Security

New Phrack 239

Posted by michael
from the things-man-wasn't-meant-to-know dept.
Anonymous Coward writes "A new issue of the Phrack Magazine, #60 has been released today. It details some decent technique about kernel exploitation (OpenBSD), Cisco remote exploit, how to backdoor a core bzimage kernel and other stuff. The ascii based magazine is available at phrack.org."
This discussion has been archived. No new comments can be posted.

  • by eln (21727)
    Slow News Day Grips Springfield

  • Wow... (Score:1, Interesting)

    by JPhule (170787)

    I remember reading phrack back in the day. It gave me fun things to do to friends and foes before I realized how stupid a lot of it was. Building red, blue, beige etc. boxes and turning off my neighbor's phone. It was mostly juvenile stuff that just turned me into a little delinquent but it got me interested in the tech industry and I appreciate that.


    • I was always fond of that bomb recipe they published. It had this gem in the refinement instructions: "set up the apparatus and *run*" if that's not enough to remove the person from the gene pool the instructions finished by saying the resulting explosives should be detonated by throwing a rock at it.

      After that I stopped reading Phrack for some reason..
  • Anyone notice... (Score:2, Informative)

    by Dillon2112 (197474)
    ...that the link is to phrack.org but when you actually go there, their current site name is a bit different? =P
    I like some of what they stand for (intellectual curiosity, hacking (in the real sense) and freedom) but a lot of what they *do* with those ideas is a bit disappointing. In this case however, it's not only right on target, but funny as well.
    • license. When some people say "free" what they mean is without responsibility or repercussion. I believe in the gedanken that your right to swing your arms about ends at the tip of my nose.

      Some people find this "restriction" intolerable. What's interesting is that these people often go on and on about their "rights" if you do anything to them.

      Well, a good many of them grow out of that eventually, and the ones that don't we just call assholes.

      Power always needs to be tempered with restraint, and the more power the more restraint.

      As Gandhi once pointed out nonviolence is not weakness, indeed, the weak cannot be nonviolent. Only the strong, and only in proportion to their strength.

      One can only be free in proportion to one's sense of responsibility.

      Otherwise you're just some punk kid that a bunch of people with freedom are going to beat the crap out of in a back alley some day in the hopes that it'll jar something loose and you start to "get it."

      KFG
  • Cool domain (Score:5, Interesting)

    by alfaiomega (585948) <alfaiomega@despammed.com> on Sunday December 29, 2002 @03:11AM (#4975248) Homepage
    The gzipped tarball of Phrack #60 is available at http://www.phrack-dont-give-a-shit-about-dmca.org/archives/phrack60.tar.gz [phrack-don...t-dmca.org]
    • Nostalgia... (Score:5, Interesting)

      by alfaiomega (585948) <alfaiomega@despammed.com> on Sunday December 29, 2002 @03:28AM (#4975291) Homepage

      After looking at Phrack #1 [phrack.org] from 1985 I decided that I just have to run
      for i in `seq -w 1 60 | tac`; do wget http://www.phrack.org/archives/phrack$i.tar.gz; done
      and spend this day on reading Phrack issues backwards. It's going to be a hellova nostalgic New Year for me... :_)

      • by Anonymous Coward
        You sir are in dire need of a life. But look at me posting to slashdot at 2:30 am.
  • ASCII sucks! In the future, we will all be using AMAZA-COLOR ANSI graphics!

    Aside from its dull graphics, phrack is a cool magazine and I recommend that everyone download it. If, by some act beyond our understanding, it gets /.ed, you can use my mirror here [dnsart.com].
  • Like many others, I don't give a phrack.
  • Traffic Lights (Score:4, Interesting)

    by sharph (171971) <sharp@sauropod.org> on Sunday December 29, 2002 @03:37AM (#4975323) Homepage
    There's an article about hacking traffic lights. Do you think that now that the information is now open to a wide public, we will see traffic lights doing weird things?
    • by Phroggy (441) <slashdot3.phroggy@com> on Sunday December 29, 2002 @04:02AM (#4975383) Homepage
      There's an article about hacking traffic lights. Do you think that now that the information is now open to a wide public, we will see traffic lights doing weird things?

