Anarchist                                        Fri 17 Feb 1995
Philosophers              Phile 002: Hacker Security
United                    by Sine
────────────────────────────────────────────────────────

A few things have changed in the twelve days since APu put out its first phile. I've been calling some H/P boards recently, and The Hayden Andre Project in 905 has been designated the unofficial headquarters of APu.

Still, APu is a group with only one member. Hopefully by distributing more philes I can attract some attention, and therefore some members. I don't want any part-time members though. Members should be able to produce at least one phile every two months, preferably much more. But if you are genuinely interested in joining APu as a writer, send me mail on The Hayden Andre Project and I should reply within a day or so. (I'm working on an Internet connection. Be patient.)

Note: APu #001 was originally released as Phile 000. I realised that this would cause some problems in numbering. We would have our 100th phile celebration when we got to 099. It just didn't seem right, so I changed it. I hope I didn't cause any casualties from the shock and frantic confusion.

Now onto the subject at hand: hacker security. This has come up for me recently in the past few days. In five hours last Saturday I dialed several dozen H/P boards across North America, using a single PBX code without a diverter for every call. The reason was that the diverter is incompatible with the PBX, so I gave up and called directly. The person who gave me the code said he and his friends called without the diverter all the time, so I assumed it was okay. By calling these boards I had collected about five megs of g-files and H/P utils, so I thought it was a success.

Then I read one of the files. It was about PBX code safety. My action, calling direct from my home line, was listed as the lamest thing to do of all. I resolved not to make this mistake again, and now I almost never use it.
If the reasons are not obvious to you, I will try to explain them in this phile.

The methods described in this phile are quite basic. It simply requires a conscious effort that many hackers don't provide, whether it's because of laziness, ignorance, or a bloated "can't catch me" ego.

Why Should I Bother With These Methods?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

It's a stupid question, but unfortunately a common one. Take a look at this simple equation. No complicated formulae, just a simple equation.

        Bust = End of H/P Career

This is a stupid equation, but it is often forgotten. If you're busted, chances are at least nine out of ten that you won't be hacking again. Even if you get off easy in terms of jail time, your career will be over.

Now, if you're a novice hacker, and you're caught, you'll retire as a novice hacker. You don't get the satisfaction that a successful hacker gets when he's caught. You go to jail wishing you had survived long enough to get good.

That's the purpose of this phile. Spend a little more time now protecting yourself, and you'll have a lot more time to keep hacking later.

Protecting Your Phone Number
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I've seen some hackers post their home phone numbers publicly. Many more exchange with their close BBS friends. It is important to know who knows your home phone number, because if it falls into the wrong hands, you're screwed.

You may be asked by a friend for your voice number so you can chat. Instead of risking your career, call a loop number (described later) and chat there. Your friend will have no reason to argue, unless of course he's a narc. If your friend is less security-conscious than you, you can also ask for his number.

Protecting Your Handle
~~~~~~~~~~~~~~~~~~~~~~

If you call PD or warez boards, be sure to use a different handle for them than your H/P handle. Also make no mention of your PD/pir8 handle while speaking with other hackers.
As soon as the cops find out your PD board handle, they'll be able to trace you from there.

Protecting Your Name and Address
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your handle IS your name. There is no valid reason for someone to require that you give them your real name. The same goes with your address; no one is going to be sending you anything in the mail. It's usually okay to give out your first name. It's safer not to, but it makes conversation easier, and it's certainly a lot better than giving out your full name.

For additional security you can fake the city and area code you are from. The police probably keep a list of possible hackers in their area, so you'll be easier to track down if they know the general area in which you live.

Watching What You Post
~~~~~~~~~~~~~~~~~~~~~~

Using miscellaneous information assembled from your posts, cops can put together a profile of your behaviour and activities that will make you easier to prosecute. If you post PBX codes and passwords, they might use it against you in court.

        More Users = More Narcs

For this simple reason, try to remain on smaller, more private boards with tough entrance requirements. This will keep out the bad narcs. But the good ones can get onto any board. No matter where you are, always be careful about what you post.

