PLA Issue #31: AcidFlux’s Story Time Hour

Written by Acidflux on May 16, 1995

Once upon a time (around March I think) a local sysop challenged me to
crack his friend's password on the local high school (Monte Vista,
monte.mvhs.srvusd.k12.ca.us, running Ultrix v4.1). So I get in, get
root (sysop access), and look at the password file. Unix passwords are
scrambled with a one-way encryption method. Say your password is "fuckchop".
It's stored in the password file as "hdVcOLOsIcvLE". When you log in to a
Unix system, instead of decrypting the password it encrypts what you type
in and matches it with the stored encrypted password. So to crack passwords
you need a program such as CrackerJack that will go through a long list of
words (a password dictionary). I couldn't crack the guy's password so I
deleted his account and told the local sysop there never was one
(situation averted). So I make a few accounts, Bluesman gets on the system
and we start looking through people's mail (this is where that "Chia Pet"
letter from Delirium Issue #4 came from) when suddenly a root account
(chatter) starts paging me. Here's a log of the ntalk conversation with
"Anirvan Chatterjee" (It's been formatted for the sake of reading):

[Connection established]

Me: May I help you?

An: chan? Elizabeth?

Me: Yes? Have we met?

An: This is Anirvan, I believe...

Me: Anirvan! How are you?

An: Oh fine...do you see me listed as "root"?

Me: Yes, why?

An: oh...I was doing some routine sysadmin stuff, when I saw you logged in...

Me: 10:00pm on a friday night eh?

An: what else is there to do on a friday night?!

Me: Yeah, I guess you're right.

An: well, i have friends online i talk to, and then there's other fun stuff to do...

Me: Yeah, I'm new to this, you know how that is.

An: of course... where are you coming in from? an online service? a commercial carrier? ccnet's probably

Me: Yeah, I have an account on there, why?

An: where? I mean, what's your email address? there...

Me: [email protected]

An: coolness... Geez....hate how those lines keep overlapping (type control-L t

Me: Yeah... say, doesn't it bother you in the slightest I have root?

An: say what? you have root? please explain..

Me: Well, I'm going to format your winchesters. Just business, nothing personal.

An: errr...who is this?

Me: Hehe, I'm just kidding! Internet humor.

An: errr, yes. Charlie?

Me: What? This is Liz.

An: I'm sure.

Me: y0ur c0mput3r h4s b33n b0rd3d by th 3l33t3st 0f th3 3l33t!!@#$!!

An: that's so nice to know.

Me: r3sist3nc3 iz futil3!!

An: yay. I'm so impressed.

Me: Wanna see a neat trick?

An: not really, so Charlie,

[Connection closing. Exiting]

# removeuser chatter

Enter login name for user to be removed: chatter

This is what the entry in /etc/passwd looks like:

chatter:.bplovnCwERio:337:15:Anirvan Chatterjee,CPR2,(510)837-7507,

:/u/students/chatter:/bin/csh

Is this the entry you wish to delete? y

Working ...

User chatter removed.

Do you want to remove chatter's home directory,

all subdirectories and files (y/n)? y

You should have backed up chatter's files if you do not wish to lose them.

Are you sure that you want to remove chatter's files (y/n)? y

Deleting /u/students/chatter

Then I kill all his processes and change the root password. Again,
situation averted. 10 minutes later he unmounts the drives.
The next morning he tells the computer lab who did it ("Acidflux, Bluesman
and Deadlocke [aka Silicon [)ragon]"... like I said, I made a few accounts
while I was on) and that we hacked in to use their link to the Lawrence
Livermore Labs (local nuclear facility... anyone read The Cuckoo's Egg?).
On top of that Bluesman logged in from a New York system so Anirvan starts
talking like MOD was after his ass (This was in the California Bay Area BTW).
That afternoon Anirvan gets a call from a Monte Vista freshman named
Brett Nelson posing as _me_. He says "This is Acidflux, you will receive a
call at 9pm tonight" along w/ some veiled threats and whatnot. They
recognized his voice and kicked him out of school (I think this story has a
moral in it somewhere). A couple months later the system is back up and I
find this article on Anirvan's Webpage (http://192.188.37.4/~anirvan):

"Beyond Wargames" by Anirvan Chatterjee ('95)

Net historians record the sudden increase in destructive net
activities after the release of Wargames (the seminal cracker-as-hero
movie, the tale of an antisocial nerdy 80s teen equipped with a modem
who stumbles onto the secrets of a corrupt military establishment (see
also, Sneakers)). Those were the days when cracker and darkside
hackers were truly dangerous only to government and corporate America.
Well, think again. While corporate network security has increased
severalfold since then, the massive growth rate of the Internet won't
be able to extend the same degree of protection to newcomers unable to
obtain the best protection money can buy. I speak from experience,
having gone through two such cases recently, both very close to home.

