Researching The Hack: Snooping

You can go on tours of a lot of places, either of-ficially or unofficially. A tour might be one that is regularly run for wide-eyed kiddies and their par-ents, or it may be one specially set up for you be-cause you say you are a journalist who wants to do an article on the company. While taking your tour you will be gleaning valuable
information about the computer rooms, and about the person conducting the tour. That's all good information that can be put to use in guessing passwords. If you're suave enough, you can talk a proud com-puter owner into showing off the power of his ma-chine or the new game he's gotten. This can only help you when you go
home that night and hack the place.

seeing the screen setup is helpful as I've outlined above.

Now here's a hint I like to make use of, though I get to do so only irregularly. We are all familiar with the phenomenon of phosphorus burnout. That is, when one image is displayed for an extended period of time, the image gets burnt into the screen. Very often menus get burnt into the screen, and so occasionally I've been
in places where there is an old terminal that used to be for employees only, but has been moved into a publicly accessible spot. Many of the functions available for staff use only are visible on the screen and can be put to use or hacked. (You might have to fiddle with the bright-ness controls to see what it all says.) Other times I've
snuck a peek at the computer behind the counter, and although an innocuous screen was being displayed at the time, there was worthwhile stuff barely visible, burnt into the screen.

Many businesses, institutes and organizations run what are called special libraries. These gener-ally concern themselves only with the product or service which is the group's field of interest, but also include valuable details on the group itself. For instance, a company library might have manuals in it to the company's unique
computer system. Often there is a helpful listing of what programs are available on the mainframes. Such a program list-ing might include mention of what security prod-ucts are enabled, and you can write to the maker of those security products for details.

Snooping around buildings undergoing recon-struction can be worthwhile, as can snooping around buildings whose occupants are moving to a new building. In such cases, doors are found wide open, with computers and manuals laying around all over the place.

I remember one building I went to that was temporarily vacated due to construction, which had tons of cartons, desks and workstations out in the corridors (they were repainting offices). I found masses of passwords stuck to keyboards by Post-It Notes, and passwords scribbled on desk blotters, and taped to the underside of drawers. It was amazing that people could leave their secrets lay-ing out in the open like that, and yet it happens all the time.

From snooping around the lounge in a school building, I came up with handy reference manuals,Secret information that must be used every day (such as access codes) is oftenfound hiding on little scraps of paper:(A) on a cork board, (B) attached to the side or top of the monitor, (C) on nearbyfile cabinets or other furniture,(D) under blotter, (E) under mouse pad, (F) in desk drawer, or (G) underneath the the desk.
decade-old literature from a defunct computer users group, programmers' guides, and other stuff. This wasn't all necessarily useful for hacking pur-poses, but it was interesting to read. And it was in-teresting to rescue it from its dusty box on the top shelf of a closet.

In that same building I found a little room whose door was closed and had four signs attached to it. The first, formal and engraved said, "Computer Room." The rest were menacing, either hand lettered or printed by computer: "Keep this door locked at all times!" "For authorized persons ONLY!" And lastly, another stem
reminder, "ALWAYS lock this door when you leave!" Needless to say, the door was unlocked.

Inside there was a huge and informative operating system reference manual and two PCs, each of which had modems. From surfing the hard disks on one of those computers, I found that the termi-nal program was set up with script files <A "script" is a file that you use with a terminal program. You set up the terminal program so that when you log onto a system, the contents of the script file are sent to that system.

So if you have to go through some long and convoluted login procedures, you can put the commands into a script and have the computer automatically log in for you. This is handy, both for legitimate users, and for hackers who happen to gain access to those script files.> that contained phone numbers, passwords and other login procedures. Always look for such things when you snoop.

Snooping can bring to you those tutorial and simulation disks, as well as damaged disks, trash and insider literature which one can only get from either being employed by a company, or by snooping around. It adds a bit of physical excite-ment to the usually passive art of hacking, and it gets you away from the eyestrain of computer screens for a while.

It is not always necessary to research before a hack, but it is always helpful. Research in any form doesn't have to be undertaken with a particular hack in mind. Like my random snoopings of the torn-apart building and the university lounge, general explorations can lead to fruitful information. In other words, all hacking
doesn't have to be done on computers. There is also such a thing as the person who hacks -joyously -life.

Researching The Hack: Examining Screenshots

The photographs of computers you see in books, magazines, system documentation, promotional literature such as posters and pamphlets, government publications and booklets, as well as the pictures of computers available on television documentaries, news shows and commercials -can all contain valuable hacking information.

Computer photos might show just the screen (or monitor), or the entire computer, including keyboard, CPU and accessories. Or the picture might depict an actual computer in its natural envi-ronment with perhaps an operator visible.

The first group, essentially "screenshots," can be helpful in showing you what it looks like to be in-side a particular system that you have never really accessed. This can clue you in on what accessing style the system uses, if the password is displayed on-screen as it is typed, username and password styles, what features
are available, and much more, depending on what the photographs are attempt-ing to illustrate. Similarly, in user manuals and other instructional aids, drawings of screens are often found containing the same information, also default login codes, text specifics, error messages, and other handy stuff.

