PLA031 AcidFlux's Story Time Hour

Delirium Presents

Acidflux's Story Time Hour

Written on May 16, 1995

Once upon a time (around March I think) a local sysop challenged me to crack his friend's password on the local high school (Monte Vista, monte.mvhs.srvusd.k12.ca.us, running Ultrix v4.1). So I get in, get root (sysop access), and look at the password file. Unix passwords are scrambled with a one-way encryption method. Say your password is "fuckchop". It's stored in the password file as "hdVcOLOsIcvLE". When you login to a unix system instead of decrypting the password it encrypts what you type in and matches it with the stored encrypted password. So to crack passwords you need a program such as CrackerJack that will go through a long list of words (a password dictionary). I couldn't crack the guy's password so I deleted his account and told the local sysop there never was one (situation averted). So I make a few accounts, Bluesman gets on the system and we start looking through people's mail (this is where that "Chia Pet" letter from Delirium Issue #4 came from) when suddenly a root account (chatter) starts paging me. Here's a log of the ntalk conversation with "Anirvan Chatterjee" (It's been formatted for the sake of reading):

[Connection established]

Me: May I help you?

An: chan? Elizabeth?

Me: Yes? Have we met?

An: This is Anirvan, I believe...

Me: Anirvan! How are you?

An: Oh fine...do you see me listed as "root"?

Me: Yes, why?

An: oh...I was doing some routine sysadmin stuff, when I saw you logged in...

Me: 10:00pm on a friday night eh?

An: what else is there to do on a friday night?!

Me: Yeah, I guess you're right.

An: well, i have friends online i talk to, and then there's other fun stuff to do...

Me: Yeah, I'm new to this, you know how that is.

An: of course... where are you coming in from? an online service? a commercial carrier? ccnet's probably

Me: Yeah, I have an account on there, why?

An: where? I mean, what's your email address? there...

Me: Scall@ccnet.com

An: coolness... Geez....hate how those lines keep overlapping (type control-L t

Me: Yeah... say, doesn't it bother you in the slightest I have root?

An: say what? you have root? please explain..

Me: Well, I'm going to format your winchesters. Just business, nothing personal.

An: errr...who is this?

Me: Hehe, I'm just kidding! Internet humor.

An: errr, yes. Charlie?

Me: What? This is Liz.

An: I'm sure.

Me: y0ur c0mput3r h4s b33n b0rd3d by th 3l33t3st 0f th3 3l33t!!@#$!!

An: that's so nice to know.

Me: r3sist3nc3 iz futil3!!

An: yay. I'm so impressed.

Me: Wanna see a neat trick?

An: not really, so Charlie,

[Connection closing. Exiting]

# removeuser chatter

Enter login name for user to be removed: chatter

This is what the entry in /etc/passwd looks like:

chatter:.bplovnCwERio:337:15:Anirvan Chatterjee,CPR2,(510)837-7507,

:/u/students/chatter:/bin/csh

Is this the entry you wish to delete? y

Working ...

User chatter removed.

Do you want to remove chatter's home directory,

all subdirectories and files (y/n)? y

You should have backed up chatter's files if you do not wish to lose them.

Are you sure that you want to remove chatter's files (y/n)? y

Deleting /u/students/chatter

Then I kill all his processes and change the root password. Again, situation averted. 10 minutes later he unmounts the drives. The next morning he tells the computer lab who did it ("Acidflux, Bluesman and Deadlocke [aka Silicon [)ragon]"... like I said, I made a few accounts while I was on) and that we hacked in to use their link to the Lawrence Livermore Labs (local nuclear facility... anyone read The Cuckoo's Egg?). On top of that Bluesman logged in from a New York system so Anirvan starts talking like MOD was after his ass (This was in the California Bay Area BTW). That afternoon Anirvan gets a call from a Monte Vista freshman named Brett Nelson posing as _me_. He says "This is Acidflux, you will receive a call at 9pm tonight" along w/ some veiled threats and whatnot. They recognized his voice and kicked him out of school (I think this story has a moral in it somewhere). A couple months later the system is back up and I find this article on Anirvan's Webpage (http://192.188.37.4/~anirvan):