Everybody probably knows about the cracker intrusion into Monte
Vista's computer network. (You don't? The Reader's Digest Condensed
Book edition: I was online at Monte Vista from home on a Friday night
when I saw someone else, a friend of mine, logged in too. I tried to
"talk" to her online, but she didn't respond. So I was doing some
routine system maintenance, when I saw a strange call to talk from
someone logged in as the system operator--but I was the system
operator. Oh well, I ignored it, until my friend finally agreed to
talk to me. She seemed rather confused, didn't understand who I was. I
tried asking her what she was planning to do this weekend. Suddenly,
she burst into a rant along the lines of "I am elite! I broke into
your system! Hahaha!" By this time, I'd realized that "she" was
somebody who had broken in under that account, and broken into the
system operator's account. We did some online jousting, (by now I had
Charlie Hsu, speaking voice, advising me on the fax line) until I
managed to remotely shut down the Monte Vista network, but only to
find that he'd deleted my account, my email, my projects, my web
page--everything. Talk about playing the martyr for my system. (Yes,
yes, the proper authorities have been contacted, and they're working
hard, trying to catch the evildoers.) Anyway, there's my story. Now
you can laugh at it.)

But after all that, who to blame? The cracker, certainly, but also the
cluelessness of the newbie system administrators (including yours
truly) who just didn't know enough to implement current and effective
security measures. That, and insecure usage habits on the part of so
many equally clueless users ignoring even the most simple warnings
about password security (a computer network is only as strong as its
weakest password). As long as the Internet keeps expanding at such
furious rates and the age, maturity, education, training, and
all-around cluefulness of the average user keeps declining, this will
keep growing as an issue.

Net.access is getting easier and easier to obtain, and security
measures from many established, otherwise clueful net.folks are being
correspondingly toned down to fit the minimal effort/maximum personal
gain philosophy of many coming online for the first time (the same
type of people who will break every point of net.courtesy to get
information, rather than checking documentation, FAQs (Frequently
Asked (and Answered) Question lists), or contacting their local system
administrator). (For example, Microsoft Bob's password protection will
automatically let you change it if you guess incorrectly three times
in a row--even a four-year-old could get past that kind of
protection!)

I found out very recently that my Internet carrier's security could be
easily compromised, not online, but through what crackers call "social
engineering"--by breaking in through their customer support. January
31, someone posing as the cracker who broke into Monte Vista called my
house and left me a voice message instructing me to wait for a call at
9:00 p.m. if I wanted to recover my password. I tried dialing into my
account, and found my password to be invalid--someone had changed it!
Of course, I didn't believe that the caller was who he claimed to be
for a second--he had pronounced my name correctly. Nobody ever
pronounces my name correctly after having only seen the spelling, so I
knew it had to be someone who knew me. And who had something against
me. I listened to the message again (the idiot had done me a huge
favor by leaving a long snippet of his voice digitally recorded for me
to listen to again and again) when I realized who it was--an annoying
Monte Vistan I'd busted and kicked off the Monte Vista network a few
months ago, for some truly unsavory activities he'd gotten into, all
the system rules he'd violated. I contacted my Internet carrier's
support staff, and hooked up with a rather clueful administrator, who
traced the breakin. I was informed that someone calling in from the
local dial-in node had accessed my account (when I had been hours away
from the nearest modem), and deleted all the files in it. Damn! Damn!
Damn!

