Plateforme de Hacking


HackBBS.org est une communauté faisant évoluer un système de services vulnérables.

Nous apprenons à exploiter de manière collaborative des solutions permettant de détourner les systèmes d'informations.
Cet apprentissage nous permet d'améliorer les technologies que nous utilisons et/ou de mieux comprendre l'ingénierie social.

Nous défendons les valeurs de l'entraide, du challenge personnel et contribuons modestement à rendre l'expérience des utilisateurs finaux la plus agréable possible.

Vous pouvez nous rencontrer via notre salon irc.
Le forum est en cours de remplacement par une version plus moderne, et tout aussi faillible que l'ancien ^^.
A ce jours nous enregistrons plusieurs dizaines de hack réussi contre notre site, et ce chiffre est en constante évolution. Merci a tous les contributeurs!

La refonte est en version alpha. Cette nouvelle plateforme permet de pentester à distance sans avoir son matériel à disposition.
Via l'exécution de scripts python connecté en websocket à l'ihm web, nous pouvons piloter le chargement de scénario
d'attaque/défense en "multijoueur" ^^.
Le système permet de charger des scripts de bibliothèques partagées et de chiffrer les échanges selon les modules déployés.
Vous trouverez dans la rubrique article de nombreux tutoriels afin de mieux comprendre la sécurité informatique,
ainsi que différents articles plus poussés.
Hacker
  • Sniffing
  • Cracking
  • Buffer overflow
  • Créations d'exploits
  • Social engineering
  • L'anonymat sur le web, spoofing
  • Bypass-proxy, Bypass-firewall
  • Injection de code SSI, SQL, etc...
  • Utilisation d'exploits, création de scripts(php, irc, perl)

Nous vous recommandons de sniffer votre réseau lors de votre navigation sur le site. La refonte vous fournira un outillage pour réaliser vos attaques/défenses.

Challenges
Vous pourrez également participer à de nombreux challenges
Dernièrement, les missions relativent aux derniers produits open sources marchent bien :)

Votre ultime challenge sera de défacer HackBBS. De nombreuses failles sont présentes. A vous de les trouver et de les exploiter.

Cet ultime test permettra de constater votre réactions face à une faille.
Black ou White? ^^

Ezine du moment: sysf05.txt
<<> i kn o w  tha t  i wo u  l dn   ' t  w an   t  it an  y ot h  e r  w ay <<>
                ,  ,                                      ,  ,
         i$$$$       $a     i$$$$:.. .    $$$$i  i$$$$       $a
         $$$$$:       :$$l ..:$$$$$      .. :$$$$$: $$$$$:..     :$$l:..
   .  ..:$$$$$:       :$$$l .:$$$$$     . ..:$$$$$::$$$$$:.      :$$$l:.. .
   ..  .:$$$$$:               $$$$$       ..:$$$$$::$$$$$:.. .
         $$$$$x       x$$$$$  $$$$$x        x$$$$$  $$$$$x       x$$$$$
               ,     ,:$$$$$::$$$$$  ,    ,               ,     ,:$$$$$:.. . .
     . .:$$$$$:   .   :$$$$$::$$$$$    .            $$$$$:   .   :$$$$$:.. .
@ @ @@@ @$@$@@@ @ @@@@@@$@$@:@@@$@$@ @@@##@@#@@ @# @@@@$g:@@@##@@#@$@$@:@@#@ @@
  .. . .:$$$$x       x$$$$$::$$$$::.  .  .  .  ..:$$$$x       x$$$$$:. ..
               ,     ,                                    ,     ,
                  .            (system failure)              .
                         a magazine from penguin palace.
                             anarchist(wax!ascii)

Ŀ
                          System Failure: Issue #5                          


Welcome once again to System Failure!  This WAS going to be the nifty neato
Halloween issue, since we all got lazy and are late.  Ok, ok, *I* got lazy
and it's MY fault it's this late.  I'M SORRY, OK?!

Anyways, like I said, it WAS going to be the Halloween issue, but since I
couldn't find anyone Halloween night, it's now the November issue.

November is a good month.  I turn 20 on the 25th of November.  You all better
send me shitloads of money and presents.

Anyhow, what's new with SysFail and all of that?  Well, I've been dead, gone,
etc.  LogicBox has been floating around on DALnet.  Darkcactus, who the hell
knows?  I don't think ANYONE has seen him for a while.  Pinguino is still in
303, but rumor is, she's going back to California.  When this happens is
still a mystery to us all.

Ya'll remember Justine from issue 3?  Well, it seems that she's been a little
depressed because none of you fanboy's have sent her lust-mail.  Apparently,
we seem to have printed the wrong email address for her.  Justine's CORRECT
email address is:  62010@telis.org.  NOT telis.com.  ORG, DAMMIT.  So all
you out there send her email telling her how much you want her body, and what
you're going to do with that tone-dialer.

Contact information has kind of changed.  system.failure@usa.net will still
get email to all of us who are important.  If you MUST talk to us in person,
then give me money for airfare, and we'll all come to your house and break
it.  If you need to contact us on IRC, then join #peng of the EFnet.

#rock got taken over by #deaf, and most everyone lost interest in it.  About
the only people that you're going to find in there will be kadafi, Sc0rp, and
a host of bots.  If you want to talk to the old #rock regulars, join #tacd
and ask Shaedow to kick you so you can see how super-spiffy-cool he is.

www.penguinpalace.com is kinda hosed for now.  No one knows what the problem
is, least of all InterNIC.  For SysFail back issues and whatever, check out
http://fly.hiwaay.net/~chb/ping/.

