lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20070525133651.142CFC3820@mailserver10.hushmail.com>
Date: Fri, 25 May 2007 09:36:50 -0400
From: <auto294156@...hmail.com>
To: <full-disclosure@...ts.grok.org.uk>
Cc: 
Subject: PHRACK 64: PHRACK WORLD NEWS

             _                                                _
            _/B\_                                            _/W\_
            (* *)            Phrack #64 file 3               (* *)
            | - |                                            | - |
            |   |            Phrack World News               |   |
            |   |                                            |   |
            |   |   compiled by The Circle of Lost Hackers   |   |
            |   |                                            |   |
            |   |                                            |   |
            (____________________________________________________)



The Circle of Lost Hackers is looking for any kind of news related 
to
security, hacking, conference report, philosophy, psychology, 
surrealism,
new technologies, space war, spying systems, information warfare, 
secret
societies, ... anything interesting! It could be a simple news with 
just
an URL, a short text or a long text. Feel free to send us your news.

Again, we need your help for this section. We can't know everything,
we try to do our best, but we need you ... the scene needs you...the
humanity needs you...even your girlfriend needs you but should 
already
know this... :-)


1. Speedy Gonzales news
2. One more outrage to the freedom of expression
3. How we could defeat the Orwellian Narus system
4. Feeling safer in a spying world
5. D-Wave computing demonstrates a quantum computer

--------------------------------------------


--[ 1.

 _____                     _
/  ___|                   | |
\ `--. _ __   ___  ___  __| |_   _
 `--. \ '_ \ / _ \/ _ \/ _` | | | |
/\__/ / |_) |  __/  __/ (_| | |_| |
\____/| .__/ \___|\___|\__,_|\__, |
      | |                     __/ |
      |_|                    |___/
 _____                      _
|  __ \                    | |
| |  \/ ___  _ __  ______ _| | ___  ___
| | __ / _ \| '_ \|_  / _` | |/ _ \/ __|
| |_\ \ (_) | | | |/ / (_| | |  __/\__ \
 \____/\___/|_| |_/___\__,_|_|\___||___/
 _   _
| \ | |
|  \| | _____      _____
| . ` |/ _ \ \ /\ / / __|
| |\  |  __/\ V  V /\__ \
\_| \_/\___| \_/\_/ |___/



-Speedy News-[ There is no age to start hacking ]--

http://www.dailyecho.co.uk/news/latest/display.var.
1280820.0.how_girl_6_hacked_into_mps_commons_computer.php



-Speedy News-[ Eeye hacked ? ]--

  snapshot.



-Speedy News-[ Anarchist Cookbook ]--

   The anarchist cookbook version 2006, be careful...

http://www.beyondweird.com/cookbook.html



-Speedy News-[ Is Hezbollah better than Israeli militants? ]--

http://www.fcw.com/article96532-10-19-06-Web



-Speedy News-[ How to be secure like an 31337 DoD dude ]--

https://addons.mozilla.org/en-US/firefox/addon/3182



-Speedy News-[ Hi I'm Skyper, ex-Phrack and I like Phrack's design! 
]--

http://conf.vnsecurity.net/cfp2007.txt



-Speedy News-[ The most obscure company in the world ]--

http://www.vanityfair.com/politics/features/2007/03/spyagency200703?
printable=true&currentPage=all

A "MUST READ" article...



-Speedy News-[ Terrorism excuse Vs freedom of information ]--

http://www.usatoday.com/news/washington/2007-03-13-archives_N.htm



-Speedy News-[ Zero Day can happen to anyone ]--

http://www.youtube.com/watch?v=L74o9RQbkUA



-Speedy News-[ NSA, contractors and the success of failure ]--

http://www.govexec.com/dailyfed/0407/040407mm.htm



-Speedy News-[Blood, Bullets, Bombs, and Bandwidth ]--

http://rezendi.com/travels/bbbb.html



-Speedy News-[ The day when the BCC predicted the future ]--

http://www.prisonplanet.com/articles/february2007/260207building7.ht
m



-Spirit News-[ Just because we like these websites ]--

http://www.cryptome.org/
http://www.2600.com/




--[ 2. One more outrage to the freedom of expression
		by Napoleon Bonaparte


The distribution of a book containing a copy of the Protocols of
the Elders of Zion was stopped in Belgium and France by Israeli 
lobbyists.