Knowing error messages and knowing the lay-out of the screen will make you a more believable system administrator or low-level user when you attempt some of the social engineering tricks men-tioned later in this book, especially if the computer system in question is one that is closed to outsiders. Seeing examples of
logins will give you ideas on how to go about a brute force attack. If a user name is shown or illustrated, it may be a valid one. Even if lower down on the screen all you get for pass-word information is a row of asterisks ("password: it will still help you in determining the length passwords are required to be. If in
separate photos taken from separate sources, both pass-words are shown being covered by eight asterisks, that is a good indication that either there is a de-fault eight-character password used to demonstrate the system, or that passwords are a maximum length of eight-characters.

Style of usernarne is important too, and will usually be visible. Seeing examples of usernarnes lets you know if first and last names are required, if uppercase letters are needed, whether abbrevia-tions or company names or group names are used for usemames.

Photographs that include more than just the screen often show the keyboard being used (look for misplaced or special keys), keyboard overlays, the kind of computer setup, and possibly messages taped to the CPU or monitor. A more generalized shot may show the computer's surroundings. Is it in a closed office, or are many
terminal operators working together in close proximity? What books are there on the shelves? You may be able to see things of interest hanging on a wall, or lying around on the desk. A user might be in the picture; is he or she wearing a name tag? Are pictures of a family present, or items suggesting a hobby, such as a
mounted baseball or a fishing rod? All avail-able data can be put to use by a hacker.

When I refer to the computing environment, I am, of course, only referring to pictures of comput-ers in their natural environments, as opposed to staged photos in advertisements, like the kind showing a Macintosh in your typical teenager's room. Newspaper and magazine articles are often accompanied by the kind of
computer photo you will want to analyze.

Seeing these things - signs of family life, books and hobbies, a typical user and what he or she is wearing - gives clues to passwords. The specific kind of computer may suggest ways of breaking in using known bugs or loopholes. The computing environment also will allow the social engineer to pretend familiarity with an
otherwise private room or office inside a building.

An additional way computer photographs can help is by looking to the bottom, usually in the caption, to where the source of the photo is listed. The source may give a photographer's name, in which case that photographer may be discreetly pumped for information, or it may give clues as to a relevant city, business or
organization. This can help in determining phone numbers, means of ac-cess, and also passwords.

These are just some of the ways in which close magnifying glass work will help you find out more about your intended target system. You can see why it is a good idea to videotape as many corn-puter-related TV shows as you can; you can always fastforward through the boring parts. Freeze framing a specific scene may help give insight into the hidden side of a system and the people who run it.

If you get a lot of static on your television when you freeze a frame, try cleaning the VCR. If that doesn't clear up the problem, it may be the audio component of the tape that is interfering with the video picture. Try taping just the video part of the tape you want to freeze. One way to do this is to connect two VCRs together
using just the Video In/Video Out cable, ignoring the audio link. Copy the relevant portion of the tape, and you will have a picture without accompanying sound to muddy the screen. You should only have an audio problem like this if there's a lot of background sound to begin with, like loud narration or loud music going on.

Here's an example of how this kind of photo-graphic detective work pays off: A hacker named Bellee was watching a behind-the-scenes-at-the-police-station show on her local cable channel. A close-up on a computer screen re-vealed the last three digits of a phone number that was being dialed by modem. The rest of the num-ber was invisible due to glare on the screen. Bellee knew the police databank being called was head-quartered in a specific town in Maryland, because the officer giving the tour had mentioned it. Some of the access codes being typed to get into the da-tabank were easily visible or inferable by all who watched the
show, but some weren't. A bit of h-brary research got Bellee the three-digit exchanges that were local to the township the cop had men-tioned. Bellee then dialed each of those exchanges until she found the correct phone number. (Because she had the last three digits from the television Just seeing the computers can be a
boon, and show, she only had to call each exchange 10 times to fill in the missing digit.)

Once she got through, she was able to use the login information she knew (a precinct number, municipality and state were needed) and hack the part she didn't (she knew she needed an eight-letter password from the TV show). So watching televi-sion paid off for Bellee.

Even widely syndicated shows can mess up by inadvertently revealing important clues to an observant audience. Anyone who happened to be watching a certain episode of Geraldo Rivera's Now It Can Be Told news show in late 1991 would have seen a story on a group of hackers and how they broke into a military computer. Several times dur-ing the course of the story the camera came close to the computer's screen, where the electronic address of the computer they had hacked was visible. The story also reported that the hackers had added an account to the system under the name "dquayle," with no password. As you can imagine, soon after the segment aired the account was closed up. As of this writing there is definitely no "dquayle" account on the system (I just called and checked), and some of the more common ways of gaining access to the system have been noticeably shut down. For ex-ample, it is no longer possible to call up anony-mously and retrieve files from that system.

Researching The Hack: Imperfections

If a disk looks okay, but will only give you "Read Errors," it is probably physically damaged on a microscopic level. It may have little holes or dents in it, imperfections that are too small for the naked eye to see. You can push past bad spots on a disk by manually rotating the disk inside. If the damage is limited to a small area of the disk, it may be that the damaged segment is the part the drive tries to read first. If you manually rotate the disk a little to the left or right, the new section of disk which you reveal may not have that damage and may there-fore be readable. Keep rotating the disk, a little at a time, until you've found a spot that is readable.

If you never find a readable spot, perhaps you've been duped! Maybe the disk is blank, or it isn't suitable for your computer. Or maybe it's single sided and you've inserted it with the wrong side facing the drive's read/write head.

A disk that you find in the trash bin may hold corporate data, proprietary software, maybe even a tutorial or simulation like we discussed earlier.

