commerce
-- since 1994
Your Host: Keith Dawson
This issue: <URL:http://www.tbtf.com/archive/03-21-97.html>
..Usenet servers under attack
Unknown crackers are broadcasting forged control
used in the routine maintenance of Usenet News,
across the Internet
in an apparently successful attempt to extract sensitive
formation from thousands of news servers. For details
see this New York Times story ; it may not remain
online as long
as this coverage from PC Week . The attack targets
the software commonly used to manage the flow of
Usenet news, and
exploits a vulnerability that has been known --
and for which a fix
has existed -- for a year and a half. One system
accidentally sent a similar message while analyzing
the attack re-
ceived sensitive files from hundreds of systems
around the world.
The unknown perpetrators forged their messages so
that they appeared
to come from David Lawrence <email@example.com>,
moderator of news.announce.newgroups. The Times
quotes Lawrence on
the possible outcome of the attacks:
> This attack could [open] a previously
inaccessible site for
> shell access. The cracker would have
the name of the site,
> user names, and possible broken passwords
for those sites.
Thanks to Monty Solomon < firstname.lastname@example.org> for
quick notice on this
..This week's crop of Microsoft security holes
TBTF for 3/9/97 
This is getting boring. If the student community
keeps finding Mi-
crosoft security glitches at this rate TBTF may
go to a scoreboard
system. A student at the University of Washington,
<email@example.com>, sent word
of three new security
problems in Microsoft software. They all allow an
attacker easy ways
to record the username and password of unsuspecting
found and documented #4; users in the U.K.
and Israel discovered
#5 and #6, respectively, Neither one is a student
as far as I know.
Birnbaum's exploit site  links an exhaustive
and frequently up-
dated compendium  of Windows NT security holes;
at this writing
50 are listed, most with patches or workarounds.
Found by Date W-95 W-NT
---- ---- ---- -------------------------
#4  Aaron
3/14 no yes username,
#5  Paul
3/15 no yes ", "
" and more
#6  Steve
3/17 yes no cleartext
..Cryptographers find a flaw in digital cell-phone code
Bruce Schneier and three other researchers subjected
secret CMEA algorithm, a symmetric cypher with a
64-bit key length,
to "simple cryptanalysis." They found a flaw in
the algorithm that
effectively reduces its key length to 24 or 32 bits;
encrypted using CMEA can now be broken on a run-of-the-mill
seconds or minutes. Details of CMEA were supposed
to be a closely
guarded secret known only to a small circle of industry
but technical documents were leaked late last year
and showed up
on the Internet. This tactic, which the security
fully labels "security through obscurity," is hit
hard in the re-
searchers' press release: "Our work shows clearly
why you don't do
this behind closed doors. [We're] angry at the cell
because when they changed to the new technology,
they had a chance
to protect privacy and they failed." The researchers
have posted an
account  of the exploit, and also host a copy
of the New York
Times writeup  on the affair.
The Times article says that unnamed telecommunications
fingered the NSA as a source of pressure to weaken
Yesterday the NSA's Clint Brooks <firstname.lastname@example.org>
warded this official statement (which I saw on Declan
FC mailing list):
> "NSA had no role in the design or selection
of the encryption
> algorithm chosen by the Telecommunications
> tion (TIA). NSA also had no role in
the design or manufacture
> of the telephones themselves. As we
understand the researchers'
> claim, it appears that the algorithm
selected and the way it
> was implemented in the system has
led to the stated flaws. NSA
> provided the TIA with technical advice
on the exportability of
> these devices under U.S. export regulations
A poster to the Cryptography mailing list paraphrased
er as: "NSA did not openly tell TIA not to use strong
crypto in the
digital phone standards, and wasn't directly involved
in the decis-
ion about which uselessly weak cryptographic system
they should select."
Today Omnipoint  bought page A21 of the New York
edition) to deliver a "public-service message" to
users of wireless
phones that the Omnipoint system, based on GSM technology,
vulnerable to the publicized attack. "Self-serving
message" is more
like it, though they do have a point: the researchers
note  that
their approach "affects both CDMA and TDMA cellular
systems, but not
TBTF home and archive at <URL:http://www.tbtf.com/>.
send the message "subscribe" to email@example.com.
© 1994-1997 by Keith Dawson, <firstname.lastname@example.org>.
mercial use prohibited. For non-commercial purposes
post, and link as you see fit.
Layer of ash separates morning and evening milk.
Windows Registry Stuff
If you want to learn more about the registry, I've got a nice FAQ.
Just e-mail me at:
And ask for a copy. It's in a 270Kb Zip files, so you better be
able to hanle files that large.
