Archives for : DES

SSLv3 / TLS Man in the Middle vulnerability

Recently I have been looking into the vulnerabilities in the TLS negotiation process discovered late last year.

There are a range of experts debating the exploit methods, tools and how it may be fixed (server or client site or both). From what I have seen so far this may prompt a change to the TLS standard to introduce an extension to the protocol to validate sessions (session hand off and certificate validity).

I’m also trying to find some tools which may assist in testing for this. It looks like the exploit relies on an ARP poison or similar and then inserting plain text into the negotiation process.

Could be something that can be fixed over time as servers and clients are patched.

Ham Radio Iphone applications

I have a Iphone and have been loading Ham applications onto it… Below is a list of some of them.

  • Amateur Radio Exam Prep for iPhone – Amateur Radio License exams are composed of questions from a pool. Use this application to practice all possible questions prior to taking your exam
  • CallBook for iPhone– CallBook is an Amateur Radio application that allows you to look up call signs via the free WM7D server, the QRZ Online subscription service or the HamCall subscription server and track active APRS stations on Lookup results can be emailed and the QTH can be instantly viewed in the Maps application
  • Elmer for iPhone – iPhone Software to practice taking your Ham Radio Exam
  • Freq Finder: iPhone Repeater Directory – Freq Finder is an iPhone based Ham Radio Repeater Directory that locates repeaters based on the user location.
  • FreqLoader: iPhone companion for the mobile ham– FreqLoader is the perfect iPhone/iPod Touch companion for amateur radio operators, monitoring enthusiasts, shortwave listeners and anyone with an interest in the air waves. Whether you’re an active licensed ham or an avid scanner listener, FreqLoader will allow you to find what you’re looking for, keep track of your stations, maintain complete logs and share your finds with friends, groups and the world.
  • hamDXcluster for iPhone – DX Cluster for iPhone application
  • iLocator for iPhone – A small application for Apple iPhone that calculate grid locator from gps, wifi or gsm cells by IW2BSQ
  • iPhone Ham Radio Callsign Lookup– This webapp provides an iPhone-compatible lookup of Amateur Radio Callsigns. It provides the name, address, and license class (from the FCC’s public records) of any US-Licensed Amateur Radio Operator.
  • Morse Key for iPhone – A free simple touchscreen-based CW Morse Code straight key. Practice sending Morse Code on your iPhone.
  • IBCNU APRS on the Iphone - The Live IBCNU feed can be found here.
  • APRS – how to configure the application can be found at Find Maps  at


EchoLink is finally available for the iPhone and iPod touch. It even allows me to use my Bluetooth car kit to have a QSO.

HAM’s who use EchoLink on the PC and Mac will appreciate the value of this on the iPhone.

Ham Radio Links

Amateur Packet Radio Australian

Aussiewide Packet Radio Network


Queensland APRS Users Group

VK2KFJ’s Packet Radio Links page


VK5 AX25 Packet Network Map (VK5AH)




Amateur Packet Radio Gateways

Amateur Packet Radio, net 44, and AMPR.ORG `

American Febo Enterprises







G4JKQ TCP/IP Telnet listing

G7JJF TNC Driver Support (WINTNC)

High speed packet

High Speed Packet radio

High-speed Packet Radio


K4ABT (home page)

Linux® / Amateur Radio Information

Linux AX25-HOWTO


Packet Info and Downloads

Packet Links

Packet Net (VK5 packet map)

Packet Net (FBB software)

PAcket Digital Amateur Network (PADAN)

Radio-TNC Wiring Diagrams


Slovenian ATV/Packet

Sound Card Packet




TNOS Central


WA4DSY 56k RF Modem

Yet Another 9k6 Modem


Sound Card Packet

Sound Card Buddy

Soundcard Interfacing

Sound Card Packet AGWPE (KC2RLM)

Sound Card Interface with Tone Keyer (WA8LMF)

QDG sound card interface

Return to Top


Winlink! 2000

Aussie Winlink

Pactor Communications Australia


Winpack home page

Winpack info


TNC information


Setting Your TNC’s Audio Drive Level

TNC and Radio mods


MFJ-1278B Care and maintenance


AEA radio and TNC mods

Other suppliers


Fox Delta



The DXZone Digital and Packet Radio



TNC-X – The Expandable TNC


Amateur Packet Radio Gateways


The Gateways Home Page


High-Speed Digital Networks and Multimedia (Amateur)

North Texas High Speed MultiMedia group

Also take a look at the wireless LAN pages






APRS in Adelaide


APRS in the UK





BYONICS (Electronics Projects for Amateur Radio)


Dansk APRS Gruppe

France APRS

Kansas City APRS Working Group


Live Australian APRS data maps


Queensland APRS Users Group

Tri-State APRS Working Group

Other Digital Modes




Morse Code

CW Operators’ QRP Club Inc.

Fists Down Under

LEARN MORSE CODE in one minute !