The authors advance that the bombing of the WTC could be in 
relation with
Israel. It's not the good place to argue about this statement, but 
what
is interesting is that 6 years after 11/09/01 we read probably more 
than
100 theories about the possible authors of WTC bombing: Al Qaeda, 
Saoudi
Arabia, Irak (!) or even Americans themselves. But this book 
advances the
theory that _maybe_ there is something with Israel and the 
diffusion is
forbidden, just one month after its release.

Before releasing this book, the Belgian association antisemitisme.be
read it to give his opinion. The result is apparent: the book is not
antisemitic. The only two things that could be antisemitic in this 
book
are:

- the diffusion of "The Protocols of the Elders of Zion" in the 
annexe
of the book. If you take a look on Amazon, you can find more than
30 books containing The Protocols.

- the cover of the book which show the US and Israeli flags linked 
with a
bundle of dollars.

Actually you can find the same kind of picture on the website of the
Americo-Israeli company Zionoil: http://www.zionoil.com/ . And the
cover of the book was designed before the author found the same 
picture on
Zionoil's website.

Also, something unsettling in this story is that the book was 
removed
on the insistence of a Belgian politician: Claude Marinower. And on 
the
website of this politician, we can see him with Moshe Katsav who is 
the
president of Israel and recently accused by Attorney General Meni 
Mazuz
for having committed rape and other crimes...

http://www.claudemarinower.be/uploads/ICJP-israelpresi.JPG

So why the distribution of this book was banned? Because the 
diffusion of
"The Protocols of the Elders of Zion" is dangerous? Maybe but...

You can find on Internet or amazon some books like "The Anarchist
Cookbook" which is really more "dangerous" than the "The Protocols 
of
the Elders of Zion".  In this book you can find some information 
like how
to kill someone or how to make a bomb. If we have to give to our 
children
either "The Anarchist Cookbook" or "The Protocols of the Elders of 
Zion",
I'm sure that 100% of the population will prefer to give "The 
Protocols
of the Elders of Zion". Simply because it's not dangerous.

So why? Probably because there are some truth in this book.

The revelations in this book are not only about 11/09/2001 but also 
about
the Brabant massacres in Belgium from 1982 to 1985. The authors 
advances
that these massacres were linked to the GLADIO/stay-behind network.

As Napoleon Bonaparte said: "History is a set of lies agreed upon".

He was right...


[1]
http://www.antisemitisme.be/site/event_detail.asp?language=FR&eventI
d
=473&catId=26

[2] http://www.ejpress.org/article/14608

[3]
http://www.wiesenthal.com/site/apps/nl/content2.asp?c=fwLYKnN8LzH&b
=245494&ct=2439597

[4]
http://www.osservatorioantisemitismo.it/scheda_evento.asp?number=106
7&
idmacro=2&n_macro=3&idtipo=59

[5] http://ro.novopress.info/?p=2278

[6] http://www.biblebelievers.org.au/przion1.htm



--[ 3. How we could defeat the Orwellian Narus system
		by Napoleon Bonaparte


AT&T, Verizon, VeriSign, Amdocs, Cisco, BellSouth, Top Layer 
Networks,
Narus, ... all theses companies are inter-connected in our wonderful
Orwellian world. And I don't even talk about companies like Raytheon
or others involved in "ECHELON".

That's not new, our governments spy us. They eavesdrop our phones
conversation, our Internet communications, they take beautiful
photos of us with their imagery satellites, they can even see 
through
walls using satellites reconnaissance (Lacrosse/Onyx?), they install
cameras everywhere in our cities (how many cameras in London???),
RFID tags are more and more present and with upcoming technologies 
like
nanotechnologies, bio-informatics or smartdusts system there is 
really
something to worry about.

