fF ~N «© on I Cc ” “” o © | a OQ > z | gG < Medication Adaptation Skimming Credit Card and ACH Payment Details from Tigerpaw Software Clients The Pipe Dream of Sensible School) Internet Policy Windows Subsystem for Linux. A nQObS Toy? TELECOM INFORMER Towards a Secure Telephone Network Ghosting an Operating System for Privacy Tracking Wi-Fi Devices with Python and GPS 8 HACKER PERSPECTIVI tuPos uee mraatfkotee r Vcapalellolaspr?l tea T.h nios W hlooonn eg esras yossm eeephmao ywpt oh owwnaoenustn d tcoa nu'upts oe nf tinhdet hme a — fjNsa useatvenoSe d Letéo.mn . ma ne r iunm thte iZco nar esPpieeclt ditshtarinc t,t het hisp ost oTit BIanddu stIrSiPa l OpCSoenter ol Systems and Cy bersecurity UTR el rae Cm ere har Ts)o e Photo by Howard Cherniack Leona OM LIT) Anonymous Temporary Storage and Retrieval How to Become a Hacker,in 24 Hours Thinking. in\Al LETTERS EFFECTING DIGITAL FREEDOM Fun with Text to Speech Hacker Email Cerebral Spill OhNoDaddy:; GoDaddy, Compromised Book Review: The HistOry of the Future ARTIFICIAL INTERRUPTION The Rise of the Machines - Learning to/Detect DGAS nOoR delTrso lrikae etit t RcOaen nU b er efeCorun da neoanr Slys tr eiemtps osaslCli beolveeae r , Ptooa W find, — owAthChSie crShsT C - isa OlTStw hhoyAM u grhi t eiltn’os oaksstm ill eevp eons Ms ibmlToeenr Tec imt ’Ese e vraemrneile yn t usiettd nLTT FRiecstpioonn:s ibHlaec kiDnigs cltohseu rNea koefd a PMrailnwceasrse 0xI1nf9i ltration Attempt owever.... : : Photo by Francisco Trevifio Photo by Bret Milles OAG oti remf oerueirgons me paEypTho nnea te phtoLt tosa tefo r yuosu?r Edmiagiitla l thceamm ertao ! pa(yDpoh onnoet s s@e n2d 60u0s .clionmk.s as MARKETPLACE 62 photos must be previously unpublished.) (more photos on inside back cover) 66 T he brutal attacks by even more police on of thing in the middle of a pandemic wa~s\ peaceful demonstrators and members of the grossly irresponsible and would result in press did more to shine a light on this sickness increasing the spread tremendously, But than any protester could. When the president that didn’t happen, most likely because the p himself threatened citizens exercising their vast majority of demonstrators acted in a The fact that this issue is even here proves care less about anyone else. They are the right to free speech with the full force of the responsible manner and wore masks. Weeks how much we are capable of adapting. True, ones who hoard vital supplies and don’t military, he also proved their point better later, no spike had occurred which provided we're more than two months late and it will lift a finger to help others. And somewhat than a thousand marches. Soon that morphed even more evidence of the effectiveness of take some time to recover from that. But for ironically, their selfishness turns into a into the actual s ei zing of ci t izens off streets these small efforts. Also proving the point a while, it looked like our future was very sense of imperviousness, and they soon start by unidentified federal agents in American were those not following these guidelines much in doubt - or actually, fairly certain of ignoring safety guidelines and acting as if cities. While our Constitution and basic who saw s skyrocket where they went not being there at all. they’re somehow above the virus. Were it not military protocol, at least in theory, protect to churches, bars, and political rallies. But Let’s be clear. Our problems are nothing for this attitude, we believe the crisis would us against such madness, the fact that this is instead of looking to themselves, they attack compared to what so many around the world be nowhere near as dire as it is today. where we are at this point in time is almost science. They attack the press. They label have been going through since our last issue. This chain of events played out during the as frightening as the pandemic. Put the two anyone who's not with them as the enemy, The COVID-19 pandemic has shut down 1918-1920 flu pandemic referenced above. A of them together and you'll soon realize that no matter what the facts and evidence prove. our worlds in almost every way imaginable. serious outbreak occurred early in 1918 that the kind of unhinged lunacy that somehow And it’s time the rest of us stop letting them What we witnessed was like something out of affected mostly the elderly and sick. But the managed to get put in charge is directly off so easy. We don’t have to let our fellow one of those post-apocalyptic movies where second wave that followed in the latter half responsible for COVID-19 spiraling out of citizens die because of ignorant leaders. all elements of society simply disappear or of the year was far more deadly, affecting control in this country, unlike most other We don’t have to continue honoring people fall into chaos. mostly young adults who were otherwise parts of the world where some semblance of whose sins outweigh their virtues, The 1700s We saw abandoned cities, shut down in good health. Had that first wave been actual leadership exists. were certainly a different time and applying schools, closed businesses, financial panic, quelled, it’s likely the second wave wouldn't We can only hope that people continue today’s values to them can be nonsensical. and more fear and uncertainty that most of us have had the same devastating results. While to react on such a scale as we've seen with But that doesn’t mean we pretend everything have ever seen. Those who lived through war there are many factors that have changed the Black Lives Matter demonstrations, now was fine and pure. Evil actions transcend would recognize the taste. Even a traumatic in the past century, not the least of which defined as the largest protest movement in honor. And we can all learn more from event like 9/11 is but a fraction of what the is our knowledge of medicine and science, our country’s history. The marches, sit-ins, real history than from the storybook kind. entire world has been going through. You there are too many similarities for us to feel and confrontations resonated everywhere, Besides, there is no shortage of noble people would have to go back a century to the last comfortable. Those who reject science in even in other parts of the world. And to erect statues and name highways for. great pandemic, where between 50 and 100 favor of politics or religion are given far too within days, we finally started to see those Instead of resisting this, we should all be million people are thought to have died, in much leeway to destroy the lives of innocent Confederate statues start coming down, taking pride in their accomplishments and order to realize how truly frightening an people. We stand helplessly by while those Mississippi's despicable flag was changed, building a better nation by doing so. event like this is. We're nowhere near that at the upper echelons of power continually and sports teams began to get rid of racist Yes, there’s been way too much in the way kind of number now (for it to be equivalent make the wrong decisions and favor greed names that they once swore they would of tragedy and avoidable death and suffering. - taking population increases into account - and their own personal ambitions over what never alter. Basically, having everything We can’t fix that. But we can acknowledge the death toll would have to be around four is right and logical for the health and safety from military bases to bridges and schools that throughout all of this, something better times that), but the signs are troubling and of all. When we find ourselves being proven named after slaveholders suddenly became in us can often emerge. We hope we're the potential great. correct when the disease spreads among widely perceived as a Really Bad Idea. seeing the beginnings of that. It will only What has happened so far is both shocking those who didn’t wear masks and observe Sure, there were those who claimed this succeed if we focus on progress, not revenge. and reprehensible. It’s shocking because we social distancing, often at the behest of their was somehow erasing