Re: Project Delta...

[K Redburn <kredburn@echip.com>]

Well then, I'll tell the story....


Many of the details simply weren't important to me at the time, such as
the year, which building the offices were housed in, etc.  I was
attending Delaware Technical and Community College at the time, and had
spent at least one summer helping Ed Boas teach basic to the high school
teachers.  It was a late night session at the computer center, and Ed
Jones and I were the only two there.  We got to talking, bragging of
course.  So I offered to show Ed something neat.  I created a file on my
account, Open foo.bar as file size -1.  This was our old standard
garbage collection technique.  This of course was not big deal, but then
while I had the file open, I asked Ed to delete it from his priveledged
account.  He did, and started laughing.  The resulting odd behavior,
several "error 11 end of file or account" messages came up on his screen
with other error messages intermixed.  We both thought it was cool.  So
Ed proceded to tell his own story....

With PIP, you could copy a file, over the top of an existing file, with
the right switches.  If, the two files were identical in size, the
privilege bit of the file would be maintained.  If you tried to modifiy
a priveleged file any other way, the bit dropped.  Using this technique,
if you could devise a way to get a priveleged compiled program on your
account, you could substitute your own program for the priveleged one.
This is why, all priveleged programs on Project Delta were write
protected against owner.

So Ed thought he was showing me a technique that was useless and moot. 
This turned out not to be so...

At that time, the University of Delaware kept a sister PDP-11 computer
to the one Project Delta ran on.  This sister computer had many many
duplicate accounts to the Delta computer.  This sister computer, was
being used by the teachers at Del. Tech. for the introduction of a new
program, a computerized testing program, called SIGI.  One of my
electronics teachers, was head of the program at Del. Tech. and had
enlisted my aid to show him how to use a computer, verify and test the
system, and help enter test questions and answers.  To this end, he
entrusted me with the account number and password, for [50,53], the
teachers account to the system.  Well who would have thought, that with
a little bit of detective work, I was able to discover that the account
[50,50] held the SIGI program itself, compiled and protected, 232,
which, sports fans I believe is the correct number. not protected
against owner.  All I needed was the password to account [50,50].  I
thought, let's try the obvious "SIGI".  It was meant to be.

So first thing, what is the privelege password to [0,1}?  Write a quick
little sys$chr$(14) application, add some extra crap to bring it up to
the same size as SIGI, make a copy of SIGI, and viola! the password was
"UOFDEL"  Augghhhhh!  I could have guessed that.  Damn.  Anyway, I was
in, the system was mine. Muhhh ha ha ha ha.....

Quickly, I was bored.  I was not destructive, mearly curious, I searched
accounts high and low, looking for enlightened source code.  Didn't find
much.  And I got tired very quickly of doing the substitution thing back
and forth, just to get one password for one account.  Why did I need to
keep fetching passwords?  Because then I could log onto the same
accounts on Project Delta's computer and start searching there as well.  

I was being very careful to keep my tracks covered, mostly.  I didn't
keep any permanent files any where they didn't belong.  I didn't spend a
lot of time logged in priveleged.  I was just exploring.  It became
tedious, so, being the brash moron that I was, I wanted a quicker way. 
I grabbed the source code to login, and slightly modified it.  I changed
the procedure, so that if the password given to an account was KJR, then
the program would look up the real password to the account, and
substitute it place of what I typed.  My initials would now log me into
any account on the system.  It was great, I was in heaven.  The end was
near, for as we all know, we get careless.  But first a bit of fun.

This sister computer that I had compromised, was the U of D version of
Project Delta.  It was used by UD faculty and students.  Not evil
munchkin high school students, and it's security was lax.  Certain
faculty had accounts on both computers, and, kept the same password on
both computers.  Does the name Ed Boas mean anything here.  I believe
his account was [20,11], a non-priveleged account.  Ed maintained a
program on this account on the Delta side, that when he typed in the
password, would log him into his priveleged account.  Zip, fast and
easy.  Delta was within my grasp, but not quite.  On Delta's computer, I
could look at the source code of this file, and even scan the binary for
ascii text, but it was not to be.  The program was protected against my
trick, and Ed was no fool.  I couldn't crack his account.  Delta
remained stallwart against my attacks.  :-(

Given enough time, I might have cracked the system, but it was not to
be.  Back on the sister computer, I started taking more and more
liberties, as the computer was pretty much ignored by everyone.  So I
was on a priveleged account, scanning the system, when I spotted a
student playing star trek.  I instant messaged the offender, disparaging
them this paper wasteful activity.  I recieved a smart aleck reply. I
threatened to terminate their jog.  Another smart aleck reply.  I
terminated their job, almost.  I typed in, "Kill Job 1$1".  The $, is
the symbol that appeared when you hit the escape key.  The escape key,
was the same as a return.  I killed Job 1.  This did not go unoticed by
the computing staff.  Here my memory blurs.  At some point, I was having
an annonymous discussion with the computing staff from a students
account I had appropriated, when they killed my job and changed the
password to the account.  I logged back into the account anyway, and
realized my mistake too late.  The next morning, Login had been returned
to it's natural state, all the priveleged software in the system had
been re-compiled and reset and a message had been posted that mentioned
me by name, informing users that if they lost any data to contact me
personally.  Details:  Many students never used their accounts, so the
password was still pswd.  I never had trouble getting on the systerm. 
The staff maintaining this computer didn't know how I did my trick, or
to protect their priveleged files.  So I got back on, and deleted the
message.  That too did not go unoticed.  So they did it all again, to no
avail. In retrospect I realize I caused a lot of trouble for the people
running the system, and after the second flush they did, I quietly got
the password for my own edification and just stayed low.  It was not too
much later they switched the system to UNIX.  Meanwhile Ed Boas pulled
my butt out of the fire with and convinced the university not to
prosecute me.   

Shortly after that, I was assigned my priveleged account on Delta.

One final note.  It was about 4 years later, I was working at the DuPont
experimental station, when they introduced a computer training program
on our buildings Vax system, called SIGI.  This program was for the
supervisors in the building.  I quietly copied the SIGI account file,
dumped it in ascii, confirmed that some people in the office had used
the same password for their SIGI account as they had for their
confidential Vax accounts, and quietly informed the system administrator
to warn people against this practice.  Of course, there were lots of
other ways I raised hell on that system.  But that's another story.

Kendall