I didn't write the FAQ, I just got it off of a cover CD, and thought
it is quite good.
For all my fellow British hackers:
GO HERE: http://www.madrab.demon.co.uk/phuk/phukfaq.html
For a cool FAQ. Check out:
A note on the on-going mail bombing debate - I think that mail bomb
programs should be made available on websites, but only if the senders
e-mail address is included in the actual messages, and the program does
not attempt to cover any tracks. That would! sure stop the
lamers(or Z, if you are of that sad disposition) from using them.
It would also allow easy retaliation, and their name/details could be distributed
amount the better newsgroups (aka, all but alt.2600!).
Just a final note,
go to whois.
Press enter (or what ever), for great joy!!!!!!!!
From: Adam Christopher <email@example.com>
1. Does anyone know where I can find an assembler for DOS? I've
all over looking for one, but I can't find any.
2. A week ago my Netscape started acting funny and it turned out I had
virus. I cleaned my HD and all of my disks, but when I tried
my comp locked up after the Plug and Play BIOS message. my comp
quiet and it sounded like the HD just stopped. I was able to
boot off a
disk and when I restored my system from tape, it still wouldn't boot.
So finally I whipped out the 'ol Win95 Upgrade CD and reinstalled.
system will boot now, but why wouldn't it boot before?
Carolyn: My guess is that the registry was the culprit.
Anonymous Email Sites
From: Niraj Bhatt <firstname.lastname@example.org>
To keep yourself anonymous (almost), there are several services on the
Internet that will give you a free e-mail address. Some of the
services, like BigFoot, simply forward the mail to the address of your
Others, such as RocketMail, give you an entire mailbox you can access
from anywhere. Doesn't hurt to give them a try, they're all free.
NetAddress - http://netaddress.usa.net/
BigFoot - http://www.bigfoot.com/
iName - http://four11.iname.com/ OR http://www.iname.com
Web - Based Services:
MailCity - http://www.mailcity.com/
HoTMaiL - http://www.hotmail.com/
RocketMail - http://www.rocketmail.com/
Call for Writers
Visit The Digital Misfit Syndicate Web Site at:
To get on the mailing list, send mail to email@example.com
with a subject of <Subscribe_Mailing_List>
DMS is currently looking for writers, ideas, and suggestions
Please mail firstname.lastname@example.org with your article, or
if you are
From: email@example.com (Len)
Sorry to be of a bother to you, but there is one or two things I just
1 - I know nothing(NOTHING!) of social engineering and I think that
it's an art on it's own. I want to know if it's possible for you to tell
me what it's all about and even how to do it(what to say).
I give you my word of honor that I won't use it for evil or bad doing.
I just think that in order to become a good happy hacker, I need to
all about hacking...can't only know some parts.
Thank you for your time.
2 - The server on IRC that you use .. is it INFOWAR..or is that just
a channel. Do you connect to it, or do you use UNDERNET ?
P.s: I have a great sense of humor...you may play pranks on me if you
Carolyn: That's a dangerous offer:):):)
1) Social engineering is known in other circles as learning how to be
a con artist. But it's worth discussing in order to learn how to
protect oneself from it. A number of hackers, especially the ones
trying to shut us down, fear that the Happy Hacker list is a giant
social engineering exercise. Is it? You'll find out!
2) The Infowar IRC server is Java stand-alone application. We prefer
it if you use your Web browser (it has to be able to use Java) and click
on chat to get in. It's at http://www.infowar.com -- as soon as they fix
the hard drive for the server!
Download Shell Account Stuff
From: Adam Christopher <firstname.lastname@example.org>
>From: Engineering Practice Pty Ltd <email@example.com>
>I was just wondering can you download stuff from your shell account
>your home pc(i.e. mail )? I looked at the help files but
couldn't >find anything that would help
There is a handy-dandy util called sz(send zmodem). FTP to
ftp.planet.net/~nitro/bin/ (or something, just look around /~nitro/)
GET the file and type "rz filename" where filename is whatever you
From: cLOut <firstname.lastname@example.org>
I was wondering what a GOOD, all around ircII script is? I've
*MANY*, but can't really find a good one. Anyway, if ya know of some
ircII, e-mail them to me..L8rz.
.oO cL0ut Oo.
Breaking into Windows
From: email@example.com (Douglas S Dangerfield)
I am a newbie, and I have been skimming through the GTMHH, and I have
question about Series #2 Section #2 - Easy Win Break In #2
I follow step one and two then I have problems when I come to
three. It says, Choose 7. then at the MS-DOS prompt type
"rename c:\windows\*pwl c:\windows\*zzz."
