



                        % = % = % = % = % = % = % = %

                        =                           =

                        %   P h r a c k   X V I I   %

                        =                           =

                        % = % = % = % = % = % = % = %



                               Phrack Seventeen

                                07 April 1988



                   File 1 of 12 : Phrack XVII Introduction



     It's been a long time, but we're back.  After two successful releases
under the new editorship, Taran King told us that with his vacation from
school, he'd be able to put Phrack Seventeen together.  His plans soon
changed, and Seventeen was now our responsibility again.  Procrastination set
in, and some difficulty was encountered in compiling the files, but we finally
did it and here it is.



     There's a lot of good material in this issue, and we're lucky enough to
have PWN contributions from several sources, making it a true group effort.
Since The Mad Chemist and Sir Francis Drake, as well as myself, are moving on
to other things, the editorship of Phrack Inc. may be changing with the
release of Phrack Eighteen.  Regardless of what direction the publication
takes, I know that I will have no part in the creation of the next issue, so
I'd like to mention at this time that my involvement with the magazine, first
as a contributor and later as a contributing editor, has been fun.  Phrack
will go on, I'm sure, for another seventeen issues at least, and will continue
to be a primary monument to the vitality of the hacker culture.



                                              -- Shooting Shark

                                                 Contributing Editor



     Phrack XVII Table of Contents
     -----------------------------

#       Title                              Author                 Size
----    -----                              ------                 ----
17.1    Phrack XVII Introduction           Shooting Shark         3K
17.2    Dun & Bradstreet Report on AT&T    Elric of Imrryr        24K
17.3    D&B Report on Pacific Telesis      Elric of Imrryr        26K
17.4    Nitrogen-Trioxide Explosive        Signal Substain        7K
17.5    How to Hack Cyber Systems          Grey Sorcerer          23K
17.6    How to Hack HP2000's               Grey Sorcerer          3K
17.7    Accessing Government Computers     The Sorceress          9K
17.8    Dial-Back Modem Security           Elric of Imrryr        11K
17.9    Data Tapping Made Easy             Elric of Imrryr        4K
17.10   PWN17.1 Bust Update                Sir Francis Drake      3K
17.11   PWN17.2 "Illegal" Hacker Crackdown The $muggler           5K
17.12   PWN17.3 Cracker are Cheating Bell  The Sorceress          8K






                File 2 of 12 : Dun & Bradstreet Report on AT&T







       AT&T Credit File, taken from Dun & Bradstreet by Elric of Imrryr









                        DUN'S FINANCIAL RECORDS

                           COPYRIGHT (C) 1987

                    DUN & BRADSTREET CREDIT SERVICE

Name & Address:

      AMERICAN TELEPHONE AND TELEGRAPH          Trade-Style Name:

      550 Madison Ave                           AT & T

      NEW YORK, NY 10022



      Telephone: 212-605-5300



      DUNS Number: 00-698-0080



      Line of Business: TELECOMMUNICATIONS SVCS TELE



      Primary SIC Code: 4811

      Secondary SIC Codes: 4821 3661 3357 3573 5999



      Year Started:  1885                 (12/31/86)  COMBINATION FISCAL

      Employees Total:     317,000        Sales:           34,087,000,000

      Employees Here:        1,800        Net Worth:       14,462,000,000



      This is a PUBLIC company





      12/31/86 COMBINATION FISCAL

      (Figures are in THOUSANDS)



      FINANCIALS                                        %     COMPANY    INDST

                                           COMPANY    CHANGE     %      NORM %

      Cash. . . . . . . . . . . . .     2,602,000      17.5      6.7      9.0

      Accounts Receivable . . . . .     7,820,000     (13.1)    20.1      5.7

      Notes Receivable. . . . . . .          ----      ----     ----      0.2

      Inventory . . . . . . . . . .     3,519,000     (26.1)     9.1      1.3

      Other Current Assets. . . . .     1,631,000      72.0      4.2      5.8



      Total Current Assets. . . . .    15,572,000      (8.0)    40.0     22.0



      Fixed Assets. . . . . . . . .    21,078,000      (4.7)    54.2     35.6

      Other Non-current Assets. . .     2,233,000      55.9      5.7     42.4



      Total Assets. . . . . . . . .    38,883,000      (3.9)   100.0    100.0



      Accounts Payable. . . . . . .     4,625,000      (6.4)    11.9      4.2

      Bank Loans. . . . . . . . . .          ----      ----     ----      0.2



      Notes Payable . . . . . . . .          ----      ----     ----      1.0

      Other Current Liabilities . .     6,592,000       0.8     17.0      6.2



      Total Current Liabilities . .    11,217,000      (2.4)    28.8     11.6



      Other Long Term Liab. . . . .    13,204,000      38.2     34.0     46.8

      Deferred Credits. . . . . . .          ----      ----     ----      6.4

      Net Worth . . . . . . . . . .    14,462,000      (1.2)    37.2     35.2



      Total Liabilities & Worth. .     38,883,000      (3.9)   100.0    100.0



      Net Sales . . . . . . . . . .    34,087,000      (2.4)   100.0    100.0

      Gross Profit. . . . . . . . .    15,838,000      ----     46.5     40.1

      Net Profit After Tax. . . . .       139,000     (91.1)     0.4     15.3

      Dividends/Withdrawals . . . .     1,371,000      (0.9)     4.0      7.7

      Working Capital . . . . . . .     4,355,000     (19.8)    ----     ----



      RATIOS                                     %    ---INDUSTRY QUARTILES---

                                      COMPANY  CHANGE   UPPER  MEDIAN   LOWER

          (SOLVENCY)



      Quick Ratio . . . . . . . . .      0.9   (10.0)     2.9     1.2     0.6

      Current Ratio . . . . . . . .      1.4    (6.7)     4.9     2.2     1.0

      Curr Liab to Net Worth (%). .     77.6    (1.1)    13.2    26.4    38.1

      Curr Liab to Inventory (%). .    318.8    32.1    244.8   475.8   675.0

      Total Liab to Net Worth (%) .    168.9    (4.3)   127.4   180.2   297.2

      Fix Assets to Net Worth (%) .    145.7    (3.6)   144.9   215.0   263.0



          (EFFICIENCY)

      Coll Period (days). . . . . .     83.7   (11.1)    31.9    46.7    61.6

      Sales to Inventory. . . . . .      9.7    32.9     56.2    33.8    20.0

      Assets to Sales (%) . . . . .    114.1    (1.6)   210.5   266.1   373.4

      Sales to Net Working Cap. . .      7.8    21.9      6.3     2.3     1.1

      Acct Pay to Sales (%) . . . .     13.6    (4.2)     4.9     8.7    13.8



          (PROFITABILITY)

      Return on Sales (%) . . . . .      0.4   (91.1)    20.1    14.6    11.3

      Return on Assets (%). . . . .      0.4   (89.5)     7.2     5.7     3.7

      Return on Net Worth (%) . . .      1.0   (90.6)    19.0    15.9    12.8



          Industry norms based on 469  firms,



          with assets over $5 million.



      12/31/85 COMBINATION FISCAL

      (Figures are in THOUSANDS)



      FINANCIALS                                        %     COMPANY    INDST

                                           COMPANY    CHANGE     %      NORM %

      Cash. . . . . . . . . . . . .     2,213,700       3.4      5.5      7.5

      Accounts Receivable . . . . .     8,996,100      (4.0)    22.2      5.6

      Notes Receivable. . . . . . .          ----      ----     ----      0.4

      Inventory . . . . . . . . . .     4,759,300      (0.6)    11.8      1.2

      Other Current Assets. . . . .       948,500      (8.2)     2.3      5.1



      Total Current Assets. . . . .    16,917,600      (2.4)    41.8     19.8



      Fixed Assets. . . . . . . . .    22,112,900       5.2     54.7     39.2

      Other Non-current Assets. . .     1,432,000      (3.2)     3.5     41.0



      Total Assets. . . . . . . . .    40,462,500       1.6    100.0    100.0





      Accounts Payable. . . . . . .     4,942,800     (11.4)    12.2      4.9

      Bank Loans. . . . . . . . . .          ----      ----     ----      0.3

      Notes Payable . . . . . . . .         2,100      ----     ----      0.8

      Other Current Liabilities . .     6,542,600      15.5     16.2      5.9



      Total Current Liabilities . .    11,487,500       2.2     28.4     11.9



      Other Long Term Liab. . . . .     9,553,200       2.7     23.6     46.8

      Deferred Credits. . . . . . .     4,788,500      18.9     11.8      6.8

      Net Worth . . . . . . . . . .    14,633,300      (4.1)    36.2     34.5



      Total Liabilities & Worth. .     40,462,500       1.6    100.0    100.0



      Net Sales . . . . . . . . . .    34,909,500       5.2    100.0    100.0

      Gross Profit. . . . . . . . .          ----      ----     ----     33.7

      Net Profit After Tax. . . . .     1,556,800      13.6      4.5     14.0

      Dividends/Withdrawals . . . .     1,382,900       3.7      4.0     13.0

      Working Capital . . . . . . .     5,430,100     (10.8)    ----     ----



      RATIOS                                     %    ---INDUSTRY QUARTILES---



                                      COMPANY  CHANGE   UPPER  MEDIAN   LOWER

          (SOLVENCY)

      Quick Ratio . . . . . . . . .      1.0    ----      2.5     1.1     0.6

      Current Ratio . . . . . . . .      1.5    ----      3.8     1.9     0.9

      Curr Liab to Net Worth (%). .     78.5     6.5     15.8    29.4    43.9

      Curr Liab to Inventory (%). .    241.4     2.8    285.7   485.5   790.6

      Total Liab to Net Worth (%) .    176.5     9.6    134.4   190.1   320.9

      Fix Assets to Net Worth (%) .    151.1     9.7    148.4   219.0   289.5



          (EFFICIENCY)

      Coll Period (days). . . . . .     94.1    (8.7)    31.5    47.2    63.8

      Sales to Inventory. . . . . .      7.3     5.8     52.3    31.4    18.0

      Assets to Sales (%) . . . . .    115.9    (3.4)   217.1   277.8   356.8

      Sales to Net Working Cap. . .      6.4    16.4      6.0     2.7     1.6

      Acct Pay to Sales (%) . . . .     14.2   (15.5)     6.1    10.4    15.7



          (PROFITABILITY)

      Return on Sales (%) . . . . .      4.5     9.8     19.0    13.6     9.5

      Return on Assets (%). . . . .      3.8    11.8      6.9     5.3     3.4

      Return on Net Worth (%) . . .     10.6    17.8     19.7    15.8    12.7





          Industry norms based on 605  firms,

          with assets over $5 million.



      12/31/84 COMBINATION FISCAL

      (Figures are in THOUSANDS)



      FINANCIALS                                     COMPANY    INDST

                                           COMPANY      %      NORM %

      Cash. . . . . . . . . . . . .     2,139,900       5.4      6.6

      Accounts Receivable . . . . .     9,370,800      23.5      6.3

      Notes Receivable. . . . . . .          ----      ----      0.4

      Inventory . . . . . . . . . .     4,789,200      12.0      1.2

      Other Current Assets. . . . .     1,033,100       2.6      4.1



      Total Current Assets. . . . .    17,333,000      43.5     18.6



      Fixed Assets. . . . . . . . .    21,015,000      52.8     45.0

      Other Non-current Assets. . .     1,478,600       3.7     36.4





      Total Assets. . . . . . . . .    39,826,600     100.0    100.0



      Accounts Payable. . . . . . .     5,580,300      14.0      5.2

      Bank Loans. . . . . . . . . .          ----      ----      0.2

      Notes Payable . . . . . . . .          ----      ----      1.0

      Other Current Liabilities . .     5,663,300      14.2      5.5



      Total Current Liabilities . .    11,243,600      28.2     11.9



      Other Long Term Liab. . . . .     9,300,200      23.4     47.8

      Deferred Credits. . . . . . .     4,026,000      10.1      6.5

      Net Worth . . . . . . . . . .    15,256,800      38.3     33.8



      Total Liabilities & Worth. .     39,826,600     100.0    100.0



      Net Sales . . . . . . . . . .    33,187,500     100.0    100.0

      Gross Profit. . . . . . . . .    16,436,200      49.5     28.1

      Net Profit After Tax. . . . .     1,369,900       4.1     14.1

      Dividends/Withdrawals . . . .     1,333,800       4.0      7.3

      Working Capital . . . . . . .     6,089,400      ----     ----





      RATIOS                                 ---INDUSTRY QUARTILES---

                                      COMPANY  UPPER  MEDIAN   LOWER

          (SOLVENCY)

      Quick Ratio . . . . . . . . .      1.0     2.3     1.0     0.6

      Current Ratio . . . . . . . .      1.5     3.4     1.6     0.9

      Curr Liab to Net Worth (%). .     73.7    17.7    30.6    43.5

      Curr Liab to Inventory (%). .    234.8   312.5   491.6   754.3

      Total Liab to Net Worth (%) .    161.0   139.2   193.7   314.9

      Fix Assets to Net Worth (%) .    137.7   161.5   228.9   295.3



          (EFFICIENCY)

      Coll Period (days). . . . . .    103.1    34.3    51.6    67.8

      Sales to Inventory. . . . . .      6.9    52.1    32.6    20.1

      Assets to Sales (%) . . . . .    120.0   216.7   268.2   353.0

      Sales to Net Working Cap. . .      5.5     7.2     3.1     1.7

      Acct Pay to Sales (%) . . . .     16.8     6.2    10.9    15.4



          (PROFITABILITY)

      Return on Sales (%) . . . . .      4.1    18.5    13.1     9.8



      Return on Assets (%). . . . .      3.4     7.0     5.3     3.3

      Return on Net Worth (%) . . .      9.0    19.7    15.7    12.6



          Industry norms based on 504  firms,

          with assets over $5 million.





             END OF DOCUMENT









Name & Address:

      AMERICAN TELEPHONE AND                    Trade-Style Name:

      550 Madison Ave                           At & T

      NEW YORK, NY 10022



      Telephone: 212-605-5300



      DUNS Number: 00-698-0080



      Line of Business: TELECOMMUNICATIONS SVCS TELE



      Primary SIC Code: 4811

      Secondary SIC Codes: 4821 3661 3357 3573 5999



      Year Started:  1885                 (12/31/86)  COMBINATION FISCAL

      Employees Total:     317,000        Sales:           34,087,000,000

      Employees Here:        1,800        Net Worth:       14,462,000,000



      This is a PUBLIC company







      HISTORY

      04/20/87



      JAMES E. OLSON, CHB-CEO+           ROBERT E. ALLEN, PRES-COO+

      RANDALL L TOBIAS, V CHM+           CHARLES MARSHALL, V CHM+

      MORRIS TANENBAUM, V CHM+           S. LAWRENCE PRENDERGAST, V PRES-

                                         TREAS

      C. PERRY COLWELL, V PRES-

      CONTROLLER

      DIRECTOR(S): The officers identified by (+) and Howard H. Baker Jr,

      James H. Evans, Peter F. Haas, Philip M. Hawley, Edward G. Jefferson,

      Belton K. Johnson, Juanita M. Kreps, Donald S. Perkins, Henry B.

      Schacht, Michael I. Sovern, Donald F. McHenry, Rawleigh Warner Jr,

      Joseph D. Williams and Thomas H. Wyman.

           Incorporated New York Mar 3 1885.

           Authorized capital consists of 1,200,000,000 shares common stock $1

      par value and 100,000,000 shares preferred stock $1 par value.

           Outstanding Capital Stock at Feb 28 1987: 1,071,904,000 common

      shares and at Dec 31 1986 preferred stock outstanding consisted of

      redeemable preferred shares composed of 8,500,000 shares of $3.64

      preferred stated value $50; 8,800,000 shares of $3.74 preferred, stated

      value $50 and 25,500 shares of $77.50 preferred, stated value $1,000.

           Business started 1885.

           The  company's common stock is listed on the New York, Boston,

      Midwest, Philadelphia and Pacific Coast Stock Exchanges under the symbol

      "ATT". At Dec 31 1986 there were 2,782,102 common shareholders. At Jan 1

      1986 officers and directors as a group owned less than 1% of the

      outstanding common stock with the remainder owned by the public.

           OLSON, born 1925. 1950 Univ of North Dakota, BSC. Also attended

      Univ of Pennsylvania. 1943-1946 United States Army Air Force. 1960-1970

      Northwestern Bell Telephone Co, V Pres-Gen Mgr. 1970-1974 Indiana Bell

      Telephone Co, Pres. 1974-1977 Illinois Bell Telephone Co, Pres. 1977 to

      date AT&T, 1979 V Chb-Dir; Jun 1985 President, 1986 CHM.

           MARSHALL, born 1929, married. 1951 Univ of Illinois, BS; also

      attended Bradley Univ; 1953-present AT&T; 1980 Asst Treas, 1976 Vice

      Pres-Treas; 1985 Exec Vice President, 1986 V-CHM.

           TANENBAUM, born 1928 married. 1949 Johns Hopkins Univ, BA

      chemistry. 1950 Princeton Univ, MA chemistry. 1952 PhD in physical

      chemistry. 1952 to date AT&T, various positions, 1985 Ex Vice Pres, 1986

      V-CHM.

           PRENDERGAST, born 1941 married. 1963 Brown Univ, BA. 1969 New York

      Univ, MBA. 1963-1973 Western Electric Company; 1973 to date AT&T, 1980

      Asst Treas, 1984 V Pres-Treas.

           COLWELL, born 1927. Attended AT&T Institute of Technology.

      1945-1947 U S Army. Employed by AT&T and its subsidiaries since 1948 in

      various positions. 1984 Vice Pres & Contr, AT&T Technologies Inc

      (subsidiary); 1985-present V Pres-Contr.

           ALLEN  born 1935 married. 1957 Wabash College BA. Has held a

      variety of executive positions with former Bell Operating subsidiaries

      and AT&T subsidiaries. Appointed to current position in 1986.

           TOBIAS born 1943. 1964 Indiana University with a BS in Marketing.

      Has held a variety of management and executive positions with former

      Bell Operating subsidiaries and AT&T subsidiaries. Elected to current

      position in 1986.

           OTHER  OFFICERS: James R. Billingsley, Sr V Pres Federal

      Regulation; Michael Brunner, Ex V Pres Federal Systems; Harold

      Burlingame, Sr V Pres Public Relations and Employee Information;

      Vittorio Cassoni, Sr V Pres Data Systems Division; Richard Holbrook, Sr

      V Pres Business Sales; Robert Kavner, Sr V Pres & CFO; Gerald Lowrie, Sr

      V Pres Public Affairs; John Nemecek, Ex V Pres Components & Electronic

      Systems; John O'Neill, Ex V Pres National Systems Products; Alfred

      Partoll, Sr V Pres External Affairs; John Segall, Sr V Pres Corporate

      Strategy & Development; Alexander Stack, Sr V Pres Communications

      Systems; Paul Villiere, Ex V Pres Network Systems Marketing and Customer

      Operations; John Zegler, Sr V Pres and General Counsel; and Lydell

      Christensen, Corp V Pres and Secretary.

           DIRECTORS: MCHENRY, research professor, Georgetown University.

      BAKER JR, partner, Vinson & Elkins and Baker, Worthington, Crossley,

      Stansberry & Woolf, attorneys. EVANS, former Chairman, Union Pacific

      Corporation. HAAS, Chairman, Levi Strauss & Company. HAWLEY, Chairman,

      Carter Hawley Hale Stores Inc. JEFFERSON, former Chairman, E.I. du Pont

      de Nemours and Company. JOHNSON, private investor and owner of The

      Chaparrosa Ranch. KREPS, former United States Secretary of Commerce.

      PERKINS, former Chairman, Jewel Companies Inc. SCHACHT, Chairman,

      Cummins Engine Company Inc. SOVERN, President, Columbia University.

      WARNER JR, former Chairman, Mobil Corporation. WILLIAMS, Chairman,

      Warner Lambert Company. WYMAN, former Chairman, CBS Inc.

           As  a  result of an antitrust action entered against American

      Telephone and Telegraph Company (AT&T) by the Department of Justice,

      AT&T agreed in Jan 1982 to break up its holdings. In Aug 1982, the U. S.

      District Court-District of Columbia, entered a consent decree requiring

      AT&T to divest itself of portions of its operations.

           The  operations affected consisted of exchange telecommunications,

      exchange access functions, printed directory services and cellular radio

      telecommunications services. AT&T retained ownership of AT&T

      Communications Inc, AT&T Technologies Inc, Bell Telephone Laboratories

      Incorporated, AT&T Information Systems Inc, AT&T International Inc and

      those portions of the 22 Bell System Telephone Company subsidiaries

      which manufactured new customer premises equipment. The consent decree,

      with modifications, was agreed to by AT&T and the U. S. Department of

      Justice and approved by the U. S. Supreme Court in Feb 1983. In Dec

      1982, AT&T filed a plan of reorganization, outlining the means of

      compliance with the divestiture order. The plan was approved by the

      court in Aug 1983.

           The divestiture completed on Jan 1 1984, was accomplished by the

      reorganization of the 22 principal AT&T Bell System Telephone Company

      subsidiaries under 7 new regional holding companies. Each AT&T common

      shareowner of record as of Dec 10 1983 received 1 share of common stock

      in each of the newly formed corporations for every 10 common shares of

      AT&T. AT&T common shareowners retained their AT&T stock ownership.

           The   company has an ownership interest in certain ventures to

      include:

           (1) Owns 22% of the voting stock of Ing C. Olivetti & C., S.p.A. of

      Milan, Italy with which the company develops and markets office

      automation products in Europe.

           (2) Owns 50% of a joint venture with the N. V. Philips Company of

      the Netherlands organized to manufacture and market switching and

      transmission systems in Europe and elsewhere.

           (3) Owns 44% of a joint venture with the Goldstar Group of the

      Republic of Korea which manufactures switching products and distributes

      the company's 3B Family of Computers in Korea.

           The company also maintains stock interests in other concerns.

           In addition to joint venture activities described above,

      intercompany relations have also included occasional advances from

      subject.



      OPERATION

      04/20/87





           Through subsidiaries, provides intrastate, interstate and

      international long distance telecommunications and information transport

      services, a broad range of voice and data services including, Domestic

      and Long Distance Service, Wide Area Telecommunications Services (WATS),

      800 Service, 900 Dial It Services and a series of low, medium and high

      speed digital voice and data services known as Accunet Digital Services.

      Also manufactures telephone communications equipment and apparatus,

      communications wire and cable, computers for use in communications

      systems, as well as for general purposes, retails and leases telephone

      communications equipment and provides research and development in

      information and telecommunications technology. The company is subject to

      the jurisdiction of the Federal Communications Commission with respect

      to interstate and international rates, lines, services and other

      matters. Terms: Net 30, cash and contract providing for progress

      payments with final payment upon completion. The company's AT&T

      Communications Inc subsidiary provides interstate and intrastate long

      distance communications services for 80 million residential customers

      and 7 million businesses. Sells to a wide variety of businesses,

      government agencies, individuals and others. Nonseasonal.

           EMPLOYEES: 317,000 including officers. 1,800 employed here.

           FACILITIES: Owns premises in multi story steel building in good

      condition. Premises neat.

           LOCATION: Central business section on main street.

           BRANCHES: The company's subsidiaries operate 19 major manufacturing

      plants located throughout the United States containing a total 26.2

      million square feet of space of which 1.49 million square feet were in

      leased premises. There are 7 regional centers and 24 distribution

      centers. In addition, there are numerous domestic and foreign branch

      offices.

           SUBSIDIARIES: The company had numerous subsidiaries as of Dec 31

      1986. Subsidiaries perform the various services and other functions

      described above. Its unconsolidated finance subsidiary, AT&T Credit

      Corporation, provides financing to customers through leasing and

      installment sales programs and purchases from AT&T's subsidiaries the

      rights to receivables under long-term service agreements. Intercompany

      relations consist of parent making occasional advances to subsidiaries

      and service transactions settled on a convenience basis. A list of

      principal subsidiaries as of Dec 31 1986 is on file at the Millburn, NJ

      office of Dun & Bradstreet.




      Chemical Bank, 277 Park Ave; Marine Midland Bank, 140 Broadway; Chase

      Manhattan Bank, 1 Chase Manhattan Plaza



      12/31/86 COMBINATION FISCAL

      (Figures are in THOUSANDS)



      FINANCIALS                                        %     COMPANY    INDST

                                           COMPANY    CHANGE     %      NORM %

      Total Current Assets. . . . .    15,572,000      (8.0)    40.0     22.0

      Fixed Assets. . . . . . . . .    21,078,000      (4.7)    54.2     35.6

      Other Non-current Assets. . .     2,233,000      55.9      5.7     42.4

      Total Assets. . . . . . . . .    38,883,000      (3.9)   100.0    100.0

      Total Current Liabilities . .    11,217,000      (2.4)    28.8     11.6

      Other Long Term Liab. . . . .    13,204,000      38.2     34.0     46.8

      Net Worth . . . . . . . . . .    14,462,000      (1.2)    37.2     35.2

      Total Liabilities & Worth. .     38,883,000      (3.9)   100.0    100.0

      Net Sales . . . . . . . . . .    34,087,000      (2.4)   100.0    100.0

      Gross Profit. . . . . . . . .    15,838,000      ----     46.5     40.1



      RATIOS                                     %    ---INDUSTRY QUARTILES---



                                      COMPANY  CHANGE   UPPER  MEDIAN   LOWER

      Quick Ratio . . . . . . . . .      0.9   (10.0)     2.9     1.2     0.6

      Current Ratio . . . . . . . .      1.4    (6.7)     4.9     2.2     1.0

      Total Liab to Net Worth (%) .    168.9    (4.3)   127.4   180.2   297.2

      Sales to Inventory. . . . . .      9.7    32.9     56.2    33.8    20.0

      Return on Sales (%) . . . . .      0.4   (91.1)    20.1    14.6    11.3

      Return on Assets (%). . . . .      0.4   (89.5)     7.2     5.7     3.7

      Return on Net Worth (%) . . .      1.0   (90.6)    19.0    15.9    12.8



          Industry norms based on 469  firms,

          with assets over $5 million.





End_of_File.






          File 3 of 12 : Dun & Bradstreet Report on Pacific Telesis







 Pacific Telesis Credit File, taken from Dun & Bradstreet by Elric of Imrryr







Name & Address:

      PACIFIC TELESIS GROUP (INC)

      140 New Montgomery St

      SAN FRANCISCO, CA 94105



      Telephone: 415-882-8000



      DUNS Number: 10-346-0846



      Line of Business: TELECOMMUNICATION SERVICES



      Primary SIC Code: 4811

      Secondary SIC Codes: 2741 5063 5732 6159



      Year Started:  1906                 (12/31/86)  COMBINATION FISCAL

      Employees Total:      74,937        Sales:            8,977,300,000

      Employees Here:        2,000        Net Worth:        7,753,300,000



      This is a PUBLIC company





      12/31/86 COMBINATION FISCAL

      (Figures are in THOUSANDS)



      FINANCIALS                                        %     COMPANY    INDST

                                           COMPANY    CHANGE     %      NORM %

      Cash. . . . . . . . . . . . .       200,600     671.5      1.0      9.0

      Accounts Receivable . . . . .     1,390,700      (3.8)     6.8      5.7

      Notes Receivable. . . . . . .          ----      ----     ----      0.2

      Inventory . . . . . . . . . .       116,300      (4.4)     0.6      1.3

      Other Current Assets. . . . .       448,700      18.6      2.2      5.8



      Total Current Assets. . . . .     2,156,300       9.3     10.6     22.0



      Fixed Assets. . . . . . . . .    17,244,900       1.6     84.9     35.6

      Other Non-current Assets. . .       919,300      53.8      4.5     42.4



      Total Assets. . . . . . . . .    20,320,500       4.0    100.0    100.0



      Accounts Payable. . . . . . .     1,760,300      74.1      8.7      4.2

      Bank Loans. . . . . . . . . .        21,800     847.8      0.1      0.2



      Notes Payable . . . . . . . .          ----      ----     ----      1.0

      Other Current Liabilities . .       623,000     (35.8)     3.1      6.2



      Total Current Liabilities . .     2,405,100      21.3     11.8     11.6



      Other Long Term Liab. . . . .     5,564,600      (7.6)    27.4     46.8

      Deferred Credits. . . . . . .     4,597,500       9.0     22.6      6.4

      Net Worth . . . . . . . . . .     7,753,300       6.0     38.2     35.2



      Total Liabilities & Worth. .     20,320,500       4.0    100.0    100.0



      Net Sales . . . . . . . . . .     8,977,300       5.6    100.0    100.0

      Gross Profit. . . . . . . . .          ----      ----     ----     40.1

      Net Profit After Tax. . . . .     1,079,400      16.2     12.0     15.3

      Dividends/Withdrawals . . . .       654,100      10.0      7.3      7.7

      Working Capital . . . . . . .       248,800    (999.9)    ----     ----



      RATIOS                                     %    ---INDUSTRY QUARTILES---

                                      COMPANY  CHANGE   UPPER  MEDIAN   LOWER

          (SOLVENCY)



      Quick Ratio . . . . . . . . .      0.7    ----      2.9     1.2     0.6

      Current Ratio . . . . . . . .      0.9   (10.0)     4.9     2.2     1.0

      Curr Liab to Net Worth (%). .     31.0    14.4     13.2    26.4    38.1

      Curr Liab to Inventory (%). .    999.9    26.9    244.8   475.8   675.0

      Total Liab to Net Worth (%) .    162.1    (2.9)   127.4   180.2   297.2

      Fix Assets to Net Worth (%) .    222.4    (4.1)   144.9   215.0   263.0



          (EFFICIENCY)

      Coll Period (days). . . . . .     56.5    (9.0)    31.9    46.7    61.6

      Sales to Inventory. . . . . .     77.2    10.6     56.2    33.8    20.0

      Assets to Sales (%) . . . . .    226.4    (1.5)   210.5   266.1   373.4

      Sales to Net Working Cap. . .     ----    ----      6.3     2.3     1.1

      Acct Pay to Sales (%) . . . .     19.6    64.7      4.9     8.7    13.8



          (PROFITABILITY)

      Return on Sales (%) . . . . .     12.0    10.1     20.1    14.6    11.3

      Return on Assets (%). . . . .      5.3    10.4      7.2     5.7     3.7

      Return on Net Worth (%) . . .     13.9     9.4     19.0    15.9    12.8



          Industry norms based on 469  firms,



          with assets over $5 million.



      12/31/85 COMBINATION FISCAL

      (Figures are in THOUSANDS)



      FINANCIALS                                        %     COMPANY    INDST

                                           COMPANY    CHANGE     %      NORM %

      Cash. . . . . . . . . . . . .        26,000     550.0      0.1      7.5

      Accounts Receivable . . . . .     1,446,200      20.6      7.4      5.6

      Notes Receivable. . . . . . .          ----      ----     ----      0.4

      Inventory . . . . . . . . . .       121,700      ----      0.6      1.2

      Other Current Assets. . . . .       378,300      (8.3)     1.9      5.1



      Total Current Assets. . . . .     1,972,200      22.1     10.1     19.8



      Fixed Assets. . . . . . . . .    16,968,400       6.1     86.8     39.2

      Other Non-current Assets. . .       597,700      29.4      3.1     41.0



      Total Assets. . . . . . . . .    19,538,300       8.1    100.0    100.0





      Accounts Payable. . . . . . .     1,011,100      14.6      5.2      4.9

      Bank Loans. . . . . . . . . .         2,300      ----     ----      0.3

      Notes Payable . . . . . . . .          ----      ----     ----      0.8

      Other Current Liabilities . .       969,900      18.6      5.0      5.9



      Total Current Liabilities . .     1,983,300      (1.0)    10.2     11.9



      Other Long Term Liab. . . . .     6,021,700       0.8     30.8     46.8

      Deferred Credits. . . . . . .     4,216,300      16.6     21.6      6.8

      Net Worth . . . . . . . . . .     7,317,000      12.9     37.4     34.5



      Total Liabilities & Worth. .     19,538,300       8.1    100.0    100.0



      Net Sales . . . . . . . . . .     8,498,600       8.6    100.0    100.0

      Gross Profit. . . . . . . . .          ----      ----     ----     33.7

      Net Profit After Tax. . . . .       929,100      12.1     10.9     14.0

      Dividends/Withdrawals . . . .       594,400      11.9      7.0     13.0

      Working Capital . . . . . . .        11,100      ----     ----     ----



      RATIOS                                     %    ---INDUSTRY QUARTILES---



                                      COMPANY  CHANGE   UPPER  MEDIAN   LOWER

          (SOLVENCY)

      Quick Ratio . . . . . . . . .      0.7    16.7      2.5     1.1     0.6

      Current Ratio . . . . . . . .      1.0    25.0      3.8     1.9     0.9

      Curr Liab to Net Worth (%). .     27.1   (12.3)    15.8    29.4    43.9

      Curr Liab to Inventory (%). .    999.9    ----    285.7   485.5   790.6

      Total Liab to Net Worth (%) .    167.0    (6.7)   134.4   190.1   320.9

      Fix Assets to Net Worth (%) .    231.9    (6.0)   148.4   219.0   289.5



          (EFFICIENCY)

      Coll Period (days). . . . . .     62.1    11.1     31.5    47.2    63.8

      Sales to Inventory. . . . . .     69.8    ----     52.3    31.4    18.0

      Assets to Sales (%) . . . . .    229.9    (0.5)   217.1   277.8   356.8

      Sales to Net Working Cap. . .     ----    ----      6.0     2.7     1.6

      Acct Pay to Sales (%) . . . .     11.9     5.3      6.1    10.4    15.7



          (PROFITABILITY)

      Return on Sales (%) . . . . .     10.9     2.8     19.0    13.6     9.5

      Return on Assets (%). . . . .      4.8     4.3      6.9     5.3     3.4

      Return on Net Worth (%) . . .     12.7    (0.8)    19.7    15.8    12.7





          Industry norms based on 605  firms,

          with assets over $5 million.



      12/31/84 COMBINATION FISCAL

      (Figures are in THOUSANDS)



      FINANCIALS                                     COMPANY    INDST

                                           COMPANY      %      NORM %

      Cash. . . . . . . . . . . . .         4,000      ----      6.6

      Accounts Receivable . . . . .     1,198,800       6.6      6.3

      Notes Receivable. . . . . . .          ----      ----      0.4

      Inventory . . . . . . . . . .          ----      ----      1.2

      Other Current Assets. . . . .       412,400       2.3      4.1



      Total Current Assets. . . . .     1,615,200       8.9     18.6



      Fixed Assets. . . . . . . . .    15,999,500      88.5     45.0

      Other Non-current Assets. . .       461,800       2.6     36.4





      Total Assets. . . . . . . . .    18,076,500     100.0    100.0



      Accounts Payable. . . . . . .       882,100       4.9      5.2

      Bank Loans. . . . . . . . . .          ----      ----      0.2

      Notes Payable . . . . . . . .       304,000       1.7      1.0

      Other Current Liabilities . .       817,600       4.5      5.5



      Total Current Liabilities . .     2,003,700      11.1     11.9



      Other Long Term Liab. . . . .     5,973,500      33.0     47.8

      Deferred Credits. . . . . . .     3,617,000      20.0      6.5

      Net Worth . . . . . . . . . .     6,482,300      35.9     33.8



      Total Liabilities & Worth. .     18,076,500     100.0    100.0



      Net Sales . . . . . . . . . .     7,824,300     100.0    100.0

      Gross Profit. . . . . . . . .          ----      ----     28.1

      Net Profit After Tax. . . . .       828,500      10.6     14.1

      Dividends/Withdrawals . . . .       531,200       6.8      7.3

      Working Capital . . . . . . .       388,500      ----     ----





      RATIOS                                 ---INDUSTRY QUARTILES---

                                      COMPANY  UPPER  MEDIAN   LOWER

          (SOLVENCY)

      Quick Ratio . . . . . . . . .      0.6     2.3     1.0     0.6

      Current Ratio . . . . . . . .      0.8     3.4     1.6     0.9

      Curr Liab to Net Worth (%). .     30.9    17.7    30.6    43.5

      Curr Liab to Inventory (%). .     ----   312.5   491.6   754.3

      Total Liab to Net Worth (%) .    178.9   139.2   193.7   314.9

      Fix Assets to Net Worth (%) .    246.8   161.5   228.9   295.3



          (EFFICIENCY)

      Coll Period (days). . . . . .     55.9    34.3    51.6    67.8

      Sales to Inventory. . . . . .     ----    52.1    32.6    20.1

      Assets to Sales (%) . . . . .    231.0   216.7   268.2   353.0

      Sales to Net Working Cap. . .     ----     7.2     3.1     1.7

      Acct Pay to Sales (%) . . . .     11.3     6.2    10.9    15.4



          (PROFITABILITY)

      Return on Sales (%) . . . . .     10.6    18.5    13.1     9.8

      Return on Assets (%). . . . .      4.6     7.0     5.3     3.3



      Return on Net Worth (%) . . .     12.8    19.7    15.7    12.6



          Industry norms based on 504  firms,

          with assets over $5 million.





             END OF DOCUMENT









Name & Address:

      PACIFIC TELESIS GROUP (INC)

      140 New Montgomery St

      SAN FRANCISCO, CA 94105



      Telephone: 415-882-8000



      DUNS Number: 10-346-0846



      Line of Business: TELECOMMUNICATION SERVICES



      Primary SIC Code: 4811

      Secondary SIC Codes: 2741 5063 5732 6159



      Year Started:  1906                 (12/31/86)  COMBINATION FISCAL

      Employees Total:      74,937        Sales:            8,977,300,000

      Employees Here:        2,000        Net Worth:        7,753,300,000



      This is a PUBLIC company







      HISTORY

      09/01/87



      DONALD E GUINN, CHB PRES+          THEODORE J SAENGER, V CHB GROUP

                                         PRES+

      SAM L GINN, V CHB+                 JOHN E HULSE, V CHB CFO+

      ROBERT V R DALENBERG, EX V PRES    BENTON W DIAL, EX V PRES-HUM

      GEN COUNSEL SEC                    RESOURCES

      ARTHUR C LATNO JR, EX V PRES       THOMAS G CROSS, V PRES TREAS

      FRANK V SPILLER, V PRES

      COMPTROLLER

      DIRECTOR(S): The officers identified by (+) and Norman Barker Jr,

      William P Clark, William K Coblentz, Myron Du Bain, Herman E Gallegos

      James R Harvey, Ivan J Houston, Leslie L Luttgens, E L Mc Neely, S

      Donley Ritchey, William French Smith & Mary S Metz.

           Incorporated Nevada Oct 26 1983. Authorized capital consists of

      505,000,000 shares common stock, $.10 par value.

           OUTSTANDING CAPITAL STOCK: Consists of following at Dec 31 1986:

      215,274,878 common shares at a stated value of $21.5 million plus

      additional paid in capital of $5,068.5 million.

           The stock is publicly traded on the New York, Pacific and Midwest

      Stock Exchanges. There were 1,170,161 common shareholders at Feb 1 1987.

      Officers and directors as a group hold less than 1% of stock. No other

      entity owned more than 5% of the common stock outstanding.

           The  authorized capital stock was increased to $1,100,000,000

      shares in 1987 by Charter Amendment. In addition, the company declared a

      two-for-one stock split in the form of a 100% stock dividend effective

      Mar 25 1987.

           BACKGROUND: This business was founded in 1906 as a California

      Corporation. The Pacific Telephone & Telegraph Company formed Dec 31

      1906. Majority of the stock was held by American Telephone & Telegraph

      Co (A T & T), New York, NY, prior to divestiture.

           DIVESTITURE: Pursuant to a court order of the U S District Court for

      the District of Columbia, A T & T divested itself of the exchange,

      telecommunications, exchange access and printing directory advertising

      portions of its 22 wholly-owned subsidiary operating telephone

      companies, including the Pacific Telephone & Telegraph Company. A T & T

      retains ownership of the former A T & T long lines interstate

      organization, as well as those portions of the subsidiaries that provide

      interchange services and customer premises equipment. To accomplish the

      divestiture, this regional holding company was formed, which took over

      the applicable operations and assets of the Pacific Telephone &

      Telegraph Company and its subsidiary, Bell Telephone Company of Nevada.

      Stock in the subject was distributed to the shareholders of A T & T, who

      also retained their existing A T & T Stock. The divestiture was

      accomplished on Jan 1 1984.

           RECENT EVENTS: During Jun 1986, the company completed the

      acquisition of Communications Industries Inc, Dallas, TX.

           In Dec 1986, the company's wholly-owned subsidiary Pac Tel Cellular

      Inc of Michigan signed an agreement to purchase five cellular telephone

      properties for $316 million plus certain contingent payments. These five

      systems operate under the name of Cellular One. This acquisition is

      subject to regulatory and court approval and final legal review.

           ------------------------OFFICERS------------------------.

           GUINN born 1932 married. 1954 received BSCE from Oregon State

      University. 1954-60 with The Pacific Telephone & Telegraph Company, San

      Francisco, CA. 1960-64 with Pacific Northwest Bell Telephone Co,

      Seattle, WA, as vice president. 1964-70 with A T & T. 1970-76 with

      Pacific Northwest Bell. 1976-80 with A T & T as vice president-network

      service. 1980 chairman and chief executive officer of The Pacific

      Telephone & Telegraph Company. 1984 with Pacific Telesis Group as

      chairman, president and chief executive officer.

           SAENGER born 1928 married. 1951 received BS from the University of

      California. 1946-47 in the U S Army. 1951-52 secretary and manager for

      the Oakland Junior Chamber of Commerce. 1950-70 held various positions

      with The Pacific Telephone & Telegraph Company. 1970-71 traffic

      operations director for Network Administration in New York, A T & T.

      1971 with The Pacific Telephone & Telegraph Company. 1974 vice

      president. 1977 president. 1984 with Pacific Telesis Group as vice

      chairman and president, Pacific Bell.

           GINN born 1937 married. 1959 graduated from Auburn University. 1969

      received MS from Stanford University. 1959-60 in the U S Army Signal

      Corps as captain. 1960 joined A T & T Long Lines. 1977 vice

      president-staff for A T & T Long Lines. 1978 joined The Pacific

      Telephone & Telegraph Company as executive vice president-network. 1983

      vice chairman. 1984 with Pacific Telesis Group as vice chairman and

      group president, PacTel Companies.

           HULSE  born 1933 married. 1955 received BS from the University of

      South Dakota. 1956-58 in the U S Army. 1958 joined Northwestern Bell

      Telephone Co. 1980 joined The Pacific Telephone & Telegraph Company as

      executive vice president and chief financial officer. 1983 vice

      chairman. 1984 with Pacific Telesis Group as vice chairman and chief

      financial officer.

           LATNO  born 1929 married. Received BS degree from the University of

      Santa Clara. 1952 with Pacific Telephone & Telegraph Co. 1972 vice

      president-regulatory. 1975 executive vice president-external affairs.

      1984 with Pacific Telesis Group as executive vice president-external

      affairs.

           DALENBERG born 1930 married. Graduated from the University of

      Chicago Law School and Graduate School of Business. 1956 admitted to

      practice at the Illinois Bar and in 1973 the California Bar. 1957-67

      private law practice in Chicago, IL. 1967-72 general attorney for

      Illinois Bell. 1972-75 general attorney for The Pacific Telephone &

      Telegraph Company. 1975 associate general counsel. 1976 vice president

      and secretary-general counsel. 1984 with Pacific Telesis Group as

      executive vice president and general counsel-secretary.

           CROSS. Vice President and Treasurer and also Vice President of

      Pacific Bell.

           DIAL  born 1929 married. 1951 received BA from Whittier College.

      1961 received MS from California State University. 1951-53 in the U S

      Army. 1954 with The Pacific Telephone & Telegraph Company. 1973 vice

      president-regional staff and operations service for Southern California.

      1976 vice president-customer operations in Los Angeles, CA. 1977 vice

      president-corporate planning. 1980 vice president-human resources. 1984

      with Pacific Telesis Group as executive vice president-human resources.

           SPILLER born 1931 married. 1953 received BS from the University of

      California, San Francisco. 1954-56 in the U S Army as a second

      lieutenant. 1953 with The Pacific Telephone & Telegraph Company. 1977

      assistant comptroller. 1981 assistant vice president-finance management.

      1981 vice president and comptroller. 1984 with Pacific Telesis Group as

      vice president and comptroller.

           ---------------------OTHER DIRECTORS---------------------.

           BARKER. Retired chairman of First Interstate Bank Ltd.

           CLARK. Of counsel to the law firm of Rogers & Wells.

           COBLENTZ. Senior Partner in Coblentz, Cahen, Mc Cabe & Breyer,

      Attorneys, San Francisco, CA.

           DU BAIN. Chairman of SRI International.

           GALLEGOS. Management consultant.

           HARVEY. Chairman, and chief executive officer of Transamerica

      Corporation, San Francisco, CA.

           HOUSTON. Chairman and chief executive officer of Golden State

      Mutual Life Insurance Co.

           LUTTGENS. Is a community leader.

           MC NEELY. Chairman and chief executive officer of Oak Industries,

      Inc, San Diego, CA.

           RITCHEY. Retired Chairman of Lucky Stores Inc.

           SMITH. Partner in Gibson, Dunn & Crutcher, Attorneys.

           METZ.  President of Mills College.



      OPERATION

      09/01/87



           Pacific Telesis Group is a regional holding company whose

      operations are conducted by subsidiaries.

           The company's two major subsidiaries, Pacific Bell and Nevada Bell,

      provide a wide variety of communications services in California and

      Nevada, including local exchange and toll service, network access and

      directory advertising, and provided over 90% of total 1986 revenues.

           Other  subsidiaries, as noted below, are engaged in directory

      publishing, cellular mobile communications and services, wholesaling of

      telecommunications products, integrated systems and other services,

      retails communications equipment and supplies, financing services for

      products of affiliated customers, real estate development, and

      consulting. Specific percentages of these operations are not available

      but in the aggregate represent approximately 10%.

           Terms are net 30 days. Has over 11,000,000 accounts. Sells to the

      general public and commercial concerns. Territory: Worldwide.

           EMPLOYEES: 74,937 including officers. 2,000 employed here.

      Employees are on a consolidated basis as of Dec 31 1986.

           FACILITIES: Owns over 500,000 sq. ft. in 20 story concrete and

      steel building in good condition. Premises neat.

           LOCATION: Central business section on side street.

           BRANCHES: The subject maintains minor additional administrative

      offices in San Francisco, CA, but most operating branches are conducted

      by the operating subsidiaries, primarily Pacific Bell and Nevada Bell in

      their respective states.

           SUBSIDIARIES: The Company has the following principal

      operating subsidiaries, all wholly-owned either directly or indirectly.

      The telephone subsidiaries account for over 90% of the operating

      results.

           (1)  Pacific Bell (Inc) San Francisco CA. Formed 1906 as a

      California corporation. Acquired in 1984 as part of the divestiture of

      AT&T. It is the company's largest subsidiary. It provides

      telecommunication services within its service area in California.

           (2)  Nevada Bell (Inc) Reno NV. Incorporated in 1913. Acquired from

      Pacific Bell in 1984 by the divestiture of its stock. Provides

      telecommunications services in Nevada.

           (3)   Pac Tel Cellular Inc, TX. Renamed subsidiary formerly known

      as Communications Industries Inc. Acquired in 1986. Operates as a

      marketer of cellular and paging services. This subsidiary, in turn, has

      several primary subsidiaries as follows:.

           (a) Gen Com Incorporated. Provides personal paging services.

           (b) Multicom Incorporated. Markets paging services.

           (4) Pac Tel Personal Communications. Formed to eventually hold all

      of the company's cellular and paging operations. It is the parent of the

      following:.

           (c)   Pac Tel Cellular supports the company's cellular activities.

           (d)  Pac Tel Mobile Services-formed to rent and sell cellular CPE

      and paging equipment and resell cellular services, is now largely

      inactive.

           (5) Pac Tel Corporation, San Francisco CA began operations in Jan

      1986 as a direct holding company subsidiary. It owns the stock of the

      following companies:.

           (e) Pac Tel Communications Companies-operates two primary

      divisions, Pac Tel Info Systems and Pac Tel Spectrum Services.

           (f) Pac Tel Finance-provides lease financing services.

           (g)  Pac Tel Properties-engages in real estate transactions holding

      real estate valued at approximately $140 million at Dec 31 1986.

           (h) Pac Tel Publishing -inactive at present.

           (i)  Pacific Telesis International-manages and operates

      telecommunication businesses in Great Britain, Japan, South Korea, Spain

      and Thailand.

           (6) Pac Tel Capital Resources, San Francisco, CA -provides funding

      through the sale of debt securities.

           INTERCOMPANY RELATIONS: Includes common management, intercompany

      services, inventory and equipment transactions, loans and advances. In

      addition, the debt of Pac Tel Capital Resources is backed by a support

      agreement from the parent with the debt unconditionally guaranteed for

      repayment without recourse to the stock or assets of the telephone

      subsidiaries or any interest therein.

      08-27(1Z2   /27)         29709                    052678678   H

      ANALYST: Dan Quinn



      12/31/86 COMBINATION FISCAL

      (Figures are in THOUSANDS)



      FINANCIALS                                        %     COMPANY    INDST

                                           COMPANY    CHANGE     %      NORM %

      Total Current Assets. . . . .     2,156,300       9.3     10.6     22.0

      Fixed Assets. . . . . . . . .    17,244,900       1.6     84.9     35.6

      Other Non-current Assets. . .       919,300      53.8      4.5     42.4

      Total Assets. . . . . . . . .    20,320,500       4.0    100.0    100.0

      Total Current Liabilities . .     2,405,100      21.3     11.8     11.6

      Other Long Term Liab. . . . .     5,564,600      (7.6)    27.4     46.8

      Net Worth . . . . . . . . . .     7,753,300       6.0     38.2     35.2

      Total Liabilities & Worth. .     20,320,500       4.0    100.0    100.0

      Net Sales . . . . . . . . . .     8,977,300       5.6    100.0    100.0

      Gross Profit. . . . . . . . .          ----      ----     ----     40.1





      RATIOS                                     %    ---INDUSTRY QUARTILES---

                                      COMPANY  CHANGE   UPPER  MEDIAN   LOWER

      Quick Ratio . . . . . . . . .      0.7    ----      2.9     1.2     0.6

      Current Ratio . . . . . . . .      0.9   (10.0)     4.9     2.2     1.0

      Total Liab to Net Worth (%) .    162.1    (2.9)   127.4   180.2   297.2

      Sales to Inventory. . . . . .     77.2    10.6     56.2    33.8    20.0

      Return on Sales (%) . . . . .     12.0    10.1     20.1    14.6    11.3

      Return on Assets (%). . . . .      5.3    10.4      7.2     5.7     3.7

      Return on Net Worth (%) . . .     13.9     9.4     19.0    15.9    12.8



          Industry norms based on 469  firms,

          with assets over $5 million.



                        % = % = % = % = % = % = % = %

                        =                           =

                        %   P h r a c k   X V I I   %

                        =                           =

                        % = % = % = % = % = % = % = %



                              Phrack  Seventeen

                                07 April 1988



                 File 4 of 12 : Nitrogen-Trioxide Explosives





------------------------------------------------------------------------------

Working notes on Nitrogen Tri-Iodide (NI-3)



By: Signal Sustain







INTRODUCTION



This particular explosive is a real loser.  It is incredibly unstable,

dangerous to make, dangerous to work with, and you can't do much with it,

either.  A string of Black Cats is worth far more.  At least you can blow up

anthills with those.



NI-3 is basically a compound you can make easily by mixing up iodine crystals

and ammonia.  The resulting precipitate is very powerful and very unstable.

It is semi stable when wet (nothing you want to trust) and absolutely unstable

when dry.  When dry, anything will set it off, such as vibration, wind, sun, a

fly landing on it.  It has to be one of the most unstable explosives you can

deal with.



But it's easy to make.  Anyone can walk into a chem supply house, and get a

bottle of iodine, and and a supermarket, and get clear ammonia.  Mix them and

you're there.  (See below for more on this)



So, some of you are going to try it, so I might as well pass on some tips from

hard experience.  (I learned it was a loser by trying it).





Use Small Batches





First, make one very small batch first.  Once you learn how powerful this

stuff is, you'll see why.  If you're mixing iodine crystals (that's right,

crystals, iodine is a metal, a halogen, and its solid form is crystals; the

junk they sell as "iodine" in the grocery store is about 3% iodine in a bunch

of solvents, and doesn't work for this application), you want maybe 1/4

teaspoonful MAX, even less maybe.  1/4 TSP of this stuff is one hellacious

bang; it rattled the windows for a block around when it went off in my back

yard.



So go with 1/4 TSP, if I can talk you into it.  The reason is the instability

of this compound.  If you mix up two teaspoonfuls and it goes off in your

hand, kiss your hand goodbye right down to the wrist.  A bucketful would

probably level any house you'll find.  But 1/4 teaspoon, you might keep your

fingers.  Since I know you're not going to mix this stuff up with remote

tools, keep the quantities small.  This stuff is so unstable it's best to

hedge your bets.



Note:  When holding NI3, try to hold with remote tools -- forceps?  But if you

have to pick it up, fold your thumb next to your first finger, and grip around

with your fingers only.  Do not grip the flask the conventional way, fingers

on one side, thumb of the other.  This way, if it goes, you may still have an

opposing thumb, which is enough to get by with.



The compound is far more stable when wet, but not certain-stable.  That's why

companies that make explosives won't use it; even a small chance of it blowing

up is too dangerous.  (They still lose dynamite plants every now and then,

too, which is why they're fully automated).  But when this stuff gets dry,

look out.  Heinlein says "A harsh look will set it off", and he isn't kidding.

Wind, vibration, a breath across it, anything will trigger it off.  (By the

way, Heinlein's process, from  SF book "Farnham's Freehold", doesn't work,

either -- you can't use iodine liquid for this.  You must use iodine

crystals.)



Don't Store It



What's so wickedly dangerous is if you try to store the stuff.  Say you put it

in a cup.  After a day, a crust forms around the rim of the liquid, and it

dries out.  You pick up the cup, kabang!, the crust goes off, and the liquid

goes up from the shock.  Your fingers sail into your neighbor's lawn.  If you

make this, take extreme pains to keep it all wet.  At least stopper the

testtube, so it can't evaporate.





Making It



Still want to make it?  Okay.  Get some iodine crystals at a chem supply

store.  If they ask, say you need to purify water for a camping trip, and

they'll lecture you on better alternatives (halazone) but you can still get

it.  Or, tell them you've been elected to play Mr. Wizard, and be honest --

you'll probably get it too.  Possession is not illegal.



Get as little as possible.  You need little and it's useless once you've tried

it once.  Aim for 1/4 teaspoonful.



Second, get some CLEAR, NON SUDSY ammonia at the store, like for cleaning

purposes (BUT NO SUDS!  They screw things up, it doesn't make the NI-3).



Third, pour ammonia in a bowl.  Peeew!  Nice smell.



Fourth, add 1/4 TSP or less of iodine crystals.  Note these crystals, which

looks like instant coffee, will attack other metals, so look out for your

tableware.  Use plastic everything (Bowl, spoon) if you can.  These crystals

will also leave long-standing iodine stains on hands, and that's damned

incriminating if there was just an NI-3 explosion and they're looking for who

did it.  Rubber gloves, please, dispose after use.



Now the crystals will sort of spread out.  Stir a little if need be.  Be

damned careful not to leave solution on the spoon that might dry.  It'll go

off if you do, believe me.  (Experience).



Let them spread out and fizzz.  They will.  Then after an hour or so there

will be left some reddish-brown glop in the bottom of the clear ammonia.  It's

sticky like mud, hard to handle..  That's the NI-3.



It is safe right now, as it is wet.  (DO NOT LET A RIM FORM ON THE AMMONIA

LIQUID!)







Using It



Now let's use up this junk right away and DON'T try to store it.



Go put it outside someplace safe.  In my high school, someone once sprinkled

tiny, tiny bits (like individual crystals) in a hallway.  Works good, it's

like setting off a cap under someone's shoe after the stuff dries.  You need

far less than 1/4 TSP for this, too.



Spread it out in the sun, let it dry.  DO NOT DISTURB.  If you hear a sudden

CRACK!, why, it means the wind just blew enough to set it off, or maybe it

just went off by itself.  It does that too.



It must be thoroughly dry to reach max instability where a harsh look sets it

off.  Of course the top crystals dry first, so heads up.  Any sharp impact

will set it off, wet or dry.



While you're waiting for it to dry, go BURN the plastic cup and spoon you made

it with.  You'll hear small snapping noises as you do; this is the solution

drying and going off in the flames.



After two hours or so, toss rocks at the NI3 from a long ways away, and you'll

see it go off.  Purplish fumes follow each explosion.  It's a sharp CRACK, you

can't miss it.



Anyway.  Like I say, most people make this because the ingredients are so

easily available.  They make it, say what the hell do I do now?, and sprinkle

tiny crystals in the hallway.  Bang bang bang.  And they never make it again,

because you only get one set of fingers per hand, and most people want to keep

them.



Or they put it in door locks (while still in the "sludge" form), and wait for

it to try.  Next person who sticks a key in there has a big surprise.



(This is also why most high school chem teachers lock up the iodine crystals.)



Getting Rid Of It



If you wash the NI-3 crystals down your kitchen sink, then you have to only

wait for them to dry out and go off.  They'll stick to the pipe (halogen

property, there).  I heard a set of pipes pop and crackle for days after this

was done.  I'd recommend going and throwing the mess into a vacant lots or

something, and trying to set it off so no one else does accidentally.



If you do this, good luck, and you've been warned.





-- Signal Sustain





------------------------------------------------------------------------------



                        % = % = % = % = % = % = % = %

                        =                           =

                        %   P h r a c k   X V I I   %

                        =                           =

                        % = % = % = % = % = % = % = %



                              Phrack  Seventeen

                                07 April 1988



                   File 5 of 12 : How to Hack Cyber Systems







How To Hack A CDC Cyber



By: ** Grey Sorcerer





Index:



1. General Hacking Tips

2. Fun with the card punch

3. Getting a new user number the easy way

4. Hacking with Telex and the CDC's batch design

5. Grabbing a copy of the whole System

6. Staying Rolled In with BREAK

7. Macro Library

8. RJE Status Checks

9. The Worm

10. The Checkpoint/Restart Method to a Better Validation





I'm going to go ahead and skip all the stuff that's in your CDC reference

manuals.. what's a local file and all that.  If you're at the point of being

ready to hack the system, you know all that; if not, you'll have to get up to

speed on it before a lot of this will make sense.  Seems to me too many "how

to hack" files are just short rewrites of the user manuals (which you should

get for any serious penetration attempt anyway, or you'll miss lots of

possibilities), without any tips on ways to hack the system.





General hacking tips:





Don't get caught.  Use remote dialups if possible and never never use any user

number you could be associated with.  Also never re-use a user number.

Remember your typical Cyber site has a zillion user numbers, and they can't

watch every one.  Hide in numbers.  And anytime things get "hot", lay off for

awhile.



Magtapes are great.  They hold about 60 Meg, a pile of data, and can hold even

more with the new drives.  You can hide a lot of stuff here offline, like

dumps of the system, etc., to peruse.  Buy a few top quality ones..  I like

Black Watch tapes my site sells to me the most, and put some innocuous crap on

the first few records..  data or a class program or whatever, then get to the

good stuff.  That way you'll pass a cursory check.  Remember a usual site has

THOUSANDS of tapes and cannot possibly be scanning every one; they haven't

time.



One thing about the Cybers -- they keep this audit trail called a "port log"

on all PPU and CPU accesses.  Normally, it's not looked at.  But just remember

that *everything* you do is being recorded if someone has the brains and the

determination (which ultimately is from you) to look for it.  So don't do

something stupid like doing real work on your user number, log off, log right

onto another, and dump the system.  They WILL know.



Leave No Tracks.



Also remember the first rule of bragging:  Your Friends Turn You In.



And the second rule:  If everyone learns the trick to increasing priority,

you'll all be back on the same level again, won't you?  And if you show just

two friends, count on this:  they'll both show two friends, who will show

four...



So enjoy the joke yourself and keep it that way.





Fun With The Card Punch





Yes, incredibly, CDC sites still use punch cards.  This is well in keeping

with CDC's overall approach to life ("It's the 1960's").



The first thing to do is empty the card punch's punchbin of all the little

punchlets, and throw them in someone's hair some rowdy night.  I guarantee the

little suckers will stay in their hair for six months, they are impossible to

get out.  Static or something makes them cling like lice.  Showers don't even

work.



The next thing to do is watch how your local installation handles punch card

decks.  Generally it works like this.  The operators love punchcard jobs

because they can give them ultra-low priority, and make the poor saps who use

them wait while the ops run their poster-maker or Star Trek job at high

priority.  So usually you feed in your punchcard deck, go to the printout

room, and a year later, out comes your printout.



Also, a lot of people generally get their decks fed in at once at the card

reader.



If you can, punch a card that's completely spaghetti -- all holes punched.

This has also been known to crash the cardreader PPU and down the system.  Ha,

ha.  It is also almost certain to jam the reader.  If you want to watch an

operator on his back trying to pick pieces of card out of the reader with

tweezers, here's your chance.



Next, the structure of a card deck job gives lots of possibilities for fun.

Generally it looks like this:



  JOB card:  the job name (first 4 characters)

  User Card:  Some user number and password -- varies with site

  EOR card:  7-8-9 are punched

  Your Batch job (typically, Compile This Fortran Program).  You know, FTN.

  LGO.  (means, run the Compiled Program)

  EOR card:  7-8-9 are punched

  The Fortran program source code

  EOR card:  7-8-9 are punched

  The Data for your Fortran program

  EOF card:  6-7-8-9 are punched.  This indicates:  (end of deck)



This is extremely typical for your beginning Fortran class.



In a usual mainframe site, the punchdecks accumulate in a bin at the operator

desk.  Then, whenever he gets to it, the card reader operator takes about

fifty punchdecks, gathers them all together end to end, and runs them through.

Then he puts them back in the bin and goes back to his Penthouse.





GETTING A NEW USER NUMBER THE EASY WAY





Try this for laughs:  make your Batch job into:



  JOB card:  the job name (first 4 characters)

  User Card:  Some user number and  password -- varies with site

  EOR card:  7-8-9 are punched

  COPYEI INPUT,filename:  This copies everything following the EOR mark to the

                          filename in this account.

  EOR Card:  7-8-9 are punched.



Then DO NOT put an EOF card at the end of your job.



Big surprise for the job following yours:  his entire punch deck, with, of

course, his user number and password, will be copied to your account.  This is

because the last card in YOUR deck is the end-of-record, which indicates the

program's data is coming next, and that's the next person's punch deck, all

the way up to -his- EOF card.  The COPYEI will make sure to skip those pesky

record marks, too.



I think you can imagine the rest, it ain't hard.
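
Added example, not part of the original article: a small Python model of the deck stream described above, showing why a deck with no EOF card swallows the next deck and how checking each deck on its own before stacking stops it.  The card markers, deck contents and function names are constructed for illustration.

```python
"""Constructed model of a card-reader input stream (not CDC code)."""

EOR = "<7-8-9>"      # end-of-record card
EOF = "<6-7-8-9>"    # end-of-file card, the only thing that ends a deck

# Two decks as they sit in the operator's bin (constructed sample data).
DECKS = [
    ("deck-1", ["JOB1", "USER,AAAA,PWA", EOR,
                "COPYEI INPUT,filename", EOR]),               # no EOF card
    ("deck-2", ["JOB2", "USER,BBBB,PWB", EOR, "FTN.", "LGO.", EOR,
                "      PROGRAM HELLO", EOR, "42", EOF]),
]


def concatenate(decks):
    """Operator behaviour from the article: stack the decks end to end."""
    return [card for _, deck in decks for card in deck]


def split_jobs(stream):
    """A job runs until an EOF card; nothing else separates jobs."""
    jobs, current = [], []
    for card in stream:
        if card == EOF:
            jobs.append(current)
            current = []
        else:
            current.append(card)
    if current:                       # cards left over with no EOF
        jobs.append(current)
    return jobs


def input_after_control_record(job):
    """Cards a copy-to-end-of-information would read: everything after the
    control-statement record, with record marks skipped."""
    marks = [i for i, card in enumerate(job) if card == EOR]
    if len(marks) < 2:
        return []
    return [card for card in job[marks[1] + 1:] if card != EOR]


def frame_decks(decks):
    """Hardened intake: check each deck on its own before stacking.
    A deck is accepted only if it has exactly one EOF card, as its last card."""
    stream, rejected = [], []
    for owner, deck in decks:
        if deck and deck.count(EOF) == 1 and deck[-1] == EOF:
            stream.extend(deck)
        else:
            rejected.append(owner)
    return stream, rejected


def exposed_user_cards(stream):
    """USER cards that end up inside some job's input data."""
    return [card for job in split_jobs(stream)
            for card in input_after_control_record(job)
            if card.startswith("USER,")]


if __name__ == "__main__":
    print("stacked as-is :", exposed_user_cards(concatenate(DECKS)))
    checked, rejected = frame_decks(DECKS)
    print("checked intake:", exposed_user_cards(checked), "rejected:", rejected)
```

The underlying weakness is in-band framing: the only job boundary is a card the submitter controls, so the boundary has to be verified per deck before the decks are merged.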





Hacking With Telex



When CDC added timeshare to the punch-card batch-job designed Cyber machines,

they made two types of access to the system:  Batch and Telex.  Batch is a

punch-card deck, typically, and is run whenever the operator feels like it.

Inside the system, it is given ultra low priority and is squeezed in whenever.

It's a "batch" of things to do, with a start and end.



Telex is another matter.  It's the timeshare system, and supports up to, oh,

60 terminals.  Depends on the system; the more RAM, the more swapping area (if

you're lucky enough to have that), the more terminals can be supported before

the whole system becomes slug-like.



Telex is handled as a weird "batch" file where the system doesn't know how

much it'll have to do, or where it'll end, but executes commands as you type

them in.  A real kludge.



Because the people running on a CRT expect some sort of response, they're

given higher priority.  This leads to "Telex thrashing" on heavily loaded CDC

systems; only the Telex users get anywhere, and they sit and fight over the

machine's resources.



The poor dorks with the punch card decks never get into the machine, because

all the Telex users are getting the priority and the CPU.  (So DON'T use punch

cards.)



Another good tip:  if you are REQUIRED to use punch cards, then go type in

your program on a CRT, and drop it to the automatic punch.  Sure saves trying

to correct those typos on cards..



When you're running under Telex, you're part of one of several "jobs" inside

the system.  Generally there's "TELEX," something to run the line printer,

something to run the card reader, the mag tape drivers (named "MAGNET") and

maybe a few others floating around.  There's limited space inside a Cyber..

would you believe 128K 60-bit words?..  so there's a limited number of jobs

that can fit.  CDC put all their effort into "job scheduling" to make the best

of what they had.



You can issue a status command to see all jobs running; it's educational.



Anyway, the CDC machines were originally designed to run card jobs with lots

of magtape access.  You know, like IRS stuff.  So they never thought a job

could "interrupt," like pressing BREAK on a CRT, because card jobs can't.

This gives great possibilities.



Like:



Grabbing a Copy Of The System



For instance.  Go into BATCH mode from Telex,  and do a Fortran compile.

While in that, press BREAK.  You'll get a "Continue?" verification prompt.

Say no, you'd like to stop.



Now go list your local files.  Whups, there's a new BIG one there.  In fact,

it's a copy of the ENTIRE system you're running on -- PPU code, CPU code, ALL

compilers, the whole shebang!  Go examine this local file; you'll see the

whole bloody works there, mate, ready to play with.



Of course, you're set up to drop this to tape or disk at your leisure, right?



This works because the people at CDC never thought that a Fortran compile

could be interrupted, because they always thought it would be running off

cards.  So they left the System local to the job until the compile was done.

Interrupt the compile, it stays local.



Warning:  When you do ANYTHING a copy of your current batch process shows up

on the operator console.  Typically the operators are reading Penthouse and

don't care, and anyway the display flickers by so fast it's hard to see.  But

if you copy the whole system, it takes awhile, and they get a blow-by-blow

description of what's being copied.  ("Hey, why is this %^&$^ on terminal 29

copying the PPU code?") I got nailed once this way; I played dumb and they let

me go.  ("I thought it was a data file from my program").





Staying "Rolled In"



When the people at CDC designed the job scheduler, they made several "queues."

"Queues" are lines.



There's:



1. Input Queue.  Your job hasn't even gotten in yet.  It is standing outside,

                 on disk, waiting.

2. Executing Queue.  Your job is currently memory resident and is being

                 executed, although other jobs currently in memory are

                 competing for the machine as well.  At least you're in

                 memory.

3. Timed/Event Rollout Queue:  Your job is waiting for something, usually a

                 magtape.  Can also be waiting for a given time.  Yes, this

                 means you can put a delayed effect job into the system.  Ha,

                 ha.  You are on disk at this point.

4. Rollout Queue:  Your job is waiting its turn to execute.  You're out on

                 disk right now doing nothing.



Anyway, let's say you've got a big Pascal compile.  First, ALWAYS RUN FROM

TELEX (means, off a CRT).  Never use cards.  If you use cards you're

automatically going to be low man on the priority schedule, because the CPU

doesn't *have* to get back to you soon.  Who of us has time to waste?



Okay, do the compile.  Then do a STATUS on your job from another machine.

Typically you'll be left inside the CPU (EXECUTE) for 10 seconds, where you'll

share the actual CPU with about 10-16 other jobs.  Then you'll be rolled-out

(ROLLOUT), at which time you're phucked; you have to wait for your priority to

climb back up before it'll execute some more of your job.  This can take

several minutes on a deeply loaded system.



(All jobs have a given priority level, which usually increments every 10 sec

or so, until they start executing).



Okay, do this.  Press BREAK, then at the "Continue?" prompt, say yes.  What

happened?  Telex had to "roll your job in" to process the BREAK!  So you get

another free 10 seconds of CPU -- which can get a lot done.



If you sit and hit BREAK - Y <return> every 10 sec or so during a really big

job, you will just fly through it.  Of course, everyone else will be sitting

and staring at their screen, doing nothing, because you've got the computer.



If you're at a school with a Cyber, this is how to get your homework done at

high speed.





Macro Library



If you have a typical CDC site, they won't give you access to the "Macro

library."  This is a set of CPU calls to do various things -- open files, do

directory commands, and whatnot.  They will be too terrified of "some hacker."

Reality:  The dimbulbs in power don't want to give up ANY of their power to

ANYONE.  You can't really do that much more with the Macro library, which

gives assembly language access to the computer, than you can with batch

commands..  except what you do leaves lots less tracks.  They REALLY have to

dig to find out what your program did if you use Macro calls..  they have to

go to PPU port logs, which is needle in a haystack sort of stuff, vs. batch

file logs, which are real obvious.



Worry not.  Find someone at Arizona State or Minnesota U. that's cool, and get

them to send you a tape of the libraries.  You'll get all the code you can

stand to look at.  By the way they have a great poster tape...  just copy the

posters to the line printer.  Takes a long time to print them but it's worth

it.  (They have all the classic ones..  man on the moon, various playmates,

Spock, etc.  Some are 7 frames wide!).



With the Macro library, you can do many cool things.



The best is a demon scanner.  All CDC user numbers have controlled access for

other users to individual files -- either private, (no access to anyone else),

semiprivate (others can read it but a record is made), or public (anyone can

diddle your files, no record).  What you want is a program (fairly easy to do

in Fortran) that counts through user numbers, doing directory commands.  If it

finds anything, it checks for non semi-private (so no records are made), then

copies it to you.



You'll find the damnedest stuff, I guarantee it.  Try to watch some system

type signing in and get the digits of his user number, then scan variations

beginning with that user #.  For instance, if he's a SYS1234, then scan all

user #'s beginning with SYS (sysaaaa to sys9999).



Since it's all inside the Fortran program, the only record, other than

hard-to-examine PPU logs, is a "Run Fortran Program" ("LGO.") on the batch

dayfile.  If you're not giving the overworked system people reason to suspect

that commonplace, every-day student Fortran compile is anything out of the

ordinary, they will never bother to check -- the amount of data in PPU logs is

OVERWHELMING.



But you can get great stuff.



There's a whole cool library of Fortran-callable routines to do damned near

anything a batch command could do in the Minnesota library.  Time to get some

Minnesota friends -- like on UseNet.  They're real cooperative about sending

out tapes, etc.



Generally you'll find old files that some System Type  made public one day (so

a buddy could copy them) then forgot about.  I picked off all sorts of stuff

like this.  What's great is I just claimed my Fortran programs were hanging

into infinite loops -- this explained the multi-second CPU execution times.

Since there wasn't any readily available record of what I was up to, they

believed it.  Besides, how many idiot users really DO hang into loops?  Lots.

Hide in numbers.  I got Chess 4.2 this way -- a championship Chess program --

and lots of other stuff.  The whole games library, for instance, which was

blocked from access to mere users but not to sysfolk.



Again, they *can* track this down if you make yourself obnoxious (it's going

to be pretty obvious what you're doing if there's a CAT: SYSAAAA

CAT: SYSAAAB  CAT: SYSAAAC .. etc. on your PPU port log) so do this on someone

else's user number.
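
Added example, not part of the original article: detection logic for the catalog-scanning pattern the author says is "pretty obvious" in the port log once someone looks.  The log line format, user numbers and thresholds are constructed; the counting order (letters before digits) is an assumption taken from the article's "sysaaaa to sys9999" range.

```python
import re
from collections import defaultdict

# Constructed port-log lines: time, requesting user number, request.
SAMPLE_LOG = """\
09:14:02 STU0417 CAT: STU0417
09:14:09 STU0417 GET: STU0417/HOMEWRK
09:15:30 STU0522 CAT: SYSAAAA
09:15:30 STU0522 CAT: SYSAAAB
09:15:31 STU0522 CAT: SYSAAAC
09:15:31 STU0522 CAT: SYSAAAD
09:15:32 STU0522 CAT: SYSAAAE
09:15:32 STU0522 CAT: SYSAAAF
09:16:40 STU0417 CAT: LIBRARY
09:20:11 STU0733 CAT: STU0734
"""

LINE = re.compile(r"^(\d\d):(\d\d):(\d\d) ([A-Z0-9]+) CAT: ([A-Z0-9]+)$")
ORDER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"   # assumed counting order


def rank(user_number):
    """Position of a user number in counting order (base 36, letters first)."""
    n = 0
    for ch in user_number.upper():
        n = n * len(ORDER) + ORDER.index(ch)
    return n


def catalog_requests(log_text):
    """Yield (seconds, actor, target) for catalog requests on OTHER user numbers."""
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue                  # not a catalog request, or malformed
        h, mi, s, actor, target = m.groups()
        if actor != target:
            yield int(h) * 3600 + int(mi) * 60 + int(s), actor, target


def longest_run(targets):
    """Longest stretch of targets that are consecutive in counting order."""
    ranks = sorted(rank(t) for t in targets)
    run = longest = 1
    for a, b in zip(ranks, ranks[1:]):
        run = run + 1 if b == a + 1 else 1
        longest = max(longest, run)
    return longest


def find_scanners(log_text, window=60, min_targets=5):
    """Flag actors that catalog at least `min_targets` distinct foreign user
    numbers inside any `window`-second span of the log."""
    by_actor = defaultdict(list)
    for t, actor, target in catalog_requests(log_text):
        by_actor[actor].append((t, target))
    findings = {}
    for actor, events in by_actor.items():
        events.sort()
        start, best = 0, set()
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1            # slide the window forward
            seen = {tgt for _, tgt in events[start:end + 1]}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_targets:
            findings[actor] = {"targets": len(best),
                               "longest_run": longest_run(best)}
    return findings


if __name__ == "__main__":
    for actor, detail in find_scanners(SAMPLE_LOG).items():
        print(actor, detail)
```

A single lookup of a library or a neighbour's number stays below the threshold; a counting run of foreign user numbers in a few seconds does not, whatever program issued the requests.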





RJE Status Checks



Lots of stupid CDC installations..  well, that doesn't narrow the field much..

have Remote Job Entry stations.  Generally at universities they let some poor

student run these at low pay.



What's funny is these RJE's can do a status on the jobs in the system, and the

system screeches to a halt while the status is performed.  It gets top

priority.



So, if you want to incite a little rebellion, just sit at your RJE and do

status requests over and over.  The system will be even slower than usual.





The Worm



Warning:  This is pretty drastic.  It goes past mere self-defense in getting

enough priority to get your homework done, or a little harmless exploration

inside your system, to trying to drop the whole shebang.



It works, too.





You can submit batch jobs to the system, just as if you'd run them through the

punchcard reader, using the SUBMIT command.  You set up a data file, then do

SUBMIT datafile.  It runs separate from you.



Now, let's say we set up a datafile named WORM.  It's a batch file.  It looks

like this:



JOB

USER,blah (whatever -- a user number you want crucified)

GET,WORM; get a copy of WORM

SUBMIT,WORM.; send it to system

SUBMIT,WORM.; send it to system

SUBMIT,WORM.; send it to system

SUBMIT,WORM.; send it to system

SUBMIT,WORM.; send it to system

SUBMIT,WORM.; send it to system

SUBMIT,WORM.; send it to system

SUBMIT,WORM.; send it to system

SUBMIT,WORM.; send it to system

SUBMIT,WORM.; send it to system

SUBMIT,WORM.; send it to system

SUBMIT,WORM.; send it to system

SUBMIT,WORM.; send it to system

SUBMIT,WORM.; send it to system

SUBMIT,WORM.; send it to system

SUBMIT,WORM.; send it to system

  (16 times)

(end of file)



Now, you SUBMIT WORM.  What happens?  Worm makes 16 copies of itself and

submits those.  Those in turn make 16 copies of themselves (now we're up to

256) and submit those.  Next pass is 4096.  Then 65536.  Then...



Now, if you're really good, you'll put on your "job card" a request for high

priority.  How?  Tell the system you need very little memory and very little

CPU time (which is true, Submit takes almost nothing at all).  The scheduler

"squeezes" in little jobs between all the big ones everyone loves to run, and

gives ultra-priority to really tiny jobs.



What happens is the system submits itself to death.  Sooner or later the input

queue overflows .. there's only so much space .. and the system falls apart.



This is a particularly gruesome thing to do to a system, because if the guy

at the console (count on it) tries the usual startup, there will still be

copies of WORM in the input queue.  First one of those gets loose, the system

drops again.  With any luck the system will go up and down for several hours

before someone with several connected brain cells arrives at the operator

console and coldstarts the system.



If you've got a whole room full of computer twits, all with their hair tied

behind them with a rubber band into a ponytail, busily running their Pascal

and "C" compiles, you're in for a good time.  One second they will all be

printing -- the printers will be going weep-weep across the paper.  Next

second, after you run, they will stop.  And they will stay stopped.  If you've

done it right they can't even get a status.  Ha, ha.



The faster the CPU, the faster it will run itself into the ground.



CDC claims there is a limit on the number of jobs a user number can have in

the system.  As usual they blew it and this limit doesn't exist.  Anyway, it's

the input queue overflow that kills things, and you can get to the input queue

without the # of jobs validation check.
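
Added example, not part of the original article: a toy Python model of the missing check just described, comparing an input queue that admits every SUBMIT with one that counts jobs per user number at the point of admission.  The class, the user names, the slot count and the service rate are all constructed for illustration.

```python
from collections import Counter, deque


class InputQueue:
    """Toy input queue with a fixed number of slots (constructed model)."""

    def __init__(self, slots, per_user_limit=None):
        self.slots = slots
        self.per_user_limit = per_user_limit   # None = no check at admission
        self.jobs = deque()
        self.active = Counter()                # jobs per user in the system
        self.refused = Counter()

    def submit(self, user, fanout):
        """Admit one job.  Returns False if the per-user check refuses it;
        raises OverflowError when the queue itself is out of slots."""
        if (self.per_user_limit is not None
                and self.active[user] >= self.per_user_limit):
            self.refused[user] += 1
            return False
        if len(self.jobs) >= self.slots:
            raise OverflowError("input queue full")
        self.jobs.append((user, fanout))
        self.active[user] += 1
        return True

    def run_one(self):
        """Run the oldest job: it resubmits itself `fanout` times, then ends."""
        user, fanout = self.jobs.popleft()
        for _ in range(fanout):
            self.submit(user, fanout)
        self.active[user] -= 1
        return user


def simulate(per_user_limit, slots=1000, ticks=200, rate=4, fanout=16):
    """One self-resubmitting job plus one ordinary job arriving per tick.
    The system runs up to `rate` jobs per tick."""
    q = InputQueue(slots, per_user_limit)
    q.submit("ATTACKER", fanout)
    done, peak = 0, 0
    for tick in range(ticks):
        try:
            q.submit("STUDENT", 0)             # ordinary job, submits nothing
            for _ in range(rate):
                if not q.jobs:
                    break
                if q.run_one() == "STUDENT":
                    done += 1
                peak = max(peak, len(q.jobs))
        except OverflowError:
            return {"overflow_tick": tick, "student_done": done,
                    "peak": slots, "refused": q.refused["ATTACKER"]}
    return {"overflow_tick": None, "student_done": done,
            "peak": peak, "refused": q.refused["ATTACKER"]}


if __name__ == "__main__":
    print("no check at admission :", simulate(per_user_limit=None))
    print("limit of 8 per user   :", simulate(per_user_limit=8))
```

With the check in the admission path the queue stays at a handful of entries and ordinary jobs keep completing; a limit enforced anywhere later than admission does nothing for the queue's slot count.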



Bear in mind that *anything* in that batch file is going to get repeated ten

zillion times at the operator console as the little jobs fly by by the

thousands.  So be sure to include some charming messages, like:



job,blah

user,blah

* eat me!

get,worm

submit,worm .. etc.



There will now be thousands of little "eat me!"'s scrolling across the console

as fast as the console PPU can print them.



Generally at this point the operator will have his blood pressure really

spraying out his ears.



Rest assured they will move heaven and earth to find you.  This includes past

dayfiles, user logs, etc.  So be clean.  Remember, "Revenge is a dish best

served cold."  If you're mad at them, and they know it, wait a year or so,

until they are scratching their heads, wondering who hates them this much.



Also:  make sure you don't take down a really important job someone else is

doing, okay?  Like, no medical databases, and so forth.



Now, for a really deft touch, submit a timed/event job.  This "blocks" the job

for awhile, until a given time is reached.  Then, when you're far, far away,

with a great alibi, the job restarts, the system falls apart, and you're

clear.  If you do the timed/event rollout with a Fortran program macro call,

it won't even show up on the log.



(Remember that the System Folk will eventually realize, in their little minds,

what you've done.  It may take them a year or two though).





CHECKPOINT / RESTART



I've saved the best for last.



CDC's programmers supplied two utilities, called CheckPoint and Restart,

primarily because their computers kept crashing before they would finish

anything.  What Checkpoint does is make a COMPLETE copy of what you're doing -

all local files, all of memory, etc. -- into a file, usually on a magtape.

Then Restart "restarts" from that point.



So, when you're running a 12 hour computer job, you sprinkle checkpoints

throughout, and if the CDC drops, you can restart from your last CKP.  It's

like a tape backup of a hard disk.  This way, you only lose the work done on

your data between the last checkpoint and now, rather than the whole 12 hours.

Look, this is real important on jobs that take days -- check out your local

IRS for details..



Now what's damned funny is if you look closely at the file Checkpoint

generates, you will find a copy of your user validations, which tell

everything about you to the system, along with the user files, memory, etc.

You'll have to do a little digging in hex to find the numbers, but they'll

match up nicely with the display of your user validations from that batch

command.



Now, let's say you CKP, that makes the CKP file.  Then run a little FORTRAN

program to edit the validations that are inside that CKP-generated file.  Then

you RESTART from it.  Congratulations.  You're a self made man.  You can do

whatever you want to do - set your priority level to top, grab the line

printer as your personal printer, kick other jobs off the system (it's more

subtle to set their priority to zilch so they never execute), etc. etc.

You're the operator.



This is really the time to be a CDC whiz and know all sorts of dark, devious

things to do.  I'd have a list of user numbers handy that have files you'd

like made public access, so you can go in and superzap them (then peruse them

later from other signons), and so forth.



There's some gotchas in here.. for instance, CKP must be run as part of a

batch file out of Telex.  But you can work around them now that you know the

people at CDC made RESTART alter your user validations.



It makes sense in a way.  If you're trying to restart a job you need the same

priority, memory, and access you had when trying to run it before.
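
Added example, not part of the original article: a Python sketch of the design flaw described above (privileges stored in a file the user owns and trusted on restart) next to a restart that authenticates the file and takes validations from the system's own record.  The JSON layout, field names, key and user number are constructed; nothing here is CDC's format.

```python
import hashlib
import hmac
import json

SYSTEM_KEY = b"constructed-demo-key"       # held by the system, never by users
# Authoritative validation record kept by the system (constructed sample).
VALIDATION_FILE = {"STU0417": {"priority": 10, "operator": False}}


def checkpoint(user, job_state):
    """As described in the article: job state AND the user's validations
    are written into a file the user can read and modify."""
    return json.dumps({"user": user, "state": job_state,
                       "validations": VALIDATION_FILE[user]}).encode()


def restart_trusting(blob):
    """As described in the article: validations are restored from the file."""
    ckp = json.loads(blob)
    return ckp["user"], ckp["validations"], ckp["state"]


def checkpoint_sealed(user, job_state):
    """Hardened: no validations in the file, and a keyed MAC over the rest."""
    blob = json.dumps({"user": user, "state": job_state},
                      sort_keys=True).encode()
    tag = hmac.new(SYSTEM_KEY, blob, hashlib.sha256).hexdigest().encode()
    return tag + b"\n" + blob


def restart_checked(sealed):
    """Hardened: reject a modified file, then look validations up afresh in
    the system's own record instead of believing anything user-supplied."""
    tag, _, blob = sealed.partition(b"\n")
    expected = hmac.new(SYSTEM_KEY, blob, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("checkpoint modified since it was written")
    ckp = json.loads(blob)
    return ckp["user"], VALIDATION_FILE[ckp["user"]], ckp["state"]


def demo():
    """Edit both kinds of checkpoint the way a user-side program could."""
    plain = checkpoint("STU0417", {"pc": 1200})
    edited = plain.replace(b'"operator": false', b'"operator": true')
    trusted = restart_trusting(edited)[1]["operator"]

    sealed = checkpoint_sealed("STU0417", {"pc": 1200})
    try:
        restart_checked(sealed.replace(b'"pc": 1200', b'"pc": 9999'))
        rejected = False
    except ValueError:
        rejected = True
    return trusted, rejected, restart_checked(sealed)


if __name__ == "__main__":
    print(demo())
```

The job still restarts with the priority and access it is entitled to, because those are read from the system's record at restart time and not carried in the file.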



Conclusion





There you have it, the secrets of hacking the Cyber.



They've come out of several years at a college with one CDC machine, which I

will identify as being somewhere East.  They worked when I left; while CDC may

have patched some of them, I doubt it.  They're not real fast on updates to

their operating system.





** Grey Sorcerer



                        % = % = % = % = % = % = % = %

                        =                           =

                        %   P h r a c k   X V I I   %

                        =                           =

                        % = % = % = % = % = % = % = %



                              Phrack  Seventeen

                                07 April 1988



                     File 6 of 12 : How to Hack HP2000's







How to Hack an HP 2000



By: ** Grey Sorcerer



Okay, so you've read the HP-2000 basic guides, and know your way around.  I

will not repeat all that.



There's two or three things I've found that allow you through HP 2000

security.



1. When you log in, a file called HELLO on the user number Z999 is run.  A lot

of time this file is used to deny you access.  Want in?  Well, it's just a

BASIC program, and can be BREAKed.. but, usually the first thing they do in

that program is turn Breaks (interrupts) off by the BRK(0) function.  However,

if you log in like this:



HELLO-D345,PASS (return) (break)



With the break nearly instantly after the return, a lot of time, you'll abort

the HELLO program, and be home free.



2. If you can create a "bad file", which takes some doing, then anytime you

try to CSAVE this file (compile and save), the system will quickly fade into a

hard crash.



3. How to make a bad file and other goodies:



The most deadly hole in security in the HP2000 is the "two terminal" method.

You've got to understand buffers to see how it works.  When you OPEN a file,

or ASSIGN it (same thing), you get 256 bytes of the file -- the first 256.

When you need anymore, you get 256 more.  They are brought in off the disk in

discrete chunks.  They are stored in "buffers."



So.  Save a bunch of junk to disk -- programs, data, whatever.  Then once your

user number is full, delete all of it.  The effect is to leave the raw jumbled

data on disk.





Pick a time when the system is REAL busy, then:



1. Have terminal #1 running a program that looks for a file to exist (with the

ASSIGN) statement as quickly as it can loop.  If it finds the file there, it

goes to the very end of the file, and starts reading backwards, record by

record, looking for data.  If it finds data, it lets you know, and stops at an

input prompt.  It is now running.



2. Have terminal #2 create a really huge data file (OPEN-FILE, 3000) or

however it goes.



What happens is terminal #2's command starts zeroing all the sectors of the

file, starting at file start.  But it only gets so far before someone else

needs the processor, and kicks #2 out.  The zeroing stops for a sec.  Terminal

#1 gets in, finds the file there, and reads to the end.  What's there?  Old

trash on disk.  (Which can be mighty damned interesting by the way -- did you

know HP uses a discrete mark to indicate end-of-buffer?  You've just maybe got

yourself a buffer that is as deep as system memory, and if you're clever, you

can peek or poke anywhere in memory.  If so, keep it, it is pure gold).



But.  Back to the action.



3. Terminal #2 completes the OPEN.  He now deletes the file.  This leaves

Terminal #1 with a buffer full of data waiting to be dumped back to disk at

that file's old disk location.



4. Terminal #2 now saves a load of program files, as many as are required to

fill up the area that was taken up by the deleted big file.



5. You let Terminal #1 past the input prompt, and it writes its buffer to

disk.  This promptly overlays some program just stored there.  Result:  "bad

program."  HPs are designed with a syntax checker and store programs in token;

a "bad program" is one that the tokens are screwed up in.  Since HP assumes

that if a program is THERE, it passed the syntax check, it must be okay...

it's in for big problems.  For a quick thrill, just CSAVE it..  system tries

to semi-compile bad code, and drops.



Really, the classier thing to do with this is to use the "bottomless buffer"

to look through your system and change what you don't like.. maybe the

password to A000?  Write some HP code, look around memory, have a good time.

It can be done.
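
Added example, not part of the original article: a toy Python model of the two faults the "two terminal" method relies on, a file that becomes visible before its sectors are zeroed and a buffer that is written back after its file has been deleted, each beside the check that closes it.  The class, the 8-byte block size and the block contents are constructed; this is not HP 2000 code.

```python
BLOCK = 8   # bytes per block in this toy model (the article's buffers are 256)


class Volume:
    """Toy disk volume with a directory and per-file generation numbers."""

    def __init__(self, nblocks, hardened):
        self.hardened = hardened
        self.blocks = [bytes(BLOCK)] * nblocks
        self.files = {}           # name -> (first block, block count, generation)
        self.generation = 0

    def create(self, name, first, count):
        """Generator: zero the extent one block per step, so the creator can
        be pre-empted between blocks as in the article."""
        self.generation += 1
        entry = (first, count, self.generation)
        if not self.hardened:
            self.files[name] = entry          # visible before zeroing is done
        for i in range(first, first + count):
            self.blocks[i] = bytes(BLOCK)
            yield i
        self.files[name] = entry              # hardened: visible only now

    def delete(self, name):
        del self.files[name]

    def open_block(self, name, index):
        """Return a buffer for one block, or None if the file is not visible."""
        if name not in self.files:
            return None
        first, _, gen = self.files[name]
        return {"name": name, "gen": gen, "addr": first + index,
                "data": self.blocks[first + index]}

    def flush(self, buf):
        """Write a buffer back to disk.  Hardened: only if the file it was
        read from still exists with the same generation."""
        if self.hardened:
            entry = self.files.get(buf["name"])
            if entry is None or entry[2] != buf["gen"]:
                return False
        self.blocks[buf["addr"]] = buf["data"]
        return True


def two_terminals(hardened):
    """Replay the article's interleaving; return (data seen by the reader,
    whether the stale flush was accepted, final content of the last block)."""
    vol = Volume(8, hardened)
    vol.blocks[7] = b"OLDDATA!"               # residue of a deleted file
    zeroing = vol.create("BIG", 0, 8)         # terminal 2 starts the create
    next(zeroing)                             # ...and is pre-empted
    buf = vol.open_block("BIG", 7)            # terminal 1 polls for the file
    leaked = buf["data"] if buf else None
    for _ in zeroing:                         # terminal 2 finishes zeroing
        pass
    if buf is None:
        buf = vol.open_block("BIG", 7)        # file is visible only now
    vol.delete("BIG")
    vol.blocks[7] = b"PROGRAM!"               # a saved program reuses the block
    accepted = vol.flush(buf)
    return leaked, accepted, vol.blocks[7]


if __name__ == "__main__":
    print("original behaviour:", two_terminals(hardened=False))
    print("with both checks  :", two_terminals(hardened=True))
```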



** Grey Sorcerer



                        % = % = % = % = % = % = % = %

                        =                           =

                        %   P h r a c k   X V I I   %

                        =                           =

                        % = % = % = % = % = % = % = %



                              Phrack  Seventeen

                                07 April 1988



                File 7 of 12 : Accessing Government Computers





                    +++++++++++++++++++++++++++++++++++++++

                    +   ACCESSING GOVERNMENT COMPUTERS    +

                    +             (LEGALLY!)              +

                    +-------------------------------------+

                    +      Written by The Sorceress       +

                    +    (The Far Side 415/471-1138)      +

                    +++++++++++++++++++++++++++++++++++++++





 Comment:  I came across this article in Computer Shopper (Sept. 1987)  and it

   talked about citizens accessing government computers since we do pay  for them

   with our  taxpayers monies.  Since then, I have had  friends and gone  on a

   few myself  and the  databases are full of  information for accessing.  One

   thing, you usually have to call the sysop for access and give him your real

   name, address  and the like.  They call you back and verify your existence.

   Just a word of  warning; crashing a BBS is a crime, so I wouldn't fool with

   these since they are government based.



 -----------------------------------------------------------------------------

 National Bureau of Standards -

 Microcomputers Electronic Information Exchange.



 Sysops: Ted Landberg & Lisa Carnahan

  Voice: 301-975-3359

   Data: 301-948-5717  300/1200/2400



 This BBS is  operated by the  Institute for Computer  Sciences and Technology

   which is one of four technical organizations within the National Bureau  of

   Standards.  This  board  also  contains  information  on  the  acquisition,

   management, security, and use of micro computers.

 -----------------------------------------------------------------------------

 Census Bureau -

 Census Microcomputer and Office Technology Center, Room 1065 FB-3 Washington,

   D.C. (Suitland, MD)



 Sysop: Nevins Frankel

 Voice: 301-763-4494

  Data: 301-763-4576  300/1200



 The purpose of  this BBS is  to allow users  to access the  following: Census

   Microcomputer  and  office  technology  information  center  bulletins  and

   catalogues,  software  and  hardware  evaluations,  Hardware  and  software

   inventories, Census computer club library, Public Domain software, etc.

 -----------------------------------------------------------------------------

 Census Bureau -

 Census  Microcomputer  and  Office  Technology  Center,  Personnel  Division,

   Washington DC.



 Voice: 301-763-4494

  Data: 301-763-4574  300/1200/2400



 The purpose of this  board is to display  Census Bureau vacancies from  entry

   level to senior management.

 -----------------------------------------------------------------------------

 Department of Commerce -



 Office  of  the  Under  Secretary  for  Economic  Affairs, Office of Business

   Analysis, Economic Bulletin Board.



 Sysop: Ken Rogers

 Voice: 202-377-0433

  Data: 202-377-3870  300/1200



 This is  another well  run BBS  with in-depth  news about  the Department  of

   Commerce Economic  Affairs Agencies  including current  press releases  and

   report summaries.

 -----------------------------------------------------------------------------

 COE BBS -

 Manpower  and  Force  Management  Division,  Headquarters, U.S. Army Corps of

   Engineers, 20 Massachusetts Ave. NW, Washington, DC.



 Sysop: Rich Courney

 Voice: 202-272-1646

  Data: 202-272-1514  300/1200/2400



 The files database was  one of the largest  they have ever seen. Directory  70 has

   programs for designing masonry and retaining walls using Lotus's Symphony.



 -----------------------------------------------------------------------------

 General Services Administration -

 Information Resources Service Center.



 Data: 202-535-8054  300 bps

 Data: 202-535-7661  1200 bps



 GSA's Information Resources Service Center provides information on contracts,

   schedules, policies, and programs. One of the areas that is interesting was

   the weekly supplement to the  consolidated list of debarred, suspended  and

   ineligible contractors.

 -----------------------------------------------------------------------------

 Budget and Finance Board of the Office of Immigration Naturalization Service.



                   DO NOT CALL THIS BBS DURING WORKING HOURS.



 Sysop: Mike Arnold

  Data: 202-787-3460  300/1200/2400



 The system is devoted  to the exchange of  information related to budget  and

   financial  management in the  federal government.  It is a 'working' system

   for the Immigration and Naturalization Service personnel.

 -----------------------------------------------------------------------------

 Naval Aviation News Computer Information (NANci) -

 Supported by:  Naval Aviation  News Magazine,  Bldg. 159E,  Navy Yard  Annex,

   Washington, DC 20374.



 Sysop: Commander Howard Wheeler

 Voice: 202-475-4407

  Data: 202-475-1973   300/1200



 Available from 5 pm to 8 am weekdays, and from 5 pm Friday to 8 am Monday.



 This is a large BBS with lots of Navy related information and programs. NANci

   is  for  those  interested  in  stories,  facts, and historical information

   related to Naval Aviation.

 -----------------------------------------------------------------------------

 Federal National Mortgage Association -



 Sysop: Ken Goosens

  Data: 202-537-7475

        202-537-7945   300/1200



 This  BBS  is  in  transition.  Ken  Goosens  will  be  running  a new BBS at

   703-979-6360. The BBS may become a closed board under the new sysop.  This

   BBS has/had one of the largest collections of files for downloading.

 -----------------------------------------------------------------------------

 The World  Bank, Information,  Technology and  Facilities Department,  Office

   System Division, Washington DC.



 Sysop: Ashok Daswani

 Voice: 202-473-2237

  Data: 202-676-0920    300/1200



 Basically a software exchange BBS, but has other information about the use of

   microcomputers  and   software  supported  by  World   Bank.  IBM   product

   announcements also kept up to date.

 -----------------------------------------------------------------------------

 National Oceanic Atmospheric  Administration (NOAA), National  Meteorological

   Center.



       * You must obtain a password from the SYSOP to log on to this BBS.



 Sysop: Vernon Patterson

 Voice: 301-763-8071

  Data: 301-899-0825     300 bps

        301-899-0830    1200 bps



 This is one of the most  useful databases available on-line. With it  you can

   access meteorological  data collected  from 6000  locations throughout  the

   world.  It  can  also  display  crude,  but  useful  graphic maps of the US

   illustrating temperatures, precipitation and forecasts.

 -----------------------------------------------------------------------------

 National Weather Service, US Dept. of Commerce, East Coast Marine Users BBS



           * You must obtain a p/w from the SYSOP to logon this BBS.



 Sysop: Ross Laporte

 Voice: 301-899-3296

  Data: 301-454-8700  300bps



 Use this  BBS to  obtain info  about marine  weather and  nautical info about

   coastal waterways including tropical storm advisories.

 -----------------------------------------------------------------------------

 NARDAC, Navy Regional Data Automation Center, Norfolk, VA. 23511-6497



 Sysop: Jerry Dew

 Voice: 804-445-4298

  Data: 804-445-1627  300 & 1200 bps



 A basic Utilitarian  system developed to  support the informational  needs of

   NARDAC. The Dept. of Defense mag., CHIPS is available in the files  section

   of this BBS. There are also Navy and IBM related articles to read.

 -----------------------------------------------------------------------------

 Veterans Administration, Info Technology Bulletin Board.



 Data: 202-376-2184   300/1200 bps



 The  content  of  this  BBS  ranges  from job opening listings to information

   on computer security.

 -----------------------------------------------------------------------------

 Dept. of Energy, Office of Civilian Radioactive Waste Management, Infolink.



 Sysop: Bruce Birnbaum

 Voice: 202-586-9707

  Data: 202-586-9359   300/1200 bps



 This  BBS  has  press releases,  fact  sheets,  backgrounders,  congressional

   questions,  answers,  speeches &  testimony,  from  the  Office of Civilian

   Radioactive Waste Management.

 -----------------------------------------------------------------------------



 I skipped listing a few of the BBSes in this article if the chances were slim

   to get  on or  if the BBS got a bad review.  Most of the ones listed seemed

   to have a lot of  informative files  for downloading  and viewing pleasure.

   This article carried a very strong word of warning about tampering/crashing

   these since they are run by the govt. and a volunteer Sysop.  Since you can

   get on these legally why not use it?



                                                                 The Sorceress



                        % = % = % = % = % = % = % = %

                        =                           =

                        %   P h r a c k   X V I I   %

                        =                           =

                        % = % = % = % = % = % = % = %



                              Phrack  Seventeen

                                07 April 1988



                    File 8 of 12 : Dialback Modem Security







In article <906@hoptoad.uucp> gnu@hoptoad.UUCP writes:

>Here are the two messages I have archived on the subject...



>[I believe the definitive article in that discussion was by Lauren Weinstein,

>vortex!lauren; perhaps he has a copy.



        What follows is the original article that started the discussion.  I

do not know whether it qualifies as the "definitive article" as I think I

remember Lauren and I both posted further comments.

                                                            - Dave



                            ** ARTICLE FOLLOWS **



------------------------------------------------------------------------------



        An increasingly popular technique for protecting dial-in ports from

the ravages of hackers and other more sinister system penetrators is dial back

operation wherein a legitimate user initiates a call to the system he desires

to connect with, types in his user ID and perhaps a password, disconnects and

waits for the system to call him back at a prearranged number. It is assumed

that a penetrator will not be able to specify the dial back number (which is

carefully protected), and so even if he is able to guess a user-name/password

pair he cannot penetrate the system because he cannot do anything meaningful

except type in a user-name and password when he is connected to the system. If

he has a correct pair it is assumed the worst that could happen is a spurious

call to some legitimate user which will do no harm and might even result in a

security investigation.



        Many installations depend on dial-back operation of modems for their

principal protection against penetration via their dial up ports on the

incorrect presumption that there is no way a penetrator could get connected to

the modem on the call back call unless he was able to tap directly into the

line being called back.  Alas, this assumption is not always true -

compromises in the design of modems and the telephone network unfortunately

make it all too possible for a clever penetrator to get connected to the call

back call and fool the modem into thinking that it had in fact dialed the

legitimate user.



        The problem areas are as follows:



                        Caller control central offices



        Many older telephone central office switches implement caller control

in which the release of the connection from a calling telephone to a called

telephone is exclusively controlled by the originating telephone.  This means

that if the penetrator simply failed to hang up a call to a modem on such a

central office after he typed the legitimate user's user-name and password,

the modem would be unable to hang up the connection.



        Almost all modems would simply go on-hook in this situation and not

notice that the connection had not been broken.  If the same line was used to

dial out on as the call came in on,  when the modem went to dial out to call

the legitimate user back it might not notice (there is no standard way of

doing so electrically) that the penetrator was still connected on the line.

This means that the modem might attempt to dial and then wait for an

answerback tone from the far end modem. If the penetrator was kind enough to

supply the answerback tone from his modem after he heard the system modem

dial, he could make a connection and penetrate the system. Of course some

modems incorporate dial tone detectors and ringback detectors and in fact wait

for dial tone before dialing, and ringback after dialing but fooling those

with a recording of dial tone (or a dial tone generator chip) should pose

little problem.





                     Trying to call out on a ringing line



        Some modems are dumb enough to pick up a ringing line and attempt to

make a call out on it.   This fact could be used by a system penetrator to

break dial back security even on joint control or called party control central

offices.  A penetrator would merely have to dial in on the dial-out line

(which would work even if it was a separate line as long as the penetrator was

able to obtain its number), just as the modem was about to dial out.  The

same technique of waiting for dialing to complete and then supplying

answerback tone could be used - and of course the same technique of supplying

dial tone to a modem which waited for it would work here too.



        Calling the dial-out line would work especially well in cases where

the software controlling the modem either disabled auto-answer during the

period between dial-in and dial-back (and thus allowed the line to ring with

no action being taken) or allowed the modem to answer the line (auto-answer

enabled) and paid no attention to whether the line was already connected when

it tried to dial out on it.





                               The ring window



        However, even carefully written software can be fooled by the ring

window problem.  Many central offices actually will connect an incoming call

to a line if the line goes off hook just as the call comes in without first

having put the 20 hz. ringing voltage on the line to make it ring.  The ring

voltage in many telephone central offices is supplied asynchronously every 6

seconds to every line on which there is an incoming call that has not been

answered, so if an incoming call reaches a line just an instant after the end

of the ring period and the line clairvoyantly responds by going off hook it

may never see any ring voltage.



        This means that a modem that picks up the line to dial out just as our

penetrator dials in may not see any ring voltage and may therefore have no way

of knowing that it is connected to an incoming call rather than the call

originating circuitry of the switch.  And even if the switch always rings

before connecting an incoming call, most modems have a window just as they are

going off hook to originate a call when they will ignore transients (such as

ringing voltage) on the assumption that they originate from the going-off-hook

process. [The author is aware that some central offices reverse battery (the

polarity of the voltage on the line) in the answer condition to distinguish it

from the originate condition, but as this is by no means universal few if any

modems take advantage of the information supplied]





                                  In Summary



        It is thus impossible to say with any certainty that when a modem goes

off hook and tries to dial out on a line which can accept incoming calls it

really is connected to the switch and actually making an outgoing call. And

because it is relatively easy for a system penetrator to fool the tone

detecting circuitry in a modem into believing that it is seeing dial tone,

ringback and so forth until he supplies answerback tone and connects and

penetrates, system security should not depend on this sort of dial-back.





                             Some Recommendations



        Dial back using the same line used to dial in is not very secure and

cannot be made completely secure with conventional modems.  Use of dithered

(random) time delays between dial in and dial back combined with allowing the

modem to answer during the wait period (with provisions made for recognizing

the fact that this wasn't the originated call - perhaps by checking to see if

the modem is in originate or answer mode) will substantially reduce this

window of vulnerability but nothing can completely eliminate it.



        Obviously if one happens to be connected to an older caller control

switch, using the same line for dial in and dial out isn't secure at all.  It

is easy to experimentally determine this, so it ought to be possible to avoid

such situations.



        Dial back using a separate line (or line and modem) for dialing out is

much better, provided that either the dial out line is sterile (not readily

traceable by a penetrator to the target system) or that it is a one way line

that cannot accept incoming calls at all.  Unfortunately the latter technique

is far superior to the former in most organizations as concealing the

telephone number of dial out lines for long periods involves considerable

risk.  The author has not tried to order a dial out only telephone line, so he

is unaware of what special charges might be made for this service or even if

it is available.



                           A final word of warning



        In years past it was possible to access telephone company test and

verification trunks in some areas of the country by using mf tones from so

called "blue boxes". These test trunks connect to special ports on telephone

switches that allow a test connection to be made to a line that doesn't

disconnect when the line hangs up.   These test connections could be used to

fool a dial out modem, even one on a dial out only line (since the telephone

company needs a way to test it, they usually supply test connections to it

even if the customer can't receive calls).



        Access to verification and test ports and trunks has been tightened

(they are a kind of dial-a-wiretap so it ought to be pretty difficult) but as

in any system there is always the danger that someone, through

stupidity or ignorance if not mendacity will allow a system penetrator access

to one.



                       **  Some more recent comments **



        Since posting this I have had several people suggest use of PBX lines

that can dial out but not be dialed into or outward WATS lines that also

cannot be dialed.  Several people have also suggested use of call forwarding

to forward incoming calls on the dial out line to the security office. [This

may not work too well in areas served by certain ESS's which ring the number

from which calls are being forwarded once anyway in case someone forgot to

cancel forwarding. Forwarding is also subject to being cancelled at random

times by central office software reboots]



        And since posting this I actually tried making some measurements of

how wide the incoming call window is for the modems we use for dial in at

CRDS.  It appears to be at least 2-3 seconds for US Robotics Courier 2400 baud

modems.  I found I could defeat same-line-for-dial-out dialback quite handily

in a few dozen tries no matter what tricks I played with timing and watching

modem status in the dial back login software. I eventually concluded that

short of reprogramming the micro in the modem to be smarter about monitoring

line state, there was little I could do at the login (getty) level to provide

much security for same line dialback.



        Since it usually took a few tries to break in, it is possible to

provide some slight security improvement by sharply limiting the number of

unsuccessful callbacks per user per day so that a hacker with only a couple of

passwords would have to try over a significant period of time.



        Note that dialback on a dedicated dial-out only line is somewhat

secure.





         David I. Emery    Charles River Data Systems   617-626-1102

         983 Concord St., Framingham, MA 01701.

         uucp: decvax!frog!die



--

          David I. Emery   Charles River Data Systems

983 Concord St., Framingham, MA 01701 (617) 626-1102 uucp: decvax!frog!die
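
The recommendations in the article above, combined into one callback gate as an added example (not code from the original post or from Phrack): a dithered delay, a per-user daily cap on unsuccessful callbacks, and rejection of any connection the modem reports in answer mode. The class and function names, the delay range and the cap are assumptions; the exposure figures use a simplified uniform-timing model with the 3-second window the author measured.

```python
import secrets
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Decision:
    allowed: bool
    residual_window: bool   # True when the line can still receive incoming calls
    reason: str


@dataclass
class CallbackGate:
    # All defaults are assumed values chosen for this example.
    min_delay_s: int = 30         # shortest wait between dial-in and dial-back
    max_delay_s: int = 180        # longest wait
    max_failed_per_day: int = 3   # unsuccessful callbacks allowed per user per day
    failed: dict = field(default_factory=dict)   # (user, day) -> failure count

    def dithered_delay(self) -> int:
        """Random wait drawn from a CSPRNG, so a caller cannot predict the
        moment the modem goes off hook to dial back."""
        span = self.max_delay_s - self.min_delay_s + 1
        return self.min_delay_s + secrets.randbelow(span)

    def may_call_back(self, user: str, day: date) -> bool:
        return self.failed.get((user, day), 0) < self.max_failed_per_day

    def record_failure(self, user: str, day: date) -> None:
        self.failed[(user, day)] = self.failed.get((user, day), 0) + 1

    def accept(self, user: str, day: date, modem_mode: str,
               dial_out_only: bool) -> Decision:
        """Decide whether a connected callback may proceed to a login session.

        modem_mode is what the modem reports for the live connection:
        "originate" if it placed the call, "answer" if it picked up an
        incoming call during the wait period.
        """
        if not self.may_call_back(user, day):
            return Decision(False, not dial_out_only,
                            "daily limit of unsuccessful callbacks reached")
        if modem_mode != "originate":
            self.record_failure(user, day)
            return Decision(False, not dial_out_only,
                            "connection is an incoming call, not our callback")
        if not dial_out_only:
            return Decision(True, True,
                            "accepted, but the line takes incoming calls: "
                            "the ring window remains")
        return Decision(True, False, "accepted on a dial-out-only line")


def per_attempt_exposure(window_s: float, gate: CallbackGate) -> float:
    """Chance that one incoming call lands inside the modem's off-hook window,
    assuming (simplification) the call arrives at a uniformly random moment
    within the dither range. A fixed delay gives 1.0: the moment is known."""
    span = gate.max_delay_s - gate.min_delay_s
    return 1.0 if span <= 0 else min(1.0, window_s / span)


def cumulative_exposure(p: float, attempts: int) -> float:
    """Chance that at least one of `attempts` independent tries succeeds."""
    return 1.0 - (1.0 - p) ** attempts


if __name__ == "__main__":
    gate = CallbackGate()
    today = date(1988, 4, 7)
    print("wait", gate.dithered_delay(), "s before dialing back")
    print(gate.accept("alice", today, "originate", dial_out_only=False))
    print(gate.accept("alice", today, "answer", dial_out_only=False))
    p = per_attempt_exposure(3.0, gate)
    # 3 failed callbacks a day for 30 days = 90 tries against one account
    print("per try: %.3f, over 30 days: %.3f" % (p, cumulative_exposure(p, 90)))
```

Under this model the cap and the dither stretch the time needed rather than close the window, which matches the author's description of the improvement as slight; only the dial-out-only branch returns a decision with no residual window.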



                        % = % = % = % = % = % = % = %

                        =                           =

                        %   P h r a c k   X V I I   %

                        =                           =

                        % = % = % = % = % = % = % = %



                              Phrack  Seventeen

                                07 April 1988



                    File 9 of 12 : Data-Tapping Made Easy





--FEATURE ARTICLES AND REVIEWS-





 TAPPING COMPUTER DATA IS EASY, AND CLEARER THAN PHONE CALLS !



    BY RIC BLACKMON, SYSOP OF A FED BBS



        Acquired by Elric of Imrryr & Lunatic Labs UnLtd



Note from Elric:  This file was written by the sysop of a board for computer

security people (run on a CoCo), as far as I know the board no longer exists,

it was being crashed by hackers too much... (hehe).

---------------------



        FOR SEVERAL YEARS, I ACCEPTED CERTAIN BITS OF MISINFORMATION AS

TECHNICALLY ACCURATE, AND DIDN'T PROPERLY PURSUE THE MATTER.  SEVERAL FOOLS

GAVE ME FOOLISH INFORMATION, SUCH AS: A TAP INTERRUPTS COMPUTER DATA

TRANSMISSIONS; DATA COULD BE PICKED UP AS RF EMANATIONS BUT IT WAS A MASS OF

UNINTELLIGIBLE SIGNAL CAUSED BY DATA MOVING BETWEEN REGISTERS; ONE HAD TO BE

IN 'SYNC' WITH ANY SENDING COMPUTER; DATA COULDN'T BE READ UNLESS YOU HAD A

DIRECT MATCH IN SPEED, PARITY & BIT PATTERN; AND ONLY A COMPUTER OF THE SAME

MAKE AND MODEL COULD READ THE SENDING COMPUTER.  THIS IS ALL PLAIN SWILL.  IT

IS IN FACT, AN EASIER CHORE TO TAP A COMPUTER THAN A TELEPHONE.  THE TECHNIQUE

AND THE EQUIPMENT ARE ALMOST THE SAME, BUT THE COMPUTER LINE WILL BE MORE

ACCURATE (THE TWO COMPUTERS INVOLVED, HAVE ERROR CORRECTING PROCEDURES) AND

CLEARER (DIGITAL TRANSMISSIONS HAVE MORE DISTINCT SIGNALS THAN ANALOG

TRANSMISSIONS).



FIRST, RECOGNIZE THAT NEARLY ALL DATA TRANSMISSIONS ARE SENT IN CLEARTEXT

ASCII SIGNALS.  THE LINES CARRYING OTHER BIT-GROUPS OR ENCIPHERED TEXTS ARE

RARE.  SECOND, THE SIGNAL APPEARS ON GREEN AND RED (WIRES) OF THE PHONE LINE

('TIP' AND 'RING').  THE DATA IS MOST LIKELY ASYNCHRONOUS SERIAL DATA MOVING

AT 300 BAUD.  NOW THAT 1200 BAUD IS BECOMING MORE CHIC, YOU CAN EXPECT TO FIND

A GROWING USE OF THE FASTER TRANSMISSION RATE.  FINALLY, YOU DON'T NEED TO

WORRY ABOUT THE PROTOCOL OR EVEN THE BAUD RATE (SPEED) UNTIL AFTER A TAPED

COPY OF A TRANSMISSION IS OBTAINED.



        IN A SIMPLE EXPERIMENT, A TAPED COPY OF A DATA TRANSMISSION WAS MADE

WITH THE CHEAPEST OF TAPE RECORDERS, TAPPING THE GREEN AND RED LINES BEYOND

THE MODEM.  THE RECORDING WAS THEN PLAYED INTO A MODEM AS THOUGH IT WERE AN

ORIGINAL TRANSMISSION. AT THAT POINT, HAD IT BEEN NECESSARY, THE PROTOCOL

SETTINGS ON THE RECEIVING TERMINAL COULD HAVE BEEN CHANGED TO MATCH THE TAPE.  NO

ADJUSTMENTS WERE NECESSARY AND A NICE, CLEAR ERROR-FREE DOCUMENT WAS RECEIVED

ON THE ILLICIT VIDEO SCREEN AND A NEAT HARD-COPY OF THE DOCUMENT CAME OFF THE

PRINTER.  THE MESSAGE WAS INDEED CAPTURED, BUT HAD IT BEEN AN INTERCEPTION

INSTEAD OF A SIMPLE MONITORING, IT COULD HAVE BEEN ALTERED WITH A SIMPLE WORD

PROCESSOR PROGRAM, TO SUIT ANY PURPOSE, AND PLACED BACK ON THE WIRE.



        WERE I TO HAVE AN INTEREST IN INFORMATION ORIGINATING FROM A

PARTICULAR COMPANY, AGENCY, OR OFFICE, I THINK THAT I WOULD FIND IT FAR MORE

PRODUCTIVE TO TAP A DATA TRANSMISSION THAN TO TAP A VOICE TRANSMISSION, AND

EVEN MORE REWARDING THAN GETTING HARDCOPY DOCUMENTS.



        *SIGNIFICANT & IMPORTANT INFORMATION IS MORE CONCENTRATED IN  A DATA

         TRANSMISSION.

        *SIGNIFICANT & IMPORTANT INFORMATION IS MORE EASILY LOCATED IN DATA

         TRANSMISSIONS THAN IN MASSES OF FILES OR PHONE CALLS.

        *TRANSMITTED DATA IS PRESUMED TRUE, AND WHEN ALTERATION IS DISCOVERED,

         IT'S READILY BLAMED ON THE EQUIPMENT.

        *THE LAWS CONCERNING TAPS ON UNCLASSIFIED AND NON-FINANCIAL COMPUTER

         DATA ARE EITHER QUITE LACKING OR ABJECTLY STUPID.



THE POINT OF ALL THIS IS THAT THE PRUDENT MANAGER REALLY OUGHT TO ENCRYPT ALL

DATA TRANSMISSIONS.  ENCRYPTION PACKAGES ARE CHEAP (A 'DES' PROGRAM IS NOW

PRICED AT $30) AND ARE EASY TO USE.



-------------------------------



                      #### PHRACK PRESENTS ISSUE 17 ####



                  ^*^*^*^ Phrack World News, Part 1 ^*^*^*^



                           **** File 10 of 12 ****





                  -   P H R A C K   W O R L D   N E W S   -

                    (Mainly Compiled By Sir Francis Drake)



                                    2/1/88





BUST UPDATE

===========



     All the people busted by the Secret Service last July were contacted in

September and asked if they "wanted to talk."  No one but Solid State heard

from the S.S. after this.  Solid State was prosecuted and got one year

probation plus some required community service.  The rest:  Ninja NYC, Bill

From RNOC, Oryan QUEST, etc. are still waiting to hear.  Some rumors have gone

around that Oryan QUEST has cooperated extensively with the feds but I have no

idea about the validity of this.  The following is a short interview with

Oryan QUEST.  Remember that QUEST has a habit of lying.



PHRACK:  Did you hear from the SS in September?  It seems everybody else has.



QUEST:  No.  I haven't heard from them since I was busted.  Maybe they forgot

        me.



P:  What's your lawyer think of your case?



Q:  He says lay low.  He says it's no problem because of my age.



P:  What do your parents think?



Q:  They were REALLY pissed for about a week but then they relaxed.  I mean I

    think my parents knew I went through enough... I mean I felt like shit.



P:  Do you plan to keep involved in Telecom legit or otherwise?



Q:  Uhh, I wanna call boards... I mean I can understand why a sysop wouldn't

    give me an access but... I'm thinking of putting a board up, a secure

    board just to stay in touch ya know?  Cause I had a lot of fun I mean I

    just don't want to get busted again.



P:  Any further words of wisdom?



Q:  No matter what anyone says I'm *ELITE*.  NOOOO don't put that.



P:  Yes I am.



Q:  No I don't want people to think I'm a dick.



P:  Well...



Q:  You're a dick.





- On a completely different note, Taran King who as some of you know was

  busted, is going to be writing a file for Phrack about what happened real

  soon now.





MEDIA

=====



     The big media thing has been scare stories about computer viruses,

culminating in a one page Newsweek article written by good old Sandza and

friends.  John Markoff of the San Francisco Examiner wrote articles on

viruses, hacking voice mailboxes, and one that should come out soon about the

July Busts (centering on Oryan QUEST).  A small scoop:  He may be leaving for

the New York Times or the San Jose Mercury.



     Phreak media wise things have been going downhill.  Besides PHRACK (which

had a bad period but hopefully we're back for good) there is 2600, and

Syndicate Report.  Syndicate Report is dead, although their voice mail system

is up.  Sometimes.  2600 has gone from a monthly magazine to a quarterly one

because they were losing so much money.  One dead and 2 wounded.





MISCELLANEOUS

=============



     Taran King and Knight Lightning are having a fun time in their fraternity

at University of Missouri.  Their respective GPA's are 2.1 and 2.7

approximately.... Phantom Phreaker and Doom Prophet are in a (punk/metal)

band... Lex Luthor is alive and writing long articles for 2600... Sir Francis

Drake sold out and wrote phreak articles for Thrasher... Jester Sluggo has

become vaguely active again...





CONCLUSION

==========



Less and less people are phreaking, the world is in sorry shape, and I'm going

to bed.  Hail Eris.



sfd



                      #### PHRACK PRESENTS ISSUE 17 ####



                  ^*^*^*^ Phrack World News, Part 2 ^*^*^*^



                           **** File 11 of 12 ****





                          "Illegal Hacker Crackdown"

               from the California Computer News - October 1987

                      Article by Al Simmons - CCN Editor



Hackers beware!



Phone security authorities, the local police, and the Secret Service have been

closing down on illegal hacking - electronic thievery - that is costing the

long-distance communications companies and their customers millions of dollars

annually.  In the U.S., the loss tally on computer fraud, of all kinds, is now

running between $3 billion and $5 a year, according to government sources.



         "San Francisco D.A. Gets First Adult Conviction for Hacking"

                  (After about 18 years, it's about time!)



San Francisco District Attorney Arlo Smith recently announced the first

criminal conviction in San Francisco Superior Court involving an adult

computer hacker.



In a report released August 31, the San Francisco District Attorney's office

named defendant Steve Cseh, 25, of San Francisco as having pled guilty earlier

that month to a felony of "obtaining telephone services with fraudulent

intent" (phreaking) by means of a computer.



Cseh was sentenced by Superior Court Judge Laurence Kay to three years

probation and ordered to perform 120 hours of community service.



Judge Kay reduced the offense to a misdemeanor in light of Cseh's making full

restitution to U.S. Sprint - the victim phone company.



At the insistence of the prosecuting attorney, however, the Court ordered Cseh

to turn his computer and modem over to U.S. Sprint to help defray the phone

company's costs in detecting the defendant's thefts.  (That's like big money

there!)



A team of investigators from U.S. Sprint and Pac Tel (the gestapo) worked for

weeks earlier this year to detect the hacking activity and trace it to Cseh's

phone line, D.A. Arlo Smith said.



The case centered around the use of a computer and its software to illegally

acquire a number of their registered users to make long-distance calls.



Cseh's calls were monitored for a three-week period last March.  After tracing

the activity to Cseh's phone line, phone company security people (gestapo

stormtroopers) were able to obtain legal authority, under a federal phone

communications statute, to monitor the origin and duration of the illegal

calls.



Subsequently, the investigators along with Inspector George Walsh of the San

Francisco Police Dept. Fraud Detail obtained a search warrant of Cseh's

residence.  Computer equipment, a software dialing program, and notebooks

filled with codes and phone numbers were among the evidence seized, according

to Asst. D.A. Jerry Coleman who prosecuted the case.



U.S. Sprint had initially reported more than $300,000 in losses from the use of

their codes during the past two years; however, the investigation efforts

could only prove specific losses of a lesser amount traceable to Cseh during

the three-week monitoring period.



"It is probable that other computer users had access to the hacked Sprint

codes throughout the country due to dissemination on illegal computer bulletin

boards," added Coleman.  (When were BBS's made illegal, Mr. Coleman?)



          "Sacramento Investigators Breakup Tahoe Electronic Thefts"



Meanwhile, at South Shore Lake Tahoe, Secret Service and phone company

investigators arrested Thomas Gould Alvord, closing down an electronic theft

ring estimated to have rung up more than $2 million in unauthorized calls.



A Sacramento Bee story, filed by the Bee staff writers Ted Bell and Jim Lewis,

reported that Alvord, 37, was arrested September 9, on five felony counts of

computer hacking of long-distance access codes to five private telephone

companies.



Alvord is said to have used an automatic dialer, with computer programmed

dialing formulas, enabling him to find long-distance credit card numbers used

by clients of private telephone companies, according to an affidavit filed in

Sacramento's District Court.



The affidavit, filed by William S. Granger, a special agent of the Secret

Service, identified Paula Hayes, an investigator for Tel-America of Salt Lake

City, as the undercover agent who finally brought an end to Alvord's South

Shore Electronic Co. illegal hacking operation. Hayes worked undercover to

purchase access codes from Alvord.



Agent Granger's affidavit lists U.S. Sprint losses at $340,000 but Sprint

spokesman Jenay Cottrell said that figure "could grow considerably," according

to the Bee report.



One stock brokerage firm is reported to have seen its monthly Pacific Bell

telephone bill climb steadily from $3,000 in April to $72,000 in August.  The

long-distance access codes of the firm were among those traced to Alvord's

telephones, according to investigators, the Bee said.



Alvord was reportedly hacking access codes from Sprint, Pacific Bell, and

other companies and was selling them to truck drivers for $60 a month.  Alvord

charged companies making overseas calls and larger businesses between $120 and

$300 a month for the long-distance services of his South Shore Electronics Co.



From The $muggler



                      #### PHRACK PRESENTS ISSUE 17 ####



                  ^*^*^*^ Phrack World News, Part 3 ^*^*^*^



                           **** File 12 of 12 ****





  +-------------------------------------------------------------------------+

  -[ PHRACK XVII ]-----------------------------------------------------------



                   "The Code Crackers are Cheating Ma Bell"

           Typed by the Sorceress from the San Francisco Chronicle

                            Edited by the $muggler



             The Far Side..........................(415)471-1138

             Underground Communications, Inc.......(415)770-0140



  +-------------------------------------------------------------------------+

In California prisons, inmates use "the code" to make free telephone calls

lining up everything from gun running jobs to visits from grandma.



In a college dormitory in Tennessee, students use the code to open up a

long-distance line on a pay phone for 12 straight hours of free calls.



In a phone booth somewhere in the Midwest, a mobster uses the code to make

untraceable calls that bring a shipment of narcotics from South America to the

United States.



The code is actually millions of different personal identification numbers

assigned by the nation's telephone companies.  Fraudulent use of those codes

is now a nationwide epidemic that is costing America's phone companies more

than $500 million each year.



In the end, most of that cost is passed on to consumers, in the form of higher

phone rates, analysts say.



The security codes range from multidigit access codes used by customers of the

many alternative long-distance companies to the "calling card" numbers

assigned by American Telephone & Telegraph and the 22 local phone companies,

such as Pacific Bell.



Most of the loss comes from the activities of computer hackers, said Rene

Dunn, speaking for U.S. Sprint, the third-largest long-distance company.



These technical experts - frequently bright, if socially reclusive, teenagers

- set up their computers to dial the local access telephone number of one of

the alternative long-distance firms, such as MCI and U.S. Sprint.  When the

phone answers, a legitimate customer would normally punch in a secret personal

code, usually five digits, that allows him to make his call.



Hackers, however, have devised computer programs that will keep firing

combinations of numbers until it hits the right combination, much like a

safecracker waiting for the telltale sound of pins and tumblers meshing.



Then the hacker- known in the industry as a "cracker" because he has cracked

the code- has full access to that customer's phone line.



The customer does not realize what has happened until a huge phone bill

arrives at the end of the month. By that time, his access number and personal

code have been tacked up on thousands of electronic bulletin boards throughout

the country, accessible to anyone with a computer, a telephone and a modem,

the device that allows the computer to communicate over telephone lines.



"This is definitely a major problem," said one telephone security expert, who

declined to be identified.  "I've seen one account with a $98,000 monthly

bill."



One Berkeley man has battled the telephone cheats since last fall, when his

MCI bill showed about $100 in long-distance calls he had not made.



Although MCI assured him that the problem would be taken care of, the man's

latest bill was 11 pages long and had $563.40 worth of long-distance calls.

Those calls include:



[]  A two-hour call to Hyattsville, Maryland, on January 22.  A woman who

    answered the Hyattsville phone said she had no idea who called her house.



[]  Repeated calls to a dormitory telephone at UCLA.  The student who answered

    the phone there said she did not know who spent 39 minutes talking to her,

    or her roommate, shortly after midnight on January 23.



[]  Calls to dormitory rooms at Washington State University in Pullman and to

    the University of Colorado in Boulder.  Men who answered the phones there

    professed ignorance of who had called them or of any stolen long-distance

    codes.



The Berkeley customer, who asked not to be identified, said he reached his

frustration limit and canceled his MCI account.



The phone companies are pursuing the hackers and other thieves with methods

that try to keep up with a technological monster that is linked by trillions

of miles of telephone lines.



The companies sometimes monitor customers' phone bills.  If a bill that

averages about $40 or $50 a month suddenly soars to several hundred dollars

with calls apparently placed from all over the country on the same day, the

phone company flags the bill and tries to track the source of the calls.
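
The bill check described above, sketched as an added example (not part of the original article and not any carrier's actual system). The records, baselines, thresholds and the name flag_bills are all constructed assumptions; the record set is treated as one billing month.

```python
from collections import defaultdict
from datetime import date

# Constructed call records for one billing month:
# (account, call date, originating city, cost in dollars).
CALLS = [
    ("acct-A", date(1988, 1, 22), "Atlanta", 96.00),
    ("acct-A", date(1988, 1, 22), "Denver", 88.50),
    ("acct-A", date(1988, 1, 22), "Seattle", 120.25),
    ("acct-A", date(1988, 1, 22), "Miami", 74.00),
    ("acct-A", date(1988, 1, 23), "Denver", 31.20),
    # High bill, but every call comes from one city: heavy legitimate use.
    ("acct-B", date(1988, 1, 10), "Oakland", 110.00),
    ("acct-B", date(1988, 1, 11), "Oakland", 95.00),
    # Several origins on one day, but the bill is far below its average.
    ("acct-C", date(1988, 1, 15), "Chicago", 5.00),
    ("acct-C", date(1988, 1, 15), "Dallas", 6.00),
    ("acct-C", date(1988, 1, 15), "Boston", 4.50),
]

# Constructed baselines: each account's average monthly bill in dollars.
BASELINE = {"acct-A": 45.00, "acct-B": 45.00, "acct-C": 50.00}


def flag_bills(calls, baseline, spike_factor=4.0, min_origins=3):
    """Flag accounts whose bill spikes AND shows same-day geographic spread."""
    totals = defaultdict(float)
    origins = defaultdict(set)  # (account, day) -> originating cities seen
    for account, day, origin, cost in calls:
        totals[account] += cost
        origins[(account, day)].add(origin)

    flagged = {}
    for account, total in totals.items():
        average = baseline.get(account)
        # No history means no baseline to compare against; skip rather than guess.
        if average is None or total < spike_factor * average:
            continue
        spread_days = sorted(
            day for (acct, day), cities in origins.items()
            if acct == account and len(cities) >= min_origins
        )
        if spread_days:
            flagged[account] = {"total": round(total, 2), "days": spread_days}
    return flagged


if __name__ == "__main__":
    for account, reason in flag_bills(CALLS, BASELINE).items():
        print(account, reason)
```

Requiring both signals keeps a single heavy month or a traveling customer from being flagged on its own.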



The FBI makes its own surveillance sweeps of electronic bulletin boards,

looking for stolen code numbers.  The phone companies occasionally call up

these boards and post messages, warning that arrest warrants will be coming

soon if the fraudulent practice does not stop.  Reputable bulletin boards post

their own warnings to telephone hackers, telling them to stay out.



Several criminal prosecutions are already in the works, said Jocelyne Calia,

the manager of toll fraud for U.S. Sprint.



If the detectives do not want to talk about their methods, the underground is

equally circumspect.  "If they (the companies) have effective (prevention)

methods, how come all this is still going on?" asked one computer expert, a

veteran hacker who says he went legitimate about 10 years ago.



The computer expert, who identified himself only as Dr. Strange, said he was

part of the original group of electronic wizards of the early 1970s who

devised the "blue boxes," complex instruments that emulate the tones of a

telephone and allowed these early hackers to break into the toll-free 800

system and call all over the world free of charge.



The new hackers bedeviling the phone companies are simply the result of the

"technology changing to one of computers, instead of blue boxes," Dr. Strange

said.  As the "phone company elevates the odds... the bigger a challenge it

becomes," he said.



A feeling of ambivalence toward the huge and largely anonymous phone companies

makes it easier for many people to rationalize their cheating.  A woman in a

Southwestern state who obtained an authorization code from her boyfriend said,

through an intermediary, that she never really thought of telephone fraud as a

"moral issue."  "I don't abuse it," the woman said of her newfound telephone

privilege.  "I don't use it for long periods of time - I never talk for more

than an hour at a time - and I don't give it out to friends."  Besides, she

said, the bills for calls she has been making all over the United States for

the past six weeks go to a "large corporation that I was dissatisfied with.

It's not as if an individual is getting the bills."



There is one place, however, where the phone companies may have the upper

hand in their constant war with the hackers and cheats.



In some prisons, said an MCI spokesman, "we've found we can use peer pressure.

Let's say we restrict access to the phones, or even take them out, and there

were a lot of prisoners who weren't abusing the phone system.  So the word

gets spread to those guys about which prisoner it was that caused the

telephones to get taken out.  Once you get the identification (of the

phone-abusing prisoner) out there, I don't think you have to worry much," the

spokesman said.  "There's a justice system in the prisons, too."