MRX morse code

Not Morse Code, Slow Scan , Packet or APRS

HamDream by HB9TLK (digital radio)

JE3HHT, Makoto (Mako) Mori

PSK31 and other PC Magic

WSJT ACTIVITY IN AU (follow link)

Amateur Digital Radio

AR Digital Voice Communications

Australian National D-Star

Ham Radio digital info

ICOM America digital

Temple University Digital Voice Project

Temple University Vocoder Redux

WinDRM – HF Digital Radio Mondiale



Australian D-Star information

D-Star wikipedia

ICOM America D-Star Forums


Software Defined Radio

FlexRadio Systems Software Defined Radios

Rocky software for SoftRock-40 hardware

SDRadio – a Software Defined Radio

SoftRock-40 Software Defined Radio

The Weaksignals pages og Alberto I2PHD (software)

Digital Radio

BBC digital Radio

Digital Audio Broadcasting

Digital Radio Broadcasting

Digital Radio


DRM – Digitaler Rundfunk unter 30 MHz


Amateur Radio Direction Finding

Amateur Radio Direction Finding and Orienteering

Amateur Radio Direction Finding Webring

Homing In


Victorian ARDF Group Inc.

Repeater Linking

There are currently There are 5 internet linking projects that I know of :-



Hamlink (K1RFD)

KWARC (live audio)

Internet Linking


IRLP status



G4CDY-L Internet Gateway



VK2JTP iLINK gateway

WB2REM & G4CDY’S  iLINK boards



laser diodes

A R Laser Communications

Australian Optical DX Group

Driver Enhancements

European Laser Communications


Amateur Radio Licence


Worldwide Information on Licensing for Radio Amateurs by OH2MCN

Amateur Radio Clubs and Organisations

Also see ATV link page

and VHF link page


Adelaide Hills Amateur Radio Society

Amateur Radio Victoria

Barossa Amateur Radio Club VK5BRC

Brisbane Amateur Radio Club

Brisbane VHF Group

Central Coast Amateur Radio Club

Central Goldfields A R Club


Coffs Harbour & District Amateur Radio Club

CW Operators’ QRP Club Inc.

Eastern and Mountain District Radio Club

Gold Coast AR Society

Healesville Amateur Radio Group

Historical Wireless Society of South East Queensland

Ipswich Metro Radio Group

Lockyer Valley Radio and Electronic Club Inc

Manly-Warringah Radio Society


QRP Amateur Radio Club International

Queensland APRS Users Group

RADAR Club Inc

Radio Amateurs Old Timers Club Australia Inc

Radio Sport

Radio and Electronics Association of Southern Tasmania

Riverland Amateur Radio Club

South Australian Packet User Group Inc. (SAPUG)


South Coast AMATEUR RADIO Club


Sunshine Coast Amateur Radio Club

VK Young Amateur Radio Operator’s Net


VK3BEZ (WIA Eastern Zone Amateur Radio Club)


West Australia Repeater Group





WICEN Australia

WICEN Brisbane Qld

New Zealand


Papakura Radio Club

Wanganui Amateur Radio Society Inc.

Wellington VHF Group


American QRP Club


Clear Lake Amateur Radio Club





K2MFF Amateur Radio club

North TeXas Repeater Association


The Repeater Builders Technical Information Page

Richardson Wireless Klub




Submarine Veterans Amateur Radio

Southgate AR club


The 500 KC Experimental Group for Amateur Radio

Tucson Amateur Packet Radio

W6DEK 435 Los Angeles

Amateur Radio


Australian AR Repeater Map



Ham Radio in Australia with VK1DA

HF Radio Antenna Tuners

Queensland AR Repeater listings

Radioactive Networks: Ham

Tony Hunt VK5AH (Home of Adelaides 10m Repeater)

VK1DA’s Amateur Radio Web Directory



VK2BA (AM radio)




VK3YE’s Gateway to AR










New Zealand

Micro Controller Projects for Radio Amateurs and Hobbyists

Precision Frequency Transmission and Reception



AC6V’s AR & DX Reference

Amateur radio with Knoppix

Amateur Radio Soundblaster Software Collection


AMRAD Low Frequency Web Page


Direction finding

DSP Links




eQSL (electronic QSL)


Felix Meyer



Gateway to Amateur Radio

Grid Square Locator


G4KLX (The [ON/]G4KLX Page)




Hamview DSP software

Homebrew RF Test Equipment And Software

KB4VOL   link site



KU4AY ham radio directory



K1TTT Technical Reference


K3TZ Ham Radio Experimentation

K6XC (links)

Lighthouses (International Lighthouse/ Lightship Weekend)



Michael Todd Computers & Communications



NW7US   (Amateur and Shortwave Radio)

N3EYR’s Radio Links


PI6ATV (ATV, Antenna, software, info)

Radio Links

Radio Corner (forum)

Ray Vaughan


streaming radio programs

The Elmer HAMlet (information)


WB6VUB (links)



XE1BEF  (DX, mods, links and more)

Communications Equipment


Andrews Communication Systems





Hamak (RM Products Italy)


KENWOOD Australia

Kyle Communications

ICOM Australia



Radio-Data (links)