You never knew there was an archaeology side to computer hacking, did you? But that's exactly what all of this is; we are looking into people's lives to see what they think about, to find out what's im-portant to them, and to learn from their experiences. Hacking a damaged disk that you have un-earthed from a trash bin will lead you to details you would otherwise never have imagined existed. I highly recommend the exercise for the thrill value, and for the intellectual workout to be gained from this pursuit.

Researching The Hack: Rips And Tears

You can very carefully tape a ripped disk back together with thin transparent tape. Make sure to only put tape on one side at a time. Once you've gotten all the data you can off one side, you can remove the tape and repair the other side. As before, it is imperative that you don't let the tape get onto the side of the disk which the drive will be reading, or you could throw off your drive's read/write head, and may get sticky stuff on it, too.

Researching The Hack: Damage To One Side

Don't try this with your store bought disks! After slicing open the top, apply pressure
to the sides (A). Then (B) slide out the disk.
Now you can repair the disk,clean it, and slide it into afresh envelope

If the damage to a disk is limited to a single side, you will still be able to read data from the other side. There are two ways to do it.

The first way is to use a superzap program to selectively read tracks, piecing together data as you find it. Superzap programs, such as DOS's DEBUG utility, allow you to alter the data on a disk one bit at a time. If you can get your hands on an old single-sided drive it will make your work a bit easier: simply insert the disk bad-side-up, and read away. (In single-sided disks, data is normally read from and written to the back of the disk - the underside, if you hold the disk label-side up.)

A second option is to use a cosmetic disguise to hide the damaged side of the disk. For example, suppose you have found a 51/4" disk with unremov-able blemishes on one side only and your drive simply refuses to read the disk. Here's what you do.

Take another 51/4" disk, format it, then cut it open. Remove it from its envelope, and tape the new disk over the blemished disk. The tape should be between the two disks (thin double-sided tape works best). Make sure you line up the two disks precisely. Insert the taped disks back into a clean envelope, and see what you can make happen!

Researching The Hack: Check Up

Begin a found disk analysis by removing the disk from its paper sleeve if there is one, and eye-balling both sides for any distinct problems such as grooves, coffee stains or wrinkles. It is amazing what disasters disks can live through. During the early '80s when home computers first hit the mar-ketplace, there were warnings
everywhere: "Don't put disks by magnets, by your monitor, on your printer, or near your telephone. Don't bend disks, don't let your fingers stray from the label..." And on and on. Certainly you should treat disks carefully, but as we've learned since floppy drives became in-expensive enough for anyone to afford, disks just aren't as fragile as they were once thought to be. And certainly the plastic and Teflon they are made of are cheap enough to throw away, meaning dis-cards are common. So if you are rummaging through a company's trash bin and you see a man-gled disk, take it - you might be able to get some-thing interesting off it.

If there is nothing visibly wrong with the ( 5 1/4" ) disk, but you're still wary (because you found it in a garbage can or in a dusty place or something) you should carefully hold the envelope with one hand while rotating the disk with the other hand (using the hub ring). Look at the disk through the oval window as you do the rotation. Then turn the disk over and inspect the other side the same way. For 3 1/2" disks, you will have to hold open the sliding door with a finger as you rotate the disk using the hub ring.

If you suspect that a 5 1/4" disk is filthy, or if there is any dirt at all inside, rotating the disk may scratch it. Instead of rotating it, do this: Push the disk to the bottom of the envelope with your finger. Take a pair of sharp scissors or a knife and cut off a very thin strip of plastic from the top (label) edge of the envelope. With thumb and fingers, puff out the envelope, and ease out the disk. Don't wipe dirt off the disk - you don't want to scratch it. Try to blow away dust and dirt, or use a hair dryer set on low heat, or a can of compressed air.

Now look inside the plastic envelope. You will see a lining of a white gauze-like material. If that's dirty, throw away the envelope. Take a different disk ( that contains data you don't need any more ), slit the envelope open the same way, remove the disk and replace it with the other round floppy. Make sure the reinforced hub ring ( if it has one ) faces front. Now you can try using this disk on your cheap second-hand disk drive. For 31/2" disks, you can first carefully remove the door, then gently pry open the plastic envelope case with a knife. Don't jam the knife into the envelope; rather work around the edges and comers where the two halves are snapped together.

Re-move the floppy disk. Blow away any dirt, then put the disk into a clean envelope, using tape to keep the pieces together. Replace the sliding door if you can, but don't worry about that aspect if you have trouble doing so - most drives will not miss it.

51/4" disks sometimes get folded or bent. They are still usable but the bending can misalign your drive head. Not only will this ruin your disk drive, but subsequent disks inserted may be irreversibly damaged. Therefore, never use bent disks on a good drive, or good disks in your bad drive.

If you find a bent disk in the trash, first flatten it out as best you can. Put it on a hard, smooth, flat surface. Cover it with a few sheets of paper, then take a heavy book and press it down. Do NOT try to straighten disks by bending them the other way. If the outside envelope still seems in pretty bad shape, remove the inner disk and insert it in a good, flat envelope as described earlier.

Let's look at some of other ways a disk can be damaged but still remain salvageable.

