-= newOrder.box.sk newsletter =-
supporting and strengthening the community

=-----------------------------------------------------------------------=
| issue: 00001110                                      October 25, 2006 |
=-----------------------------------------------------------------------=

The newOrder newsletter is published by the newOrder staff with the help
of many contributors. To register and subscribe to this newsletter visit
http://neworder.box.sk

-[ 0x00 . Contents ]-------------------------------------------------------

0x01 Newsletter Intro
0x02 Site Update
     - Article Review
     - On the Community
0x03 Security Review
     - Exploits and the Community
     - Thoughts on Vista
     - Filling the Void
     - News Review
0x04 NewOrder Extra
     - Data's Cryptographic Challenge
     - Resolution's Rant - Mac Envy?
     - Some Kind of Perl Column
     - From the Toolbox
     - PURE Regex Independence
     - Riding the Waves
0x05 Newsletter Outro

-[ 0x01 . Newsletter Intro ]-----------------------------------------------

It has been a while since our last release, too long really. We started putting this edition together back in July of this year. Unfortunately your editor has found it difficult going and has been a bit slow in putting everything together; my apologies to both the readers and our contributors!

Back on topic! This is the fourteenth edition of the newsletter. This edition is quite fantastic, with a lot of stuff to keep you busy, including a few full-length articles and the crypto-challenge. We hope you enjoy the issue!

-[ 0x02 . Site Update ]----------------------------------------------------

Like I said earlier, it has been a while since our last release and a lot has happened since as far as the site goes. We have reintroduced both the IRC channel and the gallery.
I have to say that the gallery has been very active, so if you haven't seen it you should keep an eye on it. Even though it hasn't made its way to the front page yet, it seems like there is a new picture every week and it really provides a great sense of community.

While I am talking about active areas of the site I should probably mention the file and link archive. Byte69, Gray-Fox and Bulibuta have been putting a lot of effort into updating and maintaining it. But wait, that isn't all. Another area that gets a lot of activity is the SMS queue. Cygnum actually spends half of his day hand-picking stories and relevant news, so if you want to stay informed without wading through hundreds of RSS feeds just keep an eye on our SMS section.

With all of this activity it is hard to believe that we have actually suffered a few setbacks recently. You may remember that we did a clean install on the server a while ago, and I think we are still working out the kinks. This would be the reason behind those crazy MySQL errors that keep popping up. [insert standard apology for downtime here]

I know that many of you are wondering about Edge V2 - that mythical beast that has been rumored to exist somewhere on the Box Network. I can tell you that it seems about seventy-five percent finished. So if anyone is experienced in PHP and MySQL development and would like to make a serious contribution to the community and the Edge Engine, you should memo cereal. Only serious contributors should apply!

Finally, I do not think that it would be fair if I left out the discovery of a SQL injection vulnerability that occurred back in September. Ekskavaator discovered the vulnerability in Edge, mentioned it in the forums and then revealed it to the staff. The vulnerability was quickly fixed by cereal. Good job Eks.

---[ Article Review ]

A.I. - Can Computers Think?
Out of the box by C0B01 on Sep 23 2006
In this, our most recent article, the author examines artificial intelligence, with a specific focus on what artificial intelligence really is and on our current capabilities and methods of learning.
Read full: http://neworder.box.sk/news/15374

Quiet exploration of ports using NetCat
Articles -> Security by root3d on Sep 09 2006
In this article the author gives a practical demonstration of the use of netcat as a port scanner. The article provides a hands-on introduction to netcat, even though it is painfully obvious that netcat lacks the facilities of a proper scanner.
Read full: http://neworder.box.sk/news/15268

Basics of Radio
Out of the box by Cygnum on Aug 16 2006
In this article Cygnum explores the very basics of radio. He gives a general history of radio and of the development of the technology behind it. He also describes how we can transfer information through the modulation of radio waves.
Read full: http://neworder.box.sk/files/basics%20of%20radio.pdf

Bypassing software firewalls using process infection
Articles -> Security by Iolaus on Jul 24 2006
In this article Iolaus revisits the issue of how to bypass firewall outbound detection through the use of process infection. He explains the necessary prerequisites and goes on to demonstrate a new method of finding trusted processes so as to avoid the outbound detection mechanisms.
Read full: http://neworder.box.sk/news/15192

An Interview with Crispin Cowan on security in dynamic applications
Interviews by nabiy on Jul 10 2006
In this article the author interviews Dr. Crispin Cowan, Director of Software Engineering at Novell. The interview covers security in popular scripting languages, like PHP, and ways to combat common problems.
Read full: http://neworder.box.sk/news/15197

Hacking Hotmail through XSS
Articles -> Security by A3aan on Jul 04 2006
In this article the author provides details on another XSS exploit against Microsoft's Hotmail service.
The method explained involves stealing the cookie (which is not IP-bound) and using it to log into the account.
Read full: http://neworder.box.sk/news/15191

Alan Turing and His Universal Calculating Machine
Articles -> History by Zwanderer on Jun 30 2006
The ideas presented by Alan Turing form the foundation of modern computers. In this article Zwanderer presents some of the history and the basic concepts that make up those ideas.
Read full: http://neworder.box.sk/news/15176

Internet Privacy and you
Out of the box by byte69 on May 03 2006
Privacy is currently threatened by legislation that is being supported by various groups in the US and in the EU. Here byte69 lays out various reports and information on this legislation that demonstrate this very real threat.
Read full: http://neworder.box.sk/news/14956

Choice and Responsibility in Free Software
Out of the box by nabiy on Apr 28 2006
Some very popular works from the open source movement have become iconic in their stature and widespread use. In this commentary the author advocates a responsible legislative response by the public and the security community toward software that has become part of the public infrastructure.
Read full: http://neworder.box.sk/news/14903

Our Right to Free Information
Theme of the month by data on Apr 08 2006
This article discusses the topic of "free information" and was written in reaction to Resolution's Rant on computer crime. In the article the author clarifies what we mean when we say "free information" and the different ways we can promote that freedom.
Read full: http://neworder.box.sk/news/14836

---[ On the Community . by Byte69 ]

There seems to be a fear among some in the community of finding knowledge on their own. I don't know how often we see it on the boards, but there are always simple questions that would be answered if the person would just look. If they took the very questions they are asking us and put them into Google, they would find the answers.
I understand the need to ask some questions to get pointed in the correct direction. But this community is not here to spoon-feed anyone. So what is the solution? NewOrder is not a school; it's a community of people interested in the security of computers, networks, and of life at times. The community grows with new thoughts and ideas.

So what am I going to do about it? Well, first off I will be adding to the links section links to talks from BlackHat and Defcon. These talks won't be for the current year; the media is generally not available until a year after the original presentation. But they are informative and will help all of us gain knowledge from the usually good presentations done at these gatherings. It has spurred my research and ideas, and I will then feed that information and research to NewOrder for further work.

Well, back to the topic. As I have said, NewOrder is not here to spoon-feed you. But with the new links that will be added, it will be closer to a learn-by-watching idea. It will give those of you who truly want to expand your knowledge a place to go and watch presentations on many topics, and then it will help the community to grow because members will want to share new things that they have discovered. So it is not a school, but if you desire the information it should now be accessible from NewOrder in the links section. It will be under Information Security Presentations.

Remember to use the idea of learn by doing. That is the best way to solidify ideas in your mind. I am not saying go out and hack a system. I am saying, if you want, use the new knowledge to improve security on your own systems and networks. If you want to hack another system, go to the Hacking Challenges link to find systems you can legally hack, or use the slut box project to work your newly learned magic.

-[ 0x03 . Security Review ]------------------------------------------------

---[ Exploits and the Community . by login ]

// Opening Rant

I recently was in New York City attending HOPE6, which is supposed to be a hackers' conference. Quite honestly, I wasn't too impressed with the overall quality of the talks that went on. Sure, a few good moments arose now and then, but ladies and gentlemen, the majority of it was nothing to write home about. I'm not saying I didn't have a good time. I'm just saying the content of the speakers should have been leading-edge, or at least interesting. Topics like 'hacking the metra swipe card' and 'hacking coupons' were just flat out lame. Perhaps next time I'll drink more and attend fewer of the speeches. :-)

// MS Internet Explorer (MDAC) Remote Code Execution Exploit

Well, if it isn't another remote hole in IE. This one requires a few tricks to pull off, but it's documented and will allow the remote execution of code as well as remote download of files. I haven't been able to successfully exploit this. But I heard MySpace was hit with this exploit, alongside a Flash8 exploit as well. So, if that report is true then this exploit remains sane.
http://milw0rm.com/exploits/2052

// Linux Kernel 2.6.13 <= 2.6.17.4 prctl() Local Root Exploit

I'm refusing to post a link to the source code for this. After returning from HOPE, I had a long chat with a few individuals about this exploit. Quite honestly, it's not that effective compared to the exploit below. Just use the exploit below.

// Linux Kernel <= 2.6.17.4 (proc) Local Root Exploit

This race condition exploit is very effective. I've managed to run it on all my test boxes successfully, but you must find a file that is large enough to run it with. I basically created some garbage files in /tmp and then ran the exploit with those files. This works very well.
http://milw0rm.com/exploits/2013

// Outro

That's all for now. And don't forget, patching is your friend.

// login

---[ Thoughts on Vista . by nabiy ]

One of the questions that has been cropping up in the forums is whether Vista is going to be worth switching to. It seems that the community suspects that Vista will be just another Microsoft money-maker with little real improvement over previous editions of Windows. To address this I would like to point out a few significant changes that have been made in Windows Vista that should make it better for security-minded folk than Windows XP, and thus should make it worth the upgrade.

The biggest reason to upgrade to Vista is code review, which has reportedly been done since Windows Server 2003. This line-by-line review, the automated reviews using in-house analysis tools, and better code annotation (as mentioned in the interview with Richard Ward) have certainly found many existing and potential problems within the code. Also, unlike XP, Vista has been designed with security in mind by using threat models in the design process. Whenever developers take a hard look at their product and design with security in mind you end up with a more secure product.

You have certainly heard about the drama surrounding Microsoft's efforts on kernel security. These efforts include PatchGuard, new kernel-mode integrity checks, and a more stringent requirement for signed drivers. Though many people have decried these efforts (claiming the motivation is DRM and copyright protection), this change is actually a good thing. It should decrease the threat of kernel-mode rootkits in Windows and provides better stability (the less change in the kernel the better).

Another great implementation in Vista is its effort to apply the principle of least privilege. What this means is that any piece of code only has the minimum amount of privilege it needs to run properly. One of the ways they implement this is through file and registry virtualization. This addresses one of the wider under-noticed security risks in the Windows environment - that is, insecure permissions.
Now, when a program wants to store data in a system area, such as the registry or the shared directory tree (like Program Files), Windows will redirect that access and store it in the user's profile, in an effort to contain the impact of that program on the system as a whole. Vista also applies this principle to Windows services. Previous versions of Windows ran many services under the Local System account. Now permissions for services have been better fine-tuned through the Local Service and Network Service accounts and service profiling. The final application of this principle that I would like to mention is User Interface Privilege Isolation. This feature isolates the processes on your system, preventing a process from sending window messages to a process running at a higher privilege level. This should prevent your classic shatter attacks.

Integrity Control is another important security feature that has been introduced in Vista. Now everything on the system will have an integrity level. These are basically degrees of trust between different objects on your operating system. An object that has less trust than another object will not be able to manipulate the object with the higher degree of trust. Conversely, an object with a higher degree of trust will not be forced to rely on an object with a lower degree of trust. The implementation makes assumptions about the integrity of code introduced to the system, e.g. any program received from the Internet will have a low level of trust and should not be able to elevate that level of trust to affect the rest of the system.

Vista is also introducing a new event logging system. In this new system management should become much easier with the native ability to forward events and the system's use of XML. An open technology and the ability to monitor your logs from a central location are things that the previous system lacked. The way the logs are loaded into system memory has also been changed. Now, instead of mapping the whole log into memory, Windows will only map the logs in small bite-size chunks.

Finally, another feature for the crypto buffs that is going to be added to certain versions of Vista is a new technology called BitLocker. For this technology they have used AES-CBC with an added diffuser layer. Basically this will prevent attacks on a system from any outside source (e.g. booting Knoppix), as it is a data encryption technology for your whole system volume.

I am sure I have not touched on everything related to security. I didn't mention the increased control over device management and user control, for instance, but hopefully I have outlined enough to get you interested and ready to do some more reading. Here are some links to help you get started.

Details on BitLocker:
http://download.microsoft.com/download/0/2/3/0238acaf-d3bf-4a6d-b3d6-0a0be4bbb36e/BitLockerCipher200608.pdf

Interview with Richard Ward (an architect on the kernel team for Vista):
http://channel9.msdn.com/showpost.aspx?postid=182269

Symantec's View:
http://www.symantec.com/avcenter/reference/Windows_Vista_Kernel_Mode_Security.pdf

The Vista Library (check out the security and management sections):
http://www.microsoft.com/technet/windowsvista/library/

---[ Filling the Void . by zshzn ]

It came to my abrupt attention that our dear classic rattle has declined to write anything for this newsletter. Naturally, this void must be filled. So here, have some archaic QBasic code from my childhood. This program was written long ago. On a modern computer, it will run far too fast. There are a few solutions. The first is to integrate timing code, which we often did then. The second is to just change the time delay to something acceptable. The third is to not modify this code, and instead run it on a slightly out of date machine, perhaps a PII with QBasic 4.5. You know, THAT box, it's just a bit over *there*.
SCREEN 12
CLS
RANDOMIZE TIMER
COLOR 2
a& = 1
b& = 2
DO UNTIL INKEY$ = CHR$(27)
    x = (INT(RND * 150) + 30)
    b& = b& + 1
    FOR DELAY& = 1 TO 15000: NEXT DELAY&
    LOCATE a&, b&
    IF b& = 78 AND a& = 27 THEN GOTO matrix
    IF b& = 78 THEN b& = 2: a& = a& + 1
    IF a& = 28 THEN a& = 1: b& = 2
    PRINT CHR$(x)
LOOP
END

matrix:
DO UNTIL INKEY$ = CHR$(27)
    i = i + 1
    LOCATE 14, 30: PRINT "T"
    LOCATE 14, 32: PRINT "H"
    LOCATE 14, 34: PRINT "E"
    LOCATE 14, 38: PRINT "M"
    LOCATE 14, 40: PRINT "A"
    LOCATE 14, 42: PRINT "T"
    LOCATE 14, 44: PRINT "R"
    LOCATE 14, 46: PRINT "I"
    LOCATE 14, 48: PRINT "X"
    u = (INT(RND * 27) + 1)
    v = (INT(RND * 79) + 1)
    LOCATE u, v: PRINT " "
    IF i = 12200 THEN GOTO yello
    FOR DELAY& = 1 TO 1000: NEXT DELAY&
LOOP
END

yello:
CLS
LOCATE 14, 30: PRINT "T"
LOCATE 14, 32: PRINT "H"
LOCATE 14, 34: PRINT "E"
LOCATE 14, 38: PRINT "M"
LOCATE 14, 40: PRINT "A"
LOCATE 14, 42: PRINT "T"
LOCATE 14, 44: PRINT "R"
LOCATE 14, 46: PRINT "I"
LOCATE 14, 48: PRINT "X"
SLEEP 2

Now, not only have we filled rattle's void, but I'm going to give you a bonus! When I told a QBasic guru that I used to work with that I was digging up some of the crappiest code I ever wrote, he decided to write up something elite just for the hell of it. Then he compiled both with FreeBasic (the future of basics!), and fun was had by all. It's even commented! Call me evil, but I stripped most of his detailed and explicit commenting to fit the wrapping. Or was it my inner comment-hater lashing out? We'll never know.
''
'' Name:   FreeBASIC Matrix Code
'' Group:  Atosoft++
'' Author: Oz
'' Date:   07/24/2006
''

'$include: 'fbgfx.bi'

'' This stores data for a residual letter (a shadow left)
TYPE letter_life
    time  AS DOUBLE     '' when it was placed
    ascii AS INTEGER    '' ascii-character
    px    AS INTEGER    '' position (x)
    py    AS INTEGER    '' position (y)
END TYPE

'' This is the actual letter that scrolls down the screen
TYPE matrix_letter
    ascii  AS INTEGER   '' ascii-character
    speed  AS SINGLE    '' how fast it moves down the screen
    column AS INTEGER   '' its column (x)
    row    AS INTEGER   '' its row (y)
    life   AS INTEGER   '' how many iterations
END TYPE

'' Generates a new matrix_letter randomly
DECLARE FUNCTION generate_code( ) AS matrix_letter
'' Draws letters (matrix_letter) on buffer
DECLARE FUNCTION animate( mat AS matrix_letter ) AS matrix_letter
'' Adds a residual letter (letter_life), based on a matrix_letter
DECLARE SUB add_glow( mat AS matrix_letter )
'' Deletes a residual letter by index in array
DECLARE SUB kill_glow( index AS Integer )
'' Draw residual letter on to buffer
DECLARE SUB render_glow()
'' Delay a number of seconds
DECLARE SUB delay( sec AS DOUBLE )

'' Configuration
CONST xres% = 640     '' x resolution
CONST yres% = 480     '' y resolution
const glife& = 1.0    '' residual letter life (seconds)

'' Holy Init, Batman! :-P
DIM SHARED mcode_ascii(0 to 172) AS INTEGER
DIM a AS integer
FOR a = 0 to 9:     mcode_ascii( a ) = a+48:         next a
FOR a = 10 to 35:   mcode_ascii( a ) = (a-10)+64:    next a
FOR a = 36 to 111:  mcode_ascii( a ) = (a-36)+97:    next a
FOR a = 112 to 135: mcode_ascii( a ) = (a-112)+128:  next a
FOR a = 136 to 140: mcode_ascii( a ) = (a-136)+153:  next a
FOR a = 141 to 147: mcode_ascii( a ) = (a-141)+159:  next a
mcode_ascii( 148 ) = 219
FOR a = 149 to 167: mcode_ascii( a ) = (a-149)+224:  next a
FOR a = 168 to 172: mcode_ascii( a ) = (a-151)+232:  next a

ScreenRes xres%, yres%, 16, 2, GFX_FULLSCREEN
WindowTitle "Matrix Code :: Atosoft++"
RANDOMIZE TIMER

'' Number of code letters; "-n <count>" on the command line overrides the default
DIM SHARED ncode%
ncode% = -1
DIM idx As Integer, cmd$
idx = 0
cmd$ = "-"
while len(cmd$) > 0
    cmd$ = COMMAND$( idx )
    if lcase$(cmd$) = "-n" then
        cmd$ = COMMAND$( idx+1 )
        ncode% = val( cmd$ )
        exit while
    end if
    idx += 1
wend
if ncode% = -1 then ncode% = 900

'' Declare various paging/frame counter variables
DIM SHARED fpst AS DOUBLE, frames AS INTEGER, vispg AS INTEGER
DIM SHARED wrkpg AS INTEGER, fps AS INTEGER
'' Make a dynamic array for residual letters
REDIM PRESERVE SHARED glow(0) AS letter_life
'' Exitmode variable for checking
DIM exitmode AS Integer
'' Frames per second text
DIM fpstxt$
'' Make code letters (only the number specified)
DIM code(1 to ncode%) AS matrix_letter
FOR c% = 1 to ncode%: code(c%) = generate_code(): NEXT c%

vispg = 0        '' set visual page as 0
wrkpg = 1        '' set work page as 1
fpst = TIMER     '' set frame counter-timer
frames = 0       '' set frames to 0
fps = 0          '' set fps to 0
exitmode = 0     '' set exitmode to 0

ScreenSet wrkpg, vispg

DO UNTIL ncode% < 1
    LINE (0, 0)-(xres%, yres%), 0, BF
    render_glow()
    FOR c% = 1 to ncode%
        code( c% ) = animate( code( c% ) )
        if code( c% ).life <= 0 then
            code( c% ) = generate_code()
        end if
        if code( c% ).row MOD 8 = 0 then
            add_glow( code( c% ) )
        end if
    NEXT c%
    '' Print the current frames per second string
    locate (yres%/8), (xres%\8)-len(fpstxt$): print fpstxt$;
    Flip wrkpg, vispg
    frames += 1
    if (TIMER - fpst) > 1 then
        fps = frames
        frames = 0
        fpst = TIMER
        fpstxt$ = str$(fps)+"fps"
    end if
    '' Escape key starts the fade-out: fewer letters every frame until none are left
    if MULTIKEY( &h01 ) then
        exitmode = 1
    end if
    if exitmode = 1 then
        ncode% -= 20
    end if
LOOP

delay( 1.0 )

DIM exitmsg AS String
DIM center AS Integer, ypos AS Integer
exitmsg = "The matrix has you..."
center = (xres% - (len(exitmsg)*8)) \ 2
ypos = ((yres% - 8) / 2)
FOR a% = 1 TO len(exitmsg)
    Draw String (center + ((a%-1)*8), ypos), MID$( exitmsg, a%, 1 ), RGB(255, 255, 255)
    Flip wrkpg, vispg
    Sleep INT(RND*60*5)
NEXT a%
delay( 1.0 )
END

FUNCTION generate_code( ) AS matrix_letter
    DIM temp AS matrix_letter
    temp.ascii = mcode_ascii(INT(RND * 172))
    DIM diff AS INTEGER
    diff = xres%\8
    temp.column = INT(RND*diff)
    temp.row = INT(RND * yres%)
    temp.life = INT(RND * 300)
    temp.speed = (RND*7.0)+1
    return temp
END FUNCTION

FUNCTION animate( mat AS matrix_letter ) AS matrix_letter
    DIM temp AS matrix_letter
    if mat.life <= 0 then return temp
    temp = mat
    '' Draw letter with small white offset
    Draw String (temp.column*8, temp.row-1), CHR$(temp.ascii), RGB( 150, 255, 150 )
    Draw String (temp.column*8, temp.row), CHR$(temp.ascii), RGB( 50, 200, 50 )
    temp.row += temp.speed
    if temp.row > yres% then temp.row -= yres%
    temp.life -= 1
    return temp
END FUNCTION

SUB add_glow( mat AS matrix_letter )
    DIM g%
    REDIM PRESERVE glow( 1 to ubound(glow)+1 ) as letter_life
    g% = ubound(glow)
    glow( g% ).time = TIMER         '' Helps determine fade
    glow( g% ).ascii = mat.ascii    '' Ascii value of glow
    glow( g% ).px = mat.column*8    '' Where the glow is
    glow( g% ).py = mat.row         '' ditto
END SUB

SUB kill_glow( index AS Integer )
    DIM size AS Integer
    size = ubound(glow) - lbound(glow) + 1
    if size > 1 then
        swap glow(index), glow(ubound(glow))
        REDIM PRESERVE glow( 1 to ubound(glow) - 1 ) AS letter_life
    else
        REDIM PRESERVE glow( 1 to 1 ) AS letter_life
    end if
END SUB

SUB render_glow()
    DIM lb As Integer, ub As Integer, alive As Double
    DIM id As Integer
    lb = LBOUND( glow )    '' get first index
    ub = UBOUND( glow )    '' get last index
    id = lb
    while id <= ub
        alive = TIMER - glow(id).time
        if alive <= glife& then
            max% = 175-(alive/glife&)*175
            bw% = (alive/glife&)*max%
            Draw String (glow(id).px, glow(id).py), CHR$(glow(id).ascii), RGB(bw%, max%, bw%)
        else
            kill_glow( id )
            ub = UBOUND( glow )
        end if
        id += 1
    wend
END SUB

SUB delay( sec AS DOUBLE )
    '' TIMER is fractional seconds, so the start time must be a DOUBLE
    '' (a LONG would truncate it and shorten the delay)
    DIM delayt AS DOUBLE = TIMER
    WHILE TIMER - delayt < sec: WEND
END SUB

Shit, that's fantastic. I guess that covers the incumbent part of New0rder staff. That's as much code as they combined have made since the last newsletter. Jokes, jokes, no offence to anybody. I'm out! Greetz from New York!

---[ News Review . by bulibuta ]

= Intel: "An Open Source Fraud" =

After the big "Opening" over at Intel, things went back to normal and everything seemed fine. Apparently it was all nice and fuzzy as long as no one asked for hardware docs or any kind of support for writing their own drivers for the product they bought. Needless to say this pissed some people off, especially the guys over at OpenBSD, who have been fighting for open documentation with Intel for three years now. Theo de Raadt made a call to the OpenBSD users to e-mail Intel and tell them how they feel about all this. Reactions from all over the community came in fast and, at one point, the issue spread over to Debian, FreeBSD and other related open source communities.

Motto: Some asshole said he was "open" but he was only open for business

Reference:
* Community Debate -- http://marc.theaimsgroup.com/?l=openbsd-misc&m=116007886929917&w=2
* OpenBSD -- http://openbsd.org/lyrics.html#audio_extra
* Motto -- http://developer.osdl.org/dev/opendrivers/summit2006/james_ketrenos.pdf
* Review -- http://kerneltrap.org/node/7184

= Mozilla flaws more joke than jeopardy =

A whole scandal started with Firefox supposedly having dozens and dozens of security flaws and being on the verge of turning itself into Internet Explorer. An article claiming all of this arose on every blog and every security portal out there.
Apparently college student and Six Apart developer Mischa Spiegelmock and hacker Andrew "Wbeelsoi" presented at the ToorCon hacking convention in San Diego a remote exploit regarding the JavaScript implementation of the famous open source browser. This was actually a very credible claim, as many browsers have had similar flaws in the specified module. The hoax turned into a real media disaster as news.com posted the 'news' and (as usual) it spread all over the internet. Sadly nobody had seen any code or proof of concept. I guess it goes to show how bad journalism (even on the i-net) can affect a large number of groups, from devels to end-users.

Reactions against this breaking news came in quickly and it was over in a few days with a quote from Spiegelmock and his employer:

"I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim," Spiegelmock said in the statement posted to Mozilla's blog late Monday night. "I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not."

Reference:
* Statement -- http://developer.mozilla.org/devnews/index.php/2006/10/02/update-possible-vulnerability-reported-at-toorcon/
* Vuln -- http://www.securityfocus.com/bid/20282/info
* Related Vulns -- http://www.securityfocus.com/news/11119
* News.com -- http://news.com.com/2100-1002_3-6121608.html
* Concomitant Microsoft problems -- http://www.securityfocus.com/brief/314 http://www.securityfocus.com/brief/318
* Full Review -- http://www.securityfocus.com/news/11416?ref=rss

= Root Exploit For NVIDIA Blob UNIX Drivers =

Well well -- this was a surprise... right! This was not something unexpected, but something that was only a matter of time... NVidia has been known for its super-dooper 3D-enabled drivers for some time now. Very few NVidia chipset owners refused to install the new driver.
I guess the category that managed to escape the blob were the ones that knew what they were doing, were open source fanatics, or something along those lines. Otherwise practically every Linux/FreeBSD/Solaris user out there has this blob straight in the core of their kernel. It's a major hit for NVidia, and the context was just right for the debate over at OpenBSD regarding closed source drivers, blobs, and their effect on the community.

Reference:
* The Vuln -- http://download2.rapid7.com/r7-0025/
* The Exploit -- http://download2.rapid7.com/r7-0025/nv_exploit.c
* Community Debate -- http://marc.theaimsgroup.com/?l=openbsd-misc&m=116007886929917&w=2
* OpenBSD 3.9 Release Theme -- http://www.openbsd.org/lyrics.html#39

-[ 0x04 . NewOrder Extra ]-------------------------------------------------

---[ Data's Cryptographic Challenge ]

Tell the color of the sky and win exciting prizes? Not any more. Your favourite TV channel 'accidentally' hires a mathematician for channel promotion. If you answer his question correctly, the channel promoters provide you with a two day, three night stay package with your partner at an exotic island of your choice! Here is his question.

Let y = g^x (modulo p), where 'p' is an odd prime, 'g' is a generator (modulo p) and 'x' is a large positive integer. We know that

p = 55043966783761716278659701487250086579117559740038746969702132145286149026123635393680445274643016477310977

g = 5

and

y = 39484558935413027037560973830889937944814968273298433695677167854170604782536404097409028160938915426071678

Find 'x', which is a discrete log problem.

[ Hint: p-1 = 3*2^353, and once the least significant 8 bits of 'x' are found, a pattern emerges that will help you find the remaining bits of x. There is a much faster solution than brute force, though the calculations may be annoyingly large. There may be more than one approach to the problem. ]

Disclaimer: The mathematician and the prize announcement are hypothetical.
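The hint that p-1 = 3*2^353 is what makes the problem tractable: the group order is smooth, so the Pohlig-Hellman reduction turns one 353-bit discrete log into 353 single-bit decisions (each one modular exponentiation) plus a three-entry lookup modulo 3, and the Chinese remainder theorem stitches the two residues back together. The Python below is an added example written for this edit of the newsletter; it is not part of Data's challenge, nor the intended solution, and the 8-bit "pattern" in the hint is not used. It implements the general reduction for any prime of the shape 3*2^k + 1 and is exercised on a small constructed prime of that shape (12289 = 3*2^12 + 1) rather than on the challenge values. The function names are my own.

```python
# Added example: Pohlig-Hellman discrete log for primes p with p - 1 = 3 * 2^k.
# Not part of the newsletter challenge; exercised on a constructed toy prime.

def smooth_shape(p):
    """Return k such that p - 1 == 3 * 2**k, or raise if p has another shape."""
    n = p - 1
    if n % 3 != 0:
        raise ValueError("p - 1 is not divisible by 3")
    m = n // 3
    k = 0
    while m % 2 == 0:
        m //= 2
        k += 1
    if m != 1:
        raise ValueError("p - 1 is not of the form 3 * 2^k")
    return k


def is_generator(g, p):
    """g generates the whole group iff g^((p-1)/q) != 1 for every prime q | p-1.
    For this shape the only prime factors of p - 1 are 2 and 3."""
    n = p - 1
    return all(pow(g, n // q, p) != 1 for q in (2, 3))


def find_generator(p):
    """Smallest primitive root of p (p - 1 = 3 * 2^k assumed)."""
    for g in range(2, p):
        if is_generator(g, p):
            return g
    raise ValueError("no generator found")


def dlog_mod_power_of_two(g, y, p, k):
    """Recover x mod 2^k one bit at a time.

    With n = p - 1 and x = sum(b_i * 2^i), the value
        (y * g^-(bits found so far))^(n / 2^(i+1))
    equals (g^(n/2))^b_i = (-1)^b_i, so each bit is read off one modular
    exponentiation instead of a brute-force search.
    """
    n = p - 1
    x = 0
    g_inv = pow(g, -1, p)          # modular inverse (Python 3.8+)
    for i in range(k):
        t = pow(y * pow(g_inv, x, p) % p, n >> (i + 1), p)
        if t == p - 1:             # t == -1 (mod p): bit i is set
            x |= 1 << i
        elif t != 1:               # anything else means y is not a power of g
            raise ValueError("y is not in the subgroup generated by g")
    return x


def dlog_mod_three(g, y, p):
    """Recover x mod 3 by a three-entry lookup in the order-3 subgroup."""
    n = p - 1
    h = pow(g, n // 3, p)          # generator of the order-3 subgroup
    z = pow(y, n // 3, p)          # equals h^(x mod 3)
    for r in range(3):
        if pow(h, r, p) == z:
            return r
    raise ValueError("y is not in the subgroup generated by g")


def pohlig_hellman(g, y, p):
    """Solve g^x = y (mod p) for p - 1 = 3 * 2^k; returns x in [0, p - 1)."""
    k = smooth_shape(p)
    a = dlog_mod_power_of_two(g, y, p, k)   # x mod 2^k
    r = dlog_mod_three(g, y, p)             # x mod 3
    # CRT: x = a + 2^k * t, where 2^k * t == r - a (mod 3)
    two_k = 1 << k
    t = ((r - a) * pow(two_k, -1, 3)) % 3
    return a + two_k * t


if __name__ == "__main__":
    # Constructed toy instance: 12289 = 3 * 2^12 + 1 is prime.
    p = 12289
    g = find_generator(p)
    secret = 4321                  # constructed exponent to recover
    y = pow(g, secret, p)
    recovered = pohlig_hellman(g, y, p)
    assert recovered == secret
    print("p =", p, "g =", g, "recovered x =", recovered)
```

The per-bit cost is a single modular exponentiation, so the same code handles a 353-bit k in well under a second in pure Python; the `elif t != 1` branch is the sanity check that catches a y that is not actually a power of g, which is what you would hit if either value were copied with a digit missing.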
NewOrder will not bear any expense or responsibility towards the island trip :-)

Please send in your solution to NewOrder.Newsletter AT gmail.com

---[ Resolution's Rant - Mac Envy? ]

I've been thinking about making the switch for some time now. I suppose my main reasons stem from the fact that I am just sick of Microsoft and their bullshit. I'm tired of the lies, the greed, the spin, the FUD campaigns, and the relationship with their consumers that is anything but altruistic. Furthermore, I'm tired of the consumers "assuming the position" and letting Redmond have their way with them without question. Worst of all, I'm tired of being one of these people. Sure, people complain about these immoralities, but most fail to do anything about it.

Enter "the switch", or at least the notion of it. I've never really thought of myself as a Mac user, but after I wirelessly networked a Mac iBook G4 (now discontinued) with a Linksys WRT54G router, I became impressed with the OS X operating system: all the visually appealing aspects of a functional GUI that you should come to expect nowadays, as well as the power of BSD under the hood. Yeah. I'm sold. It's basically everything Linux has tried to achieve on the desktop, but has ultimately failed to do. The one-button mouse still irks me though...

I think you can count the number of Mac users on Neworder with one or two hands. The most notable user is Teddy Vandenberg aka "That Guy". Sure, I've teased him to no end about being a Mac user, but like most Canadians, he is an easy target, eh?

I've been looking at the MacBook Pro line of laptops. Personally, I think they are a little overpriced. I also don't care for the insane amount of wasted space around the keypad area, but I'm willing to ignore these minor aggravations for the time being. I didn't feel the need to purchase one with the Core Duo processor since there have been numerous complaints about strange noises, overheating, and poor battery life.
Now that the Core 2 Duo line is out, I have a renewed interest in purchasing one in hopes that the majority of issues with the previous line of Macbooks have been corrected. Now I'm not planning on ditching Windows altogether and I don't think any real tech should since this is still a Windows dominated world. I just won't use it as my primary operating system. I don't want to have to rely on Windows for all my software needs, and it would be good to broaden my knowledge of another operating system. I also have a machine running a GUI-less version of FreeBSD so it should be fun to tinker with all three in a networked environment. With that said, I'm thinking between now and Christmas would be a good time for me to make "the switch".

---[ Some Kind of Perl Column . by zshzn ]

Good morning, Perl coders, Perl well-wishers, and other readers. Whether or not it is morning when you read this is not relevant to me. It is certainly morning in the context of this article. I am certainly not awake, and I hope to be excused if I use some literary devices that may be considered unacceptable for such a droll position.

Let us look back on our previous columns. First I wrote of list and scalar context, and even then I knew how much of a bore that would be. Following that I wrote of the open command, how specific and mundane that was! Even now you will not be spared from a third such article. I bring to you a lecture on safe Perl practices and the necessity to use them. As Iyov was punished for his silence, so too shall you be, yet I am not merciful enough to limit the suffering to two trials!

Perl is often treated with a lack of respect. A typical Java (or pick an example more pleasing to your taste) coder may take particular care to write his code as best he can. He may spend a considerable percentage of his time commenting his code. He may plan how to best organize and deploy himself beforehand, with well designed class structures and algorithms.
Time will be spent to best optimize memory use, and very often more time will be spent to that task than will ever be saved by the optimization itself. I do not feel it important to give further examples, for the reader well knows what I discuss as it is.

These practices employed to increase the quality of code may, in many occurrences, be entirely impractical. They will speed the program's execution to a very slight degree, or limit the resources used by a similarly slight change. It may be better, or it may not be, but it usually is not noticeable. However, it is still generally agreed that using good practices as a rule will benefit the quality of code you produce. Some of the time you will avoid harsh problems because of it. Sometimes your thriftiness will be important. More likely, a lack of thriftiness invested in a large program will lead to unacceptable excesses of memory and resource consumption.

I am not attempting to devalue this theology in the least. Instead, I mean to stress that it is just as important to apply your beliefs to Perl code. If you do not, it is not because you have analyzed Perl, or even dare to claim you have some form of understanding of the essence of the language, but because of a moral compromise. As a man on a distant business trip, away from the consequences of a knowing society, may have a sexual affair, you too, lacking a restraint on your improper behaviour, have acted poorly without consideration. Proper practices are just as important in Perl as in another language, if not more so. Furthermore, by being weakly typed and embracing a TIMTOWTDI attitude, Perl leaves you far more ways to shoot yourself in the foot than the average programming language.

The first thing you need to be doing is using lexical variables. Just take my word for it. That doesn't just mean variables declared with my(). Lexical variables are entirely different than the global package variables you would otherwise be using.
The benefits are that you aren't clogging up an increasingly large namespace, your variables go out of scope and "disappear" out of their block, and that you'll know if you type a variable name wrong, among others. How will you know? You shall be using the 'strict' pragma, and it will tell you when you're using an unacceptable variable, which would generally be the case if you spell one wrong and try to use an undeclared variable. Some code examples:

    use strict;
    my $house;
    my ($horse, $dog, $cat);
    my ($name, $size) = ('zshzn', 'big');

Although I could explain why you need the parentheses in the bottom two situations, I can instead just refer you to my first column, or tell you to go read the manual. Take your pick.

There are other important pragmas aside from strict. These include 'warnings' and 'diagnostics'. Only three small issues are covered by strict, one being 'vars' as previously explained. The explanations given by diagnostics are very lengthy. These three pragmas are not to be considered a harm, holding you back from productive code. They are all helpful, assuming you can read their output and understand the issues they bring up. They are an important part of consistent Perl development. However, they are not ends as much as means. Just as one should not consider the Decalogue a checklist of a moral life, one should not consider using strict and warnings as accounting for best practice observation. Additionally, you may want to use Taint mode when writing web scripts.

Very shortly into your Perl career you are expected to discover regular expressions. The power to match specifically any input you want may overwhelm you into a state whereby you intend to use regex as much as possible, and even a bit further. You have to take a step back from regex and analyze your situation. When given such freedom, do not through greed or idleness strive for more, do not try to eat fruit of every tree. Regexen are not always the best solution.
Additionally, they are more intensive and issue-prone than other string parsing commands. Perl is well suited with substr(), index(), case functions, and more.

You need to be willing to use modules. Perl has a massive code archive, CPAN, available to your disposal. You even have Perl code to utilize CPAN. Your issues may have been solved hundreds of times before, and a module or many such modules have been designed for the convenience of all. Although it is certainly possible to reinvent the wheel, that does not mean it is easy, and evidence showing that those that know how tend to use ready-made wheels suggests that you should do the same.

Design subroutines. Do not try to write Perl as a single top to bottom script. Write subs, send arguments to them, and return predictable and consistent information. Just as you would in other languages. No, a variable should not be global just because you will use it in a subroutine. You don't do that in other languages, do you?

Do not excessively use goto to escape proper structures. Do not excessively simplify your code or use syntax tricks whenever possible. Some actions suitable for golf are not suitable for code that you or others will have to debug and maintain. Code can be expanded as best suits legibility. They are, after all, just lines. You are not being billed for each.

Do not overuse $_. A descriptive variable name can go a long way. Additionally, you should comment your code. For a great deal of commenting, use POD. That's Plain Old Documentation.

Use smart quoting. Single quotes and double quotes do different things. Don't forget here documents. Have an example: my $data = <\ where it is renamed to Dc[some-number].fileExtension. So if you had deleted p0rn.jpg the file would be moved to c:\Recycler\\Dc123.jpg. Once the file is moved into the recycle bin an entry about the file is made in a file called INFO2.
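As an added illustration of what is inside INFO2 (this code is not from the newsletter and is not Rifiuti's), here is a C++ parser for the Windows 2000/XP record layout. The offsets come from Rifiuti's public documentation, which is an assumption this column does not itself state, and the INFO2 image it reads is constructed in sampleInfo2() rather than captured from a real machine. Function and type names are this example's own.

```cpp
// Added example, not from the newsletter or from Rifiuti: parse the Windows
// 2000/XP INFO2 record layout and reconstruct what Rifiuti reports.
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Layout assumed from Rifiuti's documentation (this column does not state it):
//   header: 20 bytes, record size as a u32 at offset 12 (0x320 = 800 on 2000/XP)
//   record: 0x000 ANSI original path, 260 bytes, NUL padded
//           0x104 u32 index (the number in Dc<index>.ext), 0x108 u32 drive (0 = A:)
//           0x10C FILETIME deletion time (100 ns ticks since 1601-01-01 UTC)
//           0x114 u32 physical size, 0x118 UTF-16LE copy of the path (ignored here)
struct RecycleEntry {
    uint32_t index;
    char drive;
    int64_t deletedUnix;   // deletion time as seconds since 1970-01-01 UTC
    uint32_t size;
    std::string path;
};

static const uint64_t EPOCH_DIFF = 116444736000000000ULL;  // 1601-01-01 to 1970-01-01 in ticks

static uint32_t rd32(const uint8_t* p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t* p) { return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr32(std::vector<uint8_t>& b, size_t off, uint32_t v) {
    for (int i = 0; i < 4; ++i) b[off + i] = (uint8_t)(v >> (8 * i));
}
static void wr64(std::vector<uint8_t>& b, size_t off, uint64_t v) { wr32(b, off, (uint32_t)v); wr32(b, off + 4, (uint32_t)(v >> 32)); }

int64_t filetimeToUnix(uint64_t ft) { return (int64_t)((ft - EPOCH_DIFF) / 10000000ULL); }
uint64_t unixToFiletime(int64_t t) { return (uint64_t)t * 10000000ULL + EPOCH_DIFF; }

std::vector<RecycleEntry> parseInfo2(const std::vector<uint8_t>& buf) {
    std::vector<RecycleEntry> out;
    if (buf.size() < 20) return out;
    uint32_t recSize = rd32(&buf[12]);
    if (recSize < 0x118) return out;              // too small to hold the fixed fields
    for (size_t off = 20; off + recSize <= buf.size(); off += recSize) {
        const uint8_t* r = &buf[off];
        RecycleEntry e;
        e.index = rd32(r + 0x104);
        e.drive = (char)('A' + rd32(r + 0x108));
        e.deletedUnix = filetimeToUnix(rd64(r + 0x10C));
        e.size = rd32(r + 0x114);
        size_t len = 0;
        while (len < 260 && r[len] != 0) ++len;     // ANSI path is NUL padded
        e.path.assign((const char*)r, len);
        out.push_back(e);
    }
    return out;
}

// Name the file carries inside the Recycler folder, e.g. Dc123.jpg for index 123 on C:
std::string recycledName(const RecycleEntry& e) {
    size_t dot = e.path.rfind('.');
    std::string ext = dot == std::string::npos ? std::string() : e.path.substr(dot);
    return std::string("D") + (char)(e.drive - 'A' + 'a') + std::to_string(e.index) + ext;
}

// Constructed INFO2 image with two records (sample data, not a real capture)
std::vector<uint8_t> sampleInfo2() {
    const uint32_t recSize = 0x320;
    std::vector<uint8_t> b(20 + 2 * recSize, 0);
    wr32(b, 0, 5);            // version field; not interpreted by this parser
    wr32(b, 12, recSize);
    struct Row { const char* path; uint32_t idx; uint32_t drive; int64_t when; uint32_t size; };
    const Row rows[2] = {
        {"C:\\Documents and Settings\\user\\My Documents\\photo.jpg", 123, 2, 1161734400, 48213},
        {"D:\\work\\notes.txt", 124, 3, 1161738000, 1024},
    };
    for (int i = 0; i < 2; ++i) {
        size_t off = 20 + i * recSize;
        std::memcpy(&b[off], rows[i].path, std::strlen(rows[i].path));
        wr32(b, off + 0x104, rows[i].idx);
        wr32(b, off + 0x108, rows[i].drive);
        wr64(b, off + 0x10C, unixToFiletime(rows[i].when));
        wr32(b, off + 0x114, rows[i].size);
    }
    return b;
}

std::vector<RecycleEntry> sampleEntries() { return parseInfo2(sampleInfo2()); }
```

The parser reads the record size from the header instead of hard-coding 800 bytes, so a shorter pre-Unicode record size would still be walked correctly as long as the fixed fields fit; a real INFO2 file is read into the byte vector in place of sampleInfo2().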
Because the file format is proprietary (as all things Microsoft) we use Rifiuti to retrieve that information. Rifiuti will show us the date and time of deletion, the drive it was on, the INFO2 index number of the file, the original location of the file and the file size. Using Rifiuti is simple (whether you are on linux or windows) just remember to redirect the output for later use ( e.g. rifiuti INFO2 > output.txt ).

One interesting note before I close out this toolbox section. The Recycle Bin is not a magic feature of NTFS. Because of this you can use it just like any other folder as long as you avoid windows explorer (which respects the desktop.ini file).

links:
http://www.foundstone.com/resources/proddesc/rifiuti.htm
http://sourceforge.net/projects/odessa/

Do you have a tool or code fragment that you find useful in admin / sec? Do you want to share it with the community? Send your submission to newOrder.newsletter AT gmail.com along with your newOrder nick/handle.

---[ PURE Regex Independence . by zshzn ]

There is a time in every youth's life when he has an impulse, whether conscious or not, to gain a foothold of independence out of the muddy bog dominating his movements that we term "family". This independence may manifest itself as a "rebellion", and will often include highly deviant and unacceptable behaviour including experimental drug use and sexual discoveries. For me, this period has expressed itself in the formation of a regular expression engine. Although I find this time in my life to be most contrary and damaging, I do not regret it, and think I have gained as a person through it.

Not all of our readers may know what a regular expression engine is, or what regular expressions are for that matter. Allow me to limit my typing and rephrase "regular expression" as regex. Some shorten it to "regexp", and I find that most unflattering to the English language. We use regex for pattern matching on a string.
In programming languages, it is very easy to find out if something is exactly something else. It is not very easy to find out if something is almost something else, or suitably enough of something else to fit your desires. Perhaps we want to match a name insensitively. That is easy enough to do without regex, just lowercase both operands. What if I wanted to match a phone number entered by the user, to find out if a proper format number has been entered? Sure, I can just use an is_digit() check on the digits and check for proper placements of dashes. However, not all problems are easily solved with our exact comparison model. What if I wanted to check for acceptable forms of the word colour, with the first letter being optionally uppercase? I could compare all four acceptable possibilities, "colour", "color", "Color", and "Colour". As one can imagine, this trend becomes increasingly difficult to maintain. However, a pattern can easily express this. In many regex languages this could be described as "[Cc]olou?r". The [] denote a character class, and a question mark in this sense makes the preceding character optional. That is a pattern, and it will match those four occurrences.

Regular expressions are, as Ilya Zakharevich describes, a language that makes "even inherently unreadable languages like Tcl or Lisp start looking like Dr. Seuss compared to regular expressions." It is, in itself, a language. A language used to describe a subject with accuracy yet range.

Regex languages need to be able to specify what to match, what to not match, and how much of that. For specific matching, we have character classes, written in brackets and containing a list of acceptable characters. With that list preceded by a caret, anything not included in the brackets will be matched. A period will match any character. A caret outside of a class will match only the beginning of a string. A dollar sign will match the end of a string only. These can be considered "anchors".
Sets of classes, such as \d for digits and \w for word (a-zA-Z0-9_) characters, are commonly used. These are all used to match specific characters. Have some examples:

    [Ss]arah?
    \d\d\w\d\d
    [crmfbt]at
    .at
    Defcon \d

In all those cases we matched each character specifically. The next important aspect is quantification. As previously explained, ? means to match 0 or 1 times. * matches 0 or more times. + matches 1 or more times. These differences will matter. When writing regular expressions, you need to write exactly what you want. You can specify exact amounts or ranges such as {3}, {2,5}, {,2}, {2,}. These mean 3, 2 up to 5, up to and including 2, 2 or higher.

    \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}   Literal method for matching an IP address in this form
    (1-)?\d{3}-\d{3}-\d{4}               Match a phone number, optionally with a 1- to start

Additionally, another major aspect is alternation. The ability to choose one option or another, and not just for specific characters. This is done with |, and often parentheses to show just how much to alternate.

    Sold to (Bob|Charlie)

These are the basic tenets of matching. Any may be expanded. There may be more specific classes or methods for matching specific characters. Following these, some other aspects may be added. The ability to capture (and return to some point) a chunk of text from one point to another in the string is usually included in an engine. The ability to have code run in regex may be added. Look-aheads, look-behinds, any odd feature can be added. For now, we must content ourselves with being mortals and dealing with those three tenets: character variations, string variations, and character and string quantities.

My engine is being written in C++. It is dependent and works on ANSI strings. It would have been much cooler to write an engine for character pointer strings, since these are universal and I can always get one from an ANSI string with string.c_str(). However, woe is me, I took the easy road.
If you are ready for advanced comparisons you are ready for advanced datatypes. It is designed to be a mini-engine, and handle as little as possible while still being competent. By the way, I have named it Perl "Uncompatible" Regular Expressions, easily remembered as PURE. This is in mockery of PCRE (of which you can guess the acronym) which is not actually Perl compatible, and is well hated by the Perl population. Instead of being arrogant, my engine will cleanly admit incompetence, and in at most 5% of the size.

Firstly I built a small engine for matching through a string character by character, our first tenet. pure() first handles all the metadata associated with matching and then progresses through the string, calling match() for each character. match(), in the event of something other than a special character calls direct(), which calls fill(). fill() uses a character array *ok of 100 bytes. *ok is filled with periods, and then with any acceptable characters. This isn't true matching in the sense that not only is it limited to LESS than the standard character set, but I have abandoned any extended sets altogether. However, my engine is designed to be simple. Outside of my ASCII block isn't really needed, is it? direct() looks something like this:

    int direct (string regex, string s_in, int i, int pos)
    {
        char ok[100];
        fill(regex, ok, pos);
        for (int j = 0; j < 100; j++) {
            if (s_in[i] == ok[j]) {
                r_pos++;
                return 1;
            }
        }
        return 0;
    }

regex is the entire regex string, pos is the current position we're looking at. i is the unfortunately named index of the input string (s_in) that we're trying to match. All simple enough. Except for that r_pos. r_pos is a very important global variable. It tracks the current position we're at in the regex string. Why isn't this the same as pos? So that we can match outside of where we currently are. Why is r_pos incremented anyways?
For the hell of it, I can decrement manually in the few situations where I'm not using direct() in that scenario. The ugly work for character sets is done in fill(). So that's how I manage consistent character matching.

It's time to look back a bit about how this works. Matching is regex-oriented, not string oriented. We need to match everything in the regex against a string, not the other way around. Although the regex "cat" will match to "cat", it will also match to "I have a cat" and "concatenate". Those last two strings, however, as regex will not match "cat". We need to take the first character of our regex. We now go through the string until we find that character. Then we proceed to the next character in our regex. If we should fail before the end of the regex, we need to reset the start of the regex to the next location of the original character in the matched-against string. Only when we've got past all such characters, and have made it to the end of our string in the attempt to match the regex against it, have we failed in matching. I handle this in pure(). I have a subsection in match() to find the first acceptable location, and not just to attempt to match off of the current one.

When I say character, I mean token. Ultimately this language has to be tokenized. We're not always dealing with single characters. We're dealing with characters, quantifiers, special characters, and optionals. However, because regex is not a language with control flow, we can try to hack our way straight through, which is almost what I do.

    regex:  I(want){,5}a(dog|cat|rat)today
    tokens: I want{,5} a (dog|cat|rat) t o d a y

We would then match specific tokens, based on the current working index of the string left by the last token. I handle alternation way back in pure(), before almost anything else.
I break it up and call pure() for each option, returning 1 once one has been successful and returning 0 only if they have all failed.

    regex: (cat|dog|rat)
    piece: (cat)        // trim regex and call pure()
    regex: (dog|rat)
    piece: (dog)        // trim regex and call pure()
    regex: (rat)
    piece: (rat)        // call pure()
    // out of alternation engine, return 0

As you may have guessed, I wrote my engine without tokenizing in mind. That's right, in match() I have to look ahead for quantifiers.

Our last great core aspect of matching. The quantifier. This, shame to say, I have not finished. First I take the character (not token) and see how often it will match. Then I see if that's in the acceptable range. If it is, great, I move on. Except this will not work. Let me give an example.

    regex:  \w*bb
    string: aaaaaaabb

There are two types of engines, greedy and non-greedy. Alternatively, you can specify one. Possibly, you could design an engine to be in the middle, which is just twisted enough for an author of a regex engine to try to write. I will detail this as a greedy engine. \w will try to match as much as possible. In our minds, we match it up to the last a, and then match the b's against the b's. Which is how it has to match. But a greedy (or non-greedy) engine will not do this. It will match as long as it can match \w, since * is a quantifier for 0 or more. It will match right over the b's in the string, and then the b's in the regex will have nothing to match against. Then, noticing it fails, it will backtrack to the last quantifier (the only in this case). It will try to match one less, so it will clobber all except the last b, and still not match. It will then backtrack another step back, and now it will match only through the a's, just as it should in this case.

A non-greedy engine would work the opposite. It would match 0 a's, then try to match the b's and fail. It would then match 1 a, and try to match the b's. It would continue until the proper amount of a's are matched.
I have to admit I have yet to design backtracking into my engine. It is in a state I call "super greedy". At this point you should be wondering how much backtracking could be done, and worse yet, what if there are multiple instances to do it in? In that event, the most recent, right-wise quantifier is tried until failure, at which point the next most recent is tried. It becomes a bit of a tree structure, with the first quantifier you used in your regex acting as the top option. In long strings with many quantifiers you can find yourself in situations that will cause some serious amount of resource use to get through. This is another reason why input should be as specific as possible, and alternating pieces should not match each other. IRC has it right when they match users as *!*@*. See those nice dividing characters? \w+!\w+@\w+ works nicely, even to my undeveloped engine.

Let us recount our three tenets. Firstly, I have matched acceptable characters to a moderate degree. It works, I just haven't built in extended character sets and such. Secondly, I made an alternation engine that works suitably well. Thirdly, I have made a quantification engine that works except when given a range where the maximum is not the desired. As you can see, my engine is by no means complete.

Following this I added a most necessary accessory. Although not a matching element at all, captures, also known as groups or as backreferences (most applicable when actually in the regex later on), are one of the most common regex tools.

    regex: my name is (\w+)

In this case, whatever is in those parens will save itself somewhere. The syntax for doing this varies with language. As well, you may notice that parens were used earlier to define scope. Too bad, you can live with your scoped items being captured as well. Or, in real engines you have ways to specify not to capture. I chose to handle this just how Perl does it.
I keep an array of integers for the beginning of captures, in the string that is. I keep an array for the end. I build an array of strings (actually, I use a vector object) built from the substrings between these two points. How I accurately find those points is a different matter. I have to analyze the regex and find out which parens go with which.

    a(b)cd(e(fgh)i)

This will match and return b, efghi, and fgh. In that order in Perl's engine, while mine works inside out with b, fgh, efghi. I cannot just work left to right through matches. These parens are nested! I create two more arrays to store which points go with which in the regex, and these correspond to the ones in the string.

    int capt (string regex, vector<string> &captures)
    {
        int temp = count(regex, "(");
        int many = 1, c_curr = 0;
        if (temp != -1 && temp != 0) many = temp;
        // Nice, easy, flexible list
        c_r_lead.resize(many);
        c_r_last.resize(many);
        c_s_lead.resize(many);
        c_s_last.resize(many);
        captures.resize(many);
        int point = regex.find("(", 0);
        for (int i = 0; i < many; i++) {               // "<=" here would step past the last vector slot
            int unbalance = 0;
            c_r_lead[c_curr] = point;
            for (int k = point + 1; k < regex.length(); k++) {   // "<=" here would read past the end of the string
                if ( regex[k] == '(' ) unbalance++;
                if ( regex[k] == ')' ) {
                    if (unbalance) unbalance--;
                    else { c_r_last[c_curr] = k; break; }
                }
            }
            c_curr++;
            point = regex.find("(", point + 1);
        }
        return many;                                   // number of capture groups found
    }

I call capt() before analyzing the regex, and it builds my pairs of regex arrays. These are c_r_lead and c_r_last. The c is for capture, as is everything involved with capturing. The r is for regex, while the s's are for string. As you can see I used vectors because I don't know how many matches I will end up having. count() is a handmade function to find the amount of unescaped characters.
In match(), I handle the discovery of a paren like this:

    if ( regex[r_pos] == '(' ) {
        for (int k = 0; k < c_r_last.size(); k++) {    // "<=" here would index one past the end
            if ( c_r_lead[k] == r_pos ) {
                c_s_lead[k] = i_pos;
                c_s_last[k] = s_in.length() - 1;
            }
        }
        r_pos++;
        goto REDO;
    }
    if ( regex[r_pos] == ')' ) {
        for (int k = 0; k < c_r_last.size(); k++) {
            if ( c_r_last[k] == r_pos ) {
                c_s_last[k] = i_pos;
                captures[c_som] = s_in_orig.substr(c_s_lead[k], c_s_last[k] - c_s_lead[k]);
                c_som++;
            }
        }
        r_pos++;
        goto REDO;
    }

Otherwise there isn't much I do with my engine. Even earlier in pure() I check a few things and have several error codes. I have a couple of flags to mimic Perl's //i and //x modes, those being case insensitively and whitespace insensitivity, respectively. The idea behind //x was that regex would be a much nicer language if you didn't have to compact it entirely. It's a nice thought, until you take a look at one of japhy's apocalyptic 30-liners.

I use function overloading to make parameters to pure() optional.

    int pure (string regex, string s_in)
    {
        vector<string> unneeded;
        return pure(regex, s_in, unneeded, 0, 0);
    }

    int pure (string regex, string s_in, vector<string> &needed)
    {
        return pure(regex, s_in, needed, 0, 0);
    }

    int pure (string regex, string s_in, int mode)
    {
        vector<string> unneeded;
        return pure(regex, s_in, unneeded, mode, 0);
    }

    int pure (string regex, string s_in, vector<string> &needed, int mode)
    {
        return pure(regex, s_in, needed, mode, 0);
    }

regex and s_in are essential, obviously. The vector is only important when you want returns. mode is also optional when //x and //i are not wanted. How do you use them? Masks. 1 for //i, 2 for //x. 3 for both. Easy extensible format.

PURE will return 1 on success, 0 for no match, and a negative number for one of various syntax errors.

    if ( count(regex, "[") != count(regex, "]") ) return BAD_BRACKETS;
    if ( count(regex, "(") != count(regex, ")") ) return BAD_PARENS;
    if ( count(regex, "{") != count(regex, "}") ) return BAD_BRACES;

Where those returns are enum values.
My engine is at version 0.0.5-1_3beta6rc, by popular demand. I have no idea what that means. It is just a beginning. I took my usual ad hoc approach, and now I have learned many things. At this point I should be rewriting it. I may choose to instead write some ugly hacks to fix some issues. I do not have a lot of motivation for either task.

I'm not going to paste the entire code here, because we haven't hit a suitably dependable version, and the code could be entirely different by the time you read this. As well, the code is not very clean. It was written over just a few days when I was in a state of insomnia and ill health. Not only do I need to make it complete, but I need to design optimizations. Not to mention the checks Perl's engine does. However, I think it fits a suitable role for me. Unlike PCRE, it isn't 60,000 lines, it's 500. It's very easy to use and fits nicely into my C++ coding style. I wrote it, I know its limitations, and I can fix it at any time. It is z-only.

I hope this article has taught you some things about regular expressions, about programming languages, and about how to implement a regular expression engine. More than anything else, I hope I have entertained you. Good night, and happy hacking.

---[ Riding the Waves . by mirrorshades ]

VHF/UHF Frequency Scanning

"Snoop onto them... as they snoop onto us." - Cereal Killer and Lord Nikon

I. Scope

There is, I believe, a natural curiosity that people interested in technology have. The same innate desire to know what makes a program, or a computer, or a network tick is often carried out into other areas as well. You can find this in a community of phone phreaks, for example, who know everything there is to know about telecommunications; or with the cypherpunks, who consider advanced mathematical formulas and cryptographic algorithms "small talk". For me, one of these areas is radio. No, not the lame, over-hyped, sugar coated Britney Spears crap that gets spoonfed to the masses...
but the stuff that lurks out there on either side of the frequencies found on your AM/FM car stereo.

I have an amateur ("ham") radio license; and while this is not directly related to the information that will be presented in this article, it is a great foundation for learning radio theory and a fun hobby to boot. Once upon a time, having a ham radio license was the norm for "hackers" -- it was a natural extension of the "let's tinker around with stuff and see what cool things we can do" mentality. Look up callsign N6NHG if you don't believe me.

What I am going to outline here, however, doesn't require any involvement with ham radio at all. If you're curious about listening in on the radio transmissions of emergency services, aircraft, businesses, or anyone else using local two-way radios, then this article should help get you going in the right direction. If you are interested in listening to broadcast stations from around the world or long-range communications, a separate but similar hobby is called shortwave listening (SWL). The theory behind the two is the same, but this article will be focusing primarily on short-range local communication... so you are more aware of what's going on in the community where you live.

II. Some Terminology

VHF - Very High Frequency, frequencies from 30 MHz through 300 MHz.

UHF - Ultra High Frequency, frequencies from 300 MHz through 3000 MHz.

Band - A logical portioning of the frequency spectrum. "VHF" and "UHF" are frequency bands; within those bands can be found sub-bands, distinct "chunks" of bandwidth (amateur radio operators often use the "2 Meter" band, which runs from 144 to 148 MHz in the US -- "2 meters" describes the approximate wavelength of the frequencies).

FM - Frequency Modulation, operating mode whereby the frequency of the carrier wave is changed (modulated) in relation to the audio being transmitted. Very common mode of operation on VHF/UHF frequencies.
AM - Amplitude Modulation, operating mode whereby the amplitude of the carrier wave is modulated in relation to the audio being transmitted. Less common on VHF/UHF, sometimes used by aircraft and military communications.

Propagation - This is the word that describes how radio waves travel through the atmosphere. In general, VHF and UHF radio waves propagate in such a way that makes them more conducive to local area communications -- this is sometimes called "line of sight", which is a bit of an oversimplification but carries the general meaning. Compare this to lower frequencies (in the HF -- "high frequency" -- band), which can be used to transmit around the world. A major difference between these two types of propagation deals with how a radio wave reacts when it gets to the Ionosphere. Most HF waves will "bounce" off the Ionosphere and return to earth, allowing for much further distances than line of sight. VHF and UHF will not bounce off the Ionosphere (in general), which shortens the range on land but allows you to do cool things like receive satellite or spacecraft transmissions with a handheld receiver running on battery power. VHF and UHF waves are also more susceptible to lower-level atmospheric conditions (weather), and can do some unusual things (such as travel hundreds of miles beyond the normal range) if conditions are right.

Repeater - A transceiver that is configured to receive on a given frequency and re-transmit what it hears. Commonly done in duplex mode, where it receives on one frequency and simultaneously transmits on a different one; simplex mode receives and transmits on the same frequency (with a delay). Repeaters are commonly used by emergency services, to help increase coverage in areas that may be radio "dead spots".

Squelch - This is a setting on your scanner that lets you "quiet" the scanner when it is not actively receiving a radio transmission.
Squelch is used to keep you from hearing the static on the frequencies, while still allowing a strong signal to be received. With the squelch all the way open, you will hear static (tune your FM car radio to an empty channel to hear what this sounds like). With the squelch all the way closed, you will hear either nothing or only the very strongest of signals. You may need to adjust the squelch of your scanner higher or lower, depending on what other RF "noise" is in your area. Computers and other electronic equipment can increase the intensity of the static, while being in a remote area is usually quieter.

PL - This can go by a number of terms, including CTCSS or "subaudible tone squelch". The idea of PL is related to squelch -- radio transmitters can superimpose a tone on the transmission that cannot be detected by the human ear, but that can be detected by scanners or receivers. If you set your scanner to receive a particular frequency and specify a PL tone, then the squelch will not open for any transmission on that frequency that does not have that particular tone. This is useful in areas which may be "noisy", so people using radios don't have to keep adjusting the squelch level. This is also useful when different groups are using the same frequency -- each group can set their radios to send and receive a different PL tone, and they will not hear the communications by the other group. If you are familiar with the FRS/GMRS walkie-talkies, these are sometimes called "privacy tones". Note that they do not encrypt or scramble the transmission at all -- anyone can still listen in. They are used solely to control whether the squelch on the receiver is opened. Not all scanners are PL compatible, in which case they will just receive everything on a frequency by default in accordance with how you manually set the squelch.

Trunked System - A computer-managed system of sharing a pool of frequencies between a number of users.
It assumes that every single user will not need to use a frequency at the same time; thus, radios within the same "talk group" are tuned to a free transmit/receive frequency by computer when a transmission is made. (Compare to a trunked telephone line system.)

III. Equipment

Scanner - This is the piece of hardware that lets you do the snooping. They come in a few different varieties; you can have a handheld model that runs off a battery, a mobile unit that mounts in your car, or a base station unit that sits on a desk. They come in all shapes, sizes, and colors, and can be bought used for under US$50 or new for several hundred dollars. Calling it a "scanner" generally implies coverage of VHF/UHF frequencies and above, usually starting around 30 MHz. (If you are interested in lower frequencies, you will want to look into either a shortwave radio or a "general coverage receiver", which will allow you to listen below 30 MHz.) Scanners usually have a few hundred or more memory channels to allow you to save your favorite frequencies for listening. Some scanners provide support for listening to trunked systems, while others do not. Check the specs before making a purchase, if you are interested in a scanner with trunking capability.

Antenna - A handheld scanner will usually come equipped with a flexible, 6-8 inch antenna known as a "rubber duck". This should be adequate for general listening, though the range will be somewhat limited (i.e. you may not be able to receive your home police frequencies in your office if you work very far away). If there are particular frequencies of interest to you, you can get an antenna that is more closely matched to the frequencies you are interested in, which will improve reception. Additionally, the height of the antenna helps for VHF/UHF "line of sight", so if you have the opportunity to hang an antenna in your attic, you will get better results.
There are also mobile antennas designed to be mounted on the roof or trunk of your car, that will provide better reception than the standard rubber duck inside the vehicle itself.

Frequency Counter - Sometimes given a fancier brand or model name, this is a piece of equipment that will display the frequency of any strong signals in the nearby area. For example, if you are in a shopping mall, your frequency counter would be able to show you the frequency that the mall operations and security staff are using to communicate. Generally, frequency counters only display the frequencies they receive -- they don't let you listen in. Some types, however, can interface with a handheld or portable scanner and immediately tune the scanner to the detected frequency. Some scanners also come with this type of functionality built in (though expect to pay more).

Computer - Some base station scanners can interact with various scanning software packages that help automate the scanning and documenting process. Additionally, many modern scanners can be programmed with software, which can save you entering the 582 different frequencies and 37 different trunked talk groups in your area by hand one at a time.

Of the above equipment, all you really need is a scanner and some sort of antenna... a handheld scanner with rubber duck is a good place to start. You can always add more later, if you get bitten by the bug and want to see what else is out there.

IV. Getting Started -- What Can You Do, and What Will You Hear?

Okay... so you've purchased a simple handheld scanner from Radio Schlock and plugged in the battery charger. While the battery is charging, you should take the time to read the operating manual for your scanner. Since handheld scanners have a very limited human interface (keypad), some of the more detailed settings can be somewhat difficult to remember, and may not be very intuitive.
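Squelch and PL are two of those settings, and the following Python model (added here; not code from the article or from any scanner maker) shows what the scanner is actually deciding: carrier squelch compares the received level against the squelch setting, and tone squelch additionally looks for the configured sub-audible tone, detected here with the Goertzel algorithm on constructed one-second audio. It also shows the point made under PL above: with no PL tone configured, the same transmission is heard whatever tone it carries, because nothing is encrypted. The 8000 Hz sample rate, the 1 kHz tone standing in for speech, the tone amplitudes and the thresholds are all assumptions of this model.

```python
import math
import random

SAMPLE_RATE = 8000  # samples per second (an assumption for this model)


def make_signal(voice_amp, ctcss_hz=None, ctcss_amp=0.15,
                noise_amp=0.02, seconds=1.0, seed=1):
    """Construct 'received audio': a 1 kHz tone standing in for speech
    (voice_amp=0 means nobody is transmitting, i.e. static only), an optional
    sub-audible CTCSS/PL tone, and a little background noise. Constructed data."""
    rng = random.Random(seed)  # fixed seed so the example is repeatable
    n = int(SAMPLE_RATE * seconds)
    samples = []
    for i in range(n):
        t = i / SAMPLE_RATE
        x = voice_amp * math.sin(2 * math.pi * 1000.0 * t)
        if ctcss_hz is not None:
            x += ctcss_amp * math.sin(2 * math.pi * ctcss_hz * t)
        samples.append(x + rng.gauss(0.0, noise_amp))
    return samples


def rms(samples):
    """Received signal level; this is what carrier squelch compares against."""
    return math.sqrt(sum(x * x for x in samples) / len(samples))


def goertzel_amplitude(samples, target_hz):
    """Estimate the amplitude of one tone with the Goertzel algorithm (a
    single-bin DFT). With 8000 samples at 8000 Hz the bins are 1 Hz wide,
    enough to separate neighbouring CTCSS tones such as 100.0 and 103.5 Hz."""
    n = len(samples)
    k = round(n * target_hz / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2   # |X[k]|^2
    return 2.0 * math.sqrt(max(power, 0.0)) / n   # scaled to tone amplitude


def squelch_open(samples, squelch_level=0.1, pl_tone_hz=None, pl_min_amp=0.05):
    """Decide whether the scanner unmutes its audio for this chunk.
    Carrier squelch: the signal must be louder than the squelch setting.
    Tone squelch: if a PL tone is configured, it must also be present.
    Nothing here decodes or decrypts anything; with pl_tone_hz=None every
    strong transmission is heard, whatever tone (if any) it carries."""
    if rms(samples) < squelch_level:
        return False
    if pl_tone_hz is None:
        return True
    return goertzel_amplitude(samples, pl_tone_hz) >= pl_min_amp


if __name__ == "__main__":
    static = make_signal(0.0)                    # empty channel, noise only
    group_a = make_signal(0.8, ctcss_hz=100.0)   # transmits with a 100.0 Hz PL
    group_b = make_signal(0.8, ctcss_hz=123.0)   # transmits with a 123.0 Hz PL
    print("static, PL 100.0 set: ", squelch_open(static, pl_tone_hz=100.0))   # False
    print("group A, PL 100.0 set:", squelch_open(group_a, pl_tone_hz=100.0))  # True
    print("group B, PL 100.0 set:", squelch_open(group_b, pl_tone_hz=100.0))  # False
    print("group B, no PL set:   ", squelch_open(group_b))                    # True
```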
If you have a compatible scanner, you can do the initial programming via computer; keep in mind, though, if you are out somewhere and want to make some changes, you are limited to your 10 fingers and the 20 or fewer keys on the keypad.

There are more or less two different ways you can use a scanner to see what's going on in the world around you. The term "scanning" implies that you have some frequencies of interest saved in the memory of your scanner, and are looping through some or all of them very rapidly to see which are in use. Frequency lists can be found all over the Internet, and will help you quickly locate frequencies in your area that you want to listen to. While specific frequencies will vary depending on your area, this is a general overview of what you may find in different portions of the VHF/UHF spectrum (in the United States):

* 43-50 MHz: some walkie-talkies, cordless phones, and baby monitors; miscellaneous
* 50-54 MHz: amateur radio 6 meter band
* 118-132 MHz: Airband; commercial and private aircraft and air traffic control (121.5 MHz for emergencies)
* 144-148 MHz: amateur radio 2 meter band
* 148-174 MHz: VHF "business band", various commercial 2-way communications; some emergency services
* 156-174 MHz: Marine band radio (156.8 MHz for emergencies)
* 162.40-162.55 MHz: NOAA weather reporting (very useful)
* 174-222 MHz: Miscellaneous
* 222-225 MHz: amateur radio 1.25 meter band
* 225-400 MHz: Miscellaneous federal government and military (some scanners do not receive on these frequencies)
* 420-450 MHz: amateur radio 70cm band
* 450-470 MHz: UHF "business band"; GMRS/FRS radios; emergency services
* 806-894 MHz: some emergency services; mostly analog cellular (it is illegal in the US to manufacture scanners that can receive cellular frequencies, even though most cell traffic now is digital)
* 900 MHz and up: various services, amateur radio, XM and Sirius satellite radio, WiFi

(summarized from Wikipedia's VHF and UHF pages)

As you can see,
that's a lot of ground to cover. If you can find a listing of frequencies in your area, it can help you get down to business very quickly -- in fact, if you have a computer programmable scanner, you may find that someone can provide a pre-filled database that you can upload to your scanner and instantly have hundreds of potentially interesting frequencies from your area.

Another way of using your scanner is to have it tune through a frequency range, just to see what is out there (if you're not looking for anything in particular). This is referred to as "searching", and is usually more of an exercise in patience than in actively listening to anything. If you get into the hobby more seriously, a base station scanner interfacing with some computer software can do this kind of thing around the clock -- tune through a pre-specified frequency range, logging and even recording what is heard. This can be interesting for locating new frequencies in use, but doing so on your commute to work or school will probably yield mostly empty air.

- Emergency Services

A lot of the appeal of scanning comes from the idea of listening to the various emergency services in a local area. For whatever reason, people like the idea of snooping in on police, fire, EMS, or other emergency or public safety communications. If this is your goal, it is a common one; it will be very easy to find frequency lists for your local, county, or state emergency services. However, listening in may not be quite what you think. Here is a sample of what you might hear on a police dispatching frequency:

Dispatch: "32-14"
Officer: "14"
Dispatch: "Proceed to 123 Elm Street. Respond to complaint of neighbors arguing, possible domestic."
Officer: "Copy"
Dispatch: "16:34"

Yes, that's it. The entire conversation took place in less than a minute, and there were no bad guys getting blown away, no helicopters, no car chases.
What you heard is the dispatcher calling unit 32-14 (in my area, the first two numbers represent the township or borough, and the second two are the individual officer/unit... so 32-14 is unit 14 in area 32), who then responded with his ID. The dispatch was given, which the officer copied completely. The dispatcher finishes the communication by giving the time of day in 24-hour format (4:34 pm).

The majority of emergency services communications that I have heard is more or less this kind of routine chatter. Ambulances and fire trucks may be dispatched with a series of tones that provide location and service provision requirements, but overall you probably won't hear extended car/foot pursuits, firefights, or hostage standoffs on a routine basis (or if you do, you may want to consider moving to a less dangerous area).

The format and protocols you will hear with emergency or really any kind of communications will vary from location to location. In my area, for example, the city of Pittsburgh manages its own emergency services in the metropolitan area, while the county facilitates most of the outlying townships/boroughs. A large metro area (New York, Chicago, LA) will probably have very different protocols than a smaller rural area... but as you listen in, you'll get the hang of what is going on.

If you will be using your scanner inside of your vehicle, you might want to take a few minutes to find out what the laws are in your area - some places prohibit scanning while mobile, others do not. Not that you would necessarily get pulled over for scanning... but if you happened to get stopped for another reason (seatbelt, speeding, etc...) and the officer sees a scanner, you could find yourself with more than one citation. See the link at the end of the article for a decent reference for local mobile scanner laws.
I should also mention at this point that there are some people of a more malicious mindset who think that carrying a scanner to listen to the police frequencies may help give them an edge over the police if they are attempting some sort of illegal activity. In general, this is a very bad idea for a number of reasons. Many areas have laws that consider possession of a scanner during the commission of a crime to be very serious, and will net you some big fines. Additionally, you won't hear *everything* on a scanner... so what you *do* hear may not be the complete picture. It is not uncommon to hear one police officer tell another, "call me on my cell phone". They know people are listening in, and they act accordingly.

- Transportation (Aircraft/Marine/Railroad)

Depending on the area you live in, you may be able to tune in some different transportation related frequencies. Most areas likely have an airport within VHF/UHF range, so you should be able to hear some of the comings and goings of airline traffic (note that some airline traffic uses AM, which many handheld scanners do not support). You should be able to find a list of the various airport frequencies in your area -- there will be different ones for air to air, air to ground, and ground communication. Airports may also have some broadcast frequencies that loop pre-recorded messages related to weather and airport information; sometimes this can be interesting to listen to.

Marine radio can be a combination of business and personal boaters, though the rise of cell phones has cut down on the amount of non-business communication on the marine frequencies. Marine radio is described in terms of different "channels", with each channel operating on a different frequency (this is because it is easier to reference a channel number than a numeric frequency).
What you will hear is largely dependent on the type of marine activity in your area (recreational boaters, commercial shipping, Coast Guard, etc...); the FCC website gives a guide to the various channels and their uses: http://wireless.fcc.gov/marine/vhfchanl.html

- FRS

FRS stands for Family Radio Service -- these are the ever increasingly popular "cool" walkie talkies that moms and dads get and give to their kids so they can keep in touch at amusement parks, camping, or anywhere that groups may split up but still wish to maintain contact with each other. The FRS frequencies lie in the UHF band, and any scanner should be able to pick them up. You may not hear anything overly exciting, though it can be fun to snoop around and listen since many people who use these types of radios don't realize that anyone else can be listening in, particularly if they have a "privacy tone" enabled on the channel.

- Other Stuff

There are very likely a number of other VHF/UHF two-way radio users in your area that you can listen in on. These could be anyone: school bus drivers, mall security guards, football stadium concession vendors, delivery trucks, or construction workers on a large job site. Frequency lists for your area will give you a good starting point, and a forum or mailing list can give you "as it happens" information on some other non-standard frequencies. Overall, you never know what you may hear.

V. Conclusion -- What Else Can You Do?

That should be enough information to get you going into the hobby, to see if you like it or not. If you want to go further with it, you might see if you can find a local scanning or ham radio club (many hams are also interested in scanning) to get involved with, or maybe a web forum or email list if there isn't a formal club in your area. As you progress into the hobby, you may find that additional equipment can help you locate some more elusive stuff out there in the ether.
You may hear various beeps and boops, squawks, or other telltale signs of digital communication... interfacing the audio of your scanner with your computer can help you decode some of the sounds you hear that aren't just people talking. Maybe there are some frequencies you've heard of that you can't hear while at home. Why not try building your own antenna, and hanging it up higher? Or, build a directional antenna that you can aim wherever you want to really pull in the distant signals. You may find that your curiosity has been piqued enough to wonder what else is out there to listen to, in which case you can explore shortwave listening to hear transmissions from around the world.

There are some good resources out on the web -- enough to keep you busy for quite a while. In particular, I would recommend the Ticom 'Zine (see the links at the end for info) as an excellent source for intermediate and advanced level scanning (or as he refers to it, "Comint" for "communications intelligence"). I have also emailed back and forth with the author, and he is willing to answer questions related to the hobby, and is a nice guy to boot.

Radio as a hobby has a lot of potential, and it can be whatever you make it out to be. It's a much older hobby than computers and, some might say, not as "cool"... but my hope is to give you a little picture of what can be done, and to give you some resources to help you find out more about what The Man is doing in your neck of the woods.

VI. Links

TICOM 'Zine: http://www.digivill.net/~ticom/ticomzine/
Scanning Laws (US): http://www.afn.org/~afn09444/scanlaws/
Scanning Laws (International): http://www.strongsignals.net/access/content/laws.html
Binary Revolution Hardware Forum: http://www.binrev.com/forums/index.php?showforum=9
Live Streaming Public Safety: http://www.incidentbroadcast.com/index.php (TeamSpeak install required for Live feeds)
Intro: http://www.geocities.com/intercept_new_england/nigel01.txt
Digital Transmission Sound Samples: http://www.kb9ukd.com/digital/

-[ 0x05 . Newsletter Outro ]-----------------------------------------------

That is it! This edition of the newOrder newsletter is officially over. However, before we close this thing off I would like to send my deepest thanks to the following contributors: data, zshzn, login, bulibuta, mirrorshades, Byte69, izik, rattle, m4tt, resolution, and stand__sure (I am sure I left some people out). Without an indication of the work you contribute in your profile, and with your articles lacking their own place in the article section of the site, it is easy for posterity to underestimate the amount you have contributed to the community. It is your continued contribution that makes our community a good place to be.

= ----------------------------------------------------------------------- =

newOrder and the newOrder newsletter team do not make any guarantees expressed or implied as to the accuracy of this publication. If you do something stupid as a result of what you have read here, and something goes wrong, blame it on the freaking rain but not on us.

All content is the intellectual property of the respective author(s). Copying of content without proper credit is prohibited and lame.

Copyright (C) 2005 newOrder newsletter team, all rights reserved. Support the newOrder agenda, distribute freely!

= ----------------------------------------------------------------------- =