|
+ORC revealed
the best of Zen stalking
|
+ORC's stuff
|
|
20 January 1999
| by
aZh nAZg
|
|
 |
Courtesy of Fravia's page
of
reverse engineering
|
|
Well: helluya of a work! Even if aZh nAZg'style seems to me a little too convoluted (I hope he'll
'polish' a little this and detail better, for instance, his stalking on the archies), there's quite
a lot to learn in here.
This said I actually don't believe (personally) that aZh nAZg's assumptions
are correct.
Yes: "the trail (is) already long cold and well trampled",
as aZh nAZg writes, yet I remember months of passionate stalking (with the Basilisk, +gthorne and
Hackmore+Readrite) where we definitely came to the conclusion that +ORC is dutch. Not German, not
Swede: dutch. And the fact that
a very well known Amiga cracker of the eighties had as a Nickname 'ORC' gave us much to
think (but we found few 'beef' on the Web, unfortunately).
Since +ORC is no more in contact with
anyone of us, unfortunately, there's no way we can finish our stalking (I remember that when he
wrote +gthorne that he was in Cairo (Egypt) for his hyerogliphical cracking, more than one year ago,
I mobilized two egyptian crackers, who went in the CairoMuseum's bar asking if some funny
european fellow had
ordered considerable amounts of wodka-martini's... only to find out that no alcohol is
served there :-(
Yes, +ORC does not publish any more his 'how to crack'
masterpieces... yet he can still be useful for all reversers
as
stalking quarry :-)
I hope, in publishing this essay to open the way for
some other good stalkers that want to improve their skills joining aZh nAZg
in this fascinating
stalking endeavour (a very difficult one now that the trial is cold).
Good luck.
aZh nAZg's
Nosferatu stalking is
an impressive work of art and some of the evidences are quite heavy. Still I don't believe that +ORC is aZh nAZg's Swede: but
this good swiss stalker may be right with the
Idea that the tutorial has been translated from Cezch:
my personal alternative theory is that +ORC is the Petr Horαk that wrote in Prag (in 1982!) the
beautiful utility KGB that you can download on my tools page... Horαk sounds a little
like +ORC, see, and wasn't +ORC himself that wrote that nomen est omen? :-)
|
|
There is a crack,
a crack in
everything
That's how the light gets in
| |
| Rating
|
(*)Beginner ( )Intermediate (
)Advanced (
)Expert
| |
a brief intro to zen in the art of stalking;
elementary search engine
use and search brainstorming
+ORC revealed
the best of Zen stalking
Written by
aZh nAZg
Our mentor: who is s/he? Pray continue, dear reader
and ye shall find
out
indispensable: a working brain
http://www.asite.org/+ORC , hehe
n/a
Who is/was +ORC? A fine problem; perfect for a weeks
contemplation.
The Basilisk and others have already done fine work on
bringing the
issue to resolution. I soon realized that I was
approaching a chase
where the trail was already long cold and well
trampled. Many
brilliant stalkers had already tried all of the
obvious approaches;
there was however, some comfort to be had in that, as
that very fact
suggested that +ORC was either being *very* clever, or
*very* candid.
While in regular stalking the trick is to have a good
dictionary of
synonyms to feed into the search engines, the trick
with Zen stalking
is to have an open mind ('zen mind'), untiring
doggedness, and above
all, to 'psych' oneself into the mindset of one's
quarry.
OK, so, mindset of quarry, now let's see...what do we
know about him?
The Lessons (read and re-read them all several times,
getting a feel
for the language used), the Riddle itself, the URL and
what it points
to, +ORC's mention of it leading to a 'dead' page...
Ok, Riddle: the language used is heraldic, duh. The
quote is from,
well you know already, duh. Some lines are different
than the
original; there's numeric symbology used, could be
something about
shifting bits, adding, replacing numbers in the URL,
after all, he was
an assembly coder...
...nope, he'd be *zen!* too lazy to do that for real.
He'd want us to
*think* we should do that -- mount an exhaustive
search of the Web --
and sit there revelling that he got all dem lamers up
off their butts
and doing something useful. But he's got a great
sense of humor, so
mebbe the heraldic stuff is still a clue, jest a diff
sort of clue.
Save it for lata...
The URL, of course leads into .mil territory, as
trcroute will reveal
(actually it winds up bouncing between two DNSs in
.mil until it dies
out). But as we already know, someone has visited
fravia using that
URL as their (spoofed) IP address, so we know that
it's someone's
calling card. How hard is it to do that? Not very, I
could write the
code from scratch in an hour or so.