                                                        -Kenshiro Cochrane

Now that I'm done with my ramble, off to the:

Ŀ
                              TABLE OF CONTENTS                             
                                                                            
 SysInfoTrade                                                   by Pinguino 
 The Decline of H/P Civilization                               by Mr. Sonik 
 Never, EVER, do This!                                 by Kenshiro Cochrane 
 RC5-56 Cracked!                                                by Pinguino 
 The Right Way to Steal                                        by Astr0naut 
 Music Time!                                              by Jolly Spamhead 
 Listen to the Telco's Whine                           by Kenshiro Cochrane 
 How to Secure Your Linux Box                     by Saint skullY the Dazed 
 More Oncor Horror                                     by Kenshiro Cochrane 
 Want a Free Shell?  Read This!                           by Jolly Spamhead 


<-------+
        |  SysInfoTrade
        +----------------> pinguino@mindless.com

   Not a lot in the news this month...

--#peng now has a techno radio station, DJ'ed by muerte live! Check him
out at random times during the night via realaudio:
pnm://www.raver.org/muerte.ram
pnm is the real audio location file; you need the player to hear it.
Join #peng and find out what he's spinning.
--We still have System Failure and Thank You for Abusing AT&T stickers avail
in fine black vinyl. $1 each, e-mail pinguino@uix.com. New stickers coming
soon (as soon as I have access to a color printer somewhere).
-- October 20, 1998 a report was delivered to the White House with news that 
the nation was vulnerable to electronic attack- Cyber Terrorism. Even though
people *have* hacked their way into government sites, I guess they need to
pay some team a million dollars to analyze what happened and say, "Oh yeah,
we're a little insecure."
    "Today, the right command sent over the Internet to a power
generating station's control computer could be just as effective as a
backpack full of explosives and the perpetrator would be harder to
identify and apprehend," according to the panel's quote on CNN.
    Apparently they're freaked out that someone will gain control of the
power/communications grid; from within or on the outside of the US. They
put together *another* team of people to figure out how to "educate the
public" on this problem, and find solutions. The panel on the 20th reported
that this undertaking would be finished by the end of the year.
--According to the LA Times (Oct 10), Mitnik might get puter access once
again. The court wants to give him access to a laptop so that he can see
the evidence against him and work with his lawyer on his case. He's been in
jail since Feb. 1995. I think he gets email at mitnik@2600.com still.
--http://radiophone.dhp.com/ is the new URL for the revamped Radiophone page
--On Oct 19, the RCA Labs' RC5-32/12/7 56-bit secret key was cracked. More
info later in this issue of System Failure.
--Interested in AOL or MSN? AOL is giving away 100 free hours.. MSN is giving
away a free month. Time to start stocking up on free disks, coasters, and
destructible party objects. =)
--http://www.gaijin.com/EvilPeople/    cool site I had to share with you!

Ŀ
                     The Decline of H/P Civilization                        
                                by Mr. Sonik                                
                                                                            
            Mr. Sonik can be contacted via system.failure@usa.net           


Have you ever wondered why most of the new people to the scene think that
they are total badass 31337 hax0rs?

It really pissed me off when I tried to post a legitimate question about
phreaking to a newsgroup.  I got about 50 Flame messages and like two serious
answers to my question.

The messages ussually included replys like "HAHA LAMER" or "YOU DONT HAVE
SKILLS LAMER!@#" I would be willing to bet that all of the fucking time and
bandwidth wasting lamers didn't know what I was talking about so, they
decided to flame me for it.

This is the pointless type of shit that pisses me off.

I admit that I am new to the scene and that when I see posts from people that
dont know what they are talking about and have all the facts totally mixed up
I get a laugh out of it and share it with my friends.  But I by no means make
them feel like shit by flaming them, If I know what they are talking about I
will offer them any help that I can, and if I don't I will usually go to the
trouble to direct them to a knowledgable person.

I have learned most all of what I know from reading text files and zines that
cover my areas of interest.  I try not to waste peoples time by calling them
names and gay stuff.

One of the most disgusting things that I see is lazy fucking bastards who
feel that they have to post questions about "Warez Kodez" and FTP sites.  If
they had a ounce of brains they would check the web first and learn how to
use a search engine.

I feel strongly about keeping the H/P scene alive forever.

Thats why I try to help whenever possible and be as helpful as possible.  I
urge all of you new School kiddies to be helpful and informative.  I will
tell you all from experience that I get more respect from people when I help
them instead of flame them.

No one thinks flaming is cool except 11 year old warez kiddies, and nobody
thinks 11 year old warez kiddies are cool.

Ŀ
            Never, Ever, EVER Give Out Your Calling Card Number             
                             by Kenshiro Cochrane                           
                                                                            
         Kenshiro Cochrane can be contacted at kcochran@skipnet.com         


Since I'm the News Editor and all that jazz, and since we've had 4 issues,
and I haven't contributed one news related article in it (yeah, I've been
slacking), I figured it's time to do something that I'm supposed to.

Here's the story:

About a month ago, a bunch of people from EF #rock were on one of our
WorldVox teleconferences.  Being as one of us had three-way calling, I,
er, that person, decided to start calling numbers picked at random from
the telephone book.  Sounds fun, right, uh huhm yup...WE WERE REALLY BORED,
OK?!@#$

Anyhow, one of the many "pranks" that were done that night consisted of of
one of the few adult sounding conference callers to take up the role of an 
operator, with a collect call for the person or persons being called that 
night.

