|
+ORC revealed
the best of Zen stalking
|
+ORC's stuff
|
|
20 January 1999
| by
aZh nAZg
|
|
 |
Courtesy of Fravia's page
of
reverse engineering
|
|
Well: helluya of a work! Even if aZh nAZg'style seems to me a little too convoluted (I hope he'll
'polish' a little this and detail better, for instance, his stalking on the archies), there's quite
a lot to learn in here.
This said I actually don't believe (personally) that aZh nAZg's assumptions
are correct.
Yes: "the trail (is) already long cold and well trampled",
as aZh nAZg writes, yet I remember months of passionate stalking (with the Basilisk, +gthorne and
Hackmore+Readrite) where we definitely came to the conclusion that +ORC is dutch. Not German, not
Swede: dutch. And the fact that
a very well known Amiga cracker of the eighties had as a Nickname 'ORC' gave us much to
think (but we found few 'beef' on the Web, unfortunately).
Since +ORC is no more in contact with
anyone of us, unfortunately, there's no way we can finish our stalking (I remember that when he
wrote +gthorne that he was in Cairo (Egypt) for his hyerogliphical cracking, more than one year ago,
I mobilized two egyptian crackers, who went in the CairoMuseum's bar asking if some funny
european fellow had
ordered considerable amounts of wodka-martini's... only to find out that no alcohol is
served there :-(
Yes, +ORC does not publish any more his 'how to crack'
masterpieces... yet he can still be useful for all Fravias
as
stalking quarry :-)
I hope, in publishing this essay to open the way for
some other good stalkers that want to improve their skills joining aZh nAZg
in this fascinating
stalking endeavour (a very difficult one now that the trial is cold).
Good luck.
aZh nAZg's
Nosferatu stalking is
an impressive work of art and some of the evidences are quite heavy. Still I don't believe that +ORC is aZh nAZg's Swede: but
this good swiss stalker may be right with the
Idea that the tutorial has been translated from Cezch:
my personal alternative theory is that +ORC is the Petr Horāk that wrote in Prag (in 1982!) the
beautiful utility KGB that you can download on my tools page... Horāk sounds a little
like +ORC, see, and wasn't +ORC himself that wrote that nomen est omen? :-)
|
|
There is a crack,
a crack in
everything
That's how the light gets in
| |
| Rating
|
(*)Beginner ( )Intermediate (
)Advanced (
)Expert
| |
a brief intro to zen in the art of stalking;
elementary search engine
use and search brainstorming
+ORC revealed
the best of Zen stalking
Written by
aZh nAZg
Our mentor: who is s/he? Pray continue, dear reader
and ye shall find
out
indispensable: a working brain
http://www.asite.org/+ORC , hehe
n/a
Who is/was +ORC? A fine problem; perfect for a weeks contemplation.
The Basilisk and others have already done fine work on bringing the
issue to resolution. I soon realized that I was approaching a chase
where the trail was already long cold and well trampled. Many
brilliant stalkers had already tried all of the obvious approaches;
there was however, some comfort to be had in that, as that very fact
suggested that +ORC was either being *very* clever, or *very* candid.
While in regular stalking the trick is to have a good dictionary of
synonyms to feed into the search engines, the trick with Zen stalking
is to have an open mind ('zen mind'), untiring doggedness, and above
all, to 'psych' oneself into the mindset of one's quarry.
OK, so, mindset of quarry, now let's see...what do we know about him?
The Lessons (read and re-read them all several times, getting a feel
for the language used), the Riddle itself, the URL and what it points
to, +ORC's mention of it leading to a 'dead' page...
Ok, Riddle: the language used is heraldic, duh. The quote is from,
well you know already, duh. Some lines are different than the
original; there's numeric symbology used, could be something about
shifting bits, adding, replacing numbers in the URL, after all, he was
an assembly coder...
...nope, he'd be *zen!* too lazy to do that for real.
He'd want us to *think* we should do that -- mount an exhaustive
search of the Web -- and sit there revelling that he got all dem lamers up
off their butts and doing something useful. But he's got a great
sense of humor, so mebbe the heraldic stuff is still a clue, jest a diff
sort of clue. Save it for lata...
The URL, of course leads into .mil territory, as
trcroute will reveal
(actually it winds up bouncing between two DNSs in
.mil until it dies
out). But as we already know, someone has visited Fravia using that
URL as their (spoofed) IP address, so we know that
it's someone's
calling card. How hard is it to do that? Not very, I
could write the
code from scratch in an hour or so.
