What's New!

Chat with

How to Defend
Your Computer 

The Guides
to (mostly) 
Harmless Hacking

Happy Hacker 
Digests (old stuff) 

Hacker Links 


Meet the 
Happy Hacksters 

Help for 



It Sucks 
to Be Me!

How to Commit
Computer Crime (not)! 

What Is a 
Hacker, Anyhow? 

Have a 
Great Life! 

News from the 
Hacker War Front

Carolyn's most
popular book,
in 4th edition now!

For advanced
hacker studies,
read Carolyn's
Google Groups
Subscribe to Happy Hacker
Visit this group

Unix Edition
Mar. 8th, 2000 Part Two

.... .- .--. .--. -.-- .... .- -.-. -.- . .-. -.. .. --. . ... -
See the Happy Hacker web site at http://www.happyhacker.org
Firewall gives you problems? Try http://happyhacker.org
.... .- .--. .--. -.-- .... .- -.-. -.- . .-. -.. .. --. . ... -


Michael Cork <michaelcork@home.com>

Hello, my name is michael, and have been reading your website for a few weeks now and am trying to create my lan network. Well, have the LAN done but I just got a cable modem for the service with AT&T. IThe question that I have isa that I feel that a static IP address that the installer gave me is unsafe. I think that having the ip address might have some positive, but none that I can think of now. But this also gives others the posibility to hack in my puter. Right? Oh yeah I connect to a proxy server if that makes a diofference. Would it be worth the time to look into a fire wall? One more question please. I built my last computer and was thinking to use my old puter as a linux box. You think I can get my linux on my lan too to go out of the cable modem? Thanks for your help.........By the way, I tried to get your book the other day from Barnes and Nobles Book store in Birmingham, AL and they said that they don't stock your bok on the shelves. And that if I wanted to order it. It would take 6 to 8 weeks to get there. How long would it take if I sent you a check? Jst asking.........Thanks again for your time................Michael..........rhatreal

[Editor: Yes, yes, yes, yes, I don't know. Long answer: A static IP just makes
it easier to return to your computer once they've broken in. Make sure it's secure, read the CABLE-MODEM HOWTO for details on using that, then set up IP-Chains (read the IP Masquarading HOWTO) which will act as a mini-firewall. Also make sure your linux box is secure again, and turn on some serious TCP logging. Once that's done, you should be safe... provided you keep the system

*** Perl 101 Lesson 6

Last week (well, last issue) we discussed basic string operators. We mentioned
in the introductory lesson or two that a scalar variable is of the form
$variable_name. All aphanumeric characters are valid, as well as underscores,
I'm not sure about special characters. I could find out, but instead, why
don't you try it for yourself. One caveat: variable names cannot begin with a
number. So $var1, $v23_fkdl, and $goodName are all good (well, legal. none of
them are very descriptive) variable names. $1var, and myvar, are not. Do not
start variables with an underscore. While legal (in fact, perl uses some
automatically defined variables that begin with underscores) it's not a very
good idea.

Variables are assigned (given a value) by using the = operator. For example $var = 5, $var = $var2 + 1, $var = 'Test' . 'ing' are all legal constructs. Note that an assignment statement has the value assigned. Huh? Meaning, you can have a statement like $var1 = ($var2 = $var3) + 1. This would would assign
the value of $var3 to $var2, and that value + 1 to $var1. Like in C, there are
some shortcuts. $a = $a + $b is the same as $a += $b. -=, *=, /=, **=, and =. are all valid shortcuts. Also, the ++ and -- operators exist. These add 1 or
subtract 1 (respectively) to the given variable. For example, ++$a will add 1
to the value of $a, store it in $a, and return the (new) value of $a. So if $a
was 17, now $a is 18, and the statement returns 18. Why am I being so long
winded? Why don't I just say it adds 1, and returns that value? The answer is
because it doesn't. For ++$var, the steps are: add 1, store that in $var,
return $var. Compare that with $var++. Now the steps are: return $var, add 1,
store that in $var. So if $var1=$var2=1, then $var1++ will return 1, ++$var2
will return 2, but after both are executed, $var1 will be equal to $var2 (both
are 2). ++$var is called prefix, and $var++ is known as postfix. These can be
tricky, so be careful that you always use the one you intend. If in doubt,
think. Usually, for things like loops, you'll want $var++, so you can process
the current value, and then update it. Or, if you want to be clear (instead of
efficient), just make it two lines. If it's the only statement, both $var++and ++$var will have the same final result. It's only in statements like
$var1=$var2++ and $var1=++$var2 that you get different results.