With all these systems already installed, it's utopian to think that
we could come back to a world without any spying system. So what we
can do ? Probably not a lot of things. But I would like to propose a
funny idea about NARUS, the system allowing governments to eavesdrop
citizens Internet communications.

This short article is not an introduction to Narus. I will just give
you a short description of its capacities. A more longer article
could be written in a next release of Phrack (any volunteer?). So
Narus is an American company founded in 97. The first work of NARUS
was to analyze IP network traffic for billing purpose. In order to
accomplish this they have strongly contributed to the 
standardization
of the IPDR Streaming Protocol by releasing an API Code [1] (study 
this
doc, it's a key to break NARUS). Nowadays, Narus is also included in
what I will call the "spying business". According to their authors,
they can collect data from links, routers, soft switches, IDS/IPS,
databases, ..., normalize, correlate, aggregate and analyze all 
these
data to provide a comprehensive and detailed model of users, 
elements,
protocols, applications and networks behaviors. And the most 
important:
everything is done in real time. So all your e-mails, instant 
messages,
video streams, P2P traffic, HTTP traffic or VOIP can be monitored. 
And
they doesn't care about which transmission technology you use, 
optical
transmission can also be monitored. This system is simply amazing 
and 
we should send our congratulations to their designers. But we 
should 
also send our fears...

If we want to block Narus, there is an obvious way: using
cryptography. Nowadays, it's quite easy to send an encrypted email. 
You
don't even have to worry about your email client, everything it's
transparent (once configured). The problem is that you need to give
your public key to your interlocutor, which is not really "user
friendly". Especially if the purpose is simply to send an email to
your girlfriend. But it's still the best solution to block a system
like Narus. Another way to block Narus is to use steganography, but
it's more complicate to implement.

In conclusion, there is no way to stop totally a system like Narus 
and
the only good way to block it is to use cryptography. But we, 
hackers,
we can do something against Narus. Something funny. The idea is the
following: we should know where a Narus system is installed!

First step. An organization, a country or simply someone should buy
a Narus system and reverse it. There are a lot of tools to reverse a
system, free or commercial. Since the purpose of Narus is to analyze
data, the main task is parsing data. And we know that systems 
parsing
data are the most sensitive to bugs. So a first idea could be to 
fuzzing
it with random requests and if it doesn't work doing some 
reversing. Once
a bug is detected (and for sure, there IS at least one bug), the 
next
step is to exploit it. Difficult task but not impossible. The most
interesting part is the next one: the shellcode.

There are two possibilities, either the system where Narus is 
installed
has an outgoing Internet connexion or there isn't an outgoing 
Internet
connexion. If not, the shellcode will be quite limited, the "best"
idea is maybe just to destroy the system but it's not useful. What 
is
useful is when Narus is installed on a system with an outgoing 
Internet
connexion. We don't want a shell or something like that on the 
system,
what we want is to know where a Narus system is installed. So what 
our
shellcode has to do is just to send a ping or a special packet to a
server on Internet to say "hello a Narus is installed at this 
place". We
could hold a database with all the Narus system we discover in the 
world.

This idea is probably not very difficult to implement. The only bad
thing is if we release the vulnerability, it won't take a long time 
to
Narus to patch it.

But after all, what else can we do?

Again, as Napoleon said: "Victory belongs to the most persevering".

And hackers are...


[1] http://www.ipdr.org/public/DocumentMap/SP2.2.pdf


--[ 4. Feeling safer in a spying world
		by Julius Caesar


At first, it's subtle. It just sneaks up on you. The only ones who
notice are the paranoid tinfoil hat nutjobs -- the ones screaming 
about
conspiracies and big brother. They take a coincidence here and a 
fact
from over there and come up with 42. It's all about 42.