Radio Specialists (equipment connectors and antenna)



Townsville CB& Communications

TTS Systems

VK4-ICE Communications

WiNRADiO (PC based receivers)



Vertex Standard


Z Communications Company (repair of old radio equipment)

See also Kits and components

Radio mods, cables, connection info

batlabs (Motorola radio connection, cable info)

Hall Electronics

Radio Mods (mods info and more)

W4RP IC-2720H Page

XE1BEF  (DX, mods, links and more)

Please also look at manufacture’s sites

Lightning Protection (video and links)

K9WK Amateur Radio

Lightning Protection Institute

Marine Grounding Systems

Moonraker boat lightning information



RFI Lightning protection


Amateur Spread Spectrum

Spread Spectrum Scene

Spread spectrum

SS Info

Call-sign finders

The DX Notebook



Equipment suppliers and manufacturers

Easy-radio (your DNS server may have problems finding this site)

Kits and Components

Australian and selected international suppliers




Antique Electronic Supply

Antenna Systems and Supplies Inc. (sm)



Clarke & Severn Electronics

Cliff Electronics (Aus) Pty. Ltd


David Hall Electronics

Dick Smith Electronics


Dominion Electronics


Elliott Sound Products


Fox Delta (ATV and more)

Hammond Mfg

Hy-Q International

IRH Components


Microwave Dynamics

MicroZed Computers



Mouser Electronics


Oatley electronics

Ocean State Electronics


pacific DATACOM


Prime Electronics

Radio Parts

R.C.S. Radio (circuit boards)

RF Modules Australia (ZigBee) http:\

RFShop (Brisbane)

Rockby Electronics and Computers

RS Components



Silvertone Electronics

South Island Component Centre (New Zealand)

Surplus Sales of Nebraska

Surplustronics (New Zealand)

Tandy (Australia)


TTS Systems

WB9ANQ’s Surplus Store


Worldwide Electronic Components http:/

Also look at the ATV links

PCB layout and schematic programs baas electronics LAYo1 PCB


Electronics WORKBENCH Industries McCAD OrCAD TARGET 3001! Tech5 TinyCAD VEGO ABACOM

Amateur Satellites and space



AMSAT-ZL (kiwisat)

CSXT Civilian Space eXploration Team



ISS fan club

SATSCAPE   (free satellite tracking program)

Satellite tracking software





IPS Radio and Space Services


Near-Real-Time MUF Map

Radio Mobile (path prediction)

VK4ZU (Propagation)


Satellite TV



KRISTAL electronics


Nationwide Antenna Systems




Radio and Scanning


Brisbane Radio Scanner

Extreme Worldwide Scanner Radio

Newcastle Area Radio Frequency Guide


New Zealand

Kiwi Radio


Wellington Scanner Frequencies


ZL3TMB (Christchurch NZ)


Frequency guide

Incident Broadcast Network (including Australian feeds)

Radio H.F.  (some ham stuff)

Amateur Radio DX and Contest

DX Cluster

AA1V’s DX Info-Page

AC6V’s AR & DX Reference

Australian contesting

Buckmaster callsign database

DX Greyline

DX Summit

DX 425 News


EI8IC Global Overlay Mapper

eQSL (electronic QSL)

German DX Foundation-GDXF

GlobalTuners (provides access to remotely controlled radio receivers all over the world)

Ham Atlas by SP6NVK

Kiwi DX List

Oceania Amateur Radio DX Group Incorporated

Oceania DX Contest


The AM Window

The Daily DX

IARU QSL Bureaus

International DX Association

Internet Ham Atlas


IOTA groups and Reference


IOTA 425

Island Radio Expedition Fondation

LA9HW HF Contest page

NG3K Contest/DX Page

Northern California DX Foundation

Simple phrases in European Languages


Telnet Access to DX Packet Clusters

The DX Notebook

VE6OA’s DX Links Contest Club

World of DK4KQ

XE1BEF  DX and links

Logging Software

VK Contest Log (VKCL)

VK/ZL Logger

WinRD+ logging program




CLX Home page

DX CLUSTER programs




DX PacketCluster Sites on the Internet

DXSpider – DX cluster system is written in perl

Packet Cluster user manual

The DXSpider User Manual

VE7CC-1 Dx Spider Cluster


Short Wave DX


Electronic DX Press (HF, MW and VHF)

CQ World Wide DX Contest


Longwave Club of America (also Ham)

NIST time stations

OK1RR DX & Contesting Page

Prime Time Shortwave

Radio Interval Signals


SM3CER Contest Service

The British DX Club

Yankee Clipper Contest Club


Radio Scouting

Scouts Australia JOTA/JOTI

The history of the Jamboree On The Air history.htm

World Organization of the Scout Movement

Australian Regulator


International Regulator


Electronic Information and technical reference

AC6V’s Technical Reference

Chip directory

Circuit Sage

CommLinx Solutions Pty Ltd

Computer Power Supply Mods

Discover Circuits

Electronic Information

Electronics Links and Resources

Epanorama (lots of links)