So, how about the reference to the 'dead' page? Well, the obvious
thought is that what that means is a page that's no longer being
maintained. I would imagine that many folks have already searched all
available engines for a +ORC directory, with mixed results (did you
find the Electric Company, in Minsk?). But, I hand you +ORC's *own
words*: (Lesson 2: '...for those of you that do not know anything,
here is the ARCHIE way you get all the program that do EXIST on the
planet:...'). My favorite one is the one in Oldenburg, Germany
(-oldenburg.de/Docs/net-serv/archie-gate.html).
Let's see...orc.htm...there it
is: www.sics.se/sicskatalog/orc/orc.htm, and hey! orc.gif as well.
Let's see who this is...
Ok, its Lars-Hakan Loenn ... and what's this, his
nickname? 'Orc' ... well, well ... what does he do...search, search...a
hah! He was a student at SU (university of Sweden) in 93, and in 94,
and...hmm, not in 95...where was he in 95...search, search...a Hah! He's at CalTech,
in the Swedish Club. And he didn't graduate...so he was an exchange
student ... search, search ... he's into RPG (role playing games),
specifically Gothic ... search, search ... while at CalTech lists his
home server as nosferatu.sics.se ... search, search
... lot's of references to Gothic RPG. Save that for later...
Ok, orc.htm -- view source -- nothing interesting here. Spider
sics.se ... search, search ... ok: Swedish Institute of Computer
Science ... phone number, building name, a Hah! group name ... search,
search ... here it is: his name on several of SICS's web pages as
'Grafik: Loenn'. He's a webmaster. He likes graphics. He might
think heraldry is kewl, gothic and all that. Hmm.
Search, search ... a hah! He's does marathon runs: 3000m and 5000m,
aka OL, which pardon my german means Orientierungs Lauf or some such,
just as though he were in the militia at the time ... c.f. 'possibly
once in the military' reference (forget where, duh). Ok, so he knows
about encryption, and that .mil servers are off limits. Hmm.
Ok, dejanews da sucka ... advanced search, 1 Dec 95 thru 1 Jun 96
author +ORC ... whaz dis? 16 Feb 96 : 'see if it works' by +ORC
posted to alt.test ... see if *what* works? ... where else doth he
post? Ok, alt.hacker.malicious, makes sense, but, what's this:
de.org.ccc? whazzat? Ok, hmm, they're talking about Germany's PTT
trying to regulate Inet access. Why Germany? He's Swedish ... hmm,
mebbe he wants to go work in Germany when he's done with school.
Means he must speak fluent German, at the very least ... his English
ain't lousy either ... could have a Dutch parent or spend time there
on vacation or mebbe grew up there ... when's the first Lesson? 20
Feb 96 thru 25 Jun 96 ... and what's this? he keeps on re-posting
stuff - wierd! (tell ye why in a moment, hehe)
Now, dear reader, for some major Zen. Forgive me while I quote
verbatim a rather lengthy chunk of news thread. You will benefit from
reading it in its entirety b4 getting to my commentary (and of course
you can check it out for yourself on dejanews): Posted 18 Feb 96 in
response to a post 15 Feb 96 in alt.hacker.malicious et al:
"Re: Can you trace where this post came from? No
way!
Author:
TheAnalyst
Email: TheAnalyst@Nfo.Org
Date: 1996/02/18
Forums: alt.2600, alt.hacker, alt.comp.virus, alt.anonymous, alt.hack, alt.hacker.malicious, alt.cracks
Gi_Joe@gi.joe.org (Gi Joe) wrote:
>On Thu, 15 Feb 1996 23:32:39 GMT, swt@csd.uwm.edu (Pale Rider)
wrote,
>and said:
>>borg@internet.net (=BORG=) wrote:
>>>So... can you guess where this article came
from?
>>>
>>>Computerz are our best friends. Especially when we can make them
>>>obediently follow our orders. No, you can't order to computers. You can ask
>>>them to do things.
>>>
>>>Best Regardz,
>>>=BORG=
>>>
>>>"...You will be assimilated, resistance is futile..."