We need cameras at ATM machines, to catch robbers and muggers. 
Sometimes
they even catch a shot of the Ryder truck driving by in the 
background. 
People get mugged in elevators, so we need some cameras there too. 
Traffic can be backed up for a while before the authorities notice, 
so 
let's have some cameras on the highway. Resolution gets better, and 
we 
can catch more child molestors and terrorists if they can record 
license 
plates and faces.

Cameras at intersections catch people running red lights and
speeding. We're getting safer every day.

Some neighborhoods need cameras to catch the hoods shooting each
other. Others need cameras to keep the sidewalks safe for shoppers. 
It's
all about safety.

Then one day, the former head of the KGIA is in charge, or arranges
for his dimwitted son to fuck up yet again as president of 
something.

Soon, we're at war. Not with anyone in particular. Just Them. You're
either with us, or you're with Them, and we're gonna to git Them.

Our phone calls need to me monitored, to make sure we're not one
of Them. Our web browsing and shopping and banking and reading and
writing and travel and credit all need to be monitored, so we can 
catch
Them. We'll need to be seached when travelling or visiting a 
government
building because we might have pointy metal things or guns on us. We
don't want to be like Them.

It's important to be safe, but how can we tell if we're safe or 
not? What
if we wonder into a place with no cameras? How would we know? What 
if
our web browsing isn't being monitored? How can we make sure we're 
safe?

Fortunately, there are ways.

Cameras see through a lens, and lenses have specific shapes with 
unique
characteristics. If we're in the viewing area  of a camera, then we
are perpendicular to a part of the surface of the lens, which 
usually
has reflective properties. This allows us to know when we're safely 
in
view of a camera.

All it takes is a few organic LEDs and a power supply (like a 9V
battery). Arrange the LEDs in a circle about 35mm in diameter, and 
wire
them appropriately for the power supply. Cut a hole in the center of
the circle formed by the LEDs.

Now look through the hole as you pan around the room. When you're
pointing at a lens, the portion of the curved surface of the lens 
which
is perpendicular to you will reflect the light of the LEDs directly
back at you. You'll notice a small bright white pinpoint. Blink the
LEDs on and off to make sure it's reflecting your LEDs, and know 
that
you are now safer.

Worried that your Internet connection may not be properly monitored
for activity that would identify you as one of Them? There are ways 
to
confirm this too.

Older equipment, such as carnivore or DCS1000 could often be 
detected
by traceroute, which would show up as odd hops on your route to the
net. As recently as 2006, AT&T's efforts to keep us safe showed up 
with
traceroute. But the forces of Them have prevailed, and our 
protectors
were forced to stop watching our net traffic. Almost. We can no 
longer
feel safe when seeing that odd hop, because it doesn't show up on
traceroute anymore.

It will, however, show up with ping -R, which requests every machine
to add its IP to the ping packet as it travels the network.

First, do a traceroute to find out where your ISP connects to the 
rest
of the net;

[snip]
 5  68.87.129.137 (68.87.129.137)  28.902 ms  14.221 ms  13.883 ms
 6  COMCAST-IP.car1.Washington1.Level3.net (63.210.62.58)  19.833 
ms *
 21.768 ms
 7  te-7-2.car1.Washington1.Level3.net (63.210.62.49)  19.781 ms  
19.092
 ms  17.356 ms

Hop #5 is on comcast's network. Hop #6 is their transit provider. We
want to send a ping -R to the transit provider
(63.210.62.58);

[root@...ack root]# ping -R 63.210.62.58
PING 63.210.62.58 (63.210.62.58) from XXX.XXX.XXX.XXX : 56(124) 
bytes
of data.
64 bytes from 63.210.62.58: icmp_seq=0 ttl=243 time=31.235 msec
NOP
RR:	[snip]
	68.87.129.138
	68.86.90.90
	4.68.121.50
	4.68.127.153
	12.123.8.117

117.8.123.12.in-addr.arpa. domain name pointer
sar1-a360s3.wswdc.ip.att.net.