So, how about the reference to the 'dead' page? Well,
the obvious
thought is that what that means is a page that's no
longer being
maintained. I would imagine that many folks have
already searched all
available engines for a +ORC directory, with mixed
results (did you
find the Electric Company, in Minsk?). But, I hand
you +ORC's *own
words*: (Lesson 2: '...for those of you that do not
know anything,
here is the ARCHIE way you get all the program that do
EXIST on the
planet:...'). My favorite one is the one in
Oldenburg, Germany
(-oldenburg.de/Docs/net-serv/archie-gate.html).
Let's see...orc.htm...there it
is: www.sics.se/sicskatalog/orc/orc.htm, and hey! orc.gif as well.
Let's see who this is...
Ok, its Lars-Hakan Loenn ... and what's this, his
nickname? 'Orc' ...
well, well ... what does he do...search, search...a
hah! He was a
student at SU (university of Sweden) in 93, and in 94,
and...hmm, not
in 95...where was he in 95...search, search...a Hah!
He's at CalTech,
in the Swedish Club. And he didn't graduate...so he
was an exchange
student ... search, search ... he's into RPG (role
playing games),
specifically Gothic ... search, search ... while at
CalTech lists his
home server as nosferatu.sics.se ... search, search
... lot's of references to Gothic RPG. Save that for later...
Ok, orc.htm -- view source -- nothing interesting
here. Spider
sics.se ... search, search ... ok: Swedish Institute
of Computer
Science ... phone number, building name, a Hah! group
name ... search,
search ... here it is: his name on several of SICS's
web pages as
'Grafik: Loenn'. He's a webmaster. He likes
graphics. He might
think heraldry is kewl, gothic and all that. Hmm.
Search, search ... a hah! He's does marathon runs:
3000m and 5000m,
aka OL, which pardon my german means Orientierungs
Lauf or some such,
just as though he were in the militia at the time ...
c.f. 'possibly
once in the military' reference (forget where, duh).
Ok, so he knows
about encryption, and that .mil servers are off
limits. Hmm.
Ok, dejanews da sucka ... advanced search, 1 Dec 95
thru 1 Jun 96
author +ORC ... whaz dis? 16 Feb 96 : 'see if it
works' by +ORC
posted to alt.test ... see if *what* works? ... where
else doth he
post? Ok, alt.hacker.malicious, makes sense, but,
what's this:
de.org.ccc? whazzat? Ok, hmm, they're talking about
Germany's PTT
trying to regulate Inet access. Why Germany? He's
Swedish ... hmm,
mebbe he wants to go work in Germany when he's done
with school.
Means he must speak fluent German, at the very least
... his English
ain't lousy either ... could have a Dutch parent or
spend time there
on vacation or mebbe grew up there ... when's the
first Lesson? 20
Feb 96 thru 25 Jun 96 ... and what's this? he keeps on
re-posting
stuff - wierd! (tell ye why in a moment, hehe)
Now, dear reader, for some major Zen. Forgive me
while I quote
verbatim a rather lengthy chunk of news thread. You
will benefit from
reading it in its entirety b4 getting to my commentary
(and of course
you can check it out for yourself on dejanews): Posted
18 Feb 96 in
response to a post 15 Feb 96 in alt.hacker.malicious
et al:
"Re: Can you trace where this post came from? No
way!á
Author:
TheAnalyst
Email: TheAnalyst@Nfo.Org
Date: 1996/02/18
Forums: alt.2600, alt.hacker, alt.comp.virus,
alt.anonymous, alt.hack,
alt.hacker.malicious, alt.cracks
Gi_Joe@gi.joe.org (Gi Joe ) wrote:
>On Thu, 15 Feb 1996 23:32:39 GMT, swt@csd.uwm.edu
(Pale Rider)
wrote,
>and said:
>>borg@internet.net (=BORG=) wrote:
>>>So... can you guess where this article came
from?
>>>
>>>Computerz are our best friends. Especially when we
can make them
>>>obediently follow our orders. No, you can't order
to computers. You
can ask
>>>them to do things.
>>>
>>>Best Regardz,
>>>=BORG=
>>>
>>>"...You will be assimilated, resistance is
futile..."
