Tales from my youth
These stories are not meant to glorify or vilify hackers; just to help people understand. My stories are out of date, and I was never a "hard core" hacker. I was more fringe, but was lightly plugged in (when I needed to be). But the concepts are not so different today. These little stories may teach you something -- not only about what I did, and how, but how the knowledge can be used to plug holes, or at least understand the hacker mentality. I'm not justifying what I did, nor bragging -- it was 20 years ago, and just a kid with too much time and a new way to express creative energy.
In High School we had access to mini computers, and a few Micros (back when PC's meant personal computers -- not just IBM-PC's). I went mostly for the Micros (Commodore PET's -- I liked the power of completely controlling my own machine). Still, there was warfare going on in class for mastery and for time on the computers. Remember, with mainframe and minicomputers your time was monitored, limited and a precious commodity. Many kids figured out the same thing on their own.
These are called Trojan horses (an application that looks or says it is one thing, but really does something else). They became popular and grew more and more sophisticated. I burned a few people with it (stole all their computer time) -- and I eventually got burned myself. Such was life. To this day, Trojans are still a common way to get people to give up information. Nowadays there are people who put up fake bank ATMs (automated teller machines) to get your information and money (a hardware Trojan horse). So if you can't trust the access point to a system (which you usually can't), you can never really be secure -- welcome to the paranoia of knowing too much.
High school kids have a lot of free time (if they want it). This time can be used to learn a lot. With all the stupid rules put on kids by society, many have contempt for the law/rules. They are told the 10,000 things they are not supposed to do. They've learned that most of the time adults are lying to them (or exaggerating things so much as to be the same thing) -- this gets to the point where some just get contemptuous of ALL (most) laws/rules (even some of the good ones) and all authority. Of course adults blame the kids for that contempt, and never question their own actions. Sadly, the contempt leads many into trouble -- not malice, just youthful (inexperienced) judgment. I spent the majority of my free time (when I wasn't working in a computer store, or consulting on the side), hacking, cracking and phreaking. I saw friends arrested by the FBI, and many others doing things that they could be arrested for. But it wasn't going to stop me -- and it isn't going to stop them now.
Another common way to break in is brute force. If someone really wanted to get into a site/network, they could just find an account, and try all possible passwords. Early Systems would give you a different error message if you had an invalid account or invalid password. So many would just try names (accounts) until they got one that worked, and then they would try passwords until they got in. TV has popularized the myth that this is the most common way in, but it is probably the least common way in. But you should know how it is done.
The basics are that you learn enough about the System (Computer) that people are running to know the System Administrator's (SysAdmin's) account name and default password. You'd be surprised how few actually change this, or change it to something lame (like their name, etc.). Easy in. Research almost always pays off for the hacker. With a little investigation, they can find out what the account names look like (first letter of first name + last name = account name) or the basic format that is being used. Once you have the account name, it is just a matter of trying all possible passwords until you get the one that works. With 6 character (case insensitive, all text) passwords, it was only about 27^6 possibilities (387,420,489 possibilities). That may sound like a lot, but a computer could find that in a year (assuming about 5 tries per second). But most passwords are either a name, or a word. So if you limit your password tries to what you find in a dictionary (less than 6 characters) or names, you get something that would probably take a week (even with slow communication). Nowadays there are hacker dictionaries for the most likely names and words -- probably about 50,000 possibilities (or as little as a few hours). Brute force is still a time-costly way to break in -- and there were countermeasures to make it harder.
Many systems went to upper and lower case, required 8 character passwords, assigned passwords, required numbers or special symbols, forced password rotation (changes), and added a long pause between multiple tries (or disabled an account after a certain number of tries), all as a way to slow hackers down.
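The two login behaviours described above, side by side, as an added example that is not from the original article: the early-system login that answers differently for a bad account and a bad password, and a hardened one that gives a single generic error and stops accepting tries after a set number of failures. The function names, the limit of 5 failures and the sample account are assumptions made for illustration.

```python
import hashlib, hmac, os

def _hash(password, salt):
    # Low iteration count keeps the demo fast; real systems use far more.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def make_store(accounts):
    """Build a salted, hashed account store from constructed sample data."""
    store = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        store[user] = (salt, _hash(pw, salt))
    return store

def legacy_login(store, user, password):
    """Early-system behaviour: the error text reveals whether the account exists."""
    if user not in store:
        return "invalid account"
    salt, digest = store[user]
    if not hmac.compare_digest(_hash(password, salt), digest):
        return "invalid password"
    return "ok"

class HardenedLogin:
    MAX_FAILURES = 5            # assumed policy value
    GENERIC = "login failed"    # same answer for every kind of failure

    def __init__(self, store):
        self.store = store
        self.failures = {}      # unbounded here; a real system would expire entries
        self._dummy = (os.urandom(16), os.urandom(32))

    def login(self, user, password):
        # Failures are counted for any submitted name, so the lockout itself
        # does not reveal which accounts exist.
        if self.failures.get(user, 0) >= self.MAX_FAILURES:
            return self.GENERIC
        # Always do the hash work, even for unknown users, to even out timing.
        salt, digest = self.store.get(user, self._dummy)
        match = hmac.compare_digest(_hash(password, salt), digest)
        if match and user in self.store:
            self.failures.pop(user, None)
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return self.GENERIC
```

With the hardened version a locked account refuses even the correct password, so it needs an unlock or expiry path that an administrator controls.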
I started college at a midwestern private university. I'd been programming for years (and even been a consultant). I walked into the lab with the arrogance of an 18-year-old expert, and talked to the System Administrator. He treated me like a lowlife freshman scum (which I expected), and someone that was beneath him (which was a mistake). To show off his "superiority" and power he leaked the information I needed and told me where they kept the System manuals. Without knowing it, he had thrown down the gauntlet, given me a club, then turned his back; this is known as BUGU (Bend-over and grease up), and this was going to hurt (him, not me).
I read the System manuals over the next couple of days; they didn't put a lock on the door to the System manuals, and no one said I wasn't supposed to read them. It wasn't hard to figure out the System's "flaws"; the biggest being that it used shared pools of memory for temp-storage (similar to Windows). Once you have that hole, many other security holes spring from it; as is proven by the dozens of security holes in Windows. Inside of a week I had programmed a utility that would allow users to live-chat with each other, and pass files; which the school had wanted to prevent. The school was not pleased with my additions, but then again, they didn't know they were mine.
As long as I could get into these temp-files (and shared memory), I made a utility that could steal an image of whatever someone was working on while they were on-line and working on the file. Of course I made a utility to tell me who was logged on, where they were, what they were working on, and so on.
Later, I tormented a professor who had wronged me. I had an alarm go off whenever he logged on, and I would change his work while he was working on it. He was sure the System was possessed, and looked like a fool complaining to everyone that the System kept introducing errors into his work, and so on. Of course, I considered it karma for screwing me (and the college) in a business deal with the school; he used influence on a board to veto a bid I'd made for a company, and get the deal swung to one that he got a kickback on. My point is not that I was right in the business deal, or that he was wrong (I know that), but that doesn't really matter, if a hacker thinks he is right that will be enough. Revenge was probably deserved; but in hindsight, I was a shit, and it was not my proudest of moments.
Since the System administrator and I were already off to a bad start, I decided to secure my files from him. I wrote what was called a "hello" program (a program that automatically runs when you log-on). Then I made that program have a secondary password to get into MY account (and access my specially encrypted files). I also had System Information, so I made sure the hello program would run no matter what "type" of account I was assigned. (So that the SysAdmin couldn't just change account types and get around my little hello). Then I warned the administrator that I had my own security on, and that he shouldn't try to "get on as me".
When I came into the lab, later that day, he had locked up 4 terminals trying to get on my account. He kept changing my account type, and kept trying again. But I had messed up. The way I had made the privileges for my security, there was no way to just "kill" the tasks once you failed to log on. I had given myself three tries to get the password "right" -- figuring after two tries the person would "escape" and get out. He didn't. After the third try, the terminal was locked up, for good -- with no way to unlock it. In hindsight, I probably should have created a way to "unlock" a terminal. Mea culpa. He was furious when he learned that he had to reboot the entire computer system (many dozens of students and teachers were affected). He blamed me (to the administration), I blamed him and stated that I had warned him not to do what he did -- fortunately, I didn't get in trouble since one of the professors knew me and trusted me (and defended me). But now I was really pissed at the System Admin; he not only attacked me, but then tried to blame me for his incompetence -- so I did what any self-respecting hacker would do, I escalated the warfare.
For my next trick, I wanted to totally crack the system wide open. I wanted my own administration account. In Unix this is called "getting Root" (the root directory and root account is the source to accessing everything). The school had a special terminal to assign accounts with. It was separate from other terminals, but not secured from others (other people could use it as a regular terminal -- but the SysAdmin could kick them off for his work). Back in the 80's, they used to have these things called "print buffers". They went between a computer and a printer, and could "spool" (record) a few pages of data, so that your printer would return control back to your computer faster -- and the spooler would do the job of feeding the data to your slow printer for you. With a snip and a soldering iron, it wasn't hard to make this spooler just "snapshot" the first block of data that it saw, but still pass that, and everything else, through. So I delicately placed my special buffer/spooler behind the System Administrator's terminal, and went away and waited. When he logged in, my little data-camera captured his account and password (and the first few thousand characters) but kept passing through all data like normal. He had no reason to know anything was wrong. Eventually he did his work, logged off and left. I walked up, turned the camera around, pressed my "resend" button, so that it sent to the terminal screen everything that he had typed (including the password). From there it was short work to totally violate that system in 27 different ways, and make secret administration accounts (and hide them).
Once the SysAdmin learned I had more power over that System than he did, he stopped challenging me (wisely). Once I cracked the system open, I was bored and so went on to other things. I also left that school a few months later, and only tormented that SysAdmin on a few occasions. I had won, and it was on to the next challenges (which turned into more cracking and phreaking areas). I stopped hacking (more or less) for a few years.
How to annoy the DOD
Years later, I was working at Rockwell late one Friday, when almost everyone had gone home. Another employee needed to have something that he didn't have rights to, in order to get his job done. I knew the two System Administrators and their interests. So I gave it a shot. In 10 minutes I'd password-hacked the System (I just guessed at the password, knowing these people).
Once in, I quickly made my own System Administrator account, hid it from the others, and made a program to print out all the passwords in the System. (Just the basic stuff you do when you get in). Then I gave this guy the rights he needed to get his work done, and I went back to work (ironically, I was writing network communications and security for a military satellite terminal). Everything was fine, and that would have been it -- but no good deed goes unpunished. The guy I helped went to the System Administrators and whined, "why can't I have superuser access? Dave's got it." The reply was, "oh no, he does not!". He responded, "well he did this for me on Friday, so 'oh yes he does'". And the SysAdmins came to me and asked what was going on. I explained what I did, and why. One laughed, the other turned pale. The DOD (and Rockwell) was going to secure that $200K+ minicomputer for secret information. It didn't matter that I had a security clearance, and wasn't doing anything malicious; if they found out what had happened they would have fired me, and NEVER allowed that machine to be secured, and Rockwell would have been most displeased. They would have also prevented me from working in Aerospace again. (DOD has a seriously limited sense of humor). We quickly covered up all traces of the violation, pulled out the hidden account, and we installed an encrypted password system -- and the SysAdmins showed me where they kept their passwords written down, in case there were any more "weekend updates" required. Everything came out well, but my innocent little act could have ended me up in prison, and certainly out of a job. When this extreme punishment happens, think about what it does to a hacker type person, and why they get a chip on their shoulder towards society and its laws. Overreactions can make the marginal types into full blown criminals (as it probably would have done to me).
Most security violations are from within. Most harm is done by disgruntled employees. You have far far more to fear from your employees than from external violations. If you treat your employees well, then you have far less to fear from hacking. Firewalls, and most corporate security is not effective against insiders. Many people that really want to break into a system, can get a job, or fake a badge, well enough to get "inside" and get the information they need. If the military isn't safe with draconian measures (literally), is anyone?
I've done a little white-hat stuff (breaking security to find the holes or help companies). Once you're inside the company, it is near impossible to block up the holes.
Recently a system admin said, "ha, I blocked all SSH and shell access. No one can get through this. See if you can get in". I chuckled at the naivete. Users needed access to upload files (it was a public web server), but since I could upload things, I could upload my own programs. I wrote my own shell in a web language, in about 5 minutes; this allowed my web page to control the machine. And the passwords were in a known place, and while read only and encrypted, they weren't that encrypted.
It is near impossible to simultaneously give someone access to your machine, and then to block it from that same person. If you can program a machine, you can program it to do things others may not expect. While I knew of many ways to plug more holes, there are even more to get through. Look, I'm nowhere near a security expert; imagine what far more focused hackers can do, especially with some training?
There are certainly other stories to tell, these are just some of what happened to me. I saw much more happening to others. I saw friends (or at least acquaintances) arrested by the FBI for doing stupid things, people just snooping where they didn't belong and so on. Most of it is not intentionally criminal or malicious, but many times they are willing to disregard laws as well.
For every way there is to plug holes, there can be new holes created. The biggest hole in security is people. There is no such thing as a secure system, as long as people have access. What people need to really do is figure out how to balance access with security, and decide what is acceptable.
Too many companies set their balance on one side or the other -- either completely open and vulnerable because they don't want to spend the time or money, or the system is so secure that employees waste time and money trying to actually use the network. Every company has to decide where they want that balance, but not go overboard either.
I have better things to do than hack anymore (and haven't for years and years) -- and things have changed a lot in the last 15 years. But the concepts are similar. Maybe understanding what and why will help you avoid problems in the future. If not, I hope at least this article gives you some insights on what hacking is, why it is done, and what many of these guys might be thinking.