+ORC revealed
the best of Zen stalking
orc
+ORC's stuff
20 January 1999
by aZh nAZg
Courtesy of Reverser's page of reverse engineering
Well: helluva of a work! Even if aZh nAZg's style seems to me a little too convoluted (I hope he'll 'polish' this a little and detail better, for instance, his stalking on the archies), there's quite a lot to learn in here.
This said, I actually don't believe (personally) that aZh nAZg's assumptions are correct.
Yes: "the trail (is) already long cold and well trampled", as aZh nAZg writes, yet I remember months of passionate stalking (with the Basilisk, +gthorne and Hackmore+Readrite) where we definitely came to the conclusion that +ORC is Dutch. Not German, not Swede: Dutch. And the fact that a very well known Amiga cracker of the eighties had 'ORC' as a nickname gave us much to think about (but we found few 'beef' on the Web, unfortunately).
Since +ORC is no longer in contact with any of us, unfortunately, there's no way we can finish our stalking (I remember that when he wrote +gthorne that he was in Cairo (Egypt) for his hieroglyphical cracking, more than one year ago, I mobilized two Egyptian crackers, who went into the Cairo Museum's bar asking if some funny European fellow had ordered considerable amounts of vodka martinis... only to find out that no alcohol is served there) :-(
Yes, +ORC no longer publishes his 'how to crack' masterpieces... yet he can still be useful to all reversers as stalking quarry :-)
I hope, in publishing this essay, to open the way for some other good stalkers who want to improve their skills by joining aZh nAZg in this fascinating stalking endeavour (a very difficult one now that the trail is cold). Good luck.
aZh nAZg's Nosferatu stalking is an impressive work of art and some of the evidence is quite heavy. Still I don't believe that +ORC is aZh nAZg's Swede: but this good Swiss stalker may be right with the idea that the tutorial has been translated from Czech: my personal alternative theory is that +ORC is the Petr Horák who wrote in Prague (in 1982!) the beautiful utility KGB that you can download on my tools page... Horák sounds a little like +ORC, see, and wasn't it +ORC himself who wrote that nomen est omen? :-)
There is a crack, a crack in everything That's how the light gets in
Rating
(*)Beginner ( )Intermediate ( )Advanced ( )Expert

a brief intro to zen in the art of stalking; elementary search engine use and search brainstorming
+ORC revealed
the best of Zen stalking
Written by aZh nAZg


Introduction
Our mentor: who is s/he? Pray continue, dear reader, and ye shall find out

Tools required
indispensable: a working brain

Target's URL/FTP
http://www.asite.org/+ORC , hehe

Program History
n/a

Essay

Who is/was +ORC? A fine problem; perfect for a week's contemplation. The Basilisk and others have already done fine work on bringing the issue to resolution. I soon realized that I was approaching a chase where the trail was already long cold and well trampled. Many brilliant stalkers had already tried all of the obvious approaches; there was, however, some comfort to be had in that, as that very fact suggested that +ORC was either being *very* clever, or *very* candid.

While in regular stalking the trick is to have a good dictionary of synonyms to feed into the search engines, the trick with Zen stalking is to have an open mind ('zen mind'), untiring doggedness, and above all, to 'psych' oneself into the mindset of one's quarry.

OK, so, mindset of quarry, now let's see...what do we know about him? The Lessons (read and re-read them all several times, getting a feel for the language used), the Riddle itself, the URL and what it points to, +ORC's mention of it leading to a 'dead' page...

Ok, Riddle: the language used is heraldic, duh. The quote is from, well you know already, duh. Some lines are different from the original; there's numeric symbology used, could be something about shifting bits, adding, replacing numbers in the URL, after all, he was an assembly coder...

...nope, he'd be *zen!* too lazy to do that for real. He'd want us to *think* we should do that -- mount an exhaustive search of the Web -- and sit there revelling that he got all dem lamers up off their butts and doing something useful. But he's got a great sense of humor, so mebbe the heraldic stuff is still a clue, jest a diff sort of clue. Save it for lata...

The URL, of course, leads into .mil territory, as traceroute will reveal (actually it winds up bouncing between two DNS hosts in .mil until it dies out). But as we already know, someone has visited reverser using that URL as their (spoofed) IP address, so we know that it's someone's calling card. How hard is it to do that? Not very, I could write the code from scratch in an hour or so.

