98/03/29 The Fixer's Tech Room Presents <<< Harvesting AVS Passes >>> (C)opyleft 1998 Homo ex Inferis ------------------------------------------------------------------------ What Freud and Scrooge Understand OK, you downloaded this file because you want one thing... PORN! And you don't want to pay to use each of the dozens of AVS's (Adult Verification Services) out there that most good porno sites sit behind. You know what I am talking about, that "adult check" password page where you have to enter a password that proves you're an adult to get into the site. Only catch is, that password can cost up to $69! So what do you do? Well, you can fork over a minimum of $25 for just ONE AVS pass which will only be good for a minority of sites, or you can try and commit credit card fraud, which will get you nowhere but busted fast, or you can try begging for "hacked" passes in newsgroups, which will get you flamed and treated like a loser. Or you can use your brain and get yourself a free pass, or use your brain and expend some effort and harvest a crapload of them! ------------------------------------------------------------------------ The Easy Way to Free Porn If you're an adult, perhaps the easiest way to get a free AVS pass is to run an adult site yourself. Most AVSes give their webmasters free accounts. All you have to do is put up a free web page somewhere with a few dozen GIFs or JPGs of naked people, sign up with an AVS as a webmaster, and that's it. If you put up a fairly good site and advertise it well (sorry, that means spam or IRC bots) then you stand a really good chance of making a good secondary income from the AVSes, as they all pay webmasters for every customer who signs up for a pass through their sites. A win-win situation for you and the AVS, and no hacking is involved. In fact some people actually make their living from running really big FREE adult websites; they receive enough hits to their sites that the revenue from AVSes and banners pays all their bills! But none of that probably applies to you. The fact that you're interested in a file on how to hack an AVS means that you're probably under 18. If you are, shame on you! You shouldn't know what naked people look like or how babies are made, Jerry Farwell said so! Sad news then if you are a young person, because it means that even if you put up an adult website, the AVSes won't touch you with a 69 foot pole. So you can kiss that free pass and secondary income (which isn't enough to live on but more than most teens' allowances) goodbye. Oh well. Maybe a good fake identity will get around that, but that's another subject for another text file. But wait, there may be, just MAY be a chance. ------------------------------------------------------------------------ The Hard Way - Harvesting Passes (or, P.T. Barnum was right) Let's make a few assumptions here. (#1) You are under 18 or for whatever other reason can't sign up as an AVS webmaster. Maybe you're chicken that your wife will open your mail and discover a $750 check from Porno Pass, I don't know. Maybe you're 17 and a good bullshitter but your parents are Jehovah's Witnesses, I don't know. Point is, doing it the legit way is not an option for you. That sucks but that's why I wrote this file. (#2) You COULD still put up an adult site, because you have webspace and porno files at hand. Maybe you raided some Swedish BBS or something, I don't know. Maybe your uncle screwed his pet llama and you got video of it, I REALLY don't want to know. Point is, you can still put up a porno site and all is not lost. So you can STILL use this file! (#3) Your webspace and email are not traceable back to you (i.e. you got a Tripod homepage and a usa.net email address). Note that Tripod will cut you off if they find out you are hosting porno. So will Geocities, Angelfire, well pretty much all the ones you can use. But it usually takes them weeks to figure it out, especially if the porno isn't linked from the default page. The point here is that you gotta do this with a web page and email address that you can access and control but that you don't care about. With this method you CAN expect to be discovered in the act after a while, so don't risk having your real site shut down if you have one. OK, now if you haven't got webspace and email, go sign up with Tripod or Geocities and usa.net or hotmail. Give bogus information. Spoof an IP if you know how. Use a public terminal if you must. Just don't leave a paper trail home. Next, put up a stupid "default" page that has nothing to do with porno. Just something that someone randomly surfing around would find. A fan page or something. We don't care; the point is to avoid the webspace host seeing your porno right away so they can turf you before you even get started. This default page is just a front for the purpose of temporarily defraying suspicion from your webspace provider's TOSsers. Then, in a subdirectory, set up an adult web page. Use all the webspace you are allowed, because you are going to arouse suspicion if there's not much stuff on your site. Make some fancy logos and set up the site so it looks nice and legit. Use text files (XXX rated stories) if you have a real space crunch, they're smaller than pictures. Now here's the tricky bit. You need to spoof the verification page of the AVS whose passes you wish to gather. Now, if you just want to gather a few passes quickly, then you don't have to go to much effort to do this, just make an official-looking HTML form where the surfer enters his password, and a SUBMIT button below. Only, instead of linking to the AVS's verification script, it emails the form to your throwaway account. If you want your page to last a little while, then you need to more accurately spoof the AVS's logon page. To do this, just visit another site that uses that AVS and save the HTML source. Change the Submit action to email the form to your throwaway address. Leave in everything else, including the signup script. Makes it look more real. There is a detailed example later in this article. When all of this is set up, post a bunch of your pictures/stories to Usenet newsgroups where people are looking for that sort of thing. Include the URL to your spoof page. Make sure to include HTML in your message body so that users of web-based news services can just click to your spoof page if they happen to like what they see. Within the hour, your page will begin to get hits. Stick a counter on it if you don't believe me. You can do something similar with IRC Bots in channels that allow Adbots. ------------------------------------------------------------------------ Example of a Pass Catcher Here is a form used by a well-known AVS to login to a free site. With minimal modification, you could use this directly, although I recommend visiting some other sites which use this AVS to get a more up-to-date form.