Researching The Hack: Found Disk Analysis

When you hack you begin to find disks every-where. Some have been discarded, mangled, warped, bent; some have been carelessly lost, in the drive of a public computer, under a keyboard, be-hind a desk; and others you will find in their natural place - lying around on people's desks, in disk boxes, in library reference books, in file cabinets. You will want to be able to read data files off these disks and rerun any programs on them.

I am not going to suggest that you actively steal disks that you find in an office or wherever, but if you can manage to sneak one away for a few days or overnight without it being missed, then the best of luck to you!

Before I go into what should be done with found disks, let's get our terminology straight. Here I will be talking about microcomputer disks, which come in two varieties: 5 1/4" and 3 1/2" disks. A disk is composed of two parts. There is the square plastic outside, which I will refer to as the envelope, and the circular mylar disk inside. The square envelope is simply a means of protecting the flimsy and fragile disk within, and can be horribly mutilated without damaging data on the disk itself. 31h" disks have a small plastic or metal door that slides open to reveal the disk inside. 51/4" disks are unprotected in this way; their disks are exposed
through an oval hole.

WARNING!
••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••
•••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••

Never put a disk of unknown origin, especially a physically damaged one, into a good disk drive. Before examining found or damaged disks, you should get ahold of a cheap, second-hand drive and use that for found disk analysis. Examining bad disks can easily damage your disk drive. Never use bad, damaged or
found disks on a good quality drive!

Researching The Hack: GIRK

Of course, you can go out scavenging unarmed through the trash bins of the world, but to facilitate and quicken results, you will most likely want to prepare beforehand for your excursion into the trash of white collar America!

 A memo retreived from the garbage contains valuable information

Here are the things you should consider includ-ing in your GIRK - Garbaged Information Retrieval Kit:

Rubber gloves. Either surgical gloves, or the kind you use while washing dishes. Though most garbage you'll be rummaging through is "clean" (white paper bins for recycling) it's a good idea to wear some sort of thin gloves anyway. You'll also want to wear gloves when you're at home sorting through the bags you lifted.

Ladder. I'm not talking about real ladders here, al-though you may want to use one. Some dump-sters are very high, or are vertically-oriented, and so climbing out of them may be difficult. Find yourself an old chair or hassock some-body's throwing away, and take it in the trunk of your car. Then you can either put it into
the bin from outside if it looks like you'll have trouble climbing out, or you can use it to climb into the bin in the first place. Either way, if you have to leave in a hurry for some reason you can safely leave it behind - after all, it was garbage to begin with, right?

Flashlight. Take a piece of rope or a strip of denim or something and fashion a strap. Make the strap just big enough so you can easily slip the flashlight on and off your hand. Especially if you'll be rummaging at night, you will need a powerful flashlight to guide you through the garbage. Make sure the batteries are okay -best
thing is to use rechargeables.

Garbage bags. Not the clear kind. You must use black, brown, or similarly colored bags for this. After all, you don't want people to see what you've got in them. If you're just pulling manuals, memos, etc., out of the trash and are not bringing home whole, intact bags, you should bring along at least one of your own darkcolored garbage bags, to put everything in. You might want to take two bags, placing one inside the other, to insure against breakage.

Appropriate clothing. Don't go rummaging through garbage bins in your Sunday finery! Wear shoes you'll be able to climb and jump with. Wear clothes that won't snag, old clothes, clothes that you don't care if they get destroyed. You might want to wear a custodial type outfit, if you have it. If you know the company maintenance staff tends to wear baseball caps, or a certain color shirt or jacket, then by all means dress similarly. Wear dark colors, not bright pinks, reds, or yellows that everyone's going to be staring at.

Empty soda cans. Some hackers tell security guards or other onlookers that they're searching for aluminum cans to recycle. You might want to fill up the bottom third of one of your garbage bags with cans, or maybe leave an open bag of cans outside the bin so bypassers will be able to figure out for themselves that you're collecting cans for charity.

One time I told a stodgy old guard, "The sci-ence classes at my school are competing to see how many cans we can recycle. For every pound of cans we bring in, our school gets three dollars. The class that brings in the most cans wins a prize. Right now we're in second place, so I want to bring us up to first!" He walked
away and came back with a handful of empty beer cans and bottles. "Are you doing glass too?" he asked.

Remember: don't carry unnecessary things in your pockets, or things like watches that are going to fall off your wrist. You don't want to lose money, wallets, credit cards, notebooks or anything else to the hungry stomach of a garbage bin, so leave all that at home. Before you leave the house, do a pocket check. Make sure you have nothing that could identify you and nothing you can't afford to lose. This seems like obvious advice but I can recall at least four different messages posted by hackers on private BBSs where they said things like, "Jeez! I just came back from the CornpuPhone dump and I forgot to put my ring back on after I climbed out of the can! Now I'll have to go back there tomorrow!"

On the other hand, you might want to take along a cheap watch or something that didn't cost' much but looks expensive. Then if some curious person comes along you can jump up and say, "Here's that stupid watch! I knew that idiot janitor threw it out with the trash!" Also, another good idea: Take a shower when you get home!

Researching The Hack: Sorting Through Trash

It isn't really a dirty job, and nobody has got to do it, but serious investigators will. By "investigators" I refer to hackers who are research-ing a company or computer. It really isn't all that messy going through the garbage of most places. Often you'll find a separate bin for white paper. Some may be shredded, but mostly not. Try to plan your trips to the trash on days following a few days of sunny weather. You want your garbage to be in tip-top shape.