Electronics Tutorials

Electronic Theory

Fox Delta


Hobby Projects (electronic resource)


Information site

ISO Date / Time

Latitude/Longitude Conversion utility – 3 formats

New Wave Instruments (check out SS Resources)

Paul Falstad (how electronic circuits work)

PINOUTS.RU (Handbook of hardware pinouts)



RF Cafe

RF Globalnet

RHR Laboratories


RS232 Connections, and wiring up serial devices

RF Power Table

Science Lobby (electronic links)

Tech FAQ (technical information for mobile electronics installers)

Electronic service

Repair of TV Sets

Sci.Electrinic.Repair FAQ

Service engineers Forum


Cable Data




Coaxial cable data

Coaxial Cable Page




NESS Engineering

RF Industries cables


Times Microwave


W4ZT Antenna cable chart

50 W Coaxial Cable Information

75 W Coaxial Cable Information

Antique Radio

Antique Electronic Supply

Alan Lord

Antique Radio

Apex Jr

Archives of Boatanchors

Australian Vintage Radio MK II

Australian Wireless (OZ-Wireless) Email List

AWA and Fisk Radiola

Crystal Radio


Hammond Museum of Radio

Historical Radio Society of Australia Inc.

JMH’s Virtual Valve Museum

John Rose’s Vintage Radio Home

Klausmobile Russian Tube Directory


Kurrajong Radio Museum

Links to Vintage Radios (Amateur)

Mike’s Electric Stuff

Nostalgiar Air

Phil’s Old Radios

Radio A’s Vintage Radio Page

Radio Era

Rap ‘n Tap

Replacing Capacitors

Savoy Hill Publications

South East Qld Group of the HRSA

SEQG of the HRSA Crystal comp

SEQG One Tube Radio comp


The Vintage Radio Emporium

The Wireless Works

Triode Tube Data Tubesworld  (Valve Audio and Valve data)

Vintage Radio

Vintage Radio Times

Vintage Radios and programs

Vintage Radios UK

Vintage Radio and Test Equipment Site

Vintage Radio World

Vintage Radio and Audio Pages



Ye Olde Hurdy Gurdy Museum of Vintage Radio

Valve Audio and Valve data Ake’e Tube Data CVC

Data Sheet Locator


Frank’s Electron tube Pages

Hammond  Manufacturing

House of Tubes

High Voltage Tube Archive


Industrial Valve Data


NJ7P Tube Data Search

RCA-R10 Data

SAS Audio Labs

Sowter Audio Transformers

Spice Valves



Tube datasheets

Vacuum Tube Links

Valves and Tubes

Valve Data Links

Valve Data

Valves Unlimited

Valve and Tube Supplies


Audio Calculators and Links Calculators & References Links.htm


Car Audio Australia

DIY Audio

Duncan’s Amp Pages

Elliott Sound Products


Norman Koren


The Self Site

The Class-A Amplifier Site


DUBUS (VHF magazine)

Elektor Electronics

Harlan Technologies (Amateur Television Quarterly)

Radio & Communications Monitoring Monthly


VHF Communications Mag



SETI Australia

Hacking SCADA/SAS Systems Used Techniques, Known Incidents and Possible Mitigations

I have been working in the SCADA engineering, network design, project governance and security area for lots of years.

As a result I have many documents and techniques I will be sharing here. This is the first of many documents which I hope others will find informative and help others to understand and shape their approach to these environments.

Local file

Nmap Examples

Some Nmap examples I thought I would post.

Scanning past Watchguard Firewalls: nmap -sS -iL targetlist.txt -P0 -sV -T4

Verbose Scan: nmap -v

This option scans all reserved TCP ports on the target machine. The -v option enables verbose mode.

nmap -sS -O /24

Launches a stealth SYN scan against each machine that is up out of the 256 IPs on “class C” sized network where Scanme resides. It also tries to determine what operating system is running on each host that is up and running. This requires root privileges because of the SYN scan and OS detection.

nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127

Launches host enumeration and a TCP scan at the first half of each of the 255 possible eight-bit subnets in the 198.116 class B address space. This tests whether the systems run SSH, DNS, POP3, or IMAP on their standard ports, or anything on port 4564. For any of these ports found open, version detection is used to determine what application is running.

nmap -v -iR 100000 -PN -p 80

Asks Nmap to choose 100,000 hosts at random and scan them for web servers (port 80). Host enumeration is disabled with -PN since first sending a couple probes to determine whether a host is up is wasteful when you are only probing one port on each target host anyway.

nmap -PN -p80 -oX logs/pb-port80scan.xml -oG logs/pb-port80scan.gnmap

This scans 4096 IPs for any web servers (without pinging them) and saves the output in grepable and XML formats.