Basically, what happened was, we got this old lady, told her we had an 
emergency collect call for her husband, and would she accept the charges?  
She, of course, said yes.  After "attempting to bill the charges to her 
phone," we informed her that we were unable to, and asked if she had a
collect call block on her telephone.  She confirmed this.  Upon asking
her if she had another way of paying for the call, she read off her calling
card number.

Pretty stupid, considering there were about 8 other people on the line.

We then informed her that the caller had hung up, and to have a good night.  
Some people apparently proceeded to test this calling card, as the following 
article was given to me by a local friend (HI JEANIE!) a few days later.

Here, then, is that article:

PHONE-CARD FRAUD WARNING ISSUED
by Marilyn Montgomery
Albany Democrat-Herald

A bogus emergency collect phone call in the middle of the night has prompted
a warning about how to use telephone calling cards.

An Albany woman, who asked that her name not be used, said she got a call at
2 a.m. on day last week.  The caller identified himself as "your AT&T long-
distance operator" and said he had a collect call for the woman's husband, 
whom he identified by name.

The woman asked who was calling, the "operator" gave her a name that she
didn't recognize, then told her the caller had said it was an emergency.
The woman said she would accept the call.

The operator asked if her phone was blocked from accepting such calls, 
claiming he couldn't make the connection.  After allegedly trying twice
to connect the call, ther operator asked if there was another way he could 
connect it.

"I should have hung up then," the woman said earlier this week.  Instead,
she gave the operator her calling card number, and he said that would work,
then told her that the emergency caller was no longer on the line.  Then
the operator hung up.

The woman said she called US West the next day to tell them what happened.
US West called the woman back a day later to report that the calling card
had been used in three East Coast states since she had given out the number.

"It's amazing how fast that number spread." she said.  The woman canceled
the number on the card, but whoever had it has tried to use it several times
since, she said.

Jim Gottschalk, area manager for US West in Eugene, said Wednesday the
woman's problem was the first of its kind that he'd heard of involving
calling cards.

No similiar problems have yet been reported to the company's business or
fraud offices, he said.

He called the emergency collect call a "clever ploy."

"It's easy to become confused, especially with all the changes going on in 
telecommunications," Gottschalk said.  "And, when someone says it's an 
emergency, you tend to do anything you can to help."

"We always advise customers to never give their personal identification 
numbers to anyone, even if they identify themselves as being with a law 
enforcement agency.  But it happens, and once it does, they need to tell us."

"You can never be too careful."

---

Amazing how fast it spread?  With 8 other fone nuts on the line?  I don't
think so.

And the telco's warning people not to give their PIN's to a law enforcement
agent?  What the hell would they need them for?  I mean, get real.

If this is the kind of person that US Worst is hiring for their "Area
Managers", then all of you out their reading this should go apply.  Surely
one of you will make CEO in a week or less.

Anyhow, if you'd like to contact this woman, and advise her on her
stupidity, she is:

June Green (her husband is Joe!)
34361 Riverside Drive
Albany, OR 97321

(541) 928-9077

Ŀ
                       Project Bovine Cracks the RC5-56                     
                                 by Pinguino                                
                                                                            
                Pinguino can be contacted at pinguino@leper.org             


Bovine Project page: http://rc5.distributed.net/

    A message encrypted with RSA Labs' 56-bit RC5 encryption algorithm was
cracked October 22, 1997. The message: It's time to move to a longer
key length. The person who found the key was Peter Stuer, working for the
STARLab Bovine Team of the Vrije Universiteit in Brussels, Belgium.
He was using an Intel Pentium Pro 200 running NT. The Bovine team is part
of a global Bovine effort headed by distributed.net.

    RSA is trying to prove that 128-bit encryption should be the standard
by holding a series of contests with $10,000 prizes. The sixth contest to
crack the RC6-64bit algorithm is in progress. Currently the US can only
export programs with 56-bit key encryption as a maximum. Programs like
Netscape and IE support the 128-bit keys. This is a direct smack in the
face to the Clinton administration, who don't want to allow the export of
stronger encryption programs.

    It took the Bovine team of 4,000 programmers and 10,000 idle computers
about 250 days to search 47% of the keyspace.

Distributed.net is equivalent in processing power to:
  14,685 Intel Pentium Pro 200 processors
  13,362 Motorola PowerPC 604e/200 processors
  116,326 Intel 486DX2/66 processors
  58,163 Intel Pentium 133 processors

Work on decrypting the 64-bit encrypted message is underway. With the
combined strength of this global network, we can do anything.
-----
Join the System Failure team for the sixth contest. Go download the program
suitable for your system, and put pinguino@uix.com for your email address.
We have the Power =)

Ŀ
                  The Right Way to Get Good Stuff for Free                  
                                by Astr0naut                                
                                                                            
            Astr0naut can be contacted via system.failure@usa.net           


An Enhancement on "Five-Finger Discounts" by Pinguino, Dark Hour, and Netmask

In their article in SysFail #1, Pinguino, Dark Hour, and Netmask mentioned
a couple of companies that are great to steal from. However they didn't
expand some of the exploitation to its fullest, such as Best Buy.

This has got to be one of the EASIEST stores on the entire planet to take
shit from.

Hummm, where to start?