As we retraced the cracker's steps, we found that the [please
substitute a handful of your favorite explicit pejoratives here] had
unsuccessfully tried to access my account at 11:00 a.m. (why wasn't he
at school during 4th period? note: network knowledge has little
correlation with common sense, intelligence, or academic achievement),
then spoke to someone on the support staff between then and 1:00 p.m.,
convincing them that he was me. Then the "helpful" support staff
changed my password for "me," as soon as the intruder was able to
pronounce my name correctly, and give them my phone number and
address. Once he had BS'ed his way past their safeguards, he then
asked them to change "his" password for him, as he had "forgotten" it.
Devious little [choose your own again], eh? Then a little before 1:00
p.m., and again at 1:40 p.m., he logged in under my account, with the
new (now changed) password. He went through all my files. Then he
deleted everything: my saved mail, my notes, my projects, my backups.
And as if that wasn't enough, he then proceeded to browse through
my email. By this time in the conversation with the tech
admin, I was seething. Luckily for me, the guy was able to restore
most of my files and mail from system backups made the Friday before.
So I didn't lose too much, but that's beside the point. I felt so
violated. Nobody should be able to go through my email and files,
reading and deleting at will, invading my privacy; there's a world of
difference between system operators doing routine checks, and
intruders breaking in as part of some sick revenge fantasy. So I
registered several "secure" codewords with the support staff (my
mother's maiden name, etc.) that they would have to get from anyone
calling for support under my name. And that was that.

Yes, yes, the cracker, a (now "former"?) Monte Vista student, has been
caught and arrested, for his numerous ugly computer-related crimes
(physical theft of computer equipment is a rather silly idea if you
want to stay on the good side of the law), and I have the oddest
feeling I may have seen the last of him. But it's not the [yet another
pejorative here] himself I'm so concerned about, as much as the trend
he's running on. Online interaction has become so easy and widespread
that it seems as if anybody with something against you could take
action against you. And the more business that we conduct online, the
more dangerous it is (I've purchased several items directly on the
Internet over the course of the last year, using unencrypted credit
card numbers--dangerous, I know.) From mailbombings and anonymous
flames, canceled postings, forged mail or postings, to outright
electronic intrusion, almost anything is possible. Take Kevin Mitnick,
the recently captured master cracker who infiltrated sites in the
hundreds, from the accounting records of Netcom (the nation's largest
Internet Service Provider, and very possibly the least-liked (for its
anarchic administration and dumbed-down service)) to the Well,
arguably the coolest and most respected Service Provider in America,
the home of the Net's "cultural elite" (synonymous with its technical
elite). News reports say his breakins weren't "personal." God help
anybody who pissed him off. Interestingly enough, at least three
movies about the Internet are now filming. One of these is The Net,
about someone whose very identity is tampered with when police,
credit, and other identity records are all altered. As technically
improbable as the plot is, the concept is definitely sound (recall the
case of the vengeful phone phreaker who rerouted his parole officer's
home phone to a (900) sex number). This stuff doesn't just happen to
other people. Let the netizen beware. Tough times lie ahead.

An aside: Don't let this article scare you into not getting online.
Accessing the Internet is a fabulous experience, and not akin to war
as my words might lead you to believe; it just requires some common
sense. As long as you have your wits about you, and aren't afraid to
turn to manuals or your friendly neighborhood system administrator for
help, you'll be OK. Interested in getting online? Do ask me, or
someone else with online experience for help. I love helping people,
but I'd much rather be able to help someone before s/he actually
commits her time and money to problematic, expensive commercial
networks.

Then I find this followup letter:

Dear Geek-meister:

Enjoyed your latest issue. A couple of philosophical and technical
notes you may wish to ponder:

(1) Re: Anirvan's tome on Internet security: There's a consistent
assumption that the crackers he describes in the article are male. How
did the author know? Did "he" write about hunting giraffes? Use locker
room humor (actually, I've heard enough qualifying material from
females during stints at MV to dispel any such assumption)? How many
readers just read along and assumed, along with the author, that the
"perp" wears pants (oops), make that Jockeys (nope) boxers? (yikes),
buttons left over right (okay, I think).

My purpose here is not to pick on AC--indeed, I think his energy,
intellectual curiosity and considerable erudition in publishing
Paradox are really laudable. I just think we should all ferret out,
consider and overcome creeping sexism wherever we find it.

Sorry if this has been more self-glorifying than informative but after
seeing Anirvan's side of the story I had to type this up. I'm going to
go have a coke and a smile so I'm ending the story here. Watch out
for that creeping sexism.

-Acidflux