Instead of limiting ourselves to scanning just one target., let’s broaden our horizon’s to bigger and better things. In example 2 we used our IP address to base a scan against. Using that address again we can get a look at numerous targets in our “community”. At the command line type the following (substituting a valid address of your choice of course):

nmap -sT -O

What this does is instruct nmap to scan every host between the IP addresses of and If you happen to find many interesting feedback results from this or a larger scale scan then you can always pipe the output into your choice of a human readable file or a machine parsable file for future reference by issuing the following option:

To create a human readable output file issue the -oN command into your nmap string so that it would look similar to this:

nmap -sT -O -oN sample.txt

Rather have a machine parsable file? Enter the -oM to pipe the output into a machine parsable file:

nmap -sT -O -oM sample.txt

*Back when I was becoming aquatinted with all the nmap options, I ran my first large scale scan against 250 consecutive machines using an arbitrary number (nmap -sX -O -oN sample.txt XXX.XXX.XXX.0-250).To my great surprise I was confronted with 250 up and running virgin Linux machines. Another reason why Linux enthusiasts should NEVER become bored.

-I This is a handy little call that activates nmap’s TCP reverse ident scanning option. This divulges information that gives the username that owns available processes. Let’s take a look (Note that the host has to be running ident). At the command line issue this command against your target, in this case our default Eve running Linux:

-iR Use this command to instruct nmap to scan random hosts for you.

-p Port range option allows you to pick what port or ports you wish nmap to scan against.

-v Use verbosity to display more output data. Use twice (-v -v) for maximum verbosity.

-h Displays a quick reference of nmap’s calls

Now that we have looked at nmap’s three basic usage types and some of it’s other options, let’s mix and match them.

nmap -v -v -sS -O

This instructs nmap to use a maximum amount of verbosity to run a stealth scan and OS detection against all machines between IP addresses and This command will also require root privileges due to both the -sS and -O calls. Of course this will display a very overwhelming amount of data so let’s log our results into a human readable file for future reference:

nmap -v -v -sS -O -oN sample.txt

Now let’s make nmap run a stealth scan and instruct it to look only for machines offering http and ftp services between the addresses of and Once again we will log the output (I’m a log junkie) for future reference into a human readable file called ftphttpscan.txt:

nmap -sS -p 23,80 -oN ftphttpscan.txt

Remember the -iR option mentioned previously? Let’s use it to take a random sampling of Internet web servers using the verbatim example from nmap’s man page:

nmap -sS -iR -p 80

Last but certainly not least, while gleaning information, don’t forget to nmap yourself. Just type at the command line: nmap This is especially useful and recommended if you’re a newcomer to Linux and connected to the Internet via DSL or cable modem.

Detect promiscuous network devices or sniffers on a network

Old versions       nmap –script=promiscuous

New Versions     nmap -sV –script=sniffer-detect

How To Hijack Fast Food Drive-Thru Frequencies

This is an article I found on the Phone Losers site I thought I would copy here so I can give it a go at some stage.

How To Hijack Fast Food Drive-Thru Frequencies

A few years back, some friends and I were messing around with a Taco Bell’s drive-thru frequencies. RijilV and isotek showed me how easy it was to hijack the frequencies of just about any fast food restaurant with a very simple mod to a ham radio. The radios they used were Yaesu VX-5 and VX-7 models. We had a few weeks of occasional fun, sitting a few parking lots away and saying all kinds of horrible things to potential fast food customers. For the most part, I didn’t record any of it. But you can find a few clips of our fast food hijinks if you scroll down on the PLA Sound Clips Archive page.

Finally we decided to capture a bit of our FCC violations on video. But instead of capturing actual customers being harassed by us as they placed an order, I drove through the Taco Bell drive-thru myself with a video camera sitting on the dashboard. As I attempted to place my order, RijilV informed me of some crazy new Taco Bell policies and a manager immediately rushed out to explain to me that I wasn’t actually talking to an employee. Here is that video:

After spending several years on Google Video and YouTube, it’s been watched approximately 20,000 times. And of those 20,000 people who have viewed it, approximately all of them have emailed me and asked me what kind of radio we used and how can they use a radio to do the same thing. So in the spirit of April 1st and in order to quell the number of emails sent to me and posts on the PLA Forums asking the same thing, I’ve decided to write this tutorial to help those people out.

But I’m not going to explain how to modify a Yaesu VX5 or a Yaesu VX7. A simple Google search will show you how to modify these ham radios. The problem with these mods is that, even though they’re fairly simple, you have to buy the radios which could cost you anywhere from $200 – $400. Then, after removing a couple solder points, you have to learn how to use it, you have to look up fast food frequency lists, you have to understand the difference between the transmit frequencies and the receive frequencies and you have to scroll through PL tones using trial and error to find the correct one.

Or how about we do this a different way. A way that uses a couple items that you might already have in your home. You can easily modify most old CB radios in a way that will allow them to transmit directly to drive-thru frequencies. You won’t have to scroll through hundreds of possible drive-thru frequencies, because a CB radio’s channels line up in exactly the same way as most drive-thru’s channels, only at a higher frequency. How do you get your CB radio to run at a higher frequency? A simple replacement of the crystal inside, with a 6.5536 MHz crystal. This triples the megahertz that are broadcast on and there is no learning required. You just take the modified CB radio to a fast food restaurant and start broadcasting to the customers.

