Untitled

in the wrong "memory hole" has either probably had a
talking to, or is being investigated even further. This
style and technique vary from words stick, to extra line
spaces, to off indentations, to bogus paragraphs, to typos.
The key is to make the same letter appear some·
what similar, but different enough to identify the
"mole " Also, this technique is performed to weed out
the moles in a high security situation concerning information
warfare.
We 'll never tell.
iZRaXXX
Dear 1600:
I had to write in to point out the errors and miscellaneous
lameness in Frieda's "eGI Flaws" article in
your Spring issue
I CGI is not inherently "flawed" because it runs on
the server-side. It isn't practical or desirable to transmit
large databases to the client so that they can be
processed on his/her machine. How many search engines
do you know that aren't server-side applications?
2. In the fake Is script, what's "copy"? We're on
UNIX, not DOS · try cp ...
3. What are all the extra "./"s for? Those have no ef
feet other than requiring extra typing.
4. Why does the fake Is script run the real Is with no
arguments??? Your ruse will be discovered pretty fast if
the sysadmin uses Is -l or something. The script should
say "Is $*".
5. The fake Is won't be executed if the sysadmin has
' . ' anywhere in his path! It would have to come before
Ibin and lusr/bin. If the sysadmin has '.' in his $PATH
and it doesn't come last he is very stupid indeed. This is
the first commandment of protecting yourself (and your
system) from your users. Besides, this old trick really
has nothing to do with CGI'
6. Frieda says to make .somebinary perfect before
you pull the suid gag. Not very flexible. Why not have
somebinary call .someotherbinary? That way you can
change .someotherbinary to do whatever you want.
7. SUID does indeed work on scripts on many/most
UNIXes, but not with csh . try sh or ksh. On some
UNIXes you need to use something like "#'lbinlsh .p"
to have the system preserve the effective UID.
The "Setting Up Unix Trapdoors" article in the
same issue was much more on-track, though there's one
glaring problem. All of the '>'s should be '» 's ' Other·
wise you're wiping out letc/services, letc/inetd.conf,
and I.rhosts. This will no doubt blow the system out of
the water - not very discreet.
Also, the hint to system admins to search for suid
programs with a modification time later than a certain
date is not very helpful - timestamps are trivial to fake.
diff is also unreliable as you'd need to be diffing against
backup copies of the suid programs which the hacker
will have found and modified if he's worth his salt.
Therefore, it's best to compare checksums. Hardcode
them into an executable so the hacker can't easily just
change them to the new values. And don't call the exe·
cutable compare_suid_checksums - make it something
innocuous so the hacker won't know to monkey with it
Whirlwind
Dear 1600:
nathan@senate.org 's article "setting up unix trapdoors"
has some errors in there that are very misleading
to unix newbies.
I contacted the author and he says he typed things
right, and I believe him. Just a reminder to your editors
and authors I guess that ">" is very different than " » "
The lines echo "nsp 2600/tcp # Network Secunty
Protocol" > jete/services and the associated line in inetd.conf
will replace those files as we all should know.
And you don't want to do that. Using » instead will, of
course, append those lines to their respective files without
overwriting them entirely
emory
Th is was a mistake that occurred on our end during
the layout proct!ss and prohahly one o{ the wurst we
could have made. Ironically, it was a computer error.
We 're sorry/hr any problems it may have caused.
Dear 1600:
Vandal's article in 15: I titled "ANI 2· the adventure
continues", is incorrect about five things:
I) ANACs using ANI II have been in existence for a
while. Over a year now, actually. So they haven't been
"popping up" as vandal suggested. On the same note,
ANI is not ANAC. There is a difference.
2) The call letters used are not Greek leuers; they
are phonetIc letters. "Charlie" is not a Greek letter (as
read off by the dead 800·555 ANAC).
3) The ANI II digits are read out hejiJre the number,
and then only on ANACs that are owned by MCI.
4) The list he provides is not every known ANI II
code, it's every possible ANI II code (He should have
read the damn thing firsL )
5) The 07 code does not signify an operator assisted
call. The 07 denotes that there is some type of restriction
on that line that prevents calling. For example, you are
at a COCOT and you call 1·800-487-9240. It reads back
all of its information and then says "ANI number
0,7,9,1 ,4,6,3,4,9,8,7,6". Perhaps that COCOT has an international
calling block, or a 900 or 0700 block. An·
other example: you are in a condo rented by a resort (as
in you are nut on their PBX). You call up the ANAC, and
it tells you that your ANI II digits are 07. Maybe that
line has a rest.rietion that prevents it from dialing out of
LATA . Or maybe you can't call directory assistance
from that phone. Just for the record, the correct ANI II
digits for an operator assisted call are 34. Check for
yoursclves.
On a different note, while many of the RBOCs have
stopped giving you a dial tone after one side hangs up,
SNET (Southern New England Te lephone, the reigning
LEC in Connecticut) is still doing this' Remember the
easy days of ripping pay phones off by letting 1·800·
LOAN· YES hang up? It's still possible there' Oddly
enough, it seems as ifsome of the countrywide COCOT
providers are unaware of this. Today (7117) I was at a
COCOT that was manufactured by Elcotel when I found
this out, coincidentally. I called up an ANAC to add an·
other pay phone number to my collection, and when the
letters continued on page 48
Fa ll 1998 2600 Magazine Page 3 9