While I'm inside the dumpster I like to make stacks of the papers I find and load them into garbage bags. Then I bring it home to examine what I've collected. You'll find internal phone directories, names of public and private individuals, training manuals, outdated files, letters, information about projects being worked on, and
sometimes even mention of the computer system. Much of it is help-ful, and most is interesting too.

Even the regular trash is usually a pretty clean place to be (somewhat). Rummaging around in the garbage bins of various companies, office centers and other institutions, I have come across: micro-fiche, computer cards, entire boxes of business cards, books, a dead cat (really gross), broken elec-tronic junk, and lots and lots of, well, garbage. Of course most of it isn't helpful for the hack, but often there is knowledge to be gained. You can find out a lot about how an organization functions by its trash, and the way in which that trash is organized.

The first time I did this, I took a single green trash bag from the bin behind a bank. Bank bags, by the way, are stapled shut with a paper receipt that tells the name of the bank, and the time and date of disposal of the bag. The trash within is of two types. There are smaller bags containing refuse from each individual's office in the bank, and then there is the cytoplasm of crumpled forms and dis-carded paper tapes from behind the counter. The interesting parts are the bags from individual of-fices. In my first garbage heist, one banker was Japanese - he was throwing out a Japanese newspaper and a Japanese candy wrapper in addition to his bankrelated stuff. There was also the womanon the diet, the struggling-to-make-endsmeet single mother, and the assistant bank director. Now the bank director her garbage was very interesting. It contained a discarded lock from the vault, a box of orange "key hole signals (style V)," some vault-key envelopes, a slip of paper with the combination to a safe scrawled across it like a clue in a parlor mystery (12R- 32L-14R in case you care), and a memorandum to "Branch Managers" from the woman in charge of "Branch Automation," which apparently had accompanied a disk. From that let-ter I was able to get the name, address, and room number of the bank's Branch Automation Depart-ment and from there evolved a social engineer through the mails (see chapter on Social Engineer-ing) which resulted in myself getting a copy of the disk in question as well as some other very useful information.

If you were caught hacking a trash bin, you used to be able to say that you were "just looking for cans to recycle." Now offices pre" much recy-cle everything, so that won't do for an excuse. The old "school" or "community project" ploy is always a good bet: Say you are rummaging around in there doing research for a report on government or busi-ness waste.

Before you even step out of your house the first time, do a bit of phone work to find out what the garbage situation will be like. Call up the Solid Vyaste Department and ask when garbage collec-tion is for the street you have in mind to plunder. If pickup is Monday morning, that's good, since you'll be able to go at night over the weekend, when no one is around. You don't want to end up going the day after collection, so make that call be-fore you hop in your car.

As for recycled white paper, if there aren't any outside bins devoted specifically to it, you might want to go to the office during the day ( if it has a publicly-accessible area ) and take a casual look at the level of white paper in the recycling cans inside. Do this at different times of day for a few days, and you'll get their recycling
schedule. Again, you'll want to nab white office paper when the bins are'at their fullest.

Researching The Hack: Online Computer Simulators And Tutorials

Computer-based simulators and tutorials are often employed in teaching the ways of the com-pany computer system. These programs mimic the computer screens users would see if they were to log in to the actual network. Tutorials and simulators differ from the actual network in that they talk the user through a typical use
of the system, per-haps showing off special features available to the user. If the user isn't given a guided tour, there is often a workbook that is to be used with a scaled-down version of the actual system, often one with extensive help facilities to teach the new user the ropes.

Tutorials and simulators give new users hands-on experience with the problems and poli-cies of software they will encounter. They are very often used for training purposes instead of the ac-tual system, or as a supplement to it. There are several reasons for this. What if the system is still be-ing installed " or undergoing a
renovation? Or per-haps not enough terminals are connected yet for all employees to access the actual system. Using simulators eliminates these problems since they can be set up on any computer.

Temporary employment agencies may use software from a specific company to pretrain their workers, especially if the agency gets a lot of jobs from a specific company. Or regular employees may want the convenience of being able to borrow a tutorial disk from the company library to practice on at home. Finally, a good tutorial program or simulation can ensure that everyone receives the same quality instructions, without leaving out im-portant details which a human instructor might forget to teach.

How to get them? Simulation programs may be available from corporate, special or even academic libraries. You may also get hold of one from the publisher. Write to a software publisher,' saying you're interested in making a large purchase and ask if a demonstration disk is available. And you may be able to procure one from a friendly member of the company's computer department (do some social engineeringi - pretend you're a company manager or supervisor).

Simulators and tutorials are great things for a hacker to come across; the usefulness of them should be self-evident. They will help you learn the systems, and perhaps reveal default entry-words, and might even come with descriptions of system bugs.

Social engineering is the act of talking to a system user, pretending that you are also a legal user of the system, and in the course of the conversation, manipulating the discussion so that the user reveals passwords or other good stuff. Sometimes you have to use your imagination to find other ways in which online simulators can help. I was waiting in an office one day to see someone. The receptionist stepped out for a mo-ment and I stepped behind her desk and borrowed a computer disk I'd noticed stuck in a book. e disk held a program called ARRSIM (ARRangement SIMulator) which was actually a copy of a program they used on-line, only with a minuscule database of names. The program was used to teach employees how to use the computers to arrange and schedule meetings between custom-ers and potential contractors.

