   
                                                     
                                                       
               ۰߰     ܰ۰  
             ۱      ܱ߰    ۰
             ۱          ۱      ۰  
                 ܰ߱    ߰۲    
              Outbreak Magazine Issue #14 - Article 7 of 15
          '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'


Inside Circuit City

By:  StankDawg@hotmail.com and bios@digitalrights.org


The store you love to hate is undergoing a change.  Yes, they still have annoying salespeople 
that attack you for commissions at the big screen TV section.  Yes, they are the same 
salespeople that are nowhere to be found when you need help finding a 3 dollar cable or 
something else less beneficial to their commission.  Yes, they still carry poor quality, overpriced 
computers.  Yes, they still lure you into the store with a Sunday ad then try the "bait and switch" 
method of claiming they are "out-of-stock" on the item in the ad and then try selling you 
something else.  So what is the change you ask?  Now, you have access to computers in almost 
every store!  So what does that mean?  Well, besides messing with the salespeople and showing 
them how much cheaper you can buy the same products online, you can use your imagination.

Bi0s and I did some research on stores in our respective area stores.  We came to find out 
several things that we were able to verify with each other.  We came to the conclusion that the 
majority of Circuit City stores were setup exactly the same.  They are trying very hard to 
emulate the success of stores like Best Buy, so they are probably forced by corporate 
headquarters to use the same universal setup.  There was little or no variation between our area 
stores.  All of the information that we found was done by manual excursions and fact-finding 
missions to different stores and then researching our information on the internet afterwards.  
Hopefully, someone who works at the "new Circuit City" can verify that our information is 
indeed correct.

How does it work?

The Software

When you walk up to one of these machines you are faced with a Netscape navigator screen.  
This could mean anything.  The menu only gives access to one function (to restart the browser) 
and right clicking accomplishes nothing.  All you can do is use the browser and the power of the 
web to see what you can dig up on the system.  First of all, I browse the files on the local 
computer.  I had a hunch from the "feel" of the limited interface that I saw, that it was a *NIX 
powered box.  Upon seeing a directory structure with names like /BIN, /USR, and /ETC my 
suspicions were confirmed.  But what flavor of *NIX was it?  I knew that they have used more 
heavy metal machines in the past to do live inventory and checkout functions, so I did not 
assume it was a PC version of *NIX.  I checked for network settings and configurations, but 
came up empty handed.  This was definitely some watered-down UNIX distribution.  This 
combined with the fact that the employees still used other terminals to access inventory 
information led me to believe that it must be some sort of LINUX running locally.  Well, almost.

Admittedly, I am a nubie at *NIX in general.  I recognized that it was there, and did some 
poking around into the system, but I pretty much hit a wall.  I had to call in the professionals for 
more advice.  Saitou187 and JinRai accompanied me on my next trip.  Saitou was able to 
determine that it was indeed running on a Linux platform.  Specifically, NeoLinux 2.2 which is a 
derivation of RedHat made by Neoware.  Researching this on the web taught me that this 
particular distribution was geared towards "net appliances".  It is a watered down (but still very 
functional) linux that is designed to provide stable modules while using a very small footprint (no 
hard drive needed, can be run from network, low memory requirements, etc...).

The other interesting bit of software news is the content filtering software.  Oddly enough, it did 
not block nearly as many sites as I was expecting.  I immediately tried to visit www.2600.com 
which is notorious for being blocked by this type of software.  No problem!  That is surprising, 
so I thought that maybe they only set it up to block pr0n sites.  I typed in www.playboy.com 
and bang!  Pr0n right there in Circuit City!  I saw a young salesperson approaching from the 
opposite direction, so I quickly diverted to www.nfl.com to throw him off.  I asked "Hey, dont 
you stop people from accessing sites that are not related to Circuit City business or 
merchandise?" while pointing at www.nfl.com knowing full well that it was pretty wide open.  
He informed me that some porn sites are blocked smiling.  I typed playboy.com back into the 
browser and gave him a "Gee whiz, playboy seems to work... look.  He seemed mildly surprised 
saying not all of them were blocked.  He showed me that www.bangbus.com was accessible 
but a couple of other hardcore sites were not (which made me wonder what they do after the 
store closes to know that, but I digress...).  They produced a dialogue box saying they were 
not accessible from this computer.  I believe this to be a customized filtering proxy that only has 
specific sites in the database.  Hacking sites seemed accessible, but some pr0n was blocked.  I 
left the site at www.digitalrights.org before I walked away.