>>
>>Path:
>>uwm.edu!vixen.cso.uiuc.edu!newsfeed.internetmci.com!tank.news.pipex.net!pipex!news.uoregon.edu!news.sol.net!uniserve!van-bc!news.iceonline.com!news.inc.net!news.uoregon.edu!accross.the.wirez!from.somewhere!news.u.washington.edu!uw-beaver!cornellcs!newsstand.cit.cornell.edu!from.myself!do.not.try.to.figure.it.out.reading.the.path
>>From: borg@internet.net (=BORG=)
>>Subject: Can you trace where this post came from? No
way!
>>Approved: borg@internet.net
>>X-Newsreader: Why do you need to know what
newsreader I've got?
>>Sender: Newsposter@iceonline.com (Newsposter)
>>Nntp-Posting-Host: somewhere.on.the.Net
>>Organization: Information should be free Ltd.
>>Message-ID: <0123456789@somewhere.net>
>>Date: Thu, 15 Feb 1996 19:59:36 GMT
>>
>>Newsgroups: alt.2600
>>Path:
>>uwm.edu!vixen.cso.uiuc.edu!newsfeed.internetmci.com!in1.uu.net!van-bc!news.iceonline.com!Newsposter
>>From: <unknown@net.com> (unknown)
>>Subject: test, do not read
>>X-Newsreader: WinVN 0.92.6+
>>Sender: Newsposter@iceonline.com (Newsposter)
>>Nntp-Posting-Host: ns.iceonline.com
>>Organization: -
>>Message-ID: <DMu2CB.9Bw@iceonline.com>
>>Date: Thu, 15 Feb 1996 20:02:35 GMT
>>Lines: 3
>>
>>I'm going to guess "ns.iceonline.com"
>>
>>"I'm not against the police, I'm just afraid of
them." -Alfred
Hitchcock
>You missed the whole point of =BORG's= point . All
you are doing
is
>quoting the headers he WANTS you to see.
You are correct
>ns.iceonline.com is not traceable, nor is any of the
other stuff he
WRONG! ^^^^^^^^^^^^^
>has; the NNTP is phony, as well as message ID.
>You need to have access to a newsserver to do this.
Either =BORG= or
Or a remailer.
>knows someone (his or her ISP) that will do this for
him (or her).
>Notice the last thing =BORG= says: "You can ASK them
to do things"
>Right =BORG=
>===
>GIJ
>===
Don't forget. the mentality of the poster should be
taken into
account. No
real hacker is going to post something like "Trace
me!". Only someone
that
wants to show off to their friends. So we have it
generally limited to
"netcom.com", "ix.netcom.com", "aol.com", "gnn.com",
"cris.com" (This
is a
generalization of course).
Next we look at the "PATH:" which is completely
useless. as is NNTP
posting host field. So we turn to more unorthodoxed
methods. His
sig. . .
He put "BORG" in his sig well that is a helper. We go
to one of many
online
"411" type services and search for "borg" starting
with the entire
internet. If that brought too many people then we
look at the survers
listed above. But since this left approximately 4
entries from the
entire internet we convert the e-mail address to visit
their
homepages. . .
We then look at the home pages to see who has the
mentality AND the
expertise to use an anon remailer and to broadcast
that they are using
one. This brings it down to one person.
NOTE: The method above is not exactly tracing but
hey, it works 99.9%
of the time. And usually works against the anon
remailer posters.
Should I post his location so you people can shut up
about this?
he is at "ix.netcom.com"
I can post his entire e-mail address, but I don't
think he would like
getting
requests about how he did it.
I KNOW HOW TO TRACE! SO SHUT UP about the above
method!
Can I assume that "iceonline.com" is a remailer? I
will have to check
my list
of remailers. Need to find my list first though. Oh,
well the method
above
works even if the person didn't use an anon
remailer.
--
Why should I hide my domain? I am doing nothing
illegal.
NewBies, to find information go to:
pubweb.nexor.co.uk/public/cusi/cusi.html
pick a search engine, preferably Lycos
and use common sense in the key words.
Remember hackers don't need this kind of common sense
help.
NEVER post underground URLz or FTPz."
Are you still there? Did you survive that? So, what
do you think --
is +ORC more like 'BORG', or is he more like 'The
Analyst'? To my
taste, he's more like BORG. Why do a test in
alt.test, IF HE KNOWS
HOW TO HACK?? Why keep re-posting to news, rather
than e-mail ppl
direct? Why publish at all? Why publish EVERYTHING
in just 4 months?
I don't think we're looking at a 'leet hacker here.