<--- This is the END of the Form code you must change --->

A---- Ch---

is the Internet's
Largest & Best
age verification system, protecting
THOUSANDS of Great Adult Sites
And growing rapidly!
Now With Instant Activation!

Enter with your Adult Check ID:

Adult Check ID#:

 <--- This is the START of the Form code you must change --->

Apply Now for an A---- Ch--- ID
The most Powerful ID on the Net!

WEBMASTER$ click here to protect your $ite!



<--- Before you set up your adult page, ask your webmaster for ---> <--- instructions on how their form to email service works. This ---> <--- is a generic example which will need modification depending ---> <--- on the peculiarities of your web service! ---> <--- This is the START of the HTML you must replace the above with --->
<--- This is the END of the HTML you must replace the above with ---> Do you follow what is happening here? This is part of an HTML form. We took out the "SUBMIT" part which diverts you to the AVS's verifier. In the original, if you submit a valid pass then the verifier diverts you to the protected page and you are set to start whacking off. In the modified code, the SUBMIT part instead emails the pass to you. When this is done, the "REDIRECT" part sends you off to your porno page, none the wiser. If you have promoted your page with enough/good enough spam, you should rack up a *lot* of hits very soon. The one part of this that should be obvious by now is that everyone gets through to the porn, even if they enter a wrong pass. This means eventually someone will notice and report your site to the AVS, which is where all hell will break loose. So this method won't last forever, and you shouldn't expect it to. But experience showed that the majority of responses received were valid passes. Can you imagine what it's like to check your mail, to find that you have 35 pieces waiting, all of them containing valid AVS passes? And to do the same again the next morning? ------------------------------------------------------------------------ Well, what now? Is this method "right?" Is it legal? Well, no one has ever been arrested for impersonating a website. You will definitely lose the webspace when your game is discovered but that's as far as it should go. The security of AVS passes is an illusion; anyone can spoof another site and get users to enter sensitive data. This sort of thing would apply to credit cards or login passwords too; there is just no authentication mechanism. A few people may suspect something when you spoof another site like this but most won't and will blithely enter their expensive and sensitive information never knowing any better. In a way, this is kind of a hands-off form of social engineering where you don't have to have any gift of the gab to pull it off. Like any really good scam. So next time you see someone posting to alt.2600 or some other newsgroup begging for AVS passes, offer them a trade. With this information you should be able to fish out all the passes you will ever need and lots more. ------------------------------------------------------------------------ Fixer's Tech Room: http://techroom.base.org Original and Archived Hacks for everyone.