>>
>>Path:
>>uwm.edu!vixen.cso.uiuc.edu!newsfeed.internetmci.com!tank.news.pipex.net!pipex!news.uoregon.edu!news.sol.net!uniserve!van-bc!news.iceonline.com!news.inc.net!news.uoregon.edu!accross.the.wirez!from.somewhere!news.u.washington.edu!uw-beaver!cornellcs!newsstand.cit.cornell.edu!from.myself!do.not.try.to.figure.it.out.reading.the.path
>>From: borg@internet.net (=BORG=)
>>Subject: Can you trace where this post came from? No way!
>>Approved: borg@internet.net
>>X-Newsreader: Why do you need to know what newsreader I've got?
>>Sender: Newsposter@iceonline.com (Newsposter)
>>Nntp-Posting-Host: somewhere.on.the.Net
>>Organization: Information should be free Ltd.
>>Message-ID: <0123456789@somewhere.net>
>>Date: Thu, 15 Feb 1996 19:59:36 GMT
>>
>>Newsgroups: alt.2600
>>Path:
>>uwm.edu!vixen.cso.uiuc.edu!newsfeed.internetmci.com!in1.uu.net!van-bc!news.iceonline.com!Newsposter
>>From: <unknown@net.com> (unknown)
>>Subject: test, do not read
>>X-Newsreader: WinVN 0.92.6+
>>Sender: Newsposter@iceonline.com (Newsposter)
>>Nntp-Posting-Host: ns.iceonline.com
>>Organization: -
>>Message-ID: <DMu2CB.9Bw@iceonline.com>
>>Date: Thu, 15 Feb 1996 20:02:35 GMT
>>Lines: 3
>>
>>I'm going to guess "ns.iceonline.com"
>>
>>"I'm not against the police, I'm just afraid of them." -Alfred Hitchcock
>You missed the whole point of =BORG's= point . All you are doing is
>quoting the headers he WANTS you to see.
You are correct
>ns.iceonline.com is not traceable, nor is any of the other stuff he
WRONG! ^^^^^^^^^^^^^
>has; the NNTP is phony, as well as message ID.
>You need to have access to a newsserver to do this. Either =BORG= or
Or a remailer.
>knows someone (his or her ISP) that will do this for him (or her).
>Notice the last thing =BORG= says: "You can ASK them to do things"
>Right =BORG=
>===
>GIJ
>===
Don't forget. the mentality of the poster should be taken into
account. No real hacker is going to post something like "Trace
me!". Only someone that wants to show off to their friends. So we have it
generally limited to "netcom.com", "ix.netcom.com", "aol.com", "gnn.com",
"cris.com" (This is a generalization of course).
Next we look at the "PATH:" which is completely useless. as is NNTP
posting host field. So we turn to more unorthodoxed methods. His sig. . .
He put "BORG" in his sig well that is a helper. We go to one of many
online "411" type services and search for "borg" starting with the entire
internet. If that brought too many people then we look at the survers
listed above. But since this left approximately 4 entries from the
entire internet we convert the e-mail address to visit their homepages. . .
We then look at the home pages to see who has the mentality AND the expertise to use an anon remailer and to broadcast
that they are using one. This brings it down to one person.
NOTE: The method above is not exactly tracing but hey, it works 99.9% of the time. And usually works against the anon
remailer posters.
Should I post his location so you people can shut up about this?
he is at "ix.netcom.com"
I can post his entire e-mail address, but I don't think he would like getting requests about how he did it.
I KNOW HOW TO TRACE! SO SHUT UP about the above method!
Can I assume that "iceonline.com" is a remailer? I will have to check
my list of remailers. Need to find my list first though. Oh, well the method
above works even if the person didn't use an anon remailer.
--
Why should I hide my domain? I am doing nothing illegal.
NewBies, to find information go to:
pubweb.nexor.co.uk/public/cusi/cusi.html
pick a search engine, preferably Lycos
and use common sense in the key words.
Remember hackers don't need this kind of common sense
help.
NEVER post underground URLz or FTPz."
Are you still there? Did you survive that? So, what do you think --
is +ORC more like 'BORG', or is he more like 'The Analyst'? To my
taste, he's more like BORG. Why do a test in alt.test, IF HE KNOWS
HOW TO HACK?? Why keep re-posting to news, rather than e-mail ppl
direct? Why publish at all? Why publish EVERYTHING in just 4 months?
