Human-Nets-Request%rutgers@brl-bmd.UUCP (Human-Nets-Request@rutgers) (11/11/83)
HUMAN-NETS Digest Wednesday, 9 Nov 1983 Volume 6 : Issue 70
Today's Topics:
Queries - "Hacker's Challenge/Revenge" game proposed &
Looking for contradiction in terms &
MCIMail,
Computers and People - Military uses of Video Games &
Electronic Junkmail (2 msgs) &
Error Messages,
Computer and the Law - System Crackers
----------------------------------------------------------------------
Date: 2 Nov 1983 22:37:40-PST
From: Robert P Cunningham <cunningh@Nosc>
Reply-to: cunningh@Nosc
Subject: "Hacker's Challenge/Revenge" game proposed.
We've talked, jokingly I hope, about games that might not 'really' be
games. I'd like to solicit comments on my idea of a game that would
deliberately be ambiguous to the player. That is: a a game that would
create the impression that it's for real.
I'm going to bring up at least one semi-public UNIX system, and just
had a brainstorming session with some friends on how to detect and
deter the inevitable break-in attempts.
One scheme we came up with (surely not original) is to create a 'game'
on the system that simulates breaking into the operating system,
perhaps even breaking into a simulated network of other computers.
We'd provide some not-too-obvious but phony security loophole in the
system. When someone tried it, they'd be into our game which we've
dubbed "Hacker's Challenge" (the play on words is deliberate, since we
think it will be indeed be a challenge to create a convincing
simulation -- though "Hacker's Revenge" might be a better name).
While the potential break-in artist was trying out his stuff, we'd be
logging information on him, and hopefully keeping him online long
enough to be able to trace his phone call, should we want to.
I don't expect the simulation to be effective for a more than a few
months or so on a particular system, and I'd hesitate to spend much
time developing such a thing, except that eventually it might make a
be fun to make it obviously outrageous, and make it generally
available to the authorized users for their amusement.
The trick, of course, would be to make the game convincing, but
inaccurate enough so that we weren't effectively training someone to
actually break into a system.
Any thoughts, comments or scenario suggestions?
Bob Cunningham
------------------------------
Date: 4 Nov 1983 10:08-PST
Subject: Looking for contradiction in terms.
From: the tty of Geoffrey S. Goodfellow
Reply-to: Geoff@SRI-CSL
On this mornings news, I heard two new contradiction in terms:
"Peace keeping force." (Lebanon)
"Non-Political Government [installed]." (Grenada)
This inspired me. I wish to collect as many of these as
possible. The other two that I have:
"Military Intelligence." (Rocky & Bullwinkle)
"Recreational Drugs." (Recreational espionage)
If you can think or know of others, please send them to
Geoff@SRI-CSL. If you would send them in the form of:
"Contradiction." <TAB> (Apropos/Like/Source)
I'll make a complete list and redistribute it to interested parties.
Geoff
------------------------------
Date: 30 October 1983 01:37 EDT
From: Andrew Scott Beals <BANDY @ MIT-ML>
Subject: Junkmail
Has anyone gotten [a] MCI's promised `Welcome' literature, or [b] had
actual experience with the system? (Does it have a mail interface of
the sophistication of MM or better? (i.e. `Delete (messages) text "you
may have already won"'))
Andy
------------------------------
Date: Thu, 3 Nov 83 0:52:25 EST
From: Ron Natalie <ron@brl-vgr>
Subject: Ender's Game
There was also a story in OMNI about a year ago entitled "The Last
Child Inside the Mountain" where the worlds greatest video game
player (who has become a millionaire playing them) is brought to
Cheyenne mountain to play the ultimate video game. He's locked in
a room such that no one can interfere with him while the game is
being played. The only problem is that after the game is played
for real and he has defeated the enemy, they can't get him to stop
playing as he keeps trying to get a higher point score.
-Ron
------------------------------
Return-Path: <andya@bbnccp>
Date: 31 Oct 1983 10:21:45 EST (Monday)
From: Andy Adler <andya@BBN-UNIX>
Subject: Junk Mail
Actually, it is to our advantage that junk mail comes with
ridiculous claims on the outside ("You may have wone the trip
of your dreams"). Such envelope decoration immediately marks
the item as junk mail and can be trashed immediately.