Meeting in Person
~~~~~~~~~~~~~~~~~

A good rule to remember, though it is of course exaggerated, is that one in three hackers you meet is a narc. One in three people you meet is going to find out all the information about you that he can, and then he is going to turn you in. He might be an ex-hacker cooperating with the cops to get lighter sentencing, or he might be an undercover cop on a sting operation. Either way, you're screwed if he finds out who you really are.

A personal meet makes the narc's job ridiculously easy. Let's assume you meet at the other hacker's house, or a neutral location, rather than your own house (in which case you can kiss your H/P career goodbye).
The narc will give the police a description of you, so when the cops come knocking at your door sometime later, they'll compare you to that picture and instantly they'll know everything about you. Feigning stupidity won't work.

Loop Numbers
~~~~~~~~~~~~

Loop numbers are two numbers in the same area code that are joined together. This means that if you call one, and another hacker calls the other, you will be able to talk, and neither of you will have your home phone numbers compromised. More detailed descriptions of loops are easy to find on H/P boards (and maybe a future APu phile). Try the following on THAP:

        UNT-NMB1.ZIP   4K  12/20/94  - [Valid Loops/950s/800 Numbers] -
        LOOPS   .TXT   3K  03/28/94  Info on loops to use
        MLOOPS  .TXT   3K  03/28/94  More loops to talk on

Avoiding Traces
~~~~~~~~~~~~~~~

Here's another stupid, yet somehow logical, equation continuing from the first one:

        Trace = Bust = End of H/P Career

No matter how well you protect your information on BBSes, if you're hacking a system and you get traced it's all over. You'd better start destroying evidence and thinking of some good things to say when the police drop in for a visit. (The best advice is to say nothing. There are literally hundreds of g-philes available on the subject of talking with police.)

To avoid being traced, you can build an Aqua box. An Aqua box is a device which sucks the voltage out of the line so you can't be traced. Since I'm a klutz with electronics, I have not bothered to try assembling one yet. Even if you do have the ability, the box does not tell you when you're being traced. So it seems to be of limited use. (If it still works at all, I'm not sure.)

I have heard of a box (maybe a 'dark' box?) that will give you a warning when you're being traced. Since I haven't seen any actual diagrams, I don't know whether this is fact or fiction.

The simplest and most effective way of avoiding traces is to use a diverter. First you must obtain a diverter number from a friend, BBS, or g-phile.
When you call it, you will hear a tone, and from there you can call the number of the system you're about to hack. You may have to repeat the last digit of the number several times, until you hear a click. (11 times for a local call with my diverter.)

Diverters simply forward your call, and it is not very difficult to trace through them to your number. But using a diverter will make the trace take longer (giving you time to get the hell off the system!) and will cause casual tracing and ANI (Automatic Number Identification) attempts to fail.

In the System
~~~~~~~~~~~~~

If the sysadmin doesn't know you're there, he won't try to trace you. This is the best way to remain safe. Remaining hidden while hacking a remote system is the subject of dozens of g-philes, possibly including future APu releases. But here are a few basic pointers.

Always try to leave the system the way it was before you entered. Resist the temptation to change the message of the day or send mail to root. Also, try not to leave your handle in the system you're in. If you want you can assume another handle for use inside systems, but the sysadmins will use the appearances of this handle to link together where you've hacked and find patterns.

Field Phreaking
~~~~~~~~~~~~~~~

Trashing, disconnecting payphones, entering telco manholes (be sure it's not a sewer manhole!), climbing telephone poles, rewiring residential phone boxes: these are all what I consider "field phreaking", though my definition may not be exact. This can be a lot of fun, but when you do this you are (when it comes to avoiding the law) no better than the common street thug. You'll need your wits, but you'll also need to be able to run fast, climb fences, and spot hiding places. If you are good at this sort of thing, good luck, but if you're better in brains than brawn, you are better off staying with traditional hacking techniques. Field phreaking can get you locked up for a long time if you're not careful.

Conclusion
~~~~~~~~~~

There isn't too much in the way of original information in this phile. But hopefully I've reinforced some basic security techniques, and perhaps even taught something new to a novice hacker.

Future APu releases: I plan to do something with a network, maybe pick a fairly small network like Autonet and explain it in depth. Or perhaps I'll start work on my "Hacker Ethics" phile, which I want to be a lot bigger than current releases (maybe 20-30k). My other planned 'philosophical' work is "My Way," which is about non-violent anarchy and other such things. Since I've recently developed an interest in telephony, I might write an article on loops or diverters or something similar. I might even decide to try my hand at a fictional story like cDc does all the time.

So many things to write about ... so little time.

Keep on hacking,
·Sine