“But RBCP, I don’t have a 6.5536 MHz crystal lying around my house,” you might be whining at this point. But this isn’t true. Just about any house has several 6.5536 MHz crystals in them if you know where to look. This just happens to be the exact same crystal that you can find in electric heaters, hair dryers, electric stoves, curling irons, electric hot water heaters, irons, and toasters. These crystals are in just about any item that has heated coils and are used to control the frequency of the heating elements so that they don’t burn your house down.

So for this modification you need…

  • 1 CB radio. It has to be a 40 channel CB radio with a digital display, which includes just about any CB radio manufactured after the mid 1980’s. The old 23 channel CBs from the 1970’s will not work. It can even be a walkie talkie CB radio. If you don’t have one, you can find one at Goodwill or a yard sale for probably less than $10.
  • 1 toaster. (Or other item with heating elements inside.) A toaster is the most ideal to use, because it’s almost guaranteed to have the crystal inside of it. It’s more common to find curling irons and hair dryers that don’t. Again, it should be a toaster manufactured within the past 20 years or so. Before that they didn’t have crystal requirements for toaster manufacturers. (And incidentally, there were a lot more electrical house fires back then.) Goodwill will probably have a toaster for less than $10.
  • 1 soldering iron and solder. Don’t worry if you don’t have soldering experience. It’s actually pretty easy. Click here for a soldering tutorial. You can purchase a soldering iron at Radio Shack or Sears for about $10.
  • A few screwdrivers

Even if you have to buy all these materials, you’re only out $30. That’s a lot better than the $300 you might end up spending on a Yaesu radio. And some of you might already have all these items so you don’t have to pay anything. Ask a friend or a relative if they’ve got an old toaster or CB radio lying around that they don’t need.

First you’ll want to take apart your toaster. This isn’t too hard. Just flip it upside down and start removing the screws. You’ll probably need to pull off the plastic lever and knobs before you remove the top of the toaster. Once you have the top off, you’ll see a green or brown circuit board inside.

Flip the circuit board down and you’ll see all the components on the other side, including the 6.5536 MHz crystal. The crystal is silver and will have 6.5 stamped on the side of it. In the picture below, I’ve used an arrow to show you where it’s located.

The crystal is likely in a different spot in other toasters, but it’s hard to mistake for any other electronic component. The crystal will have some form of 6.5 stamped on the side of it. In my toaster, it showed 6.55-12. While the official frequency needed is 6.5536 MHz, anything within 1.6 megahertz will work. So don’t worry if your crystal just says 6.5 or 6.50 – it’s all the same for our purposes.

It’s kind of hard to see what I’m doing in the picture above, but I’m heating up the leads on the crystal from underneath with my soldering iron to melt the solder, and I’m pulling on the crystal from above with a pair of needle nose pliers. It only takes a few seconds to get the crystal out of the toaster.

Now that the crystal is out of your toaster, throw your toaster away! Do not attempt to use it once the crystal is removed. Remember, the crystal is in there for safety and using your toaster without the crystal could burn your toast and/or start a kitchen fire. It’s likely your toaster won’t even turn on with the missing crystal, but please don’t even try. Just throw it away.

As I mentioned before, just about any brand and model of CB radio will work, as long as it has the digital display on it. Which means, just about any CB radio manufactured after the mid 1980’s. These are the kinds of CB radios whose frequencies are controlled by a single crystal inside of them. For my mod, I used a Radio Shack TRC-207 walkie talkie CB radio, which is pictured above. I prefer using a walkie talkie CB radio because it doesn’t requiring sticking a huge CB antenna on the roof of my car which might be noticed if a fast food employee starts looking around the parking lot for the culprits.

Taking apart your CB radio is just as easy as taking apart the toaster. Remove the screws and pop it open. You may or may not have to lift up the circuit board inside to find the crystal inside. In my particular model, the crystal actually plugged into a socket so I didn’t need to even desolder the old crystal. I just pulled it out with my fingers and then plugged in the new 6.55 MHz crystal. I don’t know how common this is, because in other CB radios that I’ve modified the crystal was soldered to the circuit board, just like in the toaster.

Put your CB back together and test it to make sure it’s working. You’re finished! Obviously, you won’t be able to talk on normal CB channels anymore since your CB is transmitting and receiving at a much higher frequency now. But who cares, CB channels are lame anyway. Let’s hop in the car and drive to our nearest fast food establishment to test it out.

Sit near the drive-thru and wait for a customer to pull up. While the customer is talking to the drive-thru speaker, start flipping through your channels until you hear them talking. I’ve found that most drive thrus end up being somewhere in the 16 – 25 channel range. I’ve never found one above channel 30 and only a few on channels 1 through 15. It all depends on how their drive-thru is set up and what frequencies they’re using. Anyway, push down your talk button and start talking to the customer.