      No, not really.
    • The information on building incendiary devices (that's "bombs" for any morons that may be reading this) is open to a wide public on the internet, too, but we don't see explosions all over the place... so most likely, no.
      • Considering traffic lights won't blow up on you, people may find it more entertaining.

        Fewer people would fuck with bombs than traffic lights
        • I'd be not so sure. A lot of kids are fearless about personal injury, but I think there are more reckless young pyros than adolescents with no fear of authority. Sure, most thumb their nose at the Man often enough and give independence plenty of lip service, but anyone who gets caught fscking w/ traffic signals will be majorly fucked, and more kids will acknowledge that than their mortality, I think.
    • You know what, the first time some idiot messed with traffic lights and gets a family killed because of it, you'll see the first capital murder case from hacking in the U.S. The only possible 'safe' hacking you could do of traffic lights would be to turn them all red. You better hope you don't accidentally turn them all green, though, or even yellow.

      Stick to defacing web sites, kids, especially if you live in Texas. Yeesh.
      • actually (Score:4, Funny)

        by commodoresloat (172735) on Sunday December 29, 2002 @04:23AM (#4975431)
        I recall a story in an old 2600 about someone who managed to get caught hacking not traffic lights but those signs on freeways with giant LEDs telling people there is a traffic jam or whatever. Seems this guy changed the text to read "FUCK YOU ALL." Pretty funny, and relatively harmless, imho. But yeah it's not the same as messing with a traffic light, which could be really dangerous.
      • Re:yikes (Score:3, Informative)

        by thogard (43403)
        There is very little you can do with traffic lights. Most of them use physical relay lock outs to keep two of the signals going green in different directions at the same time. About all that could be done that could cause a problem is dropping the yellow time to close to zero but there should be a minimum time for that as well. Other than that, you've got exactly the same risk as when the power goes out. Too bad in that case most people think they have the right of way on the main road and no company has been smart enough to put in some battery backed flashing LED's to hint to people that it's turned into a 4 way stop. Of course 99% of all intersections with traffic lights could be replaced with round-abouts and increase safety but that won't ever happen.
        • Of course 99% of all intersections with traffic lights could be replaced with round-abouts and increase safety but that won't ever happen


          You must live in Europe. They put a roundabout in a couple of years ago at a major intersection here in Florida. It soon became the absolute worst place for traffic accidents. No one could figure out how to use it.

          The drivers test here in Florida is similar to a MCSE exam, you can score perfect on the test, but still not know what the hell you are doing.
          • Those were traffic circles, not round abouts. The difference is that the person in the roundabout has the right of way and in the traffic circles the people in the circle yield to those entering. Most of the ones in DC are traffic circles. A well designed roundabout will allow traffic to enter in only one way. The old traffic circles (from the days of horses) enter at 90 degrees and are a complete disaster. A well designed round about will simply be a Y intersection with a yield sign. If the drivers can't figure that out, they should not be on the road.

            A typical roundabout can allow 4 times more cars through per hour and scale to points where you need overpasses.

            Don't judge a concept based on a few bad implementations. In the town I live in, there are roundabouts on the west side and none on the east. It turns out that the west side doesn't have the traffic problems but the counts show much higher levels. The pollution is lower, the accident rates are lower and the traffic jams form when the west side traffic hits the east side where all the stop lights are.

            I can't find any reference to the place you mentioned but there are many web references about roundabouts in Florida that have reduced accident rates according to google.
          • by d0s (550629)

            You must live in Europe. They put a roundabout in a couple of years ago at a major intersection here in Florida.

            Lemme guess, Parkland? NOBODY uses the silly thing correctly. Considering the average Parkland I.Q. is something like 80, that's not very surprising.

        • For a moment there I thought you said that roundabouts increase safety. Because, of course, that would not make any sense whatsoever.
        • MOST of them? What kind of percentage are we talking about here? It only takes one intersection with lights that aren't like that to cause a fatality.
          • The flashing yellow kind are the only type I know about that don't have a safety interlock. There are some very complex systems that have several interlocks and can fail in strange ways but they are designed to fail in a way that all sides get red. Most older lights will fail in such a way as one side gets a green and all the others get a red. For a typical intersection of a main road with a minor side street, that works well when there is a problem.
      • Yeah, I remember seeing a show on the discovery channel (or maybe it was TLC) about some kids that pulled a stop sign out of the ground (or bent it down or something) and got sentenced to several years in jail because someone got killed at that intersection as a result of their "antics".