Andy Adler
------------------------------
Date: 30 October 1983 01:37 EDT
From: Andrew Scott Beals <BANDY @ MIT-ML>
Subject: MCIMail
As to junkmail in general, perhaps making the sender pay the reader to
read the thing is a good idea (why do bulk mailers get such cheap
rates anyway? why not charge them regular rates and let us poor peons
get the cheap mail rates?), but a flat rate doesn't seem the right
thing to do. Assuming that the data was easily accessible enough
(hell, it must be, they >do< have your netaddress (or maybe they send
messages to all permutations of usernames and just throw away the
rejection notices from mailers all over the world ;-) ??)), you could
set for yourself a basic rate of x dollars (probably a small x, unless
you didn't like to get >any< junkmail) per character of text in the
message that they would pay you for the privlege of sending you a
message?
Andy
------------------------------
Date: Thursday, 3 November 1983, 10:01-PST
From: Richard Lamson <rsl at SPA-NIMBUS>
Subject: Found in "GLORIA"
One programmer, annoyed at the apparent pettiness of user
reaction, rewrote all the error messages in what he thought was
a sarcastic, overly courteous tone. One cryptic error message
thus became: "I'm terribly sorry. I can't interpret my
option. A reasonable tolerance of typed input is very
difficult to implement. So I am programmed to accept only a
very rigid format. The starting of the program may have at
most one option and it must begin with a dash (minus sign). I
received: 80. If you get help or read the listing yourself,
please refer to the part of the program indicated."
Much to the programmer's amazement, the users did not
detect sarcasm; instead they took the changes in the message
seriously and responded extremely favorably. Instead of
complaining about error messages, user began to cause errors
deliberately so they could read the new messages. The
programmer still remembers the day that users were calling to
one another, "Hey, look at this one - isn't this great?" while
he sat in his office angry at the reaction. That, however, was
the day he became converted to the user's viewpoint, he
admitted.
- "Experiments in teleterminal design",
by Hagelbarger & Thompson,
Bell Laboratories,
IEEE Spectrum, October, 1983
**==> That was Bob Walker's plan file.
------------------------------
Date: Fri 4 Nov 83 10:49:21-EST
From: DAVID.LEWIN <LEWIN@CMU-CS-C.ARPA>
Subject: Teenage computer crime
To: dehn@MIT-MULTICS.ARPA
cc: humna-nets-request@RUTGERS.ARPA
I received a call several days ago from a freelance writer
for "Family Computing" (a Scholastic Magazines publication
for teenagers and their families). He wanted to talk with
people about teenage 'hackers' (in the perjorative, system-
cracker sense) and computer ethics.
I liked what you had to say in the recent Human-nets digest, and
thought you might like to call him:
Lester Brooks
203-966-0610
Sincerely,
David Lewin <LEWIN@cmu-cs-c>
------------------------------
Date: 4 November 1983 02:20 EST
From: Richard P. Wilkes <RICK @ MIT-MC>
Subject: Whiz kids and communications
During the past eight years, I have been heavily involved with
"bulletin board" systems running on micros and mainframes. I'd
like to give a few examples of the destructiveness of many of
these "kids."
Most have probably heard of or called an RCP/M. Five years
ago, I wrote a similar type system for a TRS-80. This
software ran for 3.5 years without a problem. But now, as
more and more potential crackers have access to communications
equipment, this system has been crashed repeatedly.
When I was back in high school, the big thing was to find a
bug in the OS. But, once we found it, instead of using it to
keep the system flat on its back, we documented it and
sometimes even fixed it. Doesn't seem like that is the case
anymore...
On this system, some caller breaks in, deletes all the files,
and then writes a program which keeps the drives selected;
this burns out the motors on 5.25" drives, especially when
they run all night. This was done so often, the system was
brought down for a long time (until a trace could be put on
the dial-up).