An AT&T hop on Level3's network? Wow, we are still safely under the
watchful eye of our magnificent benevolent intelligence agencies. I
feel safer already.



--[ 5. D-Wave demonstrates a quantum computer
	     by aris

February the 13'th, 2007, Wave computing made a public demonstration
of their brand-new quantum computer, which could be a revolution in 
computing and in cryptography in general. The demonstration took 
place at Mountain View, Silicon Valley, though the quantum computer 
itself was left at Vancouver, remotely connected by Internet.

The Quantum computer is a hybrid construction of classical 
computing and
a quantum "accelerator" chip: The classical computer makes the 
ordinary
operations, isolates the complicate stuff, prepare it to be 
processed
by the quantum chip then gives back the results. The whole mechanism
is meant to be usable over networks (with RPC) to be accessible for
companies that want a quantum computer but can't manage to handle it
at their main office (The hardware has special requirements). [1]

The quantum chip is a 16 Qbits engine, using superconductiong
electronics.

Previous tries to do quantum computers were made previously, none 
of them
known to have more than 3 or 4 Qbits. D-Wave also pretends being 
able
to scale that number of Qbits up to 1024 in 2008 ! That fact made a 
lot
of people in scientific area skeptic about the claims of D-Wave. 
The US
National Aeronautics and Space Administration (commonly known as 
NASA)
confirmed to the press that they've built the special chip for D-
Wave
conforming their specifications. [2]

Now, how does the chip works ? D-Wave hasn't released that much 
details
about the internals of their chip. They have chosen the 
superconductor
because it makes easier to exploit quantum mechanics. When atoms 
are 
very cold (approaching the 0K), they transform themselves into 
superconducting atoms. They have special characteristics, including 
the 
fact their electrons get a different quantum behaviur.

In the internals, the chips contains 16 Qbits arranged in a 4x4 
grid,
each Qbit being coupled with its four immediate neighbors and some 
in
the diagonals. [3]

The coupling of Qbits is what gives them their power : a Qbit is
believed to be at two states at same time. When coupling two Qbits,
the combination of their state contains four states, and so on.
The more Qbits are coupled together, the more possible number of 
states
they have, and when working an algorithm on them, you manipulate all
of their states at once, giving a very important performance boost. 
By
its nature, it may even help to resolve NP-Complete problems, that 
is,
problems that cannot be resolved by polynomial algorithms (we think
of large sudoku maps, multivariate polynomial systems, factoring 
large
integers ...).

Not coupling all of their Qbits makes their chip easier to build and
to scale, but their 16Qbits computer is not equal to the 
theoretical 16
Qbits computers academics and governments are trying to build for 
years.

The impact of this news to the world is currently minimal. Their 
chips
currently work slower than a low-range personal computer and costs
thousands of dollars, but maybe in some years it will become a real
solution for solving NP problems.

The NP problem that most people involved in security know is 
obviously
the factoring of large numbers. We even have a proof that it exists
a *linear* algorithm to factorize a multiple of two large integers,
it is named Shor's algorithm. It means when we'll have the hardware
to run it, factorizing a 1024 bits RSA private key will only take 
two
times the time needed to factorize a 512 bits key.

It completely destroys the security of the public cryptography as we
know it now.
Unfortunaly, we have no information on which known quantum 
algorithms
run on D-Wave computer, and D-Wave made no statement about running
Shor's algorithm on their beast. Also, no claim have been given 
letting
us think the chip could break RSA. And for sure, NSA experts 
probably
already studied the situation (in the case they don't already own 
their
own quantum computer).

References:

[1] http://www.dwavesys.com/index.php?page=quantum-computing
[2] http://www.itworld.com/Tech/3494/070309nasaquantum/index.html
[3] http://arstechnica.com/articles/paedia/hardware/quantum.ars

--
Best Commodity Trading Platform - Free Tools. Click Now!
http://tagline.hushmail.com/fc/CAaCXv1KfUS6Z1ptEXNTHEkvEbkHLqtZ/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