history, when in After all, for those who truly want to see us always forget just how vulnerable we can be, leaders, we feel no joy. We feel anger. None actuality it was calling attention to those fail, progress is the bitterest revenge there is. both as individuals and as societies. It can all of this had to happen. parts of history we're not proud of, kind of As mentioned, we did not expect to make fall apart so quickly. And at times like these, We've seen not only how quickly things like when the Soviets toppled their statues it this far. Our spring issue pretty much knowing the difference between what truly can fall apart, but also how quickly people of old leaders for the exact same reason went straight to the dumpster in many cases. matters and what's completely insignificant can react when they've finally had enough. and we all cheered them on. There were While we printed the agreed upon amount is what defines the kind of human you are. It took the murder of George Floyd by police those who tried to focus only on negative and paid full price both for the printing and We've seen a lot of these distinctions lately. in Minneapolis this May, just the latest in reactions like rioting or violence, completely the shipping, stores then refused to take it There are people who will make tremendous an incalculable string of police killings ignoring the fact that peaceful protests due to the pandemic, meaning we had the sacrifices in order to help those around them against members of the African American don’t cause these things. Corrupt policies choice of having them thrown out or sent and to ensure that we get through this as best community, for people in every part of and systemic racism do. And, of course, back at our expense and then being forced to we can. Then there are those who couldn't the nation to rise up and demand change. ee were those who insisted that this sort pay a penalty for not having removed ey Page 4 2600 Magazine 37:2 Page 5 ~\ ~ (‘ rom the originating point. Nearly all issues already been through so much in planning Tep erhaps that same enthusiasm could still to have this many arti spread over such an sent to Canada never made it there. Again, the Hackers On Planet Earth conference for be communicated. Sure, it would be weird extended period of time. there was no restitution, we were expected 2020. Just working on doing a better job not having a visible audience. But, through Throughout it all, we used an open to pay full price for delivery and even more, dealing with disruptive elements that we a combination of prerecorded talks and live standard and lightweight protocol for real- and we wound up pouring a tremendous experienced in 2018 had taken a great deal question and answer sessions, we could get time communication known as Matrix to amount of energy and expense into of effort and attention. Then we lost Hotel the best of both worlds. keep attendees communicating with each something that many of our readers never Pennsylvania when they opted to triple our Then we sought to do something else that other and with speakers and presenters, This even got to see. Some distributors stopped price, which would have made it impossible was bigger than expected. We decided to get worked far better than we had envisioned paying us entirely for previous issues due to for most of our attendees to participate. But nine keynote speakers, one for every day of and brought with it advantages that more their own financial challenges, even though then we found a great new location at St. the conference. Having so many allowed mainstream services like Discord didn’t those issues predated all the craziness. And John’s University in Queens which opened us to reach out to all different parts of the offer, such as the ability to register without our next issue (this one) had almost nowhere up all kinds of options we never had before. hacker world. And we wound up with a truly giving up a phone number. As the old phone tuon ceber tasienntt y waist ht o swo himcah nyw ousltdo rebse colpoesne d at atnhde cIt omwmouunldi tyb e liav esb igfo r cthhaant ges,or t bouft thtihneg . hacker ailnl crewdiitbhl e spveacriifeitcy roefl evfaansccien attion g thes pehaakecrkse,r company ads once said, it was the next best time we sent issues out. Of course, all of those challenges and community, all truly happy to be there. It thiBnugt , to asb eianlgw aytsh,e re.it was the attendees who Again, our challenges are immeasurable efforts wound up meaning nothing, as no turned into a real celebration of what we're set the tone, many of whom were actually next to what so many others have been physical conference of any sort would be going through, not even taking health possible in the summer of 2020, This became all about. able to make it to HOPE for the first time We wound up being deluged with talk considerations into account. The system more and more obvious throughout the submissions - more than we had ever since no travel was required. And in this sometimes seems designed to have the most spring. And, as 2600 is dependent on HOPE received before. That alone helped us erase case, their mood of support, optimism, and vulnerable, the most independent fail with for survival, losing the conference on top of eagerness was infectious. For one thing, just no recourse. Large chains have little trouble all of the other challenges we were dealing agnoyi ng douabhte ad we withha d thiasb ouetv entt.h e Twhie sdoenme rgyof the fact that they were willing to support telling their landlords they're just going with seemed like we were approaching our level was palpable. People seemed to really the conference by holding onto their tickets to stop paying rent until all of this is over. final chapter. made us realize that there might actually be need this after months of losing one thing Independent and small businesses like ours At least, that’s what any reasonable person a future for us after all. We offered refunds after another. We had a similar response don’t get that option. If we try to exercise it, would conclude. to anyone who couldn't do this, but the vast with workshops, where attendees could we'll quickly find ourselves out on the street. As we've pointed out so many times in participate one-on-one with instructors. We majority opted to stick it out. Were it not for Had the setbacks and expenses been these pages, hackers don’t think like most had a few missteps figuring out how to get them, none of this would have happened and shared from top to bottom, nobody would people do, We tend to be creative, thinking people signed in to specific classes, but got it this very issue would not have eventually have systematically suffered more than outside the box, and willing to do things made it out. Those particular attendees will figured out and were able to quickly respond anyone else. The idea that people are losing nobody else has ever tried before, And, faced to attendee questions and concerns. In the always be very special to us and will always their homes because they can’t pay expenses with oblivion, that’s exactly what a bunch of end, we had more workshops than we ever get preferential treatment for anything in after the pandemic cost them their jobs is us wound up doing. the future that we're involved with. We in awnhootshee r fiirsntd ircualtei ons hooufl do ura lfwaaiylsu re bea s toa ssoucpipeotryt, to Tahlle oft htohue ghdti sawpapso intthamte nti nstoef adt he ofy eaard dianngd ehvaed ryb efbiotr ea s aancdt ivteh eya s wteher e inw-eplelr saotnt eknidnedd. and turn pledge to support those individuals, its Wmee'mvbee rtsr.ie d to be as creative and as positive cHaOnPcEel?i ngW hiHlOeP E,th e wthhyo ughnott osf imapnl y allr-evdierftiunael ourW e traaldsiot iomnaaln ageldo cktpoi ckhaivneg vivlillalgaegse,, likaes ewse tabbleilsihemvee ntsi,n anadn d thato rgwaen izawtainotn s t—o tsheaet as we can be. We managed to get a number conference sounded incredibly lame to well as everything from hackerspaces in survive. At the conference, we helped raise of our