Tales from my youth
These stories are not meant to glorify or vilify hackers; just to help people understand. My stories are out of date, and I was never a "hard core" hacker. I was more fringe, but was lightly plugged in (when I needed to be). But the concepts are not so different today. These little stories may teach you something -- not only about what I did, and how, but how the knowledge can be used to plug holes, or at least understand the hacker mentality. I'm not justifying what I did, nor bragging -- it was 20 years ago, and just a kid with too much time and a new way to express creative energy.
In High School we had access to mini computers, and a few Micros (back when PC's meant personal computers -- not just IBM-PC's). I went mostly for the Micros (Commodore PET's -- I liked the power of completely controlling my own machine). Still, there was warfare going on in class for mastery and for time on the computers. Remember, with mainframe and minicomputers your time was monitored, limited and a precious commodity. Many kids figured out the same thing on their own.
"If I write a program for the terminal, that looks exactly like the normal log-in program, then people will unwittingly type their name and password into my program (which I can make record that information). Then I can use up all THEIR time instead of my own".
These are called Trojan horses (an application that looks or says it is one thing, but really does something else). They became popular and grew more and more sophisticated. I burned a few people with it (stole all their computer time) -- and I eventually got burned myself. Such was life. To this day, Trojans are still a common way to get people to give up information. Now days there are people who put up fake Bank ATM's (automated teller machines) to get your information and money (a hardware Trojan horse). So if you can't trust the access point to a system (which you usually can't), you can never really be secure -- welcome to the paranoia of knowing too much. High school kids have a lot of free time (if they want it). This time can be used to learn a lot. With all the stupid rules put on kids by society, many have contempt for the law/rules. They are told the 10,000 things they are not supposed to do. They've learned that most of the time adults are lying to them (or exaggerating things so much as to be the same thing) -- this gets to the point where some just get contemptuous to ALL (most) laws/rules (even some of the good ones) and all authority. Of course adults blame the kids for that contempt, and never question their own actions. Sadly, the contempt leads many into trouble -- not malice, just youthful (inexperienced) judgment. I spent the majority of my free time (when I wasn't working in a computer store, or consulting on the side), hacking, cracking and phreaking. I saw friends arrested by the FBI, and many others doing things that they could be arrested for. But it wasn't going to stop me -- and it isn't going to stop them now.
Our laws are still so bad that we are all guilty of felonies right now. Since you are already guilty of a few felonies, what are a few more to the list? (Or so the thinking goes ). I'm not kidding on that felony thing -- in California it is illegal to own a circular saw blade -- it could be thrown and is considered a ninja throwing star (Shuriken/Shaken). Just owning one is a felony. My roommate and I (years ago) helped some minors out with a place to stay (to get them off the streets) -- felony. I've gambled in unapproved ways (played poker with friends) -- probably only a misdemeanor. We've all driven over the speed-limit -- probably at least once by enough to be a felony. Many have used non-state approved herbs, or used them in unapproved ways, or even drank while under age. When you are already guilty of dozens (if not hundred of crimes), what are a few more? Bad laws, and too many laws, teach people to be contemptuous of the law -- but I'm wandering into a different article.
Another common way to break in is brute force. If someone really wanted to get into a site/network, you could just find an account, and try all possible passwords. Early Systems would give you a different error message if you had an invalid account or invalid password. So many would just try names (accounts) until they got one that worked, and then they would try passwords until they got in. The TV has popularize the myth that is the most common way in, but it is probably the least common way in. But you should know how it is done. The basics are that you learn enough about the System (Computer) that people are running to know the System Administrators (SysAdmin's) account name and default password. You'd be surprised how few actually change this, or change it to something lame (like their name, etc.). Easy in. Research almost always pays off for the hacker. With a little investigation, they can find out what the account names look like (first letter of first name + last name = account name) or the basic format that is being used. Once you have the account name, it is just a matter of trying all possible passwords until you got the one that worked. With 6 character (case insensitive, all test passwords), it was only about 27^6 possibilities (387,420,489 possibilities). That may sound like a lot, but a computer could find that in a year (assuming about 5 tries per second). But most passwords are either a name, or a word. So if you limit your password tries to what you find in a dictionary (less than 6 characters) or names, you get something that would probably take a week (even with slow communication). Now days there are hacker dictionaries for the most likely names and words -- probably about 50,000 possibilities (or as little as a few hours). Brute force is still a time costly way to break in -- and there were counter measures to make it harder. Many systems went to upper and lower case, require 8 character passwords, assigned passwords, require numbers or special symbols, force password rotation (changes) and the systems have a long pause between multiple tries (or disable an account after a certain amount of tries), all as a way to slow hackers down.