I run my own system and publish software that turns a TRS-80
into a mail and message system. I have sat and watched
callers SYSTEMATICALLY attack the system. This takes several
forms:
1) All commands, series of commands, and options are tried.
2) The system is assaulted with all manners of control
sequences, trying to get some unexpected result.
3) I have even seem someone drop and then re-initiate carrier
to see if they could get somewhere.
If that doesn't work, they begin to crack passwords. They
know what they are doing... in one case, I watched as someone
went through what looked like the beginning of the Webster's
Dictionary trying to get superuser status. Since most people
use words, not a bad idea, right? Less intelligent ones start
with A and just try and try and try.
Oh, by the way, they are definitely using auto-dial modems and
software to do this.
If all else fails, they simply tie up the system. They choose
the most obviously disk intensive command, and execute it
again and again. Since many systems only timeout after
inactivity, this could tie up the system for many hours (not
to mention the wear and tear on the equipment).
These little bastards certainly aren't doing anything
constructive.
Seven years ago, I called up MIT-MC and got a tourist account
which I kept for three years until I got an authorized one.
It was a free account on an open system; the only strings were
***Sender closed connection***
=== brl netread error from RUTGERS at Thu Nov 10 23:06:07 ===Human-Nets-Request%rutgers@brl-bmd.UUCP (Human-Nets-Request@rutgers) (11/11/83)
HUMAN-NETS Digest Wednesday, 9 Nov 1983 Volume 6 : Issue 70
Today's Topics:
Queries - "Hacker's Challenge/Revenge" game proposed &
Looking for contradiction in terms &
MCIMail,
Computers and People - Military uses of Video Games &
Electronic Junkmail (2 msgs) &
Error Messages,
Computer and the Law - System Crackers
----------------------------------------------------------------------
Date: 2 Nov 1983 22:37:40-PST
From: Robert P Cunningham <cunningh@Nosc>
Reply-to: cunningh@Nosc
Subject: "Hacker's Challenge/Revenge" game proposed.
We've talked, jokingly I hope, about games that might not 'really' be
games. I'd like to solicit comments on my idea of a game that would
deliberately be ambiguous to the player. That is: a a game that would
create the impression that it's for real.
I'm going to bring up at least one semi-public UNIX system, and just
had a brainstorming session with some friends on how to detect and
deter the inevitable break-in attempts.
One scheme we came up with (surely not original) is to create a 'game'
on the system that simulates breaking into the operating system,
perhaps even breaking into a simulated network of other computers.
We'd provide some not-too-obvious but phony security loophole in the
system. When someone tried it, they'd be into our game which we've
dubbed "Hacker's Challenge" (the play on words is deliberate, since we
think it will be indeed be a challenge to create a convincing
simulation -- though "Hacker's Revenge" might be a better name).
While the potential break-in artist was trying out his stuff, we'd be
logging information on him, and hopefully keeping him online long
enough to be able to trace his phone call, should we want to.
I don't expect the simulation to be effective for a more than a few
months or so on a particular system, and I'd hesitate to spend much
time developing such a thing, except that eventually it might make a
be fun to make it obviously outrageous, and make it generally
available to the authorized users for their amusement.
The trick, of course, would be to make the game convincing, but
inaccurate enough so that we weren't effectively training someone to
actually break into a system.
Any thoughts, comments or scenario suggestions?
Bob Cunningham
------------------------------
Date: 4 Nov 1983 10:08-PST
Subject: Looking for contradiction in terms.
From: the tty of Geoffrey S. Goodfellow
Reply-to: Geoff@SRI-CSL
On this mornings news, I heard two new contradiction in terms:
"Peace keeping force." (Lebanon)
"Non-Political Government [installed]." (Grenada)
This inspired me. I wish to collect as many of these as
possible. The other two that I have:
"Military Intelligence." (Rocky & Bullwinkle)
"Recreational Drugs." (Recreational espionage)
If you can think or know of others, please send them to
Geoff@SRI-CSL. If you would send them in the form of:
"Contradiction." <TAB> (Apropos/Like/Source)
I'll make a complete list and redistribute it to interested parties.