spring issues sent to grocery stores almost all of us, we sought to figure out ways various parts of the world to anarchists nearly $15,000 for the Electronic Frontier instead of dumpsters. We figured since we to make it into something better than just a to radio broadcasters and enthusiasts. We Foundation and spread the word about had so many extra issues that had nowhere bunch of webinars and Zoom meetings. For even managed to have a film festival - not numerous other just causes. Never has the to go, why not at least try an experiment one thing, we realized that if we were going the kind where you go and watch films, time been more important to show that kind and see if we might get something positive to do this, we had to come up with something but the kind where you go and make films of support. out of all of this? We're glad we tried, but bigger than what we were used to. So we during the period of the conference. The This year has been hell. But we're now we know that a hacker magazine isn’t started by tripling the amount of time HOPE fact that people were able to be a part of all getting through it by adapting our what people are looking for when they go would last for - from three days to nine days. the conference and be able to create full- expectations and our behavior. In a crisis, food shopping. Our sales figures were far That started to get people's attention. fledged productions was nothing short of that is how you survive and eventually bring worse than we ever could have imagined. So Butit was about so much more than that. We incredible. And then, of course, there were things back to a normal state. In society, that yeah, another setback. But it still felt better knew we had some truly incredible speakers. the musical performers, typically getting on is how you create change and start down the than sitting around watching everything fall If we could get them enthused about this and stage at around midnight and impressing the road of progress. Through our combined apart. have them present what they were going to global audience with creative and unusual adaptation, the challenges of 2020 will \_ And then there was HOPE. We had talk about in a remote ee instead } 8 bras We had never before been able ultimately guide us to a better world. ) Page 6 00 Magazine 37:2 Page 7= SKINMaINaG n CAARRTDa AeND AC &P®R U TENT DETAELS:) (Ti gerpaw just embedded a web form into its real credit card entry form, so I could create an) desktop GUI. I took a peek at the source code indiscernible fake with one change: modify the wi yy Yat. ~. for this page and the form POSTed sensitive URL to which this form submits so it went to details to an HTTPS url, so at least sensitive my Flask server instead of the real destination. —— details were being encrypted, but I was pretty Further success: with a few print() lines added certain this single unencrypted web request to my Flask project I could now log credit card Tigerpaw conce . and _ sells BNG, who provides the vaulted payment could be abused. or banking routing numbers that a user entered business software to run day-to-day operations: processing through Tigerpaw. To use’ their At this point, I decided to spin up a virtual into Tigerpaw! everything from sales to service; inventory to service we were required to file a “Self machine and get some tools to thoroughly This is pretty bad on its own but, as the invoicing. They'd recently integrated payment Assessment Questionnaire” (SAQ) to be inspect the process. I installed mitmproxy, project stands, my server only receives sensitive processing by credit card or ACH into the stack. considered PCI compliant. Alternatively, we arpspoof and some Python frameworks, namely details and leaves the Tigerpaw client in a Tigerpaw, it must be noted here, is used primarily could pay an additional $25 a month if we didn’t Flask, so I could serve web pages; I configured broken state. I had a few ideas to fix, this but on Windows PCs. While a web version can be file a SAQ, but, amusingly, we are not absolved the attack VM to allow packet forwarding. none of them were entirely transparent. I installed and used, this article is focused on the from liability or responsibility if we opt to Then, from the attack VM, I poisoned my wanted to be the middleman for the whole desktop client. This is a story of how I came to pay the monthly penalty instead of attesting desktop’s ARP cache with arpspoof, making transaction - capturing sensitive details while discover a flaw in their credit card processing to our level of compliance. I digress, but this the VM the man in the middle, so all traffic not breaking the process. At this point, I have to implementation. It was discovered on version agreement was with yet another third party going through the gateway passed through admit, I spent a whole lot of time that ultimately 1.17.1.01, which may not have been the latest at company to BNG, so we're three middlemen the VM first. Finally, | configured the VM to did not contribute to the final solution. There that time, so this could affect versions slightly deep at this point, which made it difficult to get intercept and send all unsecured web requests were some TLS encrypted exchanges in the full older than that, but definitely not versions 18+. through to someone who understood (or cared to mitmproxy and I was ready to try serving process which contained details necessary to Bear with me while I cover some background about) our concern, arbitrary content in place of the payment detail handle the entire transaction myself. After quite about Tigerpaw and how I became curious I believe we were originally presented with form. some time I decided it wasn’t possible to accept about their online payment tools. Tigerpaw’s SAQ-C, a weighty document covering all Mitmproxy allows you to write rules to the sensitive details then go on to complete the payment processing is handled through a third kinds of scenarios and policies which made handle specific requests. So, for example, when transaction, at least not without installing a fake party company who provides an API to access a little sense for such a small company. We had a request for “tigerpawbng.azurewebsites.net” TLS certificate on the client. “vault” for accepting sensitive financial details processed credit cards through QuickBooks, is received, I can direct that request to my Flask I had given up for the day, but the problem and payment processing. The typical vault is PayPal, and Stripe which worked similarly server instead of the real destination. I started a occupied my mind through the night. It dawned designed so that sensitive details are not stored for years without any agreement. Among the Flask project returning a simple “Hello World” on me at some point that the Tigerpaw desktop ploacsasleldy. toS enthsei titvhei rd deptaaritlys caroem painnyst.e adA steockuerne lyis umsa nwya s quonees tiaosnksi ngt hatif adlil dns’te nsisteievem dteot aialpsp lyw ereto amnedt hobde gaonn mcyr eadteisnkgt opa naegawi n.c ustomer payment GbrUoIw sewra s arnedn dertihantg ba rwoewbs erp agew ouinl da n leimkebley dderudn received back from the third party company transmitted securely. We sure hoped so, but * Tigerpaw requests the credit card entry Kgiagie I wondered if I could: which represents the payment method stored we weren't the ones who wrote the software, form, Direct the secure POST request to my flask in the vault. This token is used to charge the so how could we attest this to be true? At this ¢ The request goes to my VM, the MITM, server as before. c ustomer in future transactions. The token is point, I was given the green light to spend some instead of the real gateway. * Log the sensitive details as before. worthless to anyone other than the business, time investigating! * The VM’s mitmproxy sees a request for * Reflect the original form back to the client so the sensitive financial details belonging The first thing I decided to do was log all “tigerpawbng.azurewebsites,net” and with their payment details filled so the