"Beyond Wargames" by Anirvan Chatterjee (`95)

Net historians record the sudden increase in destructive net activities after the release of Wargames (the seminal cracker-as-hero movie, the tale of an antisocial nerdy 80s teen equipped with a modem who stumbles onto the secrets of a corrupt military establishment (see also, Sneakers)). Those were the days when cracker and darkside hackers were truly dangerous only to government and corporate America. Well, think again. While corporate network security has increased severalfold since then, the massive growth rate of the Internet won't be able to extend the same degree of protection to newcomers unable to obtain the best protection money can buy. I speak from experience, having gone through two such cases recently, both very close to home.

Everybody probably knows about the cracker intrusion into Monte Vista's computer network. (You don't? The Reader's Digest Condensed Book edition: I was online at Monte Vista from home on a Friday night when I saw someone else, a friend of mine, logged in too. I tried to "talk" to her online, but she didn't respond. So I was doing some routine system maintenance, when I saw a strange call to talk from someone logged in as the system operator--but I was the system operator. Oh well, I ignored it, until my friend finally agreed to talk to me. She seemed rather confused, didn't understand who I was. I tried asking her what she was planning to do this weekend. Suddenly, she burst into a rant along the lines of "I am elite! I broke into your system! Hahaha!" By this time, I'd realized that "she" was somebody who had broken in under that account, and broken into the system operator's account. We did some online jousting, (by now I had Charlie Hsu, speaking voice, advising me on the fax line) until I managed to remotely shut down the Monte Vista network, but only to find that he'd deleted my account, my email, my projects, my web page--everything. Talk about playing the martyr for my system. (Yes, yes, the proper authorities have been contacted, and they're working hard, trying to catch the evildoers.) Anyway, there's my story. Now you can laugh at it.)

But after all that, who to blame? The cracker, certainly, but also the cluelessness of the newbie system administrators (including yours truly) who just didn't know enough to implement current and effective security measures. That, and insecure usage habits on the part of so many equally clueless users ignoring even the most simple warnings about password security (a computer network is only as strong as its weakest password). As long as the Internet keeps expanding at such furious rates and the age, maturity, education, training, and all-around cluefulness of the average user keeps declining, this will keep growing as an issue.

Net.access is getting easier and easier to obtain, and security measures from many established, otherwise clueful net.folks are being correspondingly toned down to fit the minimal effort/maximum personal gain philosophy of many coming online for the first time (the same type of people who will break every point of net.courtesy to get information, rather than checking documentation, FAQs (Frequently Asked (and Answered) Question lists), or contacting their local system administrator). (For example, Microsoft Bob's password protection will automatically let you change it if you guess incorrectly three times in a row--even a four-year-old could get past that kind of protection!)

I found out very recently that my Internet carrier's security could be easily compromised, not online, but through what crackers call "social engineering"--by breaking in through their customer support. January 31, someone posing as the cracker who broke into Monte Vista called my house and left me a voice message instructing me to wait for a call at 9:00 p.m. if I wanted to recover my password. I tried dialing into my account, and found my password to be invalid--someone had changed it! Of course, I didn't believe that the caller was who he claimed to be for a second--he had pronounced my name correctly. Nobody ever pronounces my name correctly after having only seen the spelling, so I knew it had to be someone who knew me. And who had something against me. I listened to the message again (the idiot had done me a huge favor by leaving a long snippet of his voice digitally recorded for me to listen to again and again) when I realized who it was--an annoying Monte Vistan I'd busted and kicked off the Monte Vista network a few months ago, for some truly unsavory activities he'd gotten into, all the system rules he'd violated. I contacted my Internet carrier's support staff, and hooked up with a rather clueful administrator, who traced the breakin. I was informed that someone calling in from the local dial-in node had accessed my account (when I had been hours away from the nearest modem), and deleted all the files in it. Damn! Damn! Damn!