By this time the salespeople and managers are giving me strange looks.  I decide that it is time to 
leave.  But not before a quick visit to whatismyip.com to get the IP address.  I type the number 
into my cel phone, and then throw the Jedi mind trick on the apparent manager by pretending to 
be interested in a big screen TV and asking for his help.  After promising to "think about" buying 
the TV, I go home and try to get access remotely to play some more.  No luck.  I can neither 
ping nor traceroute the IP address.  This must mean it is behind some kind of firewall.  Bi0s 
comes to the same conclusion.


The Network

StankDawg gave me the IP address he found and I compared it to the one I had, and guess 
what, SAME IP!  But wait, thats not right, why would, or HOW would two computers 
connected to the internet have the same IP address?  This required some more digging, so it 
was back to circuit city.

This time I go with Evo_tech and Pearl, and I bring my palm m100, so I can jot down some info 
while Im there.  Last time all I got was the IP.  And I didnt have time to look into the system.  
Just as StankDawg said, its just Netscape you see on these machines, but I wasnt sure what 
OS.  So naturally, I type C:\ into the browser.  Nothing.  Aha!  It must me a *nix machine, next 
try FILE:// ..Bingo!  Im looking at the file structure.  Moving around and opening files in the 
browser, I find that I can read every file.  Unfortunately, I cant write to them.  Finally, I find a 
file containing version info.  This box was running NeoLinux version 1.1  which is a bit older 
compared to StankDawgs location, where they were running 2.2.

Neo Linux is locked up fairly tight.  Its a read-only OS which explains why neither of us were 
able to install any plug-ins.  All directories and files are non-writeable, except for one thats 
called (you guessed it!) /writeable.  Unfortunately, this only contains files that are changed by 
normal system processes. So, no fun there.  Apparently these computers seem to be run a 
dumb terminals and they are all controlled by a remote admin tool.  The entire OS is under 8 
megs! 

Ok, so we search a little deeper.  I find some DNS settings and a gateway IP, Ive been 
punching numbers into my palm for about 20 minutes and I can tell the employees are catching 
on.  They keep walking behind me and looking over my shoulder.  They can tell Im not 
browsing CCs website anymore ;) A few of them walk over & start talking to a manager, so I 
decide its time to split.

I get home, and decide its time to see where these IPs lead to.  StankDawg and I began to 
compare noted through IM.  First lookup. 12.26.69.43 which is the IP I got when I visited 
whatismyip.com on my first visit.  Its the same IP that StankDawg got over 1100 miles away!  
Heres the lookup info: 

* note addresses and contact names have been removed to protect the guilty*

12.0.0.0 - 12.255.255.255 
AT&T  
AT&T ITS 

12.26.69.0 - 12.26.69.255 
Circuit City Stores,Inc.  

This is very interesting.  As StankDawg said, it does not respond to ping or traceroute.  
However with Nmap (via cmnd line thank you) revealed that the IP was up.  Nmap just kept 
scanning & scanning but I never picked anything up.  StankDawg and I were both puzzled over 
this.  Ok, so whats the deal here?  How are they using the same IP at different stores?  Is what 
we saw at whatismyip.com just reflecting a proxy?  Hmmm... Lets move on to the other IPs I 
found.

Lets look at the gateway IP I found in a network config file. 

10.0.0.0 - 10.255.255.255 
IANA  
Internet Assigned Numbers Authority

heh... and so the suspect list grows.  But what about those DNS numbers?  They were in the 
same config file.  Heres the first: 192.64.203.121

192.64.0.0 - 192.64.255.255 
Hewlett-Packard Company 

192.64.203.0 - 192.64.204.255 
Circuit City Stores, Inc

And the second: 166.86.50.250

166.86.0.0 - 166.86.255.255 
Circuit City Stores, Inc.

Ok, this is weird; weve got AT&T (everyones favorite telecom), HP, IANA, and Circuit City.  
Wow, now thats a cast of players.  So, what is going on here?  Well, from what we can put 
together, they seem to be running a WAN and using specific IPs as a gateway for all of their 
stores. They seem to have all incoming traffic blocked, AND filtered!  StankDawg even gets 
filtered at different points sometimes depending on the port being tested.  Some lookups during 
a ping, you can see that the packets get filtered by a different IP than you are trying to ping.  
Also trying to get some info out of the network admins is like trying to pull teeth.  In my opinion, 
these stores are locked up fairly tight.  Its not impossible, nothing is, it will just take some time.  
Come to www.StankDawg.com/forums/ to find out the latest progress!