Getting around Counter measures -- Many of these counter measures help hackers. Often the hacker just has to figure out the default passwords assigned by IS, or the format of the passwords assigned and it is even easier. If the System locks people out after too many failed password tries, annoyed hackers can just lock up dozens of accounts in protest -- let the IS types deal with THAT added workload. If a system forces people to change passwords too often (like more than twice, ever), after a while users get bored and start going for passwords like "111111" or "22222" so that they can remember them. So requiring too many password changes just opens up security holes (not closes them). In fact, it is so likely that SOMEONE used one of these passwords, that you hack the other way -- you start hacking for an account that uses this password (instead of hack a password for a particular account). This gets you around the 3 tries per account problem since you are just trying all the accounts. Duh! If a System gives users passwords, or forces complex alphanumeric combination, the users write down their passwords so they don't forget them -- then a hacker just has to get a shot at rifling a desk or daytimer, and that is an easy in. So many (most) counter measures may not only annoy users and reduce productivity and waste time, but they may make it far easier for hackers.
I started college at a midwestern private university. I'd been programming for years (and even been a consultant). I walked into the lab with the arrogance of a 18 year old expert, and talked to the System Administrator. He treated me like a lowlife freshman scum (which I expected), and someone that was beneath him (which was a mistake). To show off his "superiority" and power he leaked the information I needed and told me where they kept the System manuals. Without knowing it, he had thrown down the gauntlet, given me a club, then turned his back; this is known as BUGU (Bend-over and grease up), this was going to hurt (him, not me).
Arrogance and condescension is the best way to piss off a hacker. Hackers can take some things as challenges -- and not respecting them and what they have done (or are capable of) demands a response from them. Usually they will prove that they have superior knowledge -- and if you still don't accept that, it will keep escalating, and it can get ugly. Just treat hackers as they deserve to be treated -- very knowledgeable and somewhat dangerous individuals with too much time on their hands. Most of the best information is leaked by accident. People's mouths run off -- especially during geek-talk. Many keys to the family jewels have been given over in idle conversation.
I read the System manuals over the next couple days; they didn't put a lock on the door to the System manuals, and no one said I wasn't supposed to read them. It wasn't hard to figur out the Systems "flaws"; the biggest being that it used shared pools of memory for temp-storage (similar to Windows). Once you have that hole, many other security holes spring from it; as is proven by the dozens of security holes in Windows. Inside of a week I had programmed a utility that would allow users to live-chat with each other, and pass files; which the school had wanted to prevent. The school was not pleased with my additions, but then again, they didn't know they were mine.
Stupid rules and limitations don't matter to hackers. There was no reason to forbid this action (file copying or email) when kids could cheat by just typing homework in manually. So I ignored their vapid rules. The school had many other dumb rules. Once you give a teenager a stupid rule to ignore, they have contempt for all of them. Stupid rules are like a giant kick-me sign to hackers and antagonizes them.
As long as I could get into these temp-files (and shared memory), I made a utility that could steal an image of whatever someone was working on while they were on-line and working on the file. Of course I made a utility to tell me who was logged on, where they were, what they were working on, and so on.
Later, I tormented a professor who had wronged me. I had an alarm go off whenever he logged on, and I would change his work while he was working on it. He was sure the System was possessed, and looked like a fool complaining to everyone that the System kept introducing errors into his work, and so on. Of course, I considered it karma for screwing me (and the college) in a business deal with the school; he used influence on a board to veto a bid I'd made for a company, and get the deal swung to one that he got a kickback on. My point is not that I was right in the business deal, or that he was wrong (I know that), but that doesn't really matter, if a hacker thinks he is right that will be enough. Revenge was probably deserved; but in hindsight, I was a shit, and it was not my proudest of moments.
Hackers (like all of us) have had unfair things happen in our lives -- but they seem more likely to take more offense by it than the norm. I think that the kids most likely to become hacks, are somewhat isolated, more likely to have been picked on, etc. This means that they are more likely to have an extreme reaction towards a "drive for justice" and revenge -- since they may have put up with too much shit, for far too long. (That is how I see myself back then, and the others I knew). But Hackers are likely to have the power to do what we all might want to. They also probably have a lack of social skills, and aren't good at defining the lines as to where/when they should stop. If you don't wrong them, then you will probably be just fine. If you do wrong one, there can be a vendetta to make your life miserable.