When I got home I booted it up and started playing around. At one point I tried changing an address and the computer responded, "Supervisor Approval Required" and put a cursor on the screen. Apparently it wanted a password. I tried the one that was used to log into the simulator (which was scribbled on the disk label) but
that didn't work. I scanned through the disk with a file maintenance utility, but could find no text (i.e., hidden pass-word) that I had not already seen.

Now, it occurred to me that address changes were probably something that everyone had to do every once in a while. So why had it asked for a password when I tried to change an address? Ob-viously the program had been designed by your usual paranoid manager who did not trust a recep-tionist to change a name or address by herself.

So I called my favorite receptionist at the com-pany, and after some suave insider gossip about company matters ("So Sheila's a grandma! Was it a boy or a girl?" I had heard her discussing this with a coworker the day I was there), I popped the question: "Gaye, do you know what to type when it says 'Supervisor App'- "
"Oh isn't that silly!" she laughed. "It's really horrible. Type 'morris.' I don't know why they have that there. Nobody's supposed to know about it but we use it every day!" I thanked her and - you know what? -'morris' didn't work as a password on the simulator (I don't think anything did). But it was the password used to get into the actual net-work. Apparently only supervisors were supposed to be able to log on the terminals scattered throughout the offices.

Researching The Hack: Some Unusual Research Methods

They aren't really all that unusual, because after all, anything that works - works!

Any time you get an idea for a new way of discovering more about an online system or the people who run it you should do your best to act on that idea. In the long run every bit of data is potentially useful. Anything you manage to find will either help you get in your present target computer, or get in an-other one some time in
the future.

Besides, it's always a delight to find confidential data or insider secrets about a system. Share that knowledge with other hackers and you will be re-warded with interesting tips that will be beneficial to you. Here are five further research methods: online computer simulators and tutorials; sorting through trash; found disk analysis; examining screenshots; and snooping.

Remember - these research meth-ods work. Use them to your advantage.

Researching The Hack: Collecting Information

Before you begin researching you should know what kind of information you should be trying to find out. There are three topics a hacker should be concerned with: Telecommunications in general, computer systems in general, and specific systems. There is a certain level of understanding you should have about computers,
modems the tele-phone and human nature. Hopefully this"book will prepare you with most of the information in these categories that you will make use of. If not - and I readily admit this is not an all inclusive Bible of the Universe - then go around to some local or special libraries and find out what you need to know.

Maybe there isn't anything you specifically need to know. You will still want to keep up with the latest developments in technology as well as the organizations who run the computers you intend to hack. Even if you think you know everything there is to know, it can be most helpful to do a bit of reading to make sure you really are an expert in your field, especially when dealing with such rap-idly changing fields as computer hardware, soft-ware and telecommunications So go to your local library. Go to the shelves with the computer books, and the shelves with the criminal justice books, and the shelves with the business management books. That's where you'll find the "legit" books about hacking and computer crime. Every once in a while, take out some books on telecommunications and look through them. You want to start getting familiar with the various situations you'll be encountering, so look through books on the different information services, on-line  databases, computer crime, operating systems, BBSs, and anything else that pertains to what you can do with a computer and a modern.

Look up "telecommunications" in the card catalog. Also, security," "computers," "hacking," "telephones," modems," and anything else you can think of that's relevant. Also, remember to look through the books in the reference section; you will find the most useful materials there. Hacking is best learned by doing, but many good tricks and leads can be found in the literature.

By the way, do you know who the biggest book publisher in the world is? The United States government. If your library is a government depository, read through all the relevant government publications that interest you. You'll learn a lot from that stuff.

I'm not saying you should read every book in the library, and I'm certainly not saying you should read all this before you begin your hacking ex-ploits. What I am saying is that very often people don't realize the wealth of information that is available to them free for the asking - no need to hack. And by reading these things you will get familiar with what different computer systems look like when you log onto them. You will get to know the kinds of commands that are available to you, and what formats the systems use for names and pass-words. Also, you will often find toll free numbers listed in these books - lines you can call to test out various systems, or to get information on the sys-tems. All this information will be helpful to you as you proceed.

While you're at the library go to the periodicals section and take out some computer magazines and newspapers. Borrow some that you don't normally read, or that you've never heard of before. It is use-ful to write away for information from the maga-zines, and to send in the Reader Service postcards to get free information.

It's amazing what compa-nies will send you, and it's further amazing to think about all the great tips this information offers to the hacker. I'm now on several perpetual mailing lists from various computer security companies. I know everything I need to know about all their products, their upgrades, what businesses
use their software - and from that information, I can hack my way around their products. Knowing how they go about catching hackers, I know how to avoid getting caught.

Another, sometimes more practical way to use the library is to find out about donated books. Many libraries get donations of books, either for an annual book sale or for their shelves. A lot of those books are old technical and company manuals for computers, software, and operating system proce-dures. The librarians
who deal with donated materials will probably look at this sort of thing and throw it out as useless. If you make friends with them, surely they would prefer giving such 11useless" items to you, rather than discarding them. I've gotten many valuable guidebooks, reference guides, operating systems manuals, and disks this way. I even have a very nice and very current set of AT&T security books.

Sometimes the books you pick up have notes scribbled in the margins or on the cover. My favor-ite note was the one that gave a phone number and group ID access code. The access code had since been deleted, but the phone number still worked and so did the sample visitor's password listed in that manual.

