[40m[2J[0;1m
UNDERGROUND
[42C[30m[9C
[11C[13C[0m[12C[1;30m
[13C[37m   [0m  [1;30m      [0m  [1m
[13C [0m    [1;30m       [0m  [1m  
[11C[30m  [37m   [0m [1;30m           [0m   [1m  
[14C  [0m   [1;30m       [0m   [1m
[11C[30m  [37m[5C[0m[7C[1;30m      [6C   
    [32m˿   ˿ ˿ ˿    ˿ ˿ ˿ ˿ Ŀ
         ɼ      δ     δ    ˴
     ͼ                   

[37C[37mBY

[32Cô[0m[1;30m[37mô[0m[1;30m


[37mAs a CoSysOp of The Dojo BBS and resident hacking enthusiast, Yojimbo
asked me if I would be willing to write something about h/p/v in this noble
social experiment we call Synchronetics E-Zine. For those who are not as
versed in the digital underground, h/p/v stands for hacker/phreaker/virii.
Of course, I know there are some purists out there who believe a "c" should
be included (carding), but I don't agree. Carding is an illegal, ignoble
act perpetrated by anti-social, immature children that prove ,"A little
knowledge is a dangerous thing". Carding, by the way, is the illegal use
of credit card numbers to obtain merchandise, usually computer related.
But I digress. My purpose in writing this article is to inform sysops, and
anyone else out there willing to read it, about what we, the h/p/v community,
are all about. While this may not be entirely Synchronet specific, it is
more or less BBS related.

Most people's first taste of hacking was the classic movie "WAR GAMES", with
Matthew Broderick, I know it was for me. Watching that movie opened my eyes
to the power which the common person had in this new "information age" of
ours. I was hooked. I got my first computer and modem for my birthday the
next year, and I was jacked into the information superhighway (not much more
than a dirt road then, and now to a point). I started calling up local BBS's
and began to immerse myself in the underground culture of hacking and
phreaking. But, enough about my background, onto the purpose of this article.

There are two types of hackers you may come into contact with when running a
BBS, whether for fun or for profit: Hackers who hack for the sake of hacking,
and those who hack with a purpose (sometimes benign, but usually malign). To
be a little more specific, hackers who do it for it's own sake are usually
just curious people who like a good challenge. They aren't trying to gain
anything from their actions, except maybe knowledge, which is what a true
hacker prizes above all else. That is the entire reason for the hack in his
mind. That, and the satisfaction of overcoming that which is not meant to be
overcome. Usually, if this type of hacker successfully discovers a weakness
in a system's security, he will notify the system administrator of it's
existence and perhaps even assist in fixing the problem. This is what *TRUE*
hacking is all about. The other type of hacker you may find "knocking" at
your door usually has a more destructive purpose in mind for your system.
These are the type of people that have made hacking a bad thing in the
mind's of a great many people. This person may be a disgruntled ex-employee,
or perhaps an ex-user with a grudge. Or, it may be a complete stranger who
revels in the idea of causing chaos and destruction. Sometimes it's just a
"kid" using a little of that dangerous knowledge I spoke of earlier. The
important thing is that this guy is trying to get into your system without
your permission.

For the benefit of anyone new to SysOping or hacking, I thought I'd give a
an example of how someone like I would try to overcome your system's
security and gain access to sensitive information. In the case of system
intrusion, forewarned is indeed fore-armed. Knowing some of the tactics
employed may help you to design your system's defenses more effectively.

THE HACK

Since almost all systems require only a name and password, it just seems
logical that that's where most hacking begins. Usually the name isn't that
hard, all you have to do is log on as a new user (with bogus info) and
display a user list, and voila! You have a list of logon names. By the way,
did I mention the fact that most hackers worth their modems always have
their screen capture on when calling other systems. That way, they can make
a printout of everything that went across the screen for later viewing. A
good way to get little tidbits about a system here and there. Anyway, the
names aren't really useful without a password, right? Well, that's not too
hard if you just employ the method known as brute-force hacking. What this
means is you just try to guess someone's password until you get it right.
Sometimes it works, sometimes it doesn't. Let me give you an example: Let's
say you have a user on your board who is a big fan of Anne Rice, the lady
who wrote the Lestat books. And let's say this user chose the handle
Lestat, well, from that we could probably deduce that he would use some
kind of word related either to vampires, or Lestat or some such. You get
the picture? Sometimes it works, sometimes it doesn't. How do you defend
against this kind of attack? Well, either you keep your users lists
confidential, which is unrealistic if users post messages with their logon
names, or you make users choose a password that's difficult to guess.
Synchronet is good in the fact that it offers an apparently random sequence
of alpha-numeric characters for a newuser password, but this only works if
the user chooses to utilize it. In my experience, most people tend to use
easily remembered passwords, and use the same passwords on several
different boards. It's this laziness, and lax attitude about system security
that make a hacker's job easy. Being a CoSysOp, I also have access to the
system's user database here and I usually like to see what kind of passwords
people choose. You'd be surprised how many actually choose "PASSWORD" as a
password. If I try to hack a system, that's usually the first word I try. Or
perhaps "1234" or some variation on that. It's usually something simple and
easily remembered. Remember, a chain is only as strong as it's weakest link,
and your callers are it's weakest link. Educate them.[0m[255D