        I don't have a link to the case, but if I'm not mistaken those kids are still "out of society".

        • by jci (521890)
          This [kscourts.org] appears to be an appeal to something similar to what you speak of, though it's an appeal about an insurance company.
          I remember seeing what you speak of as well.

          From the above link (an appeal):
          ...Where a driver of an insured car drove to an intersection and removed and carried away the stop sign in the insured car, no coverage exists for the death of a motorist at the intersection because the motorist's death was not causally connected to the use of the insured car.
          I think I remember something similar to screwing around with the traffic lights on the x-files, where someone set it green with mind powers or something..
          • by jci (521890)
            Bah, this [cnn.com] is the case I believe the show was about. Changed my search to "accident after removal of stop sign"
    • If your traffic hack results in someone's death, you can be faced with a life sentence under modern U.S. law.

      If you don't live in America, we'll just threaten your government until they let us extradite. I firmly believe that hacking is art, but some things should just be left alone. That said, I thoroughly read and enjoyed it; keep em coming phrack!
      • If your traffic hack results in someone's death, you can be faced with a life sentence under modern U.S. law.
        Most likely, if the intent wasn't malicious, you'd probably be charged with manslaughter and serve 5-10 years on a first offense.
        • Or even better, the US "government" will use their new presidentially approved authority to allow the military to assassinate you (I shit you not!) by claiming you are a terrorist. Without trial.

          Worryingly enough, they do now have that authority - it was in the news a few weeks ago that there are about 20 Al-Q suspects (note - suspects, not ever been subject to trial) who the military have been authorised to kill if it would be too difficult/dangerous to capture. And more can be added to this list without presidential say-so. It truly is the beginning of the police state, and the end of civilisation if this is allowed to happen.

    • Re:Traffic Lights (Score:3, Informative)

      by haunebu (16326)
      Much easier is to just flash your brights thrice and the photoreceptors (present on top of/within most urban traffic controllers) will assume yours is an emergency vehicle and cycle to green ASAP.
      • unless you're stuck in some backass town where all the lights are on timers. sometimes i hate wisconsin
      • The traffic lights where I used to live had such a photo receptor. The emergency vehicles had BRIGHT, focused xenon strobes which triggered them. I couldn't aim my headlights high enough to hit them, and my 4 D-cell maglight wasn't bright enough.

        I thought about making a strobe/parabolic reflector combo, but just never got around to it. The first question to answer would be: ``has anyone thought to outlaw it in my jurisdiction yet?''

    • What you mean like poor timing, waiting until you're 20 feet away and jumping to red with a .0003 second yellow cycle, being timed specifically so that unless you can get your car from 0 to warp 7 in 3 seconds you have no prayer of making the next light or randomly switching between normal and blinking operation?

      Denver has that already! Bastards! They must have been testing out their diabolical schemes here!

      Oh yeah, and before I get a load of mindless "I live in Denver and don't have..." responses, try driving around Uptown for a while. Let me know how that works out for 'ya

    • What, you mean like working correctly? I wish!
  • can i subscribe to the 'i wanna be a hacker' club too? aww darn.. well LoL
    • Sure you can! - they'll post your subscription request in Loopback with all the other errors of society they find when they run fsck on their e-mail box :P
  • Gray hat? (Score:5, Interesting)

    by arvindn (542080) on Sunday December 29, 2002 @04:00AM (#4975378) Homepage Journal
    Phrack is perhaps a good example of the line between black hat and white hat "hackers" being blurry. The articles are informative and well-written, and by intelligent people, not your typical 14 yr old cracker on ecstasy who launches DDOS attacks from haX0r'd machines. I've done a compilers course, but still found a lot to learn about compilers from a phrack article on buffer overflows. Also check out the essays at SANS [sans.org].
    • Re:Gray hat? (Score:5, Informative)

      by SuperDuG (134989) <(be) (at) (eclec.tk)> on Sunday December 29, 2002 @04:23AM (#4975429) Homepage Journal
      I think the one thing that people need to get out of their heads is the common misconception of a "black hat hacker or cracker". The terminology is quite specific as:

      - "script kiddie" refers to someone with little or no maturity that uses an automated exploit scan program that makes hacks a matter of happenstance if anything else.

