%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%                     T H E   E M P I R E   T I M E S                      %
%                     -------------------------------                      %
%                        The True Hacker Magazine                          %
%                                                                          %
%                  July 10, 1992                  Issue II                 %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Editor in Chief: Albatross
Co-Editor:       {Spot is Open}
Email:           bbs.albatros@goonsquad.spies.com
Staff:           {Spot is Open}
                 wdem416@worldlink.com
Dist. Center:    The Empire Corporation

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 #  Phile Description                                Size  Author or Group
 -  ------------------------------------------------ ----  ---------------
 1  Introduction                                       1k  Albatross
 2  The Grim Reaper and his CBI Story                 10k  The Grim Reaper
 3  Why the Secret Service Will Bust You              11k  C.P.S.R
    Instead of the F.B.I.
 4  Use The Freedom of Information Act For You        38k  F.O.I.A.
 5  Carding in the 90's                                4k  Mustang
 6  Specs on Caller ID                                 6k  TELECOM
 7  Foiling The Cracker                               37k  S.E.I.
 8  Phreak Knowledge {What All Should Know}            8k  Rebel Lion
 9  The Beginner's Guide To Hacking On Datapac        73k  The Lost Avenger
10  SummerCon '92 (The Conference)                     7k  Albatross
11  The News .... On the MOD Bust                     10k  {Various News}

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

-=- The Empire Times -=-
Volume 1, Issue 2, File 1 of 11

Introduction

As time goes on and on, it seems that The Empire Times is reaching a bigger and better field of people. I have noticed myself that the level of knowledge has jumped 10 fold since the first issue, and that was small. Well, after you finish this baby I think the world will be in for the time of their life.... The Times needs writers like mad, so talk to me and I'll see what I can do to give ya a helping hand. I need freelance writers and dedicated staff members....
"Don't let anybody stand in your way, Fight till the end, Never give in and never let them win, Always fight Back"

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

-=- The Empire Times -=-
Volume 1, Issue 2, File 2 of 11

The Grim Reaper & His CBI Story
by The Grim Reaper

Well, I am sure you have all heard that I had a small legal problem today, and I know how stuff gets blown out of proportion, so I thought I'd explain the story myself. Here goes...

I have carded a few items in the past 3 days, and I have NEVER done this before. The Grim Reaper got CBI accounts and placed orders, and I picked them up. Well, one of the places Grim ordered from was Paradise Computers; they knew it was a bogus order, but told us the package was shipped. Then they called the FEDS. Anyhow, the Feds must have been watching the pickup spot, then following me around till I met up with Grim to deliver his share of the stuff. As soon as we went to make the exchange, the Secret Service, FBI, state police, and local police were running at us with bulletproof vests and automatic guns. They handcuffed us, separated us, and took each of us back to our homes for them to search. So I haven't talked to Grim Reaper since I saw him lying next to me on the ground being arrested. But here's my story.

About 20 agents came to my apartment and grabbed all computer equipment without a receipt. So we still have 1 modem, and this computer system. Anyhow, they grabbed every piece of paper they could find. Unfortunately, I am a very organized person, and had "the who's who in the pirate world" written down for my use. So if you ever gave me your real name, number, or address, it is now in the hands of the Secret Service and FBI. This list was quite large, as it took 2 years to compile.

These boys did their homework. They knew Enterprize was USA HQ and they knew my handle, and they knew I supplied the group with software.
They weren't going for just anyone here guys, they knew they needed to bust a group leader. Well, they did. Got me on carding, pirating, and a ton of other legal terms having to do with both of these. I was charged with 6 different counts, each holding a 5-30 year prison sentence. It doesn't look good for me at all. I'll post a file as soon as I get arraigned and let you guys know what is going on.

But I will say this now, and I MEAN it. I love the groups, the software, and the competition. But regardless of what happens to me, I am done forever. No more NotSoHumble Babe, no more USA. I hate to do this to everyone, but I really don't have a choice. And regardless of who I am that got busted, be strong and support what you believe in your hearts: piracy. Don't let them win. You guys can all go on without me. Just promise me you won't give up and throw in the towel.

If anyone wants to contact me, you can leave e-mail on Enterprize for me, or call voice AT YOUR OWN RISK. They told me they were tapping the phone lines.

Just got to say a few goodbyes...

Genesis: man, this stuff is in your blood, don't allow my mistakes to mess up something you've loved your whole life. You Gotta Ski!

Silencer: well, you warned me and I didn't listen. I needed to listen to the kid with a knowledgeable mind. Sorry, the second time I left a group and left you hanging...

Cool Hand: Joe, you are a really nice person to talk to, and you've got a wife and kids. Remember that man, is this stuff worth it?

Line Noise: Neil, I guess you are one of the happier ones to hear of my bust. No THG, no USA. You will rule the world man, but be more careful than I was.

The PieMan: Well, you can quit threatening to turn my board in if you ever get caught. My board was officially busted.

Fab.Furlough: Deep down inside, you are a backstabber. But I still love you man...

And to all I didn't say anything to, doesn't mean I don't care. I hope USA will continue to live and prosper.
And I will do anything I can (legally) to help USA prosper.

Goodbye...

The NotSoHumble Babe

Of course, that was the version she wanted to play to the general public. The NotSoHumble Babe and The Grim Reaper were not just doing this for the first time; it had been a routine thing for quite a while (for at least 4 months, when TGR carded his 486/33). I guess it would be helpful to take a few steps back, and get a look at the whole picture as I know it (from reliable sources, and from personal experience with these two people).

The NotSoHumble Babe was always known for her good contacts in the software field; that is the reason for USA's quick appearance. People probably wondered how she did it? I am sure she had many ways, but the one tactic she used which gained her the interest of the FBI was telling the software Co's she was a distributor. All of them believed this except for one. When this one checked her Employer Identification Number, and found it didn't check out with her, they knew something was up. They then had her lines monitored, and because of this found out they had more than a business fraud on their hands; they found out they had a veteran credit card abuser, and the leader of a major pirate group. This then in turn caused a lot more investigation to take place, and in turn the interest of the Secret Service. Since they were being monitored, the SS knew all their plans. When TGR had ordered his next shipment of carded goods, the SS notified the company of what was going on, and set the trap.

Now, after several months of investigation on The Grim Reaper (Mike Arnolds) and The NotSoHumble Babe, the case was about to come to a close; they had everything they needed to convict these two people in court, and whoever else they wanted. As Amy said in her text above, she and Mike were on the way to meet each other to split the goods they had carded. When Amy went to FedEx to pick up her shit, and go meet Mike, they were surrounded, and arrested.
This took place on 1-29-92 at approximately 2:27pm. Mike and Amy were taken back to their houses, where all of their equipment was looked over. As she said, anything without a receipt was confiscated. Then came the big talks from the Feds - interrogation.

This day totally changed Mike's and Amy's life drastically. Things would not be the same. And because of this, they were both pretty moved. Because of this insecure feeling, and because they are both unable to take this shit themselves, and not implicate other people, they decided to cooperate 100% with the authorities. Anything they didn't have on paper, anything the Feds found unclear, Mike and Amy are/were right there to make a clear picture for them. Amy failed to say this, I see. I know first hand, The Grim Reaper and The NotSoHumble Babe are going to drag as many as they can with them. A loser thing to do, but that's what they are going to do.

Looks like it's time for us all to either call it quits for a while, or be very fucking careful. TGR and TNSHB are both history. They fucked up. And now they will pay for their mistakes. But we don't need to be party to their bullshit. Delete their accounts from your board, blacklist them, lock out new users, change the system pw, and even go as far as deleting all USA affiliates if you feel it is necessary.

What about USA? What about Genesis and BBS-A-Holic?

Well, Genesis was one of her partners in crime. Thomas always made it a habit to get something out of each of her shipments, so to do this, he had to contribute somehow; nothing is free. He helped card about 25% of the shit they got, so I am sure he is a nervous mother fucker right now. The Feds are monitoring his local FedEx anyway, so if he goes there to pick up his last package, his ass is in jail too. He also was a very avid user of the 950-0511 extender, as the Feds are aware of, and they might pop him for this, who knows?

The board? USA? I have heard, but not from Genesis, that USA is now officially dead.
BBS-A-Holic is down, and no idea when it will come back up. But when it does again come online, I will not be a member on that system. Thomas is considering turning himself in; if he does this, he said he too will cooperate with the Feds, which means if you were his friend yesterday, and helped him card shit, or anything, then you might share his cell tomorrow.

What do you know about The Grim Reaper, The Void, and Vision-x?

The Grim Reaper is getting popped for the second time; therefore, I think his ass will be in jail a few years, once he is sentenced. The Void? I am not sure, but I assume since he had carded all of his computer equipment, that it was all confiscated, along with all of his backups. Mike, being in jail or not, will never again run a board. As for Vision-x, who knows. Warlord has not made a public statement yet, so no one knows yet. He does live in 313 as did the other two, so if I were him I would be scared shitless, especially since he was supposed to receive a carded 386/25 from USA. Felony Net and Toxic Net are all history. Perhaps Warlord will bring them back, though, but I don't foresee this any time soon.

The Grim Reaper and The NotSoHumble Babe were charged with credit card fraud amounting to $18,200, and software piracy adding up to $72,000. Once you add Genesis' (Thomas') part in, the credit card fraud will probably amount to $21,000, but that's just my guess, based on all this shit he told me about that he assisted in, and some he did on his own.

When TNSHB says to call her board and leave her your questions, or number to call you back at, it is just a simple way to drag you in. Don't fall for it. Lives and freedom are too precious to ruin for a bitch like her.

Just for the hell of it, here are their telephone numbers; if you want to verify all this shit, just call and ask them.
(I advise you do this from a payphone a LONG way from your house, and don't identify yourself)

The Grim Reaper (Mike)       313-981-1903 / 313-981-1296
The NotSoHumble Babe (Amy)   313-442-2523
Genesis (Thomas)             213-328-7507

Hope this has all been helpful. If you want more history on these people, send a public message on OoofNet in care of [>ANONYMOUS<], and I will give the desired history out.

[> ANONYMOUS <]

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

-=- The Empire Times -=-
Volume 1, Issue 2, File 3 of 11

Why The Secret Service Will Bust You Instead of The F.B.I.

Here is a letter from the Director of the Secret Service to US Rep. Don Edwards, D-California, in response to questions raised by Edwards' Subcommittee. This copy comes from Computer Professionals for Social Responsibility in Washington, DC.

DEPARTMENT OF TREASURY
UNITED STATES SECRET SERVICE
WASHINGTON, DC 20223

The Honorable Don Edwards
Chairman
Subcommittee on Civil and Constitutional Rights
Committee on the Judiciary
House of Representatives
Washington, D.C. 20515

Dear Mr. Chairman:

Thank you for your letter of April 3, 1990, concerning your committee's interest in computer fraud. We welcome the opportunity to discuss this issue with your committee and I hope the following responses adequately answer your questions.

Question 1: Please describe the Secret Service's process for investigating computer related crimes under Title 18, United States Code, Section 1030 and any other related statutes.

Response: The process by which the Secret Service investigates computer related crimes is similar to the methods we use to investigate other types of criminal investigations. Most of the investigative techniques are the same: surveillances, record checks, witness and suspect interviews, etc. The primary difference is we had to develop resources to assist in the collection and review of computer evidence.
To provide our agents with this expertise, the Secret Service developed a computer fraud investigation course which, as of this date, has trained approximately 150 agents in the proper methods for conducting a computer fraud investigation. Additionally, we established a Computer Diagnostics Center, staffed with computer professionals, to review evidence on computer systems.

Referrals of computer related criminal investigations occur in much the same manner as any other case. A victim sustains a loss and reports the crime, or a computer related crime is discovered during the course of another investigation. In the investigations we do select, it is not our intention to attempt to supplant local or state law enforcement. We provide enforcement in those cases that are interstate or international in nature and for one reason or another are beyond the capability of state and local law enforcement agencies.

When computer related crimes are referred by the various affected industries to the local field offices, the Special Agent in Charge (SAIC) determines which cases will be investigated based on a variety of criteria. Each SAIC must consider the economic impact of each case, the prosecutive guidelines of the United States Attorney, and the investigative resources available in the office to investigate the case.

In response to the other portion of your question, the other primary statute we use to investigate computer related crimes is Title 18, United States Code, Section 1029 (Access Device Fraud). This Service has primary jurisdiction in those cases which are initiated outside a bank and do not involve organized crime, terrorism, or foreign counterintelligence (traditional responsibilities of the FBI).
The term "access device" encompasses credit cards, debit cards, automatic teller machine (ATM) cards, personal identification numbers (PINs) used to activate ATM machines, credit or debit card account numbers, long distance telephone access codes, computer passwords and logon sequences, and among other things the computer chips in cellular car phones which assign billing.

Additionally, this Service has primary jurisdiction in cases involving electronic fund transfers by consumers (individuals) under Title 15, U.S. Code, Section 1693n (Electronic Fund Transfer Act). This could involve any scheme designed to defraud EFT systems used by the public, such as pay by phone systems, home banking, direct deposit, automatic payments, and violations concerning automatic teller machines. If the violations can be construed to be a violation of the banking laws by a bank employee, the FBI would have primary jurisdiction.

There are many other statutes which have been used to prosecute computer criminals but it is within the purview of the U.S. Attorney to determine which statute will be used to prosecute an individual.

Question 2: Has the Secret Service ever monitored any computer bulletin boards or networks? Please describe the procedures for initiating such monitoring, and list those computer bulletin boards or networks monitored by the Secret Service since January 1988.

Response: Yes, we have occasionally monitored computer bulletin boards. The monitoring occurred after we received complaints concerning criminal activity on a particular computer bulletin board.
The computer bulletin boards were monitored as part of an official investigation and in accordance with the directives of the Electronic Communications Privacy Act of 1986 (Title 18 USC 2510).

The procedures used to monitor computer bulletin boards during an official investigation have involved either the use of an informant (under the direct supervision of the investigating agent) or an agent operating in an undercover capacity. In either case, the informant or agent had received authorization from the computer bulletin board's owner/operator to access the system. We do not keep records of the bulletin boards which we have monitored but can provide information concerning a particular board if we are given the name of the board.

Question 3: Has the Secret Service or someone acting under its direction ever opened an account on a computer bulletin board or network? Please describe the procedures for opening such an account and list those bulletin boards or networks on which such accounts have been opened since January 1988.

Response: Yes, the U.S. Secret Service has on many occasions, during the course of a criminal investigation, opened accounts on computer bulletin boards or networks. The procedure for opening an account involves asking the system administrator/operator for permission to access the system. Generally, the system administrator/operator will grant everyone immediate access to the computer bulletin board but only for the lower levels of the system. The common "pirate" computer bulletin boards associated with most computer crimes have many different levels in their systems. The first level is generally available to the public and does not contain any information relating to criminal activity.
Only after a person has demonstrated unique computer skills, been referred by a known "hacker," or provided stolen long-distance telephone access codes or stolen credit card account information, will the system administrator/operator permit a person to access the higher levels of the bulletin board system which contain the information on the criminal activity.

As previously reported in our answer for Question 2, we do not keep records of the computer bulletin boards on which we have established accounts.

Question 4: Has the Secret Service or someone acting under its direction ever created a computer bulletin board or network that was offered to the public? Please describe any such bulletin board or networks.

Response: No, the U.S. Secret Service has not created a computer bulletin board nor a network which was offered to members of the public. We have created an undercover bulletin board which was offered to a select number of individuals who had demonstrated an interest in conducting criminal activities. This was done with the guidance of the U.S. Attorney's office and was consistent with the Electronic Communications Privacy Act.

Question 5: Has the Secret Service ever collected, reviewed or "downloaded" transmissions or information from any computer network or bulletin board? What procedures does the Secret Service have for obtaining information from computer bulletin boards or networks? Please list the occasions where information has been obtained since January 1988, including the identity of the bulletin boards or networks, the type of information obtained, and how that information was obtained (was it downloaded, for example).

Response: Yes, during the course of several investigations, the U.S. Secret Service has "down loaded" information from computer bulletin boards.
A review of information gained in this manner (in an undercover capacity after being granted access to the system by its system administrator) is performed in order to determine whether or not that bulletin board is being used to traffic in unauthorized access codes or to gather other information of a criminal intelligence nature. At all times, our methods are in keeping with the procedures as outlined in the Electronic Communications Privacy Act (ECPA). If a commercial network was suspected of containing information concerning a criminal activity, we would obtain the proper court order to obtain this information in keeping with the ECPA. The U.S. Secret Service does not maintain a record of the bulletin boards we have accessed.

Question 6: Does the Secret Service employ, or is it considering employing, any system or program that could automatically review the contents of a computer file, scan the file for key items, phrases or data elements, and flag them or recommend further investigative action? If so, what is the status of any such system? Please describe this system and research being conducted to develop it.

Response: The Secret Service has pioneered the concept of a Computer Diagnostic Center (CDC) to facilitate the review and evaluation of electronically stored information. To streamline the tedious task of reviewing thousands of files per investigation, we have gathered both hardware and software tools to assist our search of files for specific information or characteristics. Almost all of these products are commercially developed products and are available to the public. It is conceivable that an artificial intelligence process may someday be developed and have application to this law enforcement function but we are unaware if such a system is being developed. The process of evaluating the information and making recommendations for further investigative action is currently a manual one at our CDC.
We process thousands of computer disks annually as well as review evidence contained in other types of storage devices (tapes, hard drives, etc.). We are constantly seeking ways to enhance our investigative mission. The development of high tech resources like the CDC saves investigative manhours and assists in the detection of criminal activity.

Again, thank you for your interest. Should you have any further questions, we will be happy to address them.

Sincerely,

/s/ John R. Simpson, Director

cc: Honorable Charles E. Schumer

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

-=- The Empire Times -=-
Volume 1, Issue 2, File 4 of 11

Use The Freedom of Information Act For You

>>> Freedom of Information Kit <<<

The following files are for individuals or organizations who wish to make an FOIA application to a federal agency. This kit is also available in printed form. If you wish to obtain the printed version, please send a check or money order made payable to FOIA, Inc. for $3.00 to: FOIA, Inc., P.O. Box 02 2397, Brooklyn, NY 11202-0050.

USING THE FREEDOM OF INFORMATION ACT

The Freedom of Information Act entitles you to request any record maintained by a federal Executive branch agency. The agency must release the requested material unless it falls into one of nine exempt categories, such as "national security," "privacy," "confidential source" and the like, in which case the agency may, but is not compelled to, refuse to disclose the records. This kit contains all the materials needed to make FOIA requests for records on an individual, an organization or on a particular subject matter or event.

1988 EDITION
Fund for Open Information and Accountability, Inc.
P.O. BOX 02 2397, Brooklyn, NY 11202-0050
(212) 477-3188

INSTRUCTIONS

HOW TO MAKE A COMPLETE REQUEST

Step 1: Select and make copies of the sample letter. Fill in the blanks in the body of the letter.
Read the directions printed in the right margin of the letter in conjunction with the following instructions:

For individual files: Insert the person's full name in the first blank space and any variations in spelling, nicknames, stage names, marriage names, titles and the like in the second space. Unlike other requests, the signature of an individual requesting her/his own file must be notarized.

For organizational files: In the first blank space insert the full and formal name of the organization whose files you are requesting. In the second blank space insert any other names, acronyms or shortened forms by which the organization is or has ever been known or referred to by itself or others. If some of the organization's work is conducted by sub-groups such as clubs, committees, special programs or through coalitions known by other names, these should be listed. There is no need to notarize the signature for organizational requests.

For subject matter or event files: In the first blank space state the formal title of the subject matter or event including relevant dates and locations. In the second blank space provide the names of individuals or group sponsors or participants and/or any other information that would assist the agency in locating the material you are requesting.

Step 2: The completed sample letter may be removed, photocopied and mailed as is or retyped on your own stationery. Be sure to keep a copy of each letter.

Step 3: Addressing the letters: Consult the list of agency addresses on pages 7 and 8 of this kit.

FBI: A complete request requires a minimum of two letters. Send one letter to FBI Headquarters and separate letters to each FBI field office nearest the location of the individual, the organization or the subject matter/event. Consider the location of residences, schools, work, and other activities.

INS: Send a request letter to each district office nearest the location of the individual, the organization or the subject matter/event.
Address each letter to the FOIA/PA office of the appropriate agency. Be sure to mark clearly on the envelope: Attention FOIA Request

FEES

In 1987 a new fee structure went into effect. Each agency has new fee regulations for search and review time and for duplication of released documents. Commercial requesters must pay for search and review time and for duplication costs. News media representatives and educational and scientific institutions whose purpose is scholarly or scientific research pay for duplication only. Public interest groups who can qualify as press, educational, or scientific institutions will be charged duplication costs only. All other non-commercial requesters are entitled to up to 100 pages of free copying and up to 2 hours of free search time. Requesters will have to pay fees for work that extends beyond those limits unless they qualify for a fee waiver or reduction (see below). No fee may be charged if the cost of collection exceeds the fee. Advance payment may not be demanded unless a requester has previously failed to pay on time or the fee exceeds $250.

FEE WAIVER

You will notice that the sample letter includes a request for a fee waiver with instructions for the agency to refer to an attached sheet. Fees for all non-commercial requesters, beyond the 2 hours/100 page automatic waiver described above, may be waived or reduced if the disclosure of the information is: "in the public interest because it is likely to contribute significantly to public understanding of the operations or activities of the government and is not primarily in the commercial interest of the requester." You should always request a waiver of fees if you believe the information you are seeking will benefit the public. Read the fee waiver worksheet for non-commercial users included in this kit on page 5 for help in composing a request for a fee waiver.
If your request for a waiver is denied, you should appeal that denial, citing the ways in which your request meets the standards set in the attached fact sheet.

HOW TO MAKE SURE YOU GET EVERYTHING YOU ARE ENTITLED TO . . . AND WHAT TO DO IF YOU DON'T

After each agency has searched and processed your request, you will receive a letter that announces the outcome, encloses the released documents, if any, and explains where to direct an appeal if any material has been withheld. There are four possible outcomes:

1. Request granted in full: This occurs very infrequently. If the response you get indicates that the agency has released all records pertinent to your request, with no exclusions or withholdings, you will receive the requested documents with an agency cover letter, or, if bulky, the documents may be mailed under separate cover.
   Next step: Check documents for completeness (see instructions below) and make an administrative appeal if you find a discrepancy between your own analysis and that of the agency (see instructions below).

2. Request granted in part and denied in part: This response indicates that the agency is releasing some material but has withheld some documents entirely or excised some passages from the documents released. The released documents may be enclosed or, if bulky, mailed under separate cover.
   Next step: Check documents for completeness (see instructions below) and make an administrative appeal of denials or incompleteness (see instructions below).

3. Request denied in full: This response and the denied-in-part response indicate that the agency is asserting that material in its files pertaining to your request falls under one of the nine FOIA exemptions. These are categories of information that the agency may, at its discretion, refuse to release.
   Next step: Make an administrative appeal (see instructions below). Since FOIA exemptions are not mandatory, even a complete denial of your request can and should be appealed.

4. No records: This response will state that a search of the agency's files indicates that it has no records corresponding to those you requested.
   Next step: Check your original request to be sure you have not overlooked anything. If you receive documents from other agencies, review them for indications that there is material in the files of the agency claiming it has none. For example, look for correspondence, or references to correspondence, to or from that agency. If you determine that there are reasonable grounds, file an administrative appeal (see instructions below).

HOW TO CHECK DOCUMENTS FOR COMPLETENESS

Step 1: Before reading the documents, turn them over and number the back of each page sequentially. The packet may contain documents from the agency's headquarters as well as several field office files. Separate the documents into their respective office packets. Each of these offices will have assigned the investigation a separate file number. Try to find the numbering system. Usually the lower right-hand corner of the first page carries a hand-written file and document number. For instance, an FBI document might be marked "100-7142-22." This would indicate that it is the 22nd document in the 7142nd file in the 100 classification. As you inspect the documents, make a list of these file numbers and which office they represent. In this way you will be able to determine which office created and which office received the document you have in your hand. Often there is a block stamp affixed with the name of the office from whose files this copy was retrieved. The "To/From" heading on a document may also give you corresponding file numbers and will help you puzzle out the origin of the document. When you have finally identified each document's file and serial number and separated the documents into their proper office batches, make a list of all the serial numbers in each batch to see if there are any missing numbers.
If there are missing serial numbers and some documents have been withheld, try to determine if the missing numbers might reasonably correspond to the withheld documents. If they don't, the release may be incomplete and an administrative appeal should be made.

Step 2: Read all the documents released to you. Keep a list of all documents referred to in the text, including letters, memos, teletypes, reports, etc. Each of these "referred to" documents should turn up in the packet released to you. If any are not in the packet, it is possible that they are among the documents withheld and a direct inquiry should be made. In an administrative appeal, ask that each of these "referred to" documents be produced or that the agency state plainly that they are among those withheld. List each "referred to" document separately. The totals of unproduced vs. withheld must be within reason; that is, if the total number of unproduced documents you find referred to in the text of the documents produced exceeds the total number of documents withheld, the agency cannot claim that all the "referred to" documents are accounted for by the withheld category. You will soon get the hang of making logical conclusions from discrepancies in totals and missing document numbers.

Another thing to look for when reading the released documents is the names of persons or agencies to whom the document has been disseminated. The lower left-hand corner is a common location for the typed list of agencies or offices to whom the document has been directed. In addition, there may be additional distribution recorded by hand, there or elsewhere, on the cover page. There are published glossaries for some agencies that will help in deciphering these notations when they are not clear. Contact FOIA, Inc. if you need assistance in deciphering the text.

Finally, any other file numbers that appear on the document should be noted, particularly if the subject of the file is of interest and is one you have not requested.
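The serial-number gap check and the "referred to" versus withheld reconciliation described in Steps 1 and 2 are mechanical enough to script once you have transcribed the markings. The script below is an added example written for this edition, not part of the FOIA, Inc. kit. It assumes markings in the CLASS-FILE-SERIAL form the kit illustrates with "100-7142-22"; the packet, citations and withheld count it uses are constructed sample data, and the function names are the example's own.

```python
"""FOIA release completeness audit (added example, not from the kit).

Implements the two checks in "How to check documents for completeness":
  1. parse hand-written markings of the form CLASS-FILE-SERIAL
     (e.g. "100-7142-22"), group them by file and report serial gaps;
  2. reconcile documents "referred to" in the released text against
     the number the agency says it withheld.
All sample data in __main__ is constructed for illustration.
"""
import re
from collections import defaultdict

# FBI-style marking: classification-file-serial, digits only.
MARKING_RE = re.compile(r"^(\d+)-(\d+)-(\d+)$")


def parse_marking(marking):
    """Return (classification, file_number, serial) for '100-7142-22'."""
    m = MARKING_RE.match(marking.strip())
    if not m:
        raise ValueError(f"unrecognised file marking: {marking!r}")
    return tuple(int(x) for x in m.groups())


def find_serial_gaps(markings):
    """Group markings by 'CLASS-FILE' and list missing serial numbers.

    Returns e.g. {"100-7142": [23, 24]}: the packet jumps over serials
    that should exist in that file, so ask whether the withheld
    documents account for them (Step 1).
    """
    by_file = defaultdict(set)
    for mk in markings:
        cls, fnum, serial = parse_marking(mk)
        by_file[f"{cls}-{fnum}"].add(serial)
    gaps = {}
    for key, serials in by_file.items():
        missing = sorted(set(range(min(serials), max(serials) + 1)) - serials)
        if missing:
            gaps[key] = missing
    return gaps


def reconcile(referred_to, produced, withheld_count):
    """Step 2: documents cited in the released text but not produced must
    be covered by the withheld category.

    Returns (unproduced, accounted_for). accounted_for is False when more
    documents are unproduced than the agency says it withheld, which is
    exactly the discrepancy the kit tells you to raise on appeal.
    """
    unproduced = sorted(set(referred_to) - set(produced))
    return unproduced, len(unproduced) <= withheld_count


def audit(markings, referred_to, withheld_count):
    """Run both checks and say whether an administrative appeal is indicated."""
    gaps = find_serial_gaps(markings)
    unproduced, accounted = reconcile(referred_to, markings, withheld_count)
    return {
        "gaps": gaps,
        "unproduced": unproduced,
        "appeal_recommended": bool(gaps) or not accounted,
    }


if __name__ == "__main__":
    # Constructed sample packet: what arrived from two offices.
    packet = ["100-7142-20", "100-7142-21", "100-7142-22", "100-7142-25",
              "62-1034-1", "62-1034-2"]
    # Constructed sample: markings cited in the text of the released pages.
    cited = ["100-7142-23", "100-7142-24", "100-7142-26", "62-1034-3",
             "100-7142-21"]
    # The agency's response letter (constructed) says two documents were withheld.
    print(audit(packet, cited, withheld_count=2))
```

With the sample data the script reports serials 23 and 24 missing from file 100-7142 and four cited documents unproduced against only two withheld, so the release cannot be complete and the appeal letter can list each discrepancy by number.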
You may want to make an additional request for some of these files.

HOW TO MAKE AN ADMINISTRATIVE APPEAL

Under the FOIA, a dissatisfied requester has the right of administrative appeal. The name and address of the proper appeal office will be given to you by each agency in its final response letter. This kit contains a sample appeal letter with suggestions for adapting it to various circumstances. However, you need not make such an elaborate appeal; in fact, you need not offer any reasons at all but rather simply write a letter to the appeals unit stating that "This letter constitutes an appeal of the agency's decision." Of course, if you have identified some real discrepancies, you should set them forth fully (for example see Step 2 under "How to Check Documents for Completeness"), but even if you have not found any, you may simply ask that the release be reviewed. If you are still dissatisfied after the administrative appeal process, the FOIA gives you the right to bring a lawsuit in federal district court.

MONITORING THE PROGRESS OF YOUR REQUEST

You should receive a letter from each agency within 10 days stating that your request has been received and is being processed. You may be asked to be patient since requests are being handled on a first come first served basis. The best strategy is to be "reasonably" patient, but there is no reason to sit complacently and wait for an interminable period of time. A good strategy is to telephone the FOIA office in each agency after about a month if you have received nothing of substance. Ask for a progress report. Note the name of the person you speak to and what they say. Continue to call every 4 to 6 weeks.

Good record keeping helps avoid time-consuming and frustrating confusion. A looseleaf notebook with a section devoted to each request simplifies this task. At the beginning of the request process, sometimes it is difficult to foresee what course of action you will want to take in the future.
Keep copies of all correspondence to and from each agency. They can be inserted between the notes on phone calls so that all relevant material will be at hand for future use, including phone consultations, correspondence, newspaper articles, preparation for media appearances, congressional testimony or litigation.

[NOTE: All the text in braces [] is for your information. Do NOT include in request]
[NOTE: Start by photocopying several copies of this letter or retype if you prefer]

SAMPLE REQUEST LETTER FOR ALL AGENCIES

Date:

To: FOIA/PA Unit
[Check box for appropriate agency]
__ FBI Headquarters
__ FBI Field Office
__ Other Agency

This is a noncommercial request under the Freedom of Information and Privacy Acts. I have attached a sheet setting out my application for a fee waiver of any fees in excess of those which are provided free because of my category.

My category for fee and fee waiver purposes is: (check one)
__ request for personal file; no search fee and 100 free pages.
__ journalist, academic or scientist; no search fee and 100 free pages.
__ other noncommercial requester (group or person); 2 hours free search and 100 free pages.

I request a complete and thorough search of all filing systems and locations for all records maintained by your agency pertaining to and/or captioned:
____________________________________________________________
____________________________________________________________
____________________________________________________________
including, without limitation, files and documents captioned, or whose captions include:
[describe records desired and/or insert full and formal name]
____________________________________________________________
____________________________________________________________
____________________________________________________________

This request specifically includes where appropriate "main" files and "see references," including but not limited to numbered and lettered sub files and control files.
I also request a search of the Electronic Surveillance (ELSUR) Index, or any similar technique for locating records of electronic surveillance and the COINTELPRO Index.

I request that all records be produced with the administrative pages. I wish to be sent copies of "see reference" cards, abstracts, search slips, including search slips used to process this request, file covers, multiple copies of the same documents if they appear in a file, tapes of any electronic surveillance, photographs, and logs of physical surveillance (FISUR). Please place missing documents on "special locate."

I wish to make it clear that I want all records in your office "identifiable with my request," even though reports on those records have been sent to Headquarters and even though there may be duplication between the two sets of files. I do not want just "interim" documents. I want all documents as they appear in the "main" files and "see references" of all units of your agency.

If documents are denied in whole or in part, please specify which exemption(s) is(are) claimed for each passage or whole document denied. Give the number of pages in each document and the total number of pages pertaining to this request and the dates of documents withheld. I request that excised material be "blacked out" rather than "whited out" or cut out and that the remaining non-exempt portions of documents be released as provided under the Freedom of Information Act.

Please send a memo (with a copy or copies to me) to the appropriate unit(s) in your office to assure that no records related to this request are destroyed. Please advise of any destruction of records and include the date of and authority for such destruction.

As I expect to appeal any denials, please specify the office and address to which an appeal should be directed.

I can be reached at the phone listed below. Please call rather than write if there are any questions or if you need additional information from me.
I expect a response to this request within ten (10) working days, as provided for in the Freedom of Information Act.

[Have signature notarized ONLY if requesting your own files]

Sincerely,

(Signed)_______________________________________________
Name (print or type):_______________________________
Address:___________________________________________________
___________________________________________________________
Telephone:________________________
Social Security number (optional): _______________________

(for personal files)
Date of Birth:____________________
Place of birth:___________________

(for organization files)
Date of founding:_____________________________________
Place of founding:____________________________________
Address of organization:______________________________
___________________________________________________________
___________________________________________________________

[MARK CLEARLY ON ENVELOPE: FOI/PA REQUEST]

FEE WAIVERS

Fee Waiver Worksheet for Non-Commercial Requesters

All non-commercial requesters are entitled to apply for a fee waiver for charges in excess of those which are provided free because of requester's category. Following amendments to the FOIA in October 1986, the Justice Department issued a memo outlining six criteria to be used by agencies in determining whether or not to grant fee waivers. Many Congresspeople dispute the memo's legality, pointing out its invitation to subjective judgements, and its proclivity to intimidate requesters. Nevertheless, until the six criteria are eliminated, either by Congress or court decisions, requesters will have to address them in order to qualify for a fee waiver.

To apply for a fee waiver, attach a separate sheet of paper to your request letter explaining in narrative form how your request satisfies each of the following six criteria.

(1) Explain how the records you are requesting are likely to shed light on the operations or activities of the government.
(2) Describe how the records you are requesting will contribute to the understanding of government operations or activities. If the information being requested is not already in the public domain bring this fact to the agency's attention.

(3)a. Explain to the agency how the public will ultimately benefit from the information you are requesting. Legislative history and recent case law indicate that the "public" is not limited to U.S. public nor must it be the "public at-large." For example, Representatives English and Kindness jointly stated during recent Congressional debate, "Public understanding is enhanced when information is disclosed to the subset of the public most interested, concerned or affected by a particular action or matter." Furthermore, District Court Judge Harold Greene in a 1987 opinion involving a request by a Canadian newspaper said, "There is no requirement in the [FOIA] statute that news media seeking fee waivers [must] serve the American public exclusively, or even tangentially . . . an FBI official does not have the authority to amend the law of the United States by restricting it beyond its plain terms."* In other words, the public you seek to educate does not have to reside in the United States, nor is the size of that public relevant to your entitlement to a fee waiver.

(3)b. Explain to the agency your qualifications (educational, work experience, etc.) for understanding the requested information and outline your ability and intention to disseminate the information once it has been obtained. You might want to cite any of the following activities in order to demonstrate your ability and intention to disseminate information to the public: writing newspaper or scholarly articles, writing books, granting interviews, public speaking engagements, preparing Congressional testimony, producing pamphlets, videos, film, radio programs, etc.

(4) The Justice Department memo stipulates that the contribution to public understanding must be "significant."
What constitutes a "significant" contribution is clearly susceptible to subjective interpretation. However, we suggest that you make reference to current news stories, efforts to correct the historical record or expose government or corporate fraud or threats to public health and safety. Broadly speaking, any information that would enable the public to hold the government accountable for any of its operations or activities can be persuasively argued to be a "significant" contribution to public understanding.

(5) and (6) Explain to the agency (if it is the case) that any commercial interest that will be furthered by the requested records is not the primary interest when compared to the public interest that will be served. For example, if the information is requested pursuant to the publication of a book, you should explain (if it is the case) that this book is not destined to become a bestseller because of topic, publisher, or anticipated audience, etc.

News media representatives, scholars or scientists, should make requests for documents and fee waivers on the appropriate institutional letterhead. Similarly, requests for organizational files should be made on the appropriate letterhead.

You have a right to file an administrative appeal if you receive an adverse decision regarding either your fee category or fee waiver request. The letter containing the adverse decision will tell you to whom you should direct the appeal.

------
* Joint statement by Reps. English and Kindness, Congressional Record, H-9464, October 8, 1986; Judge Greene's opinion in Southam News v. INS. (Civ. No. 85-2721, D.D.C., November 9, 1987).

SAMPLE ADMINISTRATIVE APPEAL LETTER

Date:

To: FOIA/PA Appeals Office

RE: Request number [Add this if the agency has given your request a number]

This is an appeal pursuant to subsection (a)(6) of the Freedom of Information Act as amended (5 U.S.C. 552).
On [date] I received a letter from [name of official] of your agency denying my request for [describe briefly the information you are after]. This reply indicated that an appeal letter could be sent to you. I am enclosing a copy of my exchange of correspondence with your agency so that you can see exactly what files I have requested and the insubstantial grounds on which my request has been denied.

[Insert following paragraph if the agency has withheld all or nearly all the material which has been requested]

You will note that your agency has withheld the entire (or nearly entire) document that I requested. Since the FOIA provides that "any reasonably segregable portion of a record shall be provided to any person requesting such record after deletion of the portions which are exempt," I believe that your agency has not complied with the FOIA. I believe that there must be (additional) segregable portions which do not fall within the FOIA exemptions and which must be released.

[Insert following paragraph if the agency has used the (b)(1) exemption for national security purposes to withhold information]

Your agency has used the (b)(1) exemption to withhold information. [I question whether files relating to events that took place over twenty years ago could realistically harm the national security.] [Because I am familiar with my own activities during the period in question, and know that none of these activities in any way posed a significant threat to the national security, I question the designation of my files or portions of my file as classified and exempt from disclosure because of national security considerations.]

[Sample optional arguments to be used if the exemption which is claimed does not seem to make sense; you should cite as many specific instances as you care to of items withheld from the documents that you have received. We provide two examples which you might want to adapt to your own case.]

"On the memo dated______the second paragraph withheld under the (b)(1) exemption appears to be describing a conversation at an open meeting. If this is the case, it is impossible that the substance of this conversation could be properly classified."

Or, "The memo dated____ refers to a meeting which I attended, but a substantial portion is deleted because of the (b)(6) and (b)(7)(c) exemptions for unwarranted invasions of personal privacy. Since I already know who attended this meeting, no privacy interest is served by the withholding."

I trust that upon examination of my request, you will conclude that the records I have requested are not properly covered by exemption(s)____ [insert the exemption(s) which the agency's denial letter claimed applied to your request] of the amended FOIA, and that you will overrule the decision to withhold the information.

[Insert following paragraph if an itemized inventory was not supplied by the agency]

If you choose to continue to withhold some or all of the material which was denied in my initial request to your agency, I ask that you give me an index of such material, together with the justification for the denial of each item which is still withheld.

As provided in the Freedom of Information Act, I will expect to receive a reply to this administrative appeal letter within twenty (20) working days. If you deny this appeal and do not adequately explain why the material withheld is properly exempt, I intend to initiate a lawsuit to compel its disclosure. [You can say that you intend to sue if that is your present inclination even though you may ultimately decide not to file suit.]

Sincerely,
name:
address:
signature:

[MARK CLEARLY ON ENVELOPE: ATTENTION: FREEDOM OF INFORMATION APPEALS]

FUND FOR OPEN INFORMATION AND ACCOUNTABILITY, INC.
P.O. BOX O2 2397, BROOKLYN, NY 11202-0050

FOIA/PA ADDRESSES FOR SELECTED FEDERAL AGENCIES

Administrative Office of the U.S. Courts; Washington, D.C.
20544; (202) 633-6117
Bureau of Prisons; 320 1st St., NW; Washington, D.C. 20534; (202) 724-3198
Central Intelligence Agency; Information and Privacy Coordinator; Washington, D.C. 20505
Civil Service Commission; Appropriate Bureau: ___ Bureau of Personnel Investigation, ___ Bureau of Personnel, ___ Information Systems; Civil Service Commission; 1900 E Street, N.W.; Washington, D.C. 20415; (202) 632-4431
Commission on Civil Rights; General Counsel, U.S. Commission on Civil Rights; 1121 Vermont Ave., N.W., Rm. 600; Washington, D.C. 20405; (202) 376-8177
Consumer Product Safety Commission; 1111 18th St., N.W.; Washington, D.C. 20207; (301) 492-6580
Defense Intelligence Agency; The Pentagon; Washington, D.C. 20301-6111; (202) 697-8844
Department of Defense/Department of the Air Force; Freedom of Information Manager; Headquarters, USAF/DADF; Washington, D.C. 20330-5025; (202) 545-6700
Department of Defense/Department of the Army; General Counsel, Secretary of the Army; The Pentagon, Rm. 2E727; Washington, D.C. 20310; (202) 545-6700
Department of Defense/Marine Corps; Commandant of the Marine Corps, Department of the Navy; Headquarters, Marine Corps; Washington, D.C. 20380-0001; (202) 694-2500
Department of Defense/Dept. of the Navy; Chief of Naval Operations, OP 09 B30; Pentagon, Rm. 5E521; Washington, D.C. 20350-2000; (202) 545-6700
Department of Energy; 1000 Independence Ave., S.W.; Washington, D.C. 20585; (202) 252-5000
Department of Justice/General Administration (__ Civil Rights Division, __ Antitrust Division, __ Drug Enforcement Administration, __ Immigration and Naturalization Service); FOIA/Privacy Act Unit, Department of Justice; Constitution Ave. & 10th St., N.W.; Washington, D.C. 20530; (202) 633-2000
Department of Labor; 200 Constitution Ave., N.W.; Washington, D.C. 20210; (202) 523-8165
Department of State; Director, Freedom of Information, Bureau for Public Administration; Department of State, Rm 239; 2201 C St., N.W.; Washington, D.C.
20520; (202) 647-3411
Department of the Treasury; Internal Revenue Service; 1111 Constitution Ave., N.W.; Washington, D.C. 20224; (202) 566-5000 (Consult phone book for regional offices)
Environmental Protection Agency; Freedom of Information Office A101, Room 1132 West Tower; 401 M St., S.W.; Washington, D.C. 20460; (202) 382-4048
Equal Employment Opportunities Comm.; Office of Legal Services; 2401 E St., N.W., Rm. 214; Washington, D.C. 20507; Attn. Richard Roscio, Assc. Legal Counsel; (202) 634-6922
Federal Communications Commission; 1919 M St., N.W.; Washington, D.C. 20554; (202) 254-7674
Food and Drug Administration; 5600 Fishers Lane; Rockville, MD 20857; (301) 443-1544
Health and Human Services; 200 Independence Ave., S.W.; Washington, D.C. 20201
Housing and Urban Development; 451 Seventh St., S.W.; Washington, D.C. 20410; (202) 755-6420
National Aeronautics & Space Administration; 400 Maryland Ave, S.W.; Washington, D.C. 20546; (202) 453-1000
National Archives and Records Service; Pennsylvania Ave. at 8th St., N.W.; Washington, D.C. 20408; (202) 523-3130
National Labor Relations Board; 1717 Pennsylvania Ave., N.W.; Washington, D.C. 20570; (202) 632-4950
National Security Agency; Ft. George G. Meade, MD 20755-6000; (301) 688-6311
National Security Council; Old Executive Bldg., 17th & Pennsylvania Ave., N.W.; Washington, D.C. 20506; Attn. Brenda Reger; (202) 395-3103
Nuclear Regulatory Commission; Director, Office of Administration; Washington, D.C. 20555; (202) 492-7715
Secret Service; U.S. Secret Service; 1800 G St., N.W.; Washington, D.C. 20223; Attn. FOIA/Privacy Office; (202) 634-5798
Securities and Exchange Commission; 450 5th St., N.W.; Washington, D.C. 20549; (202) 272-2650
U.S. Customs Service; 1301 Constitution Ave., N.W.; Washington, D.C. 20229; (202) 566-8195
U.S. Agency for International Development; 320 21st. St., N.W.; Washington, D.C. 20532; (202) 632-1850
U.S. Office of Personnel Management; 1900 E St., N.W.; Washington, D.C. 20415; (202) 632-5491
U.S.
Postal Service Records Office 475 L'Enfant Plaza, S.W. Washington, D.C. 20260-5010 (202) 245-5568 Veterans Administration 810 Vermont Ave., N.W. Washington, D.C. 20420 (202) 389-2741 [2/88] Federal Bureau of Investigation Offices where files are held Albany, NY 12207 Memphis, TN 38103 502 U.S. Post Office and Courthouse 67 N. Main St 518-465-7551 901-525-7373 Albuquerque, NM 87102 Miami, FL 33137 301 Grand Ave. NE 3801 Biscayne Blvd 505-247-1555 305-573-3333 Alexandria, VA 22314 Milwaukee, WI 53202 300 N. Lee St 517 E. Wisconsin Ave 703-683-2680 414-276-4684 Anchorage, AK 99513 Minneapolis, MN 55401 701 C St 392 Federal Bldg 907-276-4441 612-339-7861 Atlanta, GA 30302 Mobile, AL 36602 275 Peachtree St. NE 113 St. Joseph St 404-521-3900 205-438-3674 Baltimore, MD 21207 Newark, NJ 07102 7142 Ambassador Rd Gateway 1, Market St 301-265-8080 201-622-5613 Birmingham, AL 35203 New Haven, CT 06510 Room 1400, 2121 Bldg 150 Court St 205-252-7705 203-777-6311 Boston, MA 02203 New Orleans, LA 70112 John F. Kennedy Federal Office Bldg 1250 Poydras St., Suite 2200 617-742-5533 504-522-4670 Buffalo, NY 14202 New York, NY 10278 111 W. Huron St 26 Federal Plaza 716-856-7800 212-553-2700 Butte, MT 59702 Norfolk, VA 23510 U.S. Courthouse and Federal Bldg 200 Granby Mall 406-792-2304 804-623-3111 Charlotte, NC 28210 Oklahoma City, OK 73118 6010 Kenley Lane 50 Penn Pl 704-529-1030 405-842-7471 Chicago, IL 60604 Omaha, NE 68102 219 S. Dearborn St 215 N. 17th St 312-431-1333 402-348-1210 Cincinnati, OH 45205 Philadelphia, PA 50 Main St 600 Arch St 513-421-4310 215-629-0800 Cleveland, OH 44199 Phoenix, AZ 85012 1240 E. 9th St 201 E. Indianola 216-522-1400 602-279-5511 Columbia, SC 29201 Pittsburgh, PA 1529 Hampton St 1000 Liberty Ave 803-254-3011 412-471-2000 Dallas, TX 75202 Portland, OR 97201 1801 N. 
Lamar 1500 SW 1st Ave 214-741-1851 503-224-4181 Denver, CO 80202 Quantico, VA 22135 Federal Office Bldg FBI Academy 303-629-7171 703-640-6131 Detroit, MI 48226 Richmond, VA 23220 477 Michigan Ave 200 W. Grace St 313-965-2323 804-644-2631 El Paso, TX 79901 Sacramento, CA 95825 202 U.S. Courthouse Bldg 2800 Cottage Way 915-533-7451 916-481-9110 Honolulu, HI 96850 St. Louis, MO 63103 300 Ala Moana Blvd 1520 Market St 808-521-1411 314-241-5357 Houston, TX 77002 Salt Lake City, UT 84138 515 Rusk Ave 125 S. State St 713-224-1511 801-355-8584 Indianapolis, IN 46204 San Antonio, TX 78206 575 N. Pennsylvania St 615 E. Houston 317-639-3301 512-225-6741 Jackson, MS 39264 San Diego, CA 92188 100 W. Capitol St 880 Front St 601-948-5000 619-231-1122 Jackonsville, FL 32211 San Francisco, CA 94102 7820 Arlington Expressway 450 Golden Gate Ave 904-721-1211 415-552-2155 Kansas City, MO 64106 San Juan, PE 00918 300 U.S. Courthouse Bldg Hato Rey, PR 816-221-6100 809-754-6000 Knoxville, TN 37919 Savannah, GA 31405 1111 Northshore Dr 5401 Paulsen St 615-588-8571 912-354-9911 Las Vegas, NV 89101 Seattle, WA 98174 Las Vegas Blvd. S 915 2nd Ave 702-385-1281 206-622-0460 Little Rock, AR 72201 Springfield, IL 62702 215 U.S. Post Office Bldg 535 W. Jefferson St 501-372-7211 217-522-9675 Los Angeles, CA 90024 Tampa, FL 33602 11000 Wilshire Blvd 500 Zack St 213-477-6565 813-228-7661 Louisville, KY 40202 Washington, DC 20401 600 Federal Pl 1900 Half St. SW =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=- The Empire Times -=- Volume 1, Issue 2, File 5 of 10 The Empire Times Presents Carding in The 90's By Mustang False ------ Carders are out to phuck people over, By charging vast amounts of money to there credit Cards. True ---- Carders are really trying to fuck up the government, by making charges that people refuse to pay and the government has to pick up the tab. 
Now we all know the dangers of carding, but this file is dedicated to showing you the ways to get by these problems. If any problem is not written in this file or there is something that is wrong E-mail me on Empire or other fine boards. Traces-Even though it's a long shot that the store has a trace, never ever call from home. Use a payphone or public phone. Always know exactly what you want, So you cann make your order fast and easy. Try and use a deep voice when calling a store that way they belive it is a adult. Always use a drop point and never your own home. Know you already have the card number and name. Now pick up the pay phone and call a store. Store Clerk- Hects, Can I help you? Carder- Yes can you please conect me with the BLAH BLAH department. Store Clerk- Please hold. Department Clerk- BLAH BLAH department can I help you? Carder- Yes I would like to order by credit card one BLAH BLAH. Department Clerk- Ok... I will need your credit card number. Carder- American Express, Number xxxxxxxxxxxxxxxx. Departmen Clerk- Ok... Now what's your name. Carder- My name is JOHN DOE. Department Clerk- What's your experation date? Carder- Me experation date is BLAH BLAH. Department Clerk- Please hold while I cheack to see if the info is valid. Department Clerk- Everything checks out. Carder- (Sigh) Can I have that deliverd to my home? Department Clerk- Yes, What's your address? Carder- My addrress is BLAH BLAH. Department Clerk- Thank You it's should arrive in a few weeks. Carder- Thanks alot. CLICK Its as easy as that. Next you have to pick up the stuff you orderd at your drop site. Now if you read the above you know that sending a dilevery to your own home is fucking stupid. So what you do is go out into your naborhood and find a nice little house for sale. Then when you order somthing give the address. Now when the UPS man comes here is a good story to tell him. UPS Man- Dose BLAH BLAH live here. 
Carder- She used to but moved out last week, she told me to pick up any mail that came to the house and foward it to here. UPS Man- Ok can you please sign here. Carder- Sure, Thank You. Now you have the delivery. (Note, Never put your real name down on the sign in sheet. Now find a good place to hide the goods for about a Two days just so now one get suspiciuos then take it home and have a ball. Geting Credit Card Numbers. There are many ways of doing this. I will just name a few. Trashing- Going through trash looking for numbers. Looking around ATM- machines for those little cards that have thecard number on them. Using Programs- That spit out card numbers. And then my favorte is a system written by Saturday Knight, This file can be found on any Elite BBs, it's called AMEX.zip. Well that's alll I have to say about carding for this issue. And remember Don't card just for fun becase that's how you get busted. I would like to thank The following: ----------------------------------- Dameon- For helping me get started. Cultish Person- For showing how not to be a good user. Alby - For all his help. =-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=- The Empire Times -=- Volume 1, Issue 2, File 6 of 11 Specs On Caller ID This is a copy of the data sheet picked up at the Rockwell booth at the COMDEX show. INTRODUCTION Calling Number Delivery (CND), better known as Caller ID, is a telephone service intended for residential and small business customers. It allows the called Customer Premises Equipment (CPE) to receive a calling party's directory number and the date and time of the call during the first 4 second silent interval in the ringing cycle. The customer must contact a Bellcore Client Company to initiate CND service. 
According to Pacific Bell representatives, the following states and district currently support CND service: Delaware, District of Columbia, Florida, Georgia, Idaho, Kentucky, Louisiana, Maine, Maryland, Nebraska, Nevada, New Jersey, Oklahoma, Tennessee, Vermont, Virginia, and West Virginia.

The following states are scheduled to support CND service by April, 1992: Alaska, Arizona, California, Colorado, Illinois, Indiana, Iowa, Massachusetts, Mississippi, New Hampshire, New York, North Carolina, North Dakota, Ohio, Oregon, Rhode Island, and South Carolina.

PARAMETERS

The data signalling interface has the following characteristics:

  Link Type:            2-wire, simplex
  Transmission Scheme:  Analog, phase-coherent FSK
    Logical 1 (mark)    1200 +/- 12 Hz
    Logical 0 (space)   2200 +/- 22 Hz
  Transmission Rate:    1200 bps
  Transmission Level:   13.5 +/- dBm into 900 ohm load

(I have copied this data as presented. I believe the transmission level is meant to be -13.5 dBm.)

PROTOCOL

The protocol uses 8-bit data words (bytes), each bounded by a start bit and a stop bit. The CND message uses the Single Data Message format shown below:

  Channel Seizure Signal | Carrier Signal | Message Type Word | Message Length Word | Data Word(s) | Checksum Word

CHANNEL SEIZURE SIGNAL

The channel seizure is 30 continuous bytes of 55h (01010101) providing a detectable alternating function to the CPE (i.e. the modem data pump).

CARRIER SIGNAL

The carrier signal consists of 130 +/- 25 mS of mark (1200 Hz) to condition the receiver for data.

MESSAGE TYPE WORD

The message type word indicates the service and capability associated with the data message. The message type word for CND is 04h (00000100).

MESSAGE LENGTH WORD

The message length word specifies the total number of data words to follow.
DATA WORDS

The data words are encoded in ASCII and represent the following information:

o The first two words represent the month
o The next two words represent the day of the month
o The next two words represent the hour in local military time
o The next two words represent the minute after the hour
o The calling party's directory number is represented by the remaining words in the data word field

If the calling party's directory number is not available to the terminating central office, the data word field contains an ASCII "O". If the calling party invokes the privacy capability, the data word field contains an ASCII "P".

CHECKSUM WORD

The Checksum Word contains the twos complement of the modulo 256 sum of the other words in the data message (i.e., message type, message length, and data words). The receiving equipment may calculate the modulo 256 sum of the received words and add this sum to the received checksum word. A result of zero generally indicates that the message was correctly received. Message retransmission is not supported.

EXAMPLE CND SINGLE DATA MESSAGE

An example of a received CND message, beginning with the message type word, follows:

  04 12 30 39 33 30 31 32 32 34 36 30 39 35 35 35 31 32 31 32 51

  04h = Calling number delivery information code (message type word)
  12h = 18 decimal; Number of data words (date, time, and directory number words)
  ASCII 30,39 = 09; September
  ASCII 33,30 = 30; 30th day
  ASCII 31,32 = 12; 12:00 PM
  ASCII 32,34 = 24; 24 minutes (i.e., 12:24 PM)
  ASCII 36,30,39,35,35,35,31,32,31,32 = (609) 555-1212; calling party's directory number
  51h = Checksum Word

DATA ACCESS ARRANGEMENT (DAA) REQUIREMENTS

To receive CND information, the modem monitors the phone line between the first and second ring bursts without causing the DAA to go off hook in the conventional sense, which would inhibit the transmission of CND by the local central office. A simple modification to an existing DAA circuit easily accomplishes the task.
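A decoder for the Single Data Message described above, added here as an example and not taken from the Rockwell data sheet; it parses the sheet's sample frame, verifies the checksum the way the receiving equipment does (sum of all words, checksum included, is zero mod 256), and handles the "O" and "P" data fields. The function and class names (parse_cnd, build_cnd, CndMessage) are my own.

```python
"""Decode and verify a Caller ID (CND) Single Data Message.

Added example, not part of the Rockwell data sheet; the names below
(parse_cnd, build_cnd, CndMessage) are my own.  The frame handled here
starts at the message type word, i.e. after the channel seizure and
carrier signal have already been consumed by the modem.
"""
from dataclasses import dataclass
from typing import Optional

MESSAGE_TYPE_CND = 0x04  # message type word for Calling Number Delivery


class CndError(ValueError):
    """Raised for a frame that does not follow the Single Data Message format."""


@dataclass
class CndMessage:
    month: int
    day: int
    hour: int       # local "military" (24-hour) time
    minute: int
    status: str     # "number", "unavailable" (ASCII "O") or "private" (ASCII "P")
    number: Optional[str]
    checksum_ok: bool


def cnd_checksum(words: bytes) -> int:
    """Checksum word: two's complement of the modulo-256 sum of the type,
    length and data words."""
    return (-sum(words)) & 0xFF


def parse_cnd(frame: bytes) -> CndMessage:
    """Parse a frame of [type][length][data...][checksum].

    Structural errors raise CndError.  A bad checksum does not raise: the
    message is returned with checksum_ok=False so the caller can decide
    whether to trust it, since retransmission is not supported.
    """
    if len(frame) < 3:
        raise CndError("frame too short")
    mtype, length = frame[0], frame[1]
    if mtype != MESSAGE_TYPE_CND:
        raise CndError(f"unexpected message type {mtype:#04x}")
    if len(frame) != 2 + length + 1:
        raise CndError("length word does not match frame size")
    # Receiver-side check: sum of every word, checksum included, is 0 mod 256.
    checksum_ok = (sum(frame) & 0xFF) == 0
    data = frame[2:2 + length]
    if length <= 8:
        raise CndError("need 8 date/time words plus a number or flag")
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError as exc:
        raise CndError("data words are not ASCII") from exc
    stamp, rest = text[:8], text[8:]
    if not stamp.isdigit():
        raise CndError("date/time words are not decimal digits")
    month, day, hour, minute = (int(stamp[i:i + 2]) for i in range(0, 8, 2))
    if not (1 <= month <= 12 and 1 <= day <= 31 and hour <= 23 and minute <= 59):
        raise CndError("date/time out of range")
    if rest == "O":
        status, number = "unavailable", None
    elif rest == "P":
        status, number = "private", None
    elif rest.isdigit():
        status, number = "number", rest
    else:
        raise CndError("directory number field is neither digits, 'O' nor 'P'")
    return CndMessage(month, day, hour, minute, status, number, checksum_ok)


def build_cnd(month: int, day: int, hour: int, minute: int, number: str) -> bytes:
    """Encode a CND frame (type word through checksum); `number` is the
    directory number digits, or "O" / "P" for unavailable / private."""
    data = f"{month:02d}{day:02d}{hour:02d}{minute:02d}{number}".encode("ascii")
    body = bytes([MESSAGE_TYPE_CND, len(data)]) + data
    return body + bytes([cnd_checksum(body)])


# The data sheet's example frame, constructed here from its hex listing.
EXAMPLE_FRAME = bytes.fromhex(
    "04 12 30 39 33 30 31 32 32 34 36 30 39 35 35 35 31 32 31 32 51"
)

if __name__ == "__main__":
    msg = parse_cnd(EXAMPLE_FRAME)
    print(msg)  # month=9, day=30, hour=12, minute=24, number='6095551212', checksum_ok=True
```

Anything built on this (a BBS look-up table, a call log) should treat the decoded number as data reported by the central office, not as proof of who is calling, and should keep messages whose checksum failed out of the log or flag them.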
(I will mail the Rockwell data sheet, which includes the suggested schematic diagram.)

MODEM REQUIREMENTS

Although the data signalling interface parameters match those of a Bell 202 modem, the receiving CPE need not be a Bell 202 modem. A V.23 1200 bps modem receiver may be used to demodulate the Bell 202 signal. The ring indicate bit (RI) may be used on a modem to indicate when to monitor the phone line for CND information. After the RI bit sets, indicating the first ring burst, the host waits for the RI bit to reset. The host then configures the modem to monitor the phone line for CND information.

(I'm skipping some Rockwell-specific information here.)

According to Bellcore specifications, CND signalling starts as early as 300 mS after the first ring burst and ends at least 475 mS before the second ring burst.

APPLICATIONS

Modem manufacturers will soon be implementing new modem features based on CND information as this service becomes widely available. Once CND information is received the user may process the information in a number of ways.

1. The date, time, and calling party's directory number can be displayed.
2. Using a look-up table, the calling party's directory number can be correlated with his or her name and the name displayed.
3. CND information can also be used in additional ways such as for:
   a. Bulletin board applications
   b. Black-listing applications
   c. Keeping logs of system user calls, or
   d. Implementing a telemarketing data base

REFERENCES

For more information on Calling Number Delivery (CND), refer to Bellcore publications TR-TSY-000030 and TR-TSY-000031. To obtain Bellcore documents contact:

Bellcore Customer Service
60 New England Avenue, Room 1B252
Piscataway, NJ 08834-4196
(908) 699-5800

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

-=- The Empire Times -=- Volume 1, Issue 2, File 7 of 11

``Foiling the Cracker''
A Survey of, and Improvements to, Password Security

This work was sponsored in part by the U.S.
Department of Defense.

                               Daniel V. Klein
                       Software Engineering Institute
                         Carnegie Mellon University
                           Pittsburgh, PA 15217
                              dvk@sei.cmu.edu
                              +1 412 268 7791

With the rapid burgeoning of national and international networks, the question of system security has become one of growing importance. High speed inter-machine communication and even higher speed computational processors have made the threats of system ``crackers,'' data theft, and data corruption very real. This paper outlines some of the problems of current password security by demonstrating the ease with which individual accounts may be broken. Various techniques used by crackers are outlined, and finally one solution to this point of system vulnerability, a proactive password checker, is proposed.

Introduction

The security of accounts and passwords has always been a concern for the developers and users of Unix. When Unix was younger, the password encryption algorithm was a simulation of the M-209 cipher machine used by the U.S. Army during World War II [Robert T. Morris and Ken Thompson, ``Password Security: A Case History,'' Communications of the ACM 22(11):594-597, November 1979]. This was a fair encryption mechanism in that it was difficult to invert under the proper circumstances, but suffered in that it was too fast an algorithm. On a PDP-11/70, each encryption took approximately 1.25ms, so that it was possible to check roughly 800 passwords/second. Armed with a dictionary of 250,000 words, a cracker could compare their encryptions with all those stored in the password file in a little more than five minutes. Clearly, this was a security hole worth filling.

In later (post-1976) versions of Unix, the DES algorithm [Proposed Federal Information Processing Data Encryption Standard, Federal Register 40FR12134, March 17, 1975] was used to encrypt passwords. The user's password is used as the DES key, and the algorithm is used to encrypt a constant.
The algorithm is iterated 25 times, with the result being an 11 character string plus a 2-character ``salt.'' This method is similarly difficult to decrypt (further complicated through the introduction of one of 4096 possible salt values) and had the added advantage of being slow. On a µVAX-II (a machine substantially faster than a PDP-11/70), a single encryption takes on the order of 280ms, so that a determined cracker can only check approximately 3.6 encryptions a second. Checking this same dictionary of 250,000 words would now take over 19 hours of CPU time. Although this is still not very much time to break a single account, there is no guarantee that this account will use one of these words as a password. Checking the passwords on a system with 50 accounts would take on average 40 CPU days (since the random selection of salt values practically guarantees that each user's password will be encrypted with a different salt), with no guarantee of success. If this new, slow algorithm was combined with the user education needed to prevent the selection of obvious passwords, the problem seemed solved.

Regrettably, two recent developments and the recurrence of an old one have brought the problem of password security back to the fore.

CPU speeds have gotten increasingly faster since 1976, so much so that processors that are 25-40 times faster than the PDP-11/70 (e.g., the DECstation 3100 used in this research) are readily available as desktop workstations. With inter-networking, many sites have hundreds of the individual workstations connected together, and enterprising crackers are discovering that the ``divide and conquer'' algorithm can be extended to multiple processors, especially at night when those processors are not otherwise being used. Literally thousands of times the computational power of 10 years ago can be used to break passwords.
New implementations of the DES encryption algorithm have been developed, so that the time it takes to encrypt a password and compare the encryption against the value stored in the password file has dropped below the 1ms mark [Matt Bishop, ``An Application of a Fast Data Encryption Standard Implementation,'' Computing Systems 1(3):221-254, Summer 1988; David C. Feldmeier and Philip R. Karn, ``UNIX Password Security - Ten Years Later,'' CRYPTO Proceedings, Summer 1989]. On a single workstation, the dictionary of 250,000 words can once again be cracked in under five minutes. By dividing the work across multiple workstations, the time required to encrypt these words against all 4096 salt values could be no more than an hour or so. With a recently described hardware implementation of the DES algorithm, the time for each encryption can be reduced to approximately 6 ms [Philip Leong and Chris Tham, ``UNIX Password Encryption Considered Insecure,'' USENIX Winter Conference Proceedings, January 1991]. This means that this same dictionary can be cracked in only 1.5 seconds.

Users are rarely, if ever, educated as to what are wise choices for passwords. If a password is in a dictionary, it is extremely vulnerable to being cracked, and users are simply not coached as to ``safe'' choices for passwords. Of those users who are so educated, many think that simply because their password is not in /usr/dict/words, it is safe from detection. Many users also say that because they do not have any private files on-line, they are not concerned with the security of their account, little realizing that by providing an entry point to the system they allow damage to be wrought on their entire system by a malicious cracker.

Because the entirety of the password file is readable by all users, the encrypted passwords are vulnerable to cracking, both on-site and off-site.
Many sites have responded to this threat with a reactive solution - they scan their own password files and advise those users whose passwords they are able to crack. The problem with this solution is that while the local site is testing its security, the password file is still vulnerable from the outside. The other problems, of course, are that the testing is very time consuming and only reports on those passwords it is able to crack. It does nothing to address user passwords which fall outside of the specific test cases (e.g., it is possible for a user to use as a password the letters ``qwerty'' - if this combination is not in the in-house test dictionary, it will not be detected, but there is nothing to stop an outside cracker from having a more sophisticated dictionary!).

Clearly, one solution to this is to either make /etc/passwd unreadable, or to make the encrypted password portion of the file unreadable. Splitting the file into two pieces - a readable /etc/passwd with all but the encrypted password present, and a ``shadow password'' file that is only readable by root - is the solution proposed by Sun Microsystems (and others) that appears to be gaining popularity. It seems, however, that this solution will not reach the majority of non-Sun systems for quite a while, nor even, in fact, many Sun systems, due to many sites' reluctance to install new releases of software.

The problem of lack of password security is not just endemic to Unix. A recent Vax/VMS worm had great success by simply trying the username as the password. Even though the VMS user authorization file is inaccessible to ordinary users, the cracker simply tried a number of ``obvious'' password choices - and easily gained access.
What I propose, therefore, is a publicly available proactive password checker, which will enable users to change their passwords, and to check a priori whether the new password is ``safe.'' The criteria for safety should be tunable on a per-site basis, depending on the degree of security desired. For example, it should be possible to specify a minimum length password, a restriction that passwords consisting only of lower case letters are not allowed, that a password that looks like a license plate be illegal, and so on. Because this proactive checker will deal with the pre-encrypted passwords, it will be able to perform more sophisticated pattern matching on the password, and will be able to test the safety without having to go through the effort of cracking the encrypted version. Because the checking will be done automatically, the process of education can be transferred to the machine, which will instruct the user why a particular choice of password is bad.

Password Vulnerability

It has long been known that all a cracker need do to acquire access to a Unix machine is to follow two simple steps, namely:

   1. Acquire a copy of that site's /etc/passwd file, either through an unprotected uucp link, well known holes in sendmail, or via ftp or tftp.

   2. Apply the standard (or a sped-up) version of the password encryption algorithm to a collection of words, typically /usr/dict/words plus some permutations on account and user names, and compare the encrypted results to those found in the purloined /etc/passwd file.

If a match is found (and often at least one will be found), the cracker has access to the targeted machine. Certainly, this mode of attack has been known for some time [Eugene H. Spafford, ``The Internet Worm Program: An Analysis,'' Purdue Technical Report CSD-TR-823, Purdue University, November 29, 1988], and the defenses against this attack have also long been known. What is lacking from the literature is an accounting of just how vulnerable sites are to this mode of attack.
In short, many people know that there is a problem, but few people believe it applies to them.

   ``There is a fine line between helping administrators protect their systems and providing a cookbook for bad guys.''
        [F. Grampp and R. Morris, ``Unix Operating System Security,'' AT&T Bell Labs Technical Journal 63(8):1649-1672, October 1984]

The problem here, therefore, is how to divulge useful information on the vulnerability of systems, without providing too much information, since almost certainly this information could be used by a cracker to break into some as-yet unviolated system. Most of the work that I did was of a general nature - I did not focus on a particular user or a particular system, and I did not use any personal information that might be at the disposal of a dedicated ``bad guy.'' Thus any results which I have been able to garner indicate only general trends in password usage, and cannot be used to great advantage when breaking into a particular system. This generality notwithstanding, I am sure that any self-respecting cracker would already have these techniques at their disposal, and so I am not bringing to light any great secret. Rather, I hope to provide a basis for protection for systems that can guard against future attempts at system invasion.

The Survey and Initial Results

In October and again in December of 1989, I asked a number of friends and acquaintances around the United States and Great Britain to participate in a survey. Essentially what I asked them to do was to mail me a copy of their /etc/passwd file, and I would try to crack their passwords (and as a side benefit, I would send them a report of the vulnerability of their system, although at no time would I reveal individual passwords nor even their site's participation in this study).
Not surprisingly, due to the sensitive nature of this type of disclosure, I only received a small fraction of the replies I hoped to get, but was nonetheless able to acquire a database of nearly 15,000 account entries. This, I hoped, would provide a representative cross section of the passwords used by users in the community.

Each of the account entries was tested by a number of intrusion strategies, which will be covered in greater detail in the following section. The possible passwords that were tried were based on the user's name or account number, taken from numerous dictionaries (including some containing foreign words, phrases, patterns of keys on the keyboard, and enumerations), and from permutations and combinations of words in those dictionaries. All in all, after nearly 12 CPU months of rather exhaustive testing, approximately 25% of the passwords had been guessed. So that you do not develop a false sense of security too early, I add that 21% (nearly 3,000 passwords) were guessed in the first week, and that in the first 15 minutes of testing, 368 passwords (or 2.7%) had been cracked using what experience has shown would be the most fruitful line of attack (i.e., using the user or account names as passwords).

These statistics are frightening, and well they should be. On an average system with 50 accounts in the /etc/passwd file, one could expect the first account to be cracked in under 2 minutes, with 5-15 accounts being cracked by the end of the first day. Even though the root account may not be cracked, all it takes is one account being compromised for a cracker to establish a toehold in a system. Once that is done, any of a number of other well-known security loopholes (many of which have been published on the network) can be used to access or destroy any information on the machine.

It should be noted that the results of this testing do not give us any indication as to what the uncracked passwords are.
Rather, it only tells us what was essentially already known - that users are likely to use words that are familiar to them as their passwords [Bruce L. Riddle, Murray S. Miron, and Judith A. Semo, ``Passwords in Use in a University Timesharing Environment,'' Computers & Security 8(7):569-579, November 1989]. What new information it did provide, however, was the degree of vulnerability of the systems in question, as well as providing a basis for developing a proactive password changer - a system which pre-checks a password before it is entered into the system, to determine whether that password will be vulnerable to this type of attack. Passwords which can be derived from a dictionary are clearly a bad idea [Ana Marie De Alvare and E. Eugene Schultz, Jr., ``A Framework for Password Selection,'' USENIX UNIX Security Workshop Proceedings, August 1988], and users should be prevented from using them. Of course, as part of this censoring process, users should also be told why their proposed password is not good, and what a good class of password would be.

As to those passwords which remain unbroken, I can only conclude that these are much more secure and ``safe'' than those to be found in my dictionaries. One such class of passwords is word pairs, where a password consists of two short words, separated by a punctuation character. Even if only words of 3 to 5 lower case characters are considered, /usr/dict/words provides 3000 words for pairing. When a single intermediary punctuation character is introduced, the sample size of 90,000,000 possible passwords is rather daunting. On a DECstation 3100, testing each of these passwords against that of a single user would require over 25 CPU hours - and even then, no guarantee exists that this is the type of password the user chose. Introducing one or two upper case characters into the password raises the search set size to such magnitude as to make cracking untenable.
Another ``safe'' password is one constructed from the initial letters of an easily remembered, but not too common phrase. For example, the phrase ``Unix is a trademark of Bell Laboratories'' could give rise to the password ``UiatoBL.'' This essentially creates a password which is a random string of upper and lower case letters. Exhaustively searching this list at 1000 tests per second with only 6 character passwords would take nearly 230 CPU days. Increasing the phrase size to 7 character passwords makes the testing time over 32 CPU years - a Herculean task that even the most dedicated cracker with huge computational resources would shy away from. Thus, although I don't know what passwords were chosen by those users I was unable to crack, I can say with some surety that it is doubtful that anyone else could crack them in a reasonable amount of time, either.

Method of Attack

A number of techniques were used on the accounts in order to determine if the passwords used for them were able to be compromised. To speed up testing, all passwords with the same salt value were grouped together. This way, one encryption per password per salt value could be performed, with multiple string comparisons to test for matches. Rather than considering 15,000 accounts, the problem was reduced to 4,000 salt values. The password tests were as follows:

   1. Try using the user's name, initials, account name, and other relevant personal information as a possible password. All in all, up to 130 different passwords were tried based on this information. For an account name klone with a user named ``Daniel V. Klein,'' some of the passwords that would be tried were: klone, klone0, klone1, klone123, dvk, dvkdvk, dklein, DKlein, leinad, nielk, dvklein, danielk, DvkkvD, DANIEL-KLEIN, (klone), KleinD, etc.

   2. Try using words from various dictionaries.
      These included lists of men's and women's names (some 16,000 in all); places (including permutations so that ``spain,'' ``spanish,'' and ``spaniard'' would all be considered); names of famous people; cartoons and cartoon characters; titles, characters, and locations from films and science fiction stories; mythical creatures (garnered from Bulfinch's mythology and dictionaries of mythical beasts); sports (including team names, nicknames, and specialized terms); numbers (both as numerals - ``2001,'' and written out - ``twelve''); strings of letters and numbers (``a,'' ``aa,'' ``aaa,'' ``aaaa,'' etc.); Chinese syllables (from the Pinyin Romanization of Chinese, an international standard system of writing Chinese on an English keyboard); the King James Bible; biological terms; common and vulgar phrases (such as ``fuckyou,'' ``ibmsux,'' and ``deadhead''); keyboard patterns (such as ``qwerty,'' ``asdf,'' and ``zxcvbn''); abbreviations (such as ``roygbiv'' - the colors in the rainbow, and ``ooottafagvah'' - a mnemonic for remembering the 12 cranial nerves); machine names (acquired from /etc/hosts); characters, plays, and locations from Shakespeare; common Yiddish words; the names of asteroids; and a collection of words from various technical papers I had previously published. All told, more than 60,000 separate words were considered per user (with any inter- and intra-dictionary duplicates being discarded).

   3. Try various permutations on the words from step 2.
      This included making the first letter upper case or a control character, making the entire word upper case, reversing the word (with and without the aforementioned capitalization), changing the letter `o' to the digit `0' (so that the word ``scholar'' would also be checked as ``sch0lar''), changing the letter `l' to the digit `1' (so that ``scholar'' would also be checked as ``scho1ar,'' and also as ``sch01ar''), and performing similar manipulations to change the letter `z' into the digit `2', and the letter `s' into the digit `5'. Another test was to make the word into a plural (irrespective of whether the word was actually a noun), with enough intelligence built in so that ``dress'' became ``dresses,'' ``house'' became ``houses,'' and ``daisy'' became ``daisies.'' We did not consider pluralization rules exhaustively, though, so that ``datum'' forgivably became ``datums'' (not ``data''), while ``sphynx'' became ``sphynxs'' (and not ``sphynges''). Similarly, the suffixes ``-ed,'' ``-er,'' and ``-ing'' were added to transform words like ``phase'' into ``phased,'' ``phaser,'' and ``phasing.'' These 14 to 17 additional tests per word added another 1,000,000 words to the list of possible passwords that were tested for each user.

   4. Try various capitalization permutations on the words from step 2 that were not considered in step 3. This included all single letter capitalization permutations (so that ``michael'' would also be checked as ``mIchael,'' ``miChael,'' ``micHael,'' ``michAel,'' etc.), double letter capitalization permutations (``MIchael,'' ``MiChael,'' ``MicHael,'' ... , ``mIChael,'' ``mIcHael,'' etc.), triple letter permutations, and so on. The single letter permutations added roughly another 400,000 words to be checked per user, while the double letter permutations added another 1,500,000 words. Three letter permutations would have added at least another 3,000,000 words per user had there been enough time to complete the tests.
      Tests of 4, 5, and 6 letter permutations were deemed to be impracticable without much more computational horsepower to carry them out.

   5. Try foreign language words on foreign users. The specific test that was performed was to try Chinese language passwords on users with Chinese names. The Pinyin Romanization of Chinese syllables was used, combining syllables together into one, two, and three syllable words. Because no tests were done to determine whether the words actually made sense, an exhaustive search was initiated. Since there are 398 Chinese syllables in the Pinyin system, there are 158,404 two syllable words, and slightly more than 16,000,000 three syllable words. The astute reader will notice that 398^3 is in fact 63,044,972. Since Unix passwords are truncated after 8 characters, however, the number of unique polysyllabic Chinese passwords is only around 16,000,000. Even this reduced set was too large to complete under the imposed time constraints. A similar mode of attack could as easily be used with English, using rules for building pronounceable nonsense words.

   6. Try word pairs. The magnitude of an exhaustive test of this nature is staggering. To simplify this test, only words of 3 or 4 characters in length from /usr/dict/words were used. Even so, the number of word pairs is O(10^7) (multiplied by 4096 possible salt values), and as of this writing, the test is only 10% complete.

For this study, I had access to four DECstation 3100's, each of which was capable of checking approximately 750 passwords per second. Even with this total peak processing horsepower of 3,000 tests per second (some machines were only intermittently available), testing the O(10^10) password/salt pairs for the first four tests required on the order of 12 CPU months of computations. The remaining two tests are still ongoing after an additional 18 CPU months of computation.
Although for research purposes this is well within acceptable ranges, it is a bit out of line for any but the most dedicated and resource-rich cracker.

Summary of Results

The problem with using passwords that are derived directly from obvious words is that when a user thinks ``Hah, no one will guess this permutation,'' they are almost invariably wrong. Who would ever suspect that I would find their passwords when they chose ``fylgjas'' (guardian creatures from Norse mythology), or the Chinese word for ``hen-pecked husband''? No matter what words or permutations thereon are chosen for a password, if they exist in some dictionary, they are susceptible to directed cracking. The following table gives an overview of the types of passwords which were found through this research.

A note on the table is in order. The number of matches given from a particular dictionary is the total number of matches, irrespective of the permutations that a user may have applied to it. Thus, if the word ``wombat'' were a particularly popular password from the biology dictionary, the following table will not indicate whether it was entered as ``wombat,'' ``Wombat,'' ``TABMOW,'' ``w0mbat,'' or any of the other 71 possible differences that this research checked. In this way, detailed information can be divulged without providing much knowledge to potential ``bad guys.'' Additionally, in order to reduce the total search time that was needed for this research, the checking program eliminated both inter- and intra-dictionary duplicate words. The dictionaries are listed in the order tested, and the total size of the dictionary is given in addition to the number of words that were eliminated due to duplication. For example, the word ``georgia'' is both a female name and a place, and is only considered once. A password which is identified as being found in the common names dictionary might very well appear in other dictionaries.
Additionally, although ``duplicate,'' ``duplicated,'' ``duplicating'' and ``duplicative'' are all distinct words, only the first eight characters of a password are used in Unix, so all but the first word are discarded as redundant.

              Passwords cracked from a sample set of 13,797 accounts

   Type of              Size of     Duplicates  Search  # of     Pct.      Cost/Benefit
   Password             Dictionary  Eliminated  Size    Matches  of Total  Ratio*
   -------------------  ----------  ----------  ------  -------  --------  ------------
   User/account name    130†        -           130     368      2.7%      2.830
   Character sequences  866         0           866     22       0.2%      0.025
   Numbers              450         23          427     9        0.1%      0.021
   Chinese              398         6           392     56       0.4%‡     0.143
   Place names          665         37          628     82       0.6%      0.131
   Common names         2268        29          2239    548      4.0%      0.245
   Female names         4955        675         4280    161      1.2%      0.038
   Male names           3901        1035        2866    140      1.0%      0.049
   Uncommon names       5559        604         4955    130      0.9%      0.026
   Myths & legends      1357        111         1246    66       0.5%      0.053
   Shakespearean        650         177         473     11       0.1%      0.023
   Sports terms         247         9           238     32       0.2%      0.134
   Science fiction      772         81          691     59       0.4%      0.085
   Movies and actors    118         19          99      12       0.1%      0.121
   Cartoons             133         41          92      9        0.1%      0.098
   Famous people        509         219         290     55       0.4%      0.190
   Phrases and patterns 998         65          933     253      1.8%      0.271
   Surnames             160         127         33      9        0.1%      0.273
   Biology              59          1           58      1        0.0%      0.017
   /usr/dict/words      24474       4791        19683   1027     7.4%      0.052
   Machine names        12983       3965        9018    132      1.0%      0.015
   Mnemonics            14          0           14      2        0.0%      0.143
   King James bible     13062       5537        7525    83       0.6%      0.011
   Miscellaneous words  8146        4934        3212    54       0.4%      0.017
   Yiddish words        69          13          56      0        0.0%      0.000
   Asteroids            3459        1052        2407    19       0.1%      0.007
   -------------------  ----------  ----------  ------  -------  --------  ------------
   Total                86280       23553       62727   3340     24.2%     0.053

   * In all cases, the cost/benefit ratio is the number of matches divided by the search size. The more words that needed to be tested for a match, the lower the cost/benefit ratio.

   † The dictionary used for user/account name checks naturally changed for each user. Up to 130 different permutations were tried for each.
   ‡ While monosyllabic Chinese passwords were tried for all users (with 12 matches), polysyllabic Chinese passwords were tried only for users with Chinese names. The percentage of matches for this subset of users is 8% - a greater hit ratio than any other method. Because the dictionary size is over 16x10^6, though, the cost/benefit ratio is infinitesimal.

The results are quite disheartening. The total size of the dictionary was only 62,727 words (not counting various permutations). This is much smaller than the 250,000 word dictionary postulated at the beginning of this paper, yet armed even with this small dictionary, nearly 25% of the passwords were cracked!

                       Length of Cracked Passwords

        Length          Count    Percentage
        ------------    -----    ----------
        1 character         4       0.1%
        2 characters        5       0.2%
        3 characters       66       2.0%
        4 characters      188       5.7%
        5 characters      317       9.5%
        6 characters     1160      34.7%
        7 characters      813      24.4%
        8 characters      780      23.4%

The results of the word-pair tests are not included in either of the two tables. However, at the time of this writing, the test was approximately 10% completed, having found an additional 0.4% of the passwords in the sample set. It is probably reasonable to guess that a total of 4% of the passwords would be cracked by using word pairs.

Action, Reaction, and Proaction

What then, are we to do with the results presented in this paper? Clearly, something needs to be done to safeguard the security of our systems from attack. It was with the intention of enhancing security that this study was undertaken. By knowing what kind of passwords users use, we are able to prevent them from using those that are easily guessable (and thus thwart the cracker).

One approach to eliminating easy-to-guess passwords is to periodically run a password checker - a program which scans /etc/passwd and tries to break the passwords in it [T. Raleigh and R. Underwood, ``CRACK: A Distributed Password Advisor,'' USENIX UNIX Security Workshop Proceedings, August 1988]. This approach has two major drawbacks. The first is that the checking is very time consuming. Even a system with only 100 accounts can take over a month to diligently check. A halfhearted check is almost as bad as no check at all, since users will find it easy to circumvent the easy checks and still have vulnerable passwords. The second drawback is that it is very resource consuming. The machine which is being used for password checking is not likely to be very useful for much else, since a fast password checker is also extremely CPU intensive.

Another popular approach to eradicating easy-to-guess passwords is to force users to change their passwords with some frequency. In theory, while this does not actually eliminate any easy-to-guess passwords, it prevents the cracker from dissecting /etc/passwd ``at leisure,'' since once an account is broken, it is likely that that account will have had its password changed. This is, of course, only theory. The biggest disadvantage is that there is usually nothing to prevent a user from changing their password from ``Daniel'' to ``Victor'' to ``Klein'' and back again (to use myself as an example) each time the system demands a new password. Experience has shown that even when this type of password cycling is precluded, users are easily able to circumvent simple tests by using easily remembered (and easily guessed) passwords such as ``dvkJanuary,'' ``dvkFebruary,'' etc. [Dr. Brian K. Reid, DEC Western Research Laboratory, personal communication, 1989]. A good password is one that is easily remembered, yet difficult to guess. When confronted with a choice between remembering a password or creating one that is hard to guess, users will almost always opt for the easy way out, and throw security to the wind.

Which brings us to the third popular option, namely that of assigned passwords.
These are often words from a dictionary, pronounceable nonsense words, or random strings of characters. The problems here are numerous and manifest. Words from a dictionary are easily guessed, as we have seen. Pronounceable nonsense words (such as ``trobacar'' or ``myclepate'') are often difficult to remember, and random strings of characters (such as ``h3rT+aQz'') are even harder to commit to memory. Because these passwords have no personal mnemonic association to the users, they will often write them down to aid in their recollection. This immediately discards any security that might exist, because now the password is visibly associated with the system in question. It is akin to leaving the key under the door mat, or writing the combination to a safe behind the picture that hides it.

A fourth method is the use of ``smart cards.'' These credit card sized devices contain some form of encryption firmware which will ``respond'' to an electronic ``challenge'' issued by the system onto which the user is attempting to gain access. Without the smart card, the user (or cracker) is unable to respond to the challenge, and is denied access to the system. The problems with smart cards have nothing to do with security, for in fact they are very good warders for your system. The drawbacks are that they can be expensive and must be carried at all times that access to the system is desired. They are also a bit of overkill for research or educational systems, or systems with a high degree of user turnover.

Clearly, then, since all of these systems have drawbacks in some environments, an additional way must be found to aid in password security.

A Proactive Password Checker

The best solution to the problem of having easily guessed passwords on a system is to prevent them from getting on the system in the first place.
If a program such as a password checker reacts by detecting guessable passwords already in place, then although the security hole is found, the hole existed for as long as it took the program to detect it (and for the user to again change the password). If, however, the program which changes users' passwords (i.e., /bin/passwd) checks for the safety and guessability before that password is associated with the user's account, then the security hole is never put in place.

In an ideal world, the proactive password changer would require eight character passwords which are not in any dictionary, with at least one control character or punctuation character, and mixed upper and lower case letters. Such a degree of security (and of accompanying inconvenience to the users) might be too much for some sites, though. Therefore, the proactive checker should be tunable on a per-site basis. This tuning could be accomplished either through recompilation of the passwd program, or more preferably, through a site configuration file. As distributed, the behavior of the proactive checker should be that of attaining maximum password security - with the system administrator being able to turn off certain checks. It would be desirable to be able to test for and reject all password permutations that were detected in this research (and others), including:
\(bu:T{ Passwords based on the user's account name T}:\(bu:T{ Passwords based on the user's initials or given name T} \(bu:T{ Passwords which exactly match a word in a dictionary (not just /usr/dict/words) T}:\(bu:T{ Passwords which match a word in the dictionary with some or all letters capitalized T} \(bu:T{ Passwords which match a reversed word in the dictionary T}:\(bu:T{ Passwords which match a reversed word in the dictionary with some or all letters capitalized T} \(bu:T{ Passwords which match a word in a dictionary with an arbitrary letter turned into a control character T}:\(bu:T{ Passwords which match a dictionary word with the numbers `0', `1', `2', and `5' substituted for the letters `o', 'l', 'z', and 's' T} \(bu:T{ Passwords which are simple conjugations of a dictionary word (i.e., plurals, adding ``ing'' or ``ed'' to the end of the word, etc.) T}:\(bu:T{ Passwords which are patterns from the keyboard (i.e., ``aaaaaa'' or ``qwerty'') T} \(bu:T{ Passwords which are shorter than a specific length (i.e., nothing shorter than six characters) T}:\(bu:T{ Passwords which consist solely of numeric characters (i.e., Social Security numbers, telephone numbers, house addresses or office numbers) T} \(bu:T{ Passwords which do not contain mixed upper and lower case, or mixed letters and numbers, or mixed letters and punctuation T}:\(bu:T{ Passwords which look like a state-issued license plate number T} The configuration file which specifies the level of checking need not be readable by users. In fact, making this file unreadable by users (and by potential crackers) enhances system security by hiding a valuable guide to what passwords are acceptable (and conversely, which kind of passwords simply cannot be found). Of course, to make this proactive checker more effective, it woule be necessary to provide the dictionaries that were used in this research (perhaps augmented on a per-site basis). 
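As an added example (not code from Klein's paper, which describes the checks in prose only), here is a small proactive checker in Python that implements most of the checks listed above and returns the reasons a candidate is refused; the word list, keyboard rows, suffix list and six-character minimum are constructed assumptions standing in for a site's dictionaries and configuration file.

```python
import string

# Constructed stand-in for /usr/dict/words and the research dictionaries (assumption).
DICTIONARY = {"password", "secret", "dragon", "welcome", "summer", "orange"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
DIGIT_TO_LETTER = str.maketrans("0125", "olzs")  # the 0/1/2/5 for o/l/z/s substitutions
SUFFIXES = ("s", "es", "ed", "ing", "er")         # simple conjugations
MIN_LENGTH = 6                                    # would come from the site configuration file


def stems(word):
    """Yield the word itself and the forms left after stripping a conjugation suffix."""
    yield word
    for suffix in SUFFIXES:
        if word.endswith(suffix) and len(word) > len(suffix) + 2:
            yield word[:-len(suffix)]


def matches_dictionary(candidate):
    """True if the candidate (ignoring case) is a dictionary word, a reversed word,
    a word with 0/1/2/5 written for o/l/z/s, a word with a letter turned into a
    control character, or a simple conjugation of any of those."""
    low = candidate.lower()
    # Map control characters back to the letters they were made from (Ctrl-A -> a).
    uncontrolled = "".join(chr(ord(c) + 96) if 1 <= ord(c) <= 26 else c for c in low)
    forms = {low, low[::-1], uncontrolled, uncontrolled[::-1]}
    forms |= {form.translate(DIGIT_TO_LETTER) for form in list(forms)}
    return any(stem in DICTIONARY for form in forms for stem in stems(form))


def keyboard_pattern(candidate):
    """True for a repeated single character or a straight run along a keyboard row."""
    low = candidate.lower()
    return len(set(low)) == 1 or any(low in row or low in row[::-1] for row in KEYBOARD_ROWS)


def check_password(candidate, username="", fullname=""):
    """Return the reasons a candidate would be rejected; an empty list means accepted."""
    reasons = []
    low = candidate.lower()
    parts = [p.lower() for p in fullname.split()]
    initials = "".join(p[0] for p in parts)
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if username and (username.lower() in low or username.lower()[::-1] in low):
        reasons.append("based on the account name")
    if (len(initials) > 1 and initials in low) or any(p in low for p in parts if len(p) > 2):
        reasons.append("based on the user's initials or given name")
    if candidate.isdigit():
        reasons.append("consists solely of digits")
    if matches_dictionary(candidate):
        reasons.append("matches a dictionary word (possibly reversed, recapitalised, "
                       "with 0/1/2/5 substituted, or conjugated)")
    if keyboard_pattern(candidate):
        reasons.append("keyboard pattern or repeated character")
    classes = (any(c.islower() for c in candidate), any(c.isupper() for c in candidate),
               any(c.isdigit() for c in candidate),
               any(c in string.punctuation or ord(c) < 32 for c in candidate))
    if sum(classes) < 2:
        reasons.append("needs mixed case, or letters mixed with digits or punctuation")
    return reasons


if __name__ == "__main__":
    # Constructed sample user; the checker tells the user *why* a choice is refused.
    for pw in ("n0garD", "jqp2024", "qwerty", "Vq7#mLx2"):
        print(repr(pw), check_password(pw, "jpublic", "John Q Public") or "accepted")
```

The license-plate check from the list is left out, since the paper gives no pattern for it.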
Even more importantly, in addition to rejecting passwords which could be easily guessed, the proactive password changer would also have to tell the user why a particular password was unacceptable, and give the user suggestions as to what an acceptable password looks like.

Conclusion (and Sermon)

It has often been said that ``good fences make good neighbors.'' On a Unix system, many users also say that ``I don't care who reads my files, so I don't need a good password.'' Regrettably, leaving an account vulnerable to attack is not the same thing as leaving files unprotected. In the latter case, all that is at risk is the data contained in the unprotected files, while in the former, the whole system is at risk. Leaving the front door to your house open, or even putting a flimsy lock on it, is an invitation to the unfortunately ubiquitous people with poor morals. The same holds true for an account that is vulnerable to attack by password cracking techniques. While it may not be actually true that good fences make good neighbors, a good fence at least helps keep out the bad neighbors. Good passwords are equivalent to those good fences, and a proactive checker is one way to ensure that those fences are in place before a breakin problem occurs.

--
"The only thing that separates us from the animals is superstition and mindless rituals".
Daniel Klein   CMU-SEI   +1 412/268-7791   dvk@sei.cmu.edu

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-=- The Empire Times -=-
Volume 1, Issue 2, File 8 of 11

Phreak Knowledge
Written, Edited, and Remixed By Rebel Lion

You are about to witness the power of phreak knowledge. Maybe you're a lamer. Maybe you don't know what a lamer is. Maybe you just want to know a little bit about phreaking. I'm gonna teach you how.

I. Definitions

Dialup: A telephone number used to access a long distance service such as MCI.
Once accessed, a call may be made through a Calling Card. An extender for an LD company.

Calling Card: An account with a LD service such as Sprint or MCI. The card itself is plastic and has the subscriber's account number printed on the front, resembling a credit card. Never actually steal one, for it will be cancelled. Just copy down the number and use it for LD or whatever.

INWATS: Inward Wide-Area Telecommunications Service. WATS is an 800 number. Inwards means a WATS that receives calls (a normal 1-800 number).

PBX: Private Branch Exchange. An extender owned by a private company that allows employees to make calls from outside the company, to be charged to the company. Naturally, a phreak uses this opportunity to hack out the code himself and use the PBX for his own needs.

Loop: A loop involves two phone numbers. One is the tone side, which is called by one person. The other is the silent side which is called by the second person. The two people can then talk to each other. Used by Ma Bell for some stupid testing thing. Used by Joe Phreaker to talk to people without giving out his home phone number [voice validation, maybe even conference shit].

Ma Bell: A generic term for the phone company, the place you're ripping off.

Bridge: A bridge is one big line where many people can call up and be added to an on-going group talk. Used by phreaks for a big conference.

AT&T Alliance Teleconference: A new conference system by AT&T that allows up to 50 people in a conference and can easily be accessed by any payphone with an AT&T calling card. It's made for business pigs, so it's a very un-suspicious user-phriendly system. It's run on a voice system, so it's much easier than with an operator.

ANI: Automatic Number Identification. It is used by companies to identify the number of the caller. Used by phreaks when beige boxing or using a diverter to tell the number they're calling through.

Diverter: Basically calling up a company or small business and accessing their outward line. If you're gonna waste your time with this, make sure you use an ANI number to tell you actually have a diverter, and aren't just hearing your own dial tone [it's happened].

Local: A non-LD call.

Blue Boxing: The original phreaking. Using a 2600hz tone to seize a trunk (using a tone that operators use to connect phone calls). You can also move yourself all around the phone company when you blue box, because Ma Bell thinks you're an operator. This still works under ESS, but if you try it an FCC man will be at your door within an hour. See ESS.

Beige Boxing: Using a lineman's handset, or similar homemade device, to access other people's lines through a bridge head.

Red Boxing: Using a device ["box"] to produce quarter tones at a phortress phone. Free calls.

Black Boxing: Using a device ["box"] to receive a collect call without paying. Does not work under ESS.

ESS: Electronic Switching System. New brand of switching system used by Ma Bell. It is a computer program written to monitor, detect, and prosecute phreakers to the fullest. ESS detects foreign tones on the line, and alerts another computer in the system exactly where the call was originated. As you can see, this is a dangerous weapon against phreakers.

Other switching systems: The original switching system was step by step, which used pulse and actually moved a relay for every digit you dialed. Next was crossbar, which had DTMF [touch-tones], but didn't have the advanced features that ESS has, such as last call re-dial, trace call, other * functions, and 911 for emergency.

VMB: Voice Mail Box. An advanced answering machine where the user pays a VMB company to store messages for them, which are then retrieved by the user with a code. Phreaks can hack out a VMB's access code, and then change the box to their own.

Conference Call: A telephone call where more than two parties [people] talk at one time.

Area Code/NPA: First set of 3 digits in a telephone number. NPA-Nxx-xxxx.

Prefix: Second set of 3 digits in a telephone number. NPA-Prefix-xxxx.

Exchange: Last 4 digits of a telephone number. NPA-Nxx-exchange.

CN/A: Customer Name and Address. This is an office that an employee of Ma Bell calls up to receive the name and address of someone from their phone number. Used by phreaks to see who they're ripping off.

Phortress Phone: A standard pay phone.

Phreaking: The illegal use of the phone system by an individual or group.

Phreak: An abuser of the phone system for his own benefit.

Scanning: Either by hand or by using a program, dialing random or sequential numbers in an exchange, prefix, or NPA, looking for carriers, PBX's, or other Ma Bell test functions.

Extender: A number used by a LD company that can be dialed free from phortress phones [950-xxxx]. Provides instant long distance access for calling card holders.

II. Abbreviations

NPA: Number Planning Area [area code] (703)
Nxx: Prefix (765)
xxxx: Exchange (6567)
VMB: Voice Mail Box
ESS: Electronic Switching System
CN/A: Customer Name and Address
PBX: Private Branch Exchange
99xx: A prefix scan (from 7659900 to 7659999)
LD: Long Distance
PIN: Personal Identification Number
WATS: Wide Area Telecommunications Service
XDC: X digit code, where X is the number of digits in the code
ACN: Any standard 10-digit telephone number
CO: Central Office
SxS: Step by Step, the first switching system

III. Conclusion

Phreak Knowledge is very useful to everyone in the present. Hopefully, phreaking will not die, and any new technology Ma Bell comes up with, Phreaks will fight back at. Unfortunately, ESS has disproven this theory. This new electronic switching system has shown the end to much of our heritage. Blue Boxing, Black Boxing, and in some places even Red Boxing, have all been destroyed. We must band together and fight against these evils, or we all will perish.
-==============================Thanks=================================-
Nat X, for teaching me the art of PBX'ing and to go through two of 'em when using Alliance.
Chuck U Farley, for teaching me to always be cautious.
-==============================Call===================================-
Death Row (703) 892-0015
-=====================================================================-
"All Is Fair In Love And Phreak."
-=====================================================================-

 ___________________________
|                           |
| Phreaking Will Never Die  |
|___________________________|
|                           |
| Rebel Lion 06/20/92       |
|___________________________|

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-=- The Empire Times -=-
Volume 1, Issue 2, File 9 of 11

The Beginner's Guide To Hacking On Datapac
1992 Update
Written By The Lost Avenger

Welcome once again to the first return issue of the UPi newsletter. This file was originally released for Spectrum Issue #1, and then re-released in the very first UPi Newsletter (Volume 1, Issue 1), and from there I have now decided that the public's positive reaction to this file was still so tremendous that it made me decide to re-release the file again and also re-write and update it to the 1992 specifications for Datapac. Hope you enjoy reading this file as I did writing it.

After reading through my large collection of g-files, I have found that there hasn't been a good text file for beginners about hacking the Datapac network. This guide will give a general insight on how to identify different types of operating systems when you are hacking about Datapac, and on generally basic information about Datapac. I hope this will give you more knowledge about the Datapac network to help get you started. Hope you learn a lot about Datapac and enjoy reading it at the same time. I have released this file in UPi Issue Number 1 but I have updated it and am re-releasing it.
These are the ten rules of hacking that I go by when I hack around on systems. These rules are important in order to keep from being caught or discovered illegally hacking on a system.

I. Do not intentionally damage *any* system.

II. Do not alter any system files other than ones needed to ensure your escape from detection and your future access (Trojan Horses, Altering Logs, and the like are all necessary to your survival for as long as possible.)

III. Do not leave your (or anyone else's) real name, real handle, or real phone number on any system that you access illegally. They *can* and will track you down from your handle!

IV. Be careful who you share information with. Feds are getting trickier. Generally, if you don't know their voice phone number, name, and occupation or haven't spoken with them voice on non-info trading conversations, be wary.

V. Do not leave your real phone number to anyone you don't know. This includes logging on boards, no matter how k-rad they seem. If you don't know the sysop, leave a note telling some trustworthy people that will validate you.

VI. Do not hack government computers. Yes, there are government systems that are safe to hack, but they are few and far between. And the government has infinitely more time and resources to track you down than a company who has to make a profit and justify expenses.

VII. Don't use codes unless there is *NO* way around it (you don't have a local Telenet or Tymnet outdial and can't connect to anything 800...) You use codes long enough, you will get caught. Period.

VIII. Don't be afraid to be paranoid. Remember, you *are* breaking the law. It doesn't hurt to store everything encrypted on your hard disk, or keep your notes buried in the backyard or in the trunk of your car. You may feel a little funny, but you'll feel a lot funnier when you meet Bruno, your transvestite cellmate who axed his family to death.

IX. Watch what you post on boards. Most of the really great hackers in the country post *nothing* about the system they're currently working on except in the broadest sense (I'm working on a UNIX, or a COSMOS, or something generic. Not "I'm hacking into General Electric's Voice Mail System" or something inane and revealing like that.)

X. Don't be afraid to ask questions. That's what more experienced hackers are for. Don't expect *everything* you ask to be answered, though. There are some things (LMOS, for instance) that a beginning hacker shouldn't mess with. You'll either get caught, or screw it up for others, or both.

I think in my own opinion the best way to find systems is by scanning them out. Getting them off a board or off a friend is not very safe as they may already have been hacked to death. Now you are probably wondering how you scan for systems; well, this is what you do. First you select a four digit number representing the area you want to scan, for example 4910 or something like that. What you do from there is when you connect to the Datapac network (See Part V for more details on how to connect to Datapac) you type ".." and press enter. You should get some kind of message such as "DATAPAC: XXXX XXXX" (with XXXX XXXX the Datapac node number you are on). Once you get that message you will enter a four digit number (the prefix) that you have selected, but don't press enter yet. After that type in another four digit number (the suffix) you have selected and press enter. Datapac will respond to that by giving you a Network Message which is discussed later (see Part VII for the Datapac Network Messages). These messages will tell you if the system you are trying to reach is out of service, up, busy, and so on. If you have successfully connected to a system and want to disconnect from it and go back into Datapac type in the following string "-P Clear ".
To continue scanning for more systems just keep on adding one to the last digit of the number in the suffix that you entered before and press enter. To keep on scanning just continue this until whatever suits your needs, for example you may start scanning at 4910 0000 and could stop scanning at 4910 1000.

Ok, now in this section I will discuss how to connect to the Datapac network. What you do to connect to Datapac is first make sure your computer is on. Then you load your terminal program, next call your local Datapac node. Once connected to Datapac type in "..". Datapac will respond to this with the following message:

DATAPAC: XXXX XXXX

The XXXX XXXX is the Datapac node number you are on. If you have a Network User Identifier (NUI) then you can enter it in the following way; if you don't have one then skip this part:

NUI

You will then see the next message:

PASSWORD: XXXXXX

If Datapac did not send that message then that means that the NUI you entered is not a valid one. If you did get this message then enter the password assigned and press enter. Datapac will respond with one of the following messages:

DATAPAC: network user identifier active

which means that the password entered is correct, or

DATAPAC: network user identifier error

which means that the password entered is not correct. Take note that if you have a valid NUI and it is on and you want to turn it off then type in the following command:

NUI Off

From there Datapac will send:

DATAPAC: network user identifier not active

which means that you are no longer using the NUI, which also means that you won't be able to connect to NUAs that don't accept collect calls. Once you have entered all that information, you can now enter a NUA. To enter a NUA just type in 1+DNIC+NUA (example 1208057040540 for QSD).
If you connect to the NUA properly then you will get this message:

DATAPAC: Call connected to: XXXX XXXX

The XXXX XXXX is the NUA that you have requested to connect to; otherwise it will display a different message which is discussed later on in this document.

When a Datapac call is established through the network, a call connected message is received at the originating DTE. All or some of the following messages may be identified depending on the type of call, options used for the call, and the type of destination. Example:

[HUNTED] [BACKED UP] [BACKED UP & HUNTED] [i LCN] [P/N PACKETSIZE: (128 OR 256)] [NUI (6 to 8 CHAR) CHARGING] [CUG:(CUG#)] [REVERSE CHARGE]

MESSAGE                      EXPLANATION
Call connected to: XXXXXXXX  A virtual circuit has been established between an originating DTE and a remote (receiving) DTE.
Hunted                       The remote logical channel is part of a hunt group.
Backed Up                    The call attempt to the remote DTE has failed. The network has re-directed the call to another predetermined DTE that has been optioned as backup.
i                            The call has been placed to an international address.
P                            Priority service. Packet size: 128.
N                            Normal service. Packet size: 128 or 256.
DNA                          Data Network Address of the originating DTE.
LCN                          Logical Channel Number of the recipient DTE.
NUI                          The call will be billed to the 6 to 8 character Network User Identifier.
CUG                          The recipient DTE is part of a closed user group.
Reverse Charge               The recipient DTE has accepted the charge associated with the established call.

There are thirty-three messages which may appear when you are accessing the Datapac network. All of these network-generated messages which are sent to a terminal are written as "Datapac: text". The "text" will be one of the following messages:

ADDRESS
This is a Datapac herald message for an SVC terminal. The "address" displayed is your Datapac network address. This message indicates that you are connected to the Datapac network. Proceed with the call request command.
{P,R} TERMINAL ADDRESS -- (DESTINATION ADDRESS LOGICAL CHANNEL)
This is a Datapac herald message for a PVC terminal. It indicates that you are connected to the network (