I don't think we're looking at a 'leet hacker here. I think the guy
that posted the Lessons was an amateur, that he found them somewhere
and decided to post, and that he had a 'socialist' agenda regarding
'for profit' and distribution of goods. (Well, Sweden *is* socialist,
after all). So, let's redefine the problem: are we looking for Able,
that wrote the Lessons, or Baker that published them?
Now, I speak fluent English, German and French, and can read pages
written in Dutch, Swedish, Italian, Spanish and pig latin ( comes from
having been in prep in Switzerland; veni vidi vici et al). Those
Lessons read like a translation to English from (possibly) German, or
even maybe Czech. My guess is, +ORC found the Lessons on fido, or in
eastern europe, and translated them, or mebbe got them via CalTech
while he was studying there. I did a quick scan of all threads in
alt.hacker.malicious during the end of 95 and early 96, to see who if
any stopped posting once +ORC started. There are several; take your
pick. It t'ain't Destrukto cuz Destrukto still operates a site today
as Destrukto. Noone on aol.com's a good bet, c.f. 'The
Analyst' s comments above :). Btw, nfo.org is 'National Farmers Organisation", hehe.
Assuming this zen reasoning is correct (and i have no good reason to
doubt my own intuition, hehe), we will probably *never* find out who
authored the Lessons, unless we can find them somewhere with file
dates prior to Feb 96. But I have great hopes of finding +ORC
himself. For I know, he's into Gothic, and Graphics. Search, search
... here it is:
Nosferatu himself:
http://www.geocities.com/TimesSquare/Stadium/9490.
In his email he speaks of further riddles, so let's see. We know they
won't be 'leet, or on par with the Lessons (was he too lazy to answer,
or just didn't know?), so they shouldn't be too hard to crack ... :)
Ok, on index.htm:
- '...and sword-shaped toothpicks from a dry martini...'
- 'Last, and most importantly for the purposes of this site: The
nosferatu are potent information- gatherers, managing to gain
access to just about everything.'
- 'all is not as it appears'
Sounds like the +ORC we know and love, no? Hmm. Here, the page owner
is soliciting help from ne1 who knows some javascript.
Guess +ORC decided to 'help' out a bit, no? And put some
Orc-isms in while he was at it.
Did you find the 'secret' door yet? I knew you would :). Here is the
passage: 'So, you think your a good nosferatu just because you found
the secret 'door'... Anyone with half a brain could have figured that
out. OK, so you're bright enough to know that not everything is as it
appears. Good for you.'
That 'good for you' is straight out of the Lessons, is it not? Which
it would be if +ORC had translated them, for they would then be in his
idiom of choice. Things are still making sense. Ooooh! Heres a
Login script! Oh no! It's booby trapped! Re:
"Also for reference, this is impossible for mortals to hack. If they
do successfully hack it, the site shuts down for a week and changes
are made to prevent it from happening again. Also, it will mess with
their computer so much that they couldn't hack it again if they wanted
to. It uploads a virus to any computer that attempts to access it.
The virus allows complete access to all files on that persons
computer. It downloads all of their files to the creator of the site,
right before it deletes al of them and even destroys their hardware.
Only registered nosferatu have the anti-virus program.
It is highly unlikely that anyone could program an adequate anti-virus program
becaus hidden with the first virus (if it is disabled) then a second
virus will activate and just erase all of their files (starting with
their anti-virus). The masquerade is perfectly protected."
I'm sooo scared. Let's look at that script...
now, i don't feel *too* bad, cuz Fravia dunno howto quote script either :)...