Since the System administrator and I were already off to a bad start, I decided to secure my files from him. I wrote what was called a "hello" program (a program that automatically runs when you log-on). Then I made that program have a secondary password to get into MY account (and access my specially encrypted files). I also had System Information, so I made sure the hello program would run no matter what "type" of account I was assigned. (So that the SysAdmin couldn't just change account types and get around my little hello). Then I warned the administrator that I had my own security on, and that he shouldn't try to "get on as me".
As an administrator he could still copy my files without logging on, he could delete my accounts, he could do whatever he wanted except get on as me -- but he took my warning as a challenge. Which it was. He also underestimated me, as I knew he would.
When I came into the lab, later that day, he had locked up 4 terminals trying to get on my account. He kept changing my account type, and kept trying again. But I had messed up. The way I had made the privileges for my security, there was no way to just "kill" the tasks once you failed to log on. I had given myself three tries to get the password "right" -- figuring after two tries the person would "escape" and get out. He didn't. After the third try, the terminal was locked up, for good -- with no way to unlock it. In hind-site, I probably should have created a way to "unlock" a terminal. Mea culpa. He was furious when he learned that he had to reboot the entire computer system (many dozens of students and teachers were effected). He blamed me (to the administration), I blamed him and stated that I had warned him not to do what he did -- fortunately, I didn't get in trouble since one of the professors knew me and trusted me (and defended me). But now I was really pissed at the System Admin, he not only attacked me, then tried to blame me for his incompetence -- so I did what any self respecting hacker would do, I escalated the warfare.
Many hackers give warnings. They want people to know how smart they are -- so they tell you what they are going to do, if. Trust that they can do it, ask them not to. Many are a bit "socially stunted", but are not out to hurt people that don't wrong them. Many will do what you ask them, if you ask them nicely. Most of the harm done is by accident (not intentional) -- as was done in that case. Many hackers will tell you HOW they are doing it if you ask, allowing you to close the security hole and make it more challenging. Another problem is that many don't understand the ramification of what they are doing. Crashing a system (and destroying data) can cost companies $100,000's of dollars -- that can be a pretty large price just because someone snubbed them (or treated them like a kid). Most of the costly mistakes (to you), are innocent accidents by them -- but that will still cost you.
For my next trick, I wanted to totally crack the system wide open. I wanted my own administration account. In Unix this is called "getting Root" (the root directory and root account is the source to accessing everything). The school had a special terminal to assign accounts with. It was separate from other terminals, but not secured from others (other people could use it as a regular terminal -- but the SysAdmin could kick them off for his work). Back in the 80's, they used to have these things called "print buffers". They went between a computer and a printer, and could "spool" (record) a few pages of data, so that your printer would return control back to your computer faster -- and the spooler would do the job of feeding the data to your slow printer for you. With a snip and a solder iron, it wasn't hard to make this spooler just "snapshot" the first block of data that it saw, but still pass that, and everything else though. So I delicately placed my special buffer/spooler behind the System Administrators terminal, and went away and waited. When he logged in, my little data-camera captured his account and password (and the first few thousand characters) but kept passing through all data like normal. He had no reason to know anything was wrong. Eventually he did his work, logged off an left. I walked up, turned the camera around, pressed me "resend" button, so that it sent to the terminal screen everything that he had typed (including the password). From there it was short work to totally violate that system in 27 different ways, and make secret administration accounts (and hide them).
There were 100 other ways to violate the system. I chose the easy path -- one so easy that most people wouldn't have even thought of it. The point is that hackers are creative at solving these puzzles. You can think of 100 holes to plug, and they can find the one (or ten) holes that you didn't plug-- that is there job (in their minds). Again I went for a physical way through -- if someone has access to the System itself (and they are determined), then it is just a matter of time before they can figure a way to get the information that they want. Network lines, and the data path usually have some "opening". And if they can get to those lines, they can usually decode those streams too. There are a lot of ways in.
Once the SysAdmin learned I had more power of that System than he did, he stopped challenging me (wisely). Once I cracked the system open, I was bored and so went on to other things. I also left that school a few months later, and only tormented that SysAdmin on a few occasions. I had won, and it was on to the next challenges (which turned into more cracking and phreaking areas). I stopped hacking (more or less) for a few years.