next to customers can’t be stolen in the event of a network activity while creating a secure vault directs the request to the Flask server. time it’s submitted it will go to the real data breach, This is all good! Using this type entry. I was lazy, so instead of a packet capture * The flask server serves up a “Hello destination, of payment vault reduces a company’s PCI I went on the firewall and made a rule to log World!” page. ¢ Include some JavaScript to make all network connections the client click the submit emanating from my desktop. button after the page loads. I quickly learned _ that Tigerpaw made web requests This worked and was during the exchange. There completely transparent to the were no fancy services user! I wrote up the pertinent running on dedicated ports, details and got the attention just a few web requests, of the company’s president I moved onto proxy logs and lead developer to report on the firewall to see if I the problem. It has since been could identify specific web fixed. This bug, in my opinion, request types and URLs. was most likely a development One interesting entry stands holdover. The form was out: an unencrypted GET. available through https, it just Curious to see what was wasn't pulling from that URL. being pulled, I directed a It worked! Tigerpaw showed “Hello World!” It could have also been a misunderstanding ar airs requirements. browser to load the URL. It was a form to enter instead of the credit card form! that since the details were ultimately POSTed \ We signed up with this third party company, credit card or ACH details! It turns out that a next task was to grab the source for the securely that serving an unsecured form wasn’t Page 8 2600 Magazine Page 9 d angerous. to reduce their liability by offloading: it onto) ( co lin: Only time will tell what information gets degree of online autonomy in a space where they ) As for the document BNG and their third clients. shared and to whom by way of TikTok, but it’s don’t fear judgment or repercussion for accessing party required us to sign, we finally were able While I'd theoretically known how all these hardly more concerning in that sense than any sites that have been deemed non-educational. to reach someone who understood that we were components worked for years, this was the first other social media platform. Singling it out as We can still make sure students are being safe not directly processing payment details and, time I combined an array of tricks to discover Public Enemy Number One on district networks online (I am not arguing for the unblocking of since we were using their secure vault, a less and craft a real world exploit with criminal won't fix that, and doing so will only divert pornography on school networks), while also stringent agreement, SAQ-A, was sufficient. It potential, I also learned that the small amount energy away from preparing for the inevitable communicating to them that we trust them and could just be a misunderstanding, but I suspect of time it takes to look for bugs in obvious break-in that will happen to a district that, from they purposely push the full SAQ to customers places can have a big payoff. the outside, is laughably insecure. And of course, that they are worthy of trust. And to top it all off, my school district is neither the only district we won't have to constantly keep tabs on which to have vulnerabilities like this, nor the only new social media sites to block, and can instead district to so blatantly ignore them, and frankly, spend energy making sure the sensitive data we I'm very worried for the day the you-know-what have ess to is kept safe! dhiutrsi ngth e refamno,t e espleecairanlilnyg, ifw hiet n hapthpee nsin tergirgihtty naonwd be Rea p ipstei caldlrye, am,I uanndde rstthaant d latrhgate -sctahlise msihigfhtts accessibility of a school district's network is in perception like the one I'm advocating for The American public school system has security issues that could arise from sources more important than ever. don’t usually happen without an impetus, All I always had a strange relationship with students’ outside of the school’s network, There was no Students respond best when they are told the technological autonomy, When I was growing up mention of our students’ unbelievably easy to truth, and when they are given independence can say is | hope we come out of that impetus in the 2000s, technology in school was viewed guess default account passwords, no mention and responsibility. We would be much better in one piece. Until then, I don’t have too many with caution and resistance more than anything of the increased reliance on Google for account off educating them sincerely about the risks that problems with pesky school firewalls breeding else: Kid Pix and TypeToLearn were the only information and personal data storage, and no come with online activity, and allowing them a more hackers. applications readily and independently usable by mention of the school-specific WordPress sites students on school computers, and gett i ng online which are frighteningly out of date (when I HOP E without a teacher in the room was an uphill started working at my school in 2019, our site had battle at best. For better or worse, as | aged, this not been updated since 2013). TikTok was truly tchhraillll enofg e geotntliyng expacsitt eda dmiest riacntd fmirye wapleler s, creaatnedd tahne the TimkaTionk coins,c erofn . course, a place where students 22 .0.00.8.8.28.8.8.08.8.0 .808 urge in me to poke holes in security systems that can conceivably come across “bad” content, but still motivates me to this day. to spend time and energy attempting to prevent Now that I work as an elementary school’s IT students from getting there in the first: place specialist and can once again stick my fingers seems not only impossible but also tremendously Not What We Were Planning At All into the inner workings of public school district misguided. District [T departments can obviously tbacaecccekhs nso slotoomg eyt he acnIodnn tcesreenrcenutir,in tgay n dp noealwvisac:iy ,l abwI ihlfieiletely | otmfe ucshhtan rodrlweopagoryre,t wbiilgtonhco kr an“attn iyk ttoo rket”qh iuneiksn t tthhgaeot inhtghe aatd ien rw,oo ur lbdou utt protefhv eeytn hte wosnutelutddwe onrtbkse ibleW itshup pao rcto, mbainnda tiuonnb eloife vuanbfloer tusnkailtle acnidr cutamlsetnta,n cetshe, hcarcekateirv e cothmimnukinnigt,y incmraedde- have grown and changed dramatically in schools history this year. HOPE 2020 was a magical nine-day event that brought the from accessing the app. Proxies and firewall- over the years, the district-wide playbook for circumventing websites are as old as time, and world 130 talks, 60 workshops, a musical performance each night, and an cybersecurity is almost entirely unchanged. still work darn well. This is not even to mention absolutely amazing community atmosphere. While we all wanted an in-person Still, to this day it appears as though district the glaring hole ripped open in school Wi-Fi gathering, HOPE 2020 turned into something truly unique that really bright- cybersecurity departments spend most of their networks by cellular data. Even the least tech- ened a lot of summers (and winters since the southern hemisphere could also energy trying to keep students off of individual websites and platforms that they deem dangerous savvy student can turn off Wi-Fi in school and participate this year)! / use data to open apps and websites a lot worse instead of prioritizing the security of the district than TikTok, and they can even create a hotspot agnrneedta wto nrekft,iw roerwskae lcluaersd i tay gwahrmodleeean,s urItneh asto thiaesr re a wstoycrphdiosco,al l liynd issitdpreuit c tt'hisen to lBeut t thenior, fTrii ek nTdosk on,is tao o! main concern. Funnily of Wthee atlalrkesa dyin hfaulvle HtDh umnbo nd-riDvResM reMaPdy4 fofro rtmhaots e thwath o wilwla ntp laqyu iconk parcectetsys mtuo cahll place to police the students (and faculty) inside enough, YouTube receives none of the caution anything and which can be copied and