So, how about the reference to the 'dead' page? Well, the obvious thought is that what that means is a page that's no longer being maintained. I would imagine that many folks have already searched all available engines for a +ORC directory, with mixed results (did you find the Electric Company, in Minsk?). But, I hand you +ORC's *own words*: (Lesson 2: '...for those of you that do not know anything, here is the ARCHIE way you get all the program that do EXIST on the planet:...'). My favorite one is the one in Oldenburg, Germany (-oldenburg.de/Docs/net-serv/archie-gate.html). Let's see...orc.htm...there it is: www.sics.se/sicskatalog/orc/orc.htm, and hey! orc.gif as well. Let's see who this is...

Ok, it's Lars-Hakan Loenn ... and what's this, his nickname? 'Orc' ... well, well ... what does he do...search, search...a hah! He was a student at SU (university of Sweden) in 93, and in 94, and...hmm, not in 95...where was he in 95...search, search...a Hah! He's at CalTech, in the Swedish Club. And he didn't graduate...so he was an exchange student ... search, search ... he's into RPG (role playing games), specifically Gothic ... search, search ... while at CalTech lists his home server as nosferatu.sics.se ... search, search ... lots of references to Gothic RPG. Save that for later...

Ok, orc.htm -- view source -- nothing interesting here. Spider sics.se ... search, search ... ok: Swedish Institute of Computer Science ... phone number, building name, a Hah! group name ... search, search ... here it is: his name on several of SICS's web pages as 'Grafik: Loenn'. He's a webmaster. He likes graphics. He might think heraldry is kewl, gothic and all that. Hmm.

Search, search ... a hah! He does marathon runs: 3000m and 5000m, aka OL, which, pardon my German, means Orientierungslauf or some such, just as though he were in the militia at the time ... cf. 'possibly once in the military' reference (forget where, duh). Ok, so he knows about encryption, and that .mil servers are off limits. Hmm.

Ok, dejanews da sucka ... advanced search, 1 Dec 95 thru 1 Jun 96 author +ORC ... whaz dis? 16 Feb 96 : 'see if it works' by +ORC posted to alt.test ... see if *what* works? ... where else doth he post? Ok, alt.hacker.malicious, makes sense, but, what's this: de.org.ccc? whazzat? Ok, hmm, they're talking about Germany's PTT trying to regulate Inet access. Why Germany? He's Swedish ... hmm, mebbe he wants to go work in Germany when he's done with school. Means he must speak fluent German, at the very least ... his English ain't lousy either ... could have a Dutch parent or spend time there on vacation or mebbe grew up there ... when's the first Lesson? 20 Feb 96 thru 25 Jun 96 ... and what's this? he keeps on re-posting stuff - weird! (tell ye why in a moment, hehe)

Now, dear reader, for some major Zen. Forgive me while I quote verbatim a rather lengthy chunk of news thread. You will benefit from reading it in its entirety b4 getting to my commentary (and of course you can check it out for yourself on dejanews): Posted 18 Feb 96 in response to a post 15 Feb 96 in alt.hacker.malicious et al:


"Re: Can you trace where this post came from? No way! 
Author:
TheAnalyst
Email: TheAnalyst@Nfo.Org
Date: 1996/02/18
Forums: alt.2600, alt.hacker, alt.comp.virus, alt.anonymous, alt.hack, alt.hacker.malicious, alt.cracks
Gi_Joe@gi.joe.org (Gi Joe) wrote:
>On Thu, 15 Feb 1996 23:32:39 GMT, swt@csd.uwm.edu (Pale Rider) wrote,
>and said:
>>borg@internet.net (=BORG=) wrote:
>>>So... can you guess where this article came from?
>>>
>>>Computerz are our best friends. Especially when we can make them
>>>obediently follow our orders. No, you can't order to computers. You can ask
>>>them to do things.
>>>
>>>Best Regardz,
>>>=BORG=
>>>
>>>"...You will be assimilated, resistance is futile..."
>>
>>Path:
>>uwm.edu!vixen.cso.uiuc.edu!newsfeed.internetmci.com!tank.news.pipex.net!pipex!news.uoregon.edu!news.sol.net!uniserve!van-bc!news.iceonline.com!news.inc.net!news.uoregon.edu!accross.the.wirez!from.somewhere!news.u.washington.edu!uw-beaver!cornellcs!newsstand.cit.cornell.edu!from.myself!do.not.try.to.figure.it.out.reading.the.path
>>From: borg@internet.net (=BORG=)
>>Subject: Can you trace where this post came from? No way!
>>Approved: borg@internet.net
>>X-Newsreader: Why do you need to know what newsreader I've got?
>>Sender: Newsposter@iceonline.com (Newsposter)
>>Nntp-Posting-Host: somewhere.on.the.Net
>>Organization: Information should be free Ltd.
>>Message-ID: <0123456789@somewhere.net>
>>Date: Thu, 15 Feb 1996 19:59:36 GMT
>>
>>Newsgroups: alt.2600
>>Path:
>>uwm.edu!vixen.cso.uiuc.edu!newsfeed.internetmci.com!in1.uu.net!van-bc!news.iceonline.com!Newsposter
>>From: <unknown@net.com> (unknown)
>>Subject: test, do not read
>>X-Newsreader: WinVN 0.92.6+
>>Sender: Newsposter@iceonline.com (Newsposter)
>>Nntp-Posting-Host: ns.iceonline.com
>>Organization: -
>>Message-ID: <DMu2CB.9Bw@iceonline.com>
>>Date: Thu, 15 Feb 1996 20:02:35 GMT
>>Lines: 3
>>
>>I'm going to guess "ns.iceonline.com"
>>
>>"I'm not against the police, I'm just afraid of them." -Alfred Hitchcock
>You missed the whole point of =BORG's= point . All you are doing is
>quoting the headers he WANTS you to see.

You are correct

>ns.iceonline.com is not traceable, nor is any of the other stuff he
WRONG! ^^^^^^^^^^^^^

>has; the NNTP is phony, as well as message ID.
>You need to have access to a newsserver to do this. Either =BORG= or
Or a remailer.

>knows someone (his or her ISP) that will do this for him (or her).
>Notice the last thing =BORG= says: "You can ASK them to do things"
>Right =BORG=
>===
>GIJ
>===

Don't forget: the mentality of the poster should be taken into account. No real hacker is going to post something like "Trace me!". Only someone that wants to show off to their friends. So we have it generally limited to "netcom.com", "ix.netcom.com", "aol.com", "gnn.com", "cris.com" (This is a generalization of course).
Next we look at the "PATH:" which is completely useless, as is the NNTP posting host field. So we turn to more unorthodox methods. His sig. . .
He put "BORG" in his sig, well that is a helper. We go to one of many online "411" type services and search for "borg" starting with the entire internet. If that brought too many people then we look at the servers listed above. But since this left approximately 4 entries from the entire internet we convert the e-mail address to visit their homepages. . .
We then look at the home pages to see who has the mentality AND the expertise to use an anon remailer and to broadcast that they are using one. This brings it down to one person.
NOTE: The method above is not exactly tracing but hey, it works 99.9% of the time. And usually works against the anon remailer posters.
Should I post his location so you people can shut up about this?
he is at "ix.netcom.com"
I can post his entire e-mail address, but I don't think he would like getting requests about how he did it.
I KNOW HOW TO TRACE! SO SHUT UP about the above method!
Can I assume that "iceonline.com" is a remailer? I will have to check my list of remailers. Need to find my list first though. Oh, well the method above works even if the person didn't use an anon remailer.
--
Why should I hide my domain? I am doing nothing illegal.
NewBies, to find information go to:
pubweb.nexor.co.uk/public/cusi/cusi.html
pick a search engine, preferably Lycos
and use common sense in the key words.
Remember hackers don't need this kind of common sense help.
NEVER post underground URLz or FTPz."


Are you still there? Did you survive that? So, what do you think -- is +ORC more like 'BORG', or is he more like 'The Analyst'? To my taste, he's more like BORG. Why do a test in alt.test, IF HE KNOWS HOW TO HACK?? Why keep re-posting to news, rather than e-mail ppl direct? Why publish at all? Why publish EVERYTHING in just 4 months? I don't think we're looking at a 'leet hacker here. I think the guy that posted the Lessons was an amateur, that he found them somewhere and decided to post, and that he had a 'socialist' agenda regarding 'for profit' and distribution of goods. (Well, Sweden *is* socialist, after all). So, let's redefine the problem: are we looking for Able, that wrote the Lessons, or Baker that published them?