Cutting down strings: Perl has two main operators used for cutting strings
down: chop and chomp. chop($var) replaces $var with every character in $var=

except the last one. It returns the chopped characters. So, let's examine the
following code snippet:


After running, $var will hold 'Strin', and $c = 'g'. Be careful not to write
$var=chop($var) (unless you want to replace a string by it's last element).

Chop will remove all characters; chomp will only remove a newline. So
chomp($var) would still be 'String' (assuming you didn't run chop), because there's no newline character.

Remember when we discussed single and double quoted strings? One of the differences I should have mentioned (and I think I did) is that double quoted strings are "interpolated" meaning that variable names are replaced by the contents of that variable. For example:

$var2='Hello $var1';
$var3="Hello $var1";

Now, $var2 is equal to Hello $var1, and $var3 is equal to Hello Mike. Note that double substition won't work... sort of:

$var3='Hello $var1';
$var4='Hello $var2';
$var5="Hello $var1";
$var6="Hello $var2";

Let's see here. Based on two paragraphs ago, we know that $var1 = '$name' (the
string dollarsign, n, a, m, e), and $var2 will say Mike. What about $var3, $var4, $var5, and $var6? Well, $var3 and $var4 are single quotes, so they'll say Hello $var1 and Hello var2, respectively. $var5 will contain Hello $name (not: no double substitution), but $var6 will say Hello Mike. This is because $var2 has already been expanded to contain Mike, and not $name.

Caveat: Suppose you want to try some concatenation. So you write:


This should combine $var1 with lo, giving Hello, right? Wrong. It looks for a
variable called $var1lo, which doesn't exist. So, one solution would be to write a space in between. But what if you don't want a space? Easy, try $var2"($var1)lo"; The parenthesis just tell perl what is the variable name. Completely optional, but often helpful. Happy Perling!

*** On Secure Programming

The motivation for this mini-segment was an incident that occured here lastSunday. A friend of mine, who is in the Intro to Comp. Sci. course here, was having trouble getting a program of his (a poker program) to compile under g++. The course recently switched to STL'ed C++, and while he could make itrun under Visual C++, GNU's STL library was giving some weird errors. So I invited him over to my apartment, I figured, maybe the g++ on our schools LAN is screwed up (it usually is), and I'll let him use my Debian box, which iskept pretty current. So we're sitting here, and it wasn't working. Then I had a flash of inspiration. When the program asked, "How many hands do you want to play?" I typed in something along the lines of


Well, let's just say his code had a pretty big hiccup. Actually, it came closer to a stroke. So I said, "Phil, don't you guys do any input bounds checking or anything." He said, "what?" I asked, "Didn't your teacher tell you that programming is a race between idiot-proofing your code and the idiots getting dumber?" He said, well, yeah, he said we should make sure it's a numbe r less than 50. What about secure programming? I asked. Huh? So I figured, Ok, second semester, fair enough. Let me ask a senior. So I found a friend CS grad, and asked him, "What do you know about Unix programming?" (yes, it applied to Windows as well, but not as much). So he tells me, he know how to use vi (wow...), gcc, and he's written a little CGI. Ok, I said, good enough... what do you know about buffer overflows? Huh? Seg. faults? They're really bad. Secure programming? Huh?