Geoff
------------------------------
Date: 30 October 1983 01:37 EDT
From: Andrew Scott Beals <BANDY @ MIT-ML>
Subject: Junkmail
Has anyone gotten [a] MCI's promised `Welcome' literature, or [b] had
actual experience with the system? (Does it have a mail interface of
the sophistication of MM or better? (i.e. `Delete (messages) text "you
may have already won"'))
Andy
------------------------------
Date: Thu, 3 Nov 83 0:52:25 EST
From: Ron Natalie <ron@brl-vgr>
Subject: Ender's Game
There was also a story in OMNI about a year ago entitled "The Last
Child Inside the Mountain" where the worlds greatest video game
player (who has become a millionaire playing them) is brought to
Cheyenne mountain to play the ultimate video game. He's locked in
a room such that no one can interfere with him while the game is
being played. The only problem is that after the game is played
for real and he has defeated the enemy, they can't get him to stop
playing as he keeps trying to get a higher point score.
-Ron
------------------------------
Return-Path: <andya@bbnccp>
Date: 31 Oct 1983 10:21:45 EST (Monday)
From: Andy Adler <andya@BBN-UNIX>
Subject: Junk Mail
Actually, it is to our advantage that junk mail comes with
ridiculous claims on the outside ("You may have wone the trip
of your dreams"). Such envelope decoration immediately marks
the item as junk mail and can be trashed immediately.
Andy Adler
------------------------------
Date: 30 October 1983 01:37 EDT
From: Andrew Scott Beals <BANDY @ MIT-ML>
Subject: MCIMail
As to junkmail in general, perhaps making the sender pay the reader to
read the thing is a good idea (why do bulk mailers get such cheap
rates anyway? why not charge them regular rates and let us poor peons
get the cheap mail rates?), but a flat rate doesn't seem the right
thing to do. Assuming that the data was easily accessible enough
(hell, it must be, they >do< have your netaddress (or maybe they send
messages to all permutations of usernames and just throw away the
rejection notices from mailers all over the world ;-) ??)), you could
set for yourself a basic rate of x dollars (probably a small x, unless
you didn't like to get >any< junkmail) per character of text in the
message that they would pay you for the privlege of sending you a
message?
Andy
------------------------------
Date: Thursday, 3 November 1983, 10:01-PST
From: Richard Lamson <rsl at SPA-NIMBUS>
Subject: Found in "GLORIA"
One programmer, annoyed at the apparent pettiness of user
reaction, rewrote all the error messages in what he thought was
a sarcastic, overly courteous tone. One cryptic error message
thus became: "I'm terribly sorry. I can't interpret my
option. A reasonable tolerance of typed input is very
difficult to implement. So I am programmed to accept only a
very rigid format. The starting of the program may have at
most one option and it must begin with a dash (minus sign). I
received: 80. If you get help or read the listing yourself,
please refer to the part of the program indicated."
Much to the programmer's amazement, the users did not
detect sarcasm; instead they took the changes in the message
seriously and responded extremely favorably. Instead of
complaining about error messages, user began to cause errors
deliberately so they could read the new messages. The
programmer still remembers the day that users were calling to
one another, "Hey, look at this one - isn't this great?" while
he sat in his office angry at the reaction. That, however, was
the day he became converted to the user's viewpoint, he
admitted.
- "Experiments in teleterminal design",
by Hagelbarger & Thompson,
Bell Laboratories,
IEEE Spectrum, October, 1983
**==> That was Bob Walker's plan file.
------------------------------
Date: Fri 4 Nov 83 10:49:21-EST
From: DAVID.LEWIN <LEWIN@CMU-CS-C.ARPA>
Subject: Teenage computer crime
To: dehn@MIT-MULTICS.ARPA
cc: humna-nets-request@RUTGERS.ARPA
I received a call several days ago from a freelance writer
for "Family Computing" (a Scholastic Magazines publication
for teenagers and their families). He wanted to talk with
people about teenage 'hackers' (in the perjorative, system-
cracker sense) and computer ethics.