Now, I speak fluent English, German and French, and can read pages written in Dutch, Swedish, Italian, Spanish and pig latin (comes from having been in prep in Switzerland; veni vidi vici et al). Those Lessons read like a translation to English from (possibly) German, or even maybe Czech. My guess is, +ORC found the Lessons on fido, or in eastern Europe, and translated them, or mebbe got them via CalTech while he was studying there. I did a quick scan of all threads in alt.hacker.malicious during the end of 95 and early 96, to see who, if any, stopped posting once +ORC started. There are several; take your pick. It t'ain't Destrukto cuz Destrukto still operates a site today as Destrukto. No one on aol.com's a good bet, cf. 'The Analyst''s comments above :). Btw, nfo.org is 'National Farmers Organisation', hehe.

Assuming this zen reasoning is correct (and I have no good reason to doubt my own intuition, hehe), we will probably *never* find out who authored the Lessons, unless we can find them somewhere with file dates prior to Feb 96. But I have great hopes of finding +ORC himself. For I know, he's into Gothic, and Graphics. Search, search ... here it is:

Nosferatu himself: http://www.geocities.com/TimesSquare/Stadium/9490. In his email he speaks of further riddles, so let's see. We know they won't be 'leet, or on par with the Lessons (was he too lazy to answer, or just didn't know?), so they shouldn't be too hard to crack ... :)

Ok, on index.htm:
- '...and sword-shaped toothpicks from a dry martini...'
- 'Last, and most importantly for the purposes of this site: The nosferatu are potent information- gatherers, managing to gain access to just about everything.'
- 'all is not as it appears'
Sounds like the +ORC we know and love, no? Hmm. Here, the page owner is soliciting help from ne1 who knows some javascript. Guess +ORC decided to 'help' out a bit, no? And put some Orc-isms in while he was at it.

Did you find the 'secret' door yet? I knew you would :). Here is the passage: 'So, you think you're a good nosferatu just because you found the secret 'door'... Anyone with half a brain could have figured that out. OK, so you're bright enough to know that not everything is as it appears. Good for you.'
That 'good for you' is straight out of the Lessons, is it not? Which it would be if +ORC had translated them, for they would then be in his idiom of choice. Things are still making sense. Ooooh! Here's a Login script! Oh no! It's booby trapped! Re:

"Also for reference, this is impossible for mortals to hack. If they do successfully hack it, the site shuts down for a week and changes are made to prevent it from happening again. Also, it will mess with their computer so much that they couldn't hack it again if they wanted to. It uploads a virus to any computer that attempts to access it. The virus allows complete access to all files on that person's computer. It downloads all of their files to the creator of the site, right before it deletes all of them and even destroys their hardware. Only registered nosferatu have the anti-virus program. It is highly unlikely that anyone could program an adequate anti-virus program because hidden with the first virus (if it is disabled) then a second virus will activate and just erase all of their files (starting with their anti-virus). The masquerade is perfectly protected."

I'm sooo scared. Let's look at that script...

Now, I don't feel *too* bad, cuz reverser dunno howto quote script either :)...

<!--
thispage="verify2.htm"
// returning visitor: getcookie() (in userdata.js) has already filled in
// username, accesslevel and numsub from the cookie, so the cookie is simply
// re-written and the form shown with those values in hidden fields
if (getcookie("lastvisit")!=null)
	{  user=username+"#"+accesslevel+"$"+numsub
	setcookie(user)
	document.clear()
	document.writeln("<H1>User verification</H1>")
	document.writeln("You must log in with a registered username and password")
	document.writeln("<FORM NAME='myform'>")
	document.writeln("Username: <INPUT TYPE=TEXT SIZE=20 NAME='username'><BR>")
	document.writeln("Password: <INPUT TYPE=PASSWORD SIZE=20 NAME='password'><BR><input type=hidden name='access' size=3 value='"+accesslevel+"'><input type=hidden name=num size=3 value='"+numsub+"'>")
	document.writeln("<br><br><INPUT TYPE='BUTTON' VALUE='Submit' onClick=authorize()><INPUT TYPE='reset' VALUE='Clear'><input type=button value='Delete Access Account' onclick=deletecookie('lastvisit')></form><p>")
	document.writeln("<a href='apply.htm'>Click here if you want to apply for usage of the NOSNET</a>")
	}
	else
	{
	// first visit: the hidden fields carry the default access level '#E3'
	// and count '$0', which the Submit button writes into the cookie
	document.clear()
	document.writeln("<H1>User verification</H1>")
	document.writeln("You must log in with a registered username and password")
	document.writeln("<FORM NAME='myform'>")
	document.writeln("Username: <INPUT TYPE=TEXT SIZE=20 NAME='username'><BR>")
	document.writeln("Password: <INPUT TYPE=PASSWORD SIZE=20 NAME='password'><BR><input type=hidden name='access' size=3 value='#E3'><input type=hidden name=num size=3 value='$0'>")
	document.writeln("<br><br><INPUT TYPE='BUTTON' VALUE='Submit' onClick=authorize(),setcookie(this.form.username.value+this.form.access.value+this.form.num.value)><INPUT TYPE='reset' VALUE='Clear'><P>")
	document.writeln("<a href='apply.htm'>Click here if you want to apply for usage of the NOSNET</a>")
	}
// -->
So, where does 'authorize()' live? Why, in userdata.js, of course:
<!--
// cookie layout: lastvisit=<date>_<username>#<accesslevel>$<numsub>
function setcookie(name)
{
	today=new Date()
	document.cookie="lastvisit="+escape(today)+"_"+name+";expires=01-Jan-2000"
}

