Electronic Mail

 

 

Electronic mail services work by storing messages created by some

users until they are retrieved by their intended recipients.

 

 


 

 

The ingredients of a typical system are: registration/logging on

facilities, storage, search and retrieval, networking, timing and

billing. Electronic mail is an easy add-on to most mainframe

installations, but in recent years various organisations have sought

to market services to individuals, companies and industries where

electronic mail was the main purpose of the system, not an add-on.

 

 

The system software in widest use is that of ITI-Dialcom; it's the

one that runs Telecom Gold. Another successful package is that used

in the UK and USA by Easylink, which is supported by Cable & Wireless

and Western Union.

 

 

In the Dialcom/Telecom Gold service, the assumption is made that

most users will want to concentrate on a relatively narrow range of

correspondents. Accordingly, the way it is sold is as a series of

systems, each run by a 'manager': someone within a company. The

'manager' is the only person who has direct contact with the

electronic mail owner and he in turn is responsible for bringing

individual users on to his 'system' -- he can issue 'mailboxes'

direct, determine tariff levels, put up general messages. In most

other services, every user has a direct relationship with the

electronic mail company.

 

 

The services vary according to their tariff structures and levels;

and also in the additional facilities: some offer bi-directional

interfaces to telex; and some contain electronic magazines, a little

like videotex.

 

 

The basic systems tend to be quite robust and hacking is mainly

concentrated on second-guessing users' IDs. Many of the systems have

now sought to increase security by insisting on passwords of a

certain length--and by giving users only three or four attempts at

logging on before closing down the line. But increasingly their

customers are using PCs and special software to automate logging-in.

The software packages of course have the IDs nicely pre-stored....
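As an added illustration (not from the book), here is a toy model of the two controls the paragraph mentions, a minimum password length and a cap of three logon attempts per connection, together with a log check for the pattern the paragraph says hackers concentrate on, guessing user IDs, which a per-connection attempt cap alone does not see. The host, the account names, the log format and the thresholds are all constructed for this example.

```python
import hmac
from collections import defaultdict

MIN_PASSWORD_LEN = 8   # "passwords of a certain length"; the exact length is assumed
MAX_ATTEMPTS = 3       # "three or four attempts at logging on before closing down the line"


class MailHost:
    """Toy dial-up mail host enforcing the two controls the text describes."""

    def __init__(self):
        self.passwords = {}   # user ID -> password (a real host would store a hash)

    def set_password(self, user_id, password):
        # Control 1: refuse short passwords at the point they are set.
        if len(password) < MIN_PASSWORD_LEN:
            raise ValueError("password too short")
        self.passwords[user_id] = password

    def connect(self):
        return Connection(self)


class Connection:
    """One call into the host; the line is dropped after MAX_ATTEMPTS failures."""

    def __init__(self, host):
        self.host = host
        self.attempts = 0
        self.dropped = False

    def logon(self, user_id, password):
        if self.dropped:
            return "LINE CLOSED"
        self.attempts += 1
        # Unknown IDs take the same path and get the same reply as bad
        # passwords, so the response does not confirm a guessed ID.
        stored = self.host.passwords.get(user_id, "")
        if stored and hmac.compare_digest(stored.encode(), password.encode()):
            return "OK"
        # Control 2: cap attempts per connection, then drop the line.
        if self.attempts >= MAX_ATTEMPTS:
            self.dropped = True
            return "LINE CLOSED"
        return "FAIL"


# Constructed host log, one record per attempt: date time port LOGON id result
SAMPLE_LOG = """\
01/30/84 12:34 port07 LOGON MGR001 OK
01/30/84 12:40 port03 LOGON USR042 FAIL
01/30/84 12:41 port03 LOGON USR042 FAIL
01/30/84 12:41 port03 LOGON USR042 OK
01/30/84 23:02 port09 LOGON USR001 FAIL
01/30/84 23:02 port09 LOGON USR002 FAIL
01/30/84 23:03 port09 LOGON USR003 FAIL
01/30/84 23:05 port09 LOGON USR004 FAIL
01/30/84 23:05 port09 LOGON USR005 FAIL
01/30/84 23:06 port09 LOGON USR006 FAIL
"""


def flag_id_guessing(log_text, threshold=5):
    """Return {port: sorted distinct IDs} for ports whose failed logons spread
    over more than `threshold` distinct user IDs.  The per-connection cap
    above does not catch this pattern: the caller simply redials and tries
    the next ID, so it has to be found by looking across connections."""
    failed_ids = defaultdict(set)
    for raw in log_text.splitlines():
        parts = raw.split()
        if len(parts) != 6 or parts[3] != "LOGON":
            continue                      # ignore malformed records
        port, user_id, result = parts[2], parts[4], parts[5]
        if result == "FAIL":
            failed_ids[port].add(user_id)
    return {port: sorted(ids) for port, ids in failed_ids.items()
            if len(ids) > threshold}
```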

 

 

 

 

Government computers

 

 

Among hackers themselves the richest source of fantasising

revolves around official computers like those used by the tax and

national insurance authorities, the police, armed forces and

intelligence agencies.

 

 

The Pentagon was hacked in 1983 by a 19-year-old Los Angeles

student, Ronald Austin. Because of the techniques he used, a full

account is given in the operating systems section of chapter 6. NASA,

the Space Agency, has also acknowledged that its e-mail system has

been breached and that messages and pictures of Kilroy were left as

graffiti.

 

 


 

 

This leaves only one outstanding mega-target, Platform, the global

data network of 52 separate systems focused on the headquarters of

the US's electronic spooks, the National Security Agency at Fort

Meade, Maryland. The network includes at least one Cray-1, the world's

most powerful number-cruncher, and facilities provided by GCHQ at

Cheltenham.

 

 

Although I know UK phone freaks who claim to have managed to

appear on the internal exchanges used by Century House (MI6) and

Curzon Street House (MI5) and have wandered along AUTOVON, the US

secure military phone network, I am not aware of anyone bold or

clever enough to have penetrated the UK's most secure computers.

 

 

It must be acknowledged that in general it is far easier to obtain

the information held on these machines--and lesser ones like the DVLC

(vehicle licensing) and PNC (Police National Computer)-- by criminal

means than by hacking -- bribery, trickery or blackmail, for example.

Nevertheless, there is an interesting hacker's exercise in

demonstrating how far it is possible to produce details from open

sources of these systems, even when the details are supposed to be

secret. But this relates to one of the hacker's own secret

weapons--thorough research, the subject of the next chapter.

 

 


 

 

 

 

 

 

CHAPTER 5

 

 

 

 

Hackers' Intelligence

 

 

Of all the features of hacking that mystify outsiders, the first

is how the hackers get the phone numbers that give access to the

computer systems, and the passwords that open the data. Of all the

ways in which hacking is portrayed in films, books and TV, the most

misleading is the concentration on the image of the solitary genius

bashing away at a keyboard trying to 'break in'.

 

 

It is now time to reveal one of the dirty secrets of hacking:

there are really two sorts of hacker. For this purpose I will call

them the trivial and the dedicated. Anyone can become a trivial

hacker: you acquire, from someone else, a phone number and a password

to a system; you dial up, wait for the whistle, tap out the password,

browse around for a few minutes and log off. You've had some fun,

perhaps, but you haven't really done anything except follow a

well-marked path. Most unauthorised computer invasions are actually

of this sort.

 

 

The dedicated hacker, by contrast, makes his or her own

discoveries, or builds on those of other pioneers. The motto of

dedicated hackers is modified directly from a celebrated split

infinitive: to boldly pass where no man has hacked before.

 

 

Successful hacking depends on good research. The materials of

research are all around: as well as direct hacker-oriented material

of the sort found on bulletin board systems and heard in quiet

corners during refreshment breaks at computer clubs, huge quantities

of useful literature are published daily by the marketing departments

of computer companies and given away to all comers: sheaves of

stationery and lorry loads of internal documentation containing

important clues are left around to be picked up. It is up to the

hacker to recognise this treasure for what it is, and to assemble it

in a form in which it can be used.

 

 

Anyone who has ever done any intelligence work, not necessarily

for a government, but for a company, or who has worked as an

investigative journalist, will tell you that easily 90% of the

information you want is freely available and that the difficult part

is recognising and analysing it. Of the remaining 10%, well over

half can usually be inferred from the material you already have,

because, given a desired objective, there are usually only a limited

number of sensible solutions.

 

 


 

 

You can go further: it is often possible to test your inferences and,

having done that, develop further hypotheses. So the dedicated

hacker, far from spending all the time staring at a VDU and 'trying

things' on the keyboard, is often to be found wandering around

exhibitions, attending demonstrations, picking up literature, talking

on the phone (voice-mode!) and scavenging in refuse bins.

 

 

But for both the trivial operator and the dedicated hacker who wishes

to consult with his colleagues, the bulletin board movement has been

the single greatest source of intelligence.

 

 

 

 

Bulletin Boards

 

 

Since 1980, when good software enabling solitary micro-computers

to offer a welcome to all callers first became widely available, the

bulletin board movement has grown by leaps and bounds. If you haven't

logged on to at least one already, now is the time to try. At the

very least it will test out your computer, modem and software --and

your skills in handling them. Current phone numbers, together with

system hours and comms protocol requirements, are regularly published

in computer mags; once you have got into one, you will usually find

current details of most of the others.

 

 

Somewhere on most boards you will find a series of Special

Interest Group (SIG) sections and among these, often, will be a

Hacker's Club. Entrance to each SIG will be at the discretion of the

Sysop, the Bulletin Board owner. Since the BBS software allows the

Sysop to conceal from users the list of possible SIGs, it may not be

immediately obvious whether a Hacker's section exists on a particular

board. Often the Sysop will be anxious to form a view of a new

entrant before admitting him or her to a 'sensitive' area. It has

even been known for bulletin boards to carry two hacker sections:

one, admission to which can be fairly easily obtained; and a second,

the very existence of which is a tightly-controlled secret, where

mutually trusting initiates swap information.

 

 

The first timer, reading through a hacker's bulletin board, will

find that it seems to consist of a series of discursive conversations

between friends. Occasionally, someone may write up a summary for

more universal consumption. You will see questions being posed. If

you feel you can contribute, do so, because the whole idea is that a

BBS is an information exchange. It is considered crass to appear on a

board and simply ask 'Got any good numbers?'; if you do, you will not

get any answers. Any questions you ask should be highly specific,

show that you have already done some ground-work, and make clear that

any results derived from the help you receive will be reported back

to the board.

 

 


 

 

Confidential notes to individuals, not for general consumption,

can be sent using the E-Mail option on the bulletin board, but

remember, nothing is hidden from the Sysop.

 

 

A flavour of the type of material that can be seen on bulletin

boards appears from this slightly doctored excerpt (I have removed

some of the menu sequences in which the system asks what you want to

do next and have deleted the identities of individuals):

 

 

Msg#: 3538 *Modem Spot*

01/30/84 12:34:54 (Read 39 Times)

From: xxxxxxxxxx

To: ALL

Subj: BBC/MAPLIN MODEMS

RE THE CONNECTIONS ON THE BBC/MAPLIN MODEM SETUP. THE CTS PIN IS USED TO

HANDSHAKE WITH THE RTS PIN E.G. ONE UNIT SENDS RTS (READY TO SEND) AND

SECOND UNIT REPLIES CTS (CLEAR TO SEND). USUALLY DONE BY TAKING PIN HIGH. IF

YOU STRAP IT HIGH I WOULD SUGGEST VIA A 4K7 RESISTOR TO THE VCC/+VE RAIL (5V).

IN THE EVENT OF A BUFFER OVERFLOW THESE RTS/CTS PINS ARE TAKEN LOW AND THIS

STOPS THE DATA TRANSFER. ON A 25WAY D TYPE CONNECTOR TX DATA IS PIN 2

RX DATA IS PIN 3

RTS IS PIN 4

CTS IS PIN 5

GROUND IS PIN 7

 

 

ALL THE BEST -- ANY COMMTO XXXXXXXXX

(DATA COMMS ENGINEER)

 

 

Msg#: 3570 *Modem Spot*

01/31/84 23:43:08 (Read 31 Times)

From: XXXXXXXXXX

To: XXXXXXXXXXX

Subj: REPLY TO MSG# 3538 (BBC/MAPLIN MODEMS)

ON THE BBC COMPUTER IT IS EASIER TO CONNECT THE RTS (READY TO SEND) PIN HE

CTS (CLEAR TO SEND) PIN. THIS OVERCOMES THE PROBLEM OF HANDSHAKING.

SINCE THE MAPLIN MODEM DOES NOT HAVE HANDSHAKING.I HAVE PUT MY RTS CTS JUMPER

INSIDE THE MODEM. MY CABLES ARE THEN STANDARD AND CAN BE USED WITH HANDSHAKERS.

REGARDS

 

 

Msg#: 3662 *HACKER'S CLUB*

02/04/84 23:37:11 (Read 41 Times)

From: XXXXXXXXXX

To: ALL

Subj: PUBLIC DATA NET

Does anyone know what the Public Data Net is? I appear to have access to it, &

I daren't ask what it is!

Also, can anyone tell me more about the Primenet systems... Again I seem to

have the means,but no info. For instance, I have a relative who logs on to

another Prime Both of our systems are on Primenet, is there any way we can

communicate?

More info to those who want it...

 

 

<N>ext msg, <R>eply, or <S>top?

Msg has replies, read now(Y/N)? y

 

 

Reply has been deleted

 

 

<N>ext msg, <R>eply, or <S>top?

 

 

Msg#: 3739 *HACKER'S CLUB*

02/06/84 22:39:06 (Read 15 Times)

From: xxxxxxxxxx

To: xxxxxxxxxx

Subj: REPLY TO MSG# 3716 (PRIMENET COMMS)

Ahh, but what is the significance of the Address-does it mean a PSS number. or

some thing like that? Meanwhile, I'll get on-line (via voice-link on the phone!)

to my cousin, and see what he has on it....

 

 


 

 

Msg#: 3766 *HACKER'S CLUB*

02/07/84 13:37:54 (Read 13 Times)

From: xxxxxxxxxxx

To: xxxxxxxxxxx

Subj: REPLY TO MSG# 3751 (PUBLIC DATA NET)

Primenet is a local network. I know of one in Poole, and BTGold use

one between their systems too. It is only an internal network, I

suggest using PSS to communicate between different primes. Cheers.

 

 

<N>ext msg, <R>eply, or <S>top?

 

 

Msg#: 3799 *BBC*

02/07/84 22:09:05 (Read 4 Times)

From: xxxxxxxxxxx

To: xxxxxxxxxxx

Subj: REPLY TO MSG# 3751 (RGB VIDEO)

The normal video output BNC can be made to produce colour video by

making a link near to the bnc socket on the pcb. details are in the

advanced user guide under the chapter on what the various links do.

If you require more I will try to help, as I have done this mod and

it works fine

 

 

Msg#: 935 *EREWHON*

09/25/83 01:23:00 (Read 90 Times)

From: xxxxxxxxxx

To: ALL

Subj: US PHONE FREAKING

USA Phone Freaking is done with a 2 out of 5 Code. The tones must be

with 30Hz, and have less than 1% Distortion.

 

 

Master Tone Frequency = 2600 Hz.

>1 = 700 & 900 Hz

>2 = 700 & 1100 Hz

>3 = 900 & 1100 HZ

>4 = 700 & 1300 Hz

>5 = 900 & 1300 Hz

>6 = 1100 & 1300 Hz

>7 = 700 & 1500 HZ

>8 = 900 & 1500 Hz

>9 = 1100 & 1500 Hz

>0 = 1300 & 1500 Hz

>Start Key Signal = 1100 & 1700 Hz

>End Key Signal = 1300 & 1700 Hz

> Military Priority Keys 11=700 & 1700 ; 12=900 & 1700 - I don't

recommend using these. ( The method of use will be explained in a

separate note. DO NOT DISCLOSE WHERE YOU GOT THESE FREQUENCIES TO

ANYONE!

 

 

Msg#: 936 *EREWHON*

09/20/83 01:34:43 (Read 89 Times)

From: xxxxxxxxxxxx

To: ALL

Subj: UK PHONE FREAKING

 

 

The UK System also uses a 2 out of 5 tone pattern.

 

 

The Master Frequency is 2280 Hz

>I = 1380 & 1500 Hz

>2 = 1380 & 1620 Hz

>3 = 1500 & 1620 Hz

>4 = 1380 & 1740 Hz

>5 = 1500 & 1740 Hz

>6 = 1620 & 1740 Hz

>7 = 1380 & I860 Hz

>8 = 1500 & 1860 Hz

>9 = 1620 & 1860 Hz

>0 = 1740 & 1860 Hz

>Start Key = 1740 & 1980 ; End Keying = 1860 & 1980 Hz

>Unused I think 11 = 1380 & 1980 ; 12 = 1500 & 1980 Hz

 

 

This is from the CCITT White Book Vol. 6 and is known as SSMF No. 3

to some B.T. Personnel.

 

 

The 2280 Hz tone is being filtered out at many exchanges so you may

need quite high level for it to work.

 

 


 

 

Msg#: 951 *EREWHON*

09/21/83 17:44:28 (Read 79 Times)

From: xxxxxxxxxx

To: PHONE FREAK's

Subj: NEED YOU ASK ?

In two other messages you will find the frequencies listed for the

Internal phone system controls. This note is intended to explain how

the system could be operated. The central feature to realise is that

( especially in the (USA) the routing information in a call is not in

the Dialled Code. The normal sequence of a call is that the Area Code

is received while the Subscriber No. Is stored for a short period.

The Local Exchange reads the area code and selects the best route at

that time for the call. The call together with a new "INTERNAL"

dialling code Is then sent on to the next exchange together with the

subscriber number. This is repeated from area to area and group to

group. The system this way provides many routes and corrects itself

for failures.

 

 

The Technique. make a Long Distance call to a number which does not

answer. Send down the Master Tone. (2600 or 22080 Hz) This will

clear the line back, but leave you in the system. You may now send

the "Start key Pulse" followed by the Routing Code and the Subscriber

No. Finish with the "End keying Pulse". The system sees you as being

a distant exchange requesting a route for a call.

 

 

Meanwhile back at the home base. Your local exchange will be logging

you in as still ringing on the first call. There are further problems

in this in both the USA and the UK as the techniques are understood

and disapproved of by those in authority. You may need to have a

fairly strong signal into the system to get past filters present on

the line. Warning newer exchanges may link these filters to alarms.

Try from a phone box or a Public Place and see what happens or who

comes.

 

 

Example:- To call from within USA to Uk:

> Ring Toll Free 800 Number

> Send 2600 Hz Key Pulse

> When line goes dead you are in trunk level

> Start Pulse 182 End Pulse = White Plains N.Y. Gateway continued in

next message

 

 

Msg#: 952 *EREWHON*

09/21/83 18:03:12 (Read 73 Times)

From: xxxxxxxxxx

To: PHONE FREAKS

Subj: HOW TO DO IT PT 2

 

 

> Start Pulse 044 = United Kingdom

> 1 = London ( Note no leading O please )

> 730 1234 = Harrods Department Store.

 

 

Any info on internal address codes would be appreciated from any

callers.

 

 

Msg#: 1028 *EREWHON*

09/25/83 23:02:35 (Read 94 Times)

From: xxxxxxxxxxxx

To: ALL

Subj: FREEFONE PART I

 

 

The following info comes from a leaflet entitled 'FREEFONE':

 

 

"British Telecom's recent record profits and continuing appalling

service have prompted the circulation of this information. It

comprises a method of making telephone calls free of charge."

 

 

Circuit Diagram:

 

 

[ASCII-art circuit diagram, too garbled in this copy to reproduce; only the labels LINE IN and PHONE are legible]

 

 


 

 

S1 = XXX

C1 = XXX

D1 = XXX

D2 = XXX

R1 = XXX

 

 

Continued...

 

 

MSG#: 1029 *EREWHON*

09/25/83 23:19:17 (Read 87 Times)

From xxxxxxxxxxx

To: ALL

Subj: FREEFONE PART 2

 

 

Circuit Operation:

 

 

The circuit inhibits the charging for incoming calls only. When a

phone is answered, there is normally approx. IOOmA DC loop current

but only 8mA or so is necessary to polarise the mic In the handset.

Drawing only this small amount is sufficient to fool BT's ancient

"Electric Meccano".

 

 

It's extremely simple. When ringing, the polarity of the line

reverses so D1 effectively answers the call when the handset is

lifted. When the call is established, the line polarity reverts and

R1 limits the loop current while D2 is a LED to indicate the circuit

is in operation. C1 ensures speech is unaffected. S1 returns the

telephone to normal.

 

 

Local calls of unlimited length can be made free of charge. Long

distance calls using this circuit are prone to automatic

disconnection this varies from area to area but you will get at least

3 minutes before the line is closed down. Further experimentation

should bear fruit in this respect.

 

 

With the phone on the hook this circuit is completely undetectable.

The switch should be closed if a call is received from an operator,

for example, or to make an outgoing call. It has proved extremely

useful, particularly for friends phoning from pay phones with jammed

coin slots.

 

 

*Please DO NOT tell ANYONE where you found this information*

 

 

Msg#: 1194 *EREWHON*

10/07/83 04:50:34 (Read 81 Times)

From: xxxxxxxxxxxx

To: ALL

Subj: FREE TEST NUMBERS

 

 

Free Test Numbers

 

 

Here are some no's that have been found to work:

Dial 174 <last 4 figs of your no>: this gives unobtainable then when

you replace handset the phone rings.

 

 

Dial 175 <last 4 figs of your no: this gives 'start test...start

test...', then when you hang-up the phone rings. Pick it up and you

either get dial tone which indicates OK or you will get a recording

i.e 'poor insulation B line' telling you what's wrong. If you get

dial tone you can immediately dial 1305 to do a further test which

might say 'faulty dial pulses'. Other numbers to try are 182, 184 or

185. I have discovered my exchange (Pontybodkin) gives a test ring

for 1267. These numbers all depend on your local exchange so it pays

to experiment, try numbers starting with 1 as these are all local

functions. Then when you discover something of interest let me know

on this SIG.

 

 

 

 

Msg: 2241 *EREWHON*

12/04/83 20:48:49 (Read 65 Times)

From: SYSOP

To: SERIOUS FREAKS

Subj: USA INFO

 

 

There is a company (?) in the USA called Loopmaniacs Unlimited,

PO Box 1197, Port Townsend. WA, 98368, who publish a line of books on

telephone hacking. Some have circuits even. Write to M. Hoy there.

 

 

One of their publications is "Steal This Book" at $5.95 plus about $4

post. It's worth stealing, but don't show it to the customs!

 

 


 

 

Msg#: 3266 *EREWHON*

01/22/84 06:25:01 (Read 53 Times)

From: xxxxxxxxxx

To: ALL

Subj: UNIVERSITY COMPUTERS

As already described getting onto the UCL PAD allows various calls.

Via this network you can access many many university/research

computers To get a full list use CALL 40 then HELP, select GUIDE.

Typing '32' at the VIEW prompt will start listing the addresses. Host

of these can be used at the pad by 'CALL addr' where addr is the

address. For passwords you try DEMO HELP etc. If you find anything

interesting report it here.

HINT: To avoid the PAD hanging up at the end of each call use the

LOGON command - use anything for name and pwd. This seems to do the

trick.

Another number: Tel: (0235) 834531. This is another data

exchange. This one's a bit harder to wake up. You must send a 'break

level' to start. This can be done using software but with a maplin

just momentarily pull out the RS232 com. Then send RETURNs. To get a

list of 'classes' you could use say Manchesters HELP:- CALL 1020300,

user:DEMO pwd:DEMO en when you're on HELP PACX.

 

 

Msg#: 3687 *HACKER'S CLUB*

02/05/84 14:41:43 (Read 416 Times)

From: xxxxxxxxxxxx

To: ALL

Subj: HACKERS NUMBERS

 

 

The following are some of the numbers collected in the Hackers SIG:

 

 

Commodore BBS (Finland) 358 61 116223

 

 

Gateway test 01 600 1261

PRESTEST (1200/75) 01 583 9412

Some useful PRESTEL nodes - 640..Res.D (Martlesham's experiments in

Dynamic Prestel DRCS, CEPT standards, Picture Prestel, 601

(Mailbox,Telemessaging, Telex Link - and maybe Telecom Gold), 651

(Scratchpad -always changing). Occasionally parts of 650 (IP News)

are not properly CUGed off. 190 sometimes is interesting well.

 

 

These boards all specialised in lonely hearts services !

The boards with an asterisk all use BELL Tones


 

 

Both USA nos. prefix (0101)

a) Daily X-rated Doke Service 516-922-9463

b) Auto-Biographies of young ladies who normally work in

unpublishable magazines on 212-976-2727.

c)Dial a wank 0101,212,976,2626; 0101,212,976,2727

 

 


 

 

Msg#: 3688 *HACKER'S CLUB*

02/05/84 14:44:51 (Read 393 Times)

From: xxxxxxxxxxx

To: ALL

Subj: HACKERS NUMBERS CONT...

Hertford PDP 11/70 Hackers BBS:

Call 0707-263577 with 110 baud selected.

type: SET SPEED 300'CR'

After hitting CR switch to 300 baud.

Then type: HELLO 124,4'CR

!Password: HAE4 <CR>

When logged on type: COMMAND HACKER <CR>

Use: BYE to log out

*********

EUCLID 388-2333

TYPE A COUPLE OF <CR> THEN PAD <CR>

ONCE LOGGED ON TO PAD TYPE CALL 40 <CR> TRY DEMO AS A USERID WHY NOT

TRY A FEW DIFFER DIFFERENT CALLS THIS WILL LET U LOG ON TO A WHOLE

NETWORK SYSTEM ALL OVER EUROPE!

YOU CAN ALSO USE 01-278-4355.

********

unknown 300 Baud 01-854 2411

01-854 2499

******

Honeywell:From London dial the 75, else 0753(SLOUGH)

75 74199 75 76930

Type- TSS

User id: D01003

password: Unknown (up to 10 chars long)

Type: EXPL GAMES LIST to list games

To run a game type: FRN GAMES(NAME) E for a fotran game.

Replace FRN with BRN for BASIC games.

******

Central London Poly 01 637 7732/3/4/5

******

PSS (300) 0753 6141

******

Comshare (300) 01 351 2311

******

'Money Box' 01 828 9090

******

Imperial College 01 581 1366

01 581 1444

*******

These are most of the interesting numbers that have come up over the

last bit. If I have omitted any, please leave them in a message.

 

 

Cheers, xxxxx.

 

 

Msg#: 5156 *HACKER'S CLUB*

04/15/84 08:01:11 (Read 221 Times)

From: xxxxxxxxxx

To: ALL

Subj: FINANCIAL DATABASES

You can get into Datastream on dial-up at 300/300 on 251 6180 - no I

don't have any passwords....you can get into Inter Company

Comparisons (ICC) company database of 60,000 companies via their

1200/75 viewdata front-end processor on 253 8788. Type ***# when

asked for your company code to see a demo...

 

 

 

 

Msg#: 5195 *HACKER'S CLUB*

04/17/84 02:28:10 (Read 229 Times)

From: xxxxxxxxxx

To: ALL

Subj: PSS TELEX

THIS IS PROBABLY OLD HAT BY NOW BUT IF YOU USE PSS THEN A92348******

WHERE **=UK TELEX NO. USE CTRL/P CLR TO GET OUT AFTER MESSAGE. YOU

WILL BE CHARGED FOR USE I GUESS

 

 


 

 

Msg#: 7468 *EREWHON*

06/29/84 23:30:24 (Read 27 Times)

From: xxxxxxxxxx

To: PHREAKS

Subj: NEW(OLD..) INFO

TODAY I WAS LUCKY ENOUGH TO DISCOVER A PREVIOUSLY UNKNOWN CACHE OF

AMERICAN MAGAZINE KNOWN AS TAP. ALTHOUGH THEYRE RATHER OUT OF DATE

(1974-1981) OR SO THEY ARE PRETTY FUNNY AND HAVE A FEW INTERESTING

BITS OF INFORMATION, ESPECIALLY IF U WANT TO SEE THE CIRCUIT DIAGRAMS

OF UNTOLD AMOUNTS OF BLUE/RED/BLACK/??? BOXES THERE ARE EVEN A FEW

SECTIONS ON THE UK (BUT AS I SAID ITS COMPLETELY OUT OF DATE). IN THE

FUTURE I WILL POST SOME OF THE GOOD STUFF FROM TAP ON THIS BOARD

(WHEN AND IF I CAN GET ON THIS BLOODY SYSTEM''). ALSO I MANAGED TO

FIND A HUGE BOOK PUBLISHED BY AT&T ON DISTANCE DIALING (DATED 1975).

DUNNO, IF ANYBODY'S INTERESTED THEN LEAVE A NOTE REQUESTING ANY INFO

YOU'RE ARE CHEERS PS ANYBODY KNOW DEPRAVO THE RAT?? DOES HE STILL

LIVE?

 

 

Msg#: 7852 *HACKER'S CLUB*

08/17/84 00:39:05 (Read 93 Times)

From: xxxxxxxxxx

To: ALL USERS

Subj: NKABBS

NKABBS IS NOW ONLINE. FOR ATARI & OTHER MICRO USERS. OPERATING ON 300

BAUD VIA RINGBACK SYSTEM. TIMES 2130HRS-2400HRS DAILY. TEL :0795

842324. SYSTEM UP THESE TIMES ONLY UNTIL RESPONSE GROWS. ALL USERS

ARE WELCOME TO ON. EVENTUALLY WE WILL BE SERVING BBC,COMMODORE VIC

20/64 OWNERS.+NEWS ETC.

 

 

Msg#:8154 *EREWHON*

08/02/84 21:46:11 (Read 13 Times)

From: ANON

To: ALL

Subj: REPLY TO MSG# :1150 (PHREAK BOARDS)

 

 

PHREAK BOARD NUMBERS

ACROSS THE U.S.

 

 

 

 

IF YOU KNOW OF A BOARD THAT IS NOT LISTED HERE, PLEASE LET ME KNOW

ABOUT IT.

 

 


 

 


 

 

If anybody is mad enough to actually dial up one (or more) of these

BBs please log everything so that others may benefit from your

efforts. IE- WE only have to register once, and we find out if this

board suits our interest. Good luck and have fun! Cheers,

 

 

Msg#: 8163 *HACKER'S CLUB*

08/30/84 18:55:27 (Read 78 Times)

From: XXXXXXXXXX

To: ALL

Subj: XXXXXX

NBBS East is a relatively new bulletin board running from 10pm to

1230am on 0692 630610. There are now special facilities for BBC users

with colour, graphics etc. If you call it then please try to leave

some messages as more messages mean more callers, which in turn means

more messages Thanks a lot, Jon

 

 

Msg#: 8601 *HACKER'S CLUB*

09/17/84 10:52:43 (Read 57 Times)

From: xxxxxxxxxx

To: xxxxxxxxx

Subj: REPLY TO Msg# 8563 (HONEYWELL)

The thing is I still (sort of) work for XXX so I don't think they

would be too pleased if I gave out numbers or anything else, and I

would rather keep my job. Surely you don't mean MFI furniture ??

 

 

Msg#: 8683 *HACKER'S CLUB*

09/19/84 19:54:05 (Read 63 Times)

From: xxxxxxxxx

To: ALL

Subj: DATA NODE

To those who have difficulty finding interesting numbers. try the UCL

Data Node on 01-388 2333 (300 baud).When you get the Which Service?

prompt. type PAD and a couple of CRs. Then, when the PAD> prompt

appears type CALL XOOXOOX, where XOOXOOX is any number or range of numbers.

Indeed you can try several formats and numbers until you find

something interesting. The Merlin Cern computer is 9002003 and it's

difficult to trace you through a data exchange! If anyone finds any

interesting numbers, let me know on this board, or Prestel mailbox

012495225.

 

 

Msg has replies, read now(Y/N)? Y

 

 

Msg#: 9457 *HACKER'S CLUB*

10/11/84 01:52:56 (Read 15 Times)

From: xxxxxxxxxxx

To: xxxxxxxxxxx

Subj: REPLY TO MSG# 8683 (DATA NODE)

IF YOU WANT TO KNOW MORE ABOUT THIS xxxxx PHONE PHONE xxxx xxxxxx

ON 000 0000

 

 

Msg#: 8785 *HACKER'S CLUB*

09/21/84 20:28:59 (Read 40 Times)

From: xxxxxxxxxxxxxx

Subj: NEW Number

 

 

NEW Computer ON LINE TRY RINGING 960 7868 SORRY THAT'S 01 (IN LONDON) IN FRONT.

good LUCK!

 

 

** Page 51

 

 

Please note that none of these hints, rumours, phone numbers and

passwords are likely to work by the time you are reading this...

However, in the case of the US credit agency TRW, described in the

previous chapter, valid phone numbers and passwords appear to have

sat openly on a number of bulletin boards for up to a year before the

agency realised it. Some university mainframes have hackers' boards

hidden on them as well.

 

 

It is probably bad taste to mention it, but of course people try

to hack bulletin boards as well. An early version of one of the most

popular packages could be hacked simply by sending two semi-colons

(;;) when asked for your name. The system allowed you to become the

Sysop, even though you were sitting at a different computer; you

could access the user file, complete with all passwords, validate or

devalidate whomever you liked, destroy mail, write general notices,

and create whole new areas...

 

 

 

 

Research Sources

 

 

The computer industry has found it necessary to spend vast sums on

marketing its products and whilst some of that effort is devoted to

'image' and 'concept' type advertising--to making senior management

comfortable with the idea of the XXX Corporation's hardware because

it has 'heard' of it--much more is in the form of detailed product

information.

 

 

This information surfaces in glossies, in conference papers, and

in magazine journalism. Most professional computer magazines are

given away on subscription to 'qualified' readers; mostly the

publisher wants to know if the reader is in a position to influence a

key buying decision--or is looking for a job.

 

 

I have never had any difficulty in being regarded as qualified:

certainly no one ever called round to my address to check up the size

of my mainframe installation or the number of employees. If in doubt,

you can always call yourself a consultant. Registration is usually a

matter of filling in a post-paid card. My experience is that, once

you are on a few subscription lists, more magazines, unasked for,

tend to arrive every week or month--together with invitations to

expensive conferences in far-off climes. Do not be put off by the

notion that free magazines must be garbage. In the computer industry,

as in the medical world, this is absolutely not the case. Essential

regular reading for hackers is Computing, Computer Weekly, Software,

Datalink, Communicate, Communications Management, Datamation,

Mini-Micro Systems, and Telecommunications.

 

 

** Page 52

 

 

The articles and news items often contain information of use to

hackers: who is installing what, where; what sort of facilities are

being offered; what new products are appearing and what features they

have. Sometimes you will find surveys of sub-sets of the computer

industry. Leafing through the magazine pile that has accumulated

while this chapter was being written, I have marked for special

attention a feature on Basys Newsfury, an electronic newsroom package

used, among others, by ITN's Channel Four News; several articles on

new on-line hosts; an explanation of new enhanced Reuters services; a

comparison of various private viewdata software packages and who is

using them; some puffs for new Value Added Networks (VANs); several

pieces on computer security; news of credit agencies selling

on-line and via viewdata; and a series on Defence Data Networks.

 

 

In most magazines, however, this is not all. Each advertisement is

coded with a number which you have to circle on a tear-out post-paid

'bingo card', and each one you mark will bring wads of useful

information. Be careful, however, to give just enough information

about yourself to ensure that postal packets arrive, and not

sufficient to give the 'I was just passing in the neighbourhood and

thought I would call in to see if I could help' sales rep a 'lead' he

thinks he can exploit.

 

 

Another excellent source of information is exhibitions: there are

the ubiquitous 'product information' sheets, but also the actual

machines and software to look at and maybe play with; perhaps you can

even get a full scale demonstration and interject a few questions.

The real bonus of exhibitions, of course, is that the security sense

of salespersons, exhausted by performing on a stand for several days

and by the almost compulsory off-hours entertainment of top clients

or attempted seduction of the hired-in 'glamour' is rather low.

Passwords are often written down on paper and consulted in your full

view. All you need is a quick eye and a reasonable memory.

 

 

At both exhibitions and conferences it is a good idea to be a

freelance journalist. Most computer mags have relatively small

full-time staff and rely on freelancers, so you won't be thought odd.

And you'll have your questions answered without anyone asking 'And

how soon do you think you'll be making a decision?' Sometimes the lack

of security at exhibitions and demonstrations defies belief. When ICL

launched its joint venture product with Sinclair, the One-Per-Desk

communicating executive workstations, it embarked on a modest

road-show to give hands-on experience to prospective purchasers. The

demonstration models had been pre-loaded with phone numbers...of

senior ICL directors, of the ICL mainframe at its headquarters in

Putney and various other remote services....

 

 

** Page 53

 

 

Beyond these open sources of information are a few murkier ones.

The most important aid in tackling a 'difficult' operating system or

applications program is the proper documentation: this can be

obtained in a variety of ways. Sometimes a salesman may let you look

at a manual while you 'help' him find the bit of information he can't

remember from his sales training. Perhaps an employee can provide a

'spare', or run you a photocopy. In some cases, you may even find the

manual stored electronically on the system; in which case, print it

out. Another desirable document is an organisation's internal phone

book...it may give you the numbers for the computer ports, but

failing that, you will be able to see the range of numbers in use

and, if you are using an auto-dial modem coupled with a

search-and-try program, you will be able to define the search

parameters more carefully. A phone book will also reveal the names of

computer managers and system engineers; perhaps they use fairly

obvious passwords.

 

 

It never ceases to astonish me what organisations leave in refuse

piles without first giving them a session with the paper shredder.

 

 

I keep my cuttings carefully stored away in a second-hand filing

cabinet; items that apply to more than one interest area are

duplicated in the photocopier.

 

 

 

 

Inference

 

 

But hackers' research doesn't rely simply on collecting vast

quantities of paper against a possible use. If you decide to target

on a particular computer or network, it is surprising what can be

found out with just a little effort. Does the organisation that owns

the system publish any information about it? In a handbook, annual

report, house magazine? When was the hardware and software installed?

Did any of the professional weekly computer mags write it up? What do

you know about the hardware, what sorts of operating systems would

you expect to see, who supplied the software, do you know anyone with

experience of similar systems, and so on.

 

 

By way of illustration, I will describe certain inferences it is

reasonable to make about the principal installation used by Britain's

Security Service, MI5. At the end, you will draw two conclusions:

first that someone seriously interested in illicitly extracting

information from the computer would find the traditional techniques

of espionage--suborning of MI5 employees by bribery, blackmail or

appeal to ideology--infinitely easier than pure hacking; and second,

that remarkable detail can be accumulated about machines and

systems, the very existence of which is supposed to be a secret--and

by using purely open sources and reasonable guess-work.

 

 

** Page 54

 

 

The MI5 databanks and associated networks have long been the

subject of interest to civil libertarians. Few people would deny

absolutely the need for an internal security service of some sort,

nor deny that service the benefit of the latest technology. But,

civil libertarians ask, who are the legitimate targets of MI5's

activities? If they are 'subversives', how do you define them? By

looking at the type of computer power MI5 and its associates possess,

it is possible to see if perhaps they are casting too wide a net for

anyone's good. If, as has been suggested, the main installation can

hold and access 20 million records, each containing 150 words, and

Britain's total population, including children, is 56 million, then

perhaps an awful lot of individuals are being marked as 'potential

subversives'.

 

 

It was to test these ideas out that two journalists, not

themselves out-and-out hackers, researched the evidence upon which

hackers have later built. The two writers were Duncan Campbell of the

New Statesman and Steve Connor, first of Computing and more recently

on the New Scientist. The inferences work this way: the only

computer manufacturer likely to be entrusted to supply so sensitive a

customer would be British and the single candidate would be ICL. You

must therefore look at their product range and decide which items

would be suitable for a really large, secure, real-time database

management job. In the late 1970s, the obvious path was the 2900

series, possibly doubled up and with substantive rapid-access disc

stores of the type EDS200.

 

 

Checking through back issues of trade papers it is possible to see

that just such a configuration, in fact a dual 2980 with a 2960 as

back-up and 20 gigabytes of disc store, were ordered for classified

database work by the Ministry of Defence. ICL, on questioning by

the journalists, confirmed that they had sold 3 such large systems:

two abroad and one for a UK government department. Campbell and

Connor were able to establish the site of the computer, in Mount Row,

London W1, and, in later stories, gave more detail, this time

obtained by a careful study of advertisements placed by two

recruitment agencies over several years. The main computer, for

example, has several minis attached to it, and at least 200

terminals. The journalists later went on to investigate details of

the networks--connections between National Insurance, Department of

Health, police and vehicle driving licence systems.

 

 

In fact, at a technical level, and still keeping to open sources,

you can build up even more detailed speculations about the MI5 main

computer.

 

 

** Page 55

 

 

ICL's communication protocols, CO1, CO2, CO3, are published items;

you can get terminal emulators to work on a PC, and both the company

and its employees have published accounts of their approaches to

database management systems, which, incidentally, integrate software

and hardware functions to an unusually high degree, giving speed but

also a great deal of security at fundamental operating system level.

 

 

Researching MI5 is an extreme example of what is possible; there

are few computer installations of which it is in the least difficult

to assemble an almost complete picture.

 

 

** Page 56

 

 

 

 

 

 

CHAPTER 6

 

 

Hackers' Techniques

 

 

The time has now come to sit at the keyboard, phone and modems at

the ready, relevant research materials convenient to hand and see

what you can access. In keeping with the 'handbook' nature of this

publication, I have put my most solid advice in the form of a

trouble-shooting appendix (I), so this chapter talks around the

techniques rather than spelling them out in great detail.

 

 

Hunting instincts



Good hacking, like birdwatching and many other

pursuits, depends ultimately on raising your intellectual knowledge

almost to instinctive levels. The novice twitcher will, on being told

'There's a kingfisher!', roam all over the skies looking for the

little bird and probably miss it. The experienced ornithologist will

immediately look low over a patch of water, possibly a section shaded

by trees, because kingfishers are known to gulp the sort of flies

that hover over streams and ponds. Similarly, a good deal of skilful

hacking depends on knowing what to expect and how to react. The

instinct takes time to grow, but the first step is understanding that

you need to develop it in the first place.

 

 

 

 

Tricks with phones

 

 

If you don't have a complete phone number for a target computer,

then you can get an auto-dialler and a little utility program to

locate it for you. You will find a flow-chart for a program in

Appendix VII. An examination of the phone numbers in the vicinity of

the target machine should give you a range within which to search.

The program then accesses the auto-dial mechanism of the modem and

'listens' for any whistles. The program should enable the phone line

to be disconnected after two or three 'rings' as auto-answer modems

have usually picked up by then.

 

 

Such programs and their associated hardware are a little more

complicated than the popularised portrayals suggest: you must have

software to run sequences of calls through your auto-dialler, the

hardware must tell you whether you have scored a 'hit' with a modem

or merely dialled a human being, and, since the whole point of the

exercise is that it works unattended, the process must generate a

list of numbers to try.

 

 

** Page 57

 

 

 

 

Logging on

 

 

You dial up, hear a whistle...and the VDU stays blank. What's gone

wrong? Assuming your equipment is not at fault, the answer must lie

either in a wrong speed setting or a wrong assumed protocol. Experienced

hackers listen to a whistle from an unknown computer before throwing

the data button on the modem or plunging the phone handset into the

rubber cups of an acoustic coupler. Different tones indicate

different speeds and the trained ear can easily detect the

difference--appendix III gives the common variants.

 

 

Some modems, particularly those on mainframes, can operate at more

than one speed; the user sets it by sending the appropriate number of

carriage returns. In a typical situation, the mainframe answers at

110 baud (for teletypewriters), and two carriage returns take it up

to 300 baud, the normal default for asynchronous working.

 

 

Some hosts will not respond until they receive a character from

the user. Try sending a space or a carriage return.

 

 

If these obvious things don't work and you continue to get no

response, try altering the protocol settings (see chapters 2 and 3).

A straightforward asynchronous protocol with 7-bit ASCII, odd or even

parity, and one start bit and one stop bit around each character is the norm, but

almost any variant is possible.

 

 

Once you start getting a stream from the host, you must evaluate

it to work out what to do next. Are all the lines over-writing each

other and not scrolling down the screen? Get your terminal software

to insert carriage returns. Are you getting a lot of corruption?

Check your phone connections and your protocols. The more familiar

you are with your terminal software at this point, the more rapidly

you will get results.

 

 

 

 

Passwords

 

 

Everyone thinks they know how to invent plausible and acceptable

passwords; here are the ones that seem to come up over and over

again:

 

 

HELP - TEST - TESTER - SYSTEM - SYSTEM - MANAGER - SYSMAN - SYSOP -

ENGINEER - OPS - OPERATIONS - CENTRAL - DEMO - DEMONSTRATION - AID -

DISPLAY - CALL - TERMINAL - EXTERNAL - REMOTE - CHECK - NET - NETWORK

- PHONE - FRED

 

 

** Page 58

 

 

Are you puzzled by the special inclusion of FRED? Look at your

computer keyboard sometime and see how easily the one-fingered typist

can find those four letters!

 

 

If you know of individuals likely to have legitimate access to a

system, find out what you can about them to see if you can

second-guess their choice of personal password. Own names, or those

of loved ones, or initials are the top favourites. Sometimes there is

some slight anagramming and other forms of obvious jumbling. If the

password is numeric, the obvious things to try are birthdays, home

phone numbers, vehicle numbers, bank account numbers (as displayed on

cheques) and so on.

 

 

Sometimes numeric passwords are even easier to guess: I have found

myself system manager of a private viewdata system simply by offering

it the password 1234567890 and other hackers have been astonished at

the results obtained from 11111111, 22222222 etc or 1010101, 2020202.

 

 

It is a good idea to see if you can work on the mentality and known

pre-occupations of the legitimate password holder: if he's keen on

classic rock'n'roll, you could try ELVIS; a gardener might choose

CLEMATIS; Tolkien readers almost invariably select FRODO or BILBO;

those who read Greek and Roman Literature at ancient universities

often assume that no one would ever guess a password like EURIPIDES;

it is a definitive rule that radio amateurs never use anything other

than their call-signs.

 

 

Military users like words like FEARLESS and VALIANT or TOPDOG;

universities, large companies and public corporations whose various

departments are known by acronyms (like the BBC) can find those

initials reappearing as passwords.
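The guessing patterns described above (the stock words, repeated and alternating digits, sequences such as 1234567890, keyboard walks like FRED, and passwords built from names, initials or phone numbers) can all be screened for mechanically before a password is accepted. The following is an added example in Python, not code from the book; it assumes a minimum length of 8 (the book quotes no figure), takes its common-word list from the words quoted above, and approximates the QWERTY layout as an aligned grid.

```python
"""Weak-password screening for the guessing patterns described in the text.

Added example, not from the book. Assumptions: a minimum length of 8,
a common-word list built from the words quoted above, and a QWERTY
layout with rows aligned column-for-column (an approximation of the
real staggered layout).
"""
import re

MIN_LENGTH = 8  # assumed policy value; the book gives no figure

# The words the text lists as the passwords that come up over and over again.
COMMON_WORDS = {
    "HELP", "TEST", "TESTER", "SYSTEM", "MANAGER", "SYSMAN", "SYSOP",
    "ENGINEER", "OPS", "OPERATIONS", "CENTRAL", "DEMO", "DEMONSTRATION",
    "AID", "DISPLAY", "CALL", "TERMINAL", "EXTERNAL", "REMOTE", "CHECK",
    "NET", "NETWORK", "PHONE", "FRED",
}

# QWERTY rows, used to spot 'one-fingered typist' walks such as FRED.
QWERTY_ROWS = ["1234567890", "QWERTYUIOP", "ASDFGHJKL", "ZXCVBNM"]
_KEY_POS = {ch: (r, c) for r, row in enumerate(QWERTY_ROWS) for c, ch in enumerate(row)}


def keyboard_adjacent(a, b):
    """True when two different keys touch on the (approximate) QWERTY grid."""
    if a == b or a not in _KEY_POS or b not in _KEY_POS:
        return False
    (r1, c1), (r2, c2) = _KEY_POS[a], _KEY_POS[b]
    return abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1


def _shortest_period(s):
    """Length of the shortest unit that, repeated, reproduces s (len(s) if none)."""
    for p in range(1, len(s)):
        if s == (s[:p] * (len(s) // p + 1))[:len(s)]:
            return p
    return len(s)


def _is_sequence(s):
    """Digits or letters stepping by one in either direction, with 0 following 9."""
    if len(s) < 4:
        return False
    if s.isdigit():
        steps = {(int(b) - int(a)) % 10 for a, b in zip(s, s[1:])}
        return steps in ({1}, {9})
    if s.isalpha():
        u = s.upper()
        steps = {ord(b) - ord(a) for a, b in zip(u, u[1:])}
        return steps in ({1}, {-1})
    return False


def _normalise(item):
    """Keep only letters and digits, upper-cased, so 'J. Smith' and '01-388 2333' compare cleanly."""
    return re.sub(r"[^A-Z0-9]", "", item.upper())


def weak_password_reasons(password, personal=()):
    """Return the reasons a password is guessable; an empty list means none were found.

    `personal` holds details known about the user (names, initials,
    birthdays, phone or vehicle numbers); each is checked forwards,
    reversed and as an anagram, covering the 'slight anagramming' the
    text mentions.
    """
    pw = password.strip()
    up = pw.upper()
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if up in COMMON_WORDS:
        reasons.append("common default word")
    if len(pw) >= 2 and _shortest_period(pw) <= 2:
        reasons.append("repeated or alternating pattern")
    if _is_sequence(pw):
        reasons.append("sequential characters")
    if len(up) >= 3 and all(keyboard_adjacent(a, b) for a, b in zip(up, up[1:])):
        reasons.append("adjacent keys on the keyboard")
    for item in personal:
        tok = _normalise(item)
        if len(tok) >= 3 and (tok in up or tok[::-1] in up or sorted(tok) == sorted(up)):
            reasons.append("derived from personal detail: %s" % item)
            break
    return reasons


if __name__ == "__main__":
    for candidate in ["FRED", "1234567890", "11111111", "1010101", "SENOJ", "Tq7!mRb2xW"]:
        print(candidate, weak_password_reasons(candidate, personal=["Jones"]) or "ok")
```

The `personal` list is what makes this more than a dictionary check: a system manager who knows the user's name, initials and phone extension can reject the obvious derivations at registration time, which is exactly the information the text says a guesser would start from.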

 

 

One less-publicised trick is to track down the name of the top

person in the organisation and guess a computer identity for them;

the hypothesis is that they were invited to try the computer when it

was first opened and were given an 'easy' password which has neither

been used since nor wiped from the user files. A related trick is to

identify passwords associated with the hardware or software

installer; usually the first job of a system manager on taking over a

computer is to remove such IDs, but often they neglect to do so.

Alternatively, a service engineer may have a permanent ID so that, if

the system falls over, it can be returned to full activity with the

minimum delay.

 

 

Nowadays there is little difficulty in devising theoretically

secure password systems, and bolstering them by allowing each user

only three false attempts before disconnecting the line, as

Prestel does, for example. The real difficulty lies in getting humans

to follow the appropriate procedures. Most of us can only hold a

limited quantity of character and number sequences reliably in our

heads.

 

 

** Page 59

 

 

Make a log-on sequence too complicated, and users will feel compelled

to write little notes to themselves, even if expressly forbidden to

do so. After a while the complicated process becomes

counter-productive. I have an encrypting/decrypting software package

for the IBM PC. It is undoubtedly many times more secure than the

famous Enigma codes of World War II and after. The trouble is that

you need up to 25 different 14-digit numbers of your

specification, which you and your correspondent must share if

successful recovery of the original text is to take place.

 

 

Unfortunately the most convenient way to store these sequences is

in a separate disk file (get one character wrong and decryption is

impossible) and it is all too easy to save the key file either with

the enciphered stream, or with the software master, in both of which

locations they are vulnerable.

 

 

Nowadays many ordinary users of remote computer services use

terminal emulator software to store their passwords. It is all too

easy for the hacker to make a quick copy of a 'proper' user's disk,

take it away, and then examine the contents of the various log-on

files--usually by going into an 'amend password' option. The way for

the legitimate user to obtain protection, other than the obvious one

of keeping such disks secure, is to have the terminal software itself

password protected, and all files encrypted until the correct

password is input. But then that new password has to be committed to

the owner's memory....

 

 

Passwords can also be embedded in the firmware of a terminal.

This is the approach used in many Prestel viewdata sets when the user

can, sometimes with the help of the Prestel computer, program his or

her set into an EAROM (Electrically Alterable Read Only Memory). If,

in the case of Prestel, the entire 14-digit sequence is permanently

programmed in the set, that identity (and the user bill associated

with it) is vulnerable to the first person who hits the 'viewdata'

button on the keypad. Most users only program in the first 10 digits

and key in the last four manually. A skilful hacker can make a

terminal disgorge its programmed ID by sticking a modem in

answer-mode on its back (reversing tones and, in the case of

viewdata, speeds also) and sending the ASCII ENQ (ctrl-E) character,

which will often cause the user's terminal to send its identity.

 

 

A more devious trick with a conventional terminal is to write a

little program which overlays the usual sign-on sequence. The program

captures the password as it is tapped out by the legitimate user and

saves it to a file where the hacker can retrieve it later.

 

 

** Page 60

 

 

People reuse their passwords. The chances are that, if you obtain

someone's password on one system, the same one will appear on another

system to which that individual also has access.

 

 

 

 

Programming tricks

 

 

In most longish magazine articles about electronic crime, the

writer includes a list of 'techniques' with names like Salami, Trap

Door and Trojan Horse. Most of these are not applicable to pure

hacking, but refer to activities carried out by programmers

interested in fraud.

 

 

The Salami technique, for example, consists of extracting tiny

sums of money from a large number of bank accounts and dumping the

proceeds into an account owned by the fraudsman. Typically there's

an algorithm which monitors deposits which have as their last digit

'8'; it then deducts '1' from that and then £1 or $1 is siphoned off.

 

 

The Trojan Horse is a more generalised technique which consists of

hiding away a bit of unorthodox active code in a standard legitimate

routine. The code could, for example, call a special larger routine

under certain conditions and that routine could carry out a rapid

fraud before wiping itself out and disappearing from the system for

good.

 

 

The Trap Door is perhaps the only one of these techniques that

pure hackers use. A typical case is when a hacker enters a system

with a legitimate identity but is able to access and alter the user

files. The hacker then creates a new identity with extra privileges

to roam over the system, and is thus able to enter it at any time as

a 'super-user' or 'system manager'.

 

 

 

 

Hardware tricks

 

 

For the hacker with some knowledge of computer hardware and

general electronics, and who is prepared to mess about with circuit

diagrams, a soldering iron and perhaps a voltmeter, logic probe or

oscilloscope, still further possibilities open up. One of the most

useful bits of kit consists of a small cheap radio receiver (MW/AM

band), a microphone and a tape recorder. Radios in the vicinity of

computers, modems and telephone lines can readily pick up the chirp

chirp of digital communications without the need of carrying out a

physical phone 'tap'.

 

 

Alternatively, an inductive loop with a small low-gain amplifier in

the vicinity of a telephone or line will give you a recording you can

analyse later at your leisure.

 

 

** Page 61

 

 

By identifying the pairs of tones being used, you can separate the

caller and the host. By feeding the recorded tones onto an

oscilloscope display you can freeze bits, 'characters' and 'words';

you can strip off the start and stop bits and, with the aid of an

ASCII-to-binary table, examine what is happening. With experience it

is entirely possible to identify a wide range of protocols simply

from the 'look' of an oscilloscope. A cruder technique is simply to

record and playback sign-on sequences; the limitation is that, even

if you manage to log on, you may not know what to do afterwards.
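The framing being stripped off here is the same one the 'Logging on' section describes as the norm: a start bit, 7-bit ASCII, a parity bit and a stop bit. The following is an added example in Python, not code from the book, that builds such a bit stream for a string, renders it the way it looks on a scope, and decodes it again while checking parity and stop bits. It models the bit stream only; a speed (baud) mismatch is not simulated, but a parity or framing mismatch is, because that is how a wrong setting shows up.

```python
"""Asynchronous character framing: start bit, 7 data bits, parity, stop bit.

Added example, not from the book. Bit-level only: baud-rate mismatches
are not modelled, parity and framing mismatches are.
"""

DATA_BITS = 7


def _parity_bit(data_bits, parity):
    """Parity bit for a list of data bits, or None when no parity is in use."""
    ones = sum(data_bits) & 1
    if parity == "even":
        return ones            # make the total number of 1s even
    if parity == "odd":
        return 1 - ones        # make the total number of 1s odd
    if parity == "none":
        return None
    raise ValueError("parity must be 'even', 'odd' or 'none'")


def frame_char(ch, parity="even"):
    """Bits on the line for one character: start (0), data LSB first, parity, stop (1)."""
    code = ord(ch)
    if code > 0x7F:
        raise ValueError("7-bit ASCII only: %r" % ch)
    data = [(code >> i) & 1 for i in range(DATA_BITS)]
    p = _parity_bit(data, parity)
    return [0] + data + ([] if p is None else [p]) + [1]


def frame_text(text, parity="even", idle_between=0):
    """Frame a whole string, optionally with idle (mark, 1) bits between characters."""
    bits = []
    for ch in text:
        bits += frame_char(ch, parity) + [1] * idle_between
    return bits


def decode_bits(bits, parity="even"):
    """Recover text from a captured bit stream using the given settings.

    Returns (text, errors). Each error is (kind, bit_offset) with kind
    'parity', 'framing' (stop bit is not a 1: usually wrong settings or
    speed) or 'truncated' (capture ended mid-character).
    """
    has_parity = parity != "none"
    frame_len = 1 + DATA_BITS + (1 if has_parity else 0) + 1
    out, errors, i = [], [], 0
    while i < len(bits):
        if bits[i] == 1:          # line idle (mark); keep looking for a start bit
            i += 1
            continue
        frame = bits[i:i + frame_len]
        if len(frame) < frame_len:
            errors.append(("truncated", i))
            break
        data = frame[1:1 + DATA_BITS]
        if has_parity and frame[1 + DATA_BITS] != _parity_bit(data, parity):
            errors.append(("parity", i))
        if frame[-1] != 1:
            errors.append(("framing", i))
        out.append(chr(sum(b << k for k, b in enumerate(data))))
        i += frame_len
    return "".join(out), errors


def trace(bits):
    """Render bits the way they look on a scope: '-' for mark (1), '_' for space (0)."""
    return "".join("-" if b else "_" for b in bits)


if __name__ == "__main__":
    capture = frame_text("LOGIN:")                         # constructed capture, even parity
    print(trace(capture))
    print(decode_bits(capture, "even"))                    # clean decode
    print(decode_bits(capture, "odd"))                     # every character reports a parity error
    print(decode_bits(frame_text("HI", "none"), "even"))   # framing errors: wrong settings
```

The third and fourth calls in the usage block are the diagnostic the 'Logging on' section gives in words: a stream that decodes to the right characters but reports a parity error on every one of them is a parity setting problem, while stop bits that read as 0 mean the receiver is slicing the stream at the wrong frame length (or, on a real line, at the wrong speed).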

 

 

Listening on phone lines is of course a technique also used by

some sophisticated robbers. In 1982 the Lloyds Bank Holborn branch

was raided; the alarm did not ring because the thieves had previously

recorded the 'all-clear' signal from the phone line and then, during

the break-in, stuffed the recording up the line to the alarm

monitoring apparatus.

 

 

Sometimes the hacker must devise ad hoc bits of hardware trickery

in order to achieve his ends. Access has been obtained to a

well-known financial prices service largely by stringing together a

series of simple hardware skills. The service is available mostly on

leased lines, as the normal vagaries of dial-up would be too

unreliable for the City folk who are the principal customers.

 

 

However, each terminal also has an associated dial-up facility, in

case the leased line should go down; and in addition, the same

terminals can have access to Prestel. Thus the hacker thought that it

should be possible to access the service with ordinary viewdata

equipment instead of the special units supplied along with the annual

subscription. Obtaining the phone number was relatively easy: it was

simply a matter of selecting manual dial-up from the appropriate

menu, and listening to the pulses as they went through the regular

phone.

 

 

The next step was to obtain a password. The owners of the terminal

to which the hacker had access did not know their ID; they had no

need to know it because it was programmed into the terminal and sent

automatically. The hacker could have put a micro 'back-to-front'

across the line and sent a ENQ to see if an ID would be sent back.

Instead he tried something less obvious.

 

 

The terminal was known to be programmable, provided one knew how

and had the right type of keyboard. Engineers belonging to the

service had been seen doing just that. How could the hacker acquire

'engineer' status? He produced the following hypothesis: the keyboard

used by the service's customers was a simple affair, lacking many of

the obvious keys used by normal terminals; the terminal itself was

manufactured by the same company that produced a range of editing

terminals for viewdata operators and publishers. Perhaps if one

obtained a manual for the editing terminal, important clues might

appear. A suitable photocopy was obtained and, lo and behold, there

were instructions for altering terminal IDs, setting auto-diallers

and so on.

 

 

** Page 62

 

 

Now to obtain a suitable keyboard. Perhaps a viewdata editing

keyboard or a general purpose ASCII keyboard with switchable baud

rates? So far, no hardware difficulties. An examination of the back

of the terminal revealed that the supplied keypads used rather

unusual connectors, not the 270° 6-pin DIN which is the Prestel

standard. The hacker looked in another of his old files and

discovered some literature relating to viewdata terminals. Now he

knew what sort of things to expect from the strange socket at the

back of the special terminal: he pushed in an unterminated plug and

proceeded to test the free leads with a volt-meter against what he

expected; eight minutes and some cursing later he had it worked out;

five minutes after that he had built himself a little patch cord

between an ASCII keyboard, set initially to 75 baud and then to 1200

baud as the most likely speeds; one minute later he found the

terminal was responding as he had hoped...

 

 

Now to see if there were similarities between the programming

commands in the equipment for which he had a manual and the equipment

he wished to hack. Indeed there were: on the screen before him was

the menu and ID and phone data he had hoped to see. The final test

was to move over to a conventional Prestel set, dial up the number

for the financial service and send the ID.

 

 

The hacker himself was remarkably uninterested in the financial

world and, after describing to me how he worked his trick, has now

gone in search of other targets.

 

 

 

 

Operating Systems

 

 

The majority of simple home micros operate only in two modes--

Basic or machine code. Nearly all computers of a size greater than

this use operating systems which are essentially housekeeping

routines and which tell the processor where to expect instructions

from, how to identify and manipulate both active and stored memory,

how to keep track of drives and serial ports (and joysticks and

mice), how to accept data from a keyboard and locate it on a screen,

how to dump results to screen or printer or disc drive, and so on.

Familiar micro-based operating systems include CP/M, MS-DOS, CP/M-86

and so on, but more advanced operating systems have more

facilities--capacity to allow several users all accessing the same

data and programs without colliding with each other, enlarged

standard utilities to make fast file creation, fast sorting and fast

calculation much easier. Under simple operating systems, the

programmer has comparatively few tools to help him; often there is

just the Basic language, which itself contains no standard

procedures--almost everything must be written from scratch each time.

 

 

** Page 63

 

 

But most computer programs rely, in essence, on a small set of

standard modules: forms to accept data to a program, files to keep

the data in, calculations to transform that data, techniques to sort

the data, forms to present the data to the user upon demand, the

ability to present results in various graphics, and so on. So

programs written under more advanced operating systems tend to be

comparatively briefer for the same end-result than those with Basic

acting not only as a language, but also as the computer's

housekeeper.

 

 

When you enter a mainframe computer as an ordinary customer, you

will almost certainly be located in an applications program, perhaps

with the capacity to call up a limited range of other applications

programs, whilst staying in the one which has logged you on as user

and is watching your connect-time and central processor usage.

 

 

One of the immediate aims of a serious hacker is to get out of

this environment and see what other facilities might be located on

the mainframe. For example, if access can be had to the user-log it

becomes possible for the hacker to create a whole new status for

himself, as a system manager, engineer, whatever. The new status,

together with a unique new password, can have all sorts of

privileges not granted to ordinary users. The hacker, having acquired

the new status, logs out in his original identity and then logs back

with his new one.
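Both this passage and the 'Trap Door' passage under 'Programming tricks' describe the same thing from the intruder's side: the user file is altered so that a new or elevated privileged identity exists. From the system manager's side, the detection is a comparison of the user file against a known-good snapshot. The following is an added example in Python, not code from the book and not the user-file format of any particular system; it assumes a colon-separated record of name, privilege, creation date and last login, and the two snapshots are constructed. It also flags privileged accounts that have never logged in, which is the stale installer or engineer identity the 'Passwords' section warns about.

```python
"""Audit a user file for the 'trap door' pattern: new or elevated privileged identities.

Added example, not from the book and not any real system's user-file
format. Assumed format: one record per line,
name:privilege:created:last_login, with 'never' for an account that has
not logged in. Both snapshots below are constructed.
"""

PRIVILEGED = {"manager", "operator"}   # assumed privilege names

# Constructed baseline snapshot, taken when the system was handed over.
BASELINE = """\
# name:privilege:created:last_login
jsmith:user:1984-01-10:1984-09-20
ops:operator:1983-05-02:1984-09-19
sysman:manager:1983-05-02:1984-09-21
field_eng:manager:1983-05-02:never
"""

# Constructed later snapshot: jsmith has been elevated and a new 'maint' identity has appeared.
CURRENT = """\
# name:privilege:created:last_login
jsmith:manager:1984-01-10:1984-09-21
ops:operator:1983-05-02:1984-09-21
sysman:manager:1983-05-02:1984-09-21
field_eng:manager:1983-05-02:never
maint:manager:1984-09-21:1984-09-21
"""


def parse_user_file(text):
    """Parse the assumed colon-separated format into {name: record}."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, priv, created, last_login = line.split(":")
        users[name] = {"priv": priv, "created": created, "last_login": last_login}
    return users


def audit_user_file(baseline_text, current_text, privileged=PRIVILEGED):
    """Compare two snapshots and return a list of (finding, name, detail) tuples."""
    base = parse_user_file(baseline_text)
    cur = parse_user_file(current_text)
    findings = []
    for name, rec in cur.items():
        if name not in base:
            kind = "new privileged account" if rec["priv"] in privileged else "new account"
            findings.append((kind, name, rec["priv"]))
        elif rec["priv"] != base[name]["priv"]:
            findings.append(("privilege changed", name,
                             "%s->%s" % (base[name]["priv"], rec["priv"])))
        # Installer or engineer identities that were never used are the stale IDs
        # the text says a new system manager should remove.
        if rec["priv"] in privileged and rec["last_login"] == "never":
            findings.append(("privileged account never used", name, rec["priv"]))
    for name, rec in base.items():
        if name not in cur:
            findings.append(("account removed", name, rec["priv"]))
    return findings


if __name__ == "__main__":
    for finding in audit_user_file(BASELINE, CURRENT):
        print(*finding)
```

Run against the constructed snapshots this reports the elevation of jsmith, the new manager-level `maint` identity, and the never-used `field_eng` account. The comparison only has value if the baseline is stored where a user-file edit cannot reach it; a baseline kept beside the user file on the same system is altered by the same trick.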

 

 

There is no single way to break out of an applications program

into the operating system environment; people who do so seldom manage

it by chance: they tend to have had some experience of a similar

mainframe. One of the corny ways is to issue a BREAK or ctrl-C

command and see what happens; but most applications programs

concerned with logging users on to systems tend to filter out

'disturbing' commands of that sort. Sometimes it is easier to go beyond

the logging-in program into another 'authorised' program and try

to crash out of that. The usual evidence for success is that the

nature of the prompts will change. Thus, on a well-known mini family

OS, the usual user prompt is

 

 

COMMAND ?

 

 

or simply

 

 

>

 

 

** Page 64

 

 

Once you have crashed out, the prompt may change to a simple

 

 

.

 

 

or

 

 

*

 

 

or even

 

 

:

 

 

it all depends.

 

 

To establish where you are in the system, you should ask for a directory; DIR or its obvious variants often give results. Directories may be hierarchical, as in MS-DOS version 2 and above, so that at the bottom level you simply get directories of other directories. Unix machines are very likely to exhibit this trait. And once you get a list of files and programs...well, that's where the exploration really begins.

 

 

In 1982, two Los Angeles hackers, still in their teens, devised one of the most sensational hacks so far, running all over the Pentagon's ARPA data exchange network. ARPAnet was and is the definitive packet-switched network (more about these in the next chapter). It has been running for twenty years, cost more than $500m and links together over 300 computers across the United States and beyond. Reputedly it has 5,000 legitimate customers, among them NORAD, North American Air Defence Headquarters at Omaha, Nebraska. Ron Austin and Kevin Poulsen were determined to explore it.

 

 

Their weapons were an old TRS-80 and a VIC-20, nothing complicated, and their first attempts relied on password-guessing. The fourth try, 'UCB', the obvious initials of the University of California at Berkeley, got them in. The password in fact was little used by its legitimate owner and in the end, it was to be their downfall.

 

 

Aspects of ARPAnet have been extensively written up in the text-books simply because it has so many features which were first tried there and have since become 'standard' on all data networks. From the bookshop at UCLA, the hackers purchased the manual for UNIX, the multi-tasking, multi-user operating system devised by Bell Laboratories, the experimental arm of AT&T, the USA's biggest telephone company.

 

 

** Page 65

 

 

At the heart of Unix is a small kernel containing system primitives; Unix instructions are enclosed in a series of shells, and very complicated procedures can be called in a small number of text lines simply by defining a few pipes linking shells. Unix also contains a large library of routines which are what you tend to find inside the shells. Directories of files are arranged in a tree-like fashion, with master or root directories leading to other directories, and so on.

 

 

Ron and Kevin needed to become system 'super-users' with extra privileges, if they were to explore the system properly; 'UCB' was merely an ordinary user. Armed with their knowledge of Unix, they set out to find the files containing legitimate users' passwords and names. Associated with each password was a Unix shell which defined the level of privilege. Ron wrote a routine which captured the privilege shell associated with a known super-user at the point when that user signed on and then dumped it into the shell associated with a little-used identity they had decided to adopt for their own explorations. They became 'Jim Miller'; the original super-user lost his network status. Other IDs were added. Captured privilege shells were hidden away in a small computer called Shasta at Stanford, at the heart of California's Silicon Valley.

 

 

Ron and Kevin were now super-users. They dropped into SRI, Stanford Research Institute, one of the world's great centres of scientific research; into the Rand Corporation, known equally for its extensive futurological forecasting and its 'thinking about the unthinkable', the processes of escalation to nuclear war; into the National Research Laboratory in Washington; into two private research firms back in California and two defence contractors on the East Coast; and across the Atlantic to the Norwegian Telecommunications Agency which, among other things, is widely believed to have a special role in watching Soviet Baltic activity. And, of course, NORAD.

 

 

Their running about had not gone unnoticed; ARPAnet and its constituent computers keep logs of activity as one form of security (see the section below) and officials both at UCLA (where they were puzzled to see an upsurge in activity by 'UCB') and in one of the defence contractors sounded an alarm. The KGB were suspected, the FBI alerted.

 

 

One person asked to act as sleuth was Brian Reid, a professor of electrical engineering at Stanford. He and his associates set up a series of system trips inside a Unix shell to notify them when certain IDs entered an ARPAnet computer. His first results seemed to indicate that the source of the hacking was Purdue, Indiana, but the strange IDs seemed to enter ARPAnet from all over the place.

 

 

** Page 66

 

 

Eventually, his researches led him to the Shasta computer and he had identified 'Miller' as the identity he had to nail. He closed off entry to Shasta from ARPAnet. 'Miller' reappeared, apparently via a gateway from another Stanford computer, Navajo. Reid, who in his sleuthing role had extremely high privileges, sought to wipe 'Miller' out of Navajo. A few minutes after 'Miller' had vanished from his screen, he reappeared from yet another local computer, Diablo. The concentration of hacking effort in the Stanford area led Reid to suppose that the origin of the trouble was local. The most effective way to catch the miscreant was by telephone trace. Accordingly, he prepared some tantalising, apparently private, files. This was bait, designed to keep 'Miller' online as long as possible while the FBI organised a telephone trace. 'Miller' duly appeared, the FBI went into action--and arrested an innocent businessman.

 

 

But back at UCLA they were still puzzling about 'UCB'. In one of his earliest sessions, Ron had answered a registration questionnaire with his own address, and things began to fall into place. In one of his last computer 'chats' before arrest, Kevin, then only 17 and only beginning to think that he and his friend might have someone on their trail, is supposed to have signed off: 'Got to go now, the FBI is knocking at my door.' A few hours later, that is exactly what happened.

 

 

 

 

Computer Security Methods

 

 

Hackers have to be aware of the hazards of being caught: there is now a new profession of computer security experts, and they have had some successes. The first thing such consultants do is to attempt to divide responsibility within a computer establishment as much as possible. Only operators are allowed physical access to the installation; only programmers can use the operating system (and under some of these, such as VM, maybe only part of it). Only system managers are permitted to validate passwords, and only the various classes of users are given access to the appropriate applications programs.

 

 

Next, if the operating system permits (it usually does), all accesses are logged; surveillance programs carry out an audit, which gives a historic record, and also, sometimes, perform monitoring, which is real-time surveillance.

 

 

In addition, separate programs may be in existence the sole purpose of which is threat monitoring: they test the system to see if anyone is trying repeatedly to log on without apparent success (say by using a program to try out various likely passwords).

 

 

** Page 67

 

 

They assess if any one port or terminal is getting more than usual usage, or if IDs other than a regular small list start using a particular terminal--as when a hacker obtains a legitimate ID but one that normally operates from only one terminal within close proximity to the main installation, whereas the hacker is calling from outside.

 

 

Increasingly, in newer mainframe installations, security is built into the operating system at hardware level. In older models this was not done, partly because the need was not perceived, but also because each such 'unnecessary' hardware call tended to slow the whole machine down. (If a computer must encrypt and decrypt every process before it is executed, regular calculations and data accesses take much longer.) However, the largest manufacturers now seem to have found viable solutions for this problem....

 

 

** Page 68

 

 

 

 

 

 

CHAPTER 7

 

 

 

 

Networks

 

 

Until ten years ago, the telecommunications and computer industries were almost entirely separate. Shortly they will be almost completely fused. Most of today's hackers operate largely in ignorance of what goes on in the lines and switching centres between the computer they own and the computer they wish to access. Increasingly, dedicated hackers are having to acquire knowledge and experience of data networks, a task made more interesting, but not easier, by the fact that the world's leading telecommunications organisations are pushing through an unprecedented rate of innovation, both technical and commercial. Apart from purely local low-speed working, computer communications are now almost exclusively found on separate high-speed data networks, separate that is from the two traditional telecommunications systems, telegraphy and telephone. Telex lines operate typically at 50 or 75 baud with an upper limit of 110 baud.

 

 

The highest efficient speed for telephone-line-based data is 1200 baud. All of these are pitifully slow compared with the internal speed of even the most sluggish computer. When system designers first came to evaluate what sort of facilities and performance would be needed for data communications, it became obvious that relatively few lessons would be drawn from the solutions already worked out in voice communications.

 

 

 

 

Analogue Networks

 

 

In voicegrade networks, the challenge had been to squeeze as many analogue signals down limited-size cables as possible. One of the earlier solutions, still very widely used, is frequency division multiplexing (FDM): each of the original speech paths is modulated onto one of a specific series of radio frequency carrier waves; each such rf wave is then suppressed at the transmitting source and reinserted close to the receiving position so that only one of the sidebands (the lower), the part that actually contains the intelligence of the transmission, is actually sent over the main data path. This is similar to ssb transmission in radio.

 

 

The entire series of suppressed carrier waves is then modulated onto a further carrier wave, which then becomes the main vehicle for taking the bundle of channels from one end of a line to the other.

 

 

** Page 69

 

 

Typically, a small coaxial cable can handle 60 to 120 channels in this way, but large cables (the type dropped on the beds of oceans and employing several stages of modulation) can carry 2700 analogue channels. Changing audio channels (as they leave the telephone instrument and enter the local exchange) into rf channels, as well as making frequency division multiplexing possible, also brings benefits in that over long circuits it is easier to amplify rf signals to overcome losses in the cable.

 

 

Just before World War II, the first theoretical work was carried out to find further ways of economising on cable usage; what was then developed is called Pulse Code Modulation (PCM).

 

 

There are several stages. In the first, an analogue signal is sampled at specific intervals to produce a series of pulses; this is called Pulse Amplitude Modulation, and takes advantage of the characteristic of the human ear that if such pulses are sent down a line with only a very small interval between them, the brain smoothes over the gaps and reconstitutes the entire original signal.

 

 

In the second stage, the levels of amplitude are sampled and translated into a binary code. The process of dividing an analogue signal into digital form and then reassembling it in analogue form is called quantization. Most PCM systems use 128 quantizing levels, each pulse being coded into 7 binary digits, with an eighth added for supervisory purposes.

 

 

OPERATION OF A CHARACTER TDM

                   +-----+-----+-----+-----+-----+-----+-----+--
            <------| SYN | CH1 | CH2 | CH3 | CH4 | SYN | CH1 |
                   +-----+-----+-----+-----+-----+-----+-----+--

      +-----------------+                          +-----------------+
    1 |                 |                          |                 | 1
    --+                 |  +---+          +---+    |                 +--
    2 |                 |  |   |          |   |    |                 | 2
    --+   MULTIPLEXER   |==+ M +--\/\/\/--+ M +==--+   MULTIPLEXER   +--
    3 |                 |  |   |          |   |    |                 | 3
    --+                 |  +---+          +---+    |                 +--
    4 |                 |                          |                 | 4
    --+-----------------+                          +-----------------+--

               --+-----+-----+-----+-----+-----+-----+----+
                 | CH1 | SYN | CH4 | CH3 | CH2 | CH1 |SYN |------->
               --+-----+-----+-----+-----+-----+-----+----+

                 <---------------------------->
                          ONE DATA FRAME

 

 

** Page 70

 

 

By interleaving coded characters in a high-speed digital stream it is possible to send several separate voice channels along one physical link. This process is called Time Division Multiplexing (TDM) and together with FDM still forms the basis of most of the globe's voicegrade communications.

 

 

 

 

Digital Networks

 

 

Elegant though these solutions are, they are rapidly being replaced by totally digital schemes. Analogue systems would be very wasteful when all that is being transmitted are the discrete audio tones of the output of a modem. In a speech circuit, the technology has to be able to 'hear', receive, digitize and reassemble the entire audio spectrum between 100 Hz and 3000 Hz, which is the usual passband of what we have come to expect from the audio quality of the telephone. Moreover, the technology must be sensitive to a wide range of amplitude; speech is made up of pitch and associated loudness. In a digital network, however, all one really wants to transmit are the digits, and it doesn't matter whether they are signified by audio tones, radio frequency values, voltage conditions or light pulses, just so long as there is circuitry at either end which can encode and decode.

 

 

There are other problems with voice transmission: once two parties have made a connection with each other (by the one dialling a number and the other lifting a handset), good sense has suggested that it was desirable to keep a total physical path open between them, it not being practical to close down the path during silences and re-open it when someone speaks. In any case the electromechanical nature of most of today's phone exchanges would make such turning off and on very cumbersome and noisy.

 

 

But with a purely digital transmission, routing of a 'call' doesn't have to be physical--individual blocks merely have to bear an electronic label of their originating and destination addresses, such addresses being 'read' in digital switching exchanges using chips, rather than electromechanical ones. Two benefits are thus simultaneously obtained: the valuable physical path (the cable or satellite link) is only in use when some intelligence is actually being transmitted and is not in use during 'silence'; secondly, switching can be much faster and more reliable.

 

 

 

 

Packet Switching

 

 

These ideas were synthesised into creating what has now become packet switching. The methods were first described in the mid-1960s but it was not until a decade later that suitable cheap technology existed to create a viable commercial service.

 

 

** Page 71

 

 

The British Telecom product is called Packet SwitchStream (PSS) and notable comparable US services are Compuserve, Telenet and Tymnet. Many other countries have their own services and international packet switching is entirely possible--the UK service is called, unsurprisingly, IPSS.

 

 

 

 

International Packet Switched Services and DNICs

 

 

INTERNATIONAL NETWORKS

 

 

Datacalls can be made to hosts on any listed International Networks. The DNIC (Data Network Identification Code) must precede the international host's NUA. Charges quoted are for duration (per hour) and volume (per Ksegment) and are raised in steps of 1 minute and 10 segments respectively.

 

 

Country              Network        DNIC

Australia            Midas          5053
Belgium              Euronet        2062
Belgium              Euronet        2063
Canada               Datapac        3020
Canada               Globedat       3025
Canada               Infoswitch     3029
Denmark              Euronet        2383
France               Transpac       2080
French Antilles      Euronet        3400
Germany (FDR)        Datex P        2624
Germany (FDR)        Euronet        2623
Hong Kong            IDAS           4542
Irish Republic       Euronet        2723
Italy                Euronet        2223
Japan                DDX-P          4401
Japan                Venus-P        4408
Luxembourg           Euronet        2703

 

 

** Page 72

 

 

Netherlands          Euronet        2043
Norway               Norpak         2422
Portugal             N/A            2682
Singapore            Telepac        5252
South Africa         Saponet        6550
Spain                TIDA           2141
Sweden               Telepak        2405
Switzerland          Datalink       2289
Switzerland          Euronet        2283
U.S.A.               Autonet        3126
U.S.A.               Compuserve     3132
U.S.A.               ITT (UDTS)     3103
U.S.A.               RCA (LSDS)     3113
U.S.A.               Telenet        3110
U.S.A.               Tymnet         3106
U.S.A.               Uninet         3125
U.S.A.               WUI (DBS)      3104

 

 

 

 

Additionally, Datacalls to the U.K. may be initiated from: Bahrain, Barbados, Bermuda, Israel, New Zealand and the United Arab Emirates.

 

 

Up to date information can be obtained from IPSS Marketing on 01-9362743

 

 

In essence, the service operates at 48kbits/sec full duplex (both directions simultaneously) and uses an extension of time division multiplexing. Transmission streams are separated into convenient-sized blocks or packets, each one of which contains a head and tail signifying origination and destination. The packets are assembled either by the originating computer or by a special facility supplied by the packet switch system. The packets in a single transmission stream may all follow the same physical path or may use alternate routes depending on congestion. The packets from one 'conversation' are very likely to be interleaved with packets from many other 'conversations'. The originating and receiving computers see none of this. At the receiving end, the various packets are stripped of their routing information, and re-assembled in the correct order before presentation to the computer's VDU or applications program.

 

 

** Page 73

 

 

PACKET ASSEMBLY/DISASSEMBLY

                                             +-------------------------
                                             |
                                             |   PSS
                                         +-----+
           o> o> o> o> o> o> o> o> o> o> |     | O> O> O>
  Terminal D=============================+ PAD +-==========
           <o <o <o <o <o <o <o <o <o <o |     | <O <O <O
                                         +-----+
                                             |
                                             |
                                             +-------------------------
  Key:
    o>  CHARACTERS        O>  PACKETS
    <o                    <O

 

 

All public data networks using packet switching seek to be compatible with each other, at least to a considerable degree. The international standard they have to implement is called CCITT X.25. This is a multi-layered protocol covering (potentially) everything from electrical connections to the user interface.

 

 

The levels work like this:

 7  APPLICATION    User interface
 6  PRESENTATION   Data formatting & code conversion
 5  SESSION        Co-ordination between processes
 4  TRANSPORT      Control of quality of service
 3  NETWORK        Set up and maintenance of connections
 2  DATA LINK      Reliable transfer between terminal and network
 1  PHYSICAL       Transfer of bitstream between terminal and network

 

 

** Page 74

 

 

At the moment international agreement has only been reached on the lowest three levels, Physical, Data Link and Network. Above that, there is a battle in progress between IBM, which has solutions to the problems under the name SNA (Systems Network Architecture) and most of the remainder of the principal mainframe manufacturers, whose solution is called OSI (Open Systems Interconnection).

 

 

 

 

Packet Switching and the Single User

 

 

So much for the background explanation. How does this affect the user? Single users can access packet switching in one of two principal ways. They can use special terminals able to create the data packets in an appropriate form--called Packet Terminals, in the jargon--and these sit on the packet switch circuit, accessing it via the nearest PSS exchange using a permanent dataline and modems operating at speeds of 2400, 4800, 9600 or 48K baud, depending on level of traffic. Alternatively, the customer can use an ordinary asynchronous terminal without packet-creating capabilities, and connect into a special PSS facility which handles the packet assembly for him. Such devices are called Packet Assembler/Disassemblers, or PADs. In the jargon, such users are said to have Character Terminals. PADs are accessed either via leased line at 300 or 1200, or via dial-up at those speeds, but also at 110 and 1200/75.

(In the original book there is a diagram showing Dial-up terminals and single users connecting to a PAD system and Packet Terminals directly connected to the PSS. Note added by Electronic Images)

** Page 75

 

 

Most readers of this book, if they have used packet switching at all, will have done so using their own computers as character terminals and by dialling into a PAD. The phone numbers of UK PADs can be found in the PSS directory, published by Telecom National Networks. In order to use PSS, you as an individual need a Network User Identity (NUI), which is registered at your local Packet Switch Exchange (PSE). The PAD at the PSE will throw you off if you don't give it a recognisable NUI. PADs are extremely flexible devices; they will configure their ports to suit your equipment, both as to speed and screen addressing, rather like a bulletin board (though to be accurate, it is the bulletin board which mimics the PAD).

 

 

Phone numbers to access PSS PADs

                        Terminal operating speed:
PSE (STD)              110 OR 300    1200/75     1200 Duplex

Aberdeen (0224)          642242       642484       642644
Birmingham (021)        2145139      2146191     241 3061
Bristol (0272)           216411       216511       216611
Cambridge (0223)          82511        82411        82111
Edinburgh (031)        337 9141     337 9121     337 9393
Glasgow (041)          204 2011     204 2031     204 2051
Leeds (0532)             470711       470611       470811
Liverpool (051)        211 0000     212 5127     213 6327
London (01)            825 9421     407 8344     928 2333
   or (01)             928 9111     928 3399     928 1737
Luton (0582)               8181         8191         8101
Manchester (061)       833 0242     833 0091     833 0631
Newcastle/Tyne (0632)    314171       314181       314161
Nottingham (0602)        881311       881411       881511
Portsmouth (0705)         53011        53911        53811
Reading (0734)           389111       380111       384111
(*)Slough (0753)           6141         6131         6171

(*)Local area code access to Slough is not available.
Switch the modem/dataphone to 'data' on receipt of data tone.

 

 

** Page 76

 

 

Next, you need the Network User Address (NUA) of the host you are calling. These are also available from the same directory: Cambridge University Computing Service's NUA is 234 222339399, BLAISE is 234 219200222, Istel is 234 252724241, and so on. The first four numbers are known as the DNIC (Data Network Identification Code); of these the first three are the country ('234' is the UK identifier), and the last one the specific service in that country, '2' signifying PSS. You can also get into Prestel via PSS, though for UK purposes it is an academic exercise: A9 234 1100 2018 gives you Prestel without the graphics (A9 indicates to the system that you have a teletype terminal).

 

 

Once you have been routed to the host computer of your choice, then it is exactly as if you were entering by direct dial; your password and so on will be requested. Costs of using PSS are governed by the number of packets exchanged, rather than the distance between two computers or the actual time of the call. A typical PSS session will thus contain the following running costs: local phone call to PAD (on regular phone bill, time-related), PSS charges (dependent on number of packets sent) and host computer bills (which could be time-related or be per record accessed or on fixed subscription).

 

 

Packet switching techniques are not confined to public data networks; Prestel uses them for its own mini-network between the various Retrieval Computers (the ones the public dial into) and the Update and Mailbox Computers, and also to handle Gateway connections. Most newer private networks are packet switched.

 

 

** Page 77

 

 

Value Added Networks (VANs) are basic telecoms networks or facilities to which some additional service--data processing or hosting of publishing ventures, for example--has been added.

 

 

Public Packet Switching, by offering easier and cheaper access, is a boon to the hacker. No longer does the hacker have to worry about the protocols that the host computer normally expects to see from its users. The X.25 protocol and the adaptability of the PAD mean that the hacker with even lowest quality asynchronous comms can talk to anything on the network. The tariff structure, favouring packets exchanged and not distance, means that any computer anywhere in the world can be a target.

 

 

Austin and Poulsen, the ARPAnet hackers, made dramatic use of a private packet-switched net; the Milwaukee 414s ran around GTE's Telenet service, one of the biggest public systems in the US. Their self-adopted name comes from the telephone area code for Milwaukee, a city chiefly known hitherto as a centre of the American beer industry. During the Spring and Summer of 1983, using publicly published directories, and the usual guessing games about pass-numbers and pass-words, the 414s dropped into the Security Pacific Bank in Los Angeles, the Sloan-Kettering Cancer Clinic in New York (it is still not clear to me if they actually altered patients' records or merely looked at them), a Canadian cement company and the Los Alamos research laboratory in New Mexico, home of the atomic bomb, and where work on nuclear weapons continues to this day. It is believed that they saw there 'sensitive' but not 'classified' files.

 

 

Commenting about their activities, one prominent computer security consultant, Joseph Coates, said: 'The Milwaukee babies are great, the kind of kids anyone would like their own to be...There's nothing wrong with those kids. The problem is with the idiots who sold the system and the ignorant people who bought it. Nobody should buy a computer without knowing how much security is built in....You have the timid dealing with the foolish.'

 

 

During the first couple of months of 1984, British hackers carried out a thorough exploration of SERCNET, the private packet-switched network sponsored by the Science and Engineering Research Council and centred on the Rutherford Appleton Laboratory in Cambridge. It links together all the science and technology universities and polytechnics in the United Kingdom and has gateways to PSS and CERN (European Nuclear Research).

 

 

** Page 78

 

 

Almost every type of mainframe and large mini-computer can be discovered hanging on to the system, IBM 3032 and 370 at Rutherford itself, Prime 400s, 550s and 750s all over the place, VAX 11/780s at Oxford, Daresbury, other VAXs at Durham, Cambridge, York, East Anglia and Newcastle, large numbers of GEC 4000 family members, and the odd PDP11 running Unix.

 

 

Penetration was first achieved when a telephone number appeared on a popular hobbyist bulletin board, together with the suggestion that the instruction 'CALL 40' might give results. It was soon discovered that if the hacker typed DEMO when asked for name and establishment, things started to happen. For several days hackers left each other messages on the hobbyist bulletin board, reporting progress, or the lack of it. Eventually, it became obvious that DEMO was supposed, as its name suggests, to be a limited facilities demonstration for casual users, but that it had been insecurely set up.

 

 

I can remember the night I pulled down the system manual, which had been left in an electronic file, watching page after page scroll down my VDU at 300 baud. All I had had to do was type the word 'GUIDE'. I remember also fetching down lists of addresses and mnemonics of SERCNET members. Included in the manual were extensive descriptions of the network protocols and their relation to 'standard' PSS-style networks.

 

 

As I complete this chapter I know that certain forms of access to SERCNET have been shut off, but that hacker exploration appears to continue. Some of the best hacker stories do not have a definite ending. I offer some brief extracts from captured SERCNET sessions.

 

 

03EOEHaae NODE 3.
Which Service?
PAD
COM
PAD>CALL 40
Welcome to SERCNET-PSS Gateway. Type HELP for help.

 

 

Gatew::~cInkging in
user HELP
ID last used Wednesday, 18 January 1984 16:53
Started - Wed 18 Jan 1984 17:07:55
Please enter your name and establishment DEMO
Due to a local FTP problem messages entered via the HELP system
during the last month have been lost. Please resubmit if
problem/question is still outstanding 9/1/84

 

 

No authorisation is required for calls which do not incur charges at
the Gateway. There is now special support for TELEX. A TELEX service
may be announced shortly.

 

 

 

 

Copies of the PSS Guide issue 4 are available on request to Program
Advisory Office at RAL, telephone 0235 44 6111 (direct dial in) or
0235 21900 Ext 6111. Requests for copies should no longer be placed
in this help system.

 

 

The following options are available:

 

 

** Page 79

 

 

NOTES GUIDE TITLES ERRORS EXAMPLES HELP QUIT
Which option do you require? GUIDE
The program 'VIEW' is used to display the Gateway guide
Commands available are:
<CR> or N    next page
p            previous page
n            list page n
+n or -n     go forward or back n pages
S            first page
E            last page
L/string     find line containing string
F/string     find line beginning string
Q            exit from VIEW

 

 

VIEW Vn 6> Q
The following options are available:

 

 

NOTES GUIDE TITLES ERRORS EXAMPLES HELP QUIT
Which option do you require? HELP
NOTES    replies to user queries & other notes
GUIDE    is the complete Gateway user guide (including the Appendices)
TITLES   is a list of SERCNET & PSS addresses & mnemonics (Guide Appendix 1)
ERRORS   list of error codes you may receive
EXAMPLES are some examples of use of the Gateway (Guide Appendix 2)
QUIT     exits from this session

 

 

The following options are available:

NOTES GUIDE TITLES ERRORS EXAMPLES HELP QUIT
Which option do you require? TITLES

 

 

VIEW Vn o>

 

 

If you have any comments, please type them now, terminate with E
on a line on its own. Otherwise just type <cr>

 

 

CPU used: 2 ieu, Elapsed: 14 mins, IO: 2380 units, Break: 114
Budgets: this period = 32.000 AUs, used = 0.015 AU, left = 29.161 AUs
User HELP terminal 2 logged out Wed 18 Jan 1984 17:21:59

 

 

84/04/18. 18.47.00.
I.C.C.C. NETWORK OPERATING SYSTEM. NOS 1.1-430.20A
USER NUMBER:
PASSWORD:
IMPROPER LOG IN, TRY AGAIN.
USER NUMBER:
PASSWORD:

 

 

>SCIENCE AND ENGINEERING RESEARCH COUNCIL

>RUTHERFORD APPLETON LABORATORY
COMPUTING DIVISION
>
> The SERCNET - PSS Gateway

 

 

> User's Guide

 

 

A S Dunn

 

 

>Issue 4 16 February 1983

 

 

 

 

>Introduction

 

 

** Page 80

 

 

 

 

Frm 1; Next>
The SERCNET-PSS Gateway provides access from SERCNET to PSS and PSS to SERCNET. It functions as a 'straight through' connection between the networks, ie it is protocol transparent. It operates as a Transport Level gateway, in accordance with the 'Yellow book' Transport Service. However the present implementation does not have a full Transport Service, and therefore there are some limitations in the service provided. For X29, which is incompatible with the Yellow book Transport Service, special facilities are provided for the input of user identification and addresses.

 

 

No protocol conversion facilities are provided by the Gateway - protocol conversion facilities (eg X29 - TS29) can be provided by calling through a third party machine (usually on SERCNET).

 

 

The Transport Service addressing has been extended to include

authorisation fields, so that users can be billed for any charges

they incur.

 

 

The Gateway also provides facilities for users to inspect their

accounts and change their passwords, and also a limited HELP

facility.

 

 

User Interface

 

 

The interface which the user sees will depend on the local equipment

to

Frm 2; Next>

 

 

which he is attached. This may be a PAD in which case he will

probably be using the X29 protocol, or a HOST (DTE) in which case he

might be using FTP for example. The local equipment must have some

way of generating a Transport Service Called Address for the Gateway,

which also includes an authorisation field - the format of this is

described below. The documentation for the local system must

therefore be consulted in order to find out how to generate the

Transport Service Called Address. Some examples are given in Appendix 2.

 

 

A facility is provided for the benefit of users without access to the

'Fast Select' facility, eg BT PAD users (but available to all X29

terminal users) whereby either a minimal address can be included in

the Call User Data Field or an X25 subaddress can be used and the

Call User Data Field left absent.

 

 

The authorisation and address can then be entered when prompted by

the Gateway.

 

 

 

 

Unauthorised Use

Frm 5: Next>

 

 

No unauthorised use of the Gateway is allowed regardless of whether

charges are incurred at the Gateway or not.

 

 

However, there is an account DEMO (password will be supplied on

request) with a small allocation which is available for users to try

out the Gateway but it should be noted that excessive use of this

account will soon exhaust the allocation thus depriving others of its

use.

 

 

Prospective users of the Gateway should first contact User Interface

Group in the Computing Division of the Rutherford Appleton

Laboratory.

 

 

Addressing

 

 

To connect a call through the Gateway the following information is

required in the Transport Service Called Address:

 

 

1) The name of the called network

2) Authorisation, consisting of a USERID, PASSWORD and ACCOUNT, and

optionally, a reverse charging request

3) The address of the target host on the called network

 

 

The format is as follows:

 

 

<netname>(<authorisation>).<host address>

 

 

1) <Netname> is one of the following:

 

 

** Page 81

 

 

SERCNET to connect to the SERC network

PSS to connect to PSS

S an alias for SERCNET

69 another alias for SERCNET

 

 

2) <Authorisation> is a list of positional or keyword

parameters or booleans as follows:

 

 

keyword Meaning

 

 

US User identifier

PW User's password

AC the account - not used at present - taken to be the same as US

RP 'reply paid' request (see below)

R reverse charging indicator (boolean)

 

 

Keywords are separated from their values by '='.

Keyword-value pairs, positional parameters and booleans are separated

from each other by ','. The whole string is enclosed in parentheses:

().

 

 

Examples:

 

 

(FRED,XYZ,R)

(US=FRED,PW=XYZ,R)

(R,PW=XYZ,US=FRED)

 

 

All the above have exactly the same meaning. The first form is the

most usual.

 

 

When using positionals, the order is: US,PW,AC,RP,R

 

 

 

 

3) <Host address> is the address of the machine being called on the

target network. It may be a compound address, giving the service

within the target machine to be used. It may begin with a mnemonic

instead of a full DTE address. A list of current mnemonics for both

SERCNET and PSS is given in Appendix 1.

 

 

A restriction of using the Gateway is that where a Transport Service

address (service name) is required by the target machine to identify

the service to be used, then this must be included explicitly by the

user in the Transport Service Called Address, and not assumed from

the mnemonic, since the Gateway cannot know from the mnemonic which

protocol is being used.

 

 

Examples:

 

 

RLGB.FTP

4.FTP

 

 

Both the above would refer to the FTP service on the GEC 'B' machine

at Rutherford.

 

 

RLGB alone would in fact connect to the X29 server, since no service

name is Frm 7; Next>

required for X29.

 

 

In order to enable subaddresses to be entered more easily with PSS

addresses, the delimiter '-' can be used to delimit a mnemonic. When

the mnemonic is translated to an address the delimiting '-' is

deleted so that the following string is combined with the address.

Eg:

 

 

SERC-99 is translated to 23422351919199

 

 

Putting the abovementioned three components together, a full

Transport Service Called Address might look like:

 

 

S(FRED,XYZ,R).RLGB.FTP

 

 

** Page 82

 

 

Of course a request for reverse charging on SERCNET is meaningless,

but not illegal.
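The address format above as a parser, added here as an example rather than the Gateway's own code; the SERC mnemonic value is derived from the SERC-99 example in the text, while the RLGB entry and the function and class names are assumptions.

```python
"""Parser for the Gateway's Transport Service Called Address (added example,
not code from the SERCNET-PSS Gateway). It implements the format described
above, <netname>(<authorisation>).<host address>, with the positional order
US,PW,AC,RP,R, keyword pairs, the R and RP booleans and the '-' mnemonic
delimiter. Only the SERC mnemonic is derived from the text (SERC-99 ->
23422351919199); the RLGB entry is a constructed placeholder."""
from dataclasses import dataclass
from typing import Dict, Optional, Union

NETNAMES = {"SERCNET": "SERCNET", "S": "SERCNET", "69": "SERCNET", "PSS": "PSS"}
POSITIONAL = ("US", "PW", "AC", "RP", "R")     # order of positional parameters
BOOLEANS = ("RP", "R")                          # keywords usable without a value
MNEMONICS = {
    "SERC": "234223519191",        # SERC-99 is translated to 23422351919199
    "RLGB": "000000000000",        # placeholder, not the real DTE address
}


@dataclass
class Authorisation:
    user: str
    password: str
    account: str            # AC: not used at present, taken to be the same as US
    reply_paid: int         # RP count; RP as a bare boolean means 1
    reverse_charge: bool    # R


@dataclass
class CalledAddress:
    network: str
    auth: Authorisation
    host: str                      # DTE address after mnemonic translation
    service: Optional[str]         # explicit service name (FTP, TS29), if any


def parse_authorisation(text: str) -> Authorisation:
    """Parse '(...)' holding positional parameters, keyword=value pairs and
    booleans in any mixture; (FRED,XYZ,R), (US=FRED,PW=XYZ,R) and
    (R,PW=XYZ,US=FRED) all yield the same result."""
    if len(text) < 2 or text[0] != "(" or text[-1] != ")":
        raise ValueError("authorisation must be enclosed in parentheses")
    values: Dict[str, Union[str, bool]] = {}
    position = 0
    for token in text[1:-1].split(","):
        token = token.strip()
        if not token:
            continue
        if "=" in token:
            key, _, value = token.partition("=")
            key = key.upper()
            if key not in POSITIONAL:
                raise ValueError(f"unknown keyword {key}")
            values[key] = value
        elif token.upper() in BOOLEANS:
            values[token.upper()] = True
        else:
            # Positional: fill the next slot in US,PW,AC,RP,R order not yet set.
            while position < len(POSITIONAL) and POSITIONAL[position] in values:
                position += 1
            if position == len(POSITIONAL):
                raise ValueError("too many positional parameters")
            values[POSITIONAL[position]] = token
            position += 1
    if "US" not in values or "PW" not in values:
        raise ValueError("USERID and PASSWORD are both required")
    rp = values.get("RP", 0)
    return Authorisation(
        user=str(values["US"]),
        password=str(values["PW"]),
        account=str(values.get("AC", values["US"])),
        reply_paid=1 if rp is True else int(rp),
        reverse_charge=bool(values.get("R", False)),
    )


def translate_mnemonic(host: str) -> str:
    """Replace a leading mnemonic by its DTE address. With the '-' delimiter the
    mnemonic is translated, the '-' deleted and the remainder appended."""
    name, dash, suffix = host.partition("-")
    if dash:
        if name.upper() not in MNEMONICS:
            raise ValueError(f"unknown mnemonic {name}")
        return MNEMONICS[name.upper()] + suffix
    return MNEMONICS.get(host.upper(), host)    # full DTE address passes through


def parse_called_address(text: str) -> CalledAddress:
    """Split <netname>(<authorisation>).<host address>[.<service>]."""
    open_paren = text.find("(")
    close_paren = text.find(")", open_paren)
    if open_paren <= 0 or close_paren < 0:
        raise ValueError("expected <netname>(<authorisation>).<host address>")
    netname = text[:open_paren].upper()
    if netname not in NETNAMES:
        raise ValueError(f"unknown network {netname}")
    auth = parse_authorisation(text[open_paren:close_paren + 1])
    rest = text[close_paren + 1:]
    if not rest.startswith(".") or len(rest) < 2:
        raise ValueError("host address must follow the authorisation after '.'")
    host, _, service = rest[1:].partition(".")
    return CalledAddress(NETNAMES[netname], auth, translate_mnemonic(host), service or None)
```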

 

 

Reply Paid Facility (Omit at first reading)

 

 

In many circumstances it is necessary for temporary authorisation to

be passed to a third party. For example, the recipient of network

MAIL may not himself be authorised to use the Gateway, and therefore

the sender may wish to grant him temporary authorisation in order to

reply. With the Job Transfer and Manipulation protocol, there is a

requirement to return output documents from jobs which have been

executed on a remote site.

 

 

The reply paid facility is invoked by including the RP keyword in the

authorisation. It can be used either as a boolean or as a

keyword-value pair. When used as a boolean, a default value of 1 is

assumed.

 

 

The value of the RP parameter indicates the number of reply paid

calls which are to be authorised. All calls which use the reply paid

authorisation will be charged to the account of the user who

initiated the reply paid authorisation.

 

 

Frm 9; Next:

 

 

The reply paid authorisation parameters are transmitted to the

destination address of a call as a temporary user name and password

in the Transport Service Calling Address. The temporary user name and

password are in a form available for use by automatic systems in

setting up a reply to the address which initiated the original call.

 

 

Each time a successful call is completed using the temporary user

name and password, the number of reply paid authorisations is reduced

by 1, until there are none left, when no further replies are allowed.

In addition there is an expiry date of 1 week, after which the

authorisations are cancelled.

 

 

In the event of call failures and error situations, it is important

that the effects are clearly defined. In the following definitions,

the term 'fail' is used to refer to any call which terminates with

either a non-zero clearing cause or diagnostic code or both,

regardless of whether data has been communicated or not. The rules

are defined as follows:

 

 

1) If a call which has requested reply paid authorisation fails for

any reason, then the reply paid authorisation is not set up.

 

 

2) If the Gateway is unable to set up the reply paid authorisation

for any reason (eg insufficient space), then the call requesting the

authorisation will be refused.

 

 

3) A call which is using reply paid authorisation may not create

another reply paid authorisation.

 

 

4) If a call which is using reply paid authorisation fails due to a

network error (clearing cause non zero) then the reply paid count is

not reduced.

 

 

5) If a call which is using reply paid authorisation fails due to a

host clearing (clearing cause zero, diagnostic code non-zero) then

the reply paid count is reduced, except where the total number of

segments transferred on the call is zero (ie call setup was never

completed).
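The reply paid count-down, its one-week expiry and failure rules 1 to 5 as a small accounting model, added here as an example rather than the Gateway's own code; the temporary user name and password format, the capacity limit standing in for 'insufficient space', and the call outcome parameters (clearing cause, diagnostic code, segment count) are assumptions.

```python
"""Model of the Gateway's reply paid accounting (added example, not the
Gateway's own code). It implements the count-down, the one-week expiry and
failure rules 1 to 5 described above. The form of the temporary user name
and password is not given in the text, so the values used here are
constructed placeholders."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional
import secrets

EXPIRY = timedelta(weeks=1)


class GatewayError(Exception):
    """The Gateway refuses the call."""


@dataclass
class ReplyPaid:
    owner: str            # account charged for every call using this authorisation
    temp_user: str
    temp_password: str
    remaining: int        # number of reply paid calls still authorised
    expires: datetime

    def usable(self, now: datetime) -> bool:
        return self.remaining > 0 and now < self.expires


class Gateway:
    def __init__(self, capacity: int = 100):
        self.capacity = capacity                  # space for authorisations (rule 2)
        self.active: Dict[str, ReplyPaid] = {}
        self._serial = 0

    def call_requesting_rp(self, owner: str, rp_count: int, now: datetime,
                           clearing_cause: int, diagnostic: int,
                           using_rp: bool = False) -> Optional[ReplyPaid]:
        """A call whose authorisation carries RP=<rp_count>. Returns the new
        authorisation, or None when the call itself failed (rule 1)."""
        if using_rp:
            raise GatewayError("rule 3: a reply paid call may not create another")
        if len(self.active) >= self.capacity:
            raise GatewayError("rule 2: insufficient space, call refused")
        if clearing_cause != 0 or diagnostic != 0:
            return None                           # rule 1: nothing is set up
        self._serial += 1
        rp = ReplyPaid(owner, f"RP{self._serial:04d}", secrets.token_hex(4),
                       rp_count, now + EXPIRY)
        self.active[rp.temp_user] = rp            # sent in the Calling Address
        return rp

    def call_using_rp(self, temp_user: str, temp_password: str, now: datetime,
                      clearing_cause: int, diagnostic: int, segments: int) -> str:
        """A reply authorised by the temporary user name and password. Returns
        the account to charge and adjusts the count per rules 4 and 5."""
        rp = self.active.get(temp_user)
        if (rp is None or not rp.usable(now)
                or not secrets.compare_digest(rp.temp_password, temp_password)):
            raise GatewayError("reply paid authorisation invalid, exhausted or expired")
        if clearing_cause != 0:
            pass                                  # rule 4: network error, no reduction
        elif diagnostic != 0 and segments == 0:
            pass                                  # rule 5 exception: setup never completed
        else:
            rp.remaining -= 1                     # success, or host clearing after setup
        if rp.remaining == 0:
            del self.active[temp_user]            # no further replies allowed
        return rp.owner


if __name__ == "__main__":
    gw = Gateway()
    t0 = datetime(1983, 2, 16, 12, 0)
    rp = gw.call_requesting_rp("FRED", 2, t0, 0, 0)
    gw.call_using_rp(rp.temp_user, rp.temp_password, t0, 3, 0, 10)   # network error
    print(rp.remaining)                                               # still 2
```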

 

 

Frm 11; Next?

 

 

X29 Terminal Protocol

 

 

There is a problem in that X29 is incompatible with the Transport

Service. For this reason, it is possible that some PAD

implementations will be unable to generate the Transport Service

Called Address. Also some PADs, eg the British Telecom PAD, may be

unable to generate Fast Select calls - this means that the Call User

Data Field is only 12 bytes long - insufficient to hold the Transport

Service Address.

 

 

If a PAD is able to insert a text string into the Call User Data Field

beginning at the fifth byte, but is restricted to 12 characters

because of inability to generate Fast Select calls, then a partial

address can be included consisting of either the network name being

called, or the network name plus authorisation.

 

 

** Page 83

 

 

The first character is treated as a delimiter, and should be entered

as the character '@'. This is followed by the name of the called

network - SERCNET.

 

 

Alternatively, if the PAD is incapable of generating a Call User Data

Field, then the network name can be entered as an X25 subaddress. The

mechanism employed by the Gateway is to transcribe the X25 subaddress

to the beginning of the Transport Service Called Address, converting

the digits of the subaddress into ASCII characters in the process.

Note that this means only SERCNET can be called with this method at

present by using subaddress 69.

 

 

The response from the Gateway will be the following message:

 

 

Please enter your authorisation and address required in form:

(user,password).address

 

 

Reply with the appropriate response eg:

 

 

(FRED,XYZ).RLGB

 

 

There is a timeout of between 3 and 4 minutes for this response,

after which the call will be cleared. There is no limit to the number

of attempts which may be made within this time limit - if the

authorisation or address entered is invalid, the Gateway will request

it again. To abandon the attempt, the call should be cleared from the

local PAD.

 

 

A restriction of this method of use of the Gateway is that a call

must be correctly authorised by the Gateway before charging can

begin, thus reverse charge calls from PSS which do not contain

authorisation in the Call Request packet will be refused. However it

is possible to include the authorisation but not the address in the

Call Request packet. The authorisation must then be entered again

together with the address when requested by the Gateway.

 

 

The above also applies when using a subaddress to identify the called

network. In this case the Call User Data Field will contain only the

authorisation in parentheses (preceded by the delimiter '@').

 

 


 

 

Due to the lack of a Transport Service ACCEPT primitive in X29 it will be

found, on some PADs, that a 'call connected' message will appear on the

terminal as soon as the call has been connected to the Gateway. The 'call

connected' message should not be taken to imply that contact has been made

with the ultimate destination. The Gateway will output a message 'Call

connected to remote address' when the connection has been established.

 

 

Frm 14; Next

 

 

ITP Terminal Protocol

 

 

The terminal protocol ITP is used extensively on SERCNET and some

hosts support only this terminal protocol. Thus it will not be

possible to make calls directly between these hosts on SERCNET and

addresses on PSS which support only X29 or TS29. In these cases it

will be necessary to go through an intermediate machine on SERCNET

which supports both X29 and ITP or TS29 and ITP, such as a GEC ITP.

This is done by first making a call to the GEC MUM, and then making

an outgoing call from there to the desired destination.

 

 

TS29 Terminal Protocol

 

 

This is the ideal protocol to use through the Gateway, since there

should be no problem about entering the Transport Service address.

However, it is advisable first to ascertain that the machine to be

called will support

 

 

When using this protocol, the service name of the TS29 server should be

entered explicitly, eg:

 

 

** Page 84

 

 

S(FRED,XYZ).RLGB.TS29

 

 

Restrictions

 

 

Due to the present lack of a full Transport Service in the Gateway,

some primitives are not fully supported.

 

 

In particular, the ADDRESS, DISCONNECT and RESET primitives are not

fully supported. However this should not present serious problems,

since the ADDRESS and RESET primitives are not widely used, and the

DISCONNECT primitive can be carried in a Clear Request packet.

 

 

IPSS

Access to IPSS is through PSS. Just enter the IPSS address in place

of the PSS address.

 

 

................ and on and on for 17 pages

 

 

** Page 85

 

 

 

 

 

 

CHAPTER 8

 

 

 

 

Viewdata Systems

 

 

Viewdata, or videotex, has had a curious history. At one stage, in

the late 1970s, it was possible to believe that it was about to take

over the world, giving computer power to the masses via their

domestic tv sets. It was revolutionary in the time it was developed,

around 1975, in research laboratories owned by what was then called

the Post Office, but which is now British Telecom. It had a

colour-and-graphics display, a user-friendly means of talking to it

at a time when most computers needed precise grunts to make them

work, and the ordinary layperson could learn how to use it in five

minutes.

 

 

The viewdata revolution never happened, because Prestel, its most

public incarnation, was mismarketed by its owners, British Telecom,

and because, in its original version, it is simply too clumsy and

limited to handle more sophisticated applications. All information is

held on electronic file cards which can easily be either too big or

too small for a particular answer and the only way you can obtain the

desired information is by keying numbers, trundling down endless

indices. In the early days of Prestel, most of what you got was

indices, not substantive information. By the time that viewdata sets

were supposed to exist in their hundreds of thousands, home

computers, which had not been predicted at all when viewdata first

appeared, had already sold into the millionth British home.

 

 

Yet private viewdata, mini-computers configured to look like

Prestel and to use the same special terminals, has been a modest

success. At the time of writing there are between 120 and 150

significant installations. They have been set up partly to serve the

needs of individual companies, but also to help particular trades,

industries and professions. The falling cost of viewdata terminals

has made private systems attractive to the travel trade, to retail

stores, the motor trade, to some local authorities and to the

financial world.

 

 

** Page 86

 

 

The hacker, armed with a dumb viewdata set, or with a software

fix for his micro, can go ahead and explore these services. At the

beginning of this book, I said my first hack was of a viewdata

service, Viditel, the Dutch system. It is astonishing how many

British hackers have had a similar experience. Indeed, the habit of

viewdata hacking has spread throughout Europe also: the wonderfully

named Chaos Computer Club of Hamburg had some well-publicised fun

with Bildschirmtext, the West German Prestel equivalent

colloquially-named Btx.

 

 

What they appear to have done was to acquire the password of the

Hamburger Sparkasse, the country's biggest savings bank group.

Whereas telebanking is a relatively modest part of Prestel --the

service is called Homelink--the West German banks have been a

powerful presence on Btx since its earliest days. In fact, another

Hamburg bank, the Verbraucher Bank, was responsible for the world's

first viewdata Gateway, for once in this technology, showing the

British the way. The 25-member Chaos Computer Club probably acquired

the password as a result of the carelessness of a bank employee.

Having done so, they set about accessing the bank's own, rather high

priced, pages, some of which cost almost DM10 (£2.70). In a

deliberate demonstration, the Club then set a computer to

systematically call the pages over and over again, achieving a

re-access rate of one page every 20 seconds. During a weekend in

mid-November 1984, they made more than 13,000 accesses and ran up a

notional bill of DM135,000 (£36,000). Information Providers, of

course, are not charged for looking at their own pages, so no bill

was payable and the real cost of the hack was embarrassment.

 

 

In hacking terms, the Hamburg hack was relatively trivial--simple

password acquisition. Much more sophisticated hacks have been

perpetrated by British enthusiasts.

 

 

Viewdata hacking has three aspects: to break into systems and become

user, editor or system manager thereof; to discover hidden parts of

systems to which you have been legitimately admitted, and to uncover

new services.

 

 

 

 

Viewdata software structures

 

 

An understanding of how a viewdata database is set up is a great

aid in learning to discover what might be hidden away. Remember,

there are always two ways to each page--by following the internal

indexes, or by direct keying using *nnn#. In typical viewdata

software, each electronic file card or 'page' exists on an overall

tree-like structure:

 

 

** Page 87

 

 

                        Page 0
                           |
        +------+------+------+------+------+------+------+-- ...
        1      2      3      4      5      6      7      8
                      |
        +------+------+------+------+------+------+------+-- ...
        31     32     33     34     35     36     37     38
                                    |
        +------+------+------+------+------+------+------+-- ...
        351    352    353    354    355    356    357    358      3-digit
                      |                                           node
        +------+------+------+------+------+------+------+-- ...
        3531   3532   3533   3534   3535   3536   3537   3538
                                                         |
        +------+------+------+------+------+------+------+-- ...

 

 

Top pages are called parents; lower pages filials. Thus page 3538

needs parent pages 353, 35, 3 and 0 to support it, i.e. these pages

must exist on the system. On Prestel, the parents owned by

Information Providers (the electronic publishers) are 3 digits long

(3-digit nodes). Single and double-digit pages (0 to 99) are owned by

the 'system manager' (and so are any pages beginning with the

sequences 100nn-199nn and any beginning with a 9nnn). When a page is

set up by an Information Provider (the process of going into 'edit'

mode varies from software package to package; on Prestel, you call up

page 910) two processes are necessary--the overt page (i.e. the

display the user sees) must be written using a screen editor. Then

the IP must select a series of options--e.g. whether the page is for

gathering a response from the user or is just to furnish information;

whether the page is to be open for viewing by all, by a Closed User

Group, or just by the IP (this facility is used while a large

database is being written and so that users don't access part of it

by mistake); the price (if any) the page will bear--and the 'routing

instructions'. When you look at a viewdata page and it says 'Key 8

for more information on ABC', it is the routing table that is

constructed during edit that tells the viewdata computer: 'If a user

on this page keys 8, take him through to the following next page'.

Thus, page 353880 may say 'More information on ABC....KEY 8'. The

information on ABC is actually held on page 3537891. The routing

table on page 353880 will say: 8=3537891. In this example, you will

see that 3537891 is not a true filial of 353880--this does not

matter; however, in order for 3537891 to exist on the system, its

parents must exist, i.e. there must be pages 353789, 35378, 3537

etc.
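A small checker for the page-tree rules just described, added as an example and not code from Prestel or any viewdata package; the Page and ViewdataDB names, the reading of '100nn-199nn' as pages whose first three digits are 100 to 199, and the sample database are assumptions.

```python
"""Viewdata page-tree checks (added example, not code from Prestel or any
viewdata package). Models the parent/filial structure and routing tables
described above and audits a database for routing targets that cannot
exist and for closed nodes that still have open filials."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple


def parents(page: str) -> List[str]:
    """Pages that must exist to support `page`: 3538 -> 353, 35, 3 and 0."""
    if not page.isdigit():
        raise ValueError("viewdata page numbers are strings of decimal digits")
    if page == "0":
        return []
    return [page[:n] for n in range(len(page) - 1, 0, -1)] + ["0"]


def owner(page: str) -> str:
    """Prestel ownership as described in the text: pages 0-99, 100nn-199nn and
    9nnn belong to the system manager; 3-digit nodes (and their filials)
    belong to Information Providers. Assumption: '100nn-199nn' is read as
    any page whose first three digits are 100 to 199."""
    if len(page) <= 2 or page.startswith("9") or 100 <= int(page[:3]) <= 199:
        return "system manager"
    return "Information Provider"


@dataclass
class Page:
    number: str
    open_access: bool = True                  # False models 'no user access'
    routing: Dict[str, str] = field(default_factory=dict)   # key -> next page


class ViewdataDB:
    def __init__(self, pages: Iterable[Page]):
        self.pages = {p.number: p for p in pages}

    def missing_parents(self) -> Dict[str, List[str]]:
        """Pages whose supporting parents are absent (they cannot exist)."""
        result = {}
        for number in self.pages:
            absent = [q for q in parents(number) if q not in self.pages]
            if absent:
                result[number] = absent
        return result

    def bad_routings(self) -> List[Tuple[str, str, str]]:
        """Routing entries whose target, or one of its parents, does not exist.
        The target need not be a true filial of the routing page."""
        bad = []
        for number, page in self.pages.items():
            for key, target in page.routing.items():
                needed = [target] + parents(target)
                if any(q not in self.pages for q in needed):
                    bad.append((number, key, target))
        return bad

    def leaky_closures(self) -> Dict[str, List[str]]:
        """Closed pages with open descendants: the case of node 456 being
        closed before launch while page 45600 was still open."""
        leaks = {}
        for number, page in self.pages.items():
            if page.open_access:
                continue
            open_below = sorted(d for d, p in self.pages.items()
                                if d != number and d.startswith(number) and p.open_access)
            if open_below:
                leaks[number] = open_below
        return leaks


def with_parents(numbers: Iterable[str]) -> List[str]:
    """Expand a list of page numbers with every parent they require."""
    wanted = set()
    for n in numbers:
        wanted.add(n)
        wanted.update(parents(n))
    return sorted(wanted, key=lambda s: (len(s), s))


def example_database() -> ViewdataDB:
    """Constructed database reproducing the text's example: page 353880 routes
    key 8 to 3537891, which is not its filial but whose parents all exist."""
    db = ViewdataDB(Page(n) for n in with_parents(["353880", "3537891"]))
    db.pages["353880"].routing["8"] = "3537891"
    return db


if __name__ == "__main__":
    db = example_database()
    print("missing parents:", db.missing_parents())   # {}
    print("bad routings:", db.bad_routings())         # []
    db.pages["353880"].routing["9"] = "3537892"       # target never created
    print("bad routings:", db.bad_routings())         # [('353880', '9', '3537892')]
```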

 

 

** Page 88

 

 

P R E S T E L

PRESTEL EDITING SYSTEM

Input Details -

Update option   o

Pageno          4190100      Frame-Id      a

User CUG                     User access   y

Frame type      i            Frame price   2p

Choice type     s

Choices

  0- *          1- 4196121

  2- 4196118    3- 4196120

  4- 4196112    5- 4196119

  6- 4196110    7- *

  8- 4190101    9- 4199

 

 

Prestel Editing. This is the 'choices' page which sets up the frame

before the overt page - the one the user sees - is prepared.

 

 

These quirky features of viewdata software can help the hacker

search out hidden databases:

 

 

* Using a published directory, you can draw up a list of 'nodes' and

who occupies them. You can then list out apparently 'unoccupied'

nodes and see if they contain anything interesting. It was when a

hacker spotted that an 'obvious' Prestel node, 456, had been unused

for a while, that news first got out early in 1984 about the Prestel

Micro computing service, several weeks ahead of the official

announcement.

 

 

* If you look at the front page of a service, you can follow the

routings of the main index--are all the obvious immediate filials

used? If not, can you get at them by direct keying?

 

 

** Page 89

 

 

* Do any services start lower down a tree than you might expect

(i.e. more digits in a page number than you might have thought)? In

that case, try accessing the parents and see what happens.

 

 

* Remember that you can get a message 'no such page' for two

reasons: because the page really doesn't exist, or because the

Information Provider has put it on 'no user access'. In the latter

case, check to see whether this has been done consistently--look at

the immediate possible filials. To go back to when Prestel launched

its Prestel Microcomputing service, using page 456 as a main node,

456 itself was closed off until the formal opening, but page 45600

was open.

 

 

 

 

Prestel Special Features

 

 

In general, this book has avoided giving specific hints about

individual services, but Prestel is so widely available in the UK and

so extensive in its coverage that a few generalised notes seem

worthwhile.

 

 

Not all Prestel's databases may be found via the main index or in

the printed directories; even some that are on open access are

unadvertised. Of particular interest over the last few years have

been nodes 640 (owned by the Research and Development team at

Martlesham), 651 (Scratchpad--used for ad hoc demonstration

databases), 601 (mostly mailbox facilities but also known to carry

experimental advanced features so that they can be tried out), and

650 (News for Information Providers--mostly but not exclusively in a

Closed User Group). Occasionally equipment manufacturers offer

experimental services as well: I have found high-res graphics and

even instruction codes for digitised full video lurking around.

 

 

In theory, what you find on one Prestel computer you will find on

all the others. In practice this has never been true, as it has

always been possible to edit individually on each computer, as well

as on the main updating machine which is supposed to broadcast to all

the others. The differences in what is held in each machine will

become greater over time.

 

 

Gateway is a means of linking non-viewdata external computers to

the Prestel system. It enables on-screen buying and booking, complete

with validation and confirmation. It even permits telebanking. Most

'live' forms of gateway are very secure, with several layers of

password and security. However, gateways require testing before they

can be offered to the public; in the past, hackers have been able to

secure free rides out of Prestel....

 

 

** Page 90

 

 

Careful second-guessing of the routings on the databases including

telesoftware(*) have given users free programs while the

telesoftware(*) was still being tested and before actual public

release.

 

 

Prestel, as far as the ordinary user is concerned, is a very

secure system--it uses 14-digit passwords and disconnects after three

unsuccessful tries. For most purposes, the only way of hacking into

Prestel is to acquire a legitimate user's password, perhaps because

they have copied it down and left it prominently displayed. Most

commercial viewdata sets allow the owner to store the first ten

digits in the set (some even permit the full 14), thus making the

casual hacker's task easier. However, Prestel was sensationally

hacked at the end of October 1984, the whole system lying at the feet

of a team of four West London hackers for just long enough to

demonstrate the extent of their skill to the press. Their success was

the result of persistence and good luck on their side and poor

security and bad luck on the part of BT. As always happens with

hacking activities that do not end up in court, some of the details

are disputed; there are also grounds for believing that news of the

hack was deliberately held back until remedial action had taken

place, but this is the version I believe:

 

 

 

 

The public Prestel service consists of a network of computers,

mostly for access by ordinary users, but with two special-purpose

machines, Duke for IPs to update their information into and Pandora,

to handle Mailboxes (Prestel's variant on electronic mail). The

computers are linked by non-public packet-switched lines. Ordinary

Prestel users are registered (usually) onto two or three computers

local to them which they can access with the simple three-digit

telephone number 618 or 918. In most parts of the UK, these two

numbers will return a Prestel whistle. (BT Prestel have installed a

large number of local telephone nodes and

 

 

(*)Telesoftware is a technique for making regular computer programs

available via viewdata: the program lines are compressed according to

a simple set of rules and set up on a series of viewdata frames. Each

frame contains a modest error-checking code. To receive a program,

the user's computer, under the control of a 'download' routine calls

the first program page down from the viewdata host, runs the error

check on it, and demands a re transmission if the check gives a

'false'. If it gives a 'true', the user's machine unsqueezes the

programs and dumps them into the computer's main memory or disc

store. It then requests the next viewdata page until the whole

program is collected. You then have a text file which must be

converted into program instructions. Depending on what model of

micro you have, and which telesoftware package, you can either run

the program immediately or expect it. Personally I found the

telesoftware experience interesting the first time I tried it, and

quite useless in terms of speed, reliability and quality afterwards.

 

 

** Page 91

 

 

leased lines to transport users to their nearest machine at local

call rates, even though in some cases that machine may be 200 miles

away). Every Prestel machine also has several regular phone numbers

associated with it, for IPs and engineers. Most of these numbers

confer no extra privileges on callers: if you are registered to a

particular computer and get in via a 'back-door' phone number you

will pay Prestel and IPs exactly the same as if you had dialled 618

or 918. If you are not registered, you will be thrown off after three

tries.

 

 

In addition to the public Prestel computers there are a number of

other BT machines, not on the network, which look like Prestel and

indeed carry versions of the Prestel database. These machines, left

over from an earlier stage of Prestel's development, are now used for

testing and development of new Prestel features. The old Hogarth

computer, originally used for international access, is now called

'Gateway Test' and, as its name implies, is used by IPs to try out

the interconnections of their computers with those of Prestel prior

to public release. It is not clear how the hackers first became aware

of the existence of these 'extra' machines; one version is that it

was through the acquisition of a private phone book belonging to a BT

engineer. Another version suggests that they tried 'obvious' log-in

pass-numbers--2222222222 1234--on a public Prestel computer and found

themselves inside a BT internal Closed User Group which contained

lists of phone numbers for the development computers. The existence of at

least two stories suggests that the hackers wished to protect their

actual sources. In fact, some of the phone numbers had, to my certain

knowledge, appeared previously on bulletin boards.

 

 

At this first stage, the hackers had no passwords; they could

simply call up the log-in page. Not being registered on that

computer, they were given the usual three tries before the line was

disconnected.

 

 

For a while, the existence of these log-in pages was a matter of

mild curiosity. Then, one day, in the last week of October, one of

the log-in pages looked different: it contained what appeared to be a

valid password, and one with system manager status, no less. A

satisfactory explanation for the appearance of this password

imprinted on a log-in page has not so far been forthcoming. Perhaps

it was carelessness on the part of a BT engineer who thought that, as

the phone number was unlisted, no unauthorised individual would ever

see it. The pass-number was tried and admission secured.

 

 

** Page 92

 

 

After a short period of exploration of the database, which

appeared to be a 'snapshot' of Prestel rather than a live version of

it--thus showing that particular computer was not receiving constant

updates from Duke--the hackers decided to explore the benefits of

System Manager status. Since they had between them some freelance

experience of editing on Prestel, they knew that all Prestel special

features pages are in the *9nn# range: 910 for editing; 920 to change

personal passwords; 930 for mailbox messages and so ...what would

pages 940, 950, 960 and so on do? It became obvious that these pages

would reveal details of users together with account numbers

(systelnos), passwords and personal passwords. There were facilities

to register and deregister users.

 

 

However, all this was taking place on a non-public computer. Would

the same passwords on a 'live' Prestel machine give the same

benefits? Amazingly enough, the passwords gave access to every

computer on the Prestel network. It was now time to examine the user

registration details of real users as opposed to the BT employees who

were on the development machine. The hackers were able to assume any

personality they wished and could thus enter any Closed User Group,

simply by picking the right name. Among the CUG services they swooped

into were high-priced ones providing investment advice for clients of

the stockbroker Hoare Govett and commentary on international currency

markets supplied by correspondents of the Financial Times. They were

also able to penetrate Homelink, the telebanking service run by the

Nottingham Building Society. They were not able to divert sums of

money, however, as Homelink uses a series of security checks which

are independent of the Prestel system.

 

 

Another benefit of being able to become whom they wished was the

ability to read Prestel Mailboxes, both messages in transit that had

not yet been picked up by the intended recipient and those that had

been stored on the system once they had been read. Among the

Mailboxes read was the one belonging to Prince Philip. Later, with a

newspaper reporter as witness, one hacker sent a Mailbox, allegedly

from Prince Philip to the Prestel System Manager:

 

 

I do so enjoy puzzles and games. Ta ta. Pip! Pip!

 

 

H R H Hacker

 

 

Newspaper reports also claimed that the hackers were able to gain

editing passwords belonging to IPs, enabling them to alter pages and

indeed the Daily Mail of November 2nd carried a photograph of a

Prestel page from the Financial Times International Financial Alert

saying:

 

 

** Page 93

 

 

FT NEWSFLASH!!! 1 EQUALS $50

 

 

The FT maintained that, whatever might theoretically have been

possible, in fact they had no record of their pages actually being so

altered and hazarded the suggestion that the hacker, having broken

into their CUG and accessed the page, had 'fetched it back' onto his

own micro and then edited there, long enough for the Mail's

photographer to snap it for his paper, but without actually

retransmitting the false page back to Prestel. As with so many other

hacking incidents, the full truth will never be known because no one

involved has any interest in its being told.

 

 

However, it is beyond doubt that the incident was regarded with the

utmost seriousness by Prestel itself. They were convinced of the

extent of the breach when asked to view page 1, the main index page,

which bore the deliberate mis-spelling: Idnex. Such a change

theoretically could only have been made by a Prestel employee with

the highest internal security clearance. Within 30 minutes, the

system manager password had been changed on all computers, public and

research. All 50,000 Prestel users signing on immediately after

November 2nd were told to change their personal password without

delay on every computer to which they were registered. And every IP

received, by Special Delivery, a complete set of new user and editing

passwords.

 

 

Three weeks after the story broke, the Daily Mail thought it had

found yet another Prestel hack and ran the following page 1 headline:

'Royal codebuster spies in new raid on Prestel', a wondrous

collection of headline writer's buzzwords to capture the attention of

the sleepy reader. This time an Information Provider was claiming

that, even after new passwords had been distributed, further security

breaches had occurred and that there was a 'mole' within Prestel

itself. That evening, Independent Television News ran a feature much

enjoyed by cognoscenti: although the story was about the Prestel

service, half the film footage used to illustrate it was wrong: they

showed pictures of the Oracle (teletext) editing facility and of

someone using a keypad that could only have belonged to a TOPIC set,

as used for the Stock Exchange's private service. Finally, the name

of the expert pulled in for interview was mis-spelled although he was

a well-known author of micro books. The following day, BBC-tv's

breakfast show ran an item on the impossibility of keeping Prestel

secure, also full of ludicrous inaccuracies.

 

 

** Page 94

 

 

It was the beginning of a period during which hackers and hacking

attracted considerable press interest. No news service operating in

the last two months of 1984 felt it was doing an effective job if it

couldn't feature its own Hacker's Confession, suitably filmed in deep

shadow. As happens now and again, press enthusiasm for a story ran

ahead of the ability to check for accuracy and a number of Hacks That

Never Were were reported and, in due course, solemnly commented on.

 

 

BT had taken much punishment for the real hack--as well as causing

deep depression among Prestel staff, the whole incident had occurred

at the very point when the corporation was being privatised and

shares being offered for sale to the public--and to suffer an

unwarranted accusation of further lapses in security was just more

than they could bear. It is unlikely that penetration of Prestel to

that extent will ever happen again, though where hacking is

concerned, nothing is impossible.

 

 

There is one, relatively uncommented-upon vulnerability in the

present Prestel set-up: the information on Prestel is most easily

altered via the bulk update protocols used by Information Providers,

where there is a remarkable lack of security. All the system

presently requires is a 4-character editing password and the IP's

systel number, which is usually the same as his mailbox number

(obtainable from the on-system mailbox directory on page *7#) which

in turn is very likely to be derived from a phone number.

 

 

 

 

Other viewdata services

 

 

Large numbers of other viewdata services exist: in addition to the

Stock Exchange's TOPIC and the other viewdata based services

mentioned in chapter 4, the travel trade has really clutched the

technology to its bosom: the typical High Street agent not only

accesses Prestel but several other services which give up-to-date

information on the take-up of holidays, announce price changes and

allow confirmed air-line and holiday bookings.

 

 

Several of the UK's biggest car manufacturers have a stock locator

system for their dealers: if you want a British Leyland model with a

specific range of accessories and in the colour combinations of your

choice, the chances are that your local dealer will not have it

in stock. He can, however, use the stock locator to tell him with which

other dealer such a machine may be found.

 

 

Stock control and management information is used by retail chains

using, in the main, a package developed by a subsidiary of Debenhams.

Debenhams had been early enthusiasts of Prestel in the days when it

was still being pitched at a mass consumer audience--its service was

called Debtel which wags suggested was for people who owed money or,

alternatively, for upper-class young ladies.

 

 

** Page 95

 

 

Later it formed DISC to link together its retail outlets, and this

was hacked in 1983. The store denied that anything much had

happened, but the hacker appeared (in shadow) on a tv program

together with a quite convincing demonstration of his control over

the system.

 

 

Audience research data is despatched in viewdata mode to

advertising agencies and broadcasting stations by AGB market

research. There are even alternate viewdata networks rivalling that

owned by Prestel, the most important of which is, at the time of

writing, the one owned by Istel and headquartered at Redditch in the

Midlands. This network transports several different trade and

professional services as well as the internal data of British

Leyland, of whom Istel is a subsidiary.

 

 

A viewdata front-end processor is a minicomputer package which

sits between a conventionally-structured database and its ports which

look into the phone-lines. Its purpose is to allow users with

viewdata sets to search the main database without the need to

purchase an additional conventional dumb terminal. Some viewdata

front-end processors (FEPs) expect the user to have a full alphabetic

keyboard, and merely transform the data into viewdata pages 40

characters by 24 lines in the usual colours. More sophisticated FEPs

go further and allow users with only numeric keypads to retrieve

information as well. By using FEPs a database publisher or system

provider can reach a larger population of users. FEPs have been known

to have a lower standard of security protection than the conventional

systems to which they were attached.

 

 

 

 

Viewdata standards

 

 

The UK viewdata standard--the particular graphics set and method

of transmitting frames -- is adopted in many other European countries

and in former UK imperial possessions. Numbers and passwords to

access these services occasionally appear on bulletin boards and the

systems are particularly interesting to enter while they are still on

trial. As a result of a quirk of Austrian law, anyone can

legitimately enter their service without a password; though one is

needed if you are to extract valuable information. However, important

variants to the UK standards exist: the French (inevitably) have a

system that is remarkably similar in outline but incompatible.

 

 

** Page 96

 

 

In North America, the emerging standard which was originally put

together by the Canadians for their Telidon service but which has

now, with modifications, been promoted by Ma Bell, has high

resolution graphics because, instead of building up images from block

graphics, it uses picture description techniques (eg draw line, draw

arc, fill-in etc) of the sort relatively familiar to most users of

modern home micros. Implementations of NAPLPS (as the US standard is

called) are available for the IBM PC.

 

 

The Finnish public service uses software which can handle nearly

all viewdata formats, including a near-photographic mode.

 

 

Software similar to that used in the Finnish public service can be

found on some private systems. Countries vary considerably in their

use of viewdata technology: the German and Dutch systems consist

almost entirely of gateways to third-party computers; the French

originally cost-justified their system by linking it to a massive

project to make all telephone directories open to electronic enquiry,

thus saving the cost of printed versions. French viewdata terminals

thus have full alpha-keyboards instead of the numbers-only versions

common in other countries. For the French, the telephone directory is

central and all other information peripheral. Teletel/Antiope, as the

service is called, suffered its first serious hack late in 1984 when

a journalist on the political/satirical weekly Le Canard Enchaîné

claimed to have penetrated the Atomic Energy Commission's computer

files accessible via Teletel and uncovered details of laser projects,

nuclear tests in the South Pacific and an experimental nuclear

reactor.

 

 

 

 

Viewdata: the future

 

 

Viewdata grew up at a time when the idea of mass computer

ownership was a fantasy, when the idea that private individuals could

store and process data locally was considered far-fetched and when

there were fears that the general public would have difficulties in

tackling anything more complicated than a numbers-only key-pad.

These failures of prediction have led to the limitations and

clumsiness of present-day viewdata. Nevertheless, the energy and

success of the hardware salesmen plus the reluctance of companies and

organisations to change their existing set-ups will ensure that for

some time to come, new private viewdata systems will continue to be

introduced...and be worth trying to break into.

 

 

There is one dirty trick that hackers have performed on private

viewdata systems. Entering them is often easy, because high-level

editing passwords are, as mentioned earlier, sometimes desperately

insecure (see chapter 6) and it is easy to acquire editing status.

 

 

** Page 97

 

 

Once you have discovered you are an editor, you can go to edit

mode and edit the first page on the system, page 0: you can usually

place your own message on it, of course; but you can also default all

the routes to page 90. Now *90# in most viewdata systems is the

log-out command, so the effect is that, as soon as someone logs in

successfully and tries to go beyond the first page, the system logs

them out....

 

 

However, this is no longer a new trick, and one which should be

used with caution: is the database used by an important organisation?

Are you going to tell the system manager what you have done and

urge more care in password selection in future?

 

 

** Page 98

 

 

 

 

 

 

CHAPTER 9

 

 

 

 

Radio Computer Data

 

 

Vast quantities of data traffic are transmitted daily over the

radio frequency spectrum; hacking is simply a matter of hooking up a

good quality radio receiver and a computer through a suitable

interface. On offer are news services from the world's great press

agencies, commercial and maritime messages, meteorological data, and

plenty of heavily-encrypted diplomatic and military traffic. A

variety of systems, protocols and transmission methods are in use and

the hacker jaded by land-line communication (and perhaps for the

moment put off by the cost of phone calls) will find plenty of fun on

the airwaves.

 

 

The techniques of radio hacking are similar to those necessary for

computer hacking. Data transmission over the airwaves uses either a

series of audio tones to indicate binary 0 and 1 which are modulated

on transmit and demodulated on receive or alternatively frequency

shift keying which involves the sending of one of two slightly

different radio frequency carriers, corresponding to binary 0 or

binary 1. The two methods of transmission sound identical on a

communications receiver (see below) and both are treated the same for

decoding purposes. The tones are different from those used on

land-lines--'space' is nearly always 1275 Hz and 'mark' can be one of

three tones: 1445 Hz (170 Hz shift--quite often used by amateurs and

with certain technical advantages); 1725 Hz (450 Hz shift--the one

most commonly used by commercial and news services) and 2125 Hz (850

Hz shift--also used commercially). The commonest protocol uses the

5-bit Baudot code rather than 7-bit or 8-bit ASCII. The asynchronous,

start/stop mode is the most common. Transmission speeds include: 45

baud (60 words/minute), 50 baud (66 words/minute), 75 baud (100

words/minute). 50 baud is the most common. However, many

interesting variants can be heard--special versions of Baudot for

non-European languages, error correction protocols, and various

forms of facsimile.
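The asynchronous start/stop Baudot framing described above, worked through as an added example (this is not code from the book): each character is sent as a start bit at space, five data bits least-significant first, and a stop bit at mark, with the LTRS/FIGS shift codes selecting between the two character tables. The ITA2 tables below use the common national figure assignments, and the stop bit is modelled as a single bit unit, both assumptions of this example.

```python
"""Minimal ITA2 (5-bit Baudot) start/stop codec, added for illustration."""

# Assumed ITA2 tables indexed by code value; bit 1 (first on the line) is the LSB.
LTRS = ["\0", "E", "\n", "A", " ", "S", "I", "U", "\r", "D", "R", "J", "N", "F", "C", "K",
        "T", "Z", "L", "W", "H", "Y", "P", "Q", "O", "B", "G", None, "M", "X", "V", None]
FIGS = ["\0", "3", "\n", "-", " ", "'", "8", "7", "\r", "\x05", "4", "\x07", ",", "!", ":", "(",
        "5", "+", ")", "2", "#", "6", "0", "1", "9", "?", "&", None, ".", "/", "=", None]
SHIFT_FIGS, SHIFT_LTRS = 27, 31   # codes 11011 and 11111 switch tables
MARK, SPACE = 1, 0                # line states: idle is mark, a start bit is space

def _frame(value):
    """One character: start (space), 5 data bits LSB first, stop (mark)."""
    return [SPACE] + [(value >> i) & 1 for i in range(5)] + [MARK]

def encode(text):
    """Return the line bit sequence for text, inserting shift codes as needed."""
    bits = [MARK, MARK]           # the line idles at mark before the first start bit
    table = LTRS
    for ch in text.upper():
        if ch not in table:       # character lives in the other table: send a shift first
            table = FIGS if table is LTRS else LTRS
            if ch not in table:
                raise ValueError(f"not encodable in ITA2: {ch!r}")
            bits += _frame(SHIFT_FIGS if table is FIGS else SHIFT_LTRS)
        bits += _frame(table.index(ch))
    return bits

def decode(bits):
    """Recover text from line bits; a stop bit that is not mark is a framing error."""
    text, table, i = [], LTRS, 0
    while i < len(bits):
        if bits[i] == MARK:       # idle line, wait for a start bit
            i += 1
            continue
        frame = bits[i + 1:i + 7] # 5 data bits followed by the stop bit
        if len(frame) < 6 or frame[5] != MARK:
            raise ValueError(f"framing error at bit {i}")
        value = sum(b << k for k, b in enumerate(frame[:5]))
        i += 7
        if value == SHIFT_FIGS:
            table = FIGS
        elif value == SHIFT_LTRS:
            table = LTRS
        else:
            text.append(table[value])
    return "".join(text)

def words_per_minute(baud, stop_units=1.5, word_chars=6):
    """Teleprinter throughput: 1 start + 5 data + 1.5 stop units per character,
    six characters (five letters plus a space) per word, as in the 45/50/75 baud figures."""
    return baud * 60 / ((1 + 5 + stop_units) * word_chars)
```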

 

 

The material of greatest interest is to be found in the high

frequency or 'short wave' part of the radio spectrum, which goes from

2 MHz, just above the top of the medium wave broadcast band, through

to 30 MHz, which is the far end of the 10-meter amateur band which

itself is just above the well-known Citizens' Band at 27 MHz.

 

 

** Page 99

 

 

The reason this section of the spectrum is so interesting is that,

unique among radio waves, it has the capacity for world-wide

propagation without the use of satellites, the radio signals being

bounced back, in varying degrees, by the ionosphere. This special

quality means that everyone wants to use HF (high frequency)

transmission--not only international broadcasters, the propaganda

efforts of which are the most familiar uses of HF. Data transmission

certainly occurs on all parts of the radio spectrum, from VLF (Very

Low Frequency, the portion below the Long Wave broadcast band which

is used for submarine communication), through the commercial and

military VHF and UHF bands, beyond SHF (Super High Frequency, just

above 1000 MHz) right to the microwave bands. But HF is the most

rewarding in terms of range of material available, content of

messages and effort required to access it.

 

 

Before going any further, hackers should be aware that in a number

of countries even receiving radio traffic for which you are not

licensed is an offence; in nearly all countries making use of

information so received is also an offence and, in the case of news

agency material, breach of copyright may also present a problem.

 

 

However, owning the equipment required is usually not illegal and,

since few countries require a special license to listen to amateur

radio traffic (as opposed to transmitting, where a license is needed)

and since amateurs transmit in a variety of data modes as well,

hackers can set about acquiring the necessary capability without

fear.