Uh oh. Seems the world (at least by statistically insignificant 2 person survey) is in need of a serious reality check. HELLO, Y'ALL! WAKE UP! So many exploits (if not almost all exploits) are based on the concept of a program not reacting the way it should when given bad data. I mean, isn't that what hacking really is? Using something in a way not originally intended? Of course, like a doctor, the first law (or maybe even the zeroth) is "primum non nocere (do no harm)". Obviously, if you use your shoe to pound in a nail, you don't say, "I hacked my shoe." But that's really what hacking is... finding new ways to use old stuff, be it equiptment or code.

[As an aside: I saw an article in (I think) Wired about drugs and the hacking
scene. A certain "hacker" was quoted as saying, "Drugs are like hacking your
brain." Well... my hunch is he's more of a cracker, which would mean that
"Drugs are like cracking your brain." Eggs, anyone?]

So when you're writing code... remember buffer overflows. Always, always,
check any input. Watch out for things that will produce core dumps. This is extremely important in writing SUID code (even more so if writing code to be
run by root), but even normal code should be done carefully, in case root
decides to run it. So yes, the past 5 paragraphs were all for that one
sentence. So do it!

*** Linux/Solaris Dual Boot (<script language="JavaScript"><!-- var name = "webmaster"; var domain = "ipom.com"; document.write('<a href=\"mailto:' + name + '@' + domain + '\">'); document.write(name + '@' + domain + '</a>'); // --></script>)

Linux and Solaris Dual Boot on the Same Hard Drive

I. Introduction
A. This document
B. Who I am
C. What I'm running
D. History
E. Boot Loaders

II. The Process
A. Prep for LILO
B. Install Solaris
C. Installing Linux
D. Finalizing your settings
E. How it works

III. The Last Bits
A. Thanks

I. Introduction
A. This document
This document is something I wrote based on the lack of
documentation on this subject. You may post it in
newsgroups, mailing lists, etc., as long as you put it IN ITS
ENTIRETY! If I ever update it, a master copy lies on
B. Who I am
My name is Phil Dibowitz (<script language="JavaScript"><!-- var name = "webmaster"; var domain = "ipom.com"; document.write('<a href=\"mailto:' + name + '@' + domain + '\">'); document.write(name + '@' + domain + '</a>'); // --></script>). I'm a student
(will be graduating high school in about 3 months.
I'm planning to attend a university in CA (in order of
preference: Berkley, USC, UCLA), or a few other colleges I
applied to, but those are my top choices (and unfortunately they don't
announce acceptances until late March/early April). I've
been using Linux/Unix for about 2 years now, and other parts of
my knowledge base include Perl/CGI, HTML, C++, and
SQL. I have a CNA, and I'm the Assistant Admin at my school,
which runs a fiber-optic LAN with Novell NetWare 5
servers and Win 9x workstations.
C. What I'm running
I'm running RedHat 6.0 and Solaris 2.6. This should work with
any Linux distro since LILO shouldn't be modified
between distros, and it should work with any version of Solaris
2.6 up, and quite possibly many versions prior to that.
D. History
My first experience with the Unix/Linux realm was fooling
around on a friend's machine via telnet. I was already
reading a book on Linux, so I had some knowledge but nothing to
practice on. I went out and bought a 2nd HD to install
Linux on, but my friend said that Solaris was being given away
for free and I should grab that. So I did. and Solaris
was MY first jump in.
So there I was with this machine learning REALLY slowly
(anything I did know was from a Linux book and only half
that stuff worked in Solaris). In the first 2 months I had to
reinstall Solaris like 2342340283409234 times. But I learned.
Shortly after I figured out how to get online, and had the basics
came quickly (after the first 2 months). I spent about a
year on that and my parents bought a new machine and gave me the
old one. I immediately scrapped Windows, and
ordered RedHat Linux for 2 bucks from cheapbytes.com. Installed
it after the Solaris partition. only to find out that
wouldn't work. So I set it up with /boot, then Solaris, then the
rest of Linux, as advised by people in the Linux room. But
spent the next year and a half trying to find out how to get LILO
to boot Solaris. I found several tutorials, but they all told
how to do it if Solaris was on the 2nd HD (which I didn't want to
do because a. the original hard drive on that machine I
removed cause it was failing leaving only 1 hard drive, and b.
because I wanted to figure out how to do this on 1 hard
drive)!! I guess it's the hacker-mentality/curiosity in me). At
length I decided the information was not available in the
'fine manual', as they say. nor anywhere on the Internet. Nor was
it in the mind of anyone in any Linux room on earth.
After close to about a year and a half of searching I did solve
the puzzle, but not alone...
E. Boot Loaders
There are two possible boot loaders in this setup. LILO and
Solaris' boot loader. I'd been trying to use LILO. So let
me give you the finale of my story. I saw the subject come up on
the Solaris newsgroup and emailed a guy who had a
similar setup to me. He said he no longer had that setup, and
found out that LILO cannot boot Solaris (just as I had).
He never completed his dual boot but said he was pretty sure that
I could set up Solaris' boot loader to boot Linux. All it
took was changing some 'active' flags in the partition table.
Haha. 2 years of looking and it took all of 5 minutes.
::::sigh:::: I've outlined the whole procedure for getting the
setup as I have it. if you already have both OS's installed
you should be able to skim everything but the last 2 steps. if
you're setup is similar. Sometimes you just may have
to redo your setup to do what you wanna do.

