Collins: Hacking

From iGeek
Revision as of 16:34, 18 July 2017 by Ari (talk | contribs) (1 revision imported)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
CollinsHack.jpeg

I had been a bit of a hack in High School and College(s). I was never the worst/best, both because I could be lazy about it, and because I had better things to do. But I could break into systems, and did at various times, and in various ways. But most of it was not criminal or vandalous; it was usually very focused and for a reason (or the conquest of a challenge). I'd gotten over it quickly, especially when a few friends got arrested by the FBI, but as I said, it took too much time, and was too dangerous, and I mostly left well enough alone. I was having too much fun getting paid to be criminal about things. Until one day...

It all starts so innocent

So there I am, trying to get stuff done. I'm dependent on another guy (Mackler), and he doesn't have enough privileges to do what he needs. I was about solving problems (over, under, around or through: I got the job done). The System Admins had gone home, and we were stopped. Screw that. I hacked into the machine the most common way; I just started guessing password names for the Admins before we had really good password security protocols or password scramblers. Also this was inside a secure building, and by secured people; so after that many layers, security wasn't that high.

It took about 10 minutes, and I was in. This is rare, and it is really a crapshoot; with most of the time this not working, or it at least taking a while. And most attacks have to be much more strategic than this. But heck, sometimes you get lucky. So I got in, and was not going to do any harm. I fixed Mackler's privilege problem, so he could get his thing done, and I could get my work done.... like sex: in-out, repeat if necessary.

But as long as I'm in, why not snoop around? Like a typical nerd with root access, I figured out that there was no good utility for decrypting the password files, so I wrote one; and then printed out a master list of the passwords (just in case).

Then I created my own "God" (admin) account... and figured out how to hide my account from prying eyes (so you couldn't find it with ordinary account searches), masked what I'd done from the the log files, and left. The usual. Wheeee, that was fun. It only took a couple hours, but that was because I was already a systems programmer for a related machine (so I was pretty well versed with the flaws). Oh well, back to work; no harm done.

No good deed goes unpunished

Monday rolls around, and I hear Mackler through the 6' high cube wall talking to the Admin, "You weren't around, and I want super-user access too (implying that I had it)".

Admin, "No, he doesn't. And you don't have a need.".

Mackler, "Yes he does, he fixed the space limitations this for me on Friday after you left...". And so on.

I was of course alternating between head-smacking, sky pleading, and furiously pantomiming strangling and beating Mackler to a pulp through the cube walls. Then the dull knocking noise that was my head hitting the desk, repeatedly. Never do nice things for idiots.

And the admin has figured out that Mackler does have more space and someone had to do it, but the clickety-clack of the keyboard is revealing no trace. And so the Admin (who is a friend) comes over, and is asking me delicately what the fsck is going on.

I tell him the whole story. No big, I hacked it using the other admins password, then fixed a few things, like I'd done in my few semesters of college and high school, it wasn't a secured computer or anything.

Bad news, we were securing that machine in a few days; they just don't like to tell people this stuff ahead of time. And the DoD would never allow a compromised computer to be secured. Basically I had turned a half million dollar computer into an expensive paperweight. And if the DoD found out, I'd be fired, black-listed, sodomized (and not in a good way), and never work in this town again.

I was thinking, "Religious bovines Batman, we gotta fix this".

The admin knew me, my motives, and was thankfully willing to work with me to cover my tracks, cover my ass, and save my job.

I went back, showed him everything I'd done, gave him my listings, deleted my utilities (actually, I think he kept a copy), and so on. We made sure the logs were cleaned, and undid my secret super-user account (he was greatly amused at how I hid it after an end-of-file pointer in the dead-space of a disk block and the login process was modified to also look there). Then we cleaned like a woman whose mother is coming to visit. And lastly, we pretended that nothing happened.

The sysadmin showed me where he kept the password written down in-case we needed something done when he wasn't around, but since I didn't have "official access" things were all legal. As it was, I never used it again anyways - I learned those DoD guys can have a limited sense of humor, even if I meant no harm. Better to stick to my own stuff. The system went secure, my ass was saved, and my wisdom got the better of my curiosity after that, in that job and others.

Conclusion

In hind site, it sorta makes sense. Kids and hackers don't think of virtual security like physical. I wouldn't break into someone's house or file cabinet, especially at a secured facility; but a computer was just a mental puzzle. I learned to better relate the two - violating security is an invasion of privacy, whether virtual or physical; but it sort of took the threat of incarceration and loss of job to really wake me up.

There are a lot of lessons about hackers here. I had a lot to lose; like a profitable career or my freedom. Many that stay in hacking have less to lose, or don't realize the costs. Many aren't as malicious as people think; but they can still do harm without meaning to. It takes a certain amount of intelligence, combined with a lack of wisdom to go too far down this path; that's why I think many grow out of it. There's often a luck factor, and most hackers are insiders with knowledge of the systems and processes, so know how to attack the system. Lastly, most intrusions are never discovered; but can completely compromise a system from then on. Either way, I'd learned my lessons before this event; this one event just pounded home the risks.

2003.05.05

Return to: Collins