The cool thing about using a CB radio to transmit on drive-thru frequencies is that a CB is designed to work for several miles. The headsets that those fast food people wear are only designed to work for about 100 feet. So you can easily overpower the employees, even if you’re several parking lots away. In fact, you may be inadvertently screwing with several other drive-thrus in town without even knowing it. This is more likely when you’re using the kind of CB radio that’s supposed to be installed in a car. Those usually run on 5 watts and can cover an entire city. This is another reason I like to use my walkie talkie. It’s lucky if it will work for even a mile, so I’m only harassing one restaurant at a time.

If you found this tutorial useful, you might also enjoy the video I’ve made on the same subject. It includes much of the same information in this tutorial, but also includes actual footage of us messing with a drive-thru with this CB mod. Enjoy!

You might also enjoy our original Taco Bell Takeover video, our Happy Birthday drive-thru video and our Drive-Thru Shenanigans video.

icon for podpress PLA TV: Hijacking Fast Food Frequencies [9:12m]: Download (4913)

Local Copy

Trojan software has been found in ATMs located in Eastern Europe

This is Great, I want one of these cards and a list of ATM’s.

From the Security Now Podcast

Steve: It’s like, oh, goodness, yeah. It’s quite something. So the big news, though, I just sort of had to kind of smile because I told all of our listeners this was going to happen. I said just wait, this is a bad idea, we’re going to see how bad it is. Trojans have – Trojan software has been found in ATMs located in Eastern Europe.
Leo: Oh. Oh.
Steve: From many different vendors.
Leo: Oh, dear.
Steve: But what one thing do all of the trojan-infected ATMs have in common, Leo?
Leo: Let me guess.
Steve: Mm-hmm.
Leo: Windows?
Steve: Windows XP.
Leo: Ai yi yi.
Steve: The LSASS service is the manager of protected content in the system. It’s not quite the right acronym. I can’t think of what it is right now. But it’s like the main security service. And fake ones have been found in the Windows directory. The LSASS EXE normally lives in the Windows System32 directory. They were written in Borland’s Delphi.
Leo: You’re kidding.
Steve: No.
Leo: Well, that’s kind of sophisticated for a hacker. Wow.
Steve: And it’s considered, I mean, it’s commercial-grade code. It’s good code.
Leo: Oh, boy.
Steve: These are not remote installation Trojans. It’s believed that somebody had to have access to the machines.
Leo: Oh, even worse.
Steve: But they have special credit cards. When they swipe the special credit card in the infected machine, it accesses the trojan software, which among other things allows them to dump out all the cash from the machine. But in the meantime it’s logging all of the users’ information and PINs, which it’s able to dump out encrypted with DES encryption from the printer, from the ATM printer in the front of the machine.
Leo: Wow.
Steve: So the – and anyway, so it’s interesting to me. Again, it’s, you know, people defended the idea of implementing these things that I contend should never have been written in Windows. They say, well, but it’s easier to write them. And it’s like, yes.

DUKPT Overview and Transaction notes


I was asked on another post relating to DUKPT to provide some backgound. Given I have lots of material on the subject, I thought I would create this thread. Link


I will come back at some stage and expand on this when I get time.

Transaction Process narrative:

The diagram describes a mobile terminal/ATM is described using the a AS2805 (‘2805’) message type and 3DES DUKPT and dual direction auth SSL from the terminal to the aquirer (transaction switch).

A good explanation of DUKPT can also be found at Wikipedia.


Diagram of the flow


DUKPT transaction flow - terminal to bank

DUKPT transaction flow - terminal to bank


Background notes:

  • The terminal or ATM firstly encrypts the user entered pin (may be a unique DUKPT key or static, depending on the design and banks involved) prior to incorporating it into the AS 2805 transaction message.
  • the message is then encrypted again using the DUKPT key which has been established through the merchant logon process within the aquirer Host Security Module (HSM) i.e. the user entered pin is encrypted separately and encapsulated within the DUKPT encrypted 2805 message to provide full message encryption.
  • In the diagram a separate dual authenticating SSL session is also used between the terminal/ATM and the aquirers infrastructure. This allowing the transaction including the pin to traverse the external Wired/GPRS/LAN within 2 primary independent layers of encryption, with a 3rd protecting the PIN.
  • When the transaction enters the aquirer environment the message encapsulation layer provided by SSL is removed.  This leaving the DUKPT’ed 2805 message which also encapsulates the separately encrypted PIN.
  • This encrypted message is passed to the aquirer switch engine through to the aquirer’s HSM for decryption of the 2805 message excluding the user entered pin.
  • This is when transactional information necessary for aquirer’s merchant reporting (truncated card number, transaction amount, transaction type, etc.) and fraud management data is collected.
  • The aquirer switch then passes the encrypted PIN to the aquirer HSM requesting that the PIN be decrypted using the aquirer’s PIN encryption and translated to the next banks (Bank 1)  PIN Encryption Key (Pin translation only occurs within the aquirer HSM) This is then sent back to the aquirer Switch engine as the Bank 1 encrypted PIN.
  • The aquirer switch engine then send the decrypted 2805 message with the newly encrypted PIN back to aquirer HSM to be encrypted with the Bank 1 MAC key.
  • The resultant Bank 1 key encrypted message is then sent to Bank 1 for processing and/or passing to the card issuer (using a similar process as described above).
  • When the result is received back from the issuing bank it is encrypted with the Bank 1 MAC key (the pin will not be present in the result message).
  • This is then decrypted by the aquirer HSM, the transaction fate result stored into the aquirer merchant reporting system and the transaction fate re-encrypted with the original aquirer DUKPT key (should be different per terminal/merchant instance) and the result sent back to the terminal through the original established SSL encrypted terminal connection.