I then hit Enter after typing it, and I get :
"Invalid parameter - c:\windows\*zzz."
What does this mean, and what am I doing wrong? Can you help me.
trying to learn
Carolyn: Sorry, sorry, it's a typo. It should be *.pwl and *.zzz. I
left out the dots.
From: Mr. Fubar <firstname.lastname@example.org>
Carolyn P. Meinel wrote:
> Get both NTLocksmith and
> NTRecover -- and lots more free hacker tools -- from > http://www.ntinternals.com.
Guess what- NTLocksmith is not free!?! Any ideas on where I can get
or something like it for less than $84? Let me know,
Carolyn: My mistake, I don't know how to get it without paying.
From: --=Tepes=-- <email@example.com>
>To use Internet Explorer as a Windows shell, bring it up just like
>if you were going to surf the Web. Kill the program s attempt to establish
>an Internet connection -- we don t want to do anything crazy, do we?
>Then in the space where you would normally type in the URL you want
>instead type in c:.
>Whoa, look at all those file folders that come up on the screen. Look
>familiar? It s the same stuff your Windows Explorer would show you.
>fun, click Program Files then click Accessories
then click MSPaint.
>All of a sudden MSPaint is running. Now paint your friends who are
>this hack very surprised.
If you type c:/ in Netscape Gold 3.01, it will do the same thing,
it doesn't look like Winblowz Explorer. They look like links.
Carolyn: But if you play around some with Netscape you will see it doesn't
behave that much like a shell. It's pretty good for opening text files
in an appropriate word processor, but you can't get it to run other kinds
Port Surf Question
Can you be traced while port surfing on telnet? What about if you
attempt to log on to something? Do you know if I can be traced through
this account if I used false information. Please keep this
confidential or post it anonymously.
Carolyn: If you are asking that question, the answer is yes. There are
ways to evade identification, however.
Courtesy of Exodus
Orig. by JR
It seems that not many of you know that Telenet is connected to about
80 computer-networks in the world. No, I don't mean 80 nodes, but 80
networks with thousands of unprotected computers. When you call your
local Telenet-gateway, you can only call those computers which accept reverse-charging-
If you want to call computers in foreign countries or computers in USA
which do not accept R-calls, you need a Telenet-ID. Did you ever notice
that you can type ID XXXX when being connected to Telenet? You are then
asked for the password. If you have such a NUI (Network-User-ID) you can
call nearly every host connected to any computer-network in the world.
Here are some examples:
026245400090184 :Is a VAX in Germany (Username: DATEXP and leave
for CHRIS !!!)
0311050500061 :Is the Los Alamos Integrated computing network
the hosts connected to it is the DNA (Defense Nuclear Agency)!!!)
0530197000016 :Is a BBS in New Zealand
024050256 :Is the S-E-Bank in Stockholm,
Sweden (Login as GAMES
02284681140541 :CERN in Geneva in Switzerland (one of the biggest
nuclear research centers in the world) Login as GUEST
0234212301161 :A Videotex-standard system. Type OPTEL to
get in and
use the ID 999_ with the password 9_
0242211000001 :University of Oslo in Norway (Type
LOGIN 17,17 to
play the Multi-User-Dungeon !)
0425130000215 :Something like ITT Dialcom, but this one
is in Israel !
ID HELP with password HELP works fine with security level
0310600584401 :Is the Washington Post News Service via
Tymnet is connected to Telenet, too !) ID and Password is: PETER
You can read the news of the next day !
The prefixes are as follows:
02624 is Datex-P in Germany
02342 is PSS in England
03110 is Telenet in USA
03106 is Tymnet in USA
02405 is Telepak in Sweden
04251 is Isranet in Israel
02080 is Transpac in France
02284 is Telepac in Switzerland
02724 is Eirpac in Ireland
02704 is Luxpac in Luxembourg
05252 is Telepac in Singapore
04408 is Venus-P in Japan
...and so on... Some of the countries have more than one
packet-switching-network (USA has 11, Canada has 3, etc).
OK. That should be enough for the moment. As you see most of the
passwords are very simple. This is because they must not have any fear
of hackers. Only a few German hackers use these networks. Most of the computers
are absolutely easy to hack !!! So, try to find out some Telenet-ID's and
leave them here. If you need more numbers, leave e-mail.
I'm calling from Germany via the German Datex-P network, which is
similar to Telenet. We have a lot of those NUI's for the German network,
but none for a special Tymnet-outdial-computer in USA, which connects me
to any phone #.
CUL8R, Mad Max
PS: Call 026245621040000 and type ID INF300 with password DATACOM to
more Information on packet-switching-networks !
PS2: The new password for the Washington Post is KING !!!!