I think the guy
that posted the Lessons was an amateur, that he found
them somewhere
and decided to post, and that he had a 'socialist'
agenda regarding
'for profit' and distribution of goods. (Well, Sweden
*is* socialist,
after all). So, let's redefine the problem: are we
looking for Able,
that wrote the Lessons, or Baker that published them?
Now, I speak fluent English, German and French, and
can read pages
written in Dutch, Swedish, Italian, Spanish and pig
latin ( comes from
having been in prep in Switzerland; veni vidi vici et
al). Those
Lessons read like a translation to English from
(possibly) German, or
even maybe Czech. My guess is, +ORC found the Lessons
on fido, or in
eastern europe, and translated them, or mebbe got them
via CalTech
while he was studying there. I did a quick scan of
all threads in
alt.hacker.malicious during the end of 95 and early
96, to see who if
any stopped posting once +ORC started. There are
several; take your
pick. It t'ain't Destrukto cuz Destrukto still
operates a site today
as Destrukto. Noone on aol.com's a good bet, c.f. 'The
Analyst' s comments above :). Btw, nfo.org is 'National Farmers
Organisation", hehe.
Assuming this zen reasoning is correct (and i have no
good reason to
doubt my own intuition, hehe), we will probably
*never* find out who
authored the Lessons, unless we can find them
somewhere with file
dates prior to Feb 96. But I have great hopes of
finding +ORC
himself. For I know, he's into Gothic, and Graphics.
Search, search
... here it is:
Nosferatu himself:
http://www.geocities.com/TimesSquare/Stadium/9490.
In his email he speaks of further riddles, so let's
see. We know they
won't be 'leet, or on par with the Lessons (was he too
lazy to answer,
or just didn't know?), so they shouldn't be too hard
to crack ... :)
Ok, on index.htm:
- '...and sword-shaped toothpicks from a dry
martini...'
- 'Last, and most importantly for the purposes of this
site: The
nosferatu are potent information- gatherers,
managing to gain
access to just about everything.'
- 'all is not as it appears'
Sounds like the +ORC we know and love, no? Hmm.
Here, the page owner
is soliciting help from ne1 who knows some javascript.
Guess +ORC
decided to 'help' out a bit, no? And put some
Orc-isms in while he
was at it.
Did you find the 'secret' door yet? I knew you would
:). Here is the
passage: 'So, you think your a good nosferatu just
because you found
the secret 'door'... Anyone with half a brain could
have figured that
out. OK, so you're bright enough to know that not
everything is as it
appears. Good for you.'
That 'good for you' is straight out of the Lessons, is
it not? Which
it would be if +ORC had translated them, for they
would then be in his
idiom of choice. Things are still making sense.
Ooooh! Heres a
Login script! Oh no! It's booby trapped! Re:
"Also for reference, this is impossible for mortals to
hack. If they
do successfully hack it, the site shuts down for a
week and changes
are made to prevent it from happening again. Also, it
will mess with
their computer so much that they couldn't hack it
again if they wanted
to. It uploads a virus to any computer that attempts
to access it.
The virus allows complete access to all files on that
persons
computer. It downloads all of their files to the
creator of the site,
right before it deletes al of them and even destroys
their hardware.
Only registered nosferatu have the anti-virus program.
It is highly
unlikely that anyone could program an adequate
anti-virus program
becaus hidden with the first virus (if it is disabled)
then a second
virus will activate and just erase all of their files
(starting with
their anti-virus). The masquerade is perfectly
protected."
I'm sooo scared. Let's look at that script...
now, i don't feel *too* bad, cuz fravia dunno howto quote script either :)...