shared as much as you want. Just $79 the garden instead of making sure that the garden that is given to TikTok, perhaps because it is more for two huge drives crammed full of talks plus a bunch of extra stuff. Full is safe from outsiders to begin with. established in the school system? More familiar to details at store.2600.com or write to 2600, PO Box 752, Middle Island, NY Atarecent call I attended with other IT workers teachers? Owned by American Google, innocuous 11953 USA. from my district, we discussed a multitude of and patriotic, unlike subversive and mysterious security concerns, but predictably the main one Chinese TikTok? Whatever the reason, YouTube If you were a ticket holder or presenter and you haven't heard from us held among many was the rise in popularity of is deemed educational, and TikTok is deemed TikTok, and the necessity (according to them) evil, despite the reality that TikTok is at worst a regarding your special shirt and badge, please contact us at [email protected]. of blocking access to it on the district's network. classroom distraction, and YouTube is at worst an We can never thank you enough for saving our asses this year and helping to Aside from the very valid concern of phishing, incubator for school shooters, But I digre: make this incredible event possible. But we intend to try. asl was practically no discussion of possible To be clear, TikTok is indeed a risky place to we Page 10 2600 Magaz i ne \ 37:2 Page Il oat by P4!nt This article should have been written nano to bring up something else: you a lot earlier and probably has been. But can indeed run X on this thing. But it’s Microsoft had included a nifty little sort of a process to get it running and feature into Windows 10 called the the only mainly functioning desktop by The Proph Windows Subsystem for Linux. When environment is xfce4. But there are I first saw the Windows Subsystem for some limitations. Namely, you can only Hello, and greferomt thei Cenntragl Osffic e! test recording), Oversubscription extends When I wrote the spring column, we were the throughout the system; interoffice circuits, Linux (or WSL as it’s called), I origi- really use xfce4 as a desktop environ- first place in the country to be experiencing tandem circuits, and long distance circuits nally thought it was a useless terminal ment and even then it somehow takes a the effects of the pandemic. Now the virus is (+1-541-967-0006) are also oversubscribed. emulator for nOObs to call them- performance hit. On my machine, for tearing through the country, killing thousands But the only recording you'll be hearing from selves “hackers.” So out of curiosity, I some reason, audio did not work, but of people every day with no end in sight, and a coin station without depositing 50 cents is thought “what have I got to lose” and it worked on my laptop. So mileage the government seemingly has no plan to get on +1-206-343-0011! went through the process of installing may vary on audio, And the worst of it under control, All of this has had a profound Telecommunications networks are set the required stuff for it and installing it all was that sometimes the X server impWahcitl e on vtohiec e telseercvoimcmeus nicaraet iornesg ulaltaendd sca(paen.d oupv erfwiltohw athnen oaubniclietmy enttos , contofoi. guFroer eexmaemrpgleen,c y if Ubuntu (not the 16.04 version that is would not work and, when it did, you have been carefully and resiliently designed there is an emergency, long distance carriers also on the Microsoft Store). were mainly stuck with xfce4. I tried 13 over decades to continue working through may play a related announcement (w W wW. 20 Afmtienru teist inist tatloloekd , toI saitn statlhlr ou(gthh antkhse and MATE with no real success. i3 kept pseerrviiocdess ofa re extnrote.m elyT he higdhi rty demlainttdle) , secdraetta =y maili.c : y coming up with errors and MATE just > carthquake in the area is an to my Western Digital 5400RPM hard crashed the X server. oofv erstoellde.c oJmusmtu nliickea taiiornlisn es iss ellt hamto rec apsaeactist y thanis example of one such AT&T announcement). drive), After | had made an account But is it a nOOb toy? Honestly, no. they have on the airplane (hoping that they An example “heavy calling” overflow and password, | was greeted with what Yes, it does seem childish, but Micro- “win” and get to keep a nonrefundable fare announcement can be heard at +1-313-849- I expected: a blank prompt with user soft actually introduced something that as pure profit when people fail to show up for 9906 as well. name@win-desktop. It reminded their flights), Internet and telecommunications You might wonder why all of this is the me of the Ubuntu terminal (namely is useful to Windows 10, Now, yes, it is service is also oversold. case. Wouldn't it be better to just build wXatse rmg)o,i nga ndto iI nsdtealcli dewda s tah e nifftiyr st prtohignrga m I tkhienrde ofa reu nfaa irf ew thaott heI rtse stoend tUhbe unMtiuc rowshoefnt airTlihneerse oivse ra serlelal lya ndb ig hodwi ffteerelnecceo mbmeutnwieceant iohnows tchaepya citwya nt fort o evdeo rysoon?e Wetol l,m akyees , cablults iwt’hs enreevalelry Store (mainly Debian, openSUSE Leap, firms oversell, though. Suppose that an expensive to build enough capacity for called neofetch. (For those who don’t and Kali Linux). Ubuntu is the one I airplane has 100 seats and, based on historica l everyone to use the network at once, so this know, neofetch displays system info data, the airline knows that on a given flight, never happens. Instead, we build only what in the terminal.) So right off the bat, I see a lot of beginners and nOObs going 20 people on average fail to show up. The we expect that people will actually use. This have to mention, run sudo apt-get towards, In the end, I see the Windows airline might, conservatively, decide to sell is the field of “traffic engineering” and it’s a ipdate first or you will run into Subsystem for Linux as a helpful tool 110 tickets in order to pocket the difference, highly structured discipline. Traflic engineers to assist people getting into Linux, and they'll usually get away with it. If 110 get involved in the initial construction of eatrhnardto rsn ite ojfduiesdtt chi lnidkieen estda I lldweidod r.k latSeolr i.k e o| neift ousnuhdpo dualotdu.et danodn e foorn sWoimne dotwo s getw itLhionuut x-tbhaes ende edt asfkosr oupfepfogerpr laedt ehe acart eusaftel wl yof oft dho etmhs ehmo vwo tuoc hupfei,rr sst thect ol asatsia rkleai nneda lwwaiitllellr atirenelv oelpvhneoedne ed ewdh eenx chbaausnpegddea st,es on tbou t couhra tnhgeiiyn nfgr asaltsrcoua cltluigrneegt And one line interested me: Kernel: dual-booting. flight. patterns. For example, we used to have far 4.4.0-17134-Microsoft. The Rig I tested WS L on: Would you believe that here in the Central fewer circuits to mobile phone providers than So it was indeed a Microsoft bastard- Office, we oversell our capacity by fen times? we do now, and we only had direct interoffice ized Linux kernel (most likely modified For every bank of 400 lines of service coming trunks to two wireless providers (both of in from the frame, the switch only has which we used to own). For the rest, we'd to talk to the NT kernel) running Ubuntu capacity to handle 40 of them at any given haul everything back to the tandem, causing 18.04 just like the kernel should. time. If you have ever heard a “ f a st busy” f requent queuing (it is exactly what it sounds I should add that, much like normal signal or gotten a recording that says “all like, and causes your phone calls to take a Ubuntu, it comes with nano installed circuits are busy now, please hang up and try long time to go through) and outright grade of which is pretty nifty. And I mention again,” you've experienced a grade of service service failures both at the tandem and on our failure (try calling +1-509-457-0051 for a own switch. Traffic engineers to the sonia, Ne Page 12 2 6 00 Magazine Z 37 : 2 P age 13 (—__ TOWARDS A SECURE TELEPHONE NETWORK (Th ese days, we work with all regional mobile