I'll go department by department.  First off, let's hit the music department.
In SysFail #1, they mention that you need to look like Mr. Innocent.  They're
right.  I know (not because I worked there or anything) that the LP (loss
prevention) looks for suspicious looking people, and when they are not doing
that they are usually looking at women (Sorry, girls).

Oh well, back to getting free stuff.  CD's have to be one of the easier
things to steal (besides video cards, etc.).  It's very simple; you find the
CD'ss you like/want and you go to the audio department (another wealth of
free stuff).  After all, CD'ss and audio go together.

You go to the audio department to divert attention from yourself.  Then from
the audio department, you casually make your way to the bathroom (where
merchandise is not allowed).  MAKE SURE NOBODY IS LOOKING!  Act like you are
there for a reason and act confident!  The LP team looks for guilty looking
people.

After you make your way into the bathroom, head to a stall, and proceed to
unwrap all the CD's and take them out of the cases.  Stick them wherever you
can hide them.  This method is proven to work.  I have known people who have
gotten over $300.00 worth of CD's this way.  You can also use this method for
Nintendo games, Sega games, Playstation games, etc.

Ok...Now, lets make our way to the computer department.  This is an extremely
easy department to rip off, considering that they are so busy most of the
time, more so during holidays.  You can go to the counter and ask to look
at a harddrive, or RAM or whatever you like.  Sit around and eye it and read
the box.  Most of the time, an angry customer will approach the sales person
and distract them when they are gone.  You can also have a friend do this.

Put the merchandise in your pocket and calmly walk out of the store.

IMPORTANT NOTE:  Once you have made it to the door you are basically home
free!  In Best Buy, employees ARE NOT allowed to chase/tackle or cause injury
to customers or they WILL be fired or severely punished.

Stores like Wal-Mart are allowed to chase you, and they will.

This next tactic involves spending some money, but it is a proven way to
work!  You have to look older for these, because you will need money and a
purpose.  Remember to look CONFIDENT!  Ask questions, don't try to hide.

Go to the appliance department and find a nice grill, but not one that is too
expensive.  Then stroll to the computer department, where you have other
"shopping" to do.  While down one of the back isles, which are rarely, if
ever, watched, open the top of the grill box and fit whatever you can inside:
joysticks, video cards, sound cards and more.  People have even managed to
fit a CPU or two in a grill box.

Guess what?  You've just spent $100.00 for $1000.00 or more in merchandise.

Video departments are one of the harder departments to steal from.  Just
about the only thing you can take from them are cameras, film, and any other
small stuff.  Take into consideration, however, that a woman put a 13 inch TV
under her dress and ALMOST got away with it.  I don't advise doing anything
like that though.

Anyways.  You know the locked cabinets that they keep the cameras or other
stuff in.  Well, I'll let you in on a little secret: THEY DON'T NEED KEYS!!
All you have to do is simply grab a hold of both side of the cabinet and pull
up and out, and presto, you have cameras.  (See above tactics for getting
them out of the store)  Don't ever go down the TV aisles to try and steal
stuff, because video is always a slow department and they have nothing to do
there but clean.

The audio department, as well as the video department can be a wealth of free
CD's and movies, if you don't mind that they have no cases.  They have to
test out the audio equipment some way, and what better way to do it with
then new CD's right off the shelf?  Help your self to a handful of 'em, and
while your at it, go and grab some movies or DVD discs that the video
deparment has used.

On a closing note, remote controls can be a great way to get free batteries
for Walkmen or Discmen, as they are required to have them working at all
times.



EDITOR'S NOTE:  Having worked at Target and as Security for a mall, I know
from experience that most of these techniques will work.  At Target and
Sears, you need to know a couple of facts.

If you ever fear that you are being followed, most likely, you are.

Sears LP (Loss Prevention) and Target AP (Assets Protection) have a couple of
common policies.

1>  They MUST let you leave the store with the stolen merchandise before they
apprehend you.

This is good for you for an obvious reason.  You don't leave the store, they
don't stop you.  If you leave the store, and they stop you, hope to hell that
you don't have any stolen merchandise on your person.  If you do, most likely
you're screwed.  If not, they open themselves up for a lawsuit (public
humiliation, defamation of character, etc.).  Once they've stopped you,
that is an accusation of theft.  If you don't have any merchandise on you,
you are quickly going to find the managers of the store kissing your ass.

2>  If you fear you are being followed, DUMP ALL THE STOLEN MERCHANDISE!
They won't stop you, since you haven't stolen it yet.  You can put it in your
pockets, and legally claim that you put it there since you couldn't fit it in
your hands.  YOU MUST LEAVE THE STORE TO HAVE "LEGALLY" STOLEN THE
MERCHANDISE!

3>  Go to the bathroom.  Try on clothes in the fitting room.

Target and Sears people have to actually SEE you conceal the merchandise.  If
the AP/LP don't see you put it away, then they can't do jack.  And it MUST be
the AP or LP.  Don't worry about the regular employees.  They can bother you,
but they can't accuse you of anything, and they can't apprehend you.  If a
regular peon sees you pocket something, don't worry about them, but do worry
about one thing:  They are most likely going to call AP or LP.  But even
then, the AP or LP can't get you for the stuff you already have.  Make a stop
in the bathroom or fitting room before you leave.

The reason for this is thus:  You COULD have dumped all the merchandise in
one of those places.  AP/LP must keep you in sight (Cameras don't count!)
from the moment you conceal the item to the moment you step outside the
store.  If they A, lose sight of you, or B, you go into the restroom/fitting
room, they have to let you go.  In those few seconds that you are out of
their sight, you could have dumped everything.  And if you did, and they stop
you, they open themselves up to a lawsuit.