How to annoy the DOD
Year later, I was working at Rockwell late one Friday, when almost everyone had gone home. Another employee needed to have something that he didn't have rights to, in order to get his job done. I knew the two System Administrators and their interests. So I gave it a shot. In 10 minutes I'd password-hacked the System (I just guessed at the password, knowing these people).
This is rare -- far rarer than people realize. Movies have sensationalized this way as the most common way of getting in -- it isn't -- it requires tons of luck and is unrewarding. Hackers value skill, not luck. Still, some people are good at this, and research people just to guess their way in. Still there is probably a 1:100 chance that this will actually work.
Once in, I quickly made my own System Administrator account, hid it from the others, and made a program to print out all the passwords in the System. (Just the basic stuff you do when you get in). Then I gave this guy the rights he needed to get his work done, and I went back to work (ironically, I was writing network communications and security for a military satellite terminal). Everything was fine, and that would have been it -- but no good deed goes unpunished. The guy I helped went to the System Administrators and whined, "why can I have superuser access? Dave's got it." The reply was, "oh no, he does not!". He responded, "well he did this for me on Friday, so 'oh yes he does'". And the SysAdmins came to me and asked what was going on. I explained what I did, and why. One laughed, the other turned pale. The DOD (and Rockwell) was going to secure that $200K+ minicomputer for secret information. It didn't matter that I had a security clearance, and wasn't doing anything malicious, if they found out what had happened they would have fired me, and NEVER allowed that machine to be secured, and Rockwell would have been most displeased. They would have also prevented me from working in Aerospace again. (DOD has a seriously limited sense of humor). We quickly covered up all traces of the violation, pulled out the hidden account, and we installed an encrypted password system -- and the SysAdmins showed me where they kept their passwords written down, in case there were any more "weekend updates" required. Everything came out well, but my innocent little act could have ended me up in prison, and certainly out of a job. When this extreme punishment happens, think about what it does to a hacker type person, and why they get a chip on their shoulder towards society and its laws. Over reactions can make the marginal types into full blown criminals (as it probably would have done to me).
Most security violations are from within. Most harm is done by disgruntled employees. You have far far more to fear from your employees than from external violations. If you treat your employees well, then you have far less to fear from hacking. Firewalls, and most corporate security is not effective against insiders. Many people that really want to break into a system, can get a job, or fake a badge, well enough to get "inside" and get the information they need. If the military isn't safe with draconian measures (literally), is anyone?
I've done a little white-hat stuff (breaking security to find the holes or help companies). Once you're inside the company, it is near impossible to block up the holes.
Recently a system admin said, "ha, I blocked all SSH and shell access. No one can get through this. See if you can get in". I chuckled at the naivete. Users needed access to upload files (it was a public web server), but since I could upload things, I could upload my own programs. I wrote my own shell in a web language, in about 5 minutes; this allowed my web page to control the machine. And the passwords were in a known place, and while read only and encrypted, they weren't that encrypted.
It is near impossible to simultaneously give someone access to your machine, and then to block it from that same person. If you can program a machine, you can program it to do things others may not expect. While I knew of many ways to plug more holes, there are even more to get through. Look, I'm nowhere near a security expert; imagine what far more focused hackers can do, especially with some training?
There are certainly other stories to tell, these are just some of what happened to me. I saw much more happening to others. I saw friends (or at least acquaintances) arrested by the FBI for doing stupid things, people just snooping where they didn't belong and so on. Most of it is not intentionally criminal or malicious, but many times they are willing to disregard laws as well.
For every way there is to plug holes, there can be new holes created. The biggest hole in security is people. There is no such thing as a secure system, as long as people have access. What people need to really do is figure out how to balance access with security, and decide what is acceptable.
Too many companies set their balance on one side or the other -- either completely open and vulnerable because they don't want to spend the time or money, or the system is so secure that employees waste time and money trying to actually use the network. Every company has to decide where they want that balance, but not go overboard either.
I have better things to do that hack anymore (and haven't for years and years) -- and things have change a lot in the last 15 years. But the concepts are similar. Maybe understanding what and why will help you avoid problems in the future. If not, I hope at least this article gives you some insights on what hacking is, why it is done, and what many of these guys might be thinking.