One thing that strikes fear into a traffic \ providers to reliably send and receive traffic engineer’s heart is a letter from the state directly via VoIP trunks, often bypassing the Public Utility Commission. They'll usually tandem entirely. learn about this from a very unhappy manager, by Dave D’Rave Growth isn’t the only story in a regional and the issue will typically involve grade Analog telephone systems were invented in Secure and Authenticated Metadata economy, especially when you're selling of service failures to e911 services, For the the 1870s. First-generation digital telephone To make a phone call to someone without traditional land line telephone _ service. most part, Public Utility Commissions have systems (T-1) were developed in the late 1950s. delivering any metadata to the phone system, Demand for our services here in the Central stopped regulating quality of service, and Neither were specified with any thought to the you will need a telephone session server. Od(safsstnnofyneeeouherfodrrcdbee iu vvaesmdc iir dc eecceerod ees;iuth c ior baa dh senfeaa wo’ropsnnenrtssu t d l sw rii hioaccanautrlrheorerctu ee)van hh nn.esse 'c kcn mietuu od rschsDerratttoriesetebho lam pneuqmyb btpylu el eiaforyfacrnyirsso nae ym ou rdutbee ctsmpsstnhehroitecht doai drer o nneseiIbetnieg btnsu t eeotnnifidre’caddo sr tflnaaln ’ ypebftesa ii aot.nbcesu tetpeinrrere.bt c t oIllyuhofneee sftuWti ppioretrh hhnatraaipooehmnbaalgtnnseel sheeee,stete egtTeemfinto rvarnnea aieasftnwfl“nduowtlaieQ errorins9u iccgra1na n se1’k leg dt oier fhttv noea yiswtrgon hceieiusdaeg trrnet o hv ero iifvetncp d gihrheutiercsetsbshaces hla dri eeivesor dcs.yivuoi p C iiosges eec nhssnnfe n Hait ds’tfontr thetewrdaoe tsi ieuliy sac re v tiu felmonloyOnrrpou dfet p,tar feoer c isrdomtcoe sfeb orbsp .vlnueir ioseirantocuyrvvhtmIbere eeifo”l iscr ertcecmef mm a ieaedl,rtiielt isc.lgfs rnuu f riiroacaateoratdsnnssutrhe.dd,.rsee srlwithe*v riqiucuncIOqOttRghit hurr e ruaaiicrteslwgg eehmiaiii,iortettnn evyuhhnaa ie ltwttr dsheeedct i h nocecdmp ahb-cloape aalftrra l snetotl cdsi-siaup es elnbsoeunt slcssudsuier dcs irne oiabigco nnetlf egnwn yeit ioc hvtatterehu h ys oott peosrfhr ct eoeeuitc lanhraoblpdetdleunro lei i.iwsccl v ticdiahasnu estcigr ieygwr:.odntime an tenelhsltts esWa,pid etgha iohnotndsiafnaauglraye,chsar.s h-,-e pMro¢* osptY(cTstttY ooioehh“hos oeruaSeuenInv na r tPd enna reletstk nnlpaeh tme. elhreee ao vortcCdnteo naC.lderhel a a td o lhu dIlestft e hs prroeyanh tvin8snsuoh e 0stenImrf0aeyDe cbse- m a reNslsarsOlfh n saoRa t yl-vchsltePyaeet ho oOnnhnewu eL wcs Eah:r ”s vaypwcu)astpieop,rttsernp iahsevnoon odeerudn rctsta t o r socdyy ctr ioooha niluumslf p t..miooth arowwsTmnaniahtaensdyhe-,thse trbwieeudl saailt hneaedwds a sv ebb teueesolnfi e npdehhsioossnl cedo innfnsageei rlcvutrriieeco.ea n,s so nTwaehdb'eulresye e top srtpboeuacasnedisdynse eimsnwisgicet -sh a toiHrrmo opwutaebhcvelt ee ro,todh uuerer i f mtisoe sutsbrfusiaeiccsnsr t.i tbhveaWroth sl iuclmaaeenr , e bwersedec eprvoadirotlntc ’ihtny ug s ,gc eistri etc rudavi oitecsloes,t sOpRurheciochgne ieinsvta,eht a te wciaClt(alhnls lo enofr-r rsoewImciD ut rhlcoeeau)gnt an cocytCa l alltslbe eel rte osp phIoloDo.en fgeaescd.y. tele- ptrnhaeoecptnkoh eirtntt,geh .ed wshtIeofi r cvtthehhr ee yc wuoisnlehlrta .av idene sl ia vetcrheo mapnCa atlaliuebtrlh ee nItD ipchtaoon teeb,de ownoen 'to f bteh e coonmliyn gt hibnagcsk , keaenpdi ngi neorutri a trhaadsi tiboeneanl qofu alittryo ublteh eser epdoarytss, aIbntoeurtn et telise pahnoonteh ers ersvtiocrey Encryption of the Voice Channel aA sscuommpiantgi bleth at setchuer e perpshoonn e yoaun d waannts wehrass landline telephone business operating. While entirely. There are a variety of methods which allow the call, the server will authenticate them, we can't easily consolidate Central Offices, I Remember our friends, the __ traffic secure voice communication, if you have good transfer the session keys for voice encryp- think we'll likely see investment in smaller, engineers? They didn’t plan for the Internet key management. Modern microprocessors are tion, and you can start talking. more modern, and more efficient digital during a pandemic. Residential Internet very powerful, and good quality crypto can be This procedure means that, as far as the sPuwbilticch esU.t iliOtnyc eC omtmhie sscioomnpsa nyto goc ana loncgo nvwiitnhc ea stoe rviccaer ry hapso pulabree n strceaarmeifnugll y conetnegnit neeorveedr iYomup lecamne ntreeadd abwoiutth outhte deetxacielsss iovfe mobdaetrtner y cryupsteo. ptoh otnhee scerovmepr,a nayn d ist hec onscerevrenre d,m adyeo u a mcaaldl e to a ycoaulrl wfuel'll l mipgrriamtairoinl y to seVrovIiPc e seIrnvtiecrense,t ist’us bslcirkeilpyt iothnast epvereiroydosn e ofr unnpienakg VdPeNm ancdo,n necnotti onsfo r to newaorrlky awnedb simtae.n -in-the-middle attacks on your favorite ftrwioe ndo,f byuotu , thBereei ngi s anbol e cotnon emcatkieon cablelst weweint hotuhte from the Central Office, and telephone at full speed all day and then running video Let’s just say that good crypto exists, but that giving metadata to the switching network is an switching will be consolidated to one or two conferences on top of it. Almost overnight, many exploits exist. One of the best exploits is important first step towards secure and private bsseectdmflEyeuhxeaunroo eteerlllcgd iTyrvclaaieer chi-untnlsaiictlgiie f nsseeia,of etex m tniiro,episcnrtst paeo oh iv rcn ecooDots eearmlavp ,lcindvaein gfogeerkdituis niteoestnt oneru rhatmerrashLl wsfieemt eeloAf.hsryeiyimr eT'.dticn ai klo,A,nerlt iiT g, Thnnh a bhietgveun iame tiwsndita ntsh daehi ttwsic aev iweilicolietdh crshahlmp a ni rma“ o’tpagrtogbMp ea ttnybr Tl r tn.aiayrotSd ylfaA nhofOfee legfaifW_ syy cnia h c.eoe fte r etmssshein ittnepxenpsaag lplr ttafKieeoiivtornptcssytirrraethttoesacmiir eolfr cceeeurnfnaa’i”dpsetsllsco a cscseEpmmpabnwrqruuooroeevuieoubbmornctecn fauspveanwrhdilrcli ueosyl o bratssecrowisiisielktln..bl noi ce e e ektnavd ersepetno OCps.hradfeuil,oa yc sbetra miu dan tsmlssenaltyBytce odrtnihu u rrerdt andaos o vcgefcmiuhew i inodbba nattal felnlhstsloanlehdei ccetr ess-lneg itheseggnaeuq anu tr l nVunetrm aaenPhgaeptrddtuaeldeNiethon eetgneldei rh wy de otmb,o i ncu sirIgassost nkntdho intyfso dabfnoneplw fiureorileuwl t mlsnclcrejil eaastuhr owtlr skioeonio etfeoo fato s df n hldsi is oweds st.ubhtereehtpt royrvinrr rlisrpeitvael ociefnciitoBattfrn'ecatoudshi-gtselykt.,iecs eyaattuttpwlohnioneanhl eo dudrlio n eu-eqonsTTs pfptue ahhel theor ee ahreo -ts ai ahnethnce1 neosumn a 4lp seduadl-orot.islio bl htnoscdindme hgiapte le o on lrn fisckstuEn lda erhseauieecsecyydna kmh srhsp e e bhyieaptyopdtorbehesci ptsunerdo rf olheh n yfe dodiueepn nnsgsmrt”ycdeheeiooo “o nnonn dubtdeguom eu tr ilrec,hgmadnammt e teels gaashlonto le ytotrchm hclh .dareoheys s,tp yda b ha rpen pomo ttlgwukopphiaiehpleuolfocn ed isoseendirr cad t nahlfw gt osigo.ovenrke f o dae ntiey wdieecsfshiih revne4eari a eta0trechtrkstdcaahey,,--sints doiIwpbscofiDdaelbonoo)fictaslucm.fckuncll ome:ap”Vuodrm ul aArwe ilnrnneeyniitpodamW og cr ptohu oaphtcdsenhbceteh efenyueaira a mrdxo nm butmngehremteosetyeotereotr o . h at u sotds h“mehdao(oderrotstm iedvodagys ee rui.ueprtilti ns hgcitacws iiosl acOan unlatnanlgllfote dlty.riven i oe h o nmdaigo ibvc andea ee e e o y“ acbvoc ueteauslwshmlr eileileoys r ,t d db vh east epoce,sr htkrth”hn oov oe ou ner stetrouef sCwuiiabhnrpenlcicdtie atgalahrclil etiealalhr-arn-l, a compressed using some kind of lossy algorithm Degrading Traffic Analysis to estimate how rapidly a given area’s demand unregulated! The Public Utility Commission Tfohre tmealtehc omgemtusn ipcraetttiyo nsha irys,e rvbiuct esi f ywoilul' re grionwt.o can Ancdo mpwliatihn ,t habtu,t It'hme y gocainn’gt ftoi nel iguhst. up some t(hweanv eleentcsr ypatree d a usgionogd onceh oiocfe )t,h e pRaicjknedtaiezle d,f amialnyd collAenct ioni mpiso rttraanffti c acnaatleysgio s r .y Byo f obsheosrtviilne g hdaotwa that sort of thing, you can learn about the new fiber. Stay at home, stay safe, wear a of algorithms. This will probably require LOO many packets go from the person originating formulas typically used at en.wikipedia. mask, wash your hands, and enjoy all of the KBaud of physical bandwidth for high-grade the call versus how many packets go from the Ar org/u tei /erlang _ distribution. extra buffering. 