>!--
thispage="verify2.htm"
if (getcookie("lastvisit")!=null)
{ user=username+"#"+accesslevel+"$"+numsub
setcookie(user)
document.clear()
document.writeln("\>H1\<User verification\>/H1\<")
document.writeln("You must log in with a registered username and password")
document.writeln(">FORM NAME='myform'<")
document.writeln("Username: >INPUT TYPE=TEXT SIZE=20
NAME='username'<>BR<")
document.writeln("Password: >INPUT TYPE=PASSWORD SIZE=20
NAME='password'<>BR<>input type=hidden
name='access' size=3 value='"+accesslevel+"'<>input
type=hidden name=num size=3 value='"+numsub+"'<")
document.writeln(">br<>br<>INPUT TYPE='BUTTON'
VALUE='Submit' onClick=authorize()<>INPUT TYPE='reset'
VALUE='Clear'<>input type=button value='Delete Access Account'
onclick=deletecookie('lastvisit')<>/form<>p<")
document.writeln(">a href='apply.htm'<Click here if you want to apply
for usage of the NOSNET>/a<")
}
else
{
document.clear()
document.writeln(">H1<User verification>/H1<")
document.writeln("You must log in with a registered username and password")
document.writeln(">FORM NAME='myform'<")
document.writeln("Username: >INPUT TYPE=TEXT SIZE=20
NAME='username'<>BR<")
document.writeln("Password: >INPUT TYPE=PASSWORD SIZE=20
NAME='password'<>BR<>input type=hidden name='access'
size=3 value='#E3'<>input type=hidden name=num size=3
value='$0'<")
document.writeln(">br<>br<>INPUT TYPE='BUTTON' VALUE='Submit'
onClick=authorize(),setcookie(this.form.username.value+this.form.access.value+this.form.num.value)<
>INPUT TYPE='reset' VALUE='Clear'<>P<")
document.writeln(">a href='apply.htm'<Click here if you want to apply
for usage of the NOSNET>/a<")
}
// -->
So, where does 'authorize()' live? Why, in
userdata.js, of course:
<!--
function setcookie(name)
{
today=new Date()
document.cookie="lastvisit="+escape(today)+"_"+name+";expires=01-Jan-2000"
}
function getcookie(name)
{
var namestr = name+"="
var namelen = namestr.length
var cooklen = document.cookie.length
var i=0
while (i>cooklen)
{var j=i+namelen
if (document.cookie.substring(i,j)==namestr)
{ endstr = document.cookie.indexOf (";",j)
if (endstr==-1) {endstr=document.cookie.length}
tempstr = unescape(document.cookie.substring(j,endstr))
username = tempstr.substring(tempstr.indexOf("_")+1,
tempstr.indexOf("#"))
accesslevel=tempstr.substring(tempstr.indexOf("#")+1,
tempstr.indexOf("$"))
numsub = tempstr.substring(tempstr.indexOf("$")+1,tempstr.length)
numsub = eval(numsub)
return tempstr
}
i=document.cookie.indexOf(" ",i)+1
if (i==0) break
}
return null
}
function deletecookie(name)
{
var expdate=new Date()
expdate.setTime (expdate.getTime()-1000000000)
document.cookie=name+"="+getcookie(name)+";expires="+expdate.toGMTString()
location="verify2.htm"
}
function steller(form) {
location="steller.htm"
}
function surfto(form) {
ident=document.forms[0].username.value
location="agent.htm?user="+ident+"";
}
function sysadmin(form) {
location="admin.htm";
}
function authorize() {
if (document.myform.username.value == 'Thomas Hastings' &&
document.myform.password.value == "0000000000") {
sysadmin(this.form)
return true
}
if (document.myform.username.value == 'Malthus' &&
document.myform.password.value == '8478691725') {
surfto(this.form)
return true
}
if (document.myform.username.value == '`Spider' &&
document.myform.password.value == '209.42.128.3') {
surfto(this.form)
return true
}
if (document.myform.username.value == 'ACE' &&
document.myform.password.value == '****'){
sysadmin(this.form)
return true
}
if (document.myform.username.value == 'Luto' &&
document.myform.password.value == '7733271036') {
surfto(this.form)
return true
}
if (document.myform.username.value == 'Miette' &&
document.myform.password.value == '7734041868') {
surfto(this.form)
return true
}
alert('Your username or password is incorrect. Access denied.')
return true
}
--<
Gee, that's one major protection scheme he's got goin'!
So, just for the exercise, log in as admin, and create a user with
nicely high access privileges (ye can figger out what the letter
codes are, sure ye can!), and go view that nice rumor database! Piece
of cake.
Paranoia sets in. What if +ORC really *is* an elite
cracker? What if that page is merely a smokescreen, and there are other
pages hidden on that site? What if i'm wrong? Go figure :-)
Rumor has it there exists a site called Old Red's
Crackers. My contact thought she had seen it in domain .ca, but she
couldn't remember - it had been too long ago.
I wont even
bother explaining you
that you should BUY this explanation without
thinking about
it...
You are deep inside fravia's page of reverse engineering,
choose your way out:
homepage
links
search_forms
+ORC
how to protect
academy database
reality cracking
how to search
javascript wars
tools
anonymity academy
cocktails
antismut CGI-scripts
mail_fravia+
Is reverse engineering legal?