Tag Archives: hacking

Friday, 19 October, 2007

Modify WP-Cache to avoid caching Password Protected Post

WP-Cache stores the rendered page by URL and serves that copy to every later visitor without looking at the password cookie, so a password-protected post ends up frozen as whatever was rendered first: the password form keeps coming back after the password has been entered correctly, and if the first render had been for a visitor who already held the cookie, the protected content would be served to everyone. Skipping the cache for any post that has a post_password keeps the response per-visitor, so the post is seen once the password is entered correctly.

The change goes in wp_cache_ob_callback() in wp-cache-phase2.php, right after the existing check that refuses to cache 404s and incomplete buffers. Note that is_single() is false for pages, so password-protected pages are still cached by this check; use is_singular() if pages need the same treatment.

function wp_cache_ob_callback($buffer) {

    ..

    /* we avoid caching incomplete files */
    if (is_404() || !preg_match('/(<\/html>|<\/rss>|<\/feed>)/i',$buffer) ) {
        $new_cache = false;
        return $buffer;
    }

    // don't cache password-protected posts <-- add here
    // $post is the post being displayed; post_password is non-empty when
    // the author set one, so the rendered output depends on the visitor's
    // password cookie and must not be written to the cache.
    global $post;
    if (is_single() && !empty($post->post_password)) {
        $new_cache = false;   // tell the rest of the callback not to write a cache file
        return $buffer;       // hand the uncached output back to the output buffer
    }

Tags: hacking, Php, WordPress


Posted in WordPress , Php


Monday, 16 July, 2007

How some Extremely Smart Hackers Pulled off the Most Audacious Cell-network Break-in

From IEEE Spectrum.

..

The base station's activities are governed by a base station controller, a special-purpose computer within the station that allocates radio channels and helps coordinate handovers between the transceivers under its control.

This controller in turn communicates with a mobile switching center that takes phone calls and connects them to call recipients within the same switching center, other switching centers within the company, or special exchanges that act as gateways to foreign networks, routing calls to other telephone networks (mobile or landline). The mobile switching centers are particularly important to the Athens affair because they hosted the rogue phone-tapping software, and it is there that the eavesdropping originated. They were the logical choice, because they are at the heart of the network; the intruders needed to take over only a few of them in order to carry out their attack.

A central processor coordinates the switch's operations and directs the switch to set up a speech or data path from one phone to another and then routes a call through it. Logs of network activity and billing records are stored on disk by a separate unit, called a management processor.

The key to understanding the hack at the heart of the Athens affair is knowing how the Ericsson AXE allows lawful intercepts—what are popularly called “wiretaps.” In AXE exchanges a remote-control equipment subsystem, or RES, carries out the phone tap by monitoring the speech and data streams of switched calls. It is a software subsystem typically used for setting up wiretaps, which only law officers are supposed to have access to. When the wiretapped phone makes a call, the RES copies the conversation into a second data stream and diverts that copy to a phone line used by law enforcement officials.

Ericsson optionally provides an interception management system (IMS), through which lawful call intercepts are set up and managed. When a court order is presented to the phone company, its operators initiate an intercept by filling out a dialog box in the IMS software. The optional IMS in the operator interface and the RES in the exchange each contain a list of wiretaps: wiretap requests in the case of the IMS, actual taps in the RES. Only IMS-initiated wiretaps should be active in the RES, so a wiretap in the RES without a request for a tap in the IMS is a pretty good indicator that an unauthorized tap has occurred.

It turns out Vodafone had not purchased the lawful intercept option at the time of the illegal wiretaps. The Vodafone system contained the software code necessary to intercept calls using the RES, even though it lacked the high-level user interface in the IMS normally used to facilitate such intercepts.

That odd circumstance would turn out to play a role in letting the Athens hackers illegally listen in on calls and yet escape detection for months and months.

It took guile and some serious programming chops to manipulate the lawful call-intercept functions in Vodafone's mobile switching centers. The intruders' task was particularly complicated because they needed to install and operate the wiretapping software on the exchanges without being detected by Vodafone or Ericsson system administrators. From time to time the intruders needed access to the rogue software to update the lists of monitored numbers and shadow phones. These activities had to be kept off all logs, while the software itself had to be invisible to the system administrators conducting routine maintenance activities. The intruders achieved all these objectives.

They took advantage of the fact that the AXE allows new software to be installed without rebooting the system, an important feature when any interruption would disconnect phone calls, lose text messages, and render emergency services unreachable. ..

See Image
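The detection rule stated in the excerpt, a tap active in the RES with no matching request in the IMS, carried out as a reconciliation of the two lists. This is an added example, not code from the IEEE Spectrum article or from any Ericsson product: the CSV layout, the field names (monitored, shadow, activated, warrant) and every value are constructed for illustration, and the code assumes PHP 7 or later.

```php
<?php
// Added example, not code from the IEEE Spectrum article or from any Ericsson
// product: reconcile the exchange's list of active taps (RES) against the
// operator's list of lawful-intercept requests (IMS). The record layout, the
// field names and all values below are constructed for illustration.

// Constructed sample: active taps as exported from the RES.
const RES_ACTIVE_TAPS = <<<'CSV'
monitored,shadow,activated
6900000001,6970000001,2004-08-01T09:15:00Z
6900000002,6970000002,2004-08-03T11:40:00Z
6900000003,6970000003,2004-08-04T22:05:00Z
CSV;

// Constructed sample: court-ordered intercepts as recorded in the IMS.
const IMS_REQUESTS = <<<'CSV'
monitored,shadow,warrant
6900000001,6970000001,W-2004-0117
6900000004,6970000004,W-2004-0121
CSV;

// Parse a header-first CSV block into a list of associative rows.
function parse_csv_block(string $csv): array
{
    $lines  = array_values(array_filter(array_map('trim', explode("\n", $csv)), 'strlen'));
    $header = str_getcsv(array_shift($lines));
    $rows   = [];
    foreach ($lines as $line) {
        $rows[] = array_combine($header, str_getcsv($line));
    }
    return $rows;
}

// A tap is identified by the monitored number AND the number the copy is
// diverted to: a tap on an authorised target that forwards to an unexpected
// shadow number is still unauthorised.
function tap_key(array $row): string
{
    return $row['monitored'] . '|' . $row['shadow'];
}

// Returns ['unauthorized' => RES taps with no IMS request,
//          'not_in_effect' => IMS requests with no active RES tap].
function reconcile_taps(array $resTaps, array $imsRequests): array
{
    $res = [];
    foreach ($resTaps as $tap) {
        $res[tap_key($tap)] = $tap;
    }
    $ims = [];
    foreach ($imsRequests as $req) {
        $ims[tap_key($req)] = $req;
    }
    return [
        'unauthorized'  => array_values(array_diff_key($res, $ims)),
        'not_in_effect' => array_values(array_diff_key($ims, $res)),
    ];
}

$result = reconcile_taps(parse_csv_block(RES_ACTIVE_TAPS), parse_csv_block(IMS_REQUESTS));

foreach ($result['unauthorized'] as $tap) {
    printf("ALERT tap on %s diverted to %s since %s has no IMS request\n",
        $tap['monitored'], $tap['shadow'], $tap['activated']);
}
foreach ($result['not_in_effect'] as $req) {
    printf("WARN warrant %s for %s has no active tap in the RES\n",
        $req['warrant'], $req['monitored']);
}
```

The comparison keys on the shadow number as well as the target, because a warrant for a number says nothing about a second copy of its calls being diverted elsewhere. It is also only as good as the RES export it is fed: the excerpt notes that the intruders kept their software invisible to routine administration, so the active-tap list has to come from a check the rogue software cannot filter, which is a question of where the data is taken from rather than of the comparison itself.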

Tags: wiretaps, security, hacking


Posted in Mobile , Technology


Friday, 13 July, 2007

FAM Non-superuser Hack

FAM is File Alteration Monitor.

Also see The Watchful Eye of FAM by Ethan McCallum.

I am trying to use it in an environment where I have no root access and am not using portmapper.

After some changes and testing, it seems to work.

  • Change the SuperUser uid to the uid you intend to run the program as, and likewise the SuperUser_groups gid.
  • Initialize Cred::Implementation::last = Cred::SuperUser.p;
  • Bind to a specific non-reserved port.
  • Remove the portmapper code following the binding.
  • Remove the superuser check.
  • Connect the client to the same specific non-reserved port.
  • Initialize bestvers = 2 and remove the portmapper code that looks up which port to connect to.

Disclaimer: I do not claim these changes work. Furthermore, I do not understand the security impact, so if you do use them, it is at your own risk.

The changes are recorded in the 2 diff files, fam.src.diff and fam.lib.diff.

Common subdirectories: fam-2.7.0/src/.deps and fam-2.7.0p/src/.deps

diff -Nau -x Makefile fam-2.7.0/src/Cred.c++ fam-2.7.0p/src/Cred.c++

--- fam-2.7.0/src/Cred.c++ Fri Nov 21 14:38:48 2003

+++ fam-2.7.0p/src/Cred.c++ Wed Jul 11 07:49:37 2007

@@ -38,10 +38,13 @@

#include

#endif

-static gid_t SuperUser_groups[1] = { 0 };

-const Cred Cred::SuperUser(0, 1, SuperUser_groups, -1);

+//static gid_t SuperUser_groups[1] = { 0 };

+//const Cred Cred::SuperUser(0, 1, SuperUser_groups, -1);

+static gid_t SuperUser_groups[1] = { 111 };

+const Cred Cred::SuperUser(2222, 1, SuperUser_groups, -1);

Cred Cred::untrusted;

-const Cred::Implementation *Cred::Implementation::last = NULL;

+//const Cred::Implementation *Cred::Implementation::last = NULL;

+const Cred::Implementation *Cred::Implementation::last = Cred::SuperUser.p;

Cred::Implementation **Cred::impllist;

unsigned Cred::nimpl;

unsigned Cred::nimpl_alloc;
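Review bot: the replacement credential hard-codes uid 2222 and gid 111 into Cred::SuperUser, so the binary is correct for exactly one account and will silently treat any other uid the daemon is started as as non-superuser; derive the values at startup (getuid()/getgid(), or a command-line option) instead of editing constants. The new initializer `const Cred::Implementation *Cred::Implementation::last = Cred::SuperUser.p;` also reads another static object's member during static initialization, which only works because SuperUser is defined earlier in this same translation unit; that deserves a comment. Delete the four commented-out originals rather than keeping them beside the replacements.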

diff -Nau -x Makefile fam-2.7.0/src/Listener.c++ fam-2.7.0p/src/Listener.c++

--- fam-2.7.0/src/Listener.c++ Sun Jan 19 17:37:29 2003

+++ fam-2.7.0p/src/Listener.c++ Wed Jul 11 04:07:01 2007

@@ -87,14 +87,18 @@

{ Log::perror("can't create TCP/IP socket for rendezvous");

exit(1);

}

+ //struct sockaddr_in addr;

struct sockaddr_in addr;

memset(&addr, 0, sizeof addr);

addr.sin_family = AF_INET;

addr.sin_addr.s_addr = local_only ? htonl(INADDR_LOOPBACK) : 0;

- addr.sin_port = htons(0);

- if (bindresvport(sock, &addr) < 0)

+ //addr.sin_port = htons(0);

+ addr.sin_port = htons(7777);

+ //if (bindresvport(sock, &addr) < 0)

+ if (bind(sock, (struct sockaddr*) &addr, sizeof(addr)) < 0)

{

- Log::perror("can't bind to reserved port");

+ //Log::perror("can't bind to reserved port");

+ Log::perror("can't bind to port 7777");

exit(1);

}

if (listen(sock, 1) < 0)
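Review bot: `addr.sin_port = htons(7777);` with `bind()` in place of `bindresvport()` means the rendezvous socket no longer sits on a reserved port, so any local user who binds 7777 first can stand in for the daemon, and with `local_only` false the address is still INADDR_ANY (`addr.sin_addr.s_addr = local_only ? htonl(INADDR_LOOPBACK) : 0;`), so the socket is reachable from the network as well. Force INADDR_LOOPBACK when running unprivileged, keep the port in one variable used by both the bind and the Log::perror text (the message repeats the literal), and drop the leftover `//struct sockaddr_in addr;` together with the other commented-out originals.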

@@ -102,12 +106,12 @@

Log::perror("can't listen for rendezvous");

exit(1);

}

- (void) pmap_unset(program, version);

- if (!pmap_set(program, version, IPPROTO_TCP, ntohs(addr.sin_port)))

- {

- Log::error("can't register with portmapper.");

- exit(1);

- }

+ //(void) pmap_unset(program, version);

+ //if (!pmap_set(program, version, IPPROTO_TCP, ntohs(addr.sin_port)))

+ //{

+ // Log::error("can't register with portmapper.");

+ // exit(1);

+ //}

set_rendezvous_fd(sock);

}

}
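Review bot: with pmap_set/pmap_unset commented out the daemon is no longer advertised to the portmapper, so any unmodified libfam client on the host gets no port for the program and fails, and a stale registration left behind by a previously run stock fam is no longer cleared either. Make this a runtime option (a -p port switch that skips registration) rather than seven commented-out lines, so the stock rendezvous path stays available when the daemon does run as root.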

diff -Nau -x Makefile fam-2.7.0/src/main.c++ fam-2.7.0p/src/main.c++

--- fam-2.7.0/src/main.c++ Sat Jan 18 23:15:51 2003

+++ fam-2.7.0p/src/main.c++ Wed Jul 11 02:46:52 2007

@@ -157,10 +157,10 @@

}

}

- if (getuid() != 0)

- { Log::error("must be superuser");

- exit(1);

- }

+ //if (getuid() != 0)

+ //{ Log::error("must be superuser");

+// exit(1);

+ //}

parse_config(opts);
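Review bot: deleting the `getuid() != 0` check removes the only guard that the daemon has the privileges the rest of the code was written for, and the credential handling in Cred.c++ now assumes one fixed uid in its place. Rather than commenting the four lines out, replace them with an explicit opt-in (an `--unprivileged` option, name assumed) that logs a warning and refuses to start as any uid other than the one it was configured for, so a stock fam started as root behaves exactly as before. The indentation of `+// exit(1);` also differs from the surrounding commented lines.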

Changes to the client library side.

Common subdirectories: fam-2.7.0/lib/.deps and fam-2.7.0p/lib/.deps

diff -Nau -x Makefile fam-2.7.0/lib/Client.c++ fam-2.7.0p/lib/Client.c++

--- fam-2.7.0/lib/Client.c++ Sat Jan 18 07:18:12 2003

+++ fam-2.7.0p/lib/Client.c++ Wed Jul 11 07:05:01 2007

@@ -52,6 +52,7 @@

sin.sin_addr.s_addr = htonl(host);

// This is set below instead.

//sin.sin_port = htons(pmap_getport(&sin, prog, vers, IPPROTO_TCP));

+ sin.sin_port = htons(7777);

//

// We'll run through the list of pmaps ourselves instead of calling
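Review bot: `sin.sin_port = htons(7777);` duplicates the literal from Listener.c++ on the client side; if either copy changes, the client connects to whatever else is listening on that port and speaks the fam protocol to it. Keep the port in one shared constant (or read an environment variable such as FAM_PORT, name assumed) used by both sides, and update the comment `// This is set below instead.` two lines up, which no longer describes where the port comes from.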

@@ -60,6 +61,8 @@

// need to know which version of fam we're talking to. (Isn't there

// an easier way to do that?)

//

+ unsigned long bestvers = 2;

+/*

pmaplist *pl = pmap_getmaps(&sin); // this is leaked; see note below loop

unsigned long bestvers = 0;

for (pmaplist *plp = pl; plp != NULL; plp = plp->pml_next)
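Review bot: `unsigned long bestvers = 2;` hard-codes the protocol version, and the `/*` opened on the next line comments out the original `unsigned long bestvers = 0;` declaration together with the whole pmap_getmaps() loop, which compiles only as long as no other `/*` appears before the matching `*/` in the next hunk (C-style comments do not nest). Use `#if 0 ... #endif` for the disabled block, or better delete it, and take the version from the protocol version macro rather than a literal so client and daemon cannot drift apart.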

@@ -83,7 +86,7 @@

// just leak it. This sucks! (call CLNT_CALL(client, PMAPPROC_DUMP, ...

// ourselves?)

//xdr_free((xdrproc_t)xdr_pmaplist, &pl);

-

+*/

if(sin.sin_port == 0)

{

// Couldn't get port for rpc call.
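Review bot: once `+*/` closes the disabled block, the `if(sin.sin_port == 0)` test that follows can no longer be true, because the port was set to the literal 7777 earlier in this file, so the "Couldn't get port for rpc call" branch is dead code; either remove it along with the pmap lookup, or keep the lookup as a fallback for when the fixed port refuses the connection.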

Tags: Linux, hacking


Posted in Linux , Open-Source


Wednesday, 21 March, 2007

Wordpress Permalink Hack

I don't know much about WordPress's internal workings; I only know a little and do a little PHP programming. (I don't like PHP; Python suits me better!)

What I want to achieve is to show my Sky Explorer user guide posts with a different template. When I type a number after the permalink URL, I notice it actually displays the same post as the permalink without the number. (Somehow, the number is being consumed.) After a bit of debugging, I found out this is captured in $wp_query->query_vars["page"], so I made a hack to select a different template by also using this value, replacing the get_single_template function in theme.php.

Seems to be working OK! Browse Sky Explorer User Guide.
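The same template switch done without editing wp-includes/theme.php, as an added example that is not the post's own hack and not WordPress core code. It hooks the single_template filter that get_single_template() already applies, so it lives in a plugin or the theme's functions.php and survives upgrades. The category ID, the template file name and the function name are assumptions.

```php
<?php
// Added example, not the post author's hack and not WordPress core code:
// the same effect, a different template for a guide post when a number is
// appended to its permalink, done with the 'single_template' filter from a
// plugin or the theme's functions.php, so wp-includes/theme.php stays
// unmodified and survives upgrades. The template file name, the category
// ID and the function name are assumptions.

define('SKYEXPLORER_GUIDE_CATEGORY_ID', 7);               // assumed category ID
define('SKYEXPLORER_GUIDE_TEMPLATE', 'single-guide.php'); // assumed file in the theme

function skyexplorer_guide_template($template)
{
    // The trailing number in /post-name/3/ is consumed by WordPress into the
    // 'page' query var, the value the post found in $wp_query->query_vars['page'].
    $page = (int) get_query_var('page');
    if ($page <= 0) {
        return $template;                 // plain permalink: normal template
    }
    // Only guide posts switch templates; every other post keeps single.php.
    if (!in_category(SKYEXPLORER_GUIDE_CATEGORY_ID)) {
        return $template;
    }
    // The file name is fixed here on purpose: never build the path from the
    // request (page number, slug, query string), or the filter becomes an
    // arbitrary-file include.
    $guide = TEMPLATEPATH . '/' . SKYEXPLORER_GUIDE_TEMPLATE;
    return file_exists($guide) ? $guide : $template;
}
add_filter('single_template', 'skyexplorer_guide_template');
```

The point worth keeping even if the rest changes is the fixed file name: the page number is request-controlled, so the only safe way to let it influence the template is as a yes/no decision between files that are named in code.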

Tags: hacking, WordPress


Posted in WordPress