Researching The Hack : Targeting

By targeting, I'm referring to the process by which a hacker will decide which of all possible computer installations to attempt to breach. This may seem like a trivial topic for many reasons, but in fact it is a topic well worth discussing.

Let's suppose you are a rookie at this game. You have gotten - through research of some kind, or just plain luck - a piece of information you feel will be helpful in entering a specific system. For ex-ample, suppose you've discovered through the computer crime grapevine the phone number of a large governmental espionage database. Naturally, it seems reasonable to call the number and see if it actually is what you've heard it to be. On the other hand, it might be better to first research your target to see if it's worth the time and the risk, and the phone bill. Look up the number in a criss-cross telephone directory for that region. Criss-cross directories., which are available at many libraries, are books (usually non-licensed by the phone com-pany) which list the names and addresses that go with phone numbers. Unlike regular phone books, criss-cross directories are sorted by number rather than name. If you can't get this sort of directory, call the operator and ask who the number belongs to. Naturally it is preferable to use a directory on your own, eliminating extraneous interaction with phone company employees ("witnesses"). If the phone number is publicly available, it probably isn't a computer line after all, let alone a secret one.

It may seem crazy to you to go out of your way to look up a number before dialing it, but remem-ber, it is important to get as much information as you can about a system before you make the first call. If it really is a top-secret database, it's reason-able to assume that your call will be traced, or at the very least, will arouse
suspicion. As a novice one tends to get excited with one's first big break -and tends to do stupid, dangerous things. You may not yet have the expertise to alter phone company data, or call from a pay phone, or in some other way make it seem like you are not the person placing the call. The rookie who calls a number of this kind after doing a bit of research might be taking a stupid risk, but that's a few steps higher on the professional hacker's scale than the one who calls without any preparation at all. That's just be-ing stupid, period.

So, as far as targeting is concerned, you may not want to follow up that first big lead right away. It may be preferable to wait awhile, until you have the expertise to do it properly. If you know some-thing about a system no one else knows, it's very likely going to remain a secret unless you spill the beans. If you try to act on your inside knowledge and fail, you are ruining your chances of getting in later, as the system managers might see their mis-takes and correct them.

My word of caution is this: Don't get in over your head. Get familiar with floating on your back before trying to scuba dive for sunken treasure or else you may end up being the one who's sunk.

Targeting also involves other research. What if you do have some exciting secret that will let you get in somewhere? Perhaps you should think about the best way of reaching that system in the first place. For instance, if the system you're stalking is on the Internet, you would have to determine a way to access the Internet disguised as someone else before you could proceed to your main goal. If you are enrolled at a college, or live near one and have access to your own Internet computer account, it is a trifling matter to log mi as yourself and, from there, attempt to connect to other systems. It's not only trifling - it's dumb!

Regardless of whether you have mischief in mind, it's irresponsible and lazy to do hacking logged in as yourself. Before you can move out of the few directories allowed by your minimal access level, you will have to figure out a way to disassociate yourself with what you do. That is - and I can't repeat it enough - you
will have to find a way to connect as somebody else, and through that connection go on to bigger things.

Breaking into major league computer systems is very often a matter of, first, personal hacking, and second, institutional hacking. That is, first you hack a person (figure out a way of masquerading as that person), and then you hack the institution (figure out a way of disguising that person as a legitimate user of the protected system).

Time, money and effort can be spent needlessly on attempts to access systems that ultimately turn out to be dead ends. Maybe your target is a school's computer, because you want to change your grade from an F to A. You may think your target individ-ual would be the dean or some other school head, but as it turns out, in
many instances you would be wrong. School heads often have little or no access to the computers which hold grades, unless they themselves teach classes. In this case you would want to target a professor or more likely, a teaching assistant (T.A.). They're the ones who have to do the actual inputting of grades.

Consequently you would want to research the professor or T.A. to get a handle on what their passwords might be.

Then there's the matter of the computer. Which computer should you target for your hack? Teach-ers, especially in math and computer science courses, will usually tell you their computer ad-dress so you can send them e-mail. But that isn't necessarily where you need to go to change your grade. More likely there is
some hush-hush admin-istrative computer which carries out those func-tions, and it is that computer you would want to hack.

It seems logical to assume that the president of a university has the highest level of computer ac-cess. But does he or she really? Does the president actually have a computer account AT ALL? You're probably better off targeting individual professors. One English teacher I had mentioned Kojak a cou-ple times in class, and on several occasions made references to things that could be interpreted as having some relation to that television show (sometimes he would use phrases that Kojak used in the series). Obviously, Kojak is the place to start if one is interested in forcing one's way into this guy's account (especially since he's an English pro-fessor, and therefore less likely to understand the value of non-real-word passwords). And trying Kojak-related words like "Telly Savalas," "lollipop," "bald," for passwords is the obvious way of per-sonally targeting that English teacher's account. But is he REALLY the one you want to use in the first place? If I had been failing that class and wanted to get into his account to change my grade, Kojak wouldn't have helped me; as far as I was ever able to determine, it was the teaching assistants who had control over the grading, not the profes-sors! This is why it's necessary to target in order to achieve your intended purposes. If you have goals
in mind, do the necessary research to find out if you are targeting the right PEOPLE, as well as the right computers.