2600 Magazine J voice quality. per son receiving the call, some idea can be Page 14 37:2 Page 15 =A (g ained about the call contents. The solution is tive ring when a non-secure call is incomin, Ghosting an Operaf Su Stal al alo 37 to send random packets at random intervals, so which would give the operator the option of as to balance out the apparent data flow. declining the call based on its security level. It also may be a good idea to send dummy by Diana traffic on the command channel to obscure, for More Advanced Features example, which time zone a phone is operating Secure conference calls require a server Upon wondering how to return privacy to was the same except for one line of assembly. in. that supports individual encrypted links. It also home and hobbyist computing, | thought of an The assembly to specify the drive: requires that the conference device itself has idea | applied on another system as a patch when MVI A, O3h ; to hard drive Key Management and access to the unencrypted voice data. Confer- rack zero of the hard drive was damaged. I feel =e: Authenticated Data Transfer ence calls inherently operate at a reduced level this idea could aid in providing a ghost portion Call Bios+SetDrive The usual way to attack these kinds of of trust. of an operating system to prevent snooping or systems is to engage in a “Man in the Middle” A somewhat better secure conference call spyware or unauthorized data gathering. And was changed to attack. The typical way to prevent such attacks serve would consist of multiple inbound The way to think of it is that surgically I A, O1 ; set to drive A: is to use public-key cryptography, with autho- (receive-only) voice channels, along with a removing parts of an operating system can take s+SetDrive rized servers and their authorized public standard conference call device which is in a vast amounts of time, espe ally if you do not As a result, when I used the Xerox 820, part keys pre-registered. As a practical matter, the secure location. The effective security of such have an interrupt map or operating system jump of the startup process was to put a specia I setup server's public key needs to be installed at the a system would depend critically on the phys- table, The method I'm describing relates to a CP/M disk in A drive with a submit script to factory. ical security of the server, and on the use of solution I performed in the 1980s with a Xerox link to the hard drive and add the modified ghost There are several levels of secure commu VPN technology to disguise the physical loca- 820 that ran CP/M, and it is still applicable today. nications in the system. First, there is an tion from IP scanning. When I received the Xerox 820, I rushed the code. This was done by writing a small loader authenticated/encrypted channel between the Tor is probably not a good idea. For one startup sequence for the 20MB hard drive that assembly program and then block moving an originating phone and the server. Second, there thing, it seems that more than half of the Tor came with it. As a result, track 0 was damaged. area open in RAM above the BIOS. is an authenticated/encrypted channel between gateways are controlled by national intel- So, when a program ran and a warm boot was Very reliable and it always worked. When my the server and the rec e i ving phone, Third, there ligence agencies. For another thing, Tor has needed, a disk error would appear. dad was alive, he would show friends as he was is end-to-end bidirectional encryption between poor latency chi teristics. I wanted to fix the disk error because the hard proud about how I worked out a neat hack to get the two phones. drive contained other programs added when I the full system to work. Compatibility with 802.11 The Teucshuanli caolp eraDteitnagi ls moodf e Lafyoer r thi1 s type b1 ouagnhdt Xetrheo x Xe8r2o0x bo8t2h0 . raIn rCeaPl/iMze d anmd,y aOs sba ornneew On current computers, the biggest issues and IP Phone Systems regarding privacy are communications ports and of device is some kind of packet-oriented graduate in computer science from University This system of telephony can be used with low latency network, such as the CDMA of Wisconsin, my studies included computer Wi Fi drivers. As many of us know, when you conventional voice channels, and it can also technology used by cell phones. Generally science, computer engineering, and operating bought a laptop circa 2005 and reinstalled the bTeh e uspehdy siwciatlh mpeadcikeutm vcooiucled orb e daantay thcihnagn newlist.h speaking, any fast Ethernet-type network will systems. OS, you had a special CD that included installing work. So, to fix the program, I studied how CP/M on the Wi-Fi driver. If the Wi-Fi CD was not used, sufficient bandwidth/latency, which obviously includes the Internet. When connecting over an analog network, the Osborne acted when a program ran for a cold e v en with the Wi-Fi part of chip on the CPU, One interesting feature is the ability of such as POTS or “Analog Cell Phone,” the boot. The primary mechanism was that rather there was no code to use it, so it was shut off. this system to run the control packets over a voice traffic must be converted into digital than have a program end with a HALT statement In areas where the Wi-Fi driver code is different channel from the actual voice, which signals using an analog modem. (This is 1980s in assembly, the programs actually ended with located, if one could devise ghosted code which econuhladn cersun mtehte advaotiac e sepcaucrkiettys. Foovre r exa amceplll e,p hoynoeu voicen oqluoaglyi.t)y Wmhaiyl e be thde egcroandneedc tisoubns tawnitlila llwyo.r k, tcaalbll e. $e0004+WarmBoot ; BIOS select for jump would feign talking to the Wi-Fi device but, data network, but send the setup, authentica- When connecting to a legacy (non- Since the WarmBoot constant related to a actually send the data to port NULL, then one tion, and management packets over a non- encrypted) phone, voice quality will be limited certain index in the BIOS jump table and the could control their privacy better than an air- related 802.11 connection. by whatever the non-encrypted channel BIOS jump table was loaded into RAM, this locked computer. supports. meant the table could be modified. So, the code The reason I say one could control their Compatibility with Non-Secure Phones for WarmBoot is 0. When you look at the jump privacy better than an air-locked computer is Technical Details of Layer While phones which do not support end- table for $e000, you will see the code “jmp because an air-locked computer uses a patch to-end encryption will not be as secure, 2 and Layer 3 WarmBootMain”. that sets a gate as to which data can go to the there are still certain advantages to using this The usual issues of MAC address spoofing Looking at the ‘armBootMain” code, I system, Metadata will be partly obscured, and and VPN setup apply. If you are using a VoIP thought that maybe I could ghost the original Wi-Fi part of the chip - which mean it still uses incoming calls can be scrubbed against spam system, it is probably a good idea to identify warm boot routine with a ghosted routine that the BIOS software part of the OS. So, a ghosted much more efficiently if a phone server is calls as “fax data” or “compressed video.” If would remap track 0 on the hard drive and use BIOS would act better beca use most people handling the routing. you are using generic Internet connections, track 0 on the “A:” floppy drive. When I looked at would see the same BIOS code when looking at In addition, a smart phone could be packets can be identified as “HTTP traffic” or ns code, my ghosted OS for “WarmBootMain” the machine code, not realizing the ghosting. \ Peogranemed to