The aquirer may terminate the the SSL connection on a hardware device such as a CISCO Content Service Switch (CSS), or equivalent instead of the design described in the diagram which terminates onto a SSL session server/gateway (Possibly including a Certificate Authority) or on the aquirer transaction switch.

When PIN blocks are received by the aquirer processing centre, the PIN encryption is translated from the terminal key to the Local Master Key (LMK) by the Host Security Modules (HSM).

When the message is sent on the upstream bank interchange link to the issuer or gateway , the aquirer HSM translates the encrypted PIN block from the LMK to the Zone Master Key (ZMK) of the aquirer interchange link. The PIN block is always encrypted using DEA3 (3DES) whenever outside of the Terminal or ATM.

HSM-8000-User Guide V2.2

VoIP and SIP links

I’m looking at the Microsoft OCS server and other SIP integration environments. So I thought I would put the links here for others who were interested. I am also considering the issues associated with Mitel VoIP and OCS integration.

It would be interesting if the Microsoft OCS could seamlessly allow the use of soft phones and the Mitel VoIP system. I assume a trunk needs to be setup between the two… Anyway something to look at.

Office Communications Server 2007 VoIP Test Set

OCS Testing Tool

Connect Mitel and OCS2007

Mitel 3300 & OCS – Ring on deskphone and softphone

Connecting Mitel 3300cx and OCS


OCS 2007 Best Practices Analyzer

Amateur Radio and Radhaz

Something I have been very wary about for some year had begun to be better understood over the last few years.

I remember a doctor from an Adelaide hospital who presented at an IEEE meeting saying “on the record there hasn’t been enough research performed to prove that electromagnetic radiation causes cancer, but off the record I have seen enough cases where I am convinces it does”.

This simple statement and other examples provided during the presentation really drove home that we must be wary and respectful when using an existing near electromagnetic emitting devices.

This article came from the local South Australia Amature Radio Experimentes Group Website – Thanks for allthe great work. See link

General Background Information

The question of Radhaz has to be considered when you are constructing an Amateur Radio station that will operate near members of the general public as well as your self.

The responsibility for ensuring that the operation of an Amateur Radio transmitting station is operating with in the ARPANSA and ACMA guidelines is souly the responsibility of the amateur radio operator in control of the radio transmitter.

As the standard for Radiation Protection Standard for Maximum Exposure Levels to Radiofrequency Fields – 3 kHz to 300 GHz changes from time to time. The information on this web site will become out of date. AREG accepts no responsibility for the information presented on this page, the relative orginsations should be consolted for the latest up to date information.

For complete appraisal of your situation, you should consult one of the many orginsations that are NATA certified.

As of March 1st 2003, the Australian Communications & Media Authority (ACMA) introduced new limits for human exposure to electromagnetic radiation (EMR) covering all mobile transmitters such as remote controlled toys, walkie-talkies and hand held two-way radios as well as radio communications installations such as broadcast towers and amateur radio stations.

Under the new regulations, mandatory limits are set by the Australian Radiation Protection and Nuclear Safety Agency (ARPANSA) and people who hold a licence for a radiocommunications facility will have to comply, and in certain cases, hold records demonstrating compliance with the limits.

For a complete details on the ARPANSA standard, please refer to the link below and the ARPANSA web site.


The RPS No:3 Standard is known as, Radiation Protection Standard for Maximum Exposure Levels to Radiofrequency Fields — 3 kHz to 300 GHz (2002).

This Standard specifies limits of human exposure to radiofrequency (RF) fields in the frequency range 3 kHz to 300 GHz, to prevent adverse health effects. These limits are defined in terms of basic restrictions for exposure of all or a part of the human body. Relevant derived reference levels are also provided as a practical means of showing compliance with the basic restrictions. In particular, this Standard specifies the following:

(a) Basic restrictions for occupational exposure with corresponding derived reference levels as a function of frequency.

(b) Basic restrictions for general public exposure, with corresponding derived reference levels as a function of frequency.

(c) Equipment and usage parameters in order to assist in the determination of compliance with this Standard.
The limits specified in this Standard are intended to be used as a basis for planning work procedures, designing protective facilities, the assessment of the efficacy of protective measures and practices, and guidance on health surveillance

IDEAS page is all about putting up design and other general ideas. These may include part circuits or drawings of things that we have thought other people may be interested in. In general don’t expect a complete package, as this page is only meant to give you some ideas on what we have done. So you can further your own experimentation.