Potential targets can often be found by reading publicly available documents about a site. Documents pertaining to "ethical use" of the system, and articles encouraging "preventative security" are often particularly enlightening. For instance, here's a little quote I picked up from an outdated merno-randurn about security policies. This is one sugges-tion taken from a list of what was felt to be necessary improvements in security. By the time I read the article the improvements had already taken place, but thoughts of needing security were long gone from the minds of those who had written the memorandum, and so security was lax. Here's the one suggestion from the list that stuck out: Net 19 must be isolated completely by gateways from PCs and from the broadband.

Terminal server logins must be strictly enforced on all machines. PCs should be implemented which will run software that will monitor the network for signs of misuse andlor unethical usage. Look at the goldmine of information that is given here. We have these suggestions for improvement, so now it should be a simple task to determine which software was purchased to implement the suggestions. From there we can see what the
soft-ware will and will not do, find out about bugs or loopholes, and use other means to discover ways around that software. But most interesting of all (and the point that is related to this discussion of targeting) is the mention of "Net 19." What is Net 19? Obviously it is something that the administra-tion wants to go out of
their way to protect. Clearly it's something well worth hacking. If you had been the hacker to first read these words, clearly Net 19 would be the target of your hack.

Keep in mind that I read this document from a public terminal, without having to log in as any-body. It was accessed from a public information system. It is information available to anybody, and look at the wonderful clue it holds for all who see it! Now, when I read this I didn't know what Net 19 was, but I knew immediately to target all efforts to finding that system and penetrating its security.

This is an example of accidentally found knowl-edge being put to good use. But don't forget - I was reading through every publicly available document for the SOLE PURPOSE of breaking into the system. The specific bit of information I found was accidental, but my finding it wasn't.

In a way, doing this kind of on-line research -exploring every inch of the system available to you before going after the private regions - is a kind of targeting. If your goal is a specific private computer system, target all public systems related to it before you begin. This can only help you in the long run. It might lead to helpful
hints, such as the mention of Net 19, or it might at least familiarize you with various aspects of the system.

Things you should be looking for when you target a public system in this way, with the intent of going after a correlated private system, are: how it handles input and output; if any bugs are present and how the system reacts to them; what the command format is (three letters? control sequence?) and what kinds of commands are available; and machine specifications and hardware. Of course, there are numerous other things you should either be looking for, or will unconsciously be picking up anyway as you look around, like what the visual display is like and how long it takes the computer to process commands. These are things that will be helpful later on, because when you actually are trespassing, you won't want to spend hours trying to find the help command or how to log off.

Targeting may seem not just trivial, but dis-tracting as well. After all, a scientist can analyze a rainbow using specific technical terms that explain what a rainbow is, how it is formed, and why it displays its colors as it does. But in a way, this complicated description of a rainbow is completely unrelated to the rainbow being
described. The ex-planation ignores the beauty of it. The technojargon shuns the poetic connotations that we associate with the rainbow we are so interested in describing.

You may use similar arguments to complain that targeting and pre-thought and planning of hacking attacks distract from the pleasure of the hack itself. If you are a hired hacker you will need to get the job done if you expect to get paid. But otherwise, why should we bother to discipline our-selves with such nonsense as
targeting? You're right! Certainly you're correct! There is no reason to feel obligated to apply these suggestions that I pre-sent. There is no pressing need to think carefully about what you do before you do it, but you should be aware of these things as you start. At least, if you break the rules, you should understand
how following them might have helped.

Targeting specific computers that hold interest to you, and that you are sure hold the information you seek, and targeting people who have specific access levels and abilities - all of this is like ana-lyzing a rainbow and ending up with nothing but gobbledygook. But in the long run, if you really want to end up at a position further
from where you started, if you want to hack for the enjoyment of it and maintain high pleasure levels throughout the endeavor., I suggest you do these things. They will help lessen the amount of frivolous searching and brute-force monotony needed to get in, and will help you stay out of trouble. So, set up a gen-eral plan of action.

Make sure the goals you've out-lined are really the ones that apply to your case. That way you'll know that what you are hackin won't turn out to be a series of blind alleys.

I keep bringing up the point of "intentions," and it goals," but unless you're a private investigator or some sort of muckraker, you're probably willing and happy to break into any computer available any and all opportunities that present themselves. This is fine too, and many hackers are so devoted (fanatical?) in their
pursuits that even if they know a computer system will offer them nothing exciting once they get inside, they persevere because it is the thrill of the break-in itself that drives them.

But as you can well imagine, it is much more in-teresting to break into a system that holds secrets, than one whose contents are worthless to you. Is it worth it to spend months trying to get into a system that contains statistics on the copulation pat-terns of lab rats? (Not unless you happen to have an interest in that sort of
thing.) Choose your targets carefully. Getting into the system is half the fun; once you're inside, the other half can be more exciting.

Researching The Hack

Any serious hack will involve some prepara-tory research long before the hacker sets foot near a computer. This is simply because to hack intelli-gently, one must have knowledge of certain facts and ideas.

With computer hacking, you should obviously have some knowledge about computers and telecommunications (ideas) but to actually carry out a hack requires just one fact: a phone number. Or if not a phone number, at least one way of accessing a computer. Either case requires some research. Once you've called the computer for the first time, some on-line research is required to tell you how you should proceed with the hack. And finally, there is the ongoing research you will do once you've gained access to a system, to help you make full use of the facilities you've conquered. The "after re-search" is discussed in the chapter "What To Do When Inside." For now, let us discuss what to do to get started.