II. The Process
A. Setup a small partition (which will eventually become
Linux's /boot partition), but don't put anything in it. 15MB
should do it. I like to use Linux's fdisk utility on the setup
disk (run the install, it will allow you to run fdisk long before
it starts any installing.) to set that partition to some arbitrary
type, 8, or b7, or whatever. anything that's not Solaris or
Linux). Make sure it's not set as active. install will ask you to
B. Pop the Solaris install CD and DCA floppy in the computer
and restart. That will write the new partition table and
start the Solaris install. Install Solaris directly after that
small partition you just made.
C. Run Linux install. change the Solaris partition type to
something weird. 8 or b7 is fine again (because Solaris
is the same as Linux swap, don't wanna screw up your 2 hour Sol
install!!!). Change the first partition to Linux (83),
and setup whatever partitions you want for Linux after the
Solaris partition. Set the first partition to be active, make
sure nothing else is active. Exit fdisk, install will restart, then
set the mount point for your first little partition to be /boot.
the rest are up to you. when install gets to LILO, it will ask you
where to install LILO. select /dev/hda1 (/boot).
D. When Linux boots, login as root, run fdisk, change Solaris
back to it's original type (same as Linux swap. 82),
then make Solaris the active partition and make /boot INactive
(i.e. Solaris should be the ONLY active partition).
E. The Solaris boot loader should take over. Selecting the
first partition should drop you into LILO, which will get you
into Linux, and the 2nd will get you into Solaris.

III. The Last Bits
A. Thanks
Special thanks to Jim Grover (jgrover@columbus.rr.com) for
helping me to find this solution after so long of
B. Lastly
I still consider myself a beginner, and this there may well
be mistakes in here (and I'm sure there's a typo or two). If
you feel anything in here is wrong, or would like to add
something, or have a question, please feel free to email me at
<script language="JavaScript"><!-- var name = "webmaster"; var domain = "ipom.com"; document.write('<a href=\"mailto:' + name + '@' + domain + '\">'); document.write(name + '@' + domain + '</a>'); // --></script>

.... .- .--. .--. -.-- .... .- -.-. -.- . .-. -.. .. --. . ... -

This is a list devoted to *legal* hacking! If anyone plans to use any
information in this Digest or at our Web site to commit crime, go away! We like to put computer criminals behind bars where they belong!

 © 2013 Happy Hacker All rights reserved.