SO MAKE USE OF THE RESTROOM AND FITTING ROOM, DAMMIT!

The fitting rooms are a great place to "try on" clothes, too.  Most fitting
room people at Sears and Target don't pay close attention to how many items
you take in with you.

Ŀ
                    Miscellaneous Songs to Play on Your Phone!              
                              by Jolly Spamhead                             
                                                                            
            Jolly Spamhead can be contacted at jizz-monkey@usa.net          


==================== \
My Five Min of fame  |
=====================/

        While reading the classic fred myers issue of PLA, I remembered one
thing RBCP did once he got into the the PA system. He played songs over
the loud speaker! I don't really remember the song he played, so I decided to
figure out a few songs on my own. Here is a list of what I could compose! My
songs are not as "l33t" as MMMbop or a Puff Daddy song, but I think they are
sufficient! =)

+==============+
|Da Songs Y0!  |
+==============+

Key To All Of This
--------------------------------------------------- \ 
- = Hold                                              \
, = Pause for 1 beat                                   /
. = Pause 1 beat for every dot! (Got it?)            /
---------------------------------------------------/

Jingle Bells

333,333,39123,666-663333322329,333,333,39123,666-6633,399621 

Happy Birthday

112,163,112,196,110,8521,008,121

Way Down Upon the Swanee River

321321045,6842,321321945,654224

Ode to Joy

3 3 6 9 9 6 3 2 1 1 2 3 3 2 2.. 3 3 6 9 9 6 3 2 1 1 2 3 2 1 1.. 2 2 3 1 2
3-6 3 2 3-6
3 2 1 2 7.. 3 3 6 9 9 6 3 2 1 2 3 2 1-1.. 

Mary had a little lamb

8 5 2 5 8 8 8.. 5 5 5.. 8 8 8.. 8 5 2 5 8 8 8.. 2 5 8 5 2.. 

Hot Cross Buns

6 5 4.. 6 5 4.. 4 4 4 4 5 5 5 5.. 6 5 4.. 

In The Jungle

2 5-8 5.. 8-9 8 5 2.. 5 8-5 2 8 5... 

Ŀ
              Small Telco's Demand a Stop to Internet Telephone             
                             by Kenshiro Cochrane                           
                                                                            
         Kenshiro Cochrane can be contacted at kcochran@skipnet.com         


Well, it looks like those wacky old telephone companies are losing money
on your Internet telephone calls.

Who'd of thought it would ever happen?

According to an AP wire, a group of small telephone companies, known as the
"America's Carriers Telecommunications Association" has asked the FCC to bar
companies that produce Internet telephone software from selling that same
software.

That same group also wants the Federal government to regulate Internet
telephone communcations much like they do traditional telephone carriers,
meaning that the producers of said software would have to pay fees that
support affordable telephone service for low-income and rural people.

Internet telephone services would also become subject to state and federal
regulations regarding traditional carriers.

The FCC hasn't acted yet on the petition, filed in March 1996.

International or long-distance calling over the Internet is much cheaper
than conventional phone service.  Because the call travels over data
networks rather than public telephone networks, the caller doesn't have
to pay long-distance or international charges, just the price of the
Internet service. 

Callers with the same Internet phone software can talk to each other
over computers, equipped with modems, speakers and microphones.

Some 60 companies now provide Internet phone service, though the business
is still in its infancy, according to Larry Flomm, vice president of new
business development for Dialogic Corp., an Internet phone provider. 

So let's take a second to figure this out.  Most Internet telephone software
is not compatible with other software.  This means that the caller and the
callee, if you will, must both have the same software.

And if 60 companies provide this service and software, then the chances
of you getting ahold of your long lost friend in San Juan Capistrano without
previous communcations (confirming that you both have the correct software
ahead of time) is practically nil.

Most people are still limited to modems that operate at 28800bps and
33600bps.  Including me, and probably most of you reading this.  I don't
know if you've ever used any Internet telephone software at all, but if you
have, you will have noticed a couple of things.

Number one, the price is about $50 - $75.  Most people on any kind of budget
aren't going to have that kind of money to buy a piece of software that they
can use to talk to maybe 3 people in the entire world.  Sure, it would be
much cheaper to use the Internet to talk to everybody, but the people that
*I* really need to talk to the most don't have it.  I can't call into
work and say I'm sick with this stuff.  I can't call the pizza joint and
order.  I can't call my parents or grandparents and tell them I need money
with this.  And I sure as hell can't call the President of the United States
to say what a shitty job he's doing.

At the current time, Internet phone is a novelty, not a threat, to telephone
companies.

Number two, the quality of the conversation is not that great at normal modem
speeds.  The transmission is going to be frought with background noise due
to the normally low quality of the microphone (I also don't have $50 to go
buy a high quality microphone), and lag.  Say I'm talking to Habib in India.
Habib says something to me, and I'm sitting there for 5 minutes waiting for
him to say it.

Number three, unless you want to spend a hell of a lot more money on a
wireless microphone, and better quality speakers, you have to stay at your
computer to talk to these people.

Cordless telephones have popped up EVERYWHERE.  You can't go somewhere and
NOT see one.  Sure, we like them for the obvious reasons, but the owners
like them for the convenience.  I don't know how many times I've been on the
telephone with my mother to hear her say "Hang on a sec, I have to stir this"
or whatever.

