That was really touching. I'm not sure if that's the right word. It was really nostalgic, despite me not having even been alive during that time.
I grew up reading books and magazines about people like Kevin Mitnick, John Draper, RTM, Kevin Poulsen, etc. If it's possible, I think there was a romantic era to hacking. This story brought me back to that era.
Mitnick's autobiography is coming out in August. I've been reading a prerelease copy, and it's really enjoyable (if you are into that sort of thing). Lots of details and stories about the things he was up to.
I was roaming around inside networks and machines around the same time as these guys and I don't think it was a romantic era, but it was an era in which the laws were very lax and you'd likely get a slap on the wrist rather than a jail sentence. Lots of systems were open, anonymous FTP was the norm, and it was trivial to spoof email using SMTP commands typed through telnet since the SMTP servers trusted whoever connected to them. Also many dial up systems used either no security (i.e. if you knew the number it was enough to get in), or really trivial passwords. Networks were easy to monitor once you were in and most passwords were sent plain text (the assumption was that you couldn't see the X.25 or TCP packets themselves, but, of course, you could).
I remember on one occasion receiving an email from a system administrator in a university where I had changed the 'ls' program to be a trojan of my own design. His email just said: "I have removed the new 'ls' program you installed on $SYSTEM_NAME." All it did was log the name of any user who had visited my $HOME so I could see who was looking in my files. Today, I would likely be on my way to prison.
The other thing that's become very real in the hacking world is the amount of money that's flowing around. You can get paid for exploits, paid for stolen information, paid for botnets, paid for viruses, etc. etc. If there was anything romantic about the 1980s it was that it was mostly being done for fun and without malicious intent.
Am I the only one who finds that action malicious and unflattering? It's one thing to try to hack into systems that you have no access to, and an entirely different thing to replace /bin/login to harvest passwords on a machine you have root access on.
I really don't see this as touching, warm or fuzzy at all. It has nothing to do with hacking, it's just a way of getting everyone's passwords.
I remember, a few years after the worm, Sun had just come out with shadow passwords; but our system hadn't implemented them yet. So I decided to run a dictionary attack on the passwords stored in /etc/passwd. I wanted to show our sysadmins that going shadow was better, by telling them how many passwords could be broken. Obviously, I ran this password cracker on the same machine, and didn't bother to hide the fact.
The next day I get an email from our sysadmin, "why are you cracking passwords?".
"To show you how many of them are weak and can be cracked", I replied.
"Please don't do that," he replied, and I stopped.
In those days, harmless curiosity (as long as it wasn't malicious) was encouraged. People weren't as touchy as they are today.
I remember that episode. Memory's fuzzy, but I think Merlyn wasn't employed by Intel at that time; I think even his consultant gig had just lapsed. I think someone at Intel just got a bee up his bonnet and decided to raise a stink; and things snowballed after that.
In my case, I was a student with unbounded curiosity at a Univ; and the sysadmins were very tolerant then.
No, you're not the only one. That doesn't seem much like youthful mischief to me; in 1980 RHM would have been 48 (with a teenaged son RTM)!
That's if the story is true -- and we have no evidence to suggest it is.
P.S. Also I don't know what the author is talking about with regards to the encrypted files. Modern crypt(3) is clearly not something you use for reversible file encryption.
P.P.S. Ok, Wikipedia says there was a crypt(1), written by... Robert H. Morris. And it had weak encryption, to the extent that crackers for it were widely available in the mid-80s. Maybe this is plausible.
Back then, you owned the whole computer network. You could rebuild the kernel, change drivers, whatever.
We would write fake login pages just to burn somebody - wait for their login attempt, print lots of fake security log messages, simulate a crash screen - just for fun.
Imagine putting a potato in your buddy's exhaust pipe, or wiring up their car radio volume knob backward.
Since there was no internet, there was no intent to 'rule the world' - just mess with your friends.
So no, it was no more malicious than a pre-med student putting a nervous system in their prof's mailbox.
Yes, of course. I'm not commenting on whether or not the story is true, but on the reactions. People say "that strikes me as a fond memory", "nice story", "how warm" when it seems to me like the OP meant it as a sort of indictment.
Youthful mischief can be at any age, but that's not mischief, that's a pretty egregious theft of data. It would have been very different if he had exploited some new script to gain access to a machine he didn't have access to, for example.
Anyway, perhaps this is not the time to focus on such things. The value of some passwords from a system in 1980 is not a big deal, really, considering that at this moment it's more appropriate to look at what the man did over his whole life.
It was a different age, with different social norms. Hacking didn't have anything close to the stigma that it rightfully has now, and most incidents weren't malicious. If you had an account broken into back then there wasn't the same sense of invasion of privacy, most things were work related and run of the mill.
I'm not saying he was going to steal people's credit card numbers or whatever (you'd need to call the president of the bank to make a credit card transaction at the time, anyway), what I'm saying is that, on the scale of hacking (actual hacking for excitement), replacing /bin/login with a trojan is pretty low, because there's no skill required to do it.
I wouldn't even call it hacking, really. It's like installing a keylogger, it's not a hack.
I'm not lying, at the time a trojan /bin/login was state of the art. Run of the mill hacking was calling up a strange system and using the login: guest to get access, or trying women's names as passwords over and over until you got lucky.
Actually knowing how to modify a C program was something of a skill, though your peers wouldn't be too impressed. Think more along the lines of office prank to misuse of company resources.
What strikes me is how differently 'hacking' is viewed today in the mainstream. Try any of that at a company as big as IBM, and you'll likely be rotting in a cell as a suspected cyber terrorist.
OK, maybe I exaggerate, but I can't help but think how innocent those times sound in this story.
I was a young grad student when the worm came out. The funny part is: Keith Bostic & company (at UCB) released a "patch" for the worm to fix what was broken (so it wouldn't infect the same machine twice).
One of my professors was writing a book, and after the worm hit, he became paranoid and restored a copy of the LaTeX source of his book from the last backup, presumably to see if the worm had somehow messed with his book (the answer was, no, of course). It was funny to see how freaked out some people were.
RIP Robert.