// walks document.cookie looking for name=, and on a hit fills the globals
// username, accesslevel and numsub straight from the cookie value
function getcookie(name)
{
	var namestr = name+"="
	var namelen = namestr.length
	var cooklen = document.cookie.length
	var i=0
	while (i<cooklen)
		{var j=i+namelen
			if (document.cookie.substring(i,j)==namestr)
			{ endstr = document.cookie.indexOf (";",j)
		if (endstr==-1) {endstr=document.cookie.length}
			tempstr = unescape(document.cookie.substring(j,endstr))
			username = tempstr.substring(tempstr.indexOf("_")+1,
					   tempstr.indexOf("#")) 
			accesslevel=tempstr.substring(tempstr.indexOf("#")+1,
					    tempstr.indexOf("$")) 
			numsub = tempstr.substring(tempstr.indexOf("$")+1,tempstr.length)
			numsub = eval(numsub)
	
			return tempstr
			}
		i=document.cookie.indexOf(" ",i)+1
		if (i==0) break
		}
	return null
}

function deletecookie(name)
{
	var expdate=new Date()
	expdate.setTime (expdate.getTime()-1000000000)
	document.cookie=name+"="+getcookie(name)+";expires="+expdate.toGMTString()
	location="verify2.htm"
}

function steller(form) {
     location="steller.htm"
}

function surfto(form) {
     ident=document.forms[0].username.value
     location="agent.htm?user="+ident+"";
 }

function sysadmin(form) {

        location="admin.htm";
        
}

// the whole 'check': username and password compared in the browser against
// string literals, then a plain jump to the page the pair is allowed to see
function authorize() {

if (document.myform.username.value == 'Thomas Hastings' &&
document.myform.password.value == "0000000000") {
        
        sysadmin(this.form)
        return true
        }
        
if (document.myform.username.value == 'Malthus' &&
document.myform.password.value == '8478691725') {
        
        surfto(this.form)
        return true
        }
        
if (document.myform.username.value == '`Spider' && 
document.myform.password.value == '209.42.128.3') {
        surfto(this.form)
        return true
        }

if (document.myform.username.value == 'ACE' && 
document.myform.password.value == '****'){

	sysadmin(this.form)
	return true
	}

if (document.myform.username.value == 'Luto' &&
document.myform.password.value == '7733271036') {
        
        surfto(this.form)
        return true
        }

if (document.myform.username.value == 'Miette' &&
document.myform.password.value == '7734041868') {
        
        surfto(this.form)
        return true
        }
        

        alert('Your username or password is incorrect. Access denied.')

        return true
        }
-->
Gee, that's one major protection scheme he's got goin'! So, just for the exercise, log in as admin, and create a user with nicely high access privileges (ye can figger out what the letter codes are, sure ye can!), and go view that nice rumor database! Piece of cake.

Paranoia sets in. What if +ORC really *is* an elite cracker? What if that page is merely a smokescreen, and there are other pages hidden on that site? What if I'm wrong? Go figure :-)



Final Notes
Rumor has it there exists a site called Old Red's Crackers. My contact thought she had seen it in domain .ca, but she couldn't remember - it had been too long ago.

Ob Duh
I won't even bother explaining to you that you should BUY this explanation without thinking about it...