The only reason these companies feel a threat from this new medium is that
they don't want to have to get off their collective asses and better their
services.  They like being able to LEGALLY overcharge people and provide shit
service.  And then be able to say "Yo' Mama" when you call and complain.

Ŀ
                         How to Secure Your Linux Box                       
                           by Saint skullY the Dazed                        
                                                                            
       Saint skullY the Dazed can be contacted at skully@clipper.net        


    Ok, so you just downloaded Slackware and have installed it.  All your 
friends have told you how great Linux is, and you want to see yourself.  The
first thing you do, is get on IRC to show everyone how 'leet you are.  But 
someone there decides that you shouldn't be using such a powerful OS.  Next
thing you know, your HD goes crazy and all your files are gone.  Well, that
can be avoided. 

    Well, my first reaction to secure your system goes like this: killall -9
sendmail, killall -9 inetd, and don't install anything at all.  Well, for
most, that's too extreme.  Luckily, there is middle ground.

    First, edit /etc/inetd.conf.  Comment out everything except for telnet,
ftp, and auth.  If you don't want to give out accounts, then forget about
telnet and ftp.

    Next, you'll probably want to move telnet and ftp to different ports.  To
do this, open up inetd.conf again, and change telnet to telnetd, and ftp to
ftpd.  Then, open up /etc/services, and add these lines:

ftpd            556/tcp
telnetd         555/tcp
 
You can use any port you like. 555 and 556 are just examples.  Now your
system is fairly secure.  If you're going to be giving accounts to people who
might try to root your box, it'd be a good idea to take the suid bit off most
programs.

Most of them will be in /bin, /sbin, /usr/bin, and /usr/sbin.  To check for
suid programs, goto those directories, and do an ls -l | less.  Here's an
example:

-rwxr-xr-x   1 root     bin           360 Dec 12  1995 checkalias*
-rws--x--x   1 root     root        24184 Jun 16 11:56 chfn*

checkalias is not suid, chfn is.  The only programs which need to be suid for
a properly working box are login, su, sudo, and passwd.  Everything else is
up for your discretion.  Most people would like to be able to use ping, chfn,
and chsh, but they're not things that regular users need to use (They can
still be executed by root though).

    An easy way to look for all the suid programs on your system is with the
find command. 

find / -user root -perm -4000 -print

That will list all files with a suid bit on your system.  You might redirect 
the output to a file (find / -user root -perm -4000 -print > suid) so you 
don't have to shift-pageup to read it all.

    Then, there's the important part of passwords.  If you don't already have
shadowed passwords, get on sunsite and download shadow-ina-box.  That will
make it a lot harder for someone to crack your password file.  And be sure
not to use an easy password as your root password.  hi-mom is a horrible
password.  A better password would be to use gh3EhT5. That has both numbers
and letters, isn't a word, and uses mixed case. 

    If you take all of these suggestions, or even just some of them, your box
will be secure enough for everyday use. It won't be hack proof (There is not
one single computer out there that's hack proof) but at least it won't be
hacked by any and every lamer out there.

    If you have any comments/hatemail/cool mp3's to throw my way, send em to
me. 

Ŀ
          Yes, Yes, Yet Another Oncor Communications (Horror) Story         
                             by Kenshiro Cochrane                           
                                                                            
         Kenshiro Cochrane can be contacted at kcochran@skipnet.com         


Alrighty kiddies, here it is, the definitive OCI story.  I know you've all 
been waiting for it.  Wait no longer, I have delivered!

Oncor Communications Incorporated, more commonly known as OCI, is a telephone 
company that primarily services payphones in the Texas area.  Based out of 
Dallas, Texas, and employing only the worst in Arkansas white-trash (yeah,
YOU Inviz!), OCI is the lowest of low in the telecommunications industry.

OCI's practice of allowing, nay, even encouraging their operators and 
supervisors to verbally abuse, insult, provide poor service, listen in on 
customer telephone conversations, and more, is abhorrent.  

PLA used to bring you stories of OCI operators making cracks, such as "Yo' 
mama" jokes, making derogatory comments, and just in general being assholes 
barely scratches the service of treatment received by yours truly, and
others, while attempting to make perfectly legitimate telephone transactions
from numbers picked at random from the telephone directory.

I used to laugh when I saw a mention of OCI, and the horrid treatment
received from them.  I thought to myself, "No way in hell could an operator
get away with saying that, and still keep her job!"  I thought that, perhaps
in the grand tradition of so many PLA articles, most notably the supreme
Beige Boxing issue, that a certain amount of embellishment had taken place.  

Boy, was I sure fucking wrong.

My first call to OCI was rather bland.  I called them up to make a collect 
call to a Worldvox teleconference (ah, those were the days...), gave them a 
number from the telephone book, and a fictitious name, and they put the call 
through with a minimum of hassle.

Then, I got three-way calling, and we decided to have some fun.  The very 
first time, we were connected to Maria, who, for the sake of imagination, is
a very obese, sweaty, greasy, sleazy latino woman (no racism intended, she
was VERY latino).  

Maria proceeded to tell me that "Yo' mama is stupid, and yo' daddy stupid
too!"  Not a very witty insult, by any means, but enough to keep us
interested in her and OCI for the duration of the conference.

Later conferences introduced us to a male operator, who identified himself as 
"Dickweed Motha Fucka".  Mr. Fucka had an annoying tendency to mutter "Yo' 
mama" several times, repeatedly.  Truly, a dynamic individual.