give a red flash or a distinc- “FTP traffic.” Pa g e 16 2600 Mag a zine 7 Sika Page v7 ae al Fi Ne yi Pu e826 le (will download a manufacturers list taken from location. You can use the output from the time \ Wireshark and make a number of necessary your target wasn’t around as a blacklist file for It's s no Pseetrcar et that in today’s society most . identifier) is thrown all over the place in clear smcordiiptf ic(amtaikoen s sutroe ity osuo' rew e sticlal n counsne ecitt edw ithto tthhee twihone.n Thyiosu r witlalr gewt oriks kbneottwenr itno ab e loicna tithoen lwoictah- people are tracked in one way or another. This text even when it’s connected to an encrypted Internet and not in monitor mode). If you'd very little activity. You will be prompted for a tracking is often morally ambiguous. One network. It would be easy to spoof the MAC rather make your own manufacturers list, you blacklist file every time you run option #3, but could argue that by tracking your every move address every time it connects, but almost no can create a CSV file with a row for the known you can leave the field blank if you don’t want ment Google is making life more convenient. one does this. This set of conditions allows beginning ofa hardware address followed by to use one. Google can tell you when there’s a lot of traflic wifitrack to work. another row with the name you want to use for The blacklist file could also be used to on your morning commute. Google would love Also, please note I will be using the term that manufacturer. You don’t need this list, but continue your progress on option #3 if you have to give you directions to wherever you want to “hardware address” a lot instead of “MAC you will be prompted for it unless you have to restart wifitrack for any reason. Just use the go. Google knows where you work, and even address.” An access point’s MAC address is one with the name “hwvenderlist” in the direc- name of the output file you want to continue where you live. Some may argue that this goes also known as a BSSID, so if I'm talking about tory where you run wifitrack, You can just using as the blacklist file, and then again as a bit too far. either type, I will just say “hardware addre: press enter and leave this field empty if you'd the new output file name. Wifitrack will just That being said, I'm not writing this for This Python script that I wrote has several rather. append the new data and you won’t get any the sole purpose of starting a discussion about options. The first two options are merely for Another important thing to note about repeats of devices you already detected. morals. I'm writing this to introduce you to prepping your hardware and the last option option #3 is that it runs an instance of airo- Option #4 of wifitrack may give you a Python script I made for this article called returns your Wi-Fi card to normal. The real fun dump-ng in the background. All of the data yet another reason to turn your Wi-Fi off in wifitrack. Wifitrack was built to run on Linux. starts with option #3, which uses a GPS device will be dumped to a CSV file and the file name public places. To clarify, 1 don’t just mean Wifitrack can track and map Wi-Fi devices. and a Wi-Fi card in monitor mode. It can map will be the date and time you ran option #3. you shouldn’t connect to open Wi-Fi. | mean I did not design this script with any specific out all the devices in a given area. You could This file or files, depending on how many if you don’t want to be tracked, you should use case in mind. I created it for fun, and to in theory make note of how many of a specific times you run this option, will give us some probably just disable Wi-Fi completely possibly open some people’s eyes to methods manufacturer's TVs are in a certain area and basic information about whatever devices are public (not to mention Bluetooth or just your of tracking that they would have been unta compare that to another area, You could drive around. Option #6 will sift through all of the phone in general). You could mitigate this to miliar with otherwise. by hospitals and get a look at all the equipment data airodump-ng dumps and give us device some degree by spoofing your MAC address You might question if this tracking script (probably including active medical devices) probes from a specific MAC address that you every time you connect to an access point, but I've put together is immoral. | do not believe they have connected to Wi-Fi. You could even specify. It will also say which access point this depending on which device you use, that could that the program itself is immoral, but I do drive by places with voting machines and see if MAC address was associated with if any. This be more or less difficult. encourage you to only use it for good. I think it looks like any voting machines are connected brings me to my next point. Here’s a bit of a thought experiment. Let’s exploring this world of technology is essential to Wi-Fi. Our devices are often very noisy. If you say you wanted to find out the MAC address of for keeping things healthy. Some things may Output from wifitrack (option #3 and option have the Wi-Fi enabled on your phone, even Donald Trump’s unsecured Android phone to need to change in the future, but we'll never #5) is easy to import into satellite mapping if you’re not at home, there’s a chance your force him to look at lolcatz. Let’s pretend that know what to change if we don’t experiment. programs like Google Earth. Give your output device will try to probe your home network. he carries this phone around the country to all In the process of making this, my eyes were file a .CSV (comma separated value) extension Why is this a big deal? Well, there’s a large sorts of public speaking events. Let’s also say opened to things that made me feel like some and select the latitude field and the longitude wardriving database out there known as that, hypothetically, the people surrounding big changes should be made either to the Wi-Fi field when importing. wigle.net. You can search wigle.net him at these events change from day to day. If spectrum itself or in devic e manufacturers’ A list of partial hardware addresses and the for an access point’s ESSID or BSSID (your you want to follow the president around, you code. The main thing that comes to mind is corresponding manufacturer name can be used access point’s MAC address). If your device can run option #3 of wifitrack every time you that a dev *s real MAC address (a unique to help identify devic e s . Option #7 of wifitrack is asking for your home network and you have are in close proximity of the president. Option a unique access point name, someone could #4 will let you compare multiple option #3 fre Edt Yew look that up and find out where you live. (The outputs and find any hardware address matches same can be said if you take a screenshot of from file to file. If Trump keeps his Wi-Fi on, all of your available access points and share you could find his phone’s MAC address by it online. Don’t do that unless you don’t mind process of elimination. Now that you have his being geo-located.) The probes your device phone’s MAC address, you could work some makes can also just tell a story about the places wizardry to make him look at cute cats... but you've visited and the Wi-Fi you’ve connected perhaps that’s a topic for another article. Mette siete Cah Cala Maa ara oa to, The last feature we have to talk about is Eve youl If you're trying to find a target from only option #5. This option requires that you enter one location, you might want to try using at least one hardware address in a text file that a blacklist file. A blacklist file will let you you want to watch for. You can add multiple ignore all the addresses on the blacklist. Run addresses and you can label them by adding a BETH echinicd= lor CH USA Inc option #3 in the location when your target and comma immediately after the address followed Xo your target’s device are not in the by your label (example: “fh: fifi fhf aoe hy ‘ Page 18 2 600 Magazine A 37: 2 P a g e 1 9