      - "cracker" is one step higher from a script kiddie as this is a person who actually has a target in mind, but is not randomly screening. Usually a cracker will gain access by acquiring a password (hence cracker). There are many ways to do this, but the more calculated attacks are usually by a cracker that is persistent.

      - "black hat hackers" these are the guys you rarely hear about as their main goal in life is to be where they shouldn't be and make sure that they're the only ones that know what they are doing. This is the sexiest of illegal hackers as these are the types that actually get into the "unbreakable" systems and really do know their shit. These people work for the government usually (and not just American) and some are even employed without wanting to be (part of a plea bargain). These are the type of people that you want to not be interested in your system as with a certain amount of time they will get into your system.

      I'm not implying you don't know this, I was merely trying to elaborate further on your post. And not everything these "Evil Hackers" do is all that bad. Many "script kiddie" tools are useful in testing your own systems for holes or exploits, if you have the same toys as they do, they can't beat you.

      Grey hats are where most all computer type people belong, where we all usually do good, but we do know some tricks of the trade. Like an auto mechanic who knows how to hotwire a car or jimmy a lock open, does that make him a criminal? Same goes for anyone who is a professional locksmith (make the best thieves?), doctors (make the best killers?), and bomb squad officers (make the best bomb builders?). The joy of being a grey hat is knowing enough to protect yourself because you've been there before.

      Case-In-Point ... the most secure server is one that is unplugged and buried in the middle of the earth, and that's still questionable.

      • "doctors (make the best killers?)"

        Well, I believe Britain's biggest mass murderer was a doctor killing his patients, and so successful they weren't even certain how many he'd murdered to the nearest hundred... luckily the hundred or two they were sure of was enough to get him convicted.
        • That would be Dr. Harold Shipman, the BBC [bbc.co.uk] reports that he killed 215 of his patients, although he was jailed for life for 15 murders, I assume they didn't know about the others. Here [google.com] is a list of articles about him from the BBC.
      • - "script kiddie" refers to someone with little or no maturity that uses an automated exploit scan program that makes hacks a matter of happenstance if anything else.

        Wrong. 'Script Kiddie' refers to someone exceptionally more skillful at programming, hacking, cracking and everything else that goes beyond VB DB Frontends than the average slashdotter, but also happens to be younger and is thus referred to as 'Script Kiddie' (disapproving frown) to cloak the fact that they are actually intelligent enough to have their computer do stuff they want it to do and that said average slashdotter doesn't know zilch about. While at the same time they're out in the club closing in on some cute girls.
        • Re:Wrong. (Score:1, Informative)

          by Anonymous Coward
          Oh man, somebody has issues.

          No. A script kiddie is one who downloads exploits and runs them without any understanding of how he's doing what he's doing. Cookbook programming of an infinitely lower level. And usually they ARE kids, mentally and socially if not physically.
        • I had the impression, from a number of people, that a script kiddie had nothing to do with age, but rather maturity. Someone, who as the parent described, uses scripts and bots found on the internet to run their attacks. I don't think that script kiddies write their own scripts, hence script kiddies, not hackers/crackers/ etc.
      • I disagree. Basically, in the last part you just described a white hat. I mean, what is it that you think a white hat is? Every "hacker" (here used in the computer security sense of the word, which includes white/gray/black) has to know the holes and should presumably have the exploits down pat. The term doesn't refer to what skills you possess, it refers to what you do with them.

        A white hat uses this knowledge to protect their networks and systems, nothing more, nothing less. They will probably pass this information on to other white hats without a moment's hesitation.
        A gray hat uses this knowledge to protect their networks, but doesn't mind looking the other way when said knowledge is passed on and used destructively. But the gray hat won't do anything actively invasive to other networks, but won't have a problem giving out this information indiscriminately.
        A black hat will simply use their knowledge to exploit and/or enter systems (though presumably for non-destructive purposes).

        By your example, the locksmith, doctor, and bomb squad officers would all probably be white hats. It is hard to think of an analog to the gray hat outside computing though, because it is really more a computer security related phenomenon. Perhaps it is most comparable to a neutral nation-state.

        Now I see why so many people get frustrated by these ridiculous terms.

    • I have been calling myself a "grey hat" for a while now.