And who can forget Kevin, who's normal greeting was "Thank you for calling 
OCI, this is Ke-VUHN, can I help you make a call, PUH-LEEZE?"  Kevin, 
obviously, became the brunt of many jokes.

Finally, OCI got to the point of "transferring us to their supervisor", when 
we became too much trouble for them.  "One moment while I transfer you to my 
supervisor."  "CLICK."  At this moment, they disconnected us.  VERY 
INTELLIGENT, if I say so myself.

Apparently, disconnecting us got too boring, so they created a recording 
circuit just for us.  You know how you get those circuits that say "The
number you are calling has been disconnected and is no longer in service.
No further infomation is available at this time"???  Well, our own personal
recording said:  "GET.  A.  LIFE."  EXTREMELY WITTY, is it not?

OCI finally wised up.  They now no longer accept any calls from a number that
is NOT an OCI payphone.  So basically, you need to visit Texas, make a list
of all the payphone numbers belonging to OCI, then give them to me.  Thanks.

Eventually, we got a supervisor who gave us a piece of his mind.  I asked
him if he allowed his operators to be this rude to all customers.  He said
yes.  I asked him if he knew his operators did this on a regular basis.  He
said yes. I asked him if he encouraged his operators to be this rude to
customers. Guess what he said?  He said yes.  I then asked him for the
address of OCI, and he provided it, then I informed him that he and all of
his operators were being taped, and that he should have a nice day.  He
disconnected us rather rapidly, I thought.

Anyhow, when calling OCI to get them to comment on this, I got this
transcript:

OCI> OCI, can I help you?
ME>  Hi, is it possible to speak to a supervisor please?
OCI> Sure, just one moment.
ME>  Thanks much.
OCI> *CLICK*

Shows their commitment to quality service, eh?

Oh well.  We can't have everything that we want.

If you want to hear some of these calls, check out 
http://www.teleport.com/~zigy.

Send all of your hate mail to:

OCI
ATTN: Bruce Campbell (The company president, woo hoo hoo!)
PO Box 50579 
Dallas, TX 75250-0579

Ŀ
              Obtaining Free Shell Accounts in the 860 Area Code            
                              by Jolly Spamhead                             
                                                                            
            Jolly Spamhead can be contacted at jizz-monkey@usa.net          


    In this article I will explain how to obtain free Unix shell
accounts in 860. In my opinion, no one should be without 1 or more shell
accounts. A ISP here called "Internet Access Company" or Tiac for short,
has wonderful no quota shells up for the taking. All u have to do is call
them up and order a few. It would go something like this...

(Dialing 860-947-7687)

Becky: Hi welcome to the Internet Access Company, How may I transfer your
       call?
You:   I'll like to order a shell+ account, I saw it offered on your webpage.
Becky: Sure, please hold on while I transfer your call!
You:   OK.

(After waiting 10-15 minutes and listening to Barbie Girl for the 5th time)

Eric: Hello, this is Eric Paul how may I help you?
You:  Hi Eric, I want to order one of those damn Shell+ accounts.
Eric: Would u like me to explain what a Shell+ account consists of?
You:  It would be a great honor if you would enlighten me sir.

(Snip 5 minutes of Eric's pointless rambling)

Eric: So, would you like to sign up now?
You:  Yes, would it be possible to have you guys bill it my house?
Eric: Well, we can do that, but we will need a major credit card to confirm.
You:  Ok no problem, could u hold on a second?
Eric: Yes, take your time
You:  I'm back
Eric: Ok could I have your name and phone number please?
You:  Ok my name is Tyrone Ashford and my digits are 860-569-0550
Eric: Great, now could I have your address followed by the card number
You:  167 Mercer Ave, East Hartford CT 06108
You:  My card number is 3133 7902 1069  10/98

After giving the guy a random name and credit card the number, u will most
likely have to wait a minute while his computer fires up. Since Tiac is a
very busy place you know.

Eric: Could I please have a user name and password for the account?
You:  Ok the user name will be "Dingo" and the password will be "god".
Eric: Well you know "god" is one of the 3 commonly most used passwords!
You:  Oh, so you saw the movie too?
Eric: I didn't just see it, I live it!
(Laughs)
Eric: Your account will be ready in the hour, would u like the dial-up?
You:  Yes, that would be nifty.
Eric: I don't know much about CT, are u closer to Hartford or New Haven?
You:  That's for me to know, why don't u just give me both numbers?
Eric: Ok Hartford is 860-947-7540 and New Haven is 203-752-3032
You:  Ok I got it, thanks so much Eric, I love you!
Eric: Ok have a nice day.
You:  No Eric, I really love u alot!
Eric: Well sir im not that kind of guy
You:  Ok I understand, cya later you mr eleet-o burito person u!
Eric: Ok bye now.
You:  Byte Me!

Anyway, give and take a little small talk here and there. That is basically
all that is needed to scam shells from Tiac. Once u get tired of ordering
just one crappy shell, you can try ordering 10-15 at a time. This works
because it is fairly commonplace for businesses to bulk order many accounts
at once.

      
+---------------------------------------------------------------------------+
|              Misc Internet Access Company Numbers                         |
+---------------------------------------------------------------------------+


    The majority of these numbers came from Tiac's webpage located
conveniently at http://www.tiac.net/. So here's what I got so far....