>!--
thispage="verify2.htm"
if (getcookie("lastvisit")!=null)
{ user=username+"#"+accesslevel+"$"+numsub
setcookie(user)
document.clear()
document.writeln("\>H1\<User verification\>/H1\<")
document.writeln("You must log in with a registered username and password")
document.writeln(">FORM NAME='myform'<")
document.writeln("Username: >INPUT TYPE=TEXT SIZE=20
NAME='username'<>BR<")
document.writeln("Password: >INPUT TYPE=PASSWORD SIZE=20
NAME='password'<>BR<>input type=hidden
name='access' size=3 value='"+accesslevel+"'<>input
type=hidden name=num size=3 value='"+numsub+"'<")
document.writeln(">br<>br<>INPUT TYPE='BUTTON'
VALUE='Submit' onClick=authorize()<>INPUT TYPE='reset'
VALUE='Clear'<>input type=button value='Delete Access Account'
onclick=deletecookie('lastvisit')<>/form<>p<")
document.writeln(">a href='apply.htm'<Click here if you want to apply
for usage of the NOSNET>/a<")
}
else
{
document.clear()
document.writeln(">H1<User verification>/H1<")
document.writeln("You must log in with a registered username and password")
document.writeln(">FORM NAME='myform'<")
document.writeln("Username: >INPUT TYPE=TEXT SIZE=20
NAME='username'<>BR<")
document.writeln("Password: >INPUT TYPE=PASSWORD SIZE=20
NAME='password'<>BR<>input type=hidden name='access'
size=3 value='#E3'<>input type=hidden name=num size=3
value='$0'<")
document.writeln(">br<>br<>INPUT TYPE='BUTTON' VALUE='Submit'
onClick=authorize(),setcookie(this.form.username.value+this.form.access.value+this.form.num.value)<
>INPUT TYPE='reset' VALUE='Clear'<>P<")
document.writeln(">a href='apply.htm'<Click here if you want to apply
for usage of the NOSNET>/a<")
}
// -->
So, where does 'authorize()' live? Why, in
userdata.js, of course:
<!--
function setcookie(name)
{
today=new Date()
document.cookie="lastvisit="+escape(today)+"_"+name+";expires=01-Jan-2000"
}
function getcookie(name)
{
var namestr = name+"="
var namelen = namestr.length
var cooklen = document.cookie.length
var i=0
while (i>cooklen)
{var j=i+namelen
if (document.cookie.substring(i,j)==namestr)
{ endstr = document.cookie.indexOf (";",j)
if (endstr==-1) {endstr=document.cookie.length}
tempstr = unescape(document.cookie.substring(j,endstr))
username = tempstr.substring(tempstr.indexOf("_")+1,
tempstr.indexOf("#"))
accesslevel=tempstr.substring(tempstr.indexOf("#")+1,
tempstr.indexOf("$"))
numsub = tempstr.substring(tempstr.indexOf("$")+1,tempstr.length)
numsub = eval(numsub)
return tempstr
}
i=document.cookie.indexOf(" ",i)+1
if (i==0) break
}
return null
}
function deletecookie(name)
{
var expdate=new Date()
expdate.setTime (expdate.getTime()-1000000000)
document.cookie=name+"="+getcookie(name)+";expires="+expdate.toGMTString()
location="verify2.htm"
}
function steller(form) {
location="steller.htm"
}
function surfto(form) {
ident=document.forms[0].username.value
location="agent.htm?user="+ident+"";
}
function sysadmin(form) {
location="admin.htm";
}
function authorize() {
if (document.myform.username.value == 'Thomas Hastings' &&
document.myform.password.value == "0000000000") {
sysadmin(this.form)
return true
}
if (document.myform.username.value == 'Malthus' &&
document.myform.password.value == '8478691725') {
surfto(this.form)
return true
}
if (document.myform.username.value == '`Spider' &&
document.myform.password.value == '209.42.128.3') {
surfto(this.form)
return true
}
if (document.myform.username.value == 'ACE' &&
document.myform.password.value == '****'){
sysadmin(this.form)
return true
}
if (document.myform.username.value == 'Luto' &&
document.myform.password.value == '7733271036') {
surfto(this.form)
return true
}
if (document.myform.username.value == 'Miette' &&
document.myform.password.value == '7734041868') {
surfto(this.form)
return true
}
alert('Your username or password is incorrect. Access denied.')
return true
}
--<
Gee, that's one major protection scheme he's got goin'!
So, just for the exercise, log in as admin, and create a user with
nicely high access privileges (ye can figger out what the letter
codes are, sure ye can!), and go view that nice rumor database! Piece
of cake.
Paranoia sets in. What if +ORC really *is* an elite
cracker? What if that page is merely a smokescreen, and there are other
pages hidden on that site? What if i'm wrong? Go figure :-)
Rumor has it there exists a site called Old Red's
Crackers. My contact thought she had seen it in domain .ca, but she
couldn't remember - it had been too long ago.
I wont even
bother explaining you
that you should BUY this explanation without
thinking about
it...
You are deep inside Fravia's page of reverse engineering,
choose your way out:
homepage
links
search_forms
+ORC
how to protect
academy database
reality cracking
how to search
javascript wars
tools
anonymity academy
cocktails
antismut CGI-scripts
mail_Fravia
Is reverse engineering legal?