I liked what you had to say in the recent Human-nets digest, and
thought you might like to call him:
Lester Brooks
203-966-0610
Sincerely,
David Lewin <LEWIN@cmu-cs-c>
------------------------------
Date: 4 November 1983 02:20 EST
From: Richard P. Wilkes <RICK @ MIT-MC>
Subject: Whiz kids and communications
During the past eight years, I have been heavily involved with
"bulletin board" systems running on micros and mainframes. I'd
like to give a few examples of the destructiveness of many of
these "kids."
Most have probably heard of or called an RCP/M. Five years
ago, I wrote a similar type system for a TRS-80. This
software ran for 3.5 years without a problem. But now, as
more and more potential crackers have access to communications
equipment, this system has been crashed repeatedly.
When I was back in high school, the big thing was to find a
bug in the OS. But, once we found it, instead of using it to
keep the system flat on its back, we documented it and
sometimes even fixed it. Doesn't seem like that is the case
anymore...
On this system, some caller breaks in, deletes all the files,
and then writes a program which keeps the drives selected;
this burns out the motors on 5.25" drives, especially when
they run all night. This was done so often, the system was
brought down for a long time (until a trace could be put on
the dial-up).
I run my own system and publish software that turns a TRS-80
into a mail and message system. I have sat and watched
callers SYSTEMATICALLY attack the system. This takes several
forms:
1) All commands, series of commands, and options are tried.
2) The system is assaulted with all manners of control
sequences, trying to get some unexpected result.
3) I have even seem someone drop and then re-initiate carrier
to see if they could get somewhere.
If that doesn't work, they begin to crack passwords. They
know what they are doing... in one case, I watched as someone
went through what looked like the beginning of the Webster's
Dictionary trying to get superuser status. Since most people
use words, not a bad idea, right? Less intelligent ones start
with A and just try and try and try.
Oh, by the way, they are definitely using auto-dial modems and
software to do this.
If all else fails, they simply tie up the system. They choose
the most obviously disk intensive command, and execute it
again and again. Since many systems only timeout after
inactivity, this could tie up the system for many hours (not
to mention the wear and tear on the equipment).
These little bastards certainly aren't doing anything
constructive.
Seven years ago, I called up MIT-MC and got a tourist account
which I kept for three years until I got an authorized one.
It was a free account on an open system; the only strings were
that I use it after hours and not tie up too many resources.
But things have changed. You can't have totally open systems
anymore without many precautions and almost constant
supervision.
For example, I have had to add many security features to these
small systems:
1) Three attempts and you lose the connection. Nine illegal
attempts at a username without a correct login causes a
suspension. Anyone trying to login under that name is
immediately suspended (with some exceptions).
2) Connection limited use.
3) Application process reviewed by sysop before someone can
use all features, or even use the system.
4) Isolate the user completely from all operating system
functions, even to the point of modifying the DOS to hang or
reset when necessary.
I do have one little "joke" up my sleeve. There is an account
on these systems called SYSOP. Now, if I was going to break
in, that is where I would start. I've put a little patch into
my host. After 39 incorrect tries on that account, IT ALLOWS
THE CALLER THROUGH. He gets a welcome message and Sysop
command:. He can renumber messages, change the date and time,
even delete from the directory, change usernames and
passwords. He can do all the things that a sysop can do. Of
course, he isn't *really* doing anything (he he he!) After,
oh say, 10 minutes, output stops. 24 linefeeds are issued and
the following appears (slowly, as if from a TTY):
HELLO INTRUDER! Gee, I want to thank you for hanging around
for the past ten minutes while we had a chance to trace your
call. It is too bad that some people just can't live
responsibly. But, I guess that is the reason we have the
police and FBI, right?
{disconnect}
I don't know what the answer is, but I do know that treating
this type of behavior casually must be stopped. There will
always be people who will try to circumvent all security
measures, sometimes out of curiousity, but recently more often
with the intention of doing something destructive.
It's too bad that the days of the unsecured systems is coming
to a close, but with hundreds of people scanning the exchanges
with their auto-dial modems looking for carriers, armed with 10
pages of pirated MCI access codes, we don't have much choice.
Comments welcome. -r (RICK at MIT-MC)
------------------------------
End of HUMAN-NETS Digest
************************