POP NUMBERS
------------------

CT (860)
---------
Hartford.......947-7540
Hartford.......947-7547

CT (203)
---------
New Haven.......752-3032
Stamford........352-1342
Trumbull........452-3894

MA (617)
---------
Boston...........531-TIAC
Brookline........992-TIAC
Cambridge........588-TIAC
Newton...........831-TIAC
Quincy...........249-TIAC

MA (781)
----------
Bedford..........275-0331
Burlington.......852-TIAC
Kingston.........585-7100
Lexington........778-TIAC
Maiden...........480-TIAC
Medford..........658-TIAC
Woburn...........970-TIAC

NY (212)
----------
Manhattan........220-TIAC

NY (516)
-----------
Central Islip....582-2819
Garden City......228-6606
Wantagh..........221-0029

NY (914)
-----------
White Plains.....328.3506


CUSTOMER SERVICE
---------------------

Eastern MA............781-932-2000
Western MA.............413-732-3138
Hartford CT...........860-947-7687
Stamford CT...........203-323-5957
Maine.................207-775-2467
New Hampshire.........603-421-0711
New Jersey............201-342-0060
New York City.........212-929-9777
NY/Westchester........914-328-5453
NY/Long Island........516-228-9058
Rhode Island..........401-453-0424
Washington D.C........202-822-6032
                         
+============================================================================+
|                           GREETS AND GRIPES                                |
|                                                                            |
| I hope u enjoyed the file, GREETS go out to RBCP, Colleen Card, El Jefe,   |
| the writers of System Failure, RNS for releasing kick ass mp3's that kept  |
| me alert when I wrote this, the makers of Jolt Cola, and of course my      |
| partner in crime Desperado.                                                |
|                                                                            |
| No GREETS to Tyrone Ashford, Dingo Rogers, Homi G BoBo, Phrack, Web TV,    |
| the asshole that invented ssping, and most of East Hartford High School.   |
+============================================================================+

Ŀ
                             Closing Comments                               
                       by The System Failure Staff                          
                                                                            
       Contact us all via system.failure@usa.net or whatever other          
                        email address you've seen                           


Well, once again we come to the close of another issue of System Failure.  If
you think that we have forgotten something, you want to tell us how great we
are, you want to tell us how much we suck, or you want to submit an article,
then email us at the above address.

Until then, may this find you all in good health (except Phelon).

                                                        -Kenshiro Cochrane

Yahoo!  Only half a month late this time... we're getting better.  I'll be
doing System Failure #6, and hopefully it'll be out in late November or early
December, so keep your eyes open.  penguinpalace.com is still offline, but
we're hoping it'll be back up soon... if it's not up in a few days, I'll
put up a mirror of the SysFail page on http://www.geekbox.net/sysfail/

                                                        -Logic Box

[NO COMMENT]

                                                        -Pinguino

[DC WAS AT WORK.  THE FOOL.]

                                                        -DarkCactus





Manifest
Le but de ce site est de mieux comprendre la sécurité informatique.
Un hacker par définition est une personne qui cherche à améliorer les systèmes d'information dans le seul et unique but de contribuer à la stabilité de ces systèmes!
La croyance populaire laisse entendre que les hackers sont des pirates.
C'est vrai. Mais il y a différents types de pirate.
Tout comme il y a différents types de personnes.
Les bavures courantes auxquelles on pense lorsqu'on évoque le terme de pirate informatique
seraient les hacks de compte msn, ordinateurs lâchement trojantés avec des exploits déjà tous faits
et encore peut-on classifier en tant que hack le fait de spammer
alors que depuis plus de 15 ans des scripts tous faits le font extrêmement bien?

Ce ne sont pas des hackers qui font ça!!!
Nous appelons ces gens des lammers! Quand ils sont mauvais,
ou des black hat lorsqu'ils sont doués dans la mise en application de leurs méfaits.
Aucun amour propre - Aucune dignité
Agissent par dégout, vengeance ou simple plaisir.
Les raisons peuvent être nombreuses et je ne prétends pas devoir juger qui que ce soit.
Je pense juste que l'on ne doit pas utiliser l'épée de fly pour commettre des injustices.
Il est 100 fois plus profitable d'améliorer un système que de marcher sur un château de sable... même si marcher sur un château de sable est rigolo :P
A vous de trouver votre amusement. ;)

Tu peux réagir sur la shootbox


Disclaimer Veuillez lire obligatoirement les règles ci-dessous avant de consulter ce site.
Conformément aux dispositions des différentes lois en vigueur, intrusions et maintenances frauduleuses sur un site, vol et / ou falsification de données.
Vous ne devez en aucun cas mettre en application les stratagèmes mis en place par ce site, qui sont présentés uniquement à titre d’éducation et de recherche dans le domaine de la protection de données.
Vous ne devez en aucun cas utiliser ce que vous aurez découvert, sauf si vous avez une autorisation écrite de l’administrateur d’un site ou que celui-ci vous ai ouvert un compte uniquement pour la recherche de failles.
Tout cela est interdit et illégal ne faites pas n'importe quoi.
Vous acceptez donc que l'administrateur de ce site n'est en aucun cas responsable d'aucun de vos actes. Sinon quittez ce site.
Vous êtes soumis à ce disclaimer.
ET À CE TITRE, NI LA COMMUNAUTÉ, NI L'ADMINISTRATEUR, NI L'HÉBERGEUR, NE POURRONT, NI NE SERONT RESPONSABLE DE VOS ACTES.