      Point: my email address is greyhathacker@ that really popular hotmail thing.

  • er... (Score:1, Insightful)

    i just glanced over the mailbag section, and while some of the reader letters are indeed pretty lame, do they really have to be that elitist in their replies? ugh... yeah yeah, flamebait, i know- but it had to be said.
    • actually, i used to enjoy going through loopback. but, it somehow didn't have the same zing to it in P-60. maybe, fewer people want to get insulted and have it archived forever! or maybe, phrack staff has grown more tolerant... or maybe, more mails are getting piped to /dev/null!!
  • This would be stupid
    But hacking traffic lights is
    mentioned. Traffic lights!
  • What the phruck?

    Don't worry, I'll do it myself.
    /me pimpslaps himself

  • by OttoM (467655) on Sunday December 29, 2002 @06:11AM (#4975660)
    Patches for OpenBSD 3.0 and 3.1 were submitted August 11, 2002. OpenBSD 3.2 was released with the patched code. See errata page [openbsd.org].

    While interesting, the article describes a vulnerability that already has been fixed.

  • by Pedrito (94783) on Sunday December 29, 2002 @07:59AM (#4975904) Homepage
    A new issue of the Phrack Magazine, #60 has been released today

    And the latest Computer Shopper is on the newsstands. Just wanted to make sure no slashdotter let that one get by them.
    • Ewww... I hate the Computer Shopper.

      I don't know if Pricewatch killed it or what, but I remember when the CS used to be thicker than most bibles and consumed hours of my time looking for parts.

      Now it's a cruddy pamphlet that sucks as bad as all other Windows-mostly computer magazines.
  • The original version of the famous 'Hacker's Manifesto' was published in some early issue of Phrack. What hacker's manifesto? The one that The Mentor wrote and the same that was used in 'Hackers' -movie.
    ----
  • where's my 1200 baud Avatex so I can dial up Demon Roach Underground [cDc] in Amarillo.

    pwd=kill.
  • by r5t8i6y3 (574628) on Sunday December 29, 2002 @11:24AM (#4976501)
    this, IMHO, is the most valuable information in Phrack 60:

    Kevin Mitnick wrote a book, "The Art of Deception". The first chapter
    has been deleted by the publisher at the last minute. It's available
    on the internet:
    http://www.wired.com/news/culture/0,1284,56187,00. html [wired.com]
    http://littlegreenguy.fateback.com/chapter1/Chapte r%201%20-%20Banned%20Edition.doc [fateback.com]

    [i linked this Phrack quote because Slash adds a space character to strings that wordwrap - can anyone tell me how to prevent this from happening?]
    • Is it just me, or does anyone else see a similarity between Kevin's treatment and the treatment of so-called witches way back when?

      All these people were so freaked out by what they thought he could do with a payphone, they denied him his every right.

  • Intrigued by this "phrack" I started reading through the archives and found this article from 1986 [phrack-don...t-dmca.org] that was an overview of cellular telephone technology. This was an interesting paragraph:
    Cellular Telephones come in two basic versions, as car phones and portable phones, with a briefcase hybrid. Car phones are by far the most common, because they are much cheaper. But most believe that, ultimately, portables will be the most popular. Washington Post Company president Richard Simmons, whose company is a partner in several cellular systems, even predicts that by the early 1990's
    "There will be phones roughly the size of a calculator that you carry around in your pocket. They will cost no more than five hundred dollars. They will emancipate people from the necessity of locating a phone to make calls. The bad news is, you will never be able to get away from the phone, and we'll call it progress."

    It turns out these guys were predicting the future...

  • My favorite memory from Phrack was an article outlining ways to trick pholks into giving you all the information you needed to call the phone company and get their service all messed up. The authors claimed they called people with very professional-sounding voices, and answered as MCI customer service. They had friends in the room talking to "customers" and clicking on loud IBM keyboards for background noise. The author acted like they had been called by the victim, confusing the victim who had themselves answered the phone, and said there must be something wrong with the service and that they could fix it right up in a jiff. Then they asked for all the pertinent information about the victim and their phone account.

    At 14, I thought it was slicker than apeshit! Low-tech and simple.

    Ahhhhh... Phrack!

    I also had a friend that did lots of public service hours for unwisely applying things he learned about in Phrack. I did not think that was slick on his part.