As we retraced the cracker's steps, we found that the [please substitute a handful of your favorite explicit pejoratives here] had unsuccessfully tried to access my account at 11:00 a.m. (why wasn't he at school during 4th period? note: network knowledge has little correlation with common sense, intelligence, or academic achievement), then spoke to someone on the support staff between then and 1:00 p.m., convincing them that he was me. Then the "helpful" support staff changed my password for "me," as soon as the intruder was able to pronounce my name correctly, and give them my phone number and address. Once he had BS'ed his way past their safeguards, he then asked them to change "his" password for him, as he had "forgotten" it. Devious little [choose your own again], eh? Then a little before 1:00 p.m., and again at 1:40 p.m., he logged in under my account, with the new (now changed) password. He went through all my files. Then he deleted everything: my saved mail, my notes, my projects, my backups. And as if that wasn't enough, he then proceeded to browse through my email. By this time in the conversation with the tech admin, I was seething. Luckily for me, the guy was able to restore most of my files and mail from system backups made the Friday before. So I didn't lose too much, but that's beside the point. I felt so violated. Nobody should be able to go through my email and files, reading and deleting at will, invading my privacy; there's a world of difference between system operators doing routine checks, and intruders breaking in as part of some sick revenge fantasy. So I registered several "secure" codewords with the support staff (my mother's maiden name, etc.) that they would have to get from anyone calling for support under my name. And that was that.

Yes, yes, the cracker, a (now "former"?) Monte Vista student, has been caught and arrested, for his numerous ugly computer-related crimes (physical theft of computer equipment is a rather silly idea if you want to stay on the good side of the law), and I have the oddest feeling I may have seen the last of him. But it's not the [yet another pejorative here] himself I'm so concerned about, as much as the trend he's running on. Online interaction has become so easy and widespread that it seems as if anybody with something against you could take action against you. And the more business that we conduct online, the more dangerous it is (I've purchased several items directly on the Internet over the course of the last year, using unencrypted credit card numbers--dangerous, I know.) From mailbombings and anonymous flames, canceled postings, forged mail or postings, to outright electronic intrusion, almost anything is possible. Take Kevin Mitnick, the recently captured master cracker who infiltrated sites in the hundreds, from the accounting records of Netcom (the nation's largest Internet Service Provider, and very possibly the least-liked (for its anarchic administration and dumbed-down service)) to the Well, arguably the coolest and most respected Service Provider in America, the home of the Net's "cultural elite" (synonymous with its technical elite). News reports say his breakins weren't "personal." God help anybody who pissed him off. Interestingly enough, at least three movies about the Internet are now filming. One of these is The Net, about someone whose very identity is tampered with when police, credit, and other identity records are all altered. As technically improbable as the plot is, the concept is definitely sound (recall the case of the vengeful phone phreaker who rerouted his parole officer's home phone to a (900) sex number). This stuff doesn't just happen to other people. Let the netizen beware. Tough times lie ahead.

An aside: Don't let this article scare you into not getting online. Accessing the Internet is a fabulous experience, and not akin to war as my words might lead you to believe; it just requires some common sense. As long as you have your wits about you, and aren't afraid to turn to manuals or your friendly neighborhood system administrator for help, you'll be OK. Interested in getting online? Do ask me, or someone else with online experience for help. I love helping people, but I'd much rather be able to help someone before s/he actually commits her time and money to problematic, expensive commercial networks.

Then I find this followup letter:

Dear Geek-meister:

Enjoyed your latest issue. A couple of philosophical and technical notes you may wish to ponder:

(1) Re: Anirvan's tome on Internet security, There's a consistent assumption that the crackers he describes in the article are male. How did the author know? Did "he" write about hunting giraffes? Use locker room humor (actually, I've heard enough qualifying material from females during stints at MV to dispel any such assumption)? How many readers just read along and assumed, along with the author, that the "perp" wears pants (oops), make that Jockeys (nope) boxers? (yikes), buttons left over right (okay, I think).

My purpose here is not to pick on AC--indeed, I think his energy, intellectual curiosity and considerable erudition in publishing Paradox are really laudable. I just think we should all ferret out, consider and overcome creeping sexism wherever we find it.

Sorry if this has been more self-glorifying than informative but after seeing Anirvan's side of the story I had to type this up. I'm going to go have a coke and a smile so I'm ending the story here. Watch out for that creeping sexism.

-Acidflux
